I have been tinkering with OpenStack this week; below are my notes on the process.
Install and configure
Note: In Kilo, the keystone project deprecates Eventlet in favor of a WSGI server. This guide uses the Apache HTTP server with mod_wsgi to serve keystone requests on ports 5000 and 35357. By default, the keystone service still listens on ports 5000 and 35357. Therefore, this guide disables the keystone service.
Before installing the OpenStack Identity service, you need to create the database and an administration token.
Create the database:
mysql -u root -p
MariaDB [(none)]>
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
exit
Install the required packages:
yum install -y openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached
Start memcached and enable it at boot:
systemctl enable memcached.service
systemctl start memcached.service
Generate a random value to use later when initializing the token:
openssl rand -hex 10
a4d418d94e2c380f614c
Note: the command above generates a random string to be used for access, i.e. the admin_token in keystone.conf; you can also write any string yourself. In this installation admin_token is set to ADMIN_TOKEN.
Edit the /etc/keystone/keystone.conf file:
cp /etc/keystone/keystone.conf /etc/keystone/keystone.confbak
echo "[DEFAULT]
verbose = True
admin_token = ADMIN_TOKEN
[database]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
[memcache]
servers = localhost:11211
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke" >/etc/keystone/keystone.conf
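The echo above replaces the whole shipped keystone.conf with the handful of options the guide needs, and leaves the bootstrap token at the literal placeholder ADMIN_TOKEN. As an added example (my own code, not from this post or from keystone), the script below applies the same option set by merging it into the existing file, so other settings survive, and generates admin_token from the OS CSPRNG with the same shape as `openssl rand -hex 10`. The function names and the sample "existing" config are constructed for the example.

```python
"""Merge the Kilo keystone settings from this post into an existing
keystone.conf instead of overwriting the file, and generate the bootstrap
admin_token from a CSPRNG (20 hex chars, like `openssl rand -hex 10`).

Added example; function names and the sample config are my own."""
import configparser
import io
import secrets
import sys


def generate_admin_token(nbytes=10):
    """20 hex characters from the OS CSPRNG, same shape as `openssl rand -hex 10`."""
    return secrets.token_hex(nbytes)


def keystone_settings(admin_token, db_pass, db_host="controller",
                      memcache_servers="localhost:11211"):
    """The option set the post writes with echo, as section -> {option: value}."""
    return {
        "DEFAULT": {"verbose": "True", "admin_token": admin_token},
        "database": {"connection": f"mysql://keystone:{db_pass}@{db_host}/keystone"},
        "memcache": {"servers": memcache_servers},
        "token": {"provider": "keystone.token.providers.uuid.Provider",
                  "driver": "keystone.token.persistence.backends.memcache.Token"},
        "revoke": {"driver": "keystone.contrib.revoke.backends.sql.Revoke"},
    }


def _parser():
    # interpolation=None: keystone.conf values may contain '%' (log formats);
    # strict=False: tolerate duplicate keys found in some shipped configs.
    return configparser.ConfigParser(interpolation=None, strict=False)


def merge_keystone_conf(existing_text, settings):
    """Return existing_text with `settings` applied; unrelated options are kept.
    Note: configparser drops comment lines when it rewrites the file."""
    cp = _parser()
    cp.read_string(existing_text)
    for section, options in settings.items():
        # [DEFAULT] is implicit in configparser and cannot be added explicitly
        if section != cp.default_section and not cp.has_section(section):
            cp.add_section(section)
        for key, value in options.items():
            cp.set(section, key, value)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def uses_placeholder_token(conf_text):
    """True if admin_token is unset or still the documentation placeholder."""
    cp = _parser()
    cp.read_string(conf_text)
    return cp.get("DEFAULT", "admin_token", fallback="") in ("", "ADMIN_TOKEN")


# Constructed stand-in for the shipped /etc/keystone/keystone.conf (not the real file).
SAMPLE_EXISTING_CONF = """[DEFAULT]
#admin_token = ADMIN_TOKEN
#verbose = false
log_dir = /var/log/keystone

[database]
#connection = <None>

[token]
expiration = 3600
"""

if __name__ == "__main__":
    # Usage: python3 merge_keystone_conf.py /etc/keystone/keystone.conf KEYSTONE_DBPASS
    path, db_pass = sys.argv[1], sys.argv[2]
    token = generate_admin_token()
    with open(path) as fh:
        merged = merge_keystone_conf(fh.read(), keystone_settings(token, db_pass))
    with open(path, "w") as fh:
        fh.write(merged)
    print("admin_token:", token)  # needed for the OS_TOKEN export later in the guide
```

The merge keeps options such as log_dir and the token expiration that the shipped file already sets; `crudini --set` achieves the same in-place edit from the shell if you prefer not to script it. Whatever token you generate, record it only for the bootstrap steps: the guide later removes admin_token_auth from the paste pipelines so the token stops being accepted.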
Sync the Identity service database:
su -s /bin/sh -c "keystone-manage db_sync" keystone
Configure the /etc/httpd/conf/httpd.conf file:
cp -a /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf_bak
sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
Create the /etc/httpd/conf.d/wsgi-keystone.conf file:
echo "Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat \"%{cu}t %M\"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat \"%{cu}t %M\"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>" >/etc/httpd/conf.d/wsgi-keystone.conf
Create the WSGI component directory:
mkdir -p /var/www/cgi-bin/keystone
Copy the WSGI components into this directory:
curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
Since that requires downloading over the network, I have pasted the contents directly here.
echo "import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)" >/var/www/cgi-bin/keystone/main
echo "import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)" >/var/www/cgi-bin/keystone/admin
Adjust the ownership and permissions of the directory and the files in it:
chown -R keystone:keystone /var/www/cgi-bin/keystone
chmod 755 /var/www/cgi-bin/keystone/*
Restart the Apache HTTP server:
systemctl enable httpd.service
systemctl start httpd.service
Create the service entity and API endpoint
Set temporary environment variables:
export OS_TOKEN=ADMIN_TOKEN
export OS_URL=http://controller:35357/v2.0
Create the service entity for the Identity service:
Create the Identity service API endpoint:
Create projects, users, and roles
The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users, and roles.
Create the admin project:
openstack project create --description "Admin Project" admin
Create the admin user:
openstack user create admin --password admin
Create the admin role:
openstack role create admin
Add the admin role to the admin project and user:
openstack role add --project admin --user admin admin
This guide uses a service project that contains a unique user for each service that you add to your environment.
Create the service project:
openstack project create --description "Service Project" service
Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.
Create the demo project:
openstack project create --description "Demo Project" demo
Create the demo user:
openstack user create demo --password demo
Create the user role:
openstack role create user
Add the user role to the demo project and user:
openstack role add --project demo --user demo user
Verify operation
Verify operation of the Identity service before installing other services.
For security reasons, disable the temporary authentication token mechanism:
Edit the /usr/share/keystone/keystone-dist-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.
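Editing the paste pipeline by hand is easy to get wrong (there are three pipeline lines, and `token_auth` must stay while `admin_token_auth` goes). As an added example, not from this post or from keystone, the script below strips the filter from exactly the three pipelines the guide names and reports any pipeline that still carries it, which is the check worth running before moving on. The sample paste file is constructed in the layout of a Kilo keystone-dist-paste.ini; function names are my own.

```python
"""Remove the admin_token_auth filter from the three keystone paste pipelines
named in the guide, and report which pipelines still carry it.

Added example, not from the post or from keystone; function names are mine."""
import re
import shutil
import sys

TARGET_PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PIPELINE_RE = re.compile(r"^\s*pipeline\s*=")


def pipelines_using(paste_text, filter_name="admin_token_auth"):
    """Names of [pipeline:*] sections whose pipeline line still lists filter_name."""
    found, current = [], None
    for line in paste_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        if current and current.startswith("pipeline:") and PIPELINE_RE.match(line):
            if filter_name in line.partition("=")[2].split():
                found.append(current)
    return found


def remove_filter(paste_text, filter_name="admin_token_auth", sections=TARGET_PIPELINES):
    """Drop filter_name from the pipeline line of the given sections only.
    Whole-token comparison, so 'token_auth' is never touched by mistake; the
    [filter:admin_token_auth] definition block is left in place, as the guide says."""
    out, current = [], None
    for line in paste_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
        elif current in sections and PIPELINE_RE.match(line):
            key, _, value = line.partition("=")
            kept = [f for f in value.split() if f != filter_name]
            line = f"{key.strip()} = {' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + ("\n" if paste_text.endswith("\n") else "")


# Constructed sample in the layout of a Kilo keystone-dist-paste.ini (not the shipped file).
SAMPLE_PASTE = """[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
"""

if __name__ == "__main__":
    # Usage: python3 strip_admin_token_auth.py /usr/share/keystone/keystone-dist-paste.ini
    path = sys.argv[1]
    shutil.copy(path, path + ".bak")  # keep a copy before editing
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(remove_filter(text))
    with open(path) as fh:
        print("pipelines still using admin_token_auth:", pipelines_using(fh.read()))
```

Run it once, restart httpd, and confirm that a request carrying the old admin token is rejected; an empty list from `pipelines_using` on the rewritten file is the condition the guide's "for security reasons" step is aiming for.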
Unset the temporary OS_TOKEN and OS_URL environment variables:
As the admin user, request an authentication token from the Identity version 2.0 API:
The Identity version 3 API adds support for domains that contain projects and users. Projects and users can use the same names in different domains. Therefore, in order to use the version 3 API, requests must also explicitly contain at least the default domain or use IDs. For simplicity, this guide explicitly uses the default domain so examples can use names instead of IDs.
As the admin user, list projects to verify that the admin user can execute admin-only CLI commands and that the Identity service contains the projects that you created in the section called “Create projects, users, and roles”:
As the admin user, list users to verify that the Identity service contains the users that you created in the section called “Create projects, users, and roles”:
As the admin user, list roles to verify that the Identity service contains the role that you created in the section called “Create projects, users, and roles”:
As the demo user, request an authentication token from the Identity version 3 API:
This command uses the password for the demo user and API port 5000 which only allows regular (non-admin) access to the Identity service API.
As the demo user, attempt to list users to verify that it cannot execute admin-only CLI commands:
ERROR: openstack You are not authorized to perform the requested action, admin_required. (HTTP 403)
Create OpenStack client environment scripts
The previous section used a combination of environment variables and command options to interact with the Identity service via the openstack client. To increase efficiency of client operations, OpenStack supports simple client environment scripts also known as OpenRC files. These scripts typically contain common options for all clients, but also support unique options. For more information, see the OpenStack User Guide.
Edit the admin-openrc.sh file:
echo "export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3" >admin-openrc.sh
Edit the demo-openrc.sh file:
echo "export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3" >demo-openrc.sh
Load the client environment script:
source admin-openrc.sh
openstack token issue