2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Xiaosheng blog: http://xsboke.blog.51cto.com
- Thank you for reading. If you have any questions, you are welcome to get in touch.
Table of contents:
1. Keystone in detail (OpenStack authentication service)
2. Glance in detail (OpenStack image service)
3. Nova in detail (OpenStack compute service)
4. Neutron in detail (OpenStack network service)
5. Cinder in detail (OpenStack storage service)
I. Overview of Keystone
1. Keystone provides three main functions: authentication, permissions (authorization) and the service catalog:
1) Authentication: identity verification and token issuance
2) Permissions: roles such as admin (administrator) and user (ordinary user)
3) Service catalog: the list of compute, storage, network and other services a user can use after logging in to OpenStack
2. Key Keystone terms:
1) A user can be associated with one or more tenants (tenant / project)
2) A project (tenant/project) consists of one or more virtual machines
3) A project (tenant/project) can be associated with one or more users, and each user can have different permissions
4) Role: defines a user's permissions. OpenStack has several built-in roles, such as admin and member.
5) Token: carries its own validity period together with basic information about the user, such as permissions and projects.
6) Service: the business services, such as compute, volume and Glance.
7) Endpoint: the access entry for a service. Each service has its own access entry, also called an access endpoint.
Endpoints are divided into three categories according to who uses them:
Admin url -> for admin users, port 35357
Internal url -> used by OpenStack services to communicate with other services, port 5000
Public url -> the address that other users can access, port 5000
3. Keystone verification process, taking the creation of a virtual machine as an example:
The user sends a user name and password to Keystone; after authentication, Keystone returns a temporary token and a service catalog.
The user uses this temporary token to request its tenant information from the Keystone endpoint listed in the catalog. After Keystone verifies the token, it returns the user's list of tenants.
The user selects a tenant from the list and requests Keystone again. After Keystone verifies the request, it returns the catalog and a token scoped to that tenant.
The user uses the token and the tenant/user information to request the Nova endpoint in the catalog to start the virtual machine. Nova asks Keystone to verify whether the token is legal and whether this tenant and user have permission to request services from Nova.
Keystone replies to Nova: the tenant/user has access to Nova, the token is legal, and the token belongs to this tenant/user.
Nova determines, according to its own rules, whether the user has permission to start the virtual machine; if so, it starts the virtual machine and reports the status to the user.
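The exchange above, as an added example that is not part of the original post: an in-memory stand-in for Keystone that issues a temporary token, exchanges it for a tenant-scoped token, and lets a "Nova" validate it and apply its own role rule. The class and function names, the sample user, the roles and the catalog are assumptions made for this illustration.

```python
import secrets
import time

# Constructed sample data (assumption): users, their password, and the role
# each holds in each project (tenant).
USERS = {
    "alice": {"password": "s3cret", "projects": {"demo": "member", "ops": "admin"}},
}
# Constructed catalog with the three Keystone endpoint kinds and ports from the
# text; the compute URL is a placeholder.
CATALOG = {
    "identity": {"admin": "http://controller:35357", "internal": "http://controller:5000",
                 "public": "http://controller:5000"},
    "compute": {"public": "http://controller/compute"},
}


class KeystoneSim:
    """Issues and validates tokens the way the flow above describes."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.tokens = {}  # token id -> {"user", "project", "roles", "expires"}

    def _issue(self, user, project, roles):
        tid = secrets.token_hex(16)
        self.tokens[tid] = {"user": user, "project": project, "roles": roles,
                            "expires": time.time() + self.ttl}
        return tid

    def authenticate(self, user, password):
        """Step 1: credentials -> temporary (unscoped) token plus the catalog."""
        rec = USERS.get(user)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            raise PermissionError("bad credentials")
        return self._issue(user, None, []), CATALOG

    def validate(self, token):
        """What a service asks Keystone: unknown or expired tokens are rejected."""
        info = self.tokens.get(token)
        if info is None or info["expires"] < time.time():
            raise PermissionError("token invalid or expired")
        return info

    def list_tenants(self, token):
        """Step 2: temporary token -> tenants this user may scope to."""
        info = self.validate(token)
        return sorted(USERS[info["user"]]["projects"])

    def scope(self, token, project):
        """Step 3: exchange the temporary token for one scoped to a tenant."""
        info = self.validate(token)
        role = USERS[info["user"]]["projects"].get(project)
        if role is None:
            raise PermissionError("user is not a member of that tenant")
        return self._issue(info["user"], project, [role]), CATALOG


def nova_boot(ks, token, project, required_role="member"):
    """Steps 4-6: Nova has Keystone validate the token, then applies its own rule."""
    info = ks.validate(token)
    if info["project"] != project:
        return "denied: token is not scoped to this tenant"
    if required_role not in info["roles"] and "admin" not in info["roles"]:
        return "denied: role does not allow booting instances"
    return "ACTIVE"
```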
II. Overview of Glance
Glance is the image management module in OpenStack and stores image metadata.
Functions: discovery, registration and retrieval of virtual machine images
The location of Glance in OpenStack:
1. Glance concepts
Image identifier / image URI: the image ID
2. Image status
queued: the image ID has been reserved and the image metadata has been written to the database, but the image data has not been uploaded yet
saving: the image data is being uploaded
active: the image is ready for use
killed: the image is corrupted or unavailable
deleted: the image has been deleted
3. Disk format: the format of the image's disk (depends on the virtualization type)
raw: allocates exactly as much space as it occupies; good performance
vhd: supported by VMware, Xen, Microsoft and VirtualBox
vmdk: a common, standardized disk format widely used in the open source community
vdi: supported by these two hypervisors: VirtualBox and the QEMU emulator
iso: CD/optical disc image, mainly used for archiving
qcow2: mainly used for QEMU virtual machines; the disk grows dynamically as it is used, but its performance is worse than raw
aki, ari, ami: Amazon formats
4. Container format
1) Purpose of the container:
Bundles the options related to creating a virtual machine, similar to choosing the configuration of a cloud server when purchasing from Huawei Cloud
2) Container formats:
bare: use when the disk format is uncertain.
ovf: template
aki, ami, ari: Amazon
3) The image-create command must receive at least three parameters:
--name: the name of the image to create
--container_format: indicates whether the image file contains metadata for the virtual machine. This information is not currently used by the compute service, so bare can be specified when uncertain; the commonly used values are bare (no container or metadata), ovf, aki, ari and ami.
--disk_format: the format of the disk image file: raw, qcow2, vhd, vmdk, iso, vdi, aki, ari, ami, etc.
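The image status life cycle from section 2 and the three required image-create parameters above, as an added example that is not part of the original post: a small model that reserves an image ID on creation, walks the image through queued/saving/active (or killed on a checksum mismatch), and rejects image-create calls missing a parameter or using an unknown format. GlanceImage, create_image, sha256_hex and the ALLOWED_* sets are assumed names for this illustration.

```python
import hashlib
import uuid

# Values the text lists for the two format parameters.
ALLOWED_DISK = {"raw", "qcow2", "vhd", "vmdk", "iso", "vdi", "aki", "ari", "ami"}
ALLOWED_CONTAINER = {"bare", "ovf", "aki", "ari", "ami"}
# Legal status transitions: queued -> saving -> active; an upload that fails
# leaves the image killed; any non-deleted image can be deleted.
TRANSITIONS = {
    "queued": {"saving", "deleted"},
    "saving": {"active", "killed", "deleted"},
    "active": {"deleted"},
    "killed": {"deleted"},
    "deleted": set(),
}


def sha256_hex(data):
    """Checksum helper so a caller can prove what bytes it meant to upload."""
    return hashlib.sha256(data).hexdigest()


class GlanceImage:
    """Assumed class: one image record with its status life cycle."""

    def __init__(self, name, container_format, disk_format):
        self.id = str(uuid.uuid4())   # image ID reserved as soon as the record exists
        self.name = name
        self.container_format = container_format
        self.disk_format = disk_format
        self.status = "queued"        # metadata stored, no image data uploaded yet
        self.data = b""

    def transition(self, new_status):
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        self.status = new_status
        return self.status

    def upload(self, data, expected_sha256=None):
        """Upload image bytes; a checksum mismatch marks the image killed."""
        self.transition("saving")
        if expected_sha256 is not None and sha256_hex(data) != expected_sha256:
            return self.transition("killed")
        self.data = data
        return self.transition("active")


def create_image(name=None, container_format=None, disk_format=None):
    """Model the rule that image-create needs all three parameters, with known values."""
    required = (("--name", name), ("--container_format", container_format),
                ("--disk_format", disk_format))
    missing = [flag for flag, value in required if not value]
    if missing:
        raise ValueError("missing required parameters: " + ", ".join(missing))
    if container_format not in ALLOWED_CONTAINER:
        raise ValueError(f"unknown container_format {container_format!r}")
    if disk_format not in ALLOWED_DISK:
        raise ValueError(f"unknown disk_format {disk_format!r}")
    return GlanceImage(name, container_format, disk_format)
```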
III. Overview of Nova
Nova provides the compute service in OpenStack and consists of multiple components.
Core components of Nova:
nova-api: provides access from the outside
scheduler: scheduling service
compute: compute service
compute driver: the driver that drives the hypervisor
The position of Nova in OpenStack
1. Architecture (components) of Nova
2. Understanding the workflow of OpenStack and its Nova component through the creation of a cloud virtual machine
Roughly, the process is:
Step 1: the user logs in to OpenStack through Horizon (the web UI), authenticates with Keystone and obtains a token
Step 2: the user sends requests to Nova for the related operations, and Nova asks Keystone to verify the user and token
Step 3: Nova places the user's request on the message queue (MQ), and nova-compute picks it up from there
Step 4: nova-compute connects to Glance; Glance asks Keystone to verify the user and token, then returns the image information
Step 5: nova-compute connects to Neutron; Neutron asks Keystone to verify the user and token, then returns the network information
Step 6: nova-compute connects to Cinder; Cinder asks Keystone to verify the user and token, then returns the storage
Step 7: nova-compute hands off to the underlying hypervisor to create the virtual machine
The virtual machine startup process is as follows:
The dashboard or command line obtains authentication information from Keystone through the RESTful API.
Keystone checks the user's authentication information and generates an auth-token, which it returns in response to the authentication request.
The dashboard or command line sends a boot-instance request (carrying the auth-token) to nova-api through the RESTful API.
After accepting the request, nova-api sends an authentication request to Keystone to check whether the user and token are valid.
Keystone verifies whether the token is valid and, if so, returns a valid authentication result together with the corresponding roles (note: some operations require specific role permissions).
After authentication passes, nova-api communicates with the database.
It initializes the database record for the new virtual machine.
nova-api asks nova-scheduler through rpc.call whether there are resources (a HostID) on which to create the virtual machine.
The nova-scheduler process listens on the message queue for requests from nova-api.
nova-scheduler queries the compute resources in the nova database and, through the scheduling algorithm, works out which hosts meet the requirements for creating the virtual machine.
For the host that matches, nova-scheduler updates the physical host information for the virtual machine in the database.
nova-scheduler sends the request message for creating the virtual machine to nova-compute through rpc.cast.
nova-compute picks up the create-virtual-machine request from the corresponding message queue.
nova-compute requests the virtual machine information (flavor) from nova-conductor through rpc.call.
nova-conductor picks up the nova-compute request from the message queue.
nova-conductor looks up the virtual machine's information according to the message.
nova-conductor obtains the virtual machine's information from the database.
nova-conductor sends the virtual machine information to the message queue as a message.
nova-compute picks up the virtual machine information message from the corresponding message queue.
nova-compute obtains an authenticated token through Keystone's RESTful API and requests the image needed to create the virtual machine from glance-api over HTTP.
glance-api verifies with Keystone whether the token is valid and returns the verification result.
Once token verification passes, nova-compute obtains the virtual machine image information (URL).
nova-compute obtains an authenticated token through Keystone's RESTful API and requests the network information needed to create the virtual machine from neutron-server over HTTP.
neutron-server verifies with Keystone whether the token is valid and returns the verification result.
Once token verification passes, nova-compute obtains the virtual machine network information.
nova-compute obtains an authenticated token through Keystone's RESTful API and requests the persistent storage information needed to create the virtual machine from cinder-api over HTTP.
cinder-api verifies with Keystone whether the token is valid and returns the verification result.
Once token verification passes, nova-compute obtains the virtual machine's persistent storage information.
nova-compute invokes the configured virtualization driver to create the virtual machine based on the instance information.
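The scheduling step of the boot flow above (nova-scheduler querying host resources and picking a host, with the flavor looked up by nova-conductor), as an added example that is not part of the original post: a simplified filter-then-weigh scheduler that also records each placement so later decisions see the reduced capacity. The Flavor and HostState classes, the sample hosts and the most-free-RAM weighting are assumptions for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Flavor:
    """What nova-conductor returns to nova-compute (assumed fields)."""
    vcpus: int
    ram_mb: int
    disk_gb: int


@dataclass
class HostState:
    """Compute resources as nova-scheduler reads them from the nova database."""
    name: str
    free_vcpus: int
    free_ram_mb: int
    free_disk_gb: int
    instances: list = field(default_factory=list)


def passes_filters(host, flavor):
    """Filter phase: a host must have enough of every resource the flavor needs."""
    return (host.free_vcpus >= flavor.vcpus and host.free_ram_mb >= flavor.ram_mb
            and host.free_disk_gb >= flavor.disk_gb)


def weigh(host):
    """Weigh phase: prefer the host with the most free RAM (spreads instances)."""
    return host.free_ram_mb


def select_host(hosts, flavor):
    """Return the chosen HostState, or None when no host satisfies the flavor."""
    candidates = [h for h in hosts if passes_filters(h, flavor)]
    if not candidates:
        return None
    return max(candidates, key=weigh)


def claim(host, flavor, instance_id):
    """Update the host record once the VM is placed, as the text describes."""
    host.free_vcpus -= flavor.vcpus
    host.free_ram_mb -= flavor.ram_mb
    host.free_disk_gb -= flavor.disk_gb
    host.instances.append(instance_id)
    return host


def schedule_many(hosts, flavor, count):
    """Place up to `count` identical instances, stopping when capacity runs out."""
    placed = []
    for i in range(count):
        host = select_host(hosts, flavor)
        if host is None:
            break
        claim(host, flavor, f"inst-{i}")
        placed.append(host.name)
    return placed
```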
IV. Overview of Neutron
Neutron was only used in OpenStack m and is mainly used for network management.
Neutron is the code name of the OpenStack networking server.
Neutron provides a mechanism for users to integrate many different network technologies to get the most out of the network, and exposes an API, through layer-3 forwarding and NAT, to configure and manage network functions such as load balancing, edge firewalls and IPsec *.
1. Functions of Neutron
Provides network models: flat, flatdhcp and vlan
IP address management: nova-network needs to manage the IP addresses used by virtual machines. These come in two types: fixed IPs, which do not change throughout the life cycle of the virtual machine, and floating IPs, which are dynamically assigned to the virtual machine and can be withdrawn at any time.
DHCP: in flatdhcp and vlan mode, the virtual machine acquires its fixed IP through DHCP; nova-network starts dnsmasq as the DHCP server for virtual machines, and it assigns the IPs.
Security protection: for security reasons, virtual machines in Nova are protected against IP/MAC flooding, and the MAC address of a virtual machine cannot be changed at will; after modification the virtual machine can no longer reach the network. This is implemented mainly through ebtables/iptables.
2. Network solutions in earlier versions of OpenStack
Flat mode
All virtual machines are on the same network segment
No network isolation and no DHCP needed
The network must be configured by file injection.
The network controller (nova-network node) NATs the virtual machine instances to give them communication with the outside
Flat mode requires manually configuring the bridge br100 when installing OpenStack. All instances in the system are connected to the same bridge, and the bridge forms a virtual network with the instances connected to it.
Flatdhcp mode
Similar to flat mode, with only one subnet
No file injection is required
The DHCP server (dnsmasq) listens for DHCP discover packets on the bridge and assigns IP addresses to virtual machines, so a virtual machine obtains its fixed IP through DHCP when it starts.
Vlan mode
Each project is assigned a VLAN id, and each project can also have its own independent IP address range. Virtual machines belonging to different projects are connected to different bridges, so projects are isolated and do not affect each other.
To access all virtual machines of a project, you need to create a * virtual machine, which serves as a springboard (jump host) for reaching the other virtual machines of the project.
Each project starts its own dnsmasq to configure the fixed IPs of its virtual machines
3. Introduction to the Neutron service
Neutron has a layered architecture. All requests go to neutron-server first. neutron-server exposes multiple APIs providing various functions. After a user calls an API, services in the agent layer are invoked internally through the RPC mechanism. These agents work at layer 2 or layer 3, and the agent layer is equivalent to an intermediate proxy layer. The agents then call the corresponding drivers in the device layer to carry out what the user's API call requested.
All requests to access the network go to neutron-server (made up of multiple APIs) -> the functions Neutron provides are accessed by calling the API -> the API invokes the relevant drivers provided by the agents -> the agents invoke services based on RPC -> the request is completed by the services invoking devices at the device layer
4. Basic concepts of Neutron
Networking API: the Networking API defines abstractions such as virtual network (network), subnet and port in software to describe network resources.
Network: used to divide virtual networks. In Neutron, a "network" is an object that users can create, equivalent to a switch.
Subnet: a subnet is an address pool. Communication between different subnets requires the support of a router. A subnet belongs to a network.
Port: a logical port of the switch.
Router: similar to a router in a physical environment, the router in Neutron is also a routing and forwarding component; the difference is that in Neutron it is a software component that can be created and destroyed.
DHCP: provides the DHCP service for a tenant (also called project) network, that is, dynamic allocation of IP addresses, as well as the metadata request service
DHCP agent: responsible for processing DHCP requests and assigning IPs for the network
DHCP agent scheduler: the scheduling of DHCP agents to networks, that is, deciding which DHCP agent the DHCP requests from a given network are sent to, for example by a round-robin (polling) scheduling algorithm.
5. Neutron deployment models
1) Single flat network
All virtual machines share the same network segment
DHCP can be used to assign IP addresses
Floating IPs (released after use) are not supported
2) Multiple flat networks
Multiple subnets can be created, and each project can connect to one or more subnets
Floating IPs are not supported
3) Provider router with private networks: tenant private networks behind a single router
Each tenant can have multiple private networks, which are connected to the external network through the router
Floating IPs are supported
4) Per-tenant routers with private networks: multi-router private network mode
Subnet overlap: overlapping subnets are supported on different networks
Each tenant can define its own virtual routers and private networks and bind floating IPs to virtual machines; this is currently the most commonly used and most advanced deployment model.
When deploying nova-network, you need at least two network cards. One serves as the public network, which mainly carries public network traffic and traffic between OpenStack components; to be able to reach the public network, its IP address can be either a private or a public address. The other serves as the internal network and carries communication between virtual machines; it does not need an IP address assigned, only physical connectivity.
6. The main configuration options for nova-network are:
Multihost: multi-host mode, which reduces the load on Neutron
In multi-host mode, first set multi_host to True, and then install nova-network, nova-api-metadata and nova-compute on each compute node
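The per-tenant routers model (overlapping subnets allowed across tenants but not behind one router), the DHCP fixed-IP assignment from sections 1 and 4, and the round-robin DHCP agent scheduler, as one added example that is not part of the original post. DhcpPool, Router and DhcpAgentScheduler are assumed names; the gateway-is-first-address convention and the sample MACs are constructed for the illustration.

```python
import ipaddress
from itertools import cycle


class DhcpPool:
    """Hands out fixed IPs from one subnet, as dnsmasq does for a network."""

    def __init__(self, cidr):
        self.net = ipaddress.ip_network(cidr)
        self.gateway = self.net.network_address + 1   # assumed gateway convention
        self.leases = {}                              # mac -> fixed ip
        self._free = (ip for ip in self.net.hosts() if ip != self.gateway)

    def lease(self, mac):
        """A known MAC keeps its fixed IP; a new one gets the next free address."""
        if mac in self.leases:
            return self.leases[mac]
        ip = next(self._free, None)
        if ip is None:
            raise RuntimeError(f"address pool {self.net} exhausted")
        self.leases[mac] = ip
        return ip


class Router:
    """One tenant's virtual router; the subnets behind it must not overlap."""

    def __init__(self, tenant):
        self.tenant = tenant
        self.subnets = {}   # cidr -> DhcpPool

    def add_subnet(self, cidr):
        new = ipaddress.ip_network(cidr)
        for existing in self.subnets:
            if new.overlaps(ipaddress.ip_network(existing)):
                raise ValueError(f"{cidr} overlaps {existing} on router of {self.tenant}")
        self.subnets[cidr] = DhcpPool(cidr)
        return self.subnets[cidr]


class DhcpAgentScheduler:
    """Round-robin ('polling') assignment of networks to DHCP agents."""

    def __init__(self, agents):
        self._next = cycle(agents)
        self.assignment = {}   # network -> agent

    def schedule(self, network):
        if network not in self.assignment:
            self.assignment[network] = next(self._next)
        return self.assignment[network]
```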
V. Cinder block storage
Cinder is only responsible for providing storage for virtual machines.
In OpenStack, the hard disks appear as vda, vdb, vdc, and so on.
The specific implementation mechanism of storage is shown in the figure:
The Nova storage implementation involves the following key steps:
nova-api calls the nova-compute host interface run_instance.
nova-compute calls the create method of the storage interface volume-api to create the storage.
The volume-api storage interface passes the storage information to the scheduler for scheduling.
According to a certain algorithm, the scheduler selects a specific storage node and sends instructions to the cinder-volume service on that node.
cinder-volume receives the create-volume instruction (create_volume), creates a logical volume (LV) and publishes a logical unit (LUN).
After receiving feedback that the cloud disk was created successfully, nova-compute calls its virtualization implementation, such as the SCSI implementation in the Libvirt driver, to connect the iSCSI initiator to the corresponding storage logical unit (LUN) and assign the block device to the virtual machine.