9.3. Configure the Orchestration Service

⁠9.3. Configure the Orchestration Service

To configure the Orchestration service, you will need to:

Configure a database for the Orchestration service.
Bind each Orchestration API service to a corresponding IP address.
Create and configure the Orchestration service Identity records.
Configure how Orchestration services authenticate with the Identity service.

The following sections describe each procedure in detail.

⁠9.3.1. Configure the Orchestration Service Database Connection

The OpenStack Orchestration service requires a database in order to work. The database connection settings used by this service are configured in /etc/heat/heat.conf.

After using the MariaDB root account to automatically create the required databases, the Orchestration service will use its own MariaDB account (specifically, heat) to use those databases.

Note

In order to connect to the MariaDB database, create a database, and configure those database, you will need the password of the MariaDB database root account.

The following procedure illustrates this in more detail:

⁠

Procedure 9.1. Configuring the Orchestration service SQL database connection

Connect to the database service as root using the mysql utility.
```
# mysql -u root -p
```
After logging in, create the heat database:
```
mysql> CREATE DATABASE heat;
```
Create a database user named heat and grant that user access to the newly-created heat database:
```
mysql> GRANT ALL ON heat.* TO 'heat'@'%' IDENTIFIED BY 'HEATPW';
mysql>	GRANT ALL ON heat.* TO 'heat'@'localhost' IDENTIFIED BY 'HEATPW';
```
Replace HEATPW with a secure password that the heat user should use to authenticate to the database server.
Flush the database privileges to ensure that they take effect immediately:
```
mysql> FLUSH PRIVILEGES;
```
Exit the mysql utility:
```
mysql> quit
```
Update the database connection string used by heat with the HEATPW used earlier:
```
# openstack-config --set /etc/heat/heat.conf \
	DEFAULT sql_connection mysql://heat:HEATPW@MARIADBHOST/heat
```
Where:
- HEATPW is the password set earlier for the heat account.
- MARIADBHOST is the IP address or hostname of the MariaDB database server (localhost if it is on the same host).
As the heat user, sync the database using the heat-manage utility:
```
# runuser -s /bin/sh heat -c "heat-manage db_sync"
```

⁠9.3.2. Restrict the Bind Addresses of each Orchestration API Service

After configuring the database, set the bind_host setting of each Orchestration API service. This setting controls which IP address a service should use for incoming connections.

The /etc/heat/heat.conf configuration file contains a section for each Orchestration API service. the bind_host should be set in each one, as in:

# openstack-config --set /etc/heat/heat.conf
	heat_api bind_host IP

# openstack-config --set /etc/heat/heat.conf
	heat_api_cfn bind_host IP

# openstack-config --set /etc/heat/heat.conf
	heat_api_cloudwatch bind_host IP

Replace each IP with the address that the corresponding API should use.

⁠9.3.3. Create the Orchestration Service Identity Records

In this procedure, you will:

Create the heat user, who has the admin role in the services tenant.
Create the heat service entry and assign it an endpoint.

In order to proceed, you should have already performed the following (through the Identity service):

Created an Administrator role named admin (refer to Section 3.8, “Create an Administrator Account” for instructions)
Created the services tenant (refer to Section 3.10, “Create the Services Tenant” for instructions)

Note

The Deploying OpenStack: Learning Environments guide uses one tenant for all service users. For more information, refer to Section 3.10, “Create the Services Tenant”.

You can perform this procedure from your Identity service server or on any machine where you've copied the keystonerc_admin file (which contains administrator credentials) and the keystone command-line utility is installed.

⁠

Procedure 9.2. Creating Identity records for the Orchestration service

Set up the shell to access Keystone as the admin user:
```
# source ~/keystonerc_admin
```
Create a heat user in keystone:
```
# keystone user-create \
    --name=heat \
    --pass=SERVICE_PASSWORD \
```
Replace SERVICE_PASSWORD with the password the Orchestration service should use when authenticating with the Identity service.
Establish the relationship between the Orchestration service, the services tenant, and admin role:
```
# keystone user-role-add --user heat \
    --role admin \
    --tenant services \
```
Create Identity service entries for Orchestration and Cloud Formation:
```
# keystone service-create --name heat \
    --type orchestration
```
```
# keystone service-create --name heat-cfn \
    --type cloudformation
```
Once the heat and heat-cfn services are created, note their respective IDs. These will be used later.

Create service endpoint entries for both heat and heat-cfn services:

# keystone endpoint-create \
    --service heat-cfn \
    --publicurl "HEAT_CFN_IP:8000/v1" \
    --adminurl "HEAT_CFN_IP:8000/v1" \
    --internalurl "HEAT_CFN_IP:8000/v1"

# keystone endpoint-create \
    --service heat \
    --publicurl "HEAT_IP:8004/v1/%(tenant_id)s" \
    --adminurl "HEAT_IP:8004/v1/%(tenant_id)s" \
    --internalurl "HEAT_IP:8004/v1/%(tenant_id)s"

Where:

HEAT_CFN_IP is the IP or host name of the system hosting the heat-cfn service.
HEAT_IP is the IP or host name of the system hosting the heat service.

Important

Include the http:// prefix for HEAT_CFN_IP and HEAT_IP values.

⁠9.3.3.1. Create the Required Identity Domain for the Orchestration Service

As of Red Hat Enterprise Linux OpenStack Platform 5, the Orchestration service now requires its own Identity domain. The use of Identity domains provides a framework through which users can be created, associated with credentials deployed inside instances owned by heat stacks.

The use of a separate domain allows for separation between the instances and the user deploying the stack. This, in turn, allows regular users without administrative rights to deploy heat stacks that require such credentials.

Note

At present, the creation of Identity service domains is only supported on Red Hat Enterprise Linux 7.2. As such, if you wish to set up the heat domain for an OpenStack service installed on Red Hat Enterprise Linux 6.7, you will have to do so from a Red Hat Enterprise Linux 7.2 host. From there, you can specify the Red Hat Enterprise Linux 6.7 host on which to set up the domain.

⁠

Procedure 9.3. Creating an Identity service domain for the Orchestration service

Obtain the administrative token used by the Identity service. This token is the value of the admin_token configuration key in the /etc/keystone/keystone.conf file of the Identity server:
```
# cat /etc/keystone/keystone.conf | grep admin_token
   admin_token = 0292d404a88c4f269383ff28a3839ab4
```
The administrative token (in this example, 0292d404a88c4f269383ff28a3839ab4) will be used later to perform all actions requiring administrative credentials.
Install the python-openstackclient package on the Red Hat Enterprise Linux 7.2 host you will use to create and configure the domain.
```
# yum install python-openstackclient
```
Run the rest of the steps in this procedure from that Red Hat Enterprise Linux 7.2 host.
Create the heat domain.
```
# openstack --os-token ADMIN_TOKEN --os-url=IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 domain create heat \
   --description "Owns users and projects created by heat"
```
Where:
- ADMIN_TOKEN is the administrative token obtained earlier (0292d404a88c4f269383ff28a3839ab4 from the first step's example).
- IDENTITY_IP is the IP or host name of the Identity server. The IDENTITY_IP can be a Red Hat Enterprise Linux 6.7 host, even if you are running the command from a Red Hat Enterprise Linux 7.2 host.
This command should return the domain ID of the newly created heat domain. This ID (HEAT_DOMAIN_ID) will be used in the next step.

Create a user named heat_domain_admin that can have administrative rights within the heat domain:

# openstack --os-token ADMIN_TOKEN --os-url=IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 user create heat_domain_admin \
   --password DOMAIN_PASSWORD \
   --domain HEAT_DOMAIN_ID
   --description "Manages users and projects created by heat"

Replace DOMAIN_PASSWORD with a secure password for this user. This command should return a user ID (DOMAIN_ADMIN_ID), which will be used in the next step.

Grant the user created in the previous step administrative rights within the heat domain:

# openstack --os-token ADMIN_TOKEN --os-url=IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 role add --user DOMAIN_ADMIN_ID \
   --domain HEAT_DOMAIN_ID admin

After setting up the heat domain and user, you can now configure the Orchestration service to use them. To do so, run the following commands on the server hosting the heat services:

# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_domain_admin_password DOMAIN_PASSWORD

# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_domain_admin heat_domain_admin

# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_user_domain HEAT_DOMAIN_ID

⁠9.3.4. Configure Orchestration Service Authentication

After creating and configuring the required Orchestration service users and roles (namely, Identity records), configure the Orchestration service to authenticate with the Identity service. Doing so involves setting the required Identity tokens for the heat-api, heat-api-cfn, and heat-api-cloudwatch services. These services use the token settings configured in /etc/heat/heat.conf.

⁠

Procedure 9.4. Configuring the Orchestration service to authenticate through the Identity service

Set the Orchestration services to authenticate as the correct tenant:
```
# openstack-config --set /etc/heat/heat.conf \
	keystone_authtoken admin_tenant_name services
```
Where services is the name of the tenant created for the use of the Orchestration service. Examples in this guide use services.
Set the Orchestration services to authenticate using the heat administration user account:
```
# openstack-config --set /etc/heat/heat.conf \
	keystone_authtoken admin_user heat
```
Set the Orchestration services to use the correct heat administration user account password:
```
# openstack-config --set /etc/heat/heat.conf \
	keystone_authtoken admin_password SERVICE_PASSWORD
```
Where SERVICE_PASSWORD is the password set during the creation of the heat user.

Set the correct Identity service host that the Orchestration services should use:

# openstack-config --set /etc/heat/heat.conf \
	keystone_authtoken service_host KEYSTONE_HOST

# openstack-config --set /etc/heat/heat.conf \
	keystone_authtoken auth_host KEYSTONE_HOST

# openstack-config --set /etc/heat/heat.conf \	
	keystone_authtoken auth_uri http://KEYSTONE_HOST:35357/v2.0 \

# openstack-config --set /etc/heat/heat.conf \	
	keystone_authtoken keystone_ec2_uri http://KEYSTONE_HOST:35357/v2.0

Where KEYSTONE_HOST is the hostname of the Identity service. If the Identity service is hosted on the same system, use 127.0.0.1.

Configure the heat-api-cfn and heat-api-cloudwatch service hostnames to which VMs should connect.
```
# openstack-config --set /etc/heat/heat.conf \
	DEFAULT heat_metadata_server_url HEAT_CFN_HOST:8000
```
```
# openstack-config --set /etc/heat/heat.conf \	
	DEFAULT heat_waitcondition_server_url HEAT_CFN_HOST:8000/v1/waitcondition
```
```
# openstack-config --set /etc/heat/heat.conf \	
	DEFAULT heat_watch_server_url HEAT_CLOUDWATCH_HOST:8003
```
Where:
- HEAT_CFN_HOST is the IP or hostname of the system hosting the heat-api-cfn service.
- HEAT_CLOUDWATCH_HOST is the IP or hostname of the system hosting the heat-api-cloudwatch service.
Important
Even if all services are hosted on the same system, do not use 127.0.0.1 for either service hostname. This IP address would refer to the local host of each VM, and would therefore prevent the VM from reaching the actual service.
Application templates use wait conditions and signaling for orchestration. You will need to define the Identity role for users that will receive progress data. By default, this role is heat_stack_user.
```
# openstack-config --set /etc/heat/heat.conf \
	DEFAULT heat_stack_user_role heat_stack_user
```

⁠9.3.5. Configure RabbitMQ Message Broker Settings for the Orchestration Service

As of Red Hat Enterprise Linux OpenStack Platform 5, RabbitMQ replaces QPid as the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.

This section assumes that you have already configured a RabbitMQ message broker. For more information, refer to:

⁠

Procedure 9.5. Configuring the Orchestration service to use the RabbitMQ message broker

In /etc/heat/heat.conf of that system, set RabbitMQ as the RPC back end.

# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rpc_backend heat.openstack.common.rpc.impl_kombu

Set the Orchestration service to connect to the RabbitMQ host:
```
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_host RABBITMQ_HOST
```
Replace RABBITMQ_HOST with the IP address or host name of the message broker.

Set the message broker port to 5672:

# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_port 5672

Set the RabbitMQ username and password created for the Orchestration service:
```
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_userid heat
```
```
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_password HEAT_PASS
```
Where heat and HEAT_PASS are the RabbitMQ username and password created for Orchestration (in Section 2.4.2, “Install and Configure the RabbitMQ Message Broker”).
In Section 2.4.2.1, “Launch the RabbitMQ Message Broker”, we gave the heat user read/write permissions to all resources -- specifically, through the virtual host /. Configure the Orchestration service to connect to this virtual host:
```
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_virtual_host /
```