Install on all controller nodes:
# yum install openstack-keystone httpd mod_wsgi
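Edit the /etc/keystone/keystone.conf file and complete the following actions:
# vim /etc/keystone/keystone.conf
In the [database] section, configure database access: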
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
In the [token] section, configure the Fernet token provider:
[token]
provider = fernet
Populate the Identity service database and initialize the key repositories:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Copy every file under fernet-keys on controller1 to controller2 and controller3, overwriting what is there:
[root@controller1 keystone]# scp -r fernet-keys controller2:/etc/keystone/
[root@controller1 keystone]# scp -r fernet-keys controller3:/etc/keystone/
Fix the ownership on all nodes (run from /etc/keystone):
chown -R keystone:keystone fernet-keys/
Then restart the httpd service:
systemctl restart httpd
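All three controllers must hold the same Fernet keys, otherwise a token issued by one node fails validation when a later request reaches another node. The following check is an added example, not part of the original post: the function names are hypothetical, the key files are constructed stand-ins, and it assumes GNU find and sha256sum.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): confirm that the Fernet key
# repositories on all controllers are identical and closed to other users.

# One digest over every key file name and its contents (never prints a key).
repo_digest() {
    ( cd "$1" && find . -maxdepth 1 -type f | LC_ALL=C sort |
      while read -r f; do
          printf '%s %s\n' "$f" "$(sha256sum < "$f" | cut -d' ' -f1)"
      done ) | sha256sum | cut -d' ' -f1
}

# Succeeds only if the directory and its keys grant nothing to group/other.
repo_is_private() {
    [ -z "$(find "$1" -maxdepth 1 -perm /077 | head -n 1)" ]
}

# Compare every repository with the first; report each problem found.
compare_repos() {
    local ref d rc=0
    ref=$(repo_digest "$1")
    for d in "$@"; do
        [ "$(repo_digest "$d")" = "$ref" ] || { echo "MISMATCH $d"; rc=1; }
        repo_is_private "$d" || { echo "LOOSE-PERMS $d"; rc=1; }
    done
    return "$rc"
}

# Constructed stand-ins for /etc/keystone/fernet-keys on three controllers.
# controller3 holds a different key 1, as if it had missed the scp step.
demo() {
    local t n
    t=$(mktemp -d)
    for n in controller1 controller2 controller3; do
        mkdir -m 700 "$t/$n"
        printf 'constructed-staged-key'  > "$t/$n/0"
        printf 'constructed-primary-key' > "$t/$n/1"
        chmod 600 "$t/$n/0" "$t/$n/1"
    done
    printf 'constructed-other-key' > "$t/controller3/1"
    compare_repos "$t/controller1" "$t/controller2" "$t/controller3"
    n=$?
    rm -rf "$t"
    return "$n"
}
```

On a real deployment, run repo_digest /etc/keystone/fernet-keys on each controller and compare the three values; repeat the check after every key rotation.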
Add the two HTTP ports that httpd now serves, 35357 and 5000, to haproxy:
vim /etc/haproxy/haproxy.cfg
listen keystone_public_internal_cluster
    mode http
    bind 192.168.16.10:5000
    balance source
    server controller1 192.168.16.11:5000 check inter 2000 rise 3 fall 3
    server controller2 192.168.16.12:5000 check inter 2000 rise 3 fall 3
    server controller3 192.168.16.13:5000 check inter 2000 rise 3 fall 3
listen keystone_admin_cluster
    mode http
    bind 192.168.16.10:35357
    balance source # The Identity service must use source-address-based balancing, because the authentication information is filled in locally.
    server controller1 192.168.16.11:35357 check inter 2000 rise 3 fall 3
    server controller2 192.168.16.12:35357 check inter 2000 rise 3 fall 3
    server controller3 192.168.16.13:35357 check inter 2000 rise 3 fall 3
Copy controller1's haproxy.cfg to controller2 and controller3, then restart haproxy on every node:
[root@controller1 ~]# scp /etc/haproxy/haproxy.cfg root@controller2:/etc/haproxy/haproxy.cfg
[root@controller1 ~]# scp /etc/haproxy/haproxy.cfg root@controller3:/etc/haproxy/haproxy.cfg
[root@controller1 ~]# systemctl restart haproxy
[root@controller2 ~]# systemctl restart haproxy
[root@controller3 ~]# systemctl restart haproxy
Bootstrap the Identity service:
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Perform the following on controller1, controller2 and controller3.
Edit the ``/etc/httpd/conf/httpd.conf`` file and set the ``ServerName`` option to reference the controller node:
ServerName controller
Create a link to the ``/usr/share/keystone/wsgi-keystone.conf`` file:
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start the Apache HTTP service and configure it to start when the system boots:
# systemctl enable httpd.service
# systemctl start httpd.service
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
1. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the ``service`` project:
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
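2. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.
Create the ``demo`` project: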
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
Note
Do not repeat this step when creating additional users for this project.
3. Create the ``demo`` user:
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
4. Create the user role:
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
5. Add the user role to the demo user and the demo project:
$ openstack role add --project demo --user demo user
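1. For security reasons, disable the temporary authentication token mechanism:
Edit the /etc/keystone/keystone-paste.ini file and remove ``admin_token_auth`` from the ``[pipeline:public_api]``, ``[pipeline:admin_api]`` and ``[pipeline:api_v3]`` sections.
Do this on controller1, controller2 and controller3.
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD`` environment variables: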
$ unset OS_AUTH_URL OS_PASSWORD
3. As the admin user, request an authentication token:
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
As the ``demo`` user, request an authentication token:
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
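Step 1 above has to be repeated by hand on every controller, so a pipeline that still loads admin_token_auth is easy to miss. The following audit is an added example, not part of the original post: the function names are hypothetical and the sample file is a constructed, shortened stand-in for /etc/keystone/keystone-paste.ini.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find and strip admin_token_auth
# from the [pipeline:*] sections of a keystone-paste.ini style file.

# Print the name of every pipeline section that still loads admin_token_auth.
pipelines_with_admin_token() {
    awk '
        /^\[/ { sect = substr($0, 2, index($0, "]") - 2); next }
        sect ~ /^pipeline:/ && $0 !~ /^[#;]/ &&
        /(^|[^A-Za-z0-9_])admin_token_auth([^A-Za-z0-9_]|$)/ { print sect }
    ' "$1"
}

# Emit a copy of the file with the filter removed from pipeline lines only;
# the [filter:admin_token_auth] definition itself is left untouched.
strip_admin_token() {
    awk '
        /^\[/ { sect = substr($0, 2, index($0, "]") - 2) }
        sect ~ /^pipeline:/ && $0 !~ /^[#;]/ {
            gsub(/[ \t]+admin_token_auth([ \t]+|$)/, " ")
            sub(/[ \t]+$/, "")
        }
        { print }
    ' "$1"
}

# Constructed sample: two pipelines still carry the filter, api_v3 does not.
write_sample() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit admin_token_auth build_auth_context public_service

[pipeline:admin_api]
pipeline = cors sizelimit admin_token_auth build_auth_context admin_service

[pipeline:api_v3]
pipeline = cors sizelimit build_auth_context service_v3
EOF
}
```

An empty result from pipelines_with_admin_token on each controller's keystone-paste.ini confirms the step was applied there; httpd must be restarted for an edited file to take effect.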
1. The admin-openrc script
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
2. The demo-openrc script
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Copy both scripts to controller2 and controller3 in turn.
3. Use the scripts
. admin-openrc
Request an authentication token:
openstack token issue
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
Original article: https://www.cnblogs.com/hanjingzheng/p/9082246.html