
[Openstack - Train] Installing on CentOS (2) - Keystone

louky 2019. 11. 1. 11:59

For the installation work, temporarily set the following environment variables.

 

  • DB_USER="root"
  • DB_PASSWD="root.123"

 

1) Create the DB

## Check before creating the DB
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} -e " show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+

## Create the DB
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} -e "create database keystone;"

## Check after creating the DB
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} -e " show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+

2) Set DB privileges

[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';"
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone.123';"

## Check after setting privileges
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} mysql -e "select Host,User,Password from user where User='keystone';"
+-----------+----------+-------------------------------------------+
| Host      | User     | Password                                  |
+-----------+----------+-------------------------------------------+
| localhost | keystone | *7EFEFF4FE203219F527165E70032E6F7E6       |
| %         | keystone | *7EFEFF4FE203219F527165E70032E6F7E6       |
+-----------+----------+-------------------------------------------+
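As an added example (not from the original post), the shell functions below audit the grant table above: they flag any `keystone` grant whose Host is the `%` wildcard, which allows the Keystone DB account to log in from every host rather than only from the controller, and emit a GRANT restricted to one host instead. The sample table is a constructed copy of the output shown above, and the function names are my own.

```shell
# Constructed copy of the "select Host,User,Password from user" output above.
SAMPLE_GRANTS='+-----------+----------+-------------------------------------------+
| Host      | User     | Password                                  |
+-----------+----------+-------------------------------------------+
| localhost | keystone | *7EFEFF4FE203219F527165E70032E6F7E6       |
| %         | keystone | *7EFEFF4FE203219F527165E70032E6F7E6       |
+-----------+----------+-------------------------------------------+'

# audit_wildcard_hosts: read the mysql table from stdin, print "user@%" for every
# row whose Host column is the wildcard, and return 1 if any such row exists.
# Against a live server:
#   mysql -u"$DB_USER" -p"$DB_PASSWD" mysql \
#       -e "select Host,User,Password from user where User='keystone';" | audit_wildcard_hosts
audit_wildcard_hosts() {
    awk -F'|' '
        /^\+/                  { next }   # border rows
        $2 ~ /^ *Host *$/      { next }   # header row
        {
            host = $2; user = $3
            gsub(/^ +| +$/, "", host); gsub(/^ +| +$/, "", user)
            if (host == "%") { print user "@" host; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# keystone_grant_sql HOST PASSWORD: print a GRANT limited to one client host
# (the controller hostname or IP) in place of the "%" wildcard used above.
keystone_grant_sql() {
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%s' IDENTIFIED BY '%s';\n" "$1" "$2"
}
```

On a single-node install the Keystone service connects through the `controller` hostname, so a grant for `'keystone'@'controller'` (or the controller's management IP) is enough; the `localhost` grant stays for local maintenance.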

 

3) Install packages

[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi

 

4) Configure

- Back up the original file.

In my case, I renamed the file so that I could work on it with the commented-out parts removed.

[root@controller ~]# mv /etc/keystone/keystone.conf /etc/keystone/keystone.conf.orig

- Edit the config.

 

#### After the rename, this command strips the commented-out lines and redirects the result back to the original file name.
[root@controller ~]# cat /etc/keystone/keystone.conf.orig | grep -Ev "^#|^$" | sed  -e "s/^\[/\n\[/g"  > /etc/keystone/keystone.conf

[root@controller ~]# cat /etc/keystone/keystone.conf
[DEFAULT]

[application_credential]

[assignment]

[auth]

[cache]

[catalog]

[cors]

[credential]

[database]
connection = mysql+pymysql://keystone:keystone.123@controller/keystone

[domain_config]

[endpoint_filter]

[endpoint_policy]

[eventlet_server]

[federation]

[fernet_receipts]

[fernet_tokens]

[healthcheck]

[identity]

[identity_mapping]

[jwt_tokens]

[ldap]

[memcache]

[oauth1]

[oslo_messaging_amqp]

[oslo_messaging_kafka]

[oslo_messaging_notifications]

[oslo_messaging_rabbit]

[oslo_middleware]

[oslo_policy]

[policy]

[profiler]

[receipt]

[resource]

[revoke]

[role]

[saml]

[security_compliance]

[shadow_users]

[token]
provider = fernet

[tokenless_auth]

[totp]

[trust]

[unified_limit]

[wsgi]
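As an added example (not part of the original post), the shell functions below read back the two settings this page adds to the generated keystone.conf, `[database] connection` and `[token] provider`, and also check the file mode: the connection string carries the DB password in clear text, so the file should be readable only by root and the keystone group, never by "other". The function names are mine; `ini_get` works on any file in the stripped one-section-per-block layout shown above.

```shell
# ini_get FILE SECTION KEY: print the value of "KEY = value" inside [SECTION].
# Handles the oslo.config layout produced above ("[section]" headers,
# "key = value" lines, comments already stripped).
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == want); next }
        in_sec {
            k = $0; sub(/[ \t]*=.*$/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }' "$1"
}

# file_mode PATH: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_keystone_conf FILE: verify the settings this page adds and the file mode.
# Returns 0 when everything is as expected, 1 otherwise (reasons on stdout).
# Real use: check_keystone_conf /etc/keystone/keystone.conf
check_keystone_conf() {
    f=$1; rc=0
    conn=$(ini_get "$f" database connection)
    case "$conn" in
        mysql+pymysql://*@*/keystone) ;;
        *) echo "FAIL: [database] connection is '$conn'"; rc=1 ;;
    esac
    prov=$(ini_get "$f" token provider)
    if [ "$prov" != "fernet" ]; then
        echo "FAIL: [token] provider is '$prov', expected fernet"; rc=1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        *[1-7]) echo "FAIL: $f mode $mode is readable by other (DB password inside)"; rc=1 ;;
    esac
    return $rc
}
```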

 

5) Create the tables in the keystone DB

## Check before creating the tables
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} keystone -e "show tables;"

## Create the tables: there is no output on success.
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

## Check after creation
[root@controller ~]# mysql -u${DB_USER} -p${DB_PASSWD} keystone -e "show tables;"
+------------------------------------+
| Tables_in_keystone                 |
+------------------------------------+
| access_rule                        |
| access_token                       |
| application_credential             |
| application_credential_access_rule |
| application_credential_role        |
| assignment                         |
| config_register                    |
| consumer                           |
| credential                         |
| endpoint                           |
| endpoint_group                     |
| federated_user                     |
| federation_protocol                |
| group                              |
| id_mapping                         |
| identity_provider                  |
| idp_remote_ids                     |
| implied_role                       |
| limit                              |
| local_user                         |
| mapping                            |
| migrate_version                    |
| nonlocal_user                      |
| password                           |
| policy                             |
| policy_association                 |
| project                            |
| project_endpoint                   |
| project_endpoint_group             |
| project_option                     |
| project_tag                        |
| region                             |
| registered_limit                   |
| request_token                      |
| revocation_event                   |
| role                               |
| role_option                        |
| sensitive_config                   |
| service                            |
| service_provider                   |
| system_assignment                  |
| token                              |
| trust                              |
| trust_role                         |
| user                               |
| user_group_membership              |
| user_option                        |
| whitelisted_config                 |
+------------------------------------+
[root@controller ~]#

6) Register the fernet keys

### The commands below produce no output.
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
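Added example, not from the original post: `fernet_setup` and `credential_setup` create key repositories (by default `/etc/keystone/fernet-keys` and `/etc/keystone/credential-keys`) owned by the keystone user, and anyone who can read those files can mint tokens that Keystone will accept. The functions below audit such a repository offline: directory mode 700, every key file mode 600, only numeric key names (0 is the staged key, the highest number is the primary key), plus an ownership check. The test data is constructed and the function names are mine.

```shell
# file_mode PATH: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# file_owner PATH: "user:group" of a path.
file_owner() { stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"; }

# check_key_repo DIR: audit a Keystone fernet or credential key repository.
# Prints one FAIL line per problem and "primary key: N" for the highest-numbered
# key. Returns 1 if anything is wrong, 0 otherwise.
# Real use: check_key_repo /etc/keystone/fernet-keys
check_key_repo() {
    dir=$1; rc=0; primary=-1
    dmode=$(file_mode "$dir")
    if [ "$dmode" != "700" ]; then
        echo "FAIL: $dir mode $dmode, expected 700"; rc=1
    fi
    for k in "$dir"/*; do
        if [ ! -e "$k" ]; then echo "FAIL: no keys in $dir"; return 1; fi
        name=${k##*/}
        case "$name" in
            *[!0-9]*) echo "FAIL: unexpected file $name in key repository"; rc=1; continue ;;
        esac
        m=$(file_mode "$k")
        if [ "$m" != "600" ]; then
            echo "FAIL: $k mode $m, expected 600"; rc=1
        fi
        if [ "$name" -gt "$primary" ]; then primary=$name; fi
    done
    echo "primary key: $primary"
    return $rc
}

# check_key_owner DIR USER GROUP: the repository and every key must belong to
# the service account given to --keystone-user/--keystone-group above.
# Real use: check_key_owner /etc/keystone/fernet-keys keystone keystone
check_key_owner() {
    dir=$1; want="$2:$3"; rc=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        o=$(file_owner "$p")
        if [ "$o" != "$want" ]; then echo "FAIL: $p owned by $o, expected $want"; rc=1; fi
    done
    return $rc
}
```

Key rotation (`keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone`) promotes the staged key 0 to a new primary and ages the old ones out, so the "primary key" number reported here grows by one on each rotation.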

7) Bootstrap

[root@controller ~]# keystone-manage bootstrap --bootstrap-password admin.123 \
>   --bootstrap-admin-url http://controller:5000/v3/ \
>   --bootstrap-internal-url http://controller:5000/v3/ \
>   --bootstrap-public-url http://controller:5000/v3/ \
>   --bootstrap-region-id RegionOne

8) Edit the HTTP server config and set up the link

## If httpd.conf already has a "ServerName" field, edit it; otherwise add it.
[root@controller ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf

## Create the symbolic link
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

9) Start the daemon

[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since 금 2019-11-01 11:18:31 KST; 7s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 31218 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─31218 /usr/sbin/httpd -DFOREGROUND
           ├─31219 (wsgi:keystone- -DFOREGROUND
           ├─31220 (wsgi:keystone- -DFOREGROUND
           ├─31221 (wsgi:keystone- -DFOREGROUND
           ├─31222 (wsgi:keystone- -DFOREGROUND
           ├─31223 (wsgi:keystone- -DFOREGROUND
           ├─31224 /usr/sbin/httpd -DFOREGROUND
           ├─31225 /usr/sbin/httpd -DFOREGROUND
           ├─31226 /usr/sbin/httpd -DFOREGROUND
           ├─31227 /usr/sbin/httpd -DFOREGROUND
           └─31228 /usr/sbin/httpd -DFOREGROUND

11월 01 11:18:31 controller systemd[1]: Starting The Apache HTTP Server...
11월 01 11:18:31 controller systemd[1]: Started The Apache HTTP Server.
[root@controller ~]#

 

10) Create the openstack admin environment file

## Add a prompt option to the .bashrc environment file.
[root@controller ~]# vi .bashrc
PS1='[\u@\h \W]\[\033[01;34m\]\[\033[00m\]\$ '

## Create an environment-variable file for using openstack from the CLI.
[root@controller ~]# cat admin-openrc
user_openrc="admin-openrc"
PS1='[\u@\h \W] (${user_openrc}):\[\033[01;34m\]\w\[\033[00m\]\$ '  ## The prompt line can be omitted.

export OS_USERNAME=admin
export OS_PASSWORD=admin.123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

 

11) Check the domain list

[root@controller ~] (admin-openrc):~# openstack domain list
+---------+---------+---------+--------------------+
| ID      | Name    | Enabled | Description        |
+---------+---------+---------+--------------------+
| default | Default | True    | The default domain |
+---------+---------+---------+--------------------+

If there is no domain, or you want to use a different domain, create one with the command below.

Example # openstack domain create --description "An Example Domain" example

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 2f4f80574fd84fe6ba9067228ae0a50c |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+

 

 

12) Create a project

### Load the OpenStack admin environment file.
[root@controller ~]# source admin-openrc

## Create the service project.
[root@controller ~] (admin-openrc):~# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9e7038df87eb40ab9f7c2aa28742fd2c |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

 

13) Create the demo project

: Create a project for non-admin, service-level use.

[root@controller ~] (admin-openrc):~# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 614b89cf18964ae9be9c313c22ec97b0 |
| is_domain   | False                            |
| name        | demo                             |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

14) Create the demo user account.

[root@controller ~] (admin-openrc):~#  openstack user create --domain default --password demo.123 demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 3b41622c813948368da3bc45cf9a620a |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

15) Create a role for the user.

[root@controller ~] (admin-openrc):~# openstack role create demorole
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 38f09d283b7e42a09d2d85d80a832cce |
| name        | demorole                         |
| options     | {}                               |
+-------------+----------------------------------+

## A missing role named "user" can cause problems, so create it in advance. (It is not strictly required.)
[root@controller ~] (admin-openrc):~# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 3ebb2f627b2c4d1ea82740aeadf8f045 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+

16) Assign the roles to the created account.

[root@controller ~] (admin-openrc):~# openstack role add --project demo --user demo demorole

## This can be skipped if the user role was not created.
[root@controller ~] (admin-openrc):~# openstack role add --project demo --user demo user

 

 

Verify the configuration

[root@controller ~] (admin-openrc):~# unset OS_AUTH_URL OS_PASSWORD


[root@controller ~] (admin-openrc):~# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name admin --os-username admin token issue

Password: (enter ADMIN_PW)
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-11-01T03:52:54+0000                                                                                                                                                                |
| id         | gAAAAABdu54GcBgp1M3h56b3G8KQ2B1-UHFuVX3SF7GjkdQusVMun8KhvvyxkyAKNQ9d87yz6CB3iryocfI8XGNNAoQuSh1jmuxPJuLOwLasjWkakrBKUrrfiWzV5XIgcy8WBex_RWJb1FEzf16dNFKna8GfhvcggwdrYGIoB3Mb86ZVMTL4gok |
| project_id | b299ad398d134dbc8e9436215e968e0a                                                                                                                                                        |
| user_id    | 711f898b0a16432e87c07c6f66b510ea                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[root@controller ~] (admin-openrc):~# openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name demo --os-username demo token issue

Password: (enter DEMO_PW)
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-11-01T03:54:28+0000                                                                                                                                                                |
| id         | gAAAAABdu55kuPFlYNun_JpK9zrq-KJU7CZYbMX9kuAZAplh2-EHZzZZfaXT2npIDxvfEDSoA77Wi-xt60Ff2NZ-4Jph2JeiHrKvZtcB28veM21APSzqm255B-K_EgASJrJCFnql1-zUvcEX1I7JTYCgTmMB9wmT1w48SmtKtH92JASV4DGsRUw |
| project_id | 614b89cf18964ae9be9c313c22ec97b0                                                                                                                                                        |
| user_id    | 3b41622c813948368da3bc45cf9a620a                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
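Added example (not part of the original post): the two `openstack token issue` calls above are password authentications against the Keystone v3 API, a `POST /v3/auth/tokens` whose token comes back in the `X-Subject-Token` response header. The functions below build that request body, fetch a token with curl (assumes a reachable Keystone at the auth URL; not run here), and decode the first 9 bytes of a Fernet token: a version byte 0x80 and a big-endian issue timestamp that sit in the clear before the encrypted payload, so the issue time of the admin token printed above can be recovered and compared with its `expires` field. The function names are mine; the token in the block is the admin token from the output above.

```shell
# keystone_auth_body USER PASSWORD PROJECT [DOMAIN]: JSON body for a v3
# password-authenticated, project-scoped token request (values are assumed to
# contain no double quotes; no JSON escaping is done here).
keystone_auth_body() {
    dom=${4:-Default}
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$1" "$dom" "$2" "$3" "$dom"
}

# keystone_token AUTH_URL USER PASSWORD PROJECT: POST the body and print the
# token from the X-Subject-Token header. Needs a reachable Keystone, so it is
# not exercised offline. Example:
#   keystone_token http://controller:5000/v3 admin admin.123 admin
keystone_token() {
    curl -s -D - -o /dev/null -H 'Content-Type: application/json' \
        -d "$(keystone_auth_body "$2" "$3" "$4")" "$1/auth/tokens" \
        | awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2 }'
}

# fernet_issued_at TOKEN: decode the Fernet header (0x80 followed by an 8-byte
# big-endian seconds-since-epoch timestamp) from the first 12 base64url
# characters (9 bytes, so no padding is needed; Keystone strips the "="
# padding) and print the issue time as epoch seconds. Returns 1 if the
# version byte is not 0x80.
fernet_issued_at() {
    head=$(printf '%s' "$1" | cut -c1-12 | tr -- '-_' '+/')
    set -- $(printf '%s' "$head" | base64 -d 2>/dev/null | od -An -tu1)
    [ "$#" -eq 9 ] && [ "$1" -eq 128 ] || return 1
    shift
    ts=0
    for b in "$@"; do ts=$(( ts * 256 + b )); done
    echo "$ts"
}

# token_lifetime_seconds TOKEN EXPIRES: seconds between the decoded issue time
# and the "expires" value printed by "openstack token issue" (needs GNU date).
token_lifetime_seconds() {
    issued=$(fernet_issued_at "$1") || return 1
    exp=$(date -u -d "$2" +%s 2>/dev/null) || return 1
    echo $(( exp - issued ))
}

# Admin token from the verification step above, used as input for the decode.
ADMIN_TOKEN='gAAAAABdu54GcBgp1M3h56b3G8KQ2B1-UHFuVX3SF7GjkdQusVMun8KhvvyxkyAKNQ9d87yz6CB3iryocfI8XGNNAoQuSh1jmuxPJuLOwLasjWkakrBKUrrfiWzV5XIgcy8WBex_RWJb1FEzf16dNFKna8GfhvcggwdrYGIoB3Mb86ZVMTL4gok'
```

For the token above the decoded issue time is 2019-11-01T02:52:54Z, exactly one hour before the `expires` value Keystone printed, which is the default token lifetime. The payload itself (user, project, audit id) is encrypted with the primary key from the fernet key repository, so a token is only as secret as those key files, and the two tokens printed on this page should be treated as credentials like any other.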
