Openstack swift and keystone docker container

What is this container ?

This container was created to enable integration testing against swift, it is therefore NOT SECURE AND SHOULD NOT BE USED IN PRODUCTION.

The container starts both a swift and a keystone service so that integration tests can run against all 3 of swift's authentication modes (swift's internal tempAuth, keystone Identity v2 API and keystone Identity v3 API) with a single container.

This container was written from scratch from the openstack installation documentation for keystone and swift. However it was also written after study of existing containers.

Note that I decided against using Kolla since it is still in an early stage, and the corresponding containers only seem to run if you run them through kolla as they require an external configuration file. I was unable to make them work or to find out what the configuration file should look like. However, if you want to deploy production systems this could be the best solution.

Versions

This container is based on Ubuntu 16.04 and uses the ubuntu cloud-archive repository for openstack pike.

It embeds:

  • keystone 12.0.0

  • Swift 2.15.1

This specific release was chosen on purpose as it is the last release to support all 3 authentication protocols for swift: Identity v2, Identity v3 and tempAuth. Starting with openstack queens, the deprecated Identity v2 was removed. Since some hosting companies still use that protocol and the app I am testing (apache james) could be used against any provider, I needed to test all three protocols.

How to use this container

I start the container using the following command:

docker run -d --rm  -p 5000 -p 35357 -p 8080 --name keystone jeantil/openstack-keystone-swift:pike

By default the container's keystone integration is not fully configured. The tempAuth works fine though.

To complete the keystone integration you must run the /swift/bin/register-swift-endpoint.sh script inside the container with the appropriate endpoint url provided. This is necessary because keystone returns the endpoint url in the authentication response, so it has to know where the client expects to connect.

If you only need to expose the port on the docker internal network you can use the following command:

docker exec -it keystone /swift/bin/register-swift-endpoint.sh http://127.0.0.1:8080/

However, if you need to access the container from the outside using the docker port mapping feature, you will need to register against the port chosen by docker, which can be found using docker ps.

For example, given the following docker ps output:

$ docker ps
CONTAINER ID        IMAGE                                   COMMAND                  CREATED             STATUS              PORTS                                                                        NAMES
40cd064477b5        jeantil/openstack-keystone-swift:pike   "/swift/bin/launch.sh"   15 minutes ago      Up 15 minutes       0.0.0.0:32920->5000/tcp, 0.0.0.0:32919->8080/tcp, 0.0.0.0:32918->35357/tcp   keystone

use

docker exec -it keystone /swift/bin/register-swift-endpoint.sh http://127.0.0.1:32919/

to complete the keystone setup. Once this is done you can use one of the preconfigured credentials to authenticate against the container.
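
The steps above as one script, an added example that is not part of the original README. It assumes you want the ports published on 127.0.0.1 only (the README's command publishes them on all interfaces), reads the host port docker picked for 8080/tcp and registers it. The helper names host_port_for, swift_endpoint_url and start_and_register are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of the original README.
# IMAGE, NAME and the script path come from the README; function names are hypothetical.
IMAGE=jeantil/openstack-keystone-swift:pike
NAME=keystone

# Extract the host port mapped to a container port from a `docker ps` PORTS
# column, e.g. "0.0.0.0:32919->8080/tcp" gives 32919. Prints nothing if unmapped.
host_port_for() {
  local ports="$1"
  local container_port="$2"
  printf '%s\n' "$ports" | tr ',' '\n' |
    sed -n "s/^ *[^ ]*:\([0-9][0-9]*\)->${container_port}\/tcp\$/\1/p" | head -n 1
}

# Build the endpoint URL that register-swift-endpoint.sh expects.
swift_endpoint_url() {
  local port
  port=$(host_port_for "$1" 8080)
  [ -n "$port" ] || return 1
  printf 'http://127.0.0.1:%s/\n' "$port"
}

# Start the container with loopback-only bindings (assumption: tests run on
# the docker host), then register the swift endpoint keystone should return.
start_and_register() {
  docker run -d --rm -p 127.0.0.1::5000 -p 127.0.0.1::35357 -p 127.0.0.1::8080 \
    --name "$NAME" "$IMAGE" >/dev/null || return 1
  local ports url
  ports=$(docker ps --filter "name=^${NAME}\$" --format '{{.Ports}}')
  url=$(swift_endpoint_url "$ports") || { echo "8080/tcp is not published" >&2; return 1; }
  docker exec "$NAME" /swift/bin/register-swift-endpoint.sh "$url"
}

# Constructed sample: the PORTS column from the docker ps output shown above.
SAMPLE_PORTS='0.0.0.0:32920->5000/tcp, 0.0.0.0:32919->8080/tcp, 0.0.0.0:32918->35357/tcp'
swift_endpoint_url "$SAMPLE_PORTS"
```

Call start_and_register from the test setup; nothing in the block touches docker until that function is invoked.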

For convenience, the following commands are available in the container :

Preconfigured credentials

This is why this container is highly insecure: the credentials, including the administrative account, are fixed and public. You really don't want that in production, but for a short-lived container used for tests only it shouldn't be an issue.

Keystone Identity v3 accounts

Default endpoint http://127.0.0.1:35357/v3

Administrative account

export OS_USERNAME=admin
export OS_PASSWORD=7a04a385b907caca141f
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

swift service account

export OS_USERNAME=swift
export OS_PASSWORD=fingertips
export OS_PROJECT_NAME=service
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

demo user account

export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_PROJECT_NAME=test
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

Keystone Identity v2 accounts

Note that Keystone Identity V2 is deprecated and was removed after the openstack pike release.

Default endpoint http://127.0.0.1:35357/v2.0

Administrative account

USERNAME=admin
PASSWORD=7a04a385b907caca141f
TENANT_NAME=admin

swift service account

USERNAME=swift
PASSWORD=fingertips
TENANT_NAME=service

demo user account

USERNAME=demo
PASSWORD=demo
TENANT_NAME=test

Swift tempAuth accounts

Admin account

USERNAME=admin
PASSWORD=admin
TENANT_NAME=admin

tester account

USERNAME=tester
PASSWORD=testing
TENANT_NAME=test

tester2 account

USERNAME=tester2
PASSWORD=testing2
TENANT_NAME=test2

tester3 account

USERNAME=tester3
PASSWORD=testing3
TENANT_NAME=test

tester5 account

USERNAME=tester5
PASSWORD=testing5
TENANT_NAME=test5

Sample httpie commands

# Keystone Identity v3
echo '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"demo","domain":{"name":"Default"},"password":"demo"}}},"scope":{"project":{"domain":{"id":"default"},"name":"test"}}}}' | http POST :35357/v3/auth/tokens

# Keystone Identity v2
echo '{"auth": {"passwordCredentials": {"username": "demo","password": "demo"},"tenantName": "test"}}' | http POST :35357/v2.0/tokens

# TempAuth
http http://127.0.0.1:8080/auth/v1.0 X-Storage-User:test:tester X-Storage-Pass:testing

Sample curl commands

# Keystone Identity v3
curl -X POST -H 'Content-Type: application/json' -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"demo","domain":{"name":"Default"},"password":"demo"}}},"scope":{"project":{"domain":{"id":"default"},"name":"test"}}}}' http://127.0.0.1:35357/v3/auth/tokens

# Keystone Identity v2
curl -X POST -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"username": "demo","password": "demo"},"tenantName": "test"}}' http://127.0.0.1:35357/v2.0/tokens

# TempAuth
curl -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:8080/auth/v1.0