Reposted from the int32bit blog: Uncommon but Useful Operations in OpenStack

Glance member

Images are very important data in OpenStack: they hold the user's operating system data, so keeping images secure matters a great deal. Normally the visibility of an image uploaded to Glance can be set to public or private. A public image is visible to all tenants, while a private image is visible only to the owning tenant and to administrators. Newer versions of Glance introduce a new visibility state, shared, which allows an image to be shared with one or more specified tenants. A tenant the image is shared with is called a member; simply adding a tenant to the image's members lets it access another tenant's image.

Let's try this in a test environment. First, create an image under the admin tenant:

glance image-create --disk-format raw --container-format bare --name cirror-3.0 --file cirros-3.0.img

Under the demo tenant the image is not visible:

$ source openrc_demo
$ glance image-list
+----+------+
| ID | Name |
+----+------+
+----+------+

Add the demo tenant to the image's members:

$ glance member-create ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea fb498fdd27e74750a6b209158437696c
+--------------------------------------+----------------------------------+---------+
| Image ID                             | Member ID                        | Status  |
+--------------------------------------+----------------------------------+---------+
| ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea | fb498fdd27e74750a6b209158437696c | pending |
+--------------------------------------+----------------------------------+---------+

Adding demo as a member on the admin side is not enough: the demo side also has to confirm by updating the member status to accepted, meaning it accepts the shared image:

$ glance member-update ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea fb498fdd27e74750a6b209158437696c accepted
+--------------------------------------+----------------------------------+----------+
| Image ID                             | Member ID                        | Status   |
+--------------------------------------+----------------------------------+----------+
| ec5426f5-ab4d-43a6-a1e1-5a1919aa7bea | fb498fdd27e74750a6b209158437696c | accepted |
+--------------------------------------+----------------------------------+----------+

Now the shared image is visible under the demo tenant:


Reposted from the int32bit blog: How to Read OpenStack Source Code

OpenStack basics

OpenStack components

OpenStack is an open-source IaaS cloud computing platform whose benchmark product is AWS. At the very beginning OpenStack had only two components: Nova, which provides compute services, and Swift, which provides object storage. Nova provided not only compute but also networking, block storage, image and bare-metal management services. As the project developed, functionality was split out of Nova into several independent projects: nova-volume became the Cinder project for block storage, nova-image became the Glance project for image storage, nova-network was the predecessor of Neutron, and bare-metal management was separated from Nova as the Ironic project. Container services were also initially supported by Nova, implemented as one of its drivers; they then moved to Heat and have since become an independent project, Magnum. Later Magnum's vision was adjusted to focus on container orchestration, and plain container services were taken over by the Zun project. OpenStack initially had no authentication; the Keystone identity service was only added starting with the E release.

The current OpenStack core service components are:

Keystone: identity service.
Glance: image service.
Nova: compute service.
Cinder: block storage service.
Neutron: networking service.
Swift: object storage service.

After the E release, new services kept appearing on top of these core services, such as the Horizon dashboard, the Heat orchestration service, the Trove database service, the Manila shared file system service, the Sahara big data service, the Mistral workflow service and the Magnum container orchestration service mentioned above. Almost all of them depend on the core services. For example, the Sahara big data service first calls the Heat template service, and Heat in turn calls Nova to create virtual machines, Glance to fetch images, Cinder to create data volumes, Neutron to create networks, and so on.

The latest released version is the 15th, codenamed Pike; the Queens release is already in active development.

OpenStack has more and more services of growing complexity, covering an ever larger technology ecosystem. It is like a giant creature, and anyone first encountering such a large distributed system feels, more or less, like a blind man touching an elephant. But there is no need to despair too early: fortunately OpenStack is very well designed, and although it has many projects and components, the skeleton of almost every service is basically the same. Once you are familiar with the architecture of one project and have read its source code in depth, the other projects come easily.

This article takes the Nova project as an example and dissects its source code structure step by step, in the hope that after reading it, looking at the Cinder project will be a very easy matter.

Sharpen your tools before you start

To read source code you first need a proper code reading tool. Using PyCharm as a GUI is fine, but virtual machines usually have no graphical interface, so vim is the first choice; it needs some simple configuration to support code jumping and code search, see GitHub - int32bit/dotfiles: A set of vim, zsh, git, and tmux configuration files. As shown in the figure:

All OpenStack projects are developed in Python and are standard Python projects, managed with setuptools, which handles installation and distribution of Python modules. The most direct and effective way to find out which services make up a project is to locate its entry points (main functions). For any standard setuptools-managed project, all entry points are defined in the setup.cfg file in the project root, and console_scripts lists the entry points of all service components. For example, the console_scripts in nova's setup.cfg (Mitaka release) are:

[entry_points]
console_scripts =
    nova-all = nova.cmd.all:main
    nova-api = nova.cmd.api:main
    nova-api-metadata = nova.cmd.api_metadata:main
    nova-api-os-compute = nova.cmd.api_os_compute:main
    nova-cells = nova.cmd.cells:main
    nova-cert = nova.cmd.cert:main
    nova-compute = nova.cmd.compute:main
    nova-conductor = nova.cmd.conductor:main
    nova-console = nova.cmd.console:main
    nova-consoleauth = nova.cmd.consoleauth:main
    nova-dhcpbridge = nova.cmd.dhcpbridge:main
    nova-idmapshift = nova.


Kubespray Hints

I’ve been using Kubespray to deploy Kubernetes since Kube version 1.9. It’s by far the most customizable and flexible deployment tool for Kubernetes on the open-source market, so I think it’s worth a post. To begin with, let’s talk about the dark, stone-age time when Kubespray first came out as “Kargo”. It used to be confusing and felt like today’s Kubeadm, which uses command-line options to interact and deploy. Now it’s well maintained and fully Ansible based, which means all variables and parameters are configured inside the scripts, with no more command-line options.


Python Hints

Pip dependency failure

Sometimes installing a pip package results in a dependency failure:

Downloading/unpacking cffi>=1.4.1 (from cryptography>=1.7->pyOpenSSL>=0.14->pyvmomi)
  Running setup.py (path:/tmp/pip_build_root/cffi/setup.py) egg_info for package cffi
    unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
    unable to execute 'x86_64-linux-gnu-gcc': No such file or directory
    No working compiler found, or bogus compiler options passed to the compiler from Python's distutils module. See the error messages above. (If they are about -mno-fused-madd and you are on OS/X 10.


Ansible Hints

Ansible works against multiple systems in your infrastructure at the same time. It does this by selecting portions of the systems listed in Ansible’s inventory, which by default is saved at /etc/ansible/hosts. You can specify a different inventory file using the -i <path> option on the command line.

To ignore RSA key fingerprint checks, set the environment variable ANSIBLE_HOST_KEY_CHECKING to False, or put the setting in an ansible.cfg file, either globally (at system or user level, in /etc/ansible/ansible.


IS-IS Memo

IS-IS Areas

In the OSPF protocol any of a router’s interfaces can be assigned to a particular area; the concept of an area in IS-IS is different. Here, in general, every single router belongs to an area. This comes from the fact that IS-IS was initially created to route the Connectionless Network Protocol (CLNP), where the address belongs to a device (the router), whereas in the Internet Protocol (IP) the address belongs to a particular interface.


Gitlab Hint

gitlab.yml sample config

The GitLab Helm install expects to work with cert-manager. If you are not using it at all, you can bind your certs to nginx manually: just create a secret with tls.crt and tls.key, where tls.crt needs to include the entire chain from the root CA all the way down to your certificate. Otherwise you may face odd errors such as: x509: certificate signed by unknown authority and error authorizing context: authorization token required.


Git Hints

Add your Git username and set your email

It is important to configure your Git username and email address, since every Git commit will use this information to identify you as the author.

git config --global user.name "YOUR_USERNAME"
git config --global user.email "[email protected]"

Create and switch to a new branch

git checkout -b NAME-OF-BRANCH

Download the latest changes in the project

To sync with other users’ changes on the branch while keeping what you have changed locally, use:


Pipeline execution

The currently running pipeline is available within Pipeline Expressions as execution. From there you can navigate to different parts of the pipeline. For example, to reference the name of the first stage you can use ${ execution.stages[0]['name'] }.

The current stage

Values in the current stage's context are available by their variable names. In the source JSON they are defined under the context object. If I see context.


A few changes for the default Helm chart on GitHub: some new features (e.g. authorization) are only available in the newer component images, so update your images. The new Front50 requires credentials in /home/spinnaker/.aws, so make sure you mount it correctly:

"volumeMounts": [
  { "name": "spinnaker-spinnaker-spinnaker-config", "mountPath": "/opt/spinnaker/config" },
  { "name": "spinnaker-spinnaker-s3-config", "mountPath": "/root/.aws" },
  { "name": "spinnaker-spinnaker-s3-config", "mountPath": "/home/spinnaker/.aws" }
],

To enable authentication and authorization, you need to configure Gate and Fiat.



LuLU

Love coding and new technologies

Cloud Solution Consultant

Canada