openstack/openstack-manuals
Code Issues Proposed changes

Drafting updates to install/deploy

Browse Source 
Fixed pom file to create a -trunk pdf.
Updated Dashboard image.
Added keystone.conf file after testing with a VM
Added more to glance validation steps
Still needs testing but might be close enough?
Also want to get Xen in there but we can publish before that.
Updated Keystone config based on reviews and Mailing List input.
Removed "identity management" chapter as it was overkill for this context.
Changed the ADMIN fake token to 012345SECRET99TOKEN012345.
Update to include Glance configuration files.
Updated to use an essex-style nova.conf file.
Please review with "draft" in mind and give feedback.

Change-Id: Ic7e50eddf7130bbbbce28f2646e2eb1d85583294
This commit is contained in:
annegentle 2012-03-09 23:41:35 -06:00
parent e150a117b4
commit 51e8b40aef
34 changed files with 784 additions and 489 deletions

13
doc/src/docbkx/common/ch_identity_mgmt.xml

@ -2,7 +2,7 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch-identity-mgmt">
xml:id="ch-identity-mgmt-config">
<title>Identity Management</title>
<para>
The default identity management system for OpenStack is the OpenStack Identity Service, code-named Keystone.
@ -880,7 +880,7 @@ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
<?dbhtml stop-chunking?>
<title>Configuring Services to work with Keystone</title>
<para>
Once Keystone is installed and running (see :doc:`configuration`),
Once Keystone is installed and running,
services need to be configured to work with it. To do this, we
primarily install and configure middleware for the OpenStack service
to handle authentication tasks or otherwise interact with Keystone.
@ -889,13 +889,11 @@ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
In general: * Clients making calls to the service will pass in an
authentication token. * The Keystone middleware will look for and
validate that token, taking the appropriate action. * It will also
retrive additional information from the token such as user name, id,
retrieve additional information from the token such as user name, id,
tenant name, id, roles, etc...
</para>
<para>
The middleware will pass those data down to the service as headers.
More details on the architecture of that setup is described in
:doc:`middleware_architecture`
</para>
<section xml:id="setting-up-credentials">
<title>Setting up credentials</title>
@ -927,9 +925,7 @@ keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
<para>
You need to minimally define a tenant, user, and role to link
the tenant and user as the most basic set of details to get
other services authenticating and authorizing with keystone. See
doc:`configuration` for a walk through on how to create tenants,
users, and roles.
other services authenticating and authorizing with keystone.
</para>
</section>
</section>
@ -996,7 +992,6 @@ keystone service-create --name=swift \
When configuring Nova, it is important to create a admin service
token for the service (from the Configuration step above) and
include that as the key 'admin_token' in the nova-api-paste.ini.
See the documented :doc:`nova-api-paste` file for references.
</para>
</section>
<section xml:id="configuring-swift-to-use-keystone">

16
doc/src/docbkx/openstack-compute-admin/bk-compute-adminguide.xml

@ -7,7 +7,7 @@
version="5.0"
xml:id="openstack-compute-admin-manual">
<?rax pdf.url="../os-compute-adminguide-trunk.pdf"?>
<title>OpenStack Compute Admin Manual</title>
<title>OpenStack Compute Administration Manual</title>
<info>
<author>
<personname>
@ -26,7 +26,7 @@
</copyright>
<releaseinfo>trunk</releaseinfo>
<productname>OpenStack Compute</productname>
<pubdate>2011-11-14</pubdate>
<pubdate>2012-3-11</pubdate>
<legalnotice role="apache2">
<annotation>
<remark>Copyright details are filled in by the template.</remark>
@ -43,6 +43,16 @@
managing, and understanding the software that runs OpenStack Compute. </para>
</abstract>
<revhistory>
<revision>
<date>2012-03-11</date>
<revdescription>
<itemizedlist spacing="compact">
<listitem>
<para>Large reorganization, moving identity and image service administration as chapters in this book.</para>
</listitem>
</itemizedlist>
</revdescription>
</revision>
<revision>
<date>2011-11-15</date>
<revdescription>
@ -71,10 +81,10 @@
<xi:include href="computeconfigure.xml"/>
<xi:include href="../common/ch_identity_mgmt.xml"/>
<xi:include href="computehypervisors.xml"/>
<xi:include href="computeautomation.xml"/>
<xi:include href="computenetworking.xml"/>
<xi:include href="computeadmin.xml"/>
<xi:include href="interfaces.xml"/>
<xi:include href="computeautomation.xml"/>
<xi:include href="computetutorials.xml"/>
<xi:include href="../common/support.xml"/>
</book>

4
doc/src/docbkx/openstack-compute-admin/computeadmin.xml

@ -198,14 +198,14 @@ chmod 600 test.pem
planned; or if the instance are not frequently used. Suspending an instance frees up
memory and vCPUS, while pausing keeps the instance running, in a "frozen" state.
Suspension could be compared to an "hibernation" mode.</para>
<section>
<section xml:id="pausing-instance">
<title>Pausing instance</title>
<para>To pause an instance :</para>
<literallayout class="monospaced">nova pause $server-id </literallayout>
<para>To resume a paused instance :</para>
<literallayout class="monospaced">nova unpause $server-id </literallayout>
</section>
<section>
<section xml:id="suspending-instance">
<title>Suspending instance</title>
<para> To suspend an instance :</para>
<literallayout class="monospaced">nova suspend $server-id </literallayout>

81
doc/src/docbkx/openstack-compute-admin/computeautomation.xml

@ -153,87 +153,6 @@ ssh -i mykey.priv 10.0.0.3</literallayout>
glance should be installed before using nova.</para>
</simplesect>
</section>
<section xml:id="openstack-compute-installation-using-virtualbox-vagrant-and-chef">
<title>OpenStack Compute Installation Using VirtualBox, Vagrant, And Chef</title>
<para>Integration testing for distributed systems that have many dependencies can be a huge challenge. Ideally, you would have a cluster of machines that you could PXE boot to a base OS install and run a complete install of the system. Unfortunately not everyone has a bunch of extra hardware sitting around. For those of us that are a bit on the frugal side, a whole lot of testing can be done with Virtual Machines. Read on for a simple guide to installing OpenStack Compute (Nova) with VirtualBox and Vagrant.</para>
<simplesect><title>Installing VirtualBox</title>
<para>VirtualBox is virtualization software by Oracle. It runs on Mac/Linux/Windows and can be controlled from the command line. Note that we will be using VirtualBox 4.0 and the vagrant prerelease.</para>
<para>OSX</para>
<literallayout class="monospaced">curl -O http://download.virtualbox.org/virtualbox/4.0.2/VirtualBox-4.0.2-69518-OSX.dmg&#x000A;open VirtualBox-4.0.2-69518-OSX.dmg</literallayout>
<para>Ubuntu Maverick</para>
<literallayout class="monospaced">wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -&#x000A;echo &quot;deb http://download.virtualbox.org/virtualbox/debian maverick contrib&quot; | sudo tee /etc/apt/sources.list.d/virtualbox.list&#x000A;sudo apt-get update&#x000A;sudo apt-get install -y virtualbox-4.0</literallayout>
<para>Ubuntu Lucid</para>
<literallayout class="monospaced">wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -&#x000A;echo &quot;deb http://download.virtualbox.org/virtualbox/debian lucid contrib&quot; | sudo tee /etc/apt/sources.list.d/virtualbox.list&#x000A;sudo apt-get update&#x000A;sudo apt-get install -y virtualbox-4.0</literallayout></simplesect>
<simplesect><title>Install RubyGems</title>
<para>The following instructions for installing Vagrant use RubyGems for the installation commands. You can download RubyGems from <link xlink:href="http://rubygems.org/pages/download">http://rubygems.org/pages/download</link>. </para>
</simplesect>
<simplesect><title>Get the Vagrant Pre-release</title>
<para>OSX</para>
<literallayout class="monospaced">sudo gem update -- system&#x000A;sudo gem install vagrant -- pre</literallayout>
<para>Ubuntu Maverick</para>
<literallayout class="monospaced">sudo gem install vagrant --pre&#x000A;sudo ln -s /var/lib/gems/1.8/bin/vagrant /usr/local/bin/vagrant</literallayout>
<para>Ubuntu Lucid</para>
<literallayout class="monospaced">wget http://production.cf.rubygems.org/rubygems/rubygems-1.3.6.zip&#x000A;sudo apt-get install -y unzip&#x000A;unzip rubygems-1.3.6.zip&#x000A;cd rubygems-1.3.6&#x000A;sudo ruby setup.rb&#x000A;sudo gem1.8 install vagrant --pre</literallayout></simplesect>
<simplesect> <title>Get the Chef Recipes</title>
<literallayout class="monospaced">cd ~&#x000A;git clone https://github.com/ansolabs/openstack-cookbooks.git</literallayout>
</simplesect>
<simplesect><title>Set Up Some Directories</title>
<literallayout class="monospaced">mkdir aptcache&#x000A;mkdir chef&#x000A;cd chef</literallayout>
</simplesect>
<simplesect><title>Get the chef-solo Vagrant file</title>
<para>Provisioning for vagrant can use chef-solo, chef-server, or puppet. We&#8217;re going to use chef-solo for the installation of OpenStack Compute.</para>
<literallayout class="monospaced">curl -o Vagrantfile https://raw.github.com/gist/786945/solo.rb</literallayout>
</simplesect>
<simplesect><title>Running OpenStack Compute within a Vagrant Instance</title>
<para>Installing and running OpenStack Compute is as simple as typing "vagrant up"</para>
<literallayout class="monospaced">vagrant up</literallayout>
<para>In 3-10 minutes, your vagrant instance should be running. NOTE: Some people report an
error from vagrant complaining about MAC addresses the first time they vagrant up.
Doing <code>vagrant up</code> again seems to resolve the problem.</para>
<literallayout class="monospaced">vagrant ssh</literallayout>
<para>Now you can run an instance and connect to it:</para>
<literallayout class="monospaced">. /vagrant/novarc&#x000A;euca-add-keypair test &gt; test.pem&#x000A;chmod 600 test.pem&#x000A;euca-run-instances -t m1.tiny -k test ami-tty&#x000A;# wait for boot (euca-describe-instances should report running)&#x000A;ssh -i test.pem root@10.0.0.3</literallayout>
<para>Yo, dawg, your VMs have VMs! That is, you are now running an instance inside of OpenStack Compute, which itself is running inside a VirtualBox VM.</para>
<para>When the you are finished, you can destroy the entire system with vagrant destroy. You will also need to remove the .pem files and the novarc if you want to run the system again.</para>
<literallayout class="monospaced">vagrant destroy&#x000A;rm *.pem novarc</literallayout></simplesect>
<simplesect><title>Using the dashboard
</title><para>The OpenStack Dashboard should be running on 192.168.86.100. You can login using username: admin, password: vagrant.</para>
</simplesect></section>
</chapter>

3
doc/src/docbkx/openstack-compute-admin/computeinstall.xml

@ -139,7 +139,7 @@
<section xml:id="installing-openstack-compute-on-rhel6">
<title>Installing on Fedora or Red Hat Enterprise Linux 6</title>
<?dbhtml stop-chunking?>
<para>The Fedora project provides OpenStack packages in Fedora 16 and
later. Fedora also provides packages for RHEL6 via the EPEL (Extra
Packages for Enterprise Linux) 6 repository. If you would like to install
@ -268,6 +268,7 @@
</section>
<section xml:id="configuring-openstack-compute-basics">
<?dbhtml stop-chunking?>
<title>Post-Installation Configuration for OpenStack Compute</title>
<para>Configuring your Compute installation involves

4
doc/src/docbkx/openstack-compute-admin/computenetworking.xml

@ -385,6 +385,7 @@ brctl delbr br_NNN</literallayout>
disconnect any users that are connected with revoked certificates when their
connection is renegotiated (every hour). </para>
<section xml:id="creating-a-cloudpipe-image">
<?dbhtml stop-chunking?>
<title>Creating a Cloudpipe Image</title>
<para>
Making a cloudpipe image is relatively easy.
@ -563,7 +564,8 @@ valid_lft forever preferred_lft forever
<para>Note that you cannot SSH to an instance with a public IP from within the same
server as the routing configuration won't allow it. </para>
</section>
<section xml:id="allocating-associating-ip-addresses"><title>Allocating and Associating IP Addresses with Instances</title><para>You can use Euca2ools commands to manage floating IP addresses used with Flat DHCP or VLAN
<section xml:id="allocating-associating-ip-addresses"><title>Allocating and Associating IP Addresses with Instances</title>
<para>You can use nova client commands to manage floating IP addresses used with Flat DHCP or VLAN
networking. </para>
<para>To assign a reserved IP address to your project, removing it from the pool of

23
doc/src/docbkx/openstack-install/ap_configuration_files.xml

@ -9,11 +9,16 @@
<section xml:id="glance-registry-conf-file"><title>glance-registry.conf</title><para>The Identity service's registry, which stores the metadata about
images, is found in /etc/glance/glance-registry.conf. This
file needs to be modified after installing with the
packages. </para>
file needs to be modified after installing. </para>
<literallayout class="monospaced"><xi:include parse="text"
href="samples/glance-registry.conf"/></literallayout></section>
<section xml:id="glance-registry-paste-file"><title>glance-registry-paste.ini</title>
<para>The Identity service's API middleware pipeline is found in /etc/glance/glance-registry-paste.ini. This
file needs to be modified after installing. </para>
<literallayout class="monospaced"><xi:include parse="text"
href="samples/glance-registry-paste.ini"/></literallayout></section>
<section xml:id="glance-api-conf-file"><title>glance-api.conf</title><para>The configuration file for the Identity API is found in
/etc/glance/glance-api.conf. You need to change this file
@ -21,15 +26,23 @@
<literallayout class="monospaced"><xi:include parse="text"
href="samples/glance-api.conf"/></literallayout></section>
<section xml:id="glance-api-paste-file"><title>glance-api-paste.ini</title>
<para>The Identity service's API middleware pipeline is found in /etc/glance/glance-api-paste.ini. This
file needs to be modified after installing. </para>
<literallayout class="monospaced"><xi:include parse="text"
href="samples/glance-api-paste.ini"/></literallayout></section>
<section xml:id="glance-scrubber-conf-file"><title>glance-scrubber.conf</title><para>An additional configuration file for the Identity service is found in
/etc/glance/glance-scrubber.conf. You need to ensure you point to the mysql database in this configuration file. </para>
<literallayout class="monospaced"><xi:include parse="text"
href="samples/glance-scrubber.conf"/></literallayout></section>
<section xml:id="nova-conf-file"><title>nova.conf</title><para>The configuration file for Compute (nova) settings is stored in
/etc/nova/nova.conf. To see a list of all possible flags
for this file, you can run nova-&lt;service> --help from
the command line, for example, nova-api --help. </para>
/etc/nova/nova.conf. To see a list of all possible
configuration options for this file, refer to the
OpenStack wiki at
<link xlink:href="http://wiki.openstack.org/NovaConfigOptions">http://wiki.openstack.org/NovaConfigOptions</link>. </para>
<literallayout class="monospaced"><xi:include parse="text" href="samples/nova.conf"
/></literallayout></section>
<section xml:id="api-paste-ini-file"><title>api-paste.ini</title><para>The configuration file for Compute (Nova) for the EC2 API and

31
doc/src/docbkx/openstack-install/bk_openstackinstallguide.xml

@ -23,9 +23,9 @@
<year>2012</year>
<holder>OpenStack LLC</holder>
</copyright>
<releaseinfo>stable/diablo</releaseinfo>
<releaseinfo>essex</releaseinfo>
<productname>OpenStack</productname>
<pubdate>2012-01-24</pubdate>
<pubdate>2012-03-19</pubdate>
<legalnotice role="apache2">
<annotation>
<remark>Copyright details are filled in by the template.</remark>
@ -46,12 +46,37 @@
files. </para>
</abstract>
<revhistory>
<revision>
<date>2012-03-09</date>
<revdescription>
<itemizedlist spacing="compact">
<listitem>
<para>Updates for Essex release, includes
new Glance config files, new Keystone
configuration.</para>
</listitem>
</itemizedlist>
</revdescription>
</revision>
<revision>
<date>2012-01-24</date>
<revdescription>
<itemizedlist spacing="compact">
<listitem>
<para>Initial draft for Essex.</para>
<itemizedlist>
<listitem><para>Assumes use of Ubuntu 12.04 repository.</para></listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</revdescription>
</revision>
<revision>
<date>2011-01-24</date>
<revdescription>
<itemizedlist spacing="compact">
<listitem>
<para>Initial draft.</para>
<para>Initial draft for Diablo.</para>
</listitem>
</itemizedlist>
</revdescription>

5
doc/src/docbkx/openstack-install/ch_installcomputeimage.xml

@ -6,7 +6,6 @@
<title>Installing OpenStack Compute and Image Service</title>
<para>The OpenStack Compute and Image services work together to provide access to virtual servers and images through REST APIs.</para>
<xi:include href="install-config-glance.xml" />
<xi:include href="configure-creds.xml" />
<xi:include href="images-verifying-install.xml" />
<xi:include href="compute-assumptions-installation.xml" />
<xi:include href="compute-config-guest-network.xml" />
@ -17,8 +16,8 @@
<xi:include href="compute-db-sync.xml"/>
<xi:include href="compute-create-network.xml" />
<xi:include href="compute-verifying-install.xml" />
<!--<xi:include href="installing-additional-compute-nodes.xml" />-->
<xi:include href="configure-creds.xml" />
<xi:include href="installing-additional-compute-nodes.xml" />
<!--<xi:include href="nova-manage-initial-user-project.xml" />-->
<!--<xi:include href="enable-access-security-group.xml" />-->
<!--<xi:include href="compute-migrating-from-cactus-to-diablo.xml"/>-->

7
doc/src/docbkx/openstack-install/ch_installidentity.xml

@ -4,9 +4,10 @@
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch_installing-openstack-identity-service">
<title>Installing OpenStack Identity Service </title>
<para>The OpenStack Identity service manages users, tenants (accounts) and offers a common identity system for all the OpenStack components.</para>
<para>The OpenStack Identity service manages users, tenants
(accounts or projects) and offers a common identity system for
all the OpenStack components.</para>
<xi:include href="identity-install-keystone.xml" />
<xi:include href="identity-config-keystone.xml" />
<xi:include href="identity-install-keystone.xml"/>
<xi:include href="identity-verify-install.xml" />
</chapter>

14
doc/src/docbkx/openstack-install/ch_installing-openstack-overview.xml

@ -16,12 +16,14 @@
such as images or videos. This walk-through starts with
Compute and related services and we will add Object Storage at
a later date.</para>
<para>This installation walk-through goes through a very specific
path for installing OpenStack on Ubuntu 11.04 or 11.10 with
root access and specific configuration settings using MySQL
for related databases. Here are the overall steps:</para>
<para>Here are the overall steps:</para>
<orderedlist>
<listitem><para>Select a set of packages for your repository.</para></listitem>
<listitem><para>Review the most supported platforms.</para>
<para>This installation walk-through goes through a
very specific path for installing OpenStack on Ubuntu
12.04 with root access and specific configuration
settings using MySQL for related databases. Fedora and
Ubuntu are the most tested platforms currently. </para></listitem>
<listitem>
<para>Install the Identity Service (Keystone).</para>
</listitem>
@ -65,7 +67,5 @@
</orderedlist>
<xi:include href="compute-sys-requirements.xml" />
<xi:include href="compute-network-planning.xml" />
<xi:include href="preconfig-rcb-packages.xml" />
<xi:include href="preconfig-managedit-packages.xml" />
<xi:include href="installing-ntp.xml" />
</chapter>

19
doc/src/docbkx/openstack-install/compute-assumptions-installation.xml

@ -6,12 +6,12 @@
<title>Packaged Compute Installation with the Image and Identity
Services</title>
<para>The manual installation involves installing OpenStack
Compute from packages on Ubuntu 11.04 or 11.10 as a user named
nova with root permission. This guide is written with all
commands prefixed with sudo.</para>
Compute from packages on Ubuntu 12.04 as a user named nova
with root permission. This guide is written with all commands
prefixed with sudo.</para>
<para>Our assumptions for this installation are that you have a
base Ubuntu Server 11.04 or 11.10 ready. For this
installation, use the following assumptions:</para>
base Ubuntu Server 12.04 ready. For this installation, use the
following assumptions:</para>
<para>
<itemizedlist>
<listitem><para>Installing with a user with sudo access named "nova" (though you can use any username).</para></listitem>
@ -40,7 +40,7 @@
<para>FlatDHCP with a single network interface.</para>
</listitem>
<listitem>
<para>KVM or QEMU as the hypervisor.</para>
<para>KVM or Xen as the hypervisor. </para>
</listitem>
<listitem>
<para>Ensure the operating system is
@ -58,11 +58,6 @@
node contains all the nova- services including the API server
and the database server. The compute node needs to run only
the nova-compute service. You only need one nova-network
service running in a multi-node install. You cannot install
nova-objectstore on a different machine from nova-compute,
although production-style deployments will use an Image
Service (Glance) server for virtual images so you do not need
to install nova-objectstore when using the Image
Service.</para>
service running in a multi-node install. </para>
</section>

5
doc/src/docbkx/openstack-install/compute-cloud-controller.xml

@ -4,8 +4,9 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Installing the Cloud Controller</title>
<para>Install
the messaging queue server, RabbitMQ.</para>
<para>Install the messaging queue server, RabbitMQ. You also have
the option of installing Apache Qpid, refer to the Compute
Administration Manual for instructions.</para>
<literallayout class="monospaced">sudo apt-get install rabbitmq-server</literallayout>
<para>Install the required nova- packages, and dependencies are automatically
installed.</para>

2
doc/src/docbkx/openstack-install/compute-db-sync.xml

@ -11,7 +11,7 @@
response means the command completed correctly and your
nova database is now populated.</para>
<para>On both nodes, restart all services in total, just to cover the entire
<para>Restart all services in total, just to cover the entire
spectrum: </para>
<para>
<literallayout class="monospaced">sudo restart nova-api

44
doc/src/docbkx/openstack-install/compute-minimum-configuration.xml

@ -22,29 +22,29 @@
sudo usermod -g nova nova
sudo chown -R root:nova /etc/nova
sudo chmod 640 /etc/nova/nova.conf</literallayout>
<para>The hypervisor is set either by editing
/etc/nova/nova.conf or referring to nova-compute.conf in
the nova.conf file. The hypervisor defaults to "kvm", but
if you are working within a VM already, switch to "qemu"
on the --libvirt_type= line. </para>
<para>The hypervisor is set either by editing /etc/nova/nova.conf
or referring to nova-compute.conf in the nova.conf file. The
hypervisor defaults to "kvm", but if you are working within a
VM already, switch to "qemu" on the --libvirt_type= line. To
use Xen, refer to the overview in this book for where to
install nova components. </para>
<para>Ensure the database connection defines your backend data
store by adding a --sql_connection line to nova.conf:
"--sql_connection=mysql://[ user ]:[ pass ]@[ primary IP
]/[ db name ]", such as
--sql_connection=mysql://nova:yourpassword@192.168.206.130/nova.</para>
<para>Add these settings to /etc/nova/nova.conf for the
network configuration assumptions made for this
installation scenario. You can place comments in the
nova.conf file by entering a new line with a # sign at the
beginning of the line. To see a listing of all possible
flag settings, see the output of running /bin/nova-api
--help.</para>
<literallayout class="monospaced">--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=192.168.100.0/24
--flat_network_dhcp_start=192.168.100.2
--public_interface=eth0
--flat_interface=eth0
--flat_network_bridge=br100</literallayout>
store by adding a sql_connection line to nova.conf:
"sql_connection=mysql://[ user ]:[ pass ]@[ primary IP ]/[ db
name ]", such as
sql_connection=mysql://nova:yourpassword@192.168.206.130/nova.</para>
<para>Add these settings to /etc/nova/nova.conf for the network
configuration assumptions made for this installation scenario.
You can place comments in the nova.conf file by entering a new
line with a # sign at the beginning of the line. To see a
listing of all possible configuration option settings, see
<link xlink:href="http://wiki.openstack.org/NovaConfigOptions">http://wiki.openstack.org/NovaConfigOptions</link>.</para>
<literallayout class="monospaced">network_manager=nova.network.manager.FlatDHCPManager
fixed_range=192.168.100.0/24
flat_network_dhcp_start=192.168.100.2
public_interface=eth0
flat_interface=eth0
flat_network_bridge=br100</literallayout>
<para>Here is an example nova.conf with commented
sections:</para>
<para><literallayout class="monospaced"><xi:include parse="text" href="samples/nova.conf"/>

8
doc/src/docbkx/openstack-install/compute-sys-requirements.xml

@ -83,13 +83,11 @@
</table>
<para><emphasis role="bold">Operating System</emphasis>: OpenStack
currently has packages for the following distributions:
Ubuntu, RHEL, SUSE, Debian, and Fedora. These packages are
maintained by community members, refer to <link
CentOS, Debian, Fedora, RHEL, Debian, and Ubuntu. These
packages are maintained by community members, refer to <link
xlink:href="http://wiki.openstack.org/Packaging"
>http://wiki.openstack.org/Packaging</link> for additional
links. This guide refers to packages from two community
sources: Rackspace Cloud Builder packages for Ubuntu Maverick,
Natty, or Oneiric and Managed IT packages for Oneiric.</para>
links.</para>
<para><emphasis role="bold">Database</emphasis>: For
OpenStack Compute, you need access to either a PostgreSQL
or MySQL database, or you can install it as part of the

5
doc/src/docbkx/openstack-install/compute-verifying-install.xml

@ -16,7 +16,8 @@ nova-compute ubuntu nova enabled
command:</para>
<literallayout class="monospaced">sudo nova-manage version list</literallayout>
<para>The version number 2011.3 corresponds with the Diablo release of Compute.</para>
<para>The version number 2012.1 corresponds with the Essex
release of Compute.</para>
<literallayout class="monospaced">2011.3 (2011.3-LOCALBRANCH:LOCALREVISION)</literallayout>
<literallayout class="monospaced">2012.1 (2012.1-LOCALBRANCH:LOCALREVISION)</literallayout>
</section>

4
doc/src/docbkx/openstack-install/dashboard-verify.xml

@ -7,10 +7,10 @@
<para>To validate the Dashboard installation, point your browser at
http://192.168.206.130. Note that you cannot use VNC Console
from a Chrome browser. You need both Flash installed and a
Firefox browser . Once you connect to the Dashboard with the
Firefox browser. Once you connect to the Dashboard with the
URL, you should see a login window. Enter the credentials for
users you created with the Identity Service, Keystone. For
example, enter "admin" for the username and "secretword" as
example, enter "adminUser" for the username and "secretword" as
the password.</para>
<mediaobject>
<imageobject role="fo">

BIN
doc/src/docbkx/openstack-install/figures/dashboard-overview.png

Binary file not shown.
Side by Side Swipe

Before

(image error) Size: 87 KiB

After

(image error) Size: 70 KiB

116
doc/src/docbkx/openstack-install/identity-config-keystone.xml

@ -2,47 +2,41 @@
<section xml:id="identity-configure-keystone"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"><title>Defining Roles and Users in the Identity Service (Keystone)</title>
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Defining Roles and Users in the Identity Service (Keystone)</title>
<para>Before you begin, ensure that the OpenStack Compute and Image
services are installed and connect all databases prior to
configuring the Identity Service endpoints. </para>
<para>Next you add the default tenant, an administrator, roles,
and users to get a working installation started. The initial
tenant, username, and password is openstackdemo, admin, and
secretword.</para>
<para>First, add two tenants, one named openstackDemo, one named
adminTenant.</para>
<literallayout class="monospaced">sudo keystone-manage tenant add openstackDemo
sudo keystone-manage tenant add adminTenant</literallayout>
<para>In return for these commands, you should see a SUCCESS
message, such as:</para>
<para>
<literallayout class="monospaced">SUCCESS: Tenant openstackDemo created.</literallayout>
</para>
<para>Now, add users and assign their passwords.</para>
<literallayout class="monospaced">sudo keystone-manage user add adminUser secretword
sudo keystone-manage user add demoUser secretword</literallayout>
<para>Now add an invented token (any combination of numbers and
letters will do) to the admin user for the openstackdemo
tenant and ensure there's an expiration date assigned. This
one expires in about four years.</para>
<literallayout class="monospaced">sudo keystone-manage token add 11121314151617181920 adminUser adminTenant 2015-02-05T00:0 </literallayout>
<para>If you see an error like "Creating a token requires a token
id, user, tenant, and expiration" it's possible you're missing
the expiration date. </para>
<para>Create the Admin role and the Member role.</para>
<literallayout class="monospaced">sudo keystone-manage role add Admin
sudo keystone-manage role add Member</literallayout>
<para>Grant the Admin role to the admin user and then grant the Member
role to the demo user.</para>
<literallayout class="monospaced">sudo keystone-manage role grant Admin adminUser
sudo keystone-manage role grant Member demoUser</literallayout>
<para>Grant the Admin role to the adminUser user for the openstackDemo
and adminTenant tenant. Grant the Member role to the demoUser
for the openstackDemo tenant.</para>
<literallayout class="monospaced">sudo keystone-manage role grant Admin adminUser openstackDemo
sudo keystone-manage role grant Admin adminUser adminTenant
sudo keystone-manage role grant Member demoUser openstackDemo</literallayout>
<para>Create tenants first. Here is an example set.</para>
<literallayout class="monospaced">ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)</literallayout>
<para>Next, create users.</para>
<literallayout class="monospaced">ADMIN_USER=$(get_id keystone user-create --name=admin \
--pass="$ADMIN_PASSWORD" \
--email=admin@example.com)
DEMO_USER=$(get_id keystone user-create --name=demo \
--pass="$ADMIN_PASSWORD" \
--email=demo@example.com)</literallayout>
<para>Here are some roles to create.</para>
<literallayout class="monospaced">ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin)
NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin)</literallayout>
<para>Add Roles to Users in Tenants</para>
<literallayout class="monospaced">keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
</literallayout>
<para>Also, the Member role is used by Horizon and Swift so we need to continue creating it:</para>
<literallayout class="monospaced">MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT</literallayout>
<section xml:id="identity-define-services-endpoints">
<title>Define Services and Endpoints</title>
@ -50,24 +44,38 @@ sudo keystone-manage role grant Member demoUser openstackDemo</literallayout>
been created, let's move on to endpoints. </para>
<para>First add all the services you want to have the Identity
service connected with. Here's an example using all the
available services in this example. You may see an
IntegrityError error when using the Manage IT packages and
issuing these
commands.<literallayout class="monospaced">sudo keystone-manage service add nova compute "Nova Compute Service"
sudo keystone-manage service add glance image "Glance Image Service"
sudo keystone-manage service add keystone identity "Keystone Identity Service"<!--sudo keystone-manage service add swift object-store "Swift Object Storage Service"--></literallayout></para>
<para>Now add endpoint templates each of these now-named services,
which put together the IP addresses, port values, and API
version number to make an entire endpoint.
<literallayout class="monospaced">sudo keystone-manage endpointTemplates add RegionOne nova http://192.168.206.130:8774/v1.1/%tenant_id% http://192.168.206.130:8774/v1.1/%tenant_id% http://192.168.206.130:8774/v1.1/%tenant_id% 1 1
sudo keystone-manage endpointTemplates add RegionOne glance http://192.168.206.130:9292/v1 http://192.168.206.130:9292/v1 http://192.168.206.130:9292/v1 1 1
sudo keystone-manage endpointTemplates add RegionOne keystone http://192.168.206.130:5000/v2.0 http://192.168.206.130:35357/v2.0 http://192.168.206.130:5000/v2.0 1 1<!--sudo keystone-manage endpointTemplates add RegionOne glance http://192.168.206.130:9292/v1.1/%tenant_id% http://192.168.206.130:9292/v1.1/%tenant_id% http://192.168.206.130:9292/v1.1/%tenant_id% 1 1 --><!--sudo keystone-manage endpointTemplates add RegionOne swift http://192.168.206.130:8080/v1/AUTH_%tenant_id% http://192.168.206.130:8080/ http://192.168.206.130:8080/v1/AUTH_%tenant_id% 1 1--></literallayout></para>
available services in this example.</para>
<literallayout class="monospaced">keystone service-create --name=keystone \
--type=identity \
--description="Keystone Identity Service"
<para>Optionally, you can add EC2 credentials to the Identity Service for any commands you may want to use euca2ools for.</para>
<literallayout class="monospaced">sudo keystone-manage credentials add adminUser EC2 'secretword' adminTenant
sudo keystone-manage credentials add demoUser EC2 'secretword' openstackDemo</literallayout>
keystone service-create --name=nova \
--type=compute \
--description="Nova Compute Service"
NOVA_USER=$(get_id keystone user-create --name=nova \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=nova@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user $NOVA_USER \
--role $ADMIN_ROLE
keystone service-create --name=ec2 \
--type=ec2 \
--description="EC2 Compatibility Layer"
keystone service-create --name=glance \
--type=image \
--description="Glance Image Service"
GLANCE_USER=$(get_id keystone user-create --name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant_id $SERVICE_TENANT \
--email=glance@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
--user $GLANCE_USER \
--role $ADMIN_ROLE</literallayout>
<para>The Identity Service, Keystone, is now configured and ready
to accept requests.</para>
</section>
</section>

296
doc/src/docbkx/openstack-install/identity-install-keystone.xml

@ -4,69 +4,239 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Installing and Configuring the Identity Service</title>
<para>Install the Identity service:</para>
<para>Install the Identity service on any server that is
accessible to the other servers you intend to use for OpenStack
services:</para>
<literallayout class="monospaced">sudo apt-get install keystone</literallayout>
<para>Install curl, a command-line tool for running REST API
requests:</para>
<literallayout class="monospaced">sudo apt-get install curl</literallayout>
<para>After installing, you need to delete the sqlite database it
creates, then change the configuration to point to the mysql
database. </para>
<para>Delete the keystone.db file created in the
/var/lib/keystone/
directory.<literallayout class="monospaced">sudo rm /var/lib/keystone/keystone.db</literallayout></para>
<para>Configure the production-ready backend data store. For
Compute you must use a SQLAlchemy-compatible database, such as
MySQL or PostgreSQL. This example shows MySQL.</para>
<para>First, install MySQL with:
<literallayout class="monospaced">sudo apt-get install python-mysqldb mysql-server</literallayout></para>
<para>During the install, you'll be prompted for the mysql root
<para>After installing, you need to delete the sqlite database it
creates, then change the configuration to point to the mysql
database. </para>
<para>Delete the keystone.db file created in the
/var/lib/keystone/
directory.<literallayout class="monospaced">sudo rm /var/lib/keystone/keystone.db</literallayout></para>
<para>Configure the production-ready backend data store. For
Compute you must use a SQLAlchemy-compatible database, such as
MySQL or PostgreSQL. This example shows MySQL.</para>
<para>First, install MySQL with:
<literallayout class="monospaced">sudo apt-get install python-mysqldb mysql-server</literallayout></para>
<para>During the install, you'll be prompted for the mysql root
password. Enter a password of your choice and verify it.</para>
<para>Edit /etc/mysql/my.cnf to change "bind-address" from
localhost (127.0.0.1) to any (0.0.0.0) and restart the mysql
service: </para>
<para>
<literallayout class="monospaced">sudo sed -i 's/127.0.0.1/0.0.0.0/g' /etc/mysql/my.cnf
<para>Edit /etc/mysql/my.cnf to change "bind-address" from
localhost (127.0.0.1) to any (0.0.0.0) and restart the mysql
service: </para>
<para>
<literallayout class="monospaced">sudo sed -i 's/127.0.0.1/0.0.0.0/g' /etc/mysql/my.cnf
sudo service mysql restart</literallayout></para>
<para>For MySQL, create a MySQL database named "keystone" and a
MySQL user named "keystone". Grant the "keystone" user full
access to the "keystone" MySQL database.</para>
<para>Start the mysql command line client by running:</para>
<para><literallayout class="monospaced">mysql -u root -p</literallayout></para>
<para>Enter the mysql root user's password when prompted.</para>
<para>To configure the MySQL database, create the keystone database. </para>
<para><literallayout class="monospaced">mysql> CREATE DATABASE keystone;</literallayout></para>
<para>Create a MySQL user for the newly-created keystone database that
has full control of the database. </para>
<para><literallayout class="monospaced">mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yourpassword';</literallayout></para>
<para>Enter quit at the mysql> prompt to exit MySQL.</para>
<para><literallayout class="monospaced">mysql> quit</literallayout></para>
<para>Edit /etc/keystone/keystone.conf to include the
--sql_connection to use the backend data store you just
created. Ensure that it is owned by root and chmod is set to
0640 since it contains your mysql password. (You do leave the "default_store" as sqlite, however.) </para>
<literallayout class="monospaced">sudo nano /etc/keystone/keystone.conf
sudo chown keystone:root /etc/keystone/keystone.conf
sudo chmod 0640 /etc/keystone/keystone.conf
</literallayout>
<para>Here is an
example section:</para>
<literallayout class="monospaced">[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = mysql://keystone:yourpassword@192.168.206.130/keystone
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
'User', 'Credentials', 'EndpointTemplates', 'Token',
'Service']</literallayout>
<para>Edit /etc/keystone/keystone.conf to use the IP address and
ports for your environment. Here is an example keystone.conf. Ensure that the ports for keystone are correct, since the default keystone auth port changed from 5001 to 35357
and the packages install a conf file with 5001 for the auth_port setting.
<literallayout class="monospaced"><xi:include parse="text" href="samples/keystone.conf"></xi:include></literallayout></para>
<para>Restart the Identity Service. </para>
<literallayout class="monospaced">sudo service keystone restart</literallayout>
<para>Next, you configure the Identity Service by defining roles and
users. </para>
</section>
<para>For MySQL, create a MySQL database named "keystone" and a
MySQL user named "keystone". Grant the "keystone" user full
access to the "keystone" MySQL database.</para>
<para>Start the mysql command line client by running:</para>
<para><literallayout class="monospaced">mysql -u root -p</literallayout></para>
<para>Enter the mysql root user's password when prompted.</para>
<para>To configure the MySQL database, create the keystone database. </para>
<para><literallayout class="monospaced">mysql> CREATE DATABASE keystone;</literallayout></para>
<para>Create a MySQL user for the newly-created keystone database that
has full control of the database. </para>
<para><literallayout class="monospaced">mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yourpassword';</literallayout></para>
<para>Enter quit at the mysql> prompt to exit MySQL.</para>
<para><literallayout class="monospaced">mysql> quit</literallayout></para>
<para>Once Keystone is installed, it is configured via a primary
configuration file
(<literal>etc/keystone/keystone.conf</literal>), and by
initializing data into keystone using the command line client. By
default, Keystone's data store is sqlite. To change the data store
to mysql, change the line defining "connection" in
<filename>etc/keystone/keystone.conf</filename> like
so:<screen>connection = mysql://keystone:yourpassword@localhost/keystone</screen></para>
<para>Next, restart the keystone service so that it picks up the new
database configuration.
<screen>sudo service keystone restart</screen></para>
<para>Lastly, initialize the new keystone
database:<screen>sudo keystone-manage db_sync</screen></para>
<section xml:id="configure-keystone">
<title>Configuring Services to work with Keystone</title>
<para> Once Keystone is installed and running, you set up users and
tenants and services to be configured to work with it. </para>
<section xml:id="setting-up-tenants-users-and-roles">
<title>Setting up tenants, users, and roles</title>
<para>
You need to minimally define a tenant, user, and role to link
the tenant and user as the most basic set of details to get
other services authenticating and authorizing with keystone.
</para>
<para> First, create a default tenant, we'll name it
openstackDemo in this example.</para>
<screen><prompt>$ </prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 tenant-create --name openstackDemo --description "Default Tenant" --enabled true</userinput></screen>
<programlisting> +-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Default Tenant |
| enabled | true |
| id | 9ae969031816484a8e2172c3700cbfcc |
| name | openstackDemo |
+-------------+----------------------------------+</programlisting>
<para>Create a default user named adminUser. </para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id $tenant_id_from_value_above --name adminUser --pass secretword --enabled true</userinput></screen>
<programlisting> +----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | a4c2d43f80a549a19864c89d759bb3fe |
| name | admin |
| password | $6$rounds=40000$MsFWIgIfbAHnhUH8$vvSK9/Uy3P5BTdH0kn.0MH.xFHAR2pWQCpTRLTENPs.3w53jb5BbbkIKHnkTbzWW3xVwqsb3W5e./3EIaNPeP0 |
| tenantId | b5815b046cfe47bb891a7b64119e7f80 |
+----------+-------------------------------------------------------------------------------------------------------------------------+</programlisting>
<para>Create the default roles, adminRole and memberRole.</para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 role-create --name adminRole</userinput></screen>
<programlisting> +----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | e3d9d157cc95410ea45d23bbbc2e5c10 |
| name | adminRole |
+----------+----------------------------------+</programlisting>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 role-create --name memberRole</userinput></screen>
<programlisting> +----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | cffc2edea9c74b4a8779cc0d7a22fc21 |
| name | memberRole |
+----------+----------------------------------+</programlisting>
<para>Grant the 'adminRole' role to the 'adminUser' user in the
'openstack' tenant with "user-role-add".</para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user a4c2d43f80a549a19864c89d759bb3fe --tenant_id b5815b046cfe47bb891a7b64119e7f80 --role e3d9d157cc95410ea45d23bbbc2e5c10</userinput></screen>
<para>There is no output to this command.</para>
<para>Create a Service Tenant. This tenant contains all the
services that we make known to the service catalog. </para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 tenant-create --name service --description "Service Tenant" --enabled true</userinput></screen>
<programlisting> +-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | true |
| id | eb7e0c10a99446cfa14c244374549e9d |
| name | service |
+-------------+----------------------------------+</programlisting>
<para>Create a Glance Service User in the Service Tenant. You'll do this for any service you add to be in the Keystone service catalog.</para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name glance --pass glance --enabled true</userinput></screen>
<programlisting> +----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 46b2667a7807483d983e0b4037a1623b |
| name | glance |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+</programlisting>
<para>Grant the 'admin' role to the 'glance' user in the 'service' tenant.</para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 46b2667a7807483d983e0b4037a1623b --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10</userinput></screen>
<para>There is no output to this command.
</para>
<para>Create a Nova Service User in the Service Tenant. </para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name nova --pass nova --enabled true</userinput></screen>
<programlisting> +----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 54b3776a8707834d983e0b4037b1345c |
| name | nova |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+</programlisting>
<para>Grant the 'admin' role to the 'nova' user in the 'service' tenant.</para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 46b2667a7807483d983e0b4037a1623b --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10</userinput></screen>
<para>There is no output to this command.
</para>
<para>Create an EC2 Service User in the Service Tenant. </para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name ec2 --pass ec2 --enabled true</userinput></screen>
<programlisting> +----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 32e7668b8707834d983e0b4037b1345c |
| name | ec2 |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+</programlisting>
<para>Grant the 'admin' role to the 'nova' user in the 'service'
tenant.</para>
<screen><prompt>$</prompt><userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 46b2667a7807483d983e0b4037a1623b --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10</userinput></screen>
<para>There is no output to this command.</para>
<para>Next you create definitions for the services.</para>
</section>
</section>
<section xml:id="defining-services">
<title>Defining Services</title>
<para>Keystone also acts as a service catalog to let other
OpenStack systems know where relevant API endpoints exist for
OpenStack Services. The OpenStack Dashboard, in particular, uses
the service catalog heavily - and this <emphasis role="strong"
>must</emphasis> be configured for the OpenStack Dashboard to
properly function. </para>
<para>The endpoints for these services are defined in a template,
an example of which is in the project as the file
<literal>etc/default_catalog.templates</literal>, which you
can edit yourself or configure your keystone.conf file to use
SQL as a backend for the endpoint templates. </para>
<para> Here's how we define the services when using SQL as a
backend, which we are doing for this walkthrough: </para>
<screen>
keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 service-create --name=nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;
keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 service-create --name=ec2 \
--type=ec2 \
--description=&quot;EC2 Compatibility Layer&quot;
keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 service-create --name=glance \
--type=image \
--description=&quot;Glance Image Service&quot;
keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 service-create --name=keystone \
--type=identity \
--description=&quot;Keystone Identity Service&quot;</screen>
<para>In return for each of these commands, you see a listing of
property and value for each creation.
<programlisting>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Nova Compute Service |
| id | abc0f03c02904c24abdcc3b7910e2eed |
| name | nova |
| type | compute |
+-------------+----------------------------------+</programlisting>Next,
create an endpoint for each service you just created using the
id values returned by each service-create command. Here's an
example for the nova service endpoint.
<screen>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 endpoint-create \
--region RegionOne \
--service_id=abc0f03c02904c24abdcc3b7910e2eed \
--publicurl http://192.168.206.130:5000/v2 \
--adminurl http://192.168.206.130:5000/v2 \
--internalurl http://192.168.206.130:5000/v2</screen>
In return for each of these commands, you see a listing of
property and value for each creation.
<programlisting>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://192.168.206.130:5000/v2 |
| id | 935fd37b6fa74b2f9fba6d907fa95825 |
| internalurl | http://192.168.206.130:5000/v2 |
| publicurl | http://192.168.206.130:5000/v2 |
| region | RegionOne |
| service_id | abc0f03c02904c24abdcc3b7910e2eed |
+-------------+----------------------------------+</programlisting>
Substitute the service IDs for each in the --service_id
parameter, and ensure the URLs contain correct port values and
the correct version number of the API. </para>
</section>
</section>

4
doc/src/docbkx/openstack-install/identity-verify-install.xml

@ -4,7 +4,9 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Verifying the Identity Service Installation</title>
<para>Install curl, a command-line tool for running REST API
requests:</para>
<literallayout class="monospaced">sudo apt-get install curl</literallayout>
<para>Here is a curl command you can use to ensure that the Identity service is working:</para>
<literallayout class="monospaced">curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "adminUser", "password": "secretword"}}}' -H "Content-type: application/json" http://192.168.206.130:35357/v2.0/tokens | python -mjson.tool</literallayout>
<para>In return, you should receive the token you created for the

53
doc/src/docbkx/openstack-install/images-verifying-install.xml

@ -8,20 +8,45 @@
glance --version command:</para>
<literallayout class="monospaced">glance --version</literallayout>
<para>The version number 2011.3 corresponds with the Diablo
<para>The version number 2012.1 corresponds with the Essex
release.</para>
<literallayout class="monospaced">glance 2011.3</literallayout>
<para>Another verification at this point for the Glance
installation working with Keystone is to issue a glance
details command with a token from Keystone assigned to the
adminUser. The one below is just an example. You use a curl
command to get a token for the adminUser. If you get no errors
(and no response) it means that the token is accepted by
Keystone and no images are yet loaded to Glance. If you get a
"NotAuthorized" error, check your configuration files, check
your environment variables, and ensure the Keystone endpoints
are accurate with "sudo keystone-manage endpointTemplates
list".</para>
<literallayout class="monospaced">glance details -A d1819479-be8b-451d-8682-82c654502ddb</literallayout>
<literallayout class="monospaced">glance 2012.1</literallayout>
<para>Obtain a test image.</para>
<screen>mkdir /tmp/images
cd /tmp/images/
wget http://smoser.brickies.net/ubuntu/ttylinux-uec/ttylinux-uec-amd64-12.1_2.6.35-22_1.tar.gz
tar -zxvf ttylinux-uec-amd64-12.1_2.6.35-22_1.tar.gz </screen>
<para>Upload the kernel.</para>
<screen>glance --username=adminUser --password=secretword --tenant=openstackDemo --auth_url=http://127.0.0.1:5000/v2.0 add name="tty-linux-kernel" disk_format=aki container_format=aki &lt; ttylinux-uec-amd64-12.1_2.6.35-22_1-vmlinuz</screen>
<programlisting>Uploading image 'tty-linux-kernel'
=================================================================================================================================================================[100%] 41.8M/s, ETA 0h 0m 0s
Added new image with ID: 599907ff-296d-4042-a671-d015e34317d2</programlisting>
<para>Upload the initrd.</para>
<screen>glance --username=admin --password=secrete --tenant=openstack --auth_url=http://127.0.0.1:5000/v2.0 add name="tty-linux-ramdisk" disk_format=ari container_format=ari &lt; ttylinux-uec-amd64-12.1_2.6.35-22_1-loader </screen>
<programlisting>Uploading image 'tty-linux-ramdisk'
===========================================================================================================================================================[100%] 937.483441K/s, ETA 0h 0m 0s
Added new image with ID: 7d9f0378-1640-4e43-8959-701f248d999d</programlisting>
<para>Upload the image.</para>
<screen>glance --username=admin --password=secrete --tenant=openstack --auth_url=http://127.0.0.1:5000/v2.0 add name="tty-linux" disk_format=ami container_format=ami kernel_id=599907ff-296d-4042-a671-d015e34317d2 ramdisk_id=7d9f0378-1640-4e43-8959-701f248d999d &lt; ttylinux-uec-amd64-12.1_2.6.35-22_1.img </screen>
<programlisting>Uploading image 'tty-linux'
===========================================================================================================================================================[100%] 118.480514M/s, ETA 0h 0m 0s
Added new image with ID: 21b421e5-44d4-4903-9db0-4f134fdd0793</programlisting>
<para>Now a glance index should show a legitimate image.</para>
<programlisting>glance --username=admin --password=secrete --tenant=openstack --auth_url=http://127.0.0.1:5000/v2.0 index
ID Name Disk Format Container Format Size
------------------------------------ ------------------------------ -------------------- -------------------- --------------
21b421e5-44d4-4903-9db0-4f134fdd0793 tty-linux ami ami 25165824
7d9f0378-1640-4e43-8959-701f248d999d tty-linux-ramdisk ari ari 96629
599907ff-296d-4042-a671-d015e34317d2 tty-linux-kernel aki aki 4404752</programlisting>
<note><para>This example shows inputting --username, --password, --tenant, --auth_url on the command line for reference. You could also use the OS_* environment variables by
setting them in an openrc file:
</para>
<programlisting><xi:include parse="text" href="samples/openrc.txt"/></programlisting>
<para>Then you would source these environment variables by running <userinput>source openrc</userinput>.</para></note>
</section>

88
doc/src/docbkx/openstack-install/install-config-glance.xml

@ -2,54 +2,66 @@
<section xml:id="install-glance"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml"
version="5.0">
<title>Installing and Configuring the Image Service</title>
<para>Install the Image service:</para>
<literallayout class="monospaced">sudo apt-get install glance</literallayout>
<para xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml">After installing,
<para>Install the Image service.</para>
<screen>sudo apt-get install glance</screen>
<para>After installing,
you need to delete the sqlite database it creates, then change
the configuration to point to the mysql database. </para>
<para xmlns:svg="http://www.w3.org/2000/svg"
xmlns:html="http://www.w3.org/1999/xhtml">Delete the glance.db
file created in the /var/lib/glance/
directory.<literallayout class="monospaced">sudo rm /var/lib/glance/glance.sqlite</literallayout></para>
<section xml:id="configure-glance"><title>Configuring the Image Service</title>
<para>Delete the <filename>glance.db</filename> file created in the /var/lib/glance/
directory.</para>
<screen>sudo rm /var/lib/glance/glance.sqlite</screen>
<section xml:id="configure-glance-mysql"><title>Configuring the Image Service database backend</title>
<para>Configure the backend data store. For MySQL, create a glance MySQL database and a glance MySQL user. Grant the "glance" user full
access to the glance MySQL database.</para><para>Start the MySQL command line client by running:</para>
<para><literallayout class="monospaced">mysql -u root -p</literallayout></para><para>Enter the mysql root user's password when prompted.</para>
<para>To configure the MySQL database, create the glance database. </para><para><literallayout class="monospaced">mysql> CREATE DATABASE glance;</literallayout>
</para><para>Create a MySQL user for the newly-created glance database that has full control of the database. </para>
<para><literallayout class="monospaced">mysql> GRANT ALL ON glance.* TO 'glance'@'%' IDENTIFIED BY 'yourpassword';</literallayout></para>
<para>Enter quit at the mysql> prompt to exit MySQL.</para><para><literallayout class="monospaced">mysql> quit</literallayout></para>
<para>Edit /etc/glance/glance-registry.conf: </para>
<literallayout class="monospaced">sudo nano /etc/glance/glance-registry.conf</literallayout>
<para>An example <link linkend="glance-registry-conf-file">glance-registry.conf file</link> is included in the
Appendix.</para>
<para>At the bottom of the glance-registry.conf file, change
the admin_token to the one you created with Keystone
previously. </para>
<para>Edit /etc/glance/glance-api.conf: </para>
<literallayout class="monospaced">sudo nano /etc/glance/glance-api.conf</literallayout>
<para>Ensure that the auth sections match the ones in the
included <link linkend="glance-api-conf-file">glance-api.conf example file</link> found in the
Appendix. </para>
<para>Restart the glance service after changing the settings
in the glance-registry.conf and glance-api.conf. </para>
<para>If you change the database you also update
<link linkend="glance-scrubber-conf-file">glance-scrubber.conf</link> to point to the MySQL database. </para>
<literallayout class="monospaced">sudo nano /etc/glance/glance-scrubber.conf</literallayout>
<para>Any time you change the .conf files, restart the
corresponding service:</para>
<literallayout class="monospaced">sudo restart glance-registry
sudo restart glance-api</literallayout>
<para>The database tables are created when you restart glance-registry, so there is no need to run a database sync command.</para>
<para>Enter quit at the mysql> prompt to exit MySQL.</para><para><literallayout class="monospaced">mysql> quit</literallayout></para></section>
<section xml:id="configure-glance-files"><title>Edit the Glance configuration files and paste ini middleware files</title>
<para>
Update <filename>/etc/glance/glance-api-paste.ini</filename>, configure the admin_* values under [filter:authtoken].</para>
<screen>[filter:authtoken]
admin_tenant_name = service
admin_user = glance
admin_password = glance</screen>
<para>Add this to the end of <filename>/etc/glance/glance-api.conf</filename>.</para>
<screen>[paste_deploy]
flavor = keystone</screen>
<para>Restart glance-api to pick up these changed settings.</para>
<screen>service glance-api restart</screen>
<para>Add this to the end of <filename>/etc/glance/glance-registry.conf</filename>.</para>
<screen>[paste_deploy]
flavor = keystone</screen>
<para>Update <filename>/etc/glance/glance-registry-paste.ini</filename>, configure the admin_* vaules under [filter:authtoken]:</para>
<screen>[filter:authtoken]
admin_tenant_name = service
admin_user = glance
admin_password = glance</screen>
<para>Restart glance-registry.</para>
<screen>service glance-registry restart</screen>
<note><para>Any time you change the .conf files, restart the
corresponding service.</para></note>
<para>The database tables are created when you restart
glance-registry, so there is no need to run a database
sync command. </para>
<note><para>Also note that this guide does not configure image
caching, refer to <link
xlink:href="http://glance.openstack.org"
>http://glance.openstack.org</link> for more
information.</para></note></section>
<!--<para>Create the tables in your backend data
store:</para>
<literallayout class="monospaced">sudo glance-manage db_sync</literallayout>
<para>Now you can load your initial image. </para>--></section>
</section>
<para>Now you can load your initial image. </para>--></section>

41
doc/src/docbkx/openstack-install/installing-additional-compute-nodes.xml

@ -4,31 +4,20 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Installing Additional Compute Nodes</title>
<para>There are many different ways to perform a multinode install of Compute. In
this case, you can install all the nova- packages and dependencies as you did
for the Cloud Controller node, or just install nova-network and nova-compute.
Your installation can run any nova- services anywhere, so long as the service
can access nova.conf so it knows where the rabbitmq server is installed.</para>
<para>The Compute Node is where you configure the Compute network, the networking
between your instances. </para>
<para>On the additional Compute nodes, install the required
nova- packages, and dependencies are automatically
installed. Add the deb http://ops.rcb.me/packages natty
diablo-final packages to your sources and run apt-get
update to get consistent packages.</para>
<literallayout class="monospaced">sudo apt-key adv --keyserver hkp://subkeys.pgp.net --recv F87CBDE0</literallayout>
<para>Now, create a new sources.list and add a pointer to the
Rackspace Cloud Builders packages for a finalized Diablo
release.</para>
<literallayout class="monospaced">sudo nano /etc/apt/sources.list.d/rcb-sources.list </literallayout>
<para>Paste the following line into the newly created
rcb-sources.list file. The options are maverick, natty, or
oneiric for the operating system and diablo-d5 or
diablo-final:</para>
<literallayout class="monospaced">deb http://ops.rcb.me/packages natty diablo-final</literallayout>
<para>Now update to pick up this repository.</para>
<literallayout class="monospaced">sudo apt-get update </literallayout>
<para>Because you may need to query the database from the Compute node and learn more information about instances, euca2ools and MySQL client or PostgresSQL client packages should be installed on any additional Compute nodes.</para>
<literallayout class="monospaced">sudo apt-get install nova-network nova-compute euca2ools mysql-client</literallayout>
<para>There are many different ways to perform a multinode install
of Compute in order to scale out your deployment and run more
. </para>
<para>In this case, you can install all the nova- packages and
dependencies as you did for the Cloud Controller node, or just
install nova-network and nova-compute. Your installation can
run any nova- services anywhere, so long as the service can
access <filename>nova.conf</filename> so it knows where the
Rabbitmq or Qpid messaging server is installed.</para>
<para>The Compute Node is where you configure the Compute network,
the networking between your instances. </para>
<para>Because you may need to query the database from the Compute
node and learn more information about instances, the nova
client and MySQL client or PostgresSQL client packages should
be installed on any additional Compute nodes.</para>
<para>Copy the nova.conf from your controller node to all additional compute nodes.</para>
</section>

2
doc/src/docbkx/openstack-install/pom.xml

@ -116,7 +116,7 @@
<move failonerror="false"
file="${basedir}/target/docbkx/pdf/bk_openstackinstallguide.pdf"
tofile="${basedir}/target/docbkx/webhelp/trunk/openstack-compute/install/openstack-install-guide-diablo.pdf"/>
tofile="${basedir}/target/docbkx/webhelp/trunk/openstack-compute/install/openstack-install-guide-trunk.pdf"/>
<!--Deletes leftover uneeded directories -->

43
doc/src/docbkx/openstack-install/samples/glance-api-paste.ini Normal file

@ -0,0 +1,43 @@
[pipeline:glance-api]
#pipeline = versionnegotiation context apiv1app
# NOTE: use the following pipeline for keystone
pipeline = versionnegotiation authtoken auth-context apiv1app
# To enable Image Cache Management API replace pipeline with below:
# pipeline = versionnegotiation context imagecache apiv1app
# NOTE: use the following pipeline for keystone auth (with caching)
# pipeline = versionnegotiation authtoken auth-context imagecache apiv1app
[app:apiv1app]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.api.v1.router:API
[filter:versionnegotiation]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter
[filter:cache]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.api.middleware.cache:CacheFilter
[filter:cachemanage]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter
[filter:context]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.common.context:ContextMiddleware
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 192.168.206.130
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.206.130:5000/
admin_tenant_name = service
admin_user = glance
admin_password = ccc1da26c11cab131f29
[filter:auth-context]
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = keystone.middleware.glance_auth_token:KeystoneContextMiddleware

15
doc/src/docbkx/openstack-install/samples/glance-cache-paste.ini Normal file

@ -0,0 +1,15 @@
[app:glance-pruner]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.image_cache.pruner:Pruner
[app:glance-prefetcher]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.image_cache.prefetcher:Prefetcher
[app:glance-cleaner]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.image_cache.cleaner:Cleaner
[app:glance-queue-image]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.image_cache.queue_image:Queuer

40
doc/src/docbkx/openstack-install/samples/glance-cache.conf Normal file

@ -0,0 +1,40 @@
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = True
# Show debugging output in logs (sets DEBUG log level output)
debug = False
log_file = /var/log/glance/image-cache.log
# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
use_syslog = False
# Directory that the Image Cache writes data to
image_cache_dir = /var/lib/glance/image-cache/
# Number of seconds after which we should consider an incomplete image to be
# stalled and eligible for reaping
image_cache_stall_time = 86400
# image_cache_invalid_entry_grace_period - seconds
#
# If an exception is raised as we're writing to the cache, the cache-entry is
# deemed invalid and moved to <image_cache_datadir>/invalid so that it can be
# inspected for debugging purposes.
#
# This is number of seconds to leave these invalid images around before they
# are elibible to be reaped.
image_cache_invalid_entry_grace_period = 3600
# Max cache size in bytes
image_cache_max_size = 10737418240
# Address to find the registry server
registry_host = 0.0.0.0
# Port the registry server is listening on
registry_port = 9191
# Admin token to use if using Keystone
# admin_token = 123

28
doc/src/docbkx/openstack-install/samples/glance-registry-paste.ini Normal file

@ -0,0 +1,28 @@
[pipeline:glance-registry]
#pipeline = context registryapp
# NOTE: use the following pipeline for keystone
pipeline = authtoken auth-context context registryapp
[app:registryapp]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.registry.api.v1:API
[filter:context]
context_class = glance.registry.context.RequestContext
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = glance.common.context:ContextMiddleware
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = 192.168.206.130
auth_port = 35357
auth_protocol = http
auth_uri = http://192.168.206.130:5000/
admin_tenant_name = service
admin_user = glance
admin_password = ccc1da26c11cab131f29
[filter:auth-context]
context_class = glance.registry.context.RequestContext
paste.filter_factory = glance.common.wsgi:filter_factory
glance.filter_factory = keystone.middleware.glance_auth_token:KeystoneContextMiddleware

3
doc/src/docbkx/openstack-install/samples/glance-scrubber-paste.ini Normal file

@ -0,0 +1,3 @@
[app:glance-scrubber]
paste.app_factory = glance.common.wsgi:app_factory
glance.app_factory = glance.store.scrubber:Scrubber

172
doc/src/docbkx/openstack-install/samples/keystone.conf

@ -1,93 +1,107 @@
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = False
# Show debugging output in logs (sets DEBUG log level output)
debug = False
# Which backend store should Keystone use by default.
# Default: 'sqlite'
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
default_store = sqlite
# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_dir = /var/log/keystone
log_file = keystone.log
# List of backends to be configured
backends = keystone.backends.sqlalchemy
#For LDAP support, add: ,keystone.backends.ldap
# Dictionary Maps every service to a header.Missing services would get header
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
service-header-mappings = {
'nova' : 'X-Server-Management-Url',
'swift' : 'X-Storage-Url',
'cdn' : 'X-CDN-Management-Url'}
# Address to bind the API server
# TODO Properties defined within app not available via pipeline.
service_host = 0.0.0.0
# Port the bind the API server to
service_port = 5000
# Address to bind the Admin API server
admin_host = 0.0.0.0
# Port the bind the Admin API server to
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
admin_token = 012345SECRET99TOKEN012345
compute_port = 8774
verbose = True
debug = True
log_config = /etc/keystone/logging.conf
#Role that allows to perform admin operations.
keystone-admin-role = Admin
# ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified
# by `log-file`
use_syslog = False
#Role that allows to perform service admin operations.
keystone-service-admin-role = KeystoneServiceAdmin
# Facility to use. If unset defaults to LOG_USER.
# syslog_log_facility = LOG_LOCAL0
#Tells whether password user need to be hashed in the backend
hash-password = True
[sql]
connection = mysql://keystone:yourpassword@192.168.127.143/keystone
idle_timeout = 200
min_pool_size = 5
max_pool_size = 10
pool_timeout = 200
[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = mysql://keystone:yourpassword@192.168.206.130/keystone
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
'User', 'Credentials', 'EndpointTemplates', 'Token',
'Service']
# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
sql_idle_timeout = 30
[ldap]
#url = ldap://localhost
#tree_dn = dc=example,dc=com
#user_tree_dn = ou=Users,dc=example,dc=com
#role_tree_dn = ou=Roles,dc=example,dc=com
#tenant_tree_dn = ou=Groups,dc=example,dc=com
#user = dc=Manager,dc=example,dc=com
#password = freeipa4all
#suffix = cn=example,cn=com
[pipeline:admin]
pipeline =
urlrewritefilter
d5_compat
admin_api
[pipeline:keystone-legacy-auth]
pipeline =
urlrewritefilter
legacy_auth
d5_compat
service_api
[identity]
driver = keystone.identity.backends.sql.Identity
[app:service_api]
paste.app_factory = keystone.server:service_app_factory
[catalog]
driver = keystone.catalog.backends.sql.Catalog
[app:admin_api]
paste.app_factory = keystone.server:admin_app_factory
[token]
driver = keystone.token.backends.sql.Token
[filter:urlrewritefilter]
paste.filter_factory = keystone.middleware.url:filter_factory
# Amount of time a token should remain valid (in seconds)
expiration = 86400
[filter:legacy_auth]
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
[policy]
driver = keystone.policy.backends.rules.Policy
[filter:d5_compat]
paste.filter_factory = keystone.frontends.d5_compat:filter_factory
[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2
[filter:debug]
paste.filter_factory = keystone.common.wsgi:debug_filter_factory
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension public_service
[pipeline:admin_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension crud_extension admin_service
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = xml_body public_version_service
[pipeline:admin_version_api]
pipeline = xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api

80
doc/src/docbkx/openstack-install/samples/nova.conf

@ -1,46 +1,34 @@
# DATABASE
--sql_connection=mysql://nova:yourpassword@192.168.206.130/nova
# LOGS/STATE
--verbose
--dhcpbridge_flagfile=/etc/nova/nova.conf
--dhcpbridge=/usr/bin/nova-dhcpbridge
--logdir=/var/log/nova
--state_path=/var/lib/nova
--lock_path=/var/lock/nova
# RABBITMQ
--rabbit_password=guest
--rabbit_port=5672
--rabbit_host=192.168.206.130
# SCHEDULER
--scheduler_driver=nova.scheduler.simple.SimpleScheduler
# NETWORK
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=192.168.100.0/24
--flat_network_dhcp_start=192.168.100.2
--public_interface=eth0
--flat_interface=eth0
--flat_network_bridge=br100
# GLANCE
--image_service=nova.image.glance.GlanceImageService
--glance_api_servers=192.168.206.130:9292
# COMPUTE
--compute_manager=nova.compute.manager.ComputeManager
--libvirt_type=qemu
# VNCPROXY
--vncproxy_url=http://192.168.206.130:6080
--vncproxy_wwwroot=/var/lib/nova/noVNC
# MISC
--use_deprecated_auth=false
--allow_admin_api=true
--enable_zone_routing=true
# KEYSTONE
--keystone_ec2_url=http://192.168.206.130:5000/v2.0/ec2tokens
[DEFAULT]
verbose=True
auth_strategy=keystone
allow_resize_to_same_host=True
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
dhcpbridge_flagfile=/etc/nova/nova.conf
fixed_range=10.0.0.0/24
s3_host=192.168.206.130
network_manager=nova.network.manager.FlatDHCPManager
volume_group=nova-volumes
volume_name_template=volume-%08x
iscsi_helper=tgtadm
osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions
my_ip=192.168.206.130
public_interface=br100
vlan_interface=eth0
flat_network_bridge=br100
flat_interface=eth0
sql_connection=mysql://root:yourpassword@localhost/nova
libvirt_type=qemu
instance_name_template=instance-%08x
novncproxy_base_url=http://192.168.206.130:6080/vnc_auto.html
xvpvncproxy_base_url=http://192.168.206.130:6081/console
vncserver_listen=127.0.0.1
vncserver_proxyclient_address=127.0.0.1
api_paste_config=/etc/nova/api-paste.ini
image_service=nova.image.glance.GlanceImageService
ec2_dmz_host=192.168.206.130
rabbit_host=localhost
rabbit_password=yourpassword
glance_api_servers=192.168.206.130:9292
force_dhcp_release=True
connection_type=libvirt
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver

4
doc/src/docbkx/openstack-install/samples/openrc.txt

@ -2,6 +2,4 @@ export OS_USERNAME=adminUser
export OS_TENANT_NAME=openstackDemo
export OS_PASSWORD=secretword
export OS_AUTH_URL=http://192.168.206.130:5000/v2.0/
export OS_REGION_NAME=RegionOne
export OS_AUTH_STRATEGY=keystone
export NOVA_VERSION=1.1
export OS_REGION_NAME=RegionOne