Deploying a Private Cloud at Home — Part 3

Posted in: Cloud, Technical Track

Today’s blog post is part three of seven in a series dedicated to Deploying Private Cloud at Home, where I will demonstrate how to configure the OpenStack Identity service (Keystone) on the controller node. We already configured the required repo in part two of the series, so let’s get started on configuring the Keystone Identity Service.

  1. Install keystone on the controller node.
    yum install -y openstack-keystone python-keystoneclient

    OpenStack uses a message broker to coordinate operations and status information among services. The message broker service typically runs on the controller node. OpenStack supports several message brokers, including RabbitMQ, Qpid, and ZeroMQ. I am using Qpid as it is available on most of the distros.

  2. Install Qpid Messagebroker server.
    yum install -y qpid-cpp-server

    Now modify the Qpid configuration file /etc/qpidd.conf to disable broker authentication by setting the line below. This is fine for an isolated home lab, but note that any host that can reach the broker port can then connect to it.

    auth=no

    Now start the qpidd service and enable it to start on boot:

    chkconfig qpidd on
    service qpidd start
  3. Now configure Keystone to use the MySQL database (replace YOUR_PASSWORD with the password you will give the keystone database user in the next step).
    openstack-config --set /etc/keystone/keystone.conf \
       database connection mysql://keystone:YOUR_PASSWORD@controller/keystone
  4. Next, create the keystone database and database user by running the queries below at your MySQL prompt as root.
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'YOUR_PASSWORD';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'YOUR_PASSWORD';
  5. Now create the database tables:
    su -s /bin/sh -c "keystone-manage db_sync" keystone

    Currently we don’t have any user accounts that can communicate with the OpenStack services and the Identity service. So we will set up an authorization token to use as a shared secret between the Identity Service and the other OpenStack services, and store it in the Keystone configuration file. Keep this token private: anyone holding it can administer Keystone without a password.

    ADMIN_TOKEN=$(openssl rand -hex 10)
    echo $ADMIN_TOKEN
    openstack-config --set /etc/keystone/keystone.conf DEFAULT \
       admin_token $ADMIN_TOKEN
  6. Keystone uses PKI tokens by default. Now create the signing keys and certificates, and restrict access to the generated files so that only the keystone user and group can read them:
    keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    chown -R keystone:keystone /etc/keystone/ssl
    chmod -R o-rwx /etc/keystone/ssl
  7. Start the Keystone identity service and enable it to start on boot:
    service openstack-keystone start
    chkconfig openstack-keystone on

    The Keystone Identity service keeps expired tokens in the database as well, so the token table grows without bound. We will create the crontab entry below to purge expired tokens hourly (the grep guard makes the command safe to run more than once):

    (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
    echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
  8. Now we will create the admin user for Keystone and define the roles for the admin user. The two exported variables let the keystone client authenticate with the bootstrap admin token from step 5 rather than with a user account:
    export OS_SERVICE_TOKEN=$ADMIN_TOKEN
    export OS_SERVICE_ENDPOINT=https://controller:35357/v2.0
    keystone user-create --name=admin --pass=Your_Password --email=Your_Email
    keystone role-create --name=admin
    keystone tenant-create --name=admin --description="Admin Tenant"
    keystone user-role-add --user=admin --tenant=admin --role=admin
    keystone user-role-add --user=admin --role=_member_ --tenant=admin
    keystone user-create --name=pythian --pass=Your_Password --email=Your_Email
    keystone tenant-create --name=pythian --description="Pythian Tenant"
    keystone user-role-add --user=pythian --role=_member_ --tenant=pythian
    keystone tenant-create --name=service --description="Service Tenant"
  9. Now we create a service entry and an endpoint for the identity service (the awk expression looks up the service ID from the listing):
    keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
    keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
    --publicurl=https://controller:5000/v2.0 \
    --internalurl=https://controller:5000/v2.0 \
    --adminurl=https://controller:35357/v2.0
  10. Verify the Identity service installation. First unset the bootstrap token and endpoint, so that the following commands authenticate as a real user rather than with the shared admin token:
    unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
  11. Request an authentication token using the admin user and the password you chose for that user, first without and then with a tenant:
    keystone --os-username=admin --os-password=Your_Password \
      --os-auth-url=https://controller:35357/v2.0 token-get
    keystone --os-username=admin --os-password=Your_Password \
      --os-tenant-name=admin --os-auth-url=https://controller:35357/v2.0 \
      token-get
  12. We will save the required parameters in /root/admin-openrc.sh as below. Since this file holds the admin password in clear text, keep it readable by root only.
    export OS_USERNAME=admin
    export OS_PASSWORD=Your_Password
    export OS_TENANT_NAME=admin
    export OS_AUTH_URL=https://controller:35357/v2.0
  13. Next, check that everything is working and that Keystone interacts with the OpenStack services. We will source the admin-openrc.sh file to load the Keystone parameters:
    source /root/admin-openrc.sh
  14. Request a Keystone token using:
    keystone token-get
  15. List Keystone users using:
    keystone user-list
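Before moving on to the next service, it is worth confirming that the security-relevant parts of the procedure above actually took effect: that the placeholder database password was replaced, that admin_token was set to a real secret, that the PKI signing material under /etc/keystone/ssl is not world-readable, that admin-openrc.sh is not readable by others, and that you know the Qpid broker is running with auth=no. The following POSIX shell script is an added example written for this post and is not part of the original article or of any OpenStack tool. It takes a root directory as its argument (default /) so it can be run against constructed copies of the files; the file paths under that root mirror the ones used in the steps above, and the placeholder strings it looks for are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): a post-install audit of the
# Keystone controller configuration produced by the steps above. It walks a
# root directory ($1, default /) so it can also be run against constructed
# copies of the files; the paths under it mirror the post.

# conf_get FILE SECTION KEY: print the value of KEY in [SECTION] of an INI
# file, accepting both "key=value" and "key = value" (openstack-config style).
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && ($0 ~ ("^" key "[ \t]*=")) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1" 2>/dev/null
}

# other_perms FILE: print the "other" permission triple from ls, e.g. "r--" or "---"
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# audit_keystone ROOT: print one line per finding, return the finding count
audit_keystone() {
    root=${1:-/}
    n=0
    ks="$root/etc/keystone/keystone.conf"

    # 1. The DB connection string must exist and must not still carry the
    #    placeholder password used in the post.
    conn=$(conf_get "$ks" database connection)
    case "$conn" in
        "") echo "FAIL: no [database] connection in $ks"; n=$((n+1)) ;;
        *YOUR_PASSWORD*|*Your_Password*)
            echo "FAIL: placeholder password left in DB connection string"; n=$((n+1)) ;;
    esac

    # 2. admin_token is the shared secret every other service is bootstrapped
    #    with; it must be set and look like the 20 hex chars from
    #    `openssl rand -hex 10`.
    tok=$(conf_get "$ks" DEFAULT admin_token)
    if ! printf '%s' "$tok" | grep -Eq '^[0-9a-f]{20,}$'; then
        echo "FAIL: admin_token missing or not a hex secret"; n=$((n+1))
    fi

    # 3. The post sets auth=no on qpidd for a home lab; report it so the
    #    operator knows the broker accepts unauthenticated clients.
    if grep -Eq '^[ \t]*auth[ \t]*=[ \t]*no' "$root/etc/qpidd.conf" 2>/dev/null; then
        echo "WARN: qpidd auth=no, message broker accepts unauthenticated clients"; n=$((n+1))
    fi

    # 4. PKI signing material under /etc/keystone/ssl must not be accessible
    #    to "other" (the post runs chmod -R o-rwx; this confirms it stuck).
    for f in $(find "$root/etc/keystone/ssl" -type f 2>/dev/null); do
        if [ "$(other_perms "$f")" != "---" ]; then
            echo "FAIL: world-accessible key material: $f"; n=$((n+1))
        fi
    done

    # 5. admin-openrc.sh holds the admin password in clear text.
    rc="$root/root/admin-openrc.sh"
    if [ -f "$rc" ] && [ "$(other_perms "$rc")" != "---" ]; then
        echo "FAIL: $rc is readable by others"; n=$((n+1))
    fi

    return "$n"
}
```

Run it as `sh audit.sh` on the controller, or `audit_keystone /some/copy` after sourcing it; the exit status is the number of findings, so it can be wired into a cron job or a monitoring check that alerts when the count is non-zero. The Qpid finding is reported as a warning rather than a failure because the post disables broker authentication on purpose for a home lab; the script only makes sure that decision is visible.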

If all the above commands give you output, your Keystone Identity Service is set up and you can proceed to the next steps. In part four, I will discuss how to configure and set up the Image Service to store images.

1 Comment

Expecting the following post…