OpenStack basic Learning and keystone Service configuration 01/17 Update SLTechnology News&Howtos

OpenStack basic Learning and keystone Service configuration

2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >

Shulou(Shulou.com)06/01 Report--

Openstack basic Learning OpenStack is a free software and open source project developed and initiated by NASA (National Aeronautics and Space Administration) and Rackspace under the Apache license. OpenStack is an open source cloud computing management platform project, which is composed of several major components to complete the specific work. OpenStack supports almost all types of cloud environments, and the goal of the project is to provide a cloud computing management platform that is simple to implement, scalable on a large scale, rich and unified in standards. OpenStack provides infrastructure as a service (IaaS) solutions through a variety of complementary services, each of which provides API for integration. 2. Environment preparation 1. Virtual machine preparation IP address hostname operating system 192.168.56.11 linux-node1 CentOS7192.168.56.12 linux-node2 CentOS7

Where linux-node1 is used as the control node

Linux-node2 as a compute node

2. Basic software package installation

The basic software package needs to be installed on all OpenStack nodes, including control nodes and compute nodes

(1) install EPEL warehouse rpm-ivh http://mirrors.aliyun.com/epel/epel-release-latest-7.noarch.rpm (2) install OpenStack warehouse yum install-y centos-release-openstack-mitaka after installation A CentOS-OpenStack-mitaka.repo [root@linux-node1 yum.repos.d] # lsCentOS-Base.repo CentOS-Debuginfo.repo CentOS-OpenStack-mitaka.repo CentOS-Vault.repoCentOS-Ceph-Hammer.repo CentOS-fasttrack.repo CentOS-QEMU-EV.repo epel.repoCentOS-CR.repo CentOS-Media.repo CentOS-Sources.repo epel-testing.repo will be generated in the / etc/yum.repos.d directory [root@linux-node1 yum.repos.d] # (3) install OpenStack client yum install-y python-openstackclient (4) install Openstack SELinux management pack yum install-y openstack-selinux3, MySQL database deployment

All components except Horizon,OpenStack need to connect to the database.

(1) install database [root@linux-node1 ~] # yum install-y mariadb mariadb-server python2-PyMySQL

Looking at the configuration file of mariadb, you can see that the configuration directory is / etc/my.cnf.d

[root@linux-node1 ~] # cat / etc/ my.cnf [mysqld] datadir=/var/lib/mysqlsocket=/var/lib/mysql/mysql.socksymbolic-links= 0 [mysqld _ safe] log-error=/var/log/mariadb/mariadb.logpid-file=/var/run/mariadb/mariadb.pid# include all files from the config directoryconfiguration dedir / etc/my.cnf.d (2) create an openstack.cnf configuration file

Create and edit / etc/my.cnf.d/openstack.cnf, and then complete the following actions:

# set the bind- address value to the management network IP address of the control node so that other nodes can access the database through the management network [mysqld] bind-address = 192.168.56.11 default-storage-engine = innodb # default storage engine innodb_file_per_table # exclusive tablespace max_connections = 4096 # maximum number of connections collation-server = utf8_general_ci # database character set character-set-server = utf8 # character set specified during database installation (3) start the database

Start the database service and configure it to boot:

Systemctl enable mariadb.servicesystemctl start mariadb.service

To ensure the security of the database service, run the mysql_secure_installation script. In particular, set an appropriate password for the root user of the database.

[root@linux-node1 my.cnf.d] # mysql_secure_installationNOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!In order to log into MariaDB to secure it, we'll need the currentpassword for the root user. If you've just installed MariaDB, andyou haven't set the root password yet, the password will be blank,so you should just press enter here.Enter current password for root (enter for none): OK, successfully used password, moving on...Setting the root password ensures that nobody can log into the MariaDBroot user without the proper authorisation.Set root password? [Y/n] YNew password: Re-enter new password: Password updated successfully!Reloading privilege tables.. ... Success!By default, a MariaDB installation has an anonymous user, allowing anyoneto log into MariaDB without having to have a user account created forthem. This is intended only for testing, and to make the installationgo a bit smoother. You should remove them before moving into aproduction environment.Remove anonymous users? [Y/n] Y... Successful normally, root should only be allowed to connect from 'localhost'. Thisensures that someone cannot guess at the root password from the network.Disallow root login remotely? [Y/n] Y... Successful by default, MariaDB comes with a database named 'test' that anyone canaccess. This is also intended only for testing, and should be removedbefore moving into a production environment.Remove test database and access to it? [YPo] Y-Dropping test database... ... Success!-Removing privileges on test database... ... Success!Reloading the privilege tables will ensure that all changes made so farwill take effect immediately.Reload privilege tables now? [Y/n] Y... Success!Cleaning up...All done! If you've completed all of the above steps Your MariaDBinstallation should now be secure.Thanks for using MariaDB! [root@linux-node1 my.cnf.d] # netstat-lntpActive Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0192.168.56.11 lntpActive Internet connections 3306 0.0.0.0 * LISTEN 2764/mysqld tcp 000.0. 0.0 22 0.0.0.0 LISTEN 1324/sshd tcp 0 0127.0.0.1 25 0.0.0.0 0: 22:: * LISTEN 1324/sshd tcp6 0 0:: 1:25: * (4) create a database and authorize

After creating the required database at one time, in the actual production, you can write a script and execute it with one click.

MariaDB [(none)] > create database keystone;Query OK, 1 row affected (0.00 sec) MariaDB [(none)] > grant all on keystone.* to 'keystone'@'localhost' identified by' keystone';Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > grant all on keystone.* to 'keystone'@'%' identified by' keystone';Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > create database glance Query OK, 1 row affected (0.00 sec) MariaDB [(none)] > grant all on glance.* to 'glance'@'localhost' identified by' glance';Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > grant all on glance.* to 'glance'@'%' identified by' glance';MariaDB [(none)] > create database nova;Query OK, 1 row affected (0.00 sec) MariaDB [(none)] > grant all on nova.* to 'nova'@'localhost' identified by' nova' Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > grant all on nova.* to 'nova'@'%' identified by' nova';Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > create database nova_api;Query OK, 1 row affected (0.00 sec) MariaDB [(none)] > grant all on nova_api.* to 'nova'@'localhost' identified by' nova' Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > grant all on nova_api.* to 'nova'@'%' identified by' nova';MariaDB [(none)] > create database neutron;Query OK, 1 row affected (0.00 sec) MariaDB [(none)] > grant all on neutron.* to 'neutron'@'localhost' identified by' neutron';Query OK, 0 rows affected (0.00 sec) MariaDB [(none)] > grant all on neutron.* to 'neutron'@'%' identified by' neutron' Query OK, 0 rows affected (0.00 sec) 4, message Agent RabbitMQ (1) install RabbitMQ

Except for Horizon and KeyStone, all other components need to be connected to RabbitMQ

OpenStack uses message queue to coordinate operations and status information for each service. The message queuing service generally runs on the control node.

[root@linux-node1 ~] # yum install-y rabbitmq-server

The most frequently used RabbitMQ is that Nova,Nova starts many services, and the communication between services is also communicated through message queues.

(2) start the message queuing service and configure it to start [root@linux-node1 src] # systemctl enable rabbitmq-server [root@linux-node1 src] # systemctl start rabbitmq-server automatically.

The rabbitmq listening port is 5672

(3) add openstack user [root@linux-node1 src] # rabbitmqctl add_user openstack openstackCreating user "openstack"... (4) configure openstack users with read and write permissions [root@linux-node1 src] # rabbitmqctl set_permissions openstack ". *" Setting permissions for user "openstack" in vhost "/". (5) Open the rabbitmq management plug-in.

Rabbitmq provides many plug-ins

[root@linux-node1 src] # rabbitmq-plugins list Configured: e = explicitly enabled E = implicitly enabled | Status: * = running on rabbit@linux-node1 | / [] amqp_client 3.6.5 [] cowboy 1.0.3 [] cowlib 1.0.1 [] mochiweb 2.13.1 [] rabbitmq_amqp1_0 3.6.5 [] rabbitmq_auth_backend_ldap 3.6.5 [] rabbitmq_auth_mechanism_ssl 3.6.5 [] rabbitmq_consistent_hash_exchange 3.6.5 [] rabbitmq_event_exchange 3.6.5 [] rabbitmq_federation 3.6.5 [] rabbitmq_federation_management 3.6.5 [] rabbitmq_jms_topic_exchange 3.6.5 [] rabbitmq_management 3.6.5 [] rabbitmq_management_agent 3.6.5 [] rabbitmq_management_visualiser 3.6.5 [] rabbitmq_mqtt 3.6.5 [] rabbitmq_recent_history_exchange 1.2.1 [] rabbitmq_sharding 0.1.0 [] rabbitmq_shovel 3.6.5 [] rabbitmq_shovel_management 3.6.5 [] rabbitmq_stomp 3.6.5 [] rabbitmq_top 3.6.5 [] rabbitmq_tracing 3.6.5 [] rabbitmq_trust_store 3.6.5 [] rabbitmq_web_dispatch 3.6.5 [] rabbitmq_web_stomp 3.6.5 [] rabbitmq_web_stomp_examples 3.6.5 [] sockjs 0.3.4 [] webmachine 1.10.3

By opening the management plug-in, you can manage rebbitmq through the web interface

[root@linux-node1 src] # rabbitmq-plugins enable rabbitmq_managementThe following plugins have been enabled: mochiweb webmachine rabbitmq_web_dispatch amqp_client rabbitmq_management_agent rabbitmq_managementApplying plugin configuration to rabbit@linux-node1... Started 6 plugins.

Rabbitmq-management will listen on port 15672 when it starts.

When you access http://192.168.56.11:15672, the user name and password are all guest, and you can manage it after entering it.

5. Network time Protocol (NTP)

In a production environment, all OpenStack nodes must have the same time.

So ntp must be installed for time synchronization.

Yum-y install ntpsystemctl enable ntpdsystemctl start ntpd6, OpenStack service installation (2) Glance deployment [root@linux-node1 ~] # yum install-y openstack-glance (3) Nova control node installation

Install other prerequisite services except nova-compute on the control node linux-node1

[root@linux-node1 ~] # yum install-y openstack-nova-api openstack-nova-cert\ openstack-nova-conductor openstack-nova-console\ openstack-nova-novncproxy openstack-nova-scheduler (4) Nova Compute Node installation

Install on the compute node linux-node2

[root@linux-node2 ~] # yum install-y openstack-nova-compute sysfsutils (5) Neutron Control Node deployment

The Neutron control node is deployed in linux-node1

[root@linux-node1] # yum install-y openstack-neutron openstack-neutron-ml2\ openstack-neutron-linuxbridge ebtables (6) deployment of Neutron in Compute Node

Deployment linux-node2 of Neutron in Compute Node

[root@linux-node2 ~] # yum install-y openstack-neutron openstack-neutron-linuxbridge ebtables III, OpenStack Authentication Service keystone1, install keystoneyum install-y openstack-keystone httpd mod_wsgi memcached python-memcached# use an Apache HTTP server with mod_wsgi to serve authentication service requests, ports 5000 and 35357. By default, the Kestone service still listens on these ports # memcached cache. Memcached can set the key timeout, and then you can automatically clean up module 2 of the # python-memcached python connection memcached, edit the file keystone.conf and complete the configuration.

Use openssl to generate a token that defines the value of the initial management token

[root@linux-node1 ~] # openssl rand-hex 10fb373c742a49db0bd7af [root@linux-node1 ~] # vim / etc/keystone/keystone.conf [DEFAULT] admin_token = fb373c742a49db0bd7af [database] connection = mysql+pymysql://keystone:keystone@192.168.56.11/ Keystone [token] provider = fernetdriver = memcache [memcache] servers = 192.168.56.11 Jiang 112113, database for initializing identity authentication service: su-s / bin/sh-c "keystone-manage db_sync" keystone

Verify the initialization of the database

Initialize key and create certificates

Keystone-manage fernet_setup-- keystone-user keystone--keystone-group keystone

Store key in the directory of keystone

[root@linux-node1 fernet-keys] # pwd/etc/keystone/fernet-keys [root@linux-node1 fernet-keys] # ls0 15, launch memache [root @ linux-node1 ~] # systemctl enable memcachedCreated symlink from / etc/systemd/system/multi-user.target.wants/memcached.service to / usr/lib/systemd/system/memcached.service. [root@linux-node1 ~] # systemctl start memcached

View memcached's configuration file

[root@linux-node1 ~] # cat / etc/sysconfig/memcached PORT= "11211" USER= "memcached" MAXCONN= "1024" CACHESIZE= "64" OPTIONS= "6. Configure Apache HTTP server (1) Edit httpd.conf file

Edit the / etc/httpd/conf/httpd.conf file and configure the ServerName option as the control node:

ServerName 192.168.56.11 80 (2) creates a keystone configuration file

Create / etc/httpd/conf.d/wsgi-keystone.conf and write the following:

Listen 5000Listen 35357 WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=% {GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / / usr/bin/keystone-wsgi-public WSGIApplicationGroup% {GLOBAL} WSGIPassAuthorization On ErrorLogFormat "% {cu} t% M" ErrorLog / var/log/httpd/keystone-error.log CustomLog / var/log/httpd/keystone-access.log combined Require all granted WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=% {GROUP} WSGIProcessGroup keystone -admin WSGIScriptAlias / / usr/bin/keystone-wsgi-admin WSGIApplicationGroup% {GLOBAL} WSGIPassAuthorization On ErrorLogFormat "% {cu} t% M" ErrorLog / var/log/httpd/keystone-error.log CustomLog / var/log/httpd/keystone-access.log combined Require all granted 3, Start apache

Start apache and set the boot to start automatically

Systemctl enable httpd.servicesystemctl start httpd.service7, create domains, projects, users, and roles

Create using OS_TOKEN

OSTOKEN is the ADMINTOKEN just written into the keystone.conf configuration file

[root@linux-node1 ~] # export OS_TOKEN= fb373c742a49db0bd7af [root @ linux-node1 ~] # export OS_URL= http://192.168.56.11:35357/v3#35357 is the admin port of keystone [root@linux-node1 ~] # export OS_IDENTITY_API_VERSION=3 (1) create domain default

The authentication service provides authentication services for each OpenStack service.

Create an admin project

Create an admin user

Create a role for admin

Add admin roles to admin projects and users:

[root@linux-node1 ~] # openstack role add-- project admin-- user admin admin (3) create demo projects and users

Regular tasks should use unprivileged projects and users. Create demo projects and users here

Create a demo project

Create a demo user

Create a user role

Add user roles to demo projects and groups

[root@linux-node1 ~] # openstack role add-- project demo-- user demo user (4) create service project

Each service needs to access keystone, access keystone needs authentication, and a user needs to be created. The user belongs to a project. Each service contains the service project of a unique user.

Each user needs a user name and password to connect to the keystone, so create the required users here at once

Create a glance user

Create a nova user

Create a neutron user

In the Openstack environment, the authentication service manages the service catalog. Services use this directory to determine which services are available in the environment.

OpenStack uses three API endpoint variants to represent each service: admin,internal and public

Create an endpoint for the authentication service:

Use the admin user and password created above to connect to keystone and see if you can get token

You can get a value, which means that keystone is installed and configured successfully, and keystone can work. We can also see the failure time of token from the results.

Test demo users

In order to improve the efficiency of client-side operations, OpenStack supports simple client-side environment variable scripts, namely OpenRC files.

Create script

[root@linux-node1 ~] # cat admin-openstack.sh export OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=adminexport OS_USERNAME=adminexport OS_PASSWORD=adminexport OS_AUTH_URL= http://192.168.56.11:35357/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2

Request authentication token after executing the script

Create a demo environment variable script

[root@linux-node1 ~] # cat demo-openstack.sh export OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=DEMO_PASSexport OS_AUTH_URL= http://controller:5000/v3export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.