OpenStack二次开发简介,目录,什么是OpenStack OpenStack主要模块 Bss OpenStack Gateway开发示例,初识OpenStack,OpenStack定义,OpenStack is a cloud operating system that controls large pools of compute, storage, and networking resources throughout a datacenter, all managed through a dashboard that gives administrators control while empowering their users to provision resources through a web interface.,OpenStack概念架构,OpenStack逻辑架构,目录,什么是OpenStack OpenStack主要模块 Bss OpenStack Gateway开发示例,Keystone身份验证服务,Keystone作为Openstack的核心模块，为Nova(计算),Glance(镜像),Swift(对象存储),Cinder(块存储),Neutron(网络)以及Horizon(Dashboard)等提供认证服务,Keystone基本概念介绍之一,Authentication The process of confirming the identity of a user. To confirm an incoming request, OpenStack Identity validates a set of credentials users supply. Initially, these credentials are a user name and password, or a user name and API key. Project A container that groups or isolates resources or identity objects. Depending on the service operator, a project might map to a customer, account, organization, or tenant. Domain Domains are a collection of projects and users that define administrative boundaries for managing Identity entities. Domains can represent an individual, company, or operator-owned space. They expose administrative activities directly to system users. Users can be granted the administrator role for a domain. A domain administrator can create projects, users, and groups in a domain and assign roles to users and groups in a domain.,Keystone基本概念介绍之二,User User即用户，他们代表可以通过keystone进行访问的人或程序。Users通过认证信息（credentials，如密码、API Keys等）进行验证。 Group An Identity service API v3 entity. Groups are a collection of users owned by a domain. A group role, granted to a domain or project, applies to all users in the group. Adding or removing users to or from a group grants or revokes their role and authentication to the associated domain or project.Role Role即角色，Roles代表一组用户可以访问的资源权限，例如Nova中的虚拟机、Glance中的镜像。Users可以被添加到任意一个全局的或租户的角色中。在全局的role中，用户的role权限作用于所有的租户，即可以对所有的租户执行role规定的权限；在租户内的role中，用户仅能在当前租户内执行role规定的权限。 TokenToken是访问资源的钥匙。它是通过Keystone验证后的返回值，在之后的与其他服务交互中只需要携带Token值即可。每个Token都有一个有效期，Token只在有效期内是有效的。QuotasTo prevent system capacities from being exhausted without notification, you can set up quotas. Quotas are operational limits. For example, the number of gigabytes allowed for each tenant can be controlled so that cloud resources are optimized. Quotas can be enforced at both the tenant (or project) and the tenant-user level.,计算管理(codenamed “Nova”) 基于用户需求为VM提供计算资源管理. 基于Python语言编写。 Nova-API:对外统一提供标准化接口.接受和响应最终用户Compute API的请求,同时还实现与Openstack其他各逻辑模块的通讯与服务提供 Nova-Scheduler:从队列上得到一个虚拟机实例请求并且决定它应该在哪里运行(使用多种过滤器或算法调度) Nova-Compute:主要是一个人工守护进程，它可以通过虚拟机管理程序的API（XenAPI for XenServer/XCP, libvirt for KVM or QEMU, VMwareAPI for VMware等）来创建和终止虚拟机实例。支持多种虚拟化平台 Queue：提供了一个守护进程之间传递消息的中央枢纽。消息队列系统作用还可以实现与Openstack其他各逻辑模块之间的通信建立连接枢纽 Nova-Database:存储云基础设施的编译时和运行时的状态,从理论上讲，OpenStack Nova可以支持任何SQL-Alchemy支持的数据库，但是目前被广泛使用的数据库有sqlite3（只适用于测试和开发工作），MySQL和PostgreSQL。 Nova还提供控制台的服务，让最终用户通过代理服务器访问他们的虚拟实例的控制台。这涉及到多个守护进程(nova-console，nova-novncproxy、nova-xvpnvncproxy和nova-consoleauth),Nova服务,块存储管理模块( “Cinder”) 提供到虚拟机的永久性块存储卷. 多个卷可以被挂载到单一虚拟机实例，同时卷可以在虚拟机实例间移动，单个卷在同一时刻只能被挂载到一个虚拟机实例,块存储Cinder,API Service：负责接受和处理 Rest 请求，并将请求放入 RabbitMQ队列。 Scheduler Service: 处理任务队列的任务，并根据预定策略选择合适的 Volume Service 节点来执行任务。 Volume Service: 该服务运行在存储节点上，管理存储空间。每个存储节点都有一个 Volume Service，若干个这样的存储节点联合起来可以构成一个存储资源池。为了支持不同类型和型号的存储，均通过Drivers的形式为Cinder的 Volume Service 提供相应的Cinder-Volume。,网络服务 ( “Neutron”) 提供在被管理设备之间的网络连接服务，包括租户网络和提供商网络。,Neutron网络服务,Neutron Drivers,Neutron API提供Openstack其他服务或管理员及用户访问的接口,OpenStack Networking plug-in and agents Plugs and unplugs ports, creates networks or subnets, and provides IP addressing. The chosen plug-in and agents differ depending on the vendor and technologies used in the particular cloud. It is important to mention that only one plug-in can be used at a time.,Messaging queueAccepts and routes RPC requests between agents to complete API operations.,Neutron 的关键概念,网络Network 一个L2二层网络单元 租户可通过Neutron API 创建自己的网络 子网Subnet 一段IPV4/IPV6地址段 为Instance提供私网或公网地址 路由器Router 三层路由器 为租户的Instance提供路由功能 端口Port 虚拟交换机上的端口 管理Instance的网卡,Glance镜像服务,Glance是OpenStack镜像服务,用来注册、登陆和检索虚拟机镜像。Glance服务提供了一个REST API，使你能够查询虚拟机镜像元数据和检索的实际镜像。通过镜像服务提供的虚拟机镜像可以存储在不同的位置，从简单的文件系统对象存储到类似OpeenStack对象存储系统。,Glance-API ：接收最终用户或Noav对镜像的请求,检索和存储镜像的相关API调用。Glance-registry： 存储,处理和检索有关镜像的元数据,元数据大小、类型等等。Database ：存储镜像元数据,可以支持多种数据库,现在使用比较广泛的是mysql和sqlite.,创建虚拟机流程,目录,什么是OpenStack OpenStack主要模块 Bss OpenStack Gateway开发示例,Bss OpenStack Gateway上下文,OpenStack API请求流程,Request an authentication token from the Identity endpoint that your cloud administrator gave you. Send a payload of credentials in the request as shown in Authenticate. If the request succeeds, the server returns an authentication token.Send API requests and include the token in the X-Auth-Token header. Continue to send API requests with that token until the service completes the request or the Unauthorized (401) error occurs.If the Unauthorized (401) error occurs, request another token.,