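# Ubuntu Cloud Archive (Grizzly on Precise). Plain http is acceptable for an
# apt source only because apt verifies the Release signature with the key that
# the ubuntu-cloud-keyring package (installed right after) provides -- do not
# work around signature errors with "--allow-unauthenticated".
# The source line is appended only once so re-running these notes does not
# duplicate the entry.
GRIZZLY_LIST=/etc/apt/sources.list.d/grizzly.list
GRIZZLY_SRC="deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/grizzly main"
grep -qsF -- "${GRIZZLY_SRC}" "${GRIZZLY_LIST}" || echo "${GRIZZLY_SRC}" >> "${GRIZZLY_LIST}"
apt-get install -y ubuntu-cloud-keyring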
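# Scala.
# Option 1 (distro package; an older Scala version will be installed):
#   sudo apt-get install scala
# Option 2: install the upstream .deb. This is a supply-chain step -- a package
# fetched from the internet is installed as root -- so fetch it over TLS and
# check its digest against the value published for the release before dpkg
# touches it. Export SCALA_DEB_SHA256 with that digest to enforce the check;
# without it the download is installed unverified (a warning is printed).
# NOTE(review): the archive path for 2.11.4 is as written in the original
# notes; confirm it still resolves on scala-lang.org.
SCALA_VERSION=2.11.4
SCALA_DEB="scala-${SCALA_VERSION}.deb"
sudo apt-get remove scala-library scala
wget "https://www.scala-lang.org/files/archive/${SCALA_DEB}"
if [ -n "${SCALA_DEB_SHA256:-}" ]; then
  echo "${SCALA_DEB_SHA256}  ${SCALA_DEB}" | sha256sum -c - \
    || { echo "checksum mismatch for ${SCALA_DEB}; not installing" >&2; exit 1; }
else
  echo "WARNING: SCALA_DEB_SHA256 not set; installing ${SCALA_DEB} unverified" >&2
fi
sudo dpkg -i "${SCALA_DEB}"
sudo apt-get update
sudo apt-get install scala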
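# sbt installation
# (to remove sbt again: sudo apt-get purge sbt)
# Same supply-chain caveat as for Scala: the .deb is downloaded and installed
# as root. Fetch over TLS and verify the digest published by the sbt project
# before dpkg runs; export SBT_DEB_SHA256 to enforce the check.
# NOTE(review): dl.bintray.com was shut down after these notes were written,
# so this URL may no longer resolve -- if you switch to another mirror, the
# checksum step is what still ties the file to the upstream release.
SBT_VERSION=0.13.6
SBT_DEB="sbt-${SBT_VERSION}.deb"
wget "https://dl.bintray.com/sbt/debian/${SBT_DEB}"
if [ -n "${SBT_DEB_SHA256:-}" ]; then
  echo "${SBT_DEB_SHA256}  ${SBT_DEB}" | sha256sum -c - \
    || { echo "checksum mismatch for ${SBT_DEB}; not installing" >&2; exit 1; }
else
  echo "WARNING: SBT_DEB_SHA256 not set; installing ${SBT_DEB} unverified" >&2
fi
sudo dpkg -i "${SBT_DEB}"
sudo apt-get update
sudo apt-get install sbt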
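# ---------------OpenStack Cookbook----------------
# ("//" is not a shell comment -- the original heading would have been run as
# a command.)
# Pre-requisite tool (provides add-apt-repository):
sudo apt-get update
sudo apt-get -y install python-software-properties
# Use a particular release of the PPA. This is a *trunk testing* PPA, i.e.
# unreleased builds; add-apt-repository imports the PPA's Launchpad signing
# key, so packages are signature-checked, but the content is lab-grade only.
sudo add-apt-repository ppa:openstack-ubuntu-testing/havana-trunk-testing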
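# Installing OpenStack Identity service -- MySQL backend on the controller.
# Lab defaults; override via the environment for anything reachable by others.
MYSQL_ROOT_PASS=${MYSQL_ROOT_PASS:-openstack}
MYSQL_HOST=${MYSQL_HOST:-172.16.0.200}

# Enable non-interactive installation of MySQL (preseeds the root password
# and marks the questions as already answered).
for key in root_password root_password_again; do
  echo "mysql-server-5.5 mysql-server/${key} password ${MYSQL_ROOT_PASS}" | sudo debconf-set-selections
  echo "mysql-server-5.5 mysql-server/${key} seen true" | sudo debconf-set-selections
done
export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get -q -y install mysql-server

# Listen on the controller address. (The original expression lacked the
# leading "s/" and was not a valid sed command, so my.cnf was never changed.)
sudo sed -i "s/^bind-address.*/bind-address = ${MYSQL_HOST}/" /etc/mysql/my.cnf
sudo service mysql restart

# Keep the root password out of argv (visible to every local user via `ps`):
# hand it to the mysql clients through a mode-0600 defaults file instead.
MYSQL_CNF=$(mktemp) || exit 1
chmod 0600 "${MYSQL_CNF}"
trap 'rm -f "${MYSQL_CNF}"' EXIT
printf '[client]\nuser=root\npassword=%s\n' "${MYSQL_ROOT_PASS}" > "${MYSQL_CNF}"

# Sets the root password on a fresh install; if the debconf preseed already
# applied it this call is refused, which is harmless.
mysqladmin -u root password "${MYSQL_ROOT_PASS}" 2>/dev/null || true

# root is granted from localhost and from the controller address only. The
# original additionally granted root@'%' (any host) WITH GRANT OPTION; that is
# dropped here because nothing in this setup needs remote root -- each service
# gets its own database account. If remote root access is really required,
# grant it per source host, never for '%'.
for host in localhost "${MYSQL_HOST}"; do
  mysql --defaults-extra-file="${MYSQL_CNF}" -h localhost -e \
    "GRANT ALL ON *.* TO 'root'@'${host}' IDENTIFIED BY '${MYSQL_ROOT_PASS}' WITH GRANT OPTION;"
done
mysqladmin --defaults-extra-file="${MYSQL_CNF}" flush-privileges
rm -f "${MYSQL_CNF}"
trap - EXIT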
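vagrant ssh controller
# 1. Install the OpenStack Identity service (keystone).
sudo apt-get update
sudo apt-get -y install keystone python-keyring

# Credentials. The MySQL root password and the keystone database password are
# separate variables on purpose: the original reused the root password for the
# keystone account. Both default to the cookbook's lab value.
MYSQL_ROOT_PASS=${MYSQL_ROOT_PASS:-openstack}
MYSQL_HOST=${MYSQL_HOST:-172.16.0.200}
KEYSTONE_DBPASS=${KEYSTONE_DBPASS:-openstack}
# Bootstrap shared secret for the admin API. "ADMIN" is the cookbook value
# that the later SERVICE_TOKEN exports expect; for anything beyond a lab set
# ADMIN_TOKEN to something random (e.g. openssl rand -hex 16), use the same
# value wherever SERVICE_TOKEN is exported, and remove admin_token from
# keystone.conf once a real admin user exists -- whoever holds it is admin.
ADMIN_TOKEN=${ADMIN_TOKEN:-ADMIN}

# Keep the root password out of argv: mysql reads it from a private file.
MYSQL_CNF=$(mktemp) || exit 1
chmod 0600 "${MYSQL_CNF}"
trap 'rm -f "${MYSQL_CNF}"' EXIT
printf '[client]\nuser=root\npassword=%s\n' "${MYSQL_ROOT_PASS}" > "${MYSQL_CNF}"

# 2./3. Create the keystone database and a user scoped to it. The password is
# set in the GRANT itself: the original granted first and set the password in
# a second statement, which (MySQL 5.5 without NO_AUTO_CREATE_USER) leaves
# 'keystone'@'%' with an empty password in between. '%' is kept from the
# original; tighten it to the controller address if keystone only ever
# connects from there.
mysql --defaults-extra-file="${MYSQL_CNF}" -e "CREATE DATABASE IF NOT EXISTS keystone;"
mysql --defaults-extra-file="${MYSQL_CNF}" -e \
  "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${KEYSTONE_DBPASS}';"
rm -f "${MYSQL_CNF}"
trap - EXIT

# 4. Point keystone at the database ([sql] connection in keystone.conf). The
#    host comes from MYSQL_HOST instead of being hard-coded a second time.
#    (A '#' or '&' in KEYSTONE_DBPASS would break this sed expression.)
sudo sed -i "s#^connection.*#connection = mysql://keystone:${KEYSTONE_DBPASS}@${MYSQL_HOST}/keystone#" /etc/keystone/keystone.conf
# 5. Super-user admin token. (The original sed expressions here and in step 6
#    were missing the closing "/" and fail with "unterminated `s' command".)
sudo sed -i "s/^# admin_token.*/admin_token = ${ADMIN_TOKEN}/" /etc/keystone/keystone.conf
# 6. UUID tokens instead of PKI-signed ones -- a lab simplification. UUID
#    tokens are bearer secrets that only keystone can validate, so every
#    service round-trips to keystone for each request.
sudo sed -i "s/^#token_format.*/token_format = UUID/" /etc/keystone/keystone.conf
# keystone.conf now holds the DB password and the admin token: confirm it is
# not world-readable (ls -l /etc/keystone/keystone.conf).

# 7./8. Populate the schema first, then restart, so the service never runs
#    against an empty database (the original restarted before db_sync).
sudo keystone-manage db_sync
sudo stop keystone
sudo start keystone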
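# Creating tenants -- Getting ready
# Install the keystoneclient tool on an Ubuntu client to manage the Identity
# service, and set the environment for administrative access.
vagrant ssh controller
sudo apt-get update
sudo apt-get -y install python-keystoneclient
# The controller is 172.16.0.200 everywhere else in these notes; the original
# had 172.16.172.200 here, which would not connect.
# SERVICE_TOKEN is the bootstrap admin_token (defaults to the cookbook value;
# export ADMIN_TOKEN if keystone.conf was given a different one) and
# SERVICE_ENDPOINT is the admin port over plain http: use this only from the
# management network, and unset both once the admin user exists (switch to
# OS_USERNAME/OS_PASSWORD/OS_TENANT_NAME/OS_AUTH_URL).
export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=${ADMIN_TOKEN:-ADMIN}
export SERVICE_ENDPOINT="http://${ENDPOINT}:35357/v2.0"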
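# 1. Create a tenant called cookbook. (The original line was missing the
#    closing quote on the description and spelled the flag "--enable".)
keystone tenant-create --name cookbook --description "Default Cookbook Tenant" --enabled true
# 2. Create the admin tenant. The original had the typo "cookbooc" for the
#    name; it is "admin" here to match the step and the description.
keystone tenant-create --name admin --description "Admin Tenant" --enabled true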
# Configuring roles: create the "admin" role, then the "Member" role.
for role_name in admin Member; do
  keystone role-create --name "${role_name}"
done
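# Adding users
# 1. Look up the cookbook tenant ID. The pattern matches " cookbook " as a
#    whole table cell; the original had an extra space before the closing
#    "\ " and only matches if the cell is padded by two spaces, leaving
#    TENANT_ID empty otherwise.
TENANT_ID=$(keystone tenant-list | awk '/\ cookbook\ / {print $2}')
[ -n "${TENANT_ID}" ] || { echo "cookbook tenant not found" >&2; exit 1; }
# 2. Create the admin user in the cookbook tenant. The keystone CLI only takes
#    the password as an argument, so it is visible in `ps` and shell history
#    for the duration of the call -- treat the lab default as throwaway and
#    change it through the API afterwards.
PASSWORD=${PASSWORD:-openstack}
keystone user-create --name admin --tenant_id "${TENANT_ID}" --pass "${PASSWORD}" --email root@localhost --enabled true
# 3. Admin role ID.
ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')
# 4. Admin user ID.
USER_ID=$(keystone user-list | awk '/\ admin\ / {print $2}')
[ -n "${ROLE_ID}" ] && [ -n "${USER_ID}" ] || { echo "admin role or user not found" >&2; exit 1; }
# 5. Assign the admin role to the user within the cookbook tenant.
keystone user-role-add --user "${USER_ID}" --role "${ROLE_ID}" --tenant_id "${TENANT_ID}"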
Defining service endpoints
Each of the services in our cloud environment runs on a particular URL and port — these are the endpoint addresses of our services. When a client communicates with our OpenStack environment, it is the OpenStack Identity service that returns the endpoint URLs, which the client then uses to reach the other services. To enable this, we must define these endpoints. Because clients trust whatever the catalog returns, only the admin API should be able to write it; note also that the endpoints defined below are plain http, which is acceptable for this isolated lab only. In a cloud environment we can also define multiple regions. Regions can be thought of as different datacenters, which implies that they have different URLs or IP addresses. Under the OpenStack Identity service, we can define these URL endpoints separately for each region. As we only have a single environment, we will reference it as RegionOne.
# Getting ready: keystone client on the controller, pointed at the admin API
# with the bootstrap token. SERVICE_TOKEN is a bearer secret sent over plain
# http on the admin port -- management network only.
vagrant ssh controller
sudo apt-get update
sudo apt-get --yes install python-keystoneclient
ENDPOINT=172.16.0.200
SERVICE_TOKEN=ADMIN
SERVICE_ENDPOINT="http://${ENDPOINT}:35357/v2.0"
export ENDPOINT SERVICE_TOKEN SERVICE_ENDPOINT
# steps:
# 1. Register the services the Identity service needs to know about, one
#    "name|type|description" entry each (same five services, same order).
service_defs=(
  "nova|compute|OpenStack Compute Service"
  "ec2|ec2|EC2 Service"
  "glance|image|OpenStack Image Service"
  "keystone|identity|OpenStack Identity Service"
  "volume|volume|Volume Service"
)
for entry in "${service_defs[@]}"; do
  IFS='|' read -r svc_name svc_type svc_desc <<<"${entry}"
  keystone service-create --name "${svc_name}" --type "${svc_type}" --description "${svc_desc}"
done
2. add service endpoint URLs services run on.
# OpenStack Compute Nova API
NOVA_SERVICE_ID=$(keystone service-list | awk '/\ nova\ / {print $2}')
PUBLIC="http://$ENDPOINT:8774/v2/\$(tenant_id)s"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC
keystone endpoint-create --region RegionOne --service_id $NOVA_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
3. define the rest of our service endpoints
# OpenStack Compute EC2 API
EC2_SERVICE_ID=$(keystone service-list | awk '/\ ec2\ / {print $2}')
PUBLIC="http://$ENDPOINT:8773/services/Cloud"
ADMIN="http://$ENDPOINT:8773/services/Admin"
INTERNAL=$PUBLIC
keystone endpoint-create --region RegionOne --service_id $EC2_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
# Glance Image Service
GLANCE_SERVICE_ID=$(keystone service-list | awk '/\ glance\ / {print $2}')
PUBLIC="http://$ENDPOINT:9292/v1"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC
keystone endpoint-create --region RegionOne --service_id $GLANCE_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
# Keystone OpenStack Identity Service
KEYSTONE_SERVICE_ID=$(keystone service-list | awk '/\ keystone\ / {print $2}')
PUBLIC="http://$ENDPOINT:5000/v2.0"
ADMIN="http://$ENDPOINT:35357/v2.0"
INTERNAL=$PUBLIC
keystone endpoint-create --region RegionOne --service_id $KEYSTONE_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
#Cinder Block Storage ServiceService
CINDER_SERVICE_ID=$(keystone service-list | awk '/\ volume\ / {print $2}')
PUBLIC="http://$ENDPOINT:8776/v1/%(tenant_id)s"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC
keystone endpoint-create --region RegionOne --service_id $CINDER_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL
Creating the service tenant and service users
With the service endpoints created, we can now configure them so that our OpenStack services can utilize them. To do this, each service is configured with a username and password within a special service tenant. Giving each service its own username and password allows for greater security, easier troubleshooting and auditing within our environment: a compromised or misbehaving service can be identified and its credential rotated individually. For each service that uses the OpenStack Identity service for authentication and authorization, we then specify these details in its configuration file when setting up that service. Each service has to authenticate with keystone in order to be available within OpenStack, and configuration of that service is then done using these credentials. For example, for glance we specify the following in /etc/glance/glance-registry-api.ini when used with the OpenStack Identity service, which matches what we created previously:
# keystone auth_token middleware settings for glance; the admin_* values must
# match the "glance" user created in the service tenant below.
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
# Both the public (5000) and admin (35357) keystone APIs are reached over
# plain http, so the service password and every token validated through this
# middleware cross the wire unencrypted -- management network only.
service_protocol = http
service_host = 172.16.0.200
service_port = 5000
auth_host = 172.16.0.200
auth_port = 35357
auth_protocol = http
auth_uri = http://172.16.0.200:5000/
admin_tenant_name = service
admin_user = glance
# Clear-text service credential (the cookbook uses password == username);
# keep this file readable by the glance user only.
admin_password = glance
# Getting ready: same client setup as before -- keystoneclient on the
# controller, admin API addressed with the bootstrap token over plain http
# (a bearer secret; management network only).
vagrant ssh controller
sudo apt-get update
sudo apt-get --yes install python-keystoneclient
ENDPOINT=172.16.0.200
SERVICE_TOKEN=ADMIN
SERVICE_ENDPOINT="http://${ENDPOINT}:35357/v2.0"
export ENDPOINT SERVICE_TOKEN SERVICE_ENDPOINT
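# Configure an appropriate service tenant.
# 1./2. Create the service tenant and record its ID.
keystone tenant-create --name service --description "Service Tenant" --enabled true
SERVICE_TENANT_ID=$(keystone tenant-list | awk '/\ service\ / {print $2}')
[ -n "${SERVICE_TENANT_ID}" ] || { echo "service tenant not found" >&2; exit 1; }
ADMIN_ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')
[ -n "${ADMIN_ROLE_ID}" ] || { echo "admin role not found" >&2; exit 1; }

# 3.-6. One account per service, each given the admin role in the service
# tenant. The cookbook uses password == username; that matches the
# admin_password values in the services' paste configs, but it is a guessable
# credential for an account holding the admin role -- set NOVA_PASS,
# GLANCE_PASS, KEYSTONE_PASS and CINDER_PASS (and update the configs) for
# anything beyond a throwaway lab. The password is passed in argv (visible in
# `ps`); the keystone CLI offers no other way.
# Creates user $1 with password $2 in the service tenant and grants it admin.
add_service_user() {
  local uid
  keystone user-create --name "$1" --pass "$2" --tenant_id "${SERVICE_TENANT_ID}" \
    --email "$1@localhost" --enabled true
  # " name " as a whole table cell; the original cinder pattern had an extra
  # space and would not have matched, leaving the role unassigned.
  uid=$(keystone user-list | awk -v n=" $1 " 'index($0, n) {print $2}')
  [ -n "${uid}" ] || { echo "user $1 not found after creation" >&2; return 1; }
  keystone user-role-add --user "${uid}" --role "${ADMIN_ROLE_ID}" --tenant_id "${SERVICE_TENANT_ID}"
}

add_service_user nova "${NOVA_PASS:-nova}"
add_service_user glance "${GLANCE_PASS:-glance}"
add_service_user keystone "${KEYSTONE_PASS:-keystone}"
add_service_user cinder "${CINDER_PASS:-cinder}"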