Lab 06: Keystone Installation and Configuration
I. Objectives:
1. Master the groundwork for building an OpenStack environment
2. Master how to install and configure Keystone
3. Master how to call Keystone's basic interfaces
II. Procedure:
1. Clone two CentOS servers from the snapshot created at the very beginning. Rename the two clones xxx-controller and xxx-compute1 and set their IP addresses to 192.168.xx.10 and 192.168.xx.20 (xxx is the pinyin of your own name, xx is the last two digits of your student number).
Controller node:
[root@controller-zq ~]# ip addr
Compute node:
[root@computer-zq ~]# ip addr
2. On both hosts, edit the configuration file /etc/hosts and add the mappings between xxx-controller, xxx-compute1 and their IP addresses.
Add the hostname-to-IP-address mappings:
[root@controller-zq ~]# vim /etc/hosts
[root@computer-zq ~]# vim /etc/hosts
3. On the controller node, ping both hostnames and check whether they can be reached.
Ping both hostnames on the controller node:
[root@controller-zq ~]# ping controller-zq
[root@controller-zq ~]# ping computer-zq
Both hosts are reachable.
Ping both hostnames on the compute node:
[root@computer-zq ~]# ping controller-zq
[root@computer-zq ~]# ping computer-zq
Both hosts are reachable.
4. Install the time service on both nodes; configure the controller as the time server and the compute1 node as a time client.
Controller node:
[root@controller-zq ~]# yum install chrony
[root@controller-zq ~]# vim /etc/chrony.conf
On the compute node, ping 0.centos.pool.ntp.org; it is reachable, so this time source can be used.
[root@computer-zq ~]# ping 0.centos.pool.ntp.org
Edit the configuration file:
To enable other nodes to connect to the chrony daemon on the controller node, add this key to the same chrony.conf file:
Restart the time service, enable it at boot, and check its status:
[root@controller-zq ~]# systemctl restart chronyd.service
[root@controller-zq ~]# systemctl status chronyd.service
[root@controller-zq ~]# systemctl enable chronyd.service
Compute node:
Install the time service:
[root@computer-zq ~]# yum install chrony
Edit the /etc/chrony.conf file:
[root@computer-zq ~]# vim /etc/chrony.conf
Restart the time service, enable it at boot, and check its status:
[root@computer-zq ~]# systemctl restart chronyd.service
[root@computer-zq ~]# systemctl enable chronyd.service
[root@computer-zq ~]# systemctl status chronyd.service
Run this command on the controller node:
[root@controller-zq ~]# chronyc sources
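The chrony.conf edits in this step are shown in the report only as screenshots, and "chronyc sources" is the check that tells you whether the client actually follows the controller. The following is an added example, not part of the original lab report: it renders the two configuration fragments (controller: public pool plus an "allow" line for the lab subnet; compute1: the controller only) and parses "chronyc sources" output to find the selected source. The subnet 192.168.xx.0/24 and the sample outputs are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original lab report: the chrony.conf lines
# each node needs, plus a check on `chronyc sources` output that tells you
# whether the client has actually locked on to the controller.
# Assumptions: the controller is reachable as controller-zq, the lab subnet is
# 192.168.xx.0/24 (xx as in the lab text), and SAMPLE_SOURCES/SAMPLE_UNSYNC are
# constructed copies of typical `chronyc sources` output, not real captures.

# chrony.conf fragment for the controller: sync from the public pool and allow
# hosts on the lab subnet to use this node as their time server. Without the
# `allow` line chronyd silently refuses client requests.
controller_chrony_fragment() {
    printf 'server 0.centos.pool.ntp.org iburst\n'
    printf 'allow %s\n' "$1"
}

# chrony.conf fragment for compute1: use only the controller, so every node
# follows one clock and token expiry timestamps across services agree.
compute_chrony_fragment() {
    printf 'server %s iburst\n' "$1"
}

# Read `chronyc sources` output on stdin and print the name of the source that
# chrony has selected for synchronization (the row whose first column is "^*").
# Exit status 1 means no source is selected yet: expected briefly after a
# restart, but persistent when the controller's `allow` line is missing or
# UDP/123 is blocked between the nodes.
selected_source() {
    awk '$1 == "^*" { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of what compute1 shows once it is synchronized.
SAMPLE_SOURCES='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* controller-zq                 3   6    17    25   -1085us[-1163us] +/-   49ms'

# Constructed sample of the unsynchronized state ("^?" = unreachable/untried).
SAMPLE_UNSYNC='210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? controller-zq                 0   6     0     -     +0ns[   +0ns] +/-    0ns'

# Stand-alone demo: print both fragments and evaluate the synchronized sample.
controller_chrony_fragment 192.168.xx.0/24
compute_chrony_fragment controller-zq
if src="$(printf '%s\n' "$SAMPLE_SOURCES" | selected_source)"; then
    echo "synchronized to: $src"
fi
```

On the real nodes, pipe the live output in with `chronyc sources | selected_source`; run it on compute1 as well as the controller, since the client is the node that most often ends up in the "^?" state.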
5. Install the latest OpenStack repository on controller and compute1.
Controller node:
[root@controller-zq yum.repos.d]# yum install centos-release-openstack-rocky
List the files in the /etc/yum.repos.d directory:
[root@controller-zq yum.repos.d]# ll
Update the installed packages:
[root@controller-zq ~]# yum upgrade
Compute node:
[root@computer-zq yum.repos.d]# yum install centos-release-openstack-rocky -y
List the files in the /etc/yum.repos.d directory:
[root@computer-zq yum.repos.d]# ll
Update the installed packages:
[root@computer-zq ~]# yum upgrade
6. Install the MariaDB database on the controller, edit its configuration file after installation, then start the database server and enable it at boot.
Install MariaDB on the controller:
[root@controller-zq ~]# yum install mariadb mariadb-server python2-PyMySQL
Create and edit the /etc/my.cnf.d/openstack.cnf file:
[root@controller-zq ~]# vim /etc/my.cnf.d/openstack.cnf
Start the database service and configure it to start at system boot:
[root@controller-zq ~]# systemctl start mariadb.service
[root@controller-zq ~]# systemctl enable mariadb.service
Check the database status:
[root@controller-zq ~]# systemctl status mariadb.service
Set the password of the root account:
Secure the database service by running mysql_secure_installation and choose a suitable password for the database root account:
[root@controller-zq ~]# mysql_secure_installation
[root@controller-zq ~]# mysql -u root -p
7. Install the RabbitMQ message queue service on the controller, start it and enable it at boot, then create a user for OpenStack whose username is the pinyin of your own name.
Install the RabbitMQ message queue service on the controller:
[root@controller-zq ~]# yum install rabbitmq-server
Enable the message service at boot and start it:
[root@controller-zq ~]# systemctl enable rabbitmq-server.service
[root@controller-zq ~]# systemctl start rabbitmq-server.service
[root@controller-zq ~]# systemctl status rabbitmq-server.service
Create a user for OpenStack, named with the pinyin of your own name:
Configure the message service: delete the default account guest, add the account zq with the password zq2019, and add zq to the administrator group:
[root@controller-zq ~]# rabbitmqctl list_users
[root@controller-zq ~]# rabbitmqctl delete_user guest
[root@controller-zq ~]# rabbitmqctl add_user zq zq2019
[root@controller-zq ~]# rabbitmqctl set_user_tags zq administrator
[root@controller-zq ~]# rabbitmqctl list_users
Allow the zq user configuration, write and read access:
[root@controller-zq ~]# rabbitmqctl set_permissions zq ".*" ".*" ".*"
Check the user permissions:
[root@controller-zq ~]# rabbitmqctl list_permissions
Check the message service version:
[root@controller-zq ~]# rabbitmqctl status | grep rabbit
Restart the message service:
[root@controller-zq ~]# systemctl restart rabbitmq-server.service
8. Install the Memcached service on the controller node, then start it and enable it at boot.
[root@controller-zq ~]# yum install memcached python-memcached
[root@controller-zq ~]# vim /etc/sysconfig/memcached
[root@controller-zq ~]# systemctl enable memcached.service
[root@controller-zq ~]# systemctl start memcached.service
[root@controller-zq ~]# systemctl status memcached.service
Install and configure etcd, then start it and enable it at boot:
[root@controller-zq ~]# yum install etcd
[root@controller-zq ~]# vim /etc/etcd/etcd.conf
[root@controller-zq ~]# systemctl enable etcd
[root@controller-zq ~]# systemctl start etcd
[root@controller-zq ~]# systemctl status etcd
9. Install the Keystone service on the controller.
[root@controller-zq ~]# yum install openstack-keystone httpd mod_wsgi
10. Edit the Keystone configuration file.
Back up the /etc/keystone/keystone.conf file, then edit it:
11. Enter the database, create a database for Keystone, create the access user and grant it privileges.
Connect to the database server as the root user with the database access client:
[root@controller-zq ~]# mysql -u root -p
Create the keystone database:
MariaDB [(none)]> create database keystone;
Grant proper access to the keystone database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
MariaDB [(none)]> use mysql
MariaDB [mysql]> select user,password from user;
MariaDB [mysql]> show databases;
MariaDB [mysql]> use keystone;
MariaDB [keystone]> show tables;
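The "select user,password from user" query above is the right place to look, but reading the table by eye is error-prone. The second grant creates 'keystone'@'%', an account usable from any host that can reach port 3306, and mysql_secure_installation is supposed to have removed the anonymous and remote-root logins. The following is an added example, not part of the original lab report: it turns the output of that query (with the host column added) into findings. SAMPLE_USER_TABLE is a constructed copy of "mysql -e" tab-separated output and the hash strings in it are placeholders; audit_live_db is the wrapper to run on the controller.

```shell
#!/bin/sh
# Added example, not from the lab report: audit the MariaDB account table after
# the grants above. SAMPLE_USER_TABLE is a constructed copy of
# `mysql -e "SELECT user,host,password FROM mysql.user"` output (tab-separated,
# header row first); the "*CONSTRUCTED_HASH_*" strings are placeholders.

# Flag accounts that mysql_secure_installation is meant to remove (anonymous
# users, password-less logins) and accounts reachable from any host ('%').
# Input on stdin, output one "FINDING<TAB>user@host" line per problem.
audit_db_accounts() {
    awk -F'\t' 'NR > 1 {
        user = $1; host = $2; pw = $3
        if (user == "")  print "ANONYMOUS-ACCOUNT\t@" host
        if (pw == "")    print "EMPTY-PASSWORD\t" user "@" host
        if (host == "%") print "WILDCARD-HOST\t" user "@" host
    }'
}

# Wrapper for the live system on the controller: pipes the real table into the
# audit. Prompts for the root password chosen in mysql_secure_installation.
audit_live_db() {
    mysql -u root -p -e "SELECT user,host,password FROM mysql.user" | audit_db_accounts
}

# Constructed sample: root with a password locally but none from the controller
# hostname, the two keystone grants from the lab, and a leftover anonymous user.
SAMPLE_USER_TABLE="$(printf 'user\thost\tpassword\nroot\tlocalhost\t*CONSTRUCTED_HASH_ROOT\nroot\tcontroller-zq\t\nkeystone\tlocalhost\t*CONSTRUCTED_HASH_KEYSTONE\nkeystone\t%%\t*CONSTRUCTED_HASH_KEYSTONE\n\tlocalhost\t\n')"

# Stand-alone demo on the constructed sample: prints four findings.
printf '%s\n' "$SAMPLE_USER_TABLE" | audit_db_accounts
```

A WILDCARD-HOST finding for keystone is expected on this lab setup because the grant was issued exactly as the install guide shows; on a two-node lab where Keystone and MariaDB share the controller, the practical mitigations are the bind-address setting in /etc/my.cnf.d/openstack.cnf and a host firewall rule limiting 3306 to the nodes that need it. EMPTY-PASSWORD and ANONYMOUS-ACCOUNT findings mean mysql_secure_installation was not completed and should be rerun.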
12. Initialize the Keystone database; reference command:
su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller-zq ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller-zq ~]# mysql -u root -p
MariaDB [(none)]> use keystone
MariaDB [keystone]> show tables;
13. Initialize the keys; reference commands:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Initialize the Fernet key repositories:
[root@controller-zq ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller-zq ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service:
[root@controller-zq ~]# keystone-manage bootstrap --bootstrap-password 123456 \
> --bootstrap-admin-url http://controller-zq:5000/v3/ \
> --bootstrap-internal-url http://controller-zq:5000/v3/ \
> --bootstrap-public-url http://controller-zq:5000/v3/ \
> --bootstrap-region-id RegionOne
Configure the Apache HTTP server:
Edit the /etc/httpd/conf/httpd.conf file:
[root@controller-zq ~]# vim /etc/httpd/conf/httpd.conf
Create a link to the /usr/share/keystone/wsgi-keystone.conf file:
[root@controller-zq ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller-zq ~]# ll /etc/httpd/conf.d/
Start the Apache HTTP service and configure it to start at system boot:
[root@controller-zq ~]# systemctl enable httpd.service
[root@controller-zq ~]# systemctl start httpd.service
[root@controller-zq ~]# systemctl status httpd.service
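Step 10 edits keystone.conf and step 13 creates the Fernet key repository, but the report shows neither the settings nor the resulting files. The following is an added example, not part of the original lab report, that checks both after the fact: the [database] connection string must point at the keystone database with a real password, the [token] provider must be fernet, and the Fernet keys (which sign every token issued by this Keystone) must not be readable by anyone but their owner. The functions are meant to be pointed at /etc/keystone/keystone.conf and /etc/keystone/fernet-keys on the controller; the files written under $DEMO_DIR are a constructed stand-in so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the lab report: a post-install check for the two
# keystone.conf settings the lab edits in step 10 ([database] connection and
# [token] provider) and for the Fernet key repository that
# `keystone-manage fernet_setup` creates in step 13. On the controller run
# check_keystone_conf /etc/keystone/keystone.conf and
# check_fernet_keys /etc/keystone/fernet-keys; the files built under $DEMO_DIR
# below are a constructed stand-in (values mirror what the lab sets).

# ini_get FILE SECTION KEY: print the value of KEY under [SECTION], or nothing.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec); next }
        /^[[:space:]]*[#;]/ { next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Verify keystone.conf: the connection string must target the keystone
# database with a real password (not the install-guide placeholder), and the
# token provider must be fernet. Prints one line per problem; returns 0 if clean.
check_keystone_conf() {
    conf="$1"; rc=0
    conn="$(ini_get "$conf" database connection)"
    case "$conn" in
        "") echo "[database] connection unset: keystone would fall back to local sqlite"; rc=1 ;;
        *:KEYSTONE_DBPASS@*) echo "database password is still the placeholder KEYSTONE_DBPASS"; rc=1 ;;
        mysql+pymysql://keystone:*@*/keystone) ;;
        *) echo "[database] connection does not target the keystone database: $conn"; rc=1 ;;
    esac
    prov="$(ini_get "$conf" token provider)"
    [ "$prov" = "fernet" ] || { echo "[token] provider is '${prov:-unset}', expected fernet"; rc=1; }
    return $rc
}

# Verify the Fernet key repository. These keys sign and encrypt every token,
# so anyone who can read them can mint tokens: fernet_setup creates the
# directory 0700 and each key 0600, and this check fails if that has drifted.
check_fernet_keys() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "key repository $dir missing: run keystone-manage fernet_setup"; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode="$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")"
        case "$mode" in
            600|400) ;;
            *) echo "$f has mode $mode, expected 600"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed stand-in for the real files.
DEMO_DIR="$(mktemp -d)"
cat > "$DEMO_DIR/keystone.conf" <<'EOF'
[DEFAULT]
[database]
# constructed sample: the lab uses password 123456 and host controller-zq
connection = mysql+pymysql://keystone:123456@controller-zq/keystone
[token]
provider = fernet
EOF
mkdir -p "$DEMO_DIR/fernet-keys"
printf 'constructed-placeholder-not-a-real-key\n' > "$DEMO_DIR/fernet-keys/0"
chmod 700 "$DEMO_DIR/fernet-keys" && chmod 600 "$DEMO_DIR/fernet-keys/0"

# Stand-alone demo.
check_keystone_conf "$DEMO_DIR/keystone.conf" && echo "keystone.conf: OK"
check_fernet_keys "$DEMO_DIR/fernet-keys" && echo "fernet-keys: OK"
```

The file-mode check deliberately does not assert ownership, because the keystone user only exists once openstack-keystone is installed; on the controller, add `ls -ln /etc/keystone/fernet-keys` to confirm the files belong to that user, which is what the --keystone-user/--keystone-group options of fernet_setup arrange.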
14. Create the domain, projects, users and roles; reference commands:
Create the Service project:
#openstack project create --domain default \
--description "Service Project" service
Create the Demo project:
#openstack project create --domain default \
--description "Demo Project" demo
Create the demo user:
#openstack user create --domain default \
--password-prompt demo
Create the user role:
#openstack role create user
Link the user, project (tenant) and role together:
#openstack role add --project demo --user demo user
Set the environment variables:
[root@controller-zq ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller-zq ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller-zq ~]# export OS_PROJECT_NAME=admin
[root@controller-zq ~]# export OS_USERNAME=admin
[root@controller-zq ~]# export OS_PASSWORD=123456
[root@controller-zq ~]# export OS_AUTH_URL=http://controller-zq:5000/v3
[root@controller-zq ~]# export OS_IDENTITY_API_VERSION=3
[root@controller-zq ~]# export OS_IMAGE_API_VERSION=2
Check the environment variables:
[root@controller-zq ~]# export | grep OS
Although the "default" domain already exists from the keystone-manage bootstrap step earlier in this guide, the formal way to create a new domain is:
[root@controller-zq ~]# openstack domain create --description "An Example Domain" example
Create the Service project:
[root@controller-zq ~]# openstack project create --domain default --description "Service Project" service
Create the Demo project:
[root@controller-zq ~]# openstack project create --domain default --description "Demo Project" demo-zq
Create the demo user:
[root@controller-zq ~]# openstack user create --domain default --password-prompt zhongqing
Create the user role:
[root@controller-zq ~]# openstack role create user-zq
Link the user, project (tenant) and role together:
[root@controller-zq ~]# openstack role add --project demo-zq --user zhongqing user-zq
15. Verify the user information
Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:
[root@controller-zq ~]# unset OS_AUTH_URL OS_PASSWORD
As the admin user, request an authentication token:
[root@controller-zq ~]# openstack --os-auth-url http://controller-zq:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Using the zhongqing user created above, request an authentication token:
[root@controller-zq ~]# openstack --os-auth-url http://controller-zq:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name demo-zq --os-username zhongqing token issue
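Objective 3 of this lab is calling Keystone's basic interfaces, and "openstack token issue" is a thin wrapper around one of them: a POST to /v3/auth/tokens whose result comes back in the X-Subject-Token response header. The following is an added example, not part of the original lab report, that builds the same project-scoped password request the second "token issue" above sends, shows the curl call, and extracts the token from the response headers. Host, port, project and user names are taken from the lab; OS_PASSWORD is expected in the environment as the openrc files set it; SAMPLE_RESPONSE is a constructed response, not a capture from the controller.

```shell
#!/bin/sh
# Added example, not from the lab report: the Keystone v3 REST call behind
# `openstack token issue`. Host, project and user names are the lab's;
# OS_PASSWORD is expected in the environment as the openrc files set it;
# SAMPLE_RESPONSE is a constructed response, not a capture.

KEYSTONE_URL="http://controller-zq:5000/v3"

# auth_body USER_DOMAIN USERNAME PASSWORD PROJECT_DOMAIN PROJECT
# Builds the project-scoped password-authentication request body.
# Values are inserted verbatim; a password containing a double quote or a
# backslash would need JSON escaping first.
auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"domain":{"name":"%s"},"name":"%s","password":"%s"}}},"scope":{"project":{"domain":{"name":"%s"},"name":"%s"}}}}' \
        "$1" "$2" "$3" "$4" "$5"
}

# Extract the token from `curl -i` output on stdin. Keystone returns the token
# only in the X-Subject-Token response header; the JSON body describes it
# (user, project, roles, expiry) but does not contain it. Prints nothing on a
# 401, which is what a wrong password or unscoped user produces.
subject_token() {
    awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2; exit }'
}

# request_token USER_DOMAIN USERNAME PROJECT_DOMAIN PROJECT
# Live call for the controller. The body is piped to curl (-d @-) rather than
# passed as an argument so the password does not appear in `ps` or history.
request_token() {
    auth_body "$1" "$2" "$OS_PASSWORD" "$3" "$4" |
        curl -s -i -X POST "$KEYSTONE_URL/auth/tokens" \
            -H 'Content-Type: application/json' -d @- |
        subject_token
}

# Constructed sample of a successful response (201 Created).
SAMPLE_RESPONSE="$(printf 'HTTP/1.1 201 Created\r\nServer: Apache\r\nX-Subject-Token: gAAAAABconstructed_sample_token_value\r\nVary: X-Auth-Token\r\nContent-Type: application/json\r\n\r\n{"token":{"methods":["password"],"user":{"name":"zhongqing"},"project":{"name":"demo-zq"}}}')"

# Stand-alone demo: the body the lab's second `token issue` sends (with a
# placeholder password), and the token pulled from the sample response.
# Treat a real token as a credential: it authenticates as the user for its
# whole lifetime, one hour by default.
auth_body Default zhongqing "example-password" Default demo-zq; echo
printf '%s\n' "$SAMPLE_RESPONSE" | subject_token
```

On the controller, `. zq-openrc` followed by `request_token Default zhongqing Default demo-zq` should print a token of the same gAAAAAB... form that "openstack token issue" shows, which confirms the Fernet provider is in use and the zhongqing user is correctly scoped to demo-zq.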
16. Create the OpenStack client environment scripts
Create and edit the admin-openrc file and add the following content:
[root@controller-zq ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller-zq:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Create and edit the zq-openrc file and add the following content:
[root@controller-zq ~]# vim zq-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo-zq
export OS_USERNAME=zhongqing
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller-zq:5000/v3
export OS_IDENTITY_API_VERSION=3
Load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials:
[root@controller-zq ~]# . admin-openrc
Request an authentication token:
[root@controller-zq ~]# openstack token issue
Load the zq-openrc file to populate the environment variables with the location of the Identity service and the demo-zq project and zhongqing user credentials:
[root@controller-zq ~]# . zq-openrc
Request an authentication token:
[root@controller-zq ~]# openstack token issue
List the domains:
[root@controller-zq ~]# openstack domain list
List the users:
[root@controller-zq ~]# openstack user list
List the roles:
[root@controller-zq ~]# openstack role list
List the services:
[root@controller-zq ~]# openstack service list
List the projects:
[root@controller-zq ~]# openstack project list