Acha (blog author)
2022-07-13

# OpenStack Pike deployment, part 2: Keystone

## Keystone overview

The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and a catalog of services.

The Identity service is typically the first service a user interacts with. Once authenticated, an end user can use their identity to access other OpenStack services. Likewise, other OpenStack services leverage the Identity service to ensure users are who they say they are and discover where other services are within the deployment. The Identity service can also integrate with some external user management systems (such as LDAP).

Users and services can locate other services by using the service catalog, which is managed by the Identity service. As the name implies, a service catalog is a collection of available services in an OpenStack deployment. Each service can have one or many endpoints and each endpoint can be one of three types: admin, internal, or public. In a production environment, different endpoint types might reside on separate networks exposed to different types of users for security reasons. For instance, the public API network might be visible from the Internet so customers can manage their clouds. The admin API network might be restricted to operators within the organization that manages cloud infrastructure. The internal API network might be restricted to the hosts that contain OpenStack services. Also, OpenStack supports multiple regions for scalability.

For simplicity, this guide uses the management network for all endpoint types and the default RegionOne region. Together, regions, services, and endpoints created within the Identity service comprise the service catalog for a deployment. Each OpenStack service in your deployment needs a service entry with corresponding endpoints stored in the Identity service. This can all be done after the Identity service has been installed and configured.
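The catalog lookup described above, as an added example that is not part of the original post or of Keystone's own code: it resolves an endpoint the way an OpenStack client does (service type, interface, region) and flags the two layouts the overview warns against, a public endpoint without TLS and an admin endpoint that is not separated from the public host. The catalog data, service ids, `cloud.example.com` and `10.0.0.11` are constructed for the example; only the `controller:5000` / `controller:35357` URLs mirror this deployment.

```python
"""Pick endpoints out of a Keystone v3 service catalog and flag risky layouts."""
from urllib.parse import urlsplit

# Constructed sample in the shape of token["catalog"] in a Keystone v3 token
# response (the same data `openstack catalog list` prints). The ids, the
# cloud.example.com host and the 10.0.0.11 address are invented for this
# example; 5000/35357 are the Pike-era public/admin Identity ports.
SAMPLE_CATALOG = [
    {
        "type": "identity", "name": "keystone", "id": "svc-identity",
        "endpoints": [
            {"id": "ep1", "interface": "public", "region_id": "RegionOne",
             "url": "http://controller:5000/v3/"},
            {"id": "ep2", "interface": "internal", "region_id": "RegionOne",
             "url": "http://controller:5000/v3/"},
            {"id": "ep3", "interface": "admin", "region_id": "RegionOne",
             "url": "http://controller:35357/v3/"},
        ],
    },
    {
        "type": "image", "name": "glance", "id": "svc-image",
        "endpoints": [
            {"id": "ep4", "interface": "public", "region_id": "RegionOne",
             "url": "https://cloud.example.com:9292"},
            {"id": "ep5", "interface": "internal", "region_id": "RegionOne",
             "url": "http://10.0.0.11:9292"},
            {"id": "ep6", "interface": "admin", "region_id": "RegionOne",
             "url": "http://10.0.0.11:9292"},
        ],
    },
]


def find_endpoint(catalog, service_type, interface="public", region_id="RegionOne"):
    """Return the URL a client resolves: the first endpoint whose service type,
    interface and region all match. Raises LookupError when none does, which
    is the condition an OpenStack client reports as 'endpoint not found'."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            # Keystone emits both "region_id" and the legacy "region" key.
            ep_region = ep.get("region_id", ep.get("region"))
            if ep.get("interface") == interface and ep_region == region_id:
                return ep["url"]
    raise LookupError(f"no {interface} endpoint for {service_type} in {region_id}")


def audit_catalog(catalog):
    """Flag the layouts the overview warns about: a public endpoint served over
    plain HTTP, and an admin endpoint on the same host as the public one
    (i.e. not moved onto the operator network)."""
    findings = []
    for service in catalog:
        parts = {ep["interface"]: urlsplit(ep["url"]) for ep in service.get("endpoints", [])}
        public, admin = parts.get("public"), parts.get("admin")
        if public is not None and public.scheme != "https":
            findings.append((service["type"], "public endpoint is not served over TLS"))
        if public is not None and admin is not None and admin.hostname == public.hostname:
            findings.append((service["type"], "admin endpoint shares the public host"))
    return findings


if __name__ == "__main__":
    print(find_endpoint(SAMPLE_CATALOG, "identity", "admin"))
    for service_type, problem in audit_catalog(SAMPLE_CATALOG):
        print(f"{service_type}: {problem}")
```

Run against this lab's catalog the audit reports both findings for the identity service, which is exactly the "management network for all endpoint types" shortcut the guide chooses for simplicity; the constructed image service shows what a separated layout looks like.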
The Identity service contains these components:

- Server: a centralized server provides authentication and authorization services using a RESTful interface.
- Drivers: drivers or a service back end are integrated to the centralized server. They are used for accessing identity information in repositories external to OpenStack, and may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
- Modules: middleware modules run in the address space of the OpenStack component that is using the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface.

## Installation and configuration

### Create the database

1. Connect to the database as root. Passing the password on the command line (`-p000000`) records it in the shell history and, briefly, exposes it in the process list; outside a throwaway lab use `-p` alone and type it at the prompt.

```
[root@controller ~]# mysql -u root -p000000
```

2. Create the keystone database:

```
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
```

3. Grant the keystone user all privileges on the keystone database:

```
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.00 sec)
```

> Tip: to remove the database user again

```
MariaDB [(none)]> drop user keystone@'%';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> drop user keystone@'localhost';
Query OK, 0 rows affected (0.00 sec)
```

### Install and configure the components

1. Install the packages:

```
[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi
```

2. Configure keystone.conf.

> Tip: strip blank and comment lines and keep a backup of the original file: `sed -i.bak '/^$/d;/^#/d' xxx.conf`

```
[root@controller ~]# sed -i.bak '/^$/d;/^#/d' /etc/keystone/keystone.conf
[root@controller ~]# vim /etc/keystone/keystone.conf
[database]
# database access
connection = mysql+pymysql://keystone:000000@controller/keystone
[token]
# Fernet token provider
provider = fernet
```

The file now holds the database password in clear text, and the `.bak` copy will too once you edit it. Check that both stay readable only by root and the keystone group (`ls -l /etc/keystone/`), which is how the package installs keystone.conf.

3. Populate the keystone database:

```
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
```

4. Initialize the Fernet key repositories:

```
[root@controller ~]# keystone-manage fernet_setup \
  --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup \
  --keystone-user keystone --keystone-group keystone
```

These keys sign and encrypt every token (fernet-keys) and every stored credential (credential-keys). Anyone who can read the key directories under /etc/keystone/ can mint valid tokens for any user, so they must stay owned by keystone with no access for others, and they should be rotated (`keystone-manage fernet_rotate`) rather than left at the initial key forever.

5. Bootstrap the Identity service:

```
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
```

Pike still registers a separate admin endpoint on port 35357; from Queens onward the admin and public APIs are served together on port 5000. All three URLs here are plain HTTP on the management network, which is the lab simplification the overview describes.

### Configure the Apache HTTP server

1. Edit httpd.conf and set the ServerName option:

```
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller
```

2. Link wsgi-keystone.conf into the Apache configuration:

```
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
```

### Finish the installation

1. Start the HTTP service and enable it at boot:

```
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service
```

2. Configure the administrative account:

```
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
```

### Create a domain, projects, users and roles

1. Create the service project:

```
[root@controller ~]# openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4dd5063ebfc344a0a12734082438fbe0 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
```

2. Create a regular project and user (demo here).

Create the demo project:

```
[root@controller ~]# openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4f74b708452249e583684682e8254872 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
```

Create the demo user:

```
[root@controller ~]# openstack user create --domain default --password 000000 demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 9da7d8fa3eaf414bad4e2bcbabb60494 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
```

Create the user role:

```
[root@controller ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1d30cc80e2eb450193340e8fff44b094 |
| name      | user                             |
+-----------+----------------------------------+
```

Give the demo user the user role in the demo project:

```
[root@controller ~]# openstack role add --project demo --user demo user
```

### Verify

1. Unset the temporary OS_AUTH_URL and OS_PASSWORD variables, so that the client has to be told the endpoint explicitly and prompts for the password:

```
unset OS_AUTH_URL OS_PASSWORD
```

2. Request a token as the admin user:

```
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+---------------------------------------------------------------+
| Field      | Value                                                         |
+------------+---------------------------------------------------------------+
| expires    | 2022-07-13T04:15:29+0000                                      |
| id         | gAAAAABizjjRJyEcHq4dPJMFZMjTCOaVFwOX4sumi1ZsKVgvWfxIPtyaRenrX |
|            | LPKPW1L4nLjeAff1kN2Oa9eTgleTj8TOeoSln9hUUZByEqSlNJFaZC_DUgT5gW|
|            | AjlXHbUH_6r9IiGRcJBGJTAEU5sEmrW2M_sBAnIXQZ5Tn2n_MY_KWO68lpi8  |
| project_id | cecafb35ed3649819247ea27a77871aa                              |
| user_id    | 6ba1420ce7764421afa3da461b2f47a1                              |
+------------+---------------------------------------------------------------+
```

3. Request a token as the demo user:

```
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue
Password:
+------------+---------------------------------------------------------------+
| Field      | Value                                                         |
+------------+---------------------------------------------------------------+
| expires    | 2022-07-13T04:21:47+0000                                      |
| id         | gAAAAABizjpLC8BxxoXOGYJah3VU8xMD8aYQm86RjhAOyKI3zAzuc6wMR3v8Hj|
|            | Atk1n3RIGuNmFWEZSPKQH-zYGAS4ZEzQzvUTAQxeNm4eOG3bLF2iqXc7F1cYIL|
|            | q6gVKkfGK2avDi7APIoxCFy2F_XtxNlqWMNrxfOyGXpB81rKDBjpEsLMMI    |
| project_id | 4f74b708452249e583684682e8254872                              |
| user_id    | 9da7d8fa3eaf414bad4e2bcbabb60494                              |
+------------+---------------------------------------------------------------+
```

A token is a bearer credential: whoever holds the id above can act as that user until `expires`. Treat the ids in these tables the way you would treat the password, and do not paste live ones into tickets or chat.

### Create OpenStack client environment scripts

#### Create the scripts

1. Create admin-openrc:

```
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

2. Create demo-openrc:

```
[root@controller ~]# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```

Both files store a password in clear text in root's home directory. Keep them mode 600 and out of any repository; if you would rather not store the password at all, leave the `OS_PASSWORD` line out and the client prompts for it, as it did in the verification step.

#### Use the scripts

1. Load the variables:

```
[root@controller ~]# . admin-openrc
```

or

```
[root@controller ~]# source admin-openrc
```

2. Request a token:

```
[root@controller ~]# openstack token issue
+------------+---------------------------------------------------------------+
| Field      | Value                                                         |
+------------+---------------------------------------------------------------+
| expires    | 2022-07-13T04:28:33+0000                                      |
| id         | gAAAAABizjjRJyEcHq4dPJMFZMjTCOaVFwOX4sumi1ZsKVgvWfxIPtyaRenrX |
|            | LPKPW1L4nLjeAff1kN2Oa9eTgleTj8TOeoSln9hUUZByEqSlNJFaZC_DUgT5gW|
|            | AjlXHbUH_6r9IiGRcJBGJTAEU5sEmrW2M_sBAnIXQZ5Tn2n_MY_KWO68lpi8  |
| project_id | cecafb35ed3649819247ea27a77871aa                              |
| user_id    | 6ba1420ce7764421afa3da461b2f47a1                              |
+------------+---------------------------------------------------------------+
```

3. Drop the variables again by leaving the shell:

```
# exit bash
[root@controller ~]# exit
```
2022-07-12

# OpenStack Pike deployment, part 1: base environment

## Passwords

Every password in this lab is set to `000000`. The install guide this table is taken from generates each value separately (`openssl rand -hex 10`); a single shared, guessable value is acceptable only for a throwaway lab, because anyone who reads one configuration file, or the shell history, then holds every credential of the cloud.

| Password name | Description | Value |
|---|---|---|
| Database password (no variable) | Root password for the database | 000000 |
| ADMIN_PASS | Password of user admin | 000000 |
| CINDER_DBPASS | Database password for the Block Storage service | 000000 |
| CINDER_PASS | Password of Block Storage service user cinder | 000000 |
| DASH_DBPASS | Database password for the Dashboard | 000000 |
| DEMO_PASS | Password of user demo | 000000 |
| GLANCE_DBPASS | Database password for the Image service | 000000 |
| GLANCE_PASS | Password of Image service user glance | 000000 |
| KEYSTONE_DBPASS | Database password of the Identity service | 000000 |
| METADATA_SECRET | Secret for the metadata proxy | 000000 |
| NEUTRON_DBPASS | Database password for the Networking service | 000000 |
| NEUTRON_PASS | Password of Networking service user neutron | 000000 |
| NOVA_DBPASS | Database password for the Compute service | 000000 |
| NOVA_PASS | Password of Compute service user nova | 000000 |
| PLACEMENT_PASS | Password of the Placement service user placement | 000000 |
| RABBIT_PASS | Password of RabbitMQ user openstack | 000000 |

Reference: https://docs.openstack.org/install-guide/environment-security.html

## Network configuration

### Controller node

Network interface:

```
[root@controller ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="none"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="178.120.2.10"
PREFIX="24"
GATEWAY="178.120.2.1"
DNS1="8.8.8.8"
```

Provider interface (no IP address is configured on it):

```
DEVICE=INTERFACE_NAME
TYPE=Ethernet
ONBOOT="yes"
BOOTPROTO="none"
```

Name resolution:

```
[root@controller ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
178.120.2.10 controller
178.120.2.20 compute
```

Passwordless SSH login:

```
[root@controller ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:cgfolkfd6Oum3nYdVI+HO8llHk1hKR0YaOITw2gTQAE root@controller
The key's randomart image is:
+---[DSA 1024]----+
|         Eo+o.+ ..+++|
|           = * = o.oo|
|          o = B . .=o|
|         . o = +.*|
|          = S + o B.|
|         . + . . * .|
|            . . o |
|           oo . . |
|          .o+o. |
+----[SHA256]-----+
[root@controller ~]# ssh-copy-id compute
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
The authenticity of host 'compute (178.120.2.20)' can't be established.
ECDSA key fingerprint is SHA256:R/Thnqei+6YxNhVzNn26mnzVaBME9Pq1takAI7dH/Sg.
ECDSA key fingerprint is MD5:c3:f7:bb:e1:07:f9:83:d5:2e:d2:ae:c6:da:a3:2e:f7.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@compute's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'compute'"
and check to make sure that only the key(s) you wanted were added.
```

`ssh-keygen -t dsa` produces a 1024-bit DSA key, which upstream OpenSSH has refused by default (`ssh-dss`) since 7.0; the copy may succeed and the login still be rejected. Generate `ssh-keygen -t ed25519` (or `-t rsa -b 4096`) instead. Note also that the key is root's with an empty passphrase, so whoever compromises one node gets a root shell on the other.

### Compute node

Network interface:

```
[root@compute ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="none"
NAME="eth0"
UUID="e7df2db2-cdb1-47e0-9d3b-05b50fe87c19"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="178.120.2.20"
PREFIX="24"
GATEWAY="178.120.2.1"
DNS1="8.8.8.8"
```

Provider interface (no IP address is configured on it):

```
DEVICE=INTERFACE_NAME
TYPE=Ethernet
ONBOOT="yes"
BOOTPROTO="none"
```

Name resolution:

```
[root@compute ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
178.120.2.10 controller
178.120.2.20 compute
```

Passwordless SSH login (same DSA caveat as above):

```
[root@compute ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:juNTp0HHsnRvNPt+xflNUQ9HqJc0CZMcTI49yexZWX4 root@compute
The key's randomart image is:
+---[DSA 1024]----+
|           +=+ +o|
|          *+o*+o|
|        .. Boo=E|
|       + +.++o.o|
|       oS= oo+ .o|
|       o+ . + .+|
|      o..+ . . .+|
|       .... . +|
|        .. ... |
+----[SHA256]-----+
[root@compute ~]# ssh-copy-id controller
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
The authenticity of host 'controller (178.120.2.10)' can't be established.
ECDSA key fingerprint is SHA256:ZjMIFXctwUyBC2Psc5ZxN4wVTAASjzf8re8aq8v11S4.
ECDSA key fingerprint is MD5:2a:f3:cd:5a:ec:2b:ca:20:99:c7:0b:6d:db:b0:1b:92.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@controller's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'controller'"
and check to make sure that only the key(s) you wanted were added.
```

## Kernel network parameters

The original heading calls this "route forwarding", but the two settings applied are the bridge netfilter hook (so Neutron's security-group rules apply to bridged traffic) and IPv6 off:

```
vim /etc/sysctl.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv6.conf.all.disable_ipv6 = 1
```

The `net.bridge.*` keys only exist once the `br_netfilter` module is loaded; run `modprobe br_netfilter` (and arrange for it to load at boot) before `sysctl -p`, otherwise sysctl reports that key as missing and silently leaves the filter off.

## Yum repositories (all nodes)

```
# sed -e 's|^mirrorlist=|#mirrorlist=|g' \
  -e 's|^#baseurl=http://mirror.centos.org|baseurl=https://mirrors.tuna.tsinghua.edu.cn|g' \
  -i.bak \
  /etc/yum.repos.d/CentOS-*.repo
# cat CentOS-OpenStack-Pike.repo
[OpenStack-Pike-tuna]
name=OpenStack-Pike-tuna
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos-vault/7.5.1804/cloud/x86_64/openstack-pike/
gpgcheck=0
enabled=1
# yum makecache
```

The current mirrors no longer carry the Pike release, so the cloud repo has to be written by hand and pointed at centos-vault. `gpgcheck=0` turns off RPM signature verification, so the only integrity guarantee for every package installed from here is the TLS connection to the mirror; if you have the CentOS Cloud SIG key, set `gpgcheck=1` and `gpgkey=` instead.

### Collect the RPM packages (optional)

```
[root@controller ~]# vim /etc/yum.conf
[main]
# cache directory
cachedir=/data/rpm
# keep downloaded packages
keepcache=1
```

## Disable the firewall and SELinux (all nodes)

```
# systemctl stop firewalld && systemctl disable firewalld
# setenforce 0
# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
# yum remove -y NetworkManager firewalld
# yum -y install iptables-services
# iptables -F
# iptables -X
# iptables -Z
# iptables-save
```

This leaves every service port on both nodes (database, RabbitMQ, memcached, the APIs) reachable from anything that can route to 178.120.2.0/24. It is a lab shortcut; the openstack-selinux package installed below exists precisely so that the services can run with SELinux enforcing.

## Time synchronisation (Chrony)

Controller node:

```
[root@controller ~]# yum install -y chrony
[root@controller ~]# timedatectl set-timezone Asia/Shanghai
[root@controller ~]# grep -Ev "#|^$" /etc/chrony.conf
server ntp.aliyun.com iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
allow 178.120.2.0/24
logdir /var/log/chrony
[root@controller ~]# systemctl enable chronyd.service && systemctl start chronyd.service
```

Compute node:

```
[root@compute ~]# yum install -y chrony
[root@compute ~]# timedatectl set-timezone Asia/Shanghai
[root@compute ~]# grep -Ev "#|^$" /etc/chrony.conf
server controller iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
[root@compute ~]# systemctl enable chronyd.service && systemctl start chronyd.service
```

Verification:

```
# controller node
[root@controller ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 139.199.215.251               2   6   367    43   +392us[+1161us] +/-   48ms
^? ntp6.flashdance.cx            2   7    40   368  -5153us[-4963us] +/-  178ms
^- time.cloudflare.com           3   6   355    43    +50ms[  +50ms] +/-  176ms
^- stratum2-1.ntp.mow01.ru.>     2   6   367    42    +31ms[  +31ms] +/-   89ms
[root@controller ~]# date
Tue Jul 12 17:26:01 CST 2022

# other nodes
[root@compute ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? controller                    0   7     0     -     +0ns[   +0ns] +/-    0ns
[root@compute ~]# date
Tue Jul 12 17:26:56 CST 2022
```

On the controller the `^*` line shows a selected, reachable source. On the compute node `^?` with `Reach` 0 and no `LastRx` means chronyd has not yet received a single answer from the controller: it is not synchronised at that moment. Re-run `chronyc sources` after a minute or so and expect `^* controller`; if it stays `^?`, check the `allow 178.120.2.0/24` line on the controller and that UDP 123 is reachable.

## OpenStack client

```
[root@controller ~]# yum install -y python-openstackclient openstack-selinux
```

## Database (MariaDB)

Install the MySQL database server and the Python MySQL connector:

```
[root@controller ~]# yum install -y mariadb mariadb-server python2-PyMySQL
```

Configure MySQL:

```
[root@controller ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 178.120.2.10
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
```

Start the service:

```
[root@controller ~]# systemctl enable mariadb.service
[root@controller ~]# systemctl start mariadb.service
```

Initialise the database (sets the root password, removes the anonymous accounts and the test database; answer yes to each):

```
[root@controller ~]# mysql_secure_installation
```

## Message queue (RabbitMQ)

Install the RabbitMQ server:

```
[root@controller ~]# yum install -y rabbitmq-server
```

Start the RabbitMQ service:

```
[root@controller ~]# systemctl enable rabbitmq-server.service
[root@controller ~]# systemctl start rabbitmq-server.service
```

Add the openstack user:

```
[root@controller ~]# rabbitmqctl add_user openstack 000000
```

Grant the openstack user configure, write and read permission on the default vhost:

```
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
```

Enable the management web UI (optional):

```
[root@controller ~]# rabbit-plugins enable rabbitmq_management
[root@controller ~]# rabbitmq-plugins enable rabbitmq_management_agent
```

Browse to IP:15672. The built-in guest account can only log in from localhost by default, so use the openstack user; the UI gives full control of every queue the services talk over, so keep port 15672 on the management network.

## Cache service (Memcached)

Install Memcached:

```
[root@controller ~]# yum install -y memcached python-memcached
```

Edit the Memcached configuration:

```
[root@controller ~]# vim /etc/sysconfig/memcached
# let the other nodes reach it over the management network
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l controller"
```

`-l controller` binds the listener to the management address instead of all interfaces. Memcached has no authentication and holds Keystone's token and catalog cache, so it must never be reachable from outside the management network.

Start the Memcached service:

```
[root@controller ~]# systemctl enable memcached.service
[root@controller ~]# systemctl start memcached.service
```
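The `chronyc sources` check above is the one step in this environment that decides whether Keystone's Fernet tokens (which carry an issue timestamp) will be judged valid consistently on every node, and the compute node's output shows the failure mode: `^?` with an empty reach register. The following is an added example, not code from the original post or from chrony, that parses that output and answers "is this node synchronised, and which sources have never answered". The two sample outputs are copied from the nodes above; the column meanings follow the chronyc man page.

```python
"""Parse `chronyc sources` and decide whether a node is actually synchronised.
Keystone's Fernet tokens carry a timestamp, so a node whose clock is off will
accept expired tokens or reject fresh ones; check sync before moving on."""
import re

# Output copied from the two nodes above: the controller is steering to a
# public pool, the compute node is still waiting on the controller.
CONTROLLER_SOURCES = """\
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 139.199.215.251               2   6   367    43   +392us[+1161us] +/-   48ms
^? ntp6.flashdance.cx            2   7    40   368  -5153us[-4963us] +/-  178ms
^- time.cloudflare.com           3   6   355    43    +50ms[  +50ms] +/-  176ms
^- stratum2-1.ntp.mow01.ru.>     2   6   367    42    +31ms[  +31ms] +/-   89ms
"""
COMPUTE_SOURCES = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? controller                    0   7     0     -     +0ns[   +0ns] +/-    0ns
"""

# M = mode (^ server, = peer, # local clock)
# S = state (* selected, + combined, - excluded, ? unreachable or unusable,
#            x false ticker, ~ too variable)
# Reach is an 8-bit shift register of recent polls, printed in octal.
LINE = re.compile(r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(\d+)\s+([0-7]+)\s+(\S+)")


def parse_sources(text):
    """One dict per source line; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        mode, state, name, stratum, poll, reach, last_rx = m.groups()
        rows.append({
            "mode": mode, "state": state, "name": name,
            "stratum": int(stratum), "poll": int(poll),
            "reach": int(reach, 8),
            "last_rx": None if last_rx == "-" else int(last_rx),
        })
    return rows


def selected_source(text):
    """Name of the source chronyd is steering to, or None if not synchronised."""
    for row in parse_sources(text):
        if row["state"] == "*":
            return row["name"]
    return None


def unreachable_sources(text):
    """Sources that have never answered: state '?' and an empty reach register."""
    return [r["name"] for r in parse_sources(text)
            if r["state"] == "?" and r["reach"] == 0]


def recent_polls_ok(reach, n=8):
    """How many of the last n polls succeeded (bit 0 is the most recent)."""
    return sum((reach >> i) & 1 for i in range(n))


if __name__ == "__main__":
    for node, text in (("controller", CONTROLLER_SOURCES), ("compute", COMPUTE_SOURCES)):
        print(node, "synced to:", selected_source(text),
              "never answered:", unreachable_sources(text))
```

Run on the outputs above it reports the controller synchronised to 139.199.215.251 with 7 of its last 8 polls answered, and the compute node unsynchronised with the controller never having answered, which is the state a deployment check should refuse to proceed from. `ntp6.flashdance.cx` is `?` too but has a non-zero reach register, so it has answered before and is merely unusable right now, not unreachable.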