Openstack Newton Install Guide - Keystone
Install and Configure
MySQL database configuration
$ mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
Keystone installation and configuration
1. Install keystone
# apt install keystone
2. Edit the /etc/keystone/keystone.conf file and complete the following actions:
In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@mysqlserver-ip/keystone
In the [token] section, configure the Fernet token provider:
[token]
...
provider = fernet
3. Initialize the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
4. Initialize Fernet key repositories:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5. Bootstrap the Identity service:
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:35357/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
Configure the Apache HTTP server
Edit the /etc/apache2/apache2.conf file and configure the ServerName option to reference the controller node:
ServerName controller
Restart the Apache service and remove the default SQLite database:
# service apache2 restart
# rm -f /var/lib/keystone/keystone.db
Configure the administrative account
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://192.168.20.180:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Create a domain, projects, users, and roles
Create the service project:
$ openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
Create the demo project:
$ openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
Create the demo user:
$ openstack user create --domain default \
  --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | demo |
| password_expires_at | None |
+---------------------+----------------------------------+
Create the user role:
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
Add the user role to the demo project and user:
$ openstack role add --project demo --user demo user
Note: This command provides no output.
You can repeat this procedure to create additional projects and users.
Verify operation
1. Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.
2. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:
$ unset OS_AUTH_URL OS_PASSWORD
3. As the admin user, request an authentication token:
$ openstack --os-auth-url http://192.168.20.180:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
4. As the demo user, request an authentication token:
$ openstack --os-auth-url http://192.168.20.180:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
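A check for the keystone-paste.ini edit in this section, as an added example that is not part of the original guide: it lists every one of the three pipeline sections whose pipeline line still names admin_token_auth. The function name and the abbreviated sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide). Prints one section name per line.
# Returns 0 if all three pipelines are clean, 1 if admin_token_auth is
# still referenced, 2 if the file cannot be read.
pipelines_with_admin_token() {
    ini="$1"
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 2; }
    awk '
        /^[ \t]*[#;]/ { next }              # ignore commented-out lines
        /^[ \t]*\[/ {                       # section header: remember its name
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        section ~ /^pipeline:(public_api|admin_api|api_v3)$/ &&
        /^[ \t]*pipeline[ \t]*=/ {
            # compare whole filter names so similar names do not match
            n = split($0, words, /[ \t=]+/)
            for (i = 1; i <= n; i++)
                if (words[i] == "admin_token_auth") {
                    print section
                    found = 1
                    break
                }
        }
        END { exit (found ? 1 : 0) }
    ' "$ini"
}

# Constructed, abbreviated sample: admin_api has not been edited yet.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit token_auth json_body public_service
[pipeline:admin_api]
pipeline = cors sizelimit admin_token_auth token_auth json_body admin_service
[pipeline:api_v3]
# pipeline = cors sizelimit admin_token_auth token_auth json_body service_v3
pipeline = cors sizelimit token_auth json_body service_v3
EOF
pipelines_with_admin_token "$sample" || echo "admin_token_auth still present in the sections listed above"
rm -f "$sample"
```

On a real node, pass /etc/keystone/keystone-paste.ini as the argument; after any further edit, restart Apache as shown earlier in the guide.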
Create OpenStack client environment scripts
Create client environment scripts for the admin and demo projects and users. Future portions of this guide reference these scripts to load appropriate credentials for client operations.
1. Edit the admin-openrc.sh file and add the following content:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://192.168.20.180:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
2. Edit the demo-openrc file and add the following content:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Using the script
1. Load the admin-openrc file to populate environment variables with the location of the Identity service and the admin project and user credentials:
$ source admin-openrc.sh
2. Request an authentication token:
$ openstack token issue
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
3. Verify the service:
root@server01:~# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 5bda189156494f4ca4a9c0a2e4fbe8f8 | demo |
| e0fca99beba84e6bb9fe1e81647fe9df | admin |
+----------------------------------+-------+
root@server01:~# openstack catalog list
+----------+----------+---------------------------------------------+
| Name | Type | Endpoints |
+----------+----------+---------------------------------------------+
| keystone | identity | RegionOne |
| | | public: http://192.168.20.180:5000/v3/ |
| | | RegionOne |
| | | admin: http://192.168.20.180:35357/v3/ |
| | | RegionOne |
| | | internal: http://192.168.20.180:35357/v3/ |
| | | |
+----------+----------+---------------------------------------------+
root@server01:~#