  OpenStack Kilo (2): Keystone deployment

    Deployed on the controller node

    Configure the database

    MariaDB [(none)]> CREATE DATABASE keystone;
    Query OK, 1 row affected (0.00 sec)
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> flush privileges ;
    Query OK, 0 rows affected (0.00 sec)
    

    Install Keystone

    The Keystone service listens on ports 5000 and 35357. Since the Apache HTTP server is configured to listen on these two ports, disable Keystone from starting automatically at boot to avoid a port conflict:

    root@controller:~# echo "manual" > /etc/init/keystone.override
    

    Install Keystone and the related packages:

    root@controller:~# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
    

    Generate the admin token:

    root@controller:~# openssl rand -hex 10
    38b35fc6a494b91f56cc
    

    Configure Keystone

    Configuration file: /etc/keystone/keystone.conf

    root@controller:~# vi /etc/keystone/keystone.conf
    # [DEFAULT] section: set the initial admin_token
    [DEFAULT]
    verbose = True
    admin_token = 38b35fc6a494b91f56cc
    
    # [database] section: configure the database connection
    [database]
    connection = mysql://keystone:keystone@controller/keystone
    
    # [memcache] section: configure the memcache service
    [memcache]
    servers = 127.0.0.1:11211
    
    # [revoke] section: configure the SQL revocation driver
    [revoke]
    driver = keystone.contrib.revoke.backends.sql.Revoke
    
    # [token] section: configure the UUID token provider and the token persistence driver
    [token]
    provider = keystone.token.providers.uuid.Provider
    driver = keystone.token.persistence.backends.sql.Token
    

    Initialize the Keystone database:

    root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
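The token above comes from `openssl rand -hex 10` and is then pasted by hand into keystone.conf before `db_sync` runs. The following Python is an added example, not code from the original post: it generates a token of the same size with the standard library, renders the sections shown above into a file that is never world-readable, and rejects a token that is not hex or is shorter than 20 hex characters (so a leftover placeholder such as `ADMIN` cannot be written). The section names, keys and values are the post's; the scratch output path and the `demo` helper are this example's own assumptions.

```python
"""Generate the Keystone bootstrap admin token and write keystone.conf privately.

Added example, not code from the original post. Section names, keys and values
are the ones shown above; the output path and the demo() helper are this
example's own assumptions.
"""
import configparser
import os
import secrets
import tempfile

HEX_DIGITS = set("0123456789abcdefABCDEF")


def generate_admin_token(nbytes=10):
    """Same as `openssl rand -hex 10`: nbytes of CSPRNG output as 2*nbytes hex characters."""
    return secrets.token_hex(nbytes)


def is_strong_admin_token(token, min_hex_chars=20):
    """Reject placeholders (e.g. ADMIN) and short values: the token must be hex
    and at least min_hex_chars long (20 hex chars = 80 bits)."""
    return len(token) >= min_hex_chars and all(c in HEX_DIGITS for c in token)


def render_keystone_conf(admin_token, db_password, db_host="controller"):
    """Build the keystone.conf sections used in this post as a ConfigParser."""
    if not is_strong_admin_token(admin_token):
        raise ValueError("admin_token is not a sufficiently long hex value")
    cfg = configparser.ConfigParser(interpolation=None)  # no % interpolation in passwords
    cfg["DEFAULT"] = {"verbose": "True", "admin_token": admin_token}
    cfg["database"] = {
        "connection": f"mysql://keystone:{db_password}@{db_host}/keystone"}
    cfg["memcache"] = {"servers": "127.0.0.1:11211"}
    cfg["revoke"] = {"driver": "keystone.contrib.revoke.backends.sql.Revoke"}
    cfg["token"] = {
        "provider": "keystone.token.providers.uuid.Provider",
        "driver": "keystone.token.persistence.backends.sql.Token"}
    return cfg


def write_private_conf(path, cfg):
    """Write cfg atomically with mode 0600 so the bootstrap token is never
    world-readable, even briefly. Returns the resulting permission bits."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return os.stat(path).st_mode & 0o777


def read_admin_token(path):
    """Read admin_token back from a keystone.conf."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    return cfg["DEFAULT"].get("admin_token")


def demo(workdir=None):
    """Stand-alone run in a scratch directory (hypothetical path, not /etc/keystone)."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "keystone.conf")
    token = generate_admin_token()
    mode = write_private_conf(path, render_keystone_conf(token, "keystone"))
    return {"path": path, "token": token, "mode": mode,
            "readback": read_admin_token(path)}


if __name__ == "__main__":
    print(demo())
```

On a real controller the file must still be readable by the keystone user that the WSGI processes run as, so after writing it chown it to that user (or use mode 0640 with group keystone) rather than leaving it root-only.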
    

    Configure the Apache2 front end for Keystone

    Add to apache2.conf:

    root@controller:~# vi /etc/apache2/apache2.conf
    ServerName controller
    

    Create the file /etc/apache2/sites-available/wsgi-keystone.conf with the following content:

    Listen 5000
    Listen 35357
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /var/www/cgi-bin/keystone/main
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        LogLevel info
        ErrorLog /var/log/apache2/keystone-error.log
        CustomLog /var/log/apache2/keystone-access.log combined
    </VirtualHost>
    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        LogLevel info
        ErrorLog /var/log/apache2/keystone-error.log
        CustomLog /var/log/apache2/keystone-access.log combined
    </VirtualHost>
    

    Enable the Identity service virtual hosts:

    root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled/
    

    Create the directory structure for the WSGI components:

    root@controller:~# mkdir -p /var/www/cgi-bin/keystone
    

    WSGI components:

    root@controller:~# vi /var/www/cgi-bin/keystone/admin
    import os
    from keystone.server import wsgi as wsgi_server
    name = os.path.basename(__file__)
    application = wsgi_server.initialize_application(name)
    
    root@controller:~# vi /var/www/cgi-bin/keystone/main
    import os
    from keystone.server import wsgi as wsgi_server
    name = os.path.basename(__file__)
    application = wsgi_server.initialize_application(name)
    

    Set the directory permissions and restart apache2:

    root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
    root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*
    root@controller:~# service apache2 restart
     * Restarting web server apache2 [ OK ]
    

    Delete the SQLite database that Ubuntu creates by default:

    root@controller:~# rm -f /var/lib/keystone/keystone.db
    

    Configure the service entity and API endpoints

    Set temporary environment variables for the authentication token and the endpoint URL:

    root@controller:~# export OS_TOKEN=38b35fc6a494b91f56cc
    root@controller:~# export OS_URL=http://controller:35357/v2.0
    

    Create the service entity for the Identity service:

    root@controller:~# openstack service create --name keystone --description "OpenStack Identity" identity
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Identity               |
    | enabled     | True                             |
    | id          | 6a5ef8cc6d7146b49a09c2b5a250d98c |
    | name        | keystone                         |
    | type        | identity                         |
    +-------------+----------------------------------+
    

    Configure the API endpoints for the Identity service:

    root@controller:~# openstack endpoint create --publicurl http://controller:5000/v2.0 --internalurl http://controller:5000/v2.0 --adminurl http://controller:35357/v2.0 --region RegionOne identity
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | adminurl     | http://controller:35357/v2.0     |
    | id           | 4f9a0e3b90d843b88e7585a799db18ea |
    | internalurl  | http://controller:5000/v2.0      |
    | publicurl    | http://controller:5000/v2.0      |
    | region       | RegionOne                        |
    | service_id   | 6a5ef8cc6d7146b49a09c2b5a250d98c |
    | service_name | keystone                         |
    | service_type | identity                         |
    +--------------+----------------------------------+
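A check worth running on the three URLs before `openstack endpoint create` is issued, added here as an example and not part of the original post: the public and internal URLs must stay on port 5000, the admin URL on 35357, and all three must name the same host and API path, so that the admin API is never registered as the public endpoint. The expected ports and the host/path rule follow the command above; only the URL strings are inspected, nothing is contacted over the network.

```python
"""Sanity-check the three Identity endpoint URLs before registering them.

Added example, not part of the original post. Expected ports and the host/path
consistency rule follow the `openstack endpoint create` command above; the URL
strings are inspected only, nothing is contacted over the network.
"""
from urllib.parse import urlsplit

PUBLIC_PORT = 5000   # public and internal API, used by every client
ADMIN_PORT = 35357   # admin API, must not be advertised as the public endpoint


def check_identity_endpoints(publicurl, internalurl, adminurl):
    """Return a list of findings; an empty list means the triple is consistent."""
    parts = {"publicurl": urlsplit(publicurl),
             "internalurl": urlsplit(internalurl),
             "adminurl": urlsplit(adminurl)}
    findings = []
    for name, p in parts.items():
        if p.scheme not in ("http", "https"):
            findings.append(f"{name}: unexpected scheme {p.scheme!r}")
        if not p.hostname:
            findings.append(f"{name}: missing host")
    hosts = {p.hostname for p in parts.values()}
    if len(hosts) > 1:
        findings.append(f"endpoints name different hosts: {sorted(h or '' for h in hosts)}")
    paths = {p.path.rstrip("/") for p in parts.values()}
    if len(paths) > 1:
        findings.append(f"endpoints advertise different API paths: {sorted(paths)}")
    expected = {"publicurl": PUBLIC_PORT, "internalurl": PUBLIC_PORT, "adminurl": ADMIN_PORT}
    for name, port in expected.items():
        if parts[name].port != port:
            findings.append(f"{name}: expected port {port}, got {parts[name].port}")
    return findings


if __name__ == "__main__":
    # The post's own values: expected to produce no findings.
    print(check_identity_endpoints("http://controller:5000/v2.0",
                                   "http://controller:5000/v2.0",
                                   "http://controller:35357/v2.0"))
```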
    

    Create projects (tenants), users and roles

    Create the admin tenant:

    root@controller:~# openstack project create --description "Admin Project" admin
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Admin Project                    |
    | enabled     | True                             |
    | id          | 89254dc0494c4f15936f0f762ff050eb |
    | name        | admin                            |
    +-------------+----------------------------------+
    

    Create the admin user:

    root@controller:~# openstack user create --password-prompt admin
    User Password:admin
    Repeat User Password:admin
    +----------+----------------------------------+
    | Field    | Value                            |
    +----------+----------------------------------+
    | email    | None                             |
    | enabled  | True                             |
    | id       | a9806b1ab70046a3b70b8c06f7f3ec82 |
    | name     | admin                            |
    | username | admin                            |
    +----------+----------------------------------+
    

    Create the admin role:

    root@controller:~# openstack role create admin
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | f0b9e3c9be924357bf8e918dbc2faf91 |
    | name  | admin                            |
    +-------+----------------------------------+
    

    Add the admin role to the admin tenant and user:

    root@controller:~# openstack role add --project admin --user admin admin
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | f0b9e3c9be924357bf8e918dbc2faf91 |
    | name  | admin                            |
    +-------+----------------------------------+
    

    Create the service project

    Create a service project for the other OpenStack services:

    root@controller:~# openstack project create --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | enabled     | True                             |
    | id          | 48aa039e42004e3ba6cc3f20852b98b9 |
    | name        | service                          |
    +-------------+----------------------------------+
    

    Create a regular project and user

    Create the demo project:

    root@controller:~# openstack project create --description "Demo Project" demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | enabled     | True                             |
    | id          | adc9030ca7d64a8994fb4ac66dbe5424 |
    | name        | demo                             |
    +-------------+----------------------------------+
    

    Create the demo user:

    root@controller:~# openstack user create --password-prompt demo
    User Password:demo
    Repeat User Password:demo
    +----------+----------------------------------+
    | Field    | Value                            |
    +----------+----------------------------------+
    | email    | None                             |
    | enabled  | True                             |
    | id       | d7f9819344a948139df33094deafb8a6 |
    | name     | demo                             |
    | username | demo                             |
    +----------+----------------------------------+
    

    Create the user role:

    root@controller:~# openstack role create user
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | 7154d51117a74ec091b475cc7386fad7 |
    | name  | user                             |
    +-------+----------------------------------+
    

    Add the user role to the demo tenant and user:

    root@controller:~# openstack role add --project demo --user demo user
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | 7154d51117a74ec091b475cc7386fad7 |
    | name  | user                             |
    +-------+----------------------------------+
    

    Other

    For security reasons, disable the temporary authentication token mechanism.
    1. Edit /etc/keystone/keystone-paste.ini with vi:

    Remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections:

    [pipeline:public_api]
    pipeline = …
    [pipeline:admin_api]
    pipeline = …
    [pipeline:api_v3]
    pipeline = …
    

    2. Unset the temporary environment variables:

    root@controller:~# unset OS_TOKEN OS_URL
    

    3. The admin script, /root/admin-openrc.sh:

    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=admin
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://$(hostname):35357/v3
    export OS_IMAGE_API_VERSION=2
    export OS_VOLUME_API_VERSION=2
    export OS_REGION_NAME=RegionOne
    export OS_COMPUTE_API_VERSION=3
    export OS_IDENTITY_API_VERSION=2
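Steps 1 to 3 above end the bootstrap phase. The following Python is an added example, not the post's own code, that automates the checks a practitioner wants after them: `remove_admin_token_auth` strips the filter from the three pipelines of keystone-paste.ini (`SAMPLE_PASTE_INI` is a constructed stand-in for the real file, whose pipeline contents the post elides), `admin_token_auth_still_enabled` reports whether the filter is still present in any of them, and `check_openrc` reads an admin-openrc.sh together with the current environment and flags a lingering OS_TOKEN or OS_URL, an OS_PASSWORD equal to the user name, and a version in OS_AUTH_URL that disagrees with OS_IDENTITY_API_VERSION. Run against the script above, the last check reports the v3 URL paired with version 2 and the admin/admin pair.

```python
"""Finish the bootstrap: drop admin_token_auth from the paste pipelines and
check admin-openrc.sh.

Added example, not the post's own code. SAMPLE_PASTE_INI is a constructed
stand-in for /etc/keystone/keystone-paste.ini (the real pipelines hold more
filters); the functions operate on whatever text they are given.
"""
import configparser
import re

PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")

# Constructed sample, not the real file contents.
SAMPLE_PASTE_INI = """\
[pipeline:public_api]
pipeline = sizelimit token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit token_auth admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit token_auth admin_token_auth json_body service_v3
"""


def remove_admin_token_auth(paste_ini_text):
    """Return (new_text, changed_sections). Only the `pipeline =` line of the
    three target sections is rewritten; every other line is copied unchanged."""
    out, changed, current = [], [], None
    for line in paste_ini_text.splitlines(keepends=True):
        header = re.match(r"\s*\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
        elif current in PIPELINES and re.match(r"\s*pipeline\s*=", line):
            key, _, value = line.partition("=")
            filters = value.split()
            if "admin_token_auth" in filters:
                filters = [f for f in filters if f != "admin_token_auth"]
                line = f"{key}= {' '.join(filters)}\n"
                changed.append(current)
        out.append(line)
    return "".join(out), changed


def admin_token_auth_still_enabled(paste_ini_text):
    """Detection side: list the target pipelines that still carry the filter."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(paste_ini_text)
    return [s for s in PIPELINES
            if s in cfg and "admin_token_auth" in cfg[s].get("pipeline", "").split()]


def check_openrc(openrc_text, environ):
    """Findings for an admin-openrc.sh plus the current environment: leftover
    OS_TOKEN/OS_URL, password equal to the user name, and an OS_AUTH_URL
    version that disagrees with OS_IDENTITY_API_VERSION."""
    exported = {}
    for line in openrc_text.splitlines():
        m = re.match(r"\s*export\s+(\w+)=(.*)", line)
        if m:
            exported[m.group(1)] = m.group(2).strip()
    findings = []
    for leftover in ("OS_TOKEN", "OS_URL"):
        if leftover in environ or leftover in exported:
            findings.append(f"{leftover} is still set; stop using the bootstrap token once admin works")
    if exported.get("OS_PASSWORD") and exported["OS_PASSWORD"] == exported.get("OS_USERNAME"):
        findings.append("OS_PASSWORD equals OS_USERNAME")
    m = re.search(r"/v(\d)", exported.get("OS_AUTH_URL", ""))
    declared = exported.get("OS_IDENTITY_API_VERSION")
    if m and declared and m.group(1) != declared:
        findings.append(f"OS_AUTH_URL is v{m.group(1)} but OS_IDENTITY_API_VERSION={declared}")
    return findings


if __name__ == "__main__":
    import os
    cleaned, changed = remove_admin_token_auth(SAMPLE_PASTE_INI)
    print("changed:", changed, "still enabled:", admin_token_auth_still_enabled(cleaned))
    print(check_openrc("export OS_AUTH_URL=http://controller:35357/v3\n"
                       "export OS_IDENTITY_API_VERSION=2\n", os.environ))
```

Keep the two halves separate in practice: rewrite the paste file once, then run the detection function from a periodic job, because a package upgrade can reinstall a keystone-paste.ini with the filter back in place.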
    
  Original article: https://www.cnblogs.com/wshenjin/p/11365916.html