Openstack HA集群5-Keystone HA
# yum install -y openstack-keystone httpd mod_wsgi
# mysql -u root -p -e "CREATE DATABASE keystone "
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.03 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'zoomtech';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
-> IDENTIFIED BY 'zoomtech';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> exit
Bye
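或者用非交互方式完成同样的建库和授权(注意:这种写法会把 keystone 的数据库口令留在命令行和 shell 历史里;'zoomtech' 只是示例口令,生产环境应换成强口令,并把 'keystone'@'%' 收窄到控制节点所在的网段):
[root@controller1 ~]# mysql -uroot -p -e "CREATE DATABASE keystone"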
[root@controller1 ~]# mysql -uroot -p -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'zoomtech'"
[root@controller1 ~]# mysql -uroot -p -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'zoomtech'"
[root@controller1 ~]# openssl rand -hex 10
d68d8a32a75bdbfdb004
配置/etc/keystone/keystone.conf文件
# Excerpt of /etc/keystone/keystone.conf for controller1; only the edited options are shown.
[DEFAULT]
verbose = true
# Bootstrap secret: a request presenting this value is treated as admin for as long as
# admin_token_auth stays in the keystone-paste.ini pipelines.
# NOTE(review): this is not the value printed by `openssl rand -hex 10` earlier in the guide;
# the later `openstack-config --set ... DEFAULT admin_token` call replaces it, and OS_TOKEN
# has to match whatever value ends up in the file.
admin_token = 745faaa51f7c62f8a2a7
# Per-node values: controller2 and controller3 change the next three options after the
# file is copied to them.
public_bind_host = 192.168.17.132
admin_bind_host = 192.168.17.132
bind_host = controller1
[database]
# The database password is embedded in this URL in clear text, which is why the guide keeps
# the file at mode 640, owner root, group keystone.
connection = mysql+pymysql://keystone:zoomtech@demo.open-stack.cn/keystone
[token]
# The guide later runs `openstack-config --set ... token provider fernet`, which replaces
# this UUID provider.
provider = keystone.token.providers.uuid.Provider
# NOTE(review): the key is spelled `dirver` (the other sections use `driver`) and the module
# path ends in `memcach`; as written this line probably has no effect - confirm which
# persistence backend is intended.
dirver = keystone.token.persistence.backends.memcach.Token
caching = true
# NOTE(review): this looks like an [auth]-section option (auth method plugin) - confirm it
# belongs under [token].
token = keystone.auth.plugins.token.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
[identity]
driver = sql
#driver = keystone.identity.backends.sql.identity
[catalog]
driver = sql
#driver = keystone.catalog.backends.sql.Catalog
[memcache]
# memcached on all three controllers.
# NOTE(review): memcached does not authenticate clients by default, so port 11211 should be
# reachable only from the controller nodes.
servers = controller1:11211,controller2:11211,controller3:11211
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token d68d8a32a75bdbfdb004
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:zoomtech@demo.open-stack.cn/keystone
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211
[root@controller1 ~]# scp /etc/keystone/keystone.conf controller2:/etc/keystone/
keystone.conf 100% 72KB 71.9KB/s 00:00
[root@controller1 ~]# scp /etc/keystone/keystone.conf controller3:/etc/keystone/
[root@controller2 ~]# vim /etc/keystone/keystone.conf
admin_token = 745faaa51f7c62f8a2a7
public_bind_host = 192.168.17.151
bind_host = controller2
admin_bind_host = 192.168.17.151
[root@controller3 ~]# vim /etc/keystone/keystone.conf
[default]
public_bind_host = 192.168.17.138
bind_host = controller3
admin_bind_host = 192.168.17.138
确认权限
[root@controller1 ~]# ll /etc/keystone/keystone.conf
-rw-r----- 1 root keystone 73642 Feb 21 15:42 /etc/keystone/keystone.conf
[root@controller1 ~]# chown root:keystone /etc/keystone/keystone.conf
[root@controller1 ~]# chmod 640 /etc/keystone/keystone.conf
同步Keystone数据库
[root@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
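初始化Fernet keys(HA 环境下三个节点必须使用同一套密钥:在 controller1 上生成后,需要把 /etc/keystone/fernet-keys/ 目录同步到 controller2 和 controller3,属主保持为 keystone 且仅属主可读,否则一个节点签发的 token 无法在其他节点上校验)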
[root@controller1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
配置Apache Http服务
1、三个节点配置 /etc/httpd/conf/httpd.conf
[root@controller1 ~] # vim /etc/httpd/conf/httpd.conf
ServerName controller1
Listen 8080
[root@controller2 ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller2
Listen 8080
[root@controller3 ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller3
Listen 8080
2、[root@controller1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
# mod_wsgi front end for Keystone: the public API on port 5000 and the admin API on port 35357.
# NOTE(review): no `Listen 5000` / `Listen 35357` directive appears in this listing, and the
# httpd.conf edits in this guide add only `Listen 8080`; httpd accepts connections only on
# ports named by a Listen directive, so confirm both are declared somewhere.
# NOTE(review): both virtual hosts are plain HTTP on every address (*), so passwords and
# tokens cross the network unencrypted unless TLS is terminated here or in front of httpd.
<VirtualHost *:5000>
# Five single-threaded daemon processes running as the unprivileged keystone user and group.
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Forward the HTTP Authorization header to the WSGI application.
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
# The WSGI entry script lives in /usr/bin, so httpd is granted access to that directory.
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
# Admin API: same layout as the public vhost, with its own process group; it writes to the
# same two log files.
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
将wsgi-keystone.conf复制到 controller2和controller3
3、启动apache
# systemctl enable httpd.service
# systemctl start httpd.service
[root@controller1 ~]# export OS_TOKEN=d68d8a32a75bdbfdb004
[root@controller1 ~]# export OS_URL=http://demo.open-stack.cn:35357/v3
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
创建服务实体和身份认证服务:
[root@controller1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 5fe30200d9464aa384b5ddc1864b0244 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
如果此处报如下错误,说明客户端连不上 OS_URL 指向的 35357 端口,请先确认 httpd 已经启动并在该端口监听:
Unable to establish connection to http://demo.open-stack.cn:35357/v3/services
创建认证服务的 API 端点:
[root@controller1 ~]# openstack endpoint create --region RegionOne \
identity public http://demo.open-stack.cn:5000/v3
+--------------+-----------------------------------+
| Field | Value |
+--------------+-----------------------------------+
| enabled | True |
| id | 527cfe77e4d64668ae4c5a92f5841607 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5fe30200d9464aa384b5ddc1864b0244 |
| service_name | keystone |
| service_type | identity |
| url | http://demo.open-stack.cn:5000/v3 |
+--------------+-----------------------------------+
[root@controller1 ~]# openstack endpoint create --region RegionOne identity internal http://demo.open-stack.cn:5000/v3
+--------------+-----------------------------------+
| Field | Value |
+--------------+-----------------------------------+
| enabled | True |
| id | 9ecf73dab7c9481b9bb6976be271e93c |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5fe30200d9464aa384b5ddc1864b0244 |
| service_name | keystone |
| service_type | identity |
| url | http://demo.open-stack.cn:5000/v3 |
+--------------+-----------------------------------+
[root@controller1 ~]# openstack endpoint create --region RegionOne identity admin http://demo.open-stack.cn:35357/v3
+--------------+------------------------------------+
| Field | Value |
+--------------+------------------------------------+
| enabled | True |
| id | 4606f3b199a14167a9ebe76a0bda45f3 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5fe30200d9464aa384b5ddc1864b0244 |
| service_name | keystone |
| service_type | identity |
| url | http://demo.open-stack.cn:35357/v3 |
+--------------+------------------------------------+
[root@controller1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 6fb0271bda4d459ab05a752b7708dee3 |
| name | default |
+-------------+----------------------------------+
[root@controller1 ~]# openstack project create --domain default \
--description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 6fb0271bda4d459ab05a752b7708dee3 |
| enabled | True |
| id | b81fade4255149c29aa53b87312f60de |
| is_domain | False |
| name | admin |
| parent_id | 6fb0271bda4d459ab05a752b7708dee3 |
+-------------+----------------------------------+
[root@controller1 ~]# openstack user create --domain default \
--password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 6fb0271bda4d459ab05a752b7708dee3 |
| enabled | True |
| id | e88caafd2c874b6ab4bc23d8b5fbf422 |
| name | admin |
+-----------+----------------------------------+
[root@controller1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | cb618462ef4a4479a7c0b611d3ead7ed |
| name | admin |
+-----------+----------------------------------+
[root@controller1 ~]# openstack role add --project admin --user admin admin
创建Service
[root@controller1 ~]# openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 6fb0271bda4d459ab05a752b7708dee3 |
| enabled | True |
| id | b581d85c3bd642d88909f36a1ebb6387 |
| is_domain | False |
| name | service |
| parent_id | 6fb0271bda4d459ab05a752b7708dee3 |
+-------------+----------------------------------+
创建``demo`` 项目:
[root@controller1 ~]# openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 6fb0271bda4d459ab05a752b7708dee3 |
| enabled | True |
| id | da951d38bfd24ecc9d7384d3b8760dd6 |
| is_domain | False |
| name | demo |
| parent_id | 6fb0271bda4d459ab05a752b7708dee3 |
+-------------+----------------------------------+
[root@controller1 ~]# openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 6fb0271bda4d459ab05a752b7708dee3 |
| enabled | True |
| id | f113613d853342dba7b9636b571208bf |
| name | demo |
+-----------+----------------------------------+
创建 user 角色:
[root@controller1 ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 1c0bcc0e6ffe46d7b0366ead1d55908f |
| name | user |
+-----------+----------------------------------+
[root@controller1 ~]# openstack role add --project demo --user demo user
编辑 /etc/keystone/keystone-paste.ini 文件,从 ``[pipeline:public_api]``、``[pipeline:admin_api]`` 和 ``[pipeline:api_v3]`` 部分删除 ``admin_token_auth``,以禁用临时的 admin_token 引导认证机制(每个节点各有一份 keystone-paste.ini,三个节点都需要同样修改)
[root@controller1 ~]# vim /etc/keystone/keystone-paste.ini
[root@controller1 ~]#
[root@controller1 ~]# unset OS_TOKEN OS_URL
[root@controller1 ~]# openstack --os-auth-url http://demo.open-stack.cn:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-02-22T06:28:10.845869Z |
| id | cff141923edc40d69ead04bcde8f01c4 |
| project_id | b81fade4255149c29aa53b87312f60de |
| user_id | e88caafd2c874b6ab4bc23d8b5fbf422 |
+------------+----------------------------------+
[root@controller1 ~]# vim admin-openrc.sh
# admin-openrc.sh - admin credentials for the OpenStack CLI; meant to be sourced.
# NOTE(review): OS_PASSWORD is kept here in clear text and is the same string this guide
# uses for the keystone database password; keep the file readable by its owner only
# (chmod 600) and use separate secrets for the two accounts.
# NOTE(review): OS_AUTH_URL is plain HTTP, so the password is sent unencrypted.

# Identity scope and credentials.
OS_PROJECT_DOMAIN_NAME=default
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=zoomtech

# Endpoint and API versions.
OS_AUTH_URL=http://demo.open-stack.cn:35357/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2

# Export everything in one statement so child processes (the openstack client) see it.
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
  OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION
[root@controller1 ~]# source admin-openrc.sh
[root@controller1 ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-02-22T06:30:45.484675Z |
| id | de745b965ce2466a904f18ce0a187279 |
| project_id | b81fade4255149c29aa53b87312f60de |
| user_id | e88caafd2c874b6ab4bc23d8b5fbf422 |
+------------+----------------------------------+
[root@controller1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 5fe30200d9464aa384b5ddc1864b0244 | keystone | identity |
+----------------------------------+----------+----------+
在 Controller2上验证Keystone
[root@controller2 ~]# source admin-openrc.sh
[root@controller2 ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-02-22T06:31:51.487910Z |
| id | e2ffc4461c604107ac9ba7386d493a09 |
| project_id | b81fade4255149c29aa53b87312f60de |
| user_id | e88caafd2c874b6ab4bc23d8b5fbf422 |
+------------+----------------------------------+
[root@controller2 ~]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 5fe30200d9464aa384b5ddc1864b0244 | keystone | identity |
+----------------------------------+----------+----------+
在 Controller3上验证Keystone
[root@controller3 ~]# source admin-openrc.sh
[root@controller3 ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2017-02-22T06:32:19.618061Z |
| id | 3db2b1cec73d48b496ac8845e0842bea |
| project_id | b81fade4255149c29aa53b87312f60de |
| user_id | e88caafd2c874b6ab4bc23d8b5fbf422 |
+------------+----------------------------------+
[root@controller3 ~]# openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 5fe30200d9464aa384b5ddc1864b0244 | keystone | identity |
+----------------------------------+----------+----------+
本文转自 OpenStack2015 51CTO博客,原文链接:http://blog.51cto.com/andyliu/1917399,如需转载请自行联系原作者