Installing a new region in INFN Cloud

Keystone authentication file

export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=<admin password>
export OS_AUTH_URL="https://keystone.ha.infn.it:5000/v2.0/"
export OS_CACERT=/etc/ssl/certs/Keystone_INFN_CA.pem
export OS_REGION_NAME=<region name>

The Keystone_INFN_CA.pem certificate is


Using the national Keystone

Guidelines for creating endpoints

- do not create the services on Keystone; use the ones that are already there

root@havanaregion:~# keystone service-list
+----------------------------------+----------+--------------+--------------------------------+
| id                               | name     | type         | description                    |
+----------------------------------+----------+--------------+--------------------------------+
| 0eaf959bb77f467a86de0af3fd496cbf | cinder   | volume       | Cinder Volume Service          |
| c65c355e8b2f41ba940224cccffcc153 | cinderv2 | volumev2     | Cinder Volume Service v2       |
| ab86a2e85a10433b992b9c521a7b62f9 | glance   | image        | Glance Image Service           |
| a7fc3ee278fc4335af037f9d12d7bda9 | keystone | identity     | OpenStack Identity             |
| 285a0837f7764ec39c010008c20d9fd5 | neutron  | network      | OpenStack Networking Service   |
| b27150005a694c2390735440c062d9eb | nova     | compute      | Nova Compute service           |
| a6e2a12512464bd99c4815cc1fc1b5ae | swift    | object-store | OpenStack Object Store Service |
+----------------------------------+----------+--------------+--------------------------------+

- when you create the service users, append the site name, for example:

root@keystone-infn:~# keystone user-list | grep "\-lngs"
| ad0ad189797245b59c55e48f034d4a40 | cinder-lngs  | True    | cloud@lngs.infn.it   |
| ab5d9b23f674488ba016bb09c8ea90df | glance-lngs  | True    | calcolo@lngs.infn.it |
| f2b917b178e14c87b53d93a9dc850c77 | neutron-lngs | True    | cloud@lngs.infn.it   |
| 0b741ff52266440aa1487dbdeb2981a9 | nova-lngs    | True    | cloud@lngs.infn.it   |

- they must also be added to the service tenant as admin

keystone user-role-add --user=<user> --tenant=service --role=admin

- if you want, you can rely on the dashboard here at LNGS: https://havanactl.lngs.infn.it, or, if you prefer, deploy one yourself

- I think the latest Havana updates accept HTML headers up to 16K. Otherwise, at least for Glance, the patch is described here:
https://review.openstack.org/#/c/77108/3

- when you create the endpoints, remember to set the region, e.g.

keystone --os-region-name=rm2 endpoint-create --service-id=ab86a2e85a10433b992b9c521a7b62f9 --publicurl=http://cloud03.roma2.infn.it:9292 --internalurl=http://cloud03.roma2.infn.it:9292 --adminurl=http://cloud03.roma2.infn.it:9292

- if you want to use Swift, copy the endpoint from another region
- if you want to use Swift as the back end for Glance, set the following in /etc/glance/glance-api.conf:

# Which backend scheme should Glance use by default is not specified
# in a request to add a new image to Glance? Known schemes are determined
# by the known_stores option below.
# Default: 'file'
#default_store = file
default_store = swift

........

# ============ Swift Store Options =============================

# Version of the authentication service to use
# Valid versions are '2' for keystone and '1' for swauth and rackspace
swift_store_auth_version = 2

# Address where the Swift authentication service lives
# Valid schemes are 'http://' and 'https://'
# If no scheme specified,  default to 'https://'
# For swauth, use something like '127.0.0.1:8080/v1.0/'
swift_store_auth_address = https://keystone.ha.infn.it:5000/v2.0/
swift_store_endpoint_type = publicURL
swift_store_auth_insecure = True

# User to authenticate against the Swift authentication service
# If you use Swift authentication service, set it to 'account':'user'
# where 'account' is a Swift storage account and 'user'
# is a user in that account
swift_store_user = service:glance-swift

# Auth key for the user authenticating against the
# Swift authentication service
swift_store_key = <password>

# Container within the account that the account should use
# for storing images in Swift
swift_store_container = glance

# Do we create the container if it does not exist?
swift_store_create_container_on_put = True

# What size, in MB, should Glance start chunking image files
# and do a large object manifest in Swift? By default, this is
# the maximum object size in Swift, which is 5GB
swift_store_large_object_size = 5120

# When doing a large object manifest, what size, in MB, should
# Glance write chunks to Swift? This amount of data is written
# to a temporary disk buffer during the process of chunking
# the image file, and the default is 200MB
swift_store_large_object_chunk_size = 200

# Whether to use ServiceNET to communicate with the Swift storage servers.
# (If you aren't RACKSPACE, leave this False!)
#
# To use ServiceNET for authentication, prefix hostname of
# `swift_store_auth_address` with 'snet-'.
# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
swift_enable_snet = False

# If set to True enables multi-tenant storage mode which causes Glance images
# to be stored in tenant specific Swift accounts.
#swift_store_multi_tenant = False

# A list of swift ACL strings that will be applied as both read and
# write ACLs to the containers created by Glance in multi-tenant
# mode. This grants the specified tenants/users read and write access
# to all newly created image objects. The standard swift ACL string
# formats are allowed, including:
# <tenant_id>:<username>
# <tenant_name>:<username>
# *:<username>
# Multiple ACLs can be combined using a comma separated list, for
# example: swift_store_admin_tenants = service:glance,*:admin
#swift_store_admin_tenants =

# The region of the swift endpoint to be used for single tenant. This setting
# is only necessary if the tenant has multiple swift endpoints.
#swift_store_region =

swift_store_region = <region name>

# If set to False, disables SSL layer compression of https swift requests.
# Setting to 'False' may improve performance for images which are already
# in a compressed format, eg qcow2. If set to True, enables SSL layer
# compression (provided it is supported by the target swift proxy).
#swift_store_ssl_compression = True
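
The excerpt above sets `swift_store_auth_insecure = True`, so Glance sends `swift_store_key` to Keystone without verifying its TLS certificate, even though the page distributes Keystone_INFN_CA.pem for that purpose. The following check is an added example, not part of the original page or of Glance; the function name `audit_swift_store` and the sample configuration are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the Swift store options from the excerpt above, with
# placeholders where the page itself has <password> and <region name>.
SAMPLE_CONF = """\
[DEFAULT]
default_store = swift
swift_store_auth_version = 2
swift_store_auth_address = https://keystone.ha.infn.it:5000/v2.0/
swift_store_endpoint_type = publicURL
swift_store_auth_insecure = True
swift_store_user = service:glance-swift
swift_store_key = PLACEHOLDER-PASSWORD
swift_store_region = PLACEHOLDER-REGION
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def audit_swift_store(conf_text):
    """Return (option, finding) pairs for the Swift store auth settings."""
    # strict=False tolerates repeated options; interpolation=None keeps '%' literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    opts = parser["DEFAULT"]
    findings = []
    if opts.get("default_store", "file").strip() != "swift":
        return findings  # Swift store not selected, nothing to check
    address = opts.get("swift_store_auth_address", "").strip()
    if not address:
        return [("swift_store_auth_address", "not set")]
    # The option's own comment says a missing scheme defaults to https://.
    url = urlparse(address if "://" in address else "https://" + address)
    insecure = opts.get("swift_store_auth_insecure", "false").strip().lower()
    if url.scheme == "http":
        findings.append(("swift_store_auth_address",
                         "swift_store_key is sent to %s in cleartext" % url.hostname))
    elif insecure in TRUE_VALUES:
        findings.append(("swift_store_auth_insecure",
                         "TLS certificate of %s is not verified" % url.hostname))
    return findings


if __name__ == "__main__":
    for option, finding in audit_swift_store(SAMPLE_CONF):
        print("%s: %s" % (option, finding))
```

To audit a deployed node, pass the contents of /etc/glance/glance-api.conf to `audit_swift_store`.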

Setup

cn/ccr/cloud/cloud_multiregione/installazione.txt · Last modified: 2014/11/24 10:24 by fzani@infn.it