OpenStack Keystone component deployment (Train release, the "T version")

1. Points to note

1.1 Order of OpenStack component installation

1. Keystone (runs under Apache)
2. Glance
3. Nova
4. Neutron
  • When deploying OpenStack components, install the identity service (Keystone) first; it runs under Apache. Once it is installed you can create and manage accounts, and then install the image service (Glance), the compute service (Nova) and the network service (Neutron).

1.2 Introduction to Management and Client

  • The compute service and the network service are each split into a management side and a client side. The management side of both is installed on the OpenStack controller node, the client side of both is installed on the compute node where virtual machines are created, and finally the dashboard service is installed. The APIs of all OpenStack components are served through Apache.
  • The OpenStack controller is responsible for scheduling the creation of virtual machines. Data about virtual machines created through the controller is ultimately recorded in MySQL (MariaDB). Compute nodes have no permission to write to the database; only the controller does. Compute nodes and the controller communicate indirectly through RabbitMQ: both listen on RabbitMQ, the controller publishes the instruction to create a virtual machine, and the compute node listening on the designated queue receives the message and creates the virtual machine.

2. OpenStack Keystone component deployment process

2.1 Create a database instance and database user

[root@ct ~]# mysql -uroot -pabc123
...
MariaDB [(none)]> create database keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
Bye

2.2 Install and configure keystone, database, Apache

2.2.1 Install keystone, httpd, mod_wsgi

  • The mod_wsgi package lets Apache front the Python components: all OpenStack components, including their APIs, are written in Python, but Apache receives the requests and forwards them to the Python application for processing. These packages are installed only on the controller node.
[root@ct ~]# yum -y install openstack-keystone httpd mod_wsgi
[root@ct ~]# cp -a /etc/keystone/keystone.conf{,.bak}
[root@ct ~]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# Access MySQL through the pymysql driver: user name, password, database host name and database name
[root@ct ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone
# Specify the token provider; the provider is Keystone itself
[root@ct ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
# Fernet: a secure message-passing format

2.2.2 Initialize the authentication service database

[root@ct ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

2.2.3 Initialize the fernet key repository

  • Each of the following commands generates two keys; the generated keys are placed under the /etc/keystone/ directory and are used to encrypt data
[root@ct ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@ct ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
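As an added example (not from the original post), a hygiene check for the key repositories that fernet_setup and credential_setup create: each is a directory of integer-named key files where index 0 is the staged key and the highest index is the primary key, and each key is 32 random bytes in urlsafe base64. The function checks_fernet_repo and the temp-directory repository built by make_demo_repo are constructed here; point the checker at /etc/keystone/fernet-keys or /etc/keystone/credential-keys on the controller.

```python
import base64
import os
import stat
import tempfile

KEY_LEN = 32  # keystone-manage fernet_setup writes 32 random bytes, urlsafe-base64 encoded


def check_fernet_repo(path):
    """Return findings for a fernet key repository; an empty list means it looks sound.
    Checked: dir mode 700, key files unreadable by group/other, integer file names,
    keys decode to 32 bytes, staged key (0) and a primary key (highest index) present."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode != 0o700:
        findings.append(f"directory mode {dir_mode:o}, expected 700")
    indexes = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not name.isdigit():
            findings.append(f"unexpected file {name} in key repository")
            continue
        indexes.append(int(name))
        key_mode = stat.S_IMODE(os.stat(full).st_mode)
        if key_mode & 0o077:
            findings.append(f"key {name} mode {key_mode:o} is readable by group/other")
        with open(full, "rb") as fh:
            raw = fh.read().strip()
        try:
            if len(base64.urlsafe_b64decode(raw)) != KEY_LEN:
                findings.append(f"key {name} does not decode to {KEY_LEN} bytes")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"key {name} is not valid urlsafe base64")
    if 0 not in indexes:
        findings.append("no staged key (index 0): key rotation cannot proceed")
    if not any(i > 0 for i in indexes):
        findings.append("no primary key (index > 0): tokens cannot be issued")
    return findings


def make_demo_repo(dir_mode=0o700, key_mode=0o600):
    """Constructed repository in a temp dir with keys 0 and 1, for offline demonstration."""
    path = tempfile.mkdtemp()
    os.chmod(path, dir_mode)
    for idx in ("0", "1"):
        full = os.path.join(path, idx)
        with open(full, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(KEY_LEN)))
        os.chmod(full, key_mode)
    return path
```

Ownership (keystone:keystone, as set by the --keystone-user/--keystone-group options above) is not checked here because the demo repository is created by the current user.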

2.2.4 Configure bootstrap identity authentication service

[root@ct ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://ct:5000/v3/ \
--bootstrap-internal-url http://ct:5000/v3/ \
--bootstrap-public-url http://ct:5000/v3/ \
--bootstrap-region-id RegionOne		# specify a region name

# This step initializes OpenStack: it writes the information of the OpenStack admin user into the user table in MySQL, and the URLs and other information into the related MySQL tables.

# admin-url is the management network (for example the internal OpenStack management network of a public cloud), used to manage scaling or deleting virtual machines; if the public network and the management network were the same network, heavy business traffic would make it impossible to scale virtual machines through the OpenStack controller, so a separate management network is needed.

# internal-url is the internal network used for data transfer, such as virtual machines accessing storage, databases and middleware like ZooKeeper; this network cannot be reached from the outside and is only used for access within the enterprise.

# public-url is the public network, which users can access (as in a public cloud). This environment does not have these separate networks, so all three share the same network.

# Port 5000 is the port on which Keystone provides authentication.

# A listen entry needs to be added on the haproxy server.

# The URLs of the various networks must specify the domain name of the controller node, which is usually the domain name of the haproxy VIP (in high-availability mode).

2.2.5 Configure Apache HTTP server

[root@ct ~]# echo "ServerName ct" >> /etc/httpd/conf/httpd.conf

2.2.6 Create configuration file

  • After installing the mod_wsgi package, the wsgi-keystone.conf file is available. It configures a virtual host that listens on port 5000. mod_wsgi is the gateway between Apache and Python.
[root@ct ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

2.2.7 Start service

[root@ct ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ct ~]# systemctl start httpd

2.2.8 Configure the environment variables of the administrator account

  • These environment variables are used to create roles and projects. Creating roles and projects requires authentication, so the authentication information (user name, password and so on) is declared through environment variables; to OpenStack it looks as if the user has already logged in and passed authentication, so projects and roles can be created.
  • In other words, the admin user's credentials are handed to OpenStack for verification by declaring environment variables, which allows non-interactive operation of OpenStack.
[root@ct ~]# cat >> ~/.bashrc << EOF
> export OS_USERNAME=admin
> export OS_PASSWORD=ADMIN_PASS
> export OS_PROJECT_NAME=admin
> export OS_USER_DOMAIN_NAME=Default
> export OS_PROJECT_DOMAIN_NAME=Default
> export OS_AUTH_URL=http://ct:5000/v3
> export OS_IDENTITY_API_VERSION=3
> export OS_IMAGE_API_VERSION=2
> EOF
[root@ct ~]# source ~/.bashrc

2.3 Performing operations with the openstack command

  • With the environment variables configured, the openstack command can be used to perform operations

2.3.1 View the list of OpenStack users

[root@ct ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| beafd9c73309485381c6c6754d37f771 | admin |
+----------------------------------+-------+


2.3.2 Create OpenStack domains, projects, users, and roles

  • Create a project in the specified domain, with a description; the project name is service (the available domains can be queried with openstack domain list)
[root@ct ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 600dd444a18346e9a8c6c854b9a4f19e |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+


2.3.3 Create a role (roles can be viewed with openstack role list)

[root@ct ~]# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | cac8d79a2b4a43acbd3004f718acf547 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+
  • View the list of openstack roles
[root@ct ~]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 3be0345b4d124e7fbb318fa788ca3f7e | member |
| 429c71a299da400fa56d3113f8fb5bf1 | reader |
| 6b2c8f17071342c8bef3cd9379267b8a | admin  |
| cac8d79a2b4a43acbd3004f718acf547 | user   |
+----------------------------------+--------+

# admin: administrator
# member: tenant
# user: user


2.3.4 Check whether token information can be obtained without specifying a password

  • Verify the authentication service
[root@ct ~]# openstack token issue
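As an added example (not from the original post), the exchange behind sections 2.2.8 and 2.3.4 in Python: the OS_* variables become a project-scoped Keystone v3 password-authentication request to OS_AUTH_URL/auth/tokens, and the issued token comes back in the X-Subject-Token response header while the JSON body carries its scope and expiry. The function names and the sample response used in the test are constructed for illustration; only issue_token talks to a real Keystone.

```python
import json
import os
import urllib.request


def build_auth_request(env):
    """Map the OS_* variables to a project-scoped Keystone v3 password token request."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "password": env["OS_PASSWORD"],  # sent in the body: keep port 5000 behind TLS
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


def parse_token_response(headers, body):
    """The token is the X-Subject-Token header; the JSON body gives scope and expiry."""
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("no X-Subject-Token header: authentication failed")
    tok = json.loads(body)["token"]
    return {
        "token": token,
        "expires_at": tok["expires_at"],
        "project": tok["project"]["name"],
        "roles": sorted(r["name"] for r in tok["roles"]),
    }

def issue_token(env=os.environ):
    """Live POST to OS_AUTH_URL/auth/tokens, i.e. what `openstack token issue` does."""
    req = urllib.request.Request(
        env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens",
        data=json.dumps(build_auth_request(env)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.headers, resp.read())
```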


3. Summary

  • The Keystone component serves as the unified authentication and authorization module of the OpenStack cluster. Its core function is to manage User, Tenant, Role and Token (the manual compilation and deployment above is organized around this function)
1. User: a user of OpenStack.

2. Tenant: a tenant, which can be understood as the collection of resources owned by a person, project or organization. A tenant can contain many users, and these users can use the tenant's resources according to their assigned permissions.

3. Role: a role, used to assign operation permissions. A role can be assigned to a user, giving that user the operation permissions of the role.

4. Token: a sequence of bits or a string used as a marker for accessing resources. A token contains the scope of accessible resources and its validity period; it is a credential of the user, obtained by requesting it from the Keystone service with the correct user name and password.

The approach to building OpenStack in manual deployment mode:

1. Deploy module by module
2. Deploy the base environment of the Keystone module (download dependency packages, component packages, third-party tools/plugins)
3. Create and enable the functions of the module
   (taking Keystone as an example: create and initialize the authentication database, modify the configuration file, initialize the keys in fernet format, configure the identity service)
4. Verify

Origin blog.csdn.net/weixin_42449832/article/details/113362518