Highly available Identity API

Installing KeyStone On Controllers

  # Run on every controller. In this guide Keystone is served by httpd/mod_wsgi
  # (see wsgi-keystone.conf below), which is why httpd and mod_wsgi are installed with it.
  1. [root@controller ~]# yum install openstack-keystone httpd mod_wsgi python-openstackclient openstack-utils -y

Configure memcached (on each controller)

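  # memcached has no authentication (and, unless started with -U 0, also answers
  # over UDP). The original step replaced 127.0.0.1 with 0.0.0.0, which exposes the
  # cached identity data to every network the controller is attached to.
  # Keystone reaches memcached as controllerN:11211 (see the [cache] settings
  # further down), so bind loopback plus the address this node's name resolves to,
  # and firewall 11211 so that only the three controllers can connect.
  MGMT_IP=$(getent hosts "$(hostname -s)" | awk '{ print $1; exit }')
  if [ -z "$MGMT_IP" ]; then
    echo "cannot resolve $(hostname -s); set OPTIONS in /etc/sysconfig/memcached by hand" >&2
  else
    sed -i "s|^OPTIONS=.*|OPTIONS=\"-l 127.0.0.1,::1,${MGMT_IP}\"|" /etc/sysconfig/memcached
  fi
  cat /etc/sysconfig/memcached
  # Expected result (the other lines are the package defaults, unchanged):
  #   PORT="11211"
  #   USER="memcached"
  #   MAXCONN="1024"
  #   CACHESIZE="64"
  #   OPTIONS="-l 127.0.0.1,::1,<this node's address>"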

Start MemCached Service

  1. [root@controller ~]# systemctl enable memcached.service
  2. Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
  3. [root@controller ~]# systemctl start memcached.service    
  4. [root@controller ~]# systemctl status memcached.service
  5. ● memcached.service - memcached daemon
  6.    Loaded: loaded (/usr/lib/systemd/system/memcached.service; enabled; vendor preset: disabled)
  7.    Active: active (running) since Sun 2017-12-17 22:07:25 EST; 1s ago
  8.  Main PID: 7500 (memcached)
  9.    CGroup: /system.slice/memcached.service
  # "-l 0.0.0.0,::1" on the command line below means memcached accepts connections
  # from ANY IPv4 address, with no authentication. Restrict it to loopback plus the
  # node's management address and firewall 11211 to the controllers.
  10.            └─7500 /usr/bin/memcached -p 11211 -u memcached -m 64 -c 1024 -l 0.0.0.0,::1
  11.  
  12. Dec 17 22:07:25 controller1 systemd[1]: Started memcached daemon.
  13. Dec 17 22:07:25 controller1 systemd[1]: Starting memcached daemon...

Configure Httpd Service

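  # Run on every controller. ServerName must be the node's own host name, so it is
  # derived from the host instead of being copy-edited per node (the original had one
  # hand-written line per controller).
  cp /etc/httpd/conf/httpd.conf{,.bak}
  echo "ServerName $(hostname -s)" >> /etc/httpd/conf/httpd.conf
  # Keystone's vhosts come from the file shipped with the package; link it into conf.d.
  ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/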

Configure Keystone's httpd ports (HAProxy binds 5000/35357 on the VIP, so httpd listens on 4999/35356)

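  # Keystone's WSGI vhosts must not use 5000/35357 on these nodes, because HAProxy
  # binds those ports on the VIP (next section); move them to 4999/35356.
  # The substitutions are anchored to the Listen and <VirtualHost> lines so that no
  # other occurrence of "5000"/"35357" is touched (the original unanchored
  # `sed 's/5000/4999/'` rewrote the first match on ANY line containing 5000).
  # Note: /usr/share/keystone/wsgi-keystone.conf is owned by the package; a package
  # update may restore the original ports, so re-check this file after upgrades.
  WSGI_CONF=/usr/share/keystone/wsgi-keystone.conf
  PORT_SED='s/^Listen 5000[[:space:]]*$/Listen 4999/; s/^Listen 35357[[:space:]]*$/Listen 35356/; s/:5000>/:4999>/; s/:35357>/:35356>/'
  if [ -f "$WSGI_CONF" ]; then
    cp "$WSGI_CONF" "$WSGI_CONF.bak"
    sed -i -e "$PORT_SED" "$WSGI_CONF"
  else
    echo "$WSGI_CONF not found; is openstack-keystone installed?" >&2
  fi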

Start Httpd Service

  1. [root@controller ~]# systemctl enable httpd.service
  2. Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
  3. [root@controller ~]# systemctl restart httpd.service
  4. [root@controller ~]# netstat -antp|egrep 'httpd'
  # :::80 is presumably only the default httpd vhost and serves nothing Keystone-related;
  # firewall it or disable the default site. 35356 (admin) and 4999 (public) are the
  # Keystone vhosts that HAProxy will balance over.
  5. tcp6       0      0 :::80                   :::*                    LISTEN      1946/httpd          
  6. tcp6       0      0 :::35356                :::*                    LISTEN      1946/httpd          
  7. tcp6       0      0 :::4999                 :::*                    LISTEN      1946/httpd

Configure HAProxy for Keystone

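  # Append the two Keystone listeners to HAProxy. Both bind the VIP ("controller") on
  # the standard ports and balance over the per-node httpd ports 35356/4999 set up
  # above. printf with one argument per line (rather than echo '...') avoids the
  # quoting slip that left a stray "'" line in the original transcript.
  printf '%s\n' \
    '' \
    '#keystone' \
    'listen keystone_admin_cluster' \
    'bind controller:35357' \
    '#balance  source' \
    'option  tcpka' \
    'option  httpchk' \
    'option  tcplog' \
    'server controller1 controller1:35356 check inter 2000 rise 2 fall 5' \
    'server controller2 controller2:35356 check inter 2000 rise 2 fall 5' \
    'server controller3 controller3:35356 check inter 2000 rise 2 fall 5' \
    '' \
    'listen keystone_public_cluster' \
    'bind controller:5000' \
    '#balance  source' \
    'option  tcpka' \
    'option  httpchk' \
    'option  tcplog' \
    'server controller1 controller1:4999 check inter 2000 rise 2 fall 5' \
    'server controller2 controller2:4999 check inter 2000 rise 2 fall 5' \
    'server controller3 controller3:4999 check inter 2000 rise 2 fall 5' \
    >> /etc/haproxy/haproxy.cfg
  # Both listeners are plain HTTP: passwords and tokens cross the network in clear
  # unless TLS is terminated here (bind ... ssl crt ...), which this page does not cover.
  # The admin API (35357) is reachable by anyone who can reach the VIP; restrict it to
  # the management network with a firewall rule or an HAProxy ACL.
  # Validate the file before applying it so a typo cannot take down every API behind
  # HAProxy; reload-or-restart keeps established connections when HAProxy is already up.
  haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload-or-restart haproxy.service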
  25. [root@controller ~]# netstat -antp|egrep 'haproxy|httpd'
  # 1080 is presumably the HAProxy stats page; it listens on all addresses.
  26. tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN      2111/haproxy        
  # The two VIP-bound listeners (192.168.220.20:35357 / :5000) front the per-node
  # httpd ports 35356 / 4999.
  27. tcp        0      0 192.168.220.20:35357    0.0.0.0:*               LISTEN      2111/haproxy        
  28. tcp        0      0 192.168.220.20:5000     0.0.0.0:*               LISTEN      2111/haproxy        
  # 0.0.0.0:5000 is not created by the block added above — presumably another listen
  # section already in haproxy.cfg. It makes port 5000 reachable on every local
  # address, not just the VIP; confirm that it is intended.
  29. tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      2111/haproxy        
  30. tcp6       0      0 :::80                   :::*                    LISTEN      1946/httpd          
  31. tcp6       0      0 :::35356                :::*                    LISTEN      1946/httpd          
  32. tcp6       0      0 :::4999                 :::*                    LISTEN      1946/httpd

Configure Keystone (on controller1; the result is copied to the other nodes below)

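  # Configure Keystone on controller1 (keystone.conf is copied to the other nodes later).
  cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
  # The legacy [DEFAULT] admin_token is a static, never-expiring full-admin credential.
  # It is not needed — `keystone-manage bootstrap` below creates the admin user — so it
  # is deliberately NOT set here (the original generated one with openssl and stored it).
  # [DEFAULT] verbose is a deprecated oslo.log option with no effect on recent releases;
  # set [DEFAULT] debug = true instead if more logging is needed.
  #
  # The database password must match the grant created for the keystone DB user. The
  # default below only reproduces the user-name-as-password grant used by this guide;
  # use a generated password in the grant and export KEYSTONE_DBPASS to match.
  KEYSTONE_DBPASS=${KEYSTONE_DBPASS:-keystone}
  openstack-config --set /etc/keystone/keystone.conf database connection "mysql+pymysql://keystone:${KEYSTONE_DBPASS}@controller/keystone"
  # Cache through all three memcached instances (this is why memcached must listen on
  # the address each controllerN name resolves to).
  openstack-config --set /etc/keystone/keystone.conf cache backend oslo_cache.memcache_pool
  openstack-config --set /etc/keystone/keystone.conf cache enabled true
  openstack-config --set /etc/keystone/keystone.conf cache memcache_servers controller1:11211,controller2:11211,controller3:11211
  openstack-config --set /etc/keystone/keystone.conf memcache servers controller1:11211,controller2:11211,controller3:11211
  # Fernet tokens are not persisted, so no [token] driver is needed; the old
  # "memcache" token-persistence driver has been removed from recent releases.
  openstack-config --set /etc/keystone/keystone.conf token provider fernet
  # keystone.conf now contains the DB password: readable by root and keystone only.
  chown root:keystone /etc/keystone/keystone.conf
  chmod 640 /etc/keystone/keystone.conf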

Initialize the database and the Fernet/credential key repositories (controller1 only)

  # Run once, on one node only: schema migration (as the keystone user), then creation
  # of the Fernet token keys and the credential-encryption keys under /etc/keystone/,
  # owned by keystone with restrictive permissions. These key repositories are secrets;
  # they are copied to the other controllers in the next step.
  1. [root@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
  2. [root@controller1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
  3. [root@controller1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Copy the configuration and key repositories to the other controller nodes

  # fernet-keys/, credential-keys/ and keystone.conf (which holds the DB password) are
  # secrets: copy them only over SSH, as here. `-a` preserves the keystone ownership and
  # the modes set by fernet_setup/credential_setup. Every node must hold the same Fernet
  # keys so that a token issued by one node validates on the others. Re-run this sync
  # from controller1 after every `keystone-manage fernet_rotate`; consider adding
  # --delete so retired keys are removed on the other nodes too (TODO confirm for your
  # rotation procedure). keystone.conf.bak is copied as well; harmless but unnecessary.
  1. [root@controller1 ~]# rsync -avzP -e 'ssh -p 22' /etc/keystone/* controller2:/etc/keystone/
  2. sending incremental file list
  3. keystone.conf
  4.       115180 100%  108.49MB/s    0:00:00 (xfer#1, to-check=10/13)
  5. keystone.conf.bak
  6.       114875 100%   54.78MB/s    0:00:00 (xfer#2, to-check=9/13)
  7. credential-keys/
  8. credential-keys/0
  9.           44 100%   21.48kB/s    0:00:00 (xfer#3, to-check=3/13)
  10. credential-keys/1
  11.           44 100%   21.48kB/s    0:00:00 (xfer#4, to-check=2/13)
  12. fernet-keys/
  13. fernet-keys/0
  14.           44 100%   21.48kB/s    0:00:00 (xfer#5, to-check=1/13)
  15. fernet-keys/1
  16.           44 100%   21.48kB/s    0:00:00 (xfer#6, to-check=0/13)
  17.  
  18. sent 2209 bytes  received 2114 bytes  2882.00 bytes/sec
  19. total size is 236741  speedup is 54.76
  # Same copy to the third node.
  20. [root@controller1 ~]# rsync -avzP -e 'ssh -p 22' /etc/keystone/* controller3:/etc/keystone/
  21. sending incremental file list
  22. keystone.conf
  23.       115180 100%  108.49MB/s    0:00:00 (xfer#1, to-check=10/13)
  24. keystone.conf.bak
  25.       114875 100%   54.78MB/s    0:00:00 (xfer#2, to-check=9/13)
  26. credential-keys/
  27. credential-keys/0
  28.           44 100%   21.48kB/s    0:00:00 (xfer#3, to-check=3/13)
  29. credential-keys/1
  30.           44 100%   21.48kB/s    0:00:00 (xfer#4, to-check=2/13)
  31. fernet-keys/
  32. fernet-keys/0
  33.           44 100%   21.48kB/s    0:00:00 (xfer#5, to-check=1/13)
  34. fernet-keys/1
  35.           44 100%   21.48kB/s    0:00:00 (xfer#6, to-check=0/13)
  36.  
  37. sent 2209 bytes  received 2114 bytes  8646.00 bytes/sec
  38. total size is 236741  speedup is 54.76

Restart Httpd Service

  # Restart httpd on every controller so the copied keystone.conf and key repositories
  # are picked up: controller1 locally, the other two over SSH.
  systemctl restart httpd.service
  for node in controller2 controller3; do
    ssh "$node" "systemctl restart httpd.service"
  done

Bootstrap the admin user, project, role and the Identity endpoints

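  # Bootstrap the admin user/project/role and register the Identity endpoints.
  # The original passed `--bootstrap-password admin`: a trivial password, visible in
  # `ps` and recorded in the shell history. keystone-manage reads OS_BOOTSTRAP_PASSWORD
  # from the environment, so the password is generated (or supplied via ADMIN_PASS)
  # and never appears in argv. Store the printed value in your secret store now; it
  # is the OS_PASSWORD for admin-openrc.
  ADMIN_PASS=${ADMIN_PASS:-$(openssl rand -base64 24)}
  OS_BOOTSTRAP_PASSWORD=$ADMIN_PASS keystone-manage bootstrap \
    --bootstrap-admin-url http://controller:35357/v3/ \
    --bootstrap-internal-url http://controller:5000/v3/ \
    --bootstrap-public-url http://controller:5000/v3/ \
    --bootstrap-region-id RegionOne
  printf 'admin password (record it now): %s\n' "$ADMIN_PASS"
  # The endpoints are registered as plain http:// on the VIP; if TLS is later
  # terminated at HAProxy, re-register them as https://.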

Create the admin credentials file (admin-openrc) and verify by issuing a token

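  # Create the admin credentials file. Unlike the original (OS_PASSWORD=admin stored in
  # clear text with default permissions), the password is prompted for when the file is
  # sourced and is never written to disk; the file itself is still mode 600.
  # printf with one argument per line avoids the quoting slip that left a stray '"'
  # line in the original transcript.
  (
    umask 077
    printf '%s\n' \
      'export OS_PROJECT_DOMAIN_NAME=default' \
      'export OS_USER_DOMAIN_NAME=default' \
      'export OS_PROJECT_NAME=admin' \
      'export OS_USERNAME=admin' \
      'read -rs -p "Password for $OS_USERNAME: " OS_PASSWORD; echo' \
      'export OS_PASSWORD' \
      'export OS_AUTH_URL=http://controller:35357/v3' \
      'export OS_IDENTITY_API_VERSION=3' \
      'export OS_IMAGE_API_VERSION=2' \
      > /root/admin-openrc
  )
  source /root/admin-openrc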
  # A successful `token issue` exercises the whole path: VIP -> HAProxy -> httpd ->
  # Keystone -> database/memcached.
  13. [root@controller1 ~]# openstack token issue
  14. +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  15. | Field      | Value                                                                                                                                                                                   |
  16. +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  17. | expires    | 2017-12-15T11:24:26+0000                                                                                                                                                                |
  # `id` is a bearer token: until `expires`, anyone holding it can act as admin.
  # Never paste real token output into tickets, chat or documentation.
  18. | id         | gAAAAABaM6LaRTUjdiPkk1_5ydJV38A7d8ksrrD270fHt5Rc6SZZiIqhQXD70YdFVZqzfK0wWnxqF2jpAy1yBB6Tt-_v9VGbwyGORDJ-MesmmcmychP65oL_2dY8O4N09Mb8RZZm29wkJzOjgQffiFkmmjm3H7mAjfEHqbUxS-RdNcrnFEY0sTQ |
  19. | project_id | 2291724ac1a54d65844cc5dba56f4803                                                                                                                                                        |
  20. | user_id    | c69e3e92d2e9485dabc42d845574d965                                                                                                                                                        |
  21. +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Create the service project, the service users and the demo project/user

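  # Service project and service users. The original set each service password equal
  # to the user name and passed it on the command line (visible in `ps`, recorded in
  # the shell history). --password-prompt reads it from the terminal instead; use a
  # generated value for each and record it, since it goes into the matching service's
  # [keystone_authtoken] section later.
  openstack project create --domain default --description "Service Project" service
  for svc in glance nova neutron; do
    openstack user create --domain default --password-prompt "$svc"
    # Service users get the admin role on the service project, as in the upstream guide.
    openstack role add --project service --user "$svc" admin
  done
  # Unprivileged demo project and user with a plain "user" role.
  openstack project create --domain default --description "Demo Project" demo
  openstack user create --domain default --password-prompt demo
  openstack role create user
  openstack role add --project demo --user demo user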

Add OpenStack Identity resource to Pacemaker

  # NOTE(review): Keystone on these nodes runs inside httpd (wsgi-keystone.conf), not as a
  # standalone openstack-keystone service, so a systemd:openstack-keystone resource has
  # nothing to manage here — and the unit may not even exist on current packages. Either
  # manage httpd from Pacemaker (e.g. systemd:httpd, with httpd *disabled* in systemd so
  # Pacemaker owns it) or rely on the HAProxy health checks above; confirm against your
  # Pacemaker and package versions before adding this resource.
  1. [root@controller1 ~]# pcs resource create openstack-keystone systemd:openstack-keystone --clone interleave=true

Configure OpenStack Identity service (generic reference snippet with a different addressing scheme; the bind_host options do not apply to the httpd/mod_wsgi layout used above)

  1. # cat keystone.conf
  2.  
  # NOTE(review): bind_host/public_bind_host/admin_bind_host only apply to the standalone
  # (eventlet) keystone server. Under httpd/mod_wsgi, as deployed above, the listen
  # addresses come from wsgi-keystone.conf, so these lines have no effect there. The
  # 10.0.0.x addresses also belong to a different network than the 192.168.220.0/24
  # used earlier on this page.
  3. bind_host = 10.0.0.12
  4. public_bind_host = 10.0.0.12
  5. admin_bind_host = 10.0.0.12
  6.  
  # NOTE(review): the long entry-point form of the driver names is the legacy spelling;
  # recent releases use the short name (driver = sql) — verify against your release.
  7. [catalog]
  8. driver = keystone.catalog.backends.sql.Catalog
  9. # ...
  10. [identity]
  11. driver = keystone.identity.backends.sql.Identity
  12. # ...

Configure OpenStack services to use the highly available Identity endpoint (generic reference snippet; it registers v2.0 URLs while the bootstrap above registered v3)

  1. # cat api-paste.ini
  2.  
  # NOTE(review): auth_host is a legacy keystonemiddleware option; current releases
  # configure [keystone_authtoken] in the service's own config with
  # auth_url / www_authenticate_uri (auth_uri on older ones) pointing at the VIP — check
  # what your service release expects. 10.0.0.11 here plays the role of the VIP
  # ("controller" / 192.168.220.20 earlier on this page).
  3. auth_host = 10.0.0.11
  4.  
  # NOTE(review): these register v2.0 URLs, but keystone-manage bootstrap above registered
  # /v3/ endpoints; use matching /v3 URLs so services and clients agree. $service-type is
  # a placeholder (a shell would expand $service and append "-type"); replace it,
  # $KEYSTONE_REGION and PUBLIC_VIP by hand and quote the values. The admin endpoint is
  # plain http on the VIP, reachable by anyone who can route to it.
  5. $ openstack endpoint create --region $KEYSTONE_REGION $service-type public http://PUBLIC_VIP:5000/v2.0
  6. $ openstack endpoint create --region $KEYSTONE_REGION $service-type admin http://10.0.0.11:35357/v2.0
  7. $ openstack endpoint create --region $KEYSTONE_REGION $service-type internal http://10.0.0.11:5000/v2.0
  8.  
  9. # cat local_settings.py
  10.  
  # NOTE(review): as written this is not valid Python (the address is unquoted);
  # Horizon's local_settings.py needs a string: OPENSTACK_HOST = "10.0.0.11" (the VIP).
  11. OPENSTACK_HOST = 10.0.0.11
