# 官方提供@yunTaoScripts Openstack组件介绍 🔥🔥
需要5台机器:控制节点、网络节点、计算节点、AMQP节点、数据库节点
# AMQP (高级消息队列协议)
有两种产品:Qpid、RabbitMQ,是各组件之间的信息中枢。
- 新增、删除vhosts
[root@openstack-vms71 ~]# rabbitmqctl -h | grep list_vhosts
[root@openstack-vms71 ~]# rabbitmqctl add_vhost aa
Creating vhost "aa"
[root@openstack-vms71 ~]# rabbitmqctl list_vhosts
Listing vhosts
/
[root@openstack-vms71 ~]# rabbitmqctl delete_vhost aa
Deleting vhost "aa"
aa
- 各组件与 rabbitmq 通信的配置
[root@openstack-vms71 ~]# grep ^transport /etc/nova/nova.conf
transport_url=rabbit://guest:guest@192.168.26.71:5672/
[root@openstack-vms71 ~]# grep ^transport /etc/cinder/cinder.conf
transport_url=rabbit://guest:guest@192.168.26.71:5672/
[root@openstack-vms71 ~]# grep ^transport /etc/neutron/neutron.conf
transport_url=rabbit://guest:guest@192.168.26.71:5672/
格式为 用户名:密码@访问IP:访问端口(此处的 guest:guest 是 rabbitmq 自带的默认管理员账号)
- 查看用户和权限
[root@openstack-vms71 ~]# rabbitmqctl list_users
Listing users
guest [administrator]
[root@openstack-vms71 ~]# rabbitmqctl list_user_permissions guest
Listing permissions for user "guest"
/ .* .* .*
<conf> <write> <read>
- 验证用户密码
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user guest 123
Authenticating user "guest"
Error: failed to authenticate user "guest"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user guest guest
Authenticating user "guest"
Success
- 新增用户
[root@openstack-vms71 ~]# rabbitmqctl add_user tom 123
Creating user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 1234
Authenticating user "tom"
Error: failed to authenticate user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 123
Authenticating user "tom"
Success
- 修改密码
[root@openstack-vms71 ~]# rabbitmqctl change_password tom 1234
Changing password for user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 123
Authenticating user "tom"
Error: failed to authenticate user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 1234
Authenticating user "tom"
Success
- 用户授权
[root@openstack-vms71 ~]# rabbitmqctl set_permissions -p / tom ".*" ".*" ".*"
Setting permissions for user "tom" in vhost "/"
[root@openstack-vms71 ~]# rabbitmqctl list_user_permissions tom
Listing permissions for user "tom"
/ .* .* .*
[root@openstack-vms71 ~]# rabbitmqctl list_users
Listing users
tom []
guest [administrator]
[root@openstack-vms71 ~]# rabbitmqctl set_user_tags tom administrator ## 添加标签
Setting tags for user "tom" to [administrator]
[root@openstack-vms71 ~]# rabbitmqctl list_users
Listing users
tom [administrator]
guest [administrator]
- 启用rabbitmq 管理控制台
[root@openstack-vms71 ~]# rabbitmq-plugins list | grep management
[ ] rabbitmq_federation_management 3.6.16
[ ] rabbitmq_management 3.6.16
[ ] rabbitmq_management_agent 3.6.16
[ ] rabbitmq_management_visualiser 3.6.16
[ ] rabbitmq_shovel_management 3.6.16
[root@openstack-vms71 ~]# rabbitmq-plugins enable rabbitmq_management
The following plugins have been enabled:
amqp_client
cowlib
cowboy
rabbitmq_web_dispatch
rabbitmq_management_agent
rabbitmq_management
Applying plugin configuration to rabbit@openstack-vms71... started 6 plugins.
[root@openstack-vms71 ~]# iptables -I INPUT 1 -j ACCEPT ## 在 INPUT 链首插入放行所有入站流量的规则(相当于关闭防火墙过滤)
[root@openstack-vms71 ~]# iptables -D INPUT 1 ## 删除上面插入的第 1 条规则,恢复防火墙过滤
# Keystone
登录验证
# 用户管理
- 登录openstack
[root@openstack-vms71 ~]# openstack user list ## 此时没有登录身份信息
Missing value auth-url required for auth plugin password
[root@openstack-vms71 ~]# source keystonerc_admin
[root@openstack-vms71 ~(keystone_admin)]# openstack user list
+----------------------------------+------------+
| ID | Name |
+----------------------------------+------------+
| 134d052e310f402eb3cea8b21b980e7b | admin |
| 24d9030810bc4f27834c11c743e8ea52 | cinder |
| 39afb3d0baa9418e9c2d69c19f68ee19 | nova |
| 40b3e695e72548388304fe3e6792ec0b | neutron |
| 50aa2b396b504d4e80e5f52bcd9a7bb0 | placement |
| 70014d1978b844f9a38b42e3ae732bfc | glance |
| 844a75f804634ebdbd008764d0f56b50 | gnocchi |
| 87ee0542102a41fb89bad1a7976834d4 | tom |
| cd97cd37df0942818eac2d345c137758 | aodh |
| e786dbd5a25b4ff88989b30a914f9928 | swift |
| f903e126089e4ed2aac69f52ee69b21a | ceilometer |
+----------------------------------+------------+
[root@openstack-vms71 ~(keystone_admin)]#
- 切换登录用户
[root@openstack-vms71 ~(keystone_tom)]# cp keystonerc_admin keystonerc_tom # 复制后把文件中的用户名和密码改为 tom 的,再 source 该文件
- 查看主机和安全组
[root@openstack-vms71 ~(keystone_tom)]# openstack security group list
[root@openstack-vms71 ~(keystone_tom)]# openstack server list
- 创建用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user create --help | head -12
usage: openstack user create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>] [--fit-width]
[--print-empty] [--noindent] [--prefix PREFIX]
[--domain <domain>] [--project <project>]
[--project-domain <project-domain>]
[--password <password>] [--password-prompt]
[--email <email-address>]
[--description <description>]
[--enable | --disable] [--or-show]
<name>
Create new user
[root@openstack-vms71 ~(keystone_admin)]# openstack user create bob --email bob@163.com --password 123
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| email | bob@163.com |
| enabled | True |
| id | c20386ae60fc4997ba2096a876916572 |
| name | bob |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- 查看修改用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user set bob --email bob@icloud.com
[root@openstack-vms71 ~(keystone_admin)]# openstack user show bob
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| email | bob@icloud.com |
| enabled | True |
| id | c20386ae60fc4997ba2096a876916572 |
| name | bob |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- 禁用用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user set bob --disable
[root@openstack-vms71 ~(keystone_admin)]# openstack user show bob
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| email | bob@icloud.com |
| enabled | False |
| id | c20386ae60fc4997ba2096a876916572 |
| name | bob |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- 删除用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user delete bob
# 项目管理
[root@openstack-vms71 ~(keystone_admin)]# openstack project create p1
[root@openstack-vms71 ~(keystone_admin)]# openstack project list
[root@openstack-vms71 ~(keystone_admin)]# openstack project delete p1
# 角色管理
[root@openstack-vms71 ~(keystone_admin)]# openstack role create role1
[root@openstack-vms71 ~(keystone_admin)]# openstack role list
[root@openstack-vms71 ~(keystone_admin)]# openstack role delete role1
- 绑定角色
[root@openstack-vms71 ~(keystone_admin)]# openstack role assignment list --name
+---------------+--------------------+----------------+------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+---------------+--------------------+----------------+------------------+--------+--------+-----------+
| admin | admin@Default | | admin@Default | | | False |
| admin | cinder@Default | | services@Default | | | False |
| admin | nova@Default | | services@Default | | | False |
| admin | neutron@Default | | services@Default | | | False |
| admin | placement@Default | | services@Default | | | False |
| admin | glance@Default | | services@Default | | | False |
| admin | gnocchi@Default | | services@Default | | | False |
| member | tom@Default | | Oscar@Default | | | False |
| _member_ | tom@Default | | boeing@Default | | | False |
| admin | aodh@Default | | services@Default | | | False |
| admin | swift@Default | | services@Default | | | False |
| ResellerAdmin | ceilometer@Default | | services@Default | | | False |
| admin | ceilometer@Default | | services@Default | | | False |
| member | | Boeing@Default | boeing@Default | | | False |
| member | | Oscar@Default | Oscar@Default | | | False |
| admin | admin@Default | | | | all | False |
+---------------+--------------------+----------------+------------------+--------+--------+-----------+
[root@openstack-vms71 ~(keystone_admin)]#
[root@openstack-vms71 ~(keystone_admin)]# openstack role add role1 --project p1 --user bob
No role with a name or ID of 'role1' exists.
[root@openstack-vms71 ~(keystone_admin)]# openstack role create role1
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 7bfbe1b74b2e4250bef6cfb1e865133b |
| name | role1 |
+-----------+----------------------------------+
[root@openstack-vms71 ~(keystone_admin)]# openstack role add role1 --project p1 --user bob
[root@openstack-vms71 ~(keystone_admin)]# openstack role assignment list --name| grep bob
| role1 | bob@Default | | p1@Default | | | False |
- 对cinder 生成授权访问信息
[root@openstack-vms71 cinder(keystone_admin)]# oslopolicy-policy-generator --namespace cinder --output-file /etc/cinder/policy.json
[root@openstack-vms71 cinder(keystone_admin)]# ll
总用量 204
-rw-r----- 1 root cinder 2204 3月 4 2020 api-paste.ini
-rw-r----- 1 root cinder 187011 12月 12 16:21 cinder.conf
-rw-r--r-- 1 root root 7338 12月 14 11:37 policy.json
-rw-r----- 1 root cinder 598 3月 4 2020 resource_filters.json
-rw-r----- 1 root cinder 991 3月 4 2020 rootwrap.conf
drwxr-xr-x 2 root root 30 12月 12 16:15 rootwrap.d
drwxr-xr-x 2 cinder root 6 3月 4 2020 volumes
[root@openstack-vms71 cinder(keystone_admin)]# grep '"volume:create"' policy.json ## 此时只有拥有 role1 角色的用户可以创建卷;规则为空(默认)表示所有人都可以创建。
"volume:create": "role:role1"
角色在openstack 和 Kubernetes 之间的区别
- openstack 中角色本身只是一个名称,具体能做什么由各组件的 policy 规则决定。
- k8s 中角色代表可操作的动作和可操作的资源。
# 域管理
类似cce 的组织概念,可以理解为代表一家公司:在项目隔离的基础上做进一步的隔离,不同域中可以出现相同的项目名称。角色在不同域之间是共享的,但用户在不同域之间是区分的。
- 查看域
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
- 创建删除域
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain create oa
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | b5c671f26be54045916c69639fd763dd |
| name | oa |
| tags | [] |
+-------------+----------------------------------+
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| b5c671f26be54045916c69639fd763dd | oa | True | |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain set --disable oa
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain delete oa
- dashboard 增加域选项
[root@openstack-vms71 ~]# egrep -v "^#" /etc/openstack-dashboard/local_settings | egrep -i "multidomain|session_timeout"
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
SESSION_TIMEOUT = 18000
- 创建域用户、项目
[root@openstack-vms71 ~(keystone_admin)]# openstack user create --domain oa --password redhat admin
[root@openstack-vms71 ~(keystone_admin)]# openstack project create oa-project1 --domain oa
[root@openstack-vms71 ~(keystone_admin)]# openstack project list --domain oa
[root@openstack-vms71 ~(keystone_admin)]# openstack role add role1 --user 9fe929df9ee8478dabc5344526454afe --project f4df16d68cc6470ca5b6f388506afcbb
[root@openstack-vms71 ~(keystone_admin)]# openstack role assignment list --domain oa
# 组管理
[root@openstack-vms71 ~(keystone_admin)]# openstack group create group1
[root@openstack-vms71 ~(keystone_admin)]# openstack group list
[root@openstack-vms71 ~(keystone_admin)]# openstack group contains user group1 tom
tom not in group group1
[root@openstack-vms71 ~(keystone_admin)]# openstack group add user group1 tom
[root@openstack-vms71 ~(keystone_admin)]# openstack group contains user group1 tom
tom in group group1
# 模块管理
这块没搞懂