18 KiB
Install and configure
This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For performance, this configuration deploys the Apache HTTP server to handle requests and Memcached to store tokens instead of an SQL database.
obs or rdo or ubuntu
Prerequisites
Before you configure the OpenStack Identity service, you must create a database and an administration token.
To create the database, complete the following actions:
Use the database access client to connect to the database server as the
root
user:$ mysql -u root -p
Create the
keystone
database:CREATE DATABASE keystone;
Grant proper access to the
keystone
database:GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace
KEYSTONE_DBPASS
with a suitable password.Exit the database access client.
Generate a random value to use as the administration token during initial configuration:
$ openssl rand -hex 10
obs or rdo or ubuntu
Install and configure components
Note
In Kilo and Liberty releases, the keystone project deprecates
eventlet in favor of a separate web server with WSGI extensions. This
guide uses the Apache HTTP server with mod_wsgi
to serve
Identity service requests on port 5000 and 35357. By default, the
keystone service still listens on ports 5000 and 35357. Therefore, this
guide disables the keystone service. The keystone project plans to
remove eventlet support in Mitaka.
ubuntu
Disable the keystone service from starting automatically after installation:
# echo "manual" > /etc/init/keystone.override
Run the following command to install the packages:
ubuntu
# apt-get install keystone apache2 libapache2-mod-wsgi \ memcached python-memcache
obs or rdo
Run the following command to install the packages:
rdo
# yum install openstack-keystone httpd mod_wsgi \ memcached python-memcached
obs
# zypper install openstack-keystone apache2-mod_wsgi \ memcached python-python-memcached
obs or rdo
Start the Memcached service and configure it to start when the system boots:
# systemctl enable memcached.service # systemctl start memcached.service
obs or rdo or ubuntu
- Edit the
/etc/keystone/keystone.conf
file and complete the following actions:In the
[DEFAULT]
section, define the value of the initial administration token:[DEFAULT] ... admin_token = ADMIN_TOKEN
Replace
ADMIN_TOKEN
with the random value that you generated in a previous step.In the
[database]
section, configure database access:ubuntu or obs
[database] ... connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
rdo
[database] ... connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace
KEYSTONE_DBPASS
with the password you chose for the database.In the
[memcache]
section, configure the Memcache service:[memcache] ... servers = localhost:11211
In the
[token]
section, configure the UUID token provider and Memcached driver:[token] ... provider = uuid driver = memcache
In the
[revoke]
section, configure the SQL revocation driver:[revoke] ... driver = sql
(Optional) To assist with troubleshooting, enable verbose logging in the
[DEFAULT]
section:[DEFAULT] ... verbose = True
obs or rdo or ubuntu
Populate the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
debian
Install and configure the components
Run the following command to install the packages:
# apt-get install keystone
Respond to prompts for
debconf/debconf-dbconfig-common
, which will fill the below database access directive.[database] ... connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
If you decide to not use
dbconfig-common
, then you have to create the database and manage its access rights yourself, and run the following by hand.# keystone-manage db_sync
Generate a random value to use as the administration token during initial configuration:
$ openssl rand -hex 10
Configure the initial administration token:
Use the random value that you generated in a previous step. If you install using non-interactive mode or you do not specify this token, the configuration tool generates a random value.
Later on, the package will configure the below directive with the value you entered:
[DEFAULT] ... admin_token = ADMIN_TOKEN
Create the
admin
project and user:During the final stage of the package installation, it is possible to automatically create an
admin
andservice
project, and anadmin
user. This can later be used for other OpenStack services to contact the Identity service. This is the equivalent of running the below commands:# openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ project create --or-show \ admin --domain default \ --description "Default Debian admin project" # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ project create --or-show \ service --domain default \ --description "Default Debian admin project" # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ user create --or-show \ --password ADMIN_PASS \ --project admin \ --email root@localhost \ --enable \ admin \ --domain default \ --description "Default Debian admin user" # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ role create --or-show admin # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ role add --project admin --user admin admin
In Debian, the Keystone package offers automatic registration of Keystone in the service catalogue. This is equivalent of running the below commands:
# openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ service create \ --name keystone \ --description "OpenStack Identity" \ identity # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ keystone public http://controller:5000/v2.0 # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ keystone internal http://controller:5000/v2.0 # openstack --os-token ${AUTH_TOKEN} \ --os-url=http://127.0.0.1:35357/v3/ \ --os-domain-name default \ --os-identity-api-version=3 \ keystone admin http://controller:35357/v2.0
obs or rdo or ubuntu
Configure the Apache HTTP server
rdo
Edit the
/etc/httpd/conf/httpd.conf
file and configure theServerName
option to reference the controller node:controller ServerName
Create the
/etc/httpd/conf.d/wsgi-keystone.conf
file with the following content:5000 Listen 35357 Listen <VirtualHost *:5000> =keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-public processes=5 threads=1 user WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On<IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M"</IfVersion> /var/log/httpd/keystone-error.log ErrorLog /var/log/httpd/keystone-access.log combined CustomLog <Directory /usr/bin> <IfVersion >= 2.4> all granted Require</IfVersion> <IfVersion < 2.4> Order allow,deny from all Allow</IfVersion> </Directory> </VirtualHost> <VirtualHost *:35357> =keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-admin processes=5 threads=1 user WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On<IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M"</IfVersion> /var/log/httpd/keystone-error.log ErrorLog /var/log/httpd/keystone-access.log combined CustomLog <Directory /usr/bin> <IfVersion >= 2.4> all granted Require</IfVersion> <IfVersion < 2.4> Order allow,deny from all Allow</IfVersion> </Directory> </VirtualHost>
ubuntu
Edit the
/etc/apache2/apache2.conf
file and configure theServerName
option to reference the controller node:controller ServerName
Create the
/etc/apache2/sites-available/wsgi-keystone.conf
file with the following content:5000 Listen 35357 Listen <VirtualHost *:5000> =keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-public processes=5 threads=1 user WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On<IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M"</IfVersion> /var/log/apache2/keystone.log ErrorLog /var/log/apache2/keystone_access.log combined CustomLog <Directory /usr/bin> <IfVersion >= 2.4> all granted Require</IfVersion> <IfVersion < 2.4> Order allow,deny from all Allow</IfVersion> </Directory> </VirtualHost> <VirtualHost *:35357> =keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-admin processes=5 threads=1 user WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On<IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M"</IfVersion> /var/log/apache2/keystone.log ErrorLog /var/log/apache2/keystone_access.log combined CustomLog <Directory /usr/bin> <IfVersion >= 2.4> all granted Require</IfVersion> <IfVersion < 2.4> Order allow,deny from all Allow</IfVersion> </Directory> </VirtualHost>
Enable the Identity service virtual hosts:
# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
obs
Edit the
/etc/sysconfig/apache2
file and configure theAPACHE_SERVERNAME
option to reference the controller node:APACHE_SERVERNAME="controller"
Create the
/etc/apache2/conf.d/wsgi-keystone.conf
file with the following content:5000 Listen 35357 Listen <VirtualHost *:5000> =keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-public processes=5 threads=1 user WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On<IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M"</IfVersion> /var/log/apache2/keystone.log ErrorLog /var/log/apache2/keystone_access.log combined CustomLog <Directory /usr/bin> <IfVersion >= 2.4> all granted Require</IfVersion> <IfVersion < 2.4> Order allow,deny from all Allow</IfVersion> </Directory> </VirtualHost> <VirtualHost *:35357> =keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-admin processes=5 threads=1 user WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On<IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M"</IfVersion> /var/log/apache2/keystone.log ErrorLog /var/log/apache2/keystone_access.log combined CustomLog <Directory /usr/bin> <IfVersion >= 2.4> all granted Require</IfVersion> <IfVersion < 2.4> Order allow,deny from all Allow</IfVersion> </Directory> </VirtualHost>
Recursively change the ownership of the
/etc/keystone
directory:# chown -R keystone:keystone /etc/keystone
ubuntu or rdo or obs
Finalize the installation
ubuntu
Restart the Apache HTTP server:
# service apache2 restart
By default, the Ubuntu packages create an SQLite database.
Because this configuration uses an SQL database server, you can remove the SQLite database file:
# rm -f /var/lib/keystone/keystone.db
rdo
Start the Apache HTTP service and configure it to start when the system boots:
# systemctl enable httpd.service # systemctl start httpd.service
obs
Activate the Apache module
mod_version
:# a2enmod version
Start the Apache HTTP service and configure it to start when the system boots:
# systemctl enable apache2.service # systemctl start apache2.service