openstack系列- keystone部署文档

Published on with views and comments

一、环境

基础环境设置

主机名修改:

hostnamectl set-hostname linux-node1

修改 host 文件

10.200.51.100 linux-node1 linux-node1.limi.com 10.200.51.31 linux-node2 linux-node2.limi.com

linux-node1 10.200.51.100 控制节点
linux-node2 10.200.51.31 计算节点

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo sed -i 's/$releasever/7.7.1908/g' /etc/yum.repos.d/CentOS-Base.repo

NTP 服务安装

yum install chrony -y timedatectl set-timezone Asia/Shanghai #配置时区
vim /etc/chrony.conf ... allow 10.200.0.0/16
# systemctl enable chronyd.service # systemctl start chronyd.service
  • node 节点配置
server 192.168.51.208 iburst
[root@inside ~]# chronyc sources 210 Number of sources = 1 MS Name/IP address Stratum Poll Reach LastRx Last sample =============================================================================== ^* linux-node1 3 6 37 43 -588ns[ -191us] +/- 16ms

更新内核后,重新启动机器

OpenStack 包安装

yum install centos-release-openstack-rocky -y yum upgrade
yum install python-openstackclient
yum install openstack-selinux

SQL database 安装

yum install mariadb mariadb-server python2-PyMySQL -y

添加 openstack 配置文件

[root@linux-node1 my.cnf.d]# cat /etc/my.cnf.d/openstack.cnf [mysqld] bind-address = 0.0.0.0 default-storage-engine = innodb innodb_file_per_table = on max_connections = 4096 collation-server = utf8_general_ci character-set-server = utf8
# systemctl enable mariadb.service # systemctl start mariadb.service

修改 maridb 初始密码

mysql_secure_installation

Message queue 消息队列

yum install rabbitmq-server -y # systemctl enable rabbitmq-server.service # systemctl start rabbitmq-server.service

创建 openstack 用户

[root@linux-node1 ~]# rabbitmqctl add_user openstack openstack Creating user "openstack" [root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" Setting permissions for user "openstack" in vhost "/"

rabbitmqctl 命令参考
rabbitmq-plugins list 查看 rabbitmq 插件列表
rabbitmq-plugins enable rabbitmq_management 开启 Web 管理功能
rabbitmqctl list_users 查看用户列表
rabbitmqctl set_user_tags admin administrator 修改用户角色

Memcached 库安装

yum install memcached python-memcached
[root@linux-node1 ~]# cat !$ cat /etc/sysconfig/memcached PORT="11211" USER="memcached" MAXCONN="1024" CACHESIZE="64" OPTIONS="-l 0.0.0.0,::1" #此处授权主机允许所有的 [root@linux-node1 ~]# systemctl start memcached.service [root@linux-node1 ~]# systemctl enable memcached.service

Etcd 安装

# yum install etcd

配置

[root@linux-node1 ~]# grep -v "^#\|^$" /etc/etcd/etcd.conf ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="http://10.200.51.100:2380" ETCD_LISTEN_CLIENT_URLS="http://10.200.51.100:2379" ETCD_NAME="controller" ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.200.51.100:2380" ETCD_ADVERTISE_CLIENT_URLS="http://10.200.51.100:2379" ETCD_INITIAL_CLUSTER="controller=http://10.200.51.100:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-01" ETCD_INITIAL_CLUSTER_STATE="new"
[root@linux-node1 ~]# systemctl start etcd [root@linux-node1 ~]# systemctl enable etcd

二、安装 openstack 服务

2.1 Keystone 安装

配置 keystone 库

CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ IDENTIFIED BY 'keystone'; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'keystone';
yum install openstack-keystone httpd mod_wsgi -y

/etc/keystone/keystone.conf 配置进行修改

[database] ... connection = mysql+pymysql://keystone:keystone@10.200.51.100/keystone
[token] ... provider = fernet

keystone 令牌三种生成方式

  • 同步数据库:
su -s /bin/sh -c "keystone-manage db_sync" keystone
  • 初始化 FERNET 密钥存储库:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
  • 创建 bootstrap 服务
keystone-manage bootstrap --bootstrap-password 598941324 \ --bootstrap-admin-url http://10.200.51.100:5000/v3 \ --bootstrap-internal-url http://10.200.51.100:5000/v3 \ --bootstrap-public-url http://10.200.51.100:5000/v3 \ --bootstrap-region-id RegionOne
  • 配置 http 服务
vim /etc/httpd/conf/httpd.conf ... ServerName 10.200.51.100:80

配置软链接

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
  • 配置 SSL

  • 配置环境变量:(#此密码用 boostrap 中的密码)

export OS_USERNAME=admin export OS_PASSWORD=598941324 export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_DOMAIN_NAME=Default export OS_AUTH_URL=http://10.200.51.100:5000/v3 export OS_IDENTITY_API_VERSION=3

创建域、角色、用户和项目

  • 创建 mystack 域,默认 DEFAULT 域已经存在
[root@linux-node1 ~]# openstack domain create --description "mystack" mystack +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | mystack | | enabled | True | | id | 4cbe80fad0b7460c8a7220fc63c0f130 | | name | mystack | | tags | [] | +-------------+----------------------------------+
  • 本指南使用的服务项目包含添加到环境中的每个服务的唯一用户。创建服务项目:
[root@linux-node1 ~]# openstack project create --domain default \ > --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | default | | enabled | True | | id | 50b9efa71e704582ad667a8b98b5b770 | | is_domain | False | | name | service | | parent_id | default | | tags | [] | +-------------+----------------------------------+
  • 创建用户(myuser)
[root@linux-node1 ~]# openstack user create --domain default \ > --password-prompt myuser User Password: Repeat User Password: +---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | domain_id | default | | enabled | True | | id | 618ce6c96aa7462a9a2300d05379443f | | name | myuser | | options | {} | | password_expires_at | None | +---------------------+----------------------------------+

password:598941324

  • 创建 myrole 角色
[root@linux-node1 ~]# openstack role create demo +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | None | | domain_id | None | | id | f1b8bcab82964e3e8255d7ae4ababc0f | | name | demo | +-------------+----------------------------------+ [root@linux-node1 ~]# openstack role create myrole +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | None | | domain_id | None | | id | 1c425ddc2b7c4e9eacd2e561697eca90 | | name | myrole | +-------------+----------------------------------+
  • 将 myrole 角色添加到 myproject 项目和 myuser 用户:
[root@linux-node1 ~]# openstack role add --project myproject --user myuser myrole
  • 取消设置临时 os_auth_url 和 os_password 环境变量:
unset OS_AUTH_URL OS_PASSWORD
  • 作为上一节中创建的 demo、myuser 用户,请求身份验证令牌:

命令

openstack --os-auth-url http://10.200.51.100:5000/v3 \ --os-project-domain-name default \ --os-user-domain-name default \ --os-project-name demo \ --os-username admin token issue
[root@linux-node1 ~]# openstack --os-auth-url http://10.200.51.100:5000/v3 \ > --os-project-domain-name default \ > --os-user-domain-name default \ > --os-project-name demo \ > --os-username demo token issue Password: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2019-10-11T11:14:12+0000 | | id | gAAAAABdoFX01swIecvosowJi-oGV8Y5fTHmPiGY4OtsAV2p1f0fkOWgc88v8QwmZtnKF83b501CTWBqdnIx1A78ZCN3SWufOHni24JVk1PP06JMzvtw8LFslGwYiJxtHCinCyxhW5fM9F3CxMYBGcq1xfRnkCV3PDJmoNCDS9ds8IdDREmXceQ | | project_id | 4291d582710e407aa7abc46a64f2da57 | | user_id | 9f702ce3021741918ad7b9e4ec63daff | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ [root@linux-node1 ~]# openstack --os-auth-url http://10.200.51.100/v3 \ > --os-project-domain-name default \ > --os-user-domain-name default \ > --os-project-name myproject \ > --os-username myuser token issue Password: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2019-10-11T11:21:30+0000 | | id | gAAAAABdoFeqLzi8NPoEwyiFAdbUhnZjVFS8avXsns9eQRWBFlPbouQfZOizXhh_cYn7iLMDmsrhL-d-Bw6UfjB4tB-PnowYcxckWhN3hEFSfd0gGbu9SzK3HUyNfw1pGuJ3E67Wxy7E_NR8QRMVG4yuooO-H-Y71-SCeNqAv1ak__xK4cBb54g | | project_id | 7728319b685d4e5fb8aa8c9274fcb4b5 | | user_id | 618ce6c96aa7462a9a2300d05379443f | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  • 创建用户脚本:
[root@linux-node1 ~]# cat admin-openrc export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=598941324 export OS_AUTH_URL=http://10.200.51.100:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
  • 脚本验证:
[root@linux-node1 ~]# . admin-openrc [root@linux-node1 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2019-10-11T11:42:06+0000 | | id | gAAAAABdoFx-gay2U7zVQHXIrVY4tYHvUzKc3XyLaB6VPgpjKEY3PjOfzSe81Wo7OdqHR4bC_KyPgJLtvEiz-YY-l46drqRRADDql4-I0Nf1sl2yfp7uaQNjokpJiRBi76JUhdpDEOMdeFEnLm3R0t4WO86a0fKDZIbkoM7ChKX4QkvoL7-6ce4 | | project_id | 4291d582710e407aa7abc46a64f2da57 | | user_id | 9f702ce3021741918ad7b9e4ec63daff | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

标题:openstack系列- keystone部署文档
作者:cuijianzhe
地址:https://solo.cjzshilong.cn/articles/2019/10/11/1570777511550.html