Installing a new region in INFN Cloud

Keystone authentication file

export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=<admin password>
export OS_AUTH_URL="https://keystone.ha.infn.it:5000/v2.0/"
export OS_CACERT=/etc/ssl/certs/Keystone_INFN_CA.pem
export OS_REGION_NAME=<region name>

The Keystone_INFN_CA.pem certificate referenced by OS_CACERT is the CA certificate used to verify the TLS connection to Keystone.

Using the national Keystone

Guidelines for creating endpoints

- you must not create the services in Keystone; you must use the ones that are already there:

root@havanaregion:~# keystone service-list
+----------------------------------+----------+--------------+--------------------------------+
|                id                |   name   |     type     |          description           |
+----------------------------------+----------+--------------+--------------------------------+
| 0eaf959bb77f467a86de0af3fd496cbf | cinder   | volume       | Cinder Volume Service          |
| c65c355e8b2f41ba940224cccffcc153 | cinderv2 | volumev2     | Cinder Volume Service v2       |
| ab86a2e85a10433b992b9c521a7b62f9 | glance   | image        | Glance Image Service           |
| a7fc3ee278fc4335af037f9d12d7bda9 | keystone | identity     | OpenStack Identity             |
| 285a0837f7764ec39c010008c20d9fd5 | neutron  | network      | OpenStack Networking Service   |
| b27150005a694c2390735440c062d9eb | nova     | compute      | Nova Compute service           |
| a6e2a12512464bd99c4815cc1fc1b5ae | swift    | object-store | OpenStack Object Store Service |
+----------------------------------+----------+--------------+--------------------------------+

- when you create the service users, append the site name, for example:

root@keystone-infn:~# keystone user-list | grep "\-lngs"
| ad0ad189797245b59c55e48f034d4a40 | cinder-lngs  | True | cloud@lngs.infn.it   |
| ab5d9b23f674488ba016bb09c8ea90df | glance-lngs  | True | calcolo@lngs.infn.it |
| f2b917b178e14c87b53d93a9dc850c77 | neutron-lngs | True | cloud@lngs.infn.it   |
| 0b741ff52266440aa1487dbdeb2981a9 | nova-lngs    | True | cloud@lngs.infn.it   |

- they must also be added to the service tenant as admin:

keystone user-role-add --user=<user> --tenant=service --role=admin

- if you want to rely on the dashboard here at LNGS: https://havanactl.lngs.infn.it, or, if you prefer, instantiate one yourself
- I think the latest Havana updates accept HTML headers up to 16K. Otherwise, at least for Glance, the patch is described here:

https://review.openstack.org/#/c/77108/3

- when you create the endpoints, remember to set the region, e.g.

keystone --os-region-name=rm2 endpoint-create --service-id=ab86a2e85a10433b992b9c521a7b62f9 --publicurl=http://cloud03.roma2.infn.it:9292 --internalurl=http://cloud03.roma2.infn.it:9292 --adminurl=http://cloud03.roma2.infn.it:9292

- if you want to use Swift, copy the endpoint from another region
- if you want to use Swift as the back end for Glance, in /etc/glance/glance-api.conf:

# Which backend scheme should Glance use by default is not specified
# in a request to add a new image to Glance? Known schemes are determined
# by the known_stores option below.
# Default: 'file'
#default_store = file
default_store = swift

........

# ============ Swift Store Options =============================

# Version of the authentication service to use
# Valid versions are '2' for keystone and '1' for swauth and rackspace
swift_store_auth_version = 2

# Address where the Swift authentication service lives
# Valid schemes are 'http://' and 'https://'
# If no scheme specified,  default to 'https://'
# For swauth, use something like '127.0.0.1:8080/v1.0/'
swift_store_auth_address = https://keystone.ha.infn.it:5000/v2.0/
swift_store_endpoint_type = publicURL
# True disables verification of the auth service's TLS certificate
swift_store_auth_insecure = True

# User to authenticate against the Swift authentication service
# If you use Swift authentication service, set it to 'account':'user'
# where 'account' is a Swift storage account and 'user'
# is a user in that account
swift_store_user = service:glance-swift

# Auth key for the user authenticating against the
# Swift authentication service
swift_store_key = <password>

# Container within the account that the account should use
# for storing images in Swift
swift_store_container = glance

# Do we create the container if it does not exist?
swift_store_create_container_on_put = True

# What size, in MB, should Glance start chunking image files
# and do a large object manifest in Swift? By default, this is
# the maximum object size in Swift, which is 5GB
swift_store_large_object_size = 5120

# When doing a large object manifest, what size, in MB, should
# Glance write chunks to Swift? This amount of data is written
# to a temporary disk buffer during the process of chunking
# the image file, and the default is 200MB
swift_store_large_object_chunk_size = 200

# Whether to use ServiceNET to communicate with the Swift storage servers.
# (If you aren't RACKSPACE, leave this False!)
#
# To use ServiceNET for authentication, prefix hostname of
# `swift_store_auth_address` with 'snet-'.
# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
swift_enable_snet = False

# If set to True enables multi-tenant storage mode which causes Glance images
# to be stored in tenant specific Swift accounts.
#swift_store_multi_tenant = False

# A list of swift ACL strings that will be applied as both read and
# write ACLs to the containers created by Glance in multi-tenant
# mode. This grants the specified tenants/users read and write access
# to all newly created image objects. The standard swift ACL string
# formats are allowed, including:
# <tenant_id>:<username>
# <tenant_name>:<username>
# *:<username>
# Multiple ACLs can be combined using a comma separated list, for
# example: swift_store_admin_tenants = service:glance,*:admin
#swift_store_admin_tenants =

# The region of the swift endpoint to be used for single tenant. This setting
# is only necessary if the tenant has multiple swift endpoints.
#swift_store_region =

swift_store_region = <region name>

# If set to False, disables SSL layer compression of https swift requests.
# Setting to 'False' may improve performance for images which are already
# in a compressed format, eg qcow2. If set to True, enables SSL layer
# compression (provided it is supported by the target swift proxy).
#swift_store_ssl_compression = True
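An added example, not part of the original page or of Glance itself: a small audit of the Swift store options shown above, flagging the settings that weaken the Glance-to-Keystone connection or leave the region unpinned in a multi-region catalog. The helper name `audit_swift_store` and the sample text are constructed for illustration.

```python
import configparser

# Constructed sample: the Swift store options from the page, without comments.
SAMPLE_CONF = """\
default_store = swift
swift_store_auth_version = 2
swift_store_auth_address = https://keystone.ha.infn.it:5000/v2.0/
swift_store_endpoint_type = publicURL
swift_store_auth_insecure = True
swift_store_user = service:glance-swift
swift_store_key = <password>
#swift_store_region =
swift_store_region = <region name>
"""


def audit_swift_store(conf_text):
    """Return {option: finding} for risky Swift store settings (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Pasted snippets often lack a section header; a repeated [DEFAULT] is harmless.
    cp.read_string("[DEFAULT]\n" + conf_text)
    opts = cp["DEFAULT"]
    findings = {}

    # True makes the client skip validation of the auth service's TLS certificate.
    if opts.getboolean("swift_store_auth_insecure", fallback=False):
        findings["swift_store_auth_insecure"] = (
            "TLS certificate of the auth service is not verified")

    # Per the config comments, an address without a scheme defaults to https://.
    addr = opts.get("swift_store_auth_address", "").strip()
    if addr.lower().startswith("http://"):
        findings["swift_store_auth_address"] = (
            "service credentials are sent to the auth service in clear text")

    # Assumption taken from the page: one Keystone serves several regions, so the
    # tenant sees several Swift endpoints and the region must be set explicitly.
    if not opts.get("swift_store_region", "").strip():
        findings["swift_store_region"] = (
            "no region set although the catalog holds several Swift endpoints")

    return findings


if __name__ == "__main__":
    for option, finding in audit_swift_store(SAMPLE_CONF).items():
        print(f"{option}: {finding}")
```

Run against the settings on this page, it reports only `swift_store_auth_insecure`; the address already uses https and the region is set.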

Setup

cn/ccr/cloud/cloud_multiregione/installazione.txt · Last modified: 2014/11/24 10:24 by fzani@infn.it