Tags: openstack, openstack basic environment setup, openstack keystone
OpenStack Networking (neutron) requires a controller node, a network node and at least one compute node.
I. Physical environment deployment
1. Physical environment planning
Table 1.1. OpenStack environment deployment
II. Pre-installation setup
1.1 Configure the hostname
root@controller:~# vim /etc/hostname
controller
1.2 Configure the IP address
root@controller:~# vim /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.100.100
netmask 255.255.255.0
gateway 192.168.100.2
1.3 Configure name resolution in /etc/hosts
root@network:~# vim /etc/hosts
# controller
192.168.100.100 controller
# network
192.168.100.101 network
# compute1
192.168.100.102 compute1
2. Network Time Protocol (NTP)
2.1 Install the NTP server
root@controller:~# sudo apt-get install ntp
2.2 Configure the service in /etc/ntp.conf
server ntp.ubuntu.com iburst
restrict -4 default kod notrap nomodify
restrict -6 default kod notrap nomodify
2.3 Restart the NTP service
root@controller:~# sudo /etc/init.d/ntp restart
3. System upgrade
3.1 Add the OpenStack repository
root@controller:~# sudo apt-get install ubuntu-cloud-keyring
root@controller:~# sudo vim /etc/apt/sources.list.d/cloudarchive-kilo.list
deb http://ubuntu-cloud.archive.canonical.com/ubuntu trusty-updates/kilo main
3.2 Upgrade the packages. If the upgrade includes a new kernel, reboot the server afterwards.
root@controller:~# apt-get update
root@controller:~# sudo apt-get dist-upgrade
III. Install the database
1. Install the database packages and set the root password of the database account
root@controller:~# sudo apt-get install mariadb-server python-mysqldb
2. Configure /etc/mysql/my.cnf
bind-address = 192.168.100.100
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
3. Restart the MySQL service
root@controller:~# sudo /etc/init.d/mysql restart
 * Stopping MariaDB database server mysqld [ OK ]
 * Starting MariaDB database server mysqld [ OK ]
 * Checking for corrupt, not cleanly closed and upgrade needing tables.
4. Database security hardening
root@controller:~# mysql_secure_installation
/usr/bin/mysql_secure_installation: 379: /usr/bin/mysql_secure_installation: find_mysql_client: not found

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed!  Not critical, keep moving...
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
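The bind-address line in my.cnf and the mysql_secure_installation run above together decide who can reach the database at all. As an added check written for this article (it is not code from the original post), the following Python script parses a my.cnf and reports when bind-address is missing, is a wildcard, or differs from the controller's management address used in the article (192.168.100.100). The two sample files are constructed for the demo; the article's options are placed under the [mysqld] section, which is where the server reads them.

```python
"""Check the network exposure of a MariaDB my.cnf written as in this article.

Added example for this article; it is not code from the original post. It
parses my.cnf text and verifies that bind-address pins the server to the
controller's management address (192.168.100.100 in the article) rather than
listening on every interface. Both sample files below are constructed for the
demo; the option names are the ones the article adds, placed under the
[mysqld] section where the server reads them.
"""
import configparser

CONTROLLER_IP = "192.168.100.100"  # management address used in the article
WILDCARD_ADDRESSES = ("0.0.0.0", "::", "*")

# Constructed sample: the article's settings under [mysqld]
GOOD_MY_CNF = """
[mysqld]
bind-address = 192.168.100.100
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
"""

# Constructed sample: a common mistake, the database answers on every interface
WEAK_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
default-storage-engine = innodb
"""


def parse_my_cnf(text):
    """Parse my.cnf text; allow_no_value accepts bare flags such as innodb_file_per_table."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def audit_bind_address(text, expected_ip=CONTROLLER_IP):
    """Return a list of findings for the [mysqld] bind-address; an empty list means it passed."""
    cfg = parse_my_cnf(text)
    if not cfg.has_section("mysqld"):
        return ["no [mysqld] section found: the server settings are missing"]
    bind = cfg.get("mysqld", "bind-address", fallback=None)
    if bind is None:
        return ["bind-address missing: the server default (listen on all addresses) applies"]
    if bind in WILDCARD_ADDRESSES:
        return ["bind-address %s exposes the database on every interface" % bind]
    if bind != expected_ip:
        return ["bind-address %s is not the controller management address %s" % (bind, expected_ip)]
    return []


if __name__ == "__main__":
    for name, text in (("good", GOOD_MY_CNF), ("weak", WEAK_MY_CNF)):
        print(name, audit_bind_address(text) or "OK")
```

Run it against the real file with audit_bind_address(open("/etc/mysql/my.cnf").read()); the anonymous-user and remote-root checks that mysql_secure_installation performs need a live connection and are deliberately not duplicated here.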
IV. Install the message queue service
1. Install the packages
root@controller:~# sudo apt-get install rabbitmq-server
2. Configure the message queue service
2.1 Add the openstack user
root@controller:~# sudo rabbitmqctl add_user openstack 2015OS##
Creating user "openstack" ...
2.2 Give the openstack user read and write permissions
root@controller:~# sudo rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...
V. Install the Identity service
1. OpenStack Identity concepts
Figure 1.1 The Keystone Identity concepts
2. OpenStack Keystone identity management
Figure 1.2 The Keystone Identity Manager
3. Installation and configuration
3.1 Database configuration
3.1.1 Create the database
root@controller:~# mysql -uroot -p
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.03 sec)
3.1.2 Grant privileges on the database
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'sfzhang1109';
Query OK, 0 rows affected (0.11 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'sfzhang1109';
Query OK, 0 rows affected (0.03 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.02 sec)
3.1.3 Exit the database client
MariaDB [(none)]> exit
Bye
3.2 Generate a random value to use as the administration token during the initial configuration.
root@controller:~# openssl rand -hex 10
f7db38628bd546819169
3.3 Install and configure the Identity service
3.3.1 Prevent the keystone service from starting automatically after installation
root@controller:~# echo "manual" > /etc/init/keystone.override
3.3.2 Run the following command to install the packages
root@controller:~# sudo apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
3.3.3 Edit the keystone configuration file /etc/keystone/keystone.conf
1) In the [DEFAULT] section, configure the administration token:
[DEFAULT]
...
admin_token = f7db38628bd546819169
2) In the [database] section, configure database access:
[database]
...
connection = mysql://keystone:sfzhang1109@controller/keystone
3) In the [memcache] section, configure the memcached service:
[memcache]
...
servers = localhost:11211
4) In the [token] section, set the UUID token provider and the token persistence driver:
[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
5) In the [revoke] section, configure the SQL revocation driver:
[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
6) In the [DEFAULT] section, enable verbose logging to help with troubleshooting later:
[DEFAULT]
...
verbose = True
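After step 3.3.3 keystone.conf holds two secrets: admin_token, which authenticates as the Identity service administrator for as long as the bootstrap pipeline stays enabled, and the database password embedded in the [database] connection URL. The following Python script is an added example for this article (not code from the original post): it checks that the token looks like the output of "openssl rand -hex 10" used above (20 hex characters), extracts the credentials the connection URL exposes, and verifies the file is not readable by other users. The sample configuration is constructed from the article's fragments and is written to temporary files for the demo.

```python
"""Audit the secrets held in a keystone.conf written as in step 3.3.3.

Added example for this article, not code from the original post. keystone.conf
carries two secrets after the steps above: admin_token, which authenticates as
the Identity service administrator until the bootstrap pipeline is removed, and
the database password embedded in the [database] connection URL. The checks
below verify the token looks like "openssl rand -hex 10" output (20 hex
characters) and that the file is not readable by other users. The sample
configuration is constructed from the article's fragments; the file paths are
temporary files created for the demo.
"""
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

MIN_TOKEN_HEX_CHARS = 20  # openssl rand -hex 10 yields 20 hex characters (80 bits)

# Constructed sample mirroring the fragments configured in step 3.3.3
SAMPLE_KEYSTONE_CONF = """
[DEFAULT]
admin_token = f7db38628bd546819169
verbose = True

[database]
connection = mysql://keystone:sfzhang1109@controller/keystone

[memcache]
servers = localhost:11211

[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token

[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
"""


def load_conf(text):
    """Parse keystone.conf text (no % interpolation: option values may contain %)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_admin_token(cfg):
    """Flag a missing, short or non-hex admin_token."""
    token = cfg.get("DEFAULT", "admin_token", fallback="")
    if not token:
        return ["admin_token is not set"]
    findings = []
    if len(token) < MIN_TOKEN_HEX_CHARS:
        findings.append("admin_token is shorter than %d hex characters" % MIN_TOKEN_HEX_CHARS)
    try:
        int(token, 16)
    except ValueError:
        findings.append("admin_token is not hex; it does not look like openssl rand output")
    return findings


def database_credentials(cfg):
    """Return (user, password, host) embedded in the [database] connection URL, or None."""
    url = urlsplit(cfg.get("database", "connection", fallback=""))
    if not url.username:
        return None
    return url.username, url.password, url.hostname


def audit_file_mode(path):
    """The file holds both secrets, so it must not be readable or writable by others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        return ["%s is world-readable or world-writable (mode %o)" % (path, mode)]
    return []


def audit_keystone_conf(path):
    """Run the token and file-mode checks on one file and return all findings."""
    with open(path) as fh:
        cfg = load_conf(fh.read())
    return audit_admin_token(cfg) + audit_file_mode(path)


def write_sample(text, mode):
    """Write constructed sample text to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp(suffix="-keystone.conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    cfg = load_conf(SAMPLE_KEYSTONE_CONF)
    print("database credentials in file:", database_credentials(cfg))
    print("mode 0640:", audit_keystone_conf(write_sample(SAMPLE_KEYSTONE_CONF, 0o640)) or "OK")
    print("mode 0644:", audit_keystone_conf(write_sample(SAMPLE_KEYSTONE_CONF, 0o644)))
```

On the controller, audit_keystone_conf("/etc/keystone/keystone.conf") performs the same checks on the real file; the database credentials it reports are the ones granted in step 3.1.2, so a finding on the file mode means that password is exposed too.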
3.4 Populate the Identity service database
root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
2015-08-28 16:58:00.679 11542 INFO migrate.versioning.api [-] 43 -> 44...
2015-08-28 16:58:02.694 11542 INFO migrate.versioning.api [-] done
2015-08-28 16:58:02.694 11542 INFO migrate.versioning.api [-] 44 -> 45...
2015-08-28 16:58:02.700 11542 INFO migrate.versioning.api [-] done
2015-08-28 16:58:02.701 11542 INFO migrate.versioning.api [-] 45 -> 46...
...
3.5 Configure the Apache HTTP server
1) Edit the /etc/apache2/apache2.conf configuration file and add:
ServerName controller
2) Edit the /etc/apache2/sites-available/wsgi-keystone.conf configuration file and add:
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
3) Enable the Identity service virtual hosts.
root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
4) Create the directory structure for the WSGI components
root@controller:~# mkdir -p /var/www/cgi-bin/keystone
5) Copy the WSGI components into the /var/www/cgi-bin/keystone directory
root@controller:~# curl [URL of the keystone.py WSGI script] | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
6) Set the ownership and permissions of the directory and files
root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*
3.6 Finalize the installation
1) Restart the Apache service
root@controller:~# /etc/init.d/apache2 start
 * Starting web server apache2
2) The installation creates a SQLite database by default; since MySQL is used here, remove the SQLite database file
root@controller:~# rm -f /var/lib/keystone/keystone.db
4. Create the service entity and API endpoints
4.1 Preparation
1) Configure the administration token; the value is the admin_token set in keystone.conf
root@controller:~# export OS_TOKEN=f7db38628bd546819169
2) Configure the endpoint
root@controller:~# export OS_URL=http://controller:35357/v2.0
4.2 Create the service entity and API endpoints
1) Create the service entity for the Identity service
2) Create the API endpoints for the Identity service
5. Create tenants, users and roles
The Identity service provides authentication for every OpenStack service. Its main concepts are tenants, users and roles.
1) Create an administrative tenant, user and role for administrative operations
1.1 Create the admin tenant
root@controller:~# openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | d04d4985d62f42e2af2ddc35f442ffd9 |
| name        | admin                            |
+-------------+----------------------------------+
1.2 Create the admin user (password: admin)
root@controller:~# openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 19a358fd76014727bf0e5ef5b174c567 |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+
1.3 Create the admin role
root@controller:~# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 05616505a61c4aa78f43fba9e60ba7fc |
| name  | admin                            |
+-------+----------------------------------+
1.4 Add the admin tenant and user to the admin role
root@controller:~# openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 05616505a61c4aa78f43fba9e60ba7fc |
| name  | admin                            |
+-------+----------------------------------+
6. Verify the installation
1) For security, disable the temporary authentication token mechanism.
Edit the /etc/keystone/keystone-paste.ini configuration file and remove the admin_token_auth filter from the pipeline lines of the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
[pipeline:public_api]
pipeline = ...
[pipeline:admin_api]
pipeline = ...
[pipeline:api_v3]
pipeline = ...
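Removing admin_token_auth from the three pipelines is what actually retires the shared bootstrap token; a line left behind in any one of them keeps admin_token usable against that API. The following Python script is an added example for this article (not code from the original post): it reports which of the three sections still carry the filter and produces the corrected file text line by line, so comments and ordering in the real file are preserved. The sample keystone-paste.ini is a constructed, shortened version of the file's layout; the only filter name the logic depends on is admin_token_auth.

```python
"""Verify and fix the removal of admin_token_auth from the Keystone paste pipelines.

Added example for this article, not code from the original post. Step 6.1
removes the admin_token_auth filter from [pipeline:public_api],
[pipeline:admin_api] and [pipeline:api_v3] in keystone-paste.ini so that the
bootstrap admin_token can no longer be used against the API. The sample below
is a constructed, shortened pipeline list modelled on the file's layout.
"""
import configparser

PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
BOOTSTRAP_FILTER = "admin_token_auth"

# Constructed sample of keystone-paste.ini before step 6.1 is applied
BEFORE = """
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
"""


def load_paste(text):
    """Parse paste-deploy ini text; interpolation is off because values contain '%' elsewhere."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def pipelines_using_bootstrap_token(text):
    """Return the pipeline sections whose filter list still contains admin_token_auth."""
    cfg = load_paste(text)
    hits = []
    for section in PIPELINES:
        if not cfg.has_section(section):
            continue
        filters = cfg.get(section, "pipeline", fallback="").split()
        if BOOTSTRAP_FILTER in filters:  # exact token match, not a substring test
            hits.append(section)
    return hits


def remove_bootstrap_filter(text):
    """Return the ini text with admin_token_auth dropped from the three pipeline lines."""
    out = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
        elif current in PIPELINES and stripped.startswith("pipeline") and "=" in line:
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != BOOTSTRAP_FILTER]
            line = "%s= %s" % (key, " ".join(filters))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", pipelines_using_bootstrap_token(BEFORE))
    fixed = remove_bootstrap_filter(BEFORE)
    print("after: ", pipelines_using_bootstrap_token(fixed))
```

To check a controller, call pipelines_using_bootstrap_token(open("/etc/keystone/keystone-paste.ini").read()); an empty list means step 6.1 took effect, and remove_bootstrap_filter yields the text to write back when it did not.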
2) Unset the temporary OS_TOKEN and OS_URL environment variables
root@controller:~# unset OS_TOKEN OS_URL
3) As the admin user, request an authentication token from the version 2.0 API
root@controller:~# openstack --os-auth-url http://controller:35357 \
> --os-project-name admin --os-username admin --os-auth-type password \
> token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-08-31T08:22:23Z             |
| id         | 87e7b6778d1649a5a64415d41b7645dc |
| project_id | d04d4985d62f42e2af2ddc35f442ffd9 |
| user_id    | 19a358fd76014727bf0e5ef5b174c567 |
+------------+----------------------------------+
4) As the admin user, list the tenants known to the Identity service
root@controller:~# openstack --os-auth-url http://controller:35357 \
> --os-project-name admin --os-username admin --os-auth-type password \
> project list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| d04d4985d62f42e2af2ddc35f442ffd9 | admin |
+----------------------------------+-------+
5) As the admin user, list the users known to the Identity service
root@controller:~# openstack --os-auth-url http://controller:35357 \
> --os-project-name admin --os-username admin --os-auth-type password \
> user list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 19a358fd76014727bf0e5ef5b174c567 | admin |
+----------------------------------+-------+
6) As the admin user, list the roles known to the Identity service
root@controller:~# openstack --os-auth-url http://controller:35357 \
> --os-project-name admin --os-username admin --os-auth-type password \
> role list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 05616505a61c4aa78f43fba9e60ba7fc | admin |
+----------------------------------+-------+
7. Create the OpenStack client environment script
1) Create the script file admin-openrc.sh. An administrator uses port 35357; a regular user uses port 5000.
root@controller:~# cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
2) Load the client environment script
root@controller:~# source admin-openrc.sh
3) Request an authentication token
root@controller:~# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-08-31T09:33:20.091020Z      |
| id         | 1c0d3fc7cfb94e76b9cf5a7548436580 |
| project_id | d04d4985d62f42e2af2ddc35f442ffd9 |
| user_id    | 19a358fd76014727bf0e5ef5b174c567 |
+------------+----------------------------------+
This article comes from the blog “朴实的追梦者”; please keep this attribution: http://sfzhang88.blog.51cto.com/4995876/1690409
Installing and deploying the basic environment and the Identity service on the OpenStack controller node
Original URL: http://sfzhang88.blog.51cto.com/4995876/1690409