openstack安装newton版本keyston部署(一)
一、部署环境:
两台centos7, 内存2G
控制计算节点:
Hostname1: ip:172.22.0.218
计算节点及存储节点
Hostname2: ip:172.22.0.209
二、管理节点环境准备
1、安装时间同步并配置
[root@linux-node1 ~]#yum install -y chrony[root@linux-node1 ~]# vi /etc/chrony.conf # Allow NTP client access from local network.#allow 192.168.0.0/16allow 172.22.0.0/24
View Code
2、启动时间同步
[root@linux-node1 ~]# systemctl enable chronyd.service[root@linux-node1 ~]# systemctl start chronyd.service[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai
View Code
3、安装openstack-newton版本
[root@linux-node1 ~]#•yum install /pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm-y[root@linux-node1 ~]# yum install centos-release-openstack-newton -y[root@linux-node1 ~]# yum install python-openstackclient -y
View Code
4、安装mysql
[root@linux-node1 ~]# yum install mariadb mariadb-server MySQL-python -y[root@linux-node1 /]# cp /usr/share/mariadb/my-f /etc/f[root@linux-node1 /]# vim /etc/f[mysqld]default-storage-engine = innodbinnodb_file_per_tablecollation-server = utf8_general_ciinit-connect = 'SET NAMES utf8'character-set-server = utf8 [root@linux-node1 /]# systemctl enable mariadb.service #设置开机自动启动[root@linux-node1 /]# systemctl start mariadb.service#启动mysql[root@linux-node1 /]# mysql_secure_installation#设置密码[root@linux-node1 /]# mysql -u root -p #登录数据库
View Code
5、创建各个组件的数据库:
CREATE DATABASE keystone; #服务注册中心GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';CREATE DATABASE glance;GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';CREATE DATABASE nova;GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';CREATE DATABASE nova_api;GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY ' nova ';GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY ' nova';CREATE DATABASE neutron;GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';CREATE DATABASE cinder;GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
View Code
6、Rabbitmq消息队列安装
[root@linux-node1 /]# yum install rabbitmq-server -y[root@linux-node1 /]# systemctl enable rabbitmq-server.service#开机启动rabbitmq[root@linux-node1 /]# systemctl start rabbitmq-server.service#启动rabbitmq 监听端口:5672netstat -nplt[root@linux-node1 /]# rabbitmqctl add_user openstack openstack #创建用户openstack密码是openstack[root@linux-node1 /]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" #授权
View Code
7、查看支持插件启动web管理插件端口是25672和15672
[root@localhost ~]# rabbitmq-plugins list #查看支持插件Configured: E = explicitly enabled; e = implicitly enabled| Status: * = running on rabbit@localhost|/[e*] amqp_client 3.6.5[ ] cowboy 1.0.3[ ] cowlib 1.0.1[e*] mochiweb2.13.1[ ] rabbitmq_amqp1_0 3.6.5[ ] rabbitmq_auth_backend_ldap 3.6.5[ ] rabbitmq_auth_mechanism_ssl 3.6.5[ ] rabbitmq_consistent_hash_exchange 3.6.5[ ] rabbitmq_event_exchange 3.6.5[ ] rabbitmq_federation3.6.5[ ] rabbitmq_federation_management 3.6.5[ ] rabbitmq_jms_topic_exchange 3.6.5[E*] rabbitmq_management3.6.5[e*] rabbitmq_management_agent 3.6.5[ ] rabbitmq_management_visualiser 3.6.5[ ] rabbitmq_mqtt 3.6.5[ ] rabbitmq_recent_history_exchange 1.2.1[ ] rabbitmq_sharding 0.1.0[ ] rabbitmq_shovel 3.6.5[ ] rabbitmq_shovel_management 3.6.5[ ] rabbitmq_stomp3.6.5[ ] rabbitmq_top 3.6.5[ ] rabbitmq_tracing 3.6.5[ ] rabbitmq_trust_store 3.6.5[e*] rabbitmq_web_dispatch 3.6.5[ ] rabbitmq_web_stomp3.6.5[ ] rabbitmq_web_stomp_examples 3.6.5[ ] sockjs 0.3.4[e*] webmachine 1.10.3[root@localhost ~]# rabbitmq-plugins enable rabbitmq_management #启动web管理插件端口是25672和15672
View Code
[root@localhost ~]# systemctl restart rabbitmq-server.service #启动rabbitmq
登录验证rabbitmq:
登录web界面使用自带的用户guest密码guest
授权OpenStack可以登录在Admin组件上配置
点击OpenStack将Tagsp配置为administrator
完成后状态:
现在可用openstack用户登录rabbitmq了:
三、Keystone部署(用户验证与服务目录,包含所有服务项与相关Api的端点):
keystone包含:user(用户);tenant(租户、项目);token(令牌);role(角色);service(服务);endpoint(端点)
1、安装OpenStack
[root@linux-node1 ~]# yum install openstack-keystone httpd mod_wsgi memcached python-memcached -y
备注: memcache为存储keystone用户认证信息,python-memcached为连接memcache
[root@linux-node1 opt]# openssl rand -hex 10 #生产随机码用户admin_token
e603318ad06187e6239c
2、编辑keystone配置文件:
root@localhost ~]# vi /etc/keystone/keystone.conf [default]verbose = true #开启debugadmin_token = e603318ad06187e6239c[database]connection = mysql://keystone:keystone@172.22.0.218/keystone#用作链接数据库,三个keysthone分别为keystone组件,keystone用户名,mysql中的keysthone库名[memcache]servers = 172.22.0.218:11211[token]provider = uuiddriver = memcache[revoke]driver = sql[root@localhost keystone]# grep '^[a-z]' /etc/keystone/keystone.confadmin_token = e603318ad06187e6239cconnection = mysql://keystone:keystone@172.22.0.218/keystoneservers = 172.22.0.218:11211driver = sqlprovider = uuiddriver = memcache
View Code
3、同步数据库及检查数据库:
[root@localhost ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone #同步数据库
[root@localhost ~]#mysql -uroot -pP@ssw0rd #登录到数据库检查数据
MariaDB [keystone]> show tables #查看表是否建立token-> ;+------------------------+| Tables_in_keystone|+------------------------+| access_token || assignment || config_register || consumer|| credential || endpoint|| endpoint_group || federated_user || federation_protocol || group || id_mapping || identity_provider|| idp_remote_ids || implied_role || local_user || mapping|| migrate_version || nonlocal_user|| password|| policy || policy_association|| project|| project_endpoint || project_endpoint_group || region || request_token|| revocation_event || role || sensitive_config || service|| service_provider || token || trust || trust_role || user || user_group_membership || whitelisted_config|+------------------------+37 rows in set (0.01 sec)
View Code
[root@localhost ~]# systemctl start memcached.service #启动memcache
4、添加一个apache的wsgi-keystone配置文件,其中5000端口是提供该服务的,35357是为admin提供管理用的
[root@localhost ~]# vi /etc/httpd/conf.d/wsgi-keystone.conf Listen 5000Listen 35357<VirtualHost *:5000>WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}WSGIProcessGroup keystone-publicWSGIScriptAlias / /usr/bin/keystone-wsgi-publicWSGIApplicationGroup %{GLOBAL}WSGIPassAuthorization On<IfVersion >= 2.4>ErrorLogFormat "%{cu}t %M"</IfVersion>ErrorLog /var/log/httpd/keystone-error.logCustomLog /var/log/httpd/keystone-access.log combined<Directory /usr/bin><IfVersion >= 2.4>Require all granted</IfVersion><IfVersion < 2.4>Order allow,denyAllow from all</IfVersion></Directory></VirtualHost><VirtualHost *:35357>WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}WSGIProcessGroup keystone-adminWSGIScriptAlias / /usr/bin/keystone-wsgi-adminWSGIApplicationGroup %{GLOBAL}WSGIPassAuthorization On<IfVersion >= 2.4>ErrorLogFormat "%{cu}t %M"</IfVersion>ErrorLog /var/log/httpd/keystone-error.logCustomLog /var/log/httpd/keystone-access.log combined<Directory /usr/bin><IfVersion >= 2.4>Require all granted</IfVersion><IfVersion < 2.4>Order allow,denyAllow from all</IfVersion></Directory></VirtualHost>
View Code
5、修改Apache配置
ServerName 172.22.0.218:80
View Code
6、启动Apache及检查服务:
[root@localhost ~]# systemctl start httpd.service [root@localhost ~]# systemctl enable httpd.service [root@localhost ~]# netstat -ntlp | grep httpd#检查tcp6 00 :::80 :::*LISTEN6381/httpdtcp6 00 :::35357:::*LISTEN6381/httpdtcp6 00 :::5000 :::*LISTEN6381/httpd
View Code
7、设置环境变量及创建项目(project):
创建用户并连接keystone,在这里可以使用两种方式,通过keystone –help后家参数的方式,或者使用环境变量env的方式,下面就将使用环境变量的方式,分别设置了token,API及控制版本(SOA种很适用)
[root@linux-node1~]# export OS_TOKEN=e603318ad06187e6239c
[root@llinux-node1 ~]# export OS_URL=http://172.22.0.218:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
创建admin项目(project)
[root@linux-node1 ~]# openstack domain create --description "Default Domain" default+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Default Domain || enabled| True || id| 75d20be284604d22aa6339f4a92092ad || name | default|+-------------+----------------------------------+[root@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Admin Project|| domain_id | 75d20be284604d22aa6339f4a92092ad || enabled| True || id| 7c0763e1b8a84e628eca4603e8170e31 || is_domain | False || name | admin || parent_id | 75d20be284604d22aa6339f4a92092ad |+-------------+----------------------------------+
View Code
创建admin用户(user)并设置密码(生产环境一定设置一个复杂的)
[root@linux-node1 ~]# openstack user create --domain default --password-prompt adminUser Password:Repeat User Password:+---------------------+----------------------------------+| Field| Value |+---------------------+----------------------------------+| domain_id | 75d20be284604d22aa6339f4a92092ad || enabled | True || id | b157751bed2a49fba654b8aca651d6e2 || name| admin || password_expires_at | None |+---------------------+----------------------------------+
View Code
创建admin的角色(role)
[root@linux-node1 ~]# openstack role create admin+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | None || id | f9d64dd56e924013a5625079afb90bd1 || name| admin |+-----------+----------------------------------+
View Code
把admin用户加到admin项目,赋予admin角色,把角色,项目,用户关联起来
[root@localhost ~]# openstack role add --project admin --user admin admin
创建一个普通用户demo,demo项目,角色为普通用户(uesr),并把它们关联起来
[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Project || domain_id | 75d20be284604d22aa6339f4a92092ad || enabled| True || id| 0eb713b710f74dddae9c05da5b851813 || is_domain | False || name | demo || parent_id | 75d20be284604d22aa6339f4a92092ad |+-------------+----------------------------------+[root@linux-node1 keystone]# openstack user create --domain default --password=demo demo+---------------------+----------------------------------+| Field| Value |+---------------------+----------------------------------+| domain_id | 75d20be284604d22aa6339f4a92092ad || enabled | True || id | 2c317424791d40409b9563a6be84eb87 || name| demo || password_expires_at | None |+---------------------+----------------------------------+[root@linux-node1 ~]# openstack role create user[root@linux-node1 ~]# openstack role create user+-----------+----------------------------------+| Field| Value |+-----------+----------------------------------+| domain_id | None || id | 81a9712d39cf43c083b1dac1d791220b || name| user |+-----------+----------------------------------+[root@localhost ~]# openstack role add --project demo --user demo user #加入user角色
View Code
创建一个service的项目,此服务用来管理nova,neuturn,glance等组件的服务
[root@linux-node1 keystone]# openstack project create --domain default --description "Service Project" service+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Service Project || domain_id | 75d20be284604d22aa6339f4a92092ad || enabled| True || id| af2f8ddb65f54334aec867f364c3ceb4 || is_domain | False || name | service|| parent_id | 75d20be284604d22aa6339f4a92092ad |+-------------+----------------------------------+查看创建的用户,角色,项目:[root@linux-node1 ~]# openstack user list+----------------------------------+-------+| ID | Name |+----------------------------------+-------+| 2c317424791d40409b9563a6be84eb87 | demo || b157751bed2a49fba654b8aca651d6e2 | admin |+----------------------------------+-------+[root@linux-node1 ~]# openstack project list+----------------------------------+---------+| ID | Name |+----------------------------------+---------+| 0eb713b710f74dddae9c05da5b851813 | demo || 7c0763e1b8a84e628eca4603e8170e31 | admin || af2f8ddb65f54334aec867f364c3ceb4 | service |+----------------------------------+---------+[root@linux-node1 ~]# openstack role list +----------------------------------+-------+| ID | Name |+----------------------------------+-------+| 81a9712d39cf43c083b1dac1d791220b | user || f9d64dd56e924013a5625079afb90bd1 | admin |+----------------------------------+-------+
View Code
注册keystone服务,虽然keystone本身是搞注册的,但是自己也需要注册服务
创建keystone认证
[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | OpenStack Identity|| enabled| True || id| 9b0442ce735142b5a895c4e9d5cac0b5 || name | keystone|| type | identity|+-------------+----------------------------------+
View Code
分别创建三种类型的endpoint,分别为public:对外可见,internal内部使用,admin管理使用
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://172.22.0.218:5000/v2.0+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 93feb7dd80b3405893c409f914e39a4e || interface | public || region | RegionOne || region_id | RegionOne || service_id | 9b0442ce735142b5a895c4e9d5cac0b5 || service_name | keystone|| service_type | identity|| url| http://172.22.0.218:5000/v2.0 |+--------------+----------------------------------+[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://172.22.0.218:5000/v2.0+--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | 444f17d243354ec79bc40cff08123133 || interface | internal|| region | RegionOne || region_id | RegionOne || service_id | 9b0442ce735142b5a895c4e9d5cac0b5 || service_name | keystone|| service_type | identity|| url| http://172.22.0.218:5000/v2.0 |+--------------+----------------------------------+[[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://172.22.0.218:35357/v2.0 +--------------+----------------------------------+| Field | Value |+--------------+----------------------------------+| enabled| True || id | db9aaaa9a0cb4b11ae8d0ee610765fea || interface | admin || region | RegionOne || region_id | RegionOne || service_id | 9b0442ce735142b5a895c4e9d5cac0b5 || service_name | keystone|| service_type | identity|| url| http://172.22.0.218:35357/v2.0 |+--------------+----------------------------------+
View Code
查看创建的endpoint:
[root@linux-node1 ~]# openstack endpoint list+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+| ID | Region | Service Name | Service Type | Enabled | Interface | URL |+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+| 444f17d243354ec79bc | RegionOne | keystone| identity| True | internal | http://172.22.0.218: || 40cff08123133 | | | | | | 5000/v2.0 || 93feb7dd80b3405893c | RegionOne | keystone| identity| True | public | http://172.22.0.218: || 409f914e39a4e | | | | | | 5000/v2.0 || db9aaaa9a0cb4b11ae8 | RegionOne | keystone| identity| True | admin| http://172.22.0.218: || d0ee610765fea | | | | | | 35357/v2.0 |+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+
View Code
删除endpoint:
[root@localhost ~]# openstack endpoint delete xxxxxxxxxxxxxxxx(ID号)
四、链接到keystone,请求token,在这里由于已经添加了用户名和密码,就不在使用token,所有就一定要取消环境变量了
[root@localhost ~]# unset OS_TOKEN
[root@localhost ~]# unset OS_URL
配置keystone环境变量,方便执行命令:
[[root@linux-node1 ~]# vi admin-openrc.sh export OS_PROJECT_DOMAIN_ID=149851931b7746bdbe239b17a17f2845export OS_USER_DOMAIN_ID=149851931b7746bdbe239b17a17f2845 export OS_PROJECT_NAME=adminexport OS_TENANT_NAME=adminexport OS_USERNAME=adminexport OS_PASSWORD=adminexport OS_AUTH_URL=http://172.22.0.218:35357/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2[root@localhost ~]# vi demo-openrc.sh export OS_PROJECT_DOMAIN_ID=149851931b7746bdbe239b17a17f2845export OS_USER_DOMAIN_ID=149851931b7746bdbe239b17a17f2845 export OS_PROJECT_NAME=demoexport OS_TENANT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=demoexport OS_AUTH_URL=http://172.22.0.218:5000/v3 export OS_IDENTITY_API_VERSION=3
View Code
[root@localhost ~]# chmod +x admin-openrc.sh demo-openrc.sh
[root@localhost ~]# source admin-openrc.sh
[root@localhost ~]# openstack token issue
[root@linux-node1 ~]# openstack token issue+------------+----------------------------------+| Field| Value |+------------+----------------------------------+| expires | -03-05 10:23:52+00:00 || id | 7267bebbcc1342f68be476ab51671366 || project_id | 503b0eab0420454e909a46e476bf1ede || user_id | faa372fc9c4a45e9870b98a0ab4952ef |+------------+----------------------------------+
View Code
获取token表示部署成功!
posted on -03-12 16:23Steward_Xu 阅读(...) 评论(...) 编辑 收藏