前面囉嗦了這麼多,終於要正式進入OpenStack各組件安裝部署的章節了。首先爲大家帶來的是OpenStack的用戶登陸鑑權組件,KeyStone的安裝。
首先,安裝mysql服務,並分別創建Nova, glance, swift等組件獨立的用戶和口令
sudo apt-get install mysql-server python-mysqldb
安裝過程中提示設置密碼,這裏設置爲mygreatsecret
sed -i '/bind-address/ s/127.0.0.1/0.0.0.0/' /etc/mysql/my.cnf
sudo restart mysql
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE nova;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER novadbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON nova.* TO 'novadbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'novadbadmin'@'%' = PASSWORD('novasecret');"
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE glance;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER glancedbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON glance.* TO 'glancedbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'glancedbadmin'@'%' = PASSWORD('glancesecret');"
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE keystone;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER keystonedbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'keystonedbadmin'@'%' = PASSWORD('keystonesecret');"
安裝KeyStone組件
sudo apt-get install keystone python-keystone python-keystoneclient
sed -i '/admin_token/ s/ADMIN/admin/' /etc/keystone/keystone.conf
sed -i '/connection/ s/sqlite\:\/\/\/\/var\/lib\/keystone\/keystone.db/mysql\:\/\/keystonedbadmin\:[email protected]\/keystone/' /etc/keystone/keystone.conf
#注意修改mysql服務器地址
sudo service keystone restart
sudo keystone-manage db_sync
export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export SERVICE_TOKEN=admin
後面就是按照文檔,創建租戶Tenants,創建用戶Users,創建角色Roles,最後進行租戶、用戶、角色之間的關聯。不管創建什麼類型,都會返回一個UID值,後面的步驟會用到前面的id,比如用戶角色關聯命令
keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $TENANT_ID
這個$USER_ID和$ROLE_ID等就是前面創建用戶或者角色時候得到的ID
比如先創建用戶
keystone user-create --name admin --pass admin --email [email protected]
查看ID
keystone user-list
+----------------------------------+---------+-------------------+--------+
| id | enabled | email | name |
+----------------------------------+---------+-------------------+--------+
| b3de3aeec2544f0f90b9cbfe8b8b7acd | True | [email protected] | admin |
| ce8cd56ca8824f5d845ba6ed015e9494 | True | [email protected] | nova |
+----------------------------------+---------+-------------------+--------+
如上,我們創建的名字爲admin的用戶就會顯示出來,後面的步驟就要用這個ID。
大家會發現這樣最非常麻煩,而且id這樣拷貝很容易出錯,所以我們要用腳本來自動完成上面的這些操作,以及service endpoint的操作。
#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant User Roles
# ------------------------------------------------------------------
# admin admin admin
# service glance admin
# service nova admin, [ResellerAdmin (swift only)]
# service quantum admin # if enabled
# service swift admin # if enabled
# service cinder admin # if enabled
# service heat admin # if enabled
# demo admin admin
# demo demo Member, anotherrole
# invisible_to_admin demo Member
# Tempest Only:
# alt_demo alt_demo Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
SERVICE_HOST=${SERVICE_HOST:-192.168.3.1}
#將這個IP修改爲Keystone服務器的內網IP
SERVICE_TOKEN=${SERVICE_TOKEN:-admin}
SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://localhost:35357/v2.0}
# Defaults
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
function get_id () {
echo `"$@" | awk '/ id / { print $4 }'` # '$@'代表函數的參數,參數就是get_id後面接的KeyStone命令
}
# Tenants
# -------
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
# Users
# -----
ADMIN_USER=$(get_id keystone user-create --name=admin \
--pass=admin \
[email protected])
NOVA_USER=$(get_id keystone user-create --name=nova \
--pass=nova \
[email protected])
GLANCE_USER=$(get_id keystone user-create --name=glance \
--pass=glance \
[email protected])
SWIFT_USER=$(get_id keystone user-create --name=swift \
--pass=swift \
[email protected])
# Roles
# -----
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
# Add Roles to Users in Tenants
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $NOVA_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
keystone user-role-add --user_id $GLANCE_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
keystone user-role-add --user_id $SWIFT_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
# The Member role is used by Horizon and Swift so we need to keep it:
keystone user-role-add --user_id $ADMIN_USER --role_id $MEMBER_ROLE --tenant_id $ADMIN_TENANT
# Services
# --------
# Keystone
KEYSTONE_SERVICE=$(get_id keystone service-create \
--name=keystone \
--type=identity \
--description="Keystone Identity Service")
keystone endpoint-create \
--region RegionOne \
--service_id $KEYSTONE_SERVICE \
--publicurl "http://$SERVICE_HOST:5000/v2.0" \
--adminurl "http://$SERVICE_HOST:35357/v2.0" \
--internalurl "http://$SERVICE_HOST:5000/v2.0"
# Nova
NOVA_SERVICE=$(get_id keystone service-create \
--name=nova \
--type=compute \
--description="Nova Compute Service")
keystone endpoint-create \
--region RegionOne \
--service_id $NOVA_SERVICE \
--publicurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s"
# Nova needs ResellerAdmin role to download images when accessing
# swift through the s3 api. The admin role in swift allows a user
# to act as an admin for their tenant, but ResellerAdmin is needed
# for a user to act as any tenant. The name of this role is also
# configurable in swift-proxy.conf
#RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
#keystone user-role-add \
# --tenant_id $SERVICE_TENANT \
# --user_id $NOVA_USER \
# --role_id $RESELLER_ROLE
# Volume
VOLUME_SERVICE=$(get_id keystone service-create \
--name=volume \
--type=volume \
--description="Volume Service")
keystone endpoint-create \
--region RegionOne \
--service_id $VOLUME_SERVICE \
--publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
--internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"
# Glance
GLANCE_SERVICE=$(get_id keystone service-create \
--name=glance \
--type=image \
--description="Glance Image Service")
keystone endpoint-create \
--region RegionOne \
--service_id $GLANCE_SERVICE \
--publicurl "http://$SERVICE_HOST:9292/v1" \
--adminurl "http://$SERVICE_HOST:9292/v1" \
--internalurl "http://$SERVICE_HOST:9292/v1"
# Swift
SWIFT_SERVICE=$(get_id keystone service-create \
--name=swift \
--type="object-store" \
--description="Swift Service")
keystone endpoint-create \
--region RegionOne \
--service_id $SWIFT_SERVICE \
--publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
--adminurl "http://$SERVICE_HOST:8080/v1" \
--internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"
# EC2
EC2_SERVICE=$(get_id keystone service-create \
--name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer")
keystone endpoint-create \
--region RegionOne \
--service_id $EC2_SERVICE \
--publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
--adminurl "http://$SERVICE_HOST:8773/services/Admin" \
--internalurl "http://$SERVICE_HOST:8773/services/Cloud"
最後,用命令驗證查看KeyStone是否安裝正確
keystone tenant-list
keystone user-list
keystone role-list
keystone service-list
好了,有關KeyStone的相關部署方法就介紹到這裏。