openstack-manuals/doc/high-availability-guide/api/section_keystone.xml
Christian Berendt 179e89b8e5 Fix broken links
Change-Id: Id13c9f0741e567a1b421e29d1fb1b0f304a3ddfe
2014-07-25 22:17:16 +02:00

97 lines
5.5 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="s-keystone">
<title>Highly available OpenStack Identity</title>
<para>OpenStack Identity is the Identity Service in OpenStack and used by many services.
Making the OpenStack Identity service highly available in active / passive mode involves</para>
<itemizedlist>
<listitem>
<para>
Configure OpenStack Identity to listen on the VIP address,
</para>
</listitem>
<listitem>
<para>
managing OpenStack Identity daemon with the Pacemaker cluster manager,
</para>
</listitem>
<listitem>
<para>
Configure OpenStack services to use this IP address.
</para>
</listitem>
</itemizedlist>
<note>
<para>Here is the <link xlink:href="http://docs.openstack.org/trunk/install-guide/install/apt/content/ch_keystone.html">documentation</link> for installing OpenStack Identity service.</para>
</note>
<section xml:id="_add_openstack_identity_resource_to_pacemaker">
<title>Add OpenStack Identity resource to Pacemaker</title>
<para>First of all, you need to download the resource agent to your system:</para>
<screen><prompt>#</prompt> <userinput>cd /usr/lib/ocf/resource.d</userinput>
<prompt>#</prompt> <userinput>mkdir openstack</userinput>
<prompt>#</prompt> <userinput>cd openstack</userinput>
<prompt>#</prompt> <userinput>wget https://raw.github.com/madkiss/openstack-resource-agents/master/ocf/keystone</userinput>
<prompt>#</prompt> <userinput>chmod a+rx *</userinput></screen>
<para>You can now add the Pacemaker configuration for
OpenStack Identity resource. Connect to the Pacemaker cluster with <literal>crm
configure</literal>, and add the following cluster resources:</para>
<programlisting>primitive p_keystone ocf:openstack:keystone \
params config="/etc/keystone/keystone.conf" os_password="secret" os_username="admin" os_tenant_name="admin" os_auth_url="http://192.168.42.103:5000/v2.0/" \
op monitor interval="30s" timeout="30s"</programlisting>
<para>This configuration creates <literal>p_keystone</literal>, a resource for managing the OpenStack Identity service.</para>
<para><literal>crm configure</literal> supports batch input, so you may copy and paste the
above into your live pacemaker configuration, and then make changes as
required. For example, you may enter <literal>edit p_ip_keystone</literal> from the
<literal>crm configure</literal> menu and edit the resource to match your preferred
virtual IP address.</para>
<para>Once completed, commit your configuration changes by entering <literal>commit</literal>
from the <literal>crm configure</literal> menu. Pacemaker will then start the OpenStack Identity
service, and its dependent resources, on one of your nodes.</para>
</section>
<section xml:id="_configure_openstack_identity_service">
<title>Configure OpenStack Identity service</title>
<para>You need to edit your OpenStack Identity configuration file (<filename>keystone.conf</filename>) and change the bind parameters:</para>
<para>On Havana:</para>
<programlisting language="ini">bind_host = 192.168.42.103</programlisting>
<para>On Icehouse, the <literal>admin_bind_host</literal> option lets you use a private network for the admin access.</para>
<programlisting language="ini">public_bind_host = 192.168.42.103
admin_bind_host = 192.168.42.103</programlisting>
<para>To be sure all data will be highly available, you should be sure that you store everything in the MySQL database (which is also highly available):</para>
<programlisting language="ini">[catalog]
driver = keystone.catalog.backends.sql.Catalog
...
[identity]
driver = keystone.identity.backends.sql.Identity
...</programlisting>
</section>
<section xml:id="_configure_openstack_services_to_use_the_highly_available_openstack_identity">
<title>Configure OpenStack services to use the highly available OpenStack Identity</title>
<para>Your OpenStack services must now point their OpenStack Identity configuration to
the highly available, virtual cluster IP addressrather than a
OpenStack Identity servers physical IP address as you normally would.</para>
<para>For example with OpenStack Compute, if your OpenStack Identity service IP address is
192.168.42.103 as in the configuration explained here, you would use
the following line in your API configuration file
(<literal>api-paste.ini</literal>):</para>
<programlisting language="ini">auth_host = 192.168.42.103</programlisting>
<para>You also need to create the OpenStack Identity Endpoint with this IP.</para>
<para>NOTE: If you are using both private and public IP addresses, you should create two Virtual IP addresses and define your endpoint like this:</para>
<screen><prompt>$</prompt> <userinput>keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $service-id --publicurl 'http://PUBLIC_VIP:5000/v2.0' \
--adminurl 'http://192.168.42.103:35357/v2.0' \
--internalurl 'http://192.168.42.103:5000/v2.0'</userinput></screen>
<para>If you are using the horizon dashboard, you should edit the <literal>local_settings.py</literal> file:</para>
<programlisting>OPENSTACK_HOST = 192.168.42.103</programlisting>
</section>
</section>