openstack/openstack-manuals
Code Issues Proposed changes
7c4225b0e9
openstack-manuals/doc/install-guide/section_keystone-install.xml
Thomas Goirand 53c70cf219 Adds Debian support for the doc 
This patch adds notes to handle the differences
between Debian and Ubuntu.

backport: havana

Change-Id: I0fea68e65c3c3c4d0c2538a57f3ad4e9bad11cef
2013-10-26 14:44:30 +08:00

133 lines
7.9 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<section xml:id="keystone-install"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Installing the Identity Service</title>
<procedure>
<step>
<para>Install the Identity Service on the controller node, together
with python-keystoneclient (which is a dependency):</para>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install keystone</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone python-keystoneclient</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>zypper install openstack-keystone python-keystoneclient openstack-utils</userinput></screen>
<note os="debian"><title>Note for Debian users</title>
<para>Note that on Debian system, the above is all what is needed
to install the Identity Service. During the setup, the debconf system will prompt
the user for the database access information. It will then
automatically create the database, configure access rights,
and then modify <filename>/etc/keystone/keystone.conf</filename> to reflect this
configuration. Debconf will also be used to configure the AUTH_TOKEN
administrator password.</para>
<para>The Debian package will then perform the
<code>keystone-manage db_sync</code> for you, and create an "admin/admin" tenant
and user, which you can later use for setting-up the other OpenStack
service (later called "auth token" in this documentation). Finally,
the package will also ask the user to setup the keystone endpoint.
Therefore, if you use Debian, you can skip all the remaining steps below.</para>
<para>If you need to reconfigure Keystone, you can use:
<screen><prompt>#</prompt> <userinput>dpkg-reconfigure -plow keystone</userinput></screen>
or edit the configuration files and manually restart the daemon.</para>
<para>Remember that for using a database server that is installed remotely,
you need to call before installing the Identity Service:
<screen><prompt>#</prompt> <userinput>apt-get install dbconfig-common &amp;&amp; dpkg-reconfigure -plow dbconfig-common</userinput></screen></para>
</note>
</step>
<step>
<para>The Identity Service uses a database to store information.
Specify the location of the database in the configuration file.
In this guide, we use a MySQL database on the controller node
with the username <literal>keystone</literal>. Replace
<literal><replaceable>KEYSTONE_DBPASS</replaceable></literal>
with a suitable password for the database user.</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf \
sql connection mysql://keystone:<replaceable>KEYSTONE_DBPASS</replaceable>@controller/keystone</userinput></screen>
<para os="ubuntu;debian">Edit <filename>/etc/keystone/keystone.conf</filename> and change the <literal>[sql]</literal> section.</para>
<programlisting os="ubuntu;debian" language="ini">
...
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>Use the <command>openstack-db</command> command to create the
database and tables, as well as a database user called
<literal>keystone</literal> to connect to the database. Replace
<literal><replaceable>KEYSTONE_DBPASS</replaceable></literal>
with the same password used in the previous step.</para>
<screen><prompt>#</prompt> <userinput>openstack-db --init --service keystone --password <replaceable>KEYSTONE_DBPASS</replaceable></userinput></screen>
</step>
<step os="ubuntu;debian">
<para>First, we need to create a database user called <literal>keystone</literal>, by logging in
as root using the password we set earlier.</para>
<screen><prompt>#</prompt> <userinput>mysql -u root -p</userinput>
<prompt>mysql></prompt> <userinput>CREATE DATABASE keystone;</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput>
<prompt>mysql></prompt> <userinput>GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY '<replaceable>KEYSTONE_DBPASS</replaceable>';</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>We now start the keystone service and create its tables.</para>
<screen><prompt>#</prompt> <userinput>keystone-manage db_sync</userinput>
<prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
</step>
<step>
<para>You need to define an authorization token that is used as a
shared secret between the Identity Service and other OpenStack services.
Use <command>openssl</command> to generate a random token, then store it
in the configuration file.</para>
<screen os="rhel;centos;fedora;opensuse;sles"><prompt>#</prompt> <userinput>ADMIN_TOKEN=$(openssl rand -hex 10)</userinput>
<prompt>#</prompt> <userinput>echo $ADMIN_TOKEN</userinput>
<prompt>#</prompt> <userinput>openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN</userinput></screen>
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>openssl rand -hex 10</userinput></screen>
<para os="sles;opensuse">For SUSE Linux Enterprise use instead as first command:</para>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')</userinput></screen>
<para os="ubuntu;debian">Edit <filename>/etc/keystone/keystone.conf</filename> and
change the <literal>[DEFAULT]</literal> section, replacing ADMIN_TOKEN with the results of the command.</para>
<programlisting os="ubuntu;debian" language="ini">
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
</programlisting>
</step>
<step os="rhel;centos;fedora;opensuse;sles">
<para>By default Keystone will use PKI tokens. Create the signing
keys and certificates.</para>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>keystone-manage pki_setup --keystone-user keystone --keystone-group keystone</userinput>
<prompt>#</prompt> <userinput>chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log</userinput></screen>
<screen os="opensuse;sles"><prompt>#</prompt> <userinput>keystone-manage pki_setup --keystone-user openstack-keystone --keystone-group openstack-keystone</userinput>
<prompt>#</prompt> <userinput>chown -R openstack-keystone:openstack-keystone /etc/keystone/* /var/log/keystone/keystone.log</userinput></screen>
</step>
<step os="opensuse;sles">
<para>Setup the <filename>/etc/keystone/default_catalog.templates</filename> file:
</para>
<screen><prompt>#</prompt> <userinput>KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates</userinput>
<prompt>#</prompt> <userinput>sed -e "s,%SERVICE_HOST%,192.168.0.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG</userinput></screen>
</step>
<step os="ubuntu;debian">
<para>Restart the Identity service.</para>
<screen><prompt>#</prompt> <userinput>service keystone restart</userinput></screen>
</step>
<step os="rhel;fedora;centos;opensuse;sles">
<para>Start the Identity Service and enable it so it start when
the system boots.</para>
<screen os="rhel;fedora;centos;sles;opensuse"><prompt>#</prompt> <userinput>service openstack-keystone start</userinput>
<prompt>#</prompt> <userinput>chkconfig openstack-keystone on</userinput></screen>
</step>
</procedure>
</section>
View Git Blame Copy Permalink