注意要按顺序搭建服务:本文在《CentOS 7 安装 OpenStack Rocky 版本 - 环境搭建》的基础上安装服务。

Identity service - 身份认证服务(Keystone)

控制节点 安装

数据库配置

连接数据库

# Open an interactive MariaDB client session as root. A bare --password
# (no value) makes the client prompt, so the password stays out of the
# command line and the shell history.
# The tutorial uses mariadb-123456 as the root password: a sample value,
# to be replaced with a strong one on any real deployment.
mysql --user=root --password

数据库操作

-- Create the database that will hold the Identity service's data.
CREATE DATABASE keystone;

-- Create the keystone account with password mariadb-keystone and grant it
-- full rights on the keystone schema only.
-- mariadb-keystone is the tutorial's sample password. The same value appears
-- in the connection string in /etc/keystone/keystone.conf, so change both
-- together.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'mariadb-keystone';
-- NOTE(review): the '%' host pattern accepts this account from any address.
-- Outside a lab, narrow it to the controller or management network and keep
-- the database port unreachable from other networks.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'mariadb-keystone';

-- Leave the client once the grants are in place.
exit

安装配置 Keystone

部署 Fernet 令牌和 Apache HTTP 服务器来处理请求

# Install Keystone together with Apache httpd and mod_wsgi.
yum install openstack-keystone httpd mod_wsgi -y

# Edit the Keystone configuration file.
vim /etc/keystone/keystone.conf
# Settings to change:
# [database]
# connection = mysql+pymysql://keystone:mariadb-keystone@controller/keystone
# [token]
# provider = fernet
# NOTE(review): the connection string holds the database password in clear
# text, so keystone.conf should stay readable only by root and the keystone
# group. mariadb-keystone is the tutorial's sample value.

# Populate the Identity database; db_sync is run as the keystone user.
su -s /bin/sh -c "keystone-manage db_sync" keystone

# Initialise the Fernet key repositories, owned by keystone:keystone.
# Whoever can read these keys can forge or decrypt tokens, so keep them off
# shared storage and out of backups that other users can read.
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# Bootstrap the Identity service: sets the admin user's password to
# admin-123456 and creates the default domain.
# NOTE(review): a password given as an argument is visible in the process
# list and lands in shell history. keystone-manage bootstrap also reads
# OS_BOOTSTRAP_PASSWORD from the environment when the option is omitted.
# admin-123456 is a sample value.
# NOTE(review): all three endpoints are registered as http://, so passwords
# and tokens cross the network unencrypted. That is acceptable on an isolated
# lab network; put TLS in front of the API anywhere else.
keystone-manage bootstrap --bootstrap-password admin-123456 \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne

配置 Apache HTTP 服务器

# Edit the main Apache configuration file.
vim /etc/httpd/conf/httpd.conf
# Setting to change:
# ServerName controller

# Link the packaged Keystone WSGI configuration into Apache's conf.d directory.
# NOTE(review): the endpoints registered at bootstrap use http://, so this
# configuration presumably serves port 5000 without TLS — confirm, and
# terminate TLS here or at a proxy for anything beyond a lab.
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# Enable httpd at boot and start it now.
systemctl enable httpd.service
systemctl start httpd.service

创建域、项目、用户、角色

设置管理员账户(环境变量)

  • admin-123456 为初始化服务 keystone-manage bootstrap --bootstrap-password 设置的密码
# Temporary admin credentials for the openstack client in this shell session.
# OS_PASSWORD is the value passed to
# `keystone-manage bootstrap --bootstrap-password`.
# Exported variables are inherited by every child process, and a literal
# password typed here ends up in shell history. The verification step later
# on this page unsets OS_PASSWORD again; admin-123456 is a sample value.
OS_AUTH_URL=http://controller:5000/v3
OS_IDENTITY_API_VERSION=3
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=admin-123456
export OS_AUTH_URL OS_IDENTITY_API_VERSION \
  OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME \
  OS_PROJECT_NAME OS_USERNAME OS_PASSWORD

创建 service 项目

  • 后续镜像服务(glance)需要使用
# Create an additional domain (optional).
openstack domain create --description "An Example Domain" example

# Create the "service" project in the default domain.
openstack project create --domain default --description "Service Project" service
# Sample output; the id is generated per deployment and will differ.
# +-------------+----------------------------------+
# | Field | Value |
# +-------------+----------------------------------+
# | description | Service Project |
# | domain_id | default |
# | enabled | True |
# | id | 8e603ba982e24d2db83643aeba8597b4 |
# | is_domain | False |
# | name | service |
# | parent_id | default |
# | tags | [] |
# +-------------+----------------------------------+

创建项目、用户、角色,并将项目和用户添加到角色中

  • 项目:Demo Project
  • 用户:myuser
    • 密码:myuser-123456
  • 角色:myrole
# Create the unprivileged demo project in the default domain.
openstack project create --domain default --description "Demo Project" myproject
# Sample output; ids are generated per deployment and will differ.
# +-------------+----------------------------------+
# | Field | Value |
# +-------------+----------------------------------+
# | description | Demo Project |
# | domain_id | default |
# | enabled | True |
# | id | eb296de9a0e64b2a9243ad58f0805746 |
# | is_domain | False |
# | name | myproject |
# | parent_id | default |
# | tags | [] |
# +-------------+----------------------------------+


# Create the user. --password-prompt asks for the password interactively,
# which keeps it out of the command line and shell history.
# The tutorial enters myuser-123456, a sample value.
openstack user create --domain default --password-prompt myuser
# User Password:
# Repeat User Password:
# +---------------------+----------------------------------+
# | Field | Value |
# +---------------------+----------------------------------+
# | domain_id | default |
# | enabled | True |
# | id | 457b0cd7b50d454494d2b68f72aaebf8 |
# | name | myuser |
# | options | {} |
# | password_expires_at | None |
# +---------------------+----------------------------------+


# Create the role.
openstack role create myrole
# +-----------+----------------------------------+
# | Field | Value |
# +-----------+----------------------------------+
# | domain_id | None |
# | id | 4cff0db2cd9743f1b50c9ef8b125103c |
# | name | myrole |
# +-----------+----------------------------------+


# Grant myrole to myuser on myproject.
openstack role add --project myproject --user myuser myrole
# (no output)

验证

使用不同的域、项目、用户、角色请求令牌

# Drop the temporary OS_AUTH_URL and OS_PASSWORD variables. With OS_PASSWORD
# unset, the client prompts for the password in the requests below.
unset OS_AUTH_URL OS_PASSWORD

# Request a token as admin; the client prompts for the password.
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
# Sample output. The id field is a bearer token: whoever holds it can act as
# the user until the "expires" time, so redact it from logs and shared
# transcripts. The sample below expired in 2020.
# Password:
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# | Field | Value
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# | expires | 2020-12-25T17:59:23+0000
# | id | gAAAAABf5hprN5grkK1anaezLn-_kZ_nSBzB5V73tpn6oDkzDcAyryU8c5VLTiMr1UKxyPQiGRJVIYPQtmHb58YnvvLsv8lMt4T-BzYM_P-1PfjAj52f1M6Ibj-yZtis2z0InsmiKTSADCzfbF-CutziZWvrHm8TLSNpcLtSrBoHJsuNr5MsebA |
# | project_id | 052158381fee46e693571c9dfb6ae3f5
# | user_id | cbc9ecb65ddf4ce6833d419ec74abfbf
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


# Request a token as myuser; the client prompts for the password.
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue
# Sample output. The project_id and user_id match the ids returned when
# myproject and myuser were created.
# Password:
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# | Field | Value
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# | expires | 2020-12-25T17:59:55+0000
# | id | gAAAAABf5hqL_eKbQvjSV54hOpm1tTv2zP9P9ycBI9OvpHpMvbMAxI39q0Dt3EiFAcy5td26OK6mIALHdcIlrYLAjSCByBVjTg5c_OpcYkgH5ZtLEes_UAVgVB6P_1h58GdcqeclgrPtMPLrsXXOial8u7VI9lo56a9AjOXGc9UlfQ2FZ0BgjUo |
# | project_id | eb296de9a0e64b2a9243ad58f0805746
# | user_id | 457b0cd7b50d454494d2b68f72aaebf8
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

创建环境脚本

创建脚本 admin-openrc

  • 使用 admin 用户密码
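# Write admin-openrc, the client environment file for the admin user.
# The file stores the admin password in clear text, so it is created under
# umask 077 and then forced to mode 600 (owner read/write only) in case an
# older, more permissive copy already existed.
# '>' replaces the file instead of appending, so re-running this step does
# not stack duplicate copies of the settings.
# The quoted 'EOF' delimiter keeps the body literal (no expansion).
# admin-123456 is the tutorial's sample password, as set by
# keystone-manage bootstrap. To avoid storing it at all, drop the OS_PASSWORD
# line; the client then prompts for the password, as in the verification step.
(
  umask 077
  cat > admin-openrc <<'EOF'
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin-123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
)
chmod 600 admin-openrc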

创建脚本 demo-openrc

  • 使用 myuser 用户密码
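# Write demo-openrc, the client environment file for the myuser account.
# The file stores the user's password in clear text, so it is created under
# umask 077 and then forced to mode 600 (owner read/write only) in case an
# older, more permissive copy already existed.
# '>' replaces the file instead of appending, so re-running this step does
# not stack duplicate copies of the settings.
# The quoted 'EOF' delimiter keeps the body literal (no expansion).
# myuser-123456 is the tutorial's sample password for myuser. To avoid
# storing it at all, drop the OS_PASSWORD line; the client then prompts for
# the password, as in the verification step.
(
  umask 077
  cat > demo-openrc <<'EOF'
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser-123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
)
chmod 600 demo-openrc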

使用脚本加载环境变量,然后请求认证令牌

# Load the admin environment variables into the current shell.
# Sourcing runs the file as shell code, so only source a copy you created
# yourself and that other users cannot write to.
. admin-openrc

# Request a token using the credentials loaded from the file (no prompt).
openstack token issue
# Sample output. The id field is a bearer token; redact it from logs and
# shared transcripts. The sample below expired in 2020.
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# | Field | Value
# |
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# | expires | 2020-12-25T18:01:13+0000
# |
# | id | gAAAAABf5hrZ1D8mlkWfH5L4su-y5TClvoAuUbxKLWBajMjxGDW-bq75Rw1yLW9GVP0EuFJ2GZ3EBNJCK1uRaolQblDKTR0YY-3v03YsWR6BwMfRQqTN2jMqlxtXJ6ZrZM8vAsu6D2LSSGJ4u62p-99mH7W3oOeXBZJQVeoBH10_Nsb4QeSGWKY |
# | project_id | 052158381fee46e693571c9dfb6ae3f5
# |
# | user_id | cbc9ecb65ddf4ce6833d419ec74abfbf
# |
# +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+