OpenStack Keystone源码安装

一、准备环境,源码安装

由于本次安装选择的Ubuntu Server 12.04,需要安装以下必需软件包:

apt-get install build-essential git python-dev python-setuptools python-pip libxml2-dev libxslt-dev

keystone默认使用的是sqlite存储数据,现在为了需要改成MySQL数据库,所以需要安装MySQL:

apt-get install mysql-server mysql-client python-mysqldb

设置好MySQL的root密码,建立keystone数据库:

mysql -u root -p
create database keystone;
grant all on keystone.* to 'keystone'@'%' identified by 'openstack';
quit

获取keystone和keystoneclient源代码,分别安装它们的依赖项,并将它们安装到系统中:

git clone git://github.com/openstack/keystone.git
git clone git://github.com/openstack/python-keystoneclient.git keystone/client
pip install -r tools/pip-requires
python setup.py install
cd client/
pip install -r tools/pip-requires
python setup.py install



二、安装后配置

1、配置前提

将源码目录的etc/下所有文件复制到/etc/keystone中,依次执行以下命令:

mkdir -p /etc/keystone
mv keystone.conf.sample keystone.conf
mv logging.conf.sample logging.conf

 

2、修改keystone.conf文件

将keystone.conf文件以下配置的注释去掉(即将句首‘#’去掉)即可。

[DEFAULT]
admin_token = openstack    #admin_token需要记住,后续安装其他项目还需要用到
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
compute_port = 8774
policy_file = policy.json
policy_default_rule = admin_required
 
# === Logging Options ===
# Print debugging output
verbose = False
 
# Print more verbose output
# (includes plaintext request logging, potentially including passwords)
debug = False
 
log_config = /etc/keystone/logging.conf   #log_config的值改成你存放logging.conf的位置

 [sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:openstack@192.168.0.114/keystone   #将connection的值改成MySQL的

# the timeout before idle sql connections are reaped
idle_timeout = 200
 
[identity]
driver = keystone.identity.backends.sql.Identity
 
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog  #在本次安装中catalog使用sql的,也可以使用模板来实现
 
[token]
# driver = keystone.token.backends.kvs.Token
driver = keystone.token.backends.sql.Token   #token改成sql实现,原来为kvs

# Amount of time a token should remain valid (in seconds)
expiration = 86400
 
[policy]
driver = keystone.policy.backends.sql.Policy
 
1)使用ssl配置如下:
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True
 
[signing]
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
#ca_password = None

2)不用ssl如下:
[ssl]
enable = False
cert_required = False

[signing]
token_format = UUID       #必须改成UUID方式
 
[ldap]     #本次安装暂不使用
# url = ldap://localhost



3、修改logging.conf配置

logging.conf文件基本不用修改,本次安装仅是修改了keystone的log文件所在位置,如下:

[handler_file]
class=FileHandler
level=DEBUG
formatter=normal_with_name
args=('/var/log/keystone/keystone.log', 'a')
 



4、生产环境

1)配置ssl服务

生产环境中一般都需要配置ssl安全访问,使用openssl生成pem文件(keystone的源码中提供了测试用的pem文件)过程如下:

1)、生成RSA密钥的方法

 openssl genrsa -des3 -out keystone.pem 2048

这个命令会生成一个2048位的密钥,同时有一个des3方法加密的密码,如果你不想要每次都输入密码,可以改成:

openssl genrsa -out  keystone.pem 2048

建议用2048位密钥,少于此可能会不安全或很快将不安全。

2)、生成一个证书请求

openssl req -new -key  keystone.pem -out cert.csr

这个命令将会生成一个证书请求,当然,用到了前面生成的密钥keystone.pem文件
这里将生成一个新的文件cert.csr,即一个证书请求文件,你可以拿着这个文件去数字证书颁发机构(即CA)申请一个数字证书。CA会给你一个新的文件cacert.pem,那才是你的数字证书。

如果是自己做测试,那么证书的申请机构和颁发机构都是自己。就可以用下面这个命令来生成证书:

openssl req -new -x509 -key  keystone.pem -out   keystonekey.pem -days 1095

 这个命令将用上面生成的密钥 keystone.pem生成一个数字证书 keystonekey.pem



2)配置ldap(未测试)



5、安装后测试

1)启动keystone

keystone-all -d &

2)查看日志

tail -f /var/log/keystone/keystone.log

3)实例

创建租户:

keystone --os-endpoint http://127.0.0.1:35357/v2.0 --os-token openstack tenant-create --name test --description "Test Tenant" --enabled true

+-------------+----------------------------------+

|   Property  |              Value               |

+-------------+----------------------------------+

| description |           Test Tenant            |

|   enabled   |               True               |

|      id     | ce57e39988c640029f080c415193231e |

|     name    |               test               |

+-------------+----------------------------------+

获取租户列表:

keystone --os-endpoint http://127.0.0.1:35357/v2.0 --os-token openstack tenant-list

+----------------------------------+---------+---------+

|                id                |   name  | enabled |

+----------------------------------+---------+---------+

| 29e1a1b5251a4cb78e3c73afd40c725d |  admin  |   True  |

| 901d44a896a54cba88df1d92531640d2 |   demo  |   True  |

| cbc4329de3f8421296507475ced04b15 | service |   True  |

| ce57e39988c640029f080c415193231e |   test  |   True  |

+----------------------------------+---------+---------+

使用curl测试:

curl -d '{"auth": {"tenantName": "admin", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://127.0.0.1:35357/v2.0/tokens | python -mjson.tool

如果没问题,将返回一个json格式的结果,如下所示:

{
    "access": {
        "metadata": {
            "is_admin": 0, 
            "roles": [
                "76154d4fcca84e369c3075c36fcca004"
            ]
        }, 
        "serviceCatalog": [
            {
                "endpoints": [
                    {
                       # ... ...
                    }
                ], 
                "endpoints_links": [], 
                "name": "nova", 
                "type": "compute"
            }, 
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ], 
                "endpoints_links": [], 
                "name": "glance", 
                "type": "image"
            }, 
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ], 
                "endpoints_links": [], 
                "name": "volume", 
                "type": "volume"
            }, 
            {
                "endpoints": [
                    {
                       # ... ...
                    }
                ], 
                "endpoints_links": [], 
                "name": "ec2", 
                "type": "ec2"
            }, 
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ], 
                "endpoints_links": [], 
                "name": "swift", 
                "type": "object-store"
            }, 
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ], 
                "endpoints_links": [], 
                "name": "keystone", 
                "type": "identity"
            }
        ], 
        "token": {
            "expires": "2012-12-11T03:52:09Z", 
            "id": "efcfabb3ab13466babb68a8b56487a24", 
            "issued_at": "2012-12-10T03:52:09.689634", 
            "tenant": {
                "description": "Admin Tenant.", 
                "enabled": true, 
                "id": "29e1a1b5251a4cb78e3c73afd40c725d", 
                "name": "admin"
            }
        }, 
        "user": {
            "id": "4819c6cca1e5456d9b2a717446cfb228", 
            "name": "admin", 
            "roles": [
                {
                    "name": "admin"
                }
            ], 
            "roles_links": [], 
            "username": "admin"
        }
    }
}
posted on 2013-04-25 11:50  四野  阅读(2559)  评论(0编辑  收藏  举报