  • openstack Keystone验证服务集群

    #Keystone验证服务群集

    openstack pike 部署 目录汇总 http://www.cnblogs.com/elvi/p/7613861.html

    ##3.Keystone验证服务集群
    
    # Create the keystone database on the SQL server and grant privileges first
    # (the commands for that step are not shown here).
    
    ################################################
    ## Run everything below on ALL controller nodes
    
    # Install Keystone, Apache with mod_wsgi, and memcached
    yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
    yum install apr apr-util -y
    
    # Start memcached
    # Keep a copy of the packaged defaults so the change can be reverted.
    cp /etc/sysconfig/memcached{,.bak}
    # Rewrite the listen address from loopback to every interface so that the
    # other controllers can reach this instance.
    # NOTE(review): nothing in this script adds authentication or a firewall
    # rule for port 11211, and keystone.conf further down points [memcache],
    # [token] and [cache] at these servers. Restrict 11211 to the controller /
    # management network, or bind to the management address instead of
    # 0.0.0.0 -- confirm against your network layout.
    sed -i 's/127.0.0.1/0.0.0.0/' /etc/sysconfig/memcached
    systemctl enable memcached.service
    systemctl start memcached.service
    # Confirm that something is listening on 11211
    netstat -antp|grep 11211
    
    # Apache configuration (ServerName was already set in an earlier step)
    #cp /etc/httpd/conf/httpd.conf{,.bak}
    #echo "ServerName controller1">>/etc/httpd/conf/httpd.conf
    # Enable the packaged Keystone WSGI configuration by linking it into conf.d
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    
    # Cluster setup: move the local Keystone listeners off the default ports
    # 5000 and 35357, which are left for the cluster VIP to use
    cp /usr/share/keystone/wsgi-keystone.conf{,.bak}
    # No g flag: only the first match on each line is replaced.
    # NOTE(review): the edit is made to the file under /usr/share that conf.d
    # links to; presumably a package update can overwrite it -- verify, or
    # keep a managed copy under /etc/httpd/conf.d/ instead of the symlink.
    sed -i 's/5000/4999/' /usr/share/keystone/wsgi-keystone.conf
    sed -i 's/35357/35356/' /usr/share/keystone/wsgi-keystone.conf
    
    # Enable Apache at boot and (re)start it
    systemctl enable httpd.service
    systemctl restart httpd.service
    # Show the sockets owned by httpd
    # NOTE(review): the relocated backend ports 4999/35356 speak plain HTTP; if
    # httpd binds them on all interfaces they can be reached without going
    # through haproxy. Check the bind address in this output and limit the
    # ports to the controller network -- TODO confirm the Listen directives.
    netstat -antp|egrep 'httpd'
    # systemctl disable
    
    # haproxy high availability: publish Keystone on the cluster name
    # "controller" (35357 admin, 5000 public) and spread requests over the
    # relocated backend ports (35356 / 4999) of the three controllers.
    # NOTE(review): the text is appended with >>, so running this step twice
    # leaves duplicate listen sections in haproxy.cfg.
    # NOTE(review): neither bind line configures TLS, so passwords and tokens
    # sent to these ports cross the network unencrypted; terminating TLS at
    # the proxy is the usual remedy.
    echo '
    #keystone
    listen keystone_admin_cluster
    bind controller:35357
    #balance  source
    option  tcpka
    option  httpchk 
    option  tcplog
    server controller1 controller1:35356 check inter 2000 rise 2 fall 5
    server controller2 controller2:35356 check inter 2000 rise 2 fall 5
    server controller3 controller3:35356 check inter 2000 rise 2 fall 5
    
    listen keystone_public_cluster
    bind controller:5000
    #balance  source
    option  tcpka
    option  httpchk 
    option  tcplog
    server controller1 controller1:4999 check inter 2000 rise 2 fall 5
    server controller2 controller2:4999 check inter 2000 rise 2 fall 5
    server controller3 controller3:4999 check inter 2000 rise 2 fall 5
    '>>/etc/haproxy/haproxy.cfg
    systemctl restart haproxy.service
    # Show the sockets owned by haproxy and httpd
    netstat -antp|egrep 'haproxy|httpd'
    # In the haproxy web page every Keystone backend shows as DOWN at this
    # point; they only come UP after the configuration below is in place
    
    
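    ################################################
    ## Run everything below on controller1 only

    # Keystone configuration
    cp /etc/keystone/keystone.conf{,.bak}  # back up the packaged config
    # 10 random bytes printed as 20 hex characters; used as admin_token below.
    Keys=$(openssl rand -hex 10)
    echo "$Keys"
    # The saved copy of the token is a secret: create the file owner-only and
    # force the mode in case it already existed with wider permissions.
    ( umask 077; echo "kestone  $Keys">/root/openstack.log )
    chmod 600 /root/openstack.log
    # NOTE(review): admin_token is a static shared secret; wherever the
    # admin_token_auth middleware is enabled it grants full admin access.
    # The admin user is created later with keystone-manage bootstrap, so
    # confirm the token is still needed and, if not, drop it from
    # keystone.conf and from /root/openstack.log once setup is finished.
    # NOTE(review): the database password in the connection URL equals the
    # account name (keystone); use a strong, unique password in a real
    # deployment and keep it in step with the grant made on the SQL server.
    echo "
    [DEFAULT]
    admin_token = $Keys
    verbose = true
    [database]
    connection = mysql+pymysql://keystone:keystone@controller/keystone
    [memcache]
    servers = controller1:11211,controller2:11211,controller3:11211
    [token]
    provider = fernet
    driver = memcache
    # expiration = 86400
    # caching = true
    # cache_time = 86400
    [cache]
    enabled = true
    backend = oslo_cache.memcache_pool
    memcache_servers = controller1:11211,controller2:11211,controller3:11211
    ">/etc/keystone/keystone.conf
    # keystone.conf now holds the admin token and the database password:
    # readable by root and the keystone group only.
    chown root:keystone /etc/keystone/keystone.conf
    chmod 640 /etc/keystone/keystone.conf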
    
    # Initialise the Keystone database schema, running as the keystone user
    su -s /bin/sh -c "keystone-manage db_sync" keystone
    # Check that the tables were created
    # NOTE(review): -pkeystone puts the database password on the command line
    # (visible in the process list and in shell history), and the password
    # equals the account name. Use a strong password and pass it through a
    # client option file in a real deployment.
    mysql -h controller -ukeystone -pkeystone -e "use keystone;show tables;"
    
    # Initialise the Fernet token keys and the credential encryption keys,
    # owned by the keystone user and group
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    
    # Copy the configuration to the other nodes. The author uses rsync because
    # scp would change the file attributes; -a keeps owner, group and mode.
    # NOTE(review): /etc/keystone presumably now also holds the key material
    # written by fernet_setup and credential_setup, so this copy carries
    # secrets -- it travels over ssh, and the target directories should keep
    # the same restrictive ownership and modes as the source.
    for peer in controller2 controller3; do
      rsync -avzP -e 'ssh -p 22' /etc/keystone/* "${peer}:/etc/keystone/"
    done

    # Restart httpd locally first, then on each peer
    systemctl restart httpd.service
    for peer in controller2 controller3; do
      ssh "${peer}" "systemctl restart httpd.service"
    done
    # # Check that the service responds
    # curl http://controller3:35356/v3 # a single node
    # curl http://controller:35357/v3 # through the cluster proxy

    
    


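    # Create the admin user and its password, the identity service entity and
    # the API endpoints.
    # The trailing backslashes join the options into a single command; written
    # as separate lines, each --bootstrap-* option would be run as a command of
    # its own and fail, leaving the endpoints and region unset.
    # NOTE(review): the password "admin" is guessable and is passed on the
    # command line; keystone-manage bootstrap can read it from the
    # OS_BOOTSTRAP_PASSWORD environment variable instead. The value is kept
    # here because the admin client script in this guide uses the same one --
    # change both together.
    keystone-manage bootstrap --bootstrap-password admin \
      --bootstrap-admin-url http://controller:35357/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne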

    
    

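    # Create the OpenStack client environment scripts

    # admin environment script: exports the admin credentials and the
    # identity endpoint for the openstack CLI
    # NOTE(review): OS_AUTH_URL is plain http, so the password below is sent
    # unencrypted on every authentication.
    echo "
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://controller:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    ">./admin-openstack.sh
    # The file holds the admin password in clear text; without this it is
    # created with the default umask and is typically world-readable.
    chmod 600 ./admin-openstack.sh
    # Check that the script works: load it and request a token
    source ./admin-openstack.sh
    openstack token issue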

    
    

    # Create the service project, then the glance, nova and neutron service
    # users, each granted the admin role on that project.
    # NOTE(review): every account here gets a password equal to its own name,
    # supplied on the command line (visible in the process list and shell
    # history). In a real deployment use generated passwords, e.g. via
    # --password-prompt, and keep them in step with the service configs that
    # authenticate with these accounts.
    openstack project create --domain default --description "Service Project" service
    for svc in glance nova neutron; do
      openstack user create --domain default --password="${svc}" "${svc}"
      openstack role add --project service --user "${svc}" admin
    done

    # Create the demo project with an ordinary user: its password and the
    # non-admin "user" role
    openstack project create --domain default --description "Demo Project" demo
    openstack user create --domain default --password=demo demo
    openstack role create user
    openstack role add --project demo --user demo user

    
    

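    # demo environment script: exports the demo user's credentials and the
    # public identity endpoint for the openstack CLI
    # NOTE(review): OS_AUTH_URL is plain http, so the password below is sent
    # unencrypted on every authentication.
    echo "
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    ">./demo-openstack.sh
    # The file holds a password in clear text; without this it is created
    # with the default umask and is typically world-readable.
    chmod 600 ./demo-openstack.sh
    # Check that the script works: load it and request a token
    source ./demo-openstack.sh
    openstack token issue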

    
    
  • 原文地址:https://www.cnblogs.com/elvi/p/7738055.html