Keystone v2.0 and v3 config

Keystone v2.0 or v3 config

Reference URL:

http://docs.openstack.org/liberty/install-guide-ubuntu/keystone-openrc.html

 

I. Environment preparation

[NOTE]

    (1) Everything in this article was installed and deployed on CentOS 7.2, and every node has two NICs.
    (2) For keystone v2.0 the version value used in the configuration is 2.0.
    (3) For keystone v3 the version value used in the configuration is v3, not v3.0.

 

1. Virtual machine node configuration

Network topology and host naming:

eth0: management network
eth1: data network / tunnels

Controller node: eth0: 192.168.0.51/24, eth1: 192.168.242.140/24
Compute node:    eth0: 192.168.0.71/24, eth1: 192.168.242.142/24, mtu: 1600

$ vim /etc/hosts
# controller
192.168.0.51   controller
# compute 1
192.168.0.71   compute1

 

2. Virtual machine NIC configuration

Use the traditional NIC naming scheme (eth0, eth1, ...).

[NOTE] On CentOS 7.2 you have to create the configuration files for eth1, eth2, ... in the NIC configuration directory yourself.

Edit /etc/default/grub, add net.ifnames=0 biosdevname=0 to the kernel command line, and regenerate the grub configuration:

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

II. Configuration before installing keystone

1. Install and configure memcached

Physical servers now have plenty of memory, so every controller node can run the memcached service; it is recommended to deploy memcached on every nova-api node as well.

# yum install memcached
# systemctl start memcached
# systemctl enable memcached

2. Install the openstack utilities package

# yum install openstack-utils

 

III. Configure keystone v2.0

1. Generate the passwords for each service and database

(1) Generate a random password for every service and every database and record them, e.g. KEYSTONE_ADMIN_PASSWORD and KEYSTONE_DB_PASSWORD, for use in the later steps.

(2) Generate each random password with # openssl rand -hex 10.

The values used in this article:

Password name               Password
MYSQL_ROOT_PASS             mysql
MYSQL_KEYSTONE_DBPASS       keystone_db
MYSQL_GLANCE_DBPASS         glance_db
MYSQL_NOVA_DBPASS           nova_db
MYSQL_NEUTRON_DBPASS        neutron_db
KEYSTONE_GLANCE_PASS        key_glance
KEYSTONE_NOVA_PASSWORD      key_nova
KEYSTONE_NEUTRON_PASSWORD   key_neutron
OPENSTACK/RABBIT_PASSWORD   rabbit
ADMIN_TOKEN                 791eb78bed6ff585d194

 

2. Create the database and user

(1) Log in to the database node and run the following commands (replace KEYSTONE_DBPASS with the password actually in use, here keystone_db):

# mysql -u root -pmysql
> CREATE DATABASE keystone;
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone_db';
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_db';

 

3. Install keystone and memcache with yum

# yum install openstack-keystone httpd mod_wsgi python-openstackclient
# yum install memcached python-memcached

 

4. Configure keystone.conf

(1) Generate ADMIN_TOKEN

# openssl rand -hex 10
791eb78bed6ff585d194

(2) Edit /etc/keystone/keystone.conf. The settings to change are listed below (show the effective lines with cat /etc/keystone/keystone.conf | grep -vE "^$|^#"); keep comments on their own lines, because the keystone config parser does not strip a trailing comment from a value.

[DEFAULT]
# the admin_token generated above
admin_token = 791eb78bed6ff585d194
debug = false
verbose = true

[database]
# database user name and password
connection = mysql://keystone:keystone_db@vip_mysql/keystone

[eventlet_server]
# the local IP of each node
public_bind_host = 192.168.0.51
admin_bind_host = 192.168.0.51

[memcache]
# address of the memcache server
servers = 192.168.0.51:11211

[token]
driver = keystone.token.persistence.backends.memcache.Token
provider = keystone.token.providers.uuid.Provider

[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke

 

5. Initialize the keystone database

# su -s /bin/sh -c "keystone-manage db_sync" keystone

 

6. Configure httpd to serve keystone

6.1 Edit httpd.conf

(1) Edit /etc/httpd/conf/httpd.conf (use the IP address of each node; httpd does not accept a trailing comment on a directive line)

# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.0.51
Listen 192.168.0.51:80

 

6.2 Edit wsgi-keystone.conf

(1) Edit /etc/httpd/conf.d/wsgi-keystone.conf (the Listen addresses are the IP address of each node)

# vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 192.168.0.51:5000
Listen 192.168.0.51:35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=32 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=32 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

 

6.3 Install the WSGI components

# mkdir -p /var/www/cgi-bin/keystone

(1) Create the main file

# vim /var/www/cgi-bin/keystone/main

import os
from keystone.server import wsgi as wsgi_server
# the file name (main or admin) selects which keystone application is loaded
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)

(2) Copy the main file to admin and fix ownership and permissions

# cp /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*

 

6.4 Start httpd

# systemctl enable httpd.service
# systemctl start httpd.service

 

7. Register the keystone service and endpoint

export OS_TOKEN=791eb78bed6ff585d194
export OS_URL=http://vip_keystone:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --publicurl http://vip_keystone:5000/v2.0 \
  --internalurl http://vip_keystone:5000/v2.0 \
  --adminurl http://vip_keystone:35357/v2.0 \
  --region RegionOne identity
openstack project create --description "Admin Project" admin
openstack user create admin --password 456   ## password 456
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --description "Service Project" service
openstack role create user

 

8. Create admin-openrc.sh

Create the file admin-openrc.sh with the following content:

#!/bin/sh
export LC_ALL=C
export OS_NO_CACHE='true'
export OS_TENANT_NAME='admin'
export OS_PROJECT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='456'   ## keystone admin password
export OS_AUTH_URL='http://vip_keystone:5000/v2.0/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export CINDER_ENDPOINT_TYPE='internalURL'
export GLANCE_ENDPOINT_TYPE='internalURL'
export KEYSTONE_ENDPOINT_TYPE='internalURL'
export NOVA_ENDPOINT_TYPE='internalURL'
export NEUTRON_ENDPOINT_TYPE='internalURL'
export OS_ENDPOINT_TYPE='internalURL'
export OS_VOLUME_API_VERSION=2

 

IV. Configure keystone v3

[NOTE] keystone only needs to be installed on the controller node.

1. Create the keystone database

# mysql -u root
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
MariaDB [(none)]> SELECT User, Host, Password FROM mysql.user WHERE User LIKE 'keystone%';
MariaDB [(none)]> exit

2. Install keystone and memcache with yum

# yum install openstack-keystone httpd mod_wsgi

The openstack keystone authentication service uses memcached to cache tokens:

# yum install memcached python-memcached

3. Configure keystone.conf

# vim /etc/keystone/keystone.conf
[DEFAULT]
# generated with: openssl rand -hex 10
admin_token = e980b6fd08747f7b600a

[database]
connection = mysql+pymysql://keystone:keystone@vip_mysql/keystone

[token]
provider = fernet
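
The v2.0 keystone.conf in III.4 and the v3 one above differ only in [database], [memcache] and [token], which is where mistakes creep in when switching between the two. The checker below is an added example (not code from the original post or from keystone): it reads a keystone.conf with configparser, classifies it as the v2.0 or v3 variant, flags mismatches and notes the bootstrap admin_token. The sample configs inside it are constructed from the values in this article.

```python
# Added example (not from the original post): classify a keystone.conf as the v2.0
# (uuid tokens in memcache) or v3 (fernet) variant from this guide and report mismatches.
import configparser

# Sample configs constructed from the values shown in this article.
V2_CONF = """\
[DEFAULT]
admin_token = 791eb78bed6ff585d194
[database]
connection = mysql://keystone:keystone_db@vip_mysql/keystone
[memcache]
servers = 192.168.0.51:11211
[token]
driver = keystone.token.persistence.backends.memcache.Token
provider = keystone.token.providers.uuid.Provider
"""
V3_CONF = """\
[DEFAULT]
admin_token = e980b6fd08747f7b600a
[database]
connection = mysql+pymysql://keystone:keystone@vip_mysql/keystone
[token]
provider = fernet
"""

def check_keystone_conf(text):
    """Return (mode, errors, notes); mode is "v2.0-uuid", "v3-fernet" or "unknown"."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    errors, notes = [], []
    provider = cp.get("token", "provider", fallback="")
    driver = cp.get("token", "driver", fallback="")
    if provider == "fernet":
        mode = "v3-fernet"   # keys come from keystone-manage fernet_setup, no token store
    elif provider.endswith("uuid.Provider"):
        mode = "v2.0-uuid"   # persisted tokens: the memcache driver needs a server list
        if driver.endswith("memcache.Token") and not cp.get("memcache", "servers", fallback=""):
            errors.append("[token] uses the memcache driver but [memcache] servers is empty")
    else:
        mode = "unknown"
        errors.append("[token] provider is neither the uuid provider nor fernet")
    conn = cp.get("database", "connection", fallback="")
    if not conn.startswith(("mysql://", "mysql+pymysql://")):
        errors.append("[database] connection is not a mysql:// or mysql+pymysql:// URL")
    if cp.get("DEFAULT", "admin_token", fallback=""):
        # the bootstrap token bypasses normal authentication: report it, do not fail
        notes.append("[DEFAULT] admin_token is set; disable it once the admin user and endpoints exist")
    return mode, errors, notes
```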

4. Synchronize the keystone database

(1) Populate the keystone database

# su -s /bin/sh -c "keystone-manage db_sync" keystone

(2) Initialize the fernet keys

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

5. Configure the keystone (http) service

5.1 Edit httpd.conf

(1) Edit /etc/httpd/conf/httpd.conf

ServerName controller

5.2 Edit wsgi-keystone.conf

(2) Edit /etc/httpd/conf.d/wsgi-keystone.conf (a new file)

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

5.3 Install openstack-dashboard

(3) Install the openstack dashboard

# yum install openstack-dashboard

5.4 Edit local_settings

(4) Edit /etc/openstack-dashboard/local_settings and add the following settings (ALLOWED_HOSTS = ['*', ] accepts any Host header; on a production deployment list the dashboard's own host names instead):

OPENSTACK_HOST = "controller"
ALLOWED_HOSTS = ['*', ]

SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'controller:11211',
    }
}

OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {
    "identity": 3,
    "image": 2,
    "volume": 2,
}

OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user"
OPENSTACK_NEUTRON_NETWORK = {
    ...
    'enable_router': True,
    'enable_quotas': False,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': False,
    'enable_firewall': False,
    'enable_vpn': False,
    'enable_fip_topology_check': False,
}

TIME_ZONE = "TIME_ZONE"

5.5 Start the http service

(5) Start the httpd and memcached services

# systemctl enable httpd.service
# systemctl start httpd.service
# systemctl enable memcached.service
# systemctl start memcached.service

 

6. Create the service and endpoints

## 1) Set the authentication environment variables (type them on the command line)
export OS_TOKEN=e980b6fd08747f7b600a
export OS_URL=http://vip_keystone:35357/v3   #### note: this is v3, not v3.0
export OS_IDENTITY_API_VERSION=3

## 2) Create the service entity
openstack service create --name keystone --description "OpenStack Identity" identity
openstack service list

## 3) Create the three API endpoints (admin, internal, public); the CLI syntax differs from keystone v2.0
openstack endpoint create --region RegionOne identity public http://vip_keystone:5000/v3
openstack endpoint create --region RegionOne identity internal http://vip_keystone:5000/v3
openstack endpoint create --region RegionOne identity admin http://vip_keystone:35357/v3
openstack endpoint list

7. Create the domain, projects, users and roles

List what already exists:

(1) openstack domain list     ## domains
(2) openstack project list    ## projects (tenants)
(3) openstack user list       ## users
(4) openstack role list       ## roles

## 1) Create the default domain
openstack domain create --description "Default Domain" default

## 2) Create the admin project
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin   ## set the password to 456
openstack role create admin
openstack role add --project admin --user admin admin

## 3) Create the service project
openstack project create --domain default --description "Service Project" service

## 4) Create the demo project
openstack project create --domain default --description "Demo Project" demo
# create the demo user (enter the new password 456 at the prompt)
openstack user create --domain default --password-prompt demo
# create the _member_ role
openstack role create _member_
# add _member_ to the demo project and user
openstack role add --project demo --user demo _member_

 

8. admin-openrc.sh environment variables

## Create admin-openrc.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=456
export OS_AUTH_URL=http://vip_keystone:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

# Load admin-openrc.sh
source admin-openrc.sh

 

V. Change keystone v3 to v2.0

1. Configure local_settings

(1) vim /etc/openstack-dashboard/local_settings

## jimmy add : change identity 3 to 2.0, attention version is 3 not 3.0
OPENSTACK_API_VERSIONS = {
    "identity": 2.0,
    "volume": 2,
    "compute": 2,
}

## jimmy add : change identity 3 to 2.0, attention version is 3 not 3.0
OPENSTACK_HOST = "192.168.0.51"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

## jimmy add : change identity 3 to 2.0, with 2.0, no var with domain
## need to comment it out for keystone v2.0
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
# OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
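
Sections IV.5.4 and V.1 together give the local_settings values for identity 3 and 2.0. The checker below is an added example (not from the original post or from Horizon): it evaluates a local_settings fragment with the ast module, without executing it, and reports the mismatches this guide warns about: a /v3.0 URL, a domain setting left on under 2.0, or a misspelled value such as flase. The sample fragments are constructed from the settings in this article.

```python
# Added example (not from the original post): check that a Horizon local_settings fragment
# matches the identity version it selects; the sample fragments are constructed from this article.
import ast
V3_SETTINGS = """
OPENSTACK_HOST = "controller"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_API_VERSIONS = {"identity": 3, "image": 2, "volume": 2}
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "default"
"""
V2_SETTINGS = """
OPENSTACK_API_VERSIONS = {"identity": 2.0, "volume": 2, "compute": 2}
OPENSTACK_HOST = "192.168.0.51"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
"""

def _value(node, env):
    # Evaluate a literal or a "..." % NAME expression against earlier assignments.
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return _value(node.left, env) % _value(node.right, env)
    if isinstance(node, ast.Name):
        return env[node.id]          # KeyError for a misspelling such as flase
    return ast.literal_eval(node)    # ValueError for anything that is not a literal

def check_local_settings(text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems, env = [], {}
    try:  # evaluate top-level NAME = value lines without executing the file
        for node in ast.parse(text).body:
            if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
                env[node.targets[0].id] = _value(node.value, env)
    except (KeyError, ValueError, SyntaxError) as exc:
        return ["cannot evaluate settings: %r" % (exc,)]
    version = env.get("OPENSTACK_API_VERSIONS", {}).get("identity")
    url = env.get("OPENSTACK_KEYSTONE_URL", "")
    multidomain = env.get("OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT", False)
    if version == 3:
        if not url.endswith("/v3"):
            problems.append("identity 3 needs OPENSTACK_KEYSTONE_URL ending in /v3, not /v3.0: " + url)
        if multidomain is not True:
            problems.append("identity 3: set OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True")
    elif version == 2.0:
        if not url.endswith("/v2.0"):
            problems.append("identity 2.0 needs OPENSTACK_KEYSTONE_URL ending in /v2.0: " + url)
        if multidomain or "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN" in env:
            problems.append("identity 2.0 has no domains: MULTIDOMAIN_SUPPORT = False, comment out DEFAULT_DOMAIN")
    else:
        problems.append("OPENSTACK_API_VERSIONS['identity'] must be 3 or 2.0, got %r" % (version,))
    return problems
```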

2. Restart httpd

# systemctl restart httpd.service
# systemctl status httpd.service

Watch the logs while testing:

# tail -f /var/log/messages
# tail -f /var/log/httpd/keystone-access.log

 

3. Re-register the keystone endpoint

(1) Delete the keystone-related contents of the keystone database (this removes every existing endpoint, project, role and user, so record what is there before truncating):

# mysql -u keystone -pkeystone keystone

truncate table endpoint;
truncate table project;
truncate table role;
truncate table local_user;   #### rows can be told apart by domain_id
truncate table user;

 

 

(2) Set the bootstrap token and the v2.0 OS_URL, then re-register the service, endpoint, projects, users and roles (the same commands as in III.7):

export OS_TOKEN=e980b6fd08747f7b600a
export OS_URL=http://vip_keystone:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --publicurl http://vip_keystone:5000/v2.0 \
  --internalurl http://vip_keystone:5000/v2.0 \
  --adminurl http://vip_keystone:35357/v2.0 \
  --region RegionOne identity
openstack project create --description "Admin Project" admin
openstack user create admin --password 456
openstack role create admin
openstack role add --project admin --user admin admin
openstack project create --description "Service Project" service
openstack role create user

 

4. Update admin-openrc.sh

#!/bin/sh
export LC_ALL=C
export OS_NO_CACHE='true'
export OS_TENANT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='456'   ## keystone admin password
export OS_AUTH_URL='http://vip_keystone:5000/v2.0/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export OS_VOLUME_API_VERSION=2

 

5. Update neutron.conf

################################################################################
## neutron api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = neutron
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
identity_uri = http://192.168.0.51:5000
project_name = service
password = 456
project_domain_id = default

Create the neutron service user, give it the admin role on the service project, and restart neutron-server:

# openstack user create neutron --password 456
# openstack role add --project service --user neutron admin

# systemctl restart neutron-server

 

6. Update nova.conf

################################################################################
## nova api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = nova
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
project_name = service
password = 456
project_domain_id = default

# openstack user create nova --password 456
# openstack role add --project service --user nova admin
## the service endpoints do not need to be re-registered for now

# systemctl restart openstack-nova-api.service \
    openstack-nova-consoleauth.service \
    openstack-nova-scheduler.service \
    openstack-nova-conductor.service \
    openstack-nova-novncproxy.service

 

7. Update glance.conf

################################################################################
## glance api config for keystone 2.0
################################################################################
[keystone_authtoken]
username = glance
auth_uri = http://192.168.0.51:5000
auth_plugin = password
auth_url = http://192.168.0.51:35357
user_domain_id = default
project_name = service
password = 456
project_domain_id = default

# openstack user create glance --password 456
# openstack role add --project service --user glance admin

Verify that glance authenticates against the re-registered keystone:

openstack image list

8. Update designate.conf

openstack user create designate --password 456
openstack role add --project service --user designate admin

## Empty the designate database
truncate table records;
truncate table recordsets;
truncate table zones;

## designate is tightly bound to the tenant; once the users have been re-created under keystone, the zone resources have to be created again
openstack zone create --email [email protected].
openstack zone list
openstack recordset list example.org.

VI. Change keystone v2.0 to v3

To be updated.

