Update CLI chapter in the Admin User Guide

bug: #1218683

Change-Id: If3eb434f09c26e461e133db0f87ac24d63e3403d
author: diane fleming
Diane Fleming 2013-08-29 20:05:33 -05:00
parent 7c569307c5
commit 431d94cb55
25 changed files with 1706 additions and 1842 deletions

@ -35,11 +35,11 @@ format="SVG" scale="60"/>
<para>To manage your servers, images, volumes, isolated networks,
and other cloud resources from the command line, install and
use the OpenStack clients.</para>
<xi:include href="../../openstack-user/src/section_cli_overview.xml"/>
<xi:include href="../../openstack-user/src/section_cli_install.xml"/>
<xi:include href="../../openstack-user/src/section_cli_openrc.xml"/>
<xi:include href="../../openstack-user/src/section_cli_version.xml"/>
<xi:include href="../../openstack-user/src/section_cli_help.xml"/>
<xi:include href="../../common/section_cli_overview.xml"/>
<xi:include href="../../common/section_cli_install.xml"/>
<xi:include href="../../common/section_cli_openrc.xml"/>
<xi:include href="../../common/section_cli_version.xml"/>
<xi:include href="../../common/section_cli_help.xml"/>
</chapter>

@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_help">
<title>Get help for client commands</title>
<para>To get usage information, including a list of commands with
descriptions, for a client, run the following command:</para>
<screen><prompt>$</prompt> <userinput><replaceable>CLIENT_NAME</replaceable> help</userinput></screen>
<para>For example, to get help information for the swift client,
run the following command:</para>
<screen><prompt>$</prompt> <userinput>swift help</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>Usage: swift [--version] [--help] [--snet] [--verbose]
[--debug] [--quiet] [--auth &lt;auth_url>]
[--auth-version &lt;auth_version>] [--user &lt;username>]
[--key &lt;api_key>] [--retries &lt;num_retries>]
[--os-username &lt;auth-user-name>] [--os-password &lt;auth-password>]
[--os-tenant-id &lt;auth-tenant-id>]
[--os-tenant-name &lt;auth-tenant-name>]
[--os-auth-url &lt;auth-url>] [--os-auth-token &lt;auth-token>]
[--os-storage-url &lt;storage-url>] [--os-region-name &lt;region-name>]
[--os-service-type &lt;service-type>]
[--os-endpoint-type &lt;endpoint-type>]
[--os-cacert &lt;ca-certificate>] [--insecure]
[--no-ssl-compression]
&lt;subcommand> ...
Command-line interface to the OpenStack Swift API.
Positional arguments:
&lt;subcommand>
delete Delete a container or objects within a container
downlad Download objects from containers
list Lists the containers for the account or the objects
for a container
post Updates meta information for the account, container,
or object
stat Displays information for the account, container,
or object
upload Uploads files or directories to the given container
Examples:
swift -A https://auth.api.rackspacecloud.com/v1.0 -U user -K api_key stat -v
swift --os-auth-url https://api.example.com/v2.0 --os-tenant-name tenant \
--os-username user --os-password password list
swift --os-auth-token 6ee5eb33efad4e45ab46806eac010566 \
--os-storage-url https://10.1.5.2:8080/v1/AUTH_ced809b6a4baea7aeab61a \
list
swift list --lh</computeroutput></screen>
<note>
<para>Depending on your credentials, you might not have
permission to use every command.</para>
</note>
<para>After the <option>help</option> command, you can enter a
command name to get help for that command, as follows:</para>
<screen><prompt>$</prompt> <userinput><replaceable>CLIENT_NAME</replaceable> help <replaceable>COMMAND_NAME</replaceable></userinput></screen>
<para>For example, to get help for the glance
<command>image-show</command> command, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput>glance help image-show</userinput></screen>
<para>The command returns a description of the command and its
positional and optional arguments:</para>
<screen><?db-font-size 75%?><computeroutput>usage: glance image-show [--human-readable] &lt;IMAGE>
Describe a specific image.
Positional arguments:
&lt;IMAGE> Name or ID of image to describe.
Optional arguments:
--human-readable Print image size in a human-friendly format.</computeroutput></screen>
</section>
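Review bot: The subcommand list in the sample swift help output spells the download subcommand "downlad" (the entry between delete and list); unless that is verbatim client output, correct it to "download" so readers do not copy a command that does not exist. In the paragraph after the note, help is marked up as <option>help</option> although the sentence calls it a command and it is used as a subcommand; <command>help</command> would match the markup used for image-show just below. The Examples block also shows --os-password and --os-auth-token values typed on the command line, so a pointer to the openrc section for supplying credentials through environment variables would fit after the output.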

@ -0,0 +1,202 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
<!ENTITY plusmn "&#xB1;">
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="install_clients">
<?dbhtml stop-chunking?>
<title>Install the Openstack command-line clients</title>
<para>Install the prerequisite software and the Python package for
each OpenStack client.</para>
<table rules="all" width="75%">
<caption>Prerequisite software</caption>
<col width="15%"/>
<col width="85%"/>
<thead>
<tr>
<th>Prerequisite</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">
<para>Python 2.6 or later</para>
</td>
<td>
<para>Currently, the clients do not support Python
3.</para>
</td>
</tr>
<tr>
<td valign="top">
<para><command>setuptools</command> package</para>
</td>
<td>
<para>Installed by default on Mac OS X. Many Linux
distributions provide packages to make
<command>setuptools</command> easy to
install. Search your package manager for
<command>setuptools</command> to find an
installation package. If you cannot find one,
download the <command>setuptools</command>
package directly from <link
xlink:href="http://pypi.python.org/pypi/setuptools"
>http://pypi.python.org/pypi/setuptools</link>.
</para>
</td>
</tr>
<tr>
<td valign="top"><command>pip</command> package</td>
<td>
<para>To install the clients on a Mac OS X or
Linux system, use <command>pip</command>. It
is easy to use, ensures that you get the
latest version of the clients from the <link
xlink:href="http://pypi.python.org/pypi/python-novaclient/"
>Python Package Index</link>, and lets you
update or remove the packages later on.</para>
<para>Install <command>pip</command> through the
package manager for your system:</para>
<formalpara>
<title>Mac OS X</title>
<para>
<screen><prompt>$</prompt> <userinput>sudo easy_install pip</userinput></screen></para>
</formalpara>
<formalpara>
<title>Ubuntu 12.04</title>
<para>A packaged version enables you to use
<command>dpkg</command> or
<command>aptitude</command> to install
the
python-novaclient:<screen><prompt>#</prompt> <userinput>aptitude install python-novaclient</userinput></screen></para>
</formalpara>
<formalpara>
<title>Ubuntu</title>
<para><screen><prompt>#</prompt> <userinput>aptitude install python-pip</userinput></screen></para>
</formalpara>
<formalpara>
<title>RHEL, CentOS, or Fedora</title>
<para>A packaged version available in <link
xlink:href="http://openstack.redhat.com/"
>RDO</link> enables you to use
<command>yum</command> to install the
clients:
<screen><prompt>#</prompt> <userinput>yum install python-<replaceable>PROJECT</replaceable>client</userinput></screen></para>
</formalpara>
<para>Alternatively, install
<command>pip</command> and use it to
manage client installation:</para>
<screen><prompt>#</prompt> <userinput>yum install python-pip</userinput></screen>
<formalpara>
<title>openSUSE 12.2 and earlier</title>
<para>A <link
xlink:href="https://build.opensuse.org/package/show?package=python-novaclient&amp;project=Cloud:OpenStack:Master"
>packaged version available in the
Open Build Service</link> enables you
to use <command>rpm</command> or
<command>zypper</command> to install
the
python-novaclient:<screen><prompt>#</prompt> <userinput>zypper install python-<replaceable>PROJECT</replaceable></userinput></screen></para>
</formalpara><para>Alternatively, install
<command>pip</command> and use it to
manage client installation:
<screen><prompt>#</prompt> <userinput>zypper install python-pip</userinput></screen></para>
<formalpara>
<title>openSUSE 12.3</title>
<para>A packaged version enables you to use
<command>rpm</command> or
<command>zypper</command> to install
the clients:
<screen><prompt>#</prompt> <userinput>zypper install python-<replaceable>PROJECT</replaceable>client</userinput></screen></para>
</formalpara>
<note>
<para>For each command, replace
<replaceable>PROJECT</replaceable>
with the lower case name of the client to
install, such as <literal>nova</literal>.
Repeat for each client.</para>
</note>
</td>
</tr>
</tbody>
</table>
<section xml:id="cli_clients_install">
<title>Install the clients</title>
<para>Use <command>pip</command> to install the OpenStack
clients on a Mac OS X or Linux system. It is easy and
ensures that you get the latest version of the client from
the <link xlink:href="http://pypi.python.org/pypi">Python
Package Index</link>. Also, <command>pip</command>
lets you update or remove a package. After you install the
clients, you must source an <filename
xmlns:raxm="http://docs.rackspace.com/api/metadata"
>openrc</filename> file to set required environment
variables before you can request OpenStack services
through the clients or the APIs.</para>
<procedure>
<step>
<para>You must install each client separately.</para>
<para>Run the following command to install or update a
client package:</para>
<screen><prompt>$</prompt> <userinput>sudo pip install [--update] python-<replaceable>PROJECT</replaceable>client</userinput></screen>
<para>Where <replaceable>PROJECT</replaceable> is the
project name and has one of the following
values:</para>
<itemizedlist>
<listitem>
<para><literal>nova</literal>. Compute API and
extensions.</para>
</listitem>
<listitem>
<para><literal>neutron</literal>. Networking
API.</para>
</listitem>
<listitem>
<para><literal>keystone</literal>. Identity
Service API.</para>
</listitem>
<listitem>
<para><literal>glance</literal>. Image Service
API.</para>
</listitem>
<listitem>
<para><literal>swift</literal>. Object Storage
API.</para>
</listitem>
<listitem>
<para><literal>cinder</literal>. Block Storage
Service API.</para>
</listitem>
<listitem>
<para><literal>heat</literal>. Orchestration
API.</para>
</listitem>
</itemizedlist>
<para>For example, to install the nova client, run the
following command:</para>
<screen><prompt>$</prompt> <userinput>sudo pip install python-novaclient</userinput></screen>
<para>To update the nova client, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>sudo pip install --upgrade python-novaclient</userinput></screen>
<para>To remove the nova client, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>sudo pip uninstall python-novaclient</userinput></screen>
</step>
<step>
<para>Before you can issue client commands, you must
download and source the
<filename>openrc</filename> file to set
environment variables. See <xref
linkend="cli_openrc"/>.</para>
</step>
</procedure>
</section>
</section>
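Review bot: The syntax line in the cli_clients_install procedure reads "sudo pip install [--update] python-PROJECTclient", but pip's flag is --upgrade, as the nova update example a few lines later uses; change the bracketed option to [--upgrade] so the two agree. In the openSUSE 12.2 entry the command is "zypper install python-PROJECT" without the "client" suffix that the yum and openSUSE 12.3 commands carry, and the "Ubuntu 12.04" entry installs python-novaclient directly inside the table row that is about installing pip. Smaller points: the section title says "Openstack" rather than "OpenStack", the openrc <filename> element carries a stray xmlns:raxm declaration, and the three PyPI links use http:// for the index that "sudo pip install" pulls packages from, where https:// would be the better link to publish.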

@ -13,11 +13,11 @@
xml:id="section_cli_overview">
<title>Overview</title>
<para>You can use the OpenStack command-line clients to run simple
commands that make API calls and automate tasks by using
scripts. Internally, each client command runs cURL commands
that embed API requests. The OpenStack APIs are RESTful APIs
that use the HTTP protocol, including methods, URIs, media
types, and response codes.</para>
commands that make API calls. You can use these commands in
scripts to automate tasks. Internally, each client command
runs cURL commands that embed API requests. The OpenStack APIs
are RESTful APIs that use the HTTP protocol, including
methods, URIs, media types, and response codes.</para>
<para>These open-source Python clients run on Linux or Mac OS X
systems and are easy to learn and use. Each OpenStack service
has its own command-line client. On some client commands, you
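Review bot: The reworded overview paragraph still states that each client command "runs cURL commands that embed API requests", while the following paragraph describes the clients as Python programs; confirm that the clients really invoke cURL, and if they issue the HTTP requests themselves, reword the sentence to say so.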
@ -35,18 +35,33 @@
<listitem>
<para><emphasis role="bold">cinder</emphasis>
(python-cinderclient). Client for the Block Storage
Service API. Use to create and manage volumes.</para>
Service API that lets you create and manage
volumes.</para>
</listitem>
<listitem>
<para><emphasis role="bold">glance</emphasis>
(python-glanceclient). Client for the Image Service
API. Use to create and manage images.</para>
API that lets you create and manage images.</para>
</listitem>
<listitem>
<para><emphasis role="bold">heat</emphasis>
(python-heatclient). Client for the Orchestration API
that lets you launch stacks from templates, view
details of running stacks including events and
resources, and update and delete stacks.</para>
</listitem>
<listitem>
<para><emphasis role="bold">keystone</emphasis>
(python-keystoneclient). Client for the Identity
Service API. Use to create and manage users, tenants,
roles, endpoints, and credentials.</para>
Service API that lets you create and manage users,
tenants, roles, endpoints, and credentials.</para>
</listitem>
<listitem>
<para><emphasis role="bold">neutron</emphasis>
(python-neutronclient). Client for the Networking API
that lets you configure networks for guest servers.
This client was previously known as <emphasis
role="bold">quantum</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">nova</emphasis>
@ -54,27 +69,13 @@
its extensions. Use to create and manage images,
instances, and flavors.</para>
</listitem>
<listitem>
<para><emphasis role="bold">neutron</emphasis>
(python-neutronclient). Client for the Networking API.
Use to configure networks for guest servers. This
client was previously known as <emphasis role="bold"
>quantum</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">swift</emphasis>
(python-swiftclient). Client for the Object Storage
API. Use to gather statistics, list items, update
metadata, upload, download and delete files stored by
the object storage service. Provides access to a swift
installation for ad hoc processing.</para>
</listitem>
<listitem>
<para><emphasis role="bold">heat</emphasis>
(python-heatclient). Client for the Orchestration API.
Use to launch stacks from templates, view details of
running stacks including events and resources, and
update and delete stacks.</para>
API that lets you gather statistics, list items,
update metadata, upload, download and delete files
stored by the Object Storage service. Provides access
to a swift installation for ad hoc processing.</para>
</listitem>
</itemizedlist>
<para>An OpenStack common client is in development.</para>
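Review bot: The nova entry at the top of this hunk keeps the old wording "Use to create and manage images, instances, and flavors.", while every other client entry in this change was rewritten to the "that lets you ..." form; convert it as well so the list reads consistently. The swift entry also ends with the fragment "Provides access to a swift installation for ad hoc processing.", which needs a subject or should be folded into the sentence before it.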

@ -5,15 +5,15 @@
xml:id="checking_version_cli">
<title>Get the version for a client</title>
<para>After you install an OpenStack client, you can get its
version number, as follows:</para>
version number.</para>
<procedure>
<step>
<para>Run the following command get the
version number for a client:</para>
<screen><prompt>$</prompt> <userinput><?db-font-size 75%?>PROJECT --version</userinput></screen>
<screen><prompt>$</prompt> <userinput><replaceable>PROJECT</replaceable> --version</userinput></screen>
<para>Where <replaceable>PROJECT</replaceable>
is the project name and has one of the
following values:</para>
is one of the following project
names:</para>
<itemizedlist>
<listitem>
<para><literal>nova</literal>.
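Review bot: The step text "Run the following command get the version number for a client:" is missing "to" and is left untouched here even though the lines on both sides of it are edited; fix it in the same change. The placeholder is named PROJECT in this section but CLIENT_NAME in the help section added by the same commit, so pick one name for the client executable and use it in both.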
@ -47,25 +47,13 @@
<para>For example, to see the version of the
nova client, run the following
command:</para>
<screen><prompt>$</prompt> <userinput><?db-font-size 75%?>nova --version</userinput></screen>
<screen><computeroutput><?db-font-size 75%?>2.14.1.17</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>nova --version</userinput></screen>
<screen><computeroutput>2.14.1.17</computeroutput></screen>
<para>To see the version of the keystone
client, run the following
command:</para>
<screen><prompt>$</prompt> <userinput><?db-font-size 75%?>keystone --version</userinput></screen>
<screen><computeroutput><?db-font-size 75%?>0.3.1.73</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>keystone --version</userinput></screen>
<screen><computeroutput>0.3.1.73</computeroutput></screen>
</step>
</procedure>
<!-- <screen><prompt>$</prompt> <userinput><?db-font-size 75%?>pip freeze | grep python-</userinput></screen>
<screen><computeroutput><?db-font-size 75%?>python-glanceclient==0.4.0
python-keystoneclient==0.1.2
-e git+https://github.com/openstack/python-novaclient.git@077cc0bf22e378c4c4b970f2331a695e440a939f#egg=python_novaclient-dev
python-neutronclient==0.1.1
python-swiftclient==1.1.1</computeroutput></screen>
<para>You can also use the <command>yolk
-l</command> command to see which version of
the client is installed:</para>
<screen><prompt>$</prompt> <userinput><?db-font-size 75%?>yolk -l | grep python-novaclient</userinput></screen>
<screen><computeroutput><?db-font-size 75%?>python-novaclient - 2.6.10.27 - active development (/Users/your.name/src/cloud-servers/src/src/python-novaclient)
python-novaclient - 2012.1 - non-active </computeroutput></screen> -->
</section>

@ -3,8 +3,8 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_manage_images">
<title>Manage images</title>
<?dbhtml stop-chunking?>
<title>Manage images</title>
<para>The cloud operator assigns roles to users. Roles determine
who can upload and manage images. The operator might restrict
image upload and management to only cloud administrators or

@ -1,16 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="example-usage">
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="example-usage">
<title>keystone command-line client example usage</title>
<para>Before you can use keystone client commands, you must
download and source an OpenStack RC file. For information, see
the <citetitle>OpenStack Admin User Guide</citetitle>.</para>
<para>The keystone command-line client uses the following
syntax:</para>
<screen><prompt>$</prompt> <userinput>keystone <replaceable>PARAMETER</replaceable> <replaceable>COMMAND</replaceable> <replaceable>ARGUMENT</replaceable></userinput></screen>
<para>For example, you can run the
<command>user-list</command> and
<command>tenant-create</command> commands, as
<para>For example, you can run the <command>user-list</command>
and <command>tenant-create</command> commands, as
follows:</para>
<screen><computeroutput># Using OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN environment variables</computeroutput>
<screen><computeroutput># Using OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN environment variables</computeroutput>
<prompt>$</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/</userinput>
<prompt>$</prompt> <userinput>export OS_SERVICE_TOKEN=secrete_token</userinput>
<prompt>$</prompt> <userinput>keystone user-list</userinput>
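Review bot: The new opening paragraph says an OpenStack RC file must be downloaded and sourced before keystone commands can be used, but the first example that follows authenticates with OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN exported by hand; state which of the two the reader is expected to use, or explain how the token-based example relates to the RC file. Of the two <screen> lines carrying the "# Using OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN environment variables" comment, the change appears to be leading whitespace only, which is worth confirming is intended.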
@ -28,4 +31,7 @@
<prompt>$</prompt> <userinput>keystone user-list --tenant_id <replaceable>id</replaceable></userinput>
<computeroutput># Using --name, --description, and --enabled parameters</computeroutput>
<prompt>$</prompt> <userinput>keystone tenant-create --name demo --description "demo tenant" --enabled true</userinput></screen>
<para>For information about using the keystone client commands to
create and manage users, roles, and projects, see the
<citetitle>OpenStack Admin User Guide</citetitle>.</para>
</section>
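Review bot: The example kept as context at the top of this hunk uses "keystone user-list --tenant_id", while the user-list procedure shown later in this commit spells the parameter --tenant-id; align the two spellings. The added closing paragraph refers the reader to the OpenStack Admin User Guide, which the new opening paragraph of this section already does, so one of the two references could name the specific chapter instead of repeating the guide title.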

@ -0,0 +1,167 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="adding-users-tenants-and-roles-with-python-keystoneclient">
<?dbhtml stop-chunking?>
<title>Create and manage services and service users</title>
<para>The Identity Service enables you to define services in the
following ways:</para>
<itemizedlist>
<listitem>
<para>Service catalog template. The Identity Service acts
as a service catalog of endpoints for other OpenStack
services. The
<literal>etc/default_catalog.templates</literal>
template file defines the endpoints for services. When
the Identity Service uses a template file back-end,
any changes that are made to the endpoints are cached.
These changes do not persist when you restart the
service or reboot the machine.</para>
</listitem>
<listitem>
<para>A SQL back-end for the catalog service. When the
Identity Service is online, you must add the services
to the catalog. When you deploy a system for
production, use the SQL back-end.</para>
</listitem>
</itemizedlist>
<para>The <literal>auth_token</literal> middleware supports the
use of either a shared secret or users for each
service.</para>
<para>To authenticate users against the Identity Service, you must
create a service user for each OpenStack service. For example,
create a service user for the Compute, Block Storage, and
Network services.</para>
<para>To configure the OpenStack services with service users,
create a project for all services and create users for each
service. Assign the admin role to each service user-project
pair. This role enables users to validate tokens and
authenticate and authorize other user requests.</para>
<section xml:id="cli_service-create">
<title>Create a service</title>
<procedure>
<step>
<para>List the available services:</para>
<screen><prompt>$</prompt> <userinput>keystone service-list</userinput></screen>
<screen><computeroutput>+----------------------------------+----------+----------+---------------------------+
| id | name | type | description |
+----------------------------------+----------+----------+---------------------------+
| 9816f1faaa7c4842b90fb4821cd09223 | cinder | volume | Cinder Volume Service |
| da8cf9f8546b4a428c43d5e032fe4afc | ec2 | ec2 | EC2 Compatibility Layer |
| 5f105eeb55924b7290c8675ad7e294ae | glance | image | Glance Image Service |
| dcaa566e912e4c0e900dc86804e3dde0 | keystone | identity | Keystone Identity Service |
| 4a715cfbc3664e9ebf388534ff2be76a | nova | compute | Nova Compute Service |
| 6feb2e0b98874d88bee221974770e372 | s3 | s3 | S3 |
+----------------------------------+----------+----------+---------------------------+</computeroutput></screen>
</step>
<step>
<para>To create a service, you use the following
command syntax:</para>
<screen><prompt>$</prompt> <userinput>keystone help service-create</userinput></screen>
<screen><computeroutput>usage: keystone service-create --name &lt;name> --type &lt;type>
[--description &lt;service-description>]
Add service to Service Catalog.
Arguments:
--name &lt;name> Name of new service (must be unique)
--type &lt;type> Service type (one of: identity, compute, network,
image, or object-store)
--description &lt;service-description>
Description of service</computeroutput></screen>
<para>For example, to create a service named
<literal>swift</literal> of type
<literal>object-store</literal>, run the
following command:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name swift --type object-store --description "object store service"</userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | object store service |
| id | 84c23f4b942c44c38b9c42c5e517cd9a |
| name | swift |
| type | object-store |
+-------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>To get details for a specified service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-get 84c23f4b942c44c38b9c42c5e517cd9a</userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | object store service |
| id | 84c23f4b942c44c38b9c42c5e517cd9a |
| name | swift |
| type | object-store |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_create_service_users">
<title>Create service users</title>
<procedure>
<step>
<para>Create a project for the service users.
Typically, this project is named
<literal>service</literal>, but you can choose
any name you like:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name service</userinput></screen>
<para>The output shows the ID for the project. Note
this ID; you need it to create service users and
assign roles.</para>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 3e9f3f5399624b2db548d7f871bd5322 |
| name | service |
+-------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create service users for the relevant services
for your deployment.</para>
</step>
<step>
<para>To assign the admin role to the service
user-project pairs, get the ID of the admin
role:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
<screen><computeroutput>+----------------------------------+---------------+
| id | name |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f | Member |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ecf391421604da985db2f141e46a7c8 | admin |
| deb4fffd123c4d02a907c2c74559dccf | anotherrole |
| bef1f95537914b1295da6aa038ef4de6 | new-role |
+----------------------------------+---------------+</computeroutput></screen>
</step>
<step>
<para>Assign the admin role to the user-project pair,
as follows:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user <replaceable>SERVICE_USER_ID</replaceable> --role <replaceable>ADMIN_ROLE_ID</replaceable> --tenant <replaceable>SERVICE_PROJECT_ID</replaceable></userinput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_delete_service">
<title>Delete a service</title>
<procedure xml:id="service-delete">
<step>
<para>To delete a specified service, specify its ID,
as follows:</para>
<screen><prompt>$</prompt> <userinput>keystone service-delete <replaceable>SERVICE_ID</replaceable></userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | object store service |
| id | 84c23f4b942c44c38b9c42c5e517cd9a |
| name | swift |
| type | object-store |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
</section>
</section>
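Review bot: The "Create service users" procedure has a step that says only "Create service users for the relevant services for your deployment." with no command, yet the last step needs SERVICE_USER_ID; add a keystone user-create example with its output so the reader has a source for that ID. The "Delete a service" step shows a property table identical to the service-get output above it, which looks pasted, so confirm what service-delete actually prints. The section also keeps xml:id="adding-users-tenants-and-roles-with-python-keystoneclient" although its title is now "Create and manage services and service users". Because every service user is given the admin role, the text on auth_token's shared secret versus per-service users would benefit from one sentence saying which option the guide recommends.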

@ -1,455 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="adding-users-tenants-and-roles-with-python-keystoneclient">
<?dbhtml stop-chunking?>
<title>Administer users, tenants, roles, and services</title>
<para>You must configure the keystone client with admin
credentials before you can create and manage users, tenants,
and roles. For information about configuration, see the <link
xlink:href="http://docs.openstack.org/grizzly/openstack-compute/admin/content/"
><citetitle>OpenStack Compute Administration
Guide</citetitle></link>.</para>
<para>You must create at least one tenant, user, and role. You
link the user to the tenant, and the role to the user-tenant
pairing.</para>
<para>To authenticate users against the Identity Service, you must
create service users for each of the OpenStack services, such
as Compute, Image Service, Networking, and so on.</para>
<para>The <literal>auth_token</literal> middleware supports the
use of either a shared secret or users for each service.</para>
<section xml:id="tenants">
<title>Tenants</title>
<para>A tenant is a group of zero or more users. In Compute, a
tenant owns virtual machines. In the Object Storage
Service, a tenant owns containers. You can associated
users with more than one tenant. You can associate each
tenant and user pairing with a role.</para>
<procedure xml:id="tenant-list">
<title>To list tenants</title>
<step>
<para>List all tenants:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
<screen><computeroutput>+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 66265572db174a7aa66eba661f58eb9e | admin | True |
| ba7c172fe7d74a8a888939f1b8cc7f98 | alt_demo | True |
| b70d90d65e464582b6b2161cf3603ced | demo | True |
| 0675bbff347e4fc5aea94b6adad6000f | demodiane | True |
| c60467a6a1e140a08ba401b09a4f9adb | invisible_to_admin | True |
| a1d0e04f92f948ad9afe91ab8ebedfeb | service | True |
+----------------------------------+--------------------+---------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="tenant-create">
<title>To create a tenant</title>
<step>
<para>Create an enabled tenant named demo:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name demo1 --description "demo1 tenant" --enabled true</userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | demo1 tenant |
| enabled | True |
| id | c165a03f78164d7294a3133b345ee9fa |
| name | demo1 |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="tenant-disable">
<title>To disable a tenant</title>
<step>
<para>To disable a tenant, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update c165a03f78164d7294a3133b345ee9fa --enabled false</userinput></screen>
</step>
</procedure>
<procedure xml:id="tenant-get">
<title>To get tenant details</title>
<step>
<para>To get tenant details, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-get c165a03f78164d7294a3133b345ee9fa</userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | demo1 tenant |
| enabled | False |
| id | c165a03f78164d7294a3133b345ee9fa |
| name | demo1 |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="tenant-enable">
<title>To enable a tenant</title>
<step>
<para>To enable a tenant, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update c165a03f78164d7294a3133b345ee9fa --enabled true</userinput></screen>
</step>
</procedure>
<procedure xml:id="tenant-delete">
<title>To delete a tenant</title>
<step>
<para>To delete a tenant, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-delete f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="users">
<title>Users</title>
<procedure xml:id="user-list">
<title>To list users</title>
<step>
<para>To list all users for all tenants, run the following command:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<screen><computeroutput>+----------------------------------+----------+---------+----------------------+
| id | name | enabled | email |
+----------------------------------+----------+---------+----------------------+
| 376744b5910b4b4da7d8e6cb483b06a8 | admin | True | admin@example.com |
| a7e160432ddf4a5c800fbab4ca8313a1 | admin1 | True | admin1@example.com |
| 6705b966b1dd450a91971b5c3bfe93ad | alt_demo | True | alt_demo@example.com |
| e900100b4cd54d53bcecac6c4736c4f3 | cinder | True | cinder@example.com |
| 867e53193998439992896bc88d9525f0 | demo | True | demo@example.com |
| 4105efb002cd4464b61580cbd68e5a3c | glance | True | glance@example.com |
| d4844c6e77924194b44a6151b4357ebd | nova | True | nova@example.com |
+----------------------------------+----------+---------+----------------------+</computeroutput></screen>
<para>To list users for a specified tenant, include
the <parameter>--tenant-id</parameter> parameter, as follows:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list --tenant-id 66265572db174a7aa66eba661f58eb9e</userinput></screen>
<screen><computeroutput>+----------------------------------+-------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------------------+
| 376744b5910b4b4da7d8e6cb483b06a8 | admin | True | admin@example.com |
+----------------------------------+-------+---------+-------------------+ </computeroutput></screen> </step>
</procedure>
<procedure xml:id="user-create">
<title>To create a user</title>
<step>
<para>To create a user named <literal>admin</literal>
with a specified password and email, run the
following command:</para><screen><prompt>$</prompt> <userinput>keystone user-create --name admin --pass secrete --email admin@example.com</userinput></screen>
<para>By default, the user is enabled and associated
with the default tenant.</para>
<para>The output does not display the password:</para>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | admin@example.com |
| enabled | True |
| id | a7e160432ddf4a5c800fbab4ca8313a1 |
| name | admin |
| tenantId | |
+----------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="user-update-email">
<title>To update the email address for a user</title>
<step>
<para>Update the email address for a user, as follows:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --email joe_admin@example.com admin</userinput></screen>
<screen><computeroutput>User has been updated.</computeroutput></screen>
</step>
<step><para>To confirm your changes, get details for the admin user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get admin</userinput></screen>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | joe_admin@example.com |
| enabled | True |
| id | 376744b5910b4b4da7d8e6cb483b06a8 |
| name | admin |
| tenantId | |
+----------+----------------------------------+</computeroutput></screen></step>
</procedure>
<procedure xml:id="user-disable">
<title>To update a user to disable the user</title>
<step>
<para>Update the user and include the <parameter>--enabled</parameter> parameter:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --enabled false admin</userinput></screen>
<screen><userinput>User has been updated.</userinput></screen>
</step>
<step><para>To confirm your changes, get details for the admin user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get admin</userinput></screen>
<screen><computeroutput>User is disabled: 376744b5910b4b4da7d8e6cb483b06a8 (HTTP 401)</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="user-enable">
<title>To update a user to enable the user</title>
<step>
<para>Update the user and include the <parameter>--enabled</parameter> parameter:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --enabled true admin</userinput></screen>
<screen><userinput>User has been updated.</userinput></screen>
</step>
<step><para>To confirm your changes, get details for the admin user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get admin</userinput></screen>
<screen><computeroutput>User is disabled: 376744b5910b4b4da7d8e6cb483b06a8 (HTTP 401)</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="user-update-password">
<title>To update the password for a user</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>user_id</para>
</listitem>
<listitem>
<para>password</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --password 03c84b51574841ba9a0d8db7882ac645 foo</userinput></screen>
</step>
</procedure>
<procedure xml:id="user-delete">
<title>To delete a user</title>
<step>
<para>keyword arguments:</para>
<itemizedlist>
<listitem>
<para>user</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-delete f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="roles">
<title>Roles</title>
<procedure xml:id="role-create">
<title>To create a role</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name demo</userinput></screen>
</step>
</procedure>
<procedure xml:id="role-delete">
<title>To delete a role</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-delete 19d1d3344873464d819c45f521ff9890</userinput></screen>
</step>
</procedure>
<procedure xml:id="role-list">
<title>To list roles</title>
<step>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
</step>
</procedure>
<procedure xml:id="role-get">
<title>To get details for a role</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-get role=19d1d3344873464d819c45f521ff9890</userinput></screen>
</step>
</procedure>
<procedure xml:id="add-user-role">
<title>To add a role to a user</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
<listitem>
<para>user_id</para>
</listitem>
<listitem>
<para>tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone add-user-role \
3a751f78ef4c412b827540b829e2d7dd \
03c84b51574841ba9a0d8db7882ac645 \
20601a7f1d94447daa4dff438cb1c209</userinput></screen>
</step>
</procedure>
<procedure xml:id="remove-user-role">
<title>To remove a role from a user</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
<listitem>
<para>user_id</para>
</listitem>
<listitem>
<para>tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone remove-user-role \
19d1d3344873464d819c45f521ff9890 \
08741d8ed88242ca88d1f61484a0fe3b \
20601a7f1d94447daa4dff438cb1c209</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="services">
<title>Services</title>
<procedure xml:id="service-create">
<title>To create a service</title>
<step>
<para>keyword arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>type</para>
</listitem>
<listitem>
<para>description</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service create \
--name nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;</userinput></screen>
</step>
</procedure>
<procedure xml:id="service-list">
<title>To list services</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-list</userinput></screen>
</step>
</procedure>
<procedure xml:id="service-get">
<title>To get service details</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-get 08741d8ed88242ca88d1f61484a0fe3b</userinput></screen>
</step>
</procedure>
<procedure xml:id="service-delete">
<title>To delete a service</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create service users</title>
<step><para>To configure the OpenStack services with service users, we
must create a tenant for all the services, and
then users for each of the services. We then
assign those service users an Admin role on the
service tenant. This allows them to validate
tokens - and authenticate and authorize other user
requests.</para>
<para>Create a tenant for the services, typically named
'service' (however, the name can be whatever you choose):</para>
<screen>keystone tenant-create --name=service</screen>
<para>This returns a UUID of the tenant - keep that, you'll
need it when creating the users and specifying the roles.</para>
<para>Create service users for nova, glance, swift, and
neutron (or whatever subset is relevant to your deployment):</para>
<screen>keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com</screen>
<para>Repeat this for each service you want to enable. Email
is a required field in keystone right now, but not used in
relation to the service accounts. Each of these commands
will also return a UUID of the user. Keep those to assign
the Admin role.</para>
<para>For adding the Admin role to the service accounts,
you'll must know the UUID of the role you want to
add. If you don't have them handy, you can look it
up quickly with:</para>
<screen>keystone role-list</screen>
<para>Once you have it, assign the service users to the Admin
role. This is all assuming that you've already created the
basic roles and settings as described in the configuration
section:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --tenant_id=[uuid of the service tenant] \
--user=[uuid of the service account] \
--role=[uuid of the Admin role]</userinput></screen></step>
</procedure>
<procedure xml:id="defining-services">
<title>To define services</title>
<para>Keystone also acts as a service catalog to let other
OpenStack systems know where relevant API endpoints exist for
OpenStack Services. The OpenStack Dashboard, in particular,
uses this heavily - and this <emphasis role="strong"
>must</emphasis> be configured for the OpenStack dashboard
to properly function.</para>
<para>The endpoints for these services are defined in a
template, an example of which is in the project as the file
<literal>etc/default_catalog.templates</literal>. When
keystone uses a template file backend, then changes made to
the endpoints are kept in memory and don't persist if you
restart the service or reboot the machine. Use the SQL
backend when deploying a system for production.</para>
<para>Keystone supports two means of defining the services,
one is the catalog template, as described above - in which
case everything is detailed in that template.</para>
<para>The other is a SQL backend for the catalog service, in
which case after keystone is online, you must add the
services to the catalog:</para>
<step><screen><prompt>$</prompt> <userinput>keystone service-create --name=nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;
keystone service-create --name=ec2 \
--type=ec2 \
--description=&quot;EC2 Compatibility Layer&quot;
keystone service-create --name=glance \
--type=image \
--description=&quot;Glance Image Service&quot;
keystone service-create --name=keystone \
--type=identity \
--description=&quot;Keystone Identity Service&quot;
keystone service-create --name=swift \
--type=object-store \
--description=&quot;Swift Service&quot;</userinput></screen></step>
</procedure>
</section>
</section>
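Review bot: In the user-enable procedure, the confirmation step still shows `User is disabled: 376744b5910b4b4da7d8e6cb483b06a8 (HTTP 401)`, which is the output copied from the user-disable procedure. After `keystone user-update --enabled true admin`, the `user-get` step should show the property table with `enabled | True`. In both procedures, `User has been updated.` is wrapped in `<userinput>` although it is program output; use `<computeroutput>` as user-update-email does. Command spelling is inconsistent across the file: service-create uses `keystone service create` while defining-services uses `keystone service-create`, role assignment appears as both `add-user-role` and `user-role-add`, and the role-get example passes `role=19d1d3344873464d819c45f521ff9890` where the argument list says role_id. The service-list procedure lists a service_id argument that its example does not take, and "you'll must know" needs fixing. Because the examples pass passwords as arguments (`--pass secrete`, `--pass=Sekr3tPass`), consider a sentence noting that these land in shell history and process listings. The service-users text could also state why each service account needs the Admin role on the service tenant.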

View File

@ -54,9 +54,9 @@
<revdescription>
<itemizedlist spacing="compact">
<listitem>
<para>Moved configuration information to the
<citetitle>OpenStack Configuration
Reference</citetitle>.</para>
<para>Moved configuration information to
the <citetitle>OpenStack Configuration
Reference</citetitle>.</para>
</listitem>
</itemizedlist>
</revdescription>

View File

@ -27,13 +27,14 @@
<section xml:id="memcached-and-system-time">
<title>Memcached and System Time</title>
<para>If you use <link xlink:href="http://memcached.org/"
>memcached</link> with the Identity Service &ndash; for example, using the
memcache token driver or the <literal>auth_token</literal>
middleware &ndash; ensure that the system time of memcached
hosts is set to UTC. Memcached uses the host's system time in
determining whether a key has expired, whereas the Identity Service sets key
expiry in UTC. The timezone used by the Identity Service and memcached must
match if key expiry is to behave as expected.</para>
>memcached</link> with the Identity Service &ndash; for
example, using the memcache token driver or the
<literal>auth_token</literal> middleware &ndash; ensure that
the system time of memcached hosts is set to UTC. Memcached uses
the host's system time in determining whether a key has expired,
whereas the Identity Service sets key expiry in UTC. The
timezone used by the Identity Service and memcached must match
if key expiry is to behave as expected.</para>
</section>
<xi:include href="../common/section_keystone-ssl-config.xml"/>
<section xml:id="user-crud">
@ -45,7 +46,8 @@
<literal>user_crud_extension</literal> filter, insert it after
the <literal>*_body</literal> middleware and before the
<literal>public_service</literal> app in the public_api WSGI
pipeline in <filename>keystone-paste.ini</filename>. For example:</para>
pipeline in <filename>keystone-paste.ini</filename>. For
example:</para>
<screen><computeroutput>[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
@ -75,14 +77,15 @@ pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body j
module, which includes extensive configuration options for
choosing the output levels and formats.</para>
<para>See the <filename>etc/keystone.conf</filename> sample
configuration files, which are distributed with the Identity Service.</para>
configuration files, which are distributed with the Identity
Service.</para>
<para>For services that have a separate <filename>paste-deploy
ini</filename> file, you can alternatively configure
auth_token middleware in the
<literal>[keystone_authtoken]</literal> section in the main
configuration file, such as <filename>nova.conf</filename>. For
example in Compute, you can remove the middleware parameters from
<filename>api-paste.ini</filename>, as follows:</para>
example in Compute, you can remove the middleware parameters
from <filename>api-paste.ini</filename>, as follows:</para>
<screen><computeroutput>[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory</computeroutput></screen>
<para>Set values in the <filename>nova.conf</filename> file, as
@ -107,8 +110,8 @@ paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory</comp
</section>
<section xml:id="monitoring">
<title>Monitoring</title>
<para>The Identity Service provides some basic request/response monitoring
statistics.</para>
<para>The Identity Service provides some basic request/response
monitoring statistics.</para>
<para>To enable data collection, define a
<literal>stats_monitoring</literal> filter and include it at
the beginning of any desired WSGI pipelines in
@ -133,7 +136,8 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
<para>Reset collected data, as follows:</para>
<screen><prompt>$</prompt> <userinput>curl -H 'X-Auth-Token: ADMIN' -X DELETE http://localhost:35357/v2.0/OS-STATS/stats</userinput></screen>
</section>
<xi:include href="../common/section_keystone_certificates-for-pki.xml"/>
<xi:include
href="../common/section_keystone_certificates-for-pki.xml"/>
<xi:include href="../common/section_keystone-sample-conf-files.xml"/>
<section xml:id="running-keystone">
<title>Run the Identity Service</title>
@ -150,8 +154,9 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
</section>
<section xml:id="initializing-keystone">
<title>Initialize the Identity Service</title>
<para>The <command>keystone-manage</command> commands enable you to perform functions that are not available through the normal REST
API. The following calls are supported:</para>
<para>The <command>keystone-manage</command> commands enable you
to perform functions that are not available through the normal
REST API. The following calls are supported:</para>
<itemizedlist>
<listitem>
<para>
@ -161,15 +166,16 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
<para>Generally, the following is the first step after a source
installation:</para>
<screen><prompt>$</prompt> <userinput>keystone-manage db_sync</userinput></screen>
<para>Invoking <command>keystone-manage</command> by itself gives you additional
usage information.</para>
<para>Invoking <command>keystone-manage</command> by itself gives
you additional usage information.</para>
</section>
<section xml:id="configuring-services-to-work-with-keystone">
<title>Configure Services to Work with Identity Service</title>
<para>Once Keystone is installed and running, services need to be
configured to work with it. To do this, we primarily install and
configure middleware for the OpenStack service to handle
authentication tasks or otherwise interact with the Identity Service.</para>
authentication tasks or otherwise interact with the Identity
Service.</para>
<para>In general:</para>
<itemizedlist>
<listitem>
@ -177,56 +183,63 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
authentication token.</para>
</listitem>
<listitem>
<para>The Identity Service middleware looks for and validates that
token, taking the appropriate action.</para>
<para>The Identity Service middleware looks for and validates
that token, taking the appropriate action.</para>
</listitem>
<listitem>
<para>It also retrieves additional information from the
token such as user name, id, tenant name, id, roles, and so on.
<para>It also gets additional information from the token such
as user name and ID, tenant name and ID, roles, and so on.
</para>
</listitem>
</itemizedlist>
<para>The middleware passes data to the service as
headers.</para>
<xi:include href="../common/section_keystone_cli_credentials.xml"/>
<xi:include href="../common/section_keystone_cli_apiv3.xml"/>
<xi:include href="../common/section_keystone_cli_example_usage.xml"/>
<xi:include href="../common/section_keystone_cli_users_tenants_roles.xml"/>
<para>The middleware passes data to the service as headers.</para>
<xi:include href="../common/section_keystone_cli_credentials.xml"/>
<xi:include href="../common/section_keystone_cli_apiv3.xml"/>
<xi:include
href="../common/section_keystone_cli_example_usage.xml"/>
<!--Moved the following sections to the Admin User Guide -->
<!-- <xi:include
href="../common/section_cli_openrc.xml"
/>
<xi:include
href="../openstack-user-admin/src/section_keystone_cli_manage_projects_users_roles.xml"
/> -->
</section>
<section xml:id="setting-up-middleware">
<title>Set Up Middleware</title>
<section xml:id="keystone-auth-token-middleware">
<title>Identity Service Auth-Token Middleware</title>
<para>The Identity Service auth_token middleware is a WSGI
component that can be inserted in the WSGI pipeline to handle
authenticating tokens with the Identity Service.</para>
</section>
<section xml:id="setting-up-middleware">
<title>Set Up Middleware</title>
<section xml:id="keystone-auth-token-middleware">
<title>Identity Service Auth-Token Middleware</title>
<para>The Identity Service auth_token middleware is a WSGI component
that can be inserted in the WSGI pipeline to handle
authenticating tokens with the Identity Service.</para>
</section>
<section xml:id="configuring-nova-to-use-keystone">
<title>Configure Compute to Use the Identity Service</title>
<para>When configuring Compute, it is important to create a nova
user in the service tenant and include the nova user's login
information in /etc/nova/nova.conf</para>
</section>
<section xml:id="configuring-swift-to-use-keystone">
<title>Configure Object Storage to Use the Identity Service</title>
<para>Similar to Compute, you can configure Object Storage to use the Identity Service
for authentication rather than its built in
'tempauth'.</para>
<orderedlist numeration="arabic">
<listitem>
<para>Add a service endpoint for Object Storage to the Identity Service
</para>
</listitem>
<listitem>
<para>Configure the paste file for swift-proxy,
<filename>/etc/swift/proxy-server.conf</filename>.
</para>
</listitem>
<listitem>
<para>Reconfigure Object Storage's proxy server to use the Identity Service
instead of TempAuth. Here's an example
`/etc/swift/proxy-server.conf`:</para>
<screen><computeroutput>
<section xml:id="configuring-nova-to-use-keystone">
<title>Configure Compute to Use the Identity Service</title>
<para>When configuring Compute, it is important to create a nova
user in the service tenant and include the nova user's login
information in /etc/nova/nova.conf</para>
</section>
<section xml:id="configuring-swift-to-use-keystone">
<title>Configure Object Storage to Use the Identity
Service</title>
<para>Similar to Compute, you can configure Object Storage to
use the Identity Service for authentication rather than its
built in 'tempauth'.</para>
<orderedlist numeration="arabic">
<listitem>
<para>Add a service endpoint for Object Storage to the
Identity Service </para>
</listitem>
<listitem>
<para>Configure the paste file for swift-proxy,
<filename>/etc/swift/proxy-server.conf</filename>.
</para>
</listitem>
<listitem>
<para>Reconfigure Object Storage's proxy server to use the
Identity Service instead of TempAuth. Here's an example
`/etc/swift/proxy-server.conf`:</para>
<screen><computeroutput>
[DEFAULT]
bind_port = 8888
user = &lt;user&gt;
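Review bot: The commented-out `<xi:include>` block under "Moved the following sections to the Admin User Guide" leaves dead markup in this section. If the content has moved, drop the includes, and if readers need a pointer, add a visible cross-reference rather than an XML comment. While these paragraphs are being rewrapped, "information in /etc/nova/nova.conf" could get `<filename>` markup and a closing period, and the Markdown-style backticks around `/etc/swift/proxy-server.conf` should become `<filename>`, as the list item just above already does.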
@ -265,35 +278,36 @@ use = egg:swift#catch_errors
[filter:healthcheck]
use = egg:swift#healthcheck</computeroutput>
</screen>
</listitem>
<listitem>
<para>Restart Object Storage services.</para>
</listitem>
<listitem>
<para>Verify that the Identity Service is
providing authentication to Object Storage.</para>
<screen>
</listitem>
<listitem>
<para>Restart Object Storage services.</para>
</listitem>
<listitem>
<para>Verify that the Identity Service is providing
authentication to Object Storage.</para>
<screen>
<prompt>$</prompt> <userinput>swift -V 2 -A http://localhost:5000/v2.0 -U admin:admin -K ADMIN stat</userinput>
</screen>
</listitem>
</orderedlist>
</section>
<section
xml:id="configuring-swift-with-s3-emulation-to-use-keystone">
<title>Configure Object Storage with S3 Emulation to Use
the Identity Service</title>
<para>The Identity Service support validating S3 tokens using the same
tokens as the generated EC2 tokens. When you have generated
a pair of EC2 access token and secret you can access your
Object Storage cluster directly with the S3 API.</para>
<orderedlist numeration="arabic">
<listitem>
<para>Configure the paste file for swift-proxy
(`/etc/swift/proxy-server.conf`) to use S3token and
Swift3 middleware. You must have the s3token middleware
in the pipeline when using the Identity Service and swift3.</para>
<para>Here's an example:</para>
<screen><computeroutput>
</listitem>
</orderedlist>
</section>
<section
xml:id="configuring-swift-with-s3-emulation-to-use-keystone">
<title>Configure Object Storage with S3 Emulation to Use the
Identity Service</title>
<para>The Identity Service support validating S3 tokens using
the same tokens as the generated EC2 tokens. When you have
generated a pair of EC2 access token and secret you can access
your Object Storage cluster directly with the S3 API.</para>
<orderedlist numeration="arabic">
<listitem>
<para>Configure the paste file for swift-proxy
(`/etc/swift/proxy-server.conf`) to use S3token and Swift3
middleware. You must have the s3token middleware in the
pipeline when using the Identity Service and
swift3.</para>
<para>Here's an example:</para>
<screen><computeroutput>
[DEFAULT]
bind_port = 8080
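Review bot: The rewrapped S3 paragraph keeps "The Identity Service support validating S3 tokens"; change "support" to "supports" while the lines are being touched. In the first list item, the backticks around `/etc/swift/proxy-server.conf` are Markdown, not DocBook, and should be `<filename>`. The verification step (`-U admin:admin -K ADMIN`) would be clearer if the text said these are sample credentials to replace.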
@ -338,11 +352,12 @@ auth_protocol = http
auth_token = ADMIN
admin_token = ADMIN</computeroutput>
</screen>
</listitem>
<listitem>
<para>You can then access directly Object Storage through the S3
API. The following example shows how to use the `boto` library:</para>
<screen><computeroutput>import boto
</listitem>
<listitem>
<para>You can then access directly Object Storage through
the S3 API. The following example shows how to use the
`boto` library:</para>
<screen><computeroutput>import boto
import boto.s3.connection
connection = boto.connect_s3(
@ -353,16 +368,17 @@ connection = boto.connect_s3(
is_secure=False,
calling_format=boto.s3.connection.OrdinaryCallingFormat())</computeroutput>
</screen>
</listitem>
</orderedlist>
</section>
<section xml:id="configuring-keystone-for-ldap-backend">
<title>Configure the Identity Service for an LDAP Backend</title>
<para>As an alternative to the SQL Database backing store,
the Identity Service can use a directory server to provide the Identity
service. An example schema for OpenStack looks like
this:</para>
<screen><computeroutput>dn: dc=openstack,dc=org
</listitem>
</orderedlist>
</section>
<section xml:id="configuring-keystone-for-ldap-backend">
<title>Configure the Identity Service for an LDAP
Backend</title>
<para>As an alternative to the SQL Database backing store, the
Identity Service can use a directory server to provide the
Identity service. An example schema for OpenStack looks like
this:</para>
<screen><computeroutput>dn: dc=openstack,dc=org
dc: openstack
objectClass: dcObject
objectClass: organizationalUnit
@ -389,9 +405,9 @@ objectClass: organizationalRole
ou: _member_
cn: 9fe2ff9ee4384b1894a90878d3e92bab</computeroutput>
</screen>
<para>The corresponding entries in the Identity Service configuration
file are:</para>
<screen><computeroutput>[DEFAULT]
<para>The corresponding entries in the Identity Service
configuration file are:</para>
<screen><computeroutput>[DEFAULT]
public_endpoint = http://localhost:%(public_port)s/
admin_endpoint = http://localhost:%(admin_port)s/
@ -416,28 +432,28 @@ tenant_attribute_ignore = enabled
role_tree_dn = ou=Roles,dc=openstack,dc=org</computeroutput>
</screen>
<para>The default object classes and attributes are
intentionally simplistic. They reflect the common standard
objects according to the LDAP RFCs. However, in a live
deployment, the correct attributes can be overridden to
support a preexisting, more complex schema. For example, in
the user object, the objectClass posixAccount from RFC2307
is very common. If this is the underlying objectclass, then
the <emphasis>uid</emphasis> field should probably be
<emphasis>uidNumber</emphasis> and
<emphasis>username</emphasis> field either
<emphasis>uid</emphasis> or <emphasis>cn</emphasis>. To
change these two fields, the corresponding entries in the
the Identity Service configuration file are:</para>
<screen><computeroutput>[ldap]
<para>The default object classes and attributes are
intentionally simplistic. They reflect the common standard
objects according to the LDAP RFCs. However, in a live
deployment, the correct attributes can be overridden to
support a preexisting, more complex schema. For example, in
the user object, the objectClass posixAccount from RFC2307 is
very common. If this is the underlying objectclass, then the
<emphasis>uid</emphasis> field should probably be
<emphasis>uidNumber</emphasis> and
<emphasis>username</emphasis> field either
<emphasis>uid</emphasis> or <emphasis>cn</emphasis>. To
change these two fields, the corresponding entries in the the
Identity Service configuration file are:</para>
<screen><computeroutput>[ldap]
user_id_attribute = uidNumber
user_name_attribute = cn</computeroutput>
</screen>
<para>Depending on your specific deployment,
you can modify a set of allowed actions for each object type. For
example, when users are managed by another tool and you have
only read access, the configuration is:</para>
<screen><computeroutput>[ldap]
<para>Depending on your specific deployment, you can modify a
set of allowed actions for each object type. For example, when
users are managed by another tool and you have only read
access, the configuration is:</para>
<screen><computeroutput>[ldap]
user_allow_create = False
user_allow_update = False
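Review bot: The rewrapped posixAccount paragraph now reads "in the the Identity Service configuration file". The old line break hid the doubled "the", and the new wrap puts both words on one line, so drop one. The sentence "the uid field should probably be uidNumber and username field either uid or cn" is also hard to map onto the keys that follow. Naming `user_id_attribute` and `user_name_attribute` in the prose would make it match the `[ldap]` example.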
@ -451,45 +467,43 @@ role_allow_create = True
role_allow_update = True
role_allow_delete = True</computeroutput>
</screen>
<para>There are some configuration options for filtering
users, tenants and roles, if the backend provides too
much output, the configuration looks as follows:</para>
<screen><computeroutput>[ldap]
<para>There are some configuration options for filtering users,
tenants and roles, if the backend provides too much output,
the configuration looks as follows:</para>
<screen><computeroutput>[ldap]
user_filter = (memberof=CN=openstack-users,OU=workgroups,DC=openstack,DC=com)
tenant_filter =
role_filter =</computeroutput>
</screen>
<para>If the directory server does not have an
attribute enabled of type boolean for the user, you can use
several configuration parameters to extract
the value from an integer attribute, like in Active
Directory:</para>
<screen><computeroutput>[ldap]
<para>If the directory server does not have an attribute enabled
of type boolean for the user, you can use several
configuration parameters to extract the value from an integer
attribute, like in Active Directory:</para>
<screen><computeroutput>[ldap]
user_enabled_attribute = userAccountControl
user_enabled_mask = 2
user_enabled_default = 512</computeroutput>
</screen>
<para>In this case the attribute is an integer and the
enabled attribute is listed in bit 1, so the if the mask
configured <emphasis>user_enabled_mask</emphasis> is
different from 0, it gets the value from the field
<emphasis>user_enabled_attribute</emphasis> and it makes
an ADD operation with the value indicated on
<emphasis>user_enabled_mask</emphasis> and if the value
matches the mask then the account is disabled.</para>
<para>It also saves the value without mask to the user
identity in the attribute
<emphasis>enabled_nomask</emphasis>. This is needed in
order to set it back in case that we must change it to
enable/disable a user because it contains more information
than the status like password expiration. Last setting
<emphasis>user_enabled_mask</emphasis> is needed in order
to create a default value on the integer attribute (512 =
NORMAL ACCOUNT on AD)</para>
<para>In case of Active Directory the classes and attributes
could not match the specified classes in the LDAP module so
you can configure them, as follows:</para>
<screen><computeroutput>[ldap]
<para>In this case the attribute is an integer and the enabled
attribute is listed in bit 1, so the if the mask configured
<emphasis>user_enabled_mask</emphasis> is different from 0,
it gets the value from the field
<emphasis>user_enabled_attribute</emphasis> and it makes an
ADD operation with the value indicated on
<emphasis>user_enabled_mask</emphasis> and if the value
matches the mask then the account is disabled.</para>
<para>It also saves the value without mask to the user identity
in the attribute <emphasis>enabled_nomask</emphasis>. This is
needed in order to set it back in case that we must change it
to enable/disable a user because it contains more information
than the status like password expiration. Last setting
<emphasis>user_enabled_mask</emphasis> is needed in order to
create a default value on the integer attribute (512 = NORMAL
ACCOUNT on AD)</para>
<para>In case of Active Directory the classes and attributes
could not match the specified classes in the LDAP module so
you can configure them, as follows:</para>
<screen><computeroutput>[ldap]
user_objectclass = person
user_id_attribute = cn
user_name_attribute = cn
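Review bot: The `user_enabled_mask` explanation says the code "makes an ADD operation" with the mask, but the test it describes ("if the value matches the mask then the account is disabled") is a bitwise AND, so the wording should be corrected while the paragraph is reflowed. In the same text, "so the if the mask configured" has a stray "the". "Last setting user_enabled_mask is needed in order to create a default value" names the wrong option, since the example above sets `user_enabled_default = 512`.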
@ -510,25 +524,23 @@ role_id_attribute = cn
role_name_attribute = ou
role_member_attribute = roleOccupant
role_attribute_ignore =</computeroutput></screen>
</section>
<section xml:id="reference-for-ldap-config-options">
<title>Reference for LDAP Configuration Options in
keystone.conf</title>
<xi:include href="../common/tables/ldap-keystone-conf.xml"/>
</section>
<section
xml:id="auth-token-middleware-with-username-and-password">
<title>Auth-Token Middleware with Username and
Password</title>
<para>It is also possible to configure the Identity Service's auth_token
middleware using the 'admin_user' and 'admin_password'
options. When using the 'admin_user' and 'admin_password'
options the 'admin_token' parameter is optional. If
'admin_token' is specified, it is used only if the
specified token is still valid.</para>
<para>Here is an example paste config filter that makes use
of the 'admin_user' and 'admin_password' parameters:</para>
<screen><computeroutput>
</section>
<section xml:id="reference-for-ldap-config-options">
<title>Reference for LDAP Configuration Options in
keystone.conf</title>
<xi:include href="../common/tables/ldap-keystone-conf.xml"/>
</section>
<section xml:id="auth-token-middleware-with-username-and-password">
<title>Auth-Token Middleware with Username and Password</title>
<para>It is also possible to configure the Identity Service's
auth_token middleware using the 'admin_user' and
'admin_password' options. When using the 'admin_user' and
'admin_password' options the 'admin_token' parameter is
optional. If 'admin_token' is specified, it is used only if
the specified token is still valid.</para>
<para>Here is an example paste config filter that makes use of
the 'admin_user' and 'admin_password' parameters:</para>
<screen><computeroutput>
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
service_port = 5000
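Review bot: The auth_token paragraph says the 'admin_token' parameter is optional, but the sample filter it introduces sets auth_token (see the context line "auth_token = 012345SECRET99TOKEN012345" in the next hunk header), so a reader cannot tell which option name is correct; make the prose and the sample agree. The option names are also in plain single quotes, while the [ssl] option list later in this file uses <literal>. The sample opens with a line break after <screen><computeroutput>, which renders as a blank first line.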
@ -539,47 +551,53 @@ auth_token = 012345SECRET99TOKEN012345
admin_user = admin
admin_password = keystone123</computeroutput>
</screen>
<note><para>To use this option, an admin
tenant/role relationship is required. The admin user is
granted access to the 'Admin' role on the 'admin' tenant.
</para></note>
</section>
<note>
<para>To use this option, an admin tenant/role relationship is
required. The admin user is granted access to the 'Admin'
role on the 'admin' tenant. </para>
</note>
</section>
</section>
<section xml:id="keystone-ssl">
<title>Configure the Identity Service SSL Support</title>
<para>the Identity Service might be configured to support 2-way SSL
out-of-the-box. The x509 certificates used by the Identity Service must be
obtained externally and configured for use with the Identity Service as
described in this section. However, a set of sample certificates
is provided in the <literal>examples/ssl</literal> directory
with the Identity Service distribution for testing. Here is the
description of each of them and their purpose:</para><itemizedlist>
<listitem>
<para><filename>ca.pem</filename>. Certificate Authority
chain to validate against.</para>
</listitem>
<listitem>
<para><filename>keystone.pem</filename>. Public certificate
for the Identity Service server.</para>
</listitem>
<listitem>
<para><filename>middleware.pem</filename>. Public and
private certificate for the Identity Service middleware/client.</para>
</listitem>
<listitem>
<para><filename>cakey.pem</filename>. Private key for the
CA.</para>
</listitem>
<listitem>
<para><filename>keystonekey.pem</filename>. Private key for
the Identity Service server.</para>
</listitem>
</itemizedlist>
<note><para>You can name these certificates whatever you want, or combine the public/private keys in
the same file if you wish. These certificates are just provided
as an example.</para></note>
<para>the Identity Service might be configured to support 2-way
SSL out-of-the-box. The x509 certificates used by the Identity
Service must be obtained externally and configured for use with
the Identity Service as described in this section. However, a
set of sample certificates is provided in the
<literal>examples/ssl</literal> directory with the Identity
Service distribution for testing. Here is the description of
each of them and their purpose:</para>
<itemizedlist>
<listitem>
<para><filename>ca.pem</filename>. Certificate Authority chain
to validate against.</para>
</listitem>
<listitem>
<para><filename>keystone.pem</filename>. Public certificate
for the Identity Service server.</para>
</listitem>
<listitem>
<para><filename>middleware.pem</filename>. Public and private
certificate for the Identity Service
middleware/client.</para>
</listitem>
<listitem>
<para><filename>cakey.pem</filename>. Private key for the
CA.</para>
</listitem>
<listitem>
<para><filename>keystonekey.pem</filename>. Private key for
the Identity Service server.</para>
</listitem>
</itemizedlist>
<note>
<para>You can name these certificates whatever you want, or
combine the public/private keys in the same file if you wish.
These certificates are just provided as an example.</para>
</note>
<para>To enable SSL with client authentication, modify the
<literal>etc/keystone.conf</literal> file accordingly under
<literal>etc/keystone.conf</literal> file accordingly under
the <literal>[ssl]</literal> section. SSL configuration example
using the included sample certificates:</para>
<screen><computeroutput>[ssl]
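Review bot: The note closing the sample-certificate list says only that the files "are just provided as an example", yet the list includes cakey.pem and keystonekey.pem, private keys that ship in examples/ssl with the distribution. State outright that these are for testing and must be replaced with externally obtained material before deployment. While the paragraph is being reflowed, capitalize "the Identity Service might be configured" and describe middleware.pem as a certificate and private key rather than a "Public and private certificate". The paste sample at the top of the hunk keeps a literal "admin_password = keystone123"; a <replaceable> placeholder would stop readers from copying it.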
@ -598,24 +616,27 @@ cert_required = True</computeroutput></screen>
<para>
<itemizedlist>
<listitem>
<para><literal>enable</literal>. True enables SSL. Defaults to False.</para>
</listitem>
<listitem>
<para><literal>certfile</literal>. Path to the Identity Service public certificate
file.</para>
</listitem>
<listitem>
<para><literal>keyfile</literal>. Path to the Identity Service private certificate file. If
the private key is included in the certfile, the keyfile
may be omitted.</para>
</listitem>
<listitem>
<para><literal>ca_certs</literal>. Path to CA trust chain.</para>
</listitem>
<listitem>
<para><literal>cert_required</literal>. Requires client certificate. Defaults
<para><literal>enable</literal>. True enables SSL. Defaults
to False.</para>
</listitem>
<listitem>
<para><literal>certfile</literal>. Path to the Identity
Service public certificate file.</para>
</listitem>
<listitem>
<para><literal>keyfile</literal>. Path to the Identity
Service private certificate file. If the private key is
included in the certfile, the keyfile may be
omitted.</para>
</listitem>
<listitem>
<para><literal>ca_certs</literal>. Path to CA trust
chain.</para>
</listitem>
<listitem>
<para><literal>cert_required</literal>. Requires client
certificate. Defaults to False.</para>
</listitem>
</itemizedlist>
</para>
</section>
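Review bot: The keyfile entry calls the file the "private certificate file" and then refers to "the private key" in the very next sentence; use "private key file" so the two agree. The cert_required entry says only "Requires client certificate", without saying that the client certificate is checked against the ca_certs chain, which is the relationship a reader enabling 2-way SSL needs spelled out. The <para> wrapped around the itemizedlist adds nothing and could be dropped while the list is being reflowed.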

View File

@ -10,20 +10,24 @@
<title>OpenStack command-line clients</title>
</info>
<xi:include
href="../../openstack-user/src/section_cli_overview.xml"/>
href="../../common/section_cli_overview.xml"/>
<?hard-pagebreak?>
<xi:include
href="../../openstack-user/src/section_cli_install.xml"/>
href="../../common/section_cli_install.xml"/>
<?hard-pagebreak?>
<xi:include href="../../common/section_cli_openrc.xml"/>
<?hard-pagebreak?>
<xi:include
href="../../openstack-user/src/section_cli_version.xml"/>
<?hard-pagebreak?>
<xi:include href="../../openstack-user/src/section_cli_openrc.xml"/>
<?hard-pagebreak?>
<xi:include href="section_keystone_cli_manage_projects_users.xml"/>
href="../../common/section_cli_version.xml"/>
<?hard-pagebreak?>
<xi:include
href="../../common/section_keystone_cli_users_tenants_roles.xml"/>
href="../../common/section_cli_help.xml"/>
<?hard-pagebreak?>
<xi:include
href="section_keystone_cli_manage_projects_users_roles.xml"/>
<?hard-pagebreak?>
<xi:include
href="../../common/section_keystone_cli_services.xml"/>
<?hard-pagebreak?>
<xi:include
href="../../common/section_glance_cli_manage_images.xml"/>
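Review bot: The include of section_keystone_cli_manage_projects_users_roles.xml uses a bare relative href while every other include in this hunk now points at ../../common/. Please confirm the file is added in this guide's own directory by this commit and is not one of the sections moved to common, otherwise the XInclude fails at build time. The old file carried xml:id="admin_cli_manage_projects_users"; if the replacement uses a different id, any xref to the old one needs updating in the same change.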

View File

@ -0,0 +1,181 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_manage_volumes">
<title>Manage volumes</title>
<para>A volume is a detachable block storage device, similar to a
USB hard drive. You can attach a volume to only one instance.
To create and manage volumes, you use a combination of nova
and cinder client commands.</para>
<para>This example creates a volume named
<literal>my-new-volume</literal> based on an image.</para>
<section xml:id="cli_list_volumes"><title>Create a volume</title><procedure>
<step>
<para>List images, and note the ID of the image to use for
your volume:</para>
<screen><prompt>$</prompt> <userinput>nova image-list</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+--------------------------------------+---------------------------------+--------+--------------------------------------+
| ID | Name | Status | Server |
+--------------------------------------+---------------------------------+--------+--------------------------------------+
| 397e713c-b95b-4186-ad46-6126863ea0a9 | cirros-0.3.1-x86_64-uec | ACTIVE | |
| df430cc2-3406-4061-b635-a51c16e488ac | cirros-0.3.1-x86_64-uec-kernel | ACTIVE | |
| 3cf852bd-2332-48f4-9ae4-7d926d50945e | cirros-0.3.1-x86_64-uec-ramdisk | ACTIVE | |
| 7e5142af-1253-4634-bcc6-89482c5f2e8a | myCirrosImage | ACTIVE | 84c6e57d-a6b1-44b6-81eb-fcb36afd31b5 |
| 89bcd424-9d15-4723-95ec-61540e8a1979 | mysnapshot | ACTIVE | f51ebd07-c33d-4951-8722-1df6aa8afaa4 |
+--------------------------------------+---------------------------------+--------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>List the availability zones, and note the ID of the
availability zone in which to create your
volume:</para>
<screen><prompt>$</prompt> <userinput>nova availability-zone-list</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+-----------------------+----------------------------------------+
| Name | Status |
+-----------------------+----------------------------------------+
| internal | available |
| |- devstack-grizzly | |
| | |- nova-conductor | enabled :-) 2013-07-25T16:50:44.000000 |
| | |- nova-consoleauth | enabled :-) 2013-07-25T16:50:44.000000 |
| | |- nova-scheduler | enabled :-) 2013-07-25T16:50:44.000000 |
| | |- nova-cert | enabled :-) 2013-07-25T16:50:44.000000 |
| | |- nova-network | enabled :-) 2013-07-25T16:50:44.000000 |
| nova | available |
| |- devstack-grizzly | |
| | |- nova-compute | enabled :-) 2013-07-25T16:50:39.000000 |
+-----------------------+----------------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create a volume with 8 GBs of space. Specify the
availability zone and image, as follows:</para>
<screen><prompt>$</prompt> <userinput>cinder create 8 --display-name my-new-volume --image-id 397e713c-b95b-4186-ad46-6126863ea0a9 --availability-zone nova</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+---------------------+--------------------------------------+
| Property | Value |
+---------------------+--------------------------------------+
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| created_at | 2013-07-25T17:02:12.472269 |
| display_description | None |
| display_name | my-new-volume |
| id | 573e024d-5235-49ce-8332-be1576d323f8 |
| image_id | 397e713c-b95b-4186-ad46-6126863ea0a9 |
| metadata | {} |
| size | 8 |
| snapshot_id | None |
| source_volid | None |
| status | creating |
| volume_type | None |
+---------------------+--------------------------------------+</computeroutput></screen>
</step>
<step>
<para>To verify that your volume was created successfully,
list the available volumes:</para>
<screen><prompt>$</prompt> <userinput>cinder list</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| 573e024d-5235-49ce-8332-be1576d323f8 | available | my-new-volume | 8 | None | true | |
| bd7cf584-45de-44e3-bf7f-f7b50bf235e3 | available | my-bootable-vol | 8 | None | true | |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+</computeroutput></screen>
<para>If your volume was created successfully, its status
is <literal>available</literal>. If its status is
<literal>error</literal>, you might have
exceeded your quota.</para>
</step>
</procedure>
</section>
<section xml:id="cli_attach_volume"><title>Attach a volume to an instance</title>
<procedure> <step>
<para>Attach your volume to a server:</para>
<screen><prompt>$</prompt> <userinput>nova volume-attach 84c6e57d-a6b1-44b6-81eb-fcb36afd31b5 573e024d-5235-49ce-8332-be1576d323f8 /dev/vdb</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+----------+--------------------------------------+
| Property | Value |
+----------+--------------------------------------+
| device | /dev/vdb |
| serverId | 84c6e57d-a6b1-44b6-81eb-fcb36afd31b5 |
| id | 573e024d-5235-49ce-8332-be1576d323f8 |
| volumeId | 573e024d-5235-49ce-8332-be1576d323f8 |
+----------+--------------------------------------+</computeroutput></screen>
<para>Note the ID of your volume.</para>
</step>
<step>
<para>Show information for your volume:</para>
<screen><prompt>$</prompt> <userinput>cinder show 573e024d-5235-49ce-8332-be1576d323f8</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| attachments | [{u'device': u'/dev/vdb', u'server_id': u'84c6e57d-a6b1-44b6-81eb-fcb36afd31b5', u'id': u'573e024d-5235-49ce-8332-be1576d323f8', u'volume_id': u'573e024d-5235-49ce-8332-be1576d323f8'}] |
| availability_zone | nova |
| bootable | true |
| created_at | 2013-07-25T17:02:12.000000 |
| display_description | None |
| display_name | my-new-volume |
| id | 573e024d-5235-49ce-8332-be1576d323f8 |
| metadata | {} |
| os-vol-host-attr:host | devstack-grizzly |
| os-vol-tenant-attr:tenant_id | 66265572db174a7aa66eba661f58eb9e |
| size | 8 |
| snapshot_id | None |
| source_volid | None |
| status | in-use |
| volume_image_metadata | {u'kernel_id': u'df430cc2-3406-4061-b635-a51c16e488ac', u'image_id': u'397e713c-b95b-4186-ad46-6126863ea0a9', u'ramdisk_id': u'3cf852bd-2332-48f4-9ae4-7d926d50945e', u'image_name': u'cirros-0.3.1-x86_64-uec'} |
| volume_type | None |
+------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+</computeroutput></screen>
<para>The output shows that the volume is attached to the
server with ID
<literal>84c6e57d-a6b1-44b6-81eb-fcb36afd31b5</literal>,
is in the nova availability zone, and is
bootable.</para>
</step>
</procedure></section>
<section xml:id="cli_delete_volumes"><title>Delete a volume</title>
<procedure>
<step>
<para>To delete your volume, you must first detach it from
the server.</para>
<para>To detach the volume from your server, pass the
server ID and volume ID to the command, as
follows:</para>
<screen><prompt>$</prompt> <userinput>nova volume-detach 84c6e57d-a6b1-44b6-81eb-fcb36afd31b5 573e024d-5235-49ce-8332-be1576d323f8</userinput></screen>
<para>The <command>volume-detach</command> command does
not return any output.</para>
</step>
<step>
<para>List volumes:</para>
<screen><prompt>$</prompt> <userinput>cinder list</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| 573e024d-5235-49ce-8332-be1576d323f8 | available | my-new-volume | 8 | None | true | |
| bd7cf584-45de-44e3-bf7f-f7b50bf235e3 | available | my-bootable-vol | 8 | None | true | |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+</computeroutput></screen>
<para>Note that the volume is now available.</para>
</step>
<step>
<para>Now you can delete the volume, as follows:</para>
<screen><prompt>$</prompt> <userinput>cinder delete my-new-volume</userinput></screen>
<para>The delete command does not return any
output.</para>
</step>
<step>
<para>List the volumes again, and note that the status of
your volume is <literal>deleting</literal>:</para>
<screen><prompt>$</prompt> <userinput>cinder list</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| 573e024d-5235-49ce-8332-be1576d323f8 | deleting | my-new-volume | 8 | None | true | |
| bd7cf584-45de-44e3-bf7f-f7b50bf235e3 | available | my-bootable-vol | 8 | None | true | |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+</computeroutput></screen>
<para>When the volume is fully deleted, it disappears from
the list of volumes:</para>
<screen><prompt>$</prompt> <userinput>cinder list</userinput></screen>
<screen><?db-font-size 65%?><computeroutput>+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| ID | Status | Display Name | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+
| bd7cf584-45de-44e3-bf7f-f7b50bf235e3 | available | my-bootable-vol | 8 | None | true | |
+--------------------------------------+-----------+-----------------+------+-------------+----------+-------------+</computeroutput></screen>
</step>
</procedure></section>
</section>
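Review bot: The section titled "Create a volume" has xml:id="cli_list_volumes", which does not match its content and will mislead anyone linking to it; an id such as cli_create_volume would follow the pattern of cli_attach_volume and cli_delete_volumes. The second step asks the reader to "note the ID of the availability zone", but the nova availability-zone-list output has only Name and Status columns and the cinder create command passes the name (nova), so the step should say name. The cinder create output shows "bootable | false" while the following cinder list shows true for the same volume; a sentence explaining the change or consistent sample output would avoid confusion. "Note the ID of your volume" after volume-attach comes late, since the ID was already needed to run that command.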

View File

@ -0,0 +1,113 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="cli_set_block_storage_quotas"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Manage Block Storage service quotas</title>
<para>As an administrative user, you can update the Block Storage
service quotas for a project. You can also update the quota
defaults for a new project.</para>
<para>
<table rules="all">
<caption>Block Storage quotas</caption>
<col width="20%"/>
<col width="80%"/>
<thead>
<tr>
<td>Property name</td>
<td>Defines the number of</td>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>gigabytes</para>
</td>
<td>
<para>Volume gigabytes allowed for each
tenant.</para>
</td>
</tr>
<tr>
<td>
<para>snapshots</para>
</td>
<td>
<para>Volume snapshots allowed for each
tenant.</para>
</td>
</tr>
<tr>
<td>
<para>volumes</para>
</td>
<td>
<para>Volumes allowed for each tenant.</para>
</td>
</tr>
</tbody>
</table>
</para>
<section xml:id="cli_set_block_storage_quotas_procedure">
<title>View and update Block Storage quotas</title>
<para>As an administrative user, you can view and update Block
Storage quotas.</para>
<procedure>
<step>
<para>List the default quotas for all projects, as
follows:</para>
<screen><prompt>$</prompt> <userinput>cinder quota-defaults</userinput></screen>
<screen><computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 10 |
+-----------+-------+</computeroutput></screen>
</step>
<step>
<para>To update a default value for a new project,
update the property in the
<filename>/etc/cinder/cinder.conf</filename>
file.</para>
</step>
<step>
<para>View Block Storage quotas for a project, as
follows:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-show <replaceable>TENANT_NAME</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-show tenant01</userinput></screen>
<screen><computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 10 |
+-----------+-------+</computeroutput></screen>
</step>
<step>
<para>To update Block Storage service quotas, place
the tenant ID in a usable variable, as
follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>Update a particular quota value, as
follows:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-update --<replaceable>quotaName</replaceable> <replaceable>NewValue</replaceable> <replaceable>tenantID</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-update --volumes 15 $tenant</userinput></screen>
<screen><prompt>#</prompt> <userinput>cinder quota-show tenant01</userinput></screen>
<screen><computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 15 |
+-----------+-------+</computeroutput></screen>
</step>
</procedure>
</section>
</section>
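Review bot: The step that sets the tenant variable uses awk '/tenantName/ {print $2}', which is a regular-expression match against the whole output line, not an equality test on the name column. A name that is a substring of another tenant's name (or that appears in an ID) yields several IDs in $tenant, and the following cinder quota-update then runs against the wrong or an ambiguous target. Suggest comparing the name column for equality and telling the reader to check that exactly one ID came back. The prompts are also inconsistent: quota-defaults and the variable assignment use $, quota-show and quota-update use #, although all are run as an administrative user rather than as root, and the placeholders mix TENANT_NAME with tenantName, NewValue and tenantID.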

View File

@ -1,136 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
<!ENTITY plusmn "&#xB1;">
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_set_block_storage_quotas">
<title>Set Block Storage quotas</title>
<para>As an administrative user, you can update
the Block Storage Service quotas for a tenant,
as well as update the quota defaults for a new tenant.
</para>
<para>
<table rules="all">
<caption>Block Storage Quota Descriptions</caption>
<col width="20%"/>
<col width="80%"/>
<thead>
<tr>
<td>
Property Name
</td>
<td>
Description
</td>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>
gigabytes
</para>
</td>
<td>
<para>
Number of volume gigabytes allowed per tenant.
</para>
</td>
</tr>
<tr>
<td>
<para>
snapshots
</para>
</td>
<td>
<para>
Number of Block Storage snapshots allowed per tenant.
</para>
</td>
</tr>
<tr>
<td>
<para>
volumes
</para>
</td>
<td>
<para>
Number of Block Storage volumes allowed per tenant.
</para>
</td>
</tr>
</tbody>
</table>
</para>
<section xml:id="cli_set_block_storage_quotas_procedure">
<title>View and update Block Storage quotas for a tenant (project)</title>
<para>As an administrative user, you can use the <command>cinder quota-*</command>
commands, which are provided by the <literal>python-cinderclient</literal>
package, to view and update tenant quotas.</para>
<procedure>
<title>To view and update default Block Storage quota values</title>
<step>
<para>List all default quotas for all tenants, as follows:</para>
<screen><prompt>$</prompt> <userinput>cinder quota-defaults</userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>cinder quota-defaults</userinput>
<computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 10 |
+-----------+-------+</computeroutput></screen>
</step>
<step>
<para>To update a default value for a new tenant, update the property
in the <filename>/etc/cinder/cinder.conf</filename> file.
</para>
</step>
</procedure>
<procedure>
<title>To view Block Storage quotas for a tenant</title>
<step>
<para>View quotas for the tenant, as follows:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-show <replaceable>tenantName</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-show tenant01</userinput>
<computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 10 |
+-----------+-------+</computeroutput></screen>
</step>
</procedure>
<procedure>
<title>To update Compute service quotas</title>
<step><para>Place the tenant ID in a useable variable, as follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>Update a particular quota value, as follows:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-update --<replaceable>quotaName</replaceable> <replaceable>NewValue</replaceable> <replaceable>tenantID</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-update --volumes 15 $tenant</userinput>
<prompt>#</prompt> <userinput>cinder quota-show tenant01</userinput>
<computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 15 |
+-----------+-------+</computeroutput></screen>
</step>
</procedure>
</section>
</section>

View File

@ -1,347 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
<!ENTITY plusmn "&#xB1;">
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="cli_set_compute_quotas">
<title>Set Compute Service Quotas</title>
<para>As an administrative user, you can update the Compute Service quotas
for a tenant, as well as update the quota defaults for a new tenant.
</para>
<table rules="all">
<caption>Compute Quota Descriptions</caption>
<col width="20%"/>
<col width="45%"/>
<col width="35%"/>
<thead>
<tr>
<td>
Quota
</td>
<td>
Description
</td>
<td>
Property Name
</td>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>
Fixed Ips
</para>
</td>
<td>
<para>
Number of fixed IP addresses allowed per tenant. This number
must be equal to or greater than the number of allowed
instances.
</para>
</td>
<td>
<para>
<systemitem>fixed-ips</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Floating Ips
</para>
</td>
<td>
<para>
Number of floating IP addresses allowed per tenant.
</para>
</td>
<td>
<para>
<systemitem>floating-ips</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Injected File Content Bytes
</para>
</td>
<td>
<para>
Number of content bytes allowed per injected file.
</para>
</td>
<td>
<para>
<systemitem>injected-file-content-bytes</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Injected File Path Bytes
</para>
</td>
<td>
<para>
Number of bytes allowed per injected file path.
</para>
</td>
<td>
<para>
<systemitem>injected-file-path-bytes</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Injected Files
</para>
</td>
<td>
<para>
Number of injected files allowed per tenant.
</para>
</td>
<td>
<para>
<systemitem>injected-files</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Instances
</para>
</td>
<td>
<para>
Number of instances allowed per tenant.
</para>
</td>
<td>
<para>
<systemitem>instances</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Key Pairs
</para>
</td>
<td>
<para>
Number of key pairs allowed per user.
</para>
</td>
<td>
<para>
<systemitem>key-pairs</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Metadata Items
</para>
</td>
<td>
<para>
Number of metadata items allowed per instance.
</para>
</td>
<td>
<para>
<systemitem>metadata-items</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Ram
</para>
</td>
<td>
<para>
Megabytes of instance ram allowed per tenant.
</para>
</td>
<td>
<para>
<systemitem>ram</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Security Group Rules
</para>
</td>
<td>
<para>
Number of rules per security group.
</para>
</td>
<td>
<para>
<systemitem>security-group-rules</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
Security Groups
</para>
</td>
<td>
<para>
Number of security groups per tenant.
</para>
</td>
<td>
<para>
<systemitem>security-groups</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>
VCPUs
</para>
</td>
<td>
<para>
Number of instance cores allowed per tenant.
</para>
</td>
<td>
<para>
<systemitem>cores</systemitem>
</para>
</td>
</tr>
</tbody>
</table>
<section xml:id="cli_set_compute_quotas_procedure">
<title>View and update quotas for a tenant (project)</title>
<para>As an administrative user, you can use the <command>nova quota-*</command>
commands, which are provided by the <literal>python-novaclient</literal>
package, to view and update tenant quotas.</para>
<procedure>
<title>To view and update default quota values</title>
<step>
<para>List all default quotas for all tenants, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-defaults</userinput></screen>
<para>For example:
</para>
<screen><prompt>$</prompt> <userinput>nova quota-defaults</userinput>
<computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 10 |
| key_pairs | 100 |
| instances | 10 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
</step>
<step>
<para>To update a default value for a new tenant, update the
<literal>default</literal> property in the
<filename>/etc/nova/nova.conf</filename> file, as
follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-class-update default <replaceable>key</replaceable> <replaceable>value</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova quota-class-update default instances 15</userinput></screen>
</step>
</procedure>
<procedure>
<title>To view quota values for a tenant (project)</title>
<step><para>Place the tenant ID in a usable variable, as follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>List the currently set quota values for a
tenant, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-show --tenant $tenant</userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova quota-show --tenant $tenant</userinput>
<computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 12 |
| key_pairs | 100 |
| instances | 10 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
</step>
</procedure>
<procedure>
<title>To update quota values for a tenant (project)</title>
<step><para>Obtain the tenant ID, as follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>Update a particular quota value, as follows:</para>
<screen><prompt>#</prompt> <userinput>nova quota-update --<replaceable>quotaName</replaceable> <replaceable>quotaValue</replaceable> <replaceable>tenantID</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>nova quota-update --floating-ips 20 $tenant
<prompt>#</prompt> nova quota-show --tenant $tenant</userinput>
<computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 20 |
| key_pairs | 100 |
| instances | 10 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
<note>
<para>To view a list of options for the
<command>quota-update</command> command, run:
</para>
<screen><prompt>$</prompt> <userinput>nova help quota-update</userinput></screen></note>
</step>
</procedure>
</section>
</section>
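Review bot: The tenant lookup `awk '/tenantName/ {print $2}'`, used in both the view and the update procedure, matches the name as a substring anywhere on the row, so `$tenant` can end up holding more than one ID before it is passed to `nova quota-update`. The tenant-list output elsewhere in this commit has both `demo` and `alt_demo`, which is exactly that case. Suggest matching the name column exactly, for example `awk '$4 == "tenantName" {print $2}'`, or telling the reader to confirm that `$tenant` holds a single ID before updating. Separately, the update example nests `<prompt>#</prompt>` inside `<userinput>`, and the update steps use a `#` prompt while the lookup uses `$`; pick one prompt and close `<userinput>` before the second command.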

View File

@ -1,185 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="admin_cli_manage_projects_users">
<title>Manage projects and users</title>
<para>In an OpenStack cloud, you can manage projects and users
independently from each other.</para>
<para>Projects represent different organizational units in the
cloud to which you can assign users.</para>
<para>Cloud admin users perform both project and user management
tasks.</para>
<para>During the basic system set up, the cloud operator must
define at least one project, user, and role. The operator
links the role to the user and the user to the project. Roles
define which actions users can perform.</para>
<para>The <filename>python-keystoneclient</filename> provides the
keystone command-line client, which you use to manage projects
and users from any machine outside the cloud. Before you can
run commands, you must download and source an OpenStack RC
file. See <xref linkend="cli_openrc"/>.</para>
<note>
<title>Administrator credentials</title>
<para>To administer projects and users, you must have
administrator credentials. Make sure to download and
source the OpenStack RC file as administrator before you
run keystone commands. Alternatively, export the
respective environment variables by using the token or
password authentication method. For details, see <link
xlink:href="http://docs.openstack.org/essex/openstack-compute/admin/content/adding-users-tenants-and-roles-with-python-keystoneclient.html"
>http://docs.openstack.org/essex/openstack-compute/admin/content/adding-users-tenants-and-roles-with-python-keystoneclient.html</link>.</para>
</note>
<section xml:id="admin_cli_projects">
<title>Create and manage projects</title>
<procedure>
<title>To list all projects</title>
<step>
<para>To list all projects with their ID, name, and
whether they are enabled or not, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create a project</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name PROJECT_NAME </userinput></screen>
<para>Creates a new project with the specified name.
</para>
</step>
</procedure>
<procedure>
<title>To temporarily disable a project</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone tenant-update PROJECT_ID --enabled false</userinput></screen>
<!-- <para>For the details of the impact, see <xref
linkend="dashboard_manage_projects_users"/>.
</para>-->
</step>
</procedure>
<procedure>
<title>To delete a project</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone tenant-delete PROJECT_ID </userinput></screen>
<para>Deletes the specified project.</para>
</step>
</procedure>
</section>
<section xml:id="admin_cli_user_accounts">
<title>Create and manage user accounts</title>
<procedure>
<title>To list all users</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<para>Lists all user accounts with their ID, name,
e-mail address, and the information if they are
enabled or not.</para>
</step>
</procedure>
<procedure>
<title>To create a user account</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-create --name USER_NAME --tenant_id PROJECT_ID --pass PRELIM_PASSWD</userinput></screen>
<para>Creates a new user with the specified name.
While the only required argument is --name, at
least specify the optional parameters --tenant_id
and --pass. Otherwise the newly created user
cannot log in to the SUSE Cloud Dashboard.</para>
</step>
</procedure>
<procedure>
<title>To temporarily disable a user account</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-update USER_ID --enabled false</userinput></screen>
<para>If you disable a user account, the user can no
longer log in, but his data is kept so that the
account can be re-enabled at any time.</para>
</step>
</procedure>
<procedure>
<title>To delete a user account</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-delete USER_ID </userinput></screen>
<para>Deletes the specified user account.</para>
</step>
</procedure>
</section>
<section xml:id="admin_cli_roles">
<title>Create and manage roles</title>
<para>Roles define the actions that the user is allowed to
perform. Configure roles in OpenStack Identity (Keystone).
Actions are defined per OpenStack service in the
respective /etc/[SERVICE_CODENAME]/policy.json file, for
example in /etc/nova/policy.json for the Compute (Nova)
service.</para>
<procedure>
<title>To list all roles</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
<para>Lists all roles with their ID and name.</para>
</step>
</procedure>
<procedure>
<title>To create a role</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone role-create --name=ROLE_NAME </userinput></screen>
<para>Creates a role with the specified name.</para>
</step>
</procedure>
<procedure>
<title>To delete a role</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone role-delete ROLE_ID </userinput></screen>
<para>Deletes the specified role.</para>
</step>
</procedure>
</section>
<section xml:id="admin_cli_modify_projects">
<title>Modify user assignments for a project</title>
<para>Whereas each user is assigned to a primary project when
his user account is created, users can be members of
multiple projects. The keystone client does not allow to
directly assign users to additional projects. Instead you
need to define a role and grant that role to a
user-project pair.</para>
<procedure>
<title>To modify user assignments for a project</title>
<step>
<para>On a shell, source the OpenStack RC file. For
details, refer to <link
xlink:href="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_cli_rc.html"
>OpenStack RC File</link>.</para>
</step>
<step>
<para>Check if there is already a member role defined:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
</step>
<step>
<para>If not, create it:</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name=member</userinput></screen>
</step>
<step>
<para>To grant the role to a user-project pair (and to
thus assign a user to this project), you need to
know the IDs of the role, the user, and the
project. You can look them up with keystone
role-list, keystone user-list, and keystone
tenant-list.</para>
</step>
<step>
<para>To grant the user membership of a project:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --role-id=ROLE_ID --tenant_id=TENANT_ID \
--user_id=USER_ID</userinput></screen>
</step>
<step>
<para>To assign the user to multiple projects, repeat
the last step.</para>
</step>
<step>
<para>To verify the assignments, use:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user_id=USER_ID --tenant_id=TENANT_ID </userinput></screen>
</step>
</procedure>
</section>
</section>
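Review bot: Removing this file drops the "Administrator credentials" note, and the replacement text only says to download and source an OpenStack RC file before running keystone client commands. Suggest carrying over one sentence stating that the RC file must be sourced as an administrator, since the removed note says administrator credentials are required to administer projects and users. The removed link pointed at Essex-era documentation, so dropping the link itself is fine.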

View File

@ -0,0 +1,312 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="admin_cli_manage_projects_users">
<?dbhtml stop-chunking?>
<title>Manage projects, users, and roles</title>
<para>As a cloud administrator, you manage projects, users, and
roles. Projects are organizational units in the cloud to which
you can assign users. Projects are also known as <emphasis
role="italic">tenants</emphasis> or <emphasis
role="italic">accounts</emphasis>. Users can be members of
one or more projects. Roles define which actions users can
perform. You assign roles to user-project pairs.</para>
<para>You can define actions for OpenStack service roles in the
<filename>/etc/<replaceable>PROJECT</replaceable>/policy.json</filename>
files. For example, define actions for Compute service roles
in the <filename>/etc/nova/policy.json</filename> file.</para>
<para>You can manage projects, users, and roles independently from
each other.</para>
<para>During cloud set up, the operator defines at least one
project, user, and role.</para>
<para>Learn how to add, update, and delete projects and users,
assign users to one or more projects, and change or remove the
assignment. To enable or temporarily disable a project or
user, you update that project or user. You can also change
quotas at the project level.</para>
<para>Before you can delete a user account, you must remove the
user account from its primary project.</para>
<para>Before you can run keystone client commands, you must
download and source an OpenStack RC file. See <xref
linkend="cli_openrc"/>.</para>
<section xml:id="admin_cli_projects">
<title>Create a project</title>
<procedure>
<step>
<para>To list all projects with their ID, name, and
whether they are enabled or disabled:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
<screen><computeroutput>+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| f7ac731cc11f40efbc03a9f9e1d1d21f | admin | True |
| c150ab41f0d9443f8874e32e725a4cc8 | alt_demo | True |
| a9debfe41a6d4d09a677da737b907d5e | demo | True |
| 9208739195a34c628c58c95d157917d7 | invisible_to_admin | True |
| 3943a53dc92a49b2827fae94363851e1 | service | True |
| 80cab5e1f02045abad92a2864cfd76cb | test_project | True |
+----------------------------------+--------------------+---------+</computeroutput></screen>
</step>
<step>
<para>Create a project named
<literal>new-project</literal>:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name new-project --description 'my new project'</userinput></screen>
<para>By default, the project is enabled.</para>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | my new project |
| enabled | True |
| id | 1a4a0618b306462c9830f876b0bd6af2 |
| name | new-project |
+-------------+----------------------------------+</computeroutput></screen>
<para>Note the ID for the project so you can update it
in the next procedure.</para>
</step>
</procedure>
</section>
<section xml:id="cli_update_project">
<title>Update a project</title>
<para>Specify the project ID to update a project. You can
update the name, description, and enabled status of a
project.</para>
<procedure>
<step>
<para>To temporarily disable a project:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update <replaceable>PROJECT_ID</replaceable> --enabled false</userinput></screen>
</step>
<step>
<para>To enable a disabled project:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update <replaceable>PROJECT_ID</replaceable> --enabled true</userinput></screen>
</step>
<step>
<para>To update the name of a project:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update <replaceable>PROJECT_ID</replaceable> --name project-new</userinput></screen>
</step>
<step>
<para>To verify your changes, show information for the
updated project:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-get <replaceable>PROJECT_ID</replaceable></userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | my new project |
| enabled | True |
| id | 1a4a0618b306462c9830f876b0bd6af2 |
| name | project-new |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_project_delete">
<title>Delete a project</title>
<procedure>
<step>
<para>To delete a project:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-delete <replaceable>PROJECT_ID</replaceable></userinput></screen>
</step>
</procedure>
</section>
<section xml:id="admin_cli_user_accounts">
<title>Create a user</title>
<procedure>
<step>
<para>To list all users:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<para>The output shows the ID, name, enabled status,
and e-mail address for each user:</para>
<screen><computeroutput>+----------------------------------+----------+---------+----------------------+
| id | name | enabled | email |
+----------------------------------+----------+---------+----------------------+
| 352b37f5c89144d4ad0534139266d51f | admin | True | admin@example.com |
| 86c0de739bcb4802b8dc786921355813 | demo | True | demo@example.com |
| 32ec34aae8ea432e8af560a1cec0e881 | glance | True | glance@example.com |
| 7047fcb7908e420cb36e13bbd72c972c | nova | True | nova@example.com |
+----------------------------------+----------+---------+----------------------+</computeroutput></screen>
</step>
<step>
<para>To create a user, you must specify a name.
Optionally, you can specify a tenant ID, password,
and email address. It is recommended that you
include the tenant ID and password because the
user cannot log in to the dashboard without this
information.</para>
<para>To create the <literal>new-user</literal>
user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name new-user --tenant_id 1a4a0618b306462c9830f876b0bd6af2 --pass <replaceable>PASSWORD</replaceable></userinput></screen>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 6e5140962b424cb9814fb172889d3be2 |
| name | new-user |
| tenantId | 1a4a0618b306462c9830f876b0bd6af2 |
+----------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_update_user">
<title>Update a user</title>
<para>You can update the name, email address, and enabled
status for a user.</para>
<procedure>
<step>
<para>To temporarily disable a user account:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update <replaceable>USER_ID</replaceable> --enabled false</userinput></screen>
<para>If you disable a user account, the user cannot
log in to the dashboard. However, data for the
user account is maintained, so you can enable the
user at any time.</para>
</step>
<step>
<para>To enable a disabled user account:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update <replaceable>USER_ID</replaceable> --enabled true</userinput></screen>
</step>
<step>
<para>To change the name and description for a user
account:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update <replaceable>USER_ID</replaceable> --name user-new --email new-user@example.com</userinput></screen>
<screen><computeroutput>User has been updated.</computeroutput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_delete_user">
<title>Delete a user</title>
<procedure>
<step>
<para>To delete a specified user account:</para>
<screen><prompt>$</prompt> <userinput>keystone user-delete <replaceable>USER_ID</replaceable></userinput></screen>
</step>
</procedure>
</section>
<section xml:id="admin_cli_modify_projects">
<title>Create and assign a role</title>
<para>Users can be members of multiple projects. To assign
users to multiple projects, define a role and assign that
role to a user-project pair.</para>
<procedure>
<step>
<para>To list the available roles:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
<screen><computeroutput>+----------------------------------+---------------+
| id | name |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f | Member |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ecf391421604da985db2f141e46a7c8 | admin |
| deb4fffd123c4d02a907c2c74559dccf | anotherrole |
+----------------------------------+---------------+</computeroutput></screen>
</step>
<step>
<para>To create the <literal>new-role</literal>
role:</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name new-role</userinput></screen>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | bef1f95537914b1295da6aa038ef4de6 |
| name | new-role |
+----------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>To assign a user to a project, you must assign
the role to a user-project pair. To do this, you
need the user, role, and project IDs.</para>
<substeps>
<step>
<para>To list users:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<screen><computeroutput>+----------------------------------+----------+---------+----------------------+
| id | name | enabled | email |
+----------------------------------+----------+---------+----------------------+
| 352b37f5c89144d4ad0534139266d51f | admin | True | admin@example.com |
| 981422ec906d4842b2fc2a8658a5b534 | alt_demo | True | alt_demo@example.com |
| 036e22a764ae497992f5fb8e9fd79896 | cinder | True | cinder@example.com |
| 86c0de739bcb4802b8dc786921355813 | demo | True | demo@example.com |
| 32ec34aae8ea432e8af560a1cec0e881 | glance | True | glance@example.com |
| 7047fcb7908e420cb36e13bbd72c972c | nova | True | nova@example.com |
+----------------------------------+----------+---------+----------------------+</computeroutput></screen>
<para>Note the ID of the user to which you
want to assign the role.</para>
</step>
<step>
<para>To list role IDs:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
<screen><computeroutput>+----------------------------------+---------------+
| id | name |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f | Member |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 6ecf391421604da985db2f141e46a7c8 | admin |
| deb4fffd123c4d02a907c2c74559dccf | anotherrole |
| bef1f95537914b1295da6aa038ef4de6 | new-role |
+----------------------------------+---------------+</computeroutput></screen>
<para>Note the ID of the role that you want to
assign.</para>
</step>
<step>
<para>To list projects:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
<screen><computeroutput>+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| f7ac731cc11f40efbc03a9f9e1d1d21f | admin | True |
| c150ab41f0d9443f8874e32e725a4cc8 | alt_demo | True |
| a9debfe41a6d4d09a677da737b907d5e | demo | True |
| 9208739195a34c628c58c95d157917d7 | invisible_to_admin | True |
| caa9b4ce7d5c4225aa25d6ff8b35c31f | new-user | True |
| 1a4a0618b306462c9830f876b0bd6af2 | project-new | True |
| 3943a53dc92a49b2827fae94363851e1 | service | True |
| 80cab5e1f02045abad92a2864cfd76cb | test_project | True |
+----------------------------------+--------------------+---------+</computeroutput></screen>
<para>Note the ID of the project to which you
want to assign the role.</para>
</step>
</substeps>
</step>
<step>
<para>Assign a role to a user-project pair. In this
example, you assign the
<literal>new-role</literal> role to the
<literal>demo</literal> and
<literal>test-project</literal> pair:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user <replaceable>USER_ID</replaceable> --role <replaceable>ROLE_ID</replaceable> --tenant <replaceable>TENANT_ID</replaceable></userinput></screen>
</step>
<step>
<para>To verify the role assignment:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user <replaceable>USER_ID</replaceable> --tenant <replaceable>TENANT_ID</replaceable></userinput></screen>
<screen><computeroutput>+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| bef1f95537914b1295da6aa038ef4de6 | new-role | 86c0de739bcb4802b8dc786921355813 | 80cab5e1f02045abad92a2864cfd76cb |
+----------------------------------+----------+----------------------------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>To get details for a specified role:</para>
<screen><prompt>$</prompt> <userinput>keystone role-get <replaceable>ROLE_ID</replaceable></userinput></screen>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | bef1f95537914b1295da6aa038ef4de6 |
| name | new-role |
+----------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>To remove a role from a user-project
pair:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-remove --user <replaceable>USER_ID</replaceable> --role <replaceable>ROLE_ID</replaceable> --tenant <replaceable>TENANT_ID</replaceable></userinput></screen>
</step>
<step>
<para>To verify the role removal, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user <replaceable>USER_ID</replaceable> --tenant <replaceable>TENANT_ID</replaceable></userinput></screen>
<para>If the role was removed, the
command output omits the removed role.</para>
</step>
</procedure>
</section>
</section>
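Review bot: In "Create and assign a role", the step text assigns `new-role` to the `demo` and `test-project` pair, but the tenant-list output in this file spells the project `test_project`, and the verification output shows that project's ID (80cab5e1f02045abad92a2864cfd76cb); fix the name so readers can match it against the listing. In "Update a user", the step says "name and description" while the command sets `--name` and `--email`. The introduction states that a user account must be removed from its primary project before it can be deleted, yet "Delete a user" shows only `keystone user-delete`; show how to do the removal or reconcile the two. In "Create a user", `--pass PASSWORD` on the command line leaves the password in shell history and in the process list, which deserves a sentence next to the example.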

View File

@ -10,19 +10,20 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_set_quotas">
<title>Set quotas</title>
<?dbhtml stop-chunking?>
<title>Manage quotas</title>
<para>To prevent system capacities from being exhausted without
notification, you can set up quotas. Quotas are operational
limits. For example, the number of gigabytes allowed per tenant
can be controlled so that cloud resources are optimized. Quotas
are currently enforced at the tenant (or project) level, rather
than by user.</para>
limits. For example, the number of gigabytes allowed for each
tenant can be controlled so that cloud resources are optimized.
Quotas are currently enforced at the tenant (or project) level,
rather than by user.</para>
<para>Using the command-line interface, you can manage quotas for
the OpenStack Compute Service and the Block Storage Service.</para>
<para>Typically, default values are changed because a tenant
requires more than 10 volumes, or more than 1TB on a Compute node.</para>
<note>
<para>To view all tenants, run:
<para>To view all projects:
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput>
<computeroutput>+----------------------------------+----------+---------+
| id | name | enabled |
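Review bot: The note now reads "To view all projects:" while the surrounding paragraphs in this hunk still say "tenant" ("allowed for each tenant", "a tenant requires more than 10 volumes") and the command is `keystone tenant-list`. Either keep "tenants" here or rely on the "tenant (or project)" wording from the first paragraph and switch the rest of the section to match. The `<screen>` is also still nested inside the `<para>` of the note; since the line is being touched anyway, consider moving it out.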
@ -34,123 +35,6 @@
+----------------------------------+----------+---------+</computeroutput></screen>
</para>
</note>
<xi:include href="section_cli_set_compute_quotas.xml"/>
<section xml:id="cli_set_block_storage_quotas">
<title>Set Block Storage quotas</title>
<para>As an administrative user, you can update the Block Storage
Service quotas for a tenant, as well as update the quota
defaults for a new tenant.</para>
<para>
<table rules="all">
<caption>Block Storage Quota Descriptions</caption>
<col width="20%"/>
<col width="80%"/>
<thead>
<tr>
<td>Property Name</td>
<td>Description</td>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>gigabytes</para>
</td>
<td>
<para>Number of volume gigabytes allowed per tenant.
</para>
</td>
</tr>
<tr>
<td>
<para>snapshots</para>
</td>
<td>
<para>Number of Block Storage snapshots allowed per
tenant.</para>
</td>
</tr>
<tr>
<td>
<para>volumes</para>
</td>
<td>
<para>Number of Block Storage volumes allowed per
tenant.</para>
</td>
</tr>
</tbody>
</table>
</para>
<section xml:id="cli_set_block_storage_quotas_procedure">
<title>View and update Block Storage quotas for a tenant
(project)</title>
<para>As an administrative user, you can use the <command>cinder
quota-*</command> commands, which are provided by the
<literal>python-cinderclient</literal> package, to view and
update tenant quotas.</para>
<procedure>
<title>To view and update default Block Storage quota
values</title>
<step>
<para>List all default quotas for all tenants, as
follows:</para>
<screen><prompt>$</prompt> <userinput>cinder quota-defaults</userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>cinder quota-defaults</userinput>
<computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 10 |
+-----------+-------+</computeroutput></screen>
</step>
<step>
<para>To update a default value for a new tenant, update the
property in the
<filename>/etc/cinder/cinder.conf</filename> file.
</para>
</step>
</procedure>
<procedure>
<title>To view Block Storage quotas for a tenant</title>
<step>
<para>View quotas for the tenant, as follows:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-show <replaceable>tenantName</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-show tenant01</userinput>
<computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 10 |
+-----------+-------+</computeroutput></screen>
</step>
</procedure>
<procedure>
<title>To update Compute service quotas</title>
<step>
<para>Place the tenant ID in a usable variable, as
follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>Update a particular quota value, as follows:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-update --<replaceable>quotaName</replaceable> <replaceable>NewValue</replaceable> <replaceable>tenantID</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>#</prompt> <userinput>cinder quota-update --volumes 15 $tenant</userinput>
<prompt>#</prompt> <userinput>cinder quota-show tenant01</userinput>
<computeroutput>+-----------+-------+
| Property | Value |
+-----------+-------+
| gigabytes | 1000 |
| snapshots | 10 |
| volumes | 15 |
+-----------+-------+</computeroutput></screen>
</step>
</procedure>
</section>
</section>
<xi:include href="section_nova_cli_quotas.xml"/>
<xi:include href="section_cinder_cli_quotas.xml"/>
</section>
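Review bot: Moving the Block Storage section out to `section_cinder_cli_quotas.xml` removes the inline ids `cli_set_block_storage_quotas` and `cli_set_block_storage_quotas_procedure` from this file; any `xref linkend` that targets them breaks unless the new file keeps the same ids, so please confirm. The removed procedure titled "To update Compute service quotas" actually ran `cinder quota-update`, and its example updated `$tenant` but then showed `cinder quota-show tenant01`; check that neither slip was copied into the new file.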

View File

@ -3,6 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_manage_flavors">
<?dbhtml stop-chunking?>
<title>Manage flavors</title>
<para>In OpenStack, flavors define the compute, memory, and
storage capacity of nova computing instances. To put it
@ -10,7 +11,7 @@
for a server. It defines the <quote>size</quote> of a
virtual server that can be launched.</para>
<para>A flavor consists of the following parameters:</para>
<variablelist> <title>Flavor parameters</title>
<variablelist>
<varlistentry>
<term>Flavor ID</term>
<listitem>
@ -63,7 +64,7 @@
</listitem>
</varlistentry>
</variablelist>
<para>Default Flavors</para>
<para>The default flavors are:</para>
<itemizedlist>
<listitem>
<para>m1.tiny (1 VCPU/0 GB Disk/512 MB RAM)</para>
@ -84,36 +85,30 @@
<para>m1.xlarge (8 VCPU/10 GB Disk/8192 MB RAM)</para>
</listitem>
</itemizedlist>
<para>You can manage flavors with the nova
<para>You can create and manage flavors with the nova
<command>flavor-*</command> commands provided by the
<filename>python-novaclient</filename> package.</para>
<procedure>
<title>To list flavors</title>
<section xml:id="cli_create_flavor"><title>Create flavors</title><procedure>
<step>
<para>When you list flavors, the list shows the ID and name,
<para>List flavors to show the ID and name,
the amount of memory, the amount of disk space
for the root partition and for the ephemeral
partition, the swap, and the number of virtual
CPUs for each flavor.</para>
<screen><prompt>$</prompt> <userinput>nova flavor-list</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create a flavor</title>
</step>
<step>
<para>If the flavor you want does not exist, you can create a flavor.</para>
<para>When you create a flavor, you must specify
the flavor name, ID, RAM size, disk size, and the
number of VCPUs. For optional parameters, see nova
<command>help</command>
<command>flavor-create</command>.</para>
<screen><prompt>$</prompt> <userinput>nova flavor-create FLAVOR_NAME FLAVOR_ID RAM_IN_MB ROOT_DISK_IN_GB NUMBER_OF_VCPUS</userinput></screen>
</step>
</procedure>
<procedure>
<title>To delete a flavor</title>
<step>
<para>Delete a specified flavor, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova flavor-delete FLAVOR_ID</userinput></screen>
</step>
</procedure>
the flavor name, ID, RAM size, disk size, and the
number of VCPUs. </para>
<screen><prompt>$</prompt> <userinput>nova flavor-create <replaceable>FLAVOR_NAME</replaceable> <replaceable>FLAVOR_ID</replaceable> <replaceable>RAM_IN_MB ROOT_DISK_IN_GB</replaceable> <replaceable>NUMBER_OF_VCPUS</replaceable></userinput></screen>
<para>For a list of optional parameters, run the following command:</para> <screen><prompt>$</prompt> <userinput>nova help flavor-create</userinput></screen></step>
</procedure></section>
<section xml:id="cli_delete_flavor"><title>Delete a flavor</title><procedure>
<step>
<para>Delete a specified flavor, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova flavor-delete <replaceable>FLAVOR_ID</replaceable></userinput></screen>
</step>
</procedure></section>
</section>
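Review bot: In the new `nova flavor-create` synopsis, `<replaceable>RAM_IN_MB ROOT_DISK_IN_GB</replaceable>` wraps two arguments in one element; split it into two `<replaceable>` elements like the other arguments. The new section is titled "Create flavors" but its first step only lists flavors, and the sibling section is "Delete a flavor"; consider a singular title and wording the first step as a check before creating. The final `<para>`, `<screen>` and `</step>` share one line, and the `<section>`, `<title>` and `<procedure>` tags are run together, which is out of step with the layout of the rest of the file.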

View File

@ -0,0 +1,305 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
<!ENTITY plusmn "&#xB1;">
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_set_compute_quotas">
<title>Manage Compute service quotas</title>
<para>As an administrative user, you can view and set the Compute
Service quotas for a project. You can also update the quota
defaults for a new project.</para>
<table rules="all">
<caption>Compute service quotas</caption>
<col width="20%"/>
<col width="45%"/>
<col width="35%"/>
<thead>
<tr>
<td>Quota</td>
<td>Defines the number of</td>
<td>Property name</td>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Fixed Ips</para>
</td>
<td>
<para>Fixed IP addresses allowed for each tenant. Must be equal to or greater than the number of
allowed instances.</para>
</td>
<td>
<para><systemitem>fixed-ips</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Floating Ips</para>
</td>
<td>
<para>Floating IP addresses allowed for each tenant.</para>
</td>
<td>
<para><systemitem>floating-ips</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Injected File Content Bytes</para>
</td>
<td>
<para>Content bytes allowed for each injected file.</para>
</td>
<td>
<para><systemitem>injected-file-content-bytes</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Injected File Path Bytes</para>
</td>
<td>
<para>Bytes allowed for each injected file path.</para>
</td>
<td>
<para><systemitem>injected-file-path-bytes</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Injected Files</para>
</td>
<td>
<para>Injected files allowed for each tenant.</para>
</td>
<td>
<para><systemitem>injected-files</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Instances</para>
</td>
<td>
<para>Instances allowed for each tenant.</para>
</td>
<td>
<para><systemitem>instances</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Key Pairs</para>
</td>
<td>
<para>Key pairs allowed for each user.</para>
</td>
<td>
<para><systemitem>key-pairs</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Metadata Items</para>
</td>
<td>
<para>Metadata items allowed for each instance.</para>
</td>
<td>
<para><systemitem>metadata-items</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Ram</para>
</td>
<td>
<para>Megabytes of instance RAM allowed for each
tenant.</para>
</td>
<td>
<para><systemitem>ram</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Security Group Rules</para>
</td>
<td>
<para>Rules for each security group.</para>
</td>
<td>
<para><systemitem>security-group-rules</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>Security Groups</para>
</td>
<td>
<para>Security groups for each project.</para>
</td>
<td>
<para><systemitem>security-groups</systemitem>
</para>
</td>
</tr>
<tr>
<td>
<para>VCPUs</para>
</td>
<td>
<para>Instance cores allowed for each project.</para>
</td>
<td>
<para><systemitem>cores</systemitem>
</para>
</td>
</tr>
</tbody>
</table>
<section xml:id="cli_set_compute_quotas_procedure">
<title>View and update Compute service quotas</title>
<para>As an administrative user, you can view and update project
quotas.</para>
<procedure>
<step>
<para>List the default Compute service project quotas:</para>
<screen><prompt>$</prompt> <userinput>nova quota-defaults</userinput></screen>
<screen><computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 10 |
| key_pairs | 100 |
| instances | 10 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
</step>
<step>
<para>To update a default value for a new project, update the
<literal>default</literal> property in the
<filename>/etc/nova/nova.conf</filename> file, as
follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-class-update default --<replaceable>key</replaceable> <replaceable>value</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova quota-class-update default --instances 15</userinput></screen>
</step>
<step>
<para>Verify your changes by showing the quotas for the quota
class, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-class-show default</userinput></screen>
<screen><computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 10 |
| key_pairs | 100 |
| instances | 15 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_view_quotas_tenant">
<title>View project quotas</title>
<procedure>
<step>
<para>Place the tenant ID in a usable variable, as
follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>List the currently set quota values for a tenant, as
follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-show --tenant $tenant</userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova quota-show --tenant $tenant</userinput>
<computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 12 |
| key_pairs | 100 |
| instances | 10 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
</step>
</procedure>
</section>
<section xml:id="cli_update_quotas_projects">
<title>Update project quotas</title>
<procedure>
<step>
<para>Get the tenant ID, as follows:</para>
<screen><prompt>$</prompt> <userinput>tenant=$(keystone tenant-list | awk '/<replaceable>tenantName</replaceable>/ {print $2}')</userinput></screen>
</step>
<step>
<para>Update a specified quota value, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova quota-update --<replaceable>quotaName</replaceable> <replaceable>quotaValue</replaceable> <replaceable>tenantID</replaceable></userinput></screen>
<para>For example:</para>
<screen><prompt>$</prompt> <userinput>nova quota-update --floating-ips 20 $tenant
<prompt>$</prompt> nova quota-show --tenant $tenant</userinput>
<computeroutput>+-----------------------------+-------+
| Property | Value |
+-----------------------------+-------+
| metadata_items | 128 |
| injected_file_content_bytes | 10240 |
| ram | 51200 |
| floating_ips | 20 |
| key_pairs | 100 |
| instances | 10 |
| security_group_rules | 20 |
| injected_files | 5 |
| cores | 20 |
| fixed_ips | -1 |
| injected_file_path_bytes | 255 |
| security_groups | 10 |
+-----------------------------+-------+</computeroutput></screen>
<note>
<para>To view a list of options for the
<command>quota-update</command> command, run:</para>
<screen><prompt>$</prompt> <userinput>nova help quota-update</userinput></screen>
</note>
</step>
</procedure>
</section>
</section>
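Review bot: in the second step of "View and update Compute service quotas", the paragraph tells the reader to update the default property in the /etc/nova/nova.conf file, but the command that follows is "nova quota-class-update default --key value", a client call that does not edit that file. Reword the step to say that the command updates the default quota class, or show the nova.conf setting that is meant. In both tenant lookup steps, awk '/tenantName/ {print $2}' matches any row that contains the string, so a name that is a substring of another tenant's name leaves more than one ID in $tenant before it is passed to nova quota-update; matching the name column exactly and checking that a single ID came back would keep a quota change from landing on the wrong project. Smaller points: the table's "Property name" column uses hyphens (fixed-ips) while every sample output uses underscores (fixed_ips), the text switches between "tenant" and "project", the fixed_ips value of -1 is never explained, and in the quota-update example the second prompt sits inside the userinput element.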

View File

@ -9,13 +9,13 @@
<info>
<title>OpenStack command-line clients</title>
</info>
<xi:include href="section_cli_overview.xml"/>
<xi:include href="../../common/section_cli_overview.xml"/>
<?hard-pagebreak?>
<xi:include href="section_cli_install.xml"/>
<xi:include href="../../common/section_cli_install.xml"/>
<?hard-pagebreak?>
<xi:include href="section_cli_version.xml"/>
<xi:include href="../../common/section_cli_version.xml"/>
<?hard-pagebreak?>
<xi:include href="section_cli_openrc.xml"/>
<xi:include href="../../common/section_cli_openrc.xml"/>
<?hard-pagebreak?>
<xi:include
href="../../common/section_glance_cli_manage_images.xml"/>
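Review bot: the includes repointed here cover overview, install, version and openrc, but no include for section_cli_help.xml appears in this hunk, although the old cli_help section is deleted later in the same commit and the Admin User Guide chapter now pulls it from ../../common/. If this chapter references the help section outside the lines shown, it needs the same ../../common/ path or the build will fail on a missing file; if it does not, consider adding the include so both guides carry it. The order also differs between the two chapters (version before openrc here, openrc before version in the admin guide), which is worth aligning if the sections cross-reference each other.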

View File

@ -1,40 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_help">
<title>Get Help for Client Commands</title>
<para>Use the <command>help</command> command to get help for
commands, parameters, and subcommands for any OpenStack
client.</para>
<para>The syntax is:</para>
<para><screen><prompt>$</prompt> &lt;client-name&gt; help</screen></para>
<para>For example, to get help for glance client commands, run the
following command:</para>
<screen><prompt>$</prompt> glance help</screen>
<para>The <command>help</command> command lists the available
commands for the specified client.</para>
<note>
<para>Depending on your credentials, you might not have
permission to use every command.</para>
</note>
<para>To get help for a specific command, enter the command name
after the <option>help</option> command, as follows:</para>
<para><screen><prompt>$</prompt> &lt;client-name&gt; help &lt;command-name&gt;</screen></para>
<para>For example, to get help for the glance
<command>image-show</command> command, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput><?db-font-size 75%?>glance help image-show</userinput></screen>
<para>The <command>help</command> command shows the command usage,
a description of the command, and descriptions of any
positional and optional arguments, as follows:</para>
<screen><computeroutput><?db-font-size 65%?>usage: glance image-show [--human-readable] &lt;IMAGE>
Describe a specific image.
Positional arguments:
&lt;IMAGE> Name or ID of image to describe.
Optional arguments:
--human-readable Print image size in a human-friendly format.</computeroutput></screen>
</section>
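Review bot: the removed section carries a note that does not appear in the visible opening of the replacement file, "Depending on your credentials, you might not have permission to use every command.", along with the per-command form "<client-name> help <command-name>" and the glance image-show example. Check that common/section_cli_help.xml keeps the credentials note and the per-command syntax, since readers otherwise get no hint that a listed command can be refused for their role.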

View File

@ -1,227 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
<!ENTITY plusmn "&#xB1;">
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="install_clients">
<title>Install the Openstack command-line clients</title>
<?dbhtml stop-chunking?>
<para>To install the clients, install the prerequisite software
and the Python package for each OpenStack client.</para>
<table rules="all">
<caption>Prerequisite software</caption>
<col width="15%"/>
<col width="85%"/>
<thead>
<tr>
<th>Prerequisite</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">
<para>Python 2.6 or later</para>
</td>
<td>
<para>Currently, the clients do not support
Python 3.</para>
</td>
</tr>
<tr>
<td valign="top">
<para><command>setuptools</command>
package</para>
</td>
<td>
<para>Installed by default on Mac OS X. Many Linux distributions provide
packages to make
<command>setuptools</command> easy to
install. Search your package manager for
<command>setuptools</command> to find
an installation package. If you cannot
find one, download the
<command>setuptools</command> package
directly from <link
xlink:href="http://pypi.python.org/pypi/setuptools"
>http://pypi.python.org/pypi/setuptools</link>.
</para>
</td>
</tr>
<tr>
<td valign="top"><command>pip</command>
package</td>
<td>
<para>To install the clients on a Mac OS X or
Linux system, use <command>pip</command>.
It is easy to use and ensures that you get
the latest version of the clients from the
<link
xlink:href="http://pypi.python.org/pypi/python-novaclient/"
>Python Package Index</link>. Also, it
lets you update or remove the packages
later on.</para>
<para>Install <command>pip</command> through
the package manager for your
system:</para><itemizedlist>
<listitem>
<para>Mac OS X
<screen><prompt>$</prompt> <userinput>sudo easy_install pip</userinput></screen></para>
</listitem>
<listitem>
<para>Ubuntu 12.04</para>
<para>A packaged version enables you
to use <command>dpkg</command> or
<command>aptitude</command> to
install the
python-novaclient.</para>
<screen><prompt>#</prompt> aptitude install python-novaclient</screen>
</listitem>
<listitem>
<para>Ubuntu
<screen><prompt>#</prompt> aptitude install python-pip</screen></para>
</listitem>
<listitem>
<para>RHEL, CentOS, or Fedora</para>
<para>A packaged version available in
<link
xlink:href="http://openstack.redhat.com/"
>RDO</link> enables you to use
<command>yum</command> to install
the clients:
<screen><prompt>#</prompt> yum install python-<replaceable>PROJECT</replaceable>client</screen>
Replace
<replaceable>PROJECT</replaceable>
with the lower case name of the
client to install, such as
<literal>nova</literal>. Repeat
this step for each
client.</para>
<para>Alternatively install
<command>pip</command> and use it
to manage client installation:
<screen><prompt>#</prompt> yum install python-pip</screen>
</para>
</listitem>
<listitem>
<para>openSUSE 12.2 and earlier</para>
<para>A <link
xlink:href="https://build.opensuse.org/package/show?package=python-novaclient&amp;project=Cloud:OpenStack:Master"
>packaged version available in the
Open Build Service</link> enables
you to use <command>rpm</command>
or <command>zypper</command> to
install the python-novaclient.
<screen><prompt>#</prompt> zypper install python-<replaceable>PROJECT</replaceable></screen>
Replace
<replaceable>PROJECT</replaceable>
with the lowercase name of the
client to install, such as
<literal>nova</literal>. Repeat
this step for each desired
client.</para>
<para>Alternatively install
<command>pip</command> and use it
to manage client installation:
<screen><prompt>#</prompt> zypper install python-pip </screen></para>
</listitem>
<listitem>
<para>openSUSE 12.3</para>
<para>A packaged version enables you
to use <command>rpm</command> or
<command>zypper</command> to
install the clients:
<screen><prompt>#</prompt> zypper install python-<replaceable>PROJECT</replaceable>client</screen>
Replace
<replaceable>PROJECT</replaceable>
with the lowercase name of the
client to install, such as
<literal>nova</literal>. Repeat
this step for each desired client.
</para>
</listitem>
</itemizedlist>
</td>
</tr>
</tbody>
</table>
<section xml:id="cli_clients_install">
<title>Install the clients</title>
<para>Use <command>pip</command> to install the OpenStack
clients on a Mac OS X or Linux system. It is easy and
ensures that you get the latest version of the client from
the <link xlink:href="http://pypi.python.org/pypi">Python
Package Index</link>. Also, <command>pip</command>
lets you update or remove a package. After you install the
clients, you must source an <filename
xmlns:raxm="http://docs.rackspace.com/api/metadata"
>openrc</filename> file to set required environment
variables before you can request OpenStack services
through the clients or the APIs.</para>
<procedure>
<!-- <title>To install the clients</title>-->
<step>
<para>You must install each client separately.</para>
<para>Run the following command to install or update a
client package:</para>
<screen><prompt>$</prompt> <userinput>sudo pip install [--update] python-<replaceable>PROJECT</replaceable>client</userinput></screen>
<para>Where <replaceable>PROJECT</replaceable> is the
project name and has one of the following
values:</para>
<itemizedlist>
<listitem>
<para><literal>nova</literal>. Compute API and
extensions.</para>
</listitem>
<listitem>
<para><literal>neutron</literal>. Networking
API.</para>
</listitem>
<listitem>
<para><literal>keystone</literal>. Identity
Service API.</para>
</listitem>
<listitem>
<para><literal>glance</literal>. Image Service
API.</para>
</listitem>
<listitem>
<para><literal>swift</literal>. Object Storage
API.</para>
</listitem>
<listitem>
<para><literal>cinder</literal>. Block Storage
Service API.</para>
</listitem>
<listitem>
<para><literal>heat</literal>. Orchestration
API.</para>
</listitem>
</itemizedlist>
<para>For example, to install the nova client, run the
following command:</para>
<screen><prompt>$</prompt> <userinput>sudo pip install python-novaclient</userinput></screen>
<para>To update the nova client, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>sudo pip install --upgrade python-novaclient</userinput></screen>
<para>To remove the nova client, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>sudo pip uninstall python-novaclient</userinput></screen>
</step>
<step>
<para>Before you can issue client commands, you must
download and source the
<filename>openrc</filename> file to set
environment variables. Proceed to <xref
linkend="cli_openrc"/>.</para>
</step>
</procedure>
</section>
</section>
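Review bot: if this text is being moved to common/section_cli_install.xml rather than dropped, do not carry over the synopsis "sudo pip install [--update] python-PROJECTclient" in the "Install the clients" procedure: pip has no --update option, and the worked example a few lines later correctly uses --upgrade. The openSUSE 12.2 command "zypper install python-PROJECT" is also missing the "client" suffix that the RHEL and openSUSE 12.3 entries use, the title spells the product "Openstack", and all three Python Package Index links use http:// rather than https://, which matters for a page that tells readers to install packages as root. The Ubuntu items are inconsistent as well: one installs python-novaclient directly under the "Install pip" list, the other installs python-pip.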