How to configure SSL connections for OpenStack?

Introduction:

This chapter demonstrates how to enable SSL connections on OpenStack for your backup users.

If you have not worked with OpenStack before, you should first consult its general setup documentation at http://docs.openstack.org/.

If you already have OpenStack up and running, you can follow our steps to enable SSL connections.



Assumptions:

This is the OpenStack version used in the following examples:


These are the values used in the following examples:


Note: the value of the Keystone admin token can be found in the Keystone configuration file /etc/keystone/keystone.conf under the variable name "admin_token".



Requirements and preparation:

Before creating a tenant (project), user, role, storage quota and so on, configure the following variables in the bash profile and in the filter section of proxy-server.conf.

Step 1: Add environment variables to .bash_profile

For example (/root/.bash_profile)
----------------------------------------------------------------------------------------------------
    ... (trimmed) ...
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    ... (trimmed) ...
----------------------------------------------------------------------------------------------------

Log in again for the profile to take effect.

Note: the value of OS_SERVICE_TOKEN can be found in the Keystone configuration file /etc/keystone/keystone.conf under the variable name "admin_token".



Step 2: Configure SSL connections for keystone and swift

Edit the file /etc/keystone/keystone.conf to set up the SSL certificates.

Assuming you have placed valid certificates at
/etc/keystone/ssl_cert.pem
/etc/keystone/ssl_key.pem
/etc/keystone/cacert.pem


ssl_cert.pem is the public key (certificate) file,
ssl_key.pem is the private key file, and
cacert.pem is the CA root certificate file.

Because certificates issued by different CAs may be formatted differently, consult your CA's instructions for building the correct certificate chain.

For example (/etc/keystone/keystone.conf)
----------------------------------------------------------------------------------------------------
    ... (trimmed) ...

[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem

    ... (trimmed) ...
----------------------------------------------------------------------------------------------------


Step 3: Restart the keystone service

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------


Step 4: List the existing services and note down the swift ID

If the SSL certificate is not trusted, the '--insecure' option must be used.

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

The swift id is the value in the id column of the swift row (8b517bd82d4345c895384f9596a29880).



Step 5: List the existing swift service endpoints

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+---------------+----------------------------------+
|                id                |  region   | ...trimmed... |            service_id            |
+----------------------------------+-----------+---------------+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne |      ...      | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne |      ...      | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne |      ...      | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne |      ...      | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne |      ...      | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne |      ...      | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne |      ...      | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne |      ...      | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne |      ...      | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne |      ...      | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+---------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

Look up the row whose service_id is 8b517bd82d4345c895384f9596a29880; that is the endpoint of the swift service.



Step 6: Delete the insecure swift service endpoint

On that row the swift service endpoint has id a1af6685d3e04e5fa7b71f6c244f1393; delete it.

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted. 
[root@os ~]#
----------------------------------------------------------------------------------------------------


Step 7: Re-create the endpoint with https://

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne \
    --service-id=8b517bd82d4345c895384f9596a29880 \
    --publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' \
    --adminurl 'https://10.7.54.7:8080/v1' \
    --internalurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|  Property   |                   Value                      |
+-------------+----------------------------------------------+
|  adminurl   |           https://10.7.54.7:8080/v1          |
|     id      |        fb937c038fd34724bd7415fff3ee7736      |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|   region    |                 RegionOne                    |
| service_id  |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+ 
[root@os ~]#
----------------------------------------------------------------------------------------------------
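Steps 4 to 7 as a script, added here as an example and not part of the original guide: it parses service-list and endpoint-list tables (constructed samples, since the guide trimmed the URL columns, so the publicurl values are assumed) and prints, without running them, the delete and re-create commands for every swift endpoint still registered over http://.

```shell
#!/bin/sh
# Added example, not from the original guide: from `keystone service-list` and
# `keystone endpoint-list` output, find the swift endpoints still on plain http://
# and print the endpoint-delete / endpoint-create commands of steps 6 and 7.
# Nothing is executed. Both tables are constructed samples modelled on the guide;
# the guide trimmed its URL columns, so the publicurl values below are assumed.

SERVICE_LIST='+----------------------------------+----------+--------------+
|                id                |   name   |     type     |
+----------------------------------+----------+--------------+
| b3af7d0a95d34aa7883629df7a7f7f56 | keystone |   identity   |
| 8b517bd82d4345c895384f9596a29880 |  swift   | object-store |
| 11882e74696547b0ba1e4d276074ae37 | swift_s3 |      s3      |
+----------------------------------+----------+--------------+'

ENDPOINT_LIST='+----------------------------------+-----------+---------------------------------------------+----------------------------------+
|                id                |  region   |                  publicurl                  |            service_id            |
+----------------------------------+-----------+---------------------------------------------+----------------------------------+
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne | https://10.7.54.7:5000/v2.0                 | b3af7d0a95d34aa7883629df7a7f7f56 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | 8b517bd82d4345c895384f9596a29880 |
+----------------------------------+-----------+---------------------------------------------+----------------------------------+'

# service_id_by_name <name>: id column of the service-list row with that exact name.
service_id_by_name() {
    printf '%s\n' "$SERVICE_LIST" | awk -F'|' -v name="$1" '
        { gsub(/ /, "", $2); gsub(/ /, "", $3); if ($3 == name) print $2 }'
}

# insecure_endpoints <service_id>: "<endpoint id> <publicurl>" for each endpoint of
# that service whose publicurl is plain http://.
insecure_endpoints() {
    printf '%s\n' "$ENDPOINT_LIST" | awk -F'|' -v sid="$1" '
        { gsub(/ /, "", $2); gsub(/ /, "", $4); gsub(/ /, "", $5)
          if ($5 == sid && $4 ~ /^http:\/\//) print $2, $4 }'
}

# migration_commands: delete and re-create each insecure swift endpoint over https://;
# adminurl drops the /AUTH_%(tenant_id)s suffix, as in the guide's step 7 command.
migration_commands() {
    sid=$(service_id_by_name swift)
    insecure_endpoints "$sid" | while read -r eid url; do
        https_url=$(printf '%s' "$url" | sed 's#^http://#https://#')
        admin_url=$(printf '%s' "$https_url" | sed 's#/AUTH_%(tenant_id)s$##')
        echo "keystone --insecure endpoint-delete $eid"
        echo "keystone --insecure endpoint-create --region RegionOne --service-id=$sid" \
             "--publicurl '$https_url' --adminurl '$admin_url' --internalurl '$https_url'"
    done
}
```

Review the printed commands before pasting them into a root shell; on a live system the tables would come from the two keystone commands instead of the embedded samples.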


Step 8: Configure swift in /etc/swift/proxy-server.conf

Edit the file proxy-server.conf and add the settings shown in the example below (cert_file and key_file under [DEFAULT]; auth_protocol, auth_uri and insecure under [filter:authtoken]).

Assuming you have placed valid certificates at
/etc/swift/ssl_cert.pem
/etc/swift/ssl_key.pem


ssl_cert.pem is the public key (certificate) file, and
ssl_key.pem is the private key file.

Because certificates issued by different CAs may be formatted differently, consult your CA's instructions for building the correct certificate chain.

For example (/etc/swift/proxy-server.conf)
----------------------------------------------------------------------------------------------------
# This file is managed by puppet.  Do not edit
#
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
    ... (trimmed) ...
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
    ... (trimmed) ...

[filter:authtoken]
    ... (trimmed) ...
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------
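An added check for this configuration (example code, not from the original guide): it reads the settings above from a constructed copy of the snippet, reports a missing cert_file/key_file or a non-https auth_uri, and flags insecure = true, which makes the authtoken filter skip verification of the Keystone certificate; the hardened variant replaces that line with the authtoken cafile option pointing at the cacert.pem from step 2.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the proxy-server.conf settings
# that step 8 touches. Missing cert_file/key_file means the proxy still serves plain
# HTTP; `insecure = true` makes the authtoken filter accept any Keystone certificate.
# Both config texts are constructed samples; the first mirrors the guide's snippet.

GUIDE_CONF='[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem

[filter:authtoken]
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true'

# Same settings, but the Keystone certificate is verified against the CA file from
# step 2 instead of being skipped (cafile is a standard authtoken option).
HARDENED_CONF=$(printf '%s\n' "$GUIDE_CONF" | sed 's#^insecure = true$#cafile = /etc/keystone/cacert.pem#')

# conf_get <section> <key> <conf text>: value of key within [section], or nothing.
conf_get() {
    printf '%s\n' "$3" | awk -F'=' -v sec="[$1]" -v key="$2" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec { k = $1; gsub(/ /, "", k)
                 if (k == key) { sub(/^[^=]*= */, ""); print; exit } }'
}

# audit_conf <conf text>: one finding per line; no output means nothing to fix.
audit_conf() {
    for key in cert_file key_file; do
        [ -n "$(conf_get DEFAULT "$key" "$1")" ] || echo "missing: [DEFAULT] $key (proxy serves plain HTTP)"
    done
    case "$(conf_get filter:authtoken auth_uri "$1")" in
        https://*) ;;
        *) echo "weak: auth_uri is not https://" ;;
    esac
    case "$(conf_get filter:authtoken insecure "$1")" in
        [Tt]rue) echo "weak: insecure = true (Keystone certificate not verified; set cafile)" ;;
    esac
}
```

To audit the real file, pass `"$(cat /etc/swift/proxy-server.conf)"` to audit_conf instead of the embedded sample.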


Step 9: Restart the swift-related services

After modifying the configuration file /etc/swift/proxy-server.conf, restart the swift-related services.

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.

[root@os ~]#
----------------------------------------------------------------------------------------------------


Step 10: Test with the swift command

For example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat

       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 8
       Objects: 480
         Bytes: 189030388 
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------