From Fedora Project Wiki

Revision as of 00:41, 4 March 2012 by Crobinso (talk | contribs) (Add brief section about setting up the dashboard)

Updates for Fedora 17 / OpenStack >= Essex-4

Configuring keystone for authentication

Keystone is the OpenStack identity service. It provides a central place to set up OpenStack users, groups, and accounts that can be shared across all other services. This deprecates the old-style user accounts that were set up manually with nova-manage.

Setting up keystone is required for using the OpenStack dashboard.

Initial setup

  • install Keystone
$> sudo yum install --enablerepo=updates-testing openstack-keystone python-keystoneclient

The following versions (or later) should get installed:

python-keystoneclient >= 2012.1-0.5.e4
openstack-keystone >= 2012.1-0.9.e4
  • configure Keystone database
$> sudo openstack-keystone-db-setup
Please enter the password for the 'root' MySQL user: 
Verified connectivity to MySQL.
Creating 'keystone' database.
Asking openstack-keystone to sync the databse.
Complete!
  • change default administrative token in keystone.conf
$> ADMIN_TOKEN=$(openssl rand -hex 10)
$> sudo openstack-config-set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
  • start and enable Keystone service
$> sudo systemctl start openstack-keystone.service
$> sudo systemctl enable openstack-keystone.service
  • create sample Tenants, Users and Roles
$> sudo ADMIN_PASSWORD=verybadpass openstack-keystone-sample-data
  • test Keystone CLI is working
$> export OS_USERNAME=admin
$> export OS_PASSWORD=verybadpass
$> export OS_TENANT_NAME=admin
$> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
$> keystone user-list
+----------------------------------+---------+-------------------+-------+
|                id                | enabled |       email       |  name |
+----------------------------------+---------+-------------------+-------+
| 05742d10109540d2892d17ec312a6cd9 | True    | admin@example.com | admin |
| 25fe47659d6a4255a663e6add1979d6c | True    | admin@example.com | demo  |
+----------------------------------+---------+-------------------+-------+


Configure nova to use keystone

  • Change nova configuration to use keystone:
$> sudo sed -i -e 's/# \(pipeline = .*keystonecontext\)/\1/g' /etc/nova/api-paste.ini
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo systemctl restart openstack-nova-api.service
  • Verify that nova can talk with keystone (requires the variable exports from the keystone section)
$> nova --version 1.1 flavor-list
+----+-----------+-----------+------+----------+-------+-------------+
| ID |    Name   | Memory_MB | Swap | Local_GB | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+----------+-------+-------------+
| 1  | m1.tiny   | 512       |      | 0        | 1     | 1.0         |
| 2  | m1.small  | 2048      |      | 10       | 1     | 1.0         |
| 3  | m1.medium | 4096      |      | 10       | 2     | 1.0         |
| 4  | m1.large  | 8192      |      | 10       | 4     | 1.0         |
| 5  | m1.xlarge | 16384     |      | 10       | 8     | 1.0         |
+----+-----------+-----------+------+----------+-------+-------------+


Configure glance to use keystone

  • Tell keystone about the glance service
$> cat << EOF | sudo tee -a /etc/keystone/default_catalog.templates
catalog.RegionOne.image.publicURL = http://localhost:9292/v1
catalog.RegionOne.image.adminURL = http://localhost:9292/v1
catalog.RegionOne.image.internalURL = http://localhost:9292/v1
catalog.RegionOne.image.name = 'Image Service'
EOF
$> sudo systemctl restart openstack-keystone
  • Change glance configuration to use keystone:
$> echo -e "\n[paste_deploy]\nflavor = keystone" | sudo tee -a /etc/glance/glance-api.conf
$> echo -e "\n[paste_deploy]\nflavor = keystone" | sudo tee -a /etc/glance/glance-registry.conf
$> sudo openstack-config-set /etc/glance/glance-api-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo openstack-config-set /etc/glance/glance-registry-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo systemctl restart openstack-glance-api.service
$> sudo systemctl restart openstack-glance-registry.service
  • Verify that glance can talk with keystone (requires the variable exports from the keystone section)
$> glance index
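
The nova and glance steps reuse $ADMIN_TOKEN, which exists only in the shell where it was generated, so a step run from another shell leaves that service without keystone's token. The script below is an added example, not part of the original wiki page: it checks that each paste file carries the same admin_token as keystone.conf and warns when a file holding the token is world-readable. The helper names and the sample files and token value in make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page. Token values are compared, never printed.
# ini_get FILE SECTION KEY: print KEY's value inside [SECTION] (last one wins)
ini_get() {
    awk -v s="[$2]" -v k="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^\[/ { cur = $0; next }                       # section header
        cur != s || /^[#;]/ { next }                   # other section or comment
        (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1" 2>/dev/null || :
}

# world_readable FILE: true when "other" has read permission
world_readable() { [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]; }

# check_tokens KEYSTONE_CONF PASTE_INI...: 0 only if every file has keystone's token
check_tokens() {
    ref=$(ini_get "$1" DEFAULT admin_token); rc=0
    [ -n "$ref" ] || { echo "FAIL $1: admin_token not set"; return 1; }
    for f in "$@"; do
        if world_readable "$f"; then echo "WARN $f: readable by all local users"; fi
        [ "$f" = "$1" ] && continue
        if [ "$(ini_get "$f" filter:authtoken admin_token)" = "$ref" ]; then
            echo "ok   $f"
        else
            echo "FAIL $f: admin_token missing or different from keystone.conf"; rc=1
        fi
    done
    return $rc
}

# make_sample DIR: constructed files. The glance file stands for one configured
# from a shell where $ADMIN_TOKEN was unset, so it never received keystone's token.
make_sample() {
    printf '[DEFAULT]\nadmin_token = 3f9c0a71d2e4b6587a10\n' > "$1/keystone.conf"
    printf '[filter:authtoken]\nadmin_token = 3f9c0a71d2e4b6587a10\n' > "$1/nova-api-paste.ini"
    printf '[filter:authtoken]\nadmin_token = PLACEHOLDER\n' > "$1/glance-api-paste.ini"
    chmod 640 "$1/keystone.conf" "$1/nova-api-paste.ini"; chmod 644 "$1/glance-api-paste.ini"
}

if [ "$#" -gt 0 ]; then check_tokens "$@"; else   # real files as arguments, or demo
    d=$(mktemp -d); make_sample "$d"
    check_tokens "$d/keystone.conf" "$d/nova-api-paste.ini" "$d/glance-api-paste.ini" || :
    rm -rf "$d"
fi
```

To check a real installation, run the script as root with /etc/keystone/keystone.conf as the first argument, followed by /etc/nova/api-paste.ini, /etc/glance/glance-api-paste.ini and /etc/glance/glance-registry-paste.ini.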


Configuring the OpenStack Dashboard

The OpenStack dashboard is the official web user interface for OpenStack. It should mostly work out of the box, as long as keystone has been configured properly.

  • Install the dashboard
$> sudo yum install openstack-dashboard
  • Make sure httpd is running
$> sudo systemctl restart httpd
$> sudo systemctl enable httpd

The dashboard should then be accessible with a web browser at http://localhost. The account and password are the ones you configured during the keystone setup.