OpenStack Controller HA test environment build record (vi)--Configuration Keystone





In the hosts file on all nodes, add:
10.0.0.10 myvip


Install on all nodes:
# yum install -y openstack-keystone python-keystoneclient
# yum install -y openstack-utils


On all nodes, point the database connection in keystone.conf at the MySQL cluster address:
# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:[email protected]/keystone


Create the keystone database and user in MySQL:
# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
MariaDB [(none)]> exit


Create the tables for Keystone:
# su -s /bin/sh -c "keystone-manage db_sync" keystone


Set the admin token in the keystone.conf file on all nodes:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
de0ae6fc7397dd76dfb5
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token de0ae6fc7397dd76dfb5


Create the Keystone keys on node 1:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/ssl
# chmod -R o-rwx /etc/keystone/ssl


On node 1, archive the keys and copy the archive to the other nodes:
# cd /etc/keystone
# tar -cf keystonessl.tar ssl
# scp keystonessl.tar [email protected]:/etc/keystone
# scp keystonessl.tar [email protected]:/etc/keystone
# rm -f keystonessl.tar

Extract the archive on the other nodes:
# cd /etc/keystone
# tar -xf keystonessl.tar
# rm -f keystonessl.tar
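
A check to run on each node once the archive is extracted, given here as an added example that is not part of the original record: it lists anything under the key directory that is still accessible to "other" or has the wrong owner, and prints one digest for the whole tree so the nodes can be compared. The function names are hypothetical; the default path and user are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original record. Function names are hypothetical.

# Entries under DIR that still grant any permission to "other",
# i.e. what `chmod -R o-rwx` is meant to remove (GNU find syntax).
ssl_world_accessible() {
    find "$1" -perm /007 -print
}

# Entries under DIR not owned by USER:GROUP (names or numeric ids).
ssl_wrong_owner() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# One digest for the whole tree: hash every file, sort by relative path,
# hash the list. The same value on every node means identical key material.
ssl_tree_digest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + \
        | LC_ALL=C sort -k 2 | sha256sum | cut -d ' ' -f 1 )
}

# Returns 0 only when permissions and ownership match what node 1 set up.
audit_keystone_ssl() {
    dir=${1:-/etc/keystone/ssl}; user=${2:-keystone}; group=${3:-keystone}
    bad=$(ssl_world_accessible "$dir"; ssl_wrong_owner "$dir" "$user" "$group")
    if [ -n "$bad" ]; then
        printf 'FAIL, check mode and owner of:\n%s\n' "$bad" >&2
        return 1
    fi
    printf 'OK %s %s\n' "$(ssl_tree_digest "$dir")" "$dir"
}
```

Run `audit_keystone_ssl` as root on every controller and compare the digest in the OK line across nodes.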


Enable the Keystone service at boot and start it on all nodes:
# systemctl enable openstack-keystone.service
# systemctl start openstack-keystone.service


Set up two-hour automatic token expiration on all nodes:
# (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone


Set environment variables on node 1:
# export OS_SERVICE_TOKEN=de0ae6fc7397dd76dfb5
# export OS_SERVICE_ENDPOINT=http://controller1:35357/v2.0


Create the related users, roles, tenants, services, and so on from node 1:
# keystone user-create --name=admin --pass=123456
# keystone role-create --name=admin
# keystone role-create --name=_member_
# keystone tenant-create --name=admin --description="admin tenant"
# keystone user-role-add --user=admin --tenant=admin --role=admin
# keystone user-role-add --user=admin --role=_member_ --tenant=admin
# keystone user-create --name=demo --pass=123456
# keystone tenant-create --name=demo --description="Demo Tenant"
# keystone user-role-add --user=demo --role=_member_ --tenant=demo
# keystone tenant-create --name=service --description="service Tenant"
# keystone service-create --name=keystone --type=identity --description="OpenStack identity"


Create the endpoint with the VIP as its address:
# keystone endpoint-create \
--service-id=$(keystone service-list | awk '/identity/ {print $2}') \
--publicurl=http://myvip:5000/v2.0 \
--internalurl=http://myvip:5000/v2.0 \
--adminurl=http://myvip:35357/v2.0


To keep Keystone's bind addresses from conflicting with HAProxy, set the bind address on each node to that node's own hostname (controller1 shown here):
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host controller1
# openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host controller1
# systemctl restart openstack-keystone.service


On all nodes, edit haproxy.cfg and add the following:
# vi /etc/haproxy/haproxy.cfg
# <interval> stands for the health-check interval; its value is missing from this record.
listen keystone_admin_cluster
    bind 10.0.0.10:35357
    balance source
    option tcpka
    option httpchk
    option tcplog
    server controller1 10.0.0.14:35357 check inter <interval> rise 2 fall 5
    server controller2 10.0.0.12:35357 check inter <interval> rise 2 fall 5
    server controller3 10.0.0.13:35357 check inter <interval> rise 2 fall 5

listen keystone_public_internal_cluster
    bind 10.0.0.10:5000
    balance source
    option tcpka
    option httpchk
    option tcplog
    server controller1 10.0.0.14:5000 check inter <interval> rise 2 fall 5
    server controller2 10.0.0.12:5000 check inter <interval> rise 2 fall 5
    server controller3 10.0.0.13:5000 check inter <interval> rise 2 fall 5



See which node the HAProxy resource is currently on:
# crm_mon


Restart the HAProxy service on the node where the resource is located:
# systemctl restart haproxy.service
# systemctl status -l haproxy.service
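
A way to confirm that the bind settings took effect, added here as an example that is not part of the original record: it reads `ss -ltn` output and reports any listener on ports 5000 or 35357 that is bound to a wildcard address (which would collide with HAProxy's bind on the VIP) or to an address other than the ones passed in. The function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the original record. Function names are hypothetical.

# Read `ss -ltn` output on stdin. Arguments: the addresses allowed to hold the
# Keystone ports on this node (the node's own IP and, where HAProxy runs, the VIP).
keystone_bind_conflicts() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            n = split($4, part, ":")      # local "addr:port"; IPv6 adds colons
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port != "5000" && port != "35357") next
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                print "wildcard " $4
            else if (!(addr in ok))
                print "unexpected " $4
        }'
}

# Constructed sample: controller1 holds the VIP, and its admin port was left
# on the wildcard address instead of the node address.
sample_ss_output() {
    cat <<'EOF'
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    10.0.0.14:5000       *:*
LISTEN     0      128    *:35357              *:*
LISTEN     0      128    10.0.0.10:5000       *:*
LISTEN     0      128    *:22                 *:*
EOF
}

# On a live node: ss -ltn | keystone_bind_conflicts 10.0.0.14 10.0.0.10
```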


On all nodes, download the OCF resource definition:
# mkdir -p /usr/lib/ocf/resource.d/openstack
# cd /usr/lib/ocf/resource.d/openstack
# wget https://git.openstack.org/cgit/openstack/openstack-resource-agents/plain/ocf/keystone
# chmod a+rx *


On any node, use the crm configure command to add the Keystone resource:
# crm configure primitive p_keystone ocf:openstack:keystone params config="/etc/keystone/keystone.conf" os_password="123456" os_username="admin" os_tenant_name="admin" os_auth_url="http://myvip:5000/v2.0/" op monitor interval="30s" timeout="30s"



