OpenStack workshop, part 2: OpenStack cloud installation
A Step-by-Step Cloud Setup Guide
OpenStack Keystone
Keystone is the OpenStack authentication component. It is the only service that does not require any other services. Thus, it makes sense to begin with the Keystone installation on Alice. Directly after installing the Keystone packages, it is a good idea to edit the Keystone configuration in /etc/keystone/keystone.conf in your preferred editor.
It is important to define an appropriate value as the admin token in the admin_token = line. The admin token is the master key for OpenStack: Anyone who knows its value can make changes in Keystone. It is therefore recommended to set the permissions for keystone.conf so that only root can read the file. In this example, I will be using secret as the admin token.
Keystone also needs to know where to find its own MySQL database. This is handled by the SQL connection string, which is defined in the [sql] block of keystone.conf. In the default configuration, the file points to an SQLite database. In this example, MySQL resides on Alice; you need to create an entry to reflect the previously created MySQL database as follows:
[sql]
connection = mysql://keystonedbadmin:Ue0Ud7ra@192.168.122.111/keystone
idle_timeout = 200
Keystone also needs to know how to save its service definitions, so your keystone.conf should also contain the following entries:
[identity]
driver = keystone.identity.backends.sql.Identity
[catalog]
driver = keystone.catalog.backends.sql.Catalog
This step completes keystone.conf. After saving and closing the file, the next step is to create the tables that Keystone needs in its database with the custom tool keystone-manage db_sync. When you are done, type service keystone restart to restart the service, which is then ready for use.
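Before running keystone-manage db_sync it is worth checking that the edits described above actually took effect, in particular that the admin token is set and that the file is not readable by other users. The following script is an added example and not part of the article or of the Keystone project; the function name is my own, and it assumes that the sample keystone.conf ships with the placeholder value ADMIN for admin_token (an assumption about the default, not something the article states). The demonstration at the end writes a constructed sample file in a temporary directory rather than touching /etc/keystone/keystone.conf.

```sh
#!/bin/sh
# Added example, not from the article: sanity-check a keystone.conf before
# running keystone-manage db_sync and restarting the service. It verifies
# the three points made in the text: an admin token is set (and not left at
# the "ADMIN" placeholder of the sample config, an assumed default), the
# [sql] connection points at MySQL rather than the default SQLite file, and
# the file mode keeps the admin token readable by its owner (root) only.

# check_keystone_conf FILE
# Prints one FAIL line per problem; returns 0 when all checks pass.
check_keystone_conf() {
    conf="$1"
    rc=0

    # First uncommented "admin_token = ..." line, value only.
    token=$(sed -n 's/^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$token" ] || [ "$token" = "ADMIN" ]; then
        echo "FAIL: admin_token is unset or still the placeholder value"
        rc=1
    fi

    # The connection string must be a MySQL URL, not the default SQLite path.
    connection=$(sed -n 's/^[[:space:]]*connection[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    case "$connection" in
        mysql://*) ;;
        *) echo "FAIL: [sql] connection is '$connection', expected a mysql:// URL"
           rc=1 ;;
    esac

    # Octal file mode: GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf has mode $mode; expected 600 so only the owner can read the admin token"
           rc=1 ;;
    esac

    return "$rc"
}

# Demonstration on a constructed sample file, not the real /etc/keystone/keystone.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/keystone.conf" <<'EOF'
[DEFAULT]
admin_token = secret

[sql]
connection = mysql://keystonedbadmin:Ue0Ud7ra@192.168.122.111/keystone
idle_timeout = 200

[identity]
driver = keystone.identity.backends.sql.Identity

[catalog]
driver = keystone.catalog.backends.sql.Catalog
EOF
chmod 600 "$demo_dir/keystone.conf"
if check_keystone_conf "$demo_dir/keystone.conf"; then
    echo "OK: $demo_dir/keystone.conf passes all checks"
fi
rm -rf "$demo_dir"
```

Run it as root against the real file with check_keystone_conf /etc/keystone/keystone.conf; a non-zero exit status means at least one of the three settings still needs attention.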
After the configuration, it makes sense to create a set of tenants and users. In real life, you would not do this manually; instead you would use pre-built scripts. A custom script matching this article can be found online [1]. It uses the secret key previously added to keystone.conf to set up a tenant named admin and a matching user account that also has secret as its password. The script also creates a "service" tenant containing users for all services; again secret is the password for all of these accounts. Simply download the script and run it on Alice at the command line.
Endpoints in Keystone
Keystone manages what is known as the Endpoint database. An endpoint in Keystone is the address of an API belonging to one of the OpenStack services. If an OpenStack service wants to know how to communicate directly with the API of another service, it retrieves the information from this list in Keystone. For admins, this means you have to create the list initially; another script handles this task [2]. After installing the script on disk, you can call it as shown in Listing 2.
Listing 2: Endpoints
./endpoints.sh \
  -m 192.168.122.111 \
  -u keystonedbadmin \
  -D keystone \
  -p Ue0Ud7ra \
  -K 192.168.122.111 \
  -R RegionOne \
  -E "http://192.168.122.111:35357/v2.0" \
  -S 192.168.122.113 \
  -T secret
The individual parameters are far less cryptic than they might seem. The -m option specifies the address on which MySQL can be accessed, and -u, -D, and -p supply the access credentials for MySQL (the user is keystonedbadmin, the database keystone, and the password Ue0Ud7ra). The -K parameter stipulates the host on which Keystone listens, and -R defines the OpenStack region for which these details apply. -E tells the script where to log in to Keystone to make these changes in the first place. The -S parameter supplies the address for the OpenStack Object Storage solution, Swift; it is not part of this how-to but might mean some additions to the setup later on. -T designates the admin token as specified in keystone.conf. A word of caution: The script is designed for the data in this example; if you use different IPs, you will need to change it accordingly. Once the endpoints have been set up, Keystone is ready for deployment in OpenStack.
Storing Credentials
Once you have enabled Keystone, every further interaction with the service has to be authenticated. Fortunately, all OpenStack command-line tools read their login details from environment variables, which makes logging in to Keystone much easier. After defining these variables, you don't need to worry about manual authentication. It makes sense to create a file named .openstack-credentials in your home folder. In this example, it would look like Listing 3.
Listing 3: Credentials
OS_AUTH_URL="http://192.168.122.111:5000/v2.0/"
OS_PASSWORD="secret"
OS_TENANT_NAME="admin"
OS_USERNAME="admin"
OS_NO_CACHE=1

export OS_AUTH_URL OS_PASSWORD
export OS_TENANT_NAME OS_USERNAME
export OS_NO_CACHE
You can then source .openstack-credentials to add its variables to the current environment. After this step, OpenStack commands should work at the command line without annoying you with prompts.
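Because .openstack-credentials holds the admin password in clear text, its file mode deserves the same care as keystone.conf. The script below is an added example, not part of the article: it writes the file from Listing 3 with owner-only permissions and sources it only while that is still the case, refusing to load a copy that other users could read. The function names are my own, and the demonstration uses a temporary directory in place of the real home folder.

```sh
#!/bin/sh
# Added example, not from the article: create and load .openstack-credentials
# (Listing 3) without ever exposing OS_PASSWORD to other users on the host.

# write_openstack_credentials DIR AUTH_URL TENANT USER PASSWORD
# Writes DIR/.openstack-credentials with mode 0600 and prints its path.
write_openstack_credentials() {
    dir="$1" auth_url="$2" tenant="$3" user="$4" password="$5"
    file="$dir/.openstack-credentials"
    old_umask=$(umask)
    umask 077        # the file is created without group/other permission bits
    {
        printf 'OS_AUTH_URL="%s"\n' "$auth_url"
        printf 'OS_PASSWORD="%s"\n' "$password"
        printf 'OS_TENANT_NAME="%s"\n' "$tenant"
        printf 'OS_USERNAME="%s"\n' "$user"
        printf 'OS_NO_CACHE=1\n\n'
        printf 'export OS_AUTH_URL OS_PASSWORD\n'
        printf 'export OS_TENANT_NAME OS_USERNAME\n'
        printf 'export OS_NO_CACHE\n'
    } > "$file"
    umask "$old_umask"
    echo "$file"
}

# load_openstack_credentials FILE
# Sources FILE into the current shell, but refuses if group or others can
# read it, or if one of the variables the OpenStack clients need is missing.
load_openstack_credentials() {
    file="$1"
    # Octal file mode: GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "refusing to load $file: mode $mode exposes OS_PASSWORD to other users" >&2
           return 1 ;;
    esac
    . "$file"
    for var in OS_AUTH_URL OS_PASSWORD OS_TENANT_NAME OS_USERNAME; do
        eval "val=\$$var"
        if [ -z "$val" ]; then
            echo "$file does not set $var" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration in a temporary directory standing in for the home folder.
demo_home=$(mktemp -d)
cred_file=$(write_openstack_credentials "$demo_home" \
    "http://192.168.122.111:5000/v2.0/" admin admin secret)
if load_openstack_credentials "$cred_file"; then
    echo "loaded credentials for $OS_USERNAME@$OS_TENANT_NAME from $cred_file"
fi
rm -rf "$demo_home"
```

In day-to-day use, call load_openstack_credentials "$HOME/.openstack-credentials" from your shell profile instead of a bare source; the function's mode check turns an accidental chmod on the file into a visible error rather than a silent password leak. Passwords containing double quotes or dollar signs would need extra quoting before being written this way.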