Ubuntu 13.10にOpenStackインストール ~Keystone編~
今週はまさかの4連休だったりして、スノボ行く前に
OpenStack入れちゃうかと。
まずは超絶かっこいい壊れかけのアコギ、弦一本での弾き語り。
そんな感じで。。
環境はUbuntu 13.10です。
まずはこの辺を参考にパッケージをインストール
apt-get install python-mysqldb mysql-server \ rabbitmq-server \ keystone python-keystone python-keystoneclient \ glance \ nova-novncproxy novnc nova-api nova-ajax-console-proxy \ nova-cert nova-conductor nova-consoleauth nova-doc nova-scheduler python-novaclient \ memcached libapache2-mod-wsgi openstack-dashboard \ cinder-api cinder-scheduler \ swift openssh-server rsync memcached python-netifaces python-xattr python-memcache \ neutron-plugin-openvswitch openvswitch-switch
次にデータベースの設定
root@openstack:~# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] n
... skipping.
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
root@openstack:~# service mysql restart
mysql stop/waiting
mysql start/running, process 11466
KeyStone用のDBの作成とユーザーの作成…の前に、
KeyStoneとは。
OpenStackの認証を司るサービスで、以前はNoveなどのサービスごとに
持っていた認証サービスを分離したもの。
openstack.jp
2 Users
5 Pockets
ページが見つかりませんでした – 日本OpenStackユーザ会
root@openstack:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.5.35-0ubuntu0.13.10.2 (Ubuntu)
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
-> IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
Ketstoneの設定
テーブルの作成と設定ファイルの編集
認証トークンの作成
root@openstack:~# openssl rand -hex 10 099aa8b08ff72ee3a431
設定ファイルの編集(diffの結果で編集箇所は察して)
root@openstack:~# diff -y --suppress-common-lines /etc/keystone/keystone.conf /etc/keystone/keystone.conf_def admin_token = 099aa8b08ff72ee3a431 | # admin_token = ADMIN admin_token = 099aa8b08ff72ee3a431 | # admin_token = ADMIN connection = mysql://keystone:KEYSTONE_DBPASS@localhost/keyst | connection = sqlite:////var/lib/keystone/keystone.db
サービスの再起動
root@openstack:~# service keystone restart keystone stop/waiting keystone start/running, process 11868
テーブルの作成
root@openstack:~# keystone-manage db_sync
ユーザ、テナント、ロールの設定
テナントというのは、仮想ネットワークや仮想マシンの管理単位で、IaaSとか提供する時に、
例えばA社にはテナントA,B社にはテナントBといったように、テナント単位で
うるわけですね。
export OS_SERVICE_TOKEN=099aa8b08ff72ee3a431 export OS_SERVICE_ENDPOINT=http://openstack.localhost:35357/v2.0 root@openstack:~# keystone tenant-create --name=admin --description="Admin Tenant" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Admin Tenant | | enabled | True | | id | 0a0c8aa731da4b238bbc3b5128f35ce8 | | name | admin | +-------------+----------------------------------+ root@openstack:~# keystone tenant-create --name=service --description="Service Tenant" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | 71f83e15dd70496486558f90be378138 | | name | service | +-------------+----------------------------------+
管理者ユーザのパスワードとメールアドレスを設定
root@openstack:~# keystone user-create --name=admin --pass=ADMIN_PASS --email=admin@openstack.localhost +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | admin@openstack.localhost | | enabled | True | | id | b320b6a4aa444bcaaf30a9b76afbfdd4 | | name | admin | +----------+----------------------------------+
管理者ロールの作成とそのロールへのadminユーザーの追加
root@openstack:~# keystone role-create --name=admin keystone user-role-add --user=admin --tenant=admin --role=admin+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 3c2a249d0be44d36bf1b3c3fde6c8b51 | | name | admin | +----------+----------------------------------+ root@openstack:~# keystone user-role-add --user=admin --tenant=admin --role=admin
つぎにKeystoneのサービスとAPIエンドポイントの作成
APIエンドポイントとはKeystoneのサービスにアクセスするURLのことです。
root@openstack:~# keystone service-create --name=keystone --type=identity \ > --description="Keystone Identity Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Keystone Identity Service | | id | f24e7d4c10554feca265ab70acf933d1 | | name | keystone | | type | identity | +-------------+----------------------------------+
戻ってきた値を元にエンドポイントを作成
root@openstack:~# keystone endpoint-create \ > --service-id=f24e7d4c10554feca265ab70acf933d1 \ > --publicurl=http://openstack.local:5000/v2.0 \ > --internalurl=http://openstack.local:5000/v2.0 \ > --adminurl=http://openstack.local:35357/v2.0 +-------------+-----------------------------------+ | Property | Value | +-------------+-----------------------------------+ | adminurl | http://openstack.local:35357/v2.0 | | id | d603271e95684e2b872cf5e8ec4e947f | | internalurl | http://openstack.local:5000/v2.0 | | publicurl | http://openstack.local:5000/v2.0 | | region | regionOne | | service_id | f24e7d4c10554feca265ab70acf933d1 | +-------------+-----------------------------------+
最後に、実際にトークンの要求を投げてみて、
値が返ってきたら設定終わり!
keystone --os-username=admin --os-password=ADMIN_PASS \ --os-auth-url=http://openstack.local:35357/v2.0 token-get keystone --os-username=admin --os-password=ADMIN_PASS \ --os-tenant-name=admin --os-auth-url=http://openstack.local:35357/v2.0 token-get
なにやらこんなファイルを作っとくと、コマンド楽に打てるらしいです。
root@openstack:~# cat ~/keystonerc export OS_USERNAME=admin export OS_PASSWORD=ADMIN_PASS export OS_TENANT_NAME=admin export OS_AUTH_URL=http://openstack.local:35357/v2.0
実行のやり方
source ~/keystonerc keystone token-get keystone user-list
さくっと調べながら記事書きながらやって1時間位。
今週中に何とかおぉぉ~~~ってなるところまで作りこみたいと思います。
では、ジムに行ってきます♡。
