Setting up the OpenStack (Q release) Keystone component

Introduction

  • Set up the OpenStack (Q release) Keystone (Identity) component on an Ubuntu or CentOS system

On the Controller node

Database

  • Enter the database
$ mysql -u root -p
  • Create the database
MariaDB [(none)]> CREATE DATABASE keystone;
  • Grant privileges on the database
# Replace KEYSTONE_DBPASS with a password of your choosing
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
  • Exit the database
MariaDB [(none)]> exit

Install the Keystone component

Ubuntu systems

  • Install the packages
$ apt install keystone apache2 libapache2-mod-wsgi

CentOS systems

  • Install the packages
$ yum install openstack-keystone httpd mod_wsgi

CentOS/Ubuntu systems

  • Configure the keystone service
$ vim /etc/keystone/keystone.conf
[database]
## Replace KEYSTONE_DBPASS with the Keystone database password
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
provider = fernet
  • Populate the database
$ su -s /bin/sh -c "keystone-manage db_sync" keystone
  • Initialize the Fernet token key repositories
$ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
$ keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
  • Bootstrap the Identity service
# Replace ADMIN_PASS with a suitable password
$ keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

Ubuntu systems

  • Configure the Apache service
$ vim /etc/apache2/apache2.conf
# Add this entry near the top of the file
ServerName controller
  • Restart the Apache service
$ service apache2 restart
  • Set the environment variables
# Replace ADMIN_PASS with the password set earlier
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3

CentOS systems

  • Configure the httpd service
$ vim /etc/httpd/conf/httpd.conf
# Add this entry near the top of the file
ServerName controller
  • Create the symbolic link
$ ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
  • Start the httpd service and enable it at boot
# Enable start at system boot
$ systemctl enable httpd.service
# Start the Apache service
$ systemctl start httpd.service
  • Set the environment variables
# Replace ADMIN_PASS with the password set earlier
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3

Create a domain, projects, users and roles

CentOS/Ubuntu systems

  • Create a domain
$ openstack domain create --description "An Example Domain" example

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 2f4f80574fd84fe6ba9067228ae0a50c |
| name        | example                          |
+-------------+----------------------------------+
  • Create the service project
$ openstack project create --domain default \
  --description "Service Project" service

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
  • Create the demo project
$ openstack project create --domain default \
  --description "Demo Project" demo

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
  • Create the demo user
$ openstack user create --domain default \
  --password-prompt demo

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | aeda23aa78f44e859900e22c24817832 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  • Create the user role
$ openstack role create user

+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | user                             |
+-----------+----------------------------------+
  • Add the user role to the demo user on the demo project
$ openstack role add --project demo --user demo user

Test operations

CentOS/Ubuntu systems

  • Unset the temporary token and authentication URL
$ unset OS_AUTH_URL OS_PASSWORD
  • Request a token as the admin user
$ openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
  • Request a token as the demo user
$ openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:15:39.014479Z                                     |
| id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
| project_id | ed0b60bf607743088218b0a533d5943f                                |
| user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
+------------+-----------------------------------------------------------------+

Create the client scripts

CentOS/Ubuntu systems

  • Create the admin-openrc script for the admin user
$ mkdir /openstack
$ vim /openstack/admin-openrc
# File contents
# Replace ADMIN_PASS with the admin user's password
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
  • Create the demo-openrc script for the demo user
$ vim /openstack/demo-openrc
# File contents
# Replace DEMO_PASS with the demo user's password
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
  • Use the scripts
# Load the admin-openrc script
$ source /openstack/admin-openrc
# Load the demo-openrc script
$ source /openstack/demo-openrc
  • Request a token
$ openstack token issue

+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:44:35.659723Z                                     |
| id         | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
|            | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
|            | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
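The `openstack token issue` calls in the test section and after loading the openrc scripts are a single POST to Keystone's Identity v3 API. The script below is an added example, not code from the original post: it builds the project-scoped password auth body that the OS_* variables describe and pulls the same fields (id, expires, project_id, user_id) out of the reply. It assumes the endpoint the post configures (http://controller:5000/v3); the live request only runs when the file is executed directly, and the sample reply is constructed.

```python
"""Added example: what `openstack token issue` does against Keystone's
Identity v3 API as plain HTTP. Assumes the post's http://controller:5000/v3
endpoint; the network call happens only when run directly."""
import json
import os
import urllib.request

# Constructed sample reply, shaped like a real POST /v3/auth/tokens response.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-token-id"}
SAMPLE_BODY = {"token": {"expires_at": "2016-02-12T20:14:07.056119Z",
                         "project": {"id": "343d245e850143a096806dfaefa9afdc"},
                         "user": {"id": "ac3377633149401296f6c0d92d79dc16"}}}


def build_password_auth(username, password, project, domain="Default"):
    """Project-scoped password auth body: the v3 shape behind the openrc vars."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": domain},
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def parse_token_response(headers, body):
    """The token id travels in the X-Subject-Token header, not the JSON body."""
    tok = body["token"]
    return {"id": headers["X-Subject-Token"], "expires": tok["expires_at"],
            "project_id": tok["project"]["id"], "user_id": tok["user"]["id"]}


def issue_token(auth_url, username, password, project, domain="Default"):
    """Live request against Keystone; mirrors `openstack token issue`."""
    payload = json.dumps(build_password_auth(username, password, project, domain))
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens",
                                 data=payload.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers, json.load(resp))


if __name__ == "__main__":
    # Reads the variables exported by `source /openstack/admin-openrc`.
    env = os.environ
    print(issue_token(env["OS_AUTH_URL"], env["OS_USERNAME"], env["OS_PASSWORD"],
                      env["OS_PROJECT_NAME"], env.get("OS_USER_DOMAIN_NAME", "Default")))
```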

Reference links