Notes on the official OpenStack installation guide: Keystone (part 2)

# Installing openstack keystone

Install OpenStack keystone:

```
yum install openstack-keystone httpd mod_wsgi
```

```
# Create the keystone database and user, grant privileges and set the user's password
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
```

```
# [database] section of /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@192.168.0.3/keystone

# Populate the database and create the key repositories first; bootstrap needs the tables to exist
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://192.168.0.3:5000/v3/ \
  --bootstrap-internal-url http://192.168.0.3:5000/v3/ \
  --bootstrap-public-url http://192.168.0.3:5000/v3/ \
  --bootstrap-region-id RegionOne

export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.0.3:5000/v3
```

```
#!/bin/bash
# Create a script named admin-openrc.sh with the following contents
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.0.3:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

```
#!/bin/bash
# Create a script named demo-openrc.sh with the following contents
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.0.3:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

Edit the `/etc/keystone/keystone.conf` file and complete the following actions:

- In the `[database]` section, configure database access:

```
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
# KEYSTONE_DBPASS here is the password you set for the keystone database user
```

In the `[token]` section, configure the Fernet token provider:

```
[token]
# ...
provider = fernet
```
# Uncomment the `provider = fernet` line
2. Populate the Identity service database:

```
# su -s /bin/sh -c "keystone-manage db_sync" keystone
```
# Sync the database. In OpenStack even root has to switch to the keystone user for this; once the command finishes, the tables are created automatically in the keystone database
Initialize Fernet key repositories:

```
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```

Bootstrap the Identity service:

Note

Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.
# Before the Queens release keystone had to run on two different ports; now it can run on the same port

```
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
```
# Set the bootstrap configuration
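Before running `db_sync` and `bootstrap`, it is worth checking that the two `keystone.conf` settings edited above actually took. The following is an added example (not part of the official guide or of keystone itself); `check_keystone_conf` and its sample configuration are constructed here:

```python
"""Sanity-check keystone.conf before db_sync and bootstrap.

Added example, not from the official guide or keystone itself. It parses the
[database] and [token] settings edited above and reports the mistakes that
most often break the install: a placeholder (KEYSTONE_DBPASS) left in the
connection string, a wrong driver, and a token provider other than fernet.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: a keystone.conf where the placeholder was not replaced.
SAMPLE_CONF = """\
[DEFAULT]
#log_dir = /var/log/keystone

[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
# ...
provider = fernet
"""

PLACEHOLDERS = {"KEYSTONE_DBPASS", "ADMIN_PASS"}  # literals used by the guide


def check_keystone_conf(text):
    """Return a list of problems; an empty list means the file looks sane."""
    # interpolation=None: a real DB password may contain '%', which would
    # otherwise be treated as an interpolation marker by configparser.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []

    conn = cfg.get("database", "connection", fallback=None)
    if conn is None:
        problems.append("[database] connection is missing")
    else:
        url = urlsplit(conn)  # scheme://user:password@host/dbname
        if url.scheme != "mysql+pymysql":
            problems.append("connection driver is %r, expected 'mysql+pymysql'" % url.scheme)
        if url.password in PLACEHOLDERS:
            problems.append("placeholder %s left in [database] connection" % url.password)
        elif url.password and url.password == url.username:
            problems.append("database password equals the username")

    provider = cfg.get("token", "provider", fallback=None)
    if provider != "fernet":
        problems.append("[token] provider is %r, expected 'fernet'" % provider)
    return problems
```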
## Configure the Apache HTTP server

1. Edit the `/etc/httpd/conf/httpd.conf` file and configure the `ServerName` option to reference the controller node:

```
ServerName controller
```
# Set the httpd ServerName to controller; it can also be set to an IP address, namely the controller node's IP
2. Create a link to the `/usr/share/keystone/wsgi-keystone.conf` file:

```
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
```
# Add an httpd configuration by way of a symlink; look up the contents of that file yourself

## Finalize the installation

1. Start the Apache HTTP service and configure it to start when the system boots:

```
# systemctl enable httpd.service
# systemctl start httpd.service
```
# Enable httpd at boot and start the service
Although the “default” domain already exists from the keystone-manage bootstrap step in this guide, a formal way to create a new domain would be:
# keystone-manage bootstrap has already created a default domain; this is another way to create a new domain

```
$ openstack domain create --description "An Example Domain" example
# Create a domain named example

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 2f4f80574fd84fe6ba9067228ae0a50c |
| name        | example                          |
+-------------+----------------------------------+
```

1. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the `service` project:
# Create a project named service
```
$ openstack project create --domain default \
  --description "Service Project" service

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
```

2. Regular (non-admin) tasks should use an unprivileged project and user.
As an example, this guide creates the `demo` project and user.
# Non-administrative tasks need a separate project; here, as an example, the guide creates a project and a user
- Create the `demo` project:
# Create a project named demo

```
$ openstack project create --domain default \
  --description "Demo Project" demo

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
```

Note

Do not repeat this step when creating additional users for this project.
# When adding users to the default domain, here the user named demo, this step must not be repeated
- Create the `demo` user:

```
$ openstack user create --domain default \
  --password-prompt demo
# Set the demo user's password; remember it, since the web UI and the verification step below use it
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | aeda23aa78f44e859900e22c24817832 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
```

- Create the `user` role:

```
$ openstack role create user

+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | user                             |
+-----------+----------------------------------+
```

- Add the `user` role to the `demo` project and user:
# Assign the role named user; the demo user is the one that gets it
```
$ openstack role add --project demo --user demo user
# The demo user's role is user
```

## Verify operation

UPDATED: 2020-05-29 14:56

Verify operation of the Identity service before installing other services.
# Verify that the keystone service works before installing other services

Note

Perform these commands on the controller node.

1. Unset the temporary `OS_AUTH_URL` and `OS_PASSWORD` environment variable:

```
$ unset OS_AUTH_URL OS_PASSWORD
```
# Unset the environment variables
2. As the `admin` user, request an authentication token:

```
$ openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
# Port 5000: the bootstrap step above registered the admin endpoint there, and keystone no longer listens on 35357
# Start a session and enter the password; it is the admin user's password set above
Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
```

Note

This command uses the password for the `admin` user.
# This command uses the admin user's password to verify that the admin user works

3. As the `demo` user, request an authentication token:
# Verify with the demo user's password that the demo user works
```
$ openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:15:39.014479Z                                     |
| id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
| project_id | ed0b60bf607743088218b0a533d5943f                                |
| user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
+------------+-----------------------------------------------------------------+
```
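What the two `token issue` commands do on the wire is a Keystone v3 password authentication scoped to a project, with the token returned in the `X-Subject-Token` header rather than in the body. The following is an added example, not code from the guide or from the openstack client; the request builder, the sample reply and its header are constructed for illustration (the ids reuse the demo output above):

```python
"""Keystone v3 password authentication, as done by `openstack token issue`.
Added example, not code from the guide or the openstack client. It builds
the request body the client sends and parses a constructed sample reply.
"""
import json
from datetime import datetime, timezone

AUTH_URL = "http://controller:5000/v3"  # endpoint registered by the bootstrap step


def build_auth_request(username, password, project,
                       user_domain="Default", project_domain="Default"):
    """Body for POST AUTH_URL/auth/tokens, mirroring the --os-* options above."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": username, "password": password,
                                  "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


# Constructed sample reply. The token itself is not in the JSON body: keystone
# returns it in the X-Subject-Token header, which is the opaque fernet string
# that `token issue` shows in its id row. Ids are those of the demo output.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABconstructed-sample-fernet-token"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"],
    "expires_at": "2016-02-12T20:15:39.014479Z",
    "project": {"id": "ed0b60bf607743088218b0a533d5943f", "name": "demo",
                "domain": {"id": "default", "name": "Default"}},
    "user": {"id": "58126687cbcc4888bfa9ab73a2256f27", "name": "demo",
             "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "997ce8d05fc143ac97d83fdfb5998552", "name": "user"}]}})


def parse_token_response(headers, body, expected_project):
    """Return the fields `token issue` prints, refusing a token scoped elsewhere."""
    tok = json.loads(body)["token"]
    scoped_to = tok.get("project", {}).get("name")
    if scoped_to != expected_project:
        raise ValueError("token scoped to %r, not %r" % (scoped_to, expected_project))
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"expires": expires.replace(tzinfo=timezone.utc),
            "id": headers["X-Subject-Token"],
            "project_id": tok["project"]["id"],
            "user_id": tok["user"]["id"],
            "roles": [r["name"] for r in tok["roles"]]}
```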

## Using the scripts

To run clients as a specific project and user, you can simply load the associated client environment script prior to running them. For example:

1. Load the `admin-openrc` file to populate environment variables with the location of the Identity service and the `admin` project and user credentials:

```
$ . admin-openrc
```
# Source the environment-variable script
2. Request an authentication token:

```
$ openstack token issue
# Run this command
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:44:35.659723Z                                     |
| id         | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
|            | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
|            | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
```


If you get the output above, the configuration succeeded; otherwise it failed.