6.3. Configure the Block Storage Service

6.3.1. Configure the Block Storage Service Database Connection

The database connection string used by the Block Storage services is defined in the /etc/cinder/cinder.conf file. It must be updated to point to a valid database server before starting the service.
Set the value of the sql_connection configuration key on each system hosting Block Storage services:
# openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT sql_connection mysql://USER:PASS@IP/DB
Replace the following values:
  • Replace USER with the Block Storage service database user name, usually cinder.
  • Replace PASS with the password of the database user.
  • Replace IP with the IP address or host name of the server hosting the database service.
  • Replace DB with the name of the Block Storage service database, usually cinder.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the Block Storage service database user was granted access when creating the Block Storage service database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the Block Storage service database, you must enter 'localhost'.

6.3.2. Create the Block Storage Service Identity Records

Create and configure Identity service records required by the Block Storage service. These entries provide authentication for the Block Storage services, and guide other OpenStack services attempting to locate and access the volume functionality provided by Block Storage.
This procedure assumes that you have already created an administrative user account and a services tenant. For more information, see:
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 6.2. Creating Identity Records for the Block Storage Service

  1. Set up the shell to access Keystone as the administrative user:
    # source ~/keystonerc_admin
  2. Create the cinder user:
    [(keystone_admin)]# keystone user-create --name cinder --pass PASSWORD
    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    |  email   |                                  |
    | enabled  |               True               |
    |    id    | e1765f70da1b4432b54ced060139b46a |
    |   name   |              cinder              |
    | username |              cinder              |
    +----------+----------------------------------+
    
    Replace PASSWORD with a secure password that will be used by the Block Storage service when authenticating with the Identity service.
  3. Link the cinder user and the admin role together within the context of the services tenant:
    [(keystone_admin)]# keystone user-role-add --user cinder --role admin --tenant services
  4. Create the cinder and cinderv2 Block Storage service entries:
    [(keystone_admin)]# keystone service-create --name cinder \
            --type volume \
            --description "Cinder Volume Service"
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |      Cinder Volume Service       |
    |   enabled   |               True               |
    |      id     | dfde7878671e484c9e581a3eb9b63e66 |
    |     name    |              cinder              |
    |     type    |              volume              |
    +-------------+----------------------------------+
    [(keystone_admin)]# keystone service-create --name cinderv2 \
            --type volumev2 \
            --description "Cinder Volume Service v2"
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |     Cinder Volume Service v2     |
    |   enabled   |               True               |
    |      id     | 42318fdec1926f57643ca7b1e40b78df |
    |     name    |             cinderv2             |
    |     type    |             volumev2             |
    +-------------+----------------------------------+
  5. Create the cinder endpoint entry:
    [(keystone_admin)]# keystone endpoint-create \
       --service cinder \
       --publicurl 'http://IP:8776/v1/%(tenant_id)s' \
       --adminurl 'http://IP:8776/v1/%(tenant_id)s' \
       --internalurl 'http://IP:8776/v1/%(tenant_id)s' \
       --region 'RegionOne'
    [(keystone_admin)]# keystone endpoint-create \
       --service cinderv2 \
       --publicurl 'http://IP:8776/v2/%(tenant_id)s' \
       --adminurl 'http://IP:8776/v2/%(tenant_id)s' \
       --internalurl 'http://IP:8776/v2/%(tenant_id)s' \
       --region 'RegionOne'
    Replace IP with the IP address or host name of the server hosting the Block Storage API service (openstack-cinder-api). To install and run multiple instances of the API service, repeat this step for the IP address or host name of each instance.
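Two helpers for scripting Procedure 6.2, added here as an example and not part of the Red Hat guide: keystone_field reads the "Property | Value" table that the keystone client prints and returns one cell, so a script can capture a record id instead of copying it by hand, and check_volume_endpoint validates an endpoint URL before it is handed to keystone endpoint-create (the version path must match the service type, the %(tenant_id)s suffix must be present, and the IP placeholder must have been replaced). The sample table is the user-create output shown in step 2; the host names and URLs used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide. Helpers for scripting
# Procedure 6.2: keystone_field parses the keystone client's table output,
# check_volume_endpoint validates an endpoint URL before endpoint-create.
# The sample table is the user-create output from the procedure; the URLs
# in demo are constructed.

# keystone_field PROPERTY  (table on stdin) -> prints the matching Value cell
keystone_field() {
    awk -F'|' -v want="$1" '
        NF >= 4 {                           # only "| key | value |" rows
            key = $2; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) {
                val = $3; gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# check_volume_endpoint TYPE URL -> 0 if URL is valid for TYPE, 1 otherwise
# (volume -> /v1/, volumev2 -> /v2/, %(tenant_id)s suffix, no IP placeholder)
check_volume_endpoint() {
    suffix='%(tenant_id)s'
    case "$1" in
        volume)   ver=v1 ;;
        volumev2) ver=v2 ;;
        *) echo "unknown service type: $1"; return 1 ;;
    esac
    case "$2" in
        http://IP:*|https://IP:*)
            echo "$2: IP placeholder not replaced"; return 1 ;;
        http://*:8776/$ver/"$suffix"|https://*:8776/$ver/"$suffix")
            return 0 ;;
    esac
    echo "$2: expected .../8776/$ver/$suffix for type $1"
    return 1
}

# The cinder user-create output from Procedure 6.2, used as sample input
sample_user_table() {
    cat <<'EOF'
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | e1765f70da1b4432b54ced060139b46a |
|   name   |              cinder              |
| username |              cinder              |
+----------+----------------------------------+
EOF
}

# Demonstration: capture the id, then validate two endpoint URLs (constructed)
demo() {
    user_id=$(sample_user_table | keystone_field id)
    echo "cinder user id: $user_id"
    check_volume_endpoint volume 'http://10.0.0.5:8776/v1/%(tenant_id)s' && echo "v1 URL OK"
    check_volume_endpoint volumev2 'http://IP:8776/v2/%(tenant_id)s' || echo "fix the v2 URL first"
}
demo
```

In a deployment script the same pattern captures the service id, for example SERVICE_ID=$(keystone service-create ... | keystone_field id), and runs check_volume_endpoint on each URL before calling endpoint-create, so a leftover IP placeholder or a v1/v2 mix-up is caught before a wrong endpoint is registered in the catalog.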

6.3.3. Configure Block Storage Service Authentication

Configure the Block Storage service to use the Identity service for authentication. All steps in this procedure must be performed on each server hosting Block Storage services, while logged in as the root user.

Procedure 6.3. Configuring the Block Storage Service to Authenticate Through the Identity Service

  1. Set the authentication strategy to keystone:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT auth_strategy keystone
  2. Set the Identity service host that the Block Storage services must use:
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken auth_host IP
    Replace IP with the IP address or host name of the server hosting the Identity service.
  3. Set the Block Storage services to authenticate as the correct tenant:
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken admin_tenant_name services
    Replace services with the name of the tenant created for the use of OpenStack Networking. Examples in this guide use services.
  4. Set the Block Storage services to authenticate using the cinder administrative user account:
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken admin_user cinder
  5. Set the Block Storage services to use the correct cinder administrative user account password:
    # openstack-config --set /etc/cinder/cinder.conf \
       keystone_authtoken admin_password PASSWORD
    Replace PASSWORD with the password set when the cinder user was created.

6.3.4. Configure the Firewall to Allow Block Storage Service Traffic

Each component in the OpenStack environment uses the Identity service for authentication and must be able to access the service. The firewall on the system hosting the Block Storage service must be altered to allow network traffic on the required ports. All steps in this procedure must be run on each server hosting Block Storage services, while logged in as the root user.

Procedure 6.4. Configuring the Firewall to Allow Block Storage Service Traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on ports 3260 and 8776 to the file. The new rule must appear before any INPUT rules that REJECT traffic:
    -A INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service to ensure that the change takes effect:
    # systemctl restart iptables.service
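The ordering requirement in step 2 is easy to get wrong and iptables gives no warning when an ACCEPT is placed after the REJECT: the rule is simply never reached. The following check, added here as an example and not part of the Red Hat guide, reads an iptables-save style file such as /etc/sysconfig/iptables and reports, for ports 3260 and 8776, whether an INPUT ACCEPT rule precedes the first INPUT REJECT. The two rule files it writes for the demonstration are constructed; it understands --dport N and -m multiport --dports A,B,C but not port ranges.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: check that the ACCEPT rule
# for the Block Storage ports (3260 iSCSI, 8776 API) sits before any REJECT
# in the INPUT chain of an iptables-save style file. The rule files written
# by write_sample_rules are constructed for the demonstration.

# accept_before_reject FILE PORT -> returns 0 if PORT is accepted before the
# first INPUT REJECT, 1 if accepted only after one, 2 if never accepted.
accept_before_reject() {
    status=$(awk -v port="$2" '
        function accepts_port(rule, p,    list, n, i, parts) {
            # "--dport N" or "--dports A,B,C" (port ranges are not handled)
            if (match(rule, /--dports? [0-9,]+/)) {
                list = substr(rule, RSTART, RLENGTH)
                sub(/^--dports? /, "", list)
                n = split(list, parts, ",")
                for (i = 1; i <= n; i++) if (parts[i] == p) return 1
            }
            return 0
        }
        $1 == "-A" && $2 == "INPUT" {               # only the INPUT chain
            if ($0 ~ /-j REJECT/) seen_reject = 1
            if ($0 ~ /-j ACCEPT/ && accepts_port($0, port)) {
                print (seen_reject ? 1 : 0); found = 1; exit
            }
        }
        END { if (!found) print 2 }' "$1")
    return "$status"
}

# check_block_storage_rules FILE -> one line per port; returns 1 on any problem
check_block_storage_rules() {
    rc=0
    for p in 3260 8776; do
        st=0; accept_before_reject "$1" "$p" || st=$?
        case $st in
            0) echo "port $p: ACCEPT precedes any REJECT" ;;
            1) echo "port $p: ACCEPT is after a REJECT and never matches"; rc=1 ;;
            *) echo "port $p: no ACCEPT rule in INPUT"; rc=1 ;;
        esac
    done
    return $rc
}

# write_sample_rules DIR -> constructed "good" and "bad" rule files
write_sample_rules() {
    cat > "$1/good" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$1/bad" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
COMMIT
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_rules "$dir"
    echo "== ACCEPT before REJECT"; check_block_storage_rules "$dir/good" || true
    echo "== ACCEPT after REJECT";  check_block_storage_rules "$dir/bad" || true
    rm -rf "$dir"
}
demo
```

Run it as check_block_storage_rules /etc/sysconfig/iptables after editing the file and before restarting the service; the same check works on the output of iptables-save to confirm what is actually loaded.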

6.3.5. Configure the Block Storage Service to Use SSL

Use the following options in the cinder.conf file to configure SSL.

Table 6.1. SSL options for Block Storage

  Configuration Option   Description
  backlog                The number of backlog requests with which to configure the socket.
  tcp_keepidle           Sets the value of TCP_KEEPIDLE in seconds for each server socket.
  ssl_ca_file            The CA certificate file to use to verify connecting clients.
  ssl_cert_file          The certificate file to use when starting the server securely.
  ssl_key_file           The private key file to use when starting the server securely.

6.3.6. Configure RabbitMQ Message Broker Settings for the Block Storage Service

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package. All steps in the following procedure must be performed on the server hosting the Block Storage service, while logged in as the root user.

Procedure 6.5. Configuring the Block Storage Service to use the RabbitMQ Message Broker

  1. Set RabbitMQ as the RPC back end:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rpc_backend cinder.openstack.common.rpc.impl_kombu
  2. Set the name of the RabbitMQ host:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_host RABBITMQ_HOST
    Replace RABBITMQ_HOST with the IP address or host name of the message broker.
  3. Set the message broker port to 5672:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_port 5672
  4. Set the RabbitMQ username and password created for the Block Storage service when RabbitMQ was configured:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_userid cinder
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_password CINDER_PASS
    Replace cinder and CINDER_PASS with the RabbitMQ user name and password created for the Block Storage service.
  5. When RabbitMQ was launched, the cinder user was granted read and write permissions to all resources: specifically, through the virtual host /. Configure the Block Storage service to connect to this virtual host:
    # openstack-config --set /etc/cinder/cinder.conf \
       DEFAULT rabbit_virtual_host /

6.3.7. Enable SSL Communication Between the Block Storage Service and the Message Broker

If you enabled SSL on the message broker, you must configure the Block Storage service accordingly. This procedure requires the exported client certificates and key file. See Section 2.3.5, “Export an SSL Certificate for Clients” for instructions on how to export these files.
  1. Enable SSL communication with the message broker:
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT rabbit_use_ssl True
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT kombu_ssl_certfile /path/to/client.crt
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT kombu_ssl_keyfile /path/to/clientkeyfile.key
    Replace the following values:
    • Replace /path/to/client.crt with the absolute path to the exported client certificate.
    • Replace /path/to/clientkeyfile.key with the absolute path to the exported client key file.
  2. If your certificates were signed by a third-party Certificate Authority (CA), you must also run the following command:
    # openstack-config --set /etc/cinder/cinder.conf \
     DEFAULT kombu_ssl_ca_certs /path/to/ca.crt
    Replace /path/to/ca.crt with the absolute path to the CA file provided by the third-party CA (see Section 2.3.4, “Enable SSL on the RabbitMQ Message Broker” for more information).
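Sections 6.3.1, 6.3.3, 6.3.5, 6.3.6 and 6.3.7 all write into /etc/cinder/cinder.conf through openstack-config, and a placeholder left in place or a missing key only shows up when the service fails to start. The following check, added here as an example and not part of the Red Hat guide, reads the file back and verifies those settings together: ini_get does in awk what openstack-config --get does, so the check has no dependencies, and because the file holds the database, Identity and message broker passwords, it also confirms that the file (and the ssl_key_file, if set) is not world-readable. The sample cinder.conf, its hosts and its passwords are constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a post-configuration check for
# /etc/cinder/cinder.conf covering the settings from 6.3.1, 6.3.3, 6.3.5, 6.3.6
# and 6.3.7. ini_get does in awk what "openstack-config --get" does. Because the
# file holds the database, Identity and broker passwords, its permissions are
# checked too. The sample file, hosts and passwords below are constructed.

# ini_get FILE SECTION KEY -> prints the value, or nothing if unset
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        sec == want_sec && $0 !~ /^[ \t]*[#;]/ {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want_key) {
                val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

_fail() { echo "FAIL: $1"; rc=1; }
world_readable() { [ -n "$(find "$1" -perm -004 -print 2>/dev/null)" ]; }

# check_cinder_conf FILE -> prints one FAIL line per finding; returns 1 if any
check_cinder_conf() {
    cf="$1"; rc=0
    world_readable "$cf" && _fail "$cf is world-readable"

    # 6.3.1: mysql://USER:PASS@IP/DB with the placeholders actually replaced
    conn=$(ini_get "$cf" DEFAULT sql_connection)
    case "$conn" in
        mysql://*:PASS@*|*@IP/*) _fail "sql_connection still contains PASS or IP" ;;
        mysql://*:*@*/*) ;;
        *) _fail "sql_connection is not of the form mysql://USER:PASS@IP/DB" ;;
    esac

    # 6.3.3: Keystone auth with every keystone_authtoken value present
    [ "$(ini_get "$cf" DEFAULT auth_strategy)" = keystone ] || _fail "auth_strategy is not keystone"
    for k in auth_host admin_tenant_name admin_user admin_password; do
        [ -n "$(ini_get "$cf" keystone_authtoken "$k")" ] || _fail "keystone_authtoken $k is unset"
    done

    # 6.3.5: if the API serves SSL, its private key must exist and stay private
    key=$(ini_get "$cf" DEFAULT ssl_key_file)
    if [ -n "$key" ]; then
        [ -r "$key" ] || _fail "ssl_key_file $key is unreadable"
        world_readable "$key" && _fail "ssl_key_file $key is world-readable"
    fi

    # 6.3.6 / 6.3.7: RabbitMQ settings; with SSL on, the client cert and key must exist
    [ "$(ini_get "$cf" DEFAULT rpc_backend)" = cinder.openstack.common.rpc.impl_kombu ] \
        || _fail "rpc_backend is not the kombu driver"
    [ -n "$(ini_get "$cf" DEFAULT rabbit_password)" ] || _fail "rabbit_password is unset"
    if [ "$(ini_get "$cf" DEFAULT rabbit_use_ssl)" = True ]; then
        for k in kombu_ssl_certfile kombu_ssl_keyfile; do
            p=$(ini_get "$cf" DEFAULT "$k")
            [ -n "$p" ] && [ -r "$p" ] || _fail "$k ($p) is unset or unreadable"
        done
    fi
    return $rc
}

# make_sample_conf DIR -> writes a constructed cinder.conf, prints its path
make_sample_conf() {
    cat > "$1/cinder.conf" <<'EOF'
[DEFAULT]
sql_connection = mysql://cinder:s3cret@10.0.0.5/cinder
auth_strategy = keystone
rpc_backend = cinder.openstack.common.rpc.impl_kombu
rabbit_host = 10.0.0.6
rabbit_userid = cinder
rabbit_password = r4bbit
rabbit_virtual_host = /
rabbit_use_ssl = False

[keystone_authtoken]
auth_host = 10.0.0.7
admin_tenant_name = services
admin_user = cinder
admin_password = k3yst0ne
EOF
    chmod 0640 "$1/cinder.conf"; echo "$1/cinder.conf"
}

# break_sample_conf FILE -> copy with the PASS placeholder left in and mode 0644
break_sample_conf() {
    sed 's/s3cret/PASS/' "$1" > "$1.bad"; chmod 0644 "$1.bad"; echo "$1.bad"
}

demo() {
    dir=$(mktemp -d); good=$(make_sample_conf "$dir"); bad=$(break_sample_conf "$good")
    check_cinder_conf "$good" && echo "$good: OK"
    check_cinder_conf "$bad" || echo "$bad: fix before starting the Block Storage services"
    rm -rf "$dir"
}
demo
```

On a real host, run check_cinder_conf /etc/cinder/cinder.conf as root after completing the procedures above and before starting the services; each FAIL line names the section whose step has to be repeated.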

6.3.8. Populate the Block Storage Database

Populate the Block Storage database after you have successfully configured the Block Storage service database connection string.

Important

This procedure must be followed only once to initialize and populate the database. You do not need to perform these steps again when adding additional systems hosting Block Storage services.

Procedure 6.6. Populating the Block Storage Service Database

  1. Log in to the system hosting one of the Block Storage services.
  2. Switch to the cinder user:
    # su cinder -s /bin/sh
  3. Initialize and populate the database identified in /etc/cinder/cinder.conf:
    $ cinder-manage db sync

6.3.9. Increase the Throughput of the Block Storage API Service

By default, the Block Storage API service (openstack-cinder-api) runs in one process. This limits the number of API requests that the Block Storage service can process at any given time. In a production environment, you should increase the Block Storage API throughput by allowing openstack-cinder-api to run in as many processes as the machine capacity allows.
The Block Storage API service option, osapi_volume_workers, allows you to specify the number of API service workers (or OS processes) to launch for openstack-cinder-api.
To set this option, run the following command on the openstack-cinder-api host:
# openstack-config --set /etc/cinder/cinder.conf \
   DEFAULT osapi_volume_workers CORES
Replace CORES with the number of CPU cores/threads on a machine.