Home
Step 1: Network interfaces configuration
Step 2: Install Network Time Protocol (NTP)
# apt-get install -y ntp
Step 3: Controller setup
install mysql:
# apt-get install python-mysqldb mysql-server
Note: When you install the server package, you are prompted for the root password for the database. Choose a strong password and remember it.
Edit the /etc/mysql/my.cnf file:
Under the [mysqld] section, set the bind-address key to the management IP address of the controller node to enable access by other nodes via the management network:
[mysqld]
...
bind-address = $CONTROLLER_MNGT_IP
Under the [mysqld] section, set the following keys to enable InnoDB, UTF-8 character set, and UTF-8 collation by default:
[mysqld]
...
default-storage-engine = innodb
innodb_file_per_table
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8
Restart the MySQL service to apply the changes:
# service mysql restart
You must delete the anonymous users that are created when the database is first started. Otherwise, database connection problems occur when you follow the instructions in this guide. To do this, use the mysql_secure_installation command. Note that if mysql_secure_installation fails you might need to use mysql_install_db first:
# mysql_install_db
# mysql_secure_installation
This command presents a number of options for you to secure your database installation. Respond yes to all prompts unless you have a good reason to do otherwise.
On all nodes other than the controller node, install the MySQL Python library:
# apt-get install python-mysqldb
Install OpenStack packages on all nodes
Install the Ubuntu Cloud Archive for Icehouse:
# apt-get install python-software-properties
# add-apt-repository cloud-archive:icehouse
Update the package database and upgrade your system:
# apt-get update
# apt-get dist-upgrade
If you intend to use OpenStack Networking with Ubuntu 12.04, you should install a backported Linux kernel to improve the stability of your system. This installation is not needed if you intend to use the legacy networking service.
Install the Ubuntu 13.10 backported kernel:
# apt-get install linux-image-generic-lts-saucy linux-headers-generic-lts-saucy
Reboot the system for all changes to take effect:
# reboot
On the controller node, install the RabbitMQ message broker:
# apt-get install rabbitmq-server
Change the password of the default guest account, replacing RABBIT_PASS with a suitable password:
# rabbitmqctl change_password guest RABBIT_PASS
On the controller node, install the OpenStack Identity Service together with python-keystoneclient (which is a dependency):
# apt-get install keystone
The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.
Edit /etc/keystone/keystone.conf and change the [database] section:
[database]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
By default, the Ubuntu packages create a SQLite database. Delete the keystone.db file created in the /var/lib/keystone/ directory so that it does not get used by mistake:
# rm /var/lib/keystone/keystone.db
Use the password that you set previously to log in as root. Create a keystone database user:
$ mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> exit
Create the database tables for the Identity Service:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:
# openssl rand -hex 10
Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the results of the command:
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
Configure the log directory. Edit the /etc/keystone/keystone.conf file and update the [DEFAULT] section:
[DEFAULT]
...
log_dir = /var/log/keystone
Restart the Identity Service:
# service keystone restart
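As an added check that is not part of this wiki, the following POSIX shell script audits the two files edited so far: the [mysqld] settings from Step 3 (bind-address must be a single management IP, never 0.0.0.0 or unset) and the keystone.conf settings above (no ADMIN_TOKEN or KEYSTONE_DBPASS placeholder left in place, MySQL rather than the default SQLite backend, log_dir set). The sample files it writes are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: audit my.cnf and keystone.conf for the
# settings this guide requires. Sample files are constructed inline below.

# conf_get FILE SECTION KEY: print KEY's value inside [SECTION] (the bare key
# name for value-less keys such as innodb_file_per_table), or nothing.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# audit_mysql FILE: bind-address must be one management IP; empty or 0.0.0.0
# makes MySQL listen on every interface, and the guide's placeholder is not an IP.
audit_mysql() {
    addr=$(conf_get "$1" mysqld bind-address)
    case "$addr" in
        ""|0.0.0.0|'$CONTROLLER_MNGT_IP') echo "my.cnf: bind-address is '$addr'" >&2; return 1 ;;
    esac
    [ "$(conf_get "$1" mysqld character-set-server)" = utf8 ] || { echo "my.cnf: character-set-server is not utf8" >&2; return 1; }
}

# audit_keystone FILE: real hex admin_token (openssl rand -hex 10 gives 20 hex
# chars), MySQL connection with the placeholder password replaced, log_dir set.
audit_keystone() {
    tok=$(conf_get "$1" DEFAULT admin_token)
    printf '%s\n' "$tok" | grep -Eq '^[0-9a-f]{20,}$' || { echo "keystone.conf: admin_token is '$tok'" >&2; return 1; }
    case "$(conf_get "$1" database connection)" in
        mysql://*:KEYSTONE_DBPASS@*) echo "keystone.conf: KEYSTONE_DBPASS placeholder still set" >&2; return 1 ;;
        mysql://*) ;;
        *) echo "keystone.conf: database connection is not MySQL" >&2; return 1 ;;
    esac
    [ -n "$(conf_get "$1" DEFAULT log_dir)" ] || { echo "keystone.conf: log_dir unset" >&2; return 1; }
}

# Constructed samples: one hardened pair and one pair left at placeholders/defaults.
write_samples() {
    d=$(mktemp -d)
    printf '[mysqld]\nbind-address = 10.0.0.11\ndefault-storage-engine = innodb\ninnodb_file_per_table\ncharacter-set-server = utf8\n' > "$d/good.cnf"
    printf '[mysqld]\nbind-address = 0.0.0.0\ncharacter-set-server = utf8\n' > "$d/bad.cnf"
    printf '[DEFAULT]\nadmin_token = 4f1a0c9e2b7d6a3f8e5c\nlog_dir = /var/log/keystone\n[database]\nconnection = mysql://keystone:s3cret@controller/keystone\n' > "$d/good.conf"
    printf '[DEFAULT]\nadmin_token = ADMIN_TOKEN\n[database]\nconnection = sqlite:////var/lib/keystone/keystone.db\n' > "$d/bad.conf"
    echo "$d"
}

# Usage on a real node: . ./audit.sh; audit_mysql /etc/mysql/my.cnf && audit_keystone /etc/keystone/keystone.conf
```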
By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens will considerably increase database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using cron to purge expired tokens hourly.
Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log:
# (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/keystone
Export the admin token and the admin endpoint so that the keystone client can authenticate for the commands that follow (replace ADMIN_TOKEN with the token you generated above):
$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Create an administrative user
Follow these steps to create an administrative user, role, and tenant. You will use this account for administrative interaction with the OpenStack cloud.
By default, the Identity Service creates a special _member_ role. The OpenStack dashboard automatically grants access to users with this role. You will give the admin user access to this role in addition to the admin role.
Note: Any role that you create must map to roles specified in the policy.json file included with each OpenStack service. The default policy file for most services grants administrative access to the admin role.
Create the admin user, replacing ADMIN_PASS with a secure password and ADMIN_EMAIL with an email address to associate with the account:
$ keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL
Create the admin role:
$ keystone role-create --name=admin
Create the admin tenant:
$ keystone tenant-create --name=admin --description="Admin Tenant"
You must now link the admin user, admin role, and admin tenant together using the user-role-add option:
$ keystone user-role-add --user=admin --tenant=admin --role=admin
Link the admin user, _member_ role, and admin tenant:
$ keystone user-role-add --user=admin --role=_member_ --tenant=admin
Create a service tenant
OpenStack services also require a username, tenant, and role to access other OpenStack services. In a basic installation, OpenStack services typically share a single tenant named service.
You will create additional usernames and roles under this tenant as you install and configure each service.
Create the service tenant:
$ keystone tenant-create --name=service --description="Service Tenant"
Create the Identity Service entry and its API endpoint
root@group0vm1:~# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 68683d6ffd7d49859dd9f7fe2fd12be7 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
root@group0vm1:~# keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') --publicurl=http://10.10.10.3:5000/v2.0 --internalurl=http://controller:5000/v2.0 --adminurl=http://controller:35357/v2.0
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://controller:35357/v2.0 |
| id | 0c34c6e6fd5f411a9e349eeca1c9b3db |
| internalurl | http://controller:5000/v2.0 |
| publicurl | http://10.10.10.3:5000/v2.0 |
| region | regionOne |
| service_id | 68683d6ffd7d49859dd9f7fe2fd12be7 |
+-------------+----------------------------------+
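The endpoint-create command above fills --service-id from `keystone service-list` through an awk pattern; if the lookup matches nothing, the client is invoked with an empty service id, and a pattern on the padded row text would also match a description containing the word. As an added example that is not part of this wiki, this POSIX shell function selects the id by the type column and fails before any client call when it finds zero or several matches. The table is a constructed sample in the Icehouse client's output format; the function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki: extract a service id from the table that
# `keystone service-list` prints, refusing to continue on 0 or >1 matches.

# Constructed sample of the client's table output (id matches the session above).
SAMPLE_SERVICE_LIST='+----------------------------------+----------+----------+--------------------+
|                id                |   name   |   type   |    description     |
+----------------------------------+----------+----------+--------------------+
| 68683d6ffd7d49859dd9f7fe2fd12be7 | keystone | identity | OpenStack Identity |
+----------------------------------+----------+----------+--------------------+'

# service_id TYPE < table: print the 32-hex-char id of the row whose type
# column equals TYPE exactly (column 2 = id, column 4 = type when split on '|').
# Border rows have no '|' and are skipped; the header row's type cell is "type".
service_id() {
    ids=$(awk -F'|' -v t="$1" '
        NF >= 4 { gsub(/ /, "", $2); gsub(/ /, "", $4); if ($4 == t) print $2 }')
    n=$(printf '%s\n' "$ids" | grep -c '^[0-9a-f]\{32\}$' || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one '$1' service, found $n" >&2; return 1; }
    printf '%s\n' "$ids"
}

# Usage on the controller (uncomment): abort instead of running endpoint-create
# with an empty --service-id.
# sid=$(keystone service-list | service_id identity) || exit 1
# keystone endpoint-create --service-id="$sid" --publicurl=... --internalurl=... --adminurl=...
```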