OpenStack Newton version installation tutorial (1): Keystone part

1. Introduction to OpenStack

OpenStack is a platform for managing virtual machines and is usually used together with KVM. OpenStack only manages the hypervisor, so when OpenStack has a problem the virtual machines keep running as long as KVM itself does not hang; you can manage KVM directly in stand-alone mode and repair OpenStack afterwards. The platform centralizes the management of computing, network and storage services. The commonly used components are:

Horizon: OpenStack's dashboard, the graphical management interface. If this service fails, virtual machines can no longer be managed through the web interface.

Nova: provides the compute service; creating virtual machines, powering them on and off, and similar operations all go through it. If this service fails, no new virtual machines can be created, but existing ones are not affected.

Neutron: provides the network service; IP configuration and the like all depend on it.

Keystone: provides the identity service. Every other service must authenticate against it. It acts like a registry: users only need to ask it to learn the addresses of the other services.

Glance: provides and manages images.

Cinder: provides block storage.

Others: a complete OpenStack deployment also needs, besides the components above, MySQL, the RabbitMQ message queue (for communication between services), Apache (for the web interface) and Memcached (for caching token information).

2. Keystone related concepts

Authorization and authentication for every service in the OpenStack platform go through Keystone, which works like a registry that collects information about all services. Each service tells Keystone what it does and where its interface lives, that is, its service endpoint (URL and port). When users need one of these services, they look it up in this registry. Keystone is therefore the first service to install on the platform. After a service authenticates against Keystone it receives an authorization token, which is then used for authorization and data exchange between services. Once Keystone is configured, it is used to create the roles, services, tenants (projects), users, APIs, service endpoints, regions and so on that make up the basic structure of the cloud platform. Some Keystone terms are explained below:

User: a management or ordinary account for a project. A user only has permissions when it holds a role in a project (tenant). A user can belong to several projects and hold several roles.

Project: somewhat similar to a group. A user must be a member of a project to access that project's resources. In older versions a project was called a tenant.

Role: a collection of permissions, that is, what a given user may do in a project. After Keystone is set up, OpenStack has two default roles: the administrator role admin and the ordinary user role member. Both are defined in /etc/keystone/policy.json.

Service: Neutron, Glance, Nova and so on are all services.

Endpoint: every OpenStack service runs on a specific URL and port, and these are the service's endpoint addresses. When a client connects to OpenStack, Keystone looks up the defined endpoints and returns the address of the required service so the client can connect to it. An endpoint is the access point a service exposes; to use a service you need to know its endpoint, which is generally a URL. A service generally registers three interfaces at once: public, internal (called private here) and admin. The public URL is reachable from anywhere, the internal URL only from the local network, and the admin URL is kept separate from regular access.

Zone (region): can simply be understood as a division into geographic regions, because cloud platforms commonly span regions and data centres (IDCs). In OpenStack, endpoints are defined per region. For example, the Shanghai region has its own public, internal and admin URLs, and the Beijing region defines its own three endpoint URLs as well.

Token: can be understood as a secret key. A user obtains a token for a given project by logging in with a user name and password.

Database: to record the information about the components and services it must verify, OpenStack needs a database as its main storage, usually MySQL/MariaDB.
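The endpoint and region concepts above, as an added example that is not part of this tutorial: a client that has authenticated receives a service catalog and picks the URL for a service by interface and region. SAMPLE_CATALOG is constructed to look like the catalog list Keystone returns with a token, using the bootstrap URLs from this tutorial (CONTROLLER_IP is a placeholder); the helper names are my own.

```python
# Added example, not part of the tutorial: pick endpoints out of a Keystone v3
# service catalog the way a client does after authenticating. SAMPLE_CATALOG is
# constructed sample data shaped like the "catalog" list Keystone returns with
# a token; CONTROLLER_IP is a placeholder for the control node address.
from urllib.parse import urlsplit

SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "admin", "region": "RegionOne", "url": "http://CONTROLLER_IP:35357/v3/"},
        {"interface": "internal", "region": "RegionOne", "url": "http://CONTROLLER_IP:35357/v3/"},
        {"interface": "public", "region": "RegionOne", "url": "http://CONTROLLER_IP:5000/v3/"},
    ]},
    # a deliberately incomplete registration: no internal interface
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://CONTROLLER_IP:9292"},
        {"interface": "admin", "region": "RegionOne", "url": "http://CONTROLLER_IP:9292"},
    ]},
]


def find_endpoint(catalog, service_type, interface="public", region="RegionOne"):
    """URL a client would use for service_type on the given interface and region, or None."""
    for service in catalog:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and ep["region"] == region:
                return ep["url"]
    return None


def missing_interfaces(catalog, region="RegionOne"):
    """Services that do not expose all three interfaces (public, internal, admin) in region."""
    problems = []
    for service in catalog:
        present = {ep["interface"] for ep in service["endpoints"] if ep["region"] == region}
        for iface in ("public", "internal", "admin"):
            if iface not in present:
                problems.append("%s: missing %s endpoint in %s" % (service["type"], iface, region))
    return problems


def admin_shares_public_address(catalog, service_type, region="RegionOne"):
    """True when the admin and public interfaces point at the same host:port, i.e. the
    admin API is reachable wherever the public URL is (Keystone keeps them apart: 35357 vs 5000)."""
    public = find_endpoint(catalog, service_type, "public", region)
    admin = find_endpoint(catalog, service_type, "admin", region)
    if public is None or admin is None:
        return False
    return urlsplit(public).netloc == urlsplit(admin).netloc
```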

3. Configure the official OpenStack yum repository and client tools

Installing via yum is the simplest way, so the official OpenStack yum repository must be configured before any OpenStack component is installed. Use the EPEL or Alibaba Cloud yum repository (under CentOS/cloud) to install the OpenStack repository package, as shown in the figure:

Run the following commands on both the control node and the compute nodes to install the OpenStack yum repository and the OpenStack client tools:

yum install centos-release-openstack-newton -y  # installing this package creates the yum repository for the OpenStack client
yum upgrade -y
yum install python-openstackclient openstack-selinux openstack-utils -y  # install the client and the SELinux auto-management tool

4. Install OpenStack related environment (Chrony, MySQL, RabbitMQ, Memcached, Httpd) on the control node

1. Install the chrony service to keep time synchronized

Use the control node as the NTP server and the compute nodes as clients. chrony is installed by default in CentOS 7 and only needs to be configured in /etc/chrony.conf (CONTROLLER_IP and MANAGEMENT_SUBNET below are placeholders for your own addresses):

server CONTROLLER_IP iburst  # on the compute nodes: use the control node's internal NIC address as the time source
allow MANAGEMENT_SUBNET  # on the control node: allow the IPs in this subnet to synchronize time
systemctl restart chronyd.service
systemctl enable chronyd.service
chronyc sources  # verify the service

2. Install MariaDB, then create and authorize a user for Keystone

yum install mariadb mariadb-server python2-PyMySQL -y
vi /etc/my.cnf.d/openstack.cnf
[mysqld]
default-storage-engine = innodb  # use the InnoDB engine
innodb_file_per_table  # one InnoDB file per table
bind-address = CONTROLLER_IP  # this host's IP on the admin (management) network
max_connections = 4096
collation-server = utf8_general_ci  # support for Chinese characters
character-set-server = utf8  # same as above
systemctl enable mariadb.service
systemctl start mariadb.service
mysql> create database keystone;
mysql> grant all privileges on keystone.* to 'keystone'@'localhost' identified by '123456';
mysql> grant all privileges on keystone.* to 'keystone'@'%' identified by '123456';
mysql> flush privileges;

3. Install the RabbitMQ message queue, which provides communication between the components. Once running, RabbitMQ listens on port 5672.

yum install rabbitmq-server
systemctl start rabbitmq-server
systemctl enable rabbitmq-server

Change the password of RabbitMQ's default user guest (the default administrator account and password are both guest), or create a new user for OpenStack:

rabbitmqctl change_password guest NEWPASSWORD  # change the default user's password
rabbitmqctl add_user openstack RABBIT_PASSWORD  # create an openstack user; choose your own password
rabbitmqctl set_permissions openstack ".*" ".*" ".*"  # grant the new user all permissions
rabbitmqctl set_user_tags openstack administrator  # give the openstack user the administrator role; the official docs skip this step, and without it the user apparently cannot log in to the MQ web interface
rabbitmqctl list_users  # view the current users

Install RabbitMQ's web plug-in for visual management. Afterwards RabbitMQ can be reached through a web page at http://ip:15672; if access fails, remember to turn off SELinux and iptables.

rabbitmq-plugins enable rabbitmq_management rabbitmq_management_agent rabbitmq_web_dispatch webmachine mochiweb amqp_client  # enable the plug-ins
rabbitmq-plugins list  # view the current plug-ins
systemctl restart rabbitmq-server.service  # restart the service (the unit is rabbitmq-server, not rabbitmq)

4. Install httpd and memcached (Keystone is served through httpd)

yum install httpd mod_wsgi memcached -y
echo 'OPTIONS="-l CONTROLLER_IP"' >> /etc/sysconfig/memcached  # set the address memcached listens on (CONTROLLER_IP is a placeholder for the control node's management IP)
systemctl enable memcached.service
systemctl start memcached.service

5. OpenStack component installation steps

Each OpenStack component follows the same routine during installation (Keystone itself is slightly different):

1. Create the database and grant privileges in MySQL

2. Create the user and associate the role in Keystone

3. Register the API (service and endpoints) in Keystone

4. Install the component with yum

5. Edit the service configuration file

6. Synchronize the database

7. Start the service

6. Install Keystone

1. Install Keystone

yum install openstack-keystone -y

2. Edit the Keystone configuration file /etc/keystone/keystone.conf (with openstack-utils installed, the openstack-config command line can be used instead of editing by hand; 123456 is the database password granted to the keystone user in the MariaDB step):

openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:123456@CONTROLLER_IP/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

Or edit the file directly (the # comments are explanations, not part of the file):

[database]
connection = mysql+pymysql://keystone:123456@CONTROLLER_IP/keystone  # database user name, password and host name (or IP)
[token]
provider = fernet  # set the token provider to fernet (fernet tokens are generated from random data)
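A check of the two settings just made, as an added example that is not part of this tutorial: it parses a keystone.conf fragment, takes the database connection URL apart, and flags the weak password this tutorial uses (123456) or a token provider other than fernet. SAMPLE_CONF is constructed from this tutorial's values and the function name is my own.

```python
# Added example, not part of the tutorial: audit the [database] and [token]
# settings of keystone.conf. SAMPLE_CONF is a constructed fragment built from
# this tutorial's values; 123456 is the password granted to the keystone
# database user earlier, and CONTROLLER_IP is a placeholder.
import configparser
from urllib.parse import urlsplit

SAMPLE_CONF = """
[database]
connection = mysql+pymysql://keystone:123456@CONTROLLER_IP/keystone

[token]
provider = fernet
"""

# passwords that appear as defaults or placeholders in this tutorial and the docs
WEAK_PASSWORDS = {"123456", "keystone", "password", "guest", "KEYSTONE_DBPASS"}


def audit_keystone_conf(text):
    """Return a list of findings; an empty list means both settings look sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    conn = cp.get("database", "connection", fallback="")
    url = urlsplit(conn)  # scheme = driver, netloc = user:password@host, path = database
    if url.scheme != "mysql+pymysql":
        findings.append("database.connection: expected the mysql+pymysql driver, got %r" % url.scheme)
    if not url.password or url.password in WEAK_PASSWORDS:
        findings.append("database.connection: weak or placeholder password for user %r" % url.username)
    if url.path.strip("/") != "keystone":
        findings.append("database.connection: database name is %r, not keystone" % url.path.strip("/"))

    provider = cp.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append("token.provider: %r, expected fernet" % provider)
    return findings
```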

3. Initialize the database. In the command below, -s sets the shell to run, -c gives the command to execute, and the final argument is the user to run it as; the shell exits when the command finishes. So keystone-manage db_sync is run as the keystone user to initialize the keystone database. After it succeeds, look at the keystone database: if tables and data have been generated, it worked. The user must be keystone, otherwise the generated files have the wrong owner and the service fails.

su -s /bin/sh -c "keystone-manage db_sync" keystone

4. Initialize the fernet key repository (the token provider was set to fernet in the configuration step above, and fernet keys are needed to encrypt tokens)

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5. Bootstrap the identity service: create the Keystone service entry and its endpoints and set the admin password

keystone-manage bootstrap \
  --bootstrap-password 0BcDemU0ER9HIAiQ \
  --bootstrap-admin-url http://CONTROLLER_IP:35357/v3/ \
  --bootstrap-internal-url http://CONTROLLER_IP:35357/v3/ \
  --bootstrap-public-url http://CONTROLLER_IP:5000/v3/ \
  --bootstrap-region-id RegionOne
# --bootstrap-password sets the Keystone admin password
# --bootstrap-region-id: each group of admin, internal and public endpoints belongs to one region; regions are named RegionOne, RegionTwo and so on

6. Configure httpd and start the service. Note the symbolic link for the configuration file. After the service starts, Keystone listens on port 5000 (regular users) and 35357 (administration).

sed -i "s/#ServerName www.example.com:80/ServerName CONTROLLER_IP/" /etc/httpd/conf/httpd.conf  # set ServerName to the control node's IP or host name
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/  # this file comes from the openstack-keystone package; symlink it into Apache's config directory
systemctl enable httpd.service
systemctl start httpd.service

7. Create domains, projects, users and roles. Here a project called service is created for Nova, Neutron and the other components. The bootstrap in step 5 already created the admin project and the admin account.

openstack project create --domain default --description "Service Project" service  # create a project named service in the default domain
openstack project create --domain default --description "Mytest Project" test  # create a project named test
openstack role create user  # create a role named user
openstack user create --domain default --password yourpassword test  # create a user named test in the default domain
openstack role add --project test --user test user  # add user test to project test with the user role

The same operations can later be reused to create the users and grants for Nova and the other components; the procedure is the same. Shown here in advance as an example (do not execute it now):

openstack user create --domain default --password-prompt nova
openstack role add --project service --user nova admin

8. After the previous step, the Keystone installation is in fact complete. The official documentation has a verification step that uses long commands, because before environment variables are configured all the information has to be passed as parameters. Once the variables are set, the command lines become short. Before installing other services or running OpenStack commands for maintenance, source this variable file first. If a 401 error is reported, the password is almost certainly wrong.

cat > /root/admin-openrc << EOF
export OS_USERNAME=admin
export OS_PASSWORD=0BcDemU0ER9HIAiQ  # the Keystone admin password created in step 5
export OS_PROJECT_NAME=admin  # project
export OS_USER_DOMAIN_NAME=default  # domain, similar to Alibaba Cloud's North China / East China regions
export OS_PROJECT_DOMAIN_NAME=default
export OS_AUTH_URL=http://CONTROLLER_IP:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
source /root/admin-openrc
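What the client does with these variables, as an added example that is not part of this tutorial: it reads the OS_* values and posts a project-scoped password authentication request to OS_AUTH_URL/auth/tokens, receiving a token that later commands use instead of the password (a 401 here is the error mentioned above). SAMPLE_OPENRC is constructed from this tutorial's values, CONTROLLER_IP is a placeholder, and the function names are my own.

```python
# Added example, not part of the tutorial: turn an admin-openrc file into the
# Identity v3 request body that "openstack token issue" sends. SAMPLE_OPENRC is
# a constructed copy of this tutorial's file; CONTROLLER_IP is a placeholder.
import shlex

SAMPLE_OPENRC = """
export OS_USERNAME=admin
export OS_PASSWORD=0BcDemU0ER9HIAiQ  # keystone admin password from the bootstrap step
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_DOMAIN_NAME=default
export OS_AUTH_URL=http://CONTROLLER_IP:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""


def parse_openrc(text):
    """Collect the KEY=value pairs from 'export' lines, honouring shell quoting and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export "):
            continue
        tokens = shlex.split(line, comments=True)  # drops the trailing "# ..." like a shell would
        key, _, value = tokens[1].partition("=")
        env[key] = value
    return env


def v3_password_auth(env):
    """Body of POST {OS_AUTH_URL}/auth/tokens for a token scoped to the project in the file."""
    required = ("OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME",
                "OS_USER_DOMAIN_NAME", "OS_PROJECT_DOMAIN_NAME", "OS_AUTH_URL")
    missing = [key for key in required if key not in env]
    if missing:
        raise ValueError("openrc is missing " + ", ".join(missing))
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}
    project = {"name": env["OS_PROJECT_NAME"], "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": {"project": project}}}


def token_url(env):
    """Where the body above is posted; the token comes back in the X-Subject-Token header."""
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
```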

9. Verify the information with the commands below, which are mostly lists. If something was created wrongly and needs to be deleted, list it first and then use delete.

openstack token issue  # view token information
openstack service list
openstack user list  # view the user list
openstack role list  # view the role list
openstack project list  # view the project list
openstack endpoint list
openstack endpoint delete xxx  # example of deleting an endpoint (xxx is the endpoint ID from the list)