VScaler: CIX Controller Node OpenStack Installation - Keystone

From Define Wiki

Keystone Authentication Script

  • 3_vscaler-controller-keystone-authentication.sh
#!/bin/bash

# source the vscaler installation vars 
. vscaler-env.sh

# install the identity keystone prerequisites
mysql -u root --password=$VS_PASS <<MYSQL_SCRIPT
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '$KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '$KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'$HOSTNAME' IDENTIFIED BY '$KEYSTONE_DBPASS';
MYSQL_SCRIPT

yum -y install openstack-keystone httpd mod_wsgi memcached python-memcached
systemctl enable memcached.service
systemctl restart memcached.service
crudini --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
crudini --set /etc/keystone/keystone.conf DEFAULT verbose True
#crudini --set /etc/keystone/keystone.conf database connection mysql://keystone:$KEYSTONE_DBPASS@localhost/keystone
# This should be 'controller', but it wasn't letting me through (problem to review). Allowing remote connections in MySQL, together with the third GRANT line above, makes 'controller' work.
crudini --set /etc/keystone/keystone.conf database connection mysql://keystone:$KEYSTONE_DBPASS@controller/keystone
crudini --set /etc/keystone/keystone.conf memcache servers localhost:11211
crudini --set /etc/keystone/keystone.conf token provider uuid
crudini --set /etc/keystone/keystone.conf token driver memcache
crudini --set /etc/keystone/keystone.conf revoke driver sql
crudini --set /etc/keystone/keystone.conf policy config_file /usr/share/keystone/keystone-dist-paste.ini
su -s /bin/sh -c "keystone-manage db_sync" keystone

# setup the httpd
sed -i '95 a ServerName controller'  /etc/httpd/conf/httpd.conf
cat << EOF > /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
EOF

systemctl enable httpd.service
systemctl restart httpd.service

# let's set up the services / endpoints for keystone
export OS_TOKEN=$ADMIN_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0
openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0
openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0

# set up projects/users
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password $ADMIN_PASS admin
openstack role create admin
openstack role add --project admin --user admin admin

openstack project create --domain default --description "Service Project" service

openstack project create --domain default --description "vScaler Project" vscaler
openstack user create --domain default --password $VS_PASS vscaler
openstack role create user
openstack role add --project vscaler --user vscaler user

# verify users
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-id default --os-user-domain-id default \
  --os-project-name admin --os-username admin --os-password $ADMIN_PASS \
  token issue
openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-id default --os-user-domain-id default \
  --os-project-name vscaler --os-username vscaler --os-password $VS_PASS \
  token issue

# set up the user environment
cat <<EOF > ~/admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=$ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
EOF

cat <<EOF > ~/vscaler-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=vscaler
export OS_TENANT_NAME=vscaler
export OS_USERNAME=vscaler
export OS_PASSWORD=$VS_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF

source ~/admin-openrc.sh 
openstack token issue

Problems

Keystone returns "500 Internal Server Error" message

  • Whilst authenticating against Keystone, the user is returned a "500 Internal Server Error" message:
[root@controller01 keystone]# curl http://localhost:5000/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
  • Not entirely sure why, but config_file=/usr/share/keystone/keystone-dist-paste.ini needs to be added to the [policy] section of /etc/keystone/keystone.conf:
[root@controller01 keystone]# grep config_file=/usr  /etc/glance/glance-api.conf /etc/glance/glance-registry.conf /etc/keystone/keystone.conf
/etc/glance/glance-api.conf:config_file=/usr/share/glance/glance-api-dist-paste.ini
/etc/glance/glance-registry.conf:config_file=/usr/share/glance/glance-registry-dist-paste.ini
/etc/keystone/keystone.conf:config_file=/usr/share/keystone/keystone-dist-paste.ini
  • Problem resolved:
[root@controller01 keystone]# curl http://localhost:5000/
{"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://localhost:5000/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://localhost:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}
  • The script above has been updated to take care of this.
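As an added example (not part of the vScaler script or this wiki), the following pre-flight check reads keystone.conf with awk and reports every key that the script's crudini calls are expected to set, so a missing [policy] config_file, the cause of the 500 error above, is caught before httpd is restarted. The sample keystone.conf and the EXAMPLE_* secrets are constructed placeholders; only POSIX sh and awk are assumed.

```shell
# Added example, not from the vScaler script: verify that the keystone.conf
# keys set with crudini above are present before restarting httpd.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { cur = substr($0, 2, index($0, "]") - 2); next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }           # skip comments and blanks
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_keystone_conf FILE: print each required SECTION/KEY that is unset;
# the return code is the number of missing settings (0 = all present)
check_keystone_conf() {
    missing=0
    for pair in DEFAULT:admin_token database:connection memcache:servers \
                token:provider token:driver revoke:driver policy:config_file; do
        sec=${pair%%:*}; key=${pair#*:}
        if [ -z "$(ini_get "$1" "$sec" "$key")" ]; then
            echo "missing [$sec] $key"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample (placeholder secrets): keystone.conf before the [policy] fix
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
[DEFAULT]
admin_token = EXAMPLE_ADMIN_TOKEN
[database]
connection = mysql://keystone:EXAMPLE_DBPASS@controller/keystone
[memcache]
servers = localhost:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
[policy]
EOF
check_keystone_conf "$CONF" || echo "$? setting(s) missing"    # 1 setting(s) missing
printf 'config_file = /usr/share/keystone/keystone-dist-paste.ini\n' >> "$CONF"
check_keystone_conf "$CONF" && echo "keystone.conf complete"
rm -f "$CONF"
```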