This is a very concise quickstart guide to set up an OpenStack DevStack limited to Keystone in a VirtualBox VM using Ubuntu Server LTS as the guest operating system. Because the DevStack is limited to deploying primarily Keystone, installation is quick and the machine does not take up many resources.
At the time of writing it uses about 11 GB of disk space and 1 GB of RAM while running Keystone.
This is meant for testing authentication and IDM-related things with OpenStack Keystone while disregarding other components.
It can easily be extended with further components by adjusting the local.conf accordingly.
Create a VirtualBox VM for Ubuntu Server LTS that has two interfaces:
- NAT for internet access
- Host-only for OpenStack API
Later on, it should look like this in the guest OS (/etc/netplan/00-installer-config.yaml):
network:
  ethernets:
    enp0s3:
      dhcp4: true
    enp0s8:
      dhcp4: true
  version: 2
Full guide: https://docs.openstack.org/devstack/latest/
Essentials:
sudo useradd -s /bin/bash -d /opt/stack -m stack
sudo chmod +x /opt/stack
echo "stack ALL=(ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/stack
sudo -u stack -i
git clone https://opendev.org/openstack/devstack
cd devstack
cp samples/local.conf local.conf
Now edit local.conf as instructed below:
...
# Use the IP address of the Host-only adapter here:
HOST_IP=192.168.59.105
# Only deploy wanted services
DISABLED_SERVICES=nova,cinder,glance,g-api,n-api,swift,neutron,horizon
ENABLED_SERVICES=key,mysql,tempest # see devstack/stackrc
...
The above *_SERVICES settings will trim down the DevStack to Keystone, Tempest, mysqld and memcached.
Note: configuring *_SERVICES can be tricky. Look into devstack/stackrc and the source code for reference. Sometimes full service names are interpreted ("keystone"), sometimes only shorthands ("g-api").
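Now, deploy the DevStack.
First, enter the DevStack environment and run the deployment script:
sudo -u stack -i
cd devstack/
./stack.sh
To tear the deployment down again, run the following from the same directory:
./unstack.sh
To use the OpenStack client inside the VM, load the credentials that DevStack provides:
sudo -u stack -i
cd devstack/
source openrc # user: demo, project: demo
openstack image list # example command
source openrc admin admin # user: admin, project: admin
openstack project list # example command
To use the client from the host instead, create a virtualenv outside of the VM and install the client into it:
virtualenv .openstack-venv
source .openstack-venv/bin/activate
pip install openstackclient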
For the next step, log into the VM and extract the client settings like so:
NOTE: To extract the client settings for the admin user instead, use source openrc admin admin in the steps below.
sudo -u stack -i
cd devstack
source openrc
printenv | grep OS_
Now leave the VM again and return to the host.
Copy the returned OS_* variables and save them in a local file (e.g. as ~/openrc) on your workstation outside of the VM.
Prepend "export " to each of them, e.g.
export OS_REGION_NAME=RegionOne
export OS_PROJECT_DOMAIN_ID=default
export OS_CACERT=
...
Outside of the VM, enter the virtualenv again (if you left it) and then load that file:
source .openstack-venv/bin/activate
source ~/openrc
openstack image list # example command
NOTE: Make sure that OS_AUTH_URL in the variables file is set to the IP address of the Host-only adapter of the running DevStack VM reachable from the host.
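The copy-and-prepend step above can be scripted. The following is an added example, not part of the original guide: `write_openrc`, `sh_quote`, `sample_printenv` and the file name `printenv-from-vm.txt` are hypothetical, and the sample values are constructed. It keeps only real `OS_*` variables, quotes each value, points `OS_AUTH_URL` at the Host-only address and creates the file owner-readable only, since it contains `OS_PASSWORD`.

```sh
# Constructed sample of what `printenv` returns inside the VM (not real credentials).
sample_printenv() {
    cat <<'EOF'
HOME=/opt/stack
OS_REGION_NAME=RegionOne
OS_AUTH_URL=http://10.0.2.15/identity
OS_PASSWORD=it's=secret=
OS_CACERT=
BOOST_OS_HINT=unrelated
EOF
}

# Single-quote a value for the shell, escaping embedded single quotes.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_openrc FILE HOST_ONLY_IP: read KEY=VALUE lines on stdin, write FILE.
# Runs in a subshell so the umask change does not leak into the caller.
write_openrc() (
    out="$1"; host_ip="$2"
    umask 077          # the file holds OS_PASSWORD: readable by the owner only
    rm -f "$out"       # a pre-existing file would keep its old, looser mode
    while IFS= read -r line; do
        case "$line" in OS_*=*) ;; *) continue ;; esac    # `grep OS_` is looser than this
        key="${line%%=*}"; value="${line#*=}"             # split at the first "=" only
        case "$key" in *[!A-Z0-9_]*) continue ;; esac
        if [ "$key" = OS_AUTH_URL ]; then
            # Replace only the host part; scheme, port and path stay as DevStack set them.
            value="$(printf '%s' "$value" | sed -E "s#^(https?://)[^/:]+#\\1${host_ip}#")"
        fi
        printf 'export %s=%s\n' "$key" "$(sh_quote "$value")"
    done > "$out"
)

# Usage on the host (hypothetical input file holding the copied printenv output):
#   write_openrc ~/openrc 192.168.59.105 < printenv-from-vm.txt
```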
Upstream guide: https://docs.openstack.org/devstack/latest/development.html
- you can find the .conf files in the VM guest directly under the corresponding /etc/ trees
  - e.g. /etc/keystone/keystone.conf
- there are systemd services for all OpenStack components
  - you can list them with systemctl list-units | grep devstack
  - note that many services have abbreviated names: c-* for Cinder, g-* for Glance, n-* for Neutron and so on
- source code of the main components can be edited directly under /opt/stack/<component>/
  - changes will take effect once the corresponding service(s) is/are restarted
    - e.g. systemctl restart devstack@g-api
- to change library source code you have to edit it in the common VirtualEnv located at /opt/stack/data/venv/
  - e.g. /opt/stack/data/venv/lib/python3.10/site-packages/keystoneauth1/ for the keystoneauth library
Related: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
To use this new option, adjustments are necessary both server-side (DevStack) and client-side (OSC, Tempest).
NOTE: The enforce_scope-related settings need to be in sync between both sides at all times. If you revert this configuration, make sure to revert both sides.
keystone.conf
[oslo_policy]
enforce_new_defaults = true
enforce_scope = true
sudo systemctl restart devstack@keystone
unset OS_PROJECT_NAME
unset OS_TENANT_NAME
unset OS_USER_DOMAIN_ID
unset OS_PROJECT_DOMAIN_ID
export OS_SYSTEM_SCOPE=all
tempest.conf
# IMPORTANT: comment out admin_project_name and admin_domain_name when you
# enable enforce_scope! Otherwise auth won't work.
[auth]
#admin_project_name = admin
#admin_domain_name = Default
admin_system = all
[identity-feature-enabled]
enforce_scope = true
[enforce_scope]
# Does the compute/identity/network/... service API policies enforce scope and
# new defaults? Should be enabled when
# nova.conf: oslo_policy.enforce_new_defaults and oslo_policy.enforce_scope are
# enabled.
keystone = true
...
[barbican_rbac_scope_verification]
enforce_scope = true
Barbican is not deployed per default and needs to be added explicitly via the following addition to local.conf followed by a redeployment:
...
# Barbican plugin
enable_plugin barbican https://opendev.org/openstack/barbican
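Because the enforce_scope settings above have to stay in sync between keystone.conf, tempest.conf and the client environment, a small check helps after every change or revert. This is an added example, not part of the original guide or of DevStack: `ini_get`, `mismatch` and `scope_in_sync` are hypothetical helper names, and the sections and keys checked are only those shown above.

```sh
# ini_get FILE SECTION KEY: print the last uncommented value of KEY in [SECTION].
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # commented-out settings do not count
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = tolower(v)
        }
        END { print val }' "$1"
}

mismatch() { echo "MISMATCH: $*"; rc=1; }

# scope_in_sync KEYSTONE_CONF TEMPEST_CONF: return 0 if server, Tempest and the
# OS_* variables of the current shell agree; otherwise print each mismatch, return 1.
scope_in_sync() {
    ks="$1"; tp="$2"; rc=0
    srv="$(ini_get "$ks" oslo_policy enforce_scope)"
    feat="$(ini_get "$tp" identity-feature-enabled enforce_scope)"
    svc="$(ini_get "$tp" enforce_scope keystone)"
    # An absent key is compared as "unset"; no release default is assumed here.
    [ "${srv:-unset}" = "${feat:-unset}" ] ||
        mismatch "keystone.conf enforce_scope=${srv:-unset}, tempest [identity-feature-enabled]=${feat:-unset}"
    [ "${srv:-unset}" = "${svc:-unset}" ] ||
        mismatch "keystone.conf enforce_scope=${srv:-unset}, tempest [enforce_scope] keystone=${svc:-unset}"
    if [ "$srv" = true ]; then
        [ "$(ini_get "$tp" auth admin_system)" = all ] ||
            mismatch "tempest [auth] admin_system is not 'all'"
        [ -z "$(ini_get "$tp" auth admin_project_name)$(ini_get "$tp" auth admin_domain_name)" ] ||
            mismatch "tempest [auth] admin_project_name/admin_domain_name still active"
        [ "${OS_SYSTEM_SCOPE:-}" = all ] || mismatch "OS_SYSTEM_SCOPE is not 'all'"
        [ -z "${OS_PROJECT_NAME:-}${OS_TENANT_NAME:-}" ] ||
            mismatch "OS_PROJECT_NAME/OS_TENANT_NAME still set"
    fi
    return "$rc"
}
```

Call it as `scope_in_sync /etc/keystone/keystone.conf <path to tempest.conf>` from the shell whose OS_* variables you intend to use; each printed MISMATCH line names the side that still has to be changed or reverted.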