2. Troubleshooting OpenStack Identity
by Tony Campbell, Egle Sigler, Cody Bunch, Kevin Jackson, Sunil Sarat, Alok Shrivas
OpenStack: Building a Cloud Environment
- OpenStack: Building a Cloud Environment
- Table of Contents
- OpenStack: Building a Cloud Environment
- OpenStack: Building a Cloud Environment
- Credits
- Preface
- 1. Module 1
- 1. An Introduction to OpenStack
- 2. Authentication and Authorization Using Keystone
- Identity concepts in Keystone
- Architecture and subsystems
- Installing common components
- Installing Keystone
- Verifying the installation
- Troubleshooting the installation and configuration
- Summary
- 3. Storing and Retrieving Data and Images using Glance, Cinder, and Swift
- Introducing storage services
- Working with Glance
- Working with Cinder
- Working with Swift
- Troubleshooting steps
- Summary
- 4. Building Your Cloud Fabric Controller Using Nova
- 5. Technology-Agnostic Network Abstraction Using Neutron
- The software-defined network paradigm
- Neutron
- Installing Neutron
- Troubleshooting Neutron
- Summary
- 6. Building Your Portal in the Cloud
- 7. Your OpenStack Cloud in Action
- 8. Taking Your Cloud to the Next Level
- Working with Heat
- Ceilometer
- Installing Ceilometer
- Installing Ceilometer on the compute node
- Installing Ceilometer on the storage node
- Testing the installation
- Billing and usage reporting
- Summary
- 9. Looking Ahead
- A. New Releases
- 2. Module 2
- 1. Keystone – OpenStack Identity Service
- Introduction
- Installing the OpenStack Identity Service
- Configuring OpenStack Identity for SSL communication
- Creating tenants in Keystone
- Configuring roles in Keystone
- Adding users to Keystone
- Defining service endpoints
- Creating the service tenant and service users
- Configuring OpenStack Identity for LDAP Integration
- 2. Glance – OpenStack Image Service
- Introduction
- Installing OpenStack Image Service
- Configuring OpenStack Image Service with OpenStack Identity Service
- Configuring OpenStack Image Service with OpenStack Object Storage
- Managing images with OpenStack Image Service
- Registering a remotely stored image
- Sharing images among tenants
- Viewing shared images
- Using image metadata
- Migrating a VMware image
- Creating an OpenStack image
- 3. Neutron – OpenStack Networking
- Introduction
- Installing Neutron and Open vSwitch on a dedicated network node
- Configuring Neutron and Open vSwitch
- Installing and configuring the Neutron API service
- Creating a tenant Neutron network
- Deleting a Neutron network
- Creating an external floating IP Neutron network
- Using Neutron networks for different purposes
- Configuring Distributed Virtual Routers
- Using Distributed Virtual Routers
- 4. Nova – OpenStack Compute
- Introduction
- Installing OpenStack Compute controller services
- Installing OpenStack Compute packages
- Configuring database services
- Configuring OpenStack Compute
- Configuring OpenStack Compute with OpenStack Identity Service
- Stopping and starting nova services
- Installation of command-line tools on Ubuntu
- Using the command-line tools with HTTPS
- Checking OpenStack Compute services
- Using OpenStack Compute
- Managing security groups
- Creating and managing key pairs
- Launching our first cloud instance
- Fixing a broken instance deployment
- Terminating your instances
- Using live migration
- Working with nova-schedulers
- Creating flavors
- Defining host aggregates
- Launching instances in specific Availability Zones
- Launching instances on specific Compute hosts
- Removing Nova nodes from a cluster
- 5. Swift – OpenStack Object Storage
- Introduction
- Configuring Swift services and users in Keystone
- Installing OpenStack Object Storage services – proxy server
- Configuring OpenStack Object Storage – proxy server
- Installing OpenStack Object Storage services – storage nodes
- Configuring physical storage for use with Swift
- Configuring Object Storage replication
- Configuring OpenStack Object Storage – storage services
- Making the Object Storage rings
- Stopping and starting OpenStack Object Storage
- Setting up SSL access
- 6. Using OpenStack Object Storage
- 7. Administering OpenStack Object Storage
- 8. Cinder – OpenStack Block Storage
- 9. More OpenStack
- Introduction
- Using cloud-init to run post-installation commands
- Using cloud-config to run the post-installation configuration
- Installing OpenStack Telemetry
- Using OpenStack Telemetry to interrogate usage statistics
- Installing Neutron LBaaS
- Using Neutron LBaaS
- Configuring Neutron FWaaS
- Using Neutron FWaaS
- Installing the Heat OpenStack Orchestration service
- Using Heat to spin up instances
- 10. Using the OpenStack Dashboard
- Introduction
- Installing OpenStack Dashboard
- Using OpenStack Dashboard for key management
- Using OpenStack Dashboard to manage Neutron networks
- Using OpenStack Dashboard for security group management
- Using OpenStack Dashboard to launch instances
- Using OpenStack Dashboard to terminate instances
- Using OpenStack Dashboard to connect to instances using a VNC
- Using OpenStack Dashboard to add new tenants – projects
- Using OpenStack Dashboard for user management
- Using OpenStack Dashboard with LBaaS
- Using OpenStack Dashboard with OpenStack Orchestration
- 11. Production OpenStack
- Introduction
- Installing the MariaDB Galera cluster
- Configuring HA Proxy for the MariaDB Galera cluster
- Configuring HA Proxy for high availability
- Installing and configuring Pacemaker with Corosync
- Configuring OpenStack services with Pacemaker and Corosync
- Bonding network interfaces for redundancy
- Automating OpenStack installations using Ansible – host configuration
- Automating OpenStack installations using Ansible – Playbook configuration
- Automating OpenStack installations using Ansible – running Playbooks
- 1. Keystone – OpenStack Identity Service
- 3. Module 3
- 1. The Troubleshooting Toolkit
- 2. Troubleshooting OpenStack Identity
- 3. Troubleshooting the OpenStack Image Service
- 4. Troubleshooting OpenStack Networking
- 5. Troubleshooting OpenStack Compute
- 6. Troubleshooting OpenStack Block Storage
- 7. Troubleshooting OpenStack Object Storage
- 8. Troubleshooting the OpenStack the Orchestration Service
- 9. Troubleshooting the OpenStack Telemetry Service
- 10. OpenStack Performance, Availability, and Reliability
- A. Bibliography
- Index
Keystone plays a crucial role in the OpenStack deployment. This project is responsible for providing services that support an identity, token management, a service catalog, and policy functionality. While Keystone does not depend on any other OpenStack services, most other OpenStack services depend on Keystone. This core dependency on Keystone means that problems with your Keystone services can cascade, causing problems for many of the other OpenStack services. Tracking down a problem in OpenStack can be complicated due to the different projects that operate together to provide a functionality. When troubleshooting OpenStack, it's smart to make sure that Keystone is operating as intended. In this chapter, we will explore the following topics:
- Identifying different versions of the Keystone API and how to avoid configuration problems
- Troubleshooting the command-line interface clients
- Checking the Identity API
- Fixing issues with the Keystone database
- Confirming the accuracy of the service catalog
- Configuring Keystone to run it as a WSGI application under Apache
As of the Liberty release of OpenStack, the identity service finds itself in transition. The service supports two API versions: v2 and v3. The v2 version of the API is deprecated, but may still be found in many OpenStack deployments. Recent releases of OpenStack are configured to serve both the v2 and v3 versions of the Identity API. This can be confirmed by examining the keystone-paste.ini configuration file.
In this file, you will find configurations for two composite apps: main and admin. As demonstrated in the preceding example, each app has a setting for /v2.0 and /v3. With this configuration, this deployment will serve a request to the v2 or v3 Identity API. Here, the command-line clients transition from individual clients per project to a unified OpenStack client that works across projects. The keystone command-line client supports v2 of the Identity API. The newer and preferred OpenStack client supports v2 and v3 of the Identity API.
The two composite apps in the preceding configuration are used to serve two different Keystone APIs: the public API and the admin API. Historically, the admin API was used to serve admin-level requests, such as adding a tenant or adding a user. The functionality of the admin API is small and focused. The public API is responsible for serving all other requests.
With v3 of the Identity API, the separation between the admin functionality and public functionality is handled within a single API. You will notice in the preceding configuration that the /v3 value is api_v3 for both the main composite app and the admin composite app.
When Keystone is operating properly, it provides two APIs: the Service API and the Administration API. The Service API runs on port 5000 and the Admin API runs on port 35357. In the OpenStack Juno release and earlier, the common way of running these APIs was via an Eventlet-based process. In the Kilo release and those thereafter, the recommended method to run the Keystone APIs is via a WSGI server. We'll take a look at how to troubleshoot each of these methods in the following sections.
-
No Comment