
Production Ready OpenStack - Recipes for Successful Environments

By : Arthur Berezin

Overview of this book

OpenStack is the most popular open source cloud platform used by organizations building internal private clouds and by public cloud providers. OpenStack is designed in a fully distributed architecture to provide Infrastructure as a Service, allowing us to maintain a massively scalable cloud infrastructure. OpenStack is developed by a vibrant community of open source developers who come from the largest software companies in the world. The book provides a comprehensive and practical guide to the multiple use cases and configurations that OpenStack supports. This book simplifies the learning process by guiding you through how to install OpenStack in a single controller configuration. The book goes deeper into deploying OpenStack in a highly available configuration. You'll then configure Keystone Identity Services using LDAP, Active Directory, or the MySQL identity provider and configure a caching layer and SSL. After that, you will configure storage back-end providers for Glance and Cinder, which will include Ceph, NFS, Swift, and local storage. Then you will configure the Neutron networking service with provider network VLANs, and tenant network VXLAN and GRE. Also, you will configure Nova's Hypervisor with KVM, and QEMU emulation, and you will configure Nova's scheduler filters and weights. Finally, you will configure Horizon to use Apache HTTPD and SSL, and you will customize the dashboard's appearance.

Generating and configuring the token PKI


Keystone signs tokens with a private key, and the signature is verified against an X.509 certificate that carries the matching public key. Chapter 4, Keystone Identity Service, discusses more advanced configurations. In this chapter, we use the keystone-manage pki_setup command to generate the PKI key pair and configure Keystone to use it.

How to do it…

Proceed with the following steps:

  1. Generate PKI keys using keystone-manage pki_setup command:

    [root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    

    Note

    In keystone-manage pki_setup, we use the keystone Linux user and group accounts, which were created when the openstack-keystone package was installed.

  2. Change ownership of the generated PKI files:

    [root@controller ~]# chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
    
  3. Configure Keystone service to use the generated PKI files:

    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing token_format PKI
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing certfile /etc/keystone/ssl/certs/signing_cert.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing keyfile /etc/keystone/ssl/private/signing_key.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing ca_certs /etc/keystone/ssl/certs/ca.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing key_size 1024
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing valid_days 3650
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing ca_password None
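
As an added check (example code, not from the book or from Keystone itself), the script below reads the [signing] section written in step 3 and the key file installed in step 2 and reports what a reviewer would flag: a token_format other than PKI, a signing key shorter than 2048 bits, missing files, and a private key readable by group or others. It runs against a constructed keystone.conf in a temporary directory; on a controller, call check_signing on the real file with root="".

```python
"""Check the [signing] section written in step 3 and the key file mode from
step 2. Added example, not code from the book or Keystone; the keystone.conf
and PKI files below are constructed in a temp dir so the check runs offline."""
import configparser
import os
import stat
import tempfile

def check_signing(conf_path, root=""):
    """Return findings for keystone.conf's [signing] section; `root` is
    prefixed to the configured paths so a staging tree can be checked."""
    cfg = configparser.ConfigParser()
    cfg.read(conf_path)
    if not cfg.has_section("signing"):
        return ["missing [signing] section"]
    s, findings = cfg["signing"], []
    if s.get("token_format") != "PKI":
        findings.append(f"token_format is {s.get('token_format')!r}, expected 'PKI'")
    # 1024-bit RSA signing keys are below current guidance; flag anything < 2048.
    if int(s.get("key_size", "0")) < 2048:
        findings.append(f"key_size {s.get('key_size')} is below 2048 bits")
    for key in ("certfile", "keyfile", "ca_certs"):
        if not os.path.isfile(root + s.get(key, "")):
            findings.append(f"{key} {s.get(key)} does not exist")
    keyfile = root + s.get("keyfile", "")
    if os.path.isfile(keyfile):
        mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):   # private key must stay owner-only
            findings.append(f"keyfile mode {oct(mode)} is readable by group/others")
    return findings

def demo():
    """Build a constructed keystone.conf and empty PKI files, then run the check."""
    root = tempfile.mkdtemp()
    ssl = os.path.join(root, "etc/keystone/ssl")
    os.makedirs(os.path.join(ssl, "certs"))
    os.makedirs(os.path.join(ssl, "private"))
    for rel in ("certs/signing_cert.pem", "certs/ca.pem", "private/signing_key.pem"):
        open(os.path.join(ssl, rel), "w").close()
    os.chmod(os.path.join(ssl, "private/signing_key.pem"), 0o640)  # group-readable: flagged
    conf = os.path.join(root, "keystone.conf")
    with open(conf, "w") as f:   # same values the recipe sets with openstack-config
        f.write("[signing]\ntoken_format = PKI\n"
                "certfile = /etc/keystone/ssl/certs/signing_cert.pem\n"
                "keyfile = /etc/keystone/ssl/private/signing_key.pem\n"
                "ca_certs = /etc/keystone/ssl/certs/ca.pem\n"
                "key_size = 1024\nvalid_days = 3650\nca_password = None\n")
    return check_signing(conf, root)
```

With the recipe's own values the check reports two findings: the 1024-bit key size and the group-readable private key.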
    

Starting and enabling the service

At this point, Keystone is configured and ready to run. Start the service as follows:

[root@controller ~]# systemctl start openstack-keystone

Enable Keystone to start after system reboot:

[root@controller ~]# systemctl enable openstack-keystone

Configuring Keystone endpoints

We need to configure a Keystone service endpoint for other services to operate properly:

  1. Set the SERVICE_TOKEN environment variable using the keystone_admin_token we generated in the basic Keystone configuration step:

    [root@controller ~]# export SERVICE_TOKEN=`cat ~/keystone_admin_token`
    
  2. Set the SERVICE_ENDPOINT environment variable to Keystone's endpoint URL, using your controller's IP address:

    [root@controller ~]# export SERVICE_ENDPOINT="http://10.10.0.1:35357/v2.0"
    
  3. Create a Keystone service entry:

    [root@el7-icehouse-controller ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity service"
    

    The output of a successful execution should look similar to the following, with a different unique ID:

    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |    Keystone Identity service     |
    |   enabled   |               True               |
    |      id     | 1fa0e426e1ba464d95d16c6df0899047 |
    |     name    |             keystone             |
    |     type    |             identity             |
    +-------------+----------------------------------+

    The endpoint-create command allows us to set different IP addresses that are accessible from public and from internal sources. At this point, we may use our controller's management NIC IP to access the Keystone endpoint.

  4. Create the Keystone service endpoint using the keystone endpoint-create command:

    [root@controller ~]# keystone endpoint-create --service keystone --publicurl 'http://10.10.0.1:5000/v2.0' --adminurl 'http://10.10.0.1:35357/v2.0' --internalurl 'http://10.10.0.1:5000/v2.0'
    
  5. Create the services tenant:

    [root@controller ~(keystone_admin)]# keystone tenant-create --name services --description "Services Tenant"
    

Keystone administrator account

  1. Create an administrative account within Keystone:

    [root@controller ~]# keystone user-create --name admin --pass password
    
  2. Create the admin role:

    [root@controller ~]# keystone role-create --name admin
    
  3. Create an admin tenant:

    [root@controller ~]# keystone tenant-create --name admin
    
  4. Add the admin role to the admin user within the admin tenant:

    [root@el7-icehouse-controller ~]# keystone user-role-add --user admin --role admin --tenant admin
    
  5. Create the keystonerc_admin file with the following content:

    [root@controller ~]# cat ~/keystonerc_admin 
    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://10.10.0.1:35357/v2.0/
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    
  6. To load the environment variables, run the source command:

    [root@controller ~]# source keystonerc_admin 
    

Keystone user account

We may also create an unprivileged user account that has no administration permissions on our newly created OpenStack environment:

  1. Create the user account in Keystone:

    [root@controller ~(keystone_admin)]# keystone user-create --name USER --pass password
    
  2. Create a new tenant:

    [root@el7-icehouse-controller ~(keystone_admin)]# keystone tenant-create --name TENANT
    
  3. Assign the user account to the newly created tenant:

    [root@el7-icehouse-controller ~(keystone_admin)]# keystone user-role-add --user USER --role _member_ --tenant TENANT
    
  4. Create the keystonerc_user file with the following content:

    [root@controller ~(keystone_admin)]# cat ~/keystonerc_user
    export OS_USERNAME=USER
    export OS_TENANT_NAME=TENANT
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://10.10.0.1:5000/v2.0/
    export PS1='[\u@\h \W(keystone_user)]\$ '
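
The keystonerc files above and the endpoint URLs created earlier fit together through Identity v2.0 password authentication: the CLI POSTs the OS_* values to OS_AUTH_URL/tokens. The example below (added here, not the book's code; the rc texts are constructed copies of the two files) builds that request and checks that the admin rc points at the admin port 35357 while the unprivileged rc uses the public port 5000.

```python
"""Build the Identity v2.0 token request that the keystone CLI sends from a
keystonerc file, and check that the OS_AUTH_URL port matches the account's
privilege. Added example, not the book's code; the rc texts are constructed."""
import json
import shlex
from urllib.parse import urlparse

ADMIN_PORT, PUBLIC_PORT = 35357, 5000   # adminurl vs publicurl in endpoint-create

def parse_rc(text):
    """Parse 'export NAME=value' lines (shell quoting honoured) into a dict."""
    env = {}
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) == 2 and parts[0] == "export" and "=" in parts[1]:
            name, value = parts[1].split("=", 1)
            env[name] = value
    return env

def auth_request(env):
    """Return (url, json_body) for POST <OS_AUTH_URL>/tokens, the v2.0 password auth."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/tokens"
    body = {"auth": {"tenantName": env["OS_TENANT_NAME"],
                     "passwordCredentials": {"username": env["OS_USERNAME"],
                                             "password": env["OS_PASSWORD"]}}}
    return url, json.dumps(body)

def port_matches(env, privileged):
    """Admin rc files should use the admin port (35357), unprivileged ones the public port."""
    return urlparse(env["OS_AUTH_URL"]).port == (ADMIN_PORT if privileged else PUBLIC_PORT)

# Constructed copies of the two rc files from the recipe.
ADMIN_RC = r"""export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://10.10.0.1:35357/v2.0/
export PS1='[\u@\h \W(keystone_admin)]\$ '
"""
USER_RC = r"""export OS_USERNAME=USER
export OS_TENANT_NAME=TENANT
export OS_PASSWORD=password
export OS_AUTH_URL=http://10.10.0.1:5000/v2.0/
export PS1='[\u@\h \W(keystone_user)]\$ '
"""
```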
    

There's more…

If the installation and configuration of the Keystone service were successful, Keystone should be operational, and we can execute a keystone command to verify this.

Verify successful installation

Use the keystone tenant-list command to list the existing tenants:

[root@controller ~(keystone_admin)]# keystone tenant-list

The output of a successful tenant creation should look like this:

+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| a5b7bf37d1b646cb8ec0eb35481204c4 |  admin   |   True  |
| fafb926db0674ad9a34552dc05ac3a18 | services |   True  |
+----------------------------------+----------+---------+