Building an RPM Package on CentOS 7 to Upgrade OpenSSL

A while ago a production security bulletin flagged OpenSSL vulnerabilities that had to be remediated by upgrading. The latest official CentOS 7 package only goes up to openssl 1.0.2k, so I decided to download a newer source tarball and build an RPM package myself for the upgrade. The test was based on openssl 1.1.1w; it is as much an exercise in learning how to package OpenSSL as an RPM as it is an exchange with the experience others have shared online.

System environment

OS: CentOS7 x86_64
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017

Preparation

Install dependencies

yum install rpm-build rpmlint rpmdevtools
yum install gcc gcc-c++ make perl perl-WWW-Curl

Create the build directory tree

mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
  • BUILD: files generated during compilation
  • BUILDROOT: the root file system produced by the build
  • RPMS: the built RPM packages
  • SOURCES: source tarballs and patches
  • SPECS: RPM spec files
  • SRPMS: source RPM packages

Download the required files and the source tarball into ~/rpmbuild/SOURCES

https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz
https://git.centos.org/rpms/openssl/releases

ls -lh ~/rpmbuild/SOURCES/
total 9.6M
-rw-r--r-- 1 root root  23K Jul  8 14:35 ec_curve.c
-rw-r--r-- 1 root root  64K Jul  8 14:35 ectest.c
-rw-r--r-- 1 root root 1.2K Jul  8 14:35 hobble-openssl
-rw-r--r-- 1 root root  639 Jul  8 14:35 make-dummy-cert
-rw-r--r-- 1 root root 2.6K Jul  8 14:35 Makefile.certificate
-rw-r--r-- 1 root root 9.5M Jul  8 14:35 openssl-1.1.1w.tar.gz
-rw-r--r-- 1 root root 1.6K Jul  8 14:35 opensslconf-new.h
-rw-r--r-- 1 root root  266 Jul  8 14:35 opensslconf-new-warning.h
-rw-r--r-- 1 root root 9.8K Jul  8 11:22 openssl-thread-test.c
-rw-r--r-- 1 root root 2.7K Jul  8 14:35 README.FIPS
-rw-r--r-- 1 root root 2.0K Jul  8 11:15 README.legacy-settings
-rw-r--r-- 1 root root  772 Jul  8 14:35 renew-dummy-cert
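Before handing the tarball in SOURCES to rpmbuild, a packager should confirm it is the release that was actually published, not whatever a mirror or proxy served. The script below is an added example, not code from the original post: it creates the rpmbuild tree from the previous step and checks a source file against an expected SHA-256 digest, rejecting a missing or altered file. The `EXPECTED_OPENSSL_SHA256` value is a placeholder (take the real digest from the OpenSSL release's published checksum or signature), and the file the demonstration runs on is constructed so that the script works offline.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a source tarball in
# ~/rpmbuild/SOURCES before rpmbuild uses it, and create the rpmbuild tree.
# EXPECTED_OPENSSL_SHA256 is a PLACEHOLDER: take the real digest from the
# OpenSSL release's published checksum/signature, not from the mirror you
# downloaded the tarball from.
EXPECTED_OPENSSL_SHA256='<digest published for openssl-1.1.1w.tar.gz>'

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_source FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 when it differs or FILE is missing.
verify_source() {
    vs_file=$1
    vs_expected=$2
    if [ ! -f "$vs_file" ]; then
        echo "MISSING $vs_file" >&2
        return 1
    fi
    vs_actual=$(sha256_of "$vs_file")
    if [ "$vs_actual" = "$vs_expected" ]; then
        echo "OK      $vs_file"
        return 0
    fi
    echo "BAD     $vs_file (expected $vs_expected, got $vs_actual)" >&2
    return 1
}

# setup_rpmbuild_tree TOPDIR: the same six directories as the mkdir step above.
setup_rpmbuild_tree() {
    for d in BUILD BUILDROOT RPMS SOURCES SPECS SRPMS; do
        mkdir -p "$1/$d"
    done
}

# Real use, once the placeholder digest has been replaced:
#   verify_source ~/rpmbuild/SOURCES/openssl-1.1.1w.tar.gz "$EXPECTED_OPENSSL_SHA256"

# Demonstration on a constructed file so the script runs without network
# access: a matching digest is accepted, a tampered file is rejected.
demo() {
    demo_top=$(mktemp -d)
    setup_rpmbuild_tree "$demo_top/rpmbuild"
    demo_tar="$demo_top/rpmbuild/SOURCES/openssl-1.1.1w.tar.gz"
    printf 'constructed sample, not a real OpenSSL tarball\n' > "$demo_tar"
    demo_good=$(sha256_of "$demo_tar")
    verify_source "$demo_tar" "$demo_good" || return 1
    printf 'appended by a tampering proxy\n' >> "$demo_tar"
    if verify_source "$demo_tar" "$demo_good"; then
        return 1   # a changed tarball must never verify
    fi
    rm -rf "$demo_top"
    return 0
}

demo
```

Run the check on every file under SOURCES that came from outside the build host; the CentOS helper files listed above can be compared against the copies in the CentOS openssl source package the same way.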

Repairing LVM Data in a Production Environment

Background

A while ago a virtual machine on the platform (10.xxx.xxx.224) lost its LVM metadata. The hypervisor had no LVM filter configured, so it scanned the VM's attached disks and took over the LVM information inside them; during the clean-up of that remediation the LVM metadata inside the VM was lost and its logical volumes could no longer be mounted. The system keeps a large amount of data on LVM, some 30 to 40 TB, and losing it for good would have had very serious consequences, so this records how the VM's LVM metadata was repaired and restored.
– Platform: OpenStack (Pike)
– Storage:
– ceph 12.2.10 (Luminous)
– Huawei 5310v5 SAN

  • Virtual machine information
[root@hostname]# nova list --all --ip 10.xxx.xxx.224
+--------------------------------------+--------------+----------------------------------+--------+------------+-------------+-----------------------+
| ID                                   | Name         | Tenant ID                        | Status | Task State | Power State | Networks              |
+--------------------------------------+--------------+----------------------------------+--------+------------+-------------+-----------------------+
| d6b961ae-3df2-46d1-8128-bfdca907f0bd | JXGLPT-3 | 4489501ffc5c45d0babe4274360d2151 | ACTIVE | -          | Running     | vlan461=10.xxx.xxx.224 |
+--------------------------------------+--------------+----------------------------------+--------+------------+-------------+-----------------------+
  • Host the VM runs on and its instance name
[root@hostname]# nova show d6b961ae-3df2-46d1-8128-bfdca907f0bd
...
| OS-EXT-SRV-ATTR:host                 | COM017                               |
| OS-EXT-SRV-ATTR:hostname             | jxglpt-3                             |
| OS-EXT-SRV-ATTR:hypervisor_hostname  | COM017                               |
| OS-EXT-SRV-ATTR:instance_name        | instance-00000dda                    |
| id                                   | d6b961ae-3df2-46d1-8128-bfdca907f0bd |
  • Attached volume information
[root@hostname]# nova volume-attachments d6b961ae-3df2-46d1-8128-bfdca907f0bd
+--------------------------------------+----------+--------------------------------------+--------------------------------------+
| ID                                   | DEVICE   | SERVER ID                            | VOLUME ID                            |
+--------------------------------------+----------+--------------------------------------+--------------------------------------+
| b07ab1b8-4f96-4555-badc-a2c520e4df32 | /dev/vda | d6b961ae-3df2-46d1-8128-bfdca907f0bd | b07ab1b8-4f96-4555-badc-a2c520e4df32 |
| 9ee56873-0b56-4755-bf76-f588bbab79ff | /dev/vdb | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 9ee56873-0b56-4755-bf76-f588bbab79ff |
| f166d752-8f8b-40f6-be5d-0df857c78c25 | /dev/vdc | d6b961ae-3df2-46d1-8128-bfdca907f0bd | f166d752-8f8b-40f6-be5d-0df857c78c25 |
| ba8e07db-2499-4ece-8c9d-18cce929bac3 | /dev/vdd | d6b961ae-3df2-46d1-8128-bfdca907f0bd | ba8e07db-2499-4ece-8c9d-18cce929bac3 |
| 35eab613-cfd8-49c3-bec0-d627221f2185 | /dev/vde | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 35eab613-cfd8-49c3-bec0-d627221f2185 |
| e23a386b-a1c5-4c97-aac0-a75976bfbfdd | /dev/vdf | d6b961ae-3df2-46d1-8128-bfdca907f0bd | e23a386b-a1c5-4c97-aac0-a75976bfbfdd |
| 3dc03dfb-a6d5-439b-b78b-e6259cd3e1bf | /dev/vdg | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 3dc03dfb-a6d5-439b-b78b-e6259cd3e1bf |
| 0427c3f1-23dd-479b-b5b2-30043754937b | /dev/vdh | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 0427c3f1-23dd-479b-b5b2-30043754937b |
| e129f4e0-89c3-4f51-a1c9-32767b90f4a7 | /dev/vdi | d6b961ae-3df2-46d1-8128-bfdca907f0bd | e129f4e0-89c3-4f51-a1c9-32767b90f4a7 |
| aee0b85a-3be8-4e29-b938-53f6528b8466 | /dev/vdj | d6b961ae-3df2-46d1-8128-bfdca907f0bd | aee0b85a-3be8-4e29-b938-53f6528b8466 |
| 0bc61058-778a-405e-8bb9-48366950852b | /dev/vdk | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 0bc61058-778a-405e-8bb9-48366950852b |
| 796339b4-2047-408e-93c4-2a6a9ec74021 | /dev/vdl | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 796339b4-2047-408e-93c4-2a6a9ec74021 |
| be51bef6-5612-4e43-b076-f8bf4d19890f | /dev/vdm | d6b961ae-3df2-46d1-8128-bfdca907f0bd | be51bef6-5612-4e43-b076-f8bf4d19890f |
| edc0b346-b85f-4adb-814c-a457308e7731 | /dev/vdn | d6b961ae-3df2-46d1-8128-bfdca907f0bd | edc0b346-b85f-4adb-814c-a457308e7731 |
| a827106c-7d9c-4b14-88f3-98cc6b3a0a90 | /dev/vdo | d6b961ae-3df2-46d1-8128-bfdca907f0bd | a827106c-7d9c-4b14-88f3-98cc6b3a0a90 |
| 2aa41500-95e3-4cac-b770-d0365a40a3e1 | /dev/vdp | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 2aa41500-95e3-4cac-b770-d0365a40a3e1 |
| 3170184f-dc54-4f94-8895-e42de994f7d1 | /dev/vdq | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 3170184f-dc54-4f94-8895-e42de994f7d1 |
| 75c96474-3084-4fd1-a58d-be3fc75d3d73 | /dev/vdr | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 75c96474-3084-4fd1-a58d-be3fc75d3d73 |
| 6d276374-29df-415d-9765-e4499ebfde10 | /dev/vds | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 6d276374-29df-415d-9765-e4499ebfde10 |
| 984d05de-43bf-450d-85fd-d29b96fffd8e | /dev/vdt | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 984d05de-43bf-450d-85fd-d29b96fffd8e |
| 8ea55edd-f3e2-4633-9d1a-37cf9bd5f34e | /dev/vdu | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 8ea55edd-f3e2-4633-9d1a-37cf9bd5f34e |
| 8f536e21-bdab-4995-b822-b1780c6c66aa | /dev/vdv | d6b961ae-3df2-46d1-8128-bfdca907f0bd | 8f536e21-bdab-4995-b822-b1780c6c66aa |
+--------------------------------------+----------+--------------------------------------+--------------------------------------+
  • Block devices attached to the VM instance
[root@COM017 ~]# virsh domblklist instance-00000dda
Target     Source
------------------------------------------------
hda        vms/d6b961ae-3df2-46d1-8128-bfdca907f0bd_disk.config
hdb        -
vda        volumes/volume-b07ab1b8-4f96-4555-badc-a2c520e4df32
vdb        volumes/volume-9ee56873-0b56-4755-bf76-f588bbab79ff
vdc        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8713700000002
vdd        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8718d00000003
vde        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8722d00000004
vdf        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d872ae00000005
vdg        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8731f00000006
vdh        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8739100000007
vdi        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8740300000008
vdj        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8748d00000009
vdk        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d874e60000000a
vdl        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8755a0000000b
vdm        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d875db0000000c
vdn        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8764c0000000d
vdo        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d876ad0000000e
vdp        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8773e0000000f
vdq        /dev/disk/by-id/dm-uuid-mpath-3600507670881094d3000000000000034
vdr        /dev/disk/by-id/dm-uuid-mpath-3600507670881094d3000000000000035
vds        /dev/disk/by-id/dm-uuid-mpath-3600507670881094d3000000000000036
vdt        /dev/disk/by-id/dm-uuid-mpath-3600507670881094d3000000000000039
vdu        /dev/disk/by-id/dm-uuid-mpath-3600507670881094d3000000000000038
vdv        /dev/disk/by-id/dm-uuid-mpath-3600507670881094d3000000000000037
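The root cause in the background section is a hypervisor whose own LVM scanned the guests' attached block devices. The script below is an added example, not something from the original post: it takes `virsh domblklist` output (a constructed sample in the shape of the listing above), turns every host-side /dev path into a reject rule for lvm.conf's devices/global_filter, and checks whether an lvm.conf sets global_filter at all. The accept pattern for the host's system disk (/dev/sda) is an assumption; it must cover every device the hypervisor itself needs, because the trailing rule rejects everything else.

```shell
#!/bin/sh
# Added example (not part of the original post): build an LVM global_filter
# for the hypervisor from the block devices a guest owns, so the host's LVM
# never scans or activates volume groups that live inside guest disks.
# Assumption (not from the post): the host's own disk is /dev/sda; guest
# disks are the /dev/... sources listed by `virsh domblklist`.

# Constructed sample, shaped like the `virsh domblklist` output in the post.
SAMPLE_DOMBLKLIST='Target     Source
------------------------------------------------
hda        vms/d6b961ae-3df2-46d1-8128-bfdca907f0bd_disk.config
hdb        -
vda        volumes/volume-b07ab1b8-4f96-4555-badc-a2c520e4df32
vdc        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8713700000002
vdd        /dev/disk/by-id/dm-uuid-mpath-36bc76c5100b2de5711d8718d00000003'

# guest_block_devices < domblklist-output
# Print only sources that are host block device paths (/dev/...); rbd images
# such as "volumes/..." go through librbd and never appear in the host's /dev.
guest_block_devices() {
    awk 'NR > 2 && $2 ~ /^\/dev\// { print $2 }'
}

# lvm_global_filter HOST_DISK_REGEX < domblklist-output
# Emit a devices{} stanza: accept the host disk, reject each guest device by
# exact path, then reject everything else. LVM applies the first matching
# rule, so the order matters. Paths here contain no regex metacharacters;
# escape "." and "+" if yours do.
lvm_global_filter() {
    host_disk=$1
    rules="\"a|$host_disk|\""
    for dev in $(guest_block_devices); do
        rules="$rules, \"r|^$dev\$|\""
    done
    rules="$rules, \"r|.*|\""
    printf 'devices {\n    global_filter = [ %s ]\n}\n' "$rules"
}

# has_global_filter LVM_CONF
# Return 0 when the file sets global_filter (the setting the post's host was
# missing), 1 otherwise. Commented-out defaults do not count.
has_global_filter() {
    grep -Eq '^[[:space:]]*global_filter[[:space:]]*=' "$1"
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_DOMBLKLIST" | lvm_global_filter '^/dev/sda[0-9]*$'
```

On a CentOS 7 host, `lvmconfig --type current devices/global_filter` shows the value actually in effect, and `pvs` run on the hypervisor afterwards should list only the host's own physical volumes; any guest PV still showing up means a rule is missing.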

MySQL Primary/Replica Replication Lag

Background

Recently one of our production MySQL clusters developed severe primary/replica replication lag: relay logs piled up on the replica until the database disk exceeded 90% usage and raised an alert. Tracing and resolving this took a long time, so I am recording the whole process in the hope that it helps others who run into the same problem.
First, the environment: this MySQL cluster is deployed in containers on k8s, runs as a three-node MySQL MGR (Group Replication) cluster, and stores its data on ceph rbd block storage.
– MySQL version: 8.0.19
– Ceph version: 12.2.10 (Luminous)

Investigation

The first symptom was that many tables differed between primary and replica, while the MGR cluster status was normal.

Checked the operating system load.

Checked I/O on the replica's MySQL disk mount (rbd0): %util on rbd0 stayed above 90%, permanently busy.

Checked the firewall rules; nothing restrictive.

Verified the replication lag by creating a test database on the primary and dropping table t2 in the test database.

On the replica, listing the tables in the test database half an hour later still showed t2; the replica's applied transactions lagged far behind, and querying the transaction queue showed it piling up.

A large backlog of unapplied relay logs filled the replica's disk past 90%.
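Two of the checks above (the disk's %util and the relay-log backlog) are easy to automate. The script below is an added example, not part of the original post: it flags devices whose %util in `iostat -x` output reaches a threshold, and totals the bytes of relay-log files in a data directory. The iostat sample is constructed in the shape of sysstat's output on CentOS 7 with made-up numbers; the relay-log file names follow MySQL's `<host>-relay-bin.*` and `<host>-relay-bin-group_replication_applier.*` convention.

```shell
#!/bin/sh
# Added example, not code from the original post: automate two of the checks
# above, disk saturation from `iostat -x` and the relay-log backlog on disk.

# Constructed sample shaped like `iostat -x` on CentOS 7 (sysstat); the
# numbers are made up to mirror the post's observation that rbd0 was >90% busy.
SAMPLE_IOSTAT='Linux 3.10.0-957.el7.x86_64 (mysql-0)  07/08/2023  _x86_64_  (8 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           2.10    0.00    1.30   35.40    0.00   61.20

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
vda               0.00     1.20    0.50    3.10    12.00    40.00    23.11     0.01    2.10    1.50    2.20   0.80   0.30
rbd0              0.00   120.40    8.30  410.20   530.00  9870.00    40.12    12.55   31.40   10.20   31.90   2.30  96.40'

# busy_devices THRESHOLD < iostat-output
# Prints "device %util" for every device line whose %util (last column) is
# at or above THRESHOLD. Banner, avg-cpu and header lines are skipped because
# their first field is numeric or their last field is not a number.
busy_devices() {
    awk -v thr="$1" '
        $1 !~ /^[0-9.]+$/ && $NF ~ /^[0-9.]+$/ && $NF + 0 >= thr + 0 {
            print $1, $NF
        }'
}

# relay_log_bytes DATADIR
# Sums the size of every relay-log file under DATADIR: the classic
# <host>-relay-bin.NNNNNN files, the group_replication_applier channel's
# <host>-relay-bin-group_replication_applier.NNNNNN files, and their .index
# files. Prints 0 when there are none (or DATADIR does not exist).
relay_log_bytes() {
    find "$1" -type f -name '*relay-bin*' -print 2>/dev/null |
    while IFS= read -r f; do
        wc -c < "$f"
    done |
    awk '{ total += $1 } END { print total + 0 }'
}

# Stand-alone run on the constructed sample; on a live replica pipe
# `iostat -x 1 3` into busy_devices and point relay_log_bytes at the datadir.
printf '%s\n' "$SAMPLE_IOSTAT" | busy_devices 90
```

For the transaction queue the post mentions, the Group Replication view `performance_schema.replication_group_member_stats` (columns `COUNT_TRANSACTIONS_IN_QUEUE` and `COUNT_TRANSACTIONS_REMOTE_IN_APPLIER_QUEUE`) gives the per-member backlog, and `SHOW VARIABLES LIKE 'relay_log_basename'` reveals where the relay logs live when the datadir layout is not obvious inside a container.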

Building an RPM Package on CentOS 7 to Upgrade OpenSSH

I previously wrote about upgrading OpenSSH by compiling from source. To manage package versions more cleanly, this records the process of building an RPM package on CentOS to upgrade OpenSSH. There are many write-ups online about building OpenSSH RPMs; this one is shared according to my own requirements.

System environment

OS: CentOS7 x86_64
OpenSSH version: 7.4p1
OpenSSL version: 1.0.2k-fips

Upgrade requirements

  1. Upgrade OpenSSH to 9.1p1
  2. Keep the original permissions of the sshd file under pam.d
  3. Keep ssh-copy-id working

Preparation

  • Disable SELinux before the upgrade
# Change the following setting; it takes effect after a reboot
vi /etc/selinux/config
SELINUX=disabled
# Take effect immediately
setenforce 0
getenforce
  • Back up the configuration
cp /etc/pam.d/sshd /etc/pam.d/sshd_bak
cp /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config_bak
cp -r /etc/ssh /etc/ssh_bak
  • Prepare the source packages
openssh-9.1p1 download:
curl -O https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz

ssh-askpass download (optional):
curl -O https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
  • Install dependency packages
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel

CentOS 7 OpenStack (Queens) Installation (7): cinder Block Storage Service

cinder storage service

Installation and configuration (controller node)

  1. Create the cinder database and grant access; the custom account/password is cinder/cinder
mysql -uroot -p

MariaDB [(none)]> CREATE DATABASE cinder;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
MariaDB [(none)]> FLUSH PRIVILEGES;
  2. Load the temporary environment variables
. keystonerc_admin
  3. Create the service credentials
    • Create the cinder user, with the custom password cinder
[root@controller-01 ~]# openstack user create --domain default --password-prompt cinder
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 586034dc84fa427baec593ed32501d28 |
| name                | cinder                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
    • Add the admin role to the cinder user; the command prints nothing
openstack role add --project service --user cinder admin
    • Create the cinderv2 and cinderv3 service entities:
[root@controller-01 ~]# openstack service create --name cinderv2 --description "OpenStack Block Storage" volumev2
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Block Storage          |
| enabled     | True                             |
| id          | 08c72135ddcb46fda290c6ec94b270ed |
| name        | cinderv2                         |
| type        | volumev2                         |
+-------------+----------------------------------+

[root@controller-01 ~]# openstack service create --name cinderv3 --description "OpenStack Block Storage" volumev3
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Block Storage          |
| enabled     | True                             |
| id          | 671d97addc654760be943446f9c158f6 |
| name        | cinderv3                         |
| type        | volumev3                         |
+-------------+----------------------------------+
  4. Create the Block Storage service API endpoints:
[root@controller-01 ~]# openstack endpoint create --region RegionOne volumev2 public http://controller-01:8776/v2/%\(project_id\)s
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | 7a53221557e04a619dc0c32f8c7317d0            |
| interface    | public                                      |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 08c72135ddcb46fda290c6ec94b270ed            |
| service_name | cinderv2                                    |
| service_type | volumev2                                    |
| url          | http://controller-01:8776/v2/%(project_id)s |
+--------------+---------------------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne volumev2 internal http://controller-01:8776/v2/%\(project_id\)s
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | 09a252a768084d889d512fcc9d2a654a            |
| interface    | internal                                    |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 08c72135ddcb46fda290c6ec94b270ed            |
| service_name | cinderv2                                    |
| service_type | volumev2                                    |
| url          | http://controller-01:8776/v2/%(project_id)s |
+--------------+---------------------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne volumev2 admin http://controller-01:8776/v2/%\(project_id\)s
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | b9f21f762ce841bba9d54611bd2ecd42            |
| interface    | admin                                       |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 08c72135ddcb46fda290c6ec94b270ed            |
| service_name | cinderv2                                    |
| service_type | volumev2                                    |
| url          | http://controller-01:8776/v2/%(project_id)s |
+--------------+---------------------------------------------+
[root@controller-01 ~]# openstack endpoint create --region RegionOne volumev3 public http://controller-01:8776/v3/%\(project_id\)s
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | d7e6dffcafbb4c4f807808c834af160a            |
| interface    | public                                      |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 671d97addc654760be943446f9c158f6            |
| service_name | cinderv3                                    |
| service_type | volumev3                                    |
| url          | http://controller-01:8776/v3/%(project_id)s |
+--------------+---------------------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne volumev3 internal http://controller-01:8776/v3/%\(project_id\)s
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | ac3c4e5395cc4b82b0ffa3af5548c69c            |
| interface    | internal                                    |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 671d97addc654760be943446f9c158f6            |
| service_name | cinderv3                                    |
| service_type | volumev3                                    |
| url          | http://controller-01:8776/v3/%(project_id)s |
+--------------+---------------------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne volumev3 admin http://controller-01:8776/v3/%\(project_id\)s
+--------------+---------------------------------------------+
| Field        | Value                                       |
+--------------+---------------------------------------------+
| enabled      | True                                        |
| id           | a6479e61952b4e7a85719195c4ac5728            |
| interface    | admin                                       |
| region       | RegionOne                                   |
| region_id    | RegionOne                                   |
| service_id   | 671d97addc654760be943446f9c158f6            |
| service_name | cinderv3                                    |
| service_type | volumev3                                    |
| url          | http://controller-01:8776/v3/%(project_id)s |
+--------------+---------------------------------------------+

CentOS 7 OpenStack (Queens) Installation (6): horizon Dashboard Service

Installing the horizon dashboard service (controller node)

System requirements

horizon in the Queens release has the following dependencies:
– Python 2.7
– Django 1.11
– Django 1.8 to 1.10 are also supported; support for them will be dropped after Rocky.
– A reachable keystone endpoint
– All other services are optional. As of Queens, horizon supports the services below; if a service's keystone endpoint is configured, horizon detects it and enables support for it automatically.
– cinder: Block Storage
– glance: Image Management
– neutron: Networking
– nova: Compute
– swift: Object Storage
– Horizon also supports many other OpenStack services via plugins. For more information, see the Plugin Registry.

Install and configure

  1. Install the package
yum install openstack-dashboard
  2. Edit /etc/openstack-dashboard/local_settings and change the following settings:
OPENSTACK_HOST = "controller-01"
ALLOWED_HOSTS = ['horizon.example.com', 'localhost']   # the host list can also be '*', but that is a security risk

SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

CACHES = {
    'default': {
         'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
         'LOCATION': 'controller-01:11211',
    }
}

OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 2,
}

OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': False,
    'enable_quotas': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False,
}

TIME_ZONE = "TIME_ZONE"     # replace TIME_ZONE with the actual time zone, e.g. Asia/Shanghai
  3. Edit /etc/httpd/conf.d/openstack-dashboard.conf and add the following line:
WSGIApplicationGroup %{GLOBAL}

Finally

  • Restart the web service and the session storage service
systemctl restart httpd.service memcached.service
systemctl status httpd.service memcached.service

Verification (from your workstation)

  • Edit the hosts file on your workstation (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows) and add a test name resolution entry
192.168.1.10    horizon.example.com    # use the IP of the controller node controller-01, and the domain name configured in ALLOWED_HOSTS above

Open http://horizon.example.com/dashboard in a browser on your workstation. The dashboard login page should appear; enter default as the Domain and log in with the admin and demo accounts and their passwords in turn to verify.
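The comment on ALLOWED_HOSTS above is worth turning into a check that runs before httpd is restarted. The script below is an added example, not code from the original post: it lints a local_settings file, flagging a wildcard ALLOWED_HOSTS, `DEBUG = True` and a missing SESSION_ENGINE. The weak settings are constructed; the corrected values repeat the post's configuration. DEBUG is a standard Django/horizon setting that the post does not mention.

```shell
#!/bin/sh
# Added example, not code from the original post: lint a horizon
# local_settings file for the settings a reviewer checks first.
# WEAK_SETTINGS is constructed; SAFE_SETTINGS repeats the post's values.
# DEBUG is a standard Django/horizon setting the post does not mention.
WEAK_SETTINGS="OPENSTACK_HOST = \"controller-01\"
ALLOWED_HOSTS = ['*']
DEBUG = True
OPENSTACK_KEYSTONE_URL = \"http://%s:5000/v3\" % OPENSTACK_HOST"

SAFE_SETTINGS="OPENSTACK_HOST = \"controller-01\"
ALLOWED_HOSTS = ['horizon.example.com', 'localhost']
DEBUG = False
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
OPENSTACK_KEYSTONE_URL = \"http://%s:5000/v3\" % OPENSTACK_HOST"

# check_local_settings < local_settings
# Prints one line per finding and returns 1 if there are any, 0 otherwise.
#   - a '*' entry in ALLOWED_HOSTS makes Django accept any Host header
#     (host-header poisoning of generated links and password-reset mails)
#   - DEBUG = True shows tracebacks and settings to end users
#   - without SESSION_ENGINE the dashboard does not use the memcached
#     session backend the post configures
check_local_settings() {
    cls_findings=$(awk '
        /^[[:space:]]*ALLOWED_HOSTS[[:space:]]*=/ && /['\''"]\*['\''"]/ {
            print "ALLOWED_HOSTS accepts any Host header (wildcard entry)" }
        /^[[:space:]]*DEBUG[[:space:]]*=[[:space:]]*True/ {
            print "DEBUG is enabled (tracebacks and settings leak to users)" }
        /^[[:space:]]*SESSION_ENGINE[[:space:]]*=/ { engine = 1 }
        END { if (!engine) print "SESSION_ENGINE is not set (expected the memcached cache backend)" }')
    [ -z "$cls_findings" ] && return 0
    printf '%s\n' "$cls_findings"
    return 1
}

# Stand-alone run: the weak file produces findings, the corrected one none.
# On a real node: check_local_settings < /etc/openstack-dashboard/local_settings
printf '%s\n' "$WEAK_SETTINGS" | check_local_settings || echo "weak local_settings: fix the findings above"
printf '%s\n' "$SAFE_SETTINGS" | check_local_settings && echo "local_settings OK"
```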

References

https://docs.openstack.org

CentOS 7 OpenStack (Queens) Installation (5): neutron Networking Service

neutron networking service

Controller node

  1. Create the neutron database; the custom user/password is neutron/neutron
mysql -uroot -proot
MariaDB [(none)]> CREATE DATABASE neutron;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
MariaDB [(none)]> FLUSH PRIVILEGES;
  2. Load the admin temporary environment variables
source keystonerc_admin
  3. Create the neutron user in keystone, with the custom password neutron
[root@controller-01 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 6dba19fbf1e44fc5b38d81315ecd141e |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  4. Add the admin role to the neutron user; the command produces no output
openstack role add --project service --user neutron admin
  5. Create the neutron service entity
[root@controller-01 ~]# openstack service create --name neutron --description "OpenStack Networking" network
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 6d99c27e4ca74b4b80db2ea15d1214e1 |
| name        | neutron                          |
| type        | network                          |
+-------------+----------------------------------+
  6. Create the networking service API endpoints
[root@controller-01 ~]# openstack endpoint create --region RegionOne network public http://controller-01:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | eaa491b4812a4f22892f8e31179e035b |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 6d99c27e4ca74b4b80db2ea15d1214e1 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller-01:9696        |
+--------------+----------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne network internal http://controller-01:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 071f2a4a84404310b10f9cb610766e4f |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 6d99c27e4ca74b4b80db2ea15d1214e1 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller-01:9696        |
+--------------+----------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne network admin http://controller-01:9696
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 34016fc444894a7c887e0ae62ca264cf |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 6d99c27e4ca74b4b80db2ea15d1214e1 |
| service_name | neutron                          |
| service_type | network                          |
| url          | http://controller-01:9696        |
+--------------+----------------------------------+

Configure networking options

You can deploy the Networking service using one of the two architectures represented by options 1 and 2.

  • Option 1 deploys the simplest possible architecture, which only supports attaching instances to provider (external) networks. There are no self-service (private) networks, routers, or floating IP addresses. Only the admin or another privileged user can manage provider networks.
  • Option 2 augments option 1 with layer-3 services that support attaching instances to self-service networks. The demo or another unprivileged user can manage self-service networks, including routers that provide connectivity between self-service and provider networks. Additionally, floating IP addresses provide connectivity to instances on self-service networks from external networks such as the Internet.

Self-service networks typically use overlay networks. Overlay network protocols such as VXLAN include additional headers that increase overhead and decrease the space available for the payload or user data. Without knowledge of the virtual network infrastructure, instances attempt to send packets using the default Ethernet maximum transmission unit (MTU) of 1500 bytes. The Networking service automatically provides the correct MTU value to instances via DHCP. However, some cloud images do not use DHCP or ignore the DHCP MTU option and require configuration using metadata or a script.

For my needs, I chose option 2, self-service networks.

From here on the networking component can be either linuxbridge or openvswitch; pick one according to your needs.

CentOS 7 OpenStack (Queens) Installation (4): nova Compute Service

nova compute service (controller node)

  1. Create the databases
mysql -uroot -p
CREATE DATABASE nova_api;
CREATE DATABASE nova;
CREATE DATABASE nova_cell0;
  2. Grant access to the databases; set the user/password to nova/nova
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';

GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';

GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' IDENTIFIED BY 'nova';

FLUSH PRIVILEGES;
  3. Register the nova service in keystone

    • Create the nova user, with the custom password nova

openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | cf5b4a1ac9284483a8601ce212b2150b |
| name                | nova                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
    • Add the admin role to the nova user on the service project; the command prints nothing
openstack role add --project service --user nova admin
    • Create the nova service entity
openstack service create --name nova --description "OpenStack Compute" compute
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Compute                |
| enabled     | True                             |
| id          | 91ef7780ac984136ac0a98a8382f97f0 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+
  4. Create the nova API service endpoints
openstack endpoint create --region RegionOne compute public http://controller-01:8774/v2.1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 70039fd4b0434a79a3da46135a594e40 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 91ef7780ac984136ac0a98a8382f97f0 |
| service_name | nova                             |
| service_type | compute                          |
| url          | http://controller-01:8774/v2.1   |
+--------------+----------------------------------+

openstack endpoint create --region RegionOne compute internal http://controller-01:8774/v2.1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 71103854136c433e80868ed03405b3e3 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 91ef7780ac984136ac0a98a8382f97f0 |
| service_name | nova                             |
| service_type | compute                          |
| url          | http://controller-01:8774/v2.1   |
+--------------+----------------------------------+

openstack endpoint create --region RegionOne compute admin http://controller-01:8774/v2.1
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 54f013b9691d4e7d88e6d49334e7d16b |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 91ef7780ac984136ac0a98a8382f97f0 |
| service_name | nova                             |
| service_type | compute                          |
| url          | http://controller-01:8774/v2.1   |
+--------------+----------------------------------+
  5. Create the Placement service user, with the custom password placement
openstack user create --domain default --password-prompt placement
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 46cd680656344258993928db3717f8ff |
| name                | placement                        |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
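After the service entities and endpoints are registered, the catalog should be checked for gaps before the next service is configured against it. The script below is an added example that is not part of the original series; it applies to the cinder, neutron and nova registrations above and to the glance one that follows. It reads the output of `openstack endpoint list -f value -c 'Service Name' -c Interface -c URL` (a constructed sample here, with one interface deliberately left out, so it runs offline) and reports services lacking one of the public/internal/admin interfaces, endpoints whose host is not the controller, and public endpoints served over plain http, which these posts use and which sends keystone tokens across the network unencrypted.

```shell
#!/bin/sh
# Added example, not code from the original posts: sanity-check the keystone
# service catalog after registering cinder/neutron/nova/glance endpoints.
# Input is the output of
#   openstack endpoint list -f value -c 'Service Name' -c Interface -c URL
# The sample below is constructed from the services registered in the posts,
# with the neutron admin endpoint deliberately left out.
SAMPLE_ENDPOINTS='cinderv2 public http://controller-01:8776/v2/%(project_id)s
cinderv2 internal http://controller-01:8776/v2/%(project_id)s
cinderv2 admin http://controller-01:8776/v2/%(project_id)s
neutron public http://controller-01:9696
neutron internal http://controller-01:9696
nova public http://controller-01:8774/v2.1
nova internal http://controller-01:8774/v2.1
nova admin http://controller-01:8774/v2.1'

# missing_interfaces < endpoint-list
# Every service should have public, internal and admin endpoints; print
# "<service> missing <interface>" for each gap, sorted for stable output.
missing_interfaces() {
    awk '
        { seen[$1 " " $2] = 1; svc[$1] = 1 }
        END {
            n = split("public internal admin", want, " ")
            for (s in svc)
                for (i = 1; i <= n; i++)
                    if (!((s " " want[i]) in seen)) print s, "missing", want[i]
        }' | sort
}

# foreign_hosts EXPECTED_HOST < endpoint-list
# Print "<service> <interface> <host>" for URLs that do not point at the
# controller; a stray host here means clients would send their tokens there.
foreign_hosts() {
    awk -v want="$1" '
        { split($3, part, "/"); host = part[3]; sub(/:.*/, "", host)
          if (host != want) print $1, $2, host }'
}

# plaintext_public < endpoint-list
# Print the services whose public endpoint is not https. The posts register
# http URLs, so outside an isolated lab every service shows up here.
plaintext_public() {
    awk '$2 == "public" && $3 !~ /^https:\/\// { print $1 }' | sort -u
}

# Stand-alone run on the constructed sample. On the controller, replace the
# printf with the openstack endpoint list command quoted above.
printf '%s\n' "$SAMPLE_ENDPOINTS" | missing_interfaces
printf '%s\n' "$SAMPLE_ENDPOINTS" | foreign_hosts controller-01
printf '%s\n' "$SAMPLE_ENDPOINTS" | plaintext_public
```

A missing interface typically surfaces later as a confusing "endpoint not found" error from a different service, so catching it here, right after registration, is far cheaper than debugging it during the nova or cinder configuration steps.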

CentOS 7 OpenStack (Queens) Installation (3): glance Image Service

glance image service (controller node)

  1. Create the glance database and grant access; set the user password to glance
mysql -uroot -p
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
FLUSH PRIVILEGES;
  2. Load the admin temporary environment variables
source keystonerc_admin
  3. Create the glance user in keystone, with the custom password glance
[root@controller-01 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | d9dc186702da415db6b202327b73e08c |
| name                | glance                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  4. Add the admin role to the glance user on the service project in keystone; the command prints nothing
[root@controller-01 ~]# openstack role add --project service --user glance admin
  5. Create the glance image service entity
[root@controller-01 ~]# openstack service create --name glance --description "OpenStack Image" image
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Image                  |
| enabled     | True                             |
| id          | c5fa51ca63b440bda5d277ee6dda23ec |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
  6. Create the image service API endpoints (public, internal and admin)
[root@controller-01 ~]# openstack endpoint create --region RegionOne image public http://controller-01:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 580275b630f14f91903c90f0a46f260d |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c5fa51ca63b440bda5d277ee6dda23ec |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller-01:9292        |
+--------------+----------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne image internal http://controller-01:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0f8142d6abd048fd8c72f1861f713bde |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c5fa51ca63b440bda5d277ee6dda23ec |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller-01:9292        |
+--------------+----------------------------------+

[root@controller-01 ~]# openstack endpoint create --region RegionOne image admin http://controller-01:9292
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | e40b8990bab5493a92469f2ffb7ad55e |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c5fa51ca63b440bda5d277ee6dda23ec |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller-01:9292        |
+--------------+----------------------------------+
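
After the three endpoint create commands it is worth confirming that the catalog really holds one public, one internal and one admin endpoint for the image service, all in the intended region and pointing at the intended URL; a missing or mistyped endpoint only shows up later as an opaque glance client error. The script below is an added example, not code from the original post. The function name check_endpoints and the sample lines are constructed; the assumed real input is the output of `openstack endpoint list --service image -f value -c Region -c Interface -c URL`, one endpoint per line.

```shell
#!/bin/sh
# Constructed sample mirroring the three endpoints created above
# (shape assumed: "<region> <interface> <url>" per line, as printed by
# openstack endpoint list --service image -f value -c Region -c Interface -c URL).
SAMPLE_ENDPOINTS='RegionOne public http://controller-01:9292
RegionOne internal http://controller-01:9292
RegionOne admin http://controller-01:9292'

# check_endpoints REGION EXPECTED_URL  (endpoint lines on stdin)
# Returns 0 when public, internal and admin each appear exactly once in
# REGION with EXPECTED_URL; otherwise reports each problem and returns 1.
check_endpoints() {
    region="$1"; want_url="$2"; rc=0
    input=$(cat)
    for iface in public internal admin; do
        # count how many endpoints exist for this region/interface pair
        n=$(printf '%s\n' "$input" | awk -v r="$region" -v i="$iface" \
            '$1 == r && $2 == i { c++ } END { print c + 0 }')
        if [ "$n" -ne 1 ]; then
            echo "interface $iface: expected 1 endpoint in $region, found $n" >&2
            rc=1
            continue
        fi
        url=$(printf '%s\n' "$input" | awk -v r="$region" -v i="$iface" \
            '$1 == r && $2 == i { print $3 }')
        if [ "$url" != "$want_url" ]; then
            echo "interface $iface: url $url does not match $want_url" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage against a live cloud (assumed invocation, after sourcing keystonerc_admin):
#   openstack endpoint list --service image -f value -c Region -c Interface -c URL \
#       | check_endpoints RegionOne http://controller-01:9292
```

The same function can be reused for every service added later (identity, compute, placement) by changing the `--service` filter and the expected URL. Note that the endpoints on this page are plain http; the check compares the URL verbatim, so once the API is moved behind TLS the expected value becomes the https URL.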

Continue reading "Installing OpenStack (Queens) on CentOS 7: (3) glance image service"

Installing OpenStack (Queens) on CentOS 7: (2) keystone identity service

keystone identity service (controller node)

Create the database

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
FLUSH PRIVILEGES;

Install the packages

yum install openstack-keystone httpd mod_wsgi
  • Edit /etc/keystone/keystone.conf and set the following options
[database]
connection = mysql+pymysql://keystone:keystone@controller-01/keystone
[token]
provider = fernet

Initialize and populate the keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the fernet key repositories

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Verify

[root@controller-01 ~]# mysql -ukeystone -pkeystone keystone -e 'show tables'
Enter password: 
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
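
Listing the tables proves db_sync ran, but it says nothing about the two settings edited above or about the fernet repository that fernet_setup created, and a world-readable fernet key lets anyone on the host mint valid tokens. The script below is an added example, not code from the original post. The function names ini_get, check_keystone_conf and check_fernet_keys are assumed, as is the default key repository path /etc/keystone/fernet-keys; the checks only cover what can be verified offline (option values and file modes), not the keystone:keystone ownership that the `--keystone-user`/`--keystone-group` flags establish.

```shell
#!/bin/sh
# Added example: post-install checks for the keystone.conf edits and the
# fernet key repository described above. Requires GNU stat (Linux).

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s            { insec = 1; next }   # entered the wanted section
        /^\[/              { insec = 0 }         # any other section header ends it
        insec && $0 ~ ("^" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# check_keystone_conf FILE -> 0 when [database] connection uses mysql+pymysql
# and [token] provider is fernet, 1 otherwise (problems are printed to stderr)
check_keystone_conf() {
    conf="$1"; rc=0
    conn=$(ini_get "$conf" database connection)
    case "$conn" in
        mysql+pymysql://*) ;;
        "") echo "[database] connection is not set" >&2; rc=1 ;;
        *)  echo "[database] connection does not use mysql+pymysql: $conn" >&2; rc=1 ;;
    esac
    prov=$(ini_get "$conf" token provider)
    if [ "$prov" != "fernet" ]; then
        echo "[token] provider is '$prov', expected fernet" >&2; rc=1
    fi
    return $rc
}

# check_fernet_keys DIR -> 0 when DIR is mode 700, holds only numbered key
# files, each mode 600, and at least two keys (staged key 0 plus a primary)
check_fernet_keys() {
    dir="$1"; rc=0; count=0
    [ -d "$dir" ] || { echo "key repository $dir is missing" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir should be mode 700" >&2; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            *[!0-9]*) echo "unexpected file in repository: $f" >&2; rc=1; continue ;;
        esac
        count=$((count + 1))
        [ "$(stat -c %a "$f")" = "600" ] || { echo "$f should be mode 600" >&2; rc=1; }
    done
    [ "$count" -ge 2 ] || { echo "expected at least 2 keys, found $count" >&2; rc=1; }
    return $rc
}

# Usage on the controller (assumed paths):
#   check_keystone_conf /etc/keystone/keystone.conf && check_fernet_keys /etc/keystone/fernet-keys
```

Because the connection string carries the database password in clear text, keystone.conf itself should stay unreadable to users other than root and the keystone service account; the same applies to the credential-keys repository created by credential_setup, which the check above can be pointed at unchanged.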

Continue reading "Installing OpenStack (Queens) on CentOS 7: (2) keystone identity service"