Installing OpenStack
Method 1: packstack install, the PoC approach (all-in-one) -> installs from an auto-generated answer file
yum install epel-release
yum search openstack
yum install centos-release-openstack-train
yum install openstack-packstack
packstack --gen-answer-file a.txt
packstack --answer-file a.txt
Method 2: from scratch: install the database first, then RabbitMQ, then the components, one at a time from the command line.
Chapter 3 Identity Management
Multi-domain management (Domain)
The exam environment uses multi-domain management by default; the domains themselves have to be created by you.
Hierarchy:
Enabling multi-domain authentication
1. Edit the horizon configuration file
ssh root@controller0
vim /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True ##### change to True
# Overrides the default domain used when running on single-domain model
# with Keystone V3. All entities will be created in the default domain.
#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' ##### the default domain
### search keyword: DOMAIN
docker restart horizon
2. Edit the keystone configuration file (the option lives in the [identity] section)
ssh root@controller0
vim /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration options, stored in either the resource
# backend or in a file in a domain configuration directory (depending on the
# setting of `[identity] domain_configurations_from_database`). Only values
# specific to the domain need to be specified in this manner. This feature is
# disabled by default, but may be enabled by default in a future release; set
# to true to enable. (boolean value)
#domain_specific_drivers_enabled = false
domain_specific_drivers_enabled=True ### change to True
### search keyword: drivers
docker restart keystone
3. Create the domain
(overcloud) [stack@director ~]$ openstack domain list
+----------------------------------+------------+---------+--------------------+
| ID                               | Name       | Enabled | Description        |
+----------------------------------+------------+---------+--------------------+
| 0f60d2e3835f48d2bdd3cc524855c4cd | heat_stack | True    |                    |
| 8dd2d316acc74f54b890bae519ea75b9 | Example    | True    | Example Domain     |
| default                          | Default    | True    | The default domain |
+----------------------------------+------------+---------+--------------------+
(overcloud) [stack@director ~]$ openstack domain create demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 810ea6db35d94abea197b420af01581b |
| name        | demo                             |
| tags        | []                               |
+-------------+----------------------------------+
(overcloud) [stack@director ~]$ openstack domain list
+----------------------------------+------------+---------+--------------------+
| ID                               | Name       | Enabled | Description        |
+----------------------------------+------------+---------+--------------------+
| 0f60d2e3835f48d2bdd3cc524855c4cd | heat_stack | True    |                    |
| 810ea6db35d94abea197b420af01581b | demo       | True    |                    |
| 8dd2d316acc74f54b890bae519ea75b9 | Example    | True    | Example Domain     |
| default                          | Default    | True    | The default domain |
+----------------------------------+------------+---------+--------------------+
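Steps 1 to 3 above are hand edits with vim. The script below is an added example (not part of the course notes) that makes the same two configuration changes idempotently, checks that they took effect, and only then restarts the containers. The file paths default to the puppet-generated paths used above; the ini_set/py_set helpers, the APPLY switch and the scratch config fragments are assumptions of this example, not anything shipped with RHOSP.

```shell
#!/bin/sh
# Added example, not from the course notes: apply the horizon and keystone
# multi-domain settings idempotently and verify them before restarting.
# Paths default to the RHOSP 13 puppet-generated config files; the
# container restart only happens when APPLY=1, so the helpers can first be
# exercised on copies of the files.
set -eu

HORIZON_SETTINGS="${HORIZON_SETTINGS:-/var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings}"
KEYSTONE_CONF="${KEYSTONE_CONF:-/var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf}"

# ini_set FILE SECTION KEY VALUE: set KEY under [SECTION]. A commented
# "#key = ..." line inside that section is replaced in place, so the value
# lands where the upstream sample shows it; otherwise the key is appended.
# Plain awk, so it also works inside a container without crudini.
ini_set() {
    awk -v s="$2" -v k="$3" -v v="$4" '
        /^\[/ { if (in_s && !done) { print k " = " v; done = 1 }
                in_s = ($0 == ("[" s "]")) }
        in_s && $0 ~ ("^#?[ \t]*" k "[ \t]*=") {
                if (!done) { print k " = " v; done = 1 }; next }
        { print }
        END { if (!done) { if (!in_s) print "[" s "]"; print k " = " v } }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ini_get FILE SECTION KEY: print the active (uncommented) value
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[/ { in_s = ($0 == ("[" s "]")); next }
        in_s && $0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }
    ' "$1"
}

# py_set FILE KEY VALUE: local_settings is Python, no sections. Replace an
# active "KEY = ..." assignment or append one; commented lines stay as docs.
py_set() {
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^" k "[ \t]*=") { if (!done) { print k " = " v; done = 1 }; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# py_get FILE KEY: print the active value of a Python-style assignment
py_get() {
    awk -v k="$2" '$0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }' "$1"
}

# enable_multidomain: the edits from steps 1 and 2, verified, then the
# container restarts (only when APPLY=1).
enable_multidomain() {
    py_set "$HORIZON_SETTINGS" OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT True
    py_set "$HORIZON_SETTINGS" OPENSTACK_KEYSTONE_DEFAULT_DOMAIN "'Default'"
    ini_set "$KEYSTONE_CONF" identity domain_specific_drivers_enabled true
    [ "$(py_get "$HORIZON_SETTINGS" OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT)" = True ]
    [ "$(ini_get "$KEYSTONE_CONF" identity domain_specific_drivers_enabled)" = true ]
    if [ "${APPLY:-0}" = 1 ]; then
        docker restart horizon keystone
    fi
}
```

Run it on the controller as `APPLY=1 sh enable_multidomain.sh` after sourcing nothing (it edits files, not the API). Running it twice leaves the files unchanged, which is the property that makes it safe to re-run after a failed restart.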
Exercise (p. 135): Verifying an IdM back-end configuration
Environment issues:
1. Clock: set the date to 2019-05-01;
2. The password on utility.lab.example.com had expired.
Reset the password
admin/RedHat123^
[root@workstation ~]# lab identity-idm setup
Setting up environment for the exercise:
· Verifying user: developer2.................................. FAIL
· Verifying user: developer3.................................. FAIL
· Verifying user: architect2.................................. FAIL
# List the users in the example domain
[root@workstation ~]# su - student
[student@workstation ~]$ source admin-rc
[student@workstation ~]$ openstack user list --domain example
+------------------------------------------------------------------+------------+
| ID                                                               | Name       |
+------------------------------------------------------------------+------------+
| 25b68099b79df26d28bd76ecbd46d98680fd6e1018488730cb5e1fdb3220a1df | admin      |
| 69fb452af3dc1c1b54fb342df19d898fe3928e50cc930ebb8f112b1a59e91726 | architect1 |
| fa2c40ec562ff5f7561d9c6707d0463a0201822b4fe2ab5ddb7bb1292ccec0e3 | architect2 |
# Create the project research in the example domain.
[student@workstation ~]$ openstack project create research --domain example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 8dd2d316acc74f54b890bae519ea75b9 |
| enabled     | True                             |
| id          | de340f8ee38548189579bb7228147898 |
| is_domain   | False                            |
| name        | research                         |
| parent_id   | 8dd2d316acc74f54b890bae519ea75b9 |
| tags        | []                               |
+-------------+----------------------------------+
# Assign the _member_ role on project research to the IdM research-members group.
[student@workstation ~]$ openstack role add \
> --project research \
> --project-domain example \
> --group research-members \
> --group-domain example \
> _member_
# Assign the admin role for the research project to the IdM research-admins group.
[student@workstation ~]$ openstack role add \
> --project research \
> --project-domain example \
> --group research-admins \
> --group-domain example \
> admin
Notes:
- The names given in the exam are capitalized (first letter uppercase).
- Exam task: you need to create the users and the local roles.
Sample exam question
In the overcloud, create the OpenStack domain Demo containing the projects Engineering and Production. In domain Demo create the OpenStack group Devops, which must contain the following users:
- User Robert is a member and administrator of project Engineering; email address: Robert@lab.example.com.
- User George is a member of project Engineering; email address: George@lab.example.com.
- User William is a member and administrator of project Production; email address: William@lab.example.com.
- User John is a member of project Production; email address: John@lab.example.com.
(overcloud) [stack@director ~]$ openstack domain list
+----------------------------------+------------+---------+--------------------+
| ID                               | Name       | Enabled | Description        |
+----------------------------------+------------+---------+--------------------+
| 0f60d2e3835f48d2bdd3cc524855c4cd | heat_stack | True    |                    |
| 810ea6db35d94abea197b420af01581b | demo       | True    |                    |
| 8dd2d316acc74f54b890bae519ea75b9 | Example    | True    | Example Domain     |
| default                          | Default    | True    | The default domain |
+----------------------------------+------------+---------+--------------------+
(overcloud) [stack@director ~]$ openstack domain set demo --disable
(overcloud) [stack@director ~]$ openstack domain delete demo
(overcloud) [stack@director ~]$ openstack domain create Demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 05449cf3b9204c8a9d49c92c7f579b65 |
| name        | Demo                             |
| tags        | []                               |
+-------------+----------------------------------+
(overcloud) [stack@director ~]$ openstack project create Engineering --domain Demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 05449cf3b9204c8a9d49c92c7f579b65 |
| enabled     | True                             |
| id          | 3f0312706c564aab8a5e02c7cf0bbec1 |
| is_domain   | False                            |
| name        | Engineering                      |
| parent_id   | 05449cf3b9204c8a9d49c92c7f579b65 |
| tags        | []                               |
+-------------+----------------------------------+
(overcloud) [stack@director ~]$ openstack project create Production --domain Demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 05449cf3b9204c8a9d49c92c7f579b65 |
| enabled     | True                             |
| id          | b7ff24018eb947daa46982a34f5f67cd |
| is_domain   | False                            |
| name        | Production                       |
| parent_id   | 05449cf3b9204c8a9d49c92c7f579b65 |
| tags        | []                               |
+-------------+----------------------------------+
(overcloud) [stack@director ~]$ openstack user list --domain Demo
(overcloud) [stack@director ~]$ openstack group create devops --domain Demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 05449cf3b9204c8a9d49c92c7f579b65 |
| id          | 018639a3b20148468b2bf0e673256e71 |
| name        | devops                           |
+-------------+----------------------------------+
### Create the admin user and role and bind it to both projects.
(overcloud) [stack@director ~]$ openstack user create --help
usage: openstack user create [-h] [-f {json,shell,table,value,yaml}]
                             [-c COLUMN] [--max-width <integer>] [--fit-width]
                             [--print-empty] [--noindent] [--prefix PREFIX]
                             [--domain <domain>] [--project <project>]
                             [--project-domain <project-domain>]
                             [--password <password>] [--password-prompt]
                             [--email <email-address>]
                             [--description <description>]
                             [--enable | --disable] [--or-show]
                             <name>
(overcloud) [stack@director ~]$ openstack user create admin --domain Demo --password redhat
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 05449cf3b9204c8a9d49c92c7f579b65 |
| enabled             | True                             |
| id                  | 7057a70696494233a30808807f9e4597 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
(overcloud) [stack@director ~]$ openstack role add
usage: openstack role add [-h] [--domain <domain> | --project <project>]
                          [--user <user> | --group <group>]
                          [--group-domain <group-domain>]
                          [--project-domain <project-domain>]
                          [--user-domain <user-domain>] [--inherited]
                          [--role-domain <role-domain>]
                          <role>
openstack role add: error: too few arguments
(overcloud) [stack@director ~]$ openstack role add --user admin --user-domain Demo --project Engineering --project-domain Demo admin
(overcloud) [stack@director ~]$ openstack role add --user admin --user-domain Demo --project Production --project-domain Demo admin
### The remaining users are created in the web GUI.
### Verification command
(overcloud) [stack@director ~]$ openstack role assignment list --user William --user-domain Demo --project Production --project-domain Demo --names
+----------+--------------+-------+-----------------+--------+-----------+
| Role     | User         | Group | Project         | Domain | Inherited |
+----------+--------------+-------+-----------------+--------+-----------+
| admin    | William@Demo |       | Production@Demo |        | False     |
| _member_ | William@Demo |       | Production@Demo |        | False     |
+----------+--------------+-------+-----------------+--------+-----------+
Summary of the commands:
- openstack domain create Demo
- openstack project create Engineering --domain Demo
- openstack project create Production --domain Demo
- openstack user list --domain Demo
- openstack group create devops --domain Demo
- openstack user create admin --domain Demo --password redhat
- openstack role add --user admin --user-domain Demo --project Engineering --project-domain Demo admin
- openstack role add --user admin --user-domain Demo --project Production --project-domain Demo admin
- Create the users in the web GUI.
- Verification command:
openstack role assignment list --user John --user-domain Demo --project Production --project-domain Demo --names
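The notes finish the remaining users in the web GUI. The script below is an added example (not part of the course notes) that completes the whole sample question from the CLI, including the Devops group membership the question asks for, and follows the same pattern as the IdM exercise above (domain-qualified role assignments). It assumes an overcloudrc sourced by a user holding admin, treats _member_ as the plain "user" role exactly as the verification output above shows, and uses a placeholder PASSWORD; DRY_RUN=1 prints every openstack call instead of running it so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the course notes: provision the sample exam
# question from the CLI. DRY_RUN=1 prints the openstack commands instead
# of executing them. Assumes overcloudrc is sourced with admin rights and
# that _member_ is the plain-user role; PASSWORD is a placeholder.
set -eu

DOMAIN=Demo
GROUP=Devops
PASSWORD="${PASSWORD:-redhat}"
DRY_RUN="${DRY_RUN:-0}"

# One user per line, constructed from the question text:
# name:email:project:roles (roles comma-separated)
USERS='
Robert:Robert@lab.example.com:Engineering:_member_,admin
George:George@lab.example.com:Engineering:_member_
William:William@lab.example.com:Production:_member_,admin
John:John@lab.example.com:Production:_member_
'

# run CMD...: echo the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --or-show makes every create idempotent: rerunning after a partial
# failure does not fail on objects that already exist.
ensure_domain()  { run openstack domain create --or-show "$DOMAIN"; }
ensure_project() { run openstack project create --domain "$DOMAIN" --or-show "$1"; }
ensure_group()   { run openstack group create --domain "$DOMAIN" --or-show "$GROUP"; }

# ensure_user NAME EMAIL: the user lives in $DOMAIN, with its email set
ensure_user() {
    run openstack user create --domain "$DOMAIN" --email "$2" \
        --password "$PASSWORD" --or-show "$1"
}

# add_to_group USER: group membership, both sides domain-qualified
add_to_group() {
    run openstack group add user --group-domain "$DOMAIN" \
        --user-domain "$DOMAIN" "$GROUP" "$1"
}

# grant USER PROJECT ROLE: everything is domain-qualified because a name
# such as "admin" can exist in more than one domain
grant() {
    run openstack role add --user "$1" --user-domain "$DOMAIN" \
        --project "$2" --project-domain "$DOMAIN" "$3"
}

# provision: domain, projects, group, then each user with its roles
provision() {
    ensure_domain
    ensure_project Engineering
    ensure_project Production
    ensure_group
    printf '%s\n' "$USERS" | while IFS=: read -r name email project roles; do
        [ -n "$name" ] || continue
        ensure_user "$name" "$email"
        add_to_group "$name"
        for role in $(printf '%s' "$roles" | tr ',' ' '); do
            grant "$name" "$project" "$role"
        done
    done
}

# verify USER PROJECT: the same check the notes use, names resolved
verify() {
    run openstack role assignment list --names --user "$1" --user-domain "$DOMAIN" \
        --project "$2" --project-domain "$DOMAIN"
}

# Usage: DRY_RUN=1 sh provision_demo.sh apply   (review the plan)
#        sh provision_demo.sh apply             (run it)
if [ "${1:-}" = apply ]; then
    provision
    verify William Production
fi
```

Review the dry-run output before applying it: every role add line must carry both --user-domain and --project-domain, otherwise the CLI resolves the names against the Default domain and the grant silently lands on the wrong object or fails.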
Managing identity tokens
In OpenStack identity is established through tokens; issue one with: openstack token issue
Tokens are managed by scope. There are three scopes:
- unscoped;
- project scope;
- domain scope.
There are four common token types:
No. | Type | Drawbacks |
---|---|---|
1 | UUID | Every validation is a lookup in the keystone database; the token table grows as tokens are issued and the keystone back end has to be flushed regularly. |
2 | PKI | Adds load on keystone. Similar to HTTPS; asymmetric cryptography. |
3 | PKIZ | PKI with the token payload compressed. |
4 | fernet | Symmetric encryption with a repository of several keys rotated in turn. The primary key (the highest-numbered key file) encrypts every new token; the staged key (file 0) and the older secondary keys are used only to decrypt, so tokens issued before a rotation stay valid until their key ages out. Regular rotation limits how long a leaked key stays useful. |
Sample exam question
Key rotation is done by running a Mistral workflow; the Mistral component is installed on the undercloud.
- Find the workflow name
(overcloud) [stack@director ~]$ source stackrc
(undercloud) [stack@director ~]$ openstack service list
+----------------------------------+------------------+-------------------------+
| ID                               | Name             | Type                    |
+----------------------------------+------------------+-------------------------+
| 0175f01b32e34e048e65480466ca0df1 | placement        | placement               |
| 19e6c0e055fb4f77b5edc9db4c34941b | heat-cfn         | cloudformation          |
| 261998639f5b464fafaadcc0ff4d85d7 | zaqar-websocket  | messaging-websocket     |
| 32f1900fc5104ec0a032eb2f0bbe63b6 | ironic           | baremetal               |
| 70564b321fa349678465e01cc57e69f7 | keystone         | identity                |
| 7193f91efeb44525ae2780420f752c0f | glance           | image                   |
| 8c4172704dba426a83a3c3633553df65 | ironic-inspector | baremetal-introspection |
| 941164cdcd574ef294fc39b776141855 | heat             | orchestration           |
| 9df43eebd74740c9a5d6ad026b53146b | neutron          | network                 |
| d1f5fa857c7e40db88e48b713d28debd | swift            | object-store            |
| e8e21db59b7c47879cfa9c51c780777f | mistral          | workflowv2              |
| eade3c9269134a528a15f598ca70421b | nova             | compute                 |
| f0a5a41b6bbe4c229f13964e47f754d6 | zaqar            | messaging               |
+----------------------------------+------------------+-------------------------+
(undercloud) [stack@director ~]$ openstack workflow list -f yaml |grep -i fernet
Name: tripleo.fernet_keys.v1.rotate_fernet_keys
(undercloud) [stack@director ~]$ ssh controller0
[heat-admin@controller0 ~]$ sudo -i
[root@controller0 ~]# docker exec -it keystone bash
()[root@controller0 fernet-keys]# ll /etc/keystone/fernet-keys
total 8
-rw-------. 1 keystone keystone 44 Oct 23  2018 0
-rw-------. 1 keystone keystone 44 Oct 23  2018 1
- Rotate
(undercloud) [stack@director ~]$ openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container":"overcloud"}'
+--------------------+-------------------------------------------+
| Field              | Value                                     |
+--------------------+-------------------------------------------+
| ID                 | ccf82346-266c-4699-aca0-1a8c4ef8d9d7      |
| Workflow ID        | c00289f9-612a-4744-b94a-a24d8e89736b      |
| Workflow name      | tripleo.fernet_keys.v1.rotate_fernet_keys |
| Workflow namespace |                                           |
| Description        |                                           |
| Task Execution ID  | <none>                                    |
| State              | RUNNING                                   |
| State info         | None                                      |
| Created at         | 2019-05-17 16:38:21                       |
| Updated at         | 2019-05-17 16:38:21                       |
+--------------------+-------------------------------------------+
(undercloud) [stack@director ~]$ openstack workflow execution show ccf82346-266c-4699-aca0-1a8c4ef8d9d7
+--------------------+-------------------------------------------+
| Field              | Value                                     |
+--------------------+-------------------------------------------+
| ID                 | ccf82346-266c-4699-aca0-1a8c4ef8d9d7      |
| Workflow ID        | c00289f9-612a-4744-b94a-a24d8e89736b      |
| Workflow name      | tripleo.fernet_keys.v1.rotate_fernet_keys |
| Workflow namespace |                                           |
| Description        |                                           |
| Task Execution ID  | <none>                                    |
| State              | RUNNING   # wait until this reads SUCCESS; only then is the new key present in the keystone container |
| State info         | None                                      |
| Created at         | 2019-05-17 16:38:21                       |
| Updated at         | 2019-05-17 16:38:21                       |
+--------------------+-------------------------------------------+
[root@workstation ~]# ssh controller0
[root@controller0 ~]# docker exec -it keystone bash
()[root@controller0 /]# ll /etc/keystone/fernet-keys
total 12
-rw-------. 1 keystone keystone 44 May 17 16:39 0
-rw-------. 1 keystone keystone 44 May 17 16:39 1
-rw-------. 1 keystone keystone 44 May 17 16:39 2
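The fernet row of the token table and the rotation run above both describe the same mechanism: the staged key 0 is promoted to primary, a new staged key is written, and old keys are purged beyond max_active_keys. The script below is an added example (not part of the course notes) that simulates that repository layout on a scratch directory so the staged/primary/secondary roles can be checked before rotating on the controllers. The REPO temp directory, the MAX_ACTIVE_KEYS default of 3 (keystone's default) and the helper names are assumptions of this example; the real command on a controller is keystone-manage fernet_rotate, which the Mistral workflow runs on every controller for you.

```shell
#!/bin/sh
# Added example, not from the course notes: simulate the key repository
# that "keystone-manage fernet_rotate" maintains. The real command on a
# RHOSP 13 controller runs inside the keystone container:
#   keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone
# REPO (a temp dir) and MAX_ACTIVE_KEYS (keystone's default 3) are assumptions.
set -eu

REPO="${REPO:-$(mktemp -d)}"
MAX_ACTIVE_KEYS="${MAX_ACTIVE_KEYS:-3}"

# new_key FILE: 32 random bytes as URL-safe base64 (44 chars, matching the
# 44-byte files in the listing above), mode 0600 like keystone writes them
new_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_' > "$1"
    chmod 0600 "$1"
}

# key_list: sorted key indexes, space separated
key_list() {
    ls "$REPO" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# primary_index: the highest-numbered key, the only one that encrypts new
# tokens. 0 is the staged key; every other key is a secondary key that is
# used for decryption only.
primary_index() {
    ls "$REPO" | sort -n | tail -n 1
}

# fernet_setup: what "keystone-manage fernet_setup" leaves behind:
# staged key 0 and primary key 1 (the "total 8" listing above)
fernet_setup() {
    mkdir -p "$REPO"
    new_key "$REPO/0"
    new_key "$REPO/1"
}

# fernet_rotate: promote the staged key to primary (rename 0 -> N+1),
# write a fresh staged key to 0, then purge the lowest-numbered secondary
# keys until at most MAX_ACTIVE_KEYS files remain. Tokens issued under the
# previous primary still decrypt because that key stays as a secondary
# until it ages out.
fernet_rotate() {
    new_primary=$(( $(primary_index) + 1 ))
    mv "$REPO/0" "$REPO/$new_primary"
    new_key "$REPO/0"
    while [ "$(ls "$REPO" | wc -l | tr -d ' ')" -gt "$MAX_ACTIVE_KEYS" ]; do
        oldest=$(ls "$REPO" | grep -v '^0$' | sort -n | head -n 1)
        rm -f "$REPO/$oldest"
    done
}
```

The staged key exists so that it can be copied to every controller before it becomes a primary anywhere; a token encrypted by a freshly rotated node is then decryptable on all the others. That is why rotation on the overcloud is done through the workflow rather than by running keystone-manage on one controller, and why the State must reach SUCCESS before the key set is considered consistent.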