
OpenStack: deploying the Keystone identity service

Official installation guide: https://docs.openstack.org/ocata/zh_CN/install-guide-rdo/index.html

1. Keystone database configuration:

#1: Create the database:
[[email protected] ~]# mysql -uroot -p123456
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on keystone.* to 'keystone'@'%' identified by 'keystone'; 
Query OK, 0 rows affected (0.00 sec)

#2: Verify the database:
#Verify that the keystone user can reach the database from the OpenStack controller node:
[[email protected] ~]# mysql -ukeystone -h192.168.10.100 -pkeystone

#3: Configure the haproxy proxy:
#openstack-mysql================================================================
frontend openstack_mysql
 bind 192.168.10.100:3306
 mode tcp
 default_backend openstack_mysql_node
backend openstack_mysql_node
 mode tcp
 balance source
 server 192.168.10.204 192.168.10.204:3306 check inter 2000 fall 3 rise 5
#openstack-memcached================================================================
frontend openstack_memcached
 bind 192.168.10.100:11211
 mode tcp
 default_backend openstack_memcached_node
backend openstack_memcached_node
 mode tcp
 balance source
 server 192.168.10.100 192.168.10.205:11212 check inter 2000 fall 3 rise 5
 
#4: Verify the ports:
#5: Verify access to the database port through the VIP:
#6: Verify access to memcached through the VIP:
           

2. Deploy and configure keystone:

#1: Install keystone:
#openstack-keystone is the keystone service, httpd is the web server, and mod_wsgi is the Apache module that hosts Python WSGI applications
[[email protected] ~]# yum install -y openstack-keystone httpd mod_wsgi python-memcached

#2: Edit the keystone configuration file:
[[email protected] ~]# openssl rand -hex 10 #generate a temporary token
a734fda7b075fb62b75c
[[email protected] ~]# vim /etc/keystone/keystone.conf
17 admin_token = a734fda7b075fb62b75c
714 connection = mysql+pymysql://keystone:[email protected]/keystone
2833 provider = fernet

#3: Current final configuration:
[[email protected] ~]# grep -n "^[a-zA-Z\[]" /etc/keystone/keystone.conf
1:[DEFAULT]
17:admin_token = a734fda7b075fb62b75c
686:[database]
714:connection = mysql+pymysql://keystone:[email protected]/keystone
1494:[memcache]
2791:[token]
2833:provider = fernet

#4: Initialize and verify the database:
#This creates the default tables in the keystone database
[[email protected] ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

#5: Keystone log file:
[[email protected] ~]# ll /var/log/keystone/keystone.log
-rw-rw---- 1 root keystone 12702 Sep 10 10:26 /var/log/keystone/keystone.log

#6: Initialize the fernet and credential keys and verify:
[[email protected] ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[[email protected] ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[[email protected] ~]# ll /etc/keystone/fernet-keys/
total 8
-rw------- 1 keystone keystone 44 Sep 10 10:56 0
-rw------- 1 keystone keystone 44 Sep 10 10:56 1
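As an added example that is not part of the original post, the following POSIX shell audit checks two things the listing above implies on the keystone host: that the temporary admin_token used for bootstrapping is no longer active in keystone.conf (it grants full administrative access without a password, so it should be removed once the admin user and role exist), and that the fernet key files keep the 0600 mode shown above. The function names and the --audit flag are my own; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment audit for the
# keystone host. Both functions print findings and return 1 on failure so
# they can be used in a cron job or CI check.

# check_admin_token CONF -> returns 1 if an active "admin_token = ..." line
# is still present in the configuration file.
check_admin_token() {
    conf="$1"
    if grep -Eq '^[[:space:]]*admin_token[[:space:]]*=' "$conf"; then
        echo "FAIL: $conf still sets admin_token (bootstrap credential left active)"
        return 1
    fi
    echo "OK: no active admin_token in $conf"
    return 0
}

# check_fernet_perms DIR -> returns 1 if any key file in DIR is readable
# by group or other (anything but mode 600).
check_fernet_perms() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600) echo "OK: $f mode $mode" ;;
            *)   echo "FAIL: $f mode $mode (expected 600)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage on the keystone host: sh keystone-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    check_admin_token /etc/keystone/keystone.conf
    check_fernet_perms /etc/keystone/fernet-keys
fi
```

Run it after step 4 below has created the admin user and the admin_token line has been commented out; until then the first check is expected to fail.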
           

3. Configure keystone:

Serve keystone's Python WSGI application through Apache:

#1: Edit the Apache configuration file:
[[email protected] ~]# vim /etc/httpd/conf/httpd.conf
95 ServerName 192.168.10.201:80

#2: Symlink the configuration file:
[[email protected] ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

#3: Start Apache:
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# systemctl enable httpd

#4: Verify the port:
           

4. Create the domain, users, projects and roles:

#1: Set environment variables with the admin token so the following operations can run:
[[email protected] ~]# export OS_TOKEN=a734fda7b075fb62b75c
[[email protected] ~]# export OS_URL=http://192.168.10.201:35357/v3
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3

#2: Create the default domain:
#This only succeeds if the environment variables from the previous step are set; otherwise the command reports that you are not authenticated.
#Command format: openstack domain create --description "description" domain_name
[[email protected] ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 961b40ed4c6b40a9b266ce5e451a4292 |
| name | default |
+-------------+----------------------------------+

#3: Create an admin project:
#Command format: openstack project create --domain domain --description "description" project_name
[[email protected] ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 1caf792ed8d84fc089ef4c3ab6cbf3c1 |
| is_domain | False |
| name | admin |
| parent_id | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

#4: Create the admin user and set its password to admin:
[[email protected] ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 2c82b16690934cbe9b78bbffae50ecca |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#5: Create the admin role:
#A project can have multiple roles; at present only roles already defined in /etc/keystone/policy.json can be created:
[[email protected] ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 9c6f0cdfe1704fdb85c56528ebcaec16 |
| name | admin |
+-----------+----------------------------------+

#6: Grant the admin user its role:
#Grant the admin user the admin role on the admin project, i.e. add a user named admin to the admin project and put it in the admin role; a role is a collection of permissions:
[[email protected] ~]# openstack role add --project admin --user admin admin
           

5. Create the demo project: this project can be used for demonstrations and testing

#1: Create the demo project:
[[email protected] ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 51919be117ec4ba2bdddd206bd3a1444 |
| is_domain | False |
| name | demo |
| parent_id | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

#2: Create the demo user and set its password to demo:
[[email protected] ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 49640b553dcc43c6bccf5722eedf46af |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#3: Create a user role:
#The roles are now user and admin:
[[email protected] ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 5b60565079c4475ab640f61038c1c632 |
| name | user |
+-----------+----------------------------------+

#4: Add the demo user to the demo project and grant it the user role:
[[email protected] ~]# openstack role add --project demo --user demo user
           

6. Create a service project:

Each service accesses and authenticates against keystone; the service project is where the users for those services are created

#1: Create the service project:
[[email protected] ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | c7cf72ff26dd49f1a9216f94146cf82b |
| is_domain | False |
| name | service |
| parent_id | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

#2: Create the glance user:
#Create the glance user and set its password to glance
[[email protected] ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 1aeb2f2695ec4008b6ff9899e88fcb82 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#3: Grant the glance user its role:
#Add the glance and neutron users to the service project and grant them the admin role
[[email protected] ~]# openstack role add --project service --user glance admin
           

7. Repeat the steps above for the nova and neutron users:

Add the nova user to the service project and grant it the admin role

#1: Create the nova user:
#Create the nova user and set its password to nova:
[[email protected] ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 71580f80cd4345e19f8948b77556ae3a |
| name | nova |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
#Create the neutron user and set its password to neutron:
[[email protected] ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled | True |
| id | 73fe1b80b71e46f49fe1d5730dca5283 |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

#2: Grant the nova and neutron users their roles: grant the nova and neutron users the admin role on the service project
[[email protected] ~]# openstack role add --project service --user nova admin
[[email protected] ~]# openstack role add --project service --user neutron admin
           

8. Service registration:

Register the keystone service address with OpenStack:

#1: Create the keystone identity service:
[[email protected] ~]# openstack service list #list the current services
[[email protected] ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 6efd80d3570f40bfafb02a1169b68aaa |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
[[email protected] ~]# openstack service list #verify that the service was created
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 6efd80d3570f40bfafb02a1169b68aaa | keystone | identity |
+----------------------------------+----------+----------+

#2: Create the endpoints:
#If an endpoint is created incorrectly or too many are created, delete them all and register again, because you cannot tell which one is right and which is wrong. The registered IP address is the keepalived VIP; haproxy is configured below:
[[email protected] ~]# openstack endpoint create --region RegionOne identity public http://192.168.10.100:5000/v3 #public endpoint
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 92990b4521454e1ab1b5aa9e26e3e230 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.100:5000/v3 |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne identity internal http://192.168.10.100:5000/v3 #internal endpoint
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9779a47b96ee4ffa9196fb8593bbcc1d |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.100:5000/v3 |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne identity admin http://192.168.10.100:35357/v3 #admin endpoint
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | c95807c1098e4cab95e11eeebba1221f |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.10.100:35357/v3 |
+--------------+----------------------------------+

#3: Configure haproxy:
[[email protected] ~]# vim /etc/haproxy/haproxy.cfg
listen keystone-public-url
 bind 192.168.10.100:5000
 mode tcp
 log global
 balance source
 server keystone1 192.168.10.201:5000 check inter 5000 rise 3 fall 3
listen keystone-admin-url
 bind 192.168.10.100:35357
 mode tcp
 log global
 balance source
 server keystone1 192.168.10.201:35357 check inter 5000 rise 3 fall 3
 
#4: Restart and verify access:
[[email protected] ~]# systemctl restart haproxy
[[email protected] ~]# telnet 192.168.10.100 5000
Trying 192.168.10.100...
Connected to 192.168.10.100.
Escape character is '^]'.
[[email protected] ~]# telnet 192.168.10.100 35357
Trying 192.168.10.100...
Connected to 192.168.10.100.
Escape character is '^]'.

#5: Test whether keystone can authenticate users:
#Verify the admin user with password admin; open a new terminal and run the following:
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3
[[email protected] ~]# openstack --os-auth-url http://192.168.10.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
#Verify the demo user with password demo:
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3
[[email protected] ~]# openstack --os-auth-url http://192.168.10.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue

#6: Use scripts to set the environment variables:
#Admin user script:
[[email protected] ~]# chmod a+x admin-ocata.sh
[[email protected] ~]# cat admin-ocata.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.10.100:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
#Demo user script:
[[email protected] ~]# chmod a+x demo-ocata.sh
[[email protected] ~]# cat demo-ocata.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.10.100:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

#7: Test that the scripts work:
#Admin user script test:
#Demo user script test:
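As an added example that is not part of the original post, the script below tests the openrc scripts above without the openstack CLI: after sourcing admin-ocata.sh or demo-ocata.sh it sends the same project-scoped password authentication request that `openstack token issue` sends to the Keystone v3 API (POST /v3/auth/tokens) and reads the token ID from the X-Subject-Token response header. The function names and the --issue flag are my own; it assumes curl is installed and uses the OS_* variables exactly as exported by the two scripts.

```shell
#!/bin/sh
# Added example (not from the original post): request a scoped token from
# Keystone v3 using the OS_* variables exported by admin-ocata.sh / demo-ocata.sh.

# keystone_auth_body USER PASSWORD PROJECT USER_DOMAIN PROJECT_DOMAIN
# prints the JSON body for a project-scoped password authentication.
keystone_auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$1" "$4" "$2" "$3" "$5"
}

# token_from_headers FILE -> prints the X-Subject-Token value from saved
# response headers, or returns 1 if Keystone did not issue a token
# (for example on a 401 when the password in the openrc script is wrong).
token_from_headers() {
    tok=$(sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken:[[:space:]]*//p' "$1" | tr -d '\r')
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# keystone_token_issue -> prints the token ID on success, returns 1 otherwise.
# The response body is discarded: the token ID lives in the header only.
keystone_token_issue() {
    hdrs=$(mktemp)
    body=$(keystone_auth_body "$OS_USERNAME" "$OS_PASSWORD" "$OS_PROJECT_NAME" \
                              "$OS_USER_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME")
    curl -s -o /dev/null -D "$hdrs" -H 'Content-Type: application/json' \
         -d "$body" "${OS_AUTH_URL%/}/auth/tokens"
    token_from_headers "$hdrs"
    rc=$?
    rm -f "$hdrs"
    return $rc
}

# Usage: . ./admin-ocata.sh && sh keystone-token.sh --issue
if [ "${1:-}" = "--issue" ]; then
    keystone_token_issue
fi
```

A non-empty token ID means the script's credentials, domain and project names are all accepted by the VIP endpoint; an empty result with exit status 1 points at the openrc values rather than at haproxy, since the telnet checks in step #4 already proved the port is reachable.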