OpenStack Victoria version - 3 Control node Keystone authentication service component

Posted by binit on Sat, 19 Feb 2022 08:55:56 +0100

3. Control node Keystone authentication service component

More steps: OpenStack Victoria installation and deployment series tutorials

OpenStack deployment series
Openstack deployment tutorial series
OpenStack Ussuri offline installation and deployment series tutorial (full)
OpenStack Train offline installation and deployment series tutorial (full)
Welcome to leave messages for communication and common progress.

Create keystone database and authorize

1. Log in to the database

Use the root account of mysql database to log in, and the password is the password for initializing mysql data when preparing the control node environment. The password set is root.

mysql -u root -proot

2. Create keystone database and authorize

Create a keystone database, set the password to 111111, grant access to the keystone database, refresh and exit the database


GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \

flush privileges;
show databases;
select user,host from mysql.user;

keystone related software installation and configuration

1. Install keystone related software packages

If you want to access using https, you need to install mod_ssl

Install and configure Keystone: For RHEL8/Centos8 and above install package python3-mod_wsgi.

dnf install openstack-keystone httpd python3-mod_wsgi -y

2. Modify / etc / keystone / keystone Conf file

Since there are about 2700 lines of file content and too many comments, the actual effective configuration information is only about 40 lines. In order to facilitate the modification of the file, you can back up the file first and then remove the comment information

cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
egrep -v "^$|^#" /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
vim /etc/keystone/keystone.conf

In order to improve the efficiency of modifying files and reduce the rate of configuration errors, we can use the configuration tool to modify files through commands and install software first

dnf install crudini -y
crudini --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:111111@controller/keystone
crudini --set /etc/keystone/keystone.conf token provider fernet

Check configuration results

grep '^[a-z]' /etc/keystone/keystone.conf

keystone does not need to be started and is called through the http service

3. Initialize and synchronize keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

After synchronization, conduct connection test

mysql  -ukeystone -p111111 -e "use keystone;show tables;"
mysql -h10.0.0.11 -ukeystone -p111111 -e "use keystone;show tables;"|wc -l

4. Initialize the Fernet token library

Initialize Fernet key repositories´╝îIntroduction to Fernet tokens Keystone Fernet tokens

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5. Initialize the bootstrap keystone authentication service

keystone-manage bootstrap --bootstrap-password 111111   --bootstrap-admin-url http://controller:5000/v3/   --bootstrap-internal-url http://controller:5000/v3/   --bootstrap-public-url http://controller:5000/v3/   --bootstrap-region-id RegionOne

6. Configure and start Apache Http service

Edit VIM / etc / httpd / conf / httpd Conf file, add the following information

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
sed -i "s/#ServerName controller/" /etc/httpd/conf/httpd.conf

Create / keystone / keystone Conf file link

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Start httpd and configure boot self boot

systemctl start httpd && systemctl enable httpd
netstat -anptl|grep httpd
systemctl list-unit-files |grep httpd.service

So far, the http service configuration is completed.

7. Create environment variable script


Create OpenStack client environment scripts, which uses a combination of environment variables and command options to interact with the identity authentication service through the "openstack" client.
In order to improve the efficiency of client operation, OpenStack supports simple client environment variable scripts, namely OpenRC files

cat > /root/ <<EOF 
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=111111
export OS_AUTH_URL=http://controller:5000/v3

Attachment: common openstack management commands need to apply the administrator's environment variables

# View keystone instance related information
openstack endpoint list
openstack project list
openstack user list

# Delete endpoint
openstack endpoint delete [ID]

8. Create a general instance of keystone

source ./ 
openstack catalog list

(1) [not required] create a field named example

Create a domain. The default domain already exists in the program. This command is only an example of creating a domain. You can not execute it

#openstack domain create --description "An Example Domain" example

(2) [required] create a project named service, also known as tenant, in the default field.

openstack project create --domain default --description "Service Project" service

(3) [not required] create a project named myproject in the default field.

#openstack project create --domain default --description "Demo Project" myproject

(4) [not required] create a myuser user in the default field.
The following commands are displayed in local_ Add myuser user to the user table. Use the – password option to directly configure the plaintext password, and use the – password prompt option to enter the password interactively to directly create the user and password

#openstack user create --domain default --password-prompt myuser
# After executing the command, you need to set the user password and enter the same password twice

(5) [not required] create a myrole in the role table.

# openstack role create myrole

(6) * * [not required] * * add myrole role to myproject project and myuser user

#openstack role add --project myproject --user myuser myrole

(7) View keystone instance related information

openstack role list
openstack endpoint list
openstack project list
openstack user list

Verify whether keystone installation configuration is successful

Verify whether KeyStone service is normal

openstack token issue

The above information indicates that KeyStone configuration is completed!

1. Remove environmental variables
Close the temporary authentication token mechanism, obtain the token, and verify that the keystone configuration is successful

env |grep OS_ 

2. As an administrator, the user requests an authenticated token
Test whether the admin account can be used for login authentication and request authentication token

openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name admin --os-username admin token issue
#Enter password: 111111

keystone installed

So far, the keystone authentication service component of the control node has been installed and configured. If you use VMware virtual machine, you can now shut down and take a snapshot.


Topics: OpenStack cloud serving iaas