OpenStack Zed : Configure Keystone #12022/10/07 |
Install and Configure OpenStack Identity Service (Keystone).
This example is based on the environment like follows.
eth0|10.0.0.30 +-----------+-----------+ | [ dlp.srv.world ] | | (Control Node) | | | | MariaDB RabbitMQ | | Memcached Nginx | | Keystone httpd | +-----------------------+ |
[1] | Add a User and Database on MariaDB for Keystone. |
root@dlp:~# mysql Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 31 Server version: 10.6.7-MariaDB-2ubuntu1.1 Ubuntu 22.04 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> create database keystone; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password'; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> exit Bye |
[2] | Install Keystone. |
root@dlp:~# apt -y install keystone python3-openstackclient apache2 libapache2-mod-wsgi-py3 python3-oauth2client
|
[3] | Configure Keystone. |
root@dlp:~#
vi /etc/keystone/keystone.conf # line 444 : add to specify Memcache Server memcache_servers = 10.0.0.30:11211
# line 661 : change to MariaDB connection info connection = mysql+pymysql://keystone:password@10.0.0.30/keystone
# line 2639 : uncomment provider = fernet
root@dlp:~#
su -s /bin/bash keystone -c "keystone-manage db_sync"
# initialize Fernet key root@dlp:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone root@dlp:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# define keystone API Host root@dlp:~# export controller=dlp.srv.world
# bootstrap keystone # set any password for [adminpassword] section root@dlp:~# keystone-manage bootstrap --bootstrap-password adminpassword \ --bootstrap-admin-url https://$controller:5000/v3/ \ --bootstrap-internal-url https://$controller:5000/v3/ \ --bootstrap-public-url https://$controller:5000/v3/ \ --bootstrap-region-id RegionOne |
[4] |
Get valid SSL/TLS certificate, or Create self-signed certificate.
It uses valid SSL/TLS certificate on this example. |
[5] | Configure Apache httpd. |
root@dlp:~#
vi /etc/apache2/apache2.conf # line 70 : add to specify server name ServerName dlp.srv.world
root@dlp:~#
vi /etc/apache2/sites-available/keystone.conf # add settings for SSL/TLS
Listen 5000
<VirtualHost *:5000>
SSLEngine on
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/dlp.srv.world/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dlp.srv.world/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/dlp.srv.world/chain.pem
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
.....
.....
root@dlp:~# a2enmod ssl Considering dependency setenvif for ssl: Module setenvif already enabled Considering dependency mime for ssl: Module mime already enabled Considering dependency socache_shmcb for ssl: Enabling module socache_shmcb. Enabling module ssl. See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates. To activate the new configuration, you need to run: systemctl restart apache2root@dlp:~# systemctl restart apache2
|
Sponsored Link |