This article was last updated 74 days ago; the information in it may be out of date. If you find an error, please email 2639131093@qq.com
Notes
1. This tutorial builds an OpenStack Victoria platform; the virtual machines run CentOS Stream 8.
2. The tutorial covers a great deal and is complex, but also full of tricks, so pay attention to every step. Where I say a value can be changed, you may change it; everywhere else I recommend doing exactly as I do.
3. The content is roughly: base environment setup, then installation of the Keystone, Glance, Placement, Nova, Neutron and Dashboard components.
4. Password convention: every password related to the database and the message queue is set to rootroot; every OpenStack component user password is set to redhat.
5. To follow this chapter you should know: SQL DCL (user management), basic Linux commands, and basic OpenStack commands.
6. Official documentation:
OpenStack Docs: Keystone Installation Tutorial
7. Environment:
Two virtual machines, each with a single NIC, configured with a static IP and DNS.
Hostname | IP | Gateway | DNS | CPU/RAM | Disk | Role | Notes |
controller | 192.168.100.128 | 192.168.100.2 | 114.114.114.114 | 4c/6g | 100g | control node | virtualization engine enabled |
compute | 192.168.100.129 | 192.168.100.2 | 114.114.114.114 | 4c/6g | 100g | compute node | virtualization engine enabled |
Database configuration (controller node only)
Create the database and grant privileges
[root@controller ~]# mysql -u root -prootroot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.3.28-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'rootroot';
## grant the keystone user all privileges on every object in the keystone database when connecting from localhost, with password rootroot
Query OK, 0 rows affected (0.002 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'rootroot';
## grant the keystone user the same privileges when connecting from any host ('%'), with password rootroot
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.002 sec)
Install the Keystone packages
[root@controller ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
已安装:
apr-1.6.3-12.el8.x86_64
apr-util-1.6.1-9.el8.x86_64
apr-util-bdb-1.6.1-9.el8.x86_64
apr-util-openssl-1.6.1-9.el8.x86_64
centos-logos-httpd-85.8-2.el8.noarch
httpd-2.4.37-64.module_el8+965+1ad5c49d.x86_64
httpd-filesystem-2.4.37-64.module_el8+965+1ad5c49d.noarch
httpd-tools-2.4.37-64.module_el8+965+1ad5c49d.x86_64
mod_http2-1.15.7-10.module_el8+1009+c203647a.x86_64
openstack-keystone-1:18.1.0-1.el8.noarch
python-oslo-cache-lang-2.6.3-1.el8.noarch
python-oslo-concurrency-lang-4.3.1-1.el8.noarch
python-oslo-db-lang-8.4.1-1.el8.noarch
python-oslo-middleware-lang-4.1.1-2.el8.noarch
python-oslo-policy-lang-3.5.0-2.el8.noarch
python-pycadf-common-3.1.1-2.el8.noarch
python3-PyMySQL-0.10.1-2.module_el8+762+77bd8591.noarch
python3-alembic-1.4.2-5.el8.noarch
python3-amqp-2.6.1-1.el8.noarch
python3-aniso8601-8.0.0-1.el8.noarch
python3-babel-2.5.1-7.el8.noarch
python3-bcrypt-3.1.7-3.el8s.x86_64
python3-cachetools-4.2.0-1.el8s.noarch
python3-click-6.7-8.el8.noarch
python3-defusedxml-0.7.1-1.el8.noarch
python3-dns-1.15.0-12.el8.noarch
python3-editor-1.0.4-4.el8.noarch
python3-etcd3gw-0.2.5-1.el8.noarch
python3-eventlet-0.25.2-3.1.el8.noarch
python3-fasteners-0.14.1-20.el8.noarch
python3-flask-1:1.1.1-1.el8.noarch
python3-flask-restful-0.3.8-4.el8.noarch
python3-future-0.18.2-3.el8.noarch
python3-futurist-2.3.0-2.el8.noarch
python3-greenlet-0.4.13-4.el8.x86_64
python3-itsdangerous-0.24-14.el8.noarch
python3-jinja2-2.10.1-5.el8.noarch
python3-jsonschema-3.2.0-5.el8.noarch
python3-jwt-1.6.1-2.el8.noarch
python3-keystone-1:18.1.0-1.el8.noarch
python3-keystonemiddleware-9.1.0-2.el8.noarch
python3-kombu-1:4.6.11-2.el8.noarch
python3-ldap-3.3.1-2.el8.x86_64
python3-ldappool-2.4.0-5.el8.noarch
python3-migrate-0.13.0-1.el8.noarch
python3-mod_wsgi-4.6.4-5.el8.x86_64
python3-monotonic-1.5-5.el8.noarch
python3-oauthlib-2.1.0-1.el8.noarch
python3-oslo-cache-2.6.3-1.el8.noarch
python3-oslo-concurrency-4.3.1-1.el8.noarch
python3-oslo-db-8.4.1-1.el8.noarch
python3-oslo-messaging-12.5.2-1.el8.noarch
python3-oslo-middleware-4.1.1-2.el8.noarch
python3-oslo-policy-3.5.0-2.el8.noarch
python3-oslo-service-2.4.1-1.el8.noarch
python3-oslo-upgradecheck-1.1.1-2.el8.noarch
python3-osprofiler-3.4.0-2.el8.noarch
python3-passlib-1.7.2-3.el8.noarch
python3-paste-3.5.0-1.el8.noarch
python3-paste-deploy-2.1.0-3.el8.noarch
python3-pyOpenSSL-19.0.0-1.el8.noarch
python3-pyasn1-0.4.6-3.el8s.noarch
python3-pyasn1-modules-0.4.6-3.el8s.noarch
python3-pycadf-3.1.1-2.el8.noarch
python3-pyngus-2.3.0-4.el8.noarch
python3-pyrsistent-0.16.0-3.el8.x86_64
python3-pysaml2-6.1.0-1.el8.noarch
python3-qpid-proton-0.30.0-1.el8.x86_64
python3-repoze-lru-0.7-6.el8s.noarch
python3-routes-2.4.1-12.el8s.noarch
python3-scrypt-0.8.0-11.el8.x86_64
python3-sqlalchemy-1.3.2-3.module_el8+778+ea5e2816.x86_64
python3-sqlparse-0.3.1-3.el8.noarch
python3-statsd-3.2.1-16.el8.noarch
python3-tempita-0.5.1-25.el8s.noarch
python3-vine-1.3.0-4.el8.noarch
python3-webob-1.8.6-3.el8s.noarch
python3-werkzeug-1.0.1-3.el8.noarch
python3-yappi-1.2.5-1.el8.x86_64
qpid-proton-c-0.30.0-1.el8.x86_64
完毕!
Edit the configuration file
[root@controller ~]# vim /etc/keystone/keystone.conf
The file is long; search with :/database. Keep the notes on their own lines: Keystone's config parser does not strip inline comments, so anything written after the value on the same line would become part of the value.
[database]
## around line 590
connection = mysql+pymysql://keystone:rootroot@controller/keystone
[token]
## around line 2470
provider = fernet
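Finding the two options by line number is fragile (the numbers shift with every package update). As an added example that is not part of the original tutorial, the script below sets an option by section and key instead: ini_set replaces the first matching line in the section, commented out or not, and ini_get reads the active value back. The sample file written by write_sample is a constructed stand-in for the relevant parts of the packaged keystone.conf; on the controller you would point ini_set at /etc/keystone/keystone.conf.

```shell
#!/bin/sh
# Added example, not from the original tutorial: set keystone.conf options by
# section and key instead of by line number. The sample file written by
# write_sample is constructed for the demo.
set -eu

# ini_set FILE SECTION KEY VALUE
# Inside [SECTION], replace the first "KEY = ..." line, commented out or not
# (the packaged keystone.conf ships "#connection = <None>"), with an active
# "KEY = VALUE". If the section has no such line the option is appended to the
# section; if the section is missing it is appended to the end of the file.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { in_sec = 0; done = 0; found_sec = 0 }
        /^[ \t]*\[.*\][ \t]*$/ {
            # leaving the target section without having written the key
            if (in_sec && !done) { print k " = " v; done = 1 }
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_sec = (name == s); if (in_sec) found_sec = 1
            print; next
        }
        in_sec && !done {
            line = $0; sub(/^[ \t]*#*[ \t]*/, "", line)
            if (line ~ ("^" k "[ \t]*=")) { print k " = " v; done = 1; next }
        }
        { print }
        END {
            if (!found_sec) { print ""; print "[" s "]"; print k " = " v }
            else if (!done) { print k " = " v }
        }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # rewrite in place so the owner and mode of FILE are kept
    rm -f "$tmp"
}

# ini_get FILE SECTION KEY: print the active (uncommented) value; the last
# occurrence in the section wins.
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[.*\][ \t]*$/ { name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name); in_sec = (name == s); next }
        in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        END { if (val != "") print val }
    ' "$1"
}

# Constructed stand-in for the relevant parts of the packaged keystone.conf.
write_sample() {
    cat > "$1" <<'EOF'
[DEFAULT]
#debug = false

[database]
# The SQLAlchemy connection string to use to connect to the database.
#connection = <None>
#connection_recycle_time = 3600

[token]
#provider = fernet
EOF
}

# Demo: the two edits the tutorial makes, applied to the sample file.
demo() {
    f=$(mktemp)
    write_sample "$f"
    ini_set "$f" database connection 'mysql+pymysql://keystone:rootroot@controller/keystone'
    ini_set "$f" token provider fernet
    echo "connection = $(ini_get "$f" database connection)"
    echo "provider   = $(ini_get "$f" token provider)"
    rm -f "$f"
}
demo
```

Because the file is rewritten through cat rather than replaced by mv, the ownership and mode the package set on keystone.conf are preserved, which matters: the connection string carries the database password in clear text, so the file must stay unreadable to ordinary users.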
Initialize the database
[root@controller ~]# mysql -u root -prootroot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.3.28-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone
Database changed
MariaDB [keystone]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)
MariaDB [keystone]> show tables; ## notice there are no tables yet
Empty set (0.001 sec)
## Exit the MariaDB shell!!!! ##
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone ## populate the tables
[root@controller ~]# mysql -u root -p rootroot
Enter password:
ERROR 1049 (42000): Unknown database 'rootroot'
[root@controller ~]# mysql -u root -prootroot
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.3.28-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables; ## check again: now the tables exist
+------------------------------------+
| Tables_in_keystone |
+------------------------------------+
| access_rule |
| access_token |
| application_credential |
| application_credential_access_rule |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| expiring_user_group_membership |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_option |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| role_option |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+------------------------------------+
49 rows in set (0.001 sec)
Initialize the key repositories
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the identity service
[root@controller ~]# keystone-manage bootstrap --bootstrap-password rootroot \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Configure the httpd service
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
Change this part (httpd does not allow a comment after a directive on the same line, so keep the note on its own line):
#
#ServerName www.example.com:80
## the controller node's hostname
ServerName controller
#
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
## symlink so the HTTP server's configuration picks up Keystone's own config file
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl enable httpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Set environment variables
[root@controller ~]# cat <<EOF > ~/keystonerc_admin
export OS_USERNAME=admin
export OS_PASSWORD=rootroot
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export PS1='[\u@\h \W(admin)]\$ '
EOF
[root@controller ~]# source keystonerc_admin
[root@controller ~(admin)]$ ll
总用量 12
drwxr-xr-x. 2 root root 6 8月 27 23:59 公共
drwxr-xr-x. 2 root root 6 8月 27 23:59 模板
drwxr-xr-x. 2 root root 6 8月 27 23:59 视频
drwxr-xr-x. 2 root root 6 8月 27 23:59 图片
drwxr-xr-x. 2 root root 6 8月 27 23:59 文档
drwxr-xr-x. 2 root root 6 8月 27 23:59 下载
drwxr-xr-x. 2 root root 6 8月 27 23:59 音乐
drwxr-xr-x. 2 root root 6 8月 27 23:59 桌面
-rw-------. 1 root root 1250 8月 27 23:37 anaconda-ks.cfg
-rw-r--r--. 1 root root 1531 8月 27 23:59 initial-setup-ks.cfg
-rw-r--r-- 1 root root 266 8月 28 04:24 keystonerc_admin
[root@controller ~(admin)]$
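The ll output above shows keystonerc_admin as -rw-r--r--: the admin password is readable by every local account. The fernet and credential key repositories created by keystone-manage in the "Initialize the key repositories" step are the other secrets on this host. As an added example that is not part of the original tutorial, the script below writes the rc file under umask 077 so it is never world-readable, and audits a key repository for the expected modes. The temporary paths are constructed for the demo; on the controller the real targets are /root/keystonerc_admin, /etc/keystone/fernet-keys and /etc/keystone/credential-keys.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create the rc file without
# ever making it world-readable, and audit the files that hold Keystone
# secrets. All paths used by demo are constructed temporary paths.
set -eu

# write_rc FILE: same content as the tutorial's keystonerc_admin, written under
# umask 077 in a subshell so the file is -rw------- from the moment it exists
# (a chmod after "cat > file" leaves a window where the default umask applied).
write_rc() {
    (
        umask 077
        cat > "$1" <<'EOF'
export OS_USERNAME=admin
export OS_PASSWORD=rootroot
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export PS1='[\u@\h \W(admin)]\$ '
EOF
    )
}

# mode_of PATH: symbolic mode string such as -rw------- or drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_secret PATH EXPECTED: 0 when the mode matches, 1 (with a WARN line) otherwise
check_secret() {
    actual=$(mode_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
        return 0
    fi
    echo "WARN $1 is $actual, expected $2"
    return 1
}

# audit_key_repo DIR: a fernet/credential key repository must be drwx------
# and every key inside it (fernet_setup creates files named 0 and 1) -rw-------
audit_key_repo() {
    rc=0
    check_secret "$1" drwx------ || rc=1
    for key in "$1"/*; do
        [ -e "$key" ] || continue
        check_secret "$key" -rw------- || rc=1
    done
    return "$rc"
}

demo() {
    d=$(mktemp -d)
    write_rc "$d/keystonerc_admin"
    check_secret "$d/keystonerc_admin" -rw------- || true
    # a key repository shaped like the one fernet_setup creates (constructed keys)
    mkdir "$d/fernet-keys"; chmod 700 "$d/fernet-keys"
    echo constructed-key-0 > "$d/fernet-keys/0"; chmod 600 "$d/fernet-keys/0"
    echo constructed-key-1 > "$d/fernet-keys/1"; chmod 600 "$d/fernet-keys/1"
    audit_key_repo "$d/fernet-keys" || true
    rm -rf "$d"
}
demo
```

check_secret compares only the first ten characters of ls -ld, so the trailing "." that SELinux adds on CentOS (visible in the ll output) does not affect the result. The same audit applies to the keystonerc_user file created later in this tutorial.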
Create objects
Create projects
[root@controller ~(admin)]$ openstack project list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 660df1d651a940fda39757aee91856bf | admin |
+----------------------------------+-------+
[root@controller ~(admin)]$ openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 8350318c9bbf48ba83cf8b71027d264c |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~(admin)]$ openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 578eca45e7e549858c97314e3f2ec1e3 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~(admin)]$ openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 578eca45e7e549858c97314e3f2ec1e3 | service |
| 660df1d651a940fda39757aee91856bf | admin |
| 8350318c9bbf48ba83cf8b71027d264c | myproject |
+----------------------------------+-----------+
Create users
[root@controller ~(admin)]$ openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password: ## the password is redhat
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 9688822b0dcd41929430ab48335fceb2 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller ~(admin)]$ openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| cda7fc3c6ff74289b8f40e149d397710 | admin |
| 9688822b0dcd41929430ab48335fceb2 | myuser |
+----------------------------------+--------+
Create a role and associate it with the user
[root@controller ~(admin)]$ openstack role create myrole ## can be ignored; created purely for testing
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 4d4cab027e4c4268bc53cb57137ec0f3 |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
[root@controller ~(admin)]$ openstack role list ## check that the role was created
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0dbb351126844ef69cf3e7765f72f651 | reader |
| 242961b0b2e64490a7c4eb3cafc7179e | member |
| 35eb6220a4b14503b1672de9f0ffcae9 | admin |
| 4d4cab027e4c4268bc53cb57137ec0f3 | myrole |
+----------------------------------+--------+
[root@controller ~(admin)]$ openstack role assignment list --user myuser ## list the user's role assignments; the first time there should be none
[root@controller ~(admin)]$ openstack role add --project myproject --user myuser member ## give myuser the member role on myproject
[root@controller ~(admin)]$ openstack role assignment list --user myuser ## now there is one
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 242961b0b2e64490a7c4eb3cafc7179e | 9688822b0dcd41929430ab48335fceb2 | | 8350318c9bbf48ba83cf8b71027d264c | | | False |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
Verify authentication
admin user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
I accidentally exited, so the output was not captured
myuser user
[root@controller ~(admin)]$ unset OS_AUTH_URL OS_PASSWORD
[root@controller ~(admin)]$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue
[root@controller ~(admin)]$
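Both token issue commands above are a single Keystone v3 call: a POST to OS_AUTH_URL/auth/tokens with the password method, scoped to the project, and the token comes back in the X-Subject-Token response header. As an added example that is not part of the original tutorial, the script below builds that request, parses the reply, and joins the two with curl. The header dump in demo is constructed; nothing here contacts a real Keystone, and the token_issue wrapper is the only part that needs the controller.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the v3 password-auth exchange
# behind "openstack token issue". The header dump used by demo is constructed.
set -eu

# auth_body USER PASSWORD PROJECT [DOMAIN]
# JSON for POST /v3/auth/tokens: method "password", user and project both in
# DOMAIN (Default, like OS_USER_DOMAIN_NAME / OS_PROJECT_DOMAIN_NAME), scoped
# to PROJECT. Values are inserted verbatim, so they must not contain '"'.
auth_body() {
    domain=${4:-Default}
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$1" "$domain" "$2" "$3" "$domain"
}

# token_from_headers: read an HTTP response header dump on stdin and print the
# X-Subject-Token value. Keystone returns the token in that header; the JSON
# body only describes it (expiry, roles, catalog). Prints nothing on a reply
# without the header, e.g. a 401.
token_from_headers() {
    awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2; exit }'
}

# token_issue AUTH_URL USER PASSWORD PROJECT
# AUTH_URL is the OS_AUTH_URL form, e.g. http://controller:5000/v3. The body is
# piped to curl (-d @-) so the password never appears in the process list.
# Not exercised by demo: it needs a reachable controller.
token_issue() {
    auth_body "$2" "$3" "$4" |
        curl -s -D - -o /dev/null -H 'Content-Type: application/json' \
             -d @- "$1/auth/tokens" |
        token_from_headers
}

demo() {
    echo "request body for myuser on myproject:"
    auth_body myuser redhat myproject
    echo
    # constructed reply in the shape curl -D - produces; Keystone fernet tokens
    # are base64 strings beginning with gAAAAA
    printf 'HTTP/1.1 201 CREATED\r\nContent-Type: application/json\r\nX-Subject-Token: gAAAAAconstructed-token\r\n\r\n' |
        token_from_headers
}
demo
```

The returned token is as sensitive as the password it was issued for: anyone holding it acts as that user on that project until it expires, so treat the output of token_issue (and of openstack token issue) like the contents of keystonerc_admin.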
Create environment-variable scripts (controller node only)
admin user script
[root@controller ~]#
Enter:
cat <<EOF > ~/keystonerc_admin
export OS_USERNAME=admin
export OS_PASSWORD=rootroot
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W(admin)]\$ '
EOF
myuser user script
[root@controller ~]#
Enter:
cat <<EOF > ~/keystonerc_user
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=redhat
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W(myuser)]\$ '
EOF
Switching test
[root@controller ~]# source keystonerc_admin
[root@controller ~(admin)]$ source keystonerc_user
[root@controller ~(myuser)]$