OpenStack: Keystone
I. What is OpenStack
OpenStack is a cloud operating system that controls large pools of compute, storage and networking resources in a data center. Administrators manage and control those resources, and authorize users, through a web dashboard, so that resources can be provisioned on demand.
II. Categories of cloud service
The usual split is IaaS, PaaS and SaaS:
IaaS: Infrastructure as a Service (operating-system level; OpenStack, CloudStack)
PaaS: Platform as a Service (pre-deployed web, DB and similar application platforms aimed at professional users; e.g. Docker)
SaaS: Software as a Service (applications delivered to end users)
plus finer-grained offerings such as FWaaS, DBaaS, LBaaS, ...
III. OpenStack terminology
(1) Volumes and distributed storage
Volume (Cinder): persistent storage;
Distributed storage (Swift): object store; typically the backend that holds the VM templates (image files);
(2) Services and their project names
Each service name corresponds to one project (code) name. The projects exercised in these labs are:
Service --- Project
OpenStack Identity Service --- keystone
OpenStack Image Service --- glance
OpenStack Compute Service --- nova
OpenStack Networking Service --- neutron
(3) What each OpenStack project does
Compute: project Nova; launches and schedules VMs;
Networking: project Neutron; the network component, plugin-based, with support for many popular network back-end plugins;
Object Storage: project Swift; distributed storage;
Block Storage: project Cinder; provides persistent block storage for VMs;
Identity: project Keystone; provides authentication, authorization and the endpoint catalog for all OpenStack services;
Image: project Glance; stores and retrieves disk image files;
Dashboard: project Horizon; the web GUI for managing the services of the other projects;
Telemetry: project Ceilometer; monitoring and metering;
Orchestration: project Heat; coordinates several projects at once;
Database: project Trove; provides DBaaS;
Data processing: project Sahara; manages Hadoop inside OpenStack;
A service usually has a decision-making part (API/scheduler) and executing parts (agents on the nodes); each service keeps its state in MySQL/MariaDB.
(4) Storage and volumes
Ways a cloud provides a disk: a file emulating a disk, or a physical disk partition;
Disk image files: each time an instance is started, the image file is downloaded from the configured store to the node that boots the VM; when the instance is deleted, the local copy on that node is destroyed;
Volumes are persistent storage; nodes usually attach them over iSCSI;
IV. Summary of service configuration on the controller node
Installation has two steps:
Step 1: pre-installation
create the database and grant access --> source the environment variables --> create the service user and service entity --> create the API endpoints (public, internal, admin)
Step 2: install and configure the component:
[database] connection string --> RabbitMQ and Keystone authentication settings --> configure the features the service needs --> sync the database --> enable at boot and start the service
V. Lab
The goal of this lab series is to build an OpenStack cloud on two nodes, a controller node and a compute node. OpenStack involves a great deal of configuration, so the build is split across several labs. This lab prepares the pre-installation environment on the controller and compute nodes and sets up the Identity (Keystone) service.
1. Pre-installation
(1) Configure /etc/hosts
192.168.10.11 controller
192.168.10.12 compute1
192.168.10.13 compute2
192.168.10.14 block
(2) Configure NTP, using the lightweight chrony implementation
On the controller, edit /etc/chrony.conf and allow the management network:
allow 192.168.10/24
Enable at boot and start the service:
# systemctl enable chronyd
# systemctl start chronyd
On the compute node, replace the server lines so that it syncs from the controller:
server controller iburst
Check:
[root@controller ~]# chronyc sources
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
^+ 161.53.131.133 2 6 377 29 +22ms[ +22ms] +/- 233ms
^+ ntp2.flashdance.cx 2 6 313 32 +4258us[+4258us] +/- 578ms
^+ ntp3.flashdance.cx 2 6 377 31 +1233us[+1233us] +/- 200ms
^* ntp2.itcompliance.dk 2 6 377 33 +947us[+4528us] +/- 167ms
[root@compute ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
^* controller 3 6 77 23 +886us[+2718us] +/- 169ms
(3) Configure the OpenStack yum repository, /etc/yum.repos.d/openstack.repo
[openstack]
name=openstack mitaka
baseurl=http://mirrors.aliyun.com/centos/7.2.1511/cloud/x86_64/openstack-mitaka/
enabled=1
gpgcheck=0
gpgcheck=0 disables package signature verification and is acceptable for a throwaway lab only; otherwise set gpgcheck=1 and point gpgkey at the repository's signing key.
(4) Install the packages
# yum install mariadb mariadb-server python2-PyMySQL
(yum package names are case-sensitive: python2-PyMySQL, not Python2-PyMySQL)
(5) Create and configure /etc/my.cnf.d/openstack.cnf
[mysqld]
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
skip_name_resolve
(6) Start the service
# systemctl enable mariadb.service
# systemctl start mariadb.service
Then run mysql_secure_installation to set the root password that the later "mysql -u root -p" login relies on and to drop the anonymous accounts.
(7) Install rabbitmq-server
# yum install rabbitmq-server
# systemctl enable rabbitmq-server.service
# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack openstack
# rabbitmqctl set_user_tags openstack administrator
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Two cautions: the password equals the user name here (a lab value; every OpenStack service will carry this password in its own config file), and the administrator tag is not needed by the services at all, it only grants management-plugin rights. The set_permissions line is what the services actually require.
(8) Install memcached
# yum install memcached python-memcached
# systemctl enable memcached.service
# systemctl start memcached.service
memcached has no authentication; bind it to the management address only (OPTIONS="-l 192.168.10.11" in /etc/sysconfig/memcached) rather than every interface.
(9) Disable iptables and SELinux
Edit /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it) and set SELINUX=disabled (the valid value is disabled, not disable).
To take effect immediately (permissive mode until the next reboot):
# getenforce
# setenforce 0
This is a lab shortcut. The install guide keeps SELinux enforcing and installs the openstack-selinux package to supply the policy, and a firewall that admits only the API ports is preferable to switching iptables off.
(10) Set the host names, controller and compute1 respectively
On the controller:
# hostnamectl set-hostname controller
On the compute node:
# hostnamectl set-hostname compute1
2. Install Identity (Keystone)
(1) Create the database, with the following actions:
Use the database access client to connect to the database server as the root user:
$ mysql -u root -p
Create the keystone database:
mysql> CREATE DATABASE keystone;
Grant proper access to the keystone database:
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'keystone';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'keystone';
The password 'keystone' is a lab value; choose a real one. Note also that the '%' grant lets the keystone account log in from any host, so MariaDB must not be reachable from outside the management network.
Check:
SHOW GRANTS FOR 'keystone'@'localhost';
SHOW GRANTS FOR 'keystone'@'%';
(2) Install and configure
1) Install the packages
# yum install openstack-keystone httpd mod_wsgi
# yum install python-openstackclient
2) Configure /etc/keystone/keystone.conf
[DEFAULT]
admin_token = f63285a166ca96ee181c
# temporary bootstrap secret (the install guide generates it with `openssl rand -hex 10`);
# it grants full admin rights without any user or password, so it is removed once the admin user exists
[database]
...
connection = mysql+pymysql://keystone:keystone@controller/keystone
# connection = driver://username:password@hostname/database
# the database password is stored here in plaintext: keep the file root:keystone 0640, as the package installs it
[token]
...
provider = fernet
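As an added example (not code from the page or from the Keystone project), the following Python linter checks the three keystone.conf settings above for the problems a reviewer looks for before this controller goes beyond a lab: a bootstrap admin_token that was never removed, a token provider other than fernet, and a database URL whose password is weak or simply equals the user name. The two configuration bodies are constructed for the example; the hardened one uses a hypothetical password.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the fragment configured on this page.
LAB_CONF = """\
[DEFAULT]
admin_token = f63285a166ca96ee181c
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
[token]
provider = fernet
"""

# Constructed sample: the same fragment after bootstrap clean-up (hypothetical password).
HARDENED_CONF = """\
[DEFAULT]
[database]
connection = mysql+pymysql://keystone:6f1c0a8d4b2e9c7f@controller/keystone
[token]
provider = fernet
"""


def lint_keystone_conf(text):
    """Return a list of (severity, message) findings for a keystone.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # The bootstrap admin_token authenticates as cloud admin with no user or
    # password; once the admin user exists it must go (together with the
    # admin_token_auth filter in keystone-paste.ini).
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("HIGH", "admin_token still set in [DEFAULT]; remove it after bootstrap"))

    # Mitaka defaults to uuid tokens, which are persisted in the database;
    # the page configures fernet, which is what a fresh deployment should use.
    provider = cp.get("token", "provider", fallback="uuid").strip()
    if provider != "fernet":
        findings.append(("MEDIUM", "token provider is %r, expected 'fernet'" % provider))

    conn = cp.get("database", "connection", fallback="").strip()
    if not conn:
        findings.append(("HIGH", "[database] connection is not set"))
        return findings
    url = urlsplit(conn)          # scheme 'mysql+pymysql', username, password, hostname
    if url.scheme != "mysql+pymysql":
        findings.append(("LOW", "unexpected database driver %r" % url.scheme))
    if url.password:
        findings.append(("INFO", "database password is stored in keystone.conf; keep the file root:keystone 0640"))
        if url.password == url.username:
            findings.append(("HIGH", "database password equals the username"))
    return findings


def severities(text):
    """Just the severity column of the findings, in order."""
    return [sev for sev, _ in lint_keystone_conf(text)]


if __name__ == "__main__":
    for name, conf in (("lab", LAB_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for sev, msg in lint_keystone_conf(conf):
            print("  %-6s %s" % (sev, msg))
```

Run it against the real file with `lint_keystone_conf(open("/etc/keystone/keystone.conf").read())`; the lab fragment above yields two HIGH findings (the lingering admin_token and the password that equals the user name), the hardened one only the INFO reminder about file permissions.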
3) Populate the Identity service database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
4) Initialize the Fernet key repository
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
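The key repository that fernet_setup creates (under /etc/keystone/fernet-keys) is the root of trust for every token this controller will issue, so it deserves a check of its own. The Python below is an added example, not the page's or Keystone's code: build_lab_repo() lays a repository out the way fernet_setup does (key 0 staged, key 1 primary, directory 0700, keys 0600), check_repo() verifies that layout, and rotate() models the numbering that keystone-manage fernet_rotate applies (the staged key 0 becomes the new primary, a fresh key 0 is staged, and the oldest secondaries are purged beyond max_active_keys, whose default is 3). The repository is built in a temporary directory owned by the current user, which stands in for the keystone user.

```python
import base64
import os
import stat
import tempfile

FERNET_KEY_BYTES = 32  # a Fernet key is 32 random bytes, urlsafe-base64 encoded


def build_lab_repo(path):
    """Create a repository the way fernet_setup lays it out: key 0 (staged) and key 1 (primary)."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    for number in (0, 1):
        key_path = os.path.join(path, str(number))
        with open(key_path, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(FERNET_KEY_BYTES)))
        os.chmod(key_path, 0o600)


def key_numbers(path):
    """Sorted key numbers in the repository; non-numeric file names are ignored."""
    return sorted(int(name) for name in os.listdir(path) if name.isdigit())


def check_repo(path, owner_uid=None):
    """Return a list of problems; an empty list means the repository looks like fernet_setup left it."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    problems = []
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) != 0o700:
        problems.append("directory mode is %o, expected 700" % stat.S_IMODE(st.st_mode))
    if st.st_uid != owner_uid:
        problems.append("directory is not owned by the keystone user")
    numbers = key_numbers(path)
    if 0 not in numbers:
        problems.append("no staged key 0")
    if len(numbers) < 2:
        problems.append("no primary key (need at least keys 0 and 1)")
    for number in numbers:
        key_path = os.path.join(path, str(number))
        kst = os.stat(key_path)
        if stat.S_IMODE(kst.st_mode) != 0o600:
            problems.append("key %d mode is %o, expected 600" % (number, stat.S_IMODE(kst.st_mode)))
        if kst.st_uid != owner_uid:
            problems.append("key %d is not owned by the keystone user" % number)
        with open(key_path, "rb") as fh:
            raw = fh.read().strip()
        try:
            if len(base64.urlsafe_b64decode(raw)) != FERNET_KEY_BYTES:
                raise ValueError
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("key %d is not a 32-byte urlsafe-base64 Fernet key" % number)
    return problems


def rotate(numbers, max_active_keys=3):
    """Model one fernet_rotate on a list of key numbers and return the numbers left.

    Key 0 (staged) is promoted to the new primary (highest number + 1), a new key 0
    is staged, and the lowest-numbered secondaries are purged until at most
    max_active_keys remain. A token signed by the current primary therefore
    survives exactly one rotation at the default of 3 active keys.
    """
    numbers = sorted(set(numbers))
    if 0 not in numbers:
        raise ValueError("no staged key 0; run fernet_setup first")
    new_primary = max(numbers) + 1
    active = [n for n in numbers if n != 0] + [new_primary, 0]
    while len(active) > max_active_keys:
        purgeable = [n for n in active if n not in (0, new_primary)]
        if not purgeable:
            break
        active.remove(min(purgeable))
    return sorted(active)


def demo_lab_repo():
    """Build a repository, check it, then weaken one key's mode the way a careless copy between nodes would."""
    repo = os.path.join(tempfile.mkdtemp(), "fernet-keys")
    build_lab_repo(repo)
    before = check_repo(repo)
    os.chmod(os.path.join(repo, "1"), 0o644)
    after = check_repo(repo)
    return key_numbers(repo), before, after


if __name__ == "__main__":
    print(demo_lab_repo())
    print(rotate([0, 1]), rotate([0, 1, 2]), rotate([0, 2, 3]))
```

On the real controller call check_repo("/etc/keystone/fernet-keys", owner_uid=pwd.getpwnam("keystone").pw_uid). The rotate() model is the reason rotation frequency matters: rotating more often than the token lifetime invalidates tokens that are still in use.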
5) Configure the Apache HTTP server
Edit /etc/httpd/conf/httpd.conf and set ServerName to the controller node:
ServerName controller
Create /etc/httpd/conf.d/keystone.conf with the following content (port 5000 serves the public API, 35357 the admin API; 35357 should be reachable from the management network only):
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
# systemctl enable httpd
# systemctl start httpd
6) Configure the service entity and API endpoints
The Identity service provides a catalog of services and their locations. Each service that you add to your
OpenStack environment
Export the bootstrap credentials: OS_TOKEN is the admin_token value from keystone.conf and OS_URL is the admin API. Together they bypass users and passwords entirely, so they serve this bootstrap step only and are unset afterwards.
$ export OS_TOKEN=f63285a166ca96ee181c
$ export OS_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Create the service entity for the Identity service:
$ openstack service create \
--name keystone --description "OpenStack Identity" identity
[root@localhost ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 28324912b51c42ea868623bf1c918875 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
Create the Identity service API endpoints:
$ openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | f896e8b118fb4b83b177662afec6ee71 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1949e1778ffa4d589a7b707e832d9c86 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | eb3dcf9db6cb439cbff45a9c5cdb884e |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 28324912b51c42ea868623bf1c918875 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
7) The Identity service provides authentication services for each OpenStack service.
The authentication service uses a combination of domains, projects (tenants), users, and
roles.
Create the default domain:
$ openstack domain create --description "Default Domain" default
[root@localhost ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 82ffd4c577bd4621967b12dd595b042f |
| name | default |
+-------------+----------------------------------+
Create the admin project:
$ openstack project create --domain default \
--description "Admin Project" admin
[root@localhost ~]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 1ad1c008ea354c6abed93183b47a9643 |
| is_domain | False |
| name | admin |
| parent_id | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+
Create the admin user (the password typed here, admin, is a lab value; use a strong one in any real deployment):
$ openstack user create --domain default \
--password-prompt admin
[root@localhost ~]# openstack user create --domain default \
> --password-prompt admin
User Password: admin
Repeat User Password: admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 1182b6dc17a94bac9e8630f76ec55194 |
| name | admin |
+-----------+----------------------------------+
Create the admin role:
$ openstack role create admin
[root@localhost ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 71ebf5ea73344c348afe5f7a3490ff04 |
| name | admin |
+-----------+----------------------------------+
Add the admin role to the admin project and user:
$ openstack role add --project admin --user admin admin
Create the service project:
$ openstack project create --domain default \
--description "Service Project" service
[root@localhost ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 77ac0350c78d405db0a593ee14fc579c |
| is_domain | False |
| name | service |
| parent_id | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+
Create the demo project:
$ openstack project create --domain default \
--description "Demo Project" demo
[root@localhost ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 5cb6675efb81411b919a83a9623cd804 |
| is_domain | False |
| name | demo |
| parent_id | 82ffd4c577bd4621967b12dd595b042f |
+-------------+----------------------------------+
Create the demo user:
$ openstack user create --domain default \
--password-prompt demo
[root@localhost ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 82ffd4c577bd4621967b12dd595b042f |
| enabled | True |
| id | 2edf64b6bc4e43c3b5e46914c56bd5bb |
| name | demo |
+-----------+----------------------------------+
Create the user role:
$ openstack role create user
[root@localhost ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 1e870f8b258644059e27ebc7c4b08ea4 |
| name | user |
+-----------+----------------------------------+
Add the user role to the demo project and user:
$ openstack role add --project demo --user demo user
8) Create the client environment scripts
The token-based variables used so far must not be set when authenticating with a password, so unset them first:
$ unset OS_TOKEN OS_URL
demo-openrc (replace DEMO_PASS with the password chosen for the demo user above):
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
admin-openrc has the same form with OS_PROJECT_NAME=admin, OS_USERNAME=admin, the admin password, and OS_AUTH_URL=http://controller:35357/v3.
Using the scripts:
Load admin-openrc to populate the environment variables with the location of the Identity service and the admin project and user credentials:
$ . admin-openrc
Request an authentication token:
[root@localhost ~]# openstack token issue
Once this succeeds, disable the bootstrap token: remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of /etc/keystone/keystone-paste.ini, and delete the admin_token line from keystone.conf.
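What "openstack token issue" does once an openrc file is sourced, written out against the Identity v3 API as an added example (not code from the page or from python-openstackclient): build_auth_request() turns the OS_* variables into the POST /v3/auth/tokens body (password method, project scope), parse_token_response() pulls the token out of the X-Subject-Token header and the catalog out of the body, and missing_identity_interfaces() confirms that the public, internal and admin endpoints registered in step 6 are all present. The response is constructed for the example; its IDs are the ones shown on this page and the token value is a placeholder. issue_token() is the live version for a real controller and is the only function that touches the network.

```python
import json
import os
import urllib.request

# Constructed: the demo-openrc variables from this page, used in place of os.environ when testing.
DEMO_OPENRC = {
    "OS_PROJECT_DOMAIN_NAME": "default",
    "OS_USER_DOMAIN_NAME": "default",
    "OS_PROJECT_NAME": "demo",
    "OS_USERNAME": "demo",
    "OS_PASSWORD": "DEMO_PASS",
    "OS_AUTH_URL": "http://controller:5000/v3",
}

EXPECTED_INTERFACES = {"public", "internal", "admin"}


def build_auth_request(env):
    """Return (url, body) for POST /v3/auth/tokens: password method, project scope."""
    body = {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": env["OS_USERNAME"],
                "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                "password": env["OS_PASSWORD"],
            }},
        },
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
        }},
    }}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body


def parse_token_response(headers, body):
    """Extract what `openstack token issue` prints, plus the identity endpoints from the catalog.

    The token itself travels in the X-Subject-Token header, not in the JSON body,
    so a caller that only parses the body never sees it.
    """
    token = next((v for k, v in headers.items() if k.lower() == "x-subject-token"), None)
    if token is None:
        raise ValueError("response carries no X-Subject-Token header")
    tok = body["token"]
    identity = {}
    for svc in tok.get("catalog", []):
        if svc.get("type") == "identity":
            for ep in svc.get("endpoints", []):
                identity[ep["interface"]] = ep["url"]
    return {
        "id": token,
        "expires": tok["expires_at"],
        "project_id": tok["project"]["id"],
        "user_id": tok["user"]["id"],
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
        "identity_endpoints": identity,
    }


def missing_identity_interfaces(parsed):
    """Which of public/internal/admin the catalog lacks (should be none after step 6)."""
    return sorted(EXPECTED_INTERFACES - set(parsed["identity_endpoints"]))


def issue_token(env=None):
    """Live version: POST to the controller named in env (default: the sourced openrc in os.environ)."""
    url, body = build_auth_request(os.environ if env is None else env)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError 401 on a bad password
        return parse_token_response(dict(resp.headers), json.load(resp))


# Constructed sample response; the IDs are those shown on this page, the token value is a placeholder.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-placeholder-fernet-token", "Content-Type": "application/json"}
SAMPLE_BODY = {"token": {
    "expires_at": "2016-06-01T13:00:00.000000Z",
    "user": {"id": "2edf64b6bc4e43c3b5e46914c56bd5bb", "name": "demo"},
    "project": {"id": "5cb6675efb81411b919a83a9623cd804", "name": "demo"},
    "roles": [{"id": "1e870f8b258644059e27ebc7c4b08ea4", "name": "user"}],
    "catalog": [{"type": "identity", "name": "keystone", "id": "28324912b51c42ea868623bf1c918875",
                 "endpoints": [
                     {"id": "f896e8b118fb4b83b177662afec6ee71", "interface": "public",
                      "region": "RegionOne", "url": "http://controller:5000/v3"},
                     {"id": "1949e1778ffa4d589a7b707e832d9c86", "interface": "internal",
                      "region": "RegionOne", "url": "http://controller:5000/v3"},
                     {"id": "eb3dcf9db6cb439cbff45a9c5cdb884e", "interface": "admin",
                      "region": "RegionOne", "url": "http://controller:35357/v3"}]}],
}}

if __name__ == "__main__":
    parsed = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(parsed["id"], parsed["roles"], missing_identity_interfaces(parsed))
```

Two points the CLI output hides: the request body carries the password in clear, which is why OS_AUTH_URL should be https in anything beyond a lab, and the token in the response header is a bearer credential valid until expires_at, so it must be treated with the same care as the password that produced it.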