OpenStack Keystone notes
See:
Install
Prerequisites:
- NTP
RedHat
yum install centos-release-openstack-rocky.noarch
yum install openstack-keystone-doc python-keystoneclient-doc
yum install openstack-keystone httpd mod_wsgi
yum install python-openstackclient
# yum install python-PROJECTclient
# yum install python-keystoneclient
# MySQL / MariaDB
yum install MySQL-python
# PostgreSQL
#yum install postgresql
#yum install postgresql-server
yum install @postgresql
yum install python-sqlalchemy python-psycopg2
# RabbitMQ
yum install rabbitmq-server
sudo postgresql-setup initdb
systemctl start postgresql.service
systemctl enable postgresql.service
Configure
/var/lib/pgsql/data/pg_hba.conf
#host all all 127.0.0.1/32 ident
host all all 127.0.0.1/32 md5
su - postgres
psql
CREATE ROLE keystoneUser WITH LOGIN PASSWORD 'toor';
CREATE DATABASE keystone OWNER keystoneuser;
/etc/keystone/keystone.conf
[DEFAULT]
#verbose = True
debug = true

[database]
#connection = mysql://keystoneUser:toor@127.0.0.1/keystone
#connection = mysql+pymysql://keystoneUser:toor@127.0.0.1/keystone?charset=utf8
connection = postgresql://keystoneuser:toor@127.0.0.1/keystone

[token]
provider = fernet
systemctl restart httpd
su keystone -s /bin/sh -c "keystone-manage db_sync"
Logs are in /var/log/keystone/keystone.log, or:
journalctl -f -u devstack@keystone.service
Configuration
Rename an endpoint
Keystone was bootstrapped with the following parameters:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password toor \
  --bootstrap-admin-url http://srv-openstack-controller:35357/v3/ \
  --bootstrap-internal-url http://srv-openstack-controller:5000/v3/ \
  --bootstrap-public-url http://srv-openstack-controller:5000/v3/ \
  --bootstrap-region-id RegionOne
Solution: update the row directly in the database.
UPDATE endpoint SET url='http://srv-openstack-controller:5000/v3/' WHERE interface='admin';
Then restart the Apache service or the systemd service:
systemctl restart httpd
# or
systemctl restart devstack@keystone.service
Test
openrc
export OS_USERNAME=admin
export OS_PASSWORD=toor
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://srv-openstack-controller:5000/v3
export OS_IDENTITY_API_VERSION=3
source openrc
openstack token issue --debug
openstack service list
openstack user list
Configuring an AD/LDAP domain
Example config /etc/keystone/domains/keystone.domain.conf
[identity]
domain_configurations_from_database = False
driver = ldap

[ldap]
query_scope = sub
group_name_attribute = sAMAccountName
group_objectclass = group
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
group_tree_dn = CN=Openstack,OU=Groupes,DC=acme,DC=local
chase_referrals = false
user_id_attribute = sAMAccountName
group_members_are_ids = true
group_member_attribute = memberUid
page_size = 500
use_tls = false
url = ldaps://ldap.acme.local:636
user_name_attribute = sAMAccountName
user = Admin
user_objectclass = organizationalPerson
group_id_attribute = cn
user_filter = (memberOf=CN=Openstack,OU=Groupes,DC=acme,DC=local)
group_desc_attribute = description
user_tree_dn = DC=acme,DC=local
user_pass_attribute = userPassword
password = UEBzc3cwcmQhISEK
Problems
Missing user
The user does not appear in
openstack user list | grep jean
But it does show up with
openstack user show jean
Solution
Increase page_size
/etc/keystone/domains/keystone.acme.conf
[ldap]
page_size = 500
Then restart Apache or the keystone service.
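As an added example (not part of the original notes), a small offline audit of an [ldap] domain section like the one above: it flags cleartext transport, a mutually exclusive use_tls/ldaps:// pair, an unvalidated server certificate, an inline bind password, and page_size=0, which disables paged results and produces the same symptom as the missing-user problem. The sample configuration and the finding texts are constructed for this example.

```python
"""Offline audit of a Keystone LDAP domain config: transport security,
credential handling and paging (the page_size issue described above)."""
import configparser
from urllib.parse import urlsplit

# Constructed sample modelled on the page's keystone.domain.conf, trimmed to
# the keys the audit inspects (hypothetical values, not a real deployment).
SAMPLE_CONF = """
[identity]
driver = ldap
[ldap]
url = ldaps://ldap.acme.local:636
use_tls = false
user = Admin
password = UEBzc3cwcmQhISEK
page_size = 500
"""


def audit_ldap_domain(conf_text):
    """Return a list of (severity, message) for the [ldap] section of conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("ldap"):
        return [("info", "no [ldap] section: domain does not use the LDAP driver")]
    ldap = cp["ldap"]
    findings = []
    scheme = urlsplit(ldap.get("url", "")).scheme.lower()
    # use_tls means StartTLS on a plain ldap:// connection, not LDAPS.
    use_tls = ldap.getboolean("use_tls", fallback=False)
    if scheme == "ldap" and not use_tls:
        findings.append(("high", "cleartext LDAP: bind password and directory data are unencrypted"))
    if scheme == "ldaps" and use_tls:
        findings.append(("high", "use_tls (StartTLS) and ldaps:// are mutually exclusive"))
    if ldap.get("tls_req_cert", "demand").lower() == "never" and (scheme == "ldaps" or use_tls):
        findings.append(("high", "tls_req_cert=never: the server certificate is not validated"))
    if ldap.get("password", ""):
        findings.append(("medium", "bind password stored inline: keep the file readable by keystone only"))
    if ldap.getint("page_size", fallback=0) == 0:
        findings.append(("low", "page_size=0 disables paged results: large listings get cut off"))
    return findings


def severities(conf_text):
    """Just the severities, in order: convenient for checks and tests."""
    return [sev for sev, _ in audit_ldap_domain(conf_text)]


if __name__ == "__main__":
    for sev, msg in audit_ldap_domain(SAMPLE_CONF):
        print(f"[{sev}] {msg}")
```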
Other
Note: iptables has now been replaced by nftables.
iptables -I INPUT -p tcp --dport 5000 -j ACCEPT
tech/notes_openstack_keystone.txt · Last modified: by Jean-Baptiste
