====== Installing a new region in INFN Cloud ======

===== File for Keystone authentication =====

export OS_TENANT_NAME=admin\\
export OS_USERNAME=admin\\
export OS_PASSWORD=\\
export OS_AUTH_URL="https://keystone.ha.infn.it:5000/v2.0/"\\
export OS_CACERT=/etc/ssl/certs/Keystone_INFN_CA.pem\\
export OS_REGION_NAME=\\
\\
The Keystone_INFN_CA.pem certificate is the file that OS_CACERT points to.

===== Using the national Keystone =====

[[cn:ccr:cloud:autenticazione_openstack:keystone_wan|Distributed Keystone]]

===== Guidelines for endpoint creation =====

  - you must not create the services on Keystone; use the ones that already exist
<code>
root@havanaregion:~# keystone service-list
+----------------------------------+----------+--------------+--------------------------------+
| id                               | name     | type         | description                    |
+----------------------------------+----------+--------------+--------------------------------+
| 0eaf959bb77f467a86de0af3fd496cbf | cinder   | volume       | Cinder Volume Service          |
| c65c355e8b2f41ba940224cccffcc153 | cinderv2 | volumev2     | Cinder Volume Service v2       |
| ab86a2e85a10433b992b9c521a7b62f9 | glance   | image        | Glance Image Service           |
| a7fc3ee278fc4335af037f9d12d7bda9 | keystone | identity     | OpenStack Identity             |
| 285a0837f7764ec39c010008c20d9fd5 | neutron  | network      | OpenStack Networking Service   |
| b27150005a694c2390735440c062d9eb | nova     | compute      | Nova Compute service           |
| a6e2a12512464bd99c4815cc1fc1b5ae | swift    | object-store | OpenStack Object Store Service |
+----------------------------------+----------+--------------+--------------------------------+
</code>
  - when you create the service users, append the site name, for example:
<code>
root@keystone-infn:~# keystone user-list | grep "\-lngs"
| ad0ad189797245b59c55e48f034d4a40 | cinder-lngs  | True | cloud@lngs.infn.it   |
| ab5d9b23f674488ba016bb09c8ea90df | glance-lngs  | True | calcolo@lngs.infn.it |
| f2b917b178e14c87b53d93a9dc850c77 | neutron-lngs | True | cloud@lngs.infn.it   |
| 0b741ff52266440aa1487dbdeb2981a9 | nova-lngs    | True | cloud@lngs.infn.it   |
</code>
  - they must also be added to the service tenant as admin
<code>
keystone user-role-add --user= --tenant=service --role=admin
</code>
  - if you want to rely on the dashboard here at LNGS: https://havanactl.lngs.infn.it, or, if you prefer, instantiate one yourself
  - I think the latest Havana updates accept HTML headers up to 16K. Otherwise, at least for glance, the patch is described here: https://review.openstack.org/#/c/77108/3
  - when you create the endpoints, remember to set the region, e.g.
<code>
keystone --os-region-name=rm2 endpoint-create --service-id=ab86a2e85a10433b992b9c521a7b62f9 --publicurl=http://cloud03.roma2.infn.it:9292 --internalurl=http://cloud03.roma2.infn.it:9292 --adminurl=http://cloud03.roma2.infn.it:9292
</code>
  - if you want to use swift, copy the endpoint from another region
  - if you want to use swift as the back-end for glance, in /etc/glance/glance-api.conf:
<code>
# Which backend scheme should Glance use by default is not specified
# in a request to add a new image to Glance? Known schemes are determined
# by the known_stores option below.
# Default: 'file'
#default_store = file
default_store = swift

........

# ============ Swift Store Options =============================

# Version of the authentication service to use
# Valid versions are '2' for keystone and '1' for swauth and rackspace
swift_store_auth_version = 2

# Address where the Swift authentication service lives
# Valid schemes are 'http://' and 'https://'
# If no scheme specified, default to 'https://'
# For swauth, use something like '127.0.0.1:8080/v1.0/'
swift_store_auth_address = https://keystone.ha.infn.it:5000/v2.0/
swift_store_endpoint_type = publicURL
swift_store_auth_insecure = True

# User to authenticate against the Swift authentication service
# If you use Swift authentication service, set it to 'account':'user'
# where 'account' is a Swift storage account and 'user'
# is a user in that account
swift_store_user = service:glance-swift

# Auth key for the user authenticating against the
# Swift authentication service
swift_store_key =

# Container within the account that the account should use
# for storing images in Swift
swift_store_container = glance

# Do we create the container if it does not exist?
swift_store_create_container_on_put = True

# What size, in MB, should Glance start chunking image files
# and do a large object manifest in Swift? By default, this is
# the maximum object size in Swift, which is 5GB
swift_store_large_object_size = 5120

# When doing a large object manifest, what size, in MB, should
# Glance write chunks to Swift? This amount of data is written
# to a temporary disk buffer during the process of chunking
# the image file, and the default is 200MB
swift_store_large_object_chunk_size = 200

# Whether to use ServiceNET to communicate with the Swift storage servers.
# (If you aren't RACKSPACE, leave this False!)
#
# To use ServiceNET for authentication, prefix hostname of
# `swift_store_auth_address` with 'snet-'.
# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
swift_enable_snet = False

# If set to True enables multi-tenant storage mode which causes Glance images
# to be stored in tenant specific Swift accounts.
#swift_store_multi_tenant = False

# A list of swift ACL strings that will be applied as both read and
# write ACLs to the containers created by Glance in multi-tenant
# mode. This grants the specified tenants/users read and write access
# to all newly created image objects. The standard swift ACL string
# formats are allowed, including:
# :
# :
# *:
# Multiple ACLs can be combined using a comma separated list, for
# example: swift_store_admin_tenants = service:glance,*:admin
#swift_store_admin_tenants =

# The region of the swift endpoint to be used for single tenant. This setting
# is only necessary if the tenant has multiple swift endpoints.
#swift_store_region =
swift_store_region =

# If set to False, disables SSL layer compression of https swift requests.
# Setting to 'False' may improve performance for images which are already
# in a compressed format, eg qcow2. If set to True, enables SSL layer
# compression (provided it is supported by the target swift proxy).
#swift_store_ssl_compression = True
</code>

===== Setup =====

http://docs.openstack.org/icehouse/install-guide/install/apt/content/
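A check for the Swift store options in the /etc/glance/glance-api.conf excerpt under the endpoint guidelines, added here as an example and not part of the original page or of Glance: it flags settings that weaken the Glance-to-Keystone path, such as `swift_store_auth_insecure = True`, which skips verification of the Keystone certificate even though the CA file is distributed. The function names and the sample text are constructed, and the options are assumed to live in `[DEFAULT]`.

```python
import configparser

# Constructed sample mirroring the swift store options shown on this page
# (not a real deployment file; empty values are left empty as on the page).
SAMPLE_CONF = """\
default_store = swift
swift_store_auth_version = 2
swift_store_auth_address = https://keystone.ha.infn.it:5000/v2.0/
swift_store_auth_insecure = True
swift_store_user = service:glance-swift
swift_store_key =
swift_store_region =
"""

def load_options(text):
    """Parse glance-api.conf text. A leading [DEFAULT] header is prepended
    so that fragments without a section header parse too (assumption:
    the swift store options sit in [DEFAULT])."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string("[DEFAULT]\n" + text)
    return parser["DEFAULT"]

def audit_swift_store(text):
    """Return a list of (option, finding) tuples for risky settings."""
    opts = load_options(text)
    findings = []
    if opts.get("default_store", "file").strip() != "swift":
        return findings  # swift back-end not in use, nothing to check
    address = opts.get("swift_store_auth_address", "").strip()
    if opts.getboolean("swift_store_auth_insecure", fallback=False):
        findings.append(("swift_store_auth_insecure",
                         "TLS certificate of %s is not verified" % address))
    if address.startswith("http://"):
        findings.append(("swift_store_auth_address",
                         "credentials are sent to Keystone in cleartext"))
    if not opts.get("swift_store_key", "").strip():
        findings.append(("swift_store_key", "service password is empty"))
    if not opts.get("swift_store_region", "").strip():
        findings.append(("swift_store_region",
                         "empty; needed when the tenant has several swift endpoints"))
    return findings

if __name__ == "__main__":
    for option, finding in audit_swift_store(SAMPLE_CONF):
        print("%-28s %s" % (option, finding))
```
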