Install and configure

Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

Prerequisites

Before you configure the OpenStack Identity service, you must create a database and an administration token.

  1. To create the database, complete the following actions:

    • Use the database access client to connect to the database server as the root user:

      $ mysql -u root -p
      
    • Create the keystone database:

      mysql> CREATE DATABASE keystone;
      
    • Grant proper access to the keystone database:

      mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
        IDENTIFIED BY 'KEYSTONE_DBPASS';
      mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
        IDENTIFIED BY 'KEYSTONE_DBPASS';
      

      Replace KEYSTONE_DBPASS with a suitable password.

    • Exit the database access client.

Install and configure components

Note

Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates potential default configuration options that you should retain.

  1. Run the following command to install the packages:

    # pkg install py27-keystone apache24 ap24-mod_wsgi4
    
  1. Edit the /etc/keystone/keystone.conf file and complete the following actions:

    • In the [database] section, configure database access:

      [database]
      ...
      connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
      

      Replace KEYSTONE_DBPASS with the password you chose for the database.

    • In the [token] section, configure the Fernet token provider:

      [token]
      ...
      provider = fernet
      
  2. Populate the Identity service database:

    # su -m keystone -c "keystone-manage db_sync"
    
  3. Initialize Fernet key repositories:

    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    
  4. Bootstrap the Identity service:

    # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
      --bootstrap-admin-url http://controller:35357/v3/ \
      --bootstrap-internal-url http://controller:35357/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne
    

    Replace ADMIN_PASS with a suitable password for an administrative user.

Configure the Apache HTTP server

  1. Edit the /usr/local/etc/apache24/httpd.conf file and configure the ServerName option to reference the controller node:

    ServerName controller
    
  2. Edit the /usr/local/etc/apache24/modules.d/270_mod_wsgi.conf file and enable the mod_wsgi4 module by uncommenting LoadModule directive:

    LoadModule wsgi_module libexec/apache24/mod_wsgi.so
    
  3. Create the /usr/local/etc/apache24/Includes/keystone.conf file with the following content:

    Listen 5000
    Listen 35357
    
    <VirtualHost *:5000>
       WSGIDaemonProcess keystone-public processes=5 threads=1 group=keystone user=keystone display-name=%{GROUP}
       WSGIProcessGroup keystone-public
       WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
       WSGIApplicationGroup %{GLOBAL}
       WSGIPassAuthorization On
       <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
       </IfVersion>
       ErrorLog /var/log/keystone.log
       CustomLog /var/log/keystone-access.log combined
    
       <Directory /usr/local/bin>
          <IfVersion >= 2.4>
                Require all granted
          </IfVersion>
          <IfVersion < 2.4>
                Order allow,deny
                Allow from all
          </IfVersion>
       </Directory>
    </VirtualHost>
    
    <VirtualHost *:35357>
       WSGIDaemonProcess keystone-admin processes=5 threads=1 group=keystone user=keystone display-name=%{GROUP}
       WSGIProcessGroup keystone-admin
       WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
       WSGIApplicationGroup %{GLOBAL}
       WSGIPassAuthorization On
       <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
       </IfVersion>
       ErrorLog /var/log/keystone.log
       CustomLog /var/log/keystone-access.log combined
    
       <Directory /usr/local/bin>
          <IfVersion >= 2.4>
                Require all granted
          </IfVersion>
          <IfVersion < 2.4>
                Order allow,deny
                Allow from all
          </IfVersion>
       </Directory>
    </VirtualHost>
    

Finalize the installation

  1. Start the Apache HTTP service and configure it to start when the system boots:

    # sysrc apache24_enable="YES"
    # service apache24 start
    
  1. Configure the administrative account

    $ export OS_USERNAME=admin
    $ export OS_PASSWORD=ADMIN_PASS
    $ export OS_PROJECT_NAME=admin
    $ export OS_USER_DOMAIN_NAME=default
    $ export OS_PROJECT_DOMAIN_NAME=default
    $ export OS_AUTH_URL=http://controller:35357/v3
    $ export OS_IDENTITY_API_VERSION=3
    

    Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command from the section called Install and configure.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.