Contents
- Preface
- 1. Create the database instance and database user
- 2. Install and configure Keystone, the database and Apache
- 3. Create the OpenStack domain, project, users and roles
Preface
When deploying OpenStack components, the identity service (Keystone) must be installed first. The identity service runs under Apache, and only once it is in place can accounts be created and managed. After that come the image service (Glance), the compute service (Nova) and the networking service (Neutron).
The compute and networking services are each split into a controller side and a client side, so the controller side of compute and networking is installed on the OpenStack controller, and the client side is installed on the node hosts where virtual machines are created. The Dashboard service is installed last. The APIs of all OpenStack components are served through Apache.
The OpenStack controller is responsible for scheduling the virtual machine creation process:
- Data about virtual machines created through the OpenStack controller is ultimately recorded in MySQL (MariaDB)
- Node hosts have no permission to write to the database; only the controller does, and nodes communicate with the controller indirectly through RabbitMQ
- Nodes listen on RabbitMQ and so does the controller; the controller publishes the VM creation instruction to RabbitMQ, and the node listening on the specified RabbitMQ queue receives the message and creates the VM
Installation order of the OpenStack components
- Keystone(apache)
- Glance
- Nova
- Neutron
1. Create the database instance and database user
[[email protected] ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 24
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
2. Install and configure Keystone, the database and Apache
The mod_wsgi package lets Apache front Python components. Every OpenStack component, including its API, is written in Python, but clients talk to Apache, which forwards the request to the Python application for processing. These packages are installed only on the controller node.
# Install keystone, httpd and mod_wsgi
[[email protected] ~]# yum -y install openstack-keystone httpd mod_wsgi
[[email protected] ~]# cp -a /etc/keystone/keystone.conf{,.bak}
[[email protected] ~]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# Access MySQL through the pymysql module, giving the user name, password, database host name and database name
[[email protected] ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:[email protected]/keystone
# Set the token provider; the provider is Keystone itself. Fernet is a secure message format
[[email protected] ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
# Initialize the identity service database
[[email protected] ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
# Initialize the Fernet key repository (the following command generates two keys under /etc/keystone/, used to encrypt data)
[[email protected] ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[[email protected] ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Bootstrap the identity service. This initializes OpenStack: the admin user's information is written to the user table in MySQL, and the URLs and other information are written to the related tables
[[email protected] ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
> --bootstrap-admin-url http://ct:5000/v3/ \
> --bootstrap-internal-url http://ct:5000/v3/ \
> --bootstrap-public-url http://ct:5000/v3/ \
> --bootstrap-region-id RegionOne
# Configure the Apache HTTP server
[[email protected] ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
# Create the configuration file (a symlink to the WSGI config shipped with Keystone)
[[email protected] ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# Enable and start the service
[[email protected] ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[[email protected] ~]# systemctl start httpd
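A pre-flight check for the settings made above, written for this post as an added example (it is not code from the post or from Keystone). It re-reads keystone.conf as the INI file that oslo.config expects and checks the two settings written with openstack-config, then inspects the key repository that `keystone-manage fernet_setup` creates under /etc/keystone/fernet-keys: integer-named key files (0 is the staged key, 1 the primary), mode 0600, each a 32-byte urlsafe-base64 key. The literal KEYSTONE_DBPASS is flagged because it is the documentation placeholder. `build_sample()` constructs a throwaway config and key directory so the check can run offline; the hostname `ct` in the constructed connection string is taken from the auth URLs above.

```python
"""Pre-flight check for keystone.conf and the Fernet key repository."""
import base64
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

FERNET_REPO = "/etc/keystone/fernet-keys"  # Keystone's default key_repository


def check_keystone_conf(path):
    """Return a list of problems with [database] connection and [token] provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)
    problems = []
    conn = cp.get("database", "connection", fallback=None)
    if not conn:
        problems.append("[database] connection is not set")
    else:
        u = urlsplit(conn)  # mysql+pymysql://user:password@host/dbname
        if u.scheme != "mysql+pymysql":
            problems.append(f"[database] connection uses {u.scheme!r}, expected mysql+pymysql")
        if u.username != "keystone" or u.path.strip("/") != "keystone":
            problems.append("[database] connection must use the keystone user and keystone database")
        if not u.password or u.password == "KEYSTONE_DBPASS":
            problems.append("[database] connection still carries the KEYSTONE_DBPASS placeholder")
    if cp.get("token", "provider", fallback=None) != "fernet":
        problems.append("[token] provider must be fernet")
    return problems


def check_fernet_repo(repo=FERNET_REPO):
    """Return a list of problems with the key repository written by fernet_setup."""
    if not os.path.isdir(repo):
        return [f"{repo} is missing; run keystone-manage fernet_setup"]
    problems = []
    keys = sorted(n for n in os.listdir(repo) if n.isdigit())
    if len(keys) < 2:
        problems.append(f"expected at least 2 key files (0 = staged, 1 = primary), found {keys}")
    for name in keys:
        full = os.path.join(repo, name)
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"key {name} has mode {mode:04o}; it must not be group/world accessible")
        with open(full, "rb") as fh:
            raw = fh.read().strip()
        try:
            valid = len(base64.urlsafe_b64decode(raw)) == 32
        except ValueError:
            valid = False
        if not valid:
            problems.append(f"key {name} is not a 32-byte urlsafe-base64 Fernet key")
    return problems


def preflight(conf, repo):
    """Run both checks; an empty list means the node is ready for db_sync/bootstrap."""
    return check_keystone_conf(conf) + check_fernet_repo(repo)


def build_sample(root, password="c0nstructed-pass", key_mode=0o600):
    """Write a constructed keystone.conf and key repository under root (test data only)."""
    os.makedirs(root, exist_ok=True)
    conf = os.path.join(root, "keystone.conf")
    with open(conf, "w") as fh:
        fh.write("[DEFAULT]\n[database]\n")
        fh.write(f"connection = mysql+pymysql://keystone:{password}@ct/keystone\n")
        fh.write("[token]\nprovider = fernet\n")
    repo = os.path.join(root, "fernet-keys")
    os.makedirs(repo, exist_ok=True)
    for name in ("0", "1"):  # the two files fernet_setup creates
        key = os.path.join(repo, name)
        with open(key, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(32)))
        os.chmod(key, key_mode)
    return conf, repo


def demo():
    """Check a good sample and a bad one; returns (good_problems, bad_problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = preflight(*build_sample(os.path.join(tmp, "good")))
        bad = preflight(*build_sample(os.path.join(tmp, "bad"),
                                      password="KEYSTONE_DBPASS", key_mode=0o644))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good sample:", good or "OK")
    for p in bad:
        print("bad sample:", p)
```

On a real controller, call `preflight("/etc/keystone/keystone.conf", FERNET_REPO)` as root after `fernet_setup` and before `db_sync`; the mode check matters because a world-readable Fernet key lets anyone on the host mint valid tokens.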
# Configure the environment variables for the admin account
## These variables are used when creating roles and projects. Creating roles and projects requires authentication information, so the user name, password and the rest of the credentials are declared as environment variables; OpenStack then treats the session as already logged in and authenticated, and projects and roles can be created. In other words, the admin user's credentials are passed to OpenStack through environment variables for verification, which allows non-interactive operation of OpenStack
[[email protected] ~]# cat >> ~/.bashrc << EOF
> export OS_USERNAME=admin
> export OS_PASSWORD=ADMIN_PASS
> export OS_PROJECT_NAME=admin
> export OS_USER_DOMAIN_NAME=Default
> export OS_PROJECT_DOMAIN_NAME=Default
> export OS_AUTH_URL=http://ct:5000/v3
> export OS_IDENTITY_API_VERSION=3
> export OS_IMAGE_API_VERSION=2
> EOF
[[email protected] ~]# source ~/.bashrc
3. Create the OpenStack domain, project, users and roles
# Create a project in the given domain with a description; the project name is service (domains can be listed with openstack domain list)
[[email protected] ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | f540a75991b54cdc9f4fb2805c97abbb |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
# Create a role (check with openstack role list)
[[email protected] ~]# openstack role create user
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 6465ed541fc64acdb97dc9d6307fd453 |
| name | user |
| options | {} |
+-------------+----------------------------------+
# List the OpenStack roles
[[email protected] ~]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 3216530c0ddb4dc093d26b99dc46c8b8 | reader |
| 6465ed541fc64acdb97dc9d6307fd453 | user | # user is an ordinary user
| 8e08399928b94802b55b68ab7a402ea7 | admin | # admin is the administrator
| a8ade4215d094ae48fed0ba5d97a6455 | member | # member is the tenant role
+----------------------------------+--------+
[[email protected] ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-12-14T07:47:17+0000 |
| id | gAAAAABf1wp1xVjzrW5b8-dhBVZLQoiRsbPe7XklSXQ5TJ5vnJgvEQX2kgi4frWzmGIOjq1hFrMERVrgaJgxb-KGIhc_YE_2lwUr2OwfQeMobTXDWS3H5Zvo8ci8dG7DkG-025U6ig7ikRGWlHwNPog3Wv1zY4zr9S_Bk1wlEPcp7zNCTEhT9AA |
| project_id | 84c7d60bd69d4366bead73f856a4c074 |
| user_id | 1f17069e7d6e455c8c27467023ae561c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# Check whether a token can be obtained without entering a password (this verifies the identity service)
[[email protected] ~]# openstack token issue
+------------+--------------------------------------------------------------------------------------------------------------------------
| Field | Value
+------------+--------------------------------------------------------------------------------------------------------------------------
| expires | 2020-12-14T07:47:25+0000
| id | gAAAAABf1wp9wP8PF37quiGxpAWCxYOnlcPGmuReaVfL1v2sk99CPOZ_GpEJEwcBd8ZMR8i6Ko0veo8PLvwUI7N8ahMhaUxGzPb4A5TrtEsvEjo3HlKTBwgVy
| project_id | 84c7d60bd69d4366bead73f856a4c074
| user_id | 1f17069e7d6e455c8c27467023ae561c
+------------+--------------------------------------------------------------------------------------------------------------------------
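What `openstack token issue` does with the OS_* variables from ~/.bashrc, as an added example (not code from the post or from the OpenStack client). The CLI POSTs a v3 password-auth body to $OS_AUTH_URL/auth/tokens; Keystone answers with the token in the X-Subject-Token response header and with expires_at plus the project and user ids in the JSON body, which is where the four rows of the table come from. The response below is constructed, but the token id, expiry, project_id and user_id are the ones printed in the first table above. The last two functions read the public framing of that Fernet token id (0x80 version byte, 8-byte big-endian issue timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC); without the keys in /etc/keystone/fernet-keys nothing can be verified or decrypted, only the framing is read.

```python
"""The Keystone v3 token exchange behind `openstack token issue`."""
import base64
import struct
from datetime import datetime, timezone

OPENRC = {  # the variables the post appends to ~/.bashrc
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "ADMIN_PASS",
    "OS_PROJECT_NAME": "admin",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_AUTH_URL": "http://ct:5000/v3",
    "OS_IDENTITY_API_VERSION": "3",
}


def build_auth_request(env):
    """Return (url, body) for the project-scoped password auth the CLI sends."""
    missing = [k for k in ("OS_USERNAME", "OS_PASSWORD", "OS_AUTH_URL") if not env.get(k)]
    if missing:
        # Without OS_PASSWORD the client would fall back to prompting interactively
        raise ValueError(f"missing {missing}")
    user = {
        "name": env["OS_USERNAME"],
        "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")},
        "password": env["OS_PASSWORD"],
    }
    project = {
        "name": env["OS_PROJECT_NAME"],
        "domain": {"name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")},
    }
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": {"project": project}}}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body


# Constructed reply; Keystone carries the token in a header, not in the body.
# The token id and field values are the ones printed in the post's first table.
SAMPLE_HEADERS = {"X-Subject-Token": (
    "gAAAAABf1wp1xVjzrW5b8-dhBVZLQoiRsbPe7XklSXQ5TJ5vnJgvEQX2kgi4frWzmGIOjq1hFrMERVrg"
    "aJgxb-KGIhc_YE_2lwUr2OwfQeMobTXDWS3H5Zvo8ci8dG7DkG-025U6ig7ikRGWlHwNPog3Wv1zY4zr"
    "9S_Bk1wlEPcp7zNCTEhT9AA")}
SAMPLE_BODY = {"token": {
    "methods": ["password"],
    "expires_at": "2020-12-14T07:47:17.000000Z",
    "project": {"id": "84c7d60bd69d4366bead73f856a4c074", "name": "admin"},
    "user": {"id": "1f17069e7d6e455c8c27467023ae561c", "name": "admin"},
}}


def token_table(headers, body):
    """Build the expires / id / project_id / user_id rows the CLI prints."""
    tok = body["token"]
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "expires": expires.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+0000"),
        "id": headers["X-Subject-Token"],
        "project_id": tok["project"]["id"],
        "user_id": tok["user"]["id"],
    }


def fernet_header(token_id):
    """Parse the unauthenticated framing of a Keystone Fernet token id."""
    # Keystone strips the base64 padding from token ids; restore it before decoding
    raw = base64.urlsafe_b64decode(token_id + "=" * (-len(token_id) % 4))
    # 1 version byte + 8 timestamp + 16 IV + ciphertext (multiple of 16) + 32 HMAC
    if len(raw) < 57 or raw[0] != 0x80 or (len(raw) - 57) % 16:
        raise ValueError("not a well-formed Fernet token")
    issued = struct.unpack(">Q", raw[1:9])[0]
    return {
        "issued_at": issued,
        "issued_iso": datetime.fromtimestamp(issued, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+0000"),
        "ciphertext_len": len(raw) - 57,
    }


def token_lifetime(table):
    """Seconds from the Fernet issue time to the expiry Keystone reported."""
    expires = datetime.strptime(table["expires"], "%Y-%m-%dT%H:%M:%S%z").timestamp()
    return int(expires - fernet_header(table["id"])["issued_at"])


if __name__ == "__main__":
    url, body = build_auth_request(OPENRC)
    print("POST", url)
    table = token_table(SAMPLE_HEADERS, SAMPLE_BODY)
    for k, v in table.items():
        print(f"{k:10} {v}")
    print("issued", fernet_header(table["id"])["issued_iso"],
          "lifetime", token_lifetime(table), "s")
```

The second `openstack token issue` above succeeds without a prompt only because OS_PASSWORD is exported; with it unset, `build_auth_request` raises, which is the point at which the real client asks for a password. Running `fernet_header` on the id from the first table gives an issue time of 06:47:17 UTC, exactly 3600 seconds before the printed expiry, i.e. Keystone's default token lifetime.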
Summary:
Key points of building the Keystone service
- MariaDB provides the database and grants privileges to the keystone user
- The mod_wsgi package lets Apache serve Python components
- The pymysql module is used to point Keystone at its information in MySQL (password, database name, token)
- Initialize the database and the Fernet keys
- Initialize OpenStack (bootstrap)
- Add the relevant configuration to /root/.bashrc so that OpenStack can be operated without interaction
- Create the OpenStack domain, project and related objects