読者です 読者をやめる 読者になる 読者になる

ハマった時は # init 0

試したことを書き綴ってます

openstack havana on ubuntu 13.10 (keystone)

openstack linux

openstackとりまとめページ http://init0.hatenablog.com/entry/2013/10/05/232939

ubuntu13.10 betaに更新したら、いつものごとくopenstackが動かなくなったので、再インストール。 まずは、keystoneから。

事前に、mysqlは次の設定をしてあります。

  • openstack の共通ユーザ stack を作成済み
    • パスワードは、stack
  • keystone 用のデータベース keystone を作成済み
  • ユーザ stack には、keystoneデータベースを操作する全権限を付与
keystone インストール
aptitude install keystone python-keystone keystone-doc
aptitude install python-mysqldb
keystoneの設定ファイル修正

設定変更のポイントは、

  • tokenは'ADMIN'
  • データベースは、sqliteからmysqlに変更
    • ユーザ名とパスワードは、共に、'stack'
    • データベース名は、'keystone'
  • keystoneは、192.168.0.110で動作
    • public_endpoint と admin_endpointを、localhostから192.168.0.110に変更

デフォルト設定との差分を記載しておきます。

< admin_token = ADMIN
---
> # admin_token = ADMIN
6c6
< bind_host = 0.0.0.0
---
> # bind_host = 0.0.0.0
9c9
< public_port = 5000
---
> # public_port = 5000
12c12
< admin_port = 35357
---
> # admin_port = 35357
18,19d17
< public_endpoint = http://192.168.0.110:%(public_port)s/
< admin_endpoint = http://192.168.0.110:%(admin_port)s/
51,52c49
< #debug = False
< debug = True
---
> # debug = False
55,56c52
< #verbose = False
< verbose = True
---
> # verbose = False
91,92c87
< #connection = sqlite:////var/lib/keystone/keystone.db
< connection = mysql://stack:stack@192.168.0.110/keystone
---
> connection = sqlite:////var/lib/keystone/keystone.db
keystoneの再起動 (設定反映)
service keystone restart
エンドポイント、ユーザ、テナントなどなど投入

ちまちまコマンドを入力すると大変なので、大昔に拾ってきたnova.shを改造したスクリプトを走らせます。

スクリプトで実行していることのポイントは、

  • keystone,nova,cinder,glance,ec2,swiftのエンドポイント作成
  • 各テナント作成
    • service用のテナント(service)作成
    • adminテナントと、demoテナント作成
  • ユーザ作成
    • adminユーザと、demoユーザ作成
  • ロール作成
  • テナントとユーザ、ロールのひも付け

keystone.sh

#!/bin/bash

mysql -ustack -pstack -e 'DROP DATABASE IF EXISTS keystone;'
mysql -ustack -pstack -e 'CREATE DATABASE keystone CHARACTER SET utf8;'
keystone-manage db_sync

#
# Initial data for Keystone using python-keystoneclient
#
# Tenant               User      Roles
# ------------------------------------------------------------------
# admin                admin     admin
# service              glance    admin
# service              nova      admin, [ResellerAdmin (swift only)]
# service              quantum   admin        # if enabled
# service              swift     admin        # if enabled
# demo                 admin     admin
# demo                 demo      Member, anotherrole

## invisible_to_admin   demo      Member
## Tempest Only:
## alt_demo             alt_demo  Member
#
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory

ADMIN_PASSWORD=admin
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
#export SERVICE_TOKEN=$SERVICE_TOKEN
#export SERVICE_ENDPOINT=$SERVICE_ENDPOINT
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://192.168.0.110:35357/v2.0
SERVICE_TENANT_NAME=service
#ENABLED_SERVICES=quantum

function get_id () {
    echo `$@ | awk '/ id / { print $4 }'`
}

# keystone
keystone service-create --name=keystone --type=identity --description="Identity Service"
service_id=`keystone service-list | grep keystone | awk '{ print $2 }'`
keystone endpoint-create \
    --region RegionOne \
    --publicurl='http://192.168.0.110:$(public_port)s/v2.0' \
    --internalurl='http://192.168.0.110:$(public_port)s/v2.0' \
    --adminurl='http://192.168.0.110:$(admin_port)s/v2.0' \
    --service-id="${service_id}"

# nova
keystone service-create --name=nova --type=compute --description="Compute Service"
service_id=`keystone service-list | grep nova | awk '{ print $2 }'`
keystone endpoint-create \
    --region RegionOne \
    --publicurl='http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s' \
    --internalurl='http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s' \
    --adminurl='http://192.168.0.110:$(compute_port)s/vl.1/$(tenant_id)s' \
    --service-id="${service_id}"


# cinder 
keystone service-create --name=cinder --type=volume --description="Volume Service"
service_id=`keystone service-list | grep cinder | awk '{ print $2 }'`
keystone endpoint-create \
    --region RegionOne \
    --publicurl='http://192.168.0.110:8776/v1/$(tenant_id)s' \
    --internalurl='http://192.168.0.110:8776/v1/$(tenant_id)s' \
    --adminurl='http://192.168.0.110:8776/v1/$(tenant_id)s' \
    --service-id="${service_id}"

# glance 
keystone service-create --name=glance --type=image --description="Image Service"
service_id=`keystone service-list | grep glance | awk '{ print $2 }'`
keystone endpoint-create \
    --region RegionOne \
    --publicurl='http://192.168.0.110:9292/v1' \
    --internalurl='http://192.168.0.110:9292/v1' \
    --adminurl='http://192.168.0.110:9292/v1' \
    --service-id="${service_id}"

# ec2 
keystone service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Layer"
service_id=`keystone service-list | grep ec2 | awk '{ print $2 }'`
keystone endpoint-create \
    --region RegionOne \
    --publicurl='http://192.168.0.110:8773/services/Cloud' \
    --internalurl='http://192.168.0.110:8773/services/Cloud' \
    --adminurl='http://192.168.0.110:8773/services/Admin' \
    --service-id="${service_id}"

# swift
keystone service-create --name=swift --type=object-store --description="Object Storage Service"
service_id=`keystone service-list | grep swift | awk '{ print $2 }'`
keystone endpoint-create \
    --region RegionOne \
    --publicurl 'http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s' \
    --internalurl 'http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s' \
    --adminurl 'http://192.168.0.110:8888/v1' \
    --service-id="${service_id}"

### Tenants
echo "keystone tenant-create --name=admin"
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
echo "keystone tenant-create --name=$SERVICE_TENANT_NAME"
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
echo "keystone tenant-create --name=demo"
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)


### Users

echo "keystone user-create --name=admin \\
                     --pass=admin \\
                     --email=admin@example.com"
ADMIN_USER=$(get_id keystone user-create --name=admin \
                                         --pass=admin \
                                         --email=admin@example.com)
echo "keystone user-create --name=demo --pass=demo --email=demo@example.com"
DEMO_USER=$(get_id keystone user-create --name=demo \
                                        --pass=demo \
                                        --email=demo@example.com)



### Roles
echo "keystone role-create --name=admin"
ADMIN_ROLE=$(get_id keystone role-create --name=admin)

echo "keystone role-create --name=KeystoneAdmin"
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)

echo "keystone role-create --name=KeystoneServiceAdmin"
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)

# ANOTHER_ROLE demonstrates that an arbitrary role may be created and used
# TODO(sleepsonthefloor): show how this can be used for rbac in the future!
echo "keystone role-create --name=anotherrole"
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)



# Add Roles to Users in Tenants
echo "keystone user-role-add \\
        --user-id $ADMIN_USER \\
        --role-id $ADMIN_ROLE \\
        --tenant-id $ADMIN_TENANT"
keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE --tenant-id $ADMIN_TENANT
echo "keystone user-role-add \\
        --user-id $ADMIN_USER \\
        --role-id $ADMIN_ROLE \\
        --tenant-id $DEMO_TENANT"
keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE --tenant-id $DEMO_TENANT
echo "keystone user-role-add \\
        --user-id $DEMO_USER \\
        --role-id $ANOTHER_ROLE \\
        --tenant-id $DEMO_TENANT"
keystone user-role-add --user-id $DEMO_USER --role-id $ANOTHER_ROLE --tenant-id $DEMO_TENANT

# TODO(termie): these two might be dubious
echo "keystone user-role-add \\
        --user-id $ADMIN_USER \\
        --role-id $KEYSTONEADMIN_ROLE \\
        --tenant-id $ADMIN_TENANT"
keystone user-role-add --user-id $ADMIN_USER --role-id $KEYSTONEADMIN_ROLE --tenant-id $ADMIN_TENANT
echo "keystone user-role-add \\
        --user-id $ADMIN_USER \\
        --role-id $KEYSTONESERVICE_ROLE \\
        --tenant-id $ADMIN_TENANT"
keystone user-role-add --user-id $ADMIN_USER --role-id $KEYSTONESERVICE_ROLE --tenant-id $ADMIN_TENANT


# The Member role is used by Horizon and Swift so we need to keep it:
echo "keystone role-create --name=Member"
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
echo "keystone user-role-add \\
        --user-id $DEMO_USER \\
        --role-id $MEMBER_ROLE \\
        --tenant-id $DEMO_TENANT"
keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $DEMO_TENANT
#echo "keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $INVIS_TENANT"
#keystone user-role-add --user-id $DEMO_USER --role-id $MEMBER_ROLE --tenant-id $INVIS_TENANT


# Configure service users/roles
### nova

echo "keystone user-create --name=nova --pass=nova --tenant-id=$SERVICE_TENANT --email=nova@example.com"
NOVA_USER=$(get_id keystone user-create --name=nova \
                                        --pass=nova \
                                        --tenant-id=$SERVICE_TENANT \
                                        --email=nova@example.com)
echo "keystone user-role-add \\
        --tenant-id $SERVICE_TENANT \\
        --user-id $NOVA_USER \\
        --role-id $ADMIN_ROLE"
keystone user-role-add --tenant-id $SERVICE_TENANT \
                       --user-id $NOVA_USER \
                       --role-id $ADMIN_ROLE
### glance
echo "keystone user-create \\
        --name=glance \\
        --pass=glance \\
        --tenant-id=$SERVICE_TENANT \\
        --email=glance@example.com"
GLANCE_USER=$(get_id keystone user-create --name=glance \
                                          --pass=glance \
                                          --tenant-id=$SERVICE_TENANT \
                                          --email=glance@example.com)
echo "keystone user-role-add \\
        --tenant-id $SERVICE_TENANT \\
        --user-id $GLANCE_USER \\
        --role-id $ADMIN_ROLE"
keystone user-role-add --tenant-id $SERVICE_TENANT \
                       --user-id $GLANCE_USER \
                       --role-id $ADMIN_ROLE


#-------------------------------------#
### swift
if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then
    SWIFT_USER=$(get_id keystone user-create --name=swift \
                                             --pass="$SERVICE_PASSWORD" \
                                             --tenant-id $SERVICE_TENANT \
                                             --email=swift@example.com)
    keystone user-role-add --tenant-id $SERVICE_TENANT \
                           --user-id $SWIFT_USER \
                           --role-id $ADMIN_ROLE
    # Nova needs ResellerAdmin role to download images when accessing
    # swift through the s3 api. The admin role in swift allows a user
    # to act as an admin for their tenant, but ResellerAdmin is needed
    # for a user to act as any tenant. The name of this role is also
    # configurable in swift-proxy.conf
    RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
    keystone user-role-add --tenant-id $SERVICE_TENANT \
                           --user-id $NOVA_USER \
                           --role-id $RESELLER_ROLE
fi
### quantum
#if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
    QUANTUM_USER=$(get_id keystone user-create --name=quantum \
                                               --pass=quantum \
                                               --tenant-id $SERVICE_TENANT \
                                               --email=quantum@example.com)
    keystone user-role-add --tenant-id $SERVICE_TENANT \
                           --user-id $QUANTUM_USER \
                           --role-id $ADMIN_ROLE
#fi

### tempest
if [[ "$ENABLED_SERVICES" =~ "tempest" ]]; then
    # Tempest has some tests that validate various authorization checks
    # between two regular users in separate tenants
    ALT_DEMO_TENANT=$(get_id keystone tenant-create --name=alt_demo)
    ALT_DEMO_USER=$(get_id keystone user-create --name=alt_demo \
                                        --pass="$ADMIN_PASSWORD" \
                                        --email=alt_demo@example.com)
    keystone user-role-add --user-id $ALT_DEMO_USER --role-id $MEMBER_ROLE --tenant-id $ALT_DEMO_TENANT
fi

動作確認
# export SERVICE_TOKEN=ADMIN
# export SERVICE_ENDPOINT=http://192.168.0.110:35357/v2.0
# keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| be62de978cb1449bb7f2b07b6d843da1 |  admin  |   True  |
| fd35d9bcbfe24472b64de647c1cfa7ae |   demo  |   True  |
| 5fb7e8b70c5b4ec5a85ac6c805b372d7 | service |   True  |
+----------------------------------+---------+---------+
# keystone user-list
+----------------------------------+---------+---------+---------------------+
|                id                |   name  | enabled |        email        |
+----------------------------------+---------+---------+---------------------+
| 786eddecf5734aa599274efae47bb165 |  admin  |   True  |  admin@example.com  |
| 6aa7c5e45093470ab6b7c34b7398e6d6 |   demo  |   True  |   demo@example.com  |
| 3362dfd307c14f3d8650c8aca5799723 |  glance |   True  |  glance@example.com |
| 8ff413df4d2e4aeabc962f5fd219c28d |   nova  |   True  |   nova@example.com  |
| 24d5d26e796046a1bbefbbcdf5beb6a9 | quantum |   True  | quantum@example.com |
+----------------------------------+---------+---------+---------------------+
# keystone endpoint-list
+----------------------------------+-----------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------+
|                id                |   region  |                        publicurl                         |                       internalurl                        |                         adminurl                         |            service_id            |
+----------------------------------+-----------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------+
| 17f8987f033b4cb680fe303a5236e40b | RegionOne | http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s | http://192.168.0.110:$(compute_port)s/v1.1/$(tenant_id)s | http://192.168.0.110:$(compute_port)s/vl.1/$(tenant_id)s | 2e5b5b625d7a4a3f978545368549d569 |
| 2b602001fb5d4679961169e082706b2f | RegionOne |     http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s      |     http://192.168.0.110:8888/v1/AUTH_%(tenant_id)s      |               http://192.168.0.110:8888/v1               | 420ef6c5bfab4ffb99b4f3c220a6614e |
| 620cf107eab243dab4e12aa31ce7e50b | RegionOne |        http://192.168.0.110:8776/v1/$(tenant_id)s        |        http://192.168.0.110:8776/v1/$(tenant_id)s        |        http://192.168.0.110:8776/v1/$(tenant_id)s        | 643347a0762a43fd8cffd86ac95d3b96 |
| 96c908693ffc4b8a917e3b3305712306 | RegionOne |               http://192.168.0.110:9292/v1               |               http://192.168.0.110:9292/v1               |               http://192.168.0.110:9292/v1               | a3765d34ffec436ab66a25d2b68889eb |
| ae31ab318bbc458bb8da9efd58b2fe19 | RegionOne |        http://192.168.0.110:$(public_port)s/v2.0         |        http://192.168.0.110:$(public_port)s/v2.0         |         http://192.168.0.110:$(admin_port)s/v2.0         | e54114caf2b1404e965884ae6058ec3a |
| e8ad726861f74259815fcea16408dcf4 | RegionOne |         http://192.168.0.110:8773/services/Cloud         |         http://192.168.0.110:8773/services/Cloud         |         http://192.168.0.110:8773/services/Admin         | 766cc898f98d456dbb00793ca3dd211d |
+----------------------------------+-----------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------------------------------+----------------------------------+
#

次は、glanceです。そのうち投稿。