
Deployer_Openstack_avec_Vault

DOSSANTOSDaniel edited this page Jul 9, 2020 · 1 revision

Deploying OpenStack with Vault

Create a new model

juju add-model openstack-base1

List the models

juju models

Fetch the OpenStack bundle

charm pull openstack-base ~/openstack-base1

cd openstack-base1/

Change the network interface name in the bundle.yaml file. Here it is the second network interface of the MAAS machine.

vim bundle.yaml
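Editing the interface name in vim works, but when the same bundle is redeployed more than once it is convenient to do the rewrite non-interactively and check how many lines were touched. The following script is an added example, not part of the original wiki page: it assumes the bundle writes the interface as "br-ex:<interface>" (the data-port form used by the openstack-base bundle of that period; check your own bundle.yaml, since the exact key is an assumption here), and the sample bundle fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original wiki): rewrite the physical interface
# name referenced by a Juju bundle and report how many lines now use it.

# Constructed fragment of a bundle.yaml; the key names are an assumption
# about how the openstack-base bundle expressed the data port at the time.
SAMPLE_BUNDLE='applications:
  neutron-gateway:
    options:
      data-port: br-ex:eno1
  ovn-chassis:
    options:
      bridge-interface-mappings: br-ex:eno1'

# set_bundle_interface FILE OLD NEW
# Replaces "br-ex:OLD" at the end of a line with "br-ex:NEW" in FILE, keeps a
# FILE.bak copy, and prints the number of lines that now carry br-ex:NEW so
# the operator can confirm every occurrence was changed before deploying.
set_bundle_interface() {
    file="$1"; old="$2"; new="$3"
    cp "$file" "$file.bak"
    sed "s/br-ex:$old\$/br-ex:$new/" "$file.bak" > "$file"
    grep -c "br-ex:$new" "$file"
}

# Demo with the constructed fragment, written to a temporary file.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_BUNDLE" > "$demo_file"
echo "lines using the new interface: $(set_bundle_interface "$demo_file" eno1 enp2s0)"
rm -f "$demo_file" "$demo_file.bak"
```

Run the function against the real bundle.yaml and compare the printed count with the number of br-ex references you expect; a count of zero means the pattern did not match and the bundle still points at the old interface.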

Deploy OpenStack

juju deploy ./bundle.yaml

Show deployment progress

juju status

watch -cd -n 1 juju status --color

At some point Vault will block the model deployment, because Vault has to be unsealed so that it can propagate the certificates to the other services.

Connect to Vault when the message "vault need initialized" appears

juju ssh vault/0

Get Vault's IP address

ip a

Initialize Vault and generate the unseal keys

vault operator init -key-shares=5 -key-threshold=3
Unseal Key 1: 29z/5rd0HJ1d8DfgnPtB7qyWaSj0gbdZxsHlor41vgYS
Unseal Key 2: 2X7o73aKwnFF7lhbjpU2reVq6WVm+OH56iTr0RHLJdEb
Unseal Key 3: xerIVaiD/L26uQ92OWGzdeBUvJWrY5RF25+fxSo4+qLB
Unseal Key 4: 1GgofZR+6Hj9wuPQWFYxLGqtGI5TZOEFjsGzE4u7VpIE
Unseal Key 5: dqLnrN7/nhswNiJ89NGU6Y8ag94vmtdBX5lSIWZvQmso

Initial Root Token: s.N792P5isPSURbn11hSWAYPBK


Get the IP address of the Vault machine

ip a

export VAULT_ADDR="http://192.168.1.238:8200"

vault operator init -key-shares=5 -key-threshold=3
Unseal Key 1: jOiiYt5L8DK8BK2q9zK8kLdAeMI8OTSwXQhVj8CRnUdj
Unseal Key 2: +oeejlXqXgm7v90sXjxKcSinw62I6nNu9piIrLg59jwi
Unseal Key 3: K2LPioxHlsIDbVi6xuHnnQ/fNiN3nfk0xKTAS/segVW0
Unseal Key 4: 3FEWGqNAYxNrf5mKznkkauMCvTMQtcyewJQMJnkWwcww
Unseal Key 5: B+3jACJfwJtuGpKIEymelZg2rOIp22QCMPtRvu/aEDKo

Initial Root Token: s.ZyyiBs2eSyzU84H0dzmQ1Bgs

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Back up each of the keys carefully

Unseal Vault with 3 of the keys

ubuntu@juju-992de7-0-lxd-6:~$ vault operator unseal jOiiYt5L8DK8BK2q9zK8kLdAeMI8OTSwXQhVj8CRnUdj
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       906b104d-c1e7-02bb-91a4-913938675230
Version            1.1.1
HA Enabled         false
ubuntu@juju-992de7-0-lxd-6:~$ vault operator unseal +oeejlXqXgm7v90sXjxKcSinw62I6nNu9piIrLg59jwi
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       906b104d-c1e7-02bb-91a4-913938675230
Version            1.1.1
HA Enabled         false
ubuntu@juju-992de7-0-lxd-6:~$ vault operator unseal K2LPioxHlsIDbVi6xuHnnQ/fNiN3nfk0xKTAS/segVW0
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.1.1
Cluster Name    vault-cluster-2ca79f1c
Cluster ID      d98d919b-f104-e9a9-fcfb-fdb1e699782b
HA Enabled      false
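The two steps above, saving the init output and feeding shares until "Sealed false", are usually done by pasting from the terminal, which leaves all five shares and the root token together in one scrollback or one note. The script below is an added example, not part of the original wiki page: it splits the init output into one owner-only file per share plus a separate root token file, so that shares can be handed to different custodians, and it parses unseal status output so that a loop knows when the threshold has been reached. The sample outputs are constructed placeholders, and the file names are my own choice.

```shell
#!/bin/sh
# Added example (not from the original wiki): handle the output of
# `vault operator init` and `vault operator unseal` without leaving every
# secret in one place. Assumes a POSIX shell with awk and mktemp.

# Constructed sample of what `vault operator init -key-shares=5 -key-threshold=3`
# prints; the values are placeholders, not real keys.
SAMPLE_INIT_OUTPUT='Unseal Key 1: constructedShare1AAAA
Unseal Key 2: constructedShare2BBBB
Unseal Key 3: constructedShare3CCCC
Unseal Key 4: constructedShare4DDDD
Unseal Key 5: constructedShare5EEEE

Initial Root Token: s.constructedRootToken

Vault initialized with 5 key shares and a key threshold of 3.'

# save_init_output DIR  (reads the init output on stdin)
# Writes DIR/unseal-key-N (one share per file) and DIR/root-token, all with
# mode 0600, and prints the number of shares found so the caller can check
# that it matches -key-shares.
save_init_output() {
    dir="$1"
    old_umask=$(umask)
    umask 077                      # new files readable by the owner only
    mkdir -p "$dir"
    n=0
    while IFS= read -r line; do
        case "$line" in
            "Unseal Key "*)
                n=$((n + 1))
                printf '%s\n' "${line#*: }" > "$dir/unseal-key-$n"
                ;;
            "Initial Root Token: "*)
                printf '%s\n' "${line#*: }" > "$dir/root-token"
                ;;
        esac
    done
    umask "$old_umask"
    echo "$n"
}

# seal_state  (reads `vault status` / `vault operator unseal` output on stdin)
# Prints "open" once the output reports "Sealed false"; otherwise prints the
# "Unseal Progress" value (e.g. "2/3") so a loop knows another share is needed,
# or "sealed" when no progress line is present.
seal_state() {
    awk '
        $1 == "Sealed" { sealed = $2 }
        $1 == "Unseal" && $2 == "Progress" { progress = $3 }
        END {
            if (sealed == "false") print "open"
            else if (progress != "") print progress
            else print "sealed"
        }'
}

# Demo with the constructed sample: the shares land in separate 0600 files.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_INIT_OUTPUT" | save_init_output "$demo_dir" >/dev/null
ls -l "$demo_dir"
printf 'Sealed true\nUnseal Progress 2/3\n' | seal_state   # prints 2/3
rm -rf "$demo_dir"
```

In a real session the loop would read one share file at a time, run `vault operator unseal "$(cat "$dir/unseal-key-$i")"`, pipe the result through seal_state and stop at "open"; with the threshold of 3 used on this page, the third call is the one that should report "open". Move the share files off the Vault unit once they are written, and do not keep them on the same machine as root-token.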

export VAULT_TOKEN=s.ZyyiBs2eSyzU84H0dzmQ1Bgs

ubuntu@juju-992de7-0-lxd-6:~$ vault token create -ttl=10m
Key                  Value
---                  -----
token                s.BCPlQ336tW4IKla4tcjEXYZ5
token_accessor       Pju7Fk5WNMcMIE6agwBmTeye
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Leave the vault/0 machine

exit

Using the token just created, authorize the Vault charm in Juju

moula@maas-home-lab:~/openstack-base1$ juju run-action --wait vault/leader authorize-charm token=s.BCPlQ336tW4IKla4tcjEXYZ5
unit-vault-0:
  UnitId: vault/0
  id: "2"
  results:
    Stdout: |
      lxc
      lxc
      active
      active
      lxc
  status: completed
  timing:
    completed: 2020-06-24 06:48:28 +0000 UTC
    enqueued: 2020-06-24 06:48:25 +0000 UTC
    started: 2020-06-24 06:48:25 +0000 UTC
moula@maas-home-lab:~/openstack-base1$ juju run-action --wait vault/leader generate-root-ca
unit-vault-0:
  UnitId: vault/0
  id: "4"
  results:
    Stdout: |
      lxc
      lxc
      active
      active
      active
      active
      lxc
    output: |-
      -----BEGIN CERTIFICATE-----
      MIIDazCCAlOgAwIBAgIUDsQt9fs5Z1i7YzYHO8YYbbxr/MMwDQYJKoZIhvcNAQEL
      BQAwPTE7MDkGA1UEAxMyVmF1bHQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkg
      KGNoYXJtLXBraS1sb2NhbCkwHhcNMjAwNjI0MDY0ODE4WhcNMzAwNjIyMDU0ODQ4
      WjA9MTswOQYDVQQDEzJWYXVsdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAo
      Y2hhcm0tcGtpLWxvY2FsKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
      ANCjhxuAsiLfQok4Lz/CWpJtbr9jhlKqbSwwO8pdJkXplCd5bqPk6t0Fug5kib1R
      IBOzkLxvKybysbKcKoDbt5Lz6O7a0m6QkPFS+4QPV25Bqy8ODkXe5lRn1nZ5eu12
      /6XDTxu1SSPunHUWrpWMAe5Uui2gclAGDwdx3BVemZ2q8K0dlFSNT71sWvkyRWUy
      EsM69hRcDRmc7aPfyiURmXCeIi/PmzZnccg20Q2fISPGJLCvmluOHBzu8pNBZvag
      GNlAsM6r72wyz4+A+NnibYkXZpiBjk29viittfWGqFHUOOYSlNTAseuPKLi+BqXm
      jjojNZ+w73ekOwTLcQTiR+MCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud
      EwEB/wQFMAMBAf8wHQYDVR0OBBYEFBFERdpsbizUJ7Fgqu1K0pRTRafnMB8GA1Ud
      IwQYMBaAFBFERdpsbizUJ7Fgqu1K0pRTRafnMA0GCSqGSIb3DQEBCwUAA4IBAQCL
      /9uGXg9jXPgoKFpRtLOWEbP2PlNau0c71SO3Y0w0r6lzuDr6AnS/BRfnDz3GUo3i
      jTMm3HJI34eVRMZMYy2Qhq2b9goIeSiBDbWQtiFBaRPIyXH7uMqN923YQk3PC7GC
      A54MyPvcpl8i2ymb6Lz+SVx+YJqTjdA61FomRe8v4/sQQFQAe3vU7LbHB+1hzVaW
      7ZMVEbl6PhkWJxrwKnA2Z/RxzhbzryWkbvs/c2NTK1jgtU8ikjb3soeh/y52LhQ3
      O6pW/MZWNvZgJWrjcnCnSryPcjTZH5ka2YBzgpff5FiafhTMS7+Oe/GaU5d5iYHq
      b08Gk1D2nbDPbA8fInpY
      -----END CERTIFICATE-----
  status: completed
  timing:
    completed: 2020-06-24 06:48:58 +0000 UTC
    enqueued: 2020-06-24 06:48:45 +0000 UTC
    started: 2020-06-24 06:48:45 +0000 UTC

Vault can now distribute the certificates to the various services.

Retrieving the Horizon dashboard credentials

env | grep OS_

echo -e "Domain: $OS_USER_DOMAIN_NAME\nUser Name: $OS_USERNAME\nPassword: $OS_PASSWORD"

Log in to the web interface

[screenshot: Openstack_web]

Installing the OpenStack client

To be installed on the MAAS machine

sudo snap install openstackclients --classic

Update to the edge version

sudo snap refresh openstackclients --edge

source ~/openstack-base1/openrc

The openstack client can now be used. Example:

openstack service list
