Debian specifics for keystone

This patch adds Debian specifics for the Keystone install
chapter.

Note that this is a break-down of:
https://review.openstack.org/54394/

into smaller patches.

backport: havana

Change-Id: I9c7383f3daffab06fbe12d35208923eda00b5207
This commit is contained in:
Thomas Goirand 2013-11-01 00:31:27 +08:00
parent 49f2b64f8a
commit 3c42bf4f1b
11 changed files with 77 additions and 43 deletions

View File

@ -3,8 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch_keystone"> xml:id="ch_keystone">
<title>Configure the Identity Service</title>
<title>Configuring the Identity Service</title>
<xi:include href="../common/section_keystone-concepts.xml"/> <xi:include href="../common/section_keystone-concepts.xml"/>
<xi:include href="section_keystone-install.xml"/> <xi:include href="section_keystone-install.xml"/>
<xi:include href="section_keystone-users.xml"/> <xi:include href="section_keystone-users.xml"/>

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 14 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 9.8 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 17 KiB

View File

@ -11,29 +11,12 @@
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install keystone</userinput></screen> <screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install keystone</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone python-keystoneclient</userinput></screen> <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone python-keystoneclient</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-keystone python-keystoneclient openstack-utils</userinput></screen> <screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-keystone python-keystoneclient openstack-utils</userinput></screen>
<note os="debian"><title>Note for Debian users</title>
<para>Note that on Debian system, the above is all what is needed
to install the Identity Service. During the setup, the debconf system will prompt
the user for the database access information. It will then
automatically create the database, configure access rights,
and then modify <filename>/etc/keystone/keystone.conf</filename> to reflect this
configuration. Debconf will also be used to configure the AUTH_TOKEN
administrator password.</para>
<para>The Debian package will then perform the
<code>keystone-manage db_sync</code> for you, and create an "admin/admin" tenant
and user, which you can later use for setting-up the other OpenStack
service (later called "auth token" in this documentation). Finally,
the package will also ask the user to setup the keystone endpoint.
Therefore, if you use Debian, you can skip all the remaining steps below.</para>
<para>If you need to reconfigure Keystone, you can use:
<screen><prompt>#</prompt> <userinput>dpkg-reconfigure -plow keystone</userinput></screen>
or edit the configuration files and manually restart the daemon.</para>
<para>Remember that for using a database server that is installed remotely,
you need to call before installing the Identity Service:
<screen><prompt>#</prompt> <userinput>apt-get install dbconfig-common &amp;&amp; dpkg-reconfigure -plow dbconfig-common</userinput></screen></para>
</note>
</step> </step>
<step> <step os="debian">
<para>Answer to the <systemitem class="library">debconf</systemitem> and
<systemitem class="library">dbconfig-common</systemitem> questions for setting-up the database.</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>The Identity Service uses a database to store information. <para>The Identity Service uses a database to store information.
Specify the location of the database in the configuration file. Specify the location of the database in the configuration file.
In this guide, we use a MySQL database on the controller node In this guide, we use a MySQL database on the controller node
@ -42,8 +25,8 @@
with a suitable password for the database user.</para> with a suitable password for the database user.</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \ <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
sql connection mysql://keystone:<replaceable>KEYSTONE_DBPASS</replaceable>@controller/keystone</userinput></screen> sql connection mysql://keystone:<replaceable>KEYSTONE_DBPASS</replaceable>@controller/keystone</userinput></screen>
<para os="ubuntu;debian">Edit <filename>/etc/keystone/keystone.conf</filename> and change the <literal>[sql]</literal> section.</para> <para os="ubuntu">Edit <filename>/etc/keystone/keystone.conf</filename> and change the <literal>[sql]</literal> section.</para>
<programlisting os="ubuntu;debian" language="ini"> <programlisting os="ubuntu" language="ini">
... ...
[sql] [sql]
# The SQLAlchemy connection string used to connect to the database # The SQLAlchemy connection string used to connect to the database
@ -61,7 +44,7 @@ connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
<screen><prompt>#</prompt> <userinput>openstack-db --init --service keystone --password <replaceable>KEYSTONE_DBPASS</replaceable></userinput></screen> <screen><prompt>#</prompt> <userinput>openstack-db --init --service keystone --password <replaceable>KEYSTONE_DBPASS</replaceable></userinput></screen>
</step> </step>
<step os="ubuntu;debian"> <step os="ubuntu">
<para>First, we need to create a database user called <literal>keystone</literal>, by logging in <para>First, we need to create a database user called <literal>keystone</literal>, by logging in
as root using the password we set earlier.</para> as root using the password we set earlier.</para>
<screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput> <screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput>
@ -71,13 +54,73 @@ IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ <prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput></screen> IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput></screen>
</step> </step>
<step os="ubuntu;debian"> <step os="ubuntu">
<para>We now start the keystone service and create its tables.</para> <para>We now start the keystone service and create its tables.</para>
<screen><prompt>#</prompt> <userinput>keystone-manage db_sync</userinput> <screen><prompt>#</prompt> <userinput>keystone-manage db_sync</userinput>
<prompt>#</prompt> <userinput>service keystone restart</userinput></screen> <prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
</step> </step>
<step os="debian">
<para>You need to define an authorization token that is used as a
shared secret between the Identity Service and other OpenStack services.
Fill-in the <systemitem class="library">debconf</systemitem> prompt with the value that will be put in the
<code>admin_token</code> directive of <filename>keystone.conf</filename>. It is
recommended to generate this password with <command>openssl rand -hex 10</command>.
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_1_admin_token.png"/>
</imageobject>
</mediaobject>
</para>
<para>Later on, you can verify that <filename>/etc/keystone/keystone.conf</filename>
contains the password you have set using <systemitem class="library">debconf</systemitem>:
<programlisting language="ini">
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
</programlisting></para>
</step>
<step os="debian">
<para>Answer to the <systemitem class="library">debconf</systemitem> prompts to create an admin tenant.
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png"/>
</imageobject>
</mediaobject>
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_3_admin_user_name.png"/>
</imageobject>
</mediaobject>
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_4_admin_user_email.png"/>
</imageobject>
</mediaobject>
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_5_admin_user_pass.png"/>
</imageobject>
</mediaobject>
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png"/>
</imageobject>
</mediaobject>
</para>
</step>
<step> <step>
<para>If this is the first time you install Keystone, then you should
register Keystone in the Keystone catalogue of services:
<mediaobject>
<imageobject>
<imagedata scale="50" fileref="figures/debconf-screenshots/keystone_7_register_endpoint.png"/>
</imageobject>
</mediaobject>
</para>
</step>
<step os="rhel;centos;fedora;opensuse;sles;ubuntu">
<para>You need to define an authorization token that is used as a <para>You need to define an authorization token that is used as a
shared secret between the Identity Service and other OpenStack services. shared secret between the Identity Service and other OpenStack services.
Use <command>openssl</command> to generate a random token, then store it Use <command>openssl</command> to generate a random token, then store it
@ -85,18 +128,17 @@ IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput></screen>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>ADMIN_TOKEN=$(openssl rand -hex 10)</userinput> <screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>ADMIN_TOKEN=$(openssl rand -hex 10)</userinput>
<prompt>#</prompt> <userinput>echo $ADMIN_TOKEN</userinput> <prompt>#</prompt> <userinput>echo $ADMIN_TOKEN</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN</userinput></screen> <prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN</userinput></screen>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>openssl rand -hex 10</userinput></screen> <screen os="ubuntu"><prompt>#</prompt> <userinput>openssl rand -hex 10</userinput></screen>
<para os="sles;opensuse">For SUSE Linux Enterprise use instead as first command:</para> <para os="sles;opensuse">For SUSE Linux Enterprise use instead as first command:</para>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')</userinput></screen> <screen os="opensuse;sles"><prompt>#</prompt> <userinput>ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')</userinput></screen>
<para os="ubuntu;debian">Edit <filename>/etc/keystone/keystone.conf</filename> and <para os="ubuntu">Edit <filename>/etc/keystone/keystone.conf</filename> and
change the <literal>[DEFAULT]</literal> section, replacing ADMIN_TOKEN with the results of the command.</para> change the <literal>[DEFAULT]</literal> section, replacing ADMIN_TOKEN with the results of the command.</para>
<programlisting os="ubuntu;debian" language="ini"> <programlisting os="ubuntu" language="ini">
[DEFAULT] [DEFAULT]
# A "shared secret" between keystone and other openstack services # A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN admin_token = ADMIN_TOKEN
... ...
</programlisting> </programlisting>
</step> </step>
@ -116,7 +158,7 @@ admin_token = ADMIN_TOKEN
<prompt>#</prompt> <userinput>sed -e "s,%SERVICE_HOST%,192.168.0.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \ <prompt>#</prompt> <userinput>sed -e "s,%SERVICE_HOST%,192.168.0.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG</userinput></screen> $KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG</userinput></screen>
</step> </step>
<step os="ubuntu;debian"> <step os="ubuntu">
<para>Restart the Identity service.</para> <para>Restart the Identity service.</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen> <screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
</step> </step>

View File

@ -1,16 +1,9 @@
<section xmlns="http://docbook.org/ns/docbook" <section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="keystone-services"> xml:id="keystone-services"
os="rhel;centos;fedora;opensuse;sles;ubuntu">
<title>Defining Services and API Endpoints</title> <title>Defining Services and API Endpoints</title>
<note os="debian"><title>Note for Debian users</title>
<para>On Debian systems, the Keystone package
will prompt the user for automatically creating the service end API
endpoint of Keystone (in the Keystone database itself). So if you
directed the package to do so, you don't need to perform the commands
detailed in this section, as it will have been done automatically.
However, it is advised to still read it to understand what has been
done by the Keystone package.</para></note>
<para>The Identity Service also tracks what OpenStack services are <para>The Identity Service also tracks what OpenStack services are
installed and where to locate them on the network. For each service installed and where to locate them on the network. For each service
on your OpenStack installation, you must call on your OpenStack installation, you must call

View File

@ -1,7 +1,7 @@
<section xmlns="http://docbook.org/ns/docbook" <section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" version="5.0"
xml:id="keystone-users"> xml:id="keystone-users" os="rhel;centos;fedora;opensuse;sles;ubuntu">
<title>Defining Users, Tenants, and Roles</title> <title>Defining Users, Tenants, and Roles</title>
<para>Once Keystone is installed and running, you set up users, tenants, <para>Once Keystone is installed and running, you set up users, tenants,