老板最近直接上vmware的 openstack的研究暂停一段时间
参考
参考官方文档
sudo yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
subscription-manager repos --enable=rhel-7-server-extras-rpms
yum install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm
yum upgrade
yum install openstack-selinux
Openstack需要安装NTP来同步节点之间的各种服务, 通过在控制节点简历NTP服务可以使得同步更加精确.
2.2.1.1 安装ntp服务
yum install ntp
2.2.1.2 编辑配置文件 /etc/ntp.conf
#vim /etc/ntp.conf
#server NTP_SERVER iburst //使用Centos默认服务器即可
restrict -4 default kod notrap nomodify
restrict -6 default kod notrap nomodify
2.2.1.3 重启服务
systemctl enable ntpd.service
systemctl start ntpd.service
yum install ntp
#vim /etc/ntp.conf
server controller iburst
systemctl enable ntpd.service
systemctl start ntpd.service
yum install mariadb mariadb-server MySQL-python
# vim /etc/my.cnf.d/mariadb_openstack.cnf
[mysqld]
bind-address = node1
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
systemctl enable mariadb.service
systemctl start mariadb.service
配置root密码,和一系列初始化操作,默认全部选Y
mysql_secure_installation
Message queue用于OpenStack各个组件的通信和协作,同时OpenStack支持RabbitMQ, Qpid, and ZeroMQ等消息队列组件,我们使用RabbitMQ.
yum install rabbitmq-server
systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service
我设置密码为ada
rabbitmqctl add_user openstack ada
rabbitmqctl set_permissions openstack ".*" ".*" ".*"
基本概念:
keystone为不同的用户分配不同权限,同时为各种服务提供API接口.
1. 用户:
用户就是不同的人,公司,组织的标示.不同用户可以通过令牌来登陆,同时具有不同的访问权限.
2. 认证(Credentials)
用于验证用户权限,可以用<用户名,密码/API/服务令牌>等
3. 租户(Tenant)
租户一般为一组用户,包括用户和他们可以访问的权限,比如公司是一个租户,公司里每个员工就是用户.通过这种方式OpenStack可以为不同的企业提供服务.
4. 服务(Service)
用于提供OpenStack服务,比如navo等
5. 接口(Endpoint)
我们可以通过接口来访问不同的服务. 接口通常是一个url地址
mysql -u root -p
CREATE DATABASE keystone;
配置keystone的访问权限
以下为官网方案(实验失败),我发现mysql的加密方式有问题,用keystone死活登不进去.
我们通过密码ada来访问数据库,可以替换为其他密码
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'ada';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'ada';
我的方案:
使用phpMyAdmin建立用户keystone密码ada
//使用以下命令确认用户keystone能用密码登陆
# mysql -u keystone -p
//登陆数据库后执行一下命令来授权
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%';
exit
#openssl rand -hex 10
45cf127b9518d3ee2633
把生成的随机数记录下来,后边要用
yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached
systemctl enable memcached.service
systemctl start memcached.service
//官方方案为/etc/keystone/keystone.conf结果发现该配置文件不生效
//替换为 /usr/share/keystone/keystone-dist.conf
#vim /usr/share/keystone/keystone-dist.conf
[DEFAULT]
admin_token = 45cf127b9518d3ee2633//就是上次那个随机数
verbose = True
[database]
connection = mysql://keystone:ada@node1/keystone
[memcache]
servers = node1:11211
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /var/log/keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl
su -s /bin/sh -c "keystone-manage db_sync" keystone
#vim /etc/httpd/conf/httpd.conf
ServerName node1
#vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
# mkdir -p /var/www/cgi-bin/keystone
# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*
# restorecon /var/www/cgi-bin
# usermod -a -G keystone apache
# systemctl enable httpd.service
# systemctl start httpd.service