① OpenStack HA cluster deployment guide (Train): basic configuration
② OpenStack HA cluster deployment guide (Train): Keystone
③ OpenStack HA cluster deployment guide (Train): Glance
10. Keystone cluster deployment
https://docs.openstack.org/keystone/train/install/index-rdo.html
Main functions of Keystone:
- manage users and their permissions;
- maintain the Endpoints of the OpenStack services;
- Authentication and Authorization.
1. Configure the keystone database
Create the database on any controller node; the database is synchronized to the other nodes automatically. controller01 is used as the example:
mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'Zxzn@2020';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'Zxzn@2020';
flush privileges;
exit
2. Install keystone
Install keystone on all controller nodes; controller01 is used as the example.
If Keystone is to be accessed over https, mod_ssl must also be installed:
yum install openstack-keystone httpd python3-mod_wsgi mod_ssl -y
# Back up the Keystone configuration file
cp /etc/keystone/keystone.conf{,.bak}
egrep -v '^$|^#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
3. Edit the Keystone configuration file
Wherever a stateful service is referenced, use the resolved VIP (myvip):
openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
openstack-config --set /etc/keystone/keystone.conf cache enabled true
openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller01:11211,controller02:11211,controller03:11211
# Note: the password contains '@', which is also the URL's user/host separator; the unambiguous form is to percent-encode it as Zxzn%402020, as the OpenStack install guide recommends for special characters
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:Zxzn@2020@myvip/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
Copy the configuration file to the other two nodes:
scp -rp /etc/keystone/keystone.conf controller02:/etc/keystone/keystone.conf
scp -rp /etc/keystone/keystone.conf controller03:/etc/keystone/keystone.conf
4. Sync the keystone database
4.1 On any controller node, populate the Keystone database:
# Populate the database
[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
# Verify the sync
[root@controller01 ~]# mysql -uroot -pZxzn@2020 keystone -e "show tables";
4.2 Initialize the Fernet key repositories; no error output means success.
# Generate the keys and their directories under /etc/keystone/
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Copy the freshly initialized keys to the other controller nodes
scp -rp /etc/keystone/fernet-keys /etc/keystone/credential-keys controller02:/etc/keystone/
scp -rp /etc/keystone/fernet-keys /etc/keystone/credential-keys controller03:/etc/keystone/
# After the copy, fix the ownership of the key directories on the other two controller nodes
chown -R keystone:keystone /etc/keystone/credential-keys/
chown -R keystone:keystone /etc/keystone/fernet-keys/
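A verification step added here (not from the original guide): once the keys have been copied and chowned, confirm that every controller holds byte-identical Fernet and credential key repositories with the expected ownership. It assumes the host names and paths used in this guide and that root on controller01 can ssh to the other controllers.

```shell
# Added check, not part of the original guide: confirm that the key
# repositories copied above are byte-identical on every controller and owned
# by keystone. Behind the VIP a token minted on one node is validated by
# whichever node HAProxy picks next, so one stale key shows up as random 401s.
# Assumed: the host names and paths used in this guide.

# One sha256 fingerprint for the key files in DIR ("missing" if DIR is absent).
# Hashing a sorted list of per-file hashes makes the value depend only on the
# file names and contents, not on mtimes or the order the files were copied.
fingerprint_keydir() {
    [ -d "$1" ] || { echo missing; return 0; }
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum ) \
        | sha256sum | cut -d' ' -f1
}

# Same pipeline run on another controller over ssh, so the strings compare.
fingerprint_remote_keydir() {
    ssh "$1" "[ -d '$2' ] || { echo missing; exit 0; }
              cd '$2' && find . -type f | LC_ALL=C sort | xargs -r sha256sum \
                  | sha256sum | cut -d' ' -f1"
}

# 0 when two local repositories exist and hold identical key material, else 1.
compare_keydirs() {
    a=$(fingerprint_keydir "$1")
    b=$(fingerprint_keydir "$2")
    [ "$a" != missing ] && [ "$a" = "$b" ]
}

# Walk both repositories on the other two controllers: report fingerprint
# mismatches and ownership that the chown step above did not fix.
check_cluster_keys() {
    rc=0
    for d in /etc/keystone/fernet-keys /etc/keystone/credential-keys; do
        local_fp=$(fingerprint_keydir "$d")
        for h in controller02 controller03; do
            remote_fp=$(fingerprint_remote_keydir "$h" "$d")
            if [ "$local_fp" = "$remote_fp" ] && [ "$local_fp" != missing ]; then
                echo "OK     $h:$d"
            else
                echo "DIFF   $h:$d  local=$local_fp remote=$remote_fp"; rc=1
            fi
            owner=$(ssh "$h" "stat -c '%U:%G' '$d'")
            [ "$owner" = keystone:keystone ] || { echo "OWNER  $h:$d is $owner"; rc=1; }
        done
    done
    return $rc
}
```

Run check_cluster_keys on controller01 after the scp and chown steps, and again after every keystone-manage fernet_rotate, since rotated keys must be redistributed the same way.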
5. Bootstrap the Identity service
On any controller node: this initializes the admin user and its password, the three API endpoints, the service entity, the region, and so on.
Note: the VIP is used here.
[root@controller01 ~]# keystone-manage bootstrap --bootstrap-password Zxzn@2020 \
--bootstrap-admin-url http://10.15.253.88:5000/v3/ \
--bootstrap-internal-url http://10.15.253.88:5000/v3/ \
--bootstrap-public-url http://10.15.253.88:5000/v3/ \
--bootstrap-region-id RegionOne
5.1 Configure the HTTP server
Set up on all controller nodes; controller01 is used as the example.
5.2 Configure httpd.conf
# Set ServerName to the host name
cp /etc/httpd/conf/httpd.conf{,.bak}
sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
# Replace with the appropriate IP address on each node
##controller01
sed -i "s/Listen\ 80/Listen\ 10.15.253.163:80/g" /etc/httpd/conf/httpd.conf
##controller02
sed -i "s/Listen\ 80/Listen\ 10.15.253.195:80/g" /etc/httpd/conf/httpd.conf
##controller03
sed -i "s/Listen\ 80/Listen\ 10.15.253.227:80/g" /etc/httpd/conf/httpd.conf
5.3 Configure wsgi-keystone.conf
Do this on all controller nodes; controller01 is used as the example.
# Symlink the wsgi-keystone.conf file into the httpd configuration directory
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# Replace with the appropriate IP address on each node
##controller01
sed -i "s/Listen\ 5000/Listen\ 10.15.253.163:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
sed -i "s#*:5000#10.15.253.163:5000#g" /etc/httpd/conf.d/wsgi-keystone.conf
##controller02
sed -i "s/Listen\ 5000/Listen\ 10.15.253.195:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
sed -i "s#*:5000#10.15.253.195:5000#g" /etc/httpd/conf.d/wsgi-keystone.conf
##controller03
sed -i "s/Listen\ 5000/Listen\ 10.15.253.227:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
sed -i "s#*:5000#10.15.253.227:5000#g" /etc/httpd/conf.d/wsgi-keystone.conf
5.4 Start the service
On all controller nodes; make sure SELinux is disabled before starting.
systemctl restart httpd.service
systemctl enable httpd.service
systemctl status httpd.service
5.5 Create the client environment scripts
On any controller node.
# The OpenStack client environment scripts define the environment variables the client uses to call the OpenStack API, so they need not be passed on the command line;
# the official docs put the variables for the admin user and the demo tenant in the home directory; each user role needs its own script;
# the scripts are usually created in the user's home directory.
admin-openrc
[root@controller01 ~]# cat >> ~/admin-openrc << EOF
#admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=Zxzn@2020
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://10.15.253.88:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
source ~/admin-openrc
# Copy to the other controller nodes
scp -rp ~/admin-openrc controller02:~/
scp -rp ~/admin-openrc controller03:~/
# Verify
[root@controller01 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
# The following command can also be used
openstack token issue
5.6 Create a new domain, project, user and role
On any controller node.
The Identity service provides authentication for every OpenStack service, using a combination of domains, projects, users and roles.
Create a domain
# The Default domain already exists from the keystone-manage bootstrap step; a new domain is created with:
openstack domain create --description "An Example Domain" example
Create the demo project
# The admin project, role and user already exist; create a new demo project and role
# Taking the demo project as the example, the demo project belongs to the "default" domain
openstack project create --domain default --description "demo Project" demo
Create the demo user
The new user's password must be supplied: --password-prompt asks for it interactively; --password <password> is non-interactive.
openstack user create --domain default --password Zxzn@2020 demo
Create the user role
openstack role create user
List the roles
openstack role list
Add the user role to the demo project and the demo user
# openstack role add --project <project> --user <user> <role>
openstack role add --project demo --user demo user
Also create an environment file for the demo user
The password is the demo user's password; source this file whenever the demo user's variables are needed.
demo-openrc
[root@controller01 ~]# cat >> ~/demo-openrc << EOF
#demo-openrc
export OS_USERNAME=demo
export OS_PASSWORD=Zxzn@2020
export OS_PROJECT_NAME=demo
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://10.15.253.88:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
source ~/demo-openrc
# Copy to the other controller nodes
scp -rp ~/demo-openrc controller02:~/
scp -rp ~/demo-openrc controller03:~/
# Verify
openstack token issue
5.7 Verify keystone
On any controller node, request an authentication token as the admin user, using the admin user's variables:
source admin-openrc
openstack --os-auth-url http://myvip:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
On any controller node, request an authentication token as the demo user, using the demo user's variables:
source demo-openrc
openstack --os-auth-url http://myvip:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
6. Set up the pcs resource
On any controller node: add the resource openstack-keystone-clone.
What pcs actually controls is the httpd service managed by each node's systemd unit.
[root@controller01 ~]# pcs resource create openstack-keystone systemd:httpd clone interleave=true
[root@controller01 ~]# pcs resource
* vip (ocf::heartbeat:IPaddr2): Started controller01
* Clone Set: lb-haproxy-clone [lb-haproxy]: # haproxy load balancing
* Started: [ controller01 ]
* Stopped: [ controller02 controller03 ]
* Clone Set: openstack-keystone-clone [openstack-keystone]: # keystone authentication
* Started: [ controller01 controller02 controller03 ]