The main functions of Keystone are as follows:
1. Manage users and their permissions;
2. Maintain the Endpoints of the OpenStack services;
3. Authentication and authorization.
4.1 configure Keystone database
#Create the database on any control node (it is replicated to the other nodes automatically); controller160 is used as the example;
#Log in to the database as root:
mysql -u root -p
#Create the keystone database:
CREATE DATABASE keystone;
#Grant access to the keystone database, flush privileges and exit:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone.123';
flush privileges;
exit
4.2 install and configure Keystone - all controllers
#Install the corresponding packages
#If you want to access Keystone over https, you also need to install mod_ssl
yum install openstack-keystone httpd python3-mod_wsgi -y
#Back up the Keystone configuration file and strip comments and blank lines
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
egrep -v "^$|^#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
#Configure the Keystone configuration file; add the following fields under the corresponding sections
#vim /etc/keystone/keystone.conf
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller160:11211,controller161:11211,controller162:11211
[database]
connection = mysql+pymysql://keystone:keystone.123@controller160/keystone
[token]
provider = fernet
#Populate the Keystone database and initialize the Fernet and credential key repositories; no output means success
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
#Verify that the keystone database was written properly:
mysql -h controller160 -ukeystone -pkeystone.123 -e "use keystone;show tables;"
#Sync the Fernet keys
#Synchronize the key repositories to the controller161 / controller162 nodes
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.16.1.161:/etc/keystone/
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.16.1.162:/etc/keystone/
#After synchronization, fix the ownership of the keys on the controller161 / controller162 nodes
[root@controller161 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller161 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
[root@controller162 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller162 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
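As an added check (not from the original post), the following script verifies a synced key directory on a controller: the directory must be mode 700 and every key file mode 600, all owned by the keystone user, and it prints a fingerprint of the keys so the three nodes can be compared after the scp. It assumes GNU stat as shipped with CentOS 8; the directory and the expected owner are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: verify a synced keystone key
# directory (fernet-keys or credential-keys) on a controller node.
# Assumes GNU stat as shipped with CentOS 8. Usage:
#   sh check_keys.sh /etc/keystone/fernet-keys keystone

# check_key_dir DIR OWNER: directory must be mode 700 and every key file
# mode 600, all owned by OWNER. Prints each violation, returns 1 if any.
check_key_dir() {
    dir=$1
    owner=$2
    rc=0
    dmode=$(stat -c '%a' "$dir") || return 2
    downer=$(stat -c '%U' "$dir")
    [ "$dmode" = "700" ] || { echo "BAD: $dir has mode $dmode, want 700"; rc=1; }
    [ "$downer" = "$owner" ] || { echo "BAD: $dir owned by $downer, want $owner"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        fowner=$(stat -c '%U' "$f")
        [ "$fmode" = "600" ] || { echo "BAD: $f has mode $fmode, want 600"; rc=1; }
        [ "$fowner" = "$owner" ] || { echo "BAD: $f owned by $fowner, want $owner"; rc=1; }
    done
    return $rc
}

# key_fingerprint DIR: hash of all key files in numeric order (0, 1, 2, ...).
# Run it on each controller after the scp; the values must be identical,
# otherwise a token issued by one node is rejected by the others.
key_fingerprint() {
    dir=$1
    for name in $(ls "$dir" | sort -n); do
        cat "$dir/$name"
    done | sha256sum | cut -d' ' -f1
}

if [ $# -ge 2 ]; then
    check_key_dir "$1" "$2" && echo "OK: $1 permissions"
    echo "fingerprint: $(key_fingerprint "$1")"
fi
```

Run it on each of the three controllers against both /etc/keystone/fernet-keys and /etc/keystone/credential-keys after the chown step; a differing fingerprint means the scp did not copy the same key set.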
#Bootstrap the Identity service; the admin password is set to admin.123 here
#Note: the host name of the VIP is used here
keystone-manage bootstrap --bootstrap-password admin.123 \
  --bootstrap-admin-url http://controller168:5000/v3/ \
  --bootstrap-internal-url http://controller168:5000/v3/ \
  --bootstrap-public-url http://controller168:5000/v3/ \
  --bootstrap-region-id RegionOne
4.3 configure the HTTP server
#On all control nodes; controller160 is used as the example;
[root@controller160 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller160 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
#Note that each node binds to its own IP address
[root@controller160 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.160:80/g" /etc/httpd/conf/httpd.conf
[root@controller161 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.161:80/g" /etc/httpd/conf/httpd.conf
[root@controller162 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.162:80/g" /etc/httpd/conf/httpd.conf
#On all control nodes, create the soft link
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
#On all control nodes; controller160 is used as the example
systemctl enable httpd.service
systemctl restart httpd.service
[root@controller160 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-18 11:06:37 CST; 25s ago
     Docs: man:httpd.service(8)
 Main PID: 195414 (httpd)
   Status: "Total requests: 10; Idle/Busy workers 99/1;Requests/sec: 0.526; Bytes served/sec: 133 B/sec"
    Tasks: 298 (limit: 11490)
   Memory: 271.7M
   CGroup: /system.slice/httpd.service
           ├─195414 /usr/sbin/httpd -DFOREGROUND
           ├─195415 /usr/sbin/httpd -DFOREGROUND
           ├─195416 (wsgi:keystone- -DFOREGROUND
           ├─195417 (wsgi:keystone- -DFOREGROUND
           ├─195418 (wsgi:keystone- -DFOREGROUND
           ├─195419 (wsgi:keystone- -DFOREGROUND
           ├─195420 (wsgi:keystone- -DFOREGROUND
           ├─195421 /usr/sbin/httpd -DFOREGROUND
           ├─195422 /usr/sbin/httpd -DFOREGROUND
           ├─195423 /usr/sbin/httpd -DFOREGROUND
           └─195652 /usr/sbin/httpd -DFOREGROUND

Jun 18 11:06:37 controller160 systemd[1]: Starting The Apache HTTP Server...
Jun 18 11:06:37 controller160 systemd[1]: Started The Apache HTTP Server.
Jun 18 11:06:37 controller160 httpd[195414]: Server configured, listening on: 172.16.1.160 port 5000, 172.16.1.160 port 80
4.4 configure environment variables
#Configure the environment variable file; the password is the admin password set in the bootstrap step above
#vim adminrc.sh
export OS_USERNAME=admin
export OS_PASSWORD=admin.123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller168:5000/v3
export OS_IDENTITY_API_VERSION=3
#Unset the environment variables
#vim unsetadminrc.sh
unset OS_USERNAME
unset OS_PASSWORD
unset OS_PROJECT_NAME
unset OS_USER_DOMAIN_NAME
unset OS_PROJECT_DOMAIN_NAME
unset OS_AUTH_URL
unset OS_IDENTITY_API_VERSION
#Check whether the settings work
#You can also run openstack token issue
[root@controller160 ~]# source adminrc.sh
[root@controller160 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+
#Distribute the scripts to the other control nodes:
[root@controller160 ~]# scp admin-openrc demo-openrc root@172.16.1.161:~/
[root@controller160 ~]# scp admin-openrc demo-openrc root@172.16.1.162:~/
4.6 creating domains, projects, users, and roles
The Identity service provides authentication for every OpenStack service; each service uses a combination of domains, projects, users, and roles.
#The default domain already exists from the keystone-manage bootstrap step. To create a new domain:
openstack domain create --description "An Example Domain" example
#Normal output after execution:
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 70eb130ba9534e07ba908bc3d3761525 |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+
#Create the service project:
openstack project create --domain default --description "Service Project" service
#Execution result:
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1121de199979451ca8f72843b1e20822 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
#Create the user role
openstack role create user
#Output
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 0c19dad2f68b4c99a4e7b0af9dcc7367 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+
#View roles
openstack role list
#Output
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 0c19dad2f68b4c99a4e7b0af9dcc7367 | user   |
| 7bd349df1d734817b41cf1d25fc921c4 | reader |
| c5e6b6b811d84a75bdcc0997f5f76eeb | admin  |
| def5070f95f04b65b3d425cdd6adf4e3 | member |
+----------------------------------+--------+
#View users, roles and role assignments
[root@controller160 ~]# openstack user list
[root@controller160 ~]# openstack role list
[root@controller160 ~]# openstack role assignment list
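An added audit example, not part of the original post: the script below reads the CSV form of openstack role assignment list --names -f csv and lists who holds a given role and in which scope, which is a quicker way to review admin grants on a new cluster than reading the table by hand. The column order Role, User, Group, Project, Domain, System, Inherited (all fields quoted) is an assumption to confirm against your own release; the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit who holds a role, from
# the CSV output of `openstack role assignment list --names -f csv`.
# ASSUMPTION: column order Role,User,Group,Project,Domain,System,Inherited,
# all fields quoted (the CLI default); confirm against your own release.
# Usage on a controller:
#   openstack role assignment list --names -f csv | sh audit_roles.sh admin

# audit_role ROLE: read CSV on stdin, print "user|group X -> scope" per match.
audit_role() {
    awk -v want="$1" -F'","' '
        NR == 1 { next }                          # header row
        {
            sub(/^"/, "", $1); sub(/"$/, "", $NF) # strip the outer quotes
            if ($1 != want) next
            who   = ($2 != "") ? "user " $2 : "group " $3
            scope = ($4 != "") ? "project " $4 : (($5 != "") ? "domain " $5 : "system " $6)
            print who " -> " scope
        }'
}

# Constructed sample rows in the assumed format (not real cluster output).
SAMPLE_CSV='"Role","User","Group","Project","Domain","System","Inherited"
"admin","admin@Default","","admin@Default","","","False"
"admin","glance@Default","","service@Default","","","False"
"member","demo@Default","","demo@Default","","","False"
"admin","","ops@Default","","","all","False"'

# count_role ROLE: number of assignments of ROLE in the sample.
count_role() {
    printf '%s\n' "$SAMPLE_CSV" | audit_role "$1" | wc -l | tr -d ' '
}

if [ $# -ge 1 ]; then
    audit_role "$1"                     # real use: CSV piped on stdin
else
    printf '%s\n' "$SAMPLE_CSV" | audit_role admin
fi
```

Run without arguments it prints the admin holders in the constructed sample; piped real CLI output with a role name as argument it does the same for the cluster, so the list can be reviewed after each service user is granted admin on the service project.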
4.7 add pcs resources
#Operate on any control node;
#Add the openstack-keystone clone resource;
#What pcs actually controls is the httpd service managed by each node's systemd unit
[root@controller160 ~]# pcs resource create openstack-keystone systemd:httpd clone interleave=true
[root@controller160 ~]# pcs resource
  * vip (ocf::heartbeat:IPaddr2): Started controller160
  * Clone Set: lb-haproxy-clone [lb-haproxy]:
    * Started: [ controller160 ]
    * Stopped: [ controller161 controller162 ]
  * Clone Set: openstack-keystone-clone [openstack-keystone]:
    * Started: [ controller160 controller161 controller162 ]
At this point, the Keystone cluster has been deployed. If you find any problems, please contact me for correction. Thank you very much!
4.x summary of problems during deployment
eg1. Package conflict when installing httpd:
[root@controller160 ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Last metadata expiration check: 1:51:25 ago on Thu 18 Jun 2020 08:05:13 AM CST.
Error:
 Problem 1: conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
 Problem 2: package python3-mod_wsgi-4.6.4-4.el8.x86_64 requires httpd-mmn = 20120211x8664, but none of the providers can be installed
  - conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
//Solution: download the package from the Internet and install it
[root@controller160 ~]# rpm -ivh centos-logos-httpd-80.5-2.el8.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:centos-logos-httpd-80.5-2.el8    ################################# [100%]
eg2. httpd fails to start because port 5000 is already bound:
Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:5000
Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:5000
//Solution: vim /usr/share/keystone/wsgi-keystone.conf
//Change Listen 5000 to Listen 172.16.1.160:5000
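As an added example (not from the original post) covering both the Listen changes in 4.3 and the bind error in eg2: a script that reports Apache Listen directives bound to all interfaces (bare port, 0.0.0.0, * or [::]) and rewrites a given port to the node IP the way the post's sed does, so the check can be run on every controller before httpd is restarted. It assumes CentOS-style httpd.conf syntax; the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports Apache Listen directives
# that bind every interface (bare port, 0.0.0.0, * or [::]) and rewrites one
# port to the node IP, which is the fix used for the bind error in eg2.
# Assumes CentOS 8 httpd.conf syntax; the sample files below are constructed.
# Usage: sh listen_check.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf

# wildcard_listens FILE...: print "file: Listen ..." for each wildcard bind.
wildcard_listens() {
    for f in "$@"; do
        awk -v f="$f" '
            /^[ \t]*#/ { next }                       # skip comments
            tolower($1) == "listen" {
                addr = $2
                sub(/:[0-9]+$/, "", addr)             # strip the port part
                if (addr ~ /^[0-9]+$/ || addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                    print f ": " $0
            }' "$f"
    done
}

# rebind_listen FILE PORT IP: change "Listen PORT" to "Listen IP:PORT" in place
# (via a temp file, so it works with both GNU and BSD sed).
rebind_listen() {
    f=$1; port=$2; ip=$3
    sed "s/^Listen[[:space:]]\{1,\}$port\$/Listen $ip:$port/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed sample mirroring the post: httpd.conf already bound to the node
# IP, wsgi-keystone.conf still on a bare "Listen 5000".
make_sample() {
    d=$(mktemp -d)
    printf 'Listen 80\n# Listen 9999\nListen 172.16.1.160:5000\n' > "$d/httpd.conf"
    printf 'Listen 5000\nListen [::]:5001\n' > "$d/wsgi-keystone.conf"
    echo "$d"
}

if [ $# -eq 0 ]; then
    d=$(make_sample)
    wildcard_listens "$d/httpd.conf" "$d/wsgi-keystone.conf"
    rebind_listen "$d/wsgi-keystone.conf" 5000 172.16.1.160
    echo "after rebind:"; wildcard_listens "$d/wsgi-keystone.conf"
else
    wildcard_listens "$@"
fi
```

Without arguments it runs on the constructed sample and shows the bare "Listen 5000" disappearing after the rebind; with file paths it only reports, leaving the rewrite as an explicit step per node, since each controller needs its own IP.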