Install Keystone Service - Openstack Installation : Part 2


In the previous post, we explained how to install and configure the MariaDB (MySQL) database and the RabbitMQ message service, which are also part of the OpenStack deployment.

The stages involved in the OpenStack deployment are:
1. Enable Repositories on node1 and node2
2. Install Openstack Liberty Packages on node1 and node2.
3. Install and Configure MariaDB(MySQL) Database on node1 and node2.
4. Install and Configure RabbitMQ Message service on node1.
5. Install and Configure keystone for Identity service on node1.
6. Install Glance for Image service on node1.
7. Install Nova Computing on node1 and node2.
8. Install Neutron Networking on node1 and node2.
    8a. Install Openstack Neutron Component on Controller Node
    8b. Install Openstack Neutron Component on Compute Node
9. Install Openstack Horizon for dashboard on node1

In this post, we will explain how to install and configure Keystone for the Identity service on node1.

Lab Setup:
Server Names : node1 and node2
OS : CentOS 7.2 - 64 bit.
Enabled Internet Connection.

Prerequisites
1. Make sure all hosts are reachable from each other. I only made entries in the hosts file.
2. Verify the internet connection, because we use public repos to install these components.
3. Take a backup or snapshot at different stages so you can restore in case of failure.
4. Stop the firewall to avoid issues during the installation (systemctl stop firewalld ; systemctl disable firewalld).


Install and Configure keystone for Identity service on node1.

Keystone provides authentication and authorization, so every OpenStack service has to be registered with Keystone.
Create Keystone Database to store its data.
[root@node1 ~]# mysql -u root -p
Enter password:
Create the keystone database and grant the keystone user access to it:
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'node1' \
  IDENTIFIED BY 'redhat';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'redhat';
MariaDB [(none)]> exit
Replace "node1" with your controller node name and replace "redhat" with your own database password.


Create authentication token to authenticate other services with keystone.
[root@node1 ~]# ADMIN_TOKEN=$(openssl rand -hex 10)
[root@node1 ~]# echo $ADMIN_TOKEN
23b6ddf28cee1f864f54
Install the Keystone Packages and other packages.
[root@node1 ~]# yum install openstack-keystone python-keystoneclient httpd mod_wsgi memcached python-memcached
Start and enable Memcached service to start when the system boots:
[root@node1 ~]# systemctl enable memcached
[root@node1 ~]# systemctl start memcached
Configuring Keystone
There are two ways to configure Keystone.
1. Edit the configuration file directly,
2. Use openstack-config command.

Option 1. Edit the configuration file /etc/keystone/keystone.conf and change the following parameters.

Under [DEFAULT] section, change the admin_token.
admin_token = 23b6ddf28cee1f864f54
Under [database] section, Change the database connection parameter.
[database]
connection = mysql://keystone:redhat@node1/keystone
Replace "redhat" with your keystone password and "node1" with your server name.
Under [memcache] section, Change the memcached service parameter.
[memcache]
servers = localhost:11211
Under [token] section, Change the UUID token provider and Memcached driver parameter.
[token]
provider = uuid
driver = memcache
Under [revoke] section, Change the SQL revocation driver parameter.
[revoke]
driver = sql
Option 2. Use openstack-config command.
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:redhat@node1/keystone
Replace "redhat" with your keystone password and "node1" with your server name.

[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf revoke driver sql
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf token provider uuid
[root@node1 ~]# openstack-config --set /etc/keystone/keystone.conf token driver memcache

Once all changes are done, populate the Identity service database:
[root@node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure the Apache HTTP Server
Change the ServerName directive to reference your controller name in the file /etc/httpd/conf/httpd.conf.
ServerName node1
Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
Start and enable httpd Service to start when the system boots.
[root@node1 ~]# systemctl enable httpd
[root@node1 ~]# systemctl start httpd
Create the service entity and API endpoints
The Identity service provides a catalog of services and their locations. Each service that you add to your OpenStack environment requires a service entity and several API endpoints in the catalog.

Export the authentication token
[root@node1 ~]# export OS_TOKEN=$ADMIN_TOKEN
Configure the endpoint URL
[root@node1 ~]# export OS_URL=http://node1:35357/v3
Replace "node1" with your server name.

Configure the Identity API version
[root@node1 ~]# export OS_IDENTITY_API_VERSION=3
Create the service entity for the Identity service
[root@node1 ~]# openstack service create \
  --name keystone --description "OpenStack Identity" identity
Create the Identity service API endpoints
Replace "node1" with your server name.
[root@node1 ~]# openstack endpoint create --region RegionOne \
  identity public http://node1:5000/v2.0
[root@node1 ~]# openstack endpoint create --region RegionOne \
  identity internal http://node1:5000/v2.0
[root@node1 ~]# openstack endpoint create --region RegionOne \
  identity admin http://node1:35357/v2.0

Create Projects, Users, and Roles

Create a Project:
[root@node1 ~]# openstack project create --domain default \
 --description "Admin Project" admin
Create the admin user:
[root@node1 ~]# openstack user create --domain default \
 --password-prompt admin
User Password:
Repeat User Password:
Create the admin role:
[root@node1 ~]# openstack role create admin
Add the admin role to the admin project and user:
[root@node1 ~]# openstack role add --project admin --user admin admin
Create a Service Project:
[root@node1 ~]# openstack project create --domain default \
  --description "Service Project" service
Create a Demo Project:
[root@node1 ~]# openstack project create --domain default \
  --description "Demo Project" demo
Create the demo user:
[root@node1 ~]# openstack user create --domain default \
  --password-prompt demo
Create the User role:
[root@node1 ~]# openstack role create user
Add the user role to the demo project and user:
[root@node1 ~]# openstack role add --project demo --user demo user
Testing the Configurations:
Disable the temporary authentication token mechanism:

Go to the /usr/share/keystone/keystone-dist-paste.ini file and remove "admin_token_auth" from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

Unset the temporary OS_TOKEN and OS_URL environment variables:
$ unset OS_TOKEN OS_URL
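
Added example (not part of the original post): a shell check that admin_token_auth is gone from every pipeline after the edit above, and whether admin_token still has a value in keystone.conf. The function names and the shortened sample files are assumptions made for the example; on the node described here, pass /usr/share/keystone/keystone-dist-paste.ini and /etc/keystone/keystone.conf.

```shell
#!/bin/sh
# Added example: check that the bootstrap admin token is really switched off.
# File paths are arguments; the sample files at the bottom are constructed.

# Print each [pipeline:*] section of a paste ini that still lists the
# admin_token_auth filter (assumes each pipeline is written on one line).
pipelines_with_admin_token() {
    awk '
        /^\[/ { section = $0; next }
        /^[ \t]*pipeline[ \t]*=/ {
            line = $0
            sub(/^[ \t]*pipeline[ \t]*=/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (f[i] == "admin_token_auth") { print section; break }
        }' "$1"
}

# Succeed if [DEFAULT] in keystone.conf still carries an uncommented admin_token.
admin_token_is_set() {
    awk '
        /^\[/ { in_default = ($0 == "[DEFAULT]"); next }
        in_default && /^[ \t]*admin_token[ \t]*=[ \t]*[^ \t]/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Report both findings; return 1 if either is present.
audit_bootstrap_token() {
    rc=0
    left=$(pipelines_with_admin_token "$1" | tr '\n' ' ')
    [ -z "$left" ] || { echo "admin_token_auth still in: $left"; rc=1; }
    if admin_token_is_set "$2"; then
        echo "admin_token still set in [DEFAULT] of $2"; rc=1
    fi
    return $rc
}

# Constructed sample: one pipeline cleaned, one not, token still in keystone.conf.
demo=$(mktemp -d)
cat > "$demo/paste.ini" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth
[pipeline:public_api]
pipeline = sizelimit token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit token_auth admin_token_auth json_body admin_service
EOF
printf '[DEFAULT]\nadmin_token = 23b6ddf28cee1f864f54\n[token]\nprovider = uuid\n' > "$demo/keystone.conf"
audit_bootstrap_token "$demo/paste.ini" "$demo/keystone.conf" || true
```

A non-zero return from audit_bootstrap_token means at least one leftover was found; the [filter:admin_token_auth] definition itself is ignored because only pipeline lines are inspected.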
As the admin user, request an authentication token:
[root@node1 ~]# openstack --os-auth-url http://node1:35357/v3 \
 --os-project-domain-id default --os-user-domain-id default \
 --os-project-name admin --os-username admin --os-auth-type password \
 token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-02-08T17:16:02.676058Z      |
| id         | d22c539fcf074310a5edb4f50f83c6fa |
| project_id | bb36019951a245638cd14c918a736d12 |
| user_id    | ad4ea14438984204b2d0c0df8c6cfa74 |
+------------+----------------------------------+

If you get the output, then your configuration is working.

Create Openstack client environment scripts for the admin and users.

Create the admin-openrc.sh file and add the below variables
[root@node1 ~]# vi admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=redhat
export OS_AUTH_URL=http://node1:35357/v3
export OS_IDENTITY_API_VERSION=3
Replace "node1" with your server name and replace "redhat" with your database password.

We have completed installation and configuration of keystone for Identity service on node1.

February 11, 2016
