OpenStack deployment (II. Updated keystone)

Create Keystone database

Create the Keystone database on the MariaDB of the controller:

mysql -uroot -p123456
# -uroot: log in to MariaDB as the root user
# -p123456: the root user's MariaDB password is "123456"

Create Keystone database:

CREATE DATABASE keystone;

Create the database user "keystone" for the keystone database and allow both local and remote login. The login password is "123456":

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
# Press ctrl + c to exit from the database

Installing keystone components

To install keystone components on the controller:

yum install openstack-keystone httpd mod_wsgi -y  

To configure the keystone configuration file:

Back up the original configuration file:

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak

Remove the comment lines (those beginning with "#") from the original configuration file:

cat /etc/keystone/keystone.conf.bak | grep -v ^# | uniq > /etc/keystone/keystone.conf

Edit the configuration file /etc/keystone/keystone.conf:

cat <<EOF > /etc/keystone/keystone.conf
[database]
connection=mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
EOF

Populate keystone database:

su -s /bin/sh -c "keystone-manage db_sync " keystone
# No output means the database was populated successfully.

Initialize the Fernet key repositories:

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service and set keystone's authentication information (the administrator password for the OpenStack login interface is set here):

keystone-manage bootstrap --bootstrap-password 123456 \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

Parameter description:
--bootstrap-password: keystone administrator password
--bootstrap-admin-url: administrator authentication URL
--bootstrap-internal-url: internal authentication URL
--bootstrap-public-url: external authentication URL
--bootstrap-region-id: specifies the name of the region
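
The database grants, keystone.conf and the bootstrap step above all use "123456" and pass it on the command line. The script below is an added example, not part of the original walkthrough: it generates a separate random secret for the database user and the admin account, names the client host in the GRANT instead of '%', and keeps both secrets out of argv. DB_CLIENT_HOST, SECRETS_FILE and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: give each Keystone credential its own random secret.
# DB_CLIENT_HOST, SECRETS_FILE and the function names are assumptions.
DB_CLIENT_HOST="${DB_CLIENT_HOST:-controller}"   # host Keystone connects from
SECRETS_FILE="${SECRETS_FILE:-/root/keystone-secrets}"

gen_secret() {  # print $1 random characters from [A-Za-z0-9]
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

grant_sql() {  # $1 = password; the walkthrough's GRANTs with a named host, not '%'
    local host
    for host in localhost "$DB_CLIENT_HOST"; do
        printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%s' IDENTIFIED BY '%s';\n" \
            "$host" "$1"
    done
}

keystone_conf() {  # $1 = password; the two sections the walkthrough writes
    printf '[database]\nconnection=mysql+pymysql://keystone:%s@controller/keystone\n' "$1"
    printf '[token]\nprovider = fernet\n'
}

apply_db() {  # run as root on the controller, before "keystone-manage db_sync"
    local db_pw admin_pw
    db_pw=$(gen_secret 32); admin_pw=$(gen_secret 32)
    umask 077                                    # new files are owner-only
    printf 'KEYSTONE_DBPASS=%s\nADMIN_PASS=%s\n' "$db_pw" "$admin_pw" > "$SECRETS_FILE"
    # SQL arrives on stdin and -p prompts on the terminal: nothing secret in argv.
    { echo 'CREATE DATABASE IF NOT EXISTS keystone;'; grant_sql "$db_pw"; } | mysql -uroot -p
    keystone_conf "$db_pw" > /etc/keystone/keystone.conf
    chown root:keystone /etc/keystone/keystone.conf
    chmod 640 /etc/keystone/keystone.conf
}

apply_bootstrap() {  # run after db_sync and fernet_setup
    . "$SECRETS_FILE"
    # keystone-manage bootstrap also accepts the password in OS_BOOTSTRAP_PASSWORD.
    OS_BOOTSTRAP_PASSWORD="$ADMIN_PASS" keystone-manage bootstrap \
        --bootstrap-admin-url http://controller:5000/v3/ \
        --bootstrap-internal-url http://controller:5000/v3/ \
        --bootstrap-public-url http://controller:5000/v3/ \
        --bootstrap-region-id RegionOne
}

case "${1:-}" in
    db) apply_db ;;
    bootstrap) apply_bootstrap ;;
esac
```

Run it with "db" in place of the manual GRANT and keystone.conf steps, and with "bootstrap" in place of the keystone-manage bootstrap command; the admin password is then the ADMIN_PASS value in the secrets file.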

To configure Apache services:

Set ServerName as the local host name in the Apache configuration file, and add "ServerName controller" in line 96 of the“

vi +96 /etc/httpd/conf/httpd.conf

Create a link to wsgi-keystone.conf in the Apache configuration directory:

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Enable the httpd service at boot and start it:

systemctl enable httpd.service
systemctl start httpd.service
 
systemctl status httpd.service

Verification

Create environment script

To work as a particular account, such as the administrator, we need to create an environment script:

cat <<EOF >> /root/admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF

Parameter description:

export OS_USERNAME=admin: log in with keystone's admin account
export OS_PASSWORD=123456: keystone preset password
export OS_PROJECT_NAME=admin: specifies the OpenStack project to work in
export OS_USER_DOMAIN_NAME=Default: specifies the domain to which the OpenStack user belongs
export OS_PROJECT_DOMAIN_NAME=Default: specifies the domain to which the OpenStack project belongs
export OS_AUTH_URL=http://controller:5000/v3: specifies the authentication URL
export OS_IDENTITY_API_VERSION=3: specifies the authentication API version

Load the script into the current shell: . /root/admin-openrc
View the current environment: env | grep OS
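
An added example, not part of the original walkthrough: a check for the two files above that hold credentials, admin-openrc and keystone.conf. It reports a world-readable mode, a stored or weak password and a plain-HTTP auth URL; the finding labels and the weak-password list are this example's own.

```bash
#!/usr/bin/env bash
# Added example: audit the credential files this walkthrough writes.
# Finding labels and the weak-password list are this example's own.
WEAK_PASSWORDS="123456 password admin keystone openstack password1234"  # constructed

is_weak() {  # true if $1 is shorter than 12 characters or on the list
    [ "${#1}" -lt 12 ] && return 0
    case " $WEAK_PASSWORDS " in *" $1 "*) return 0 ;; esac
    return 1
}

other_can_read() {  # true if users outside owner and group can read file $1
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "${mode#"${mode%?}"}" in 4|5|6|7) return 0 ;; esac   # last octal digit
    return 1
}

audit_openrc() {  # $1 = openrc file; prints one finding per line
    local pw url
    # The walkthrough appends with ">>", so the last export is the one in effect.
    pw=$(sed -n 's/^export OS_PASSWORD=//p' "$1" | tail -n 1)
    url=$(sed -n 's/^export OS_AUTH_URL=//p' "$1" | tail -n 1)
    other_can_read "$1" && echo "WORLD_READABLE"
    [ -n "$pw" ] && echo "STORED_PASSWORD"
    [ -n "$pw" ] && is_weak "$pw" && echo "WEAK_PASSWORD"
    case "$url" in http://*) echo "PLAINTEXT_HTTP" ;; esac
    return 0
}

audit_keystone_conf() {  # $1 = keystone.conf; prints one finding per line
    local conn pw
    conn=$(sed -n 's/^[[:space:]]*connection[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    # mysql+pymysql://USER:PASSWORD@HOST/DB -> PASSWORD
    pw=$(printf '%s\n' "$conn" | sed -n 's#^[^:]*://[^:/@]*:\([^@]*\)@.*#\1#p')
    other_can_read "$1" && echo "WORLD_READABLE"
    [ -n "$pw" ] && is_weak "$pw" && echo "WEAK_PASSWORD"
    return 0
}

# Usage: audit.sh /root/admin-openrc /etc/keystone/keystone.conf
if [ "$#" -ge 2 ]; then
    audit_openrc "$1" | sed "s|^|$1: |"
    audit_keystone_conf "$2" | sed "s|^|$2: |"
else  # no arguments: run on a constructed copy of the walkthrough's admin-openrc
    f=$(mktemp); chmod 644 "$f"
    printf 'export OS_PASSWORD=123456\nexport OS_AUTH_URL=http://controller:5000/v3\n' > "$f"
    audit_openrc "$f"; rm -f "$f"
fi
```

An openrc file that omits OS_PASSWORD (the client then prompts for it, as in the login check at the end of this page), uses an https:// URL and has mode 600 produces no findings.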

openstack token issue

After authentication, create a domain named "example" and described as "Test Example"

openstack domain create --description "Test Example" example

Under the default domain, create a project called "service" and described as "Service Project"

openstack project create --domain default --description "Service Project" service

View all projects in the current environment

openstack project list

Generally, in addition to administrators, we also need some non-privileged projects and users

Under the default domain, create a project called "demo" and described as "Demo Project"

openstack project create --domain default --description "Demo Project" demo

Create a user named "leon" under the default domain, and set the password manually at the prompt

openstack user create --domain default --password-prompt leon

Create the OpenStack "normal user" role, named "user"

openstack role create user 

View the current roles

openstack role list

Assign user "leon" the "user" (ordinary user) role in the "demo" project

openstack role add --project demo --user leon user
# (the command does not return results)

Verify login:

unset OS_AUTH_URL OS_PASSWORD # Remove the auth URL and password from the environment

User admin login:

openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
password: 123456

User leon login:

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username leon token issue
password: 123456

Added by Rippie on Mon, 20 Dec 2021 10:43:53 +0200