一,
什么是keystone
keystone是openstack的关键必选组件之一,其作用是提供身份认证服务,所有的身份认证信息都是存储在controller节点的数据库内。
具体的关于keystone的介绍可以参见官方文档:OpenStack Docs: Identity service overview
社区版openstack 服务组件的安装顺序:
以上图的文档顺序安装,第一个是keystone,第二个是glance,第三个是nova,第四个是neutron,第五个是horizon,第六个是cinder
二,
keystone部署前的数据库准备工作(192.168.123.130节点,安装部署)
keystone可以使用MySQL,postgresql等数据库,官方文档提供的是mariadb,mariadb数据库在前面基础环境内已经部署完成了,
详情请移步上一篇文章:云计算|OpenStack|社区版OpenStack安装部署文档(二---OpenStack运行环境搭建)_晚风_END的博客-CSDN博客
在部署keystone之前,需要新建数据库和数据库用户以及相关权限授权。
1,
新建数据库
登陆mariadb数据库,建立库名为keystone的数据库
mysql -uroot -p
输入root密码,登陆数据库
create database keystone;
2,
创建数据库用户keystone并授予其可访问keystone数据库的权限:
注意,密码是KEYSTONE_DBPASS
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
使用的官方文档连接:OpenStack Docs: Install and configure
安装并配置keystone组件
yum install openstack-keystone httpd mod_wsgi openstack-utils -y
这里的openstack-utils是openstack的一个工具集,安装了这个后可以使用命令快速修改openstack的配置文件
keystone不需要启动,由httpd服务通过wsgi代理启动,监听端口是5000
在此前的版本比如Queens版本,是监听两个端口,5000和35357,Rocky版对此做了优化调整,只监听5000了
以上yum安装完毕后,开始修改配置文件,修改的地方不多:
1,
修改配置文件
Edit the /etc/keystone/keystone.conf file and complete the following actions:
- In the
[database]section, configure database access:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
根据自身情况,192.168.123.130服务器的主机名是openstack1,因此,实际上的修改是这样:
[database] # ... connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@openstack1/keystone
2,
修改配置文件
- In the
[token]section, configure the Fernet token provider:
[token]
# ...
provider = fernet
3,初始化数据库,创建keystone服务的相关表
su -s /bin/sh -c "keystone-manage db_sync" keystone 注:此条命令无任何输出为正确
4,
查询上一步建表是否正确:
[root@openstack1 ~]# mysql -h 192.168.123.130 -ukeystone -pKEYSTONE_DBPASS -e "use keystone;show tables;" +-----------------------------+ | Tables_in_keystone | +-----------------------------+ | access_token | | application_credential | | application_credential_role | | assignment | | config_register | | consumer | | credential | | endpoint | | endpoint_group | | federated_user | | federation_protocol | | group |
总计45张表,表示建表没有问题:
[root@openstack1 ~]# mysql -h 192.168.123.130 -ukeystone -pKEYSTONE_DBPASS -e "use keystone;show tables;" |wc -l 45
5,
初始化Fernet密钥库:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone 注:这两个命令仍然是没有输出表示正确
7,
Configure the Apache HTTP server
修改httpd服务的配置文件并软连接wsgi配置文件到httpd服务配置文件内
- Edit the
/etc/httpd/conf/httpd.conffile and configure theServerNameoption to reference the controller node:
ServerName openstack1
- Create a link to the
/usr/share/keystone/wsgi-keystone.conffile:
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
注:/usr/share/keystone/wsgi-keystone.conf 这个文件在Queens版里是有bug的,需要自己修改的,但在Rocky版里已经修复了,因此是可以直接软链接后使用
文件内容如下:
cat /usr/share/keystone/wsgi-keystone.conf Listen 5000 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On LimitRequestBody 114688 <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> ErrorLog /var/log/httpd/keystone.log CustomLog /var/log/httpd/keystone_access.log combined <Directory /usr/bin> <IfVersion >= 2.4> Require all granted </IfVersion> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> </Directory> </VirtualHost> Alias /identity /usr/bin/keystone-wsgi-public <Location /identity> SetHandler wsgi-script Options +ExecCGI WSGIProcessGroup keystone-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On </Location>
8,
启动httpd服务并加入自启
systemctl enable httpd.service systemctl start httpd.service
小结:
Rocky版相比较早版本比如Queens,少了创建endpoint的步骤,这无疑是降低了部署难度,并减少了出错的概率。
三,
初始化keystone认证服务
1)创建 keystone 用户,初始化的服务实体和API端点
# 在之前的版本(queens之前),引导服务需要2个端口提供服务(用户5000和管理35357),本版本通过同一个端口5000提供服务.这个优化非常nice,减少了很多出错几率
# 创建keystone服务实体和身份认证服务,以下三种类型分别为公共的、内部的、管理的。
# 需要创建一个密码ADMIN_PASS,作为登陆openstack的管理员用户,这里创建为123456,主机名是openstack1
keystone-manage bootstrap --bootstrap-password 123456 \ --bootstrap-admin-url http://openstack1:5000/v3/ \ --bootstrap-internal-url http://openstack1:5000/v3/ \ --bootstrap-public-url http://openstack1:5000/v3/ \ --bootstrap-region-id RegionOne 注:此命令没有输出,会在keystone数据库执增加以下任务,之前的版本需要手动创建 1)在endpoint表增加3个服务实体的API端点 2)在local_user表中创建admin用户 3)在project表中创建admin和Default项目(默认域) 4)在role表创建3种角色,admin,member和reader 5)在service表中创建identity服务
2)临时配置管理员账户的相关变量进行管理
export OS_PROJECT_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=Default export OS_USERNAME=admin export OS_PASSWORD=123456 export OS_AUTH_URL=http://openstack1:5000/v3 export OS_IDENTITY_API_VERSION=3
此时,可以通过客户端查询到user和role了:
注:以往的版本在这一步总是出错,role经常查询不出来member和reader,在Rocky版里没有这个问题了。
以前的版本单独创建endpoint可能会出错需要删除,新版本已经优化好,只要系统配置没问题,会自动生成一般也不会出错
[root@openstack1 ~]# openstack user list +----------------------------------+--------+ | ID | Name | +----------------------------------+--------+ | cc8fd279176b432299603f49fdc5676b | myuser | +----------------------------------+--------+ [root@openstack1 ~]# openstack role list +----------------------------------+--------+ | ID | Name | +----------------------------------+--------+ | c17a222b7a5044319b3436db02ab7d9c | member | | def3bfe2147e4e2b912267d01fed509f | reader | | e74aae7bc6c04ac49671c0fc23d2bf9e | admin | +----------------------------------+--------+
四,
创建keystone的一般实例 user,role,domain和project
创建domain和project
openstack domain create --description "An Example Domain" example openstack project create --domain default --description "Service Project" service openstack project create --domain default --description "Demo Project" myproject
输出如下:
[root@openstack1 ~]# openstack domain create --description "An Example Domain" example +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | An Example Domain | | enabled | True | | id | 948b331e6bad40d7a86a4ec8d6774abc | | name | example | | tags | [] | +-------------+----------------------------------+ [root@openstack1 ~]# openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | default | | enabled | True | | id | eea644ad9ef14be98a91d886efa1778b | | is_domain | False | | name | service | | parent_id | default | | tags | [] | +-------------+----------------------------------+ [root@openstack1 ~]# openstack project create --domain default --description "Demo Project" myproject +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Demo Project | | domain_id | default | | enabled | True | | id | a5b0bd6d7905481c90017f2a45d65477 | | is_domain | False | | name | myproject | | parent_id | default | | tags | [] | +-------------+----------------------------------+
创建用户user:
# 使用--password选项为直接配置明文密码,使用--password-prompt选项为交互式输入密码
openstack user create --domain default --password=myuser myuser openstack user create --domain default --password-prompt myuser
创建role角色:
openstack role create myrole 输出如下: +-----------+----------------------------------+ | Field | Value | +-----------+----------------------------------+ | domain_id | None | | id | 97358b7d618f4352806c132ca5b186a1 | | name | myrole | +-----------+----------------------------------+
用户和角色绑定:
注:此条命令无输出,但myproject需要提前创建的哦,
openstack role add --project myproject --user myuser myrole
以上创建完毕后,执行查询:
可以看到,名为default的domain,名为admin的project,名为admin的user和名为admin,reader,member的角色以及endpoint都是通过前面的export 自动创建的。
而在以往的旧版本,endpoint需要手动创建的哦
[root@openstack1 ~]# openstack domain list +----------------------------------+---------+---------+--------------------+ | ID | Name | Enabled | Description | +----------------------------------+---------+---------+--------------------+ | 948b331e6bad40d7a86a4ec8d6774abc | example | True | An Example Domain | | default | Default | True | The default domain | +----------------------------------+---------+---------+--------------------+ [root@openstack1 ~]# openstack project list +----------------------------------+-----------+ | ID | Name | +----------------------------------+-----------+ | 692daaea95d747a7aa961aa68dd5bb8d | admin | | a5b0bd6d7905481c90017f2a45d65477 | myproject | | eea644ad9ef14be98a91d886efa1778b | service | +----------------------------------+-----------+ [root@openstack1 ~]# openstack user list +----------------------------------+--------+ | ID | Name | +----------------------------------+--------+ | cc8fd279176b432299603f49fdc5676b | myuser | | eefd82ab64be4336b05d2e60b25e47c4 | admin | +----------------------------------+--------+ [root@openstack1 ~]# openstack role list +----------------------------------+--------+ | ID | Name | +----------------------------------+--------+ | 97358b7d618f4352806c132ca5b186a1 | myrole | | c17a222b7a5044319b3436db02ab7d9c | member | | def3bfe2147e4e2b912267d01fed509f | reader | | e74aae7bc6c04ac49671c0fc23d2bf9e | admin | +----------------------------------+--------+ [root@openstack1 ~]# openstack endpoint list +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+ | ID | Region | Service Name | Service Type | Enabled | Interface | URL | +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+ | 09246e8177fd4d239f216301e550bfb0 | RegionOne | keystone | identity | True | admin | http://openstack1:5000/v3/ | | 5b38a26650ee4616b53a44da4475b03b | RegionOne | keystone | identity | True | internal | http://openstack1:5000/v3/ | | fbf977090d2745aa8e7039351474a14a | RegionOne | keystone | identity | True | public | http://openstack1:5000/v3/ | +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
五,
验证操作keystone是否安装成功
# 关闭临时认证令牌机制,获取 token,验证keystone配置成功
unset OS_AUTH_URL OS_PASSWORD
#测试是否可以在不使用环境变量的情况下,正常使用admin账户进行登陆认证,请求认证令牌
openstack --os-auth-url http://openstack1:5000/v3 \ --os-project-domain-name Default --os-user-domain-name Default \ --os-project-name admin --os-username admin token issue
此命令需要输入user admin的密码,密码是前面设置的123456,如果密码错误:
[root@openstack1 ~]# openstack --os-auth-url http://openstack1:5000/v3 \ > --os-project-domain-name Default --os-user-domain-name Default \ > --os-project-name admin --os-username admin token issue Password: The request you have made requires authentication. (HTTP 401) (Request-ID: req-84805c5f-3da8-40ad-aff6-c8fdeacae92b)
如果密码正确,可以正确的获取令牌信息:
[root@openstack1 ~]# openstack --os-auth-url http://openstack1:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue Password: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2023-01-31T08:51:36+0000 | | id | gAAAAABj2MiIf_tvlnIo52TmrlrHNiCpViefzBhKzysCZMn5udmFBqvNDhBd0FC1ux55Nbh28zjvgxEwlLNCcLrr1RdcS_K4DAPV9I8FmY5Jcj2-rEElzQ0ZCUdetDsdD7nTZXeevGgclvTJYkzVkYb79q-i1zLTUeMPE9umdeOo6dJDD_qMi9o | | project_id | 692daaea95d747a7aa961aa68dd5bb8d | | user_id | eefd82ab64be4336b05d2e60b25e47c4 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
六,
创建OpenStack客户端环境脚本
# 上面使用环境变量和openstack 命令选项的组合通过“openstack”客户端与身份认证服务交互。
# 为了提升客户端操作的效率,OpenStack支持简单的客户端环境变量脚本即OpenRC 文件,该文件可以自定义名称
cat admin_rc.sh export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=123456 export OS_AUTH_URL=http://openstack1:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
使用此脚本:
source admin_rc.sh
此时,可以直接通过客户端查询到admin用户的令牌信息了,可以看到和上面的清除环境变量后的查询是一样的:
[root@openstack1 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2023-01-31T04:01:54+0000 | | id | gAAAAABj2ISiJMRFKNrKTtLbrjiKD9HTO9um3Dn2f1mObhlCU1dG-2JlSR-uBYH1ODoQMOQpI9H6MUjnvnIxAQQr1yD63eUFoCXYJW6R5fD3dIxkHJVHCmD49FmE2DZN_r-D1pdHoZ-e7eS1zlBGwnjEYOLG7wPH9gYjXzhhTa6sOtiX6KuMSwg | | project_id | 692daaea95d747a7aa961aa68dd5bb8d | | user_id | eefd82ab64be4336b05d2e60b25e47c4 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
当然,这个方式是比较简单的定义环境变量的方式,还有一种方式是编写config配置文件,文件采用yaml的形式。需要一些额外的安装,比较复杂,在此就不讨论了。
七,重置admi的密码
admin_token认证机制修改登陆密码
keystone-manage bootstrap --bootstrap-password PASSWORD \ --bootstrap-admin-url http://openstack1:5000/v3/ \ --bootstrap-internal-url http://openstack1:5000/v3/ \ --bootstrap-public-url http://openstack1:5000/v3/ \ --bootstrap-region-id RegionOne
cat admin_rc.sh export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=PASSWORD export OS_AUTH_URL=http://openstack1:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
重新激活环境变量:
source admin_rc.sh
再次查看令牌信息:
[root@openstack1 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2023-01-31T09:27:17+0000 | | id | gAAAAABj2NDl1LhQPT0sDEqomp5fU1OxAyqxkucmrhxrbhvi6tfhkOLlQBPi2PQEf2oa9FkMsio_GVdzLLI64y-C3gDPoCf2Kw9zNooOyP9K4ghL-ptpU09QIkQbeZOLtm0zWKWt4baYzzHja8rkrzs1WHQo-YR6pPKA1HOAqf7VNKW8-w56cTo | | project_id | 692daaea95d747a7aa961aa68dd5bb8d | | user_id | eefd82ab64be4336b05d2e60b25e47c4 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
OK,keystone服务已经安装完毕了。
