#7 [Study Guide] OpenStack Installation Study Guide - 3. Keystone
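OpenStack Installation Study Guide
3. Keystone
The OpenStack Identity service manages authentication, authorization, and the service catalog; this service is called Keystone.
Once a user has been authenticated through Keystone, they use their own identifier to access OpenStack services.
Keystone is the first OpenStack service to be installed. Install it on the Controller node after all of the environment configuration in Chapter 2 is complete.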
Controller node
Pre-configuration
# Values reused by every command below
OPENSTACK_PASSWORD=passwds
CONTROLLER_IP=192.168.0.150
Create the service database
mysql -e "CREATE DATABASE keystone;"
mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${OPENSTACK_PASSWORD}';"
mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${OPENSTACK_PASSWORD}';"
mysql -e "FLUSH PRIVILEGES;"
Install and configure the package
apt install -y keystone
# Point Keystone at its database and select the Fernet token provider
crudini --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:${OPENSTACK_PASSWORD}@${CONTROLLER_IP}/keystone
crudini --set /etc/keystone/keystone.conf token provider fernet
Set up the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize and configure the key repositories
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password ${OPENSTACK_PASSWORD} \
  --bootstrap-admin-url http://${CONTROLLER_IP}:5000/v3/ \
  --bootstrap-internal-url http://${CONTROLLER_IP}:5000/v3/ \
  --bootstrap-public-url http://${CONTROLLER_IP}:5000/v3/ \
  --bootstrap-region-id RegionOne
Configure the Apache HTTP server
echo "ServerName ${CONTROLLER_IP}" >> /etc/apache2/apache2.conf
service apache2 restart
Save the admin and demo account profiles
# The heredocs are unquoted, so the password and IP are expanded into the files
cat > admin-openrc << EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=${OPENSTACK_PASSWORD}
export OS_AUTH_URL=http://${CONTROLLER_IP}:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
cat > demo-openrc << EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=${OPENSTACK_PASSWORD}
export OS_AUTH_URL=http://${CONTROLLER_IP}:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
# Load the admin credentials into the current shell
. admin-openrc
Create the domain, projects, users, and roles
openstack domain create --description "An Example Domain" example
openstack project create --domain default --description "Service Project" service
openstack project create --domain default --description "Demo Project" myproject
openstack user create --domain default --password ${OPENSTACK_PASSWORD} myuser
openstack role create myrole
openstack role add --project myproject --user myuser myrole
Verify the token
. admin-openrc
openstack token issue
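The admin-openrc and demo-openrc files written above keep OS_PASSWORD in clear text and point OS_AUTH_URL at a plain-HTTP endpoint. The following audit script is an added example, not part of the original guide; the names `audit_openrc` and `count_findings` and the 16-character minimum are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an openrc file such as admin-openrc or demo-openrc.
MIN_PASSWORD_LEN=16   # assumption: local policy minimum, not from the guide

# Print one finding per line for the openrc file passed as $1.
audit_openrc() {
    local file=$1 other url pass
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    # The file stores OS_PASSWORD in clear text, so group/other need no access.
    other=$(ls -ld -- "$file" | cut -c5-10)
    if [ "$other" != "------" ]; then
        echo "PERMS: group/other bits are '$other'; run: chmod 600 $file"
    fi

    # Over plain HTTP the password and the issued token are sent unencrypted.
    url=$(sed -n 's/^export OS_AUTH_URL=//p' "$file" | tail -n 1)
    case "$url" in
        https://*) ;;
        http://*)  echo "TRANSPORT: OS_AUTH_URL is plain HTTP: $url" ;;
        *)         echo "TRANSPORT: OS_AUTH_URL missing or not a URL" ;;
    esac

    pass=$(sed -n 's/^export OS_PASSWORD=//p' "$file" | tail -n 1)
    if [ "${#pass}" -lt "$MIN_PASSWORD_LEN" ]; then
        echo "PASSWORD: OS_PASSWORD has ${#pass} characters (minimum $MIN_PASSWORD_LEN)"
    fi
}

# Number of findings, for use in scripts and CI checks.
count_findings() {
    audit_openrc "$1" | wc -l | tr -d ' '
}

# Audit the file named on the command line; with no argument, audit a
# constructed sample that mirrors the admin-openrc written by this guide.
if [ $# -gt 0 ]; then
    audit_openrc "$1"
else
    sample=$(mktemp)
    printf 'export OS_PASSWORD=passwds\nexport OS_AUTH_URL=http://192.168.0.150:5000/v3\n' > "$sample"
    chmod 644 "$sample"
    audit_openrc "$sample"
    rm -f "$sample"
fi
```

Run it against each profile (for example `./audit-openrc.sh admin-openrc`, where the script file name is hypothetical); an empty output means no findings.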