Openstack Zed-Keystone部署实现

1. 操作系统: UbuntuServer Mini 22.04
2. 本次部署为带有自签SSL及Nginx反向代理的实现机制

一: 配置NTP

1) 使用系统自带的systemd-timesyncd服务
root@srv1:~# vim /etc/systemd/timesyncd.conf
......
......
......
......
......
......

[Time]
# 取消16行注释，并改为如下内容
NTP=0.cn.pool.ntp.org 1.cn.pool.ntp.org
#FallbackNTP=ntp.ubuntu.com
#RootDistanceMaxSec=5
#PollIntervalMinSec=32
#PollIntervalMaxSec=2048

root@srv1:~# systemctl restart systemd-timesyncd

root@srv1:~# systemctl status systemd-timesyncd.service | grep Status:
     Status: "Initial synchronization to time server 162.159.200.1:123 (0.cn.pool.ntp.org)."

二: 安装MariaDB

root@srv1:~# apt install mariadb-server -y

root@srv1:~# vim /etc/mysql/mariadb.conf.d/50-server.cnf
......
......
......
......
......
......

# 修改27行，开启监听地址
bind-address = 0.0.0.0

......
......
......
......
......
......

# 修改40行,默认的数值不能满足openstack环境需求，需改为500
max_connections = 500
......
......
......
......
......
......

# 修改90-91行,确认默认字符集为4字节的utf8编码:utf8mb4
character-set-server  = utf8mb4
collation-server      = utf8mb4_general_ci

......
......
......
......
......
......

root@srv1:~# systemctl restart mariadb

root@srv1:~# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none):    # 回车
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n]    # 回车
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n]    # 回车
New password:     # 输入新的数据库管理员密码,此密码为password
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]    # 回车
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]    # 回车
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]    # 回车
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]    # 回车
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

三: 安装及配置Memcached及RabbitMQ

1) 安装rabbitmq及memcached
root@srv1:~# apt install rabbitmq-server memcached python3-pymysql nginx libnginx-mod-stream -y

2) 配置memcached
root@srv1:~# vim /etc/memcached.conf
......
......
......
......
......

# 修改第35行，监听所有地址
-l 192.168.1.11

......
......
......
......
......

3) 配置RabbitMQ
root@srv1:~# rabbitmqctl add_user openstack password
Adding user "openstack" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.

root@srv1:~# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...

4) 关闭默认的Ningx Site
root@srv1:~# ls -l /etc/nginx/sites-enabled/default
lrwxrwxrwx 1 root root 34 Oct 24 15:49 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default

root@srv1:~# unlink /etc/nginx/sites-enabled/default

5) 启动Memcached及RabbitMQ服务
root@srv1:~# systemctl restart mariadb rabbitmq-server memcached nginx

四: 设置Openstack Zed源

1) 安装Zed源
root@srv1:~# apt install software-properties-common -y
root@srv1:~# add-apt-repository cloud-archive:zed
Repository: 'deb http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-updates/zed main'
Description:                        
Ubuntu Cloud Archive for OpenStack Zed
More info: https://wiki.ubuntu.com/OpenStack/CloudArchive
Adding repository.
Press [ENTER] to continue or Ctrl-c to cancel.    # 回车
Adding deb entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Adding disabled deb-src entry to /etc/apt/sources.list.d/cloudarchive-zed.list
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
......
......
......
......
......
......
Reading package lists... Done

2) 更新系统
root@srv1:~# apt update
root@srv1:~# apt upgrade -y

五: 创建Keystone数据库

root@srv1:~# mysql -u root -p
Enter password:  # 输入数据库管理员的密码
Welcome to the MariaDB monitor.  Commands end with ; or g.
Your MariaDB connection id is 31
Server version: 10.6.7-MariaDB-2ubuntu1.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password';
Query OK, 0 rows affected (0.010 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password';
Query OK, 0 rows affected (0.038 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> exit
Bye
root@srv1:~#

六: 安装Keystone

root@srv1:~# apt install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client -y

七: 配置Keystone

1) 配置Keystone
root@srv1:~# vim /etc/keystone/keystone.conf
......
......
......
......
......
......

# 取消443行注释,并指定Memcached的信息
memcache_servers = srv1.1000y.cloud:11211

......
......
......
......
......
......

[database]
# 于661行,添加数据库相关信息
connection = mysql+pymysql://keystone:password@srv1.1000y.cloud/keystone

......
......
......
......
......
......

[token]

......
......
......
......
......
......
# 于2639行取消注释
provider = fernet

......
......
......
......
......
......

2) 同步数据库
root@srv1:~# su -s /bin/bash keystone -c "keystone-manage db_sync"

root@srv1:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
root@srv1:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

root@srv1:~# keystone-manage bootstrap --bootstrap-password adminpassword 
--bootstrap-admin-url https://srv1.1000y.cloud:5000/v3/ 
--bootstrap-internal-url https://srv1.1000y.cloud:5000/v3/ 
--bootstrap-public-url https://srv1.1000y.cloud:5000/v3/ 
--bootstrap-region-id RegionOne

八: 设定SSL及证书生成

1) 生成SSL证书
(1) 生成CA证书并注册
root@srv1:~# cd /etc/ssl/private/
root@srv1:/etc/ssl/private# openssl genrsa -des3 -out cakey.pem 2048
Enter PEM pass phrase:     # 设定密码
Verifying - Enter PEM pass phrase     

root@srv1:/etc/ssl/private# openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for yoga.key:     # 输入密码
writing RSA key

root@srv1:/etc/ssl/private# openssl req -new -x509 -days 365 -key cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:     # 回车

root@srv1:/etc/ssl/private# cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt

(2) 建立服务所需的key/crt文件
root@srv1:/etc/ssl/private# openssl genrsa -des3 -out zed.key 2048
Enter PEM pass phrase:     # 设定密码
Verifying - Enter PEM pass phrase     

root@srv1:/etc/ssl/private# openssl rsa -in zed.key -out zed.key
Enter pass phrase for yoga.key:     # 输入密码
writing RSA key

root@srv1:/etc/ssl/private# openssl req -utf8 -new -key zed.key -out zed.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:tech
Common Name (e.g. server FQDN or YOUR name) []:srv1.1000y.cloud
Email Address []:     # 回车

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     # 回车
An optional company name []:     # 回车

root@srv1:~# vim /etc/ssl/openssl.cnf
......
......
......
......
......
......

# 于文件最后追加如下内容
[ 1000y.cloud ]
subjectAltName = DNS:srv1.1000y.cloud, IP:192.168.1.11

root@srv1:private(keystone)# openssl x509 -req -days 365 -in zed.csr -CA ./cacert.pem -CAkey cakey.pem -out zed.crt -extfile /etc/ssl/openssl.cnf -extensions 1000y.cloud
Certificate request self-signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = 1000y.cloud, OU = tech, CN = srv1.1000y.cloud

root@srv1:/etc/ssl/private# ls -l
total 24
-rw-r--r-- 1 root root     1367 Oct 24 16:12 cacert.pem
-rw------- 1 root root     1708 Oct 24 16:12 cakey.pem
-rw-r----- 1 root ssl-cert 1704 Oct 24 16:05 ssl-cert-snakeoil.key
-rw-r--r-- 1 root root     1391 Oct 24 16:18 zed.crt
-rw-r--r-- 1 root root     1017 Oct 24 16:17 zed.csr
-rw------- 1 root root     1704 Oct 24 16:17 zed.key

root@srv1:/etc/ssl/private# cd

九: 配置Apache

root@srv1:~# apt install apache2 -y

root@srv1:~# vim /etc/apache2/apache2.conf
......
......
......
......
......
......
#ServerRoot "/etc/apache2"
# 于70行，添加如下内容
ServerName srv1.1000y.cloud

......
......
......
......
......
......

root@srv1:~# vim /etc/apache2/sites-available/keystone.conf
Listen 5000


    # 于4-7行，添加如下内容
    SSLEngine On
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/ssl/private/zed.crt
    SSLCertificateKeyFile /etc/ssl/private/zed.key
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
......
......
......
......
......
......

root@srv1:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2

root@srv1:~# systemctl restart apache2

十: 配置环境脚本及创建租户

1) 设定环境
root@srv1:~# vim ~/keystonerc
# 于新文件内追加如下内容
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=adminpassword
export OS_AUTH_URL=https://srv1.1000y.cloud:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='u@h:W(keystone)$ '
# 自定义证书要加 --insecure 参数, 因此加入了别名。
alias openstack='openstack --insecure'

root@srv1:~# chmod 600 ~/keystonerc
root@srv1:~# source ~/keystonerc
root@srv1:~(keystone)# echo "source ~/keystonerc " >> ~/.bashrc

2) 创建租户并验证
root@srv1:~(keystone)# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 4fabd4d8316c40a398d6496c0a733caf |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

root@srv1:~(keystone)# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 4fabd4d8316c40a398d6496c0a733caf | service |
| 994a4a3e0fbc4f5891f38470e158e6b4 | admin   |
+----------------------------------+---------+