Migrate keystone v2.0 to keystone v3 OpenStack

Migrating from keystone v2.0 to v3 isn't as easy as just changing the endpoints in the database; every service must be configured to authenticate against keystone v3.

I've been working on this for the past few days, looking for a method to make life easier for operators who need this kind of migration.

I have to thank Adam Young for his work; I followed his blog to form a first configuration idea, and after that I configured all core services to use keystone v3. If you want to check Adam's blog, follow this link: http://adam.younglogic.com/2015/05/rdo-v3-only/

I used OpenStack Liberty installed with RDO packstack on CentOS 7 servers. The example IP used is 192.168.200.168; use your own according to your needs. The password used for all services is PASSWD1234; use your own password. You can find your passwords in the packstack answer file.

Horizon

First we configure Horizon with keystone v3 as below:

vi /etc/openstack-dashboard/local_settings

OPENSTACK_API_VERSIONS = {
    "identity": 3
}

OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

Keystone

Check your current identity endpoints

mysql  --user keystone_admin --password=PASSWD1234  keystone -e "select interface, url from endpoint where service_id =  (select id from service where service.type = 'identity');"

Change your public, admin and internal endpoints so that they end with v3 instead of v2.0

mysql  --user keystone_admin --password=PASSWD1234   keystone -e "update endpoint set   url  = 'http://192.168.200.178:5000/v3' where  interface ='internal' and  service_id =  (select id from service where service.type = 'identity');"

mysql  --user keystone_admin --password=PASSWD1234   keystone -e "update endpoint set   url  = 'http://192.168.200.178:5000/v3' where  interface ='public' and  service_id =  (select id from service where service.type = 'identity');"

mysql  --user keystone_admin --password=PASSWD1234   keystone -e "update endpoint set   url  = 'http://192.168.200.178:35357/v3' where  interface ='admin' and  service_id =  (select id from service where service.type = 'identity');"

Ensure the endpoints are properly created

Create a source file or edit keystonerc_admin with the following data

Comment out both pipelines, in public_api and admin_api

Comment out the v2.0 entries in the composite:main and admin sections.

Restart httpd to apply changes

Check whether keystone and horizon are properly working

The command below should print a user list; if it does not, check the configuration from the previous steps

Glance

Edit the following files, with the content below:

Comment out the following lines:

Those lines should be commented out in the keystone_authtoken section of all the other OpenStack core services

Edit the files below and comment out the lines inside the keystone_authtoken section.

Restart glance services

Ensure glance service is working

Nova

Edit the file below and comment out the lines inside keystone_authtoken

Edit nova.conf and add the auth content inside keystone_authtoken. Don't forget to comment out the lines related to the old auth method, the same ones that were commented out in the Glance section.

Configure nova authentication against neutron

Restart nova services to apply changes

Check if nova works

Neutron

Comment out or remove the following entries in api-paste.ini and add the new version auth lines

Configure v3 authentication for the metadata service; remember to comment out the old auth lines

Configure neutron server with v3 auth

Configure neutron auth against nova services

Restart neutron services to apply changes

Test that neutron works correctly

Cinder

Edit api-paste.ini with the following content

Restart cinder services to apply changes

Ensure cinder is properly running

Now you can check whether nova is working: create an instance and ensure it reaches the ACTIVE state.

If any error occurs, review configuration files

Swift

Configure proxy server auth against keystone v3

Restart swift services to apply changes

Swift commands must be issued with python-openstackclient instead of swiftclient

If swiftclient is used, the -V 3 option must be passed in order to avoid issues

Check if swift works fine

Ceilometer

Configure the ceilometer service to authenticate against keystone v3

Restart ceilometer services

Check ceilometer functionality

Heat

Configure Heat authentication; since trusts are not stable, use the password auth method

Configure auth_uri and keystone_authtoken section

Comment or remove heat-dist auth entries in order to avoid conflicts with your config files

Restart heat services to apply changes

Ensure heat authentication is properly configured with a simple heat template

Most issues occur in the authentication between the nova and neutron services; if instances do not launch as expected, review the [nova] and [neutron] sections.
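An added check, not part of the original post: this Python code scans a service's configuration text for leftovers the steps above are meant to remove, namely a /v2.0 route in a composite: section, any URL still containing /v2.0, and old-style options in keystone_authtoken or filter:authtoken. The legacy option names are an assumption based on keystonemiddleware's older auth_token settings, and the sample files are constructed for illustration.

```python
import configparser

# Assumed v2.0-era auth_token option names (keystonemiddleware), not taken from the page.
LEGACY_OPTIONS = {"auth_host", "auth_port", "auth_protocol", "identity_uri",
                  "admin_user", "admin_password", "admin_tenant_name"}
AUTH_SECTIONS = {"keystone_authtoken", "filter:authtoken"}

def audit_config(text):
    """Return sorted (section, option, reason) findings for one INI-style file."""
    parser = configparser.RawConfigParser(
        strict=False,                  # tolerate repeated sections and options
        allow_no_value=True,           # tolerate bare keys without '='
        delimiters=("=",),             # values such as egg:Paste#urlmap contain ':'
        default_section="__unused__",  # treat [DEFAULT] as an ordinary section
    )
    parser.read_string(text)
    findings = set()
    for section in parser.sections():
        for option, value in parser.items(section):
            if section.startswith("composite:") and option.startswith("/v2.0"):
                findings.add((section, option, "v2.0 route still enabled"))
            if "/v2.0" in (value or ""):
                findings.add((section, option, "URL still points at v2.0"))
            if section in AUTH_SECTIONS and option in LEGACY_OPTIONS:
                findings.add((section, option, "legacy auth option still set"))
    return sorted(findings)

# Constructed samples (not real files); commented-out lines are ignored by the parser.
MIGRATED_NOVA = """
[keystone_authtoken]
#identity_uri = http://192.168.200.178:35357
auth_uri = http://192.168.200.178:5000/v3
"""
STALE_NOVA = """
[keystone_authtoken]
auth_uri = http://192.168.200.178:5000/v2.0
admin_tenant_name = services
[neutron]
auth_url = http://192.168.200.178:35357/v2.0
"""
STALE_PASTE = """
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
"""
if __name__ == "__main__":
    for sample in (MIGRATED_NOVA, STALE_NOVA, STALE_PASTE):
        print(audit_config(sample))
```

To audit a live host, pass the contents of each service's .conf and api-paste.ini file to audit_config and treat any non-empty result as a step that still needs attention.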

Best regards, Eduardo Gonzalez
