.. _keystone-install:

Install and configure
~~~~~~~~~~~~~~~~~~~~~

This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
performance, this configuration deploys Fernet tokens and the Apache
HTTP server to handle requests.

.. only:: obs or rdo or ubuntu

   Prerequisites
   -------------

   Before you configure the OpenStack Identity service, you must
   create a database and an administration token.

   #. To create the database, complete the following actions:

      * Use the database access client to connect to the database
        server as the ``root`` user:

        .. code-block:: console

           $ mysql -u root -p

      * Create the ``keystone`` database:

        .. code-block:: console

           CREATE DATABASE keystone;

      * Grant proper access to the ``keystone`` database:

        .. code-block:: console

           GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
             IDENTIFIED BY 'KEYSTONE_DBPASS';
           GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
             IDENTIFIED BY 'KEYSTONE_DBPASS';

        Replace ``KEYSTONE_DBPASS`` with a suitable password.

      * Exit the database access client.

   #. Generate a random value to use as the administration token during
      initial configuration:

      .. code-block:: console

         $ openssl rand -hex 10

.. only:: obs or rdo or ubuntu

   Install and configure components
   --------------------------------

   .. include:: shared/note_configuration_vary_by_distribution.rst

   .. note::

      This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
      Identity service requests on ports 5000 and 35357. By default, the
      keystone service still listens on these ports. Therefore, this guide
      manually disables the keystone service.

.. only:: ubuntu

   #. Disable the keystone service from starting automatically after
      installation:

      .. code-block:: console

         # echo "manual" > /etc/init/keystone.override

   #. Run the following command to install the packages:

      .. code-block:: console

         # apt-get install keystone apache2 libapache2-mod-wsgi

.. only:: obs or rdo

   #. Run the following command to install the packages:

      .. only:: rdo

         .. code-block:: console

            # yum install openstack-keystone httpd mod_wsgi

      .. only:: obs

         .. code-block:: console

            # zypper install openstack-keystone apache2-mod_wsgi

.. only:: obs or rdo or ubuntu

   3. Edit the ``/etc/keystone/keystone.conf`` file and complete the
      following actions:

      * In the ``[DEFAULT]`` section, define the value of the initial
        administration token:

        .. code-block:: ini

           [DEFAULT]
           ...
           admin_token = ADMIN_TOKEN

        Replace ``ADMIN_TOKEN`` with the random value that you generated
        in a previous step.

      * In the ``[database]`` section, configure database access:

        .. code-block:: ini

           [database]
           ...
           connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

        Replace ``KEYSTONE_DBPASS`` with the password you chose for the
        database.

      * In the ``[token]`` section, configure the Fernet token provider:

        .. code-block:: ini

           [token]
           ...
           provider = fernet

.. only:: rdo or ubuntu or obs

   4. Populate the Identity service database:

      .. code-block:: console

         # su -s /bin/sh -c "keystone-manage db_sync" keystone

      .. note::

         Ignore any deprecation messages in this output.

   5. Initialize Fernet keys:

      .. code-block:: console

         # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

.. only:: debian

   Install and configure the components
   ------------------------------------

   #. Run the following command to install the packages:

      .. code-block:: console

         # apt-get install keystone

   #. Respond to the debconf prompts, which will fill in the database
      access directive shown below.

      .. :doc:`debconf/debconf-dbconfig-common`, which will fill the
         below database access directive.

      .. code-block:: ini

         [database]
         ...
         connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

      If you decide not to use ``dbconfig-common``, then you have to
      create the database and manage its access rights yourself, and run
      the following by hand:

      .. code-block:: console

         # keystone-manage db_sync

   #. Generate a random value to use as the administration token during
      initial configuration:

      .. code-block:: console

         $ openssl rand -hex 10

   #. Configure the initial administration token:

      .. image:: figures/debconf-screenshots/keystone_1_admin_token.png
         :scale: 50

      Use the random value that you generated in a previous step. If you
      install using non-interactive mode or you do not specify this token,
      the configuration tool generates a random value.

      Later on, the package will configure the directive below with the
      value you entered:

      .. code-block:: ini

         [DEFAULT]
         ...
         admin_token = ADMIN_TOKEN

   #. Create the ``admin`` project and user:

      During the final stage of the package installation, it is possible
      to automatically create an ``admin`` and ``service`` project, and an
      ``admin`` user. These can later be used by other OpenStack services
      to contact the Identity service. This is the equivalent of running
      the commands below:

      .. code-block:: console

         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           project create --or-show \
           admin --domain default \
           --description "Default Debian admin project"
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           project create --or-show \
           service --domain default \
           --description "Default Debian admin project"
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           user create --or-show \
           --password ADMIN_PASS \
           --project admin \
           --email root@localhost \
           --enable \
           admin \
           --domain default \
           --description "Default Debian admin user"
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           role create --or-show admin
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           role add --project admin --user admin admin

      .. image:: figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png
         :scale: 50

      .. image:: figures/debconf-screenshots/keystone_3_admin_user_name.png
         :scale: 50

      .. image:: figures/debconf-screenshots/keystone_4_admin_user_email.png
         :scale: 50

      .. image:: figures/debconf-screenshots/keystone_5_admin_user_pass.png
         :scale: 50

      .. image:: figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png
         :scale: 50

      In Debian, the Keystone package offers automatic registration of
      Keystone in the service catalogue. This is the equivalent of running
      the commands below:

      .. code-block:: console

         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           service create \
           --name keystone \
           --description "OpenStack Identity" \
           identity
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           endpoint create \
           keystone public http://controller:5000/v2.0
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           endpoint create \
           keystone internal http://controller:5000/v2.0
         # openstack --os-token ${AUTH_TOKEN} \
           --os-url=http://127.0.0.1:35357/v3/ \
           --os-domain-name default \
           --os-identity-api-version=3 \
           endpoint create \
           keystone admin http://controller:35357/v2.0

      .. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png

.. only:: obs or rdo or ubuntu

   Configure the Apache HTTP server
   --------------------------------

.. only:: rdo

   #. Edit the ``/etc/httpd/conf/httpd.conf`` file and configure the
      ``ServerName`` option to reference the controller node:

      .. code-block:: apache

         ServerName controller

   #. Create the ``/etc/httpd/conf.d/wsgi-keystone.conf`` file with the
      following content:

      .. code-block:: apache

         Listen 5000
         Listen 35357

         <VirtualHost *:5000>
             WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
             WSGIProcessGroup keystone-public
             WSGIScriptAlias / /usr/bin/keystone-wsgi-public
             WSGIApplicationGroup %{GLOBAL}
             WSGIPassAuthorization On
             ErrorLogFormat "%{cu}t %M"
             ErrorLog /var/log/httpd/keystone-error.log
             CustomLog /var/log/httpd/keystone-access.log combined

             <Directory /usr/bin>
                 Require all granted
             </Directory>
         </VirtualHost>

         <VirtualHost *:35357>
             WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
             WSGIProcessGroup keystone-admin
             WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
             WSGIApplicationGroup %{GLOBAL}
             WSGIPassAuthorization On
             ErrorLogFormat "%{cu}t %M"
             ErrorLog /var/log/httpd/keystone-error.log
             CustomLog /var/log/httpd/keystone-access.log combined

             <Directory /usr/bin>
                 Require all granted
             </Directory>
         </VirtualHost>

.. only:: ubuntu

   #. Edit the ``/etc/apache2/apache2.conf`` file and configure the
      ``ServerName`` option to reference the controller node:

      .. code-block:: apache

         ServerName controller

   #. Create the ``/etc/apache2/sites-available/wsgi-keystone.conf`` file
      with the following content:

      .. code-block:: apache

         Listen 5000
         Listen 35357

         <VirtualHost *:5000>
             WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
             WSGIProcessGroup keystone-public
             WSGIScriptAlias / /usr/bin/keystone-wsgi-public
             WSGIApplicationGroup %{GLOBAL}
             WSGIPassAuthorization On
             ErrorLogFormat "%{cu}t %M"
             ErrorLog /var/log/apache2/keystone.log
             CustomLog /var/log/apache2/keystone_access.log combined

             <Directory /usr/bin>
                 Require all granted
             </Directory>
         </VirtualHost>

         <VirtualHost *:35357>
             WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
             WSGIProcessGroup keystone-admin
             WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
             WSGIApplicationGroup %{GLOBAL}
             WSGIPassAuthorization On
             ErrorLogFormat "%{cu}t %M"
             ErrorLog /var/log/apache2/keystone.log
             CustomLog /var/log/apache2/keystone_access.log combined

             <Directory /usr/bin>
                 Require all granted
             </Directory>
         </VirtualHost>

   #. Enable the Identity service virtual hosts:

      .. code-block:: console

         # ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled

.. only:: obs

   #. Edit the ``/etc/sysconfig/apache2`` file and configure the
      ``APACHE_SERVERNAME`` option to reference the controller node:

      .. code-block:: apache

         APACHE_SERVERNAME="controller"

   #. Create the ``/etc/apache2/conf.d/wsgi-keystone.conf`` file with the
      following content:

      .. code-block:: apache

         Listen 5000
         Listen 35357

         <VirtualHost *:5000>
             WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
             WSGIProcessGroup keystone-public
             WSGIScriptAlias / /usr/bin/keystone-wsgi-public
             WSGIApplicationGroup %{GLOBAL}
             WSGIPassAuthorization On
             ErrorLogFormat "%{cu}t %M"
             ErrorLog /var/log/apache2/keystone.log
             CustomLog /var/log/apache2/keystone_access.log combined

             <Directory /usr/bin>
                 Require all granted
             </Directory>
         </VirtualHost>

         <VirtualHost *:35357>
             WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
             WSGIProcessGroup keystone-admin
             WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
             WSGIApplicationGroup %{GLOBAL}
             WSGIPassAuthorization On
             ErrorLogFormat "%{cu}t %M"
             ErrorLog /var/log/apache2/keystone.log
             CustomLog /var/log/apache2/keystone_access.log combined

             <Directory /usr/bin>
                 Require all granted
             </Directory>
         </VirtualHost>

.. only:: obs or rdo or ubuntu

   6. Recursively change the ownership of the ``/etc/keystone`` directory:

      .. code-block:: console

         # chown -R keystone:keystone /etc/keystone

.. only:: ubuntu or rdo or obs

   Finalize the installation
   -------------------------

.. only:: ubuntu

   #. Restart the Apache HTTP server:

      .. code-block:: console

         # service apache2 restart

   #. By default, the Ubuntu packages create an SQLite database. Because
      this configuration uses an SQL database server, you can remove the
      SQLite database file:

      .. code-block:: console

         # rm -f /var/lib/keystone/keystone.db

.. only:: rdo

   * Start the Apache HTTP service and configure it to start when the
     system boots:

     .. code-block:: console

        # systemctl enable httpd.service
        # systemctl start httpd.service

.. only:: obs

   #. Start the Apache HTTP service and configure it to start when the
      system boots:

      .. code-block:: console

         # systemctl enable apache2.service
         # systemctl start apache2.service
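The ``keystone.conf`` edits above are easy to get half done (a placeholder left in, the token provider never switched to ``fernet``), and Apache will happily start anyway. The following script, added here as an example and not part of the OpenStack guide, reads an INI file and checks the three settings this section touches; it assumes POSIX sh, sed and grep, and the file it checks is a constructed sample rather than a real ``/etc/keystone/keystone.conf``.

```shell
#!/bin/sh
# Added example, not from the OpenStack guide: check a keystone.conf for the
# settings this section edits (admin_token, [database] connection, [token]
# provider). Assumes POSIX sh, sed and grep; the sample file is constructed.

# Print the value of KEY in [SECTION] of an INI file; commented lines ignored.
ini_get() {  # $1=file $2=section $3=key
    sed -n "/^\[$2\]/,/^\[/p" "$1" \
        | grep -E "^[[:space:]]*$3[[:space:]]*=" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# Return 0 when the file carries the guide's settings, 1 otherwise.
check_keystone_conf() {
    f="$1"; rc=0
    tok=$(ini_get "$f" DEFAULT admin_token)
    case "$tok" in
        ""|ADMIN_TOKEN) echo "admin_token is unset or still the placeholder"; rc=1 ;;
    esac
    conn=$(ini_get "$f" database connection)
    case "$conn" in
        mysql+pymysql://keystone:KEYSTONE_DBPASS@*)
            echo "KEYSTONE_DBPASS placeholder left in connection"; rc=1 ;;
        mysql+pymysql://keystone:*@*/keystone) ;;
        *) echo "connection is not the guide's mysql+pymysql URL: '$conn'"; rc=1 ;;
    esac
    prov=$(ini_get "$f" token provider)
    [ "$prov" = fernet ] || { echo "token provider is '$prov', expected fernet"; rc=1; }
    return $rc
}

# Constructed sample: the guide's snippets with every placeholder left in
# place and the provider not switched to fernet.
bad=$(mktemp)
cat > "$bad" <<'EOF'
[DEFAULT]
admin_token = ADMIN_TOKEN

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
provider = uuid
EOF

check_keystone_conf "$bad" || echo "fix keystone.conf before restarting Apache"
```

Run it against the real file with `check_keystone_conf /etc/keystone/keystone.conf` after step 3; a clean run prints nothing and returns 0.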