OpenStack Ussuri : Keystone
-----------------------
| [ Controller Node ] |
|                     |
| MariaDB    RabbitMQ |
| Memcached  Keystone |
| httpd               |
-----------------------
- Keystone provides the identity (authentication) service in OpenStack.
- For a detailed description of Keystone, see Keystone.
Create the Keystone user and database.
$ controller> mysql -u root -p
$ MariaDB> create database keystone;
$ MariaDB> grant all privileges on keystone.* to keystone@'localhost' identified by 'qwer1234';
$ MariaDB> grant all privileges on keystone.* to keystone@'%' identified by 'qwer1234';
$ MariaDB> flush privileges;
$ MariaDB> exit;
Install Keystone.
$ controller> dnf --enablerepo=centos-openstack-ussuri,epel,powertools -y install openstack-keystone python3-openstackclient httpd mod_ssl python3-mod_wsgi python3-oauth2client
# Install keystone and its related modules.
$ controller> vi /etc/keystone/keystone.conf
[cache]
memcache_servers = controller:11211
[database]
connection = mysql+pymysql://keystone:qwer1234@controller/keystone
[token]
provider = fernet
$ controller> su -s /bin/bash keystone -c "keystone-manage db_sync"
$ controller> keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
$ controller> keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Populate the Keystone database.
$ controller> keystone-manage bootstrap --bootstrap-password qwer1234 \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
$ controller> setsebool -P httpd_use_openstack on
$ controller> setsebool -P httpd_can_network_connect on
$ controller> setsebool -P httpd_can_network_connect_db on
$ controller> vi keystone-httpd.te
module keystone-httpd 1.0;

require {
        type httpd_t;
        type keystone_log_t;
        class file create;
        class dir { add_name write };
}

#============= httpd_t ==============
allow httpd_t keystone_log_t:dir { add_name write };
allow httpd_t keystone_log_t:file create;
$ controller> checkmodule -m -M -o keystone-httpd.mod keystone-httpd.te
$ controller> semodule_package --outfile keystone-httpd.pp --module keystone-httpd.mod
$ controller> semodule -i keystone-httpd.pp
$ controller> firewall-cmd --add-port=5000/tcp --permanent
$ controller> firewall-cmd --reload
# Configure the firewall and SELinux.
$ controller> vi /etc/httpd/conf/httpd.conf
ServerName controller:80
# Add this at line 99.
$ controller> ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
$ controller> systemctl enable --now httpd
# Enable and start the httpd service.
Create the Keystone Project
$ controller> vi ~/admin_key
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=qwer1234
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W~(keystone)]\$ '
$ controller> chmod 600 ~/admin_key
$ controller> source ~/admin_key
$ controller> echo "source ~/admin_key " >> ~/.bash_profile
# Create the keystone credentials file, then register it so that it is loaded at login.
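Added example (not part of the original guide): a POSIX shell check for the credential file created above. It flags permissions looser than 600, an OS_AUTH_URL that is not HTTPS, and a short OS_PASSWORD; the function names and the 16-character minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an OpenStack credential file such as ~/admin_key.
# MIN_PW_LEN is an assumed policy value, not something the guide specifies.
MIN_PW_LEN=${MIN_PW_LEN:-16}

# Print the unquoted value of "export NAME=value" from file $1, variable $2.
rc_value() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | tail -n 1 |
        sed -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Print one finding per line; return the number of findings (0 = clean).
audit_openrc() {
    f=$1
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    # Any group/other permission bit exposes OS_PASSWORD to other local users.
    case $mode in
        *00) ;;
        *) echo "PERMS: $f is mode $mode, expected 600"
           findings=$((findings + 1)) ;;
    esac
    url=$(rc_value "$f" OS_AUTH_URL)
    case $url in
        https://*) ;;
        *) echo "CLEARTEXT: OS_AUTH_URL=$url sends the password without TLS"
           findings=$((findings + 1)) ;;
    esac
    pw=$(rc_value "$f" OS_PASSWORD)
    if [ "${#pw}" -lt "$MIN_PW_LEN" ]; then
        echo "WEAK: OS_PASSWORD is ${#pw} characters, policy minimum is $MIN_PW_LEN"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit_openrc.sh ~/admin_key
if [ "$#" -gt 0 ]; then
    audit_openrc "$1"
fi
```

Run against the file exactly as written in this guide, it reports the http:// endpoint and the 8-character password; the chmod 600 step clears the permissions finding.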
$ controller ~(keystone)> openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 7c10c02365be496fb47f12bfd40fe4a7 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
$ controller ~(keystone)> openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 7c10c02365be496fb47f12bfd40fe4a7 | service |
| c76211c24a1f460ca67274d655d46725 | admin   |
+----------------------------------+---------+