Keystone組件是云平臺上的認證節點。OpenStack各個子項目單獨提供著各自的相關服務,如nova提供計算服務,glance提供鏡像服務,各個節點互不相干,但實際上組件之間的服務調用都要經過Keystone獲取服務列表和服務端點。
1)在controller1創建keystone數據庫
```
MariaDB [(none)]> CREATE DATABASE keystone;
```
2)在controller1上創建數據庫用戶及賦予權限
```
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'yjscloud';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yjscloud';
```
注意將yjscloud替換為自己的數據庫密碼
3)在三個節點上分別安裝keystone和memcached
```
yum -y install openstack-keystone httpd mod_wsgi python-openstackclient mencached python-memcached openstack-utils
```
4)優化配置memcached
```
vim /etc/sysconfig/memcached
```
```
PORT="11211" #定義端口
USER="memcached" #定義運行memcache的用戶
MAXCONN="8192" #定義最大連接數
CACHESIZE="1024" #定義最大內存使用值
OPTIONS="-l 127.0.0.1,::1,10.1.1.150 -t 4 -I 10m" # -l設置服務綁定ip,-t設置線程數,-I調整分配slab頁的大小
```
```
scp -p /etc/sysconfig/memcached controller2:/etc/sysconfig/memcached
scp -p /etc/sysconfig/memcached controller3:/etc/sysconfig/memcached
```
**注意!!!OPTIONS中的10.1.1.150改成各個節點對應的IP。**
5)在三個節點上分別啟動memcache服務并設置開機啟動動
```
systemctl enable memcached.service
systemctl restart memcached.service
systemctl status memcached.service
```
6)配置`/etc/keystone/keystone.conf`文件
```
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
>/etc/keystone/keystone.conf
openstack-config --set /etc/keystone/keystone.conf DEFAULT debug false
openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose true
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_endpoint http://yjscloud.com:35357
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_endpoint http://yjscloud.com:5000
openstack-config --set /etc/keystone/keystone.conf eventlet_server public_bind_host 10.1.1.150
openstack-config --set /etc/keystone/keystone.conf eventlet_server admin_bind_host 10.1.1.150
openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
openstack-config --set /etc/keystone/keystone.conf cache enabled true
openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller1:11211,controller2:11211,controller3:11211
openstack-config --set /etc/keystone/keystone.conf cache memcache_dead_retry 60
openstack-config --set /etc/keystone/keystone.conf cache memcache_socket_timeout 1
openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_maxsize 1000
openstack-config --set /etc/keystone/keystone.conf cache memcache_pool_unused_timeout 60
openstack-config --set /etc/keystone/keystone.conf catalog template_file /etc/keystone/default_catalog.templates
openstack-config --set /etc/keystone/keystone.conf catalog driver sql
openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:yjscloud@yjscloud.com/keystone
openstack-config --set /etc/keystone/keystone.conf database idle_timeout 3600
openstack-config --set /etc/keystone/keystone.conf database max_pool_size 30
openstack-config --set /etc/keystone/keystone.conf database ax_retries -1
openstack-config --set /etc/keystone/keystone.conf database max_overflow 60
openstack-config --set /etc/keystone/keystone.conf identity driver sql
openstack-config --set /etc/keystone/keystone.conf identity caching false
openstack-config --set /etc/keystone/keystone.conf fernet_tokens key_repository /etc/keystone/fernet-keys/
openstack-config --set /etc/keystone/keystone.conf fernet_tokens max_active_keys 3
openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211
openstack-config --set /etc/keystone/keystone.conf memcache dead_retry 60
openstack-config --set /etc/keystone/keystone.conf memcache socket_timeout 1
openstack-config --set /etc/keystone/keystone.conf memcache pool_maxsize 1000
openstack-config --set /etc/keystone/keystone.conf memcache pool_unused_timeout 60
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_hosts controller1:5672,controller2:5672,controller3:5672
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_userid openstack
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_password yjscloud
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_use_ssl false
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_ha_queues true
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_interval 1
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_retry_backoff 2
openstack-config --set /etc/keystone/keystone.conf oslo_messaging_rabbit rabbit_max_retries 0
openstack-config --set /etc/keystone/keystone.conf token expiration 3600
openstack-config --set /etc/keystone/keystone.conf token caching False
openstack-config --set /etc/keystone/keystone.conf token provider fernet
```
scp到其他節點,注意更改對應的IP,keystone.conf的權限應該為root:keystone
```
scp -p /etc/keystone/keystone.conf controller2:/etc/keystone/keystone.conf
scp -p /etc/keystone/keystone.conf controller3:/etc/keystone/keystone.conf
```
7)配置httpd.conf文件
```
vim /etc/httpd/conf/httpd.conf
```
修改如下配置參數(三個節點都要改):
```
ServerName controller1 #如果是controller2那就寫controller2
Listen 8080 #80->8080 haproxy里用了80,不修改啟動不了
```
8)配置keystone與httpd結合
```
vim /etc/httpd/conf.d/wsgi-keystone.conf
```
```
Listen 5002
Listen 35358
<VirtualHost *:5002>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
????WSGIProcessGroup keystone-public
????WSGIScriptAlias / /usr/bin/keystone-wsgi-public
????WSGIApplicationGroup %{GLOBAL}
????WSGIPassAuthorization On
????ErrorLogFormat "%{cu}t %M"
????ErrorLog /var/log/httpd/keystone-error.log
????CustomLog /var/log/httpd/keystone-access.log combined
????<Directory /usr/bin>
??????????Require all granted
????</Directory>??
</VirtualHost>
<VirtualHost *:35358>
??????WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
??????WSGIProcessGroup keystone-admin
??????WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
??????WSGIApplicationGroup %{GLOBAL}
??????WSGIPassAuthorization On
??????ErrorLogFormat "%{cu}t %M"
??????ErrorLog /var/log/httpd/keystone-error.log
??????CustomLog /var/log/httpd/keystone-access.log combined
??????<Directory /usr/bin>
????????????Require all granted
??????</Directory>
</VirtualHost>
```
把這個文件拷貝到另外兩個節點上;
```
scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller2:/etc/httpd/conf.d/wsgi-keystone.conf
scp -p /etc/httpd/conf.d/wsgi-keystone.conf controller3:/etc/httpd/conf.d/wsgi-keystone.conf
```
9)在controller1上設置數據庫同步
```
su -s /bin/sh -c "keystone-manage db_sync" keystone #單行輸出的警告信息可以忽略
```
10)三個節點都初始化fernet
```
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
```
11)同步三個節點fernet信息,在controller1上操作
```
scp -p /etc/keystone/fernet-keys/* controller2:/etc/keystone/fernet-keys/
scp -p /etc/keystone/fernet-keys/* controller3:/etc/keystone/fernet-keys/
scp -p /etc/keystone/credential-keys/* controller2:/etc/keystone/credential-keys/
scp -p /etc/keystone/credential-keys/* controller3:/etc/keystone/credential-keys/
```
12)三個節點啟動httpd,并設置httpd開機啟動
```
systemctl enable httpd.service
systemctl restart httpd.service
systemctl status httpd.service
systemctl list-unit-files |grep httpd.service
```
13)在controller1上創建admin用戶角色
```
keystone-manage bootstrap \
--bootstrap-password yjscloud \
--bootstrap-username admin \
--bootstrap-project-name admin \
--bootstrap-role-name admin \
--bootstrap-service-name keystone \
--bootstrap-region-id RegionOne \
--bootstrap-admin-url http://yjscloud.com:35357/v3 \
--bootstrap-internal-url http://yjscloud.com:35357/v3 \
--bootstrap-public-url http://yjscloud.com:5000/v3
```
等haproxy列表中的對于服務全部啟動時才可以執行下面的命令,否則會報錯
這樣,就可以在 openstack 命令行里使用 admin 賬號登錄了。
驗證,測試是否已配置合理:
```
openstack project list --os-username admin --os-project-name admin --os-user-domain-id default --os-project-domain-id default --os-identity-api-version 3 --os-auth-url http://yjscloud.com:5000 --os-password yjscloud
```
14)在controller1創建admin用戶環境變量,創建`/root/admin-openrc` 文件并寫入如下內容
```
vim /root/admin-openrc
```
添加以下內容:
```
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://yjscloud.com:35357/v3
```
```
scp -p /root/admin-openrc controller2:/root/admin-openrc
scp -p /root/admin-openrc controller3:/root/admin-openrc
openstack endpoint list #查看endpoint,正常情況下是有三個keystone的endpoint
```
15)在controller1上創建service項目
```
source /root/admin-openrc
openstack project create --domain default --description "Service Project" service
```
16)在controller1上創建demo項目
```
openstack project create --domain default --description "Demo Project" demo
```
17)在controller1上創建demo用戶
```
openstack user create --domain default demo --password yjscloud
# 注意:yjscloud為demo用戶密碼
```
18)在controller1創建user角色將demo用戶賦予user角色
```
openstack role create user
openstack role add --project demo --user demo user
openstack user list #查看用戶
```
19)在controller1上驗證keystone
```
unset OS_TOKEN OS_URL
openstack --os-auth-url http://yjscloud.com:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue --os-password yjscloud
openstack --os-auth-url http://yjscloud.com:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue --os-password yjscloud
````
20)在controller1上創建demo用戶環境變量,創建`/root/demo-openrc`文件并寫入下列內容:
```
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_USERNAME=demo
export OS_PROJECT_NAME=demo
export OS_PASSWORD=yjscloud
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://yjscloud.com:35357/v3
```
- 獻給我的朋友們
- 一、個人對學習的看法
- 二、運維技能圖譜
- 三、運維常用技能
- 3.1 Vim(最好用的編輯器)
- 3.2 Nginx & Tengine(Web服務)
- 1. Nginx介紹和部署
- 2. Nginx配置解析
- 3. Nginx常用模塊
- 4. Nginx 的session 一致性問題
- 3.3 Tomcat(Web中間件)
- 3.4 Keepalived(負載均衡高可用)
- 3.5 Memcache(分布式緩存)
- 3.6 Zookeeper(分布式協調系統)
- 3.7 KVM(開源虛擬化)
- 1. 虛擬化介紹
- 2. KVM基礎
- 3. 設置VNC和時間同步
- 4. kvm虛擬機快照備份
- 5. kvm虛擬機在線擴展磁盤
- 6. kvm虛擬機靜態遷移
- 7. kvm虛擬機動態遷移
- 8. kvm虛擬機存儲池配置
- 9. cpu添加虛擬化功能
- 3.8 GitLab(版本控制)
- 3.8.1 GitLab安裝與漢化
- 3.9 Jenkins(運維自動化)
- 3.10 WAF(Web防火墻)
- 3.10.1初探WAF
- 四、常用數據庫
- 4.1 MySQL(關系型數據庫)
- 1. MySQL源碼安裝
- 4.2 Mongodb(適用與大數據分析的數據庫)
- 4.3 Redis(非關系數據庫)
- 五、自動化運維工具
- 5.1 Cobbler(系統自動化部署)
- 5.2 Ansible(自動化部署)
- 5.3 Puppet(自動化部署)
- 5.4 SaltStack(自動化運維)
- 六、存儲
- 6.1 GFS(文件型存儲)
- 6.2 Ceph(后端存儲)
- 七、運維監控工具
- 7.1 對監控的理解
- 7.2 Zabbix(運維監控)
- 7.2.1 Zabbix簡介
- 7.2.2 Zabbix服務部署
- 1. Zabbix服務端部署
- 2. Zabbix客服端部署
- 3. 配置前端展示
- 4. zabbix告警配置
- 7.2.3 Zabbix監控服務
- 1. 監控網絡設備
- 2. 自定義Nginx監控
- 7.3 云鏡(安全監控)
- 7.4 ELK(日志收集展示)
- 八、運維云平臺
- 8.1 OpenStack(開源云操作系統)
- 8.1.1 OpenStack簡介
- 8.1.2 實驗架構設計
- 8.1.3 集群環境準備
- 8.1.4 controller節點部署
- 1. 安裝Mariadb Galera Cluster集群
- 2. 安裝RabbitMQ Cluster集群
- 3. 安裝Pacemaker
- 4. 安裝HAProxy
- 5. 安裝配置Keystone
- 6. 安裝配置glance
- 1. 制作鏡像模板
- 7. 安裝配置nova
- 8. 安裝配置neutron
- 1. 配置虛擬機網絡
- 9. 安裝Dashboard
- 10. 安裝配置cinder
- 8.1.5 compute節點部署
- 1. 安裝相關軟件包
- 2. 安裝Neutron
- 3. 配置cinder
- 4. 創建第一個虛擬機
- 8.1.6 OpenStack報錯處理
- 1. cinder僵尸卷刪除
- 8.1.7 快速孵化虛擬機方案
- 8.1.8 Kolla容器化部署OpenStack
- 1. 單點部署
- 2. 多節點部署
- 8.2 Tstack(騰訊云平臺)
- 8.3 K8s(微服務容器化)
- 九、運維編程技能
- 9.1 Shell(運維必會語言)
- 9.2 Python(萬能的膠水語言)
- 十、Devops運維
- 10.1 理念
- 10.2 Devops實戰