An OpenStack system consists of several key services that are installed separately. These services work together depending on your cloud needs and include the Compute, Identity, Networking, Image, Block Storage, Object Storage, Telemetry, Orchestration, and Database services. You can install any of these projects separately and configure them stand-alone or as connected entities.
Identity service, code-named: keystone (controller node)
The Identity service is usually the first service a user interacts with. Each service can have one or many endpoints, and each endpoint can be one of three types: admin, internal, or public.
Prerequisites
Before you install and configure the Identity service, you must create a database.
$ mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> exit
Replace KEYSTONE_DBPASS with a suitable password. The default is used here.
Install and configure components
- # yum install openstack-keystone httpd mod_wsgi -y
- Edit the /etc/keystone/keystone.conf file. In the [database] section, configure database access:
vi /etc/keystone/keystone.conf
Modify:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller-150/keystone
Replace KEYSTONE_DBPASS with the password you chose for the database.
[token]
# ...
provider = fernet
- Populate the Identity service database. Make sure the highlighted placeholders above (KEYSTONE_DBPASS) were replaced correctly; otherwise the import fails here without any error message.
su -s /bin/sh -c "keystone-manage db_sync" keystone
- Initialize the Fernet key repositories
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
- Bootstrap the Identity service. Unlike the other services, the Identity service is created with the command below. After it runs, the default domain, the admin user (see the note at the end), the admin role, the identity service, and the service endpoints exist.
Before the Queens release, keystone had to run on two separate ports to accommodate the Identity v2 API, which usually ran a separate admin-only service on port 35357. With the v2 API removed, keystone can serve all interfaces on the same port.
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller-150:5000/v3/ \
--bootstrap-internal-url http://controller-150:5000/v3/ \
--bootstrap-public-url http://controller-150:5000/v3/ \
--bootstrap-region-id RegionOne
Replace ADMIN_PASS with a suitable password for an administrative user.
- Configure the Apache HTTP server
# vi /etc/httpd/conf/httpd.conf
Add:
ServerName controller-150
- Create the symbolic link
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ && ll /etc/httpd/conf.d/
- Finish the installation
Start the HTTP server:
# systemctl enable httpd.service
# systemctl start httpd.service
Configure administrative access (all of the following commands are run as a regular user):
su - xiao
export OS_USERNAME=admin
export OS_PASSWORD=你的密码
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller-150:5000/v3
export OS_IDENTITY_API_VERSION=3
Here 你的密码 stands for your password: the one set with --bootstrap-password in the "Bootstrap the Identity service" step.
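Two of the steps above fail quietly when something is wrong: db_sync with a leftover KEYSTONE_DBPASS placeholder, and a Fernet key repository whose keys (which sign every token keystone issues) are readable by other users. The following pre-flight script is an added example, not part of this page or of the OpenStack documentation; it assumes the default paths /etc/keystone/keystone.conf and /etc/keystone/fernet-keys and the keystone service user.

```shell
#!/bin/sh
# Added example (not from the OpenStack docs): pre-flight checks to run after
# editing keystone.conf and after fernet_setup, before db_sync and bootstrap.
# Paths and the "keystone" owner are assumptions; pass others as arguments.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION]; only the
# first uncommented match counts (a "# ..." or "#key = x" line never matches).
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { sect=$0; gsub(/[ \t\r]/, "", sect); next }
        sect==s && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$1"
}

# check_keystone_conf FILE: 0 if [database] connection has no leftover
# KEYSTONE_DBPASS placeholder and [token] provider is fernet, else 1.
check_keystone_conf() {
    conn=$(ini_get "$1" database connection)
    prov=$(ini_get "$1" token provider); rc=0
    case "$conn" in
        "")                echo "FAIL: [database] connection is missing"; rc=1 ;;
        *KEYSTONE_DBPASS*) echo "FAIL: KEYSTONE_DBPASS placeholder not replaced"; rc=1 ;;
        mysql+pymysql://*) ;;
        *)                 echo "FAIL: unexpected driver in connection: $conn"; rc=1 ;;
    esac
    [ "$prov" = "fernet" ] || { echo "FAIL: [token] provider='$prov', want fernet"; rc=1; }
    return $rc
}

# check_fernet_repo DIR OWNER: 0 if DIR is mode 0700, every key file in it is
# mode 0600, everything is owned by OWNER and at least one key exists, else 1.
check_fernet_repo() {
    dir="$1"; owner="$2"; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir missing (run fernet_setup first)"; return 1; }
    bad=$(find "$dir" \( ! -user "$owner" -o \( -type d ! -perm 0700 \) \
                          -o \( -type f ! -perm 0600 \) \))
    [ -z "$bad" ] || { echo "FAIL: wrong owner or mode:"; echo "$bad"; rc=1; }
    n=$(find "$dir" -type f | wc -l)
    [ "$n" -ge 1 ] || { echo "FAIL: no key files in $dir"; rc=1; }
    return $rc
}

# On the controller (as root): sh keystone-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_keystone_conf /etc/keystone/keystone.conf &&
    check_fernet_repo /etc/keystone/fernet-keys keystone &&
    echo "OK: safe to run db_sync and bootstrap"
fi
```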
Create a domain, projects, users, and roles
The Identity service provides authentication for every OpenStack service. Authentication uses a combination of domains, projects, users, and roles.
Create a domain
A default domain already exists and we simply use it. Other domains can of course be created, like this:
$ openstack domain create --description "An Example Domain" example
Create projects
$ openstack project create --domain default \
--description "Service Project" service
$ openstack project create --domain default \
--description "Demo Project" demo
Create a user
$ openstack user create --domain default \
--password-prompt demo
Create a role
$ openstack role create user
Add the user role to the demo user in the demo project
$ openstack role add --project demo --user demo user
For details, see:
https://docs.openstack.org/keystone/queens/install/keystone-users-rdo.html
Configure the environment files
Because the previous step had to create a domain and so on, many environment variables were exported by hand to access the Identity service; the point of the environment files is to make that access convenient. Before configuring them, exit the current session and log in to the system again.
# mkdir /etc/openstack/
# vi /etc/openstack/admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=你的密码
export OS_AUTH_URL=http://controller-150:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# cat /etc/openstack/demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=你的密码
export OS_AUTH_URL=http://controller-150:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Verification
Verify directly with the scripts from the previous step:
$ source /etc/openstack/admin-openrc
$ openstack token issue
$ . /etc/openstack/demo-openrc
$ openstack token issue
Add a firewall rule
# netstat -tlnp |grep http
:::5000 :::* LISTEN 2258/httpd
# firewall-cmd --add-port 5000/tcp --permanent
# firewall-cmd --reload && firewall-cmd --list-ports
For details, see:
https://docs.openstack.org/keystone/queens/install/keystone-install-rdo.html
Note on the admin user: all users of the other components are registered in the service project; the identity service is registered in the admin project.