配置OpenStack各服务组件使用SSL通信
2017-10-20 本文已影响0人
十字中人
OpenStack 版本:Liberty
操作系统:CentOS7
下面的配置针对的是allinone的部署方式,但是同理的可以应用到多节点的部署。
Email: xiao_wei@yeah.net
第1章 配置keystone组件使用SSL
mkdir -p /root/ssl/private
mkdir -p /root/ssl/certs
- 制作三个密钥证书文件
openssl genrsa -out /root/ssl/private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key /root/ssl/private/cakey.pem -out /root/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=CN/ST=Unset/L=Unset/O=Unset/CN=192.168.247.43
openssl genrsa -out /root/ssl/private/signing_key.pem 1024
openssl req -key /root/ssl/private/signing_key.pem -new -out /root/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=CN/ST=Unset/L=Unset/O=Unset/CN=192.168.247.43
openssl ca -batch -out /root/ssl/certs/signing_cert.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /root/ssl/certs/ca.pem -keyfile /root/ssl/private/cakey.pem -infiles /root/ssl/certs/req.pem
得到三个文件:
ca.pem
signing_cert.pem
signing_key.pem
mkdir -p /tmp/pems
将得到的三个文件放到/tmp/pems/目录下。
1.1 指定ssl使用的密钥和证书
- 拷贝pem文件到keystone的ssl目录
cp /tmp/pems/ca.pem /etc/keystone/ssl/certs/
cp /tmp/pems/signing_cert.pem /etc/keystone/ssl/certs/
cp /tmp/pems/signing_key.pem /etc/keystone/ssl/private/
chown keystone:keystone /etc/keystone/ssl –R
- 修改keystone的配置文件
[eventlet_server_ssl]
enable = True
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
1.2 更新keystone组件的endpoint
- 创建新的endpoint
openstack endpoint create --region RegionOne \
identity public https://192.168.247.43:5000/v2.0
openstack endpoint create --region RegionOne \
identity internal https://192.168.247.43:5000/v2.0
openstack endpoint create --region RegionOne \
identity admin https://192.168.247.43:35357/v2.0
-
增加hosts记录
# vi /etc/hosts 192.168.247.43 liberty -
修改环境变量文件
# vi /root/ admin-openrc.sh unset OS_SERVICE_TOKEN export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_PROJECT_NAME=admin export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=root export OS_AUTH_URL=https://192.168.208.47:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_CACERT=/etc/keystone/ssl/certs/ca.pem export OS_REGION_NAME=RegionOne export OS_IMAGE_API_VERSION=2 -
删除旧的endpoint
openstack endpoint list
如果该命令执行失败,重启服务后,使用新的环境变量
# source /root/admin-openrc.sh
openstack endpoint delete $endpoint_id
$endpoint_id : 旧的keystone endpoint id
-
重启keystone服务
systemctl openstack-keystone restart -
确认新的环境变量和新的endpoint可以使用
# source /root/keystonerc_admin openstack endpoint list
第2章 配置nova组件使用SSL
2.1 配置使用SSL访问keystone
-
配置nova.conf,修改keystone认证方式
vi /etc/nova/nova.conf [keystone_authtoken] auth_uri = https://192.168.247.43:5000 auth_url = https://192.168.247.43:35357 cafile=/etc/nova/ssl/ca.pem insecure=True auth_host=192.168.247.43 auth_protocol=https
注:auth_uri,auth_url名称不一定正确,以实际组件配置的为准,后续组件配置也是如此,注意注释原来的auth_uri,auth_url
-
拷贝pem文件到nova的ssl目录
mkdir /etc/nova/ssl cp /tmp/pems/* /etc/nova/ssl chown nova:nova /etc/nova/ssl -R -
重启nova服务
openstack-service restart nova -
测试keystone认证
nova --debug --insecure hypervisor-list
观察是否获取token
2.2 指定nova使用的密钥和证书
-
修改nova的配置文件
vi /etc/nova/nova.conf enabled_ssl_apis = osapi_compute ssl_cert_file=/etc/nova/ssl/signing_cert.pem ssl_key_file=/etc/nova/ssl/signing_key.pem
2.3 更新nova组件的endpoint
- 创建新的endpoint
openstack endpoint create --region RegionOne \
compute public https://192.168.208.47:8774/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute internal https://192.168.208.47:8774/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
compute admin https://192.168.208.47:8774/v2/%\(tenant_id\)s
-
删除旧的endpoint
openstack endpoint list openstack endpoint delete $endpoint_id
$endpoint_id : 旧的nova endpoint id
-
重启nova服务
openstack-service restart nova -
测试nova服务
nova --debug --insecure hypervisor-list
2.4 配置nova以SSL方式访问其他组件
vi /etc/nova/nova.conf
[cinder]
endpoint_template=https://192.168.247.43:8776/v2/%(project_id)s
cafile=/etc/nova/ssl/ca.pem
[glance]
protocol=https
api_servers = https://192.168.247.43:9292
api_insecure=True
[neutron]
url = https://192.168.247.43:9696
auth_url = https://192.168.247.43:35357
cafile=/etc/nova/ssl/ca.pem
insecure=True
第3章 配置glance组件使用SSL
3.1 配置使用SSL访问keystone
-
配置glance,修改keystone认证方式
# vi /etc/glance/glance-api.conf [keystone_authtoken] auth_uri = https://192.168.247.43:5000 auth_url = https://192.168.247.43:35357 cafile=/etc/glance/ssl/ca.pem insecure=True auth_host= 192.168.247.43 auth_protocol=https # vi /etc/glance/glance-registry.conf [keystone_authtoken] auth_uri = https://192.168.247.43:5000 auth_url = https://192.168.247.43:35357 cafile=/etc/glance/ssl/ca.pem insecure=True auth_host= 192.168.247.43 auth_protocol=https # vi /etc/glance/glance-cache.conf [DEFAULT] auth_url=https://192.168.247.43:5000 -
拷贝pem文件到glance的ssl目录
mkdir /etc/glance/ssl cp /tmp/pems/* /etc/glance/ssl chown glance:glance /etc/glance/ssl -R -
重启glance服务
systemctl openstack-glance-api restart systemctl openstack-glance-registry restart -
测试keystone认证
nova --debug image-list
3.2 指定glance使用的密钥和证书
-
修改glance的配置文件
# vi /etc/glance/glance-api.conf [DEFAULT] cert_file=/etc/glance/ssl/signing_cert.pem key_file=/etc/glance/ssl/signing_key.pem registry_client_protocol=https registry_client_ca_file=/etc/glance/ssl/ca.pem #vi /etc/glance/glance-registry.conf [DEFAULT] cert_file=/etc/glance/ssl/signing_cert.pem key_file=/etc/glance/ssl/signing_key.pem
3.3 更新glance组件的endpoint
- 创建新的endpoint
openstack endpoint create --region RegionOne \
image public https://192.168.247.43:9292
openstack endpoint create --region RegionOne \
image internal https://192.168.247.43:9292
openstack endpoint create --region RegionOne \
image admin https://192.168.247.43:9292
-
删除旧的endpoint
openstack endpoint-list openstack endpoint-delete $endpoint_id
$endpoint_id : 旧的glance endpoint id
-
重启glance服务
systemctl openstack-glance-api restart systemctl openstack-glance-registry restart -
测试glance服务
nova --debug image-list
3.4 配置glance以SSL方式访问其他组件
# vi /etc/glance/glance-api.conf
[glance_store]
cinder_endpoint_template=https://192.168.247.43:8776/v2/%(project_id)s
# vi /etc/glance/glance-registry.conf
[glance_store]
cinder_endpoint_template=https://192.168.247.43:8776/v2/%(project_id)s
第4章 配置cinder组件使用SSL
4.1 配置使用SSL访问keystone
-
配置cinder配置文件
# vi /etc/cinder/cinder.conf [keystone_authtoken] auth_uri = https://192.168.247.43:5000 auth_url = https://192.168.247.43:35357 cafile=/etc/cinder/ssl/ca.pem insecure = True auth_host = 192.168.247.43 auth_protocol = https -
拷贝pem文件到cinder的ssl目录
mkdir /etc/cinder/ssl cp /tmp/pems/* /etc/cinder/ssl chown cinder:cinder /etc/cinder/ssl -R -
重启cinder服务
openstack-service restart glance -
测试keystone认证
nova --debug list
可能出错,原因在于网络组件未配置https,观察是否已经获取到Token
4.2 指定cinder使用的密钥和证书
-
修改cinder的配置文件
#vi /etc/cinder/cinder.conf [DEFAULT] ssl_cert_file=/etc/cinder/ssl/signing_cert.pem ssl_key_file=/etc/cinder/ssl/signing_key.pem
4.3 更新cinder组件的endpoint
- 创建新的endpoint
openstack endpoint create --region RegionOne \
volume public https://192.168.247.43:8776/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volume internal https://192.168.247.43:8776/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volume admin https://192.168.247.43:8776/v1/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volumev2 public https://192.168.247.43:8776/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volumev2 internal https://192.168.247.43:8776/v2/%\(tenant_id\)s
openstack endpoint create --region RegionOne \
volumev2 admin https://192.168.247.43:8776/v2/%\(tenant_id\)s
-
删除旧的endpoint
openstack endpoint-list openstack endpoint-delete $endpoint_id
$endpoint_id : 旧的cinder endpoint id
-
重启cinder服务
openstack-service restart cinder -
测试cinder服务
cinder service-list
4.4 配置cinder以SSL方式访问其他组件
# vi /etc/cinder/cinder.conf
[DEFAULT]
glance_host = 192.168.247.43
glance_api_servers = https://192.168.247.43:9292
glance_api_insecure = True
glance_ca_certificates_file = /etc/cinder/ssl/ca.pem
nova_endpoint_template = https://192.168.247.43:8774/v2/%(project_id)s
nova_ca_certificates_file = /etc/cinder/ssl/ca.pem
nova_api_insecure = True
第5章 配置neutron组件使用SSL
5.1 配置使用SSL访问keystone
-
修改neutron配置文件
# vi /etc/neutron/metadata_agent.ini auth_url = https://192.168.247.43:35357 auth_uri = https://192.168.247.43:5000 # vi /etc/neutron/neutron.conf [keystone_authtoken] auth_url = https://192.168.247.43:35357 auth_uri = https://192.168.247.43:5000 identity_uri = https://192.168.247.43:5000 cafile=/etc/neutron/ssl/ca.pem insecure=True auth_host=192.168.247.43 auth_protocol=https -
拷贝pem文件到neutron的ssl目录
mkdir /etc/neutron/ssl cp /tmp/pems/* /etc/neutron/ssl chown neutron:neutron /etc/neutron/ssl -R -
重启neutron服务
openstack-service restart neutron -
测试keystone认证
nova --debug net-list
观察是否获取到Token
5.2 指定neutron使用的密钥和证书
-
修改neutron的配置文件
# vi /etc/neutron/neutron.conf [ DEFAULT] use_ssl = True ssl_cert_file = /etc/neutron/ssl/signing_cert.pem ssl_key_file = /etc/neutron/ssl/signing_key.pem
5.3 更新neutron组件的endpoint
- 创建新的endpoint
openstack endpoint create --region RegionOne \
network public https://192.168.247.43:9696
openstack endpoint create --region RegionOne \
network internal https://192.168.247.43:9696
openstack endpoint create --region RegionOne \
network admin https://192.168.247.43:9696
-
删除旧的endpoint
openstack endpoint list openstack endpoint delete $endpoint_id
$endpoint_id : 旧的neutron endpoint id
-
重启neutron服务
openstack-service restart neutron -
测试neutron服务
nova net-list
5.4 配置neutron以SSL方式访问其他组件
# vi /etc/neutron/neutron.conf
[DEFAULT]
nova_url = https://192.168.247.43:8774/v2
注:dashboard本人没有试验
