opesnstack四部曲(1)---keystone

一、环境准备

1、本次实验环境采用Centos7 + H版本的openstack
两台机器的主机相关配置如下:

控制节点:
    主机名:    node1.openstack.com
    主机ip:    192.168.56.11

计算节点:
    主机名:    node2.openstack.com
    主机ip:    192.168.56.12

注:主机名一旦确定尽量不要修改,否则openstack机制会认为有新的机器加入资源池,从而进行调整.因此造成不必要的影响。此外确保防火墙以及selinux关闭,如果采用虚拟机的话内存尽量4G,否则创建虚拟机时容易造成资源不足从而引起不必要的报错。

最重要的保证两台机器时间同步,相关主机能通过主机名进行解析!!!

2、以下操作在控制节点进行
a.安装相关源

yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install centos-release-openstack-liberty -y
yum install python-openstackclient -y

b.安装MySQL相关(MySQL不一定非要安装在控制节点,只要能访问就可以)

yum install -y mariadb mariadb-server MySQL-python
修改MySQL配置
cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
vim /etc/my.cnf
在[mysqld]下添加如下内容
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci   
init-connect = 'SET NAMES utf8'
character-set-server = utf8
设置开机启动
systemctl enable mariadb
启动数据库
systemctl start mariadb
设置密码
mysql_secure_installation

c.为相关组件创建用户、数据库,并授权

Keystone数据库
mysql -u root -p123456 -e "CREATE DATABASE keystone;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
Glance数据库
mysql -u root -p123456 -e "CREATE DATABASE glance;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';"
Nova数据库
mysql -u root -p123456 -e "CREATE DATABASE nova;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';"
Neutron 数据库
mysql -u root -p123456 -e "CREATE DATABASE neutron;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';"
Cinder数据库
mysql -u root -p123456 -e "CREATE DATABASE cinder;"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';"
mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';"

d.安装rabbitmq

yum install -y rabbitmq-server
设置开机启动
systemctl enable rabbitmq-server
启动rabbitmq
systemctl start rabbitmq-server
创建rabbitmq用户(用户名为openstack,密码为openstack)
rabbitmqctl add_user openstack openstack
设置权限
set_permissions openstack ".*" ".*" ".*"
启用web管理插件
rabbitmq-plugins enable rabbitmq_management
重新启动rabbitmq
systemctl restart rabbitmq-server
进行验证
访问 192.168.56.11:15672 (默认用户名密码为guest guest 我们建立的openstack用户此时没有启用)

启用rabbitmq中的openstack账号

二、组件部署

1、keystone篇

keystone两大功能
1)、用户与认证:用户权限与用户行为追踪
2)、服务目录:提供一个服务目录,包括所有服务项与相关Api的端点
a、安装相关服务

yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
修改keyston配置文件
修改后结果如下

此外还可以根据需求是否打开debug模式
verbose = true

同步表结构及数据
su -s /bin/sh -c "keystone-manage db_sync" keystone
同步验证(安全起见)
mysql -ukeystone -pkeystone -h 192.168.56.11
use keystone;
show tables;
如何能看到有表,且表数为33证明同步成功
启动memcache
systemctl enable memcached
systemctl start memcached
新建Apache的keystone文件
vim /etc/httpd/conf.d/wsgi-keystone.conf
添加如下内容
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

配置Apache配置文件(配置servername)
vim /etc/httpd/conf/httpd.conf
ServerName 192.168.56.11:80
此时可以通过Apache控制keystone认证服务的启动

启动Apache
systemctl enable httpd
systemctl starthttpd

b、创建相关用户角色

设置环境变量
export OS_TOKEN=863d35676a5632e846d9
export OS_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
创建admin项目
openstack project create --domain default   --description "Admin Project" admin
创建admin用户
openstack user create --domain default --password-prompt admin
#本次操作会提示输入密码,此次密码我们设置为admin(生产一定要复杂)
创建admin角色
openstack role create admin
给admin项目添加admin用户并且角色设置为admin
openstack role add --project admin --user admin admin        #此次操作没有输出
创建普通项目、用户、角色,并授权
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password=demo demo
openstack role create user
openstack role add --project demo --user demo user
创建service项目,用于相关组件交互
openstack project create --domain default --description "Service Project" service

c、创建keystone服务及端点

创建服务
openstack service create --name keystone --description "OpenStack Identity" identity
创建端点
openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v2.0                #公共端点,可以对外提供服务
openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v2.0              #内部端点
openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v2.0              #管理端点

d、使用用户名密码进行验证

卸载环境变量(其实关闭当前窗口,新开一个即可)
unset OS_TOKEN
unset OS_URL
unset OS_IDENTITY_API_VERSION
验证能否获取ID(需要输入admin的密码)
openstack --os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue

e、配置keystone环境变量方便执行,直接source即可引用

admin环境变量
vim admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3

demo环境变量
vim demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
验证结果
source admin-openrc.sh
openstack token issue
posted @ 2016-01-12 22:02  跟力哥学python  阅读(619)  评论(0编辑  收藏  举报