keystone installation for Ussuri
Create the database
code:sql
CREATE DATABASE keystone;
Create the user
Replace KEYSTONE_DBPASS with a suitable password
code:sql
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
Install the components
code:shell
# dnf install openstack-keystone httpd python3-mod_wsgi
Edit /etc/keystone/keystone.conf
[database] section
[token] section
code:shell
# diff -u /etc/keystone/keystone.conf.org /etc/keystone/keystone.conf
--- /etc/keystone/keystone.conf.org 2020-05-13 21:39:31.000000000 +0900
+++ /etc/keystone/keystone.conf 2020-07-27 22:46:54.354577564 +0900
@@ -570,7 +570,7 @@
# Deprecated group/name - DEFAULT/sql_connection # Deprecated group/name - DATABASE/sql_connection # Deprecated group/name - sql/connection -#connection = <None>
+connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
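Review bot: the `+connection =` line stores the database password in clear text, so /etc/keystone/keystone.conf must stay readable only by root and the keystone group (the package default), and KEYSTONE_DBPASS has to be replaced with the same value used in the GRANT statements above; `controller` in the URL must also resolve to this host (hosts entry or DNS), otherwise db_sync cannot reach the database.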
@@ -2416,6 +2416,7 @@
+provider = fernet
#
# From keystone
#
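Review bot: the context around `+provider = fernet` shows no section header, so confirm the line sits under `[token]` as the note above intends and not in an adjacent section; in Ussuri fernet is already the default token provider, so the explicit line documents the choice rather than changing behaviour, and the key directory that `keystone-manage fernet_setup` creates is still required before any token can be issued.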
Populate the Identity service database
code:shell
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Log in to MySQL and confirm that the keystone database has been populated
Initialize the Fernet keys
code:shell
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service
Replace ADMIN_PASS with a suitable password. As written, the command creates the admin user, project and role but registers no endpoints in the service catalog, because the --bootstrap-admin-url, --bootstrap-internal-url and --bootstrap-public-url options are not given.
code:shell
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-region-id RegionOne
Configure the Apache HTTP Server
Edit ServerName
code:shell
# diff -u /etc/httpd/conf/httpd.conf.org /etc/httpd/conf/httpd.conf
--- /etc/httpd/conf/httpd.conf.org 2020-06-09 05:12:30.000000000 +0900
+++ /etc/httpd/conf/httpd.conf 2020-07-27 22:59:01.809378476 +0900
@@ -95,7 +95,7 @@
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
-#ServerName www.example.com:80
+ServerName controller
#
# Deny access to the entirety of your server's filesystem. You must
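Review bot: `+ServerName controller` drops the `:80` port suffix of the commented example, which is fine since httpd falls back to the Listen port, but `controller` has to resolve to an address of this host (hosts entry or DNS) or httpd logs the "Could not reliably determine the server's fully qualified domain name" warning at startup.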
Create a symbolic link to /usr/share/keystone/wsgi-keystone.conf
code:shell
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Enable at boot and start
code:shell
# systemctl enable httpd.service
# systemctl start httpd.service
Create the environment variables
ADMIN_PASS is the password set earlier. The OS_AUTH_URL line is assumed here (Keystone's standard endpoint on controller, port 5000): the openstack client needs it, and the unset step in the verification section expects it to be set.
code:shell
# cat ~/.keystonerc
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://controller:5000/v3
Load it
code:shell
# chmod 600 ~/.keystonerc
# source ~/.keystonerc
# echo "source ~/.keystonerc" >> ~/.bash_profile
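A post-install check for the files this procedure leaves behind, added here as an example and not part of the original note or of Keystone itself: it verifies that keystone.conf (which holds the database password in clear text) is not world-readable and no longer contains the KEYSTONE_DBPASS placeholder, that an active mysql+pymysql connection line exists, that the fernet-keys and credential-keys directories created by fernet_setup and credential_setup exist with mode 700, and that the rc file is mode 600 without the ADMIN_PASS placeholder. The function name keystone_hardening_check and its two path arguments are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Post-install check for the Keystone files configured above (example code, not
# part of Keystone). Arguments (assumed): $1 = directory standing in for
# /etc/keystone, $2 = the rc file standing in for ~/.keystonerc.
# Prints one line per finding and returns the number of findings.
keystone_hardening_check() {
  etc="$1"; rc="$2"; findings=0
  # keystone.conf holds the DB password in clear text: group-readable at most.
  mode=$(stat -c '%a' "$etc/keystone.conf")
  case "$mode" in
    *[1-7]) echo "keystone.conf is world-readable (mode $mode)"; findings=$((findings+1));;
  esac
  # The placeholder password from the GRANT step must have been replaced.
  if grep -q 'KEYSTONE_DBPASS' "$etc/keystone.conf"; then
    echo "keystone.conf still contains the KEYSTONE_DBPASS placeholder"; findings=$((findings+1))
  fi
  # A connection line that is still commented out means db_sync never reaches MariaDB.
  if ! grep -Eq '^connection *= *mysql[+]pymysql://' "$etc/keystone.conf"; then
    echo "no active mysql+pymysql connection line in keystone.conf"; findings=$((findings+1))
  fi
  # fernet_setup / credential_setup create these directories with mode 700;
  # anyone who can read the keys can mint tokens or decrypt stored credentials.
  for d in fernet-keys credential-keys; do
    if [ ! -d "$etc/$d" ]; then
      echo "$d missing: run keystone-manage ${d%-keys}_setup"; findings=$((findings+1))
    elif [ "$(stat -c '%a' "$etc/$d")" != "700" ]; then
      echo "$d is not mode 700"; findings=$((findings+1))
    fi
  done
  # The rc file holds the admin password: mode 600 and no placeholder left.
  if [ "$(stat -c '%a' "$rc")" != "600" ]; then
    echo "rc file is not mode 600"; findings=$((findings+1))
  fi
  if grep -q 'OS_PASSWORD=ADMIN_PASS' "$rc"; then
    echo "rc file still contains the ADMIN_PASS placeholder"; findings=$((findings+1))
  fi
  return "$findings"
}
# On the controller, as root: keystone_hardening_check /etc/keystone ~/.keystonerc
```

A non-zero exit status is the number of findings, so the check can gate a configuration-management run.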
Create a domain, projects, users, and roles
Create a domain
code:shell
# openstack domain create --description "An Private Domain" home
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Private Domain |
| enabled | True |
| id | bag0fa5th56a18b7f850c489b3aaqf3b |
| name | home |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
Create the service project
code:shell
# openstack project create --domain home --description "Service Project" service
Create an unprivileged project (myproject) and user (myuser)
Project
code:shell
# openstack project create --domain default \
--description "Demo Project" myproject
User
code:shell
# openstack user create --domain default --password-prompt myuser
Role
code:shell
# openstack role create myrole
Assign the role to the user on the project
code:shell
# openstack role add --project myproject --user myuser myrole
Verify operation
Unset the environment variables
code:shell
# unset OS_AUTH_URL OS_PASSWORD
Request an authentication token as admin (the leading `openstack --os-auth-url http://controller:5000/v3` line is assumed: Keystone's standard endpoint on controller, port 5000)
code:shell
# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Request an authentication token as myuser (same assumed `--os-auth-url` as for admin)
code:shell
# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue
Create OpenStack client environment scripts
Logs
/var/log/keystone/keystone.log
/var/log/httpd/keystone.log