openstack--3--控制节点安装配置keystone

5imobi · 发表于 2017-6-26 20:38:18

Keystone介绍

　　Keystone作用
　　用户与认证：用户权限与用户行为跟踪：
　　服务目录：提供一个服务目录，包括所有服务项与相关Api的端点，它是个注册中心

用户认证包括：User，Tenant，Token，Role

服务目录包括：Service，Endpoint

　　服务目录名字介绍
　　Service
Service即服务，如Nova、Glance、Swift。根据前三个概念（User，Tenant和Role）一个服务可以确认当前用户是否具有访问其资源的权限。
但是当一个user尝试着访问其租户内的service时，他必须知道这个service是否存在以及如何访问这个service，这里通常使用一些不同的名称表示不同的服务。
　　Endpoint
　　Endpoint，翻译为“端点”，我们可以理解它是一个服务暴露出来的访问点，如果需要访问一个服务，则必须知道他的endpoint。
因此，在keystone中包含一个endpoint模板，这个模板提供了所有存在的服务endpoints信息。
一个endpointtemplate包含一个URLs列表，列表中的每个URL都对应一个服务实例的访问地址，并且具有public、private和admin这三种权限。
public url可以被全局访问；private url只能被局域网访问；admin url被从常规的访问中分离。
　　用户认证名字介绍
　　Token
Token是访问资源的钥匙。它是通过Keystone验证后的返回值，在之后的与其他服务交互中只需要携带Token值即可。
每个Token都有一个有效期，Token只在有效期内是有效的。
　　Role
　　Role即角色，Roles代表一组用户可以访问的资源权限，例如Nova中的虚拟机、Glance中的镜像。
Users可以被添加到任意一个全局的或租户的角色中。在全局的role中，用户的role权限作用于所有的租户，即可以对所有的租户执行role规定的权限；
在租户内的role中，用户仅能在当前租户内执行role规定的权限。
　　Tenant
　　Tenant即租户，现在改成了项目。它是各个服务中的一些可以访问的资源集合。例如，在Nova中一个tenant可以是一些机器，
在Swift和Glance中一个tenant可以是一些镜像存储，在Neutron中一个tenant可以是一些网络资源。Users默认的总是绑定到某些tenant上。
　　User
　　User即用户，他们代表可以通过keystone进行访问的人或程序。Users通过认证信息（credentials，如密码、API Keys等）进行验证。
　　一个项目可以有多个用户
一个用户可以属于一个或多个项目
用户对项目和操作权限由用户在项目中的角色决定

KeyStone安装和配置

　　1、安装keystone包

　　以前版本，把token放在了数据库里，keystone 的token表会越来越大，几千万行，后面就响应很慢了，你可以truncate这个表，但是不要在创建虚拟机的时候截断表
现在改成了可以把token放在memcache里面，读的更快，同时memcached里也可以设置过期时间
python-memcached是使用python连接memcached的，因为连接过去，keystone会返回一个token。
httpd这个包用来运行keystone的服务，mod_wsgi 它是python的一个模块，有了它，就可以让keystone在apache运行为什么现在用到了memcached呢

[iyunv@linux-node1 ~]# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.163.com
* epel: mirror01.idc.hinet.net
* extras: mirrors.163.com
* updates: mirrors.163.com
Package 1:openstack-keystone-9.2.0-1.el7.noarch already installed and latest version
Package httpd-2.4.6-45.el7.centos.x86_64 already installed and latest version
Package mod_wsgi-3.4-12.el7_0.x86_64 already installed and latest version
Package memcached-1.4.33-2.el7.x86_64 already installed and latest version
Package python-memcached-1.54-3.el7.noarch already installed and latest version
Nothing to do
[iyunv@linux-node1 ~]#

　　
　　2、更改keystone配置文件
　　keystone是管理认证的，我想在里面创建用户，如果像rabbitmq有个默认用户也行
现在是没有用户，怎么连上去创建用户呢，这里就用到了admin_token
使用admin_token不用任何用户就可以连接上keystone，先配置下admin_token
我们使用一个随机的值替换默认的admin，手动随机一个字符串

[iyunv@linux-node1 ~]# openssl rand -hex 10
d6f70f7738e69f57a839
[iyunv@linux-node1 ~]#

　　更改keystone配置文件/etc/keystone/keystone.conf

把13行admin_token配置成一个上面随机值，也可以自己定义。不要太简单即可

另外配置文件必须顶头写，在admin_token前面不要有空格

　　[database]模块下，更改数据库连接，如下

　　配置memcached连接配置
　　keystone中memcache的作用
把用户名密码验证之后生成token，放在memcache里面的，来提高性能
其实你的memcache也可以安装在任意一台机器上，解耦

　　[token]模块下，配置令牌提供者，fernet方式比uuid更安全，配置driver为memcache，表示把另外放在memcache空间里

　　检查下配置，显示行号

[iyunv@linux-node1 ~]# grep -n  '^[a-Z]'  /etc/keystone/keystone.conf
13:admin_token = d6f70f7738e69f57a839
549:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1252:servers = 192.168.56.11:11211
2005:provider = fernet
2010:driver = memcache
[iyunv@linux-node1 ~]#

　　3、同步数据库执行建表操作

初始化身份认证服务的数据库：

[iyunv@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[iyunv@linux-node1 ~]#

　　为什么要切换到keystone用户下执行这个命令呢
如果你上面不切换到keystone用户执行，也能执行成功，但是这个log文件属主就是root了
后面启动keystone服务，它要写这个日志文件，root属主的文件它无法写入，就启动不成功了
上面命令执行完毕，日志属主都是keystone用户下的了。

[iyunv@linux-node1 ~]# cd /var/log/keystone/
[iyunv@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 6964 Feb 16 21:32 keystone.log
[iyunv@linux-node1 keystone]# tail -10 keystone.log
2017-02-16 21:32:31.820 6028 INFO migrate.versioning.api [-] 2 -> 3...
2017-02-16 21:32:31.835 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.835 6028 INFO migrate.versioning.api [-] 3 -> 4...
2017-02-16 21:32:31.879 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.879 6028 INFO migrate.versioning.api [-] 4 -> 5...
2017-02-16 21:32:31.902 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.927 6028 INFO migrate.versioning.api [-] 0 -> 1...
2017-02-16 21:32:31.947 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.947 6028 INFO migrate.versioning.api [-] 1 -> 2...
2017-02-16 21:32:31.975 6028 INFO migrate.versioning.api [-] done

　　当然你也可以以root执行，然后chown这个日志文件给keystone。

检查验证上述操作是否建表成功，使用keystone用户查看，还可以检查登录是否正确

[iyunv@linux-node1 ~]# mysql -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone    |
+------------------------+
| access_token          |
| assignment          |
| config_register       |
| consumer             |
| credential          |
| domain                |
| endpoint             |
| endpoint_group       |
| federated_user       |
| federation_protocol |
| group                |
| id_mapping          |
| identity_provider    |
| idp_remote_ids       |
| implied_role          |
| local_user          |
| mapping             |
| migrate_version       |
| password             |
| policy                |
| policy_association    |
| project             |
| project_endpoint    |
| project_endpoint_group |
| region                |
| request_token       |
| revocation_event    |
| role                |
| sensitive_config    |
| service             |
| service_provider    |
| token                |
| trust                |
| trust_role          |
| user                |
| user_group_membership  |
| whitelisted_config    |
+------------------------+
[iyunv@linux-node1 ~]#

　　下面是keystone服务的日志文件默认路径，注意它的属组权限

[iyunv@linux-node1 ~]# cd /var/log/keystone/
[iyunv@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 4340 Feb 17 17:22 keystone.log
[iyunv@linux-node1 keystone]#

4、初始化Fernet keys，创建证书

[iyunv@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[iyunv@linux-node1 keystone]#

上述命令执行完，它会创建下面这个目录fernet-keys，同时注意keyston.conf的文件权限

root@linux-node1 keystone]# cd /etc/keystone/
[iyunv@linux-node1 keystone]# ls -l
total 100
-rw-r----- 1 root    keystone  2303 Sep 22 20:06 default_catalog.templates
drwx------ 2 keystone keystone 22 Feb 17 17:28 fernet-keys
-rw-r----- 1 root    keystone 73171 Feb 17 17:22 keystone.conf
-rw-r----- 1 root    keystone  2400 Sep 22 20:06 keystone-paste.ini
-rw-r----- 1 root    keystone  1046 Sep 22 20:06 logging.conf
-rw-r----- 1 keystone keystone  9699 Sep 22 20:06 policy.json
-rw-r----- 1 keystone keystone 665 Sep 22 20:06 sso_callback_template.html
[iyunv@linux-node1 keystone]#

　　tree方式查看一下

[iyunv@linux-node1 keystone]# tree
.
├── default_catalog.templates
├── fernet-keys
│ ├── 0
│ └── 1
├── keystone.conf
├── keystone-paste.ini
├── logging.conf
├── policy.json
└── sso_callback_template.html
1 directory, 8 files
[iyunv@linux-node1 keystone]#

5、memcache启动并更改配置

[iyunv@linux-node1 ~]# systemctl start memcached.service
[iyunv@linux-node1 ~]# systemctl enable memcached
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[iyunv@linux-node1 keystone]# netstat -antp | grep 11211
tcp       0    0 127.0.0.1:11211       0.0.0.0:*             LISTEN    12264/memcached
tcp6    0    0 ::1:11211             :::*                   LISTEN    12264/memcached
[iyunv@linux-node1 keystone]# ps aux | grep memcached
memcach+  12264  0.0  0.0 333840  1212 ?       Ssl  20:43 0:00 /usr/bin/memcached -p 11211 -u memcached -m 64 -c 1024 -l 127.0.0.1,::1
root    12345  0.0  0.0 112644 964 pts/0 S+ 20:45 0:00 grep --colour=auto memcached
[iyunv@linux-node1 keystone]#

找它的配置文件

[iyunv@linux-node1 keystone]# rpm -ql memcached
/etc/sysconfig/memcached
/usr/bin/memcached
/usr/bin/memcached-tool
/usr/lib/systemd/system/memcached.service
/usr/share/doc/memcached-1.4.33
/usr/share/doc/memcached-1.4.33/AUTHORS
/usr/share/doc/memcached-1.4.33/CONTRIBUTORS
/usr/share/doc/memcached-1.4.33/COPYING
/usr/share/doc/memcached-1.4.33/ChangeLog
/usr/share/doc/memcached-1.4.33/NEWS
/usr/share/doc/memcached-1.4.33/README.md
/usr/share/doc/memcached-1.4.33/new_lru.txt
/usr/share/doc/memcached-1.4.33/protocol.txt
/usr/share/doc/memcached-1.4.33/readme.txt
/usr/share/doc/memcached-1.4.33/threads.txt
/usr/share/man/man1/memcached-tool.1.gz
/usr/share/man/man1/memcached.1.gz
[iyunv@linux-node1 keystone]#

下面是它默认配置，你可以更改

[iyunv@linux-node1 keystone]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"
[iyunv@linux-node1 keystone]#

memcached没监听在ipv4上，导致无法通过192.168.56.11这个地址连接，需要修改，否则后面通过密码认证会报500错误

[iyunv@linux-node1 keystone]# telnet 192.168.56.11 11211
Trying 192.168.56.11...
telnet: connect to address 192.168.56.11: Connection refused

更改memcached监听地址，改为全部网络接口上

[iyunv@linux-node1 ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 0.0.0.0"
[iyunv@linux-node1 ~]#

重启memcached服务，这样11211就监听再了ipv4端口上了

[iyunv@linux-node1 ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address       State    PID/Program name
tcp       0    0 0.0.0.0:25672          0.0.0.0:*             LISTEN    4916/beam.smp
tcp       0    0 0.0.0.0:5000          0.0.0.0:*             LISTEN    1181/httpd
tcp       0    0 0.0.0.0:3306          0.0.0.0:*             LISTEN    1615/mysqld
tcp       0    0 0.0.0.0:11211          0.0.0.0:*             LISTEN    2006/memcached
tcp       0    0 0.0.0.0:80             0.0.0.0:*             LISTEN    1181/httpd
tcp       0    0 0.0.0.0:4369          0.0.0.0:*             LISTEN    1/systemd
tcp       0    0 192.168.122.1:53       0.0.0.0:*             LISTEN    1745/dnsmasq
tcp       0    0 0.0.0.0:22             0.0.0.0:*             LISTEN    1160/sshd
tcp       0    0 0.0.0.0:15672          0.0.0.0:*             LISTEN    4916/beam.smp
tcp       0    0 0.0.0.0:35357          0.0.0.0:*             LISTEN    1181/httpd
tcp       0    0 127.0.0.1:4369       127.0.0.1:33788       ESTABLISHED 1653/epmd
tcp       0    52 192.168.56.11:22       192.168.56.1:50037    ESTABLISHED 1910/sshd: root@pts
tcp       0    0 192.168.56.11:4369    192.168.56.11:60206    TIME_WAIT -
tcp       0    0 127.0.0.1:54935       127.0.0.1:4369       TIME_WAIT -
tcp       0    0 127.0.0.1:33788       127.0.0.1:4369       ESTABLISHED 4916/beam.smp
tcp       0    0 192.168.56.11:4369    192.168.56.11:47835    TIME_WAIT -
tcp       0    0 192.168.56.11:4369    192.168.56.11:33010    TIME_WAIT -
tcp       0    57 192.168.56.11:15672    192.168.56.1:51799    ESTABLISHED 4916/beam.smp
tcp6    0    0 :::5672                :::*                   LISTEN    4916/beam.smp
tcp6    0    0 :::22                :::*                   LISTEN    1160/sshd
[iyunv@linux-node1 ~]#

　　可以通过IPv4地址访问了

[iyunv@linux-node1 keystone]# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[iyunv@linux-node1 keystone]#

　　为了防止后期一些服务监听再IPv6上的干扰，可以禁用掉系统默认的IPv6

[iyunv@linux-node1 ~]# vim /etc/sysctl.conf
[iyunv@linux-node1 ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[iyunv@linux-node1 ~]# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[iyunv@linux-node1 ~]#

6、配置apache　　早期keystone自己单独可以启动，但是性能不好。后面就使用apache运行keystone服务了
　　使用apache代理keystone,这里面有2个虚拟主机的配置
　　5000 正常的api来访问 35357 admin用户管理访问的端口

创建下面文件并配置如下

[iyunv@linux-node1 keystone]# touch /etc/httpd/conf.d/wsgi-keystone.conf
[iyunv@linux-node1 keystone]# vim /etc/httpd/conf.d/wsgi-keystone.conf
[iyunv@linux-node1 keystone]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
[iyunv@linux-node1 keystone]#

　　修改主配置文件，95行改成如下内容
　　必须要配置httpd的ServerName,不配置的话apache能启动，但是keystone服务不能起来

[iyunv@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf
[iyunv@linux-node1 keystone]# grep -n "^ServerName" /etc/httpd/conf/httpd.conf
95:ServerName 192.168.56.11:80
[iyunv@linux-node1 keystone]#

7、启动启动keystone服务
启动apache服务就相当于启动了keystone

[iyunv@linux-node1 keystone]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[iyunv@linux-node1 keystone]# systemctl start httpd.service
[iyunv@linux-node1 keystone]#

　　查看监听情况，5000和35357端口已经起来了

[iyunv@linux-node1 keystone]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address       State    PID/Program name
tcp       0    0 0.0.0.0:25672          0.0.0.0:*             LISTEN    3455/beam.smp
tcp       0    0 0.0.0.0:3306          0.0.0.0:*             LISTEN    1965/mysqld
tcp       0    0 127.0.0.1:11211       0.0.0.0:*             LISTEN    12264/memcached
tcp       0    0 0.0.0.0:111          0.0.0.0:*             LISTEN    1/systemd
tcp       0    0 0.0.0.0:4369          0.0.0.0:*             LISTEN    1/systemd
tcp       0    0 192.168.122.1:53       0.0.0.0:*             LISTEN    1337/dnsmasq
tcp       0    0 0.0.0.0:22             0.0.0.0:*             LISTEN    1153/sshd
tcp       0    0 0.0.0.0:15672          0.0.0.0:*             LISTEN    3455/beam.smp
tcp       0    0 127.0.0.1:25          0.0.0.0:*             LISTEN    1277/master
tcp6    0    0 :::5000                :::*                   LISTEN    12556/httpd
tcp6    0    0 :::5672                :::*                   LISTEN    3455/beam.smp
tcp6    0    0 ::1:11211             :::*                   LISTEN    12264/memcached
tcp6    0    0 :::111                :::*                   LISTEN    1/systemd
tcp6    0    0 :::80                :::*                   LISTEN    12556/httpd
tcp6    0    0 :::22                :::*                   LISTEN    1153/sshd
tcp6    0    0 ::1:25                :::*                   LISTEN    1277/master
tcp6    0    0 :::35357             :::*                   LISTEN    12556/httpd
[iyunv@linux-node1 keystone]#

查看日志，没报错即可

[iyunv@linux-node1 ~]# tail -f /var/log/keystone/keystone.log
2017-02-17 17:22:11.743 7983 INFO migrate.versioning.api [-] done
2017-02-17 17:22:11.743 7983 INFO migrate.versioning.api [-] 96 -> 97...
2017-02-17 17:22:11.754 7983 INFO migrate.versioning.api [-] done
2017-02-17 17:28:10.672 8128 INFO keystone.token.providers.fernet.utils [-] [fernet_tokens] key_repository does not appear to exist; attempting to create it
2017-02-17 17:28:10.673 8128 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
2017-02-17 17:28:10.674 8128 INFO keystone.token.providers.fernet.utils [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Current primary key is: 0
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Next primary key will be: 1
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Promoted key 0 to be the primary: 1
2017-02-17 17:28:10.676 8128 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0

启动如果有问题可以打开debug

[iyunv@linux-node1 ~]# vim /etc/keystone/keystone.conf
[iyunv@linux-node1 ~]# grep -n "#debug" /etc/keystone/keystone.conf
118:#debug = false
403:#debug_cache_backend = false
1008:#debug_level = <None>
[iyunv@linux-node1 ~]#

　　

在keystone创建域、项目、用户和角色

　　先查看之前配置文件里配置的admin_token

[iyunv@linux-node1 ~]# grep -n "^admin_token" /etc/keystone/keystone.conf
13:admin_token = d6f70f7738e69f57a839
[iyunv@linux-node1 ~]#

　　1、添加环境变量
　　你在当前窗口设置了环境变量，也一定要在当前窗口操作
5000端口是给消费者调用的，35357是给管理者用的，管理链接
v3是v3版本，这里写这个非常有出处，以后升级便于找出问题，对于一些版本依赖的服务很友好
前面连接v3版本的资源。如果你升级，新建个目录v4，这样既保存了v3版本的东西，就有新的v4
便于找出问题，也是架构设计的优点

[iyunv@linux-node1 ~]# export OS_TOKEN=d6f70f7738e69f57a839
[iyunv@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
[iyunv@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
[iyunv@linux-node1 ~]#

　　2.、创建域default

[iyunv@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field    | Value                         |
+-------------+----------------------------------+
| description | Default Domain                |
| enabled    | True                            |
| id       | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| name       | default                         |
+-------------+----------------------------------+
[iyunv@linux-node1 ~]#

　　
3、创建 admin 项目
　　这个admin的项目可以管理所有的云主机

[iyunv@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field    | Value                         |
+-------------+----------------------------------+
| description | Admin Project                   |
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled    | True                            |
| id       | e88437b3330145e1a713469130b4c3cd |
| is_domain | False                         |
| name       | admin                         |
| parent_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[iyunv@linux-node1 ~]#

4、创建 admin 用户

　　生产环境密码一定要设置复杂

[iyunv@linux-node1 ~]# openstack user create --domain default  --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled | True                            |
| id       | bf3591b757704f8c8166e3294a62efb7 |
| name    | admin                         |
+-----------+----------------------------------+
[iyunv@linux-node1 ~]#

5、创建 admin 角色

[iyunv@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | None                            |
| id       | 62a941ebad834b398e9eef009c2b6eaa |
| name    | admin                         |
+-----------+----------------------------------+
[iyunv@linux-node1 ~]#

　　6、添加admin角色到 admin 项目和用户上

[iyunv@linux-node1 ~]# openstack role add --project admin --user admin admin
[iyunv@linux-node1 ~]#

　　上面我们创建的角色都是openstack有的，提前定义好的，不是我们随便创建的，在这里可以看到

[iyunv@linux-node1 ~]# cd /etc/keystone/
[iyunv@linux-node1 keystone]# ls
default_catalog.templates  keystone.conf    logging.conf  sso_callback_template.html
fernet-keys             keystone-paste.ini  policy.json
[iyunv@linux-node1 keystone]# cat policy.json
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",

　　继续创建一个普通用户，后面使用普通用户进行虚拟机的创建
　　一般情况下我们应该使用无特权的项目和用户。
作为例子，本指南创建 demo 项目和用户。
　　7、创建demo 项目

[iyunv@linux-node1 keystone]# openstack project create --domain default  --description "Demo Project" demo
+-------------+----------------------------------+
| Field    | Value                         |
+-------------+----------------------------------+
| description | Demo Project                   |
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled    | True                            |
| id       | ef1575c568a4416c81f4855ae5cfd8eb |
| is_domain | False                         |
| name       | demo                            |
| parent_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[iyunv@linux-node1 keystone]#

　　8、创建demo 用户

[iyunv@linux-node1 keystone]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled | True                            |
| id       | 7a01e2bd239844f183abbb4b0b960647 |
| name    | demo                            |
+-----------+----------------------------------+
[iyunv@linux-node1 keystone]#

9、创建 user 角色

[iyunv@linux-node1 keystone]# openstack role create user
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | None                            |
| id       | 5fdf92e7547b4f9aa346f88942ce36b0 |
| name    | user                            |
+-----------+----------------------------------+
[iyunv@linux-node1 keystone]#

　　10、添加 user角色到 demo 项目和用户

[iyunv@linux-node1 keystone]# openstack role add --project demo --user demo user
[iyunv@linux-node1 keystone]#

keystone服务创建服务目录相关

　　keystone除了服务认证的作用，还有服务目录的作用
keystone本身也要在上面注册
　　1、创建service项目，里面可以包含服务

[iyunv@linux-node1 keystone]# openstack project create --domain default  --description "Service Project" service
+-------------+----------------------------------+
| Field    | Value                         |
+-------------+----------------------------------+
| description | Service Project                |
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled    | True                            |
| id       | fc29ee0a1c7145de99885bb4a3bef9c1 |
| is_domain | False                         |
| name       | service                         |
| parent_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[iyunv@linux-node1 keystone]#

　　提前为每个服务创建用户，密码都是和本服务用户名一致
　　2、创建glance用户

[iyunv@linux-node1 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled | True                            |
| id       | fc2b7770e8394568922b0ef18672b45c |
| name    | glance                         |
+-----------+----------------------------------+
[iyunv@linux-node1 ~]#

3、把glance用户加入到service项目，同时给它admin角色

root@linux-node1 ~]# openstack role add --project service --user glance admin
[iyunv@linux-node1 ~]#

nova服务

4、创建nova用户，并加入service项目，同时给它admin角色

[iyunv@linux-node1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled | True                            |
| id       | b14137c43aa9474d86331593db43fe1f |
| name    | nova                            |
+-----------+----------------------------------+
[iyunv@linux-node1 ~]# openstack role add --project service --user nova admin
[iyunv@linux-node1 ~]#

5、创建neutron用户，并接入Service项目，同时给它admin角色

[iyunv@linux-node1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field    | Value                         |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled | True                            |
| id       | ff1bea210abb4d89b27ab96fd6d6b2d9 |
| name    | neutron                         |
+-----------+----------------------------------+
[iyunv@linux-node1 ~]# openstack role add --project service --user neutron admin
[iyunv@linux-node1 ~]#

　　创建服务实体和API端点
　　在你的Openstack环境中，认证服务管理服务目录。服务使用这个目录来决定您的环境中可用的服务。
创建服务实体和身份认证服务：
　　6、创建keystone服务，类型是identify

[iyunv@linux-node1 ~]# openstack service create  --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field    | Value                         |
+-------------+----------------------------------+
| description | OpenStack Identity             |
| enabled    | True                            |
| id       | 4c0cdee367d14a66aa3921fe68e4b63e |
| name       | keystone                      |
| type       | identity                      |
+-------------+----------------------------------+
[iyunv@linux-node1 ~]#

　　7、创建认证服务的 API 端点，公共的，内部的，管理的
　　只有这个keystone比较特殊，其它的服务端口都是一样的
　　public url可以被全局访问

[iyunv@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field       | Value                         |
+--------------+----------------------------------+
| enabled    | True                            |
| id          | 1d91a71ed4254789ad3c6fed96ec6375 |
| interface | public                         |
| region    | RegionOne                      |
| region_id | RegionOne                      |
| service_id | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                      |
| service_type | identity                      |
| url       | http://192.168.56.11:5000/v3    |
+--------------+----------------------------------+
[iyunv@linux-node1 ~]#

　　private url只能被局域网访问

[iyunv@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field       | Value                         |
+--------------+----------------------------------+
| enabled    | True                            |
| id          | 525ca6f2b5bc426d82410f551d3568ff |
| interface | internal                      |
| region    | RegionOne                      |
| region_id | RegionOne                      |
| service_id | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                      |
| service_type | identity                      |
| url       | http://192.168.56.11:5000/v3    |
+--------------+----------------------------------+
[iyunv@linux-node1 ~]#

　　管理员使用的

[iyunv@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field       | Value                         |
+--------------+----------------------------------+
| enabled    | True                            |
| id          | 7b561693fd7947a0b6c05e6f8f42d964 |
| interface | admin                         |
| region    | RegionOne                      |
| region_id | RegionOne                      |
| service_id | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                      |
| service_type | identity                      |
| url       | http://192.168.56.11:35357/v3 |
+--------------+----------------------------------+
[iyunv@linux-node1 ~]#

关于创建的对象的增删改查操作。后面跟id，创建错了可以通过id删除

[iyunv@linux-node1 ~]# openstack user --help
Command "user" matches:
user create
user delete
user list
user password set
user set
user show
[iyunv@linux-node1 ~]# openstack endpoint --help
Command "endpoint" matches:
endpoint create
endpoint delete
endpoint list
endpoint set
endpoint show
[iyunv@linux-node1 ~]#

　　8、检查上面创建结果

[iyunv@linux-node1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                            | Name    | Type    |
+----------------------------------+----------+----------+
| 4c0cdee367d14a66aa3921fe68e4b63e | keystone | identity |
+----------------------------------+----------+----------+
[iyunv@linux-node1 ~]# openstack endpoint list
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
| ID                | Region | Service Name | Service Type | Enabled | Interface | URL             |
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
| 1d91a71ed4254789ad | RegionOne | keystone    | identity    | True | public | http://192.168.56. |
| 3c6fed96ec6375    |          |             |             |       |          | 11:5000/v3       |
| 525ca6f2b5bc426d82 | RegionOne | keystone    | identity    | True | internal  | http://192.168.56. |
| 410f551d3568ff    |          |             |             |       |          | 11:5000/v3       |
| 7b561693fd7947a0b6 | RegionOne | keystone    | identity    | True | admin    | http://192.168.56. |
| c05e6f8f42d964    |          |             |             |       |          | 11:35357/v3       |
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
[iyunv@linux-node1 ~]#

其实上面创建操作都是写数据库，查询操作也是查询数据库

[iyunv@linux-node1 ~]# mysql -ukeystone -pkeystone
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.52-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> select * from keystone.endpoint;
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
| id                            | legacy_endpoint_id | interface | service_id                      | url                         | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
| 1d91a71ed4254789ad3c6fed96ec6375 | NULL             | public | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:5000/v3  | {} |    1 | RegionOne |
| 525ca6f2b5bc426d82410f551d3568ff | NULL             | internal  | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:5000/v3  | {} |    1 | RegionOne |
| 7b561693fd7947a0b6c05e6f8f42d964 | NULL             | admin    | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:35357/v3 | {} |    1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
3 rows in set (0.00 sec)
MariaDB [(none)]>

全部都在数据库里存着的

MariaDB [(none)]> select * from keystone.user;
+----------------------------------+-------+---------+--------------------+
| id                            | extra | enabled | default_project_id |
+----------------------------------+-------+---------+--------------------+
| 7a01e2bd239844f183abbb4b0b960647 | {} |    1 | NULL             |
| b14137c43aa9474d86331593db43fe1f | {} |    1 | NULL             |
| bf3591b757704f8c8166e3294a62efb7 | {} |    1 | NULL             |
| fc2b7770e8394568922b0ef18672b45c | {} |    1 | NULL             |
| ff1bea210abb4d89b27ab96fd6d6b2d9 | {} |    1 | NULL             |
+----------------------------------+-------+---------+--------------------+
5 rows in set (0.00 sec)
MariaDB [(none)]> select * from keystone.service;
+----------------------------------+----------+---------+-----------------------------------------------------------+
| id                            | type    | enabled | extra                                                    |
+----------------------------------+----------+---------+-----------------------------------------------------------+
| 4c0cdee367d14a66aa3921fe68e4b63e | identity |    1 | {"description": "OpenStack Identity", "name": "keystone"} |
+----------------------------------+----------+---------+-----------------------------------------------------------+
1 row in set (0.00 sec)
MariaDB [(none)]>

　　9、使用用户连接keystone验证

不使用admin_token，需要取消环境变量里的设置

下面成功获取token信息，表示通过admin用户连接成功

[iyunv@linux-node1 ~]# unset OS_TOKEN
[iyunv@linux-node1 ~]# unset OS_URL
[iyunv@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+--------------------------------------------------------------------------------------------+
| Field    | Value                                                                                     |
+------------+--------------------------------------------------------------------------------------------+
| expires | 2017-02-17T15:30:40.804805Z                                                             |
| id       | gAAAAABYpwkRR5dn3jc8jhGy24mhmkYnQD6pgQoi9pTkP-mSOdbB3G5CELvuoSE4p_8wvAl4-TZunia45moMdCP0iB |
|          | RfWDOoov7ong5KtXa4OdWupiajXm3n49tZvqVFJ760R7LbGZ1I1oGST8cUHsoeVlqze9iIDoTCt9dw6D0-lix-    |
|          | 5wMHwc0                                                                                  |
| project_id | e88437b3330145e1a713469130b4c3cd                                                          |
| user_id | bf3591b757704f8c8166e3294a62efb7                                                          |
+------------+--------------------------------------------------------------------------------------------+
[iyunv@linux-node1 ~]#

　　测试demo 用户，请求认证令牌，也成功　　

[iyunv@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+--------------------------------------------------------------------------------------------+
| Field    | Value                                                                                     |
+------------+--------------------------------------------------------------------------------------------+
| expires | 2017-02-17T15:34:15.267032Z                                                             |
| id       | gAAAAABYpwnnB8SFrZCQMa_d_4vHcKMQoAmt34F1rnIAz4fMsIG1Hr1c1wbGE3TAKBbQW4T-YHZt61P5EKAoopPJK- |
|          | bhXZZHZO6huiVIPvytzN3rd0N-zSf-xdKDWZ0SiGAciDCbyjfzm0i4DFhEnkA9buxAaFL8eTpWvPoknCBg-       |
|          | klLB35Pw1A                                                                               |
| project_id | ef1575c568a4416c81f4855ae5cfd8eb                                                          |
| user_id | 7a01e2bd239844f183abbb4b0b960647                                                          |
+------------+--------------------------------------------------------------------------------------------+
[iyunv@linux-node1 ~]#

　　10、创建 OpenStack 客户端环境脚本
　　设置2个环境变量脚本，以后想用的话，source一下就行了，再次获取下token，就不用像以前输入这么长了

[iyunv@linux-node1 ~]# cat admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[iyunv@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

　　通过脚本加载环境变量，获取token

[iyunv@linux-node1 ~]# source admin-openstack.sh
[iyunv@linux-node1 ~]# openstack token issue
+------------+--------------------------------------------------------------------------------------------+
| Field    | Value                                                                                     |
+------------+--------------------------------------------------------------------------------------------+
| expires | 2017-02-17T15:47:48.365307Z                                                             |
| id       | gAAAAABYpw0Ua2MqIA4X7zouPtRHzKmd9TSKG5tcX76c1rv40CDYJX1nZZUjDvMl0884721zaFlFOARPm2jDGkrqir |
|          | b5X6qNnVCQGUSiasm853HZge2m1ZBGw6GOMbFiG0SAABIUvl7E3Or8kzHWnLBJ8Ls6AfP350tlR8zH7kUVwV8-2CKp |
|          | NQY                                                                                     |
| project_id | e88437b3330145e1a713469130b4c3cd                                                          |
| user_id | bf3591b757704f8c8166e3294a62efb7                                                          |
+------------+--------------------------------------------------------------------------------------------+
[iyunv@linux-node1 ~]#

以后每次执行openstack相关命令都要执行source一次环境变量！！！

账号		自动登录	找回密码
密码			立即注册

大疆运维招人啦，

C++ :try 语句块和异常处理

C++的多态

Red Hat RHCE 8 (EX294) Cert Guide

Java/C++ 区别：看完这一篇，就够用！

别再用过时库了！这 13 个顶级 C++ 库才是

c++ size_t 和 int 的区别

[经验分享] openstack--3--控制节点安装配置keystone

浏览过的版块

扫码加入运维网微信交流群