Keystone v2.0 or v3 config
Reference URL:
http://docs.openstack.org/liberty/install-guide-ubuntu/keystone-openrc.html
I. Environment preparation
[NOTE]
(1) Everything in this document was installed on CentOS 7.2; every node has two NICs.
(2) For keystone v2.0 the version value written into the configuration is 2.0.
(3) For keystone v3 the version value is v3, not v3.0.
1. VM node configuration
Network topology and host naming:
eth0: management network
eth1: data/tunnel network
Controller node: eth0: 192.168.0.51/24, eth1: 192.168.242.140/24
Compute node: eth0: 192.168.0.71/24, eth1: 192.168.242.142/24, mtu: 1600
$ vim /etc/hosts
# controller
192.168.0.51 controller
# compute 1
192.168.0.71 compute1
2. VM NIC configuration
Use the traditional (ethN) interface naming.
[NOTE] On CentOS 7.2 you have to create the ifcfg files for eth1, eth2, ... yourself in the network-scripts directory.
Edit /etc/default/grub, add net.ifnames=0 biosdevname=0 to GRUB_CMDLINE_LINUX, then regenerate the GRUB configuration:
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
II. Pre-installation configuration for keystone
1. Install and configure memcached
Physical hosts now have plenty of memory, so every controller node can run memcached; it is recommended to deploy memcached on every nova-api node as well.
# yum install memcached
# systemctl start memcached
# systemctl enable memcached
memcached has no authentication of its own and, unless told otherwise, listens on every interface. Since keystone will store or cache tokens in it, bind it to the management address (OPTIONS="-l 192.168.0.51" in /etc/sysconfig/memcached) and firewall port 11211 so that only the controller nodes can reach it.
2. Install the OpenStack utilities package
# yum install openstack-utils
III. Configuring keystone v2.0
1. Generate the service and database passwords
(1) Generate a separate random password for every service account and every database, and record each one under a name such as KEYSTONE_ADMIN_PASSWORD or KEYSTONE_DB_PASSWORD so the later steps can refer to it.
(2) Generate each value with `openssl rand -hex 10`.
The table below lists the values used in the rest of this document. Apart from ADMIN_TOKEN they are short dictionary words rather than generated secrets, kept only so the later commands are easy to read; on a real deployment every one of them must be replaced by a generated value, and each service account and database gets its own.

Password name             | Password
--------------------------|----------------------
MYSQL_ROOT_PASS           | mysql
MYSQL_KEYSTONE_DBPASS     | keystone_db
MYSQL_GLANCE_DBPASS       | glance_db
MYSQL_NOVA_DBPASS         | nova_db
MYSQL_NEUTRON_DBPASS      | neutron_db
KEYSTONE_GLANCE_PASS      | key_glance
KEYSTONE_NOVA_PASSWORD    | key_nova
KEYSTONE_NEUTRON_PASSWORD | key_neutron
OPENSTACK/RABBIT_PASSWORD | rabbit
ADMIN_TOKEN               | 791eb78bed6ff585d194
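Steps (1) and (2) as a script, added here as an example and not taken from the original page: it generates one 20-hex-character secret per name in the table (read from /dev/urandom, so it runs without openssl, with the same shape as `openssl rand -hex 10`), writes them to a file only its owner can read, and renders the GRANT statements of the next step from the generated value so that the database root password is typed at a prompt instead of being put on the command line. The output path /root/openstack-secrets.env and the variable name RABBIT_PASSWORD for the OPENSTACK/RABBIT_PASSWORD entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: one generated secret per entry in
# the password table, kept in a root-only file and used to render the GRANTs
# of step 2 instead of the placeholder values "mysql", "keystone_db", ...
set -e

# Names from the table (MYSQL_ROOT _PASS spelled as one word; OPENSTACK/RABBIT_PASSWORD
# shortened to RABBIT_PASSWORD so it is a valid shell variable name: assumption).
SECRET_NAMES="MYSQL_ROOT_PASS MYSQL_KEYSTONE_DBPASS MYSQL_GLANCE_DBPASS MYSQL_NOVA_DBPASS
MYSQL_NEUTRON_DBPASS KEYSTONE_GLANCE_PASS KEYSTONE_NOVA_PASSWORD KEYSTONE_NEUTRON_PASSWORD
RABBIT_PASSWORD ADMIN_TOKEN"

# gen_secret: 20 hex characters (80 bits), the same shape as `openssl rand -hex 10`,
# read from /dev/urandom so the script does not depend on openssl being installed.
gen_secret() {
    dd if=/dev/urandom bs=10 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# is_hex_secret VALUE: succeed only for exactly 20 lowercase hex characters,
# i.e. reject every placeholder from the table.
is_hex_secret() {
    case $1 in
        ????????????????????) ;;      # exactly 20 characters
        *) return 1 ;;
    esac
    case $1 in
        *[!0-9a-f]*) return 1 ;;     # anything that is not a hex digit
    esac
    return 0
}

# write_secrets FILE: NAME=value per line; umask 077 inside a subshell so the
# file is created 0600 without changing the caller's umask.
write_secrets() {
    (
        umask 077
        : > "$1"
        for name in $SECRET_NAMES; do
            printf '%s=%s\n' "$name" "$(gen_secret)" >> "$1"
        done
    )
}

# count_secrets FILE: number of NAME=<hex> lines in FILE
count_secrets() {
    grep -c '^[A-Z_]*=[0-9a-f]*$' "$1"
}

# keystone_db_grants PASSWORD: the statements of step 2 with the generated
# MYSQL_KEYSTONE_DBPASS substituted; pipe them into `mysql -u root -p` so the
# root password is typed at the prompt rather than passed as -pmysql.
keystone_db_grants() {
    printf "CREATE DATABASE IF NOT EXISTS keystone;\n"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '%s';\n" "$1"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%%' IDENTIFIED BY '%s';\n" "$1"
}

# Usage on the controller (path assumed):
#   write_secrets /root/openstack-secrets.env
#   . /root/openstack-secrets.env
#   keystone_db_grants "$MYSQL_KEYSTONE_DBPASS" | mysql -u root -p
```

Sourcing the file exports nothing, so the secrets stay out of the environment of child processes; the later sections can refer to "$MYSQL_KEYSTONE_DBPASS" and friends in the same shell.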
2. Create the database and user
(1) Log in to the database node and run the following (replace keystone_db with the value chosen for MYSQL_KEYSTONE_DBPASS):
# mysql -u root -pmysql
> CREATE DATABASE keystone;
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone_db';
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_db';
A password given as -pmysql shows up in the process list and in the shell history; use `mysql -u root -p` and type it at the prompt. The 'keystone'@'%' grant lets the keystone user connect from any host; if the database only ever serves the controller, grant to the controller's management address instead.
3. Install the keystone and memcache packages
# yum install openstack-keystone httpd mod_wsgi python-openstackclient
# yum install memcached python-memcached
4. Configure keystone.conf
(1) Generate ADMIN_TOKEN
# openssl rand -hex 10
791eb78bed6ff585d194
(2) Edit /etc/keystone/keystone.conf. The listing below shows only the active lines; the "# ..." notes after the values are annotations for this document and must not be copied into the file, because oslo.config has no inline comments and would take everything after "=" as the value.
# grep -vE "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 791eb78bed6ff585d194    # the admin_token generated above
debug = false
verbose = true
[database]
connection = mysql://keystone:keystone_db@vip_mysql/keystone    # database user name and password
[eventlet_server]
public_bind_host = 192.168.0.51    # this node's own IP
admin_bind_host = 192.168.0.51    # this node's own IP
[memcache]
servers = 192.168.0.51:11211    # memcache server address
[token]
driver = keystone.token.persistence.backends.memcache.Token
provider = keystone.token.providers.uuid.Provider
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
Two things to keep in mind with this file. admin_token is a bootstrap credential: any request carrying it is treated as an administrator with no policy check, so keep keystone.conf readable only by root and the keystone group, and once the admin user of step 7 exists remove admin_token and take admin_token_auth out of the pipelines in /etc/keystone/keystone-paste.ini, as the Liberty install guide does. With the uuid provider and the memcache persistence driver every issued token is stored in memcached, which has no authentication, so port 11211 must only be reachable from the controller nodes.
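The settings above are what a fresh bootstrap needs, not what a production keystone should keep. The following added example (not part of the original page and not keystone's own tooling) reads a keystone.conf section by section with awk and flags the three things worth checking before going live: a still-present admin_token, debug = true, and the uuid token provider whose tokens sit in the unauthenticated memcache until they expire. The two sample configurations are constructed inline, the first from this section and the second from the fernet setup of section IV. Trailing "# ..." annotations are stripped by the reader, which keystone itself would not do, so keep them out of the real file.

```shell
#!/bin/sh
# Added example, not from the original page and not keystone tooling: flag the
# bootstrap-only settings of this keystone.conf before the node goes live.
set -e

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (empty if absent).
# Comment lines are skipped and a trailing "# ..." annotation like the ones in
# this page is dropped, which oslo.config itself would NOT do.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            in_sect = ($0 ~ ("^[[:space:]]*\\[" sect "\\][[:space:]]*$")); next
        }
        in_sect && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/[[:space:]]*#.*$/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_keystone_conf FILE: one finding per line on stdout, nothing when clean
audit_keystone_conf() {
    f=$1
    tok=$(ini_get "$f" DEFAULT admin_token)
    [ -n "$tok" ] && echo "admin_token is set: any request carrying it is an administrator with no policy check; remove it (and admin_token_auth from keystone-paste.ini) once the admin user exists"
    [ "$(ini_get "$f" DEFAULT debug | tr 'A-Z' 'a-z')" = "true" ] && echo "debug = true: verbose request logging, keep it off in production"
    prov=$(ini_get "$f" token provider)
    case $prov in
        *uuid*) echo "token provider $prov: every issued token persists in the memcache/SQL backend until expiry, so that backend must be unreachable from outside the controllers; section IV uses fernet instead" ;;
    esac
    return 0
}

# finding_count: number of findings for the keystone.conf read from stdin
finding_count() {
    tmp=$(mktemp)
    cat > "$tmp"
    n=$(audit_keystone_conf "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}

# Constructed sample: the v2.0 file from this section (an annotation is kept
# on purpose to show that ini_get strips it).
sample_v2_conf() {
    cat <<'EOF'
[DEFAULT]
admin_token = 791eb78bed6ff585d194    # the admin_token generated above
debug = false
verbose = true
[database]
connection = mysql://keystone:keystone_db@vip_mysql/keystone
[memcache]
servers = 192.168.0.51:11211
[token]
driver = keystone.token.persistence.backends.memcache.Token
provider = keystone.token.providers.uuid.Provider
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
EOF
}

# Constructed sample: the same file after bootstrap, on the section IV settings.
sample_hardened_conf() {
    cat <<'EOF'
[DEFAULT]
debug = false
[database]
connection = mysql+pymysql://keystone:keystone_db@vip_mysql/keystone
[token]
provider = fernet
EOF
}

# Usage on a node:  audit_keystone_conf /etc/keystone/keystone.conf
```

The database URL still carries the keystone DB password in clear text; that is unavoidable with this driver, which is why the file mode matters more than the check.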
5. Initialize the keystone database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
6. Serve keystone through httpd
6.1 Edit httpd.conf
(1) Edit /etc/httpd/conf/httpd.conf
vim /etc/httpd/conf/httpd.conf
ServerName 192.168.0.51
Listen 192.168.0.51:80
(192.168.0.51 is this node's own IP address in both lines.)
6.2 Edit wsgi-keystone.conf
(1) Edit /etc/httpd/conf.d/wsgi-keystone.conf
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 192.168.0.51:5000
Listen 192.168.0.51:35357
(again this node's own IP address)
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=32 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=32 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
6.3 Install the WSGI components
# mkdir -p /var/www/cgi-bin/keystone
(1) Create the main file
# vim /var/www/cgi-bin/keystone/main
import os
from keystone.server import wsgi as wsgi_server
# the file name ("main" or "admin") selects which keystone application is served
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)
(2) Copy main to admin
# cp /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*
6.4 Start httpd
# systemctl enable httpd.service
# systemctl start httpd.service
7. Register the keystone service and endpoint
export OS_TOKEN=791eb78bed6ff585d194
export OS_URL=http://vip_keystone:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --publicurl http://vip_keystone:5000/v2.0 \
--internalurl http://vip_keystone:5000/v2.0 \
--adminurl http://vip_keystone:35357/v2.0 \
--region RegionOne identity
openstack project create --description "Admin Project" admin
openstack user create admin --password 456    ## password 456; --password-prompt keeps it out of the shell history and the process list
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --description "Service Project" service
openstack role create user
8. Create admin-openrc.sh
Create admin-openrc.sh with the following content. It holds the admin password in clear text, so keep it mode 600 and source it rather than executing it:
#!/bin/sh
export LC_ALL=C
export OS_NO_CACHE='true'
export OS_TENANT_NAME='admin'
export OS_PROJECT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='456'    ## keystone admin password
export OS_AUTH_URL='http://vip_keystone:5000/v2.0/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export CINDER_ENDPOINT_TYPE='internalURL'
export GLANCE_ENDPOINT_TYPE='internalURL'
export KEYSTONE_ENDPOINT_TYPE='internalURL'
export NOVA_ENDPOINT_TYPE='internalURL'
export NEUTRON_ENDPOINT_TYPE='internalURL'
export OS_ENDPOINT_TYPE='internalURL'
export OS_VOLUME_API_VERSION=2
IV. Configuring keystone v3
[NOTE] keystone only needs to be installed on the controller node.
1. Create the keystone database
# mysql -u root
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
MariaDB [(none)]> SELECT User, Host, Password FROM mysql.user WHERE User LIKE 'keystone%';
MariaDB [(none)]> exit
2. Install the keystone and memcache packages
# yum install openstack-keystone httpd mod_wsgi
The keystone authentication service uses memcached to cache tokens:
# yum install memcached python-memcached
3. Configure keystone.conf
# vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = e980b6fd08747f7b600a    ## generated with openssl rand -hex 10 (annotation only; do not put it in the file)
[database]
connection = mysql+pymysql://keystone:keystone@vip_mysql/keystone
[token]
provider = fernet
4. Synchronize the keystone database
## Populate the keystone database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
## Initialize the fernet keys
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
The keys are written to /etc/keystone/fernet-keys/, owned by keystone and readable by nobody else. Whoever can read them can mint valid tokens for any user, so treat that directory like a private key, and every keystone node must hold the same key set.
5. Configure the keystone (httpd) service
5.1 Edit httpd.conf
(1) Edit /etc/httpd/conf/httpd.conf and set ServerName to the controller:
ServerName controller
5.2 Edit wsgi-keystone.conf
(2) Create /etc/httpd/conf.d/wsgi-keystone.conf (new file):
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
5.3 Install openstack-dashboard
(3) Install the OpenStack dashboard
# yum install openstack-dashboard
5.4 Edit local_settings
(4) Edit /etc/openstack-dashboard/local_settings and add the following settings:
OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*', ]
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'controller:11211',
    }
}
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 2,
}
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
    ...
    'enable_router': True,
    'enable_quotas': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False,
}
TIME_ZONE = "TIME_ZONE"
ALLOWED_HOSTS = ['*', ] switches off Django's Host header validation, which is what protects the links the dashboard generates from host-header poisoning; the install guide uses it so the first login works from anywhere, but for production list the controller's real hostnames and addresses. Replace the TIME_ZONE placeholder with a tz database name such as "UTC". The dashboard's sessions live in the same memcached as the keystone tokens, one more reason to keep port 11211 off any network but the management one.
5.5 Start the services
(5) Start httpd and memcached
systemctl enable httpd.service
systemctl start httpd.service
systemctl enable memcached.service
systemctl start memcached.service
6. Create the service and endpoints
## Set the authentication environment variables
## (typed at the command line)
export OS_TOKEN=e980b6fd08747f7b600a
export OS_URL=http://vip_keystone:35357/v3    #### note: v3, not v3.0
export OS_IDENTITY_API_VERSION=3
## 2) Create the service entity
openstack service create --name keystone --description "OpenStack Identity" identity
openstack service list
## 3) Create the three API endpoints, admin, internal and public; the CLI syntax differs from keystone v2.0
openstack endpoint create --region RegionOne identity public http://vip_keystone:5000/v3
openstack endpoint create --region RegionOne identity internal http://vip_keystone:5000/v3
openstack endpoint create --region RegionOne identity admin http://vip_keystone:35357/v3
openstack endpoint list
7. Create the domain, projects, users and roles
Commands to list what already exists:
(1) openstack domain list    ## domains
(2) openstack project list    ## projects (tenants)
(3) openstack user list    ## users
(4) openstack role list    ## roles
## 1) Create the default domain
openstack domain create --description "Default Domain" default
## 1. Create the admin project
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin    ## set the password to 456
openstack role create admin
openstack role add --project admin --user admin admin
## 2. Create the service project
openstack project create --domain default --description "Service Project" service
## 3. Create the demo project
openstack project create --domain default --description "Demo Project" demo
# Create the demo user
openstack user create --domain default --password-prompt demo    ## enter the new password, 456
# Create the _member_ role
openstack role create _member_
# Add _member_ to the demo project and user
openstack role add --project demo --user demo _member_
8. admin-openrc.sh environment variables
## Create admin-openrc.sh with the following content (it carries the admin password, so mode 600):
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=456
export OS_AUTH_URL=http://vip_keystone:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
## Load admin-openrc.sh
source admin-openrc.sh
V. Changing keystone from v3 to v2.0
1. Configure local_settings
(1) vim /etc/openstack-dashboard/local_settings
## jimmy add: change identity from 3 to 2.0; note that the v3 value is 3, not 3.0
OPENSTACK_API_VERSIONS = {
    "identity": 2.0,
    "volume": 2,
    "compute": 2,
}
## jimmy add: change identity from 3 to 2.0; note that the v3 value is 3, not 3.0
OPENSTACK_HOST = "192.168.0.51"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
## jimmy add: change identity from 3 to 2.0; with 2.0 there is no domain variable,
## so it has to be commented out for keystone v2.0
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
# OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
2. Restart httpd
# systemctl restart httpd.service
# systemctl status httpd.service
tail -f /var/log/messages
tail -f /var/log/httpd/keystone-access.log
3. Re-register the keystone endpoint
(1) Delete the keystone data from the keystone database. This wipes every endpoint, project, role and user, so take a dump first (e.g. with mysqldump) and make sure nothing else still depends on the v3 records.
mysql -u keystone -pkeystone
truncate table endpoint
truncate table project
truncate table role
truncate table local_user    #### can be separated by domain_id
truncate table user
(2) Set the bootstrap token variables and register the service, endpoint, projects, users and roles again (the same commands as section III.7):
export OS_TOKEN=e980b6fd08747f7b600a
export OS_URL=http://vip_keystone:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --publicurl http://vip_keystone:5000/v2.0 \
--internalurl http://vip_keystone:5000/v2.0 \
--adminurl http://vip_keystone:35357/v2.0 \
--region RegionOne identity
openstack project create --description "Admin Project" admin
openstack user create admin --password 456
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --description "Service Project" service
openstack role create user
4. Update admin-openrc.sh
#!/bin/sh
export LC_ALL=C
export OS_NO_CACHE='true'
export OS_TENANT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='456'    ## keystone admin password
export OS_AUTH_URL='http://vip_keystone:5000/v2.0/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export OS_VOLUME_API_VERSION=2
5. Update neutron.conf
The service accounts in this and the next two steps all get the admin user's password, 456. On a real deployment each service user gets its own generated password, and the configuration files that hold it must stay unreadable to anyone but root and the service's own user.
################################################################################
## neutron api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = neutron
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
identity_uri = http://192.168.0.51:5000
project_name = service
password = 456
project_domain_id = default
# openstack user create neutron --password 456
# openstack role add --project service --user neutron admin
# systemctl restart neutron-server
6. Update nova.conf
################################################################################
## nova api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = nova
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
project_name = service
password = 456
project_domain_id = default
# openstack user create nova --password 456
# openstack role add --project service --user nova admin
## the service and endpoint do not need to be re-registered for now
# systemctl restart openstack-nova-api.service openstack-nova-consoleauth.service \
    openstack-nova-scheduler.service openstack-nova-conductor.service \
    openstack-nova-novncproxy.service
7. Update glance.conf
################################################################################
## glance api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = glance
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
project_name = service
password = 456
project_domain_id = default
# openstack user create glance --password 456
# openstack role add --project service --user glance admin
Check that glance can authenticate again:
openstack image list
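The three [keystone_authtoken] blocks above differ only in the username, yet all three share the password 456, so compromising any one service account gives the other two as well. The following added example (not from the original page, and not openstack-config or crudini, which it replaces with an awk in-place setter so it also runs where openstack-utils is absent) writes the block from this section into each service's configuration with a freshly generated password per account and prints the matching `openstack user create` / `openstack role add` lines from the page. It sets auth_uri for all three; the neutron fragment's identity_uri is the endpoint for the deprecated admin_user/admin_password style and is ignored once auth_plugin = password is set. The glance path /etc/glance/glance-api.conf (the page only says glance.conf) and the sample nova.conf are assumptions constructed for the example; files are rewritten through a temporary copy so their owner and mode are preserved.

```shell
#!/bin/sh
# Added example, not from the original page: push the [keystone_authtoken]
# block of sections V.5-V.7 into each service config with its own generated
# password, using an awk in-place ini setter instead of openstack-config.
set -e

# ini_set FILE SECTION KEY VALUE: set KEY = VALUE inside [SECTION]. The first
# existing KEY line is replaced and later duplicates dropped, a missing key is
# appended at the end of the section, a missing section is appended to the file.
# The result is copied back over FILE so its owner and mode (e.g. 0640 root:nova)
# survive. VALUE goes through awk -v, so backslashes in it would be interpreted.
ini_set() {
    tmp=$(mktemp)
    awk -v sect="$2" -v key="$3" -v val="$4" '
        function emit() { print key " = " val; done_kv = 1 }
        /^[[:space:]]*\[/ {                      # section header
            if (in_sect && !done_kv) emit()      # leaving the target section: add the key first
            in_sect = ($0 ~ ("^[[:space:]]*\\[" sect "\\][[:space:]]*$"))
            if (in_sect) seen = 1
            print; next
        }
        in_sect && $0 !~ /^[[:space:]]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) { if (!done_kv) emit(); next }
        }
        { print }
        END {
            if (!seen) print "[" sect "]"
            if (!done_kv) emit()
        }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# configure_authtoken FILE SERVICE_USER PASSWORD CONTROLLER_IP: the values of
# the page's fragments, with auth_uri for all three services.
configure_authtoken() {
    f=$1 svc=$2 pw=$3 ctl=$4
    ini_set "$f" keystone_authtoken auth_uri "http://$ctl:5000"
    ini_set "$f" keystone_authtoken auth_url "http://$ctl:35357"
    ini_set "$f" keystone_authtoken auth_plugin password
    ini_set "$f" keystone_authtoken project_domain_id default
    ini_set "$f" keystone_authtoken user_domain_id default
    ini_set "$f" keystone_authtoken project_name service
    ini_set "$f" keystone_authtoken username "$svc"
    ini_set "$f" keystone_authtoken password "$pw"
}

# gen_secret: 20 hex characters, the shape of `openssl rand -hex 10`
gen_secret() { dd if=/dev/urandom bs=10 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# rollout CONTROLLER_IP USER:FILE...: a fresh password per service account written
# into FILE, and the page's keystone commands for that account printed to run next.
rollout() {
    ctl=$1; shift
    for spec in "$@"; do
        svc=${spec%%:*}; f=${spec#*:}
        pw=$(gen_secret)
        configure_authtoken "$f" "$svc" "$pw" "$ctl"
        printf 'openstack user create %s --password %s\n' "$svc" "$pw"
        printf 'openstack role add --project service --user %s admin\n' "$svc"
    done
}

# count_key FILE KEY: number of lines that set KEY (exactly one in a clean file)
count_key() { grep -c "^[[:space:]]*$2[[:space:]]*=" "$1" || true; }

# Constructed sample, not a real file: nova.conf with the page's fragment, minus
# project_name so the "key missing in an existing section" path is exercised.
sample_nova_conf() {
    cat <<'EOF'
[DEFAULT]
debug = false

[keystone_authtoken]
username = nova
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
password = 456
project_domain_id = default

[glance]
api_servers = http://192.168.0.51:9292
EOF
}

# On the controller (paths assumed; the page only says glance.conf):
#   rollout 192.168.0.51 neutron:/etc/neutron/neutron.conf nova:/etc/nova/nova.conf \
#           glance:/etc/glance/glance-api.conf
```

The printed `openstack user create` lines still put the password on the command line; run them from a script with history disabled, or feed the value through `--password-prompt`, and restart each service afterwards as the page does.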
8. Update designate.conf
openstack user create designate --password 456
openstack role add --project service --user designate admin
## Empty the designate database
truncate table records
truncate table recordsets
truncate table zones
## designate is tied closely to the tenant, so after the users have been re-created under the new keystone the zone resources have to be created again
openstack zone create --email [email protected].
openstack zone list
openstack recordset list example.org.
VI. Changing keystone from v2.0 to v3
To be updated.