
OpenStack -- Deploying the Keystone Identity Service

Official installation guide: https://docs.openstack.org/ocata/zh_CN/install-guide-rdo/index.html

1. Keystone database configuration:

#1: Create the database:
[[email protected] ~]# mysql -uroot -p123456
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on keystone.* to 'keystone'@'%' identified by 'keystone'; 
Query OK, 0 rows affected (0.00 sec)

#2: Verify the database:
# Verify that the keystone user can reach the database from the OpenStack control node:
[[email protected] ~]# mysql -ukeystone -h192.168.10.100 -pkeystone

#3: Configure the haproxy proxy:
#openstack-mysql================================================================
frontend openstack_mysql
 bind 192.168.10.100:3306
 mode tcp
 default_backend openstack_mysql_node
backend openstack_mysql_node
 mode tcp
 balance source
 server 192.168.10.204 192.168.10.204:3306 check inter 2000 fall 3 rise 5
#openstack-memcached================================================================
frontend openstack_memcached
 bind 192.168.10.100:11211
 mode tcp
 default_backend openstack_memcached_node
backend openstack_memcached_node
 mode tcp
 balance source
 server 192.168.10.100 192.168.10.205:11212 check inter 2000 fall 3 rise 5
 
#4: Verify the ports:
#5: Verify access to the database port through the VIP:
#6: Verify access to memcached through the VIP:
           

2. Install and configure keystone:

#1: Install keystone:
# openstack-keystone is the keystone service, httpd is the web server, and mod_wsgi is the Python WSGI gateway module for Apache
[[email protected] ~]# yum install -y openstack-keystone httpd mod_wsgi python-memcached

#2: Edit the keystone configuration file:
[[email protected] ~]# openssl rand -hex 10 #generate a temporary admin token
a734fda7b075fb62b75c
[[email protected] ~]# vim /etc/keystone/keystone.conf
17 admin_token = a734fda7b075fb62b75c
714 connection = mysql+pymysql://keystone:[email protected]/keystone
2833 provider = fernet

#3: Final configuration so far:
[[email protected] ~]# grep -n "^[a-Z\[]" /etc/keystone/keystone.conf
1:[DEFAULT]
17:admin_token = a734fda7b075fb62b75c
686:[database]
714:connection = mysql+pymysql://keystone:[email protected]/keystone
1494:[memcache]
2791:[token]
2833:provider = fernet

#4: Initialize and verify the database:
# This creates the default tables in the keystone database
[[email protected] ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

#5: Keystone log file:
[[email protected] ~]# ll /var/log/keystone/keystone.log
-rw-rw---- 1 root keystone 12702 Sep 10 10:26 /var/log/keystone/keystone.log

#6: Initialize the Fernet and credential keys and verify:
[[email protected] ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[[email protected] ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[[email protected] ~]# ll /etc/keystone/fernet-keys/
total 8
-rw------- 1 keystone keystone 44 Sep 10 10:56 0
-rw------- 1 keystone keystone 44 Sep 10 10:56 1
           

3. Configure keystone:

Serve the Python application through Apache:

#1: Edit the Apache configuration file:
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf
95 ServerName 192.168.10.201:80

#2: Symlink the keystone WSGI configuration file into Apache:
[[email protected] ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

#3: Start Apache:
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# systemctl enable httpd

#4: Verify the ports:
           

4. Create the domain, users, projects and roles:

#1: Set environment variables so the commands below operate with the admin token:
[[email protected] ~]# export OS_TOKEN=a734fda7b075fb62b75c
[[email protected] ~]# export OS_URL=http://192.168.10.201:35357/v3
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3

#2: Create the default domain:
# This only succeeds once the environment variables from the previous step are set; otherwise the command reports that you are not authenticated.
# Command format: openstack domain create --description "description" domain_name
[[email protected] ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 961b40ed4c6b40a9b266ce5e451a4292 |
| name | default |
+-------------+----------------------------------+

#3: Create an admin project:
# Command format: openstack project create --domain domain --description "description" project_name
[[email protected] ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 1caf792ed8d84fc089ef4c3ab6cbf3c1 |
| is_domain | False |
| name | admin |
| parent_id | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

#4: Create the admin user and set its password to admin:
[[email protected] ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 2c82b16690934cbe9b78bbffae50ecca |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#5: Create the admin role:
# A project can contain several roles; currently only roles already defined in /etc/keystone/policy.json can be created:
[[email protected] ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 9c6f0cdfe1704fdb85c56528ebcaec16 |
| name | admin |
+-----------+----------------------------------+

#6: Grant the admin user its role:
# Grant the admin user the admin role on the admin project, i.e. add a user named admin to the admin project and assign it the admin role; a role is a collection of permissions:
[[email protected] ~]# openstack role add --project admin --user admin admin
           

5. Create the demo project: this project can be used for demonstrations and testing

#1: Create the demo project:
[[email protected] ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 51919be117ec4ba2bdddd206bd3a1444 |
| is_domain | False |
| name | demo |
| parent_id | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

#2: Create the demo user and set its password to demo:
[[email protected] ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 49640b553dcc43c6bccf5722eedf46af |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#3: Create a user role:
# The roles are now user and admin:
[[email protected] ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 5b60565079c4475ab640f61038c1c632 |
| name | user |
+-----------+----------------------------------+

#4: Add the demo user to the demo project and grant it the user role:
[[email protected] ~]# openstack role add --project demo --user demo user
           

6. Create a service project:

The OpenStack services authenticate against and talk to keystone; the service project holds the users created for those services

#1: Create the service project:
[[email protected] ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | c7cf72ff26dd49f1a9216f94146cf82b |
| is_domain | False |
| name | service |
| parent_id | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

#2: Create the glance user:
# Create the glance user and set its password to glance
[[email protected] ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 1aeb2f2695ec4008b6ff9899e88fcb82 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#3: Grant the glance user its role:
# Add the glance user to the service project and grant it the admin role (the neutron user is handled in the next section)
[[email protected] ~]# openstack role add --project service --user glance admin
           

7. Repeat the steps above for the nova and neutron users:

Add the nova user to the service project and grant it the admin role

#1: Create the nova user:
# Create the nova user and set its password to nova:
[[email protected] ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 71580f80cd4345e19f8948b77556ae3a |
| name | nova |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
# Create the neutron user and set its password to neutron:
[[email protected] ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 73fe1b80b71e46f49fe1d5730dca5283 |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#2: Grant the nova and neutron users their roles: give nova and neutron the admin role on the service project
[[email protected] ~]# openstack role add --project service --user nova admin
[[email protected] ~]# openstack role add --project service --user neutron admin
           

8. Service registration:

Register the keystone service address with OpenStack:

#1: Create a keystone identity service:
[[email protected] ~]# openstack service list #list the current services
[[email protected] ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 6efd80d3570f40bfafb02a1169b68aaa |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
[[email protected] ~]# openstack service list #verify the service was created
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 6efd80d3570f40bfafb02a1169b68aaa | keystone | identity |
+----------------------------------+----------+----------+

#2: Create the endpoints:
# If an endpoint is created wrongly or in duplicate, delete all of them and register again, because you cannot tell which one is right and which is wrong. Use the keepalived VIP as the registered IP address; haproxy is configured below:
[[email protected] ~]# openstack endpoint create --region RegionOne identity public http://192.168.10.100:5000/v3 #public endpoint
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 92990b4521454e1ab1b5aa9e26e3e230 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.100:5000/v3 |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne identity internal http://192.168.10.100:5000/v3 #internal endpoint
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9779a47b96ee4ffa9196fb8593bbcc1d |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.100:5000/v3 |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne identity admin http://192.168.10.100:35357/v3 #admin endpoint
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | c95807c1098e4cab95e11eeebba1221f |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.100:35357/v3 |
+--------------+----------------------------------+

#3: Configure haproxy:
[[email protected] ~]# vim /etc/haproxy/haproxy.cfg
listen keystone-public-url
 bind 192.168.10.100:5000
 mode tcp
 log global
 balance source
 server keystone1 192.168.10.201:5000 check inter 5000 rise 3 fall 3
listen keystone-admin-url
 bind 192.168.10.100:35357
 mode tcp
 log global
 balance source
 server keystone1 192.168.10.201:35357 check inter 5000 rise 3 fall 3
 
#4: Restart haproxy and verify access:
[[email protected] ~]# systemctl restart haproxy
[[email protected] ~]# telnet 192.168.10.100 5000
Trying 192.168.10.100...
Connected to 192.168.10.100.
Escape character is '^]'.
[[email protected] ~]# telnet 192.168.10.100 35357
Trying 192.168.10.100...
Connected to 192.168.10.100.
Escape character is '^]'.

#5: Test whether keystone can authenticate users:
# Verify the admin user (password admin); open a new terminal window and run:
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3
[[email protected] ~]# openstack --os-auth-url http://192.168.10.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
# Verify the demo user (password demo):
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3
[[email protected] ~]# openstack --os-auth-url http://192.168.10.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue

#6: Set the environment variables with a script:
# Contents of the admin user script:
[[email protected] ~]# chmod a+x admin-ocata.sh
[[email protected] ~]# cat admin-ocata.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.10.100:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# Contents of the demo user script:
[[email protected] ~]# chmod a+x demo-ocata.sh
[[email protected] ~]# cat demo-ocata.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.10.100:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

#7: Test that the scripts work:
# Admin user script test:
# Demo user script test:
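The "verify the ports" steps in section 1, the keystone.conf and Fernet key steps in section 2, and the telnet checks in section 8 are all done by hand above. The script below is an added example (not from the page) that wraps those checks in reusable functions: it assumes a CentOS host with GNU coreutils and bash (for /dev/tcp), and its defaults are the page's paths, VIP and ports; pass your own as arguments.

```shell
#!/bin/bash
# Post-deployment checks for the Keystone setup described on this page
# (added example). Defaults match the page; override them via arguments.

# Return 0 if keystone.conf carries the three settings the page edits:
# a non-empty admin_token, a pymysql connection for the keystone user and
# the fernet token provider. admin_token bypasses normal authentication, so
# keep it only for bootstrapping and disable it once the admin user exists.
check_keystone_conf() {
  local conf="${1:-/etc/keystone/keystone.conf}"
  grep -Eq '^admin_token *= *[^ ]+' "$conf" || return 1
  grep -Eq '^connection *= *mysql\+pymysql://keystone:' "$conf" || return 1
  grep -Eq '^provider *= *fernet *$' "$conf" || return 1
}

# Return 0 if every key written by keystone-manage fernet_setup is mode 0600;
# a wider mode exposes the token-signing keys to other local users.
check_fernet_key_perms() {
  local dir="${1:-/etc/keystone/fernet-keys}" f
  [ -d "$dir" ] || return 1
  for f in "$dir"/*; do
    [ -f "$f" ] || return 1
    [ "$(stat -c '%a' "$f")" = "600" ] || return 1
  done
}

# Return 0 if a TCP connect to host:port succeeds within 3 seconds; this is
# what the telnet checks against the VIP on this page do by hand.
check_tcp_port() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run all checks against the VIP and the ports haproxy exposes on this page
# (MySQL 3306, memcached 11211, keystone public 5000 and admin 35357).
keystone_checks() {
  local vip="${1:-192.168.10.100}" rc=0 p
  check_keystone_conf    && echo "keystone.conf: ok" || { echo "keystone.conf: FAIL"; rc=1; }
  check_fernet_key_perms && echo "fernet keys: ok"   || { echo "fernet keys: FAIL"; rc=1; }
  for p in 3306 11211 5000 35357; do
    check_tcp_port "$vip" "$p" && echo "$vip:$p open" || { echo "$vip:$p CLOSED"; rc=1; }
  done
  return "$rc"
}
```

Source the file on the control node and run `keystone_checks` (optionally with another VIP); a non-zero exit means at least one check failed.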
           
