Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

9.2. Configure the Orchestration Service

To configure the Orchestration service, you must complete the following tasks:
  • Configure a database for the Orchestration service.
  • Bind each Orchestration API service to a corresponding IP address.
  • Create and configure the Orchestration service Identity records.
  • Configure how Orchestration services authenticate with the Identity service.
The following sections describe each procedure in detail.

9.2.1. Create the Orchestration Service Database
Copiar o link

Create the database and database user used by the Orchestration service. The database connection string used by the Orchestration service is defined in the /etc/heat/heat.conf file. It must be updated to point to a valid database server before the service is started. All steps in this procedure must be performed on the database server, while logged in as the root user.

Procedure 9.1. Configuring the Orchestration Service Database

  1. Connect to the database service: 
    # mysql -u root -p
    Copy to Clipboard Toggle word wrap
  2. Create the heat database: 
    mysql> CREATE DATABASE heat;
    Copy to Clipboard Toggle word wrap
  3. Create a database user named heat and grant the user access to the heat database: 
    mysql> GRANT ALL ON heat.* TO 'heat'@'%' IDENTIFIED BY 'PASSWORD';
mysql> GRANT ALL ON heat.* TO 'heat'@'localhost' IDENTIFIED BY 'PASSWORD';
    Copy to Clipboard Toggle word wrap
    Replace PASSWORD with a secure password that will be user to authenticate with the database server as this user.
  4. Flush the database privileges to ensure that they take effect immediately: 
    mysql> FLUSH PRIVILEGES;
    Copy to Clipboard Toggle word wrap
  5. Exit the mysql client: 
    mysql> quit
    Copy to Clipboard Toggle word wrap
  6. Set the value of the sql_connection configuration key: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT sql_connection mysql://heat:PASSWORD@IP/heat
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace PASSWORD with the password of the heat database user.
    • Replace IP with the IP address or host name of the database server.
  7. As the heat user, sync the database: 
    # runuser -s /bin/sh heat -c "heat-manage db_sync"
    Copy to Clipboard Toggle word wrap

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the Orchestration service database user was granted access when creating the Orchestration service database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the Orchestration service database, you must enter 'localhost'.

9.2.2. Restrict the Bind Addresses of Each Orchestration API Service
Copiar o link

After configuring the database, set the bind_host setting of each Orchestration API service. This setting controls which IP address a service should use for incoming connections.
Set the bind_host setting for each Orchestration API service: 
# openstack-config --set /etc/heat/heat.conf
   heat_api bind_host IP
# openstack-config --set /etc/heat/heat.conf
   heat_api_cfn bind_host IP
# openstack-config --set /etc/heat/heat.conf
   heat_api_cloudwatch bind_host IP
Copy to Clipboard Toggle word wrap
Replace IP with the IP address that the corresponding API should use.

9.2.3. Create the Orchestration Service Identity Records
Copiar o link

Create and configure Identity service records required by the Orchestration service. These entries assist other OpenStack services attempting to locate and access the functionality provided by the Orchestration service.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 9.2. Creating Identity Records for the Orchestration Service

  1. Set up the shell to access Keystone as the administrative user: 
    # source ~/keystonerc_admin
    Copy to Clipboard Toggle word wrap
  2. Create the heat user: 
    [(keystone_admin)]# openstack user create --password PASSWORD heat
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 5902673a8d3a4552b813dff31717476b |
| name     | heat                             |
| username | heat                             |
+----------+----------------------------------+
    Copy to Clipboard Toggle word wrap
    Replace PASSWORD with a password that will be used by the Orchestration service when authenticating with the Identity service.
  3. Link the heat user and the admin role together within the context of the services tenant: 
    [(keystone_admin)]# openstack role add --project services --user heat admin
    Copy to Clipboard Toggle word wrap
  4. Create the heat and heat-cfn service entries: 
    [(keystone_admin)]# openstack service create --name heat orchestration
[(keystone_admin)]# openstack service create --name heat-cfn cloudformation
    Copy to Clipboard Toggle word wrap
  5. Create endpoint entries for the heat service and the heat-cfn service: 
    [(keystone_admin)]# openstack endpoint create \
   --publicurl 'HEAT_CFN_IP:8000/v1' \
   --adminurl 'HEAT_CFN_IP:8000/v1' \
   --internalurl 'HEAT_CFN_IP:8000/v1' \
   --region RegionOne \
   heat-cfn
[(keystone_admin)]# openstack endpoint create \
   --publicurl 'HEAT_IP:8004/v1/%(tenant_id)s' \
   --adminurl 'HEAT_IP:8004/v1/%(tenant_id)s' \
   --internalurl 'HEAT_IP:8004/v1/%(tenant_id)s' \
   --region RegionOne \
   heat
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace HEAT_CFN_IP with the IP or host name of the system hosting the heat-cfn service.
    • Replace HEAT_IP with the IP or host name of the system hosting the heat service.

    Important

    Include the http:// prefix for HEAT_CFN_IP and HEAT_IP values.

9.2.3.1. Create the Required Identity Domain for the Orchestration Service
Copiar o link

The Orchestration service requires its own Identity domain, through which users can be created and associated with credentials deployed inside instances owned by heat stacks. Using a separate domain allows for separation between the instances and the user deploying the stack. This allows regular users without administrative rights to deploy heat stacks that require such credentials.

Procedure 9.3. Creating an Identity Service Domain for the Orchestration Service

  1. Create the heat domain: 
    # openstack --os-url=http://IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 \
   --description "Owns users and projects created by heat"
   domain create heat
    Copy to Clipboard Toggle word wrap
    Replace IDENTITY_IP with the IP or host name of the server hosting the Identity service.
    This command returns the domain ID of the heat domain. This ID (HEAT_DOMAIN_ID) is used in the next step.
  2. Create a user named heat_domain_admin that can have administrative rights within the heat domain: 
    # openstack --os-url=http://IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 user create heat_domain_admin \
   --password PASSWORD \
   --domain HEAT_DOMAIN_ID \
   --description "Manages users and projects created by heat"
    Copy to Clipboard Toggle word wrap
    Replace PASSWORD with a password for this user. This command returns a user ID (DOMAIN_ADMIN_ID), which is used in the next step.
  3. Grant the heat_domain_admin user administrative rights within the heat domain: 
    # openstack --os-url=http://IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 role add --user DOMAIN_ADMIN_ID \
   --domain HEAT_DOMAIN_ID admin
    Copy to Clipboard Toggle word wrap
  4. On the server hosting the Orchestration service, configure the service to use the heat domain and user: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_domain_admin_password DOMAIN_PASSWORD
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_domain_admin heat_domain_admin
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_user_domain HEAT_DOMAIN_ID
    Copy to Clipboard Toggle word wrap

9.2.4. Configure Orchestration Service Authentication
Copiar o link

Configure the Orchestration service to use the Identity service for authentication. All steps in this procedure must be performed on each system hosting Orchestration services, while logged in as the root user.

Procedure 9.4. Configuring the Orchestration Service to Authenticate Through the Identity Service

  1. Set the Orchestration services to authenticate as the correct tenant: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken admin_tenant_name services
    Copy to Clipboard Toggle word wrap
    Replace services is the name of the tenant created for the use of the Orchestration service. Examples in this guide use services.
  2. Set the Orchestration services to authenticate using the heat administrative user account: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken admin_user heat
    Copy to Clipboard Toggle word wrap
  3. Set the Orchestration services to use the correct heat administrative user account password: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken admin_password PASSWORD
    Copy to Clipboard Toggle word wrap
    Replace PASSWORD with the password set when the heat user was created.
  4. Set the Identity service host that the Orchestration services must use: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken service_host KEYSTONE_HOST
# openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken auth_host KEYSTONE_HOST 
# openstack-config --set /etc/heat/heat.conf \	
   keystone_authtoken auth_uri http://KEYSTONE_HOST:35357/v2.0
# openstack-config --set /etc/heat/heat.conf \	
   keystone_authtoken keystone_ec2_uri http://KEYSTONE_HOST:35357/v2.0
    Copy to Clipboard Toggle word wrap
    Replace KEYSTONE_HOST with the IP address or host name of the server hosting the Identity service. If the Identity service is hosted on the same system, use 127.0.0.1.
  5. Configure the heat-api-cfn and heat-api-cloudwatch service host names to which virtual machine instances will connect: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT heat_metadata_server_url HEAT_CFN_HOST:8000
# openstack-config --set /etc/heat/heat.conf \	
   DEFAULT heat_waitcondition_server_url HEAT_CFN_HOST:8000/v1/waitcondition
# openstack-config --set /etc/heat/heat.conf \	
   DEFAULT heat_watch_server_url HEAT_CLOUDWATCH_HOST:8003
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace HEAT_CFN_HOST with the IP address or host name of the server hosting the heat-api-cfn service.
    • Replace HEAT_CLOUDWATCH_HOST with the IP address or host name of the server hosting the heat-api-cloudwatch service.

    Important

    Even if all services are hosted on the same system, do not use 127.0.0.1 for either service host name. This IP address refers to the local host of each instance, and would therefore prevent the instance from reaching the actual service.
  6. Application templates use wait conditions and signaling for orchestration. Define the Identity role for users that should receive progress data. By default, this role is heat_stack_user: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT heat_stack_user_role heat_stack_user
    Copy to Clipboard Toggle word wrap

9.2.5. Configure RabbitMQ Message Broker Settings for the Orchestration Service
Copiar o link

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on system hosting the Orchestration controller service, while logged in as the root user.

Procedure 9.5. Configuring the Orchestration Service to use the RabbitMQ Message Broker

  1. Set RabbitMQ as the RPC back end: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rpc_backend heat.openstack.common.rpc.impl_kombu
    Copy to Clipboard Toggle word wrap
  2. Set the Orchestration service to connect to the RabbitMQ host: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_host RABBITMQ_HOST
    Copy to Clipboard Toggle word wrap
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_port 5672
    Copy to Clipboard Toggle word wrap
  4. Set the RabbitMQ user name and password created for the Orchestration service when RabbitMQ was configured: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_userid heat
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_password HEAT_PASS
    Copy to Clipboard Toggle word wrap
    Replace heat and HEAT_PASS with the RabbitMQ user name and password created for the Orchestration service.
  5. When RabbitMQ was launched, the heat user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Orchestration service to connect to this virtual host: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_virtual_host /
    Copy to Clipboard Toggle word wrap
If you enabled SSL on the message broker, you must configure the Orchestration service accordingly. This procedure requires the exported client certificates and key file. See Section 2.3.5, “Export an SSL Certificate for Clients” for instructions on how to export these files.

Procedure 9.6. Enabling SSL Communication Between the Orchestration Service and the RabbitMQ Message Broker

  1. Enable SSL communication with the message broker: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_use_ssl True
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT kombu_ssl_certfile /path/to/client.crt
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace /path/to/client.crt with the absolute path to the exported client certificate.
    • Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
  2. If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
    Copy to Clipboard Toggle word wrap
    Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat