
OpenStack SWIFT

Install

https://wiki.openstack.org/wiki/SwiftInstall

# Seed the Swift config directory from the packaged sample.
mkdir /etc/swift
cat /usr/share/doc/swift/swift.conf-sample > /etc/swift/swift.conf
# Ownership handoff to the swift service user is left commented out. Once
# swift_hash_path_prefix/suffix are filled in, swift.conf holds secrets and
# should not stay readable by everyone.
#chown -R swift: /etc/swift

Install de Rsync en mode daemon

Install de Memcache

2025/03/24 15:06

Notes OpenStack Nova

Install

Sur le controller
-- Nova databases on the controller: one login role owning the three schemas
-- (main nova db, nova_api, nova_cell0). 'toor' is a lab placeholder.
CREATE ROLE novauser WITH LOGIN PASSWORD 'toor';
CREATE DATABASE nova OWNER novauser ;
CREATE DATABASE nova_api OWNER novauser ;
CREATE DATABASE nova_cell0 OWNER novauser ;
# Identity side: nova service user (password asked interactively, so it stays
# out of shell history), admin on the service project, the compute service and
# its public endpoint. Internal/admin endpoints are not covered here.
openstack user create --domain default --password-prompt nova
openstack role add --project service --user nova admin
openstack service create --name nova --description "OpenStack Compute" compute
 
openstack endpoint create --region RegionOne compute public http://controller:8774/v2.1
Sur les noeuds
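# Rocky repositories, then the nova control-plane packages.
yum install epel-release
yum install centos-release-openstack-rocky
 
# The package list is wrapped; the trailing backslash keeps it one yum
# invocation (without it the second line is executed as a command named
# openstack-nova-cert).
yum install openstack-nova-api openstack-nova-conductor openstack-nova-novncproxy openstack-nova-scheduler \
  openstack-nova-cert openstack-nova-console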

Autres

Status

# Quick health checks against a running deployment.
source openrc                     # loads the OS_* credentials into this shell
nova service-list
openstack server list --name vm1
openstack server show vm1
nova reboot --hard vm1            # hard reset: the guest gets no clean shutdown
openstack server list --status SHUTOFF -f value -c ID   # bare IDs, usable in scripts
 
# NOTE(review): in devstack the c-* units are cinder (c-api, c-vol, ...); nova
# runs as n-* units, so this probably wants "devstack@n-*" — confirm.
journalctl -u "devstack@c-*" -f
-- Look the instance up directly in the cell database (\G = vertical output in
-- the mysql client). nova_cell1 is the devstack cell db name; the install
-- above only creates nova, nova_api and nova_cell0.
USE nova_cell1;
SELECT * FROM instances WHERE hostname='vm1' \G ;
2025/03/24 15:06

Notes OpenStack Neutron Réseaux

Réseau basique (hors Neutron)

Devstack - Autoriser les VMs qemu gérées par OpenStack à se connecter sur l’hôte VirtualBox

Autoriser le VLAN 172.24.4.0/24 à se connecter à 192.168.56.0/24

# Masquerade traffic leaving through the VirtualBox host-only NIC towards the host network.
iptables -t nat -I POSTROUTING -o enp0s8 -d 192.168.56.0/24 -j MASQUERADE
# Accepts forwarding to 192.168.56.0/24 from any source; add -s 172.24.4.0/24
# (and -i on the bridge) to restrict it to the range named above.
iptables -I FORWARD -d 192.168.56.0/24 -j ACCEPT

Policy

/etc/neutron/policy.json

{
    "context_is_admin":  "role:admin or user_name:neutron",
    "create_address_scope": "admin_only",
    "create_network": "rule:admin_only",
    "create_network:port_security_enabled": "rule:admin_only",
    "create_rbac_policy": "rule:admin_only",
    "create_router": "rule:admin_only",
    "create_security_group": "rule:admin_only",
    "create_security_group_rule": "rule:admin_only",
    "create_trunk": "rule:admin_only",
    "create_floatingip": "rule:admin_only",
    "create_floatingip:floating_ip_address": "rule:admin_only"
}
2025/03/24 15:06

Notes OpenStack Keystone

Install

Prérequis :

  • NTP
RedHat
# Rocky repo first, then Keystone under Apache/mod_wsgi and the CLI client.
yum install centos-release-openstack-rocky.noarch
yum install openstack-keystone-doc python-keystoneclient-doc
yum install openstack-keystone httpd mod_wsgi
yum install python-openstackclient
 
# yum install python-PROJETclient
# yum install python-keystoneclient
 
# MySQL / MariaDB
yum install MySQL-python
 
# PostgreSQL (the backend actually configured below)
#yum install postgresql
#yum install postgresql-server
yum install @postgresql
yum install python-sqlalchemy python-psycopg2
 
# RabbitMQ
yum install rabbitmq-server
# Initialise the PostgreSQL cluster (RHEL/CentOS wrapper around initdb) and start it.
sudo postgresql-setup initdb
systemctl start postgresql.service
systemctl enable postgresql.service

Configurer

/var/lib/pgsql/data/pg_hba.conf

# Loopback TCP connections switch from ident to password auth so the keystone
# DB role can log in with the password set below.
#host    all             all             127.0.0.1/32            ident
# md5 works on every version; on PostgreSQL 10+ scram-sha-256 is the stronger
# choice (set password_encryption = scram-sha-256 before creating the role).
host    all             all             127.0.0.1/32            md5
# Open a superuser psql session as the postgres OS user (peer auth over the socket).
su - postgres
psql
-- Unquoted identifiers fold to lower case, so keystoneUser is stored as
-- keystoneuser; that is why the owner and the connection string use the
-- lowercase form. 'toor' is a lab placeholder.
CREATE ROLE keystoneUser WITH LOGIN PASSWORD 'toor';
CREATE DATABASE keystone OWNER keystoneuser ;

/etc/keystone/keystone.conf

[DEFAULT]
#verbose = True
# Debug logging is very verbose and can include request details; keep it for the lab only.
debug = true
 
[database]
#connection = mysql://keystoneUser:toor@127.0.0.1/keystone
#connection = mysql+pymysql://keystoneUser:toor@127.0.0.1/keystone?charset=utf8
# DB password sits here in clear text: keep keystone.conf readable by root and
# the keystone user only. Role name is lower case because PostgreSQL folds it.
connection = postgresql://keystoneuser:toor@127.0.0.1/keystone
 
[token]
# Fernet tokens need the key repository created by fernet_setup (see below).
provider = fernet
# Reload the WSGI app, then create the schema as the keystone user (not root),
# so the created files stay owned by the service account.
systemctl restart httpd
su keystone -s /bin/sh -c "keystone-manage db_sync"

Les logs sont dans /var/log/keystone/keystone.log ou via

journalctl -f -u devstack@keystone.service

Configuration

Renommer un endpoint

Keystone a été initialisé avec les paramètres suivants

# One-time key material: fernet keys for tokens and the credential-encryption
# key, both owned by the keystone user/group so the service can read them.
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# Bootstrap creates the admin user with the given password and registers the
# three endpoints. The admin interface goes on 35357 (legacy admin port); the
# endpoint fix-up below moves it to 5000.
keystone-manage bootstrap --bootstrap-password toor \
  --bootstrap-admin-url http://srv-openstack-controller:35357/v3/ \
  --bootstrap-internal-url http://srv-openstack-controller:5000/v3/ \
  --bootstrap-public-url http://srv-openstack-controller:5000/v3/ \
  --bootstrap-region-id RegionOne

Solution : faire un update en base.

UPDATE endpoint SET url='http://srv-openstack-controller:5000/v3/' WHERE interface='admin';

Puis redémarrer le service Apache ou le service systemd

# Packaged install (keystone under Apache) ...
systemctl restart httpd
# or devstack
systemctl restart devstack@keystone.service

Test

openrc

# openrc: sourced into the shell, so OS_PASSWORD ends up in the environment of
# every child process. Keep the file mode 0600.
export OS_USERNAME=admin
export OS_PASSWORD=toor
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://srv-openstack-controller:5000/v3
export OS_IDENTITY_API_VERSION=3
source openrc
# --debug prints the whole HTTP exchange (URLs, headers, bodies); scrub it
# before pasting it anywhere.
openstack token issue --debug
openstack service list
openstack user list
Configuration d'un domaine AD/LDAP

Exemple de conf /etc/keystone/domains/keystone.domain.conf

[identity]
# Per-domain config comes from this file, not from the keystone database.
domain_configurations_from_database = False
driver = ldap
 
[ldap]
query_scope = sub
group_name_attribute = sAMAccountName
group_objectclass = group
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
group_tree_dn = CN=Openstack,OU=Groupes,DC=acme,DC=local
# AD referrals tend to hang the client; leaving them off is the usual AD setting.
chase_referrals = false
user_id_attribute = sAMAccountName
group_members_are_ids = true
# NOTE(review): AD 'group' objects list members in 'member' (DNs), not in
# 'memberUid' (a posixGroup attribute) — confirm against the directory before
# relying on group lookups.
group_member_attribute = memberUid
page_size = 500
# ldaps:// is TLS on 636 already; use_tls means StartTLS and must stay false
# with an ldaps URL. Server certificate checking is driven by tls_cacertfile /
# tls_req_cert (= demand); neither is set here.
use_tls = false
url = ldaps://ldap.acme.local:636
user_name_attribute = sAMAccountName
# Bind account used for lookups; a read-only directory account is enough.
user = Admin
user_objectclass = organizationalPerson
group_id_attribute = cn
# Only members of the Openstack group are visible to keystone.
user_filter = (memberOf=CN=Openstack,OU=Groupes,DC=acme,DC=local)
group_desc_attribute = description
user_tree_dn = DC=acme,DC=local
user_pass_attribute = userPassword
# Bind password, stored in clear and used as-is (keystone does not decode it):
# restrict this file to root and the keystone user.
password = UEBzc3cwcmQhISEK

Pb

Pb utilisateur manquant

L’utilisateur n'apparaît pas

openstack user list |grep jean

Mais il apparaît bien avec

openstack user show jean
Solution

Augmenter le page_size dans /etc/keystone/domains/keystone.acme.conf

[ldap]
# A positive page_size turns on paged results; presumably that is what gets the
# listing past the directory's per-query result cap — verify with a full list.
page_size = 500

Puis restart d'Apache ou du service keystone.

Autres

Note : iptables est remplacé maintenant par nftables

iptables -I INPUT -p tcp --dport 5000 -j ACCEPT
2025/03/24 15:06

OpenStack Keystone - Role & Policy

Voir :

Exemple de conf : https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

/etc/keystone/keystone.conf

[oslo_policy]
policy_file = /etc/keystone/policy.yaml
# Same setting for the other services, shown in grep "file:line" form.
/etc/cinder/cinder.conf:policy_file = /etc/cinder/policy.yaml
/etc/nova/nova.conf:policy_file = /etc/nova/policy.yaml

/etc/openstack-dashboard/local_settings.py

# Path to directory containing policy files
POLICY_FILES_PATH = '/etc'
 
# Per-service policy files, relative to POLICY_FILES_PATH. Horizon uses them to
# decide which actions to show, so they should be the same files the services
# load (YAML for keystone/nova/cinder/heat, JSON still for glance/neutron here).
POLICY_FILES = {
    'identity': 'keystone/policy.yaml',
    'compute': 'nova/policy.yaml',
    'volume': 'cinder/policy.yaml',
    'image': 'glance/policy.json',
    'orchestration': 'heat/policy.yaml',
    'network': 'neutron/policy.json',
#    'clustering': 'senlin/policy.json',
}
python -c 'import sys, yaml, json; yaml.safe_dump(json.load(sys.stdin), sys.stdout, default_flow_style=False)' < /opt/stack/keystone/etc/policy.v3cloudsample.json > /etc/keystone/policy.yaml

Logs

journalctl -f -u devstack@keystone.service |grep -i warning

Fichier policy.json / policy.yaml

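# Generate the default keystone policy (every rule, commented out) as YAML.
oslopolicy-sample-generator --namespace keystone --format yaml --output-file /etc/keystone/policy.yaml
 
# Neutron variants, kept for reference: for every create/update/delete/add/remove
# rule, force it to admin_only and uncomment it. This one is the same command as
# the last line below, kept on a single line so the shell sees one comment.
#oslopolicy-sample-generator --namespace neutron --format yaml |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/rule:.*/rule:admin_only"/' |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/^#\(.*rule:.*\)/\1/' > /etc/neutron/policy2.yaml
 
 
# JSON variant: its sed range ends at /s/, which leaves "rule:..." as a stray
# r command, so it does not perform the substitution as written.
#oslopolicy-sample-generator --namespace neutron --format json  |sed -e '/"\(remove\|update\|delete\|create\|add\)_/,/s/rule:.*/rule:admin_only\"/' > /etc/neutron/policy.json
 
#oslopolicy-sample-generator --namespace neutron --format yaml |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/rule:.*/rule:admin_only"/' |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/^#\(.*rule:.*\)/\1/' > /etc/neutron/policy2.yaml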

Ou

# Either copy the sample shipped with the checkout ...
# cp -p /opt/stack/keystone/etc/policy.v3cloudsample.json /etc/keystone/policy.json
# ... or fetch it. Without -f an error page would be written to policy.json;
# prefer `curl -fsSL`, and pin a tag or commit instead of master so the policy
# being deployed is a known, reviewed version.
curl https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json > /etc/keystone/policy.json

Rôles implicites (sauf pour admin)

/etc/keystone/keystone.conf

[assignment]
# admin can never be granted through an implied-role chain.
prohibited_implied_role = admin
 
[token]
# Tokens carry the implied roles, not only the ones assigned directly.
infer_roles = true

Voir https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html/users_and_identity_management_guide/role_management

Domain Admin

Voir :

Création d'un nouveau domaine et d'un groupe admin du domaine (domain admin)

# New domain with its own admin group: members get admin on the domain only.
openstack domain create acme
 
openstack group create --domain acme acme_admins
# --password on the command line lands in shell history and ps output;
# --password-prompt (used earlier for the nova user) avoids that.
openstack user create --domain acme --password toor acmeadm
openstack group add user acme_admins acmeadm
 
openstack role add --group acme_admins --domain acme admin

Voir https://dstanek.com/keystone-domain-admins/

Ajout d'un utilisateur au nouveau domaine

# Domain user gets member on a project; --user-domain is needed because the
# name is only unique within the acme domain.
openstack role add --user jean --user-domain acme --project jbprj member
 
#openstack role add admin --domain acme --user 8f20dc8ae49141c3bdc1f59927bf79eb --inherited
# --inherited on a project passes the role down to its child projects only.
openstack role add --user jean --user-domain acme --project jbprj member --inherited

Voir https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/users_and_identity_management_guide/index

Correction fichier

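# Harvest the rules keystone reports as deprecated "in favor of <rule>", keep
# the replacement names (lines starting with a quote) and save them to ./plop.
# -f follows the journal indefinitely: stop it with Ctrl-C before the next
# line, or drop -f to read the existing journal once.
journalctl -f -u devstack@keystone.service 2>/dev/null |grep -i warning |grep -i deprecated |grep -v 'service nova' |sed -e 's/^.*in favor of //' |sed -e 's/\. Reason:.*//' |grep '^\"' | tee plop
# Append each unique rule with " or role:cloudadmin" to the policy file. A single
# >> is enough; the shell only honours the last stdout redirection anyway.
sort -u plop |tr -d '"' | sed -e 's/$/& or role:cloudadmin/' >> /etc/keystone/policy.yaml
vim !$    # !$ = last argument of the previous command: /etc/keystone/policy.yaml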

Autre

# access_rules.json here is the unit-test fixture: review it before using it
# as a real application-credential access-rule config.
cp -p /opt/stack/keystone/keystone/tests/unit/config_files/access_rules.json /etc/keystone/access_rules.json
openstack implied role list
# --effective expands group and inherited assignments; --name shows names, not ids.
openstack role assignment list --user jean --name --effective
openstack role assignment list --user dom1_user --name --effective --user-domain dom1

Test

# Walk-through of a domain admin, a domain user and a project admin/user.
# Passwords given with --password end up in shell history; prefer --password-prompt.
openstack domain create dom1
openstack user create dom1_admin --password toor --domain dom1
# --inherited on a domain: admin on every project of dom1, not on the domain object itself.
openstack role add admin --user dom1_admin --domain dom1 --inherited --user-domain dom1
 
## Do not do this, otherwise the user gets rights on the other domains too!
#openstack role add admin --user dom1_admin --domain dom1 --user-domain dom1
 
# To log in to the Web UI (Horizon) the user needs access to at least one project.
openstack project create dom1_prj1 --domain dom1
openstack role add admin --project-domain dom1 --project dom1_prj1 --user dom1_admin --user-domain dom1
 
# Create the domain user
openstack user create dom1_user --password toor --domain dom1
openstack role add member --user dom1_user --domain dom1 --inherited --user-domain dom1
 
# Create a project for user dom1_user
openstack project create dom1_user_prj1 --domain dom1
openstack role add admin --project-domain dom1 --project dom1_user_prj1 --user dom1_user --user-domain dom1
 
# Create the admin of project prj1
openstack project create prj1 --domain dom1
openstack user create dom1_projet1_admin --password toor --domain dom1 --project prj1 --project-domain dom1
#
# PROBLEM: admin rights (domain-wide admin is too broad for a project admin)
#openstack role add admin --user dom1_projet1_admin --domain dom1 --user-domain dom1
 
# Create the user of project prj1
openstack user create dom1_projet1_user --password toor --domain dom1 --project prj1 --project-domain dom1
openstack role add member --user dom1_projet1_user --user-domain dom1 --project prj1 --project-domain dom1
 
## What is --inherited for on a project? Presumably it propagates the role to
## child projects of prj1 (project hierarchy) — confirm with `role assignment list --effective`.
#openstack role add member --user dom1_projet1_user --user-domain dom1 --project prj1 --project-domain dom1 --inherited

Reset

# A domain must be disabled before it can be deleted; this removes its users,
# groups and projects with it.
openstack domain set --disable dom1
openstack domain delete dom1
2025/03/24 15:06