Openstack组件部署 — Keystone Install & Create service entity and API endpoints

本文涉及的产品
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
RDS MySQL Serverless 高可用系列,价值2615元额度,1个月
简介: 目录目录前文列表Install and configurePrerequisites 先决条件Create the database for identity service生成一个随机数Install and configure compone...

目录

前文列表

Openstack组件部署 — Overview和前期环境准备
Openstack组建部署 — Environment of Controller Node
Openstack组件部署 — Keystone功能介绍与认证实现流程

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node.
For performance, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

这一节记录了怎样在Controller Node上安装和配置Openstack的认证服务,代号为Keystone。在性能上,这个配置使用了Fernet Tokens和Apache HTTP服务器去处理请求。

Fernet Tokens:是K版本的更新内容,区别于UUID tokens只能持久化存入数据库,Fernet tokens完全不需要持久化。部署人员可以通过设置keystone.conf中的[token] provider = keystone.token.providers.fernet.Provider来启用Fernet token,这也是我们一会需要配置的参数项。Fernet tokens需要symmetric encryption keys(对称加密密钥),这些keys可以使用keystone-manage fernet_setup建立, 并且使用keystone-manage fernet_rotate周期性地轮换。这些keys必须被在一个multi-node(或者multi-region)部署中的所有Keystone nodes共享,这样就能使一个node生成的tokens可以立即被其他节点验证。

Prerequisites 先决条件

Before you configure the OpenStack Identity service, you must create a database and an administration token.
在配置Openstack认证服务之前,你需要先创建一个keystone数据库和一个用于初始化keystone期间的临时管理token。

Create the database for identity service

这个数据库用于存放Keystone组件(User、Tenant、Roles等)的相关信息。
Step1.进入MySQL

mysql -u root -pfanguiju

Step2.创建数据库keystone

CREATE DATABASE keystone;

Step3.创建keystone数据库用户并授予适当的访问权限
创建keystone数据库用户,使其可以对keystone数据库有完全控制权限。

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'fanguiju';     #fanguiju为用户keystone的密码
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'fanguiju';

Step4.退出MySQL

MariaDB [(none)]> exit
Bye

生成一个随机数

Generate a random value to use as the administration token during initial configuration
生成一个用于初始化keystone期间的临时管理token

[root@controller Desktop]# openssl rand -hex 10
c44048d3212d3f977643

Install and configure components

Note:This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. Therefore, this guide manually disables the keystone service.
注意:该指南使用Apache Http服务器的mod_wsgi(Python Web Server Gateway Interface)动态访问模块来支持认证服务在5000和35357端口上的请求。keystone service默认就会监听这两个端口,所以,该指南手动的禁用keystone service。

WSGI:Python Web服务器网关接口(Python Web Server Gateway Interface,缩写为WSGI),是Python应用程序或框架和Web服务器之间的一种接口,已经被广泛接受, 它已基本达成它的可移植性方面的目标。

Step1.安装openstack-keystoneHTTPmod_wsgi模块

yum install openstack-keystone httpd mod_wsgi -y

Step2.Edit the /etc/keystone/keystone.conf file and complete the following actions:
vim /etc/keystone/keystone.conf

#1. In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
admin_token = c44048d3212d3f977643              #刚刚使用openssl指令生成的随机数

#2. In the [database] section, configure database access:
[database]
connection = mysql+pymysql://keystone:fanguiju@controller.jmilk.com/keystone       #数据库连接配置 --> 使用mysql+pymysql协议://访问keystone用户:密码为范桂飓@数据库服务器hostname/访问keystone数据库;必要时可能需要使用IP代替hostname

#3. In the [token] section, configure the Fernet token provider:
[token]
provider = fernet

总览

[root@controller ~]# cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$
[DEFAULT]
admin_token = c44048d3212d3f977643
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:fanguiju@controller.jmilk.com/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
[ssl]
[token]
provider = fernet
[tokenless_auth]
[trust]

注意:从总览的内容可以看出,在最新的版本中,第一次安装Keystone组件的时候,配置文件中的节点内容都是空的。但如果是使用该指南来安装其他版本Keystone的话,需要注意,我们应该是添加该指南的参数项到配置文件中,而不需要删除原来就已经存在的参数项。

Step3.Populate the Identity service database:

su -s /bin/sh -c "keystone-manage db_sync" keystone      #使用sh执行keystone数据库初始化填充指令

查看数据库表是否创建成功

[root@controller Desktop]# mysql -u keystone -pfanguiju
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
+--------------------+
2 rows in set (0.03 sec)

MariaDB [(none)]> use keystone;
Database changed

MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

注意:执行此指令之后,忽略所有的deprecation messages。但是如果一直卡在这一步的话,我建议从新查看一下keystone.conf配置文件是否能够成功连接到数据库。

Step4.Initialize Fernet keys:
前文有过描述:Fernet tokens需要symmetric encryption keys,而这个keys就是使用keystone-manage fernet_setup来创建。

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Configure the Apache HTTP server

Step1.Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:
vim /etc/httpd/conf/httpd.conf

#指定Apache HTTP Server的hostname
ServerName controller.jmilk.com

Step2.Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:
开启两个监听端口,并配置两个Virtualhost-Port虚拟主机。
vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Step3.Start the Apache HTTP service and configure it to start when the system boots:

systemctl start httpd.service
systemctl enable httpd.service

到此为止,Keystone的安装已经完成了

Create the service entity and API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment requires a service entity and several API endpoints in the catalog.
认证服务提供了一个服务目录,需要为每一个加入到Openstack环境中的openstack service的service entity和若干个API endpoints添加到该服务目录中。

Prerequisites 先决条件

By default, the Identity service database contains no information to support conventional authentication and catalog services. You must use a temporary authentication token that you created in the section called Install and configure to initialize the service entity and API endpoint for the Identity service.
默认的,新建的认证服务数据库并没有包含任何支持authentication catalog services的信息。你必须使用在上文中创建的临时的authentication token——admin_token去初始化service entityAPI endpoint

Step1.创建临时authentication token文件
vim ~/auth_token

#1. Configure the authentication token(OS_TOKEN = keystone.conf中的参数项admin_token的值)
export OS_TOKEN=c44048d3212d3f977643 

#2. Configure the endpoint URL(使用35357号Port)
export OS_URL=http://controller.jmilk.com:35357/v3

#3. Configure the Identity API version
export OS_IDENTITY_API_VERSION=3

加载auth_token文件的环境变量

source ~/auth_token

Create the service entity and API endpoints

Step1.Create the service entity服务实体 for the Identity service:
The Identity service manages a catalog of services in your OpenStack environment. Services use this catalog to determine the other services available in your environment.
认证服务在Openstack中管理着一个服务目录,Openstack services是通过服务目录来定位其他的service。

[root@controller Desktop]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | c89a25e54e5b4ca3b277b15ec0d75853 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

ERROR: An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-7e447b64-0ab1-4add-b0f9-ccb29de79156)
这是一个非常常见的错误,尤其对于入门Openstack的小伙伴而言,很多人就卡在这个ERROR上。这里给出一些解决的方案:
1. 一定要检查Keystone的表是否成功创建
2. 确保环境变量正确,尤其是OS_TOKENadmin_token的值是一致的,建议使用Copy,因为常见参数值后面带有空格,导致不一致的情况。
3. 确保Hostname和IP能够成功解析
4. 确保Port:35357已经开启
5. 确保HTTP服务正常运行
6. 查看openstack-keystone服务是否打开,如果是M版本就无所谓了
7. 实在不行,建议重启主机试试(放大招了)

Step2.Create the Identity service API endpoints:
The Identity service manages a catalog of API endpoints associated with the services in your OpenStack environment. Services use this catalog to determine how to communicate with other services in your environment.OpenStack uses three API endpoint variants for each service: admin, internal, and public.

认证服务还管理着一个服务相关的API endpoints目录,Services使用endpoints目录确定怎么与其他Services通信。每一个Openstack service提供了三种形式的API endpoint:admin管理, internal内部, and public外部.

[root@controller Desktop]# openstack endpoint create --region RegionOne identity public http://controller.jmilk.com:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 670ccbe782ba4e788c681f532d540177 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:5000/v3       |
+--------------+----------------------------------+

[root@controller Desktop]# openstack endpoint create --region RegionOne identity internal http://controller.jmilk.com:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c1d4504fc49741f4968d0c28ee66cbbc |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:5000/v3       |
+--------------+----------------------------------+

[root@controller Desktop]# openstack endpoint create --region RegionOne identity admin http://controller.jmilk.com:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b0a761a6365941d2a5db215c36883b4f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | c89a25e54e5b4ca3b277b15ec0d75853 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.5:35357/v3      |
+--------------+----------------------------------+
相关实践学习
基于CentOS快速搭建LAMP环境
本教程介绍如何搭建LAMP环境,其中LAMP分别代表Linux、Apache、MySQL和PHP。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助 &nbsp; &nbsp; 相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
相关文章
|
13天前
|
数据可视化 Linux API
如何在Linux使用docker部署Swagger Editor并实现无公网IP远程协同编辑API文档
如何在Linux使用docker部署Swagger Editor并实现无公网IP远程协同编辑API文档
|
13天前
|
数据可视化 Linux API
使用Docker安装部署Swagger Editor并远程访问编辑API文档
使用Docker安装部署Swagger Editor并远程访问编辑API文档
66 0
|
13天前
|
缓存 运维 Serverless
Serverless 应用引擎产品使用之阿里函数计算中。将本地电脑上的项目文件部署到阿里云函数计算(FC)上并实现对外提供API和WebUI如何解决
阿里云Serverless 应用引擎(SAE)提供了完整的微服务应用生命周期管理能力,包括应用部署、服务治理、开发运维、资源管理等功能,并通过扩展功能支持多环境管理、API Gateway、事件驱动等高级应用场景,帮助企业快速构建、部署、运维和扩展微服务架构,实现Serverless化的应用部署与运维模式。以下是对SAE产品使用合集的概述,包括应用管理、服务治理、开发运维、资源管理等方面。
|
13天前
|
机器学习/深度学习 人工智能 API
人工智能平台PAI产品使用合集之机器学习PAI-EAS部署好后,服务的公网API和URL怎么配置
阿里云人工智能平台PAI是一个功能强大、易于使用的AI开发平台,旨在降低AI开发门槛,加速创新,助力企业和开发者高效构建、部署和管理人工智能应用。其中包含了一系列相互协同的产品与服务,共同构成一个完整的人工智能开发与应用生态系统。以下是对PAI产品使用合集的概述,涵盖数据处理、模型开发、训练加速、模型部署及管理等多个环节。
|
13天前
|
API
工作流JBPM操作API删除流程&部署流程
工作流JBPM操作API删除流程&部署流程
20 0
|
13天前
|
API 数据库
工作流JBPM操作API部署流程
工作流JBPM操作API部署流程
25 0
|
13天前
|
前端开发 BI API
API函数式组件封装逻辑
API函数式组件封装逻辑
15 0
|
13天前
|
API
[组件封装]API式调用-封装一个审核意见的组件Comments
[组件封装]API式调用-封装一个审核意见的组件Comments
12 0
|
13天前
|
分布式计算 DataWorks 大数据
DataWorks常见问题之使用API删除之前的部署文件失败如何解决
DataWorks是阿里云提供的一站式大数据开发与管理平台,支持数据集成、数据开发、数据治理等功能;在本汇总中,我们梳理了DataWorks产品在使用过程中经常遇到的问题及解答,以助用户在数据处理和分析工作中提高效率,降低难度。
|
13天前
|
JavaScript API
Vue3的手脚架使用和组件父子间通信-插槽(Options API)学习笔记
Vue3的手脚架使用和组件父子间通信-插槽(Options API)学习笔记
32 3