This content is part of the Essential Guide: Learn the latest on OpenStack distributions and development

Step-by-step guide to acing your OpenStack installation

OpenStack's installation online instructions and step-by-step wizard, while helpful, leave much to be desired. Fill in the gaps with this guide to installing OpenStack on Ubuntu.

One easy way to learn how to use OpenStack is to set it up on a single computer. OpenStack's website offers instructions for how to do so, but the number of steps required coupled with a few inaccuracies can make them difficult to follow -- for example, you cannot simply apt-get your way through an installation. OpenStack also offers a graphical, step-by-step wizard, but using it requires five separate virtual machines.

When installing OpenStack you'll likely receive a number of error messages. Rather than turning to Google to find solutions for these issues, which will only cause you more grief in the long run, I recommend referring to this set of instructions. I have run through the complete OpenStack installation on Ubuntu twice in order to get a thorough understanding of it, and have compiled what I learned in this OpenStack installation guide. In short, this guide seeks to simplify and elaborate upon the instructions offered by OpenStack in order to solve any problems you may encounter.

These instructions end with setting up a working environment. I did not deploy a VM into the environment, as that would require many additional steps; instead, I will address that process in a future article.

OpenStack installation requirements

To get started, take a look at the instructions from the OpenStack website on "OpenStack Installation Guide for Ubuntu 14.04." For best results, consult those instructions as well as this document to complete a successful install. For reference, I used OpenStack Kilo, otherwise known as version K.

The simplest possible working environment consists of a compute node and a controller node. We will not be setting up separate object storage, block storage or a network node as you would with a production install.

If you get stuck on one step, feel free to move on to the next, as these steps -- with the exception of the first one -- do not need to be completed chronologically. You might even find the resolution to an earlier problem while working on a later step.

To summarize, the basic steps for setting up OpenStack are as follows:

  1. Create a basic environment by installing a database, configuring host files;
  2. Install the Identity Service;
  3. Install the Image Service;
  4. Install the Compute Service; and
  5. Install the Dashboard so you can log in to the Ib interface.

Set up a basic environment

To set up a basic environment, you must begin by creating an Ubuntu 14.04 Server VM. You should be able to use any hypervisor to do this; I used VMware vCloud Director. Although I opted to use Ubuntu Server, these instructions should also work for Ubuntu Desktop. The primary difference between Ubuntu Server and Desktop is that Server has no graphical interface, a problem which I'll address later in this guide.

You'll need to run these instructions as root. If you choose to use an Ubuntu Desktop instead of Server, you'll be logging in with a different user ID, which means you must change the root password so you can run the substitute user command. When setting up an environment, be sure to make frequent snapshots so you can roll back when something does not work.

You can use the passwords exactly as they are given in the OpenStack instructions. Save yourself some trouble by simply copying and pasting them. Also, there is no root password used in the SQL database. Don't run the apt-get command unless instructed because, according to the documentation, OpenStack does not allow automatic updates to run.

Once you've created an Ubuntu Server VM, add the controller and compute1 IP addresses to "/etc/hosts." To keep everything on one machine, use the following command: controller compute1

Next, run the commands shown below:

apt-get install ubuntu-cloud-keyring

echo "deb" \
            "trusty-updates/kilo main" > /etc/apt/sources.list.d/cloudarchive-kilo.list

apt-get update && apt-get dist-upgrade

Skip setting up the Network Time Protocol server. There is no need to sync time at this point since you just have one machine. Now run the following command:

apt-get install mariadb-server python-mysqldb

Notice we are MariaDB rather than MySQL. We will now edit "/etc/mysql/my.cnf" following the instructions here.

Once you've completed this step, enter the command shown below:

service mysql restart


Then install RabbitMQ server using this command:

apt-get install rabbitmq-server

rabbitmqctl change_password guest RABBIT_PASS

Identity Service

To install the Identity Service, begin by referring to OpenStack's instructions for creating a Keystone database. These instructions will have you create a token to run Keystone operations before you have the chance to create a user ID and password. Do so by running this command:

openssl rand -hex 10

Here is the token I received when I ran this command: cde3aa151a5a7e048da9. You may use this token or make your own token. Next, run the following command:

apt-get install keystone python-keystoneclient

Follow the instructions show in OpenStack's documentation on how to use vi/etc/keystone/keystone.conf to edit the config file.

Note that the command shown in OpenStack's instructions will result in an error because it opens a new shell. To avoid this error, run the command shown below without su – s in front:

/bin/sh -c "keystone-manage db_sync" keystone

Then enter the following:

service keystone restart

You must now export these two environment variables. This temporarily allows you to authenticate to Keystone with a token -- the one you created above -- instead of a user credential.

export OS_SERVICE_TOKEN=cde3aa151a5a7e048da9


Create tenants, users and roles

At this point I received error 500, because I forgot to restart the Keystone service. To create Keystone tenants, users and roles, begin by entering the following commands:

keystone tenant-create --name admin --description "Admin Tenant"

keystone user-create --name admin --pass ADMIN_PASS --email EMAIL_ADDRESS

Continue with the instructions in the OpenStack documentation, and then enter this command:

keystone tenant-create --name service --description "Service Tenant"

Create the service entity and API endpoint

Follow these instructions. The next step, the verification step, is where you will find any errors.

Verify operation

According to the's instructions, to verify operations you must enter the following command:


In order to test the user ID and password to make sure they can be passed to the command line, enter this command:

keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \

>   --os-auth-url http://controller:35357/v2.0 token-get

The command shown above mimics what the Identity Service is supposed to do, which is to grant users a login token.

When I followed OpenStack's directions, I received this error:

The request you have made requires authentication. (HTTP 401) (Request-ID: req-0550f2c3-9077-470b-95d8-ce4ff498ff8f)

Error 401 indicates the user is not authorized, which means I forgot to create the admin role using this command:

 keystone role-create --name admin

You can check what role a user has with this command:

keystone user-role-list --user admin --tenant admin

You can also reset the token environment variables with the following commands:

export OS_SERVICE_TOKEN=cde3aa151a5a7e048da9

export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

I added the admin role to the user admin with this command to fix that error:

keystone user-role-add --user admin --tenant admin --role admin

The takeaway here is to use the other Keystone commands, like the list command, to debug situations. This is also true for the next set of commands you will install.

Create OpenStack client environment scripts

Set environment variables so you can run these commands without the token or without having to put them on the command line. Create these two files with the commands shown below:



export OS_TENANT_NAME=admin

export OS_USERNAME=admin


export OS_AUTH_URL=http://controller:35357/v2.0




export OS_TENANT_NAME=demo

export OS_USERNAME=demo


export OS_AUTH_URL=http://controller:5000/v2.0

Then enter the following:


Add image service

To install Glance, follow these instructions. Next, create a database with the following command:

keystone user-create --name glance --pass GLANCE_PASS

I received error 401, which I fixed by entering the following:

export OS_SERVICE_TOKEN=cde3aa151a5a7e048da9

export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

If you set both the credentials in the shell and the endpoint, you will receive this message: "WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored)."

Continue by entering the series of commands shown below:

keystone service-create --name glance --type image \
  --description "OpenStack Image Service"

keystone endpoint-create \
  --service-id $(keystone service-list | awk '/ image / {print $2}') \
  --publicurl http://controller:9292 \
  --internalurl http://controller:9292 \
  --adminurl http://controller:9292 \
  --region regionOne

apt-get install glance python-glanceclient

Now when you edit "/etc/glance/glance-api.conf" per OpenStack's instructions, you also need to rem out:

#sqlite_db = /var/lib/glance/glance.sqlite

Replace the line shown above with the lines that follow:


#identity_uri =

#admin_tenant_name = %SERVICE_TENANT_NAME%

#admin_user = %SERVICE_USER%

#admin_password = %SERVICE_PASSWORD%

#revocation_cache_time = 10


     auth_uri = http://controller:5000/v2.0

identity_uri = http://controller:35357

admin_tenant_name = service

admin_user = glance

admin_password = GLANCE_PASS

Once you have done this, continue to follow OpenStack's instructions by including this edit:

vi /etc/glance/glance-registry.conf

Then, enter the following command, omitting the sh –c:

/bin/sh -c "glance-manage db_sync" glance

At this point, I received the following error message:

CRITICAL glance [-] DBConnectionError: (OperationalError) (2003, "Can't connect to MySQL server on 'controller' (111)") None None

As it turns out, I misspelled the IP address, and forgot to add the following command:

flavor = keystone in [paste_deploy]

Verify operation

According to the instructions for verifying operation, you must download a Linux image and then upload it to the image service with this command:

glance image-create --name "cirros-0.3.3-x86_64" --file /tmp/images/cirros-0.3.3-x86_64-disk.img \
  --disk-format qcow2 --container-format bare --is-public True --progress

When I did this, I received this error message:

error 403

<h1>403 Forbidden</h1>

     Access was denied to this resource.<br /><br />

To debug that, I ran:

glance image-list

Which gave me yet another error 500, so I ran:

service glance-registry restart
     service glance-api restart

Add compute service & set up controller node

I found the next set of instructions to be rather confusing because entire sections of the config file installed by apt-get are missing. To correct this, copy the text below to replace it:


verbose = True













my_ip =

vncserver_listen =

vncserver_proxyclient_address =


rpc_backend = rabbit

rabbit_host = controller

rabbit_password = RABBIT_PASS

auth_strategy = keystone



connection = mysql://nova:[email protected]/nova



auth_uri = http://controller:5000/v2.0

identity_uri = http://controller:35357

admin_tenant_name = service

admin_user = nova

admin_password = NOVA_PASS



host = controller

Configure compute code

In this section, you will have already edited "/etc/nova/nova.conf" in the controller node section.  The only addition is you will need to make is these two lines to the "DEFAULT" section:

vnc_enabled = True

novncproxy_base_url = http://controller:6080/vnc_auto.html

By this point, we've already run this command:

/bin/sh -c "nova-manage db sync" nova

Should you run it again, it will do nothing other than say:

No handlers could be found for logger "oslo_config.cfg"

We can skip the step for Neutron Networking, because we can do without virtual interfaces on a single-machine set up.

Add dashboards

Follow these instructions to install Apache and configure the OpenStack dashboard inside of it; this should give you access to the OpenStack command-line interface tool. The following message should appear when you restart Apache:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message

This message is normal, so feel free to ignore it.

If you installed an Ubuntu Server, you can install the Unity Ubuntu desktop to log in to the dashboard. If you installed an Ubuntu Desktop, Unity Ubuntu will already be preinstalled on your VM. You may also modify these instructions to allow logging into Apache from another machine by setting up your Ubuntu VM as a bridged network.

To install Unity Ubuntu, enter the following command:

sudo apt-get install --no-install-recommends ubuntu-desktop

This does not install Firefox or any browser, so you will need to add a user from the Ubuntu command line, and then run the visudo command to grant them root access, allowing the user to run programs.

Hypervisor and hardware use statistics.
Figure A. Log in to the dashboard to see hypervisor and hardware use statistics.

You can then log in to the dashboard. Use the same admin user ID and password that is in the "" file.

Next Steps

OpenStack as the foundation of the do-it-yourself cloud

Is OpenStack infrastructure right for you?

Beware the OpenStack installation learning curve

Dig Deeper on Cloud computing architecture