  • OpenStack controller HA test environment setup notes (6): configuring keystone

    Add to the hosts file on all nodes:
    10.0.0.10 myvip


    Install on all nodes:
    # yum install -y openstack-keystone python-keystoneclient
    # yum install -y openstack-utils


    On all nodes, set keystone.conf to use the MySQL cluster address:
    # openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:123456@myvip/keystone
    # openstack-config --set /etc/keystone/keystone.conf catalog driver keystone.catalog.backends.sql.Catalog
    # openstack-config --set /etc/keystone/keystone.conf identity driver keystone.identity.backends.sql.Identity


    On all nodes, set keystone.conf to use the RabbitMQ highly available queues:
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rpc_backend rabbit
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_password 123456
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_hosts controller1:5672,controller2:5672,controller3:5672
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_retry_interval 1
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_retry_backoff 2
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_max_retries 0
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_durable_queues true
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT rabbit_ha_queues true


    On any one node, create the keystone database and user:
    # mysql -u root -p
    MariaDB [(none)]> CREATE DATABASE keystone;
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
    MariaDB [(none)]> exit


    On any one node, initialize the keystone database:
    # su -s /bin/sh -c "keystone-manage db_sync" keystone


    On all nodes, set the token in keystone.conf:
    # ADMIN_TOKEN=$(openssl rand -hex 10)
    # echo $ADMIN_TOKEN
    de0ae6fc7397dd76dfb5
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token de0ae6fc7397dd76dfb5


    On node 1, create the keystone keys:
    # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    # chown -R keystone:keystone /etc/keystone/ssl
    # chmod -R o-rwx /etc/keystone/ssl


    On node 1, copy them to the other nodes for extraction:
    # cd /etc/keystone
    # tar -cf keystonessl.tar ssl
    # scp keystonessl.tar root@controller2:/etc/keystone
    # scp keystonessl.tar root@controller3:/etc/keystone
    # rm -f keystonessl.tar

    On the other nodes, extract:
    # cd /etc/keystone
    # tar -xf keystonessl.tar
    # rm -f keystonessl.tar


    On all nodes, enable the keystone service at boot and start it:
    # systemctl enable openstack-keystone.service
    # systemctl start openstack-keystone.service


    On all nodes, set tokens to expire automatically after two hours:
    # (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone


    On node 1, set the environment variables:
    # export OS_SERVICE_TOKEN=de0ae6fc7397dd76dfb5
    # export OS_SERVICE_ENDPOINT=http://controller1:35357/v2.0


    On node 1, create the users, roles, tenants, services, and so on:
    # keystone user-create --name=admin --pass=123456
    # keystone role-create --name=admin
    # keystone role-create --name=_member_
    # keystone tenant-create --name=admin --description="Admin Tenant"
    # keystone user-role-add --user=admin --tenant=admin --role=admin
    # keystone user-role-add --user=admin --role=_member_ --tenant=admin
    # keystone user-create --name=demo --pass=123456
    # keystone tenant-create --name=demo --description="Demo Tenant"
    # keystone user-role-add --user=demo --role=_member_ --tenant=demo
    # keystone tenant-create --name=service --description="Service Tenant"
    # keystone service-create --name=keystone --type=identity --description="OpenStack Identity"


    Set the endpoint to the VIP:
    # keystone endpoint-create \
    --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
    --publicurl=http://myvip:5000/v2.0 \
    --internalurl=http://myvip:5000/v2.0 \
    --adminurl=http://myvip:35357/v2.0
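
An added example, not part of the original post: a small shell audit of the secrets this walkthrough writes into keystone.conf (admin_token, rabbit_password, and the password inside the database connection URL), plus the file's permissions. MIN_LEN, the function names, and the finding labels are assumptions of this example; the sample file is constructed from the values used above.

```shell
# Added example: audit the keystone.conf secrets this walkthrough sets.
# MIN_LEN and the finding labels are assumptions of this example.
MIN_LEN=${MIN_LEN:-16}

# ini_get FILE SECTION KEY: print the last value set for KEY in [SECTION].
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); sec = $0; next }
        sec == s && (pos = index($0, "=")) {
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val   # commented-out keys never equal k
        }
        END { print v }' "$1"
}

# check_secret NAME VALUE: report the length only, never the secret itself.
check_secret() {
    if [ -n "$2" ] && [ "${#2}" -lt "$MIN_LEN" ]; then
        echo "SHORT_SECRET $1 length=${#2}"; findings=$((findings + 1))
    fi
}

# audit_keystone_conf FILE: print findings, return how many there were.
audit_keystone_conf() {
    findings=0
    # The file holds secrets, so it should not be readable by "other".
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "WORLD_READABLE"; findings=$((findings + 1))
    fi
    # admin_token is a static shared secret; report it while it is still set.
    tok=$(ini_get "$1" DEFAULT admin_token)
    if [ -n "$tok" ]; then
        echo "ADMIN_TOKEN_SET length=${#tok}"; findings=$((findings + 1))
    fi
    check_secret rabbit_password "$(ini_get "$1" DEFAULT rabbit_password)"
    # Password embedded in the database URL: scheme://user:pass@host/db
    url=$(ini_get "$1" database connection)
    case $url in *://*:*@*) pw=${url#*://*:}; check_secret db_password "${pw%@*}" ;; esac
    return "$findings"
}

# Constructed sample using the values from this walkthrough.
sample=$(mktemp)
printf '%s\n' '[DEFAULT]' 'admin_token = de0ae6fc7397dd76dfb5' 'rabbit_password = 123456' \
    '[database]' 'connection = mysql://keystone:123456@myvip/keystone' > "$sample"
chmod 644 "$sample"   # constructed mode, to exercise the permission check
audit_keystone_conf "$sample" || true
```

On a controller, call `audit_keystone_conf /etc/keystone/keystone.conf`; the return status is the number of findings.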

  • Original article: https://www.cnblogs.com/endoresu/p/5043491.html