  • OpenStack in four parts (1) --- keystone

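    I. Environment preparation

    1. This lab environment uses CentOS 7 + the H release of OpenStack
    The host configuration of the two machines is as follows:

    Controller node:
        Hostname:   node1.openstack.com
        Host IP:    192.168.56.11
    
    Compute node:
        Hostname:   node2.openstack.com
        Host IP:    192.168.56.12
    
    Note: once a hostname is set, avoid changing it; otherwise OpenStack will treat the host as a new machine joining the resource pool and readjust, causing unnecessary side effects. Also make sure the firewall and SELinux are turned off. If you use virtual machines, give them 4 GB of memory where possible; otherwise creating instances easily runs out of resources and produces needless errors.
    

    Most importantly, make sure the clocks of the two machines are synchronized and that the hosts can resolve each other by hostname!

    2. The following steps are performed on the controller node
    a. Install the required repositories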

    yum install -y http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
    yum install centos-release-openstack-liberty -y
    yum install python-openstackclient -y
    

    b. Install MySQL (MySQL does not have to be installed on the controller node, as long as it is reachable)

    yum install -y mariadb mariadb-server MySQL-python
    Edit the MySQL configuration
    cp /usr/share/mysql/my-medium.cnf /etc/my.cnf
    vim /etc/my.cnf
    Add the following under [mysqld]
    [mysqld]
    default-storage-engine = innodb
    innodb_file_per_table
    collation-server = utf8_general_ci
    init-connect = 'SET NAMES utf8'
    character-set-server = utf8
    Enable start at boot
    systemctl enable mariadb
    Start the database
    systemctl start mariadb
    Set the password
    mysql_secure_installation
    

    c. Create a user and a database for each component, and grant privileges

    Keystone database
    mysql -u root -p123456 -e "CREATE DATABASE keystone;"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';"
    Glance database
    mysql -u root -p123456 -e "CREATE DATABASE glance;"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';"
    Nova database
    mysql -u root -p123456 -e "CREATE DATABASE nova;"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';"
    Neutron database
    mysql -u root -p123456 -e "CREATE DATABASE neutron;"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';"
    Cinder database
    mysql -u root -p123456 -e "CREATE DATABASE cinder;"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';"
    mysql -u root -p123456 -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';"
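
    The grants above reuse each service name as its password and accept connections from any host ('%'). As an added example (not from the original post), the script below emits the same CREATE/GRANT statements with a random password per service and grants limited to named hosts. The host list (the two nodes from the environment section) and the credentials-file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): emit the per-service database
# setup SQL with a random password per service and grants limited to named hosts.

# Assumption: only the two lab nodes need database access.
ALLOWED_HOSTS="localhost 192.168.56.11 192.168.56.12"
SERVICES="keystone glance nova neutron cinder"

# gen_password: 32 hex characters from the kernel CSPRNG (hex needs no SQL escaping).
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# grant_sql SERVICE PASSWORD: print CREATE DATABASE plus one GRANT per allowed host.
grant_sql() {
    local svc="$1" pw="$2" host
    # Accept only simple identifiers so nothing can break out of the SQL quotes.
    case "$svc" in *[!a-z0-9_]*|'') echo "bad service name" >&2; return 1;; esac
    case "$pw" in *[!0-9a-f]*|'') echo "bad password" >&2; return 1;; esac
    printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$svc"
    for host in $ALLOWED_HOSTS; do
        printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$svc" "$svc" "$host" "$pw"
    done
}

# render_all CREDS_FILE: SQL goes to stdout, "service password" pairs to CREDS_FILE (mode 0600).
render_all() {
    local creds="$1" svc pw
    ( umask 077; : > "$creds" )
    for svc in $SERVICES; do
        pw="$(gen_password)" || return 1
        grant_sql "$svc" "$pw" || return 1
        printf '%s %s\n' "$svc" "$pw" >> "$creds"
    done
}

# Usage (not run here): render_all /root/openstack-db.creds | mysql -u root -p
```

    Piping into `mysql -u root -p` prompts for the root password, so it does not appear in the process list the way `-p123456` does.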
    

    d. Install rabbitmq

    yum install -y rabbitmq-server
    Enable start at boot
    systemctl enable rabbitmq-server
    Start rabbitmq
    systemctl start rabbitmq-server
    Create the rabbitmq user (username openstack, password openstack)
    rabbitmqctl add_user openstack openstack
    Set permissions
    rabbitmqctl set_permissions openstack ".*" ".*" ".*"
    Enable the web management plugin
    rabbitmq-plugins enable rabbitmq_management
    Restart rabbitmq
    systemctl restart rabbitmq-server
    Verify
    Browse to 192.168.56.11:15672 (the default username and password are guest / guest; the openstack user we created is not enabled at this point)
    

    Enable the openstack account in rabbitmq

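    II. Component deployment

    1. keystone

    keystone has two main functions
    1) Users and authentication: user permissions and tracking of user actions
    2) Service catalog: provides a catalog of all services and their API endpoints
    a. Install the required services

    yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
    Edit the keystone configuration file
    The result after editing is as follows
    

    In addition, debug mode can be turned on as needed
    verbose = true

    Sync the table schema and data
    su -s /bin/sh -c "keystone-manage db_sync" keystone
    Verify the sync (to be safe)
    mysql -ukeystone -pkeystone -h 192.168.56.11
    use keystone;
    show tables;
    If tables are listed and there are 33 of them, the sync succeeded
    Start memcached
    systemctl enable memcached
    systemctl start memcached
    Create the Apache keystone file
    vim /etc/httpd/conf.d/wsgi-keystone.conf
    Add the following content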
    Listen 5000
    Listen 35357
    
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
        </Directory>
    </VirtualHost>
    
    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
        </Directory>
    </VirtualHost>
    
    Configure the Apache configuration file (set ServerName)
    vim /etc/httpd/conf/httpd.conf
    ServerName 192.168.56.11:80
    The keystone identity service can now be started and stopped through Apache
    
    Start Apache
    systemctl enable httpd
    systemctl start httpd
    

    b. Create the users and roles

    Set the environment variables
    export OS_TOKEN=863d35676a5632e846d9
    export OS_URL=http://192.168.56.11:35357/v3
    export OS_IDENTITY_API_VERSION=3
    Create the admin project
    openstack project create --domain default   --description "Admin Project" admin
    Create the admin user
    openstack user create --domain default --password-prompt admin
    # This command prompts for a password; here we set it to admin (in production it must be complex)
    Create the admin role
    openstack role create admin
    Add the admin user to the admin project with the admin role
    openstack role add --project admin --user admin admin        # this command produces no output
    Create an ordinary project, user and role, and grant the role
    openstack project create --domain default --description "Demo Project" demo
    openstack user create --domain default --password=demo demo
    openstack role create user
    openstack role add --project demo --user demo user
    Create the service project, used for interaction between the components
    openstack project create --domain default --description "Service Project" service
    

    c. Create the keystone service and endpoints

    Create the service
    openstack service create --name keystone --description "OpenStack Identity" identity
    Create the endpoints
    openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v2.0                # public endpoint, can serve external clients
    openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v2.0              # internal endpoint
    openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v2.0              # admin endpoint
    

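    d. Verify using username and password

    Unset the environment variables (closing the current terminal and opening a new one works just as well)
    unset OS_TOKEN
    unset OS_URL
    unset OS_IDENTITY_API_VERSION
    Verify that a token ID can be obtained (you will be prompted for the admin password)
    openstack --os-auth-url http://192.168.56.11:35357/v3 \
    --os-project-domain-id default --os-user-domain-id default \
    --os-project-name admin --os-username admin --os-auth-type password \
    token issue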
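
    The OS_TOKEN exported in step b is keystone's bootstrap admin token, which bypasses normal authentication, so once password login works it should no longer be accepted. The check below is an added example (not from the original post): it reports which paste pipelines still load the admin_token_auth filter and prints a corrected file. It runs against a constructed sample; on this setup the real file is assumed to be /usr/share/keystone/keystone-dist-paste.ini, as in the upstream Liberty install guide.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The sample input is constructed.

# sample_paste_ini: a shortened, constructed stand-in for keystone's paste config.
sample_paste_ini() {
cat <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body service_v3
EOF
}

# pipelines_with_admin_token FILE: print each [pipeline:*] section whose
# pipeline line still loads the admin_token_auth filter.
pipelines_with_admin_token() {
    awk '
        /^\[/ { section = $0; sub(/^\[/, "", section); sub(/\].*$/, "", section) }
        section ~ /^pipeline:/ && /^pipeline[ \t]*=/ &&
            /[ \t=]admin_token_auth([ \t]|$)/ { print section }
    ' "$1"
}

# strip_admin_token FILE: print FILE with the filter removed from pipeline
# lines only; the [filter:admin_token_auth] definition itself is left alone.
strip_admin_token() {
    sed -E '/^pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]|$)/\1/' "$1"
}

# admin_token_configured FILE: succeed if keystone.conf sets an uncommented admin_token.
admin_token_configured() {
    grep -Eq '^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}
```

    Restart httpd after changing the real paste file so the WSGI processes reload the pipelines.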
    

    e. Put the keystone environment variables in files for convenience; simply source a file to use them

    admin environment variables
    vim admin-openrc.sh
    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=admin
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://192.168.56.11:35357/v3
    export OS_IDENTITY_API_VERSION=3
    
    demo environment variables
    vim demo-openrc.sh
    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=demo
    export OS_TENANT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://192.168.56.11:5000/v3
    export OS_IDENTITY_API_VERSION=3
    Verify the result
    source admin-openrc.sh
    openstack token issue
    
  • Original article: https://www.cnblogs.com/lige-python/p/5125758.html