Installing OpenStack Keystone from Source
I. Preparing the environment and installing from source
This install uses Ubuntu Server 12.04, so the following packages are required first:
apt-get install build-essential git python-dev python-setuptools python-pip libxml2-dev libxslt-dev
Keystone stores its data in SQLite by default; this install switches to MySQL, so MySQL has to be installed as well:
apt-get install mysql-server mysql-client python-mysqldb
Set the MySQL root password, then create the keystone database:
mysql -u root -p
create database keystone;
grant all on keystone.* to 'keystone'@'%' identified by 'openstack';
quit
Fetch the keystone and keystoneclient source, install each one's dependencies, and install both into the system:
git clone git://github.com/openstack/keystone.git
git clone git://github.com/openstack/python-keystoneclient.git keystone/client
cd keystone
pip install -r tools/pip-requires
python setup.py install
cd client/
pip install -r tools/pip-requires
python setup.py install
II. Post-install configuration
1. Prerequisites
Copy every file under etc/ in the source tree to /etc/keystone, then run the following in order:
mkdir -p /etc/keystone
cp -r etc/* /etc/keystone/
cd /etc/keystone
mv keystone.conf.sample keystone.conf
mv logging.conf.sample logging.conf
2. Editing keystone.conf
Uncomment the settings below in keystone.conf (remove the leading '#'). The notes after '#' at the end of some lines are annotations for the reader, not part of the file.
[DEFAULT]
admin_token = openstack #remember this admin_token; the other projects installed later need it
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
compute_port = 8774
policy_file = policy.json
policy_default_rule = admin_required
# === Logging Options ===
# Print debugging output
verbose = False
# Print more verbose output
# (includes plaintext request logging, potentially including passwords)
debug = False
log_config = /etc/keystone/logging.conf #set log_config to wherever you keep logging.conf
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:openstack@192.168.0.114/keystone #change connection to your MySQL connection string
# the timeout before idle sql connections are reaped
idle_timeout = 200
[identity]
driver = keystone.identity.backends.sql.Identity
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog #this install uses the sql catalog; a template-based catalog is also possible
[token]
# driver = keystone.token.backends.kvs.Token
driver = keystone.token.backends.sql.Token #token backend switched to sql (the original was kvs)
# Amount of time a token should remain valid (in seconds)
expiration = 86400
[policy]
driver = keystone.policy.backends.sql.Policy
1) With SSL, configure as follows:
[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_required = True
[signing]
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
#ca_password = None
2) Without SSL:
[ssl]
enable = False
cert_required = False
[signing]
token_format = UUID #must be changed to UUID in this case
[ldap] #not used in this install
# url = ldap://localhost
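As an added example (not part of the original post), the following Python audits a keystone.conf against the points the post calls out: debug logging of plaintext passwords, a memorable admin_token, an unencrypted listener, and the database password embedded in the sql connection string. Both config texts are constructed here, and the thresholds (token length, placeholder list) are this example's own choices, not Keystone's.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: a keystone.conf left with the post's example values.
WEAK_CONF = """
[DEFAULT]
admin_token = openstack
debug = True
[sql]
connection = mysql://keystone:openstack@192.168.0.114/keystone
[ssl]
enable = False
"""

# Constructed sample: the same settings hardened (placeholder secrets).
HARDENED_CONF = """
[DEFAULT]
admin_token = REPLACE_WITH_A_LONG_RANDOM_SECRET_0123456789
debug = False
[sql]
connection = mysql://keystone:REPLACE_WITH_DB_PASSWORD@192.168.0.114/keystone
[ssl]
enable = True
"""

# Values that are obviously sample or guessable secrets (example's own list).
PLACEHOLDER_SECRETS = {"admin", "openstack", "password", "secret", "keystone"}


def db_password(connection):
    """Password embedded in an SQLAlchemy URL such as mysql://user:pw@host/db."""
    return urlsplit(connection).password or ""


def audit(text):
    """Return the list of findings for a keystone.conf; an empty list means clean."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    token = cfg.get("DEFAULT", "admin_token", fallback="")
    if len(token) < 32 or token.lower() in PLACEHOLDER_SECRETS:
        findings.append("admin_token is short or a placeholder; it grants full admin access")
    if cfg.getboolean("DEFAULT", "debug", fallback=False):
        findings.append("debug=True logs plaintext requests, including passwords")
    if not cfg.getboolean("ssl", "enable", fallback=False):
        findings.append("ssl.enable=False: credentials and tokens travel unencrypted")
    pw = db_password(cfg.get("sql", "connection", fallback=""))
    if len(pw) < 12 or pw.lower() in PLACEHOLDER_SECRETS:
        findings.append("sql.connection embeds a weak or placeholder database password")
    return findings
```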
3. Editing logging.conf
logging.conf needs almost no changes; this install only changed where keystone's log file is written:
[handler_file]
class=FileHandler
level=DEBUG
formatter=normal_with_name
args=('/var/log/keystone/keystone.log', 'a')
4. Production environment
1) Configuring SSL
Production deployments generally need SSL for secure access. The pem files are generated with openssl as follows (the keystone source also ships pem files for testing):
(1) Generating an RSA key
openssl genrsa -des3 -out keystone.pem 2048
This command generates a 2048-bit key protected by a DES3-encrypted passphrase. If you do not want to enter the passphrase every time, use this instead:
openssl genrsa -out keystone.pem 2048
A 2048-bit key is recommended; anything shorter may already be insecure or will be soon.
(2) Generating a certificate request
openssl req -new -key keystone.pem -out cert.csr
This command generates a certificate request from the keystone.pem key created above.
It produces a new file, cert.csr, the certificate request, which you can submit to a certificate authority (CA) to obtain a certificate. The CA returns a new file, cacert.pem, which is your actual certificate.
For your own testing you are both the requester and the issuer, so the certificate can be generated directly with:
openssl req -new -x509 -key keystone.pem -out keystonekey.pem -days 1095
This command uses the key keystone.pem generated above to produce the certificate keystonekey.pem. Note that these names are the reverse of the certfile/keyfile paths in the [ssl] section above, where keystone.pem is the certificate and keystonekey.pem is the key, so rename the files to match when copying them into /etc/keystone/ssl.
2) Configuring LDAP (untested)
5. Post-install testing
1) Start keystone
keystone-all -d &
2) Watch the log
tail -f /var/log/keystone/keystone.log
3) Examples
Create a tenant:
keystone --os-endpoint http://127.0.0.1:35357/v2.0 --os-token openstack tenant-create --name test --description "Test Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Test Tenant                      |
| enabled     | True                             |
| id          | ce57e39988c640029f080c415193231e |
| name        | test                             |
+-------------+----------------------------------+
List the tenants:
keystone --os-endpoint http://127.0.0.1:35357/v2.0 --os-token openstack tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| 29e1a1b5251a4cb78e3c73afd40c725d | admin   | True    |
| 901d44a896a54cba88df1d92531640d2 | demo    | True    |
| cbc4329de3f8421296507475ced04b15 | service | True    |
| ce57e39988c640029f080c415193231e | test    | True    |
+----------------------------------+---------+---------+
Test with curl:
curl -d '{"auth": {"tenantName": "admin", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://127.0.0.1:35357/v2.0/tokens | python -mjson.tool
If everything works, a JSON result like the following is returned:
{
    "access": {
        "metadata": {
            "is_admin": 0,
            "roles": [
                "76154d4fcca84e369c3075c36fcca004"
            ]
        },
        "serviceCatalog": [
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ],
                "endpoints_links": [],
                "name": "nova",
                "type": "compute"
            },
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ],
                "endpoints_links": [],
                "name": "glance",
                "type": "image"
            },
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ],
                "endpoints_links": [],
                "name": "volume",
                "type": "volume"
            },
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ],
                "endpoints_links": [],
                "name": "ec2",
                "type": "ec2"
            },
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ],
                "endpoints_links": [],
                "name": "swift",
                "type": "object-store"
            },
            {
                "endpoints": [
                    {
                        # ... ...
                    }
                ],
                "endpoints_links": [],
                "name": "keystone",
                "type": "identity"
            }
        ],
        "token": {
            "expires": "2012-12-11T03:52:09Z",
            "id": "efcfabb3ab13466babb68a8b56487a24",
            "issued_at": "2012-12-10T03:52:09.689634",
            "tenant": {
                "description": "Admin Tenant.",
                "enabled": true,
                "id": "29e1a1b5251a4cb78e3c73afd40c725d",
                "name": "admin"
            }
        },
        "user": {
            "id": "4819c6cca1e5456d9b2a717446cfb228",
            "name": "admin",
            "roles": [
                {
                    "name": "admin"
                }
            ],
            "roles_links": [],
            "username": "admin"
        }
    }
}
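As an added example (not from the original post), here is the same /v2.0/tokens exchange in Python: it builds the request body the curl command sends and summarises a response of the shape shown above, checking the token's expiry against a given time. The response below is a constructed, trimmed copy of the one on the page; the one-day gap between issued_at and expires matches the 86400-second expiration set in keystone.conf.

```python
import json
from datetime import datetime

# Constructed sample: the fields of the response above that a client actually uses.
SAMPLE_RESPONSE = json.dumps({"access": {
    "token": {"expires": "2012-12-11T03:52:09Z",
              "id": "efcfabb3ab13466babb68a8b56487a24",
              "issued_at": "2012-12-10T03:52:09.689634",
              "tenant": {"id": "29e1a1b5251a4cb78e3c73afd40c725d", "name": "admin"}},
    "user": {"id": "4819c6cca1e5456d9b2a717446cfb228", "name": "admin",
             "roles": [{"name": "admin"}]},
    "serviceCatalog": [{"name": "nova", "type": "compute", "endpoints": []},
                       {"name": "keystone", "type": "identity", "endpoints": []}],
}})


def build_auth_body(tenant, username, password):
    """JSON body for POST /v2.0/tokens, the same shape the curl command sends."""
    return json.dumps({"auth": {"tenantName": tenant,
                                "passwordCredentials": {"username": username,
                                                        "password": password}}})


def parse_token(response_text, now_iso):
    """Summarise a token response; now_iso is a UTC time like 2012-12-10T03:52:09Z."""
    access = json.loads(response_text)["access"]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expires = datetime.strptime(access["token"]["expires"], fmt)
    now = datetime.strptime(now_iso, fmt)
    return {
        "token_id": access["token"]["id"],
        "tenant": access["token"]["tenant"]["name"],
        "roles": [r["name"] for r in access["user"]["roles"]],
        # type -> service name, so a client can look up "identity" or "compute"
        "services": {s["type"]: s["name"] for s in access["serviceCatalog"]},
        "expired": expires <= now,
        "seconds_left": max(0, int((expires - now).total_seconds())),
    }
```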