• openstack(二)keystone


    部署认证服务

    分别安装mariadb/mongodb/rabbitmq/keystone/httpd/memcached

    # Template for pre-fetching RPMs into the current directory without
    # installing them. NOTE(review): no package names are given on this line, so
    # as written yum has nothing to download; append the package list from the
    # install command below when building an offline package set.
    yum install -y --downloaddir=./  --downloadonly

    # Controller-node packages: client and SELinux policy, database, MongoDB,
    # message queue, identity service with its web server, and the token cache.
    # -y answers every prompt (including repository GPG key imports) with yes, so
    # confirm which repositories are enabled and that gpgcheck is on beforehand.
    yum install -y \
      python-openstackclient openstack-selinux \
      mariadb mariadb-server python2-PyMySQL \
      mongodb-server mongodb \
      erlang rabbitmq-server \
      openstack-keystone httpd mod_wsgi \
      memcached python-memcached

    配置数据库/etc/my.cnf.d/openstack.cnf

    # Write the MariaDB server settings used by the OpenStack services.
    # bind-address makes mysqld listen on 192.168.3.220 only; since the service
    # accounts created later are allowed to connect from any host, port 3306
    # should be firewalled to the OpenStack nodes that actually need it.
    # The trailing "#..." annotations inside the here-document are written into
    # the file as option-file comments; they are file content, not shell comments.
    cat > /etc/my.cnf.d/openstack.cnf << EOF
    [mysqld]
    bind-address = 192.168.3.220 #mysql地址,可分离
    default-storage-engine = innodb #默认存储引擎
    innodb_file_per_table = on #每张表独立表空间文件
    max_connections = 4096 #最大连接数
    collation-server = utf8_general_ci #默认字符集
    character-set-server = utf8
    EOF
    openstack.cnf

    更改系统限制的最大连接数

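    # Raise the systemd-wide default open-file and process limits.
    # The brackets are escaped and the pattern is anchored so sed matches only the
    # literal "[Manager]" section header. Unescaped, [Manager] is a bracket
    # expression matching any single one of those letters, and the substitution
    # would rewrite every such character in the file.
    # \n (GNU sed) places each setting on its own line below the header; systemd
    # does not accept settings on the same line as a section header.
    # Not idempotent: running it twice appends the settings twice.
    sed -i 's#^\[Manager\]$#[Manager]\nDefaultLimitNOFILE=100000\nDefaultLimitNPROC=100000#' /etc/systemd/system.conf

    # Same fix for the MariaDB unit's [Service] section.
    # NOTE(review): this edits the packaged unit under /usr/lib, which a package
    # update replaces; a drop-in under /etc/systemd/system/mariadb.service.d/
    # would survive updates.
    sed -i 's#^\[Service\]$#[Service]\nLimitNOFILE=50000\nLimitNPROC=50000#' /usr/lib/systemd/system/mariadb.service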

    配置memcached地址

    # Move memcached from loopback to the management address so other nodes can
    # reach it. memcached performs no authentication by default and keystone's
    # token data is cached here, so restrict port 11211 with a firewall rule to
    # the hosts that run OpenStack services.
    sed -i \
      's#OPTIONS="-l 127.0.0.1,::1"#OPTIONS="-l 192.168.3.220"#g' \
      /etc/sysconfig/memcached

    配置开机启动 mariadb memcached

    # Reload unit definitions (picks up the limit changes), then restart the
    # three backing services and enable them at boot. Each step runs only if the
    # previous one succeeded.
    services=(mariadb memcached rabbitmq-server)
    systemctl daemon-reload \
      && systemctl restart "${services[@]}" \
      && systemctl enable "${services[@]}"

    创建rabbitmq用户并授权

    # Create the broker account used by the OpenStack services and grant it
    # configure/write/read on every resource (the three ".*" patterns).
    # NOTE(review): the password equals the user name and is passed on the command
    # line; treat it as a lab placeholder and use a generated secret anywhere the
    # broker is reachable by other hosts.
    rabbitmqctl add_user openstack openstack \
      && rabbitmqctl set_permissions openstack ".*" ".*" ".*"

    初始化数据库,并创建用户和表
    # Interactive hardening wizard shipped with MariaDB: prompts for a root
    # password and offers to remove anonymous users, disallow remote root login
    # and drop the test database. The root@'%' grant shown further down this page
    # re-enables remote root login if that optional step is run.
    mysql_secure_installation
    =================================================================

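    # Create one database per OpenStack service plus the matching accounts, then
    # list the databases and accounts for verification.
    # -p without a value makes the client prompt for the root password, so it is
    # not exposed in the process list or shell history. For unattended runs, point
    # the client at a mode-0600 option file with --defaults-extra-file instead.
    # NOTE(review): every service password equals its user name and every account
    # is also granted from '%' (any host). These are lab placeholders; use
    # generated passwords and narrow '%' to the hosts that really connect.
    mysql -uroot -p -e "
    create database if not exists keystone;
    create database if not exists glance;
    create database if not exists nova;
    create database if not exists nova_api;
    create database if not exists neutron;
    create database if not exists cinder;
    create database if not exists placement;
    create database if not exists nova_cell0;
    grant all on keystone.* to 'keystone'@'localhost' identified by 'keystone';
    grant all on keystone.* to 'keystone'@'%' identified by 'keystone';
    grant all on glance.* to 'glance'@'localhost' identified by 'glance';
    grant all on glance.* to 'glance'@'%' identified by 'glance';
    grant all on nova.* to 'nova'@'localhost' identified by 'nova';
    grant all on nova.* to 'nova'@'%' identified by 'nova';
    grant all on nova_api.* to 'nova'@'localhost' identified by 'nova';
    grant all on nova_api.* to 'nova'@'%' identified by 'nova';
    grant all on neutron.* to 'neutron'@'localhost' identified by 'neutron';
    grant all on neutron.* to 'neutron'@'%' identified by 'neutron';
    grant all on cinder.* to 'cinder'@'localhost' identified by 'cinder';
    grant all on cinder.* to 'cinder'@'%' identified by 'cinder';
    grant all on nova_cell0.* to 'nova'@'localhost' identified by 'nova';
    grant all on nova_cell0.* to 'nova'@'%' identified by 'nova';
    grant all on placement.* to 'placement'@'localhost' identified by 'placement';
    grant all on placement.* to 'placement'@'%' identified by 'placement';
    flush privileges;
    show databases;
    select user,host from mysql.user;"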
    创建用户和表

    如果脚本初始化加入的选项

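    # Optional step for scripted initialisation: set the root password from
    # $PASSWD for local and remote logins.
    # ${PASSWD:?...} aborts the command when PASSWD is unset or empty; without the
    # guard the statement would give root an empty password from any host.
    # PASSWD is pasted into the SQL text as-is, so it must come from the operator
    # only; a value containing a single quote would end the SQL string early.
    # NOTE(review): root@'%' with ALL on *.* allows full administrative login from
    # any host that can reach port 3306; keep the localhost grant only unless
    # remote root access is really required.
    mysql -e "grant all on *.* to 'root'@'localhost' identified by '${PASSWD:?set PASSWD to the new root password first}';grant all on *.* to 'root'@'%' identified by '${PASSWD}';flush privileges;"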

    查看数据库最大连接数

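    # Show the configured connection ceiling and the highest number of
    # simultaneous connections seen so far.
    # -p without a value prompts for the password instead of exposing it in the
    # process list and shell history.
    mysql -p -e "show variables like 'max_connections';show global status like 'Max_used_connections';"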

    =================================================================

    配置/etc/keystone/keystone.conf,添加或修改部分,其中py格式:mysql+pymysql://用户名:密码@主机地址/库

    # Replace /etc/keystone/keystone.conf with a minimal configuration: database
    # URL, memcached server and Fernet tokens. The redirection overwrites the
    # whole file, so any other setting it held is dropped.
    # The connection URL embeds the database password in plaintext.
    # NOTE(review): confirm after writing that the file is still readable only by
    # root and the keystone group.
    cat > /etc/keystone/keystone.conf <<EOF 
    [database]
    connection = mysql+pymysql://keystone:keystone@192.168.3.220/keystone
    [memcache]
    servers = 192.168.3.220:11211
    [token]
    provider = fernet
    driver = memcache
    EOF
    keystone.conf

    =================================================================

    初始化keystone库

    # Create the keystone database schema. su runs keystone-manage as the
    # keystone account, using /bin/sh as the shell for that one command.
    su -s /bin/sh -c "keystone-manage db_sync" keystone

    查表

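    # List the tables db_sync created, connecting as the keystone account.
    # -p without a value prompts for the password rather than placing it on the
    # command line, where it shows up in the process list and shell history.
    mysql -ukeystone -p -e " use keystone;show tables;"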

    初始化keystone的admin用户并增加接入端点

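    # Create the Fernet key repository for tokens and the key repository for
    # credential encryption, both owned by the keystone user and group.
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

    # Create the admin user and register the identity endpoints, then list the
    # resulting rows in keystone.user.
    # The backslash continuations keep this a single command; without them each
    # --bootstrap-* line is executed as a separate command and fails.
    # NOTE(review): "admin" is a lab placeholder and is visible in the process
    # list; keystone-manage also reads the password from OS_BOOTSTRAP_PASSWORD
    # when --bootstrap-password is omitted.
    # All three endpoints are plain http, so passwords and tokens sent to them
    # cross the network unencrypted.
    keystone-manage bootstrap \
      --bootstrap-password admin \
      --bootstrap-admin-url http://192.168.3.220:35357/v3/ \
      --bootstrap-internal-url http://192.168.3.220:35357/v3/ \
      --bootstrap-public-url http://192.168.3.220:5000/v3/ \
      --bootstrap-region-id RegionOne \
      && mysql -ukeystone -p -e "select * from keystone.user;"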

    修改http配置并启动

    # Turn the stock "ServerAdmin root@localhost" line into a ServerName
    # directive for the controller address, editing httpd.conf in place.
    sed -i \
      's/ServerAdmin root@localhost/ServerName 192.168.3.220:80/g' \
      /etc/httpd/conf/httpd.conf

    /etc/httpd/conf.d/wsgi.conf

    # Write the Apache configuration that serves keystone through mod_wsgi:
    # port 5000 runs keystone-wsgi-public and port 35357 runs keystone-wsgi-admin,
    # each in its own daemon process group running as keystone:keystone.
    # WSGIPassAuthorization On hands the HTTP Authorization header through to the
    # application. Both virtual hosts write to the same error and access logs.
    # NOTE(review): both virtual hosts bind every interface (*) and no TLS is
    # configured, so tokens and passwords sent to these ports are unencrypted on
    # the wire; limit access to 35357 to the management network.
    cat > /etc/httpd/conf.d/wsgi.conf << EOF
    Listen 5000
    Listen 35357
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>
    
    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>
    EOF
    
    wsgi.conf
    wsgi.conf

    # Restart Apache so the new virtual hosts are loaded; enable it at boot only
    # if the restart succeeded.
    systemctl restart httpd \
      && systemctl enable httpd

    创建admin/demo用户脚本

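    # Client environment files for the admin and demo users; source one of them
    # before running openstack commands.
    # The image API variable is spelled OS_IMAGE_API_VERSION; the misspelled
    # OS_IIMAGE_API_VERSION is never read by the client.
    cat > ~/admin-openstack << EOF
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_AUTH_URL=http://192.168.3.220:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    EOF
    cat > ~/demo-openstack << EOF
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_PROJECT_NAME=demo
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_AUTH_URL=http://192.168.3.220:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    EOF
    # Both files hold plaintext passwords; keep them readable by the owner only.
    chmod 600 ~/admin-openstack ~/demo-openstack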
    admin/demo

    source admin-openstack(激活admin/demo权限,openstack token issue查看token,openstack user list查看用户,admin初始化后只有admin)

    创建服务/用户/角色/端点脚本(注意地址,如有变更需要更改)

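    # Register projects, the "user" role, service accounts, catalog services and
    # their endpoints. Every URL points at 192.168.3.220; change them together if
    # the controller address differs.
    # NOTE(review): each service password equals its user name and is passed on
    # the command line. These are lab placeholders; "openstack user create" also
    # accepts --password-prompt. Each service account receives the admin role on
    # the service project, and all endpoints are plain http.
    source  /root/admin-openstack
    # create projects (verify with: openstack project list)
    openstack project create --domain default --description "Service Project" service
    openstack project create --domain default --description "Demo Project" demo
    # create role (verify with: openstack role list)
    openstack role create user
    # create users (verify with: openstack user list)
    openstack user create --domain default --password demo demo
    openstack user create --domain default --password glance glance
    openstack user create --domain default --password nova nova
    openstack user create --domain default --password neutron neutron
    openstack user create --domain default --password cinder cinder
    openstack user create --domain default --password placement placement
    # assign roles: demo gets "user" on its project, service accounts get "admin"
    # on the service project
    openstack role add --project demo --user demo user
    openstack role add --project service --user glance admin
    openstack role add --project service --user nova admin
    openstack role add --project service --user neutron admin
    openstack role add --project service --user cinder admin
    openstack role add --project service --user placement admin
    # create services
    # NOTE(review): both volume services are registered under the name "cinder",
    # which makes lookups by name ambiguous; distinct names would avoid that.
    openstack service create --name glance --description "OpenStack Image" image
    openstack service create --name nova --description "Openstack Compute " compute
    openstack service create --name placement --description "Placement API" placement
    openstack service create --name neutron --description "OpenStack Network" network
    openstack service create --name cinder  --description "Openstack Block Storage" volumev2
    openstack service create --name cinder  --description "Openstack Block Storage" volumev3
    # create endpoints (public/internal/admin)
    openstack endpoint create --region RegionOne image public http://192.168.3.220:9292
    openstack endpoint create --region RegionOne image internal http://192.168.3.220:9292
    openstack endpoint create --region RegionOne image admin http://192.168.3.220:9292

    openstack endpoint create --region RegionOne placement public http://192.168.3.220:8778
    openstack endpoint create --region RegionOne placement internal http://192.168.3.220:8778
    openstack endpoint create --region RegionOne placement admin http://192.168.3.220:8778

    openstack endpoint create --region RegionOne compute public http://192.168.3.220:8774/v2.1
    openstack endpoint create --region RegionOne compute internal http://192.168.3.220:8774/v2.1
    openstack endpoint create --region RegionOne compute admin http://192.168.3.220:8774/v2.1

    openstack endpoint create --region RegionOne neutron public http://192.168.3.220:9696
    openstack endpoint create --region RegionOne neutron internal http://192.168.3.220:9696
    openstack endpoint create --region RegionOne neutron admin http://192.168.3.220:9696

    # The volume URLs are single-quoted: unquoted parentheses in %(tenant_id)s
    # are shell metacharacters and make the command a syntax error.
    openstack endpoint create --region RegionOne volumev2  public 'http://192.168.3.220:8776/v2/%(tenant_id)s'
    openstack endpoint create --region RegionOne volumev2  internal 'http://192.168.3.220:8776/v2/%(tenant_id)s'
    openstack endpoint create --region RegionOne volumev2  admin 'http://192.168.3.220:8776/v2/%(tenant_id)s'

    openstack endpoint create --region RegionOne volumev3  public 'http://192.168.3.220:8776/v3/%(tenant_id)s'
    openstack endpoint create --region RegionOne volumev3  internal 'http://192.168.3.220:8776/v3/%(tenant_id)s'
    openstack endpoint create --region RegionOne volumev3  admin 'http://192.168.3.220:8776/v3/%(tenant_id)s'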
  • 原文地址:https://www.cnblogs.com/Leaders543/p/12731041.html