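Installing OpenStack Stein on a single Ubuntu 18.04 machine (without scripts): Keystone
- Install and configure
- Create a domain, projects, users, and roles
- Verify operation
- Create OpenStack client environment scripts
Install and configure
Log in to the MySQL database as root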
# mysql
Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Grant privileges on the keystone database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with the corresponding hexadecimal string generated earlier
Exit the database client, then install the keystone package
# apt-get install keystone
Edit the keystone configuration file with the following command
# vim /etc/keystone/keystone.conf
In the opened file, change the following settings
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
# ...
provider = fernet
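Replace KEYSTONE_DBPASS with the corresponding hexadecimal string generated earlier
The ellipsis (...) indicates that the existing default configuration options are kept
When finished, populate the keystone database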
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repositories
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
Replace ADMIN_PASS with the corresponding hexadecimal string generated earlier
Edit the Apache HTTP server configuration file with the following command
# vim /etc/apache2/apache2.conf
In the opened file, add the following setting
ServerName controller
When finished, restart the apache service
# service apache2 restart
Open another terminal and set the following environment variables
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3
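Replace ADMIN_PASS with the corresponding hexadecimal string generated earlier
Create a domain, projects, users, and roles
A new domain can be created with the following command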
$ openstack domain create --description "An Example Domain" example
Output
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 513e0d3ab1884f089a5842a20dfad68c |
| name | example |
| tags | [] |
+-------------+----------------------------------+
OpenStack generates IDs dynamically, so the values will differ from one run to the next
Create the service project
$ openstack project create --domain default --description "Service Project" service
Output
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 2e2e72dde2fa457089308bb4c5de1a18 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Create the myproject project
$ openstack project create --domain default --description "Demo Project" myproject
Output
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 2dfb5d3e8b054080b0ce0f8b469ef4cf |
| is_domain | False |
| name | myproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Create the myuser user
$ openstack user create --domain default --password-prompt myuser
Output
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | c87651bfd1054d3d978b6ed31ad624c0 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
Create the myrole role
$ openstack role create myrole
Output
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 712ee8d26afd4cb482108a4ba4a8eb9f |
| name | myrole |
+-------------+----------------------------------+
The myrole role has no administrative privileges
Grant the myrole role to the myuser user in the myproject project
$ openstack role add --project myproject --user myuser myrole
Verify operation
Unset the OS_AUTH_URL and OS_PASSWORD environment variables
$ unset OS_AUTH_URL OS_PASSWORD
Request an authentication token as the admin user
$ openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Output
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-09-09T08:03:24+0000 |
| id | gAAAAABddfk8vXnp9NXEZMFJN3luejw-AYT3qZ8Qry5ghVSY2PvGHD3n8_Y5UFQAawXaeP7F710EJ20qcteXIZz33q1W4Sbj59W4Qemf1kLf7IiSdygBEDd9u2MQIGV2HM_pVaUUrlWHOXTbQBuX5xeGJaWNThTxNFIUCgk-Zn2UzRxsqKxOkUw |
| project_id | 6e83323c84a6469e8c94f50996d2dd78 |
| user_id | 4892a985c02c4b70ac19eb6a4a273614 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
The password is the hexadecimal string that corresponds to ADMIN_PASS
Request an authentication token as the myuser user
$ openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
Output
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-09-09T08:12:55+0000 |
| id | gAAAAABddft3wDQHw7GtkHERe7wSdqLCQ1uT4-qijLDZiuOHqjMVtoG1ukzGpGBMad6kx7U8514LCgOgwxqWxSsyJ-GWGGHNNfEzszdgxHkcpTsyqx8PsfUb1_rl_wjdOPfUeYPiLSP7iaIL54OpvhEiMBn47JEKh3beF5wl3URMYzkOAhgLxZI |
| project_id | 2dfb5d3e8b054080b0ce0f8b469ef4cf |
| user_id | c87651bfd1054d3d978b6ed31ad624c0 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
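The token ids above are Fernet tokens (provider = fernet in keystone.conf). The following is an added example, not part of the original article: it reads the unencrypted header of the admin token shown above (version byte and issue timestamp) and compares the issue time with the expires field. The function names are illustrative.

```python
import base64
import struct
from datetime import datetime, timezone

# Token id and expiry copied from the admin "token issue" output above.
ADMIN_TOKEN = ("gAAAAABddfk8vXnp9NXEZMFJN3luejw-AYT3qZ8Qry5ghVSY2PvGHD3n8_Y5UFQAawXaeP7F"
               "710EJ20qcteXIZz33q1W4Sbj59W4Qemf1kLf7IiSdygBEDd9u2MQIGV2HM_pVaUUrlWHOXTb"
               "QBuX5xeGJaWNThTxNFIUCgk-Zn2UzRxsqKxOkUw")
ADMIN_EXPIRES = "2019-09-09T08:03:24+0000"


def parse_fernet_layout(token):
    """Split a Keystone Fernet token into its fields without any key."""
    # Keystone strips the base64 '=' padding; restore it before decoding.
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    # Fixed layout: version(1) | timestamp(8) | IV(16) | ciphertext | HMAC(32)
    if len(raw) < 73 or raw[0] != 0x80 or (len(raw) - 57) % 16:
        raise ValueError("not a Fernet token")
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {
        "issued_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "iv": raw[9:25],
        "ciphertext_len": len(raw) - 57,  # AES-CBC output, a multiple of 16
        "hmac": raw[-32:],
    }


def lifetime_seconds(token, expires):
    """Seconds between the cleartext issue time and the reported expiry."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    issued = parse_fernet_layout(token)["issued_at"]
    return int((exp - issued).total_seconds())


if __name__ == "__main__":
    info = parse_fernet_layout(ADMIN_TOKEN)
    print("issued at:", info["issued_at"].isoformat())
    print("ciphertext bytes:", info["ciphertext_len"])
    print("lifetime (s):", lifetime_seconds(ADMIN_TOKEN, ADMIN_EXPIRES))
```

The payload that carries the user and project ids stays encrypted and authenticated; reading or minting tokens requires the keys in the repository created by fernet_setup.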
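Create OpenStack client environment scripts
An OpenStack client environment script (OpenRC file) collects the environment-variable commands used earlier into a single file, so a user can simply run the script to set the variables, which is more efficient. The OpenStack client also supports clouds.yaml files.
Create and edit the script file for the admin user with the following command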
$ vim admin-openrc
In the opened file, add the following settings
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
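Replace ADMIN_PASS with the corresponding hexadecimal string generated earlier
Create and edit the script file for the myuser user with the following command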
$ vim myuser-openrc
In the opened file, add the following settings
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=MYUSER_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Replace MYUSER_PASS with the password set earlier
Run the script to verify operation
$ . admin-openrc
$ openstack token issue
Output
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-09-09T08:36:50+0000 |
| id | gAAAAABddgESq_yXWE3Jy6CkXi-FdKYQjEH26V43SPurSnRkF6-o__zPygYl_GEaFIzRM_PrmwJHTQj4Z5XdGGk6bXSpxhCK2dciusZI-7Ei_SVwSmezCGPjfhzEKO7iYPx_g2OWehdsmknFOU0X8mS3inlv9o0AoLT6cD-9ZGnyNMshwFMuZAI |
| project_id | 6e83323c84a6469e8c94f50996d2dd78 |
| user_id | 4892a985c02c4b70ac19eb6a4a273614 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
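Both OpenRC files store OS_PASSWORD in clear text. The following added example (not from the original article; the function names are illustrative and the sample file content is constructed from the admin-openrc above) audits such a file for a permissive file mode, an unreplaced placeholder password and a plain-HTTP auth URL.

```python
import os
import re
import stat
import tempfile

# Placeholders used on this page; one left in place means the secret was never set.
PLACEHOLDERS = {"ADMIN_PASS", "MYUSER_PASS"}
EXPORT_RE = re.compile(r"^\s*export\s+(OS_[A-Z0-9_]+)=(.*)$")


def parse_openrc(text):
    """Return the OS_* variables set by 'export NAME=value' lines."""
    env = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("'\"")
    return env


def audit_openrc(path):
    """List problems with an OpenRC file that stores OS_PASSWORD."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        env = parse_openrc(fh.read())
    if "OS_PASSWORD" in env and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible beyond owner (mode %04o)" % mode)
    if env.get("OS_PASSWORD") in PLACEHOLDERS:
        findings.append("OS_PASSWORD is still a placeholder")
    if env.get("OS_AUTH_URL", "").startswith("http://"):
        findings.append("OS_AUTH_URL is plain HTTP")
    return findings


def demo():
    """Constructed sample: admin-openrc content, audited at 0644 and 0600."""
    sample = ("export OS_USERNAME=admin\nexport OS_PASSWORD=ADMIN_PASS\n"
              "export OS_AUTH_URL=http://controller:5000/v3\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "admin-openrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        loose = audit_openrc(path)
        os.chmod(path, 0o600)
        return loose, audit_openrc(path)
```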