deleted keystone
parent
7a99a88399
commit
f169a9f99f
@ -1,36 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# we will use the ``euca2ools`` cli tool that wraps the python boto
|
||||
# library to test ec2 compatibility
|
||||
#
|
||||
|
||||
# This script exits on an error so that errors don't compound and you see
|
||||
# only the first error that occured.
|
||||
set -o errexit
|
||||
|
||||
# Print the commands being run so that we can see the command that triggers
|
||||
# an error. It is also useful for following allowing as the install occurs.
|
||||
set -o xtrace
|
||||
|
||||
|
||||
# Settings
|
||||
# ========
|
||||
|
||||
# Use openrc + stackrc + localrc for settings
|
||||
pushd $(cd $(dirname "$0")/.. && pwd)
|
||||
source ./openrc
|
||||
popd
|
||||
|
||||
# find a machine image to boot
|
||||
IMAGE=`euca-describe-images | grep machine | cut -f2 | head -n1`
|
||||
|
||||
# launch it
|
||||
INSTANCE=`euca-run-instances $IMAGE | grep INSTANCE | cut -f2`
|
||||
|
||||
# assure it has booted within a reasonable time
|
||||
if ! timeout $RUNNING_TIMEOUT sh -c "while euca-describe-instances $INSTANCE | grep -q running; do sleep 1; done"; then
|
||||
echo "server didn't become active within $RUNNING_TIMEOUT seconds"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
euca-terminate-instances $INSTANCE
|
@ -1,168 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# **exercise.sh** - using the cloud can be fun
|
||||
|
||||
# we will use the ``nova`` cli tool provided by the ``python-novaclient``
|
||||
# package
|
||||
#
|
||||
|
||||
|
||||
# This script exits on an error so that errors don't compound and you see
|
||||
# only the first error that occured.
|
||||
set -o errexit
|
||||
|
||||
# Print the commands being run so that we can see the command that triggers
|
||||
# an error. It is also useful for following allowing as the install occurs.
|
||||
set -o xtrace
|
||||
|
||||
|
||||
# Settings
|
||||
# ========
|
||||
|
||||
# Use openrc + stackrc + localrc for settings
|
||||
pushd $(cd $(dirname "$0")/.. && pwd)
|
||||
source ./openrc
|
||||
popd
|
||||
|
||||
# Get a token for clients that don't support service catalog
|
||||
# ==========================================================
|
||||
|
||||
# manually create a token by querying keystone (sending JSON data). Keystone
|
||||
# returns a token and catalog of endpoints. We use python to parse the token
|
||||
# and save it.
|
||||
|
||||
TOKEN=`curl -s -d "{\"auth\":{\"passwordCredentials\": {\"username\": \"$NOVA_USERNAME\", \"password\": \"$NOVA_PASSWORD\"}}}" -H "Content-type: application/json" http://$HOST_IP:5000/v2.0/tokens | python -c "import sys; import json; tok = json.loads(sys.stdin.read()); print tok['access']['token']['id'];"`
|
||||
|
||||
# Launching a server
|
||||
# ==================
|
||||
|
||||
# List servers for tenant:
|
||||
nova list
|
||||
|
||||
# Images
|
||||
# ------
|
||||
|
||||
# Nova has a **deprecated** way of listing images.
|
||||
nova image-list
|
||||
|
||||
# But we recommend using glance directly
|
||||
glance -A $TOKEN index
|
||||
|
||||
# Let's grab the id of the first AMI image to launch
|
||||
IMAGE=`glance -A $TOKEN index | egrep ami | cut -d" " -f1`
|
||||
|
||||
# Security Groups
|
||||
# ---------------
|
||||
SECGROUP=test_secgroup
|
||||
|
||||
# List of secgroups:
|
||||
nova secgroup-list
|
||||
|
||||
# Create a secgroup
|
||||
nova secgroup-create $SECGROUP "test_secgroup description"
|
||||
|
||||
# determine flavor
|
||||
# ----------------
|
||||
|
||||
# List of flavors:
|
||||
nova flavor-list
|
||||
|
||||
# and grab the first flavor in the list to launch
|
||||
FLAVOR=`nova flavor-list | head -n 4 | tail -n 1 | cut -d"|" -f2`
|
||||
|
||||
NAME="myserver"
|
||||
|
||||
nova boot --flavor $FLAVOR --image $IMAGE $NAME --security_groups=$SECGROUP
|
||||
|
||||
# Testing
|
||||
# =======
|
||||
|
||||
# First check if it spins up (becomes active and responds to ping on
|
||||
# internal ip). If you run this script from a nova node, you should
|
||||
# bypass security groups and have direct access to the server.
|
||||
|
||||
# Waiting for boot
|
||||
# ----------------
|
||||
|
||||
# Max time to wait while vm goes from build to active state
|
||||
ACTIVE_TIMEOUT=${ACTIVE_TIMEOUT:-10}
|
||||
|
||||
# Max time till the vm is bootable
|
||||
BOOT_TIMEOUT=${BOOT_TIMEOUT:-15}
|
||||
|
||||
# Max time to wait for proper association and dis-association.
|
||||
ASSOCIATE_TIMEOUT=${ASSOCIATE_TIMEOUT:-10}
|
||||
|
||||
# check that the status is active within ACTIVE_TIMEOUT seconds
|
||||
if ! timeout $ACTIVE_TIMEOUT sh -c "while ! nova show $NAME | grep status | grep -q ACTIVE; do sleep 1; done"; then
|
||||
echo "server didn't become active!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# get the IP of the server
|
||||
IP=`nova show $NAME | grep "private network" | cut -d"|" -f3`
|
||||
|
||||
# for single node deployments, we can ping private ips
|
||||
MULTI_HOST=${MULTI_HOST:-0}
|
||||
if [ "$MULTI_HOST" = "0" ]; then
|
||||
# sometimes the first ping fails (10 seconds isn't enough time for the VM's
|
||||
# network to respond?), so let's ping for a default of 15 seconds with a
|
||||
# timeout of a second for each ping.
|
||||
if ! timeout $BOOT_TIMEOUT sh -c "while ! ping -c1 -w1 $IP; do sleep 1; done"; then
|
||||
echo "Couldn't ping server"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
# On a multi-host system, without vm net access, do a sleep to wait for the boot
|
||||
sleep $BOOT_TIMEOUT
|
||||
fi
|
||||
|
||||
# Security Groups & Floating IPs
|
||||
# ------------------------------
|
||||
|
||||
# allow icmp traffic (ping)
|
||||
nova secgroup-add-rule $SECGROUP icmp -1 -1 0.0.0.0/0
|
||||
|
||||
# List rules for a secgroup
|
||||
nova secgroup-list-rules $SECGROUP
|
||||
|
||||
# allocate a floating ip
|
||||
nova floating-ip-create
|
||||
|
||||
# store floating address
|
||||
FLOATING_IP=`nova floating-ip-list | grep None | head -1 | cut -d '|' -f2 | sed 's/ //g'`
|
||||
|
||||
# add floating ip to our server
|
||||
nova add-floating-ip $NAME $FLOATING_IP
|
||||
|
||||
# test we can ping our floating ip within ASSOCIATE_TIMEOUT seconds
|
||||
if ! timeout $ASSOCIATE_TIMEOUT sh -c "while ! ping -c1 -w1 $FLOATING_IP; do sleep 1; done"; then
|
||||
echo "Couldn't ping server with floating ip"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# dis-allow icmp traffic (ping)
|
||||
nova secgroup-delete-rule $SECGROUP icmp -1 -1 0.0.0.0/0
|
||||
|
||||
# FIXME (anthony): make xs support security groups
|
||||
if [ "$VIRT_DRIVER" != "xenserver" ]; then
|
||||
# test we can aren't able to ping our floating ip within ASSOCIATE_TIMEOUT seconds
|
||||
if ! timeout $ASSOCIATE_TIMEOUT sh -c "while ping -c1 -w1 $FLOATING_IP; do sleep 1; done"; then
|
||||
print "Security group failure - ping should not be allowed!"
|
||||
echo "Couldn't ping server with floating ip"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# de-allocate the floating ip
|
||||
nova floating-ip-delete $FLOATING_IP
|
||||
|
||||
# shutdown the server
|
||||
nova delete $NAME
|
||||
|
||||
# Delete a secgroup
|
||||
nova secgroup-delete $SECGROUP
|
||||
|
||||
# FIXME: validate shutdown within 5 seconds
|
||||
# (nova show $NAME returns 1 or status != ACTIVE)?
|
||||
|
@ -1,116 +0,0 @@
|
||||
[DEFAULT]
|
||||
# Show more verbose log output (sets INFO log level output)
|
||||
verbose = False
|
||||
|
||||
# Show debugging output in logs (sets DEBUG log level output)
|
||||
debug = False
|
||||
|
||||
# Which backend store should Keystone use by default.
|
||||
# Default: 'sqlite'
|
||||
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
|
||||
default_store = sqlite
|
||||
|
||||
# Log to this file. Make sure you do not set the same log
|
||||
# file for both the API and registry servers!
|
||||
log_file = %DEST%/keystone/keystone.log
|
||||
|
||||
# List of backends to be configured
|
||||
backends = keystone.backends.sqlalchemy
|
||||
#For LDAP support, add: ,keystone.backends.ldap
|
||||
|
||||
# Dictionary Maps every service to a header.Missing services would get header
|
||||
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
|
||||
service-header-mappings = {
|
||||
'nova' : 'X-Server-Management-Url',
|
||||
'swift' : 'X-Storage-Url',
|
||||
'cdn' : 'X-CDN-Management-Url'}
|
||||
|
||||
#List of extensions currently supported
|
||||
extensions= osksadm,oskscatalog
|
||||
|
||||
# Address to bind the API server
|
||||
# TODO Properties defined within app not available via pipeline.
|
||||
service_host = 0.0.0.0
|
||||
|
||||
# Port the bind the API server to
|
||||
service_port = 5000
|
||||
|
||||
# SSL for API server
|
||||
service_ssl = False
|
||||
|
||||
# Address to bind the Admin API server
|
||||
admin_host = 0.0.0.0
|
||||
|
||||
# Port the bind the Admin API server to
|
||||
admin_port = 35357
|
||||
|
||||
# SSL for API Admin server
|
||||
admin_ssl = False
|
||||
|
||||
# Keystone certificate file (modify as needed)
|
||||
# Only required if *_ssl is set to True
|
||||
certfile = /etc/keystone/ssl/certs/keystone.pem
|
||||
|
||||
# Keystone private key file (modify as needed)
|
||||
# Only required if *_ssl is set to True
|
||||
keyfile = /etc/keystone/ssl/private/keystonekey.pem
|
||||
|
||||
# Keystone trusted CA certificates (modify as needed)
|
||||
# Only required if *_ssl is set to True
|
||||
ca_certs = /etc/keystone/ssl/certs/ca.pem
|
||||
|
||||
# Client certificate required
|
||||
# Only relevant if *_ssl is set to True
|
||||
cert_required = True
|
||||
|
||||
#Role that allows to perform admin operations.
|
||||
keystone-admin-role = Admin
|
||||
|
||||
#Role that allows to perform service admin operations.
|
||||
keystone-service-admin-role = KeystoneServiceAdmin
|
||||
|
||||
#Tells whether password user need to be hashed in the backend
|
||||
hash-password = True
|
||||
|
||||
[keystone.backends.sqlalchemy]
|
||||
# SQLAlchemy connection string for the reference implementation registry
|
||||
# server. Any valid SQLAlchemy connection string is fine.
|
||||
# See: http://bit.ly/ideIpI
|
||||
sql_connection = %SQL_CONN%
|
||||
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
|
||||
'User', 'Credentials', 'EndpointTemplates', 'Token',
|
||||
'Service']
|
||||
|
||||
# Period in seconds after which SQLAlchemy should reestablish its connection
|
||||
# to the database.
|
||||
sql_idle_timeout = 30
|
||||
|
||||
[pipeline:admin]
|
||||
pipeline =
|
||||
urlrewritefilter
|
||||
admin_api
|
||||
|
||||
[pipeline:keystone-legacy-auth]
|
||||
pipeline =
|
||||
urlrewritefilter
|
||||
legacy_auth
|
||||
RAX-KEY-extension
|
||||
service_api
|
||||
|
||||
[app:service_api]
|
||||
paste.app_factory = keystone.server:service_app_factory
|
||||
|
||||
[app:admin_api]
|
||||
paste.app_factory = keystone.server:admin_app_factory
|
||||
|
||||
[filter:urlrewritefilter]
|
||||
paste.filter_factory = keystone.middleware.url:filter_factory
|
||||
|
||||
[filter:legacy_auth]
|
||||
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
|
||||
|
||||
[filter:RAX-KEY-extension]
|
||||
paste.filter_factory = keystone.contrib.extensions.service.raxkey.frontend:filter_factory
|
||||
|
||||
[filter:debug]
|
||||
paste.filter_factory = keystone.common.wsgi:debug_filter_factory
|
@ -1,46 +0,0 @@
|
||||
#!/bin/bash
|
||||
BIN_DIR=${BIN_DIR:-.}
|
||||
# Tenants
|
||||
$BIN_DIR/keystone-manage $* tenant add admin
|
||||
$BIN_DIR/keystone-manage $* tenant add demo
|
||||
$BIN_DIR/keystone-manage $* tenant add invisible_to_admin
|
||||
|
||||
# Users
|
||||
$BIN_DIR/keystone-manage $* user add admin %ADMIN_PASSWORD%
|
||||
$BIN_DIR/keystone-manage $* user add demo %ADMIN_PASSWORD%
|
||||
|
||||
# Roles
|
||||
$BIN_DIR/keystone-manage $* role add Admin
|
||||
$BIN_DIR/keystone-manage $* role add Member
|
||||
$BIN_DIR/keystone-manage $* role add KeystoneAdmin
|
||||
$BIN_DIR/keystone-manage $* role add KeystoneServiceAdmin
|
||||
$BIN_DIR/keystone-manage $* role add sysadmin
|
||||
$BIN_DIR/keystone-manage $* role add netadmin
|
||||
$BIN_DIR/keystone-manage $* role grant Admin admin admin
|
||||
$BIN_DIR/keystone-manage $* role grant Member demo demo
|
||||
$BIN_DIR/keystone-manage $* role grant sysadmin demo demo
|
||||
$BIN_DIR/keystone-manage $* role grant netadmin demo demo
|
||||
$BIN_DIR/keystone-manage $* role grant Member demo invisible_to_admin
|
||||
$BIN_DIR/keystone-manage $* role grant Admin admin demo
|
||||
$BIN_DIR/keystone-manage $* role grant Admin admin
|
||||
$BIN_DIR/keystone-manage $* role grant KeystoneAdmin admin
|
||||
$BIN_DIR/keystone-manage $* role grant KeystoneServiceAdmin admin
|
||||
|
||||
# Services
|
||||
$BIN_DIR/keystone-manage $* service add nova compute "Nova Compute Service"
|
||||
$BIN_DIR/keystone-manage $* service add glance image "Glance Image Service"
|
||||
$BIN_DIR/keystone-manage $* service add keystone identity "Keystone Identity Service"
|
||||
|
||||
#endpointTemplates
|
||||
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%HOST_IP%:8774/v1.1/%tenant_id% http://%HOST_IP%:8774/v1.1/%tenant_id% http://%HOST_IP%:8774/v1.1/%tenant_id% 1 1
|
||||
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%HOST_IP%:9292/v1.1/%tenant_id% http://%HOST_IP%:9292/v1.1/%tenant_id% http://%HOST_IP%:9292/v1.1/%tenant_id% 1 1
|
||||
$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone http://%HOST_IP%:5000/v2.0 http://%HOST_IP%:35357/v2.0 http://%HOST_IP%:5000/v2.0 1 1
|
||||
|
||||
# Tokens
|
||||
$BIN_DIR/keystone-manage $* token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00
|
||||
|
||||
# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
|
||||
# but keystone doesn't parse them - it is just a blob from keystone's
|
||||
# point of view
|
||||
$BIN_DIR/keystone-manage $* credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials"
|
||||
$BIN_DIR/keystone-manage $* credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials"
|
Loading…
Reference in New Issue