Keystone v2.0 and v3 config


Reference URL:

http://docs.openstack.org/liberty/install-guide-ubuntu/keystone-openrc.html

 

I. Environment preparation

[NOTE]

    (1) Everything in this post was installed and deployed on CentOS 7.2; every node has two network interfaces.

    (2) In keystone v2.0 the version value used in the configuration is 2.0.

    (3) In keystone v3 the version value used in the configuration is v3, not v3.0.

 

1. Virtual machine node configuration

Network topology and host naming:

eth0: management network

eth1: data/tunnel network

Controller node: eth0: 192.168.0.51/24, eth1: 192.168.242.140/24

Compute node: eth0: 192.168.0.71/24, eth1: 192.168.242.142/24, mtu: 1600

$ vim /etc/hosts

# controller
192.168.0.51   controller
# compute 1
192.168.0.71   compute1

 

2. Virtual machine network interface configuration

Use the traditional network interface naming scheme.

[NOTE] On CentOS 7.2 the user has to create the interface configuration files for eth1, eth2, ... in the interface configuration directory by hand.

Edit /etc/default/grub with vim, add net.ifnames=0 biosdevname=0 to the kernel command line, then regenerate the GRUB configuration:

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

II. Pre-installation configuration for keystone

1. Install and configure memcached

Physical hosts now have ample memory, so every controller node can host a memcached service; it is recommended to deploy memcached on every nova-api node.

# yum install memcached
# systemctl start memcached
# systemctl enable memcached

2. Install the openstack utilities package

# yum install openstack-utils

 

III. Configure keystone v2.0

1. Generate the service and database passwords

(1) Generate a random password for every service and database and record them, e.g. KEYSTONE_ADMIN_PASSWORD, KEYSTONE_DB_PASSWORD, for use in the later steps.

(2) Generate each random password by running openssl rand -hex 10.

Password name                 Password
MYSQL_ROOT_PASS               mysql
MYSQL_KEYSTONE_DBPASS         keystone_db
MYSQL_GLANCE_DBPASS           glance_db
MYSQL_NOVA_DBPASS             nova_db
MYSQL_NEUTRON_DBPASS          neutron_db
KEYSTONE_GLANCE_PASS          key_glance
KEYSTONE_NOVA_PASSWORD        key_nova
KEYSTONE_NEUTRON_PASSWORD     key_neutron
OPENSTACK/RABBIT_PASSWORD     rabbit
ADMIN_TOKEN                   791eb78bed6ff585d194

 

2. Create the database and user

(1) Log in to the database node and run the following commands (replace KEYSTONE_DBPASS with the password actually in use):

# mysql -u root -pmysql
> CREATE DATABASE keystone;
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone_db';
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_db';

 

3. Install the keystone and memcached packages with yum

# yum install openstack-keystone httpd mod_wsgi python-openstackclient
# yum install memcached python-memcached

 

4. Configure keystone.conf

(1) Generate the ADMIN_TOKEN

# openssl rand -hex 10
791eb78bed6ff585d194

(2) Edit /etc/keystone/keystone.conf

# cat /etc/keystone/keystone.conf | grep -vE "^$|^#"
[DEFAULT]
# the admin_token generated above
admin_token = 791eb78bed6ff585d194
debug = false
verbose = true

[database]
# database user name and password
connection = mysql://keystone:keystone_db@vip_mysql/keystone

[eventlet_server]
# the local IP of each node
public_bind_host = 192.168.0.51
admin_bind_host = 192.168.0.51

[memcache]
# memcache server address
servers = 192.168.0.51:11211

[token]
driver = keystone.token.persistence.backends.memcache.Token
provider = keystone.token.providers.uuid.Provider

[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke

 

5. Initialise the keystone database

# su -s /bin/sh -c "keystone-manage db_sync" keystone

 

6. Configure httpd to run keystone

6.1 Edit httpd.conf

(1) Edit /etc/httpd/conf/httpd.conf

vim /etc/httpd/conf/httpd.conf

# the IP address of this node
ServerName 192.168.0.51
Listen 192.168.0.51:80

 

6.2 Edit wsgi-keystone.conf

(1) Edit /etc/httpd/conf.d/wsgi-keystone.conf

vim /etc/httpd/conf.d/wsgi-keystone.conf

# the IP address of this node
Listen 192.168.0.51:5000
Listen 192.168.0.51:35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=32 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=32 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

 

6.3 Install the WSGI components

# mkdir -p /var/www/cgi-bin/keystone

(1) Edit the main file

# vim /var/www/cgi-bin/keystone/main

import os
from keystone.server import wsgi as wsgi_server

# The script's own file name (main or admin) selects which keystone application is loaded.
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)

(2) Copy the main file

# cp /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*

6.4 Start httpd

# systemctl enable httpd.service
# systemctl start httpd.service

 

7. Register the keystone service endpoint

export OS_TOKEN=791eb78bed6ff585d194
export OS_URL=http://vip_keystone:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --publicurl http://vip_keystone:5000/v2.0 \
  --internalurl http://vip_keystone:5000/v2.0 \
  --adminurl http://vip_keystone:35357/v2.0 \
  --region RegionOne identity
openstack project create --description "Admin Project" admin
openstack user create admin --password 456   ## password 456
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --description "Service Project" service
openstack role create user

 

8. Create admin-openrc.sh

Create the admin-openrc.sh file with the following content:

#!/bin/sh
export LC_ALL=C
export OS_NO_CACHE='true'
export OS_TENANT_NAME='admin'
export OS_PROJECT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='456'   ## keystone admin password
export OS_AUTH_URL='http://vip_keystone:5000/v2.0/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export CINDER_ENDPOINT_TYPE='internalURL'
export GLANCE_ENDPOINT_TYPE='internalURL'
export KEYSTONE_ENDPOINT_TYPE='internalURL'
export NOVA_ENDPOINT_TYPE='internalURL'
export NEUTRON_ENDPOINT_TYPE='internalURL'
export OS_ENDPOINT_TYPE='internalURL'
export OS_VOLUME_API_VERSION=2

 

IV. Configure keystone v3

[NOTE] keystone only needs to be installed on the controller node.

1. Create the keystone database

# mysql -u root
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
MariaDB [(none)]> SELECT User, Host, Password FROM mysql.user WHERE User LIKE 'keystone%';
MariaDB [(none)]> exit

2. Install the keystone and memcached packages with yum

# yum install openstack-keystone httpd mod_wsgi

The keystone authentication service uses memcached to cache tokens:

# yum install memcached python-memcached

3. Configure keystone.conf

# vim /etc/keystone/keystone.conf

[DEFAULT]
# generated with the openssl rand -hex 10 command
admin_token = e980b6fd08747f7b600a

[database]
connection = mysql+pymysql://keystone:keystone@vip_mysql/keystone

[token]
provider = fernet

4. Synchronise the keystone database

## 4) Populate the keystone database
# su -s /bin/sh -c "keystone-manage db_sync" keystone

## 5) Initialise the fernet keys
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

5. Configure the keystone (httpd) service

5.1 Edit httpd.conf

(1) Edit /etc/httpd/conf/httpd.conf

ServerName controller

5.2 Edit wsgi-keystone.conf

(2) Edit /etc/httpd/conf.d/wsgi-keystone.conf (a new file)

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

5.3 Install openstack-dashboard

(3) Install the openstack dashboard

# yum install openstack-dashboard

5.4 Edit local_settings

(4) Edit /etc/openstack-dashboard/local_settings and add the following settings:

OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*', ]

SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'controller:11211',
    }
}

OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 2,
}

OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
    ...
    'enable_router': True,
    'enable_quotas': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False,
}

TIME_ZONE = "TIME_ZONE"

5.5 Start the http service

(5) Start the httpd and memcached services

systemctl enable httpd.service
systemctl start httpd.service
systemctl enable memcached.service
systemctl start memcached.service

 

6. Create the service and endpoints

## set the authentication environment variables
## type these into the shell ##
export OS_TOKEN=e980b6fd08747f7b600a
export OS_URL=http://vip_keystone:35357/v3   #### note: v3 here, not v3.0
export OS_IDENTITY_API_VERSION=3

## 2) create the service entity
openstack service create --name keystone --description "OpenStack Identity" identity
openstack service list

## 3) create the three kinds of API endpoint: admin, internal, public; the CLI syntax differs from keystone v2.0
openstack endpoint create --region RegionOne identity public http://vip_keystone:5000/v3
openstack endpoint create --region RegionOne identity internal http://vip_keystone:5000/v3
openstack endpoint create --region RegionOne identity admin http://vip_keystone:35357/v3
openstack endpoint list

7. Create the domain, projects, users and roles

(1) openstack domain list     ## domains
(2) openstack project list    ## projects (tenants)
(3) openstack user list       ## users
(4) openstack role list       ## roles

## 1) create the default domain
openstack domain create --description "Default Domain" default

## 1. create admin project
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin   ## set the password to 456
openstack role create admin
openstack role add --project admin --user admin admin

## 2. create service project
openstack project create --domain default --description "Service Project" service

## 3. create demo project
openstack project create --domain default --description "Demo Project" demo
# create demo user
openstack user create --domain default --password-prompt demo   # enter the new password 456 when prompted
# create _member_ role
openstack role create _member_
# add _member_ to the demo project and user
openstack role add --project demo --user demo _member_

 

8. admin-openrc.sh environment variables

## create admin-openrc.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=456
export OS_AUTH_URL=http://vip_keystone:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

# run admin-openrc.sh
source admin-openrc.sh

 

V. Change keystone v3 to v2.0

1. Configure local_settings

(1) vim /etc/openstack-dashboard/local_settings

## jimmy add : change identity 3 to 2.0, attention version is 3 not 3.0
OPENSTACK_API_VERSIONS = {
    "identity": 2.0,
    "volume": 2,
    "compute": 2,
}

## jimmy add : change identity 3 to 2.0, attention version is 3 not 3.0
OPENSTACK_HOST = "192.168.0.51"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

## jimmy add : change identity 3 to 2.0, with 2.0, no var with domain
## need comment it for keystone v2.0
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
# OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

2. Restart httpd

# systemctl restart httpd.service
# systemctl status httpd.service

tail -f /var/log/messages
tail -f /var/log/httpd/keystone-access.log

 

3. Re-register the keystone endpoint

(1) Delete the keystone-related rows from the keystone database

mysql -u keystone -pkeystone keystone

truncate table endpoint;
truncate table project;
truncate table role;
truncate table local_user;   #### rows can be told apart by domain_id
truncate table user;

 

 

(2) Re-register the service and endpoint with the bootstrap token, using the same commands as in Part III step 7:

export OS_TOKEN=e980b6fd08747f7b600a
export OS_URL=http://vip_keystone:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --publicurl http://vip_keystone:5000/v2.0 \
  --internalurl http://vip_keystone:5000/v2.0 \
  --adminurl http://vip_keystone:35357/v2.0 \
  --region RegionOne identity
openstack project create --description "Admin Project" admin
openstack user create admin --password 456
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --description "Service Project" service
openstack role create user

 

4. Update admin-openrc.sh

#!/bin/sh
export LC_ALL=C
export OS_NO_CACHE='true'
export OS_TENANT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='456'   ## keystone admin password
export OS_AUTH_URL='http://vip_keystone:5000/v2.0/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export OS_VOLUME_API_VERSION=2
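The version rules this post keeps repeating (v3 rather than v3.0, the identity API version matching the URL suffix, domain settings only with v3) can be checked mechanically before restarting httpd. The lint below is an added example, not the post's own code; it covers the admin-openrc.sh of Part IV step 8 / Part V step 4 and the local_settings edits of Part IV step 5.4 / Part V step 1, and the file names and sample contents are constructed for the demo.

```shell
# Added lint (not the post's own code) for the two files the post edits when
# switching between keystone v3 and v2.0. It checks the rules the post stresses:
# the auth URL ends in /v2.0 or /v3 (never /v3.0), the identity API version
# matches that suffix, and domain/multidomain settings are used only with v3.

# Print the identity version implied by a keystone URL: 2.0, 3, or nothing.
url_version() {
  case "${1%/}" in */v2.0) echo 2.0 ;; */v3) echo 3 ;; esac
}

# Lint an openrc file (Part IV step 8, Part V step 4). Returns 0 if consistent.
check_openrc() {
  url=$(sed -n "s/^export OS_AUTH_URL=['\"]*\([^'\" ]*\).*/\1/p" "$1")
  api=$(sed -n 's/^export OS_IDENTITY_API_VERSION=\([0-9.]*\).*/\1/p' "$1")
  ver=$(url_version "$url")
  case "$ver" in
    3)   [ "$api" = 3 ] || { echo "$1: v3 URL needs OS_IDENTITY_API_VERSION=3"; return 1; }
         grep -q '^export OS_USER_DOMAIN_NAME=' "$1" || { echo "$1: v3 needs OS_USER_DOMAIN_NAME"; return 1; } ;;
    2.0) [ -z "$api" ] || [ "$api" = 2.0 ] || { echo "$1: v2.0 URL but OS_IDENTITY_API_VERSION=$api"; return 1; }
         if grep -q '^export OS_[A-Z_]*DOMAIN_NAME=' "$1"; then echo "$1: v2.0 must not set domain names"; return 1; fi ;;
    *)   echo "$1: OS_AUTH_URL must end in /v2.0 or /v3 (not /v3.0), got '$url'"; return 1 ;;
  esac
  echo "$1: ok (identity v$ver)"
}

# Lint a Horizon local_settings fragment (Part IV step 5.4, Part V step 1).
check_local_settings() {
  api=$(sed -n 's/^[[:space:]]*"identity":[[:space:]]*\([0-9.]*\).*/\1/p' "$1")
  url=$(sed -n 's/^OPENSTACK_KEYSTONE_URL *= *"\([^"]*\)".*/\1/p' "$1")
  multi=$(sed -n 's/^OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT *= *\([A-Za-z]*\).*/\1/p' "$1")
  ver=$(url_version "$url")
  [ -n "$ver" ] || { echo "$1: OPENSTACK_KEYSTONE_URL must end in /v2.0 or /v3, got '$url'"; return 1; }
  [ "$api" = "$ver" ] || { echo "$1: \"identity\": $api does not match URL /v$ver"; return 1; }
  case "$multi" in True|False|'') ;; *) echo "$1: MULTIDOMAIN_SUPPORT must be True or False, got '$multi'"; return 1 ;; esac
  [ "$ver" = 3 ] || [ "$multi" != True ] || { echo "$1: MULTIDOMAIN_SUPPORT=True needs identity v3"; return 1; }
  echo "$1: ok (identity v$ver)"
}

# Constructed samples: a correct v3 openrc, and a v2.0 local_settings in which
# "identity" was left at 3, the slip Part V step 1 warns about.
d=$(mktemp -d)
printf '%s\n' 'export OS_PROJECT_DOMAIN_NAME=default' 'export OS_USER_DOMAIN_NAME=default' \
  'export OS_AUTH_URL=http://vip_keystone:35357/v3' 'export OS_IDENTITY_API_VERSION=3' > "$d/openrc_v3"
printf '%s\n' 'OPENSTACK_API_VERSIONS = {' '    "identity": 3,' '}' \
  'OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST' \
  'OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False' > "$d/local_settings_v2"
check_openrc "$d/openrc_v3"                          # ok (identity v3)
check_local_settings "$d/local_settings_v2" || true  # reports the mismatch
```

The typo check on OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT also catches a misspelled boolean such as "flase", which Django would reject at startup rather than treat as False.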

 

5. Update neutron.conf

################################################################################
## neutron api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = neutron
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
identity_uri = http://192.168.0.51:5000
project_name = service
password = 456
project_domain_id = default

# openstack user create neutron --password 456
# openstack role add --project service --user neutron admin

# systemctl restart neutron-server

 

6. Update nova.conf

################################################################################
## nova api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = nova
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
project_name = service
password = 456
project_domain_id = default

# openstack user create nova --password 456
# openstack role add --project service --user nova admin
## the service endpoints do not need to be re-registered for now

# systemctl restart openstack-nova-api.service \
    openstack-nova-consoleauth.service \
    openstack-nova-scheduler.service \
    openstack-nova-conductor.service \
    openstack-nova-novncproxy.service

 

7. Update glance.conf

################################################################################
## glance api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = glance
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
project_name = service
password = 456
project_domain_id = default

# openstack user create glance --password 456
# openstack role add --project service --user glance admin

openstack image list

8. Update the designate.conf file

openstack user create designate --password 456
openstack role add --project service --user designate admin

## clear the designate database
truncate table records;
truncate table recordsets;
truncate table zones;

## designate is tightly bound to the tenant: once the user is re-created in keystone, the zone resources have to be re-created as well
openstack zone create --email [email protected].
openstack zone list
openstack recordset list example.org.

VI. Change keystone v2.0 to v3

To be updated.

