(Last Updated On: January 10, 2018)
So far we’ve covered part one and part two of our OpenStack Lab guide series. The aim of this lab series is not to prepare you for an OpenStack sysadmin role, but to help you understand how OpenStack services are installed and configured. It is useful for students, IT professionals and any techie who wants to venture into the fascinating world of virtualization and cloud computing.

If you followed prior tutorials:

Openstack Liberty Lab PART ONE: Setup Networking and all Prerequisites

Openstack Liberty Lab PART TWO: Install Openstack Packages

You should have the Keystone identity service installed. In this part of the series we take a closer look at the configuration options and parameters required in the Keystone configuration file.

We won’t edit configuration files directly with text editors like nano or vim; instead we use the openstack-config tool, which automates the process and makes the work much simpler. openstack-config is a utility for manipulating ini files. It is installed along with the OpenStack packages, so all you have to do is use it.
The first step is preparing the database that Keystone will use. Since the MariaDB database service is already installed, set the root password by running the mysql_secure_installation tool. You can skip this step if you already have a working database server.

[root@controller ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.


Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB! 

Make sure the MariaDB service is up and running before you log in as root with the password you set above:

[root@controller ~]# systemctl status mariadb.service
● mariadb.service - MariaDB database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2016-03-28 12:03:24 EAT; 4h 55min ago
 Main PID: 2134 (mysqld_safe)
   CGroup: /system.slice/mariadb.service
           ├─2134 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
           └─2331 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql...

Mar 28 12:03:13 controller systemd[1]: Starting MariaDB database server...
Mar 28 12:03:15 controller mysqld_safe[2134]: 160328 12:03:15 mysqld_safe Lo....
Mar 28 12:03:16 controller mysqld_safe[2134]: 160328 12:03:16 mysqld_safe St...l
Mar 28 12:03:24 controller systemd[1]: Started MariaDB database server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@controller ~]#

If not, start it and enable it at boot:

 [root@controller ~]# systemctl start mariadb.service
 [root@controller ~]# systemctl enable mariadb.service

The steps used to configure Keystone are:

  1. Create the database
[root@controller ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 13
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'moonstack';
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by 'moonstack';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit;

Replace moonstack with the password you want for the keystone database user.

  2. Configure Keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token admintoken
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:moonstack@192.168.1.60/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf memcache servers localhost:11211
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider uuid
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token driver memcache
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf revoke driver sql

Explanations:
admintoken: the initial administration token. Replace it with the admin token you want to use; you can generate one with the openssl command, for example:

  [root@controller ~]# openssl rand -hex 8

moonstack: the Keystone database password configured in step 1 while creating the keystone database.
192.168.1.60: the IP address of the controller. Since this is an all-in-one installation, it is also the IP address of the server running the MySQL service.
keystone: the database name used by Keystone.
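As an added example (not part of the original article), the following POSIX shell script audits a keystone.conf against the settings applied above. ini_get is a hypothetical stand-in for `openstack-config --get`, and the sample config it checks is constructed inline, so it runs without an OpenStack host.

```shell
# Added example, not from the article: audit keystone.conf against the lab's
# settings. ini_get is a hypothetical stand-in for `openstack-config --get`.
# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
ini_get() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*\[/ { insec = ($0 ~ ("^[[:space:]]*\\[" sec "\\][[:space:]]*$")); next }
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1"
}

# audit_keystone_conf FILE: return 0 when every lab setting is in place,
# otherwise print one FINDING line per problem and return 1.
audit_keystone_conf() {
  conf=$1; rc=0
  case "$(ini_get "$conf" DEFAULT admin_token)" in
    ""|admintoken|ADMIN) echo "FINDING: admin_token is unset or a placeholder"; rc=1 ;;
  esac
  case "$(ini_get "$conf" database connection)" in
    mysql://keystone:*@*/keystone) ;;   # keystone user, any host, keystone DB
    *) echo "FINDING: [database] connection must point the keystone user at the keystone DB"; rc=1 ;;
  esac
  [ "$(ini_get "$conf" memcache servers)" = localhost:11211 ] ||
    { echo "FINDING: [memcache] servers should be localhost:11211"; rc=1; }
  [ "$(ini_get "$conf" token provider)" = uuid ] ||
    { echo "FINDING: [token] provider should be uuid"; rc=1; }
  [ "$(ini_get "$conf" token driver)" = memcache ] ||
    { echo "FINDING: [token] driver should be memcache"; rc=1; }
  [ "$(ini_get "$conf" revoke driver)" = sql ] ||
    { echo "FINDING: [revoke] driver should be sql"; rc=1; }
  return $rc
}

# write_sample_conf FILE TOKEN: constructed sample config in the lab's layout.
write_sample_conf() {
  printf '%s\n' "[DEFAULT]" "admin_token = $2" "" \
    "[database]" "connection = mysql://keystone:moonstack@192.168.1.60/keystone" "" \
    "[memcache]" "servers = localhost:11211" "" \
    "[token]" "provider = uuid" "driver = memcache" "" \
    "[revoke]" "driver = sql" > "$1"
}

# Usage: the article's placeholder token fails the audit, a random hex one passes.
sample=$(mktemp)
write_sample_conf "$sample" admintoken
audit_keystone_conf "$sample" || echo "placeholder token rejected, as expected"
write_sample_conf "$sample" 9f2c4b7e1a3d5f60     # constructed; use openssl rand -hex 8
audit_keystone_conf "$sample" && echo "keystone.conf matches the lab settings"
rm -f "$sample"
```

Run it against the real /etc/keystone/keystone.conf after the openstack-config commands to confirm nothing was mistyped before starting httpd.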

  3. Populate the Identity service database:
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure the HTTP server (Apache):

[root@controller ~]# echo ServerName 192.168.1.60 >> /etc/httpd/conf/httpd.conf
  • Create the /etc/httpd/conf.d/wsgi-keystone.conf file:
[root@controller ~]# cat > /etc/httpd/conf.d/wsgi-keystone.conf <<EOF
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
EOF


Reload httpd:

[root@controller ~]# systemctl reload httpd.service
  4. Add services, roles and users to Keystone

Load Environment:

[root@controller ~]# export OS_TOKEN=admintoken
[root@controller ~]# export OS_URL=http://192.168.1.60:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

Replace admintoken with your token and 192.168.1.60 with your controller’s IP address.

  • Add the admin and Member roles:
[root@controller ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | ef185921b0114f879e4fc1927516de75 |
| name  | admin                            |
+-------+----------------------------------+
[root@controller ~]# openstack role create Member
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 2b0d67fc55fd4cb8b29301a6dbe33445 |
| name  | Member                           |
+-------+----------------------------------+
  • Add the admin and service projects:
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9c3ec09f5e08442eb211612f99cd22ad |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]#
  • Create the admin user account and add the admin user to the admin role:
[root@controller ~]# openstack user create --domain default --project admin --password moonstack admin
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| default_project_id | abc5d2a310ad46fba0b2a311a187088b |
| domain_id          | default                          |
| enabled            | True                             |
| id                 | faf51d1898204d38aff144c8c1248c7d |
| name               | admin                            |
+--------------------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin
[root@controller ~]#
  • Confirm the settings:
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| faf51d1898204d38aff144c8c1248c7d | admin |
+----------------------------------+-------+
[root@controller ~]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 2b0d67fc55fd4cb8b29301a6dbe33445 | Member |
| ef185921b0114f879e4fc1927516de75 | admin  |
+----------------------------------+--------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 9c3ec09f5e08442eb211612f99cd22ad | service |
| abc5d2a310ad46fba0b2a311a187088b | admin   |
+----------------------------------+---------+
  5. Add the service entity and the API endpoints (internal, public and admin):
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4d3aa109aa534ceb92187549a5e728bf |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
[root@controller ~]# export controller=192.168.1.60
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://$controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 651d5f5fc4bb4d6db1b74b217b6fcda5 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keyst                            |
| service_type | identi                           |
| url          | http://192.168.1.60:5000/v2.0    |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://$controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f714e382f39748afaf8bd2d5e0054c24 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.60:5000/v2.0    |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://$controller:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 81b112cbfbd949578262a4fd3ebce9fd |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4d3aa109aa534ceb92187549a5e728bf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.60:35357/v2.0   |
+--------------+----------------------------------+
[root@controller ~]#
  • Confirm the settings:
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                            |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
| 651d5f5fc4bb4d6db1b74b217b6fcda5 | RegionOne | keystone     | identity     | True    | public    | http://192.168.1.60:5000/v2.0  |
| 81b112cbfbd949578262a4fd3ebce9fd | RegionOne | keystone     | identity     | True    | admin     | http://192.168.1.60:35357/v2.0 |
| f714e382f39748afaf8bd2d5e0054c24 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.1.60:5000/v2.0  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------+
[root@controller ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 4d3aa109aa534ceb92187549a5e728bf | keystone | identity |
+----------------------------------+----------+----------+

You’ve completed the Keystone identity service configuration. In the next article we’ll cover the complete configuration of the Glance image service.