OpenStack 学习笔记(三):OpenStack keystone服务搭建
——先决条件
1.)创建数据库
注:示例中数据库口令与用户名同为 keystone,仅适合演示;实际部署应换成强随机口令,并把 'keystone'@'%' 收窄到确需连接数据库的主机。
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
——keystone服务搭建配置
1.)安装keystone服务
# yum -y install openstack-keystone python-keystoneclient httpd mod_wsgi
2.)初始化keys
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
3.)配置keystone服务
# openssl rand -hex 10
3f554e582cefe3462106
# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
# vim /etc/keystone/keystone.conf
1: [DEFAULT]
13: admin_token = 3f554e582cefe3462106
526: [database]
549: connection = mysql://keystone:keystone@localhost:3306/keystone
2005: provider = fernet
4.)同步数据库
# keystone-manage db_sync
# mysql -ukeystone -pkeystone -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| mapping |
| migrate_version |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership|
| whitelisted_config |
+------------------------+
5.)配置 Apache service
# vim /etc/httpd/conf/httpd.conf
95: ServerName openstack
# vim /etc/httpd/conf.d/wsgi-keystone.conf
1:Listen 5000
2:Listen 35357
3:
4:<VirtualHost *:5000>
5: WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
6: WSGIProcessGroup keystone-public
7: WSGIScriptAlias / /usr/bin/keystone-wsgi-public
8: WSGIApplicationGroup %{GLOBAL}
9: WSGIPassAuthorization On
10: ErrorLogFormat "%{cu}t %M"
11: ErrorLog /var/log/httpd/keystone-error.log
12: CustomLog /var/log/httpd/keystone-access.log combined
13:
14: <Directory /usr/bin>
15: Require all granted
16: </Directory>
17:</VirtualHost>
18:
19:<VirtualHost *:35357>
20: WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
21: WSGIProcessGroup keystone-admin
22: WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
23: WSGIApplicationGroup %{GLOBAL}
24: WSGIPassAuthorization On
25: ErrorLogFormat "%{cu}t %M"
26: ErrorLog /var/log/httpd/keystone-error.log
27: CustomLog /var/log/httpd/keystone-access.log combined
28:
29: <Directory /usr/bin>
30: Require all granted
31: </Directory>
32:</VirtualHost>
# chown -R keystone:keystone /var/log/keystone
# systemctl enable httpd.service
# systemctl start httpd.service
# systemctl status httpd.service
# netstat -antup|grep httpd|grep LISTEN
tcp6 0 0 :::5000 :::* LISTEN 4612/httpd
tcp6 0 0 :::80 :::* LISTEN 4612/httpd
tcp6 0 0 :::35357 :::* LISTEN 4612/httpd
6.)设置临时admin token
注:OS_TOKEN 即 keystone.conf 中的 admin_token,持有它即拥有完全管理权限;示例端点为明文 HTTP,应只在受信任的管理网络中这样操作。
# export OS_TOKEN=3f554e582cefe3462106
# export OS_URL=http://192.168.100.120:35357/v3
# export OS_IDENTITY_API_VERSION=3
7.)Create the service entity and API endpoints
7.1)Create the service entity for the Identity service
# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | de06d252af684090b3568cac0f65cbb8 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
7.2)Create the Identity service API endpoints
# openstack endpoint create --region RegionOne identity public http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9455f80c88cb4a188febacde56aaaff0 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.100.120:5000/v3 |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne identity internal http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 24c58182056a493a801d3717ed287d07 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.100.120:5000/v3 |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne identity admin http://192.168.100.120:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7e71ee55d7614341837c07d4552b29f7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.100.120:35357/v3|
+--------------+----------------------------------+
8.)创建domain projects users 和 roles
8.1)Create the default domain
# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | d68aa40d66034dc89a3b2d896e86477d |
| name | default |
+-------------+----------------------------------+
8.2)创建一个管理项目(project),用户(user)和角色(role)来管理操作当前环境
8.2.1)Create the admin project
# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | e4f62edc6ed547109768b515be56044a |
| is_domain | False |
| name | admin |
| parent_id | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.2.2)Create the admin user
注:--password 会把口令留在 shell 历史和进程参数列表中,可改用 --password-prompt 交互输入。
# openstack user create --domain default --password admin_passwd admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | 6f4087ac3ed341b0855e7dec830cf65d |
| name | admin |
+-----------+----------------------------------+
8.2.3)Create the admin role
# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | b3b1f608b109465bb9b96a4b0320dfdb |
| name | admin |
+-----------+----------------------------------+
8.2.4)Add the admin role to the admin project and user
# openstack role add --project admin --user admin admin
8.3)Create the service project
# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | 51600729375b45b480ad7d0d7b0e8a3c |
| is_domain | False |
| name | service |
| parent_id | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4) Create the demo project
# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | a66c04b887774bca86161003fdb4a33a |
| is_domain | False |
| name | demo |
| parent_id | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4.1) Create the demo user
# openstack user create --domain default --password demo_passwd demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | d5b1553154e942d6b513f8c706bf374f |
| name | demo |
+-----------+----------------------------------+
8.4.2)Create the demo role
# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 242935dcb84840fb9f127f27ffd5e765 |
| name | user |
+-----------+----------------------------------+
8.4.3)Add the user role to the demo project and user
# openstack role add --project demo --user demo user
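9.)验证操作
注:下面的 unset 只是取消 OS_TOKEN、OS_URL 两个环境变量,keystone.conf 里的 admin_token 依然有效;验证通过后应从 keystone 的 paste 管道配置(如 keystone-paste.ini,文件位置随发行版和版本而不同)中移除 admin_token_auth,停用这一临时令牌机制。另外,省略 --os-password 时客户端会提示输入口令,可避免口令进入 shell 历史。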
# unset OS_TOKEN OS_URL
# openstack \
--os-auth-url http://192.168.100.120:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin \
--os-password admin_passwd \
token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-05-26T04:51:35.701908Z |
| id | gAAAAABXRnLH0FzjXcBrcDEj_GGVMyFCjxH1t4SdAEJyI06vFJAV699czB03nQ-B |
| | -wn3tzXHjYuJ1Mp5BoYNbj9B0EUsFYlZ1IyYM0EQ6coa7pHsKEVeXVhVTROVOPMmaYZspcnKMhnWwaiWq7OIOAv5YMmUDlYSqSi1ZjqDThqHAq-Z1dhUb6w |
| project_id | e4f62edc6ed547109768b515be56044a |
| user_id | 6f4087ac3ed341b0855e7dec830cf65d |
+------------+----------------------------------------------------------------------------------------------------------------------------+
# openstack \
--os-auth-url http://192.168.100.120:5000/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin \
--os-password admin_passwd \
token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-05-26T04:53:35.489593Z |
| id | gAAAAABXRnM_CMNnU2fc8gFUnM9Fj3Ooxr4RwnYG4gUXvsZQPOUVDweCGldl8f1WkB4xq0u3-uEKEBSIkC- |
| | WuBGQhRN4S8Nef7Y0FlKohIM3P3HXQnjieMVr1_ze5UovQYsCVWh8-ObQFiK0zNrKSZ0rwwl-TdOygpeUxh8QOyAyyZJeQgmuGMc |
| project_id | e4f62edc6ed547109768b515be56044a |
| user_id | 6f4087ac3ed341b0855e7dec830cf65d |
+------------+----------------------------------------------------------------------------------------------------------------------------+
10.)创建admin环境变量
# vim admin-openrc
# Admin credentials for the OpenStack CLI; load them with `. admin-openrc`.
# NOTE(review): OS_PASSWORD is kept here in plaintext, so this file should be
# readable only by its owner (for example: chmod 600 admin-openrc).

# Scope: which domain and project the admin user authenticates against.
OS_PROJECT_DOMAIN_NAME=default
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin

# Identity: user name, password, and the Identity endpoint to talk to.
OS_USERNAME=admin
OS_PASSWORD=admin_passwd
OS_AUTH_URL=http://192.168.100.120:35357/v3

# API versions the client should request.
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2

# Export everything in one place so child processes (the openstack client)
# inherit the settings.
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME
export OS_USERNAME OS_PASSWORD OS_AUTH_URL
export OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION
10.1)校验
# . admin-openrc
# openstack user list
+----------------------------------+-------+
| ID | Name|
+----------------------------------+-------+
| 6f4087ac3ed341b0855e7dec830cf65d | admin |
| d5b1553154e942d6b513f8c706bf374f | demo|
+----------------------------------+-------+