  • B06-openstack高可用(t版)-keystone集群部署

    1. 创建keystone数据库

    [root@controller01 ~]# mysql -uroot -phuayun
    MariaDB [(none)]> CREATE DATABASE keystone;
    Query OK, 1 row affected (0.018 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'huayun';
    Query OK, 0 rows affected (0.007 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'huayun';
    Query OK, 0 rows affected (0.003 sec)

    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.006 sec)

    MariaDB [(none)]> exit
    Bye


    2. 安装keystone的相关软件包

    [root@controller01 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y

    3. 配置keystone.conf(原文以红色标出修改处,转存后颜色已丢失;下面输出中 [cache]、[database]、[token] 三节下的非空行即为修改的内容)

    [root@controller01 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.back

    [root@controller01 ~]# egrep -v "^#|^$" /etc/keystone/keystone.conf
    [DEFAULT]
    [application_credential]
    [assignment]
    [auth]
    [cache]
    backend = oslo_cache.memcache_pool
    enabled = true
    memcache_servers = 10.100.214.201:11211,10.100.214.202:11211,10.100.214.203:11211
    [catalog]
    [cors]
    [credential]
    [database]
    connection = mysql+pymysql://keystone:huayun@10.100.214.200/keystone
    [domain_config]
    [endpoint_filter]
    [endpoint_policy]
    [eventlet_server]
    [federation]
    [fernet_receipts]
    [fernet_tokens]
    [healthcheck]
    [identity]
    [identity_mapping]
    [jwt_tokens]
    [ldap]
    [memcache]
    [oauth1]
    [oslo_messaging_amqp]
    [oslo_messaging_kafka]
    [oslo_messaging_notifications]
    [oslo_messaging_rabbit]
    [oslo_middleware]
    [oslo_policy]
    [policy]
    [profiler]
    [receipt]
    [resource]
    [revoke]
    [role]
    [saml]
    [security_compliance]
    [shadow_users]
    [token]
    provider = fernet
    [tokenless_auth]
    [totp]
    [trust]
    [unified_limit]
    [wsgi]
    [root@controller01 ~]#

    将配置文件拷贝到另外两个节点:

    [root@controller01 ~]# scp /etc/keystone/keystone.conf 10.100.214.202:/etc/keystone/keystone.conf
    [root@controller01 ~]# scp /etc/keystone/keystone.conf 10.100.214.203:/etc/keystone/keystone.conf

    4. 同步keystone数据库

    在任意一个节点上操作就可以

    [root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

    检查数据库同步结果

    [root@controller01 ~]# mysql -uroot -phuayun  keystone  -e "show  tables";

    5. 初始化fernet密钥

    [root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    [root@controller01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

    并将初始化的密钥拷贝到其他的控制节点(各控制节点必须使用同一套fernet/credential密钥,否则一个节点签发的token在其他节点无法校验):

    [root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@10.100.214.202:/etc/keystone/
    [root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@10.100.214.203:/etc/keystone/

    同步后注意另外两台控制节点上密钥目录的属主:以root通过scp拷贝的文件属主为root,需改回keystone:keystone,否则keystone进程无法读取密钥

    [root@controller02 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
    [root@controller02 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R

    [root@controller03 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
    [root@controller03 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R

    认证引导

    # 任意控制节点操作;
    # 初始化admin用户(管理用户)与密码,3种api端点,服务实体可用区等

    [root@controller02 ~]# keystone-manage bootstrap --bootstrap-password huayun  --bootstrap-admin-url http://10.100.214.200:5000/v3/   --bootstrap-internal-url http://10.100.214.200:5000/v3/   --bootstrap-public-url http://10.100.214.200:5000/v3/   --bootstrap-region-id RegionOne

    配置Apache HTTP服务器

    1.  配置httpd.conf

    [root@controller01 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak

    [root@controller01 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
    [root@controller01 ~]# sed -i "s/Listen 80/Listen 10.100.214.201:80/g" /etc/httpd/conf/httpd.conf

    [root@controller02 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
    [root@controller02 ~]# sed -i "s/Listen 80/Listen 10.100.214.202:80/g" /etc/httpd/conf/httpd.conf

    [root@controller03 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
    [root@controller03 ~]# sed -i "s/Listen 80/Listen 10.100.214.203:80/g" /etc/httpd/conf/httpd.conf

    2. 配置wsgi-keystone.conf

    [root@controller01 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    [root@controller01 ~]# sed -i "s/Listen 5000/Listen 10.100.214.201:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
    [root@controller01 ~]# sed -i "s/*:5000/10.100.214.201:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf

    [root@controller02 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    [root@controller02 ~]# sed -i "s/Listen 5000/Listen 10.100.214.202:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
    [root@controller02 ~]# sed -i "s/*:5000/10.100.214.202:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf

    [root@controller03 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    [root@controller03 ~]# sed -i "s/Listen 5000/Listen 10.100.214.203:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf

    [root@controller03 ~]# sed -i "s/*:5000/10.100.214.203:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf

    3. 启动服务(所有控制节点)

    [root@controller01 ~]# systemctl enable httpd.service && systemctl restart httpd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

    4. 设置openstack的环境变量

    # openstack client环境脚本定义client调用openstack api环境变量,以方便api的调用(不必在命令行中携带环境变量);
    # 根据不同的用户角色,需要定义不同的脚本;
    # 这里以“认证引导”章节定义的admin用户为例,设置其环境脚本,再根据需要分发到需要运行openstack client工具的节点;
    # 一般将脚本创建在用户主目录

    [root@controller01 ~]# vim admin-openrc

    # admin-openrc: environment the openstack CLI uses to act as the admin user.
    # Load it with `source admin-openrc`; it holds a plaintext password, so keep
    # the file readable only by root (e.g. chmod 600).
    export OS_PROJECT_DOMAIN_NAME="Default"
    export OS_USER_DOMAIN_NAME="Default"
    export OS_PROJECT_NAME="admin"
    export OS_USERNAME="admin"
    export OS_PASSWORD="huayun"
    # Identity v3 endpoint behind the cluster VIP.
    export OS_AUTH_URL="http://10.100.214.200:5000/v3"
    export OS_IDENTITY_API_VERSION="3"

    [root@controller01 ~]# source admin-openrc

    [root@controller01 ~]# scp admin-openrc 10.100.214.202:/root/
    [root@controller01 ~]# scp admin-openrc 10.100.214.203:/root/

    创建域、项目、用户和角色

    1. 创建域:

    # project/user等基于domain存在;(所以不需要再创建default域)
    # 在“认证引导”章节中,初始化admin用户时即已生成“default” domain

    [root@controllervip ~]# openstack domain list
    +---------+---------+---------+--------------------+
    | ID | Name | Enabled | Description |
    +---------+---------+---------+--------------------+
    | default | Default | True | The default domain |
    +---------+---------+---------+--------------------+

    2. 创建admin项目(已经存在,不需要创建)

    [root@controller01 ~]# openstack project list
    +----------------------------------+---------+
    | ID | Name |
    +----------------------------------+---------+
    | 8152877d890d4727ac6f01a94e67ae15 | admin |

     3. 创建admin用户(本身已经存在,不需要再创建)

    [root@controller01 ~]# openstack user list
    +----------------------------------+-------+
    | ID | Name |
    +----------------------------------+-------+
    | 7bb860340a384300bc6b793cd23cbbde | admin |
    +----------------------------------+-------+

    由于admin的项目、角色、用户都已经存在,下面我们重新创建一个新的域、项目、用户和角色作为演示

    创建example域:

    [root@controller01 ~]# openstack domain create --description "An Example Domain" example
    +-------------+----------------------------------+
    | Field | Value |
    +-------------+----------------------------------+
    | description | An Example Domain |
    | enabled | True |
    | id | 04f35483319e49939f25a402238f7136 |
    | name | example |
    | options | {} |
    | tags | [] |
    +-------------+----------------------------------+

    创建demo项目:

    [root@controller01 ~]# openstack project create --domain default --description "Demo Project" demo

    +-------------+----------------------------------+

    | Field | Value |
    +-------------+----------------------------------+
    | description | Demo Project |
    | domain_id | default |
    | enabled | True |
    | id | b701f4bd7da049d4a72699de3068bb75 |
    | is_domain | False |
    | name | demo |
    | options | {} |
    | parent_id | default |
    | tags | [] |
    +-------------+----------------------------------+

    创建demo用户

    [root@controller01 ~]# openstack user create --domain default --password=huayun demo
    +---------------------+----------------------------------+
    | Field | Value |
    +---------------------+----------------------------------+
    | domain_id | default |
    | enabled | True |
    | id | e3755b60ba544e548e37b0fd88842e7b |
    | name | demo |
    | options | {} |
    | password_expires_at | None |
    +---------------------+----------------------------------+

    创建普通用户角色

    [root@controller01 ~]# openstack role create user
    +-------------+----------------------------------+
    | Field | Value |
    +-------------+----------------------------------+
    | description | None |
    | domain_id | None |
    | id | feca55a6132c43d99440b015095f8e0c |
    | name | user |
    | options | {} |
    +-------------+----------------------------------+

    [root@controller01 ~]# openstack role list
    +----------------------------------+--------+
    | ID | Name |
    +----------------------------------+--------+
    | 0fe64879f5434a608bf94bfb37027d24 | admin |
    | 874e55cac61947aa9c6e1b586a819538 | reader |
    | b4d0e9f90bfa459ea014b851af9159bd | member |
    | feca55a6132c43d99440b015095f8e0c | user |
    +----------------------------------+--------+

    给demo分配普通用户角色

    [root@controller01 ~]# openstack role add --project demo --user demo user

    查看权限分配

     配置demo的环境变量

    vim demo-openrc

    # demo-openrc: environment the openstack CLI uses to act as the demo user
    # (unprivileged "user" role in the demo project).
    # Load it with `source demo-openrc`; it holds a plaintext password, so keep
    # the file readable only by root (e.g. chmod 600).
    export OS_USERNAME="demo"
    export OS_PASSWORD="huayun"
    export OS_PROJECT_NAME="demo"
    export OS_USER_DOMAIN_NAME="Default"
    export OS_PROJECT_DOMAIN_NAME="Default"
    # Identity v3 endpoint behind the cluster VIP.
    export OS_AUTH_URL="http://10.100.214.200:5000/v3"
    export OS_IDENTITY_API_VERSION="3"

    source demo-openrc

    将脚本分发给其他节点

    [root@controller01 ~]# scp demo-openrc 10.100.214.202:/root/
    [root@controller01 ~]# scp demo-openrc 10.100.214.203:/root/

    设置pcs资源

    # 在任意控制节点操作;
    # 添加资源openstack-keystone-clone;
    # pcs实际控制的是各节点systemd unit管理的httpd服务

    [root@controller01 ~]# pcs resource create openstack-keystone systemd:httpd --clone interleave=true
    [root@controller01 ~]# pcs resource
    vip (ocf::heartbeat:IPaddr2): Started controller01
    Clone Set: lb-haproxy-clone [lb-haproxy]
    Started: [ controller01 ]
    Stopped: [ controller02 controller03 ]
    Clone Set: openstack-keystone-clone [openstack-keystone]
    Started: [ controller01 controller02 controller03 ]

  • 原文地址:https://www.cnblogs.com/zhaopei123/p/13091897.html