Installing KeyStone On Controllers
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi python-openstackclient openstack-utils -y
Configure MemCached (binding to 0.0.0.0 exposes the cache on every interface; memcached has no authentication, so restrict port 11211 to the management network with a firewall)
[root@controller ~]# sed -i 's/127.0.0.1/0.0.0.0/' /etc/sysconfig/memcached
[root@controller ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 0.0.0.0,::1"
Start MemCached Service
[root@controller ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@controller ~]# systemctl start memcached.service
[root@controller ~]# systemctl status memcached.service
● memcached.service - memcached daemon
Loaded: loaded (/usr/lib/systemd/system/memcached.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2017-12-17 22:07:25 EST; 1s ago
Main PID: 7500 (memcached)
CGroup: /system.slice/memcached.service
└─7500 /usr/bin/memcached -p 11211 -u memcached -m 64 -c 1024 -l 0.0.0.0,::1
Dec 17 22:07:25 controller1 systemd[1]: Started memcached daemon.
Dec 17 22:07:25 controller1 systemd[1]: Starting memcached daemon...
Configure Httpd Service
[root@controller ~]# cp /etc/httpd/conf/httpd.conf{,.bak}
[root@controller1 ~]# echo "ServerName controller1">>/etc/httpd/conf/httpd.conf
[root@controller2 ~]# echo "ServerName controller2">>/etc/httpd/conf/httpd.conf
[root@controller3 ~]# echo "ServerName controller3">>/etc/httpd/conf/httpd.conf
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Configure KeyStone
[root@controller ~]# cp /usr/share/keystone/wsgi-keystone.conf{,.bak}
[root@controller ~]# sed -i 's/5000/4999/' /usr/share/keystone/wsgi-keystone.conf
[root@controller ~]# sed -i 's/35357/35356/' /usr/share/keystone/wsgi-keystone.conf
Start Httpd Service
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl restart httpd.service
[root@controller ~]# netstat -antp|egrep 'httpd'
tcp6 0 0 :::80 :::* LISTEN 1946/httpd
tcp6 0 0 :::35356 :::* LISTEN 1946/httpd
tcp6 0 0 :::4999 :::* LISTEN 1946/httpd
Configure HAProxy For KeyStone
[root@controller ~]# echo '
> #keystone
> listen keystone_admin_cluster
> bind controller:35357
> #balance source
> option tcpka
> option httpchk
> option tcplog
> server controller1 controller1:35356 check inter 2000 rise 2 fall 5
> server controller2 controller2:35356 check inter 2000 rise 2 fall 5
> server controller3 controller3:35356 check inter 2000 rise 2 fall 5
>
> listen keystone_public_cluster
> bind controller:5000
> #balance source
> option tcpka
> option httpchk
> option tcplog
> server controller1 controller1:4999 check inter 2000 rise 2 fall 5
> server controller2 controller2:4999 check inter 2000 rise 2 fall 5
> server controller3 controller3:4999 check inter 2000 rise 2 fall 5
> '>>/etc/haproxy/haproxy.cfg
[root@controller ~]# '
[root@controller ~]# systemctl restart haproxy.service
[root@controller ~]# netstat -antp|egrep 'haproxy|httpd'
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN 2111/haproxy
tcp 0 0 192.168.220.20:35357 0.0.0.0:* LISTEN 2111/haproxy
tcp 0 0 192.168.220.20:5000 0.0.0.0:* LISTEN 2111/haproxy
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 2111/haproxy
tcp6 0 0 :::80 :::* LISTEN 1946/httpd
tcp6 0 0 :::35356 :::* LISTEN 1946/httpd
tcp6 0 0 :::4999 :::* LISTEN 1946/httpd
Configure KeyStone (the admin_token set below is a shared-secret bypass of normal authentication; remove it from keystone.conf once `keystone-manage bootstrap` has created the admin user)
[root@controller1 ~]# KEYSTONE_SECRET=$(openssl rand -hex 10)
[root@controller1 ~]#
[root@controller1 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $KEYSTONE_SECRET
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT verbose true
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:<KEYSTONE_DB_PASSWORD>@<DB_HOST>/keystone
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf cache enabled true
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller1:11211,controller2:11211,controller3:11211
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf token driver memcache
[root@controller1 ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
Synchronize Database
[root@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Configure Other Controller Nodes (fernet-keys and credential-keys are the token signing and encryption secrets; rsync -a run as root preserves their keystone ownership and mode, so verify both on the target nodes)
[root@controller1 ~]# rsync -avzP -e 'ssh -p 22' /etc/keystone/* controller2:/etc/keystone/
sending incremental file list
keystone.conf
115180 100% 108.49MB/s 0:00:00 (xfer#1, to-check=10/13)
keystone.conf.bak
114875 100% 54.78MB/s 0:00:00 (xfer#2, to-check=9/13)
credential-keys/
credential-keys/0
44 100% 21.48kB/s 0:00:00 (xfer#3, to-check=3/13)
credential-keys/1
44 100% 21.48kB/s 0:00:00 (xfer#4, to-check=2/13)
fernet-keys/
fernet-keys/0
44 100% 21.48kB/s 0:00:00 (xfer#5, to-check=1/13)
fernet-keys/1
44 100% 21.48kB/s 0:00:00 (xfer#6, to-check=0/13)
sent 2209 bytes received 2114 bytes 2882.00 bytes/sec
total size is 236741 speedup is 54.76
[root@controller1 ~]# rsync -avzP -e 'ssh -p 22' /etc/keystone/* controller3:/etc/keystone/
sending incremental file list
keystone.conf
115180 100% 108.49MB/s 0:00:00 (xfer#1, to-check=10/13)
keystone.conf.bak
114875 100% 54.78MB/s 0:00:00 (xfer#2, to-check=9/13)
credential-keys/
credential-keys/0
44 100% 21.48kB/s 0:00:00 (xfer#3, to-check=3/13)
credential-keys/1
44 100% 21.48kB/s 0:00:00 (xfer#4, to-check=2/13)
fernet-keys/
fernet-keys/0
44 100% 21.48kB/s 0:00:00 (xfer#5, to-check=1/13)
fernet-keys/1
44 100% 21.48kB/s 0:00:00 (xfer#6, to-check=0/13)
sent 2209 bytes received 2114 bytes 8646.00 bytes/sec
total size is 236741 speedup is 54.76
Restart Httpd Service
[root@controller1 ~]# systemctl restart httpd.service
[root@controller1 ~]# ssh controller2 "systemctl restart httpd.service"
[root@controller1 ~]# ssh controller3 "systemctl restart httpd.service"
Create Admin Role (the bootstrap password "admin" shown here is a placeholder; use a strong password, and note that it is visible in shell history and `ps` output when passed on the command line)
[root@controller1 ~]# keystone-manage bootstrap --bootstrap-password admin \
> --bootstrap-admin-url http://controller:35357/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
Configure Admin Resource (admin-openrc stores the admin password in cleartext; keep it readable by root only, e.g. `chmod 600 /root/admin-openrc`)
[root@controller1 ~]# echo "
> export OS_PROJECT_DOMAIN_NAME=default
> export OS_USER_DOMAIN_NAME=default
> export OS_PROJECT_NAME=admin
> export OS_USERNAME=admin
> export OS_PASSWORD=admin
> export OS_AUTH_URL=http://controller:35357/v3
> export OS_IDENTITY_API_VERSION=3
> export OS_IMAGE_API_VERSION=2
> ">/root/admin-openrc
[root@controller1 ~]# "
[root@controller1 ~]# source /root/admin-openrc
[root@controller1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-12-15T11:24:26+0000 |
| id | gAAAAABaM6LaRTUjdiPkk1_5ydJV38A7d8ksrrD270fHt5Rc6SZZiIqhQXD70YdFVZqzfK0wWnxqF2jpAy1yBB6Tt-_v9VGbwyGORDJ-MesmmcmychP65oL_2dY8O4N09Mb8RZZm29wkJzOjgQffiFkmmjm3H7mAjfEHqbUxS-RdNcrnFEY0sTQ |
| project_id | 2291724ac1a54d65844cc5dba56f4803 |
| user_id | c69e3e92d2e9485dabc42d845574d965 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Create OpenStack Project And Service Users (the service passwords below are set equal to the user names for illustration only; generate distinct strong passwords for glance, nova, neutron and demo)
[root@controller1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 78757402f85a467995bcbd69b2183ba5 |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
[root@controller1 ~]# openstack user create --domain default --password=glance glance
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 1072761f1a714aa8ad31a8e3f32fdc94 |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller1 ~]# openstack role add --project service --user glance admin
[root@controller1 ~]# openstack user create --domain default --password=nova nova
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 83ce33fed0fe4c1894b6448cc17c32f7 |
| name | nova |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller1 ~]# openstack role add --project service --user nova admin
[root@controller1 ~]# openstack user create --domain default --password=neutron neutron
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | d0ed457a96824cffb030d3c57b4a8218 |
| name | neutron |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller1 ~]# openstack role add --project service --user neutron admin
[root@controller1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 3ddffab721d24934a0cbd49def5aa615 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
[root@controller1 ~]# openstack user create --domain default --password=demo demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 7884786780534d82afa0085028d2eb9b |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller1 ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 0e067a05c0334234be3e19cad51cc1b5 |
| name | user |
+-----------+----------------------------------+
[root@controller1 ~]# openstack role add --project demo --user demo user
Add OpenStack Identity resource to Pacemaker
[root@controller1 ~]# pcs resource create openstack-keystone systemd:openstack-keystone --clone interleave=true
Configure OpenStack Identity service
# cat keystone.conf
bind_host = 10.0.0.12
public_bind_host = 10.0.0.12
admin_bind_host = 10.0.0.12
[catalog]
driver = keystone.catalog.backends.sql.Catalog
# ...
[identity]
driver = keystone.identity.backends.sql.Identity
# ...
Configure OpenStack services to use the highly available OpenStack Identity
# cat api-paste.ini
auth_host = 10.0.0.11
$ openstack endpoint create --region $KEYSTONE_REGION $service-type public http://PUBLIC_VIP:5000/v2.0
$ openstack endpoint create --region $KEYSTONE_REGION $service-type admin http://10.0.0.11:35357/v2.0
$ openstack endpoint create --region $KEYSTONE_REGION $service-type internal http://10.0.0.11:5000/v2.0
# cat local_settings.py
OPENSTACK_HOST = 10.0.0.11