Technical Blog

Technical and Product News and Insights from Rackspace

Install OpenStack from source - part 6

This is the sixth and final installment in a series demonstrating how to install OpenStack from source. The five previous articles:

Previously we installed the Identity service (keystone), Image service (glance), Networking service (neutron), and the Compute service (nova) onto the controller node. We also installed neutron onto the network node and nova and neutron onto the compute node. In this section, we turn our attention to finishing up by installing the Volume service (cinder) and dashboard (horizon) onto the controller node.

As we finish up our OpenStack intallation, we turn our attention to both cinder and horizon. First, we start with cinder, and, like we have done before, we create the cinder user and the directories that the cinder user needs:

mkdir /var/cache/cinder
chown cinder:cinder /var/cache/cinder/
chmod 700 /var/cache/cinder

Now clone the cinder repo and install cinder:

git clone -b stable/kilo
cd cinder
pip install --requirement requirements.txt
python install
cd ~

Copy the cinder configuration files to the etc directory:

cp -R cinder/etc/cinder/* /etc/cinder
mv /etc/cinder/cinder.conf.sample /etc/cinder/cinder.conf

Set up sudo access for the newly created cinder user, again using the rootwrap sudo wrapper help to control sudo access:

cat > /etc/sudoers.d/cinder_sudoers << EOF
Defaults:cinder !requiretty

cinder ALL = (root) NOPASSWD: /usr/local/bin/cinder-rootwrap  /etc/cinder/rootwrap.conf *

chmod 440 /etc/sudoers.d/cinder_sudoers

Create the cinder configuration file

cat > /etc/cinder/cinder.conf << EOF
api_paste_config = /etc/cinder/api-paste.ini
auth_strategy = keystone

connection = mysql://cinder:cinder@$MY_PRIVATE_IP/cinder?charset=utf8

auth_uri = https://$MY_PRIVATE_IP:5000/v2.0
identity_uri = https://$MY_PRIVATE_IP:35357/
admin_user = cinder
admin_password = cinder
admin_tenant_name = service
signing_dir = /var/cache/cinder



Set proper ownership for the cinder configuration files:

chown cinder:cinder /etc/cinder/*.{conf,json,ini}

Create the database that cinder uses:

mysql -u root -pmysql -e 'CREATE DATABASE cinder;'
mysql -u root -pmysql -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY 'cinder';"
mysql -u root -pmysql -e "GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY 'cinder';"

Create the cinder database structure:

cinder-manage db sync

The sample data script that we used to populate data into keystone does not insert data for the cinder user, so we do that here. Create the cinder service user in keystone:

keystone user-create --tenant service --name cinder --pass cinder

Grant the ‘admin’ role to the cinder service user:

keystone user-role-add --user cinder --tenant service --role admin

Add a cinder service and a v2 endpoint in keystone:

openstack service create --type volumev2 \
  --description "OpenStack Block Storage" cinderv2

openstack endpoint create \
  --publicurl\(tenant_id\)s \
  --internalurl\(tenant_id\)s \
  --adminurl\(tenant_id\)s \
  --region RegionOne \

The back-end store for cinder, that we use in this example, is iSCSI. This installation assumes that the iSCSI has a volume group named cinder-volumes created on the controller node to use as actual store for cinder. Cinder then creates logical volumes for the various cinder volumes that are created. Install the open-iscsi and tgt packages:

apt-get install -y open-iscsi tgt

Configure tgt so that cinder can add volumes when they are requested to be created:

cat >> /etc/tgt/conf.d/cinder_tgt.conf << EOF
include /var/lib/cinder/volumes/*

Restart the open-iscsi and tgt service so that they see the configuration file changes:

service tgt restart
service open-iscsi restart

Create the cinder upstart scripts. First for the API service:

cat > /etc/init/cinder-api.conf << EOF
description "Cinder API"

start on runlevel [2345]
stop on runlevel [!2345]

chdir /var/run

pre-start script
        mkdir -p /var/run/cinder
        chown nova:root /var/run/cinder/

        mkdir -p /var/lock/cinder
        chown nova:root /var/lock/cinder/

end script

exec start-stop-daemon --start --chuid cinder --exec /usr/local/bin/cinder-api -- --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/api.log

Next for the cinder scheduler service:

cat > /etc/init/cinder-scheduler.conf << EOF
description "Cinder Scheduler"

start on runlevel [2345]
stop on runlevel [!2345]

chdir /var/run

pre-start script
        mkdir -p /var/run/cinder
        chown nova:root /var/run/cinder/

        mkdir -p /var/lock/cinder
        chown nova:root /var/lock/cinder/

end script

exec start-stop-daemon --start --chuid cinder --exec /usr/local/bin/cinder-scheduler -- --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/scheduler.log

And lastly for the cinder volume service:

cat > /etc/init/cinder-volume.conf << EOF
description "Cinder Volume"

start on runlevel [2345]
stop on runlevel [!2345]

chdir /var/run

pre-start script
        mkdir -p /var/run/cinder
        chown nova:root /var/run/cinder/

        mkdir -p /var/lock/cinder
        chown nova:root /var/lock/cinder/

end script

exec start-stop-daemon --start --chuid cinder --exec /usr/local/bin/cinder-volume -- --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/volume.log

At this point, we can start all the cinder services:

start cinder-api
start cinder-volume
start cinder-scheduler

Wait 20 to 30 seconds and verify that everything started:

ps aux|grep cinder

You should see something like:

root@controller:~# ps aux|grep cinder
cinder   14633  0.5  2.6 243092 55244 ?        Ss   Aug17 823:42 /usr/bin/python /usr/local/bin/cinder-api --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/api.log
cinder   14652  0.0  3.3 256064 69176 ?        S    Aug17   0:10 /usr/bin/python /usr/local/bin/cinder-api --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/api.log
cinder   14664  0.5  2.4 216680 49456 ?        Ss   Aug17 835:51 /usr/bin/python /usr/local/bin/cinder-volume --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/volume.log
cinder   14671  0.1  2.5 219392 52968 ?        S    Aug17 165:47 /usr/bin/python /usr/local/bin/cinder-volume --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/volume.log
cinder   14684  0.1  2.7 225120 56544 ?        Ss   Aug17 151:50 /usr/bin/python /usr/local/bin/cinder-scheduler --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/scheduler.log

If you don’t see all the services started, use the following commands to determine why it didn’t start.

sudo -u cinder cinder-api --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/cinder-api.log
sudo -u cinder cinder-scheduler --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/cinder-scheduler.log
sudo -u cinder cinder-volume --config-file=/etc/cinder/cinder.conf --log-file=/var/log/cinder/cinder-volume.log

Even though cinder is running you won’t be able to create cinder volumes without a volume group named cinder-volumes. If you want to use cinder you need to manually create that volume group on the controller node. If you don’t have an existing volume group with free space, you need to add a new disk partition to the controller node. Use the pvcreate and vgcreate commands to create a volume group with the correct name.

Start the horizon install by installing the package prerequisites for horizon:

apt-get install -y apache2 libapache2-mod-wsgi memcached python-memcache gettext

Add a horizon user to use for the Apache server:

useradd --home-dir "/usr/local/lib/python2.7/dist-packages/openstack_dashboard" \
        --create-home \
        --system \
        --shell /bin/false \

Clone the horizon git repo:

git clone -b stable/kilo
cd horizon

Now, use the python installer to install horizon:

python install

Create a directory where horizon can store lock files:

mkdir /var/lib/openstack-dashboard
chown horizon:horizon /var/lib/openstack-dashboard/

Make the openstack_dashboard configuration directory and copy the configuration file there:

mkdir /etc/openstack_dashboard
cp ~/horizon/openstack_dashboard/local/ /etc/openstack_dashboard/
chown -R horizon:horizon /etc/openstack_dashboard/

Remove the Openstack dashboard Python files that were installed earlier (they will be copied back in the next step):

rm -rf /usr/local/lib/python2.7/dist-packages/openstack_dashboard/*

Due to the way the Django WSGI file is written, create a openstack_dashboard subdirectory and copy the dashboard files there:

cp -r openstack_dashboard/ /usr/local/lib/python2.7/dist-packages/openstack_dashboard/
chown -R horizon:horizon /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/static
ln -s /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/static /usr/local/lib/python2.7/dist-packages/openstack_dashboard/static
ln -s /etc/openstack_dashboard/ /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/local/

Create the Apache configuration files for horizon:

cat >> /etc/apache2/sites-available/openstack.conf << EOF
<VirtualHost *:80>
    WSGIScriptAlias / /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10 home=/usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard display-name=%{GROUP}
    WSGIApplicationGroup %{GLOBAL}

    SetEnv APACHE_RUN_USER horizon
    SetEnv APACHE_RUN_GROUP horizon
    WSGIProcessGroup horizon

    DocumentRoot /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/.blackhole/
    Alias /media /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/static

    <Directory />
        Options FollowSymLinks
        AllowOverride None

    <Directory /usr/local/lib/python2.7/dist-packages/openstack_dashboard/openstack_dashboard/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.4 uses mod_authz_host for access control now (instead of
        #  "Allow")
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        <IfVersion >= 2.4>
            Require all granted

    ErrorLog /var/log/apache2/horizon_error.log
    LogLevel warn
    CustomLog /var/log/apache2/horizon_access.log combined
WSGISocketPrefix /var/run/apache2

Enable the newly created Openstack horizon web virtual server and disable the default Apache server:

a2ensite openstack
a2dissite 00-default

Set Apache to run as the newly created horizon user:

sed -i 's/export APACHE_RUN_USER=www-data/export APACHE_RUN_USER=horizon/g' /etc/apache2/envvars
sed -i 's/export APACHE_RUN_GROUP=www-data/export APACHE_RUN_GROUP=horizon/g' /etc/apache2/envvars

Make some configuration setings to

sed -e 's/DEBUG = True/DEBUG = False/g' /etc/openstack_dashboard/
sed -i "s/#ALLOWED_HOSTS = \['', \]/#ALLOWED_HOSTS = \['', \]\nALLOWED_HOSTS = \['*' \]/g" /etc/openstack_dashboard/

Look for the following lines in /etc/openstack_dashboard/ and change them from:

SECRET_KEY = secret_key.generate_or_read_from_file(
os.path.join(LOCAL_PATH, '.secret_key_store'))


SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')

Change the CACHES section to:

    'default': {
        'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION' : '',

#    'default': {
#        'BACKEND' : 'django.core.cache.backends.locmem.LocMemCache'
#    }

The default Ubuntu operating system Apache configuration uses /horizon as the application root, but we will use / Configure auth redirects:

sed -i "s|# LOGIN_URL = WEBROOT + 'auth/login/'|LOGIN_URL='/auth/login/|g" /etc/openstack_dashboard/
sed -i "s|# LOGOUT_URL = WEBROOT + 'auth/logout/'|LOGOUT_URL='/auth/logout/'|g" /etc/openstack_dashboard/
sed -i "s|# LOGIN_REDIRECT_URL = WEBROOT|LOGIN_REDIRECT_URL='/'|g" /etc/openstack_dashboard/

Download the novnc software so that we can use the dashboard to access the console for each VM:

git clone git://

Now move the novnc files to a location where horizon expects them:

mkdir /usr/share/novnc
cp -r noVNC/* /usr/share/novnc

Install novnc prerequisites:

apt-get install libjs-jquery libjs-sphinxdoc libjs-swfobject libjs-underscore

Generate the nova-novncproxy upstart script:

cat >> /etc/init/nova-novncproxy.conf << EOF
description "Nova novnc proxy worker"

start on runlevel [2345]
stop on runlevel [!2345]

chdir /var/run

pre-start script
        mkdir -p /var/run/nova
        chown nova:root /var/run/nova/

        mkdir -p /var/lock/nova
        chown nova:root /var/lock/nova/

        modprobe nbd
end script

Start the nova-novncproxy service and restart Apache to read the configuration changes:

start nova-novncproxy
service apache2 restart

Verify that the nova-novncproxy service is running:

ps aux|grep nova-novncproxy

You should see output similar to:

root@controller:~# ps aux|grep nova-novncproxy
nova      2764  0.0  1.8 144432 37288 ?        Ss   Aug17   0:35 /usr/bin/python /usr/local/bin/nova-novncproxy --config-file=/etc/nova/nova.conf --log-file=/var/log/nova/nova-novnc.log

If the service didn’t start, use the following command to test nova-novncproxy and get log output:

sudo -u nova nova-novncproxy --config-file=/etc/nova/nova.conf

That finishes up the OpenStack install. You can point your browser to the outside interface on the controller node and access the OpenStack dashboard. The login credentials are in the openrc file in the /root directory on the controller node. Good luck with your newly created OpenStack setup.

post avatar
Phil Hopkins

Share this information: