OpenStack install Keystone

This article mainly records how to install the keystone authentication and authorization component, the first component of openstack

The openstack version I chose is the queens version

1. OpenStack official website

I took a look at the official website and the documentation is quite complete. I used centos7 for the experiment.

2. KeyStone Overview

Keystone is an important component of authentication, authorization, and directory service management under the openstack system. Keystone is usually the first component we contact with openstack. It can manage other openstack services, and each service can have one or moreendpointsand endpoints are divided into 3 types: admin, internal, and public. Through the name, we can also roughly know that the terminal address exposed by other services is used in unreasonable scenarios. public is generally external. Internal is generally the communication address between services , admin is the address of the general administrator operation, and the endpoint has the region type, which can be used for regional division of the endpoint, we use the defaultRegionOne

see in detail

3. Install OpenStack packages

The front needs to prepare a centos7 system

  1. Upgrade the packages on all nodes:

    yum upgrade

    Note: If the upgrade process includes a new kernel, reboot your host to activate it.

  2. Install the appropriate OpenStack client for your version.

    For CentOS 7 and RHEL 7

    # yum install python-openstackclient

    For CentOS 8 and RHEL 8

    # yum install python3-openstackclient
  3. RHEL and CentOS enable SELinux by default. Install the openstack-selinux package to automatically manage security policies for OpenStack services:

    # yum install openstack-selinux

​ Or by manually closing selnux

4. Network Time Protocol (NTP) (必须)

The various components of openstack need to be called frequently, so their time must be consistent, so this NTP must be processed

Centos7 has recommended the use of chrony, and I see the openstack official documentation does the same thing

4.1 Install chrony

yum -y install chrony

4.2 Edit /etc/chrony.conf

#注释 这4个
#server iburst
#server iburst
#server iburst
#server iburst #添加阿里云 ntp 服务器
server iburst #允许同步的网段 我的是这个,根据情况自己配置

4.3 Start chrony

Note that chronyd.service

systemctl enable chronyd.service
systemctl start chronyd.service

4.4 Execute synchronous chronyc sources -v

4.5 Other nodes also need to install chrony

nodes Other nodes can directly synchronize the above controller node


注意: 由于chrony 使用 udp 端口 123 和 323 ,所以 注意关闭 防火墙,或者把端口打开!

5. Install mariadb

Since the related services information in keystone needs to be stored, mariadb needs to be installed, but it also supports other

5.1 Install the packages: Install the mariadb package

# yum install mariadb mariadb-server python2-PyMySQL

5.2 Edit /etc/my.cnf.d/openstack.cnf

Create and edit the /etc/my.cnf.d/openstack.cnf file (backup existing configuration files in /etc/my.cnf.d/ if needed) and complete the following actions:

  • Create a [mysqld] section, and set the bind-address key to the management IP address of the controller node to enable access by other nodes via the management network. Set additional keys to enable useful options and the UTF-8 character set:

    bind-address = default-storage-engine = innodb
    innodb_file_per_table = on
    max_connections = 4096
    collation-server = utf8_general_ci
    character-set-server = utf8

​ pay attention to /etc/my.cnf.d/openstack.cnf Edit below and then bind-address can be specified as the controller node ip

5.3 Start mariadb service

systemctl enable mariadb.service
systemctl start mariadb.service

5.4 Security Setup Wizard

mysql_secure_installation  #一步步配置即可

6. Install rabbitmq (this article is optional, because this article only installs keystone)

OpenStack uses message queues to coordinate operations and state information between services. The Message Queuing service typically runs on the controller node. OpenStack supports several message queuing services, including RabbitMQ, Qpid, and ZeroMQ.

6.1 Install rabbitmq-server

yum install rabbitmq-server

6.2 Startup

systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service

6.3 Configure openstack rabiitmq user

rabbitmqctl add_user openstack RABBIT_PASS #注意替换 RABBIT_PASS 密码

6.4 Permit configuration, write, and read access for the openstack user:

rabbitmqctl set_permissions openstack ".*" ".*" ".*"

7. Install Keystone and necessary configuration

Official website address:

7.1 Configure mysql

The mariadb service has been installed above, and you need to start configuring it here

Before you install and configure the Identity service, you must create a database.

  1. Login to mysql with root user:

    $ mysql -u root -p
  2. create keystone database:

    MariaDB [(none)]> CREATE DATABASE keystone;
  3. Grant proper access to the keystone database:

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \

​ Replace KEYSTONE_DBPASS with a suitable password.

7.2 Install keystone components

7.2.1 Install keystone
yum install openstack-keystone httpd mod_wsgi

Error: Package: python2-qpid-proton-0.22.0-1.el7.x86_64 (centos-openstack-queens)
Requires: qpid-proton-c(x86-64) = 0.22.0-1.el7
Available: qpid-proton-c-0.14.0-2.el7.x86_64 (extras)
qpid-proton-c(x86-64) = 0.14.0-2.el7
Available: qpid-proton-c-0.17.0-4.el7.x86_64 (centos-openstack-queens)
qpid-proton-c(x86-64) = 0.17.0-4.el7
Available: qpid-proton-c-0.22.0-1.el7.x86_64 (centos-openstack-queens)
qpid-proton-c(x86-64) = 0.22.0-1.el7
Installing: qpid-proton-c-0.35.0-1.el7.x86_64 (epel)
qpid-proton-c(x86-64) = 0.35.0-1.el7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest 包冲突导致的兼容错误单独选定需要的版本进行安装即可 `解决方案:yum install -y python2-qpid-proton-0.22.0-1.el7.x86_64

After the installation is complete /etc/keyston exists

7.2.2 Editing /etc/keystone/keystone.conf connect to mysql
# ...
connection = mysql+pymysql://keystone:[email protected]/keystone

Note that the controller is your local ip and can be configured in /etc/hosts

7.2.3 token provider
# ...
provider = fernet
7.2.4 Synchronizing keystone db
su -s /bin/sh -c "keystone-manage db_sync" keystone
7.2.5 Initialize fernet key
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
7.2.6 Bootstrap the Identity service:

Note the replacement of ADMIN_PASS

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne

7.3 Configure Apache Http Service

7.3.1 Editing /etc/httpd/conf/httpd.conf
ServerName controller
7.3.2 Create ln -s

Create a link to the /usr/share/keystone/wsgi-keystone.conf file:

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
7.3.3 Start httpd
systemctl enable httpd.service
systemctl start httpd.service
7.3.4 Expose accounts to environment variables

In order to be able to execute the openstack command

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS #这个是上面 keystone-manage bootstrap 指定的
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3

8. Create Domain Projects, Users, Roles, etc.

8.1 Creating Domains

openstack domain create --description "An Example Domain" example

8.2 Creating a project

openstack project create --domain default --description "Service Project" myservice

8.3 Create a role associated user

#创建 用户
openstack user create --domain default --password ADMIN_PASS myuser #创建 角色
openstack role create myrole #为servce 项目指定用户角色
openstack role add --project service --user myuser myrole #为service项目指定用户角色

9. Authenticate the KeyStone service

9.1 Authenticating the admin user

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue

9.2 Authenticating the myuser user

openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myservice --os-username myuser token issue

So far the openstack keystone component has been installed. .


This article mainly records the installation process of the keystone component of the openstack queens version. I was also very helpless when the leader urged me to learn openstack.

Welcome everyone to visit the personal blog Johnny Cottage