OpenStack HA: Part 01: Accounts
Here is a writeup on what I did to implement HA within OpenStack Icehouse. I’m currently working on revamping / automating the entire process for Kilo – but that will be a while from now.
We’ll walk through the entire process, from Keystone to Trove to Heat. In each case, you’ll have failover for each node.
In this article we cover accounts. Use this table as a template for the accounts that you will find you need. It’s critical to keep this documented but in a secure location.
|CentOS console||root||Strong admin password|
|MySQL OpenStack||osroot||Strong admin password|
|MySQL OpenStack||haproxy||[no password]|
|OpenStack Accounts||[ADMIN_PASSWORD]||Strong admin password|
|[OPENSTACK_ADMIN_PASSWORD]; URI form is the same but URI-encoded|
|OpenStack Region||[YOUR_REGION]||Not really a user name, but documented here. This is the default region.|
|OpenStack Swift Storage with CHAP||lvosswift100||lvosswift100|
|OpenStack Swift Storage with CHAP||lvosswift200||lvosswift200|
|OpenStack Ceph Storage with CHAP||lvoscephx100||lvoscephx100|
|OpenStack Ceph Storage with CHAP||lvoscephx200||lvoscephx200|
|OpenStack Ceph Storage with CHAP||lvoscephx300||lvoscephx300|
|Ceph nodes admin user (inter-node communication)||ceph-admin||Strong admin password|
- Root accounts will use strong admin password.
- OpenStack accounts will use [SERVICE_PASSWORD].
- All OpenStack user IDs follow the module name (e.g. keystone, cinder, nova, neutron, glance, etc.)
- All password usage will be clearly documented for future maintenance.
Once you have this down, plan your networking and DNS. We’ll cover that in the next installment.