如何为 OpenStack 配置 SSL 连线?

简介:

本章将示範如何为你的备份用户在 OpenStack 上启用 SSL 连线。

如果你未曾接触过 OpenStack,你应该先参考他们在 http://docs.openstack.org/ 的常规设置文档。

如果你已经有一个正在运行的 OpenStack,你可以按照我们的步骤来启用 SSL 连线。



假设:

这是在下列实例中使用的 OpenStack 版本:


这是在下列实例中使用的值:


注: Keystone admin 令牌的值可以在 Keystone 配置文件 /etc/keystone/keystone.conf 中的变量名 "admin_token" 找到。



要求和准备:

请在安装一个租户(项目),用户,角色和存储配额等之前把下列的变量在 bash 配置文件及 proxy-server.conf 中的过滤器配置好。

步骤 1: 在 .bash_profile 中添加环境变量

例如 (/root/.bash_profile)
----------------------------------------------------------------------------------------------------
    :
    :
  修剪
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  修剪
    :
    :
----------------------------------------------------------------------------------------------------

请重新登录,配置文件方能生效。

注: OS_SERVICE_TOKEN 的值可以在 Keystone 配置文件 /etc/keystone/keystone.conf 中的变量名 "admin_token" 找到。



步骤 2: 为 keystone 及 swift 配置 SSL 连线

编辑文件 /etc/keystone/keystone.conf 来设置 SSL 证书。

假设你已把有效的证书放置在
/etc/keystone/ssl_cert.pem
/etc/keystone/ssl_key.pem
/etc/keystone/cacert.pem


ssl_cert.pem 是公开金钥文件,
ssl_key.pem 是私密金钥文件,及
cacert.pem 是 CA Root 根凭证文件。

因为由各 CA 颁发的证书的格式可能不同,请查阅你的 CA 有关正确的证书链指令。

例如 (/etc/swift/proxy-server.conf)
----------------------------------------------------------------------------------------------------
    :
    :
    :
  修剪
    :
    :
    :

[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem

    :
    :
    :
  修剪
    :
    :
    :
----------------------------------------------------------------------------------------------------


步骤 3: 重新启动 keystone 服务

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------


步骤 4: 列出现有的服务,并记下 swift 的 ID

如果这是一个不可信的 SSL 证书,需要使用 '--insecure' 选项。

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

swift id 是以粗体显示。



步骤 5: 列出现有的 swift 服务端点

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+---                     ---+----------------------------------+
|                id                |  region   |    .......修剪........    |            service_id            |
+----------------------------------+-----------+---                     ---+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne |  h                     )s | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne |    .......修剪........    | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne |                           | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne |                        )s | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne |                           | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne | ht .......修剪........ )s | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne |                           | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | ht                        | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne |                           | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne |    .......修剪........ n  | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+---                     ---+----------------------------------+ 
[root@os ~]#
----------------------------------------------------------------------------------------------------

从 service_id=8b517bd82d4345c895384f9596a29880,查找对应的端点 swift 服务。



步骤 6: 删除不安全的 swift 服务端点

根据 id a1af6685d3e04e5fa7b71f6c244f1393 ,在同一行可发现 swift 服务的服务端点并把它删除。

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted. 
[root@os ~]#
----------------------------------------------------------------------------------------------------


步骤 7: 重新建立与 https:// 的端点

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne --service-id=8b517bd82d4345c895384f9596a29880 
--publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://10.7.54.7:8080/v1' --internalurl '
https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|  Property   |                   Value                      |
+-------------+----------------------------------------------+
|  adminurl   |           https://10.7.54.7:8080/v1          |
|     id      |        fb937c038fd34724bd7415fff3ee7736      |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|   region    |                 RegionOne                    |
| service_id  |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+ 
[root@os ~]#
----------------------------------------------------------------------------------------------------


步骤 8: 在 /etc/swift/proxy-server.conf 设定 swift

在 proxy-server.conf 中编辑文件,添加在下面以 红色 的例子。

假设你已把有效的证书放置在
/etc/swift/ssl_cert.pem
/etc/swift/ssl_key.pem


ssl_cert.pem 是公开金钥文件,及
ssl_key.pem 是私密金钥文件。

因为由各 CA 颁发的证书的格式可能不同,请查阅你的 CA 有关正确的证书链指令。

例如 (/etc/swift/proxy-server.conf)
----------------------------------------------------------------------------------------------------
# This file is managed by puppet.  Do not edit
#
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
    :
    :
    :
  修剪
    :
    :
    :
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
    :
    :
    :
  修剪
    :
    :
    :

[filter:authtoken]
    :
    :
    :
  修剪
    :
    :
    :
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------


步骤 9: 重新启动 swift 相关的服务

修改配置文件 /etc/swift/proxy-server.conf 後 ,重新启动 swift 相关的服务。

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.

[root@os ~]#
----------------------------------------------------------------------------------------------------


步骤 10: 以 swift 指令测试

例如
----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat

       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 8
       Objects: 480
         Bytes: 189030388 
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------