基于 CentOS 8 手工部署 OpenStack Victoria 版本(三)– 安装 Keystone

OpenStack 系统是由众多独立的组件组成的,这些组件可以根据用户的需求来协调完成工作,在工作过程中会涉及各个组件之间的交互操作,所以我们在控制节点上部署 KeyStone 组件作为 OpenStack 中的身份认证服务,用来管理身份验证、授权和服务目录。为了实现弹性伸缩,同时部署 Fernet 令牌和 Apache HTTP 服务来出来请求

前提条件

服务信息一般存储在数据库上,所以我们必须先完成数据库的创建

  1. 以 root 身份登录数据库
[root@controller ~]# mysql -u root -p
Enter password:   //输入数据库的密码回车
  1. 创建 Keystone 数据库
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.001 sec)
  1. 为 Keystone 数据库赋予适当的访问权限
其中的 `openstack` 为设置的密码(生产环境中请勿使用该类弱口令作为密码)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'  IDENTIFIED BY 'openstack';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'  IDENTIFIED BY 'openstack';
  1. 退出数据库
MariaDB [(none)]> exit;
Bye

安装和配置组件

  1. 安装软件包
[root@controller ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
  1. 编辑配置文件 vim /etc/keystone/keystone.conf,完成以下操作
  • 在 [database] 部分中,配置连接数据库
    将 KEYSTONE_DBPASS 替换为 Keystone 数据库的密码,这里我们设置的密码是 openstack
    [database]
    # ...
    connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
    
  • 在 [token] 部分中,配置 Fernet 令牌提供程序
    [token]
    # ...
    provider = fernet
    
  1. 填充 Keystone 数据库
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
  1. 初始化 Fernet 密钥存储库
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
  1. 引导身份服务
将 ADMIN_PASS 替换为合适的密码,这里我们设置的密码是 openstack
[root@controller ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS   --bootstrap-admin-url http://controller:5000/v3/   --bootstrap-internal-url http://controller:5000/v3/   --bootstrap-public-url http://controller:5000/v3/   --bootstrap-region-id RegionOne

配置Apache HTTP服务器

  1. 编辑配置文件 vim /etc/httpd/conf/httpd.conf,配置 ServerName 选项以应用控制节点
# ...
ServerName controller
  1. 创建到 /usr/share/keystone/wsgi-keystone.conf 文件的链接
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
  1. 启动 Apache HTTP 服务并设置为开机自启
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service

创建域、项目、用户和角色

  1. 设置临时环境变量用以管理账户
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=openstack
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
  1. 创建一个 example 域,该步骤用来演示在 OpenStack 中创建域,我们后续步骤使用的是 default 域,该域默认已经创建
[root@controller ~]# openstack domain create --description "An Example Domain" example

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 9cbdb7e919864d3b96548c002b703a9c |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

  1. 创建一个 service 项目
[root@controller ~]# openstack project create --domain default --description "Service Project" service

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 21933f20db7346298b258c77081f37ce |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

  1. 创建一个普通用户,用来完成一些常规任务
  • 创建 myproject 项目
    [root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 765ee2cfb3664ef39ca37624d5f6b6d9 |
    | is_domain   | False                            |
    | name        | myproject                        |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    
    
  • 创建 myuser 用户
    这里需要我们为新创建的用户设置一个密码
    [root@controller ~]# openstack user create --domain default --password-prompt myuser
    User Password:
    Repeat User Password:
    
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | e32358bdacde4e87905513f8b7aeb7f0 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    
    
  • 创建 myrole 角色
    [root@controller ~]# openstack role create myrole
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | None                             |
    | id          | 24f29d7e3377488191b43f24461dae6e |
    | name        | myrole                           |
    | options     | {}                               |
    +-------------+----------------------------------+
    
    
  • myrole 角色添加到 myproject 项目和 myuser 用户
    [root@controller ~]# openstack role add --project myproject --user myuser myrole
    
    可以重复执行上述步骤,创建其他项目、用户和角色

验证

  1. 取消临时环境变量
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
  1. 以 admin 用户身份请求身份验证令牌[/start-plane]
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name admin --os-username admin token issue

Password: 
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2021-05-28T04:42:39+0000                                                |
| id         | gAAAAABgsGavnsGikPWfNtU2SNCjRhmRkNXp6gXOR1k7aksTK07jOcnyGZbwIbSKsP-     |
|            | sAcfLi_DiBJuJRuFbTdhmvonGHu7Pq6NmQ6ouxEjbqSpI8HmJan30A9gJ7-WNmaSwmwGiVD |
|            | _XxK4zt5kP4lnrsKb5BRcfvqOafwJDeZ-mA9dd3-xJ-FY                           |
| project_id | 01ffb904fece44f18bbb4074569a291a                                        |
| user_id    | 53598901f09e40db8e65d89d91857144                                        |
+------------+-------------------------------------------------------------------------+

  1. 以 myuser 用户身份请求身份验证令牌
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name myproject --os-username myuser token issue

Password: 
+------------+-------------------------------------------------------------------+
| Field      | Value                                                             |
+------------+-------------------------------------------------------------------+
| expires    | 2021-05-28T04:48:57+0000                                          |
| id         | gAAAAABgsGgpiNcpBYHsvRRNlwxfwjOCcKrS7paboERzjXSX8TNQf6YzSzc0YDu-  |
|            | l1cF29nSOM3N6QcEhd7RM3Up8-8u5YktWgFmya5OCxv                       |
|            | YmcqkmUb94ij161zcbrHgqZb1JvemVizaTZSUg6                           |
|            | _uxUwIJ4YHMetDQKeYEYoNeOcvrAcJc1tTRM4                             |
| project_id | 765ee2cfb3664ef39ca37624d5f6b6d9                                  |
| user_id    | e32358bdacde4e87905513f8b7aeb7f0                                  |
+------------+-------------------------------------------------------------------+

创建客户端环境脚本

  1. 创建和编辑 vim admin-openrc 文件并写入如下内容
将 ADMIN_PASS 替换为 admin 的密码,该密码在引导身份服务步骤创建
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
  1. 创建和编辑 vim demo-openrc 文件并写入如下内容
将 DEMO_PASS 替换为 myuser 的密码
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

验证脚本

  1. 加载 admin-openrc 文件以使用 admin 用户的凭据
[root@controller ~]# . admin-openrc
  1. 请求身份验证令牌
[root@controller ~]# openstack token issue

+------------+-------------------------------------------------------------------+
| Field      | Value                                                             |
+------------+-------------------------------------------------------------------+
| expires    |2021-05-28T05:01:48+0000                                           |
| id         | gAAAAABgsGssEezvb-f7gKsmLqgUVjagU1cgWoJ9Xgd3kYVTHE03qJL8EZZN      |
|            | 10e51AZfqdmjndsUJrdeHrtMjieWAbi6Kgy1POEdZo4rw-jQIZeihpMn4PXbVkoW8 |
|            | _nWHn6vluMsgY-iMu8EhRvbQ6N4VN6WivHMqOQGj97qceslbPYN4ZiVryw        |
| project_id | 01ffb904fece44f18bbb4074569a291a                                  |
| user_id    | 53598901f09e40db8e65d89d91857144                                  |
+------------+-------------------------------------------------------------------+

|| 版权声明
作者:Guangran
链接:https://www.rsecc.cn/archives/558.html
声明:如无特别声明本文即为原创文章仅代表个人观点,版权归《广然笔记》所有,欢迎转载,转载请保留原文链接。
THE END
分享
二维码
< <上一篇
下一篇>>
文章目录
关闭
目 录