openstack学习笔记六多节点部署之keystone - Openstack - 运维网 - Powered by Discuz! Archiver

论坛 › Openstack › openstack学习笔记六多节点部署之keystone

4532423 发表于 2016-7-6 09:08:39

openstack学习笔记六多节点部署之keystone

keystone 对用户进行验证，每个组件必须得实用一个用户向keystone进行注册，只有成功了，那么这个组件才能正常工作。所以当我们在创建其他组件的时候，也包括keystone本身，都得为这个组件创建一个用户名和密码

keystone也必须知道这些组件到底在什么地方，比如在那台主机上。

User住宾馆的人
Credentials开启房间的钥匙
Authentication宾馆为了拒绝不必要的人进出宾馆，专门设置的机制，只有拥有钥匙的人才能进出
Token也是一种钥匙，有点特别
Tenant宾馆
Service宾馆可以提供的服务类别，比如，饮食类，娱乐类
Endpoint具体的一种服务，比如吃烧烤，打羽毛球
RoleVIP 等级，VIP越高，享有越高的权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# sourcekeystonerc_admin
# keystoneendpoint-list
+----------------------------------+-----------+-------------------------------------------------+-------------------------------------------------+--------------------------------------------+----------------------------------+
|             id             | region|                publicurl                |                internalurl                |                adminurl                |          service_id          |
+----------------------------------+-----------+-------------------------------------------------+-------------------------------------------------+--------------------------------------------+----------------------------------+
| 03bf88d48e2648149242a571684fbfce | RegionOne |          http://192.168.1.201:9696          |          http://192.168.1.201:9696          |       http://192.168.1.201:9696       | 1100243c5a694bc5857218dd0543297b |
| 1b5ccdf306484fefadc63d1eeb20de5d | RegionOne |          http://127.0.0.1:8774/v3          |          http://127.0.0.1:8774/v3          |       http://127.0.0.1:8774/v3       | 4bda82ded4db46f68428d4e00247c14c |
| 2408bc6cb5164053b86c0983fd39961a | RegionOne | http://192.168.1.201:8080/v1/AUTH_%(tenant_id)s | http://192.168.1.201:8080/v1/AUTH_%(tenant_id)s |       http://192.168.1.201:8080       | 30c62c3c0797462a8bd4ff059a71296e |
| 432e655e85614a5eb69b7de5c5aacf34 | RegionOne | http://192.168.1.201:8776/v2/%(tenant_id)s | http://192.168.1.201:8776/v2/%(tenant_id)s | http://192.168.1.201:8776/v2/%(tenant_id)s | 5d60cb24769e403cb10bb70cb1077f2b |
| 4d5c1e505b30467c9966a5e5e93feef0 | RegionOne |          http://192.168.1.201:9292          |          http://192.168.1.201:9292          |       http://192.168.1.201:9292       | 87d30bb0dd8e44ccba00127f77831e9e |
| 8683d84884d74e7c8a73513260aec774 | RegionOne |          http://192.168.1.201:8080          |          http://192.168.1.201:8080          |       http://192.168.1.201:8080       | e6ced100d94e4f3b86cccfc82e12b83a |
| 8fa0e177bac746f79e229f16954506fb | RegionOne | http://192.168.1.201:8776/v1/%(tenant_id)s | http://192.168.1.201:8776/v1/%(tenant_id)s | http://192.168.1.201:8776/v1/%(tenant_id)s | dc75a046272548db99e1cbbe93c2025c |
| 9006207b29a04700922ee55905a7f445 | RegionOne | http://192.168.1.201:8774/v2/%(tenant_id)s | http://192.168.1.201:8774/v2/%(tenant_id)s | http://192.168.1.201:8774/v2/%(tenant_id)s | 1c9e6e4d00824327bfe4e8e7175317e1 |
| a9ec253a705c4b3c9848b5bed32e9768 | RegionOne | http://192.168.1.201:8773/services/Cloud | http://192.168.1.201:8773/services/Cloud |http://192.168.1.201:8773/services/Admin| 81bbcf83509a42e9a867914cde84e9d4 |
| bcab3bbc3281451494428315b24b0dba | RegionOne |          http://192.168.1.201:8777          |          http://192.168.1.201:8777          |       http://192.168.1.201:8777       | 8f54fc4364de49efbeb72020bf2aa176 |
| e3d9a4fa64bd441ea3fe143b1d72b8a4 | RegionOne |       http://192.168.1.201:5000/v2.0       |       http://192.168.1.201:5000/v2.0       |    http://192.168.1.201:35357/v2.0    | 02ce8247c5924913a73422bcf5275c40 |
+----------------------------------+-----------+-------------------------------------------------+-------------------------------------------------+--------------------------------------------+----------------------------------+

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# keystone service-list 服务
+----------------------------------+------------+--------------+--------------------------------+
|             id             | name | type |       description       |
+----------------------------------+------------+--------------+--------------------------------+
| 8f54fc4364de49efbeb72020bf2aa176 | ceilometer | metering | Openstack Metering Service |
| dc75a046272548db99e1cbbe93c2025c | cinder | volume |       Cinder Service       |
| 5d60cb24769e403cb10bb70cb1077f2b |cinderv2| volumev2 |    Cinder Service v2    |
| 87d30bb0dd8e44ccba00127f77831e9e | glance | image | OpenStack Image Service |
| 02ce8247c5924913a73422bcf5275c40 |keystone| identity | OpenStack Identity Service |
| 1100243c5a694bc5857218dd0543297b |neutron | network | Neutron Networking Service |
| 1c9e6e4d00824327bfe4e8e7175317e1 | nova | compute | Openstack Compute Service |
| 81bbcf83509a42e9a867914cde84e9d4 |nova_ec2| ec2    |       EC2 Service       |
| 4bda82ded4db46f68428d4e00247c14c | novav3 |computev3 |Openstack Compute Service v3|
| 30c62c3c0797462a8bd4ff059a71296e | swift | object-store | Openstack Object-Store Service |
| e6ced100d94e4f3b86cccfc82e12b83a |swift_s3|    s3    |    Openstack S3 Service    |
+----------------------------------+------------+--------------+--------------------------------+

1
2
3
4
5
6
7
8
9
# keystonerole-list          角色
+----------------------------------+---------------+
|             id             |    name |
+----------------------------------+---------------+
| 7455105a501842e097e7825257eb5be4 | ResellerAdmin |
| 5d2a5d2f80d442e09b9c3d514ded412e | SwiftOperator |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 794f590d02344bafb280f37ff29433ae | admin |
+----------------------------------+---------------+

1
2
3
4
5
6
7
8
#keystonerole-create--nametest1
+----------+----------------------------------+
| Property |          Value             |
+----------+----------------------------------+
| id | 467d36315d9c4e529e9400c606f8d7a2 |
| name |          test1             |
+----------+----------------------------------+
#keystonerole-deletetest1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# keystoneuser-list 用户
+----------------------------------+------------+---------+----------------------+
|             id             | name | enabled |    email       |
+----------------------------------+------------+---------+----------------------+
| 1627cc3d61c04f9db9608e9703a01371 | admin | True| root@localhost |
| 04247710cdf34914a7f5b315ab166731 | ceilometer | True| ceilometer@localhost |
| cb5e12e30a4a4c1dae57255c184b8b30 | cinder | True| cinder@localhost |
| 632fb20205ea4c40988d7d65b2844ff6 | glance | True| glance@localhost |
| 23c4fb48a5a247d68e50c6b74fb6f035 | http | True|                   |
| 80069f5c8edc454b8038e7f116df4ff5 |neutron | True|neutron@localhost |
| adbcaaf58d09495988b57be8e82b4e6b | nova | True| nova@localhost |
| 4f488ff4859e4973afefea6e7872ed83 | swift | True| swift@localhost |
+----------------------------------+------------+---------+----------------------+
#keystoneuser-create--name hequan--pass hequan--emailhequan2011@sina.com
+----------+----------------------------------+
| Property |          Value             |
+----------+----------------------------------+
|email |    hequan2011@sina.com    |
| enabled|             True             |
| id | 9d12907283b64b02a80f1e98074a9c84 |
| name |          hequan          |
| username |          hequan          |
+----------+----------------------------------+

1
2
3
4
#keystoneuser-get hequan          ##查看信息
#keystoneuser-delete hequan
#keystoneuser-password-update --passhequan1 hequan ##密码更新
# keystoneuser-role-add--user hequan--role_member_--tenant=http#划分角色和租户

1
2
3
4
5
6
7
8
# keystone tenant-list             租户
+----------------------------------+----------+---------+
|             id             | name | enabled |
+----------------------------------+----------+---------+
| 43986fb013804aa0a04ca277e4d0e69c |admin | True|
| 1af10fa8077e4b52b3427786bb15e968 | http | True|
| 842da711a1b740ddbf006a9f0a7ee116 | services | True|    ##内置服务默认都属于services
+----------------------------------+----------+---------+

1
2
3
4
5
6
7
8
9
10
# keystone tenant-create --name123 ###创建租户123
+-------------+----------------------------------+
| Property|          Value             |
+-------------+----------------------------------+
| description |                               |
| enabled |             True             |
|    id | c2a2e3aadf614bb08b1fc943157b668e |
| name |             123             |
+-------------+----------------------------------+
# keystone tenant-delete 123

配置安装keystone

[*]首先创建数据库

[*]使用token登陆keystone

[*]创建服务 endpoint

[*]创建用户

[*]关闭token登陆，使用admin登陆

基本环境

1
2
3
4
5
6
7
192.168.1.204    h4.hequan.com h4                   ##keystone

systemctl stop NetworkManager
systemctl disableNetworkManager

# yum install centos-release-openstack-liberty

1
2
3
4
5
6
7
8
9
# yum installopenstack-keystone openstack-utilsopenstack-selinux-y
# openstack-db --init --servicekeystone--rootpw123456 --passwordkeystone
keystone default DB is not mysql. Would you like to reset to mysql now? (y/n): y
mysql-server is not installed.Would you like to install it now? (y/n): y
mysqld is not running.Would you like to start it now? (y/n): y
Verified connectivity to MySQL.
Creating 'keystone' database.
Initializing the keystone database, please wait...
Complete!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# mysql -uroot -p123456
MariaDB [(none)]> show databases;

# openssl rand -hex 10
73fa731f6fa567630fdd

# pwd
/etc/keystone
# vim keystone.conf

admin_token = 73fa731f6fa567630fdd
rabbit_host = localhost
rabbit_port = 5672
rabbit_hosts = $rabbit_host:$rabbit_port
rabbit_use_ssl = false
rabbit_userid = guest
rabbit_password = guest
rabbit_login_method = AMQPLAIN
rabbit_virtual_host = /
connection = mysql://keystone:keystone@192.168.1.204/keystone       ###用到上面写的用户名和密码

启动服务

1
2
3
4
5
6
# systemctl list-unit-files| grep keyston
openstack-keystone.service          disabled

# systemctlstartopenstack-keystone.service
# systemctlenableopenstack-keystone.service

现在没有用户，只有token

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
cat keystone_token             ##创建文件
export SERVICE_TOKEN=73fa731f6fa567630fdd
export SERVICE_ENDPOINT=http://192.168.1.204:35357/ v2.0
export PS1='[\u@\h \W(keystone_token)]\$ '

source keystone_token

ps aux | grep keystone

keystone33431.51.6 321844 68704 ?    Ss 20:10 0:05 /usr/bin/python2 /usr/bin/keystone-all

netstat -lntup | grep 35357
tcp    0    0 0.0.0.0:35357       0.0.0.0:*             LISTEN    3343/python2

keystone service-list

# keystone service-create --name keystone --type identity--description="keystone"
+-------------+----------------------------------+
| Property|          Value             |
+-------------+----------------------------------+
| description |          keystone          |
| enabled |             True             |
|    id | e0c6163cb7dd42098225f13a3fa4220e |
| name |          keystone          |
| type |          identity          |
+-------------+----------------------------------+

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# keystoneendpoint-create--service-ide0c6163cb7dd42098225f13a3fa4220e--publicurl''--internalurl''--adminurl''
可以找一个模板去抄

# keystoneendpoint-list
+----------------------------------+-----------+-------------------------------------------------+-------------------------------------------------+--------------------------------------------+----------------------------------+
|             id             | region|                publicurl                |                internalurl                |                adminurl                |          service_id          |
+----------------------------------+-----------+-------------------------------------------------+-------------------------------------------------+--------------------------------------------+----------------------------------+
| e3d9a4fa64bd441ea3fe143b1d72b8a4 | RegionOne |       http://192.168.1.201:5000/v2.0       |       http://192.168.1.201:5000/v2.0       |    http://192.168.1.201:35357/v2.0    | 02ce8247c5924913a73422bcf5275c40 |
# keystone service-list
| 02ce8247c5924913a73422bcf5275c40 |keystone| identity | OpenStack Identity Service |

# keystoneendpoint-create--service-ide0c6163cb7dd42098225f13a3fa4220e--publicurl'http://192.168.1.201:5000/v2.0'--internalurl''--adminurl'' --publicurl'http://192.168.1.204:5000/v2.0'--internalurl'http://192.168.1.204:5000/v2.0'--adminurl'http://192.168.1.204:35357/v2.0'
+-------------+----------------------------------+
| Property|          Value             |
+-------------+----------------------------------+
| adminurl| http://192.168.1.204:35357/v2.0|
|    id | 810e5faef22f44aebd17f55d1808e3c5 |
| internalurl |http://192.168.1.204:5000/v2.0|
|publicurl|http://192.168.1.204:5000/v2.0|
| region |          regionOne          |
|service_id | e0c6163cb7dd42098225f13a3fa4220e |
+-------------+----------------------------------+

创建管理员

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# keystone tenant-create--nameadmin
+-------------+----------------------------------+
| Property|          Value             |
+-------------+----------------------------------+
| description |                               |
| enabled |             True             |
|    id | 3a331dd90062458b8fcc259ce84be0e5 |
| name |          admin             |
+-------------+----------------------------------+
# keystone role-create --name admin
+----------+----------------------------------+
| Property |          Value             |
+----------+----------------------------------+
| id | c63ed09a433144108a23a592632e2e08 |
| name |          admin             |
+----------+----------------------------------+

# keystoneuser-create --name admin --pass 123456
+----------+----------------------------------+
| Property |          Value             |
+----------+----------------------------------+
|email |                               |
| enabled|             True             |
| id | 172b6a61991e4fbeafe9039688eb2afc |
| name |          admin             |
| username |          admin             |
+----------+----------------------------------+

# keystoneuser-role-add--user admin --tenant admin --role admin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# cp keystone_token keystone_token_admin
# cat keystone_token_admin
unset SERVICE_TOKEN
unset SERVICE_ENDPOINT
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://192.168.1.204:35357/v2.0
export PS1='[\u@\h \W(keystone_admin)]\$ '

# keystone user-list       ##可以看到就表示成功了
+----------------------------------+-------+---------+-------+
|             id             |name | enabled | email |
+----------------------------------+-------+---------+-------+
| 172b6a61991e4fbeafe9039688eb2afc | admin | True|    |
+----------------------------------+-------+---------+-------+

关闭token验证

1
2
12 #admin_token = 73fa731f6fa567630fdd
13

至此安装完成。

lgp2016 发表于 2016-7-8 11:12:43

写的太乱了，一点格式都没有

页: [1]

查看完整版本: openstack学习笔记六多节点部署之keystone