OpenStack Zed Keystone Deployment

Operating system: Ubuntu Server Mini 22.04. This deployment uses a self-signed SSL certificate and an Nginx reverse proxy.
Part 1: Configure NTP
1) Use the system's built-in systemd-timesyncd service

root@srv1:~# vim /etc/systemd/timesyncd.conf
......
[Time]
# Uncomment line 16 and change it to the following
NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org
#FallbackNTP=ntp.ubuntu.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048
......

root@srv1:~# systemctl restart systemd-timesyncd
root@srv1:~# systemctl status systemd-timesyncd.service | grep Status:
     Status: "Initial synchronization to time server 162.159.200.1:123 (0.cn.pool.ntp.org)."
Part 2: Install MariaDB

root@srv1:~# apt install mariadb-server -y
root@srv1:~# vim /etc/mysql/mariadb.conf.d/50-server.cnf
......
# Line 27: change the listening address so the server is reachable from other hosts
bind-address = 0.0.0.0
......
# Line 40: the default is too low for an OpenStack environment; raise it to 500
max_connections = 500
......
# Lines 90-91: make sure the default character set is 4-byte UTF-8 (utf8mb4)
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
......

root@srv1:~# systemctl restart mariadb
root@srv1:~# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):   # press Enter
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n]   # press Enter
Enabled successfully!
Reloading privilege tables..
 ... Success!

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]   # press Enter
New password:   # enter the new database administrator password; in this guide it is password
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]   # press Enter
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]   # press Enter
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]   # press Enter
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]   # press Enter
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
Part 3: Install and configure Memcached and RabbitMQ
1) Install RabbitMQ and Memcached

root@srv1:~# apt install rabbitmq-server memcached python3-pymysql nginx libnginx-mod-stream -y

2) Configure Memcached

root@srv1:~# vim /etc/memcached.conf
......
# Line 35: listen on the host's management address instead of only on localhost
-l 192.168.1.11
......

3) Configure RabbitMQ

root@srv1:~# rabbitmqctl add_user openstack password
Adding user "openstack" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.
root@srv1:~# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...

4) Disable the default Nginx site

root@srv1:~# ls -l /etc/nginx/sites-enabled/default
lrwxrwxrwx 1 root root 34 Oct 24 15:49 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
root@srv1:~# unlink /etc/nginx/sites-enabled/default

5) Start the Memcached and RabbitMQ services

root@srv1:~# systemctl restart mariadb rabbitmq-server memcached nginx
Part 4: Set up the OpenStack Zed repository
1) Add the Zed repository

root@srv1:~# apt install software-properties-common -y
root@srv1:~# add-apt-repository cloud-archive:zed
Repository: 'deb http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-updates/zed main'
Description:
Ubuntu Cloud Archive for OpenStack Zed
More info: https://wiki.ubuntu.com/OpenStack/CloudArchive
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.   # press Enter
Adding deb entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
......
Reading package lists... Done

2) Update the system

root@srv1:~# apt update
root@srv1:~# apt upgrade -y
Part 5: Create the Keystone database

root@srv1:~# mysql -u root -p
Enter password:   # enter the database administrator password
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.6.7-MariaDB-2ubuntu1.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password';
Query OK, 0 rows affected (0.010 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password';
Query OK, 0 rows affected (0.038 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye
root@srv1:~#
Part 6: Install Keystone

root@srv1:~# apt install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client -y
Part 7: Configure Keystone
1) Configure Keystone

root@srv1:~# vim /etc/keystone/keystone.conf
......
[cache]
......
# Line 443: uncomment and point it at the Memcached server
memcache_servers = srv1.1000y.cloud:11211
......
[database]
# Line 661: add the database connection string
connection = mysql+pymysql://keystone:password@srv1.1000y.cloud/keystone
......
[token]
......
# Line 2639: uncomment
provider = fernet
......

2) Sync the database and bootstrap the identity service

root@srv1:~# su -s /bin/bash keystone -c "keystone-manage db_sync"
root@srv1:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
root@srv1:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
root@srv1:~# keystone-manage bootstrap --bootstrap-password adminpassword \
  --bootstrap-admin-url https://srv1.1000y.cloud:5000/v3/ \
  --bootstrap-internal-url https://srv1.1000y.cloud:5000/v3/ \
  --bootstrap-public-url https://srv1.1000y.cloud:5000/v3/ \
  --bootstrap-region-id RegionOne
Part 8: Set up SSL and generate certificates
1) Generate the SSL certificates
(1) Generate the CA certificate and register it

root@srv1:~# cd /etc/ssl/private/
root@srv1:/etc/ssl/private# openssl genrsa -des3 -out cakey.pem 2048
Enter PEM pass phrase:   # set a passphrase
Verifying - Enter PEM pass phrase:
root@srv1:/etc/ssl/private# openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for cakey.pem:   # enter the passphrase
writing RSA key
root@srv1:/etc/ssl/private# openssl req -new -x509 -days 365 -key cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:   # press Enter
root@srv1:/etc/ssl/private# cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt

Note: /etc/ssl/certs/ca-certificates.crt is rebuilt by update-ca-certificates, so a certificate appended directly to it is lost the next time that tool runs; copying cacert.pem to /usr/local/share/ca-certificates/ with a .crt extension and running update-ca-certificates keeps the CA trusted permanently.

(2) Create the key/crt files needed by the service

root@srv1:/etc/ssl/private# openssl genrsa -des3 -out zed.key 2048
Enter PEM pass phrase:   # set a passphrase
Verifying - Enter PEM pass phrase:
root@srv1:/etc/ssl/private# openssl rsa -in zed.key -out zed.key
Enter pass phrase for zed.key:   # enter the passphrase
writing RSA key
root@srv1:/etc/ssl/private# openssl req -utf8 -new -key zed.key -out zed.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:   # press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # press Enter
An optional company name []:   # press Enter

root@srv1:~# vim /etc/ssl/openssl.cnf
......
# Append the following at the end of the file
[ 1000y.cloud ]
subjectAltName = DNS:srv1.1000y.cloud, IP:192.168.1.11

root@srv1:/etc/ssl/private# openssl x509 -req -days 365 -in zed.csr -CA ./cacert.pem -CAkey cakey.pem -out zed.crt -extfile /etc/ssl/openssl.cnf -extensions 1000y.cloud
Certificate request self-signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = 1000y.cloud, OU = tech, CN = srv1.1000y.cloud
root@srv1:/etc/ssl/private# ls -l
total 24
-rw-r--r-- 1 root root     1367 Oct 24 16:12 cacert.pem
-rw------- 1 root root     1708 Oct 24 16:12 cakey.pem
-rw-r----- 1 root ssl-cert 1704 Oct 24 16:05 ssl-cert-snakeoil.key
-rw-r--r-- 1 root root     1391 Oct 24 16:18 zed.crt
-rw-r--r-- 1 root root     1017 Oct 24 16:17 zed.csr
-rw------- 1 root root     1704 Oct 24 16:17 zed.key
root@srv1:/etc/ssl/private# cd
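The same CA-plus-leaf construction as above, reduced to a runnable script that checks the result the way a TLS client would (chain to the CA, and the hostname or IP matched against the subjectAltName). This is an added example, not part of the original tutorial: it works in a temporary directory, the CA subject "demo-ca" is constructed, and the SAN is fed through a private extfile rather than a section appended to the system-wide /etc/ssl/openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original tutorial): throwaway CA + leaf cert
# with a subjectAltName, then chain and name verification with openssl(1).
set -eu
WORK=$(mktemp -d)                      # constructed scratch directory
CN=srv1.1000y.cloud
SAN_IP=192.168.1.11
DN="/C=CN/ST=BeiJing/L=BeiJing/O=1000y.cloud/OU=tech"

# Self-signed CA with an unencrypted key (the tutorial strips the passphrase
# with "openssl rsa -in cakey.pem -out cakey.pem"; here none is set at all).
make_ca() {
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/cakey.pem" \
    -subj "$DN/CN=demo-ca" -out "$WORK/cacert.pem" 2>/dev/null
}

# Leaf certificate. The unnamed top section of the extfile is what
# "openssl x509 -req" reads when no -extensions name is given.
make_leaf() {
  openssl genrsa -out "$WORK/zed.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/zed.key" -subj "$DN/CN=$CN" \
    -out "$WORK/zed.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s, IP:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "$CN" "$SAN_IP" > "$WORK/san.cnf"
  openssl x509 -req -days 365 -in "$WORK/zed.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/zed.crt" 2>/dev/null
}

# Exit 0 only if zed.crt chains to cacert.pem AND its SAN covers the DNS name.
cert_valid_for_host() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
    "$WORK/zed.crt" >/dev/null 2>&1
}

# Same check for an IP literal, which matches only an IP: SAN entry.
cert_valid_for_ip() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_ip "$1" \
    "$WORK/zed.crt" >/dev/null 2>&1
}

make_ca
make_leaf
cert_valid_for_host "$CN" && echo "chain and SAN OK for $CN"
cert_valid_for_ip "$SAN_IP" && echo "chain and SAN OK for $SAN_IP"
```

A name that is not in the SAN (for example a second hostname added later to the Nginx front end) fails cert_valid_for_host even though the chain is fine, which is exactly the failure openstackclient reports when the certificate does not match OS_AUTH_URL.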
Part 9: Configure Apache

root@srv1:~# apt install apache2 -y
root@srv1:~# vim /etc/apache2/apache2.conf
......
#ServerRoot "/etc/apache2"
# Line 70: add the following
ServerName srv1.1000y.cloud
......

root@srv1:~# vim /etc/apache2/sites-available/keystone.conf
Listen 5000

<VirtualHost *:5000>
    # Lines 4-7 (inside the VirtualHost block): add the following
    SSLEngine On
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/ssl/private/zed.crt
    SSLCertificateKeyFile /etc/ssl/private/zed.key
    ......
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    ......
</VirtualHost>

root@srv1:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@srv1:~# systemctl restart apache2
Part 10: Set up the environment script and create a project
1) Set up the environment

root@srv1:~# vim ~/keystonerc
# Add the following to the new file
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=adminpassword
export OS_AUTH_URL=https://srv1.1000y.cloud:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1="\u@\h:\W(keystone)$ "
# A self-signed certificate requires the --insecure flag, so an alias is added.
alias openstack="openstack --insecure"

root@srv1:~# chmod 600 ~/keystonerc
root@srv1:~# source ~/keystonerc
root@srv1:~(keystone)# echo "source ~/keystonerc " >> ~/.bashrc

Note: --insecure turns off TLS certificate verification for every openstack command. Setting OS_CACERT to the path of cacert.pem instead lets the client verify the self-signed chain and keeps verification enabled.

2) Create a project and verify it

root@srv1:~(keystone)# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4fabd4d8316c40a398d6496c0a733caf |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
root@srv1:~(keystone)# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 4fabd4d8316c40a398d6496c0a733caf | service |
| 994a4a3e0fbc4f5891f38470e158e6b4 | admin   |
+----------------------------------+---------+