OpenStack Liberty on Ubuntu 14.04 LTS – Configure KeyStone #1


The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and service catalog services.

It does not provide user management functions itself; rather, it provides plug-in interfaces for choosing between the current authentication service and third-party identity services that are available on the market.

When installing the OpenStack Identity service, you must register each service in your OpenStack installation. The Identity service can then track which OpenStack services are installed and where they are located on the network.

Before going ahead, take a look at our infrastructure design in the previous article.

This guide shows you how to install and configure OpenStack Identity service (keystone) on the controller node.

Prerequisites:

Before installing the OpenStack Identity service, you must create a database and an administration token.

# mysql -u root -p

Create the keystone database.

CREATE DATABASE keystone;

Grant proper access to the keystone database.

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'PASSWD';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'PASSWD';

Exit the database access client.

* Replace PASSWD with a suitable password.

Generate a random value that can be used as the administration token for the initial configuration.

# openssl rand -hex 10

Install and Configure KeyStone:

Disable the keystone service from starting automatically after installation.

# echo "manual" > /etc/init/keystone.override

* In Kilo and Liberty, the Apache HTTP server is used to serve keystone requests on ports 5000 and 35357 with the help of mod_wsgi, instead of Eventlet, which is deprecated in this version of OpenStack.

Install the keystone package.

# apt-get install keystone apache2 libapache2-mod-wsgi memcached python-memcache

Edit the keystone configuration file.

# nano /etc/keystone/keystone.conf

Place the following entries in the proper sections of the above file.

[DEFAULT]
...
## Replace 43405b090eda983ddde2 with the random value that you generated earlier.
## Keep comments on their own line; text after the value becomes part of the value.
admin_token = 43405b090eda983ddde2
verbose = True

[database]
...
## Replace PASSWD with your KeyStone DB password and controller with your controller node IP or hostname.
## If you find any other connection entry, comment it out.
connection = mysql+pymysql://keystone:PASSWD@controller/keystone

[memcache]
...
servers = localhost:11211

[token]
...
provider = uuid
driver = memcache

[revoke]
...
driver = sql
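
A quick check for the settings edited above, as an added example that is not part of the original article: it flags a keystone.conf that still carries the sample token printed on this page, trailing text after the token (oslo.config does not strip inline comments, and Python's configparser defaults behave the same way), or the PASSWD placeholder. The function names, the world-readable check and the sample config are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# Sample token printed in the tutorial; anyone who has read the page knows it.
TUTORIAL_TOKEN = "43405b090eda983ddde2"

# Constructed sample: the tutorial's values pasted in without replacing them.
SAMPLE = """\
[DEFAULT]
admin_token = 43405b090eda983ddde2 ## Replace with your own value
[database]
connection = mysql+pymysql://keystone:PASSWD@controller/keystone
"""


def audit_keystone_conf(path):
    """Return a list of findings for the settings this guide has you edit."""
    findings = []
    # interpolation=None: passwords may contain '%'. Inline comments are not
    # stripped, so a trailing "## note" stays inside the parsed value.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)
    token = cp.defaults().get("admin_token", "")
    if token.startswith(TUTORIAL_TOKEN):
        findings.append("admin_token is the sample value from the tutorial")
    if any(c.isspace() or c == "#" for c in token):
        findings.append("admin_token has trailing text (inline comment?)")
    conn = cp.get("database", "connection", fallback="")
    if ":PASSWD@" in conn:
        findings.append("database password is still the PASSWD placeholder")
    # Added check (not from the article): the file holds the token and DB password.
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
        findings.append("file is world-readable but holds secrets")
    return findings


def audit_text(text, mode=0o644):
    """Write text to a temporary keystone.conf with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "keystone.conf")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_keystone_conf(path)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print("FINDING:", finding)
```

On the controller, call audit_keystone_conf("/etc/keystone/keystone.conf") as a user that can read the file.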

Run the following command to populate the identity service database.

# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure Apache HTTP server:

Edit /etc/apache2/apache2.conf and set the ServerName option to reference the controller node; add it in the Global configuration section.

ServerName controller

Create the file below.

# nano /etc/apache2/sites-enabled/wsgi-keystone.conf

Paste the following content into the above file.

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Restart the Apache service.

# service apache2 restart

Remove the SQLite database, as we are using a MySQL database.

# rm -f /var/lib/keystone/keystone.db

The next step is to create the service entity and API endpoints.

  • Pedro

    In the db sync part I am having this problem
    2015-12-02 14:30:38.203 14709 WARNING oslo_db.sqlalchemy.engines [-] SQL connection failed. 10 attempts left.
    Is anyone else going through the same situation?

    • Stenio Araujo

      Yes, although the answer is late, the problem may keep happening.

      You must configure mysql to receive internal access. To do that, you must replace the 127.0.0.1 in bind-address with 0.0.0.0. This means that mysql can be accessed from any machine that has access to the machine on which mysql was installed.

      Depending on the version of mysql you have, the configuration file may be in:
      – /etc/mysql/mysql.conf.d/mysqld.cnf
      or
      – /etc/mysql/my.cnf

  • Eric

    Same error with oslo_db
