① OpenStack HA cluster deployment guide (Train release): basic configuration
② OpenStack HA cluster deployment guide (Train release): Keystone
③ OpenStack HA cluster deployment guide (Train release): Glance
Part 10. Keystone cluster deployment
https://docs.openstack.org/keystone/train/install/index-rdo.html
Main functions of Keystone:
- manage users and their permissions;
- maintain the endpoints of the OpenStack services;
- authentication and authorization.
1. Configure the Keystone database
Create the database on any controller node; it is replicated to the other nodes automatically. controller01 is used as the example.
mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'Zx*****';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'Zx*****';
flush privileges;
exit
2. Install Keystone
Install Keystone on all controller nodes; controller01 is used as the example.
mod_ssl is only needed if Keystone will be accessed over HTTPS.
yum install openstack-keystone httpd python3-mod_wsgi mod_ssl -y
# back up the Keystone configuration file
cp /etc/keystone/keystone.conf{,.bak}
egrep -v '^$|^#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
3. Edit the Keystone configuration file
Wherever Keystone connects to a stateful service (the database here), point it at the resolved VIP (myvip) rather than at an individual controller.
openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
openstack-config --set /etc/keystone/keystone.conf cache enabled true
openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller01:11211,controller02:11211,controller03:11211
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:Zx*****@myvip/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
Copy the configuration file to the other two nodes:
scp -rp /etc/keystone/keystone.conf controller02:/etc/keystone/keystone.conf
scp -rp /etc/keystone/keystone.conf controller03:/etc/keystone/keystone.conf
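As an added check (example code, not part of the original post), the functions below read the HA-relevant options back out of keystone.conf and confirm they match what the text requires: the database connection goes to the VIP (myvip), memcache lists all three controllers, caching is enabled and the token provider is fernet. ini_get is a small awk reader for the section/key layout that openstack-config writes, so no crudini is needed; the file path, VIP name and memcache list are parameters, and the host extraction assumes the database password contains no '@'.

```shell
#!/bin/sh
# Added example, not from the original post: verify the HA-relevant
# keystone.conf options after running openstack-config on a controller.

# ini_get <file> <section> <key>  -> prints the value (last occurrence wins)
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" s "]"); next }
        insec && $0 ~ "^" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { if (v != "") print v }' "$1"
}

# check_keystone_ha_conf <file> <vip-host> <expected-memcache-list>
# Returns 0 when every option points where an HA deployment needs it,
# otherwise prints each problem and returns 1.
check_keystone_ha_conf() {
    conf="$1"; vip="$2"; memcache="$3"; rc=0
    conn=$(ini_get "$conf" database connection)
    # host part of mysql+pymysql://user:pass@host[:port]/db
    # (assumes the password itself contains no '@')
    host=$(printf '%s' "$conn" | sed -n 's#^[^@]*@\([^/:]*\).*#\1#p')
    if [ "$host" != "$vip" ]; then
        echo "database connection host is '$host', expected VIP '$vip'"; rc=1
    fi
    if [ "$(ini_get "$conf" cache memcache_servers)" != "$memcache" ]; then
        echo "cache memcache_servers does not list the expected controllers"; rc=1
    fi
    if [ "$(ini_get "$conf" cache enabled)" != "true" ]; then
        echo "cache is not enabled"; rc=1
    fi
    if [ "$(ini_get "$conf" token provider)" != "fernet" ]; then
        echo "token provider is not fernet"; rc=1
    fi
    return $rc
}

# Usage on a controller (paths and names as used on this page):
#   check_keystone_ha_conf /etc/keystone/keystone.conf myvip \
#       controller01:11211,controller02:11211,controller03:11211
```

Run it on every controller after the scp step; because the file is copied verbatim, a mismatch on one node means the copy was stale or edited by hand.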
4. Synchronize the Keystone database
4.1 On any controller node, populate the Keystone database
# populate the database
[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
# verify the sync
[root@controller01 ~]# mysql -uroot -pZx***** keystone -e "show tables;"
4.2 Initialize the Fernet key repositories; no error output means success
# generates the key directories and keys under /etc/keystone/
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# copy the initialized keys to the other controller nodes
scp -rp /etc/keystone/fernet-keys /etc/keystone/credential-keys controller02:/etc/keystone/
scp -rp /etc/keystone/fernet-keys /etc/keystone/credential-keys controller03:/etc/keystone/
# after the copy, fix the ownership of the key directories on the other two controller nodes (run there)
chown -R keystone:keystone /etc/keystone/credential-keys/
chown -R keystone:keystone /etc/keystone/fernet-keys/
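After copying the keys, as an added example (not from the original post), the following functions let you confirm on each controller that the Fernet and credential key directories are byte-for-byte identical across nodes and still carry the mode and owner that keystone-manage fernet_setup gave them (directory 700, key files 600, owned by keystone). The directory path is a parameter and the expected owner defaults to keystone; GNU stat and sha256sum are assumed, as on CentOS.

```shell
#!/bin/sh
# Added example, not from the original post: check that the Fernet /
# credential key repositories match across controllers and are locked down.

# key_dir_digest <dir>
# One hash over "name sha256" of every key file (sorted), so the value can be
# compared between nodes with a single string comparison.
key_dir_digest() {
    dir="$1"
    ( cd "$dir" || exit 1
      for f in *; do
          if [ -f "$f" ]; then
              printf '%s %s\n' "$f" "$(sha256sum < "$f" | cut -d' ' -f1)"
          fi
      done | sort ) | sha256sum | cut -d' ' -f1
}

# key_dir_perms_ok <dir> [owner]
# Returns 0 when the directory is mode 700 and every key file is mode 600 and
# owned by <owner> (default keystone); prints each violation otherwise.
key_dir_perms_ok() {
    dir="$1"; owner="${2:-keystone}"; rc=0
    if [ "$(stat -c '%a' "$dir")" != "700" ]; then
        echo "$dir: directory mode is $(stat -c '%a' "$dir"), expected 700"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f"); u=$(stat -c '%U' "$f")
        if [ "$mode" != "600" ]; then echo "$f: mode $mode, expected 600"; rc=1; fi
        if [ "$u" != "$owner" ]; then echo "$f: owner $u, expected $owner"; rc=1; fi
    done
    return $rc
}

# Usage on a controller (paths as used on this page):
#   key_dir_digest /etc/keystone/fernet-keys
#   key_dir_perms_ok /etc/keystone/fernet-keys && echo "permissions ok"
```

Run key_dir_digest on each controller (for example over ssh) and compare the printed values: if they differ, a token issued by one node will not validate on the others. The permission check matters because the key files are the secret that signs every token; a world-readable copy left behind by scp defeats the point of the chown step.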
5. Bootstrap the identity service
On any controller node; this creates the admin user and its password, the three API endpoints (admin, internal and public), the service entity and the region.
Note: the VIP is used here
[root@controller01 ~]# keystone-manage bootstrap --bootstrap-password Zx***** \
--bootstrap-admin-url http://10.15.253.88:5000/v3/ \
--bootstrap-internal-url http://10.15.253.88:5000/v3/ \
--bootstrap-public-url http://10.15.253.88:5000/v3/ \
--bootstrap-region-id RegionOne
5.1 Configure the HTTP server
Configure on all controller nodes; controller01 is used as the example.
5.2 Configure httpd.conf
# set ServerName to the hostname
cp /etc/httpd/conf/httpd.conf{,.bak}
sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
# each node substitutes its own IP address
##controller01
sed -i "s/Listen\ 80/Listen\ 10.15.253.163:80/g" /etc/httpd/conf/httpd.conf
##controller02
sed -i "s/Listen\ 80/Listen\ 10.15.253.195:80/g" /etc/httpd/conf/httpd.conf
##controller03
sed -i "s/Listen\ 80/Listen\ 10.15.253.227:80/g" /etc/httpd/conf/httpd.conf
5.3 Configure wsgi-keystone.conf
On all controller nodes; controller01 is used as the example.
# symlink wsgi-keystone.conf into conf.d (the sed -i edits below turn the symlink into a regular file under /etc/httpd/conf.d and leave the copy in /usr/share untouched)
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# each node substitutes its own IP address
##controller01
sed -i "s/Listen\ 5000/Listen\ 10.15.253.163:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
sed -i "s#*:5000#10.15.253.163:5000#g" /etc/httpd/conf.d/wsgi-keystone.conf
##controller02
sed -i "s/Listen\ 5000/Listen\ 10.15.253.195:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
sed -i "s#*:5000#10.15.253.195:5000#g" /etc/httpd/conf.d/wsgi-keystone.conf
##controller03
sed -i "s/Listen\ 5000/Listen\ 10.15.253.227:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
sed -i "s#*:5000#10.15.253.227:5000#g" /etc/httpd/conf.d/wsgi-keystone.conf
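The per-node sed lines above can be wrapped in one function that takes the node's address and then verifies the result; this is an added example, not from the original post. The file paths default to the locations used on this page and the IP is passed in, so the same function runs unchanged on each controller. Anchored patterns are used so that only the unqualified Listen and VirtualHost lines are rewritten and re-running it is harmless.

```shell
#!/bin/sh
# Added example, not from the original post: bind httpd and the Keystone
# WSGI vhost to one controller's address and verify the edit.

# bind_keystone_http <node-ip> [httpd.conf] [wsgi-keystone.conf]
bind_keystone_http() {
    ip="$1"
    httpd_conf="${2:-/etc/httpd/conf/httpd.conf}"
    wsgi_conf="${3:-/etc/httpd/conf.d/wsgi-keystone.conf}"
    # Anchored so that already-bound lines and commented examples are left alone.
    sed -i "s/^Listen 80$/Listen ${ip}:80/" "$httpd_conf"
    sed -i "s/^Listen 5000$/Listen ${ip}:5000/" "$wsgi_conf"
    sed -i "s/<VirtualHost \*:5000>/<VirtualHost ${ip}:5000>/" "$wsgi_conf"
}

# verify_bind <node-ip> <httpd.conf> <wsgi-keystone.conf>
# Returns 0 when both files listen on <node-ip> and no wildcard
# Listen / VirtualHost line remains; prints the first problem otherwise.
verify_bind() {
    ip="$1"; httpd_conf="$2"; wsgi_conf="$3"
    grep -q "^Listen ${ip}:80$" "$httpd_conf" \
        || { echo "httpd.conf: port 80 not bound to $ip"; return 1; }
    grep -q "^Listen ${ip}:5000$" "$wsgi_conf" \
        || { echo "wsgi-keystone.conf: Listen not bound to $ip"; return 1; }
    grep -q "<VirtualHost ${ip}:5000>" "$wsgi_conf" \
        || { echo "wsgi-keystone.conf: VirtualHost not bound to $ip"; return 1; }
    ! grep -Eq '^Listen (80|5000)$|<VirtualHost \*:' "$httpd_conf" "$wsgi_conf"
}

# Usage on controller01 (address as used on this page):
#   bind_keystone_http 10.15.253.163
#   verify_bind 10.15.253.163 /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/wsgi-keystone.conf
```

Binding to the node address instead of the wildcard is what keeps httpd from colliding with haproxy, which listens on the VIP for the same ports; verify_bind fails if a wildcard line survives, which is the case that produces an "address already in use" error at start-up.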
5.4 Start the service
On all controller nodes; make sure SELinux is disabled before starting
systemctl restart httpd.service
systemctl enable httpd.service
systemctl status httpd.service
5.5 Create the client environment scripts
On any controller node;
# The OpenStack client environment script defines the environment variables the client uses to call the OpenStack API, so they need not be passed on the command line;
# the official documentation writes the variables for the admin user and the demo project into the home directory; different user roles need different scripts;
# the scripts are normally created in the user's home directory
admin-openrc
[root@controller01 ~]# cat >> ~/admin-openrc << EOF
#admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=Zx*****
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://10.15.253.88:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
source ~/admin-openrc
# copy to the other controller nodes
scp -rp ~/admin-openrc controller02:~/
scp -rp ~/admin-openrc controller03:~/
# verify
[root@controller01 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
# the following command can also be used
openstack token issue
5.6 Create a new domain, project, user and role
On any controller node;
The Identity service provides authentication for every OpenStack service, using a combination of domains, projects, users and roles.
Create a domain
# the keystone-manage bootstrap step already created the Default domain; a new domain is created with:
openstack domain create --description "An Example Domain" example
Create the demo project
# the admin project, role and user already exist; create a new demo project
# the demo project belongs to the "default" domain
openstack project create --domain default --description "demo Project" demo
Create the demo user
A password for the new user is required: --password-prompt asks for it interactively, --password <password> is non-interactive.
openstack user create --domain default --password Zx***** demo
Create the user role
openstack role create user
List roles
openstack role list
Add the user role to the demo project and demo user
# openstack role add --project <project> --user <user> <role>
openstack role add --project demo --user demo user
Also create an environment file for the demo user
The password is the demo user's password; source this file whenever the demo user's variables are needed
demo-openrc
[root@controller01 ~]# cat >> ~/demo-openrc << EOF
#demo-openrc
export OS_USERNAME=demo
export OS_PASSWORD=Zx*****
export OS_PROJECT_NAME=demo
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://10.15.253.88:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
source ~/demo-openrc
# copy to the other controller nodes
scp -rp ~/demo-openrc controller02:~/
scp -rp ~/demo-openrc controller03:~/
# verify
openstack token issue
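Before sourcing an openrc file, as an added example (not from the original post), the function below checks that every required OS_* variable has a value and that OS_AUTH_URL is a v3 endpoint; a blank OS_PROJECT_NAME is an easy slip that makes the project-scoped token request fail with an unhelpful scope error. The variable list follows the two files above and the file path is a parameter.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an openrc file
# before "source" and "openstack token issue".

REQUIRED_OPENRC_VARS="OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION"

# openrc_value <file> <var>  -> value of the last "export VAR=..." line, unquoted
openrc_value() {
    sed -n "s/^export ${2}=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# check_openrc <file>
# Returns 0 when every required variable is set and non-empty and the auth
# URL is a v3 endpoint; prints each problem and returns 1 otherwise.
check_openrc() {
    file="$1"; rc=0
    for var in $REQUIRED_OPENRC_VARS; do
        if [ -z "$(openrc_value "$file" "$var")" ]; then
            echo "$file: $var is missing or empty"; rc=1
        fi
    done
    auth_url=$(openrc_value "$file" OS_AUTH_URL)
    case "$auth_url" in
        http://*/v3|https://*/v3|http://*/v3/|https://*/v3/) ;;
        *) echo "$file: OS_AUTH_URL should end in /v3 (got '$auth_url')"; rc=1 ;;
    esac
    if [ "$(openrc_value "$file" OS_IDENTITY_API_VERSION)" != "3" ]; then
        echo "$file: OS_IDENTITY_API_VERSION should be 3"; rc=1
    fi
    return $rc
}

# Usage (files as created on this page):
#   check_openrc ~/admin-openrc && check_openrc ~/demo-openrc && echo "openrc files ok"
```

The check reads the file rather than sourcing it, so nothing is exported into the calling shell until the file has passed.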
5.7 Verify Keystone
On any controller node; request an authentication token as the admin user, using the admin user's variables
source admin-openrc
openstack --os-auth-url http://myvip:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
On any controller node; request an authentication token as the demo user, using the demo user's variables
source demo-openrc
openstack --os-auth-url http://myvip:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
6. Configure the pcs resource
On any controller node; add the resource openstack-keystone-clone. What pcs actually controls is the httpd service run by each node's systemd unit.
[root@controller01 ~]# pcs resource create openstack-keystone systemd:httpd clone interleave=true
[root@controller01 ~]# pcs resource
* vip (ocf::heartbeat:IPaddr2): Started controller01
* Clone Set: lb-haproxy-clone [lb-haproxy]: # haproxy load balancer
* Started: [ controller01 ]
* Stopped: [ controller02 controller03 ]
* Clone Set: openstack-keystone-clone [openstack-keystone]: # keystone authentication
* Started: [ controller01 controller02 controller03 ]