Openstack中用镜像文件生成的image来创建虚机(VM或Instance)时, 通常不支持用户名加密码的ssh方式登录访问该VM,而是用秘钥对(keypair)方式.
这里以Centos的镜像为例, 介绍用keypair生成和访问虚机的方法.
1) 查看系统中的keypair:
root@cic-1:~# openstack keypair list+----------+-------------------------------------------------+| Name | Fingerprint |+----------+-------------------------------------------------+| my_key | 51:47:92:7d:a1:ec:75:aa:07:3a:a8:7c:17:63:4d:6f || pub_key | 91:4b:da:c4:9d:6e:2e:7e:75:60:25:2a:d5:d1:5b:99 |+----------+-------------------------------------------------+2) 生成自己的keypair, 名字随意取, 本例中是key0510t:
该指令的输出即为密钥:
root@cic-1:~# openstack keypair create key0510t-----BEGIN RSA PRIVATE KEY-----MIIEqAIBAAKCAQEAzSuh/2jslGnRKjjaVMaBN/kNTOQ/7x1etcw82eppcY3L0ls/CaNU3GI+ldh36bIMXDwlpLVHp0D4antYKDVVNMbyTlLH0XbO+gSSF955XYV1FSLNI0WuKtU6Gh4GoC1LaC3gpLEa5FJD+K/N5o3Z5xVseLebLbPnDCCzA6tqu4hq8M1zt2STtbAT/GyCVmAEUR4qmGl8mRcKGnBTaC6r6o/+UYz+25IF/0yoLJEd4pNJgwRt0xIel/KS1AVlQwxMdigsoXSN78e5kUEjof7HAk+2qzY8jAMuZKsedyoD8QrcuNPCdE3edEqmIQiFD7lHO3CztNKc1K9CiTEVvKJWXwIDAQABAoIBABSuR0AFhYNYPzswS+GruK65rfuILmGd5kQQ+DlHBaXqkxb7F5mTGySzync0QLIPvms1rN2zYCudwuyIzlQPPC17uETo1zdn8GkHOOqrBDTHFQwyW9coWOv8XkTvrd9LcYRoy3IOYBWPrUZOAkUxGzvNzwdECqJKtglk6mZ+St3oLeHG1AE2wgdhEgzxtc8JrCLoWNNRM4Ajob3nSgCILlWOrZRuVGFTRiwjXQKvTbIxISJ4wIPDdgT+o25uiXX3MfTtK0dArl+oCopcRXhNZfKwZ5laQOvoAvLwWPS85ir3H0VRusCGrhDxYrS9kN5u8/ad0KyLHd44LTu1g6trkcECggCBAM+fclFgYXz1nn0bcx3LlOrS6OeKhCg5qWrccpKdvFUfFRE/fEMCT27AfxYUV3AU0tIIqAlhFmLpp5JOJn7xfAWwo3gvjSd0nfxCxZQP9NXRpPgkdmeofcWnTPtLZOlwujzjcEETqJL02P8eixKJIV6uQfThXKA6iS4cPueVUztxAoIAgQD8+ecKKBeAiijwyM1DV0W+tjnEgEroR0e5/96ZgKeNNrVSLAh8niMQy+Fx7ZXRZfCze4cjFpsD0hMuhQT1fXvRbH+ouazl9thtxUROXcRBU8NhOCoogsIj4NCd5bX0c43YKaz6RqA77xKk/V04ZZVCAmES58Z/sHfyU+IBeWqmzwKCAIBti0Dzsph9J9KxS5RXOhyeMR11XN4RoyrCGQHSXasKdlXVPdvANy3Vz3a+HYlst2/sJWkTWchH8+PYC6e//oVjMylsthoRoTPh7xDz599UGUKjMgnO81U4veaeB898Y1+/1HhbvZWJw+nh4SmbZALZQ7PFEkqet4O9cmW2JlE94QKCAIEAyiSmiWcf4IaF0GGkI3tJL+tMncgmExViKy5aIS68tApTOSYWYf2652EC9JZ0cK6Ud9btVQxrMdJboYCJReDPX7jjCV/U2K02pABNZJFokQrtxHGsvlI9741lJca4bm0nmuMyZYqp3zpaG5yZMMd7TRO5nfG2m7HXJrwAjE0I++ECggCAZF5WvDh0lus+gN48BETksoEF/2YiE8XkT6gWW5C9Hj6esFwxvkkPZ1Hvt3U6iFHTdQ8A+kMG7kWACgsrqgkIpB3pKui66+WlyNxo+EcAa0HqziF1qqZm9Dwk6GJ7Jb5pjQDSGB83gtvzFFrl5KjD+ZhBNNSv4KQSKxrVct5akcE=-----END RSA PRIVATE KEY-----3) 把密钥保持在一个文件中, 也就是key file (名字任意选取, 为方便这里和keypair的名字一样):
root@cic-1:~# vi key0510t.pem把上面所有的内容(含第一行和最后一行的标签和符号)复制到该文件,保存退出。
再用more或cat指令检查一遍该文件:root@cic-1:~# more key0510t.pem4) 确认keypair:
root@cic-1:~# openstack keypair list+----------+-------------------------------------------------+| Name | Fingerprint |+----------+-------------------------------------------------+| my_key | 51:47:92:7d:a1:ec:75:aa:07:3a:a8:7c:17:63:4d:6f || pub_key | 91:4b:da:c4:9d:6e:2e:7e:75:60:25:2a:d5:d1:5b:99 || key0510t | 4b:79:61:3f:5d:30:97:66:e5:6f:2a:73:0e:64:11:e0 |+----------+-------------------------------------------------+5) 用nova boot创建VM,带上关键参数--key-name,其值就是上面的keypair:
root@cic-1:~# nova boot --flavor m1.small --image centos --key-name key0510t --availability-zone nova --nic net-name=testnet test_vm_t检查生成的VM,获取IP地址:
root@cic-1:~# nova show test_vm_t+--------------------------------------+----------------------------------------------------------+| Property | Value |+--------------------------------------+----------------------------------------------------------+| OS-DCF:diskConfig | MANUAL || OS-EXT-AZ:availability_zone | nova || OS-EXT-SRV-ATTR:host | compute-1 || OS-EXT-SRV-ATTR:hostname | test-vm-t || OS-EXT-SRV-ATTR:hypervisor_hostname | compute-1 || OS-EXT-SRV-ATTR:instance_name | instance-00000407 |...........................................| image | centos (ad9e09fe-7359-4ce6-9b39-75b33fff0374) || key_name | key0510t || metadata | {} || name | test_vm_t || os-extended-volumes:volumes_attached | [] || security_groups | default || status | ACTIVE || tenant_id | bfb1b84d2d994b36985cfd306e4f8860 || testnet network | 10.10.10.246 || updated | 2018-05-10T02:49:21Z || user_id | c099eaacab0f452e806b59d8b89f0c74 |+--------------------------------------+----------------------------------------------------------+6) 很重要的一步: 修改key file的读写属性为只读(这里已经是root用户,如果不是就加sudo):
root@cic-1:~# chmod 600 key0510t.pem7) 用ssh -i的方式登录VM,-i所带的参数就是key file的名字:
root@cic-1:~# ssh -i key0510t.pem centos@10.10.10.246The authenticity of host '10.10.10.246 (10.10.10.246)' can't be established.ECDSA key fingerprint is 59:f9:c9:c1:4b:69:8b:3d:53:31:98:24:73:17:c6:e1.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.10.10.246' (ECDSA) to the list of known hosts.[centos@test-vm-t ~]$ ls如果忽略了第6)步就会得到如下错误信息:
root@cic-1:~# ssh -i key0510t.pem centos@10.10.10.246
The authenticity of host '10.10.10.246 (10.10.10.246)' can't be established.ECDSA key fingerprint is 59:f9:c9:c1:4b:69:8b:3d:53:31:98:24:73:17:c6:e1.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.10.10.246' (ECDSA) to the list of known hosts.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: UNPROTECTED PRIVATE KEY FILE! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@Permissions 0640 for 'key0510t.pem' are too open.It is required that your private key files are NOT accessible by others.This private key will be ignored.bad permissions: ignore key: key0510t.pemPermission denied (publickey,gssapi-keyex,gssapi-with-mic).注:接下来如果想用用户名加密码的方式,就修改该VM的/etc/ssh/sshd_config文件:
PermitRootLogin yes
PasswordAuthentication yes
然后保存退出,再service sshd restart即可。这样下次就能用用户名和密码登录了。