Openstack – Keystone installation tutorial (CentOS) (Part 2/9) (2024)

We started our OpenStack installation here and stopped at minimal deployment.

Keystone is the first service you should install in a minimal (or any) OpenStack installation scenario. It is the identity provider for OpenStack. Visit my OpenStack installation tutorial to see my lab settings if something is not clear.

Here is the link to the OpenStack documentation, where you can always find fresh info about Keystone deployment: https://docs.openstack.org/keystone/train/install/index-rdo.html

Prerequisites

Keystone will be installed on the controller machine.

We need to create a database named keystone. Here are the steps:

mysql -u root -p
CREATE DATABASE keystone;

We will create the user keystone. Replace pass with your own password.

CREATE USER `keystone`@`localhost` IDENTIFIED BY 'pass';

Grant privileges on the keystone DB to the keystone user

GRANT ALL ON keystone.* TO `keystone`@`localhost`;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'pass';
exit

Installation

Start installation by typing in

sudo yum install openstack-keystone httpd mod_wsgi

Edit /etc/keystone/keystone.conf

sudo vi /etc/keystone/keystone.conf 

In the database section, configure the following (replace pass with your password):

[database]
# ...
connection = mysql+pymysql://keystone:pass@controller/keystone

In the token section, configure the following:

[token]
# ...
provider = fernet

Here is how it looks in my config:

[Screenshots of the edited keystone.conf]
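
A section-aware check that the two keystone.conf edits above took effect, as an added example that is not part of the original tutorial: a plain grep for "provider = fernet" also matches a commented line or a line under the wrong section. The function names, both sample files and the replacement password are constructed for illustration.

```shell
# Added example. ini_get FILE SECTION KEY prints KEY's value inside [SECTION].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                # commented-out line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); sect = $0; next }  # section header
        sect == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                             # last assignment wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# Prints one finding per line; returns 0 only when both edits took effect.
check_keystone_conf() (
    rc=0
    provider=$(ini_get "$1" token provider)
    if [ "$provider" != "fernet" ]; then
        echo "[token] provider is '${provider:-not set}', the tutorial sets fernet"; rc=1
    fi
    conn=$(ini_get "$1" database connection)
    pw=${conn#*://*:}; pw=${pw%@*}    # text between "user:" and the last "@"
    if [ -z "$conn" ]; then
        echo "[database] connection is not set"; rc=1
    elif [ "$pw" = "pass" ]; then
        echo "[database] connection still uses the placeholder password"; rc=1
    fi
    [ "$rc" -eq 0 ]
)

# Constructed sample 1: provider under the wrong section, placeholder kept.
conf_dir=$(mktemp -d)
cat > "$conf_dir/broken.conf" <<'EOF'
[DEFAULT]
provider = fernet
[database]
connection = mysql+pymysql://keystone:pass@controller/keystone
[token]
#provider = fernet
EOF
# Constructed sample 2: both edits in the right sections (made-up password).
cat > "$conf_dir/fixed.conf" <<'EOF'
[database]
connection = mysql+pymysql://keystone:Example-Db-Secret@controller/keystone
[token]
provider = fernet
EOF
check_keystone_conf "$conf_dir/broken.conf" || echo "=> broken.conf needs attention"
check_keystone_conf "$conf_dir/fixed.conf" && echo "=> fixed.conf is as the tutorial describes"
```
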

Next, we need to run

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize Fernet key repos

sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service. Replace ADMIN_PASS with a suitable password for the admin user.

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

Configure Apache HTTP server

We need to change server name

sudo vi /etc/httpd/conf/httpd.conf

Uncomment the ServerName line and set it to controller

ServerName controller

Create a link to wsgi-keystone.conf

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

SSL

In production, you should secure your installation with SSL.

Finalization

We should enable and start the service

sudo systemctl enable httpd.service
sudo systemctl start httpd.service

Next, we should set the environment variables. The values shown are from keystone-manage bootstrap.

Be sure to replace ADMIN_PASS with the password you set in the earlier step.

$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3

______________

OPTIONALLY – NOT PART OF TUTORIAL!!

If you wish to make these changes permanent, you can do the following. This way, these values will be loaded on every system startup.

# vi ~/keystonerc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=adminpassword
export OS_AUTH_URL=http://10.0.0.30:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='[\u@\h \W(keystone)]\$ '
# chmod 600 ~/keystonerc
# source ~/keystonerc
# echo "source ~/keystonerc " >> ~/.bash_profile

END OF OPTIONALLY PART

__________________________________


We will also open a few ports in the firewall (optional)

sudo firewall-cmd --zone=public --add-port=5000/tcp --permanent
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

After that, you can try the link from a client in your network:

[Screenshot]

Creating Domain, Project, Users, Roles

In the steps above, we created the default domain, so we don’t need to do it now.

Domain creation

openstack domain create --description "An Example Domain" example

We will create other details…

Service Project creation

openstack project create --domain default \
  --description "Service Project" service

If you get “Missing value auth-url required for auth plugin password” check back and see part where we exported environment variables and check if they are loaded. If you rebooted server in the meantime, you will probably need to export all the values again. Later on, we will create files that we can call when needed.

Project creation

openstack project create --domain default \
  --description "Demo Project" myproject

User creation

openstack user create --domain default \
  --password-prompt myuser

Role creation

openstack role create myrole

Add role “myrole” to project “myproject” with user “myuser”

openstack role add --project myproject --user myuser myrole

Verify operation

Before we go any further, we have to verify that all is working as expected, because this is the foundation for everything we will add later.

We will temporarily unset OS_AUTH_URL and OS_PASSWORD

unset OS_AUTH_URL OS_PASSWORD

We will now request an auth token as the admin user (we will need the password we set earlier for the admin user)

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue

We will now also request an auth token as myuser, the user we created a step earlier

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name myproject --os-username myuser token issue

Ok, both screens and info I got are ok, and valid.

OpenStack client environment scripts

You can read more on the topic here – https://docs.openstack.org/keystone/train/install/keystone-openrc-rdo.html

I will go through creating client environment scripts for the admin and demo projects and users. Future portions of the OpenStack guide reference these scripts to load appropriate credentials for client operations.

One more notice from OpenStack:

The paths of the client environment scripts are unrestricted. For convenience, you can place the scripts in any location, however ensure that they are accessible and located in a secure place appropriate for your deployment, as they do contain sensitive credentials.

OpenStack does not specify locations of admin-openrc and demo-openrc, so I will put them in my “home” directory.

sudo vi admin-openrc.sh

Enter the following, changing ADMIN_PASS to your password.

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Now, on to demo-openrc

sudo vi demo-openrc.sh

Replace DEMO_PASS with the password you created for the “myuser” user.

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Stay in the same directory where you created scripts and execute

sudo chmod +x admin-openrc.sh
sudo chmod +x demo-openrc.sh
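
An added check for the client environment scripts created above (not part of the original tutorial or the OpenStack documentation). It flags group/other permission bits, a literal OS_PASSWORD and an http:// auth URL. The function name and both sample files are constructed, and the second sample assumes TLS has been set up on the controller.

```shell
# Added example, not from the tutorial: audit a client environment script.
# Prints one finding per line; returns 0 only when the file is clean.
audit_openrc() (
    findings=0
    # Characters 5-10 of `ls -l` are the group and other permission bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "MODE: group/other bits are '$perms'; the file is only sourced, chmod 600 is enough"
        findings=$((findings + 1))
    fi
    # When the file is sourced, the last OS_PASSWORD assignment wins.
    pw_line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=' "$1" | tail -n 1)
    case $pw_line in
        '' | *'$'*) ;;  # absent, or filled from another variable at load time
        *)  echo "SECRET: OS_PASSWORD is stored as a literal"
            findings=$((findings + 1)) ;;
    esac
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_AUTH_URL=http://' "$1"; then
        echo "TRANSPORT: OS_AUTH_URL is http://, so the password is sent unencrypted"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# Constructed sample 1: the tutorial's admin-openrc.sh after chmod +x (umask 022).
demo_dir=$(mktemp -d)
cat > "$demo_dir/admin-openrc.sh" <<'EOF'
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
EOF
chmod 755 "$demo_dir/admin-openrc.sh"

# Constructed sample 2: prompts for the password; assumes TLS is configured.
cat > "$demo_dir/admin-openrc-prompt.sh" <<'EOF'
export OS_USERNAME=admin
export OS_AUTH_URL=https://controller:5000/v3
printf 'Password for %s: ' "$OS_USERNAME"
stty -echo; read -r OS_PASSWORD; stty echo; echo
export OS_PASSWORD
EOF
chmod 600 "$demo_dir/admin-openrc-prompt.sh"

audit_openrc "$demo_dir/admin-openrc.sh" || echo "=> admin-openrc.sh needs attention"
audit_openrc "$demo_dir/admin-openrc-prompt.sh" && echo "=> admin-openrc-prompt.sh is clean"
```
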

Using the scripts

Citing the OpenStack Documentation –

To run clients as a specific project and user, you can simply load the associated client environment script prior to running them. For example:

Load the admin-openrc file to populate environment variables with the location of the Identity service and the admin project and user credentials:

. admin-openrc

Request auth token

openstack token issue

The next step is the Image service installation – Glance

Author: Velia Krajcik