Identity service (Keystone)
Install and configure
Prerequisites
mysql -u root -p
ROOT_DBPASS
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
exit
Install and configure components
dnf -y install openstack-keystone httpd python3-mod_wsgi
cp -p /etc/keystone/keystone.conf{,_org}
ls -l /etc/keystone/keystone.conf{,_org}
cat << EOF > /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@ctr01/keystone
[token]
provider = fernet
EOF
cat /etc/keystone/keystone.conf
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://ctr01:5000/v3/ \
  --bootstrap-internal-url http://ctr01:5000/v3/ \
  --bootstrap-public-url http://ctr01:5000/v3/ \
  --bootstrap-region-id RegionOne
Configure the Apache HTTP server
cp -p /etc/httpd/conf/httpd.conf{,_org}
ls -l /etc/httpd/conf/httpd.conf{,_org}
sed -i 's/#ServerName www.example.com:80/ServerName ctr01/g' /etc/httpd/conf/httpd.conf
diff /etc/httpd/conf/httpd.conf{,_org}
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Finalize the installation
systemctl enable --now httpd.service
systemctl status --no-pager -l httpd.service
systemctl is-active httpd.service
systemctl is-enabled httpd.service
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://ctr01:5000/v3
export OS_IDENTITY_API_VERSION=3
Create a domain, projects, users, and roles
Create the service project.
openstack project create --domain default --description "Service Project" service
Create a test domain, project, user, and role.
Somehow the word "demo" didn't feel right to me, so I went with "test".
openstack domain create --description "Test Domain" testdomain
openstack project create --domain default --description "Test Project" testproject
openstack user create --domain default --password TEST_PASS testuser
openstack role create testrole
openstack role add --project testproject --user testuser testrole
Verify operation
unset OS_AUTH_URL OS_PASSWORD
Test authentication as the admin user.
openstack --os-auth-url http://ctr01:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
ADMIN_PASS
Test authentication as the testuser user.
openstack --os-auth-url http://ctr01:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name testproject --os-username testuser token issue
TEST_PASS
Create OpenStack client environment scripts
Creating the scripts
Create a simple authentication script for the admin user.
cat << EOF > ~/admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://ctr01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W(admin-openrc)]# '
EOF
chmod 600 ~/admin-openrc
Create a simple authentication script for the test user.
cat << EOF > ~/test-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=testproject
export OS_USERNAME=testuser
export OS_PASSWORD=TEST_PASS
export OS_AUTH_URL=http://ctr01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W(test-openrc)]\$ '
EOF
chmod 600 ~/test-openrc
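The client environment scripts created above hold OS_PASSWORD in plain text, which is why they are set to mode 600. As an added example (not part of the original article), the shell function below checks that such a file is a regular file, owned by the invoking user, with no group or other permission bits. The names audit_openrc and demo are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: audit openrc credential files.
# Assumes GNU stat (coreutils). audit_openrc and demo are hypothetical names.

# audit_openrc FILE... : print one line per finding; return 0 only if all pass.
audit_openrc() {
    rc=0
    for f in "$@"; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL $f: missing, or not a regular file"
            rc=1
            continue
        fi
        # Only files that hold a password need to be private.
        if ! grep -q '^export OS_PASSWORD=' "$f"; then
            echo "SKIP $f: no OS_PASSWORD line"
            continue
        fi
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%u' "$f")
        # Any group/other bit gives other local accounts access to the file.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FAIL $f: mode $mode allows group/other access (expected 600)"
            rc=1
        fi
        if [ "$owner" != "$(id -u)" ]; then
            echo "FAIL $f: owned by uid $owner, not the invoking user"
            rc=1
        fi
    done
    return $rc
}

# demo: constructed sample files in a temp directory, one at 600 and one at 644.
# Returns 0 when the audit accepts the 600 file and rejects the 644 file.
demo() {
    d=$(mktemp -d) || return 2
    printf 'export OS_USERNAME=admin\nexport OS_PASSWORD=ADMIN_PASS\n' > "$d/admin-openrc"
    cp "$d/admin-openrc" "$d/test-openrc"
    chmod 600 "$d/admin-openrc"
    chmod 644 "$d/test-openrc"
    audit_openrc "$d/admin-openrc" && ! audit_openrc "$d/test-openrc"
    result=$?
    rm -rf "$d"
    return $result
}
```

On the controller it would be called as audit_openrc ~/admin-openrc ~/test-openrc; a non-zero return means at least one file needs attention.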
Using the scripts
Verify that it works.
. ~/admin-openrc
openstack token issue
Verify that it works.
. ~/test-openrc
openstack token issue
Musings
I regret changing demo to test.