Highly available OpenStack (Queens release) cluster - 4. Keystone cluster

Posted by netonline

References:

  1. Install Guide: https://docs.openstack.org/install-guide/
  2. OpenStack High Availability Guide: https://docs.openstack.org/ha-guide/index.html
  3. Understanding Pacemaker: http://www.cnblogs.com/sammyliu/p/5025362.html
  4. Ceph: http://docs.ceph.com/docs/master/start/intro/

Part 8. Keystone cluster

1. Create the keystone database

# Create the database on any one control node; it is replicated to the other nodes automatically. controller01 is used as the example.
[root@controller01 ~]# mysql -uroot -pmysql_pass
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone_dbpass';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_dbpass';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;

2. Install keystone

# Install keystone on all control nodes; controller01 is used as the example.
[root@controller01 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y

3. Configure keystone.conf

# Configure on all control nodes; controller01 is used as the example.
# The modified settings are the ones listed under [cache], [database] and [token]; every other section is left at its default.
[root@controller01 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller01:11211,controller02:11211,controller03:11211
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:keystone_dbpass@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
[unified_limit]

4. Sync the keystone database

# Run on any one control node
[root@controller01 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

# Verify
[root@controller01 ~]# mysql -h controller01 -ukeystone -pkeystone_dbpass -e "use keystone;show tables;"

5. Initialize the Fernet keys

# Pick any one control node (controller01) to initialize the Fernet keys; the key files and their directories are generated under /etc/keystone/
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# Copy the keys to controller02/03
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@controller02:/etc/keystone/
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@controller03:/etc/keystone/

# After copying, check the ownership and permissions of the keys on controller02/03
[root@controller02 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller02 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R

[root@controller03 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller03 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
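An added check for this step (not from the original post): it fingerprints a key repository such as /etc/keystone/fernet-keys or /etc/keystone/credential-keys and verifies the 600 file mode that keystone-manage sets, so the copies on controller01/02/03 can be compared before httpd is started. Every controller must hold the same key set, otherwise a token issued by one node fails validation on the others; the function names are assumptions, the paths are the post's.

```shell
#!/bin/sh
# Added check, not part of the original post: fingerprint a Keystone key
# repository (fernet-keys or credential-keys) and verify file modes, so the
# copies on controller01/02/03 can be compared before httpd is started.
# Assumes the layout keystone-manage fernet_setup creates: numbered key
# files (0, 1, ...) with mode 600 inside the key directory.

# Print a fingerprint for a key directory: one sha256 over the sorted list
# of "relative-path<TAB>sha256(file content)" lines. Two directories that
# hold the same keys under the same names give the same value, whatever
# the mtimes or the directory listing order are.
fernet_fingerprint() {
    dir=$1
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$f" "$(sha256sum < "$f" | cut -d' ' -f1)"
      done ) | sha256sum | cut -d' ' -f1
}

# Succeed only if every file in the directory has mode exactly 600 and
# list any offender on stderr. A group- or world-readable Fernet key lets
# any local user mint valid tokens, so the mode is checked before the
# copied keys are trusted.
fernet_perms_ok() {
    dir=$1
    bad=$(find "$dir" -type f ! -perm 600)
    if [ -n "$bad" ]; then
        printf 'key files without mode 600:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Compare two key directories; in practice the second fingerprint comes
# from running fernet_fingerprint on another controller (e.g. over ssh).
fernet_match() {
    [ "$(fernet_fingerprint "$1")" = "$(fernet_fingerprint "$2")" ]
}

# Stand-alone usage on a controller (paths from the post):
#   fernet_perms_ok /etc/keystone/fernet-keys && fernet_fingerprint /etc/keystone/fernet-keys
```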

6. Configure httpd.conf

# Configure on all control nodes; controller01 is used as the example.
[root@controller01 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller01 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf

# Note: each node substitutes its own IP address
[root@controller01 ~]# sed -i "s/Listen 80/Listen 172.30.200.31:80/g" /etc/httpd/conf/httpd.conf

[root@controller02 ~]# sed -i "s/Listen 80/Listen 172.30.200.32:80/g" /etc/httpd/conf/httpd.conf

[root@controller03 ~]# sed -i "s/Listen 80/Listen 172.30.200.33:80/g" /etc/httpd/conf/httpd.conf

7. Configure wsgi-keystone.conf

# Do this on all control nodes; controller01 is used as the example.
# Copy the wsgi-keystone.conf file,
# or create a symbolic link to wsgi-keystone.conf instead
[root@controller01 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# Edit wsgi-keystone.conf, substituting each node's own IP address or hostname; controller01 is used as the example
[root@controller01 ~]# sed -i "s/Listen 5000/Listen 172.30.200.31:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/Listen 35357/Listen 172.30.200.31:35357/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:5000/172.30.200.31:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:35357/172.30.200.31:35357/g" /etc/httpd/conf.d/wsgi-keystone.conf

8. Bootstrap the identity service

# Run on any one control node;
# Initializes the admin user (administrative user) and its password, the three API endpoints, the service entity and the region, etc.
[root@controller01 ~]# keystone-manage bootstrap --bootstrap-password admin_pass \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionTest

9. Start the service

# Do this on all control nodes; controller01 is used as the example
[root@controller01 ~]# systemctl enable httpd.service
[root@controller01 ~]# systemctl restart httpd.service
[root@controller01 ~]# systemctl status httpd.service

10. Create domains, projects, users and roles

1) domain

# Projects, users, etc. exist within a domain;
# The "default" domain was created when the admin user was initialized in the "Bootstrap the identity service" step
[root@controller01 ~]# openstack domain list

# To create a new domain:
[root@controller01 ~]# openstack domain create --description "An Example Domain" example
[root@controller01 ~]# openstack domain list

2) projects

# A project belongs to a domain;
# Creating the demo project is used as the example; it belongs to the "default" domain
[root@controller01 ~]# openstack project create --domain default --description "Demo Project" demo

3) users

# A user belongs to a domain;
# Creating the demo user is used as the example; it belongs to the "default" domain
[root@controller01 ~]# openstack user create --domain default --password=demo_pass demo

4) roles

# Create the regular user role (as opposed to the admin user)
[root@controller01 ~]# openstack role create user

# Grant the user role to the demo user in the demo project
[root@controller01 ~]# openstack role add --project demo --user demo user

# Check the role assignments
[root@controller01 ~]# openstack user list
[root@controller01 ~]# openstack role list
[root@controller01 ~]# openstack role assignment list

11. OpenStack client environment scripts

1) admin-openrc

# An OpenStack client environment script defines the environment variables the client uses to call the OpenStack APIs, so that they need not be passed on the command line;
# Different user roles need different scripts;
# Here the admin user defined in the "Bootstrap the identity service" step is used as the example: create its environment script, then distribute it as needed to the nodes that run the OpenStack client tools;
# The script is usually created in the user's home directory
[root@controller01 ~]# touch admin-openrc
[root@controller01 ~]# chmod u+x admin-openrc
[root@controller01 ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_AUTH_URL=http://controller:5000/v3
# For security reasons the admin API is normally not exposed to clients; here the admin API and the public API share one VIP address
# export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

# Verify
[root@controller01 ~]# openstack token issue

2) demo-openrc

# Same as admin-openrc, but note the different project/user/password
[root@controller01 ~]# touch demo-openrc
[root@controller01 ~]# chmod u+x demo-openrc
[root@controller01 ~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo_pass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

# Verify
[root@controller01 ~]# openstack token issue

# Distribute the scripts
[root@controller01 ~]# scp admin-openrc demo-openrc root@controller02:~/
[root@controller01 ~]# scp admin-openrc demo-openrc root@controller03:~/

12. Configure the pcs resource

# Run on any one control node;
# Add the resource openstack-keystone-clone;
# What pcs actually controls is the httpd service managed by each node's systemd unit
[root@controller01 ~]# pcs resource create openstack-keystone systemd:httpd --clone interleave=true
[root@controller01 ~]# pcs resource