7、部署Keystone
7.1 控制节点启用 OpenStack 软件源并安装客户端(Enable the OpenStack repository)
[root@controller1:/root]# yum install centos-release-openstack-rocky -y [root@controller1:/root]# yum install python-openstackclient -y [root@controller1:/root]# yum install openstack-selinux openstack-utils -y [root@controller2:/root]# yum install centos-release-openstack-rocky -y [root@controller2:/root]# yum install python-openstackclient -y [root@controller2:/root]# yum install openstack-selinux openstack-utils -y [root@controller3:/root]# yum install centos-release-openstack-rocky -y [root@controller3:/root]# yum install python-openstackclient -y [root@controller3:/root]# yum install openstack-selinux openstack-utils -y 注:安装openstack命令工具 openstack-utils,后期则可以使用openstack-config 命令配置openstack
7.2 控制节点安装 SQL database
[root@controller1:/root]# yum install mariadb mariadb-server python2-PyMySQL -y [root@controller1:/root]# vim /etc/my.cnf.d/server.cnf ## [mysqld] bind-address = 192.168.110.121 default-storage-engine = innodb innodb_file_per_table = on max_connections = 4096 collation-server = utf8_general_ci character-set-server = utf8 [root@controller2:/root]# vim /etc/my.cnf.d/server.cnf # this is only for the mysqld standalone daemon [mysqld] bind-address = 192.168.110.122 default-storage-engine = innodb innodb_file_per_table = on max_connections = 4096 collation-server = utf8_general_ci character-set-server = utf8 [root@controller3:/root]# vim /etc/my.cnf.d/server.cnf ## [mysqld] bind-address = 192.168.110.123 default-storage-engine = innodb innodb_file_per_table = on max_connections = 4096 collation-server = utf8_general_ci character-set-server = utf8 [root@controller1:/root]# systemctl restart mariadb.service [root@controller1:/root]# systemctl status mariadb.service [root@controller2:/root]# systemctl restart mariadb.service [root@controller2:/root]# systemctl status mariadb.service [root@controller3:/root]# systemctl restart mariadb.service [root@controller3:/root]# systemctl status mariadb.service //show status like 'wsrep_cluster_size'; 注(安全):这里 bind-address 绑定的是各节点管理网的 IP 而不是 127.0.0.1,数据库端口会对该网段内所有主机开放。应在防火墙(firewalld/iptables)上把 MariaDB 服务端口以及 Galera 集群复制所用端口限制为仅允许三个控制节点和负载均衡器(后文连接串中的 VirtualIP:3307)访问,不要暴露到租户网络或公网。重启后用 `show status like 'wsrep_cluster_size';` 确认返回值为 3,即三节点 Galera 集群已组成(集群本身的搭建不在本节范围内)。
7.3 安装Memcached (controller1、controller2和controller3)
[root@controller1:/root]# yum install memcached python-memcached -y [root@controller1:/root]# vim /etc/sysconfig/memcached PORT="11211" USER="memcached" MAXCONN="1024" CACHESIZE="64" OPTIONS="-l 127.0.0.1,::1,controller1" [root@controller1:/root]# systemctl enable memcached.service && systemctl start memcached.service [root@controller1:/root]# systemctl status memcached.service [root@controller2:/root]# yum install memcached python-memcached -y [root@controller2:/root]# vim /etc/sysconfig/memcached PORT="11211" USER="memcached" MAXCONN="1024" CACHESIZE="64" OPTIONS="-l 127.0.0.1,::1,controller2" [root@controller2:/root]# systemctl enable memcached.service && systemctl start memcached.service [root@controller2:/root]# systemctl status memcached.service [root@controller3:/root]# yum install memcached python-memcached -y [root@controller3:/root]# vim /etc/sysconfig/memcached PORT="11211" USER="memcached" MAXCONN="1024" CACHESIZE="64" OPTIONS="-l 127.0.0.1,::1,controller3" [root@controller3:/root]# systemctl enable memcached.service && systemctl start memcached.service [root@controller3:/root]# systemctl status memcached.service 注(安全):Memcached 自身没有任何认证机制。`-l` 中除 127.0.0.1/::1 外还绑定了本机 controller 主机名对应的地址,这是为了让其他控制节点通过 7.5 中的 memcache_servers 访问它;但这也意味着同一网段内任何主机都可以读写缓存内容(Keystone 的 [cache] 后端即指向这三台 Memcached)。务必用防火墙把 11211 端口限制为仅三个控制节点之间互通,不要把该地址暴露到租户网络或公网。
7.4 数据库建keystone表
[root@controller1:/root]# mysql -uroot -p"123456" MariaDB [(none)]> CREATE DATABASE keystone; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec) MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_szh'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_szh'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> exit Bye 由于做了MariaDB集群,所以controller2和controller3上自动同步了数据库。同步数据库和创建用户只需要在一个节点上操作就可以。 注(安全):示例把 root 口令(-p"123456")直接写在命令行上,口令会留在 shell 历史和 ps 输出中,生产环境应改为 `mysql -uroot -p` 交互输入或使用权限为 600 的 ~/.my.cnf;123456 和 KEYSTONE_szh 仅为演示口令,应替换为足够长的随机口令。另外 'keystone'@'%' 允许从任意主机连接,而 7.5 中 Keystone 只经由 VirtualIP:3307 连接数据库,可以把 '%' 收窄为控制节点/负载均衡器所在网段(例如 'keystone'@'192.168.110.%'),缩小口令被滥用时的影响范围。 [root@controller2:/root]# mysql -uroot -p"123456" MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.03 sec) MariaDB [(none)]> exit Bye [root@controller3:/root]# mysql -uroot -p"123456" MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.03 sec) MariaDB [(none)]> exit Bye
7.5 安装keystone并配置
[root@controller1:/root]# yum install openstack-keystone httpd mod_wsgi -y [root@controller2:/root]# yum install openstack-keystone httpd mod_wsgi -y [root@controller3:/root]# yum install openstack-keystone httpd mod_wsgi -y [root@controller1:/root]# cd /etc/keystone/ [root@controller1:/etc/keystone]# ls default_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html [root@controller1:/etc/keystone]# cp -p keystone.conf{,.bak} [root@controller1:/etc/keystone]# vim /etc/keystone/keystone.conf [cache] backend = oslo_cache.memcache_pool enabled = true memcache_servers = controller1:11211,controller2:11211,controller3:11211 [database] connection = mysql+pymysql://keystone:KEYSTONE_szh@VirtualIP:3307/keystone [token] provider = fernet [root@controller2:/root]# cd /etc/keystone/ [root@controller2:/etc/keystone]# cp -p keystone.conf{,.bak} [root@controller2:/etc/keystone]# vim /etc/keystone/keystone.conf [cache] backend = oslo_cache.memcache_pool enabled = true memcache_servers = controller1:11211,controller2:11211,controller3:11211 [database] connection = mysql+pymysql://keystone:KEYSTONE_szh@VirtualIP:3307/keystone [token] provider = fernet [root@controller3:/root]# cd /etc/keystone/ [root@controller3:/etc/keystone]# cp -p keystone.conf{,.bak} [root@controller3:/etc/keystone]# vim /etc/keystone/keystone.conf [cache] backend = oslo_cache.memcache_pool enabled = true memcache_servers = controller1:11211,controller2:11211,controller3:11211 [database] connection = mysql+pymysql://keystone:KEYSTONE_szh@VirtualIP:3307/keystone [token] provider = fernet //注:查看keystone配置文件 [root@controller1:/root]# egrep -v "^#|^$" /etc/keystone/keystone.conf [root@controller1:/etc/keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone [root@controller2:/etc/keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone [root@controller3:/etc/keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone 注(安全):[database] 的 connection 连接串中明文包含数据库口令,修改后应确认 /etc/keystone/keystone.conf 与备份文件 keystone.conf.bak 的属主/权限为 root:keystone 0640(cp -p 会保留原文件权限,但仍应用 ls -l 复核),不要让其他用户可读;上面 egrep 打印出的有效配置同样含口令,贴到工单或文档前请先脱敏。三个节点共用同一套 Galera 数据库,因此 db_sync 只需在任意一个节点执行一次即可,在另外两个节点重复执行不会再产生变更。 注:假如出现同步失败的话,需要执行如下操作(参考pip) ##下载pip
wget https://bootstrap.pypa.io/get-pip.py ##安装pip python get-pip.py ##查看版本 pip -V ##查看安装路径 find / -name pip ##软链接 ####ln -s -f /usr/lib/python2.7/site-packages/pip /usr/bin/pip pip uninstall urllib3 -y pip uninstall chardet -y pip install requests ####hash -r python get-pip.py [root@controller3:/root]# pip install requests DEPRECATION: Python 2.7 will reach the end of its life on August 10th, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support Requirement already satisfied: requests in /usr/lib/python2.7/site-packages (2.19.1) Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/lib/python2.7/site-packages (from requests) (3.0.4) Requirement already satisfied: idna<2.8,>=2.5 in /usr/lib/python2.7/site-packages (from requests) (2.5) Collecting urllib3<1.24,>=1.21.1 Downloading https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl (133kB) |████████████████████████████████| 143kB 85kB/s Installing collected packages: urllib3 Found existing installation: urllib3 1.10.2 Uninstalling urllib3-1.10.2: Successfully uninstalled urllib3-1.10.2 Successfully installed urllib3-1.23 注(安全/供应链):上述步骤是把从公网下载的 get-pip.py 直接以 root 身份执行,并用 pip 卸载、替换了由 RPM 管理的 urllib3(1.10.2 → 1.23)和 chardet,全程没有任何校验,绕过了 yum 的包签名和依赖管理,可能影响系统中其他依赖这些库的 Python 组件,也会让后续 yum 升级时出现文件冲突。仅在 db_sync 确实因此报错时才执行,并优先尝试用发行版/OpenStack 源中的软件包解决;若必须使用 pip,请先核对下载脚本与 wheel 的哈希,并把改动记录下来以便审计和回滚。 [root@controller2:/root]# mysql -uroot -p"123456" MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | keystone | | mysql | | performance_schema | +--------------------+ 4 rows in set (0.00 sec) MariaDB [(none)]> use keystone; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [keystone]> show tables; +-----------------------------+ | Tables_in_keystone | +-----------------------------+ | access_token | | 
application_credential | | application_credential_role | | assignment | | config_register | | consumer | | credential | | endpoint | | endpoint_group | | federated_user | | federation_protocol | | group | | id_mapping | | identity_provider | | idp_remote_ids | | implied_role | | limit | | local_user | | mapping | | migrate_version | | nonlocal_user | | password | | policy | | policy_association | | project | | project_endpoint | | project_endpoint_group | | project_tag | | region | | registered_limit | | request_token | | revocation_event | | role | | sensitive_config | | service | | service_provider | | system_assignment | | token | | trust | | trust_role | | user | | user_group_membership | | user_option | | whitelisted_config | +-----------------------------+ 44 rows in set (0.00 sec) MariaDB [keystone]> exit Bye //或者使用下列方法进行数据库连接测试(注意该命令同样把口令写在了命令行上,生产环境请改为交互输入) [root@controller1:/root]# mysql -ukeystone -p"KEYSTONE_szh" -P3307 -hVirtualIP -e "use keystone;show tables;" //初始化fernet令牌库(fernet_setup/credential_setup 只在 controller1 上执行一次,生成的密钥在 7.5 末尾复制到其余节点) [root@controller1:/etc/keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone [root@controller1:/etc/keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone //创建keystone用户,初始化service实体和endpoint api端点 注:创建keystone服务实体和身份认证服务,以下三种类型分别为公共的、内部的、管理的,<1>在endpoint表增加3个服务实体的API端点,<2>在local_user表中创建admin用户,<3>在project表中创建admin和Default项目(默认域)<4>在role表创建3种角色,admin,member和reader <5>在service表中创建identity服务 注(安全):--bootstrap-password admin 创建的是整个云平台权限最高的账号,admin 只是演示口令,生产环境必须改为强口令,并在首次登录后再次修改;三个端点都使用 http://,意味着口令和令牌会以明文在网络上传输,应在 VirtualIP 所在的负载均衡层终结 TLS 并把端点改为 https://(bootstrap 之后也可以用 openstack endpoint set 调整)。由于三个节点共用数据库,bootstrap 只需在一个节点执行即可,重复执行不会重复创建对象。 [root@controller1:/root]# keystone-manage bootstrap --bootstrap-password admin > --bootstrap-admin-url http://VirtualIP:5001/v3/ > --bootstrap-internal-url http://VirtualIP:5001/v3/ > --bootstrap-public-url http://VirtualIP:5001/v3/ > --bootstrap-region-id RegionOne [root@controller2:/root]# keystone-manage bootstrap --bootstrap-password admin > --bootstrap-admin-url http://VirtualIP:5001/v3/ > --bootstrap-internal-url http://VirtualIP:5001/v3/ > --bootstrap-public-url http://VirtualIP:5001/v3/ > --bootstrap-region-id RegionOne 
[root@controller3:/root]# keystone-manage bootstrap --bootstrap-password admin > --bootstrap-admin-url http://VirtualIP:5001/v3/ > --bootstrap-internal-url http://VirtualIP:5001/v3/ > --bootstrap-public-url http://VirtualIP:5001/v3/ > --bootstrap-region-id RegionOne [root@controller1:/etc/keystone]# scp -r credential-keys/ fernet-keys/ controller2:/etc/keystone/ [root@controller1:/etc/keystone]# scp -r credential-keys/ fernet-keys/ controller3:/etc/keystone/ [root@controller2:/etc/keystone]#chown keystone:keystone /etc/keystone/credential-keys/ -R [root@controller2:/etc/keystone]#chown keystone:keystone /etc/keystone/fernet-keys/ -R [root@controller3:/etc/keystone]#chown keystone:keystone /etc/keystone/credential-keys/ -R [root@controller3:/etc/keystone]#chown keystone:keystone /etc/keystone/fernet-keys/ -R 注(安全):fernet-keys/ 是签发和校验所有 Keystone 令牌的对称密钥,credential-keys/ 则用于加密 credential 表中的数据;拿到这些密钥的人可以伪造任意用户的令牌,因此它们的保护等级应与 admin 口令相同。三个节点必须持有完全一致的密钥,否则某个节点签发的令牌在其他节点上会校验失败。scp 之后除了 chown,还应在每个节点上用 ls -la 复核:目录为 0700、密钥文件为 0600、属主为 keystone,并确认传输过程中没有在 root 的家目录等位置留下副本。日后用 keystone-manage fernet_rotate 轮换密钥时,同样只能在一个节点上执行,然后用同样的方式同步到其余节点。
7.6 配置http服务 [controller$表示controller1、controller2和controller3]
[root@controller$:/root]# vim /etc/httpd/conf/httpd.conf ServerName VirtualIP //上一步骤为在httpd.conf文件中添加ServerName VirtualIP [root@controller$:/root]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ [root@controller$:/root]# ll /etc/httpd/conf.d/ total 16 -rw-r--r--. 1 root root 2926 Aug 8 14:41 autoindex.conf -rw-r--r--. 1 root root 366 Aug 8 14:42 README -rw-r--r--. 1 root root 1252 Aug 6 16:44 userdir.conf -rw-r--r--. 1 root root 824 Aug 6 16:44 welcome.conf lrwxrwxrwx. 1 root root 38 Aug 6 17:00 wsgi-keystone.conf -> /usr/share/keystone/wsgi-keystone.conf [root@controller$:/root]# systemctl enable httpd.service && systemctl start httpd.service [root@controller$:/root]# systemctl status httpd.service [root@controller$:/root]# vim openrc export OS_USERNAME=admin export OS_PASSWORD=admin export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_DOMAIN_NAME=Default export OS_AUTH_URL=http://VirtualIP:5001/v3 export OS_IDENTITY_API_VERSION=3 [root@controller$:/root]# source openrc [root@controller$:/root]# openstack user list +----------------------------------+-------+ | ID | Name | +----------------------------------+-------+ | 5b63c4528d2a4147b52dd720a4a387fe | admin | +----------------------------------+-------+ [root@controller$:/root]# vim admin-openrc export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=admin export OS_AUTH_URL=http://VirtualIP:5001/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 [root@controller3:/root]# vim demo-openrc export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=myproject export OS_USERNAME=myuser export OS_PASSWORD=myuser export OS_AUTH_URL=http://VirtualIP:5001/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 注:查看是否已经设置开启自启动 [root@controller1:/root]# systemctl list-unit-files | grep httpd httpd.service enabled 注(安全):openrc、admin-openrc、demo-openrc 以明文保存了管理员和 demo 用户的口令,应设置为仅 root 可读(chmod 600),不要随文档、镜像或版本库分发;admin/admin、myuser/myuser 仅为演示口令。demo-openrc 中引用的 myuser/myproject 要到 7.7 创建之后才可用。OS_AUTH_URL 使用 http://,认证请求中的口令和返回的令牌都是明文传输;这里的 5001 端口推测是 VirtualIP 上负载均衡的前端端口(在本节之外配置),与发行版自带 wsgi-keystone.conf 中监听的端口不同,TLS 最好在该层终结。另外 conf.d 下的 welcome.conf、autoindex.conf、userdir.conf 是 httpd 默认配置,控制节点上用不到,可按需禁用以减少暴露面。
7.7 创建domain, projects, users, roles
注:由于三个控制节点共用同一套 Galera 数据库,domain/project/user/role 只需在任意一个控制节点上创建一次,其余节点随即可见(下文在 controller1、controller3 上执行 openstack project list 即为验证)。执行前需先 source 7.6 中的 admin-openrc 获得管理员身份。
[root@controller2:/root]# openstack domain create --description "An Example Domain" example +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | An Example Domain | | enabled | True | | id | f46ed6dd1c554eddb5175c265c6c98d4 | | name | example | | tags | [] | +-------------+----------------------------------+ [root@controller2:/root]# openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | default | | enabled | True | | id | 0e73fe04735d4acba7f4db1ba10a47a8 | | is_domain | False | | name | service | | parent_id | default | | tags | [] | +-------------+----------------------------------+ [root@controller2:/root]# openstack project list +----------------------------------+---------+ | ID | Name | +----------------------------------+---------+ | 0e73fe04735d4acba7f4db1ba10a47a8 | service | | c80a9b4f0a624900bfb6b52e640ae7f7 | admin | +----------------------------------+---------+ [root@controller1:/root]# openstack project list +----------------------------------+---------+ | ID | Name | +----------------------------------+---------+ | 0e73fe04735d4acba7f4db1ba10a47a8 | service | | c80a9b4f0a624900bfb6b52e640ae7f7 | admin | +----------------------------------+---------+ [root@controller3:/root]# openstack project list +----------------------------------+---------+ | ID | Name | +----------------------------------+---------+ | 0e73fe04735d4acba7f4db1ba10a47a8 | service | | c80a9b4f0a624900bfb6b52e640ae7f7 | admin | +----------------------------------+---------+ [root@controller2:/root]# openstack project create --domain default --description "Demo Project" myproject +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description 
| Demo Project | | domain_id | default | | enabled | True | | id | 9e73d22ab12f45cd99c72bc5c04ff961 | | is_domain | False | | name | myproject | | parent_id | default | | tags | [] | +-------------+----------------------------------+ [root@controller2:/root]# openstack user create --domain default --password=szhmyuser +---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | domain_id | default | | enabled | True | | id | 61c06b9891a64e68b87d84dbcec5e9ac | | name | myuser | | options | {} | | password_expires_at | None | +---------------------+----------------------------------+ 注:上面的 openstack user create 命令按原样写法缺少位置参数(用户名),而输出显示创建的是 myuser,很可能是 `--password=szh myuser` 在整理时丢失了空格;这样一来这里设置的口令与 7.6 中 demo-openrc 的 OS_PASSWORD=myuser 并不一致,请以实际设置的口令为准并保持两处一致。另外 --password= 会把口令留在 shell 历史中,建议改用 `openstack user create --domain default --password-prompt myuser` 交互输入。 [root@controller2:/root]# openstack role create myrole [root@controller2:/root]# openstack role add --project myproject --user myuser myrole [root@controller2:/root]# unset OS_AUTH_URL OS_PASSWORD [root@controller2:/root]# openstack --os-auth-url http://VirtualIP:5001/v3 > --os-project-domain-name Default --os-user-domain-name Default > --os-project-name admin --os-username admin token issue Password: //输入密码: The request you have made requires authentication. 
(HTTP 401) (Request-ID: req-6117e2db-4501-4202-b794-918f61d0643e) //注:HTTP 401 表示此次交互输入的口令未通过认证,下面重新输入后成功 [root@controller2:/root]# openstack --os-auth-url http://VirtualIP:5001/v3 > --os-project-domain-name Default --os-user-domain-name Default > --os-project-name admin --os-username admin token issue +------------+------------------------------------------------------------------------ | Field | Value --------------------------------------------------------------------------------+ | expires | 2020-08-10T17:13:23+0000 | id | gAAAAABeIIujGF9vkLny2yr73nYj2WEpHzS8w6nxf2eq-8VG9J3g1so_k7NesxKQjrgeoLLPcZS9UeA7ETwjGboGTRAoeXZRCDffQQFOA_ywTIcMHSRTKRHEUsf949SPxSWk6eOHjcncpFrW5gt0GF-dKBbOgqiaW3mdxEnO2mitZwjAiu-v07A | | project_id | c80a9b4f0a624900bfb6b52e640ae7f7 | user_id | 5b63c4528d2a4147b52dd720a4a387fe ------------------------------------------------------------------------+ [root@controller2:/root]# . admin-openrc [root@controller2:/root]# openstack token issue +------------+------------------------------------------------------------------------ | Field | Value +------------+------------------------------------------------------------------------ | expires | 2020-08-10T16:27:37+0000 | id | gAAAAABeIIDpJl7tk9hlti4O1pEst-wGQeeehdN4e2OzRPSy-YBb6dYcwZknlnLdj9Cjb5rzSYZ1gGLcvONHh4z6ot2UiXdPcuwlkJ-HOyzGMFyAHr3jyUSRr-5lB-o8E05PRvJq5u4NHSunG5mW-D3J-ila-dfUJ2IsOtu8MmE90pi0sEuK8eI | | project_id | c80a9b4f0a624900bfb6b52e640ae7f7 | user_id | 5b63c4528d2a4147b52dd720a4a387fe ---------------------------+ //测试是否可以使用admin账户进行登录认证,请求认证令牌 [root@controller1:/root]# openstack --os-auth-url http://VirtualIP:5001/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue 注(安全):`openstack token issue` 返回的 id 是持有者令牌(bearer token),在 expires 到期之前任何拿到它的人都可以直接以 admin 身份调用 API,请勿把它粘贴到文档、工单或聊天记录中;上面示例中的令牌已经过期,仅供了解输出格式。