
OpenStack Newton installation: Keystone deployment (part 1)

Date: 2019-03-06 21:50:27


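I. Deployment environment:

Two CentOS 7 hosts, 2 GB of RAM

Controller and compute node:

Hostname1: ip:172.22.0.218

Compute and storage node:

Hostname2: ip:172.22.0.209

II. Preparing the management node environment

1. Install and configure time synchronization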

[root@linux-node1 ~]# yum install -y chrony
[root@linux-node1 ~]# vi /etc/chrony.conf
# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 172.22.0.0/24

2. Start time synchronization

[root@linux-node1 ~]# systemctl enable chronyd.service
[root@linux-node1 ~]# systemctl start chronyd.service
[root@linux-node1 ~]# timedatectl set-timezone Asia/Shanghai

3. Install the OpenStack Newton release

[root@linux-node1 ~]# yum install /pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm -y
[root@linux-node1 ~]# yum install centos-release-openstack-newton -y
[root@linux-node1 ~]# yum install python-openstackclient -y

4. Install MySQL

[root@linux-node1 ~]# yum install mariadb mariadb-server MySQL-python -y
[root@linux-node1 /]# cp /usr/share/mariadb/my-f /etc/f
[root@linux-node1 /]# vim /etc/f
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
[root@linux-node1 /]# systemctl enable mariadb.service   # start automatically at boot
[root@linux-node1 /]# systemctl start mariadb.service    # start MySQL
[root@linux-node1 /]# mysql_secure_installation          # set the password
[root@linux-node1 /]# mysql -u root -p                   # log in to the database

5. Create the databases for each component:

CREATE DATABASE keystone;   # service registry
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
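The statements in step 5 give every service account a password equal to its user name and accept connections from any host ('%'). As an added example (not part of the original post), the script below emits the same CREATE/GRANT statements with a random password per account and the host limited to the management subnet; DB_HOST_PATTERN, DB_MAP, gen_password and gen_grants are names assumed here.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: services reach MariaDB over the 172.22.0.0/24 network used on this page.
DB_HOST_PATTERN='172.22.0.%'

# user:database pairs taken from step 5 (the nova user owns two databases)
DB_MAP='keystone:keystone glance:glance nova:nova nova:nova_api neutron:neutron cinder:cinder'

gen_password() {
    # 16 random bytes as hex; openssl is the tool the page uses for admin_token
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 16
    else
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

gen_grants() {
    last_user=''
    for pair in $DB_MAP; do
        user=${pair%%:*}
        db=${pair#*:}
        # one password per account, reused when the account owns several databases
        if [ "$user" != "$last_user" ]; then
            pw=$(gen_password)
            last_user=$user
        fi
        printf 'CREATE DATABASE %s;\n' "$db"
        for host in localhost "$DB_HOST_PATTERN"; do
            printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
                "$db" "$user" "$host" "$pw"
        done
    done
}
```

Run it as `gen_grants > grants.sql` under `umask 077`, and put each generated password into the matching service's connection string instead of the service name.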

6. Install the RabbitMQ message queue

[root@linux-node1 /]# yum install rabbitmq-server -y
[root@linux-node1 /]# systemctl enable rabbitmq-server.service   # start RabbitMQ at boot
[root@linux-node1 /]# systemctl start rabbitmq-server.service    # start RabbitMQ; listening port: 5672 (netstat -nplt)
[root@linux-node1 /]# rabbitmqctl add_user openstack openstack   # create user openstack with password openstack
[root@linux-node1 /]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"   # grant permissions

7. List the supported plugins and enable the web management plugin; the ports are 25672 and 15672

[root@localhost ~]# rabbitmq-plugins list   # list the supported plugins
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status:   * = running on rabbit@localhost
 |/
[e*] amqp_client                       3.6.5
[  ] cowboy                            1.0.3
[  ] cowlib                            1.0.1
[e*] mochiweb                          2.13.1
[  ] rabbitmq_amqp1_0                  3.6.5
[  ] rabbitmq_auth_backend_ldap        3.6.5
[  ] rabbitmq_auth_mechanism_ssl       3.6.5
[  ] rabbitmq_consistent_hash_exchange 3.6.5
[  ] rabbitmq_event_exchange           3.6.5
[  ] rabbitmq_federation               3.6.5
[  ] rabbitmq_federation_management    3.6.5
[  ] rabbitmq_jms_topic_exchange       3.6.5
[E*] rabbitmq_management               3.6.5
[e*] rabbitmq_management_agent         3.6.5
[  ] rabbitmq_management_visualiser    3.6.5
[  ] rabbitmq_mqtt                     3.6.5
[  ] rabbitmq_recent_history_exchange  1.2.1
[  ] rabbitmq_sharding                 0.1.0
[  ] rabbitmq_shovel                   3.6.5
[  ] rabbitmq_shovel_management        3.6.5
[  ] rabbitmq_stomp                    3.6.5
[  ] rabbitmq_top                      3.6.5
[  ] rabbitmq_tracing                  3.6.5
[  ] rabbitmq_trust_store              3.6.5
[e*] rabbitmq_web_dispatch             3.6.5
[  ] rabbitmq_web_stomp                3.6.5
[  ] rabbitmq_web_stomp_examples       3.6.5
[  ] sockjs                            0.3.4
[e*] webmachine                        1.10.3
[root@localhost ~]# rabbitmq-plugins enable rabbitmq_management   # enable the web management plugin; the ports are 25672 and 15672

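[root@localhost ~]# systemctl restart rabbitmq-server.service   # restart RabbitMQ

Log in to verify RabbitMQ:

Log in to the web interface with the built-in user guest, password guest.

To allow the openstack user to log in, configure it on the Admin tab.

Click the openstack user and set Tags to administrator.

State after completion:

You can now log in to RabbitMQ as the openstack user: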

III. Keystone deployment (user authentication and the service catalog, which contains all service entries and their API endpoints):

Keystone comprises: user; tenant (project); token; role; service; endpoint

1. Install OpenStack

[root@linux-node1 ~]# yum install openstack-keystone httpd mod_wsgi memcached python-memcached -y

Note: memcached stores Keystone's user authentication data, and python-memcached is the client used to connect to memcached.

[root@linux-node1 opt]# openssl rand -hex 10   # generate a random string to use as admin_token

e603318ad06187e6239c

2. Edit the Keystone configuration file:

[root@localhost ~]# vi /etc/keystone/keystone.conf
[default]
# enable debug
verbose = true
admin_token = e603318ad06187e6239c
[database]
# Database connection; the three "keystone" values are the database user name, its password, and the keystone database name in MySQL
connection = mysql://keystone:keystone@172.22.0.218/keystone
[memcache]
servers = 172.22.0.218:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
[root@localhost keystone]# grep '^[a-z]' /etc/keystone/keystone.conf
admin_token = e603318ad06187e6239c
connection = mysql://keystone:keystone@172.22.0.218/keystone
servers = 172.22.0.218:11211
driver = sql
provider = uuid
driver = memcache

3. Sync the database and check it:

[root@localhost ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone   # sync the database

[root@localhost ~]# mysql -uroot -pP@ssw0rd   # log in to the database and check the data

MariaDB [keystone]> show tables   # check whether the token table was created
    -> ;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.01 sec)

[root@localhost ~]# systemctl start memcached.service   # start memcached

4. Add an Apache wsgi-keystone configuration file; port 5000 serves the Keystone service itself and port 35357 is used for admin management

[root@localhost ~]# vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

5. Modify the Apache configuration

ServerName 172.22.0.218:80

6. Start Apache and check the service:

[root@localhost ~]# systemctl start httpd.service
[root@localhost ~]# systemctl enable httpd.service
[root@localhost ~]# netstat -ntlp | grep httpd   # check
tcp6       0      0 :::80                   :::*                    LISTEN      6381/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      6381/httpd
tcp6       0      0 :::5000                 :::*                    LISTEN      6381/httpd

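7. Set the environment variables and create the projects:

To create users and connect to Keystone there are two options: pass the parameters on the command line (see keystone --help), or use environment variables. The environment-variable approach is used below, setting the token, the API URL and the API version in turn (well suited to SOA).

[root@linux-node1 ~]# export OS_TOKEN=e603318ad06187e6239c

[root@linux-node1 ~]# export OS_URL=http://172.22.0.218:35357/v3

[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3

Create the admin project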

[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 75d20be284604d22aa6339f4a92092ad |
| name        | default                          |
+-------------+----------------------------------+
[root@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 75d20be284604d22aa6339f4a92092ad |
| enabled     | True                             |
| id          | 7c0763e1b8a84e628eca4603e8170e31 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 75d20be284604d22aa6339f4a92092ad |
+-------------+----------------------------------+

Create the admin user and set its password (be sure to set a complex one in production)

[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 75d20be284604d22aa6339f4a92092ad |
| enabled             | True                             |
| id                  | b157751bed2a49fba654b8aca651d6e2 |
| name                | admin                            |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Create the admin role

[root@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | f9d64dd56e924013a5625079afb90bd1 |
| name      | admin                            |
+-----------+----------------------------------+

Add the admin user to the admin project and grant it the admin role, linking the role, project and user together

[root@localhost ~]# openstack role add --project admin --user admin admin

Create an ordinary user demo and a demo project, with the ordinary-user role (user), and link them together

[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 75d20be284604d22aa6339f4a92092ad |
| enabled     | True                             |
| id          | 0eb713b710f74dddae9c05da5b851813 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 75d20be284604d22aa6339f4a92092ad |
+-------------+----------------------------------+
[root@linux-node1 keystone]# openstack user create --domain default --password=demo demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 75d20be284604d22aa6339f4a92092ad |
| enabled             | True                             |
| id                  | 2c317424791d40409b9563a6be84eb87 |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 81a9712d39cf43c083b1dac1d791220b |
| name      | user                             |
+-----------+----------------------------------+
[root@localhost ~]# openstack role add --project demo --user demo user   # add the user role

Create a service project, which is used to manage the services of components such as nova, neutron and glance

[root@linux-node1 keystone]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 75d20be284604d22aa6339f4a92092ad |
| enabled     | True                             |
| id          | af2f8ddb65f54334aec867f364c3ceb4 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 75d20be284604d22aa6339f4a92092ad |
+-------------+----------------------------------+

List the users, roles and projects that were created:

[root@linux-node1 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 2c317424791d40409b9563a6be84eb87 | demo  |
| b157751bed2a49fba654b8aca651d6e2 | admin |
+----------------------------------+-------+
[root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0eb713b710f74dddae9c05da5b851813 | demo    |
| 7c0763e1b8a84e628eca4603e8170e31 | admin   |
| af2f8ddb65f54334aec867f364c3ceb4 | service |
+----------------------------------+---------+
[root@linux-node1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 81a9712d39cf43c083b1dac1d791220b | user  |
| f9d64dd56e924013a5625079afb90bd1 | admin |
+----------------------------------+-------+

Register the Keystone service: although Keystone itself handles registration, it also has to be registered as a service

Create the Keystone identity service

[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 9b0442ce735142b5a895c4e9d5cac0b5 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

Create the three types of endpoint: public (externally visible), internal (for internal use) and admin (for management)

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://172.22.0.218:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 93feb7dd80b3405893c409f914e39a4e |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9b0442ce735142b5a895c4e9d5cac0b5 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.22.0.218:5000/v2.0    |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://172.22.0.218:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 444f17d243354ec79bc40cff08123133 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9b0442ce735142b5a895c4e9d5cac0b5 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.22.0.218:5000/v2.0    |
+--------------+----------------------------------+
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://172.22.0.218:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | db9aaaa9a0cb4b11ae8d0ee610765fea |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 9b0442ce735142b5a895c4e9d5cac0b5 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.22.0.218:35357/v2.0   |
+--------------+----------------------------------+

List the created endpoints:

[root@linux-node1 ~]# openstack endpoint list
+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+
| ID                  | Region    | Service Name | Service Type | Enabled | Interface | URL                  |
+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+
| 444f17d243354ec79bc | RegionOne | keystone     | identity     | True    | internal  | http://172.22.0.218: |
| 40cff08123133       |           |              |              |         |           | 5000/v2.0            |
| 93feb7dd80b3405893c | RegionOne | keystone     | identity     | True    | public    | http://172.22.0.218: |
| 409f914e39a4e       |           |              |              |         |           | 5000/v2.0            |
| db9aaaa9a0cb4b11ae8 | RegionOne | keystone     | identity     | True    | admin     | http://172.22.0.218: |
| d0ee610765fea       |           |              |              |         |           | 35357/v2.0           |
+---------------------+-----------+--------------+--------------+---------+-----------+----------------------+

Delete an endpoint:

[root@localhost ~]# openstack endpoint delete xxxxxxxxxxxxxxxx   # the endpoint ID

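IV. Connect to Keystone and request a token. Because a user name and password have now been added, the token is no longer used, so the environment variables must be unset.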

[root@localhost ~]# unset OS_TOKEN

[root@localhost ~]# unset OS_URL

Configure Keystone environment variable files to make running commands easier:

[root@linux-node1 ~]# vi admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=149851931b7746bdbe239b17a17f2845
export OS_USER_DOMAIN_ID=149851931b7746bdbe239b17a17f2845
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://172.22.0.218:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@localhost ~]# vi demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=149851931b7746bdbe239b17a17f2845
export OS_USER_DOMAIN_ID=149851931b7746bdbe239b17a17f2845
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.22.0.218:5000/v3
export OS_IDENTITY_API_VERSION=3

[root@localhost ~]# chmod +x admin-openrc.sh demo-openrc.sh

[root@localhost ~]# source admin-openrc.sh

[root@localhost ~]# openstack token issue

[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | -03-05 10:23:52+00:00            |
| id         | 7267bebbcc1342f68be476ab51671366 |
| project_id | 503b0eab0420454e909a46e476bf1ede |
| user_id    | faa372fc9c4a45e9870b98a0ab4952ef |
+------------+----------------------------------+

Obtaining a token means the deployment succeeded!
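Unsetting OS_TOKEN only clears the shell variable: admin_token is still configured in keystone.conf, and the openrc files hold passwords equal to the user names and are made executable although sourcing needs only read access. As an added example (not part of the original post), the check below reports those leftovers; audit_keystone_conf and audit_openrc are names assumed here, and the connection URL shape is the one shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post: report the bootstrap-time
# settings this walkthrough leaves in keystone.conf and the openrc files.

# audit_keystone_conf FILE: one finding per line for an INI-style file.
audit_keystone_conf() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # [section] header
            sec = tolower($0); gsub(/[^a-z_]/, "", sec); next
        }
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        sec == "default" && key == "admin_token" && val != "" {
            print "admin_token still set in [DEFAULT]"
        }
        sec == "database" && key == "connection" {
            # URL shape used on the page: scheme://user:password@host/db
            cred = val; sub(/^[^:]+:\/\//, "", cred); sub(/@.*$/, "", cred)
            n = index(cred, ":")
            if (n && substr(cred, 1, n - 1) == substr(cred, n + 1))
                print "database password equals the user name"
        }
    ' "$1"
}

# audit_openrc FILE: check a credentials file that is sourced before CLI use.
audit_openrc() {
    user=$(sed -n 's/^export OS_USERNAME=//p' "$1")
    pass=$(sed -n 's/^export OS_PASSWORD=//p' "$1")
    if [ -n "$pass" ] && [ "$user" = "$pass" ]; then
        echo "OS_PASSWORD equals OS_USERNAME"
    fi
    # Characters 5-10 of the mode string are the group/other permission bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "file is accessible to group/other; chmod 600 is enough to source it"
    fi
}
```

Call `audit_keystone_conf /etc/keystone/keystone.conf` and `audit_openrc admin-openrc.sh`; no output means none of these conditions was found.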

posted on -03-12 16:23 Steward_Xu
