
OpenStack Zed Keystone Deployment

Operating system: Ubuntu Server Mini 22.04. This deployment is implemented with self-signed SSL and an Nginx reverse proxy.
I: Configure NTP

1) Use the systemd-timesyncd service that ships with the system

    root@srv1:~# vim /etc/systemd/timesyncd.conf
    ...... ...... ...... ...... ...... ......

    [Time]
    # uncomment line 16 and change it as follows
    NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org
    #FallbackNTP=ntp.ubuntu.com
    #RootDistanceMaxSec=5
    #PollIntervalMinSec=32
    #PollIntervalMaxSec=2048

    root@srv1:~# systemctl restart systemd-timesyncd

    root@srv1:~# systemctl status systemd-timesyncd.service | grep Status:
         Status: "Initial synchronization to time server 162.159.200.1:123 (0.cn.pool.ntp.org)."
II: Install MariaDB

    root@srv1:~# apt install mariadb-server -y

    root@srv1:~# vim /etc/mysql/mariadb.conf.d/50-server.cnf
    ...... ...... ...... ...... ...... ......

    # change line 27 to set the listen address
    bind-address = 0.0.0.0

    ...... ...... ...... ...... ...... ......

    # change line 40: the default value is too low for an OpenStack environment, set it to 500
    max_connections = 500
    ...... ...... ...... ...... ...... ......

    # change lines 90-91: make sure the default character set is the 4-byte UTF-8 encoding, utf8mb4
    character-set-server  = utf8mb4
    collation-server      = utf8mb4_general_ci

    ...... ...... ...... ...... ...... ......

    root@srv1:~# systemctl restart mariadb

    root@srv1:~# mysql_secure_installation
    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user. If you've just installed MariaDB, and
    haven't set the root password yet, you should just press enter here.

    Enter current password for root (enter for none):    # press Enter
    OK, successfully used password, moving on...

    Setting the root password or using the unix_socket ensures that nobody
    can log into the MariaDB root user without the proper authorisation.

    You already have your root account protected, so you can safely answer "n".

    Switch to unix_socket authentication [Y/n]    # press Enter
    Enabled successfully!
    Reloading privilege tables..
     ... Success!

    You already have your root account protected, so you can safely answer "n".

    Change the root password? [Y/n]    # press Enter
    New password:     # enter the new database administrator password (password in this example)
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n]    # press Enter
     ... Success!

    Normally, root should only be allowed to connect from "localhost".  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n]    # press Enter
     ... Success!

    By default, MariaDB comes with a database named "test" that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n]    # press Enter
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n]    # press Enter
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!
III: Install and configure Memcached and RabbitMQ

1) Install RabbitMQ and Memcached

    root@srv1:~# apt install rabbitmq-server memcached python3-pymysql nginx libnginx-mod-stream -y

2) Configure Memcached

    root@srv1:~# vim /etc/memcached.conf
    ...... ...... ...... ...... ......

    # change line 35 so memcached listens on the server address
    -l 192.168.1.11

    ...... ...... ...... ...... ......

3) Configure RabbitMQ

    root@srv1:~# rabbitmqctl add_user openstack password
    Adding user "openstack" ...
    Done. Don't forget to grant the user permissions to some virtual hosts! See "rabbitmqctl help set_permissions" to learn more.

    root@srv1:~# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
    Setting permissions for user "openstack" in vhost "/" ...

4) Disable the default Nginx site

    root@srv1:~# ls -l /etc/nginx/sites-enabled/default
    lrwxrwxrwx 1 root root 34 Oct 24 15:49 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default

    root@srv1:~# unlink /etc/nginx/sites-enabled/default

5) Start the Memcached and RabbitMQ services

    root@srv1:~# systemctl restart mariadb rabbitmq-server memcached nginx
IV: Set up the OpenStack Zed repository

1) Install the Zed repository

    root@srv1:~# apt install software-properties-common -y
    root@srv1:~# add-apt-repository cloud-archive:zed
    Repository: "deb http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-updates/zed main"
    Description:
                            Ubuntu Cloud Archive for OpenStack Zed
    More info: https://wiki.ubuntu.com/OpenStack/CloudArchive
    Adding repository.
    Press [ENTER] to continue or Ctrl-c to cancel.    # press Enter
    Adding deb entry to /etc/apt/sources.list.d/cloudarchive-zed.list
    Adding disabled deb-src entry to /etc/apt/sources.list.d/cloudarchive-zed.list
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    ...... ...... ...... ...... ...... ......
    Reading package lists... Done

2) Update the system

    root@srv1:~# apt update
    root@srv1:~# apt upgrade -y
V: Create the Keystone database

    root@srv1:~# mysql -u root -p
    Enter password:  # enter the database administrator password
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 31
    Server version: 10.6.7-MariaDB-2ubuntu1.1 Ubuntu 22.04

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type "help;" or "\h" for help. Type "\c" to clear the current input statement.

    MariaDB [(none)]> create database keystone;
    Query OK, 1 row affected (0.001 sec)

    MariaDB [(none)]> grant all privileges on keystone.* to keystone@"localhost" identified by "password";
    Query OK, 0 rows affected (0.010 sec)

    MariaDB [(none)]> grant all privileges on keystone.* to keystone@"%" identified by "password";
    Query OK, 0 rows affected (0.038 sec)

    MariaDB [(none)]> flush privileges;
    Query OK, 0 rows affected (0.001 sec)

    MariaDB [(none)]> exit
    Bye
    root@srv1:~#
VI: Install Keystone

    root@srv1:~# apt install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client -y
VII: Configure Keystone

1) Configure Keystone

    root@srv1:~# vim /etc/keystone/keystone.conf
    ...... ...... ...... ...... ...... ......

    # uncomment line 443 and point it at the Memcached server
    memcache_servers = srv1.1000y.cloud:11211

    ...... ...... ...... ...... ...... ......

    [database]
    # at line 661, add the database connection information
    connection = mysql+pymysql://keystone:password@srv1.1000y.cloud/keystone

    ...... ...... ...... ...... ...... ......

    [token]

    ...... ...... ...... ...... ...... ......
    # uncomment line 2639
    provider = fernet

    ...... ...... ...... ...... ...... ......

2) Synchronize the database

    root@srv1:~# su -s /bin/bash keystone -c "keystone-manage db_sync"

    root@srv1:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    root@srv1:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

    root@srv1:~# keystone-manage bootstrap --bootstrap-password adminpassword \
     --bootstrap-admin-url https://srv1.1000y.cloud:5000/v3/ \
     --bootstrap-internal-url https://srv1.1000y.cloud:5000/v3/ \
     --bootstrap-public-url https://srv1.1000y.cloud:5000/v3/ \
     --bootstrap-region-id RegionOne
VIII: Set up SSL and generate certificates

1) Generate the SSL certificates

(1) Generate the CA certificate and register it

    root@srv1:~# cd /etc/ssl/private/
    root@srv1:/etc/ssl/private# openssl genrsa -des3 -out cakey.pem 2048
    Enter PEM pass phrase:     # set a passphrase
    Verifying - Enter PEM pass phrase

    root@srv1:/etc/ssl/private# openssl rsa -in cakey.pem -out cakey.pem
    Enter pass phrase for yoga.key:     # enter the passphrase
    writing RSA key

    root@srv1:/etc/ssl/private# openssl req -new -x509 -days 365 -key cakey.pem -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ".", the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:BeiJing
    Locality Name (eg, city) []:BeiJing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
    Organizational Unit Name (eg, section) []:tech
    Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
    Email Address []:     # press Enter

    root@srv1:/etc/ssl/private# cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt

(2) Create the key/crt files the service needs

    root@srv1:/etc/ssl/private# openssl genrsa -des3 -out zed.key 2048
    Enter PEM pass phrase:     # set a passphrase
    Verifying - Enter PEM pass phrase

    root@srv1:/etc/ssl/private# openssl rsa -in zed.key -out zed.key
    Enter pass phrase for yoga.key:     # enter the passphrase
    writing RSA key

    root@srv1:/etc/ssl/private# openssl req -utf8 -new -key zed.key -out zed.csr
    Ignoring -days; not generating a certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ".", the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:BeiJing
    Locality Name (eg, city) []:BeiJing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
    Organizational Unit Name (eg, section) []:tech
    Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
    Email Address []:     # press Enter

    Please enter the following "extra" attributes
    to be sent with your certificate request
    A challenge password []:     # press Enter
    An optional company name []:     # press Enter

    root@srv1:~# vim /etc/ssl/openssl.cnf
    ...... ...... ...... ...... ...... ......

    # append the following at the end of the file
    [ 1000y.cloud ]
    subjectAltName = DNS:srv1.1000y.cloud, IP:192.168.1.11

    root@srv1:private(keystone)# openssl x509 -req -days 365 -in zed.csr -CA ./cacert.pem -CAkey cakey.pem -out zed.crt -extfile /etc/ssl/openssl.cnf -extensions 1000y.cloud
    Certificate request self-signature ok
    subject=C = CN, ST = BeiJing, L = BeiJing, O = 1000y.cloud, OU = tech, CN = srv1.1000y.cloud

    root@srv1:/etc/ssl/private# ls -l
    total 24
    -rw-r--r-- 1 root root     1367 Oct 24 16:12 cacert.pem
    -rw------- 1 root root     1708 Oct 24 16:12 cakey.pem
    -rw-r----- 1 root ssl-cert 1704 Oct 24 16:05 ssl-cert-snakeoil.key
    -rw-r--r-- 1 root root     1391 Oct 24 16:18 zed.crt
    -rw-r--r-- 1 root root     1017 Oct 24 16:17 zed.csr
    -rw------- 1 root root     1704 Oct 24 16:17 zed.key

    root@srv1:/etc/ssl/private# cd
IX: Configure Apache

    root@srv1:~# apt install apache2 -y

    root@srv1:~# vim /etc/apache2/apache2.conf
    ...... ...... ...... ...... ...... ......
    #ServerRoot "/etc/apache2"
    # at line 70, add the following
    ServerName srv1.1000y.cloud

    ...... ...... ...... ...... ...... ......

    root@srv1:~# vim /etc/apache2/sites-available/keystone.conf
    Listen 5000

    <VirtualHost *:5000>
        # at lines 4-7, add the following
        SSLEngine On
        SSLHonorCipherOrder On
        SSLCertificateFile /etc/ssl/private/zed.crt
        SSLCertificateKeyFile /etc/ssl/private/zed.key
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    ...... ...... ...... ...... ...... ......

    root@srv1:~# a2enmod ssl
    Considering dependency setenvif for ssl:
    Module setenvif already enabled
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Enabling module socache_shmcb.
    Enabling module ssl.
    See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      systemctl restart apache2

    root@srv1:~# systemctl restart apache2
X: Configure the environment script and create a project

1) Set up the environment

    root@srv1:~# vim ~/keystonerc
    # add the following to the new file
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=adminpassword
    export OS_AUTH_URL=https://srv1.1000y.cloud:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    export PS1="\u@\h:\W(keystone)\$ "
    # a self-signed certificate needs the --insecure option, so an alias is added
    alias openstack="openstack --insecure"

    root@srv1:~# chmod 600 ~/keystonerc
    root@srv1:~# source ~/keystonerc
    root@srv1:~(keystone)# echo "source ~/keystonerc " >> ~/.bashrc

2) Create a project and verify

    root@srv1:~(keystone)# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 4fabd4d8316c40a398d6496c0a733caf |
    | is_domain   | False                            |
    | name        | service                          |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    root@srv1:~(keystone)# openstack project list
    +----------------------------------+---------+
    | ID                               | Name    |
    +----------------------------------+---------+
    | 4fabd4d8316c40a398d6496c0a733caf | service |
    | 994a4a3e0fbc4f5891f38470e158e6b4 | admin   |
    +----------------------------------+---------+
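
Added example (not part of the original article): the alias in section X disables certificate verification, although section VIII already produces a CA that a client could trust instead, for instance through the openstack client's OS_CACERT variable. The script below rebuilds the same CA and server certificate non-interactively with throwaway keys and runs the checks a verifying client performs: chain to the CA, then host name and IP against the subjectAltName. Assumptions: the function names, the san.cnf file and the CA common name demo-ca are this example's own.

```shell
#!/bin/sh
# Added example: rebuild the section VIII chain with throwaway keys, then run
# the checks a verifying TLS client performs. Function names are hypothetical;
# host name and IP are the article's values.
HOST=srv1.1000y.cloud
IP=192.168.1.11

make_chain() {   # $1 = empty working directory
    (
        set -e
        cd "$1"
        subj="/C=CN/ST=BeiJing/L=BeiJing/O=1000y.cloud/OU=tech"
        # CA key and self-signed CA certificate (cakey.pem / cacert.pem).
        # Assumption: the CA gets its own CN so that issuer and subject of
        # the server certificate differ.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout cakey.pem -out cacert.pem -subj "$subj/CN=demo-ca" 2>/dev/null
        # Server key and CSR (zed.key / zed.csr)
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout zed.key -out zed.csr -subj "$subj/CN=$HOST" 2>/dev/null
        # Same subjectAltName the article appends to openssl.cnf
        printf '[ san ]\nsubjectAltName = DNS:%s, IP:%s\n' "$HOST" "$IP" > san.cnf
        openssl x509 -req -days 365 -in zed.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -out zed.crt -extfile san.cnf -extensions san 2>/dev/null
        chmod 600 cakey.pem zed.key
    )
}

chain_ok() {     # $1 = CA file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

name_ok() {      # $1 = certificate, $2 = DNS name the client connects to
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

ip_ok() {        # $1 = certificate, $2 = IP address the client connects to
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Demo: sh check_chain.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_chain "$d" && chain_ok "$d/cacert.pem" "$d/zed.crt" \
        && name_ok "$d/zed.crt" "$HOST" && ip_ok "$d/zed.crt" "$IP" \
        && echo "chain, host name and IP all verify against $d/cacert.pem"
fi
```

The same three functions can be pointed at the real /etc/ssl/private/cacert.pem and zed.crt to confirm that the deployed certificate would pass verification before the --insecure alias is dropped.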
