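【OpenStack】【Keystone】Installation and Configuration Explained
Table of contents
- References
- The openstack-keystone package
- Keystone configuration files
- The keystone.conf file
- Creating the keystone database in MySQL and granting privileges to the keystone account
- Initializing the keystone database
- The keystone-manage db_sync command
- Enabling Fernet keys
- Bootstrap Keystone Services
- bootstrap command options
- The mod_wsgi package
- Configuring the Apache/httpd service
- How Keystone is tied to Apache
References
Manually deploying OpenStack Rocky on two nodes (2) - Keystone
The openstack-keystone package
The OpenStack authentication service, provided by the centos-openstack-rocky repository.
Installing this package also creates an account named keystone and a group named keystone.
Note: you cannot log in as the keystone account or su to it (its login shell is /sbin/nologin, as the output below shows).
[tony@tony-controller ~]$ cat /etc/passwd | grep keystone
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
[tony@tony-controller ~]$ cat /etc/group | grep keystone
keystone:x:163: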
[tony@tony-controller ~]$ sudo yum info openstack-keystone
Installed Packages
Name : openstack-keystone
Arch : noarch
Epoch : 1
Version : 14.1.0
Release : 1.el7
Size : 827 k
Repo : installed
From repo : centos-openstack-rocky
Summary : OpenStack Identity Service
URL : http://keystone.openstack.org/
License : ASL 2.0
Description : Keystone is a Python implementation of the OpenStack
            : (http://www.openstack.org) identity service API.
            :
            : This package contains the Keystone daemon.
This package mainly contains:
- configuration files, under the /etc/keystone directory
- the command-line interface, mainly keystone-manage
- log files
[tony@tony-controller ~]$ rpm -ql openstack-keystone
/etc/keystone
/etc/keystone/default_catalog.templates
/etc/keystone/keystone-paste.ini
/etc/keystone/keystone.conf
/etc/keystone/logging.conf
/etc/keystone/policy.json
/etc/keystone/sso_callback_template.html
/etc/logrotate.d/openstack-keystone
/usr/bin/keystone-manage
/usr/bin/keystone-wsgi-admin
/usr/bin/keystone-wsgi-public
/usr/bin/openstack-keystone-sample-data
/usr/lib/sysctl.d/openstack-keystone.conf
/usr/share/doc/openstack-keystone-14.1.0
/usr/share/doc/openstack-keystone-14.1.0/README.rst
/usr/share/keystone
/usr/share/keystone/keystone-dist.conf
/usr/share/keystone/keystone-schema.json
/usr/share/keystone/keystone-schema.yaml
/usr/share/keystone/policy.v3cloudsample.json
/usr/share/keystone/sample_data.sh
/usr/share/keystone/wsgi-keystone.conf
/usr/share/licenses/openstack-keystone-14.1.0
/usr/share/licenses/openstack-keystone-14.1.0/LICENSE
/usr/share/man/man1/keystone-manage.1.gz
/var/lib/keystone
/var/log/keystone
/var/log/keystone/keystone.log
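Keystone configuration files
All configuration files live under /etc/keystone. The directory is owned by root; accounts in the keystone group can read it, and nobody else can read or write it. The most important file is keystone.conf.
[tony@tony-controller ~]$ ls -ld /etc/keystone
drwxr-x---. 4 root keystone 201 Apr 15 17:45 /etc/keystone
[tony@tony-controller ~]$ sudo ls -l /etc/keystone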
total 140
drwx------. 2 keystone keystone 24 Apr 12 10:31 credential-keys
-rw-r-----. 1 root keystone 2303 Apr 4 22:24 default_catalog.templates
drwx------. 2 keystone keystone 24 Apr 12 10:31 fernet-keys
-rw-r-----. 1 root keystone 119881 Apr 12 10:28 keystone.conf
-rw-r-----. 1 root keystone 2687 Apr 4 22:24 keystone-paste.ini
-rw-r-----. 1 root keystone 1046 Apr 4 22:24 logging.conf
-rw-r-----. 1 root keystone 3 Apr 5 11:13 policy.json
-rw-r-----. 1 keystone keystone 665 Apr 4 22:24 sso_callback_template.html
[tony@tony-controller ~]$ rpm -ql openstack-keystone
/etc/keystone
/etc/keystone/default_catalog.templates
/etc/keystone/keystone-paste.ini
/etc/keystone/keystone.conf
/etc/keystone/logging.conf
/etc/keystone/policy.json
/etc/keystone/sso_callback_template.html
/etc/logrotate.d/openstack-keystone
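The permission layout in the listing above can be checked mechanically. The following is an added example, not part of the original article: it audits only mode bits (not ownership), the function names and finding labels are made up for illustration, and the owner-only rule for files inside the key repositories is an assumption extended from the drwx------ directory mode shown.

```shell
#!/bin/sh
# Added example: audit the mode bits of a Keystone config tree against the
# listing above. Function names and finding labels are illustrative.

# Octal permission bits of a path, e.g. 750 (GNU stat, as on CentOS).
mode_of() { stat -c '%a' "$1"; }

# audit_keystone_dir ROOT: print one finding per line; return 1 if any found.
audit_keystone_dir() {
    root=$1
    findings=0
    for p in "$root" "$root"/* "$root"/fernet-keys/* "$root"/credential-keys/*; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        grp=$(( (m / 10) % 10 ))
        oth=$(( m % 10 ))
        case "$p" in
            */fernet-keys|*/fernet-keys/*|*/credential-keys|*/credential-keys/*)
                # Key repositories: owner only (assumed to apply to key files too).
                if [ "$grp" -ne 0 ] || [ "$oth" -ne 0 ]; then
                    echo "KEY-EXPOSED $m $p"; findings=$((findings + 1))
                fi ;;
            *)
                # Everything else: nothing for "other", read-only for the group.
                if [ "$oth" -ne 0 ]; then
                    echo "WORLD-ACCESS $m $p"; findings=$((findings + 1))
                fi
                if [ -f "$p" ] && [ $(( grp & 2 )) -ne 0 ]; then
                    echo "GROUP-WRITABLE $m $p"; findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree using the modes from the listing (ownership not modelled).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/fernet-keys" "$t/credential-keys"
    : > "$t/keystone.conf"; : > "$t/policy.json"; : > "$t/fernet-keys/0"
    chmod 750 "$t"
    chmod 700 "$t/fernet-keys" "$t/credential-keys"
    chmod 640 "$t/keystone.conf" "$t/policy.json"
    chmod 600 "$t/fernet-keys/0"
    echo "$t"
}

# Usage on a controller (as root): sh audit.sh /etc/keystone
if [ "$#" -gt 0 ]; then audit_keystone_dir "$1"; fi
```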
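The keystone.conf file
After installation, every default option in this file is commented out, so you need to set a few basic options yourself.
In the configuration below,
- the database connection uses MySQL via pymysql; the database is on the controller machine and is named keystone;
- the token provider is fernet.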
[tony@tony-controller ~]$ sudo cat /etc/keystone/keystone.conf | grep -v -E '^$|^#'
[database]
connection = mysql+pymysql://keystone:$password@controller/keystone
...
[token]
provider = fernet
...
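Creating the keystone database in MySQL and granting privileges to the keystone account
Since the configuration file names a keystone database, a database named keystone must be created in MySQL on the controller machine, and all privileges on that database must be granted to the keystone account.
Initializing the keystone database
Run the keystone-manage command as the keystone account to initialize the database that the keystone service uses.
The keystone-manage db_sync command
The keystone-manage command-line interface is keystone's administration tool, used to initialize the keystone service and update its data. In general, it is used for operations that cannot be done through the HTTP API, such as data import/export and database migration.
The db_sync command synchronizes the database.
Enabling Fernet keys
The keystone-manage fernet_setup command creates a Fernet key repository used for token encryption.
The keystone-manage credential_setup command creates a Fernet key repository used for credential encryption.
Bootstrap Keystone Services
keystone-manage bootstrap performs the basic bootstrap actions.
bootstrap command options
The options of the bootstrap command show what can be set during the bootstrap process.
Note: the bootstrap options include no domain setting, so the default domain can only be Default.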
[tony@tony-controller ~]$ keystone-manage bootstrap --help
(Screen output slightly modified.)
usage: keystone-manage bootstrap
[-h]
[--bootstrap-username OS_BOOTSTRAP_USERNAME]
[--bootstrap-password OS_BOOTSTRAP_PASSWORD]
[--bootstrap-project-name OS_BOOTSTRAP_PROJECT_NAME]
[--bootstrap-role-name OS_BOOTSTRAP_ROLE_NAME]
[--bootstrap-service-name OS_BOOTSTRAP_SERVICE_NAME]
[--bootstrap-admin-url OS_BOOTSTRAP_ADMIN_URL]
[--bootstrap-public-url OS_BOOTSTRAP_PUBLIC_URL]
[--bootstrap-internal-url OS_BOOTSTRAP_INTERNAL_URL]
[--bootstrap-region-id OS_BOOTSTRAP_REGION_ID]
optional arguments:
-h, --help show this help message and exit
--bootstrap-username OS_BOOTSTRAP_USERNAME
The username of the initial keystone user during
bootstrap process. If not set, the username is admin.
--bootstrap-password OS_BOOTSTRAP_PASSWORD
The bootstrap user password
--bootstrap-project-name OS_BOOTSTRAP_PROJECT_NAME
The initial project created during the keystone
bootstrap process. If not set, the project name is admin.
--bootstrap-role-name OS_BOOTSTRAP_ROLE_NAME
The initial role-name created during the keystone
bootstrap process. If not set, three roles are created: admin, member, reader.
--bootstrap-service-name OS_BOOTSTRAP_SERVICE_NAME
The initial name for the initial identity service
created during the keystone bootstrap process.
If not set, the service name is keystone and its type is identity.
--bootstrap-admin-url OS_BOOTSTRAP_ADMIN_URL
The initial identity admin url created during the
keystone bootstrap process. e.g.
http://127.0.0.1:35357/v3
--bootstrap-public-url OS_BOOTSTRAP_PUBLIC_URL
The initial identity public url created during the
keystone bootstrap process. e.g.
http://127.0.0.1:5000/v3
--bootstrap-internal-url OS_BOOTSTRAP_INTERNAL_URL
The initial identity internal url created during the
keystone bootstrap process. e.g.
http://127.0.0.1:5000/v3
--bootstrap-region-id OS_BOOTSTRAP_REGION_ID
The initial region_id endpoints will be placed in
during the keystone bootstrap process.
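The db_sync, fernet_setup, credential_setup and bootstrap steps described above, written out as one script. This is an added example, not commands taken from the original article: the run and keystone_init helpers, the DRY_RUN switch, the host name controller in the URL and the region RegionOne are assumptions. The admin password is supplied through the OS_BOOTSTRAP_PASSWORD environment variable, which keystone-manage bootstrap accepts in place of --bootstrap-password, so it does not appear on the command line.

```shell
#!/bin/sh
# Added example: the db_sync, key-repository and bootstrap steps as one script.
# DRY_RUN=1 (the default here) prints each command instead of running it;
# the printed plan does not preserve shell quoting.
# Assumed values, not from the article: host "controller", region "RegionOne".

DRY_RUN=${DRY_RUN:-1}
KEYSTONE_URL=${KEYSTONE_URL:-http://controller:5000/v3/}
REGION=${REGION:-RegionOne}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

keystone_init() {
    # keystone-manage bootstrap accepts the password from OS_BOOTSTRAP_PASSWORD,
    # which keeps it out of argv and out of the command line in shell history.
    if [ -z "${OS_BOOTSTRAP_PASSWORD:-}" ]; then
        echo "OS_BOOTSTRAP_PASSWORD must be set" >&2
        return 1
    fi
    export OS_BOOTSTRAP_PASSWORD

    # 1. Populate the schema as the keystone account; -s supplies a shell
    #    because the account's own shell is /sbin/nologin.
    run su -s /bin/sh -c "keystone-manage db_sync" keystone || return 1

    # 2. Create both key repositories, owned by keystone:keystone.
    run keystone-manage fernet_setup \
        --keystone-user keystone --keystone-group keystone || return 1
    run keystone-manage credential_setup \
        --keystone-user keystone --keystone-group keystone || return 1

    # 3. Create the initial user, project, roles, service and endpoints.
    run keystone-manage bootstrap \
        --bootstrap-admin-url "$KEYSTONE_URL" \
        --bootstrap-internal-url "$KEYSTONE_URL" \
        --bootstrap-public-url "$KEYSTONE_URL" \
        --bootstrap-region-id "$REGION"
}

# Usage on the controller, as root, with OS_BOOTSTRAP_PASSWORD already exported:
#   DRY_RUN=0 sh keystone-init.sh run
if [ "${1:-}" = run ]; then keystone_init; fi
```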
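The mod_wsgi package
mod_wsgi is a WSGI interface for Python web applications in Apache.
mod_wsgi is an adapter module that runs inside Apache and provides a WSGI-compliant interface for hosting Python-based web applications in Apache. The module is written entirely in C and has lower overhead than other WSGI adapters.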
[tony@tony-controller ~]$ sudo yum info mod_wsgi
Installed Packages
Name : mod_wsgi
Arch : x86_64
Version : 3.4
Release : 18.el7
Size : 198 k
Repo : installed
From repo : base
Summary : A WSGI interface for Python web applications in Apache
URL : http://www.modwsgi.org
License : ASL 2.0
Description : The mod_wsgi adapter is an Apache module that provides a WSGI
            : compliant interface for hosting Python based web applications
            : within Apache. The adapter is written completely in C code against
            : the Apache C runtime and for hosting WSGI applications within
            : Apache has a lower overhead than using existing WSGI adapters for
            : mod_python or CGI.
[tony@tony-controller ~]$ sudo rpm -ql mod_wsgi
/etc/httpd/conf.modules.d/10-wsgi.conf
/usr/lib64/httpd/modules/mod_wsgi.so
/usr/share/doc/mod_wsgi-3.4
/usr/share/doc/mod_wsgi-3.4/LICENCE
/usr/share/doc/mod_wsgi-3.4/README
Configuring the Apache/httpd service
How Keystone is tied to Apache
Once the symbolic link has been created, Apache reads and processes the wsgi-keystone.conf configuration, creates a virtual host that listens for requests on port 5000, and hands them to keystone to answer; Apache returns the result.
sudo ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
When Apache starts, it loads the wsgi-keystone.conf configuration file. By default the file is defined as follows:
[tony@tony-controller ~]$ sudo cat /usr/share/keystone/wsgi-keystone.conf
# Make Apache listen on port 5000.
Listen 5000
# Define the virtual host
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>