# 官方提供@yunTaoScripts Openstack组件介绍 🔥🔥


需要5台机器,控制节点,网络节点,计算节点,AMQP节点,数据库节点

# AMQP (高级消息队列协议)

常见的实现有 Qpid、RabbitMQ 两种,是 OpenStack 各组件之间通信的消息中枢。

  • 新增、删除vhosts
[root@openstack-vms71 ~]# rabbitmqctl -h | grep list_vhosts
[root@openstack-vms71 ~]# rabbitmqctl add_vhost aa
Creating vhost "aa"
[root@openstack-vms71 ~]# rabbitmqctl list_vhosts
Listing vhosts
/
[root@openstack-vms71 ~]# rabbitmqctl delete_vhost aa
Deleting vhost "aa"
aa
  • 组件 和 rabbitmq 通信
[root@openstack-vms71 ~]# grep ^transport /etc/nova/nova.conf 
transport_url=rabbit://guest:guest@192.168.26.71:5672/
[root@openstack-vms71 ~]# grep ^transport /etc/cinder/cinder.conf 
transport_url=rabbit://guest:guest@192.168.26.71:5672/
[root@openstack-vms71 ~]# grep ^transport /etc/neutron/neutron.conf 
transport_url=rabbit://guest:guest@192.168.26.71:5672/
                       用户名:密码    访问IP      访问端口(guest:guest 是 RabbitMQ 的默认账号,生产环境应为各组件创建独立账号并使用强密码)
  • 查看用户和权限
[root@openstack-vms71 ~]# rabbitmqctl list_users
Listing users
guest   [administrator]
[root@openstack-vms71 ~]# rabbitmqctl list_user_permissions guest
Listing permissions for user "guest"
/       .*      .*      .*
        <conf>  <write>  <read>
  • 验证用户密码
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user guest 123
Authenticating user "guest"
Error: failed to authenticate user "guest"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user guest guest
Authenticating user "guest"
Success
  • 新增用户
[root@openstack-vms71 ~]# rabbitmqctl add_user tom 123
Creating user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 1234
Authenticating user "tom"
Error: failed to authenticate user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 123
Authenticating user "tom"
Success
  • 修改密码
[root@openstack-vms71 ~]# rabbitmqctl change_password tom 1234
Changing password for user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 123
Authenticating user "tom"
Error: failed to authenticate user "tom"
[root@openstack-vms71 ~]# rabbitmqctl authenticate_user tom 1234
Authenticating user "tom"
Success
  • 用户授权
[root@openstack-vms71 ~]# rabbitmqctl set_permissions -p / tom ".*" ".*" ".*"
Setting permissions for user "tom" in vhost "/"
[root@openstack-vms71 ~]# rabbitmqctl list_user_permissions tom
Listing permissions for user "tom"
/       .*      .*      .*
[root@openstack-vms71 ~]# rabbitmqctl list_users
Listing users
tom     []
guest   [administrator]
[root@openstack-vms71 ~]# rabbitmqctl set_user_tags tom administrator ## 设置标签(set_user_tags 会覆盖该用户原有标签;administrator 可管理整个 broker,应只授予确有需要的账号)
Setting tags for user "tom" to [administrator]
[root@openstack-vms71 ~]# rabbitmqctl list_users
Listing users
tom     [administrator]
guest   [administrator]
  • 启用rabbitmq 管理控制台
[root@openstack-vms71 ~]# rabbitmq-plugins list | grep management
[  ] rabbitmq_federation_management    3.6.16
[  ] rabbitmq_management               3.6.16
[  ] rabbitmq_management_agent         3.6.16
[  ] rabbitmq_management_visualiser    3.6.16
[  ] rabbitmq_shovel_management        3.6.16
[root@openstack-vms71 ~]# rabbitmq-plugins enable rabbitmq_management
The following plugins have been enabled:
  amqp_client
  cowlib
  cowboy
  rabbitmq_web_dispatch
  rabbitmq_management_agent
  rabbitmq_management

Applying plugin configuration to rabbit@openstack-vms71... started 6 plugins.
[root@openstack-vms71 ~]# iptables -I INPUT 1 -j ACCEPT ## 在 INPUT 链首插入一条全部放行的规则(临时放开所有入站流量,仅用于测试访问管理控制台)
[root@openstack-vms71 ~]# iptables -D INPUT 1           ## 测试完成后删除该规则,恢复原有防火墙策略;长期使用应只放行管理控制台端口(默认 15672)

# Keystone

登录验证

# 用户管理

  • 登陆openstack
[root@openstack-vms71 ~]# openstack user list     ## 此时没有登陆身份信息
Missing value auth-url required for auth plugin password
[root@openstack-vms71 ~]# source keystonerc_admin 
[root@openstack-vms71 ~(keystone_admin)]# openstack user list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 134d052e310f402eb3cea8b21b980e7b | admin      |
| 24d9030810bc4f27834c11c743e8ea52 | cinder     |
| 39afb3d0baa9418e9c2d69c19f68ee19 | nova       |
| 40b3e695e72548388304fe3e6792ec0b | neutron    |
| 50aa2b396b504d4e80e5f52bcd9a7bb0 | placement  |
| 70014d1978b844f9a38b42e3ae732bfc | glance     |
| 844a75f804634ebdbd008764d0f56b50 | gnocchi    |
| 87ee0542102a41fb89bad1a7976834d4 | tom        |
| cd97cd37df0942818eac2d345c137758 | aodh       |
| e786dbd5a25b4ff88989b30a914f9928 | swift      |
| f903e126089e4ed2aac69f52ee69b21a | ceilometer |
+----------------------------------+------------+
[root@openstack-vms71 ~(keystone_admin)]# 
  • 切换登陆用户
[root@openstack-vms71 ~(keystone_tom)]# cp keystonerc_admin keystonerc_tom # 复制后把其中的用户名和密码改成 tom 的;该文件含明文密码,应限制为仅属主可读(如 chmod 600)
  • 查看主机和安全组
[root@openstack-vms71 ~(keystone_tom)]# openstack security group  list
[root@openstack-vms71 ~(keystone_tom)]# openstack server list
  • 创建用户(示例用 --password 直接传入明文密码,密码会留在 shell 历史中;实际环境建议改用帮助中列出的 --password-prompt)
[root@openstack-vms71 ~(keystone_admin)]# openstack user create --help | head -12
usage: openstack user create [-h] [-f {json,shell,table,value,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--fit-width]
                             [--print-empty] [--noindent] [--prefix PREFIX]
                             [--domain <domain>] [--project <project>]
                             [--project-domain <project-domain>]
                             [--password <password>] [--password-prompt]
                             [--email <email-address>]
                             [--description <description>]
                             [--enable | --disable] [--or-show]
                             <name>

Create new user
[root@openstack-vms71 ~(keystone_admin)]# openstack user create  bob --email bob@163.com --password 123
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | bob@163.com                      |
| enabled             | True                             |
| id                  | c20386ae60fc4997ba2096a876916572 |
| name                | bob                              |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • 查看修改用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user set  bob --email bob@icloud.com
[root@openstack-vms71 ~(keystone_admin)]# openstack user show bob
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | bob@icloud.com                   |
| enabled             | True                             |
| id                  | c20386ae60fc4997ba2096a876916572 |
| name                | bob                              |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • 禁用用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user set  bob --disable
[root@openstack-vms71 ~(keystone_admin)]# openstack user show bob
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | bob@icloud.com                   |
| enabled             | False                            |
| id                  | c20386ae60fc4997ba2096a876916572 |
| name                | bob                              |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • 删除用户
[root@openstack-vms71 ~(keystone_admin)]# openstack user delete bob

# 项目管理

[root@openstack-vms71 ~(keystone_admin)]# openstack project create p1
[root@openstack-vms71 ~(keystone_admin)]# openstack project list
[root@openstack-vms71 ~(keystone_admin)]# openstack project delete p1

# 角色管理

[root@openstack-vms71 ~(keystone_admin)]# openstack role create role1
[root@openstack-vms71 ~(keystone_admin)]# openstack role list
[root@openstack-vms71 ~(keystone_admin)]# openstack role delete role1
  • 绑定角色
[root@openstack-vms71 ~(keystone_admin)]# openstack role assignment list --name
+---------------+--------------------+----------------+------------------+--------+--------+-----------+
| Role          | User               | Group          | Project          | Domain | System | Inherited |
+---------------+--------------------+----------------+------------------+--------+--------+-----------+
| admin         | admin@Default      |                | admin@Default    |        |        | False     |
| admin         | cinder@Default     |                | services@Default |        |        | False     |
| admin         | nova@Default       |                | services@Default |        |        | False     |
| admin         | neutron@Default    |                | services@Default |        |        | False     |
| admin         | placement@Default  |                | services@Default |        |        | False     |
| admin         | glance@Default     |                | services@Default |        |        | False     |
| admin         | gnocchi@Default    |                | services@Default |        |        | False     |
| member        | tom@Default        |                | Oscar@Default    |        |        | False     |
| _member_      | tom@Default        |                | boeing@Default   |        |        | False     |
| admin         | aodh@Default       |                | services@Default |        |        | False     |
| admin         | swift@Default      |                | services@Default |        |        | False     |
| ResellerAdmin | ceilometer@Default |                | services@Default |        |        | False     |
| admin         | ceilometer@Default |                | services@Default |        |        | False     |
| member        |                    | Boeing@Default | boeing@Default   |        |        | False     |
| member        |                    | Oscar@Default  | Oscar@Default    |        |        | False     |
| admin         | admin@Default      |                |                  |        | all    | False     |
+---------------+--------------------+----------------+------------------+--------+--------+-----------+
[root@openstack-vms71 ~(keystone_admin)]# 
[root@openstack-vms71 ~(keystone_admin)]# openstack role add role1 --project p1 --user bob
No role with a name or ID of 'role1' exists.
[root@openstack-vms71 ~(keystone_admin)]# openstack role create role1
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 7bfbe1b74b2e4250bef6cfb1e865133b |
| name      | role1                            |
+-----------+----------------------------------+
[root@openstack-vms71 ~(keystone_admin)]# openstack role add role1 --project p1 --user bob
[root@openstack-vms71 ~(keystone_admin)]# openstack role assignment list --name| grep bob
| role1         | bob@Default        |                | p1@Default       |        |        | False     |
  • 对cinder 生成授权访问信息(下面 ll 输出中,以 root 生成的 policy.json 为 root:root、所有人可读,与目录内其他配置文件的 root:cinder、640 不一致,建议调整为一致)
[root@openstack-vms71 cinder(keystone_admin)]# oslopolicy-policy-generator --namespace cinder --output-file /etc/cinder/policy.json
[root@openstack-vms71 cinder(keystone_admin)]# ll
总用量 204
-rw-r----- 1 root   cinder   2204 34 2020 api-paste.ini
-rw-r----- 1 root   cinder 187011 1212 16:21 cinder.conf
-rw-r--r-- 1 root   root     7338 1214 11:37 policy.json
-rw-r----- 1 root   cinder    598 34 2020 resource_filters.json
-rw-r----- 1 root   cinder    991 34 2020 rootwrap.conf
drwxr-xr-x 2 root   root       30 1212 16:15 rootwrap.d
drwxr-xr-x 2 cinder root        6 34 2020 volumes
[root@openstack-vms71 cinder(keystone_admin)]# grep '"volume:create"' policy.json ## 此时只有role1 可以创建卷,默认为空代表所有人可创建。
"volume:create": "role:role1"

角色在openstack 和 Kubernetes 之间的区别

  • openstack 中角色只是一个名称,具体授权由各组件自己的策略文件(如上面的 /etc/cinder/policy.json)决定。
  • k8s 中角色代表可操作的动作和可操作的资源。

# 域管理

域类似 CCE 中的组织概念,可以理解为一个公司,是在项目隔离的基础上做的进一步隔离:不同域中可以出现相同的项目名称。角色在不同域之间是共享的,而用户在不同域之间是相互区分的。

  • 查看域
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+
  • 创建删除域
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain create oa 
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | b5c671f26be54045916c69639fd763dd |
| name        | oa                               |
| tags        | []                               |
+-------------+----------------------------------+

[root@openstack-vms71 cinder(keystone_admin)]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| b5c671f26be54045916c69639fd763dd | oa      | True    |                    |
| default                          | Default | True    | The default domain |
+----------------------------------+---------+---------+--------------------+

[root@openstack-vms71 cinder(keystone_admin)]# openstack domain set --disable oa
[root@openstack-vms71 cinder(keystone_admin)]# openstack domain delete oa
  • dashboard 增加域选项
[root@openstack-vms71 ~]# egrep -v "^#" /etc/openstack-dashboard/local_settings  | egrep -i "multidomain|session_timeout"
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
SESSION_TIMEOUT = 18000
  • 创建域用户、项目
[root@openstack-vms71 ~(keystone_admin)]# openstack user create --domain oa --password redhat admin 
[root@openstack-vms71 ~(keystone_admin)]# openstack project create oa-project1 --domain oa
[root@openstack-vms71 ~(keystone_admin)]# openstack project list --domain oa
[root@openstack-vms71 ~(keystone_admin)]# openstack role add role1 --user 9fe929df9ee8478dabc5344526454afe --project f4df16d68cc6470ca5b6f388506afcbb
[root@openstack-vms71 ~(keystone_admin)]# openstack role assignment list --domain oa

# 组管理

[root@openstack-vms71 ~(keystone_admin)]# openstack group create group1
[root@openstack-vms71 ~(keystone_admin)]# openstack group list
[root@openstack-vms71 ~(keystone_admin)]# openstack group contains user group1 tom
tom not in group group1
[root@openstack-vms71 ~(keystone_admin)]# openstack group add user group1 tom
[root@openstack-vms71 ~(keystone_admin)]# openstack group contains user group1 tom
tom in group group1

# 模块管理

这块没搞懂

最后修改时间: 12/31/2022, 12:00:03 PM