OpenStack Deployment, Part 1: Installing the Keystone Identity Service (repost)

Note: OpenStack Newton (N) release

1. Network Time Protocol (NTP)

Note: the clocks on all OpenStack nodes must be kept in sync; otherwise virtual machines cannot be created normally.

1.1 Controller node

# yum install -y chrony ntpdate                     # install the packages
# vim /etc/chrony.conf
  server time1.aliyun.com                # replace NTP_SERVER with the hostname or IP address of an NTP server; several server lines are supported
  allow 192.168.56.0/24                  # allow the other nodes to connect to the chrony daemon on the controller node
systemctl enable chronyd.service         # start the NTP service and enable it at boot
systemctl start chronyd.service
systemctl restart chronyd.service
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime    # change the time zone to Asia/Shanghai

1.2 Other nodes

# The other nodes sync their time from the controller node. Run these steps on every other node.
yum install -y chrony ntpdate                                      # install the packages
vim /etc/chrony.conf
server 192.168.56.11                                    # comment out the other time servers

systemctl enable chronyd.service                        # start the NTP service and enable it at boot
systemctl start chronyd.service
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime    # change the time zone to Asia/Shanghai

1.3 Verify the result

chronyc sources    # check time synchronization; run it on the controller node first so that it is in sync before the other nodes

1.4 Configure an internet time server (optional)

\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime            # change the time zone to Asia/Shanghai
ntpdate time1.aliyun.com                                        # sync against Alibaba Cloud's time server
*/5 * * * * /usr/sbin/ntpdate time1.aliyun.com >/dev/null 2>&1  # cron entry: sync the time every 5 minutes
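The post says the nodes must agree on the time but only shows "chronyc sources". The following added example (not from the original post) parses the output of "chronyc tracking" and fails when the node is not synchronised or the offset exceeds a limit; Keystone tokens carry expiry timestamps, so a skewed node gets 401 errors even with correct credentials. The tracking text below is constructed sample output.

```shell
#!/bin/sh
# Constructed sample of `chronyc tracking` output (the real command needs chrony running).
SAMPLE_TRACKING='Reference ID    : 0A0A0A0A (time1.aliyun.com)
Stratum         : 3
Ref time (UTC)  : Sun Dec 18 08:49:00 2016
System time     : 0.000412345 seconds slow of NTP time
Last offset     : -0.000398765 seconds
RMS offset      : 0.000511111 seconds
Leap status     : Normal'

# clock_offset_ok TRACKING_TEXT MAX_SECONDS
#   returns 0 when the clock is synchronised and |System time offset| <= MAX_SECONDS,
#   1 when unsynchronised or too far off, 2 when the input is not tracking output.
clock_offset_ok() {
    text=$1; max=$2
    # "Leap status : Not synchronised" means chrony has no usable source yet
    printf '%s\n' "$text" | grep -q 'Leap status *: Normal' \
        || { echo "clock not synchronised with any NTP source" >&2; return 1; }
    # "System time : 0.000412345 seconds slow of NTP time" -> 4th whitespace field
    offset=$(printf '%s\n' "$text" | awk '/^System time/ { print $4; exit }')
    [ -n "$offset" ] || { echo "no System time line in input" >&2; return 2; }
    # compare the absolute offset against the limit with awk (sh has no float arithmetic)
    awk -v o="$offset" -v m="$max" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# Typical use on a node: clock_offset_ok "$(chronyc tracking)" 1 && echo "clock within 1s"
```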

 

2. Environment preparation

2.1 Basic preparation (all nodes)

# yum install -y centos-release-openstack-newton # install the OpenStack repository
# yum install -y python-openstackclient          # install the OpenStack client
# yum install -y openstack-selinux               # install openstack-selinux, which manages the SELinux policy for the OpenStack services automatically

 

2.2 Configure the SQL database

Most OpenStack services use a SQL database to store information. Typically the database runs on the controller node. The steps in the guide use MariaDB or MySQL depending on the distribution; OpenStack services also support other SQL databases, including PostgreSQL. Every OpenStack component except Horizon needs a database. This article uses MySQL, which on CentOS 7 is shipped as MariaDB.

1. In the [mysqld] section, set bind-address to the management-network IP address of the controller node so that the other nodes can reach the database over the management network:

[root@linux-node1 ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.56.11
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
Parameter notes:
default-storage-engine = innodb       # default storage engine
innodb_file_per_table                 # one tablespace file per table
collation-server = utf8_general_ci    # collation
init-connect = 'SET NAMES utf8'       # character set for new connections
character-set-server = utf8           # default character set for newly created databases

Enable MariaDB at boot and start it:
systemctl enable mariadb.service
systemctl start mariadb.service
systemctl status mariadb.service
netstat -ltnp|grep 3306               # check that the MySQL port is listening

Set the MySQL root password:
mysql_secure_installation

Log in to the database to create the databases for all components and grant privileges:
mysql -uroot -p123456

Run the SQL: create one database and one account per component and grant it privileges.
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';

Check that the databases and users were created (6 databases and 5 users in total):
MariaDB [(none)]> show databases;
MariaDB [(none)]> select user,host from mysql.user;

 

2.3 Deploy the message queue
Install on node1

# yum install -y rabbitmq-server
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack openstack                    # add the openstack user; replace RABBIT_PASS with the password you want to use (openstack is used here)
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"        # grant the openstack user configure, write and read permissions
# rabbitmq-plugins enable rabbitmq_management                 # enable the management web UI
Log in at: http://192.168.56.11:15672/
Account: guest
Password: guest

 

2.4 Memcached

Install on node1

# yum install -y memcached python-memcached
# systemctl enable memcached.service
# systemctl start memcached.service

 

3. Configuring the Keystone identity service

Server

  A centralized server provides authentication and authorization services through a RESTful interface.

Drivers

  Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, and they may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).

Modules

  Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user's credentials and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).

Preparation:

1) Configure the database (for convenience, all databases used later are created here; they can also be created when each component is deployed)

$ mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';


CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';

CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';


CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';

CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
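Both the SQL in section 2.2 and the block above give every service account a password equal to its user name and grant it from any host ('%'). The added example below (not from the original post) generates the same CREATE DATABASE / GRANT statements from a template with a random password per account and a host pattern limited to the management network; nova gets one password for both of its databases. The host pattern 192.168.56.% and the use of /dev/urandom are assumptions of this example.

```shell
#!/bin/sh
# new_password -> 32 hex characters from the kernel RNG (od is POSIX, no openssl needed)
new_password() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# service_grants USER HOSTPATTERN PASSWORD DB... -> prints the SQL on stdout
#   Grants USER access to every DB from localhost and from HOSTPATTERN only.
#   The password is echoed to stderr so it can be copied into keystone.conf's
#   [database] connection line without ending up in the SQL history.
service_grants() {
    user=$1; host=$2; pass=$3; shift 3
    # the password is interpolated into an SQL string literal, so refuse quoting characters
    case "$pass" in
        *\'*|*\\*) echo "password must not contain quotes or backslashes" >&2; return 1 ;;
    esac
    for db in "$@"; do
        printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
        for h in localhost "$host"; do
            printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
                "$db" "$user" "$h" "$pass"
        done
    done
    printf '%s database password (for the [database] connection line): %s\n' "$user" "$pass" >&2
}

# all_service_grants HOSTPATTERN -> SQL for the six databases the post creates
all_service_grants() {
    host=$1
    service_grants keystone "$host" "$(new_password)" keystone
    service_grants glance   "$host" "$(new_password)" glance
    service_grants nova     "$host" "$(new_password)" nova nova_api
    service_grants neutron  "$host" "$(new_password)" neutron
    service_grants cinder   "$host" "$(new_password)" cinder
}

# Typical use on the controller:  all_service_grants '192.168.56.%' | mysql -uroot -p
```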

 

2) Install the packages

yum install -y openstack-keystone httpd mod_wsgi
[root@linux-node1 keystone]# grep -n '^[a-z]' /root/keystone/keystone/keystone.conf 
640:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1472:servers = 192.168.56.11:11211
2655:provider = fernet
2665:driver = memcache
su -s /bin/sh -c "keystone-manage db_sync" keystone                               # switch to the keystone user and initialize the Identity service database
ll /var/log/keystone/keystone.log                                                # check that the log file was created
mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"       # check the result
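The post checks keystone.conf with "grep -n", which depends on line numbers that change between packages. The added example below (not from the original post) reads the file by section and key instead and confirms the four settings the post changes. It assumes Newton's keystone.conf layout, with connection under [database], servers under [memcache], and provider and driver under [token], and it warns when the database password in the connection string equals the user name, as it does in the post.

```shell
#!/bin/sh
# ini_get FILE SECTION KEY -> prints the value; empty when the key is unset or commented out
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^\[/          { in_sec = ($0 == s); next }   # track which [section] we are in
        in_sec { key = $0; sub(/[ \t]*=.*/, "", key)  # "key = value" or "key=value"
                 if (key == k) { sub(/^[^=]*=[ \t]*/, ""); print; exit } }
    ' "$1"
}

# check_keystone_conf FILE DB_HOST MEMCACHE_HOST -> 0 when all four settings match
check_keystone_conf() {
    f=$1; rc=0
    conn=$(ini_get "$f" database connection)
    case "$conn" in
        mysql+pymysql://*@"$2"/keystone*)
            # user:password sits between "://" and "@"; flag password == user name
            cred=${conn#mysql+pymysql://}; cred=${cred%%@*}
            [ "${cred%%:*}" != "${cred#*:}" ] \
                || echo "warning: database password equals the user name" >&2 ;;
        *) echo "[database] connection is '$conn', expected mysql+pymysql://user:pass@$2/keystone" >&2; rc=1 ;;
    esac
    [ "$(ini_get "$f" memcache servers)" = "$3:11211" ] \
        || { echo "[memcache] servers should be $3:11211" >&2; rc=1; }
    [ "$(ini_get "$f" token provider)" = "fernet" ] \
        || { echo "[token] provider should be fernet" >&2; rc=1; }
    [ "$(ini_get "$f" token driver)" = "memcache" ] \
        || { echo "[token] driver should be memcache" >&2; rc=1; }
    return $rc
}

# Typical use: check_keystone_conf /etc/keystone/keystone.conf 192.168.56.11 192.168.56.11
```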

4. Initialize the Fernet keys:

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
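fernet_setup creates the key repository that signs every token Keystone issues, so it has to stay private to the keystone user. The added example below (not from the original post) checks a repository directory the way a practitioner would after running the two commands above: directory mode 700, key files named as integers with mode 600, all owned by the expected user, and at least the staged key 0 plus a primary key present. The repository path /etc/keystone/fernet-keys and the keystone owner are this example's assumptions; it uses find, so it runs on any POSIX system.

```shell
#!/bin/sh
# has_mode PATH MODE OWNER -> true when PATH has exactly MODE and is owned by OWNER
has_mode() { [ -n "$(find "$1" -prune -perm "$2" -user "$3" 2>/dev/null)" ]; }

# check_fernet_repo DIR [OWNER] -> 0 when the key repository is sane, 1 otherwise
check_fernet_repo() {
    dir=$1; owner=${2:-keystone}; rc=0; n=0
    has_mode "$dir" 700 "$owner" \
        || { echo "$dir: need directory mode 700 owned by $owner" >&2; rc=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || break                      # empty or missing directory
        case "${f##*/}" in                        # key files are named 0, 1, 2, ...
            *[!0-9]*) echo "$f: not a Fernet key file" >&2; rc=1; continue ;;
        esac
        has_mode "$f" 600 "$owner" \
            || { echo "$f: need mode 600 owned by $owner" >&2; rc=1; }
        n=$((n + 1))
    done
    # key 0 is the staged key; fernet_setup creates 0 and 1, rotation adds more
    [ -e "$dir/0" ] || { echo "$dir: staged key 0 missing, run fernet_setup" >&2; rc=1; }
    [ "$n" -ge 2 ] || { echo "$dir: fewer than 2 keys (staged + primary)" >&2; rc=1; }
    return $rc
}

# Typical use on the controller: check_fernet_repo /etc/keystone/fernet-keys keystone
```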

5. Bootstrap the Identity service (writes the endpoint configuration into the keystone database)
keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://192.168.56.11:35357/v3/ \
  --bootstrap-internal-url http://192.168.56.11:35357/v3/ \
  --bootstrap-public-url http://192.168.56.11:5000/v3/ \
  --bootstrap-region-id RegionOne


ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# systemctl enable httpd.service
# systemctl start httpd.service
# netstat -tunlp  # check that the service started and is listening

Configure the admin account
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3

Check what has been created
openstack user list           # list users
openstack project list        # list projects
openstack role list           # list roles
openstack service list        # list services
openstack endpoint list       # list endpoints


Create domains, projects, users and roles

Create projects
openstack project create --domain default --description "Service Project" service
openstack project list

openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo                   # set the demo user's password interactively; password: demo
openstack user create --domain default --password demo demo                     # set it non-interactively; the first "demo" is the password, the second is the user name
openstack role create user
openstack role add --project demo --user demo user                                # add the demo user to the demo project with the user role


openstack user create --domain default   --password-prompt glance        # password: glance
openstack role add --project service --user glance admin

openstack user create --domain default   --password-prompt nova            # password: nova
openstack role add --project service --user nova admin

openstack user create --domain default   --password-prompt neutron        # password: neutron
openstack role add --project service --user neutron admin

openstack user create --domain default   --password-prompt cinder        # password: cinder
openstack role add --project service --user cinder admin


Created something wrong? How to recreate the account

[root@linux-node1 conf.d]# openstack user
openstack: 'user' is not an openstack command. See 'openstack --help'.
Did you mean one of these?
  user create
  user delete
  user list
  user password set
  user set
  user show
  consumer create
  consumer delete
  consumer list
  consumer set
  consumer show
  router add port
  router add subnet
  router create
  router delete
  router list
  router remove port
  router remove subnet
  router set
  router show
  router unset
  subnet create
  subnet delete
  subnet list
  subnet pool create
  subnet pool delete
  subnet pool list
  subnet pool set
  subnet pool show
  subnet pool unset
  subnet set
  subnet show
  subnet unset
  
openstack user list             # get the user's ID first
openstack user delete <ID>      # delete the user by ID
401 authentication error


Verify the operation
unset OS_AUTH_URL
unset OS_PASSWORD
# request an authentication token as admin; password: admin
openstack --os-auth-url http://192.168.56.11:5000/v3   --os-project-domain-name default --os-user-domain-name default   --os-project-name admin --os-username admin token issue
# request an authentication token as demo; password: demo
openstack --os-auth-url http://192.168.56.11:5000/v3   --os-project-domain-name default --os-user-domain-name default   --os-project-name demo --os-username demo token issue

Create the OpenStack client environment scripts
[root@linux-node1 ~]# cat admin-openstack 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

[root@linux-node1 ~]# cat demo-openstack 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Use the scripts
source admin-openstack 
openstack token issue


Common Keystone errors
401            # authentication failed: wrong keystone user name or password, clocks out of sync, or wrong project name
409            # conflict: the user already exists when creating a keystone user
500            # internal server error: the service is misconfigured; read the logs and check the configuration
Service failure    # a dependent service is not running
Tip: the best way to troubleshoot Keystone is to learn to read its logs

 


Port reference:
MySQL----------3306
RabbitMQ-------5672
RabbitMQ Web---15672
Memcached------11211

posted @ 2016-12-18 16:49 by 每天进步一点点!!!  views (1500)  comments (0)