|NO.Z.00007|——————————|^^^^ 部署 ^^^^|——|OpenStack&元件.V02|--------------------------|openstack-keystone|controller節點下部署Keystone認證服務|
阿新 • • 發佈:2022-03-27
[CloudVirtualiZation:OpenStack&元件.V02] [Applications.CloudVirtualiZation] [|OpenStack|OpenStack.keystone|controller節點下部署Keystone認證服務|] [元件構建|安裝mariadb|安裝openstack-keystone.service]
一、構建實驗:IdentityService(keystone)在controller節點安裝和配置認證服務(實驗專題)
### --- (controller節點)keystone部署:基礎環境配置環境
~~~ yum源更新完成之後,yum官方的配置檔案會重新覆蓋在yum.repos.d目錄下,
~~~ 再次重新放在bak目錄下
[root@controller ~]# mv /etc/yum.repos.d/CentOS-* /etc/yum.repos.d/back/
[root@controller ~]# yum clean all ### --- 為controller節點安裝資料庫 ~~~ 安裝mariadb軟體包 [root@controller ~]# yum install -y mariadb mariadb-server MySQL-python Installed: MySQL-python.x86_64 0:1.2.3-11.el7 mariadb.x86_64 1:5.5.37-1.el7_0 mariadb-server.x86_64 1:5.5.37-1.el7_0 Dependency Installed: perl-Compress-Raw-Bzip2.x86_64 0:2.061-3.el7 perl-Compress-Raw-Zlib.x86_64 1:2.061-4.el7 perl-DBD-MySQL.x86_64 0:4.023-5.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-Data-Dumper.x86_64 0:2.145-3.el7 perl-IO-Compress.noarch 0:2.061-2.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7 Complete!
~~~ 編輯/etc/my.cnf軟體,設定繫結IP,預設資料庫引擎及預設字符集為UTF-8
[root@controller ~]# vim /etc/my.cnf
[mysqld]
bind-address = 192.168.222.5
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8~~~ 啟動資料庫並設定為開機自啟動 [root@controller ~]# systemctl start mariadb.service [root@controller ~]# systemctl enable mariadb.service
~~~ 初始化資料庫指令碼
[root@controller ~]# mysql_secure_installation
Enter current password for root (enter for none): // 直接回車
Set root password? [Y/n] y // 是否設定root密碼
New password: // 123456
Re-enter new password: // 123456
Remove anonymous users? [Y/n] y // 是否要移除匿名使用者
Disallow root login remotely? [Y/n] y // 是否禁止遠端登入,盡執行本地登入
Remove test database and access to it? [Y/n] y // 是否移除測試資料庫
Reload privilege tables now? [Y/n] y // 是否重新整理許可權[root@controller ~]# mysql -u root -p
Enter password: 123456
MariaDB [(none)]> exit### --- 安裝Messaing Server服務
~~~ 功能:協調操作和狀態資訊服務
~~~ 常用的訊息代理軟體
RabbitMQ:openstack官方推薦使用
Qpid
ZeroMQ~~~ 在controller節點安裝RabbitMQ
~~~ 安裝RabbitMQ軟體包
[root@controller ~]# yum install -y rabbitmq-server~~~ 啟動服務並設定為開機自啟動
[root@controller ~]# systemctl enable rabbitmq-server
[root@controller ~]# systemctl start rabbitmq-server
~~~ rabbitmq預設使用者名稱和密碼是guest,可以通過下列命令修改
~~~ 使用預設密碼即可,若想修改可以修改下,此環境不修改
[root@controller ~]# rabbitmqctl change_password guest new_password ### --- 配置時間同步伺服器
[root@controller ~]# yum install -y ntp
[root@compute ~]# vim /etc/ntp.conf
restrict 192.168.222.0 mask 255.255.255.0 nomodify notrap
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
[root@controller ~]# systemctl start ntpd.service
[root@controller ~]# systemctl enable ntpd.service
[root@controller ~]# ln -s '/usr/lib/systemd/system/ntpd.service' '/etc/systemd/system/multi-user.target.wants/ntpd.service'### --- DNS解析新增,測試環境推薦使用hosts檔案
[root@controller ~]# vim /etc/hosts
192.168.222.5 controller.nice.com
192.168.222.6 network.nice.com
192.168.222.10 compute1.nice.com
192.168.222.20 block1.nice.com一、配置先決條件
### --- 建立認證服務資料庫
~~~ 登入MySQL資料庫
[root@controller ~]# mysql -u root -p
~~~ 建立keystone資料庫
MariaDB [(none)]> CREATE DATABASE keystone;
~~~ 建立keystone資料庫使用者,使其可以對keystone資料庫有完全控制權限
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.*TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.*TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';### --- 生成一個隨機值作為管理令牌在初始配置
~~~ 作為管理員的令牌
[root@controller ~]# openssl rand -hex 10:
f387c7cfa0ba649f7b3a ### --- 安裝軟體包
[root@controller ~]# yum install openstack-keystone python-keystoneclient### --- 編輯/etc/keystone/keyston.conf檔案並作下列修改:
~~~ 修改[DEFAULT]小節,定義初始管理令牌
[root@controller ~]# vim /etc/keystone/keystone.conf
[DEFAULT]
......
admin_token=f387c7cfa0ba649f7b3a # 管理員的token令牌環;
# 修改[database]小節,配置資料庫訪問
[database]
......
connection=mysql://keystone:[email protected]/keystone
# mysql資料庫;使用者是keystone密碼是KEYSTONE_DBPASS連線的主機是controller.nice.com連線的庫是keystone
# 修改[token]小節,配置UUID提供者和SQL驅動
[token]
......
provider=keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
# (可選)開啟詳細日誌,協助故障排除
[DEFAULT]
......
verbose=True### --- 常見通用證書的祕鑰,並限制相關檔案的訪問許可權
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# chown -R keystone:keystone /var/log/keystone // 給日誌存放目錄設定keystone使用者許可權
[root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl // 給祕鑰存放目錄設定keystone使用者許可權
[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl // 祕鑰存放路徑把其它的許可權全部減去,這樣祕鑰會更加安全### --- 初始化keystone資料庫
~~~ 還原keystone的資料庫
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone ~~~ use到keystone的資料庫
[root@controller ~]# mysql -uroot -p
Enter password:
MariaDB [(none)]> USE keystone
MariaDB [keystone]> show tables;
+-----------------------+
| Tables_in_keystone |
+-----------------------+
| assignment |
| credential |
| domain |
| endpoint |
| group |
| id_mapping |
| migrate_version |
| policy |
| project |
| region |
| revocation_event |
| role |
| service |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
+-----------------------+
18 rows in set (0.00 sec)### --- 完成安裝
~~~ 啟動identity服務並設定開機啟動
[root@controller ~]# systemctl enable openstack-keystone.service // 設定開機自啟keystone服務
[root@controller ~]# systemctl start openstack-keystone.service // 開啟keystone服務~~~ 預設情況下,伺服器會無限儲存到期的令牌,在資源有限的情況下嚴重影響伺服器效能,
~~~ 建議用計劃任務,每小時刪除過期的令牌
[root@controller ~]# (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
[root@controller ~]# vim /var/spool/cron/keystone // 檢視檔案配置是否OK
@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1四、建立tenants(租戶)、(users)使用者和(roles)角色
### --- 配置先決條件
~~~ 配置管理員令牌
~~~ /export OS_SERVICE_TOKEN=剛才生成的字串
[root@controller ~]# export OS_SERVICE_TOKEN=f387c7cfa0ba649f7b3a
~~~ 配置端點
[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller.nice.com:35357/v2.0### --- 建立用於管理的租戶,使用者和角色
### --- 建立租戶,使用者和角色
~~~ 建立admin租戶
[root@controller ~]# keystone tenant-create --name admin --description "Admin Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin Tenant |
| enabled | True |
| id | 7bce6e7e6d724ad188e4f70ad9d51e17 |
| name | admin |
+-------------+----------------------------------+~~~ 建立admin使用者
[root@controller ~]# keystone user-create --name admin --pass ADMIN_PASS --email EMALL_ADDRESS
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | EMALL_ADDRESS |
| enabled | True |
| id | ecc6ddd5697541388c24741d4634eff6 |
| name | admin |
| username | admin |
+----------+----------------------------------+~~~ 建立admin角色
[root@controller ~]# keystone role-create --name admin
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 8b42b1db8489443b848b88a3d30d7696 |
| name | admin |
+----------+----------------------------------+~~~ 新增admin租戶和使用者到admin角色
[root@controller ~]# keystone user-role-add --tenant admin --user admin --role admin
~~~ 建立用於dashboard訪問的“_member_"角色
~~~ dashboard是以BS結構訪問它的主題程式,
~~~ 所以在這裡使用member去繫結的話就可以訪問它的儀表盤套件
[root@controller ~]# keystone role-create --name _member_
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 3c686557c49945c694219ca8f1bc9db2 |
| name | _member_ |
+----------+----------------------------------+~~~ 新增admin租戶和使用者到_member_角色
~~~ 它倆就都可以去訪問儀表盤套件
[root@controller ~]# keystone user-role-add --tenant admin --user admin --role _member_ ### --- 建立一個用於演示的demo租戶和使用者
~~~ 建立demo租戶
[root@controller ~]# keystone tenant-create --name demo --description "Demo Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Demo Tenant |
| enabled | True |
| id | 5f158b7cfb7448d18921158f9c92918f |
| name | demo |
+-------------+----------------------------------+~~~ 建立demo使用者
[root@controller ~]# keystone user-create --name demo --pass DEMO_PASS --email EMALL_ADDRESS
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | EMALL_ADDRESS |
| enabled | True |
| id | a98a737625214eadb3e19a80bc6f4011 |
| name | demo |
| username | demo |
+----------+----------------------------------+~~~ 新增demo租戶和使用者到_member_角色
~~~ 他也可以訪問儀表盤套件
[root@controller ~]# keystone user-role-add --tenant demo --user demo --role _member_### --- OpenStack服務也需要一個租戶,使用者和角色和其他服務進行互動,
~~~ 因此我們建立一個service的租戶,任何一個OpenStack服務都要和它關聯
[root@controller ~]# keystone tenant-create --name service --description "Service Tenant"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | True |
| id | 48bee3be288e477889d404a41a0b6f33 |
| name | service |
+-------------+----------------------------------+### --- 建立服務實體(keystone能夠提供的服務的名稱)和API端點(提供該服務的伺服器)
### --- 在openstack環境中,identity服務管理一個服務目錄,
~~~ 並使用這個目錄在openstack環境中定位其他服務
~~~ 為identity服務建立一個服務實體
~~~ 名稱為:keystone名稱可以隨便起的;只要--type為identity就可以代表這是一個認證服務。
~~~ --description描述資訊為 "Openstack Identity"
[root@controller ~]# keystone service-create --name keystone --type identity --description "Openstack Identity"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Openstack Identity |
| enabled | True |
| id | 9349d2072a3b4e739eeaddd313790b89 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+### --- OpenStack環境中,identity服務管理目錄以及與服務相關API斷點,
~~~ 服務使用這個目錄來溝通其他服務
~~~ OpenStack為每個服務提供了三個API端點,admin(管理)internal(內部),
~~~ public(公共)為identity服務建立API端點
~~~ 通過服務的ID好去繫結的,ID號查詢:
~~~ 測試,非操作環節
[root@controller ~]# keystone service-list |awk '/identity/{print $2}'
9349d2072a3b4e739eeaddd313790b89~~~ --publicurl:公共的訪問端點:用於web使用者
~~~ --internalurl:是內網的訪問端點:用於元件之間
~~~ --adminurl:管理員訪問端點:用於管理員
~~~ --region regionOne
[root@controller ~]# keystone endpoint-create \
> --service-id $(keystone service-list | awk '/ identity / {print $2}') \
> --publicurl http://controller.nice.com:5000/v2.0 \
> --internalurl http://controller.nice.com:5000/v2.0 \
> --adminurl http://controller.nice.com:35357/v2.0 \
> --region regionOne
+-------------+---------------------------------------+
| Property | Value |
+-------------+---------------------------------------+
| adminurl | http://controller.nice.com:35357/v2.0 |
| id | 34b1af6555d1405fa9139fcd752a8969 |
| internalurl | http://controller.nice.com:5000/v2.0 |
| publicurl | http://controller.nice.com:5000/v2.0 |
| region | regionOne |
| service_id | 9349d2072a3b4e739eeaddd313790b89 |
+-------------+---------------------------------------+### --- 確認操作
### --- 刪除OS_SERVICE_TOKEN和OS_SERVICE_ENDPOINT臨時變數
~~~ 刪除剛才的環境變數
[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT ### --- 使用admin租戶和使用者請求認證令牌
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http://controller.nice.com:35357/v2.0 token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2021-01-10T01:23:06Z |
| id | 50d83a396a184b2cbdf5e666c1eb417a |
| tenant_id | 7bce6e7e6d724ad188e4f70ad9d51e17 |
| user_id | ecc6ddd5697541388c24741d4634eff6 |
+-----------+----------------------------------+### --- 以admin租戶和使用者的身份檢視租戶列表
~~~ 有返回值的話說明許可權是沒有問題的
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http://controller.nice.com:35357/v2.0 tenant-list
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| 7bce6e7e6d724ad188e4f70ad9d51e17 | admin | True |
| 5f158b7cfb7448d18921158f9c92918f | demo | True |
| 48bee3be288e477889d404a41a0b6f33 | service | True |
+----------------------------------+---------+---------+### --- 以admin租戶和使用者的身份檢視使用者列表
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http://controller.nice.com:35357/v2.0 user-list
+----------------------------------+-------+---------+---------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+---------------+
| ecc6ddd5697541388c24741d4634eff6 | admin | True | EMALL_ADDRESS |
| a98a737625214eadb3e19a80bc6f4011 | demo | True | EMALL_ADDRESS |
+----------------------------------+-------+---------+---------------+### --- 以admin租戶和使用者的身份檢視角色列表
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS --os-auth-url http://controller.nice.com:35357/v2.0 role-list
+----------------------------------+----------+
| id | name |
+----------------------------------+----------+
| 3c686557c49945c694219ca8f1bc9db2 | _member_ |
| 8b42b1db8489443b848b88a3d30d7696 | admin |
+----------------------------------+----------+### --- 以demo租戶和使用者的身份請求認證令牌
[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS --os-auth-url http://controller.nice.com:35357/v2.0 token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2021-01-10T01:27:33Z |
| id | 93441477f60a476faef77c7b17b4acec |
| tenant_id | 5f158b7cfb7448d18921158f9c92918f |
| user_id | a98a737625214eadb3e19a80bc6f4011 |
+-----------+----------------------------------+### --- 以demo租戶和使用者的身份檢視使用者列表
[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS --os-auth-url https://controller.nice.com:35357/v2.0 user-list
Authorization Failed: SSL exception connecting to https://controller.nice.com:35357/v2.0/tokens //報錯,獲取不到,說明正常,若可獲取,說明配置錯誤### --- 建立openstack客戶端環境指令碼
~~~ 為了方便使用上面的環境變數和命令選項,我們為admin和demo租戶和使用者建立環境指令碼
~~~ 編輯admin-openrc.sh
[root@controller ~]# vim admin-openrc.sh // 教程命名為admin.sh
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller.nice.com:35357/v2.0### --- 編輯demo-openrc.sh
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller.nice.com:5000/v2.0### --- 載入客戶端環境指令碼
~~~ 載入admin的環境變數,這樣我們的環境就切換到admin使用者下了。
[root@controller ~]# source admin-openrc.sh ===============================END===============================
Walter Savage Landor:strove with none,for none was worth my strife.Nature I loved and, next to Nature, Art:I warm'd both hands before the fire of life.It sinks, and I am ready to depart ——W.S.Landor
來自為知筆記(Wiz)