openstack/openstack-manuals
Code Issues Proposed changes
openstack-manuals/doc/install-guide/source/keystone-install-obs.rst
Doug Hellmann c7bfdbb44f split install guide into separate files by OS 
Provide a script for interpreting the "only" directives and splitting
the existing content up into standalone files for each OS to make it
easier for project teams to copy the parts they need into their own
project documentation trees without requiring separate platform builds.

The files have been hand-edited to pass the niceness check and to allow
the install guide to build.

The script for building the guide has been changed to not build separate
copies per OS.

Change-Id: Ib88f373190e2a4fbf14186418852d971b33dca85
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
2017-06-19 11:29:52 -04:00

6.4 KiB
Raw Blame History

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

Prerequisites

Before you install and configure the Identity service, you must create a database.

Note

Before you begin, ensure you have the most recent version of python-pyasn1 installed.

  1. Use the database access client to connect to the database server as the root user:

    $ mysql -u root -p

  2. Create the keystone database:

    MariaDB [(none)]> CREATE DATABASE keystone;

  3. Grant proper access to the keystone database:

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';

    Replace KEYSTONE_DBPASS with a suitable password.

  4. Exit the database access client.

Install and configure components

Note

This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. Therefore, this guide manually disables the keystone service.

Note

Starting with the Newton release, SUSE OpenStack packages are shipping with the upstream default configuration files. For example /etc/keystone/keystone.conf, with customizations in /etc/keystone/keystone.conf.d/010-keystone.conf. While the following instructions modify the default configuration file, adding a new file in /etc/keystone/keystone.conf.d achieves the same result.

  1. Run the following command to install the packages:

    # zypper install openstack-keystone apache2-mod_wsgi

  2. Edit the /etc/keystone/keystone.conf file and complete the following actions:

    • In the [database] section, configure database access:

      [database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

      Replace KEYSTONE_DBPASS with the password you chose for the database.

      Note

      Comment out or remove any other connection options in the [database] section.

    • In the [token] section, configure the Fernet token provider:

      [token]
# ...
provider = fernet

  3. Populate the Identity service database:

    # su -s /bin/sh -c "keystone-manage db_sync" keystone

  4. Initialize Fernet key repositories:

    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

  5. Bootstrap the Identity service:

    # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

    Replace ADMIN_PASS with a suitable password for an administrative user.

Configure the Apache HTTP server

  1. Edit the /etc/sysconfig/apache2 file and configure the APACHE_SERVERNAME option to reference the controller node:

    APACHE_SERVERNAME="controller"

  2. Create the /etc/apache2/conf.d/wsgi-keystone.conf file with the following content:

    Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

  3. Recursively change the ownership of the /etc/keystone directory:

    # chown -R keystone:keystone /etc/keystone

Finalize the installation

  1. Start the Apache HTTP service and configure it to start when the system boots:

    # systemctl enable apache2.service
# systemctl start apache2.service

  2. Configure the administrative account

    $ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3

    Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure-obs.