
OpenStack Zed: Keystone deployment

Author: 素雪曉凝華
  1. Operating system: Ubuntu Server Mini 22.04
  2. This deployment uses a self-signed SSL certificate and is intended to sit behind an Nginx reverse proxy (in this section Nginx is only installed and its default site disabled; Keystone itself is served by Apache with TLS on port 5000)

1: Configure NTP

1) Use the systemd-timesyncd service that ships with the system
root@srv1:~# vim /etc/systemd/timesyncd.conf
......
......
......
......
......
......

[Time]
# Uncomment line 16 and change it to the following
NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org
#FallbackNTP=ntp.ubuntu.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048

root@srv1:~# systemctl restart systemd-timesyncd

root@srv1:~# systemctl status systemd-timesyncd.service | grep Status:
     Status: "Initial synchronization to time server 162.159.200.1:123 (0.cn.pool.ntp.org)."           

2: Install MariaDB

root@srv1:~# apt install mariadb-server -y

root@srv1:~# vim /etc/mysql/mariadb.conf.d/50-server.cnf
......
......
......
......
......
......

# Line 27: change the bind address so MariaDB accepts network connections (the default is 127.0.0.1). 0.0.0.0 listens on every interface; on a multi-homed controller bind to the management address and firewall TCP/3306 instead.
bind-address = 0.0.0.0

......
......
......
......
......
......

# Line 40: the default value is too low for an OpenStack environment; raise it to 500
max_connections = 500
......
......
......
......
......
......

# Lines 90-91: confirm that the default character set is 4-byte UTF-8 (utf8mb4)
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci

......
......
......
......
......
......

root@srv1:~# systemctl restart mariadb

root@srv1:~# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):    # press Enter
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n]    # press Enter
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]    # press Enter
New password:     # enter the new database administrator password; this guide uses 'password' (a placeholder, not a value for a real deployment)
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]    # press Enter
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]    # press Enter
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]    # press Enter
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]    # press Enter
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!           

3: Install and configure Memcached and RabbitMQ

1) Install RabbitMQ and Memcached (the PyMySQL driver and the Nginx packages for the reverse proxy are installed in the same step)
root@srv1:~# apt install rabbitmq-server memcached python3-pymysql nginx libnginx-mod-stream -y

2) Configure Memcached
root@srv1:~# vim /etc/memcached.conf
......
......
......
......
......

# Line 35: change the listen address from the default 127.0.0.1 to the controller's management address. Memcached has no authentication, so bind it to a single address on the management network, never to 0.0.0.0 on a host with an externally reachable interface.
-l 192.168.1.11

......
......
......
......
......

3) Configure RabbitMQ (the user password 'password' is a placeholder; use a generated secret on anything but a lab host)
root@srv1:~# rabbitmqctl add_user openstack password
Adding user "openstack" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.

root@srv1:~# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...

4) Disable the default Nginx site
root@srv1:~# ls -l /etc/nginx/sites-enabled/default
lrwxrwxrwx 1 root root 34 Oct 24 15:49 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default

root@srv1:~# unlink /etc/nginx/sites-enabled/default

5) Restart MariaDB, RabbitMQ, Memcached and Nginx
root@srv1:~# systemctl restart mariadb rabbitmq-server memcached nginx           

4: Set up the OpenStack Zed repository

1) Add the Zed repository
root@srv1:~# apt install software-properties-common -y
root@srv1:~# add-apt-repository cloud-archive:zed
Repository: 'deb http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-updates/zed main'
Description:                        
Ubuntu Cloud Archive for OpenStack Zed
More info: https://wiki.ubuntu.com/OpenStack/CloudArchive
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.    # press Enter
Adding deb entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
......
......
......
......
......
......
Reading package lists... Done

2) Update the system
root@srv1:~# apt update
root@srv1:~# apt upgrade -y           

5: Create the Keystone database

root@srv1:~# mysql -u root -p
Enter password:  # enter the database administrator's password
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.6.7-MariaDB-2ubuntu1.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password';
Query OK, 0 rows affected (0.010 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password';
Query OK, 0 rows affected (0.038 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye
root@srv1:~#           

6: Install Keystone

root@srv1:~# apt install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client -y           

7: Configure Keystone

1) Edit keystone.conf
root@srv1:~# vim /etc/keystone/keystone.conf
......
......
......
......
......
......

# Line 443 (the memcache_servers option of the [cache] section): uncomment it and point it at the Memcached server
memcache_servers = srv1.1000y.cloud:11211

......
......
......
......
......
......

[database]
# Line 661: add the database connection string (format mysql+pymysql://keystone:<password>@<database host>/keystone, using the password set in the GRANT statements above)
connection = mysql+pymysql://keystone:[email protected]/keystone

......
......
......
......
......
......

[token]

......
......
......
......
......
......
# Line 2639: uncomment
provider = fernet

......
......
......
......
......
......

2) Populate the database, set up the Fernet and credential keys, and bootstrap the admin identity
root@srv1:~# su -s /bin/bash keystone -c "keystone-manage db_sync"

root@srv1:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
root@srv1:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

root@srv1:~# keystone-manage bootstrap --bootstrap-password adminpassword \
--bootstrap-admin-url https://srv1.1000y.cloud:5000/v3/ \
--bootstrap-internal-url https://srv1.1000y.cloud:5000/v3/ \
--bootstrap-public-url https://srv1.1000y.cloud:5000/v3/ \
--bootstrap-region-id RegionOne           
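The database credentials in sections 5 and 7 use the literal password 'password', a wildcard '%' grant, and a connection string that silently breaks if the password contains '@', ':', '/' or '%'. The shell helpers below are an added example, not the page's own commands: they generate a random secret, emit the grant SQL restricted to localhost plus one named host, and percent-encode the password into the SQLAlchemy URL for the [database] connection option. The grant host and database host name are parameters; the example assumes /dev/urandom and od are available, as they are on Ubuntu 22.04.

```shell
#!/bin/sh
# Added example (not from the original page): generated credentials and a
# correctly encoded connection URL for the Keystone database.
# Assumptions: /dev/urandom and od exist; passwords are ASCII; the grant host
# and database host are supplied by the caller.
set -eu

# gen_secret [N]: N random bytes from /dev/urandom as lowercase hex
# (default 24 bytes -> 48 characters, all URL-safe and SQL-safe).
gen_secret() {
    head -c "${1:-24}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# urlencode STR: percent-encode every byte outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - . _ ~). SQLAlchemy parses the URL before it sees the password,
# so a raw '@' or '/' in it would be read as the host separator. ASCII only.
urlencode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        ch=${s%"${s#?}"}          # first character of the remaining string
        s=${s#?}                  # drop it
        case $ch in
            [A-Za-z0-9._~-]) out="$out$ch" ;;
            *) out="$out$(printf '%%%02X' "'$ch")" ;;   # "'c" gives printf the byte value
        esac
    done
    printf '%s' "$out"
}

# keystone_db_sql DBPW GRANTHOST: database plus a user that may connect only
# from localhost and from GRANTHOST (no wildcard '%'). Single quotes in the
# password are doubled so the SQL stays well formed.
keystone_db_sql() {
    pw_sql=$(printf '%s' "$1" | sed "s/'/''/g")
    host=$2
    printf "CREATE DATABASE IF NOT EXISTS keystone;\n"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '%s';\n" "$pw_sql"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%s' IDENTIFIED BY '%s';\n" "$host" "$pw_sql"
    printf "FLUSH PRIVILEGES;\n"
}

# keystone_db_url DBPW DBHOST: the value for 'connection =' in [database].
keystone_db_url() {
    printf 'mysql+pymysql://keystone:%s@%s/keystone' "$(urlencode "$1")" "$2"
}
```

Usage on the controller: `pw=$(gen_secret); keystone_db_sql "$pw" 192.168.1.11 | mysql -u root -p` creates the database and user, and `keystone_db_url "$pw" srv1.1000y.cloud` prints the string to paste as the `connection =` value (the host name here is an assumption; use whichever address Keystone reaches the database on). Because the secret is hex, it never needs encoding; the urlencode function is there for the day someone pastes a hand-made password with an '@' in it.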

8: Set up SSL and generate the certificates

1) Generate the SSL certificates
(1) Generate the CA certificate and register it with the system trust store
root@srv1:~# cd /etc/ssl/private/
root@srv1:/etc/ssl/private# openssl genrsa -des3 -out cakey.pem 2048
Enter PEM pass phrase:     # set a pass phrase
Verifying - Enter PEM pass phrase     

root@srv1:/etc/ssl/private# openssl rsa -in cakey.pem -out cakey.pem     # strip the pass phrase again so the CA key can be used without prompting
Enter pass phrase for cakey.pem:     # enter the pass phrase
writing RSA key

root@srv1:/etc/ssl/private# openssl req -new -x509 -days 365 -key cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:     # press Enter

root@srv1:/etc/ssl/private# cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt
# Note: update-ca-certificates regenerates this bundle, so a CA appended by hand is lost the next time it runs (for example on a ca-certificates package upgrade). The durable way is to copy cacert.pem as a .crt file into /usr/local/share/ca-certificates/ and run update-ca-certificates.

(2) Create the key/crt files for the service
root@srv1:/etc/ssl/private# openssl genrsa -des3 -out zed.key 2048
Enter PEM pass phrase:     # set a pass phrase
Verifying - Enter PEM pass phrase     

root@srv1:/etc/ssl/private# openssl rsa -in zed.key -out zed.key     # strip the pass phrase so Apache can load the key at start-up without prompting
Enter pass phrase for zed.key:     # enter the pass phrase
writing RSA key

root@srv1:/etc/ssl/private# openssl req -utf8 -new -key zed.key -out zed.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:     # press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     # press Enter
An optional company name []:     # press Enter

root@srv1:~# vim /etc/ssl/openssl.cnf
......
......
......
......
......
......

# Append the following at the end of the file (the subjectAltName is what clients actually match the host name against; a CN alone is not enough for modern TLS clients)
[ 1000y.cloud ]
subjectAltName = DNS:srv1.1000y.cloud, IP:192.168.1.11

root@srv1:/etc/ssl/private# openssl x509 -req -days 365 -in zed.csr -CA ./cacert.pem -CAkey cakey.pem -out zed.crt -extfile /etc/ssl/openssl.cnf -extensions 1000y.cloud
Certificate request self-signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = 1000y.cloud, OU = tech, CN = srv1.1000y.cloud

root@srv1:/etc/ssl/private# ls -l
total 24
-rw-r--r-- 1 root root     1367 Oct 24 16:12 cacert.pem
-rw------- 1 root root     1708 Oct 24 16:12 cakey.pem
-rw-r----- 1 root ssl-cert 1704 Oct 24 16:05 ssl-cert-snakeoil.key
-rw-r--r-- 1 root root     1391 Oct 24 16:18 zed.crt
-rw-r--r-- 1 root root     1017 Oct 24 16:17 zed.csr
-rw------- 1 root root     1704 Oct 24 16:17 zed.key

root@srv1:/etc/ssl/private# cd           
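The certificate steps above are interactive and edit the system-wide /etc/ssl/openssl.cnf. As an added example (not the page's own commands), the script below does the same job non-interactively: the CA key is created unencrypted with mode 0600 from the start (so the genrsa -des3 / openssl rsa round-trip is unnecessary), the leaf certificate gets its subjectAltName from a private extension file, and a check_leaf function verifies chain, host name, validity window and key/certificate match before Apache is restarted. It assumes openssl 1.1.1 or later; the output directory, FQDN and IP are parameters, and the usage below plugs in the page's srv1.1000y.cloud and 192.168.1.11.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive private CA,
# SAN certificate for the Keystone endpoint, and a pre-restart sanity check.
# Assumptions: openssl 1.1.1+ is installed; DIR, FQDN and IP are caller-supplied.
set -eu

# make_ca DIR: unencrypted CA key (0600 via umask) and a 10-year self-signed CA cert.
make_ca() {
    dir=$1
    umask 077
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/cakey.pem" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=1000y.cloud/OU=tech/CN=1000y.cloud CA" \
        -out "$dir/cacert.pem"
    chmod 644 "$dir/cacert.pem"        # the CA certificate is public; only the key is secret
}

# make_leaf DIR FQDN IP: server key, CSR and CA-signed certificate carrying a SAN.
make_leaf() {
    dir=$1; fqdn=$2; ip=$3
    umask 077
    openssl genrsa -out "$dir/zed.key" 2048 2>/dev/null
    openssl req -new -key "$dir/zed.key" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=1000y.cloud/OU=tech/CN=$fqdn" \
        -out "$dir/zed.csr"
    # Private extension file instead of appending to /etc/ssl/openssl.cnf.
    cat > "$dir/zed.ext" <<EOF
subjectAltName = DNS:$fqdn, IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -days 365 -in "$dir/zed.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/zed.ext" -out "$dir/zed.crt" 2>/dev/null
    chmod 644 "$dir/zed.crt"
}

# check_leaf DIR FQDN: returns 0 only if the certificate chains to our CA, lists
# FQDN in its SAN, is valid for at least 30 more days, and matches zed.key.
check_leaf() {
    dir=$1; fqdn=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/zed.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/zed.crt" -noout -text | grep -qF "DNS:$fqdn" || return 1
    openssl x509 -in "$dir/zed.crt" -noout -checkend 2592000 >/dev/null || return 1
    # Compare the public key in the private key file with the one in the cert.
    k=$(openssl pkey -in "$dir/zed.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/zed.crt" -pubkey -noout)
    [ "$k" = "$c" ]
}
```

On the controller: `make_ca /etc/ssl/private; make_leaf /etc/ssl/private srv1.1000y.cloud 192.168.1.11; check_leaf /etc/ssl/private srv1.1000y.cloud && systemctl restart apache2`. The check catches the three faults that otherwise only surface as an Apache start failure or a client-side "certificate verify failed": a chain that does not verify, a host name missing from the SAN, and a key that does not belong to the certificate.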

9: Configure Apache

root@srv1:~# apt install apache2 -y

root@srv1:~# vim /etc/apache2/apache2.conf
......
......
......
......
......
......
#ServerRoot "/etc/apache2"
# Line 70: add the following
ServerName srv1.1000y.cloud

......
......
......
......
......
......

root@srv1:~# vim /etc/apache2/sites-available/keystone.conf
Listen 5000

<VirtualHost *:5000>
    # Lines 4-7: add the following. SSLHonorCipherOrder only matters together with an explicit SSLProtocol/SSLCipherSuite; once the ssl module is enabled the Debian defaults (SSLProtocol all -SSLv3, SSLCipherSuite HIGH:!aNULL) come from /etc/apache2/mods-enabled/ssl.conf. To allow TLS 1.2/1.3 only, add SSLProtocol -all +TLSv1.2 +TLSv1.3 here.
    SSLEngine On
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/ssl/private/zed.crt
    SSLCertificateKeyFile /etc/ssl/private/zed.key
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
......
......
......
......
......
......

root@srv1:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

root@srv1:~# systemctl restart apache2           

10: Configure the environment script and create the tenant

1) Set up the environment
root@srv1:~# vim ~/keystonerc
# Put the following in the new file
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=adminpassword
export OS_AUTH_URL=https://srv1.1000y.cloud:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h:\W(keystone)\$ '
# The endpoint certificate is issued by our own CA, so tell the client which CA to trust.
# Do not fall back to 'openstack --insecure': that disables certificate verification
# entirely and would accept any certificate presented on the wire, self-signed or not.
export OS_CACERT=/etc/ssl/private/cacert.pem

root@srv1:~# chmod 600 ~/keystonerc
root@srv1:~# source ~/keystonerc
root@srv1:~(keystone)# echo "source ~/keystonerc " >> ~/.bashrc

2) Create the service project and verify
root@srv1:~(keystone)# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4fabd4d8316c40a398d6496c0a733caf |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

root@srv1:~(keystone)# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 4fabd4d8316c40a398d6496c0a733caf | service |
| 994a4a3e0fbc4f5891f38470e158e6b4 | admin   |
+----------------------------------+---------+