OpenStack系列(四):controller节点部署05【Keystone安装配置】
Keystone组件是云平台上的认证节点。OpenStack各个子项目单独提供着各自的相关服务,如nova提供计算服务,glance提供镜像服务,各个节点互不相干,但实际上组件之间的服务调用都要经过Keystone获取服务列表和服务端点。
1)在controller1创建keystone数据库
MariaDB [(none)]> CREATE DATABASE keystone;
2)在controller1上创建数据库用户及赋予权限
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'yjscloud';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yjscloud';
注意将yjscloud替换为自己的数据库密码
3)在三个节点上分别安装keystone和memcached
yum -y install openstack-keystone httpd mod_wsgi python-openstackclient mencached python-memcached openstack-utils
4)优化配置memcached
vim /etc/sysconfig/memcached
PORT="11211" #定义端口
USER="memcached" #定义运行memcache的用户
MAXCONN="8192" #定义最大连接数
CACHESIZE="1024" #定义最大内存使用值
OPTIONS="-l 127.0.0.1,::1,10.1.1.150 -t 4 -I 10m" # -l设置服务绑定ip,-t设置线程数,-I调整分配slab页的大小
scp -p /etc/sysconfig/memcached controller2:/etc/sysconfig/memcached
scp -p /etc/sysconfig/memcached controller3:/etc/sysconfig/memcached
注意!!!OPTIONS中的10.1.1.150改成各个节点对应的IP。
5)在三个节点上分别启动memcache服务并设置开机启动动
systemctl enable memcached.service
systemctl restart memcached.service
systemctl status memcached.service
6)配置/etc/keystone/keystone.conf
文件
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
>/etc/keystone/keystone.conf
openstack-config --set /etc/keystone/keystone.conf DEFAULT debug false
openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose true
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint http://blog.yjscloud.com:35357
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint http://blog.yjscloud.com:5000
openstack-config --set /etc/keystone/keystone.conf eventlet_server public_bind_host 10.1.1.150
openstack-config --set /etc/keystone/keystone.conf eventlet_server admin_bind_host 10.1.1.150
openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
openstack-config --set /etc/keystone/keystone.conf cache enabled true
openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller1:11211,controller2:11211,controller3:11211
openstack-config --set /etc/keystone/keystone.conf cache memcache_dead_retry 60
openstack-config --set /etc/keystone/keystone.conf cache memcache_socket_timeout 1
openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_maxsize 1000
openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_unused_timeout 60
openstack-config --set /etc/keystone/keystone.conf catalog template_file /etc/keystone/default_catalog.templates
openstack-config --set /etc/keystone/keystone.conf catalog driver sql
openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:yjscloud@blog.yjscloud.com/keystone
openstack-config --set /etc/keystone/keystone.conf database idle_timeout 3600
openstack-config --set /etc/keystone/keystone.conf database max_pool_size 30
openstack-config --set /etc/keystone/keystone.conf database ax_retries -1
openstack-config --set /etc/keystone/keystone.conf database max_overflow 60
openstack-config --set /etc/keystone/keystone.conf identity driver sql
openstack-config --set /etc/keystone/keystone.conf identity caching false
openstack-config --set /etc/keystone/keystone.conf fernet_tokens key_repository /etc/keystone/fernet-keys/
openstack-config --set /etc/keystone/keystone.conf fernet_tokens max_active_keys 3
openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211
openstack-config --set /etc/keystone/keystone.conf memcache dead_retry 60
openstack-config --set /etc/keystone/keystone.conf memcache socket_timeout 1
openstack-config --set /etc/keystone/keystone.conf memcache pool_maxsize 1000
openstack-config --set /etc/keystone/keystone.conf memcache pool_unused_timeout 60
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_hosts controller1:5672,controller2:5672,controller3:5672
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_userid openstack
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_password yjscloud
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_use_ssl false
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_ha_queues true
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_interval 1
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_backoff 2
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_max_retries 0
openstack-config --set /etc/keystone/keystone.conf token expiration 3600
openstack-config --set /etc/keystone/keystone.conf token caching False
openstack-config --set /etc/keystone/keystone.conf token provider fernet
scp到其他节点,注意更改对应的IP,keystone.conf的权限应该为root:keystone
scp -p /etc/keystone/keystone.conf controller2:/etc/keystone/keystone.conf
scp -p /etc/keystone/keystone.conf controller3:/etc/keystone/keystone.conf
7)配置httpd.conf文件
vim /etc/httpd/conf/httpd.conf
修改如下配置参数(三个节点都要改):
ServerName controller1 #如果是controller2那就写controller2
Listen 8080 #80->8080 haproxy里用了80,不修改启动不了
8)配置keystone与httpd结合
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5002
Listen 35358
<VirtualHost *:5002>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35358>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
把这个文件拷贝到另外两个节点上;
scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller2:/etc/httpd/conf.d/wsgi-keystone.conf
scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller3:/etc/httpd/conf.d/wsgi-keystone.conf
9)在controller1上设置数据库同步
su -s /bin/sh -c "keystone-manage db_sync" keystone #单行输出的警告信息可以忽略
10)三个节点都初始化fernet
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
11)同步三个节点fernet信息,在controller1上操作
scp -p /etc/keystone/fernet-keys/* controller2:/etc/keystone/fernet-keys/
scp -p /etc/keystone/fernet-keys/* controller3:/etc/keystone/fernet-keys/
scp -p /etc/keystone/credential-keys/* controller2:/etc/keystone/credential-keys/
scp -p /etc/keystone/credential-keys/* controller3:/etc/keystone/credential-keys/
12)三个节点启动httpd,并设置httpd开机启动
systemctl enable httpd.service
systemctl restart httpd.service
systemctl status httpd.service
systemctl list-unit-files |grep httpd.service
13)在controller1上创建admin用户角色
keystone-manage bootstrap \
--bootstrap-password yjscloud \
--bootstrap-username admin \
--bootstrap-project-name admin \
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id RegionOne \
--bootstrap-admin-url http://blog.yjscloud.com:35357/v3 \
--bootstrap-internal-url http://blog.yjscloud.com:35357/v3 \
--bootstrap-public-url http://blog.yjscloud.com:5000/v3
等haproxy列表中的对于服务全部启动时才可以执行下面的命令,否则会报错
这样,就可以在 openstack 命令行里使用 admin 账号登录了。
验证,测试是否已配置合理:
openstack project list --os-username admin --os-project-name admin --os-user-domain-id default --os-project-domain-id default --os-identity-api-version 3 --os-auth-url http://blog.yjscloud.com:5000 --os-password yjscloud
14)在controller1创建admin用户环境变量,创建/root/admin-openrc
文件并写入如下内容
vim /root/admin-openrc
添加以下内容:
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://blog.yjscloud.com:35357/v3
scp -p /root/admin-openrc controller2:/root/admin-openrc
scp -p /root/admin-openrc controller3:/root/admin-openrc
openstack endpoint list #查看endpoint,正常情况下是有三个keystone的endpoint
15)在controller1上创建service项目
source /root/admin-openrc
openstack project create --domain default --description "Service Project" service
16)在controller1上创建demo项目
openstack project create --domain default --description "Demo Project" demo
17)在controller1上创建demo用户
openstack user create --domain default demo --password yjscloud
# 注意:yjscloud为demo用户密码
18)在controller1创建user角色将demo用户赋予user角色
openstack role create user
openstack role add --project demo --user demo user
openstack user list #查看用户
19)在controller1上验证keystone
unset OS_TOKEN OS_URL
openstack --os-auth-url http://blog.yjscloud.com:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue --os-password yjscloud
openstack --os-auth-url http://blog.yjscloud.com:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue --os-password yjscloud
20)在controller1上创建demo用户环境变量,创建/root/demo-openrc
文件并写入下列内容:
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=demo
export OS_PROJECT_NAME=demo
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://blog.yjscloud.com:35357/v3
作者:废权
链接:https://blog.yjscloud.com/archives/101
声明:如无特别声明本文即为原创文章仅代表个人观点,版权归《废权的博客》所有,欢迎转载,转载请保留原文链接。


共有 0 条评论