Installing and deploying OpenStack on CentOS 7: the Keystone identity service
I. OpenStack overview
1. Topology diagram
Horizon is the dashboard, i.e. the control panel. Ceilometer does monitoring and metering; things such as snapshots and configuration changes are all billed. Keystone is login authentication, much like the websites that let you sign in with QQ or WeChat. Heat is an orchestration service (a playbook): by defining a playbook you launch a whole series of virtual machines in bulk and stand up a cluster with one click (executed with Ansible). Swift is object storage: a user's data is no longer kept under some directory, because a traditional directory has no database behind it; Swift (object storage) creates a dedicated database and treats every file as a record object rather than a directory entry, so a file becomes one row in the database.
2. OpenStack architecture (SOA architecture)
Modules: (Keystone identity service, Glance image service, Nova compute service, Neutron networking service, Cinder storage service, Horizon web interface)
3. SOA architecture
SOA: split the business up, turning every function into an independent web service, and each independent web service has at least one cluster.
Open-source microservice frameworks: Alibaba's open-source Dubbo, and Spring Boot.
II. Installing the Keystone identity service
1. Install the packages
[root@controller ]# yum install openstack-keystone httpd mod_wsgi -y   # mod_wsgi connects the HTTP server to Python
2. Before you configure the OpenStack identity service, you must create a database and an administration token.
[root@controller ~]# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
3. Generate a random value to use as the administration token during the initial configuration.
[root@controller ~]# openssl rand -hex 10
4. Edit the configuration file
[root@controller ]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak   # back up the configuration file
[root@controller ]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf   # strip blank lines and comments, then write the result back as the configuration file
[root@controller ]# vim /etc/keystone/keystone.conf   # edit the configuration file as shown below
[root@controller ]# md5sum /etc/keystone/keystone.conf   # record the MD5 of the configuration file
[DEFAULT]
...
admin_token = ADMIN_TOKEN
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
...
provider = fernet
5. Install the tool made for editing configuration files
[root@controller ]# yum install openstack-utils -y
[root@controller ]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf   # restore the configuration file that was edited by hand above
[root@controller ]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN   # edit the configuration file with the tool
[root@controller ]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[root@controller ]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
[root@controller ]# cat /etc/keystone/keystone.conf   # view the configuration file
[root@controller ]# md5sum /etc/keystone/keystone.conf   # compare the MD5 of the tool-edited file with the MD5 recorded for the hand-edited file in the previous step
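Comparing MD5 sums only tells you the two files are byte-identical. As an added example (not code from the original post or from the Keystone project), the following shell script reads the values back out of keystone.conf with a small awk INI reader and checks the three settings set above one by one. It assumes the same placeholder values used on this page (ADMIN_TOKEN, KEYSTONE_DBPASS, the controller host) and writes a constructed sample keystone.conf into a temporary directory, so it runs anywhere; on the controller you would point check_keystone_conf at /etc/keystone/keystone.conf.

```shell
#!/bin/sh
# Added example (not from the original post or the Keystone project): read
# keystone.conf values back with a small awk INI reader and check the three
# settings this section sets, instead of relying on md5sum alone.

# ini_get FILE SECTION KEY -> prints the value of KEY in [SECTION], or nothing.
# Comments (# or ;), blank lines and other sections are ignored.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                 # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want_sec {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want_key) {
                val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# check_keystone_conf FILE -> 0 when admin_token is set, the database
# connection matches the value used on this page, and the token provider is fernet.
check_keystone_conf() {
    [ -n "$(ini_get "$1" DEFAULT admin_token)" ] \
        || { echo "DEFAULT/admin_token is not set" >&2; return 1; }
    [ "$(ini_get "$1" database connection)" = \
      "mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone" ] \
        || { echo "database/connection differs from the expected value" >&2; return 1; }
    [ "$(ini_get "$1" token provider)" = fernet ] \
        || { echo "token/provider is not fernet" >&2; return 1; }
    return 0
}

# make_sample_conf FILE: writes a constructed keystone.conf fragment (sample
# input for this example) that keeps the comments and blank lines a real file has.
make_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
#admin_token = <None>
admin_token = ADMIN_TOKEN

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
; provider = uuid
provider = fernet
EOF
}

# Stand-alone demo: build the sample file in a temp dir and check it.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/keystone.conf"
if check_keystone_conf "$demo_dir/keystone.conf"; then
    echo "keystone.conf: all three settings are as expected"
fi
```

Because ini_get is section-aware, a commented-out `#admin_token = <None>` line or a `provider` key in some other section does not produce a false match, which is exactly the mistake a plain grep makes on the unstripped keystone.conf.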
6. Initialize the identity service database
[root@controller ]# mysql keystone -e 'show tables;'   # switch to the database and list its tables
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone   # sync the database; list the tables again afterwards and many more will have appeared
7. Initialize the Fernet keys
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
After initialization, a fernet-keys directory appears under /etc/keystone/.
8. Configure the Apache HTTP server
[root@controller ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
9. Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
10. Start the HTTP service and enable it at boot
[root@controller etc]# systemctl start httpd.service
[root@controller etc]# systemctl enable httpd.service
III. Configure the token and register the service
1. Configure the token
[root@controller etc]# export OS_TOKEN=ADMIN_TOKEN   # set the authentication token
[root@controller etc]# export OS_URL=http://controller:35357/v3   # set the endpoint URL
[root@controller etc]# export OS_IDENTITY_API_VERSION=3   # set the identity API version
2. Create the service entity and API endpoints
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 0636e3be3cd148c6b54fd24686e8d6ea |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 8227630dece449018c6dd7f3199c18b6 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0636e3be3cd148c6b54fd24686e8d6ea |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b1c3e0e738854c568ad236ae00a0da6d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0636e3be3cd148c6b54fd24686e8d6ea |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | fb800ecf21c845a6bfdd05c5de1f4656 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0636e3be3cd148c6b54fd24686e8d6ea |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+
Create the service project
openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | 894cdfa366d34e9d835d3de01e752262 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+
openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | ed0b60bf607743088218b0a533d5943f |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
openstack user create --domain default \
> --password DEMO_PASS demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | d0fb278401404c569f5cf9c00c750817 |
| enabled             | True                             |
| id                  | 1ca7f08e5e954074837db6c877834c07 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 3db197f5d549400eb825ae24e839e7ea |
| name      | user                             |
+-----------+----------------------------------+
openstack role add --project demo --user demo user
Note: every service added to the OpenStack environment requires one or more service entities and three API endpoint variants in the identity service.
IV. Create the domain, project (tenant), users and roles
1. Create the default domain
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| name        | default                          |
| tags        | []                               |
+-------------+----------------------------------+
2. Create the admin project
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| enabled     | True                             |
| id          | 17e6fb94c09347fc8bdc854afef7922f |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| tags        | []                               |
+-------------+----------------------------------+
3. Create the admin user
[root@controller ~]# openstack user create --domain default --password ADMIN_PASS admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| enabled             | True                             |
| id                  | 0a48bf33893b4854bf85fbd69050c2f6 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
4. Create the admin role
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 2ef07766d0a04bacb8778b0b0ac0be51 |
| name | admin |
+-----------+----------------------------------+
5. Add the admin role to the admin project and user
[root@controller ~]# openstack role add --project admin --user admin admin
6. Unset the environment variables and, for security reasons, disable the temporary authentication token mechanism
Note: edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
Unset the OS_TOKEN and OS_URL environment variables
[root@controller ~]# unset OS_TOKEN OS_URL
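The following shell script is an added example (not code from the original post or from the Keystone project) for checking that this step was actually completed, since a leftover admin_token_auth filter lets anyone who learns ADMIN_TOKEN act as the cloud administrator. It verifies that admin_token_auth is gone from every [pipeline:...] section of keystone-paste.ini (and can strip it), that admin_token is no longer set in keystone.conf, and, because step 7 created it, that the fernet-keys repository is not readable by other users. It runs against a constructed, abbreviated keystone-paste.ini in a temporary directory; on the controller you would point the functions at the real files under /etc/keystone.

```shell
#!/bin/sh
# Added example (not from the original post or the Keystone project): checks
# that the bootstrap admin_token_auth filter is out of every pipeline, that
# admin_token is unset in keystone.conf, and that the Fernet key repository
# is private. Paths and sample contents are constructed for the example.

# paste_pipeline_clean FILE -> 0 when no [pipeline:*] section lists
# admin_token_auth; otherwise prints the offending sections and returns 1.
paste_pipeline_clean() {
    awk '
        /^[ \t]*\[/          { sec = "" }            # any header ends the previous section
        /^[ \t]*\[pipeline:/ { sec = $0; next }      # remember [pipeline:...] headers only
        /^[ \t]*[#;]/        { next }
        sec != "" && /^[ \t]*pipeline[ \t]*=/ && / admin_token_auth( |$)/ { print sec; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# remove_admin_token_auth FILE: drop admin_token_auth from every pipeline line,
# leaving the [filter:admin_token_auth] definition itself untouched.
remove_admin_token_auth() {
    sed '/^pipeline *=/ s/ *admin_token_auth//g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# admin_token_unset FILE -> 0 when keystone.conf has no active admin_token line.
admin_token_unset() {
    ! grep -Eq '^[[:space:]]*admin_token[[:space:]]*=' "$1"
}

# fernet_keys_private DIR -> 0 when the repository exists and neither the
# directory nor any key file inside it is world-readable.
fernet_keys_private() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -perm -004)" ]
}

# make_sample_paste FILE: constructed, abbreviated keystone-paste.ini with the
# admin_token_auth filter still present in all three pipelines.
make_sample_paste() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
EOF
}

# Stand-alone demo on the constructed file.
demo_dir=$(mktemp -d)
make_sample_paste "$demo_dir/keystone-paste.ini"
if ! paste_pipeline_clean "$demo_dir/keystone-paste.ini"; then
    echo "admin_token_auth is still enabled in the sections above; removing it"
    remove_admin_token_auth "$demo_dir/keystone-paste.ini"
fi
paste_pipeline_clean "$demo_dir/keystone-paste.ini" && echo "keystone-paste.ini: clean"
```

The pipeline check is deliberately section-aware: the `[filter:admin_token_auth]` block and its `use = egg:keystone#admin_token_auth` line may stay, because a filter that no pipeline references is never invoked; only the `pipeline =` lines decide whether the token is accepted.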
7. As the admin user, request an authentication token
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Note: this command uses the admin user's password: ADMIN_PASS
8. Run the commands using environment variables
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=default
[root@controller ~]# export OS_USER_DOMAIN_NAME=default
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=ADMIN_PASS
[root@controller ~]# export OS_AUTH_URL=http://controller:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# export OS_IMAGE_API_VERSION=2
[root@controller ~]# openstack user list   # this command only works once the environment variables have been set
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0a48bf33893b4854bf85fbd69050c2f6 | admin |
+----------------------------------+-------+
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin user list   # the same command with explicit parameters instead of environment variables
9. Put the environment variables into a script: create the admin-openrc file
[root@controller ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# source admin-openrc   # make sure the environment variables are set before every openstack command; after logging out, run this again
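To show what the admin-openrc variables are actually used for, here is an added example (not code from the original post or from the OpenStack client). `openstack token issue` builds a Keystone v3 password-scoped authentication request from OS_USERNAME, OS_USER_DOMAIN_NAME, OS_PASSWORD, OS_PROJECT_NAME and OS_PROJECT_DOMAIN_NAME, POSTs it to OS_AUTH_URL/auth/tokens, and reads the token from the X-Subject-Token response header. The script assembles that request and also checks that admin-openrc, which stores the admin password in clear text, is readable only by its owner. The openrc content is the file from step 9; the temporary directory is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenStack client): build
# the Keystone v3 auth request that `openstack token issue` sends from the
# admin-openrc variables, and check that the openrc file is private.

# json_escape STRING: escape backslashes and double quotes for a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# openrc_vars_set -> 0 when every variable the request needs is exported.
openrc_vars_set() {
    for v in OS_AUTH_URL OS_USERNAME OS_USER_DOMAIN_NAME OS_PASSWORD \
             OS_PROJECT_NAME OS_PROJECT_DOMAIN_NAME; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing $v (source admin-openrc first)" >&2; return 1; }
    done
    return 0
}

# keystone_v3_auth_body: prints the JSON body for POST $OS_AUTH_URL/auth/tokens,
# a password-method identity scoped to the project in OS_PROJECT_NAME.
keystone_v3_auth_body() {
    openrc_vars_set || return 1
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$(json_escape "$OS_USERNAME")" "$(json_escape "$OS_USER_DOMAIN_NAME")" \
        "$(json_escape "$OS_PASSWORD")" "$(json_escape "$OS_PROJECT_NAME")" \
        "$(json_escape "$OS_PROJECT_DOMAIN_NAME")"
}

# keystone_token_url: the endpoint the request goes to (OS_AUTH_URL is the v3 root).
keystone_token_url() {
    openrc_vars_set || return 1
    printf '%s/auth/tokens' "${OS_AUTH_URL%/}"
}

# openrc_private FILE -> 0 when the file is readable by neither group nor others.
openrc_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# make_sample_openrc FILE: the admin-openrc from step 9, written with mode 600.
make_sample_openrc() {
    cat > "$1" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
    chmod 600 "$1"
}

# Stand-alone demo: write the openrc into a temp dir, source it, show the request.
demo_dir=$(mktemp -d)
make_sample_openrc "$demo_dir/admin-openrc"
. "$demo_dir/admin-openrc"
openrc_private "$demo_dir/admin-openrc" && echo "admin-openrc is readable only by its owner"
echo "POST $(keystone_token_url)"
keystone_v3_auth_body
echo
# On the controller the request is sent with:
#   curl -si -H 'Content-Type: application/json' -d "$(keystone_v3_auth_body)" "$(keystone_token_url)"
# and the token is returned in the X-Subject-Token response header.
```

The request is printed rather than sent so the example runs offline. Because the body carries the admin password, treat admin-openrc like a private key: keep it at mode 600 and do not copy it to shared hosts.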
10. Load the environment variables automatically at login
[root@controller ~]# vim .bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
        . /etc/bashrc
fi
source admin-openrc   # append this line at the end
11. Verify that the Keystone service is working