Keystone集群部署:
Keystone 的主要功能如下:
1 管理用户及其权限;
2 维护 OpenStack 服务的 Endpoint;
3 Authentication(认证)和 Authorization(鉴权)。
4.1 配置Keystone数据库
#在任意控制节点创建数据库,数据库自动同步,以controller003节点为例;
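# Log in to MariaDB/MySQL as root (prompts for the root password on the tty).
# Run this on any one controller; Galera replicates the result to the others.
# NOTE: 'keystone.123' is a tutorial placeholder. Generate a real secret
# (e.g. `openssl rand -hex 16`) and use the same value in keystone.conf.
mysql -u root -p <<'EOF'
-- Create the keystone database.
CREATE DATABASE keystone;
-- Grant the keystone service account access from localhost and from the
-- controllers' management subnet. The original used '%' (any host); in this
-- guide the 192.168.1.x controllers are the only legitimate clients, so the
-- grant is limited to that subnet. Adjust it if the VIP / HAProxy source
-- address or the controllers live in another subnet.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'192.168.1.%' IDENTIFIED BY 'keystone.123';
FLUSH PRIVILEGES;
EOF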
4.2 安装对应组件包
# Install the Keystone package (Ubuntu/Debian); -y answers the install prompt.
apt-get install -y keystone
4.3 配置Apache2 Server
#修改servername为主机名,如果不存在则添加在文末,以controller003为例:
#vim /etc/apache2/apache2.conf
ServerName controller003
#为避免端口冲突,需修改下面配置文件中的监听地址:HAProxy 通常已在 VIP 上监听 5000 端口(参见 4.x 中 `could not bind to address 0.0.0.0:5000` 的报错),因此 Apache 只能绑定本节点自身的 IP,而不能绑定 0.0.0.0
#vim /etc/apache2/sites-available/keystone.conf
Listen 192.168.1.3:5000
<VirtualHost 192.168.1.3:5000>
#vim /etc/apache2/ports.conf
# Start Apache now and make it start at boot, then show its state.
# `enable --now` is the combined form of `enable` followed by `start`.
# NOTE(review): section 4.7 later puts apache2 under pacemaker control; once it
# does, consider `systemctl disable apache2` so systemd and pacemaker do not
# both try to supervise the same unit — confirm against your pacemaker setup.
systemctl enable --now apache2.service
systemctl status apache2.service
4.4 配置Keystone - ALL Controller
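# Keep a pristine copy of the packaged keystone.conf, then rewrite the live
# file with comments and blank lines stripped so only effective settings remain.
# -n: never overwrite an existing backup (re-running this step would otherwise
#     replace the pristine copy with the already-stripped/edited file).
# -p: keep the owner and mode of the original on the backup.
# The redirection truncates keystone.conf in place instead of replacing it, so
# the file keeps its packaged ownership/mode (typically root:keystone 0640 —
# verify with `ls -l`). It will hold the DB password once [database] is
# filled in and must never become world-readable.
cp -n -p /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
grep -E -v '^$|^#' /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf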
#配置Keystone配置文件,在对应项底下增加以下字段
#vim /etc/keystone/keystone.conf
[cache]
# oslo.cache backed by the memcached instances on all three controllers.
# memcached has no authentication of its own: make sure each instance listens
# only on the management interface (not 0.0.0.0) and is firewalled from tenant
# and public networks.
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller003:11211,controller004:11211,controller005:11211
[database]
# The connection goes through the VIP (controller100), not a single node.
# This line embeds the DB password in clear text: keystone.conf must stay
# readable only by root and the keystone group (typically root:keystone 0640).
# 'keystone.123' is the tutorial placeholder — use the real generated secret.
connection = mysql+pymysql://keystone:keystone.123@controller100/keystone
# Pooled connections older than an hour are replaced on next checkout,
# so a connection cannot outlive the proxy/DB idle timeout — TODO confirm
# the value against your HAProxy/Galera timeouts.
connection_recycle_time = 3600
[token]
# Fernet tokens: every controller must hold identical key repositories
# (/etc/keystone/fernet-keys, synced in the next step) or tokens issued by one
# node will be rejected by the others.
provider = fernet
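# Populate the keystone schema and create the Fernet and credential key
# repositories. The steps are chained with && so that a failure (for example a
# wrong [database] connection string) stops here instead of silently going on;
# a zero exit status, not just the absence of output, is the success signal.
# Both repositories are created owned by the keystone user/group; they are the
# root of trust for every token and stored credential, so verify they stay
# 0700 (directory) / 0600 (files) and never relax those permissions.
su -s /bin/sh -c "keystone-manage db_sync" keystone \
  && keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone \
  && keystone-manage credential_setup --keystone-user keystone --keystone-group keystone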
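# Verify that db_sync created the keystone tables.
# -p without a value prompts for the password: putting it on the command line
# (-pkeystone.123) would expose it in the shell history and in `ps` output.
# This queries controller003 directly; Keystone itself talks to the VIP
# (controller100), so repeating the check with -h controller100 also proves
# the HAProxy/Galera path works for the keystone account.
mysql -h controller003 -u keystone -p -e 'SHOW TABLES FROM keystone;'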
#同步 Fernet 密钥(注:"秘钥"应为"密钥")
# 向controller004/005节点同步密钥。fernet-keys 与 credential-keys 是所有令牌和存储凭据的信任根:只能经 SSH(scp)传输,不要通过邮件、共享盘等渠道分发;并且每次执行 `keystone-manage fernet_rotate` 后都必须重新同步到全部控制节点,否则其他节点会拒绝新签发的令牌
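# Copy the Fernet and credential key repositories from controller003 to the
# other controllers and fix ownership/permissions there. Run on controller003.
# Anyone holding these keys can mint valid tokens and decrypt stored
# credentials, so: transport only over SSH, keep the keystone user as the sole
# owner, and repeat this after every `keystone-manage fernet_rotate`.
# -p keeps the original modes; the explicit chmod guards against a restrictive
# umask or a different scp implementation on the target loosening them.
for host in 192.168.1.4 192.168.1.5; do
  scp -r -p /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ "root@${host}:/etc/keystone/" \
    && ssh "root@${host}" \
         'chown -R keystone:keystone /etc/keystone/fernet-keys /etc/keystone/credential-keys \
          && chmod 700 /etc/keystone/fernet-keys /etc/keystone/credential-keys \
          && chmod 600 /etc/keystone/fernet-keys/* /etc/keystone/credential-keys/*' \
    || { printf 'key sync to %s failed\n' "${host}" >&2; exit 1; }
done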
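# Bootstrap the Identity service: creates the admin user and 'admin' project,
# the admin/member/reader roles, and the identity endpoints in RegionOne.
# The endpoint URLs use the VIP hostname (controller100), not a single node.
# The tutorial uses admin.123 as the admin password; whatever you enter here
# must match OS_PASSWORD in adminrc.sh below. The password is read from the
# terminal into OS_BOOTSTRAP_PASSWORD (which keystone-manage honours) rather
# than passed as --bootstrap-password, so it never lands in the shell history
# or in `ps` output.
# NOTE: the endpoints are plain http://, so passwords and tokens cross the
# network in clear text. Outside a lab, terminate TLS on HAProxy at the VIP
# and re-run this command (it is safe to re-run) with https:// URLs.
read -r -s -p 'Keystone admin (bootstrap) password: ' OS_BOOTSTRAP_PASSWORD; echo
export OS_BOOTSTRAP_PASSWORD
keystone-manage bootstrap \
  --bootstrap-admin-url http://controller100:5000/v3/ \
  --bootstrap-internal-url http://controller100:5000/v3/ \
  --bootstrap-public-url http://controller100:5000/v3/ \
  --bootstrap-region-id RegionOne
unset OS_BOOTSTRAP_PASSWORD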
4.5 配置环境变量
#配置环境变量文件,这里的 OS_PASSWORD 即上面 bootstrap 时为 admin 设置的密码(admin.123)。该文件明文保存管理员密码,创建后请执行 `chmod 600 adminrc.sh`,并且不要提交到版本库
#vim adminrc.sh
# Credentials for the cloud admin created by `keystone-manage bootstrap`.
# Source this file (`source adminrc.sh`); executing it would set the variables
# in a child shell that exits immediately. It holds the admin password in
# clear text, so keep it mode 0600 and out of version control.
OS_USERNAME=admin
OS_PASSWORD=admin.123
OS_PROJECT_NAME=admin
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_DOMAIN_NAME=Default
OS_AUTH_URL=http://controller100:5000/v3
OS_IDENTITY_API_VERSION=3
export OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
       OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION
#取消环境变量配置
#vim unsetadminrc.sh
# Undo adminrc.sh: drop the seven OS_* variables it exported so later commands
# in this shell cannot silently reuse the admin credentials.
unset OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
      OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION
#查看是否设置成功
#也可以使用openstack token issue
root@controller003:~# source adminrc.sh
root@controller003:~# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
#分发脚本至各控制节点(注意:本节创建的文件是 adminrc.sh 和 unsetadminrc.sh,原文写的 admin-openrc/demo-openrc 并未在上文创建;脚本含明文管理员密码,拷贝到各节点后同样保持 0600 权限):
root@controller003:~# scp adminrc.sh unsetadminrc.sh root@192.168.1.4:~/
root@controller003:~# scp adminrc.sh unsetadminrc.sh root@192.168.1.5:~/
4.6 创建域、项目、用户和角色
身份服务为每个OpenStack服务提供身份验证服务,其中包括服务使用域、项目、用户和角色的组合。
#keystone-manage引导步骤中,“默认”域已经存在,创建新域的方法是:
openstack domain create --description "An Example Domain" example
#执行完成后的正常提示
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 70eb130ba9534e07ba908bc3d3761525 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
#创建服务项目:
openstack project create --domain default --description "Service Project" service
#执行结果:
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 1121de199979451ca8f72843b1e20822 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
#创建user角色
openstack role create user
#输出
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 0c19dad2f68b4c99a4e7b0af9dcc7367 |
| name | user |
| options | {} |
+-------------+----------------------------------+
#查看角色
openstack role list
#输出
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0c19dad2f68b4c99a4e7b0af9dcc7367 | user |
| 7bd349df1d734817b41cf1d25fc921c4 | reader |
| c5e6b6b811d84a75bdcc0997f5f76eeb | admin |
| def5070f95f04b65b3d425cdd6adf4e3 | member |
+----------------------------------+--------+
#查看权限分配
root@controller003:~# openstack user list
root@controller003:~# openstack role list
root@controller003:~# openstack role assignment list
4.7 添加pcs资源
#在任意控制节点操作;
#添加资源openstack-keystone-clone;
#pcs 实际控制的是各节点上由 systemd unit 管理的 apache2 服务(Ubuntu 上 Keystone 以 mod_wsgi 方式运行在 apache2 中,并非 httpd);交由 pacemaker 管理后,建议在各节点执行 `systemctl disable apache2`,避免 systemd 与 pacemaker 两个管理者相互冲突
root@controller003:~# pcs resource create openstack-keystone systemd:apache2 clone interleave=true
root@controller003:~# pcs resource
* vip (ocf::heartbeat:IPaddr2): Started controller003
* Clone Set: lb-haproxy-clone [lb-haproxy]:
* Started: [ controller003 ]
* Stopped: [ controller004 controller005 ]
* Clone Set: openstack-keystone-clone [openstack-keystone]:
* Started: [ controller003 controller004 controller005 ]
至此,Keystone集群已部署完毕,如有问题请联系我改正,感激不尽!
4.x 部署过程遇到的问题汇总
eg1.(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:5000
解决方案:vim /etc/apache2/sites-available/keystone.conf
Listen 192.168.1.3:5000
<VirtualHost 192.168.1.3:5000>
保存退出后重启apache2
eg2.root@controller003:~# openstack domain list
Unable to establish connection to http://controller100:5000/v3/auth/tokens: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
解决方案:
less /var/log/keystone/keystone-wsgi-public.log
发现少了个模块,安装后继续报错
2021-04-13 02:45:57.835 765596 ERROR stevedore.extension [-] Could not load 'oslo_cache.etcd3gw': No module named 'etcd3gw': ModuleNotFoundError: No module named 'etcd3gw'
apt install python3-etcd3gw
2021-04-13 18:20:55.754852 mod_wsgi (pid=295880): Failed to exec Python script file '/usr/bin/keystone-wsgi-public'.
2021-04-13 18:20:55.754920 mod_wsgi (pid=295880): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-public'.
2021-04-13 18:20:55.755170 Traceback (most recent call last):
2021-04-13 18:20:55.755251 File "/usr/bin/keystone-wsgi-public", line 52, in <module>
2021-04-13 18:20:55.755259 application = initialize_public_application()
2021-04-13 18:20:55.755274 File "/usr/lib/python3/dist-packages/keystone/server/wsgi.py", line 23, in initialize_public_application
2021-04-13 18:20:55.755280 return flask_core.initialize_application(
2021-04-13 18:20:55.755294 File "/usr/lib/python3/dist-packages/keystone/server/flask/core.py", line 157, in initialize_application
2021-04-13 18:20:55.755299 keystone.server.configure(config_files=config_files)
2021-04-13 18:20:55.755313 File "/usr/lib/python3/dist-packages/keystone/server/__init__.py", line 28, in configure
2021-04-13 18:20:55.755318 keystone.conf.configure()
2021-04-13 18:20:55.755331 File "/usr/lib/python3/dist-packages/keystone/conf/__init__.py", line 134, in configure
2021-04-13 18:20:55.755337 conf.register_cli_opt(
2021-04-13 18:20:55.755351 File "/usr/lib/python3/dist-packages/oslo_config/cfg.py", line 2055, in __inner
2021-04-13 18:20:55.755376 result = f(self, *args, **kwargs)
2021-04-13 18:20:55.755389 File "/usr/lib/python3/dist-packages/oslo_config/cfg.py", line 2333, in register_cli_opt
2021-04-13 18:20:55.755394 raise ArgsAlreadyParsedError("cannot register CLI option")
2021-04-13 18:20:55.755424 oslo_config.cfg.ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
确认主机是否执行了
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone