Building Keystone

aborkar-ibm edited this page Nov 7, 2022 · 57 revisions

The following versions of Keystone are available in the respective distributions at the time these build instructions were created:

  • Ubuntu 18.04 has 13.0.4
  • Ubuntu 20.04 has 17.0.1

The instructions below describe how to build the latest version of Keystone on Linux on IBM Z for the following distributions:

  • RHEL (7.8, 7.9, 8.4, 8.6)
  • SLES (12 SP5, 15 SP3)
  • Ubuntu 18.04

General notes:

  • When following the steps below, please use a standard-permission user unless otherwise specified.
  • A directory /<source_root>/ is referred to in these instructions; this is a temporary writable directory that you can place anywhere you like.

Note:

  • Keystone (v21.0.0) was verified at the time these instructions were created.
  • For Ubuntu 20.04, v21.0.0 can be installed via Ubuntu Cloud Archive. Refer to this for more details.

Step 1: Build using script

If you want to build and install Keystone using manual steps, go to step 2.

Use the following commands to build Keystone using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/21.0.0/build_keystone.sh

# Run bash build_keystone.sh -h to see all available options
bash build_keystone.sh

Step 2: Install the dependencies

 export SOURCE_ROOT=/<source_root>/
  • RHEL (7.8, 7.9)

    sudo yum install -y gcc gcc-c++ openssl.s390x httpd httpd-devel mariadb-server mariadb-devel sqlite-devel
    • Build Python 3.10.x -- Instructions for building Python 3.10.x can be found here
  • RHEL (8.4, 8.6)

    sudo yum install -y python3-devel libffi-devel openssl-devel gcc make gcc-c++ python3-mod_wsgi.s390x httpd httpd-devel mariadb-devel  mariadb-server procps sqlite-devel.s390x cargo curl wget
  • SLES 12 SP5

    sudo zypper install -y apache2-mod_wsgi libopenssl-devel gcc make gawk apache2 apache2-devel mariadb libmariadb3 gcc-c++ libmysqld-devel
    • Build Python 3.10.x -- Instructions for building Python 3.10.x can be found here
  • SLES 15 SP3

     sudo zypper install -y libopenssl-devel libffi-devel gcc make python3-devel python3-pip gawk apache2  apache2-devel mariadb libmariadb-devel gcc-c++ cargo curl wget
  • Ubuntu 18.04

     sudo apt-get update
     sudo apt-get install -y python3-pip libffi-dev libssl-dev  mysql-server libmysqlclient-dev libapache2-mod-wsgi-py3 apache2  apache2-dev wget cargo curl
  • Install mod_wsgi (For RHEL 7.x and SLES 12.x)

    cd $SOURCE_ROOT
    wget https://github.com/GrahamDumpleton/mod_wsgi/archive/4.9.0.tar.gz
    tar -xvf 4.9.0.tar.gz
    cd mod_wsgi-4.9.0/
    ./configure --with-apxs=/usr/bin/apxs2 --with-python=/usr/local/bin/python3 # For SLES
    ./configure --with-apxs=/usr/bin/apxs --with-python=/usr/local/bin/python3  # For RHEL
    make
    sudo make install
    sudo chmod 755 /usr/lib64/apache2/mod_wsgi.so 	# For SLES
    sudo chmod 755 /usr/lib64/httpd/modules/mod_wsgi.so   # For RHEL
  • Install rustc (For RHEL 7.x and SLES 12.x)

    cd $SOURCE_ROOT
    wget https://static.rust-lang.org/dist/rust-1.63.0-s390x-unknown-linux-gnu.tar.gz
    tar -xzf rust-1.63.0-s390x-unknown-linux-gnu.tar.gz
    cd rust-1.63.0-s390x-unknown-linux-gnu
    sudo ./install.sh
    export PATH=$HOME/.cargo/bin:$PATH
    rustc -V
    cargo  -V
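
Steps 1 and 2 download a build script, the mod_wsgi archive and a Rust installer and then run them, some with sudo. The following is an added example, not part of the original instructions or of the linux-on-ibm-z scripts: it refuses to proceed unless a file matches the SHA-256 value recorded in a manifest you wrote after reviewing the download. The function name verify_pinned and the manifest name reviewed.sha256 are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original instructions).
# Manifest format is the one sha256sum writes: "<sha256>  <filename>" per line.
# Create it once, after reviewing the downloads, e.g.:
#   sha256sum build_keystone.sh 4.9.0.tar.gz > reviewed.sha256   # hypothetical name

# verify_pinned FILE MANIFEST
# Succeeds only if FILE's basename is listed exactly once in MANIFEST and the
# recorded hash equals the hash of FILE. A file that is missing from the
# manifest is refused; "sha256sum --check" alone only looks at listed files.
verify_pinned() {
    file=$1
    manifest=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '
        $2 == n { print $1; count++ }
        END     { exit (count == 1) ? 0 : 1 }
    ' "$manifest") || {
        echo "REFUSE $name: not listed exactly once in $manifest" >&2
        return 1
    }
    got=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "REFUSE $name: SHA-256 differs from the reviewed copy" >&2
        return 1
    fi
    echo "OK $name"
}

# Usage with the files this page downloads:
#   verify_pinned build_keystone.sh reviewed.sha256 && bash build_keystone.sh
#   verify_pinned 4.9.0.tar.gz      reviewed.sha256 && tar -xvf 4.9.0.tar.gz
```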

Step 3: Set environment variables

  • For RHEL 7.x, 8.x and SLES 12.x

    export PATH=/usr/local/bin:$PATH
    sudo ldconfig /usr/local/lib64   # Only for RHEL 7.x

Step 4: Install additional python packages

  • RHEL (7.8, 7.9)

    sudo -H pip3 install --upgrade pip
    sudo pip3 install cryptography==3.3.1 flask==1.1.2 itsdangerous==2.0.1 python-openstackclient keystone==21.0.0 greenlet==1.1.0 mysqlclient mod_wsgi jinja2==3.0.0 werkzeug==0.16.1
  • RHEL 8.x

    sudo -H pip3 install --upgrade pip
    sudo pip3 install cryptography==3.3.1 flask==1.1.2 python-openstackclient keystone==21.0.0 mysqlclient jinja2==3.0.0 werkzeug==0.16.1
  • SLES 12 SP5

    sudo -H pip3 install --upgrade pip
    sudo pip3 install cryptography==3.3.1 flask==1.1.2 itsdangerous==2.0.1 python-openstackclient keystone==21.0.0 greenlet==1.1.0 mysqlclient jinja2==3.0.0 werkzeug==0.16.1
  • SLES 15 SP3

    sudo -H pip3 install --upgrade pip
    sudo pip3 install cryptography==3.3.1 flask==1.1.2 python-openstackclient keystone==21.0.0 mysqlclient mod_wsgi jinja2==3.0.0 werkzeug==0.16.1
  • Ubuntu 18.04

    sudo -H pip3 install --upgrade pip
    sudo pip3 install cryptography==3.3.1 python-openstackclient keystone==21.0.0 mysqlclient mod_wsgi 

    Note: You may also use sudo env PATH=$PATH <command> if any command fails with a "command not found" error.

Step 5: Configure and start MariaDB server

  • Initialize MariaDB server

    • RHEL and SLES

      sudo /usr/bin/mysql_install_db --user=mysql
    • Ubuntu 18.04

      sudo mkdir -p /var/lib/mysql/data
      sudo chown -R mysql:mysql /var/lib/mysql/data
      sudo /usr/sbin/mysqld --initialize --user=mysql --datadir=/var/lib/mysql/data
      sudo mkdir -p /var/log/mysql
      sudo mkdir -p /var/run/mysqld
      sudo chown -R mysql:mysql /var/run/mysqld
  • Start MariaDB service

    sudo /usr/bin/mysqld_safe --user=mysql & 

Step 6: Create user and grant privileges on Keystone database

Note:

  • <KEYSTONE_HOST_IP> - IP of the machine where you are installing the Keystone service
  • <DB_HOST> - IP or hostname of the machine where the MariaDB service is running, e.g. 127.0.0.1
  • <KEYSTONE_DBPASS> - database password for Keystone
  • <PASSWORD> - database password for the root user

Follow the instructions below to create the Keystone database and grant the required privileges:

  • Create database, grant privileges to "keystone" user

    sudo mysql -e "CREATE DATABASE keystone"
    sudo mysql -e "CREATE USER 'keystone'@'localhost' IDENTIFIED BY '<KEYSTONE_DBPASS>'"
    sudo mysql -e "CREATE USER 'keystone'@'%' IDENTIFIED BY '<KEYSTONE_DBPASS>'"
    sudo mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'"
    sudo mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'"
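
Step 6 creates 'keystone'@'%', which matches a client connecting from any host, while the connection string in Step 7 only uses localhost. As an added example (not part of the original instructions), the first helper below emits the same CREATE USER and GRANT statements for one named client host and feeds them to mysql on standard input, so <KEYSTONE_DBPASS> does not appear in the process list; the second lists existing accounts whose host is a wildcard. The function names and the KEYSTONE_DBPASS environment variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original instructions). Function names and the
# KEYSTONE_DBPASS environment variable are assumptions made for illustration.

# keystone_grants_sql HOST
# Prints the Step 6 statements for a single client HOST instead of '%'.
# HOST may only contain hostname/IP characters, so wildcards and quotes are refused.
keystone_grants_sql() {
    host=$1
    case $host in
        ''|*[!A-Za-z0-9.:-]*)
            echo "refusing host value: $host" >&2
            return 1 ;;
    esac
    case ${KEYSTONE_DBPASS:-} in
        ''|*"'"*|*'\'*)
            echo "KEYSTONE_DBPASS must be set and contain no quote or backslash" >&2
            return 1 ;;
    esac
    printf "CREATE USER 'keystone'@'%s' IDENTIFIED BY '%s';\n" "$host" "$KEYSTONE_DBPASS"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%s';\n" "$host"
}

# flag_wildcard_hosts
# Reads tab-separated "user<TAB>host" rows on stdin and prints every account
# whose host contains a MySQL wildcard (% or _). Exit status 1 if any found.
flag_wildcard_hosts() {
    awk -F '\t' '
        $2 ~ /[%_]/ { printf "WILDCARD %s@%s\n", $1, $2; bad = 1 }
        END         { exit bad + 0 }
    '
}

# Usage (statements reach mysql on stdin, not in argv):
#   read -r -s KEYSTONE_DBPASS   # bash built-in; type the password, no echo
#   keystone_grants_sql localhost | sudo mysql
#   sudo mysql -N -B -e "SELECT user, host FROM mysql.user" | flag_wildcard_hosts
```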

Step 7: Configure Keystone

sudo mkdir -p /etc/keystone/
cd /etc/keystone/
sudo wget -O keystone.conf https://docs.openstack.org/keystone/yoga/_static/keystone.conf.sample
export OS_KEYSTONE_CONFIG_DIR=/etc/keystone
  • Edit keystone.conf file

    sudo sed -i "s|#connection = <None>|connection = mysql://keystone:<KEYSTONE_DBPASS>@localhost/keystone|g" /etc/keystone/keystone.conf
    sudo sed -i "s|#provider = fernet|provider = fernet|g" /etc/keystone/keystone.conf
  • Populate Keystone database

    keystone-manage db_sync

Step 8: Initialize fernet key repository

sudo groupadd keystone
sudo useradd -m -g keystone keystone
sudo mkdir -p /etc/keystone/fernet-keys
sudo chown -R keystone:keystone /etc/keystone/fernet-keys
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
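
After Steps 7 and 8, /etc/keystone holds the database password (in the connection line of keystone.conf) and the Fernet and credential key repositories. The check below is an added example, not part of the original instructions: it lists anything under the given paths that users outside the owning user and group can read, write or traverse. The function name audit_secret_perms is an assumption; /etc/keystone/credential-keys is Keystone's default credential key repository.

```bash
#!/usr/bin/env bash
# Added example (not from the original instructions).

# audit_secret_perms PATH...
# Prints "ls -ld" lines for every file or directory under the given paths that
# has any permission bit set for "other" (read 004, write 002, execute 001).
# Prints MISSING for a path that does not exist. Exit status is 1 if anything
# was reported, 0 if every path exists and is closed to "other".
audit_secret_perms() {
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            rc=1
            continue
        fi
        # Symlinks always show mode 777, so they are skipped.
        hits=$(find "$p" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec ls -ld {} +)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on the layout this page creates (run as root so find can enter the
# key directories):
#   audit_secret_perms /etc/keystone/keystone.conf \
#       /etc/keystone/fernet-keys /etc/keystone/credential-keys
# One way to close what it reports. Assumption: the WSGI process runs as the
# keystone user created in Step 8.
#   sudo chown root:keystone /etc/keystone/keystone.conf
#   sudo chmod 640 /etc/keystone/keystone.conf
#   sudo chmod 700 /etc/keystone/fernet-keys /etc/keystone/credential-keys
```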

Step 9: Bootstrap the Identity service

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://<KEYSTONE_HOST_IP>:35357/v3/ \
--bootstrap-internal-url http://<KEYSTONE_HOST_IP>:5000/v3/ \
--bootstrap-public-url http://<KEYSTONE_HOST_IP>:5000/v3/ \
--bootstrap-region-id RegionOne

Note: You may also use sudo env PATH=$PATH <command> if any command in the above steps fails with a "command not found" or connection error.

Step 10: Start Keystone service

Follow the instructions below to enable WSGI to serve Keystone requests:

  • Edit httpd.conf

    • RHEL (7.8, 7.9)

      • Add the following content at the end of the /etc/httpd/conf/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/httpd/sites-enabled/
        LoadModule wsgi_module /usr/lib64/httpd/modules/mod_wsgi.so
    • RHEL (8.4, 8.6)

      • Add the following content at the end of the /etc/httpd/conf/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/httpd/sites-enabled/
        LoadModule wsgi_module /usr/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so
    • SLES 15 SP3

      • Add the following content at the end of the /etc/apache2/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/apache2/sites-enabled/
        LoadModule wsgi_module /usr/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so

        Note: Comment out the line below in the /etc/apache2/httpd.conf file if it exists:

        Include /etc/apache2/sysconfig.d/include.conf
    • SLES 12 SP5

      • Add the following content at the end of the /etc/apache2/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/apache2/sites-enabled/
        LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so

        Note: Comment out the line below in the /etc/apache2/httpd.conf file if it exists:

        Include /etc/apache2/sysconfig.d/include.conf
    • Ubuntu 18.04

      • Add the following content at the end of the /etc/apache2/apache2.conf file:

        ServerName <KEYSTONE_HOST_IP>
        LoadModule wsgi_module /usr/local/lib/python3.6/dist-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so
  • Add wsgi-keystone.conf

    • RHEL (7.8, 7.9, 8.4, 8.6)

      sudo mkdir -p /etc/httpd/sites-available
      sudo mkdir -p /etc/httpd/sites-enabled
      curl -SL -o wsgi-keystone.conf https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/21.0.0/conf/rhel-wsgi-keystone.conf
      sudo mv wsgi-keystone.conf /etc/httpd/sites-available/
    • SLES (12 SP5, 15 SP3)

      sudo mkdir -p /etc/apache2/sites-available
      sudo mkdir -p /etc/apache2/sites-enabled
      curl -SL -o wsgi-keystone.conf https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/21.0.0/conf/sles-wsgi-keystone.conf
      sudo mv wsgi-keystone.conf /etc/apache2/sites-available/
    • Ubuntu 18.04

      curl -SL -o wsgi-keystone.conf https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/21.0.0/conf/ubuntu-wsgi-keystone.conf
      sudo mv wsgi-keystone.conf /etc/apache2/sites-available/
  • Enable the Identity service virtual host

    • RHEL

      sudo ln -s /etc/httpd/sites-available/wsgi-keystone.conf /etc/httpd/sites-enabled
    • SLES and Ubuntu

      sudo ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
  • Start apache service

    • RHEL and SLES

      sudo /usr/sbin/httpd
    • Ubuntu

      sudo service apache2 restart

Note:

  • This command internally starts the Keystone service.
  • If required, comment out the ulimit section in /usr/sbin/apache2ctl and restart Apache.

Step 11: Verify Keystone installation

  • Set variables

    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://<KEYSTONE_HOST_IP>:35357/v3
    export OS_IDENTITY_API_VERSION=3
  • Create symlinks for RHEL 7.x / 8.x

    sudo ln -s /usr/local/bin/keystone-wsgi-admin /bin/
    sudo ln -s /usr/local/bin/keystone-wsgi-public /bin/
  • Update PATH in wsgi-keystone.conf for SLES 12.x

    sudo sed -i 's/\/usr\/bin/\/usr\/local\/bin/g' /etc/apache2/sites-available/wsgi-keystone.conf
  • Run any Keystone command and check that it succeeds. For example:

    openstack service list
    openstack token issue
