OpenStack Liberty Lab Part 3: Configuring the Keystone Identity Service

So far we have covered Part 1 and Part 2 of the OpenStack Lab Guide Series. The purpose of this lab series is not to prepare you for an OpenStack sysadmin role, but to help you understand how to install and configure the OpenStack services. It is suitable for students, IT professionals and engineers who want to enter the fascinating world of virtualization and cloud computing.

If you followed the previous tutorials:

OpenStack Liberty Lab Part 1: Network setup and all prerequisites

OpenStack Liberty Lab Part 2: Installing the OpenStack packages

the Keystone identity service is already installed. In this part of the series we take a close look at all the configuration options and parameters required in the Keystone configuration file.

Instead of editing the configuration files directly with a text editor such as nano or vim, we use the openstack-config tool, which automates the process and greatly simplifies the work. openstack-config is a utility for manipulating ini files; it is installed together with OpenStack, so all you have to do is use it. The first step is to prepare the database that Keystone will use. The MariaDB database service is already installed, so run the mysql_secure_installation tool to set the root password. If your server already has a database system in use, this step is not needed.

[root@controller ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB! 

Then log in as root with the password you set above. Make sure the MariaDB service is running:

[root@controller ~]# systemctl status mariadb.service 
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-03-28 12:03:24 EAT; 4h 55min ago
 Main PID: 2134 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─2134 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─2331 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql...

Mar 28 12:03:13 controller systemd[1]: Starting MariaDB database server...
Mar 28 12:03:15 controller mysqld_safe[2134]: 160328 12:03:15 mysqld_safe Lo....
Mar 28 12:03:16 controller mysqld_safe[2134]: 160328 12:03:16 mysqld_safe St...l
Mar 28 12:03:24 controller systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@controller ~]# 

If it is not, start it and enable it at boot:

 [root@controller ~]# systemctl start mariadb.service
 [root@controller ~]# systemctl enable mariadb.service 

The steps to configure Keystone are as follows:

  1. Create the database
[root@controller ~]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'moonstack';
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'moonstack';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;

Replace moonstack with the password you want for the keystone database user.

  2. Configure Keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token admintoken
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:moonstack@192.168.1.60/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider uuid
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token driver memcache
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf revoke driver sql

Explanation: admintoken is the initial administration token. Replace it with the admin token you want to use; you can generate one with the openssl command, as shown below:

  [root@controller ~]# openssl rand -hex 8

moonstack is the Keystone database password configured in step 1 when the keystone database was created. 192.168.1.60 is the IP address of the controller, which here is also the IP address of the server running the MySQL service, since everything is contained in a single installation. keystone is the name of the database used by Keystone.
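To check what the openstack-config commands above actually wrote before moving on, here is an added shell example (not part of the original lab) that reads keystone.conf values back the way openstack-config --get does and rejects a bootstrap admin_token that is still the placeholder or too short; the sample file contents, the file path and the 16-character minimum are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the original lab): read back the settings written to
# keystone.conf in step 2 and confirm the placeholder admin_token was replaced.

# write_sample_conf FILE TOKEN: constructed keystone.conf fragment with the sections
# from step 2; path and token come from the caller, not from a live host.
write_sample_conf() {
    cat > "$1" <<EOF
[DEFAULT]
admin_token = $2
[database]
connection = mysql://keystone:moonstack@192.168.1.60/keystone
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
EOF
}

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], like
# "openstack-config --get FILE SECTION KEY" (the same key may exist in several sections).
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 == "[" sec "]"); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# check_admin_token FILE: succeed only if admin_token is set, is not the tutorial
# placeholder "admintoken", and looks like "openssl rand -hex" output of at least
# 16 hex characters (that minimum length is this example's assumption).
check_admin_token() {
    tok=$(ini_get "$1" DEFAULT admin_token)
    [ -n "$tok" ] || return 1
    [ "$tok" != "admintoken" ] || return 1
    printf '%s\n' "$tok" | grep -Eq '^[0-9a-f]{16,}$'
}

# Stand-alone demonstration: the unchanged placeholder fails, a generated token passes.
demo() {
    f=$(mktemp)
    write_sample_conf "$f" admintoken
    check_admin_token "$f" && echo "unexpected: placeholder token accepted"
    write_sample_conf "$f" "$(openssl rand -hex 8 2>/dev/null || echo 0123456789abcdef)"
    check_admin_token "$f" && echo "admin_token OK: $(ini_get "$f" DEFAULT admin_token)"
    rm -f "$f"
}
```

Run demo after sourcing the functions; ini_get can also be pointed at the real /etc/keystone/keystone.conf on the controller.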

  3. Populate the Identity service database.
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

HTTP server (Apache) configuration:

[root@controller ~]# echo ServerName 192.168.1.60 >> /etc/httpd/conf/httpd.conf
  • Create the file /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller ~]# cat > /etc/httpd/conf.d/wsgi-keystone.conf <<EOF
Listen 5000
Listen 35357

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
EOF

Reload httpd:

[root@controller ~]# systemctl reload httpd.service

  4. Add services, roles and users to Keystone

Load the environment:

[root@controller ~]# export OS_TOKEN=admintoken 
[root@controller ~]# export OS_URL=http://192.168.1.60:35357/v3 
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

Replace admintoken with your token and 192.168.1.60 with your controller IP.

  • Add the admin and Member roles.
[root@controller ~]# openstack role create admin 
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | ef185921b0114f879e4fc1927516de75 |
| name | admin |
+-------+----------------------------------+
[root@controller ~]# openstack role create Member 
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 2b0d67fc55fd4cb8b29301a6dbe33445 |
| name | Member |
+-------+----------------------------------+
  • Add an admin project and a service project.
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin 
[root@controller ~]# openstack project create --domain default --description "Service Project" service 
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 9c3ec09f5e08442eb211612f99cd22ad |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
[root@controller ~]#
  • Add an admin user account and assign it the admin role.
[root@controller ~]# openstack user create --domain default --project admin --password moonstack admin
+--------------------+----------------------------------+
| Field | Value |
+--------------------+----------------------------------+
| default_project_id | abc5d2a310ad46fba0b2a311a187088b |
| domain_id | default |
| enabled | True |
| id | faf51d1898204d38aff144c8c1248c7d |
| name | admin |
+--------------------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin 
[root@controller ~]#
  • Check the setup:
[root@controller ~]# openstack user list 
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| faf51d1898204d38aff144c8c1248c7d | admin |
+----------------------------------+-------+
[root@controller ~]# openstack role list 
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 2b0d67fc55fd4cb8b29301a6dbe33445 | Member |
| ef185921b0114f879e4fc1927516de75 | admin |
+----------------------------------+--------+
[root@controller ~]# openstack project list 
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 9c3ec09f5e08442eb211612f99cd22ad | service |
| abc5d2a310ad46fba0b2a311a187088b | admin |
+----------------------------------+---------+
  5. Add the service entity and the API endpoints (internal, public and admin):
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity 
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 4d3aa109aa534ceb92187549a5e728bf |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
[root@controller ~]# export controller=192.168.1.60 
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://$controller:5000/v2.0 
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 651d5f5fc4bb4d6db1b74b217b6fcda5 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.60:5000/v2.0 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://$controller:5000/v2.0 
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | f714e382f39748afaf8bd2d5e0054c24 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.60:5000/v2.0 |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://$controller:35357/v2.0 
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 81b112cbfbd949578262a4fd3ebce9fd |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.60:35357/v2.0 |
+--------------+----------------------------------+
[root@controller ~]#
  • Check the setup:
[root@controller ~]# openstack endpoint list 
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 651d5f5fc4bb4d6db1b74b217b6fcda5 | RegionOne | keystone | identity | True | public | http://192.168.1.60:5000/v2.0 |
| 81b112cbfbd949578262a4fd3ebce9fd | RegionOne | keystone | identity | True | admin | http://192.168.1.60:35357/v2.0 |
| f714e382f39748afaf8bd2d5e0054c24 | RegionOne | keystone | identity | True | internal | http://192.168.1.60:5000/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
[root@controller ~]# openstack service list 
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 4d3aa109aa534ceb92187549a5e728bf | keystone | identity |
+----------------------------------+----------+----------+

The Keystone identity service configuration is complete. The next article covers the full configuration of the Glance image service.

Previous article:

OpenStack Liberty Lab Part 2: Installing the OpenStack packages

Next article:

OpenStack Liberty Lab Part 4: Configuring the Glance Image Service