openstack安装--keystone

安装在controller节点
一、数据库
1、要求controller和compute节点的数据库能互相访问

grant all on *.* to root@'%' identified by "mima" WITH GRANT OPTION;         
flush privileges;

2、 mysql -u root -p

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';

3、生成一个随机的字符串

openssl rand -hex 10
假设为aaaaa

二、
1、安装memcached

yum install openstack-keystone httpd mod_wsgi memcached python-memcached
systemctl enable memcached.service
systemctl start memcached.service

2、Edit the /etc/keystone/keystone.conf file and complete the following actions:

[DEFAULT]
admin_token = ADMIN_TOKEN(aaaaa)
verbose = True
[database]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
[memcache]
servers = localhost:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql

同步keystone数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
注意：如果报错No handlers could be found for logger "oslo_config.cfg"
解决办法：去掉verbose = True这行

3、配置Apache
Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:

ServerName controller

Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

配置之后启动http服务

systemctl enable httpd.service
 systemctl start httpd.service

三、
1.设置环境变量

export OS_TOKEN=ADMIN_TOKEN（aaaaa）
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

2.Create the service entity and API endpoints

openstack service create  --name keystone --description "OpenStack Identity" identity

报错：Unable to establish connection to http://controller:35357/v3/services
检查35357端口是否已经被监听，如果没有，就检查配置文件是否写错

3.创建endpoint
Create the Identity service API endpoints：

openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0
 openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0
 openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0

四、创建project、user、role并关联
1.admin

openstack project create --domain default \
  --description "Admin Project" admin
 openstack user create --domain default \
  --password-prompt admin
User Password:
Repeat User Password:
openstack role create admin
openstack role add --project admin --user admin admin

2.demo

openstack project create --domain default \
  --description "Service Project" service
 openstack project create --domain default \
  --description "Demo Project" demo
 openstack user create --domain default \
  --password-prompt demo
User Password:
Repeat User Password:
openstack role create user
openstack role add --project demo --user demo user

五、
1、For security reasons, disable the temporary authentication token mechanism:
Edit the /usr/share/keystone/keystone-dist-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.
2、

unset OS_TOKEN OS_URL

3、As the admin user, request an authentication token:

 openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-id default --os-user-domain-id default \
  --os-project-name admin --os-username admin --os-auth-type password \
  token issue
Password:

用这一长串访问keystone时，不能有相关的环境变量，所以要unset
4、As the demo user, request an authentication token:

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-id default --os-user-domain-id default \
  --os-project-name demo --os-username demo --os-auth-type password \
  token issue
Password:

六、
1.Creating the scripts

vim admin-openrc.sh

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS //注意替换
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

vim demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS //注意替换
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

2.Using the scripts

source admin-openrc.sh

Request an authentication token:

 openstack token issue