
OpenStack Zed Keystone Deployment

Operating system: Ubuntu Server Mini 22.04
This deployment is implemented with a self-signed SSL certificate and an Nginx reverse proxy.
I: Configure NTP

1) Use the systemd-timesyncd service that ships with the system

root@srv1:~# vim /etc/systemd/timesyncd.conf
...... ...... ...... ...... ...... ......

[Time]
# Uncomment line 16 and change it as follows
NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org
#FallbackNTP=ntp.ubuntu.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048

root@srv1:~# systemctl restart systemd-timesyncd

root@srv1:~# systemctl status systemd-timesyncd.service | grep Status:
     Status: "Initial synchronization to time server 162.159.200.1:123 (0.cn.pool.ntp.org)."
II: Install MariaDB

root@srv1:~# apt install mariadb-server -y

root@srv1:~# vim /etc/mysql/mariadb.conf.d/50-server.cnf
...... ...... ...... ...... ...... ......

# Edit line 27: set the listen address (0.0.0.0 listens on every interface)
bind-address = 0.0.0.0

...... ...... ...... ...... ...... ......

# Edit line 40: the default value is too low for an OpenStack environment; change it to 500
max_connections = 500
...... ...... ...... ...... ...... ......

# Edit lines 90-91: make sure the default character set is the 4-byte UTF-8 encoding, utf8mb4
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci

...... ...... ...... ...... ...... ......

root@srv1:~# systemctl restart mariadb

root@srv1:~# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):    # press Enter
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n]    # press Enter
Enabled successfully!
Reloading privilege tables..
 ... Success!

You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]    # press Enter
New password:     # enter the new database administrator password; this guide uses "password"
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]    # press Enter
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]    # press Enter
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]    # press Enter
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]    # press Enter
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
III: Install and configure Memcached and RabbitMQ

1) Install RabbitMQ and Memcached

root@srv1:~# apt install rabbitmq-server memcached python3-pymysql nginx libnginx-mod-stream -y

2) Configure Memcached

root@srv1:~# vim /etc/memcached.conf
...... ...... ...... ...... ......

# Edit line 35: change the listen address to this host's IP
-l 192.168.1.11

...... ...... ...... ...... ......

3) Configure RabbitMQ

root@srv1:~# rabbitmqctl add_user openstack password
Adding user "openstack" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See "rabbitmqctl help set_permissions" to learn more.

root@srv1:~# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...

4) Disable the default Nginx site

root@srv1:~# ls -l /etc/nginx/sites-enabled/default
lrwxrwxrwx 1 root root 34 Oct 24 15:49 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default

root@srv1:~# unlink /etc/nginx/sites-enabled/default

5) Start the Memcached and RabbitMQ services

root@srv1:~# systemctl restart mariadb rabbitmq-server memcached nginx
IV: Set up the OpenStack Zed repository

1) Add the Zed repository

root@srv1:~# apt install software-properties-common -y
root@srv1:~# add-apt-repository cloud-archive:zed
Repository: "deb http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-updates/zed main"
Description:
                        Ubuntu Cloud Archive for OpenStack Zed
More info: https://wiki.ubuntu.com/OpenStack/CloudArchive
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.    # press Enter
Adding deb entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
...... ...... ...... ...... ...... ......
Reading package lists... Done

2) Update the system

root@srv1:~# apt update
root@srv1:~# apt upgrade -y
V: Create the Keystone database

root@srv1:~# mysql -u root -p
Enter password:  # enter the database administrator password
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.6.7-MariaDB-2ubuntu1.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@"localhost" identified by "password";
Query OK, 0 rows affected (0.010 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@"%" identified by "password";
Query OK, 0 rows affected (0.038 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye
root@srv1:~#
VI: Install Keystone

root@srv1:~# apt install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client -y
VII: Configure Keystone

1) Configure Keystone

root@srv1:~# vim /etc/keystone/keystone.conf
...... ...... ...... ...... ...... ......

# Uncomment line 443 and point it at the Memcached server
memcache_servers = srv1.1000y.cloud:11211

...... ...... ...... ...... ...... ......

[database]
# At line 661, add the database connection information
connection = mysql+pymysql://keystone:password@srv1.1000y.cloud/keystone

...... ...... ...... ...... ...... ......

[token]

...... ...... ...... ...... ...... ......
# Uncomment line 2639
provider = fernet

...... ...... ...... ...... ...... ......

2) Sync the database

root@srv1:~# su -s /bin/bash keystone -c "keystone-manage db_sync"

root@srv1:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
root@srv1:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

root@srv1:~# keystone-manage bootstrap --bootstrap-password adminpassword \
 --bootstrap-admin-url https://srv1.1000y.cloud:5000/v3/ \
 --bootstrap-internal-url https://srv1.1000y.cloud:5000/v3/ \
 --bootstrap-public-url https://srv1.1000y.cloud:5000/v3/ \
 --bootstrap-region-id RegionOne
VIII: Set up SSL and generate certificates

1) Generate the SSL certificates

(1) Generate the CA certificate and register it

root@srv1:~# cd /etc/ssl/private/
root@srv1:/etc/ssl/private# openssl genrsa -des3 -out cakey.pem 2048
Enter PEM pass phrase:     # set a passphrase
Verifying - Enter PEM pass phrase

root@srv1:/etc/ssl/private# openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for yoga.key:     # enter the passphrase
writing RSA key

root@srv1:/etc/ssl/private# openssl req -new -x509 -days 365 -key cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:     # press Enter

root@srv1:/etc/ssl/private# cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt

(2) Create the key/crt files the service needs

root@srv1:/etc/ssl/private# openssl genrsa -des3 -out zed.key 2048
Enter PEM pass phrase:     # set a passphrase
Verifying - Enter PEM pass phrase

root@srv1:/etc/ssl/private# openssl rsa -in zed.key -out zed.key
Enter pass phrase for yoga.key:     # enter the passphrase
writing RSA key

root@srv1:/etc/ssl/private# openssl req -utf8 -new -key zed.key -out zed.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:     # press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     # press Enter
An optional company name []:     # press Enter

root@srv1:~# vim /etc/ssl/openssl.cnf
...... ...... ...... ...... ...... ......

# Append the following to the end of the file
[ 1000y.cloud ]
subjectAltName = DNS:srv1.1000y.cloud, IP:192.168.1.11

root@srv1:private(keystone)# openssl x509 -req -days 365 -in zed.csr -CA ./cacert.pem -CAkey cakey.pem -out zed.crt -extfile /etc/ssl/openssl.cnf -extensions 1000y.cloud
Certificate request self-signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = 1000y.cloud, OU = tech, CN = srv1.1000y.cloud

root@srv1:/etc/ssl/private# ls -l
total 24
-rw-r--r-- 1 root root     1367 Oct 24 16:12 cacert.pem
-rw------- 1 root root     1708 Oct 24 16:12 cakey.pem
-rw-r----- 1 root ssl-cert 1704 Oct 24 16:05 ssl-cert-snakeoil.key
-rw-r--r-- 1 root root     1391 Oct 24 16:18 zed.crt
-rw-r--r-- 1 root root     1017 Oct 24 16:17 zed.csr
-rw------- 1 root root     1704 Oct 24 16:17 zed.key

root@srv1:/etc/ssl/private# cd
IX: Configure Apache

root@srv1:~# apt install apache2 -y

root@srv1:~# vim /etc/apache2/apache2.conf
...... ...... ...... ...... ...... ......
#ServerRoot "/etc/apache2"
# At line 70, add the following
ServerName srv1.1000y.cloud

...... ...... ...... ...... ...... ......

root@srv1:~# vim /etc/apache2/sites-available/keystone.conf
Listen 5000

<VirtualHost *:5000>
    # At lines 4-7, add the following
    SSLEngine On
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/ssl/private/zed.crt
    SSLCertificateKeyFile /etc/ssl/private/zed.key
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
...... ...... ...... ...... ...... ......

root@srv1:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

root@srv1:~# systemctl restart apache2
X: Configure the environment script and create a project

1) Set up the environment

root@srv1:~# vim ~/keystonerc
# Add the following to the new file
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=adminpassword
export OS_AUTH_URL=https://srv1.1000y.cloud:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h:\W(keystone)\$ '
# A custom certificate requires the --insecure option, so an alias is added.
alias openstack="openstack --insecure"

root@srv1:~# chmod 600 ~/keystonerc
root@srv1:~# source ~/keystonerc
root@srv1:~(keystone)# echo "source ~/keystonerc " >> ~/.bashrc

2) Create the project and verify

root@srv1:~(keystone)# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4fabd4d8316c40a398d6496c0a733caf |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

root@srv1:~(keystone)# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 4fabd4d8316c40a398d6496c0a733caf | service |
| 994a4a3e0fbc4f5891f38470e158e6b4 | admin   |
+----------------------------------+---------+
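
The certificate step and the keystonerc step fit together: once the server certificate chains to the CA and names the host, a client can verify it instead of skipping verification with --insecure. The script below is an added example, not part of the original guide; it rebuilds the same CA and server certificate non-interactively in a temporary directory and checks chain and hostname with `openssl verify`. The CA subject `Example Lab CA`, the files `pki.cnf` and `san.ext`, and both function names are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide). File names follow the guide's
# certificate step; "Example Lab CA", pki.cnf and san.ext are constructed here.

make_pki() {    # $1 = work dir, $2 = server FQDN, $3 = server IP
    local d=$1 host=$2 ip=$3
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # CA certificate; its subject differs from the server's so the server
    # certificate cannot be mistaken for a self-signed one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/pki.cnf" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
    # Server key and CSR, the non-interactive form of the guide's prompts.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/C=CN/O=1000y.cloud/CN=$host" \
        -keyout "$d/zed.key" -out "$d/zed.csr" 2>/dev/null || return 1
    # SAN extension in its own file instead of editing /etc/ssl/openssl.cnf.
    printf 'subjectAltName = DNS:%s, IP:%s\n' "$host" "$ip" > "$d/san.ext"
    openssl x509 -req -days 365 -in "$d/zed.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -extfile "$d/san.ext" \
        -out "$d/zed.crt" 2>/dev/null || return 1
    chmod 600 "$d/cakey.pem" "$d/zed.key"
}

# Succeeds only if the certificate chains to the CA and names the given host.
verify_server_cert() {    # $1 = CA file, $2 = server cert, $3 = hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
if make_pki "$work" srv1.1000y.cloud 192.168.1.11 &&
   verify_server_cert "$work/cacert.pem" "$work/zed.crt" srv1.1000y.cloud; then
    echo "zed.crt verifies against cacert.pem for srv1.1000y.cloud"
fi
```

When the check passes for the deployed certificate, exporting `OS_CACERT` with the path to cacert.pem in keystonerc lets the openstack client verify the endpoint, so the `--insecure` alias is not needed.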