8f963115d7
I updated the installation guide for Juno release packages as follows: 1) Converted 'systemctl' commands to single lines. 2) Converted more sections to use 'systemctl' commands. 3) Added note about lengthy installation time for 'openstack-selinux' package. 4) Explicitly configured UUID tokens and SQL driver in keystone. RDO needs to update or remove the 'dist' configuration files for services. 5) Explicitly configured local file system store options in [glance_store] section that appeared two days before official release. Although the Ubuntu and RDO packages appear to work by default, late changes to configuration files tend to cause problems at some point. 6) Explicitly configured authentication strategy to keystone in nova on controller and compute nodes. I think we should avoid relying on defaults for this option and reconsider for Kilo, particularly with RDO packages. 7) Explicitly installed 'sysfsutils' package on nova compute nodes because nova looks for it during cinder volume operations. 8) Removed explicit installation of 'ipset' package on neutron network and compute nodes because the Ubuntu and RDO packages install it as a dependency. Not sure about SUSE, so I left the explicit installation. 9) Changed cinder example devices from /dev/sdb to /dev/sdb1 because LVM on CentOS didn't like the former. Note: The configuration changes mostly apply to RDO packages on CentOS, but given the time constraints, I fixed some other issues. Also, this patch ignores the sahara chapter. Closes-Bug: #1383925 Change-Id: I0c9bbbfe72b8f0358f00d4f82b90ce4976a90ea2
244 lines
11 KiB
XML
244 lines
11 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE section[
|
|
<!ENTITY % openstack SYSTEM "../common/entities/openstack.ent">
|
|
%openstack;
|
|
]>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="keystone-install">
|
|
<title>Install and configure</title>
|
|
<para>This section describes how to install and configure the OpenStack
|
|
Identity service on the controller node.</para>
|
|
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
|
|
<title>To configure prerequisites</title>
|
|
<para>Before you configure the OpenStack Identity service, you must create
|
|
a database and an administration token.</para>
|
|
<step>
|
|
<para>To create the database, complete these steps:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Use the database access client to connect to the database
|
|
server as the <literal>root</literal> user:</para>
|
|
<screen><prompt>$</prompt> <userinput>mysql -u root -p</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the <literal>keystone</literal> database:</para>
|
|
<screen><userinput>CREATE DATABASE keystone;</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Grant proper access to the <literal>keystone</literal>
|
|
database:</para>
|
|
<screen><userinput>GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
|
|
IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput>
|
|
<userinput>GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
|
|
IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput></screen>
|
|
<para>Replace <replaceable>KEYSTONE_DBPASS</replaceable> with a suitable password.</para>
|
|
</step>
|
|
<step>
|
|
<para>Exit the database access client.</para>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step>
|
|
<para>Generate a random value to use as the administration token during
|
|
initial configuration:</para>
|
|
<screen os="ubuntu;rhel;centos;fedora"><prompt>#</prompt> <userinput>openssl rand -hex 10</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>openssl rand 10 | hexdump -e '1/1 "%.2x"'</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="debian">
|
|
<title>To configure prerequisites</title>
|
|
<step>
|
|
<para>Generate a random value to use as the administration token during
|
|
initial configuration:</para>
|
|
<screen><prompt>#</prompt> <userinput>openssl rand -hex 10</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="ubuntu;rhel;centos;fedora;sles;opensuse">
|
|
<title>To install and configure the components</title>
|
|
<step>
|
|
<para>Run the following command to install the packages:</para>
|
|
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install keystone python-keystoneclient</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone python-keystoneclient</userinput></screen>
|
|
<screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-keystone python-keystoneclient</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Edit the <filename>/etc/keystone/keystone.conf</filename> file and
|
|
complete the following actions:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>In the <literal>[DEFAULT]</literal> section, define the value
|
|
of the initial administration token:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
admin_token = <replaceable>ADMIN_TOKEN</replaceable></programlisting>
|
|
<para>Replace <replaceable>ADMIN_TOKEN</replaceable> with the random
|
|
value that you generated in a previous step.</para>
|
|
</step>
|
|
<step>
|
|
<para>In the <literal>[database]</literal> section, configure
|
|
database access:</para>
|
|
<programlisting language="ini">[database]
|
|
...
|
|
connection = mysql://keystone:<replaceable>KEYSTONE_DBPASS</replaceable>@<replaceable>controller</replaceable>/keystone</programlisting>
|
|
<para>Replace <replaceable>KEYSTONE_DBPASS</replaceable> with the
|
|
password you chose for the database.</para>
|
|
</step>
|
|
<step>
|
|
<para>In the <literal>[token]</literal> section, configure the UUID
|
|
token provider and SQL driver:</para>
|
|
<programlisting language="ini">[token]
|
|
...
|
|
provider = keystone.token.providers.uuid.Provider
|
|
driver = keystone.token.persistence.backends.sql.Token</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>(Optional) To assist with troubleshooting,
|
|
enable verbose logging in the <literal>[DEFAULT]</literal> section:</para>
|
|
<programlisting language="ini">[DEFAULT]
|
|
...
|
|
verbose = True</programlisting>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step os="rhel;centos;fedora;opensuse;sles">
|
|
<para>Create generic certificates and keys and restrict access to the
|
|
associated files:</para>
|
|
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>keystone-manage pki_setup --keystone-user keystone --keystone-group keystone</userinput>
|
|
<prompt>#</prompt> <userinput>chown -R keystone:keystone /var/log/keystone</userinput>
|
|
<prompt>#</prompt> <userinput>chown -R keystone:keystone /etc/keystone/ssl</userinput>
|
|
<prompt>#</prompt> <userinput>chmod -R o-rwx /etc/keystone/ssl</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu;rhel;centos;fedora;sles;opensuse">
|
|
<para>Populate the Identity service database:</para>
|
|
<screen><prompt>#</prompt> <userinput>su -s /bin/sh -c "keystone-manage db_sync" keystone</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
<procedure os="debian">
|
|
<title>To install and configure the components</title>
|
|
<step>
|
|
<para>Run the following command to install the packages:</para>
|
|
<screen><prompt>#</prompt> <userinput>apt-get install keystone python-keystoneclient</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Respond to prompts for <xref linkend="debconf-dbconfig-common"/>.</para>
|
|
</step>
|
|
<step>
|
|
<para>Configure the initial administration token:</para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_1_admin_token.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para>Use the random value that you generated in a previous step. If you
|
|
install using non-interactive mode or you do not specify this token,
|
|
the configuration tool generates a random value.</para>
|
|
</step>
|
|
<step>
|
|
<para>Create the <literal>admin</literal> tenant and user:</para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para> </para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/keystone_3_admin_user_name.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para> </para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/keystone_4_admin_user_email.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para> </para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/keystone_5_admin_user_pass.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
<para> </para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
</step>
|
|
<step>
|
|
<para>Create the Identity service endpoints:</para>
|
|
<informalfigure>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata scale="50"
|
|
fileref="figures/debconf-screenshots/keystone_7_register_endpoint.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</informalfigure>
|
|
</step>
|
|
</procedure>
|
|
<procedure>
|
|
<title>To finalize installation</title>
|
|
<step os="ubuntu;debian">
|
|
<para>Restart the Identity service:</para>
|
|
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
|
|
</step>
|
|
<step os="rhel;fedora;centos;opensuse;sles">
|
|
<para>Start the Identity service and configure it to start when the
|
|
system boots:</para>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>systemctl enable openstack-keystone.service</userinput>
|
|
<prompt>#</prompt> <userinput>systemctl start openstack-keystone.service</userinput></screen>
|
|
<para os="sles">On SLES:</para>
|
|
<screen os="sles"><prompt>#</prompt> <userinput>service openstack-keystone start</userinput>
|
|
<prompt>#</prompt> <userinput>chkconfig openstack-keystone on</userinput></screen>
|
|
<para os="opensuse">On openSUSE:</para>
|
|
<screen os="opensuse"><prompt>#</prompt> <userinput>systemctl enable openstack-keystone.service</userinput>
|
|
<prompt>#</prompt> <userinput>systemctl start openstack-keystone.service</userinput></screen>
|
|
</step>
|
|
<step os="ubuntu">
|
|
<para>By default, the Ubuntu packages create a SQLite database.</para>
|
|
<para>Because this configuration uses a SQL database server, you can
|
|
remove the SQLite database file:</para>
|
|
<screen><prompt>#</prompt> <userinput>rm -f /var/lib/keystone/keystone.db</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>By default, the Identity service stores expired tokens in the
|
|
database indefinitely. The accumulation of expired tokens considerably
|
|
increases the database size and might degrade service performance,
|
|
particularly in environments with limited resources.</para>
|
|
<para>We recommend that you use
|
|
<systemitem class="service">cron</systemitem> to configure a periodic
|
|
task that purges expired tokens hourly:</para>
|
|
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>(crontab -l -u keystone 2>&1 | grep -q token_flush) || \
|
|
echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
|
|
>> /var/spool/cron/crontabs/keystone</userinput></screen>
|
|
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>(crontab -l -u keystone 2>&1 | grep -q token_flush) || \
|
|
echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
|
|
>> /var/spool/cron/keystone</userinput></screen>
|
|
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>(crontab -l -u keystone 2>&1 | grep -q token_flush) || \
|
|
echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
|
|
>> /var/spool/cron/tabs/keystone</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|