Production Ready OpenStack - Recipes for Successful Environments
Author: Arthur Berezin
Published in Oct 2015 by Packt. ISBN-13 9781783986903. 210 pages, 1st edition, paperback.
Table of Contents: Preface; 1. Introduction to OpenStack and its Deployment Using Packages; 2. Deploying OpenStack Using Staypuft OpenStack Installer; 3. Deploying Highly Available OpenStack; 4. Keystone Identity Service; 5. Glance Image Service; 6. Cinder Block Storage Service; 7. Neutron Networking Service; 8. Nova-Compute Service; 9. Horizon Dashboard Service; Index

Generating and configuring token PKI

Keystone issues tokens that are cryptographically signed with a private key and verified against an x509 certificate carrying the matching public key. Chapter 4, Keystone Identity Service, discusses more advanced configurations. In this chapter, we use the keystone-manage pki_setup command to generate the PKI key pair and configure Keystone to use it.

How to do it…

Proceed with the following steps:

  1. Generate PKI keys using keystone-manage pki_setup command:
    [root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    

    Note

In keystone-manage pki_setup, we use the keystone Linux user and group accounts, which were created when the openstack-keystone package was installed.

  2. Change ownership of the generated PKI files:
    [root@controller ~]# chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
    
  3. Configure Keystone service to use the generated PKI files:
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing token_format PKI
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing certfile /etc/keystone/ssl/certs/signing_cert.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing keyfile /etc/keystone/ssl/private/signing_key.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing ca_certs /etc/keystone/ssl/certs/ca.pem
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing key_size 1024
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing valid_days 3650
    [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf  signing ca_password None
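The [signing] settings written in step 3, as an added example that is not from the book: a small Python helper that applies options to keystone.conf the way openstack-config --set does and then audits the section, flagging the recipe's 1024-bit key_size against an assumed 2048-bit minimum. The sample configuration text, the threshold and the function names are constructed here.

```python
import configparser

# Constructed sample of keystone.conf after the recipe's
# openstack-config --set commands (not a file from the book).
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
admin_token = PLACEHOLDER_keystone_admin_token

[signing]
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
ca_password = None
"""

MIN_RSA_BITS = 2048  # assumed local policy threshold, not a Keystone default


def load_conf(text):
    """Parse keystone.conf text; interpolation off so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def set_option(cp, section, option, value):
    """Equivalent of: openstack-config --set FILE SECTION OPTION VALUE."""
    if not cp.has_section(section):
        cp.add_section(section)
    cp.set(section, option, str(value))


def audit_signing(cp):
    """Return findings about the [signing] section; empty if nothing to flag."""
    findings = []
    if not cp.has_section("signing"):
        return ["no [signing] section"]
    s = cp["signing"]
    if s.get("token_format", "").upper() != "PKI":
        return findings  # UUID tokens: the PKI settings are unused
    for opt in ("certfile", "keyfile", "ca_certs"):
        if not s.get(opt):
            findings.append(f"{opt} not set")
    bits = int(s.get("key_size", MIN_RSA_BITS))
    if bits < MIN_RSA_BITS:
        findings.append(f"key_size {bits} is below {MIN_RSA_BITS} bits")
    return findings
```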
    

Starting and enabling the service

At this point, Keystone is configured and ready to run. Start it as follows:

[root@controller ~]# systemctl start openstack-keystone

Enable Keystone to start after system reboot:

[root@controller ~]# systemctl enable openstack-keystone

Configuring Keystone endpoints

We need to configure a Keystone service endpoint for other services to operate properly:

  1. Set the SERVICE_TOKEN environment variable using the keystone_admin_token we generated in the basic Keystone configuration step:
    [root@controller ~]# export SERVICE_TOKEN=`cat ~/keystone_admin_token`
    
  2. Set the SERVICE_ENDPOINT environment variable to Keystone's endpoint URL, using your controller's IP address:
    [root@controller ~]# export SERVICE_ENDPOINT="http://10.10.0.1:35357/v2.0"
    
  3. Create a Keystone service entry:
    [root@el7-icehouse-controller ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity service"
    

    The output of a successful execution should look similar to the following, with a different unique ID:

    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |    Keystone Identity service     |
    |   enabled   |               True               |
    |      id     | 1fa0e426e1ba464d95d16c6df0899047 |
    |     name    |             keystone             |
    |     type    |             identity             |
    +-------------+----------------------------------+

    The endpoint-create command allows us to set different IP addresses for the endpoints reachable from public and from internal sources. At this point, we can use the controller's management NIC IP to reach the Keystone endpoint.

  4. Create the Keystone service endpoint using the keystone endpoint-create command:
    [root@controller ~]# keystone endpoint-create --service keystone --publicurl 'http://10.10.0.1:5000/v2.0' --adminurl 'http://10.10.0.1:35357/v2.0' --internalurl 'http://10.10.0.1:5000/v2.0'
    
  5. Create the services tenant:
    [root@controller ~(keystone_admin)]# keystone tenant-create --name services --description "Services Tenant"
    

Keystone administrator account

  1. Create an administrative account within Keystone:
    [root@controller ~]# keystone user-create --name admin --pass password
    
  2. Create the admin role:
    [root@controller ~]# keystone role-create --name admin
    
  3. Create an admin tenant:
    [root@controller ~]# keystone tenant-create --name admin
    
  4. Assign the admin role to the admin user in the admin tenant:
    [root@el7-icehouse-controller ~]# keystone user-role-add --user admin --role admin --tenant admin
    
  5. Create the keystonerc_admin file with the following content:
    [root@controller ~]# cat ~/keystonerc_admin 
    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://10.10.0.1:35357/v2.0/
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    
  6. To load the environment variables, run the source command:
    [root@controller ~]# source keystonerc_admin 
    

Keystone user account

We can also create an unprivileged user account that has no administrative permissions in our newly created OpenStack environment:

  1. Create the user account in Keystone:
    [root@controller ~(keystone_admin)]# keystone user-create --name USER --pass password
    
  2. Create a new tenant:
    [root@el7-icehouse-controller ~(keystone_admin)]# keystone tenant-create --name TENANT
    
  3. Assign the user account to the newly created tenant:
    [root@el7-icehouse-controller ~(keystone_admin)]# keystone user-role-add --user USER --role _member_ --tenant TENANT
    
  4. Create the keystonerc_user file with the following content:
    [root@controller ~(keystone_admin)]# cat ~/keystonerc_user
    export OS_USERNAME=USER
    export OS_TENANT_NAME=TENANT
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://10.10.0.1:5000/v2.0/
    export PS1='[\u@\h \W(keystone_user)]\$ '
    

There's more…

If the installation and configuration of the Keystone service succeeded, Keystone should be operational. Run a keystone command to verify that it is.

Verify successful installation

Use the tenant-list command to list the existing tenants:

[root@controller ~(keystone_admin)]# keystone tenant-list

The output of successful tenant creation should look like this:

+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| a5b7bf37d1b646cb8ec0eb35481204c4 |  admin   |   True  |
| fafb926db0674ad9a34552dc05ac3a18 | services |   True  |
+----------------------------------+----------+---------+