Create database for keystone services and grant privileges (From MySQL prompt)
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit;
Install package
apt -y install keystone
Update configurations in /etc/keystone/keystone.conf – respective sections as show below
[database]
connection = mysql+pymysql://keystone:password@controller/keystone
[token]
provider = fernet
Populate the Identity service database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize Fernet key repositories. (associate the user/group for running of keystone)
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service. Note the usage of “controller” – should resolve to IP of the host.
keystone-manage bootstrap --bootstrap-password password --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
Add Server name configuration in /etc/apache2/apache2.conf
ServerName controller
Restart apache
service apache2 restart
Set environment variables for administrative account
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
Create Projects, Users and Roles [ Domain -> Project -> Users associated with roles ]
Default “admin” project gets created during bootstrap (see above). Create a “homelab” project
openstack project create --domain default --description "Home Lab" homelab
Create a non-previleged user account “homeuser”
openstack user create --domain default --password-prompt homeuser
Create a role and assocaite home user with homelab project and assign the role.
openstack role create homerole
openstack role add --project homelab --user homeuser homerole
The openstack client makes user of environment variables if set or expect the inputs as part of command line arugments. Create two client environment scripts which can be ‘sourced‘ as and when required.
Create admin-openrc with following contents
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Create user-openrc with following contents
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=homelab
export OS_USERNAME=homeuser
export OS_PASSWORD=password
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Verify keystone installation – Generate auth token for admin user and homeuser
. admin-openrc
openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2020-10-07T05:17:29+0000 |
| id | gAAAAABffUFZlSRmx2bYNFec1…DpWw |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b |
| user_id | 5326b26027b143aaae10d7bf0f1fee6b |
+------------+----------------------------------+
. user-openrc
openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2020-10-07T05:17:38+0000 |
| id | gAAAAABffUFio8WX5cpHERZD…hS3GE |
| project_id | 4948fbd742b74910a0620ef93b92f91e |
| user_id | 36a722e921d242f9944b4754015ec734 |
+------------+----------------------------------+