From Fedora Project Wiki
Revision as of 00:36, 4 March 2012
Updates for Fedora 17 / OpenStack >= Essex-4
Configuring keystone for authentication
Keystone is the OpenStack identity service, providing a central place to set up OpenStack users, groups, and accounts that can be shared across all other services. This deprecates the old-style user accounts manually set up with nova-manage.
Setting up keystone is required for using the OpenStack dashboard.
Initial setup
- install Keystone
$> sudo yum install --enablerepo=updates-testing openstack-keystone python-keystoneclient
Should get installed:
python-keystoneclient >= 2012.1-0.5.e4
openstack-keystone >= 2012.1-0.9.e4
- configure Keystone database
$> sudo openstack-keystone-db-setup
Please enter the password for the 'root' MySQL user:
Verified connectivity to MySQL.
Creating 'keystone' database.
Asking openstack-keystone to sync the databse.
Complete!
- change default administrative token in keystone.conf
$> ADMIN_TOKEN=$(openssl rand -hex 10)
$> sudo openstack-config-set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
- start and enable Keystone service
$> sudo systemctl start openstack-keystone.service
$> sudo systemctl enable openstack-keystone.service
- create sample Tenants, Users and Roles
$> sudo ADMIN_PASSWORD=verybadpass openstack-keystone-sample-data
- test Keystone CLI is working
$> export OS_USERNAME=admin
$> export OS_PASSWORD=verybadpass
$> export OS_TENANT_NAME=admin
$> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
$> keystone user-list
+----------------------------------+---------+-------------------+-------+
| id                               | enabled | email             | name  |
+----------------------------------+---------+-------------------+-------+
| 05742d10109540d2892d17ec312a6cd9 | True    | admin@example.com | admin |
| 25fe47659d6a4255a663e6add1979d6c | True    | admin@example.com | demo  |
+----------------------------------+---------+-------------------+-------+
Configure nova to use keystone
- Change nova configuration to use keystone:
$> sudo sed -i -e 's/# \(pipeline = .*keystonecontext\)/\1/g' /etc/nova/api-paste.ini
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo systemctl restart openstack-nova-api.service
- Verify that nova can talk with keystone (requires the variable exports from the keystone section)
$> nova --version 1.1 flavor-list
+----+-----------+-----------+------+----------+-------+-------------+
| ID | Name      | Memory_MB | Swap | Local_GB | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+----------+-------+-------------+
| 1  | m1.tiny   | 512       |      | 0        | 1     | 1.0         |
| 2  | m1.small  | 2048      |      | 10       | 1     | 1.0         |
| 3  | m1.medium | 4096      |      | 10       | 2     | 1.0         |
| 4  | m1.large  | 8192      |      | 10       | 4     | 1.0         |
| 5  | m1.xlarge | 16384     |      | 10       | 8     | 1.0         |
+----+-----------+-----------+------+----------+-------+-------------+
Configure glance to use keystone
- Tell keystone about the glance service
$> cat << EOF | sudo tee -a /etc/keystone/default_catalog.templates
catalog.RegionOne.image.publicURL = http://localhost:9292/v1
catalog.RegionOne.image.adminURL = http://localhost:9292/v1
catalog.RegionOne.image.internalURL = http://localhost:9292/v1
catalog.RegionOne.image.name = 'Image Service'
EOF
$> sudo systemctl restart openstack-keystone
- Change glance configuration to use keystone:
$> echo -e "\n[paste_deploy]\nflavor = keystone" | sudo tee -a /etc/glance/glance-api.conf
$> echo -e "\n[paste_deploy]\nflavor = keystone" | sudo tee -a /etc/glance/glance-registry.conf
$> sudo openstack-config-set /etc/glance/glance-api-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo openstack-config-set /etc/glance/glance-registry-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo systemctl restart openstack-glance-api.service
$> sudo systemctl restart openstack-glance-registry.service
- Verify that glance can talk with keystone (requires the variable exports from the keystone section)
$> glance index
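
The steps above copy the same admin_token into keystone.conf and three paste files, so a stale or exposed copy is easy to miss. The following check is an added example, not part of the wiki page or the OpenStack packages; the function names ini_get and audit_admin_token are hypothetical, and the file-permission test is an added hardening check rather than a step from this page.

```bash
# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($1 == sec); next }
        in_sec && index($0, "=") {
            split($0, kv, "="); k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_admin_token KEYSTONE_CONF PASTE_INI...
# Returns 0 when the token is long enough, identical in every file, and no
# file is accessible to "other" users; prints each finding and returns 1 otherwise.
audit_admin_token() {
    ks_conf=$1; shift; rc=0
    token=$(ini_get "$ks_conf" DEFAULT admin_token)
    # "openssl rand -hex 10" prints 20 hex characters.
    if [ "${#token}" -lt 20 ]; then
        echo "WEAK: admin_token in $ks_conf is shorter than 20 characters"; rc=1
    fi
    for f in "$ks_conf" "$@"; do
        # Characters 8-10 of the ls mode string are the "other" permission bits.
        if [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then
            echo "EXPOSED: $f is accessible to all local users"; rc=1
        fi
    done
    for f in "$@"; do
        if [ "$(ini_get "$f" filter:authtoken admin_token)" != "$token" ]; then
            echo "MISMATCH: $f does not carry keystone's admin_token"; rc=1
        fi
    done
    return $rc
}

# Usage on the host configured above (run as root):
# audit_admin_token /etc/keystone/keystone.conf /etc/nova/api-paste.ini \
#     /etc/glance/glance-api-paste.ini /etc/glance/glance-registry-paste.ini
```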