Openstack Liberty Lab Part 3: Configure Keystone Identity Service

So far, we have published the first and second parts of the OpenStack Lab guide series. The purpose of this series is not to prepare you for an OpenStack sysadmin role, but to help you understand how to install and configure each OpenStack service. It is useful for students, IT professionals, and anyone technical who wants to enter the fascinating world of virtualization and cloud computing.

If you followed the previous tutorials:

Openstack Liberty Lab Part 1: Setting up the network and all prerequisites

Openstack Liberty Lab Part 2: Install the Openstack software package

You should have installed the Keystone Identity Service. In this part of the series, we will take a closer look at all the configuration options and parameters required in the Keystone configuration file.

We will not edit the configuration files directly with a text editor such as nano or vim; instead we use the openstack-config tool, which automates the edits and simplifies the work. openstack-config is a utility for manipulating ini files; it is installed together with the OpenStack packages, so you only need to run it. The first step is to prepare the database that Keystone will use. Since the MariaDB server has just been installed, set its root password by running the mysql_secure_installation tool. If your server already uses an existing, secured database system, skip this step.

[root@controller ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB! 

Before logging in as the root user with the password you set above, make sure the MariaDB service is up and running:

[root@controller ~]# systemctl status mariadb.service
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-03-28 12:03:24 EAT; 4h 55min ago
 Main PID: 2134 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─2134 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─2331 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql...

Mar 28 12:03:13 controller systemd[1]: Starting MariaDB database server...
Mar 28 12:03:15 controller mysqld_safe[2134]: 160328 12:03:15 mysqld_safe Lo....
Mar 28 12:03:16 controller mysqld_safe[2134]: 160328 12:03:16 mysqld_safe St...l
Mar 28 12:03:24 controller systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@controller ~]#

If not, please do the following:

 [root@controller ~]# systemctl start mariadb.service
 [root@controller ~]# systemctl enable mariadb.service

The steps used to configure Keystone are:

  1. Create the database
[root@controller ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'moonstack';
MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'moonstack';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;

Replace moonstack with a suitable password for the keystone database user; the same password is used again in step 2. Note that the second GRANT allows the keystone user to connect from any host ('%'); on an all-in-one node where Keystone and MariaDB share the server, the 'localhost' grant alone is enough.

  2. Configure Keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token admintoken
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:moonstack@192.168.1.60/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider uuid
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token driver memcache
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf revoke driver sql

Description of the values used above:

  • admintoken: the initial administration token. Replace it with the token you want to use; you can generate one with the openssl command, for example:

  [root@controller ~]# openssl rand -hex 8

  • moonstack: the password of the keystone database user set in step 1 when creating the Keystone database.
  • 192.168.1.60: the IP address of the controller. Because this is an all-in-one installation, it is also the IP address of the server running the MySQL service.
  • keystone: the name of the database used by Keystone.
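To make the openstack-config step concrete, here is an added example (not code from the article or from the openstack-config tool itself) that implements the same section/key/value editing in plain POSIX sh and awk, and then runs a small pre-flight audit of the resulting keystone.conf: it flags an empty or placeholder admin_token, a world-readable file (keystone.conf holds both the database password and the admin token), and a missing [token] provider. The ini_get, ini_set and audit_keystone_conf function names, the placeholder check and the sample configuration file are all assumptions of this example.

```shell
#!/bin/sh
# Added example: a POSIX-sh stand-in for `openstack-config --get/--set`
# plus a pre-flight audit of the resulting keystone.conf. Not the page's code.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (empty if absent)
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2); next }
        cur == sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# ini_set FILE SECTION KEY VALUE: replace KEY in [SECTION], or append it
# (creating the section if needed). Writes back in place so the file mode is kept.
ini_set() {
    _f=$1; _tmp=$(mktemp)
    awk -v sec="$2" -v key="$3" -v val="$4" '
        function flush() { if (cur == sec && !done) { print key " = " val; done = 1 } }
        /^\[.*\]$/ {
            flush()                      # leaving the target section: append if unset
            cur = substr($0, 2, length($0) - 2)
            if (cur == sec) seen = 1
            print; next
        }
        cur == sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END {
            flush()
            if (!seen) { print "[" sec "]"; print key " = " val }
        }' "$_f" > "$_tmp" && cat "$_tmp" > "$_f"
    rm -f "$_tmp"
}

# audit_keystone_conf FILE: print one line per finding, return the number found
audit_keystone_conf() {
    _f=$1; _n=0
    case "$(ini_get "$_f" DEFAULT admin_token)" in
        ""|admintoken|ADMIN_TOKEN)       # empty, or the tutorial placeholder (assumed list)
            echo "admin_token is empty or a placeholder; generate a random one"
            _n=$((_n + 1)) ;;
    esac
    # 8th character of `ls -l` is the other-read bit
    if [ "$(ls -l "$_f" | cut -c8)" = "r" ]; then
        echo "$_f is world-readable; it contains the DB password and admin_token"
        _n=$((_n + 1))
    fi
    if [ -z "$(ini_get "$_f" token provider)" ]; then
        echo "[token] provider is not set"
        _n=$((_n + 1))
    fi
    return "$_n"
}

# Walkthrough on a constructed copy of the tutorial's settings (not a live file)
conf=$(mktemp)
cat > "$conf" <<'EOF'
[DEFAULT]
admin_token = admintoken
[database]
connection = mysql://keystone:moonstack@192.168.1.60/keystone
[memcache]
servers = localhost:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
EOF
chmod 644 "$conf"                        # constructed weak state: world-readable
audit_keystone_conf "$conf" || echo "-> $? finding(s) before hardening"
# Replace the placeholder with 16 random hex characters (same length as `openssl rand -hex 8`)
ini_set "$conf" DEFAULT admin_token \
    "$(dd if=/dev/urandom bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')"
chmod 640 "$conf"
audit_keystone_conf "$conf" && echo "-> clean"
rm -f "$conf"
```

On a real controller you would point audit_keystone_conf at /etc/keystone/keystone.conf after the openstack-config commands above; the expected result is no output and a zero return code.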

  3. Populate the identity service database:
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure http server (Apache):

[root@controller ~]# echo ServerName 192.168.1.60 >> /etc/httpd/conf/httpd.conf
  • Create the /etc/httpd/conf.d/wsgi-keystone.conf file:
[root@controller ~]# cat > /etc/httpd/conf.d/wsgi-keystone.conf <<EOF
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
EOF

Reload httpd:

[root@controller ~]# systemctl reload httpd.service

  4. Add roles, projects and users to Keystone

Load environment:

[root@controller ~]# export OS_TOKEN=admintoken
[root@controller ~]# export OS_URL=http://192.168.1.60:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

Replace admintoken with your token and 192.168.1.60 with the IP address of your controller.

  • Add the admin and Member roles:
[root@controller ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | ef185921b0114f879e4fc1927516de75 |
| name  | admin                            |
+-------+----------------------------------+
[root@controller ~]# openstack role create Member
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 2b0d67fc55fd4cb8b29301a6dbe33445 |
| name  | Member                           |
+-------+----------------------------------+
  • Add the admin and service projects:
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9c3ec09f5e08442eb211612f99cd22ad |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]#
  • Create the admin user in the admin project and grant it the admin role:
[root@controller ~]# openstack user create --domain default --project admin --password moonstack admin
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| default_project_id | abc5d2a310ad46fba0b2a311a187088b |
| domain_id          | default                          |
| enabled            | True                             |
| id                 | faf51d1898204d38aff144c8c1248c7d |
| name               | admin                            |
+--------------------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin
[root@controller ~]#
  • Confirm the settings:
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| faf51d1898204d38aff144c8c1248c7d | admin |
+----------------------------------+-------+
[root@controller ~]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 2b0d67fc55fd4cb8b29301a6dbe33445 | Member |
| ef185921b0114f879e4fc1927516de75 | admin  |
+----------------------------------+--------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 9c3ec09f5e08442eb211612f99cd22ad | service |
| abc5d2a310ad46fba0b2a311a187088b | admin   |
+----------------------------------+---------+
  5. Add the identity service entity and its public, internal and admin API endpoints:
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4d3aa109aa534ceb92187549a5e728bf |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
[root@controller ~]# export controller=192.168.1.60
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://$controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 651d5f5fc4bb4d6db1b74b217b6fcda5 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.60:5000/v2.0    |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://$controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f714e382f39748afaf8bd2d5e0054c24 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.60:5000/v2.0    |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://$controller:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 81b112cbfbd949578262a4fd3ebce9fd |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.60:35357/v2.0   |
+--------------+----------------------------------+
[root@controller ~]#
  • Confirm the settings:
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 651d5f5fc4bb4d6db1b74b217b6fcda5 | RegionOne | keystone     | identity     | True    | public    | http://192.168.1.60:5000/v2.0  |
| 81b112cbfbd949578262a4fd3ebce9fd | RegionOne | keystone     | identity     | True    | admin     | http://192.168.1.60:35357/v2.0 |
| f714e382f39748afaf8bd2d5e0054c24 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.1.60:5000/v2.0  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
[root@controller ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 4d3aa109aa534ceb92187549a5e728bf | keystone | identity |
+----------------------------------+----------+----------+
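
Every later service (Glance, Nova, ...) registers three endpoints the same way, and a service with a missing or disabled interface is a common cause of "endpoint not found" errors later in the lab. As an added check (not part of the article, and not an OpenStack tool), the following script parses the text `openstack endpoint list` prints and reports each service type that lacks a public, internal or admin endpoint, plus any endpoint that is not enabled. The check_catalog function name is an assumption; the sample table reuses the identity rows shown above and adds two constructed rows for an assumed image service so that the check has something to report.

```shell
#!/bin/sh
# Added example: completeness check over `openstack endpoint list` output.
# Not the page's code and not an OpenStack tool.

# check_catalog TABLE: prints one line per problem; prints nothing when the
# catalog has an enabled public, internal and admin endpoint for every type.
check_catalog() {
    printf '%s\n' "$1" | awk -F'|' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        # data rows have 7 cells between the pipes and a hex ID in the first cell
        NF >= 8 && trim($2) ~ /^[0-9a-f]+$/ {
            type = trim($5); iface = trim($7)
            if (trim($6) != "True") print type ": " iface " endpoint is disabled"
            seen[type, iface] = 1; types[type] = 1
        }
        END {
            n = split("public internal admin", want, " ")
            for (t in types)
                for (i = 1; i <= n; i++)
                    if (!((t, want[i]) in seen)) print t ": missing " want[i] " endpoint"
        }'
}

# Constructed sample in the layout the CLI prints: identity is complete, while
# the assumed image service lacks its admin endpoint and has a disabled internal one.
sample_catalog='
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 651d5f5fc4bb4d6db1b74b217b6fcda5 | RegionOne | keystone     | identity     | True    | public    | http://192.168.1.60:5000/v2.0  |
| 81b112cbfbd949578262a4fd3ebce9fd | RegionOne | keystone     | identity     | True    | admin     | http://192.168.1.60:35357/v2.0 |
| f714e382f39748afaf8bd2d5e0054c24 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.1.60:5000/v2.0  |
| 00000000000000000000000000000001 | RegionOne | glance       | image        | True    | public    | http://192.168.1.60:9292       |
| 00000000000000000000000000000002 | RegionOne | glance       | image        | False   | internal  | http://192.168.1.60:9292       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+'

# Reports the disabled image internal endpoint and the missing image admin endpoint
check_catalog "$sample_catalog"
```

On the controller, run it against the live listing with `check_catalog "$(openstack endpoint list)"` once the token environment from step 4 is loaded; after this part of the lab it should print nothing, because only the identity service exists and all three of its endpoints are enabled.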

You have completed the Keystone identity service configuration. In the next article, we will discuss the complete configuration of the Glance image service.

Previous article:

Openstack Liberty Lab Part 2: Install the Openstack software package

Next article:

Openstack Liberty Lab Part 4: Configure Glance Image Service
