openstack havana on ubuntu 13.10 (keystone)
openstackとりまとめページ http://init0.hatenablog.com/entry/2013/10/05/232939
ubuntu13.10 betaに更新したら、いつものごとくopenstackが動かなくなったので、再インストール。 まずは、keystoneから。
事前に、mysqlは次の設定をしてあります。
- openstack の共通ユーザ stack を作成済み
- パスワードは、stack
- keystone 用のデータベース keystone を作成済み
- ユーザ stack には、keystoneデータベースを操作する全権限を付与
keystone インストール
aptitude install keystone python-keystone keystone-doc aptitude install python-mysqldb
keystoneの設定ファイル修正
設定変更のポイントは、
- tokenは'ADMIN'
- データベースは、sqliteからmysqlに変更
- ユーザ名とパスワードは、共に、'stack'
- データベース名は、'keystone'
- keystoneは、192.168.0.110で動作
- public_endpoint と admin_endpointを、localhostから192.168.0.110に変更
デフォルト設定との差分を記載しておきます。
< admin_token = ADMIN --- > # admin_token = ADMIN 6c6 < bind_host = 0.0.0.0 --- > # bind_host = 0.0.0.0 9c9 < public_port = 5000 --- > # public_port = 5000 12c12 < admin_port = 35357 --- > # admin_port = 35357 18,19d17 < public_endpoint = http://192.168.0.110:%(public_port)s/ < admin_endpoint = http://192.168.0.110:%(admin_port)s/ 51,52c49 < #debug = False < debug = True --- > # debug = False 55,56c52 < #verbose = False < verbose = True --- > # verbose = False 91,92c87 < #connection = sqlite:////var/lib/keystone/keystone.db < connection = mysql://stack:stack@192.168.0.110/keystone --- > connection = sqlite:////var/lib/keystone/keystone.db
keystoneの再起動 (設定反映)
service keystone restart
エンドポイント、ユーザ、テナントなどなど投入
ちまちまコマンドを入力すると大変なので、大昔に拾ってきたnova.shを改造したスクリプトを走らせます。
スクリプトで実行していることのポイントは、
- keystone,nova,cinder,glance,ec2,swiftのエンドポイント作成
- 各テナント作成
- service用のテナント(service)作成
- adminテナントと、demoテナント作成
- ユーザ作成
- adminユーザと、demoユーザ作成
- ロール作成
- テナントとユーザ、ロールのひも付け
keystone.sh
#!/bin/bash mysql -ustack -pstack -e 'DROP DATABASE IF EXISTS keystone;' mysql -ustack -pstack -e 'CREATE DATABASE keystone CHARACTER SET utf8;' keystone-manage db_sync # # Initial data for Keystone using python-keystoneclient # # Tenant User Roles # ------------------------------------------------------------------ # admin admin admin # service glance admin # service nova admin, [ResellerAdmin (swift only)] # service quantum admin # if enabled # service swift admin # if enabled # demo admin admin # demo demo Member, anotherrole ## invisible_to_admin demo Member ## Tempest Only: ## alt_demo alt_demo Member # # Variables set before calling this script: # SERVICE_TOKEN - aka admin_token in keystone.conf # SERVICE_ENDPOINT - local Keystone admin endpoint # SERVICE_TENANT_NAME - name of tenant containing service accounts # ENABLED_SERVICES - stack.sh's list of services to start # DEVSTACK_DIR - Top-level DevStack directory ADMIN_PASSWORD=admin SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD} #export SERVICE_TOKEN=$SERVICE_TOKEN #export SERVICE_ENDPOINT=$SERVICE_ENDPOINT export SERVICE_TOKEN=ADMIN export SERVICE_ENDPOINT=http://192.168.0.110:35357/v2.0 SERVICE_TENANT_NAME=service #ENABLED_SERVICES=quantum function get_id () { echo `$@ | awk '/ id / { print $4 }'` } # keystone keystone service-create --name=keystone --type=identity --description="Identity Service" service_id=`keystone service-list | grep keystone | awk '{ print $2 }'` keystone endpoint-create \ --region RegionOne \ --publicurl='http://192.168.0.110:$(public_port)s/v2.0' \ --internalurl='http://192.168.0.110:$(public_port)s/v2.0' \ --adminurl='http://192.168.0.110:$(admin_port)s/v2.0' \ --service-id="${service_id}" # nova keystone service-create --name=nova --type=compute --description="Compute Service" service_id=`keystone service-list | grep nova | awk '{ print $2 }'` keystone endpoint-create \ --region RegionOne \ --publicurl='http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s' \ --internalurl='http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s' \ --adminurl='http://192.168.0.110:$(compute_port)s/vl.1/$(tenant_id)s' \ --service-id="${service_id}" # cinder keystone service-create --name=cinder --type=volume --description="Volume Service" service_id=`keystone service-list | grep cinder | awk '{ print $2 }'` keystone endpoint-create \ --region RegionOne \ --publicurl='http://192.168.0.110:8776/v1/$(tenant_id)s' \ --internalurl='http://192.168.0.110:8776/v1/$(tenant_id)s' \ --adminurl='http://192.168.0.110:8776/v1/$(tenant_id)s' \ --service-id="${service_id}" # glance keystone service-create --name=glance --type=image --description="Image Service" service_id=`keystone service-list | grep glance | awk '{ print $2 }'` keystone endpoint-create \ --region RegionOne \ --publicurl='http://192.168.0.110:9292/v1' \ --internalurl='http://192.168.0.110:9292/v1' \ --adminurl='http://192.168.0.110:9292/v1' \ --service-id="${service_id}" # ec2 keystone service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Layer" service_id=`keystone service-list | grep ec2 | awk '{ print $2 }'` keystone endpoint-create \ --region RegionOne \ --publicurl='http://192.168.0.110:8773/services/Cloud' \ --internalurl='http://192.168.0.110:8773/services/Cloud' \ --adminurl='http://192.168.0.110:8773/services/Admin' \ --service-id="${service_id}" # swift keystone service-create --name=swift --type=object-store --description="Object Storage Service" service_id=`keystone service-list | grep swift | awk '{ print $2 }'` keystone endpoint-create \ --region RegionOne \ --publicurl 'http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s' \ --internalurl 'http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s' \ --adminurl 'http://192.168.0.110:8888/v1' \ --service-id="${service_id}" ### Tenants echo "keystone tenant-create --name=admin" ADMIN_TENANT=$(get_id keystone tenant-create --name=admin) echo "keystone tenant-create --name=$SERVICE_TENANT_NAME" SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME) echo "keystone tenant-create --name=demo" DEMO_TENANT=$(get_id keystone tenant-create --name=demo) ### Users echo "keystone user-create --name=admin \\ --pass=admin \\ --email=admin@example.com" ADMIN_USER=$(get_id keystone user-create --name=admin \ --pass=admin \ --email=admin@example.com) echo "keystone user-create --name=demo --pass=demo --email=demo@example.com" DEMO_USER=$(get_id keystone user-create --name=demo \ --pass=demo \ --email=demo@example.com) ### Roles echo "keystone role-create --name=admin" ADMIN_ROLE=$(get_id keystone role-create --name=admin) echo "keystone role-create --name=KeystoneAdmin" KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin) echo "keystone role-create --name=KeystoneServiceAdmin" KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin) # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used # TODO(sleepsonthefloor): show how this can be used for rbac in the future! echo "keystone role-create --name=anotherrole" ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole) # Add Roles to Users in Tenants echo "keystone user-role-add \\ --user-id $ADMIN_USER \\ --role-id $ADMIN_ROLE \\ --tenant-id $ADMIN_TENANT" keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE --tenant-id $ADMIN_TENANT echo "keystone user-role-add \\ --user-id $ADMIN_USER \\ --role-id $ADMIN_ROLE \\ --tenant-id $DEMO_TENANT" keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE --tenant-id $DEMO_TENANT echo "keystone user-role-add \\ --user-id $DEMO_USER \\ --role-id $ANOTHER_ROLE \\ --tenant-id $DEMO_TENANT" keystone user-role-add --user-id $DEMO_USER --role-id $ANOTHER_ROLE --tenant-id $DEMO_TENANT # TODO(termie): these two might be dubious echo "keystone user-role-add \\ --user-id $ADMIN_USER \\ --role-id $KEYSTONEADMIN_ROLE \\ --tenant-id $ADMIN_TENANT" keystone user-role-add --user-id $ADMIN_USER --role-id $KEYSTONEADMIN_ROLE --tenant-id $ADMIN_TENANT echo "keystone user-role-add \\ --user-id $ADMIN_USER \\ --role-id $KEYSTONESERVICE_ROLE \\ --tenant-id $ADMIN_TENANT" keystone user-role-add --user-id $ADMIN_USER --role-id $KEYSTONESERVICE_ROLE --tenant-id $ADMIN_TENANT # The Member role is used by Horizon and Swift so we need to keep it: echo "keystone role-create --name=Member" MEMBER_ROLE=$(get_id keystone role-create --name=Member) echo "keystone user-role-add \\ --user-id $DEMO_USER \\ --role-id $MEMBER_ROLE \\ --tenant-id $DEMO_TENANT" keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $DEMO_TENANT #echo "keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $INVIS_TENANT" #keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $INVIS_TENANT # Configure service users/roles ### nova echo "keystone user-create --name=nova --pass=nova --tenant-id=$SERVICE_TENANT --email=nova@example.com" NOVA_USER=$(get_id keystone user-create --name=nova \ --pass=nova \ --tenant-id=$SERVICE_TENANT \ --email=nova@example.com) echo "keystone user-role-add \\ --tenant-id $SERVICE_TENANT \\ --user-id $NOVA_USER \\ --role-id $ADMIN_ROLE" keystone user-role-add --tenant-id $SERVICE_TENANT \ --user-id $NOVA_USER \ --role-id $ADMIN_ROLE ### glance echo "keystone user-create \\ --name=glance \\ --pass=glance \\ --tenant-id=$SERVICE_TENANT \\ --email=glance@example.com" GLANCE_USER=$(get_id keystone user-create --name=glance \ --pass=glance \ --tenant-id=$SERVICE_TENANT \ --email=glance@example.com) echo "keystone user-role-add \\ --tenant-id $SERVICE_TENANT \\ --user-id $GLANCE_USER \\ --role-id $ADMIN_ROLE" keystone user-role-add --tenant-id $SERVICE_TENANT \ --user-id $GLANCE_USER \ --role-id $ADMIN_ROLE #-------------------------------------# ### swift if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then SWIFT_USER=$(get_id keystone user-create --name=swift \ --pass="$SERVICE_PASSWORD" \ --tenant-id $SERVICE_TENANT \ --email=swift@example.com) keystone user-role-add --tenant-id $SERVICE_TENANT \ --user-id $SWIFT_USER \ --role-id $ADMIN_ROLE # Nova needs ResellerAdmin role to download images when accessing # swift through the s3 api. The admin role in swift allows a user # to act as an admin for their tenant, but ResellerAdmin is needed # for a user to act as any tenant. The name of this role is also # configurable in swift-proxy.conf RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin) keystone user-role-add --tenant-id $SERVICE_TENANT \ --user-id $NOVA_USER \ --role-id $RESELLER_ROLE fi ### quantum #if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then QUANTUM_USER=$(get_id keystone user-create --name=quantum \ --pass=quantum \ --tenant-id $SERVICE_TENANT \ --email=quantum@example.com) keystone user-role-add --tenant-id $SERVICE_TENANT \ --user-id $QUANTUM_USER \ --role-id $ADMIN_ROLE #fi ### tempest if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then # Tempest has some tests that validate various authorization checks # between two regular users in separate tenants ALT_DEMO_TENANT=$(get_id keystone tenant-create --name=alt_demo) ALT_DEMO_USER=$(get_id keystone user-create --name=alt_demo \ --pass="$ADMIN_PASSWORD" \ --email=alt_demo@example.com) keystone user-role-add --user-id $ALT_DEMO_USER --role-id $MEMBER_ROLE --tenant-id $ALT_DEMO_TENANT fi
動作確認
# export SERVICE_TOKEN=ADMIN # export SERVICE_ENDPOINT=http://192.168.0.110:35357/v2.0
# keystone tenant-list +----------------------------------+---------+---------+ | id | name | enabled | +----------------------------------+---------+---------+ | be62de978cb1449bb7f2b07b6d843da1 | admin | True | | fd35d9bcbfe24472b64de647c1cfa7ae | demo | True | | 5fb7e8b70c5b4ec5a85ac6c805b372d7 | service | True | +----------------------------------+---------+---------+
# keystone user-list +----------------------------------+---------+---------+---------------------+ | id | name | enabled | email | +----------------------------------+---------+---------+---------------------+ | 786eddecf5734aa599274efae47bb165 | admin | True | admin@example.com | | 6aa7c5e45093470ab6b7c34b7398e6d6 | demo | True | demo@example.com | | 3362dfd307c14f3d8650c8aca5799723 | glance | True | glance@example.com | | 8ff413df4d2e4aeabc962f5fd219c28d | nova | True | nova@example.com | | 24d5d26e796046a1bbefbbcdf5beb6a9 | quantum | True | quantum@example.com | +----------------------------------+---------+---------+---------------------+
# keystone endpoint-list +----------------------------------+-----------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------+ | id | region | publicurl | internalurl | adminurl | service_id | +----------------------------------+-----------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------+ | 17f8987f033b4cb680fe303a5236e40b | RegionOne | http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s | http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s | http://192.168.0.110:$(compute_port)s/vl.1/$(tenant_id)s | 2e5b5b625d7a4a3f978545368549d569 | | 2b602001fb5d4679961169e082706b2f | RegionOne | http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s | http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s | http://192.168.0.110:8888/v1 | 420ef6c5bfab4ffb99b4f3c220a6614e | | 620cf107eab243dab4e12aa31ce7e50b | RegionOne | http://192.168.0.110:8776/v1/$(tenant_id)s | http://192.168.0.110:8776/v1/$(tenant_id)s | http://192.168.0.110:8776/v1/$(tenant_id)s | 643347a0762a43fd8cffd86ac95d3b96 | | 96c908693ffc4b8a917e3b3305712306 | RegionOne | http://192.168.0.110:9292/v1 | http://192.168.0.110:9292/v1 | http://192.168.0.110:9292/v1 | a3765d34ffec436ab66a25d2b68889eb | | ae31ab318bbc458bb8da9efd58b2fe19 | RegionOne | http://192.168.0.110:$(public_port)s/v2.0 | http://192.168.0.110:$(public_port)s/v2.0 | http://192.168.0.110:$(admin_port)s/v2.0 | e54114caf2b1404e965884ae6058ec3a | | e8ad726861f74259815fcea16408dcf4 | RegionOne | http://192.168.0.110:8773/services/Cloud | http://192.168.0.110:8773/services/Cloud | http://192.168.0.110:8773/services/Admin | 766cc898f98d456dbb00793ca3dd211d | +----------------------------------+-----------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------+ #
次は、glanceです。そのうち投稿。
pdshコマンドで複数サーバに対してコマンド並列実行
pdshコマンドを使うと複数のサーバに対して、同じコマンドを並列で実行可能です。 分散システムの構築などで、複数のサーバを操作する際に非常に便利。
並列ってところが最高ですね。
事前準備
- 環境変数 PDSH_RCMD_TYPE でサーバへ接続する際に使用するコマンドを指定
- 環境変数 PDSH_SSH_ARGS で ssh コマンドのオプションを指定
- .bashrc などで、上記の環境変数をexportしておく
- ssh公開鍵認証で、対象サーバに、パスワードなしでsshログインできるように準備しておく
export PDSH_RCMD_TYPE='ssh' export PDSH_SSH_ARGS='-oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no -oLogLevel=ERROR -l%u %h'
複数のサーバに対して、コマンドを並列実行
- -wオプションでサーバ一覧を指定(正規表現が使える)
# pdsh -w 10.0.0.[3-5,7] 'service --status-all 2>/dev/null' 10.0.0.5: [ - ] bootlogd 10.0.0.7: [ - ] bootlogd 10.0.0.4: [ - ] bootlogd 10.0.0.3: [ - ] bootlogd 10.0.0.5: [ - ] grub-common 10.0.0.7: [ - ] grub-common 10.0.0.4: [ - ] grub-common 10.0.0.3: [ - ] grub-common 10.0.0.5: [ + ] ssh 10.0.0.7: [ + ] ssh 10.0.0.4: [ + ] ssh 10.0.0.3: [ + ] ssh 10.0.0.5: [ - ] stop-bootlogd 10.0.0.7: [ - ] stop-bootlogd 10.0.0.4: [ - ] stop-bootlogd 10.0.0.3: [ - ] stop-bootlogd 10.0.0.5: [ - ] stop-bootlogd-single 10.0.0.7: [ - ] stop-bootlogd-single 10.0.0.4: [ - ] stop-bootlogd-single 10.0.0.3: [ - ] stop-bootlogd-single 10.0.0.5: [ - ] urandom 10.0.0.4: [ - ] urandom 10.0.0.7: [ - ] urandom 10.0.0.3: [ - ] urandom
dshbakで整形
pdshの出力をパイプしてdshbakコマンドに流し込むと次のように、サーバごとに整形してくれます。
# pdsh -w 10.0.0.[3-5,7] 'service --status-all 2>/dev/null' | dshbak ---------------- 10.0.0.3 ---------------- [ - ] bootlogd [ - ] grub-common [ + ] ssh [ - ] stop-bootlogd [ - ] stop-bootlogd-single [ - ] urandom ---------------- 10.0.0.4 ---------------- [ - ] bootlogd [ - ] grub-common [ + ] ssh [ - ] stop-bootlogd [ - ] stop-bootlogd-single [ - ] urandom ---------------- 10.0.0.5 ---------------- [ - ] bootlogd [ - ] grub-common [ + ] ssh [ - ] stop-bootlogd [ - ] stop-bootlogd-single [ - ] urandom ---------------- 10.0.0.7 ---------------- [ - ] bootlogd [ - ] grub-common [ + ] ssh [ - ] stop-bootlogd [ - ] stop-bootlogd-single [ - ] urandom
bashrcとvimrc
いつも忘れて調べるので、自分用メモ・・・
bashrc
export PS_FORMAT="pid,tty,user,stat,time,args" export PS1="\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\W\[\033[00m\] [\t]\$ " #SOCKDIR=`/bin/ls -ld /tmp/ssh-* | grep $USER | awk '{ print $9 }'` #SSH_AUTH_SOCK=`/bin/ls ${SOCKDIR}/agent*` #SSH_AGENT_PID=`/bin/ps x -U $USER -u $USER | grep ssh-agent | grep -v "grep" | awk '{ print $1 }'` #export SSH_AUTH_SOCK; #export SSH_AGENT_PID; ulimit -S -c unlimited
vimrc
colorschem evening set number set tabstop=4 set shiftwidth=4 set softtabstop=4 set expandtab set laststatus=2 set statusline=%<%f\ %m%r%h%w%{'['.(&fenc!=''?&fenc:&enc).']['.&ff.']'}%=%l,%c%V%8P set fileencodings=utf-8,iso-2022-jp,euc-jp set backupdir=~/tmp/vimbackup set tags+=tags; set tags+=./**/tags set fo=oql ":e ++enc=iso-2022-jp ""set fo-=ro "set formatoptions=cql ""set autoindent " """ binary mode augroup Binary au! au BufReadPre *.bin let &bin=1 au BufReadPost *.bin if &bin | %!xxd au BufReadPost *.bin set ft=xxd | endif au BufWritePre *.bin if &bin | %!xxd -r au BufWritePre *.bin endif au BufWritePost *.bin if &bin | %!xxd au BufWritePost *.bin set nomod | endif augroup END