On controller node:
###systemctl disable NetworkManager
hostnamectl set-hostname name
Disable SELinux
vi /etc/selinux/config
SELINUX=disabled
reboot controller
[root@Fedora-69 ~]# getenforce
Disabled
Also need to open the ports the OpenStack services use in the firewall:
# firewall-cmd --get-default-zone
FedoraServer
# firewall-cmd --permanent --zone=FedoraServer --add-port=5672/tcp
# firewall-cmd --permanent --zone=FedoraServer --add-port=35357/tcp
# firewall-cmd --permanent --zone=FedoraServer --add-port=8774/tcp
# firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
# firewall-cmd --permanent --zone=FedoraServer --add-port=9292/tcp
# firewall-cmd --permanent --zone=FedoraServer --add-port=6080/tcp (for VNC console)
# firewall-cmd --reload
# firewall-cmd --list-ports
80/tcp 6080/tcp 9292/tcp 5672/tcp 9696/tcp 8774/tcp 35357/tcp
Or just disable firewall
# systemctl disable firewalld
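An added check, not part of the original post: instead of turning firewalld off, confirm that every port the controller services listen on is actually open in the zone, and print the add-port commands for whatever is missing. The port list is the one from the add-port commands above plus 5000/tcp, which is added here because the Keystone Apache configuration below listens on it; REQUIRED_PORTS, missing_ports, open_missing and the sample list-ports output are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): verify the firewalld zone instead of
# disabling firewalld. Ports are the post's add-port list plus 5000/tcp
# (Keystone public endpoint, see the Apache "Listen 5000" below).
REQUIRED_PORTS="5672/tcp 35357/tcp 8774/tcp 80/tcp 9292/tcp 6080/tcp 5000/tcp"

# missing_ports "<output of firewall-cmd --list-ports>": print the required
# ports that are not in that list, space separated (empty when all are open).
missing_ports() {
    open=$1
    missing=""
    for p in $REQUIRED_PORTS; do
        case " $open " in
            *" $p "*) ;;                      # port already open
            *) missing="$missing $p" ;;       # port not in the zone
        esac
    done
    printf '%s\n' "${missing# }"
}

# open_missing ZONE "<list-ports output>": print (not run) the firewall-cmd
# lines that would open what is missing, so they can be reviewed first.
open_missing() {
    for p in $(missing_ports "$2"); do
        echo "firewall-cmd --permanent --zone=$1 --add-port=$p"
    done
}

# Constructed sample: what `firewall-cmd --list-ports` printed in the post.
SAMPLE_OPEN="80/tcp 6080/tcp 9292/tcp 5672/tcp 9696/tcp 8774/tcp 35357/tcp"

# With --live on the controller, read the real default zone; otherwise use
# the sample so the script runs anywhere.
if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    zone=$(firewall-cmd --get-default-zone)
    current=$(firewall-cmd --zone="$zone" --list-ports)
else
    zone=FedoraServer
    current=$SAMPLE_OPEN
fi
echo "zone $zone, missing: $(missing_ports "$current")"
open_missing "$zone" "$current"
```

Run it with `--live` as root on the controller after `firewall-cmd --reload`; on the post's own output it reports only 5000/tcp as missing, which is the public Keystone port other nodes will need once they authenticate against the controller.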
yum install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm
If yum install does not work, try:
wget http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm
# rpm -ivh rdo-release-kilo.rpm
warning: rdo-release-kilo.rpm: Header V4 RSA/SHA1 Signature, key ID 7d10ce81: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:rdo-release-kilo-1               ################################# [100%]
To install and configure the database server
yum install mariadb mariadb-server MySQL-python
# cd /etc/my.cnf.d
# cp mariadb-server.cnf mariadb_openstack.cnf
Create and edit the /etc/my.cnf.d/mariadb_openstack.cnf file and complete the following actions:

In the [mysqld] section, set the bind-address key to the management IP address of the controller node to enable access by other nodes via the management network:

[mysqld]
...
bind-address = 10.0.0.11

In the [mysqld] section, set the following keys to enable useful options and the UTF-8 character set:

[mysqld]
...
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8

# systemctl enable mariadb.service
# systemctl start mariadb.service
# mysql_secure_installation
Enter Y for all prompts.
Message queue
# yum install rabbitmq-server
[root@Fedora-69 ~]# systemctl enable rabbitmq-server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
[root@Fedora-69 ~]# systemctl start rabbitmq-server.service
# rabbitmqctl add_user openstack RABBIT_PASS
Creating user "openstack" ...
[root@Fedora-69 ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/" ...
Keystone
http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-install.html
[root@Fedora-69 ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.0.21-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    -> IDENTIFIED BY 'xxxxxx';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    -> IDENTIFIED BY 'xxxxxx';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
To install and configure the Identity service components
yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached
# systemctl enable memcached.service
# systemctl start memcached.service
Generate a random value to use as the administration token during initial configuration:

$ openssl rand -hex 10

Edit the /etc/keystone/keystone.conf file and complete the following actions:

In the [DEFAULT] section, define the value of the initial administration token:

[DEFAULT]
...
admin_token = ADMIN_TOKEN

Replace ADMIN_TOKEN with the random value that you generated in a previous step.

In the [database] section, configure database access:

[database]
...
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

Replace KEYSTONE_DBPASS with the password you chose for the database.

In the [memcache] section, configure the Memcache service:

[memcache]
...
servers = localhost:11211

In the [token] section, configure the UUID token provider and Memcached driver:

[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token

In the [revoke] section, configure the SQL revocation driver:

[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
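An added example, not from the post or from the Keystone project: the keystone.conf settings above applied with a small POSIX awk helper that replaces an existing uncommented key or appends it (creating the section if needed), followed by a check that admin_token is no longer the ADMIN_TOKEN placeholder. ini_set, ini_get, configure_keystone, token_is_set and the abridged sample config are this example's own; the section names, keys and values are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the post): apply the keystone.conf settings with a
# repeatable helper and verify the admin token was really filled in.

# ini_set FILE SECTION KEY VALUE: set KEY in [SECTION], replacing an existing
# uncommented KEY line or appending it; the section is created if absent.
# The edited file keeps its original owner and mode (cat >, not mv).
ini_set() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^\[.*\]$/ {
            if (insec && !done) { print k " = " v; done = 1 }  # section ended without KEY
            insec = ($0 == ("[" s "]"))
            if (insec) seen = 1
            print; next
        }
        insec && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END { if (!done) { if (!seen) print "[" s "]"; print k " = " v } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ini_get FILE SECTION KEY: print the value of the first uncommented KEY in [SECTION].
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { insec = ($0 == ("[" s "]")); next }
        insec && $0 ~ ("^[ \t]*" k "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# configure_keystone FILE ADMIN_TOKEN KEYSTONE_DBPASS: the settings from the post.
configure_keystone() {
    f=$1
    ini_set "$f" DEFAULT  admin_token "$2"
    ini_set "$f" database connection "mysql://keystone:$3@controller/keystone"
    ini_set "$f" memcache servers    "localhost:11211"
    ini_set "$f" token    provider   "keystone.token.providers.uuid.Provider"
    ini_set "$f" token    driver     "keystone.token.persistence.backends.memcache.Token"
    ini_set "$f" revoke   driver     "keystone.contrib.revoke.backends.sql.Revoke"
}

# token_is_set FILE: succeed only if admin_token is present and not the placeholder.
token_is_set() {
    t=$(ini_get "$1" DEFAULT admin_token)
    [ -n "$t" ] && [ "$t" != "ADMIN_TOKEN" ]
}

# Constructed, abridged sample of a stock keystone.conf (everything commented out).
SAMPLE_CONF='[DEFAULT]
#admin_token = ADMIN
#log_dir = /var/log/keystone

[database]
#connection = <None>

[token]
#provider = keystone.token.providers.uuid.Provider
'

demo() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_CONF" > "$f"
    # same generator as the post, with a /dev/urandom fallback when openssl is absent
    token=$(openssl rand -hex 10 2>/dev/null || head -c 10 /dev/urandom | od -An -tx1 | tr -d ' \n')
    configure_keystone "$f" "$token" "KEYSTONE_DBPASS"
    token_is_set "$f" && echo "admin_token is set"
    cat "$f"
    rm -f "$f"
}
demo
```

On the controller, run `configure_keystone /etc/keystone/keystone.conf "$(openssl rand -hex 10)" KEYSTONE_DBPASS` as root, then `token_is_set /etc/keystone/keystone.conf` before the db_sync step; running it again later only replaces the existing lines rather than duplicating them.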
# su -s /bin/sh -c "keystone-manage db_sync" keystone
To configure the Apache HTTP server

Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:

ServerName controller:80

Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LogLevel info
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
</VirtualHost>

Create the directory structure for the WSGI components:

# mkdir -p /var/www/cgi-bin/keystone

Copy the WSGI components from the upstream repository into this directory:

# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
    --proxy http://proxy.a.b.c:nnnn | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin

Adjust ownership and permissions on this directory and the files in it:

# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*

To finalize installation

Restart the Apache HTTP server:

# systemctl enable httpd.service
# systemctl start httpd.service
[root@Fedora-69 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2015-10-01 15:22:46 EDT; 4min 22s ago
 Main PID: 836 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─ 836 /usr/sbin/httpd -DFOREGROUND
           ├─1252 (wsgi:keystone- -DFOREGROUND
           ├─1253 (wsgi:keystone- -DFOREGROUND
           ├─1254 (wsgi:keystone- -DFOREGROUND
           ├─1256 (wsgi:keystone- -DFOREGROUND
           ├─1258 (wsgi:keystone- -DFOREGROUND
           ├─1259 (wsgi:keystone- -DFOREGROUND
           ├─1266 (wsgi:keystone- -DFOREGROUND
           ├─1267 (wsgi:keystone- -DFOREGROUND
           ├─1268 (wsgi:keystone- -DFOREGROUND
           ├─1274 (wsgi:keystone- -DFOREGROUND
           ├─1275 /usr/sbin/httpd -DFOREGROUND
           ├─1280 /usr/sbin/httpd -DFOREGROUND
           ├─1281 /usr/sbin/httpd -DFOREGROUND
           ├─1294 /usr/sbin/httpd -DFOREGROUND
           └─1295 /usr/sbin/httpd -DFOREGROUND

Oct 01 15:22:44 Fedora-69 systemd[1]: Starting The Apache HTTP Server...
Oct 01 15:22:46 Fedora-69 systemd[1]: Started The Apache HTTP Server.
Now Keystone is up:

[root@Fedora-69 ~]# ps -ef | grep keystone
keystone  1252   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1253   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1254   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1256   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1258   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1259   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1266   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1267   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1268   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND
keystone  1274   836  0 15:22 ?        00:00:00 (wsgi:keystone- -DFOREGROUND

But the client has no settings yet:

[root@Fedora-69 ~]# keystone user-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL]
Create the service entity and API endpoint

Configure the authentication token:

$ export OS_TOKEN=ADMIN_TOKEN

Replace ADMIN_TOKEN with the authentication token generated for /etc/keystone/keystone.conf:

# grep admin_token /etc/keystone/keystone.conf
admin_token = xxxxxxxxxxxxxxxxxx

For example:

$ export OS_TOKEN=294a4c8a8a475f9b9836

Configure the endpoint URL:

$ export OS_URL=http://controller:35357/v2.0

We can put these two variables in ~/.bashrc. They only need to live there until the admin project and user exist; the verification step below unsets them and disables the admin token mechanism, so remove them from ~/.bashrc at that point.
The Identity service manages a catalog of services in your OpenStack environment. Services use this catalog to determine the other services available in your environment. Create the service entity for the Identity service:
[root@Fedora-69 keystone]# env | grep OS_
OS_TOKEN=xxxxxxxxxxxxxx
OS_URL=http://controllerIP:35357/v2.0

# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 5ba7279b62104cf18c232579c3ca074e |   <--- This is generated
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
The Identity service manages a catalog of API endpoints associated with the services in your OpenStack environment. Services use this catalog to determine how to communicate with other services in your environment. OpenStack uses three API endpoint variants for each service: admin, internal, and public. The admin API endpoint allows modifying users and tenants by default, while the public and internal APIs do not. In a production environment, the variants might reside on separate networks that service different types of users for security reasons. For instance, the public API network might be reachable from outside the cloud for management tools, the admin API network might be protected, while the internal API network is connected to each host. Also, OpenStack supports multiple regions for scalability. For simplicity, this guide uses the management network for all endpoint variations and the default RegionOne region. Create the Identity service API endpoint:
# openstack endpoint create \
    --publicurl http://controller:5000/v2.0 \
    --internalurl http://controller:5000/v2.0 \
    --adminurl http://controller:35357/v2.0 \
    --region RegionOne \
    identity
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://xxxxx:35357/v2.0          |
| id           | a6492573509645208f8bf76321cc5ec8 |   <-- this is newly generated
| internalurl  | http://xxxxx:5000/v2.0           |
| publicurl    | http://xxxxx:5000/v2.0           |
| region       | RegionOne                        |
| service_id   | 5ba7279b62104cf18c232579c3ca074e |   <-- this is the same as the service id generated above
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+
Create projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users, and roles.
Create an administrative project, user, and role for administrative operations in your environment:

Create the admin project:

# openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | 9c1cc7fa7fc24c17812ec662555ba519 |   <-- this is generated
| name        | admin                            |
+-------------+----------------------------------+

Create the admin user:

# openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 2dd3f128851f40ceab07b68ed3c90179 |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+

Create the admin role:

# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 7739d55428b74d3280ef942529898c93 |
| name  | admin                            |
+-------+----------------------------------+

Add the admin role to the admin project and user:

# openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 7739d55428b74d3280ef942529898c93 |
| name  | admin                            |
+-------+----------------------------------+

This guide uses a service project that contains a unique user for each service that you add to your environment.

Create the service project:

# openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| enabled     | True                             |
| id          | 1fc68a60fb6049928bd1df6d453d3c12 |
| name        | service                          |
+-------------+----------------------------------+

Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

Create the demo project:

# openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| enabled     | True                             |
| id          | eec1d66ee98a46458c98f2c84607c229 |
| name        | demo                             |
+-------------+----------------------------------+

Create the demo user:

# openstack user create --password-prompt demo
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | b476579221d74f1eb0474fb5d970dead |
| name     | demo                             |
| username | demo                             |
+----------+----------------------------------+

Create the user role:

# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | f3a5581d9de24ceda9d829f5a2bad35e |
| name  | user                             |
+-------+----------------------------------+

Add the user role to the demo project and user:

# openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | f3a5581d9de24ceda9d829f5a2bad35e |
| name  | user                             |
+-------+----------------------------------+
Verify operation of the Identity service before installing other services.

For security reasons, disable the temporary authentication token mechanism: edit the /usr/share/keystone/keystone-dist-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

$ unset OS_TOKEN OS_URL

As the admin user, request an authentication token from the Identity version 2.0 API:

# openstack --os-auth-url http://controller:35357 \
    --os-project-name admin --os-username admin --os-auth-type password \
    token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-10-01T22:52:53Z             |
| id         | 584bc44696234ce9847af1d95fefe0f1 |
| project_id | 9c1cc7fa7fc24c17812ec662555ba519 |
| user_id    | 2dd3f128851f40ceab07b68ed3c90179 |
+------------+----------------------------------+

The Identity version 3 API adds support for domains that contain projects and users. Projects and users can use the same names in different domains. Therefore, in order to use the version 3 API, requests must also explicitly contain at least the default domain or use IDs. For simplicity, this guide explicitly uses the default domain so examples can use names instead of IDs.

# openstack --os-auth-url http://controller:35357 \
    --os-project-domain-id default --os-user-domain-id default \
    --os-project-name admin --os-username admin --os-auth-type password \
    token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-10-01T22:55:12.279133Z      |
| id         | d7b198ae77dd491aa9781332a1cffb70 |
| project_id | 9c1cc7fa7fc24c17812ec662555ba519 |
| user_id    | 2dd3f128851f40ceab07b68ed3c90179 |
+------------+----------------------------------+
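An added example, not from the post or from the Keystone project, for the "disable the temporary authentication token mechanism" step: a function that removes admin_token_auth from exactly the three pipelines named above, and a second function that checks no pipeline still carries it, which is worth re-running after package updates that may replace the paste file. strip_admin_token_auth, admin_token_auth_absent and the abridged, constructed sample paste file are this example's own; the file path and section names come from the step above.

```shell
#!/bin/sh
# Added example (not from the post): remove the admin_token_auth filter from
# the keystone paste pipelines and verify that none still uses it.
PASTE_INI=${PASTE_INI:-/usr/share/keystone/keystone-dist-paste.ini}

# strip_admin_token_auth FILE: drop admin_token_auth from the "pipeline ="
# line of [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3].
# Other sections, including the [filter:admin_token_auth] definition, stay
# untouched; the file keeps its owner and mode (cat >, not mv).
strip_admin_token_auth() {
    tmp=$(mktemp) || return 1
    awk '
        /^\[pipeline:(public_api|admin_api|api_v3)\]$/ { insec = 1; print; next }
        /^\[/ { insec = 0 }
        insec && /^pipeline[ \t]*=/ {
            gsub(/[ \t]+admin_token_auth[ \t]+/, " ")   # filter in the middle of the list
            sub(/[ \t]+admin_token_auth$/, "")          # filter at the end of the list
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# admin_token_auth_absent FILE: exit 0 when no pipeline line still lists the
# admin_token_auth filter (the check to keep in a post-update audit).
admin_token_auth_absent() {
    ! grep -Eq '^pipeline[[:space:]]*=.*[[:space:]]admin_token_auth([[:space:]]|$)' "$1"
}

# Constructed, abridged sample of a Kilo keystone-dist-paste.ini.
SAMPLE_PASTE='[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
'

demo() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_PASTE" > "$f"
    strip_admin_token_auth "$f"
    if admin_token_auth_absent "$f"; then echo "admin_token_auth removed from all pipelines"; fi
    grep '^pipeline' "$f"
    rm -f "$f"
}
demo
```

On the controller run `strip_admin_token_auth "$PASTE_INI"` as root, then `admin_token_auth_absent "$PASTE_INI" && echo ok`; the pipeline is read when the WSGI application loads, so restart httpd afterwards for the change to take effect.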
As the admin user, list projects to verify that the admin user can execute admin-only CLI commands:

# openstack --os-auth-url http://controllerIP:35357 \
    --os-project-name admin --os-username admin --os-auth-type password \
    project list
Password:
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 1fc68a60fb6049928bd1df6d453d3c12 | service |
| 9c1cc7fa7fc24c17812ec662555ba519 | admin   |
| eec1d66ee98a46458c98f2c84607c229 | demo    |
+----------------------------------+---------+

As the admin user, list users to verify that the Identity service

$ openstack --os-auth-url http://controller:35357 \
    --os-project-name admin --os-username admin --os-auth-type password \
    user list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo  |
+----------------------------------+-------+

As the admin user, list roles to verify that the Identity service contains the role that you created in the section called "Create projects, users, and roles":

$ openstack --os-auth-url http://controller:35357 \
    --os-project-name admin --os-username admin --os-auth-type password \
    role list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | user  |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+-------+

As the demo user, request an authentication token from the Identity version 3 API:

$ openstack --os-auth-url http://controller:5000 \
    --os-project-domain-id default --os-user-domain-id default \
    --os-project-name demo --os-username demo --os-auth-type password \
    token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-10-01T23:04:24.894238Z      |
| id         | 138b6ddda1274cf7be39a808f13eb690 |
| project_id | eec1d66ee98a46458c98f2c84607c229 |
| user_id    | b476579221d74f1eb0474fb5d970dead |
+------------+----------------------------------+

As the demo user, attempt to list users to verify that it cannot execute admin-only CLI commands:

# openstack --os-auth-url http://controller:5000 \
>     --os-project-domain-id default --os-user-domain-id default \
>     --os-project-name demo --os-username demo --os-auth-type password \
>     user list
Password:
ERROR: openstack You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-03d61a17-5d9c-4690-a5be-e7c40ba85f93)
Create OpenStack client environment scripts

The previous section used a combination of environment variables and command options to interact with the Identity service via the openstack client. To increase efficiency of client operations, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts typically contain common options for all clients, but also support unique options.

To create the scripts

Create client environment scripts for the admin and demo projects and users. Future portions of this guide reference these scripts to load appropriate credentials for client operations.

Edit the admin-openrc.sh file and add the following content:

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3

Replace ADMIN_PASS with the password you chose for the admin user in the Identity service.

Edit the demo-openrc.sh file and add the following content:

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3

Replace DEMO_PASS with the password you chose for the demo user in the Identity service.

To run clients as a specific project and user, you can simply load the associated client environment script prior to running them. For example, load the admin-openrc.sh file to populate environment variables with the location of the Identity service and the admin project and user credentials:

$ source admin-openrc.sh

Request an authentication token:

# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-10-01T23:13:51.585815Z      |
| id         | bee9cbed0ac24cab901647a5476a0c96 |
| project_id | 9c1cc7fa7fc24c17812ec662555ba519 |
| user_id    | 2dd3f128851f40ceab07b68ed3c90179 |
+------------+----------------------------------+
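An added example, not part of the post: the two OpenRC files above written by a function that creates them readable only by their owner, since OS_PASSWORD sits in them in clear text, plus a check that reports a file whose mode has drifted. write_openrc, openrc_private and openrc_value are this example's own; the variable names and values are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the post): create OpenRC files as mode 0600 and
# verify that they stayed that way.

# write_openrc FILE PROJECT USER PASSWORD AUTH_URL
# The password is written unquoted, as in the post, so it must not contain
# shell metacharacters or whitespace.
write_openrc() {
    (
        umask 077                   # new file is 0600 from its first byte
        cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=$2
export OS_TENANT_NAME=$2
export OS_USERNAME=$3
export OS_PASSWORD=$4
export OS_AUTH_URL=$5
EOF
    ) && chmod 600 "$1"             # also tighten a file that already existed
}

# openrc_private FILE: succeed when the file is exactly rw------- for the owner.
openrc_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# openrc_value FILE VAR: print the value exported for VAR (for checks).
openrc_value() {
    sed -n "s/^export $2=//p" "$1"
}

demo() {
    d=$(mktemp -d)
    write_openrc "$d/admin-openrc.sh" admin admin ADMIN_PASS http://controller:35357/v3
    write_openrc "$d/demo-openrc.sh"  demo  demo  DEMO_PASS  http://controller:5000/v3
    for f in "$d"/*.sh; do
        if openrc_private "$f"; then echo "$f: private"; else echo "$f: WORLD/GROUP READABLE"; fi
    done
    rm -rf "$d"
}
demo
```

`openrc_private ~/admin-openrc.sh || echo "fix permissions"` is a one-line check to keep in a login profile; the admin file carries the credentials that were just shown to be able to list every project and user.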