OpenStack系列(四):controller节点部署05【Keystone安装配置】

Keystone是OpenStack的身份认证服务(Identity Service):负责用户/项目/域的管理与认证、token的签发与校验、基于角色的授权,并维护服务目录(service catalog)。nova(计算)、glance(镜像)等各子项目各自独立提供服务,彼此并不直接感知,但组件之间的调用都要先经Keystone认证,并从Keystone的服务目录中获取服务列表和服务端点(endpoint)。

1)在controller1创建keystone数据库

-- Run on controller1 only; the other controllers reach the same database through the
-- blog.yjscloud.com address configured in keystone.conf (step 6, [database] connection).
MariaDB [(none)]> CREATE DATABASE keystone;

2)在controller1上创建数据库用户及赋予权限

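-- Grant keystone access to its own database only. The original second grant used
-- 'keystone'@'%' (any host); restricting the host part to the controllers' management
-- subnet (10.1.1.0/24 on this page) limits where a leaked password can be used from.
-- Widen it only if the controllers/haproxy connect from another subnet.
-- Replace yjscloud with a strong password that is unique to this service.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'yjscloud';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'10.1.1.%' IDENTIFIED BY 'yjscloud';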

注意将yjscloud替换为自己的数据库密码(后面keystone.conf的database connection中要填同一个密码);请使用足够强度且与其他服务不同的密码,不要在生产环境沿用本文的示例密码。

3)在三个节点上分别安装keystone和memcached

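# Install keystone, httpd/mod_wsgi, the client and memcached on all three controllers.
# Package name corrected: the original had "mencached"; with an unknown package name
# `yum -y install` aborts and none of the listed packages get installed.
yum -y install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached openstack-utils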

4)优化配置memcached

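vim /etc/sysconfig/memcached
# /etc/sysconfig/memcached — memcached has no authentication: anyone who can reach port 11211
# can read or poison what keystone caches. Bind it only to loopback and this node's management
# IP, restrict 11211 to the controllers with a firewall, and disable the UDP listener (-U 0),
# which keystone does not use and which is a well-known reflection/amplification vector.
PORT="11211"          # listening port
USER="memcached"      # unprivileged user the daemon runs as
MAXCONN="8192"        # maximum simultaneous connections
CACHESIZE="1024"      # cache size in MB
# -l bind addresses (10.1.1.150 must be changed to each node's own IP), -U 0 no UDP,
# -t worker threads, -I slab page size
OPTIONS="-l 127.0.0.1,::1,10.1.1.150 -U 0 -t 4 -I 10m"
# Copy to the other controllers, then edit the -l address on each of them.
scp -p /etc/sysconfig/memcached controller2:/etc/sysconfig/memcached
scp -p /etc/sysconfig/memcached controller3:/etc/sysconfig/memcached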

注意!!!OPTIONS中的10.1.1.150改成各个节点对应的IP。

5)在三个节点上分别启动memcached服务并设置开机启动

# Enable memcached at boot, (re)start it now and confirm it is running — repeat on each node.
svc=memcached.service
systemctl enable "$svc"
systemctl restart "$svc"
systemctl status "$svc"

6)配置/etc/keystone/keystone.conf文件

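# Rebuild /etc/keystone/keystone.conf from scratch (the packaged file is kept as .bak).
# Every "yjscloud" below is a placeholder for a real password. They are passed on the
# command line (visible in shell history and `ps`) and stored in the file, so the file
# must stay root:keystone 0640 and the example values must not be reused in production.
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
>/etc/keystone/keystone.conf
cfg=/etc/keystone/keystone.conf
set_opt() { openstack-config --set "$cfg" "$@"; }   # usage: set_opt SECTION KEY VALUE

# Keep debug off outside troubleshooting: debug logging can include tokens and credentials.
set_opt DEFAULT debug false
set_opt DEFAULT verbose true
# Endpoints point at the haproxy VIP. They are plain http, so tokens and passwords travel
# unencrypted unless TLS is terminated in front of keystone.
set_opt DEFAULT admin_endpoint http://blog.yjscloud.com:35357
set_opt DEFAULT public_endpoint http://blog.yjscloud.com:5000
# Per-node IP: change to the node's own address on controller2/3. These keys belong to the
# legacy eventlet server; under httpd/mod_wsgi (step 8) the bind address comes from the
# vhost — NOTE(review): confirm they are still honoured by the deployed keystone version.
set_opt eventlet_server public_bind_host 10.1.1.150
set_opt eventlet_server admin_bind_host 10.1.1.150
# Cache shared across the three controllers (memcached is unauthenticated — see step 4).
set_opt cache backend oslo_cache.memcache_pool
set_opt cache enabled true
set_opt cache memcache_servers controller1:11211,controller2:11211,controller3:11211
set_opt cache memcache_dead_retry 60
set_opt cache memcache_socket_timeout 1
set_opt cache memcache_pool_maxsize 1000
set_opt cache memcache_pool_unused_timeout 60
set_opt catalog template_file /etc/keystone/default_catalog.templates
set_opt catalog driver sql
# DB password embedded in the URL; must match the GRANT from step 2.
set_opt database connection mysql://keystone:yjscloud@blog.yjscloud.com/keystone
set_opt database idle_timeout 3600
set_opt database max_pool_size 30
# Was "ax_retries" in the original: a mistyped key is accepted by openstack-config but
# silently ignored by keystone, so the intended unlimited-retry setting never took effect.
set_opt database max_retries -1
set_opt database max_overflow 60
set_opt identity driver sql
set_opt identity caching false
# Fernet key repository; all three nodes must hold the same keys (synced in step 11).
set_opt fernet_tokens key_repository /etc/keystone/fernet-keys/
set_opt fernet_tokens max_active_keys 3
set_opt memcache servers controller1:11211,controller2:11211,controller3:11211
set_opt memcache dead_retry 60
set_opt memcache socket_timeout 1
set_opt memcache pool_maxsize 1000
set_opt memcache pool_unused_timeout 60
set_opt oslo_messaging_rabbit rabbit_hosts controller1:5672,controller2:5672,controller3:5672
set_opt oslo_messaging_rabbit rabbit_userid openstack
set_opt oslo_messaging_rabbit rabbit_password yjscloud
# With rabbit_use_ssl false the broker credentials and RPC traffic are sent in clear text
# on the management network; switch it on if the broker is set up with TLS.
set_opt oslo_messaging_rabbit rabbit_use_ssl false
set_opt oslo_messaging_rabbit rabbit_ha_queues true
set_opt oslo_messaging_rabbit rabbit_retry_interval 1
set_opt oslo_messaging_rabbit rabbit_retry_backoff 2
set_opt oslo_messaging_rabbit rabbit_max_retries 0
set_opt token expiration 3600
set_opt token caching False
set_opt token provider fernet

# The file now holds two passwords: make sure only root and the keystone group can read it.
chown root:keystone "$cfg"
chmod 640 "$cfg"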

scp到其他节点,注意更改对应的IP(eventlet_server下的两个bind_host);keystone.conf中含有数据库和RabbitMQ的密码,拷贝后确认各节点上该文件属主为root:keystone、权限为640。

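# keystone.conf carries the DB and RabbitMQ passwords. scp -p preserves the mode but not the
# owner, so re-assert root:keystone 0640 on each target after copying. Remember to edit the
# eventlet_server bind_host values on controller2/3 to their own IPs.
for node in controller2 controller3; do
  scp -p /etc/keystone/keystone.conf "$node":/etc/keystone/keystone.conf
  ssh "$node" 'chown root:keystone /etc/keystone/keystone.conf && chmod 640 /etc/keystone/keystone.conf'
done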

7)配置httpd.conf文件

vim /etc/httpd/conf/httpd.conf

修改如下配置参数(三个节点都要改):

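# Apache does not accept a comment after a directive on the same line: as written in the
# original ("ServerName controller1    #...", "Listen 8080 #...") the extra words are parsed
# as arguments and httpd refuses to start. Keep the notes on their own lines.
# Use the node's own hostname: controller2 on controller2, controller3 on controller3.
ServerName controller1
# 80 -> 8080: haproxy already binds port 80 on the controllers, so httpd cannot start on 80.
Listen 8080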

8)配置keystone与httpd结合

vim /etc/httpd/conf.d/wsgi-keystone.conf
# Two mod_wsgi vhosts for keystone. They listen on 5002/35358 rather than the usual
# 5000/35357 because haproxy owns 5000/35357 on the VIP and forwards to these ports.
# Both run the application as the unprivileged keystone user and share one pair of logs.
Listen 5002
Listen 35358

# Public API
<VirtualHost *:5002>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    # Hand the HTTP Authorization header through to keystone instead of letting Apache consume it.
    WSGIPassAuthorization On
    ErrorLog /var/log/httpd/keystone-error.log
    ErrorLogFormat "%{cu}t %M"
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

# Admin API
<VirtualHost *:35358>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLog /var/log/httpd/keystone-error.log
    ErrorLogFormat "%{cu}t %M"
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

把这个文件拷贝到另外两个节点上;

# Distribute the keystone vhost config to the other two controllers (identical on all nodes).
for node in controller2 controller3; do
  scp -p /etc/httpd/conf.d/wsgi-keystone.conf "$node":/etc/httpd/conf.d/wsgi-keystone.conf
done

9)在controller1上设置数据库同步

# Populate the keystone schema — run once, on controller1 only, as the keystone user
# (the single warning line it prints can be ignored).
su keystone -s /bin/sh -c "keystone-manage db_sync"

10)三个节点都初始化fernet

# Create the fernet (token signing) and credential key repositories owned by keystone.
# Running this on every node gives each one the directories; step 11 then overwrites
# their contents with controller1's keys so all nodes share a single key set.
for setup in fernet_setup credential_setup; do
  keystone-manage "$setup" --keystone-user keystone --keystone-group keystone
done

11)同步三个节点fernet信息,在controller1上操作

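# Fernet and credential keys are the secrets every node uses to sign and validate tokens;
# all three nodes must hold an identical key set or tokens issued by one node are rejected
# by the others. Copy from controller1 and re-assert ownership/permissions on each target
# (scp does not preserve the owner; the repositories must be readable by keystone only).
for node in controller2 controller3; do
  scp -p /etc/keystone/fernet-keys/* "$node":/etc/keystone/fernet-keys/
  scp -p /etc/keystone/credential-keys/* "$node":/etc/keystone/credential-keys/
  ssh "$node" 'chown -R keystone:keystone /etc/keystone/fernet-keys /etc/keystone/credential-keys \
    && chmod 700 /etc/keystone/fernet-keys /etc/keystone/credential-keys \
    && chmod 600 /etc/keystone/fernet-keys/* /etc/keystone/credential-keys/*'
done
# NOTE: any later key rotation (keystone-manage fernet_rotate) must be run on ONE node and the
# repository re-copied the same way; rotating independently on each node breaks token validation.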

12)三个节点启动httpd,并设置httpd开机启动

# Enable httpd (which now serves keystone) at boot, start it and check it — on all three nodes.
svc=httpd.service
systemctl enable "$svc"
systemctl restart "$svc"
systemctl status "$svc"
systemctl list-unit-files | grep "$svc"

13)在controller1上创建admin用户角色

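# Bootstrap the admin user/project/role and the keystone service + endpoints.
# Run on controller1 only. The admin password is supplied through OS_BOOTSTRAP_PASSWORD
# (which keystone-manage bootstrap reads) instead of --bootstrap-password, so it does not
# land in shell history or the process list.
read -rsp 'admin password: ' OS_BOOTSTRAP_PASSWORD; echo
export OS_BOOTSTRAP_PASSWORD
keystone-manage bootstrap \
  --bootstrap-username admin \
  --bootstrap-project-name admin \
  --bootstrap-role-name admin \
  --bootstrap-service-name keystone \
  --bootstrap-region-id RegionOne \
  --bootstrap-admin-url http://blog.yjscloud.com:35357/v3 \
  --bootstrap-internal-url http://blog.yjscloud.com:35357/v3 \
  --bootstrap-public-url http://blog.yjscloud.com:5000/v3
unset OS_BOOTSTRAP_PASSWORD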

等haproxy状态页中对应的后端(keystone的5000/35357,以及数据库)全部处于UP状态后才可以执行下面的命令,否则会报错。
这样,就可以在 openstack 命令行里使用 admin 账号登录了。

验证,测试是否已配置合理:

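# Verify the bootstrap through the public endpoint. The password is read into OS_PASSWORD
# (honoured by the openstack client) instead of being passed as --os-password, which would
# be visible in shell history and the process list.
read -rsp 'admin password: ' OS_PASSWORD; echo; export OS_PASSWORD
openstack project list --os-username admin --os-project-name admin --os-user-domain-id default --os-project-domain-id default --os-identity-api-version 3 --os-auth-url http://blog.yjscloud.com:5000
unset OS_PASSWORD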

8-1-20

14)在controller1创建admin用户环境变量,创建/root/admin-openrc 文件并写入如下内容

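# /root/admin-openrc stores the admin password in clear text: create it root-only and treat
# it (and its copies on controller2/3) as a secret. The openstack client reads these OS_* vars.
cat > /root/admin-openrc <<'EOF'
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://blog.yjscloud.com:35357/v3
EOF
chmod 600 /root/admin-openrc
for node in controller2 controller3; do
  scp -p /root/admin-openrc "$node":/root/admin-openrc
done
# The credentials must be in the environment before the client can list anything
# (the original ran `openstack endpoint list` without sourcing the file first).
source /root/admin-openrc
openstack endpoint list    # expect the three keystone endpoints created by bootstrap (admin/internal/public)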

15)在controller1上创建service项目

# Load the admin credentials, then create the project that service accounts will live in.
. /root/admin-openrc
openstack project create service --domain default --description "Service Project"

16)在controller1上创建demo项目

# Create the unprivileged demo project in the default domain.
openstack project create demo --domain default --description "Demo Project"

17)在controller1上创建demo用户

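# Create the demo user. --password-prompt asks for the password interactively so it does not
# end up in shell history or the process list (the original passed yjscloud via --password).
openstack user create --domain default --password-prompt demo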

8-1-21

18)在controller1创建user角色将demo用户赋予user角色

# Define the plain "user" role and give it to demo on the demo project, then list users to check.
openstack role create user
openstack role add user --project demo --user demo
openstack user list

8-1-22

19)在controller1上验证keystone

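# Make sure no leftover token/URL variables short-circuit password authentication.
unset OS_TOKEN OS_URL

# Request a token as admin (admin endpoint) and as demo (public endpoint). Passwords are read
# into OS_PASSWORD instead of being passed with --os-password, which would be visible in
# shell history and the process list.
read -rsp 'admin password: ' OS_PASSWORD; echo; export OS_PASSWORD
openstack --os-auth-url http://blog.yjscloud.com:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue

read -rsp 'demo password: ' OS_PASSWORD; echo; export OS_PASSWORD
openstack --os-auth-url http://blog.yjscloud.com:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
unset OS_PASSWORD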

8-1-23

20)在controller1上创建demo用户环境变量,创建/root/demo-openrc文件并写入下列内容:

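# /root/demo-openrc — clear-text credentials for the unprivileged demo user; keep it root-only.
cat > /root/demo-openrc <<'EOF'
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=demo
export OS_PROJECT_NAME=demo
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
# demo is a regular user: authenticate against the public endpoint (5000), as in the
# token-issue check in step 19, rather than the admin endpoint (35357) the original used.
export OS_AUTH_URL=http://blog.yjscloud.com:5000/v3
EOF
chmod 600 /root/demo-openrc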
|| 版权声明
作者:废权
链接:https://blog.yjscloud.com/archives/101
声明:如无特别声明本文即为原创文章仅代表个人观点,版权归《废权的博客》所有,欢迎转载,转载请保留原文链接。