In the hosts file on all nodes, add:
10.0.0.10 myvip
Install on all nodes:
# yum install -y openstack-keystone python-keystoneclient
# yum install -y openstack-utils
Set the database connection in keystone.conf on all nodes, using the MySQL cluster address:
# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:[email protected]/keystone
Create the keystone database and user in MySQL:
# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
MariaDB [(none)]> exit
Create the Keystone database tables:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Set the admin token in keystone.conf on all nodes:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
de0ae6fc7397dd76dfb5
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token de0ae6fc7397dd76dfb5
Create the Keystone keys on node 1:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/ssl
# chmod -R o-rwx /etc/keystone/ssl
On node 1, pack the keys and copy them to the other nodes:
# cd /etc/keystone
# tar -cf keystonessl.tar ssl
# scp keystonessl.tar [email protected]:/etc/keystone
# scp keystonessl.tar [email protected]:/etc/keystone
# rm -f keystonessl.tar
Unpack on the other nodes:
# cd /etc/keystone
# tar -xf keystonessl.tar
# rm -f keystonessl.tar
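The following check is an added example, not part of the original build record. It audits one node after the key generation and copy steps above: nothing under the ssl directory may be accessible to other users, the tree must be owned by the keystone user, and no copy of the tarball (which holds the generated key material) may be left behind. The function name, its two arguments and the finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original record. Audits one node after the
# pki_setup / chown / chmod / tar / scp steps.
# Assumptions of this example: the function name, its arguments, and the
# finding labels. $1 = Keystone config dir, $2 = expected owner.
audit_keystone_ssl() {
    dir="${1:-/etc/keystone}"
    owner="${2:-keystone}"

    if [ ! -d "$dir/ssl" ]; then
        echo "MISSING $dir/ssl"
        return 1
    fi

    findings=$(
        # chmod -R o-rwx must leave no permission bits for other users.
        # Symlinks always report mode 777, so they are skipped.
        find "$dir/ssl" ! -type l -perm /007 | sed 's/^/WORLD_ACCESS /'

        # chown -R keystone:keystone must survive tar extraction as root.
        find "$dir/ssl" ! -user "$owner" | sed 's/^/WRONG_OWNER /'

        # The tarball is a second copy of the key material, so rm -f must
        # have removed it. The name is matched case-insensitively.
        find "$dir" -maxdepth 1 -iname 'keystonessl.tar' |
            sed 's/^/LEFTOVER_TARBALL /'
    )

    # No findings: the node matches what the steps above should produce.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage on a node (run as root): audit_keystone_ssl /etc/keystone keystone
```

The function prints one line per finding and returns non-zero if anything was found, so it can be run on each controller after the copy.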
Enable the Keystone service at boot and start it on all nodes:
# systemctl enable openstack-keystone.service
# systemctl start openstack-keystone.service
Set two-hour automatic token expiration on all nodes:
# (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
Set environment variables on node 1:
# export OS_SERVICE_TOKEN=de0ae6fc7397dd76dfb5
# export OS_SERVICE_ENDPOINT=http://controller1:35357/v2.0
Create the related users, roles, tenants, services, and so on, on node 1:
# keystone user-create --name=admin --pass=123456
# keystone role-create --name=admin
# keystone role-create --name=_member_
# keystone tenant-create --name=admin --description="admin tenant"
# keystone user-role-add --user=admin --tenant=admin --role=admin
# keystone user-role-add --user=admin --role=_member_ --tenant=admin
# keystone user-create --name=demo --pass=123456
# keystone tenant-create --name=demo --description="Demo Tenant"
# keystone user-role-add --user=demo --role=_member_ --tenant=demo
# keystone tenant-create --name=service --description="service Tenant"
# keystone service-create --name=keystone --type=identity --description="OpenStack identity"
Create the endpoint using the VIP:
# keystone endpoint-create \
--service-id=$(keystone service-list | awk '/identity/ {print $2}') \
--publicurl=http://myvip:5000/v2.0 \
--internalurl=http://myvip:5000/v2.0 \
--adminurl=http://myvip:35357/v2.0
To prevent Keystone's bind addresses from conflicting with HAProxy, set the bind address on each node:
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host controller1
# openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host controller1
# systemctl restart openstack-keystone.service
On all nodes, edit haproxy.cfg and add the following:
# vi /etc/haproxy/haproxy.cfg
listen keystone_admin_cluster
    bind 10.0.0.10:35357
    balance source
    option tcpka
    option httpchk
    option tcplog
    server controller1 10.0.0.14:35357 check inter rise 2 fall 5
    server controller2 10.0.0.12:35357 check inter rise 2 fall 5
    server controller3 10.0.0.13:35357 check inter rise 2 fall 5
listen keystone_public_internal_cluster
    bind 10.0.0.10:5000
    balance source
    option tcpka
    option httpchk
    option tcplog
    server controller1 10.0.0.14:5000 check inter rise 2 fall 5
    server controller2 10.0.0.12:5000 check inter rise 2 fall 5
    server controller3 10.0.0.13:5000 check inter rise 2 fall 5
Check which node the HAProxy resource is currently on:
# crm_mon
Restart the HAProxy service on the node where the resource is located:
# systemctl restart haproxy.service
# systemctl status -l haproxy.service
On all nodes, download the OCF resource definition:
# mkdir -p /usr/lib/ocf/resource.d/openstack
# cd /usr/lib/ocf/resource.d/openstack
# wget https://git.openstack.org/cgit/openstack/openstack-resource-agents/plain/ocf/keystone
# chmod a+rx *
On any node, use the crm configure command to add the Keystone resource:
# crm configure primitive p_keystone ocf:openstack:keystone params config="/etc/keystone/keystone.conf" os_password="123456" os_username="admin" os_tenant_name="admin" os_auth_url="http://myvip:5000/v2.0/" op monitor interval="30s" timeout="30s"
OpenStack Controller HA test environment build record (VI): Configuring Keystone