
Building Keystone

aborkar-ibm edited this page Dec 22, 2020 · 57 revisions


The following versions of Keystone are available in the respective distributions at the time these build instructions were created:

  • Ubuntu 18.04 has 13.0.4
  • Ubuntu 20.04 has 17.0.0
  • Ubuntu 20.10 has 18.0.0

The instructions below specify the steps to build Keystone stable version 18.0.0 on Linux on IBM Z for the following distributions:

  • RHEL (7.8, 7.9, 8.1, 8.2, 8.3)
  • SLES (12 SP5, 15 SP1, 15 SP2)
  • Ubuntu (18.04, 20.04, 20.10)

General notes:

  • When following the steps below, please use a standard permission user unless otherwise specified.
  • A directory /<source_root>/ is referred to in these instructions. This is a temporary writable directory that you can place anywhere you like.

Step 1: Build using script

If you want to build and install Keystone using manual steps, go to step 2.

Use the following commands to build Keystone using the build script. Please make sure you have wget installed.

wget https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/18.0.0/build_keystone.sh

# Run bash build_keystone.sh -h to see all available options
bash build_keystone.sh
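
Added example, not part of the original instructions or of the linux-on-ibm-z scripts: a fail-closed integrity check for the files this page downloads (build_keystone.sh and the OpenSSL, Python and mod_wsgi tarballs) before they are executed or built. The function name verify_pinned and the manifest file pins.sha256 are hypothetical; the digests in the manifest are ones you record yourself after reviewing each file.

```shell
# verify_pinned MANIFEST FILE...
# MANIFEST uses sha256sum text format: "<hex digest>  <file name>".
# Returns 0 only if every FILE exists, has exactly one pin, and matches it.
verify_pinned() {
    manifest=$1
    shift
    rc=0
    for f in "$@"; do
        name=$(basename "$f")
        if [ ! -f "$f" ]; then
            echo "MISSING   $name" >&2
            rc=1
            continue
        fi
        # Look up the pinned digest by file name (assumed manifest layout).
        want=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
        if [ -z "$want" ]; then
            # No pin recorded: refuse rather than trust the download.
            echo "UNPINNED  $name" >&2
            rc=1
            continue
        fi
        got=$(sha256sum "$f" | awk '{ print $1 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH  $name" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (pins.sha256 is a manifest you maintain; hypothetical name):
#   verify_pinned pins.sha256 build_keystone.sh && bash build_keystone.sh
```
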

Step 2: Install the dependencies

 export SOURCE_ROOT=/<source_root>/
  • RHEL (7.8, 7.9)

    sudo yum install -y gcc git python3-setuptools curl sqlite-devel openldap-devel python3-devel libxslt-devel \
        net-tools libffi-devel which httpd httpd-devel mariadb-server postgresql-devel mariadb-devel bzip2-devel patch \
        python3-pip make redhat-rpm-config wget
  • RHEL (8.1, 8.2, 8.3)

    sudo yum install -y gcc git python3-setuptools python3-lxml curl python3-ldap sqlite-devel openldap-devel \
        python3-devel libxslt-devel openssl-devel net-tools libffi-devel which openssl httpd httpd-devel mariadb-server \
        postgresql-devel mariadb-devel bzip2-devel patch python3-pip make redhat-rpm-config
  • SLES (12 SP5)

    sudo zypper install -y gcc gcc-c++ gdbm-devel git-core curl openldap2-devel libbz2-devel libdb-4_8-devel \
        libffi-devel libffi48-devel libxslt-devel which apache2 apache2-devel libuuid-devel ncurses-devel readline-devel \
        sqlite3-devel tk-devel xz-devel zlib-devel apache2-mod_wsgi mariadb postgresql-devel make cyrus-sasl-devel \
        net-tools libpcre1 libmysqlclient-devel gawk patch tar
  • SLES (15 SP1, 15 SP2)

    sudo zypper install -y wget tar gzip gcc git-core curl openldap2-devel libffi-devel python3-devel libxslt-devel which apache2 \
        apache2-devel mariadb postgresql-devel make cyrus-sasl-devel python3-setuptools python3-lxml openssl \
        openssl-devel net-tools libpcre1 libmariadb-devel gawk patch python3-pip postgresql12-server-devel
  • Ubuntu (18.04, 20.04, 20.10)

    sudo apt-get update
    sudo apt-get install -y libpq-dev build-essential libncurses-dev libapache2-mod-wsgi-py3 git wget cmake gcc make tar \
        libpcre3-dev bison scons libboost-dev libboost-program-options-dev openssl dh-autoreconf libssl-dev \
        python3-setuptools python3-lxml curl python3-ldap python3-dev libxslt-dev net-tools libffi-dev apache2-dev \
        python3-mysqldb apache2 mysql-server python3-pkgconfig libsasl2-dev zlib1g-dev ed patch python3-pip
  • Install openssl 1.1.1g (For SLES 12.x, SLES 15 SP1 and RHEL 7.x)

    cd $SOURCE_ROOT
    wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1g.tar.gz
    tar xvf openssl-1.1.1g.tar.gz
    cd openssl-1.1.1g
    ./config --prefix=/usr --openssldir=/usr
    make
    sudo make install
  • Install python 3.8.5 (For SLES 12.x)

    cd $SOURCE_ROOT
    wget "https://www.python.org/ftp/python/3.8.5/Python-3.8.5.tgz"
    tar -xzvf "Python-3.8.5.tgz"
    cd Python-3.8.5/
    ./configure --prefix=/usr
    make
    sudo make install
  • Install mod_wsgi (For SLES 12.x)

    cd $SOURCE_ROOT
    wget https://github.com/GrahamDumpleton/mod_wsgi/archive/4.7.1.tar.gz
    tar -xvf 4.7.1.tar.gz
    cd mod_wsgi-4.7.1/
    ./configure --with-apxs=/usr/bin/apxs2 --with-python=/usr/local/bin/python3
    make
    sudo make install

Step 3: Install additional python packages

  • RHEL (7.8, 7.9)

    sudo pip3 install --upgrade setuptools
    sudo pip3 install --ignore-installed ipaddress wheel
    sudo pip3 install six==1.11 tox cryptography mod_wsgi python-memcached python-openstackclient requests pika==0.10.0 mysqlclient==2.0.1
  • RHEL (8.1, 8.2, 8.3)

    sudo pip3 install --upgrade setuptools
    sudo pip3 install --ignore-installed ipaddress wheel
    sudo pip3 install six==1.11 tox cryptography mod_wsgi python-memcached python-openstackclient requests pika==0.10.0 mysqlclient
  • SLES (12 SP5)

    sudo ln -fs /usr/lib/libpq.so.5 /usr/lib/libpq.so
    sudo ln -fs /usr/lib64/libpq.so.5 /usr/lib64/libpq.so
    sudo pip3 install --upgrade setuptools
    sudo pip3 install six tox cryptography mod_wsgi python-memcached python-openstackclient requests pika mysqlclient==2.0.1
  • SLES (15 SP1, 15 SP2)

    sudo ln -fs /usr/lib/libpq.so.5 /usr/lib/libpq.so
    sudo ln -fs /usr/lib64/libpq.so.5 /usr/lib64/libpq.so
    sudo pip3 install --upgrade pip
    sudo pip3 install --upgrade setuptools
    sudo pip3 install six==1.11 tox cryptography mod_wsgi python-memcached python-openstackclient requests pika==0.10.0 mysqlclient python-ldap
  • Ubuntu (18.04, 20.04, 20.10)

    sudo pip3 install --upgrade setuptools
    sudo pip3 install six tox cryptography mod_wsgi python-memcached python-openstackclient requests pika

Note: If any command fails with a "command not found" error, you may also run it as sudo env PATH=$PATH <command>.

Step 4: Configure and start MariaDB server

  • Initialize MariaDB server

    • RHEL and SLES

      sudo /usr/bin/mysql_install_db --user=mysql
    • Ubuntu

      sudo mkdir -p /var/lib/mysql/data
      sudo chown -R mysql:mysql /var/lib/mysql/data
      sudo /usr/sbin/mysqld --initialize --user=mysql --datadir=/var/lib/mysql/data
  • Configure Log folder for Ubuntu

    sudo mkdir -p /var/log/mysql
    sudo mkdir -p /var/run/mysqld
    sudo chown -R mysql:mysql /var/run/mysqld
  • Start MariaDB service

    sudo /usr/bin/mysqld_safe --user=mysql &

Step 5: Create user and grant privileges on Keystone database

Note:

  • <KEYSTONE_HOST_IP> - IP of the machine where you are installing the Keystone service
  • <DB_HOST> - IP or hostname of the machine where the MariaDB service is running, e.g. 127.0.0.1
  • <KEYSTONE_DBPASS> - database password for Keystone
  • <PASSWORD> - database password for root user

Follow the instructions below to create the Keystone database and grant the required privileges:

  • Create database, grant privileges to "keystone" user

    sudo mysql -e "CREATE DATABASE keystone"
    sudo mysql -e "CREATE USER 'keystone'@'localhost' IDENTIFIED BY '<KEYSTONE_DBPASS>'"
    sudo mysql -e "CREATE USER 'keystone'@'%' IDENTIFIED BY '<KEYSTONE_DBPASS>'"
    sudo mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'"
    sudo mysql -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'"

Step 6: Download source code

cd $SOURCE_ROOT
git clone https://github.com/openstack/keystone.git
cd keystone/
git checkout 18.0.0

Step 7: Install Keystone

sudo pip3 install --ignore-installed -r requirements.txt
sudo pip3 install --ignore-installed -r test-requirements.txt
sudo python3 setup.py install
sudo tox -egenconfig

Note: If any command fails with a "command not found" error, you may also run it as sudo env PATH=$PATH <command>.

Step 8: Configure Keystone

sudo cp -r etc/ /etc/keystone
cd /etc/keystone/
sudo mv keystone.conf.sample keystone.conf
sudo mv logging.conf.sample logging.conf
export OS_KEYSTONE_CONFIG_DIR=/etc/keystone
  • Edit keystone.conf file

    sudo sed -i "s|#connection = <None>|connection = mysql://keystone:<KEYSTONE_DBPASS>@localhost/keystone|g" /etc/keystone/keystone.conf
    sudo sed -i "s|#provider = fernet|provider = fernet|g" /etc/keystone/keystone.conf
  • Populate Keystone database

    keystone-manage db_sync

Step 9: Initialize fernet key repository

sudo groupadd keystone
sudo useradd -m -g keystone keystone
sudo mkdir -p /etc/keystone/fernet-keys
sudo chown -R keystone:keystone /etc/keystone/fernet-keys
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Note: If any command fails with a "command not found" error, you may also run it as sudo env PATH=$PATH <command>.
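
Added example, not part of the original instructions: after Step 8 writes the database password into keystone.conf and Step 9 creates the key repositories, this check reports files under /etc/keystone whose permission bits expose them to other local users. The function names and the policy (no "other" access to keystone.conf, no group or other access to fernet-keys and credential-keys or the key files inside them) are assumptions chosen for this example; it relies on GNU stat.

```shell
# too_open PATH MASK: succeeds when PATH has any permission bit from MASK set.
too_open() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & $2 )) -ne 0 ]
}

# audit_keystone_secrets DIR
# Prints one line per finding; returns 0 when clean, 1 when anything is too open.
audit_keystone_secrets() {
    dir=$1
    findings=0
    # keystone.conf holds the [database] connection string with the password.
    if [ -f "$dir/keystone.conf" ] && too_open "$dir/keystone.conf" 007; then
        echo "config readable by other users: $dir/keystone.conf"
        findings=$((findings + 1))
    fi
    # Key repositories created by fernet_setup and credential_setup.
    for repo in fernet-keys credential-keys; do
        [ -d "$dir/$repo" ] || continue
        if too_open "$dir/$repo" 077; then
            echo "key repository open to group/other: $dir/$repo"
            findings=$((findings + 1))
        fi
        for key in "$dir/$repo"/*; do
            [ -f "$key" ] || continue
            if too_open "$key" 077; then
                echo "key file open to group/other: $key"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Usage on the layout built by this page:
#   sudo sh -c '. ./audit.sh; audit_keystone_secrets /etc/keystone'
```
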

Step 10: Bootstrap the Identity service

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://<KEYSTONE_HOST_IP>:35357/v3/ \
--bootstrap-internal-url http://<KEYSTONE_HOST_IP>:5000/v3/ \
--bootstrap-public-url http://<KEYSTONE_HOST_IP>:5000/v3/ \
--bootstrap-region-id RegionOne

Step 11: Start Keystone service

Follow the instructions below to enable wsgi to serve Keystone requests:

  • Edit httpd.conf

    • RHEL (7.8, 7.9, 8.1, 8.2, 8.3)

      • Add the content below at the end of the /etc/httpd/conf/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/httpd/sites-enabled/
        LoadModule wsgi_module /usr/local/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so
    • SLES 15 SP1

      • Add the content below at the end of the /etc/apache2/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/apache2/sites-enabled/
        LoadModule wsgi_module /usr/lib64/python3.6/site-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so

        Note: Comment out the line below in the /etc/apache2/httpd.conf file if it exists:

        Include /etc/apache2/sysconfig.d/include.conf
    • SLES (12 SP5)

      • Add the content below at the end of the /etc/apache2/httpd.conf file:

        ServerName <KEYSTONE_HOST_IP>
        Include /etc/apache2/sites-enabled/
        LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so

        Note: Comment out the line below in the /etc/apache2/httpd.conf file if it exists:

        Include /etc/apache2/sysconfig.d/include.conf
    • Ubuntu (18.04)

      • Add the content below at the end of the /etc/apache2/apache2.conf file:

        ServerName <KEYSTONE_HOST_IP>
        LoadModule wsgi_module /usr/local/lib/python3.6/dist-packages/mod_wsgi/server/mod_wsgi-py36.cpython-36m-s390x-linux-gnu.so
  • Add wsgi-keystone.conf

    • RHEL (7.6, 7.7, 7.8, 8.1, 8.2)

      sudo mkdir -p /etc/httpd/sites-available
      sudo mkdir -p /etc/httpd/sites-enabled
      curl -SL -o wsgi-keystone.conf https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/18.0.0/conf/rhel-wsgi-keystone.conf
      sudo mv wsgi-keystone.conf /etc/httpd/sites-available/
    • SLES (12 SP4, 12 SP5, 15 SP1)

      sudo mkdir -p /etc/apache2/sites-available
      sudo mkdir -p /etc/apache2/sites-enabled
      curl -SL -o wsgi-keystone.conf https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/18.0.0/conf/sles-wsgi-keystone.conf
      sudo mv wsgi-keystone.conf /etc/apache2/sites-available/
    • Ubuntu (18.04, 20.04, 20.10)

      curl -SL -o wsgi-keystone.conf https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Keystone/18.0.0/conf/ubuntu-wsgi-keystone.conf
      sudo mv wsgi-keystone.conf /etc/apache2/sites-available/
  • Enable the Identity service virtual host

    • RHEL

      sudo ln -s /etc/httpd/sites-available/wsgi-keystone.conf /etc/httpd/sites-enabled
    • SLES and Ubuntu

      sudo ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
  • Start apache service

    • RHEL and SLES

      sudo /usr/sbin/httpd
    • Ubuntu

      sudo service apache2 restart

Note:

  • This command internally starts the Keystone service.
  • If required, comment out the ulimit section in the file /usr/sbin/apache2ctl and restart Apache.

Step 12: Verify Keystone installation

  • Set variables

    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://<KEYSTONE_HOST_IP>:35357/v3
    export OS_IDENTITY_API_VERSION=3
  • Create symlinks for RHEL 7.x / 8.x

    sudo ln -s /usr/local/bin/keystone-wsgi-admin /bin/
    sudo ln -s /usr/local/bin/keystone-wsgi-public /bin/
  • Run any Keystone command and check that it succeeds. For example:

openstack service list
openstack token issue

References:

https://docs.openstack.org/project-install-guide/ocata/
http://docs.openstack.org/developer/keystone/installing.html
