OpenStack (2): Keystone component experiment

Preface

  • When deploying OpenStack components, the identity service (Keystone) must be installed first; it runs under Apache. Once it is installed you can create and manage accounts, and then install the image service (Glance), the compute service (Nova) and the network service (Neutron).

  • Continuing the manual OpenStack environment configuration, the next step is to install the Keystone component. All of the following operations are performed on the control node ct.

1. Create a database instance and database user

mysql -u root -p
create database keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
flush privileges;
exit

2. Install and configure keystone, database, Apache

yum -y install openstack-keystone httpd mod_wsgi
cp -a /etc/keystone/keystone.conf{,.bak}
grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf

openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

3. Initialize the authentication service database

su -s /bin/sh -c "keystone-manage db_sync" keystone

4. Initialize the fernet key repository

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5. Configure the bootstrap of the identity service

# Initialize OpenStack: this writes the admin user's information into the MySQL user table, and the endpoint URLs and other information into the related MySQL tables.
# admin-url is the management network (e.g. the internal OpenStack management network of a public cloud), used for scaling out or deleting virtual machines. If the public network and the management network were the same network, heavy traffic could make it impossible to scale virtual machines from the OpenStack control side, so a separate management network is needed.
# internal-url is the internal network used for data transfer, e.g. virtual machines accessing storage, databases and middleware such as ZooKeeper; it cannot be reached from the outside and is only for internal access.
# public-url is the public network that users can reach (e.g. a public cloud).
# This environment does not have these separate networks, so all three share the same network.
# The comments are kept on their own lines: text after the trailing backslash would break the line continuation.
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://ct:5000/v3/ \
--bootstrap-internal-url http://ct:5000/v3/ \
--bootstrap-public-url http://ct:5000/v3/ \
--bootstrap-region-id RegionOne

6. Configure Apache HTTP server

echo "ServerName controller" >> /etc/httpd/conf/httpd.conf    # append the specified controller node name to the Apache configuration file

7. Create a configuration file

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/  # create a symlink into the Apache configuration directory

systemctl enable httpd      # start automatically at boot
systemctl start httpd       # start the Apache service

8. Configure the environment variables of the administrator account

cat >> ~/.bashrc << EOF
export OS_USERNAME=admin                # user admin
export OS_PASSWORD=ADMIN_PASS           # password ADMIN_PASS
export OS_PROJECT_NAME=admin            # project name admin
export OS_USER_DOMAIN_NAME=Default      # user domain Default
export OS_PROJECT_DOMAIN_NAME=Default   # project domain Default
export OS_AUTH_URL=http://ct:5000/v3    # identity endpoint
export OS_IDENTITY_API_VERSION=3        # identity API version 3
export OS_IMAGE_API_VERSION=2           # image API version 2
EOF

source ~/.bashrc                        # load the variables into the current shell
openstack user list                     # list all users

9. Create OpenStack domains, projects, users, and roles

openstack project create --domain default --description "Service Project" service 

10. Create a role

openstack role create user  # create the role user
openstack role list         # list the roles

openstack token issue       # check that a token can be obtained without typing a password (it comes from the environment variables), which verifies the identity service
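The following check script is an added example, not part of the original post. It re-verifies on the control node what steps 2 and 4 set up: the fernet token provider and database connection in keystone.conf, and the layout keystone-manage fernet_setup gives the key repository (directory mode 0700, keys 0 and 1 with mode 0600). It also flags the KEYSTONE_DBPASS placeholder so the sample password is not carried into a real deployment; the paths, the sample password s3cret and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Added verification script (not from the original post). Checks a Keystone
# install against what the walkthrough configures: [token] provider = fernet,
# a [database] connection without the KEYSTONE_DBPASS placeholder, and a fernet
# key repository as keystone-manage fernet_setup lays it out (directory 0700,
# keys "0" and "1" present, each 0600). Paths are parameters so the same
# checks also run against the constructed sample built by make_sample.

section_value() {   # section_value FILE SECTION KEY -> first matching value
    sed -n "/^\[$2\]/,/^\[/{s/^$3 *= *//p;}" "$1" | head -n 1
}

keystone_check() {
    conf="$1"; keydir="$2"; rc=0
    provider=$(section_value "$conf" token provider)
    [ "$provider" = "fernet" ] || { echo "FAIL: [token] provider='$provider'"; rc=1; }
    conn=$(section_value "$conf" database connection)
    case "$conn" in
        *KEYSTONE_DBPASS*) echo "FAIL: placeholder KEYSTONE_DBPASS left in [database] connection"; rc=1 ;;
        mysql+pymysql://*) ;;
        *) echo "FAIL: unexpected [database] connection '$conn'"; rc=1 ;;
    esac

    # ls output is used for the mode so this also works without GNU stat
    [ "$(ls -ld "$keydir" | cut -c1-10)" = "drwx------" ] \
        || { echo "FAIL: $keydir is not mode 0700"; rc=1; }
    for k in 0 1; do
        [ -f "$keydir/$k" ] || { echo "FAIL: fernet key $k missing"; rc=1; continue; }
        [ "$(ls -l "$keydir/$k" | cut -c1-10)" = "-rw-------" ] \
            || { echo "FAIL: fernet key $k is not mode 0600"; rc=1; }
    done
    return $rc
}

# Constructed sample (assumption, not a real install): a keystone.conf with a
# real-looking password instead of the placeholder and two random key files.
make_sample() {
    d=$(mktemp -d); mkdir -m 0700 "$d/fernet-keys"
    for k in 0 1; do ( umask 177; head -c 32 /dev/urandom | base64 > "$d/fernet-keys/$k" ); done
    printf '[database]\nconnection = mysql+pymysql://keystone:s3cret@ct/keystone\n[token]\nprovider = fernet\n' \
        > "$d/keystone.conf"
    echo "$d"
}

case $# in
    2) keystone_check "$1" "$2" ;;    # e.g. /etc/keystone/keystone.conf /etc/keystone/fernet-keys
    0) s=$(make_sample); keystone_check "$s/keystone.conf" "$s/fernet-keys" && echo "PASS (sample)" ;;
esac
```

Run it with no arguments to exercise the constructed sample, or with the real keystone.conf path and key directory on ct to check the deployment.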

Origin blog.csdn.net/LI_MINGXUAN/article/details/114867908