%openstack; ]>

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For performance, this configuration deploys the Apache HTTP server to handle requests and Memcached to store tokens instead of a SQL database. Before you configure the OpenStack Identity service, you must create a database and an administration token. To create the database, complete these steps: Use the database access client to connect to the database server as the root user: $ mysql -u root -p Create the keystone database: CREATE DATABASE keystone; Grant proper access to the keystone database: GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; Replace KEYSTONE_DBPASS with a suitable password. Exit the database access client. Generate a random value to use as the administration token during initial configuration: $ openssl rand -hex 10 Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates potential default configuration options that you should retain. By default, the keystone service listens on ports 5000 and 35357. However, this guide configures the Apache HTTP server to listen on those ports. To avoid port conflicts, disable the keystone service from starting automatically after installation: # echo "manual" > /etc/init/keystone.override Run the following command to install the packages: # apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache # yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached # zypper install openstack-keystone python-openstackclient apache2-mod_wsgi memcached python-python-memcached Start the Memcached service and configure it to start when the system boots: # systemctl enable memcached.service # systemctl start memcached.service Edit the /etc/keystone/keystone.conf file and complete the following actions: In the [DEFAULT] section, define the value of the initial administration token: [DEFAULT] ... admin_token = ADMIN_TOKEN Replace ADMIN_TOKEN with the random value that you generated in a previous step. In the [database] section, configure database access: [database] ... connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone Replace KEYSTONE_DBPASS with the password you chose for the database. In the [memcache] section, configure the Memcache service: [memcache] ... servers = localhost:11211 In the [token] section, configure the UUID token provider and Memcached driver: [token] ... provider = keystone.token.providers.uuid.Provider driver = keystone.token.persistence.backends.memcache.Token In the [revoke] section, configure the SQL revocation driver: [revoke] ... driver = keystone.contrib.revoke.backends.sql.Revoke (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section: [DEFAULT] ... verbose = True Create generic certificates and keys and restrict access to the associated files: # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone # chown -R keystone:keystone /var/log/keystone # chown -R keystone:keystone /etc/keystone/ssl # chmod -R o-rwx /etc/keystone/ssl Populate the Identity service database: # su -s /bin/sh -c "keystone-manage db_sync" keystone Run the following command to install the packages: # apt-get install keystone python-keystoneclient will automatically be installed as it is a dependency of the keystone package. Respond to prompts for , which will fill the below database access directive. [database] ... connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone If you decide to not use dbconfig-common, then you will have to create the database and manage its access rights yourself, and run the following by hand. # keystone-manage db_sync Generate a random value to use as the administration token during initial configuration: $ openssl rand -hex 10 Configure the initial administration token: Use the random value that you generated in a previous step. If you install using non-interactive mode or you do not specify this token, the configuration tool generates a random value. Later on, the package will configure the below directive with the value you entered: [DEFAULT] ... admin_token = ADMIN_TOKEN Create the admin tenant and user: During the final stage of the package installation, it is possible to automatically create an admin tenant and an admin user. This can later be used for other OpenStack services to contact the Identity service. This is the equivalent of running the below commands: # openstack project create --description "Admin Tenant" admin # openstack user create --password ADMIN_PASS --email root@localhost admin # openstack role create admin # openstack role add --project demo --user demo user         In Debian, the Keystone package offers automatic registration of Keystone in the service catalogue. This is equivalent of running the below commands: # openstack service create --name keystone --description "OpenStack Identity" identity # keystone endpoint-create \ --publicurl http://controller:5000/v2.0 \ --internalurl http://controller:5000/v2.0 \ --adminurl http://controller:35357/v2.0 \ --region RegionOne \ identity Edit the /etc/apache2/apache2.conf /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node: ServerName controller Edit the /etc/sysconf/apache2 file and configure the APACHE_SERVERNAME option to reference the controller node: APACHE_SERVERNAME="controller" Create the /etc/apache2/sites-available/wsgi-keystone.conf /etc/httpd/conf.d/wsgi-keystone.conf /etc/apache2/conf.d/wsgi-keystone.conf file with the following content: Listen 5000 Listen 35357 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /var/www/cgi-bin/keystone/main WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> LogLevel info ErrorLog /var/log/apache2/keystone-error.log CustomLog /var/log/apache2/keystone-access.log combined </VirtualHost> <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /var/www/cgi-bin/keystone/admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> LogLevel info ErrorLog /var/log/apache2/keystone-error.log CustomLog /var/log/apache2/keystone-access.log combined </VirtualHost> Listen 5000 Listen 35357 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /var/www/cgi-bin/keystone/main WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On LogLevel info ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined </VirtualHost> <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /var/www/cgi-bin/keystone/admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On LogLevel info ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined </VirtualHost> Listen 5000 Listen 35357 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /srv/www/cgi-bin/keystone/main WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" LogLevel info ErrorLog /var/log/apache2/keystone-error.log CustomLog /var/log/apache2/keystone-access.log combined </VirtualHost> <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /srv/www/cgi-bin/keystone/admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" LogLevel info ErrorLog /var/log/apache2/keystone-error.log CustomLog /var/log/apache2/keystone-access.log combined </VirtualHost> Enable the Identity service virtual hosts: # ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled Create the directory structure for the WSGI components: # mkdir -p /var/www/cgi-bin/keystone # mkdir -p /srv/www/cgi-bin/keystone Copy the WSGI components from the upstream repository into this directory: # curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \ | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin # curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \ | tee /srv/www/cgi-bin/keystone/main /srv/www/cgi-bin/keystone/admin Adjust ownership and permissions on this directory and the files in it: # chown -R keystone:keystone /var/www/cgi-bin/keystone # chmod 755 /var/www/cgi-bin/keystone/* # chown -R keystone:keystone /srv/www/cgi-bin/keystone # chmod 755 /srv/www/cgi-bin/keystone/* Restore the default SELinux security context: # restorecon /var/www/cgi-bin Change the ownership of /etc/keystone/keystone.conf to give the keystone system access to it: # chown keystone /etc/keystone/keystone.conf Add the apache system user to the keystone system group to permit access to the Identity service configuration files by the Apache HTTP server: # usermod -a -G keystone apache Restart the Apache HTTP server: # service apache2 restart # systemctl enable httpd.service # systemctl start httpd.service # systemctl enable apache2.service # systemctl start apache2.service By default, the Ubuntu packages create a SQLite database. Because this configuration uses a SQL database server, you can remove the SQLite database file: # rm -f /var/lib/keystone/keystone.db By default, the Identity service stores expired tokens in the SQL database indefinitely. The accumulation of expired tokens considerably increases the database size and degrades performance over time, particularly in environments with limited resources. The packages already contain a cron job under /etc/cron.hourly/keystone, so it is not necessary to manually configure a periodic task that purges expired tokens.