Stephanie Fuller's profile - activity

2016-08-04 07:46:42 -0500 received badge  Favorite Question (source)
2015-08-28 09:51:04 -0500 received badge  Famous Question (source)
2015-08-28 09:51:04 -0500 received badge  Notable Question (source)
2015-08-28 09:51:04 -0500 received badge  Popular Question (source)
2015-08-21 16:23:20 -0500 received badge  Self-Learner (source)
2015-08-21 16:23:20 -0500 received badge  Necromancer (source)
2015-08-21 11:19:38 -0500 answered a question How to setup swift with commvault

After over a month, I got this to work - here's the basics. If you are having trouble and need more details, ping me...

SSL -> generated a key and got an officially signed cert, not self-signed. Put them in /etc/keystone/ssl/certs & .../private for future reference

keystone: 1 -> changed keystone.conf file [signing] and [ssl] sections with those paths and other details about the key I generated. However, I am still uncertain that this is used other than to generate self-signed key/cert (which I did not use). I am not certain that these values are read from the conf file and used for keystone operation/authentication.

2 -> changed the keystone endpoints in the keystone database to https, ports 5000 & 35357.

3 -> installed apache wsgi module and configured wsgi_keystone.conf in apache to turn on SSLEngine, SSLCertificateKeyFile, SSLCertificateFile & SSLCertificateChainFile with files obtained from the cert authority. I did this for both keystone ports.

swift: 1 -> changed proxy-server.conf to change swift bind_port to 8081, put the key/cert in key_file & cert_file strings, but later took them out to revert swift back to non-ssl (on port 8081). I also changed the auth_uri & auth_url strings to https://myserver-fqdn:5000 & ...:35357 directing swift to talk to keystone with ssl (through apache wsgi...)

2 -> I changed the swift endpoints in the keystone database to https://myserver.fqdn:8080/... to direct swift traffic through a secure apache url/uri.

3 -> all apache modules were already installed (mod_ssl & mod_proxy), I added a file to configure Apache to listen for swift on a secure port and SSL-terminate; /etc/httpd/conf.d/proxy-swift.conf with Proxy stuff (ProxyPass, ProxyPassReverse, ProxyRequests & ProxyPreserveHost) and SSL stuff (same as for wsgi_keystone)

I added SSL to swift because it seemed like CommVault was trying to talk to swift using ssl/https, so I ended up having to make swift API non-ssl and using Apache to run interference for me/commvault. I had other errors when swift API was configured for SSL. Now that it is all figured out, it makes perfect sense. Scary!

2015-07-30 14:18:32 -0500 commented answer keystone ssl error

Can someone clarify for me... are the configurations in keystone.conf [signing] and [ssl] for authentication & connection purposes, or only for generating the key/certs? If I have signed cert from a known CA, can/should I specify it there for authentication/connection?

2015-07-30 12:00:35 -0500 answered a question how to change keystone endpoint URLs to https

In case anyone is interested...

So, my original question was how to change the endpoints in keystone. I had a problem because I had already turned on SSL with wsgi-keystone. So, I recall ??? that I turned SSLEngine off in apache in the wsgi-keystone file. I also realized I could use the token from original install. So I used the token to authenticate to openstack/keystone from the command line to delete/create endpoints. This involved editing /usr/share/keystone/keystone-dist-paste.ini to add admin_token_auth in [pipeline:public_api], [pipeline:admin_api] & [pipeline:api-v3].

2015-07-30 11:42:35 -0500 commented question swift stopped working after changing pki and enabling keystone ssl

Juno or Kilo? It looks like Juno based on your [filter:authtoken]. kilo install guide has different options for [filter:authtoken] than are listed in kilo config-reference. Anyone want to commit to one of them??? Or admit to where the [filter:authtoken] ssl options are hiding?

2015-07-29 17:16:39 -0500 commented answer how to change keystone endpoint URLs to https

keystone-manage ssl_setup creates a key and a self-signed cert - which in numerous places is told to not be supported in production. I have obtained official cert from InCommon. However, still getting InsecurePlatformWarning, even after following notes in urllib3.readthedocs.org/...

2015-07-21 12:21:34 -0500 commented answer how to change keystone endpoint URLs to https

Yes, I think my keystone worked fine before SSL (if I can remember that far back). But I need ssl for commvault (backup software; swift library)

2015-07-20 12:19:47 -0500 received badge  Famous Question (source)
2015-07-17 16:26:04 -0500 received badge  Supporter (source)
2015-07-17 16:25:31 -0500 commented answer how to change keystone endpoint URLs to https

Then, I changed the config files back to ssl. Everything is broken again. Apache is happy (sort of) on ports 5000 & 35357, but keystone is not. 'openstack user list' reports InsecurePlatformWarning from urllib3. I tried our really-real *.weber.edu cert - also rejected, unknown ca. ???

2015-07-17 15:47:13 -0500 commented answer how to change keystone endpoint URLs to https

compendius - great notes. My problem had been that I left the endpoints http in keystone, but had changed keystone.conf and wsgi_keystone.conf to use SSL. So, I changed those config files back to non-ssl, restarted services and was able to get in to keystone to change the endpoints to https.

2015-07-17 09:08:38 -0500 commented answer how to change keystone endpoint URLs to https

nethawk - I am going to assume you meant 'apache'. Yes, if I understand the docs and have done it correctly, I am running keystone on apache. However, something does not work, so I have clearly NOT understood or done it correctly.

2015-07-16 19:59:52 -0500 received badge  Notable Question (source)
2015-07-16 16:30:41 -0500 commented answer how to change keystone endpoint URLs to https

I thought that the [ssl] section of keystone.conf was deprecated along with eventlet. So, I did not put the keys from keystone-manage pki_setup there. The pink warning box where your link opens says "When running keystone in a web server... the options in this section have no effect."

2015-07-16 16:27:41 -0500 commented answer how to change keystone endpoint URLs to https

Thank you nethawk, I have already done what is outlined in the Certificates for PKI section of this page. I used keystone-manage to generate key/cert after configuring the paths & options in keystone.conf. I then put the keys in the wsgi_keystone.conf file under apache.

2015-07-16 05:48:07 -0500 received badge  Popular Question (source)
2015-07-15 17:07:45 -0500 commented question how to change keystone endpoint URLs to https

Oops, that was /etc/swift/proxy-swift.conf for the [filter:authtoken] stuff...

2015-07-15 16:49:56 -0500 asked a question how to change keystone endpoint URLs to https

I am running openstack/keystone/swift on centos 7. I am adding ssl to openstack/keystone/swift.

I edited /etc/keystone/keystone.conf [signing] section to include parameters for generating key & certs with 'keystone-manage pki_setup'.

I generated key & certs and added them to /etc/httpd/conf.d/wsgi-keystone.conf, ports 5000 & 35357.

I installed mod_ssl to apache and used openssl to make certs for port 443. Not quite sure that was necessary???

I edited /etc/keystone/proxy-swift.conf to change the [filter:authtoken] section to have auth_uri & auth_url be https://<ip>:port, and I added 'insecure = True'

The one thing I have not been able to change is the endpoints in keystone.

When I hit the IP:ports in Firefox, after accepting the untrusted certificate, I get OK.

But when I try to use openstack command, I get InsecurePlatformWarning as follows:

(openstack) user list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ERROR: openstack SSL exception connecting to https://controller:35357/v3/auth/tokens: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Following is the environment I set:

[root@swift ~]# cat admins-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=**************
export OS_AUTH_URL=https://controller:35357/v3

I followed the suggestion in urllib3... to upgrade python from 2.7.5 to 2.7.9 (download source, make, make install, then changed the link in /usr/bin/python to point to python 2.7.9 - breaks openstack-swift-proxy service)

So, what have I overlooked? How can I get the endpoints changed in keystone? Does 'insecure = True' even do anything in swift-proxy? Would this all be fixed if I got real certs???

Thanks in advance for any insight.
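The question above sets `insecure = True` in `[filter:authtoken]` while pointing `auth_uri` and `auth_url` at https. The following is an added example, not part of the original post: a small audit of that section for settings that weaken TLS between the swift proxy and keystone. The sample file and its host name are constructed, and the `cafile` path mentioned afterwards is a placeholder.

```python
import configparser

# Constructed sample modelled on the settings described in the question
# (placeholder host name; not the poster's real file).
SAMPLE_PROXY_CONF = """
[pipeline:main]
pipeline = catch_errors authtoken keystoneauth proxy-server

[filter:authtoken]
auth_uri = https://controller.example.org:5000
auth_url = https://controller.example.org:35357
insecure = True
"""

TRUE_VALUES = {"1", "true", "yes", "on"}


def audit_authtoken(conf_text, section="filter:authtoken"):
    """Return (option, finding) tuples for TLS-related weaknesses."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(conf_text)
    if not parser.has_section(section):
        return [(section, "section not found")]
    opts = dict(parser.items(section))
    findings = []

    # insecure = True turns off verification of keystone's certificate,
    # so any host that answers on that address is trusted.
    if opts.get("insecure", "false").strip().lower() in TRUE_VALUES:
        findings.append(("insecure", "certificate verification is disabled"))

    uses_https = False
    for key in ("auth_uri", "auth_url"):
        url = opts.get(key, "").strip().lower()
        if url.startswith("http://"):
            findings.append((key, "credentials and tokens sent in clear text"))
        elif url.startswith("https://"):
            uses_https = True

    # Without cafile the default CA bundle must contain the issuing chain;
    # a missing intermediate shows up as "certificate verify failed".
    if uses_https and "cafile" not in opts:
        findings.append(("cafile", "not set; default CA bundle is used"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_authtoken(SAMPLE_PROXY_CONF):
        print("%s: %s" % (option, finding))
```

A section with `insecure = False` and `cafile` pointing at the CA chain file yields no findings.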

2015-07-10 15:14:47 -0500 answered a question which is correct ssl section for kilo version

I think it is the [signing] section. See http://docs.openstack.org/admin-guide...

The [ssl] section also looks enticing, but I think that is also deprecated along with eventlet_server... See http://docs.openstack.org/kilo/config... the 4th link in the Contents.

2015-07-07 08:55:34 -0500 commented question where is swift API key

Thank you sunnyarora, but that link is about configuring OwnCloud (not CommVault) with an Openstack Swift backend. It does not require the API key (which is provided by Rackspace, or also possibly by SwiftStack). It does not explain how to generate this mystical API Key from Swift or Keystone.

2015-07-06 09:18:51 -0500 commented answer How to setup swift with commvault

Doug, thanks for the update about username = tenant:username. (BTW, in kilo, tenant has become project). And, because I am using Keystone, my service host is (I think) <ip>:5000/v2.0. However, my commvault is still failing to verify. I have contacted CommVault for additional information.

2015-07-02 17:23:50 -0500 commented answer How to use owncloud as swift backend?

Actually, that might have been fixed from Juno to Kilo build because my new system that is kilo truly does not require the API key field.

2015-07-02 15:52:48 -0500 commented answer How to setup swift with commvault

I have looked everywhere for an API key. Commvault wants an API key to create the cloud library. Openstack/Keystone/Swift don't have one anywhere that I can find. I tried using a token for swift from openstack, but commvault did not like that.

2015-07-02 15:52:48 -0500 received badge  Commentator
2015-07-02 12:43:52 -0500 asked a question where is swift API key

What/where is the Swift API key? Is it generated somewhere in the installation of keystone & swift (kilo build)? I need to use it to authenticate another application to swift, but I have no idea what or where it is. Rackspace and SwiftStack have nice little buttons in their UIs to generate an API Key. Is there an openstack command in the CLI to generate an API key? I tried making a token using openstack, but that was not accepted.

2015-07-02 08:25:48 -0500 received badge  Notable Question (source)
2015-07-02 08:25:48 -0500 received badge  Famous Question (source)
2015-07-01 19:35:22 -0500 received badge  Popular Question (source)
2015-07-01 17:26:42 -0500 answered a question How to use owncloud as swift backend?

I found that even though the documentation SAID that the API Key was not required, I did not get a green light until I put something in that space.

2015-07-01 17:01:12 -0500 commented question How to setup swift with commvault

My desired end result is to have the commvault backup data replicated in multiple sites for disaster recovery purposes.

2015-07-01 16:59:39 -0500 commented question How to setup swift with commvault

Or build 3 new containers with one volume each from each of my 3 zones that are the backend for 3 new commvault MagLibs that are assigned to 1 new commvault storage policy using a round-robin fashion.

2015-07-01 16:53:27 -0500 commented question How to setup swift with commvault

My most pressing question is should I build 1 new container with 3 volumes (1/zone) that is the backend for 1 new commvault MagneticLibrary that is assigned to 1 new commvault storage policy???

2015-07-01 12:51:26 -0500 asked a question How to setup swift with commvault

Has anyone set up a swift account/container for use by commvault? I am starting down this path and am not sure about the best way to set up ring/account/container for commvault. I read some documentation from SwiftStack, but it makes some SwiftStack assumptions that I am not sure how to duplicate on my own with native Swift.

If anyone has done this, I would love to hear your story and recommendations.

Thanks, Stephanie

2015-07-01 12:23:46 -0500 commented question can't access swift remotelly

Mr. Hanachoo, did you get this fixed? It looks maybe like the service is not running, from your nmap output. I had several firewall problems that interfered with the proper operation of my swift controller and storage nodes. Are all your VMs on the same network? I found 'telnet <ip> <port>' help

2015-06-25 11:18:37 -0500 answered a question How to build OpenStack from scratch

I have been using docs.openstack.org documentation to install manually. It is mostly good, but it has taken me many months to become moderately capable. Make sure you don't accidentally open the juno documentation in the middle of a kilo install...

2015-04-21 05:11:26 -0500 received badge  Teacher (source)
2015-02-27 06:09:30 -0500 received badge  Famous Question (source)
2015-02-21 23:34:34 -0500 received badge  Famous Question (source)
2015-02-21 23:34:34 -0500 received badge  Famous Question (source)
2015-01-13 13:01:30 -0500 received badge  Notable Question (source)
2015-01-12 23:22:40 -0500 received badge  Popular Question (source)
2014-12-23 11:53:47 -0500 received badge  Enthusiast
2014-12-22 16:29:41 -0500 commented question swift container-server.conf error

After posting the question I noticed some typos in the conf file. I fixed those, and still had the same error about a loader in the [filter:recon] section.

So, I tried changing the pipeline to only have the account-server. That worked. What is pipeline & do I want/need healthcheck & recon?

2014-12-22 15:15:50 -0500 asked a question swift container-server.conf error

When I try to start swift services, 3 of them fail - the account, container & object services. I get this output:

[root@e1 ~]# swift-init container-server start
Starting container-server...(/etc/swift/container-server.conf)
Traceback (most recent call last):
  File "/bin/swift-container-server", line 23, in <module>
    sys.exit(run_wsgi(conf_file, 'container-server', **options))
  File "/usr/lib/python2.7/site-packages/swift/common/wsgi.py", line 445, in run_wsgi
    loadapp(conf_path, global_conf=global_conf)
  File "/usr/lib/python2.7/site-packages/swift/common/wsgi.py", line 354, in loadapp
    ctx = loadcontext(loadwsgi.APP, conf_file, global_conf=global_conf)
  File "/usr/lib/python2.7/site-packages/swift/common/wsgi.py", line 338, in loadcontext
    global_conf=global_conf)
  File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 296, in loadcontext
    global_conf=global_conf)
  File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 320, in _loadconfig
    return loader.get_context(object_type, name, global_conf)
  File "/usr/lib/python2.7/site-packages/swift/common/wsgi.py", line 61, in get_context
    object_type, name=name, global_conf=global_conf)
  File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 450, in get_context
    global_additions=global_additions)
  File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 562, in _pipeline_app_context
    for name in pipeline[:-1]]
  File "/usr/lib/python2.7/site-packages/swift/common/wsgi.py", line 61, in get_context
    object_type, name=name, global_conf=global_conf)
  File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 458, in get_context
    section)
  File "/usr/lib/python2.7/site-packages/paste/deploy/loadwsgi.py", line 514, in _context_from_explicit
    "No loader given in section %r" % section)
LookupError: No loader given in section 'filter:recon'

My swift/account-server.conf file is as follows:

[root@e1 ~]# cat /etc/swift/account-server.conf
[DEFAULT]
bind_ip = controllerIP
bind_port = 6002
user = swift
swift_dir = /etc/swift
devices = /srv/node
mount_check = false
log_facility = LOG_LOCAL2
workers = 1

[pipeline:main]
#pipeline = account-server
###SRF, change per juno install guide instructions...
pipeline = healthcheck recon account-server

[filter:recon}
recon_cache_path = /var/chche/swift

[filter:healthcheck]
use = egg:swift#healthcheck

[app:account-server]
use = egg:swift#account
set log_name = account-server
set log_facility = LOG_LOCAL2
set log_level = INFO
set log_requests = True
set log_address = /dev/log

[account-replicator]
concurrency = 8

[account-auditor]

[account-reaper]
concurrency = 8

What is missing in the [filter:recon] section??? What is a loader? how do I specify it in the config file???
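The "No loader given" error above comes from a pipeline entry whose section names nothing to load. The following is an added example, not part of the original post and not paste.deploy's own code: a checker that walks `[pipeline:main]` and reports entries whose section is missing, has a malformed header, or has no loader key. The set of loader keys and the "last entry is the app" rule are simplifying assumptions, and the sample is a constructed reduction of the posted file.

```python
import re

# Keys treated as a paste.deploy "loader" (assumption: the common ones only).
LOADER_KEYS = {"use", "paste.filter_factory", "paste.filter_app_factory",
               "paste.app_factory", "paste.composite_factory"}
SECTION_RE = re.compile(r"^\[([^\[\]{}]+)\]$")


def parse_sections(text):
    """Minimal INI reader that tolerates and records malformed headers."""
    sections, malformed, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            match = SECTION_RE.match(line)
            current = sections.setdefault(match.group(1), {}) if match else None
            if match is None:
                malformed.append((lineno, line))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections, malformed


def check_pipeline(text, pipeline_section="pipeline:main"):
    """Return (location, problem) tuples for a paste.deploy pipeline."""
    sections, malformed = parse_sections(text)
    problems = [("line %d" % n, "malformed section header %s" % h)
                for n, h in malformed]
    names = sections.get(pipeline_section, {}).get("pipeline", "").split()
    for index, name in enumerate(names):
        # Simplification: every entry but the last is a filter, the last an app.
        prefix = "app" if index == len(names) - 1 else "filter"
        section = "%s:%s" % (prefix, name)
        if section not in sections:
            problems.append((section, "section missing"))
        elif not LOADER_KEYS & set(sections[section]):
            problems.append((section, "no loader given"))
    return problems


# Constructed sample: the posted file reduced to its pipeline, with the
# header typo corrected so that only the loader problem remains.
SAMPLE = """\
[pipeline:main]
pipeline = healthcheck recon account-server

[filter:recon]
recon_cache_path = /var/cache/swift

[filter:healthcheck]
use = egg:swift#healthcheck

[app:account-server]
use = egg:swift#account
"""
```

Adding a `use = egg:swift#recon` line to `[filter:recon]` clears the finding; with the header written as `[filter:recon}` the checker reports the malformed header and a missing section instead.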