OpenStack workshop, part 2: OpenStack cloud installation

A Step-by-Step Cloud Setup Guide

OpenStack Keystone

Keystone is the OpenStack authentication component. It is the only service that does not require any other services. Thus, it makes sense to begin with the Keystone installation on Alice. Directly after installing the Keystone packages, it is a good idea to edit the Keystone configuration in /etc/keystone/keystone.conf in your preferred editor.

It is important to define an appropriate value as the admin token in the admin_token = line. The admin token is the master key for OpenStack: Anyone who knows its value can make changes in Keystone. It is therefore recommended to set the permissions for keystone.conf so that only root can read the file. In this example, I will be using secret as the admin token.

Keystone also needs to know where to find its own MySQL database. This is handled by the SQL connection string, which is defined in the keystone.conf [SQL] block. In the default configuration, the file points to an SQLite database – in this example, MySQL resides on Alice; you need to create an entry to reflect the previously created MySQL database as follows:

connection = mysql://keystonedbadmin:Ue0Ud7ra@
idle_timeout = 200

Keystone also needs to know how to save its service definitions, so your keystone.conf should also contain the following entries:

driver = keystone.identity.backends.sql.Identity
driver = keystone.catalog.backends.sql.Catalog

This step completes keystone.conf. After saving and closing the file, the next step is to create the tables that Keystone needs in its database with the custom tool: keystone-manage db_sync. When you are done, type service keystone restart to restart the service, which is then ready for use.

After the configuration, it makes sense to create a set of tenants and users. In real life, you would not do this manually; instead you would use pre-built scripts. A custom script matching this article can be found online [1]. It uses the secret key previously added to keystone.conf to set up a tenant named admin and a matching user account that also has secret as its password. The script also creates a "service" tenant containing users for all services; again secret is the password for all of these accounts. Simply download the script and run it on Alice at the command line.

Endpoints in Keystone

Keystone manages what is known as the Endpoint database. An endpoint in Keystone is the address of an API belonging to one of the OpenStack services. If an OpenStack service wants to know how to communicate directly with the API of another service, it retrieves the information from this list in Keystone. For admins, this means you have to create the list initially; another script handles this task [2]. After installing the script on disk, you can call it as shown in Listing 2.

Listing 2


01 ./
02   -m
03   -u keystonedbadmin
04   -D keystone
05   -p Ue0Ud7ra
06   -K
07   -R RegionOne
08   -E ""
09   -S
10   -T secret

The individual parameters are far less cryptic than it might seem. The -m option specifies the address on which MySQL can be accessed, and -u, -D, and -p supply the access credentials for MySQL (the user is keystonedbadmin, the database keystone, and the password Ue0Ud7ra). The -K parameter stipulates the host on which Keystone listens, and -R defines the OpenStack region for which these details apply. -E tells the script where to log in to Keystone to make these changes in the first place. The -S parameter supplies the address for the OpenStack Object Storage solution, Swift; it is not part of this how-to but might mean some additions to the setup later on. -T designates the admin token as specified in keystone.conf. A word of caution: The script is designed for the data in this example; if you use different IPs, you will need to change it accordingly. Once the endpoints have been set up, Keystone is ready for deployment in OpenStack.

Storing Credentials

Once you have enabled Keystone, you need to authenticate any further interaction with the service. However, all OpenStack tools for the command line use environmental variables, which make it much easier to log in to Keystone. After defining these variables, you don't need to worry about manual authentication. It makes sense to create a file named .openstack-credentials in your home folder. In this example, it would look like Listing 3.

Listing 3


02 OS_PASSWORD="secret"
03 OS_TENANT_NAME="admin"
04 OS_USERNAME="admin"
09 export OS_NO_CACHE

You can then use .openstack-credentials to add this file to the current environment. After this step, OpenStack commands should work at the command line without annoying you with prompts.

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus