1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. (c) ruan.he@orange.com & thomas.duval@orange.com
Introduction
============
The Moon platform is composed of 3 components :
* keystone-moon
* keystonemiddleware-moon
* python-moonclient
keystone-moon
=============
This component replaces the Keystone component of the OpenStack platform.
All basic functions of the original component were maintained but we add some new functions (specially authorization functions)
keystonemiddleware-moon
=======================
This component replaces the KeystoneMiddleware component of the OpenStack platform.
The main function added was to intercept all actions from Nova and Swift in order to retrieve an authorization token
from the Keystone-moon component.
python-moonclient
=================
The MoonClient is an interactive script to drive the Keystone-Moon component through the network.
=================
Packages creation
=================
Packages can be found on https://github.com/dthom/moon-bin
keystone-moon package
=====================
The Keystone-Moon can be package into 2 forms.
The first form is in traditional Python package :
.. code-block:: bash
cd moon_repo/keystone-moon
python setup.py sdist
ls dist
We develop a script to build a Debian package, this script is located in `moon_repo/debian/keystone-moon`
.. code-block:: bash
cd moon_repo/debian/keystone-moon
python create_deb.py
keystonemiddleware-moon package
===============================
The KeystoneMiddleware-Moon can be package into 2 forms.
The first form is in traditional Python package :
.. code-block:: bash
cd moon_repo/keystonemiddleware-moon
python setup.py sdist
ls dist
We develop a script to build a Debian package, this script is located in `moon_repo/debian/keystonemiddleware-moon`
.. code-block:: bash
cd moon_repo/debian/keystonemiddleware-moon
python create_deb.py
python-moonclient package
=========================
There is only one type of package for the Moon client:
.. code-block:: bash
cd moon_repo/moonclient
python setup.py sdist
ls dist
============
Installation
============
This installation procedure only describe the installation of a standalone Moon platform.
Pre-requisite
=============
To install the Moon platform, you will need a working Linux server box.
The platform is tested on an up-to-date Ubuntu 16.04 box.
You can build your own packages or you can download stable ones on https://github.com/dthom/moon-bin
Installation
============
First of all, you must install dependencies for the Keystone-moon package, then you can download pre-built packages or
create them by yourself. Endly, you can install Keystone-Moon and MoonClient packages:
.. code-block:: bash
cd /tmp
wget https://github.com/dthom/moon-bin/archive/master.zip
unzip master.zip
PKGS = $(python3 /tmp/moon-bin-master/tools/get_deb_depends.py /tmp/moon-bin-master/*.deb)
sudo apt-get install $PKGS
sudo dpkg -i /tmp/moon-bin-master/keystone_latest-moon_all.deb
sudo pip install --upgrade /tmp/moon-bin-master/python-moonclient-latest.tar.gz
At this point, the Nova and Swift components must be installed on the same box or on an other box.
See http://docs.openstack.org/ for more explanation.
Nova and Swift components automatically installed the python-keystonemiddleware package.
We have to replace it with the dedicated Moon one:
.. code-block:: bash
cd /tmp
sudo dpkg -i /tmp/moon-bin-master/python3-keystonemiddleware_latest-moon_all.deb
sudo dpkg -i /tmp/moon-bin-master/python-keystonemiddleware_latest-moon_all.deb
Note: if you installed Nova and Swift in 2 different nodes, you must install python-keystonemiddleware
in those 2 nodes.
Configuration
=============
For Keystone, the following files must be configured, some modifications may be needed, specially passwords:
/etc/keystone/keystone-paste.ini
.. code-block:: bash
sudo cp /etc/keystone/keystone-paste.ini /etc/keystone/keystone-paste.ini.bak
sudo sed "3i[pipeline:moon_pipeline]\npipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension moon_service\n\n[app:moon_service]\nuse = egg:keystone#moon_service\n" /etc/keystone/keystone-paste.ini > /tmp/keystone-paste.ini
sudo cp /tmp/keystone-paste.ini /etc/keystone/keystone-paste.ini
sudo sed "s/use = egg:Paste#urlmap/use = egg:Paste#urlmap\n\/moon = moon_pipeline/" /etc/keystone/keystone-paste.ini > /tmp/keystone-paste.ini
sudo cp /tmp/keystone-paste.ini /etc/keystone/keystone-paste.ini
/etc/keystone/keystone.conf
.. code-block:: bash
cat << EOF | sudo tee -a /etc/keystone/keystone.conf
[moon]
# Configuration backend driver
configuration_driver = keystone.contrib.moon.backends.memory.ConfigurationConnector
# Tenant backend driver
tenant_driver = keystone.contrib.moon.backends.sql.TenantConnector
# Authorisation backend driver
authz_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector
# IntraExtension backend driver
intraextension_driver = keystone.contrib.moon.backends.sql.IntraExtensionConnector
# InterExtension backend driver
interextension_driver = keystone.contrib.moon.backends.sql.InterExtensionConnector
# Logs backend driver
log_driver = keystone.contrib.moon.backends.flat.LogConnector
# Local directory where all policies are stored
policy_directory = /etc/keystone/policies
# Local directory where Root IntraExtension configuration is stored
root_policy_directory = policy_root
# URL of the Moon master
master = 'http://localhost:35357/'
# Login of the Moon master
master_login = 'admin'
# Password of the Moon master
master_password = 'nomoresecrete'
EOF
The logging system must be configured :
.. code-block:: bash
sudo mkdir /var/log/moon/
sudo chown keystone /var/log/moon/
sudo addgroup moonlog
sudo chgrp moonlog /var/log/moon/
sudo touch /var/log/moon/keystonemiddleware.log
sudo touch /var/log/moon/system.log
sudo chgrp moonlog /var/log/moon/keystonemiddleware.log
sudo chgrp moonlog /var/log/moon/system.log
sudo chmod g+rw /var/log/moon
sudo chmod g+rw /var/log/moon/keystonemiddleware.log
sudo chmod g+rw /var/log/moon/system.log
sudo adduser keystone moonlog
sudo adduser swift moonlog
sudo adduser nova moonlog
The Keystone database must be updated:
.. code-block:: bash
sudo /usr/bin/keystone-manage db_sync
sudo /usr/bin/keystone-manage db_sync --extension moon
And, Apache must be restarted:
.. code-block:: bash
sudo systemctl restart apache.service
In order to Nova to be able to communicate with Keystone-Moon, you must update the Nova KeystoneMiddleware configuration file.
To achieve this, a new filter must be added in `/etc/nova/api-paste.ini` and this filter must be added to the composite data.
The filter is:
.. code-block:: bash
[filter:moon]
paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
authz_login=admin
authz_password=password
logfile=/var/log/moon/keystonemiddleware.log
Here is some bash lines to insert this into the Nova configuration file:
.. code-block:: bash
sudo cp /etc/nova/api-paste.ini /etc/nova/api-paste.ini.bak2
sudo sed "/^keystone = / s/keystonecontext/keystonecontext moon/" /etc/nova/api-paste.ini > /tmp/api-paste.ini
sudo cp /tmp/api-paste.ini /etc/nova/api-paste.ini
echo -e "\n[filter:moon]\npaste.filter_factory = keystonemiddleware.moon_agent:filter_factory\nauthz_login=admin\nauthz_password=password\nlogfile=/var/log/moon/keystonemiddleware.log\n" | sudo tee -a /etc/nova/api-paste.ini
Nova can then be restarted:
.. code-block:: bash
for service in nova-compute nova-api nova-cert nova-conductor nova-consoleauth nova-scheduler ; do
sudo service ${service} restart
done
In order to Swift to be able to communicate with Keystone-Moon, you must update the Swift KeystoneMiddleware configuration file.
To achieve this, a new filter must be added in `/etc/swift/proxy-server.conf` and this filter must be added to the composite data.
The filter is (exactly the same as Nova):
.. code-block:: bash
[filter:moon]
paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
authz_login=admin
authz_password=password
logfile=/var/log/moon/keystonemiddleware.log
Here is some bash lines to insert this into the Nova configuration file:
.. code-block:: bash
sudo cp /etc/swift/proxy-server.conf /etc/swift/proxy-server.conf.bak2
sudo sed "/^pipeline = / s/proxy-server/moon proxy-server/" /etc/swift/proxy-server.conf > /tmp/proxy-server.conf
sudo cp /tmp/proxy-server.conf /etc/swift/proxy-server.conf
echo -e "\n[filter:moon]\npaste.filter_factory = keystonemiddleware.moon_agent:filter_factory\nauthz_login=admin\nauthz_password=password\nlogfile=/var/log/moon/keystonemiddleware.log\n" | sudo tee -a /etc/swift/proxy-server.conf
Swift can then be restarted:
.. code-block:: bash
for service in swift-account swift-account-replicator \
swift-container-replicator swift-object swift-object-updater \
swift-account-auditor swift-container swift-container-sync \
swift-object-auditor swift-proxy swift-account-reaper swift-container-auditor \
swift-container-updater swift-object-replicator ; do
sudo service ${service} status
done
Running tests
=============
After a successful installation of the Moon platform, you can execute some tests to see if the platform is
up and running. Be patient, the latest test takes time (5 to 20 minutes).
.. code-block:: bash
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_REGION_NAME=What_ever_you_want
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://localhost:5000/v2.0
# See if Nova is up and running:
nova list
# See if Swift is up and running:
swift stat
# See if Keystone-Moon is up and running
moon intraextension list
# you must see one extension (named root)
moon test --self
Revision: _sha1_
Build date: |today|
|
