    OpenStack: Keystone deployment

    Part 1: Version information

    Official documentation: http://docs.openstack.org/newton/install-guide-rdo/keystone.html

    We deploy the Newton release. OpenStack ships a new release roughly every six months; rather than chase every one, it is better to pick a release, study it in depth, and aim to contribute code back to the community.

    Part 2: Deploy Keystone

    Reference installation guide: http://docs.openstack.org/newton/install-guide-rdo/

    Check the system information:

    [root@localhost ~]# cat /etc/redhat-release 
    CentOS Linux release 7.0.1406 (Core) 
    [root@localhost ~]# uname -a
    Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

    Preparation:

    yum -y install centos-release-openstack-newton   # install the official yum repository
    yum -y upgrade                                   # update the system
    yum -y install python-openstackclient            # install the client tools
    yum -y install openstack-selinux                 # openstack-selinux manages the SELinux policy for OpenStack components automatically

    Additional note:

    [root@localhost ~]# more /etc/yum.conf 
    [main]
    cachedir=/newton   # create this directory (mkdir below)
    keepcache=1        # change the default 0 to 1 so yum keeps downloaded packages cached locally
    debuglevel=2
    logfile=/var/log/yum.log
    exactarch=1
    obsoletes=1
    gpgcheck=1
    plugins=1
    installonly_limit=5
    bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
    distroverpkg=centos-release

    mkdir /newton

    Deploy the database

    Keystone supports LDAP and MySQL as backend drivers for storing user information, the catalog and so on. Here we use MariaDB.
    yum -y install mariadb mariadb-server python2-PyMySQL 

    Configuration

    Configuration file: /etc/my.cnf.d/openstack.cnf
    
    [mysqld]
    bind-address = 192.168.1.120          # management-network IP of this host
    
    default-storage-engine = innodb       # MySQL storage engine
    innodb_file_per_table                 # one tablespace file per table
    max_connections = 4096                # maximum number of connections
    collation-server = utf8_general_ci    # default collation
    character-set-server = utf8           # character set

    Start the service, enable it at boot, and check its status

    [root@localhost ~]# systemctl start mariadb.service
    [root@localhost ~]# systemctl enable mariadb.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
    [root@localhost ~]# systemctl status mariadb.service
    ● mariadb.service - MariaDB 10.1 database server
       Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
       Active: active (running) since Mon 2017-02-06 09:25:17 EST; 16s ago
     Main PID: 43433 (mysqld)
       Status: "Taking your SQL requests now..."
       CGroup: /system.slice/mariadb.service
               └─43433 /usr/libexec/mysqld --basedir=/usr
    
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Please report any problems at http://mariadb.org/jira
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: The latest information about MariaDB is available at http://mariadb.org/.
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: You can find additional information about the MySQL part at:
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://dev.mysql.com
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Support MariaDB development by buying support/new features from MariaDB
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Corporation Ab. You can contact us about this at sales@mariadb.com.
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Alternatively consider joining our community based development effort:
    Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
    Feb 06 09:25:16 localhost.localdomain mysqld[43433]: 2017-02-06  9:25:16 140101128218816 [Note] /usr/libexec/mysqld (mysqld 10.1.18-MariaD...433 ...
    Feb 06 09:25:17 localhost.localdomain systemd[1]: Started MariaDB 10.1 database server.
    Hint: Some lines were ellipsized, use -l to show in full.

    MariaDB is now running.

    Initialize the database

    mysql_secure_installation

    Deploy Keystone

    Keystone database setup

    [root@localhost ~]# mysql -u root -p
    Enter password: 
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 8
    Server version: 10.1.18-MariaDB MariaDB Server
    
    Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> CREATE DATABASE keystone;   # create the database
    Query OK, 1 row affected (0.00 sec) 
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' 
        ->   IDENTIFIED BY '123';   # account for local access to the keystone database
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' 
        ->   IDENTIFIED BY '123';   # account for remote access to the keystone database
    Query OK, 0 rows affected (0.00 sec)

    Install the packages:

    # The Keystone package is openstack-keystone.
    # httpd and mod_wsgi are installed because the community recommends running Keystone behind Apache.
    # openstack-keystone is essentially a WSGI web app and httpd is a WSGI-capable web server, so httpd needs the mod_wsgi module.
    yum -y install openstack-keystone httpd mod_wsgi

    Configure /etc/keystone/keystone.conf

    # Tell openstack-keystone how to connect to its backend database "keystone".
    # mysql+pymysql: PyMySQL is a Python library for running native SQL against MySQL.
    # The host must be the bind-address set in openstack.cnf; note that the password 123 is not quoted.
    [database]
    connection = mysql+pymysql://keystone:123@192.168.1.120/keystone
    # fernet is the token provider (the way tokens are generated)
    [token]
    provider = fernet

    Initialize the keystone database

    # Keystone uses a Python ORM (object-relational mapping); this step creates the table schema in the database
    su -s /bin/sh -c "keystone-manage db_sync" keystone

    Initialize the Fernet key repositories

    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

    Integrate Keystone with Apache

    First change the hostname

    hostnamectl set-hostname controller

    Set /etc/hosts

    192.168.1.120 controller

    Configure /etc/httpd/conf/httpd.conf

    ServerName controller

    Add the configuration file for the mod_wsgi module

    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    Note: copying the file instead of symlinking it also works.

    Start Apache and enable it at boot

    systemctl start httpd.service
    systemctl enable httpd.service

    Part 3: Keystone operations

    1: Create the Keystone catalog

    Configure /etc/keystone/keystone.conf

    [DEFAULT]
    admin_token = 123

    Set the environment variables

    # OS_TOKEN = the admin_token from the configuration file.
    # During filter processing, the admin_token_auth middleware sets is_admin=True for a request carrying it:
    # whoever holds this admin_token is an administrator.
    
    export OS_TOKEN=123   # equal to the admin_token value in keystone.conf
    export OS_URL=http://192.168.1.120:35357/v3
    export OS_IDENTITY_API_VERSION=3

    Create the catalog for Keystone

    # With the privileges granted in the previous step, create the identity service entity

    [root@localhost ~]# openstack service create \
    > --name keystone --description "OpenStack Identity" identity
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | OpenStack Identity               |
    | enabled     | True                             |
    | id          | 7ed3a973acd3460883efdc187225ef80 |
    | name        | keystone                         |
    | type        | identity                         |
    +-------------+----------------------------------+
    # Using the service entity just created, create the three API endpoints for accessing it
    [root@localhost ~]# openstack endpoint create --region RegionOne \
    > identity public http://192.168.1.120:5000/v3
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 37d4397231f74a5b98c48fd1220d7cd0 |
    | interface    | public                           |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 7ed3a973acd3460883efdc187225ef80 |
    | service_name | keystone                         |
    | service_type | identity                         |
    | url          | http://192.168.1.120:5000/v3     |
    +--------------+----------------------------------+
    [root@localhost ~]# openstack endpoint create --region RegionOne \
    > identity internal http://192.168.1.120:5000/v3
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | 72b8b7a700124e3f8876c6e74fd7b0c5 |
    | interface    | internal                         |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 7ed3a973acd3460883efdc187225ef80 |
    | service_name | keystone                         |
    | service_type | identity                         |
    | url          | http://192.168.1.120:5000/v3     |
    +--------------+----------------------------------+
    [root@localhost ~]# openstack endpoint create --region RegionOne \
    > identity admin http://192.168.1.120:35357/v3
    +--------------+----------------------------------+
    | Field        | Value                            |
    +--------------+----------------------------------+
    | enabled      | True                             |
    | id           | b63e63c081b74dc3829cb9ae045f02f7 |
    | interface    | admin                            |
    | region       | RegionOne                        |
    | region_id    | RegionOne                        |
    | service_id   | 7ed3a973acd3460883efdc187225ef80 |
    | service_name | keystone                         |
    | service_type | identity                         |
    | url          | http://192.168.1.120:35357/v3    |
    +--------------+----------------------------------+

    2: Create a domain, a project, a user and a role, and link the four together

    First create a shared domain:

    [root@localhost ~]# openstack domain create --description "Default Domain" default
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Default Domain                   |
    | enabled     | True                             |
    | id          | 9526862455314cefbf4ad7faa4580582 |
    | name        | default                          |
    +-------------+----------------------------------+

    Create the administrator's entries:

    # Create the admin project

    [root@localhost ~]# openstack project create --domain default \
    > --description "Admin Project" admin
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Admin Project                    |
    | domain_id   | 9526862455314cefbf4ad7faa4580582 |
    | enabled     | True                             |
    | id          | d2cac6cd998a4463abc5e83ec06f8996 |
    | is_domain   | False                            |
    | name        | admin                            |
    | parent_id   | 9526862455314cefbf4ad7faa4580582 |
    +-------------+----------------------------------+
    # Create the admin user
    [root@localhost ~]# openstack user create --domain default \
    > --password-prompt admin
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 9526862455314cefbf4ad7faa4580582 |
    | enabled             | True                             |
    | id                  | 97ecd026af9f46349b76c57af5f7f84c |
    | name                | admin                            |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

    # Create the admin role
    
    [root@localhost ~]# openstack role create admin
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 81fcdb131f3d4a0d8b4fa3bc95cf7f46 |
    | name      | admin                            |
    +-----------+----------------------------------+

    Link the three (project, user, role)
    [root@localhost ~]# openstack role add --project admin --user admin admin

    3: Use bootstrap to do the work of steps 1 and 2 in one go

    # Create the catalog for Keystone
    keystone-manage bootstrap --bootstrap-password 123 \
      --bootstrap-admin-url http://192.168.1.120:35357/v3/ \
      --bootstrap-internal-url http://192.168.1.120:35357/v3/ \
      --bootstrap-public-url http://192.168.1.120:5000/v3/ \
      --bootstrap-region-id RegionOne
    Set the environment variables (is_admin is not set to True; the admin user obtains a token instead)
    export OS_USERNAME=admin
    export OS_PASSWORD=123   # the --bootstrap-password given to keystone-manage
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://192.168.1.120:35357/v3
    export OS_IDENTITY_API_VERSION=3

    4: Create a project, a regular user and a role, and link them

    # Create a project named demo
    [root@localhost ~]# openstack project create --domain default \
    > --description "Demo Project" demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | 9526862455314cefbf4ad7faa4580582 |
    | enabled     | True                             |
    | id          | 1d57f06fda06450298d5cf72777be63d |
    | is_domain   | False                            |
    | name        | demo                             |
    | parent_id   | 9526862455314cefbf4ad7faa4580582 |
    +-------------+----------------------------------+
    # Create the regular user demo
    [root@localhost ~]# openstack user create --domain default \
    > --password-prompt demo
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 9526862455314cefbf4ad7faa4580582 |
    | enabled             | True                             |
    | id                  | 8e28f8c353db487eb17477953e34452c |
    | name                | demo                             |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    # Create the role for regular users, i.e. user
    [root@localhost ~]# openstack role create user
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | d0094c83800043529c37401a28815497 |
    | name      | user                             |
    +-----------+----------------------------------+
    # Link the three
    [root@localhost ~]# openstack role add --project demo --user demo user

    5: Create a shared service tenant for the services that follow

    # All later services share one project, "service", and all use the admin role,
    # so for later service installs only steps 2 and 4 of the Keystone work remain.
    [root@localhost ~]# openstack project create --domain default \
    >   --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | 9526862455314cefbf4ad7faa4580582 |
    | enabled     | True                             |
    | id          | 75026d89c408438086f2314c003fdc8f |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | 9526862455314cefbf4ad7faa4580582 |
    +-------------+----------------------------------+

    Summary: every new service set up later needs four operations in Keystone: 1. create a project 2. create a user 3. create a role 4. link them together

    Part 4: Verification

    Preparation

    For security reasons, the temporary-token authentication mechanism must be disabled (both admin_token in the configuration file and keystone-manage's --bootstrap-password are based on it).
    
    This mechanism sets is_admin=True on the user's request; the source-code analysis will cover it, so for now this understanding is enough.

    Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from each of these three pipelines:
    [pipeline:public_api]
    [pipeline:admin_api]
    [pipeline:api_v3]
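As an added check (not part of the original post), this Python snippet reports which of those three pipelines still list admin_token_auth and rewrites the file text without it, keeping comments and the order of the other filters. The sample ini text is constructed to mirror the Newton layout with shortened filter lists; to check a real host, read /etc/keystone/keystone-paste.ini into a string and pass it in.

```python
import configparser

# The three pipelines the post says to edit; the admin_token_auth filter must go.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")


def pipelines_with_admin_token(text):
    """Return the pipeline sections whose filter chain still lists admin_token_auth."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    hits = []
    for sec in PIPELINES:
        filters = cp.get(sec, "pipeline", fallback="").split() if cp.has_section(sec) else []
        if "admin_token_auth" in filters:
            hits.append(sec)
    return hits


def strip_admin_token_auth(text):
    """Rewrite the file text with admin_token_auth removed from those pipelines.

    Works line by line so comments and the order of the remaining filters are kept.
    """
    out, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]          # entering a new section
        elif current in PIPELINES and stripped.startswith("pipeline"):
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != "admin_token_auth"]
            line = key.rstrip() + " = " + " ".join(filters)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample mirroring the Newton layout of the three pipelines
# (filter lists shortened); not copied from a real host.
SAMPLE_PASTE_INI = """\
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""
```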

    Unset all the environment variables set earlier, for example:

    unset OS_AUTH_URL OS_PASSWORD

    Start verifying, with the admin user

    An error is returned. The message means that only authenticated users can request a token. I did authenticate, so what is the cause?

    There are two causes. First: the hostname mapping in /etc/hosts is not configured correctly.

    Second: after changing the hostname, you did not log in again.

    It is best to take care of this as the very first step.

    Verification succeeded

    Friendly reminder: be sure to add --os-identity-api-version 3, since we are using v3.

    Verify with the demo user:

    Verification method 2:

    [root@controller ~]# curl -i \
    > -H "Content-Type: application/json" \
    > -d '
    > {
    >     "auth": {
    >         "identity": {
    >             "methods": [
    >                 "password"
    >             ],
    >             "password": {
    >                 "user": {
    >                     "domain":{
    >                         "name": "default"
    >                      },
    >                     "name": "admin",
    >                     "password": "123"
    >                 }
    >             }
    >          },
    >          "scope": {
    >             "project": {
    >                 "domain": {
    >                         "name":"default"
    >                 },
    >                "name": "admin"
    >             }
    >          }
    >      }
    > }' \
    > http://127.0.0.1:5000/v3/auth/tokens
    HTTP/1.1 201 Created
    Date: Mon, 06 Feb 2017 15:32:25 GMT
    Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
    X-Subject-Token: gAAAAABYmJcyCNVmoREAng1Q_KKedkdp3SVMnJdZeH1edN-lQk5OLM0_Nfqar-YeObaVn2Go90jFVCMbRk5UE-rRhDPqW33mlccjD2aTrf0U3cHNAj_dqSJJaXNfCPjpwSH2bopieKeOMaY87NtiUhZunTvvPRORsGUrrSR2KGBxRmM0dNpIX-A
    Vary: X-Auth-Token
    x-openstack-request-id: req-5ec4e24e-dc11-4d89-99f9-e9dabbe3a948
    Content-Length: 1124
    Content-Type: application/json
    
    {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "81fcdb131f3d4a0d8b4fa3bc95cf7f46", "name": "admin"}], "expires_at": "2017-02-06T16:33:00.000000Z", "project": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "d2cac6cd998a4463abc5e83ec06f8996", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "public", "id": "37d4397231f74a5b98c48fd1220d7cd0"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "internal", "id": "72b8b7a700124e3f8876c6e74fd7b0c5"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:35357/v3", "region": "RegionOne", "interface": "admin", "id": "b63e63c081b74dc3829cb9ae045f02f7"}], "type": "identity", "id": "7ed3a973acd3460883efdc187225ef80", "name": "keystone"}], "user": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "97ecd026af9f46349b76c57af5f7f84c", "name": "admin"}, "audit_ids": ["Jw80h1bURZ6u6vYzcRA3xg"], "issued_at": "2017-02-06T15:33:06.000000Z"}}
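To show what the curl call above does on the client side, here is an added Python example (not from the original post) that builds the same password-method, project-scoped auth body, then reads a token response: it picks an endpoint from the catalog by service type, interface and region, checks which role the token carries, and compares expires_at against a given time. The response is the page's own, trimmed to the fields used and embedded as a constructed sample; sending the request and reading X-Subject-Token is left to curl or requests.

```python
import json
from datetime import datetime

TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp format Keystone uses in expires_at


def build_auth_request(user, password, project, domain="default"):
    """Body of the curl call above: password method, project-scoped token."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"domain": {"name": domain},
                                  "name": user, "password": password}}},
        "scope": {"project": {"domain": {"name": domain}, "name": project}}}}


def parse_token(body):
    """Return the 'token' object from a /v3/auth/tokens response body."""
    return json.loads(body)["token"]


def pick_endpoint(token, service_type, interface="public", region="RegionOne"):
    """Pick a URL from the catalog the way a client or another service does."""
    for svc in token.get("catalog", []):
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["interface"] == interface and ep["region_id"] == region:
                return ep["url"]
    return None


def has_role(token, role_name):
    """True if the scoped token carries the named role."""
    return any(r["name"] == role_name for r in token.get("roles", []))


def token_is_valid(token, now):
    """Compare expires_at with 'now', given in the same timestamp format."""
    return datetime.strptime(now, TS) < datetime.strptime(token["expires_at"], TS)


# Constructed sample: the page's response, trimmed to the fields used here.
SAMPLE = json.dumps({"token": {
    "methods": ["password"],
    "roles": [{"id": "81fcdb131f3d4a0d8b4fa3bc95cf7f46", "name": "admin"}],
    "expires_at": "2017-02-06T16:33:00.000000Z",
    "project": {"domain": {"name": "default"}, "name": "admin"},
    "user": {"domain": {"name": "default"}, "name": "admin"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"region_id": "RegionOne", "interface": "public",
         "url": "http://192.168.1.120:5000/v3"},
        {"region_id": "RegionOne", "interface": "internal",
         "url": "http://192.168.1.120:5000/v3"},
        {"region_id": "RegionOne", "interface": "admin",
         "url": "http://192.168.1.120:35357/v3"}]}]}})
```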

    Part 5: View information

    View the catalog information: admin, internal, public

    View the endpoint information

    View the service list

    View the domain list

    View projects, roles, users and their management information

    Part 6: Write scripts

    admin-openrc

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=123
    export OS_AUTH_URL=http://192.168.1.120:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    

    demo-openrc; each user should have its own credentials

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=123
    export OS_AUTH_URL=http://192.168.1.120:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    

    Summary: we can define a script like this for each user.

    Requesting a token then becomes:

    source admin-openrc
    openstack token issue

     

    Original article: https://www.cnblogs.com/ylqh/p/6360148.html