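Preface
This is a failed, unfinished experiment. The goal was to give each Domain or Tenant its own Region, and thereby make horizontal scaling of OpenStack possible.
The conclusion is that this cannot be done with the current OpenStack. It can be achieved through a mapping between Domain and Region, but I won't go into that here.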
Before Installation, Upgrade Your System First.
# apt-get install ubuntu-cloud-keyring
# echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu" \
"trusty-updates/kilo main" > /etc/apt/sources.list.d/cloudarchive-kilo.list
Install mysql-server-5.6
apt-get install mysql-server-5.6
Set up MySQL. We set the keystone user's password to root.
mysql -u root -pshark
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'root';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'root';
Edit /etc/mysql/my.cnf
[mysqld]
...
bind-address = 0.0.0.0
Prevent keystone from starting automatically
echo "manual" > /etc/init/keystone.override
Install the packages
apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
apt-get install python-mysqldb
vim /etc/keystone/keystone.conf
[DEFAULT]
...
## Replace iamadmin with a random token that you generated earlier
admin_token = iamadmin
verbose = True
[database]
...
## The password must match the one set for the keystone DB user in the GRANT statements above
connection = mysql://keystone:root@controller/keystone
[memcache]
...
servers = localhost:11211
[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
Sync the database
keystone-manage db_sync
Edit /etc/apache2/apache2.conf
ServerName controller
Edit /etc/apache2/sites-enabled/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
And then
mkdir -p /var/www/cgi-bin/keystone
curl "http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo" | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
chown -R keystone:keystone /var/www/cgi-bin/keystone
chmod 755 /var/www/cgi-bin/keystone/*
service apache2 restart
Start To Operate Keystone
export OS_TOKEN=iamadmin
export OS_URL=http://controller:35357/v2.0
openstack service create --name keystone --description "OpenStack Identity" identity
openstack service list
Set Up the Region Endpoint
openstack endpoint create \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region RegionOne \
  identity
openstack endpoint list
Set Up a Second Region with Another Endpoint
openstack endpoint create \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region RegionTwo \
  identity
openstack endpoint list
To use the keystone command line instead, set
export OS_TOKEN=iamadmin
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Now you can use the keystone command line
keystone endpoint-list
keystone tenant-create --name service1 --description "Service Tenant"
keystone service-create --name service1 --type service1
keystone endpoint-create --region RegionTwo --service-id 8f1ce2e503ba4fbcb095e8469200b8e4 --publicurl http://haha/v2 --adminurl http://lala/v2 --internalurl http://sasa/v2
curl -d @token-request.json -H "Content-type: application/json" http://localhost:5000/v3/auth/tokens | python -m json.tool
token-request.json:
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "newuser",
                    "password": "newuser"
                }
            }
        }
    }
}
Every token request returns all Region information and all endpoint information. Try it to see for yourself. We cannot bind a user to a region.
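As an added illustration (not code from the original post), the script below groups the catalog of a v3 token response by region, showing that a region name is only a selector the client applies to a catalog it already holds in full. The sample body is constructed, assumes a project-scoped token (an unscoped token carries no catalog), and reuses the endpoint URLs created above; the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample: the shape of a Keystone v3 POST /v3/auth/tokens response
# body, trimmed to the catalog. IDs are omitted; URLs reuse the endpoints
# created earlier on this page.
SAMPLE_TOKEN_BODY = json.loads("""
{"token": {"user": {"name": "newuser", "domain": {"name": "Default"}},
  "catalog": [
   {"type": "identity", "name": "keystone", "endpoints": [
     {"interface": "public", "region": "RegionOne", "url": "http://controller:5000/v2.0"},
     {"interface": "admin",  "region": "RegionOne", "url": "http://controller:35357/v2.0"},
     {"interface": "public", "region": "RegionTwo", "url": "http://controller:5000/v2.0"},
     {"interface": "admin",  "region": "RegionTwo", "url": "http://controller:35357/v2.0"}]},
   {"type": "service1", "name": "service1", "endpoints": [
     {"interface": "public", "region": "RegionTwo", "url": "http://haha/v2"},
     {"interface": "admin",  "region": "RegionTwo", "url": "http://lala/v2"}]}
  ]}}
""")


def endpoints_by_region(token_body):
    """Group every endpoint in the token's catalog by region name."""
    regions = defaultdict(list)
    for service in token_body["token"].get("catalog", []):
        for ep in service.get("endpoints", []):
            regions[ep.get("region")].append(
                (service["type"], ep["interface"], ep["url"]))
    return dict(regions)


def pick_endpoint(token_body, service_type, interface, region):
    """What a client does with a region name: select from the full catalog.
    Purely client-side; nothing in the token limits the user to that region."""
    for stype, iface, url in endpoints_by_region(token_body).get(region, []):
        if (stype, iface) == (service_type, interface):
            return url
    return None


if __name__ == "__main__":
    for region, eps in sorted(endpoints_by_region(SAMPLE_TOKEN_BODY).items()):
        print(region)
        for stype, iface, url in eps:
            print("  %-9s %-7s %s" % (stype, iface, url))
```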
By default, the v2.0 API is accessed on port 35357, while v3 uses port 5000.
Assigning an endpoint to a tenant through OS-Catalog
curl -d @add_endpoint.json -X POST -H 'X-Auth-Token:iamadmin' http://localhost:35357/v2.0/tenants//OS-KSCAT-/258b879e4df748caa1bac3416d38a819|python -m json.tool
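Problems encountered
It looks like the OS-CAT-ALOG extension is no longer included in keystone, so assigning an endpoint to a tenant cannot be done. At present, assigning a Region to a Domain cannot be achieved with the existing Keystone.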