一. 基礎環境
1.1環境介紹
- linux-node1(控制節點)
1 #系統版本 2 [root@linux-node1 ~]# cat /etc/redhat-release 3 CentOS Linux release 7.2.1511 (Core) 4 #內核版本 5 [root@linux-node1 ~]# uname -r 6 3.10.0-327.36.3.el7.x86_64 7 #主機名 8 [root@linux-node1 ~]# hostname 9 linux-node1.example.com 10 #IP地址 11 [root@linux-node1 ~]# ifconfig eth0 |awk -F '[ :]+' 'NR ==2 {print $3}' 12 192.168.56.11
- linux-node2(計算節點)
1 #系統版本 2 [root@linux-node2 ~]# cat /etc/redhat-release 3 CentOS Linux release 7.2.1511 (Core) 4 #內核版本 5 [root@linux-node2 ~]# uname -r 6 3.10.0-327.36.3.el7.x86_64 7 #主機名 8 [root@linux-node2 ~]# hostname 9 linux-node2.example.com 10 #IP地址 11 [root@linux-node2 ~]# ifconfig eth0 |awk -F '[ :]+' 'NR ==2 {print $3}' 12 192.168.56.12
1.2准備環境
1.2.1安裝在兩個節點
1 #openstack N版 倉庫 2 [root@linux-node1 ~]# yum install centos-release-openstack-newton –y 3 #openstack客戶端 4 [root@linux-node1 ~]# yum install python-openstackclient –y 5 #如果沒有關閉selinux安裝這個包會自動設置selinux支持openstack 6 [root@linux-node1 ~]# yum install openstack-selinux –y
1.2.2node1上安裝數據庫、消息隊列、緩存
1 #安裝數據庫 2 [root@linux-node1 ~]# yum install mariadb mariadb-server python2-PyMySQL –y 3 #安裝rabbitMQ消息隊列 4 [root@linux-node1 ~]# yum install rabbitmq-server 5 #安裝緩存 6 [root@linux-node1 ~]# yum install memcached python-memcached
1.2.3配置mariadb數據庫
1 #編輯數據庫配置文件 2 [root@linux-node1 ~]# vim /etc/my.cnf.d/openstack.cnf 3 [mysqld] 4 #監聽地址 5 bind-address = 192.168.56.11 6 #默認引擎 7 default-storage-engine = innodb 8 innodb_file_per_table 9 #最大連接數 10 max_connections = 4096 11 #核對字符集 12 collation-server = utf8_general_ci 13 #字符集 14 character-set-server = utf8 15 #啟動數據庫 16 [root@linux-node1 ~]# systemctl start mariadb.service 17 #設置密碼並配置 18 [root@linux-node1 ~]# mysql_secure_installation
1.2.4配置rabbitMQ消息隊列
1 #允許開機自啟 2 [root@linux-node1 ~]# systemctl enable rabbitmq-server.service 3 #啟動 4 [root@linux-node1 ~]# systemctl start rabbitmq-server.service 5 #添加用戶 6 [root@linux-node1 ~]# rabbitmqctl add_user openstack openstack 7 Creating user "openstack" ... 8 #設置權限 9 [root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" 10 Setting permissions for user "openstack" in vhost "/" ... 11 #重啟 12 [root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management
1.2.5配置memcache緩存
1 #修改memcache配置文件 2 [root@linux-node1 ~]# vim /etc/sysconfig/memcached 3 #memcache連接地址 4 OPTIONS="-l 192.168.56.11,::1" 5 #重啟memcache 6 [root@linux-node1 ~]# systemctl restart memcached
注意:兩個節點必須時間同步
1 #同步時間 2 [root@linux-node1 ~]# ntpdate time1.aliyun.com
二.openstack認證服務keystone
2.1keystone介紹
- keystone
Keystone(OpenStack Identity Service)是 OpenStack 框架中負責管理身份驗證、服務規則和服務令牌功能的模塊。用戶訪問資源需要驗證用戶的身份與權限,服務執行操作也需要進行權限檢測,這些都需要通過 Keystone 來處理。
用戶認證:用戶權限與用戶行為跟蹤
服務目錄:提供一個服務目錄,包括所有服務項與相關API的端點
主要涉及如下概念:
User: 用戶
Project: 項目(老版本中tenant:租戶)
Token: 令牌
Role: 角色
2.2keystone配置
2.2.1安裝keystone及其組件
1 #安裝keystone、wsgi模塊、http 2 [root@linux-node1 ~]# yum install openstack-keystone httpd mod_wsgi –y
2.2.2創建庫及用戶並授權
1 #登陸數據庫 2 [root@linux-node1 ~]# mysql -uroot –p 3 #創建keystone庫 4 MariaDB [(none)]> create database keystone; 5 #創建keystone用戶並授權 6 MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'keystone'; 7 Query OK, 0 rows affected (0.00 sec) 8 MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'keystone'; 9 Query OK, 0 rows affected (0.00 sec)
2.2.3編輯keystone配置文件
1 #編輯配置文件 2 [root@linux-node1 ~]# vim /etc/keystone/keystone.conf 3 #database標簽下添加內容 4 [database] 5 #數據庫連接 6 connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone 7 #在memcache標簽下添加內容 8 [memcache] 9 #memcache服務IP 10 servers = 192.168.56.11:11211 11 #配置令牌 12 provider = fernet 13 #選擇driver為memcache默認是sql 14 driver = memcache
2.2.4導入數據庫
1 #將表導入數據庫中 2 [root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone 3 #檢查導入結果 4 [root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
2.2.5初始化key並創建endpoint
1 #初始化令牌 2 [root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone 3 [root@linux-node1 keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone 4 #引導身份服務,創建endpoint 5 [root@linux-node1 keystone]# keystone-manage bootstrap --bootstrap-password admin \ 6 --bootstrap-admin-url http://192.168.56.11:35357/v3/ \ 7 --bootstrap-internal-url http://192.168.56.11:35357/v3/ \ 8 --bootstrap-public-url http://192.168.56.11:5000/v3/ \ 9 --bootstrap-region-id RegionOne
2.2.6配置apache
1 #編輯配置文件 2 [root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf 3 #服務監聽地址 4 ServerName 192.168.56.11:80 5 #軟連接配置文件 6 [root@linux-node1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ 7 #設置開機自啟 8 [root@linux-node1 ~]# systemctl enable httpd.service 9 #啟動apache 10 [root@linux-node1 ~]# systemctl start httpd.service
2.2.7添加環境變量
1 #編輯環境變量 2 [root@linux-node1 ~]# vim /root/.openstackrc 3 export OS_USERNAME=admin 4 export OS_PASSWORD=admin 5 export OS_PROJECT_NAME=admin 6 export OS_USER_DOMAIN_NAME=Default 7 export OS_PROJECT_DOMAIN_NAME=Default 8 export OS_AUTH_URL=http://192.168.56.11:35357/v3 9 export OS_IDENTITY_API_VERSION=3
2.2.8查看列表
1 #刷新環境變量 2 [root@linux-node1 ~]# source /root/.openstackrc 3 #查看用戶列表 4 [root@linux-node1 ~]# openstack user list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 45b086bdc6b746c5b0bfd62f779fe6a5 | admin |
+----------------------------------+---------+ 5 #查看角色列表 6 [root@linux-node1 ~]# openstack role list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 44246e18d57b4f0ea6470aa56951bc08 | admin |
+----------------------------------+----------+ 7 #查看項目列表 8 [root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| d24a61dd3ecb43cb9e8a5f6539c6a2bb | admin |
+----------------------------------+---------+ 9 #查看端點列表 10 [root@linux-node1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------------+
| 46bb270ff4f04b0da6a69a554322bc27 | RegionOne | keystone | identity | True | public | http://192.168.56.11:5000/v3/ |
| 77bca853dafb413da29dcbac4bed9305 | RegionOne | keystone | identity | True | admin | http://192.168.56.11:35357/v3/ |
| 7cc4f83fc4f34cf9b1ec5033739aefc1 | RegionOne | keystone | identity | True | internal | http://192.168.56.11:35357/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------------------+
三.創建項目、角色
3.1創建服務項目
1 #創建service項目 2 [root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 1c86a7e5bd014ef98b13a88c94a5fbda |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+ 3 #查看項目列表 4 [root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 1c86a7e5bd014ef98b13a88c94a5fbda | service |
| d24a61dd3ecb43cb9e8a5f6539c6a2bb | admin |
+----------------------------------+---------+
3.2創建角色
1 #創建user角色 2 [root@linux-node1 ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | e01254bb6613443895d33af96faa3fe9 |
| name | user |
+-----------+----------------------------------+ 3 #查看角色列表 4 [root@linux-node1 ~]# openstack role list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 44246e18d57b4f0ea6470aa56951bc08 | admin |
| e01254bb6613443895d33af96faa3fe9 | user |
+----------------------------------+----------+
四.keystone常見錯誤介紹
401 :驗證失敗,keystone相關用戶賬戶密碼設置錯誤,時間不同步,或者輸入的項目名稱不對
403 :可能未初始化OS_token變量,需要使用source命令使其生效,也可能是配置的配置文件未生效,需要重啟相關服務
409 :keystone創建用戶,用戶已存在
500 :服務器內部錯誤,服務配置有問題,看日志,檢查配置
503 :keystone相關賬戶密碼設置有問題,請將相關的glance賬戶刪除,重新創建即可
【開源是一種精神,分享是一種美德】
— By GoodCook
— 筆者QQ:253097001
— 歡迎大家隨時來交流
—原創作品,允許轉載,轉載時請務必以超鏈接形式標明文章 原始出處 、作者信息和本聲明。否則將追究法律責任。