Debian 12 bookworm
Sponsored Link

OpenStack Zed : Configure Keystone #12023/06/27
 
Install and Configure OpenStack Identity Service (Keystone).
This example is based on the environment like follows. 
        eth0|10.0.0.30 
+-----------+-----------+
|   [ dlp.srv.world ]   |
|     (Control Node)    |
|                       |
|  MariaDB    RabbitMQ  |
|  Memcached  Nginx     |
|  Keystone   httpd     |
+-----------------------+
[1] Add a User and Database on MariaDB for Keystone.
root@dlp:~#
mysql 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.11.3-MariaDB-1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone; 
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password'; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password'; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
[2] Install Keystone. That's OK to answer [No] to questions during the installation.
root@dlp:~#
apt -y install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client
[3] Configure Keystone.
root@dlp:~#
vi /etc/keystone/keystone.conf
# line 363 : add to specify Memcache Server

memcache_servers = 10.0.0.30:11211
# line 543 : add MariaDB connection info

[database]
connection = mysql+pymysql://keystone:password@10.0.0.30/keystone
# line 2169 : uncomment

provider = fernet
# OK to ignore [Exception ignored in ***]

root@dlp:~#
su -s /bin/bash keystone -c "keystone-manage db_sync"
# initialize Fernet key

root@dlp:~#
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

root@dlp:~#
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# define keystone API Host

root@dlp:~#
export controller=dlp.srv.world
# bootstrap keystone
# set any password for [adminpassword] section

root@dlp:~#
keystone-manage bootstrap --bootstrap-password adminpassword \
--bootstrap-admin-url https://$controller:5000/v3/ \
--bootstrap-internal-url https://$controller:5000/v3/ \
--bootstrap-public-url https://$controller:5000/v3/ \
--bootstrap-region-id RegionOne

[4]
Get valid SSL/TLS certificate, or Create self-signed certificate.
It uses valid SSL/TLS certificate on this example.
[5] Configure Apache httpd.
root@dlp:~#
vi /etc/apache2/apache2.conf
# line 70 : add to specify server name

ServerName dlp.srv.world
root@dlp:~#
vi /etc/apache2/sites-available/keystone.conf
# create new
# replace SSL certificate to your one

Listen 5000

<VirtualHost *:5000>
    SSLEngine on
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt/live/dlp.srv.world/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dlp.srv.world/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/dlp.srv.world/chain.pem
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
root@dlp:~#
a2ensite keystone 

Enabling site keystone.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@dlp:~#
a2enmod ssl 

Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@dlp:~#
systemctl disable --now keystone

root@dlp:~#
systemctl restart apache2
Matched Content