• OpenStack (1) - Deploying the Keystone Identity Service


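    Identity Service: Keystone. It provides authentication, service rules, and service tokens for the other OpenStack services, and manages Domains, Projects, Users, Groups, and Roles. It has been integrated into the project since the Essex release.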

    We deploy keystone on the controller node.

    1. We need to connect to the database, which requires installing python2-PyMySQL:

    [root@sxb2 ~]# yum install python2-PyMySQL -y

    2. Configure MySQL, then restart the service:

    [root@sxb2 ~]# vim /etc/my.cnf.d/openstack.cnf
    [mysqld]
    bind-address = 192.168.88.102        # this host's address
    
    default-storage-engine = innodb
    innodb_file_per_table = on
    max_connections = 4096
    collation-server = utf8_general_ci
    character-set-server = utf8

    3. Install and configure the component; enable it at boot and start it now:

    yum install rabbitmq-server

     [root@sxb2 ~]# systemctl enable rabbitmq-server.service
     Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
     [root@sxb2 ~]# systemctl start rabbitmq-server.service

    4. Create an openstack user and grant it permissions:

    [root@sxb2 ~]# rabbitmqctl add_user openstack 123
    Creating user "openstack"
    [root@sxb2 ~]#  rabbitmqctl set_permissions openstack ".*" ".*" ".*"
    Setting permissions for user "openstack" in vhost "/"

    5. Install memcached and configure it:

    yum install memcached python-memcached
    [root@sxb2 ~]# vim /etc/sysconfig/memcached 
    PORT="11211"
    USER="memcached"
    MAXCONN="1024"
    CACHESIZE="64"
    OPTIONS="-l 127.0.0.1,::1,192.168.88.102"    # add this host's own IP address

    6. Start memcached and enable it at boot:

    [root@sxb2 ~]# systemctl enable memcached.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
    [root@sxb2 ~]# systemctl start memcached.service

    That completes the preparation. Next we install a minimal Stein release.

    1. First we configure the user authentication service: create the keystone database in MySQL and grant privileges on it:

    mysql> CREATE DATABASE keystone;
    Query OK, 1 row affected (0.00 sec)
    
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123';
    Query OK, 0 rows affected, 1 warning (0.00 sec)
    
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123'
        -> ;
    Query OK, 0 rows affected, 1 warning (0.00 sec)

    2. Install the packages and edit the configuration file:

    [root@sxb2 ~]# yum install openstack-keystone httpd mod_wsgi
    [root@sxb2 ~]# vim /etc/keystone/keystone.conf
    
    [database]
    # change the password and IP below to the MySQL password granted above and this host's IP
    connection = mysql+pymysql://keystone:123@192.168.88.102/keystone
    
    [token]
    provider = fernet

    3. Update the database:

    su -s /bin/sh -c "keystone-manage db_sync" keystone

    4. Initialize the Fernet key repositories:

    [root@sxb2 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    [root@sxb2 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

    5. Bootstrap the Identity service (admin, internal, and public endpoints):

    [root@sxb2 ~]# keystone-manage bootstrap --bootstrap-password 123  --bootstrap-admin-url http://192.168.88.102:5000/v3/ --bootstrap-internal-url http://192.168.88.102:5000/v3/ --bootstrap-public-url http://192.168.88.102:5000/v3/ --bootstrap-region-id RegionOne

    6. Configure the httpd service:

    [root@sxb2 ~]# vim /etc/httpd/conf/httpd.conf
    
    # change to your own IP
    ServerName sxb2.102.com

    7. Create a symbolic link for the httpd service:

    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    8. Start the service and enable it at boot:

    [root@sxb2 ~]# systemctl enable httpd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
    [root@sxb2 ~]# systemctl start httpd.service
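
    The key repositories initialized in step 4 hold the keys that sign tokens and encrypt stored credentials, so only the keystone account should be able to read them. The check below is an added example, not part of the original post; `check_key_repo` is a hypothetical helper, and the two paths in its closing comment are Keystone's default repository locations, which the post does not state.

```shell
#!/bin/sh
# Added example (not from the original post): audit a key repository created
# by `keystone-manage fernet_setup` or `keystone-manage credential_setup`.
# check_key_repo is a hypothetical helper. Usage: check_key_repo DIR [OWNER]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_key_repo() {
    _repo=$1
    _owner=${2:-keystone}        # service account used in step 4

    if [ ! -d "$_repo" ]; then
        echo "MISSING $_repo"
        return 1
    fi

    _out=$(
        # Any group/other permission bit lets another local account read or
        # replace the keys.
        find "$_repo" \( -perm -040 -o -perm -020 -o -perm -010 \
                      -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/LOOSE-PERMS /'
        # Everything in the repository should belong to the service account.
        find "$_repo" ! -user "$_owner" -print | sed 's/^/WRONG-OWNER /'
        # Key files are named by integer index (0, 1, ...); none means the
        # setup command never ran against this directory.
        [ -n "$(find "$_repo" -type f -name '[0-9]*' -print)" ] ||
            echo "NO-KEYS $_repo"
    )

    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Assumed default locations (not stated in the post):
#   check_key_repo /etc/keystone/fernet-keys
#   check_key_repo /etc/keystone/credential-keys
```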

    We can create the environment scripts for the two users ahead of time:

    [root@sxb2 ~]# vim admin-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=123
    export OS_AUTH_URL=http://192.168.88.102:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    [root@sxb2 ~]# vim  demo-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=myproject
    export OS_USERNAME=myuser
    export OS_PASSWORD=123
    export OS_AUTH_URL=http://192.168.88.102:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

    In the next stage we set up a domain, projects, a user, and a role.

    1. Create a new domain; first make sure we are acting as the admin user:

    [root@sxb2 ~]# . admin-openrc 
    [root@sxb2 ~]# openstack domain create --description "An Example Domain" example
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 2f4f7bf3bb6545f9b4e5f6bbac653d6d |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    2. Create a service project in the domain:

    [root@sxb2 ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | d6b9b42ec4de4a1fbd0574f2b23f883f |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    3. Create the myproject project:

    [root@sxb2 ~]# openstack project create --domain default --description "Demo Project" myproject
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | a6dc8ef37cb543599c98083af439b8a0 |
    | is_domain   | False                            |
    | name        | myproject                        |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    4. Create the myuser user and set its password:

    [root@sxb2 ~]# openstack user create --domain default --password-prompt myuser
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | d9128e749b944e5e86422e917d910145 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

    5. Create the myrole role:

    [root@sxb2 ~]# openstack role create myrole
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | None                             |
    | id          | c3e9e6bb3f634807967ef128433334df |
    | name        | myrole                           |
    +-------------+----------------------------------+

    6. Add myuser to the myproject project, managing the project with the myrole role:

    openstack role add --project myproject --user myuser myrole

    This completes the configuration of the keystone component. Next, we verify it.

    1. Unset the environment variables and authenticate as admin:

    [root@sxb2 ~]# unset OS_AUTH_URL OS_PASSWORD
    [root@sxb2 ~]# openstack --os-auth-url http://192.168.88.102:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2019-08-10T13:42:33+0000                                                                                                                                                                |
    | id         | gAAAAABdTru5XE9SIQFDp1POA_UXdgNkusBk3Sj4PFqFc7w9WBseyMI0uutM7M6WOrcYkZofJayT8Sbo0WXV7LojJmPBzJhaxtHV9bztHeS0M8rjc-8AfQoSZ9xkMng0pq4j_oA72RdfWOLTC13WY48d18W2ytUqaqCLXhrd39d3FiIV0xqt2dQ |
    | project_id | 0efc3e774118464eb39800063ad7a64b                                                                                                                                                        |
    | user_id    | d17347f078034a83900df5d0b6f4a644                                                                                                                                                        |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    2. Authenticate as myuser:

    [root@sxb2 ~]# openstack --os-auth-url http://192.168.88.102:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
    Password: 
    No password entered, or found via --os-password or OS_PASSWORD
    [root@sxb2 ~]# openstack --os-auth-url http://192.168.88.102:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2019-08-10T13:47:03+0000                                                                                                                                                                |
    | id         | gAAAAABdTrzHyiYveXthqNw_rkcGCS_lqYgE4rLB9YvOkcuDzdbwDnUZMTswP9ZrZu3ORRBj9QygPfFuW2e2XLY7Ua6Buq16BVVbut_R5QUU3359bzy2gkb63ixyJLfKwAEaLGl6ViJ_0qMb4WiHAdA80_Fyg5VWCAPQZ1aDt0oalDfvHCMLtJo |
    | project_id | a6dc8ef37cb543599c98083af439b8a0                                                                                                                                                        |
    | user_id    | d9128e749b944e5e86422e917d910145                                                                                                                                                        |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
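
    Because `provider = fernet` is set, the `id` values above are Fernet tokens, and the issue time is carried unencrypted in the token's first bytes. The following added example (not part of the original post; the function names are hypothetical) recovers that time without any key, which helps when matching a token seen in a log to the authentication event that produced it.

```shell
#!/bin/sh
# Added example (not from the original post). A Fernet token is
#   0x80 | 8-byte big-endian Unix timestamp | IV | ciphertext | HMAC
# encoded as base64url, so its first 12 characters decode to exactly the
# version byte plus the issue time. Helper names are hypothetical.

# Print the issue time of a Fernet token as Unix seconds.
fernet_issued_at() {
    _hex=$(printf '%s\n' "$1" | cut -c1-12 | tr '_-' '/+' |
           base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    # 9 bytes = 18 hex digits, and the version byte must be 0x80.
    if [ "${#_hex}" -ne 18 ] || [ "${_hex#80}" = "$_hex" ]; then
        echo "not a Fernet token" >&2
        return 1
    fi
    printf '%d\n' "0x${_hex#80}"
}

# Same value as an ISO 8601 UTC time (uses GNU/busybox `date -d @SECONDS`).
fernet_issued_iso() {
    _ts=$(fernet_issued_at "$1") || return 1
    date -u -d "@$_ts" +%Y-%m-%dT%H:%M:%SZ
}

# Sample call, using the first characters of the admin token shown above:
#   fernet_issued_iso gAAAAABdTru5XE9SIQFD
# The result is one hour before the `expires` value in that output, which
# matches Keystone's default token lifetime of 3600 seconds.
```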

    In the next chapter we configure glance.

  • Original article: https://www.cnblogs.com/loganSxb/p/11326404.html