Deploying OpenStack on CentOS 7 -- Installing the Keystone Service

郝朝阳  DevOps Perspective

Apologies: a typesetting problem (missing spaces) caused trouble for colleagues following these deployment steps, so the affected articles are being updated again. Thank you for your understanding.

Create the database



[root@controller ~]# mysql -u root -p -e "CREATE DATABASE keystone;"
Enter password:
[root@controller ~]# mysql -uroot -p -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
Enter password:
[root@controller ~]# mysql -uroot -p -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
Enter password:

Install Keystone


[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached

Configure Keystone


Synchronize the database


[root@controller ~]# openssl rand -hex 10
2608ad88f344a5288056
[root@controller ~]# vim /etc/keystone/keystone.conf
# line 12, [DEFAULT] section
admin_token = 2608ad88f344a5288056
# line 495, [database] section
connection = mysql://keystone:keystone@192.168.1.11/keystone
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure the Memcached connection




[root@controller ~]# vim /etc/keystone/keystone.conf
# line 1305, [memcache] section
servers = 192.168.1.11:11211
# line 1710, [revoke] section
driver = sql
# line 1903, [token] section
provider = uuid
# line 1908, [token] section
driver = memcache
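
The settings above are located by line number (12, 495, 1305 ...), and those numbers shift between keystone package versions. As an added example that is not part of the original post, the shell functions below edit keystone.conf by section and key instead: set_ini_option replaces the commented-out default if there is one, appends the key if the section exists without it, and creates the section if it is missing; configure_keystone applies the six values from this post under the section names the Liberty-era file uses ([DEFAULT], [database], [memcache], [revoke], [token]). The configuration file it is run on here is a constructed miniature, not the real keystone.conf.

```sh
# Added example (not from the original post): edit keystone.conf by section and
# key instead of by vim line number, which changes between package versions.

# Constructed miniature of keystone.conf; the real file is close to two
# thousand lines, as the line numbers in the post show.
make_sample_keystone_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
#admin_token = <None>
#log_dir = <None>

[database]
#connection = <None>

[memcache]
#servers = localhost:11211

[revoke]
#driver = sql

[token]
#provider = uuid
#driver = sql
EOF
}

# set_ini_option FILE SECTION KEY VALUE
# Replaces the first "key = ..." or "#key = ..." line inside [SECTION]; if the
# key is absent it is appended to the section, and a missing section is created.
set_ini_option() {
    awk -v s="$2" -v k="$3" -v v="$4" '
        function emit() { print k " = " v; done = 1 }
        /^\[/ {
            # leaving the target section without having written the key: append it
            if (in_sec && !done) emit()
            in_sec = ($0 == ("[" s "]"))
        }
        in_sec && !done && $0 ~ ("^#*[[:space:]]*" k "[[:space:]]*=") { emit(); next }
        { print }
        END {
            if (!done) {
                if (!in_sec) { print ""; print "[" s "]" }
                emit()
            }
        }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    # writing back with cat keeps the original owner and mode (root:keystone 0640)
}

# get_ini_option FILE SECTION KEY -> prints the active (uncommented) value
get_ini_option() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_sec = ($0 == ("[" s "]")); next }
        in_sec && $0 ~ ("^" k "[[:space:]]*=") {
            sub("^" k "[[:space:]]*=[[:space:]]*", ""); print; exit
        }
    ' "$1"
}

# The six settings from this post, applied by section (values as on the page)
configure_keystone() {
    conf=$1
    set_ini_option "$conf" DEFAULT  admin_token 2608ad88f344a5288056
    set_ini_option "$conf" database connection  'mysql://keystone:keystone@192.168.1.11/keystone'
    set_ini_option "$conf" memcache servers     192.168.1.11:11211
    set_ini_option "$conf" revoke   driver      sql
    set_ini_option "$conf" token    provider    uuid
    set_ini_option "$conf" token    driver      memcache
}
```

On the controller, run configure_keystone /etc/keystone/keystone.conf (or the individual set_ini_option calls) in place of the vim edits, and read a value back with get_ini_option to confirm it landed in the right section rather than under a different [section] with the same key name, which is the usual mistake with the two "driver" entries. The openstack-utils package offers openstack-config --set with the same FILE SECTION KEY VALUE arguments if you prefer the packaged tool.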

Start the memcached and httpd services


[root@controller ~]# systemctl enable memcached
[root@controller ~]# systemctl start memcached
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
 
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t%M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
 
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
 
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t%M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
 
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
# line 95
ServerName 192.168.1.11:80
[root@controller ~]# systemctl enable httpd
[root@controller ~]# systemctl start httpd

Create Keystone users


Set the environment variables

Take care with this step: the token must be identical to the admin_token set in keystone.conf earlier.



[root@controller ~]# export OS_TOKEN=2608ad88f344a5288056
[root@controller ~]# export OS_URL=http://192.168.1.11:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

Create an admin user


[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 69d1967e59d247e6b7c4c3937d5baa89 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password-prompt admin   // this step sets the admin password; remember it
User Password:     // the author used 123456
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 8c0b8dc884f742bea6f882a2b487f092 |
| name      | admin                            |
+-----------+----------------------------------+
[root@controller ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 4d8224cda53e4b29b6963163ed64af65 |
| name  | admin                            |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin

Create an ordinary user


[root@controller ~]# openstack project create --domain default --description "Demo Project" kevin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1ee793c741f64d25be9010d59e4b5a3d |
| is_domain   | False                            |
| name        | kevin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password=kevin kevin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | c5baee07132c40f9841a607af1789ed6 |
| name      | kevin                            |
+-----------+----------------------------------+
[root@controller ~]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | ac35ef5dc2624526af25859497616ecd |
| name  | user                             |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project kevin --user kevin user
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | e88fa8670b704fe88c668ac4d6f9d499 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

Check and verify


[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 8c0b8dc884f742bea6f882a2b487f092 | admin |
| c5baee07132c40f9841a607af1789ed6 | kevin |
+----------------------------------+-------+
[root@controller ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 4d8224cda53e4b29b6963163ed64af65 | admin |
| ac35ef5dc2624526af25859497616ecd | user  |
+----------------------------------+-------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 1ee793c741f64d25be9010d59e4b5a3d | kevin   |
| 69d1967e59d247e6b7c4c3937d5baa89 | admin   |
| e88fa8670b704fe88c668ac4d6f9d499 | service |
+----------------------------------+---------+
[root@controller ~]# openstack domain list
+---------+---------+---------+----------------------------------------------------------------------+
| ID      | Name    | Enabled | Description                                                          |
+---------+---------+---------+----------------------------------------------------------------------+
| default | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+---------+---------+---------+----------------------------------------------------------------------+

Register the Keystone service


Register the service

Type the following commands exactly; not a single character may differ.


[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 121189562a324f5d9f6ef83c4755d671 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://192.168.1.11:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 6f4d026024e14082ada914b14bb0c9ff |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 121189562a324f5d9f6ef83c4755d671 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.11:5000/v2.0    |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://192.168.1.11:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | acc2890a596c406fb42f4926ad86937a |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 121189562a324f5d9f6ef83c4755d671 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.11:5000/v2.0    |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://192.168.1.11:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f7f1182dd4c44cadac94345466275296 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 121189562a324f5d9f6ef83c4755d671 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.11:35357/v2.0   |
+--------------+----------------------------------+

Check and verify


[root@controller ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 121189562a324f5d9f6ef83c4755d671 | keystone | identity |
+----------------------------------+----------+----------+
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 6f4d026024e14082ada914b14bb0c9ff | RegionOne | keystone     | identity     | True    | public    | http://192.168.1.11:5000/v2.0  |
| acc2890a596c406fb42f4926ad86937a | RegionOne | keystone     | identity     | True    | internal  | http://192.168.1.11:5000/v2.0  |
| f7f1182dd4c44cadac94345466275296 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.1.11:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+

Try connecting to Keystone


[root@controller ~]# unset OS_TOKEN
[root@controller ~]# unset OS_URL
[root@controller ~]# openstack --os-auth-url http://192.168.1.11:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-12-27T09:58:41.540674Z      |
| id         | ccca55a979da427b849ecd2957901f74 |
| project_id | 69d1967e59d247e6b7c4c3937d5baa89 |
| user_id    | 8c0b8dc884f742bea6f882a2b487f092 |
+------------+----------------------------------+
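
Once the password-based token issue above succeeds, the bootstrap admin_token is no longer needed: it grants unrestricted admin access to the API and is meant only for this initial setup. The upstream install guide for this release disables the mechanism by removing the admin_token_auth filter from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] pipelines in /etc/keystone/keystone-paste.ini. The following is an added example that is not part of the original post: an awk edit that strips the filter from every pipeline line, plus a counter to verify it, run here over a constructed miniature of keystone-paste.ini rather than the real file.

```sh
# Added example (not from the original post): disable the bootstrap token
# mechanism by removing the admin_token_auth filter from the paste pipelines.

# Constructed miniature of keystone-paste.ini (section and filter names as in
# the Liberty-era file; the real file defines many more filters).
make_sample_paste_ini() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
}

# Number of pipeline lines that still include the filter (0 once disabled)
count_admin_token_pipelines() {
    grep -c '^pipeline[[:space:]]*=.*admin_token_auth' "$1" || true
}

# Strip admin_token_auth from every "pipeline = ..." line under a [pipeline:*]
# section; the [filter:admin_token_auth] definition itself is left in place.
remove_admin_token_auth() {
    awk '
        /^\[/ { in_pipeline = ($0 ~ /^\[pipeline:/) }
        in_pipeline && /^pipeline[[:space:]]*=/ {
            $0 = $0 " "                                 # so a trailing filter also matches
            gsub(/[[:space:]]admin_token_auth[[:space:]]/, " ")
            gsub(/[[:space:]]+/, " "); sub(/ $/, "")    # tidy the spacing back up
        }
        { print }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    # writing back with cat keeps the file's original owner and mode
}
```

On the controller this is remove_admin_token_auth /etc/keystone/keystone-paste.ini followed by systemctl restart httpd; count_admin_token_pipelines on the file should then print 0, and from that point only password (or Fernet/UUID token) authentication reaches the API, so the OS_TOKEN bootstrap variables used earlier stop working by design.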

Configure the environment variables

This step is done for convenience when running commands; without it you must pass a long string of parameters every time.


[root@controller ~]# vim admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://192.168.1.11:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# vim kevin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=kevin
export OS_TENANT_NAME=kevin
export OS_USERNAME=kevin
export OS_PASSWORD=kevin
export OS_AUTH_URL=http://192.168.1.11:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# chmod +x admin-openrc.sh kevin-openrc.sh
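
Both openrc files above store the password in clear text (OS_PASSWORD=123456 and OS_PASSWORD=kevin), the files are world-readable under the default umask, and chmod +x is not needed for a file that is loaded with source. As an added example that is not part of the original post, write_openrc below produces the same variables but prompts for the password when the file is sourced (the pattern used by the openrc files Horizon generates) and creates the file with mode 0600; check_openrc audits an existing file for both issues. The read -s used by the generated prompt is a bash feature, which is the shell these files are normally sourced from.

```sh
# Added example (not from the original post): an openrc file that asks for the
# password when sourced instead of storing it, created owner-readable only.

# write_openrc FILE PROJECT USER AUTH_URL
write_openrc() {
    out=$1; project=$2; user=$3; auth_url=$4
    old_umask=$(umask)
    umask 077                      # a newly created file gets mode 0600
    rm -f "$out"                   # ">" alone would keep an existing file's mode
    cat > "$out" <<EOF
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=$project
export OS_TENANT_NAME=$project
export OS_USERNAME=$user
export OS_AUTH_URL=$auth_url
export OS_IDENTITY_API_VERSION=3
# asked for at "source" time; read -s (no echo) needs bash, not plain sh
printf 'OpenStack password for $user: '
read -rs OS_PASSWORD
echo
export OS_PASSWORD
EOF
    umask "$old_umask"
}

# check_openrc FILE: succeeds if the file is mode 0600 and holds no literal
# password; otherwise reports each problem and fails.
check_openrc() {
    f=$1; bad=0
    mode=$(ls -l "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$f: mode is $mode, expected -rw-------"; bad=1
    fi
    if grep -q '^export OS_PASSWORD=.' "$f"; then
        echo "$f: stores OS_PASSWORD in clear text"; bad=1
    fi
    return $bad
}
```

Create the two files with write_openrc admin-openrc.sh admin admin http://192.168.1.11:35357/v3 and write_openrc kevin-openrc.sh kevin kevin http://192.168.1.11:5000/v3, then load one with source admin-openrc.sh; the prompt appears at that point and the password is held only in the shell's environment, never on disk. Running check_openrc against the files from the post reports both the 0755 mode and the stored password.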