Openstack安装(1)--keystone配置
(controller)keystone的工作细节:
OpenStack Keystone Workflow & Token Scoping
1.创建tenant openstackDemo
$ keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 tenant-create --name openstackDemo --description "Default Tenant"+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Default Tenant |
| enabled | True |
| id | ac0da7079c8d4bc2b95009175b21fa66 |
| name | openstackDemo |
+-------------+----------------------------------+
2.创建用户admin
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id ac0da7079c8d4bc2b95009175b21fa66 --name admin --pass keystoneadmin
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | 264de00cea3348cda1b968f31b369e92 |
| name | admin |
| password | $6$rounds=40000$cjEp2NZMf67VgeML$qognuEx/idO5meuCN0VQZfD4t9skm9K25ymF8XWt.4UYaFteJZHQQCUpd6oLYswHdliTKNJT9NNysbT8ozTlm. |
| tenantId | ac0da7079c8d4bc2b95009175b21fa66 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
3.创建role,admin和member
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 role-create --name admin
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 role-create --name Member
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 role-list
+----------------------------------+--------+
| id | name |
+----------------------------------+--------+
| 13253694d6704b19bbcbdc96877d9262 | Member |
| 25f36f99603c4c95888e71793365826e | admin |
+----------------------------------+--------+
4.在租户openStackDemo中,将角色admin赋予用户admin。user-role-add
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id 264de00cea3348cda1b968f31b369e92 --tenant-id ac0da7079c8d4bc2b95009175b21fa66 --role-id 25f36f99603c4c95888e71793365826e
这个命令没有任何输出。
通过以上四步,keystone的基本使用方法明了了。
------------------------------------------------------分割线---------------------------------------------------------------------------------------------------------
现在为几个组建创建租户、用户、角色。
一、Glance
1.创建租户service
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 tenant-create --name service --description "Service Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | True |
| id | a295e1962f124d2992beacbec452d9c4 |
| name | service |
+-------------+----------------------------------+
2.在租户service中创建用户glance
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name glance --pass glance
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | b6edb3ec9e2e49d39f3a01d4f8981772 |
| name | glance |
| password | $6$rounds=40000$5lWn2BruhOqK/O.6$JBpB8DGl8IMEDjbdp9YEGid5r4I96g/qkimZ1zGjNkE8EJJZL7JQBV2A4tLRa/wDBAWXiTCl.RtO/G2RJJtUR. |
| tenantId | a295e1962f124d2992beacbec452d9c4 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
3.在租户service中,将角色admin赋予用户glance。
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id b6edb3ec9e2e49d39f3a01d4f8981772 --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
二、Nova
1.在租户service中创建用户nova
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name nova --pass nova
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | d746324fe1aa436087e87e92b38ed2d8 |
| name | nova |
| password | $6$rounds=40000$.xbXsBlZ3cgkRJe6$j8d.p/6GstU3S5RCbSt5iEBIgXeK9QArjDiIyCW5.j/uZoB2hG3YbKspf0uSfV2UKvvhg/04WgOFGLorZiv7p0 |
| tenantId | a295e1962f124d2992beacbec452d9c4 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
2.在租户service中,将角色admin赋予用户nova。
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id d746324fe1aa436087e87e92b38ed2d8 --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
三、EC2 Service
1.在租户service中创建用户ec2
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name ec2 --pass ec2
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | e88417ed8c394d73a52f7709a113bb9a |
| name | ec2 |
| password | $6$rounds=40000$ki7fxWVrFhEeQclE$BPelQcPtikG4x/yQg26QtnWA4Z1A.Bj7VwALxjMUotPf5syivhj7IgqCuIExZRsNniopKjfGSt.yXgCkIesWc/ |
| tenantId | a295e1962f124d2992beacbec452d9c4 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
2.在租户service中,将角色admin赋予用户ec2
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id e88417ed8c394d73a52f7709a113bb9a --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
四、Object Storage Service (swift)
1.在租户service中创建用户swift
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-create --tenant-id a295e1962f124d2992beacbec452d9c4 --name swift --pass swift
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | 3a8ccf71549f491b8eccc31b4b04d80e |
| name | swift |
| password | $6$rounds=40000$SthEV8h8scvp9hBJ$r6oCf8J1OGb39QymElLJr79XD6suL4jKimUHLrz8VWz3W2Wxl8EqCYmYZUBs8LigGUNGDrG.9mrhJQ86/AgKH1 |
| tenantId | a295e1962f124d2992beacbec452d9c4 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
2.在租户service中,将角色admin赋予用户swift
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-role-add --user-id 3a8ccf71549f491b8eccc31b4b04d80e --tenant-id a295e1962f124d2992beacbec452d9c4 --role-id 25f36f99603c4c95888e71793365826e
查看用户:
keystone --token 558ec87e86aa43b11798 --endpoint http://10.10.4.47:35357/v2.0 user-list
+----------------------------------+--------+---------+-------+
| id | name | enabled | email |
+----------------------------------+--------+---------+-------+
| 264de00cea3348cda1b968f31b369e92 | admin | True | |
| 3a8ccf71549f491b8eccc31b4b04d80e | swift | True | |
| b6edb3ec9e2e49d39f3a01d4f8981772 | glance | True | |
| d746324fe1aa436087e87e92b38ed2d8 | nova | True | |
| e88417ed8c394d73a52f7709a113bb9a | ec2 | True | |
+----------------------------------+--------+---------+-------+
---------------------------------------------------分割线-------------------------------------------------------------
为了在命令中少两个参数:
export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export SERVICE_TOKEN=558ec87e86aa43b11798
为各组件配置服务
keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
keystone service-create --name=nova --type=compute --description="Nova Compute Service"
keystone service-create --name=volume --type=volume --description="Nova Volume Service"
keystone service-create --name=glance --type=image --description="Glance Image Service"
keystone service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Layer"
keystone service-create --name=swift --type=object-store --description="Object Storage Service"
$ keystone service-list
+----------------------------------+----------+--------------+---------------------------+
| id | name | type | description |
+----------------------------------+----------+--------------+---------------------------+
| 0ef9d77e2ca44d2e94a58f98eaea46fc | keystone | identity | Keystone Identity Service |
| 1ab16c3a56314f81bf6d7ab4c96cf9ba | volume | volume | Nova Volume Service |
| 2e7c422762a24306879dc3459c8d4ac0 | ec2 | ec2 | EC2 Compatibility Layer |
| b0753c9823ec43bba5f44a431df108f4 | swift | object-store | Object Storage Service |
| ec5b17f444ed49a9b5f785eff16be656 | nova | compute | Nova Compute Service |
| f3e375536aac48fa8463660bbe91c12a | glance | image | Glance Image Service |
+----------------------------------+----------+--------------+---------------------------+
为各组件配置服务endpoint
1.keystone
keystone endpoint-create --region RegionOne --service-id=0ef9d77e2ca44d2e94a58f98eaea46fc \
--publicurl=http://10.10.4.47:5000/v2.0 \
--internalurl=http://192.168.1.2:5000/v2.0 \
--adminurl=http://10.10.4.47:35357/v2.0
2.nova
keystone endpoint-create \
--region RegionOne \
--service-id=ec5b17f444ed49a9b5f785eff16be656 \
--publicurl='http://10.10.4.47:8774/v2/%(tenant_id)s' \
--internalurl='http://192.168.1.2:8774/v2/%(tenant_id)s' \
--adminurl='http://10.10.4.47:8774/v2/%(tenant_id)s'
3.volume
keystone endpoint-create \
--region RegionOne \
--service-id=1ab16c3a56314f81bf6d7ab4c96cf9ba \
--publicurl='http://10.10.4.47:8776/v1/%(tenant_id)s' \
--internalurl='http://192.168.1.2:8776/v1/%(tenant_id)s' \
--adminurl='http://10.10.4.47:8776/v1/%(tenant_id)s'
4.glance
keystone endpoint-create \
--region RegionOne \
--service-id=f3e375536aac48fa8463660bbe91c12a \
--publicurl=http://10.10.4.47:9292/v1 \
--internalurl=http://192.168.1.2:9292/v1 \
--adminurl=http://10.10.4.47:9292/v1
5.ec2
keystone endpoint-create \
--region RegionOne \
--service-id=2e7c422762a24306879dc3459c8d4ac0 \
--publicurl=http://10.10.4.47:8773/services/Cloud \
--internalurl=http://192.168.1.2:8773/services/Cloud \
--adminurl=http://10.10.4.47:8773/services/Admin
6.swift
keystone endpoint-create \
--region RegionOne \
--service-id=b0753c9823ec43bba5f44a431df108f4 \
--publicurl 'http://10.10.4.47:8888/v1/AUTH_%(tenant_id)s' \
--adminurl 'http://10.10.4.47:8888/v1' \
--internalurl 'http://192.168.1.2:8888/v1/AUTH_%(tenant_id)s'
+----------------------------------+-----------+----------------------------------------------+-----------------------------------------------+-----------------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+----------------------------------------------+-----------------------------------------------+-----------------------------------------+----------------------------------+
| 213af135dbf74933a24872b3a2d6c4b8 | RegionOne | http://10.10.4.47:8888/v1/AUTH_%(tenant_id)s | http://192.168.1.2:8888/v1/AUTH_%(tenant_id)s | http://10.10.4.47:8888/v1 | b0753c9823ec43bba5f44a431df108f4 |
| 2e80ec27f90d48648ae6326ca34eeba7 | RegionOne | http://10.10.4.47:8774/v2/%(tenant_id)s | http://192.168.1.2:8774/v2/%(tenant_id)s | http://10.10.4.47:8774/v2/%(tenant_id)s | ec5b17f444ed49a9b5f785eff16be656 |
| 6a97f8e4d265421baa757ce262333bf2 | RegionOne | http://10.10.4.47:9292/v1 | http://192.168.1.2:9292/v1 | http://10.10.4.47:9292/v1 | f3e375536aac48fa8463660bbe91c12a |
| b4ab7b18688a461dbdb375ade57c7f22 | RegionOne | http://10.10.4.47:8776/v1/%(tenant_id)s | http://192.168.1.2:8776/v1/%(tenant_id)s | http://10.10.4.47:8776/v1/%(tenant_id)s | 1ab16c3a56314f81bf6d7ab4c96cf9ba |
| bbd0e9146ccd4a3aa329c2379960efa7 | RegionOne | http://10.10.4.47:5000/v2.0 | http://192.168.1.2:5000/v2.0 | http://10.10.4.47:35357/v2.0 | 0ef9d77e2ca44d2e94a58f98eaea46fc |
| fadb5bb02f364e838781179b3909afc2 | RegionOne | http://10.10.4.47:8773/services/Cloud | http://192.168.1.2:8773/services/Cloud | http://10.10.4.47:8773/services/Admin | 2e7c422762a24306879dc3459c8d4ac0 |
+----------------------------------+-----------+----------------------------------------------+-----------------------------------------------+-----------------------------------------+----------------------------------+
验证
keystone --os-username=admin --os-password=keystoneadmin --os-auth-url=http://10.10.4.47:35357/v2.0 token-get
No handlers could be found for logger "keystoneclient.v2_0.client"
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| expires | 2013-03-02T01:25:40Z |
| id | 00d71cef161a467ebb3ef3646172906c |
| user_id | 264de00cea3348cda1b968f31b369e92 |
+----------+----------------------------------+
keystone --os-username=admin --os-password=keystoneadmin --os-tenant-name=openstackDemo --os-auth-url=http://10.10.4.47:35357/v2.0 token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2013-03-02T01:28:12Z |
| id | 16caeb836e75416d9ab2b09d38228022 |
| tenant_id | ac0da7079c8d4bc2b95009175b21fa66 |
| user_id | 264de00cea3348cda1b968f31b369e92 |
+-----------+----------------------------------+
Openstack安装(2)——glance安装与配
1.安装
nova与glance yum install openstack-glance
2.数据库建立与配置
mysql -u root –p
mysql> CREATE DATABASE glance;
mysql> GRANT ALL ON glance.* TO 'glance'@'%' IDENTIFIED BY '[YOUR_GLANCEDB_PASSWORD]';
mysql> GRANT ALL ON glance.* TO 'glance'@'localhost' IDENTIFIED BY '[YOUR_GLANCEDB_PASSWORD]';
mysql> quit
用户名 glance 密码 glanceadmin
二、glance配置
1.配置文件
glance-api.conf
2.让glance-api服务支持OpenStack Images API的两个版本。
enable_v1_api=True
enable_v2_api=True
3.官方文档指出,如果要支持V2 API,还需要一些配置。
In order to use the v2 API, you must copy the necessary SQL configuration from your glance-registry service to your glance-api configuration file.
4.配置认证(keystone)
/etc/glance/glance-api-paste.ini
[filter:authtoken]
admin_tenant_name = service
admin_user = glance
admin_password = glance
5.添加keyStone支持
/etc/glance/glance-api.conf
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = glance
[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = /etc/glance/glance-api-paste.ini
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-api-keystone], you would configure the flavor below
# as 'keystone'.
flavor=keystone
6.重启服务
service openstack-glance-api restart
7.配置glance-registry
文件/etc/glance/glance-registry.conf
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = glance
admin_password = glance
[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
config_file = /etc/glance/glance-registry-paste.ini
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-api-keystone], you would configure the flavor below
# as 'keystone'.
flavor=keystone
8支持keystone
更新文件/etc/glance/glance-registry-paste.ini
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = authtoken context registryapp
9.数据库 /etc/glance/glance-registry.conf
sql_connection = mysql://glance:[YOUR_GLANCEDB_PASSWORD]@192.168.206.130/glance
10.初始化数据库
glance-manage db_sync
11.重启动服务
service openstack-glance-api restart
service openstack-glance-registry restart
12.异常处理,查看日志
/var/log/glance/registry.log
/var/log/glance/api.log
13.环境变量
export OS_USERNAME=admin
export OS_TENANT_NAME=openstackDemo
export OS_PASSWORD=keystoneadmin
export OS_AUTH_URL=http://localhost:5000/v2.0/
export OS_REGION_NAME=RegionOne
14.使用
glance image-create --name=cirros-0.3.0-x86_64 --disk-format=qcow2 --container-format=bare < stackimages/cirros.img
Added new image with ID: f4addd24-4e8a-46bb-b15d-fae2591f1a35