Configuring OpenStack Horizon under Apache (reposted)
A very detailed introduction to Horizon configuration, reposted from dev.cloudwatt.com
Deploy Horizon from source with Apache and SSL
Some companies may deploy OpenStack clouds without the Horizon Dashboard interface, so you may wish to deploy your own Horizon instance, either on a VM hosted on the OpenStack infrastructure, or why not on your own computer? Well, this is possible.
However, your concern is that plain HTTP might be insecure, especially if the instance is hosted on a VM or machine accessible from the Internet. So you want an SSL connection.
The issue is that SSL certificates can cost some money, but for personal usage self-signed certificates will do the job for free, and easy-rsa will make their management easy :-)
Note: even though you will run your own Horizon instance, you will not have extra privileges, it will just add your favorite “life easy-making GUI” on top of OpenStack :-)
Requirements:
On Centos/RHEL 6.x x86_64:
# Apache with SSL and wsgi support
sudo yum install httpd mod_ssl mod_wsgi
# EPEL repos
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# GIT to retrieve sources
sudo yum install git git-review
sudo yum install python-virtualenv
# cryptography requirements
sudo yum install gcc libffi-devel python-devel openssl-devel
On Ubuntu:
# Apache with SSL and wsgi support
sudo apt-get install apache2 libapache2-mod-wsgi
# GIT to retrieve sources
sudo apt-get install git git-review
sudo apt-get install python-virtualenv
# cryptography requirements
sudo apt-get install build-essential libssl-dev libffi-dev python-dev
Create a “horizon” user:
On Centos/RHEL:
useradd -d /home/horizon -m -g apache horizon
On Ubuntu:
useradd -d /home/horizon -m -s /bin/bash -g www-data horizon
sudo permissions for the horizon user:
If you want to be able to “sudo” from the horizon user (for convenience):
sudo su -c "echo 'horizon ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/horizon_user"
sudo chmod 0440 /etc/sudoers.d/horizon_user
The server will run under the “apache” or “www-data” user (depending on the distribution), so there is no risk of privilege escalation due to this sudo permission. If after deployment you want to remove the horizon user’s sudo permissions to feel reassured, just type:
sudo rm -f /etc/sudoers.d/horizon_user
switch to the horizon user:
sudo su - horizon
Generate your SSL certificates:
Centos/RHEL:
sudo yum install easy-rsa
cp -r /usr/share/easy-rsa/2.0 ~/easy-rsa
On Ubuntu:
sudo apt-get install easy-rsa
cp -r /usr/share/easy-rsa ~/easy-rsa
NOTE: depending on your Ubuntu version, you might not find the easy-rsa package.
This package has recently been stripped out of the OpenVPN package, so if you do not have an easy-rsa package, you can install OpenVPN and copy the easy-rsa scripts (and uninstall OpenVPN if you do not want to keep it):
sudo apt-get install openvpn libpkcs11-helper1 liblzo2-2
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ~/easy-rsa
cp ~/easy-rsa/openssl-1.0.0.cnf ~/easy-rsa/openssl.cnf
# If you do not want to use or keep OpenVPN, you can now remove it:
sudo apt-get purge openvpn
Generate the certificates:
Edit the vars file in your ~/easy-rsa directory and adapt all the export KEY_* variables to your liking (especially: KEY_SIZE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL, KEY_OU), and then source this file:
source ./vars
and initialize certificates:
./clean-all
Create your own CA:
./build-ca
Create your server’s certificate:
./build-key-server My_Server_Name
Hit the “enter” key when prompted for a password.
This creates a password-less private key, which is usually considered bad practice, but we do it this way here for convenience because your server will not enter passwords to use the certificate. Requiring a password for a server key is also bad practice, because most users of such certificates would put the clear-text password in a configuration file so that init scripts can use the certificate automatically.
Hit the “y” key when prompted to Sign the certificate, and when prompted to commit.
In the keys subdirectory you will now see something like this:
-rw-r--r--. 1 horizon apache 5625 Apr 2 14:35 01.pem
-rw-r--r--. 1 horizon apache 1809 Apr 2 14:32 ca.crt
-rw-------. 1 horizon apache 1704 Apr 2 14:32 ca.key
-rw-r--r--. 1 horizon apache 152 Apr 2 14:35 index.txt
-rw-r--r--. 1 horizon apache 21 Apr 2 14:35 index.txt.attr
-rw-r--r--. 1 horizon apache 0 Apr 2 14:31 index.txt.old
-rw-r--r--. 1 horizon apache 5625 Apr 2 14:35 My_Server_Name.crt
-rw-r--r--. 1 horizon apache 1102 Apr 2 14:35 My_Server_Name.csr
-rw-------. 1 horizon apache 1708 Apr 2 14:35 My_Server_Name.key
-rw-r--r--. 1 horizon apache 3 Apr 2 14:35 serial
-rw-r--r--. 1 horizon apache 3 Apr 2 14:31 serial.old
apache will need read access to My_Server_Name.key:
chmod g+rx keys
chmod g+r keys/My_Server_Name.key
NOTE:
These are self-signed certificates, usually made for testing or pre-deployment, so since your browser isn’t able to verify the identity of your website when accessing your server, it will display a “This Connection Is Untrusted” alert page. This is normal. To avoid this message you will have to bypass the warning, or import the ca.crt file in your browser (the latter works only if, when prompted for the server name by the ./build-key-server command, you gave the server the same hostname as the FQDN you use to access it; otherwise you will get a “Certificate is only valid for (site name)” warning instead).
Get the Horizon source:
Clone horizon sources:
git clone git://git.openstack.org/openstack/horizon.git
You will now see a horizon directory (under your own “horizon” user’s /home/horizon directory if you created one previously).
Change to this new horizon directory:
cd ~/horizon
Horizon needs python dependencies which may not be provided in the proper version by your OS’s packaging system, so the best is to use a virtual environment to install the python packages without any conflicts with your distribution’s packages:
virtualenv --no-site-packages .venv
source .venv/bin/activate
pip install -Ur requirements.txt
If some packages fail to compile with errors like this one (this sometimes happens when your locale is not strictly limited to ASCII):
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 126: ordinal not in range(128)
then try the last command again, prefixed with LC_ALL=C:
LC_ALL=C pip install -Ur requirements.txt
Configure your local_settings:
cd openstack_dashboard/local/
cp local_settings.py.example local_settings.py
Edit local_settings.py with your favorite editor and set DEBUG = False, then configure OPENSTACK_API_VERSIONS and OPENSTACK_HOST, and uncomment:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
With DEBUG = False, you need to set ALLOWED_HOSTS to a list of strings representing the host/domain names used to access your Horizon site. If you have not registered any hostname yet, you will have to put the server’s IP (as a string) in the list in order to be able to access Horizon via its IP in your browser. See ALLOWED_HOSTS for detailed information.
You also have to edit SECRET_KEY.
If you use SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH, '.secret_key_store')), the apache (or www-data) user will need write access to this file (.secret_key_store) because it is created the first time you launch Horizon. Instead you can set SECRET_KEY to a string (e.g.: SECRET_KEY = ‘a unique sentence no one can guess’). SECRET_KEY is used to provide cryptographic signing, and should be set to a unique, unpredictable value. Running Horizon with a known SECRET_KEY defeats many of Horizon’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities. Horizon will now refuse to start if SECRET_KEY is not set.
If you use Self-signed certificates uncomment:
OPENSTACK_SSL_NO_VERIFY = True
Otherwise, uncomment:
OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
and set the path to the CA certificate provided by your Certificate Authority.
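The settings above are the ones that decide whether a deployed Horizon is exposed or not, so it is worth checking them mechanically before starting Apache. The following script is an added example, not code from the original article or from the Horizon project: it parses a local_settings.py with Python's ast module (nothing in the file is executed) and reports the settings discussed above that are missing or weak. The sample settings file, the host names and the 32-character minimum length for SECRET_KEY are assumptions made for the example.

```python
"""Audit a Horizon local_settings.py for the hardening settings discussed above.
Added example (not from the article or the Horizon project); the file is parsed
with `ast`, so nothing in it is executed."""
import ast

# Constructed sample of a local_settings.py edited as the article describes.
SAMPLE_SETTINGS = '''
import os

DEBUG = False
ALLOWED_HOSTS = ['horizon.example.com', '192.0.2.10']
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECRET_KEY = 'a unique sentence no one can guess'
OPENSTACK_API_VERSIONS = {"identity": 3}
OPENSTACK_HOST = "192.0.2.5"
OPENSTACK_SSL_NO_VERIFY = True
'''

NON_LITERAL = '<non-literal>'
MIN_SECRET_KEY_LEN = 32   # assumed threshold for this example, not from the article


def load_settings(source):
    """Map top-level `NAME = <literal>` assignments to their values.
    Non-literal right-hand sides (e.g. the secret_key.generate_or_read_from_file(...)
    call) are recorded as NON_LITERAL so the audit can still reason about them."""
    settings = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            continue
        name = node.targets[0].id
        try:
            settings[name] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            settings[name] = NON_LITERAL
    return settings


def audit_settings(settings):
    """Return a list of (severity, message) findings; an empty list means nothing to fix."""
    findings = []
    if settings.get('DEBUG') is not False:
        findings.append(('error', 'DEBUG must be False on a deployed instance'))
    elif not settings.get('ALLOWED_HOSTS'):
        # Django only enforces ALLOWED_HOSTS once DEBUG is off.
        findings.append(('error', 'ALLOWED_HOSTS must list the host names or IPs used to reach Horizon'))
    for name in ('CSRF_COOKIE_SECURE', 'SESSION_COOKIE_SECURE'):
        if settings.get(name) is not True:
            findings.append(('error', name + ' should be True so the cookie is only sent over HTTPS'))
    key = settings.get('SECRET_KEY')
    if key is None:
        findings.append(('error', 'SECRET_KEY is not set; Horizon refuses to start without it'))
    elif key == NON_LITERAL:
        findings.append(('info', 'SECRET_KEY is generated at runtime; the web server user '
                                 'needs write access to .secret_key_store'))
    elif not isinstance(key, str) or len(key) < MIN_SECRET_KEY_LEN:
        findings.append(('error', 'SECRET_KEY is too short to be unpredictable'))
    if settings.get('OPENSTACK_SSL_NO_VERIFY') is True:
        findings.append(('warning', 'OPENSTACK_SSL_NO_VERIFY disables certificate checks towards '
                                    'the OpenStack APIs; prefer OPENSTACK_SSL_CACERT once you have a CA certificate'))
    return findings


if __name__ == '__main__':
    for severity, message in audit_settings(load_settings(SAMPLE_SETTINGS)):
        print('%-7s %s' % (severity, message))
```

Run against the sample, the only finding is the OPENSTACK_SSL_NO_VERIFY warning, which is expected with the self-signed setup described in this article. To check a real file, replace SAMPLE_SETTINGS with the contents of openstack_dashboard/local/local_settings.py.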
Get the apache configuration script:
If the Web deployment configuration script isn’t yet merged (see Change I6397ba01: Created a make_web_conf command.) you can cherry-pick it:
git checkout -b web-conf-generation-script
git fetch https://review.openstack.org/openstack/horizon refs/changes/68/82468/6 && git cherry-pick FETCH_HEAD
This patch adds a django-admin management command that creates a wsgi file with virtual environment detection, and an apache configuration file. We will use this command.
Go back to the ~/horizon directory (where the manage.py file is located):
cd ~/horizon
Activate your virtual environment if not already done (in a bash shell, your prompt is usually prefixed by “(.venv)” if it’s activated, but if typing echo $VIRTUAL_ENV returns nothing, you have to source it):
source .venv/bin/activate
Create the wsgi file:
We use the Web deployment configuration script:
python manage.py make_web_conf --wsgi
Collect static files:
We gather all the static files which apache will have to serve (they will be placed in the directory defined by STATIC_ROOT in the local_settings.py file):
python manage.py collectstatic
Compile .pyc files:
If apache does not have write access, it won’t be able to write .pyc files during code execution, which drastically slows Python down.
Instead of relying on code execution to compile the bytecode .pyc files, we create (compile) them manually:
python -m compileall .
Give apache some permissions:
We give apache read access to files, execution permission on directories, and write permission on the static files directory:
sudo chmod -R g+r ~/
find ~/ -type d -exec sudo chmod g+x {} \;
find ~/horizon/static -type d -exec chmod g+w {} \;
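The chmod and find commands above (together with the earlier chmod g+rx keys and chmod g+r keys/My_Server_Name.key) are what let the apache or www-data group read the code and the server key without making the key world-readable. As an added example, not part of the original article, the following Python script reproduces those permission changes on a constructed throw-away copy of the /home/horizon layout and then audits the result: the server key must be group-readable but not world-readable, every directory must be group-traversable, and the static directories must be group-writable. The temporary tree, its file contents and the ca.key placeholder are constructed for the example.

```python
"""Apply and verify the group permissions the deployment steps above set up,
on a constructed sample of the /home/horizon layout. Added example, not from
the original article; the tree is created under a temporary directory."""
import os
import stat
import tempfile

KEY_NAME = 'My_Server_Name.key'   # server key name used in the article


def _add(path, bits):
    """chmod +bits without touching the other mode bits (like chmod g+r)."""
    os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | bits)


def build_sample_tree():
    """Constructed stand-in for /home/horizon as left by easy-rsa and git clone:
    private keys 0600, every directory owner-only (0700)."""
    root = tempfile.mkdtemp(prefix='horizon-home-')
    keys = os.path.join(root, 'easy-rsa', 'keys')
    static = os.path.join(root, 'horizon', 'static', 'dashboard')
    os.makedirs(keys)
    os.makedirs(static)
    for name in ('ca.key', KEY_NAME):
        path = os.path.join(keys, name)
        with open(path, 'w') as fh:
            fh.write('-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n')
        os.chmod(path, 0o600)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o700)
    return root


def apply_deployment_permissions(root):
    """Same effect as the article's commands, with ~ replaced by `root`:
       chmod g+rx keys; chmod g+r keys/My_Server_Name.key
       chmod -R g+r ~/; find ~/ -type d -exec chmod g+x {} \\;
       find ~/horizon/static -type d -exec chmod g+w {} \\;"""
    keys = os.path.join(root, 'easy-rsa', 'keys')
    _add(keys, stat.S_IRGRP | stat.S_IXGRP)
    _add(os.path.join(keys, KEY_NAME), stat.S_IRGRP)
    for dirpath, _, filenames in os.walk(root):
        _add(dirpath, stat.S_IRGRP | stat.S_IXGRP)        # chmod -R g+r and find -type d g+x
        for name in filenames:
            _add(os.path.join(dirpath, name), stat.S_IRGRP)  # chmod -R g+r
    for dirpath, _, _ in os.walk(os.path.join(root, 'horizon', 'static')):
        _add(dirpath, stat.S_IWGRP)                         # find static -type d g+w


def audit_permissions(root):
    """Return a list of findings (strings). Empty means: the web server group can
    read and traverse what it needs, write to static, and no key is world-readable."""
    findings = []
    keys = os.path.join(root, 'easy-rsa', 'keys')
    server_key = os.path.join(keys, KEY_NAME)
    ca_key = os.path.join(keys, 'ca.key')
    static = os.path.join(root, 'horizon', 'static')
    for path in (server_key, ca_key):
        if os.stat(path).st_mode & stat.S_IROTH:
            findings.append('world-readable private key: ' + path)
    if not os.stat(server_key).st_mode & stat.S_IRGRP:
        findings.append('not group-readable (apache cannot load it): ' + server_key)
    if os.stat(ca_key).st_mode & stat.S_IRGRP:
        # Only needed to sign further certificates, never by the web server.
        findings.append('group-readable CA key: ' + ca_key)
    for dirpath, _, _ in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if not mode & stat.S_IXGRP:
            findings.append('not group-traversable: ' + dirpath)
        if dirpath.startswith(static) and not mode & stat.S_IWGRP:
            findings.append('not group-writable (collectstatic): ' + dirpath)
    return findings


if __name__ == '__main__':
    sample = build_sample_tree()
    print('before:', audit_permissions(sample))
    apply_deployment_permissions(sample)
    print('after: ', audit_permissions(sample))
```

After the permission changes the audit still reports one thing: chmod -R g+r ~/ also makes ca.key readable by the apache group, although the web server never needs the CA's private key. Once the recursive chmod has run, you can set that file back to 0600 (chmod 600 ~/easy-rsa/keys/ca.key), or keep the CA outside the horizon home directory altogether.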
Create your apache configuration file:
We use the Web deployment configuration script again:
python manage.py make_web_conf --apache --ssl \
--sslcert=/home/horizon/easy-rsa/keys/My_Server_Name.crt \
--sslkey=/home/horizon/easy-rsa/keys/My_Server_Name.key \
--mail=your.email@youdomain.com > horizon.conf
And move this configuration file to your apache conf directory:
Centos/RHEL Apache configuration file:
sudo mv horizon.conf /etc/httpd/conf.d/
sudo chown root:root /etc/httpd/conf.d/horizon.conf
Edit /etc/httpd/conf/httpd.conf and replace:
#NameVirtualHost *:80
by:
NameVirtualHost *:443
WSGISocketPrefix /var/run/wsgi
To start Apache:
sudo service httpd start
To restart Apache:
sudo service httpd restart
Logs are available in /var/log/httpd/openstack_dashboard-error.log and /var/log/httpd/openstack_dashboard-access.log.
Ubuntu Apache configuration file:
sudo mv horizon.conf /etc/apache2/sites-available/horizon
sudo chown root:root /etc/apache2/sites-available/horizon
sudo a2ensite horizon
sudo a2enmod ssl
To start Apache:
sudo service apache2 start
To restart Apache:
sudo service apache2 reload
Logs are available in /var/log/apache2/openstack_dashboard-error.log and /var/log/apache2/openstack_dashboard-access.log.
Notes about unscoped tokens:
Some cloud companies do not let you log in with an unscoped token and horizon logs will tell you your login failed even though you entered the proper password.
If this is the case, you may need to modify your .venv/lib/python2.7/site-packages/openstack_auth/backend.py (or .venv/lib/python2.6/site-packages/openstack_auth/backend.py) file like this: change the try block at line 134:
try:
    client = keystone_client.Client(
        tenant_id=project.id,
        token=unscoped_auth_ref.auth_token,
        auth_url=auth_url,
        insecure=insecure,
        cacert=ca_cert,
        debug=settings.DEBUG)
to:
try:
    client = keystone_client.Client(
        tenant_id=project.id,
        #token=unscoped_auth_ref.auth_token,
        user_domain_name=user_domain_name,
        username=username,
        password=password,
        auth_url=auth_url,
        insecure=insecure,
        debug=settings.DEBUG)
Keep up to date:
Once Horizon is deployed, staying up to date is easy:
git checkout master
git remote update && git pull --ff-only origin master
source .venv/bin/activate
pip install -Ur requirements.txt # you might need to redo the unscoped tokens change
find . -name "*.pyc" -delete
python -m compileall .
python manage.py collectstatic
chmod -R g+r ~/horizon
find ~/horizon -type d -exec chmod g+x {} \;
find ~/horizon/static -type d -exec chmod g+w {} \;
And restart apache.
Centos/RHEL:
sudo service httpd start
Ubuntu:
sudo service apache2 reload
Enjoy your Horizon GUI, and feel free to review the Change I6397ba01: Created a make_web_conf command. patch, or to add suggestions to the Web deployment configuration script Blueprint.