yum
: # yum install openstack-utils openstack-keystone python-keystoneclient
mysql
: # yum install mysql mysql-server MySQL-python
mysqld
venga avviato di default al riavvio del server ed avviare il servizio: # chkconfig mysqld on # service mysqld start
root
: # mysqladmin -u root password *******
/var/lib/keystone/keystone.db
(cioè il DB sqlite). Verrà utilizzato MySQL che permette a più keystone di utilizzare lo stesso DB e al DB stesso di essere replicato utilizzando le feature di MySQL.
# openstack-db --init --service keystone
/etc/keystone/keystone.conf
che esista una riga del tipo: connection = mysql://keystone:keystone@hostname1.domain/keystoneNota bene: in
keystone:keystone
il primo keystone è il nome utente, il secondo è la password. Utilizzando il comando openstack-db --init --service keystone
per l'inizializzazione del DB keystone verranno utilizzati quei valori di default.
admin_token
contenuto all'interno del file /etc/keystone/keystone.conf
, attraverso il comando: # openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $(openssl rand -hex 10)
# chkconfig openstack-keystone on # service openstack-keystone start
# keystone-manage db_sync
# export ADMIN_TOKEN=<ADMIN_TOKEN_VALUE> # export KEYSTONE35357=http://hostname1.domain:35357/v2.0 # export KEYSTONE5000=http://hostname1.domain:5000/v2.0Dove <ADMIN_TOKEN_VALUE> è il valore del parametro
admin_token
contenuto nel file /etc/keystone/keystone.conf
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 tenant-create --name adminTenant --description "Admin Tenant" --enabled true +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Admin Tenant | | enabled | True | | id | c10d9c9f296b47f8a1212dd7a98357e0 | | name | adminTenant | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id <ADMIN_TENANT_ID> --name adminUser --pass <ADMIN_PASSWORD> --enabled true +----------+-------------------------------------------------------------------------------------------------------------------------+ | Property | Value | +----------+-------------------------------------------------------------------------------------------------------------------------+ | email | None | | enabled | True | | id | b0305faa3ace4671bc0399e71a0a1cc1 | | name | adminUser | | password | $6$rounds=40000$FXbQphsGDVj.Qw6B$q2e/hqj/Jnv7l.r3HW9VLTVyHaRbCB7pySvJ9prsWahvQ.GJyELRARXL4apPZAltov6f3FRAwfXu5yE5kAUbg0 | | tenantId | c10d9c9f296b47f8a1212dd7a98357e0 | +----------+-------------------------------------------------------------------------------------------------------------------------+Dove <ADMIN_TENANT_ID> è l'ID del tenant appena creato, mentre <ADMIN_PASSWORD> è la password scelta per l'utente "adminUser". Nel caso in esempio <ADMIN_TENANT_ID> equivale a
c10d9c9f296b47f8a1212dd7a98357e0
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 role-create --name admin +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 6d67c71be79643e0bf497571510a6894 | | name | admin | +----------+----------------------------------+
# export ADMIN_ROLE_ID=<ADMIN_ROLE_ID>Dove <ADMIN_ROLE_ID> è l'id del ruolo "admin", nel caso in esempio va scritto
6d67c71be79643e0bf497571510a6894
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user <ADMIN_USER_ID> --tenant_id <ADMIN_TENANT_ID> --role $ADMIN_ROLE_IDDove <ADMIN_USER_ID> e <ADMIN_TENANT_ID> sono rispettivamente gli ID di user e tenant appena creati. $ADMIN_ROLE_ID è invece l'id del ruolo "admin" esportato nell'istruzione precedente. Nota bene: non viene visualizzato nulla se il comando ha successo.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 tenant-create --name service --description "Service Tenant" --enabled true +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | edc5b7a35c644466849123cc937f9a04 | | name | service | +-------------+----------------------------------+
# export SERVICE_TENANT_ID=<SERVICE_TENANT_ID>Dove <SERVICE_TENANT_ID> è l'id del tenant appena creato, nel caso in esempio va scritto
edc5b7a35c644466849123cc937f9a04
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name glance --pass <GLANCE_PASSWORD> --enabled true +----------+-------------------------------------------------------------------------------------------------------------------------+ | Property | Value | +----------+-------------------------------------------------------------------------------------------------------------------------+ | email | None | | enabled | True | | id | f085dd93f0ae42daa1a0623b9ec978f4 | | name | glance | | password | $6$rounds=40000$Jt2pbmLiN4liEImG$BheACef6A.wSgpj5EKn.XrAihLYy41y06rrAs3pEPr4Y/IF2uLSt9ADprzFGlATwfbimn98fp/e35wM2f783W1 | | tenantId | edc5b7a35c644466849123cc937f9a04 | +----------+-------------------------------------------------------------------------------------------------------------------------+Dove <GLANCE_PASSWORD> è la password che si desidera associare all'utente del servizio Glance.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user <GLANCE_USER_ID> --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_IDDove <GLANCE_USER_ID> è l'id dello user appena creato, nel caso in esempio va scritto
f085dd93f0ae42daa1a0623b9ec978f4
. Nota bene: non viene visualizzato nulla se il comando ha successo.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name nova --pass <NOVA_PASSWORD> --enabled true +----------+-------------------------------------------------------------------------------------------------------------------------+ | Property | Value | +----------+-------------------------------------------------------------------------------------------------------------------------+ | email | None | | enabled | True | | id | 6916a161eb55476a8b2615dae7d00f27 | | name | nova | | password | $6$rounds=40000$Fi6fO6FbiWQH./Sg$ICF/qEdojYNNCSGQlicUAoFMntUREVz96DPPM4bOHsRBAB0t6vIOEDxSUh3q0IJXFGeH0YASNgmmVIU6CRklw. | | tenantId | edc5b7a35c644466849123cc937f9a04 | +----------+-------------------------------------------------------------------------------------------------------------------------+Dove <NOVA_PASSWORD> è la password che si desidera associare all'utente del servizio Nova.
keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user <NOVA_USER_ID> --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_IDDove <NOVA_USER_ID> è l'id dello user appena creato, nel caso in esempio va scritto
6916a161eb55476a8b2615dae7d00f27
. Nota bene: non viene visualizzato nulla se il comando ha successo.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name ec2 --pass <EC2_PASSWORD> --enabled true +----------+-------------------------------------------------------------------------------------------------------------------------+ | Property | Value | +----------+-------------------------------------------------------------------------------------------------------------------------+ | email | None | | enabled | True | | id | de4ca5902e6f47ffa3e00a37bff6364c | | name | ec2 | | password | $6$rounds=40000$Fi6fO6FbiWQH./Sg$ICF/qEdojYNNCSGQlicUAoFMntUREVz96DPPM4bOHsRBAB0t6vIOEDxSUh3q0IJXFGeH0YASNgmmVIU6CRklw. | | tenantId | edc5b7a35c644466849123cc937f9a04 | +----------+-------------------------------------------------------------------------------------------------------------------------+Dove <EC2_PASSWORD> è la password che si desidera associare all'utente del servizio EC2.
keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user <EC2_USER_ID> --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_IDDove <EC2_USER_ID> è l'id dello user appena creato, nel caso in esempio va scritto
de4ca5902e6f47ffa3e00a37bff6364c
. Nota bene: non viene visualizzato nulla se il comando ha successo.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name swift --pass <SWIFT_PASSWORD> --enabled true +----------+-------------------------------------------------------------------------------------------------------------------------+ | Property | Value | +----------+-------------------------------------------------------------------------------------------------------------------------+ | email | None | | enabled | True | | id | e79e37013e944d89b1430e31dae316fa | | name | swift | | password | $6$rounds=40000$Fi6fO6FbiWQH./Sg$ICF/qEdojYNNCSGQlicUAoFMntUREVz96DPPM4bOHsRBAB0t6vIOEDxSUh3q0IJXFGeH0YASNgmmVIU6CRklw. | | tenantId | edc5b7a35c644466849123cc937f9a04 | +----------+-------------------------------------------------------------------------------------------------------------------------+Dove <SWIFT_PASSWORD> è la password che si desidera associare all'utente del servizio Swift.
keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user <SWIFT_USER_ID> --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_IDDove <SWIFT_USER_ID> è l'id dello user appena creato, nel caso in esempio va scritto
e79e37013e944d89b1430e31dae316fa
. Nota bene: non viene visualizzato nulla se il comando ha successo.
/etc/keystone/keystone.conf
contenga la seguente riga: [catalog] driver = keystone.catalog.backends.sql.Catalog
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=keystone --type=identity --description="Keystone Identity Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Keystone Identity Service | | id | cfda291164a2416f99ddffc137ba14f9 | | name | keystone | | type | identity | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=<KEYSTONE_SERVICE_ID> --publicurl=$KEYSTONE5000 --internalurl=$KEYSTONE5000 --adminurl=$KEYSTONE35357 +-------------+------------------------------------+ | Property | Value | +-------------+------------------------------------+ | adminurl | http://hostname1.domain:35357/v2.0 | | id | e63155b607e1433f9ae8c66bc87c8ebf | | internalurl | http://hostname1.domain:5000/v2.0 | | publicurl | http://hostname1.domain:5000/v2.0 | | region | RegionOne | | service_id | cfda291164a2416f99ddffc137ba14f9 | +-------------+------------------------------------+Dove <KEYSTONE_SERVICE_ID> è l'id del servizio appena creato, nel caso in esempio va scritto
cfda291164a2416f99ddffc137ba14f9
.
%(tenant_id)s
ed i singoli apici che racchiudono i valori di publicurl, internalurl e adminurl devono essere digitati esattamente come mostrato sia per l'endpoint compute che per l'endpoint volume e l'endpoint object storage (paragrafi successivi).
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=nova --type=compute --description="Nova Compute Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Nova Compute Service | | id | 83486ca8422c4cb0aa4be1a231556ee3 | | name | nova | | type | compute | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=<NOVA_COMPUTE_SERVICE_ID> --publicurl='http://hostname1.domain:8774/v2/%(tenant_id)s' --internalurl='http://hostname1.domain:8774/v2/%(tenant_id)s' --adminurl='http://hostname1.domain:8774/v2/%(tenant_id)s' +-------------+-----------------------------------------------+ | Property | Value | +-------------+-----------------------------------------------+ | adminurl | http://hostname1.domain:8774/v2/%(tenant_id)s | | id | ef8874ac56b34b538536b053591d440e | | internalurl | http://hostname1.domain:8774/v2/%(tenant_id)s | | publicurl | http://hostname1.domain:8774/v2/%(tenant_id)s | | region | RegionOne | | service_id | 83486ca8422c4cb0aa4be1a231556ee3 | +-------------+-----------------------------------------------+Dove <NOVA_COMPUTE_SERVICE_ID> è l'id del servizio appena creato, nel caso in esempio va scritto
83486ca8422c4cb0aa4be1a231556ee3
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=volume --type=volume --description="Nova Volume Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Nova Volume Service | | id | 475701d5fb534be291d0f09f4ce39e40 | | name | volume | | type | volume | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=<NOVA_VOLUME_SERVICE_ID> --publicurl='http://hostname1.domain:8776/v1/%(tenant_id)s' --internalurl='http://hostname1.domain:8776/v1/%(tenant_id)s' --adminurl='http://hostname1.domain:8776/v1/%(tenant_id)s' +-------------+-----------------------------------------------+ | Property | Value | +-------------+-----------------------------------------------+ | adminurl | http://hostname1.domain:8776/v1/%(tenant_id)s | | id | 935fd37b6fa74b2f9fba6d907fa95825 | | internalurl | http://hostname1.domain:8776/v1/%(tenant_id)s | | publicurl | http://hostname1.domain:8776/v1/%(tenant_id)s | | region | RegionOne | | service_id | 475701d5fb534be291d0f09f4ce39e40 | +-------------+-----------------------------------------------+Dove <NOVA_VOLUME_SERVICE_ID> è l'id del servizio appena creato, nel caso in esempio va scritto
475701d5fb534be291d0f09f4ce39e40
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=glance --type=image --description="Glance Image Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Glance Image Service | | id | 97e15631bb8a4b2f8b41efd1ad3d53eb | | name | glance | | type | image | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=<GLANCE_IMAGE_SERVICE_ID> --publicurl=http://hostname1.domain:9292/v1 --internalurl=http://hostname1.domain:9292/v1 --adminurl=http://hostname1.domain:9292/v1 +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://hostname1.domain:9292/v1 | | id | 1ff4ece13c3e48d8a6461faebd9cd38f | | internalurl | http://hostname1.domain:9292/v1 | | publicurl | http://hostname1.domain:9292/v1 | | region | RegionOne | | service_id | 97e15631bb8a4b2f8b41efd1ad3d53eb | +-------------+----------------------------------+Dove <GLANCE_IMAGE_SERVICE_ID> è l'id del servizio appena creato, nel caso in esempio va scritto
97e15631bb8a4b2f8b41efd1ad3d53eb
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | EC2 Compatibility Service | | id | 26040267bd2744348f52785f8d806123 | | name | ec2 | | type | ec2 | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=<EC2_COMPATIBILITY_SERVICE_ID> --publicurl=http://hostname1.domain:8773/services/Cloud --internalurl=http://hostname1.domain:8773/services/Cloud --adminurl=http://hostname1.domain:8773/services/Cloud +-------------+---------------------------------------------+ | Property | Value | +-------------+---------------------------------------------+ | adminurl | http://hostname1.domain:8773/services/Cloud | | id | 3c8c0d749f21490b90163bfaed9befe7 | | internalurl | http://hostname1.domain:8773/services/Cloud | | publicurl | http://hostname1.domain:8773/services/Cloud | | region | RegionOne | | service_id | 26040267bd2744348f52785f8d806123 | +-------------+---------------------------------------------+Dove <EC2_COMPATIBILITY_SERVICE_ID> è l'id del servizio appena creato, nel caso in esempio va scritto
26040267bd2744348f52785f8d806123
.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=swift --type=object-store --description="Object Storage Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Object Storage Service | | id | 648da339ec2549fcae0331b96929dd82 | | name | swift | | type | object-store | +-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=<OBJECT_STORAGE_SERVICE_ID> --publicurl='http://hostname1.domain:8888/v1/AUTH_%(tenant_id)s --internalurl='http://hostname1.domain:8888/v1/AUTH_%(tenant_id)s' --adminurl='http://hostname1.domain:8888/v1/AUTH_%(tenant_id)s' +-------------+----------------------------------------------------+ | Property | Value | +-------------+----------------------------------------------------+ | adminurl | http://hostname1.domain:8888/v1/AUTH_%(tenant_id)s | | id | d2a3d7490c61442f9b2c8c8a2083c4b6 | | internalurl | http://hostname1.domain:8888/v1/AUTH_%(tenant_id)s | | publicurl | http://hostname1.domain:8888/v1/AUTH_%(tenant_id)s | | region | RegionOne | | service_id | 648da339ec2549fcae0331b96929dd82 | +-------------+----------------------------------------------------+Dove <OBJECT_STORAGE_SERVICE_ID> è l'id del servizio appena creato, nel caso in esempio va scritto
648da339ec2549fcae0331b96929dd82
.
yum
e lanciare il seguente comando per listare le informazioni inserite in Keystone: # yum install curl # curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "adminUser", "password": "************"}}}' -H "Content-type:application/json" http://hostname1.domain:35357/v2.0/tokens | python -mjson.tool % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 106 2446 101 2446 0 120 27990 1373 --:--:-- --:--:-- --:--:-- 27046 { "access": { "serviceCatalog": [ { "endpoints": [ { "adminURL": "http://hostname1.domain:8774/v2/c8854bd3d15f4f479476d0cf58ef7db2", "internalURL": "http://hostname1.domain:8774/v2/c8854bd3d15f4f479476d0cf58ef7db2", "publicURL": "http://hostname1.domain:8774/v2/c8854bd3d15f4f479476d0cf58ef7db2", "region": "RegionOne" } ], "endpoints_links": [], "name": "nova", "type": "compute" }, { "endpoints": [ { "adminURL": "http://hostname1.domain:9292/v1/", "internalURL": "http://hostname1.domain:9292/v1/", "publicURL": "http://hostname1.domain:9292/v1/", "region": "RegionOne" } ], "endpoints_links": [], "name": "glance", "type": "image" }, { "endpoints": [ { "adminURL": "http://hostname1.domain:8776/v1/c8854bd3d15f4f479476d0cf58ef7db2", "internalURL": "http://hostname1.domain:8776/v1/c8854bd3d15f4f479476d0cf58ef7db2", "publicURL": "http://hostname1.domain:8776/v1/c8854bd3d15f4f479476d0cf58ef7db2", "region": "RegionOne" } ], "endpoints_links": [], "name": "volume", "type": "volume" }, { "endpoints": [ { "adminURL": "http://hostname1.domain:8773/services/Admin", "internalURL": "http://hostname1.domain:8773/services/Cloud", "publicURL": "http://hostname1.domain:8773/services/Cloud", "region": "RegionOne" } ], "endpoints_links": [], "name": "ec2", "type": "ec2" }, { "endpoints": [ { "adminURL": "http://hostname1.domain:8888/v1/AUTH_c8854bd3d15f4f479476d0cf58ef7db2", "internalURL": "http://hostname1.domain:8888/v1/AUTH_c8854bd3d15f4f479476d0cf58ef7db2", "publicURL": "http://hostname1.domain:8888/v1/AUTH_c8854bd3d15f4f479476d0cf58ef7db2", "region": "RegionOne" } ], "endpoints_links": [], "name": "swift", "type": "object-store" }, { "endpoints": [ { "adminURL": "http://hostname1.domain:35357/v2.0/", "internalURL": "http://hostname1.domain:5000/v2.0/", "publicURL": "http://hostname1.domain:5000/v2.0/", "region": "RegionOne" } ], "endpoints_links": [], "name": "keystone", "type": "identity" } ], "token": { "expires": "2012-10-11T09:49:27Z", "id": "1d9c15ed60414a92bc39d3b989d5bcae", "tenant": { "description": "Admin Tenant Description", "enabled": true, "id": "c8854bd3d15f4f479476d0cf58ef7db2", "name": "adminTenant" } }, "user": { "id": "4b6da6bfa3634c819fc1abc022e88a22", "name": "adminUser", "roles": [ { "id": "ad6dc79aa39c4249ab63840f9591f99d", "name": "admin" } ], "roles_links": [], "username": "adminUser" } } }
|
|