參考文檔:
- Install-guide:https://docs.openstack.org/install-guide/
- OpenStack High Availability Guide:https://docs.openstack.org/ha-guide/index.html
- 理解Pacemaker:http://www.cnblogs.com/sammyliu/p/5025362.html
- Ceph: http://docs.ceph.com/docs/master/start/intro/
八.Keystone集群
1. 創建keystone數據庫
# 在任意控制節點創建數據庫,數據庫自動同步,以controller01節點為例;
# 注意:mysql_pass、keystone_dbpass僅為示例值,實際部署請替換為強密碼;
# 在命令行中以-p直接攜帶密碼會留在shell歷史與進程列表中,可改用不帶值的"-p",由提示符交互輸入;
# 'keystone'@'%'允許任意來源主機連接,如條件允許,建議將主機部分收窄到控制節點所在的管理網段
[root@controller01 ~]# mysql -uroot -pmysql_pass
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone_dbpass';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_dbpass';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;
2. 安裝keystone
# 在全部控制節點安裝keystone,以controller01節點為例; [root@controller01 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y
3. 配置keystone.conf
# 在全部控制節點設置,以controller01節點為例;
# 紅色加粗字體為修改部分(此處格式已丟失,修改項即[cache]、[database]、[token]下帶有取值的各行)
# 注意:[database]的connection中含明文數據庫密碼,keystone.conf及其備份文件均不應對其他用戶可讀
[root@controller01 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller01:11211,controller02:11211,controller03:11211
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:keystone_dbpass@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
[unified_limit]
4. 同步keystone數據庫
# 任意控制節點操作 [root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone # 查看驗證 [root@controller01 ~]# mysql -h controller01 -ukeystone -pkeystone_dbpass -e "use keystone;show tables;"
5. 初始化fernet秘鑰
# 選定任意控制節點(controller01)做fernet秘鑰初始化,在/etc/keystone/生成相關秘鑰及目錄
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# 向controller02/03節點同步秘鑰
# 注意:fernet-keys用於token的加密與簽名,credential-keys用於加密credential數據,泄露後token可被偽造,只應經受信的管理網絡傳輸
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.30.200.32:/etc/keystone/
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.30.200.33:/etc/keystone/
# 同步後,注意controller02/03節點上秘鑰權限
# 除屬主外,還應以"ls -ld"/"ls -l"確認兩個目錄及其中的秘鑰文件不可被其他用戶讀取;
# 此後若執行秘鑰輪換(keystone-manage fernet_rotate),需再次同步到全部控制節點
[root@controller02 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller02 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
[root@controller03 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller03 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
6. 配置httpd.conf
# 在全部控制節點設置,以controller01節點為例; [root@controller01 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak [root@controller01 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf # 注意不同的節點替換不同的ip地址 [root@controller01 ~]# sed -i "s/Listen\ 80/Listen\ 172.30.200.31:80/g" /etc/httpd/conf/httpd.conf [root@controller02 ~]# sed -i "s/Listen\ 80/Listen\ 172.30.200.32:80/g" /etc/httpd/conf/httpd.conf [root@controller03 ~]# sed -i "s/Listen\ 80/Listen\ 172.30.200.33:80/g" /etc/httpd/conf/httpd.conf
7. 配置wsgi-keystone.conf
# 在全部控制節點操作,以controller01節點為例;
# 複製wsgi-keystone.conf文件;
# 或者針對wsgi-keystone.conf創建軟鏈接
[root@controller01 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# 修改wsgi-keystone.conf文件,注意各節點對應的ip地址或主機名等,以controller01節點為例
[root@controller01 ~]# sed -i "s/Listen\ 5000/Listen\ 172.30.200.31:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/Listen\ 35357/Listen\ 172.30.200.31:35357/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:5000/172.30.200.31:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:35357/172.30.200.31:35357/g" /etc/httpd/conf.d/wsgi-keystone.conf
8. 認證引導
# 任意控制節點操作;
# 初始化admin用戶(管理用戶)與密碼,3種api端點,服務實體可用區等
# 注意:admin_pass僅為示例值,請替換為強密碼;密碼寫在命令行中會留在shell歷史中,也可改由環境變量OS_BOOTSTRAP_PASSWORD提供;
# 此處3種端點均為http,密碼與token以明文在網絡上傳輸,生產環境建議啟用TLS並改用https端點
[root@controller01 ~]# keystone-manage bootstrap --bootstrap-password admin_pass \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionTest
9. 啟動服務
# 在全部控制節點操作,以controller01節點為例 [root@controller01 ~]# systemctl enable httpd.service [root@controller01 ~]# systemctl restart httpd.service [root@controller01 ~]# systemctl status httpd.service
10. 創建domain, projects, users, 與roles
1)domain
# project/user等基於domain存在;
# 在“認證引導”章節中,初始化admin用戶即生成“default” domain
[root@controller01 ~]# openstack domain list
# 如果需要生成新的domain, [root@controller01 ~]# openstack domain create --description "An Example Domain" example [root@controller01 ~]# openstack domain list
2)projects
# project屬於某個domain;
# 以創建demo項目為例,demo項目屬於“default” domain
[root@controller01 ~]# openstack project create --domain default --description "Demo Project" demo
3)users
# user屬於某個domain;
# 以創建demo用戶為例,demo用戶屬於“default” domain
# 注意:demo_pass僅為示例值;可改用--password-prompt交互輸入密碼,避免密碼留在shell歷史中
[root@controller01 ~]# openstack user create --domain default --password=demo_pass demo
4)roles
# 創建普通用戶角色(區別於admin用戶) [root@controller01 ~]# openstack role create user
# 向demo項目的demo用戶賦予user權限, [root@controller01 ~]# openstack role add --project demo --user demo user # 查看權限分配 [root@controller01 ~]# openstack user list [root@controller01 ~]# openstack role list [root@controller01 ~]# openstack role assignment list
11. openstack client 環境變量腳本
1)admin-openrc
# openstack client環境腳本定義client調用openstack api環境變量,以方便api的調用(不必在命令行中攜帶環境變量);
# 根據不同的用戶角色,需要定義不同的腳本;
# 這裡以“認證引導”章節定義的admin用戶為例,設置其環境腳本,再根據需要分發到需要運行openstack client工具的節點;
# 一般將腳本創建在用戶主目錄
# 注意:腳本內含admin用戶的明文密碼,且以source方式加載,並不需要執行權限;
# 建議將權限收緊為僅屬主可讀寫(如 chmod 600 admin-openrc),分發到其他節點後同樣處理
[root@controller01 ~]# touch admin-openrc
[root@controller01 ~]# chmod u+x admin-openrc
[root@controller01 ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_AUTH_URL=http://controller:5000/v3
# 從安全角度考慮,一般不對client暴露admin-api,這裡admin-api與public-api共用1個vip地址
# export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# 驗證(需先在當前shell中執行 source admin-openrc 加載環境變量)
[root@controller01 ~]# openstack token issue
2)demo-openrc
# 同admin-openrc,注意project/user/password的區別
# 注意:腳本內含明文密碼,建議將權限收緊為僅屬主可讀寫(如 chmod 600 demo-openrc)
[root@controller01 ~]# touch demo-openrc
[root@controller01 ~]# chmod u+x demo-openrc
[root@controller01 ~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo_pass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# 驗證(需先在當前shell中執行 source demo-openrc 加載環境變量)
[root@controller01 ~]# openstack token issue
# 分發腳本 [root@controller01 ~]# scp admin-openrc demo-openrc root@172.30.200.32:~/ [root@controller01 ~]# scp admin-openrc demo-openrc root@172.30.200.33:~/
12. 設置pcs資源
# 在任意控制節點操作; # 添加資源openstack-keystone-clone; # pcs實際控制的是各節點system unit控制的httpd服務 [root@controller01 ~]# pcs resource create openstack-keystone systemd:httpd --clone interleave=true [root@controller01 ~]# pcs resource