OpenStack: Keystone
I. What is OpenStack
OpenStack is a cloud operating system that controls large pools of compute, storage and networking resources in a data center. Administrators manage and control those resources, and authorize users to consume them, through a web dashboard.
II. Categories of cloud service
Cloud services are usually classified as IaaS, PaaS, SaaS and so on:
IaaS: Infrastructure as a Service (operating-system level; OpenStack, CloudStack)
PaaS: Platform as a Service (pre-deployed web servers, databases and similar platforms, aimed at developers; container platforms such as Docker are often grouped here)
SaaS: Software as a Service (complete applications delivered to end users)
Plus narrower offerings such as FWaaS, DBaaS, LBaaS, ...
III. OpenStack terminology
(1) Volumes and distributed storage
Volume (Cinder): persistent block storage attached to instances.
Distributed object storage (Swift): stores objects such as the image templates that instances boot from.
(2) Mapping between services and projects
Each service name corresponds to one project (code) name. The projects exercised in this lab series:
Service --- Project
OpenStack Identity Service --- keystone
OpenStack Image Service --- glance
OpenStack Compute Service --- nova
OpenStack Networking Service --- neutron
(3) Division of work between OpenStack projects
Compute: project Nova; launches and schedules VMs.
Networking: project Neutron; the networking component, plugin based, with support for many popular network back ends.
Object Storage: project Swift; distributed object storage.
Block Storage: project Cinder; persistent block storage for VMs.
Identity: codename Keystone; provides authentication, authorization and the endpoint catalog for every OpenStack service.
Image: project Glance; stores and retrieves disk image files.
Dashboard: project Horizon; the web GUI for managing the other services.
Telemetry: project Ceilometer; monitoring and metering.
Orchestration: project Heat; coordinates several projects to deploy a stack.
Database: project Trove; DBaaS.
Data processing: project Sahara; manages Hadoop clusters on OpenStack.
A service is generally split into a decision-making part (API and scheduler) and executing agents; each service persists its state in MySQL (MariaDB in this lab).
(4) Storage and volumes
Ways of providing disks in a cloud: files that emulate a disk, or physical disk partitions.
Disk image files: every time an instance is launched, its image is copied from the configured image store to the compute node that boots it; when the instance is deleted, the local copy on that node is destroyed, so nothing written to it survives.
Volumes are the persistent form of storage; compute nodes normally attach them over iSCSI.
IV. Summary of configuring a service on the controller node
Installing any service has two stages:
Stage 1: preparation
create the database and grant access --> source the admin environment variables --> create the service user and the service entity --> create the API endpoints (public, internal, admin)
Stage 2: install and configure the component
[database] connection string --> RabbitMQ and Keystone authentication settings --> enable the features the deployment needs --> sync the database --> enable the service at boot and start it
V. Lab
The goal of this lab series is to build an OpenStack cloud on two nodes, one configured as the controller node and one as a compute node. OpenStack involves a very large amount of configuration, so the build is spread over several labs. This lab prepares the environment on both nodes and sets up the Identity (Keystone) service on the controller.
1. Preparation
(1) Configure /etc/hosts on every node
192.168.10.11 controller
192.168.10.12 compute1
192.168.10.13 compute2
192.168.10.14 block
(2) Configure NTP using chrony, a lightweight NTP implementation
On the controller, edit /etc/chrony.conf so that nodes on the management network may query it:
allow 192.168.10.0/24
Enable the service at boot and start it:
# systemctl enable chronyd
# systemctl start chronyd
On the compute node, replace the default server lines so it syncs from the controller:
server controller iburst
Check on both nodes:
[root@controller ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ 161.53.131.133                2   6   377    29    +22ms[  +22ms] +/-  233ms
^+ ntp2.flashdance.cx            2   6   313    32  +4258us[+4258us] +/-  578ms
^+ ntp3.flashdance.cx            2   6   377    31  +1233us[+1233us] +/-  200ms
^* ntp2.itcompliance.dk          2   6   377    33   +947us[+4528us] +/-  167ms
[root@compute ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* controller                    3   6    77    23   +886us[+2718us] +/-  169ms
The ^* marker is the source currently selected; the compute node should show controller as its only source. Keep the clocks in sync: token expiry checks and log correlation across nodes depend on it.
(3) Configure the OpenStack yum repository in /etc/yum.repos.d/openstack.repo
[openstack]
name=openstack mitaka
baseurl=http://mirrors.aliyun.com/centos/7.2.1511/cloud/x86_64/openstack-mitaka/
enabled=1
gpgcheck=0
Note: gpgcheck=0 turns off RPM signature verification for this repository, so you are trusting the mirror and the network path to it. Outside a throwaway lab, set gpgcheck=1 and point gpgkey at the CentOS Cloud SIG signing key (installed by the centos-release-openstack-mitaka package).
(4) Install the database packages (package names are case sensitive)
# yum install mariadb mariadb-server python2-PyMySQL
(5) Create and configure /etc/my.cnf.d/openstack.cnf
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
skip_name_resolve
Note: without a bind-address setting MariaDB listens on every interface; the upstream install guide adds bind-address = <controller management IP> so the database is reachable only over the management network.
(6) Enable and start the service
# systemctl enable mariadb.service
# systemctl start mariadb.service
Then run mysql_secure_installation, as the upstream guide does, to set a root password and remove the anonymous accounts and the test database.
(7) Install rabbitmq-server and create the account the services will use
# yum install rabbitmq-server
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack openstack
# rabbitmqctl set_user_tags openstack administrator
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
The second argument to add_user is the password (here the lab-only value "openstack"); every service's configuration will embed it. The administrator tag grants management-plugin admin rights, which the services do not need; the upstream guide only sets the permissions line.
(8) Install memcached (the services cache validated tokens in it)
# yum install memcached python-memcached
# systemctl enable memcached.service
# systemctl start memcached.service
memcached has no authentication of its own, so bind it to localhost and the management address (the -l option in /etc/sysconfig/memcached) rather than leaving it open on all interfaces.
(9) Disable iptables and SELinux (a lab shortcut)
Edit /etc/sysconfig/selinux and set SELINUX=disabled; this takes effect at the next boot. To switch to permissive mode immediately, check the current mode and then relax it:
# getenforce
# setenforce 0
The upstream install guide does not disable SELinux: it installs the openstack-selinux package and keeps enforcing mode, which is the setting to use for anything beyond a lab.
(10) Set the host names to controller and compute1 respectively
# hostnamectl set-hostname controller
# hostnamectl set-hostname compute1
2. Install Identity (Keystone)
(1) Create the database:
Use the database access client to connect to the database server as the root user:
$ mysql -u root -p
Create the keystone database:
mysql> CREATE DATABASE keystone;
Grant proper access to the keystone database:
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'keystone';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'keystone';
The second grant ('keystone'@'%') lets the keystone account connect from any host, which is why the bind-address setting above matters; the password 'keystone' is the lab value and should be a generated secret anywhere else.
Check:
mysql> SHOW GRANTS FOR 'keystone'@'localhost';
mysql> SHOW GRANTS FOR 'keystone'@'%';
(2) Install and configure
1) Install the packages
# yum install openstack-keystone httpd mod_wsgi
# yum install python-openstackclient
2) Configure /etc/keystone/keystone.conf
[DEFAULT]
admin_token = f63285a166ca96ee181c
[database]
...
connection = mysql+pymysql://keystone:keystone@controller/keystone
# connection = driver://username:password@host/database
[token]
...
provider = fernet
admin_token is a bootstrap credential: any client that presents it on the admin API is treated as fully authorized, with no user, project or role check, so it must be a random value (the upstream guide generates it with openssl rand -hex 10) and must be removed from keystone.conf, together with the admin_token_auth filter in /etc/keystone/keystone-paste.ini, once the admin user and endpoints below exist. Mitaka also introduced keystone-manage bootstrap, which creates the admin user, role and endpoints without a shared token.
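The admin_token line is the one setting in this file that a reviewer must not let survive into production. The script below is an added example written for this page, not keystone's own code: it parses a keystone.conf (a constructed copy of the three settings above), reports a configured bootstrap token, a non-Fernet token provider and a database password equal to the user name, and performs the hardening step of stripping admin_token. The section and option names are the real keystone.conf ones; the sample file and the wording of the findings are this example's own.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample (not copied from a real deployment): the settings this
# page writes into /etc/keystone/keystone.conf, bootstrap token included.
PAGE_KEYSTONE_CONF = """\
[DEFAULT]
admin_token = f63285a166ca96ee181c

[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone

[token]
provider = fernet
"""


def parse_keystone_conf(text):
    # oslo.config files are INI-like; no '%' interpolation, duplicates tolerated
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_keystone_conf(text):
    """Return (section/option, finding) pairs for settings a reviewer would raise."""
    cp = parse_keystone_conf(text)
    findings = []

    # 1. admin_token is a shared secret that bypasses user authentication on
    #    the admin API; it exists only to bootstrap the first admin user.
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("DEFAULT/admin_token",
                         "bootstrap token still configured; remove it once the "
                         "admin user and the endpoints exist"))

    # 2. fernet tokens are signed and encrypted and need no token table;
    #    anything else means the [token] step on this page was skipped.
    if cp.get("token", "provider", fallback="") != "fernet":
        findings.append(("token/provider", "token provider is not fernet"))

    # 3. the connection URL embeds the database password; flag trivial ones.
    url = urlparse(cp.get("database", "connection", fallback=""))
    if url.password and url.password == url.username:
        findings.append(("database/connection",
                         "database password equals the user name"))
    return findings


def remove_admin_token(text):
    """The hardening step: drop the admin_token line, keep everything else."""
    kept = [line for line in text.splitlines()
            if line.split("=")[0].strip() != "admin_token"]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for option, finding in audit_keystone_conf(PAGE_KEYSTONE_CONF):
        print(f"{option}: {finding}")
    print("after hardening:", audit_keystone_conf(remove_admin_token(PAGE_KEYSTONE_CONF)))
```

Run it against the real file with audit_keystone_conf(open("/etc/keystone/keystone.conf").read()) after the endpoints and admin user exist; the only acceptable result at that point is an empty list for the admin_token check. Removing the line from keystone.conf is necessary but not sufficient in Mitaka: the admin_token_auth filter also has to go from the pipelines in keystone-paste.ini.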
3) Populate the Identity service database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
4) Initialize the Fernet key repository (/etc/keystone/fernet-keys, owned by keystone and readable by nobody else)
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
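With provider = fernet, tokens are not stored in the database; they are signed and encrypted with the keys in this repository, so the repository is the secret that every token depends on and it has to be rotated. The script below is an added example written for this page, not keystone's code: it models the repository layout that fernet_setup creates and the rotation that keystone-manage fernet_rotate performs later (staged key 0 promoted to primary, old primary kept as a secondary, oldest secondaries pruned to max_active_keys). It works on a temporary directory, generates keys with the standard library only, and models the 0600 file mode but not the keystone:keystone ownership; the function names are this example's own.

```python
import base64
import os
import stat
import tempfile

# Layout of /etc/keystone/fernet-keys/: one file per key, named "0", "1",
# "2", ... "0" is the staged key (the next primary), the highest number is
# the primary key that signs and encrypts new tokens, and the numbers in
# between are secondary keys kept only so that tokens issued under an earlier
# primary still validate.


def _new_key():
    # A Fernet key is 32 random bytes, urlsafe-base64 encoded.
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def _write_key(repo, key_id, key):
    # keys are secrets: create the file with mode 0600, as keystone does
    path = os.path.join(repo, str(key_id))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)


def make_temp_repo():
    """Path for a throwaway repository (not created yet); stands in for
    /etc/keystone/fernet-keys so the example never touches the real one."""
    return os.path.join(tempfile.mkdtemp(prefix="fernet-"), "fernet-keys")


def load_keys(repo):
    """{key_id: key_material} for every key file in the repository."""
    keys = {}
    for name in os.listdir(repo):
        if name.isdigit():
            with open(os.path.join(repo, name)) as f:
                keys[int(name)] = f.read().strip()
    return keys


def primary_key_id(repo):
    return max(load_keys(repo))


def key_file_mode(repo, key_id):
    return stat.S_IMODE(os.stat(os.path.join(repo, str(key_id))).st_mode)


def fernet_setup(repo):
    """What `keystone-manage fernet_setup` does: a staged key 0 and a primary
    key 1 in a directory nobody else can read."""
    os.makedirs(repo, mode=0o700, exist_ok=True)
    _write_key(repo, 0, _new_key())
    _write_key(repo, 1, _new_key())
    return sorted(load_keys(repo))


def fernet_rotate(repo, max_active_keys=3):
    """What `keystone-manage fernet_rotate` does: the staged key 0 becomes the
    new primary (highest number), the old primary becomes a secondary key, a
    fresh staged key 0 is written, and the oldest secondary keys are removed
    until at most max_active_keys files remain (0 and the primary always stay)."""
    keys = load_keys(repo)
    _write_key(repo, max(keys) + 1, keys[0])   # promote staged -> primary
    _write_key(repo, 0, _new_key())            # fresh staged key
    keys = load_keys(repo)
    while len(keys) > max_active_keys:
        secondaries = [k for k in keys if k not in (0, max(keys))]
        if not secondaries:
            break
        os.remove(os.path.join(repo, str(min(secondaries))))
        keys = load_keys(repo)
    return sorted(keys)


if __name__ == "__main__":
    repo = make_temp_repo()
    print("after fernet_setup :", fernet_setup(repo))     # [0, 1]
    print("after 1st rotation :", fernet_rotate(repo))    # [0, 1, 2]
    print("after 2nd rotation :", fernet_rotate(repo))    # [0, 2, 3]
    print("primary key id     :", primary_key_id(repo))   # 3
```

Two operational consequences follow from the model: a token encrypted under a key that pruning has removed can no longer be validated, so max_active_keys times the rotation interval must exceed the token lifetime; and because encryption uses only the primary key, every keystone node must receive the same repository (staged key included) before the next rotation, otherwise tokens issued by one node fail on another.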
5) Configure the Apache HTTP server
Edit /etc/httpd/conf/httpd.conf and set:
ServerName controller
Create /etc/httpd/conf.d/keystone.conf with the following content:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
# systemctl enable httpd
# systemctl start httpd
6) Configure the service entity and API endpoints
The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment
Export the bootstrap token and the admin API URL. OS_TOKEN must equal the admin_token value in keystone.conf; these three variables are used only until admin-openrc exists and must be unset afterwards:
$ export OS_TOKEN=f63285a166ca96ee181c
$ export OS_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Create the service entity for the Identity service:
[root@localhost ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 28324912b51c42ea868623bf1c918875 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
Create the Identity service API endpoints:
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | f896e8b118fb4b83b177662afec6ee71 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1949e1778ffa4d589a7b707e832d9c86 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | eb3dcf9db6cb439cbff45a9c5cdb884e |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
7) The Identity service provides authentication services for each OpenStack service.
The authentication service uses a combination of domains, projects (tenants), users, and
roles.
Create the default domain:
[root@localhost ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 82ffd4c577bd4621967b12dd595b042f |
| name | default |
+-------------+----------------------------------+
Create the admin project:
[root@localhost ~]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 1ad1c008ea354c6abed93183b47a9643 |
| is_domain | False |
| name | admin |
| parent_id | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+
Create the admin user:
The password typed at the prompts below is "admin" (a lab-only value; the prompt does not echo it):
[root@localhost ~]# openstack user create --domain default \
> --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 1182b6dc17a94bac9e8630f76ec55194 |
| name | admin |
+-----------+----------------------------------+
Create the admin role:
[root@localhost ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 71ebf5ea73344c348afe5f7a3490ff04 |
| name | admin |
+-----------+----------------------------------+
Add the admin role to the admin project and user:
$ openstack role add --project admin --user admin admin
Create the service project:
[root@localhost ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 77ac0350c78d405db0a593ee14fc579c |
| is_domain | False |
| name | service |
| parent_id | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+
Create the demo project:
[root@localhost ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 5cb6675efb81411b919a83a9623cd804 |
| is_domain | False |
| name | demo |
| parent_id | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+
Create the demo user:
[root@localhost ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 2edf64b6bc4e43c3b5e46914c56bd5bb |
| name | demo |
+-----------+----------------------------------+
Create the user role:
[root@localhost ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 1e870f8b258644059e27ebc7c4b08ea4 |
| name | user |
+-----------+----------------------------------+
Add the user role to the demo project and user:
$ openstack role add --project demo --user demo user
8) Create client environment scripts
Create demo-openrc with the following content (replace DEMO_PASS with the password given to the demo user):
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IMAGE_API_VERSION=2
Create admin-openrc the same way, with OS_PROJECT_NAME and OS_USERNAME set to admin, OS_PASSWORD set to the admin password, and OS_AUTH_URL pointing at the admin API, http://controller:35357/v3. These files hold clear-text passwords, so keep them readable by their owner only.
Using the scripts:
First unset OS_TOKEN and OS_URL so the client authenticates as a real user instead of with the bootstrap token. Then load the admin-openrc file to populate environment variables with the location of the Identity service and the admin project and user credentials:
$ . admin-openrc
Request an authentication token; a table with expires, id, project_id and user_id confirms that Keystone, the database, the Fernet keys and Apache are working together:
[root@localhost ~]# openstack token issue
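The endpoint catalog built in step 6 and the token requested here are two halves of one exchange: the client POSTs a password authentication document to /v3/auth/tokens and receives the token id in the X-Subject-Token response header plus the service catalog in the body, which every later openstack command uses to find the other services. The script below is an added example for this page, not python-openstackclient's code. It builds that request from the demo-openrc variables above, parses a constructed reply shaped like Keystone's, and lists the catalog entries reached over plain http, which in this lab is all of them (the token travels in clear text to each). The token id, timestamp and the reply itself are made up; issue_token() is the live variant for a reachable controller and is not needed offline.

```python
import json
import urllib.request
from urllib.parse import urlparse


def build_password_auth(env):
    """Body of POST {OS_AUTH_URL}/auth/tokens for the OS_* variables of an
    openrc file: password method, scoped to a project in a named domain."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


def parse_token_response(headers, body):
    """What a client keeps from a 201 reply. The token id is only in the
    X-Subject-Token header; the body carries expiry, scope, roles and the
    catalog that later commands use to locate nova, glance, and so on."""
    token = body["token"]
    catalog = {}
    for service in token.get("catalog", []):
        for ep in service["endpoints"]:
            catalog[(service["type"], ep["interface"])] = ep["url"]
    return {
        "token_id": headers["X-Subject-Token"],
        "expires_at": token["expires_at"],
        "project": token["project"]["name"],
        "roles": sorted(r["name"] for r in token["roles"]),
        "catalog": catalog,
    }


def insecure_endpoints(catalog):
    """Catalog entries reached over plain http: every token presented to
    them crosses the network in clear text."""
    return sorted(key for key, url in catalog.items()
                  if urlparse(url).scheme != "https")


def issue_token(env):
    """Live variant for a reachable controller: the same exchange that
    `openstack token issue` performs. Not exercised offline."""
    req = urllib.request.Request(
        env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens",
        data=json.dumps(build_password_auth(env)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers, json.load(resp))


# Constructed sample input: the demo-openrc values from this page and a reply
# shaped like keystone's (token id, timestamp and names are made up).
DEMO_ENV = {
    "OS_PROJECT_DOMAIN_NAME": "default",
    "OS_USER_DOMAIN_NAME": "default",
    "OS_PROJECT_NAME": "demo",
    "OS_USERNAME": "demo",
    "OS_PASSWORD": "DEMO_PASS",
    "OS_AUTH_URL": "http://controller:5000/v3",
}
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexampleTokenIdNotReal"}
SAMPLE_BODY = {
    "token": {
        "expires_at": "2016-06-01T12:00:00.000000Z",
        "project": {"name": "demo", "domain": {"name": "default"}},
        "user": {"name": "demo", "domain": {"name": "default"}},
        "roles": [{"name": "user"}],
        "catalog": [
            {"type": "identity", "name": "keystone", "endpoints": [
                {"interface": "public", "region": "RegionOne",
                 "url": "http://controller:5000/v3"},
                {"interface": "internal", "region": "RegionOne",
                 "url": "http://controller:5000/v3"},
                {"interface": "admin", "region": "RegionOne",
                 "url": "http://controller:35357/v3"},
            ]},
        ],
    }
}

if __name__ == "__main__":
    print(json.dumps(build_password_auth(DEMO_ENV), indent=2))
    result = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(result["token_id"], result["roles"], result["catalog"])
    print("plain-http endpoints:", insecure_endpoints(result["catalog"]))
```

Two things the exchange makes visible that the CLI table hides: the request carries the password in the JSON body, so the auth URL is the one endpoint that most needs TLS, and a Fernet token id is the entire token (there is no server-side record to revoke by id), which is why the key repository from step 4 and the catalog URLs from step 6 together define who can mint and who can intercept a credential.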