Manual Installation

Install and configure components

  1. Install the packages in any way you prefer (github+setup.py / pip / packages)

  2. Create the service credentials

    1. Source the admin credentials to gain access to admin-only CLI commands:

    2. To create the service credentials, complete these steps:

      • Create the ec2api user:

        $ openstack user create --domain default --password-prompt ec2api
        
      • Add the admin role to the ec2api user:

        $ openstack role add --project service --user ec2api admin
        
      • Create the ec2api service entities:

        $ openstack service create --name ec2-api --description "ec2api" ec2api
        
  3. Create database

    • Use the database access client to connect to the database server as the root user:

      $ mysql -u root -p
      
    • Create the ec2api database:

      CREATE DATABASE ec2api;
      
    • Grant proper access to the ec2api database:

      GRANT ALL PRIVILEGES ON ec2api.* TO 'ec2api'@'localhost' \
       IDENTIFIED BY 'EC2-API_DBPASS';
      GRANT ALL PRIVILEGES ON ec2api.* TO 'ec2api'@'%' \
       IDENTIFIED BY 'EC2-API_DBPASS';
      

      Replace EC2-API_DBPASS with a suitable password.

    • Exit the database access client.

      exit;
      

    There is a script creating ‘ec2api’ database that is accessible only on localhost by user ‘ec2api’ with password ‘ec2api’. https://github.com/openstack/ec2-api/blob/master/tools/db/ec2api-db-setup

  4. Create endpoints:

    Create the ec2api service API endpoints:

    $ openstack endpoint create --region RegionOne ec2api \
      public http://controller:XXXX/
    $ openstack endpoint create --region RegionOne ec2api \
      admin http://controller:XXXX/
    $ openstack endpoint create --region RegionOne ec2api \
      internal http://controller:XXXX/
    
    • where ‘controller’ is address your ec2api is installed on

    • and ‘XXXX’ is port (8788 by default)

  5. Create configuration files /etc/ec2api/api-paste.ini (can be copied from https://github.com/openstack/ec2-api/blob/master/etc/ec2api/api-paste.ini)

    and /etc/ec2api/ec2api.conf

    To configure OpenStack for EC2 API service add to /etc/ec2api/ec2api.conf:

    [DEFAULT]
    external_network = public
    ec2_port = 8788
    ec2api_listen_port = 8788
    keystone_ec2_tokens_url = http://192.168.56.101/identity/v3/ec2tokens
    api_paste_config = /etc/ec2api/api-paste.ini
    disable_ec2_classic = True
    
    *
    • external_network option specifies the name of the external network, which is used to Internet and to allocate Elastic IPs. It must be specified to get access into VMs from outside of the cloud.

    • disable_ec2_classic option is not mandatory, but we strongly recommend it to be specified. It turns off EC2 Classic mode and forces objects to be created inside VPCs.

      With disable_ec2_classic = True, any user of the cloud must have the only network (created with neutron directly and attached to a router to provide outside access for that VMS), which is used for launch ec2-classic instances.

      Keep in mind that an operator is not able to change disable_ec2_classic setting seamlessly.

    In the [keystone_authtoken] section, configure Identity service access.

    [keystone_authtoken]
    project_domain_name = Default
    project_name = service
    user_domain_name = Default
    password = password
    username = ec2api
    auth_type = password
    

    Also you need to configure database connection:

    [database]
    connection = mysql+pymysql://root:password@127.0.0.1/ec2api?charset=utf8
    

    and cache if you want to use it.

    [cache]
    enabled = True
    

    You can look for other configuration options in the Configuration Reference

  6. Configure metadata:

    EC2 metadata is built in between the nova-metadata and the neutron-metadata, so we need to configure Neutron so that it sends requests to ec2-api-metadata, not to the nova.

    To configure OpenStack for EC2 API metadata service for Neutron add:

    [DEFAULT]
    nova_metadata_port = 8789
    

    to /etc/neutron/metadata_agent.ini for legacy neutron or to neutron_ovn_metadata_agent.ini for OVN

    then restart neutron-metadata service.

    If you want to obtain metadata via SSL you need to configure neutron:

    [DEFAULT]
    nova_metadata_protocol = https
    # in case of self-signed certs you may need to specify CA
    auth_ca_cert = /path/to/root/cert/if/self/signed
    # or skip certs checking
    nova_metadata_insecure = True
    

    And then you’ll be able to get EC2-API/Nova metadata from neutron via SSL. Anyway metadata URL inside the server still be http://169.254.169.254

  7. Start the services as binaries

    $ /usr/local/bin/ec2-api
    $ /usr/local/bin/ec2-api-metadata
    

    or set up as Linux services.