Manually Deploying OpenStack Victoria on CentOS 8 (Part 3): Installing Keystone
OpenStack is made up of many independent components that coordinate their work according to the user's needs, and that work involves interactions between the components. We therefore deploy the Keystone component on the controller node as OpenStack's identity service, which manages authentication, authorization and the service catalog. For scalability, we also deploy Fernet tokens and the Apache HTTP server to handle requests.
Prerequisites
Service information is generally stored in a database, so we must create the database first.
- Log in to the database as root
[root@controller ~]# mysql -u root -p
Enter password: // enter the database password and press Enter
- Create the Keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.001 sec)
- Grant appropriate access to the Keystone database
Here openstack is the password being set (do not use weak passwords like this in production)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'openstack';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'openstack';
- Exit the database
MariaDB [(none)]> exit;
Bye
Install and configure the components
- Install the packages
[root@controller ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
- Edit the configuration file vim /etc/keystone/keystone.conf and complete the following steps
- In the [database] section, configure the database connection
Replace KEYSTONE_DBPASS with the Keystone database password; the password we set here is openstack
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
- In the [token] section, configure the Fernet token provider
[token]
# ...
provider = fernet
- Populate the Keystone database
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
- Initialize the Fernet key repositories
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
- Bootstrap the Identity service
Replace ADMIN_PASS with a suitable password; the password we set here is openstack
[root@controller ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
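As an added example (not part of the original post), the following POSIX shell script checks the result of the steps above: that the KEYSTONE_DBPASS placeholder in keystone.conf was replaced, that the token provider is fernet, and that the key repository created by keystone-manage fernet_setup exists as a private directory holding the staged key 0 plus a primary key. Paths are passed as arguments so it can also run against a constructed sample; ownership by keystone:keystone is not checked.

```shell
#!/bin/sh
# Added example, not part of the original post: post-install checks for the Keystone
# configuration produced above. Paths are arguments (live /etc/keystone or a sample).

# Print the value of KEY in [SECTION] of an INI-style file (first match only).
ini_get() {  # usage: ini_get FILE SECTION KEY
  awk -F' *= *' -v s="[$2]" -v k="$3" '
    /^ *\[/             { cur = $1; next }    # remember the current section header
    cur == s && $1 == k { print $2; exit }    # first matching key in that section
  ' "$1"
}

check_keystone() {  # usage: check_keystone KEYSTONE_CONF FERNET_KEY_DIR
  conf="$1"; keys="$2"; rc=0
  [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

  # [database] connection: the KEYSTONE_DBPASS placeholder must have been replaced
  conn=$(ini_get "$conf" database connection)
  case "$conn" in
    ""|*KEYSTONE_DBPASS*) echo "FAIL: [database] connection unset or still has KEYSTONE_DBPASS"; rc=1 ;;
    mysql+pymysql://*)    echo "ok:   [database] connection configured" ;;
    *)                    echo "WARN: unexpected connection string: $conn" ;;
  esac

  # [token] provider must be fernet, as configured above
  prov=$(ini_get "$conf" token provider)
  if [ "$prov" = "fernet" ]; then echo "ok:   [token] provider is fernet"
  else echo "FAIL: [token] provider is '$prov', expected fernet"; rc=1; fi

  # Key repository created by keystone-manage fernet_setup: a private directory (0700)
  # holding the staged key 0 and at least one primary key (the highest number is primary).
  if [ ! -d "$keys" ]; then
    echo "FAIL: key repository $keys missing (run keystone-manage fernet_setup)"; rc=1
  else
    mode=$(stat -c %a "$keys")
    [ "$mode" = "700" ] || { echo "FAIL: $keys mode is $mode, expected 700"; rc=1; }
    nkeys=0
    for f in "$keys"/*; do   # count files whose names are purely numeric
      case "${f##*/}" in *[!0-9]*) ;; *) nkeys=$((nkeys + 1)) ;; esac
    done
    if [ "$nkeys" -ge 2 ]; then echo "ok:   key repository holds $nkeys key files"
    else echo "FAIL: $keys holds $nkeys key file(s), expected key 0 plus a primary key"; rc=1; fi
  fi
  return $rc
}

# Stand-alone use: sh check_keystone.sh /etc/keystone/keystone.conf /etc/keystone/fernet-keys
[ $# -eq 0 ] || check_keystone "$1" "$2"
```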
Configure the Apache HTTP server
- Edit the configuration file vim /etc/httpd/conf/httpd.conf and set the ServerName option to reference the controller node
# ...
ServerName controller
- Create a link to the /usr/share/keystone/wsgi-keystone.conf file
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
- Start the Apache HTTP service and enable it to start at boot
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service
Create a domain, projects, users and roles
- Set temporary environment variables for the admin account
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=openstack
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
- Create an example domain. This step demonstrates how a domain is created in OpenStack; the later steps use the default domain, which already exists
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 9cbdb7e919864d3b96548c002b703a9c |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
- Create a service project
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 21933f20db7346298b258c77081f37ce |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
- Create an ordinary user for routine tasks
- Create the myproject project
[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 765ee2cfb3664ef39ca37624d5f6b6d9 |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
- Create the myuser user
Here we need to set a password for the newly created user
[root@controller ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | e32358bdacde4e87905513f8b7aeb7f0 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- Create the myrole role
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 24f29d7e3377488191b43f24461dae6e |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
- Add the myrole role to the myproject project and the myuser user
[root@controller ~]# openstack role add --project myproject --user myuser myrole
You can repeat the steps above to create additional projects, users and roles
Verify the operation
- Unset the temporary environment variables
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
- Request an authentication token as the admin user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password:
+------------+-------------------------------------------------------------------------+
| Field | Value |
+------------+-------------------------------------------------------------------------+
| expires | 2021-05-28T04:42:39+0000 |
| id | gAAAAABgsGavnsGikPWfNtU2SNCjRhmRkNXp6gXOR1k7aksTK07jOcnyGZbwIbSKsP- |
| | sAcfLi_DiBJuJRuFbTdhmvonGHu7Pq6NmQ6ouxEjbqSpI8HmJan30A9gJ7-WNmaSwmwGiVD |
| | _XxK4zt5kP4lnrsKb5BRcfvqOafwJDeZ-mA9dd3-xJ-FY |
| project_id | 01ffb904fece44f18bbb4074569a291a |
| user_id | 53598901f09e40db8e65d89d91857144 |
+------------+-------------------------------------------------------------------------+
- Request an authentication token as the myuser user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
Password:
+------------+-------------------------------------------------------------------+
| Field | Value |
+------------+-------------------------------------------------------------------+
| expires | 2021-05-28T04:48:57+0000 |
| id | gAAAAABgsGgpiNcpBYHsvRRNlwxfwjOCcKrS7paboERzjXSX8TNQf6YzSzc0YDu- |
| | l1cF29nSOM3N6QcEhd7RM3Up8-8u5YktWgFmya5OCxv |
| | YmcqkmUb94ij161zcbrHgqZb1JvemVizaTZSUg6 |
| | _uxUwIJ4YHMetDQKeYEYoNeOcvrAcJc1tTRM4 |
| project_id | 765ee2cfb3664ef39ca37624d5f6b6d9 |
| user_id | e32358bdacde4e87905513f8b7aeb7f0 |
+------------+-------------------------------------------------------------------+
Create client environment scripts
- Create and edit the admin-openrc file (vim admin-openrc) with the following content
Replace ADMIN_PASS with the admin password, which was set in the Identity service bootstrap step
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
- Create and edit the demo-openrc file (vim demo-openrc) with the following content
Replace DEMO_PASS with the password of myuser
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Verify the scripts
- Source the admin-openrc file to use the admin user's credentials
[root@controller ~]# . admin-openrc
- Request an authentication token
[root@controller ~]# openstack token issue
+------------+-------------------------------------------------------------------+
| Field | Value |
+------------+-------------------------------------------------------------------+
| expires | 2021-05-28T05:01:48+0000 |
| id | gAAAAABgsGssEezvb-f7gKsmLqgUVjagU1cgWoJ9Xgd3kYVTHE03qJL8EZZN |
| | 10e51AZfqdmjndsUJrdeHrtMjieWAbi6Kgy1POEdZo4rw-jQIZeihpMn4PXbVkoW8 |
| | _nWHn6vluMsgY-iMu8EhRvbQ6N4VN6WivHMqOQGj97qceslbPYN4ZiVryw |
| project_id | 01ffb904fece44f18bbb4074569a291a |
| user_id | 53598901f09e40db8e65d89d91857144 |
+------------+-------------------------------------------------------------------+
© Copyright notice
Article: Manually Deploying OpenStack Victoria on CentOS 8 (Part 3): Installing Keystone
Author: Guangran
Link: https://www.rsecc.cn/558.html
Statement: Unless otherwise stated, this is an original article that represents the author's personal views only; copyright belongs to 《广然笔记》 and it may not be reproduced without authorization.