OpenStack (Kilo) Installation Series: Keystone (Part 3)

2015-12-17 13:08
Installation and configuration

Before you configure the OpenStack Identity service, you must create a database and an administration token.

I. Create the keystone database and grant privileges

1. Log in to the database

mysql -u root -p


2. Create the database and grant privileges

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';


Replace KEYSTONE_DBPASS with a suitable password.

II. Create the administration token

openssl rand -hex 10


Record the token value.

III. Install and configure keystone

1. Install keystone

yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached


2. Start the Memcached service and configure it to start when the system boots

systemctl enable memcached.service
systemctl start memcached.service


3. Edit the /etc/keystone/keystone.conf file and complete the following actions:

a. In the [DEFAULT] section, define the value of the initial administration token:

[DEFAULT]
...
admin_token = ADMIN_TOKEN


Replace ADMIN_TOKEN with the random value that you generated in a previous step.

b. In the [database] section, configure database access:

[database]
...
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone


Replace KEYSTONE_DBPASS with the password you chose for the database.

c. In the [memcache] section, configure the Memcache service:

[memcache]
...
servers = localhost:11211


d. In the [token] section, configure the UUID token provider and Memcached driver:

[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token


e. In the [revoke] section, configure the SQL revocation driver:

[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke


f. (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:

[DEFAULT]
...
verbose = True


4. Populate the Identity service database:

su -s /bin/sh -c "keystone-manage db_sync" keystone
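
The keystone.conf edited in step 3 now holds the administration token and the database password, so it is worth checking that no placeholder from the snippets above was left in and that the file is not open to other users. The script below is an added example, not part of the original guide or of keystone; the function names and messages are hypothetical, and it assumes GNU stat as found on the yum-based system used here.

```shell
#!/bin/bash
# Added example (not from the guide): checks a keystone.conf produced by the
# steps above. Function names and messages are hypothetical.

# Print the value of KEY in [SECTION] of INI file FILE (last assignment wins).
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0 }
        END { print val }' "$1"
}

# Print one line per finding; the exit status is the number of findings.
check_keystone_conf() {
    conf=$1; problems=0
    token=$(ini_get "$conf" DEFAULT admin_token)
    conn=$(ini_get "$conf" database connection)
    if [ -z "$token" ] || [ "$token" = "ADMIN_TOKEN" ]; then
        echo "admin_token is unset or still the ADMIN_TOKEN placeholder"
        problems=$((problems + 1))
    # openssl rand -hex 10 prints 20 lowercase hex characters (80 random bits)
    elif ! printf '%s' "$token" | grep -Eq '^[0-9a-f]{20,}$'; then
        echo "admin_token is not 20 or more lowercase hex characters"
        problems=$((problems + 1))
    fi
    case "$conn" in
        ""|*KEYSTONE_DBPASS*)
            echo "connection is unset or still contains KEYSTONE_DBPASS"
            problems=$((problems + 1)) ;;
    esac
    # The file holds the token and the DB password: no access for "other".
    case "$(stat -c '%a' "$conf")" in
        *[1-7])
            echo "$conf is accessible to users outside its owner and group"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample: the guide's snippets with the placeholders left in.
sample=$(mktemp)
printf '%s\n' '[DEFAULT]' 'admin_token = ADMIN_TOKEN' '[database]' \
    'connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone' > "$sample"
chmod 644 "$sample"
check_keystone_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real node, run check_keystone_conf /etc/keystone/keystone.conf as root after editing the file.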


IV. Configure the Apache HTTP server

1. Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:

ServerName controller


2. Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>


3. Create the directory structure for the WSGI components:

mkdir -p /var/www/cgi-bin/keystone


4. Copy the WSGI components from the upstream repository into this directory:

curl "http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo" | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin


5. Adjust ownership and permissions on this directory and the files in it:

chown -R keystone:keystone /var/www/cgi-bin/keystone
chmod 755 /var/www/cgi-bin/keystone/*


6. Start the Apache service and configure it to start when the system boots

systemctl enable httpd.service
systemctl start httpd.service

