9.2. Configure the Orchestration Service

To configure the Orchestration service, you must complete the following tasks:
  • Configure a database for the Orchestration service.
  • Bind each Orchestration API service to a corresponding IP address.
  • Create and configure the Orchestration service Identity records.
  • Configure how Orchestration services authenticate with the Identity service.
The following sections describe each procedure in detail.

9.2.1. Create the Orchestration Service Database

Create the database and database user used by the Orchestration service. The database connection string used by the Orchestration service is defined in the /etc/heat/heat.conf file. It must be updated to point to a valid database server before the service is started. All steps in this procedure must be performed on the database server, while logged in as the root user.

Procedure 9.1. Configuring the Orchestration Service Database

  1. Connect to the database service: 
    # mysql -u root -p
  2. Create the heat database: 
    mysql> CREATE DATABASE heat;
  3. Create a database user named heat and grant the user access to the heat database: 
    mysql> GRANT ALL ON heat.* TO 'heat'@'%' IDENTIFIED BY 'PASSWORD';
mysql> GRANT ALL ON heat.* TO 'heat'@'localhost' IDENTIFIED BY 'PASSWORD';
    Replace PASSWORD with a secure password that will be user to authenticate with the database server as this user.
  4. Flush the database privileges to ensure that they take effect immediately: 
    mysql> FLUSH PRIVILEGES;
  5. Exit the mysql client: 
    mysql> quit
  6. Set the value of the sql_connection configuration key: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT sql_connection mysql://heat:PASSWORD@IP/heat
    Replace the following values:
    • Replace PASSWORD with the password of the heat database user.
    • Replace IP with the IP address or host name of the database server.
  7. As the heat user, sync the database: 
    # runuser -s /bin/sh heat -c "heat-manage db_sync"

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the Orchestration service database user was granted access when creating the Orchestration service database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the Orchestration service database, you must enter 'localhost'.

9.2.2. Restrict the Bind Addresses of Each Orchestration API Service

After configuring the database, set the bind_host setting of each Orchestration API service. This setting controls which IP address a service should use for incoming connections.
Set the bind_host setting for each Orchestration API service: 
# openstack-config --set /etc/heat/heat.conf
   heat_api bind_host IP
# openstack-config --set /etc/heat/heat.conf
   heat_api_cfn bind_host IP
# openstack-config --set /etc/heat/heat.conf
   heat_api_cloudwatch bind_host IP
Replace IP with the IP address that the corresponding API should use.

9.2.3. Create the Orchestration Service Identity Records

Create and configure Identity service records required by the Orchestration service. These entries assist other OpenStack services attempting to locate and access the functionality provided by the Orchestration service.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 9.2. Creating Identity Records for the Orchestration Service

  1. Set up the shell to access Keystone as the administrative user: 
    # source ~/keystonerc_admin
  2. Create the heat user: 
    [(keystone_admin)]# keystone user-create --name heat --pass PASSWORD
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | 96cd855e5bfe471ce4066794bbafb615 |
|   name   |               heat               |
| username |               heat               |
+----------+----------------------------------+
    Replace PASSWORD with a password that will be used by the Orchestration service when authenticating with the Identity service.
  3. Link the heat user and the admin role together within the context of the services tenant: 
    [(keystone_admin)]# keystone user-role-add --user heat --role admin --tenant services
  4. Create the heat and heat-cfn service entries: 
    [(keystone_admin)]# keystone service-create --name heat \
   --type orchestration
# keystone service-create --name heat-cfn \
   --type cloudformation
  5. Create endpoint entries for the heat service and the heat-cfn service: 
    [(keystone_admin)]# keystone endpoint-create \
   --service heat-cfn \
   --publicurl 'HEAT_CFN_IP:8000/v1' \
   --adminurl 'HEAT_CFN_IP:8000/v1' \
   --internalurl 'HEAT_CFN_IP:8000/v1' \
   --region 'RegionOne'
[(keystone_admin)]# keystone endpoint-create \
   --service heat \
   --publicurl 'HEAT_IP:8004/v1/%(tenant_id)s' \
   --adminurl 'HEAT_IP:8004/v1/%(tenant_id)s' \
   --internalurl 'HEAT_IP:8004/v1/%(tenant_id)s' \
   --region 'RegionOne'
    Replace the following values:
    • Replace HEAT_CFN_IP with the IP or host name of the system hosting the heat-cfn service.
    • Replace HEAT_IP with the IP or host name of the system hosting the heat service.

    Important

    Include the http:// prefix for HEAT_CFN_IP and HEAT_IP values.

9.2.3.1. Create the Required Identity Domain for the Orchestration Service

The Orchestration service requires its own Identity domain, through which users can be created and associated with credentials deployed inside instances owned by heat stacks. Using a separate domain allows for separation between the instances and the user deploying the stack. This allows regular users without administrative rights to deploy heat stacks that require such credentials.

Procedure 9.3. Creating an Identity Service Domain for the Orchestration Service

  1. Obtain the administrative token used by the Identity service. This token is the value of the admin_token configuration key in the /etc/keystone/keystone.conf file of the Identity server: 
    # cat /etc/keystone/keystone.conf | grep admin_token
   admin_token = 0292d404a88c4f269383ff28a3839ab4
    The administrative token is used to perform all actions requiring administrative credentials.
  2. Install the python-openstackclient package on the Red Hat Enterprise Linux 7.1 host you will use to create and configure the domain: 
    # yum install python-openstackclient
    Run the rest of the steps in this procedure from the Red Hat Enterprise Linux 7.1 host.
  3. Create the heat domain: 
    # openstack --os-token ADMIN_TOKEN --os-url=IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 domain create heat \
   --description "Owns users and projects created by heat"
    Replace the following values:
    • Replace ADMIN_TOKEN with the administrative token.
    • Replace IDENTITY_IP with the IP or host name of the server hosting the Identity service.
    This command returns the domain ID of the heat domain. This ID (HEAT_DOMAIN_ID) is used in the next step.
  4. Create a user named heat_domain_admin that can have administrative rights within the heat domain: 
    # openstack --os-token ADMIN_TOKEN --os-url=IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 user create heat_domain_admin \
   --password PASSWORD \
   --domain HEAT_DOMAIN_ID
   --description "Manages users and projects created by heat"
    Replace PASSWORD with a password for this user. This command returns a user ID (DOMAIN_ADMIN_ID), which is used in the next step.
  5. Grant the heat_domain_admin user administrative rights within the heat domain: 
    # openstack --os-token ADMIN_TOKEN --os-url=IDENTITY_IP:5000/v3 \
   --os-identity-api-version=3 role add --user DOMAIN_ADMIN_ID \
   --domain HEAT_DOMAIN_ID admin
  6. On the server hosting the Orchestration service, configure the service to use the heat domain and user: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_domain_admin_password DOMAIN_PASSWORD
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_domain_admin heat_domain_admin
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT stack_user_domain HEAT_DOMAIN_ID

9.2.4. Configure Orchestration Service Authentication

Configure the Orchestration service to use the Identity service for authentication. All steps in this procedure must be performed on each system hosting Orchestration services, while logged in as the root user.

Procedure 9.4. Configuring the Orchestration Service to Authenticate Through the Identity Service

  1. Set the Orchestration services to authenticate as the correct tenant: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken admin_tenant_name services
    Replace services is the name of the tenant created for the use of the Orchestration service. Examples in this guide use services.
  2. Set the Orchestration services to authenticate using the heat administrative user account: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken admin_user heat
  3. Set the Orchestration services to use the correct heat administrative user account password: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken admin_password PASSWORD
    Replace PASSWORD with the password set when the heat user was created.
  4. Set the Identity service host that the Orchestration services must use: 
    # openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken service_host KEYSTONE_HOST
# openstack-config --set /etc/heat/heat.conf \
   keystone_authtoken auth_host KEYSTONE_HOST 
# openstack-config --set /etc/heat/heat.conf \	
   keystone_authtoken auth_uri http://KEYSTONE_HOST:35357/v2.0
# openstack-config --set /etc/heat/heat.conf \	
   keystone_authtoken keystone_ec2_uri http://KEYSTONE_HOST:35357/v2.0
    Replace KEYSTONE_HOST with the IP address or host name of the server hosting the Identity service. If the Identity service is hosted on the same system, use 127.0.0.1.
  5. Configure the heat-api-cfn and heat-api-cloudwatch service host names to which virtual machine instances will connect: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT heat_metadata_server_url HEAT_CFN_HOST:8000
# openstack-config --set /etc/heat/heat.conf \	
   DEFAULT heat_waitcondition_server_url HEAT_CFN_HOST:8000/v1/waitcondition
# openstack-config --set /etc/heat/heat.conf \	
   DEFAULT heat_watch_server_url HEAT_CLOUDWATCH_HOST:8003
    Replace the following values:
    • Replace HEAT_CFN_HOST with the IP address or host name of the server hosting the heat-api-cfn service.
    • Replace HEAT_CLOUDWATCH_HOST with the IP address or host name of the server hosting the heat-api-cloudwatch service.

    Important

    Even if all services are hosted on the same system, do not use 127.0.0.1 for either service host name. This IP address refers to the local host of each instance, and would therefore prevent the instance from reaching the actual service.
  6. Application templates use wait conditions and signaling for orchestration. Define the Identity role for users that should receive progress data. By default, this role is heat_stack_user: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT heat_stack_user_role heat_stack_user

9.2.5. Configure RabbitMQ Message Broker Settings for the Orchestration Service

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on system hosting the Orchestration controller service, while logged in as the root user.

Procedure 9.5. Configuring the Orchestration Service to use the RabbitMQ Message Broker

  1. Set RabbitMQ as the RPC back end: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rpc_backend heat.openstack.common.rpc.impl_kombu
  2. Set the Orchestration service to connect to the RabbitMQ host: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_port 5672
  4. Set the RabbitMQ user name and password created for the Orchestration service when RabbitMQ was configured: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_userid heat
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_password HEAT_PASS
    Replace heat and HEAT_PASS with the RabbitMQ user name and password created for the Orchestration service.
  5. When RabbitMQ was launched, the heat user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Orchestration service to connect to this virtual host: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_virtual_host /

9.2.6. Enable SSL Communication Between the Orchestration Service and the Message Broker

If you enabled SSL on the message broker, you must configure the Orchestration service accordingly. This procedure requires the exported client certificates and key file. See Section 2.3.5, “Export an SSL Certificate for Clients” for instructions on how to export these files.

Procedure 9.6. Enabling SSL Communication Between the Orchestration Service and the RabbitMQ Message Broker

  1. Enable SSL communication with the message broker: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT rabbit_use_ssl True
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT kombu_ssl_certfile /path/to/client.crt
# openstack-config --set /etc/heat/heat.conf \
   DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
    Replace the following values:
    • Replace /path/to/client.crt with the absolute path to the exported client certificate.
    • Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
  2. If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command: 
    # openstack-config --set /etc/heat/heat.conf \
   DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
    Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).