Friday, October 11, 2013

This document describes how a gluster-swift setup can be authenticated against keystone. It assumes you have two F18 VMs and that all commands are executed as the root user. From here on these two VMs will be referred to as 'kshost' and 'g4snode'.

A. Install and configure keystone on kshost

1.Get the repo for RDO Grizzly
#yum install -y

2.Install keystone and related packages
#yum install openstack-utils openstack-keystone python-keystoneclient

3.Delete the keystone.db file created in the /var/lib/keystone directory
#rm /var/lib/keystone/keystone.db

4.The following sequence of commands creates a MySQL database named "keystone" and a MySQL user named "keystone" with full access to that database.

  a.) #openstack-db --init --service keystone
  (this may ask you to install mysql-server and to set the MySQL root password.)

  b.) Log in to the MySQL server to configure the keystone database:-
  #mysql -u root -p
  Enter the MySQL root user's password when prompted.

  c.) Create a MySQL user for the newly-created keystone database that has full control of it:-
  mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '[KEYSTONEDB_PASSWORD]';
  mysql> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '[KEYSTONEDB_PASSWORD]';

5. To switch the data store to MySQL, change the line defining connection in /etc/keystone/keystone.conf to:-
  connection = mysql://keystone:[YOUR_KEYSTONEDB_PASSWORD]@kshost_ip/keystone

If keystone is properly configured to use the SQL backend, /etc/keystone/keystone.conf should also contain the following line in its [catalog] section:-

driver = keystone.catalog.backends.sql.Catalog

6.Change the admin token to a freshly generated one
  #export ADMIN_TOKEN=$(openssl rand -hex 10)
Assume the token generated above is '012345SECRET99TOKEN012345' and edit /etc/keystone/keystone.conf as follows:-
  admin_token = 012345SECRET99TOKEN012345

7.By default Keystone will use PKI tokens. To create the signing keys and certificates run:
  #keystone-manage pki_setup
  #chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log

Note: You can change the PKI settings in /etc/keystone/ssl/certs/openssl.conf

8.You can configure keystone to log to /var/log/keystone/keystone.log and set the log level to 'DEBUG' by setting the appropriate parameters in /etc/keystone/keystone.conf

9.Start keystone service
  #service openstack-keystone start && sudo chkconfig openstack-keystone on

10.Initialize the new keystone database, as root:
  #keystone-manage db_sync

11.Typically, you would use a username and password to authenticate with the Identity service. However, at this point in the install, we have not yet created a user. Instead, we use the service token to authenticate against the Identity service.

#export OS_SERVICE_TOKEN=012345SECRET99TOKEN012345

12.Now we will create a tenant and its users. Think of a tenant as a swift account (in G4S a swift account maps to a gluster volume). Assume you want to create an account named ‘test’. Note the tenant id: a gluster volume of this name has to be mounted on g4snode.

#keystone tenant-create --name test --description "an account/volume for G4S"

      |   Property  |              Value               |
      | description | an account/volume for G4S        |
      | enabled     | True                             |
      | id          | b5815b046cfe47bb891a7b64119e7f80 |
      | name        | test                             |

13.Create a user for this tenant (account)

#keystone user-create --tenant-id b5815b046cfe47bb891a7b64119e7f80 --name tester --pass testing

      | Property |              Value               |
      | email    |                                  |
      | enabled  | True                             |
      | id       | a4c2d43f80a549a19864c89d759bb3fe |
      | name     | tester                           |
      | tenantId | b5815b046cfe47bb891a7b64119e7f80 |

14.Create an administrative role, admin, based on keystone's default policy.json file
    (you can think of it as a group in tempauth terminology)

# keystone role-create --name admin
      | Property |              Value               |
      | id       | e3d9d157cc95410ea45d23bbbc2e5c10 |
      | name     | admin                            |

15.Grant the admin role to the ‘tester’ user in the ‘test’ tenant with user-role-add.

#keystone user-role-add --user-id a4c2d43f80a549a19864c89d759bb3fe --tenant-id b5815b046cfe47bb891a7b64119e7f80 --role-id e3d9d157cc95410ea45d23bbbc2e5c10

16.Create the service and endpoint for keystone.
  #keystone service-create --name=keystone --type=identity --description="Identity Service"
|   Property  |              Value               |
| description | Identity Service                 |
| id          | 15c11a23667e427e91bc31335b45f4bd |
| name        | keystone                         |
| type        | identity                         |

  #keystone endpoint-create \
  --region RegionOne \
  --service-id=15c11a23667e427e91bc31335b45f4bd \
  --publicurl=http://kshost_ip:5000/v2.0 \
  --internalurl=http://kshost_ip:5000/v2.0 \
  --adminurl=http://kshost_ip:35357/v2.0
|   Property  |              Value               |
| adminurl    | http://kshost_ip:35357/v2.0      |
| id          | 11f9c625a3b94a3f8e66bf4e5de2679f |
| internalurl | http://kshost_ip:5000/v2.0       |
| publicurl   | http://kshost_ip:5000/v2.0       |
| region      | RegionOne                        |
| service_id  | 15c11a23667e427e91bc31335b45f4bd |

17.Create the service and endpoints for G4S. You can think of the G4S service endpoint as the base URL for each account.

#keystone service-create --name=gluster-swift --type=object-store --description="G4S Object Storage Service"
|   Property  |              Value               |
| description | G4S Object Storage Service       |
| id          | 272efad2d1234376cbb911c1e5a5a6ed |
| name        | gluster-swift                    |
| type        | object-store                     |

#keystone endpoint-create \
--region RegionOne \
--service-id=272efad2d1234376cbb911c1e5a5a6ed \
--publicurl 'http://g4snode_ip:8888/v1/AUTH_%(tenant_id)s' \
--internalurl 'http://g4snode_ip:8888/v1/AUTH_%(tenant_id)s' \
--adminurl 'http://g4snode_ip:8888/v1'

|   Property  |                    Value                     |
| adminurl    | http://g4snode_ip:8888/v1                    |
| id          | e32b3c4780e51332f9c128a8c208a5a4             |
| internalurl | http://g4snode_ip:8888/v1/AUTH_%(tenant_id)s |
| publicurl   | http://g4snode_ip:8888/v1/AUTH_%(tenant_id)s |
| region      | RegionOne                                    |
| service_id  | 272efad2d1234376cbb911c1e5a5a6ed             |
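To see how the objects created in steps 12-17 fit together, here is an added example (not part of the original post or of gluster-swift) that takes a constructed keystone v2.0 token response carrying those ids and derives the swift account name, the gluster mount path that g4snode must provide for the tenant, and whether the user's roles satisfy a given operator_roles setting. The token id and the response JSON are constructed placeholders.

```python
import json

# Constructed sample of a keystone v2.0 token response, not a real capture:
# ids, names, role and endpoints follow the values created in steps 12-17.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access": {
    "token": {"id": "PLACEHOLDER_TOKEN_ID",
              "tenant": {"id": "b5815b046cfe47bb891a7b64119e7f80", "name": "test"}},
    "user": {"id": "a4c2d43f80a549a19864c89d759bb3fe", "name": "tester",
             "roles": [{"name": "admin"}]},
    "serviceCatalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://kshost_ip:5000/v2.0"}]},
        {"type": "object-store", "name": "gluster-swift", "endpoints": [
            {"region": "RegionOne",
             "publicURL": "http://g4snode_ip:8888/v1/AUTH_b5815b046cfe47bb891a7b64119e7f80"}]},
    ]}})

GLUSTER_OBJECT_ROOT = "/mnt/gluster-object"  # mount root used in section C

def expected_layout(token_json, operator_roles=("admin",)):
    """From a v2.0 token response, derive what the G4S node must provide for
    this tenant and whether keystoneauth will treat the user as an operator."""
    access = json.loads(token_json)["access"]
    tenant_id = access["token"]["tenant"]["id"]
    stores = [s for s in access["serviceCatalog"] if s["type"] == "object-store"]
    if len(stores) != 1:
        raise ValueError("expected exactly one object-store service in the catalog")
    storage_url = stores[0]["endpoints"][0]["publicURL"]
    # The swift account is the last path component; keystoneauth expects it to be
    # reseller prefix + tenant id, i.e. AUTH_<tenant_id> from the endpoint template.
    account = storage_url.rstrip("/").rsplit("/", 1)[1]
    if account != "AUTH_" + tenant_id:
        raise ValueError("endpoint did not expand to AUTH_<tenant_id>: " + account)
    roles = {r["name"] for r in access["user"]["roles"]}
    return {
        "tenant_id": tenant_id,
        "storage_url": storage_url,
        "account": account,
        # G4S serves the account from the gluster volume mounted at
        # /mnt/gluster-object/<tenant_id> (section C, step 1), so both use the tenant id.
        "volume": tenant_id,
        "mount_path": GLUSTER_OBJECT_ROOT + "/" + tenant_id,
        # operator_roles in [filter:keystoneauth] decides who gets full account access.
        "is_operator": bool(roles & set(operator_roles)),
    }
```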

B.Prepare your F18 VM for a G4S node

1.Install glusterfs
  #yum install glusterfs glusterfs-server

2.Get the repo for RDO Grizzly
  #yum install -y

3.Install the gluster-swift plugin (it is not yet available in the official F18 repo, but will be soon; for now you need to download the latest rpm from

The right RPMs will be available here:-

After downloading, you can install it with:-
  #yum install glusterfs-openstack-swift-1.8.0-7.2.fc19.noarch.rpm

4.Verify that all dependencies got installed:-
  #rpm -qa | grep openstack


5.Get your config files correct:-

#cd /etc/swift

#rm -rf account-server container-server object-server proxy-server account-server.conf container-server.conf object-server.conf swift.conf proxy-server.conf

#mv account-server.conf-gluster account-server.conf

#mv container-server.conf-gluster container-server.conf

#mv object-server.conf-gluster object-server.conf

#mv proxy-server.conf-gluster proxy-server.conf

#mv fs.conf-gluster fs.conf

#mv swift.conf-gluster swift.conf

You can check and modify these config files according to your setup; otherwise they are fine for an all-in-one kind of setup.

6.Create a mock gluster volume (you can skip this if you already have one)

#dd if=/dev/zero of=~/myFileSystem.img bs=1024 count=1048576

#mkfs.xfs -f -n size=8192 -d su=256k,sw=10 ~/myFileSystem.img

#mkdir -p /mnt/gbrick1

#mount -o loop ~/myFileSystem.img /mnt/gbrick1/

#IP=`ip addr show eth0 |grep 'inet ' | awk '{print $2}'| cut -d '/' -f1`

#gluster volume create test $IP:/mnt/gbrick1/

#gluster volume start test

C.Config on G4S-node to work with keystone

1.Assuming you have a gluster volume named ‘test’, you need to mount it on /mnt/gluster-object/tenant-id, using the tenant id generated in section A, step 12.

#mkdir -p /mnt/gluster-object/b5815b046cfe47bb891a7b64119e7f80

#mount -t glusterfs IP_WHERE_GLUSTER_VOL_HOSTED:b5815b046cfe47bb891a7b64119e7f80 /mnt/gluster-object/b5815b046cfe47bb891a7b64119e7f80

2.Configure /etc/swift/proxy-server.conf for keystone:-

  a.)Modify the pipeline as follows:-

pipeline = catch_errors healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

  b.)Add an authtoken filter with the details of your auth setup:-

     [filter:authtoken]
     paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
     signing_dir = /etc/swift/signing_dir
     auth_host = kshost_ip
     auth_port = 35357
     auth_protocol = http
     service_host = g4snode_ip
     service_port = 8080
     admin_token = 012345SECRET99TOKEN012345

  c.)Configure the keystoneauth filter:-

     [filter:keystoneauth]
     use = egg:swift#keystoneauth
     operator_roles = admin
     is_admin = true
     cache = swift.cache
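As an added check (example code, not part of the original post or of gluster-swift), the following lints the keystone-related parts of a proxy-server.conf: the middleware order in the pipeline, the settings the authtoken filter needs, a non-default admin_token and a non-empty operator_roles. The config text is a constructed copy of the fragment above.

```python
import configparser

# Constructed proxy-server.conf excerpt mirroring steps 2a-2c above; example
# input only, not the file shipped with gluster-swift.
SAMPLE_PROXY_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
signing_dir = /etc/swift/signing_dir
auth_host = kshost_ip
auth_port = 35357
auth_protocol = http
admin_token = 012345SECRET99TOKEN012345

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin
cache = swift.cache
"""

# Settings the authtoken filter needs to reach keystone and verify tokens.
AUTHTOKEN_KEYS = ("paste.filter_factory", "auth_host", "auth_port",
                  "auth_protocol", "admin_token", "signing_dir")

def check_keystone_pipeline(conf_text):
    """Lint the keystone parts of proxy-server.conf; returns a list of problems."""
    cp = configparser.RawConfigParser()  # raw: no %-interpolation of values
    cp.read_string(conf_text)
    problems = []
    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    pos = {name: i for i, name in enumerate(pipeline)}
    # authtoken validates the token (using the cache); keystoneauth then maps
    # roles to account access, so it must follow authtoken and precede the app.
    for earlier, later in (("cache", "authtoken"), ("authtoken", "keystoneauth"),
                           ("keystoneauth", "proxy-server")):
        if earlier not in pos or later not in pos or pos[earlier] > pos[later]:
            problems.append("pipeline must list %s before %s" % (earlier, later))
    if "tempauth" in pos:
        problems.append("tempauth must be removed when keystoneauth is used")
    for key in AUTHTOKEN_KEYS:
        if not cp.get("filter:authtoken", key, fallback=""):
            problems.append("[filter:authtoken] is missing %s" % key)
    if cp.get("filter:authtoken", "admin_token", fallback="").upper() in ("", "ADMIN"):
        problems.append("admin_token must be the generated token, not keystone's default")
    if not cp.get("filter:keystoneauth", "operator_roles", fallback="").strip():
        problems.append("[filter:keystoneauth] operator_roles must name at least one role")
    return problems
```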

3.Create the ring files for the mounted volume:-

#gluster-swift-gen-builders b5815b046cfe47bb891a7b64119e7f80

(b5815b046cfe47bb891a7b64119e7f80 is the tenant ID)

4.Start all the swift services on G4S node

#swift-init main start

5.You are all set for testing; you can upload a file (install.log) to a new container called ‘dir’.

#swift -V 2.0 -A http://kshost:5000/v2.0 -U test:tester -K testing upload dir install.log
