OpenStack: Keystone installation and deployment

Notes

OpenStack component installation sequence
1. Keystone (Apache)
2. Glance
3. Nova
4. Neutron

When deploying OpenStack components, install the identity service (Keystone) first; it runs under Apache. Once it is installed you can create and manage accounts, and then install the image service (Glance), the compute service (Nova) and the networking service (Neutron).
The compute and networking services are each split into a controller side and a client side, so their controller components are installed on the OpenStack controller node and their client components on the compute nodes where virtual machines are created; the dashboard is installed last. The API of every OpenStack component is served by Apache.
The controller node is responsible for creating and scheduling virtual machines and for managing their lifecycle; the information about each virtual machine it creates is finally recorded in MySQL (MariaDB). Compute nodes have no permission to write to the database; only the controller does. Compute nodes and the controller communicate indirectly through RabbitMQ: both listen on RabbitMQ, the controller publishes the create-instance instruction to a RabbitMQ queue, and the compute node listening on that queue receives the message and creates the virtual machine.

1. Create a database instance and database user

mysql -u root -p
MariaDB [(none)]> create database keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit


2. Install and configure Keystone, the database and Apache

2.1 Install keystone, httpd, mod_wsgi

The mod_wsgi package lets Apache act as a gateway for Python programs. All OpenStack components, including their APIs, are written in Python, but requests arrive at Apache, which forwards them to the Python application for processing. These packages are installed only on the controller node.

[root@ct ~]# yum -y install openstack-keystone httpd mod_wsgi
[root@ct ~]# cp -a /etc/keystone/keystone.conf{,.bak}
[root@ct ~]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
# Access MySQL through the pymysql module: specify the user name and password, the database host name and the database name
[root@ct ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone
# Specify the token provider; the provider is Keystone itself
[root@ct ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
Fernet: a secure message-passing format
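The three openstack-config --set calls above rewrite keys in an INI-style file. As an added example (not part of the original post, and not the openstack-config/crudini tool itself), the POSIX shell functions below do the same job in awk, so you can see exactly what is being changed and read the values back to confirm the edit. The file contents in the demo are constructed, not a real /etc/keystone/keystone.conf.

```shell
#!/bin/sh
# ini_set FILE SECTION KEY VALUE
# Set KEY = VALUE under [SECTION] in an INI-style file (the format
# keystone.conf uses): an existing key in that section is replaced in
# place, a missing key is added at the end of the section, and a missing
# section is appended to the file. The file is created if absent.
# Limitation: VALUE is passed through awk -v, so backslashes are
# interpreted as escapes; the values used here contain none.
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v s="$section" -v k="$key" -v v="$value" '
        # Called when leaving a section or at EOF: if we were inside the
        # target section and never saw the key, add it now.
        function flush() {
            if (insec && !done) { print k " = " v; done = 1 }
        }
        /^[ \t]*\[.*\][ \t]*$/ {                    # a [section] header
            flush()
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            insec = (name == s)
            if (insec) seen = 1
            print; next
        }
        insec && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            print k " = " v; done = 1; next         # replace the existing key
        }
        { print }
        END {
            flush()
            if (!seen) { print "[" s "]"; print k " = " v }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# ini_get FILE SECTION KEY
# Print the value of KEY in [SECTION], or nothing if it is not set.
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[.*\][ \t]*$/ {
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            insec = (name == s); next
        }
        insec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# Demo on a constructed file: apply the two settings from the post and
# read them back.
demo_ini() {
    f=$(mktemp) || return 1
    printf '[DEFAULT]\nlog_dir = /var/log/keystone\n\n[token]\nprovider = uuid\n' > "$f"
    ini_set "$f" database connection 'mysql+pymysql://keystone:KEYSTONE_DBPASS@ct/keystone'
    ini_set "$f" token provider fernet
    echo "token.provider      = $(ini_get "$f" token provider)"
    echo "database.connection = $(ini_get "$f" database connection)"
    rm -f "$f"
}
demo_ini
```

Reading the value back with ini_get after every ini_set is the check worth keeping in a deployment script: a typo in the section name silently creates a new section that Keystone never reads.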

2.2 Initialize the authentication service database

[root@ct ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

2.3 Initialize the fernet key repository

(The following commands generate two keys; the generated keys are placed under the /etc/keystone/ directory and are used to encrypt data)

[root@ct keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@ct keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
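A check a practitioner would run after these two commands, added here as an example and not part of the original post: keystone-manage creates /etc/keystone/fernet-keys (and /etc/keystone/credential-keys) with the directory at mode 0700 and each key file at mode 0600, owned by the keystone user; key 0 is the staged key and the highest-numbered file is the primary key. The function below audits a repository against those expectations. The directory the demo builds is constructed, and the owner is a parameter because the keystone account exists only on the controller.

```shell
#!/bin/sh
# check_fernet_repo DIR [OWNER]
# Audit a Keystone key repository (fernet-keys or credential-keys) as
# keystone-manage lays it out: directory mode 0700, every key file mode
# 0600, files named by integer (0 = staged key, highest = primary key),
# at least two keys, everything owned by OWNER (default: keystone).
# Prints one line per problem and returns 0 only when everything checks out.
check_fernet_repo() {
    dir=$1
    owner=${2:-keystone}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing repository: $dir"
        return 1
    fi
    # -prune stops find at the directory itself; any output means a mismatch
    if [ -n "$(find "$dir" -prune ! -perm 700)" ]; then
        echo "directory mode is not 0700: $dir"
        rc=1
    fi
    if [ -n "$(find "$dir" -prune ! -user "$owner")" ]; then
        echo "directory not owned by $owner: $dir"
        rc=1
    fi
    count=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob did not expand
        name=${f##*/}
        case $name in
            *[!0-9]*)                      # anything that is not a pure integer
                echo "unexpected file in key repository: $f"
                rc=1
                continue ;;
        esac
        count=$((count + 1))
        if [ -n "$(find "$f" -prune ! -perm 600)" ]; then
            echo "key file mode is not 0600: $f"
            rc=1
        fi
        if [ -n "$(find "$f" -prune ! -user "$owner")" ]; then
            echo "key file not owned by $owner: $f"
            rc=1
        fi
    done
    if [ "$count" -lt 2 ]; then
        echo "expected at least 2 keys (staged 0 plus a primary), found $count"
        rc=1
    fi
    return $rc
}

# Demo on a constructed directory (not a real Keystone host): mimic the
# layout keystone-manage fernet_setup produces, audit it, then loosen one
# key's permissions and audit again.
demo_fernet_repo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/fernet-keys"
    printf 'constructed-sample-key-material-0\n' > "$tmp/fernet-keys/0"
    printf 'constructed-sample-key-material-1\n' > "$tmp/fernet-keys/1"
    chmod 700 "$tmp/fernet-keys"
    chmod 600 "$tmp/fernet-keys"/0 "$tmp/fernet-keys"/1
    check_fernet_repo "$tmp/fernet-keys" "$(id -un)" && echo "repository OK"
    chmod 644 "$tmp/fernet-keys/1"         # simulate a world-readable key
    check_fernet_repo "$tmp/fernet-keys" "$(id -un)" || echo "audit flagged the bad key"
    rm -rf "$tmp"
}
demo_fernet_repo
```

On the controller the call is simply check_fernet_repo /etc/keystone/fernet-keys; anyone who can read a key file there can mint or decrypt tokens, which is why the mode check matters as much as the key count.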

2.4 Configure bootstrap identity authentication service

[root@ct ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://ct:5000/v3/ \
--bootstrap-internal-url http://ct:5000/v3/ \
--bootstrap-public-url http://ct:5000/v3/ \
--bootstrap-region-id RegionOne		# specify a region name
# This step initializes OpenStack: it writes the admin user's information into the user table in MySQL, and the URLs and other information into the related tables;
--bootstrap-admin-url http://ct:5000/v3/			# admin-url is the management network (for example the internal OpenStack management network of a public cloud), used to manage scaling or deleting virtual machines; if the public network and the management network were the same network, heavy business traffic could make it impossible to scale virtual machines from the OpenStack controller, so a separate management network is needed;
--bootstrap-internal-url http://ct:5000/v3/			# internal-url is the internal network used for data transfer, e.g. virtual machines accessing storage, databases and middleware such as ZooKeeper; this network must not be reachable from the Internet and is used only inside the enterprise
--bootstrap-public-url http://ct:5000/v3/			# public-url is the public network, accessible to users (for example a public cloud) # this environment has none of these separate networks, so all three share one network
# Port 5000 is the port on which Keystone provides authentication
# A listen entry needs to be added on the haproxy server
# The URLs of the various networks must point to the controller node's domain name, usually the domain name of the haproxy VIP (in high-availability mode)

2.5 Configure Apache HTTP server

[root@ct ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf

2.6 Create a configuration file

# After the mod_wsgi package is installed, the file wsgi-keystone.conf is generated; it configures a virtual host that listens on port 5000. mod_wsgi is the gateway to Python
[root@ct ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

2.7 Turn on the service

[root@ct conf.d]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ct conf.d]# systemctl start httpd

2.8 Configure the environment variables of the administrator account

These environment variables are used when creating roles and projects. Creating roles and projects requires authentication information, so the user name, password and other authentication details are declared through environment variables; OpenStack then treats the session as already logged in and authenticated, and projects and roles can be created. In other words, declaring the admin user's authentication information in environment variables passes it to OpenStack for verification and allows non-interactive operation.

[root@ct ~]# cat >> ~/.bashrc << EOF
export OS_USERNAME=admin			
export OS_PASSWORD=ADMIN_PASS	
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://ct:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

export OS_USERNAME=admin      # console login user name
export OS_PASSWORD=ADMIN_PASS # console login password

[root@ct ~]# source ~/.bashrc

● With the environment variables configured, you can run openstack commands to perform operations; for example:

[root@ct ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 3b11417c481a45768e3e781dcb709e9a | admin |
+----------------------------------+-------+


3. Create OpenStack domains, projects, users, and roles

3.1 Create a project

The project is created in the specified domain with a description; the project name is service (you can query domains with openstack domain list).

[root@ct ~]# openstack project create --domain default --description "Service Project" service 
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | f872e5498b7d4c53b3480ad008f9029f |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+


3.2 Create a role

(You can view roles with openstack role list)

[root@ct ~]# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | e1215745429844a5ad953df5ee4289d0 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+


3.3 View the list of openstack roles

[root@ct ~]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 4f18189b0d1a462687b5deb0139d2052 | user   |
| 8bba366482e3472eaa5a05bf8a899966 | reader |
| 9eebe985b9624f5fafb53fed15d72fcd | member |
| dacde8059d2249cfa93a72652accdc00 | admin  |
+----------------------------------+--------+


admin is the administrator,
member is the tenant,
user is the ordinary user.

3.4 Check whether a token can be obtained without entering a password (verifies the identity service)

[root@ct ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-03-10T12:34:46+0000                                                                                                                                                                |
| id         | gAAAAABgSK7Wt2f_SMo8h1sJww0WBjVWwGxil5Xo2N4vuXNC049p6SbDkLQ25BRg3AXtLvgLIJdIpTuEW7DD71BAyC-qclaYqUlkL3yk_xJ-OPnUhCaUS_QLx9rpuJYNrgECWNhiP0uyLRYY_xcTGSoy3RvQOBdT1p3RzmzP8y-dIZpO1ExE02E |
| project_id | 8d4eaa8194384a8eb17d8934769db7cc                                                                                                                                                        |
| user_id    | 3b11417c481a45768e3e781dcb709e9a                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
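A scripted version of this verification step, added here as an example and not part of the original post: the functions parse the table that openstack token issue prints and compare its expires field with a given UTC timestamp, so a deployment script can confirm that Keystone is issuing tokens and know when the token lapses. The sample table is constructed from the output above, with the token id replaced by placeholder text.

```shell
#!/bin/sh
# token_field TABLE FIELD
# Extract FIELD's value from the two-column "| Field | Value |" table that
# the openstack CLI prints (the table is passed as one string).
token_field() {
    printf '%s\n' "$1" | awk -F'|' -v f="$2" '
        NF >= 3 {                          # data rows; "+----+" rules have NF == 1
            name = $2; val = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == f) { print val; exit }
        }'
}

# token_valid_at TABLE NOW
# Return 0 if the token described by TABLE has not expired at NOW, 1 if it
# has, 2 if the table carries no expires field. NOW must use the same
# "YYYY-MM-DDTHH:MM:SS+0000" UTC form Keystone prints; with fixed width and
# a fixed zone, a plain string comparison orders the timestamps correctly.
token_valid_at() {
    exp=$(token_field "$1" expires)
    [ -n "$exp" ] || return 2
    awk -v n="$2" -v e="$exp" 'BEGIN { exit !(n < e) }'
}

# Constructed sample shaped like the "openstack token issue" output above;
# the id column is abbreviated placeholder text, not a real token.
SAMPLE_TOKEN_TABLE='+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2021-03-10T12:34:46+0000         |
| id         | gAAAAABgSK7W...CONSTRUCTED       |
| project_id | 8d4eaa8194384a8eb17d8934769db7cc |
| user_id    | 3b11417c481a45768e3e781dcb709e9a |
+------------+----------------------------------+'

# Demo: report the expiry and test it against the current time.
echo "token expires at: $(token_field "$SAMPLE_TOKEN_TABLE" expires)"
if token_valid_at "$SAMPLE_TOKEN_TABLE" "$(date -u +%Y-%m-%dT%H:%M:%S+0000)"; then
    echo "token still valid"
else
    echo "token expired"
fi
```

On a live controller, feed the functions the real output, e.g. token_valid_at "$(openstack token issue)" "$(date -u +%Y-%m-%dT%H:%M:%S+0000)"; a non-zero exit there means either Keystone refused to issue a token or the controller's clock and Keystone's expiry disagree, both of which are worth investigating before installing the next service.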


Summary

The Keystone component serves as the unified authentication and authorization module of the OpenStack cluster. Its core function is to manage Users, Tenants, Roles and Tokens (the manual compilation and deployment above revolves around this function).
User: a user of OpenStack.
Tenant: a tenant can be understood as the collection of resources owned by a person, project or organization. A tenant can contain many users, who use the tenant's resources according to their assigned permissions.
Role: used to assign operation permissions. A role can be assigned to a user, giving the user the operation permissions that correspond to the role.
Token: a string of bits or characters used as a credential for accessing resources. A token contains the scope of accessible resources and a validity period. It is a kind of user credential: you obtain it by requesting it from the Keystone service with a correct user name and password.
The approach for building OpenStack by manual deployment:
1. Deploy module by module.
2. Prepare the basic environment for the Keystone module (download dependency packages, component packages and third-party tools/plugins).
3. Create and enable the module's function (taking Keystone as the example: create and initialize the authentication database, modify the configuration file, initialize the fernet key repository, configure the identity service).
4. Verify.


Source: blog.csdn.net/IvyXYW/article/details/114638218