Book Image

Production Ready OpenStack - Recipes for Successful Environments

By : Arthur Berezin
Book Image

Production Ready OpenStack - Recipes for Successful Environments

By: Arthur Berezin

Overview of this book

OpenStack is the most popular open source cloud platform used by organizations building internal private clouds and by public cloud providers. OpenStack is designed in a fully distributed architecture to provide Infrastructure as a Service, allowing us to maintain a massively scalable cloud infrastructure. OpenStack is developed by a vibrant community of open source developers who come from the largest software companies in the world. The book provides a comprehensive and practical guide to the multiple uses cases and configurations that OpenStack supports. This book simplifies the learning process by guiding you through how to install OpenStack in a single controller configuration. The book goes deeper into deploying OpenStack in a highly available configuration. You'll then configure Keystone Identity Services using LDAP, Active Directory, or the MySQL identity provider and configure a caching layer and SSL. After that, you will configure storage back-end providers for Glance and Cinder, which will include Ceph, NFS, Swift, and local storage. Then you will configure the Neutron networking service with provider network VLANs, and tenant network VXLAN and GRE. Also, you will configure Nova's Hypervisor with KVM, and QEMU emulation, and you will configure Nova's scheduler filters and weights. Finally, you will configure Horizon to use Apache HTTPD and SSL, and you will customize the dashboard's appearance.
Table of Contents (16 chapters)
Production Ready OpenStack - Recipes for Successful Environments
About the Author
About the Reviewers

Installing Keystone – Identity service

Keystone project provides Identity as a service for all OpenStack services and components. It is recommended to authenticate users and authorize access of OpenStack components. For Example, if a user would like to launch a new instance, Keystone is responsible for making sure that the user account, which issued the instance launch command, is a known authenticated user account and the account has permissions to launch the instance.

Keystone also provides a services catalog, which OpenStack serves, users and other services can query Keystone for the services of a particular OpenStack environment. For each service, Keystone returns an endpoint, which is a network-accessible URL from where users and services can access a certain service.

In this chapter, we are going to configure Keystone to use MariaDB as the backend data store provides, which is the most common configuration. Keystone can also use user account details on an LDAP server or Microsoft Active Directory, which will be covered in Chapter 4, Keystone Identity Service.

Getting Ready

Before installing and configuring Keystone, we need to prepare a database for Keystone to use, configure it's user's permissions, and open needed firewall ports, so other nodes would be able to communicate with it. Keystone is usually installed on the controller node as part of OpenStack's control plane.

Run the following commands on the controller node!

Create Keystone database

  1. To create a database for Keystone, use MySQL command to access the MariaDB instance, This will ask you to type the password you selected for the MariaDB root user:

    [root@controller ~]# mysql -u root -p
  2. Create a database named keystone:

    MariaDB [(none)]> CREATE DATABASE keystone;
  3. Create a user account named keystone with the selected password instead of 'my_keystone_db_password':

    MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'my_keystone_db_password';
  4. Grant access for keystone user account to the keystone database:

    MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'my_keystone_db_password';
  5. Flush database privileges to ensure that they are effective immediately:

    MariaDB [(none)]> FLUSH PRIVILEGES;
  6. At this point, you can exit the MySQL client:

    MariaDB [(none)]> quit

Open Keystone service firewall ports

Keystone service uses port 5000 for public access and port 35357 for administration.

[root@controller ~]# firewall-cmd --add-port=5000/tcp --permanent
[root@controller ~]# firewall-cmd --add-port=35357/tcp --permanent

How to do it...

Proceed with the following steps:

Install service packages

By now, all OpenStack's prerequisites, including a database service and a message broker, should be installed and configured, and this is the first OpenStack service we install. First, we need to install, configure, enable, and start the package.

Install keystone package using yum command as follows:

[root@controller ~]# yum install -y openstack-keystone

This will also install Python supporting packages and additional packages for more advanced backend configurations.

Configure database connection

Keystone's database connection string is set in /etc/keystone/keystone.conf; we can use the #openstack-config command to configure the connection string.

  1. Run the openstack-config command with your chosen keystone database user details and database IP address:

    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf    sql connection mysql://keystone:'my_keystone_db_password'@
  2. After the database is configured, we can create the Keystone database tables using db_sync command:

    [root@controller ~]# su keystone -s /bin/sh -c "keystone-manage db_sync"


    To make sure that the Keystone database is populated successfully, verify the Keystone database exists using MySql command #mysql -u root -p -e 'show databases;' which provides database's root account password.

Keystone service basic configuration

Before starting the Keystone service, we need to make some initial service configurations for it to start properly.

Configure administrative token

Keystone can use a token by which it will identify the administrative user:

  1. Set a custom token or use openssl command to generate a random token:

    [root@controller ~]# export SERVICE_TOKEN=$(openssl rand -hex 10)
  2. Store the token in a file for use in the next steps:

    [root@controller ~]# echo $SERVICE_TOKEN > ~/keystone_admin_token

    We need to configure Keystone to use the token we created, we can manually edit the Keystone configuration file /etc/keystone/keystone.conf and manually remove comment mark # next to admin_token or we can use the command openstack-config to set the needed property.


    openstack-config command is provided by # yum install openstack-utils.

  3. Use openstack-config command to configure service_token parameter as follows:

    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN