openstack keystone v2 to v3

Disable NetworkManager

1. systemctl stop NetworkManager
2. systemctl disable NetworkManager
3. systemctl enable network

Install the openstack-packstack

If you hava set the repo before!

1. yum install -y openstack-packstack

Deploy the openstack all-in-one

If you have define a ans.txt before!

1. packstack –answer-file=ans.txt

Modify the database

Set the identity version from v2 to v3
My database has no password！！

1. mysql –user root keystone -e “update endpoint set url = ‘http://192.168.11.106:5000/v3’ where interface =’internal’ and service_id = (select id from service where service.type = ‘identity’);”

2. mysql –user root keystone -e “update endpoint set url = ‘http://192.168.11.106:5000/v3’ where interface =’public’ and service_id = (select id from service where service.type = ‘identity’);”

3. mysql –user root keystone -e “update endpoint set url = ‘http://192.168.11.106:35357/v3’ where interface =’admin’ and service_id = (select id from service where service.type = ‘identity’);”

Show the identity endpoint

mysql –user root keystone -e “select interface, url from endpoint where service_id = (select id from service where service.type = ‘identity’);”
+———–+——————————–+
| interface | url |
+———–+——————————–+
| admin | http://192.168.11.106:35357/v3 |
| public | http://192.168.11.106:5000/v3 |
| internal | http://192.168.11.106:5000/v3 |
+———–+——————————–+

Show the identity Information

Create the scripts
vi keystone_v3

1. export OS_USERNAME=admin
2. export OS_PROJECT_NAME=admin
3. export OS_PROJECT_DOMAIN_NAME=Default
4. export OS_USER_DOMAIN_NAME=Default
5. export OS_PASSWORD=SECRETE
6. export OS_AUTH_URL=http://192.168.11.106:5000/v3
7. export OS_REGION_NAME=RegionOne
8. export PS1=’[\u@\h \W(keystone_admin)]$ ‘
9. export OS_IDENTITY_API_VERSION=3

Show the identity Information

source keystone_v3

openstack domain list
+———+———+———+———————————————————————-+
| ID | Name | Enabled | Description |
+———+———+———+———————————————————————-+
| default | Default | True | Owns users and tenants (i.e. projects) available on Identity API v2. |
+———+———+———+———————————————————————-+

openstack project list
+———————————-+———-+
| ID | Name |
+———————————-+———-+
| 819cf98b84c042bcb1fb2a5ce3659909 | admin |
| c4f3346f917842a7b22b9b72a23f613c | demo |
| f8e75996b2994b95b98b658bbc950615 | services |
+———————————-+———-+

openstack group list(default no group)

openstack user list
+———————————-+———+
| ID | Name |
+———————————-+———+
| 2a7e680a1dde46ed9cf3d30b90a5f19d | demo |
| 53edb54164c0480c983dcefa5d5bb38f | neutron |
| 7a911ed1867c4229b6c1374403ccf553 | cinder |
| 887363eccf3c48c58b2ebd7f37856261 | nova |
| ca2ee63d5d64447c94527acce33604d5 | glance |
| f4b31fde11d948e58fbe9212de43255e | admin |
+———————————-+———+

Modify the openstack service’s identity

1. nova

vi /etc/nova/nova.conf

[keystone_authtoken]
auth_plugin = password
auth_url = http://192.168.11.106:35357
username = nova
password = a95a5d9998644757
project_name = services
user_domain_name = Default
project_domain_name = Default

openstack-config –set /etc/nova/nova.conf keystone_authtoken auth_uri http://192.168.11.106:5000/v3
openstack-config –set /etc/nova/nova.conf keystone_authtoken auth_version v3
openstack-config –set /etc/nova/nova.conf neutron admin_auth_url http://192.168.11.106:5000/v3

1. neutron

vi /etc/neutron/neutron.conf
[keystone_authtoken]
auth_plugin = password
auth_url = http://192.168.11.106:35357
username = neutron
password = 4798e05ba11948cf
project_name = services
user_domain_name = Default
project_domain_name = Default
auth_uri = http://192.168.11.106:5000/v3

vi /etc/neutron/api-plaste.ini
[filter:authtoken]
auth_plugin = password
auth_url = http://192.168.11.106:35357
username = neutron
password = 4798e05ba11948cf
project_name = services
user_domain_name = Default
project_domain_name = Default
auth_uri = http://192.168.11.106:5000/v3

[neutron]
url=http://192.168.11.106:9696
admin_auth_url=http://192.168.11.106:5000/v3
default_tenant_id=default

region_name = RegionOne
project_domain_id = default
project_name = services
user_domain_id = default
password = 4798e05ba11948cf
username = neutron
auth_url = http://192.168.11.106:35357
auth_plugin = password

openstack-config –set /etc/neutron/neutron.conf DEFAULT nova_admin_auth_url http://192.168.11.106:5000/v3

openstack-config –set /etc/neutron/metadata_agent.ini DEFAULT auth_url http://192.168.11.106:5000/v3

1. cinder

[filter:authtoken]
auth_plugin = password
auth_url = http://192.168.11.106:35357
username = cinder
password = db1909452d844617
project_name = services
user_domain_name = Default
project_domain_name = Default
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
admin_tenant_name=services
auth_uri=http://192.168.11.106:5000/v3

1. glance

vi /etc/glance/glance-registry.conf
[keystone_authtoken]
auth_uri=http://192.168.11.106:5000/v3
auth_plugin = password
auth_url = http://192.168.11.106:35357
username = glance
password = 1566c4b41e424ef1
user_domain_name = Default
project_name = services
project_domain_name = Default

openstack-config –set /etc/glance/glance-api.conf keystone_authtoken auth_uri http://192.168.11.106:5000/v3

Modify the Horizon

vi /etc/openstack-dashboard/local_settings
OPENSTACK_API_VERSIONS = {
“identity”: 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = ‘Default’
OPENSTACK_KEYSTONE_URL = “http://192.168.11.106:5000/v3”

restart openstack service

openstack-service restart keystone
openstack-service restart nova
openstack-service restart glance
openstack-service restart cinder
openstack-service restart neutron
/bin/systemctl restart httpd.service