OpenStack Deployment Part 1: Installing the Keystone Identity Service (repost)
Note: OpenStack Newton (N) release
1. Network Time Protocol (NTP)
Note: the clocks of all OpenStack nodes must be kept in sync, otherwise virtual machines cannot be created.
1.1 Controller node
# yum install -y chrony ntpdate            # install the packages
# vim /etc/chrony.conf
server time1.aliyun.com                    # replace NTP_SERVER with the hostname or IP address of an NTP server; several server entries may be configured
allow 192.168.56.0/24                      # allow the other nodes to connect to the chrony daemon on the controller node
systemctl enable chronyd.service           # start the NTP service and configure it to start with the system
systemctl start chronyd.service
systemctl restart chronyd.service
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # change the time zone to Asia/Shanghai (Beijing time)
1.2 Other nodes
# The other nodes connect to the controller node to synchronize time. Run these steps on every other node.
yum install -y chrony ntpdate              # install the packages
vim /etc/chrony.conf
server 192.168.56.11                       # comment out the other time servers
systemctl enable chronyd.service           # start the NTP service and configure it to start with the system
systemctl start chronyd.service
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # change the time zone to Asia/Shanghai (Beijing time)
1.3 Verify the result
chronyc sources    # check time synchronization; run it on the controller node first
1.4 Configure an Internet time server (optional)
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # change the time zone to Asia/Shanghai (Beijing time)
ntpdate time1.aliyun.com                               # synchronize with the Aliyun time server
*/5 * * * * /usr/sbin/ntpdate time1.aliyun.com >/dev/null 2>&1   # cron job: synchronize the time every 5 minutes
2. Environment preparation
2.1 Basic preparation (all nodes)
# yum install -y centos-release-openstack-newton   # install the OpenStack repository
# yum install -y python-openstackclient            # install the OpenStack client
# yum install -y openstack-selinux                 # install openstack-selinux, which manages the SELinux policy for OpenStack services automatically
2.2 Configure the SQL database
Most OpenStack services use a SQL database to store information. The database typically runs on the controller node. The steps in the guide use MariaDB or MySQL depending on the distribution; the OpenStack services also support other SQL databases, including PostgreSQL. Every OpenStack component except Horizon needs a database. This article uses MySQL, which on CentOS 7 is MariaDB by default.
1. In the [mysqld] section, set bind-address to the management network IP address of the controller node so that the other nodes can reach the database over the management network:
[root@linux-node1 ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.56.11
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

Parameter details:
default-storage-engine = innodb      # default storage engine
innodb_file_per_table                # one tablespace file per table
collation-server = utf8_general_ci   # collation
init-connect = 'SET NAMES utf8'      # character set used for connections
character-set-server = utf8          # default character set when creating databases

Enable MariaDB at boot and start it
systemctl enable mariadb.service
systemctl start mariadb.service
systemctl status mariadb.service
netstat -ltnp|grep 3306    # check that the database port is open

Set the MySQL root password
mysql_secure_installation

Log in to the database to create the databases for all components and grant privileges
mysql -uroot -p123456

Run the SQL: create a database and an account for each component, and grant privileges
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';

Check that the databases and users were created (6 databases and 5 users in total)
MariaDB [(none)]> show databases;
MariaDB [(none)]> select user,host from mysql.user;
2.3 Deploy the message queue
Install on node1
# yum install -y rabbitmq-server
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack openstack              # add the openstack user; replace RABBIT_PASS (here: openstack) with the password to use
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"   # grant the openstack user configure, write and read permissions
# rabbitmq-plugins enable rabbitmq_management           # enable the web management UI
Log in at http://192.168.56.11:15672/   username: guest   password: guest
2.4 Memcache
Install on node1
# yum install -y memcached python-memcached
# systemctl enable memcached.service
# systemctl start memcached.service
3. Configuring the OpenStack Keystone identity service
Server
A centralized server provides authentication and authorization services through a RESTful interface.
Drivers
Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, and they may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
Modules
Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user credentials, and pass them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).
Preparation:
1) Configure the database (for convenience, the databases for all later components were created together in section 2.2 above; they can also be created when each component is deployed)
2) Install the packages
yum install -y openstack-keystone httpd mod_wsgi
Configure keystone (the settings changed in keystone.conf, listed with grep -n):
[root@linux-node1 keystone]# grep -n '^[a-z]' /root/keystone/keystone/keystone.conf
640:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1472:servers = 192.168.56.11:11211
2655:provider = fernet
2665:driver = memcache

su -s /bin/sh -c "keystone-manage db_sync" keystone   # switch to the keystone user and initialize the Identity service database
ll /var/log/keystone/keystone.log                     # check that the log file was created
mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"   # check the result

4. Initialize the Fernet keys:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5. Bootstrap the Identity service (writes the endpoint configuration into the keystone database)
keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://192.168.56.11:35357/v3/ \
  --bootstrap-internal-url http://192.168.56.11:35357/v3/ \
  --bootstrap-public-url http://192.168.56.11:5000/v3/ \
  --bootstrap-region-id RegionOne

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# systemctl enable httpd.service
# systemctl start httpd.service
# netstat -tunlp    # check that the service started and is listening

Configure the admin account
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3

Check what has been created
openstack user list       # list users
openstack project list    # list projects
openstack role list       # list roles
openstack service list    # list services
openstack endpoint list   # list endpoints

Create domains, projects, users and roles
Create the projects
openstack project create --domain default --description "Service Project" service
openstack project list
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo   # set the demo user's password interactively; password: demo
openstack user create --domain default --password demo demo     # set the demo user's password non-interactively: the first "demo" is the password, the second is the user name
openstack role create user
openstack role add --project demo --user demo user   # add the demo user to the demo project with the user role
openstack user create --domain default --password-prompt glance    # password: glance
openstack role add --project service --user glance admin
openstack user create --domain default --password-prompt nova      # password: nova
openstack role add --project service --user nova admin
openstack user create --domain default --password-prompt neutron   # password: neutron
openstack role add --project service --user neutron admin
openstack user create --domain default --password-prompt cinder    # password: cinder
openstack role add --project service --user cinder admin

Made a mistake while creating an account; how to recreate it?
[root@linux-node1 conf.d]# openstack user
openstack: 'user' is not an openstack command. See 'openstack --help'.
Did you mean one of these?
  user create
  user delete
  user list
  user password set
  user set
  user show
  consumer create
  consumer delete
  consumer list
  consumer set
  consumer show
  router add port
  router add subnet
  router create
  router delete
  router list
  router remove port
  router remove subnet
  router set
  router show
  router unset
  subnet create
  subnet delete
  subnet list
  subnet pool create
  subnet pool delete
  subnet pool list
  subnet pool set
  subnet pool show
  subnet pool unset
  subnet set
  subnet show
  subnet unset
openstack user list           # get the user's ID first
openstack user delete <ID>    # delete the user by ID, then create it again

Verification
unset OS_AUTH_URL
unset OS_PASSWORD
# request an authentication token as admin (password: admin)
openstack --os-auth-url http://192.168.56.11:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
# request an authentication token as demo (password: demo)
openstack --os-auth-url http://192.168.56.11:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue

Create the OpenStack client environment scripts
[root@linux-node1 ~]# cat admin-openstack
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# cat demo-openstack
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Using the scripts
source admin-openstack
openstack token issue

Common Keystone errors
401   # authentication failed: wrong password for a Keystone user account, clocks not synchronized, or wrong project name
409   # conflict when creating a user: the user already exists
500   # internal server error: the service is misconfigured; read the log and check the configuration
service failure   # a required service is not running
Tip: the best way to solve Keystone problems is to learn to read the logs
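As an added example (not from the original post), the shell script below checks a client environment script such as admin-openstack or demo-openstack above, offline, for the settings that most often end in the 401 listed under common errors: missing OS_* variables, an OS_AUTH_URL that does not point at the Identity v3 API, an identity API version other than 3, and a password identical to the user name (as with the demo/demo account). It parses the file with sed instead of sourcing it, so a tampered script cannot run commands during the check; the sample files and the PLACEHOLDER_RANDOM_PASSWORD value are constructed for the example.

```shell
# get_var FILE NAME: print the value of the last "export NAME=value" line in FILE
# (unquoted values, as in the admin-openstack / demo-openstack scripts on this page)
get_var() { sed -n "s/^[[:space:]]*export[[:space:]]*$2=//p" "$1" | tail -n 1; }

# check_openrc FILE: report the settings that typically end in a 401 from Keystone.
# The file is parsed, not sourced, so a tampered script cannot run commands here.
# Returns 0 when the file passes, 1 otherwise.
check_openrc() {
    local file="$1" problems=0 v url ver pw
    for v in OS_AUTH_URL OS_USERNAME OS_PASSWORD OS_PROJECT_NAME \
             OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME OS_IDENTITY_API_VERSION; do
        [ -n "$(get_var "$file" "$v")" ] || { echo "$file: $v is not set"; problems=$((problems + 1)); }
    done
    url=$(get_var "$file" OS_AUTH_URL)
    case "$url" in
        http://*/v3 | https://*/v3) ;;   # must point at the Identity v3 API
        *) echo "$file: OS_AUTH_URL should end in /v3 (got '$url')"; problems=$((problems + 1)) ;;
    esac
    ver=$(get_var "$file" OS_IDENTITY_API_VERSION)
    if [ -n "$ver" ] && [ "$ver" != 3 ]; then
        echo "$file: OS_IDENTITY_API_VERSION must be 3 (got '$ver')"; problems=$((problems + 1))
    fi
    pw=$(get_var "$file" OS_PASSWORD)
    if [ -n "$pw" ] && [ "$pw" = "$(get_var "$file" OS_USERNAME)" ]; then
        echo "$file: OS_PASSWORD is identical to OS_USERNAME (weak credential)"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files (no real credentials): a hardened admin script, and a
# script in the style of the page's demo-openstack (demo/demo, v2.0 URL, missing variables).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/admin-openstack" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=PLACEHOLDER_RANDOM_PASSWORD
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
EOF
cat > "$SAMPLES/demo-openstack" <<'EOF'
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v2.0
EOF
check_openrc "$SAMPLES/admin-openstack" && echo "admin-openstack: ok"
check_openrc "$SAMPLES/demo-openstack" || echo "demo-openstack: fix before sourcing"
```

Run it against each script before sourcing it; a clean pass rules out the client-side causes of a 401, leaving clock skew and the server configuration to check.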
Port reference:
MySQL----------3306
RabbitMQ-------5672
RabbitMQ Web---15672
Memcached------11211
Source: http://www.cnblogs.com/madsnotes/
Notice: the copyright of this article is shared by the author and cnblogs. Reposting is welcome, but unless the author agrees otherwise this notice must be kept, and a link to the original must be shown prominently on the article page.