B06-openstack高可用(t版)-keystone集群部署
1. 创建keystone数据库
[root@controller01 ~]# mysql -uroot -phuayun
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.018 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'huayun';
Query OK, 0 rows affected (0.007 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'huayun';
Query OK, 0 rows affected (0.003 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.006 sec)
MariaDB [(none)]> exit
Bye
2:安装keystone的相关软件包
[root@controller01 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y
3. 配置keystone.conf(标红的即为修改的地方)
[root@controller01 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.back
[root@controller01 ~]# egrep -v "^#|^$" /etc/keystone/keystone.conf
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = 10.100.214.201:11211,10.100.214.202:11211,10.100.214.203:11211
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:huayun@10.100.214.200/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[token]
provider = fernet
[tokenless_auth]
[totp]
[trust]
[unified_limit]
[wsgi]
[root@controller01 ~]#
将配置文件拷贝到另外两个节点:
[root@controller01 ~]# scp /etc/keystone/keystone.conf 10.100.214.202:/etc/keystone/keystone.conf
[root@controller01 ~]# scp /etc/keystone/keystone.conf 10.100.214.203:/etc/keystone/keystone.conf
4. 同步keystone数据库
在任意一个节点上操作就可以
[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
检测数据库同步
[root@controller01 ~]# mysql -uroot -phuayun keystone -e "show tables";
5. 初始化fernet秘钥
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
并将初始化的密钥拷贝到其他的控制节点:
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@10.100.214.202:/etc/keystone/
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@10.100.214.203:/etc/keystone/
同步后注意另外两台控制节点fernet的权限
[root@controller02 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller02 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
[root@controller03 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller03 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
认证引导
# 任意控制节点操作;
# 初始化admin用户(管理用户)与密码,3种api端点,服务实体可用区等
[root@controller02 ~]# keystone-manage bootstrap --bootstrap-password huayun --bootstrap-admin-url http://10.100.214.200:5000/v3/ --bootstrap-internal-url http://10.100.214.200:5000/v3/ --bootstrap-public-url http://10.100.214.200:5000/v3/ --bootstrap-region-id RegionOne
配置Apache HTTP服务器
1. 配置httpd.conf
[root@controller01 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller01 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller01 ~]# sed -i "s/Listen\ 80/Listen\ 10.100.214.201:80/g" /etc/httpd/conf/httpd.conf
[root@controller02 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller02 ~]# sed -i "s/Listen\ 80/Listen\ 10.100.214.202:80/g" /etc/httpd/conf/httpd.conf
[root@controller03 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller03 ~]# sed -i "s/Listen\ 80/Listen\ 10.100.214.203:80/g" /etc/httpd/conf/httpd.conf
2. 配置wsgi-keystone.conf
[root@controller01 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller01 ~]# sed -i "s/Listen\ 5000/Listen\ 10.100.214.201:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:5000/10.100.214.201:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller02 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller02 ~]# sed -i "s/Listen\ 5000/Listen\ 10.100.214.202:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller02 ~]# sed -i "s/*:5000/10.100.214.202:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller03 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller03 ~]# sed -i "s/Listen\ 5000/Listen\ 10.100.214.203:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller03 ~]# sed -i "s/*:5000/10.100.214.203:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
3. 启动服务(所有控制节点)
[root@controller01 ~]# systemctl enable httpd.service && systemctl restart httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
4:设置openstack的环境变量
# openstack client环境脚本定义client调用openstack api环境变量,以方便api的调用(不必在命令行中携带环境变量); # 根据不同的用户角色,需要定义不同的脚本; # 这里以“认证引导”章节定义的admin用户为例,设置其环境脚本,再根据需要分发到需要运行openstack client工具的节点; # 一般将脚本创建在用户主目录
[root@controller01 ~]# vim admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=huayun
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://10.100.214.200:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@controller01 ~]# source admin-openrc
[root@controller01 ~]# scp admin-openrc 10.100.214.202:/root/
[root@controller01 ~]# scp admin-openrc 10.100.214.203:/root/
创建域、项目、用户和角色
1:创建域:
# projrct/user等基于domain存在;(所以不需要在创建default域) # 在”认证引导”章节中,初始化admin用户即生成”default” domain
[root@controllervip ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
2:创建admin项目(已经存在也不需要创建)
[root@controller01 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 8152877d890d4727ac6f01a94e67ae15 | admin |
3:创建admin用户(本身已经存在不需要在创建)
[root@controller01 ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 7bb860340a384300bc6b793cd23cbbde | admin |
+----------------------------------+-------+
由于admin的项目角色用户都已经存在我们重新创建一个新的项目角色
创建example域:
[root@controller01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 04f35483319e49939f25a402238f7136 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
创建demo项目:
[root@controller01 ~]# openstack project create --domain default --description "Demo Project" demo
‘+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | b701f4bd7da049d4a72699de3068bb75 |
| is_domain | False |
| name | demo |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
创建demo用户
[root@controller01 ~]# openstack user create --domain default --password=huayun demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | e3755b60ba544e548e37b0fd88842e7b |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
创建普通用户角色
[root@controller01 ~]# openstack role create user
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | feca55a6132c43d99440b015095f8e0c |
| name | user |
| options | {} |
+-------------+----------------------------------+
[root@controller01 ~]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0fe64879f5434a608bf94bfb37027d24 | admin |
| 874e55cac61947aa9c6e1b586a819538 | reader |
| b4d0e9f90bfa459ea014b851af9159bd | member |
| feca55a6132c43d99440b015095f8e0c | user |
+----------------------------------+--------+
给demo分配普通用户角色
[root@controller01 ~]# openstack role add --project demo --user demo user
查看权限分配
配置demo的环境变量
vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=huayun
export OS_AUTH_URL=http://10.100.214.200:5000/v3
export OS_IDENTITY_API_VERSION=3
source demo-openrc
分发给其他脚本
[root@controller01 ~]# scp demo-openrc 10.100.214.202:/root/
[root@controller01 ~]# scp demo-openrc 10.100.214.203:/root/
设置pcs资源
# 在任意控制节点操作; # 添加资源openstack-keystone-clone; # pcs实际控制的是各节点system unit控制的httpd服务
[root@controller01 ~]# pcs resource create openstack-keystone systemd:httpd --clone interleave=true
[root@controller01 ~]# pcs resource
vip (ocf::heartbeat:IPaddr2): Started controller01
Clone Set: lb-haproxy-clone [lb-haproxy]
Started: [ controller01 ]
Stopped: [ controller02 controller03 ]
Clone Set: openstack-keystone-clone [openstack-keystone]
Started: [ controller01 controller02 controller03 ]