4 Openstack-Ussuri-Keystone cluster deployment-centos8

Posted by Sooz719 on Thu, 18 Jun 2020 05:36:15 +0200

The main functions of Keystone are as follows:
1. Manage users and their permissions;
2. Maintain the endpoints of the OpenStack services;
3. Authentication and authorization.

4.1 configure Keystone database

#Create the database on any control node; the cluster replicates it automatically. controller160 is used as the example.
#Log in to the database as root:

mysql -u root -p

#To create a keystone database:

CREATE DATABASE keystone;

#Grant access to the keystone database, then flush privileges and exit:

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone.123';
flush privileges;
exit

4.2 install and configure Keystone - ALL Controller

#Install the required packages
#To serve Keystone over https, mod_ssl must also be installed

yum install openstack-keystone httpd python3-mod_wsgi -y

#Back up the Keystone configuration file and strip blank and comment lines from the working copy

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
egrep -v "^$|^#" /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf

#Configure the Keystone configuration file by adding the following settings under the corresponding sections
#vim /etc/keystone/keystone.conf

[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller160:11211,controller161:11211,controller162:11211
[database]
connection = mysql+pymysql://keystone:keystone.123@controller160/keystone
[token]
provider = fernet

#Populate the Keystone database and initialize the Fernet and credential key repositories. No output means success.

su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

#Verify that the keystone database is written properly:

mysql -h controller160 -ukeystone -pkeystone.123 -e "use keystone;show tables;"

#Sync the Fernet and credential keys

# Copy the key repositories from controller160 to the controller161 / 162 nodes
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.16.1.161:/etc/keystone/
[root@controller160 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@172.16.1.162:/etc/keystone/

# After synchronization, fix the ownership of the key repositories on the controller161/162 nodes (scp as root leaves them owned by root)
[root@controller161 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller161 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R

[root@controller162 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller162 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
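
After the copy, a practitioner usually wants to confirm on every node that the keys landed with the right ownership and mode, and that all three controllers hold an identical key set: a token issued by one controller only validates on another if both have the same Fernet keys. The script below is an added example written for this post, not part of the original text or of the Keystone project. It assumes the repository layout that keystone-manage fernet_setup / credential_setup create (numbered key files, directory mode 700, key files mode 600, owned by the keystone user) and GNU coreutils (stat -c, sha256sum) as shipped with CentOS 8. The function names check_key_repo, key_repo_fingerprint and demo_key_repo_check are this example's own; the demo works on constructed stand-in directories and never touches /etc/keystone.

```shell
# Added example for this post (not from the original text or from Keystone):
# checks on a synchronized key repository. Assumed layout is the one that
# keystone-manage fernet_setup / credential_setup create: numbered key files,
# directory mode 700, key files mode 600, all owned by the keystone user.
# Requires GNU coreutils (stat -c, sha256sum), as on CentOS 8.

# check_key_repo DIR OWNER
#   OWNER may be a user name (keystone) or a numeric uid. Prints every
#   problem found and returns 0 only when ownership and modes are correct
#   and at least one key file exists.
check_key_repo() {
    dir=$1
    owner=$2
    rc=0
    case $owner in
        *[!0-9]*) uid=$(id -u "$owner" 2>/dev/null) || { echo "no such user: $owner"; return 1; } ;;
        *) uid=$owner ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "missing key repository: $dir"
        return 1
    fi
    if [ "$(stat -c %u "$dir")" != "$uid" ]; then
        echo "$dir: owned by uid $(stat -c %u "$dir"), expected $owner"
        rc=1
    fi
    if [ "$(stat -c %a "$dir")" != "700" ]; then
        echo "$dir: mode $(stat -c %a "$dir"), expected 700"
        rc=1
    fi
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        if [ "$(stat -c %u "$f")" != "$uid" ]; then
            echo "$f: owned by uid $(stat -c %u "$f"), expected $owner"
            rc=1
        fi
        if [ "$(stat -c %a "$f")" != "600" ]; then
            echo "$f: mode $(stat -c %a "$f"), expected 600"
            rc=1
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "$dir: contains no key files"
        rc=1
    fi
    return $rc
}

# key_repo_fingerprint DIR
#   One hash over the names and contents of all key files, so repositories
#   on different nodes can be compared as a single string. A token issued
#   by one controller only validates on another if both hold the same keys.
key_repo_fingerprint() {
    (cd "$1" && sha256sum -- * | sha256sum | cut -d' ' -f1)
}

# demo_key_repo_check
#   Exercises both functions on constructed stand-ins for
#   /etc/keystone/fernet-keys from two nodes (no real keys are touched).
demo_key_repo_check() {
    me=$(id -u)
    node_a=$(mktemp -d)
    node_b=$(mktemp -d)
    for d in "$node_a" "$node_b"; do
        chmod 700 "$d"
        for k in 0 1; do
            printf 'constructed-key-%s\n' "$k" > "$d/$k"   # constructed key material
            chmod 600 "$d/$k"
        done
    done
    check_key_repo "$node_a" "$me" || return 1
    # identical repositories give identical fingerprints
    [ "$(key_repo_fingerprint "$node_a")" = "$(key_repo_fingerprint "$node_b")" ] || return 1
    # a key file left readable by others must be reported
    chmod 644 "$node_b/1"
    if check_key_repo "$node_b" "$me" >/dev/null; then return 1; fi
    # a key present on one node only changes that node's fingerprint
    printf 'constructed-key-2\n' > "$node_b/2"
    [ "$(key_repo_fingerprint "$node_a")" != "$(key_repo_fingerprint "$node_b")" ] || return 1
    rm -rf "$node_a" "$node_b"
    echo "key repository checks behave as expected"
}
```

On a live cluster, run check_key_repo /etc/keystone/fernet-keys keystone and the same for /etc/keystone/credential-keys on each controller, then compare the key_repo_fingerprint output of the three nodes (for example over ssh to root@172.16.1.161 and root@172.16.1.162). Differing fingerprints mean the scp step was missed on a node or a later keystone-manage fernet_rotate ran on one node only; tokens issued by that node will then fail validation on the others.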

#Bootstrap the Identity service; the admin password is set to admin.123
#Note: the VIP hostname (controller168) is used for the endpoint URLs

keystone-manage bootstrap --bootstrap-password admin.123 \
  --bootstrap-admin-url http://controller168:5000/v3/ \
  --bootstrap-internal-url http://controller168:5000/v3/ \
  --bootstrap-public-url http://controller168:5000/v3/ \
  --bootstrap-region-id RegionOne

4.3 configure Http Server

#On all control nodes; controller160 is used as the example

[root@controller160 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller160 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf

#Each node substitutes its own IP address

[root@controller160 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.160:80/g" /etc/httpd/conf/httpd.conf

[root@controller161 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.161:80/g" /etc/httpd/conf/httpd.conf

[root@controller162 ~]# sed -i "s/Listen\ 80/Listen\ 172.16.1.162:80/g" /etc/httpd/conf/httpd.conf

#On all control nodes, create the symbolic link

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

#On all control nodes; controller160 is used as the example

systemctl enable httpd.service
systemctl restart httpd.service
[root@controller160 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-06-18 11:06:37 CST; 25s ago
     Docs: man:httpd.service(8)
 Main PID: 195414 (httpd)
   Status: "Total requests: 10; Idle/Busy workers 99/1;Requests/sec: 0.526; Bytes served/sec: 133 B/sec"
    Tasks: 298 (limit: 11490)
   Memory: 271.7M
   CGroup: /system.slice/httpd.service
           ├─195414 /usr/sbin/httpd -DFOREGROUND
           ├─195415 /usr/sbin/httpd -DFOREGROUND
           ├─195416 (wsgi:keystone- -DFOREGROUND
           ├─195417 (wsgi:keystone- -DFOREGROUND
           ├─195418 (wsgi:keystone- -DFOREGROUND
           ├─195419 (wsgi:keystone- -DFOREGROUND
           ├─195420 (wsgi:keystone- -DFOREGROUND
           ├─195421 /usr/sbin/httpd -DFOREGROUND
           ├─195422 /usr/sbin/httpd -DFOREGROUND
           ├─195423 /usr/sbin/httpd -DFOREGROUND
           └─195652 /usr/sbin/httpd -DFOREGROUND

Jun 18 11:06:37 controller160 systemd[1]: Starting The Apache HTTP Server...
Jun 18 11:06:37 controller160 systemd[1]: Started The Apache HTTP Server.
Jun 18 11:06:37 controller160 httpd[195414]: Server configured, listening on: 172.16.1.160 port 5000, 172.16.1.160 port 80

4.4 configure environment variables

#Create the environment variable file; the admin password is the one set in the bootstrap step above
#vim adminrc.sh

export OS_USERNAME=admin
export OS_PASSWORD=admin.123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller168:5000/v3
export OS_IDENTITY_API_VERSION=3

#Unset the environment variables
#vim unsetadminrc.sh

unset OS_USERNAME
unset OS_PASSWORD
unset OS_PROJECT_NAME
unset OS_USER_DOMAIN_NAME
unset OS_PROJECT_DOMAIN_NAME
unset OS_AUTH_URL
unset OS_IDENTITY_API_VERSION

#Check that the settings work
#openstack token issue can also be used

[root@controller160 ~]# source adminrc.sh
[root@controller160 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+

#Distribute the scripts to the other control nodes:

[root@controller160 ~]# scp admin-openrc demo-openrc root@172.16.1.161:~/
[root@controller160 ~]# scp admin-openrc demo-openrc root@172.16.1.162:~/
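
Because adminrc.sh carries the admin password in clear text and is copied to every controller, a small preflight check is worth running on each node: it confirms the file is not readable by other users, that every variable the openstack client needs is set and non-empty, and that OS_AUTH_URL ends in /v3 when OS_IDENTITY_API_VERSION is 3 (the form the post uses). The script below is an added example, not from the post or the OpenStack client; it assumes GNU stat (-c) as on CentOS 8, the function names check_openrc and demo_check_openrc are this example's own, and the demo runs against constructed files with a placeholder password in a temporary directory.

```shell
# Added example for this post (not from the original text or the OpenStack
# client): preflight check for an openrc file such as adminrc.sh. Requires
# GNU stat (-c), as on CentOS 8.

# check_openrc FILE
#   Verifies that FILE is not readable by other users (it holds the admin
#   password), that every variable the openstack client needs is set and
#   non-empty, and that OS_AUTH_URL ends in /v3 when OS_IDENTITY_API_VERSION
#   is 3 (the form the post uses). Prints problems; returns 0 if clean.
#   FILE is sourced in a subshell, so the caller's environment is untouched.
check_openrc() {
    file=$1
    rc=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file"
        return 1
    fi
    # "." searches PATH for names without a slash; force a path
    case $file in */*) ;; *) file=./$file ;; esac
    case $(stat -c %a "$file") in
        *[4-7]) echo "$file: readable by other users (chmod 600 it)"; rc=1 ;;
    esac
    (
        . "$file"
        bad=0
        for v in OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
                 OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION; do
            eval "val=\${$v:-}"
            if [ -z "$val" ]; then
                echo "$file: $v is not set"
                bad=1
            fi
        done
        if [ "${OS_IDENTITY_API_VERSION:-}" = 3 ]; then
            case ${OS_AUTH_URL:-} in
                */v3|*/v3/) ;;
                *) echo "$file: OS_AUTH_URL should end in /v3 for identity API version 3"; bad=1 ;;
            esac
        fi
        exit $bad
    ) || rc=1
    return $rc
}

# demo_check_openrc
#   Runs the check on a constructed copy of the post's adminrc.sh (placeholder
#   password) and on a deliberately broken variant.
demo_check_openrc() {
    tmp=$(mktemp -d)
    good=$tmp/adminrc.sh
    bad=$tmp/badrc.sh
    printf '%s\n' \
        'export OS_USERNAME=admin' \
        'export OS_PASSWORD=CONSTRUCTED-PLACEHOLDER' \
        'export OS_PROJECT_NAME=admin' \
        'export OS_USER_DOMAIN_NAME=Default' \
        'export OS_PROJECT_DOMAIN_NAME=Default' \
        'export OS_AUTH_URL=http://controller168:5000/v3' \
        'export OS_IDENTITY_API_VERSION=3' > "$good"
    chmod 600 "$good"
    check_openrc "$good" || return 1
    # world-readable, password missing, auth URL without /v3: all reported
    sed -e '/OS_PASSWORD/d' -e 's#/v3$##' "$good" > "$bad"
    chmod 644 "$bad"
    if check_openrc "$bad" >/dev/null; then return 1; fi
    rm -rf "$tmp"
    echo "openrc checks behave as expected"
}
```

Run check_openrc adminrc.sh on each controller after the scp step; the mode check matters most there, since scp preserves neither ownership nor a restrictive umask by default and a 644 file in root's home exposes the admin password to any local account.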

4.6 creating domains, projects, users, and roles

The Identity service authenticates each OpenStack service using a combination of domains, projects, users, and roles.

#The keystone-manage bootstrap step already created the default domain. To create a new domain:

openstack domain create --description "An Example Domain" example

#Expected output:

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 70eb130ba9534e07ba908bc3d3761525 |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

#Create the service project:

openstack project create --domain default --description "Service Project" service

#Execution result:

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1121de199979451ca8f72843b1e20822 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

#Create user role

openstack role create user

#Output

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 0c19dad2f68b4c99a4e7b0af9dcc7367 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+

#View roles

openstack role list

#Output

+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 0c19dad2f68b4c99a4e7b0af9dcc7367 | user   |
| 7bd349df1d734817b41cf1d25fc921c4 | reader |
| c5e6b6b811d84a75bdcc0997f5f76eeb | admin  |
| def5070f95f04b65b3d425cdd6adf4e3 | member |
+----------------------------------+--------+

#View users, roles and role assignments

[root@controller160 ~]# openstack user list
[root@controller160 ~]# openstack role list
[root@controller160 ~]# openstack role assignment list

4.7 add pcs resources

#Operate on any control node;
#Add the openstack-keystone clone resource;
#What pcs actually controls is each node's httpd systemd unit

[root@controller160 ~]# pcs resource create openstack-keystone systemd:httpd clone interleave=true
[root@controller160 ~]# pcs resource
  * vip	(ocf::heartbeat:IPaddr2):	Started controller160
  * Clone Set: lb-haproxy-clone [lb-haproxy]:
    * Started: [ controller160 ]
    * Stopped: [ controller161 controller162 ]
  * Clone Set: openstack-keystone-clone [openstack-keystone]:
    * Started: [ controller160 controller161 controller162 ]

At this point, the Keystone cluster has been deployed. If you have any problems, please contact me for correction. Thank you very much!

4.x deployment process problems summary

eg1. [root@controller160 ~]# yum install openstack-keystone httpd python3-mod_wsgi -y
Repository AppStream is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository PowerTools is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Last metadata expiration check: 1:51:25 ago on Thu 18 Jun 2020 08:05:13 AM CST.
Error:
 Problem 1: conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
 Problem 2: package python3-mod_wsgi-4.6.4-4.el8.x86_64 requires httpd-mmn = 20120211x8664, but none of the providers can be installed
  - conflicting requests
  - nothing provides system-logos-httpd needed by httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
//Solution: download the centos-logos-httpd package from the Internet and install it manually
[root@controller160 ~]# rpm -ivh centos-logos-httpd-80.5-2.el8.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:centos-logos-httpd-80.5-2.el8    ################################# [100%]

eg2. Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:5000
Jun 18 11:03:40 controller160 httpd[194455]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:5000
//Solution:
vim /usr/share/keystone/wsgi-keystone.conf
//Change Listen 5000 to Listen 172.16.1.160:5000 (each node uses its own address, as in 4.3)
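
The sed commands in 4.3 and the fix for eg2 are the same operation applied to two files: bind each Listen directive to the node's own address so that httpd does not claim 0.0.0.0 / [::] on a port that something else on the node (presumably the HAProxy clone that fronts the VIP, visible in the pcs output) also uses. The script below is an added example, not code from the post. It generalizes the sed to any bare "Listen PORT" line in httpd.conf or wsgi-keystone.conf, leaves lines that already carry an address or are commented out untouched, is safe to run twice, and adds a check that reports any wildcard Listen still present. It assumes GNU sed (-i -E) as on CentOS 8; the function names bind_listen, listen_lines, wildcard_listens and demo_bind_listen are this example's own, and the demo works on constructed fragments in a temporary directory rather than the real /etc/httpd/conf/httpd.conf or /usr/share/keystone/wsgi-keystone.conf.

```shell
# Added example for this post (not from the original text or from the
# Keystone/httpd packages): bind Apache Listen directives to one address.
# Generalizes the post's sed commands to any bare "Listen PORT" line in
# httpd.conf or wsgi-keystone.conf. Requires GNU sed (-i -E), as on CentOS 8.

# bind_listen FILE IP
#   Rewrite every "Listen PORT" in FILE to "Listen IP:PORT". Lines that
#   already carry an address, and commented-out lines, are left unchanged,
#   so running it twice does not produce "IP:IP:PORT". A .bak copy is kept,
#   as the post does for httpd.conf.
bind_listen() {
    file=$1
    ip=$2
    cp -p "$file" "$file.bak"
    sed -i -E "s/^(Listen[[:space:]]+)([0-9]+)[[:space:]]*$/\1${ip}:\2/" "$file"
}

# listen_lines FILE
#   Print the active (uncommented) Listen directives of FILE.
listen_lines() {
    grep -E '^Listen[[:space:]]' "$1" || true
}

# wildcard_listens FILE
#   Print Listen directives that still bind every address (a bare port,
#   0.0.0.0:PORT or [::]:PORT) and return 1 if any exist; these are the
#   binds that collide with another service on the same port, which is the
#   AH00072 "Address already in use" error shown in eg2.
wildcard_listens() {
    if grep -E '^Listen[[:space:]]+([0-9]+|0\.0\.0\.0:[0-9]+|\[::]:[0-9]+)[[:space:]]*$' "$1"; then
        return 1
    fi
    return 0
}

# demo_bind_listen
#   Works on constructed fragments of the two files in a temporary directory.
demo_bind_listen() {
    ip=172.16.1.160
    tmp=$(mktemp -d)
    printf '#Listen 12.34.56.78:80\nListen 80\n' > "$tmp/httpd.conf"
    printf 'Listen 5000\n<VirtualHost *:5000>\n</VirtualHost>\n' > "$tmp/wsgi-keystone.conf"
    # before: both files bind every address
    if wildcard_listens "$tmp/httpd.conf" >/dev/null; then return 1; fi
    bind_listen "$tmp/httpd.conf" "$ip"
    bind_listen "$tmp/wsgi-keystone.conf" "$ip"
    bind_listen "$tmp/httpd.conf" "$ip"   # second run is a no-op
    [ "$(listen_lines "$tmp/httpd.conf")" = "Listen $ip:80" ] || return 1
    [ "$(listen_lines "$tmp/wsgi-keystone.conf")" = "Listen $ip:5000" ] || return 1
    grep -q '^#Listen 12.34.56.78:80$' "$tmp/httpd.conf" || return 1
    wildcard_listens "$tmp/httpd.conf" || return 1
    wildcard_listens "$tmp/wsgi-keystone.conf" || return 1
    # an explicit 0.0.0.0 bind is still flagged
    printf 'Listen 0.0.0.0:5000\n' > "$tmp/bad.conf"
    if wildcard_listens "$tmp/bad.conf" >/dev/null; then return 1; fi
    rm -rf "$tmp"
    echo "Listen directives bound to $ip"
}
```

On each node, run bind_listen /etc/httpd/conf/httpd.conf NODE_IP and bind_listen /usr/share/keystone/wsgi-keystone.conf NODE_IP with that node's own address (172.16.1.160, .161 or .162), then wildcard_listens on both files before systemctl restart httpd.service. One caveat on the post's layout: because /etc/httpd/conf.d/wsgi-keystone.conf is a symlink into /usr/share/keystone, a package update can overwrite the edited Listen line; copying the file into /etc/httpd/conf.d/ instead of symlinking keeps the per-node change local.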
