
Installing the barbican service

苏墨竹
2023-12-01

Preface

When using cinder encrypted volumes, giving each cinder volume its own unique encryption key means fixed_key can no longer be used, so the barbican service is installed to provide the key service.

This uses the Ocata (O) release on a CentOS server.

Preparation

Create the database

$ mysql -u root -p

CREATE DATABASE barbican;

GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
  IDENTIFIED BY 'BARBICAN_DBPASS';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
  IDENTIFIED BY 'BARBICAN_DBPASS';

exit;

Create the user and roles

$ source admin-openrc
$ openstack user create --domain default --password-prompt barbican
$ openstack role add --project service --user barbican admin
$ openstack role create creator
$ openstack role add --project service --user barbican creator
$ openstack service create --name barbican --description "Key Manager" key-manager

Create the endpoints

$ openstack endpoint create --region RegionOne \
  key-manager public http://controller:9311
$ openstack endpoint create --region RegionOne \
  key-manager internal http://controller:9311
$ openstack endpoint create --region RegionOne \
  key-manager admin http://controller:9311

Install the components

# yum install openstack-barbican-api

Edit /etc/barbican/barbican.conf

[DEFAULT]
...
sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
transport_url = rabbit://openstack:RABBIT_PASS@controller

Configure Keystone authentication

[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN_PASS

Edit /etc/barbican/barbican-api-paste.ini

[pipeline:barbican_api]
pipeline = cors authtoken context apiapp

Populate the database

$ su -s /bin/sh -c "barbican-manage db upgrade" barbican

Create /etc/httpd/conf.d/wsgi-barbican.conf

Listen 9311
<VirtualHost  *:9311>
    #ServerName server101.e3cloud.com

    ## Logging
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/barbican_wsgi_main_error_ssl.log
    LogLevel debug
    ServerSignature Off
    CustomLog /var/log/httpd/barbican_wsgi_main_access_ssl.log combined

    WSGIApplicationGroup %{GLOBAL}
    WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
    WSGIProcessGroup barbican-api
    WSGIScriptAlias / /usr/lib/python2.7/site-packages/barbican/api/app.wsgi
    WSGIPassAuthorization On

    <Directory /usr/lib>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Restart the service

# systemctl enable httpd.service
# systemctl start httpd.service

Verification

$ . admin-openrc

$ openstack secret store --name mysecret --payload j4=]d21

+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa |
| Name          | mysecret                                                              |
| Created       | None                                                                  |
| Status        | None                                                                  |
| Content types | None                                                                  |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+

$ openstack secret get http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa

+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa |
| Name          | mysecret                                                              |
| Created       | 2016-08-16 16:04:10+00:00                                             |
| Status        | ACTIVE                                                                |
| Content types | {u'default': u'application/octet-stream'}                             |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+
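The two CLI calls above do the round trip by hand. The script below is an added example, not part of the original post and not barbican's own client code: it performs the same store-and-read-back check against the Barbican v1 REST API using only the Python standard library, and adds one check a practitioner wants after this install: that the "Secret href" the server returns lives on the same host as the registered endpoint (in the output above the endpoint is controller:9311 but the href points at 10.0.2.15, which comes from the host_href setting in barbican.conf). The token, endpoint and the in-memory FakeBarbican class are assumptions constructed here so the code runs offline; against a real deployment you would pass a Keystone token and leave the default transport in place.

```python
# Added example (not from the original post): verify a Barbican install by
# round-tripping a secret through the v1 REST API. The HTTP transport is
# injectable so the same code runs against a real endpoint or the fake below.
import json
import uuid
import urllib.request
from urllib.parse import urlparse


def _http(method, url, token, body=None, accept="application/json"):
    """Default transport: one HTTP call carrying a Keystone token (assumed valid)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", token)
    req.add_header("Accept", accept)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def store_secret(base_url, token, name, payload, http=_http):
    """POST /v1/secrets with the same attributes the CLI used; returns secret_ref."""
    body = {"name": name, "payload": payload, "payload_content_type": "text/plain",
            "secret_type": "opaque", "algorithm": "aes", "bit_length": 256, "mode": "cbc"}
    status, raw = http("POST", base_url.rstrip("/") + "/v1/secrets", token, body)
    if status != 201:
        raise RuntimeError("secret store failed: HTTP %d" % status)
    return json.loads(raw)["secret_ref"]


def get_secret_metadata(token, secret_ref, http=_http):
    """GET the secret's metadata (what 'openstack secret get' prints)."""
    status, raw = http("GET", secret_ref, token)
    if status != 200:
        raise RuntimeError("secret get failed: HTTP %d" % status)
    return json.loads(raw)


def get_secret_payload(token, secret_ref, http=_http):
    """GET /v1/secrets/<id>/payload as text/plain."""
    status, raw = http("GET", secret_ref + "/payload", token, accept="text/plain")
    if status != 200:
        raise RuntimeError("payload get failed: HTTP %d" % status)
    return raw.decode()


def check_href_matches_endpoint(base_url, secret_ref):
    """host_href in barbican.conf must match the registered endpoint; otherwise
    every client (cinder included) is handed refs that point at another host."""
    return urlparse(base_url).netloc == urlparse(secret_ref).netloc


def verify_install(base_url, token, http=_http):
    """Store, read back and compare; returns a dict of named check results."""
    secret_ref = store_secret(base_url, token, "mysecret", "j4=]d21", http)
    meta = get_secret_metadata(token, secret_ref, http)
    payload = get_secret_payload(token, secret_ref, http)
    return {"status_active": meta.get("status") == "ACTIVE",
            "payload_roundtrip": payload == "j4=]d21",
            "href_matches_endpoint": check_href_matches_endpoint(base_url, secret_ref)}


class FakeBarbican:
    """Constructed in-memory stand-in for the v1 API so this runs offline.
    host_href is the host written into returned refs, mirroring the
    barbican.conf option of the same name."""

    def __init__(self, host_href):
        self.host_href = host_href.rstrip("/")
        self.secrets = {}

    def __call__(self, method, url, token, body=None, accept="application/json"):
        if not token:                      # authtoken middleware rejects missing tokens
            return 401, b""
        path = urlparse(url).path
        if method == "POST" and path == "/v1/secrets":
            sid = str(uuid.uuid4())
            self.secrets[sid] = body
            return 201, json.dumps({"secret_ref": "%s/v1/secrets/%s" % (self.host_href, sid)}).encode()
        parts = path.strip("/").split("/")
        if method == "GET" and len(parts) >= 3 and parts[:2] == ["v1", "secrets"]:
            sec = self.secrets.get(parts[2])
            if sec is None:
                return 404, b""
            if len(parts) == 4 and parts[3] == "payload":
                return 200, sec["payload"].encode()
            return 200, json.dumps({"status": "ACTIVE", "name": sec["name"],
                                    "algorithm": sec["algorithm"]}).encode()
        return 404, b""


if __name__ == "__main__":
    endpoint = "http://controller:9311"   # assumed endpoint, as registered above
    print(verify_install(endpoint, "fake-token", FakeBarbican(endpoint)))
    # host_href pointing at another host: the round trip works, the href check fails
    print(verify_install(endpoint, "fake-token", FakeBarbican("http://10.0.2.15:9311")))
```

Against a real controller, call verify_install("http://controller:9311", token) with a token obtained from Keystone; a False in href_matches_endpoint means host_href in barbican.conf should be set to the public endpoint URL before cinder is pointed at this service.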

Configuring cinder to use barbican: https://docs.openstack.org/ocata/config-reference/block-storage/volume-encryption.html

References:
https://docs.openstack.org/project-install-guide/key-manager/ocata/install-rdo.html
https://docs.openstack.org/ocata/config-reference/block-storage/volume-encryption.html
http://blog.csdn.net/u011211976/article/details/78970642
