5. 安装配置Keystone · 戏子的运维笔记

Keystone组件是云平台上的认证节点。OpenStack各个子项目单独提供着各自的相关服务，如nova提供计算服务，glance提供镜像服务，各个节点互不相干，但实际上组件之间的服务调用都要经过Keystone获取服务列表和服务端点。 1）在controller1创建keystone数据库 ``` MariaDB [(none)]> CREATE DATABASE keystone; ``` 2）在controller1上创建数据库用户及赋予权限 ``` MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'yjscloud'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yjscloud'; ``` 注意将yjscloud替换为自己的数据库密码 3）在三个节点上分别安装keystone和memcached ``` yum -y install openstack-keystone httpd mod_wsgi python-openstackclient mencached python-memcached openstack-utils ``` 4）优化配置memcached ``` vim /etc/sysconfig/memcached ``` ``` PORT="11211" #定义端口 USER="memcached" #定义运行memcache的用户 MAXCONN="8192" #定义最大连接数 CACHESIZE="1024" #定义最大内存使用值 OPTIONS="-l 127.0.0.1,::1,10.1.1.150 -t 4 -I 10m" # -l设置服务绑定ip，-t设置线程数，-I调整分配slab页的大小 ``` ``` scp -p /etc/sysconfig/memcached controller2:/etc/sysconfig/memcached scp -p /etc/sysconfig/memcached controller3:/etc/sysconfig/memcached ``` **注意！！！OPTIONS中的10.1.1.150改成各个节点对应的IP。** 5）在三个节点上分别启动memcache服务并设置开机启动动 ``` systemctl enable memcached.service systemctl restart memcached.service systemctl status memcached.service ``` 6）配置`/etc/keystone/keystone.conf`文件 ``` cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf openstack-config --set /etc/keystone/keystone.conf DEFAULT debug false openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose true openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint http://yjscloud.com:35357 openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint http://yjscloud.com:5000 openstack-config --set /etc/keystone/keystone.conf eventlet_server public_bind_host 10.1.1.150 openstack-config --set /etc/keystone/keystone.conf eventlet_server admin_bind_host 10.1.1.150 openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool openstack-config --set /etc/keystone/keystone.conf cache enabled true openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller1:11211,controller2:11211,controller3:11211 openstack-config --set /etc/keystone/keystone.conf cache memcache_dead_retry 60 openstack-config --set /etc/keystone/keystone.conf cache memcache_socket_timeout 1 openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_maxsize 1000 openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_unused_timeout 60 openstack-config --set /etc/keystone/keystone.conf catalog template_file /etc/keystone/default_catalog.templates openstack-config --set /etc/keystone/keystone.conf catalog driver sql openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:yjscloud@yjscloud.com/keystone openstack-config --set /etc/keystone/keystone.conf database idle_timeout 3600 openstack-config --set /etc/keystone/keystone.conf database max_pool_size 30 openstack-config --set /etc/keystone/keystone.conf database ax_retries -1 openstack-config --set /etc/keystone/keystone.conf database max_overflow 60 openstack-config --set /etc/keystone/keystone.conf identity driver sql openstack-config --set /etc/keystone/keystone.conf identity caching false openstack-config --set /etc/keystone/keystone.conf fernet_tokens key_repository /etc/keystone/fernet-keys/ openstack-config --set /etc/keystone/keystone.conf fernet_tokens max_active_keys 3 openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211 openstack-config --set /etc/keystone/keystone.conf memcache dead_retry 60 openstack-config --set /etc/keystone/keystone.conf memcache socket_timeout 1 openstack-config --set /etc/keystone/keystone.conf memcache pool_maxsize 1000 openstack-config --set /etc/keystone/keystone.conf memcache pool_unused_timeout 60 openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_hosts controller1:5672,controller2:5672,controller3:5672 openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_userid openstack openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_password yjscloud openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_use_ssl false openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_ha_queues true openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_interval 1 openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_backoff 2 openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_max_retries 0 openstack-config --set /etc/keystone/keystone.conf token expiration 3600 openstack-config --set /etc/keystone/keystone.conf token caching False openstack-config --set /etc/keystone/keystone.conf token provider fernet ``` scp到其他节点，注意更改对应的IP，keystone.conf的权限应该为root:keystone ``` scp -p /etc/keystone/keystone.conf controller2:/etc/keystone/keystone.conf scp -p /etc/keystone/keystone.conf controller3:/etc/keystone/keystone.conf ``` 7）配置httpd.conf文件 ``` vim /etc/httpd/conf/httpd.conf ``` 修改如下配置参数（三个节点都要改）： ``` ServerName controller1 #如果是controller2那就写controller2 Listen 8080 #80->8080 haproxy里用了80，不修改启动不了 ``` 8）配置keystone与httpd结合 ``` vim /etc/httpd/conf.d/wsgi-keystone.conf ``` ``` Listen 5002 Listen 35358 <VirtualHost *:5002> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined <Directory /usr/bin> Require all granted </Directory> </VirtualHost> <VirtualHost *:35358> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined <Directory /usr/bin> Require all granted </Directory> </VirtualHost> ``` 把这个文件拷贝到另外两个节点上; ``` scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller2:/etc/httpd/conf.d/wsgi-keystone.conf scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller3:/etc/httpd/conf.d/wsgi-keystone.conf ``` 9）在controller1上设置数据库同步 ``` su -s /bin/sh -c "keystone-manage db_sync" keystone #单行输出的警告信息可以忽略 ``` 10）三个节点都初始化fernet ``` keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone ``` 11）同步三个节点fernet信息，在controller1上操作 ``` scp -p /etc/keystone/fernet-keys/* controller2:/etc/keystone/fernet-keys/ scp -p /etc/keystone/fernet-keys/* controller3:/etc/keystone/fernet-keys/ scp -p /etc/keystone/credential-keys/* controller2:/etc/keystone/credential-keys/ scp -p /etc/keystone/credential-keys/* controller3:/etc/keystone/credential-keys/ ``` 12）三个节点启动httpd，并设置httpd开机启动 ``` systemctl enable httpd.service systemctl restart httpd.service systemctl status httpd.service systemctl list-unit-files |grep httpd.service ``` 13）在controller1上创建admin用户角色 ``` keystone-manage bootstrap \ --bootstrap-password yjscloud \ --bootstrap-username admin \ --bootstrap-project-name admin \ --bootstrap-role-name admin \ --bootstrap-service-name keystone \ --bootstrap-region-id RegionOne \ --bootstrap-admin-url http://yjscloud.com:35357/v3 \ --bootstrap-internal-url http://yjscloud.com:35357/v3 \ --bootstrap-public-url http://yjscloud.com:5000/v3 ``` 等haproxy列表中的对于服务全部启动时才可以执行下面的命令，否则会报错这样，就可以在 openstack 命令行里使用 admin 账号登录了。验证，测试是否已配置合理： ``` openstack project list --os-username admin --os-project-name admin --os-user-domain-id default --os-project-domain-id default --os-identity-api-version 3 --os-auth-url http://yjscloud.com:5000 --os-password yjscloud ``` ![8-1-20](http://pded8ke3e.bkt.clouddn.com/8-1-20.png) 14）在controller1创建admin用户环境变量，创建`/root/admin-openrc` 文件并写入如下内容 ``` vim /root/admin-openrc ``` 添加以下内容： ``` export OS_USER_DOMAIN_ID=default export OS_PROJECT_DOMAIN_ID=default export OS_USERNAME=admin export OS_PROJECT_NAME=admin export OS_PASSWORD=yjscloud export OS_IDENTITY_API_VERSION=3 export OS_AUTH_URL=http://yjscloud.com:35357/v3 ``` ``` scp -p /root/admin-openrc controller2:/root/admin-openrc scp -p /root/admin-openrc controller3:/root/admin-openrc openstack endpoint list #查看endpoint，正常情况下是有三个keystone的endpoint ``` 15）在controller1上创建service项目 ``` source /root/admin-openrc openstack project create --domain default --description "Service Project" service ``` 16）在controller1上创建demo项目 ``` openstack project create --domain default --description "Demo Project" demo ``` 17）在controller1上创建demo用户 ``` openstack user create --domain default demo --password yjscloud # 注意：yjscloud为demo用户密码 ``` ![8-1-21](http://pded8ke3e.bkt.clouddn.com/8-1-21.jpg) 18）在controller1创建user角色将demo用户赋予user角色 ``` openstack role create user openstack role add --project demo --user demo user openstack user list #查看用户 ``` ![8-1-22](http://pded8ke3e.bkt.clouddn.com/8-1-22.jpg) 19）在controller1上验证keystone ``` unset OS_TOKEN OS_URL openstack --os-auth-url http://yjscloud.com:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue --os-password yjscloud openstack --os-auth-url http://yjscloud.com:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue --os-password yjscloud ```` ![8-1-23](http://pded8ke3e.bkt.clouddn.com/8-1-23.jpg) 20）在controller1上创建demo用户环境变量，创建`/root/demo-openrc`文件并写入下列内容： ``` export OS_USER_DOMAIN_ID=default export OS_PROJECT_DOMAIN_ID=default export OS_USERNAME=demo export OS_PROJECT_NAME=demo export OS_PASSWORD=yjscloud export OS_IDENTITY_API_VERSION=3 export OS_AUTH_URL=http://yjscloud.com:35357/v3 ```