5. Keystone cluster

5.1 Installation and configuration

1. Install

Install on all controller nodes:

# yum install openstack-keystone httpd mod_wsgi

2. Edit the file

vim /etc/keystone/keystone.conf

and make the following changes:

In the [database] section, configure database access:

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

In the [token] section, configure the Fernet token provider:

[token]
provider = fernet

Populate the Identity service database:

# su -s /bin/sh -c "keystone-manage db_sync" keystone

3. Initialize the Fernet keys

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Copy every file under fernet-keys on controller1 to controller2 and controller3, overwriting whatever is there:

[root@controller1 keystone]# scp -r fernet-keys controller2:/etc/keystone/
[root@controller1 keystone]# scp -r fernet-keys controller3:/etc/keystone/

Fix the ownership on all nodes:

chown -R keystone:keystone fernet-keys/

Then restart the httpd service:

systemctl restart httpd
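A token issued by one controller is only accepted by the others if every node holds the same key set, and the scp above leaves the copied files owned by root, which is why the chown step exists. The POSIX shell functions below are an added example, not part of the original post: fernet_fingerprint hashes a whole fernet-keys directory, fernet_check_perms checks the layout keystone-manage fernet_setup produces (a mode 700 directory, mode 600 key files named by number, a staged key 0) plus the owner you pass in, and fernet_dirs_match compares two directories. GNU coreutils (stat -c, sha256sum) are assumed; the directory paths and key contents in the usage are constructed. The same check applies to /etc/keystone/credential-keys, which credential_setup creates and which also has to be identical on every node.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a Keystone
# fernet-keys directory after it has been copied between controllers.
# Assumes GNU coreutils (stat -c, sha256sum) and the layout keystone-manage
# fernet_setup produces: a 700 directory owned by keystone, containing
# 600 key files named 0, 1, 2, ... where 0 is the staged key.

# One fingerprint for the whole key set: "name sha256" of every key, sorted,
# then hashed again. Identical key sets give identical fingerprints.
fernet_fingerprint() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "${f##*/}" "$(sha256sum < "$f" | cut -d' ' -f1)"
    done | sort | sha256sum | cut -d' ' -f1
}

# Return 0 only if DIR is mode 700, every key file is mode 600, the staged
# key 0 exists and (if OWNER is given) directory and keys are owned by OWNER.
# Usage: fernet_check_perms DIR [OWNER]
fernet_check_perms() {
    dir="$1"; owner="${2:-}"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "directory mode is not 700: $dir" >&2; return 1; }
    [ -f "$dir/0" ] || { echo "no staged key 0 in $dir" >&2; return 1; }
    if [ -n "$owner" ] && [ "$(stat -c %U "$dir")" != "$owner" ]; then
        echo "directory not owned by $owner: $dir" >&2; return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *[!0-9]*) echo "unexpected file in key directory: $f" >&2; return 1 ;;
        esac
        [ "$(stat -c %a "$f")" = "600" ] || { echo "key mode is not 600: $f" >&2; return 1; }
        if [ -n "$owner" ] && [ "$(stat -c %U "$f")" != "$owner" ]; then
            echo "key not owned by $owner: $f" >&2; return 1
        fi
    done
    return 0
}

# Return 0 if two key directories hold the same keys. Locally this compares
# two paths; across the cluster, run fernet_fingerprint on each controller
# (for example over ssh) and compare the printed values.
fernet_dirs_match() {
    [ "$(fernet_fingerprint "$1")" = "$(fernet_fingerprint "$2")" ]
}

# Typical use on a controller (paths as in this guide):
#   fernet_check_perms /etc/keystone/fernet-keys keystone && echo "fernet-keys ok"
#   fernet_fingerprint /etc/keystone/fernet-keys
```

Run fernet_fingerprint on each controller after every key rotation as well as after the initial copy; if the three values differ, tokens will validate on some nodes and fail on others depending on which backend HAProxy selects.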

4. Add httpd to HAProxy

Add the two ports httpd listens on, 35357 and 5000, to HAProxy:

vim /etc/haproxy/haproxy.cfg

listen keystone_public_internal_cluster
    mode http
    bind  192.168.16.10:5000
    balance source
    server controller1 192.168.16.11:5000 check inter 2000 rise 3 fall 3
    server controller2 192.168.16.12:5000 check inter 2000 rise 3 fall 3
    server controller3 192.168.16.13:5000 check inter 2000 rise 3 fall 3

listen keystone_admin_cluster
    mode http
    bind  192.168.16.10:35357
    balance source        # the Identity service must use source-address-based balancing, because authentication state is held locally
    server controller1 192.168.16.11:35357 check inter 2000 rise 3 fall 3
    server controller2 192.168.16.12:35357 check inter 2000 rise 3 fall 3
    server controller3 192.168.16.13:35357 check inter 2000 rise 3 fall 3
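With check alone, HAProxy only verifies that the port accepts a TCP connection, so a controller whose httpd is listening but whose Keystone WSGI application fails to load stays in the pool and keeps receiving requests. The block below is an added example, not from the original post: it keeps the guide's addresses and adds an HTTP health check against the unauthenticated version document at /v3, which Keystone answers with status 200. The same two option lines apply to the keystone_admin_cluster listener on 35357.

```haproxy
listen keystone_public_internal_cluster
    mode http
    bind  192.168.16.10:5000
    balance source
    option httpchk GET /v3
    http-check expect status 200
    server controller1 192.168.16.11:5000 check inter 2000 rise 3 fall 3
    server controller2 192.168.16.12:5000 check inter 2000 rise 3 fall 3
    server controller3 192.168.16.13:5000 check inter 2000 rise 3 fall 3
```

Validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before restarting, and copy it to the other controllers exactly as in the next step.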

5. Sync the HAProxy configuration

Copy haproxy.cfg from controller1 to controller2 and controller3, then restart haproxy on all three:

[root@controller1 ~]# scp /etc/haproxy/haproxy.cfg root@controller2:/etc/haproxy/haproxy.cfg
[root@controller1 ~]# scp /etc/haproxy/haproxy.cfg root@controller3:/etc/haproxy/haproxy.cfg
[root@controller1 ~]# systemctl restart haproxy
[root@controller2 ~]# systemctl restart haproxy
[root@controller3 ~]# systemctl restart haproxy

6. Bootstrap the API service endpoints

Bootstrap the Identity service:

# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

7. Configure the Apache HTTP server

Perform these steps on controller1, controller2 and controller3.

Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node:

ServerName controller

Create a link to the /usr/share/keystone/wsgi-keystone.conf file:

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

8. Finish the installation and start the service

Start the Apache HTTP service and configure it to start at boot:

# systemctl enable httpd.service
# systemctl start httpd.service

9. Configure the admin account

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

5.2 Create domains, projects, users and roles

1. This guide uses a service project that contains a unique user for each service you add to your environment. Create the service project:

$ openstack project create --domain default \
  --description "Service Project" service

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+

2. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

Create the demo project:

$ openstack project create --domain default \
  --description "Demo Project" demo

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+

Note

Do not repeat this step when creating additional users for this project.

3. Create the demo user:

$ openstack user create --domain default \
  --password-prompt demo

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | aeda23aa78f44e859900e22c24817832 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

4. Create the user role:

$ openstack role create user

+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | user                             |
+-----------+----------------------------------+

5. Add the user role to the demo user in the demo project:

$ openstack role add --project demo --user demo user

5.3 Verify operation

1. For security reasons, disable the temporary authentication token mechanism:

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

Do this on controller1, controller2 and controller3.
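Because the edit has to be made identically on three nodes, it is worth having a check that confirms admin_token_auth is really gone from every pipeline and an edit that can be rerun safely. The functions below are an added example, not from the original post: write_sample_paste_ini writes a constructed, abbreviated stand-in for keystone-paste.ini (the real file has more filters, only the shape matters), admin_token_auth_enabled reports whether any pipeline line still references the filter, and disable_admin_token_auth strips it from the pipeline lines only, leaving the [filter:admin_token_auth] definition, which is inert once unreferenced. GNU sed and grep are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): remove admin_token_auth from
# the keystone-paste.ini pipelines and verify it is gone. Assumes GNU sed/grep.

# Write a constructed, abbreviated stand-in for keystone-paste.ini to FILE.
# The real file has more filters; only the pipeline shape matters here.
write_sample_paste_ini() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:token_auth]
use = egg:keystone#token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
EOF
}

# Exit 0 if any pipeline line in FILE still lists the admin_token_auth filter.
admin_token_auth_enabled() {
    grep -Eq '^pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$1"
}

# Remove admin_token_auth from every pipeline line of FILE, keeping the
# [filter:admin_token_auth] definition and a FILE.bak copy of the original.
# Safe to run repeatedly: a line without the filter is left unchanged.
disable_admin_token_auth() {
    sed -i.bak -E '/^pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]|$)/\1/g' "$1"
}

# Typical use on a controller:
#   disable_admin_token_auth /etc/keystone/keystone-paste.ini
#   admin_token_auth_enabled /etc/keystone/keystone-paste.ini && echo "still enabled"
```

keystone-paste.ini is read when the WSGI application loads, so restart httpd on each controller after the edit; the admin_token_auth_enabled check run over ssh on all three nodes confirms none was missed.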

2. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:

$ unset OS_AUTH_URL OS_PASSWORD

3. As the admin user, request an authentication token:

$ openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+

As the demo user, request an authentication token:

$ openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:15:39.014479Z                                     |
| id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
| project_id | ed0b60bf607743088218b0a533d5943f                                |
| user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
+------------+-----------------------------------------------------------------+

5.4 Create client environment scripts

1. admin-openrc script

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

2. demo-openrc script

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Copy both scripts to controller2 and controller3.

3. Use the scripts

. admin-openrc

Request an authentication token:

openstack token issue
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:44:35.659723Z                                     |
| id         | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
|            | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
|            | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
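The openrc scripts above keep OS_PASSWORD in a plain file that is then copied to every controller, so the file's mode decides who on those hosts can read the admin credential. The functions below are an added example, not part of the original post: write_openrc creates a script with the same variables as admin-openrc and demo-openrc but with mode 600 from the moment it exists, and load_openrc refuses to source a script that is readable by group or others, then confirms every variable the openstack client needs is set and that OS_AUTH_URL is a v3 endpoint before you run openstack token issue. GNU stat is assumed; the paths and passwords in the usage are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): create and load openrc scripts
# without exposing OS_PASSWORD. Assumes GNU coreutils (stat -c).

# Write an openrc FILE with mode 600 from the start: the subshell's umask 077
# only affects this function, and removing any old copy first ensures a
# previously world-readable file does not keep its old mode.
# Usage: write_openrc FILE PROJECT USER PASSWORD AUTH_URL
write_openrc() {
    (
        umask 077
        rm -f "$1"
        cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=$2
export OS_USERNAME=$3
export OS_PASSWORD=$4
export OS_AUTH_URL=$5
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
    )
}

# Source FILE only if it is private to its owner, then check the variables
# the client needs. Returns 0 on success, 1 with a reason on stderr.
# Usage: load_openrc FILE
load_openrc() {
    rc="$1"
    [ -f "$rc" ] || { echo "no such file: $rc" >&2; return 1; }
    mode=$(stat -c %a "$rc")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $rc: mode $mode lets other users read OS_PASSWORD" >&2; return 1 ;;
    esac
    . "$rc"
    # POSIX sh has no indirect expansion, so eval reads each variable by name.
    for v in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
             OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$rc does not set $v" >&2; return 1; }
    done
    # With OS_IDENTITY_API_VERSION=3 the auth URL must point at the v3 API.
    case "$OS_AUTH_URL" in
        */v3|*/v3/) ;;
        *) echo "OS_AUTH_URL is not a v3 endpoint: $OS_AUTH_URL" >&2; return 1 ;;
    esac
    return 0
}

# Typical use (constructed paths and placeholder passwords):
#   write_openrc ~/demo-openrc demo demo DEMO_PASS http://controller:5000/v3
#   load_openrc ~/demo-openrc && openstack token issue
```

When the scripts are copied to controller2 and controller3, copy them with scp -p or re-create them there with write_openrc so the 600 mode travels with the password; load_openrc will otherwise refuse the copy, which is the intended signal that the file needs its mode fixed.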

Reposted from www.cnblogs.com/hanjingzheng/p/9082246.html