Table of contents
- 2. Controller NIC configuration
- 2.1 Disable the firewall (same on compute)
- 2.2 Set a static IP address
- 2.2.1 **Set the gateway address**
- 2.2.2 **Configure the static IP** (same on compute, with IP ending in 200)
- 2.2.3 **Restart the network service**
- 2.3 **Change the hostname** (set to compute on compute)
- 2.4 **Add hosts entries (same on compute)**
- 2.5 Disable SELinux (same on compute)
- 3. Install NTP on Controller
- 3.1 Install NTP
- 3.2 Configure NTP
- 3.3 Sync Compute's time to Controller
- 4. Install MySQL on Controller
- 4.1 Configure the MySQL extra repository
- 4.2 Install MySQL
- 4.3 Start MySQL and enable it at boot
- 4.3 Log in to the database with the initial MySQL password
- 4.4 Set the encoding to utf8
- 5. Install memcached on Controller (default port 11211)
- 6. Install RabbitMQ on Controller
- 6.1 Install Erlang
- 6.2 Install socat
- 6.3 RabbitMQ version compatibility
- 6.4 Start the RabbitMQ service
- 6.5 Enable the web management plugin
- 6.6 Create an OpenStack user, named with your own name in pinyin
- 7. Install the latest OpenStack repository
- 8. Install Keystone on Controller
- 8.1 Install dependencies
- 8.2 MySQL configuration
- 8.3 Edit the Keystone configuration file
- 8.4 Initialize the Keystone database
- 8.5 Initialize the Fernet key repository and bootstrap the Identity service
- 8.6 **Configure the admin account's environment variables**
- 8.7 Request an authentication token
- 8.8 Create a new project in OpenStack
- 9. Get a token
- 10. Revoke a token
- 11. Get roles
- 11. Get the catalog, services and endpoints
- Controller
2. Controller NIC configuration
2.1 Disable the firewall (same on compute)
systemctl stop firewalld # stop it now
systemctl disable firewalld # do not start it at boot
2.2 Set a static IP address
2.2.1 Set the gateway address
2.2.2 Configure the static IP (same on compute, with IP ending in 200)
[root@bogon network-scripts]# cd /etc/sysconfig/network-scripts/
[root@bogon network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static # => use a static IP
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=fd04db7b-7ddd-465a-b838-cfb11ae05c85
DEVICE=ens33 # NIC name
ONBOOT=yes # => bring the NIC up at boot
IPADDR=192.168.233.100 # => the static IP address (200 on compute)
NETMASK=255.255.255.0 # => subnet mask
GATEWAY=192.168.233.2 # => gateway address
DNS1=192.168.233.2 # => DNS address (the gateway here)
2.2.3 Restart the network service
service network restart
2.3 Change the hostname (set to compute on compute)
[root@localhost ~]# vim /etc/hostname
controller
:wq
[root@bogon ~]# hostname
bogon
[root@bogon ~]# hostnamectl
Static hostname: controller
Transient hostname: bogon
Icon name: controller-vm
Chassis: vm
Machine ID: 3ff0c78c3ff24670ab5285397df8c62c
Boot ID: 4222d956a6914805af9e8e538f01952d
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-1160.el7.x86_64
Architecture: x86-64
[root@bogon ~]# hostnamectl --transient
controller
[root@bogon ~]# hostname
controller
[root@bogon ~]# reboot
2.4 Add hosts entries (same on compute)
[root@controller ~]# cat /etc/hosts # show the current hosts file
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@controller ~]# vim /etc/hosts
127.0.0.1 controller localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.233.200 compute # on compute, the entry is 192.168.233.100 (the controller)
[root@controller ~]# ping compute
PING compute (192.168.233.200) 56(84) bytes of data.
64 bytes from compute (192.168.233.200): icmp_seq=1 ttl=64 time=0.473 ms
64 bytes from compute (192.168.233.200): icmp_seq=2 ttl=64 time=0.418 ms
2.5 Disable SELinux (same on compute)
[root@controller ~]# getenforce # show the current mode
Enforcing
[root@controller ~]# sestatus # show the status
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
[root@controller ~]# setenforce 0 # disable for this boot only; the permanent setting below takes effect after a reboot
[root@controller ~]# vim /etc/selinux/config # disable permanently
[root@controller ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@controller ~]# sestatus # after the reboot
SELinux status: disabled
3. Install NTP on Controller
NTP, short for Network Time Protocol, is a protocol for synchronizing computer clocks. It lets a computer synchronize with a time server or clock source (such as a quartz clock or GPS), provides high-accuracy correction (under 1 ms from the reference on a LAN, tens of milliseconds over a WAN), and can use cryptographic authentication to defend against malicious protocol attacks.
3.1 Install NTP
[root@controller ~]# yum install ntp
3.2 Configure NTP
[root@controller ~]# vim /etc/ntp.conf
...
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 8
...
[root@controller ~]# systemctl start ntpd.service // start the ntp service
[root@controller ~]# systemctl enable ntpd.service // enable at boot
[root@controller ~]# ntpq -p // show peers and synchronization status
remote refid st t when poll reach delay offset jitter
==============================================================================
+time.cloudflare 10.12.2.186 3 u 6 64 7 173.979 -0.434 0.420
*tick.ntp.infoma .GPS. 1 u 4 64 7 180.762 12.364 9.194
+makaki.miuku.ne 218.186.3.36 2 u 8 64 7 118.586 0.959 3.578
ntp1.ams1.nl.le 130.133.1.10 2 u 5 64 7 178.315 -0.166 1.903
LOCAL(0) .LOCL. 8 l 78 64 6 0.000 0.000 0.000
// The local clock has synchronized with the external NTP servers. In the ntpq report, a leading * in the first column marks the currently selected sync source, and + marks candidate servers that may be used to further improve accuracy.
3.3 Sync Compute's time to Controller
[root@compute ~]# yum install ntp
[root@compute ~]# vim /etc/ntp.conf
...
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# server 0.centos.pool.ntp.org iburst
# server 1.centos.pool.ntp.org iburst
# server 2.centos.pool.ntp.org iburst
# server 3.centos.pool.ntp.org iburst
server controller # sync to the controller's time
...
[root@compute ~]# ntpdate controller # manually pre-sync the clock
[root@compute ~]# systemctl start ntpd.service # start the service
[root@compute ~]# systemctl enable ntpd.service # enable at boot
[root@compute ~]# systemctl status ntpd.service
● ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since 六 2021-06-05 21:54:20 CST; 7s ago
Process: 1547 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1548 (ntpd)
CGroup: /system.slice/ntpd.service
└─1548 /usr/sbin/ntpd -u ntp:ntp -g
6月 05 21:54:20 compute ntpd[1548]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
6月 05 21:54:20 compute ntpd[1548]: Listen and drop on 1 v6wildcard :: UDP 123
6月 05 21:54:20 compute ntpd[1548]: Listen normally on 2 lo 127.0.0.1 UDP 123
6月 05 21:54:20 compute ntpd[1548]: Listen normally on 3 ens33 192.168.233.200 UDP 123
6月 05 21:54:20 compute ntpd[1548]: Listen normally on 4 lo ::1 UDP 123
6月 05 21:54:20 compute ntpd[1548]: Listen normally on 5 ens33 fe80::805d:d319:92b2:51d5 UDP 123
6月 05 21:54:20 compute ntpd[1548]: Listening on routing socket on fd #22 for interface updates
6月 05 21:54:20 compute ntpd[1548]: 0.0.0.0 c016 06 restart
6月 05 21:54:20 compute ntpd[1548]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
6月 05 21:54:20 compute ntpd[1548]: 0.0.0.0 c011 01 freq_not_set
[root@compute ~]# ntpq -p # check synchronization status on compute
remote refid st t when poll reach delay offset jitter
==============================================================================
controller 84.16.73.33 2 u 24 64 163 0.503 2749847 2381437
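Added example, not from the original post: a parser for the `ntpq -p` tally codes described in 3.2, applied to both outputs above (reconstructed with ntpq's column layout). It shows that the controller has a selected source (*), while the compute node at that moment has no selected source and an offset of about 2.7 million ms, so it is not synchronized yet; the 1000 ms threshold is an assumption for a lab.

```python
"""Check `ntpq -p` output for real synchronization (added example)."""

# Controller output, section 3.2 (reconstructed from the post).
CONTROLLER_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time.cloudflare 10.12.2.186      3 u    6   64    7  173.979   -0.434   0.420
*tick.ntp.infoma .GPS.            1 u    4   64    7  180.762   12.364   9.194
+makaki.miuku.ne 218.186.3.36     2 u    8   64    7  118.586    0.959   3.578
 ntp1.ams1.nl.le 130.133.1.10     2 u    5   64    7  178.315   -0.166   1.903
 LOCAL(0)        .LOCL.           8 l   78   64    6    0.000    0.000   0.000
"""

# Compute node output, section 3.3 (reconstructed from the post).
COMPUTE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 controller      84.16.73.33      2 u   24   64  163    0.503  2749847 2381437
"""

# Meaning of the tally character ntpq prints in column 0.
TALLY = {"*": "selected", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", ".": "excess", "o": "pps", " ": "unused"}


def parse_ntpq(text):
    """One dict per peer line. After the tally the columns are:
    remote, refid, st, t, when, poll, reach (octal), delay, offset, jitter."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": tally, "status": TALLY.get(tally, "unknown"),
            "remote": fields[0], "refid": fields[1], "stratum": int(fields[2]),
            "reach": int(fields[6], 8),   # 8-bit shift register of recent polls
            "offset_ms": float(fields[8]),
        })
    return peers


def sync_health(peers, max_offset_ms=1000.0):
    """Return (ok, reasons). ok only when a '*' peer exists, answered the
    most recent poll, and its offset is within max_offset_ms (assumed)."""
    reasons = []
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        reasons.append("no selected sync source (*)")
        worst = max((abs(p["offset_ms"]) for p in peers), default=0.0)
        if worst > max_offset_ms:
            reasons.append("largest offset %.0f ms exceeds %.0f ms" % (worst, max_offset_ms))
        return False, reasons
    src = selected[0]
    if (src["reach"] & 1) == 0:   # low bit = most recent poll
        reasons.append("selected source %s missed the last poll" % src["remote"])
    if abs(src["offset_ms"]) > max_offset_ms:
        reasons.append("offset %.0f ms exceeds %.0f ms" % (src["offset_ms"], max_offset_ms))
    return not reasons, reasons


if __name__ == "__main__":
    for name, text in (("controller", CONTROLLER_NTPQ), ("compute", COMPUTE_NTPQ)):
        print(name, sync_health(parse_ntpq(text)))
```

Fernet tokens (section 8.5) carry expiry timestamps, so a compute node this far off will reject or mis-handle tokens until its clock is stepped; re-run the check after `ntpdate controller`.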
4. Install MySQL on Controller
4.1 Configure the MySQL extra repository
[root@controller ~]# rpm -ivh http://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/mysql57-community-release-el7-10.noarch.rpm
4.2 Install MySQL
[root@controller ~]# yum install mysql-community-server -y
4.3 Start MySQL and enable it at boot
[root@controller ~]# systemctl start mysqld
[root@controller ~]# systemctl enable mysqld
4.3 Log in to the database with the initial MySQL password
[root@controller ~]# cat /var/log/mysqld.log
2021-06-06T04:20:13.352670Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2021-06-06T04:20:13.549760Z 0 [Warning] InnoDB: New log files created, LSN=45790
2021-06-06T04:20:13.573916Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
2021-06-06T04:20:13.636856Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: 7d5d294d-c67e-11eb-8a66-000c2914e458.
2021-06-06T04:20:13.637996Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
2021-06-06T04:20:14.501430Z 0 [Warning] CA certificate ca.pem is self signed.
2021-06-06T04:20:14.646698Z 1 [Note] A temporary password is generated for root@localhost: isQ;!o,zA0/k
2021-06-06T04:20:16.638318Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2021-06-06T04:20:16.639787Z 0 [Note] /usr/sbin/mysqld (mysqld 5.7.34) starting as process 4769 ...
2021-06-06T04:20:16.645249Z 0 [Note] InnoDB: PUNCH HOLE support available
2021-06-06T04:20:16.645286Z 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2021-06-06T04:20:16.645290Z 0 [Note] InnoDB: Uses event mutexes
2021-06-06T04:20:16.645294Z 0 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
2021-06-06T04:20:16.645297Z 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2021-06-06T04:20:16.645300Z 0 [Note] InnoDB: Using Linux native AIO
2021-06-06T04:20:16.645539Z 0 [Note] InnoDB: Number of pools: 1
2021-06-06T04:20:16.645701Z 0 [Note] InnoDB: Using CPU crc32 instructions
2021-06-06T04:20:16.647426Z 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2021-06-06T04:20:16.655893Z 0 [Note] InnoDB: Completed initialization of buffer pool
2021-06-06T04:20:16.658224Z 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2021-06-06T04:20:16.670214Z 0 [Note] InnoDB: Highest supported file format is Barracuda.
2021-06-06T04:20:16.679070Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2021-06-06T04:20:16.679151Z 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2021-06-06T04:20:16.690037Z 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2021-06-06T04:20:16.690807Z 0 [Note] InnoDB: 96 redo rollback segment(s) found. 96 redo rollback segment(s) are active.
2021-06-06T04:20:16.690820Z 0 [Note] InnoDB: 32 non-redo rollback segment(s) are active.
2021-06-06T04:20:16.766083Z 0 [Note] InnoDB: 5.7.34 started; log sequence number 2747496
2021-06-06T04:20:16.766907Z 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2021-06-06T04:20:16.767177Z 0 [Note] Plugin 'FEDERATED' is disabled.
2021-06-06T04:20:16.841186Z 0 [Note] InnoDB: Buffer pool(s) load completed at 210606 12:20:16
2021-06-06T04:20:16.917987Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2021-06-06T04:20:16.918007Z 0 [Note] Skipping generation of SSL certificates as certificate files are present in data directory.
2021-06-06T04:20:16.918731Z 0 [Warning] CA certificate ca.pem is self signed.
2021-06-06T04:20:16.918781Z 0 [Note] Skipping generation of RSA key pair as key files are present in data directory.
2021-06-06T04:20:16.919329Z 0 [Note] Server hostname (bind-address): '*'; port: 3306
2021-06-06T04:20:16.919362Z 0 [Note] IPv6 is available.
2021-06-06T04:20:16.919371Z 0 [Note] - '::' resolves to '::';
2021-06-06T04:20:16.919385Z 0 [Note] Server socket created on IP: '::'.
2021-06-06T04:20:16.931866Z 0 [Note] Event Scheduler: Loaded 0 events
2021-06-06T04:20:16.951427Z 0 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.7.34' socket: '/var/lib/mysql/mysql.sock' port: 3306 MySQL Community Server (GPL)
The relevant line is 2021-06-06T04:20:14.646698Z 1 [Note] A temporary password is generated for root@localhost: isQ;!o,zA0/k
The password is ==isQ;!o,zA0/k==
Log in to MySQL:
[root@controller ~]# mysql -uroot -p'isQ;!o,zA0/k'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.34
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Change the password: the database's default password policy requires upper- and lower-case letters and special characters and a length greater than 8, otherwise an error is raised. To set a simpler password, first change the global validate_password_policy and validate_password_length values.
mysql> set global validate_password_policy=0;
Query OK, 0 rows affected (0.00 sec)
mysql> set global validate_password_length=1;
Query OK, 0 rows affected (0.00 sec)
mysql> set password for root@localhost = password('root'); // change the password
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> exit // exit and log back in to mysql
Bye
[root@controller ~]# mysql -uroot -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.34 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
4.4 Set the encoding to utf8
[root@controller ~]# cp /etc/my.cnf /etc/my.cnf.bak # back up the original config
[root@controller ~]# vim /etc/my.cnf
Add at the end of the [mysqld] section:
character-set-server=utf8
[root@controller ~]# systemctl restart mysqld
5. Install memcached on Controller (default port 11211)
[root@controller ~]# yum install memcached python-memcached
[root@controller ~]# systemctl enable memcached
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@controller ~]# systemctl start memcached
[root@controller ~]# systemctl status memcached
● memcached.service - Memcached
Loaded: loaded (/usr/lib/systemd/system/memcached.service; enabled; vendor preset: disabled)
Active: active (running) since 日 2021-06-06 12:45:11 CST; 2s ago
Main PID: 5016 (memcached)
CGroup: /system.slice/memcached.service
└─5016 /usr/bin/memcached -u memcached -p 11211 -m 64 -c 1024
6月 06 12:45:11 controller systemd[1]: Started Memcached.
6. Install RabbitMQ on Controller
Install RabbitMQ, OpenStack's message broker; if RabbitMQ is not running, the whole OpenStack platform is unusable. RabbitMQ listens on port 5672.
6.1 Install Erlang
- RabbitMQ is written in Erlang, so Erlang must be installed before RabbitMQ
[root@controller ~]# wget https://packages.erlang-solutions.com/erlang/rpm/centos/7/x86_64/esl-erlang_22.2.2-1~centos~7_amd64.rpm
[root@controller ~]# rpm -ivh esl-erlang_22.2.2-1~centos~7_amd64.rpm
警告:esl-erlang_22.2.2-1~centos~7_amd64.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID a14f4fca: NOKEY
错误:依赖检测失败:
libGL.so.1()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libGLU.so.1()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libodbc.so.2()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_baseu-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_baseu-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_baseu_xml-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_adv-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_adv-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_aui-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_aui-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_aui-2.8.so.0(WXU_2.8.5)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_core-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_core-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_core-2.8.so.0(WXU_2.8.10)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_gl-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_gl-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_html-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_html-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_stc-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_stc-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_xrc-2.8.so.0()(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
libwx_gtk2u_xrc-2.8.so.0(WXU_2.8)(64bit) 被 esl-erlang-22.2.2-1.x86_64 需要
Install the dependencies:
yum install epel-release
yum install unixODBC unixODBC-devel wxBase wxGTK SDL wxGTK-gl
Install again:
[root@controller ~]# rpm -ivh esl-erlang_22.2.2-1~centos~7_amd64.rpm
警告:esl-erlang_22.2.2-1~centos~7_amd64.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID a14f4fca: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:esl-erlang-22.2.2-1 ################################# [100%]
Erlang OTP 22.2.2 installed
[root@controller ~]# erl
Erlang/OTP 22 [erts-10.6.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]
Eshell V10.6.2 (abort with ^G)
6.2 Install socat
- RabbitMQ depends on socat, so install socat first
yum install socat
6.3 RabbitMQ version compatibility
https://www.rabbitmq.com/which-erlang.html
rpm: https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.7.18
[root@controller ~]# wget https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.18/rabbitmq-server-3.7.18-1.el6.noarch.rpm
[root@controller ~]# rpm -ivh rabbitmq-server-3.7.18-1.el6.noarch.rpm
警告:rabbitmq-server-3.7.18-1.el6.noarch.rpm: 头V4 RSA/SHA256 Signature, 密钥 ID 6026dfca: NOKEY
准备中... ################################# [100%]
正在升级/安装...
1:rabbitmq-server-3.7.18-1.el6 ################################# [100%]
6.4 Start the RabbitMQ service
[root@controller ~]# service rabbitmq-server start
Starting rabbitmq-server (via systemctl): [ 确定 ]
# enable at boot
[root@controller ~]# chkconfig rabbitmq-server on
6.5 Enable the web management plugin
[root@controller ~]# rabbitmq-plugins list # list plugins
Listing plugins with pattern ".*" ...
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@controller
|/
[ ] rabbitmq_amqp1_0 3.7.18
[ ] rabbitmq_auth_backend_cache 3.7.18
[ ] rabbitmq_auth_backend_http 3.7.18
[ ] rabbitmq_auth_backend_ldap 3.7.18
[ ] rabbitmq_auth_mechanism_ssl 3.7.18
[ ] rabbitmq_consistent_hash_exchange 3.7.18
[ ] rabbitmq_event_exchange 3.7.18
[ ] rabbitmq_federation 3.7.18
[ ] rabbitmq_federation_management 3.7.18
[ ] rabbitmq_jms_topic_exchange 3.7.18
[ ] rabbitmq_management 3.7.18
[ ] rabbitmq_management_agent 3.7.18
[ ] rabbitmq_mqtt 3.7.18
[ ] rabbitmq_peer_discovery_aws 3.7.18
[ ] rabbitmq_peer_discovery_common 3.7.18
[ ] rabbitmq_peer_discovery_consul 3.7.18
[ ] rabbitmq_peer_discovery_etcd 3.7.18
[ ] rabbitmq_peer_discovery_k8s 3.7.18
[ ] rabbitmq_random_exchange 3.7.18
[ ] rabbitmq_recent_history_exchange 3.7.18
[ ] rabbitmq_sharding 3.7.18
[ ] rabbitmq_shovel 3.7.18
[ ] rabbitmq_shovel_management 3.7.18
[ ] rabbitmq_stomp 3.7.18
[ ] rabbitmq_top 3.7.18
[ ] rabbitmq_tracing 3.7.18
[ ] rabbitmq_trust_store 3.7.18
[ ] rabbitmq_web_dispatch 3.7.18
[ ] rabbitmq_web_mqtt 3.7.18
[ ] rabbitmq_web_mqtt_examples 3.7.18
[ ] rabbitmq_web_stomp 3.7.18
[ ] rabbitmq_web_stomp_examples 3.7.18
[root@controller ~]# rabbitmq-plugins enable rabbitmq_management # enable this plugin for web management
Enabling plugins on node rabbit@controller:
rabbitmq_management
The following plugins have been configured:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
Applying plugin configuration to rabbit@controller...
The following plugins have been enabled:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
started 3 plugins.
[root@controller ~]# systemctl restart rabbitmq-server.service
Open the RabbitMQ web UI at http://192.168.233.100:15672/
The default username and password are both guest, but since 3.3 RabbitMQ forbids guest logins from anywhere other than localhost; according to the official documentation, remote login can be allowed through rabbitmq.config / rabbitmq.conf.
6.6 Create an OpenStack user, named with your own name in pinyin
[root@controller ~]# rabbitmqctl add_user fzu_lxb fzu_lxb
Adding user "fzu_lxb" ...
[root@controller ~]# systemctl restart rabbitmq-server.service
[root@controller ~]# rabbitmqctl list_users
Listing users ...
user tags
fzu_lxb []
guest [administrator]
[root@controller ~]# rabbitmqctl set_user_tags fzu_lxb administrator
Setting tags for user "fzu_lxb" to [administrator] ...
[root@controller keystone]# rabbitmqctl set_permissions fzu_lxb ".*" ".*" ".*"
Setting permissions for user "fzu_lxb" in vhost "/" ...
[root@controller keystone]# rabbitmqctl list_permissions
Listing permissions for vhost "/" ...
user configure write read
guest .* .* .*
fzu_lxb .* .* .*
7. Install the latest OpenStack repository
[root@controller ~]# yum install centos-release-openstack-rocky python2-openstackclient
8. Install Keystone on Controller
8.1 Install dependencies
The mod_wsgi package lets Apache front Python programs: every OpenStack component, including the APIs, is written in Python, but requests arrive at Apache, which forwards them to Python for handling. These packages are installed only on the controller node.
[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi openstack-utils python-keystoneclient
8.2 MySQL configuration
mysql> create database keystone;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'root';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
mysql> set global validate_password_policy=0;
Query OK, 0 rows affected (0.00 sec)
mysql> set global validate_password_length=1;
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'root';
Query OK, 0 rows affected, 1 warning (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'root';
Query OK, 0 rows affected, 1 warning (0.00 sec)
8.3 Edit the Keystone configuration file
[root@controller keystone]# cd /etc/keystone/
[root@controller keystone]# ls
default_catalog.templates keystone-paste.ini policy.json
keystone.conf logging.conf sso_callback_template.html
[root@controller keystone]# cp keystone.conf keystone.conf.bak
[root@controller keystone]# vim keystone.conf
In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:root@192.168.233.100/keystone
Explanation: connection = mysql+pymysql://username:password@192.168.233.100/keystone
In the [token] section, configure the token provider (Fernet):
[token]
...
provider = fernet
driver = memcache
[DEFAULT]
admin_token = cdda1486bf623ac74d53
verbose = True
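Added example, not from the post and not a Keystone tool: a small audit of the three sections edited above, using only the standard library. It flags the static admin_token and the root database password that the post's GRANT statements create; the severities, the 12-character password threshold and the list of trivial passwords are this example's own assumptions.

```python
"""Audit the keystone.conf settings edited in section 8.3 (added example)."""
import configparser
from urllib.parse import urlsplit

# Constructed from the post's fragment in 8.3 (the "..." lines omitted).
KEYSTONE_CONF = """
[DEFAULT]
admin_token = cdda1486bf623ac74d53
verbose = True

[database]
connection = mysql+pymysql://keystone:root@192.168.233.100/keystone

[token]
provider = fernet
driver = memcache
"""

TRIVIAL_PASSWORDS = {"root", "keystone", "password", "123456"}  # assumed list


def audit_keystone_conf(text):
    """Return a list of (severity, message); an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # admin_token is a static shared secret that ends up in every copy of
    # the file (the post keeps keystone.conf.bak); keystone-manage bootstrap
    # in 8.5 creates the admin user with a password, so it is not needed.
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("high", "[DEFAULT] admin_token is set; remove it"))

    # connection = mysql+pymysql://user:password@host/db
    conn = cp.get("database", "connection", fallback="")
    url = urlsplit(conn)
    if url.password is not None:
        if len(url.password) < 12 or url.password in TRIVIAL_PASSWORDS:
            findings.append(("high", "[database] connection embeds a trivial DB password"))
        if url.username != "keystone":
            findings.append(("medium", "[database] connection does not use the dedicated keystone DB user"))

    if cp.get("token", "provider", fallback="") != "fernet":
        findings.append(("medium", "[token] provider should be fernet (section 8.3)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_keystone_conf(KEYSTONE_CONF):
        print(severity, message)
```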
8.4 Initialize the Keystone database
[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller keystone]# mysql -ukeystone -proot
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.34 MySQL Community Server (GPL)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
44 rows in set (0.00 sec)
8.5 Initialize the Fernet key repository and bootstrap the Identity service
This step initializes OpenStack: it writes the admin user's information into the user table in MySQL, and the URLs and other information into the related tables.
admin-url is the management network (for example the internal OpenStack management network of a public cloud), used to manage scaling out or deleting VMs. If the public network and the management network were one network, heavy traffic could prevent the OpenStack control plane from scaling VMs, so a separate management network is needed.
internal-url is the internal network used for data transfer, for example VMs accessing storage, databases and middleware such as ZooKeeper; this network must not be reachable from outside and is only for use within the organization.
public-url is the public network, accessible to users (for example a public cloud). This environment does not have separate networks, so all three share the same network.
Port 5000 is the port on which Keystone provides authentication.
A listen entry needs to be added on the haproxy server.
The URLs for each network should point at the controller node's domain name, usually the domain name of the haproxy VIP (in high-availability mode).
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
(The two commands above generate two key repositories under /etc/keystone/, used to encrypt data.)
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 123456 \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
Set: ServerName controller
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~]# ll /etc/httpd/conf.d/
总用量 16
-rw-r--r-- 1 root root 2926 11月 17 2020 autoindex.conf
-rw-r--r-- 1 root root 366 11月 17 2020 README
-rw-r--r-- 1 root root 1252 11月 16 2020 userdir.conf
-rw-r--r-- 1 root root 824 11月 16 2020 welcome.conf
lrwxrwxrwx 1 root root 38 6月 6 15:41 wsgi-keystone.conf -> /usr/share/keystone/wsgi-keystone.conf
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since 日 2021-06-06 15:41:44 CST; 8s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 60423 (httpd)
Status: "Processing requests..."
CGroup: /system.slice/httpd.service
├─60423 /usr/sbin/httpd -DFOREGROUND
├─60426 (wsgi:keystone- -DFOREGROUND
├─60427 (wsgi:keystone- -DFOREGROUND
├─60428 (wsgi:keystone- -DFOREGROUND
├─60429 (wsgi:keystone- -DFOREGROUND
├─60430 (wsgi:keystone- -DFOREGROUND
├─60431 /usr/sbin/httpd -DFOREGROUND
├─60432 /usr/sbin/httpd -DFOREGROUND
├─60433 /usr/sbin/httpd -DFOREGROUND
├─60434 /usr/sbin/httpd -DFOREGROUND
└─60440 /usr/sbin/httpd -DFOREGROUND
6月 06 15:41:44 controller systemd[1]: Starting The Apache HTTP Server...
6月 06 15:41:44 controller systemd[1]: Started The Apache HTTP Server.
8.6 Configure the admin account's environment variables
Using Keystone always requires authentication, and Keystone accepts it in two ways: 1) command-line options, 2) environment variables.
These environment variables are used when creating roles and projects. Those operations need credentials, so the username, password and other authentication details are declared as environment variables; the client then authenticates to OpenStack with them without an interactive login and can create projects and roles. In other words, the admin user's credentials are handed to OpenStack through environment variables, which allows non-interactive operation.
[root@ct ~]# cat >> ~/.bashrc << EOF
> export OS_USERNAME=admin # console login username
> export OS_PASSWORD=123456 # console login password
> export OS_PROJECT_NAME=admin
> export OS_USER_DOMAIN_NAME=Default
> export OS_PROJECT_DOMAIN_NAME=Default
> export OS_AUTH_URL=http://controller:5000/v3
> export OS_IDENTITY_API_VERSION=3
> export OS_IMAGE_API_VERSION=2
> EOF
[root@ct ~]# source ~/.bashrc
This creates a service entity and endpoint, and the admin role and admin project; details below:
8.7 Request an authentication token
8.8 Create a new project in OpenStack
Create an admin project named fzu, and create a user named with the initials, as follows:
1. Create a project named fzu
2. Create a user and password
- Bind the user and the admin role to the project
- Use the openstack commands to create another non-admin project, user and role
Note that the token above, of type Password authentication with unscoped authorization, does not contain role information, so API requests made with it are restricted (no permission).
So first obtain a Password authentication with unscoped authorization token; the response contains its id. Then use that id to obtain a Password authentication with scoped authorization token; requesting the API with that token returns role information.
Remember this token,
Get services:
Get endpoints:
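The unscoped-then-scoped token flow from 8.7 to 11, as an added example (not the post's code and not python-keystoneclient): it builds the /v3/auth/tokens request bodies, reads the token id from the X-Subject-Token response header, and extracts roles and the catalog's services and endpoints from the scoped response. The project id and the response bodies are constructed for offline use; urllib_post talks to a real controller using the OS_* variables from 8.6.

```python
"""Keystone v3 token flow: unscoped password auth, then a project-scoped
token, then roles, services and endpoints (added example)."""
import json
import os
import urllib.request


def unscoped_auth_body(username, password, user_domain="Default"):
    """Password authentication with unscoped authorization: no 'scope' key,
    so the returned token carries no roles and no catalog."""
    return {"auth": {"identity": {"methods": ["password"], "password": {
        "user": {"name": username, "domain": {"name": user_domain},
                 "password": password}}}}}


def scoped_auth_body(token_id, project_id):
    """Authenticate with the unscoped token id and scope it to a project."""
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": token_id}},
                     "scope": {"project": {"id": project_id}}}}


def roles_and_endpoints(token_json):
    """Role names and a {service_type: {interface: url}} map taken from a
    scoped token response body (the catalog lists services and endpoints)."""
    tok = token_json["token"]
    roles = sorted(r["name"] for r in tok.get("roles", []))
    endpoints = {}
    for svc in tok.get("catalog", []):
        for ep in svc.get("endpoints", []):
            endpoints.setdefault(svc["type"], {})[ep["interface"]] = ep["url"]
    return roles, endpoints


def get_scoped_token(post, auth_url, username, password, project_id):
    """Two-step flow: unscoped token -> scoped token. `post(url, body)` must
    return (headers, json_body); Keystone returns the token id in the
    X-Subject-Token response header, not in the body."""
    hdrs, _ = post(auth_url + "/auth/tokens", unscoped_auth_body(username, password))
    hdrs, body = post(auth_url + "/auth/tokens",
                      scoped_auth_body(hdrs["X-Subject-Token"], project_id))
    return hdrs["X-Subject-Token"], body


def urllib_post(url, body):
    """Real transport for a live controller (header lookup is case-insensitive)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers, json.loads(resp.read())


# Constructed responses standing in for http://controller:5000/v3; the token
# ids and the project id of fzu are made up for this example.
FAKE_RESPONSES = {
    "password": ({"X-Subject-Token": "unscoped-token-id"},
                 {"token": {"methods": ["password"]}}),
    "token": ({"X-Subject-Token": "scoped-token-id"}, {"token": {
        "methods": ["token", "password"],
        "roles": [{"id": "r1", "name": "admin"}, {"id": "r2", "name": "member"}],
        "project": {"id": "proj-fzu-id", "name": "fzu"},
        "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne", "url": "http://controller:5000/v3/"},
            {"interface": "internal", "region": "RegionOne", "url": "http://controller:5000/v3/"},
            {"interface": "admin", "region": "RegionOne", "url": "http://controller:5000/v3/"}]}]}}),
}


def fake_post(url, body):
    """Offline stand-in for urllib_post: answers by the auth method used."""
    assert url.endswith("/auth/tokens"), url
    return FAKE_RESPONSES[body["auth"]["identity"]["methods"][0]]


def demo(post=fake_post, project_id="proj-fzu-id"):
    """Run the flow with the OS_* variables from 8.6 when they are set."""
    token_id, body = get_scoped_token(
        post, os.environ.get("OS_AUTH_URL", "http://controller:5000/v3"),
        os.environ.get("OS_USERNAME", "admin"),
        os.environ.get("OS_PASSWORD", "123456"), project_id)
    roles, endpoints = roles_and_endpoints(body)
    return token_id, roles, endpoints


if __name__ == "__main__":
    print(demo())
```

Against the real controller call `demo(urllib_post, project_id)` with the id returned by `openstack project show fzu`; the scoped token is a bearer credential, so treat it like the password it was derived from.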