Note: this exercise is performed on the controller node.

1. Install the MariaDB database packages

[root@controller ~]# yum install -y mariadb mariadb-server MySQL-python
If the packages cannot be installed from the LAN yum repository, create a local yum repository by mounting the installation ISO, install from that, and switch back to the LAN repository afterwards.

2. Edit the database configuration file

Add the following under [mysqld]:
 bind-address = 192.168.9.128
 default-storage-engine = innodb
 innodb_file_per_table
 collation-server = utf8_general_ci
 init-connect = 'SET NAMES utf8'
 character-set-server = utf8

Save and exit when done.

[root@controller ~]# vi /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
bind-address = 192.168.9.128            ### IP address the database listens on
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

3. Start MariaDB and enable it at boot

[root@controller ~]# systemctl start mariadb     ### start mariadb
[root@controller ~]# systemctl enable mariadb    ### enable mariadb at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

4. Initialize MariaDB

[root@controller ~]# mysql_secure_installation   ### secure the MariaDB installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):     ### no password yet, just press Enter
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y             ### set a root password: y
New password:                        ### enter the MariaDB root password
Re-enter new password:               ### enter the password again
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y       ### type: y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y    ### type: y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y    ### type: y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y            ### type: y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!                 ### MariaDB initialization complete

5. Install RabbitMQ (the message queue), start it and enable it at boot

Purpose: RabbitMQ carries the messages exchanged between the OpenStack components so they can coordinate their operations, avoid errors, and report status information.

[root@controller ~]# yum install -y rabbitmq-server  ### install

[root@controller ~]# systemctl start rabbitmq-server  ### start
[root@controller ~]# systemctl enable rabbitmq-server ### enable at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.

6. Log into the database, create the keystone database, and create the keystone user with its privileges

[root@controller ~]# mysql -u root -p123        ### log into the database; the password follows -p with no space (a password typed on the command line is kept in the shell history, a bare -p prompts for it instead)
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;    ### create the keystone database
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by '000';   ### grant the keystone user privileges on the keystone database
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by '000';   ### allow the keystone user to log in from any node
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;         ### reload the privilege tables
Query OK, 0 rows affected (0.00 sec)          ### type exit to leave MariaDB

7. Generate a random token to use as the admin token for the initial configuration

[root@controller ~]# openssl rand -hex 10
2d6e4570e131f026b6bd     ### save this value; it is needed later

8. Install the keystone package and client tools

[root@controller ~]# yum install -y openstack-keystone python-keystoneclient

9. Edit the keystone configuration file

[root@controller ~]# vi /etc/keystone/keystone.conf 
[DEFAULT]

#
# Options defined in keystone
#

# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
admin_token=2d6e4570e131f026b6bd    ### the random token generated in step 7


......
[database]

#
# Options defined in oslo.db
#

# The file name to use with SQLite. (string value)
#sqlite_db=oslo.sqlite

# If True, SQLite uses synchronous mode. (boolean value)
#sqlite_synchronous=true

# The back end to use for the database. (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend=sqlalchemy

# The SQLAlchemy connection string to use to connect to the
# database. (string value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
connection=mysql://keystone:000@controller/keystone   ### format: mysql://keystone:<user password>@<database hostname>/<database name>

...
[token]

# Controls the token construction, validation, and revocation
# operations. Core providers are

#
# Options defined in keystone.openstack.common.log
#

# Print debugging output (set logging level to DEBUG instead
# of default WARNING level). (boolean value)
#debug=false

# Print more verbose output (set logging level to INFO instead
# of default WARNING level). (boolean value)
verbose=true  ### change to true

10. Create the signing keys and certificates, and restrict access to the key data and the SSL (key) directory

[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone  ### create the keys
[root@controller ~]# chown -R keystone:keystone /var/log/keystone/  
[root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl
[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl
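
Added example, not part of the original guide: after steps 9 and 10, keystone.conf holds both the bootstrap admin_token and the database password from the connection= string, so it deserves the same access restriction just applied to /etc/keystone/ssl. The Python script below (an assumed helper, standard library only) audits a keystone.conf for those settings and its file mode; the sample configuration is constructed from the values used above.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample reproducing the values set in step 9 above (not a real deployment).
SAMPLE_CONF = """\
[DEFAULT]
admin_token=2d6e4570e131f026b6bd
verbose=true
debug=false

[database]
connection=mysql://keystone:000@controller/keystone
"""

def write_sample(mode=0o644):
    """Write SAMPLE_CONF to a temp file with the given permission bits and return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path

def audit_keystone_conf(path):
    """Return a list of findings for the security-relevant settings in a keystone.conf."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    findings = []

    # The admin token bypasses user authentication entirely; keystone.conf's own comment
    # says to remove AdminTokenAuthMiddleware from the paste pipeline in production.
    if cfg.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append("admin_token still set: remove it once the admin user and endpoints exist")

    # mysql://user:password@host/db embeds the database password in clear text,
    # so the file must be readable by the keystone service user only.
    conn = cfg.get("database", "connection", fallback="")
    userinfo = conn.split("://", 1)[-1].split("@", 1)[0] if "@" in conn else ""
    if ":" in userinfo:
        findings.append("database password is embedded in connection=; restrict the file mode")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append("keystone.conf is readable by others (mode %03o)" % mode)

    if cfg.getboolean("DEFAULT", "debug", fallback=False):
        findings.append("debug=true: keep DEBUG logging off outside troubleshooting")
    return findings
```

Run `audit_keystone_conf("/etc/keystone/keystone.conf")` on the controller to check the real file; `write_sample` only exists to exercise the checks offline.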

11. Sync the database to create the Identity service tables

You can log into the database afterwards to check the result.

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> show tables;
+-----------------------+
| Tables_in_keystone    |
+-----------------------+
| assignment            |
| credential            |
| domain                |
| endpoint              |
| group                 |
| id_mapping            |
| migrate_version       |
| policy                |      ### tables have been synced
| project               |
| region                |
| revocation_event      |
| role                  |
| service               |
| token                 |
| trust                 |
| trust_role            |
| user                  |
| user_group_membership |
+-----------------------+
18 rows in set (0.00 sec)

12. Start the keystone service

[root@controller ~]# systemctl start openstack-keystone
[root@controller ~]# systemctl enable openstack-keystone
Created symlink from /etc/systemd/system/multi-user.target.wants/openstack-keystone.service to /usr/lib/systemd/system/openstack-keystone.service.

13. Purge expired tokens periodically

[root@controller ~]# (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
> echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
> >> /var/spool/cron/keystone

Note the space between @hourly and /usr/bin/keystone-manage: without it cron cannot parse the schedule and the job never runs.


[root@controller ~]# vi /var/spool/cron/keystone  ### if the following line appears, the entry was added correctly
@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1

II. Set up tenants, users and roles

1. Configure the admin token

[root@controller ~]# export OS_SERVICE_TOKEN=2d6e4570e131f026b6bd ### the random string generated in step 7

[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
### tells the client where the Identity service runs
[root@controller ~]# env    ### use env to check that the variables are set

2. Create the administrative tenant, user and role

   a. Create the admin tenant

[root@controller ~]# keystone tenant-create --name=admin --description="Admin Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |  ### enabled = True means the tenant was created correctly
|   enabled   |               True               |
|      id     | 4e27801794df4632b0487347d568322e |
|     name    |              admin               |
+-------------+----------------------------------+

   b. Create the admin user

[root@controller ~]# keystone user-create --name=admin --pass=000
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | e54a0ac2e3c2420498ae303e79d500bb |
|   name   |              admin               |
| username |              admin               |
+----------+----------------------------------+

   c. Create the admin role

[root@controller ~]# keystone role-create --name=admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 1bfa4a0eb7b845b0842139f0e35b5b71 |
|   name   |              admin               |
+----------+----------------------------------+

d. Add the user to the tenant and grant it the role

[root@controller ~]# keystone user-role-add --user=admin --tenant=admin --role=admin

e. Create the _member_ role used to access the dashboard, and add the admin user and tenant to the _member_ role

[root@controller ~]# keystone role-create --name=_member_  ### create the _member_ role
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | a622e334bab7440aaa7282ff7bf0696a |
|   name   |             _member_             |
+----------+----------------------------------+
[root@controller ~]# keystone user-role-add --user=admin --role=_member_ --tenant=admin
### bind user, role and tenant together

f. Create a non-administrative user, demo, for testing; the steps are the same as above

[root@controller ~]# keystone tenant-create --name=demo --description="Demo Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Demo Tenant            |
|   enabled   |               True               |   ### create the tenant
|      id     | b6c6ae166e0346aeb7c0d9f92ed4fb22 |
|     name    |               demo               |
+-------------+----------------------------------+
[root@controller ~]# keystone user-create --name=demo --pass=000
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |  ### create the user
|    id    | a4283c7d282544b8bd6e0fd254b772f9 |
|   name   |               demo               |
| username |               demo               |
+----------+----------------------------------+
[root@controller ~]# keystone user-role-add --user=demo --tenant=demo --role=_member_
### bind the role

g. Create the tenant for the OpenStack services

[root@controller ~]# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | 6d1b210ae16c4cd79de537d6f967cdf4 |
|     name    |             servicen             |
+-------------+----------------------------------+

h. Create the service entity and its endpoint; the service here is the service entity for each OpenStack component

[root@controller ~]# keystone service-create --name=keystone --type=identity --description="Openstack Identity"   ### create the keystone service entity
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        Openstack Identity        |
|   enabled   |               True               |
|      id     | 884af334170c41e9b540cc4ba03d0d23 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+


### create the endpoint
[root@controller ~]# keystone endpoint-create \
> --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
> --publicurl=http://controller:5000/v2.0 \
> --internalurl=http://controller:5000/v2.0 \
> --adminurl=http://controller:35357/v2.0
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |   http://controller:35357/v2.0   |
|      id     | e2cb683aebae460bbeac79314fc1d0da |
| internalurl |   http://controller:5000/v2.0    |
|  publicurl  |   http://controller:5000/v2.0    |
|    region   |            regionOne             |
|  service_id | 884af334170c41e9b540cc4ba03d0d23 |
+-------------+----------------------------------+

i. Verify the Identity service (keystone)

Unset the environment variables set earlier, then test whether a token can be requested.

[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT ### clear the service token and endpoint

[root@controller ~]# keystone --os-tenant-name=admin --os-user=admin --os-password=000 --os-auth-url http://controller:35357/v2.0 token-get

+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2021-07-31T11:11:22Z       |   ### a token was issued
|     id    | 0529eb94d3e44cbc91725eb861853223 |
| tenant_id | 4e27801794df4632b0487347d568322e |
|  user_id  | e54a0ac2e3c2420498ae303e79d500bb |
+-----------+----------------------------------+

Next, test whether the admin user can list the tenants; normally this request succeeds.

[root@controller ~]# keystone --os-tenant-name=admin --os-username=admin --os-password=000 --os-auth-url http://controller:35357/v2.0 tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |  
+----------------------------------+----------+---------+
| 4e27801794df4632b0487347d568322e |  admin   |   True  |  ### accessible
| b6c6ae166e0346aeb7c0d9f92ed4fb22 |   demo   |   True  |
| 6d1b210ae16c4cd79de537d6f967cdf4 | servicen |   True  |
+----------------------------------+----------+---------+

Then request a token as the demo user and tenant.

[root@controller ~]# keystone --os-tenant-name=demo --os-username=demo --os-password=000 --os-auth-url http://controller:35357/v2.0 token-get

+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2021-07-31T11:26:30Z       |
|     id    | ab0389f2b4924c7bab232cc8c851445b |  ### works as expected
| tenant_id | b6c6ae166e0346aeb7c0d9f92ed4fb22 |
|  user_id  | a4283c7d282544b8bd6e0fd254b772f9 |
+-----------+----------------------------------+

Test what happens when the demo user requests an admin-only URL:

[root@controller ~]# keystone --os-tenant-name=demo --os-username=demo --os-password=000 --os-auth-url http://controller:35357/v2.0 user-list

You are not authorized to perform the requested action: admin_required (HTTP 403)
### This error is expected: the URL is restricted to administrators, and demo is an ordinary user without that role.

Finally, write two scripts to make the following operations easier: one for the admin user and one for the demo user.

[root@controller ~]# vi admin.sh 
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000
export OS_AUTH_URL=http://controller:35357/v2.0


[root@controller ~]# vi demo.sh 
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=000
export OS_AUTH_URL=http://controller:5000/v2.0
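
Added example, not part of the original guide: the `keystone token-get` and `tenant-list` calls in step i are plain HTTP requests against the v2.0 API, so the same verification can be scripted without the CLI. The Python below (assumed helper names, standard library only) builds the POST /v2.0/tokens request from the OS_* variables that admin.sh and demo.sh export, extracts the four fields the CLI table prints, checks how long the token is still valid, and reads the error envelope Keystone returns for an unauthorized call such as demo's user-list. The sample response and error are constructed from the output shown in step i; `token_get` is the only function that talks to the network.

```python
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

def build_auth_request(tenant_name, username, password):
    """JSON body for POST <OS_AUTH_URL>/tokens, which is what `keystone token-get` sends."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username, "password": password}}}

def error_message(body):
    """Text of a v2.0 error envelope {"error": {"message", "code", "title"}}, or None."""
    err = body.get("error")
    return "%s (HTTP %s)" % (err.get("message"), err.get("code")) if err else None

def parse_token_response(body):
    """Return the four fields the CLI table prints; raise if Keystone returned an error."""
    msg = error_message(body)
    if msg:
        raise PermissionError(msg)
    access = body["access"]
    return {"id": access["token"]["id"], "expires": access["token"]["expires"],
            "tenant_id": access["token"]["tenant"]["id"], "user_id": access["user"]["id"]}

def seconds_until_expiry(info, now_utc):
    """Positive while the token is usable; both timestamps use Keystone's UTC 'Z' format."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    expires = datetime.strptime(info["expires"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_utc, fmt).replace(tzinfo=timezone.utc)
    return (expires - now).total_seconds()

def token_get(env):
    """Live request; pass os.environ after sourcing admin.sh or demo.sh (needs the controller)."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/tokens"
    body = build_auth_request(env["OS_TENANT_NAME"], env["OS_USERNAME"], env["OS_PASSWORD"])
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(json.load(resp))
    except urllib.error.HTTPError as exc:  # a 401/403 body carries the same error envelope
        raise PermissionError(error_message(json.load(exc)) or str(exc))
# Constructed samples mirroring the admin token-get output and the demo user-list error in step i.
SAMPLE_TOKEN = {"access": {
    "token": {"id": "0529eb94d3e44cbc91725eb861853223", "expires": "2021-07-31T11:11:22Z",
              "tenant": {"id": "4e27801794df4632b0487347d568322e", "name": "admin"}},
    "user": {"id": "e54a0ac2e3c2420498ae303e79d500bb", "name": "admin"}}}
SAMPLE_403 = {"error": {"code": 403, "title": "Forbidden",
                        "message": "You are not authorized to perform the requested action: admin_required"}}
```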