Book Image

Production Ready OpenStack - Recipes for Successful Environments

By : Arthur Berezin
Book Image

Production Ready OpenStack - Recipes for Successful Environments

By: Arthur Berezin

Overview of this book

OpenStack is the most popular open source cloud platform used by organizations building internal private clouds and by public cloud providers. OpenStack is designed in a fully distributed architecture to provide Infrastructure as a Service, allowing us to maintain a massively scalable cloud infrastructure. OpenStack is developed by a vibrant community of open source developers who come from the largest software companies in the world. The book provides a comprehensive and practical guide to the multiple uses cases and configurations that OpenStack supports. This book simplifies the learning process by guiding you through how to install OpenStack in a single controller configuration. The book goes deeper into deploying OpenStack in a highly available configuration. You'll then configure Keystone Identity Services using LDAP, Active Directory, or the MySQL identity provider and configure a caching layer and SSL. After that, you will configure storage back-end providers for Glance and Cinder, which will include Ceph, NFS, Swift, and local storage. Then you will configure the Neutron networking service with provider network VLANs, and tenant network VXLAN and GRE. Also, you will configure Nova's Hypervisor with KVM, and QEMU emulation, and you will configure Nova's scheduler filters and weights. Finally, you will configure Horizon to use Apache HTTPD and SSL, and you will customize the dashboard's appearance.
Table of Contents (16 chapters)
Production Ready OpenStack - Recipes for Successful Environments
About the Author
About the Reviewers

Generating and configuring tokens PKIs

Keystone uses cryptographically signed tokens with a private key and is matched against x509 certificate with a public key. Chapter 4, Keystone Identity Service discusses more advanced configurations. In this chapter, we use keystone-manage pki_setup command to generate PKI key pairs and to configure Keystone to use it.

How to do it…

Proceed with the following steps:

  1. Generate PKI keys using keystone-manage pki_setup command:

    [root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone


    In keystone-manage pki_setup, we use Keystone Linux user and group accounts, which were created when openstack-keystone package was installed.

  2. Change ownership of the generated PKI files:

    [root@controller ~]# chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
  3. Configure Keystone service to use the generated PKI files:

    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing token_format PKI
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing certfile /etc/keystone/ssl/certs/signing_cert.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing keyfile /etc/keystone/ssl/private/signing_key.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing ca_certs /etc/keystone/ssl/certs/ca.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing key_size 1024
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing valid_days 3650
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing ca_password None

Starting and enabling service

At this point, Keystone is configured and readily run as follows:

[root@controller ~]# systemctl start openstack-keystone

Enable Keystone to start after system reboot:

[root@controller ~]# systemctl enable openstack-keystone

Configuring Keystone endpoints

We need to configure a Keystone service endpoint for other services to operate properly:

  1. Set the SERVICE_TOKEN environment parameter using the keystone_admin_token we generated on basic Keystone configuration step:

    [root@controller ~]# export SERVICE_TOKEN=`cat ~/keystone_admin_token`
  2. Set the SERVICE_ENDPOINT environment parameter with Keystone's endpoint URL using your controller's IP address:

    [root@controller ~]# export SERVICE_ENDPOINT=""
  3. Create a Keystone service entry:

    [root@el7-icehouse-controller ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity service"

    An output of a successful execution should look similar to the following, with a different unique ID:

    |   Property  |              Value               |
    | description |    Keystone Identity service     |
    |   enabled   |               True               |
    |      id     | 1fa0e426e1ba464d95d16c6df0899047 |
    |     name    |             keystone             |
    |     type    |             identity             |

    The endpoint-create command allows us to set a different IP addresses that are accessible from public and from internal sources. At this point, we may use our controller's management NIC IP to access Keystone endpoint.

  4. Create Keystone service endpoint using keystone endpoint-create command:

    [root@controller ~]# keystone endpoint-create  --service keystone --publicurl '' --adminurl ''--internalurl ''
  5. Create services tenant:

    [root@controller ~(keystone_admin)]# keystone tenant-create --name services --description "Services Tenant"

Keystone administrator account

  1. Create an administrative account within Keystone:

    [root@controller ~]# keystone user-create --name admin --pass password
  2. Create the admin role:

    [root@controller ~]# keystone role-create --name admin
  3. Create an admin tenant:

    [root@controller ~]# keystone tenant-create --name admin
  4. Add an admin roles to the admin user with the admin tenant:

    [root@el7-icehouse-controller ~]# keystone user-role-add --user admin --role admin --tenant admin
  5. Create keystonerc_admin file with the following content:

    [root@controller ~]# cat ~/keystonerc_admin 
    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=
    export PS1='[\u@\h \W(keystone_admin)]\$ '
  6. To load the environment variables, run source command:

    [root@controller ~]# source keystonerc_admin 

Keystone user account

We may also create an unprivileged user account that has no administration permissions on our newly created OpenStack environment:

  1. Create the user account in Keystone:

    [root@controller ~(keystone_admin)]# keystone user-create --name USER --pass password
  2. Create a new tenant:

    [root@el7-icehouse-controller ~(keystone_admin)]# keystone tenant-create --name TENANT
  3. Assign the user account to the newly created tenant:

    [root@el7-icehouse-controller ~(keystone_admin)]# keystone user-role-add --user USER --role _member_ --tenant TENANT
  4. Create keystonerc_user file with the following content:

    [root@controller ~(keystone_admin)]# cat ~/keystonerc_user
    export OS_PASSWORD=password
    export OS_AUTH_URL=
    export PS1='[\u@\h \W(keystone_user)]\$ '

There's more…

If installation and configuration of Keystone service was successful, Keystone should be operational, and we execute a keystone command to verify that it is operational.

Verify successful installation

Use the command #tenant-list to list the existing tenants:

[root@controller ~(keystone_admin)]# keystone tenant-list

The output of successful tenant creation should look like this:

|                id                |   name   | enabled |
| a5b7bf37d1b646cb8ec0eb35481204c4 |  admin   |   True  |
| fafb926db0674ad9a34552dc05ac3a18 | services |   True  |