Creating the DB
root@controller:~# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 18617
Server version: 10.0.33-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE barbican;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'localhost' \
-> IDENTIFIED BY '{패스워드}';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON barbican.* TO 'barbican'@'%' \
-> IDENTIFIED BY '{패스워드}';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> Bye
Creating the user, role and endpoints
root@controller:~# source jyh_env/admin_openrc
root@controller:~# openstack user create --domain default --password {패스워드} barbican
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | b76f07f91dd44384a4e4c0f354ecf30e |
| name | barbican |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
root@controller:~# openstack role add --project service --user barbican admin
root@controller:~# openstack role create creator
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 110b754c59ad417aa9549f9a0d5b3d26 |
| name | creator |
+-----------+----------------------------------+
root@controller:~# openstack role add --project service --user barbican creator
root@controller:~# openstack service create --name barbican --description "Key Manager" key-manager
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Key Manager |
| enabled | True |
| id | 6fc870c6e4344b478402933df1d4d3b6 |
| name | barbican |
| type | key-manager |
+-------------+----------------------------------+
root@controller:~# openstack region list
+--------+---------------+-------------+
| Region | Parent Region | Description |
+--------+---------------+-------------+
| jyh | None | |
+--------+---------------+-------------+
root@controller:~# openstack endpoint create --region jyh \
> key-manager public http://controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 841ccdf216b942568cea9438f169997b |
| interface | public |
| region | jyh |
| region_id | jyh |
| service_id | 6fc870c6e4344b478402933df1d4d3b6 |
| service_name | barbican |
| service_type | key-manager |
| url | http://controller:9311 |
+--------------+----------------------------------+
root@controller:~# openstack endpoint create --region jyh key-manager internal http://controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 49ec16a747b544c8a1a8bebd62b613ae |
| interface | internal |
| region | jyh |
| region_id | jyh |
| service_id | 6fc870c6e4344b478402933df1d4d3b6 |
| service_name | barbican |
| service_type | key-manager |
| url | http://controller:9311 |
+--------------+----------------------------------+
root@controller:~# openstack endpoint create --region jyh key-manager admin http://controller:9311
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | cac195208eab42b88f7e8d557ee83e80 |
| interface | admin |
| region | jyh |
| region_id | jyh |
| service_id | 6fc870c6e4344b478402933df1d4d3b6 |
| service_name | barbican |
| service_type | key-manager |
| url | http://controller:9311 |
+--------------+----------------------------------+
Installing the packages
root@controller:~# apt install barbican-api barbican-keystone-listener barbican-worker
패키지 목록을 읽는 중입니다... 완료
의존성 트리를 만드는 중입니다
상태 정보를 읽는 중입니다... 완료
The following additional packages will be installed:
barbican-common python-barbican python-ldap
제안하는 패키지:
python-pykmip python-ldap-doc
다음 새 패키지를 설치할 것입니다:
barbican-api barbican-common barbican-keystone-listener barbican-worker python-barbican python-ldap
0개 업그레이드, 6개 새로 설치, 0개 제거 및 10개 업그레이드 안 함.
359 k바이트 아카이브를 받아야 합니다.
이 작업 후 2,742 k바이트의 디스크 공간을 더 사용하게 됩니다.
계속 하시겠습니까? [Y/n] y
Editing the configuration file
root@controller:~# cp /etc/barbican/barbican.conf /etc/barbican/barbican.conf_ori
root@controller:~# egrep -v "^#|^$" /etc/barbican/barbican.conf
[DEFAULT]
sql_connection = mysql+pymysql://barbican:{패스워드}@controller/barbican
transport_url = rabbit://openstack:{패스워드}@controller
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = {패스워드}
Creating the DB tables
root@controller:~# su -s /bin/sh -c "barbican-manage db upgrade" barbican
2018-01-24 13:09:05.352 19367 WARNING oslo_db.sqlalchemy.engines [-] MySQL SQL mode is '', consider enabling TRADITIONAL or STRICT_ALL_TABLES: Empty
2018-01-24 13:09:05.354 19367 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
2018-01-24 13:09:05.355 19367 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2018-01-24 13:09:05.395 19367 INFO alembic.runtime.migration [-] Running upgrade -> 1a0c2cdafb38, create test table
2018-01-24 13:09:05.398 19367 INFO alembic.runtime.migration [-] Running upgrade 1a0c2cdafb38 -> juno, juno_initial
2018-01-24 13:09:05.814 19367 INFO alembic.runtime.migration [-] Running upgrade juno -> 13d127569afa, create_secret_store_metadata_table
2018-01-24 13:09:05.848 19367 INFO alembic.runtime.migration [-] Running upgrade 13d127569afa -> 1e86c18af2dd, add new columns type meta containerId
2018-01-24 13:09:06.008 19367 INFO alembic.runtime.migration [-] Running upgrade 1e86c18af2dd -> cd4106a1a0, add-cert-to-container-type
2018-01-24 13:09:06.015 19367 INFO alembic.runtime.migration [-] Running upgrade cd4106a1a0 -> 47b69e523451, Made plugin names in kek datum non nullable
..
..
2018-01-24 13:09:10.653 19367 INFO alembic.runtime.migration [-] Running upgrade d2780d5aa510 -> 39cf2e645cba, Model for multiple backend support
/usr/lib/python2.7/dist-packages/pymysql/cursors.py:166: Warning: (1831, u'Duplicate index `ix_project_secret_store_project_id`. This is deprecated and will be disallowed in a future release.')
Restarting the services
root@controller:~# systemctl restart barbican-keystone-listener.service barbican-worker.service
root@controller:~# service apache2 restart
root@controller:~# telnet localhost 9311
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@controller:~# telnet localhost 9312
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@controller:~# ls /etc/apache2/conf-available/barbican-api.conf
/etc/apache2/conf-available/barbican-api.conf
Configuring the Secret Store back-ends
root@controller:~# vi /etc/barbican/barbican.conf
[DEFAULT]
sql_connection = mysql+pymysql://barbican:{패스워드}@controller/barbican
transport_url = rabbit://openstack:{패스워드}@controller
[crypto]
enabled_crypto_plugins = simple_crypto
[keystone_authtoken]
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = barbican
password = {패스워드}
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
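The kek in [simple_crypto_plugin] is the key that wraps every secret stored by the simple_crypto back-end; the value above decodes to the ASCII string "abcdefghijklmnopqrstuvwxyz123456", the sample key from the Barbican documentation. The following script is an added example (not part of this walkthrough or of Barbican itself) that generates a fresh random KEK and checks a barbican.conf fragment for a missing, malformed, wrong-length or sample-valued kek; the configuration text it parses is constructed to mirror the section above.

```python
import base64
import binascii
import configparser
import os

# Base64 of "abcdefghijklmnopqrstuvwxyz123456": the documentation sample key.
SAMPLE_KEK = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY="
KEK_BYTES = 32  # simple_crypto expects a base64-encoded 32-byte (AES-256) key


def generate_kek() -> str:
    """Return a fresh, random base64-encoded 32-byte KEK."""
    return base64.b64encode(os.urandom(KEK_BYTES)).decode("ascii")


def check_kek(kek: str) -> list:
    """Return a list of findings for a configured kek value (empty list = OK)."""
    findings = []
    value = kek.strip().strip("'\"")  # barbican.conf quotes the value
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["kek is not valid base64"]
    if len(raw) != KEK_BYTES:
        findings.append("kek decodes to %d bytes, expected %d" % (len(raw), KEK_BYTES))
    if value == SAMPLE_KEK:
        findings.append("kek is the documentation sample key; replace it")
    return findings


def check_barbican_conf(text: str) -> list:
    """Parse barbican.conf content and check the [simple_crypto_plugin] kek."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    if not cfg.has_option("simple_crypto_plugin", "kek"):
        return ["[simple_crypto_plugin] kek is not set"]
    return check_kek(cfg.get("simple_crypto_plugin", "kek"))


# Constructed fragment mirroring the back-end section of this walkthrough.
SAMPLE_CONF = """
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='
"""

if __name__ == "__main__":
    print("findings:", check_barbican_conf(SAMPLE_CONF))
    print("new kek:", generate_kek())
```

Once secrets have been stored, the kek must not be changed in place, since existing secrets are wrapped with the old value; choose the final key before the verification step.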
Verification
root@controller:~# openstack secret store --name mysecret --payload j4=]d21
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f |
| Name | mysecret |
| Created | None |
| Status | None |
| Content types | None |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
root@controller:~# openstack secret get http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f
+---------------+-----------------------------------------------------------------------+
| Field | Value |
+---------------+-----------------------------------------------------------------------+
| Secret href | http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f |
| Name | mysecret |
| Created | 2018-01-25 05:43:53+00:00 |
| Status | ACTIVE |
| Content types | {u'default': u'text/plain'} |
| Algorithm | aes |
| Bit length | 256 |
| Secret type | opaque |
| Mode | cbc |
| Expiration | None |
+---------------+-----------------------------------------------------------------------+
root@controller:~# openstack secret get http://localhost:9311/v1/secrets/6ac43731-02d2-4c7a-ac06-03692cb50f1f --payload
+---------+---------+
| Field | Value |
+---------+---------+
| Payload | j4=]d21 |
+---------+---------+