Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency):
# apt-get install keystone
Answer to the
debconfanddbconfig-commonquestions for setting-up the database.Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Respond to the debconf prompt with the value in the
admin_tokendirective in thekeystone.conffile. Use the openssl rand -hex 10 command to generate this password.
Later, you can verify that the
/etc/keystone/keystone.conffile contains the password you have set using debconf:[DEFAULT] # A "shared secret" between keystone and other openstack services admin_token = ADMIN_TOKEN ...
If you omit a password (for example by pressing Enter at the debconf prompt, or installing Keystone using the Debconf non-interactive mode) the package generates a random
ADMIN_TOKENvalue.Respond to the prompts to create an administrative tenant:
If this is the first time you have installed the Identity Service, register the Identity Service in the service catalog:
By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens will considerably increase database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using
cronto purge expired tokens hourly.Run the following command to purge expired tokens every hour and log the output to
/var/log/keystone/keystone-tokenflush.log:# (crontab -l 2>&1 | grep -q token_flush) || \ echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/root
