Installing the Barbican service

Source: Internet  Editor: 程序博客网  Time: 2024/06/07 20:12

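Preface

When using Cinder encrypted volumes, each Cinder volume should get its own unique encryption key, which means fixed_key can no longer be used. Barbican is therefore installed to provide the key service.

This walkthrough uses the O (Ocata) release on CentOS servers.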

Preparation

Create the database

$ mysql -u root -p
CREATE DATABASE barbican;
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' IDENTIFIED BY 'BARBICAN_DBPASS';
GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' IDENTIFIED BY 'BARBICAN_DBPASS';
exit;

Create the user and roles

$ source admin-openrc
$ openstack user create --domain default --password-prompt barbican
$ openstack role add --project service --user barbican admin
$ openstack role create creator
$ openstack role add --project service --user barbican creator
$ openstack service create --name barbican --description "Key Manager" key-manager

Create the endpoints

$ openstack endpoint create --region RegionOne \
  key-manager public http://controller:9311
$ openstack endpoint create --region RegionOne \
  key-manager internal http://controller:9311
$ openstack endpoint create --region RegionOne \
  key-manager admin http://controller:9311

Install the components

# yum install openstack-barbican-api

Edit /etc/barbican/barbican.conf

[DEFAULT]
...
sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican

[DEFAULT]
...
transport_url = rabbit://openstack:RABBIT_PASS@controller

Configure Keystone

[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = BARBICAN_PASS

Edit /etc/barbican/barbican-api-paste.ini

[pipeline:barbican_api]
pipeline = cors authtoken context apiapp

Then populate the Barbican database:

$ su -s /bin/sh -c "barbican-manage db upgrade" barbican

Create /etc/httpd/conf.d/wsgi-barbican.conf

Listen 9311
<VirtualHost *:9311>
    #ServerName server101.e3cloud.com

    ## Logging
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/barbican_wsgi_main_error_ssl.log
    LogLevel debug
    ServerSignature Off
    CustomLog /var/log/httpd/barbican_wsgi_main_access_ssl.log combined

    WSGIApplicationGroup %{GLOBAL}
    WSGIDaemonProcess barbican-api display-name=barbican-api group=barbican processes=2 threads=8 user=barbican
    WSGIProcessGroup barbican-api
    WSGIScriptAlias / /usr/lib/python2.7/site-packages/barbican/api/app.wsgi
    WSGIPassAuthorization On

    <Directory /usr/lib>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Restart the service

# systemctl enable httpd.service
# systemctl start httpd.service

Verify

$ . admin-openrc
$ openstack secret store --name mysecret --payload j4=]d21
+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa |
| Name          | mysecret                                                              |
| Created       | None                                                                  |
| Status        | None                                                                  |
| Content types | None                                                                  |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+

$ openstack secret get http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa
+---------------+-----------------------------------------------------------------------+
| Field         | Value                                                                 |
+---------------+-----------------------------------------------------------------------+
| Secret href   | http://10.0.2.15:9311/v1/secrets/655d7d30-c11a-49d9-a0f1-34cdf53a36fa |
| Name          | mysecret                                                              |
| Created       | 2016-08-16 16:04:10+00:00                                             |
| Status        | ACTIVE                                                                |
| Content types | {u'default': u'application/octet-stream'}                             |
| Algorithm     | aes                                                                   |
| Bit length    | 256                                                                   |
| Secret type   | opaque                                                                |
| Mode          | cbc                                                                   |
| Expiration    | None                                                                  |
+---------------+-----------------------------------------------------------------------+
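
As an added example (not part of the original post and not Barbican project code), this Python script audits a barbican.conf for two things the configuration above leaves to the operator: the guide's placeholder passwords and the plain-HTTP Keystone URLs. The sample config is constructed from the values shown on this page, and the function names are hypothetical.

```python
import configparser
from urllib.parse import urlsplit

# Placeholder secrets from the walkthrough above; they must never reach production.
PLACEHOLDERS = {"BARBICAN_DBPASS", "RABBIT_PASS", "BARBICAN_PASS"}
CRED_URLS = {"sql_connection", "transport_url"}  # URLs with embedded credentials
KEYSTONE_URLS = {"auth_uri", "auth_url"}         # URLs that carry tokens/passwords

def check_option(option, value):
    """Return a list of finding strings for one option/value pair."""
    found = []
    if option == "password" and value in PLACEHOLDERS:
        found.append("placeholder password")
    if option in CRED_URLS and urlsplit(value).password in PLACEHOLDERS:
        found.append("placeholder password in URL")
    if option in KEYSTONE_URLS and urlsplit(value).scheme == "http":
        found.append("cleartext HTTP to Keystone")
    return found

def audit_barbican_conf(text):
    """Parse barbican.conf text and return (section, option, finding) tuples."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    defaults = cp.defaults()
    results = []
    for option, value in defaults.items():
        results += [("DEFAULT", option, f) for f in check_option(option, value)]
    for section in cp.sections():
        for option, value in cp.items(section):
            if defaults.get(option) == value:
                continue  # inherited from [DEFAULT], already reported
            results += [(section, option, f) for f in check_option(option, value)]
    return results

# Constructed sample: the values shown on this page, left unchanged.
SAMPLE_AS_WRITTEN = """
[DEFAULT]
sql_connection = mysql+pymysql://barbican:BARBICAN_DBPASS@controller/barbican
transport_url = rabbit://openstack:RABBIT_PASS@controller

[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
password = BARBICAN_PASS
"""

if __name__ == "__main__":
    for section, option, finding in audit_barbican_conf(SAMPLE_AS_WRITTEN):
        print(f"[{section}] {option}: {finding}")
```

An empty result means none of these specific issues were found; it does not cover the endpoint URLs registered in Keystone or the Apache virtual host.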

Reference:
https://docs.openstack.org/project-install-guide/key-manager/ocata/install-rdo.html
