# OpenStack Ocata Installation 0x01 — Keystone
source link: https://blog.triplez.cn/posts/openstack-ocata-installation-0x01-keystone/
## Installing the Identity Service (Keystone)

### Keystone architecture overview

### Creating the database
```
$ mysql -u root -p
```

MariaDB failed to start. Error message:

```
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
```

Cause: the openstack.cnf configuration file was wrong. I had swapped the IP addresses of the two machines, so naturally the address could not be bound. Fix: correct openstack.cnf, then restart the MariaDB service with `systemctl restart mariadb`.
Create the keystone database and grant privileges on it to the keystone user:

```sql
MariaDB [(none)]> create database keystone;
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'KEYSTONE_DBPASSWORD';
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'KEYSTONE_DBPASSWORD';
```

Replace KEYSTONE_DBPASSWORD with the password you want to set for the keystone database user.
### Installing and configuring the components

```
# yum install openstack-keystone httpd mod_wsgi
```

Edit the keystone configuration file /etc/keystone/keystone.conf:

```ini
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASSWORD@controller/keystone

[token]
# ...
provider = fernet
```

Comment out any other settings in these two sections; change KEYSTONE_DBPASSWORD to the password you set for the keystone database user.

Populate the database:

```
# su -s /bin/sh -c "keystone-manage db_sync" keystone
```
Database sync failed. Error message:

```
Traceback (most recent call last):
  File "/usr/bin/keystone-manage", line 6, in <module>
    from keystone.cmd.manage import main
  File "/opt/stack/keystone/keystone/cmd/manage.py", line 32, in <module>
    from keystone.cmd import cli
  File "/opt/stack/keystone/keystone/cmd/cli.py", line 32, in <module>
    from keystone.common.sql import migration_helpers
  File "/opt/stack/keystone/keystone/common/sql/migration_helpers.py", line 21, in <module>
    from oslo_db.sqlalchemy import migration
  File "/usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/migration.py", line 45, in <module>
    from migrate.versioning import api as versioning_api
  File "/usr/lib/python2.7/site-packages/migrate/versioning/api.py", line 33, in <module>
    from migrate.versioning import (repository, schema, version,
  File "/usr/lib/python2.7/site-packages/migrate/versioning/repository.py", line 13, in <module>
    from migrate.versioning import version, pathed, cfgparse
  File "/usr/lib/python2.7/site-packages/migrate/versioning/version.py", line 10, in <module>
    from migrate.versioning import pathed, script
  File "/usr/lib/python2.7/site-packages/migrate/versioning/script/__init__.py", line 6, in <module>
    from migrate.versioning.script.sql import SqlScript
  File "/usr/lib/python2.7/site-packages/migrate/versioning/script/sql.py", line 7, in <module>
    import sqlparse
  File "/usr/lib/python2.7/site-packages/sqlparse/__init__.py", line 14, in <module>
    from sqlparse import filters
  File "/usr/lib/python2.7/site-packages/sqlparse/filters/__init__.py", line 20, in <module>
    from sqlparse.filters.reindent import ReindentFilter
  File "/usr/lib/python2.7/site-packages/sqlparse/filters/reindent.py", line 10, in <module>
    from sqlparse.utils import offset, indent
ImportError: cannot import name offset
```

Cause: DevStack had previously been installed on the same machine and the pip packages had not been updated. Fix: uninstall sqlparse and install it again.

```
# pip uninstall sqlparse   # run this several times, until the package is completely removed
# pip install sqlparse
```
Initialize and start the keystone identity service:

```
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# keystone-manage bootstrap --bootstrap-password ADMIN_PASSWORD --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
```

Change the ADMIN_PASSWORD field to the password you want.
### Configuring the Apache HTTP server

Edit /etc/httpd/conf/httpd.conf and set the ServerName field to the hostname, for example:

```
ServerName controller
```

Create a symbolic link to wsgi-keystone.conf in conf.d:

```
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d
```

Start the Apache service:

```
# systemctl enable httpd
# systemctl start httpd
```
### Setting the environment variables

```shell
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASSWORD
$ export OS_PROJECT_NAME=admin
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
```

The ADMIN_PASSWORD field must match the password set earlier in the keystone-manage bootstrap command.
### Creating the service, projects, users and roles

Create a service project, which holds a separate user for each service:

```
$ openstack project create --domain default --description "Service Project" service
```

Create a demo project for unprivileged users and tasks:

```
$ openstack project create --domain default --description "Demo Project" demo
```

Create the demo user and set its password, DEMO_PASSWORD:

```
$ openstack user create --domain default --password-prompt demo
```

Create the user role:

```
$ openstack role create user
```

Add the user role to the demo user in the demo project:

```
$ openstack role add --project demo --user demo user
```
### Hardening

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:

```
$ unset OS_AUTH_URL OS_PASSWORD
```

Request an authentication token as the admin user:

```
$ openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
```

Request an authentication token as the demo user:

```
$ openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
```
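To confirm that the three pipelines really no longer carry admin_token_auth (and to strip it if they still do), here is an added Python checker. It is not part of the original post; the ini fragment it parses is a constructed, abridged sample that uses the section names listed above, not a copy of the real keystone-paste.ini, and the filter definition itself is deliberately left in place because only its use in the pipelines matters.

```python
"""Check keystone-paste.ini pipelines for the deprecated admin_token_auth filter.

Added example, not from the original post.  Works on the text of the file so
that comments and ordering survive the rewrite.
"""
import configparser

ADMIN_TOKEN_FILTER = "admin_token_auth"
# The three pipeline sections the post says to edit.
PIPELINES_TO_CHECK = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")


def load_paste_ini(text):
    # Paste ini files can contain "%" in values, so interpolation is disabled.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def pipelines_with_admin_token(text):
    """Return the pipeline sections whose 'pipeline =' line still lists admin_token_auth."""
    parser = load_paste_ini(text)
    offenders = []
    for section in PIPELINES_TO_CHECK:
        if parser.has_section(section):
            filters = parser.get(section, "pipeline").split()
            if ADMIN_TOKEN_FILTER in filters:
                offenders.append(section)
    return offenders


def strip_admin_token_auth(text):
    """Return the ini text with admin_token_auth removed from the three pipelines only."""
    out, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section in PIPELINES_TO_CHECK and stripped.startswith("pipeline"):
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != ADMIN_TOKEN_FILTER]
            line = f"{key.rstrip()} = {' '.join(filters)}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: an abridged fragment in the shape of keystone-paste.ini,
# with admin_token_auth still present in all three pipelines (the unhardened state).
SAMPLE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:token_auth]
use = egg:keystone#token_auth

[pipeline:public_api]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

if __name__ == "__main__":
    # On a real controller: text = open("/etc/keystone/keystone-paste.ini").read()
    print("before:", pipelines_with_admin_token(SAMPLE_INI))
    cleaned = strip_admin_token_auth(SAMPLE_INI)
    print("after: ", pipelines_with_admin_token(cleaned))
```

Running it on the real file after the edit should report an empty list; any section still listed means the shared admin token from keystone.conf would still be accepted by that API pipeline.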
### Writing the client environment scripts

Because environment variables set with export are easily lost, we need a more convenient way to load them on the client machine: openrc files.

For the admin user, write admin-openrc:

```shell
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASSWORD
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

The ADMIN_PASSWORD field must match the password set earlier in the keystone-manage bootstrap command.

For the demo user, write demo-openrc:

```shell
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASSWORD
export OS_PROJECT_NAME=demo
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

The DEMO_PASSWORD field must match the password set earlier with the openstack user create --domain default --password-prompt demo command.
### Using the scripts

Use the openrc script you just wrote to set the temporary environment variables (admin is shown here; demo works the same way). In the directory that contains the openrc file, run:

```
$ . admin-openrc
```

Obtain a token for the user:

```
$ openstack token issue
```
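What `openstack token issue` does with the variables from the openrc file is a single Keystone v3 request. The following Python script, added here and not part of the original post, builds that request from the same OS_* names the openrc files export and shows where the token comes back in the response. The endpoint and credentials are the post's placeholders, the sample response is constructed, and nothing is sent over the network unless issue_token() is pointed at a real controller.

```python
"""The HTTP exchange behind `openstack token issue` against Keystone v3.

Added example, not code from the original post or from the OpenStack client.
"""
import json
import urllib.request


def auth_request_body(env):
    """Build the JSON body for POST /v3/auth/tokens from openrc-style variables.

    When OS_PROJECT_NAME is set the token is project-scoped, which is what the
    post's openrc files produce and what most service API calls require.
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")},
                        "password": env["OS_PASSWORD"],
                    }
                },
            }
        }
    }
    if env.get("OS_PROJECT_NAME"):
        body["auth"]["scope"] = {
            "project": {
                "name": env["OS_PROJECT_NAME"],
                "domain": {"name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")},
            }
        }
    return body


def parse_token_response(headers, body_text):
    """Pull out what `openstack token issue` prints.

    The token id itself travels only in the X-Subject-Token response header;
    the JSON body carries the expiry, user, project and service catalog.
    """
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("response has no X-Subject-Token header")
    data = json.loads(body_text)["token"]
    project = data.get("project") or {}
    return {
        "id": token,
        "expires": data["expires_at"],
        "user_id": data["user"]["id"],
        "project_id": project.get("id"),
    }


def issue_token(env):
    """POST the auth body to OS_AUTH_URL/auth/tokens and return the parsed token."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    req = urllib.request.Request(
        url,
        data=json.dumps(auth_request_body(env)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers, resp.read().decode())


# Constructed sample input: the demo-openrc values from the post (placeholders).
DEMO_ENV = {
    "OS_USERNAME": "demo",
    "OS_PASSWORD": "DEMO_PASSWORD",
    "OS_PROJECT_NAME": "demo",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_AUTH_URL": "http://controller:5000/v3",
}

# Constructed sample response in the shape Keystone returns; token and ids are made up.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexampleFernetToken"}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "expires_at": "2017-03-01T01:00:00.000000Z",
        "user": {"id": "0123456789abcdef0123456789abcdef", "name": "demo"},
        "project": {"id": "fedcba9876543210fedcba9876543210", "name": "demo"},
        "roles": [{"name": "user"}],
    }
})

if __name__ == "__main__":
    print(json.dumps(auth_request_body(DEMO_ENV), indent=2))
    print(parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

Two things worth noticing from the exchange: the password is carried in the request body, so with the plain http:// endpoints of this lab setup it crosses the network unencrypted, and the returned X-Subject-Token is itself a bearer credential, so it should be kept out of shell history and request logs just like the password in the openrc file.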
### Summary

Basically you can just follow the official guide, but watch out for a few problems left over from earlier installations.

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.