Openstack组件部署 — Keystone Install & Create service entity and API endpoints

目录

  • 目录
  • 前文列表
  • Install and configure
    • Prerequisites 先决条件

      • Create the database for identity service
      • 生成一个随机数
    • Install and configure components
    • Configure the Apache HTTP server
  • Create the service entity and API endpoints
    • Prerequisites 先决条件
    • Create the service entity and API endpoints

前文列表

Openstack组件部署 — Overview和前期环境准备

Openstack组建部署 — Environment of Controller Node

Openstack组件部署 — Keystone功能介绍与认证实现流程

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node.

For performance, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

这一节记录了怎样在Controller Node上安装和配置Openstack的认证服务,代号为Keystone。在性能上,这个配置使用了Fernet Tokens和Apache HTTP服务器去处理请求。

Fernet Tokens:是K版本的更新内容,区别于UUID tokens只能持久化存入数据库,Fernet tokens完全不需要持久化。部署人员可以通过设置keystone.conf中的[token] provider = keystone.token.providers.fernet.Provider来启用Fernet token,这也是我们一会需要配置的参数项。Fernet tokens需要symmetric encryption keys(对称加密密钥),这些keys可以使用keystone-manage fernet_setup建立, 并且使用keystone-manage fernet_rotate周期性地轮换。这些keys必须被在一个multi-node(或者multi-region)部署中的所有Keystone nodes共享,这样就能使一个node生成的tokens可以立即被其他节点验证。

Prerequisites 先决条件

Before you configure the OpenStack Identity service, you must create a database and an administration token.

在配置Openstack认证服务之前,你需要先创建一个keystone数据库和一个用于初始化keystone期间的临时管理token。

Create the database for identity service

这个数据库用于存放Keystone组件(User、Tenant、Roles等)的相关信息。

Step1.进入MySQL

mysql -u root -pfanguiju

Step2.创建数据库keystone

CREATE DATABASE keystone;

Step3.创建keystone数据库用户并授予适当的访问权限

创建keystone数据库用户,使其可以对keystone数据库有完全控制权限。

GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone‘@‘localhost‘ IDENTIFIED BY ‘fanguiju‘;     #fanguiju为用户keystone的密码
GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone‘@‘%‘ IDENTIFIED BY ‘fanguiju‘;

Step4.退出MySQL

MariaDB [(none)]> exit
Bye

生成一个随机数

Generate a random value to use as the administration token during initial configuration

生成一个用于初始化keystone期间的临时管理token

[root@controller Desktop]# openssl rand -hex 10
c44048d3212d3f977643

Install and configure components

Note:This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. Therefore, this guide manually disables the keystone service.

注意:该指南使用Apache Http服务器的mod_wsgi(Python Web Server Gateway Interface)动态访问模块来支持认证服务在5000和35357端口上的请求。keystone service默认就会监听这两个端口,所以,该指南手动的禁用keystone service。

WSGI:Python Web服务器网关接口(Python Web Server Gateway Interface,缩写为WSGI),是Python应用程序或框架和Web服务器之间的一种接口,已经被广泛接受, 它已基本达成它的可移植性方面的目标。

Step1.安装openstack-keystoneHTTPmod_wsgi模块

yum install openstack-keystone httpd mod_wsgi -y

Step2.Edit the /etc/keystone/keystone.conf file and complete the following actions:

vim /etc/keystone/keystone.conf

#1. In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
admin_token = c44048d3212d3f977643              #刚刚使用openssl指令生成的随机数

#2. In the [database] section, configure database access:
[database]
connection = mysql+pymysql://keystone:[email protected]/keystone       #数据库连接配置 --> 使用mysql+pymysql协议://访问keystone用户:密码为范桂飓@数据库服务器hostname/访问keystone数据库;必要时可能需要使用IP代替hostname

#3. In the [token] section, configure the Fernet token provider:
[token]
provider = fernet

总览

[[email protected] ~]# cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$
[DEFAULT]
admin_token = c44048d3212d3f977643
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:[email protected].jmilk.com/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet
[tokenless_auth]
[trust]

注意:从总览的内容可以看出,在最新的版本中,第一次安装Keystone组件的时候,配置文件中的节点内容都是空的。但如果是使用该指南来安装其他版本Keystone的话,需要注意,我们应该是添加该指南的参数项到配置文件中,而不需要删除原来就已经存在的参数项。

Step3.Populate the Identity service database:

su -s /bin/sh -c "keystone-manage db_sync" keystone      #使用sh执行keystone数据库初始化填充指令

查看数据库表是否创建成功

[[email protected] Desktop]# mysql -u keystone -pfanguiju
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
+--------------------+
2 rows in set (0.03 sec)

MariaDB [(none)]> use keystone;
Database changed

MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

注意:执行此指令之后,忽略所有的deprecation messages。但是如果一直卡在这一步的话,我建议从新查看一下keystone.conf配置文件是否能够成功连接到数据库。

Step4.Initialize Fernet keys:

前文有过描述:Fernet tokens需要symmetric encryption keys,而这个keys就是使用keystone-manage fernet_setup来创建。

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Configure the Apache HTTP server

Step1.Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:

vim /etc/httpd/conf/httpd.conf

#指定Apache HTTP Server的hostname
ServerName controller.jmilk.com

Step2.Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:

开启两个监听端口,并配置两个Virtualhost-Port虚拟主机。

vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Step3.Start the Apache HTTP service and configure it to start when the system boots:

systemctl start httpd.service
systemctl enable httpd.service

到此为止,Keystone的安装已经完成了

Create the service entity and API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment requires a service entity and several API endpoints in the catalog.

认证服务提供了一个服务目录,需要为每一个加入到Openstack环境中的openstack service的service entity和若干个API endpoints添加到该服务目录中。

Prerequisites 先决条件

By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use a temporary authentication token that you created in the section called Install and configure to initialize the service entity and API endpoint for the Identity service.

默认的,新建的认证服务数据库并没有包含任何支持authentication catalog services的信息。你必须使用在上文中创建的临时的authentication token——admin_token去初始化service entityAPI endpoint

Step1.创建临时authentication token文件

vim ~/auth_token

#1. Configure the authentication token(OS_TOKEN = keystone.conf中的参数项admin_token的值)
export OS_TOKEN=c44048d3212d3f977643 

#2. Configure the endpoint URL(使用35357号Port)
export OS_URL=http://controller.jmilk.com:35357/v3

#3. Configure the Identity API version
export OS_IDENTITY_API_VERSION=3

加载auth_token文件的环境变量

source ~/auth_token

Create the service entity and API endpoints

Step1.Create the service entity服务实体 for the Identity service:

The Identity service manages a catalog of services in your OpenStack environment. Services use this catalog to determine the other services available in your environment.

认证服务在Openstack中管理着一个服务目录,Openstack services是通过服务目录来定位其他的service。

[[email protected]controller Desktop]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | c89a25e54e5b4ca3b277b15ec0d75853 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

ERROR: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7e447b64-0ab1-4add-b0f9-ccb29de79156)

这是一个非常常见的错误,尤其对于入门Openstack的小伙伴而言,很多人就卡在这个ERROR上。这里给出一些解决的方案:

1. 一定要检查Keystone的表是否成功创建

2. 确保环境变量正确,尤其是OS_TOKENadmin_token的值是一致的,建议使用Copy,因为常见参数值后面带有空格,导致不一致的情况。

3. 确保Hostname和IP能够成功解析

4. 确保Port:35357已经开启

5. 确保HTTP服务正常运行

6. 查看openstack-keystone服务是否打开,如果是M版本就无所谓了

7. 实在不行,建议重启主机试试(放大招了)

Step2.Create the Identity service API endpoints:

The Identity service manages a catalog of API endpoints associated with the services in your OpenStack environment. Services use this catalog to determine how to communicate with other services in your environment.OpenStack uses three API endpoint variants for each service: admin, internal, and public.

认证服务还管理着一个服务相关的API endpoints目录,Services使用endpoints目录确定怎么与其他Services通信。每一个Openstack service提供了三种形式的API endpoint:admin管理, internal内部, and public外部.

[[email protected] Desktop]# openstack endpoint create --region RegionOne identity public http://controller.jmilk.com:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 670ccbe782ba4e788c681f532d540177 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:5000/v3       |
+--------------+----------------------------------+

[[email protected] Desktop]# openstack endpoint create --region RegionOne identity internal http://controller.jmilk.com:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c1d4504fc49741f4968d0c28ee66cbbc |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:5000/v3       |
+--------------+----------------------------------+

[[email protected] Desktop]# openstack endpoint create --region RegionOne identity admin http://controller.jmilk.com:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b0a761a6365941d2a5db215c36883b4f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:35357/v3      |
+--------------+----------------------------------+
时间: 2024-11-25 08:27:47

Openstack组件部署 — Keystone Install & Create service entity and API endpoints的相关文章

Openstack组件部署 — keystone(domain, projects, users, and roles)

目录 目录 前文列表 Create a domain projects users and roles domain projects users and roles的意义和作用 Create the default domain Create the service projecttenant 创建用于管理的用户租户和角色 Create the admin projecttenant Create the admin user Create the admin role Add the adm

Openstack组件部署 — Networking service_Compute Node

目录 目录 前文列表 安装组件 配置通用组件 配置自服务网络选项 配置Linux 桥接代理 配置Nova使用网络 完成安装 验证操作Execute following commands on Controller Node 前文列表 Openstack组件部署 - Overview和前期环境准备 Openstack组建部署 - Environment of Controller Node Openstack组件部署 - Keystone功能介绍与认证实现流程 Openstack组件部署 - Ke

Openstack组件部署 — Nova_Install and configure a compute node

目录 目录 前文列表 Prerequisites 先决条件 Install and configure a compute node Install the packages Edit the etcnovanovaconf file Finalize installation 前文列表 Openstack组件部署 - Overview和前期环境准备 Openstack组建部署 - Environment of Controller Node Openstack组件部署 - Keystone功能

Openstack组建部署 — Glance Install

目录 目录 前文列表 Image service overview Openstack Image service包含的组件 Install and configure Prerequisites 先决条件 To create the database To create the service credentials Install and configure components Install the packages Edit the etcglanceglance-apiconf fi

Openstack组件部署 — Networking service_安装并配置Controller Node

目录 目录 前文列表 前提条件 完成下面的步骤以创建数据库 创建service credentials服务凭证 创建Neutron的API Endpoints 配置自服务网络 安装网络组件 配置服务组件 配置 Modular Layer 2 ML2 插件 配置Linux 桥接代理 配置layer-3代理 配置DHCP代理 配置元数据代理 配置计算使用网络 完成安装 前文列表 Openstack组件部署 - Overview和前期环境准备 Openstack组建部署 - Environment o

Openstack组件部署 — Nova_安装和配置Controller Node

目录 目录 前文列表 Prerequisites 先决条件 To create the databases To create the service credentials Create the Compute service API endpoints Install and configure components Install the packages Edit the etcnovanovaconf file Populate the Compute databases Finali

Openstack组件部署 — 将一个 New Service 添加到 Keystone

目录 目录 Keystone 认证流程 让 Keystone 为一个新的项目 Service 提供验证功能 最后 Keystone 认证流程 User 使用凭证(username/password) 到 keystone 验证并获得一个临时的 Token 和 Generic catalog(全局目录),临时的 Token 会存储在 keystone-client(cache UUID locally) 和 keystone-backend 中. User 使用这个临时 Token 发送给 key

OpenStack组件系列?Keystone搭建

一:版本信息 官网:http://docs.openstack.org/newton/install-guide-rdo/keystone.html 二:部署keystone 官网文档:http://docs.openstack.org/newton/install-guide-rdo/ 查看系统信息: [[email protected] ~]# cat /etc/redhat-release CentOS Linux release 7.0.1406 (Core) [[email prote

openstack组件之keystone

一 什么是keystone keystone是 OpenStack Identity Service 的项目名称.它在整个体系中充当一个授权者的角色. 二 keystone概念详解 User:指使用Openstack service的用户,可以是人.服务.系统,但凡使用了Openstack service的对象都可以称为User. Project(Tenant):可以理解为一个人.或服务所拥有的资源集合 .在一个Project(Tenant)中可以包含多个User,每一个User都会根据权限的划