4 OpenStack Ussuri Keystone Cluster Deployment on CentOS 8


Keystone's main functions are: 1 managing users and their permissions; 2 maintaining the endpoints of the OpenStack services; 3 authentication and authorization.

4.1 Configure the Keystone database

#Create the database on any one controller node; the database cluster replicates it to the other nodes automatically. controller160 is used as the example. #Log in to the database as root:

mysql -u root -p

#Create the keystone database:

CREATE DATABASE keystone;

#Grant the keystone account access to the keystone database, then flush privileges and exit. The 'keystone'@'%' grant accepts this account from any host; on a production cluster, limit it to the controllers' addresses. keystone.123 is the example password that is reused in keystone.conf below:

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone.123';
flush privileges;
exit

4.2 Install and configure Keystone - ALL controller nodes

#Install the packages. #If the API is to be served over HTTPS, also install mod_ssl.

yum install openstack-keystone httpd python3-mod_wsgi -y

#Back up the Keystone configuration file, then regenerate the working copy without comments and blank lines:

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
egrep -v "^$|^#" /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf

#Edit the Keystone configuration file and add the following keys under the corresponding sections. controller168 is the VIP hostname, so the database connection goes through the load balancer like the API endpoints do. #vim /etc/keystone/keystone.conf

[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller160:11211,controller161:11211,controller162:11211
[database]
connection = mysql+pymysql://keystone:keystone.123@controller168/keystone
[token]
provider = fernet
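The same five settings applied by script rather than by editing the file on each controller, as an added example that is not part of the original post. The setter is a dependency-free stand-in for crudini/openstack-config; the VIP hostname, database password and memcache list are the page's values passed in as arguments, and the guard variable APPLY_KEYSTONE_CONF is an assumption of this example. It assumes bash with GNU awk and coreutils, as on CentOS 8.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): apply the keystone.conf
# settings above with an idempotent INI setter instead of hand-editing the
# file on every controller. Hostnames, password and memcache list are the
# page's example values and are passed in as arguments.
set -euo pipefail

# ini_set FILE SECTION KEY VALUE
# Replace KEY in [SECTION] if present, otherwise append it to the section;
# create the section at the end of the file if it does not exist yet.
# Re-running it never produces duplicate keys (oslo.config would otherwise
# silently take the last one). VALUE must not contain backslashes, because
# awk -v interprets escape sequences.
ini_set() {
  local file=$1 section=$2 key=$3 value=$4 tmp
  tmp=$(mktemp)
  awk -v s="$section" -v k="$key" -v v="$value" '
    function emit() { print k " = " v; done_kv = 1 }
    /^\[.*\]$/ {
      if (in_sec && !done_kv) emit()        # leaving the section: add the missing key
      in_sec = ($0 == "[" s "]")
      if (in_sec) found_sec = 1
      print; next
    }
    in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
      if (!done_kv) emit()                   # first occurrence: replace it
      next                                   # later duplicates: drop them
    }
    { print }
    END {
      if (!found_sec) print "[" s "]"
      if (!done_kv) emit()
    }' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through the existing inode so owner and mode are kept
  rm -f "$tmp"
}

# ini_get FILE SECTION KEY: print the value, or nothing if the key is absent.
ini_get() {
  awk -v s="$2" -v k="$3" '
    /^\[.*\]$/ { in_sec = ($0 == "[" s "]"); next }
    in_sec && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# apply_keystone_conf FILE VIP_HOST DB_PASSWORD MEMCACHE_SERVERS
# The five settings from the page, in the same sections.
apply_keystone_conf() {
  local f=$1 vip=$2 dbpass=$3 memcache=$4
  ini_set "$f" cache    backend          oslo_cache.memcache_pool
  ini_set "$f" cache    enabled          true
  ini_set "$f" cache    memcache_servers "$memcache"
  ini_set "$f" database connection       "mysql+pymysql://keystone:${dbpass}@${vip}/keystone"
  ini_set "$f" token    provider         fernet
}

# On a controller, with APPLY_KEYSTONE_CONF=1 in the environment, apply the
# page's values to the live file; anywhere else the example stays inert.
if [ "${APPLY_KEYSTONE_CONF:-0}" = 1 ] && [ -w /etc/keystone/keystone.conf ]; then
  apply_keystone_conf /etc/keystone/keystone.conf controller168 keystone.123 \
    controller160:11211,controller161:11211,controller162:11211
fi
```

Because the [database] connection string carries the database password, keystone.conf must keep the package's root:keystone 0640 ownership and mode; writing the result through the existing inode (cat into the file rather than mv over it) is what preserves them.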

#Populate the Keystone database and initialise the Fernet and credential key repositories. Run these once only, on controller160 (the keys are copied to the other controllers below); no error output means success.

su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

#Verify that db_sync created the tables in the keystone database:

mysql -h controller160 -ukeystone -pkeystone.123 -e "use keystone;show tables;"

#Synchronise the Fernet and credential keys. Keystone signs and validates tokens with the Fernet keys, so every controller must hold exactly the same key set; a node with different keys rejects tokens issued by its peers.

# Copy the keys from controller160 to controller161/162
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.16.1.161:/etc/keystone/
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.16.1.162:/etc/keystone/

# After copying, fix the ownership of the keys on controller161/162 (scp created them as root):
[root@controller161 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller161 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R

[root@controller162 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller162 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
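A check to run on each controller after the scp, and after every later `keystone-manage fernet_rotate` (which likewise has to run on one node and be redistributed), as an added example that is not from the original post: it fingerprints the key directories so the nodes can be compared, and verifies the ownership and modes that keystone-manage set. It assumes GNU coreutils and findutils (stat -c, sort -z, xargs -r), as on CentOS 8.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): after copying the key
# directories, confirm on every controller that the Fernet and credential
# key sets are identical and carry the permissions keystone-manage
# fernet_setup/credential_setup create (dir 0700, files 0600, owner keystone).
set -euo pipefail

# keydir_fingerprint DIR
# One sha256 over the names and contents of all regular files in DIR.
# Two nodes print the same value only if they hold exactly the same keys
# under the same names (0 is the staged key, the highest index the primary).
keydir_fingerprint() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) \
    | sha256sum | awk '{ print $1 }'
}

# keydir_check DIR OWNER
# Return 0 when DIR is mode 700 owned by OWNER, every file in it is mode 600
# owned by OWNER, and at least one key is present. Problems go to stderr.
keydir_check() {
  local dir=$1 owner=$2 rc=0 n=0 f st
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
  st=$(stat -c '%a %U' "$dir")
  [ "$st" = "700 $owner" ] || { echo "$dir: expected 700 $owner, got $st" >&2; rc=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    n=$((n + 1))
    st=$(stat -c '%a %U' "$f")
    [ "$st" = "600 $owner" ] || { echo "$f: expected 600 $owner, got $st" >&2; rc=1; }
  done
  [ "$n" -gt 0 ] || { echo "$dir: no keys found" >&2; rc=1; }
  return $rc
}

# On a controller: check the live repositories and print their fingerprints
# (compare the printed hashes across controller160/161/162).
for d in /etc/keystone/fernet-keys /etc/keystone/credential-keys; do
  if [ -d "$d" ]; then
    keydir_check "$d" keystone && echo "$(keydir_fingerprint "$d")  $d"
  fi
done
```

The fingerprint covers file names as well as contents, so a node where a rotation added key 2 while the others still stop at key 1 shows up as a mismatch even though the older keys are identical.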

#Bootstrap the Identity service; the admin password is set to admin.123 here. Run it once, on controller160. #Note: the three endpoint URLs use the VIP hostname (controller168), not a node name, so clients always reach Keystone through the load balancer.

keystone-manage bootstrap --bootstrap-password admin.123 \
  --bootstrap-admin-url http://controller168:5000/v3/ \
  --bootstrap-internal-url http://controller168:5000/v3/ \
  --bootstrap-public-url http://controller168:5000/v3/ \
  --bootstrap-region-id RegionOne

4.3 Configure the HTTP server

#Apply on all controller nodes; controller160 is shown as the example:

[root@controller160 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller160 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf

#Note: each node binds to its own IP address. httpd must not listen on the wildcard address, because haproxy already holds port 5000 on the VIP (see eg2 in 4.x below).

[root@controller160 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.160:80/g" /etc/httpd/conf/httpd.conf

[root@controller161 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.161:80/g" /etc/httpd/conf/httpd.conf

[root@controller162 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.162:80/g" /etc/httpd/conf/httpd.conf

#On all controller nodes, link the packaged Keystone WSGI vhost into httpd:

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

#On all controller nodes; controller160 is shown as the example:

systemctl enable httpd.service
systemctl restart httpd.service
[root@controller160 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-18 11:06:37 CST; 25s ago
     Docs: man:httpd.service(8)
 Main PID: 195414 (httpd)
   Status: "Total requests: 10; Idle/Busy workers 99/1;Requests/sec: 0.526; Bytes served/sec: 133 B/sec"
    Tasks: 298 (limit: 11490)
   Memory: 271.7M
   CGroup: /system.slice/httpd.service
           ├─195414 /usr/sbin/httpd -DFOREGROUND
           ├─195415 /usr/sbin/httpd -DFOREGROUND
           ├─195416 (wsgi:keystone- -DFOREGROUND
           ├─195417 (wsgi:keystone- -DFOREGROUND
           ├─195418 (wsgi:keystone- -DFOREGROUND
           ├─195419 (wsgi:keystone- -DFOREGROUND
           ├─195420 (wsgi:keystone- -DFOREGROUND
           ├─195421 /usr/sbin/httpd -DFOREGROUND
           ├─195422 /usr/sbin/httpd -DFOREGROUND
           ├─195423 /usr/sbin/httpd -DFOREGROUND
           └─195652 /usr/sbin/httpd -DFOREGROUND

Jun 18 11:06:37 controller160 systemd[1]: Starting The Apache HTTP Server...
Jun 18 11:06:37 controller160 systemd[1]: Started The Apache HTTP Server.
Jun 18 11:06:37 controller160 httpd[195414]: Server configured, listening on: 172.16.1.160 port 5000, 172.16.1.160 port 80

4.4 Configure environment variables

#Create the environment file. OS_PASSWORD is the admin password set during bootstrap above; because the file holds a cleartext credential, keep it readable only by root. #vim adminrc.sh

export OS_USERNAME=admin
export OS_PASSWORD=admin.123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller168:5000/v3
export OS_IDENTITY_API_VERSION=3

#Script to unset the variables again #vim unsetadminrc.sh

unset OS_USERNAME
unset OS_PASSWORD
unset OS_PROJECT_NAME
unset OS_USER_DOMAIN_NAME
unset OS_PROJECT_DOMAIN_NAME
unset OS_AUTH_URL
unset OS_IDENTITY_API_VERSION

#Check that the credentials work #openstack token issue can be used as well

[root@controller160 ~]# source adminrc.sh
[root@controller160 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+

#Distribute the scripts to the other controller nodes:

[root@controller160 ~]# scp adminrc.sh unsetadminrc.sh root@172.16.1.161:~/
[root@controller160 ~]# scp adminrc.sh unsetadminrc.sh root@172.16.1.162:~/

4.6 Create domains, projects, users and roles

The Identity service provides authentication for every OpenStack service, using a combination of domains, projects, users and roles.

#The default domain already exists from the keystone-manage bootstrap step. A new domain is created like this:

openstack domain create --description "An Example Domain" example

#Normal output after the command completes:

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 70eb130ba9534e07ba908bc3d3761525 |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

#Create the service project (the service accounts of the other OpenStack components will be created in it):

openstack project create --domain default --description "Service Project" service

#Output:

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1121de199979451ca8f72843b1e20822 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

#Create the user role (admin, member and reader were already created by bootstrap, as the role list below shows):

openstack role create user

#Output

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 0c19dad2f68b4c99a4e7b0af9dcc7367 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+

#List the roles

openstack role list

#Output

+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 0c19dad2f68b4c99a4e7b0af9dcc7367 | user   |
| 7bd349df1d734817b41cf1d25fc921c4 | reader |
| c5e6b6b811d84a75bdcc0997f5f76eeb | admin  |
| def5070f95f04b65b3d425cdd6adf4e3 | member |
+----------------------------------+--------+

#Review the users, roles and role assignments

[root@controller160 ~]# openstack user list
[root@controller160 ~]# openstack role list
[root@controller160 ~]# openstack role assignment list
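An audit over the output of `openstack role assignment list --names -f csv`, as an added example that is not from the original post: it flags every admin-role grant whose holder is not on an allow-list, which right after bootstrap should be just the admin user (on the admin project and on the system scope). The column order and the name@domain rendering are assumed from the CSV formatter; the rows in SAMPLE_ASSIGNMENTS are constructed for the example, not captured from a real cloud.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit the CSV output of
# `openstack role assignment list --names -f csv` for admin-role grants that
# are not on an explicit allow-list. Assumptions: the columns are
# Role,User,Group,Project,Domain,System,Inherited and --names renders
# principals as name@domain. The sample rows below are constructed.
set -euo pipefail

# unexpected_admin_assignments ALLOWED_USERS < csv
# ALLOWED_USERS is a comma-separated list of user@domain names. Prints one
# line per admin grant to anyone else (a user not on the list, or any group)
# and returns 1 if at least one was found, 0 otherwise.
unexpected_admin_assignments() {
  awk -F'","' -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                              # header row
    {
      gsub(/^"/, "", $1); gsub(/"$/, "", $NF)     # strip the outer quotes
      role = $1; user = $2; group = $3; project = $4; domain = $5; sys = $6
      if (role != "admin") next
      if (user != "" && (user in ok)) next
      who = (user != "") ? ("user " user) : ("group " group)
      if (sys != "")          scope = "system " sys
      else if (project != "") scope = "project " project
      else                    scope = "domain " domain
      printf "admin granted to %s on %s\n", who, scope
      bad++
    }
    END { exit (bad > 0) }'
}

# Constructed sample: the bootstrap admin plus two grants an auditor should question.
SAMPLE_ASSIGNMENTS='"Role","User","Group","Project","Domain","System","Inherited"
"admin","admin@Default","","admin@Default","","","False"
"admin","admin@Default","","","","all","False"
"member","demo@Default","","demo@Default","","","False"
"admin","bob@Default","","","","all","False"
"admin","","ops@Default","service@Default","","","False"'

# audit_sample: run the audit over the constructed sample and print the findings.
audit_sample() {
  printf '%s\n' "$SAMPLE_ASSIGNMENTS" | unexpected_admin_assignments "admin@Default"
}
```

Against the live cloud, after sourcing adminrc.sh, pipe `openstack role assignment list --names -f csv` into unexpected_admin_assignments with your allow-list; a non-zero exit status means there is an admin grant to review. System-scoped admin (the "all" rows) is the one to watch most closely, since it is not confined to any project.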

4.7 Add the pcs resource

#Run on any one controller node. #Add the resource openstack-keystone-clone. #pcs does not start Keystone directly: the resource it manages is the httpd systemd unit on each node, which serves the Keystone WSGI application.

[root@controller160 ~]# pcs resource create openstack-keystone systemd:httpd clone interleave=true
[root@controller160 ~]# pcs resource
  * vip	(ocf::heartbeat:IPaddr2):	Started controller160
  * Clone Set: lb-haproxy-clone [lb-haproxy]:
    * Started: [ controller160 ]
    * Stopped: [ controller161 controller162 ]
  * Clone Set: openstack-keystone-clone [openstack-keystone]:
    * Started: [ controller160 controller161 controller162 ]

That completes the Keystone cluster deployment. If you find a problem, please contact me so I can correct it; many thanks!

4.x Problems encountered during deployment

eg1.[root@controller160 ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Last metadata expiration check: 1:51:25 ago on Thu 18 Jun 2020 08:05:13 AM CST.
Error:
 Problem 1: conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
 Problem 2: package python3-mod_wsgi-4.6.4-4.el8.x86_64 requires httpd-mmn = 20120211x8664, but none of the providers can be installed
  - conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
Solution: download the missing package manually and install it. Verify the signature of any rpm fetched by hand (rpm -K) before installing it.
[root@controller160 ~]# rpm -ivh centos-logos-httpd-80.5-2.el8.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:centos-logos-httpd-80.5-2.el8    ################################# [100%]
eg2.Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:5000
Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Solution:
vim /usr/share/keystone/wsgi-keystone.conf
Change Listen 5000 to Listen 172.16.1.160:5000 (each node uses its own address, as in 4.3). The cause is that haproxy already holds port 5000 on the VIP, so httpd cannot take the wildcard bind on 0.0.0.0 and [::]. Note that /usr/share/keystone/wsgi-keystone.conf belongs to the openstack-keystone package and is replaced on update; copying it to /etc/httpd/conf.d/ instead of the symlink from 4.3, and editing the copy, keeps the change.
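Binding httpd to the node address for both httpd.conf (4.3) and the Keystone vhost (eg2), as an added example that is not from the original post. bind_listen rewrites wildcard Listen directives idempotently and listen_is_bound verifies that none remain; NODE_IP is a variable introduced by this example. It assumes GNU sed and grep, and that wsgi-keystone.conf has been copied into /etc/httpd/conf.d/ rather than symlinked (the packaged file under /usr/share is overwritten on update, and GNU sed -i would replace a symlink with a regular file anyway).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): bind every Listen directive in
# an httpd configuration to the node's own address and verify that none is
# left on the wildcard. Port 5000 on the VIP belongs to haproxy, and a
# wildcard bind (0.0.0.0 / [::]) collides with it, which is the
# "Address already in use" error in eg2; binding to the node address is
# what lets httpd and haproxy coexist on the same port.
set -euo pipefail

# bind_listen FILE IP
# Rewrite `Listen <port>`, `Listen 0.0.0.0:<port>` and `Listen [::]:<port>`
# to `Listen IP:<port>`. Directives already bound to an address are left
# untouched, so running it again (or on an already-fixed file) is a no-op.
bind_listen() {
  local file=$1 ip=$2
  sed -E -i \
    "s/^([[:space:]]*Listen[[:space:]]+)(0\.0\.0\.0:|\[::\]:)?([0-9]+)[[:space:]]*$/\1${ip}:\3/" \
    "$file"
}

# listen_is_bound FILE...
# Succeed only if no Listen directive in the given files is still a
# wildcard; offending lines are printed with file name and line number.
listen_is_bound() {
  local f
  for f in "$@"; do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
  done
  ! grep -E -n '^[[:space:]]*Listen[[:space:]]+(0\.0\.0\.0:|\[::\]:)?[0-9]+[[:space:]]*$' "$@"
}

# On a controller, with NODE_IP set to this node's own address (never the
# VIP): fix httpd.conf and the Keystone vhost, then verify all vhosts.
if [ -n "${NODE_IP:-}" ] && [ -d /etc/httpd/conf.d ]; then
  bind_listen /etc/httpd/conf/httpd.conf "$NODE_IP"
  bind_listen /etc/httpd/conf.d/wsgi-keystone.conf "$NODE_IP"
  listen_is_bound /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
fi
```

Run listen_is_bound before restarting httpd on each node; the httpd journal line in 4.3 ("listening on: 172.16.1.160 port 5000, 172.16.1.160 port 80") is what a correctly bound node reports afterwards.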