I’ve put a fair amount of time into the Signed Tokens implementation. Now that they have been merged into the master branch of Keystone, I’d like to get some more people playing around with the feature and see how it impacts things.

Let’s start with devstack on Fedora 17, running on some sort of Dell machine. I have a localrc file that looks like this:
FORCE=yes
HOST_IP_IFACE=em1
MYSQL_PASSWORD=freeipa4all
RABBIT_PASSWORD=freeipa4all
SERVICE_TOKEN=freeipa4all
SERVICE_PASSWORD=freeipa4all
ADMIN_PASSWORD=freeipa4all
MESSAGING_SYSTEM=qpid
#RECLONE=yes
ENABLED_SERVICES=key,g-api,g-reg,n-api,n-crt,n-obj,n-cpu,n-net,n-vol,n-sch,n-novnc,n-xvnc,n-cauth,horizon,mysql,qpid
That RECLONE option is there so I can sync up the Git repos. Uncomment it periodically to fetch master on all projects.
Put SELinux in permissive mode, because in enforcing mode it prevents the httpd process from reading the SQLite database stored in /opt/horizon… This is a development shortcut (and setenforce does not survive a reboot), not something to carry into a real deployment:
sudo setenforce permissive
Make sure that yum update has been run, specifically to get late enough versions of SQLite, SQLAlchemy, httplib2, etc. That means the Fedora updates Yum repo needs to be enabled.
Get node.js:
sudo yum localinstall --nogpgcheck http://nodejs.tchol.org/repocfg/fedora/nodejs-stable-release.noarch.rpm
sudo yum install nodejs-compat-symlinks npm
I had to grab a specific glance patch, but that should be a short-term issue:
https://review.openstack.org/#/c/9582/
(It has since been merged.)
And one for python-glanceclient:
https://review.openstack.org/#/c/10341/1
cd /opt/stack/devstack
./stack.sh
. openrc
Turns out there was also python-glanceclient code in /usr/lib/python27/site-packages that I had to delete. I must have installed that at some point in the past. With those changes, devstack runs as normal.
To join the screen session for devstack:
screen -x
Hit Ctrl-A 3 to go to the third window, where Keystone is running. Ctrl-C to kill it, then edit the file /etc/keystone/keystone.conf. I’ve been uncommenting the whole [signing] block, so my file now has this in it:
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 2048
valid_days = 3650
ca_password = None
disable_pki = False
Note the last line. Right now, disabling PKI is the norm. The goal is to flip that switch so that PKI is the default in the near future.
Restart Keystone; look through your buffer history for the command:
cd /opt/stack/keystone && /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d --debug
Switch to a different bash prompt (Ctrl-A 0 gives you one in devstack that is not used) and test the token code:
. openrc
keystone token-get
The token should be huge, since it now carries a signature rather than being a short identifier.
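That huge string is the signed token itself, so a service holding the signing certificate and the CA certificate can validate it without a round trip to Keystone. As an added example (my code, not the post’s and not Keystone’s), here is a small Python helper that turns a token back into PEM CMS, hands it to openssl for verification against the CA configured in the [signing] block above, and refuses to treat a plain UUID token as if it were signed. Assumptions, also labelled in the code: the openssl binary is on the path; the default cert paths are the ones from keystone.conf above; and the token encoding is the armor-stripped, newline-free base64 with ‘/’ swapped for ‘-’ that I recall from keystone/common/cms.py, which you should confirm against your checkout before pointing this at a real token. SAMPLE_PEM is a constructed stand-in used only for the round-trip check; it is not a real signature and will not verify.

```python
"""Check a Keystone PKI ("signed") token offline.

Added example, not Keystone's own code.  Assumptions:
  - A PKI token is a CMS SignedData blob: DER, base64, PEM armor stripped,
    newlines removed, '/' replaced by '-' so it survives URLs and headers
    (my recollection of keystone/common/cms.py; confirm against your tree).
  - The signing cert and CA cert are those from the [signing] block.
  - The openssl binary is available (only needed for sign/verify).
"""
import json
import re
import subprocess
import sys

PEM_BEGIN = "-----BEGIN CMS-----"
PEM_END = "-----END CMS-----"
PEM_LINE = 64                      # openssl wants the base64 wrapped at 64

# Defaults taken from the keystone.conf [signing] block in the post.
SIGNING_CERT = "/etc/keystone/ssl/certs/signing_cert.pem"
SIGNING_KEY = "/etc/keystone/ssl/private/signing_key.pem"
CA_CERT = "/etc/keystone/ssl/certs/ca.pem"

UUID_TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample PEM for the round-trip check below.  The body is made-up
# base64-looking text (two 64-char lines plus a short tail), NOT a real CMS.
SAMPLE_PEM = (
    "-----BEGIN CMS-----\n"
    "MIIBfAYJKoZIhvcNAQcCoIIBbTCCAWkCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3\n"
    "DQEHAaCCAQ8wggELMIGLoAMCAQICBQC/zzzzMA0GCSqGSIb3DQEBBQUAMBAxDjAM\n"
    "BgNVBAMMBWNhLmV4YW1w/+dGVzdA==\n"
    "-----END CMS-----\n"
)


def cms_to_token(pem):
    """PEM CMS -> token: drop the armor and all whitespace, make '/' URL-safe."""
    body = pem.replace(PEM_BEGIN, "").replace(PEM_END, "")
    body = "".join(body.split())
    return body.replace("/", "-")


def token_to_cms(token):
    """token -> PEM CMS: undo the substitution and re-wrap for openssl."""
    body = token.replace("-", "/")
    lines = [body[i:i + PEM_LINE] for i in range(0, len(body), PEM_LINE)]
    return "\n".join([PEM_BEGIN] + lines + [PEM_END]) + "\n"


def is_pki_token(token):
    """Heuristic: a DER SEQUENCE longer than 255 bytes base64-encodes to
    'MII...'; a 32-hex-digit string is a classic UUID token."""
    if UUID_TOKEN_RE.match(token):
        return False
    return token.startswith("MII")


def sign_payload(payload, signing_cert=SIGNING_CERT, signing_key=SIGNING_KEY):
    """Sign a dict the way a PKI token is produced (openssl cms -sign)."""
    pem = subprocess.check_output(
        ["openssl", "cms", "-sign", "-signer", signing_cert, "-inkey",
         signing_key, "-outform", "PEM", "-nosmimecap", "-nodetach",
         "-nocerts", "-noattr"],
        input=json.dumps(payload).encode())
    return cms_to_token(pem.decode())


def verify_token(token, signing_cert=SIGNING_CERT, ca_cert=CA_CERT):
    """Validate a PKI token offline and return its JSON payload.

    -CAfile is the trust decision: without it (or with -noverify) openssl
    would accept a blob signed by any certificate handed to it.  The signer
    cert is supplied via -certfile because tokens are signed with -nocerts.
    Raises ValueError for a UUID token (those must be checked with Keystone)
    and subprocess.CalledProcessError when the signature does not verify.
    """
    if not is_pki_token(token):
        raise ValueError("not a PKI token; validate it against Keystone")
    payload = subprocess.check_output(
        ["openssl", "cms", "-verify", "-certfile", signing_cert, "-CAfile",
         ca_cert, "-inform", "PEM", "-nosmimecap", "-nodetach", "-nocerts",
         "-noattr"],
        input=token_to_cms(token).encode(), stderr=subprocess.PIPE)
    return json.loads(payload)


if __name__ == "__main__":
    # usage: python pki_token.py TOKEN [SIGNING_CERT [CA_CERT]]
    args = sys.argv[1:]
    if not args:
        sys.exit("usage: pki_token.py TOKEN [SIGNING_CERT [CA_CERT]]")
    print(json.dumps(verify_token(*args), indent=2))
```

The -CAfile argument is what turns this from "is this well-formed CMS" into "was this issued by the Keystone I trust"; an offline validator that leaves it out, or passes -noverify, would accept tokens minted with any key.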
Jumping ahead: I found a bug (https://bugs.launchpad.net/keystone/+bug/1030912) and made a fix (https://review.openstack.org/#/c/10536/), and now I can do glance image-list. With that patch applied:
. openrc
glance image-list
And see the output:
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 24183da1-a891-45c7-b95b-ab586ae3bada | cirros-0.3.0-x86_64-uec-kernel  | aki         | aki              | 4731440  | active |
| 2d23e0e5-15a8-4086-9f32-5a227a298674 | cirros-0.3.0-x86_64-uec         | ami         | ami              | 25165824 | active |
| f1269acf-95e3-4512-a8f3-d13e63ab36ca | cirros-0.3.0-x86_64-uec-ramdisk | ari         | ari              | 2254249  | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
Testing the Web UI, I see that everything works there now, too, once I use the IP address to access the host.