Notes kept for easy reference.
Keystone only needs to be installed on the controller node.
Configuration
Keystone keeps its data in a MySQL database, so first create the database and the database user:
mysql -uroot -p123456 -e "create database keystone; grant all privileges on keystone.* to 'keystone'@'192.168.23.11' identified by 'keystone'; grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone';"
Install keystone:
yum install openstack-keystone python-keystoneclient
Edit the configuration file /etc/keystone/keystone.conf:
[DEFAULT]
admin_token=ADMIN  # a freshly installed keystone has no users or tokens yet; this is the bootstrap token
debug=true  # enable debug output
verbose=true  # show details
[database]
connection=mysql://keystone:[email protected]/keystone  # database connection; also used when syncing the tables
[token]
provider = keystone.token.providers.uuid.Provider  # token format, uuid by default; pki is also available
driver = keystone.token.persistence.backends.sql.Token  # token persistence backend
expiration=3600  # token lifetime in seconds, one hour by default
To view the active (uncommented) settings and section headers:
grep '^[a-z[]' /etc/keystone/keystone.conf
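As an added example (not part of the original post), a small Python check that reads a keystone.conf in the shape edited above and flags the settings a reviewer would look at before the node goes into service: the bootstrap admin_token, debug logging, the plaintext database password in the connection string, and the token lifetime. The sample file and the reported limits are constructed for the example.

```python
import configparser

# Constructed sample in the shape of the keystone.conf edited above; values are
# illustrative, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
admin_token=ADMIN
debug=true
verbose=true
[database]
connection=mysql://keystone:keystone@controller/keystone
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
expiration=3600
"""


def audit_keystone_conf(text, max_expiration=3600):
    """Return a list of findings for the risky settings in a keystone.conf text."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    findings = []

    # admin_token lets anyone who knows it act as admin without a password;
    # it is only needed for bootstrapping and should be removed afterwards.
    token = cp.get("DEFAULT", "admin_token", fallback=None)
    if token:
        findings.append("admin_token is set: remove it once the admin user and role exist")
        if token.lower() == "admin" or len(token) < 32:
            findings.append("admin_token is weak: use a long random value while bootstrapping")

    # Debug logging records request details, which can include credentials.
    if cp.getboolean("DEFAULT", "debug", fallback=False):
        findings.append("debug=true: disable in production, request logs may contain tokens")

    # mysql://user:password@host/db keeps the DB password in the file.
    conn = cp.get("database", "connection", fallback="")
    userinfo = conn.split("//", 1)[-1].split("@", 1)[0] if "@" in conn else ""
    if ":" in userinfo:
        findings.append("database connection embeds a plaintext password: keep keystone.conf readable by the keystone user only")

    # Long-lived tokens widen the window in which a leaked token is usable.
    exp = cp.getint("token", "expiration", fallback=3600)
    if exp > max_expiration:
        findings.append(f"token expiration {exp}s exceeds the {max_expiration}s limit")
    return findings


if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_CONF):
        print("-", finding)
```

Run it against a real file with audit_keystone_conf(open("/etc/keystone/keystone.conf").read()).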
Create the PKI certificates and set permissions:
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /var/log/keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl
Sync the keystone database tables and verify:
keystone-manage db_sync
mysql -ukeystone -pkeystone -e 'use keystone; show tables;'  # list the tables; the output looks like this
+-----------------------+
| Tables_in_keystone |
+-----------------------+
| assignment |
| credential |
| domain |
| endpoint |
| group |
| id_mapping |
| migrate_version |
| policy |
| project |
| region |
| revocation_event |
| role |
| service |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
+-----------------------+
Start the service and enable it at boot:
systemctl enable openstack-keystone
systemctl start openstack-keystone
Create tenants, users and roles
Export the admin token:
# the same value as admin_token, the first setting in the config file
export OS_SERVICE_TOKEN=ADMIN
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Creation steps:
keystone tenant-create --name admin --description "Admin Tenant"  # admin tenant
keystone user-create --name admin --pass admin --email [email protected]  # admin user
keystone role-create --name admin  # admin role
keystone user-role-add --user admin --tenant admin --role admin  # grant the admin role
keystone tenant-create --name demo --description "Demo Tenant"
keystone user-create --name demo --tenant demo --pass demo --email [email protected]  # default role is _member_
keystone tenant-create --name service --description "Service Tenant"  # special tenant holding the access endpoints of the OpenStack services
keystone service-create --name keystone --type identity --description "Openstack Identity"
keystone endpoint-create \
  --service-id $(keystone service-list | awk '/ identity / {print $2}') \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region regionOne
Verification
Unset the variables set earlier:
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
Edit two files
admin-openrc.sh
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v2.0  # 35357 is the admin-only port
demo-openrc.sh
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v2.0  # 5000 is the port normal users use
List the roles:
. admin-openrc.sh
keystone role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| fe94a3b269024d2286248d0a0522442a | admin    |
+----------------------------------+----------+
At this point keystone is installed successfully.
Usage
Common commands:
keystone user-list
keystone tenant-list
keystone role-list
keystone service-list
keystone endpoint-list
keystone-all --config-file /etc/keystone/keystone.conf  # run the service in the foreground with the given config file
Ports used: 35357 (admin API) and 5000 (public API).