Installing and deploying OpenStack on CentOS 7: the Keystone identity service


I. OpenStack overview

  1. Topology diagram


   Horizon is the dashboard, i.e. the control panel. Ceilometer handles monitoring and billing: snapshots, configuration changes and so on are all billed. Keystone is login authentication, much like the websites that let you log in with QQ or WeChat. Heat is an orchestration service (a playbook): you define a script that starts a whole series of virtual machines in one batch, so a cluster can be built with one click (executed with Ansible). Swift is object storage: a user's data is no longer stored under some directory; a traditional directory has no database, so Swift (object storage) keeps a dedicated database and treats every file as a record object rather than working at the directory level, which means a file becomes one record in the database.

  2. OpenStack architecture (SOA architecture)

    Modules: (Keystone identity service, Glance image service, Nova compute service, Neutron networking service, Cinder storage service, Horizon web interface)

  3. SOA architecture

    SOA: split the business up, turning every function into an independent web service; each independent web service has at least one cluster.

    Open-source microservice frameworks: Alibaba's open-source Dubbo, Spring Boot.

II. Installing the Keystone identity service

  1. Install the packages

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y                      # mod_wsgi bridges the HTTP server and Python

  2. Before configuring the OpenStack Identity service, you must create a database and an administrator token.

[root@controller ~]# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'  IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'  IDENTIFIED BY 'KEYSTONE_DBPASS';

  3. Generate a random value to use as the administrator token during the initial configuration.

[root@controller ~]# openssl rand -hex 10

  4. Edit the configuration file

[root@controller ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak                       # back up the configuration file
[root@controller ~]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf         # filter out blank lines and comments, then write the result to the configuration file
[root@controller ~]# vim /etc/keystone/keystone.conf                                                      # edit the configuration file as shown below
[root@controller ~]# md5sum /etc/keystone/keystone.conf                                                   # record the MD5 checksum of the configuration file

[DEFAULT]
...
admin_token = ADMIN_TOKEN

[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
...
provider = fernet


  5. Install the utility made for editing configuration files

[root@controller ~]# yum install openstack-utils -y
[root@controller ~]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf                  # regenerate the configuration file from the backup, undoing the manual edit above
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN            # set the values with the tool instead
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
[root@controller ~]# cat /etc/keystone/keystone.conf                                                               # view the configuration file
[root@controller ~]# md5sum /etc/keystone/keystone.conf                                                            # compare this MD5 with the one recorded after the manual edit in the previous step

  6. Initialize the Identity service database

[root@controller ~]# mysql keystone -e 'show tables;'                                                     # switch to the keystone database and list its tables
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone                                  # sync the database; list the tables again afterwards and many more appear

  7. Initialize the Fernet keys

[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

  After initialization, a fernet-keys directory appears under /etc/keystone/


  8. Configure the Apache HTTP server

[root@controller ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf

  9. Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content

[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

  10. Start the HTTP service and enable it at boot

[root@controller etc]# systemctl start httpd.service
[root@controller etc]# systemctl enable httpd.service


III. Configure the token and register the service

  1. Configure the token

[root@controller etc]# export OS_TOKEN=ADMIN_TOKEN                                   # set the authentication token
[root@controller etc]# export OS_URL=http://controller:35357/v3                      # set the endpoint URL
[root@controller etc]# export OS_IDENTITY_API_VERSION=3                              # set the Identity API version


  2. Create the service entity and API endpoints

[root@controller ~]# openstack service create   --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 0636e3be3cd148c6b54fd24686e8d6ea |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

[root@controller ~]# openstack endpoint create --region RegionOne   identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 8227630dece449018c6dd7f3199c18b6 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0636e3be3cd148c6b54fd24686e8d6ea |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+

[root@controller ~]# openstack endpoint create --region RegionOne   identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b1c3e0e738854c568ad236ae00a0da6d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0636e3be3cd148c6b54fd24686e8d6ea |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+

[root@controller ~]# openstack endpoint create --region RegionOne   identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | fb800ecf21c845a6bfdd05c5de1f4656 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 0636e3be3cd148c6b54fd24686e8d6ea |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+

  Create the service project (followed by the demo project, the demo user and the user role)

openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | 894cdfa366d34e9d835d3de01e752262 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | e0353a670a9e496da891347c589539e9 |
| enabled     | True                             |
| id          | ed0b60bf607743088218b0a533d5943f |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+

openstack user create --domain default \
>   --password DEMO_PASS demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | d0fb278401404c569f5cf9c00c750817 |
| enabled             | True                             |
| id                  | 1ca7f08e5e954074837db6c877834c07 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

 openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 3db197f5d549400eb825ae24e839e7ea |
| name      | user                             |
+-----------+----------------------------------+

openstack role add --project demo --user demo user

  Note: each service added to the OpenStack environment requires one or more service entities and three API endpoint variants in the Identity service.

IV. Create the domain, project (tenant), user and role

  1. Create the default domain

[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| name        | default                          |
| tags        | []                               |
+-------------+----------------------------------+

  2. Create the admin project

[root@controller ~]# openstack project create --domain default   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| enabled     | True                             |
| id          | 17e6fb94c09347fc8bdc854afef7922f |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| tags        | []                               |
+-------------+----------------------------------+

  3. Create the admin user

[root@controller ~]# openstack user create --domain default  --password ADMIN_PASS admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 73e42b9fc6b64cfdb17940cdf0a0f692 |
| enabled             | True                             |
| id                  | 0a48bf33893b4854bf85fbd69050c2f6 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

  4. Create the admin role

[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 2ef07766d0a04bacb8778b0b0ac0be51 |
| name      | admin                            |
+-----------+----------------------------------+

  5. Add the admin role to the admin project and user

[root@controller ~]# openstack role add --project admin --user admin admin

  6. Unset the environment variables and, for security reasons, disable the temporary authentication token mechanism

    Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

    Unset the OS_TOKEN and OS_URL environment variables

[root@controller ~]# unset OS_TOKEN OS_URL
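Step 6 is the security-relevant step of this whole install: once the admin user works, the bootstrap ADMIN_TOKEN must stop being accepted. The following Python script is an added example, not code from this post or from Keystone: it parses constructed, abbreviated copies of keystone.conf and keystone-paste.ini carrying the settings this guide applies, reports which pipelines still contain admin_token_auth, removes the filter the way step 6 does by hand, and audits the keystone.conf values set in steps 4 and 5.

```python
import configparser
# Constructed copy of the three keystone.conf settings applied in steps 4 and 5 (placeholder values as on the page).
KEYSTONE_CONF = """
[DEFAULT]
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
"""

# Constructed, abbreviated keystone-paste.ini fragment as it looks BEFORE step 6: admin_token_auth is in all three pipelines.
PASTE_INI_BEFORE = """
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service
[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")

def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation: values may contain URLs
    cp.read_string(text)
    return cp

def pipelines_with_admin_token_auth(paste_ini):
    """Pipeline sections that still accept the bootstrap ADMIN_TOKEN."""
    cp = load_ini(paste_ini)
    return [s for s in PIPELINES
            if "admin_token_auth" in cp.get(s, "pipeline", fallback="").split()]

def strip_admin_token_auth(paste_ini):
    """Same edit step 6 makes by hand: drop the filter from every 'pipeline =' line."""
    out = []
    for line in paste_ini.splitlines():
        if line.startswith("pipeline"):
            line = " ".join(f for f in line.split() if f != "admin_token_auth")
        out.append(line)
    return "\n".join(out)

def audit_keystone_conf(conf):
    """Check the values steps 4 and 5 set, plus two things to change before going live."""
    cp = load_ini(conf)
    conn = cp.get("database", "connection", fallback="")
    return {"fernet_provider": cp.get("token", "provider", fallback="") == "fernet",
            "pymysql_keystone_user": conn.startswith("mysql+pymysql://keystone:"),
            "placeholder_db_password": "KEYSTONE_DBPASS" in conn,   # still the doc placeholder?
            "admin_token_still_set": cp.has_option("DEFAULT", "admin_token")}
```

Run the audit against the real files after step 6: admin_token_still_set and placeholder_db_password should both come back False on a finished controller.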

  7. As the admin user, request an authentication token

[root@controller ~]# openstack --os-auth-url http://controller:35357/v3  --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue

    Note: this command uses the admin user's password: ADMIN_PASS

  8. Run commands using the environment variables

[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=default
[root@controller ~]# export OS_USER_DOMAIN_NAME=default
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=ADMIN_PASS
[root@controller ~]# export OS_AUTH_URL=http://controller:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# export OS_IMAGE_API_VERSION=2

[root@controller ~]# openstack user list                   # this command only works once the environment variables have been exported
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0a48bf33893b4854bf85fbd69050c2f6 | admin |
+----------------------------------+-------+
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3  --os-project-domain-name default --os-user-domain-name default  --os-project-name admin --os-username admin user list      # the same command with explicit options instead

  9. Turn the environment variables into a script: create the admin-openrc file

[root@controller ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

[root@controller ~]# source admin-openrc                   # run this before any openstack command so the environment variables are set; after logging out, run it again

  10. Load the environment variables automatically at login

[root@controller ~]# vim .bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
source admin-openrc                             # append this line at the end

  11. Verify that the Keystone service is working
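Step 11 has no body on the page. The following Python script is an added example, not from the original post: it reads the admin-openrc variables, builds the Keystone v3 password-auth request that `openstack token issue` POSTs to OS_AUTH_URL, and checks a token response for what a healthy install should return (a token scoped to the admin project carrying the admin role, and the public, internal and admin identity endpoints in the catalog). The response body is constructed here, not captured from a real server.

```python
# Constructed copy of the admin-openrc file from this guide (placeholder password).
ADMIN_OPENRC = """
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
"""

# Constructed body of a successful POST /v3/auth/tokens response for this deployment.
SAMPLE_TOKEN = {"token": {"project": {"name": "admin"}, "roles": [{"name": "admin"}],
    "catalog": [{"type": "identity", "endpoints": [
        {"interface": "public", "url": "http://controller:5000/v3"},
        {"interface": "internal", "url": "http://controller:5000/v3"},
        {"interface": "admin", "url": "http://controller:35357/v3"}]}]}}

def parse_openrc(text):
    """Read the 'export KEY=VALUE' lines of an openrc file into a dict."""
    pairs = (ln[7:].partition("=") for ln in text.splitlines() if ln.startswith("export "))
    return {k.strip(): v.strip().strip("'\"") for k, _, v in pairs}

def auth_request(env):
    """URL and JSON body that `openstack token issue` POSTs (v3 password auth, project scope)."""
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}
    scope = {"project": {"name": env["OS_PROJECT_NAME"],
                         "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": scope}}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body

def check_token_response(status, headers, body, env):
    """Return a list of problems; an empty list means the Identity service looks healthy."""
    problems = []
    if status != 201 or not headers.get("X-Subject-Token"):
        problems.append("no token issued (expect HTTP 201 with an X-Subject-Token header)")
    tok = body.get("token", {})
    if tok.get("project", {}).get("name") != env["OS_PROJECT_NAME"]:
        problems.append("token not scoped to project " + env["OS_PROJECT_NAME"])
    if "admin" not in [r["name"] for r in tok.get("roles", [])]:
        problems.append("admin role not assigned to the admin user (section IV step 5)")
    found = {e["interface"] for s in tok.get("catalog", []) if s["type"] == "identity"
             for e in s["endpoints"]}
    missing = [i for i in ("public", "internal", "admin") if i not in found]
    if missing:
        problems.append("identity endpoints missing from catalog: " + ", ".join(missing))
    return problems
```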

