OpenStack基础组件安装keystone身份认证服务

域名解析

vim /etc/hosts

192.168.245.172 controller01

192.168.245.171 controller02

192.168.245.173 controller03

配置源码

配置 dns 全局解释器：

vim /etc/resolv.conf

nameserver 192.168.254.251            #连接learn.yunwei.edu的内网
nameserver 223.5.5.5

wget http://download2.yunwei.edu/shell/yum-repo.sh
sh yum-repo.sh

清空，更新下源码

yum clean all （清空）

yum makecache （更新）

OpenStack 环境组件安装

由于我们配置好了公司源码，所以直接下载所需的组件

安装 OpenStack包：

1.安装启用 OpenStack 仓库的包

# yum install centos-release-openstack-ocata -y

2.安装 OpenStack 客户端

# yum install pythone-openstackclient -y

3.安装 OpenStack-selinux 软件包以便自动管理 OpenStack 服务的安全策略

# yum install openstack-selinux -y

安装 SQL 数据库：

1.安装软件包

# yum install  mariadb mariadb-server python2-PyMySQL -y

2.创建并编辑 /etc/my.cnf.d/openstack.cnf，然后完成如下动作：

在 [mysqld] 部分，设置 ``bind-address``值为控制节点的管理网络IP地址以使得其它节点可以通过管理网络访问数据库：

# cat /etc/my.cnf.d/openstack.cnf

[mysqld]
bind-address = 192.168.245.172 #绑定控制节点IP，填主机名或者Ip
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

3.启动数据库服务，并将其配置为开机自启

# systemctl start mariadb.service

# systemctl enable mariadb.service

并检查端口是否存在

ss -ntl | grep 3306 或者 netstat -ntpl | grep 3306

4.为了保证数据库服务的安全性，运行 mysql_secure_installation 设置密码

# mysql_secure_installation

安装rabbitmq消息队列

yum -y install rabbitmq-server

systemctl start rabbitmq-server.service

systemctl enable rabbitmq-server.service

在rabbitmq中添加用户

rabbitmqctl add_user openstack admin

设置权限

rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...

安装memcached

yum -y install memcached python-memcached

编辑配置文件

vim /etc/sysconfig/memcached

PORT=“”
USER=“memcached”
MAXCONN=“”
CACHESIZE=“”
OPTIONS="-l 127.0.0.1,::1,controller01"

systemctl start memcached.service

systemctl enable memcached.service

Identity service安装

mysql -uroot -p123

CREATE DATABASE keystone;

建立keystone用户与权限

GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone’@‘localhost’
IDENTIFIED BY ‘123’;

设置远程登录

GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone’@’%’
IDENTIFIED BY ‘123’;

下载keystone httpd mod_wsgi

yum -y install openstack-keystone httpd mod_wsgi

先备份配置文件

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak

编辑配置文件，在database模块中添加

[DEFAULT]

[assignment]

[auth]

[cache]

[catalog]

[cors]

[cors.subdomain]

[credential]

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[domain_config]

[endpoint_filter]

[endpoint_policy]

[eventlet_server]

[federation]

[fernet_tokens]

[healthcheck]

[identity]

[identity_mapping]

[kvs]

[ldap]

[matchmaker_redis]

[memcache]

[oauth1]

[oslo_messaging_amqp]

[oslo_messaging_kafka]

[oslo_messaging_notifications]

[oslo_messaging_rabbit]

[oslo_messaging_zmq]

[oslo_middleware]

[oslo_policy]

[paste_deploy]

[policy]

[profiler]

[resource]

[revoke]

[role]

[saml]

[security_compliance]

[shadow_users]

[signing]

[token]
provider = fernet

[tokenless_auth]

[trust]

导入数据库

su -s /bin/sh -c “keystone-manage db_sync” keystone

mysql -ukeystone -p123

use keystone;

show tables;

+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| user_option            |
| whitelisted_config     |
+------------------------+
 rows in set (0.00 sec)

建立管理员的用户

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

设置keystone服务端点

keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://controller01:35357/v3/ \
  --bootstrap-internal-url http://controller01:5000/v3/ \
  --bootstrap-public-url http:///controller01:5000/v3/ \
  --bootstrap-region-id RegionOne

链接keystone的配置文件

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ #软链接

开启httpd服务

systemctl start httpd.service

systemctl enable httpd.service

httpd中写入服务器的地址

vim /etc//httpd/conf/httpd.conf  #在ServerName模块下写入

ServerName comtroller01

systemctl restart httpd

宣告环境变量

vim openrc

export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller01:35357/v3
export OS_IDENTITY_API_VERSa

source openrc 启动环境变量

显示如下则为成功

openstack user list

创建名为service的项目

openstack project create --domain default \
  --description "Service Project" service

创建demo项目

openstack project create --domain default \
  --description "Demo Project" demo

创建demo项目的用户，并设置为管理员

openstack user create --domain default \
  --password=demo demo

创建用户user的角色

openstack role create user

在项目demo中添加角色，并设为普通

openstack role add --project demo --user demo user