Configuring OpenStack Horizon under Apache (reposted)

A very detailed introduction to configuring Horizon, reposted from dev.cloudwatt.com

Deploy Horizon from source with Apache and SSL

Some companies deploy OpenStack clouds without the Horizon Dashboard interface, so you may wish to deploy your own Horizon instance, either on a VM hosted on the OpenStack infrastructure, or why not on your own computer? Well, this is possible.

However, your concern is that plain HTTP is not secure, especially if the instance is hosted on a VM or machine reachable from the Internet. So you want an SSL connection.

The issue is that SSL certificates can cost money, but for personal usage self-signed certificates will do the job at no cost, and easy-rsa makes their management easy :-)

Note: even though you will run your own Horizon instance, you will not get any extra privileges; it just adds your favorite “life easy-making GUI” on top of OpenStack :-)

Requirements:

On Centos/RHEL 6.x x86_64:
# Apache with SSL and wsgi support
sudo yum install httpd mod_ssl mod_wsgi
# EPEL repos
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# GIT to retrieve sources
sudo yum install git git-review
sudo yum install python-virtualenv
# cryptography requirements
sudo yum install gcc libffi-devel python-devel openssl-devel
On Ubuntu:
# Apache with SSL and wsgi support
sudo apt-get install apache2 libapache2-mod-wsgi
# GIT to retrieve sources
sudo apt-get install git git-review
sudo apt-get install python-virtualenv
# cryptography requirements
sudo apt-get install build-essential libssl-dev libffi-dev python-dev

Create an “horizon” user:

On Centos/RHEL:
useradd -d /home/horizon -m -g apache horizon
On Ubuntu:
useradd -d /home/horizon -m -s /bin/bash -g www-data horizon
sudo permissions for the horizon user:

If you want to be able to “sudo” from the horizon user (for convenience):

sudo su -c "echo 'horizon ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/horizon_user"
sudo chmod 0440 /etc/sudoers.d/horizon_user

The server will run under the “apache” or “www-data” user (depending on the distribution), not as “horizon”, so this sudo permission does not give the web server a path to privilege escalation. If after deployment you want to remove the horizon user’s sudo permissions to feel reassured, just type:

sudo rm -f /etc/sudoers.d/horizon_user
Switch to the horizon user:
sudo su - horizon

Generate your SSL certificates:

Centos/RHEL:
sudo yum install easy-rsa
cp -r /usr/share/easy-rsa/2.0 ~/easy-rsa
On Ubuntu:
sudo apt-get install easy-rsa
cp -r /usr/share/easy-rsa ~/easy-rsa

NOTE: depending on your Ubuntu version, you might not find the easy-rsa package.

This package has recently been stripped out of OpenVPN, so if you do not have an easy-rsa package, you can install OpenVPN and copy the easy-rsa scripts (and uninstall OpenVPN if you do not want to keep it):

sudo apt-get install openvpn libpkcs11-helper1 liblzo2-2
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ~/easy-rsa
cp ~/easy-rsa/openssl-1.0.0.cnf ~/easy-rsa/openssl.cnf
# If you do not want to use or keep OpenVPN, you can now remove it:
sudo apt-get purge openvpn
Generate the certificates:

Edit the vars file in your ~/easy-rsa directory and adapt all the export KEY_* variables to your liking (especially: KEY_SIZE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL, KEY_OU), and then source this file:

source ./vars

and initialize certificates:

./clean-all
Create your own CA:
./build-ca
Create your server’s certificate:
./build-key-server My_Server_Name

Hit the “enter” key when prompted for a password.

This creates a password-less private key, which is usually considered bad practice, but we do it this way here for convenience: your server will not type in a password to use the certificate. Requiring a password for a server key is also bad practice in itself, because most users of such certificates end up putting the clear-text password in a configuration file so that init scripts can use the certificate automatically.

Hit the “y” key when prompted to Sign the certificate, and when prompted to commit.

In the keys subdirectory you will now see something like this:

-rw-r--r--. 1 horizon apache 5625 Apr  2 14:35 01.pem
-rw-r--r--. 1 horizon apache 1809 Apr  2 14:32 ca.crt
-rw-------. 1 horizon apache 1704 Apr  2 14:32 ca.key
-rw-r--r--. 1 horizon apache  152 Apr  2 14:35 index.txt
-rw-r--r--. 1 horizon apache   21 Apr  2 14:35 index.txt.attr
-rw-r--r--. 1 horizon apache    0 Apr  2 14:31 index.txt.old
-rw-r--r--. 1 horizon apache 5625 Apr  2 14:35 My_Server_Name.crt
-rw-r--r--. 1 horizon apache 1102 Apr  2 14:35 My_Server_Name.csr
-rw-------. 1 horizon apache 1708 Apr  2 14:35 My_Server_Name.key
-rw-r--r--. 1 horizon apache    3 Apr  2 14:35 serial
-rw-r--r--. 1 horizon apache    3 Apr  2 14:31 serial.old

apache will need read access to My_Server_Name.key:

chmod g+rx keys
chmod g+r keys/My_Server_Name.key
NOTE:

These are self-signed certificates, usually made for testing or pre-deployment, so since your browser is not able to verify the identity of your website when accessing your server, it will display a “This Connection Is Untrusted” alert page saying it is an untrusted site. This is normal. To avoid this message you will have to bypass the warning, or import the ca.crt file in your browser (the latter works only if, when prompted for the server name by the ./build-key-server command, you gave the server the same hostname as the FQDN you use to access it; otherwise you will get a “Certificate is only valid for (site name)” warning instead).

Get the Horizon source:

Clone horizon sources:

git clone git://git.openstack.org/openstack/horizon.git

You will now see a horizon directory (under your own “horizon” user’s /home/horizon directory if you created one previously).

Change to this new horizon directory:

cd ~/horizon

Horizon needs Python dependencies which may not be provided in the proper version by your OS’s packaging system, so it is best to use a virtual environment to install the Python packages without any conflicts with your distribution’s packages:

virtualenv --no-site-packages .venv
source .venv/bin/activate
pip install -Ur requirements.txt

If some packages fail to compile with errors like this one (it may happen when your locale is not strictly limited to ASCII):

  UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 126: ordinal not in range(128)

then try the last command again but prefixed with LC_ALL=C:

LC_ALL=C pip install -Ur requirements.txt

Configure your local_settings:

cd openstack_dashboard/local/
cp local_settings.py.example local_settings.py

Then edit local_settings.py with your favorite editor and set DEBUG = False, configure OPENSTACK_API_VERSIONS and OPENSTACK_HOST, and uncomment:

  CSRF_COOKIE_SECURE = True
  SESSION_COOKIE_SECURE = True

With DEBUG = False, you need to set ALLOWED_HOSTS to a list of strings representing the host/domain names used to access your Horizon site. If you have not registered any hostname yet, you will have to put the server’s IP (as a string) in the list in order to be able to access Horizon via its IP in your browser. See ALLOWED_HOSTS for detailed information.

You also have to edit SECRET_KEY.

If you use SECRET_KEY = secret_key.generate_or_read_from_file(os.path.join(LOCAL_PATH, '.secret_key_store')), the apache (or www-data) user will need write access to this file (.secret_key_store), because it is created the first time you launch Horizon. Instead you can set SECRET_KEY to a string (e.g. SECRET_KEY = ‘a unique sentence no one can guess’). SECRET_KEY is used to provide cryptographic signing, and should be set to a unique, unpredictable value. Running Horizon with a known SECRET_KEY defeats many of Horizon’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities. Horizon will now refuse to start if SECRET_KEY is not set.

If you use Self-signed certificates uncomment:

  OPENSTACK_SSL_NO_VERIFY = True

Otherwise, uncomment:

  OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'

and set the path to the CA bundle provided by your Certificate Authority.
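As an added example (not code from the original post or from Horizon), here is a small checker for the local_settings.py values discussed above; it parses the file with ast and never imports it, so nothing in it runs. The 50-character SECRET_KEY minimum is borrowed from Django's own deployment check, and the sample settings are constructed.

```python
import ast

# Added example, not code from the original post or from Horizon: a read-only check of
# local_settings.py for the settings discussed above. The file is parsed with ast and
# never imported, so nothing in it runs. The 50-character SECRET_KEY minimum is
# borrowed from Django's own deployment check.

def _assignments(source):
    # top-level NAME = value statements, keyed by name; values stay AST nodes
    return {t.id: n.value for n in ast.parse(source).body if isinstance(n, ast.Assign)
            for t in n.targets if isinstance(t, ast.Name)}

def _literal(node):
    try:  # plain literal value, or None for calls and other expressions
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        return None

def check_local_settings(source):
    """Return (level, message) findings; 'fail' entries block a safe deployment."""
    s, out = _assignments(source), []
    def val(name):
        return _literal(s[name]) if name in s else None
    if val("DEBUG") is not False:
        out.append(("fail", "DEBUG must be set to False"))
    hosts = val("ALLOWED_HOSTS")
    if not hosts or not all(isinstance(h, str) for h in hosts):
        out.append(("fail", "ALLOWED_HOSTS must list the names or IP used to reach Horizon"))
    for name in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE"):
        if val(name) is not True:
            out.append(("fail", name + " must be uncommented and set to True"))
    if isinstance(s.get("SECRET_KEY"), ast.Call):
        out.append(("warn", "SECRET_KEY is generated on first start: the web server "
                            "user needs write access to .secret_key_store"))
    elif not isinstance(val("SECRET_KEY"), str) or len(val("SECRET_KEY")) < 50:
        out.append(("fail", "SECRET_KEY must be set to an unpredictable string of "
                            "at least 50 characters"))
    if val("OPENSTACK_SSL_NO_VERIFY") is True:
        out.append(("warn", "OPENSTACK_SSL_NO_VERIFY=True skips Keystone certificate "
                            "checks; acceptable only with self-signed test certificates"))
    return out

# Constructed sample (not a real deployment): the settings the post asks for.
SAMPLE_OK = """DEBUG = False
ALLOWED_HOSTS = ['horizon.example.com', '192.0.2.10']
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECRET_KEY = 'constructed-placeholder-0123456789abcdefghijklmnopqrstuvwxyz'
"""
```

Run check_local_settings on your own file's contents before the first Apache start; a "warn" for the generated SECRET_KEY reminds you of the write permission the post mentions.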

Get the apache configuration script:

If the Web deployment configuration script isn’t yet merged (see Change I6397ba01: Created a make_web_conf command.) you can cherry-pick it:

git checkout -b web-conf-generation-script
git fetch https://review.openstack.org/openstack/horizon refs/changes/68/82468/6 && git cherry-pick FETCH_HEAD

This patch adds a django_admin management command that creates a wsgi file with virtual environment detection, and an apache configuration file. We will use this command.

Go back to the ~/horizon directory (where the manage.py file is located):

cd ~/horizon

Activate your virtual environment if not already done (in a bash shell, your prompt is usually prefixed by “(.venv)” when it is activated, but if typing echo $VIRTUAL_ENV returns nothing, you have to source it):

source .venv/bin/activate
Create the wsgi file:

We use the Web deployment configuration script:

python manage.py make_web_conf --wsgi
Collect static files:

We gather all the static files which apache will have to serve (they will be placed in the directory defined by STATIC_ROOT in the local_settings.py file):

python manage.py collectstatic
Compile .pyc files:

If apache does not have write access it won’t be able to write .pyc files during code execution, and this drastically slows down Python’s performance.

Instead of relying on the code execution to compile the bytecode .pyc files, we create (compile) them manually:

python -m compileall .
Give apache some permissions:

We give apache read access to files, execution permission on directories, and write permission on the static files directory:

sudo chmod -R g+r ~/
find ~/ -type d -exec sudo chmod g+x {} \;
find ~/horizon/static -type d -exec chmod g+w {} \;
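The chmod/find commands above give the web server's group read access everywhere but write access only under the static directory, and that distinction is what keeps a compromised web server from rewriting the code mod_wsgi executes. As an added example (not code from the original post), this audit walks a checkout and reports every deviation from that scheme; it assumes code_root is the ~/horizon checkout, static_root is STATIC_ROOT, the web server runs in the horizon user's group, and the throw-away tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile

# Added example, not code from the original post: audits the permission scheme the
# post sets up with chmod/find. Assumptions: code_root is the ~/horizon checkout,
# static_root is STATIC_ROOT, and the web server runs in the horizon user's group.

def _under(path, root):
    path, root = os.path.realpath(path), os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)

def audit_permissions(code_root, static_root, server_key):
    """Return (path, problem) tuples; an empty list means the layout is as intended."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(code_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            is_dir = stat.S_ISDIR(mode)
            if mode & stat.S_IWOTH:
                problems.append((path, "world-writable"))
            elif mode & stat.S_IWGRP and not (is_dir and _under(path, static_root)):
                # a compromised web server could rewrite code that mod_wsgi then executes
                problems.append((path, "group-writable outside STATIC_ROOT"))
            if not mode & stat.S_IRGRP or (is_dir and not mode & stat.S_IXGRP):
                problems.append((path, "not readable by the web server group"))
    key_mode = os.stat(server_key).st_mode
    if key_mode & (stat.S_IRWXO | stat.S_IWGRP) or not key_mode & stat.S_IRGRP:
        problems.append((server_key, "private key must be readable by owner and group only"))
    return problems

def build_demo_tree():
    """Constructed throw-away tree: the post's layout plus one group-writable code file."""
    root = tempfile.mkdtemp()
    code, static = os.path.join(root, "horizon"), os.path.join(root, "horizon", "static")
    os.makedirs(os.path.join(static, "css"))
    for d, mode in ((code, 0o750), (static, 0o770), (os.path.join(static, "css"), 0o770)):
        os.chmod(d, mode)
    for rel, mode in (("manage.py", 0o640), ("static/css/a.css", 0o640), ("wsgi.py", 0o660)):
        path = os.path.join(code, rel)
        open(path, "w").close()
        os.chmod(path, mode)  # wsgi.py deliberately violates the scheme
    key = os.path.join(root, "My_Server_Name.key")
    open(key, "w").close()
    os.chmod(key, 0o640)  # what "chmod g+r" on a fresh easy-rsa key yields
    return code, static, key
```

On a real deployment call audit_permissions with ~/horizon, its STATIC_ROOT and the easy-rsa key path; re-run it after every "Keep up to date" cycle, since git pull and pip install create files with the horizon user's umask.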
Create your apache configuration file:

We use the Web deployment configuration script again:

python manage.py make_web_conf --apache --ssl \
--sslcert=/home/horizon/easy-rsa/keys/My_Server_Name.crt \
--sslkey=/home/horizon/easy-rsa/keys/My_Server_Name.key \
--mail=your.email@youdomain.com > horizon.conf

And move this configuration file to your apache conf directory:

Centos/RHEL Apache configuration file:
sudo mv horizon.conf /etc/httpd/conf.d/
sudo chown root:root /etc/httpd/conf.d/horizon.conf

edit /etc/httpd/conf/httpd.conf and replace:

  #NameVirtualHost *:80

by:

  NameVirtualHost *:443
  WSGISocketPrefix /var/run/wsgi

To start Apache:

sudo service httpd start

To restart Apache:

sudo service httpd restart

Logs are available in /var/log/httpd/openstack_dashboard-error.log and /var/log/httpd/openstack_dashboard-access.log.

Ubuntu Apache configuration file:
sudo mv horizon.conf /etc/apache2/sites-available/horizon
sudo chown root:root /etc/apache2/sites-available/horizon
sudo a2ensite horizon
sudo a2enmod ssl

To start Apache:

sudo service apache2 start

To restart Apache:

sudo service apache2 reload

Logs are available in /var/log/apache2/openstack_dashboard-error.log and /var/log/apache2/openstack_dashboard-access.log.

Notes about unscoped tokens:

Some cloud companies do not let you log in with an unscoped token and horizon logs will tell you your login failed even though you entered the proper password.

If this is the case, you may need to modify your .venv/lib/python2.7/site-packages/openstack_auth/backend.py (or .venv/lib/python2.6/site-packages/openstack_auth/backend.py) file like this:

change the try block at line 134:

                try:
                    client = keystone_client.Client(
                        tenant_id=project.id,
                        token=unscoped_auth_ref.auth_token,
                        auth_url=auth_url,
                        insecure=insecure,
                        cacert=ca_cert,
                        debug=settings.DEBUG)

to:

                try:
                    client = keystone_client.Client(
                        tenant_id=project.id,
                        #token=unscoped_auth_ref.auth_token,
                        user_domain_name=user_domain_name,
                        username=username,
                        password=password,
                        auth_url=auth_url,
                        insecure=insecure,
                        debug=settings.DEBUG)

Keep up to date:

Once Horizon is deployed, staying up to date is easy:

git checkout master
git remote update && git pull --ff-only origin master
source .venv/bin/activate
pip install -Ur requirements.txt  # you might need to redo the unscoped tokens change
find . -name "*.pyc" -delete
python -m compileall .
python manage.py collectstatic
chmod -R g+r ~/horizon
find ~/horizon -type d -exec chmod g+x {} \;
find ~/horizon/static -type d -exec chmod g+w {} \;

And restart apache.

Centos/RHEL:

sudo service httpd restart

Ubuntu:

sudo service apache2 reload

Enjoy your Horizon GUI, and feel free to review the Change I6397ba01: Created a make_web_conf command. patch, or to add suggestions to the Web deployment configuration script Blueprint.

posted on 2015-10-15 09:08 by openqt