Migrate keystone v2.0 to keystone v3 OpenStack

Blog
Search…
Blog
Welcome to egonzalez blog
Hacking
Index
OpenStack
Docker and DevOps
Index
Migrate keystone v2.0 to keystone v3 OpenStack
Migrate from keystone v2.0 to v3 isn't as easy like just changing the endpoints at the database, every service must be configured to authenticate against keystone v3.
I've been working on that the past few days looking for a method, with the purpose of facilitate operators life's who need this kind of migration.
I have to thank Adam Young work, i followed his blog to make a first configuration idea, after that, i configured all core services to make use of keystone v3. If you want to check Adam's blog, follow this link: http://adam.younglogic.com/2015/05/rdo-v3-only/​
I used OpenStack Liberty installed with RDO packstack over CentOS 7 servers. The example IP used is 192.168.200.168, use your own according your needs. Password used for all services is PASSWD1234, use your own password, you can locate your passwords at the packstack answer file.
Horizon
First we configure Horizon with keystone v3 as below:
1
vi /etc/openstack-dashboard/local_settings
2
​
3
OPENSTACK_API_VERSIONS = {
4
    "identity": 3
5
}
6
​
7
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
8
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
Copied!
keystone
Check your current identity endpoints
1
mysql  --user keystone_admin --password=PASSWD1234  keystone -e "select interface, url from endpoint where service_id =  (select id from service where service.type = 'identity');"
Copied!
Change your public, admin and internal endpoints with v3 at the end, instead of v2.0
1
mysql  --user keystone_admin --password=PASSWD1234   keystone -e "update endpoint set   url  = 'http://192.168.200.178:5000/v3' where  interface ='internal' and  service_id =  (select id from service where service.type = 'identity');"
2
​
3
mysql  --user keystone_admin --password=PASSWD1234   keystone -e "update endpoint set   url  = 'http://192.168.200.178:5000/v3' where  interface ='public' and  service_id =  (select id from service where service.type = 'identity');"
4
​
5
mysql  --user keystone_admin --password=PASSWD1234   keystone -e "update endpoint set   url  = 'http://192.168.200.178:35357/v3' where  interface ='admin' and  service_id =  (select id from service where service.type = 'identity');"
Copied!
Ensure the endpoints are properly created
1
mysql  --user keystone_admin --password=KEYSTONE_DB_PW   keystone -e "select interface, url from endpoint where service_id =  (select id from service where service.type = 'identity');"
Copied!
Create a source file or edit keystonerc_admin with the following data
1
vi v3_keystone
2
​
3
unset OS_SERVICE_TOKEN
4
export OS_USERNAME=admin
5
export OS_PASSWORD=PASSWD1234
6
export OS_AUTH_URL=http://192.168.200.178:5000/v3
7
export OS_PROJECT_NAME=admin
8
export OS_PROJECT_DOMAIN_NAME=Default
9
export OS_USER_DOMAIN_NAME=Default
10
export OS_REGION_NAME=RegionOne
11
export PS1='[\[email protected]\h \W(keystone_admin)]\$ '
12
export OS_IDENTITY_API_VERSION=3
Copied!
Comment both pipelines, in public_api and admin_api
1
vi /usr/share/keystone/keystone-dist-paste.ini
2
​
3
[pipeline:public_api]
4
# The last item in this pipeline must be public_service or an equivalent
5
# application. It cannot be a filter.
6
#pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
7
​
8
[pipeline:admin_api]
9
# The last item in this pipeline must be admin_service or an equivalent
10
# application. It cannot be a filter.
11
#pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
Copied!
Comment v2.0 entries in composite:main and admin sections.
1
[composite:main]
2
use = egg:Paste#urlmap
3
#/v2.0 = public_api
4
/v3 = api_v3
5
/ = public_version_api
6
​
7
[composite:admin]
8
use = egg:Paste#urlmap
9
#/v2.0 = admin_api
10
/v3 = api_v3
11
/ = admin_version_api
Copied!
Restart httpd to apply changes
1
systemctl restart httpd
Copied!
Check whether keystone and horizon are properly working
The command below should prompt an user list, if not, check configuration in previous steps
1
openstack user list
Copied!
Glance
Edit the following files, with the content below:
1
vi /etc/glance/glance-api.conf 
2
vi /etc/glance/glance-registry.conf 
3
vi /etc/glance/glance-cache.conf 
4
​
5
[keystone_authtoken]
6
​
7
auth_plugin = password
8
auth_url = http://192.168.200.178:35357
9
username = glance
10
password = PASSWD1234
11
project_name = services
12
user_domain_name = Default
13
project_domain_name = Default
14
auth_uri=http://192.168.200.178:5000
Copied!
Comment the following lines:
1
#auth_host=127.0.0.1
2
#auth_port=35357
3
#auth_protocol=http
4
#identity_uri=http://192.168.200.178:35357
5
#admin_user=glance
6
#admin_password=PASSWD1234
7
#admin_tenant_name=services
Copied!
Those lines, should be commented in all the other OpenStack core services at keystone_authtoken section
Edit the files below and comment the lines inside keystone_authtoken section.
1
vi /usr/share/glance/glance-api-dist.conf 
2
vi /usr/share/glance/glance-registry-dist.conf 
3
​
4
[keystone_authtoken]
5
#admin_tenant_name = %SERVICE_TENANT_NAME%
6
#admin_user = %SERVICE_USER%
7
#admin_password = %SERVICE_PASSWORD%
8
#auth_host = 127.0.0.1
9
#auth_port = 35357
10
#auth_protocol = http
Copied!
Restart glance services
1
openstack-service restart glance
Copied!
Ensure glance service is working
1
openstack image list
Copied!
Nova
Edit the file below and comment the lines inside keystone_authtoken
1
vi /usr/share/nova/nova-dist.conf
2
​
3
[keystone_authtoken]
4
#auth_host = 127.0.0.1
5
#auth_port = 35357
6
#auth_protocol = http
Copied!
Edit nova.conf and add the auth content inside keystone_authtoken, don't forget to comment the lines related to the last auth method, which were commented in glance section.
1
vi /etc/nova/nova.conf
2
​
3
[keystone_authtoken]
4
​
5
auth_plugin = password
6
auth_url = http://192.168.200.178:35357
7
username = nova
8
password = PASSWD1234
9
project_name = services
10
user_domain_name = Default
11
project_domain_name = Default
12
auth_uri=http://192.168.200.178:5000
Copied!
Configure nova authentication against neutron
1
[neutron]
2
​
3
auth_plugin = password
4
auth_url = http://192.168.200.178:35357
5
username = neutron
6
password = PASSWD1234
7
project_name = services
8
user_domain_name = Default
9
project_domain_name = Default
10
auth_uri=http://192.168.200.178:5000
Copied!
Restart nova services to apply changes
1
openstack-service restart nova
Copied!
Check if nova works
1
openstack hypervisor list
Copied!
Neutron
Comment or remove the following entries at api-paste.ini and add the new version auth lines
1
vi /etc/neutron/api-paste.ini 
2
​
3
[filter:authtoken]
4
#identity_uri=http://192.168.200.178:35357
5
#admin_user=neutron
6
#admin_password=PASSWD1234
7
#auth_uri=http://192.168.200.178:5000/v2.0
8
#admin_tenant_name=services
9
​
10
auth_plugin = password
11
auth_url = http://192.168.200.178:35357
12
username = neutron
13
password = PASSWD1234
14
project_name = services
15
user_domain_name = Default
16
project_domain_name = Default
17
auth_uri=http://192.168.200.178:5000
Copied!
Configure v3 authentication for metadata service, remember comment the old auth lines
1
vi /etc/neutron/metadata_agent.ini
2
​
3
[DEFAULT]
4
​
5
auth_plugin = password
6
auth_url = http://192.168.200.178:35357
7
username = neutron
8
password = PASSWD1234
9
project_name = services
10
user_domain_name = Default
11
project_domain_name = Default
12
auth_uri=http://192.168.200.178:5000
Copied!
Configure neutron server with v3 auth
1
vi /etc/neutron/neutron.conf
2
​
3
nova_admin_auth_url = http://192.168.200.178:5000
4
# nova_admin_tenant_id =1fb93c84c6474c5ea92c0ed5f7d4a6a7
5
nova_admin_tenant_name = services
6
​
7
​
8
[keystone_authtoken]
9
​
10
auth_plugin = password
11
auth_url = http://192.168.200.178:35357
12
username = neutron
13
password = PASSWD1234
14
project_name = services
15
user_domain_name = Default
16
project_domain_name = Default
17
auth_uri=http://192.168.200.178:5000
18
​
19
#auth_uri = http://192.168.200.178:5000/v2.0
20
#identity_uri = http://192.168.200.178:35357
21
#admin_tenant_name = services
22
#admin_user = neutron
23
#admin_password = PASSWD1234
Copied!
Configure neutron auth against nova services
1
[nova]
2
​
3
auth_plugin = password
4
auth_url = http://192.168.200.178:35357
5
username = nova
6
password = PASSWD1234
7
project_name = services
8
user_domain_name = Default
9
project_domain_name = Default
10
auth_uri=http://192.168.200.178:5000
Copied!
Restart neutron services to apply changes
1
openstack-service restart neutron
Copied!
Test correct neutron funtionality
1
openstack network list
Copied!
Cinder
Edit api-paste.ini with the following content
1
vi /etc/cinder/api-paste.ini 
2
​
3
[filter:authtoken]
4
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
5
auth_plugin = password
6
auth_url = http://192.168.200.178:35357
7
username = cinder
8
password = PASSWD1234
9
project_name = services
10
user_domain_name = Default
11
project_domain_name = Default
12
auth_uri=http://192.168.200.178:5000
13
#admin_tenant_name=services
14
#auth_uri=http://192.168.200.178:5000/v2.0
15
#admin_user=cinder
16
#identity_uri=http://192.168.200.178:35357
17
#admin_password=PASSWD1234
Copied!
Restart cinder services to apply changes
1
openstack-service restart cinder
Copied!
Ensure cinder is properly running
1
openstack volume create --size 1 testvolume
2
openstack volume list
Copied!
Now, you can check if nova is working fine, create an instance and ensure it is in ACTIVE state.
1
openstack server create --flavor m1.tiny --image cirros --nic net-id=a1aa6336-9ae2-4ffb-99f5-1b6d1130989c testinstance
2
openstack server list
Copied!
If any error occurs, review configuration files
Swift
Configure proxy server auth agains keystone v3
1
vi /etc/swift/proxy-server.conf
2
​
3
[filter:authtoken]
4
log_name = swift
5
signing_dir = /var/cache/swift
6
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
7
auth_plugin = password
8
auth_url = http://192.168.200.178:35357
9
username = swift
10
password = PASSWD1234
11
project_name = services
12
user_domain_name = Default
13
project_domain_name = Default
14
auth_uri=http://192.168.200.178:5000
15
​
16
#auth_uri = http://192.168.200.178:5000/v2.0
17
#identity_uri = http://192.168.200.178:35357
18
#admin_tenant_name = services
19
#admin_user = swift
20
#admin_password = PASSWD1234
21
delay_auth_decision = 1
22
cache = swift.cache
23
include_service_catalog = False
Copied!
Restart swift services to apply changes
1
openstack-service restart swift
Copied!
| Swift commands must be issued with python-openstackclient instead of swiftclient
If done with swiftclient a -V 3 option must be used in order to avoid issues
Check if swift works fine
1
openstack container create testcontainer
Copied!
Ceilometer
Configure ceilometer service in order to authenticate agains keystone v3
1
[keystone_authtoken]
2
​
3
auth_plugin = password
4
auth_url = http://192.168.200.178:35357
5
username = ceilometer
6
password = PASSWD1234
7
project_name = services
8
user_domain_name = Default
9
project_domain_name = Default
10
auth_uri=http://192.168.200.178:5000
11
​
12
[service_credentials]
13
​
14
os_auth_url = http://controller:5000/v3
15
os_username = ceilometer
16
os_tenant_name = services
17
os_password = PASSWD1234
18
os_endpoint_type = internalURL
19
os_region_name = RegionOne
Copied!
Restart ceilometer services
1
openstack-service restart ceilometer
Copied!
Check ceilometer funtionality
1
ceilometer statistics -m memory
Copied!
Heat
Configure Heat authentication, since trusts are not stable use password auth method
1
vi /etc/heat/heat.conf
2
​
3
# Allowed values: password, trusts
4
#deferred_auth_method = trusts
5
deferred_auth_method = password
Copied!
Configure auth_uri and keystone_authtoken section
1
# From heat.common.config
2
#
3
# Unversioned keystone url in format like http://0.0.0.0:5000. (string value)
4
#auth_uri =
5
auth_uri = http://192.168.200.178:5000
6
​
7
[keystone_authtoken]
8
​
9
auth_plugin = password
10
auth_url = http://192.168.200.178:35357
11
username = heat
12
password = PASSWD1234
13
project_name = services
14
user_domain_name = Default
15
project_domain_name = Default
16
auth_uri=http://192.168.200.178:5000
17
​
18
#admin_user=heat
19
#admin_password=PASSWD1234
20
#admin_tenant_name=services
21
#identity_uri=http://192.168.200.178:35357
22
#auth_uri=http://192.168.200.178:5000/v2.0
Copied!
Comment or remove heat-dist auth entries in order to avoid conflicts with your config files
1
vi /usr/share/heat/heat-dist.conf 
2
​
3
[keystone_authtoken]
4
#auth_host = 127.0.0.1
5
#auth_port = 35357
6
#auth_protocol = http
7
#auth_uri = http://127.0.0.1:5000/v2.0
8
#signing_dir = /tmp/keystone-signing-heat
Copied!
Restart heat services to apply changes
1
openstack-service restart heat
Copied!
Ensure heat authentication is properly configured with a simple heat template
1
heat stack-create --template-file sample.yaml teststack
Copied!
Most issues occurs in the authentication between nova and neutron services, if instances does not launch as expected, review [nova] and [neutron] sections.
Best regards, Eduardo Gonzalez
OpenStack affinity/anti-affinity groups
Neutron DVR OpenStack Liberty
Last modified 1yr ago
Copy link