OpenstackZedKeystone部署实现

　　操作系统：UbuntuServerMini22。04本次部署为带有自签SSL及Nginx反向代理的实现机制
　　一：配置NTP1）使用系统自带的systemdtimesyncd服务rootsrv1：vimetcsystemdtimesyncd。conf。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。〔Time〕取消16行注释，并改为如下内容NTP0。cn。pool。ntp。org1。cn。pool。ntp。orgFallbackNTPntp。ubuntu。comRootDistanceMaxSec5PollIntervalMinSec32PollIntervalMaxSec2048rootsrv1：systemctlrestartsystemdtimesyncdrootsrv1：systemctlstatussystemdtimesyncd。servicegrepStatus：Status：Initialsynchronizationtotimeserver162。159。200。1：123（0。cn。pool。ntp。org）。
　　二：安装MariaDBrootsrv1：aptinstallmariadbserveryrootsrv1：vimetcmysqlmariadb。conf。d50server。cnf。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。修改27行，开启监听地址bindaddress0。0。0。0。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。修改40行，默认的数值不能满足openstack环境需求，需改为500maxconnections500。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。修改9091行，确认默认字符集为4字节的utf8编码：utf8mb4charactersetserverutf8mb4collationserverutf8mb4generalci。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。rootsrv1：systemctlrestartmariadbrootsrv1：mysqlsecureinstallationNOTE：RUNNINGALLPARTSOFTHISSCRIPTISRECOMMENDEDFORALLMariaDBSERVERSINPRODUCTIONUSE！PLEASEREADEACHSTEPCAREFULLY！InordertologintoMariaDBtosecureit，wellneedthecurrentpasswordfortherootuser。IfyouvejustinstalledMariaDB，andhaventsettherootpasswordyet，youshouldjustpressenterhere。Entercurrentpasswordforroot（enterfornone）：回车OK，successfullyusedpassword，movingon。。。SettingtherootpasswordorusingtheunixsocketensuresthatnobodycanlogintotheMariaDBrootuserwithouttheproperauthorisation。Youalreadyhaveyourrootaccountprotected，soyoucansafelyanswern。Switchtounixsocketauthentication〔Yn〕回车Enabledsuccessfully！Reloadingprivilegetables。。。。。Success！Youalreadyhaveyourrootaccountprotected，soyoucansafelyanswern。Changetherootpassword？〔Yn〕回车Newpassword：输入新的数据库管理员密码，此密码为passwordReenternewpassword：Passwordupdatedsuccessfully！Reloadingprivilegetables。。。。。Success！Bydefault，aMariaDBinstallationhasananonymoususer，allowinganyonetologintoMariaDBwithouthavingtohaveauseraccountcreatedforthem。Thisisintendedonlyfortesting，andtomaketheinstallationgoabitsmoother。Youshouldremovethembeforemovingintoaproductionenvironment。Removeanonymoususers？〔Yn〕回车。。。Success！Normally，rootshouldonlybeallowedtoconnectfromlocalhost。Thisensuresthatsomeonecannotguessattherootpasswordfromthenetwork。Disallowrootloginremotely？〔Yn〕回车。。。Success！Bydefault，MariaDBcomeswithadatabasenamedtestthatanyonecanaccess。Thisisalsointendedonlyfortesting，andshouldberemovedbeforemovingintoaproductionenvironment。Removetestdatabaseandaccesstoit？〔Yn〕回车Droppingtestdatabase。。。。。。Success！Removingprivilegesontestdatabase。。。。。。Success！Reloadingtheprivilegetableswillensurethatallchangesmadesofarwilltakeeffectimmediately。Reloadprivilegetablesnow？〔Yn〕回车。。。Success！Cleaningup。。。Alldone！Ifyouvecompletedalloftheabovesteps，yourMariaDBinstallationshouldnowbesecure。ThanksforusingMariaDB！
　　三：安装及配置Memcached及RabbitMQ1）安装rabbitmq及memcachedrootsrv1：aptinstallrabbitmqservermemcachedpython3pymysqlnginxlibnginxmodstreamy2）配置memcachedrootsrv1：vimetcmemcached。conf。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。修改第35行，监听所有地址l192。168。1。11。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。3）配置RabbitMQrootsrv1：rabbitmqctladduseropenstackpasswordAddinguseropenstack。。。Done。Dontforgettogranttheuserpermissionstosomevirtualhosts！Seerabbitmqctlhelpsetpermissionstolearnmore。rootsrv1：rabbitmqctlsetpermissionsopenstack。。。Settingpermissionsforuseropenstackinvhost。。。4）关闭默认的NingxSiterootsrv1：lsletcnginxsitesenableddefaultlrwxrwxrwx1rootroot34Oct2415：49etcnginxsitesenableddefaultetcnginxsitesavailabledefaultrootsrv1：unlinketcnginxsitesenableddefault5）启动Memcached及RabbitMQ服务rootsrv1：systemctlrestartmariadbrabbitmqservermemcachednginx
　　四：设置OpenstackZed源1）安装Zed源rootsrv1：aptinstallsoftwarepropertiescommonyrootsrv1：addaptrepositorycloudarchive：zedRepository：debhttp：ubuntucloud。archive。canonical。comubuntujammyupdateszedmainDescription：UbuntuCloudArchiveforOpenStackZedMoreinfo：https：wiki。ubuntu。comOpenStackCloudArchiveAddingrepository。Press〔ENTER〕tocontinueorCtrlctocancel。回车Addingdebentrytoetcaptsources。list。dcloudarchivezed。listAddingdisableddebsrcentrytoetcaptsources。list。dcloudarchivezed。listReadingpackagelists。。。DoneBuildingdependencytree。。。DoneReadingstateinformation。。。Done。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。Readingpackagelists。。。Done2）更新系统rootsrv1：aptupdaterootsrv1：aptupgradey
　　五：创建Keystone数据库rootsrv1：mysqlurootpEnterpassword：输入数据库管理员的密码WelcometotheMariaDBmonitor。Commandsendwith；org。YourMariaDBconnectionidis31Serverversion：10。6。7MariaDB2ubuntu1。1Ubuntu22。04Copyright（c）2000，2018，Oracle，MariaDBCorporationAbandothers。Typehelp；orhforhelp。Typectoclearthecurrentinputstatement。MariaDB〔（none）〕createdatabasekeystone；QueryOK，1rowaffected（0。001sec）MariaDB〔（none）〕grantallprivilegesonkeystone。tokeystonelocalhostidentifiedbypassword；QueryOK，0rowsaffected（0。010sec）MariaDB〔（none）〕grantallprivilegesonkeystone。tokeystoneidentifiedbypassword；QueryOK，0rowsaffected（0。038sec）MariaDB〔（none）〕flushprivileges；QueryOK，0rowsaffected（0。001sec）MariaDB〔（none）〕exitByerootsrv1：
　　六：安装Keystonerootsrv1：aptinstallkeystonepython3openstackclientapache2libapache2modwsgipy3python3oauth2clienty
　　七：配置Keystone1）配置Keystonerootsrv1：vimetckeystonekeystone。conf。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。取消443行注释，并指定Memcached的信息memcacheserverssrv1。1000y。cloud：11211。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。〔database〕于661行，添加数据库相关信息connectionmysqlpymysql：keystone：passwordsrv1。1000y。cloudkeystone。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。〔token〕。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。于2639行取消注释providerfernet。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。2）同步数据库rootsrv1：susbinbashkeystoneckeystonemanagedbsyncrootsrv1：keystonemanagefernetsetupkeystoneuserkeystonekeystonegroupkeystonerootsrv1：keystonemanagecredentialsetupkeystoneuserkeystonekeystonegroupkeystonerootsrv1：keystonemanagebootstrapbootstrappasswordadminpasswordbootstrapadminurlhttps：srv1。1000y。cloud：5000v3bootstrapinternalurlhttps：srv1。1000y。cloud：5000v3bootstrappublicurlhttps：srv1。1000y。cloud：5000v3bootstrapregionidRegionOne
　　八：设定SSL及证书生成1）生成SSL证书（1）生成CA证书并注册rootsrv1：cdetcsslprivaterootsrv1：etcsslprivateopensslgenrsades3outcakey。pem2048EnterPEMpassphrase：设定密码VerifyingEnterPEMpassphraserootsrv1：etcsslprivateopensslrsaincakey。pemoutcakey。pemEnterpassphraseforyoga。key：输入密码writingRSAkeyrootsrv1：etcsslprivateopensslreqnewx509days365keycakey。pemoutcacert。pemYouareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest。WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN。TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue，Ifyouenter。，thefieldwillbeleftblank。CountryName（2lettercode）〔AU〕：CNStateorProvinceName（fullname）〔SomeState〕：BeiJingLocalityName（eg，city）〔〕：BeiJingOrganizationName（eg，company）〔InternetWidgitsPtyLtd〕：1000y。cloudOrganizationalUnitName（eg，section）〔〕：techCommonName（e。g。serverFQDNorYOURname）〔〕：srv1。1000y。cloudEmailAddress〔〕：回车rootsrv1：etcsslprivatecatcacert。pemetcsslcertscacertificates。crt（2）建立服务所需的keycrt文件rootsrv1：etcsslprivateopensslgenrsades3outzed。key2048EnterPEMpassphrase：设定密码VerifyingEnterPEMpassphraserootsrv1：etcsslprivateopensslrsainzed。keyoutzed。keyEnterpassphraseforyoga。key：输入密码writingRSAkeyrootsrv1：etcsslprivateopensslrequtf8newkeyzed。keyoutzed。csrIgnoringdays；notgeneratingacertificateYouareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest。WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN。TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue，Ifyouenter。，thefieldwillbeleftblank。CountryName（2lettercode）〔AU〕：CNStateorProvinceName（fullname）〔SomeState〕：BeiJingLocalityName（eg，city）〔〕：BeiJingOrganizationName（eg，company）〔InternetWidgitsPtyLtd〕：1000y。cloudOrganizationalUnitName（eg，section）〔〕：techCommonName（e。g。serverFQDNorYOURname）〔〕：srv1。1000y。cloudEmailAddress〔〕：回车PleaseenterthefollowingextraattributestobesentwithyourcertificaterequestAchallengepassword〔〕：回车Anoptionalcompanyname〔〕：回车rootsrv1：vimetcsslopenssl。cnf。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。于文件最后追加如下内容〔1000y。cloud〕subjectAltNameDNS：srv1。1000y。cloud，IP：192。168。1。11rootsrv1：private（keystone）opensslx509reqdays365inzed。csrCA。cacert。pemCAkeycakey。pemoutzed。crtextfileetcsslopenssl。cnfextensions1000y。cloudCertificaterequestselfsignatureoksubjectCCN，STBeiJing，LBeiJing，O1000y。cloud，OUtech，CNsrv1。1000y。cloudrootsrv1：etcsslprivatelsltotal24rwrr1rootroot1367Oct2416：12cacert。pemrw1rootroot1708Oct2416：12cakey。pemrwr1rootsslcert1704Oct2416：05sslcertsnakeoil。keyrwrr1rootroot1391Oct2416：18zed。crtrwrr1rootroot1017Oct2416：17zed。csrrw1rootroot1704Oct2416：17zed。keyrootsrv1：etcsslprivatecd
　　九：配置Apacherootsrv1：aptinstallapache2yrootsrv1：vimetcapache2apache2。conf。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。ServerRootetcapache2于70行，添加如下内容ServerNamesrv1。1000y。cloud。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。rootsrv1：vimetcapache2sitesavailablekeystone。confListen5000VirtualHost：5000于47行，添加如下内容SSLEngineOnSSLHonorCipherOrderOnSSLCertificateFileetcsslprivatezed。crtSSLCertificateKeyFileetcsslprivatezed。keyWSGIScriptAliasusrbinkeystonewsgipublic。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。rootsrv1：a2enmodsslConsideringdependencysetenvifforssl：ModulesetenvifalreadyenabledConsideringdependencymimeforssl：ModulemimealreadyenabledConsideringdependencysocacheshmcbforssl：Enablingmodulesocacheshmcb。Enablingmodulessl。Seeusrsharedocapache2README。Debian。gzonhowtoconfigureSSLandcreateselfsignedcertificates。Toactivatethenewconfiguration，youneedtorun：systemctlrestartapache2rootsrv1：systemctlrestartapache2
　　十：配置环境脚本及创建租户1）设定环境rootsrv1：vimkeystonerc于新文件内追加如下内容exportOSPROJECTDOMAINNAMEdefaultexportOSUSERDOMAINNAMEdefaultexportOSPROJECTNAMEadminexportOSUSERNAMEadminexportOSPASSWORDadminpasswordexportOSAUTHURLhttps：srv1。1000y。cloud：5000v3exportOSIDENTITYAPIVERSION3exportOSIMAGEAPIVERSION2exportPS1uh：W（keystone）自定义证书要加insecure参数，因此加入了别名。aliasopenstackopenstackinsecurerootsrv1：chmod600keystonercrootsrv1：sourcekeystonercrootsrv1：（keystone）echosourcekeystonerc。bashrc2）创建租户并验证rootsrv1：（keystone）openstackprojectcreatedomaindefaultdescriptionServiceProjectserviceFieldValuedescriptionServiceProjectdomainiddefaultenabledTrueid4fabd4d8316c40a398d6496c0a733cafisdomainFalsenameserviceoptions｛｝parentiddefaulttags〔〕rootsrv1：（keystone）openstackprojectlistIDName4fabd4d8316c40a398d6496c0a733cafservice994a4a3e0fbc4f5891f38470e158e6b4admin