仅控制节点配置
keystone 服务主要包含三个功能,分别为:认证管理、授权管理和服务目录管理。 keystone 的令牌(token)提供者有三种:UUID、Fernet、PKI(无论哪种方式,本质上都是一种生成令牌字符串的方法) |
step 01 创建数据库数据环境
CREATE DATABASE keystone; #创建keystone数据库 GRANT ALL PRIVILEGES ON keystone.* TO '用户名'@'localhost' IDENTIFIED BY '用户密码'; #授权用户本地访问权限和密码(默认用户名:keystone; 默认密码: KEYSTONE_DBPASS) GRANT ALL PRIVILEGES ON keystone.* TO '用户名'@'%' IDENTIFIED BY '用户密码'; #授权用户远程访问权限和密码,'%' 表示允许来自任意主机的连接(默认用户名:keystone; 默认密码: KEYSTONE_DBPASS) |
[root@controller ~]# mysql -u root
......
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [mysql]> grant all privileges on keystone.* TO 'keystone'@'localhost' identified by 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> grant all privileges on keystone.* TO 'keystone'@'%' identified by 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> exit
Bye
step 02 安装keystone认证服务
yum install -y openstack-keystone httpd mod_wsgi #安装keystone相关服务及组件 |
[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
......
Complete!
[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* centos-qemu-ev: mirrors.bupt.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package 1:openstack-keystone-13.0.4-1.el7.noarch already installed and latest version
Package httpd-2.4.6-97.el7.centos.5.x86_64 already installed and latest version
Package mod_wsgi-3.4-18.el7.x86_64 already installed and latest version
Nothing to do
step 03 修改配置文件
#/etc/keystone/keystone.conf cp /etc/keystone/keystone.conf{,.bak} #备份配置文件 grep -Ev '^#|^$' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf #清除配置文件中的注释行及空行 yum install -y openstack-utils #安装openstack工具 openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN #定义初始管理令牌值(仅用于引导阶段,持有该值即拥有完整管理权限) openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://用户名:密码@数据库IP/keystone #配置数据库访问信息(默认用户名:keystone; 默认密码: KEYSTONE_DBPASS) openstack-config --set /etc/keystone/keystone.conf token provider fernet #配置令牌提供者为 Fernet md5sum /etc/keystone/keystone.conf #校验配置文件 |
[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak}
[root@controller ~]# grep -Ev '^#|^$' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
[root@controller ~]# yum install -y openstack-utils.noarch >/dev/null
[root@controller ~]# echo $?
0
[root@controller ~]# yum install -y openstack-utils.noarch
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* centos-qemu-ev: mirrors.bupt.edu.cn
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Package openstack-utils-2017.1-1.el7.noarch already installed and latest version
Nothing to do
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
[root@controller ~]# ping controller -c 1 -w 1
PING controller (10.0.0.11) 56(84) bytes of data.
64 bytes from controller (10.0.0.11): icmp_seq=1 ttl=64 time=0.009 ms
--- controller ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.009/0.009/0.009/0.000 ms
[root@controller /opt]# md5sum /etc/keystone/keystone.conf
d5acb3db852fe3f247f4f872b051b7a9 /etc/keystone/keystone.conf
step 04 同步数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone #初始化身份验证的数据库(同步数据库) |
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# mysql -uroot keystone -e "show tables;" | grep -E 'role|project|user'
federated_user
implied_role
local_user
project
project_endpoint
project_endpoint_group
role
trust_role
user
user_group_membership
step 05 初始化fernet
keystone-manage fernet_setup --keystone-user 用户名 --keystone-group 组名 #初始化fernet(默认用户名与组名均为keystone) |
[root@controller ~]# find /etc/keystone -maxdepth 1 -type d
/etc/keystone
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# find /etc/keystone -maxdepth 1 -type d
/etc/keystone
/etc/keystone/fernet-keys
step 06 优化httpd服务
#/etc/httpd/conf/httpd.conf ServerName 控制节点主机名或IP地址 #显式指定 ServerName,避免 Apache 启动时反向解析主机名,提高启动速度 |
[root@controller ~]# echo 'ServerName controller' >>/etc/httpd/conf/httpd.conf
[root@controller ~]# tail -1 /etc/httpd/conf/httpd.conf
ServerName controller
step 07 创建keystone服务Apache配置文件
#/etc/httpd/conf.d/wsgi-keystone.conf |
# /usr/share/keystone/wsgi-keystone.conf
# Two VirtualHosts: the public API on port 5000 and the admin API on port
# 35357, each backed by its own WSGI daemon process group.
Listen 5000
Listen 35357
<VirtualHost *:5000>
# Five single-threaded worker processes, running as the keystone user/group.
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
# Every URL under / is routed to the public WSGI entry point.
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Hand the client's Authorization header through to the WSGI application,
# so credentials are evaluated by keystone rather than by httpd.
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
# Both VirtualHosts write to the same error and access log files.
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
# Lets httpd access the directory holding the aliased script. Because
# WSGIScriptAlias maps all of /, other files in /usr/bin should not be
# reachable by URL — worth confirming on the running host.
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
# Same layout as the public VirtualHost, but serving the admin entry point.
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
step 08 启动httpd服务
systemctl enable httpd systemctl start httpd |
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# netstat -lntup | grep httpd
tcp6 0 0 :::5000 :::* LISTEN 78354/httpd
tcp6 0 0 :::80 :::* LISTEN 78354/httpd
tcp6 0 0 :::35357 :::* LISTEN 78354/httpd
step 09 创建服务和注册API
export OS_TOKEN=ADMIN_TOKEN #与/etc/keystone/keystone.conf中的admin_token一致 export OS_URL=http://控制节点IP地址:35357/v3 export OS_IDENTITY_API_VERSION=3 openstack service create --name keystone --description "描述信息" identity openstack endpoint create --region RegionOne identity public http://controller:5000/v3 openstack endpoint create --region RegionOne identity internal http://controller:5000/v3 openstack endpoint create --region RegionOne identity admin http://controller:35357/v3 |
[root@controller ~]# export OS_TOKEN=ADMIN_TOKEN
[root@controller ~]# export OS_URL=http://controller:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# env | grep OS_
OS_IDENTITY_API_VERSION=3
OS_TOKEN=ADMIN_TOKEN
OS_URL=http://controller:35357/v3
[root@controller ~]# openstack service create --name keystone --description "Openstack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Openstack Identity |
| enabled | True |
| id | c08cee72ee19458890c73b69f5b30806 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7e6f7e4ebb5e4a50bfc2b9bec044716f |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c08cee72ee19458890c73b69f5b30806 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 2db35fad21084ac5b8f41f6d21736eb1 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c08cee72ee19458890c73b69f5b30806 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9b6648857e7140fdb5ebca8b70c4bb10 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | c08cee72ee19458890c73b69f5b30806 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
step 10 创建域(地域)、项目(账号)、用户(子账号)、角色(权限集合)
Openstack中仅有两种角色: admin 和 user |
openstack domain create --description "描述信息" 域名称 #创建域(域名称默认default) openstack project create --domain default --description "Service Project" service #创建service项目(用于存放系统服务账号) openstack project create --domain 域名称 --description "描述信息" 项目名 #创建项目(项目名称默认admin) openstack user create --domain 域名称 --password 密码 用户名 #创建用户(用户名称默认admin,密码默认: ADMIN_PASS) openstack role create 角色名 #创建角色(角色名称默认admin) |
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | a98878297d154485a6ee2f0a5f9d3cc0 |
| name | default |
+-------------+----------------------------------+
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | a98878297d154485a6ee2f0a5f9d3cc0 |
| enabled | True |
| id | 71a03b450955432b985d4ed8137858ac |
| is_domain | False |
| name | service |
| parent_id | a98878297d154485a6ee2f0a5f9d3cc0 |
+-------------+----------------------------------+
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | a98878297d154485a6ee2f0a5f9d3cc0 |
| enabled | True |
| id | 97070590114e4689b1ec1579075a59e6 |
| is_domain | False |
| name | admin |
| parent_id | a98878297d154485a6ee2f0a5f9d3cc0 |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password ADMIN_PASS admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | a98878297d154485a6ee2f0a5f9d3cc0 |
| enabled | True |
| id | ee2329a7c00e4dc598982c3c9ce15615 |
| name | admin |
+-----------+----------------------------------+
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 9df1812622c745f4b5beed5bcfaeabcc |
| name | admin |
+-----------+----------------------------------+
step 11 关联项目,用户,角色
openstack role add --project 项目名称 --user 用户名称 角色名称 #在项目上,给用户赋予角色 |
[root@controller ~]# openstack role add --project admin --user admin admin
step 13 创建环境变量脚本
正常使用脚本前需要先 unset 第九步(step 09)设置的环境变量(OS_TOKEN、OS_URL 等);令牌认证与密码认证的变量同时存在时,客户端可能无法正确选择认证方式; |
# ~/admin-openrc export OS_PROJECT_DOMAIN_NAME=项目域名称 #默认default export OS_USER_DOMAIN_NAME=用户域名称 #默认default export OS_PROJECT_NAME=项目名称 #默认admin export OS_USERNAME=用户名称 #默认admin export OS_PASSWORD=用户密码 #默认ADMIN_PASS export OS_AUTH_URL=http://控制节点IP:35357/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 |
# ~/admin-openrc
# Credentials for the admin user; load into the current shell with
# `source admin-openrc`. The file holds a cleartext password, so keep its
# permissions restricted to the owner.
OS_PROJECT_DOMAIN_NAME=default
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=ADMIN_PASS
# Identity endpoint (admin API port) and the API versions the clients use.
OS_AUTH_URL=http://controller:35357/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
  OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION
[root@controller ~]# unset OS_IDENTITY_API_VERSION
[root@controller ~]# unset OS_TOKEN
[root@controller ~]# unset OS_URL
[root@controller ~]# vim admin-openrc
[root@controller ~]# source admin-openrc
[root@controller ~]# echo "source admin-openrc" >>.bashrc
[root@controller ~]# tail -1 .bashrc
source admin-openrc
step 14 验证
执行 openstack 命令时,需要step 13的环境变量;否则需要指定相应的参数; |
openstack service list #查看openstack服务安装组件列表 openstack endpoint list #查看openstack服务组件访问接口列表 openstack user list #查看openstack服务用户列表 openstack token issue #获取openstack服务的token |
# 环境变量执行命令
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------+
| expires | 2022-03-26T12:00:15.000000Z |
| id | gAAAAABiPvI_eBcCrlHItLASRKXP6toTfrKfdgwM_D9lY0wEPQJJXmUOtlRcdXGmE- |
| | TFwvtQov2vPDWdVl1elRJ8laMVDIY-NJKxhI7QpDkTW6hEQzJLqJtrj6mLWgpIkOjxM_- |
| | iXGEhuoaWp9eltFAh1sRV1cq0Y24lmgTNdMQusgG-AZs2w4I |
| project_id | 97070590114e4689b1ec1579075a59e6 |
| user_id | ee2329a7c00e4dc598982c3c9ce15615 |
+------------+-----------------------------------------------------------------------+
[root@controller ~]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| c08cee72ee19458890c73b69f5b30806 | keystone | identity |
+----------------------------------+----------+----------+
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 2db35fad21084ac5b8f41f6d21736eb1 | RegionOne | keystone | identity | True | internal | http://controller:5000/v3 |
| 7e6f7e4ebb5e4a50bfc2b9bec044716f | RegionOne | keystone | identity | True | public | http://controller:5000/v3 |
| 9b6648857e7140fdb5ebca8b70c4bb10 | RegionOne | keystone | identity | True | admin | http://controller:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| ee2329a7c00e4dc598982c3c9ce15615 | admin |
+----------------------------------+-------+
# 参数执行命令(注意:以参数方式传入的密码会出现在命令行参数和 shell 历史记录中)
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin --os-password ADMIN_PASS --os-identity-api-version 3 token issue
+------------+------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+------------------------------------------------------------------------------------------------------------------+
| expires | 2022-03-26T12:05:50.000000Z |
| id | gAAAAABiPvOOdXwGA7udrxypPEiPkCc2RG0jizmlnkARArAdNCTilk9sQwmVXE5Z6o0fnW8cKfTlgdak79-kFQ7Oj_jb- |
| | lnBa4kN8H3m1QMskcT4ioLkIAlLnkZnCGIxPh1h4SBIaxB5xfhWyATa-UG2lam-hICgb0w5GNmTwkWiFo8oVJOhUeI |
| project_id | 97070590114e4689b1ec1579075a59e6 |
| user_id | ee2329a7c00e4dc598982c3c9ce15615 |
+------------+------------------------------------------------------------------------------------------------------------------+
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin --os-password ADMIN_PASS --os-identity-api-version 3 user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| ee2329a7c00e4dc598982c3c9ce15615 | admin |
+----------------------------------+-------+