Manual Installation
Install and configure components
Install the packages in any way you prefer (github+setup.py / pip / packages)
Create the service credentials
Source the admin credentials to gain access to admin-only CLI commands.
To create the service credentials, complete these steps:
Create the ec2api user:
$ openstack user create --domain default --password-prompt ec2api
Add the admin role to the ec2api user:
$ openstack role add --project service --user ec2api admin
Create the ec2api service entities:
$ openstack service create --name ec2-api --description "ec2api" ec2api
Create database
Use the database access client to connect to the database server as the root user:
$ mysql -u root -p
Create the ec2api database:
CREATE DATABASE ec2api;
Grant proper access to the ec2api database:
GRANT ALL PRIVILEGES ON ec2api.* TO 'ec2api'@'localhost' \
  IDENTIFIED BY 'EC2-API_DBPASS';
GRANT ALL PRIVILEGES ON ec2api.* TO 'ec2api'@'%' \
  IDENTIFIED BY 'EC2-API_DBPASS';
Replace EC2-API_DBPASS with a suitable password.
Exit the database access client.
exit;
There is also a script that creates an ‘ec2api’ database accessible only on localhost by user ‘ec2api’ with password ‘ec2api’: https://github.com/openstack/ec2-api/blob/master/tools/db/ec2api-db-setup
Create endpoints:
Create the ec2api service API endpoints:
$ openstack endpoint create --region RegionOne ec2api \
    public http://controller:XXXX/
$ openstack endpoint create --region RegionOne ec2api \
    admin http://controller:XXXX/
$ openstack endpoint create --region RegionOne ec2api \
    internal http://controller:XXXX/
where ‘controller’ is the address of the host your ec2api is installed on and ‘XXXX’ is the port (8788 by default).
Create configuration files
/etc/ec2api/api-paste.ini (can be copied from https://github.com/openstack/ec2-api/blob/master/etc/ec2api/api-paste.ini) and /etc/ec2api/ec2api.conf
To configure OpenStack for EC2 API service add to /etc/ec2api/ec2api.conf:
[DEFAULT]
external_network = public
ec2_port = 8788
ec2api_listen_port = 8788
keystone_ec2_tokens_url = http://192.168.56.101/identity/v3/ec2tokens
api_paste_config = /etc/ec2api/api-paste.ini
disable_ec2_classic = True
- The external_network option specifies the name of the external network, which is used for Internet access and to allocate Elastic IPs. It must be specified to get access into VMs from outside of the cloud.
- The disable_ec2_classic option is not mandatory, but we strongly recommend specifying it. It turns off EC2 Classic mode and forces objects to be created inside VPCs.
With disable_ec2_classic = True, any user of the cloud must have only one network (created with neutron directly and attached to a router to provide outside access for its VMs), which is used to launch ec2-classic instances.
Keep in mind that an operator cannot change the disable_ec2_classic setting seamlessly.
In the [keystone_authtoken] section, configure Identity service access.
[keystone_authtoken]
project_domain_name = Default
project_name = service
user_domain_name = Default
password = password
username = ec2api
auth_type = password
You also need to configure the database connection:
[database]
connection = mysql+pymysql://root:password@127.0.0.1/ec2api?charset=utf8
and the oslo_concurrency lock_path:
[oslo_concurrency]
lock_path = /path/to/oslo_concurrency_lock_dir
and the cache, if you want to use it:
[cache]
enabled = True
You can look for other configuration options in the Configuration Reference.
Configure metadata:
EC2 metadata is built in between nova-metadata and neutron-metadata, so Neutron must be configured to send requests to ec2-api-metadata rather than to nova.
To configure OpenStack for EC2 API metadata service for Neutron add:
[DEFAULT]
nova_metadata_port = 8789
to /etc/neutron/metadata_agent.ini for legacy neutron or to neutron_ovn_metadata_agent.ini for OVN, then restart the neutron-metadata service.
If you want to obtain metadata via SSL you need to configure neutron:
[DEFAULT]
nova_metadata_protocol = https
# in case of self-signed certs you may need to specify CA
auth_ca_cert = /path/to/root/cert/if/self/signed
# or skip certs checking
nova_metadata_insecure = True
You will then be able to get EC2-API/Nova metadata from neutron via SSL. The metadata URL inside the server will still be http://169.254.169.254
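The sample values shown above (root and password in the database connection, password for the service user, a plain-http keystone_ec2_tokens_url, nova_metadata_insecure = True) are worth catching before a deployment goes live. The following check is an added example, not part of the ec2-api project: the function names and finding strings are hypothetical, and the two sample inputs are constructed from the values on this page.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample input that mirrors the values shown on this page.
SAMPLE_EC2API_CONF = """
[DEFAULT]
keystone_ec2_tokens_url = http://192.168.56.101/identity/v3/ec2tokens
[keystone_authtoken]
password = password
[database]
connection = mysql+pymysql://root:password@127.0.0.1/ec2api?charset=utf8
"""
SAMPLE_METADATA_AGENT_INI = """
[DEFAULT]
nova_metadata_protocol = https
nova_metadata_insecure = True
"""
# Placeholder and sample passwords that appear on this page.
PLACEHOLDERS = {"password", "ec2api", "EC2-API_DBPASS"}


def _load(text):
    parser = configparser.RawConfigParser()  # no '%' interpolation in values
    parser.read_string(text)
    return parser


def audit_ec2api_conf(text):
    """Return findings for the ec2api.conf settings discussed on this page."""
    conf, findings = _load(text), []
    url = conf.get("DEFAULT", "keystone_ec2_tokens_url", fallback="")
    if urlsplit(url).scheme == "http":
        findings.append("keystone_ec2_tokens_url is plain http")
    if conf.get("keystone_authtoken", "password", fallback=None) in PLACEHOLDERS:
        findings.append("keystone_authtoken password is a placeholder")
    db = urlsplit(conf.get("database", "connection", fallback=""))
    if db.username == "root":
        findings.append("database connection uses the root account")
    if db.password in PLACEHOLDERS:
        findings.append("database password is a placeholder")
    return findings


def audit_metadata_agent(text):
    """Return findings for the Neutron metadata agent TLS settings."""
    conf, findings = _load(text), []
    if conf.getboolean("DEFAULT", "nova_metadata_insecure", fallback=False):
        findings.append("nova_metadata_insecure = True skips certificate checks")
    return findings
```

Run both functions over the real file contents; an empty list means none of the sample values from this page are still in place.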
Start the services as binaries
$ /usr/local/bin/ec2-api
$ /usr/local/bin/ec2-api-metadata
or set up as Linux services.