OpenStack Mitaka installation: the Identity server (Keystone)
I. Environment preparation:
controller:
4 GB RAM, 20 GB disk, 2 NICs (10.1.42.211, 192.168.56.211)
computer:
2 GB RAM, 30 GB disk, 2 NICs (10.1.42.212, 192.168.56.212)
Operating system:
CentOS 7 minimal install
1. Edit the /etc/hosts file
10.1.42.211 controller
10.1.42.212 computer
2. Install the NTP service
controller node:
# yum install chrony
# vi /etc/chrony.conf
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
allow 10.1.0.0/16
# systemctl enable chronyd.service
# systemctl start chronyd.service
Test:
# chronyc sources
computer node:
# yum install chrony
# vi /etc/chrony.conf
server controller iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
# systemctl enable chronyd.service
# systemctl start chronyd.service
Test:
# chronyc sources
3. Install the OpenStack packages (run on both machines)
# yum install centos-release-openstack-mitaka
# yum upgrade
# yum install python-openstackclient
# yum install openstack-selinux
4. Install the SQL database on controller (MariaDB or MySQL)
# yum install mariadb mariadb-server python2-PyMySQL
# vi /etc/f.d/f
# systemctl enable mariadb.service
# systemctl start mariadb.service
Initialize the database, setting the root password to openstack and so on; the interaction is as follows:
# mysql_secure_installation
Enter current password for root (enter for none): [Enter]
Set root password? [Y/n] Y
New password: openstack
Re-enter new password: openstack
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] n
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
5. Install the NoSQL database on controller; MongoDB is used here
# yum install mongodb-server mongodb
# vi /etc/mongod.conf
Change:
bind_ip = 10.1.42.211
smallfiles = true (optional)
# systemctl enable mongod.service
# systemctl start mongod.service
6. Install the message queue RabbitMQ on controller
# yum install rabbitmq-server
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
Add the openstack user
# rabbitmqctl add_user openstack RABBIT_PASS (user name: openstack, password: RABBIT_PASS)
Creating user "openstack".
Set the openstack user's permissions; the three patterns are, in order, write, read and access
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...
7. Install memcached on controller
# yum install memcached python-memcached
# systemctl enable memcached.service
# systemctl start memcached.service
At this point the software environment for the whole OpenStack framework is basically in place; what follows is the individual components.
Install the Identity service (OpenStack Identity service) on controller
1. Identity service overview
2. Installation and configuration
Create the database
# mysql -u root -p (password: openstack)
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> quit
Generate a random value to use as the administration token during the initial configuration
[root@controller ~]# openssl rand -hex 10
5e5a6065af5a4bb52c42
[root@controller ~]# openssl rand -hex 10
a05cbbd9f5297dee283f
Install openstack-keystone, Apache httpd and mod_wsgi
# yum install openstack-keystone httpd mod_wsgi
# vi /etc/keystone/keystone.conf
Make the following changes (the resulting active settings, as shown by grep):
[root@controller ~]# grep '^[a-z]' /etc/keystone/keystone.conf
admin_token = a05cbbd9f5297dee283f
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
provider = fernet
Initialize the Identity service database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet keys
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
Configure the Apache HTTP server
# vi /etc/httpd/conf/httpd.conf
Set ServerName controller
# vi /etc/httpd/conf.d/wsgi-keystone.conf (create this file)
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
Restart the Apache service
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service
3. Create the service entity
I. Preparation before configuring the API
1) Configure the administration authentication token; the value is the admin_token set in the keystone.conf configuration file
[root@controller ~]# export OS_TOKEN=a05cbbd9f5297dee283f
2) Configure the endpoint URL
[root@controller ~]# export OS_URL=http://controller:35357/v3
3) Configure the API version
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
II. Create the service entity and API endpoints
1) Create the service entity for the Identity service
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
2) Create the Identity service API endpoints
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://controller:5000/v3
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
4. Create tenants, users and roles
The Identity service provides authentication for every OpenStack service.
Its main objects are domains, tenants (projects), users and roles.
1. Create the default domain
[root@controller ~]# openstack domain create --description "Default Domain" default
2. Create the admin tenant, user and role so that administrative operations can be performed
2.1) Create the admin tenant
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
2.2) Create the admin user (password: admin)
[root@controller ~]# openstack user create --domain default --password-prompt admin
Enter the password: admin
2.3) Create the admin role
[root@controller ~]# openstack role create admin
2.4) Add the admin role to the admin tenant and user (no output)
[root@controller ~]# openstack role add --project admin --user admin admin
Create two more tenants, service and demo; service gets no user or role, while demo gets a user and a role
openstack project create --domain default --description "Service Project" service
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo (demo user password: demo)
openstack role create user
openstack role add --project demo --user demo user
5. Verify operation
1) For security, disable the temporary authentication token mechanism
Edit the /etc/keystone/keystone-paste.ini configuration file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
[root@controller ~]# vi /etc/keystone/keystone-paste.ini
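An added check, not part of the original guide, for the two bootstrap-only settings configured above: the admin_token in keystone.conf and the admin_token_auth filter in the keystone-paste.ini pipelines. The file contents are constructed, abbreviated samples written to a scratch directory; point the functions at the real files under /etc/keystone/ to check a live controller.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm the bootstrap-only admin-token
# path is closed once the projects, users and roles exist. Sample files are constructed.

# Drop "admin_token_auth" from every "pipeline = ..." line of a keystone-paste.ini
# (portable: write to a temp file and move it into place instead of relying on sed -i).
strip_admin_token_auth() {
    sed -e '/^pipeline[[:space:]]*=/ s/[[:space:]]admin_token_auth[[:space:]]/ /g' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print how many pipeline lines still load the admin_token_auth filter (0 when clean).
count_admin_token_auth() {
    grep -c '^pipeline[[:space:]]*=.*[[:space:]]admin_token_auth[[:space:]]' "$1" || true
}

# Succeed (exit 0) if keystone.conf still carries an active, uncommented admin_token.
admin_token_still_set() {
    grep -q '^[[:space:]]*admin_token[[:space:]]*=' "$1"
}

# Write constructed, abbreviated copies of both files into a scratch directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/keystone-paste.ini" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service
[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service
[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
EOF
    cat > "$dir/keystone.conf" <<'EOF'
[DEFAULT]
admin_token = a05cbbd9f5297dee283f
EOF
    echo "$dir"
}

# Demo run on the samples: strip the filter, then report what is left to fix by hand.
main() {
    d=$(make_samples)
    echo "before: $(count_admin_token_auth "$d/keystone-paste.ini") pipeline(s) use admin_token_auth"
    strip_admin_token_auth "$d/keystone-paste.ini"
    echo "after:  $(count_admin_token_auth "$d/keystone-paste.ini") pipeline(s) use admin_token_auth"
    admin_token_still_set "$d/keystone.conf" && echo "admin_token is still set in keystone.conf; comment it out now that OS_TOKEN is no longer needed"
    rm -rf "$d"
}
main
```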
2) Unset the temporary environment variables OS_TOKEN and OS_URL
[root@controller ~]# unset OS_TOKEN OS_URL
3) As the admin user, request an authentication token from the version 3 API
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Enter the admin user's password: admin
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
Password:
[root@controller ~]# vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# vi demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Use the environment script
[root@controller ~]# . admin-openrc
[root@controller ~]# openstack token issue