[Openstack] [keystone] keystone high availability document is out-of-date and doesn't work on newton

Steve Martinelli s.martinelli at gmail.com
Tue Nov 22 14:38:41 UTC 2016


On Tue, Nov 22, 2016 at 3:28 AM, Hong Gang Liu <shhgliu at cn.ibm.com> wrote:

> Hi folks,
>
>
>
> I'm working on setting up keystone (identity API) high availability
> with the Newton release on CentOS 7.2. According to the document
> http://docs.openstack.org/ha-guide/controller-ha-identity.html , I use
> pacemaker to achieve it.
>
>
>
> Unfortunately, the document is out-of-date, for example:
>
> 1. the doc suggests adding the "systemd:openstack-keystone" resource to
> pacemaker. However, as a separate service, openstack-keystone has already
> been deprecated/dropped in the Newton release. It's integrated into the
> httpd service as well as horizon.
>
> 2. for modifying the conf files of keystone and other services, most of
> the parameters have changed too.
>
>
>
> After investigation, I made some progress with the following steps:
>
>
>
> 1. use ocf instead of systemd: download the keystone ocf file from
> https://git.openstack.org/cgit/openstack/openstack-resource-agents/plain/ocf/keystone,
> then add rx to it. Besides this, I also made more modifications to the ocf
> file because some keystone commands used in it are deprecated/dropped too:
> such as changing "keystone-all" to "keystone-manage", removing "keystone"
> etc.
>
> 2. after step 1, pcs can list openstack-keystone as an ocf resource, and
> then add it successfully.
>
> 3. add virtual IP resource to pcs successfully.
>
> 4. modify "admin_bind_host/public_bind_host" in keystone.conf to vip.
>
> 5. update 3 keystone endpoint values to vip in database.
>
> 6. modify auth_url/auth_uri in other OpenStack services conf files to vip.
>
> 7. modify the keystonerc_admin OS_AUTH_URL to vip.
>
> 8. restart all services.
>
> But it doesn't work. The symptom is that I can use curl commands to get
> the endpoint lists from the vip url, but all openstack command line calls
> fail with error message 404 while getting tokens.
>

Propose a patch to update the manual :)


> So I want to know your views on the following questions:
>
> 1. is there any new document for keystone high availability on
> newton?
>
> 2. for the Newton release, keystone is not a separate system service any
> more, it's integrated into httpd as a sub-service. Do pacemaker and
> OpenStack still support the keystone HA function?
>
> 3. Has anyone set up keystone HA on the newton release successfully?
>

There was a mailing list thread about this a few months ago:
http://lists.openstack.org/pipermail/openstack/2016-September/017611.html
There's a lot of good information on that (there were many replies)