OpenStack之keystone

一、什么是OpenStack

   OpenStack是一种云操作系统,它控制着一个数据中心里大量的计算、存储和网络资源。管理员在一个web界面内通过仪表盘方便地管理,控制,授权用户,以提供各种资源。

二、云服务分类

可分为IAAS, PAAS, SAAS等

IAAS:Infrastructure as a Service (操作系统级别,OpenStack, Cloudstack)

PAAS:Platform as a service (web,DB等已部署的应用,面向专业用户,如Docker)

SAAS:Software-as-a-Service (应用面向用户)

FWaas, DBaaS, LBaas, ...

三、OpenStack术语

(1)卷和分布式存储

卷(cinder):提供永久存储;

分布式存储(swift):提供虚拟机模板;

(2)服务和项目对应关系

一个服务名称对应一个项目名称。

重点测试如下项目:

服务                                                  项目

OpenStack Identity Service       --- keystone

OpenStack Image Service         --- glance

OpenStack Compute Service    --- nova

OpenStack Networking Service --- neutron

(3)Openstack项目分工

Compute: 项目Nova,主要职责包括启动、调度VMs; 

Networking:项目Neutron,网络组件,插件化设计,支持众多流行的网络管理插件;

Object Storage: 项目swift;分布式存储;

Block Storage:项目为Cinder,为VMs提供持久的块存储能力;

Identity: 代码为Keystone;为Openstack中的所有服务提供了认证、授权以及端点编录目录;

Image: 项目Glance,用于存储和检索磁盘映像文件;

Dashboard: 项目为Horizon,WebGUI,web管理各项目服务; 

Telemetry: 项目为Ceilometer,用于实现监控和计量服务的实现;

Orachestration: 项目为Heat,用于多项目联动;

Database:项目为Trove,提供DBaaS服务;

Data processing:项目为sahara,在OpenStack中实现Hadoop的管理;   

服务一般有决策者和执行者,各服务信息通过mysql存储。

(4)存储和卷

云环境下硬盘提供方式:文件模拟硬盘、物理磁盘分区;

磁盘映像文件:每次启动磁盘映像文件是从指定存储下载到虚拟机启动节点;每次关闭虚拟机,映像文件会在各节点销毁;

卷是永久存储的一种方式,各节点一般通过iscsi连接;

四、controller node各服务配置总结

安装分两个步骤:

步骤一:预安装

创建数据库、授权-->运行环境变量-->创建管理用户及服务体-->创建API服务端点(public, internal, admin)

步骤二:安装及配置组件:

[database]连接方式-->rabbitmq、keystone认证-->配置支持的特性-->数据库同步-->开机启动及运行服务

 五、实验

我们的实验的目标是搭建一套openstack云操作系统,实验对象为两节点,分别配置controller node和compute node。openstack配置量极大,我们将分几次实验来搭建整套操作系统。这次的实验的目标是在controller node和compute node上配置预安装环境和设置Identity(kestone)服务。

3c396878-4555-442e-a83d-0fe6b4b37c41.png

1. 预安装工作

(1)配置/etc/hosts

192.168.10.11 controller

192.168.10.12 compute1

192.168.10.13 compute2

192.168.10.14 block

(2)配置ntp服务,使用轻量级ntp服务chrony

在controller上配置/etc/chrony.conf

允许内网地址

allow 192.168.10/24

添加开机启动和启动服务

# systemctl enable chronyd

# systemctl start chronyd

在compute上修改server配置

server controller iburst

测试:

[root@controller ~]# chronyc sources

210 Number of sources = 4

MS Name/IP address         Stratum Poll Reach LastRx Last sample

  • ^+ 161.53.131.133                2   6   377    29    +22ms[  +22ms] +/-  233ms

    ^+ ntp2.flashdance.cx            2   6   313    32  +4258us[+4258us] +/-  578ms

    ^+ ntp3.flashdance.cx            2   6   377    31  +1233us[+1233us] +/-  200ms

    ^* ntp2.itcompliance.dk          2   6   377    33   +947us[+4528us] +/-  167ms

    [root@compute ~]# chronyc sources

    210 Number of sources = 1

    MS Name/IP address         Stratum Poll Reach LastRx Last sample

^* controller                    3   6    77    23   +886us[+2718us] +/-  169ms

(3). 配置openstack yum源/etc/yum.repos.d/openstack.repo

[openstack]

name=openstack mitaka

baseurl=http://mirrors.aliyun.com/centos/7.2.1511/cloud/x86_64/openstack-mitaka/

enabled=1

gpgcheck=0

(4) 安装软件

 yum install mariadb mariadb-server Python2-PyMySQL

(5)创建及配置 /etc/my.cnf.d/openstack.cnf

[mysqld]

default-storage-engine = innodb

innodb_file_per_table

max_connections = 4096

collation-server = utf8_general_ci
character-set-server = utf8

skip_name_resolve
(6)启动服务

# systemctl enable mariadb.service
# systemctl start mariadb.service

(7)安装rabbitmq-server

# yum install rabbitmq-server

# systemctl enable rabbitmq-server.service

# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack openstack

# rabbitmqctl set_user_tags openstack administrator

# rabbitmqctl set_permissions openstack ".*" ".*" ".*"

(8)安装memcached

# yum install memcached Python-memcached

#systemctl enable memcached.service

#systemctl start memcached.service

(9) 关闭iptables, seLinux

编辑/etc/sysconfig/seLinux,修改SELINUX参数的值为disable

立即生效:

# getenforce

# setenforce  0

(10)设置主机名为controller、compute1

# hostnamectl set-hostname controller

# hostnamectl set-hostname compute1

2. 安装Identity(keystone)

(1) To create the database, complete the following actions:

  • Use the database access client to connect to the database server as the root user:

    $ mysql -u root -p
Create the keystone database:
    mysql> CREATE DATABASE keystone;
Grant proper access to the keystone database:
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    IDENTIFIED BY 'keystone';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    IDENTIFIED BY 'keystone';
检查:
SHOW GRANTS FOR  'keystone'@'localhost';
SHOW GRANTS FOR  'keystone'@'%';

(2)安装及配置
1) 安装组件
# yum install openstack-keystone httpd mod_wsgi
# yum install Python-openstackclient
2)配置 /etc/keystone/keystone.conf
[DEFAULT]

admin_token = f63285a166ca96ee181c

[database]
...
connection = mysql+pymysql://keystone:keystone@controller/keystone
#connection = 连接方式://用户名:密码@主机名/数据库
[token]
...
provider = fernet
3)同步 Identity service数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone
4) 初始化Fernet key 仓库
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
5) 配置 Apache HTTP 服务
Edit the /etc/httpd/conf/httpd.conf
    ServerName controller
Create the /etc/httpd/conf.d/keystone.conf:

Listen 5000

Listen 35357

<VirtualHost *:5000>

    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}

    WSGIProcessGroup keystone-public

    WSGIScriptAlias / /usr/bin/keystone-wsgi-public

    WSGIApplicationGroup %{GLOBAL}

    WSGIPassAuthorization On

    ErrorLogFormat "%{cu}t %M"

    ErrorLog /var/log/httpd/keystone-error.log

    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>

        Require all granted

    </Directory>

</VirtualHost>

<VirtualHost *:35357>

    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}

    WSGIProcessGroup keystone-admin

    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin

    WSGIApplicationGroup %{GLOBAL}

    WSGIPassAuthorization On

    ErrorLogFormat "%{cu}t %M"

    ErrorLog /var/log/httpd/keystone-error.log

    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>

        Require all granted

    </Directory>

</VirtualHost>

# systemctl enable httpd

# systemctl start httpd

6) 配置service entity 和API endpoints

The Identity service provides a catalog of services and their locations. Each service that you add to your

OpenStack environment

$ export OS_TOKEN=f63285a166ca96ee181c

$ export OS_URL=http://controller:35357/v3

$ export OS_IDENTITY_API_VERSION=3

    Create the service entity for the Identity service:

$ openstack service create \

  --name keystone --description "OpenStack Identity" identity

[root@localhost ~]# openstack service create \

>   --name keystone --description "OpenStack Identity" identity

+-------------+----------------------------------+

| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 28324912b51c42ea868623bf1c918875 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

    Create the Identity service API endpoints:

$ openstack endpoint create --region RegionOne \

  identity public http://controller:5000/v3

[root@localhost ~]# openstack endpoint create --region RegionOne \
>   identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f896e8b118fb4b83b177662afec6ee71 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne \

  identity internal http://controller:5000/v3

[root@localhost ~]# openstack endpoint create --region RegionOne \
>   identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1949e1778ffa4d589a7b707e832d9c86 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne \

  identity admin http://controller:35357/v3  

[root@localhost ~]# openstack endpoint create --region RegionOne \

>   identity admin http://controller:35357/v3  

+--------------+----------------------------------+

| Field        | Value                            |

+--------------+----------------------------------+

| enabled      | True                             |

| id           | eb3dcf9db6cb439cbff45a9c5cdb884e |

| interface    | admin                            |

| region       | RegionOne                        |

| region_id    | RegionOne                        |

| service_id   | 28324912b51c42ea868623bf1c918875 |

| service_name | keystone                         |

| service_type | identity                         |

| url          | http://controller:35357/v3       |

+--------------+----------------------------------+

7) The Identity service provides authentication services for each OpenStack service.

The authentication service uses a combination of domains, projects (tenants), users, and

roles.

    Create the default domain:

$ openstack domain create --description "Default Domain" default

[root@localhost ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 82ffd4c577bd4621967b12dd595b042f |
| name        | default                          |
+-------------+----------------------------------+

    Create the admin project:

$ openstack project create --domain default \
  --description "Admin Project" admin
[root@localhost ~]# openstack project create --domain default \
>   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 82ffd4c577bd4621967b12dd595b042f |
| enabled     | True                             |
| id          | 1ad1c008ea354c6abed93183b47a9643 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+    

    Create the admin user:
$ openstack user create --domain default \
  --password-prompt admin

[root@localhost ~]# openstack user create --domain default \
>   --password-prompt adminUser Password: admin
Repeat User Password:admin+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled   | True                             |
| id        | 1182b6dc17a94bac9e8630f76ec55194 |
| name      | admin                            |
+-----------+----------------------------------+
 Create the admin role:
$ openstack role create admin

[root@localhost ~]#  openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 71ebf5ea73344c348afe5f7a3490ff04 |
| name      | admin                            |
+-----------+----------------------------------+  
   Add the admin role to the admin project and user:
$ openstack role add --project admin --user admin admin

    Create the service project:

$ openstack project create --domain default \
  --description "Service Project" service

[root@localhost ~]# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 82ffd4c577bd4621967b12dd595b042f |
| enabled     | True                             |
| id          | 77ac0350c78d405db0a593ee14fc579c |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+

    Create the demo project:

$ openstack project create --domain default \
  --description "Demo Project" demo

[root@localhost ~]#  openstack project create --domain default \
>   --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 82ffd4c577bd4621967b12dd595b042f |
| enabled     | True                             |
| id          | 5cb6675efb81411b919a83a9623cd804 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+    
    Create the demo user:

$ openstack user create --domain default \
  --password-prompt demo

[root@localhost ~]# openstack user create --domain default   --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled   | True                             |
| id        | 2edf64b6bc4e43c3b5e46914c56bd5bb |
| name      | demo                             |

    Create the user role:
$ openstack role create user  

[root@localhost ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1e870f8b258644059e27ebc7c4b08ea4 |
| name      | user                             |
+-----------+----------------------------------+    
    Add the user role to the demo project and user:
$ openstack role add --project demo --user demo use
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IMAGE_API_VERSION=2

using the script
Load .admin-openrc file to populate environment variables with the
location of the Identity service and the admin project and user credentials:
$ . admin-openrc
Request an authentication token:

[root@localhost ~]# openstack token issue


相关新闻

历经多年发展,已成为国内好评如潮的Linux云计算运维、SRE、Devops、网络安全、云原生、Go、Python开发专业人才培训机构!