Keystone in OpenStack
There are some OpenStack deployment tools that are awesome for your project:
- Ansible OpenStack
- Puppet and OpenStack
- SaltStack OpenStack
But in this story, let's set up Keystone step by step.
Keystone: Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization. Let's look at "Keystone, the OpenStack Identity Service":
- Keystone is the heart of OpenStack.
- Keystone is the first and most basic module in OpenStack.
- Keystone doesn't run anything itself (it only does authentication).
- A fresh and updated CentOS as the controller server, with a static IP.
- The Train repository for OpenStack.
First of all, set up NTP on your server. You can use Chrony as the default NTP client.
2 : SELinux and firewalld
I suggest you stop, disable and mask SELinux and firewalld in staging. NOT IN PRODUCTION.
4 : Prerequisites of Keystone
It's better to set up the database, caching and queuing system on the controller.
A : MariaDB
Before you install and configure the Identity service, you must have a database. Use the OpenStack repository to install MariaDB.
Add the OpenStack Train repository:
# yum -y install centos-release-openstack-train
# yum repolist
# yum --enablerepo=centos-openstack-train -y install mariadb-server
# systemctl start mariadb
# systemctl enable mariadb
# vim /etc/my.cnf.d/mariadb-server.conf
The database opens a connection for each module that connects to it for authentication.
The default max_connections is 200; you can increase it to 500. This number may vary depending on your conditions.
The default character-set-server is utf8mb4.
B : memcached
OpenStack Identity supports a caching layer that is above the configurable subsystems (for example, token).
# yum --enablerepo=centos-openstack-train -y install memcached
# vim /etc/sysconfig/memcached
Change this value:
CACHESIZE="128"
# systemctl restart memcached
# systemctl enable memcached
If you want to clear memcached, connect to it with telnet:
# telnet localhost 11211
C : RabbitMQ
AMQP is the messaging technology chosen by the OpenStack cloud. The AMQP broker, RabbitMQ by default, sits between any two Nova components and allows them to communicate in a loosely coupled fashion.
# yum --enablerepo=centos-openstack-train -y install rabbitmq-server
# systemctl restart rabbitmq-server
# systemctl enable rabbitmq-server
Create the openstack user and set full permissions for it.
# rabbitmqctl add_user openstack PASSWORD
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
You can list users and all permissions:
# rabbitmqctl list_users
# rabbitmqctl list_permissions
Use man rabbitmqctl to see all options!
Now set the administrator tag on the user:
# rabbitmqctl set_user_tags openstack administrator
Now we can say "our controller is ready to install and configure the Keystone service".
5 : Install and configure the Keystone service
Log in to MySQL, then create the database and user:
# mysql -u root -p
MariaDB> create database keystone;
MariaDB> grant all privileges on keystone.* to keystone@'localhost' identified by 'PASSWORD';
Grant the same privileges for connections from other hosts (e.g. the compute server):
MariaDB> grant all privileges on keystone.* to keystone@'%' identified by 'PASSWORD';
MariaDB> flush privileges;
# yum --enablerepo=centos-openstack-train -y install openstack-keystone \
    openstack-utils python-openstackclient httpd mod_wsgi
Open /etc/keystone/keystone.conf and edit some parameters. It's better to use "127.0.0.1" instead of "localhost" if you want to connect to the local host.
memcache_servers = IP:11211
In the [database] section, configure database access. Replace PASSWORD with the password you chose for the database.
connection = mysql+pymysql://keystone:PASSWORD@IP/keystone
provider = fernet
Populate the Identity service database as the keystone user:
# su -s /bin/bash keystone -c "keystone-manage db_sync"
You have to create the keystone user if it doesn't exist!
Check man keystone-manage.
Initialize Fernet keys:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
You can see the Fernet keys in /etc/keystone/fernet-keys:
0 is the staged key
1 is the primary key
Initializing credential keys is optional, but credentials are stored in cleartext if you don't set it up.
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
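As an added example (not from the original post), a small POSIX shell script that inspects a Fernet key repository: key 0 is the staged key, the highest-numbered key is the primary (right after fernet_setup that is 1, and it grows with each rotation), and the rest are secondary keys that keep older tokens valid. It also checks that the directory is mode 700 and each key file is mode 600, since a readable signing key lets anyone mint valid tokens. KEY_DIR is an assumed default path.

```shell
#!/bin/sh
# Added example: inspect a Keystone Fernet key repository (not project code).
# Keys are files named by integer: 0 = staged, highest number = primary,
# others = secondary. KEY_DIR below is an assumed default location.

# Print the index of the primary key (the highest-numbered key file).
fernet_primary_key() {
    ls "$1" | grep -E '^[0-9]+$' | sort -n | tail -n 1
}

# Print "staged", "primary" or "secondary" for the key with index $2 in $1.
fernet_key_role() {
    dir=$1; idx=$2
    max=$(fernet_primary_key "$dir")
    if [ "$idx" -eq 0 ]; then echo staged
    elif [ "$idx" -eq "$max" ]; then echo primary
    else echo secondary
    fi
}

# Return 0 when the directory is 700 and every key file is 600; otherwise
# report each offender and return 1 (GNU stat is assumed, as on CentOS).
fernet_check_perms() {
    dir=$1; rc=0
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "dir $dir is not mode 700"; rc=1; }
    for f in "$dir"/*; do
        case "$(basename "$f")" in
            *[!0-9]*) continue ;;   # not a key file, skip it
        esac
        mode=$(stat -c %a "$f")
        [ "$mode" = "600" ] || { echo "key $f is mode $mode, expected 600"; rc=1; }
    done
    return $rc
}

# Stand-alone usage against the real repository, if present.
KEY_DIR=${KEY_DIR:-/etc/keystone/fernet-keys}
if [ -d "$KEY_DIR" ]; then
    echo "primary key index: $(fernet_primary_key "$KEY_DIR")"
    fernet_check_perms "$KEY_DIR" && echo "key permissions OK"
fi
```

Run it as root (or the keystone user) after each `keystone-manage fernet_rotate` to confirm the primary index advanced and no key became readable to others.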
Configure the Apache HTTP server
Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:
Keystone can be bootstrapped with:
# keystone-manage bootstrap \
    --bootstrap-password PASSWORD \
    --bootstrap-project-name YOUR_PROJECT_NAME \
    --bootstrap-admin-url http://IP:5000/v3/ \
    --bootstrap-internal-url http://IP:5000/v3/ \
    --bootstrap-public-url http://IP:5000/v3/ \
    --bootstrap-region-id REGION_NAME
This will create an admin user with the admin role on the admin project. The user will have the password specified in the command. Note that both the user and the project will be created in the default domain. By not creating an endpoint in the catalog, users will need to provide endpoint overrides to perform additional identity operations. By creating an admin user and an identity endpoint you may authenticate to keystone and perform identity operations like creating additional services and endpoints using the admin user. This will preclude the need to ever use or configure the
Keystone doesn't have its own systemd service; it runs under the httpd service.
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# systemctl start httpd
# systemctl enable httpd
# ps aux | grep keystone
# netstat -tulpen | grep 5000
# vim keystone_admin
export PS1='[\u@\h \w(keystone)]\$ '
To apply it to your shell:
# source keystone_admin
To check OpenStack users and other resources:
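As an added example (not from the original post), a shell helper that writes a keystone_admin rc file matching the values given to keystone-manage bootstrap above (admin user, project name, region, controller IP and the v3 identity URL), plus a check to run before the first openstack command. The controller IP, project name, region and password are placeholders you pass in; "Default" is the domain bootstrap creates the user and project in.

```shell
#!/bin/sh
# Added example: build the keystone_admin rc file from the bootstrap values
# and sanity-check the sourced environment (not code from the original post).

# Write an rc file for the admin user bootstrap created. Arguments:
#   $1 output path, $2 controller IP, $3 project name, $4 region, $5 password
write_keystone_admin_rc() {
    out=$1 ip=$2 project=$3 region=$4 password=$5
    cat > "$out" <<EOF
export OS_USERNAME=admin
export OS_PASSWORD='$password'
export OS_PROJECT_NAME=$project
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://$ip:5000/v3/
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=$region
export PS1='[\u@\h \w(keystone)]\\\$ '
EOF
    chmod 600 "$out"   # the file holds the admin password, keep it private
}

# Return 0 when the environment selects the v3 identity API and a password
# is set; print the first problem found and return 1 otherwise.
check_keystone_env() {
    [ "${OS_IDENTITY_API_VERSION:-}" = "3" ] || { echo "OS_IDENTITY_API_VERSION must be 3"; return 1; }
    case "${OS_AUTH_URL:-}" in
        */v3|*/v3/) ;;
        *) echo "OS_AUTH_URL must end in /v3, got '${OS_AUTH_URL:-}'"; return 1 ;;
    esac
    [ -n "${OS_PASSWORD:-}" ] || { echo "OS_PASSWORD is empty"; return 1; }
    return 0
}

# Stand-alone usage with placeholder values (replace before use):
# write_keystone_admin_rc ./keystone_admin IP YOUR_PROJECT_NAME REGION_NAME PASSWORD
# . ./keystone_admin && check_keystone_env && openstack user list
```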
# openstack user list
# openstack project list
# openstack domain list
# openstack region list
# openstack service list
# openstack endpoint list
You can modify an endpoint with:
# openstack endpoint set
Services combined with endpoints make up the catalog:
# openstack catalog list
Congratulations! Keystone is ready.
- Next, we will learn about Glance.
If you have any questions/comments please comment below so everyone can benefit from the discussion.