部署mariadb数据库
控制节点:
yum install mariadb mariadb-server python2-PyMySQL -y
编辑:
/etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 控制节点管理网络ip
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
启服务:
systemctl enable mariadb.service
systemctl start mariadb.service
#初始化mysql
mysql_secure_installation
部署消息队列rabbitmq(验证方式:http://IP:15672/ 用户:guest 密码:guest)
控制节点:
yum install rabbitmq-server -y
启动服务:
systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service
新建rabbitmq用户密码:
rabbitmqctl add_user openstack 123456
为新建的用户openstack设定权限:
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
部署memcached缓存(为keystone服务缓存tokens)
控制节点:
yum install memcached python-memcached -y
启动服务:
systemctl enable memcached.service
systemctl start memcached.service
认证服务keystone部署
一:安装和配置服务
1.建库建用户
mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'
IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'
IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'控制节点IP或主机名'
IDENTIFIED BY '123456';
flush privileges;
2、安装keystone和mod_wsgi
yum install openstack-keystone httpd mod_wsgi -y
3、编辑/etc/keystone/keystone.conf
[DEFAULT]
admin_token = 123456 #建议用命令制作token:openssl rand -hex 10
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
#Token Provider:UUID, PKI, PKIZ, or Fernet #http://blog.csdn.net/miss_yang_cloud/article/details/49633719
4.同步修改到数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
5.初始化fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6.配置apache服务
编辑:/etc/httpd/conf/httpd.conf
ServerName controller
编辑:/etc/httpd/conf.d/wsgi-keystone.conf
新增配置
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
7.启动服务:
systemctl enable httpd.service
systemctl restart httpd.service #因为之前自定义基于http协议的yum源时已经启动过了httpd,所以此处需要restart
二:创建服务实体和访问端点
1.实现配置管理员环境变量,用于获取后面创建的权限
export OS_TOKEN=123456
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
2.基于上一步给的权限,创建认证服务实体(目录服务)
openstack service create
--name keystone --description "OpenStack Identity" identity
3.基于上一步建立的服务实体,创建访问该实体的三个api端点
openstack endpoint create --region RegionOne
identity public http://controller:5000/v3
openstack endpoint create --region RegionOne
identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne
identity admin http://controller:35357/v3
三:创建域,租户,用户,角色,把四个元素关联到一起
建立一个公共的域名:
openstack domain create --description "Default Domain" default
管理员:admin
openstack project create --domain default
--description "Admin Project" admin
openstack user create --domain default
--password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
普通用户:demo
openstack project create --domain default
--description "Demo Project" demo
openstack user create --domain default
--password-prompt demo
openstack role create user
openstack role add --project demo --user demo user
为后续的服务创建统一租户service
解释:后面每搭建一个新的服务都需要在keystone中执行四种操作:1.建租户 2.建用户 3.建角色 4.做关联
后面所有的服务公用一个租户service,都是管理员角色admin,所以实际上后续的服务安装关于keysotne
的操作只剩2,4
openstack project create --domain default
--description "Service Project" service
四:验证操作:
编辑:/etc/keystone/keystone-paste.ini
在[pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] 三个地方
移走:admin_token_auth
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3
--os-project-domain-name default --os-user-domain-name default
--os-project-name admin --os-username admin token issue
Password:
五:新建客户端脚本文件
管理员:admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
普通用户demo:demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
效果:
source admin-openrc
[root@controller01 ~]# openstack token issue
