OpenStack系列（四）：controller节点部署05【Keystone安装配置】

Keystone组件是云平台上的认证节点。OpenStack各个子项目单独提供着各自的相关服务，如nova提供计算服务，glance提供镜像服务，各个节点互不相干，但实际上组件之间的服务调用都要经过Keystone获取服务列表和服务端点。

1）在controller1创建keystone数据库

MariaDB [(none)]> CREATE DATABASE keystone;

2）在controller1上创建数据库用户及赋予权限

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'yjscloud';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yjscloud';

注意将yjscloud替换为自己的数据库密码

3）在三个节点上分别安装keystone和memcached

yum -y install openstack-keystone httpd mod_wsgi python-openstackclient mencached python-memcached openstack-utils

4）优化配置memcached

vim /etc/sysconfig/memcached

PORT="11211"       #定义端口
USER="memcached"       #定义运行memcache的用户
MAXCONN="8192"       #定义最大连接数
CACHESIZE="1024"       #定义最大内存使用值
OPTIONS="-l 127.0.0.1,::1,10.1.1.150 -t 4 -I 10m"    # -l设置服务绑定ip，-t设置线程数，-I调整分配slab页的大小

scp -p /etc/sysconfig/memcached controller2:/etc/sysconfig/memcached
scp -p /etc/sysconfig/memcached controller3:/etc/sysconfig/memcached

注意！！！OPTIONS中的10.1.1.150改成各个节点对应的IP。

5）在三个节点上分别启动memcache服务并设置开机启动动

systemctl enable memcached.service
systemctl restart memcached.service
systemctl status memcached.service

6）配置/etc/keystone/keystone.conf文件

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
>/etc/keystone/keystone.conf
openstack-config --set /etc/keystone/keystone.conf DEFAULT debug false
openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose true
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint http://blog.yjscloud.com:35357
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint http://blog.yjscloud.com:5000
openstack-config --set /etc/keystone/keystone.conf eventlet_server public_bind_host 10.1.1.150
openstack-config --set /etc/keystone/keystone.conf eventlet_server admin_bind_host 10.1.1.150
openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
openstack-config --set /etc/keystone/keystone.conf cache enabled true
openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller1:11211,controller2:11211,controller3:11211
openstack-config --set /etc/keystone/keystone.conf cache memcache_dead_retry 60
openstack-config --set /etc/keystone/keystone.conf cache memcache_socket_timeout 1
openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_maxsize 1000
openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_unused_timeout 60
openstack-config --set /etc/keystone/keystone.conf catalog template_file /etc/keystone/default_catalog.templates
openstack-config --set /etc/keystone/keystone.conf catalog driver sql
openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:yjscloud@blog.yjscloud.com/keystone
openstack-config --set /etc/keystone/keystone.conf database idle_timeout 3600
openstack-config --set /etc/keystone/keystone.conf database max_pool_size 30
openstack-config --set /etc/keystone/keystone.conf database ax_retries -1
openstack-config --set /etc/keystone/keystone.conf database max_overflow 60
openstack-config --set /etc/keystone/keystone.conf identity driver sql
openstack-config --set /etc/keystone/keystone.conf identity caching false
openstack-config --set /etc/keystone/keystone.conf fernet_tokens key_repository /etc/keystone/fernet-keys/
openstack-config --set /etc/keystone/keystone.conf fernet_tokens max_active_keys 3
openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211
openstack-config --set /etc/keystone/keystone.conf memcache dead_retry 60
openstack-config --set /etc/keystone/keystone.conf memcache socket_timeout 1
openstack-config --set /etc/keystone/keystone.conf memcache pool_maxsize 1000
openstack-config --set /etc/keystone/keystone.conf memcache pool_unused_timeout 60
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_hosts controller1:5672,controller2:5672,controller3:5672
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_userid openstack
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_password yjscloud 
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_use_ssl false
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_ha_queues true
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_interval 1
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_backoff 2
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_max_retries 0
openstack-config --set /etc/keystone/keystone.conf token expiration 3600
openstack-config --set /etc/keystone/keystone.conf token caching False
openstack-config --set /etc/keystone/keystone.conf token provider fernet

scp到其他节点，注意更改对应的IP，keystone.conf的权限应该为root:keystone

scp -p /etc/keystone/keystone.conf controller2:/etc/keystone/keystone.conf
scp -p /etc/keystone/keystone.conf controller3:/etc/keystone/keystone.conf

7）配置httpd.conf文件

vim /etc/httpd/conf/httpd.conf

修改如下配置参数（三个节点都要改）：

ServerName controller1    #如果是controller2那就写controller2
Listen 8080 #80->8080 haproxy里用了80，不修改启动不了

8）配置keystone与httpd结合

vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5002
Listen 35358

<VirtualHost *:5002>
   WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
          Require all granted
    </Directory>  
</VirtualHost>

<VirtualHost *:35358>
      WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
      WSGIProcessGroup keystone-admin
      WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
      ErrorLogFormat "%{cu}t %M"
      ErrorLog /var/log/httpd/keystone-error.log
      CustomLog /var/log/httpd/keystone-access.log combined
      <Directory /usr/bin>
            Require all granted
      </Directory>
</VirtualHost>

把这个文件拷贝到另外两个节点上;

scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller2:/etc/httpd/conf.d/wsgi-keystone.conf
scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller3:/etc/httpd/conf.d/wsgi-keystone.conf

9）在controller1上设置数据库同步

su -s /bin/sh -c "keystone-manage db_sync" keystone #单行输出的警告信息可以忽略

10）三个节点都初始化fernet

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

11）同步三个节点fernet信息，在controller1上操作

scp -p /etc/keystone/fernet-keys/* controller2:/etc/keystone/fernet-keys/
scp -p /etc/keystone/fernet-keys/* controller3:/etc/keystone/fernet-keys/
scp -p /etc/keystone/credential-keys/* controller2:/etc/keystone/credential-keys/
scp -p /etc/keystone/credential-keys/* controller3:/etc/keystone/credential-keys/

12）三个节点启动httpd，并设置httpd开机启动

systemctl enable httpd.service
systemctl restart httpd.service
systemctl status httpd.service
systemctl list-unit-files |grep httpd.service

13）在controller1上创建admin用户角色

keystone-manage bootstrap \
--bootstrap-password yjscloud \
--bootstrap-username admin \
--bootstrap-project-name admin \
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id RegionOne \
--bootstrap-admin-url http://blog.yjscloud.com:35357/v3 \
--bootstrap-internal-url http://blog.yjscloud.com:35357/v3 \
--bootstrap-public-url http://blog.yjscloud.com:5000/v3

等haproxy列表中的对于服务全部启动时才可以执行下面的命令，否则会报错
这样，就可以在 openstack 命令行里使用 admin 账号登录了。

验证，测试是否已配置合理：

openstack project list --os-username admin --os-project-name admin --os-user-domain-id default --os-project-domain-id default --os-identity-api-version 3 --os-auth-url http://blog.yjscloud.com:5000 --os-password yjscloud

14）在controller1创建admin用户环境变量，创建/root/admin-openrc 文件并写入如下内容

vim /root/admin-openrc

添加以下内容：

export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://blog.yjscloud.com:35357/v3

scp -p /root/admin-openrc controller2:/root/admin-openrc
scp -p /root/admin-openrc controller3:/root/admin-openrc
openstack endpoint list    #查看endpoint，正常情况下是有三个keystone的endpoint

15）在controller1上创建service项目

source /root/admin-openrc
openstack project create --domain default --description "Service Project" service

16）在controller1上创建demo项目

openstack project create --domain default --description "Demo Project" demo

17）在controller1上创建demo用户

openstack user create --domain default demo --password yjscloud
# 注意：yjscloud为demo用户密码

18）在controller1创建user角色将demo用户赋予user角色

openstack role create user
openstack role add --project demo --user demo user
openstack user list   #查看用户

19）在controller1上验证keystone

unset OS_TOKEN OS_URL

openstack --os-auth-url http://blog.yjscloud.com:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue --os-password yjscloud

openstack --os-auth-url http://blog.yjscloud.com:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue --os-password yjscloud

20）在controller1上创建demo用户环境变量，创建/root/demo-openrc文件并写入下列内容：

export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=demo
export OS_PROJECT_NAME=demo
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://blog.yjscloud.com:35357/v3