OpenStack version: Liberty
Operating system: CentOS 7
The configuration below is written for an all-in-one deployment, but it applies in the same way to a multi-node deployment.
Email: xiao_wei@yeah.net
Chapter 1 Configuring the keystone component to use SSL
mkdir -p /root/ssl/private
mkdir -p /root/ssl/certs
- Generate the three key and certificate files
openssl genrsa -out /root/ssl/private/cakey.pem 2048
openssl req -new -x509 -extensions v3_ca -key /root/ssl/private/cakey.pem -out /root/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=CN/ST=Unset/L=Unset/O=Unset/CN=192.168.247.43
openssl genrsa -out /root/ssl/private/signing_key.pem 2048
openssl req -key /root/ssl/private/signing_key.pem -new -out /root/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=CN/ST=Unset/L=Unset/O=Unset/CN=192.168.247.43
openssl ca -batch -out /root/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650 -cert /root/ssl/certs/ca.pem -keyfile /root/ssl/private/cakey.pem -infiles /root/ssl/certs/req.pem
Notes on the commands above: the original used 1024-bit RSA keys, which are no longer considered adequate, so 2048 is used here. The original also passed "-days 3650d"; -days takes a plain number of days. The CN (192.168.247.43) is the address clients will connect to and must match the host part of every https endpoint URL, otherwise certificate verification fails. "openssl ca" needs the CA database (index.txt, serial) referenced by /etc/keystone/ssl/certs/openssl.conf; that file and directory are created by keystone-manage pki_setup or ssl_setup.
This yields three files:
ca.pem
signing_cert.pem
signing_key.pem
mkdir -p /tmp/pems
Copy the three files into /tmp/pems/. /tmp is world-readable, so keep signing_key.pem at mode 0600 while it sits there and remove the directory once every component has its copy.
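As an added example (not part of the original page), the script below produces the same three files, ca.pem, signing_cert.pem and signing_key.pem, with 2048-bit keys and a subjectAltName carrying both the IP 192.168.247.43 and the host name liberty from /etc/hosts; current TLS clients check the SAN rather than the CN, so a CN-only certificate can be rejected even when the address matches. It signs with openssl x509 -req, so it needs neither keystone's openssl.conf nor the CA database that openssl ca requires, and it finishes by verifying the chain and the SAN. The output directory, the self-contained openssl config and the demo in a temporary directory are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: build a private CA and a
# server certificate for the keystone host with a subjectAltName.
# Arguments: output directory, IP address, host name.

gen_tls_material() {
    local dir="$1" ip="$2" host="$3"
    mkdir -p "$dir"
    (
        umask 077            # private keys are created mode 0600
        cd "$dir" || exit 1

        # Self-contained openssl config (assumption of this example), so
        # neither the distribution's openssl.cnf nor keystone's
        # /etc/keystone/ssl/certs/openssl.conf is required.
        cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        # Leaf-certificate extensions: not a CA, TLS server use only,
        # valid for the IP in the endpoint URLs and the /etc/hosts name.
        cat > server_ext.cnf <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:${ip}, DNS:${host}
EOF
        # 1. CA key and self-signed CA certificate (10 years, as on the page).
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -new -x509 -config openssl.cnf -key cakey.pem -sha256 \
            -days 3650 -subj "/C=CN/O=Unset/CN=OpenStack Liberty CA" -out ca.pem
        # 2. Server key and CSR, using the page's file names.
        openssl genrsa -out signing_key.pem 2048 2>/dev/null
        openssl req -new -config openssl.cnf -key signing_key.pem \
            -subj "/C=CN/ST=Unset/L=Unset/O=Unset/CN=${ip}" -out req.pem
        # 3. Sign the CSR with the CA, attaching the SAN extensions.
        openssl x509 -req -in req.pem -CA ca.pem -CAkey cakey.pem -CAcreateserial \
            -sha256 -days 3650 -extfile server_ext.cnf -out signing_cert.pem 2>/dev/null
        chmod 644 ca.pem signing_cert.pem   # certificates are public; keys stay 0600
    )
}

# Verifies that signing_cert.pem chains to ca.pem and that its SAN lists
# the given IP; returns non-zero if either check fails.
verify_server_cert() {
    local dir="$1" ip="$2"
    openssl verify -CAfile "$dir/ca.pem" "$dir/signing_cert.pem" | grep -q ': OK$' || return 1
    openssl x509 -in "$dir/signing_cert.pem" -noout -text | grep -q "IP Address:${ip}" || return 1
}

# Demo in a throw-away directory; on the real host use /root/ssl and then
# copy ca.pem, signing_cert.pem and signing_key.pem to /tmp/pems as above.
if command -v openssl >/dev/null 2>&1; then
    demo_dir="$(mktemp -d)"
    gen_tls_material "$demo_dir" 192.168.247.43 liberty
    verify_server_cert "$demo_dir" 192.168.247.43 && echo "signing_cert.pem: chain and SAN OK"
    rm -rf "$demo_dir"
fi
```

If a second controller is added later, rerun only steps 2 and 3 with the new IP and host name against the same ca.pem, so every component keeps trusting a single CA file.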
1.1 Specify the key and certificate used for SSL
- Copy the pem files into keystone's ssl directory
cp /tmp/pems/ca.pem /etc/keystone/ssl/certs/
cp /tmp/pems/signing_cert.pem /etc/keystone/ssl/certs/
cp /tmp/pems/signing_key.pem /etc/keystone/ssl/private/
chown -R keystone:keystone /etc/keystone/ssl
- Edit keystone's configuration file (/etc/keystone/keystone.conf)
[eventlet_server_ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
This section only takes effect when keystone runs as the standalone openstack-keystone (eventlet) service, which is what this guide restarts below. If keystone is served by Apache httpd with mod_wsgi, as the Liberty installation guide recommends, TLS has to be configured in the httpd virtual host instead and this section is ignored.
1.2 Update the keystone component's endpoints
- Create the new endpoints
openstack endpoint create --region RegionOne \
identity public https://192.168.247.43:5000/v2.0
openstack endpoint create --region RegionOne \
identity internal https://192.168.247.43:5000/v2.0
openstack endpoint create --region RegionOne \
identity admin https://192.168.247.43:35357/v2.0
- Add a hosts entry
# vi /etc/hosts
192.168.247.43 liberty
- Edit the environment file
# vi /root/admin-openrc.sh
unset OS_SERVICE_TOKEN
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=root
export OS_AUTH_URL=https://192.168.247.43:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_CACERT=/etc/keystone/ssl/certs/ca.pem
export OS_REGION_NAME=RegionOne
export OS_IMAGE_API_VERSION=2
OS_AUTH_URL must use the address in the certificate's CN; the original mixed in a second address here (192.168.208.47) that would not match the certificate. OS_CACERT is what lets the command-line clients verify keystone's certificate, so --insecure is not needed once it is set.
- Delete the old endpoints
openstack endpoint list
If this command fails, restart the keystone service and then source the new environment file:
# source /root/admin-openrc.sh
openstack endpoint delete $endpoint_id
$endpoint_id: the id of each old (http) keystone endpoint; repeat for the public, internal and admin entries.
- Restart the keystone service
systemctl restart openstack-keystone
- Confirm that the new environment file and the new endpoints work
# source /root/admin-openrc.sh
openstack endpoint list
Chapter 2 Configuring the nova component to use SSL
2.1 Configure nova to reach keystone over SSL
- Edit nova.conf and change the keystone authentication settings
vi /etc/nova/nova.conf
[keystone_authtoken]
auth_uri = https://192.168.247.43:5000
auth_url = https://192.168.247.43:35357
cafile = /etc/nova/ssl/ca.pem
insecure = True
auth_host = 192.168.247.43
auth_protocol = https
Note: the option names auth_uri and auth_url may differ; follow what the component's own configuration file uses. The same applies to the components that follow. Comment out the original auth_uri and auth_url entries. insecure = True makes keystonemiddleware skip verification of keystone's certificate, which leaves the connection open to a man-in-the-middle; treat it as a troubleshooting aid only. Once cafile points at the CA that issued keystone's certificate, set insecure = False (or drop the line). auth_host and auth_protocol are deprecated keystonemiddleware options superseded by auth_url/identity_uri; they are harmless here.
- Copy the pem files into nova's ssl directory
mkdir /etc/nova/ssl
cp /tmp/pems/* /etc/nova/ssl
chown -R nova:nova /etc/nova/ssl
- Restart the nova services
openstack-service restart nova
- Test keystone authentication
nova --debug --insecure hypervisor-list
Check in the debug output that a token is returned. --insecure turns off certificate verification on the client side; with OS_CACERT set in admin-openrc.sh the flag is not needed, and leaving it off also confirms that the CA file is correct.
2.2 Specify the key and certificate nova uses
- Edit nova's configuration file
vi /etc/nova/nova.conf
[DEFAULT]
enabled_ssl_apis = osapi_compute
ssl_cert_file = /etc/nova/ssl/signing_cert.pem
ssl_key_file = /etc/nova/ssl/signing_key.pem
2.3 Update the nova component's endpoints
- Create the new endpoints
openstack endpoint create --region RegionOne \
compute public https://192.168.247.43:8774/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute internal https://192.168.247.43:8774/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute admin https://192.168.247.43:8774/v2/%\(tenant_id\)s
(The original listed 192.168.208.47 here; the address has to be the one in the certificate, 192.168.247.43, as everywhere else in this guide.)
- Delete the old endpoints
openstack endpoint list
openstack endpoint delete $endpoint_id
$endpoint_id: the id of each old nova endpoint
- Restart the nova services
openstack-service restart nova
- Test the nova service
nova --debug --insecure hypervisor-list
2.4 Configure nova to reach the other components over SSL
vi /etc/nova/nova.conf
[cinder]
endpoint_template=https://192.168.247.43:8776/v2/%(project_id)s
cafile=/etc/nova/ssl/ca.pem
[glance]
protocol=https
api_servers = https://192.168.247.43:9292
api_insecure=True
[neutron]
url = https://192.168.247.43:9696
auth_url = https://192.168.247.43:35357
cafile=/etc/nova/ssl/ca.pem
insecure=True
As in 2.1, api_insecure = True and insecure = True disable certificate verification for these clients; set them to False once the CA is trusted.
Chapter 3 Configuring the glance component to use SSL
3.1 Configure glance to reach keystone over SSL
- Edit the glance configuration and change the keystone authentication settings
# vi /etc/glance/glance-api.conf
[keystone_authtoken]
auth_uri = https://192.168.247.43:5000
auth_url = https://192.168.247.43:35357
cafile = /etc/glance/ssl/ca.pem
insecure = True
auth_host = 192.168.247.43
auth_protocol = https
# vi /etc/glance/glance-registry.conf
[keystone_authtoken]
auth_uri = https://192.168.247.43:5000
auth_url = https://192.168.247.43:35357
cafile = /etc/glance/ssl/ca.pem
insecure = True
auth_host = 192.168.247.43
auth_protocol = https
# vi /etc/glance/glance-cache.conf
[DEFAULT]
auth_url = https://192.168.247.43:5000
- Copy the pem files into glance's ssl directory
mkdir /etc/glance/ssl
cp /tmp/pems/* /etc/glance/ssl
chown -R glance:glance /etc/glance/ssl
- Restart the glance services
systemctl restart openstack-glance-api
systemctl restart openstack-glance-registry
- Test keystone authentication
nova --debug image-list
3.2 Specify the key and certificate glance uses
- Edit the glance configuration files
# vi /etc/glance/glance-api.conf
[DEFAULT]
cert_file = /etc/glance/ssl/signing_cert.pem
key_file = /etc/glance/ssl/signing_key.pem
registry_client_protocol = https
registry_client_ca_file = /etc/glance/ssl/ca.pem
# vi /etc/glance/glance-registry.conf
[DEFAULT]
cert_file = /etc/glance/ssl/signing_cert.pem
key_file = /etc/glance/ssl/signing_key.pem
3.3 Update the glance component's endpoints
- Create the new endpoints
openstack endpoint create --region RegionOne \
image public https://192.168.247.43:9292
openstack endpoint create --region RegionOne \
image internal https://192.168.247.43:9292
openstack endpoint create --region RegionOne \
image admin https://192.168.247.43:9292
- Delete the old endpoints
openstack endpoint list
openstack endpoint delete $endpoint_id
$endpoint_id: the id of each old glance endpoint
- Restart the glance services
systemctl restart openstack-glance-api
systemctl restart openstack-glance-registry
- Test the glance service
nova --debug image-list
3.4 Configure glance to reach the other components over SSL
# vi /etc/glance/glance-api.conf
[glance_store]
cinder_endpoint_template=https://192.168.247.43:8776/v2/%(project_id)s
# vi /etc/glance/glance-registry.conf
[glance_store]
cinder_endpoint_template=https://192.168.247.43:8776/v2/%(project_id)s
Chapter 4 Configuring the cinder component to use SSL
4.1 Configure cinder to reach keystone over SSL
- Edit the cinder configuration file
# vi /etc/cinder/cinder.conf
[keystone_authtoken]
auth_uri = https://192.168.247.43:5000
auth_url = https://192.168.247.43:35357
cafile = /etc/cinder/ssl/ca.pem
insecure = True
auth_host = 192.168.247.43
auth_protocol = https
- Copy the pem files into cinder's ssl directory
mkdir /etc/cinder/ssl
cp /tmp/pems/* /etc/cinder/ssl
chown -R cinder:cinder /etc/cinder/ssl
- Restart the cinder services
openstack-service restart cinder
(The original restarted glance at this step by mistake; it is cinder that was reconfigured.)
- Test keystone authentication
nova --debug list
This may fail because the network component has not been switched to https yet; what matters at this point is whether a token was obtained.
4.2 Specify the key and certificate cinder uses
- Edit the cinder configuration file
# vi /etc/cinder/cinder.conf
[DEFAULT]
ssl_cert_file = /etc/cinder/ssl/signing_cert.pem
ssl_key_file = /etc/cinder/ssl/signing_key.pem
4.3 Update the cinder component's endpoints
- Create the new endpoints
openstack endpoint create --region RegionOne \
volume public https://192.168.247.43:8776/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volume internal https://192.168.247.43:8776/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volume admin https://192.168.247.43:8776/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volumev2 public https://192.168.247.43:8776/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volumev2 internal https://192.168.247.43:8776/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volumev2 admin https://192.168.247.43:8776/v2/%\(tenant_id\)s
- Delete the old endpoints
openstack endpoint list
openstack endpoint delete $endpoint_id
$endpoint_id: the id of each old cinder endpoint (both the volume and the volumev2 entries)
- Restart the cinder services
openstack-service restart cinder
- Test the cinder service
cinder service-list
4.4 Configure cinder to reach the other components over SSL
# vi /etc/cinder/cinder.conf
[DEFAULT]
glance_host = 192.168.247.43
glance_api_servers = https://192.168.247.43:9292
glance_api_insecure = True
glance_ca_certificates_file = /etc/cinder/ssl/ca.pem
nova_endpoint_template = https://192.168.247.43:8774/v2/%(project_id)s
nova_ca_certificates_file = /etc/cinder/ssl/ca.pem
nova_api_insecure = True
The *_ca_certificates_file options already give cinder the CA it needs, so glance_api_insecure and nova_api_insecure should be False once the https endpoints are confirmed to work.
Chapter 5 Configuring the neutron component to use SSL
5.1 Configure neutron to reach keystone over SSL
- Edit the neutron configuration files
# vi /etc/neutron/metadata_agent.ini
[DEFAULT]
auth_url = https://192.168.247.43:35357
auth_uri = https://192.168.247.43:5000
# vi /etc/neutron/neutron.conf
[keystone_authtoken]
auth_url = https://192.168.247.43:35357
auth_uri = https://192.168.247.43:5000
identity_uri = https://192.168.247.43:5000
cafile = /etc/neutron/ssl/ca.pem
insecure = True
auth_host = 192.168.247.43
auth_protocol = https
identity_uri is the deprecated predecessor of auth_url and, when used, normally points at the admin endpoint (port 35357); with auth_url set it can be left out. As in 2.1, insecure = True disables certificate verification and should be set to False once the cafile is trusted.
- Copy the pem files into neutron's ssl directory
mkdir /etc/neutron/ssl
cp /tmp/pems/* /etc/neutron/ssl
chown -R neutron:neutron /etc/neutron/ssl
- Restart the neutron services
openstack-service restart neutron
- Test keystone authentication
nova --debug net-list
Check in the debug output that a token is returned.
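The [keystone_authtoken] edits in 2.1, 3.1, 4.1 and this section have the same shape in every file, and the easy mistake is to leave an http:// URL or insecure = True behind in one of them. The script below is an added example, not from the original page: it parses the [keystone_authtoken] section of any .conf file and reports URLs that are not https, insecure = True, and a missing cafile. The default file list is the set of files this guide edits; the two sample configs in the demo are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit the [keystone_authtoken]
# section of an OpenStack service configuration file for settings that
# leave the keystone connection in plaintext or unverified.

# Prints one line per finding and returns 1 if there were any, 0 if clean.
# Commented-out lines (the old auth_uri/auth_url the guide says to comment
# out) are ignored; only the active keystone_authtoken section is read.
audit_authtoken() {
    local file="$1"
    awk -v file="$file" '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[/ {                                  # [section] header
            gsub(/[ \t]/, ""); sub(/^\[/, ""); sub(/\].*$/, "")
            sect = $0; next
        }
        sect == "keystone_authtoken" && /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            seen[key] = val
        }
        END {
            n = 0
            split("auth_uri auth_url identity_uri", urls, " ")
            for (i in urls) {
                k = urls[i]
                if ((k in seen) && seen[k] !~ /^https:\/\//) {
                    printf "%s: %s = %s is not https\n", file, k, seen[k]; n++
                }
            }
            if (("insecure" in seen) && tolower(seen["insecure"]) == "true") {
                printf "%s: insecure = True disables certificate verification\n", file; n++
            }
            if (!("cafile" in seen) || seen["cafile"] == "") {
                printf "%s: cafile is not set, so the CA cannot be verified\n", file; n++
            }
            exit (n > 0 ? 1 : 0)
        }' "$file"
}

# Runs the audit over a list of files (the files this guide edits when no
# arguments are given) and returns 1 if any of them had findings.
audit_configs() {
    local rc=0 f
    [ $# -gt 0 ] || set -- /etc/nova/nova.conf /etc/glance/glance-api.conf \
        /etc/glance/glance-registry.conf /etc/cinder/cinder.conf /etc/neutron/neutron.conf
    for f in "$@"; do
        if [ -r "$f" ]; then
            audit_authtoken "$f" || rc=1
        else
            echo "$f: not readable, skipped"
        fi
    done
    return "$rc"
}

# Demo on two constructed files: the nova.conf fragment as written in 2.1,
# and the same section hardened.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/as-on-page.conf" <<'EOF'
[DEFAULT]
debug = False
[keystone_authtoken]
#auth_uri = http://192.168.247.43:5000
auth_uri = https://192.168.247.43:5000
auth_url = https://192.168.247.43:35357
cafile=/etc/nova/ssl/ca.pem
insecure=True
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
[keystone_authtoken]
auth_uri = https://192.168.247.43:5000
auth_url = https://192.168.247.43:35357
cafile = /etc/nova/ssl/ca.pem
insecure = False
EOF
for f in "$demo_dir/as-on-page.conf" "$demo_dir/hardened.conf"; do
    if audit_authtoken "$f"; then echo "$f: clean"; fi
done
rm -rf "$demo_dir"
```

Run audit_configs with no arguments on the controller after the last restart; a non-zero exit means at least one service still talks to keystone without verification.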
5.2 Specify the key and certificate neutron uses
- Edit the neutron configuration file
# vi /etc/neutron/neutron.conf
[DEFAULT]
use_ssl = True
ssl_cert_file = /etc/neutron/ssl/signing_cert.pem
ssl_key_file = /etc/neutron/ssl/signing_key.pem
5.3 Update the neutron component's endpoints
- Create the new endpoints
openstack endpoint create --region RegionOne \
network public https://192.168.247.43:9696
openstack endpoint create --region RegionOne \
network internal https://192.168.247.43:9696
openstack endpoint create --region RegionOne \
network admin https://192.168.247.43:9696
- Delete the old endpoints
openstack endpoint list
openstack endpoint delete $endpoint_id
$endpoint_id: the id of each old neutron endpoint
- Restart the neutron services
openstack-service restart neutron
- Test the neutron service
nova net-list
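Every chapter (1.2, 2.3, 3.3, 4.3 and this section) repeats the same catalog step: list the endpoints, pick out the ids of the old http entries, delete them. As an added example (not from the original page), the script below automates the picking: fed the output of openstack endpoint list -f csv, it prints an openstack endpoint delete line for every endpoint whose URL is still http://, optionally for one service type only, so the result can be reviewed before being piped to sh. The CSV sample and its endpoint ids are constructed for this example; the column order is the one Liberty's openstackclient prints for the v3 identity API.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: find the endpoints that are
# still registered with an http:// URL after the new https ones were added.
# Input on stdin: the output of
#   openstack endpoint list -f csv
# whose columns in Liberty's openstackclient are
#   "ID","Region","Service Name","Service Type","Enabled","Interface","URL"

# Prints an `openstack endpoint delete <id>` line for each plaintext
# endpoint, restricted to one service type if an argument is given.
# Nothing is deleted here: review the output, then pipe it to sh.
plaintext_endpoints() {
    local want="${1:-}"
    awk -v want="$want" '
        BEGIN { FS = "\",\"" }                 # split on the "," between quoted cells
        NR == 1 && $1 ~ /^"?ID"?$/ { next }    # header row
        NF < 7 { next }                        # blank or malformed line
        {
            sub(/^"/, "", $1); sub(/"$/, "", $NF)
            id = $1; type = $4; iface = $6; url = $NF
            if (want != "" && type != want) next
            if (url ~ /^http:\/\//)
                printf "openstack endpoint delete %s   # %s %s %s\n", id, type, iface, url
        }'
}

# Returns 0 when the catalog on stdin contains no http:// endpoint at all.
catalog_is_tls_only() {
    [ -z "$(plaintext_endpoints)" ]
}

# Constructed sample catalog (the ids and the mix of old/new entries are
# made up for this example): keystone, nova and glance each still have one
# old http entry next to their new https ones, neutron is already clean.
SAMPLE_CATALOG=$(cat <<'EOF'
"ID","Region","Service Name","Service Type","Enabled","Interface","URL"
"5c0f2a8e4b1d4a6f9e3c7d2b1a0f8e6d","RegionOne","keystone","identity","True","public","https://192.168.247.43:5000/v2.0"
"91ab34cd56ef78019a2b3c4d5e6f7081","RegionOne","keystone","identity","True","admin","http://192.168.247.43:35357/v2.0"
"2b7e151628aed2a6abf7158809cf4f3c","RegionOne","nova","compute","True","public","http://192.168.247.43:8774/v2/%(tenant_id)s"
"7d3c9e1f5a6b4c8d2e0f1a3b5c7d9e1f","RegionOne","nova","compute","True","internal","https://192.168.247.43:8774/v2/%(tenant_id)s"
"c4e1d2f3a4b5c6d7e8f9a0b1c2d3e4f5","RegionOne","glance","image","True","public","http://192.168.247.43:9292"
"a1b2c3d4e5f60718293a4b5c6d7e8f90","RegionOne","neutron","network","True","public","https://192.168.247.43:9696"
EOF
)

# Demo: everything still on http, then only the compute entries.
echo "## all plaintext endpoints"
printf '%s\n' "$SAMPLE_CATALOG" | plaintext_endpoints
echo "## compute only"
printf '%s\n' "$SAMPLE_CATALOG" | plaintext_endpoints compute
```

On the controller the real run is: source /root/admin-openrc.sh; openstack endpoint list -f csv | plaintext_endpoints compute, and, after reading the output, the same pipeline with | sh appended. Finishing with openstack endpoint list -f csv | catalog_is_tls_only && echo clean confirms that no service can still be reached through the catalog without TLS.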
5.4 Configure neutron to reach the other components over SSL
# vi /etc/neutron/neutron.conf
[DEFAULT]
nova_url = https://192.168.247.43:8774/v2
Note: I have not tested the dashboard myself.