一、创建数据库
mysql -u root -p
-- Create the database that will hold Keystone's data.
CREATE DATABASE keystone;
-- Give the 'keystone' account full rights on that database for local connections.
-- KEYSTONE_DBPASS is a placeholder: substitute a strong password of your own.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
-- Same grant for host '%', the wildcard that matches connections from any host.
-- NOTE(review): narrow '%' to the host(s) that really need database access if
-- the database is only used from this machine.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
KEYSTONE_DBPASS是数据库用户keystone的密码占位符,请替换为自己设置的强密码;后面keystone.conf中的connection一项要使用同一个密码
二、生成随机字符串(用作管理令牌)
openssl rand -hex 10
返回的是一串随机字符,复制下来备用(后面用作keystone.conf中的admin_token和环境变量OS_TOKEN,请使用自己生成的值)
三、禁止keystone服务在安装后自动启动
echo "manual" > /etc/init/keystone.override
四、安装keystone必要的组件
apt-get install apache2 libapache2-mod-wsgi memcached python-memcache
注意:这里就和官方文档不一样了,这里的keystone我没有安装,它就是接下来要用源码安装的部分
五、正式源码安装
git clone https://git.openstack.org/openstack/keystone.git
我的源码是直接下载并且解压的
cd keystone
下载安装时用的包
apt-get install build-essential git python-dev python-setuptools python-pip libxml2-dev libxslt-dev
apt-get install libffi-dev
vim requirements.txt
注释掉
#Routes!=2.0,!=2.1,>=1.12.3;python_version=='2.7'
#Routes!=2.0,>=1.12.3;python_version!='2.7'
pip install -r requirements.txt
python setup.py install
如果幸运的话,没有报错
cp -R etc /etc/keystone
将etc包下的所有文件复制到/etc/keystone
chown -R laks:laks /etc/keystone
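laks是我的用户名,这个可以写成你自己的。注意:keystone.conf之后会写入admin_token和数据库密码,配置完成并创建keystone用户后,建议把/etc/keystone的属主改为实际运行服务的keystone用户,并将keystone.conf设为仅属主和属组可读(例如chmod 640)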
mv /etc/keystone/logging.conf.sample /etc/keystone/logging.conf
将logging的示例配置文件重命名为正式的配置文件
cp /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf
复制出keystone的配置文件
# Keep an untouched copy of the full sample configuration for reference.
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
# Rebuild keystone.conf from that copy, dropping lines that start with '#'
# and empty lines, so only section headers and uncommented options remain.
grep -Ev '^(#|$)' /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
复制配置文件备份,应用cat去除#注释部分,使配置文件更清晰
vim /etc/keystone/keystone.conf
编辑修改配置文件
[DEFAULT]
# Bootstrap secret accepted by the admin_token_auth middleware; it must equal
# the OS_TOKEN value exported during the initial setup. The value below is this
# guide's sample: generate your own with `openssl rand -hex 10` and do not
# reuse the published one.
admin_token = b6c1f96de2084b737c47
verbose = True
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
# SQLAlchemy URL: user keystone, password KEYSTONE_DBPASS (placeholder for the
# password chosen in the GRANT statements), MySQL server on host "horizon",
# database keystone. The password sits here in clear text, so keep this file
# unreadable to unrelated local users.
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@horizon/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
# memcached instance on the local host, port 11211.
servers = localhost:11211
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
# Revocation events are kept in the SQL database.
driver = sql
[role]
[saml]
[signing]
[ssl]
[token]
# UUID tokens, stored in memcached (the [memcache] servers entry).
provider = uuid
driver = memcache
[tokenless_auth]
[trust]
配置文件已贴出
useradd keystone
mkdir -p /home/keystone
添加用户
su -s /bin/sh -c "keystone-manage db_sync" keystone
同步数据库
编辑/etc/apache2/apache2.conf
ServerName horizon
创建编辑/etc/apache2/sites-available/wsgi-keystone.conf
# Keystone listeners: 5000 serves the public API, 35357 the admin API.
# NOTE(review): both virtual hosts are plain HTTP and bind every address (*),
# so tokens and passwords cross the network unencrypted; keep these ports on a
# trusted network or terminate TLS in front of them.
Listen 5000
Listen 35357
# Public API virtual host.
<VirtualHost *:5000>
# Five single-threaded WSGI daemon processes running as the keystone account.
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
# Entry script placed in /usr/local/bin by the source install.
WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Hand the HTTP Authorization header through to the WSGI application.
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
# Both virtual hosts write to the same error and access log files.
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
# Let Apache serve the WSGI script from /usr/local/bin
# (2.4 syntax first, 2.2 syntax as the fallback).
<Directory /usr/local/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
# Admin API virtual host; same layout as the public one, different process
# group and entry script.
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/local/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
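# Enable the Keystone virtual hosts by linking the site file into sites-enabled.
ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
# Make the Apache configuration readable without making it writable by
# everyone: mode 777 would let any local account rewrite the virtual-host and
# WSGI settings that Apache loads at start-up. The capital X keeps directories
# traversable without marking plain files executable.
chmod -R u=rwX,go=rX /etc/apache2
service apache2 restart
# Remove a leftover SQLite database file if one exists; this setup stores its
# data in MySQL, and -f makes the command a no-op when the file is absent.
rm -f /var/lib/keystone/keystone.db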
六、创建keystone环境以及创建用户、项目
# Temporary bootstrap environment for the openstack client: talk to the v3
# admin endpoint and authenticate with the shared admin token, which must
# equal admin_token in keystone.conf. The value is this guide's sample; use
# the one you generated. OS_TOKEN and OS_URL are unset again before the
# verification step.
export OS_IDENTITY_API_VERSION=3
export OS_URL=http://horizon:35357/v3
export OS_TOKEN=b6c1f96de2084b737c47
创建服务
openstack service create --name keystone --description "OpenStack Identity" identity
此时会报错
Internal Server Error (HTTP 500)
输入keystone-wsgi-public会报如下错误
ContextualVersionConflict: (oslo.serialization 1.9.0 (/usr/lib/python2.7/dist-packages), Requirement.parse('oslo.serialization>=1.10.0'), set(['oslo.log', 'oslo.policy', 'pycadf', 'keystonemiddleware', 'oslo.messaging']))
解决办法:升级报错信息中版本过低的依赖包
pip install oslo.serialization --upgrade
pip install requests --upgrade
pip install oslo.config --upgrade
openstack service create --name keystone --description "OpenStack Identity" identity
创建身份服务API端点:
openstack endpoint create --region RegionOne identity public http://horizon:5000/v2.0
这时又报错,http(500)
service apache2 restart
openstack endpoint create --region RegionOne identity public http://horizon:5000/v2.0
openstack endpoint create --region RegionOne identity internal http://horizon:5000/v2.0
openstack endpoint create --region RegionOne identity admin http://horizon:35357/v2.0
创建用户
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
创建服务项目
openstack project create --domain default --description "Service Project" service
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user
七、校验
编辑/etc/keystone/keystone-paste.ini
将[pipeline:public_api]、[pipeline:admin_api]、[pipeline:api_v3]三处中的admin_token_auth删除,以禁用临时的admin_token认证机制(出于安全考虑,初始化完成后不应再保留)
设置环境变量
unset OS_TOKEN OS_URL
校验
openstack --os-auth-url http://horizon:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
openstack --os-auth-url http://horizon:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
八、创建登录脚本
vim admin-openrc.sh
# admin-openrc.sh: client environment for the admin user. Load it with
# `source`, do not execute it.

# Identity endpoint (admin port) and API version.
export OS_AUTH_URL=http://horizon:35357/v3
export OS_IDENTITY_API_VERSION=3

# Domain and project scope.
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin

# Credentials. OS_PASSWORD must be the password entered at the
# `openstack user create --password-prompt admin` step. It is kept here in
# clear text, so make this file readable by its owner only (chmod 600) and
# avoid a guessable value such as the sample one.
export OS_USERNAME=admin
export OS_PASSWORD=admin
vim demo-openrc.sh
# demo-openrc.sh: client environment for the demo user. Load it with
# `source`, do not execute it.

# Identity endpoint (public port) and API version.
export OS_AUTH_URL=http://horizon:5000/v3
export OS_IDENTITY_API_VERSION=3

# Domain and project scope.
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo

# Credentials. OS_PASSWORD must be the password entered at the
# `openstack user create --password-prompt demo` step. It is kept here in
# clear text, so make this file readable by its owner only (chmod 600).
export OS_USERNAME=demo
export OS_PASSWORD=password
应用脚本
source admin-openrc.sh
openstack token issue