From 92b7fb59145470bf1a7c70d793e6d25c699ee89c Mon Sep 17 00:00:00 2001 
From: Maxim Kulkin
Date: Mon, 16 Sep 2013 17:23:59 +0400
Subject: [PATCH] Added sample configuration
---
.../config/host1/cinder/api-paste.ini | 52 +++
.../config/host1/cinder/cinder.conf | 35 ++
.../config/host1/cinder/logging.conf | 35 ++
.../config/host1/cinder/policy.json | 33 ++
.../config/host1/cinder/rootwrap.conf | 27 ++
.../config/host1/glance/glance-api-paste.ini | 57 +++
.../config/host1/glance/glance-api.conf | 363 ++++++++++++++++++
.../config/host1/glance/glance-cache.conf | 149 +++++++
.../host1/glance/glance-registry-paste.ini | 19 +
.../config/host1/glance/glance-registry.conf | 96 +++++
.../config/host1/glance/glance-scrubber.conf | 40 ++
.../config/host1/glance/logging.conf | 35 ++
.../config/host1/glance/policy.json | 4 +
.../config/host1/glance/schema-image.json | 28 ++
.../host2/keystone/default_catalog.templates | 27 ++
.../config/host2/keystone/keystone.conf | 320 +++++++++++++++
.../config/host2/keystone/logging.conf | 35 ++
.../config/host2/keystone/policy.json | 86 +++++
.../config/host2/nova/api-paste.ini | 107 ++++++
config_samples/config/host2/nova/logging.conf | 35 ++
config_samples/config/host2/nova/nova.conf | 71 ++++
config_samples/config/host2/nova/policy.json | 161 ++++++++
config_samples/config/host2/nova/release | 4 +
.../config/host2/nova/rootwrap.conf | 27 ++
config_samples/config/host2/nova/version | 1 +
25 files changed, 1847 insertions(+)
create mode 100644 config_samples/config/host1/cinder/api-paste.ini
create mode 100644 config_samples/config/host1/cinder/cinder.conf
create mode 100644 config_samples/config/host1/cinder/logging.conf
create mode 100644 config_samples/config/host1/cinder/policy.json
create mode 100644 config_samples/config/host1/cinder/rootwrap.conf
create mode 100644 config_samples/config/host1/glance/glance-api-paste.ini
create mode 100644 config_samples/config/host1/glance/glance-api.conf
create mode 100644 config_samples/config/host1/glance/glance-cache.conf
create mode 100644
config_samples/config/host1/glance/glance-registry-paste.ini
create mode 100644 config_samples/config/host1/glance/glance-registry.conf
create mode 100644 config_samples/config/host1/glance/glance-scrubber.conf
create mode 100644 config_samples/config/host1/glance/logging.conf
create mode 100644 config_samples/config/host1/glance/policy.json
create mode 100644 config_samples/config/host1/glance/schema-image.json
create mode 100644 config_samples/config/host2/keystone/default_catalog.templates
create mode 100644 config_samples/config/host2/keystone/keystone.conf
create mode 100644 config_samples/config/host2/keystone/logging.conf
create mode 100644 config_samples/config/host2/keystone/policy.json
create mode 100644 config_samples/config/host2/nova/api-paste.ini
create mode 100644 config_samples/config/host2/nova/logging.conf
create mode 100644 config_samples/config/host2/nova/nova.conf
create mode 100644 config_samples/config/host2/nova/policy.json
create mode 100644 config_samples/config/host2/nova/release
create mode 100644 config_samples/config/host2/nova/rootwrap.conf
create mode 100644 config_samples/config/host2/nova/version
diff --git a/config_samples/config/host1/cinder/api-paste.ini b/config_samples/config/host1/cinder/api-paste.ini
new file mode 100644
index 0000000..5bfd738
--- /dev/null
+++ b/config_samples/config/host1/cinder/api-paste.ini
@@ -0,0 +1,52 @@
+#############
+# OpenStack #
+#############
+
+[composite:osapi_volume]
+use = call:cinder.api:root_app_factory
+/: apiversions
+/v1: openstack_volume_api_v1
+/v2: openstack_volume_api_v2
+
+[composite:openstack_volume_api_v1]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = faultwrap sizelimit noauth apiv1
+keystone = faultwrap sizelimit authtoken keystonecontext apiv1
+keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv1
+
+[composite:openstack_volume_api_v2]
+use = call:cinder.api.middleware.auth:pipeline_factory
+noauth = faultwrap sizelimit noauth apiv2
+keystone = faultwrap sizelimit authtoken keystonecontext apiv2
+keystone_nolimit = faultwrap sizelimit authtoken keystonecontext apiv2
+
+[filter:faultwrap]
+paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
+
+[filter:noauth]
+paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
+
+[filter:sizelimit]
+paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:apiv1]
+paste.app_factory = cinder.api.v1.router:APIRouter.factory
+
+[app:apiv2]
+paste.app_factory = cinder.api.v2.router:APIRouter.factory
+
+[pipeline:apiversions]
+pipeline = faultwrap osvolumeversionapp
+
+[app:osvolumeversionapp]
+paste.app_factory = cinder.api.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
diff --git a/config_samples/config/host1/cinder/cinder.conf b/config_samples/config/host1/cinder/cinder.conf
new file mode 100644
index 0000000..5c54d4a
--- /dev/null
+++ b/config_samples/config/host1/cinder/cinder.conf
@@ -0,0 +1,35 @@
+[DEFAULT]
+state_path = /var/lib/cinder
+lock_path = /var/lib/cinder/tmp
+volumes_dir = /etc/cinder/volumes
+iscsi_helper = tgtadm
+sql_connection = mysql://cinder:ziNOHbWN@192.168.0.2/cinder?charset=utf8
+rpc_backend = cinder.openstack.common.rpc.impl_kombu
+rootwrap_config = /etc/cinder/rootwrap.conf
+use_syslog=true
+api_paste_config=/etc/cinder/api-paste.ini
+debug=True
+volume_group=cinder
+log_config=/etc/cinder/logging.conf
+rabbit_userid=nova
+bind_host=0.0.0.0
+osapi_volume_listen=0.0.0.0
+iscsi_ip_address=192.168.1.4
+auth_strategy=keystone
+glance_api_servers=192.168.0.2:9292
+rabbit_virtual_host=/
+rabbit_hosts=192.168.0.2:5672
+verbose=True
+rabbit_ha_queues=True
+rabbit_password=HNmMv5tY
+rabbit_port=5672
+
+[keystone_authtoken]
+admin_tenant_name = services
+admin_user = cinder
+admin_password = 6LwUQj84
+auth_host = 192.168.0.2
+auth_port = 35357
+auth_protocol = http
+signing_dirname = /tmp/keystone-signing-cinder
+signing_dir=/tmp/keystone-signing-cinder
diff --git a/config_samples/config/host1/cinder/logging.conf b/config_samples/config/host1/cinder/logging.conf
new file mode 100644
index 0000000..ee2835e
--- /dev/null
+++ b/config_samples/config/host1/cinder/logging.conf
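Review bot: The sample commits plaintext credentials — `sql_connection = mysql://cinder:ziNOHbWN@192.168.0.2/cinder?charset=utf8`, `rabbit_password=HNmMv5tY` and `admin_password = 6LwUQj84` — and the same pattern repeats in glance-api.conf, glance-cache.conf and glance-registry.conf in this commit (`fXcrTaoy`, `HJhOWm8t`, `swift_store_key`). If any of these were ever used on a real host they need rotating, because they stay in history even after a later commit strips them; either way a sample meant to be copied should use the placeholder convention this same commit already shows in glance-cache.conf, e.g. `admin_password = %SERVICE_PASSWORD%`. Separately, `signing_dir=/tmp/keystone-signing-cinder` (and `signing_dirname`) keeps the keystone signing certificate and revocation cache in a world-writable directory; a path writable only by the cinder service user, such as a dedicated directory under /var/cache, is the safer sample value. `debug=True` and `verbose=True` are also surprising defaults for a sample that is otherwise production-shaped (syslog, keystone auth).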
@@ -0,0 +1,35 @@
+[loggers]
+keys = root
+
+# devel is reserved for future usage
+[handlers]
+keys = production,devel
+
+[formatters]
+keys = normal,debug
+
+[logger_root]
+level = NOTSET
+handlers = production
+propagate = 1
+#qualname = cinder
+
+[formatter_debug]
+format = cinder-%(name)s %(levelname)s: %(module)s %(funcName)s %(message)s
+
+[formatter_normal]
+format = cinder-%(name)s %(levelname)s: %(message)s
+
+# Extended logging info to LOG_LOCAL3 with debug:True and verbose:True
+# Note: local copy goes to /var/log/cinder-all.log
+[handler_production]
+class = handlers.SysLogHandler
+level = DEBUG
+args = ('/dev/log', handlers.SysLogHandler.LOG_LOCAL3)
+formatter = normal
+
+# TODO find out how it could be usefull and how it should be used
+[handler_devel]
+class = StreamHandler
+formatter = debug
+args = (sys.stdout,)
diff --git a/config_samples/config/host1/cinder/policy.json b/config_samples/config/host1/cinder/policy.json
new file mode 100644
index 0000000..f2bcc1b
--- /dev/null
+++ b/config_samples/config/host1/cinder/policy.json
@@ -0,0 +1,33 @@
+{
+ "context_is_admin": [["role:admin"]],
+ "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
+ "default": [["rule:admin_or_owner"]],
+
+ "admin_api": [["is_admin:True"]],
+
+ "volume:create": [],
+ "volume:get_all": [],
+ "volume:get_volume_metadata": [],
+ "volume:get_snapshot": [],
+ "volume:get_all_snapshots": [],
+
+ "volume_extension:types_manage": [["rule:admin_api"]],
+ "volume_extension:types_extra_specs": [["rule:admin_api"]],
+ "volume_extension:extended_snapshot_attributes": [],
+ "volume_extension:volume_image_metadata": [],
+
+ "volume_extension:quotas:show": [],
+ "volume_extension:quotas:update": [["rule:admin_api"]],
+ "volume_extension:quota_classes": [],
+
+ "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
+ "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
+ "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
+ "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
+
+ "volume_extension:volume_host_attribute": [["rule:admin_api"]],
+ "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
+ "volume_extension:hosts": [["rule:admin_api"]],
+ "volume_extension:services": [["rule:admin_api"]],
+ "volume:services": [["rule:admin_api"]]
+}
diff --git a/config_samples/config/host1/cinder/rootwrap.conf b/config_samples/config/host1/cinder/rootwrap.conf
new file mode 100644
index 0000000..dfa8a99
--- /dev/null
+++ b/config_samples/config/host1/cinder/rootwrap.conf
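Review bot: `"volume_extension:quota_classes": []` is an always-allow rule, while `volume_extension:quotas:update` on the line above it requires `rule:admin_api`; since one policy target covers both show and update of quota classes, any authenticated user could change quota classes unless the controller enforces admin on its own, which this file cannot guarantee. Suggested change: `"volume_extension:quota_classes": [["rule:admin_api"]]`, matching the other admin-only quota, type and host rules in this file. The remaining `[]` entries (`volume:create`, `volume:get_all`, …) appear to follow the upstream defaults of this release and are scoped by the request context rather than by policy, so they are fine as shipped; a one-line README note that the file mirrors the upstream Grizzly policy would make that intent explicit.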
@@ -0,0 +1,27 @@
+# Configuration for cinder-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/config_samples/config/host1/glance/glance-api-paste.ini b/config_samples/config/host1/glance/glance-api-paste.ini
new file mode 100644
index 0000000..0b29bc9
--- /dev/null
+++ b/config_samples/config/host1/glance/glance-api-paste.ini
@@ -0,0 +1,57 @@
+# Use this pipeline for no auth or image caching - DEFAULT
+[pipeline:glance-api]
+pipeline = versionnegotiation unauthenticated-context rootapp
+
+# Use this pipeline for image caching and no auth
+[pipeline:glance-api-caching]
+pipeline = versionnegotiation unauthenticated-context cache rootapp
+
+# Use this pipeline for caching w/ management interface but no auth
+[pipeline:glance-api-cachemanagement]
+pipeline = versionnegotiation unauthenticated-context cache cachemanage rootapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-api-keystone]
+pipeline = versionnegotiation authtoken context rootapp
+
+# Use this pipeline for keystone auth with image caching
+[pipeline:glance-api-keystone+caching]
+pipeline = versionnegotiation authtoken context cache rootapp
+
+# Use this pipeline for keystone auth with caching and cache management
+[pipeline:glance-api-keystone+cachemanagement]
+pipeline = versionnegotiation authtoken context cache cachemanage rootapp
+
+[composite:rootapp]
+paste.composite_factory = glance.api:root_app_factory
+/: apiversions
+/v1: apiv1app
+/v2: apiv2app
+
+[app:apiversions]
+paste.app_factory = glance.api.versions:create_resource
+
+[app:apiv1app]
+paste.app_factory = glance.api.v1.router:API.factory
+
+[app:apiv2app]
+paste.app_factory = glance.api.v2.router:API.factory
+
+[filter:versionnegotiation]
+paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
+
+[filter:cache]
+paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
+
+[filter:cachemanage]
+paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory =
keystoneclient.middleware.auth_token:filter_factory
+delay_auth_decision = true
diff --git a/config_samples/config/host1/glance/glance-api.conf b/config_samples/config/host1/glance/glance-api.conf
new file mode 100644
index 0000000..87867b2
--- /dev/null
+++ b/config_samples/config/host1/glance/glance-api.conf
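Review bot: `delay_auth_decision = true` on the authtoken filter stops auth_token from rejecting requests with a missing or invalid token itself; they are passed on flagged as unauthenticated and the decision is left to the `context` filter that follows it in the keystone pipelines. That is only safe while `allow_anonymous_access` stays at its default of False in glance-api.conf (it is left commented out there in this same commit), so a comment tying the two together, e.g. `# deferred to ContextMiddleware; keep allow_anonymous_access = False in glance-api.conf`, would stop the files from drifting apart. The registry paste file in this commit leaves the option unset, which is the right choice for a backend that should not see anonymous callers.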
@@ -0,0 +1,363 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+verbose = true
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+debug = true
+
+# Which backend scheme should Glance use by default is not specified
+# in a request to add a new image to Glance? Known schemes are determined
+# by the known_stores option below.
+# Default: 'file'
+default_store = file
+
+# List of which store classes and store class locations are
+# currently known to glance at startup.
+#known_stores = glance.store.filesystem.Store,
+# glance.store.http.Store,
+# glance.store.rbd.Store,
+# glance.store.s3.Store,
+# glance.store.swift.Store,
+
+
+# Maximum image size (in bytes) that may be uploaded through the
+# Glance API server. Defaults to 1 TB.
+# WARNING: this value should only be increased after careful consideration
+# and must be set to a value under 8 EB (9223372036854775808).
+#image_size_cap = 1099511627776
+
+# Address to bind the API server
+bind_host = 0.0.0.0
+
+# Port the bind the API server to
+bind_port = 9292
+
+# Log to this file. Make sure you do not set the same log
+# file for both the API and registry servers!
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# TCP_KEEPIDLE value in seconds when creating socket.
+# Not supported on OS X.
+#tcp_keepidle = 600
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
+sql_connection = mysql://glance:fXcrTaoy@127.0.0.1/glance
+
+# Period in seconds after which SQLAlchemy should reestablish its connection
+# to the database.
+#
+# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
+# idle connections. This can result in 'MySQL Gone Away' exceptions.
If you
+# notice this, you can lower this value to ensure that SQLAlchemy reconnects
+# before MySQL can drop the connection.
+sql_idle_timeout = 3600
+
+# Number of Glance API worker processes to start.
+# On machines with more than one CPU increasing this value
+# may improve performance (especially if using SSL with
+# compression turned on). It is typically recommended to set
+# this value to the number of CPUs present on your machine.
+workers = 8
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# Allow unauthenticated users to access the API with read-only
+# privileges. This only applies when using ContextMiddleware.
+#allow_anonymous_access = False
+
+# Allow access to version 1 of glance api
+#enable_v1_api = True
+
+# Allow access to version 2 of glance api
+#enable_v2_api = True
+
+# Return the URL that references where the data is stored on
+# the backend storage system. For example, if using the
+# file system store a URL of 'file:///path/to/image' will
+# be returned to the user in the 'direct_url' meta-data field.
+# The default value is false.
+#show_image_direct_url = False
+
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+#use_syslog = False
+use_syslog = true
+
+# Facility to use. If unset defaults to LOG_USER.
+#syslog_log_facility = LOG_LOCAL0
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting API server securely
+#cert_file = /path/to/certfile
+
+# Private key file to use when starting API server securely
+#key_file = /path/to/keyfile
+
+# CA certificate file to use to verify connecting clients
+#ca_file = /path/to/cafile
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
+
+# ============ Registry Options ===============================
+
+# Address to find the registry server
+registry_host = 127.0.0.1
+
+# Port the registry server is listening on
+registry_port = 9191
+
+# What protocol to use when connecting to the registry server?
+# Set to https for secure HTTP communication
+registry_client_protocol = http
+
+# The path to the key file to use in SSL connections to the
+# registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
+#registry_client_key_file = /path/to/key/file
+
+# The path to the cert file to use in SSL connections to the
+# registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
+#registry_client_cert_file = /path/to/cert/file
+
+# The path to the certifying authority cert file to use in SSL connections
+# to the registry server, if any. Alternately, you may set the
+# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
+#registry_client_ca_file = /path/to/ca/file
+
+# When using SSL in connections to the registry server, do not require
+# validation via a certifying authority.
This is the registry's equivalent of
+# specifying --insecure on the command line using glanceclient for the API
+# Default: False
+#registry_client_insecure = False
+
+# The period of time, in seconds, that the API server will wait for a registry
+# request to complete. A value of '0' implies no timeout.
+# Default: 600
+#registry_client_timeout = 600
+
+# Whether to automatically create the database tables.
+# Default: False
+#db_auto_create = False
+
+# ============ Notification System Options =====================
+
+# Notifications can be sent when images are create, updated or deleted.
+# There are three methods of sending notifications, logging (via the
+# log_file directive), rabbit (via a rabbitmq queue), qpid (via a Qpid
+# message queue), or noop (no notifications sent, the default)
+notifier_strategy = noop
+
+# Configuration options if sending notifications via rabbitmq (these are
+# the defaults)
+rabbit_host = localhost
+rabbit_port = 5672
+rabbit_use_ssl = false
+rabbit_userid = guest
+rabbit_password = guest
+rabbit_virtual_host = /
+rabbit_notification_exchange = glance
+rabbit_notification_topic = notifications
+rabbit_durable_queues = False
+
+# Configuration options if sending notifications via Qpid (these are
+# the defaults)
+qpid_notification_exchange = glance
+qpid_notification_topic = notifications
+qpid_host = localhost
+qpid_port = 5672
+qpid_username =
+qpid_password =
+qpid_sasl_mechanisms =
+qpid_reconnect_timeout = 0
+qpid_reconnect_limit = 0
+qpid_reconnect_interval_min = 0
+qpid_reconnect_interval_max = 0
+qpid_reconnect_interval = 0
+qpid_heartbeat = 5
+# Set to 'ssl' to enable SSL
+qpid_protocol = tcp
+qpid_tcp_nodelay = True
+
+# ============ Filesystem Store Options ========================
+
+# Directory that the Filesystem backend store
+# writes image data to
+filesystem_store_datadir = /var/lib/glance/images/
+
+# ============ Swift Store Options =============================
+
+# Version of the authentication service to
use
+# Valid versions are '2' for keystone and '1' for swauth and rackspace
+swift_store_auth_version = 2
+
+# Address where the Swift authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified, default to 'https://'
+# For swauth, use something like '127.0.0.1:8080/v1.0/'
+swift_store_auth_address = 127.0.0.1:5000/v2.0/
+
+# User to authenticate against the Swift authentication service
+# If you use Swift authentication service, set it to 'account':'user'
+# where 'account' is a Swift storage account and 'user'
+# is a user in that account
+swift_store_user = jdoe:jdoe
+
+# Auth key for the user authenticating against the
+# Swift authentication service
+swift_store_key = a86850deb2742ec3cb41518e26aa2d89
+
+# Container within the account that the account should use
+# for storing images in Swift
+swift_store_container = glance
+
+# Do we create the container if it does not exist?
+swift_store_create_container_on_put = False
+
+# What size, in MB, should Glance start chunking image files
+# and do a large object manifest in Swift? By default, this is
+# the maximum object size in Swift, which is 5GB
+swift_store_large_object_size = 5120
+
+# When doing a large object manifest, what size, in MB, should
+# Glance write chunks to Swift? This amount of data is written
+# to a temporary disk buffer during the process of chunking
+# the image file, and the default is 200MB
+swift_store_large_object_chunk_size = 200
+
+# Whether to use ServiceNET to communicate with the Swift storage servers.
+# (If you aren't RACKSPACE, leave this False!)
+#
+# To use ServiceNET for authentication, prefix hostname of
+# `swift_store_auth_address` with 'snet-'.
+# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
+swift_enable_snet = False
+
+# If set to True enables multi-tenant storage mode which causes Glance images
+# to be stored in tenant specific Swift accounts.
+#swift_store_multi_tenant = False
+
+# A list of swift ACL strings that will be applied as both read and
+# write ACLs to the containers created by Glance in multi-tenant
+# mode. This grants the specified tenants/users read and write access
+# to all newly created image objects. The standard swift ACL string
+# formats are allowed, including:
+# :
+# :
+# *:
+# Multiple ACLs can be combined using a comma separated list, for
+# example: swift_store_admin_tenants = service:glance,*:admin
+#swift_store_admin_tenants =
+
+# The region of the swift endpoint to be used for single tenant. This setting
+# is only necessary if the tenant has multiple swift endpoints.
+#swift_store_region =
+
+# ============ S3 Store Options =============================
+
+# Address where the S3 authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified, default to 'http://'
+s3_store_host = 127.0.0.1:8080/v1.0/
+
+# User to authenticate against the S3 authentication service
+s3_store_access_key = <20-char AWS access key>
+
+# Auth key for the user authenticating against the
+# S3 authentication service
+s3_store_secret_key = <40-char AWS secret key>
+
+# Container within the account that the account should use
+# for storing images in S3. Note that S3 has a flat namespace,
+# so you need a unique bucket name for your glance images. An
+# easy way to do this is append your AWS access key to "glance".
+# S3 buckets in AWS *must* be lowercased, so remember to lowercase
+# your AWS access key if you use it in your bucket name below!
+s3_store_bucket = glance
+
+# Do we create the bucket if it does not exist?
+s3_store_create_bucket_on_put = False
+
+# When sending images to S3, the data will first be written to a
+# temporary buffer on disk. By default the platform's temporary directory
+# will be used. If required, an alternative directory can be specified here.
+#s3_store_object_buffer_dir = /path/to/dir
+
+# When forming a bucket url, boto will either set the bucket name as the
+# subdomain or as the first token of the path. Amazon's S3 service will
+# accept it as the subdomain, but Swift's S3 middleware requires it be
+# in the path. Set this to 'path' or 'subdomain' - defaults to 'subdomain'.
+#s3_store_bucket_url_format = subdomain
+
+# ============ RBD Store Options =============================
+
+# Ceph configuration file path
+# If using cephx authentication, this file should
+# include a reference to the right keyring
+# in a client. section
+rbd_store_ceph_conf = /etc/ceph/ceph.conf
+
+# RADOS user to authenticate as (only applicable if using cephx)
+rbd_store_user = glance
+
+# RADOS pool in which images are stored
+rbd_store_pool = images
+
+# Images will be chunked into objects of this size (in megabytes).
+# For best performance, this should be a power of two
+rbd_store_chunk_size = 8
+
+# ============ Delayed Delete Options =============================
+
+# Turn on/off delayed delete
+delayed_delete = False
+
+# Delayed delete time in seconds
+scrub_time = 43200
+
+# Directory that the scrubber will use to remind itself of what to delete
+# Make sure this is also set in glance-scrubber.conf
+scrubber_datadir = /var/lib/glance/scrubber
+
+# =============== Image Cache Options =============================
+
+# Base directory that the Image Cache uses
+image_cache_dir = /var/lib/glance/image-cache/
+log_config=/etc/glance/logging.conf
+
+[keystone_authtoken]
+auth_host = 127.0.0.1
+auth_port = 35357
+auth_protocol = http
+admin_tenant_name = services
+admin_user = glance
+admin_password = HJhOWm8t
+signing_dirname=/tmp/keystone-signing-glance
+auth_uri=http://127.0.0.1:35357
+signing_dir=/tmp/keystone-signing-glance
+
+[paste_deploy]
+# Name of the paste configuration file that defines the available pipelines
+#config_file = glance-api-paste.ini
+
+# Partial name of a pipeline in your paste configuration
file with the
+# service name removed. For example, if your paste section name is
+# [pipeline:glance-api-keystone], you would configure the flavor below
+# as 'keystone'.
+#flavor=
+flavor=keystone+cachemanagement
diff --git a/config_samples/config/host1/glance/glance-cache.conf b/config_samples/config/host1/glance/glance-cache.conf
new file mode 100644
index 0000000..d45247d
--- /dev/null
+++ b/config_samples/config/host1/glance/glance-cache.conf
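Review bot: `auth_uri=http://127.0.0.1:35357` in [keystone_authtoken] points at the Identity admin port; auth_uri is the URL auth_token advertises to callers in the WWW-Authenticate header of a 401, so it should name the public Identity endpoint (port 5000 in this layout, as the commented `auth_url` in glance-cache.conf suggests) while `auth_host`/`auth_port = 35357` stay on the admin endpoint for token validation, and a loopback address is of no use to a remote client in any case. Suggested change: `auth_uri=http://<public keystone host>:5000` with a real hostname substituted. The orphaned comment `# Log to this file. Make sure you do not set the same log file for both the API and registry servers!` now sits above nothing, because the `log_file` line was dropped in favour of syslog; the same dangling comment is in glance-registry.conf, and either removing the two comment lines or keeping a commented `#log_file = <path>` under them would avoid confusing whoever copies the sample. This hunk also opens with `debug = true` and `verbose = true`, which a sample headed for production probably should not default to.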
@@ -0,0 +1,149 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+verbose = true
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+debug = true
+
+log_file = /var/log/glance/image-cache.log
+
+# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
+#use_syslog = False
+use_syslog = true
+
+# Directory that the Image Cache writes data to
+image_cache_dir = /var/lib/glance/image-cache/
+
+# Number of seconds after which we should consider an incomplete image to be
+# stalled and eligible for reaping
+image_cache_stall_time = 86400
+
+# image_cache_invalid_entry_grace_period - seconds
+#
+# If an exception is raised as we're writing to the cache, the cache-entry is
+# deemed invalid and moved to /invalid so that it can be
+# inspected for debugging purposes.
+#
+# This is number of seconds to leave these invalid images around before they
+# are elibible to be reaped.
+image_cache_invalid_entry_grace_period = 3600
+
+# Max cache size in bytes
+image_cache_max_size = 10737418240
+
+# Address to find the registry server
+registry_host = 127.0.0.1
+
+# Port the registry server is listening on
+registry_port = 9191
+
+# Auth settings if using Keystone
+# auth_url = http://127.0.0.1:5000/v2.0/
+auth_url = http://127.0.0.1:35357
+# admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_tenant_name = services
+# admin_user = %SERVICE_USER%
+admin_user = glance
+# admin_password = %SERVICE_PASSWORD%
+admin_password = HJhOWm8t
+
+# List of which store classes and store class locations are
+# currently known to glance at startup.
+# known_stores = glance.store.filesystem.Store,
+# glance.store.http.Store,
+# glance.store.rbd.Store,
+# glance.store.s3.Store,
+# glance.store.swift.Store,
+
+# ============ Filesystem Store Options ========================
+
+# Directory that the Filesystem backend store
+# writes image data to
+filesystem_store_datadir = /var/lib/glance/images/
+
+# ============ Swift Store Options =============================
+
+# Version of the authentication service to use
+# Valid versions are '2' for keystone and '1' for swauth and rackspace
+swift_store_auth_version = 2
+
+# Address where the Swift authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified, default to 'https://'
+# For swauth, use something like '127.0.0.1:8080/v1.0/'
+swift_store_auth_address = 127.0.0.1:5000/v2.0/
+
+# User to authenticate against the Swift authentication service
+# If you use Swift authentication service, set it to 'account':'user'
+# where 'account' is a Swift storage account and 'user'
+# is a user in that account
+swift_store_user = jdoe:jdoe
+
+# Auth key for the user authenticating against the
+# Swift authentication service
+swift_store_key = a86850deb2742ec3cb41518e26aa2d89
+
+# Container within the account that the account should use
+# for storing images in Swift
+swift_store_container = glance
+
+# Do we create the container if it does not exist?
+swift_store_create_container_on_put = False
+
+# What size, in MB, should Glance start chunking image files
+# and do a large object manifest in Swift? By default, this is
+# the maximum object size in Swift, which is 5GB
+swift_store_large_object_size = 5120
+
+# When doing a large object manifest, what size, in MB, should
+# Glance write chunks to Swift?
This amount of data is written
+# to a temporary disk buffer during the process of chunking
+# the image file, and the default is 200MB
+swift_store_large_object_chunk_size = 200
+
+# Whether to use ServiceNET to communicate with the Swift storage servers.
+# (If you aren't RACKSPACE, leave this False!)
+#
+# To use ServiceNET for authentication, prefix hostname of
+# `swift_store_auth_address` with 'snet-'.
+# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
+swift_enable_snet = False
+
+# ============ S3 Store Options =============================
+
+# Address where the S3 authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified, default to 'http://'
+s3_store_host = 127.0.0.1:8080/v1.0/
+
+# User to authenticate against the S3 authentication service
+s3_store_access_key = <20-char AWS access key>
+
+# Auth key for the user authenticating against the
+# S3 authentication service
+s3_store_secret_key = <40-char AWS secret key>
+
+# Container within the account that the account should use
+# for storing images in S3. Note that S3 has a flat namespace,
+# so you need a unique bucket name for your glance images. An
+# easy way to do this is append your AWS access key to "glance".
+# S3 buckets in AWS *must* be lowercased, so remember to lowercase
+# your AWS access key if you use it in your bucket name below!
+s3_store_bucket = glance
+
+# Do we create the bucket if it does not exist?
+s3_store_create_bucket_on_put = False
+
+# When sending images to S3, the data will first be written to a
+# temporary buffer on disk. By default the platform's temporary directory
+# will be used. If required, an alternative directory can be specified here.
+# s3_store_object_buffer_dir = /path/to/dir
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+# metadata_encryption_key = <16, 24 or 32 char registry metadata key>
diff --git a/config_samples/config/host1/glance/glance-registry-paste.ini b/config_samples/config/host1/glance/glance-registry-paste.ini
new file mode 100644
index 0000000..5519c5c
--- /dev/null
+++ b/config_samples/config/host1/glance/glance-registry-paste.ini
@@ -0,0 +1,19 @@
+# Use this pipeline for no auth - DEFAULT
+[pipeline:glance-registry]
+pipeline = unauthenticated-context registryapp
+
+# Use this pipeline for keystone auth
+[pipeline:glance-registry-keystone]
+pipeline = authtoken context registryapp
+
+[app:registryapp]
+paste.app_factory = glance.registry.api.v1:API.factory
+
+[filter:context]
+paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
+
+[filter:unauthenticated-context]
+paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
+
+[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
diff --git a/config_samples/config/host1/glance/glance-registry.conf b/config_samples/config/host1/glance/glance-registry.conf
new file mode 100644
index 0000000..fd23e1c
--- /dev/null
+++ b/config_samples/config/host1/glance/glance-registry.conf
@@ -0,0 +1,96 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+verbose = true
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+debug = true
+
+# Address to bind the registry server
+bind_host = 0.0.0.0
+
+# Port the bind the registry server to
+bind_port = 9191
+
+# Log to this file. Make sure you do not set the same log
+# file for both the API and registry servers!
+
+# Backlog requests when creating socket
+backlog = 4096
+
+# TCP_KEEPIDLE value in seconds when creating socket.
+# Not supported on OS X.
+#tcp_keepidle = 600
+
+# SQLAlchemy connection string for the reference implementation
+# registry server. Any valid SQLAlchemy connection string is fine.
+# See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine
+sql_connection = mysql://glance:fXcrTaoy@127.0.0.1/glance
+
+# Period in seconds after which SQLAlchemy should reestablish its connection
+# to the database.
+#
+# MySQL uses a default `wait_timeout` of 8 hours, after which it will drop
+# idle connections. This can result in 'MySQL Gone Away' exceptions. If you
+# notice this, you can lower this value to ensure that SQLAlchemy reconnects
+# before MySQL can drop the connection.
+sql_idle_timeout = 3600
+
+# Limit the api to return `param_limit_max` items in a call to a container. If
+# a larger `limit` query param is provided, it will be reduced to this value.
+api_limit_max = 1000
+
+# If a `limit` query param is not provided in an api request, it will
+# default to `limit_param_default`
+limit_param_default = 25
+
+# Role used to identify an authenticated user as administrator
+#admin_role = admin
+
+# Whether to automatically create the database tables.
+# Default: False
+#db_auto_create = False
+
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+#use_syslog = False
+use_syslog = true
+
+# Facility to use. If unset defaults to LOG_USER.
+#syslog_log_facility = LOG_LOCAL1
+
+# ================= SSL Options ===============================
+
+# Certificate file to use when starting registry server securely
+#cert_file = /path/to/certfile
+
+# Private key file to use when starting registry server securely
+#key_file = /path/to/keyfile
+
+# CA certificate file to use to verify connecting clients
+#ca_file = /path/to/cafile
+log_config=/etc/glance/logging.conf
+
+[keystone_authtoken]
+auth_host = 127.0.0.1
+auth_port = 35357
+auth_protocol = http
+admin_tenant_name = services
+admin_user = glance
+admin_password = HJhOWm8t
+signing_dir=/tmp/keystone-signing-glance
+signing_dirname=/tmp/keystone-signing-glance
+
+[paste_deploy]
+# Name of the paste configuration file that defines the available pipelines
+#config_file = glance-registry-paste.ini
+
+# Partial name of a pipeline in your paste configuration file with the
+# service name removed. For example, if your paste section name is
+# [pipeline:glance-registry-keystone], you would configure the flavor below
+# as 'keystone'.
+#flavor=
+flavor=keystone
diff --git a/config_samples/config/host1/glance/glance-scrubber.conf b/config_samples/config/host1/glance/glance-scrubber.conf
new file mode 100644
index 0000000..9273043
--- /dev/null
+++ b/config_samples/config/host1/glance/glance-scrubber.conf
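Review bot: `sql_connection = mysql://glance:fXcrTaoy@127.0.0.1/glance` under [DEFAULT] and `admin_password = HJhOWm8t` under [keystone_authtoken] commit values that look like real credentials rather than placeholders, and the same pattern repeats in keystone.conf (`admin_token`, `[sql] connection`) and nova.conf (`sql_connection`, `rabbit_password`, `admin_password`). A sample tree should carry obviously fake markers such as `admin_password = <GLANCE_SERVICE_PASSWORD>` so a copy-paste deployment cannot reuse them, and if these were ever live they need rotating independently of this patch. Separately, `signing_dir=/tmp/keystone-signing-glance` puts the auth_token certificate cache in a world-writable directory (nova.conf does the same); the middleware's default under the service user's home, or a service-owned directory like the `/var/lib/...` path shown commented in nova's api-paste.ini, is the safer choice. `signing_dirname` on the following line is not an option name I recognise for this middleware — presumably a leftover from an earlier edit that should be dropped or confirmed.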
@@ -0,0 +1,40 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+
+# Log to this file. Make sure you do not set the same log
+# file for both the API and registry servers!
+log_file = /var/log/glance/scrubber.log
+
+# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
+#use_syslog = False
+
+# Should we run our own loop or rely on cron/scheduler to run us
+daemon = False
+
+# Loop time between checking for new items to schedule for delete
+wakeup_time = 300
+
+# Directory that the scrubber will use to remind itself of what to delete
+# Make sure this is also set in glance-api.conf
+scrubber_datadir = /var/lib/glance/scrubber
+
+# Only one server in your deployment should be designated the cleanup host
+cleanup_scrubber = False
+
+# pending_delete items older than this time are candidates for cleanup
+cleanup_scrubber_time = 86400
+
+# Address to find the registry server for cleanups
+registry_host = 0.0.0.0
+
+# Port the registry server is listening on
+registry_port = 9191
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
diff --git a/config_samples/config/host1/glance/logging.conf b/config_samples/config/host1/glance/logging.conf
new file mode 100644
index 0000000..fc6b948
--- /dev/null
+++ b/config_samples/config/host1/glance/logging.conf
@@ -0,0 +1,35 @@
+[loggers]
+keys = root
+
+# devel is reserved for future usage
+[handlers]
+keys = production,devel
+
+[formatters]
+keys = normal,debug
+
+[logger_root]
+level = NOTSET
+handlers = production
+propagate = 1
+#qualname = glance
+
+[formatter_debug]
+format = glance-%(name)s %(levelname)s: %(module)s %(funcName)s %(message)s
+
+[formatter_normal]
+format = glance-%(name)s %(levelname)s: %(message)s
+
+# Extended logging info to LOG_LOCAL2 with debug:true and verbose:true
+# Note: local copy goes to /var/log/glance-all.log
+[handler_production]
+class = handlers.SysLogHandler
+level = DEBUG
+args = ('/dev/log', handlers.SysLogHandler.LOG_LOCAL2)
+formatter = normal
+
+# TODO find out how it could be usefull and how it should be used
+[handler_devel]
+class = StreamHandler
+formatter = debug
+args = (sys.stdout,)
diff --git a/config_samples/config/host1/glance/policy.json b/config_samples/config/host1/glance/policy.json
new file mode 100644
index 0000000..30ef83c
--- /dev/null
+++ b/config_samples/config/host1/glance/policy.json
@@ -0,0 +1,4 @@
+{
+ "default": "",
+ "manage_image_cache": "role:admin"
+}
diff --git a/config_samples/config/host1/glance/schema-image.json b/config_samples/config/host1/glance/schema-image.json
new file mode 100644
index 0000000..5aafd6b
--- /dev/null
+++ b/config_samples/config/host1/glance/schema-image.json
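Review bot: `"default": ""` in glance's policy.json is an empty rule, which the policy engine evaluates as unconditional allow, so every Glance action not listed here (image create, update, delete, member changes) passes the policy check for any caller that reaches the API; only `manage_image_cache` is restricted to `role:admin`. That is the upstream default of the period, but it is only safe while the keystone flavor is selected — glance-registry-paste.ini in this same commit makes the `unauthenticated-context` pipeline the no-flavor default. Since JSON cannot carry a comment, the sample tree should document the choice next to the file, or tighten it to something like `"default": "role:admin"` with explicit per-action rules if image operations are meant to be admin-only in these samples.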
@@ -0,0 +1,28 @@
+{
+ "kernel_id": {
+ "type": "string",
+ "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
+ "description": "ID of image stored in Glance that should be used as the kernel when booting an AMI-style image."
+ },
+ "ramdisk_id": {
+ "type": "string",
+ "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
+ "description": "ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image."
+ },
+ "instance_uuid": {
+ "type": "string",
+ "description": "ID of instance used to create this image."
+ },
+ "architecture": {
+ "description": "Operating system architecture as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html",
+ "type": "string"
+ },
+ "os_distro": {
+ "description": "Common name of operating system distribution as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html",
+ "type": "string"
+ },
+ "os_version": {
+ "description": "Operating system version as specified by the distributor",
+ "type": "string"
+ }
+}
diff --git a/config_samples/config/host2/keystone/default_catalog.templates b/config_samples/config/host2/keystone/default_catalog.templates
new file mode 100644
index 0000000..eb1e044
--- /dev/null
+++ b/config_samples/config/host2/keystone/default_catalog.templates
@@ -0,0 +1,27 @@
+# config for TemplatedCatalog, using camelCase because I don't want to do
+# translations for keystone compat
+catalog.RegionOne.identity.publicURL = http://localhost:$(public_port)s/v2.0
+catalog.RegionOne.identity.adminURL = http://localhost:$(admin_port)s/v2.0
+catalog.RegionOne.identity.internalURL = http://localhost:$(public_port)s/v2.0
+catalog.RegionOne.identity.name = Identity Service
+
+# fake compute service for now to help novaclient tests work
+catalog.RegionOne.compute.publicURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.adminURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.internalURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
+catalog.RegionOne.compute.name = Compute Service
+
+catalog.RegionOne.volume.publicURL = http://localhost:8776/v1/$(tenant_id)s
+catalog.RegionOne.volume.adminURL = http://localhost:8776/v1/$(tenant_id)s
+catalog.RegionOne.volume.internalURL = http://localhost:8776/v1/$(tenant_id)s
+catalog.RegionOne.volume.name = Volume Service
+
+catalog.RegionOne.ec2.publicURL = http://localhost:8773/services/Cloud
+catalog.RegionOne.ec2.adminURL = http://localhost:8773/services/Admin
+catalog.RegionOne.ec2.internalURL = http://localhost:8773/services/Cloud
+catalog.RegionOne.ec2.name = EC2 Service
+
+catalog.RegionOne.image.publicURL = http://localhost:9292/v1
+catalog.RegionOne.image.adminURL = http://localhost:9292/v1
+catalog.RegionOne.image.internalURL = http://localhost:9292/v1
+catalog.RegionOne.image.name = Image Service
diff --git a/config_samples/config/host2/keystone/keystone.conf b/config_samples/config/host2/keystone/keystone.conf
new file mode 100644
index 0000000..912dce7
--- /dev/null
+++ b/config_samples/config/host2/keystone/keystone.conf
@@ -0,0 +1,320 @@ +[DEFAULT] +# A "shared secret" between keystone and other openstack services +# admin_token = ADMIN +admin_token = 5nP3wXsf + +# The IP address of the network interface to listen on +# bind_host = 0.0.0.0 +bind_host = 0.0.0.0 + +# The port number which the public service listens on +# public_port = 5000 +public_port = 5000 + +# The port number which the public admin listens on +# admin_port = 35357 +admin_port = 35357 + +# The base endpoint URLs for keystone that are advertised to clients +# (NOTE: this does NOT affect how keystone listens for connections) +# public_endpoint = http://localhost:%(public_port)d/ +# admin_endpoint = http://localhost:%(admin_port)d/ + +# The port number which the OpenStack Compute service listens on +# compute_port = 8774 +compute_port = 3000 + +# Path to your policy definition containing identity actions +# policy_file = policy.json + +# Rule to check if no matching policy definition is found +# FIXME(dolph): This should really be defined as [policy] default_rule +# policy_default_rule = admin_required + +# Role for migrating membership relationships +# During a SQL upgrade, the following values will be used to create a new role +# that will replace records in the user_tenant_membership table with explicit +# role grants. After migration, the member_role_id will be used in the API +# add_user_to_project, and member_role_name will be ignored. +# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab +# member_role_name = _member_ + +# === Logging Options === +# Print debugging output +# (includes plaintext request logging, potentially including passwords) +# debug = False +debug = true + +# Print more verbose output +# verbose = False +verbose = true + +# Name of log file to output to. If not set, logging will go to stdout. +# log_file = keystone.log + +# The directory to keep log files in (will be prepended to --logfile) +# log_dir = /var/log/keystone + +# Use syslog for logging. 
+# use_syslog = False +use_syslog = true + +# syslog facility to receive log lines +# syslog_log_facility = LOG_USER + +# If this option is specified, the logging configuration file specified is +# used and overrides any other logging options specified. Please see the +# Python logging module documentation for details on logging configuration +# files. +# log_config = logging.conf +log_config = /etc/keystone/logging.conf + +# A logging.Formatter log message format string which may use any of the +# available logging.LogRecord attributes. +# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s + +# Format string for %(asctime)s in log records. +# log_date_format = %Y-%m-%d %H:%M:%S + +# onready allows you to send a notification when the process is ready to serve +# For example, to have it notify using systemd, one could set shell command: +# onready = systemd-notify --ready +# or a module with notify() method: +# onready = keystone.common.systemd + +[sql] +connection = mysql://keystone:8aInLVPS@127.0.0.1/keystone +# The SQLAlchemy connection string used to connect to the database +# connection = sqlite:///keystone.db + +# the timeout before idle sql connections are reaped +# idle_timeout = 200 +idle_timeout = 200 + +[identity] +driver = keystone.identity.backends.sql.Identity +# driver = keystone.identity.backends.sql.Identity + +# This references the domain to use for all Identity API v2 requests (which are +# not aware of domains). A domain with this ID will be created for you by +# keystone-manage db_sync in migration 008. The domain referenced by this ID +# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. +# There is nothing special about this domain, other than the fact that it must +# exist to order to maintain support for your v2 clients. 
+# default_domain_id = default + +[trust] +# driver = keystone.trust.backends.sql.Trust + +# delegation and impersonation features can be optionally disabled +# enabled = True + +[catalog] +template_file = /etc/keystone/default_catalog.templates +driver = keystone.catalog.backends.sql.Catalog +# dynamic, sql-based backend (supports API/CLI-based management commands) +# driver = keystone.catalog.backends.sql.Catalog + +# static, file-based backend (does *NOT* support any management commands) +# driver = keystone.catalog.backends.templated.TemplatedCatalog + +# template_file = default_catalog.templates + +[token] +driver = keystone.token.backends.sql.Token +# driver = keystone.token.backends.kvs.Token + +# Amount of time a token should remain valid (in seconds) +# expiration = 86400 + +[policy] +# driver = keystone.policy.backends.sql.Policy +driver = keystone.policy.backends.rules.Policy + +[ec2] +driver = keystone.contrib.ec2.backends.sql.Ec2 +# driver = keystone.contrib.ec2.backends.kvs.Ec2 + +[ssl] +#enable = True +#certfile = /etc/keystone/ssl/certs/keystone.pem +#keyfile = /etc/keystone/ssl/private/keystonekey.pem +#ca_certs = /etc/keystone/ssl/certs/ca.pem +#cert_required = True + +[signing] +#token_format = PKI +token_format = UUID +#certfile = /etc/keystone/ssl/certs/signing_cert.pem +#keyfile = /etc/keystone/ssl/private/signing_key.pem +#ca_certs = /etc/keystone/ssl/certs/ca.pem +#key_size = 1024 +#valid_days = 3650 +#ca_password = None + +[ldap] +# url = ldap://localhost +# user = dc=Manager,dc=example,dc=com +# password = None +# suffix = cn=example,cn=com +# use_dumb_member = False +# allow_subtree_delete = False +# dumb_member = cn=dumb,dc=example,dc=com + +# Maximum results per page; a value of zero ('0') disables paging (default) +# page_size = 0 + +# The LDAP dereferencing option for queries. This can be either 'never', +# 'searching', 'always', 'finding' or 'default'. 
The 'default' option falls +# back to using default dereferencing configured by your ldap.conf. +# alias_dereferencing = default + +# The LDAP scope for queries, this can be either 'one' +# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree) +# query_scope = one + +# user_tree_dn = ou=Users,dc=example,dc=com +# user_filter = +# user_objectclass = inetOrgPerson +# user_domain_id_attribute = businessCategory +# user_id_attribute = cn +# user_name_attribute = sn +# user_mail_attribute = email +# user_pass_attribute = userPassword +# user_enabled_attribute = enabled +# user_enabled_mask = 0 +# user_enabled_default = True +# user_attribute_ignore = tenant_id,tenants +# user_allow_create = True +# user_allow_update = True +# user_allow_delete = True +# user_enabled_emulation = False +# user_enabled_emulation_dn = + +# tenant_tree_dn = ou=Groups,dc=example,dc=com +# tenant_filter = +# tenant_objectclass = groupOfNames +# tenant_domain_id_attribute = businessCategory +# tenant_id_attribute = cn +# tenant_member_attribute = member +# tenant_name_attribute = ou +# tenant_desc_attribute = desc +# tenant_enabled_attribute = enabled +# tenant_attribute_ignore = +# tenant_allow_create = True +# tenant_allow_update = True +# tenant_allow_delete = True +# tenant_enabled_emulation = False +# tenant_enabled_emulation_dn = + +# role_tree_dn = ou=Roles,dc=example,dc=com +# role_filter = +# role_objectclass = organizationalRole +# role_id_attribute = cn +# role_name_attribute = ou +# role_member_attribute = roleOccupant +# role_attribute_ignore = +# role_allow_create = True +# role_allow_update = True +# role_allow_delete = True + +# group_tree_dn = +# group_filter = +# group_objectclass = groupOfNames +# group_id_attribute = cn +# group_name_attribute = ou +# group_member_attribute = member +# group_desc_attribute = desc +# group_attribute_ignore = +# group_allow_create = True +# group_allow_update = True +# group_allow_delete = True + +[auth] +methods = password,token +password = 
keystone.auth.plugins.password.Password +token = keystone.auth.plugins.token.Token + +[filter:debug] +paste.filter_factory = keystone.common.wsgi:Debug.factory + +[filter:token_auth] +paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory + +[filter:admin_token_auth] +paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory + +[filter:xml_body] +paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory + +[filter:json_body] +paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory + +[filter:user_crud_extension] +paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory + +[filter:crud_extension] +paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory + +[filter:ec2_extension] +paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory + +[filter:s3_extension] +paste.filter_factory = keystone.contrib.s3:S3Extension.factory + +[filter:url_normalize] +paste.filter_factory = keystone.middleware:NormalizingFilter.factory + +[filter:sizelimit] +paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory + +[filter:stats_monitoring] +paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory + +[filter:stats_reporting] +paste.filter_factory = keystone.contrib.stats:StatsExtension.factory + +[filter:access_log] +paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory + +[app:public_service] +paste.app_factory = keystone.service:public_app_factory + +[app:service_v3] +paste.app_factory = keystone.service:v3_app_factory + +[app:admin_service] +paste.app_factory = keystone.service:admin_app_factory + +[pipeline:public_api] +pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service + +[pipeline:admin_api] +pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension 
crud_extension admin_service + +[pipeline:api_v3] +pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3 + +[app:public_version_service] +paste.app_factory = keystone.service:public_version_app_factory + +[app:admin_version_service] +paste.app_factory = keystone.service:admin_version_app_factory + +[pipeline:public_version_api] +pipeline = stats_monitoring url_normalize xml_body public_version_service + +[pipeline:admin_version_api] +pipeline = stats_monitoring url_normalize xml_body admin_version_service + +[composite:main] +use = egg:Paste#urlmap +/v2.0 = public_api +/v3 = api_v3 +/ = public_version_api + +[composite:admin] +use = egg:Paste#urlmap +/v2.0 = admin_api +/v3 = api_v3 +/ = admin_version_api diff --git a/config_samples/config/host2/keystone/logging.conf b/config_samples/config/host2/keystone/logging.conf new file mode 100644 index 0000000..14619d9 --- /dev/null +++ b/config_samples/config/host2/keystone/logging.conf @@ -0,0 +1,35 @@ +[loggers] +keys = root + +# devel is reserved for future usage +[handlers] +keys = production,devel + +[formatters] +keys = normal,debug + +[logger_root] +level = NOTSET +handlers = production +propagate = 1 +#qualname = keystone + +[formatter_debug] +format = keystone-%(name)s %(levelname)s: %(module)s %(funcName)s %(message)s + +[formatter_normal] +format = keystone-%(name)s %(levelname)s: %(message)s + +# Extended logging info to LOG_LOCAL7 with debug:true and verbose:true +# Note: local copy goes to /var/log/keystone-all.log +[handler_production] +class = handlers.SysLogHandler +level = DEBUG +args = ('/dev/log', handlers.SysLogHandler.LOG_LOCAL7) +formatter = normal + +# TODO find out how it could be usefull and how it should be used +[handler_devel] +class = StreamHandler +formatter = debug +args = (sys.stdout,) 
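Review bot: `debug = true` in keystone.conf's [DEFAULT] sits directly under the comment warning that it "includes plaintext request logging, potentially including passwords", and `use_syslog = true` together with `log_config = /etc/keystone/logging.conf` (whose production handler is a LOG_LOCAL7 SysLogHandler at DEBUG) ships those records into syslog storage, where request bodies carrying passwords and tokens would persist. For a sample meant to be copied, `debug = False` — or at minimum a comment stating the flag must be off outside troubleshooting — is the safer default. With `[ssl]` left entirely commented out, the admin API on port 35357 also carries the admin token and user passwords over plain HTTP, which a sample should call out as lab-only.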
diff --git a/config_samples/config/host2/keystone/policy.json b/config_samples/config/host2/keystone/policy.json
new file mode 100644
index 0000000..f53161e
--- /dev/null
+++ b/config_samples/config/host2/keystone/policy.json
@@ -0,0 +1,86 @@
+{
+ "admin_required": [["role:admin"], ["is_admin:1"]],
+ "owner" : [["user_id:%(user_id)s"]],
+ "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
+
+ "default": [["rule:admin_required"]],
+
+ "identity:get_service": [["rule:admin_required"]],
+ "identity:list_services": [["rule:admin_required"]],
+ "identity:create_service": [["rule:admin_required"]],
+ "identity:update_service": [["rule:admin_required"]],
+ "identity:delete_service": [["rule:admin_required"]],
+
+ "identity:get_endpoint": [["rule:admin_required"]],
+ "identity:list_endpoints": [["rule:admin_required"]],
+ "identity:create_endpoint": [["rule:admin_required"]],
+ "identity:update_endpoint": [["rule:admin_required"]],
+ "identity:delete_endpoint": [["rule:admin_required"]],
+
+ "identity:get_domain": [["rule:admin_required"]],
+ "identity:list_domains": [["rule:admin_required"]],
+ "identity:create_domain": [["rule:admin_required"]],
+ "identity:update_domain": [["rule:admin_required"]],
+ "identity:delete_domain": [["rule:admin_required"]],
+
+ "identity:get_project": [["rule:admin_required"]],
+ "identity:list_projects": [["rule:admin_required"]],
+ "identity:list_user_projects": [["rule:admin_or_owner"]],
+ "identity:create_project": [["rule:admin_or_owner"]],
+ "identity:update_project": [["rule:admin_required"]],
+ "identity:delete_project": [["rule:admin_required"]],
+
+ "identity:get_user": [["rule:admin_required"]],
+ "identity:list_users": [["rule:admin_required"]],
+ "identity:create_user": [["rule:admin_required"]],
+ "identity:update_user": [["rule:admin_or_owner"]],
+ "identity:delete_user": [["rule:admin_required"]],
+
+ "identity:get_group": [["rule:admin_required"]],
+ "identity:list_groups": [["rule:admin_required"]],
+ "identity:list_groups_for_user": [["rule:admin_or_owner"]],
+ "identity:create_group": [["rule:admin_required"]],
+ "identity:update_group": [["rule:admin_required"]],
+ "identity:delete_group": [["rule:admin_required"]],
+ "identity:list_users_in_group": [["rule:admin_required"]],
+ "identity:remove_user_from_group": [["rule:admin_required"]],
+ "identity:check_user_in_group": [["rule:admin_required"]],
+ "identity:add_user_to_group": [["rule:admin_required"]],
+
+ "identity:get_credential": [["rule:admin_required"]],
+ "identity:list_credentials": [["rule:admin_required"]],
+ "identity:create_credential": [["rule:admin_required"]],
+ "identity:update_credential": [["rule:admin_required"]],
+ "identity:delete_credential": [["rule:admin_required"]],
+
+ "identity:get_role": [["rule:admin_required"]],
+ "identity:list_roles": [["rule:admin_required"]],
+ "identity:create_role": [["rule:admin_required"]],
+ "identity:update_role": [["rule:admin_required"]],
+ "identity:delete_role": [["rule:admin_required"]],
+
+ "identity:check_grant": [["rule:admin_required"]],
+ "identity:list_grants": [["rule:admin_required"]],
+ "identity:create_grant": [["rule:admin_required"]],
+ "identity:revoke_grant": [["rule:admin_required"]],
+
+ "identity:get_policy": [["rule:admin_required"]],
+ "identity:list_policies": [["rule:admin_required"]],
+ "identity:create_policy": [["rule:admin_required"]],
+ "identity:update_policy": [["rule:admin_required"]],
+ "identity:delete_policy": [["rule:admin_required"]],
+
+ "identity:check_token": [["rule:admin_required"]],
+ "identity:validate_token": [["rule:admin_required"]],
+ "identity:revocation_list": [["rule:admin_required"]],
+ "identity:revoke_token": [["rule:admin_required"],
+ ["user_id:%(user_id)s"]],
+
+ "identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
+ "identity:get_trust": [["rule:admin_or_owner"]],
+ "identity:list_trusts": [["@"]],
+ "identity:list_roles_for_trust": [["@"]],
+ "identity:check_role_for_trust": [["@"]],
+ "identity:get_role_for_trust": [["@"]],
+ "identity:delete_trust": [["@"]]
+}
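Review bot: the trust rules at the end — `"identity:list_trusts": [["@"]]`, `"identity:list_roles_for_trust"`, `"identity:check_role_for_trust"`, `"identity:get_role_for_trust"` and `"identity:delete_trust"` — use `@`, which in this list-of-lists syntax is the unconditional allow, so any authenticated caller passes the policy check for listing and deleting trusts and access control for those calls rests entirely on ownership checks inside the trust controller, which this file cannot show. That appears to mirror the upstream Grizzly policy, but a sample tree should note the dependency so nobody tightens the controller and assumes policy still covers it. Minor style: `"owner" : [[...]]` is the only key with a space before the colon; `"owner": [["user_id:%(user_id)s"]],` would match the rest of the file.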
diff --git a/config_samples/config/host2/nova/api-paste.ini b/config_samples/config/host2/nova/api-paste.ini
new file mode 100644
index 0000000..a9f53df
--- /dev/null
+++ b/config_samples/config/host2/nova/api-paste.ini
@@ -0,0 +1,107 @@
+############
+# Metadata #
+############
+[composite:metadata]
+use = egg:Paste#urlmap
+/: meta
+
+[pipeline:meta]
+pipeline = ec2faultwrap logrequest metaapp
+
+[app:metaapp]
+paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
+
+#######
+# EC2 #
+#######
+
+[composite:ec2]
+use = egg:Paste#urlmap
+/services/Cloud: ec2cloud
+
+[composite:ec2cloud]
+use = call:nova.api.auth:pipeline_factory
+noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
+keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
+
+[filter:ec2faultwrap]
+paste.filter_factory = nova.api.ec2:FaultWrapper.factory
+
+[filter:logrequest]
+paste.filter_factory = nova.api.ec2:RequestLogging.factory
+
+[filter:ec2lockout]
+paste.filter_factory = nova.api.ec2:Lockout.factory
+
+[filter:ec2keystoneauth]
+paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
+
+[filter:ec2noauth]
+paste.filter_factory = nova.api.ec2:NoAuth.factory
+
+[filter:cloudrequest]
+controller = nova.api.ec2.cloud.CloudController
+paste.filter_factory = nova.api.ec2:Requestify.factory
+
+[filter:authorizer]
+paste.filter_factory = nova.api.ec2:Authorizer.factory
+
+[filter:validator]
+paste.filter_factory = nova.api.ec2:Validator.factory
+
+[app:ec2executor]
+paste.app_factory = nova.api.ec2:Executor.factory
+
+#############
+# Openstack #
+#############
+
+[composite:osapi_compute]
+use = call:nova.api.openstack.urlmap:urlmap_factory
+/: oscomputeversions
+/v1.1: openstack_compute_api_v2
+/v2: openstack_compute_api_v2
+
+[composite:openstack_compute_api_v2]
+use = call:nova.api.auth:pipeline_factory
+noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
+keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
+keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
+
+[filter:faultwrap]
+paste.filter_factory = nova.api.openstack:FaultWrapper.factory
+
+[filter:noauth]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
+
+[filter:ratelimit]
+paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
+limits=(POST, "*", .*, 1000, MINUTE);(POST, "*/servers", ^/servers, 1000, DAY);(PUT, "*", .*, 1000, MINUTE);(GET, "*changes-since*", .*changes-since.*, 1000, MINUTE);(DELETE, "*", .*, 1000, MINUTE)
+
+[filter:sizelimit]
+paste.filter_factory = nova.api.sizelimit:RequestBodySizeLimiter.factory
+
+[app:osapi_compute_app_v2]
+paste.app_factory = nova.api.openstack.compute:APIRouter.factory
+
+[pipeline:oscomputeversions]
+pipeline = faultwrap oscomputeversionapp
+
+[app:oscomputeversionapp]
+paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
+
+##########
+# Shared #
+##########
+
+[filter:keystonecontext]
+paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient. It will create a temporary directory
+# in the home directory for the user the nova process is running as.
+#signing_dir = /var/lib/nova/keystone-signing
+# Workaround for https://bugs.launchpad.net/nova/+bug/1154809
+auth_version = v2.0
diff --git a/config_samples/config/host2/nova/logging.conf b/config_samples/config/host2/nova/logging.conf
new file mode 100644
index 0000000..9c497a0
--- /dev/null
+++ b/config_samples/config/host2/nova/logging.conf
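Review bot: `[filter:ec2lockout]` and `[filter:authorizer]` are defined but appear in neither `ec2cloud` pipeline (`noauth = ...`, `keystone = ...`), so the EC2 endpoint in this sample has no failed-login lockout in front of `ec2keystoneauth`. If that is deliberate — it seems to match the upstream sample of the period — a comment on the unused filter saying so would stop readers assuming the protection is active; otherwise add `ec2lockout` after `logrequest` in the keystone pipeline. The `limits=` line that raises every compute rate limit to 1000 per MINUTE/DAY is likewise a deployment choice a sample should justify in a comment, since it also governs how much a single tenant can hammer the API.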
@@ -0,0 +1,35 @@
+[loggers]
+keys = root
+
+# devel is reserved for future usage
+[handlers]
+keys = production,devel
+
+[formatters]
+keys = normal,debug
+
+[logger_root]
+level = NOTSET
+handlers = production
+propagate = 1
+#qualname = nova
+
+[formatter_debug]
+format = nova-%(name)s %(levelname)s: %(module)s %(funcName)s %(message)s
+
+[formatter_normal]
+format = nova-%(name)s %(levelname)s: %(message)s
+
+# Extended logging info to LOG_LOCAL6 with debug:true and verbose:true
+# Note: local copy goes to /var/log/nova-all.log
+[handler_production]
+class = handlers.SysLogHandler
+level = DEBUG
+args = ('/dev/log', handlers.SysLogHandler.LOG_LOCAL6)
+formatter = normal
+
+# TODO find out how it could be usefull and how it should be used
+[handler_devel]
+class = StreamHandler
+formatter = debug
+args = (sys.stdout,)
diff --git a/config_samples/config/host2/nova/nova.conf b/config_samples/config/host2/nova/nova.conf
new file mode 100644
index 0000000..5b2867f
--- /dev/null
+++ b/config_samples/config/host2/nova/nova.conf
@@ -0,0 +1,71 @@
+[DEFAULT]
+state_path = /var/lib/nova
+lock_path = /var/lib/nova/tmp
+volumes_dir = /etc/nova/volumes
+dhcpbridge = /usr/bin/nova-dhcpbridge
+dhcpbridge_flagfile = /etc/nova/nova.conf
+force_dhcp_release = true
+injected_network_template = /usr/share/nova/interfaces.template
+libvirt_nonblocking = True
+libvirt_inject_partition = -1
+network_manager = nova.network.manager.VlanManager
+iscsi_helper = tgtadm
+sql_connection = mysql://nova:4ZDJNk2l@192.168.0.2/nova
+compute_driver = libvirt.LibvirtDriver
+firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
+rpc_backend = nova.rpc.impl_kombu
+rootwrap_config = /etc/nova/rootwrap.conf
+debug=true
+vncserver_proxyclient_address=192.168.0.3
+rabbit_hosts=192.168.0.2:5672
+osapi_compute_listen=192.168.0.3
+ec2_listen=192.168.0.3
+glance_api_servers=192.168.0.2:9292
+rabbit_userid=nova
+rabbit_ha_queues=True
+rabbit_password=HNmMv5tY
+verbose=true
+logging_default_format_string=%(levelname)s %(name)s [-] %(instance)s %(message)s
+logging_context_format_string=%(levelname)s %(name)s [%(request_id)s %(user_id)s %(project_id)s] %(instance)s %(message)s
+enabled_apis=metadata
+vnc_enabled=true
+rabbit_virtual_host=/
+image_service=nova.image.glance.GlanceImageService
+volume_api_class=nova.volume.cinder.API
+log_config=/etc/nova/logging.conf
+rabbit_port=5672
+vlan_start=383
+api_paste_config=/etc/nova/api-paste.ini
+novncproxy_base_url=http://172.18.165.37:6080/vnc_auto.html
+public_interface=eth1
+service_down_time=60
+syslog_log_facility=LOCAL6
+vncserver_listen=192.168.0.3
+osapi_volume_listen=192.168.0.3
+metadata_listen=192.168.0.3
+auth_strategy=keystone
+fixed_range=10.0.1.0/24
+use_syslog=True
+dhcp_domain=novalocal
+use_cow_images=true
+compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
+start_guests_on_host_boot=true
+metadata_host=192.168.0.3
+memcached_servers=127.0.0.1:11211
+send_arp_for_ha=True
+multi_host=True
+allow_resize_to_same_host=True
+libvirt_type=kvm
+vlan_interface=eth0
+connection_type=libvirt
+
+[keystone_authtoken]
+admin_tenant_name = services
+admin_user = nova
+admin_password = 8UKGDGt8
+auth_host = 192.168.0.2
+auth_port = 35357
+auth_protocol = http
+signing_dir = /tmp/keystone-signing-nova
+signing_dirname=/tmp/keystone-signing-nova
+
diff --git a/config_samples/config/host2/nova/policy.json b/config_samples/config/host2/nova/policy.json
new file mode 100644
index 0000000..5a6800f
--- /dev/null
+++ b/config_samples/config/host2/nova/policy.json
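Review bot: nova.conf commits what look like live credentials — the password embedded in `sql_connection = mysql://nova:4ZDJNk2l@192.168.0.2/nova`, `rabbit_password=HNmMv5tY` and `admin_password = 8UKGDGt8` under `[keystone_authtoken]` — and a sample configuration should carry obviously fake placeholders instead, e.g. `sql_connection = mysql://nova:<NOVA_DB_PASSWORD>@192.168.0.2/nova`. If any of these values was ever used on a real host it should be treated as disclosed and rotated, because editing the file in a later commit still leaves it in history. Separately, `signing_dir = /tmp/keystone-signing-nova` keeps the auth_token middleware's certificate and revocation-list cache in a world-writable directory where other local users can create or replace the path; the api-paste.ini in this same commit already documents the safer choices, the default private directory under the service user's home or `/var/lib/nova/keystone-signing`. The duplicated `signing_dirname=/tmp/keystone-signing-nova` line looks like the same setting under a stale option name and can probably be dropped once the first one is fixed.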
@@ -0,0 +1,161 @@
+{
+ "context_is_admin": "role:admin",
+ "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+ "default": "rule:admin_or_owner",
+
+
+ "compute:create": "",
+ "compute:create:attach_network": "",
+ "compute:create:attach_volume": "",
+ "compute:create:forced_host": "is_admin:True",
+ "compute:get_all": "",
+ "compute:get_all_tenants": "",
+
+
+ "admin_api": "is_admin:True",
+ "compute_extension:accounts": "rule:admin_api",
+ "compute_extension:admin_actions": "rule:admin_api",
+ "compute_extension:admin_actions:pause": "rule:admin_or_owner",
+ "compute_extension:admin_actions:unpause": "rule:admin_or_owner",
+ "compute_extension:admin_actions:suspend": "rule:admin_or_owner",
+ "compute_extension:admin_actions:resume": "rule:admin_or_owner",
+ "compute_extension:admin_actions:lock": "rule:admin_api",
+ "compute_extension:admin_actions:unlock": "rule:admin_api",
+ "compute_extension:admin_actions:resetNetwork": "rule:admin_api",
+ "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
+ "compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
+ "compute_extension:admin_actions:migrateLive": "rule:admin_api",
+ "compute_extension:admin_actions:resetState": "rule:admin_api",
+ "compute_extension:admin_actions:migrate": "rule:admin_api",
+ "compute_extension:aggregates": "rule:admin_api",
+ "compute_extension:agents": "rule:admin_api",
+ "compute_extension:attach_interfaces": "",
+ "compute_extension:baremetal_nodes": "rule:admin_api",
+ "compute_extension:cells": "rule:admin_api",
+ "compute_extension:certificates": "",
+ "compute_extension:cloudpipe": "rule:admin_api",
+ "compute_extension:cloudpipe_update": "rule:admin_api",
+ "compute_extension:console_output": "",
+ "compute_extension:consoles": "",
+ "compute_extension:coverage_ext": "rule:admin_api",
+ "compute_extension:createserverext": "",
+ "compute_extension:deferred_delete": "",
+ "compute_extension:disk_config": "",
+ "compute_extension:evacuate": "rule:admin_api",
+ "compute_extension:extended_server_attributes": "rule:admin_api",
+ "compute_extension:extended_status": "",
+ "compute_extension:extended_availability_zone": "",
+ "compute_extension:extended_ips": "",
+ "compute_extension:fixed_ips": "rule:admin_api",
+ "compute_extension:flavor_access": "",
+ "compute_extension:flavor_disabled": "",
+ "compute_extension:flavor_rxtx": "",
+ "compute_extension:flavor_swap": "",
+ "compute_extension:flavorextradata": "",
+ "compute_extension:flavorextraspecs:index": "",
+ "compute_extension:flavorextraspecs:show": "",
+ "compute_extension:flavorextraspecs:create": "rule:admin_api",
+ "compute_extension:flavorextraspecs:update": "rule:admin_api",
+ "compute_extension:flavorextraspecs:delete": "rule:admin_api",
+ "compute_extension:flavormanage": "rule:admin_api",
+ "compute_extension:floating_ip_dns": "",
+ "compute_extension:floating_ip_pools": "",
+ "compute_extension:floating_ips": "",
+ "compute_extension:floating_ips_bulk": "rule:admin_api",
+ "compute_extension:fping": "",
+ "compute_extension:fping:all_tenants": "rule:admin_api",
+ "compute_extension:hide_server_addresses": "is_admin:False",
+ "compute_extension:hosts": "rule:admin_api",
+ "compute_extension:hypervisors": "rule:admin_api",
+ "compute_extension:image_size": "",
+ "compute_extension:instance_actions": "",
+ "compute_extension:instance_actions:events": "rule:admin_api",
+ "compute_extension:instance_usage_audit_log": "rule:admin_api",
+ "compute_extension:keypairs": "",
+ "compute_extension:multinic": "",
+ "compute_extension:networks": "rule:admin_api",
+ "compute_extension:networks:view": "",
+ "compute_extension:networks_associate": "rule:admin_api",
+ "compute_extension:quotas:show": "",
+ "compute_extension:quotas:update": "rule:admin_api",
+ "compute_extension:quota_classes": "",
+ "compute_extension:rescue": "",
+ "compute_extension:security_group_default_rules": "rule:admin_api",
+ "compute_extension:security_groups": "",
+ "compute_extension:server_diagnostics": "rule:admin_api",
+ "compute_extension:server_password": "",
+ "compute_extension:services": "rule:admin_api",
+ "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
+ "compute_extension:simple_tenant_usage:list": "rule:admin_api",
+ "compute_extension:users": "rule:admin_api",
+ "compute_extension:virtual_interfaces": "",
+ "compute_extension:virtual_storage_arrays": "",
+ "compute_extension:volumes": "",
+ "compute_extension:volume_attachments:index": "",
+ "compute_extension:volume_attachments:show": "",
+ "compute_extension:volume_attachments:create": "",
+ "compute_extension:volume_attachments:delete": "",
+ "compute_extension:volumetypes": "",
+ "compute_extension:availability_zone:list": "",
+ "compute_extension:availability_zone:detail": "rule:admin_api",
+
+
+ "volume:create": "",
+ "volume:get_all": "",
+ "volume:get_volume_metadata": "",
+ "volume:get_snapshot": "",
+ "volume:get_all_snapshots": "",
+
+
+ "volume_extension:types_manage": "rule:admin_api",
+ "volume_extension:types_extra_specs": "rule:admin_api",
+ "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
+ "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
+
+
+ "network:get_all": "",
+ "network:get": "",
+ "network:create": "",
+ "network:delete": "",
+ "network:associate": "",
+ "network:disassociate": "",
+ "network:get_vifs_by_instance": "",
+ "network:allocate_for_instance": "",
+ "network:deallocate_for_instance": "",
+ "network:validate_networks": "",
+ "network:get_instance_uuids_by_ip_filter": "",
+ "network:get_instance_id_by_floating_address": "",
+ "network:setup_networks_on_host": "",
+ "network:get_backdoor_port": "",
+
+ "network:get_floating_ip": "",
+ "network:get_floating_ip_pools": "",
+ "network:get_floating_ip_by_address": "",
+ "network:get_floating_ips_by_project": "",
+ "network:get_floating_ips_by_fixed_address": "",
+ "network:allocate_floating_ip": "",
+ "network:deallocate_floating_ip": "",
+ "network:associate_floating_ip": "",
+ "network:disassociate_floating_ip": "",
+ "network:release_floating_ip": "",
+ "network:migrate_instance_start": "",
+ "network:migrate_instance_finish": "",
+
+ "network:get_fixed_ip": "",
+ "network:get_fixed_ip_by_address": "",
+ "network:add_fixed_ip_to_instance": "",
+ "network:remove_fixed_ip_from_instance": "",
+ "network:add_network_to_project": "",
+ "network:get_instance_nw_info": "",
+
+ "network:get_dns_domains": "",
+ "network:add_dns_entry": "",
+ "network:modify_dns_entry": "",
+ "network:delete_dns_entry": "",
+ "network:get_dns_entries_by_address": "",
+ "network:get_dns_entries_by_name": "",
+ "network:create_private_dns_domain": "",
+ "network:create_public_dns_domain": "",
+ "network:delete_dns_domain": ""
+}
diff --git a/config_samples/config/host2/nova/release b/config_samples/config/host2/nova/release
new file mode 100644
index 0000000..f9d3fe4
--- /dev/null
+++ b/config_samples/config/host2/nova/release
@@ -0,0 +1,4 @@
+[Nova]
+vendor = Red Hat Inc.
+product = OpenStack Nova
+package = mira.1
diff --git a/config_samples/config/host2/nova/rootwrap.conf b/config_samples/config/host2/nova/rootwrap.conf
new file mode 100644
index 0000000..fb2997a
--- /dev/null
+++ b/config_samples/config/host2/nova/rootwrap.conf
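Review bot: `"compute:create:forced_host": "is_admin:True"` spells the admin check inline while every other admin-only target in the file goes through `rule:admin_api`, which is itself defined as `"admin_api": "is_admin:True"` a few lines below; writing it as `"compute:create:forced_host": "rule:admin_api"` leaves a single definition to change if "admin" is ever redefined (for instance to `role:admin`, the form `context_is_admin` already uses). Because JSON cannot carry comments, the doubled blank lines are the only grouping cue, and the semantics of the many empty-string rules are not visible to someone copying the sample: an empty rule such as `"network:get_backdoor_port": ""` is evaluated as always-allow at the policy layer. These values appear to match the upstream defaults for this release, but a sentence in the sample's README pointing out that `""` means "no restriction" would help operators decide which of these targets they want to tighten before deploying.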
@@ -0,0 +1,27 @@
+# Configuration for nova-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/config_samples/config/host2/nova/version b/config_samples/config/host2/nova/version
new file mode 100644
index 0000000..f52e616
--- /dev/null
+++ b/config_samples/config/host2/nova/version
@@ -0,0 +1 @@
+2013.1
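Review bot: With `use_syslog=False` the `syslog_log_level=ERROR` setting has no effect, so nova-rootwrap records nothing at all, not even rejected privileged commands, even though the nova.conf in this same commit already routes the service logs to syslog; for a sample meant to be copied onto hosts, `use_syslog=True` is the setting that makes denied rootwrap invocations visible to whoever reviews the logs. The header comments say the file and the `filters_path` and `exec_dirs` directories must be owned and writable only by root, but nothing in a committed sample can enforce that, so the README for config_samples should state the expected ownership and mode explicitly. Minor: `explicitely` in the `exec_dirs` comment should read `explicitly`.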