目录:
1. 命令行概述
2. ntp常用命令
3. rabbitmq常用命令
4. MySQL常用命令
5. keystone常用命令
6. glance常用命令
7. swift常用命令
8. nova常用命令
9. neutron常用命令
10.cinder常用命令
1. 命令行概述
openstack中涉及的项目非常多,其中核心的项目有:keystone,glance,nova,neutron,cinder,swift等,其他额外的项目还包括:ntp,MySQL,rabbitmq等,设计的相关命令非常多,这些命令行工具在排错时候非常有用,能够快速的查阅openstack里面的状态情况。此外,openstack中的项目,也可以通过web界面的方式进行操作,相比于web界面,命令行具有功能强大,快速等功能,还能通过shell,完成批量管理工作。
2. ntp常用命令
2.1 ntp概述
openstack由多个project共同完成服务,是一个大规模的集群,通常包含几个小集群:controller集群,compute集群,cinder集群,swift集群,集群之间通信,时间的准确非常重要,如果时间不同步,可能会导致集群内的服务出现"心跳异常",从而导致服务出现故障,我个人曾经经历过compute节点时间不一致的情况,导致compute节点上的nova服务出现了down的状态,进而影响了kvm上运行的虚拟机。ntp时间不准确,可能影响比较重要的服务有:nova、neutron、cinder和swift。
2.2 ntp常用命令
RHEL7/CentOS7之后的系统,用chonyd服务取代了ntpd服务,相关的配置文件和客户端命令大体相似,客户端的配置文件位于/etc/chrony.conf,可以通过server关键字指定上一级需要同步时间的ntp服务器地址。此外,ntp第一次同步时间时,如果时间跨度很大,不会立即同步,而是采用跳跃的方式进行时间同步的,如果想要快速同步时间,需要将chonyd服务停止,然后使用ntpdate的方式同步,如下:
[root@controller ~]# systemctl status chronyd chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled) Active: active (running) since Thu 2015-11-05 15:50:28 CST; 6s ago Process: 16987 ExecStartPost=/usr/libexec/chrony-helper add-dhclient-servers (code=exited, status=0/SUCCESS) Process: 16978 ExecStart=/usr/sbin/chronyd -u chrony $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 16980 (chronyd) CGroup: /system.slice/chronyd.service └─16980 /usr/sbin/chronyd -u chrony Nov 05 15:50:27 controller systemd[1]: Starting NTP client/server... Nov 05 15:50:27 controller chronyd[16980]: chronyd version 1.29.1 starting Nov 05 15:50:28 controller chronyd[16980]: Linux kernel major=3 minor=10 patch=0 Nov 05 15:50:28 controller chronyd[16980]: hz=100 shift_hz=7 freq_scale=1.00000000 nominal_tick=10000 slew_delta_tick=833 max_tick_bias=1000 shift_pll=2 Nov 05 15:50:28 controller chronyd[16980]: Frequency -1.378 +/- 0.670 ppm read from /var/lib/chrony/drift Nov 05 15:50:28 controller systemd[1]: Started NTP client/server. [root@controller ~]# systemctl stop chronyd [root@controller ~]# ntpdate 10.1.0.136 #强制同步时间 5 Nov 15:50:54 ntpdate[17029]: adjust time server 10.1.0.136 offset 0.000077 sec [root@controller ~]# hwclock -w #将当前系统时间写入到BIOS [root@controller ~]# systemctl start chronyd [root@controller ~]# chronyc sources -v #客户端校验时间的情况 210 Number of sources = 1 .-- Source mode ‘^‘ = server, ‘=‘ = peer, ‘#‘ = local clock. / .- Source state ‘*‘ = current synced, ‘+‘ = combined , ‘-‘ = not combined, | / ‘?‘ = unreachable, ‘x‘ = time may be in error, ‘~‘ = time too variable. || .- xxxx [ yyyy ] +/- zzzz || / xxxx = adjusted offset, || Log2(Polling interval) -. | yyyy = measured offset, || \ | zzzz = estimated error. || | | MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^? 10.1.0.136 4 6 1 10 +81us[ +81us] +/- 305ms #发现^?标志,则表示时间已经同步完成!!
2. rabbitmq常用命令
2.1 rabbitmq概述
高级的消息队列MQ作为openstack各个组件之间通讯的枢纽,起着非常重要的作用,rabbitmq作为生产者—消费者的消息队列模型,在分布式的系统中,完成各项组件交互,具有非常重要的意义,在openstack环境下,需要确保rabbitmq具有高可用特性,且保障数据的持久化(机器意外关机,队列中的数据不会丢失),如下是一些参考命令。
2.2 rabbitmq常用命令
#管理命令,包括启动,关闭
stop [<pid_file>]
stop_app
start_app
wait <pid_file>
reset
force_reset
rotate_logs <suffix>
#集群操作,如加入集群,退出集群,跟新集群
join_cluster <clusternode> [--ram]
cluster_status
change_cluster_node_type disc | ram
forget_cluster_node [--offline]
update_cluster_nodes clusternode
sync_queue queue
cancel_sync_queue queue
set_cluster_name name
#rabbitmq用户操作,如增加,删除,修改,改密码
add_user <username> <password>
delete_user <username>
change_password <username> <newpassword>
clear_password <username>
set_user_tags <username> <tag> ...
list_users
#vhost操作,如创建vhost,对vhost授权和回收权限
add_vhost <vhostpath>
delete_vhost <vhostpath>
list_vhosts [<vhostinfoitem> ...]
set_permissions [-p <vhostpath>] <user> <conf> <write> <read>
clear_permissions [-p <vhostpath>] <username>
list_permissions [-p <vhostpath>]
list_user_permissions <username>
#配置策略,在HA的时候需要用到
set_policy [-p <vhostpath>] [--priority <priority>] [--apply-to <apply-to>] <name> <pattern> <definition>
clear_policy [-p <vhostpath>] <name>
list_policies [-p <vhostpath>]
#查看rabbitmq中状态信息,如队列,连接,交换信息
list_queues [-p <vhostpath>] [<queueinfoitem> ...]
list_exchanges [-p <vhostpath>] [<exchangeinfoitem> ...]
list_bindings [-p <vhostpath>] [<bindinginfoitem> ...]
list_connections [<connectioninfoitem> ...]
list_channels [<channelinfoitem> ...]
list_consumers [-p <vhostpath>]
status
说明,具体的操作,如用户,权限等操作例子,可以参考另外一篇blog,连接:http://happylab.blog.51cto.com/1730296/1707749。
4. MySQL常用命令
openstack中所有的状态化数据都保存在database中,针对每一个project都会有一个database存储对应的表,表里面记录了每个服务的一个状态信息,通常在web界面或者是命令行的操作,实际上是对数据库的增,删,改,查,例如:创建一台虚拟机,会把虚拟的状态信息写到nova.instances表中,会在neutron中记录ip地址的分配情况,会在cinder的volume表中记录存储的分配情况。一般情况而言,都是通过api(命令行或者web界面)的方式去调用后端的database,而不是直接修改数据库。但有些场景,比如cinder-volume不能正常工作,nova-compute无法正常工作,会导致api的方式无法执行,此时,数据库提供了对openstack原理的理解,也提供了另外一种方式去操作openstack中的项目。
需要注意的是,通常情况下,不要轻易去修改数据库,如果需要修改,则提前通过mysqldump将整个数据库进行备份(实际的环境中,采用周期性的方式备份,如每天备份一次,或者每隔一个小时备份一次),并且执行select,update,delete时,需要加上where语句严格做限制,防止一些不必要的误操作,而击垮整个云平台。
常用的SQL语句有:
show databases; 查看数据库 use database; 切换至指定的库 show tables; 查看库中的所有表 select * from tables; 查看表中的所有值 update table set item=value condition 修改表中的某个字段 delete from table where condition 删除表中的某个条目
如下的例子:
MariaDB [(none)]> show databases; #查看库 +--------------------+ | Database | +--------------------+ | information_schema | | cinder | | glance | | keystone | | mysql | | neutron | | nova | | performance_schema | | test | +--------------------+ 9 rows in set (0.09 sec) MariaDB [nova]> use keystone; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [keystone]> show tables; #查看表 +-----------------------+ | Tables_in_keystone | +-----------------------+ | assignment | | credential | | domain | | endpoint | | group | | id_mapping | | migrate_version | | policy | | project | | region | | revocation_event | | role | | service | | token | | trust | | trust_role | | user | | user_group_membership | +-----------------------+ 18 rows in set (0.00 sec) MariaDB [keystone]> select * from user where id=‘ef22346fb7da47199e44e68c9d3cc85f‘\G; #查阅表中条目的内容,使用where限定符合指定条件内容 *************************** 1. row *************************** id: ef22346fb7da47199e44e68c9d3cc85f name: cinder extra: {"email": "cinder@localhost"} password: $6$rounds=40000$7tnqG1tIIsZKcOin$uRdIYV0CZSOWSaWYHnjkd.nUsm3WAKFavqBp97ps28CXcQ1qdl1aEHRxr2Cqybryr22pmP.nFoSZ0uvsEaz9J/ enabled: 1 domain_id: default default_project_id: b0cdad40760c4a248031d8989d96584e 1 row in set (0.00 sec) MariaDB [keystone]> update user set enabled=0 where id=‘ef22346fb7da47199e44e68c9d3cc85f‘\G; #更新某个字段的内容 Query OK, 1 row affected (0.01 sec) Rows matched: 1 Changed: 1 Warnings: 0
注意事项:千叮万嘱,对于数据库,只用于理解openstack的体系结构,非常不建议直接对数据库进行操作,以避免一些不必要的错误,影响云平台正常对外提供服务,当然,我个人在实际的生产环境中,经历过非得修改数据库的状况,千万记得,修改之前,对数据库执行全量的备份,以免出现故障时,能够快速恢复服务。
5. keystone常用命令
5.1 keystone概述
keystone主要用于实现openstack中的认证功能,其具有两个主要的功能:1. 认证和授权,为openstack中的用户提供认证和授权功能,涉及user,tenant,role方面的的操作,2. catalog服务,即所有的project需要将自己的url路径以service的形式,注册到keystone中,方便其他project的调用,涉及service和endpoint方面的操作。
5.2 keystone认证和授权
1、用户管理
用户管理涉及到四个子命令:
user-create 创建
user-delete 删除
user-update 修改
user-list 查看
user-get 查看详细信息
例子1: 创建一个user1的用户
[root@controller ~(keystone_admin)]# keystone user-create --name user1 --pass redhat --email user1@servera.pod0.example.com --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | user1@servera.pod0.example.com | | enabled | True | | id | d56f52bff9264982a3ab32225f22e32e | | name | user1 | | username | user1 | +----------+----------------------------------+ [root@controller ~(keystone_admin)]# keystone user-list +----------------------------------+------------+---------+--------------------------------+ | id | name | enabled | email | +----------------------------------+------------+---------+--------------------------------+ | 00a17d0457ee4841927d404aacb68672 | admin | True | root@localhost | | 042a22bba96e45a59d5ed591fd2694bd | ceilometer | True | ceilometer@localhost | | ef22346fb7da47199e44e68c9d3cc85f | cinder | False | cinder@localhost | | 4c88ec1634a34030bb48abd747b86797 | glance | True | glance@localhost | | 4f9e33aa706d4168a92a9021c82dbafe | neutron | True | neutron@localhost | | 3554baf92ed44edea75060011c14b72f | nova | True | nova@localhost | | 25d8a47b5ec040d3800ca219b86a6467 | swift | True | swift@localhost | | d56f52bff9264982a3ab32225f22e32e | user1 | True | user1@servera.pod0.example.com | +----------------------------------+------------+---------+--------------------------------+ [root@controller ~(keystone_admin)]# keystone user-get user1 +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | user1@servera.pod0.example.com | | enabled | True | | id | d56f52bff9264982a3ab32225f22e32e | | name | user1 | | username | user1 | +----------+----------------------------------+
例子2:修改user的信息,修改其mail的地址
[root@controller ~(keystone_admin)]# keystone user-update --email user1@pod0.example.com d56f52bff9264982a3ab32225f22e32e #获取id号码 User has been updated. [root@controller ~(keystone_admin)]# keystone user-get d56f52bff9264982a3ab32225f22e32e +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | user1@pod0.example.com | #内容已经update | enabled | True | | id | d56f52bff9264982a3ab32225f22e32e | | name | user1 | | username | user1 | +----------+----------------------------------+
例子3:删除用户
[root@controller ~(keystone_admin)]# keystone user-delete d56f52bff9264982a3ab32225f22e32e #使用id号的方式删除 [root@controller ~(keystone_admin)]# keystone user-list +----------------------------------+------------+---------+----------------------+ | id | name | enabled | email | +----------------------------------+------------+---------+----------------------+ | 00a17d0457ee4841927d404aacb68672 | admin | True | root@localhost | | 042a22bba96e45a59d5ed591fd2694bd | ceilometer | True | ceilometer@localhost | | ef22346fb7da47199e44e68c9d3cc85f | cinder | False | cinder@localhost | | 4c88ec1634a34030bb48abd747b86797 | glance | True | glance@localhost | | 4f9e33aa706d4168a92a9021c82dbafe | neutron | True | neutron@localhost | | 3554baf92ed44edea75060011c14b72f | nova | True | nova@localhost | | 25d8a47b5ec040d3800ca219b86a6467 | swift | True | swift@localhost | +----------------------------------+------------+---------+----------------------+
2. tenant的操作
tenant即租户,openstack面向的是公有云/私有云环境,一个组织或者一家公司,需要向公有云厂商申请服务,公有云厂商则会为改组织分配资源的配额,如instance数,vcpus资源,mem资源,floatip等资源,tenant里面则包含多个用户,对于openstack来说,最小的单位是tenant,而非用户。
tenant的操作涉及到:
tenant-create 创建
tenant-delete 删除
tenant-update 更新
tenant-list 查看
tenant-get 查看详细信息
例子4:创建一个tenant
[root@controller ~(keystone_admin)]# keystone tenant-create --name project1 --description "Project for project1" --enabled true
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Project for project1 | | enabled | True | | id | d179ac2fd9ea4d9bbe2b40739f84454a | | name | project1 | +-------------+----------------------------------+ [root@controller ~(keystone_admin)]# keystone tenant-list +----------------------------------+----------+---------+ | id | name | enabled | +----------------------------------+----------+---------+ | 5637fcf7bfe3402084f2cc4ebe4d00e7 | admin | True | | d179ac2fd9ea4d9bbe2b40739f84454a | project1 | True | | b0cdad40760c4a248031d8989d96584e | services | True | +----------------------------------+----------+---------+ [root@controller ~(keystone_admin)]# keystone tenant-get d179ac2fd9ea4d9bbe2b40739f84454a +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Project for project1 | | enabled | True | | id | d179ac2fd9ea4d9bbe2b40739f84454a | | name | project1 | +-------------+----------------------------------+
ps: tenant的操作和user的操作相类似,如果对具体的命令参数不了解,可以查看帮助,获取帮助的方式为:keystone help tenant-update,具体不赘述!!
3. role的操作
role即权限,openstack默认提供了两个权限:admin(管理员)和_member_(普通权限),相关的权限控制,定义在/etc/project/policy.json中,如nova的权限定义在/etc/nova/policy.json中,role的相关的操作也包括:role-create,role-delete,role-list和role-get。
例子5:创建一个角色(该角色并没有实际的意义,仅作测试)
[root@controller keystone(keystone_admin)]# keystone role-create --name Member +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 24cec8ec31734060b2f7e343431a300b | | name | Member | +----------+----------------------------------+ [root@controller keystone(keystone_admin)]# keystone role-list +----------------------------------+---------------+ | id | name | +----------------------------------+---------------+ | 24cec8ec31734060b2f7e343431a300b | Member | | 850ba016d06849a8b4d275b930bcc140 | ResellerAdmin | | ef39ce6312cd40be92c7c1baff79abe5 | SwiftOperator | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | a9fe6ed4e7e04cd6bffb7c2ef797417b | admin | +----------------------------------+---------------+ [root@controller keystone(keystone_admin)]# keystone role-get 24cec8ec31734060b2f7e343431a300b +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 24cec8ec31734060b2f7e343431a300b | | name | Member | +----------+----------------------------------+ [root@controller keystone(keystone_admin)]# keystone role-delete 24cec8ec31734060b2f7e343431a300b
4. 授权用户操作
user创建之后,默认没有权限,无法获取openstack中的资源,需要授予user指定的权限,如将其加入到某个tenant里面获取该tenant里面资源的quota,授予user某个role,让其具有某些操作的权限,一般来说,授予的role是_member_。user的授权操作命令有三个:user-role-add,user-role-list,user-role-remove。
例子6:授予user1用户project1和member,admin的权限,并回收admin权限
[root@controller keystone(keystone_admin)]# keystone user-role-add --user user1 --role _member_ --tenant project1 #授权 [root@controller keystone(keystone_admin)]# keystone user-role-add --user user1 --role admin --tenant project1 [root@controller keystone(keystone_admin)]# keystone user-role-list --user user1 --tenant project1 +----------------------------------+----------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+----------+----------------------------------+----------------------------------+ | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 30258b13fadf416382b923489cd01c89 | d179ac2fd9ea4d9bbe2b40739f84454a | | a9fe6ed4e7e04cd6bffb7c2ef797417b | admin | 30258b13fadf416382b923489cd01c89 | d179ac2fd9ea4d9bbe2b40739f84454a | +----------------------------------+----------+----------------------------------+----------------------------------+ [root@controller keystone(keystone_admin)]# keystone user-role-remove --user user1 --tenant project1 --role admin #回收权限之后,将只具有一个权限了 [root@controller keystone(keystone_admin)]# keystone user-role-list --user user1 --tenant project1 +----------------------------------+----------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+----------+----------------------------------+----------------------------------+ | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 30258b13fadf416382b923489cd01c89 | d179ac2fd9ea4d9bbe2b40739f84454a | +----------------------------------+----------+----------------------------------+----------------------------------+
5.3 keystone catalog服务
keystone其他服务提供编录(catalog)服务,openstack中的所有服务都需要将其url注册到keystone中,方便服务之间的调用,例如:nova需要调用glance获取镜像,nova会向keystone询问glance所在的路径,然后将路径返回给nova,nova根据keystone返回的glance路径,向glance发起请求。整个过程中,keystone充当和信息传递的角色,所有的服务,都需要将其service的type注册到keystone中。catalog服务涉及到两方面的操作:service和endpoint。
1. service的操作
openstack中的服务,都有一个项目名称和代码名称,如nova项目,其代码的名称是compute,代码名称即是type,常见的type包括:identity, compute, network,image, object-store,需要根据情况创建指定的type,service相关的操作有:service-create,service-delete,service-list和service-get。
例子7:创建一个keystone的service(系统已经存在)
[root@controller keystone(keystone_admin)]# keystone service-create --name keystone1 --type identity --description "Openstack keystone identity Service" +-------------+-------------------------------------+ | Property | Value | +-------------+-------------------------------------+ | description | Openstack keystone identity Service | | enabled | True | | id | 196a4a00e695407199c9d7e321bacb96 | | name | keystone1 | | type | identity | +-------------+-------------------------------------+ [root@controller keystone(keystone_admin)]# keystone service-list +----------------------------------+------------+--------------+-------------------------------------+ | id | name | type | description | +----------------------------------+------------+--------------+-------------------------------------+ | 933699ab05cb423597c72d0f1c4d5769 | ceilometer | metering | Openstack Metering Service | | 23f2581e184645b3a9624989d4a2e78d | cinder | volume | Cinder Service | | ab4e26c28613481199f762babfd0071c | cinderv2 | volumev2 | Cinder Service v2 | | a6217ea4fc1f401c95edb76163970bae | glance | image | Openstack Image Service | | fdabfe75810447ad9f5c0193e65e1e08 | keystone | identity | OpenStack Identity Service | | 196a4a00e695407199c9d7e321bacb96 | keystone1 | identity | Openstack keystone identity Service | | baa382c153b04cec8233a661be2a1976 | neutron | network | Neutron Networking Service | | d7d28d95d2284da29eedc6a477bcd81e | nova | compute | Openstack Compute Service | | a8870667eb154f6ea4172753901295d0 | nova_ec2 | ec2 | EC2 Service | | a2c39640bb23445ea75fd9942880353a | novav3 | computev3 | Openstack Compute Service v3 | | b34ba74450194636af5bc876877539b5 | swift | object-store | Openstack Object-Store Service | | 9af2346fcf214746ac23d9dab9929f6f | swift_s3 | s3 | Openstack S3 Service | +----------------------------------+------------+--------------+-------------------------------------+ [root@controller keystone(keystone_admin)]# keystone service-get 196a4a00e695407199c9d7e321bacb96 +-------------+-------------------------------------+ | Property | Value | +-------------+-------------------------------------+ | description | Openstack keystone identity Service | | enabled | True | | id | 196a4a00e695407199c9d7e321bacb96 | | name | keystone1 | | type | identity | +-------------+-------------------------------------+
2. endpoint的操作
endpoint需要和service关联,即将某个service注册到keystone中,一般而言,服务包含三种url:publicurl、internalurl和adminurl,需要将三个url都分别注册到keystone中,对于keystone来说publicurl和adminurl使用的端口不同,其他基本上是一样的。endpoint的操作有:endpoint-create、endpoint-delete、endpoint-list和endpoint-get。
例子8:将上述的keystone1的端口注册到keystone中(系统已经存在keystone的url路径)
[root@controller keystone(keystone_admin)]# keystone endpoint-create --service 196a4a00e695407199c9d7e321bacb96 > --publicurl http://10.16.4.59:35357 > --internalurl http://10.16.4.59:35357 > --adminurl http://10.16.4.59:5000 +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://10.16.4.59:5000 | | id | ae53798e92a74382958d048ddf06aa4d | | internalurl | http://10.16.4.59:35357 | | publicurl | http://10.16.4.59:35357 | | region | regionOne | | service_id | 196a4a00e695407199c9d7e321bacb96 | +-------------+----------------------------------+ [root@controller keystone(keystone_admin)]# keystone endpoint-delete fff5c3b032be40c68360781bc7de5de2 Endpoint has been deleted.
6. glance常用命令
本文出自 “Happy实验室” 博客,谢绝转载!
原文地址:http://happylab.blog.51cto.com/1730296/1710055