OpenStack in four parts (1): keystone
I. Environment preparation
1. This lab uses CentOS 7 with the H release of OpenStack.
The host configuration of the two machines is as follows:
Controller node:
Hostname: node1.openstack.com
Host IP: 192.168.56.11
Compute node:
Hostname: node2.openstack.com
Host IP: 192.168.56.12
Note: once a hostname is chosen, avoid changing it; otherwise OpenStack will treat the host as a new machine joining the resource pool and rebalance accordingly, which causes unnecessary side effects. Also make sure the firewall and SELinux are disabled, and if you use virtual machines give them at least 4 GB of RAM, otherwise creating instances will easily fail with resource-shortage errors.
Most importantly, make sure the clocks of both machines are synchronized and that each host can be resolved by hostname!!!
2. The following steps are performed on the controller node
a. Install the repositories
yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install centos-release-openstack-liberty -y
yum install python-openstackclient -y
b. Install MySQL (MySQL does not have to live on the controller node; it only needs to be reachable)
yum install -y mariadb mariadb-server MySQL-python
Edit the MySQL configuration
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
vim /etc/my.cnf
Add the following under [mysqld]
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
Enable start on boot
systemctl enable mariadb
Start the database
systemctl start mariadb
Set the root password
mysql_secure_installation
c. Create a user and database for each component and grant privileges
Keystone database
mysql -u root -p123456 -e "CREATE DATABASE keystone;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
Glance database
mysql -u root -p123456 -e "CREATE DATABASE glance;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';"
Nova database
mysql -u root -p123456 -e "CREATE DATABASE nova;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';"
Neutron database
mysql -u root -p123456 -e "CREATE DATABASE neutron;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';"
Cinder database
mysql -u root -p123456 -e "CREATE DATABASE cinder;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';"
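The grants above use the service name as its own password and allow the user in from any host ('%'). The script below is an added example, not code from the original post: it generates the same CREATE DATABASE / GRANT statements for all five services with a random password each and limits the remote grant to the controller and compute IPs used in this post. It assumes /dev/urandom and od are available; the output file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the per-service
# database bootstrap SQL with a random password for every service instead of
# the password-equals-username pattern used in the post, and grant remote
# access only to the hosts that need it rather than to '%' (any host).
# Assumptions: /dev/urandom and od are available; the controller and compute
# IPs are the ones used in this post; the output file names are placeholders.

# 32 hex characters of randomness for one database password.
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Emit CREATE DATABASE and GRANT statements for one service.
# $1 service name (used as database and user name), $2 password,
# remaining arguments: hosts allowed to connect over the network.
db_bootstrap_sql() {
    svc="$1"; pw="$2"; shift 2
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$svc"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$svc" "$svc" "$pw"
    for h in "$@"; do
        printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$svc" "$svc" "$h" "$pw"
    done
}

# Produce the SQL for all five services and record each generated password
# (as KEYSTONE_DBPASS=..., etc.) in a mode-600 file for the later config edits.
# $1 SQL output path, $2 password file path (both placeholders).
bootstrap_all() {
    out="${1:-openstack-db.sql}"
    secrets="${2:-openstack-db-passwords}"
    umask 077
    : > "$out"
    : > "$secrets"
    for svc in keystone glance nova neutron cinder; do
        pw=$(gen_password)
        printf "%s_DBPASS=%s\n" "$(echo "$svc" | tr 'a-z' 'A-Z')" "$pw" >> "$secrets"
        db_bootstrap_sql "$svc" "$pw" 192.168.56.11 192.168.56.12 >> "$out"
    done
    printf "FLUSH PRIVILEGES;\n" >> "$out"
}

# Usage on the controller: bootstrap_all && mysql -u root -p < openstack-db.sql
```

The password file is what you copy from when filling in the connection strings of keystone.conf and the other service configs later; keeping it mode 600 and out of shell history is the point of generating it here instead of typing the password on the mysql command line as above.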
d. Install rabbitmq
yum install -y rabbitmq-server
Enable start on boot
systemctl enable rabbitmq-server
Start rabbitmq
systemctl start rabbitmq-server
Create the rabbitmq user (username openstack, password openstack)
rabbitmqctl add_user openstack openstack
Set permissions
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Enable the web management plugin
rabbitmq-plugins enable rabbitmq_management
Restart rabbitmq
systemctl restart rabbitmq-server
Verify
Open 192.168.56.11:15672 in a browser (the default username/password is guest/guest; the openstack user we created is not yet enabled at this point)
Enable the openstack account in rabbitmq
II. Component deployment
1. Keystone
Keystone has two main functions:
1) Users and authentication: user permissions and tracking of user actions
2) Service catalog: a catalog of every service and the API endpoints belonging to it
a. Install the required services
yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
Edit the keystone configuration file
The result after editing is as follows
You can also turn on debug mode if needed:
verbose = true
Sync the table structure and data
su -s /bin/sh -c "keystone-manage db_sync" keystone
Verify the sync (to be safe)
mysql -ukeystone -pkeystone -h 192.168.56.11
use keystone;
show tables;
If tables are listed and there are 33 of them, the sync succeeded
Start memcached
systemctl enable memcached
systemctl start memcached
Create the Apache configuration file for keystone
vim /etc/httpd/conf.d/wsgi-keystone.conf
Add the following content
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Configure Apache (set ServerName)
vim /etc/httpd/conf/httpd.conf
ServerName 192.168.56.11:80
From now on the keystone identity service is started and stopped through Apache
Start Apache
systemctl enable httpd
systemctl start httpd
b. Create users and roles
Set the environment variables
export OS_TOKEN=863d35676a5632e846d9
export OS_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the admin project
openstack project create --domain default --description "Admin Project" admin
Create the admin user
openstack user create --domain default --password-prompt admin
# This command prompts for a password; here we set it to admin (in production it must be complex)
Create the admin role
openstack role create admin
Add the admin user to the admin project with the admin role
openstack role add --project admin --user admin admin #this command produces no output
Create an ordinary project, user and role, and grant the role
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password=demo demo
openstack role create user
openstack role add --project demo --user demo user
Create the service project, used for interaction between the components
openstack project create --domain default --description "Service Project" service
c. Create the keystone service and endpoints
Create the service
openstack service create --name keystone --description "OpenStack Identity" identity
Create the endpoints
openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v2.0 #public endpoint, serves external clients
openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v2.0 #internal endpoint
openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v2.0 #admin endpoint
d. Authenticate with username and password
Unset the environment variables (or simply close the current terminal and open a new one)
unset OS_TOKEN
unset OS_URL
unset OS_IDENTITY_API_VERSION
Verify that a token can be obtained (you will be asked for the admin password)
openstack --os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
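What `openstack token issue` does behind the scenes is a single POST to the Keystone v3 token API. The script below is an added example, not code from the original post or from the OpenStack project: it builds that request with curl so the body and the reply can be inspected, and contrasts it with the bootstrap OS_TOKEN path used in section b, which is why that token is unset here. It assumes curl and sed are installed, uses the URL, user, project and domain values from this post, and the SAMPLE_* values are constructed replies used only to exercise the parsing helpers.

```shell
#!/bin/sh
# Added example, not code from the original post: the HTTP exchange that
# `openstack token issue` performs against the Keystone v3 API, done with
# curl so that both the request body and the reply can be inspected.
# Assumptions: curl and sed are installed; the URL, user, project and
# domain values are the ones used in this post; SAMPLE_* below are
# constructed replies used only to exercise the parsing helpers.

KEYSTONE_URL="http://192.168.56.11:35357/v3"

# Build the v3 password-authentication request body, scoped to a project.
# $1 username, $2 password, $3 project name, $4 domain id (default "default")
auth_body() {
    dom="${4:-default}"
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"id":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"id":"%s"}}}}}' \
        "$1" "$dom" "$2" "$3" "$dom"
}

# Keystone returns the issued token in the X-Subject-Token response header,
# not in the JSON body; pull it out of a header dump read from stdin.
token_from_headers() {
    sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken:[[:space:]]*//p' | tr -d '\r'
}

# Read the token expiry out of the JSON body (stdin) without needing jq.
expires_from_body() {
    sed -n 's/.*"expires_at": *"\([^"]*\)".*/\1/p'
}

# The real exchange: POST /v3/auth/tokens, capture headers and body
# separately, and print only the token on success.
keystone_issue_token() {
    hdrs=$(mktemp)
    body=$(curl -s -D "$hdrs" -H 'Content-Type: application/json' \
        -d "$(auth_body "$1" "$2" "$3")" "$KEYSTONE_URL/auth/tokens")
    tok=$(token_from_headers < "$hdrs")
    rm -f "$hdrs"
    if [ -z "$tok" ]; then
        echo "authentication failed: $body" >&2
        return 1
    fi
    echo "expires_at: $(printf '%s' "$body" | expires_from_body)" >&2
    echo "$tok"
}

# For comparison, this is how the client authenticates while OS_TOKEN and
# OS_URL are set (section b of the post): the bootstrap admin token goes
# straight into the X-Auth-Token header, with no user, password or project
# involved, which is why it must be unset once real accounts exist.
list_projects_with_admin_token() {
    curl -s -H "X-Auth-Token: $1" "$KEYSTONE_URL/projects"
}

# Constructed sample of a successful reply (HTTP 201), used for the checks.
SAMPLE_HEADERS='HTTP/1.1 201 Created
X-Subject-Token: gAAAAABexampletoken
Content-Type: application/json'
SAMPLE_BODY='{"token": {"methods": ["password"], "expires_at": "2016-01-01T12:00:00.000000Z", "project": {"name": "admin"}}}'

# Usage against the live controller, with the admin password set in section b:
#   keystone_issue_token admin admin admin
```

A token printed by keystone_issue_token is as sensitive as the password that produced it until expires_at passes, so treat it like the OS_TOKEN value: keep it out of shell history and do not paste it into tickets or logs.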
e. Put the keystone environment variables in a file for convenience; just source it to load them
admin environment variables
vim admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
demo environment variables
vim demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
Verify the result
source admin-openrc.sh
openstack token issue