10 - Setup Keystone

This post is part of the Manual Deployment Openstack HA and Ceph series.

Setup Keystone Database (Exec on controller-01)

1. Create keystone database

mysql
CREATE DATABASE keystone;

2. Grant the keystone user access from localhost and from any host

The '%' entry is what the other controllers use when they reach the database through the 10.10.10.100 VIP. If the database port is reachable from anything other than the controllers, narrow it to the management subnet (for example 'keystone'@'10.10.10.%') instead of '%'. The GRANT ... IDENTIFIED BY form shown here is MariaDB syntax (MySQL 8 needs a separate CREATE USER first), and keystone!dama is the database password used throughout this series; replace it with your own.

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'keystone!dama';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'keystone!dama';


FLUSH PRIVILEGES;
EXIT;

Install and Configure Keystone (Exec on all controller nodes)

1. Install keystone packages

apt install -y keystone python3-openstackclient

2. Create the keystone configuration

Replace X in the [eventlet_server] addresses with the node's own host octet (11, 12 or 13). Keystone's built-in eventlet server was removed in the Newton release, so that section has no effect in a current deployment; the addresses Keystone actually listens on are set in the Apache configuration further down. The [cache] and [database] sections point at all three memcached instances and at the database VIP, so this file is identical on every controller apart from the X placeholders.

vi /etc/keystone/keystone.conf

[DEFAULT]
debug = False
transport_url = rabbit://openstack:rabbit!dama@10.10.10.11:5672,openstack:rabbit!dama@10.10.10.12:5672,openstack:rabbit!dama@10.10.10.13:5672//
use_stderr = True

[application_credential]
[assignment]
[auth]

[cache]
backend = oslo_cache.memcache_pool
enabled = True
memcached_servers = 10.10.10.11:11211,10.10.10.12:11211,10.10.10.13:11211

[catalog]
[cors]
[credential]

[database]
connection = mysql+pymysql://keystone:keystone!dama@10.10.10.100/keystone
max_retries = -1

[domain_config]
[endpoint_filter]
[endpoint_policy]

[eventlet_server]
bind_host = 10.10.10.X
public_bind_host = 202.10.10.X
admin_bind_host = 10.10.10.X

[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]

[oslo_messaging_notifications]
transport_url = rabbit://openstack:rabbit!dama@10.10.10.11:5672,openstack:rabbit!dama@10.10.10.12:5672,openstack:rabbit!dama@10.10.10.13:5672//
driver = noop

[oslo_messaging_rabbit]
[oslo_messaging_zmq]

[oslo_middleware]
enable_proxy_headers_parsing = True

[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]

[token]
provider = fernet


[tokenless_auth]
[trust]
[unified_limit]

Bootstrapping Keystone (Exec on Controller-01)

1. Populate keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

2. Initialize the fernet key repository

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

3. Initialize the credential key repository

keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

4. Distribute the fernet and credential keys to the other controller nodes

Both repositories are secrets: whoever holds the fernet keys can mint and decrypt tokens. fernet_setup creates the directories as 0700 and the keys as 0600, but scp does not preserve modes, so re-apply them on the receiving nodes before the chown. All three controllers must hold identical repositories or a token issued by one node is rejected by the others; the same copy step is needed after every keystone-manage fernet_rotate, which should be run on one node only.

ssh os-controller-02 "mkdir -p /etc/keystone/credential-keys /etc/keystone/fernet-keys"
ssh os-controller-03 "mkdir -p /etc/keystone/credential-keys /etc/keystone/fernet-keys"

cd /etc/keystone/credential-keys
scp 0 1 os-controller-02:/etc/keystone/credential-keys/
scp 0 1 os-controller-03:/etc/keystone/credential-keys/

cd /etc/keystone/fernet-keys
scp 0 1 os-controller-02:/etc/keystone/fernet-keys/
scp 0 1 os-controller-03:/etc/keystone/fernet-keys/

ssh os-controller-02 "chmod 700 /etc/keystone/credential-keys /etc/keystone/fernet-keys; chmod 600 /etc/keystone/credential-keys/* /etc/keystone/fernet-keys/*; chown -R keystone:keystone /etc/keystone"
ssh os-controller-03 "chmod 700 /etc/keystone/credential-keys /etc/keystone/fernet-keys; chmod 600 /etc/keystone/credential-keys/* /etc/keystone/fernet-keys/*; chown -R keystone:keystone /etc/keystone"

5. Bootstrap keystone

rahasia is the initial admin password; choose your own. The endpoints are registered as plain HTTP, so until TLS is terminated on HAProxy in front of these names every password and token crosses the wire in clear text, and the public endpoint in particular should not be exposed in that state.

keystone-manage bootstrap --bootstrap-password rahasia \
  --bootstrap-admin-url http://admin.java.dama.id:5000/v3/ \
  --bootstrap-internal-url http://internal.java.dama.id:5000/v3/ \
  --bootstrap-public-url http://public.java.dama.id:5000/v3/ \
  --bootstrap-region-id java
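A small audit script for the key repositories, added here as an editorial example and not part of the original series: it checks the directory and key modes and the owner that keystone-manage fernet_setup sets (0700/0600, keystone:keystone), rejects stray files in the repository, and prints per-key SHA-256 fingerprints so the output can be compared between controllers to confirm all three hold identical keys. The repository path and the expected owner are parameters; nothing else about the deployment is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Keystone key repository
# such as /etc/keystone/fernet-keys or /etc/keystone/credential-keys.
#
# Checks, mirroring what keystone-manage fernet_setup creates:
#   - directory mode 700, key files mode 600
#   - directory and keys owned by the expected user (default: keystone)
#   - only integer-named key files, and the staging key "0" present
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_key_repo() {
    dir="$1"
    owner="${2:-keystone}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: missing"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    fowner=$(stat -c '%U' "$dir")
    [ "$mode" = "700" ]      || { echo "FAIL $dir: mode $mode, want 700"; rc=1; }
    [ "$fowner" = "$owner" ] || { echo "FAIL $dir: owner $fowner, want $owner"; rc=1; }
    [ -f "$dir/0" ]          || { echo "FAIL $dir: staging key 0 is missing"; rc=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: the glob did not match
        name=$(basename "$f")
        case "$name" in
            *[!0-9]*) echo "FAIL $f: unexpected file in key repository"; rc=1; continue ;;
        esac
        mode=$(stat -c '%a' "$f")
        fowner=$(stat -c '%U' "$f")
        [ "$mode" = "600" ]      || { echo "FAIL $f: mode $mode, want 600"; rc=1; }
        [ "$fowner" = "$owner" ] || { echo "FAIL $f: owner $fowner, want $owner"; rc=1; }
    done
    return "$rc"
}

# Print "<key number> <sha256>" for every key, sorted numerically, so the
# output from two controllers can be compared with diff.
key_fingerprints() {
    for f in "$1"/[0-9]*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done | sort -n
}
```

On each controller run audit_key_repo against both repositories, then compare the output of key_fingerprints between nodes (pipe it through ssh or paste the two listings into diff). Any difference means tokens issued by one node will not validate on the other; a mode or owner finding means the keys are readable by more than the keystone user.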

Set Apache Keystone Listen (Exec on all controller nodes)

Apache must bind the node's own management address rather than 0.0.0.0, otherwise HAProxy on the same node cannot bind the VIPs on port 5000. The sed lines pick the first IPv4 address on ens5, the management interface in this series; adjust the interface name if yours differs.

1. Bind Apache's port 80 to the node address

sed -i "s/Listen 80.*/Listen $(ip -4 addr show ens5 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1):80/" /etc/apache2/ports.conf

2. Bind the Keystone vhost (port 5000) to the node address

sed -i "s/Listen 5000.*/Listen $(ip -4 addr show ens5 | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | head -1):5000/" /etc/apache2/sites-available/keystone.conf

3. Add haproxy configuration

vi /etc/haproxy/haproxy.cfg
...
# KEYSTONE
listen keystone_cluster
  bind 10.10.10.100:5000
  bind 202.10.10.100:5000
  balance  source
  option  tcpka
  option  httpchk
  option  tcplog
  server os-controller-01 10.10.10.11:5000 check inter 2000 rise 2 fall 5
  server os-controller-02 10.10.10.12:5000 check inter 2000 rise 2 fall 5
  server os-controller-03 10.10.10.13:5000 check inter 2000 rise 2 fall 5

Create PCS Apache Resource (Exec on Controller-01)

1. Create pcs resource

pcs resource create apache2 systemd:apache2

2. Create resource clone

pcs resource clone apache2

3. Restart apache2 and haproxy from pcs

pcs resource restart lb-haproxy
pcs resource restart apache2-clone

4. Show resource status

pcs status

Create Project in Keystone (Exec on Controller-01)

1. Create the admin rc file (OS_PASSWORD is the password given to keystone-manage bootstrap)

vi ~/admin-openrc

export OS_USERNAME=admin
export OS_PASSWORD=rahasia
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://admin.java.dama.id:5000/v3
export OS_IDENTITY_API_VERSION=3

2. Apply environment variable to current shell session

source ~/admin-openrc

3. Verify that the admin credentials work (this requests a token through the VIP)

openstack token issue

4. Verify Openstack endpoint

openstack endpoint list

5. Create service project

openstack project create --domain default \
  --description "Service Project" service

6. Verify project

openstack project list
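The openstack token issue check above goes through HAProxy and therefore only proves that one backend answered. The following script is an added example (editorial, not from the original series) that uses the Keystone v3 REST API directly: it obtains a token from one controller and validates it against each controller's own port 5000, bypassing the VIP, which fails on any node whose fernet keys differ from the issuer's. It reads OS_USERNAME, OS_PASSWORD and OS_PROJECT_NAME from the admin-openrc above; the backend address list is an assumption taken from this series' controller addresses and can be overridden with the BACKENDS variable.

```shell
#!/bin/sh
# Added example (not from the original post): prove that fernet keys are in sync
# by issuing a token on one controller and validating it on every controller
# directly, bypassing the HAProxy VIP. Needs curl and the OS_* variables from
# admin-openrc. BACKENDS is an assumption based on this series' controller IPs.
BACKENDS="${BACKENDS:-10.10.10.11 10.10.10.12 10.10.10.13}"

# JSON body for POST /v3/auth/tokens: password auth, scoped to a project in the
# Default domain. Arguments: user, password, project. Values are inserted
# verbatim, so a password containing " or \ must be JSON-escaped first.
auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"Default"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"Default"}}}}}' \
        "$1" "$2" "$3"
}

# Read captured response headers on stdin and print the X-Subject-Token value
# (header names are case-insensitive; CRLF line endings are stripped).
extract_subject_token() {
    tr -d '\r' | awk 'tolower($1) == "x-subject-token:" { print $2; exit }'
}

# Obtain a token from one endpoint. The body is fed on stdin (-d @-) so the
# password never appears on the command line or in the process list.
issue_token() {
    auth_body "$OS_USERNAME" "$OS_PASSWORD" "$OS_PROJECT_NAME" |
        curl -sS -D - -o /dev/null -H 'Content-Type: application/json' \
             -d @- "$1/v3/auth/tokens" | extract_subject_token
}

# Validate a token against one endpoint (GET /v3/auth/tokens) and print the
# HTTP status: 200 means that node could decrypt the token, anything else
# (typically 404 or 401) means it could not.
validate_token() {
    curl -sS -o /dev/null -w '%{http_code}' \
         -H "X-Auth-Token: $2" -H "X-Subject-Token: $2" "$1/v3/auth/tokens"
}

# Issue on the first backend, validate on all of them; returns 1 on any failure.
check_fernet_sync() {
    set -- $BACKENDS
    token=$(issue_token "http://$1:5000")
    [ -n "$token" ] || { echo "FAIL: no token from $1"; return 1; }
    rc=0
    for host in "$@"; do
        code=$(validate_token "http://$host:5000" "$token")
        if [ "$code" = "200" ]; then
            echo "OK   $host"
        else
            echo "FAIL $host: HTTP $code"
            rc=1
        fi
    done
    return "$rc"
}
```

Source admin-openrc, then call check_fernet_sync. Because validation is pinned to each node's address rather than the VIP, a FAIL for one host points straight at that host's /etc/keystone/fernet-keys; the same calls also work once TLS is in front of Keystone by changing the scheme and port in the URLs.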