The Keystone installation cost me a few days, mainly because I got stuck on the database synchronization step, with a variety of errors.
1. Preparatory work
Action 1.1: Log in to the SQL database as root and create the keystone database.
Action 1.2: Still in the database, create the keystone user and grant it privileges. The statements are taken directly from the official guide, as shown below.
Note: replace KEYSTONE_DBPASS with the password you want to set.
Action 1.3: Exit the database, return to the command line and run openssl rand -hex 10. The resulting string is used as the temporary admin token in the rest of the installation, so be sure to keep a record of it.
2. Install and configure Keystone
Action 2.1: Install with apt-get install keystone apache2 libapache2-mod-wsgi
Action 2.2: Edit /etc/keystone/keystone.conf. The changes are listed below; the configuration here differs from the Liberty version.
2.2.1: Under [DEFAULT], write the admin token setting; its value is the token generated in Action 1.3.
2.2.2: Under [database], write the database connection setting, where KEYSTONE_DBPASS is the password set in Action 1.2.
2.2.3: Under [token], write
Action 2.3: Synchronize the database with su -s /bin/sh -c "keystone-manage db_sync" keystone. There were 2 errors when executing this command.
Error one: unable to connect to the database. The solution: when preparing the environment (see the previous article), write 127.0.0.1 controller in the hosts file.
Error two: After fixing error one, running the synchronization command again produced "Specified key was too long; max key length is 767 bytes". After careful research, this turned out to be a problem with the character encoding setting of the SQL database. The default database encoding used by OpenStack is utf8, and as the previous article on environment preparation shows, the default encoding written into the openstack.conf file after installing MariaDB is utf8, as shown in the following figure:
But when we entered the database and ran show variables like "%char%", most of the encodings were utf8mb4 (forgive me for not having a screenshot). utf8mb4 is a superset of utf8: a character takes 4 bytes under utf8mb4 and 3 bytes under utf8. That is, when the max key length is 767 bytes and utf8mb4 is in use, a variable-length column that is part of a key cannot exceed 191 characters when the table is created. During the Keystone table synchronization, however, the variable length goes up to 250, so the above error occurred.
The solution is to change utf8mb4 to utf8 in all the .cnf files in the /etc/mysql/mariadb.conf.d directory, and then restart the database. After restarting, enter the database and run show variables like "%char%"; the table appears as follows:
After that, the Keystone synchronization was run again and completed smoothly.
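The arithmetic behind error two, together with a scan for the setting that causes it, as an added example that is not part of the original post. The function names and the sample .cnf files are constructed for illustration, and the directory to scan is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): the 767-byte key limit
# expressed in characters, plus a scan for leftover utf8mb4 settings.
MAX_KEY_BYTES=767   # limit quoted in the db_sync error message

# bytes_per_char CHARSET -> worst-case bytes per character
bytes_per_char() {
    case "$1" in
        utf8mb4) echo 4 ;;
        utf8)    echo 3 ;;
        *)       return 1 ;;   # charset not covered by this example
    esac
}

# max_index_chars CHARSET -> longest column, in characters, that fits a key
max_index_chars() {
    bpc=$(bytes_per_char "$1") || return 1
    echo $(( MAX_KEY_BYTES / bpc ))
}

# fits_in_key CHARSET LENGTH -> exit 0 if a LENGTH-character column fits
fits_in_key() {
    limit=$(max_index_chars "$1") || return 2
    [ "$2" -le "$limit" ]
}

# find_utf8mb4 DIR -> "file:line: text" for each non-comment line in
# DIR/*.cnf that still selects utf8mb4
find_utf8mb4() {
    for f in "$1"/*.cnf; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*[#;]/ && /utf8mb4/ { print f ":" FNR ": " $0 }' "$f"
    done
}

# Demo on a constructed config directory (stand-in for mariadb.conf.d).
demo_dir=$(mktemp -d)
printf '[mysqld]\ncharacter-set-server = utf8mb4\n' > "$demo_dir/sample-server.cnf"
printf '[client]\n# was utf8mb4\ndefault-character-set = utf8\n' > "$demo_dir/sample-client.cnf"
for cs in utf8 utf8mb4; do
    if fits_in_key "$cs" 250; then verdict="fits"; else verdict="is too long"; fi
    echo "$cs: key limit $(max_index_chars "$cs") chars, 250-char column $verdict"
done
find_utf8mb4 "$demo_dir"
rm -rf "$demo_dir"
```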
Action 2.4: Run keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
Action 2.5: Run echo "manual" > /etc/init/keystone.override. In the official installation guide this is the first step of installing and configuring Keystone. Its purpose is to keep the keystone service from starting automatically at boot; the reason is that in the Liberty and Mitaka versions the only role of the keystone service is the number, and it is not used for managing the Keystone module. During the OpenStack installation I rebooted the machine several times before the Keystone synchronization, the keystone service did not start, and the synchronization command failed as a result. So putting this step after the synchronization is the safest.
3. Configuring the Apache HTTP service
Apache2 was already installed in the previous steps, so only a little configuration work remains here.
Action 3.1: Edit /etc/apache2/apache2.conf and add ServerName controller anywhere in the file.
Action 3.2: Create the file /etc/apache2/sites-available/wsgi-keystone.conf. Its content can be copied directly from the official guide at http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html:
Action 3.3: Run ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
Action 3.4: Run service apache2 restart
Action 3.5: Clean up with rm -f /var/lib/keystone/keystone.db
At this point, the identity authentication module Keystone is installed and configured.
4. Create the service entity and API endpoints
Each service in OpenStack needs a service entity, which is equivalent to registering with Keystone; after that, any access to a registered service has to be authenticated by Keystone. For Keystone, all of the services installed on OpenStack are its users. Here you need to understand many Keystone terms, such as domain, project, group, user, role and region, and the relationships between them. In the next article I will go through these concepts and relationships in detail; here only the commands are given, without explanations. The commands executed are exactly the same as in the official guide. There are no screenshots of the results, because I did not originally intend to write this blog post.
Action 4.1: Create the environment variables
export OS_TOKEN=ADMIN_TOKEN (ADMIN_TOKEN is the temporary token created earlier; it must be written exactly)
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Action 4.2: Create the service entity and the API URLs. Note that every service gets 3 API URLs, for use by entities with different permissions (users, other services, etc.)
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
5. Create domain, project, user, role, and more
Action 5.1: Create the default domain: openstack domain create --description "Default Domain" default
Action 5.2: Create the admin project: openstack project create --domain default --description "Admin Project" admin
Action 5.3: Create the admin user: openstack user create --domain default --password-prompt admin
Action 5.4: Create the admin role: openstack role create admin
Action 5.5: Assign the admin role to the admin project and admin user, meaning the admin user has admin privileges on all resources in the admin project:
openstack role add --project admin --user admin admin
Action 5.6: Create the service project: openstack project create --domain default --description "Service Project" service
Action 5.7: Create the demo project: openstack project create --domain default --description "Demo Project" demo
Action 5.8: Create the demo user: openstack user create --domain default --password-prompt demo
Action 5.9: Create the user role: openstack role create user
Action 5.10: Assign the user role to the demo user of the demo project, meaning the demo user has user permissions on all resources in the demo project:
openstack role add --project demo --user demo user
6. Verify the operation
As you can see, the creation commands in steps 4-5 are relatively short, whereas a full openstack command is actually very long and takes many parameter values. The short form works because we set environment variables in Action 4.1: when the openstack command runs, it checks for the necessary parameters and, if they are not given, reads them from the environment variables. We previously put ADMIN_TOKEN in an environment variable, which is very insecure.
The first step of the verification in the official guide is to disable the temporary token authentication mechanism, as follows (I was too lazy to translate it)
The second step unsets the environment variables we set in Action 4.1: unset OS_TOKEN OS_URL
The third step is to enter a complete command to get a token for the admin user; this actually authenticates the admin user and then returns a token. The command is as follows:
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
The fourth step is to authenticate the demo user
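A check for the cleanup described in the first and second steps above, added here as an example and not taken from the original post or the official guide. It assumes the paste pipeline filter is named admin_token_auth and takes both file paths as arguments; the sample files, pipeline line and token value are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the official guide):
# report leftovers of the temporary admin token once bootstrap is done.

# conf_has_admin_token FILE -> exit 0 if [DEFAULT] sets admin_token
conf_has_admin_token() {
    awk '
        /^[ \t]*\[DEFAULT\]/ { in_default = 1; next }
        /^[ \t]*\[/          { in_default = 0; next }
        in_default && /^[ \t]*admin_token[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# pipelines_with_token_auth FILE -> print pipeline lines that still
# include the admin_token_auth filter (filter name is an assumption)
pipelines_with_token_auth() {
    awk '/^[ \t]*pipeline[ \t]*=.*admin_token_auth/' "$1"
}

# audit_token_residue CONF PASTE -> print one FINDING line per leftover;
# exit 0 only when nothing is left
audit_token_residue() {
    rc=0
    if conf_has_admin_token "$1"; then
        echo "FINDING: admin_token set under [DEFAULT] in $1"; rc=1
    fi
    if [ -n "$(pipelines_with_token_auth "$2")" ]; then
        echo "FINDING: admin_token_auth still in a pipeline in $2"; rc=1
    fi
    if [ -n "${OS_TOKEN:-}" ]; then
        echo "FINDING: OS_TOKEN still set; run: unset OS_TOKEN OS_URL"; rc=1
    fi
    return "$rc"
}

# Demo on constructed files; the token value and pipeline are made up.
demo=$(mktemp -d)
printf '[DEFAULT]\nadmin_token = 0123456789abcdef0123\n' > "$demo/keystone.conf"
printf '[pipeline:public_api]\npipeline = sizelimit admin_token_auth public_service\n' \
    > "$demo/paste.ini"
( OS_TOKEN=0123456789abcdef0123
  audit_token_residue "$demo/keystone.conf" "$demo/paste.ini" ) || true
rm -rf "$demo"
```

A non-zero exit status from audit_token_residue means at least one leftover was found, so the function can gate a deployment script.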
At the end of this part of the official guide there is one more step, creating OpenStack client environment scripts (see http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-openrc.html). Its purpose is simply to write a script that creates the environment variables, which shortens the openstack commands.
At this point, the Keystone Authentication module is installed and configured.