OpenStack Ocata : Configure Keystone#1


Install and Configure OpenStack Identity Service (Keystone).
This example is based on the environment shown below.
                  eth0|10.0.0.30 
          +-----------+-----------+
          |    [ Control Node ]   |
          |                       |
          |  MariaDB    RabbitMQ  |
          |  Memcached  httpd     |
          |  Keystone             |
          +-----------------------+

[1]Add a user and database on MariaDB for Keystone. Replace 'password' with a strong password of your own; the grant to keystone@'%' accepts the user from any host, which the connection string in keystone.conf needs because it reaches MariaDB by the controller's IP (10.0.0.30) rather than the local socket, so narrow it to keystone@'10.0.0.30' if you want to limit where the account can be used from.
[root@dlp ~]# 
mysql -u root -p 

Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.1.20-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 
create database keystone; 

Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> 
grant all privileges on keystone.* to keystone@'localhost' identified by 'password'; 

Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> 
grant all privileges on keystone.* to keystone@'%' identified by 'password'; 

Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> 
flush privileges; 

Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> 
exit

Bye
[2]Install Keystone.
# install from the Ocata and EPEL repositories

[root@dlp ~]# 
yum --enablerepo=centos-openstack-ocata,epel -y install openstack-keystone openstack-utils python-openstackclient httpd mod_wsgi
[3]Configure Keystone.
[root@dlp ~]# 
vi /etc/keystone/keystone.conf
# line 714: add the MariaDB connection info under the [database] section
# (use the password set for the keystone DB user; keystone.conf holds it in clear text, so keep the file mode 640 root:keystone as installed)

[database]
connection = mysql+pymysql://keystone:password@10.0.0.30/keystone
# line 1494: specify the Memcached server

[memcache]
servers = 10.0.0.30:11211
# line 2791: use Fernet tokens (Fernet tokens are not persisted, so the memcache token driver stores no tokens; it is kept here only for compatibility)

[token]
provider = fernet
driver = memcache
[root@dlp ~]# 
su -s /bin/bash keystone -c "keystone-manage db_sync"
# initialize the Fernet token and credential key repositories (/etc/keystone/fernet-keys and /etc/keystone/credential-keys, owned by keystone, mode 700 with mode 600 key files); Fernet keys should later be rotated with "keystone-manage fernet_rotate"

[root@dlp ~]# 
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone 

[root@dlp ~]# 
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# set the address of this (controller) host

[root@dlp ~]# 
export controller=10.0.0.30
# bootstrap keystone (replace "adminpassword" with a password of your choice); the endpoints are registered over plain HTTP, so put TLS in front of httpd before exposing them beyond a lab network

[root@dlp ~]# 
keystone-manage bootstrap --bootstrap-password adminpassword \
--bootstrap-admin-url http://$controller:35357/v3/ \
--bootstrap-internal-url http://$controller:35357/v3/ \
--bootstrap-public-url http://$controller:5000/v3/ \
--bootstrap-region-id RegionOne
[4]If SELinux is enabled, set the booleans that let httpd (which serves Keystone) reach the network and the database.


[root@dlp ~]# 
setsebool -P httpd_use_openstack on 

[root@dlp ~]# 
setsebool -P httpd_can_network_connect on 

[root@dlp ~]# 
setsebool -P httpd_can_network_connect_db on 
[5]Enable the WSGI config for Keystone and start Apache httpd.
[root@dlp ~]# 
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ 

[root@dlp ~]# 
systemctl start httpd 

[root@dlp ~]# 
systemctl enable httpd 
[6]If Firewalld is running, allow ports for services.
[root@dlp ~]# 
firewall-cmd --add-port={5000/tcp,35357/tcp} --permanent 

success
[root@dlp ~]# 
firewall-cmd --reload 

success
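As an added example (not code from the original page), the following POSIX shell check can be run on the controller once the steps above are done. It verifies the points that matter for security in what was just configured: keystone.conf, which holds the database password, is not readable by others; the placeholder password from the examples has been replaced; the Fernet provider is set; and both key repositories are mode 700 with mode 600 key files. The repository paths /etc/keystone/fernet-keys and /etc/keystone/credential-keys are keystone-manage's defaults, and the numeric key file names ("0", "1", ...) plus the parameterised paths are assumptions made so the same functions can be exercised against a constructed copy of the files.

```shell
#!/bin/sh
# Added example, not code from the original page: sanity-check the Keystone
# configuration produced by the steps above. Paths are parameters so the same
# functions run against a constructed copy; the /etc/keystone/fernet-keys and
# /etc/keystone/credential-keys defaults and the numeric key file names ("0",
# "1", ...) are assumptions based on keystone-manage's defaults. Needs GNU stat.

# conf_get SECTION KEY FILE: print the value of KEY inside [SECTION] (first match).
conf_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec && !/^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
        }' "$3"
}

# other_bits FILE: the "others" digit of FILE's octal mode, e.g. 640 -> 0.
other_bits() { stat -c '%a' "$1" | sed 's/.*\(.\)$/\1/'; }

# check_keystone_conf CONF FERNET_DIR CRED_DIR: print one line per finding and
# return the number of findings (0 means the configuration passed).
check_keystone_conf() {
    conf=$1; fernet=$2; cred=$3; n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }

    [ -f "$conf" ] || { fail "$conf is missing"; return $n; }
    # keystone.conf carries the DB password in clear text: deny "other" access.
    [ "$(other_bits "$conf")" = 0 ] || fail "$conf is readable by others"

    db=$(conf_get database connection "$conf")
    [ -n "$db" ] || fail "[database] connection is not set"
    # the page's placeholder DB password must not survive into production
    case "$db" in *:password@*) fail "[database] connection still uses the placeholder password" ;; esac

    [ "$(conf_get token provider "$conf")" = fernet ] || fail "[token] provider is not fernet"

    # key repositories: directory 700, key files 600, at least one key present
    for d in "$fernet" "$cred"; do
        if [ ! -d "$d" ]; then fail "key repository $d is missing"; continue; fi
        [ "$(stat -c '%a' "$d")" = 700 ] || fail "$d should be mode 700"
        ls "$d" | grep -q '^[0-9][0-9]*$' \
            || fail "$d holds no keys (run keystone-manage fernet_setup / credential_setup)"
        for k in "$d"/*; do
            [ -f "$k" ] || continue
            [ "$(stat -c '%a' "$k")" = 600 ] || fail "$k should be mode 600"
        done
    done
    return $n
}

# On the controller itself, check the live installation.
if [ -f /etc/keystone/keystone.conf ]; then
    check_keystone_conf /etc/keystone/keystone.conf \
        /etc/keystone/fernet-keys /etc/keystone/credential-keys \
        && echo "OK: keystone configuration passed" \
        || echo "findings above need attention"
fi
```

Run it as root on the controller; a non-zero exit status together with the FAIL lines tells you which of the files from steps [3] and [4] still need attention. Ownership (keystone:keystone on the key repositories) is deliberately not checked here so that the functions also run against a copy made by an unprivileged user.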
