Training tutorial: OpenStack architecture training for Qianhai Life Insurance (前海人寿)

Introduction to OpenStack and ESCloud Architecture
Liu Haiping, EasyStack Inc.

Contents
- OpenStack basic concepts
- Installing OpenStack
- Introduction to key OpenStack projects
- ESCloud architecture introduction

OpenStack simple view

OpenStack technical framework
- 500s of configuration items; 19+ packages; error-prone installation; do-it-yourself style
- Identity (keystone), Object Storage (swift), Dashboard (horizon), Network (neutron), Block Storage (cinder), Compute (nova), Image (glance), Orchestration (heat), Usage Metrics (ceilometer)
- Trove, Sahara, Manila, Zaqar, Magnum, Murano.
[Diagram labels: Ceilometer api, queue, data store, collector, Agent, Compute agent, poll (nova, quantum, cinder, glance); Heat api, Heat api-cfn, Heat Engine, Templates (nova, cinder, quantum, glance, swift)]

OpenStack architecture overview

Installing OpenStack

Basic composition of an OpenStack physical environment
This sample three-node configuration shows the basic components of an OpenStack installation:
- Cloud Controller node
- Network node
- One or more Compute nodes
NOTICE: All of the basic components can exist on the same device or be horizontally distributed, with multiple network, compute, and controller nodes, as shown on the following slide.

Installing OpenStack manually
- Prepare nodes (compute, controller, network, etc.)
  - Install OS
  - Configure networking
  - MySQL
  - RabbitMQ
  - Other networking (bridge-utils & IP forwarding)
- Then configure each endpoint service:
  - Install component
  - Configure
  - Create component MySQL DB
  - Edit config files
  - Sync DB to create tables
  - Validate
  - Restart service
  - Test service
- Services: Keystone, Glance, Neutron, Nova, Cinder, Swift, Horizon, Ceilometer, Heat
TIP: Good reference for getting started:

Scripted automated installation of OpenStack
DevStack: a documented shell script to build an OpenStack development environment
1. Select a Linux distribution
2. Install operating system & git
3. Download DevStack
   $ sudo git clone /openstack-dev/devstack.git
4. Configure
5. Start the DevStack installation
   $ cd devstack; ./stack.sh
NOTICE: Only Ubuntu 14.04 (Trusty), Fedora 20 and CentOS/RHEL 6.5 are documented
NOTICE: The devstack repo contains a script that installs OpenStack and templates for configuration files
NOTICE: This process takes over 30-60 minutes, depending on bandwidth, so it's a good time for a beverage
NOTICE: A minimal configuration always includes: (1) no logging (2) pre-set the passwords (3) move network ranges away from local network (4) set the host IP

Other OpenStack installation tools
- EasyStack: Roller (Cobbler+Puppet)
- Mirantis: Fuel (Cobbler+Mcollective+Puppet)
- RedHat: RHELOSP7 Director (TripleO), PackStack for RDO
- Canonical: MAAS+Juju
- HP: HLM (Cobbler+Ansible)
- IBM: ICMWOS (Chef)
- Cobbler, Puppet, Chef, Juju, Ansible

Introduction to key OpenStack projects

Horizon in OpenStack Conceptual Architecture
- Web-based graphical user interface to OpenStack services (e.g. Nova, Swift, Keystone, Glance, etc.)
- Stateless, can be scaled horizontally
- Supports a subset of the OpenStack API, not all

Keystone in OpenStack Conceptual Architecture
- User Management
  - Tracks users and their permissions
  - Provides authentication and authorization for all the OpenStack services
  - Users, tenants, roles
- Service Catalog
  - Catalog of available services with their API endpoints
  - Maintains a user that corresponds to each service (such as nova, for the Compute service)
  - Special service tenant, which is called service
- Integration with existing backend directory services like LDAP

Example Keystone Authentication/Authorization Process (1 of 2)
- Horizon sends HTTP authentication request to Keystone with user credentials
- Keystone validates credentials and replies with temporary token
- Horizon sends POST request, with token, to Nova to start provisioning a VM
- Nova sends token to Keystone for validation
- Keystone validates the token
- Nova forwards a request for an image with the attached token
- Glance sends token to Keystone for validation

Example Keystone Authentication/Authorization Process (2 of 2)
- Keystone validates the token
- Glance provides image-related information to Nova
- Nova sends request for networks to Neutron with token
- Neutron sends token to Keystone for validation
- Keystone validates the token
- Neutron provides network-related information to Nova
- Nova reports status of VM provisioning request

Glance in OpenStack Conceptual Architecture

Glance Architecture
[Diagram labels: glance-api, glance-registry, glance database, store adaptor; stores: S3, File system, Swift, RBD, GridFS, HTTP, Sheepdog, VMware datastore, Cinder]

Glance supported image disk formats
- ari, aki, ami, iso, raw, qcow2, vmdk, vhd, vdi
- ec2 import/export
- qemu-img convert
The qemu-img convert command can convert between multiple formats. Example: to convert from vmdk to raw
$ qemu-img convert -f vmdk -O raw centos64.vmdk centos64.img
Customized images using Cloud-init

Nova in OpenStack Conceptual Architecture

VM Provisioning
[Diagram, before instance is created: Nova Controller; Glance (with predefined images: Image 1 ... Image n); Nova Compute (with available vCPU, memory, and local disk resources); Cinder (with predefined volumes 1 ... n)]
[Diagram, after instance is created: the same components plus an Instance with disks vda, vdb, vdc]

VM provisioning flow
[Diagram repeated on every step slide, labels: Horizon/CLI, Keystone, Glance, Neutron, Cinder, Nova: Controller, Nova: Compute, nova-api, nova-scheduler, nova-conductor, nova database, queue, nova-compute, hypervisor]

Initial State

Step 1: Validate Auth Data
Horizon or CLI gets the user credentials and authenticates with Keystone via REST API. Keystone authenticates the credentials, then generates and sends back an auth-token.

Step 2: Send API Request to Nova-api
Horizon or CLI sends the new instance request to nova-api with specified params: name, flavor, image, keys, number of VMs, etc.

Step 3: Validate API Token
Nova-api receives the request and sends the auth-token and access permission to Keystone for validation. Keystone validates the token and sends updated auth headers with roles and permissions.

Step 4: Get Image Metadata
Nova-api sends the request to Glance for the metadata of the requested image. Glance validates the token and sends back the metadata.

Step 5: Process API Request
Nova-api parses the request and validates its input params, quotas and policies by fetching data from the nova database. If the request is valid, it saves the initial DB entry about the VM to the database.

Step 6: Publish Request to Scheduler
Nova-api sends the rpc.cast request to nova-scheduler, expecting to get an updated instance entry with the host ID specified.

Step 7: Send Response to UI/CLI
Nova-api returns the response to Horizon or CLI. If the request is accepted, the status of the VM will be set as building.

Step 8: Schedule Provisioning
Nova-scheduler fetches information about the whole cluster from the database and, based on this information, selects the most applicable compute host.

Step 9: Start VM Provisioning on Compute Host
Nova-scheduler sends the rpc.cast request to nova-compute for launching the instance on the selected host.

Step 10: Prebuild VM
Nova-compute sends the rpc.call request to nova-conductor to fetch the instance information. Nova-conductor interacts with the database and returns the instance information.

Step 11: Network Allocation
Nova-compute makes the REST call, passing the auth-token to the Network API, to allocate and configure the network so that the instance gets an IP address. Neutron validates the auth-token with Keystone and does the allocation.

Step 12: Prepare Block Device
Nova-compute makes the REST call, passing the auth-token to the Volume API, to attach volumes to the instance. Cinder validates the auth-token with Keystone and does the attachment.

Step 13: Start VM Spawning via Hypervisor
Nova-compute creates a command to the hypervisor and delegates VM rendering to the hypervisor.

Step 14: Request VM Image from Glance
The hypervisor requests the VM image from Glance via image ID. If an image with the given image ID can be found, Glance returns the image URI to the hypervisor. The hypervisor downloads the image using the URI from Glance's back-end.

Step 15: Render VM
Hypervisor renders VM.

VM First Boot
If it is the first boot, the VM will retrieve instance-specific data from the metadata service, which can be implemented by nova-api.

Other Nova Components
- nova-consoleauth
- nova-cert / objectstore
- nova-novncproxy

Nova Supported Hypervisors
[Diagram labels: nova-compute; compute drivers: libvirt, xenapi, hyperv, vmwareapi, docker; hypervisors, each hosting VMs: Docker, Hyper-V, ESXi, XenServer, XCP, KVM, QEMU, Xen, LXC]

Nova-scheduler scheduling algorithms
Compute node selection:
- Compute is configured by default to use the Filter Scheduler.
- The filter scheduler, by default, selects the host with the maximum amount of RAM available.
- The volume scheduler is configured by default to use the Chance Scheduler, which picks a host at random that has the nova-volume service running.

Type of Algorithm | Behavior
Chance | Selects a random host from those available
Simple | Selects a host that has the least number of VMs running
Filter (Note: not used for volume requests) | Selects host that best meets the specified filter criteria

Once the scheduler selects a host, it virtually consumes resources on it, and subsequent selections are adjusted accordingly.

Filter Scheduler - Filters and Weights
- 2-step processing: filters and weights
- Filters determine which hosts are eligible for consideration
- Weighting algorithm sorts hosts from most preferred to least preferred
- All compute nodes periodically publish their status, resources available and hardware capabilities to nova-scheduler
[Diagram: Host 1 to Host 6; after filters are applied: Host 1, Host 3, Host 5, Host 6; after weights are applied the same four hosts are sorted and the winner is picked]

nova-scheduler multi-scheduler filter options
These are some of the available filter options that can be configured in the /etc/nova/nova.conf file of the controller:

Filter Option | Description
AffinityFilter | Same host or different host
AvailabilityZoneFilter | Choose least cost inside selected availability zone
Core | Choose least CPU core utilization
RamFilter | Return hosts with sufficient RAM
ComputeFilter | Returns hosts where requested instance_type matches capabilities
json | Allows JSON based grammar to configure custom schedulers

$ nova boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 --hint query='[">=","$free_ram_mb",1024]' server1

Instance Migration
- Leverages the native migration features inherent within the individual hypervisors
  - Cannot migrate between different hypervisors
- Cold migration
  - The instance is shut down for a period of time to be moved to another hypervisor.
- Live migration: almost no instance downtime. Useful when the instances must be kept running during the migration.
  - Shared storage based live migration. Both hypervisors have access to shared storage.
  - Block live migration. It uses the network (TCP) to copy the instance disk from source host to destination host, thus it takes longer to complete than shared storage based live migration. Also, during migration, host performance will be degraded from the network and CPU points of view.
  - Only available for KVM

Neutron in OpenStack Conceptual Architecture
- Virtual network service
- Provides an API to define the network connectivity and addressing used by devices from other OpenStack services, such as Nova
- Utilizes software-defined networking (SDN)
- A fundamental shift in how data center networks are defined, provisioned and consumed
- Abstracts the physical network implementations
- Allows plugins to configure and manage physical resources
- Requires no other specific projects within OpenStack for it to function correctly
- Supports each tenant having multiple private networks, and allows them to choose their own IP addressing scheme

Logical Networks in OpenStack
[Diagram labels: Public network (Floating IP), Management network, Private network (Tenant Network), Storage network, Internet; nodes: Controller, Network, Storage, Compute]

Neutron features
- Separates the logical (tenant) and physical (provider) views of the network
- API for creating and managing virtual networks
- L2/L3 networking
- LB, FW, VPN
- Nova integration
- Create "virtual" Network, Subnet, Port, vRouter

Tenant and operator views of the network

Conception of Neutron - Network
Create a network. A network is an isolated L2 segment, analogous to a VLAN in the physical networking world.
[Diagram labels: Tenant-A Private Net-1]

Conception of Neutron - Subnet
Create a subnet and associate it with the network. A subnet is a block of v4 or v6 IP addresses and serves as an address pool from which OpenStack can assign IP addresses to VMs. A subnet must be associated with a network. Multiple subnets can be associated with one network.
[Diagram labels: Tenant-A Private Net-1 /24]

Conception of Neutron - Port
Create a port on the network. A port is a connection point for attaching a single device, such as the NIC of a virtual server, to a virtual network. It also describes the associated network configuration, such as the MAC and IP addresses to be used on that port.
[Diagram labels: Tenant-A Private Net-1 /24]

Conception of Neutron - Fixed IP
After the port is created, a VM can be attached to the port. Then the MAC and IP address are injected into the VM. This IP address is also called the fixed IP.
[Diagram labels: Tenant-A Private Net-1 /24, Tenant-A VM1]

Conception of Neutron - Isolated Network
VMs connected to the same subnet can talk to each other directly. Each tenant can have multiple networks.
[Diagram labels: Tenant-A Private Net-1 /24, Tenant-A VM1, Tenant-A VM2, Tenant-A Private Net-2 /24, Tenant-A VM3, Tenant-A VM4]

Conception of Neutron - Router & SNAT
VMs that belong to different subnets can connect to each other or to the external network through a router. A router is a logical entity that forwards packets across internal subnets and NATs them on external networks through an appropriate external gateway. A router has an interface for each subnet with which it is associated.
[Diagram labels: Tenant-A Private Net-1 /24, Tenant-A Private Net-2 /24, Tenant-A VM1 to VM4, Tenant-A Router, External Net /22, Physical Router]

Conception of Neutron - Floating IP
A VM can be accessed from the external network by associating a floating IP with it. A floating IP represents an external IP address that is mapped to a port and, optionally, a specific IP address on a private network.
[Diagram labels: Tenant-A Private Net-1 /24, Tenant-A Private Net-2 /24, Tenant-A VM1 to VM4, Tenant-A Router, External Net /22, Physical Router]

Conception of Neutron - Namespace
With routers combined with namespaces, each tenant can choose their own IP addressing scheme, even if those IP addresses overlap with those used by other tenants. This enables very advanced cloud networking use cases, such as building multi-tiered web applications and allowing applications to be migrated to the cloud without changing IP addresses.
[Diagram labels: Tenant-A Private Net-1 /24, Tenant-A Private Net-2 /24, Tenant-A VM1 to VM4, Tenant-A Router, Tenant-C Private Net /24, Tenant-C VM1, Tenant-C VM2, Tenant-C Router, External Net /22, Physical Router]

Neutron Components
[Diagram labels: neutron-server, REST API service, RPC service, Plugin, database, queue, L2 Agent, DHCP Agent, L3 Agent, Advanced Services, Compute node, Network node]

OpenStack Storage Overview
Comparison of standard boot storage, block storage, and object storage technologies in OpenStack

On-instance / ephemeral | Volumes block storage (Cinder) | Object Storage (Swift)
OS and scratch space | Persistent storage volume for VM | VM images and data
Persists until VM is terminated | Persists until deleted | Persists until deleted
Access associated with VM | Access associated with VM | Available from anywhere
Implemented as filesystem | Mounted via Cinder controlled protocol (iSCSI, FC, etc.) | REST API
Size settings based on flavors | Sizing based on need | Easily scalable for future growth
Example: 10GB first disk, 30GB/core second disk | Example: 1TB extra hard drive | Example: 10s of TBs of dataset storage

Cinder in OpenStack Conceptual Architecture
- Provides volumes to VMs provisioned by OpenStack
- Provides persistent block storage for VMs
- Uses RESTful APIs to communicate with other OpenStack components
- Storage can be SSD or HD and reside in the compute node or a dedicated storage device
- Uses iSCSI or FC to communicate between VM and dedicated storage device
- Supports NFS and CIFS file systems
- Volumes cannot be shared by servers
- Can be backed up to Swift
Note: By default, the primary OS volume doesn't come from Cinder, but rather from ephemeral storage; however, you can create a Cinder boot volume.
- cinder-api: accepts API requests and routes them to cinder-volume for action.
- cinder database: a SQL-based database used to store the details of which volume has been associated with which VM and cinder-scheduler data.
- cinder-scheduler: a daemon, much like the nova-scheduler, that pi
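The Keystone authentication/authorization process from the slides above, as an added Python model that is not part of the original deck or of OpenStack's code: every service that receives the token sends it back to Keystone before answering, so an expired token is refused at the first hop. The class names, the `handle` method, the sample user and the 60-second lifetime are assumptions made for the illustration.

```python
import hmac
import secrets

class Keystone:
    """Toy identity service: issues temporary tokens and validates them."""
    def __init__(self, users, ttl):
        self.users = users        # constructed sample: name -> (password, tenant)
        self.ttl = ttl            # token lifetime in seconds
        self.tokens = {}          # token -> (user, tenant, expires_at)
        self.validations = []     # audit trail: which service asked Keystone

    def authenticate(self, user, password, now):
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
            raise PermissionError("keystone: invalid credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, stored[1], now + self.ttl)
        return token

    def validate(self, token, service, now):
        self.validations.append(service)
        entry = self.tokens.get(token)
        if entry is None or now >= entry[2]:
            raise PermissionError(f"{service}: token rejected by keystone")
        return {"user": entry[0], "tenant": entry[1]}

class Service:
    """An API service that checks every request's token with Keystone first."""
    def __init__(self, name, keystone):
        self.name, self.keystone = name, keystone

    def handle(self, token, now, reply):
        self.keystone.validate(token, self.name, now)
        return reply

class Nova(Service):
    def __init__(self, keystone, glance, neutron):
        super().__init__("nova", keystone)
        self.glance, self.neutron = glance, neutron

    def boot(self, token, image, now):
        owner = self.keystone.validate(token, self.name, now)["user"]  # Nova asks Keystone
        vm = {"status": "building", "owner": owner}
        vm.update(self.glance.handle(token, now, {"image": image}))        # Glance asks again
        vm.update(self.neutron.handle(token, now, {"network": "private"}))  # so does Neutron
        return vm

def demo():
    ks = Keystone({"alice": ("constructed-pw", "tenant-a")}, ttl=60)
    nova = Nova(ks, Service("glance", ks), Service("neutron", ks))
    token = ks.authenticate("alice", "constructed-pw", now=0)
    vm = nova.boot(token, "centos64", now=10)
    try:
        nova.boot(token, "centos64", now=61)  # same token, after its lifetime
        expired = "accepted"
    except PermissionError as err:
        expired = str(err)
    return vm, ks.validations, expired
```

The `validations` list returned by `demo()` is the audit trail of the flow: one Keystone round trip per service per request, which is why token lifetime and revocation take effect at every hop.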
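The two-step filter scheduler from the Nova-scheduler slides above, as an added Python sketch (not nova's code and not from the original deck): filters drop ineligible hosts, a RAM weigher ranks the rest, and the winner's resources are consumed so that later requests see the adjusted state. The host inventory is constructed to match the slide's outcome (Host 1, 3, 5 and 6 survive filtering), and all function names are assumptions.

```python
import copy

# Constructed sample inventory: what each compute node last reported.
HOSTS = [
    {"name": "host1", "free_ram_mb": 4096, "free_vcpus": 4},
    {"name": "host2", "free_ram_mb": 512, "free_vcpus": 8},
    {"name": "host3", "free_ram_mb": 8192, "free_vcpus": 2},
    {"name": "host4", "free_ram_mb": 16384, "free_vcpus": 0},
    {"name": "host5", "free_ram_mb": 6144, "free_vcpus": 4},
    {"name": "host6", "free_ram_mb": 2048, "free_vcpus": 2},
]

def ram_filter(host, req):
    """Pass hosts with enough free RAM for the requested flavor."""
    return host["free_ram_mb"] >= req["ram_mb"]

def core_filter(host, req):
    """Pass hosts with enough free vCPUs for the requested flavor."""
    return host["free_vcpus"] >= req["vcpus"]

def ram_weight(host):
    """More free RAM means more preferred."""
    return host["free_ram_mb"]

def schedule(hosts, req, filters=(ram_filter, core_filter), weigher=ram_weight):
    """Return (winner, ranking) and consume the winner's resources in place."""
    eligible = [h for h in hosts if all(f(h, req) for f in filters)]
    if not eligible:
        raise LookupError("no valid host for request %r" % (req,))
    ranked = sorted(eligible, key=weigher, reverse=True)  # most preferred first
    winner = ranked[0]
    winner["free_ram_mb"] -= req["ram_mb"]   # virtual consumption: the next
    winner["free_vcpus"] -= req["vcpus"]     # selection sees the reduced capacity
    return winner["name"], [h["name"] for h in ranked]

def place(count, req):
    """Schedule `count` identical instances against a private copy of HOSTS."""
    hosts = copy.deepcopy(HOSTS)
    return [schedule(hosts, req)[0] for _ in range(count)]

if __name__ == "__main__":
    flavor = {"ram_mb": 2048, "vcpus": 2}
    print(schedule(copy.deepcopy(HOSTS), flavor))
    print(place(3, flavor))
```

Because the winner's capacity is decremented, three identical requests land on three different hosts instead of all going to the host that started with the most RAM.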
