Manual Installation

Install and configure components

1. Install the packages in any way you prefer (github+setup.py / pip / packages)

2. Create the service credentials

   1. Source the admin credentials to gain access to admin-only CLI commands:

   2. To create the service credentials, complete these steps:

      • Create the ec2api user:

        $ openstack user create --domain default --password-prompt ec2api
        

      • Add the admin role to the ec2api user:

        $ openstack role add --project service --user ec2api admin
        

      • Create the ec2api service entities:

        $ openstack service create --name ec2-api --description "ec2api" ec2api
        

3. Create database

   • Use the database access client to connect to the database server as the root user:

     $ mysql -u root -p
     

   • Create the ec2api database:

     CREATE DATABASE ec2api;
     

   • Grant proper access to the ec2api database:

     GRANT ALL PRIVILEGES ON ec2api.* TO 'ec2api'@'localhost' \
      IDENTIFIED BY 'EC2-API_DBPASS';
     GRANT ALL PRIVILEGES ON ec2api.* TO 'ec2api'@'%' \
      IDENTIFIED BY 'EC2-API_DBPASS';
     

     Replace EC2-API_DBPASS with a suitable password.

   • Exit the database access client.

     exit;
     

   There is a script creating ‘ec2api’ database that is accessible only on localhost by user ‘ec2api’ with password ‘ec2api’. https://github.com/openstack/ec2-api/blob/master/tools/db/ec2api-db-setup

4. Create endpoints:

   Create the ec2api service API endpoints:

   $ openstack endpoint create --region RegionOne ec2api \
     public http://controller:XXXX/
   $ openstack endpoint create --region RegionOne ec2api \
     admin http://controller:XXXX/
   $ openstack endpoint create --region RegionOne ec2api \
     internal http://controller:XXXX/
   

   • where ‘controller’ is address your ec2api is installed on

   • and ‘XXXX’ is port (8788 by default)

5. Create configuration files /etc/ec2api/api-paste.ini (can be copied from https://github.com/openstack/ec2-api/blob/master/etc/ec2api/api-paste.ini)

   and /etc/ec2api/ec2api.conf

   To configure OpenStack for EC2 API service add to /etc/ec2api/ec2api.conf:

   [DEFAULT]
   external_network = public
   ec2_port = 8788
   ec2api_listen_port = 8788
   keystone_ec2_tokens_url = http://192.168.56.101/identity/v3/ec2tokens
   api_paste_config = /etc/ec2api/api-paste.ini
   disable_ec2_classic = True
   

   *

   • external_network option specifies the name of the external network, which is used to Internet and to allocate Elastic IPs. It must be specified to get access into VMs from outside of the cloud.

   • disable_ec2_classic option is not mandatory, but we strongly recommend it to be specified. It turns off EC2 Classic mode and forces objects to be created inside VPCs.

     With disable_ec2_classic = True, any user of the cloud must have the only network (created with neutron directly and attached to a router to provide outside access for that VMS), which is used for launch ec2-classic instances.

     Keep in mind that an operator is not able to change disable_ec2_classic setting seamlessly.

   In the [keystone_authtoken] section, configure Identity service access.

   [keystone_authtoken]
   project_domain_name = Default
   project_name = service
   user_domain_name = Default
   password = password
   username = ec2api
   auth_type = password
   

   Also you need to configure database connection:

   [database]
   connection = mysql+pymysql://root:password@127.0.0.1/ec2api?charset=utf8
   

   and you need to configure oslo_concurrency lock_path:

   [oslo_concurrency]
   lock_path = /path/to/oslo_concurrency_lock_dir
   

   and cache if you want to use it.

   [cache]
   enabled = True
   

   You can look for other configuration options in the Configuration Reference

6. Configure metadata:

   EC2 metadata is built in between the nova-metadata and the neutron-metadata, so we need to configure Neutron so that it sends requests to ec2-api-metadata, not to the nova.

   To configure OpenStack for EC2 API metadata service for Neutron add:

   [DEFAULT]
   nova_metadata_port = 8789
   

   to /etc/neutron/metadata_agent.ini for legacy neutron or to neutron_ovn_metadata_agent.ini for OVN

   then restart neutron-metadata service.

   If you want to obtain metadata via SSL you need to configure neutron:

   [DEFAULT]
   nova_metadata_protocol = https
   # in case of self-signed certs you may need to specify CA
   auth_ca_cert = /path/to/root/cert/if/self/signed
   # or skip certs checking
   nova_metadata_insecure = True
   

   And then you’ll be able to get EC2-API/Nova metadata from neutron via SSL. Anyway metadata URL inside the server still be http://169.254.169.254

7. Start the services as binaries

   $ /usr/local/bin/ec2-api
   $ /usr/local/bin/ec2-api-metadata
   

   or set up as Linux services.