CentOS Stream 9
Sponsored Link

OpenStack Zed : Configure Keystone #12022/11/10

Install and Configure OpenStack Identity Service (Keystone).
This example is based on the environment like follows.
|   [ dlp.srv.world ]   |
|     (Control Node)    |
|                       |
|  MariaDB    RabbitMQ  |
|  Memcached  Nginx     |
|  Keystone   httpd     |

[1] Add a User and Database on MariaDB for Keystone.
[root@dlp ~]#

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone; 
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'password'; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'password'; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges; 
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
[2] Install Keystone.
# install from Zed, EPEL

[root@dlp ~]#
dnf --enablerepo=centos-openstack-zed,epel -y install openstack-keystone python3-openstackclient httpd mod_ssl python3-mod_wsgi python3-oauth2client mod_ssl
[3] Configure Keystone.
[root@dlp ~]#
vi /etc/keystone/keystone.conf
# line 443 : add to specify Memcache server

memcache_servers = dlp.srv.world:11211
# line 678 : add to specify MariaDB connection info

connection = mysql+pymysql://keystone:password@dlp.srv.world/keystone
# line 2626 : uncomment

provider = fernet
[root@dlp ~]#
su -s /bin/bash keystone -c "keystone-manage db_sync"
# initialize keys

[root@dlp ~]#
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

[root@dlp ~]#
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# define Keystone Host

[root@dlp ~]#
export controller=dlp.srv.world
# bootstrap keystone
# replace any password you like for [adminpassword] section

[root@dlp ~]#
keystone-manage bootstrap --bootstrap-password adminpassword \
--bootstrap-admin-url https://$controller:5000/v3/ \
--bootstrap-internal-url https://$controller:5000/v3/ \
--bootstrap-public-url https://$controller:5000/v3/ \
--bootstrap-region-id RegionOne
[4] If SELinux is enabled, change boolean settings.
[root@dlp ~]#
setsebool -P httpd_use_openstack on

[root@dlp ~]#
setsebool -P httpd_can_network_connect on

[root@dlp ~]#
setsebool -P httpd_can_network_connect_db on

[root@dlp ~]#
vi keystone-httpd.te
# create new

module keystone-httpd 1.0;

require {
        type httpd_t;
        type keystone_var_lib_t;
        type keystone_log_t;
        class file { create getattr ioctl open read write };
        class dir { add_name create write };

#============= httpd_t ==============
allow httpd_t keystone_var_lib_t:dir { add_name create write };
allow httpd_t keystone_var_lib_t:file { create open write getattr ioctl open read };
allow httpd_t keystone_log_t:dir { add_name write };
allow httpd_t keystone_log_t:file create;

[root@dlp ~]#
checkmodule -m -M -o keystone-httpd.mod keystone-httpd.te

[root@dlp ~]#
semodule_package --outfile keystone-httpd.pp --module keystone-httpd.mod

[root@dlp ~]#
semodule -i keystone-httpd.pp

[5] If Firewalld is running, allow ports for services.
[root@dlp ~]#
firewall-cmd --add-port=5000/tcp

[root@dlp ~]#
firewall-cmd --runtime-to-permanent

Get valid SSL/TLS certificate, or Create self-signed certificate.
It uses valid SSL/TLS certificate on this example.
[7] Configure Apache httpd.
[root@dlp ~]#
vi /etc/httpd/conf/httpd.conf
# line 101 : add to specify server name

ServerName dlp.srv.world
[root@dlp ~]#
vi /usr/share/keystone/wsgi-keystone.conf
# add settings for SSL/TLS

Listen 5000

<VirtualHost *:5000>
    SSLEngine on
    SSLHonorCipherOrder on
    SSLProxyCipherSuite PROFILE=SYSTEM
    SSLCertificateFile /etc/letsencrypt/live/dlp.srv.world/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dlp.srv.world/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/dlp.srv.world/chain.pem
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public

[root@dlp ~]#
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

[root@dlp ~]#
systemctl enable --now httpd

Matched Content