python openstack oslo_config使用_centos7+openstack (2) keystone配置
这篇文章内容主要描述如何配置keystone
先生成一个随机的 admin_token (这是 keystone 的引导令牌, 下面会写进 keystone.conf, 后面还会作为 OS_TOKEN 使用, 注意保管)
[root@localhost ~]# openssl rand -hex 10
f0d1ce6d4da5928849fa
修改/etc/keystone/keystone.conf
admin_token = f0d1ce6d4da5928849fa
verbose = true
[database]
connection = mysql://keystone:keystone@192.168.1.151/keystone
# mysql://keystone:your_password_of_user_keystone@192.168.1.151/keystone
# 生产环境要换成强密码, 不要沿用示例里的 keystone
[memcache]
servers = 192.168.1.151:11211
[revoke]
driver = sql
[token]
provider = fernet
driver = memcache
内容有点乱, 再对比一下,一共7处改动
[root@localhost ~]# cat /etc/keystone/keystone.conf|grep -v "^#"|grep -v "^$"
[DEFAULT]
admin_token = f0d1ce6d4da5928849fa
verbose = true
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql://keystone:keystone@192.168.1.151/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[eventlet_server_ssl]
[federation]
[fernet_tokens]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
servers = 192.168.1.151:11211
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
driver = sql
[role]
[saml]
[signing]
[ssl]
[token]
provider = fernet
driver = memcache
[tokenless_auth]
[trust]
调用
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
创建数据库表
su -s /bin/sh -c "keystone-manage db_sync" keystone
下面那条 No handlers could be found for logger "oslo_config.cfg" 的提示可以忽略; 另外如果你像我一样使用 root 用户, 可以省略 su -s (这时命令末尾的 keystone 只是传给 sh 的 $0, 不再是用户名)。不过 httpd 里的 keystone 进程是以 keystone 用户运行的, 以 root 执行后最好确认 /var/log/keystone 等目录下文件的属主仍然是 keystone。
[root@localhost ~]# /bin/sh -c "keystone-manage db_sync" keystone
No handlers could be found for logger "oslo_config.cfg"
[root@localhost ~]#
这里会自动创建一个名为keystone的用户,密码也是keystone,测试一下登录
mysql -h 192.168.1.151 -u keystone -p
启动并且设置开机启动memcached
systemctl enable memcached
systemctl start memcached
下面我们来配置httpd
修改/etc/httpd/conf/httpd.conf , 给ServerName加个值
vi /etc/httpd/conf/httpd.conf
ServerName 172.168.151:80
修改 /etc/httpd/conf.d/wsgi-keystone.conf
vi /etc/httpd/conf.d/wsgi-keystone.conf
(页面把 &lt;VirtualHost&gt;/&lt;IfVersion&gt;/&lt;Directory&gt; 这些标签吞掉了, 下面按 OpenStack 安装指南的标准模板补回, 指令内容和原文一致)
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
启动httpd
systemctl enable httpd
systemctl start httpd
如果 httpd 起不来, 优先安装 openstack-selinux (yum install openstack-selinux); 关闭 SELinux 只适合临时排错, 不要作为长期方案
临时关闭SELinux
setenforce 0
临时打开SELinux
setenforce 1
开机关闭SELinux
编辑/etc/selinux/config文件,将SELINUX的值设置为disabled
查看SELinux状态
执行getenforce命令
此时访问服务器的80端口应该可以看到http已经启动了
初始化配置需要用前面生成的 admin_token 作为 OS_TOKEN 直接访问 35357 管理端口
export OS_TOKEN=f0d1ce6d4da5928849fa
export OS_URL=http://192.168.1.151:35357/v3
export OS_IDENTITY_API_VERSION=3
创建名为default的domain
openstack domain create default
这里我遇到一点小问题
起初我要使用下面的语句创建 domain, 但是 35357 服务端口报了 500 错误
openstack domain create --description "Default Domain" default
检查tail -500f /var/log/httpd/keystone-error.log
2017-07-09 23:50:36.665062 mod_wsgi (pid=13525): Target WSGI script '/usr/bin/keystone-wsgi-admin' cannot be loaded as Python module.
2017-07-09 23:50:36.665090 mod_wsgi (pid=13525): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-admin'.
2017-07-09 23:50:36.665108 Traceback (most recent call last):
2017-07-09 23:50:36.665121 File "/usr/bin/keystone-wsgi-admin", line 36, in <module>
2017-07-09 23:50:36.665147 application = initialize_admin_application()
2017-07-09 23:50:36.665154 File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 78, in initialize_admin_application
2017-07-09 23:50:36.665274 return initialize_application('admin')
2017-07-09 23:50:36.665282 File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 51, in initialize_application
2017-07-09 23:50:36.665292 common.configure()
2017-07-09 23:50:36.665296 File "/usr/lib/python2.7/site-packages/keystone/server/common.py", line 31, in configure
2017-07-09 23:50:36.665303 config.configure()
2017-07-09 23:50:36.665308 File "/usr/lib/python2.7/site-packages/keystone/common/config.py", line 1204, in configure
2017-07-09 23:50:36.665319 help='Do not monkey-patch threading system modules.'))
2017-07-09 23:50:36.665327 File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 1828, in __inner
2017-07-09 23:50:36.665344 result = f(self, *args, **kwargs)
2017-07-09 23:50:36.665348 File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2003, in register_cli_opt
2017-07-09 23:50:36.665354 raise ArgsAlreadyParsedError("cannot register CLI option")
2017-07-09 23:50:36.665370 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
去掉参数--description "Default Domain"之后,重启了一下httpd,莫名其妙好像故障消除了
其实这次我不太清楚 root cause。从下面的记录看, 重启 httpd 之后两条 create 都返回 409 Duplicate Entry, 说明 default 域此时已经存在, 所以后面的冲突是正常的, 真正被重启修复的是 wsgi 脚本加载失败(上面 ArgsAlreadyParsedError 那段)。参考下面步骤
[root@localhost ~]# curl http://192.168.1.151:35357
500 Internal Server Error
Internal Server Error
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator at
root@localhost to inform them of the time this error occurred,
and the actions you performed just before this error.
More information about this error may be available
in the server error log.
[root@localhost ~]# openstack domain create default
Internal Server Error (HTTP 500)
[root@localhost ~]# openstack domain create default
Internal Server Error (HTTP 500)
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# openstack domain create default
Conflict occurred attempting to store domain - Duplicate Entry (HTTP 409) (Request-ID: req-3ae96ef8-cfab-45bc-838c-5b980d0486fb)
[root@localhost ~]# openstack domain create --description "Default Domain" default
Conflict occurred attempting to store domain - Duplicate Entry (HTTP 409) (Request-ID: req-4623ed00-bd7e-4265-a8d5-c071562b3809)
[root@localhost ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | default |
| enabled | True |
| id | dfd06c2e4610414491056a6e1214f1ae |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
[root@localhost ~]#
创建admin用户
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
创建一个普通用户demo
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password=demo demo
openstack role create user
openstack role add --project demo --user demo user
创建 service 项目,用来管理其他服务用
openstack project create --domain default --description "Service Project" service
在服务目录里创建 keystone 自身的 identity 服务条目(注意这是 service create, 不是 project)
openstack service create --name keystone --description "OpenStack Identity" identity
注册 keystone 服务的端点, 以下三种类型分别为公共的、内部的、管理的。注意这里注册的 URL 是 v2.0, 而前面的 OS_URL 和后面 token issue 用的是 v3, 后续其他服务访问 keystone 时要和实际使用的 API 版本保持一致。
下面的内容如果填错了, 可以用 openstack endpoint delete <endpoint id> 删除 (例如 openstack endpoint delete edacf5c1b1ee4633a64744401d466cb2)
openstack endpoint create --region RegionOne identity public http://192.168.1.151:5000/v2.0
openstack endpoint create --region RegionOne identity internal http://192.168.1.151:5000/v2.0
openstack endpoint create --region RegionOne identity admin http://192.168.1.151:35357/v2.0
执行 openstack endpoint list 可以看到刚注册的三个端点
测试获取token
unset OS_TOKEN
unset OS_URL
openstack --os-auth-url http://192.168.1.151:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue
到此 keystone 就算安装配置完成了, 我们可以看到成功地从 keystone 获取了 token。前面的 admin_token 不需要密码就能创建域、用户和角色, 初始化完成后建议把 keystone.conf 里的这一项删掉或换掉, 不要留在生产环境里。
如果安装过程中出现错误, 请检查下面两个log文件
tail -500f /var/log/httpd/keystone-error.log
tail -500f /var/log/keystone/keystone.log
如果获取token出现了服务器500错误
2017-07-10 00:56:31.424 16257 INFO keystone.common.wsgi [req-ec8b183b-a8d4-42dd-8279-64aa49c52890 - - - - -] GET http://192.168.1.151:35357/v3/
2017-07-10 00:56:32.205 16258 INFO keystone.common.wsgi [req-77a3586d-158d-44f6-b9e8-ecb1d4b1bb86 - - - - -] POST http://192.168.1.151:35357/v3/auth/tokens
2017-07-10 00:56:32.357 16258 INFO keystone.common.kvs.core [req-77a3586d-158d-44f6-b9e8-ecb1d4b1bb86 - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2017-07-10 00:56:40.845 16258 WARNING keystone.common.wsgi [req-77a3586d-158d-44f6-b9e8-ecb1d4b1bb86 - - - - -] An unexpected error prevented the server from fulfilling your request.
2017-07-10 00:56:55.670 16255 INFO keystone.common.wsgi [req-8c5206c9-9acf-49a7-89b4-bfe08dcf540f - - - - -] GET http://192.168.1.151:35357/v3/
2017-07-10 00:56:55.699 16257 INFO keystone.common.wsgi [req-7e279e23-5dd5-49b2-9222-03f8d483b217 - - - - -] POST http://192.168.1.151:35357/v3/auth/tokens
2017-07-10 00:56:55.842 16257 INFO keystone.common.kvs.core [req-7e279e23-5dd5-49b2-9222-03f8d483b217 - - - - -] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2017-07-10 00:57:04.113 16257 WARNING keystone.common.wsgi [req-7e279e23-5dd5-49b2-9222-03f8d483b217 - - - - -] An unexpected error prevented the server from fulfilling your request.
有可能是/etc/keystone/keystone.conf文件中的provider写成了uuid, 换成fernet之后调用
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[token]
...
provider = fernet
