
Cloud Computing 1+X: OpenStack

Date: 2023-01-23 23:00:00

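OpenStack Keystone service operations

Overview

In the OpenStack framework, Keystone (OpenStack Identity Service) is responsible for authentication, for validating service rules and for issuing service tokens; it implements OpenStack's Identity API. Keystone can be broken down into two functions: permission management and the service catalog. Permission management is mainly used for user management and authorization. The service catalog is similar to a service bus, or a registry for the whole OpenStack framework. Keystone provides the API service for the authentication module, the token mechanism, the service catalog, rules, and authentication issuing.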

Keystone operations commands

(1) Create a user

  • Create an account named "alice" with the password "mypassword123" and the e-mail address "alice@example.com".

The command is as follows.

The general format is:

$ openstack user create [--domain <domain>] [--password <password>] [--email <email-address>] [--enable | --disable] <name>
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack user create --password mypassword123 --email alice@example.com --domain demo alice
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | ee04cbb02c8345079219d0be95c346c2 |
| email     | alice@example.com                |
| enabled   | True                             |
| id        | e1a6f11bb50a4e00a02df3589fc69f2c |
| name      | alice                            |
+-----------+----------------------------------+

(2) Create a project

A project is a project, team or organization. A project must be specified when requesting OpenStack services.

  • Command format
$ openstack project create [--domain <domain>] [--description <description>] [--enable | --disable] <project-name>
  • Create a project named "acme"
[root@controller ~]# openstack project create --domain demo acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | ee04cbb02c8345079219d0be95c346c2 |
| enabled     | True                             |
| id          | 470fb40d002e4b969a1db16fa809a251 |
| is_domain   | False                            |
| name        | acme                             |
| parent_id   | ee04cbb02c8345079219d0be95c346c2 |
+-------------+----------------------------------+

(3) Create a role

A role limits the operations a user is permitted to perform.

  • Command format
$ openstack role create <name>
  • Create a role named "compute-user"
[root@controller ~]# openstack role create compute-user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1987d07be47143a59d365db1cc0e4273 |
| name      | compute-user                     |
+-----------+----------------------------------+

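(4) Bind a user to a project and role

A newly added user needs to be granted permissions, which means binding the user to the corresponding project and role.

  • Command format
$ openstack role add --user <user> --project <project> <role>
  • Assign user "alice" the "compute-user" role in the "acme" project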
[root@controller ~]# openstack role add --user alice --project acme compute-user

Keystone basic query commands

(1) User list query

The users of the OpenStack platform can be queried through the Keystone component.

  • List all current users

    [root@controller ~]# openstack user list
    +----------------------------------+---------+
    | ID                               | Name    |
    +----------------------------------+---------+
    | 4903e47a402441d3b20e550d9bbc4cc3 | nova    |
    | 5f7ae9eaa7fa4fbfaf43f618e161853f | swift   |
    | 8572acd789674e88be334d4f5b62cafe | neutron |
    | 9e18056074384b4c8cd8f7a346900940 | glance  |
    | ae8c4dd718de4979b1899d46b4dbb79b | cinder  |
    | bc8cca0f048f41ee8a2543fff142f87f | admin   |
    | e1a6f11bb50a4e00a02df3589fc69f2c | alice   |
    | f784d5ec37f0431e86b90ae2d5fada85 | demo    |
    +----------------------------------+---------+
    
  • Query the details of a specific user, including the user's current status

[root@controller ~]# openstack user show alice
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | ee04cbb02c8345079219d0be95c346c2 |
| email     | alice@example.com                |
| enabled   | True                             |
| id        | e1a6f11bb50a4e00a02df3589fc69f2c |
| name      | alice                            |
+-----------+----------------------------------+

(2) Project list query

  • List all projects that currently exist on the OpenStack platform
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 470fb40d002e4b969a1db16fa809a251 | acme    |
| 4915940ed1cc44b3b97d36942ae6e317 | service |
| e221e26e9ce340eaa215ffaf9b73de18 | admin   |
| f24395490e93407d9a977f057ec63981 | demo    |
+----------------------------------+---------+
  • Query the details of the "acme" project
[root@controller ~]# openstack project show acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | ee04cbb02c8345079219d0be95c346c2 |
| enabled     | True                             |
| id          | 470fb40d002e4b969a1db16fa809a251 |
| is_domain   | False                            |
| name        | acme                             |
| parent_id   | ee04cbb02c8345079219d0be95c346c2 |
+-------------+----------------------------------+

(3) Role list query

  • List all current roles
[root@controller ~]# openstack role list
+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 1987d07be47143a59d365db1cc0e4273 | compute-user |
| 2c8ce0842957406a9731d89738e5fc93 | user         |
| a85a31d5dfb94f07a172a734af9e01fa | admin        |
+----------------------------------+--------------+
  • Query the details of the "compute-user" role
[root@controller ~]# openstack role show compute-user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1987d07be47143a59d365db1cc0e4273 |
| name      | compute-user                     |
+-----------+----------------------------------+

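(4) Endpoint address query

The Keystone component manages the endpoint information for all services on the OpenStack platform.

  • List the endpoint addresses used by all services on the platform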
[root@controller ~]# openstack endpoint list
+------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| ID                           | Region    | Service Name | Service Type | Enabled | Interface | URL                          |
+------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| 05ec27962c82429587db043452aa | RegionOne | cinder       | volume       | True    | admin     | http://controller:8776/v1/%( |
| ae8b                         |           |              |              |         |           | tenant_id)s                  |
| 12a511a0476240ffb5ae69e3d0f1 | RegionOne | nova         | compute      | True    | admin     | http://controller:8774/v2.1/ |
| 2c5f                         |           |              |              |         |           | %(tenant_id)s                |
| 14c09e59339e47daa8c93aea91d1 | RegionOne | swift        | object-store | True    | public    | http://controller:8080/v1/AU |
| c95a                         |           |              |              |         |           | TH_%(tenant_id)s             |
| 17be41127c74496888014fd5f267 | RegionOne | neutron      | network      | True    | public    | http://controller:9696       |
| daf5                         |           |              |              |         |           |                              |
| 28821b96d93c4c04957c850c9983 | RegionOne | swift        | object-store | True    | admin     | http://controller:8080/v1    |
| 3589                         |           |              |              |         |           |                              |
| 39dd31527614489ea4e64536b088 | RegionOne | cinder       | volume       | True    | internal  | http://controller:8776/v1/%( |
| ea32                         |           |              |              |         |           | tenant_id)s                  |
| 3b227946b66d4d06884d4d5cdfd2 | RegionOne | glance       | image        | True    | internal  | http://controller:9292       |
| c688                         |           |              |              |         |           |                              |
| 42cc123dd76d4b16a6c434f76e28 | RegionOne | swift        | object-store | True    | internal  | http://controller:8080/v1/AU |
| 0dce                         |           |              |              |         |           | TH_%(tenant_id)s             |
| 430ded9641df46c588c8e1756c0a | RegionOne | cinderv2     | volumev2     | True    | public    | http://controller:8776/v2/%( |
| c454                         |           |              |              |         |           | tenant_id)s                  |
| 547afe78cffd4c1e9ed30291103b | RegionOne | glance       | image        | True    | public    | http://controller:9292       |
| f9eb                         |           |              |              |         |           |                              |
| 7b8f1841e7224ca899419325c781 | RegionOne | neutron      | network      | True    | internal  | http://controller:9696       |
| e73d                         |           |              |              |         |           |                              |
| 88bb708fd47d41358a9452b332d2 | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3    |
| 1146                         |           |              |              |         |           |                              |
| 957a7e7109204300893f41dba242 | RegionOne | cinderv2     | volumev2     | True    | admin     | http://controller:8776/v2/%( |
| 7019                         |           |              |              |         |           | tenant_id)s                  |
| 9d5fd3e11ef14ef7b2d06e4f0c07 | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3    |
| 87e5                         |           |              |              |         |           |                              |
| a1a5ca5a65ee4728a4576caf8766 | RegionOne | nova         | compute      | True    | public    | http://controller:8774/v2.1/ |
| c608                         |           |              |              |         |           | %(tenant_id)s                |
| a9ca8fc797474c0a92a45cdb6ee5 | RegionOne | cinder       | volume       | True    | public    | http://controller:8776/v1/%( |
| dab7                         |           |              |              |         |           | tenant_id)s                  |
| bca5b8487e264cc196ff9dd96959 | RegionOne | keystone     | identity     | True    | admin     | http://controller:35357/v3   |
| c39b                         |           |              |              |         |           |                              |
| c511baefff0c4f8288293eeb42a1 | RegionOne | cinderv2     | volumev2     | True    | internal  | http://controller:8776/v2/%( |
| 4744                         |           |              |              |         |           | tenant_id)s                  |
| dc578f9d90304e23a44275954c19 | RegionOne | nova         | compute      | True    | internal  | http://controller:8774/v2.1/ |
| 617d                         |           |              |              |         |           | %(tenant_id)s                |
| df20a18a22314401ab775faf3ff1 | RegionOne | neutron      | network      | True    | admin     | http://controller:9696       |
| 2d7c                         |           |              |              |         |           |                              |
| e003ba42f3f74bdcbda19ec9ef7e | RegionOne | glance       | image        | True    | admin     | http://controller:9292       |
| 7fb1                         |           |              |              |         |           |                              |
+------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
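
Every URL in the listing above uses plain http://, including the Keystone identity endpoints that carry passwords and tokens. As an added example (not part of the original page), the shell function below reads `openstack endpoint list` table output, rejoins the rows the CLI wrapped onto a second line, and lists the endpoints that are not TLS-protected. The function names are hypothetical, the sample keeps three endpoints from this page plus one constructed https row, and continuation rows are assumed to be those with an empty Region cell.

```shell
#!/bin/sh
# Added example: list service endpoints registered with a plaintext http:// URL.

# Reads `openstack endpoint list` table output on stdin, joins rows that the
# CLI wrapped onto a second line, and prints "service interface url" for every
# endpoint whose URL is not TLS-protected. Returns 1 if any were found.
list_plaintext_endpoints() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function emit() {
      if (svc != "" && tolower(url) ~ /^http:\/\//) { print svc, iface, url; n++ }
      svc = ""
    }
    /^\|/ {
      region = trim($3)
      if (region == "Region") next        # header row
      if (region != "") {                 # first physical row of an endpoint
        emit()
        svc = trim($4); iface = trim($7); url = trim($8)
      } else {                            # continuation row: only ID and URL wrap
        url = url trim($8)
      }
    }
    END { emit(); exit (n > 0 ? 1 : 0) }
  '
}

# Sample input: the first three endpoints are copied from the listing on this
# page; the last one (placement, https) is constructed to show a passing row.
sample_endpoints() {
  cat <<'EOF'
+------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| ID                           | Region    | Service Name | Service Type | Enabled | Interface | URL                          |
+------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| 88bb708fd47d41358a9452b332d2 | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3    |
| 1146                         |           |              |              |         |           |                              |
| a1a5ca5a65ee4728a4576caf8766 | RegionOne | nova         | compute      | True    | public    | http://controller:8774/v2.1/ |
| c608                         |           |              |              |         |           | %(tenant_id)s                |
| bca5b8487e264cc196ff9dd96959 | RegionOne | keystone     | identity     | True    | admin     | http://controller:35357/v3   |
| c39b                         |           |              |              |         |           |                              |
| 0000000000000000000000000000 | RegionOne | placement    | placement    | True    | public    | https://controller:8778      |
| 0000                         |           |              |              |         |           |                              |
+------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
EOF
}

# Demo run on the sample; on a controller, pipe the real command output instead.
sample_endpoints | list_plaintext_endpoints || true
```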

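Glance service operations

The Glance image service discovers, registers and retrieves virtual machine images and image metadata. Image data can be kept in several kinds of storage system, such as a simple file system or an object storage system. The Glance image service has a typical client/server (C/S) architecture made up of glance-client, Glance and Glance Store. Glance itself mainly consists of the REST API, the database abstraction layer (DAL), the domain controller (glance domain controller) and the registry layer; Glance uses a central database (Glance DB) that is shared directly among the Glance components.

Glance image management

(1) Create an image

  • Create an image named "cirros" using the provided image file "cirros-0.3.4-x86_64-disk.img".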
[root@controller ~]# ls
anaconda-ks.cfg  cirros-0.3.4-x86_64-disk.img  XianDian-IaaS-v2.2.iso
[root@controller ~]# glance image-create --name "cirros" --disk-format qcow2 --container-format bare --progress < cirros-0.3.4-x86_64-disk.img 
[=============================>] 100%
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2022-07-18T01:52:58Z                 |
| disk_format      | qcow2                                |
| id               | ff1c4a78-ecec-4742-8928-60fa0f1a82ab |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | cirros                               |
| owner            | e221e26e9ce340eaa215ffaf9b73de18     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-07-18T01:53:00Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

(2) List images

  • List all current images
[root@controller ~]# glance image-list
+--------------------------------------+-----------+
| ID                                   | Name      |
+--------------------------------------+-----------+
| eafd3ba6-ff00-4abd-9549-e6167b068bd9 | centos7.2 |
| ff1c4a78-ecec-4742-8928-60fa0f1a82ab | cirros    |
+--------------------------------------+-----------+

Glance image operations

(1) View image details

  • Use the glance image-show command to view an image's details (the id argument can be the image ID or the image name)
[root@controller ~]# glance image-show ff1c4a78-ecec-4742-8928-60fa0f1a82ab
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2022-07-18T01:52:58Z                 |
| disk_format      | qcow2                                |
| id               | ff1c4a78-ecec-4742-8928-60fa0f1a82ab |
| min_disk         | 0                                    |
| min_ram          | 0                                    |
| name             | cirros                               |
| owner            | e221e26e9ce340eaa215ffaf9b73de18     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-07-18T01:53:00Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

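(2) Modify an image

Use glance image-update to update image information and glance image-delete to delete an image.

  • To change the minimum disk size required to boot an image (min-disk); the default unit of min-disk is GB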
[root@controller ~]# glance image-update --min-disk=1 ff1c4a78-ecec-4742-8928-60fa0f1a82ab
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
| container_format | bare                                 |
| created_at       | 2022-07-18T01:52:58Z                 |
| disk_format      | qcow2                                |
| id               | ff1c4a78-ecec-4742-8928-60fa0f1a82ab |
| min_disk         | 1                                    |
| min_ram          | 0                                    |
| name             | cirros                               |
| owner            | e221e26e9ce340eaa215ffaf9b73de18     |
| protected        | False                                |
| size             | 13287936                             |
| status           | active                               |
| tags             | []                                   |
| updated_at       | 2022-07-18T02:03:59Z                 |
| virtual_size     | None                                 |
| visibility       | private                              |
+------------------+--------------------------------------+

(3) Delete an image

  • Delete the cirros image from the command line
[root@controller ~]# glance image-delete ff1c4a78-ecec-4742-8928-60fa0f1a82ab
[root@controller ~]# glance image-list
+--------------------------------------+-----------+
| ID                                   | Name      |
+--------------------------------------+-----------+
| eafd3ba6-ff00-4abd-9549-e6167b068bd9 | centos7.2 |
+--------------------------------------+-----------+

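Nova service operations

(1) Managing security group rules with Nova

A security group is a set of rules that restricts the traffic allowed to reach a virtual machine. At the lower level this is implemented with iptables: iptables rules are added on the host that runs the virtual machine. You can define n security groups, each security group can contain n rules, and each instance can be bound to n security groups. Nova always has a default security group, which cannot be deleted. If no security group is specified when an instance is created, the default security group is used. Security groups in Nova are now expected to move to Neutron, which will also add control over traffic leaving the virtual machine.

Note: security groups in Nova only control traffic entering a virtual machine; traffic leaving the virtual machine is not restricted.

  • Create a security group.
# Create a security group named test with the description 'test the nova command about the rules'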
[root@controller ~]# nova secgroup-create test 'test the nova command about the rules'
+--------------------------------------+------+---------------------------------------+
| Id                                   | Name | Description                           |
+--------------------------------------+------+---------------------------------------+
| dd7ebbc4-318e-44bb-94ca-443983920b4d | test | test the nova command about the rules |
+--------------------------------------+------+---------------------------------------+
  • List the available security groups
[root@controller ~]# nova secgroup-list --all-tenants
+--------------------------------------+---------+---------------------------------------+----------------------------------+
| Id                                   | Name    | Description                           | Tenant_ID                        |
+--------------------------------------+---------+---------------------------------------+----------------------------------+
| 9d892c53-4403-4b78-b2d1-fd7d2dde1984 | default | Default security group                | 4915940ed1cc44b3b97d36942ae6e317 |
| 7dad9b7b-e574-4cd4-a8d5-24b50669dd7d | default | Default security group                | e221e26e9ce340eaa215ffaf9b73de18 |
| dd7ebbc4-318e-44bb-94ca-443983920b4d | test    | test the nova command about the rules | e221e26e9ce340eaa215ffaf9b73de18 |
+--------------------------------------+---------+---------------------------------------+----------------------------------+
  • View the detailed rules in a security group:
[root@controller ~]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
|             |           |         |           | default      |
|             |           |         |           | default      |
+-------------+-----------+---------+-----------+--------------+
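
The default group printed above admits every TCP and UDP port and all ICMP from 0.0.0.0/0, so an instance launched without an explicit group is reachable on every port. As an added example (not part of the original page), this shell function reads `nova secgroup-list-rules` output and reports such world-open ingress rules. The function names and the one-port threshold are assumptions, and the last two sample rows are constructed.

```shell
#!/bin/sh
# Added example: report world-open ingress rules from `nova secgroup-list-rules`.

# Reads the CLI table on stdin. Flags rules whose source is 0.0.0.0/0 (or ::/0)
# and that open more than $1 ports (default 1) or every ICMP type.
# Returns 1 when at least one rule is flagged, 0 otherwise.
audit_secgroup_rules() {
  awk -F'|' -v max="${1:-1}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^\|/ {
      proto = trim($2); from = trim($3); to = trim($4); cidr = trim($5)
      # Skip the header and group-to-group rows, which carry no protocol.
      if (proto == "" || proto == "IP Protocol") next
      if (cidr != "0.0.0.0/0" && cidr != "::/0") next
      if (proto == "icmp") {
        # -1/-1 is how the table shows "all ICMP types and codes".
        if (from + 0 == -1 && to + 0 == -1) {
          print "OPEN icmp all-types from " cidr; bad = 1
        }
        next
      }
      width = to - from + 1
      if (width > max + 0) {
        printf "OPEN %s %d-%d (%d ports) from %s\n", proto, from, to, width, cidr
        bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Sample input: the first five rule rows are the default group as printed on
# this page; the last two rows are constructed to show rules that pass.
sample_rules() {
  cat <<'EOF'
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
|             |           |         |           | default      |
|             |           |         |           | default      |
| tcp         | 443       | 443     | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 10.0.0.0/8 |              |
+-------------+-----------+---------+-----------+--------------+
EOF
}

# Demo run on the sample; on a controller, pipe the real command output instead:
#   nova secgroup-list-rules default | audit_secgroup_rules 1
sample_rules | audit_secgroup_rules 1 || true
```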

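(2) Managing flavors with Nova

A virtual machine type (flavor) is the set of resources allocated to an instance when it is created. The following describes how Nova manages flavors.

Create a flavor: nova flavor-create

  • Create a flavor named test with ID 6, 2048 MB of memory, a 20 GB disk and 2 vCPUs.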
[root@controller ~]# nova flavor-create test 6 2048 20 2
+----+------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+------+-----------+------+-----------+------+-------+-------------+-----------+
| 6  | test | 2048      | 20   | 0         |      | 2     | 1.0         | True      |
+----+------+-----------+------+-----------+------+-------+-------------+-----------+
  • View the details of the test flavor
[root@controller ~]# nova flavor-show test
+----------------------------+-------+
| Property                   | Value |
+----------------------------+-------+
| OS-FLV-DISABLED:disabled   | False |
| OS-FLV-EXT-DATA:ephemeral  | 0     |
| disk                       | 20    |
| extra_specs                | {}    |
| id                         | 6     |
| name                       | test  |
| os-flavor-access:is_public | True  |
| ram                        | 2048  |
| rxtx_factor                | 1.0   |
| swap                       |       |
| vcpus                      | 2     |
+----------------------------+-------+

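Nova instance management

(1) Start an instance

Nova manages the instances on the cloud platform, including creating, starting, deleting and migrating instances.

  • List the instance flavors available for use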
[root@controller ~] 
