Christian Berendt 4082ba0fea [install] [suse] remove packaging workarounds for keystone

Change-Id: Iaf1c54812bb93ec7388ab6945348588e88fa4588

2015-10-14 09:33:09 +02:00

16 KiB

Raw Blame History

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For performance, this configuration deploys the Apache HTTP server to handle requests and Memcached to store tokens instead of an SQL database.

Prerequisites

Before you configure the OpenStack Identity service, you must create a database and an administration token.

To create the database, complete the following actions:
- Use the database access client to connect to the database server as the root user:
```
$ mysql -u root -p
```
- Create the keystone database:
```
CREATE DATABASE keystone;
```
- Grant proper access to the keystone database:
```
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
```
  Replace KEYSTONE_DBPASS with a suitable password.
- Exit the database access client.
Generate a random value to use as the administration token during initial configuration:
```
$ openssl rand -hex 10
```

obs or rdo or ubuntu

Install and configure components

Note

In Kilo and Liberty releases, the keystone project deprecates eventlet in favor of a separate web server with WSGI extensions. This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on port 5000 and 35357. By default, the keystone service still listens on ports 5000 and 35357. Therefore, this guide disables the keystone service. The keystone project plans to remove eventlet support in Mitaka.

ubuntu

Disable the keystone service from starting automatically after installation:
```
# echo "manual" > /etc/init/keystone.override
```

Run the following command to install the packages:

ubuntu

# apt-get install keystone apache2 libapache2-mod-wsgi \
  memcached python-memcache

obs or rdo

Run the following command to install the packages:

rdo

# yum install openstack-keystone httpd mod_wsgi \
  memcached python-memcached

obs

# zypper install openstack-keystone apache2-mod_wsgi \
  memcached python-python-memcached

obs or rdo

Start the Memcached service and configure it to start when the system boots:
```
# systemctl enable memcached.service
# systemctl start memcached.service
```

obs or rdo or ubuntu

Edit the /etc/keystone/keystone.conf file and complete the following actions:
- In the [DEFAULT] section, define the value of the initial administration token:
```
[DEFAULT]
...
admin_token = ADMIN_TOKEN
```
  Replace ADMIN_TOKEN with the random value that you generated in a previous step.
- In the [database] section, configure database access:
```
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
```
  Replace KEYSTONE_DBPASS with the password you chose for the database.
- In the [memcache] section, configure the Memcache service:
```
[memcache]
...
servers = localhost:11211
```
- In the [token] section, configure the UUID token provider and Memcached driver:
```
[token]
...
provider = uuid
driver = memcache
```
- In the [revoke] section, configure the SQL revocation driver:
```
[revoke]
...
driver = sql
```
- (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
```
[DEFAULT]
...
verbose = True
```

obs or rdo or ubuntu

Populate the Identity service database:

# su -s /bin/sh -c "keystone-manage db_sync" keystone

debian

Install and configure the components

Run the following command to install the packages:
```
# apt-get install keystone
```
Note

python-keystoneclient will automatically be installed as it is a dependency of the keystone package.
Respond to prompts for debconf/debconf-dbconfig-common, which will fill the below database access directive.
```
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
```
If you decide to not use dbconfig-common, then you will have to create the database and manage its access rights yourself, and run the following by hand.
```
# keystone-manage db_sync
```
Generate a random value to use as the administration token during initial configuration:
```
$ openssl rand -hex 10
```
Configure the initial administration token:

Use the random value that you generated in a previous step. If you install using non-interactive mode or you do not specify this token, the configuration tool generates a random value.

Later on, the package will configure the below directive with the value you entered:
```
[DEFAULT]
...
admin_token = ADMIN_TOKEN
```

Create the admin tenant and user:

During the final stage of the package installation, it is possible to automatically create an admin tenant and an admin user. This can later be used for other OpenStack services to contact the Identity service. This is the equivalent of running the below commands:

# openstack project create --description "Admin Tenant" admin
# openstack user create --password ADMIN_PASS --email root@localhost admin
# openstack role create admin
# openstack role add --project demo --user demo user

In Debian, the Keystone package offers automatic registration of Keystone in the service catalogue. This is equivalent of running the below commands:

# openstack service create --name keystone --description "OpenStack Identity"  identity
# keystone endpoint-create \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region RegionOne \
  identity

obs or rdo or ubuntu

Configure the Apache HTTP server

rdo

Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:
```
ServerName controller
```

Create the /etc/httpd/conf.d/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

ubuntu

Edit the /etc/apache2/apache2.conf file and configure the ServerName option to reference the controller node:
```
ServerName controller
```

Create the /etc/apache2/sites-available/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Enable the Identity service virtual hosts:

# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled

obs

Edit the /etc/sysconfig/apache2 file and configure the APACHE_SERVERNAME option to reference the controller node:
```
APACHE_SERVERNAME="controller"
```

Create the /etc/apache2/conf.d/wsgi-keystone.conf file with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Recursively change the ownership of the /etc/keystone directory:
```
# chown -R keystone:keystone /etc/keystone
```

Finalize the installation

ubuntu

Restart the Apache HTTP server:
```
# service apache2 restart
```
By default, the Ubuntu packages create an SQLite database.

Because this configuration uses an SQL database server, you can remove the SQLite database file:
```
# rm -f /var/lib/keystone/keystone.db
```

rdo

Start the Apache HTTP service and configure it to start when the system boots:
```
# systemctl enable httpd.service
# systemctl start httpd.service
```

obs

Activate the Apache module mod_version:
```
# a2enmod version
```
Start the Apache HTTP service and configure it to start when the system boots:
```
# systemctl enable apache2.service
# systemctl start apache2.service
```

16 KiB Raw Blame History

Install and configure

Prerequisites

Install and configure components

Install and configure the components

Configure the Apache HTTP server

Finalize the installation

16 KiB

Raw Blame History