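Set up time synchronization:

Time synchronization is very important for OpenStack, so make sure the time on all service nodes is consistent. Synchronize the time as follows:

timedatectl list-timezones | grep Shanghai   # list the matching time zones
timedatectl set-timezone Asia/Shanghai       # set the time zone
timedatectl set-local-rtc yes                # replace the boolean with yes to use local time, or with no to use UTC
ntpdate time1.aliyun.com                     # synchronize the time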

Start the database service

[root@linux-node1 ~]# systemctl enable mariadb.service # enable start at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@linux-node1 ~]# systemctl start mariadb.service # start the database
[root@linux-node1 ~]# mysql_secure_installation # initialize and set the root password
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none): 
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
 ... Success!
Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
 ... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
 ... Success!
Cleaning up...
All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!

Configure the RabbitMQ message queue

[root@linux-node1 ~]# systemctl enable rabbitmq-server.service # enable start at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
[root@linux-node1 ~]# systemctl start rabbitmq-server.service # start the message queue
[root@linux-node1 ~]# rabbitmqctl add_user openstack openstack # add the openstack user and its password to the message queue
Creating user "openstack" ...
[root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*" # grant the openstack user permissions on the message queue
Setting permissions for user "openstack" in vhost "/" ...
[root@linux-node1 ~]# rabbitmq-plugins list # list the message queue plugins
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status:   * = running on rabbit@linux-node1
 |/
[  ] amqp_client                       3.6.5
[  ] cowboy                            1.0.3
[  ] cowlib                            1.0.1
[  ] mochiweb                          2.13.1
[  ] rabbitmq_amqp1_0                  3.6.5
[  ] rabbitmq_auth_backend_ldap        3.6.5
[  ] rabbitmq_auth_mechanism_ssl       3.6.5
[  ] rabbitmq_consistent_hash_exchange 3.6.5
[  ] rabbitmq_event_exchange           3.6.5
[  ] rabbitmq_federation               3.6.5
[  ] rabbitmq_federation_management    3.6.5
[  ] rabbitmq_jms_topic_exchange       3.6.5
[  ] rabbitmq_management               3.6.5
[  ] rabbitmq_management_agent         3.6.5
[  ] rabbitmq_management_visualiser    3.6.5
[  ] rabbitmq_mqtt                     3.6.5
[  ] rabbitmq_recent_history_exchange  1.2.1
[  ] rabbitmq_sharding                 0.1.0
[  ] rabbitmq_shovel                   3.6.5
[  ] rabbitmq_shovel_management        3.6.5
[  ] rabbitmq_stomp                    3.6.5
[  ] rabbitmq_top                      3.6.5
[  ] rabbitmq_tracing                  3.6.5
[  ] rabbitmq_trust_store              3.6.5
[  ] rabbitmq_web_dispatch             3.6.5
[  ] rabbitmq_web_stomp                3.6.5
[  ] rabbitmq_web_stomp_examples       3.6.5
[  ] sockjs                            0.3.4
[  ] webmachine                        1.10.3
[root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management # enable the message queue management plugin
The following plugins have been enabled:
  mochiweb
  webmachine
  rabbitmq_web_dispatch
  amqp_client
  rabbitmq_management_agent
  rabbitmq_management
Applying plugin configuration to rabbit@linux-node1... started 6 plugins.
[root@linux-node1 ~]# systemctl restart rabbitmq-server.service # restart the message queue service

    Verify the message queue service

[root@linux-node1 ~]# lsof -i :15672
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
beam.smp 6370 rabbitmq   53u  IPv4  37357      0t0  TCP *:15672 (LISTEN)
Open 192.168.56.11:15672 in a browser and log in with the guest account and the password guest.

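Keystone identity service

As of the N release, Keystone uses the V3 API. Keystone mainly involves the following concepts:

User: a consumer of the services, which can be a person, a service or a system. Anything that uses OpenStack services can be called a user.

Project (tenant): a tenant can be understood as the collection of resources owned by a person, project or organization. A tenant can contain many users, and those users use the tenant's resources according to the permissions assigned to them.

Role: used to assign operation permissions. A role can be assigned to a user so that the user obtains the operation permissions that go with the role.

Token: after successful authentication, Keystone generates a bit string or character string that serves as the token for accessing resources. The token carries the scope of the resources it can access and its validity period.

New features of the Keystone V3 API

Keystone V3 brings many changes and improvements; the more important ones are described here:

  • Tenant is renamed to Project

  • The Domain concept is introduced

  • The Group concept is introduced

Renaming Tenant to Project and adding the Domain concept above it gives a better mapping between the real world and cloud services.

V3 uses Domains to implement a true multi-tenancy architecture, with the Domain acting as the higher-level container for Projects. A cloud customer is the owner of a Domain and can create multiple Projects, Users, Groups and Roles in its own Domain. With Domains, a cloud customer can manage all of its Projects together instead of managing each Project separately as before.

A Group is a container for a set of Users. Users can be added to a Group and roles can be assigned directly to the Group, so that every user in the Group holds the role permissions of the Group. By introducing Groups, Keystone V3 supports user group management, so the permissions of a set of users can be managed at once. This differs from V2, where a Role was assigned directly to a User/Project, and makes managing the cloud service more convenient.

Figure: Relationship between Domain, Group, Project, User and Role (taken from the web)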

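Create the databases and users

Create the databases and users in MariaDB (for convenience, the accounts for the services used later, such as cinder, glance and neutron, are created here as well):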

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
CREATE DATABASE glance;
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
CREATE DATABASE nova;
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE nova_api;
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
CREATE DATABASE cinder;
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';

Execution:

[root@linux-node1 ~]# mysql -uroot -p
Enter password: # use the password set during initialization
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE glance;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE nova;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE nova_api;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE neutron;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> CREATE DATABASE cinder;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| cinder             |
| glance             |
| information_schema |
| keystone           |
| mysql              |
| neutron            |
| nova               |
| nova_api           |
| performance_schema |
+--------------------+
9 rows in set (0.00 sec)
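
A variant of the statements above that gives each service account its own random password and limits the remote grant to the management subnet instead of '%'. This is an added example, not part of the original post; the function names, the output file name and the 192.168.56.% host pattern (derived from the 192.168.56.11 address used on this page) are assumptions.

```shell
#!/bin/sh
# Added example: emit the CREATE DATABASE / GRANT statements for the service
# databases on this page with one random password per account and the remote
# grant limited to a subnet pattern instead of '%'.

# Assumption: the management network is 192.168.56.0/24 (the page uses 192.168.56.11).
DB_HOST_PATTERN="${DB_HOST_PATTERN:-192.168.56.%}"

# 32 hex characters (128 bits) from the kernel CSPRNG; hex needs no SQL escaping.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the SQL for one database/account pair.
# $1 = database, $2 = account, $3 = password
grant_sql() {
    # Identifiers are pasted into SQL, so accept lowercase letters and "_" only.
    case "$1" in ''|*[!a-z_]*) echo "bad database name" >&2; return 1 ;; esac
    case "$2" in ''|*[!a-z_]*) echo "bad account name" >&2; return 1 ;; esac
    # Passwords must be plain hex so that they cannot break out of the quotes.
    case "$3" in ''|*[!0-9a-f]*) echo "bad password" >&2; return 1 ;; esac
    printf "CREATE DATABASE IF NOT EXISTS %s;\n" "$1"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" \
        "$1" "$2" "$3"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$1" "$2" "$DB_HOST_PATTERN" "$3"
}

# Print the SQL for every service on this page. nova_api belongs to the nova
# account, as in the original statements, so it reuses nova's password.
all_grants() {
    for acct in keystone glance nova neutron cinder; do
        pw=$(gen_password) || return 1
        grant_sql "$acct" "$acct" "$pw" || return 1
        if [ "$acct" = nova ]; then
            grant_sql nova_api nova "$pw" || return 1
        fi
    done
}

# Usage (hypothetical file name; umask keeps the file readable by root only):
#   umask 077; all_grants > /root/openstack-grants.sql
#   mysql -uroot -p < /root/openstack-grants.sql
```

The generated passwords then have to be used in each service's connection = line in place of the account name.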

Keystone configuration file

[root@linux-node1 ~]# grep -n '^[a-z]' /etc/keystone/keystone.conf 
640:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1472:servers = 192.168.56.11:11211 # memcached server address
2655:provider = fernet # token provider
2665:driver = memcache # use memcache as the driver; the default is sql

Initialize the database and configure memcache

su -s /bin/sh -c "keystone-manage db_sync" keystone


Verify that the initialization succeeded:

[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+

Install memcached

yum install memcached python-memcached
vim /etc/sysconfig/memcached
[root@linux-node1 ~]# cat /etc/sysconfig/memcached 
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 192.168.56.11,::1"

Use keystone-manage to generate the data required for token authentication:

[root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone 
[root@linux-node1 keystone]#  keystone-manage credential_setup --keystone-user keystone --keystone-group keystone 
[root@linux-node1 keystone]# keystone-manage bootstrap --bootstrap-password admin \
> --bootstrap-admin-url http://192.168.56.11:35357/v3/ \
> --bootstrap-internal-url http://192.168.56.11:35357/v3/ \
> --bootstrap-public-url http://192.168.56.11:5000/v3/ \
> --bootstrap-region-id RegionOne

Configure the Apache service

[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf # edit the configuration file
95 ServerName 192.168.56.11:80
Create the symbolic link:
[root@linux-node1 keystone]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start the service:
[root@linux-node1 keystone]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 keystone]# systemctl start httpd.service
[root@linux-node1 keystone]# 
[root@linux-node1 keystone]# lsof -i :80
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   22891   root    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
httpd   22902 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
httpd   22906 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
httpd   22907 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
httpd   22908 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
httpd   22909 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
Set the environment variables:
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
Install the OpenStack client; without it the openstack command is not available:
yum install -y python-openstackclient 
After the installation, run the following commands to verify:
[root@linux-node1 keystone]# openstack user list  # list users
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| b84c1614b79b40278e02bd6ed034cc6f | admin |
+----------------------------------+-------+
[root@linux-node1 keystone]# openstack role list # list roles
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 9b0ba78cf70048efa8659220a3cebd06 | admin |
+----------------------------------+-------+
[root@linux-node1 keystone]# openstack project list # list projects
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 7ae0fb7deb5342d885a07c2c890a1ff4 | admin |
+----------------------------------+-------+
[root@linux-node1 keystone]# openstack endpoint list # list endpoints
+---------------+-----------+--------------+--------------+---------+-----------+------------------+
| ID            | Region    | Service Name | Service Type | Enabled | Interface | URL              |
+---------------+-----------+--------------+--------------+---------+-----------+------------------+
| 65f66a71d4624 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.5 |
| 2a0a80a0de1b6 |           |              |              |         |           | 6.11:35357/v3/   |
| 503929        |           |              |              |         |           |                  |
| 71f801be8bc54 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.5 |
| 7aca380c81b79 |           |              |              |         |           | 6.11:35357/v3/   |
| 6b240a        |           |              |              |         |           |                  |
| b1caff56f31f4 | RegionOne | keystone     | identity     | True    | public    | http://192.168.5 |
| dfabe5a8418c6 |           |              |              |         |           | 6.11:5000/v3/    |
| 5e2839        |           |              |              |         |           |                  |
+---------------+-----------+--------------+--------------+---------+-----------+------------------+

Create the projects:

[root@linux-node1 keystone]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 7f240473406147b99463f32b876bf69d |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+

Apart from the id, which will differ from mine, the output should be essentially the same.

Check that it was created:

[root@linux-node1 keystone]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 7ae0fb7deb5342d885a07c2c890a1ff4 | admin   |
| 7f240473406147b99463f32b876bf69d | service |
+----------------------------------+---------+

Create the demo project:

[root@linux-node1 keystone]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9b913d25891849baa55b21d837e9b63d |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+

Verify that it was created:

[root@linux-node1 keystone]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 7ae0fb7deb5342d885a07c2c890a1ff4 | admin   |
| 7f240473406147b99463f32b876bf69d | service |
| 9b913d25891849baa55b21d837e9b63d | demo    |
+----------------------------------+---------+

Create the user

[root@linux-node1 keystone]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | f0c69bad72b54e0daef92c2295425932 |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| b84c1614b79b40278e02bd6ed034cc6f | admin |
| f0c69bad72b54e0daef92c2295425932 | demo  |
+----------------------------------+-------+

Create the role:

[root@linux-node1 keystone]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | f53267146a6449b797393f7fc5d23e10 |
| name      | user                             |
+-----------+----------------------------------+
[root@linux-node1 keystone]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 9b0ba78cf70048efa8659220a3cebd06 | admin |
| f53267146a6449b797393f7fc5d23e10 | user  |
+----------------------------------+-------+

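Add the user to the project and grant it a role

[root@linux-node1 keystone]# openstack role add --project demo --user demo user # add the demo user to the demo project with the user role
Here I also create the users for the services used later and assign each of them its role: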
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 8dc6f28207b64e6d845a444a2ba18205 |
| name                | glance                           |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user glance admin
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | db596da4ed8f47ab9dc7fa77d3bc8c6c |
| name                | nova                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user nova admin
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | c0f9c52898ad4d4f88254a01c458eb27 |
| name                | neutron                          |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user neutron admin
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt cinder
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | e5dbdde24a7340edb8bd3f498f9d28b5 |
| name                | cinder                           |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@linux-node1 keystone]# openstack role add --project service --user cinder admin

Verify Keystone

    Verify the user:

unset OS_AUTH_URL OS_PASSWORD  # clear the environment variables set earlier
[root@linux-node1 keystone]# openstack \
> --os-auth-url http://192.168.56.11:35357/v3 \
> --os-project-domain-name default \
> --os-user-domain-name default \
> --os-project-name admin \
> --os-username admin token issue
Password: # if the output below appears after entering the password, the user is working
+------------+---------------------------------------------------------------------------------------+
| Field      | Value                                                                                 |
+------------+---------------------------------------------------------------------------------------+
| expires    | 2016-12-28 11:05:46+00:00                                                             |
| id         | gAAAAABYY456xFHiZSMnQ7x88FxUJjuu3uO8xRLh_soTSgyf3KzMv0nY3s4wn1diFlJ7d2qjPub0iftlOKUnZ |
|            | z9QYPMUGhfxguZhEHWQtufNQNxZD9r8ekluU0XjCdrdnBU-fs3IM6EmJt3O1Sl-                       |
|            | Nw4G40uh0xatMkxI6bmrG3fRkCrcLga6Cx4                                                   |
| project_id | 7ae0fb7deb5342d885a07c2c890a1ff4                                                      |
| user_id    | b84c1614b79b40278e02bd6ed034cc6f                                                      |
+------------+---------------------------------------------------------------------------------------+
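
With provider = fernet, the token id is a Fernet token: after base64url decoding, the first byte is the version (0x80) and the next eight bytes are the creation time as a big-endian Unix timestamp, stored unencrypted. The added example below (not part of the original post; the function and variable names are my own) reads that timestamp from the first 12 characters of the token shown above and compares it with the expires field.

```shell
#!/bin/sh
# Added example: read the creation time stored in clear in the header of a
# Fernet token (version byte 0x80 + 64-bit big-endian Unix timestamp).

# Print the first 9 decoded bytes of a token as 18 hex digits.
# Only the first 12 base64url characters are needed (12 chars = 9 bytes).
fernet_header_hex() {
    printf '%s' "$1" | cut -c1-12 | tr '_-' '/+' | base64 -d 2>/dev/null \
        | od -An -v -tx1 | tr -d ' \n'
}

# Print the creation time (Unix seconds) of a token; fail when the header
# is not a Fernet header.
fernet_issued_at() {
    hex=$(fernet_header_hex "$1")
    [ "${#hex}" -eq 18 ] || return 1
    case "$hex" in
        80*) ;;            # version byte must be 0x80
        *) return 1 ;;
    esac
    # The remaining 16 hex digits are the timestamp.
    echo $(( 0x${hex#80} ))
}

# Seconds between token creation and its expiry.
# $1 = token, $2 = expiry as Unix seconds
fernet_lifetime() {
    issued=$(fernet_issued_at "$1") || return 1
    echo $(( $2 - issued ))
}

# Difference between a reference clock and the token's creation time. For a
# token requested a moment ago, more than a few seconds means the clocks of
# this host and the Keystone node disagree (one cause of the 401 errors).
# $1 = token, $2 = reference time in Unix seconds (default: now)
clock_skew() {
    issued=$(fernet_issued_at "$1") || return 1
    now=${2:-$(date +%s)}
    echo $(( now - issued ))
}

# First 12 characters of the token id in the "token issue" output above.
PAGE_TOKEN_PREFIX='gAAAAABYY456'
# "expires 2016-12-28 11:05:46+00:00" from the same output, as Unix seconds.
PAGE_EXPIRES=1482923146

# fernet_issued_at "$PAGE_TOKEN_PREFIX"               -> 1482919546 (2016-12-28 10:05:46 UTC)
# fernet_lifetime "$PAGE_TOKEN_PREFIX" $PAGE_EXPIRES  -> 3600, Keystone's default token lifetime
```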

Create the environment variable scripts:

Create the admin variables

[root@linux-node1 ~]# cat admin-openstack 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Create the demo variables

[root@linux-node1 ~]# cat demo-openstack 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Load the environment variables:

source demo-openstack
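
The two credential scripts above keep the password in clear text. The added example below (not part of the original post) audits such a file for three things visible on this page: a password equal to the user name, an http:// OS_AUTH_URL, and a file mode that lets other accounts read the file. The function names and finding labels are my own, and the sample file is constructed from the admin-openstack values.

```shell
#!/bin/sh
# Added example: audit an OpenStack credential script such as admin-openstack
# or demo-openstack without sourcing it.

# Print the value of the last "export NAME=value" line for one variable.
# $1 = file, $2 = variable name
openrc_get() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 \
        | sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Print one finding per line. Returns 0 when the file is clean, 1 otherwise.
# $1 = file
audit_openrc() {
    findings=""
    user=$(openrc_get "$1" OS_USERNAME)
    pass=$(openrc_get "$1" OS_PASSWORD)
    url=$(openrc_get "$1" OS_AUTH_URL)

    # A password equal to the user name offers no protection.
    if [ -n "$pass" ] && [ "$pass" = "$user" ]; then
        findings="${findings}password-equals-username:$user
"
    fi
    # Over http:// the password and the issued token cross the network unencrypted.
    case "$url" in
        http://*) findings="${findings}cleartext-auth-url:$url
" ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        findings="${findings}readable-beyond-owner:$mode
"
    fi

    if [ -z "$findings" ]; then return 0; fi
    printf '%s' "$findings"
    return 1
}

# Constructed sample with the values of admin-openstack from this page.
demo_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
EOF
    chmod 644 "$tmp"
    rc=0
    audit_openrc "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```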

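Common Keystone errors

401  # authentication failed: the Keystone user account or password is set incorrectly, the time is not synchronized, or the project name entered is wrong
403  # the OS_token variable may not have been initialized (use the source command to load it), or the edited configuration file has not taken effect and the related service needs a restart
409  # creating a user in Keystone: the user already exists
500  # internal server error: the service configuration is wrong; read the logs and check the configuration
503  # the password of the Keystone-related account is set incorrectly; delete the affected glance account and create it again
Service failure    # the related service is not running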