openstack搭建7、部署Keystone

7、部署Keystone
7.1 控制节点启用 OpenStack 软件源(Enable the OpenStack repository)

# On every controller: enable the RDO "rocky" repository, install the
# OpenStack CLI client, then the SELinux policy and helper packages.
# NOTE(review): openstack-selinux presumably carries the SELinux policy for the
# OpenStack services — keep SELinux enforcing instead of disabling it.
[root@controller1:/root]# yum install centos-release-openstack-rocky -y
[root@controller1:/root]# yum install python-openstackclient -y
[root@controller1:/root]# yum install openstack-selinux openstack-utils -y
[root@controller2:/root]# yum install centos-release-openstack-rocky -y
[root@controller2:/root]# yum install python-openstackclient -y
[root@controller2:/root]# yum install openstack-selinux openstack-utils -y
[root@controller3:/root]# yum install centos-release-openstack-rocky -y
[root@controller3:/root]# yum install python-openstackclient -y
[root@controller3:/root]# yum install openstack-selinux openstack-utils -y
注:安装openstack命令工具 openstack-utils,后期则可以使用openstack-config 命令配置openstack

7.2 控制节点安装 SQL database

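# MariaDB on the controllers. python2-PyMySQL is the driver behind the
# mysql+pymysql:// URL written into keystone.conf on ALL three nodes, so it is
# installed on every controller, not only on controller1 (harmless if present).
[root@controller1:/root]# yum install mariadb mariadb-server python2-PyMySQL -y
[root@controller2:/root]# yum install mariadb mariadb-server python2-PyMySQL -y
[root@controller3:/root]# yum install mariadb mariadb-server python2-PyMySQL -y

# Per-node server.cnf: bind-address pins the listener to this node's management
# address only. The keystone DB user is granted remote access later, so 3306
# must additionally be firewalled to the controller/HAProxy hosts.
# NOTE(review): no wsrep_* (Galera) settings are shown here, yet the following
# sections rely on the three nodes replicating each other — presumably set up
# in an earlier chapter; verify with wsrep_cluster_size (bottom) before going on.
[root@controller1:/root]# vim /etc/my.cnf.d/server.cnf
# this is only for the mysqld standalone daemon
[mysqld]
bind-address = 192.168.110.121
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
[root@controller2:/root]# vim /etc/my.cnf.d/server.cnf
# this is only for the mysqld standalone daemon
[mysqld]
bind-address = 192.168.110.122
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

[root@controller3:/root]# vim /etc/my.cnf.d/server.cnf
# this is only for the mysqld standalone daemon
[mysqld]
bind-address = 192.168.110.123
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

[root@controller1:/root]# systemctl restart mariadb.service
[root@controller1:/root]# systemctl status mariadb.service
[root@controller2:/root]# systemctl restart mariadb.service
[root@controller2:/root]# systemctl status mariadb.service
[root@controller3:/root]# systemctl restart mariadb.service
[root@controller3:/root]# systemctl status mariadb.service

# Check that all three nodes are members of the cluster (expect 3).
# -p without a value makes mysql prompt, keeping the root password out of
# the shell history and out of `ps`.
[root@controller1:/root]# mysql -uroot -p -e "SHOW STATUS LIKE 'wsrep_cluster_size';"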

7.3 安装Memcached (controller1、controller2和controller3)

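# memcached on every controller. memcached has NO authentication: any host that
# can reach 11211 can read and poison the cache. The extra "-l ...,controllerN"
# listener is required because keystone on the other two nodes talks to it
# (see memcache_servers in keystone.conf), so 11211 must be firewalled to the
# three controllers only. "-U 0" disables the UDP listener: keystone uses TCP,
# and memcached UDP is a known amplification vector on builds that still
# enable it by default.
[root@controller1:/root]# yum install memcached python-memcached -y
[root@controller1:/root]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1,controller1 -U 0"
[root@controller1:/root]# systemctl enable memcached.service && systemctl start memcached.service
[root@controller1:/root]# systemctl status memcached.service

[root@controller2:/root]# yum install memcached python-memcached -y
[root@controller2:/root]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1,controller2 -U 0"
[root@controller2:/root]# systemctl enable memcached.service && systemctl start memcached.service
[root@controller2:/root]# systemctl status memcached.service

[root@controller3:/root]# yum install memcached python-memcached -y
[root@controller3:/root]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1,controller3 -U 0"
[root@controller3:/root]# systemctl enable memcached.service && systemctl start memcached.service
[root@controller3:/root]# systemctl status memcached.service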

 

7.4 数据库建keystone表

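# Create the keystone database and its DB user — on one node only, the
# cluster replicates it. `-p` with no value makes mysql prompt, so the root
# password does not land in the shell history or in `ps` output.
[root@controller1:/root]# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

# keystone.conf connects as 'keystone' through the VIP on 3307, so the
# connection arrives from a controller/HAProxy address, not from localhost.
# Limit the remote grant to the control-plane subnet (192.168.110.0/24 here,
# taken from the bind-address values above) rather than any host ('%');
# widen it only if HAProxy runs on another network. Use a long, generated
# password instead of the example value.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_szh';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'192.168.110.%' IDENTIFIED BY 'KEYSTONE_szh';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> exit
Bye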
由于之前已经把 MariaDB 做成了集群,所以在 controller1 上创建的数据库和用户会自动同步到 controller2 和 controller3;创建数据库和用户只需要在一个节点上操作一次即可。操作前最好先用 show status like 'wsrep_cluster_size' 确认集群确实有 3 个节点,否则其它节点上的 keystone 之后会连不到数据库。
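# Confirm the database replicated to the other two nodes. Let mysql prompt
# for the root password (-p with no value) instead of passing it in argv.
[root@controller2:/root]# mysql -uroot -p
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.03 sec)
MariaDB [(none)]> exit
Bye
[root@controller3:/root]# mysql -uroot -p
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.03 sec)
MariaDB [(none)]> exit
Bye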

 

7.5 安装keystone并配置

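[root@controller1:/root]# yum install openstack-keystone httpd mod_wsgi -y
[root@controller2:/root]# yum install openstack-keystone httpd mod_wsgi -y
[root@controller3:/root]# yum install openstack-keystone httpd mod_wsgi -y

# The same keystone.conf goes on every node:
#  [cache]    keystone's internal caching in memcached on all three controllers;
#             memcached is unauthenticated, so those listeners must only be
#             reachable from the control plane.
#  [database] the keystone DB user's password is stored here in clear text —
#             keystone.conf must stay root:keystone 0640 (the RPM default;
#             check with ls -l after editing, and do not copy it elsewhere).
#             The connection goes through the VIP on 3307, presumably an
#             HAProxy front-end for the Galera nodes — confirm the VIP setup.
#  [token]    fernet tokens; their keys are generated and distributed in the
#             next step and must be identical on all nodes.
[root@controller1:/root]# cd /etc/keystone/
[root@controller1:/etc/keystone]# ls
default_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json sso_callback_template.html
[root@controller1:/etc/keystone]# cp -p keystone.conf{,.bak}
[root@controller1:/etc/keystone]# vim /etc/keystone/keystone.conf
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller1:11211,controller2:11211,controller3:11211
[database]
connection = mysql+pymysql://keystone:KEYSTONE_szh@VirtualIP:3307/keystone
[token]
provider = fernet

[root@controller2:/root]# cd /etc/keystone/
[root@controller2:/etc/keystone]# cp -p keystone.conf{,.bak}
[root@controller2:/etc/keystone]# vim /etc/keystone/keystone.conf
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller1:11211,controller2:11211,controller3:11211
[database]
connection = mysql+pymysql://keystone:KEYSTONE_szh@VirtualIP:3307/keystone
[token]
provider = fernet

[root@controller3:/root]# cd /etc/keystone/
[root@controller3:/etc/keystone]# cp -p keystone.conf{,.bak}
[root@controller3:/etc/keystone]# vim /etc/keystone/keystone.conf
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller1:11211,controller2:11211,controller3:11211
[database]
connection = mysql+pymysql://keystone:KEYSTONE_szh@VirtualIP:3307/keystone
[token]
provider = fernet

# Show the effective (non-comment, non-blank) settings to double-check the
# edit; also confirm the file mode is still 0640 root:keystone.
[root@controller1:/root]# grep -Ev "^#|^$" /etc/keystone/keystone.conf
[root@controller1:/root]# ls -l /etc/keystone/keystone.conf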

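# Populate the schema. The database is shared by all three controllers, so
# this runs ONCE, on one node only — the other nodes would merely replay the
# same migrations, and running them at the same time on several nodes is
# asking for conflicting writes. Run it as the keystone user, not root.
[root@controller1:/etc/keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone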

注:如果 db_sync 失败(本例中表现为系统自带的 urllib3 过旧、与 requests 不兼容,见下方 pip 输出),可按如下步骤重装 pip/requests/urllib3。注意这些命令会以 root 身份运行从网络下载的 get-pip.py,并用 pip 覆盖 yum 管理的 python 包,仅在无法通过 yum 解决时再使用。
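# Fallback when db_sync fails, apparently on an incompatible urllib3/requests
# pair (the output below shows requests 2.19.1 forcing urllib3 1.10.2 -> 1.23).
# Two supply-chain caveats before running this:
#  - get-pip.py is downloaded and executed as root. wget verifies the TLS
#    certificate, but the script is unpinned remote code — inspect it first,
#    or install pip from the distro package instead.
#  - pip overwriting RPM-managed modules (urllib3, chardet) in the system
#    python2.7 bypasses yum's dependency tracking and can break other
#    RPM-installed tools; prefer the yum python-urllib3/python-requests
#    packages, or a virtualenv, where possible.
# download pip
wget https://bootstrap.pypa.io/get-pip.py
# install pip
python get-pip.py
# check the version
pip -V
# locate the install path
find / -name pip
# symlink (only if pip is not on PATH)
#ln -s -f /usr/lib/python2.7/site-packages/pip /usr/bin/pip
pip uninstall urllib3 -y
pip uninstall chardet -y
pip install requests
#hash -r
python get-pip.py

[root@controller3:/root]# pip install requests
DEPRECATION: Python 2.7 will reach the end of its life on August 10th, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Requirement already satisfied: requests in /usr/lib/python2.7/site-packages (2.19.1)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /usr/lib/python2.7/site-packages (from requests) (3.0.4)
Requirement already satisfied: idna<2.8,>=2.5 in /usr/lib/python2.7/site-packages (from requests) (2.5)
Collecting urllib3<1.24,>=1.21.1
Downloading https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl (133kB)
|████████████████████████████████| 143kB 85kB/s 
Installing collected packages: urllib3
Found existing installation: urllib3 1.10.2
Uninstalling urllib3-1.10.2:
Successfully uninstalled urllib3-1.10.2
Successfully installed urllib3-1.23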


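# Verify on another node that the schema replicated. Give the root password
# at the prompt (-p with no value) rather than on the command line.
[root@controller2:/root]# mysql -uroot -p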
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> show tables;
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
44 rows in set (0.00 sec)

MariaDB [keystone]> exit
Bye
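# Alternatively, test the exact path keystone will use: the keystone user,
# through the VIP on 3307. Again let mysql prompt for the password instead of
# passing it in argv.
[root@controller1:/root]# mysql -ukeystone -p -P3307 -hVirtualIP -e "use keystone;show tables;"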

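# Initialise the Fernet token key repository and the credential-encryption key
# repository. These keys sign/encrypt every token and every stored credential:
# generate them ONCE, on one node, and copy them to the others (below).
[root@controller1:/etc/keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller1:/etc/keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# Bootstrap the identity service. This creates: the "identity" service entry
# with its public, internal and admin endpoints (endpoint/service tables), the
# admin user (local_user), the admin project and the Default domain (project),
# and the admin, member and reader roles (role).
# The bootstrap password becomes the admin password. "admin" is a weak value
# and, given on the command line, it also lands in the shell history and in
# `ps`; read it from a prompt and hand it over via the OS_BOOTSTRAP_PASSWORD
# environment variable, which keystone-manage uses when --bootstrap-password
# is absent. Reuse the same value as OS_PASSWORD in admin-openrc.
# NOTE(review): the three nodes share one database, so bootstrap needs to run on
# one node only; repeating it on controller2/3 with the same password is redundant.
# The endpoints are plain http:// — passwords and tokens cross the network in
# clear text unless TLS is terminated on the VIP; use https:// for production.
[root@controller1:/root]# read -rs -p 'admin password: ' OS_BOOTSTRAP_PASSWORD; echo; export OS_BOOTSTRAP_PASSWORD
[root@controller1:/root]# keystone-manage bootstrap \
> --bootstrap-admin-url http://VirtualIP:5001/v3/ \
> --bootstrap-internal-url http://VirtualIP:5001/v3/ \
> --bootstrap-public-url http://VirtualIP:5001/v3/ \
> --bootstrap-region-id RegionOne
[root@controller1:/root]# unset OS_BOOTSTRAP_PASSWORD

# Distribute the SAME key repositories to the other nodes: a token issued by
# one node must validate on every node. scp runs over SSH, but re-check
# ownership and permissions after the copy — the repositories must be
# readable by the keystone user only.
# NOTE(review): later key rotation (keystone-manage fernet_rotate) must likewise
# be done on one node and the repository re-synced to the others, otherwise
# tokens issued after the rotation are rejected by the stale nodes.
[root@controller1:/etc/keystone]# scp -rp credential-keys/ fernet-keys/ controller2:/etc/keystone/
[root@controller1:/etc/keystone]# scp -rp credential-keys/ fernet-keys/ controller3:/etc/keystone/
[root@controller2:/etc/keystone]# chown -R keystone:keystone /etc/keystone/credential-keys/ /etc/keystone/fernet-keys/
[root@controller2:/etc/keystone]# chmod 700 /etc/keystone/credential-keys/ /etc/keystone/fernet-keys/ && chmod 600 /etc/keystone/credential-keys/* /etc/keystone/fernet-keys/*
[root@controller3:/etc/keystone]# chown -R keystone:keystone /etc/keystone/credential-keys/ /etc/keystone/fernet-keys/
[root@controller3:/etc/keystone]# chmod 700 /etc/keystone/credential-keys/ /etc/keystone/fernet-keys/ && chmod 600 /etc/keystone/credential-keys/* /etc/keystone/fernet-keys/*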

7.6 配置http服务 [controller$表示controller1、controller2和controller3]

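# Apache serves keystone through mod_wsgi on every controller. ServerName only
# silences the startup warning; the VIP works, and so would the node's own name.
[root@controller$:/root]# vim /etc/httpd/conf/httpd.conf
ServerName VirtualIP
# Enable the packaged keystone vhost.
# NOTE(review): the vhost's own listen port is not shown here (the packaged
# file presumably listens on 5000), while every URL on this page uses the VIP
# on 5001 — so HAProxy on the VIP is expected to proxy 5001 to the nodes;
# confirm that mapping. It is plain HTTP: terminate TLS on the VIP before the
# public endpoint is reachable from anywhere untrusted.
[root@controller$:/root]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller$:/root]# ll /etc/httpd/conf.d/
total 16
-rw-r--r--. 1 root root 2926 Aug 8 14:41 autoindex.conf
-rw-r--r--. 1 root root 366 Aug 8 14:42 README
-rw-r--r--. 1 root root 1252 Aug 6 16:44 userdir.conf
-rw-r--r--. 1 root root 824 Aug 6 16:44 welcome.conf
lrwxrwxrwx. 1 root root 38 Aug 6 17:00 wsgi-keystone.conf -> /usr/share/keystone/wsgi-keystone.conf
[root@controller$:/root]# systemctl enable httpd.service && systemctl start httpd.service
[root@controller$:/root]# systemctl status httpd.service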
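# Client credential files. They contain passwords in clear text, so keep them
# root-only (chmod 600) and never copy them off the controllers.
# OS_PASSWORD for admin must be the value given to `keystone-manage bootstrap`.
[root@controller$:/root]# vim openrc
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://VirtualIP:5001/v3
export OS_IDENTITY_API_VERSION=3
[root@controller$:/root]# chmod 600 openrc
[root@controller$:/root]# source openrc
[root@controller$:/root]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 5b63c4528d2a4147b52dd720a4a387fe | admin |
+----------------------------------+-------+
[root@controller$:/root]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://VirtualIP:5001/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller$:/root]# chmod 600 admin-openrc
# demo-openrc is for the unprivileged test user created in 7.7. Its password
# must match the one passed to `openstack user create` there (szhmyuser); the
# page originally had "myuser" here, which would fail with HTTP 401.
[root@controller$:/root]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=szhmyuser
export OS_AUTH_URL=http://VirtualIP:5001/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller$:/root]# chmod 600 demo-openrc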

注:查看是否已经设置开启自启动
# Confirm httpd starts at boot on each node (expected: "enabled").
[root@controller1:/root]# systemctl list-unit-files | grep httpd
httpd.service enabled

7.7 创建domain, projects, users, roles
注:由于是集群,所以只要在一个控制节点上创建即可

# Identity objects live in the shared database, so create them on one node
# only; `openstack project list` on the other controllers (below) returns the
# same IDs.
[root@controller2:/root]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | f46ed6dd1c554eddb5175c265c6c98d4 |
| name | example |
| tags | [] |
+-------------+----------------------------------+
# The "service" project is the conventional home for the other services'
# accounts; nothing is added to it on this page.
[root@controller2:/root]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 0e73fe04735d4acba7f4db1ba10a47a8 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller2:/root]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0e73fe04735d4acba7f4db1ba10a47a8 | service |
| c80a9b4f0a624900bfb6b52e640ae7f7 | admin |
+----------------------------------+---------+
[root@controller1:/root]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0e73fe04735d4acba7f4db1ba10a47a8 | service |
| c80a9b4f0a624900bfb6b52e640ae7f7 | admin |
+----------------------------------+---------+
[root@controller3:/root]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0e73fe04735d4acba7f4db1ba10a47a8 | service |
| c80a9b4f0a624900bfb6b52e640ae7f7 | admin |
+----------------------------------+---------+
# Demo project for the unprivileged test user created next.
[root@controller2:/root]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 9e73d22ab12f45cd99c72bc5c04ff961 |
| is_domain | False |
| name | myproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
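# Create the demo user. The original command omitted the positional user name
# ("myuser") and put the password on the command line, where it is kept in the
# shell history; --password-prompt asks for it interactively instead. Enter
# the same value that demo-openrc carries in OS_PASSWORD.
[root@controller2:/root]# openstack user create --domain default --password-prompt myuser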
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 61c06b9891a64e68b87d84dbcec5e9ac |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
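[root@controller2:/root]# openstack role create myrole
[root@controller2:/root]# openstack role add --project myproject --user myuser myrole
# Drop the cached admin credentials so the next request has to authenticate
# explicitly (the client then prompts for the password).
[root@controller2:/root]# unset OS_AUTH_URL OS_PASSWORD
[root@controller2:/root]# openstack --os-auth-url http://VirtualIP:5001/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
# HTTP 401 here most likely means the value typed at the prompt was not the
# bootstrap password — the identical retry below succeeds — not a deployment
# problem. A 401 that persists with the right password would point at the
# fernet keys differing between nodes behind the VIP.
The request you have made requires authentication. (HTTP 401) (Request-ID: req-6117e2db-4501-4202-b794-918f61d0643e)
[root@controller2:/root]# openstack --os-auth-url http://VirtualIP:5001/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue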
+------------+------------------------------------------------------------------------
| Field | Value --------------------------------------------------------------------------------+
| expires | 2020-08-10T17:13:23+0000 
| id | gAAAAABeIIujGF9vkLny2yr73nYj2WEpHzS8w6nxf2eq-8VG9J3g1so_k7NesxKQjrgeoLLPcZS9UeA7ETwjGboGTRAoeXZRCDffQQFOA_ywTIcMHSRTKRHEUsf949SPxSWk6eOHjcncpFrW5gt0GF-dKBbOgqiaW3mdxEnO2mitZwjAiu-v07A |
| project_id | c80a9b4f0a624900bfb6b52e640ae7f7 
| user_id | 5b63c4528d2a4147b52dd720a4a387fe ------------------------------------------------------------------------+

# Re-source the admin credentials (OS_AUTH_URL/OS_PASSWORD were unset above)
# and confirm a token is issued without prompting.
[root@controller2:/root]# . admin-openrc
[root@controller2:/root]# openstack token issue
+------------+------------------------------------------------------------------------
| Field | Value 
+------------+------------------------------------------------------------------------
| expires | 2020-08-10T16:27:37+0000 
| id | gAAAAABeIIDpJl7tk9hlti4O1pEst-wGQeeehdN4e2OzRPSy-YBb6dYcwZknlnLdj9Cjb5rzSYZ1gGLcvONHh4z6ot2UiXdPcuwlkJ-HOyzGMFyAHr3jyUSRr-5lB-o8E05PRvJq5u4NHSunG5mW-D3J-ila-dfUJ2IsOtu8MmE90pi0sEuK8eI |
| project_id | c80a9b4f0a624900bfb6b52e640ae7f7 
| user_id | 5b63c4528d2a4147b52dd720a4a387fe ---------------------------+

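# Final check from another node: request a token as admin through the VIP.
# With OS_PASSWORD not set in this shell, the client prompts for the password,
# so nothing secret appears in argv or the shell history.
[root@controller1:/root]# openstack --os-auth-url http://VirtualIP:5001/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue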
原文地址:https://www.cnblogs.com/tartarush/p/14307949.html