The Keystone service provides the following functions: 1. manage users and their permissions; 2. maintain the endpoints of the OpenStack services; 3. authentication and authorization.
4.1 Configuring the Keystone Database
Create a database on any controller node. The database is automatically synchronized. Take controller160 node as an example. Use root to log in to database:
mysql -u root -p
Create a Keystone database:
CREATE DATABASE keystone;
Grant access to the Keystone database, refresh and exit the database:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone.123';
flush privileges;
exit
4.2 Installing and Configuring keystone-all Controller
If you want to use HTTPS, you also need to install mod_ssl.
yum install openstack-keystone httpd python3-mod_wsgi -y
Back up the Keystone configuration file and strip the comments and blank lines from the working copy:
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
egrep -v "^$|^#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# Edit the Keystone configuration file and add the following fields under the corresponding sections
# vim /etc/keystone/keystone.conf
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller160:11211,controller161:11211,controller162:11211
[database]
connection = mysql+pymysql://keystone:keystone.123@controller168/keystone
[token]
provider = fernet
# Populate the Keystone database and initialize the Fernet and credential key repositories. No error output means success
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Verify that the Keystone tables were written:
mysql -h controller160 -ukeystone -pkeystone.123 -e "use keystone; show tables;"
# Synchronize the fernet and credential keys to controller161/162
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@controller161:/etc/keystone/
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@controller162:/etc/keystone/
After synchronization, fix the ownership of the copied directories on controller161/162:
[root@controller161 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller161 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
[root@controller162 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller162 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
# Bootstrap the Identity service; the admin password is set to admin.123
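Copying the key repositories by hand is where the permissions most often end up wrong, so the following is an added check script (not part of the original guide) to run on controller161/162 after the scp and chown above. It assumes GNU stat (CentOS 8 as used here) and that keystone-manage laid the repository out as numbered key files, with 0 as the staged key, under a mode 700 directory; the owner argument is optional so the function can be exercised where the keystone account does not exist.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a Keystone key
# repository (fernet-keys or credential-keys) copied to another controller
# still has the layout and permissions keystone-manage created it with.
#
# check_key_repo DIR [OWNER]
#   - DIR exists and is mode 700
#   - every entry is a regular file named by a non-negative integer
#     (fernet key index: 0 is the staged key, the highest number is primary)
#   - every key file is mode 600
#   - key 0 exists, otherwise `keystone-manage fernet_rotate` has nothing to promote
#   - if OWNER (user:group) is given, directory and files must be owned by it
check_key_repo() {
    dir=$1
    owner=${2:-}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir is not mode 700" >&2; return 1; }
    if [ -n "$owner" ] && [ "$(stat -c %U:%G "$dir")" != "$owner" ]; then
        echo "$dir is not owned by $owner" >&2; return 1
    fi
    have_zero=0
    count=0
    for f in "$dir"/*; do
        [ -e "$f" ] || break            # empty directory: the glob did not expand
        name=${f##*/}
        case $name in
            ''|*[!0-9]*) echo "unexpected entry $name in $dir" >&2; return 1 ;;
        esac
        [ -f "$f" ] || { echo "$name is not a regular file" >&2; return 1; }
        [ "$(stat -c %a "$f")" = "600" ] || { echo "$name is not mode 600" >&2; return 1; }
        if [ -n "$owner" ] && [ "$(stat -c %U:%G "$f")" != "$owner" ]; then
            echo "$name is not owned by $owner" >&2; return 1
        fi
        [ "$name" = "0" ] && have_zero=1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "$dir holds no keys" >&2; return 1; }
    [ "$have_zero" -eq 1 ] || { echo "$dir has no staged key 0" >&2; return 1; }
    echo "$dir: $count key(s), permissions OK"
}

# Usage on controller161/162 after the scp from controller160:
#   check_key_repo /etc/keystone/fernet-keys keystone:keystone
#   check_key_repo /etc/keystone/credential-keys keystone:keystone
```

Both repositories must match on every node: if one controller carries a different key set, tokens issued by one node fail validation on another behind the load balancer, which shows up as intermittent 401 responses rather than a clear error.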
keystone-manage bootstrap --bootstrap-password admin.123 \
--bootstrap-admin-url http://controller168:5000/v3/ \
--bootstrap-internal-url http://controller168:5000/v3/ \
--bootstrap-public-url http://controller168:5000/v3/ \
--bootstrap-region-id RegionOne
4.3 Configuring the Http Server
# Run on all controller nodes, shown here for controller160;
[root@controller160 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller160 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
Note that each node substitutes its own IP address:
[root@controller160 ~]# sed -i "s/Listen 80/Listen 172.16.1.160:80/g" /etc/httpd/conf/httpd.conf
[root@controller161 ~]# sed -i "s/Listen 80/Listen 172.16.1.161:80/g" /etc/httpd/conf/httpd.conf
[root@controller162 ~]# sed -i "s/Listen 80/Listen 172.16.1.162:80/g" /etc/httpd/conf/httpd.conf
Create the soft link on all controller nodes:
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# Operate on all controller nodes, for example controller160
systemctl enable httpd.service
systemctl restart httpd.service
[root@controller160 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-18 11:06:37 CST; 25s ago
     Docs: man:httpd.service(8)
 Main PID: 195414 (httpd)
   Status: "Total requests: 10; Idle/Busy workers 99/1; Requests/sec: 0.526; Bytes served/sec: 133 B/sec"
    Tasks: 298 (limit: 11490)
   Memory: 271.7M
   CGroup: /system.slice/httpd.service
           ├─195414 /usr/sbin/httpd -DFOREGROUND
           ├─195415 /usr/sbin/httpd -DFOREGROUND
           ├─195416 (wsgi:keystone- -DFOREGROUND
           ├─195417 (wsgi:keystone- -DFOREGROUND
           ├─195418 (wsgi:keystone- -DFOREGROUND
           ├─195419 (wsgi:keystone- -DFOREGROUND
           ├─195420 (wsgi:keystone- -DFOREGROUND
           ├─195421 /usr/sbin/httpd -DFOREGROUND
           ├─195422 /usr/sbin/httpd -DFOREGROUND
           ├─195423 /usr/sbin/httpd -DFOREGROUND
           └─195652 /usr/sbin/httpd -DFOREGROUND

Jun 18 11:06:37 controller160 systemd[1]: Starting The Apache HTTP Server...
Jun 18 11:06:37 controller160 systemd[1]: Started The Apache HTTP Server.
Jun 18 11:06:37 controller160 httpd[195414]: Server configured, listening on: 172.16.1.160 port 5000, 172.16.1.160 port 80
4.4 Configuring Environment Variables
# Configure the environment variable file, using the admin password created in the bootstrap step above
# vim adminrc.sh
export OS_USERNAME=admin
export OS_PASSWORD=admin.123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller168:5000/v3
export OS_IDENTITY_API_VERSION=3
# vim unsetAdminrc.sh
unset OS_USERNAME
unset OS_PASSWORD
unset OS_PROJECT_NAME
unset OS_USER_DOMAIN_NAME
unset OS_PROJECT_DOMAIN_NAME
unset OS_AUTH_URL
unset OS_IDENTITY_API_VERSION
Verify that authentication works by listing domains (you can also use openstack token issue):
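adminrc.sh holds the admin password in clear text, so the following is an added helper (not part of the original guide) that loads such a credentials file only when its file mode is restrictive, then confirms the variables the openstack CLI needs for Identity v3 are all present. It assumes GNU stat (CentOS 8 as used here) and the variable names and /v3 auth URL used in the adminrc.sh above; the file path and the unload counterpart are my additions.

```shell
#!/bin/sh
# Added example (not from the original guide): load an OpenStack credentials
# file such as adminrc.sh only when it is safe to do so, and confirm the
# variables the openstack CLI needs for Identity v3 are all exported.
#
# load_openrc FILE
#   - refuses a file that is group- or world-readable (it contains OS_PASSWORD
#     in clear text, so it should be mode 600)
#   - sources it, then verifies the required OS_* variables are non-empty
#   - rejects a non-v3 OS_IDENTITY_API_VERSION or an OS_AUTH_URL that does
#     not point at the /v3 endpoint used throughout this section
load_openrc() {
    rc=$1
    [ -f "$rc" ] || { echo "no such file: $rc" >&2; return 1; }
    mode=$(stat -c %a "$rc")
    case $mode in
        600|400) ;;
        *) echo "$rc is mode $mode; fix with: chmod 600 $rc" >&2; return 1 ;;
    esac
    # shellcheck disable=SC1090
    . "$rc"
    for var in OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
               OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || { echo "$rc does not set $var" >&2; return 1; }
    done
    [ "$OS_IDENTITY_API_VERSION" = "3" ] || { echo "expected OS_IDENTITY_API_VERSION=3" >&2; return 1; }
    case $OS_AUTH_URL in
        */v3|*/v3/) ;;
        *) echo "OS_AUTH_URL should end in /v3: $OS_AUTH_URL" >&2; return 1 ;;
    esac
    echo "loaded $rc for $OS_USERNAME@$OS_PROJECT_NAME via $OS_AUTH_URL"
}

# Counterpart of unsetAdminrc.sh from the guide: drop the credentials from the shell.
unload_openrc() {
    unset OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
          OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION
}

# Usage (functions must be sourced, not executed, so the variables land in your shell):
#   . ./openrc-helpers.sh
#   chmod 600 adminrc.sh && load_openrc adminrc.sh && openstack token issue
#   unload_openrc
```

The mode check is the part worth keeping even if you drop the rest: a world-readable adminrc.sh on a shared controller hands the cloud admin password to every local account, and the scp to the other controllers below copies the file with whatever mode it has.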
[root@controller160 ~]# source adminrc.sh
[root@controller160 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
Distribute the script to the other controller nodes:
[root@controller160 ~]# scp admin-openrc demo-openrc root@controller161:~/
[root@controller160 ~]# scp admin-openrc demo-openrc root@controller162:~/
4.6 Creating Domains, Projects, Users, and Roles
The Identity service provides authentication for every OpenStack service, using a combination of domains, projects, users and roles.
The "default" domain already exists from the keystone-manage bootstrap step. Create a new domain with:
openstack domain create --description "An Example Domain" example
# Normal output after execution:
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 70eb130ba9534e07ba908bc3d3761525 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
Create a service project:
openstack project create --domain default --description "Service Project" service
# Execution result:
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 1121de199979451ca8f72843b1e20822 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
# Create the user role
openstack role create user
# output
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 0c19dad2f68b4c99a4e7b0af9dcc7367 |
| name | user |
| options | {} |
+-------------+----------------------------------+
# View roles
openstack role list
# output
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0c19dad2f68b4c99a4e7b0af9dcc7367 | user |
| 7bd349df1d734817b41cf1d25fc921c4 | reader |
| c5e6b6b811d84a75bdcc0997f5f76eeb | admin |
| def5070f95f04b65b3d425cdd6adf4e3 | member |
+----------------------------------+--------+
# View users, roles and role assignments
[root@controller160 ~]# openstack user list
[root@controller160 ~]# openstack role list
[root@controller160 ~]# openstack role assignment list
4.7 Adding PCS Resources
# Run on any controller node. Add the openstack-keystone-clone resource; pcs actually manages the httpd systemd unit on each node
[root@controller160 ~]# pcs resource create openstack-keystone systemd:httpd clone interleave=true
[root@controller160 ~]# pcs resource
* vip (ocf::heartbeat:IPaddr2): Started controller160
* Clone Set: lb-haproxy-clone [lb-haproxy]:
* Started: [ controller160 ]
* Stopped: [ controller161 controller162 ]
* Clone Set: openstack-keystone-clone [openstack-keystone]:
* Started: [ controller160 controller161 controller162 ]
So far, the Keystone cluster has been deployed. If you have any questions, please contact me. Thank you!
4.X Summary of problems encountered during the deployment
eg1. [root@controller160 ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Last metadata expiration check: 1:51:25 ago on Thu 18 Jun 2020 08:05:13 AM CST.
Error:
 Problem 1: conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
 Problem 2: package python3-mod_wsgi-4.6.4-4.el8.x86_64 requires httpd-mmn = 20120211x8664, but none of the providers can be installed
  - conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
Solution: install the centos-logos-httpd package, which provides system-logos-httpd, then rerun the yum install:
# rpm -ivh centos-logos-httpd-80.5-2.el8.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:centos-logos-httpd-80.5-2.el8    ################################# [100%]
eg2. Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:5000
Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Solution: vim /usr/share/keystone/wsgi-keystone.conf and change "Listen 5000" to "Listen 172.16.1.160:5000" (each node uses its own IP address, as with port 80 in 4.3).
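The per-node Listen edits in 4.3 (port 80 in httpd.conf) and in eg2 here (port 5000 in wsgi-keystone.conf) are the same change, and the one-shot sed in the guide has no guard against running twice or against a typo in the port. The following is an added helper (not part of the original guide) that makes the rewrite idempotent and fails loudly when the expected line is absent. It assumes GNU sed and that the files carry an unbound "Listen PORT" line, as the page shows; the file paths and IPs in the usage comment are taken from the page.

```shell
#!/bin/sh
# Added example (not from the original guide): bind an Apache "Listen" line
# to this node's own address instead of the wildcard, as section 4.3 does
# for port 80 and eg2 does for port 5000 in wsgi-keystone.conf.
#
# bind_listen CONF PORT IP
#   Rewrites "Listen PORT" to "Listen IP:PORT" in CONF. It is idempotent
#   (a line already bound to IP is left alone), refuses to touch a line bound
#   to a different address, and fails if CONF has no Listen line for PORT,
#   so a typo in the port does not silently leave the wildcard bind in place.
bind_listen() {
    conf=$1; port=$2; ip=$3
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if grep -Eq "^Listen[[:space:]]+$ip:$port[[:space:]]*$" "$conf"; then
        echo "$conf: port $port already bound to $ip"
        return 0
    fi
    if grep -Eq "^Listen[[:space:]]+[^[:space:]]+:$port[[:space:]]*$" "$conf"; then
        echo "$conf: port $port is bound to another address, not changing it" >&2
        return 1
    fi
    if ! grep -Eq "^Listen[[:space:]]+$port[[:space:]]*$" "$conf"; then
        echo "$conf: no 'Listen $port' line found" >&2
        return 1
    fi
    sed -i -E "s/^Listen[[:space:]]+$port[[:space:]]*$/Listen $ip:$port/" "$conf"
    echo "$conf: bound port $port to $ip"
}

# listen_addrs CONF
#   Prints the value of every "Listen" directive, one per line, for a quick
#   audit of what the node will actually bind to before restarting httpd.
listen_addrs() {
    sed -nE 's/^Listen[[:space:]]+([^[:space:]]+).*/\1/p' "$1"
}

# Per-node usage (each controller substitutes its own IP; controller160 shown):
#   bind_listen /etc/httpd/conf/httpd.conf 80 172.16.1.160
#   bind_listen /usr/share/keystone/wsgi-keystone.conf 5000 172.16.1.160
#   listen_addrs /etc/httpd/conf/httpd.conf
```

Running listen_addrs on both files before `systemctl restart httpd.service` shows at a glance whether any wildcard bind is left that would collide with the service listening on the VIP, which is exactly the AH00072 error above.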