Re: [openstack-dev] [Openstack-dev][Tacker] Not able to run user_data commands on my instance

2017-05-22 Thread yanxingan

Hi, Vishnu,

  The Openwrt mgmt driver is different from user_data shell cmds.

  User_data shell cmds are injected into the vm instance during the vm's boot 
stage (cloud-init script), via the metadata service. A cloud-init script is 
required in the image.


  The mgmt_driver, by contrast, is used to configure the vm after it has booted 
successfully. The Openwrt mgmt driver uses ssh to configure the vm; it is only 
used for the openwrt image and cannot be used for cirros or ubuntu images.


  User_data can be used with any image, if the image has a cloud-init script.

To locate this issue, you can execute this cmd in the vm:
$ curl http://169.254.169.254/
and check that cloud-init is installed in the vm.


On 2017/5/23 8:36, Sridhar Ramaswamy wrote:

Hi Vishnu,

Just to rule out any underlying metadata service issue, can you verify 
if a simple heat stack with user_data [1] works fine first? Also, the 
actual TOSCA -> HOT translated template will be available in tacker.log. 
Try creating a heat stack using that HOT template and make sure the 
intended user_data cmds get executed.


HTH,
Sridhar

[1] 
https://docs.openstack.org/developer/heat/template_guide/software_deployment.html#user-data-boot-scripts-and-cloud-init



On Mon, May 22, 2017 at 5:08 AM, Vishnu Pajjuri wrote:


  Hi,

I have installed openstack with tacker by devstack.

I'm able to run OpenWRT vnf and able to configure the firewall
service with openwrt management driver.

And I am also able to run shell commands in the cirros image, which is also
using the openwrt management driver.


Now I have created one ubuntu image, and able to launch through tacker.

In this instance I want to run some shell commands through tacker's
user_data feature.

But no commands are executing.

Is it possible to run commands on custom images unlike cirros/openwrt?

If yes kindly share the procedure to create proper ubuntu image.



Below is the tosca config file


tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0

description: Demo with user-data

metadata:
  template_name: sample-vnfd-userdata

topology_template:
  node_templates:
    VDU1:
      type: tosca.nodes.nfv.VDU.Tacker
      capabilities:
        nfv_compute:
          properties:
            num_cpus: 1
            mem_size: 1024 MB
            disk_size: 1 GB
      properties:
        image: ubuntu-image
        config: |
          param0: key1
          param1: key2
        mgmt_driver: openwrt
        config_drive: true
        user_data_format: RAW
        user_data: |
          #!/bin/sh
          echo "my hostname is `hostname`" > /tmp/hostname
          date > /tmp/date
          ifconfig > /tmp/ifconfig
          df -h > /tmp/diskinfo
    CP1:
      type: tosca.nodes.nfv.CP.Tacker
      properties:
        management: true
        order: 0
        anti_spoofing_protection: false
      requirements:
        - virtualLink:
            node: VL1
        - virtualBinding:
            node: VDU1

    VL1:
      type: tosca.nodes.nfv.VL
      properties:
        network_name: net_mgmt
        vendor: ACME

Regards,
-Vishnu

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev












Re: [openstack-dev] [barbican][castellan] How to share secrets in barbican

2017-03-31 Thread yanxingan


Thanks Kaitlin Farr.

In the tacker vim use case, an operator [user A] may create a vim with an 
account [user B] to access the NFVI. I want to store user B's password in 
barbican.


There are two methods to store secret:
1. All user A's vim secrets are stored in one common reserved 
project/user as mentioned.
2. For each user A, the vim secret is stored in its own domain 
respectively.


The problem of 2 is:
1) A vim cannot be shared between different projects with the default 
barbican RBAC policy.
2) It's not secure to open the access to all users via RBAC policy. In 
addition, barbican may be invoked by other projects, e.g. nova, neutron lb.

3) It's not convenient to add every user to the ACL of A's secret.

Does the barbican ACL support a "shared"-like attribute for a secret?


On 2017/3/31 3:05, Farr, Kaitlin M. wrote:



As I know, the secrets are saved in a user's domain, and other projects/users 
cannot retrieve the secrets.
But I have a situation where many users need to retrieve the same secret.

After looking into the castellan usage, I see the method of saving the 
credentials in the configuration,
so that all operators use this pre-created user to create/retrieve secrets.
I want to know, is this way typical and easily accepted? Do other projects 
face this issue?



By default, the secrets in Barbican are available at the project-level
[1]. I am not sure specifically which project or feature you are
referring to that all users need to access to one secret, but I would
suggest that editing the Barbican RBAC policy or ACL is a more elegant
solution than storing username/pw in the conf file. You can find more
details about RBAC at [2] and a sample policy.json file at [3].

Kaitlin Farr

1. https://developer.openstack.org/api-guide/key-manager/acls.html#default-acl
2. https://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html
3. https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json









Re: [openstack-dev] [tc][keystone][tacker]

2017-03-12 Thread yanxingan


Thanks, Shake Chen.
Seems barbican is a better way.

On 2017/3/12 22:59, Shake Chen wrote:

Hi
why not use barbican?

On Sun, Mar 12, 2017 at 10:33 PM, yanxin...@cmss.chinamobile.com wrote:


Hi, folks:


Currently the tacker server node stores fernet keys for vim password decryption 
on the local root file system. If the Tacker service serves API requests 
through a load balancer, then the operation will fail if the request is not 
fulfilled by the server node which created and stored the fernet key.

So we need a possible solution for syncing the keys across multiple server 
nodes. Currently we are thinking about storing the fernet keys via ceph or 
swift. Do you have any suggestions on this approach, or has any other project 
already dealt with this problem?

Thanks.







--
Shake Chen



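An added illustration of the failure mode discussed in this thread and of the remedy the replies point at (a shared key store such as barbican): it is example code written for this page, not Tacker's own implementation. It uses Fernet from the `cryptography` package; the `SharedKeyStore`, `TackerNode` and `key_ref` names are hypothetical stand-ins for a real secret store and for Tacker's vim record.

```python
import uuid
from cryptography.fernet import Fernet, InvalidToken


class SharedKeyStore:
    """Stand-in for a store every node can reach (barbican, swift, ceph):
    maps a key reference to the fernet key. Hypothetical, not Tacker code."""
    def __init__(self):
        self._keys = {}

    def put(self, key):
        ref = str(uuid.uuid4())          # the reference is saved with the vim record
        self._keys[ref] = key
        return ref

    def get(self, ref):
        return self._keys[ref]


class TackerNode:
    """One API server behind the load balancer."""
    def __init__(self, name, store):
        self.name = name
        self.local_key = Fernet.generate_key()   # lives only on this node's root fs
        self.store = store

    def register_vim_local(self, password):
        # Local-key scheme: the record carries no hint of which node's key was used.
        token = Fernet(self.local_key).encrypt(password.encode())
        return {"password": token, "key_ref": None}

    def register_vim_shared(self, password):
        # Shared-store scheme: a per-vim key is stored centrally, its ref in the record.
        key = Fernet.generate_key()
        ref = self.store.put(key)
        return {"password": Fernet(key).encrypt(password.encode()), "key_ref": ref}

    def decrypt_vim_password(self, vim):
        key = self.local_key if vim["key_ref"] is None else self.store.get(vim["key_ref"])
        try:
            return Fernet(key).decrypt(vim["password"]).decode()
        except InvalidToken:                     # wrong key on this node
            return None


def demo():
    store = SharedKeyStore()
    node_a, node_b = TackerNode("a", store), TackerNode("b", store)
    legacy = node_a.register_vim_local("constructed-vim-password")
    shared = node_a.register_vim_shared("constructed-vim-password")
    return {"legacy_same_node": node_a.decrypt_vim_password(legacy),
            "legacy_other_node": node_b.decrypt_vim_password(legacy),   # fails
            "shared_other_node": node_b.decrypt_vim_password(shared)}
```

The load balancer routing a request to node_b reproduces the `legacy_other_node` case; keeping the key reference in the vim record and the key in a shared store is what makes the request node-independent.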




