centos7+openstack (2) keystone configuration

Submitted by Lizhe on Mon, 07/10/2017 - 22:16

This article describes how to configure keystone.

First, generate a token:

[root@localhost ~]# openssl rand -hex 10
f0d1ce6d4da5928849fa

Edit /etc/keystone/keystone.conf:

admin_token = f0d1ce6d4da5928849fa
verbose = true

[database]
connection = mysql://keystone:keystone@192.168.1.151/keystone
# mysql://keystone:your_password_of_user_keystone@192.168.1.151/keystone
# change the password for a production environment

[memcache]
servers = 192.168.1.151:11211

[revoke]
driver = sql

[token]
provider = fernet
driver = memcache

That is a bit scattered, so compare against the whole file: there are 7 changes in total.

[root@localhost ~]# cat /etc/keystone/keystone.conf|grep -v "^#"|grep -v "^$"
[DEFAULT]
admin_token = f0d1ce6d4da5928849fa
verbose = true
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql://keystone:keystone@192.168.1.151/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
servers = 192.168.1.151:11211
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
driver = sql
[role]
[saml]
[signing]
[ssl]
[token]
provider = fernet
driver = memcache
[tokenless_auth]
[trust]

Then run:

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Create the database tables:

su -s /bin/sh -c "keystone-manage db_sync" keystone
The oslo_config.cfg error can be ignored. Also, if you are running as root like I am, you can drop the su -s:

[root@localhost ~]# /bin/sh -c "keystone-manage db_sync" keystone
No handlers could be found for logger "oslo_config.cfg"
[root@localhost ~]# 

A user named keystone, with password keystone, is created automatically here; test logging in:
mysql -h 192.168.1.151 -u keystone -p

Start memcached and enable it at boot:

systemctl enable memcached
systemctl start memcached

Next we configure httpd.

Edit /etc/httpd/conf/httpd.conf and give ServerName a value:

vi /etc/httpd/conf/httpd.conf
ServerName 172.168.151:80

Edit /etc/httpd/conf.d/wsgi-keystone.conf:

vi /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            # two separate directives; on one line Apache rejects the config
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Start httpd:

systemctl enable httpd
systemctl start httpd

If httpd does not start, disable SELinux or install openstack-selinux with yum install openstack-selinux.

Disable SELinux temporarily:
setenforce 0

Turn SELinux back on (temporarily, until the next reboot):
setenforce 1

Disable SELinux at boot:
edit /etc/selinux/config and set SELINUX to disabled.

Check the SELinux status:
run the getenforce command.

At this point, opening port 80 on the server should show that httpd is running.


We use the bootstrap admin token as the OS token for the initial configuration:

export OS_TOKEN=f0d1ce6d4da5928849fa
export OS_URL=http://192.168.1.151:35357/v3
export OS_IDENTITY_API_VERSION=3

Create a domain named default:

openstack domain create default

I ran into a small problem here.

At first I wanted to create the domain with the statement below, but the service on port 35357 returned a 500 error:
openstack domain create --description "Default Domain" default

I checked with tail -500f /var/log/httpd/keystone-error.log:

2017-07-09 23:50:36.665062 mod_wsgi (pid=13525): Target WSGI script '/usr/bin/keystone-wsgi-admin' cannot be loaded as Python module.
2017-07-09 23:50:36.665090 mod_wsgi (pid=13525): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-admin'.
2017-07-09 23:50:36.665108 Traceback (most recent call last):
2017-07-09 23:50:36.665121   File "/usr/bin/keystone-wsgi-admin", line 36, in <module>
2017-07-09 23:50:36.665147     application = initialize_admin_application()
2017-07-09 23:50:36.665154   File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 78, in initialize_admin_application
2017-07-09 23:50:36.665274     return initialize_application('admin')
2017-07-09 23:50:36.665282   File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 51, in initialize_application
2017-07-09 23:50:36.665292     common.configure()
2017-07-09 23:50:36.665296   File "/usr/lib/python2.7/site-packages/keystone/server/common.py", line 31, in configure
2017-07-09 23:50:36.665303     config.configure()
2017-07-09 23:50:36.665308   File "/usr/lib/python2.7/site-packages/keystone/common/config.py", line 1204, in configure
2017-07-09 23:50:36.665319     help='Do not monkey-patch threading system modules.'))
2017-07-09 23:50:36.665327   File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 1828, in __inner
2017-07-09 23:50:36.665344     result = f(self, *args, **kwargs)
2017-07-09 23:50:36.665348   File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2003, in register_cli_opt
2017-07-09 23:50:36.665354     raise ArgsAlreadyParsedError("cannot register CLI option")
2017-07-09 23:50:36.665370 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option

After removing the --description "Default Domain" argument and restarting httpd, the fault seemed to go away for no obvious reason.
Honestly I do not know the root cause this time; see the steps below:

[root@localhost ~]# curl http://192.168.1.151:35357
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
[root@localhost ~]# openstack domain create default
Internal Server Error (HTTP 500)
[root@localhost ~]# openstack domain create default
Internal Server Error (HTTP 500)
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# openstack domain create default
Conflict occurred attempting to store domain - Duplicate Entry (HTTP 409) (Request-ID: req-3ae96ef8-cfab-45bc-838c-5b980d0486fb)
[root@localhost ~]# openstack domain create --description "Default Domain" default
Conflict occurred attempting to store domain - Duplicate Entry (HTTP 409) (Request-ID: req-4623ed00-bd7e-4265-a8d5-c071562b3809)
[root@localhost ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | dfd06c2e4610414491056a6e1214f1ae |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@localhost ~]#

Create the admin user:

openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin

openstack role create admin
openstack role add --project admin --user admin admin

Create an ordinary user, demo:

openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password=demo demo

openstack role create user
openstack role add --project demo --user demo user

Create the service project, used to manage the other services:
openstack project create --domain default --description "Service Project" service


Create keystone's own service entry, used to manage the other services:

openstack service create --name keystone --description "OpenStack Identity" identity

Register the keystone endpoints; the three types below are public, internal and admin.
If you get one of these wrong, it can be deleted with openstack endpoint delete edacf5c1b1ee4633a64744401d466cb2.

openstack endpoint create --region RegionOne identity public http://192.168.1.151:5000/v2.0
openstack endpoint create --region RegionOne identity internal http://192.168.1.151:5000/v2.0
openstack endpoint create --region RegionOne identity admin http://192.168.1.151:35357/v2.0

Run openstack endpoint list to see the endpoints.

Test obtaining a token:

unset OS_TOKEN
unset OS_URL
openstack --os-auth-url http://192.168.1.151:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue

With that, keystone is installed and configured; we can see that a token was obtained from keystone successfully.


If errors occur during installation, check these two log files:

tail -500f /var/log/httpd/keystone-error.log

tail -500f /var/log/keystone/keystone.log

If obtaining a token returns a server 500 error:

2017-07-10 00:56:31.424 16257 INFO keystone.common.wsgi [req-ec8b183b-a8d4-42dd-8279-64aa49c52890 - - - - -] GET http://192.168.1.151:35357/v3/
2017-07-10 00:56:32.205 16258 INFO keystone.common.wsgi [req-77a3586d-158d-44f6-b9e8-ecb1d4b1bb86 - - - - -] POST http://192.168.1.151:35357/v3/auth/tokens
2017-07-10 00:56:32.357 16258 INFO keystone.common.kvs.core [req-77a3586d-158d-44f6-b9e8-ecb1d4b1bb86 - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2017-07-10 00:56:40.845 16258 WARNING keystone.common.wsgi [req-77a3586d-158d-44f6-b9e8-ecb1d4b1bb86 - - - - -] An unexpected error prevented the server from fulfilling your request.

2017-07-10 00:56:55.670 16255 INFO keystone.common.wsgi [req-8c5206c9-9acf-49a7-89b4-bfe08dcf540f - - - - -] GET http://192.168.1.151:35357/v3/
2017-07-10 00:56:55.699 16257 INFO keystone.common.wsgi [req-7e279e23-5dd5-49b2-9222-03f8d483b217 - - - - -] POST http://192.168.1.151:35357/v3/auth/tokens
2017-07-10 00:56:55.842 16257 INFO keystone.common.kvs.core [req-7e279e23-5dd5-49b2-9222-03f8d483b217 - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2017-07-10 00:57:04.113 16257 WARNING keystone.common.wsgi [req-7e279e23-5dd5-49b2-9222-03f8d483b217 - - - - -] An unexpected error prevented the server from fulfilling your request.

the provider in /etc/keystone/keystone.conf may have been set to uuid; after changing it to fernet, run

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone


[token]
...
provider = fernet
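As an added example (not part of the original post): a small POSIX shell audit that reads section-scoped values out of a keystone.conf-style file and checks the settings this walkthrough depends on, covering both the seven edits to keystone.conf at the top and the provider = uuid symptom in this last section. The function names (ini_get, token_provider_ok, bootstrap_token_present, fernet_keys_ok, audit, write_sample_conf) are chosen here, the sample config is constructed with a placeholder password, and the fernet key directory is whatever path you pass in.

```shell
# Added example, not from the original post: pull section-scoped keys out of a
# keystone.conf-style file and check the settings this walkthrough depends on.
# Assumes POSIX sh with awk and find; every path is a parameter.
# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION]
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { cur = $0; gsub(/[][ \t]/, "", cur); next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# 0 if [token] provider is fernet; the post traces its 500s to uuid here
token_provider_ok() { [ "$(ini_get "$1" token provider)" = fernet ]; }

# 0 if admin_token is still set in [DEFAULT]: needed only for the OS_TOKEN
# bootstrap, afterwards a standing shared secret that should be removed
bootstrap_token_present() { [ -n "$(ini_get "$1" DEFAULT admin_token)" ]; }

# 0 if DIR has the primary key "0" that keystone-manage fernet_setup writes
# and every key file still has the 0600 mode fernet_setup gives it
fernet_keys_ok() {
    [ -f "$1/0" ] && [ -z "$(find "$1" -type f ! -perm 600)" ]
}

# audit CONF KEYDIR: one line per finding, exit status = number of findings
audit() {
    n=0
    token_provider_ok "$1" || { echo "[token] provider is not fernet"; n=$((n+1)); }
    ! bootstrap_token_present "$1" || { echo "admin_token still set in [DEFAULT]"; n=$((n+1)); }
    fernet_keys_ok "$2" || { echo "$2: key 0 missing or a key file is not mode 0600"; n=$((n+1)); }
    return "$n"
}
# Constructed sample (placeholder password) with the post's [token] setting
write_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
admin_token = f0d1ce6d4da5928849fa
[database]
connection = mysql://keystone:CHANGE_ME@192.168.1.151/keystone
[token]
provider = fernet
EOF
}
```

On the host, run audit /etc/keystone/keystone.conf /etc/keystone/fernet-keys after fernet_setup; the exit status is the number of findings.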