OpenStack Multi-Node Deployment (4) - KeyStone

OpenStack Multi-Node Deployment (1) - Server Selection
OpenStack Multi-Node Deployment (2) - Operating System Installation
OpenStack Multi-Node Deployment (3) - Network Configuration
OpenStack Multi-Node Deployment (4) - KeyStone
OpenStack Multi-Node Deployment (5) - Nova
OpenStack Multi-Node Deployment (6) - Glance
After all the preparation in the previous parts, we finally get to the actual installation and deployment of the individual OpenStack components. We start with KeyStone, the component that handles user login (the identity service).
First, install the MySQL service and create a separate database user and password for each of Nova, Glance, Swift and the other components:
sudo apt-get install mysql-server python-mysqldb

During installation you will be prompted to set a root password; set it to mygreatsecret.
sudo sed -i '/bind-address/ s/127.0.0.1/0.0.0.0/' /etc/mysql/my.cnf
sudo restart mysql
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE nova;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER novadbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON nova.* TO 'novadbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'novadbadmin'@'%' = PASSWORD('novasecret');"
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE glance;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER glancedbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON glance.* TO 'glancedbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'glancedbadmin'@'%' = PASSWORD('glancesecret');"
sudo mysql -uroot -pmygreatsecret -e 'CREATE DATABASE keystone;'
sudo mysql -uroot -pmygreatsecret -e 'CREATE USER keystonedbadmin;'
sudo mysql -uroot -pmygreatsecret -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystonedbadmin'@'%';"
sudo mysql -uroot -pmygreatsecret -e "SET PASSWORD FOR 'keystonedbadmin'@'%' = PASSWORD('keystonesecret');"

Installing the KeyStone component
sudo apt-get install keystone python-keystone python-keystoneclient
sudo sed -i '/admin_token/ s/ADMIN/admin/' /etc/keystone/keystone.conf
sudo sed -i '/connection/ s/sqlite\:\/\/\/\/var\/lib\/keystone\/keystone.db/mysql\:\/\/keystonedbadmin\:keystonesecret@MYSQL_HOST\/keystone/' /etc/keystone/keystone.conf
# MYSQL_HOST is a placeholder: replace it with the IP address of the MySQL server set up above (keystonesecret is the keystonedbadmin password created earlier)
sudo service keystone restart
sudo keystone-manage db_sync
export SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export SERVICE_TOKEN=admin
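The admin_token written above ("admin") is a bootstrap credential: anyone who can reach the admin endpoint on port 35357 and knows it has full administrative control of Keystone, so it should be a random value rather than a guessable word. The script below is an added example, not part of the original post or of OpenStack; it generates a random token and rewrites the admin_token line in place of the page's s/ADMIN/admin/ substitution. It assumes the line has the form "admin_token = ADMIN" as in the default keystone.conf, and the function names gen_token, set_admin_token and get_admin_token are my own.

```shell
#!/bin/bash
# Added example (not from the original post): replace the static
# admin_token with a random value.  Assumes a keystone.conf line of the
# form "admin_token = ADMIN".  The config path is a parameter so the demo
# can run on a copy instead of the real /etc/keystone/keystone.conf.
set -e

# Print 32 hex characters (128 bits) drawn from /dev/urandom.
gen_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Rewrite the admin_token line of the given config file.
# $1 = path to keystone.conf (or a copy), $2 = new token value.
# Only the admin_token line is touched; leading whitespace and spaces
# around '=' are tolerated.  Writing through a temp file keeps the
# original file's owner and mode.
set_admin_token() {
    conf="$1"
    token="$2"
    tmp=$(mktemp)
    sed "s|^[[:space:]]*admin_token[[:space:]]*=.*|admin_token = ${token}|" "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Print the token currently configured in the file (first match only).
get_admin_token() {
    awk -F'=' '/^[[:space:]]*admin_token[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# Demo on a constructed copy of the relevant keystone.conf lines.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[DEFAULT]
# constructed sample, not a real keystone.conf
admin_token = ADMIN
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
EOF
NEW_TOKEN=$(gen_token)
set_admin_token "$demo_conf" "$NEW_TOKEN"
echo "admin_token is now: $(get_admin_token "$demo_conf")"
rm -f "$demo_conf"
```

For the real file, run the script as root (sudo bash) after backing up /etc/keystone/keystone.conf, pass /etc/keystone/keystone.conf to set_admin_token, then use the printed value for export SERVICE_TOKEN instead of admin and restart keystone as above.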

Next, following the documentation, create tenants (Tenants), users (Users) and roles (Roles), and finally associate tenants, users and roles with each other. Whatever object you create, its ID value is returned, and the following steps use those earlier IDs; for example, the command that associates a user with a role is:
keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $TENANT_ID

Here $USER_ID, $ROLE_ID and so on are the IDs returned when the user or role was created earlier.
For example, to create a user:
keystone user-create --name admin --pass admin --email admin@example.com

Then look up its ID:
keystone user-list
+----------------------------------+---------+-------------------+--------+
|                id                | enabled |       email       |  name  |
+----------------------------------+---------+-------------------+--------+
| b3de3aeec2544f0f90b9cbfe8b8b7acd | True    | admin@example.com | admin  |
| ce8cd56ca8824f5d845ba6ed015e9494 | True    | nova@example.com  | nova   |
+----------------------------------+---------+-------------------+--------+

The user named admin that we created above is listed; the next step needs this ID.
Doing everything this way is tedious, and copying IDs by hand like this easily leads to mistakes, so we use a script to carry out the operations above, plus the service endpoint setup, automatically.
Script download address
#!/bin/bash
#
# Initial data for Keystone using python-keystoneclient
#
# Tenant               User      Roles
# ------------------------------------------------------------------
# admin                admin     admin
# service              glance    admin
# service              nova      admin, [ResellerAdmin (swift only)]
# service              quantum   admin        # if enabled
# service              swift     admin        # if enabled
# service              cinder    admin        # if enabled
# service              heat      admin        # if enabled
# demo                 admin     admin
# demo                 demo      Member, anotherrole
# invisible_to_admin   demo      Member
# Tempest Only:
# alt_demo             alt_demo  Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# SERVICE_HOST - host used for endpoint creation
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
# KEYSTONE_CATALOG_BACKEND - used to determine service catalog creation
# Defaults
SERVICE_HOST=${SERVICE_HOST:-192.168.3.1}
# set SERVICE_HOST to the IP address of the machine running Keystone
SERVICE_TOKEN=${SERVICE_TOKEN:-admin}
SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://localhost:35357/v2.0}
export SERVICE_TOKEN=$SERVICE_TOKEN
export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}

function get_id () {
    # run the keystone command given as "$@" and print the value from the
    # "| id | <value> |" row of the table it returns (4th whitespace field)
    echo `"$@" | awk '/ id / { print $4 }'`
}


# Tenants
# -------

ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)


# Users
# -----

# the example.com addresses are placeholders; use real contact addresses
ADMIN_USER=$(get_id keystone user-create --name=admin \
                                         --pass=admin \
                                         --email=admin@example.com)
NOVA_USER=$(get_id keystone user-create --name=nova \
                                        --pass=nova \
                                        --email=nova@example.com)
GLANCE_USER=$(get_id keystone user-create --name=glance \
                                          --pass=glance \
                                          --email=glance@example.com)
SWIFT_USER=$(get_id keystone user-create --name=swift \
                                         --pass=swift \
                                         --email=swift@example.com)
# Roles
# -----

ADMIN_ROLE=$(get_id keystone role-create --name=admin)
# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
MEMBER_ROLE=$(get_id keystone role-create --name=Member)


# Add Roles to Users in Tenants
keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user_id $NOVA_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
keystone user-role-add --user_id $GLANCE_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT
keystone user-role-add --user_id $SWIFT_USER --role_id $ADMIN_ROLE --tenant_id $SERVICE_TENANT

# The Member role is used by Horizon and Swift so we need to keep it:
keystone user-role-add --user_id $ADMIN_USER --role_id $MEMBER_ROLE --tenant_id $ADMIN_TENANT


# Services
# --------

# Keystone

        KEYSTONE_SERVICE=$(get_id keystone service-create \
            --name=keystone \
            --type=identity \
            --description="Keystone Identity Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id $KEYSTONE_SERVICE \
            --publicurl "http://$SERVICE_HOST:5000/v2.0" \
            --adminurl "http://$SERVICE_HOST:35357/v2.0" \
            --internalurl "http://$SERVICE_HOST:5000/v2.0"


# Nova
        NOVA_SERVICE=$(get_id keystone service-create \
            --name=nova \
            --type=compute \
            --description="Nova Compute Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id $NOVA_SERVICE \
            --publicurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s" \
            --internalurl "http://$SERVICE_HOST:8774/v2/\$(tenant_id)s"

    # Nova needs ResellerAdmin role to download images when accessing
    # swift through the s3 api. The admin role in swift allows a user
    # to act as an admin for their tenant, but ResellerAdmin is needed
    # for a user to act as any tenant. The name of this role is also
    # configurable in swift-proxy.conf
    #RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
    #keystone user-role-add \
    #    --tenant_id $SERVICE_TENANT \
    #    --user_id $NOVA_USER \
    #    --role_id $RESELLER_ROLE

			
# Volume
        VOLUME_SERVICE=$(get_id keystone service-create \
            --name=volume \
            --type=volume \
            --description="Volume Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id $VOLUME_SERVICE \
            --publicurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s" \
            --internalurl "http://$SERVICE_HOST:8776/v1/\$(tenant_id)s"




# Glance
        GLANCE_SERVICE=$(get_id keystone service-create \
            --name=glance \
            --type=image \
            --description="Glance Image Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id $GLANCE_SERVICE \
            --publicurl "http://$SERVICE_HOST:9292/v1" \
            --adminurl "http://$SERVICE_HOST:9292/v1" \
            --internalurl "http://$SERVICE_HOST:9292/v1"


# Swift
        SWIFT_SERVICE=$(get_id keystone service-create \
            --name=swift \
            --type="object-store" \
            --description="Swift Service")
        keystone endpoint-create \
            --region RegionOne \
            --service_id $SWIFT_SERVICE \
            --publicurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s" \
            --adminurl "http://$SERVICE_HOST:8080/v1" \
            --internalurl "http://$SERVICE_HOST:8080/v1/AUTH_\$(tenant_id)s"



# EC2
        EC2_SERVICE=$(get_id keystone service-create \
            --name=ec2 \
            --type=ec2 \
            --description="EC2 Compatibility Layer")
        keystone endpoint-create \
            --region RegionOne \
            --service_id $EC2_SERVICE \
            --publicurl "http://$SERVICE_HOST:8773/services/Cloud" \
            --adminurl "http://$SERVICE_HOST:8773/services/Admin" \
            --internalurl "http://$SERVICE_HOST:8773/services/Cloud"

Finally, verify that KeyStone is installed correctly with the following commands:
keystone tenant-list
keystone user-list
keystone role-list
keystone service-list
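The get_id function in the script above matches any output line containing " id " and prints its fourth whitespace-separated field; if a keystone command fails, get_id silently returns an empty string and the later user-role-add calls run with an empty --tenant_id or --role_id. The script below is an added example, not part of the original post or of python-keystoneclient: it shows a stricter parser for the same Property/Value table and a check that turns the final tenant-list / user-list / service-list step into a pass/fail test. The function names extract_id, table_column and check_present and the sample tables are mine; the table layout assumed is the one the Essex-era keystone CLI prints, as shown earlier on this page.

```shell
#!/bin/bash
# Added example (not from the original post): a stricter get_id and a
# catalog check.  Assumes the "| Property | Value |" and list tables
# printed by the old keystone CLI; the samples below are constructed.
set -e

# Read a Property/Value table on stdin and print the Value of the "id"
# row.  Fails (non-zero) when no id row exists, so under set -e the
# calling script stops instead of continuing with an empty id.
extract_id() {
    id=$(awk -F'|' '{
            p = $2; gsub(/[[:space:]]/, "", p)
            if (p == "id") { v = $3; gsub(/[[:space:]]/, "", v); print v; exit }
        }')
    [ -n "$id" ] || { echo "extract_id: no id in output" >&2; return 1; }
    echo "$id"
}

# Read a list table on stdin and print one trimmed value per row from
# the column whose header is $1 (e.g. name, type).
table_column() {
    awk -F'|' -v want="$1" '
        /^[+]/ { next }                     # skip the +----+ border lines
        {
            for (i = 2; i < NF; i++) {      # cells between the outer pipes
                f[i] = $i
                sub(/^[[:space:]]+/, "", f[i])
                sub(/[[:space:]]+$/, "", f[i])
            }
            if (col == 0) {                 # first non-border row is the header
                for (i = 2; i < NF; i++) if (f[i] == want) col = i
                if (col == 0) exit 1        # no such column
                next
            }
            print f[col]
        }'
}

# $1 = column name, remaining args = values that must appear in it.
# Table on stdin.  Reports every missing value and returns non-zero.
check_present() {
    col="$1"; shift
    have=$(table_column "$col")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx -- "$want"; then
            echo "missing: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `keystone tenant-create --name=admin` output.
TENANT_CREATE_OUT='+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | 3aae8c0e1b6a4f1b9c2d7e5f6a7b8c9d |
| name        | admin                            |
+-------------+----------------------------------+'

# Constructed sample of `keystone service-list` output.
SERVICE_LIST_OUT='+----------------------------------+----------+--------------+---------------------------+
|                id                |   name   |     type     |        description        |
+----------------------------------+----------+--------------+---------------------------+
| 0f1e2d3c4b5a69788796a5b4c3d2e1f0 | keystone | identity     | Keystone Identity Service |
| 1a2b3c4d5e6f708192a3b4c5d6e7f809 | nova     | compute      | Nova Compute Service      |
| 2b3c4d5e6f708192a3b4c5d6e7f8091a | glance   | image        | Glance Image Service      |
+----------------------------------+----------+--------------+---------------------------+'

# Demo on the constructed samples.
ADMIN_TENANT=$(printf '%s\n' "$TENANT_CREATE_OUT" | extract_id)
echo "admin tenant id: $ADMIN_TENANT"
if printf '%s\n' "$SERVICE_LIST_OUT" | check_present name keystone nova glance; then
    echo "all expected services registered"
fi
```

In the script, replace `ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)` with `ADMIN_TENANT=$(keystone tenant-create --name=admin | extract_id)` (and likewise for the users, roles and services); with set -e the script then stops at the first failed create instead of continuing with empty IDs. For the final check, `keystone service-list | check_present name keystone nova volume glance swift ec2` returns non-zero and names each service the script failed to register.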

That concludes the deployment of KeyStone.
