OpenStack service package install
Code names: each service package in OpenStack is referred to by its own code name.
- keystone
- glance
- nova
- neutron
Common environment variables
controller_name="controller"
DB_PW="maria.123"
KEYSTONE_PW="keystone.123"
GLANCE_PW="glance.123"
RABBIT_PW="rabbit.123"
NOVA_PW="nova.123"
PLACEMENT_PW="placement.123"
NEUTRON_PW="neutron.123"
Keystone install (controller node)
1. Create the Keystone database
root@rocky-osc:~# mysql -uroot -pmaria.123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.1.38-MariaDB-0ubuntu0.18.04.1 Ubuntu 18.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
Or
root@rocky-osc:~# mysql -uroot -pmaria.123 -e "CREATE DATABASE keystone;"
1-1. Verify that the database was created
root@rocky-osc:~# mysql -uroot -pmaria.123 -e "show databases;"
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
1-2. Set privileges on the keystone DB
# mysql -uroot -pmaria.123 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone.123';"
# mysql -uroot -pmaria.123 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone.123';"
1-3. Verify the Keystone DB user and its privileges
root@rocky-osc:~# mysql -uroot -pmaria.123 mysql -e "select Host,User,Password from user;"
+-----------+----------+-------------------------------------------+
| Host | User | Password |
+-----------+----------+-------------------------------------------+
| localhost | root | *2118F2178FC9734F653E16A2F482090C411DB053 |
| localhost | keystone | *2431959D1DBB9DEF2BB0E90F0C08387220989A5F |
| % | keystone | *2431959D1DBB9DEF2BB0E90F0C08387220989A5F |
+-----------+----------+-------------------------------------------+
root@rocky-osc:~# mysql -uroot -pmaria.123 mysql -e "SHOW GRANTS FOR keystone;"
+---------------------------------------------------------------------------------------------------------+
| Grants for keystone@% |
+---------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'keystone'@'%' IDENTIFIED BY PASSWORD '*2431959D1DBB9DEF2BB0E90F0C08387220989A5F' |
| GRANT ALL PRIVILEGES ON `keystone`.* TO 'keystone'@'%' |
+---------------------------------------------------------------------------------------------------------+
2. Keystone Install
2-1. PKG install
root@rocky-osc:~# apt install keystone apache2 libapache2-mod-wsgi -y
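2-2. Back up the original Keystone config
* I back up the original config file before making any config changes.
root@rocky-osc:~# mv /etc/keystone/keystone.conf /etc/keystone/keystone.conf.orig ## back up the original file
2-3. Edit the config
** Only the required settings are written and the commented-out lines are left out; to see the commented-out lines, check the backed-up original file.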
root@rocky-osc:~# echo "[DEFAULT]
log_dir = /var/log/keystone
[application_credential]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[credential]
[database]
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql+pymysql://keystone:${KEYSTONE_PW}@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[extra_headers]
Distribution = Ubuntu
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
" > /etc/keystone/keystone.conf
2-4. Set the same permissions as the original file
root@rocky-osc:~# chown keystone:keystone /etc/keystone/keystone.conf
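The step above changes only the owner of the rewritten keystone.conf, so its mode is whatever the shell's umask produced, and the file now holds the database password. The check below is an added example, not part of the original post; audit_keystone_conf, audit_sample and the sample config are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample: the security-relevant lines of the file written in step 2-3.
SAMPLE_CONF = """[DEFAULT]
log_dir = /var/log/keystone
[database]
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql+pymysql://keystone:keystone.123@controller/keystone
[fernet_tokens]
"""


def audit_keystone_conf(path):
    """Return findings for a keystone.conf (hypothetical helper, not a Keystone API)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(path)
    url = urlsplit(cfg.get("database", "connection", fallback=""))
    # The connection URL carries the DB password, so the file mode is what protects it.
    if url.password and mode & stat.S_IROTH:
        findings.append(f"mode {mode:04o} lets any local user read the DB password "
                        f"for {url.username}@{url.hostname}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:04o} lets group or others rewrite the config")
    # Passwords built from the account name (keystone / keystone.123) are easy to guess.
    if url.password and url.username and url.username.lower() in url.password.lower():
        findings.append("DB password contains the account name")
    return findings


def audit_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
    try:
        os.chmod(fh.name, mode)
        return audit_keystone_conf(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for m in (0o644, 0o640):
        print(f"{m:04o}:", audit_sample(m) or "no findings")
```

On the controller, call audit_keystone_conf("/etc/keystone/keystone.conf") after step 2-4 and compare the mode with that of keystone.conf.orig.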
3. Create the Keystone DB tables
3-1. Check before creating the tables
root@rocky-osc:~# mysql -uroot -pmaria.123 keystone -e " show tables;"
3-2. Populate the Keystone DB (the command prints no output)
root@rocky-osc:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
3-3. Check after populating the Keystone DB
root@rocky-osc:~# mysql -uroot -pmaria.123 keystone -e " show tables;"
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
4. Initialize the Fernet key repositories (no output)
root@rocky-osc:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
root@rocky-osc:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5. Bootstrap setup
root@rocky-osc:~# keystone-manage bootstrap --bootstrap-password admin.123 \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
** Verify the setup (it can be confirmed from the keystone log)
root@rocky-osc:~# cat /var/log/keystone/keystone-manage.log | grep -i bootstrap
2019-03-06 15:00:45.724 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created domain default
2019-03-06 15:00:45.758 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created project admin
2019-03-06 15:00:46.036 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created user admin
2019-03-06 15:00:46.044 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created role reader
2019-03-06 15:00:46.068 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created role member
2019-03-06 15:00:46.076 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created implied role where b8dfdf87cd644a7cb1cf4fbd3da24f23 implies 5a5b0e554b4348dc8609566bfa20e709
2019-03-06 15:00:46.087 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created role admin
2019-03-06 15:00:46.101 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created implied role where a75064c683744c6eb3854a64872ffed1 implies b8dfdf87cd644a7cb1cf4fbd3da24f23
2019-03-06 15:00:46.113 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Granted admin on admin to user admin.
2019-03-06 15:00:46.120 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Granted admin on the system to user admin.
2019-03-06 15:00:46.130 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created region RegionOne
2019-03-06 15:00:46.146 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created admin endpoint http://controller:5000/v3/
2019-03-06 15:00:46.162 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created internal endpoint http://controller:5000/v3/
2019-03-06 15:00:46.171 15123 INFO keystone.cmd.bootstrap [req-aef1675f-9b30-4d8a-8daf-a2776e6902d4 - - - - -] Created public endpoint http://controller:5000/v3/
6. Configure the Apache HTTP server
6-1. Add "ServerName" to the Apache config
root@rocky-osc:~# echo "ServerName controller" >> /etc/apache2/apache2.conf
6-2. Restart Apache
root@rocky-osc:~# service apache2 restart
7. Set the admin environment variables
** The export commands can also be run directly without creating a file like the one below, but the file is created for convenience.
root@rocky-osc:~# echo "export OS_USERNAME=admin
export OS_PASSWORD=admin.123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3" >> /root/admin_openrc
- Load the admin environment variables
: If the environment variables are not loaded, the domain, project, user and role below cannot be created.
# source /root/admin_openrc
8. Create the OpenStack domain, project, users and role
: A domain named default already exists by default. If it does not exist, create it.
- Verify that the domain exists
root@rocky-osc:~# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
- Create a domain (example)
root@rocky-osc:~# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2f4f80574fd84fe6ba9067228ae0a50c |
| name | example |
| tags | [] |
+-------------+----------------------------------+
- Create the service project
root@rocky-osc:~# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 11846503368f4cc38769b7d5624a76f3 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
- Create the demo project
root@rocky-osc:~# openstack project create --domain default --description "Demo Project" demoproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 4f24634981e84ac7a95608f65fac6f84 |
| is_domain | False |
| name | demoproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
- Create the user
root@rocky-osc:~# openstack user create --domain default --password demo.123 demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 53278006f8e0434995b8647e4f500253 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- Create the user role
root@rocky-osc:~# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | fb66311305604380a535f78a4c6f52a4 |
| name | myrole |
+-----------+----------------------------------+
- Assign the user role (no output)
root@rocky-osc:~# openstack role add --project myproject --user myuser user
** Note: if you create a role with a different name instead of the user role, keep this in mind when editing "/etc/openstack-dashboard/local_settings.py" during dashboard setup.
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "user" <== when editing this field, enter the name of the role you created.
- Verify the Keystone setup
Unset the environment variables
root@rocky-osc:~# unset OS_AUTH_URL OS_PASSWORD
Verify the admin account
root@rocky-osc:~# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default \
--os-user-domain-name Default \
--os-project-name admin \
--os-username admin \
--os-password admin.123 \
token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-03-06T07:36:25+0000 |
| id | gAAAAABcf2ppjA2jJlYewahlgWh76o-i1GxRQakG1AcwwBsVy1b5F4JLvFu2odm6F61f5DHHBYAveYulyZJC3BC91QW3XXkHa8x-kEuroX-p5YsNtpw0SXgU2HTlognykGy1957ZKi2MTWMuBcUv1YPVaArwQ4Wp7q7EjN5QExpIYwhOLXgX6TI |
| project_id | 321aff2a498a495283c761d264a41ba5 |
| user_id | 72b430e18f674c7b9e7ddfa666c8333c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Verify the myuser account
root@rocky-osc:~# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default \
--os-user-domain-name Default \
--os-project-name myproject \
--os-username myuser \
--os-password my.123 \
token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-03-06T07:40:06+0000 |
| id | gAAAAABcf2tGYndf4xDq9e-U-QmfQKUnI0KQpCWdOypQPELpLgpMoUlN9FfxoLIfO4XG75k0gDiYA2rfcJu3D5zGeNvbkTtS5W_uoPO8iDem_ORX27ToX3hOhGuNkl6MfHnXkNRcIeen9y6vfIZDdEz8MRH1BK_4LIYJ0ARprTDHk2LwIdIWqqA |
| project_id | 4f24634981e84ac7a95608f65fac6f84 |
| user_id | 53278006f8e0434995b8647e4f500253 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
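The id values printed by "token issue" above are Fernet tokens, sealed with the keys that step 4 (fernet_setup) created. As an added example (not part of the original post), this parser splits the admin token from that output into its Fernet fields without any key; the function names are illustrative, and the one-hour result assumes Keystone's default token expiration.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The admin token and its "expires" value as printed on this page (expired in 2019).
ADMIN_TOKEN = (
    "gAAAAABcf2ppjA2jJlYewahlgWh76o-i1GxRQakG1AcwwBsVy1b5F4JLvFu2"
    "odm6F61f5DHHBYAveYulyZJC3BC91QW3XXkHa8x-kEuroX-p5YsNtpw0SXgU"
    "2HTlognykGy1957ZKi2MTWMuBcUv1YPVaArwQ4Wp7q7EjN5QExpIYwhOLXgX6TI"
)
ADMIN_EXPIRES = "2019-03-06T07:36:25+0000"


def parse_fernet(token):
    """Split a Fernet token into its fields; no key is needed for this."""
    # Keystone strips the trailing '=' padding, so restore it before decoding.
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    # version(1) + timestamp(8) + IV(16) + at least one AES block(16) + HMAC(32)
    if len(raw) < 1 + 8 + 16 + 16 + 32 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    (issued,) = struct.unpack(">Q", raw[1:9])
    return {
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),  # cleartext
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],  # AES-128-CBC; unreadable without the key repository
        "hmac": raw[-32:],          # HMAC-SHA256 over every byte before it
    }


def token_lifetime(token, expires):
    """Lifetime implied by the token's own timestamp and the 'expires' column."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return exp - parse_fernet(token)["issued_at"]


if __name__ == "__main__":
    fields = parse_fernet(ADMIN_TOKEN)
    print("issued at :", fields["issued_at"].isoformat())
    print("ciphertext:", len(fields["ciphertext"]), "bytes")
    print("lifetime  :", token_lifetime(ADMIN_TOKEN, ADMIN_EXPIRES))
```

The issue time is readable by anyone who sees the token, while the payload and its integrity depend on the key repository staying private. A token is a bearer credential until its expiry, so treat "token issue" output like a password.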
Create the myuser environment variable file
echo "export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=my.123
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2" >> /root/myuser-openrc