Installation of OpenStack Three Node Cluster on CentOS 7

(Last Updated On: August 13, 2018)

Part One


So what is OpenStack? OpenStack is a set of open source software tools for building and managing cloud computing platforms for public and private clouds. We shall attempt to build a three-node OpenStack cluster as we experiment with the tools and check out the power, ingenuity and innovation they wield. There are several guides on our site about OpenStack Liberty and you can find them here. This exercise shall be split into parts as we proceed. We shall begin with the controller node, and we hope it shall be a wonderful experience, as you have had before.

“Character cannot be developed in ease and quiet. Only through experience of trial and suffering can the soul be strengthened, ambition inspired, and success achieved.”
– Helen Keller

Server 1

Controller Node:
MariaDB, RabbitMQ, Memcached, httpd, Keystone, Glance, Nova API, Horizon

CentOS 7 with the following network features:

[root@controller ~]# ip  link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:15:00:d5 brd ff:ff:ff:ff:ff:ff

Preparation of the server

i. Install ntp

Install and configure network time protocol (ntp) for time synchronization and vim for editing files.

[root@controller ~]#  yum -y install ntp
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                                                      |  59 kB  00:00:00     
 * base:
 * epel:
 * extras:

You can install vim or any other text editor that you happen to be a fan of, e.g. Nano, Emacs etc.

[root@controller ~]# yum install vim

Configure ntp

[root@controller ~]# vim /etc/ntp.conf

# Use public servers from the project.
# Please consider joining the pool (
#server iburst
#server iburst
#server iburst
#server iburst


[root@controller ~]# systemctl start ntpd
[root@controller ~]# systemctl enable ntpd
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/ntpd.service.

NTP is a network protocol, so its service has to be allowed through the firewall. We can use firewalld to allow it as below:

[root@controller ~]# firewall-cmd --add-service=ntp --permanent
[root@controller ~]# firewall-cmd --reload

Let us now proceed and add the OpenStack Queens repository to our controller node so that we can retrieve its packages.

[root@controller ~]# yum -y install centos-release-openstack-queens

Edit the repo file and ensure all are enabled with "enabled = 1" values as shown with the following examples.

[root@controller ~]# vim /etc/yum.repos.d/CentOS-OpenStack-queens.repo

name=CentOS-7 - OpenStack queens
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud
exclude=sip,PyQt4

[centos-openstack-queens-test]
name=CentOS-7 - OpenStack queens Testing
baseurl=$basearch/openstack-queens/
gpgcheck=0
enabled=1
exclude=sip,PyQt4
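
The repo file above enables centos-openstack-queens-test with gpgcheck=0, so packages from that repo install without signature verification. As an added example (not part of the original guide), the script below lists every enabled repo section that skips GPG checks; the function names and the sample file with its placeholder mirror URLs are constructed for illustration.

```shell
# Added example: list yum repo sections that are enabled yet skip package
# signature checks (enabled=1 together with gpgcheck=0).
# audit_repo_file FILE: print the name of each such [section], one per line.
audit_repo_file() {
    awk '
        function report() {
            if (section != "" && enabled == "1" && gpgcheck == "0") print section
        }
        /^[ \t]*[#;]/ { next }                   # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                 # start of a new [section]
            report()
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            enabled = "1"; gpgcheck = ""         # no enabled= line means enabled
            next
        }
        /=/ {                                    # key=value, spaces tolerated
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
        }
        END { report() }
    ' "$1"
}

# Constructed sample; the mirror URLs are placeholders.
write_sample_repo() {
    cat > "$1" <<'EOF'
[centos-openstack-queens]
baseurl=http://mirror.example.invalid/openstack-queens/
gpgcheck=1
enabled=1

[centos-openstack-queens-test]
baseurl=http://mirror.example.invalid/openstack-queens-test/
gpgcheck=0
enabled = 1

[centos-openstack-queens-source]
gpgcheck=0
enabled=0
EOF
}

sample=$(mktemp)
write_sample_repo "$sample"
audit_repo_file "$sample"        # prints: centos-openstack-queens-test
rm -f "$sample"
```

On a real host, call audit_repo_file on each file under /etc/yum.repos.d/ and either disable the flagged repos or set gpgcheck=1 with the matching gpgkey.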

The next step is to install MariaDB 10.1 and apply some basic settings to it. Let us get going:

[root@controller ~]#  yum --enablerepo=centos-openstack-queens install mariadb-server -y
[root@controller ~]# vim /etc/my.cnf

# Disabling symbolic-links is recommended to prevent assorted security risks
### Within this [mysqld] section add the line below ###

[root@controller ~]# systemctl start mariadb
[root@controller ~]# systemctl enable mariadb
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/mariadb.service.
[root@controller ~]# mysql_secure_installation


In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

Finally, allow mysql on the firewall and reload it to apply the changes.

[root@controller ~]# firewall-cmd --add-service=mysql --permanent 
[root@controller ~]# firewall-cmd --reload 

After your database is up and running, let us go on with the installation of packages. Let us install RabbitMQ and Memcached and add openstack user to rabbitmq.

[root@controller ~]#  yum --enablerepo=epel -y install rabbitmq-server memcached
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Resolving Dependencies
--> Running transaction check
---> Package memcached.x86_64 0:1.5.6-1.el7 will be installed
--> Processing Dependency: for package: memcached-1.5.6-1.el7.x86_64
---> Package rabbitmq-server.noarch 0:3.6.5-1.el7 will be installed

Start and enable rabbitmq and memcached

[root@controller ~]#  systemctl start rabbitmq-server memcached
[root@controller ~]#  systemctl enable rabbitmq-server memcached
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/rabbitmq-server.service.
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/memcached.service.

We believe RabbitMQ and MySQL were successfully installed. If so, let us proceed with the installation of the Identity service, known as Keystone. Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API. Keystone requires a database to keep its records, so we shall create a database and a user for it in the next step before installing the service.

[root@controller ~]# mysql -u root -p
## Enter the root password you set earlier
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

No entry for terminal type "xterm-termite";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

## Create database for keystone
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit;

Let us now install Keystone:

[root@controller ~]# yum --enablerepo=centos-openstack-queens,epel -y install openstack-keystone openstack-utils python-openstackclient httpd mod_wsgi
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                      |  51 kB  00:00:01     
 * base:
 * epel:
 * extras:
 * updates:
base                                                                                      | 3.6 kB  00:00:00     
centos-ceph-luminous                                                                      | 2.9 kB  00:00:00     
centos-openstack-queens                                                                   | 2.9 kB  00:00:00     
centos-openstack-queens-debuginfo                                                         | 2.9 kB  00:00:00     
centos-openstack-queens-source                                                            | 2.9 kB  00:00:00     
centos-openstack-queens-test                                                              | 2.9 kB  00:00:00     
centos-qemu-ev                                                                            | 2.9 kB  00:00:00     
epel                                                                                      | 3.2 kB  00:00:00     
extras                                                                                    | 3.4 kB  00:00:00     
rdo-trunk-queens-tested                                                                   | 3.0 kB  00:00:00     
updates                                                                                   | 3.4 kB  00:00:00     
(1/5): centos-openstack-queens-source/primary_db     

Keystone configuration. Open the keystone configuration file and make the following changes

[root@controller ~]# vim /etc/keystone/keystone.conf
Under credential, edit as below with the IP address of your server
# oslo_cache.memcache_pool backends only). (list value)
memcache_servers =

# Under database look and edit the connection details as below with your machine details
connection = mysql+pymysql://keystone:password@

# Under token add the provider line as shown below and you are good to go
[token]
provider = fernet

After that, issue the below commands to sync database, initialize keys and to define the host

[root@controller ~]#  su -s /bin/bash keystone -c "keystone-manage db_sync"
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone 
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
export controller=

Bootstrap the keystone service as below and add the port 5000 in firewall

[root@controller ~]# keystone-manage bootstrap --bootstrap-password password --bootstrap-admin-url http://$controller:5000/v3/ --bootstrap-internal-url http://$controller:5000/v3/ --bootstrap-public-url http://$controller:5000/v3/ --bootstrap-region-id RegionOne

[root@controller ~]# firewall-cmd --add-port=5000/tcp --permanent
[root@controller ~]# firewall-cmd --reload

Create a soft link for the keystone configuration in httpd configuration and start httpd service.

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~]# systemctl start httpd

In case httpd does not start and you receive an error similar to the one below, please check your SELinux status

[root@controller ~]# systemctl status httpd -l                                                                  
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2018-08-09 11:14:11 EAT; 23s ago
     Docs: man:httpd(8)
  Process: 3160 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 3158 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 3158 (code=exited, status=1/FAILURE)

Aug 09 11:14:11 controller.localdomain httpd[3158]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
Aug 09 11:14:11 controller.localdomain httpd[3158]: (13)Permission denied: AH00072: make_sock: could not bind to
[root@controller ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

If it is enabled, you have two choices: either disable it or configure it. I personally disabled it permanently, as below.

[root@controller ~(keystone)]# vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
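
For the other choice mentioned above, configuring SELinux instead of disabling it, the bind failure on port 5000 can be handled by labelling the port for httpd. The following is an added example, not part of the original guide: it extracts the denied ports from httpd log lines, prints the matching semanage commands for review, and reads the configured mode from a config file. The function names are hypothetical, and semanage (from policycoreutils-python on CentOS 7) is assumed to be installed where the printed commands are run.

```shell
# Added example: turn the httpd bind denials shown above into SELinux port
# labelling commands, so that SELINUX=enforcing can stay in place.

# denied_bind_ports: read httpd log lines on stdin and print every TCP port
# whose bind failed with "(13)Permission denied" (AH00072), once each.
denied_bind_ports() {
    sed -n 's/.*(13)Permission denied: AH00072: make_sock: could not bind to address .*:\([0-9][0-9]*\) *$/\1/p' |
        sort -un
}

# selinux_port_commands: print one reviewable command line per denied port.
# "semanage port -a" adds a label; it fails when the port already carries one
# in the loaded policy, in which case "-m" modifies the existing label.
selinux_port_commands() {
    denied_bind_ports | while read -r port; do
        printf 'semanage port -a -t http_port_t -p tcp %s || semanage port -m -t http_port_t -p tcp %s\n' "$port" "$port"
    done
}

# selinux_config_mode FILE: print the SELINUX= value set in a config file
# such as /etc/sysconfig/selinux (comment lines and SELINUXTYPE are ignored).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# First line is the journal entry from the guide; the other two are constructed.
sample_httpd_log() {
    cat <<'EOF'
Aug 09 11:14:11 controller.localdomain httpd[3158]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
Aug 09 11:14:11 controller.localdomain httpd[3158]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Aug 09 11:14:11 controller.localdomain httpd[3158]: no listening sockets available, shutting down
EOF
}

sample_httpd_log | selinux_port_commands
```

On the controller, feed it real data with `journalctl -u httpd --no-pager | selinux_port_commands`. The upstream OpenStack install guide for RHEL and CentOS also offers the openstack-selinux package, which manages SELinux policy for the OpenStack services.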

Start httpd and check its status

[root@controller ~]# systemctl start httpd
[root@controller ~]# systemctl enable httpd
[root@controller ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-08-09 11:17:51 EAT; 10min ago
     Docs: man:httpd(8)

We hope everything is going on well so far. The next step is to add Keystone projects. Projects are organizational units in the cloud to which you can assign users. Projects are also known as tenants or accounts. Users can be members of one or more projects. Roles define which actions users can perform. You assign roles to user-project pairs.(, 2018)

To create projects, we have to create environment variables first, as below:

[root@controller ~]# vi ~/keystonerc
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password ##Set the password that you used when creating the keystone bootstrap.
export OS_AUTH_URL=
export PS1='[\u@\h \W(keystone)]\$ '

Congrats guys. After that, improve the security of the file by limiting read and write access, and then source the file.

[root@controller ~]# chmod 600 ~/keystonerc
[root@controller ~]# source ~/keystonerc   
[root@controller ~(keystone)]# ##Your terminal should change as this.
[root@controller ~(keystone)]#  echo "source ~/keystonerc " >> ~/.bash_profile

Create the first project; you can describe it with any name you like.

[root@controller ~]# openstack project create --domain default --description "First Project" service 
| Field       | Value                            |
| description | First Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 76d124ff821e4db5ad792a113b54724e |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |

You can check the user list, role list, etc.

[root@controller ~(keystone)]# openstack user list
| ID                               | Name  |
| 1f53dd25b3ee44218b36dd821c1d7dd9 | admin |
[root@controller ~(keystone)]# openstack role list
| ID                               | Name  |
| 3a4ac06a15c64d73bb160de04174efb6 | admin |

I believe the session has been a good time as we take a brief break. The next part involves the addition of Glance image service to the controller node. Please stay tuned and thank you for indulging.