OpenStack-Queens Detailed Installation and Deployment (3): Keystone Cluster

Category: OpenStack

I. Keystone Cluster

1. Create the keystone database (run on any controller node)

MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'ZmMxYWM3M2E4NTIwNjgxYzgx';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'ZmMxYWM3M2E4NTIwNjgxYzgx';
MariaDB [(none)]> FLUSH PRIVILEGES;

2. Install keystone (run on all controller nodes)
# Install keystone on all controller nodes; controller1 is used as the example;

[root@DT_Node-172_17_7_1 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y

3. Configure keystone.conf (run on all controller nodes)

[root@DT_Node-172_17_7_1 ~]# cp /etc/keystone/keystone.conf{,_original}  # back up the template file first
[root@DT_Node-172_17_7_1 ~]# egrep -v "^$|^#" /etc/keystone/keystone.conf  # the modified entries (highlighted in the original) are the ones under [cache], [database] and [token]
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller1:11211,controller2:11211,controller3:11211
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:ZmMxYWM3M2E4NTIwNjgxYzgx@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
[unified_limit]
[root@DT_Node-172_17_7_1 ~]# 

4. Sync the keystone database (run on any controller node)

[root@DT_Node-172_17_7_1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@DT_Node-172_17_7_1 ~]# mysql -ukeystone -pZmMxYWM3M2E4NTIwNjgxYzgx -hcontroller keystone -e "show tables;"
[root@DT_Node-172_17_7_1 ~]#

5. Initialize the fernet keys
a. Pick any controller node (controller1) to initialize the fernet keys; the key files and directories are generated under /etc/keystone/

[root@DT_Node-172_17_7_1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@DT_Node-172_17_7_1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

b. Sync the keys to controller2/3

[root@DT_Node-172_17_7_1 ~]# scp -P22992 -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.17.7.2:/etc/keystone/   
[root@DT_Node-172_17_7_1 ~]# scp -P22992 -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.17.7.3:/etc/keystone/

c. After syncing, fix the ownership of the keys on controller2/3

[root@DT_Node-172_17_7_1 ~]# ssh -p22992 root@172.17.7.2 'chown keystone:keystone /etc/keystone/credential-keys/ -R'
[root@DT_Node-172_17_7_1 ~]# ssh -p22992 root@172.17.7.3 'chown keystone:keystone /etc/keystone/credential-keys/ -R'
[root@DT_Node-172_17_7_1 ~]# ssh -p22992 root@172.17.7.2 'chown keystone:keystone /etc/keystone/fernet-keys/ -R'
[root@DT_Node-172_17_7_1 ~]# ssh -p22992 root@172.17.7.3 'chown keystone:keystone /etc/keystone/fernet-keys/ -R' 
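As an added check that is not part of the original post: after steps 5b and 5c, each controller's /etc/keystone/fernet-keys and credential-keys should be owned by keystone, unreadable by group/other, and identical across nodes, since a fernet token issued on one controller only validates on another that holds the same key set. The script below is example code written for this page (the names `audit_repo`, `fingerprint`, `repos_in_sync` and `make_demo_repos` are its own), and the constructed sample repositories stand in for the real directories, which you would copy to one host or run the audit on in place.

```python
import base64
import hashlib
import pwd
import stat
import tempfile
from pathlib import Path

def audit_repo(repo, expected_owner=None):
    """Return problems found in one key repository (empty list means clean)."""
    repo, problems = Path(repo), []
    if stat.S_IMODE(repo.stat().st_mode) & 0o077:
        problems.append(f"{repo}: directory mode grants group/other access")
    for key_file in sorted(repo.iterdir()):
        if not key_file.name.isdigit():  # keystone names keys 0 (staging), 1, 2, ...; highest is primary
            problems.append(f"{key_file}: unexpected file name")
            continue
        st = key_file.stat()
        if stat.S_IMODE(st.st_mode) & 0o077:
            problems.append(f"{key_file}: key file mode grants group/other access")
        if expected_owner and pwd.getpwuid(st.st_uid).pw_name != expected_owner:
            problems.append(f"{key_file}: not owned by {expected_owner}")
        try:
            if len(base64.urlsafe_b64decode(key_file.read_bytes().strip())) != 32:
                raise ValueError("wrong key length")
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{key_file}: not a 32-byte urlsafe-base64 Fernet key")
    return problems

def fingerprint(repo):
    """SHA-256 over sorted (name, content) pairs; equal digests mean identical key sets."""
    digest = hashlib.sha256()
    for key_file in sorted(Path(repo).iterdir()):
        digest.update(key_file.name.encode() + b"\0" + key_file.read_bytes() + b"\0")
    return digest.hexdigest()

def repos_in_sync(repos):  # True when every repository holds exactly the same key set
    return len({fingerprint(r) for r in repos}) == 1

def make_demo_repos():
    """Constructed sample repos (not real keys): c1, its exact copy c2, and a drifted, badly-permissioned 'bad'."""
    key = lambda b: base64.urlsafe_b64encode(bytes([b]) * 32)  # 32 bytes of key material, as fernet_setup writes
    layouts = {"c1": [key(0), key(1)], "c2": [key(0), key(1)], "bad": [key(0), b"not-a-key"]}
    root, paths = Path(tempfile.mkdtemp()), {}
    for node, contents in layouts.items():
        paths[node] = repo = root / node
        repo.mkdir(mode=0o700)
        for n, content in enumerate(contents):
            (repo / str(n)).write_bytes(content)
            (repo / str(n)).chmod(0o644 if node == "bad" else 0o600)
    return paths
```

On a real controller, call `audit_repo("/etc/keystone/fernet-keys", expected_owner="keystone")` and compare `fingerprint()` values collected from each node; any non-empty problem list or fingerprint mismatch means step 5b/5c did not complete cleanly.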

6. Configure httpd.conf (run on all controller nodes)

a. Apply on all controller nodes; controller1 is used as the example;

[root@DT_Node-172_17_7_1 ~]# cp /etc/httpd/conf/httpd.conf{,_original}
[root@DT_Node-172_17_7_1 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf

b. Note that each node substitutes its own IP address

[root@DT_Node-172_17_7_1 ~]# sed -i "s/Listen\ 80/Listen\ 172.17.7.1:80/g" /etc/httpd/conf/httpd.conf
[root@DT_Node-172_17_7_2 ~]# sed -i "s/Listen\ 80/Listen\ 172.17.7.2:80/g" /etc/httpd/conf/httpd.conf
[root@DT_Node-172_17_7_3 ~]# sed -i "s/Listen\ 80/Listen\ 172.17.7.3:80/g" /etc/httpd/conf/httpd.conf

7. Configure wsgi-keystone.conf (run on all controller nodes)

# Do this on all controller nodes; controller1 is used as the example;
# copy the wsgi-keystone.conf file into place;
# or create a symlink to wsgi-keystone.conf instead
[root@DT_Node-172_17_7_1 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# Edit wsgi-keystone.conf, paying attention to each node's own IP address or hostname; controller1 is used as the example
[root@DT_Node-172_17_7_1 ~]# sed -i "s/Listen\ 5000/Listen\ 172.17.7.1:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf         
[root@DT_Node-172_17_7_1 ~]# sed -i "s/Listen\ 35357/Listen\ 172.17.7.1:35357/g" /etc/httpd/conf.d/wsgi-keystone.conf         
[root@DT_Node-172_17_7_1 ~]# sed -i "s/*:5000/172.17.7.1:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf                      
[root@DT_Node-172_17_7_1 ~]# sed -i "s/*:35357/172.17.7.1:35357/g" /etc/httpd/conf.d/wsgi-keystone.conf

8. Bootstrap the identity service (run on any controller node)

# Run on any controller node;
# this initializes the admin user (the management user) and its password, the 3 API endpoints, the service entity, the region, etc.
[root@DT_Node-172_17_7_1 ~]# keystone-manage bootstrap --bootstrap-password NGZmOGYzNTZhOGZjMWU5Nzc1 \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionTest

9. Start the service (run on all controller nodes)

[root@DT_Node-172_17_7_1 ~]# systemctl enable httpd.service
[root@DT_Node-172_17_7_1 ~]# systemctl restart httpd.service
[root@DT_Node-172_17_7_1 ~]# systemctl status httpd.service

10. Add the HAProxy configuration (run on all controller nodes)

# keystone_admin_internal_api service
 listen keystone_admin_cluster
  bind 172.17.7.100:35357
  balance  source
  option  tcpka
  option  httpchk
  option  tcplog
  server controller1 172.17.7.1:35357 check inter 2000 rise 2 fall 5
  server controller2 172.17.7.2:35357 check inter 2000 rise 2 fall 5
  server controller3 172.17.7.3:35357 check inter 2000 rise 2 fall 5

# keystone_public_api service
 listen keystone_public_cluster
  bind 172.17.7.100:5000
  balance  source
  option  tcpka
  option  httpchk
  option  tcplog
  server controller1 172.17.7.1:5000 check inter 2000 rise 2 fall 5
  server controller2 172.17.7.2:5000 check inter 2000 rise 2 fall 5
  server controller3 172.17.7.3:5000 check inter 2000 rise 2 fall 5
[root@DT_Node-172_17_7_1 ~]# systemctl restart haproxy.service 
[root@DT_Node-172_17_7_1 ~]# systemctl status haproxy.service   

11. openstack client environment variable scripts

1) keystone_admin (run on all controller nodes)

# The openstack client environment script defines the environment variables the client uses to call the OpenStack API, so they do not have to be passed on the command line;
# different user roles need different scripts;
# here the admin user defined in the "bootstrap" section is used as the example: create its environment script, then distribute it as needed to the nodes that run the openstack client tools;
# the script is usually created in the user's home directory
[root@DT_Node-172_17_7_1 ~]# echo 'export PS1="[openstack-admin]-$PS1"
export OS_USERNAME=admin
export OS_PASSWORD=NGZmOGYzNTZhOGZjMWU5Nzc1
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3' >~/keystone_admin

[root@DT_Node-172_17_7_1 ~]# echo "PS1=$PS1
unset OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION" >> /etc/profile

# For security reasons the admin API is generally not exposed to clients; here the admin API and the public API share one VIP address
# export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

# Verify

[root@DT_Node-172_17_7_1 ~]# . keystone_admin 
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack token issue 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-09-10T09:15:52+0000                                                                                                                                                                |
| id         | gAAAAABblig4qQx7vgLJLrhCJmUEawPqzzD6rsTM5Y3mXIvthV6lH3nK88ggfGrVA7ZcTD9Z3TLaJeJFLFQjO3AH_fHeJtOqWfuH9I42arUsZRLQbL8jYez_a32UrXeh6VuryCL0WVLVIBGFwsqXUnTtGbBX0I25y6zRXxpcx1FSnU_Na_aWt8k |
| project_id | d686a8a711fd4d0bb5346319eec33712                                                                                                                                                        |
| user_id    | b52a3dc20d2b4bfb8237bb4ff01ecb3c                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# 

2) demo-openrc (run on all controller nodes)

# Same as admin-openrc, but note the different project/user/password; this password is preset
[root@DT_Node-172_17_7_1 ~]# echo 'export PS1="[openstack-demo]-$PS1"
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=YzQ4YzYwNDQzY2ZlY2E2Y2Fj
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2' > ~/keystone_demo

12. Create the domain, projects, users, and roles (run on any controller node)
1) domain

# Projects, users, etc. exist within a domain;
# the "default" domain was created when the admin user was initialized in the "bootstrap" section
[root@DT_Node-172_17_7_1 ~]# . keystone_admin 
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]#

# To create a new domain:
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 132ff8deb2a54b098f0c519d3eaa4f1c |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| 132ff8deb2a54b098f0c519d3eaa4f1c | example | True    | An Example Domain  |
| default                          | Default | True    | The default domain |
+----------------------------------+---------+---------+--------------------+
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]#

2) projects

# A project belongs to a domain;
# creating the demo project as the example, the demo project belongs to the "default" domain
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack project create --domain default --description "Demo Project" demo

3) users

# A user belongs to a domain;
# creating the demo user as the example, the demo user belongs to the "default" domain
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack user create --domain default --password=YzQ4YzYwNDQzY2ZlY2E2Y2Fj demo

4) roles

# Create the regular user role (as distinct from the admin user)
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack role create user

# Grant the demo user the user role on the demo project
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack role add --project demo --user demo user
# View the role assignments
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack user list
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack role list
[openstack-admin]-[root@DT_Node-172_17_7_1 ~]# openstack role assignment list

5) Verify the demo user

[root@DT_Node-172_17_7_1 ~]# . keystone_demo 
[openstack-demo]-[root@DT_Node-172_17_7_1 ~]# openstack token issue

6) Distribute the scripts

[openstack-demo]-[root@DT_Node-172_17_7_1 ~]# scp -P22992 keystone_admin keystone_demo root@172.17.7.2:~/
[openstack-demo]-[root@DT_Node-172_17_7_1 ~]# scp -P22992 keystone_admin keystone_demo root@172.17.7.3:~/

13. Set up the pcs resource (run on any controller node)

# Add the openstack-keystone-clone resource;
# pcs actually controls the httpd service managed by each node's systemd unit
[root@DT_Node-172_17_7_1 ~]# pcs resource create openstack-keystone systemd:httpd --clone interleave=true
[root@DT_Node-172_17_7_1 ~]# pcs resource
 Clone Set: lb-haproxy-clone [lb-haproxy]
     Stopped: [ controller1 controller2 controller3 ]
 vip    (ocf::heartbeat:IPaddr2):       Started controller1
 Clone Set: openstack-keystone-clone [openstack-keystone]
     Started: [ controller1 controller2 controller3 ]
[root@DT_Node-172_17_7_1 ~]# 
