私有云落地解决方案之openstack高可用（pike版本）-keystone

来源：互联网发布：未来国际局势知乎编辑：程序博客网时间：2024/06/03 11:18

作者：【吴业亮】

博客：http://blog.csdn.net/wylfengyujiancheng

1、安装软件包（三个节点）

yum install memcached python-memcached -y

2、修改memcache配置文件（三个节点）
修改vim /etc/sysconfig/memcached配置文件

cat <<END > /etc/sysconfig/memcachedPORT="11211"USER="memcached"MAXCONN="1024"CACHESIZE="64"OPTIONS="-l 0.0.0.0"END

3、启动服务并设置开机启动（三个节点）

systemctl enable memcached.servicesystemctl restart memcached.service

4、安装keystone软件包（三个节点）

yum install openstack-keystone httpd mod_wsgi mod_ssl -y

5、修改httpd配置文件（三个节点）

# cp -a /etc/httpd/conf/httpd.conf  /etc/httpd/conf/httpd.conf_bak # sed  -i  "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf

节点1

# sed -i "s/Listen\ 80/Listen\ 172.16.8.60:80/g" /etc/httpd/conf/httpd.conf

节点2

sed -i "s/Listen\ 80/Listen\ 172.16.8.60:80/g" /etc/httpd/conf/httpd.conf

节点3

sed -i "s/Listen\ 80/Listen\ 172.16.8.60:80/g" /etc/httpd/conf/httpd.conf

6、创建数据库（任一节点）

mysql -u root -pChangeme_123Create the keystone database:MariaDB [(none)]> CREATE DATABASE keystone;Grant proper access to the keystone database:MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \IDENTIFIED BY 'Changeme_123';MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \IDENTIFIED BY 'Changeme_123';

7、修改配置文件（三个节点）

# cp -a  /etc/keystone/keystone.conf  /etc/keystone/keystone.conf_bak

# vi /etc/keystone/keystone.conf[DEFAULT][assignment][auth][cache]memcache_servers = node1:11211,node2:11211,node3:11211[catalog][cors][credential][database]connection = mysql+pymysql://keystone:Changeme_123@172.16.8.50/keystone[domain_config][endpoint_filter][endpoint_policy][eventlet_server][federation][fernet_tokens][healthcheck][identity][identity_mapping][ldap][matchmaker_redis][memcache][oauth1][oslo_messaging_amqp][oslo_messaging_kafka][oslo_messaging_notifications][oslo_messaging_rabbit][oslo_messaging_zmq][oslo_middleware][oslo_policy][paste_deploy][policy][profiler][resource][revoke][role][saml][security_compliance][shadow_users][signing][token]provider = fernetdriver = memcache[tokenless_auth][trust]

8、同步数据库（任一节点）

su -s /bin/sh -c "keystone-manage db_sync" keystone

9、初始化密钥（node1上执行）

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystonekeystone-manage credential_setup --keystone-user keystone --keystone-group keystone

10、拷贝密钥（node1上执行）

# cd /etc/keystone/# scp -r credential-keys/ fernet-keys/ node2:$PWD# scp -r credential-keys/ fernet-keys/ node3:$PWD

11、赋予权限（节点2和3）

# chown keystone:keystone /etc/keystone/credential-keys/ -R# chown keystone:keystone /etc/keystone/fernet-keys/ -R

12、初始化（任一节点）

#  keystone-manage bootstrap --bootstrap-password Changeme_123 \  --bootstrap-admin-url http://172.16.8.50:35357/v3/ \  --bootstrap-internal-url http://172.16.8.50:5000/v3/ \  --bootstrap-public-url http://172.16.8.50:5000/v3/ \  --bootstrap-region-id RegionOne

注意不要有windows字符串，也可从该出复制后修改
https://docs.openstack.org/keystone/pike/install/keystone-install-rdo.html

13、创建文件/etc/httpd/conf.d/wsgi-keystone.conf（各个节点）

Listen 172.16.8.60:5000Listen 172.16.8.60:35357<VirtualHost 172.16.8.60:5000>    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}    WSGIProcessGroup keystone-public    WSGIScriptAlias / /usr/bin/keystone-wsgi-public    WSGIApplicationGroup %{GLOBAL}    WSGIPassAuthorization On    LimitRequestBody 114688    <IfVersion >= 2.4>      ErrorLogFormat "%{cu}t %M"    </IfVersion>    ErrorLog /var/log/httpd/keystone.log    CustomLog /var/log/httpd/keystone_access.log combined    <Directory /usr/bin>        <IfVersion >= 2.4>            Require all granted        </IfVersion>        <IfVersion < 2.4>            Order allow,deny            Allow from all        </IfVersion>    </Directory></VirtualHost><VirtualHost 172.16.8.60:35357>    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}    WSGIProcessGroup keystone-admin    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin    WSGIApplicationGroup %{GLOBAL}    WSGIPassAuthorization On    LimitRequestBody 114688    <IfVersion >= 2.4>      ErrorLogFormat "%{cu}t %M"    </IfVersion>    ErrorLog /var/log/httpd/keystone.log    CustomLog /var/log/httpd/keystone_access.log combined    <Directory /usr/bin>        <IfVersion >= 2.4>            Require all granted        </IfVersion>        <IfVersion < 2.4>            Order allow,deny            Allow from all        </IfVersion>    </Directory></VirtualHost>Alias /identity /usr/bin/keystone-wsgi-public<Location /identity>    SetHandler wsgi-script    Options +ExecCGI    WSGIProcessGroup keystone-public    WSGIApplicationGroup %{GLOBAL}    WSGIPassAuthorization On</Location>Alias /identity_admin /usr/bin/keystone-wsgi-admin<Location /identity_admin>    SetHandler wsgi-script    Options +ExecCGI    WSGIProcessGroup keystone-admin    WSGIApplicationGroup %{GLOBAL}    WSGIPassAuthorization On</Location>

注意：替换各个节点的IP

14、启动服务并设置开机启动

# systemctl enable httpd.service# systemctl restart httpd.service

创建文件~/keystonerc并写入如下内容

export OS_USERNAME=adminexport OS_PASSWORD=Changeme_123export OS_PROJECT_NAME=adminexport OS_USER_DOMAIN_NAME=Defaultexport OS_PROJECT_DOMAIN_NAME=Defaultexport OS_AUTH_URL=http://172.16.8.50:35357/v3export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2

15、创建service项目

# openstack project create --domain default --description "Service Project" service

16、创建demo项目以及demo用户,并为用户创建密码

# openstack project create --domain default --description "Demo Project" demo# openstack user create --domain default --password-prompt demo

17、创建user角色。并将demo用户赋予user角色

# openstack role create user# openstack role add --project demo --user demo user

18、验证

# unset OS_AUTH_URL OS_PASSWORD  openstack --os-auth-url http://172.16.8.50:35357/v3 \  --os-project-domain-name Default --os-user-domain-name Default \  --os-project-name admin --os-username admin token issue

 openstack --os-auth-url http://172.16.8.50:5000/v3 \  --os-project-domain-name Default --os-user-domain-name Default \  --os-project-name demo --os-username demo token issue

19、写入系统变量中（各个节点）

# echo "source ~/keystonerc " >> ~/.bash_profile# source ~/.bash_profile

阅读全文

0 0