Skip to content

Handling Keystone Server Change

vedujoshi edited this page Aug 10, 2015 · 3 revisions

Steps to reconfigure a cluster to use a new Keystone IP

The projects in API Server are synced from keystone, to configure a new keystone server would mean that all the existing Contrail data(projects/vns/vms/policy etc.) would be invalid and would be cleaned up.

Delete all VMs on nova and any SIs

Stop all contrail services on nodes:
service supervisor-config stop ; service supervisor-control stop ; service supervisor-analytics stop ; service supervisor-webui stop ; service supervisor-database stop ; service zookeeper stop ; service supervisor-support-service stop ; service supervisor-openstack stop ;service neutron-server stop

On the database nodes:
Remove all contrail data :

cd /var/lib/cassandra 
mkdir bkup
mv * bkup

cd /var/lib/zookeeper
mkdir bkup
mv version-2 bkup

On the Contrail-controller/openstack-services nodes :

Edit /etc/contrail/openstackrc with new keystone ip

Set the admin_token in the new server’s keystone.conf in these files

  • In /etc/contrail, these files : contrail-keystone-auth.conf, contrail-webui-userauth.js, ctrl-details, keystonerc, service.token
  • In /etc/neutron/neutron.conf
  • In /etc/neutron/plugins/opencontrail/ContrailPlugin.ini

In /etc/neutron/plugins/opencontrail/ContrailPlugin.ini , set auth_url

In /etc/nova/nova.conf, set neutron_admin_auth_url

In /etc/contrail/vnc_api_lib.ini, set AUTHN_SERVER

In /etc/contrail/contrail-keystone-auth.conf, set memcache_servers to the new IP

In /etc/contrail/ctrl-details, set CONTROLLER to new keystone ip

In /etc/neutron/neutron.conf, In section, [keystone_authtoken], set auth_host to keystone IP

In /etc/haproxy/haproxy.conf, change ‘keystone-admin-backend’ section with new server IP

On the Webui node :
In /etc/contrail/, set ‘config.identityManager.ip’

On each glance node:
Update /etc/glance/glance-api.conf, /etc/glance/glance-registry.conf: set keystone_authtoken/auth_host, identity_uri
You may also need to update swift_store_auth_address

On compute nodes :
set /etc/contrail/ctrl-details with CONTROLLER and SERVICE_TOKEN
Update /etc/contrail/openstackrc with keystone ip
Update /etc/nova/nova.conf's neutron_admin_auth_url
Update /etc/nova/nova.conf's keystone_authtoken/auth_host

Do service zookeeper start on all database nodes
Start all Contrail services (check contrail-status)

From config node, add neutron service and endpoint on the new keystone IP ( below) setup-quantum-in-keystone --ks_server_ip --quant_server_ip --tenant admin --user admin --password contrail123 --svc_password contrail123 --svc_tenant_name service --root_password None --region_name RegionOne

Update to refer to the new keystone IP (env.keystone section)
Run fab prov_control_bgp , prov_external_bgp, prov_metadata_services, prov_encap_type, or python --api_server_ip --api_server_port 8082 --router_asn 64512 --admin_user admin --admin_password contrail123 --admin_tenant_name admin

For each compute node :
Add each compute node to the Contrail Config(except TA/TSN)
/opt/contrail/utils/ --host_name nodek3 --host_ip --api_server_ip --oper add --admin_user admin --admin_password contrail123 --admin_tenant_name admin --openstack_ip

For each TSN :
Run with router_type set to tor-service-node
Ex : python /opt/contrail/utils/ --host_name nodek3 --host_ip --api_server_ip --oper add --admin_user admin --admin_password contrail123 --admin_tenant_name admin --openstack_ip --router_type tor-service-node

For each tor-agent :
Run with router_type set to tor-agent
python /opt/contrail/utils/ --host_name nodek3-1 --host_ip --api_server_ip --oper add --admin_user admin --admin_password contrail123 --admin_tenant_name admin --openstack_ip --router_type tor-agent

Restart nova-compute on all compute nodes

On horizon node:
In /etc/openstack_dashboard/, set OPENSTACK_HOST
service apache2 restart

Clone this wiki locally