Basic Notes on OpenStack install on CentOS
Disable selinux
Fully Disabling SELinux
Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.
In Fedora Core and Red Hat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
… and then reboot the system.
Optionally, you can set it to permissive instead, in which case SELinux prints warnings rather than enforcing the policy.
Before beginning, disable NetworkManager and firewalld and enable ntpd:
After installing the operating system on each node for the architecture that you choose to deploy, you must configure the network interfaces. We recommend that you disable any automated network management tools and manually edit the appropriate configuration files for your distribution. For more information on how to configure networking on your distribution, see the documentation.
To disable NetworkManager and enable the network service:
# service NetworkManager stop
# service network start
# chkconfig NetworkManager off
# chkconfig network on
RHEL and derivatives including CentOS and Scientific Linux enable a restrictive firewall by default. During this installation, certain steps will fail unless you alter or disable the firewall. For further information about securing your installation, refer to the OpenStack Security Guide.
On Fedora, firewalld replaces iptables as the default firewall system. While you can use firewalld successfully, this guide references iptables for compatibility with other distributions.
To disable firewalld and enable iptables:
# service firewalld stop
# service iptables start
# chkconfig firewalld off
# chkconfig iptables on
Proceed to network configuration for the example OpenStack Networking (neutron) or legacy networking (nova-network) architecture.
Install OpenStack RDO:
Step 0: Prerequisites
Software: Red Hat Enterprise Linux (RHEL) 7 is the minimum recommended version, or the equivalent version of one of the RHEL-based Linux distributions such as CentOS, Scientific Linux, etc. x86_64 is currently the only supported architecture. See also RDO repository info for details on required repositories. Please name the host with a fully qualified domain name rather than a short-form name to avoid DNS issues with Packstack.
Hardware: Machine with at least 4GB RAM, processors with hardware virtualization extensions, and at least one network adapter.
Step 1: Software repositories
Update your current packages:
sudo yum update -y
Set up the RDO repositories:
sudo yum install -y https://rdoproject.org/repos/rdo-release.rpm
Looking for an older version? See http://rdoproject.org/repos/ for the full listing.
Step 2: Install Packstack Installer
sudo yum install -y openstack-packstack
Step 3: Run Packstack to install OpenStack
Packstack takes the work out of manually setting up OpenStack. For a single node OpenStack deployment, run the following command.
packstack --allinone
If you encounter failures, see the Workarounds page for tips.
If you have run packstack previously, there will be a file in your home directory named something like packstack-answers-20130722-153728.txt. You will probably want to use that file again, using the --answer-file option, so that any passwords you’ve already set (e.g.: mysql) will be reused.
The installer will ask you to enter the root password for each host node you are installing on the network, to enable remote configuration of the host so it can remotely configure each node using Puppet.
Once the process is complete, you can log in to the OpenStack web interface “Horizon” by going to http://$YOURIP/dashboard. The username is “admin”. The password can be found in the file keystonerc_admin in the /root/ directory of the control node.
Next Steps
Now that your single node OpenStack instance is up and running, you can read on about running an instance, configuring a floating IP range, configuring RDO to work with your existing network, or about expanding your installation by adding a compute node.
Network Time Protocol (NTP)
To synchronize services across multiple machines, you must install NTP. The examples in this guide configure the controller node as the reference server and any additional nodes to set their time from the controller node.
Install the ntp package on each system running OpenStack services:
# yum install ntp
Set up the NTP server on your controller node so that it receives data by modifying the ntp.conf file and restarting the service:
# service ntpd start
# chkconfig ntpd on
It is advised that you configure additional nodes to synchronize their time from the controller node rather than from outside of your LAN. To do so, install the ntp daemon as above, then edit /etc/ntp.conf and change the server directive to use the controller node as the time source.
If needed, how to continue the install after a failure or after fixing issues:
packstack --answer-file <answerfile name>
The answer file tends to be in root's home directory.
For remote access to the dashboard:
Edit /etc/httpd/conf.d/15-horizon_vhost.conf
Change ServerAlias to be *
Installing Dependencies
At least on my CentOS 7 system, I needed to install a few dependencies first. You can take the chance of running packstack and then dealing with each error, but I recommend getting these dependencies installed first. Rerunning packstack after a failure is not always a stable thing to do.
- Install GCC
yum install gcc
- Install Python headers
yum install python-devel
- If you don’t have pip (just type “pip” to see), you need to install it.
- Add the repository for CentOS extras:
rpm -iUvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
- Now install pip:
yum install python-pip
- Install a couple of python dependencies with pip:
pip install oslo.concurrency
pip install netifaces
Installing RDO
- Install the Kilo RDO release:
yum install -y http://rdoproject.org/repos/openstack-kilo/rdo-release-kilo.rpm
- Install packstack:
yum -y install openstack-packstack
Running Packstack
This worked perfectly with CentOS 7 and Kilo once I installed the dependencies mentioned above. See the last section of this Guide for some problems I encountered when learning what dependencies I needed.
- Run packstack:
packstack --allinone
It will take a while. If you are lucky, you’ll get this:
Things you should know about RDO:
- RDO uses systemd service files for starting all components on system boot. These can be found in /usr/lib/systemd/system. On my system, I have 53 of them.
- The Horizon admin password can be found in /root/keystonerc_admin.
- The Horizon demo password can be found in /root/keystonerc_demo.
- Packstack can also be run in an interactive mode, where it prompts you for various configuration parameters (and there are lots of them). When you run with the --allinone switch it will provide the answers itself, and will save those answers in /root/packstack-answers-[TIMESTAMP].txt. This is a useful file to peruse, as it shows you how the various components have been set up.
- The MariaDB root password can be found in the packstack-answers file under the key CONFIG_MARIADB_PW.
- All OpenStack logs can be found under /var/log under the different service names (nova, horizon, cinder, glance, neutron, rabbitmq, mariadb, etc.).
- Many configuration files for OpenStack can be found under /etc (nova, keystone, neutron, my.cnf.d, etc.)
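An added check, not from the original notes or the RDO project: since the keystonerc and packstack-answers files listed above hold the admin and database passwords, this function reports any of them that group or other users can access and names the password keys without printing values. The function name and the _PW/_PASSWORD key pattern are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the original notes. Flags packstack credential files
# that group or other users can access and names the password keys found in
# answers files, never printing a value.
# Assumption: keys ending in _PW or _PASSWORD hold secrets (not exhaustive).
audit_packstack_secrets() (
    dir=${1:-/root}; rc=0
    for f in "$dir"/keystonerc_* "$dir"/packstack-answers-*.txt; do
        [ -f "$f" ] || continue                   # glob matched nothing
        mode=$(ls -ld "$f" | cut -c1-10)          # e.g. -rw-------
        case $mode in
            -???------) ;;                        # owner-only: nothing to report
            *) echo "EXPOSED $mode $f"; rc=1 ;;
        esac
        case $f in */packstack-answers-*)
            awk -F= -v f="$f" '/^CONFIG_[A-Z0-9_]*_(PW|PASSWORD)=./ {
                print "SECRET " $1 " " f }' "$f" ;;
        esac
    done
    exit "$rc"                                    # non-zero if any file is exposed
)

# Constructed sample files in a scratch directory, not real credentials.
demo=$(mktemp -d)
printf 'export OS_USERNAME=admin\nexport OS_PASSWORD=constructed\n' \
    > "$demo/keystonerc_admin"
printf 'CONFIG_MARIADB_HOST=10.0.0.1\nCONFIG_MARIADB_PW=constructed\n' \
    > "$demo/packstack-answers-20150225-000000.txt"
chmod 644 "$demo/keystonerc_admin"
chmod 600 "$demo"/packstack-answers-*.txt
audit_packstack_secrets "$demo" || echo "tighten with: chmod 600 <file>"
```

Run it with no argument to check /root, the location these notes give for both kinds of file.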
Updating OpenStack
One thing you might eventually have to do is change something in the overall configuration and rerun the install. For example, I recently had to change the IP that services should bind to (I have two virtual network cards; one had a static IP and one had a dynamic one, but the initial packstack run picked the dynamic IP which I didn’t want).
- First, make a copy of the latest packstack-answers file.
- Edit the copy, changing the parameter(s) you need to. In my case, I did a global replace of all the bad IPs with the static one.
- Then rerun packstack, like this:
packstack --answer-file=packstack-answers-20150225.txt
- At the end, you’ll be told to reboot, so do that.
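The copy-and-edit steps above, as an added example (not part of the original notes or of packstack): a shell function that writes an owner-only edited copy of the answers file and replaces the old IP only where it stands as a whole address. The function name, file names and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original notes. Writes an edited copy of a
# packstack answers file with OLD_IP replaced by NEW_IP as a whole address.
# Usage: rebind_answers SRC OLD_IP NEW_IP DEST   (prints the keys it changed)
rebind_answers() (
    src=$1; old=$2; new=$3; dest=$4
    [ -r "$src" ] && [ -n "$old" ] || { echo "usage: SRC OLD NEW DEST" >&2; exit 1; }
    [ ! -e "$dest" ] || { echo "$dest exists, not overwriting" >&2; exit 1; }
    umask 077   # the answers file holds passwords: create the copy owner-only
    awk -v old="$old" -v new="$new" -v dest="$dest" '
    # Literal match (index, not a regex, so dots are not wildcards) that skips
    # hits embedded in a longer number: 10.0.0.1 must not rewrite 10.0.0.10.
    function swap(s,    out, pos, p, b, a, n) {
        n = length(old); pos = 1; out = ""
        while ((p = index(substr(s, pos), old)) > 0) {
            p += pos - 1                          # absolute match position
            b = (p > 1) ? substr(s, p - 1, 1) : ""
            a = substr(s, p + n, 1)
            if (b ~ /[0-9]/ || a ~ /[0-9]/) {     # inside another address
                out = out substr(s, pos, p - pos + 1); pos = p + 1
            } else {
                out = out substr(s, pos, p - pos) new; pos = p + n; hits++
            }
        }
        return out substr(s, pos)
    }
    /^[ \t]*#/ || !/=/ { print > dest; next }     # comments, [general], blanks
    {
        eq = index($0, "="); key = substr($0, 1, eq - 1)
        hits = 0; val = swap(substr($0, eq + 1))
        print key "=" val > dest
        if (hits) print key                       # changed keys go to stdout
    }' "$src"
)

# Constructed sample input, not a real answers file.
demo=$(mktemp -d)
cat > "$demo/packstack-answers-sample.txt" <<'EOF'
[general]
CONFIG_CONTROLLER_HOST=10.0.0.1
CONFIG_COMPUTE_HOSTS=10.0.0.1,10.0.0.10
CONFIG_MARIADB_PW=constructed-sample
EOF
rebind_answers "$demo/packstack-answers-sample.txt" 10.0.0.1 192.168.1.50 \
    "$demo/packstack-answers-static.txt"
cat "$demo/packstack-answers-static.txt"
```

Review the list of changed keys before passing the new file to packstack with --answer-file.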
One thing I noticed in my run is that the admin password was changed in keystone, but the updated keystonerc_admin file was wrong. I had to manually change the admin password as shown below.
Changing the admin password
- Chances are you’ll want a better admin password than the random one created in keystonerc_admin. One way you can change this is via the keystone script. This method also works when you forget your admin password or it’s changed on you by packstack and not logged.
- First, you need to get the admin token from /etc/keystone/keystone.conf. Look for the line starting with “admin_token”, near the top.
- Export these environment variables:
export OS_SERVICE_TOKEN=[YOUR_ADMIN_TOKEN]
export OS_SERVICE_ENDPOINT=http://[YOUR_IP]:35357/v2.0
35357 is the default admin port for keystone.
- Now you can change the admin password like this:
keystone user-password-update --pass [YOUR_NEW_PASSWORD] admin
- There are other useful things as well that can be done this way, like user-list, etc. Run
keystone help
for a full list.
FIX CINDER VOLUME ERRORS
Edit /etc/cinder/cinder.conf and add the following under [keystone_authtoken]:
auth_uri=http://<ipaddr>:5000/
auth_url=http://<ipaddr>:35357/
identity_uri=http://<ipaddr>:35357/