Enable https and tokenless auth for keystone

enable https for keystone

Actually it's quite easy: first load Apache's mod_ssl module, then the only thing left to do is change wsgi-keystone.conf:

like this:

<VirtualHost *:5000>
...
SSLEngine on
SSLCertificateKeyFile /path/to/key-file.pem
SSLCertificateFile /path/to/server.cer
...
</VirtualHost>

If your server certificate is not signed directly by the root CA, you also need the intermediate CA certificates. Note that SSLCertificateChainFile became obsolete with Apache 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

Read More

Setup your own CA

Recently our project needed tokenless auth for Keystone, which means a client or service can authenticate with a client certificate, without a token issued by Keystone.

The following steps are the experiment I did on my development environment; the OS is CentOS 7 and my user account is andrew, so change it to your own account accordingly.

Setup my own CA

First, we need to set up a CA to sign our client certificates.

Install openssl:

sudo yum install openssl

After openssl is installed, find the openssl config file and change the CA's data directory.

[root@localhost ~]# locate openssl.cnf
/etc/pki/tls/openssl.cnf
/usr/share/man/man5/openssl.cnf.5ssl.gz

Change the dir configuration in the openssl.cnf file:

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

#dir = /etc/pki/CA # Where everything is kept
dir = /home/andrew/CA # Where everything is kept

Read More

Atom tips

Set Atom's font

Settings -> Open Config Folder, then edit styles.less there:

// Change the editor font
atom-text-editor {
// color: white;
// background-color: hsl(180, 24%, 12%);
font-family: YaHei Consolas Hybrid;
}

// Change the font of the tabs, the tree view and the tab bar
html, body, .tree-view, .tab-bar .tab {
font-family: YaHei Consolas Hybrid;
}

Vagrant with multiple VMs

A recent task required using Vagrant and VirtualBox from the CentOS terminal. It turned out that VirtualBox's command-line support is very good, and that Vagrant's Vagrantfile can in fact manage multiple VMs.

For Vagrant's multi-machine definitions, see the Vagrant documentation: vagrant MULTI-MACHINE

Set the hostname

config.vm.define "osd1" do |osd1|
osd1.vm.hostname = "osd1"
end

Read More

Configuring multiple domains in Keystone and using LDAP as the identity backend

In a recent project, OpenStack's Keystone needed some configuration so that company accounts could be used to log in to OpenStack.

The company accounts are stored in Active Directory, but our AD access is read-only.

Keystone currently supports separating identity from assignment, so the configuration followed this article: KEYSTONE: LDAP FOR IDENTITY, SQL FOR ASSIGNMENT

The end result: a new domain is added whose user information is kept in AD (Active Directory), and users of that domain can log in to Horizon with their LDAP username and password.

Read More

Hadoop ports

Default ports of the Hadoop components:

Application             Port    Description
zookeeper               2181    zookeeper client port
zookeeper               3888    server port to connect to leader
kafka                   9092
hadoop-ResourceManager  8088    yarn.resourcemanager.webapp.address
hadoop-ResourceManager  8030    yarn.resourcemanager.scheduler.address
hadoop-ResourceManager  8031    yarn.resourcemanager.resource-tracker.address
hadoop-ResourceManager  8032    yarn.resourcemanager.address
hadoop-ResourceManager  8033    yarn.resourcemanager.admin.address
hadoop-NodeManager      8040    yarn.nodemanager.localizer.address
hadoop-NodeManager      8042    yarn.nodemanager.webapp.address
hadoop-DataNode         50010   dfs.datanode.address
hadoop-DataNode         50020   dfs.datanode.ipc.address
hadoop-NameNode         8020    dfs.namenode.rpc-address
hadoop-NameNode         50070   dfs.namenode.http-address
hadoop-ha               8485    dfs.namenode.shared.edits.dir
hadoop-ha               8480    dfs.journalnode.http-address
hadoop-ha               8019    dfs.ha.zkfc.port (for DFSZKFailoverController)
spark                   7077    master
spark                   8080    web

Configuring Jenkins to send e-mail

While setting up the project's Jenkins environment recently, I wanted a feature: after every build, check whether the branch that was built is the latest code on GitHub.

Then send the result of the check out by e-mail.

Get the latest commit information from GitHub

For how to call the GitHub API, see the previous post, "Calling the GitHub API from a script". The API used is: List commits on a repository

This API can address a specific branch through the path. The response looks like this; the sha is the commit information we need:

# curl -H "Authorization:token 5c67b248e17ba2f225fd4fa52ca7xxxxxxxxxxxxx" https://api.github.com/repos/liuhongjiang/gittest/commits/release/v3
{
"sha": "a20fbae206c9b31187ed70f0901ef08cf2eeb26a",
"commit": {
"author": {
"name": "liuhongjiang",
"email": "andrew.lhj@gmail.com",
"date": "2015-07-28T00:56:55Z"
},
"committer": {
"name": "liuhongjiang",
"email": "andrew.lhj@gmail.com",
"date": "2015-07-28T00:56:55Z"
},
"message": "v3",
"tree": {
"sha": "b847aed05d03a78d0ab53189a371ba40dea50a62",
"url": "https://api.github.com/repos/liuhongjiang/gittest/git/trees/b847aed05d03a78d0ab53189a371ba40dea50a62"
},
"url": "https://api.github.com/repos/liuhongjiang/gittest/git/commits/a20fbae206c9b31187ed70f0901ef08cf2eeb26a",
"comment_count": 0
},
.......
}

Read More

Calling the GitHub API from a script

While setting up the project's Jenkins environment recently, I wanted a feature: after every build, check whether the branch that was built is the latest code on GitHub.

So I wanted a script in Jenkins that fetches the latest commit information from GitHub, which can be done through the GitHub API.

Access the API directly

The simplest way is to access the GitHub API directly with a username and password:

curl -u "liuhongjiang:{password}" https://api.github.com
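As an added example (not code from these posts), the following Python script puts the two pieces together: it builds the authenticated request for the "List commits on a repository" endpoint, using either the token header shown in the curl call of the Jenkins post or the username/password basic auth shown just above, and it parses the sha out of the response so a Jenkins job can tell whether the commit it built is still the head of the branch. The function names (`build_request`, `latest_sha`, `is_up_to_date`, `report`, `fetch_latest_sha`) are my own, the sample response is a constructed, trimmed copy of the JSON quoted in the Jenkins post, and the token value is a placeholder.

```python
"""Check whether a Jenkins build's commit is the head of a GitHub branch."""
import base64
import json
import urllib.request

# Constructed sample response, trimmed to the fields this check needs. Its
# layout mirrors the "List commits on a repository" response quoted in the
# Jenkins post; the sha is the value the check cares about.
SAMPLE_RESPONSE = json.dumps({
    "sha": "a20fbae206c9b31187ed70f0901ef08cf2eeb26a",
    "commit": {
        "author": {"name": "liuhongjiang", "date": "2015-07-28T00:56:55Z"},
        "message": "v3",
    },
})


def build_request(owner, repo, branch, token=None, user=None, password=None):
    """Build (but do not send) the GET request for a branch's latest commit.

    A personal access token is sent as "Authorization: token ..." (the form
    used by the curl call above); otherwise a username/password pair is sent
    as HTTP basic auth (the form curl -u uses). Prefer the token: it can be
    scoped and revoked without touching the account password.
    """
    url = f"https://api.github.com/repos/{owner}/{repo}/commits/{branch}"
    req = urllib.request.Request(url)
    req.add_header("Accept", "application/vnd.github.v3+json")
    if token:
        req.add_header("Authorization", f"token {token}")
    elif user and password:
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {creds}")
    return req


def latest_sha(response_body):
    """Extract the head commit sha from the commits API response body."""
    data = json.loads(response_body)
    sha = data.get("sha")
    # A full SHA-1 is 40 hex chars; anything else means an error payload
    # (rate limit, bad branch, expired token) rather than a commit object.
    if not isinstance(sha, str) or len(sha) != 40:
        raise ValueError("response carries no 40-character commit sha")
    return sha.lower()


def is_up_to_date(build_sha, response_body):
    """True when the commit Jenkins built is the branch head on GitHub."""
    return build_sha.strip().lower() == latest_sha(response_body)


def report(branch, build_sha, response_body):
    """Plain-text summary suitable for the body of the notification mail."""
    head = latest_sha(response_body)
    status = "UP TO DATE" if build_sha.strip().lower() == head else "STALE"
    return (f"branch: {branch}\n"
            f"built:  {build_sha}\n"
            f"head:   {head}\n"
            f"result: {status}\n")


def fetch_latest_sha(owner, repo, branch, token):
    """Network version: send the request and return the head sha."""
    req = build_request(owner, repo, branch, token=token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return latest_sha(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration against the constructed response; in a Jenkins
    # job the build sha would come from GIT_COMMIT and the response from
    # fetch_latest_sha() with the token read from a credentials binding.
    print(report("release/v3", "a20fbae206c9b31187ed70f0901ef08cf2eeb26a",
                 SAMPLE_RESPONSE))
```

In a Jenkins job the token should come from a credentials binding rather than being pasted into the script, and the comparison should be case-insensitive since GIT_COMMIT and the API both return hex but not necessarily in the same case.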

Read More