openstack/openstack-manuals
Code Issues Proposed changes

Merge "Fix installation of keystone in debian and ubuntu"

Browse Source
This commit is contained in:
Jenkins 2016-07-20 06:19:32 +00:00 committed by Gerrit Code Review
commit c8682ce77c
1 changed files with 72 additions and 235 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

307
doc/install-guide/source/keystone-install.rst
View File

@ -8,55 +8,53 @@ Identity service, code-named keystone, on the controller node. For
performance, this configuration deploys Fernet tokens and the Apache
HTTP server to handle requests.
.. only:: obs or rdo or ubuntu
Prerequisites
-------------
Prerequisites
-------------
Before you configure the OpenStack Identity service, you must create a
database and an administration token.
Before you configure the OpenStack Identity service, you must create a
database and an administration token.
#. To create the database, complete the following actions:
#. To create the database, complete the following actions:
* Use the database access client to connect to the database server as the
``root`` user:
* Use the database access client to connect to the database server as the
``root`` user:
.. code-block:: console
.. code-block:: console
$ mysql -u root -p
$ mysql -u root -p
* Create the ``keystone`` database:
* Create the ``keystone`` database:
.. code-block:: console
.. code-block:: console
CREATE DATABASE keystone;
CREATE DATABASE keystone;
* Grant proper access to the ``keystone`` database:
* Grant proper access to the ``keystone`` database:
.. code-block:: console
.. code-block:: console
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace ``KEYSTONE_DBPASS`` with a suitable password.
Replace ``KEYSTONE_DBPASS`` with a suitable password.
* Exit the database access client.
* Exit the database access client.
#. Generate a random value to use as the administration token during
initial configuration:
#. Generate a random value to use as the administration token during
initial configuration:
.. code-block:: console
.. code-block:: console
$ openssl rand -hex 10
$ openssl rand -hex 10
Install and configure components
--------------------------------
.. only:: obs or rdo or ubuntu
.. include:: shared/note_configuration_vary_by_distribution.rst
Install and configure components
--------------------------------
.. include:: shared/note_configuration_vary_by_distribution.rst
.. only:: obs or rdo
.. note::
@ -65,96 +63,15 @@ HTTP server to handle requests.
keystone service still listens on these ports. Therefore, this guide
manually disables the keystone service.
.. only:: ubuntu
.. only:: ubuntu or debian
#. Disable the keystone service from starting automatically after
installation:
.. note::
.. code-block:: console
# echo "manual" > /etc/init/keystone.override
#. Run the following command to install the packages:
.. only:: ubuntu
.. code-block:: console
# apt-get install keystone apache2 libapache2-mod-wsgi
.. only:: obs or rdo
#. Run the following command to install the packages:
.. only:: rdo
.. code-block:: console
# yum install openstack-keystone httpd mod_wsgi
.. only:: obs
.. code-block:: console
# zypper install openstack-keystone apache2-mod_wsgi
.. only:: obs or rdo or ubuntu
3. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:
* In the ``[DEFAULT]`` section, define the value of the initial
administration token:
.. code-block:: ini
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Replace ``ADMIN_TOKEN`` with the random value that you generated in a
previous step.
* In the ``[database]`` section, configure database access:
.. code-block:: ini
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
* In the ``[token]`` section, configure the Fernet token provider:
.. code-block:: ini
[token]
...
provider = fernet
.. only:: rdo or ubuntu or obs
4. Populate the Identity service database:
.. code-block:: console
# su -s /bin/sh -c "keystone-manage db_sync" keystone
.. note::
Ignore any deprecation messages in this output.
5. Initialize Fernet keys:
.. code-block:: console
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
.. only:: debian
Install and configure the components
------------------------------------
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
Identity service requests on ports 5000 and 35357. By default, the
keystone service still listens on these ports. The package handles
all of the Apache configuration for you (including the activation of
the ``mod_wsgi`` apache2 module and keystone configuration in Apache).
#. Run the following command to install the packages:
@ -162,150 +79,70 @@ HTTP server to handle requests.
# apt-get install keystone
#. Respond to prompts for debconf,
which will fill the below database access directive.
.. only:: obs or rdo
.. :doc:`debconf/debconf-dbconfig-common`,
which will fill the below database access directive.
#. Run the following command to install the packages:
.. code-block:: ini
.. only:: rdo
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
.. code-block:: console
If you decide to not use ``dbconfig-common``, then you have to
create the database and manage its access rights yourself, and run the
following by hand.
# yum install openstack-keystone httpd mod_wsgi
.. code-block:: console
.. only:: obs
# keystone-manage db_sync
.. code-block:: console
#. Generate a random value to use as the administration token during
initial configuration:
# zypper install openstack-keystone apache2-mod_wsgi
.. code-block:: console
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:
$ openssl rand -hex 10
* In the ``[DEFAULT]`` section, define the value of the initial
administration token:
#. Configure the initial administration token:
.. code-block:: ini
.. image:: figures/debconf-screenshots/keystone_1_admin_token.png
:scale: 50
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Use the random value that you generated in a previous step. If you
install using non-interactive mode or you do not specify this token, the
configuration tool generates a random value.
Replace ``ADMIN_TOKEN`` with the random value that you generated in a
previous step.
Later on, the package will configure the below directive with the value
you entered:
* In the ``[database]`` section, configure database access:
.. code-block:: ini
.. code-block:: ini
[DEFAULT]
...
admin_token = ADMIN_TOKEN
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
#. Create the ``admin`` project and user:
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
During the final stage of the package installation, it is possible to
automatically create an ``admin`` and ``service`` project, and an ``admin`` user.
This can later be used for other OpenStack services to contact the
Identity service. This is the equivalent of running the below commands:
* In the ``[token]`` section, configure the Fernet token provider:
.. code-block:: console
.. code-block:: ini
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
project create --or-show \
admin --domain default \
--description "Default Debian admin project"
[token]
...
provider = fernet
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
project create --or-show \
service --domain default \
--description "Default Debian admin project"
3. Populate the Identity service database:
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
user create --or-show \
--password ADMIN_PASS \
--project admin \
--email root@localhost \
--enable \
admin \
--domain default \
--description "Default Debian admin user"
.. code-block:: console
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
role create --or-show admin
# su -s /bin/sh -c "keystone-manage db_sync" keystone
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
role add --project admin --user admin admin
.. note::
.. image:: figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png
:scale: 50
Ignore any deprecation messages in this output.
.. image:: figures/debconf-screenshots/keystone_3_admin_user_name.png
:scale: 50
4. Initialize Fernet keys:
.. image:: figures/debconf-screenshots/keystone_4_admin_user_email.png
:scale: 50
.. code-block:: console
.. image:: figures/debconf-screenshots/keystone_5_admin_user_pass.png
:scale: 50
.. image:: figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png
:scale: 50
In Debian, the Keystone package offers automatic registration of
Keystone in the service catalogue. This is equivalent of running the
below commands:
.. code-block:: console
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
service create \
--name keystone \
--description "OpenStack Identity" \
identity
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
keystone public http://controller:5000/v2.0
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
keystone internal http://controller:5000/v2.0
# openstack --os-token ${AUTH_TOKEN} \
--os-url=http://127.0.0.1:35357/v3/ \
--os-domain-name default \
--os-identity-api-version=3 \
keystone admin http://controller:35357/v2.0
.. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
.. only:: obs or rdo or ubuntu