We started our OpenStack installation here and stopped at minimal deployment.
Keystone is the first installation you should do in a minimal (or any) OpenStack installation scenario. It is the identity provider for OpenStack. Visit my Openstack installation tutorial to see my lab settings if something is not clear.
Here is the link to the OpenStack docs where you can always find fresh info about Keystone deployment: https://docs.openstack.org/keystone/train/install/index-rdo.html
Keystone will be installed on controller machine.
We need to create a database named keystone; here are the steps.
mysql -u root -p
CREATE DATABASE keystone;
We will create the user keystone. Replace pass with your own password.
CREATE USER `keystone`@`localhost` IDENTIFIED BY 'pass';
Grant privileges on the keystone DB to the keystone user (the '%' grant is what lets the keystone user connect from hosts other than localhost).
GRANT ALL ON keystone.* TO `keystone`@`localhost`;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'
  IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'
  IDENTIFIED BY 'pass';
Start the installation by typing in
sudo yum install openstack-keystone httpd mod_wsgi
Edit the /etc/keystone/keystone.conf
sudo vi /etc/keystone/keystone.conf
In the database section configure the following (replace pass with your password):
[database]
# ...
connection = mysql+pymysql://keystone:pass@controller/keystone
In the token section configure the following:
[token]
# ...
provider = fernet
Here is how it looks in my config:
Next, we need to run
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repositories
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the identity service. Replace ADMIN_PASS with a suitable password for the admin user.
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
Configure Apache HTTP server
We need to change the server name
sudo vi /etc/httpd/conf/httpd.conf
Set ServerName to controller and uncomment the line
Create a link to wsgi-keystone.conf
sudo ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
In production, you should secure your installation with SSL.
We should enable and start the service
sudo systemctl enable httpd.service
sudo systemctl start httpd.service
Next we should set environment variables. The values shown are from the keystone-manage bootstrap step.
Be sure to replace ADMIN_PASS with the password you set in the earlier step.
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
OPTIONALLY – NOT PART OF TUTORIAL!!
If you wish to make these changes permanent, you can do the following; this way the values are loaded automatically on every login (the commands below are run as root).
vi ~/keystonerc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=adminpassword
export OS_AUTH_URL=http://10.0.0.30:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W(keystone)]\$ '
chmod 600 ~/keystonerc
source ~/keystonerc
echo "source ~/keystonerc" >> ~/.bash_profile
END OF OPTIONAL PART
We will also open a few ports in the firewall (optional)
sudo firewall-cmd --zone=public --add-port=5000/tcp --permanent
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
After that, if you try the link from a client in your network:
Creating Domain, Project, Users, Roles
In the steps above, the bootstrap already created the default domain, so we don't need to create it now. For reference, this is how you would create a new domain:
openstack domain create --description "An Example Domain" example
We will create the other objects next…
Service Project creation
openstack project create --domain default \
  --description "Service Project" service
If you get “Missing value auth-url required for auth plugin password”, go back to the part where we exported the environment variables and check that they are loaded. If you rebooted the server in the meantime, you will probably need to export all the values again. Later on, we will create files that we can source when needed.
openstack project create --domain default \
  --description "Demo Project" myproject
openstack user create --domain default \
  --password-prompt myuser
openstack role create myrole
Add role “myrole” to project “myproject” with user “myuser”
openstack role add --project myproject --user myuser myrole
Before we go any further, we have to verify that all is working as expected, because this is the foundation for everything we will add later.
We will temporarily unset OS_AUTH_URL and OS_PASSWORD
unset OS_AUTH_URL OS_PASSWORD
We will now request an auth token as the admin user (we will need the password we set earlier for the admin user)
openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
We will now also request an auth token as myuser, the user we created a step earlier
openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name myproject --os-username myuser token issue
Ok, both screens and the info I got are ok and valid.
OpenStack client environment scripts
You can read more on the topic here: https://docs.openstack.org/keystone/train/install/keystone-openrc-rdo.html
I will go through creating client environment scripts for the admin and demo projects and users. Future portions of OpenStack guide reference these scripts to load appropriate credentials for client operations.
One more notice from OpenStack:
The paths of the client environment scripts are unrestricted. For convenience, you can place the scripts in any location, however ensure that they are accessible and located in a secure place appropriate for your deployment, as they do contain sensitive credentials.
OpenStack does not specify locations of admin-openrc and demo-openrc, so I will put them in my “home” directory.
sudo vi admin-openrc.sh
You will enter the following. Change ADMIN_PASS to your password.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Now, on to demo-openrc
sudo vi demo-openrc.sh
Replace DEMO_PASS with the password you created for the “myuser” user.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Stay in the same directory where you created the scripts and execute
sudo chmod +x admin-openrc.sh
sudo chmod +x demo-openrc.sh
Using the scripts
Citing the OpenStack documentation:
To run clients as a specific project and user, you can simply load the associated client environment script prior to running them. For example:
Load the admin-openrc file to populate environment variables with the location of the Identity service and the admin project and user credentials:
Request an auth token
openstack token issue
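Before moving on, it is worth checking that the pieces set up in this post are in the state the tutorial expects: keystone.conf uses the Fernet provider and the pymysql connection, the Fernet key repository is only readable by its owner, and the openrc files are private and no longer contain the ADMIN_PASS/DEMO_PASS placeholders. The script below is an added example, not part of this tutorial or of Keystone; it assumes GNU stat and runs against constructed sample files in a temp directory so you can try it offline, then point the check functions at the real paths on the controller.

```shell
#!/bin/sh
# Added example (not from the tutorial or from Keystone): post-install sanity
# checks for keystone.conf, the Fernet key repository and the openrc scripts.
# Assumes GNU stat; the sample data at the bottom is constructed, not real.

# ini_get <file> <section> <key>: print the value of key inside [section]
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { sec = $0; next }
        sec == s && $0 ~ ("^" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# keystone.conf must use the Fernet token provider and the pymysql driver
check_keystone_conf() {
    [ "$(ini_get "$1" token provider)" = "fernet" ] || return 1
    case "$(ini_get "$1" database connection)" in
        mysql+pymysql://*) return 0 ;;
    esac
    return 1
}

# a file holding secrets must not be readable by group or others (mode ?00)
check_secret_file() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; esac
    return 1
}

# the Fernet repo needs the primary key "0" and only owner-readable key files
check_fernet_repo() {
    [ -f "$1/0" ] || return 1
    for key in "$1"/*; do check_secret_file "$key" || return 1; done
    return 0
}

# openrc scripts must be private and have the password placeholder replaced
check_openrc() {
    check_secret_file "$1" || return 1
    case "$(sed -n 's/^export OS_PASSWORD=//p' "$1")" in
        ""|ADMIN_PASS|DEMO_PASS) return 1 ;;
    esac
    return 0
}

# Constructed demo data in a temp dir; on the controller use /etc/keystone/keystone.conf,
# /etc/keystone/fernet-keys and the openrc files you created above instead.
demo=$(mktemp -d)
printf '[database]\nconnection = mysql+pymysql://keystone:pass@controller/keystone\n[token]\nprovider = fernet\n' > "$demo/keystone.conf"
mkdir -p "$demo/fernet-keys" && printf 'constructed' > "$demo/fernet-keys/0" && chmod 600 "$demo/fernet-keys/0"
printf 'export OS_USERNAME=admin\nexport OS_PASSWORD=ADMIN_PASS\n' > "$demo/admin-openrc.sh" && chmod 600 "$demo/admin-openrc.sh"
for c in "check_keystone_conf $demo/keystone.conf" "check_fernet_repo $demo/fernet-keys" "check_openrc $demo/admin-openrc.sh"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
```

The demo openrc deliberately still holds the ADMIN_PASS placeholder, so that check prints FAIL while the other two print PASS.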
The next step is the Image service install – Glance