From d2dfbb6116ce0ce4054a360aaf36a17b8fe5bbbe Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Tue, 3 Nov 2015 13:26:54 +0100
Subject: [PATCH] [install] Updates the keystone install

This patch updates the commands made by the postinst of Keystone, as the
package moved to use the Keystone v3 API. Note that still missing is the
use of Apache instead of the eventlet setup for Keystone. Please bear with
me, and accept this as an incremental step, as this will come later on.

Change-Id: I497f671b4f96d700be189d8e363a8c75c513e207
---
 doc/install-guide/source/keystone-install.rst | 190 +++++++++++-------
 1 file changed, 122 insertions(+), 68 deletions(-)

diff --git a/doc/install-guide/source/keystone-install.rst b/doc/install-guide/source/keystone-install.rst
index 4d157b32b8..615d66e49b 100644
--- a/doc/install-guide/source/keystone-install.rst
+++ b/doc/install-guide/source/keystone-install.rst
@@ -6,46 +6,48 @@ Identity service, code-named keystone, on the controller node. For performance, this configuration deploys the Apache HTTP server to handle requests and Memcached to store tokens instead of an SQL database. -Prerequisites -------------- +.. only:: obs or rdo or ubuntu -Before you configure the OpenStack Identity service, you must create a -database and an administration token. + Prerequisites + ------------- -#. To create the database, complete the following actions: + Before you configure the OpenStack Identity service, you must create a + database and an administration token. - * Use the database access client to connect to the database server as the - ``root`` user: + #. To create the database, complete the following actions: - .. code-block:: console + * Use the database access client to connect to the database server as the + ``root`` user: - $ mysql -u root -p + .. code-block:: console - * Create the ``keystone`` database: + $ mysql -u root -p - .. code-block:: console + * Create the ``keystone`` database: - CREATE DATABASE keystone; + .. code-block:: console - * Grant proper access to the ``keystone`` database: + CREATE DATABASE keystone; - .. code-block:: console + * Grant proper access to the ``keystone`` database: - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ - IDENTIFIED BY 'KEYSTONE_DBPASS'; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ - IDENTIFIED BY 'KEYSTONE_DBPASS'; + .. code-block:: console - Replace ``KEYSTONE_DBPASS`` with a suitable password. + GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; + GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; - * Exit the database access client. + Replace ``KEYSTONE_DBPASS`` with a suitable password. -#. Generate a random value to use as the administration token during - initial configuration: + * Exit the database access client. - .. code-block:: console + #. 
Generate a random value to use as the administration token during + initial configuration: - $ openssl rand -hex 10 + .. code-block:: console + + $ openssl rand -hex 10 .. only:: obs or rdo or ubuntu @@ -200,11 +202,6 @@ database and an administration token. # apt-get install keystone - .. note:: - - python-keystoneclient will automatically be installed as it is a - dependency of the keystone package. - #. Respond to prompts for :doc:`debconf/debconf-dbconfig-common`, which will fill the below database access directive. @@ -214,7 +211,7 @@ database and an administration token. ... connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone - If you decide to not use ``dbconfig-common``, then you will have to + If you decide to not use ``dbconfig-common``, then you have to create the database and manage its access rights yourself, and run the following by hand. 
@@ -247,19 +244,55 @@ database and an administration token. ... admin_token = ADMIN_TOKEN - #. Create the ``admin`` tenant and user: + #. Create the ``admin`` project and user: During the final stage of the package installation, it is possible to - automatically create an admin tenant and an admin user. This can later - be used for other OpenStack services to contact the Identity service. - This is the equivalent of running the below commands: + automatically create an ``admin`` and ``service`` project, and an ``admin`` user. + This can later be used for other OpenStack services to contact the + Identity service. This is the equivalent of running the below commands: .. code-block:: console - # openstack project create --description "Admin Tenant" admin - # openstack user create --password ADMIN_PASS --email root@localhost admin - # openstack role create admin - # openstack role add --project demo --user demo user + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + project create --or-show \ + admin --domain default \ + --description "Default Debian admin project" + + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + project create --or-show \ + service --domain default \ + --description "Default Debian admin project" + + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + user create --or-show \ + --password ADMIN_PASS \ + --project admin \ + --email root@localhost \ + --enable \ + admin \ + --domain default \ + --description "Default Debian admin user" + + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + role create --or-show admin + + # openstack --os-token ${AUTH_TOKEN} \ + 
--os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + role add --project admin --user admin admin .. image:: figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png :scale: 50 @@ -282,14 +315,33 @@ database and an administration token. .. code-block:: console - # openstack service create --name keystone --description "OpenStack Identity" identity - # keystone endpoint-create \ - --publicurl http://controller:5000/v2.0 \ - --internalurl http://controller:5000/v2.0 \ - --adminurl http://controller:35357/v2.0 \ - --region RegionOne \ + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + service create \ + --name keystone \ + --description "OpenStack Identity" \ identity + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + keystone public http://controller:5000/v2.0 + + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + keystone internal http://controller:5000/v2.0 + + # openstack --os-token ${AUTH_TOKEN} \ + --os-url=http://127.0.0.1:35357/v3/ \ + --os-domain-name default \ + --os-identity-api-version=3 \ + keystone admin http://controller:35357/v2.0 + .. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png 
@@ -499,46 +551,48 @@ database and an administration token. # chown -R keystone:keystone /etc/keystone -Finalize the installation -------------------------- +.. only:: ubuntu or rdo or obs -.. only:: ubuntu + Finalize the installation + ------------------------- - #. Restart the Apache HTTP server: + .. only:: ubuntu - .. code-block:: console + #. Restart the Apache HTTP server: - # service apache2 restart + .. code-block:: console - #. By default, the Ubuntu packages create an SQLite database. + # service apache2 restart - Because this configuration uses an SQL database server, you can remove - the SQLite database file: + #. By default, the Ubuntu packages create an SQLite database. - .. code-block:: console + Because this configuration uses an SQL database server, you can remove + the SQLite database file: - # rm -f /var/lib/keystone/keystone.db + .. code-block:: console -.. only:: rdo + # rm -f /var/lib/keystone/keystone.db - * Start the Apache HTTP service and configure it to start when the system boots: + .. only:: rdo - .. code-block:: console + * Start the Apache HTTP service and configure it to start when the system boots: - # systemctl enable httpd.service - # systemctl start httpd.service + .. code-block:: console -.. only:: obs + # systemctl enable httpd.service + # systemctl start httpd.service - #. Activate the Apache module ``mod_version``: + .. only:: obs - .. code-block:: console + #. Activate the Apache module ``mod_version``: - # a2enmod version + .. code-block:: console - #. Start the Apache HTTP service and configure it to start when the system boots: + # a2enmod version - .. code-block:: console + #. Start the Apache HTTP service and configure it to start when the system boots: - # systemctl enable apache2.service - # systemctl start apache2.service + .. code-block:: console + + # systemctl enable apache2.service + # systemctl start apache2.service
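
Review bot: In the first hunk (@@ -6,46 +6,48 @@) the "Prerequisites" title and its underline are now indented inside ".. only:: obs or rdo or ubuntu", and a section title nested in a directive body does not always land at the expected level in the section tree. Please check the rendered output for every tag, debian included, to confirm the heading level and the table of contents are still right. The trailing context also shows an existing ".. only:: obs or rdo or ubuntu" block directly after the new one, so the two could be merged into a single block with the same expression. Separately, the unchanged intro still says the configuration "deploys the Apache HTTP server", which the commit message says is not yet true for the Debian path; a short note for debian would avoid the contradiction.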
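
Review bot: In the second hunk (@@ -200,11 +202,6 @@) the note about python-keystoneclient is removed without a replacement, yet every command added later in this patch is run through the "openstack" client. Please state which package provides that client on Debian and whether it is installed as a dependency of keystone, so a reader reproducing the postinst steps by hand knows what to install. The "you will have to" to "you have to" wording change is fine.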
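
Review bot: In the third hunk (@@ -247,19 +244,55 @@) the second "project create --or-show" call creates the "service" project but keeps --description "Default Debian admin project", which looks like a copy-paste from the "admin" call above it; suggest "Default Debian service project" or whatever the postinst actually sets. The commands also reference ${AUTH_TOKEN}, while the context line just above uses the placeholder "admin_token = ADMIN_TOKEN"; either use ADMIN_TOKEN in the commands or add a sentence saying AUTH_TOKEN holds that value. Since the token and ADMIN_PASS are passed as command-line arguments, it is worth a sentence noting that these end up in shell history and the process list when run by hand. The image a few lines below is still named keystone_2_register_admin_tenant_yes_no.png; that is fine if the screenshot is unchanged, but the surrounding text now says "project".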
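
Review bot: In the fourth hunk (@@ -282,14 +315,33 @@) the three endpoint commands have no subcommand: after the global options they read "keystone public http://controller:5000/v2.0", "keystone internal ..." and "keystone admin ...", so the "endpoint create" verb is missing and the commands will not run as documented. The removed keystone endpoint-create call also passed "--region RegionOne", and the region is now dropped entirely; if the postinst still registers a region, it should appear here as "endpoint create --region RegionOne keystone public ...". Finally, the registered URLs still end in /v2.0 while every call goes through --os-url=http://127.0.0.1:35357/v3/ with --os-identity-api-version=3; please confirm which version the package really registers and make the documented URLs match.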
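
Review bot: In the last hunk (@@ -499,46 +551,48 @@) the new outer directive is written ".. only:: ubuntu or rdo or obs", while the first hunk uses ".. only:: obs or rdo or ubuntu" for the same set of tags; please use one order throughout the file so the conditions are easy to grep. The three inner blocks (ubuntu, rdo, obs) were already conditional, so the only effect of the wrapper is to hide the "Finalize the installation" heading from the debian build. If that is the intent, a one-line comment saying so would help, and the same caution about a section title nested inside a directive applies here as in the first hunk.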