
Building an OpenStack Platform (Kilo) on Ubuntu (Part 2: Keystone)

盖成弘
2023-12-01

I. Installing Keystone
References: http://www.aboutyun.com/thread-13080-1-1.html
http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html

1. Create the keystone database and grant privileges

mysql -u root -p
  • Create the keystone database:
CREATE DATABASE keystone;
  • Grant privileges (this also sets the keystone password, which is needed later when syncing the database; mine is keystone):
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_PASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_PASS';
  • Exit:
exit;

2. Install Keystone

  • Generate a random token string (it is used later; for example 570f15acb897e7v3e58f):
openssl rand -hex 10
  • By default the keystone service listens on ports 5000 and 35357, but this guide configures the Apache HTTP server to listen on those ports instead. To avoid a port conflict, stop the keystone service installed by the package from starting automatically (I am not clear on the details of this step):
echo "manual" > /etc/init/keystone.override
  • Install Keystone:
apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
  • Edit the configuration file:
vim /etc/keystone/keystone.conf

[DEFAULT]
verbose = True
# replace ADMIN_TOKEN with the random token string generated above
admin_token = ADMIN_TOKEN

[database]
# KEYSTONE_PASS is the password set in the GRANT statements above (mine is keystone)
connection = mysql://keystone:KEYSTONE_PASS@controller/keystone
# The default SQLite line below must be commented out, otherwise Keystone fails (a 404, as far as I recall):
#connection=sqlite:var/lib/keystone/keystone.db

[memcache]
servers = localhost:11211

[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token

[revoke] 
driver = keystone.contrib.revoke.backends.sql.Revoke

Save and exit.

  • Sync the database:
su -s /bin/sh -c "keystone-manage db_sync" keystone

All of the above is done as root.
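Before running db_sync it is worth checking keystone.conf for the two mistakes described above: the admin_token placeholder left in place, and the packaged SQLite connection line still active next to the MySQL one. This is an added example, not part of the original post; it assumes only POSIX sh, grep and sed, and it works on a constructed sample file rather than the real /etc/keystone/keystone.conf.

```shell
#!/bin/sh
# Added example: sanity-check and repair a keystone.conf before db_sync.

# Write a constructed sample keystone.conf (not the real file).
write_sample_keystone_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
verbose = True
admin_token = ADMIN_TOKEN

[database]
connection = mysql://keystone:KEYSTONE_PASS@controller/keystone
connection = sqlite:////var/lib/keystone/keystone.db
EOF
}

# Print the value of every active (uncommented) "key = value" line for one key.
active_values() {
    # $1 = config file, $2 = key name
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Return 0 if the file is ready for db_sync, 1 otherwise, naming each problem.
check_keystone_conf() {
    rc=0
    token=$(active_values "$1" admin_token)
    case "$token" in
        ""|ADMIN_TOKEN|*"("*) echo "admin_token is missing or still a placeholder"; rc=1 ;;
    esac
    # Exactly one active connection line, and it must be the MySQL one.
    n=$(active_values "$1" connection | grep -c . || true)
    [ "$n" -eq 1 ] || { echo "expected 1 active connection line, found $n"; rc=1; }
    active_values "$1" connection | grep -q '^sqlite:' && { echo "sqlite connection is still active"; rc=1; }
    active_values "$1" connection | grep -q '^mysql://' || { echo "no mysql connection line"; rc=1; }
    return $rc
}

# Repair in place: set the token and comment out the SQLite connection line.
fix_keystone_conf() {
    # $1 = config file, $2 = token string (e.g. the output of `openssl rand -hex 10`)
    sed -i -E "s|^([[:space:]]*admin_token[[:space:]]*=).*|\1 $2|; s|^([[:space:]]*connection[[:space:]]*=[[:space:]]*sqlite:)|#\1|" "$1"
}
```

Run check_keystone_conf against the real file before db_sync; a non-zero exit with the printed reason tells you what to fix.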


II. Configure the Apache HTTP server

  • Edit /etc/apache2/apache2.conf and set the ServerName option to the controller node's hostname (the option is probably not in the file yet; add it yourself):
ServerName controller
  • Create the file /etc/apache2/sites-available/wsgi-keystone.conf with the following content:
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
  • Enable the Identity service virtual hosts:
ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
  • Create the directory structure for the WSGI components:
mkdir -p /var/www/cgi-bin/keystone
  • Download the WSGI components into /var/www/cgi-bin/keystone:
curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
  • Fix ownership and permissions:
chown -R keystone:keystone /var/www/cgi-bin/keystone
chmod 755 /var/www/cgi-bin/keystone/*
  • Restart Apache:
service apache2 restart
  • If the SQLite database exists, delete it:
rm -f /var/lib/keystone/keystone.db
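A consistency check for wsgi-keystone.conf before restarting Apache, added here as an example that is not part of the original post. It verifies that every Listen port has a matching VirtualHost and that every WSGIScriptAlias target exists and is readable; this matters here because the vhosts above point at /usr/bin/keystone-wsgi-public and keystone-wsgi-admin while the downloaded components land in /var/www/cgi-bin/keystone, so whichever layout you use, the alias targets must actually be present. The optional root-prefix argument and the sample file are assumptions for testing.

```shell
#!/bin/sh
# Added example: check a wsgi-keystone.conf against the files it points at.

# Constructed, shortened sample of the vhost file shown above (not the real one).
write_sample_vhost_conf() {
    cat > "$1" <<'EOF'
Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
</VirtualHost>
<VirtualHost *:35357>
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
</VirtualHost>
EOF
}

# $1 = config file; $2 = optional root prefix so the check can run on a test tree.
# Returns 0 when consistent, 1 otherwise, printing each problem found.
check_wsgi_keystone_conf() {
    conf=$1; root=${2:-}; rc=0
    # Every Listen port needs a <VirtualHost *:port> block.
    for port in $(awk '$1=="Listen"{print $2}' "$conf"); do
        grep -q "<VirtualHost \*:$port>" "$conf" || { echo "Listen $port has no <VirtualHost>"; rc=1; }
    done
    # Every WSGIScriptAlias target must exist and be readable by the daemon user.
    for script in $(awk '$1=="WSGIScriptAlias"{print $3}' "$conf"); do
        if [ ! -f "$root$script" ]; then
            echo "WSGIScriptAlias target missing: $script"; rc=1
        elif [ ! -r "$root$script" ]; then
            echo "WSGIScriptAlias target not readable: $script"; rc=1
        fi
    done
    return $rc
}
```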

III. Create the service entity and API endpoint
1. Set temporary environment variables

export OS_TOKEN=the token string generated above
export OS_URL=http://controller:35357/v2.0

2. Create the service entity and API endpoint

  • Create the Identity service entity:
openstack service create --name keystone --description "OpenStack Identity" identity
(The outputs below are taken from the official documentation; I did not capture my own while building, but they look the same.)
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4ddaae90388b4ebc9d252ec2252d8d10 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
  • Create the Identity API endpoint:
openstack endpoint create --publicurl http://controller:5000/v2.0 --internalurl http://controller:5000/v2.0 --adminurl http://controller:35357/v2.0 --region RegionOne identity

+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://controller:35357/v2.0     |
| id           | 57cfa543e7dc4b712c0ab137911bc4fe |
| internalurl  | http://controller:5000/v2.0      |
| publicurl    | http://controller:5000/v2.0      |
| region       | RegionOne                        |
| service_id   | 6f8de927262ac12f6066cfe70d99ac51 |
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+

3. Create the admin tenant (now called a project), user and role

  • Create the admin project:
openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | 343d245e850143a096806dfaefa9afdc |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
  • Create the admin user (enter a password of your own and remember it; it is needed to log in):
openstack user create --password-prompt admin
User Password:  (mine is admin)
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled   | True                             |
| id        | ac3377633149401296f6c0d92d79dc16 |
| name      | admin                            |
+-----------+----------------------------------+
  • Create the admin role:
openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | cd2cb9a39e874ea69e5d4b896eb16128 |
| name      | admin                            |
+-----------+----------------------------------+
  • Add the admin role to the admin project and user:
openstack role add --project admin --user admin admin

4. Create a service project

openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | 894cdfa366d34e9d835d3de01e752262 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

5. Create the non-admin demo tenant (project)

  • Create the demo project:
openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | ed0b60bf607743088218b0a533d5943f |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
  • Create the demo user (enter a password of your own and remember it; it is needed to log in):
openstack user create --password-prompt demo
User Password:  (mine is demo)
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled   | True                             |
| id        | 58126687cbcc4888bfa9ab73a2256f27 |
| name      | demo                             |
+-----------+----------------------------------+
  • Create the user role:
openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | user                             |
+-----------+----------------------------------+
  • Add the user role to the demo project and user:
openstack role add --project demo --user demo user

IV. Verify the Keystone installation
1. Remove the temporary bootstrap settings

  • For security, disable the temporary token: edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections. (I did not fully understand this step.)

  • Unset the OS_TOKEN and OS_URL environment variables:

unset OS_TOKEN OS_URL
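The keystone-paste.ini step above is what actually disables the bootstrap token: the admin_token filter accepts the ADMIN_TOKEN string from keystone.conf as a full administrator, so once real users and roles exist it should be removed from all three pipelines. The script below, added here as an example that is not part of the original post, does that edit with sed and confirms nothing was left behind. It assumes only POSIX sh, sed and grep, and runs on a constructed sample file, not the real /etc/keystone/keystone-paste.ini.

```shell
#!/bin/sh
# Added example: remove admin_token_auth from the pipelines in keystone-paste.ini.

# Constructed, shortened sample with the three pipelines named in the text.
write_sample_paste_ini() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body service_v3
EOF
}

# Count "pipeline = ..." lines that still contain the filter (0 means it is disabled everywhere).
count_admin_token_auth() {
    grep -cE '^[[:space:]]*pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$1" || true
}

# Drop the filter from pipeline lines only; the [filter:admin_token_auth] section
# itself is left alone. Keeps a .bak copy and returns 1 if any pipeline still has it.
disable_admin_token_auth() {
    cp "$1" "$1.bak"
    sed -i -E '/^[[:space:]]*pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]|$)/\1/' "$1"
    [ "$(count_admin_token_auth "$1")" -eq 0 ]
}
```

After editing the real file, restart Apache so the new pipelines take effect.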

2. Verification

  • Create the admin script:
vim admin-openrc.sh

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS  # mine is admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_REGION_NAME=RegionOne
  • Create the demo script:
vim demo-openrc.sh

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS  # mine is demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_REGION_NAME=RegionOne
  • Load the script:
source admin-openrc.sh

Note: I set this up some time ago and it did work. If there are mistakes in what is written above, thank you for pointing them out.
