Building Keystone

aborkar-ibm edited this page Dec 8, 2020 · 57 revisions

The following versions of Keystone are available in the respective distributions at the time these build instructions were written:

  • Ubuntu 16.04 has 9.3.0
  • Ubuntu 18.04 has 13.0.2
  • Ubuntu 20.04 has 17.0.0

The instructions below describe the steps to build Keystone stable/Stein version 17.0.0 on Linux on IBM Z for the following distributions:

  • RHEL (7.6, 7.7, 7.8, 8.1, 8.2)
  • SLES (12 SP4, 12 SP5, 15 SP1)
  • Ubuntu (16.04, 18.04)

General notes:

  • When following the steps below, use a standard (non-root) user unless otherwise specified
  • A directory /<source_root>/ is referred to in these instructions; this is a temporary writable directory that you may place anywhere you like

Step 1: Install the dependencies

 export SOURCE_ROOT=/<source_root>/
  • RHEL (7.6, 7.7, 7.8, 8.1, 8.2)

    sudo yum install -y gcc git python3-setuptools python3-lxml curl python3-ldap sqlite-devel openldap-devel python3-devel libxslt-devel openssl-devel net-tools libffi-devel which openssl httpd httpd-devel mariadb-server postgresql-devel mariadb-devel bzip2-devel patch python3-pip make redhat-rpm-config
  • SLES (12 SP4, 12 SP5)

    cd $SOURCE_ROOT
    wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Python3/3.8.3/build_python3.sh
    bash build_python3.sh -y 
    sudo zypper install -y gcc git-core curl openldap2-devel libffi-devel libxslt-devel which apache2 apache2-devel mariadb postgresql-devel make cyrus-sasl-devel openssl openssl-devel net-tools libpcre1 libmysqlclient-devel gawk patch apache2-mod_wsgi
  • SLES 15 SP1

    sudo zypper install -y gcc git-core curl openldap2-devel libffi-devel python3-devel libxslt-devel which apache2 apache2-devel mariadb postgresql-devel make cyrus-sasl-devel python3-setuptools python3-lxml openssl openssl-devel net-tools libpcre1 libmariadb-devel gawk patch python3-pip
  • Ubuntu 16.04

    sudo apt-get update
    cd $SOURCE_ROOT
    wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Python3/3.8.3/build_python3.sh
    bash build_python3.sh -y 
    sudo apt-get install -y libpq-dev build-essential libncurses-dev libapache2-mod-wsgi-py3 git wget cmake gcc make tar libpcre3-dev bison scons libboost-dev libboost-program-options-dev openssl dh-autoreconf libssl-dev curl libxslt-dev net-tools libffi-dev apache2-dev apache2 mysql-server libsasl2-dev zlib1g-dev ed patch libmysqlclient-dev
  • Ubuntu (18.04)

    sudo apt-get update
    sudo apt-get install -y libpq-dev build-essential libncurses-dev libapache2-mod-wsgi-py3 git wget cmake gcc make tar libpcre3-dev bison scons libboost-dev libboost-program-options-dev openssl dh-autoreconf libssl-dev python3-setuptools python3-lxml curl python3-ldap python3-dev libxslt-dev net-tools libffi-dev apache2-dev python3-mysqldb apache2 mysql-server python3-pkgconfig libsasl2-dev zlib1g-dev ed patch python3-pip
  • Install mod_wsgi (For SLES 12.x, Ubuntu 16.04)

      cd $SOURCE_ROOT
      wget https://github.com/GrahamDumpleton/mod_wsgi/archive/4.7.1.tar.gz
      tar -xvf 4.7.1.tar.gz
      cd mod_wsgi-4.7.1/
      ./configure --with-apxs=/usr/bin/apxs2 --with-python=/usr/local/bin/python3
      make
      sudo make install

Step 2: Install additional python packages

  • RHEL (7.6, 7.7, 7.8)

    sudo pip3 install --upgrade setuptools
    sudo pip3 install --ignore-installed ipaddress wheel
    sudo pip3 install six==1.11 tox mod_wsgi python-memcached python-openstackclient requests pika==0.10.0 mysqlclient 
  • RHEL (8.1, 8.2)

    sudo pip3 install --upgrade setuptools
    sudo pip3 install --ignore-installed ipaddress wheel
    sudo pip3 install six==1.11 tox cryptography mod_wsgi python-memcached python-openstackclient requests pika==0.10.0 mysqlclient 
  • SLES (12 SP4 , 12 SP5)

    sudo ln -fs /usr/lib/libpq.so.5 /usr/lib/libpq.so
    sudo ln -fs /usr/lib64/libpq.so.5 /usr/lib64/libpq.so
    sudo pip3 install --upgrade setuptools
    sudo pip3 install six tox mod_wsgi python-memcached python-openstackclient requests pika mysqlclient
  • SLES 15 SP1

    sudo ln -fs /usr/lib/libpq.so.5 /usr/lib/libpq.so
    sudo ln -fs /usr/lib64/libpq.so.5 /usr/lib64/libpq.so
    sudo pip3 install --upgrade pip
    sudo pip3 install --upgrade setuptools
    sudo pip3 install six==1.11 tox cryptography mod_wsgi python-memcached python-openstackclient requests pika==0.10.0 mysqlclient python-ldap
  • Ubuntu (16.04, 18.04)

    sudo pip3 install --upgrade setuptools
    sudo pip3 install six tox cryptography mod_wsgi python-memcached python-openstackclient requests pika # Ubuntu 18.04
    sudo pip3 install six tox mod_wsgi python-memcached python-openstackclient requests pika mysqlclient  # Ubuntu 16.04

Note: If any command fails with a "command not found" error, run it as sudo env PATH=$PATH <command> so that the root shell sees the same PATH as your user.

Step 3: Configure and start MariaDB server

  • Initialize MariaDB server

    • RHEL and SLES

      sudo /usr/bin/mysql_install_db --user=mysql
    • Ubuntu

      sudo /usr/sbin/mysqld --initialize --user=mysql --datadir=/var/lib/mysql/data
  • Configure Log folder for Ubuntu

    sudo mkdir -p /var/log/mysql
    sudo mkdir /var/run/mysqld
    sudo chown -R mysql:mysql /var/run/mysqld
  • Start MariaDB service

    sudo /usr/bin/mysqld_safe --user=mysql &

Step 4: Create user and grant privileges on Keystone database

Note:

  • <KEYSTONE_HOST_IP> - IP address of the machine where you are installing the Keystone service
  • <DB_HOST> - IP address or hostname of the machine where the MariaDB service is running, e.g. 127.0.0.1
  • <KEYSTONE_DBPASS> - database password for the keystone user
  • <PASSWORD> - database password for the root user

Follow the instructions below to create the Keystone database and grant the required privileges:

  • Connect to MySQL using your credentials

    mysql -u root -h <DB_HOST> -p
  • Create the database, grant privileges to the "keystone" user and exit

    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '<KEYSTONE_DBPASS>';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '<KEYSTONE_DBPASS>';
    exit

Step 5: Download source code

cd $SOURCE_ROOT
git clone https://github.com/openstack/keystone.git
cd keystone/
git checkout 17.0.0

Step 6: Install Keystone

sudo pip3 install --ignore-installed -r requirements.txt
sudo pip3 install --ignore-installed -r test-requirements.txt 
sudo pip3 install pyopenssl==19.1.0 --no-cache-dir    # RHEL 7.x, SLES, Ubuntu 16.04 only
sudo pip3 install cryptography==3.1.1 --no-cache-dir  # RHEL 7.x, SLES 12.x, Ubuntu 16.04 only
sudo python3 setup.py install
sudo tox -egenconfig

Note: If any command fails with a "command not found" error, run it as sudo env PATH=$PATH <command> so that the root shell sees the same PATH as your user.

Step 7: Configure Keystone

sudo cp -r etc/ /etc/keystone
cd /etc/keystone/
sudo mv keystone.conf.sample keystone.conf
sudo mv logging.conf.sample logging.conf
export OS_KEYSTONE_CONFIG_DIR=/etc/keystone
  • Edit the keystone.conf file as shown below

    @@ -604,7 +604,7 @@
     # Deprecated group/name - [DEFAULT]/sql_connection
     # Deprecated group/name - [DATABASE]/sql_connection
     # Deprecated group/name - [sql]/connection
    -#connection = <None>
    +connection = mysql://keystone:<KEYSTONE_DBPASS>@<DB_HOST>/keystone
    
     # The SQLAlchemy connection string to use to connect to the slave database.
     # (string value)
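Review bot: the `+connection` line places <KEYSTONE_DBPASS> in cleartext in /etc/keystone/keystone.conf, so restrict that file to root and the keystone user that mod_wsgi later runs the service as (for example owner root:keystone, mode 640) rather than leaving the copied etc/ tree world-readable. Note also that the mysql:// scheme selects the MySQLdb driver, which the pip steps provide as mysqlclient (python3-mysqldb via apt on Ubuntu 18.04), so the driver must be present before db_sync.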
    @@ -2067,7 +2067,7 @@
     # for now. `fernet` receipts do not need to be persisted at all, but require
     # that you run `keystone-manage fernet_setup` (also see the `keystone-manage
     # fernet_rotate` command). (string value)
    -#provider = fernet
    +provider = fernet
    
     # Toggle for caching receipt creation and validation data. This has no effect
     # unless global caching is enabled, or if cache_on_issue is disabled as we only
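Review bot: `+provider = fernet` only restates the commented default shown on the `-` line, so this hunk is a no-op that makes the choice explicit; the comment lines identify this as the receipt provider, and the `keystone-manage fernet_setup` they refer to is what Step 8 performs. The [token] provider is not touched here; its default is also fernet, so the same key repository serves both tokens and receipts.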
  • Populate the Keystone database

    keystone-manage db_sync

Step 8: Initialize fernet key repository

sudo groupadd keystone
sudo useradd -m -g keystone keystone
sudo mkdir /etc/keystone/fernet-keys
sudo chown -R keystone:keystone /etc/keystone/fernet-keys
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
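Once fernet_setup has run, the key repository is the most sensitive artifact on the host: anyone who can read it can mint valid tokens. The following audit script is an added example (not part of this page or of the Keystone project) that checks the repository layout fernet_setup produces; the path /etc/keystone/fernet-keys and the expected owner "keystone" are assumed from the steps above.

```python
import base64
import os
import pwd
import stat

# Assumed repository path: the directory Step 8 creates with keystone-manage
# fernet_setup. The checks encode the layout fernet_setup produces: key files
# named by integer ("0" is the staged key, the highest number the primary key),
# directory mode 0700, files mode 0600, each key urlsafe-base64 of 32 bytes.
DEFAULT_REPO = "/etc/keystone/fernet-keys"


def _is_valid_fernet_key(data: bytes) -> bool:
    """A Fernet key must decode (urlsafe base64) to exactly 32 bytes."""
    try:
        return len(base64.urlsafe_b64decode(data.strip())) == 32
    except (ValueError, TypeError):
        return False


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_fernet_repo(repo=DEFAULT_REPO, owner="keystone"):
    """Return a list of findings (empty means sane); owner=None skips ownership checks."""
    if not os.path.isdir(repo):
        return [f"{repo}: directory does not exist"]
    findings = []
    dst = os.stat(repo)
    if stat.S_IMODE(dst.st_mode) != 0o700:
        findings.append(f"{repo}: mode is {oct(stat.S_IMODE(dst.st_mode))}, expected 0o700")
    if owner is not None and _owner_name(dst.st_uid) != owner:
        findings.append(f"{repo}: owner is {_owner_name(dst.st_uid)}, expected {owner}")
    key_ids = []
    for name in sorted(os.listdir(repo)):
        path = os.path.join(repo, name)
        if not name.isdigit():
            findings.append(f"{path}: unexpected file in key repository")
            continue
        st = os.stat(path)
        fmode = stat.S_IMODE(st.st_mode)
        if fmode != 0o600:
            findings.append(f"{path}: mode is {oct(fmode)}, expected 0o600")
        if owner is not None and _owner_name(st.st_uid) != owner:
            findings.append(f"{path}: owner is {_owner_name(st.st_uid)}, expected {owner}")
        with open(path, "rb") as fh:
            if not _is_valid_fernet_key(fh.read()):
                findings.append(f"{path}: content is not a valid Fernet key")
        key_ids.append(int(name))
    if 0 not in key_ids:
        findings.append(f"{repo}: staged key '0' is missing")
    if not any(k > 0 for k in key_ids):
        findings.append(f"{repo}: no primary key; run keystone-manage fernet_setup")
    return findings
```

Run audit_fernet_repo() as root on the Keystone host after Step 8; an empty list means the repository matches what fernet_setup should have created.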

Step 9: Bootstrap the Identity service

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://<KEYSTONE_HOST_IP>:35357/v3/ \
--bootstrap-internal-url http://<KEYSTONE_HOST_IP>:5000/v3/ \
--bootstrap-public-url http://<KEYSTONE_HOST_IP>:5000/v3/ \
--bootstrap-region-id RegionOne

Step 10: Start Keystone service

Follow the instructions below to enable mod_wsgi in Apache to serve Keystone requests

  • Edit httpd.conf

    • RHEL (7.6, 7.7, 7.8, 8.1, 8.2)

      • Add the following content at the end of the /etc/httpd/conf/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/httpd/sites-enabled/
        LoadModule wsgi_module /usr/local/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so
    • SLES 15 SP1

      • Add the following content at the end of the /etc/apache2/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/apache2/sites-enabled/
        LoadModule wsgi_module /usr/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so

        Note: Comment out the line below in /etc/apache2/httpd.conf if it exists:

        Include /etc/apache2/sysconfig.d/include.conf
    • SLES (12 SP4, 12 SP5)

      • Add the following content at the end of the /etc/apache2/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/apache2/sites-enabled/
        LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so

        Note: Comment out the line below in /etc/apache2/httpd.conf if it exists:

        Include /etc/apache2/sysconfig.d/include.conf
    • Ubuntu (16.04)

      • Add the following content at the end of the /etc/apache2/apache2.conf file:

        ServerName <KEYSTONE_HOST_IP>
        LoadModule wsgi_module /usr/lib/apache2/modules/mod_wsgi.so
    • Ubuntu (18.04)

      • Add the following content at the end of the /etc/apache2/apache2.conf file:

        ServerName <KEYSTONE_HOST_IP>
        LoadModule wsgi_module /usr/local/lib/python3.6/dist-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so
  • Add wsgi-keystone.conf

    • RHEL (7.6, 7.7, 7.8, 8.1, 8.2)

      cd /etc/httpd/
      sudo mkdir sites-available
      sudo mkdir sites-enabled

      Create the file "wsgi-keystone.conf" under /etc/httpd/sites-available/ and add the following contents to it:

      Listen 5000
      Listen 35357
      
      <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone.log
        CustomLog /var/log/httpd/keystone_access.log combined
      
        <Directory /bin>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
        </Directory>
      </VirtualHost>
      
      <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone.log
        CustomLog /var/log/httpd/keystone_access.log combined
      
        <Directory /bin>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
        </Directory>
      </VirtualHost>
      
      Alias /identity /bin/keystone-wsgi-public
      <Location /identity>
        SetHandler wsgi-script
        Options +ExecCGI
      
        WSGIProcessGroup keystone-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>
      
      Alias /identity_admin /bin/keystone-wsgi-admin
      <Location /identity_admin>
        SetHandler wsgi-script
        Options +ExecCGI
      
        WSGIProcessGroup keystone-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>
    • SLES (12 SP4, 12 SP5, 15 SP1)

      cd /etc/apache2/
      sudo mkdir sites-available
      sudo mkdir sites-enabled
      sudo cp -r /usr/local/bin/keystone-wsgi-admin /usr/bin/keystone-wsgi-admin      #For SLES 12.x
      sudo cp -r /usr/local/bin/keystone-wsgi-public /usr/bin/keystone-wsgi-public    #For SLES 12.x

      Create the file "wsgi-keystone.conf" under /etc/apache2/sites-available/ and add the following contents to it:

      # mod_version provides <IfVersion>; LoadModule is only valid at server
      # scope, so it has to sit outside the <VirtualHost> blocks.
      LoadModule version_module /usr/lib64/apache2/mod_version.so

      Listen 5000
      Listen 35357
      
      <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/apache2/keystone.log
        CustomLog /var/log/apache2/keystone_access.log combined
      
        <Directory /usr/bin>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
        </Directory>
      </VirtualHost>
      
      <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/apache2/keystone.log
        CustomLog /var/log/apache2/keystone_access.log combined
      
        <Directory /usr/bin>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
        </Directory>
      </VirtualHost>
      
      Alias /identity /usr/bin/keystone-wsgi-public
      <Location /identity>
        SetHandler wsgi-script
        Options +ExecCGI
      
        WSGIProcessGroup keystone-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>
      
      Alias /identity_admin /usr/bin/keystone-wsgi-admin
      <Location /identity_admin>
        SetHandler wsgi-script
        Options +ExecCGI
      
        WSGIProcessGroup keystone-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>
    • Ubuntu (16.04, 18.04)

      cd /etc/apache2/

      Create the file "wsgi-keystone.conf" under /etc/apache2/sites-available/ and add the following contents to it:

      Listen 5000
      Listen 35357
      
      <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
      
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/apache2/keystone.log
        CustomLog /var/log/apache2/keystone_access.log combined
      
        <Directory /usr/local/bin>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
        </Directory>
      </VirtualHost>
      
      <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/apache2/keystone.log
        CustomLog /var/log/apache2/keystone_access.log combined
      
        <Directory /usr/local/bin>
          <IfVersion >= 2.4>
            Require all granted
          </IfVersion>
          <IfVersion < 2.4>
            Order allow,deny
            Allow from all
          </IfVersion>
        </Directory>
      </VirtualHost>
      
      Alias /identity /usr/local/bin/keystone-wsgi-public
      <Location /identity>
        SetHandler wsgi-script
        Options +ExecCGI
      
        WSGIProcessGroup keystone-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>
      
      Alias /identity_admin /usr/local/bin/keystone-wsgi-admin
      <Location /identity_admin>
        SetHandler wsgi-script
        Options +ExecCGI
      
        WSGIProcessGroup keystone-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
      </Location>
  • Enable the Identity service virtual host

    • RHEL

      sudo ln -s /etc/httpd/sites-available/wsgi-keystone.conf /etc/httpd/sites-enabled
    • SLES and Ubuntu

      sudo ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
  • Start apache service

    • RHEL and SLES

      sudo /usr/sbin/httpd
    • Ubuntu

      sudo service apache2 start

Note:

  • Starting Apache also starts the Keystone service, since Keystone runs inside mod_wsgi
  • If Apache fails to start because of resource limits, comment out the ulimit section in /usr/sbin/apache2ctl and restart Apache

Step 11: Verify Keystone installation

  • Set the environment variables used by the OpenStack client

    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://<KEYSTONE_HOST_IP>:35357/v3
    export OS_IDENTITY_API_VERSION=3
  • Create symlinks (RHEL 7.x / 8.x only)

    sudo ln -s /usr/local/bin/keystone-wsgi-admin /bin/
    sudo ln -s /usr/local/bin/keystone-wsgi-public /bin/
  • Run any Keystone command and check that it succeeds, for example:

    openstack service list
    openstack token issue
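Under the hood, `openstack token issue` turns the OS_* variables above into a single POST to /v3/auth/tokens and reads the token id from the X-Subject-Token response header. The script below is an added example (not from this page or from the Keystone project) that performs that exchange with only the standard library, so the installation can be verified even where the openstack client is not installed; the URL, user name and ADMIN_PASS placeholder are assumed from Steps 9 and 11, and the sample response is constructed, not captured from a server.

```python
import json
import urllib.request

# Assumed values: the same placeholders Step 9 and Step 11 use; replace
# KEYSTONE_HOST_IP with the real address before running against a server.
KEYSTONE_HOST_IP = "<KEYSTONE_HOST_IP>"
AUTH_URL = f"http://{KEYSTONE_HOST_IP}:35357/v3"

# Constructed sample of a successful POST /v3/auth/tokens reply (201 Created),
# trimmed to the fields extract_token() reads. Not captured from a real server.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexample-token-id", "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2020-12-08T12:00:00.000000Z",
    "user": {"name": "admin", "domain": {"name": "Default"}},
    "project": {"name": "admin", "domain": {"name": "Default"}},
    "roles": [{"name": "admin"}, {"name": "member"}, {"name": "reader"}],
}})


def build_password_auth(user, password, project, domain="Default"):
    """Request body for the v3 password method, scoped to a project.

    This is what OS_USERNAME/OS_PASSWORD/OS_PROJECT_NAME/OS_*_DOMAIN_NAME become on the wire.
    """
    return {"auth": {
        "identity": {"methods": ["password"], "password": {
            "user": {"name": user, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}},
    }}


def extract_token(headers, body):
    """Keystone returns the token id in X-Subject-Token, not in the JSON body."""
    token_id = headers.get("X-Subject-Token")
    if not token_id:
        raise ValueError("no X-Subject-Token header: authentication did not succeed")
    token = json.loads(body)["token"]
    return {"id": token_id, "expires_at": token["expires_at"],
            "roles": sorted(r["name"] for r in token.get("roles", []))}


def issue_token(auth_url=AUTH_URL, user="admin", password="ADMIN_PASS", project="admin"):
    """Live equivalent of 'openstack token issue' using only the standard library."""
    req = urllib.request.Request(
        auth_url + "/auth/tokens",
        data=json.dumps(build_password_auth(user, password, project)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.status != 201:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        return extract_token(resp.headers, resp.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call issue_token() for a live check.
    print(extract_token(SAMPLE_HEADERS, SAMPLE_BODY))
```

A 401 from urlopen means Keystone is reachable but the bootstrap credentials do not match; a connection error means Apache or the wsgi-keystone.conf virtual host is not serving port 35357.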

References:

https://docs.openstack.org/project-install-guide/ocata/
http://docs.openstack.org/developer/keystone/installing.html
