2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Set up time synchronization:
Time synchronization is very important for OpenStack, so make sure the time of all services stays synchronized at all times. Here is how to synchronize the time:
    timedatectl list-timezones | grep Shanghai    # check the time zone
    timedatectl set-timezone Asia/Shanghai        # set the time zone
    timedatectl set-local-rtc yes                 # yes means the RTC uses local time, no means UTC
    ntpdate time1.aliyun.com                      # synchronize the time
Start the database service
    [root@linux-node1 ~]# systemctl enable mariadb.service    # enable at boot
    Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
    [root@linux-node1 ~]# systemctl start mariadb.service    # start the database
    [root@linux-node1 ~]# mysql_secure_installation    # initialize and set the password

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] y
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] y
     ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] y
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] y
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!
Configure the RabbitMQ message queue
    [root@linux-node1 ~]# systemctl enable rabbitmq-server.service    # enable at boot
    Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
    [root@linux-node1 ~]# systemctl start rabbitmq-server.service    # start the message queue
    [root@linux-node1 ~]# rabbitmqctl add_user openstack openstack    # add the openstack user and its password
    Creating user "openstack" ...
    [root@linux-node1 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"    # set message queue permissions for openstack
    Setting permissions for user "openstack" in vhost "/" ...
    [root@linux-node1 ~]# rabbitmq-plugins list    # view the message queue plug-ins
     Configured: E = explicitly enabled; e = implicitly enabled
     | Status:   * = running on rabbit@linux-node1
     |/
    [  ] amqp_client                       3.6.5
    [  ] cowboy                            1.0.3
    [  ] cowlib                            1.0.1
    [  ] mochiweb                          2.13.1
    [  ] rabbitmq_amqp1_0                  3.6.5
    [  ] rabbitmq_auth_backend_ldap        3.6.5
    [  ] rabbitmq_auth_mechanism_ssl       3.6.5
    [  ] rabbitmq_consistent_hash_exchange 3.6.5
    [  ] rabbitmq_event_exchange           3.6.5
    [  ] rabbitmq_federation               3.6.5
    [  ] rabbitmq_federation_management    3.6.5
    [  ] rabbitmq_jms_topic_exchange       3.6.5
    [  ] rabbitmq_management               3.6.5
    [  ] rabbitmq_management_agent         3.6.5
    [  ] rabbitmq_management_visualiser    3.6.5
    [  ] rabbitmq_mqtt                     3.6.5
    [  ] rabbitmq_recent_history_exchange  1.2.1
    [  ] rabbitmq_sharding                 0.1.0
    [  ] rabbitmq_shovel                   3.6.5
    [  ] rabbitmq_shovel_management        3.6.5
    [  ] rabbitmq_stomp                    3.6.5
    [  ] rabbitmq_top                      3.6.5
    [  ] rabbitmq_tracing                  3.6.5
    [  ] rabbitmq_trust_store              3.6.5
    [  ] rabbitmq_web_dispatch             3.6.5
    [  ] rabbitmq_web_stomp                3.6.5
    [  ] rabbitmq_web_stomp_examples       3.6.5
    [  ] sockjs                            0.3.4
    [  ] webmachine                        1.10.3
    [root@linux-node1 ~]# rabbitmq-plugins enable rabbitmq_management    # load the message queue management plug-in
    The following plugins have been enabled:
      mochiweb
      webmachine
      rabbitmq_web_dispatch
      amqp_client
      rabbitmq_management_agent
      rabbitmq_management

    Applying plugin configuration to rabbit@linux-node1... started 6 plugins.
    [root@linux-node1 ~]# systemctl restart rabbitmq-server.service    # restart the message queue service
Verify the message queue service
    [root@linux-node1 ~]# lsof -i :15672
    COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    beam.smp 6370 rabbitmq   53u  IPv4  37357      0t0  TCP *:15672 (LISTEN)
Enter 192.168.56.11:15672 in the browser and log in with the guest account and the password guest.
Keystone authentication service
Keystone is already at V3 in the N release. Keystone mainly involves the following concepts:
User: whoever uses a service, which can be a person, a service or a system. Any object that uses OpenStack services can be called a user.
Project (tenant): a tenant can be understood as a collection of resources owned by a person, project, or organization. A tenant can contain many users, and these users can use the tenant's resources according to how permissions are divided.
Role: used to assign permissions for operations. A role can be assigned to a user so that the user obtains the operation rights corresponding to that role.
Token: after successful authentication, Keystone generates a bit string or character string that is used as a token to access resources. The token carries the scope of the accessible resources and its validity period.
New features of Keystone V3 API
Keystone V3 has made many changes and improvements, among which we select the more important ones to elaborate:
Rename Tenant to Project
Introduce the concept of Domain
Introduce the concept of Group
Tenant is renamed to Project and the concept of Domain is added above it, which better matches the mapping between the real world and cloud services.
V3 uses Domain to implement a true multi-tenant (multi-tenancy) architecture, with Domain serving as the high-level container for Projects. Customers of cloud services are the owners of a Domain, and they can create multiple Projects, Users, Groups, and Roles in their Domain. By introducing Domain, cloud service customers can manage all the Projects they own in one place, instead of having to manage each Project separately as they did in the past.
A Group is a container for a set of Users: users are added to the Group and roles are assigned directly to the Group, so that all users in the Group have the role permissions that the Group has. By introducing the concept of Group, Keystone V3 supports user group management and makes it possible to manage the rights of a group of users at the same time. This is different from assigning a Role directly to a User/Project in V2, and it makes cloud services easier to manage.
Figure: diagram of Domain, Group, Project, User and Role (referenced online)
Create databases and users
Create the databases and users in the database server (here, for convenience, the accounts of cinder, glance, neutron, and the other services are all created together).
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    CREATE DATABASE glance;
    GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
    GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
    CREATE DATABASE nova;
    GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
    GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
    CREATE DATABASE nova_api;
    GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
    GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
    CREATE DATABASE neutron;
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
    GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
    CREATE DATABASE cinder;
    GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
    GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
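The statements above give every service account a password equal to its name and a grant for '%' (any host). As an added example, not part of the original article, this POSIX shell function emits the same databases and accounts with one random password per account and the remote grant limited to a host pattern. The 192.168.56.% pattern and the credentials file path are assumptions derived from the controller address used on this page.

```shell
#!/bin/sh
# Added example, not from the original article.
# database:account pairs exactly as created above (the nova account owns two databases).
DB_OWNERS="keystone:keystone glance:glance nova:nova nova_api:nova neutron:neutron cinder:cinder"

# 32 hex characters from the kernel CSPRNG; contains nothing that needs SQL quoting.
gen_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# emit_grants HOST_PATTERN CRED_FILE
# Prints the SQL on stdout and records "account password" pairs in CRED_FILE (mode 600).
emit_grants() {
    host_pattern=$1
    cred_file=$2
    case $host_pattern in
        ''|%) echo "emit_grants: refusing empty or '%' host pattern" >&2; return 1 ;;
    esac
    : > "$cred_file" && chmod 600 "$cred_file" || return 1
    for pair in $DB_OWNERS; do
        db=${pair%%:*}
        acct=${pair#*:}
        # Reuse the password when the account already has one (nova and nova_api).
        pw=$(awk -v a="$acct" '$1 == a { print $2 }' "$cred_file")
        if [ -z "$pw" ]; then
            pw=$(gen_password)
            printf '%s %s\n' "$acct" "$pw" >> "$cred_file"
        fi
        printf 'CREATE DATABASE IF NOT EXISTS %s;\n' "$db"
        for host in localhost "$host_pattern"; do
            printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
                "$db" "$acct" "$host" "$pw"
        done
    done
}

# Usage (hypothetical credentials path):
#   emit_grants '192.168.56.%' /root/openstack-db.creds | mysql -uroot -p
```

Each generated password then has to replace the one in the matching service's connection = mysql+pymysql://... line, such as the keystone entry shown in keystone.conf on this page.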
Execution process:
    [root@linux-node1 ~]# mysql -uroot -p
    Enter password:    # use the root password set above
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> CREATE DATABASE glance;
    Query OK, 1 row affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY 'glance';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY 'glance';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> CREATE DATABASE nova;
    Query OK, 1 row affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY 'nova';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> CREATE DATABASE nova_api;
    Query OK, 1 row affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' IDENTIFIED BY 'nova';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' IDENTIFIED BY 'nova';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> CREATE DATABASE neutron;
    Query OK, 1 row affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' IDENTIFIED BY 'neutron';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' IDENTIFIED BY 'neutron';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> CREATE DATABASE cinder;
    Query OK, 1 row affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | cinder             |
    | glance             |
    | information_schema |
    | keystone           |
    | mysql              |
    | neutron            |
    | nova               |
    | nova_api           |
    | performance_schema |
    +--------------------+
    9 rows in set (0.00 sec)
Keystone configuration file
    [root@linux-node1 ~]# grep -n '^[a-z]' /etc/keystone/keystone.conf
    640:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
    1472:servers = 192.168.56.11:11211    # memcache service address
    2655:provider = fernet                # configure the token provider
    2665:driver = memcache                # select the driver; the default is sql, here memcache is configured
Initialize the database:
    su -s /bin/sh -c "keystone-manage db_sync" keystone
Verify that the initialization was successful:
    [root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
    +------------------------+
    | Tables_in_keystone     |
    +------------------------+
    | access_token           |
    | assignment             |
    | config_register        |
    | consumer               |
    | credential             |
    | endpoint               |
    | endpoint_group         |
    | federated_user         |
    | federation_protocol    |
    | group                  |
    | id_mapping             |
    | identity_provider      |
    | idp_remote_ids         |
    | implied_role           |
    | local_user             |
    | mapping                |
    | migrate_version        |
    | nonlocal_user          |
    | password               |
    | policy                 |
    | policy_association     |
    | project                |
    | project_endpoint       |
    | project_endpoint_group |
    | region                 |
    | request_token          |
    | revocation_event       |
    | role                   |
    | sensitive_config       |
    | service                |
    | service_provider       |
    | token                  |
    | trust                  |
    | trust_role             |
    | user                   |
    | user_group_membership  |
    | whitelisted_config     |
    +------------------------+
Install memcached
    yum install memcached python-memcached
    vim /etc/sysconfig/memcached
    [root@linux-node1 ~]# cat /etc/sysconfig/memcached
    PORT="11211"
    USER="memcached"
    MAXCONN="1024"
    CACHESIZE="64"
    OPTIONS="-l 192.168.56.11,::1"
Generate the necessary information for token authentication through keystone-manage:
    [root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    [root@linux-node1 keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    [root@linux-node1 keystone]# keystone-manage bootstrap --bootstrap-password admin \
    > --bootstrap-admin-url http://192.168.56.11:35357/v3/ \
    > --bootstrap-internal-url http://192.168.56.11:35357/v3/ \
    > --bootstrap-public-url http://192.168.56.11:5000/v3/ \
    > --bootstrap-region-id RegionOne
Configure the apache service
    [root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf    # edit the configuration file
    95 ServerName 192.168.56.11:80
Create the symbolic link:
    [root@linux-node1 keystone]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start the service:
    [root@linux-node1 keystone]# systemctl enable httpd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
    [root@linux-node1 keystone]# systemctl start httpd.service
    [root@linux-node1 keystone]# lsof -i :80
    COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    httpd   22891   root    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
    httpd   22902 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
    httpd   22906 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
    httpd   22907 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
    httpd   22908 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
    httpd   22909 apache    4u  IPv6  59157      0t0  TCP *:http (LISTEN)
Configure the environment variables:
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://192.168.56.11:35357/v3
    export OS_IDENTITY_API_VERSION=3
Install the openstack client. If the openstack command is not available, install it with:
    yum install -y python-openstackclient
Run the following commands to verify:
    [root@linux-node1 keystone]# openstack user list    # view the user list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | b84c1614b79b40278e02bd6ed034cc6f | admin |
    +----------------------------------+-------+
    [root@linux-node1 keystone]# openstack role list    # view the role list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | 9b0ba78cf70048efa8659220a3cebd06 | admin |
    +----------------------------------+-------+
    [root@linux-node1 keystone]# openstack project list    # view the project list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | 7ae0fb7deb5342d885a07c2c890a1ff4 | admin |
    +----------------------------------+-------+
    [root@linux-node1 keystone]# openstack endpoint list    # view the list of endpoints
    +----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
    | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
    | 65f66a71d46242a0a80a0de1b6503929 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56.11:35357/v3/ |
    | 71f801be8bc547aca380c81b796b240a | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3/ |
    | b1caff56f31f4dfabe5a8418c65e2839 | RegionOne | keystone     | identity     | True    | public    | http://192.168.56.11:5000/v3/  |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
Create a project:
    [root@linux-node1 keystone]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 7f240473406147b99463f32b876bf69d |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    +-------------+----------------------------------+
Your output should be much the same as mine, except that the id will differ.
Check whether the creation was successful:
    [root@linux-node1 keystone]# openstack project list
    +----------------------------------+---------+
    | ID                               | Name    |
    +----------------------------------+---------+
    | 7ae0fb7deb5342d885a07c2c890a1ff4 | admin   |
    | 7f240473406147b99463f32b876bf69d | service |
    +----------------------------------+---------+
Create a demo project:
    [root@linux-node1 keystone]# openstack project create --domain default --description "Demo Project" demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 9b913d25891849baa55b21d837e9b63d |
    | is_domain   | False                            |
    | name        | demo                             |
    | parent_id   | default                          |
    +-------------+----------------------------------+
Verify that the creation was successful:
    [root@linux-node1 keystone]# openstack project list
    +----------------------------------+---------+
    | ID                               | Name    |
    +----------------------------------+---------+
    | 7ae0fb7deb5342d885a07c2c890a1ff4 | admin   |
    | 7f240473406147b99463f32b876bf69d | service |
    | 9b913d25891849baa55b21d837e9b63d | demo    |
    +----------------------------------+---------+
Create a user
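    [root@linux-node1 keystone]# openstack user create --domain default --password-prompt demo
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | f0c69bad72b54e0daef92c2295425932 |
    | name                | demo                             |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@linux-node1 keystone]# openstack user list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | b84c1614b79b40278e02bd6ed034cc6f | admin |
    | f0c69bad72b54e0daef92c2295425932 | demo  |
    +----------------------------------+-------+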
Create role permissions:
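    [root@linux-node1 keystone]# openstack role create user
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | f53267146a6449b797393f7fc5d23e10 |
    | name      | user                             |
    +-----------+----------------------------------+
    [root@linux-node1 keystone]# openstack role list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | 9b0ba78cf70048efa8659220a3cebd06 | admin |
    | f53267146a6449b797393f7fc5d23e10 | user  |
    +----------------------------------+-------+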
Add users to the project and grant permissions
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | 8dc6f28207b64e6d845a444a2ba18205 |
    | name                | glance                           |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@linux-node1 keystone]# openstack role add --project service --user glance admin
    [root@linux-node1 keystone]# openstack user create --domain default --password-prompt nova
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | db596da4ed8f47ab9dc7fa77d3bc8c6c |
    | name                | nova                             |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@linux-node1 keystone]# openstack role add --project service --user nova admin
    [root@linux-node1 keystone]# openstack user create --domain default --password-prompt neutron
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | c0f9c52898ad4d4f88254a01c458eb27 |
    | name                | neutron                          |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@linux-node1 keystone]# openstack role add --project service --user neutron admin
    [root@linux-node1 keystone]# openstack user create --domain default --password-prompt cinder
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | e5dbdde24a7340edb8bd3f498f9d28b5 |
    | name                | cinder                           |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    [root@linux-node1 keystone]# openstack role add --project service --user cinder admin
Verify Keystone
Authenticate the user:
    unset OS_AUTH_URL OS_PASSWORD    # clear the previously set environment variables
    [root@linux-node1 keystone]# openstack \
    > --os-auth-url http://192.168.56.11:35357/v3 \
    > --os-project-domain-name default \
    > --os-user-domain-name default \
    > --os-project-name admin \
    > --os-username admin token issue
    Password:    # after entering the password, the following output shows that the user works
    +------------+---------------------------------------------------------------------------------------+
    | Field      | Value                                                                                 |
    +------------+---------------------------------------------------------------------------------------+
    | expires    | 2016-12-28 11:05:46+00:00                                                             |
    | id         | gAAAAABYY456xFHiZSMnQ7x88FxUJjuu3uO8xRLh_soTSgyf3KzMv0nY3s4wn1diFlJ7d2qjPub0iftlOKUnZ |
    |            | z9QYPMUGhfxguZhEHWQtufNQNxZD9r8ekluU0XjCdrdnBURAfs3IM6EmJt3O1Sl-                      |
    |            | Nw4G40uh0xatMkxI6bmrG3fRkCrcLga6Cx4                                                   |
    | project_id | 7ae0fb7deb5342d885a07c2c890a1ff4                                                      |
    | user_id    | b84c1614b79b40278e02bd6ed034cc6f                                                      |
    +------------+---------------------------------------------------------------------------------------+
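Because keystone.conf sets provider = fernet, the id above is a Fernet token, and its first 9 bytes (version byte 0x80 plus a 64-bit big-endian issue timestamp) can be read without any key. This added example, not from the original article, reads that header to recover the issue time and to test a token's age; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article.
# Token id copied from the "token issue" output above (it expired in 2016).
PAGE_TOKEN="gAAAAABYY456xFHiZSMnQ7x88FxUJjuu3uO8xRLh_soTSgyf3KzMv0nY3s4wn1diFlJ7d2qjPub0iftlOKUnZ\
z9QYPMUGhfxguZhEHWQtufNQNxZD9r8ekluU0XjCdrdnBURAfs3IM6EmJt3O1Sl-\
Nw4G40uh0xatMkxI6bmrG3fRkCrcLga6Cx4"

# fernet_issued_at TOKEN -> issue time as Unix epoch seconds.
# Fernet layout: version byte (0x80), 8-byte big-endian timestamp, IV, ciphertext, HMAC.
# The first 12 base64url characters decode to exactly the first 9 bytes.
fernet_issued_at() {
    hdr=$(printf '%s' "$1" | cut -c1-12 | tr '_-' '/+' \
          | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "${#hdr}" -ne 18 ]; then
        echo "fernet_issued_at: not base64url or shorter than 12 characters" >&2
        return 1
    fi
    case $hdr in
        80*) ;;
        *) echo "fernet_issued_at: version byte is not 0x80" >&2; return 1 ;;
    esac
    # Drop the version byte; the remaining 16 hex digits are the timestamp.
    echo $((0x${hdr#??}))
}

# fernet_older_than TOKEN NOW_EPOCH MAX_AGE -> exit 0 if the token is at least
# MAX_AGE seconds old at NOW_EPOCH, 1 if it is younger, 2 if it cannot be parsed.
fernet_older_than() {
    issued=$(fernet_issued_at "$1") || return 2
    [ $(( $2 - $issued )) -ge "$3" ]
}

issued=$(fernet_issued_at "$PAGE_TOKEN") && echo "issued_at=$issued"
```

For the token on this page it prints issued_at=1482919546, which is 2016-12-28 10:05:46 UTC.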
Create an environment variable script:
Create the admin variables file:
    [root@linux-node1 ~]# cat admin-openstack
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://192.168.56.11:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
Create the demo variables file:
    [root@linux-node1 ~]# cat demo-openstack
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://192.168.56.11:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
To make the environment variables take effect:
    source demo-openstack
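The rc files above keep OS_PASSWORD in clear text, set it equal to the user name, and point at an http:// endpoint. This added example, not from the original article, audits such a file for those three conditions without sourcing it. The sample files are constructed, and the hardened variant (no stored password, so the client prompts as in the token issue step above) uses a hypothetical host name.

```shell
#!/bin/sh
# Added example, not from the original article.

# rc_value FILE KEY -> value of the last "export KEY=value" line.
# The file is read as text only, never sourced.
rc_value() {
    sed -n "s/^export $2=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_openrc FILE -> one finding per line; returns 1 if anything was found.
audit_openrc() {
    rc=$1
    found=0
    user=$(rc_value "$rc" OS_USERNAME)
    pass=$(rc_value "$rc" OS_PASSWORD)
    url=$(rc_value "$rc" OS_AUTH_URL)
    # Characters 5-10 of "ls -ld" are the group and other permission bits.
    perms=$(ls -ld "$rc" | cut -c5-10)
    if [ -n "$pass" ] && [ "$perms" != "------" ]; then
        echo "$rc: PERMS stored password readable beyond owner ($perms)"; found=1
    fi
    if [ -n "$pass" ] && [ "$pass" = "$user" ]; then
        echo "$rc: WEAK_PASSWORD OS_PASSWORD equals OS_USERNAME"; found=1
    fi
    case $url in
        http://*) echo "$rc: PLAINTEXT_AUTH OS_AUTH_URL is $url"; found=1 ;;
    esac
    [ "$found" -eq 0 ]
}

# Constructed samples: the first mirrors admin-openstack above; the second is a
# hardened variant with a hypothetical TLS endpoint and no stored password.
make_samples() {
    cat > "$1/admin-openstack" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
    chmod 644 "$1/admin-openstack"
    cat > "$1/admin-hardened" <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_AUTH_URL=https://controller.example.test:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF
    chmod 600 "$1/admin-hardened"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/admin-*; do audit_openrc "$f" || true; done
rm -rf "$demo_dir"
```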
Keystone common errors:
Verification failed: the password of the relevant keystone user account was set incorrectly, the time is not synchronized, or the project name entered is not correct. The OS_token variable may not have been initialized, and you need to use the source command to make it take effect; or the configuration file has not taken effect and you need to restart the related service.
    409                # when creating a user in keystone: the user already exists
    500                # internal server error; there is a problem with the service configuration. Check the log and check the configuration
    503                # problem with the password of a keystone-related account; delete the relevant glance account and re-create it
    service failure    # the related services are not up
© 2024 shulou.com SLNews company. All rights reserved.