Highly available Identity API

Highly available Identity API

Making the OpenStack Identity service highly available in active and passive mode involves:


Before beginning, ensure you have read the OpenStack Identity service getting started documentation.

Add OpenStack Identity resource to Pacemaker

The following section(s) detail how to add the OpenStack Identity resource to Pacemaker on SUSE and Red Hat.


SUSE Enterprise Linux and SUSE-based distributions, such as openSUSE, use a set of OCF agents for controlling OpenStack services.

  1. Run the following commands to download the OpenStack Identity resource to Pacemaker:

    # cd /usr/lib/ocf/resource.d
    # mkdir openstack
    # cd openstack
    # wget https://git.openstack.org/cgit/openstack/openstack-resource-agents/plain/ocf/keystone
    # chmod a+rx *
  2. Add the Pacemaker configuration for the OpenStack Identity resource by running the following command to connect to the Pacemaker cluster:

    # crm configure
  3. Add the following cluster resources:

    clone p_keystone ocf:openstack:keystone \
    params config="/etc/keystone/keystone.conf" os_password="secretsecret" os_username="admin" os_tenant_name="admin" os_auth_url="" \
        op monitor interval="30s" timeout="30s"


    This configuration creates p_keystone, a resource for managing the OpenStack Identity service.

  4. Commit your configuration changes from the crm configure menu with the following command:

    # commit

The crm configure supports batch input. You may have to copy and paste the above lines into your live Pacemaker configuration, and then make changes as required.

For example, you may enter edit p_ip_keystone from the crm configure menu and edit the resource to match your preferred virtual IP address.

Pacemaker now starts the OpenStack Identity service and its dependent resources on all of your nodes.

Red Hat

For Red Hat Enterprise Linux and Red Hat-based Linux distributions, the following process uses Systemd unit files.

# pcs resource create openstack-keystone systemd:openstack-keystone --clone interleave=true

Configure OpenStack Identity service

  1. Edit the keystone.conf file to change the values of the bind(2) parameters:

    bind_host =
    public_bind_host =
    admin_bind_host =

    The admin_bind_host parameter lets you use a private network for admin access.

  2. To be sure that all data is highly available, ensure that everything is stored in the MySQL database (which is also highly available):

    driver = keystone.catalog.backends.sql.Catalog
    # ...
    driver = keystone.identity.backends.sql.Identity
    # ...
  3. If the Identity service will be sending ceilometer notifications and your message bus is configured for high availability, you will need to ensure that the Identity service is correctly configured to use it. For details on how to configure the Identity service for this kind of deployment, see Messaging service for high availability.

Configure OpenStack services to use the highly available OpenStack Identity

Your OpenStack services now point their OpenStack Identity configuration to the highly available virtual cluster IP address.

  1. For OpenStack Compute, (if your OpenStack Identity service IP address is use the following configuration in the api-paste.ini file:

    auth_host =
  2. Create the OpenStack Identity Endpoint with this IP address.


    If you are using both private and public IP addresses, create two virtual IP addresses and define the endpoint. For example:

    $ openstack endpoint create --region $KEYSTONE_REGION \
      $service-type public http://PUBLIC_VIP:5000/v2.0
    $ openstack endpoint create --region $KEYSTONE_REGION \
      $service-type admin
    $ openstack endpoint create --region $KEYSTONE_REGION \
      $service-type internal
  3. If you are using the horizon Dashboard, edit the local_settings.py file to include the following:

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.