OPNFV MOON configuration guide

Introduction

Moon must be configured through the standard Keystone configuration files and the standard KeystoneMiddleware configuration files: * /etc/keystone/keystone-paste.ini * /etc/keystone/keystone.conf * /etc/nova/api-paste.ini * /etc/swift/proxy-server.conf

There is no other custom configuration file.

Configuration

Keystone

For Keystone, the following files must be configured, some modifications may be needed, specially passwords:

/etc/keystone/keystone-paste.ini

sudo cp /etc/keystone/keystone-paste.ini /etc/keystone/keystone-paste.ini.bak
sudo sed "3i[pipeline:moon_pipeline]\npipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension moon_service\n\n[app:moon_service]\nuse = egg:keystone#moon_service\n" /etc/keystone/keystone-paste.ini > /tmp/keystone-paste.ini
sudo cp /tmp/keystone-paste.ini /etc/keystone/keystone-paste.ini
sudo sed "s/use = egg:Paste#urlmap/use = egg:Paste#urlmap\n\/moon = moon_pipeline/" /etc/keystone/keystone-paste.ini > /tmp/keystone-paste.ini
sudo cp /tmp/keystone-paste.ini /etc/keystone/keystone-paste.ini

/etc/keystone/keystone.conf

cat << EOF | sudo tee -a /etc/keystone/keystone.conf
[moon]

# Configuration backend driver
configuration_driver = keystone.contrib.moon.backends.memory.ConfigurationConnector

# Tenant backend driver
tenant_driver = keystone.contrib.moon.backends.sql.TenantConnector

# Authorisation backend driver
authz_driver = keystone.contrib.moon.backends.flat.SuperExtensionConnector

# IntraExtension backend driver
intraextension_driver = keystone.contrib.moon.backends.sql.IntraExtensionConnector

# InterExtension backend driver
interextension_driver = keystone.contrib.moon.backends.sql.InterExtensionConnector

# Logs backend driver
log_driver = keystone.contrib.moon.backends.flat.LogConnector

# Local directory where all policies are stored
policy_directory = /etc/keystone/policies

# Local directory where Root IntraExtension configuration is stored
root_policy_directory = policy_root

# URL of the Moon master
master = 'http://localhost:35357/'

# Login of the Moon master
master_login = 'admin'

# Password of the Moon master
master_password = 'nomoresecrete'
EOF

The logging system must be configured :

sudo mkdir /var/log/moon/
sudo chown keystone /var/log/moon/

sudo addgroup moonlog

sudo chgrp moonlog /var/log/moon/

sudo touch /var/log/moon/keystonemiddleware.log
sudo touch /var/log/moon/system.log

sudo chgrp moonlog /var/log/moon/keystonemiddleware.log
sudo chgrp moonlog /var/log/moon/system.log
sudo chmod g+rw /var/log/moon
sudo chmod g+rw /var/log/moon/keystonemiddleware.log
sudo chmod g+rw /var/log/moon/system.log

sudo adduser keystone moonlog
sudo adduser swift moonlog
sudo adduser nova moonlog

The Keystone database must be updated:

sudo /usr/bin/keystone-manage db_sync
sudo /usr/bin/keystone-manage db_sync --extension moon

And, Apache must be restarted:

sudo systemctl restart apache.service

Nova

In order to Nova to be able to communicate with Keystone-Moon, you must update the Nova KeystoneMiddleware configuration file. To achieve this, a new filter must be added in /etc/nova/api-paste.ini and this filter must be added to the composite data. The filter is:

[filter:moon]
paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
authz_login=admin
authz_password=password
logfile=/var/log/moon/keystonemiddleware.log

Here is some bash lines to insert this into the Nova configuration file:

sudo cp /etc/nova/api-paste.ini /etc/nova/api-paste.ini.bak2
sudo sed "/^keystone = / s/keystonecontext/keystonecontext moon/" /etc/nova/api-paste.ini > /tmp/api-paste.ini
sudo cp /tmp/api-paste.ini /etc/nova/api-paste.ini

echo -e "\n[filter:moon]\npaste.filter_factory = keystonemiddleware.moon_agent:filter_factory\nauthz_login=admin\nauthz_password=password\nlogfile=/var/log/moon/keystonemiddleware.log\n" | sudo tee -a /etc/nova/api-paste.ini

Nova can then be restarted:

for service in nova-compute nova-api nova-cert nova-conductor nova-consoleauth nova-scheduler ; do
    sudo service ${service} restart
done

Swift

In order to Swift to be able to communicate with Keystone-Moon, you must update the Swift KeystoneMiddleware configuration file. To achieve this, a new filter must be added in /etc/swift/proxy-server.conf and this filter must be added to the composite data. The filter is (exactly the same as Nova):

[filter:moon]
paste.filter_factory = keystonemiddleware.moon_agent:filter_factory
authz_login=admin
authz_password=password
logfile=/var/log/moon/keystonemiddleware.log

Here is some bash lines to insert this into the Nova configuration file:

sudo cp /etc/swift/proxy-server.conf /etc/swift/proxy-server.conf.bak2
sudo sed "/^pipeline = / s/proxy-server/moon proxy-server/" /etc/swift/proxy-server.conf > /tmp/proxy-server.conf
sudo cp /tmp/proxy-server.conf /etc/swift/proxy-server.conf

echo -e "\n[filter:moon]\npaste.filter_factory = keystonemiddleware.moon_agent:filter_factory\nauthz_login=admin\nauthz_password=password\nlogfile=/var/log/moon/keystonemiddleware.log\n" | sudo tee -a /etc/swift/proxy-server.conf

Swift can then be restarted:

for service in swift-account swift-account-replicator \
                swift-container-replicator  swift-object swift-object-updater \
                swift-account-auditor swift-container swift-container-sync \
                swift-object-auditor swift-proxy swift-account-reaper swift-container-auditor \
                swift-container-updater swift-object-replicator ; do
    sudo service ${service} status
done

Revision:

Build date: September 20, 2016