OpenStack Multi-Node Deployment (4): Keystone

OpenStack Multi-Node Deployment (1): Server Selection

OpenStack Multi-Node Deployment (2): Operating System Installation

OpenStack Multi-Node Deployment (3): Network Configuration

OpenStack Multi-Node Deployment (4): Keystone

OpenStack Multi-Node Deployment (5): Nova

OpenStack Multi-Node Deployment (6): Glance


After all that preamble we finally reach the chapters on installing and deploying the individual OpenStack components. First up is Keystone, the identity service that handles user login and authentication for every other component.

First, install the MySQL server and create a separate database, user and password for each component that needs one (Nova, Glance and Keystone; Swift keeps its own metadata and does not use MySQL):

sudo apt-get install mysql-server python-mysqldb

The installer prompts for a root password; this walkthrough uses mygreatsecret.

sudo sed -i '/bind-address/ s/127.0.0.1/0.0.0.0/' /etc/mysql/my.cnf
sudo restart mysql
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE nova;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER novadbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON nova.* TO 'novadbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'novadbadmin'@'%' = PASSWORD('novasecret');"
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE glance;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER glancedbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON glance.* TO 'glancedbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'glancedbadmin'@'%' = PASSWORD('glancesecret');"
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE keystone;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER keystonedbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'keystonedbadmin'@'%' = PASSWORD('keystonesecret');"

Two of these lines deserve a second look before they go anywhere but a lab. bind-address 0.0.0.0 makes mysqld listen on every interface, including any public one, so on a server with more than one network restrict it to the management address (or firewall port 3306). Likewise 'novadbadmin'@'%' accepts that login from any host; granting to the specific controller and compute addresses instead means a leaked password is not usable from an arbitrary machine. Passing -pmygreatsecret on the command line also leaves the root password in shell history and in ps output; mysql -uroot -p prompts for it instead.
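As an added example (not part of the original walkthrough), here is the same database setup written so that each service account is granted only from the host that needs it and gets a random password instead of a fixed word. The IP addresses in the usage lines are placeholders for a management network.

```shell
#!/bin/sh
# Added example, not from the original post: MySQL setup for OpenStack service
# databases with host-restricted grants and random passwords. The addresses in
# the usage lines at the bottom are placeholders; substitute your own.

# random_secret: 32 hex characters from /dev/urandom. Hex only, so the value
# needs no quoting in SQL or in a keystone.conf connection URL.
random_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_db_grants DBNAME DBUSER ALLOWED_HOST PASSWORD
# Prints SQL on stdout so it can be reviewed before being piped into
# `mysql -uroot -p`. Two accounts are created: one for the remote service
# host and one for localhost (the *-manage tools run on the DB server).
# Neither uses the '%' wildcard.
gen_db_grants() {
    db=$1; user=$2; host=$3; pass=$4
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$db"
    for h in "$host" localhost; do
        printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$h" "$pass"
        printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$h"
    done
    printf "FLUSH PRIVILEGES;\n"
}

# set_bind_address MY_CNF IP: make mysqld listen on the management address
# only, rather than 0.0.0.0 (every interface, including a public one).
set_bind_address() {
    sed -i "s|^bind-address.*|bind-address = $2|" "$1"
}

# Usage on the database server (addresses are placeholders; run as root):
#   NOVA_DB_PASSWORD=$(random_secret)
#   gen_db_grants nova novadbadmin 10.0.0.11 "$NOVA_DB_PASSWORD" | mysql -uroot -p
#   gen_db_grants glance glancedbadmin 10.0.0.12 "$(random_secret)" | mysql -uroot -p
#   gen_db_grants keystone keystonedbadmin 10.0.0.10 "$(random_secret)" | mysql -uroot -p
#   set_bind_address /etc/mysql/my.cnf 10.0.0.10 && restart mysql
```

mysql -uroot -p prompts for the root password rather than taking it on the command line. Record each generated password straight into the matching service's configuration (for Keystone, the connection URL in keystone.conf), since it is not stored anywhere else.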

Install the Keystone component

sudo apt-get install keystone python-keystone python-keystoneclient
sudo sed -i '/admin_token/ s/ADMIN/admin/' /etc/keystone/keystone.conf
sudo sed -i '/connection/ s|sqlite:////var/lib/keystone/keystone.db|mysql://keystonedbadmin:keystonesecret@MYSQL_HOST/keystone|' /etc/keystone/keystone.conf
# replace MYSQL_HOST with the address of the MySQL server; keystonedbadmin/keystonesecret are the credentials created above
sudo keystone-manage db_sync
sudo service keystone restart
export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export SERVICE_TOKEN=admin

The admin_token is a shared secret: any client that presents it on the admin port 35357 is a full administrator, with no username, password or tenant involved. The walkthrough sets it to the word admin so that it matches SERVICE_TOKEN, which is fine for a lab; on any host reachable beyond one, use a long random value, keep keystone.conf readable only by root and the keystone user (it now also holds the database password), and take the token out of service once the initial data has been loaded. db_sync runs before the restart so that the service comes up against the populated MySQL schema rather than the SQLite file it shipped with. The two exported variables tell the keystone client to authenticate with the admin token against the admin endpoint, which is how the commands below can run before any user exists.
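As an added example (not the original post's commands), the same keystone.conf edits with a random bootstrap token, a sed delimiter that needs no escaping, and a function that removes the admin_token_auth filter afterwards. It assumes the Essex-era layout in which keystone.conf carries the admin_token and connection lines together with the paste pipelines (later releases moved the pipelines to keystone-paste.ini); MYSQL_HOST and the password in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: keystone.conf bootstrap with a
# random admin_token, and its removal after the initial data is loaded.
# Assumes "admin_token = ...", "connection = ..." and "pipeline = ..." lines
# in one keystone.conf, as shipped in the Essex package.

# random_token: 32 hex characters; replaces the guessable word "admin".
random_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# configure_keystone CONF TOKEN DB_URL
# '|' is the sed delimiter, so the URL needs no backslash escaping. A hex
# token and password also avoid '&' and '|', which sed treats specially.
configure_keystone() {
    conf=$1; token=$2; dburl=$3
    sed -i "s|^admin_token *=.*|admin_token = $token|" "$conf"
    sed -i "s|^connection *=.*|connection = $dburl|" "$conf"
}

# get_admin_token CONF: read the token back so scripts can export
# SERVICE_TOKEN without the value ever appearing on a command line.
get_admin_token() {
    sed -n 's|^admin_token *= *||p' "$1"
}

# remove_admin_token_filter CONF: drop admin_token_auth from every paste
# pipeline. Whoever reaches port 35357 with the token is a full admin, so
# after bootstrap the filter should go. Merely commenting out the
# admin_token line is not enough on releases that fall back to a built-in
# default such as ADMIN.
remove_admin_token_filter() {
    sed -i 's|^\(pipeline *=.*\) admin_token_auth |\1 |' "$1"
}

# Usage, as root on the Keystone host (MYSQL_HOST and password are placeholders):
#   configure_keystone /etc/keystone/keystone.conf "$(random_token)" \
#       'mysql://keystonedbadmin:keystonesecret@MYSQL_HOST/keystone'
#   chown root:keystone /etc/keystone/keystone.conf
#   chmod 0640 /etc/keystone/keystone.conf
#   keystone-manage db_sync && service keystone restart
#   export SERVICE_TOKEN=$(get_admin_token /etc/keystone/keystone.conf)
#   export SERVICE_ENDPOINT=http://localhost:35357/v2.0
#   ... run the bootstrap script below, then:
#   remove_admin_token_filter /etc/keystone/keystone.conf && service keystone restart
```

After the filter is removed, administration goes through a real user with the admin role (the admin user the script creates), so every action is tied to an account rather than to a shared string.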

What follows, as in the official documentation, is creating tenants, users and roles, and finally linking tenant, user and role together. Whatever kind of object you create, the command returns an id, and later steps refer to the ids from earlier ones. For example, the command that links a user to a role is

keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $TENANT_ID

where $USER_ID and $ROLE_ID are the ids returned when the user and the role were created.

For example, first create a user:

keystone user-create --name admin --pass admin --email [email protected]

then look up its id:

keystone user-list
+----------------------------------+---------+-------------------+--------+
|                id                | enabled |       email       |  name  |
+----------------------------------+---------+-------------------+--------+
| b3de3aeec2544f0f90b9cbfe8b8b7acd | True    | [email protected] | admin  |
| ce8cd56ca8824f5d845ba6ed015e9494 | True    | [email protected] | nova   |
+----------------------------------+---------+-------------------+--------+

As shown, the user we named admin appears in the list, and its id is what the later steps need.

You will find this very tedious, and copying ids around by hand is an easy way to make mistakes, so we use a script to automate all of these steps, together with the service and endpoint creation.
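Before the full script, an added example (not code from the original post) of a stricter way to capture those ids: it fails loudly when a create command fails or prints no id, instead of leaving an empty variable that the next user-role-add quietly accepts, and it looks ids up by name from the list tables so a second run can reuse what already exists. The table text in SAMPLE_CREATE and SAMPLE_LIST is constructed here to mirror the client's output; fake_create and fake_fail stand in for the keystone client so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: strict id capture for the
# keystone CLI. SAMPLE_* are constructed; fake_* replace the real client.

# get_id <command...>: run the command, print the value of its "id" row,
# and fail if the command failed or no 32-character hex id was found.
get_id() {
    out=$("$@") || { echo "get_id: command failed: $*" >&2; return 1; }
    id=$(printf '%s\n' "$out" | awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        trim($2) == "id" { print trim($3); exit }')
    case $id in
        "" | *[!0-9a-f]*) echo "get_id: no id in output of: $*" >&2; return 1 ;;
    esac
    [ ${#id} -eq 32 ] || { echo "get_id: unexpected id '$id'" >&2; return 1; }
    printf '%s\n' "$id"
}

# id_by_name NAME: read a *-list table on stdin and print the id whose "name"
# column equals NAME. Column positions come from the header row, so the same
# function serves user-list, tenant-list and role-list.
id_by_name() {
    awk -F'|' -v want="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^\+/ { next }
        !hdr { for (i = 2; i < NF; i++) {
                   h = trim($i)
                   if (h == "id") idc = i
                   if (h == "name") nc = i
               }
               hdr = 1; next }
        idc && nc && trim($nc) == want { print trim($idc); exit }'
}

# ensure_tenant NAME: idempotent variant of the script's tenant-create; it
# reuses an existing tenant instead of failing on a second run.
ensure_tenant() {
    list=$(keystone tenant-list) || return 1
    id=$(printf '%s\n' "$list" | id_by_name "$1")
    [ -n "$id" ] || id=$(get_id keystone tenant-create --name="$1") || return 1
    printf '%s\n' "$id"
}

# Constructed sample output in the shape of `keystone user-create` and
# `keystone user-list` from the Essex client.
SAMPLE_CREATE='+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| email    | [email protected]                |
| enabled  | True                             |
| id       | b3de3aeec2544f0f90b9cbfe8b8b7acd |
| name     | admin                            |
| tenantId | None                             |
+----------+----------------------------------+'
SAMPLE_LIST='+----------------------------------+---------+-------------------+--------+
|                id                | enabled |       email       |  name  |
+----------------------------------+---------+-------------------+--------+
| b3de3aeec2544f0f90b9cbfe8b8b7acd | True    | [email protected] | admin  |
| ce8cd56ca8824f5d845ba6ed015e9494 | True    | [email protected] | nova   |
+----------------------------------+---------+-------------------+--------+'

# Stand-ins for the keystone client.
fake_create() { printf '%s\n' "$SAMPLE_CREATE"; }
fake_fail()   { echo "Unable to communicate with identity service" >&2; return 1; }

# Usage with the real client, exactly as in the script below:
#   ADMIN_TENANT=$(ensure_tenant admin)
#   ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD")
```

With set -e in the calling script, a failed get_id aborts the run at the failing step, which is the behaviour you want during bootstrap: a half-populated catalog is harder to diagnose than a clean stop.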

Script download address

#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient.
# Adapted from DevStack's keystone_data.sh and trimmed to what this
# deployment needs; the DevStack-only tenants, users and services are gone.
#
# Tenant               User      Roles
# ------------------------------------------------------------------
# admin                admin     admin, Member
# service              nova      admin, [ResellerAdmin (swift only)]
# service              glance    admin
# service              swift     admin
#
# Variables that may be set before calling this script:
# SERVICE_TOKEN        - aka admin_token in keystone.conf
# SERVICE_ENDPOINT     - local Keystone admin endpoint
# SERVICE_TENANT_NAME  - name of the tenant containing service accounts
# SERVICE_HOST         - host used for endpoint creation
# ADMIN_PASSWORD, NOVA_PASSWORD, GLANCE_PASSWORD, SWIFT_PASSWORD
#                      - account passwords; the defaults reproduce the
#                        walkthrough and are acceptable only in a lab

# Abort on the first failed keystone call; without this a failed create
# leaves an empty id that the following user-role-add silently accepts.
set -eo pipefail

SERVICE_HOST=${SERVICE_HOST:-192.168.3.1}   # change this to the internal IP of the Keystone server
SERVICE_TOKEN=${SERVICE_TOKEN:-admin}
SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://localhost:35357/v2.0}
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin}
NOVA_PASSWORD=${NOVA_PASSWORD:-nova}
GLANCE_PASSWORD=${GLANCE_PASSWORD:-glance}
SWIFT_PASSWORD=${SWIFT_PASSWORD:-swift}

# The keystone client picks these up from the environment and authenticates
# with the admin token instead of a username and password.
export SERVICE_TOKEN
export SERVICE_ENDPOINT

# get_id <keystone command...>: run the command and print the value from its
# "id" row. "$@" is whatever keystone command follows get_id; the client
# prints a table in which that row reads "| id | <32 hex chars> |", so the
# id is the fourth whitespace-separated field.
function get_id () {
    "$@" | awk '/ id / { print $4 }'
}


# Tenants
# -------

ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name="$SERVICE_TENANT_NAME")


# Users
# -----

ADMIN_USER=$(get_id keystone user-create --name=admin \
                                         --pass="$ADMIN_PASSWORD" \
                                         [email protected])
NOVA_USER=$(get_id keystone user-create --name=nova \
                                        --pass="$NOVA_PASSWORD" \
                                        [email protected])
GLANCE_USER=$(get_id keystone user-create --name=glance \
                                          --pass="$GLANCE_PASSWORD" \
                                          [email protected])
SWIFT_USER=$(get_id keystone user-create --name=swift \
                                         --pass="$SWIFT_PASSWORD" \
                                         [email protected])


# Roles
# -----

ADMIN_ROLE=$(get_id keystone role-create --name=admin)
# Any further role can be created the same way and referenced from the
# services' policy files; Member is the one Horizon and Swift expect.
MEMBER_ROLE=$(get_id keystone role-create --name=Member)


# Add Roles to Users in Tenants
# -----------------------------

keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $NOVA_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
keystone user-role-add --user_id $GLANCE_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
keystone user-role-add --user_id $SWIFT_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT

# The Member role is used by Horizon and Swift so we need to keep it:
keystone user-role-add --user_id $ADMIN_USER --role_id $MEMBER_ROLE --tenant_id $ADMIN_TENANT


# Services
# --------
#
# Each service gets a catalog entry plus one endpoint with public, admin and
# internal URLs. The literal "$(tenant_id)s" in the Nova, Volume and Swift
# URLs is a Keystone template that is filled in with the caller's tenant id
# when the catalog is returned; the backslash stops the shell from treating
# it as a command substitution.

# Keystone
KEYSTONE_SERVICE=$(get_id keystone service-create \
    --name=keystone \
    --type=identity \
    --description="Keystone Identity Service")
keystone endpoint-create \
    --region RegionOne \
    --service_id $KEYSTONE_SERVICE \
    --publicurl "http://$SERVICE_HOST:5000/v2.0" \
    --adminurl "http://$SERVICE_HOST:35357/v2.0" \
    --internalurl "http://$SERVICE_HOST:5000/v2.0"

# Nova
NOVA_SERVICE=$(get_id keystone service-create \
    --name=nova \
    --type=compute \
    --description="Nova Compute Service")
keystone endpoint-create \
    --region RegionOne \
    --service_id $NOVA_SERVICE \
    --publicurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s" \
    --adminurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s" \
    --internalurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s"

# Nova needs the ResellerAdmin role to download images when accessing
# swift through the s3 api. The admin role in swift allows a user
# to act as an admin for their tenant, but ResellerAdmin is needed
# for a user to act as any tenant. The name of this role is also
# configurable in swift-proxy.conf
#RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
#keystone user-role-add \
#    --tenant_id $SERVICE_TENANT \
#    --user_id $NOVA_USER \
#    --role_id $RESELLER_ROLE

# Volume
VOLUME_SERVICE=$(get_id keystone service-create \
    --name=volume \
    --type=volume \
    --description="Volume Service")
keystone endpoint-create \
    --region RegionOne \
    --service_id $VOLUME_SERVICE \
    --publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
    --adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
    --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"

# Glance
GLANCE_SERVICE=$(get_id keystone service-create \
    --name=glance \
    --type=image \
    --description="Glance Image Service")
keystone endpoint-create \
    --region RegionOne \
    --service_id $GLANCE_SERVICE \
    --publicurl "http://$SERVICE_HOST:9292/v1" \
    --adminurl "http://$SERVICE_HOST:9292/v1" \
    --internalurl "http://$SERVICE_HOST:9292/v1"

# Swift
SWIFT_SERVICE=$(get_id keystone service-create \
    --name=swift \
    --type="object-store" \
    --description="Swift Service")
keystone endpoint-create \
    --region RegionOne \
    --service_id $SWIFT_SERVICE \
    --publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
    --adminurl "http://$SERVICE_HOST:8080/v1" \
    --internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"

# EC2
EC2_SERVICE=$(get_id keystone service-create \
    --name=ec2 \
    --type=ec2 \
    --description="EC2 Compatibility Layer")
keystone endpoint-create \
    --region RegionOne \
    --service_id $EC2_SERVICE \
    --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
    --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
    --internalurl "http://$SERVICE_HOST:8773/services/Cloud"

Finally, verify that Keystone was set up correctly by listing what was created:

keystone tenant-list
keystone user-list
keystone role-list
keystone service-list
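Those four listings run with the admin token, so they prove the data is there but not that anyone can log in. As an added example (not from the original post), the following check authenticates to the public port 5000 with a username, password and tenant, which is what Nova, Glance and Horizon will do, and confirms that the service catalog in the reply carries the endpoint types the script registered. SAMPLE_RESPONSE is a constructed reply in the shape of a v2.0 /tokens response so the parsing can be exercised offline; the URL and the admin password in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: password authentication and a
# catalog check against Keystone's v2.0 API. SAMPLE_RESPONSE is constructed.

# auth_body USER PASSWORD TENANT: JSON body for POST /v2.0/tokens.
auth_body() {
    printf '{"auth": {"tenantName": "%s", "passwordCredentials": {"username": "%s", "password": "%s"}}}' \
        "$3" "$1" "$2"
}

# get_token_v2 AUTH_URL USER PASSWORD TENANT: perform the request against a
# live Keystone (needs the network, so it is only referenced from the usage).
get_token_v2() {
    curl -s -H 'Content-Type: application/json' -d "$(auth_body "$2" "$3" "$4")" "$1/tokens"
}

# auth_ok: read a reply on stdin; true only for a token reply, not an error.
auth_ok() {
    resp=$(cat)
    if printf '%s' "$resp" | grep -q '"error"'; then return 1; fi
    printf '%s' "$resp" | grep -q '"token"' && printf '%s' "$resp" | grep -q '"serviceCatalog"'
}

# catalog_types: print the distinct "type" values found in a reply on stdin.
catalog_types() {
    grep -o '"type": *"[^"]*"' | sed 's/^"type": *"//; s/"$//' | sort -u
}

# check_catalog TYPE...: read a reply on stdin and report every expected
# endpoint type that is missing; exit status 1 if any is missing.
check_catalog() {
    types=$(catalog_types)
    rc=0
    for t in "$@"; do
        printf '%s\n' "$types" | grep -qx "$t" || { echo "missing endpoint type: $t" >&2; rc=1; }
    done
    return $rc
}

# Constructed reply in the shape of a Keystone v2.0 token response.
SAMPLE_RESPONSE='{"access": {"token": {"expires": "2012-06-01T00:00:00Z", "id": "0123456789abcdef0123456789abcdef", "tenant": {"id": "a2b3", "name": "admin"}}, "serviceCatalog": [{"type": "identity", "name": "keystone", "endpoints": [{"publicURL": "http://192.168.3.1:5000/v2.0", "region": "RegionOne"}]}, {"type": "compute", "name": "nova", "endpoints": [{"publicURL": "http://192.168.3.1:8774/v2/a2b3", "region": "RegionOne"}]}, {"type": "image", "name": "glance", "endpoints": [{"publicURL": "http://192.168.3.1:9292/v1", "region": "RegionOne"}]}], "user": {"name": "admin", "roles": [{"name": "admin"}]}}}'

# Usage against a live Keystone (URL and password are placeholders):
#   get_token_v2 http://192.168.3.1:5000/v2.0 admin admin admin > /tmp/token.json
#   auth_ok < /tmp/token.json || echo "password auth failed"
#   check_catalog identity compute volume image object-store ec2 < /tmp/token.json
```

A reply that fails auth_ok usually means the admin user, its password or its tenant membership is wrong; a reply that passes auth_ok but fails check_catalog points at the service-create and endpoint-create section of the script, and the missing type names tell you which block to re-run.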


That concludes the walkthrough of deploying Keystone.









