.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. (c) ruan.he@orange.com & thomas.duval@orange.com

******************************
OPNFV MOON configuration guide
******************************

.. toctree::
   :numbered:
   :maxdepth: 2

============
Introduction
============

Moon must be configured through the standard Keystone configuration files and the standard KeystoneMiddleware configuration files:

* /etc/keystone/keystone-paste.ini
* /etc/keystone/keystone.conf
* /etc/nova/api-paste.ini
* /etc/swift/proxy-server.conf

There is no other custom configuration file.

=============
Configuration
=============

Keystone
========

For Keystone, the following files must be configured. Some modifications may be needed, especially for the passwords.

/etc/keystone/keystone-paste.ini

.. code-block:: bash

    # Keep a backup of the original file
    sudo cp /etc/keystone/keystone-paste.ini /etc/keystone/keystone-paste.ini.bak
    # Declare the moon pipeline and the moon_service application
    sudo sed "3i[pipeline:moon_pipeline]\npipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension moon_service\n\n[app:moon_service]\nuse = egg:keystone#moon_service\n" /etc/keystone/keystone-paste.ini > /tmp/keystone-paste.ini
    sudo cp /tmp/keystone-paste.ini /etc/keystone/keystone-paste.ini
    # Map the /moon URL to the new pipeline
    sudo sed "s/use = egg:Paste#urlmap/use = egg:Paste#urlmap\n\/moon = moon_pipeline/" /etc/keystone/keystone-paste.ini > /tmp/keystone-paste.ini
    sudo cp /tmp/keystone-paste.ini /etc/keystone/keystone-paste.ini

/etc/keystone/keystone.conf

.. code-block:: bash

    cat << EOF | sudo tee -a /etc/keystone/keystone.conf
    [moon]

    # Configuration backend driver
    configuration_driver = keystone.contrib.moon.backends.memory.ConfigurationConnector

    # Tenant backend driver
    tenant_driver = keystone.contrib.moon.backends.sql.TenantConnector

    # Authorisation backend driver
    authz_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector

    # IntraExtension backend driver
    intraextension_driver = keystone.contrib.moon.backends.sql.IntraExtensionConnector

    # InterExtension backend driver
    interextension_driver = keystone.contrib.moon.backends.sql.InterExtensionConnector

    # Logs backend driver
    log_driver = keystone.contrib.moon.backends.flat.LogConnector

    # Local directory where all policies are stored
    policy_directory = /etc/keystone/policies

    # Local directory where Root IntraExtension configuration is stored
    root_policy_directory = policy_root

    # URL of the Moon master
    master = 'http://localhost:35357/'

    # Login of the Moon master
    master_login = 'admin'

    # Password of the Moon master
    master_password = 'nomoresecrete'
    EOF

The logging system must be configured:

.. code-block:: bash

    sudo mkdir /var/log/moon/
    sudo chown keystone /var/log/moon/

    sudo addgroup moonlog

    sudo chgrp moonlog /var/log/moon/

    sudo touch /var/log/moon/keystonemiddleware.log
    sudo touch /var/log/moon/system.log

    sudo chgrp moonlog /var/log/moon/keystonemiddleware.log
    sudo chgrp moonlog /var/log/moon/system.log
    sudo chmod g+rw /var/log/moon
    sudo chmod g+rw /var/log/moon/keystonemiddleware.log
    sudo chmod g+rw /var/log/moon/system.log

    sudo adduser keystone moonlog
    sudo adduser swift moonlog
    sudo adduser nova moonlog

The Keystone database must be updated:

.. code-block:: bash

    sudo /usr/bin/keystone-manage db_sync
    sudo /usr/bin/keystone-manage db_sync --extension moon

Finally, Apache must be restarted:

.. code-block:: bash

    sudo systemctl restart apache.service

Nova
====

For Nova to be able to communicate with Keystone-Moon, you must update the Nova KeystoneMiddleware configuration file.
To achieve this, a new filter must be added in `/etc/nova/api-paste.ini` and this filter must be added to the composite data.
The filter is:

.. code-block:: ini

    [filter:moon]
    paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
    authz_login=admin
    authz_password=password
    logfile=/var/log/moon/keystonemiddleware.log

Here are some bash lines to insert this into the Nova configuration file:

.. code-block:: bash

    sudo cp /etc/nova/api-paste.ini /etc/nova/api-paste.ini.bak2
    sudo sed "/^keystone = / s/keystonecontext/keystonecontext moon/" /etc/nova/api-paste.ini > /tmp/api-paste.ini
    sudo cp /tmp/api-paste.ini /etc/nova/api-paste.ini

    echo -e "\n[filter:moon]\npaste.filter_factory = keystonemiddleware.moon_agent:filter_factory\nauthz_login=admin\nauthz_password=password\nlogfile=/var/log/moon/keystonemiddleware.log\n" | sudo tee -a /etc/nova/api-paste.ini

Nova can then be restarted:

.. code-block:: bash

    for service in nova-compute nova-api nova-cert nova-conductor nova-consoleauth nova-scheduler ; do
        sudo service "${service}" restart
    done

Swift
=====

For Swift to be able to communicate with Keystone-Moon, you must update the Swift KeystoneMiddleware configuration file.
To achieve this, a new filter must be added in `/etc/swift/proxy-server.conf` and this filter must be added to the composite data.
The filter is (exactly the same as Nova):

.. code-block:: ini

    [filter:moon]
    paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
    authz_login=admin
    authz_password=password
    logfile=/var/log/moon/keystonemiddleware.log

Here are some bash lines to insert this into the Swift configuration file:

.. code-block:: bash

    sudo cp /etc/swift/proxy-server.conf /etc/swift/proxy-server.conf.bak2
    sudo sed "/^pipeline = / s/proxy-server/moon proxy-server/" /etc/swift/proxy-server.conf > /tmp/proxy-server.conf
    sudo cp /tmp/proxy-server.conf /etc/swift/proxy-server.conf

    echo -e "\n[filter:moon]\npaste.filter_factory = keystonemiddleware.moon_agent:filter_factory\nauthz_login=admin\nauthz_password=password\nlogfile=/var/log/moon/keystonemiddleware.log\n" | sudo tee -a /etc/swift/proxy-server.conf

Swift can then be restarted:

.. code-block:: bash

    for service in swift-account swift-account-replicator \
        swift-container-replicator swift-object swift-object-updater \
        swift-account-auditor swift-container swift-container-sync \
        swift-object-auditor swift-proxy swift-account-reaper swift-container-auditor \
        swift-container-updater swift-object-replicator ; do
        sudo service "${service}" restart
    done

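
Running the Nova and Swift insertion commands a second time appends a second `[filter:moon]` section and a second `moon` entry to the pipeline line, and both stage the edited file at a fixed path under `/tmp`. The function below is an added example, not part of the original guide or of the Moon project: it performs the same edit idempotently, using an unpredictable temporary file next to the target and an atomic rename. The name `add_moon_filter` and its argument layout are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: idempotent, atomic insertion of the moon filter.
# add_moon_filter is a hypothetical helper, not part of Moon. From a root shell:
#   add_moon_filter /etc/nova/api-paste.ini '^keystone = ' keystonecontext 'keystonecontext moon'
#   add_moon_filter /etc/swift/proxy-server.conf '^pipeline = ' proxy-server 'moon proxy-server'
#
# Arguments: FILE LINE_REGEX ANCHOR REPLACEMENT (the last three are the
# address, pattern and replacement of the sed commands used in the guide).
add_moon_filter() {
    local file=$1 line_re=$2 anchor=$3 replacement=$4 tmp
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }

    # Unpredictable name in the target's directory: no shared /tmp path,
    # and the final mv is a rename on the same filesystem.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Start from a copy that keeps the mode (and the owner when run as root).
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }

    # Add "moon" to the pipeline line only if it is not already there.
    if ! grep -E "$line_re" "$tmp" | grep -qw moon; then
        sed "/${line_re}/ s/${anchor}/${replacement}/" "$file" > "$tmp"
    fi

    # Append the [filter:moon] section only once.
    if ! grep -q '^\[filter:moon\]' "$tmp"; then
        cat >> "$tmp" <<'EOF'

[filter:moon]
paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
authz_login=admin
authz_password=password
logfile=/var/log/moon/keystonemiddleware.log
EOF
    fi

    # Replace the original in one step.
    mv "$tmp" "$file"
}
```

The credentials written by the function are the sample values from the guide and must be replaced with the ones used in your deployment.
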
Revision: _sha1_
Build date: |today|