Installing OpenStack on Ubuntu 13.10 ~Keystone edition~
This week I unexpectedly ended up with a four-day weekend, so I figured I'd get
OpenStack installed before heading off snowboarding.
First, an insanely cool half-broken acoustic guitar, played and sung with a single string.
Something like that..
The environment is Ubuntu 13.10.
First, install the packages, referring to this:
apt-get install python-mysqldb mysql-server \
  rabbitmq-server \
  keystone python-keystone python-keystoneclient \
  glance \
  nova-novncproxy novnc nova-api nova-ajax-console-proxy \
  nova-cert nova-conductor nova-consoleauth nova-doc nova-scheduler python-novaclient \
  memcached libapache2-mod-wsgi openstack-dashboard \
  cinder-api cinder-scheduler \
  swift openssh-server rsync memcached python-netifaces python-xattr python-memcache \
  neutron-plugin-openvswitch openvswitch-switch
Next, set up the database.
root@openstack:~# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

root@openstack:~# service mysql restart
mysql stop/waiting
mysql start/running, process 11466
Before creating the database and user for Keystone,
what is Keystone?
It is the service in charge of authentication for OpenStack. Each service, Nova and so on,
used to carry its own authentication; Keystone pulls that out into one separate service.
(From the Open Source Conference materials.)
root@openstack:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.5.35-0ubuntu0.13.10.2 (Ubuntu)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    -> IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    -> IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye
One thing to keep in mind: the second GRANT, to 'keystone'@'%', lets the keystone account log in from any host. Keystone is configured below to connect over localhost, so on a single-node install the 'localhost' grant on its own is enough; the '%' grant only matters once Keystone runs on a different machine from MySQL.
Keystone configuration
Creating the tables and editing the config file.
Generate the admin (bootstrap) token.
root@openstack:~# openssl rand -hex 10
099aa8b08ff72ee3a431
Edit the config file (work out the edited lines from the diff output: the left column is the edited file, the right column is the packaged original saved as keystone.conf_def; diff -y has cut the MySQL URL off at the column width, the database name is keystone as created above).
root@openstack:~# diff -y --suppress-common-lines /etc/keystone/keystone.conf /etc/keystone/keystone.conf_def
admin_token = 099aa8b08ff72ee3a431                            | # admin_token = ADMIN
admin_token = 099aa8b08ff72ee3a431                            | # admin_token = ADMIN
connection = mysql://keystone:KEYSTONE_DBPASS@localhost/keyst | connection = sqlite:////var/lib/keystone/keystone.db
Restart the service.
root@openstack:~# service keystone restart
keystone stop/waiting
keystone start/running, process 11868
Create the tables.
root@openstack:~# keystone-manage db_sync
Set up the user, tenants and role.
A tenant is the unit of management for virtual networks and virtual machines (later Keystone versions call it a project). When you offer IaaS,
you split things up per tenant: company A gets tenant A, company B gets tenant B,
and so on.
export OS_SERVICE_TOKEN=099aa8b08ff72ee3a431
export OS_SERVICE_ENDPOINT=http://openstack.localhost:35357/v2.0
root@openstack:~# keystone tenant-create --name=admin --description="Admin Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | 0a0c8aa731da4b238bbc3b5128f35ce8 |
|     name    |              admin               |
+-------------+----------------------------------+
root@openstack:~# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | 71f83e15dd70496486558f90be378138 |
|     name    |             service              |
+-------------+----------------------------------+
Set the admin user's password and email address.
root@openstack:~# keystone user-create --name=admin --pass=ADMIN_PASS --email=admin@openstack.localhost
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |    admin@openstack.localhost     |
| enabled  |               True               |
|    id    | b320b6a4aa444bcaaf30a9b76afbfdd4 |
|   name   |              admin               |
+----------+----------------------------------+
Create the admin role and add the admin user to it.
root@openstack:~# keystone role-create --name=admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 3c2a249d0be44d36bf1b3c3fde6c8b51 |
|   name   |              admin               |
+----------+----------------------------------+
root@openstack:~# keystone user-role-add --user=admin --tenant=admin --role=admin
Next, create the Keystone service and its API endpoint.
The API endpoint is the set of URLs used to reach the Keystone service: publicurl and internalurl on port 5000 are what users and the other services authenticate against, and adminurl on port 35357 is the admin API used for managing users, tenants and endpoints.
root@openstack:~# keystone service-create --name=keystone --type=identity \
> --description="Keystone Identity Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |    Keystone Identity Service     |
|      id     | f24e7d4c10554feca265ab70acf933d1 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
Create the endpoint using the id that came back.
root@openstack:~# keystone endpoint-create \
> --service-id=f24e7d4c10554feca265ab70acf933d1 \
> --publicurl=http://openstack.local:5000/v2.0 \
> --internalurl=http://openstack.local:5000/v2.0 \
> --adminurl=http://openstack.local:35357/v2.0
+-------------+-----------------------------------+
|   Property  |               Value               |
+-------------+-----------------------------------+
|   adminurl  | http://openstack.local:35357/v2.0 |
|      id     |  d603271e95684e2b872cf5e8ec4e947f |
| internalurl |  http://openstack.local:5000/v2.0 |
|  publicurl  |  http://openstack.local:5000/v2.0 |
|    region   |             regionOne             |
|  service_id |  f24e7d4c10554feca265ab70acf933d1 |
+-------------+-----------------------------------+
Finally, actually request a token; if a value comes back, the setup is done!
The two requests are not the same: the first, with no tenant, returns an unscoped token, while the second, with --os-tenant-name=admin, returns a token scoped to the admin tenant, and only the scoped one carries the service catalog. Unset OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT before running them; while both are set, the keystone client authenticates with the service token and the password is never actually checked.
keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-auth-url=http://openstack.local:35357/v2.0 token-get
keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-tenant-name=admin --os-auth-url=http://openstack.local:35357/v2.0 token-get
Apparently, if you create a file like this, the commands become easier to type.
root@openstack:~# cat ~/keystonerc
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://openstack.local:35357/v2.0
How to use it:
source ~/keystonerc
keystone token-get
keystone user-list
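Two things bite with that rc file: it holds the admin password in clear text, so it must not be readable by other users, and the shell used for bootstrapping still carries OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT, which the keystone client uses in preference to the username and password when both are set. The loader below is an added example, not code from the original post, that refuses a world-readable rc file, clears the service-token variables, sources the file and checks the four variables the client needs. The rc contents are the ones shown above; the file paths and the "leaky" copy are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): load ~/keystonerc safely.
# The rc layout is the "export OS_*=..." one shown above; paths are
# constructed for the demo.

# load_keystonerc FILE
# Refuses a credentials file other users can read, clears the bootstrap
# service-token variables, sources the file and verifies the variables
# the keystone client needs for password authentication.
load_keystonerc() {
    rc=$1
    if [ ! -f "$rc" ]; then
        echo "load_keystonerc: $rc not found" >&2
        return 1
    fi
    # characters 8-10 of "ls -l" are the "other" bits; anything but --- leaks
    other=$(ls -ld "$rc" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "load_keystonerc: refusing $rc, readable by other users (chmod 600 it)" >&2
        return 1
    fi
    # With both set, the keystone client authenticates with the service token
    # and ignores OS_USERNAME/OS_PASSWORD, so a stale bootstrap token would
    # silently keep granting admin.
    unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
    . "$rc"
    for v in OS_USERNAME OS_PASSWORD OS_TENANT_NAME OS_AUTH_URL; do
        eval "val=\$$v"
        if [ -z "$val" ]; then
            echo "load_keystonerc: $v is not set in $rc" >&2
            return 1
        fi
    done
    return 0
}

# Constructed demo: the rc file from above, once with a safe mode and once
# with the mode a plain "cat > ~/keystonerc" typically leaves (644).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/keystonerc" <<'EOF'
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://openstack.local:35357/v2.0
EOF
cp "$DEMO_DIR/keystonerc" "$DEMO_DIR/keystonerc.leaky"
chmod 600 "$DEMO_DIR/keystonerc"
chmod 644 "$DEMO_DIR/keystonerc.leaky"

# Simulate a shell that still carries the bootstrap token from earlier.
export OS_SERVICE_TOKEN=099aa8b08ff72ee3a431
export OS_SERVICE_ENDPOINT=http://openstack.localhost:35357/v2.0

if load_keystonerc "$DEMO_DIR/keystonerc.leaky"; then
    echo "unexpected: world-readable rc file was accepted"
fi
if load_keystonerc "$DEMO_DIR/keystonerc"; then
    echo "loaded credentials for $OS_USERNAME in tenant $OS_TENANT_NAME at $OS_AUTH_URL"
    if [ -z "${OS_SERVICE_TOKEN:-}" ]; then
        echo "service token cleared; keystone will now use the password"
    fi
fi
```

Use it as `load_keystonerc ~/keystonerc && keystone token-get` instead of a bare `source ~/keystonerc`; the function must be sourced (or kept in your profile) rather than run as a script, since it has to set variables in the calling shell.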
Doing this quickly while looking things up and writing the post took about an hour.
By the end of the week I want to build it out to the point where I can go "oooh".
Now, off to the gym ♡.