; OpenStack之keystone | Linux运维部落

OpenStack之keystone

一、什么是OpenStack

   OpenStack是一种云操作系统,它控制着一个数据中心里大量的计算、存储和网络资源。管理员在一个web界面内通过仪表盘方便地管理,控制,授权用户,以提供各种资源。

二、云服务分类

可分为IAAS, PAAS, SAAS等

IAAS:Infrastructure as a Service (操作系统级别,OpenStack, Cloudstack)

PAAS:Platform as a service (web,DB等已部署的应用,面向专业用户,如Docker)

SAAS:Software-as-a-Service (应用面向用户)

FWaas, DBaaS, LBaas, …

三、OpenStack术语

(1)卷和分布式存储

卷(cinder):提供永久存储;

分布式存储(swift):提供虚拟机模板;

(2)服务和项目对应关系

一个服务名称对应一个项目名称。

重点测试如下项目:

服务                                                  项目

OpenStack Identity Service       — keystone

OpenStack Image Service         — glance

OpenStack Compute Service    — nova

OpenStack Networking Service — neutron

(3)Openstack项目分工

Compute: 项目Nova,主要职责包括启动、调度VMs; 

Networking:项目Neutron,网络组件,插件化设计,支持众多流行的网络管理插件;

Object Storage: 项目swift;分布式存储;

Block Storage:项目为Cinder,为VMs提供持久的块存储能力;

Identity: 代码为Keystone;为Openstack中的所有服务提供了认证、授权以及端点编录目录;

Image: 项目Glance,用于存储和检索磁盘映像文件;

Dashboard: 项目为Horizon,WebGUI,web管理各项目服务; 

Telemetry: 项目为Ceilometer,用于实现监控和计量服务的实现;

Orachestration: 项目为Heat,用于多项目联动;

Database:项目为Trove,提供DBaaS服务;

Data processing:项目为sahara,在OpenStack中实现Hadoop的管理;   

服务一般有决策者和执行者,各服务信息通过mysql存储。

(4)存储和卷

云环境下硬盘提供方式:文件模拟硬盘、物理磁盘分区;

磁盘映像文件:每次启动磁盘映像文件是从指定存储下载到虚拟机启动节点;每次关闭虚拟机,映像文件会在各节点销毁;

卷是永久存储的一种方式,各节点一般通过iscsi连接;

四、controller node各服务配置总结

安装分两个步骤:

步骤一:预安装

创建数据库、授权–>运行环境变量–>创建管理用户及服务体–>创建API服务端点(public, internal, admin)

步骤二:安装及配置组件:

[database]连接方式–>rabbitmq、keystone认证–>配置支持的特性–>数据库同步–>开机启动及运行服务

 五、实验

我们的实验的目标是搭建一套openstack云操作系统,实验对象为两节点,分别配置controller node和compute node。openstack配置量极大,我们将分几次实验来搭建整套操作系统。这次的实验的目标是在controller node和compute node上配置预安装环境和设置Identity(kestone)服务。

3c396878-4555-442e-a83d-0fe6b4b37c41.png

1. 预安装工作

(1)配置/etc/hosts

192.168.10.11 controller

192.168.10.12 compute1

192.168.10.13 compute2

192.168.10.14 block

(2)配置ntp服务,使用轻量级ntp服务chrony

在controller上配置/etc/chrony.conf

允许内网地址

allow 192.168.10/24

添加开机启动和启动服务

# systemctl enable chronyd

# systemctl start chronyd

在compute上修改server配置

server controller iburst

测试:

[root@controller ~]# chronyc sources

210 Number of sources = 4

MS Name/IP address         Stratum Poll Reach LastRx Last sample

===============================================================================

^+ 161.53.131.133                2   6   377    29    +22ms[  +22ms] +/-  233ms

^+ ntp2.flashdance.cx            2   6   313    32  +4258us[+4258us] +/-  578ms

^+ ntp3.flashdance.cx            2   6   377    31  +1233us[+1233us] +/-  200ms

^* ntp2.itcompliance.dk          2   6   377    33   +947us[+4528us] +/-  167ms

[root@compute ~]# chronyc sources

210 Number of sources = 1

MS Name/IP address         Stratum Poll Reach LastRx Last sample

===============================================================================

^* controller                    3   6    77    23   +886us[+2718us] +/-  169ms

(3). 配置openstack yum源/etc/yum.repos.d/openstack.repo

[openstack]

name=openstack mitaka

baseurl=http://mirrors.aliyun.com/centos/7.2.1511/cloud/x86_64/openstack-mitaka/

enabled=1

gpgcheck=0

(4) 安装软件

 yum install mariadb mariadb-server python2-PyMySQL

(5)创建及配置

1
<span style="font-family: 微软雅黑,Microsoft YaHei;font-size: 16px">/etc/my.cnf.d/openstack.cnf</span>


[mysqld]

default-storage-engine = innodb

innodb_file_per_table

max_connections = 4096

collation-server = utf8_general_ci
character-set-server = utf8

skip_name_resolve
(6)启动服务

# systemctl enable mariadb.service
# systemctl start mariadb.service

(7)安装rabbitmq-server

# yum install rabbitmq-server

# systemctl enable rabbitmq-server.service

# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack openstack

# rabbitmqctl set_user_tags openstack administrator

# rabbitmqctl set_permissions openstack ".*" ".*" ".*"

(8)安装memcached

# yum install memcached python-memcached

#systemctl enable memcached.service

#systemctl start memcached.service

(9) 关闭iptables, selinux

编辑/etc/sysconfig/selinux,修改SELINUX参数的值为disable

立即生效:

# getenforce

# setenforce  0

(10)设置主机名为controller、compute1

# hostnamectl set-hostname controller

# hostnamectl set-hostname compute1

2. 安装Identity(keystone)

(1) To create the database, complete the following actions:

  • Use the database access client to connect to the database server as the 

    1
    <span style="font-family: 微软雅黑,Microsoft YaHei;font-size: 16px">root</span>

     user:

    $ mysql -u root -p
Create the keystone database:
    mysql> CREATE DATABASE keystone;
Grant proper access to the keystone database:
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    IDENTIFIED BY 'keystone';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    IDENTIFIED BY 'keystone';
检查:
SHOW GRANTS FOR  'keystone'@'localhost';
SHOW GRANTS FOR  'keystone'@'%';

(2)安装及配置
1) 安装组件
# yum install openstack-keystone httpd mod_wsgi
# yum install python-openstackclient
2)配置 /etc/keystone/keystone.conf
[DEFAULT]

admin_token = f63285a166ca96ee181c

[database]

connection = mysql+pymysql://keystone:keystone@controller/keystone
#connection = 连接方式://用户名:密码@主机名/数据库
[token]

provider = fernet
3)同步 Identity service数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone
4) 初始化Fernet key 仓库
# keystone-manage fernet_setup –keystone-user keystone –keystone-group keystone
5) 配置 Apache HTTP 服务
Edit the /etc/httpd/conf/httpd.conf
    ServerName controller
Create the /etc/httpd/conf.d/keystone.conf:

Listen 5000

Listen 35357

<VirtualHost *:5000>

    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}

    WSGIProcessGroup keystone-public

    WSGIScriptAlias / /usr/bin/keystone-wsgi-public

    WSGIApplicationGroup %{GLOBAL}

    WSGIPassAuthorization On

    ErrorLogFormat "%{cu}t %M"

    ErrorLog /var/log/httpd/keystone-error.log

    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>

        Require all granted

    </Directory>

</VirtualHost>

<VirtualHost *:35357>

    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}

    WSGIProcessGroup keystone-admin

    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin

    WSGIApplicationGroup %{GLOBAL}

    WSGIPassAuthorization On

    ErrorLogFormat "%{cu}t %M"

    ErrorLog /var/log/httpd/keystone-error.log

    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>

        Require all granted

    </Directory>

</VirtualHost>

# systemctl enable httpd

# systemctl start httpd

6) 配置service entity 和API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to your

OpenStack environment

$ export OS_TOKEN=f63285a166ca96ee181c

$ export OS_URL=http://controller:35357/v3

$ export OS_IDENTITY_API_VERSION=3

    Create the service entity for the Identity service:

$ openstack service create \

  –name keystone –description "OpenStack Identity" identity

[root@localhost ~]# openstack service create \

>   –name keystone –description "OpenStack Identity" identity

+————-+———————————-+

| Field       | Value                            |
+————-+———————————-+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 28324912b51c42ea868623bf1c918875 |
| name        | keystone                         |
| type        | identity                         |
+————-+———————————-+

    Create the Identity service API endpoints:

$ openstack endpoint create –region RegionOne \

  identity public http://controller:5000/v3

[root@localhost ~]# openstack endpoint create –region RegionOne \
>   identity public http://controller:5000/v3
+————–+———————————-+
| Field        | Value                            |
+————–+———————————-+
| enabled      | True                             |
| id           | f896e8b118fb4b83b177662afec6ee71 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+————–+———————————-+

$ openstack endpoint create –region RegionOne \

  identity internal http://controller:5000/v3

[root@localhost ~]# openstack endpoint create –region RegionOne \
>   identity internal http://controller:5000/v3
+————–+———————————-+
| Field        | Value                            |
+————–+———————————-+
| enabled      | True                             |
| id           | 1949e1778ffa4d589a7b707e832d9c86 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+————–+———————————-+

$ openstack endpoint create –region RegionOne \

  identity admin http://controller:35357/v3  

[root@localhost ~]# openstack endpoint create –region RegionOne \

>   identity admin http://controller:35357/v3  

+————–+———————————-+

| Field        | Value                            |

+————–+———————————-+

| enabled      | True                             |

| id           | eb3dcf9db6cb439cbff45a9c5cdb884e |

| interface    | admin                            |

| region       | RegionOne                        |

| region_id    | RegionOne                        |

| service_id   | 28324912b51c42ea868623bf1c918875 |

| service_name | keystone                         |

| service_type | identity                         |

| url          | http://controller:35357/v3       |

+————–+———————————-+

7) The Identity service provides authentication services for each OpenStack service.

The authentication service uses a combination of domains, projects (tenants), users, and

roles.

    Create the default domain:

$ openstack domain create –description "Default Domain" default

[root@localhost ~]# openstack domain create –description "Default Domain" default
+————-+———————————-+
| Field       | Value                            |
+————-+———————————-+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 82ffd4c577bd4621967b12dd595b042f |
| name        | default                          |
+————-+———————————-+

    Create the admin project:

$ openstack project create –domain default \
  –description "Admin Project" admin
[root@localhost ~]# openstack project create –domain default \
>   –description "Admin Project" admin
+————-+———————————-+
| Field       | Value                            |
+————-+———————————-+
| description | Admin Project                    |
| domain_id   | 82ffd4c577bd4621967b12dd595b042f |
| enabled     | True                             |
| id          | 1ad1c008ea354c6abed93183b47a9643 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 82ffd4c577bd4621967b12dd595b042f |
+————-+———————————-+    

    Create the admin user:
$ openstack user create –domain default \
  –password-prompt admin

[root@localhost ~]# openstack user create –domain default \
>   –password-prompt adminUser Password: admin
Repeat User Password:admin+———–+———————————-+
| Field     | Value                            |
+———–+———————————-+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled   | True                             |
| id        | 1182b6dc17a94bac9e8630f76ec55194 |
| name      | admin                            |
+———–+———————————-+
 Create the admin role:
$ openstack role create admin

[root@localhost ~]#  openstack role create admin
+———–+———————————-+
| Field     | Value                            |
+———–+———————————-+
| domain_id | None                             |
| id        | 71ebf5ea73344c348afe5f7a3490ff04 |
| name      | admin                            |
+———–+———————————-+  
   Add the admin role to the admin project and user:
$ openstack role add –project admin –user admin admin

    Create the service project:

$ openstack project create –domain default \
  –description "Service Project" service

[root@localhost ~]# openstack project create –domain default \
>   –description "Service Project" service
+————-+———————————-+
| Field       | Value                            |
+————-+———————————-+
| description | Service Project                  |
| domain_id   | 82ffd4c577bd4621967b12dd595b042f |
| enabled     | True                             |
| id          | 77ac0350c78d405db0a593ee14fc579c |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 82ffd4c577bd4621967b12dd595b042f |
+————-+———————————-+

    Create the demo project:

$ openstack project create –domain default \
  –description "Demo Project" demo

[root@localhost ~]#  openstack project create –domain default \
>   –description "Demo Project" demo
+————-+———————————-+
| Field       | Value                            |
+————-+———————————-+
| description | Demo Project                     |
| domain_id   | 82ffd4c577bd4621967b12dd595b042f |
| enabled     | True                             |
| id          | 5cb6675efb81411b919a83a9623cd804 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 82ffd4c577bd4621967b12dd595b042f |
+————-+———————————-+    
    Create the demo user:

$ openstack user create –domain default \
  –password-prompt demo

[root@localhost ~]# openstack user create –domain default   –password-prompt demo
User Password:
Repeat User Password:
+———–+———————————-+
| Field     | Value                            |
+———–+———————————-+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled   | True                             |
| id        | 2edf64b6bc4e43c3b5e46914c56bd5bb |
| name      | demo                             |

    Create the user role:
$ openstack role create user  

[root@localhost ~]# openstack role create user
+———–+———————————-+
| Field     | Value                            |
+———–+———————————-+
| domain_id | None                             |
| id        | 1e870f8b258644059e27ebc7c4b08ea4 |
| name      | user                             |
+———–+———————————-+    
    Add the user role to the demo project and user:
$ openstack role add –project demo –user demo use
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IMAGE_API_VERSION=2

using the script
Load .admin-openrc file to populate environment variables with the
location of the Identity service and the admin project and user credentials:
$ . admin-openrc
Request an authentication token:

[root@localhost ~]# openstack token issue


原创文章,作者:allen,如若转载,请注明出处:http://www.178linux.com/66888

发表评论

电子邮件地址不会被公开。 必填项已用*标注

联系我们

400-080-6560

在线咨询:点击这里给我发消息

邮件:1660809109@qq.com

工作时间:周一至周五,9:30-18:30,节假日同时也值班