OpenStack Yoga : Configure Keystone #12022/05/31

Install and Configure OpenStack Identity Service (Keystone).

This example is based on the environment like follows.

        eth0|10.0.0.30 
+-----------+-----------+
|   [ dlp.srv.world ]   |
|     (Control Node)    |
|                       |
|  MariaDB    RabbitMQ  |
|  Memcached  httpd     |
|  Keystone             |
+-----------------------+

[1]	Add a User and Database on MariaDB for Keystone.

[root@dlp ~]#

mysql

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.5.9-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone; 
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password'; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password'; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

[2]	Install Keystone.

# install from Yoga, EPEL, PowerTools

[root@dlp ~]#

dnf --enablerepo=centos-openstack-yoga,epel,powertools -y install openstack-keystone python3-openstackclient httpd mod_ssl python3-mod_wsgi python3-oauth2client mod_ssl

[3]	Configure Keystone.

[root@dlp ~]#

vi /etc/keystone/keystone.conf

# line 442 : add to specify Memcache server

memcache_servers = 10.0.0.30:11211

# line 649 : add to specify MariaDB connection info

connection = mysql+pymysql://keystone:password@10.0.0.30/keystone

[token]

# line 2586 : uncomment

provider = fernet

[root@dlp ~]#

su -s /bin/bash keystone -c "keystone-manage db_sync"

# initialize keys

[root@dlp ~]#

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

[root@dlp ~]#

keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# define Keystone Host

[root@dlp ~]#

export controller=dlp.srv.world

# bootstrap keystone
# replace any password you like for [adminpassword] section

[root@dlp ~]#

keystone-manage bootstrap --bootstrap-password adminpassword \
--bootstrap-admin-url https://$controller:5000/v3/ \
--bootstrap-internal-url https://$controller:5000/v3/ \
--bootstrap-public-url https://$controller:5000/v3/ \
--bootstrap-region-id RegionOne

[4]	If SELinux is enabled, change boolean settings.

[root@dlp ~]#

setsebool -P httpd_use_openstack on

[root@dlp ~]#

setsebool -P httpd_can_network_connect on

[root@dlp ~]#

setsebool -P httpd_can_network_connect_db on

[root@dlp ~]#

vi keystone-httpd.te

# create new

module keystone-httpd 1.0;

require {
        type httpd_t;
        type keystone_var_lib_t;
        type keystone_log_t;
        class file { create getattr ioctl open read write };
        class dir { add_name create write };
}

#============= httpd_t ==============
allow httpd_t keystone_var_lib_t:dir { add_name create write };
allow httpd_t keystone_var_lib_t:file { create open write getattr ioctl open read };
allow httpd_t keystone_log_t:dir { add_name write };
allow httpd_t keystone_log_t:file create;

[root@dlp ~]#

checkmodule -m -M -o keystone-httpd.mod keystone-httpd.te

[root@dlp ~]#

semodule_package --outfile keystone-httpd.pp --module keystone-httpd.mod

[root@dlp ~]#

semodule -i keystone-httpd.pp

[5]	If Firewalld is running, allow ports for services.

[root@dlp ~]#

firewall-cmd --add-port=5000/tcp

success
[root@dlp ~]#

firewall-cmd --runtime-to-permanent

success

[6]	Get valid SSL/TLS certificate, or Create self-signed certificate. It uses valid SSL/TLS certificate on this example.
[7]	Configure Apache httpd.

[root@dlp ~]#

vi /etc/httpd/conf/httpd.conf

# line 99 : add to specify server name

ServerName dlp.srv.world

[root@dlp ~]#

vi /usr/share/keystone/wsgi-keystone.conf

# add settings for SSL/TLS

Listen 5000

<VirtualHost *:5000>
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
    SSLCertificateFile /etc/letsencrypt/live/dlp.srv.world/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dlp.srv.world/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/dlp.srv.world/chain.pem
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
.....
.....

[root@dlp ~]#

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

[root@dlp ~]#

systemctl enable --now httpd

Matched Content