解读先电2.4 iaas-install-barbican.sh 脚本

该脚本展示了如何在OpenStack环境中部署和配置Barbican密钥管理服务。包括安装Barbican、创建数据库、设置权限、配置Keystone认证、更新配置文件、启动httpd服务以及远程更新Cinder和Nova配置,以使用Barbican作为密钥管理者。


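#!/bin/bash
#2020-01-08 14:11:15
# Install and configure the Barbican key-manager service on the controller,
# register it in Keystone, front it with httpd/mod_wsgi on port 9311, and
# point Cinder/Nova (locally and on the "compute" host) at it.
#
# Required variables (expected from the two sourced files):
#   DB_PASS, BARBICAN_DBPASS, BARBICAN_PASS, DOMAIN_NAME, HOST_NAME, HOST_IP,
#   RABBIT_USER, RABBIT_PASS
source /etc/xiandian/openrc.sh
source /etc/keystone/admin-openrc.sh

die() { printf '%s\n' "$*" >&2; exit 1; }

# Abort before touching the DB or Keystone if any secret/host value is empty;
# otherwise an empty password would silently be granted/registered.
: "${DB_PASS:?DB_PASS must be set}"
: "${BARBICAN_DBPASS:?BARBICAN_DBPASS must be set}"
: "${BARBICAN_PASS:?BARBICAN_PASS must be set}"
: "${DOMAIN_NAME:?DOMAIN_NAME must be set}"
: "${HOST_NAME:?HOST_NAME must be set}"
: "${HOST_IP:?HOST_IP must be set}"
: "${RABBIT_USER:?RABBIT_USER must be set}"
: "${RABBIT_PASS:?RABBIT_PASS must be set}"

yum install -y openstack-barbican-api cryptsetup || die "package install failed"

# Hand the MariaDB root password to the client through the environment instead
# of -p<password> on argv, so it is not visible in `ps` to other local users.
export MYSQL_PWD=$DB_PASS
mysql -uroot -e "create database IF NOT EXISTS barbican ;" || die "cannot create barbican database"
mysql -uroot -e "GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' IDENTIFIED BY '$BARBICAN_DBPASS' ;"
mysql -uroot -e "GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' IDENTIFIED BY '$BARBICAN_DBPASS' ;"
unset MYSQL_PWD

# --or-show makes a re-run idempotent instead of failing on "already exists".
# NB: --password still places the secret on argv for the duration of the call.
openstack user create --domain "$DOMAIN_NAME" --password "$BARBICAN_PASS" --or-show barbican
openstack role add --project service --user barbican admin
openstack role create --or-show creator
openstack role add --project service --user barbican creator
openstack service create --name barbican --description "Key Manager" key-manager

# Endpoints are plain HTTP: secrets cross the wire unencrypted between services.
openstack endpoint create --region RegionOne key-manager public "http://$HOST_NAME:9311"
openstack endpoint create --region RegionOne key-manager internal "http://$HOST_NAME:9311"
openstack endpoint create --region RegionOne key-manager admin "http://$HOST_NAME:9311"

crudini --set /etc/barbican/barbican.conf DEFAULT sql_connection "mysql+pymysql://barbican:$BARBICAN_DBPASS@$HOST_NAME/barbican"
crudini --set /etc/barbican/barbican.conf DEFAULT transport_url "rabbit://$RABBIT_USER:$RABBIT_PASS@$HOST_NAME"

# Keystone authentication for the Barbican API
crudini --set /etc/barbican/barbican.conf keystone_authtoken www_authenticate_uri "http://$HOST_NAME:5000"
crudini --set /etc/barbican/barbican.conf keystone_authtoken auth_url "http://$HOST_NAME:35357"
crudini --set /etc/barbican/barbican.conf keystone_authtoken memcached_servers "$HOST_NAME:11211"
crudini --set /etc/barbican/barbican.conf keystone_authtoken auth_type password
crudini --set /etc/barbican/barbican.conf keystone_authtoken project_domain_name "$DOMAIN_NAME"
crudini --set /etc/barbican/barbican.conf keystone_authtoken user_domain_name "$DOMAIN_NAME"
crudini --set /etc/barbican/barbican.conf keystone_authtoken project_name service
crudini --set /etc/barbican/barbican.conf keystone_authtoken username barbican
crudini --set /etc/barbican/barbican.conf keystone_authtoken password "$BARBICAN_PASS"

# Set the barbican_api paste pipeline to "cors authtoken context apiapp" so every
# request goes through the Keystone authtoken filter before reaching the app.
crudini --set /etc/barbican/barbican-api-paste.ini pipeline:barbican_api pipeline "cors authtoken context apiapp"
# Use Barbican as the key-manager backend for the local Cinder and Nova.
crudini --set /etc/cinder/cinder.conf key_manager backend barbican
crudini --set /etc/nova/nova.conf key_manager backend barbican

# Sync the database schema
su -s /bin/sh -c "barbican-manage db upgrade" barbican || die "barbican db upgrade failed"


# Create the httpd listener for the Barbican WSGI app.
# LogLevel debug is very verbose and may write request details to the error
# log; lower it once the install is verified.
cat > /etc/httpd/conf.d/wsgi-barbican.conf <<-EOF
Listen 9311
<VirtualHost  *:9311>

    ## Logging
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/barbican_wsgi_main_error_ssl.log
    LogLevel debug
    ServerSignature Off
    CustomLog /var/log/httpd/barbican_wsgi_main_access_ssl.log combined

    WSGIApplicationGroup %{GLOBAL}
    WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
    WSGIProcessGroup barbican-api
    WSGIScriptAlias / /usr/lib/python2.7/site-packages/barbican/api/app.wsgi
    WSGIPassAuthorization On

    <Directory /usr/lib>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
EOF

systemctl enable httpd.service
systemctl restart httpd.service memcached || die "failed to restart httpd/memcached"
systemctl restart openstack-nova-* openstack-cinder-api

# The unquoted EOF means $HOST_IP is expanded here, on the controller, before
# the commands are sent to the compute host -- that is intended.
ssh -tt compute << EOF
crudini --set /etc/cinder/cinder.conf key_manager backend barbican
crudini --set /etc/cinder/cinder.conf barbican barbican_endpoint http://$HOST_IP:9311
crudini --set /etc/cinder/cinder.conf barbican auth_endpoint http://$HOST_IP/identity/v3
crudini --set /etc/nova/nova.conf key_manager backend barbican
crudini --set /etc/nova/nova.conf barbican barbican_endpoint http://$HOST_IP:9311
crudini --set /etc/nova/nova.conf barbican auth_endpoint http://$HOST_IP/identity/v3
systemctl restart openstack-nova-* openstack-cinder-*
exit
EOF

# openstack volume type create --encryption-provider luks --encryption-cipher aes-xts-plain64 --encryption-key-size 256 --encryption-control-location front-end LUKS
# openstack secret store --name mysecret --payload j4=]d21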

barbican简介:https://blog.youkuaiyun.com/zhongbeida_xue/article/details/103585681 或 https://blog.youkuaiyun.com/hxpjava1/article/details/86799303

注:Barbican项目是为包含云服务在内的任何环境提供密钥管理功能。
