Openstack之路(六)创建云主机实例
创建云主机流程[*]当访问Dashboard的时候,会显示一个登录页面,Dashboard会告诉你,想使用Openstack创建云主机?那你得先把你的账号密码交给我,我去Keystone上验证你的身份之后才能让你登录。
[*]Keystone接收到前端表单传过来的域,用户名,密码信息以后,到数据库查询,确认身份后将一个Token返回给该用户,让这个用户以后再进行操作的时候就不需要再提供账号密码,而是拿着Token来。
[*]Horizon拿到Token之后,找到创建云主机的按钮并点击,填写云主机相关配置信息。点击启动实例后,Horizon就带着三样东西(创建云主机请求、云主机配置相关信息、Keystone返回的Token)找到Nova-API。
[*]Horizon要创建云主机?你先得把你的Token交给我,我去Keystone上验证你的身份之后才给你创建云主机。
[*]Keystone一看Token发现这不就是我刚发的那个吗?但程序可没这么聪明,它还得乖乖查一次数据库,然后告诉Nova-API,这兄弟信得过,你就照它说的做吧。
[*]Nova-API把Horizon给的提供的云主机配置相关写到数据库(Nova-DB)。
[*]数据库(Nova-DB)写完之后,会告诉Nova-API,哥,我已经把云主机配置相关信息写到我的数据库里啦。
[*]把云主机配置相关信息写到数据库之后,Nova-API会往消息队列(RabbitMQ)里发送一条创建云主机的消息。告诉手下的小弟们,云主机配置相关信息已经放在数据库里了,你们给安排安排咯。
[*]Nova-Schedular时时观察着消息队列里的消息,当看到这条创建云主机的消息之后,就要干活咯。
[*]要创建云主机,但它要看一看云主机都要什么配置,才好决定该把这事交给谁(Nova-Compute)去做,所以就去数据库去查看了
[*]数据库收到请求之后,把要创建云主机的配置发给Nova-Schedular
[*]Nova-Schedular拿到云主机配置之后,使用调度算法决定了要让Nova-Compute去干这个事,然后往消息队列里面发一条消息,某某某Nova-Compute,就你了,给创建一台云主机,配置都在数据库里。
[*]Nova-Compute时时观察着消息队列里的消息,当看到这条让自己创建云主机的消息之后,就要去干活咯。注意:本应该直接去数据库拿取配置信息,但因为Nova-Compute的特殊身份,Nova-Compute所在计算节点上全是云主机,万一有一台云主机被黑客入侵从而控制计算节点,直接拖库是很危险的。所以不能让Nova-Compute知道数据库在什么地方
[*]Nova-Compute没办法去数据库取东西难道就不工作了吗?那可不行啊,他不知道去哪取,但Nova-Conductor知道啊,于是Nova-Compute往消息队列里发送一条消息,我要云主机的配置相关信息,Nova-Conductor您老人家帮我去取一下吧。
[*]Nova-Conductor时时观察着消息队列里的消息,当看到Nova-Conductor发的消息之后,就要去干活咯。
[*]Nova-Conductor告诉数据库我要查看某某云主机的配置信息。
[*]数据库把云主机配置信息发送给Nova-Conductor。
[*]Nova-Conductor把云主机配置信息发到消息队列。
[*]Nova-Compute收到云主机配置信息。
[*]Nova-Compute读取云主机配置信息一看,立马就去执行创建云主机了。首先去请求Glance-API,告诉Glance-API我要某某某镜像,你给我吧。
[*]Glance-API可不鸟你,你是谁啊?你先得把你的Token交给我,我去Keystone上验证你的身份之后才给你镜像。Keystone一看Token,兄弟,没毛病,给他吧。
[*]Glance-API把镜像资源信息返回给Nova-Compute。
[*]Nova-Compute拿到镜像后,继续请求网络资源,首先去请求Neutron-Server,告诉Neutron-Server我要某某某网络资源,你给我吧。
[*]Neutron-Server可不鸟你,你是谁啊?你先得把你的Token交给我,我去Keystone上验证你的身份之后才给你网络。Keystone一看Token,兄弟,没毛病,给他吧。
[*]Neutron-Server把网络资源信息返回给Nova-Compute。
[*]Nova-Compute拿到网络后,继续请求存储资源,首先去请求Cinder-API,告诉Cinder-API我要多少多少云硬盘,你给我吧。
[*]Cinder-API可不鸟你,你是谁啊?你先得把你的Token交给我,我去Keystone上验证你的身份之后才给你网络。Keystone一看Token,兄弟,没毛病,给他吧。
[*]Cinder-API把存储资源信息返回给Nova-Compute。
[*]Nova-Compute拿到所有的资源后(镜像、网络、存储),其实Nova-Compute也没有创建云主机的能力,他把创建云主机的任务交给了Libvird,然后创建云主机(KVM/ZEN)
创建云主机网络
[*]在控制节点上,加载admin凭证来获取管理员能执行的命令访问权限
# source admin-openrc
[*]创建网络
# openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat provider
+---------------------------+--------------------------------------+
| Field | Value |
+---------------------------+--------------------------------------+
| admin_state_up | UP |
| availability_zone_hints | |
| availability_zones | |
| created_at | 2018-01-22T06:05:17Z |
| description | |
| headers | |
| id | d8acc6f1-8aed-4f7c-a630-83225f592039 |
| ipv4_address_scope | None |
| ipv6_address_scope | None |
| mtu | 1500 |
| name | provider |
| port_security_enabled | True |
| project_id | 14055178975d417987c5a94f030c7acf |
| project_id | 14055178975d417987c5a94f030c7acf |
| provider:network_type | flat |
| provider:physical_network | provider |
| provider:segmentation_id| None |
| revision_number | 4 |
| router:external | External |
| shared | True |
| status | ACTIVE |
| subnets | |
| tags | [] |
| updated_at | 2018-01-22T06:05:18Z |
+---------------------------+--------------------------------------+
# neutron net-list
+--------------------------------------+----------+---------+
| id | name | subnets |
+--------------------------------------+----------+---------+
| d8acc6f1-8aed-4f7c-a630-83225f592039 | provider | |
+--------------------------------------+----------+---------+
[*]在网络上创建一个子网
# openstack subnet create --network provider \
--allocation-pool start=192.168.56.100,end=192.168.56.200 \
--dns-nameserver 192.168.56.2 --gateway 192.168.56.2 \
--subnet-range 192.168.56.0/24 provider-subnet
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools| 192.168.56.100-192.168.56.200 |
| cidr | 192.168.56.0/24 |
| created_at | 2018-01-22T06:13:27Z |
| description | |
| dns_nameservers | 192.168.56.2 |
| enable_dhcp | True |
| gateway_ip | 192.168.56.2 |
| headers | |
| host_routes | |
| id | 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | provider-subnet |
| network_id | d8acc6f1-8aed-4f7c-a630-83225f592039 |
| project_id | 14055178975d417987c5a94f030c7acf |
| project_id | 14055178975d417987c5a94f030c7acf |
| revision_number | 2 |
| service_types | [] |
| subnetpool_id | None |
| updated_at | 2018-01-22T06:13:27Z |
+-------------------+--------------------------------------+
# neutron subnet-list
+--------------------------------------+-----------------+-----------------+-------------------------------------------+
| id | name | cidr | allocation_pools |
+--------------------------------------+-----------------+-----------------+-------------------------------------------+
| 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 | provider-subnet | 192.168.56.0/24 | {"start": "192.168.56.100", "end": |
| | | | "192.168.56.200"} |
+--------------------------------------+-----------------+-----------------+-------------------------------------------+
# neutron net-list
+--------------------------------------+----------+------------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+------------------------------------------------------+
| d8acc6f1-8aed-4f7c-a630-83225f592039 | provider | 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 192.168.56.0/24 |
+--------------------------------------+----------+------------------------------------------------------+
创建云主机类型
默认的最小规格的主机需要512MB内存,对于环境中计算节点内存不足4 GB的,我们推荐创建只需要64MB的keywa.com规格的主机。若单纯为了测试的目的,请使用keywa.com规格的主机来加载CirrOS镜像。
# openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 keywa.com
+----------------------------+-----------+
| Field | Value |
+----------------------------+-----------+
| OS-FLV-DISABLED:disabled | False |
| OS-FLV-EXT-DATA:ephemeral| 0 |
| disk | 1 |
| id | 0 |
| name | keywa.com |
| os-flavor-access:is_public | True |
| properties | |
| ram | 64 |
| rxtx_factor | 1.0 |
| swap | |
| vcpus | 1 |
+----------------------------+-----------+
创建密钥
[*]导入demo项目凭证
# source demo-openrc
[*]生成和添加秘钥对
# ssh-keygen -q -N ""
Enter file in which to save the key (/root/.ssh/id_rsa):
# ls -l .ssh/
total 8
-rw------- 1 root root 1679 Jan 22 14:28 id_rsa
-rw-r--r-- 1 root root398 Jan 22 14:28 id_rsa.pub
# openstack keypair create --public-key ~/.ssh/id_rsa.pub mykey
+-------------+-------------------------------------------------+
| Field | Value |
+-------------+-------------------------------------------------+
| fingerprint | 6d:5f:c6:92:ac:5e:49:40:5c:3e:b4:14:9c:f9:59:8c |
| name | mykey |
| user_id | 48cd83bd3ce54b8ebece24680e8c8b0a |
+-------------+-------------------------------------------------+
[*]验证公钥的添加
# openstack keypair list
+-------+-------------------------------------------------+
| Name| Fingerprint |
+-------+-------------------------------------------------+
| mykey | 6d:5f:c6:92:ac:5e:49:40:5c:3e:b4:14:9c:f9:59:8c |
+-------+-------------------------------------------------+
创建安全组规则
默认情况下,default安全组适用于所有实例并且包括拒绝远程访问实例的防火墙规则。对诸如CirrOS这样的Linux镜像,我们推荐至少允许ICMP (ping))和安全Shell(SSH)规则。
[*]允许ICMP请求
# openstack security group rule create --proto icmp default
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2018-01-22T06:46:59Z |
| description | |
| direction | ingress |
| ethertype | IPv4 |
| headers | |
| id | 51ed729f-b268-4a99-b8a6-3a2ba0d31c77 |
| port_range_max | None |
| port_range_min | None |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| protocol | icmp |
| remote_group_id | None |
| remote_ip_prefix| 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 20346c59-a0c4-4cc3-90be-f94c3581edab |
| updated_at | 2018-01-22T06:46:59Z |
+-------------------+--------------------------------------+
[*]允许安全Shell(SSH)的访问
# openstack security group rule create --proto tcp --dst-port 22 default
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| created_at | 2018-01-22T06:49:46Z |
| description | |
| direction | ingress |
| ethertype | IPv4 |
| headers | |
| id | 950a1be7-6fd3-4c80-ba60-7f4f0b573771 |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| protocol | tcp |
| remote_group_id | None |
| remote_ip_prefix| 0.0.0.0/0 |
| revision_number | 1 |
| security_group_id | 20346c59-a0c4-4cc3-90be-f94c3581edab |
| updated_at | 2018-01-22T06:49:46Z |
+-------------------+--------------------------------------+
启动云主机实例
启动一台实例,您必须至少指定一个类型、镜像名称、网络、安全组、密钥和实例名称。
[*]在控制节点上,获得admin凭证来获取只有管理员能执行的命令的访问权限
# source demo-openrc
[*]一个实例指定了虚拟机资源的大致分配,包括处理器、内存和存储
列出可用类型
# openstack flavor list
+----+-----------+-----+------+-----------+-------+-----------+
| ID | Name | RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+-----+------+-----------+-------+-----------+
| 0| keywa.com |64 | 1 | 0 | 1 | True |
+----+-----------+-----+------+-----------+-------+-----------+
列出可用镜像
# openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| cd96090c-87ca-4eb3-b964-a7457639bc1e | cirros | active |
+--------------------------------------+--------+--------+
列出可用网络
# openstack network list
+--------------------------------------+----------+--------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+----------+--------------------------------------+
| d8acc6f1-8aed-4f7c-a630-83225f592039 | provider | 5ae96c6c-2295-4cef-8ce5-cc19f4596c90 |
+--------------------------------------+----------+--------------------------------------+
列出可用的安全组
# openstack security group list
+--------------------------------------+---------+------------------------+----------------------------------+
| ID | Name | Description | Project |
+--------------------------------------+---------+------------------------+----------------------------------+
| 20346c59-a0c4-4cc3-90be-f94c3581edab | default | Default security group | 8a788702c6ea46419bb85b4e4600e3c4 |
+--------------------------------------+---------+------------------------+----------------------------------+
[*]启动实例
# openstack server create --flavor keywa.com --image cirros \
--nic net-id=d8acc6f1-8aed-4f7c-a630-83225f592039 --security-group default \
--key-name mykey demo-instance
+--------------------------------------+-----------------------------------------------+
| Field | Value |
+--------------------------------------+-----------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | |
| OS-EXT-STS:power_state | NOSTATE |
| OS-EXT-STS:task_state | scheduling |
| OS-EXT-STS:vm_state | building |
| OS-SRV-USG:launched_at | None |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| adminPass | MowXppdE5ayJ |
| config_drive | |
| created | 2018-01-22T07:13:02Z |
| flavor | keywa.com (0) |
| hostId | |
| id | 3b5f20c8-8b17-48a2-9b72-70cc74f6fc8f |
| image | cirros (cd96090c-87ca-4eb3-b964-a7457639bc1e) |
| key_name | mykey |
| name | demo-instance |
| os-extended-volumes:volumes_attached | [] |
| progress | 0 |
| project_id | 8a788702c6ea46419bb85b4e4600e3c4 |
| properties | |
| security_groups | [{u'name': u'default'}] |
| status | BUILD |
| updated | 2018-01-22T07:13:02Z |
| user_id | 48cd83bd3ce54b8ebece24680e8c8b0a |
+--------------------------------------+-----------------------------------------------+
[*]检查实例的状态,状态为ACTIVE那台虚拟机已经成功创建
# openstack server list
+--------------------------------------+---------------+--------+-------------------------+------------+
| ID | Name | Status | Networks | Image Name |
+--------------------------------------+---------------+--------+-------------------------+------------+
| 3b5f20c8-8b17-48a2-9b72-70cc74f6fc8f | demo-instance | ACTIVE | provider=192.168.56.110 | cirros |
+--------------------------------------+---------------+--------+-------------------------+------------+
验证操作
[*]使用SSH加密连接实例
# ssh cirros@192.168.56.110
The authenticity of host '192.168.56.110 (192.168.56.110)' can't be established.
RSA key fingerprint is 2f:58:9f:5e:da:c5:1f:46:43:e1:c4:64:da:ee:2e:e6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.110' (RSA) to the list of known hosts.
$
[*]验证能否ping通公有网络的网关
$ ping -c 4 114.114.114.114
PING 114.114.114.114 (114.114.114.114): 56 data bytes
64 bytes from 114.114.114.114: seq=0 ttl=128 time=29.289 ms
64 bytes from 114.114.114.114: seq=1 ttl=128 time=29.160 ms
64 bytes from 114.114.114.114: seq=2 ttl=128 time=34.413 ms
64 bytes from 114.114.114.114: seq=3 ttl=128 time=29.153 ms
--- 114.114.114.114 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 29.153/30.503/34.413 ms
[*]验证能否连接到互联网
$ ping -c 4 www.baidu.com
PING www.baidu.com (14.215.177.39): 56 data bytes
64 bytes from 14.215.177.39: seq=0 ttl=128 time=12.611 ms
64 bytes from 14.215.177.39: seq=1 ttl=128 time=8.424 ms
64 bytes from 14.215.177.39: seq=2 ttl=128 time=10.575 ms
64 bytes from 14.215.177.39: seq=3 ttl=128 time=11.595 ms
--- www.baidu.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 8.424/10.801/12.611 ms
[*]使用虚拟控制台访问实例
# openstack console url show demo-instance
+-------+------------------------------------------------------------------------------------+
| Field | Value |
+-------+------------------------------------------------------------------------------------+
| type| novnc |
| url | http://192.168.56.11:6080/vnc_auto.html?token=aff15e93-1ebe-49f3-877b-3213e6faa027 |
+-------+------------------------------------------------------------------------------------+
[*]浏览器访问192.168.56.11:6080/vnc_auto.html?token=aff15e93-1ebe-49f3-877b-3213e6faa027
页:
[1]