Install Keystone Service – Openstack Installation : Part 2


This post walks through installing the Keystone service as part of our OpenStack deployment.

In the previous post, we explained how to install and configure the MariaDB (MySQL) database and the RabbitMQ message service, which are also part of the OpenStack deployment.

The stages involved in the OpenStack deployment are:
1. Enable Repositories on node1 and node2
2. Install Openstack Liberty Packages on node1 and node2.
3. Install and Configure MariaDB(MySQL) Database on node1 and node2.
4. Install and Configure RabbitMQ Message service on node1.
5. Install and Configure keystone for Identity service on node1.
6. Install Glance for Image service on node1.
7. Install Nova Computing on node1 and node2.
8. Install Neutron Networking on node1 and node2.
8a. Install Openstack Neutron Component on Controller Node
8b. Install Openstack Neutron Component on Compute Node
9. Install Openstack Horizon for dashboard on node1

In this post, we explain how to install and configure Keystone for the Identity service on node1.

Lab Setup:
Server Names : node1 and node2
OS : CentOS 7.2 – 64 bit.
Enabled Internet Connection.

Prerequisites
1. Make sure all hosts can reach each other. I only added entries to the hosts file.
2. Verify the internet connection, because we use public repos to install these components.
3. Take a backup or snapshot at different stages so you can restore in case of failure.
4. Stop the firewall to avoid issues during the installation (systemctl stop firewalld ; systemctl disable firewalld).

Install and Configure keystone for Identity service on node1.

Keystone provides authentication and authorization, so every OpenStack service has to be registered with Keystone.
Create the Keystone database to store its data.

[root@node1 ~]# mysql -u root -p
Enter password:

Create the keystone database and grant the keystone user access to it

MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'node1' IDENTIFIED BY 'redhat';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'redhat';
MariaDB [(none)]> exit

Replace “node1” with your controller node name and replace “redhat” with your own database password.

Create an authentication token to authenticate other services with Keystone.

[root@node1 ~]# ADMIN_TOKEN=$(openssl rand -hex 10)
[root@node1 ~]# echo $ADMIN_TOKEN
23b6ddf28cee1f864f54

Install the Keystone Packages and other packages.

[root@node1 ~]# yum install openstack-keystone python-keystoneclient httpd mod_wsgi memcached python-memcached

Start and enable Memcached service to start when the system boots:

[root@node1 ~]# systemctl enable memcached
[root@node1 ~]# systemctl start memcached

Configuring the keystone
There are two ways to configure the keystone.
1. Edit the configuration file directly,
2. Use openstack-config command.

Option 1. Edit the configuration file /etc/keystone/keystone.conf and change the following parameters.

Under [DEFAULT] section, change the admin_token.

admin_token = 23b6ddf28cee1f864f54

Under [database] section, Change the database connection parameter.

[database]
connection = mysql://keystone:redhat@node1/keystone

Replace “redhat” with your keystone password and “node1” with your server name.
Under [memcache] section, Change the memcached service parameter.

[memcache]
servers = localhost:11211

Under [token] section, Change the UUID token provider and Memcached driver parameter.

[token]
provider = uuid
driver = memcache

Under [revoke] section, Change the SQL revocation driver parameter.

[revoke]
driver = sql

Option 2. Use openstack-config command.

[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:redhat@node1/keystone

Replace “redhat” with your keystone password and “node1” with your server name.

[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf revoke driver sql
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf token provider uuid
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf token driver memcache

Once all changes are done, populate the Identity service database:

[root@node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure Apache HTTP Server

Change the ServerName directive to reference your controller name in the file /etc/httpd/conf/httpd.conf.

ServerName node1

Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

Start and enable httpd Service to start when the system boots.

[root@node1 ~]# systemctl enable httpd
[root@node1 ~]# systemctl start httpd

Create the service entity and API endpoints
The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment requires a service entity and several API endpoints in the catalog.

Export the authentication token

[root@node1 ~]# export OS_TOKEN=$ADMIN_TOKEN

Configure the endpoint URL

[root@node1 ~]# export OS_URL=http://node1:35357/v3

Replace “node1” with your server name.

Configure the Identity API version

[root@node1 ~]# export OS_IDENTITY_API_VERSION=3

Create the service entity for the Identity service

[root@node1 ~]# openstack service create \
--name keystone --description "OpenStack Identity" identity

Create the Identity service API endpoints
Replace “node1” with your server name.

[root@node1 ~]# openstack endpoint create --region RegionOne \
identity public http://node1:5000/v2.0
[root@node1 ~]# openstack endpoint create --region RegionOne \
identity internal http://node1:5000/v2.0
[root@node1 ~]# openstack endpoint create --region RegionOne \
identity admin http://node1:35357/v2.0

Create Projects, Users, and Roles

Create a Project:

[root@node1 ~]# openstack project create --domain default \
--description "Admin Project" admin

Create the admin user:

[root@node1 ~]# openstack user create --domain default \
--password-prompt admin
User Password:
Repeat User Password:

Create the admin role:

[root@node1 ~]# openstack role create admin

Add the admin role to the admin project and user:

[root@node1 ~]# openstack role add --project admin --user admin admin

Create a Service Project:

[root@node1 ~]# openstack project create --domain default \
--description "Service Project" service

Create a Demo Project:

[root@node1 ~]# openstack project create --domain default \
--description "Demo Project" demo

Create the demo user:

[root@node1 ~]# openstack user create --domain default \
--password-prompt demo

Create the User role:

[root@node1 ~]# openstack role create user

Add the user role to the demo project and user:

[root@node1 ~]# openstack role add --project demo --user demo user

Testing the Configurations:
Disable the temporary authentication token mechanism:

Edit the /usr/share/keystone/keystone-dist-paste.ini file and remove “admin_token_auth” from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

Unset the temporary OS_TOKEN and OS_URL environment variables:

$ unset OS_TOKEN OS_URL
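
The following check is an added example, not part of the original post: it confirms that the two steps above took effect by listing any [pipeline:*] section that still includes admin_token_auth and by checking that OS_TOKEN and OS_URL are no longer exported. The function names and the embedded paste file are constructed for illustration; the sample is abbreviated and only mimics the layout of keystone-dist-paste.ini.

```shell
#!/bin/sh
# Print each [pipeline:*] section of a paste file that still lists admin_token_auth.
pipelines_with_admin_token() {
    awk '
        /^[ \t]*[#;]/ { next }                      # ignore comment lines
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec ~ /^pipeline:/ {                        # [filter:...] sections are not flagged
            for (i = 1; i <= NF; i++)
                if ($i == "admin_token_auth") { print sec; next }
        }
    ' "$1"
}

# Return 0 only when no pipeline uses the filter and OS_TOKEN / OS_URL are unset.
bootstrap_token_disabled() {
    left=$(pipelines_with_admin_token "$1")
    status=0
    if [ -n "$left" ]; then
        echo "admin_token_auth still in: $(echo $left)" >&2
        status=1
    fi
    if [ -n "${OS_TOKEN:-}" ] || [ -n "${OS_URL:-}" ]; then
        echo "OS_TOKEN or OS_URL is still exported in this shell" >&2
        status=1
    fi
    return $status
}

# Constructed sample input: api_v3 was cleaned, public_api and admin_api were not.
sample_paste_ini() {
    cat <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
# a pipeline value may continue on indented lines
pipeline = sizelimit token_auth
    admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit token_auth json_body service_v3
EOF
}
```

On node1, run bootstrap_token_disabled /usr/share/keystone/keystone-dist-paste.ini after restarting httpd; a non-zero exit status means the admin token can still be used or is still present in the shell environment.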

As the admin user, request an authentication token:

[root@node1 ~]# openstack --os-auth-url http://node1:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-02-08T17:16:02.676058Z      |
| id         | d22c539fcf074310a5edb4f50f83c6fa |
| project_id | bb36019951a245638cd14c918a736d12 |
| user_id    | ad4ea14438984204b2d0c0df8c6cfa74 |
+------------+----------------------------------+

If you get output like the above, your configuration is working.

Create OpenStack client environment scripts for the admin and users.

Create the admin-openrc.sh file and add the variables below:

[root@node1 ~]# vi admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=redhat
export OS_AUTH_URL=http://node1:35357/v3
export OS_IDENTITY_API_VERSION=3

Replace “node1” with your server name and replace “redhat” with your database password.

We have completed installation and configuration of keystone for Identity service on node1.

Keep practicing and have fun. Leave your comments if any.