Fixes to Cloud Admin Guide for Havana (testing with Anne G)

Change-Id: I65a12cfdde82c069684e7fac0b53ae5720b6ebda
author: diane fleming
Diane Fleming 2013-09-27 12:14:51 -05:00
parent 94c72ccb4e
commit c2bfed945d
25 changed files with 3721 additions and 3244 deletions

View File

@ -7,7 +7,7 @@
xml:id="openstack-compute-admin-manual-grizzly"> xml:id="openstack-compute-admin-manual-grizzly">
<title>OpenStack Cloud Administrator Guide</title> <title>OpenStack Cloud Administrator Guide</title>
<?rax title.font.size="28px" subtitle.font.size="28px"?> <?rax title.font.size="28px" subtitle.font.size="28px"?>
<titleabbrev>OpenStack Cloud Administrator Guide</titleabbrev> <titleabbrev>Cloud Administrator Guide</titleabbrev>
<info> <info>
<author> <author>
<personname> <personname>
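Review bot: The root `xml:id` in the context line still reads `openstack-compute-admin-manual-grizzly`, although this commit targets Havana and shortens `<titleabbrev>` to "Cloud Administrator Guide". If the id is kept on purpose for link stability, say so in the commit message; otherwise rename it in a follow-up together with any references to it.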

View File

@ -3,6 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="managing-volumes"> xml:id="managing-volumes">
<?dbhtml stop-chunking?>
<title>Block Storage</title> <title>Block Storage</title>
<para>The OpenStack Block Storage service works though the <para>The OpenStack Block Storage service works though the
interaction of a series of daemon processes named cinder-* interaction of a series of daemon processes named cinder-*
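Review bot: The opening paragraph under `<title>Block Storage</title>` still says the service "works though the interaction of a series of daemon processes"; "though" should be "through". Since this commit is an editorial pass over the file, fix it here.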
@ -26,6 +27,7 @@
service is similar to the Amazon EC2 Elastic Block Storage service is similar to the Amazon EC2 Elastic Block Storage
(EBS) offering.</para> (EBS) offering.</para>
</section> </section>
<?hard-pagebreak?>
<section xml:id="section_manage-volumes"> <section xml:id="section_manage-volumes">
<title>Manage volumes</title> <title>Manage volumes</title>
<para>The default OpenStack Block Storage service implementation <para>The default OpenStack Block Storage service implementation
@ -45,8 +47,6 @@
<para>The following high-level procedure shows you how to create <para>The following high-level procedure shows you how to create
and attach a volume to a server instance.</para> and attach a volume to a server instance.</para>
<procedure> <procedure>
<title>To create and attach a volume to a server
instance:</title>
<step><para>You must configure both OpenStack Compute and the <step><para>You must configure both OpenStack Compute and the
OpenStack Block Storage service through the OpenStack Block Storage service through the
<filename>cinder.conf</filename> file.</para></step> <filename>cinder.conf</filename> file.</para></step>
@ -83,14 +83,11 @@
<systemitem class="service">nova-compute</systemitem>. The walk through uses <systemitem class="service">nova-compute</systemitem>. The walk through uses
a custom partitioning scheme that carves out 60GB of space a custom partitioning scheme that carves out 60GB of space
and labels it as LVM. The network uses and labels it as LVM. The network uses
<literal>FlatManger</literal> is the <literal>FlatManager</literal> is the
<literal>NetworkManager</literal> setting for <literal>NetworkManager</literal> setting for
OpenStack Compute (Nova).</para> OpenStack Compute (Nova).</para>
<para>Please note that the network mode doesn't interfere at <para>The network mode does not interfere with the way cinder works, but networking must be set
all with the way cinder works, but networking must be set up for cinder to work. For details, see <xref linkend="ch_networking"/>.</para>
up for cinder to work. Please refer to <link
xlink:href="http://docs.openstack.org/grizzly/openstack-network/admin/content/">Networking Administration</link> for more
details.</para>
<para>To set up Compute to use volumes, ensure that Block <para>To set up Compute to use volumes, ensure that Block
Storage is installed along with lvm2. This guide describes how to:</para> Storage is installed along with lvm2. This guide describes how to:</para>
<para> <para>
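Review bot: The sentence around the corrected `<literal>FlatManager</literal>` is still ungrammatical after the typo fix: "The network uses FlatManager is the NetworkManager setting for OpenStack Compute (Nova)." Suggest "The network uses FlatManager as the NetworkManager setting for OpenStack Compute." The external Networking Administration link was replaced by `<xref linkend="ch_networking"/>`, which resolves only when this file is built in the same book as the Networking chapter, so confirm that no other deliverable includes it.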
@ -106,11 +103,15 @@
<section xml:id="boot-from-volume"> <section xml:id="boot-from-volume">
<title>Boot from volume</title> <title>Boot from volume</title>
<para>In some cases, instances can be stored and run from inside volumes. This is explained in further detail in the <link xlink:href="http://docs.openstack.org/user-guide/content/boot_from_volume.html">Boot From Volume</link> <para>In some cases, instances can be stored and run from
section of the <citetitle>OpenStack End User Guide</citetitle>.</para> inside volumes. For information, see the <link
</section> xlink:href="http://docs.openstack.org/user-guide/content/boot_from_volume.html"
>Launch an instance from a volume</link> section in the
<xi:include href="section_troubleshoot-cinder.xml"/> <link xlink:href="http://docs.openstack.org/user-guide/content/"><citetitle>OpenStack End User
Guide</citetitle></link>.</para>
</section>
<?hard-pagebreak?>
<xi:include href="section_troubleshoot-cinder.xml"/>
<xi:include href="section_multi_backend.xml"/> <xi:include href="section_multi_backend.xml"/>
<xi:include href="section_backup-block-storage-disks.xml"/> <xi:include href="section_backup-block-storage-disks.xml"/>
<xi:include href="section_volume-migration.xml"/> <xi:include href="section_volume-migration.xml"/>

File diff suppressed because it is too large

View File

@ -3,40 +3,41 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch_install-dashboard"> xml:id="ch_install-dashboard">
<?dbhtml stop-chunking?>
<title>Dashboard</title> <title>Dashboard</title>
<para xmlns:raxm="http://docs.rackspace.com/api/metadata">The dashboard, also known as <link <para xmlns:raxm="http://docs.rackspace.com/api/metadata">The
xlink:href="https://github.com/openstack/horizon/">horizon</link>, is a Web interface dashboard, also known as <link
that allows cloud administrators and users to manage various OpenStack resources and xlink:href="https://github.com/openstack/horizon/"
services.</para> >horizon</link>, enables cloud administrators and users to
<para>The dashboard enables web-based interactions with the manage various OpenStack resources and services through a
OpenStack Compute cloud controller through the OpenStack APIs.</para> Web-based interface. The dashboard enables interactions with
<para>The following instructions show an example deployment the OpenStack Compute cloud controller through the OpenStack
configured with an Apache web server.</para> APIs. For information about installing and configuring the
<para>After you <link linkend="installing-openstack-dashboard" dashboard, see the <citetitle>OpenStack Installation
>install and configure the dashboard</link>, you can Guide</citetitle> for your distribution. After you install and
complete the following tasks:</para> configure the dashboard, you can complete the
following tasks:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Customize your dashboard. See <xref <para>Customize your dashboard. See <xref
linkend="dashboard-custom-brand"/>.</para> linkend="dashboard-custom-brand"/>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Set up session storage for the dashboard. See <xref <para>Set up session storage for the dashboard. See <xref
linkend="dashboard-sessions"/>.</para> linkend="dashboard-sessions"/>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Deploy the dashboard. See <link <para>Deploy the dashboard. See <link
xlink:href="http://docs.openstack.org/developer/horizon/topics/deployment.html" xlink:href="http://docs.openstack.org/developer/horizon/topics/deployment.html"
>Deploying Horizon</link>.</para> >Deploying Horizon</link>.</para>
</listitem> </listitem>
<listitem xml:id="launch_instances"> <listitem xml:id="launch_instances">
<para>Launch instances with the dashboard. See the <para>Launch instances with the dashboard. See the <link
<citetitle>OpenStack User xlink:href="http://docs.openstack.org/user-guide/content/"
Guide</citetitle>.</para> ><citetitle>OpenStack End User
Guide</citetitle></link>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<xi:include href="../common/section_dashboard-system-reqs.xml"/>
<xi:include href="../common/section_dashboard-install.xml"/>
<xi:include href="../common/section_dashboard_customizing.xml"/> <xi:include href="../common/section_dashboard_customizing.xml"/>
<xi:include href="../common/section_dashboard_sessions.xml"/> <xi:include href="../common/section_dashboard_sessions.xml"/>
</chapter> </chapter>
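Review bot: Dropping the `section_dashboard-system-reqs.xml` and `section_dashboard-install.xml` includes also drops the ids those files defined, which likely include the `installing-openstack-dashboard` target that the old paragraph linked to. Search the guide for remaining `linkend` references to those ids before merging, or the build will fail on unresolved links. The replacement pointer to the `<citetitle>OpenStack Installation Guide</citetitle>` has no `<link>`, while the End User Guide reference in this same hunk gained one.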

View File

@ -3,166 +3,135 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch-identity-mgmt-config"> xml:id="ch-identity-mgmt-config">
<?dbhtml stop-chunking?>
<title>Identity Management</title> <title>Identity Management</title>
<para> <para>The default identity management system for OpenStack is the
The default identity management system for OpenStack is the OpenStack Identity Service, code-named Keystone. OpenStack Identity Service, code-named Keystone. Once Identity is
Once Identity is installed, it is configured via a primary installed, it is configured via a primary configuration file
configuration file (<filename>etc/keystone.conf</filename>), possibly (<filename>etc/keystone.conf</filename>), possibly a separate
a separate logging configuration file, and initializing data into logging configuration file, and initializing data into keystone
keystone using the command line client. using the command line client.</para>
</para>
<xi:include href="../common/section_keystone-concepts.xml"/> <xi:include href="../common/section_keystone-concepts.xml"/>
<section xml:id="user-crud"> <section xml:id="user-crud">
<title>User CRUD</title> <title>User CRUD</title>
<para> <para>Keystone provides a user CRUD filter that can be added to
Keystone provides a user CRUD filter that can be added to the the public_api pipeline. This user crud filter enables users to
public_api pipeline. This user crud filter allows users to use a use a HTTP PATCH to change their own password. To enable this
HTTP PATCH to change their own password. To enable this extension extension you should define a
you should define a <literal>user_crud_extension</literal> filter, insert it after <literal>user_crud_extension</literal> filter, insert it after
the <literal>*_body</literal> middleware and before the the <literal>*_body</literal> middleware and before the
<literal>public_service</literal> app in the public_api WSGI <literal>public_service</literal> app in the public_api WSGI
pipeline in <filename>keystone.conf</filename> e.g.: pipeline in <filename>keystone.conf</filename> e.g.:</para>
</para> <programlisting language="ini"><?db-font-size 75%?>[filter:user_crud_extension]
<programlisting language="ini">
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[pipeline:public_api] [pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service</programlisting>
</programlisting> <para>Each user can then change their own password with a HTTP
<para> PATCH</para>
Each user can then change their own password with a HTTP PATCH <programlisting language="ini"><?db-font-size 75%?>&gt; curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/&lt;userid&gt; -H &quot;Content-type: application/json&quot; \
</para> -H &quot;X_Auth_Token: &lt;authtokenid&gt;&quot; -d '{&quot;user&quot;: {&quot;password&quot;: &quot;ABCD&quot;, &quot;original_password&quot;: &quot;DCBA&quot;}}'</programlisting>
<programlisting language="ini"> <para>In addition to changing their password all of the users
&gt; curl -X PATCH http://localhost:5000/v2.0/OS-KSCRUD/users/&lt;userid&gt; -H &quot;Content-type: application/json&quot; \ current tokens are deleted (if the back end is kvs or
-H &quot;X_Auth_Token: &lt;authtokenid&gt;&quot; -d '{&quot;user&quot;: {&quot;password&quot;: &quot;ABCD&quot;, &quot;original_password&quot;: &quot;DCBA&quot;}}' sql).</para>
</programlisting>
<para>
In addition to changing their password all of the users current
tokens will be deleted (if the backend used is kvs or sql)
</para>
</section> </section>
<section xml:id="keystone-logging"> <section xml:id="keystone-logging">
<title>Logging</title> <title>Logging</title>
<para> Logging is configured externally to the rest of Identity, <para>You configure logging externally to the rest of Identity.
the file specifying the logging configuration is in the The file specifying the logging configuration is in the
<literal>[DEFAULT]</literal> section of the <literal>[DEFAULT]</literal> section of the
<filename>keystone.conf</filename> file under <filename>keystone.conf</filename> file under
<literal>log_config</literal>. If you wish to route all your <literal>log_config</literal>. To route logging through
logging through syslog, set <literal>use_syslog=true</literal> syslog, set <literal>use_syslog=true</literal> option in the
option in the <literal>[DEFAULT]</literal> section. </para> <literal>[DEFAULT]</literal> section.</para>
<para> <para>A sample logging file is available with the project in the
A sample logging file is available with the project in the directory <filename>etc/logging.conf.sample</filename>. Like
directory <filename>etc/logging.conf.sample</filename>. Like other other OpenStack projects, Identity uses the python logging
OpenStack projects, Identity uses the `python logging module`, module, which includes extensive configuration options for
which includes extensive configuration options for choosing the choosing the output levels and formats.</para>
output levels and formats. <para>Review the <filename>etc/keystone.conf</filename> sample
</para> configuration files distributed with keystone for example
<para> configuration files for each server application.</para>
In addition to this documentation page, you can check the <para>For services which have separate paste-deploy ini file, you
<filename>etc/keystone.conf</filename> sample configuration files can configure auth_token middleware in [keystone_authtoken]
distributed with keystone for example configuration files for each section in the main config file, such as
server application. <filename>nova.conf</filename>. For example in Compute, you
</para> can remove the middleware parameters from
<para>For services which have separate paste-deploy ini file, <filename>api-paste.ini</filename>, as follows:</para>
auth_token middleware can be alternatively configured in <programlisting language="ini"><?db-font-size 75%?>[filter:authtoken]
[keystone_authtoken] section in the main config file, such as paste.filter_factory =
<filename>nova.conf</filename>. For keystoneclient.middleware.auth_token:filter_factory</programlisting>
example in Nova, all middleware parameters can be removed from <para>And set the following values in
api-paste.ini like these:</para> <filename>nova.conf</filename>, as follows:</para>
<programlisting language="ini"> [filter:authtoken] <programlisting language="ini"><?db-font-size 75%?>[DEFAULT]
paste.filter_factory = ...
keystoneclient.middleware.auth_token:filter_factory auth_strategy=keystone
</programlisting>
<para>and set in
<filename>nova.conf</filename> like these: </para>
<programlisting language="ini">[DEFAULT]
...
auth_strategy=keystone
[keystone_authtoken] [keystone_authtoken]
auth_host = 127.0.0.1 auth_host = 127.0.0.1
auth_port = 35357 auth_port = 35357
auth_protocol = http auth_protocol = http
auth_uri = http://127.0.0.1:5000/ auth_uri = http://127.0.0.1:5000/
admin_user = admin admin_user = admin
admin_password = SuperSekretPassword admin_password = SuperSekretPassword
admin_tenant_name = service admin_tenant_name = service </programlisting>
</programlisting> <note>
<para>Note that middleware parameters in <para>Middleware parameters in paste config take priority. You
paste config take priority, they must be removed to use values must remove them to use values in [keystone_authtoken]
in [keystone_authtoken] section.</para> section.</para>
</note>
</section> </section>
<section xml:id="monitoring"> <section xml:id="monitoring">
<title>Monitoring</title> <title>Monitoring</title>
<para> <para>Keystone provides some basic request/response monitoring
Keystone provides some basic request/response monitoring statistics out of the box.</para>
statistics out of the box. <para>Enable data collection by defining a
</para> <literal>stats_monitoring</literal> filter and including it at
<para> the beginning of any desired WSGI pipelines:</para>
Enable data collection by defining a <programlisting language="ini"><?db-font-size 75%?>[filter:stats_monitoring]
<literal>stats_monitoring</literal> filter and including it at the
beginning of any desired WSGI pipelines:
</para>
<programlisting language="ini">
[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
[pipeline:public_api] [pipeline:public_api]
pipeline = stats_monitoring [...] public_service pipeline = stats_monitoring [...] public_service</programlisting>
</programlisting> <para>Enable the reporting of collected data by defining a
<para> <literal>stats_reporting</literal> filter and including it
Enable the reporting of collected data by defining a near the end of your <literal>admin_api</literal> WSGI pipeline
<literal>stats_reporting</literal> filter and including it near (After <literal>*_body</literal> middleware and before
the end of your <literal>admin_api</literal> WSGI pipeline (After <literal>*_extension</literal> filters is recommended):</para>
<literal>*_body</literal> middleware and before <programlisting language="ini"><?db-font-size 75%?>[filter:stats_reporting]
<literal>*_extension</literal> filters is recommended):
</para>
<programlisting language="ini">
[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
[pipeline:admin_api] [pipeline:admin_api]
pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</programlisting>
</programlisting> <para>Query the admin API for statistics using:</para>
<para>
Query the admin API for statistics using:
</para>
<screen><prompt>$</prompt> <userinput>curl -H 'X-Auth-Token: ADMIN' http://localhost:35357/v2.0/OS-STATS/stats</userinput></screen> <screen><prompt>$</prompt> <userinput>curl -H 'X-Auth-Token: ADMIN' http://localhost:35357/v2.0/OS-STATS/stats</userinput></screen>
<para> <para>Reset collected data using:</para>
Reset collected data using: <screen><prompt>$</prompt> <userinput>curl -H 'X-Auth-Token: ADMIN' -X DELETE \
</para> http://localhost:35357/v2.0/OS-STATS/stats</userinput></screen>
<screen><prompt>$</prompt> <userinput>curl -H 'X-Auth-Token: ADMIN' -X DELETE http://localhost:35357/v2.0/OS-STATS/stats</userinput></screen>
</section> </section>
<section xml:id="running-keystone"> <section xml:id="running-keystone">
<title>Running</title> <title>Start the Identity Service</title>
<para> <para>To start the services for the Identity Service, run the
Running Identity is simply starting the services by using the following command:</para>
command: <screen><prompt>$</prompt> <userinput>keystone-all</userinput></screen>
</para> <para>This command starts two wsgi.Server instances configured by
<screen><prompt>$</prompt> <userinput> the <filename>keystone.conf</filename> file as described
keystone-all previously. One of these wsgi servers is
</userinput></screen> <literal>admin</literal> (the administration API) and the
<para> other is <literal>main</literal> (the primary/public API
Invoking this command starts up two wsgi.Server instances, interface). Both run in a single process.</para>
configured by the <filename>keystone.conf</filename> file as
described above. One of these wsgi 'servers' is
<literal>admin</literal> (the administration API) and the other is
<literal>main</literal> (the primary/public API interface). Both
of these run in a single process.
</para>
</section> </section>
<section xml:id="example-usage"> <section xml:id="example-usage">
<title>Example usage</title> <title>Example usage</title>
<para>The <literal>keystone</literal> client is set up to expect commands <para>The <literal>keystone</literal> client is set up to expect
in the general form of <literal>keystone</literal> commands in the general form of <literal>keystone</literal>
<literal>command</literal> <literal>command</literal>
<literal>argument</literal>, followed by flag-like keyword arguments to <literal>argument</literal>, followed by flag-like keyword
provide additional (often optional) information. For example, the arguments to provide additional (often optional) information.
command <literal>user-list</literal> and For example, the command <literal>user-list</literal> and
<literal>tenant-create</literal> can be invoked as follows: </para> <literal>tenant-create</literal> can be invoked as
<programlisting language="bash"> follows:</para>
# Using token auth env variables <programlisting language="bash"><?db-font-size 65%?># Using token auth env variables
export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/ export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
export SERVICE_TOKEN=secrete_token export SERVICE_TOKEN=secrete_token
keystone user-list keystone user-list
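Review bot: In the User CRUD section the password-change command is kept as `<programlisting language="ini">` with a literal `&gt;` prompt even though it is a curl invocation, and it sends the header `X_Auth_Token` while the OS-STATS commands later in this hunk send `X-Auth-Token`. Suggest moving it to `<screen><prompt>$</prompt> <userinput>` like the Monitoring examples, and using one header spelling after checking which one the service accepts. In the same hunk, "a HTTP PATCH" should read "an HTTP PATCH", "all of the users current tokens" needs "user's", and "set use_syslog=true option" needs "the". The `nova.conf` sample shows `auth_protocol = http` and a literal `admin_password`; a sentence stating that these are example values would help readers who copy the block.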
@ -181,25 +150,22 @@ keystone tenant-create --name=demo
# Using user + password + tenant_name flags # Using user + password + tenant_name flags
keystone --username=admin --password=secrete --tenant_name=admin user-list keystone --username=admin --password=secrete --tenant_name=admin user-list
keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo</programlisting>
</programlisting> </section>
</section> <section xml:id="auth-token-middleware-with-username-and-password">
<section xml:id="auth-token-middleware-with-username-and-password"> <title>Auth-Token middleware with user name and password</title>
<title>Auth-Token Middleware with Username and Password</title> <para>It is also possible to configure the Identity Service
<para> Auth-Token middleware using the <option>admin_user</option> and
It is also possible to configure Keystone's auth_token <option>admin_password</option> options. When using the
middleware using the 'admin_user' and 'admin_password' options. <option>admin_user</option> and
When using the 'admin_user' and 'admin_password' options the <option>admin_password</option> options the
'admin_token' parameter is optional. If 'admin_token' is <option>admin_token</option> parameter is optional. If
specified it will by used only if the specified token is still <option>admin_token</option> is specified it is used only if
valid. the specified token is still valid.</para>
</para> <para>Here is an example paste config filter that makes use of the
<para> <option>admin_user</option> and
Here is an example paste config filter that makes use of the <option>admin_password</option> parameters:</para>
'admin_user' and 'admin_password' parameters: <screen>[filter:authtoken]
</para>
<screen>
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
service_port = 5000 service_port = 5000
service_host = 127.0.0.1 service_host = 127.0.0.1
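Review bot: The paste filter example in this section is wrapped in `<screen>`, while the other ini samples touched by this commit use `<programlisting language="ini">`; use the same element here for consistency. In the rewritten paragraph, "When using the admin_user and admin_password options the admin_token parameter is optional" needs a comma after "options".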
@ -207,13 +173,11 @@ auth_port = 35357
auth_host = 127.0.0.1 auth_host = 127.0.0.1
auth_token = 012345SECRET99TOKEN012345 auth_token = 012345SECRET99TOKEN012345
admin_user = admin admin_user = admin
admin_password = keystone123 admin_password = keystone123</screen>
</screen> <para>It should be noted that when using this option an admin
<para> tenant/role relationship is required. The admin user is granted
It should be noted that when using this option an admin access to the Admin role on the admin tenant.</para>
tenant/role relationship is required. The admin user is granted </section>
access to the 'Admin' role on the 'admin' tenant. <?hard-pagebreak?>
</para>
</section>
<xi:include href="../common/section_identity-troubleshooting.xml"/> <xi:include href="../common/section_identity-troubleshooting.xml"/>
</chapter> </chapter>
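Review bot: The example's context line sets `auth_token = 012345SECRET99TOKEN012345`, but the prose in this section describes an `admin_token` parameter. Confirm which key the middleware reads and make the text and the example agree. In the rewritten closing paragraph the quotes around Admin and admin were dropped without adding `<literal>` markup, unlike the `<option>` tagging applied earlier in the section, and "It should be noted that" can be cut.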

View File

@ -3,6 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch_networking"> xml:id="ch_networking">
<?dbhtml stop-chunking?>
<title>Networking</title> <title>Networking</title>
<para>Learn Networking concepts, architecture, and basic and <para>Learn Networking concepts, architecture, and basic and
advanced neutron and nova command-line interface (CLI) advanced neutron and nova command-line interface (CLI)
@ -14,8 +15,7 @@
API for defining network connectivity and addressing in API for defining network connectivity and addressing in
the cloud. The Networking service enables operators to the cloud. The Networking service enables operators to
leverage different networking technologies to power their leverage different networking technologies to power their
cloud networking.</para> cloud networking. The Networking service also provides an API to configure
<para>The Networking service also provides an API to configure
and manage a variety of network services ranging from L3 and manage a variety of network services ranging from L3
forwarding and NAT to load balancing, edge firewalls, and forwarding and NAT to load balancing, edge firewalls, and
IPSEC VPN.</para> IPSEC VPN.</para>
@ -59,8 +59,7 @@
<para>You can configure rich network topologies by <para>You can configure rich network topologies by
creating and configuring networks and subnets, and creating and configuring networks and subnets, and
then instructing other OpenStack services like Compute then instructing other OpenStack services like Compute
to attach virtual devices to ports on these networks. to attach virtual devices to ports on these networks.</para><para>In particular, Networking supports each tenant having
In particular, Networking supports each tenant having
multiple private networks, and allows tenants to multiple private networks, and allows tenants to
choose their own IP addressing scheme (even if those choose their own IP addressing scheme (even if those
IP addresses overlap with those used by other IP addresses overlap with those used by other
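Review bot: The new paragraph break is written as `</para><para>` in the middle of a line after "ports on these networks." Put the closing tag at the end of that sentence and start `<para>In particular, ...` on its own line, matching the layout used in the rest of the file.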
@ -195,7 +194,6 @@
number of plug-ins, the cloud administrator is able to number of plug-ins, the cloud administrator is able to
weigh different options and decide which networking weigh different options and decide which networking
technology is right for the deployment.</para> technology is right for the deployment.</para>
<?hard-pagebreak?>
<para>Not all Networking plug-ins are compatible with all <para>Not all Networking plug-ins are compatible with all
possible Compute drivers:</para> possible Compute drivers:</para>
<table rules="all"> <table rules="all">
@ -333,7 +331,6 @@
with each other and with other OpenStack services.</para> with each other and with other OpenStack services.</para>
<section xml:id="arch_overview"> <section xml:id="arch_overview">
<title>Overview</title> <title>Overview</title>
<para>Networking is a standalone service, just like other <para>Networking is a standalone service, just like other
OpenStack services such as Compute, Image service, OpenStack services such as Compute, Image service,
Identity service, or the Dashboard. Like those Identity service, or the Dashboard. Like those
@ -433,7 +430,7 @@
<title>Network connectivity for physical hosts</title> <title>Network connectivity for physical hosts</title>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata scale="60" <imagedata scale="50"
fileref="../common/figures/Neutron-PhysNet-Diagram.png" fileref="../common/figures/Neutron-PhysNet-Diagram.png"
/> />
</imageobject> </imageobject>
@ -552,6 +549,7 @@
first available IP address.</para> first available IP address.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<?hard-pagebreak?>
<para>The following table summarizes the attributes <para>The following table summarizes the attributes
available for each networking abstraction. For available for each networking abstraction. For
information about API abstraction and operations, information about API abstraction and operations,
@ -734,6 +732,7 @@
</tr> </tr>
</tbody> </tbody>
</table> </table>
<?hard-pagebreak?>
<table rules="all"> <table rules="all">
<caption>Port attributes</caption> <caption>Port attributes</caption>
<col width="20%"/> <col width="20%"/>
@ -913,6 +912,7 @@
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen> <screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
</note> </note>
</section> </section>
<?hard-pagebreak?>
<section xml:id="advanced_networking"> <section xml:id="advanced_networking">
<title>Advanced Networking operations</title> <title>Advanced Networking operations</title>
<para>The following table shows example neutron <para>The following table shows example neutron
@ -968,6 +968,7 @@
</table> </table>
</section> </section>
</section> </section>
<?hard-pagebreak?>
<section xml:id="using_nova_with_neutron"> <section xml:id="using_nova_with_neutron">
<title>Use Compute with Networking</title> <title>Use Compute with Networking</title>
<section xml:id="basic_workflow_with_nova"> <section xml:id="basic_workflow_with_nova">
@ -1110,8 +1111,10 @@
<command>ping</command> and <command>ping</command> and
<command>ssh</command> access to your <command>ssh</command> access to your
VMs.</para> VMs.</para>
<screen><prompt>$</prompt> <userinput>neutron security-group-rule-create --protocol icmp --direction ingress default</userinput> <screen><prompt>$</prompt> <userinput>neutron security-group-rule-create --protocol icmp \
<prompt>$</prompt> <userinput>neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 --direction ingress default</userinput></screen> --direction ingress default</userinput></screen>
<screen><prompt>$</prompt> <userinput>neutron security-group-rule-create --protocol tcp --port-range-min 22 \
--port-range-max 22 --direction ingress default</userinput></screen>
</listitem> </listitem>
<listitem> <listitem>
<para>Does not implement Networking security <para>Does not implement Networking security
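Review bot: Neither `security-group-rule-create` command in the two new `<screen>` blocks names a source, so the surrounding text should state which addresses the ICMP and TCP port 22 ingress rules on `default` apply to, and mention `--remote-ip-prefix` for readers who want to narrow them. The line wrapping with `\` is fine, but keeping both commands in one `<screen>` as before would avoid an extra box in the rendered output.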

View File

@ -4,10 +4,16 @@
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" version="5.0"
xml:id="ch_admin-openstack-object-storage"> xml:id="ch_admin-openstack-object-storage">
<?dbhtml stop-chunking?>
<title>Object Storage</title> <title>Object Storage</title>
<para>OpenStack Object Storage is a scalable object storage system&#x2014;it is not a file system in <para>Object Storage is a scalable object storage system. It is
the traditional sense. You will not be able to mount this system like traditional SAN or NAS not a file system in the traditional sense. You cannot mount
volumes.</para> this system like traditional SAN or NAS volumes. Because Object
<xi:include href="../common/section_about-object-storage.xml"/> Storage requires a different way of thinking when it comes to
storage, take a few moments to review the key concepts in the
developer documentation at <link
xlink:href="http://docs.openstack.org/developer/swift/"
>docs.openstack.org/developer/swift/</link>.</para>
<!-- <xi:include href="../common/section_about-object-storage.xml"/> -->
<xi:include href="section_object-storage-monitoring.xml"/> <xi:include href="section_object-storage-monitoring.xml"/>
</chapter> </chapter>
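Review bot: the xi:include of ../common/section_about-object-storage.xml is commented out rather than deleted, and its text is pasted into the chapter <para> instead, so the same paragraph now has to be maintained in two places. Either delete the include line and explain in the commit message why the shared section is no longer pulled in, or keep the include and drop the copied sentences. The <?dbhtml stop-chunking?> instruction is also placed before <title> here but after <title> in the new dashboard section files in this commit; pick one position.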

View File

@ -326,6 +326,7 @@
other hosts on the external network (and often to all other hosts on the external network (and often to all
hosts on the Internet). You can allocate and map floating hosts on the Internet). You can allocate and map floating
IPs from one port to another, as needed.</para> IPs from one port to another, as needed.</para>
<?hard-pagebreak?>
<section xml:id="l3_api_abstractions"> <section xml:id="l3_api_abstractions">
<title>L3 API abstractions</title> <title>L3 API abstractions</title>
<table rules="all"> <table rules="all">
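Review bot: the <?hard-pagebreak?> added before <section xml:id="l3_api_abstractions"> hard-codes PDF layout into the source, and the same instruction is repeated before each sibling section in the hunks that follow. Forced breaks go stale as soon as the surrounding text grows or shrinks; if the goal is that every top-level section starts on a new page, set that once in the PDF stylesheet and leave the instructions out of the content.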
@ -463,8 +464,8 @@
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<?hard-pagebreak?>
<section xml:id="l3_workflow"> <section xml:id="l3_workflow">
<title>Basic L3 operations</title> <title>Basic L3 operations</title>
<para>External networks are visible to all users. However, <para>External networks are visible to all users. However,
@ -656,6 +657,7 @@
</table> </table>
</section> </section>
</section> </section>
<?hard-pagebreak?>
<section xml:id="section_securitygroups"> <section xml:id="section_securitygroups">
<title>Security groups</title> <title>Security groups</title>
<para>Security groups and security group rules allows <para>Security groups and security group rules allows
@ -917,6 +919,7 @@
</table> </table>
</section> </section>
</section> </section>
<?hard-pagebreak?>
<section xml:id="lbaas_workflow"> <section xml:id="lbaas_workflow">
<title>Basic Load-Balancer-as-a-Service operations</title> <title>Basic Load-Balancer-as-a-Service operations</title>
<note> <note>
@ -994,6 +997,7 @@
</tbody> </tbody>
</table> </table>
</section> </section>
<?hard-pagebreak?>
<section xml:id="fwaas"> <section xml:id="fwaas">
<title>Firewall-as-a-Service</title> <title>Firewall-as-a-Service</title>
<para>The Firewall-as-a-Service (FWaaS) API is an experimental <para>The Firewall-as-a-Service (FWaaS) API is an experimental
@ -1386,6 +1390,7 @@
</note> </note>
</section> </section>
</section> </section>
<?hard-pagebreak?>
<section xml:id="section_allowed_address_pairs"> <section xml:id="section_allowed_address_pairs">
<title>Allowed-address-pairs</title> <title>Allowed-address-pairs</title>
<para>Allowed-address-pairs is an API extension that extends <para>Allowed-address-pairs is an API extension that extends
@ -1433,6 +1438,7 @@
</note> </note>
</section> </section>
</section> </section>
<?hard-pagebreak?>
<section xml:id="section_plugin_specific_extensions"> <section xml:id="section_plugin_specific_extensions">
<title>Plug-in specific extensions</title> <title>Plug-in specific extensions</title>
<?dbhtml stop-chunking?> <?dbhtml stop-chunking?>

View File

@ -3,11 +3,14 @@
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink"
version="1.0"> version="1.0">
<title>Troubleshoot your cinder installation</title> <title>Troubleshoot your cinder installation</title>
<para>This section is intended to help solve some basic and common errors that are encountered <para>This section is intended to help solve some basic and common
during setup and configuration of Cinder. The focus here is on failed creation of volumes. errors that are encountered during set up and configuration of
The most important thing to know is where to look in case of a failure. There are two log Cinder. The focus here is on failed creation of volumes. The
files that are especially helpful in the case of a volume creation failure. The first is the most important thing to know is where to look in case of a
<systemitem class="service">cinder-api</systemitem> log, and the second is the <systemitem class="service">cinder-volume</systemitem> log.</para> failure. Two log files are especially helpful when volume
creation fails: <systemitem class="service"
>cinder-api</systemitem> log and <systemitem
class="service">cinder-volume</systemitem> log.</para>
<para>The <systemitem class="service">cinder-api</systemitem> log is useful in determining if you have <para>The <systemitem class="service">cinder-api</systemitem> log is useful in determining if you have
endpoint or connectivity issues. If you send a request to endpoint or connectivity issues. If you send a request to
create a volume and it fails, it's a good idea to look here create a volume and it fails, it's a good idea to look here
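Review bot: in the rewritten first <para>, "during set up and configuration of Cinder" uses the verb form where the noun "setup" is needed; the same substitution appears in other files in this commit. The new sentence also drops the articles ("... fails: cinder-api log and cinder-volume log"), which reads as a list of names rather than "the cinder-api log and the cinder-volume log", and "Cinder" is capitalized here but lower case in the <title> two lines up.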
@ -15,8 +18,9 @@
service. If the request seems to be logged, and there are no service. If the request seems to be logged, and there are no
errors or trace-backs then you can move to the <systemitem class="service">cinder-volume</systemitem> errors or trace-backs then you can move to the <systemitem class="service">cinder-volume</systemitem>
log and look for errors or trace-backs there.</para> log and look for errors or trace-backs there.</para>
<para>There are some common issues to look out for. The following describes <para>There are some common issues to look out for. The following
some common issues hit during configuration and some suggested solutions.</para> describes some common configuration issues with suggested
solutions.</para>
<para><emphasis role="bold"><emphasis role="underline">Create commands are in <systemitem class="service">cinder-api</systemitem> log <para><emphasis role="bold"><emphasis role="underline">Create commands are in <systemitem class="service">cinder-api</systemitem> log
with no error</emphasis></emphasis></para> with no error</emphasis></emphasis></para>
<para> <para>
@ -48,10 +52,7 @@
simple entry in <filename>/etc/tgt/conf.d</filename>, and you should have created this when you went simple entry in <filename>/etc/tgt/conf.d</filename>, and you should have created this when you went
through the install guide. If you haven't or you're running into issues, verify through the install guide. If you haven't or you're running into issues, verify
that you have a file <filename>/etc/tgt/conf.d/cinder.conf</filename>.</para> that you have a file <filename>/etc/tgt/conf.d/cinder.conf</filename>.</para>
<para>If the file is not there, you can create it easily by doing the <para>If the file is not there, create it, as follows:</para><screen><prompt>$</prompt> <userinput>sudo sh -c "echo 'include /var/lib/cinder/volumes/*' >> /etc/tgt/conf.d/cinder.conf"</userinput></screen>
following:<programlisting>
sudo sh -c "echo 'include /var/lib/cinder/volumes/*' >> /etc/tgt/conf.d/cinder.conf"
</programlisting></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</para> </para>
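Review bot: the new <screen> is glued to the closing </para> on one very long line and carries raw ">>" while the rest of the guide escapes angle brackets as &gt; in listings; put <screen> on its own line and escape the redirect for consistency. Because the command appends, a reader who runs it twice ends up with the include line duplicated in /etc/tgt/conf.d/cinder.conf, so say that it is for the case where the file is missing, or show a form that writes the file rather than appending.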
@ -60,26 +61,23 @@ sudo sh -c "echo 'include /var/lib/cinder/volumes/*' >> /etc/tgt/conf.d/cinder.c
<para>This is most likely going to be a minor adjustment to your <para>This is most likely going to be a minor adjustment to your
<filename>nova.conf</filename> file. Make sure that your <filename>nova.conf</filename> file. Make sure that your
<filename>nova.conf</filename> has the following <filename>nova.conf</filename> has the following
entry:<programlisting> entry:<programlisting>volume_api_class=nova.volume.cinder.API </programlisting></para>
volume_api_class=nova.volume.cinder.API <para>Make certain that you explicitly set
</programlisting></para> <option>enabled_apis</option> because the default includes
<para>And make certain that you EXPLICITLY set enabled_apis as the default will include <option>osapi_volume</option>:<programlisting>enabled_apis=ec2,osapi_compute,metadata</programlisting></para>
osapi_volume:<programlisting>
enabled_apis=ec2,osapi_compute,metadata
</programlisting>
</para>
<para><emphasis role="bold">Failed to create iscsi target error in the <filename>cinder-volume.log</filename></emphasis></para> <para><emphasis role="bold">Failed to create iscsi target error in the <filename>cinder-volume.log</filename></emphasis></para>
<programlisting language="bash">2013-03-12 01:35:43 1248 TRACE cinder.openstack.common.rpc.amqp ISCSITargetCreateFailed: Failed to create iscsi target for volume volume-137641b2-af72-4a2f-b243-65fdccd38780. <programlisting language="bash">2013-03-12 01:35:43 1248 TRACE cinder.openstack.common.rpc.amqp ISCSITargetCreateFailed: Failed to create iscsi target for volume volume-137641b2-af72-4a2f-b243-65fdccd38780.</programlisting>
</programlisting> <para>You might see this error in
<para>You may see this error in <filename>cinder-volume.log</filename> after trying to create a volume that is 1 GB. To fix this issue: <filename>cinder-volume.log</filename> after trying to
</para> create a volume that is 1 GB. </para>
<para>Change content of the <filename>/etc/tgt/targets.conf</filename> from "include /etc/tgt/conf.d/*.conf" to: <para>To fix this issue, change the content of the
include /etc/tgt/conf.d/cinder_tgt.conf:</para> <filename>/etc/tgt/targets.conf</filename> from
<programlisting language="bash"> <literal>include /etc/tgt/conf.d/*.conf</literal> to
include /etc/tgt/conf.d/cinder_tgt.conf <literal>include
include /etc/tgt/conf.d/cinder.conf /etc/tgt/conf.d/cinder_tgt.conf</literal>, as follows:</para>
default-driver iscsi</programlisting> <programlisting language="bash">include /etc/tgt/conf.d/cinder_tgt.conf
include /etc/tgt/conf.d/cinder.conf
default-driver iscsi</programlisting>
<para>Then restart tgt and <literal>cinder-*</literal> services so they pick up the new configuration.</para> <para>Then restart tgt and <literal>cinder-*</literal> services so they pick up the new configuration.</para>
</section> </section>
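Review bot: the reworded fix paragraph and the listing under it disagree. The text says to replace "include /etc/tgt/conf.d/*.conf" with "include /etc/tgt/conf.d/cinder_tgt.conf", but the listing shows three lines, adding "include /etc/tgt/conf.d/cinder.conf" and "default-driver iscsi", and the earlier step in this file creates cinder.conf, not cinder_tgt.conf. State which lines the reader must end up with and where cinder_tgt.conf comes from. Smaller points: the listings tagged language="bash" hold a log line and a tgt config fragment, not shell, and "volume_api_class=nova.volume.cinder.API </programlisting>" now keeps a trailing space inside the listing that a reader will copy into nova.conf.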

File diff suppressed because it is too large Load Diff

View File

@ -1,131 +1,166 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns="http://docbook.org/ns/docbook" <chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="ch_support-and-troubleshooting"> xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch_support-and-troubleshooting">
<title>Support</title> <?dbhtml stop-chunking?>
<para>Online resources aid in supporting OpenStack and there <title>Community Support</title>
are many community members willing and able to answer <para>Many OpenStack community members can answer questions and
questions and help with bug suspicions. We are constantly help with bug suspicions. We are constantly improving and
improving and adding to the main features of OpenStack, adding to the main features of OpenStack, but if you have any
but if you have any problems, do not hesitate to ask. problems, do not hesitate to ask. Use the following resources
Here are some ideas for supporting OpenStack and to get OpenStack support and troubleshoot your existing
troubleshooting your existing installations.</para> installations.</para>
<section xml:id="community-support"> <simplesect>
<title>Community Support</title> <title>ask.openstack.org</title>
<para>Here are some places you can locate others who want to <para>During set up or testing, you might have questions about
help.</para> how to do something or be in a situation where a feature
<simplesect> does not work correctly. Use the <link
<title>ask.openstack.org</title> xlink:href="ask.openstack.org"
<para>During setup or testing, you may have questions >ask.openstack.org</link> site to ask questions and
about how to do something, or end up in a situation get answers. When you visit the <link
where you can't seem to get a feature to work xlink:href="http://ask.openstack.org"
correctly. The ask.openstack.org site is available for >http://ask.openstack.org</link> site, scan the recently asked questions to see whether
questions and answers. When visiting the Ask site at your question was already answered. If not, ask a new question. Be sure
<link xlink:href="http://ask.openstack.org" to give a clear, concise summary in the title and provide
>http://ask.openstack.org</link>, it is usually as much detail as possible in the description. Paste in
good to at least scan over recently asked questions to your command output or stack traces, link to screen shots,
see if your question has already been answered. If and so on.</para>
that is not the case, then proceed to adding a new </simplesect>
question. Be sure you give a clear, concise summary in <simplesect>
the title and provide as much detail as possible in <title>OpenStack mailing lists</title>
the description. Paste in your command output or stack <para>A great way to get answers and insights is to post your
traces, link to screenshots, and so on.</para> question or scenario to the OpenStack mailing list. You
</simplesect> can learn from and help others who might have the same
<simplesect><title>OpenStack mailing lists</title> scenario as you. To subscribe or view the archives, go to
<para>Posting your question or scenario to the OpenStack <link
mailing list is a great way to get answers and xlink:href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"
insights. You can learn from and help others who may >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</link>.
have the same scenario as you. Go to <link You might be interested in the other mailing lists for
xlink:href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" specific projects or development, which you can find <link
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</link> to xlink:href="http://wiki.openstack.org/MailingLists">on
subscribe or view the archives. the wiki</link>. A description of all mailing lists is
You may be interested in the other mailing lists for available at <link
specific projects or development - these can be found xlink:href="http://wiki.openstack.org/MailingLists"
<link >http://wiki.openstack.org/MailingLists</link>.</para>
xlink:href="http://wiki.openstack.org/MailingLists" </simplesect>
>on the wiki</link>. A description of all the <simplesect>
additional mailing lists is available at
<link
xlink:href="http://wiki.openstack.org/MailingLists">http://wiki.openstack.org/MailingLists</link>.</para></simplesect><simplesect>
<title>The OpenStack Wiki search</title> <title>The OpenStack Wiki search</title>
<para>The <link xlink:href="http://wiki.openstack.org/">OpenStack wiki</link> contains content <para>The <link xlink:href="http://wiki.openstack.org/"
on a broad range of topics, but some of it sits a bit below the surface. Fortunately, the wiki >OpenStack wiki</link> contains content on a broad
search feature is very powerful in that it can do both searches by title and by content. If range of topics but some of it sits a bit below the
you are searching for specific information, say about "networking" or "api" for nova, you can surface. Fortunately, the wiki search feature enables you
find lots of content using the search feature. More is being added all the time, so be sure to to search by title or content. If you search for specific
check back often. You can find the search box in the upper right hand corner of any OpenStack wiki information, such as about networking or nova, you can
page.</para></simplesect> find lots of content. More is being added all the time, so
<simplesect><title>The Launchpad Bugs area</title> be sure to check back often. You can find the search box
<para>So you think you've found a bug. That's great! Seriously, it is. The OpenStack community in the upper right corner of any OpenStack wiki
values your setup and testing efforts and wants your feedback. To log a bug you must page.</para>
have a Launchpad account, so sign up at https://launchpad.net/+login if you do not </simplesect>
already have a Launchpad ID. You can view existing bugs and report your bug in the <simplesect>
Launchpad Bugs area. It is suggested that you first use the search facility to see <title>The Launchpad Bugs area</title>
if the bug you found has already been reported (or even better, already fixed). If <para>So you think you've found a bug. That's great!
it still seems like your bug is new or unreported then it is time to fill out a bug Seriously, it is. The OpenStack community values your set
report.</para> up and testing efforts and wants your feedback. To log a
<para>Some tips:</para> bug, you must sign up for a Launchpad account at <link
<itemizedlist><listitem><para>Give a clear, concise summary!</para></listitem> xlink:href="https://launchpad.net/+login"
<listitem><para>Provide as much detail as possible >https://launchpad.net/+login</link>. You can view
in the description. Paste in your command output or stack traces, link to existing bugs and report bugs in the Launchpad Bugs area.
screenshots, etc.</para></listitem> Use the search feature to determine whether the bug was
<listitem><para>Be sure to include what version of the software you are using. already reported (or even better, already fixed). If it
This is especially critical if you are using a development branch eg. "Grizzly still seems like your bug is unreported, fill out a bug
release" vs git commit bc79c3ecc55929bac585d04a03475b72e06a3208.</para></listitem> report.</para>
<listitem><para>Any deployment specific info is helpful as well, such as Ubuntu <para>Some tips:</para>
12.04, multi-node install.</para></listitem> </itemizedlist> <itemizedlist>
<listitem>
<para>The Launchpad Bugs areas are available here - :</para> <para>Give a clear, concise summary!</para>
<itemizedlist> </listitem>
<listitem><para>OpenStack Compute: <link <listitem>
xlink:href="https://bugs.launchpad.net/nova" <para>Provide as much detail as possible in the
>https://bugs.launchpad.net/nova</link></para></listitem> description. Paste in your command output or stack
<listitem><para>OpenStack Object Storage: <link traces, link to screen shots, and so on.</para>
xlink:href="https://bugs.launchpad.net/swift" </listitem>
>https://bugs.launchpad.net/swift</link></para></listitem> <listitem>
<listitem><para>OpenStack Image Delivery and Registration: <link <para>Be sure to include the software version that you are using,
xlink:href="https://bugs.launchpad.net/glance" especially if you are using a development branch,
>https://bugs.launchpad.net/glance</link></para></listitem> such as, <literal>"Grizzly release" vs git commit
<listitem><para>OpenStack Identity: <link bc79c3ecc55929bac585d04a03475b72e06a3208</literal>.</para>
xlink:href="https://bugs.launchpad.net/keystone" </listitem>
>https://bugs.launchpad.net/keystone</link></para></listitem> <listitem>
<listitem><para>OpenStack Dashboard: <link <para>Any deployment specific information is helpful,
xlink:href="https://bugs.launchpad.net/horizon" such as Ubuntu 12.04 or multi-node install.</para>
>https://bugs.launchpad.net/horizon</link></para></listitem> </listitem>
<listitem><para>OpenStack Network Connectivity: <link </itemizedlist>
xlink:href="https://bugs.launchpad.net/neutron" <para>The Launchpad Bugs areas are available here:</para>
>https://bugs.launchpad.net/neutron</link></para></listitem> <itemizedlist>
<listitem><para>OpenStack Orchestration: <link <listitem>
xlink:href="https://bugs.launchpad.net/heat" <para><link
>https://bugs.launchpad.net/heat</link></para></listitem> xlink:href="https://bugs.launchpad.net/nova"
<listitem><para>OpenStack Metering: <link >Bugs: OpenStack Compute (nova)</link></para>
xlink:href="https://bugs.launchpad.net/ceilometer" </listitem>
>https://bugs.launchpad.net/ceilometer</link></para></listitem> <listitem>
</itemizedlist> <para><link
xlink:href="https://bugs.launchpad.net/swift"
</simplesect> >Bugs : OpenStack Object Storage (swift)</link></para>
<simplesect> </listitem>
<title>The OpenStack IRC channel</title> <listitem>
<para>The OpenStack community lives and breathes in the <para><link
#openstack IRC channel on the Freenode network. You xlink:href="https://bugs.launchpad.net/glance"
can come by to hang out, ask questions, or get >Bugs : OpenStack Image Service (glance)</link></para>
immediate feedback for urgent and pressing issues. To </listitem>
get into the IRC channel you need to install an IRC <listitem>
client or use a browser-based client by going to <para><link
http://webchat.freenode.net/. You can also use xlink:href="https://bugs.launchpad.net/keystone"
Colloquy (Mac OS X, http://colloquy.info/) or mIRC >Bugs : OpenStack Identity (keystone)</link></para>
(Windows, http://www.mirc.com/) or XChat (Linux). When </listitem>
you are in the IRC channel and want to share code or <listitem>
command output, the generally accepted method is to <para><link
use a Paste Bin, the OpenStack project has one at xlink:href="https://bugs.launchpad.net/horizon"
http://paste.openstack.org. Just paste your longer >Bugs : OpenStack Dashboard (horizon)</link></para>
amounts of text or logs in the web form and you get a </listitem>
URL you can then paste into the channel. The OpenStack <listitem>
IRC channel is: #openstack on irc.freenode.net. A list <para><link
of all the OpenStack-related IRC channels is at <link xlink:href="https://bugs.launchpad.net/neutron"
xlink:href="https://wiki.openstack.org/wiki/IRC" >Bugs : OpenStack Networking (neutron)</link></para>
>https://wiki.openstack.org/wiki/IRC</link>.</para> </listitem>
</simplesect> <listitem>
</section> <para><link
xlink:href="https://bugs.launchpad.net/heat"
>Bugs : OpenStack Orchestration (heat)</link></para>
</listitem>
<listitem>
<para><link
xlink:href="https://bugs.launchpad.net/ceilometer"
>Bugs : OpenStack Metering (ceilometer)</link></para>
</listitem>
</itemizedlist>
</simplesect>
<simplesect>
<title>The OpenStack IRC channel</title>
<para>The OpenStack community lives and breathes in the
#openstack IRC channel on the Freenode network. You can
come by to hang out, ask questions, or get immediate
feedback for urgent and pressing issues. To get into the
IRC channel, you must install an IRC client or use a
browser-based client by going to <link
xlink:href="http://webchat.freenode.net"
>http://webchat.freenode.net/</link>. You can also use
Colloquy (Mac OS X, <link
xlink:href="http://colloquy.info/"
>http://colloquy.info/</link>), mIRC (Windows, <link
xlink:href="http://www.mirc.com/"
>http://www.mirc.com/</link>), or XChat (Linux). When
you are in the IRC channel and want to share code or
command output, the generally accepted method is to use a
Paste Bin. The OpenStack project has one at <link
xlink:href="http://paste.openstack.org"
>http://paste.openstack.org</link>. Just paste your
longer amounts of text or logs in the web form and you get
a URL you can paste into the channel. The OpenStack IRC
channel is: <literal>#openstack</literal> on
<literal>irc.freenode.net</literal>. You can find a
list of all OpenStack-related IRC channels at <link
xlink:href="https://wiki.openstack.org/wiki/IRC"
>https://wiki.openstack.org/wiki/IRC</link>.</para>
</simplesect>
</chapter> </chapter>
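Review bot: the first link in the ask.openstack.org <simplesect> is written as xlink:href="ask.openstack.org" with no scheme, so it resolves as a relative path and breaks in the built guide; use http://ask.openstack.org as the second link in the same paragraph does. The new link texts in the bugs list are inconsistent ("Bugs: OpenStack Compute (nova)" against "Bugs : OpenStack Object Storage (swift)" and the rest), and the mailing-list paragraph links to wiki.openstack.org/MailingLists twice in consecutive sentences. Since this chapter tells readers to paste command output, stack traces and logs into a public Q&A site, Launchpad and paste.openstack.org, add one sentence telling them to remove passwords, tokens and other credentials from that output first.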

View File

@ -4,11 +4,14 @@
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" version="5.0"
xml:id="ch_introduction-to-openstack-object-storage"> xml:id="ch_introduction-to-openstack-object-storage">
<title>Introduction to OpenStack Object Storage</title> <title>Introduction to Object Storage</title>
<para>OpenStack Object Storage is a scalable object storage system - it is not a file system in the <para>Object Storage is a scalable object storage system - it is
traditional sense. You will not be able to mount this system like traditional SAN or NAS volumes. not a file system in the traditional sense. You cannot mount
Since OpenStack Object Storage is a different way of thinking when it comes to storage, take a few this system like traditional SAN or NAS volumes. Because Object
moments to review the key concepts in the developer documentation at Storage requires a different way of thinking when it comes to
<link xlink:href="http://docs.openstack.org/developer/swift/">docs.openstack.org/developer/swift/</link>.</para> storage, take a few moments to review the key concepts in the
developer documentation at <link
xlink:href="http://docs.openstack.org/developer/swift/"
>docs.openstack.org/developer/swift/</link>.</para>
<!-- TODO Is this really the best we can do?--> <!-- TODO Is this really the best we can do?-->
</section> </section>
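Review bot: this paragraph is now word for word the text added to the Object Storage chapter in this commit, except that the first sentence here keeps the " - " join ("storage system - it is not a file system") while the chapter copy splits it into two sentences. Apply the same edit in both places, or better, keep the text only in this shared section and include it from the chapter. The "TODO Is this really the best we can do?" comment is left untouched below the rewritten paragraph; resolve it or file a bug and reference it.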

View File

@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="configure-dashboard-http"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Configure the dashboard for HTTP</title>
<?dbhtml stop-chunking?>
<para>You can configure the dashboard for a simple HTTP deployment. The standard installation
uses a non-encrypted HTTP channel.</para>
<procedure xml:id="dashboard-config-http">
<step>
<para>Specify the host for your OpenStack Identity
Service endpoint in the
<filename>/etc/openstack-dashboard/local_settings.py</filename>
file with the <literal>OPENSTACK_HOST</literal>
setting.</para>
<para>The following example shows this setting:</para>
<programlisting language="python"><?db-font-size 65%?><xi:include parse="text" href="samples/local_settings.py"/></programlisting>
<para>The service catalog configuration in the
Identity Service determines whether a service appears
in the dashboard. For the full listing, see
<link
xlink:href="http://docs.openstack.org/developer/horizon/topics/settings.html"
>Horizon Settings and
Configuration</link>.</para>
</step>
<step>
<para>Restart Apache and memcached:</para>
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput>
<prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
</step>
</procedure>
</section>
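Review bot: the new HTTP section ends its introduction at "The standard installation uses a non-encrypted HTTP channel" with no pointer to the HTTPS section, although dashboard logins travel over that channel. Add a note that this setup suits test environments and link to dashboard-config-https for anything else. The <procedure> has no <title>, and the section id configure-dashboard-http does not follow the dashboard-config-* pattern used by the procedure id in this file and by the HTTPS section id.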

View File

@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="dashboard-config-https" xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"><title>Configure the dashboard for HTTPS</title>
<para>You can configure the dashboard for a secured HTTPS deployment. While the standard installation
uses a non-encrypted HTTP channel, you can enable SSL support
for the dashboard.</para>
<procedure>
<para>The following example uses the domain,
"http://openstack.example.com." Use a domain that fits
your current setup.</para>
<step>
<para>In<filename>/etc/openstack-dashboard/local_settings.py</filename>
update the following
directives:</para><programlisting>USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True</programlisting>
<para>The first option is required to enable HTTPS.
The other recommended settings defend against
cross-site scripting and require HTTPS.</para>
</step>
<step>
<para>Edit
<filename>/etc/apache2/ports.conf</filename>
and add the following line:</para>
<programlisting>NameVirtualHost *:443</programlisting>
</step>
<step>
<para>Edit
<filename>/etc/apache2/conf.d/openstack-dashboard.conf:</filename></para>
<para>Before:</para>
<programlisting><?db-font-size 65%?>WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
Order allow,deny
Allow from all
&lt;/Directory&gt;</programlisting>
<para>After:</para>
<programlisting><?db-font-size 65%?>&lt;VirtualHost *:80&gt;
ServerName openstack.example.com
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
&lt;/IfModule&gt;
&lt;IfModule !mod_rewrite.c&gt;
RedirectPermanent / https://openstack.example.com
&lt;/IfModule&gt;
&lt;/VirtualHost&gt;
&lt;VirtualHost *:443&gt;
ServerName openstack.example.com
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
SetEnvIf User-Agent &quot;.*MSIE.*&quot; nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
Order allow,deny
Allow from all
&lt;/Directory&gt;
&lt;/VirtualHost&gt;</programlisting>
<para>In this configuration, Apache listens on the
port 443 and redirects all the hits to the HTTPS
protocol for all the non-secured requests. The secured
section defines the private key, public key, and
certificate to use.</para>
</step>
<step>
<para>Restart Apache and memcached:</para>
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput>
<prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
<para>If you try to access the dashboard through HTTP,
the browser redirects you to the HTTPS page.</para>
</step>
</procedure></section>
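Review bot: in the "After" listing, SSLCACertificateFile points at the same openstack.example.com.crt as SSLCertificateFile. That directive names the CA certificates used to verify client certificates; if the intent is to serve the issuing chain it belongs in SSLCertificateChainFile, otherwise drop the line. The port 80 redirect builds its target from %{HTTP_HOST}, which is taken from the request, while the fallback uses the fixed name; redirect to https://openstack.example.com in both branches. The closing paragraph says the secured section defines "the private key, public key, and certificate", but only a key and a certificate are configured, and the sentence after the settings step says the cookie settings "defend against cross-site scripting" when two of them restrict cookies to HTTPS and one keeps the session cookie away from scripts. Also fix the missing space in "In<filename>", the colon inside the <filename> element for openstack-dashboard.conf, and the http:// scheme on the example domain in an HTTPS procedure.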

View File

@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="vnc-window"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Change the size of the dashboard VNC window</title>
<para>The <filename>_detail_vnc.html</filename> file defines
the size of the VNC window. To change the window size, edit
this file.</para>
<procedure xml:id="adjust-vnc-window">
<step>
<para>Edit
<filename>/usr/share/pyshared/horizon/dashboards/nova/instances/templates/instances/_detail_vnc.html.</filename></para>
</step>
<step>
<para>Modify the <literal>width</literal> and
<literal>height</literal> parameters, as follows:</para>
<programlisting>&lt;iframe src="{{ vnc_url }}" width="720" height="430"&gt;&lt;/iframe&gt;</programlisting>
</step>
</procedure>
</section>
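Review bot: the path in step 1 ends with a period inside the <filename> element ("..._detail_vnc.html.</filename>"), so the rendered path is wrong when copied; move the period outside the element. The step also edits a template under /usr/share/pyshared, which a package upgrade will replace, and the procedure has no final step telling the reader to restart Apache the way the two sibling procedures do; add both points.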

View File

@ -5,134 +5,15 @@
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"> xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Configure the dashboard</title> <title>Configure the dashboard</title>
<?dbhtml stop-chunking?> <?dbhtml stop-chunking?>
<para>You can configure the dashboard for a simple HTTP deployment <para>You can configure the dashboard for a simple HTTP
or a secured HTTPS deployment. While the standard installation deployment. </para>
uses a non-encrypted HTTP channel, you can enable SSL support <para>You can configure the dashboard for a secured HTTPS
for the dashboard.</para> deployment. While the standard installation uses a
<procedure xml:id="dashboard-config-http"> non-encrypted HTTP channel, you can enable SSL support for the
<title>To configure the dashboard for HTTP</title> dashboard.</para>
<step> <para>Also, you can configure the size of the VNC window in the
<para>Specify the host for your OpenStack Identity dashboard. </para>
Service endpoint in the <xi:include href="section_dashboard-configure-http.xml"/>
<filename>/etc/openstack-dashboard/local_settings.py</filename> <xi:include href="section_dashboard-configure-https.xml"/>
file with the <literal>OPENSTACK_HOST</literal> <xi:include href="section_dashboard-configure-vnc-window.xml"/>
setting.</para>
<para>The following example shows this setting:</para>
<programlisting language="python"><?db-font-size 65%?><xi:include parse="text" href="samples/local_settings.py"/></programlisting>
<para>The service catalog configuration in the
Identity Service determines whether a service appears
in the dashboard. For the full listing, see
<link
xlink:href="http://docs.openstack.org/developer/horizon/topics/settings.html"
>Horizon Settings and
Configuration</link>.</para>
</step>
<step>
<para>Restart Apache and memcached:</para>
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput>
<prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
</step>
</procedure>
<procedure xml:id="dashboard-config-https">
<title>To configure the dashboard for HTTPS</title>
<para>The following example uses the domain,
"http://openstack.example.com." Use a domain that fits
your current setup.</para>
<step>
<para>In<filename>/etc/openstack-dashboard/local_settings.py</filename>
update the following
directives:<programlisting>USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True</programlisting></para>
<para>The first option is required to enable HTTPS.
The other recommended settings defend against
cross-site scripting and require HTTPS.</para>
</step>
<step>
<para>Edit
<filename>/etc/apache2/ports.conf</filename>
and add the following line:</para>
<programlisting>NameVirtualHost *:443</programlisting>
</step>
<step>
<para>Edit
<filename>/etc/apache2/conf.d/openstack-dashboard.conf:</filename></para>
<para>Before:</para>
<programlisting><?db-font-size 65%?>WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
Order allow,deny
Allow from all
&lt;/Directory&gt;</programlisting>
<para>After:</para>
<programlisting><?db-font-size 65%?>&lt;VirtualHost *:80&gt;
ServerName openstack.example.com
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
&lt;/IfModule&gt;
&lt;IfModule !mod_rewrite.c&gt;
RedirectPermanent / https://openstack.example.com
&lt;/IfModule&gt;
&lt;/VirtualHost&gt;
&lt;VirtualHost *:443&gt;
ServerName openstack.example.com
SSLEngine On
# Remember to replace certificates and keys with valid paths in your environment
SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
SetEnvIf User-Agent &quot;.*MSIE.*&quot; nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
&lt;Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi&gt;
Order allow,deny
Allow from all
&lt;/Directory&gt;
&lt;/VirtualHost&gt;</programlisting>
<para>In this configuration, Apache listens on the
port 443 and redirects all the hits to the HTTPS
protocol for all the non-secured requests. The secured
section defines the private key, public key, and
certificate to use.</para>
</step>
<step>
<para>Restart Apache and memcached:</para>
<screen><prompt>#</prompt> <userinput>service apache2 restart</userinput>
<prompt>#</prompt> <userinput>service memcached restart</userinput></screen>
<para>If you try to access the dashboard through HTTP,
the browser redirects you to the HTTPS page.</para>
</step>
</procedure>
<procedure xml:id="adjust-vnc-window">
<title>To adjust the dimensions of the VNC window in the
Dashboard</title>
<para>The <filename>_detail_vnc.html</filename> file defines
the size of the VNC window. To change the window size, edit
this file.</para>
<step>
<para>Edit
<filename>/usr/share/pyshared/horizon/dashboards/nova/instances/templates/instances/_detail_vnc.html.</filename></para>
</step>
<step>
<para>Modify the <literal>width</literal> and
<literal>height</literal> parameters, as follows:</para>
<programlisting>&lt;iframe src="{{ vnc_url }}" width="720" height="430"&gt;&lt;/iframe&gt;</programlisting>
</step>
</procedure>
</section> </section>
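Review bot: The HTTPS procedure removed here should be corrected as it moves into section_dashboard-configure-https.xml rather than carried over as is. Its intro gives the domain as "http://openstack.example.com." for an HTTPS setup. The sentence after the settings says the cookie options "defend against cross-site scripting" without separating the two Secure flags (cookies sent over HTTPS only) from SESSION_COOKIE_HTTPONLY (session cookie hidden from scripts). The sample points SSLCACertificateFile at the same file as SSLCertificateFile. The closing paragraph says Apache listens on port 443 and redirects non-secured requests, although the redirect is in the *:80 virtual host. On the added side, "deployment. </para>" and "dashboard. </para>" carry a stray space before the closing tag.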

View File

@ -5,93 +5,99 @@
<!ENTITY mdash "&#x2014;"> <!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;"> <!ENTITY hellip "&#x2026;">
]> ]>
<section xml:id="installing-openstack-dashboard" <section xml:id="install_dashboard"
xmlns="http://docbook.org/ns/docbook" xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"> xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Install and configure the dashboard</title> <?dbhtml stop-chunking?>
<title>Install the dashboard</title>
<para>Before you can install and configure the dashboard, meet the <para>Before you can install and configure the dashboard, meet the
requirements in <xref linkend="dashboard-system-requirements"/>.</para> requirements in <xref linkend="dashboard-system-requirements"
<para>For more information about how to deploy the dashboard, see <link />.</para>
<para>For more information about how to deploy the dashboard, see
<link
xlink:href="http://docs.openstack.org/developer/horizon/topics/deployment.html" xlink:href="http://docs.openstack.org/developer/horizon/topics/deployment.html"
>Deploying Horizon</link>.</para> >Deploying Horizon</link>.</para>
<procedure> <procedure>
<title>To install the dashboard</title>
<step> <step>
<para>Install the dashboard on the node that can contact the <para>Install the dashboard on the node that can contact
Identity Service as root:</para> the Identity Service as root:</para>
<screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install memcached libapache2-mod-wsgi openstack-dashboard</userinput></screen> <screen os="ubuntu" language="bash"><prompt>#</prompt> <userinput>apt-get install memcached libapache2-mod-wsgi openstack-dashboard</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install memcached python-memcached mod_wsgi openstack-dashboard</userinput></screen> <screen os="rhel;centos;fedora" language="bash"><prompt>#</prompt> <userinput>yum install memcached python-memcached mod_wsgi openstack-dashboard</userinput></screen>
<screen os="opensuse"><prompt>#</prompt> <userinput>zypper install memcached python-python-memcached apache2-mod_wsgi openstack-dashboard</userinput></screen> <screen os="opensuse" language="bash"><prompt>#</prompt> <userinput>zypper install memcached python-python-memcached apache2-mod_wsgi openstack-dashboard</userinput></screen>
</step> </step>
<step> <step>
<para>Modify the value of <para>Modify the value of
<literal>CACHES['default']['LOCATION']</literal> in <literal>CACHES['default']['LOCATION']</literal>
<filename os="ubuntu" in <filename os="ubuntu"
>/etc/openstack-dashboard/local_settings.py</filename><filename >/etc/openstack-dashboard/local_settings.py</filename><filename
os="centos;fedora;rhel" os="centos;fedora;rhel"
>/etc/openstack-dashboard/local_settings</filename><filename >/etc/openstack-dashboard/local_settings</filename><filename
os="opensuse">/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename> os="opensuse"
to match the ones set in <filename os="ubuntu" >/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename>
to match the ones set in <filename os="ubuntu"
>/etc/memcached.conf</filename><filename >/etc/memcached.conf</filename><filename
os="centos;fedora;rhel;opensuse" os="centos;fedora;rhel;opensuse"
>/etc/sysconfig/memcached.conf</filename>.</para> >/etc/sysconfig/memcached.conf</filename>.</para>
<para>Open <filename os="ubuntu" <para>Open <filename os="ubuntu"
>/etc/openstack-dashboard/local_settings.py</filename> >/etc/openstack-dashboard/local_settings.py</filename>
<filename os="centos;fedora;rhel" <filename os="centos;fedora;rhel"
>/etc/openstack-dashboard/local_settings</filename> and look >/etc/openstack-dashboard/local_settings</filename>
for this line:</para> and look for this line:</para>
<programlisting language="bash" linenumbering="unnumbered">CACHES = { <programlisting language="bash" linenumbering="unnumbered"><?db-font-size 75%?>CACHES = {
'default': { 'default': {
'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache', 'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION' : '127.0.0.1:11211' 'LOCATION' : '127.0.0.1:11211'
} }
}</programlisting> }</programlisting>
<note xlink:href="#installing-openstack-dashboard" <note xlink:href="#installing-openstack-dashboard"
xlink:title="Notes"> xlink:title="Notes">
<title>Notes</title> <title>Notes</title>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The address and port must match the ones set in <para>The address and port must match the ones
<filename os="ubuntu" set in <filename os="ubuntu"
>/etc/memcached.conf</filename><filename >/etc/memcached.conf</filename><filename
os="centos;fedora;rhel;opensuse" os="centos;fedora;rhel;opensuse"
>/etc/sysconfig/memcached</filename>.</para> >/etc/sysconfig/memcached</filename>.</para>
<para>If you change the memcached settings, you must <para>If you change the memcached settings,
restart the Apache web server for the changes to you must restart the Apache web server for
take effect.</para> the changes to take effect.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You can use options other than memcached option <para>You can use options other than memcached
for session storage. Set the session back-end option for session storage. Set the
through the <parameter>SESSION_ENGINE</parameter> session back-end through the
<parameter>SESSION_ENGINE</parameter>
option.</para> option.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>To change the timezone, use the dashboard or edit <para>To change the timezone, use the
the <filename os="centos;fedora;rhel" dashboard or edit the <filename
os="centos;fedora;rhel"
>/etc/openstack-dashboard/local_settings</filename><filename >/etc/openstack-dashboard/local_settings</filename><filename
os="ubuntu" os="ubuntu"
>/etc/openstack-dashboard/local_settings.py</filename><filename >/etc/openstack-dashboard/local_settings.py</filename><filename
os="opensuse" os="opensuse"
>/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename> >/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename>
file.</para> file.</para>
<para>Change the following parameter: <code>TIME_ZONE = <para>Change the following parameter:
"UTC"</code> <code>TIME_ZONE = "UTC"</code>
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</note> </note>
</step> </step>
<step> <step>
<para>Make sure that the web browser on your local machine supports <para>Make sure that the web browser on your local machine
HTML5.</para> supports HTML5.</para>
<para>Enable cookies and JavaScript.</para> <para>Enable cookies and JavaScript.</para>
<note> <note>
<para>To use the VNC client with the dashboard, the browser must <para>To use the VNC client with the dashboard, the
support HTML5 Canvas and HTML5 WebSockets.</para> browser must support HTML5 Canvas and HTML5
<para>For details about browsers that support noVNC, see <link WebSockets.</para>
<para>For details about browsers that support noVNC,
see <link
xlink:href="https://github.com/kanaka/noVNC/blob/master/README.md" xlink:href="https://github.com/kanaka/noVNC/blob/master/README.md"
>https://github.com/kanaka/noVNC/blob/master/README.md</link>, >https://github.com/kanaka/noVNC/blob/master/README.md</link>,
and <link and <link
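Review bot: The section id changes to install_dashboard at the top of this hunk, but the note element around the memcached notes still carries xlink:href="#installing-openstack-dashboard", which now points at an id this file no longer defines; update the attribute or drop it. In the same hunk the CACHES listing is Python but stays tagged language="bash", and the memcached configuration file is named /etc/sysconfig/memcached.conf in the step text and /etc/sysconfig/memcached in the note, so one of the two paths needs correcting.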
@ -99,6 +105,5 @@
>https://github.com/kanaka/noVNC/wiki/Browser-support</link>.</para> >https://github.com/kanaka/noVNC/wiki/Browser-support</link>.</para>
</note> </note>
</step> </step>
</procedure> </procedure>
<xi:include href="section_dashboard-configure.xml"/>
</section> </section>
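Review bot: Dropping the xi:include of section_dashboard-configure.xml from the end of this section orphans the configuration content unless another file now pulls it in, and nothing in this hunk shows the replacement include. Please confirm where the file is included after this change, or keep the include here.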

View File

@ -34,7 +34,7 @@
might differ by platform.</para> might differ by platform.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Then, <link linkend="installing-openstack-dashboard" <para>Then, <link linkend="ch_install-dashboard"
>install and configure the dashboard</link> on a node that >install and configure the dashboard</link> on a node that
can contact the Identity Service.</para> can contact the Identity Service.</para>
<para>Provide users with the following information so that they <para>Provide users with the following information so that they
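Review bot: The new linkend="ch_install-dashboard" does not match the id this commit gives the install section (xml:id="install_dashboard"), so check that an element with the id ch_install-dashboard exists in the build; otherwise the cross-reference will not resolve. The link text also still reads "install and configure the dashboard" while the section is retitled "Install the dashboard".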

View File

@ -15,13 +15,14 @@
<para>Canonical also provides an <para>Canonical also provides an
<literal>openstack-dashboard-ubuntu-theme</literal> <literal>openstack-dashboard-ubuntu-theme</literal>
package that brands the Python-based Django interface.</para> package that brands the Python-based Django interface.</para>
<para>The following example shows a customized dashboard with <!-- The following diagrams are sized incorrectly and will add back later -->
<!--<para>The following example shows a customized dashboard with
custom colors, logo, and site title:</para> custom colors, logo, and site title:</para>
<mediaobject> <mediaobject>
<imageobject role="fo"> <imageobject role="fo">
<imagedata <imagedata
fileref="figures/Login-OpenStack-Dashboard.png" fileref="figures/Login-OpenStack-Dashboard.png"
format="PNG" scale="60"/> format="PNG" scale="40"/>
</imageobject> </imageobject>
<imageobject role="html"> <imageobject role="html">
<imagedata <imagedata
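Review bot: The XML comment opened before the "The following example shows a customized dashboard" paragraph hides the intro sentence and both screenshots with only "will add back later" as a marker, which is easy to lose track of; reference a bug number in the comment or fix the sizing in this change. Changing scale from 60 to 40 inside the block that is being commented out has no effect on the output.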
@ -33,16 +34,15 @@
<imageobject role="fo"> <imageobject role="fo">
<imagedata <imagedata
fileref="figures/Flavors-TGen-Cloud-Dashboard.png" fileref="figures/Flavors-TGen-Cloud-Dashboard.png"
format="PNG" scale="60"/> format="PNG" scale="40"/>
</imageobject> </imageobject>
<imageobject role="html"> <imageobject role="html">
<imagedata <imagedata
fileref="figures/Flavors-TGen-Cloud-Dashboard.png" fileref="figures/Flavors-TGen-Cloud-Dashboard.png"
format="PNG"/> format="PNG"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>-->
<procedure> <procedure>
<title>To customize the dashboard:</title>
<step> <step>
<para>Create a graphical logo with a transparent <para>Create a graphical logo with a transparent
background. The text <literal>TGen Cloud</literal> in background. The text <literal>TGen Cloud</literal> in
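Review bot: Removing the title "To customize the dashboard:" leaves this procedure untitled, while the install file in the same commit gains a title ("To install the dashboard"). For consistency, keep the title and drop only the trailing colon.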
@ -76,7 +76,7 @@
appropriate, though the relative directory paths appropriate, though the relative directory paths
should be the same. The following example file shows should be the same. The following example file shows
you how to customize your CSS you how to customize your CSS
file:<programlisting><?db-font-size 65%?>/* file:</para><programlisting><?db-font-size 65%?>/*
* New theme colors for dashboard that override the defaults: * New theme colors for dashboard that override the defaults:
* dark blue: #355796 / rgb(53, 87, 150) * dark blue: #355796 / rgb(53, 87, 150)
* light blue: #BAD3E1 / rgb(186, 211, 225) * light blue: #BAD3E1 / rgb(186, 211, 225)
@ -108,7 +108,7 @@ border: none;
box-shadow: none; box-shadow: none;
background-color: #BAD3E1 !important; background-color: #BAD3E1 !important;
text-decoration: none; text-decoration: none;
}</programlisting></para> }</programlisting>
</step> </step>
<step> <step>
<para>Open the following HTML template in an editor: <para>Open the following HTML template in an editor:
@ -116,12 +116,12 @@ text-decoration: none;
</step> </step>
<step> <step>
<para>Add a line to include your <para>Add a line to include your
<filename>custom.css</filename> file: <filename>custom.css</filename> file:</para>
<programlisting><?db-font-size 65%?>... <programlisting><?db-font-size 65%?>...
&lt;link href='{{ STATIC_URL }}bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet' /&gt; &lt;link href='{{ STATIC_URL }}bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet' /&gt;
&lt;link href='{{ STATIC_URL }}dashboard/css/{% choose_css %}' media='screen' rel='stylesheet' /&gt; &lt;link href='{{ STATIC_URL }}dashboard/css/{% choose_css %}' media='screen' rel='stylesheet' /&gt;
<emphasis>&lt;link href='{{ STATIC_URL }}dashboard/css/custom.css' media='screen' rel='stylesheet' /&gt;</emphasis> <emphasis>&lt;link href='{{ STATIC_URL }}dashboard/css/custom.css' media='screen' rel='stylesheet' /&gt;</emphasis>
...</programlisting></para> ...</programlisting>
</step> </step>
<step> <step>
<para>Restart apache:</para> <para>Restart apache:</para>

View File

@ -6,9 +6,9 @@
<title>Set up session storage for the dashboard</title> <title>Set up session storage for the dashboard</title>
<para>The dashboard uses <link <para>The dashboard uses <link
xlink:href="https://docs.djangoproject.com/en/dev/topics/http/sessions/" xlink:href="https://docs.djangoproject.com/en/dev/topics/http/sessions/"
>Djangos sessions framework</link> to handle user session >Django sessions framework</link> to handle user session
data. However, you can use any available session backend. You data. However, you can use any available session back end. You
customize the session backend through the customize the session back end through the
<literal>SESSION_ENGINE</literal> setting in your <literal>SESSION_ENGINE</literal> setting in your
<filename os="centos;fedora;rhel"> <filename os="centos;fedora;rhel">
/etc/openstack-dashboard/local_settings</filename> /etc/openstack-dashboard/local_settings</filename>
@ -20,7 +20,7 @@
<section xml:id="dashboard-session-local"> <section xml:id="dashboard-session-local">
<title>Local memory cache</title> <title>Local memory cache</title>
<para>Local memory storage is the quickest and easiest session <para>Local memory storage is the quickest and easiest session
backend to set up, as it has no external dependencies back end to set up, as it has no external dependencies
whatsoever. It has the following significant whatsoever. It has the following significant
drawbacks:</para> drawbacks:</para>
<itemizedlist> <itemizedlist>
@ -33,11 +33,11 @@
terminates.</para> terminates.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The local memory backend is enabled as the default for <para>The local memory back end is enabled as the default for
Horizon solely because it has no dependencies. It is not Horizon solely because it has no dependencies. It is not
recommended for production use, or even for serious recommended for production use, or even for serious
development work. Enabled by:</para> development work. Enabled by:</para>
<programlisting language="python">SESSION_ENGINE = 'django.contrib.sessions.backends.cache' <programlisting language="python"><?db-font-size 75%?>SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = { CACHES = {
'BACKEND': 'django.core.cache.backends.locmem.LocMemCache' 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache'
}</programlisting> }</programlisting>
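Review bot: The local-memory sample edited here puts 'BACKEND' directly under CACHES, but Django reads cache aliases at that level and expects a 'default' entry, as the Redis sample and the install section's CACHES['default']['LOCATION'] in this same commit show. Since the listing line is being touched anyway, nest the back end under 'default' so the snippet works when pasted into local_settings.py.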
@ -62,7 +62,7 @@ CACHES = {
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Enabled by:</para> <para>Enabled by:</para>
<programlisting language="python">SESSION_ENGINE = 'django.contrib.sessions.backends.cache' <programlisting language="python"><?db-font-size 75%?>SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = { CACHES = {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache' 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache'
'LOCATION': 'my_memcached_host:11211', 'LOCATION': 'my_memcached_host:11211',
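Review bot: In the memcached sample, the 'BACKEND' line has no trailing comma before the 'LOCATION' line, so the snippet is a Python syntax error as written. It also lacks the 'default' alias level that the Redis sample uses; fix both while the listing is being edited.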
@ -82,7 +82,7 @@ CACHES = {
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Enabled by:</para> <para>Enabled by:</para>
<programlisting language="python">SESSION_ENGINE = 'django.contrib.sessions.backends.cache' <programlisting language="python"><?db-font-size 75%?>SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = { CACHES = {
"default": { "default": {
"BACKEND": "redis_cache.cache.RedisCache", "BACKEND": "redis_cache.cache.RedisCache",
@ -136,7 +136,7 @@ CACHES = {
<filename os="opensuse" <filename os="opensuse"
>/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename> >/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py</filename>
file, change these options:</para> file, change these options:</para>
<programlisting language="python">SESSION_ENGINE = 'django.core.cache.backends.db.DatabaseCache' <programlisting language="python"><?db-font-size 75%?>SESSION_ENGINE = 'django.core.cache.backends.db.DatabaseCache'
DATABASES = { DATABASES = {
'default': { 'default': {
# Database configuration here # Database configuration here
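Review bot: SESSION_ENGINE in this listing is set to 'django.core.cache.backends.db.DatabaseCache', which is a cache back end rather than a session engine; the database-backed session engine in Django is 'django.contrib.sessions.backends.db'. The font-size instruction is added to the line without correcting the value, so readers who copy it will not get database-backed sessions.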
@ -189,20 +189,20 @@ No fixtures found.</computeroutput></screen>
<section xml:id="dashboard-session-cached-database"> <section xml:id="dashboard-session-cached-database">
<title>Cached database</title> <title>Cached database</title>
<para>To mitigate the performance issues of database queries, <para>To mitigate the performance issues of database queries,
you can use the Django cached_db session backend, which you can use the Django cached_db session back end, which
utilizes both your database and caching infrastructure to utilizes both your database and caching infrastructure to
perform write-through caching and efficient retrieval.</para> perform write-through caching and efficient retrieval.</para>
<para>Enable this hybrid setting by configuring both your <para>Enable this hybrid setting by configuring both your
database and cache, as discussed previously. Then, set the database and cache, as discussed previously. Then, set the
following value:</para> following value:</para>
<programlisting language="python">SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"</programlisting> <programlisting language="python"><?db-font-size 75%?>SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"</programlisting>
</section> </section>
<section xml:id="dashboard-session-cookies"> <section xml:id="dashboard-session-cookies">
<title>Cookies</title> <title>Cookies</title>
<para>If you use Django 1.4 or later, the signed_cookies <para>If you use Django 1.4 or later, the signed_cookies
backend avoids server load and scaling problems.</para> back end avoids server load and scaling problems.</para>
<para>This backend stores session data in a cookie, which is <para>This back end stores session data in a cookie, which is
stored by the users browser. The backend uses a stored by the users browser. The back end uses a
cryptographic signing technique to ensure session data is cryptographic signing technique to ensure session data is
not tampered with during transport. This is not the same not tampered with during transport. This is not the same
as encryption; session data is still readable by an as encryption; session data is still readable by an

View File

@ -161,7 +161,7 @@ arg_dict: {}
<parameter>--keystone-user</parameter> and <parameter>--keystone-user</parameter> and
<parameter>--keystone-group</parameter> parameters, <parameter>--keystone-group</parameter> parameters,
you get an error, as follows:</para> you get an error, as follows:</para>
<screen><computeroutput>2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file <screen><?db-font-size 75%?><computeroutput>2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file
/etc/keystone/ssl/private/signing_key.pem /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission 140380567730016:error:0200100D:system library:fopen:Permission
denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r') denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')

View File

@ -5,10 +5,12 @@
xml:id="keystone-concepts"> xml:id="keystone-concepts">
<?dbhtml stop-chunking?> <?dbhtml stop-chunking?>
<title>Identity Service concepts</title> <title>Identity Service concepts</title>
<para>The Identity Service performs the following functions:</para> <para>The Identity Service performs the following
functions:</para>
<itemizedlist spacing="compact"> <itemizedlist spacing="compact">
<listitem> <listitem>
<para>User management. Tracks users and their permissions.</para> <para>User management. Tracks users and their
permissions.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Service catalog. Provides a catalog of available <para>Service catalog. Provides a catalog of available
@ -17,55 +19,47 @@
</itemizedlist> </itemizedlist>
<para>To understand the Identity Service, you must understand the <para>To understand the Identity Service, you must understand the
following concepts:</para> following concepts:</para>
<variablelist> <variablelist wordsize="10">
<varlistentry> <varlistentry>
<term>User</term> <term><emphasis role="bold">User</emphasis></term>
<listitem> <listitem>
<para>Digital representation of a person, system, or service <para>Digital representation of a person, system, or
who uses OpenStack cloud services. Identity authentication service who uses OpenStack cloud services. The
services will validate that incoming request are being made Identity Service validates that incoming requests
by the user who claims to be making the call. Users have a are made by the user who claims to be making the
login and may be assigned tokens to access resources. Users call. Users have a login and may be assigned
may be directly assigned to a particular tenant and behave tokens to access resources. Users can be directly
as if they are contained in that tenant. assigned to a particular tenant and behave as if
</para> they are contained in that tenant.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Credentials</term> <term><emphasis role="bold">Credentials</emphasis></term>
<listitem> <listitem>
<para>Data that is known only by a user that proves <para>Data that is known only by a user that proves
who they are. In the Identity Service, examples who they are. In the Identity Service, examples
are:</para> are: User name and password, user name and API
<itemizedlist> key, or an authentication token provided by the
<listitem> Identity Service.</para>
<para>Username and password</para>
</listitem>
<listitem>
<para>Username and API key</para>
</listitem>
<listitem>
<para>An authentication token provided by the
Identity Service</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Authentication</term> <term><emphasis role="bold"
>Authentication</emphasis></term>
<listitem> <listitem>
<para>The act of confirming the identity of a user. <para>The act of confirming the identity of a user.
The Identity Service confirms an incoming request The Identity Service confirms an incoming request
by validating a set of credentials supplied by the by validating a set of credentials supplied by the
user. These credentials are initially a username user. </para>
and password or a username and API key. In <para>These credentials are initially a user name and
response to these credentials, the Identity password or a user name and API key. In response
Service issues the user an authentication token, to these credentials, the Identity Service issues
which the user provides in subsequent requests.</para> an authentication token to the user, which the
user provides in subsequent requests.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Token</term> <term><emphasis role="bold">Token</emphasis></term>
<listitem> <listitem>
<para>An arbitrary bit of text that is used to access <para>An arbitrary bit of text that is used to access
resources. Each token has a scope which describes resources. Each token has a scope which describes
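Review bot: Folding the credentials list into one sentence leaves "examples are: User name and password, user name and API key, ..." with a stray capital after the colon, and the third example (a token provided by the Identity Service) now reads oddly under "Data that is known only by a user". Lowercase "user name" and consider keeping the itemizedlist, which was easier to scan.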
@ -82,7 +76,7 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Tenant</term> <term><emphasis role="bold">Tenant</emphasis></term>
<listitem> <listitem>
<para>A container used to group or isolate resources <para>A container used to group or isolate resources
and/or identity objects. Depending on the service and/or identity objects. Depending on the service
@ -91,16 +85,17 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Service</term> <term><emphasis role="bold">Service</emphasis></term>
<listitem> <listitem>
<para>An OpenStack service, such as Compute (Nova), <para>An OpenStack service, such as Compute (Nova),
Object Storage (Swift), or Image Service (Glance). Object Storage (Swift), or Image Service (Glance).
Provides one or more endpoints through which users Provides one or more endpoints through which users
can access resources and perform operations.</para> can access resources and perform
operations.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Endpoint</term> <term><emphasis role="bold">Endpoint</emphasis></term>
<listitem> <listitem>
<para>An network-accessible address, usually described <para>An network-accessible address, usually described
by URL, from where you access a service. If using by URL, from where you access a service. If using
@ -111,7 +106,7 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Role</term> <term><emphasis role="bold">Role</emphasis></term>
<listitem> <listitem>
<para>A personality that a user assumes that enables <para>A personality that a user assumes that enables
them to perform a specific set of operations. A them to perform a specific set of operations. A
@ -119,28 +114,29 @@
user assuming that role inherits those rights and user assuming that role inherits those rights and
privileges.</para> privileges.</para>
<para>In the Identity Service, a token that is issued <para>In the Identity Service, a token that is issued
to a user includes the list of roles that user can to a user includes the list of roles that user
assume. Services that are being called by that has. Services that are being called by that user
user determine how they interpret the set of roles determine how they interpret the set of roles a
a user has and which operations or resources each user has and to which operations or resources each
role grants access to.</para> role grants access.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para> <para>The following diagram shows the Identity Service process
<mediaobject> flow:</para>
<imageobject role="fo"> <mediaobject>
<imagedata <imageobject role="fo">
fileref="figures/SCH_5002_V00_NUAC-Keystone.png" <imagedata
format="PNG" scale="50"/> fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
</imageobject> format="PNG" scale="40"/>
<imageobject role="html"> </imageobject>
<imagedata <imageobject role="html">
fileref="figures/SCH_5002_V00_NUAC-Keystone.png" <imagedata
format="PNG" scale="10"/> fileref="figures/SCH_5002_V00_NUAC-Keystone.png"
</imageobject> format="PNG" scale="10"/>
</mediaobject> </imageobject>
</para> </mediaobject>
<?hard-pagebreak?>
<section xml:id="keystone-user-management"> <section xml:id="keystone-user-management">
<title>User management</title> <title>User management</title>
<para>The main components of Identity user management are: <itemizedlist> <para>The main components of Identity user management are: <itemizedlist>
@ -155,15 +151,17 @@
</listitem> </listitem>
</itemizedlist></para> </itemizedlist></para>
<para>A <emphasis>user</emphasis> represents a human user, and <para>A <emphasis>user</emphasis> represents a human user, and
has associated information such as username, password and has associated information such as user name, password,
email. This example creates a user named "alice":</para> and email. This example creates a user named
<screen><prompt>$</prompt> <userinput>keystone user-create --name=alice --pass=mypassword123 --email=alice@example.com</userinput></screen> "alice":</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name=alice \
--pass=mypassword123 --email=alice@example.com</userinput></screen>
<para>A <emphasis>tenant</emphasis> can be a project, group, <para>A <emphasis>tenant</emphasis> can be a project, group,
or organization. Whenever you make requests to OpenStack or organization. Whenever you make requests to OpenStack
services, you must specify a tenant. For example, if you services, you must specify a tenant. For example, if you
query the Compute service for a list of running instances, query the Compute service for a list of running instances,
you will receive a list of all of the running instances in you receive a list of all of the running instances in the
the tenant you specified in your query. This example tenant that you specified in your query. This example
creates a tenant named "acme":</para> creates a tenant named "acme":</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name=acme</userinput></screen> <screen><prompt>$</prompt> <userinput>keystone tenant-create --name=acme</userinput></screen>
<note> <note>
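Review bot: The reflowed "keystone user-create" example still passes a literal password on the command line ("--pass=mypassword123"), which ends up in shell history and is visible in the process list while the command runs, and readers tend to copy documentation examples verbatim. Since the line is being touched anyway, mark the value as a placeholder with <replaceable> so it is clearly not a value to reuse. Also note that <screen> preserves whitespace, so any indentation in front of the new continuation line "--pass=mypassword123 --email=alice@example.com" renders literally; check the built output.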
@ -185,10 +183,11 @@
roles. As far as the Identity service is concerned, a roles. As far as the Identity service is concerned, a
role is simply a name.</para> role is simply a name.</para>
</note> </note>
<?hard-pagebreak?>
<para>The Identity service associates a user with a tenant and <para>The Identity service associates a user with a tenant and
a role. To continue with our previous examples, we may a role. To continue with the previous examples, you might
wish to assign the "alice" user the "compute-user" role in to assign the "alice" user the "compute-user" role in the
the "acme" tenant:</para> "acme" tenant:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen> <screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<screen><computeroutput>+--------+---------+-------------------+--------+ <screen><computeroutput>+--------+---------+-------------------+--------+
| id | enabled | email | name | | id | enabled | email | name |
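Review bot: The rewritten sentence "you might to assign the "alice" user the "compute-user" role" lost a verb when "we may wish to" was replaced. It should read "you might want to assign" or simply "you might assign".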
@ -209,44 +208,47 @@
+--------+------+---------+</computeroutput></screen> +--------+------+---------+</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2</userinput> </screen> <screen><prompt>$</prompt> <userinput>keystone user-role-add --user=892585 --role=9a764e --tenant-id=6b8fd2</userinput> </screen>
<para>A user can be assigned different roles in different <para>A user can be assigned different roles in different
tenants: for example, Alice may also have the "admin" role tenants: for example, Alice might also have the "admin"
in the "Cyberdyne" tenant. A user can also be assigned role in the "Cyberdyne" tenant. A user can also be
multiple roles in the same tenant.</para> assigned multiple roles in the same tenant.</para>
<para>The <para>The
<filename>/etc/<replaceable>[SERVICE_CODENAME]</replaceable>/policy.json</filename> <filename>/etc/<replaceable>[SERVICE_CODENAME]</replaceable>/policy.json</filename>
file controls what users are allowed to do for a given service. file controls the tasks that users can perform for a given
For example, <filename>/etc/nova/policy.json</filename> service. For example,
specifies the access policy for the Compute service, <filename>/etc/nova/policy.json</filename> specifies
the access policy for the Compute service,
<filename>/etc/glance/policy.json</filename> specifies <filename>/etc/glance/policy.json</filename> specifies
the access policy for the Image service, and the access policy for the Image service, and
<filename>/etc/keystone/policy.json</filename> <filename>/etc/keystone/policy.json</filename>
specifies the access policy for the Identity service.</para> specifies the access policy for the Identity
service.</para>
<para>The default <filename>policy.json</filename> files in <para>The default <filename>policy.json</filename> files in
the Compute, Identity, and Image service recognize only the Compute, Identity, and Image service recognize only
the <literal>admin</literal> role: all operations that do the <literal>admin</literal> role: all operations that do
not require the <literal>admin</literal> role will be not require the <literal>admin</literal> role are
accessible by any user that has any role in a tenant.</para> accessible by any user that has any role in a
tenant.</para>
<para>If you wish to restrict users from performing operations <para>If you wish to restrict users from performing operations
in, say, the Compute service, you need to create a role in in, say, the Compute service, you need to create a role in
the Identity service and then modify the Identity service and then modify
<filename>/etc/nova/policy.json</filename> so that <filename>/etc/nova/policy.json</filename> so that
this role is required for Compute operations.</para> this role is required for Compute operations.</para>
<?hard-pagebreak?>
<para>For example, this line in <para>For example, this line in
<filename>/etc/nova/policy.json</filename> specifies <filename>/etc/nova/policy.json</filename> specifies
that there are no restrictions on which users can create that there are no restrictions on which users can create
volumes: if the user has any role in a tenant, they will volumes: if the user has any role in a tenant, they can
be able to create volumes in that tenant.</para> create volumes in that tenant.</para>
<programlisting language="json">"volume:create": [],</programlisting> <programlisting language="json">"volume:create": [],</programlisting>
<para>If we wished to restrict creation of volumes to users <para>To restrict creation of volumes to users who had the
who had the <literal>compute-user</literal> role in a <literal>compute-user</literal> role in a particular
particular tenant, we would add tenant, you would add
<literal>"role:compute-user"</literal>, like so:</para> <literal>"role:compute-user"</literal>, like
so:</para>
<programlisting language="json">"volume:create": ["role:compute-user"],</programlisting> <programlisting language="json">"volume:create": ["role:compute-user"],</programlisting>
<para> <para>To restrict all Compute service requests to require this
If we wished to restrict all Compute service requests to require role, the resulting file would look like:</para>
this role, the resulting file would look like: <programlisting language="json"><?db-font-size 50%?>{
</para>
<programlisting language="json">{
"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]], "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
"default": [["rule:admin_or_owner"]], "default": [["rule:admin_or_owner"]],
@ -363,59 +365,81 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The Identity Service also maintains a user that <para>The Identity Service also maintains a user that
corresponds to each service (such as, a user named corresponds to each service, such as, a user named
<emphasis>nova</emphasis>, for the Compute service) <emphasis>nova</emphasis> for the Compute service, and
and a special service tenant, which is called a special service tenant called
<emphasis>service</emphasis>.</para> <emphasis>service</emphasis>.</para>
<para>The commands for creating services and endpoints are <para>For information about how to create services and
described in a later section.</para> endpoints, see the <link
xlink:href="http://docs.openstack.org/user-guide-admin/content/index.html"
><citetitle>OpenStack Admin User
Guide</citetitle></link>.</para>
</section> </section>
<?hard-pagebreak?>
<section xml:id="identity-groups"> <section xml:id="identity-groups">
<title>Groups</title> <title>Groups</title>
<para> <para>A group is a collection of users. Administrators can
A group is a collection of users. create groups and add users to them. Then, rather than
Administrators can create groups and add users to them. assign a role to each user individually, assign a role to
Then, rather than assign a role to each user individually, the group. Every group is in a domain. Groups were
assign a role to the group. introduced with version 3 of the Identity API (the Grizzly
</para> release of Keystone).</para>
<para> <para>Identity API V3 provides the following group-related
Every group is in a domain. Groups were introduced with version 3 of the operations:</para>
Identity API (the Grizzly release of Keystone).
</para>
<para>
Identity API V3 provides the following group-related operations:
</para>
<itemizedlist> <itemizedlist>
<listitem><para>Create a group</para></listitem> <listitem>
<listitem><para>Delete a group</para></listitem> <para>Create a group</para>
<listitem><para>Update a group (change its name or description)</para></listitem> </listitem>
<listitem><para>Add a user to a group</para></listitem> <listitem>
<listitem><para>Remove a user from a group</para></listitem> <para>Delete a group</para>
<listitem><para>List group members</para></listitem> </listitem>
<listitem><para>List groups for a user</para></listitem> <listitem>
<listitem><para>Assign a role on a tenant to a group</para></listitem> <para>Update a group (change its name or
<listitem><para>Assign a role on a domain to a group</para></listitem> description)</para>
<listitem><para>Query role assignments to groups</para></listitem> </listitem>
<listitem>
<para>Add a user to a group</para>
</listitem>
<listitem>
<para>Remove a user from a group</para>
</listitem>
<listitem>
<para>List group members</para>
</listitem>
<listitem>
<para>List groups for a user</para>
</listitem>
<listitem>
<para>Assign a role on a tenant to a group</para>
</listitem>
<listitem>
<para>Assign a role on a domain to a group</para>
</listitem>
<listitem>
<para>Query role assignments to groups</para>
</listitem>
</itemizedlist> </itemizedlist>
<note> <note>
<para> <para>The Identity service server might not allow all
Not all of these operations may be allowed by the Identity server. operations. For example, if using the Keystone server
For example, if using the Keystone server with the LDAP Identity backend and with the LDAP Identity back end and group updates are
group updates are disabled, then a request to create, delete, or update a group disabled, then a request to create, delete, or update
will fail. a group fails.</para>
</para>
</note> </note>
<para> <para>Here are a couple examples:</para>
Here's a couple examples: <itemizedlist>
</para><para> <listitem>
Group A is granted Role A on Tenant A. If User A is a member of Group A, <para>Group A is granted Role A on Tenant A. If User A
then when User A gets a token scoped to Tenant A then the token will also is a member of Group A, when User A gets a token
include Role A. scoped to Tenant A, the token also includes Role
</para><para> A.</para>
Group B is granted Role B on Domain B. If User B is a member of Domain B, </listitem>
then if User B gets a token scoped to Domain B then the token will also <listitem>
include Role B. <para>Group B is granted Role B on Domain B. If User B
</para> is a member of Domain B, if User B gets a token
scoped to Domain B, the token also includes Role
B.</para>
</listitem>
</itemizedlist>
</section> </section>
</section> </section>
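Review bot: In the second group example, now a list item, the text still says "If User B is a member of Domain B" although the role was granted to Group B; for the token to include Role B through the group assignment, the user has to be a member of Group B, parallel to the first example ("If User A is a member of Group A"). The conversion to a list carried the old wording over, so please fix it here, and drop the doubled "if" in "is a member of Domain B, if User B gets a token". Smaller points: "such as, a user named nova" should not have a comma after "such as", and the new link for creating services and endpoints points at the index page of the OpenStack Admin User Guide rather than at the section that covers them.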

View File

@ -54,6 +54,7 @@
</tr> </tr>
</tbody> </tbody>
</table> </table>
<?hard-pagebreak?>
<para>Other points of note include: <itemizedlist> <para>Other points of note include: <itemizedlist>
<listitem> <listitem>
<para><emphasis>OpenStack Object Storage is not used like a <para><emphasis>OpenStack Object Storage is not used like a
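Review bot: The only change here is a "<?hard-pagebreak?>" between the end of the table and "Other points of note include:", which ties the break to the current length of the table. If rows are added or removed later, the forced break can leave a mostly empty page, so please say in the commit message or an XML comment why the break is needed at this spot.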

View File

@ -123,9 +123,10 @@
can then delete. For can then delete. For
example:<screen><prompt>$</prompt> <userinput>nova reset-state c6bbbf26-b40a-47e7-8d5c-eb17bf65c485</userinput> example:<screen><prompt>$</prompt> <userinput>nova reset-state c6bbbf26-b40a-47e7-8d5c-eb17bf65c485</userinput>
<prompt>$</prompt> <userinput>nova delete c6bbbf26-b40a-47e7-8d5c-eb17bf65c485</userinput></screen></para> <prompt>$</prompt> <userinput>nova delete c6bbbf26-b40a-47e7-8d5c-eb17bf65c485</userinput></screen></para>
<para>You can also use the <literal>--active</literal> to force the instance back into <para>You can also use the <literal>--active</literal> to
an active state instead of an error state, for example:<screen><prompt>$</prompt> <userinput>nova reset-state --active c6bbbf26-b40a-47e7-8d5c-eb17bf65c485</userinput></screen> force the instance back into an active state instead of an
</para> error state, for
example:<screen><prompt>$</prompt> <userinput>nova reset-state --active c6bbbf26-b40a-47e7-8d5c-eb17bf65c485</userinput> </screen></para>
</section> </section>
<section xml:id="problems-with-injection"> <section xml:id="problems-with-injection">
<title>Problems with Injection</title> <title>Problems with Injection</title>
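Review bot: The reflowed sentence "You can also use the <literal>--active</literal> to force the instance back into an active state" is missing a noun after the literal; it should read "the --active option" (or "parameter", whichever term the guide uses). The new version also introduces a space between "</userinput>" and "</screen>", which <screen> renders as trailing whitespace in the example; close the element directly after "</userinput>" as the reset-state and delete example just above does.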

View File

@ -14,7 +14,7 @@
OpenStack Compute cloud controller through the OpenStack APIs.</para> OpenStack Compute cloud controller through the OpenStack APIs.</para>
<para>The following instructions show an example deployment <para>The following instructions show an example deployment
configured with an Apache web server.</para> configured with an Apache web server.</para>
<para>After you <link linkend="installing-openstack-dashboard" <para>After you <link linkend="ch_install-dashboard"
>install and configure the dashboard</link>, you can >install and configure the dashboard</link>, you can
complete the following tasks:</para> complete the following tasks:</para>
<itemizedlist> <itemizedlist>
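Review bot: The link target changes from linkend="installing-openstack-dashboard" to linkend="ch_install-dashboard", and a linkend only resolves against an xml:id that is part of the same built document. Please confirm that "ch_install-dashboard" is defined in this guide's build. If the install chapter now lives in a different guide, this needs an external xlink:href link, as the change does elsewhere for the OpenStack Admin User Guide, otherwise the reference will not resolve.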