Notes from setting up OpenStack Juno-M3 on Fedora 21/Rawhide
============================================================

On both Controller and Compute nodes
------------------------------------

Disable firewalld and enable iptables::

    $ systemctl stop firewalld
    $ systemctl disable firewalld
    $ yum install iptables-services

    # Create the file below; otherwise starting iptables will fail
    $ touch /etc/sysconfig/iptables
    $ systemctl enable iptables && systemctl start iptables

Disable NetworkManager and enable the classic network service::

    $ systemctl stop NetworkManager
    $ systemctl disable NetworkManager
    $ systemctl enable network
    $ systemctl restart network

Install RPMs
------------

On Controller::

    $ yum install -y openstack-keystone openstack-utils \
        dnsmasq-utils openstack-glance openstack-neutron \
        openstack-neutron-openvswitch openstack-nova --enablerepo=rawhide

On Compute::

    $ yum install openstack-neutron openstack-neutron-openvswitch \
        openstack-nova bridge-utils -y

Configure Keystone (On Controller)
----------------------------------

Install Identity Service
~~~~~~~~~~~~~~~~~~~~~~~~

1. Set up Keystone::

       $ openstack-db --init --service keystone

2. Set the location of the database in the config file::

       $ openstack-config --set /etc/keystone/keystone.conf \
           database connection mysql://keystone:fedora@controller/keystone

3. Create Keystone database user::

       $ mysql -u root -p
       Enter password:
       Welcome to the MariaDB monitor.  Commands end with ; or \g.
       Your MariaDB connection id is 6
       Server version: 10.0.12-MariaDB MariaDB Server

       Copyright (c) 2000, 2014, Oracle, SkySQL Ab and others.

       Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

       MariaDB [(none)]> CREATE DATABASE keystone;
       Query OK, 1 row affected (0.00 sec)

       MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
           -> IDENTIFIED BY 'fedora';
       Query OK, 0 rows affected (0.00 sec)

       MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
           -> IDENTIFIED BY 'fedora';
       Query OK, 0 rows affected (0.00 sec)

       MariaDB [(none)]> exit
       Bye

4. Create the database tables for the Identity Service::

       $ keystone-manage db_sync
       $ echo $?
       0

5. Define an authorization token to use as a shared secret between the
   Identity Service and other OpenStack services::

       $ ADMIN_TOKEN=$(openssl rand -hex 10)
       $ echo $ADMIN_TOKEN
       e714db24947f2ac66ee9

       $ openstack-config --set /etc/keystone/keystone.conf DEFAULT \
           admin_token $ADMIN_TOKEN

6. By default, Keystone uses PKI tokens. Create the signing keys and
   certificates and restrict access to the generated data::

       $ keystone-manage pki_setup --keystone-user keystone \
           --keystone-group keystone
       $ chown -R keystone:keystone /etc/keystone/ssl
       $ chmod -R o-rwx /etc/keystone/ssl

7. Enable, start, and check the status of Keystone::

       $ for i in start enable status; \
           do systemctl $i openstack-keystone; done

Define users, tenants, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use the authorization token to set up Keystone::

    $ export OS_SERVICE_TOKEN=$ADMIN_TOKEN
    $ echo $OS_SERVICE_TOKEN
    e714db24947f2ac66ee9

    $ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

1. Create the admin user::

       $ keystone user-create --name admin --pass fedora
       +----------+----------------------------------+
       | Property | Value                            |
       +----------+----------------------------------+
       | email    |                                  |
       | enabled  | True                             |
       | id       | 4fc3f515afde46888c975d588004cee1 |
       | name     | admin                            |
       | username | admin                            |
       +----------+----------------------------------+

2. Create the admin role::

       $ keystone role-create --name=admin
       +----------+----------------------------------+
       | Property | Value                            |
       +----------+----------------------------------+
       | id       | 1806e02d77604d45a0685861e1b738fe |
       | name     | admin                            |
       +----------+----------------------------------+

3. Create the admin tenant::

       $ keystone tenant-create --name=admin --description="Admin Tenant"
       +-------------+----------------------------------+
       | Property    | Value                            |
       +-------------+----------------------------------+
       | description | Admin Tenant                     |
       | enabled     | True                             |
       | id          | fa453d392ff84f00bba34116ff0aff71 |
       | name        | admin                            |
       +-------------+----------------------------------+

4. Associate the user, role and admin tenant together::

       $ keystone user-role-add --user=admin --tenant=admin --role=admin
       $ echo $?
       0

5. Create the Member role and add it to the config::

       $ keystone role-create --name Member
       +----------+----------------------------------+
       | Property | Value                            |
       +----------+----------------------------------+
       | id       | 3502901aa76f45078af1a8e496cee311 |
       | name     | Member                           |
       +----------+----------------------------------+

       $ openstack-config --set /etc/keystone/keystone.conf DEFAULT \
           member_role_name Member

6. Link the admin user, Member role, and admin tenant::

       $ keystone user-role-add --user=admin --role=Member --tenant=admin
       $ echo $?
       0

Create a normal user
~~~~~~~~~~~~~~~~~~~~

Create a normal user and tenant, and link them to the Member role. You
will use this account for daily non-administrative interaction with the
OpenStack cloud.

1. Create a demo user::

       $ keystone user-create --name=demo --pass=fedora
       +----------+----------------------------------+
       | Property | Value                            |
       +----------+----------------------------------+
       | email    |                                  |
       | enabled  | True                             |
       | id       | d3e5857199594cfd8421033adbce3b34 |
       | name     | demo                             |
       | username | demo                             |
       +----------+----------------------------------+

2. Create a demo tenant::

       $ keystone tenant-create --name=demo --description="Demo Tenant"
       +-------------+----------------------------------+
       | Property    | Value                            |
       +-------------+----------------------------------+
       | description | Demo Tenant                      |
       | enabled     | True                             |
       | id          | 5088e5f2abff444790f6867eec5c73bb |
       | name        | demo                             |
       +-------------+----------------------------------+

3. Link the demo user, Member role and demo tenant::

       $ keystone user-role-add --user=demo --role=Member --tenant=demo
       $ echo $?
       0

Create a service tenant
~~~~~~~~~~~~~~~~~~~~~~~

OpenStack services also require a username, tenant, and role to access
other OpenStack services. In a basic installation, OpenStack services
typically share a single tenant named service.

1. Create the service tenant::

       $ keystone tenant-create --name=service --description="Service Tenant"
       +-------------+----------------------------------+
       | Property    | Value                            |
       +-------------+----------------------------------+
       | description | Service Tenant                   |
       | enabled     | True                             |
       | id          | 98382f001bdb416692620bc15901b845 |
       | name        | service                          |
       +-------------+----------------------------------+

Create services and API endpoints
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Create service::

       $ keystone service-create --name=keystone --type=identity \
           --description="OpenStack Identity"
       +-------------+----------------------------------+
       | Property    | Value                            |
       +-------------+----------------------------------+
       | description | OpenStack Identity               |
       | enabled     | True                             |
       | id          | 950e947d6e9643298cace4c36c6b86ec |
       | name        | keystone                         |
       | type        | identity                         |
       +-------------+----------------------------------+

2. Specify API endpoint::

       $ keystone endpoint-create \
           --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
           --publicurl=http://controller:5000/v2.0 \
           --internalurl=http://controller:5000/v2.0 \
           --adminurl=http://controller:35357/v2.0
       +-------------+----------------------------------+
       | Property    | Value                            |
       +-------------+----------------------------------+
       | adminurl    | http://controller:35357/v2.0     |
       | id          | 3172e5e5ea244f00bf4005e56a0eadcc |
       | internalurl | http://controller:5000/v2.0      |
       | publicurl   | http://controller:5000/v2.0      |
       | region      | regionOne                        |
       | service_id  | 950e947d6e9643298cace4c36c6b86ec |
       +-------------+----------------------------------+