CloudBerry Explorer with IBM Spectrum Scale

Steps to enable CloudBerry Explorer to use Object Storage from IBM Spectrum Scale

Prerequisite:
IBM Spectrum Scale 4.2.2 with Object service enabled.
CloudBerry Explorer for Openstack Storage – Build-1.6.2.63

  1. Verify that IBM Spectrum Scale Object storage is enabled by running the following commands:

    [root@c1n3 ~]# mmces service list
    Enabled services: OBJ
    OBJ is running

    [root@c1n3 ~]# mmuserauth service list --data-access-method object
    OBJECT access configuration : LOCAL
    PARAMETERS               VALUES
    -------------------------------------------------
    ENABLE_KS_SSL            false
    ENABLE_KS_CASIGNING      false
    KS_ADMIN_USER            none

  2. Configure the CloudBerry Explorer with IBM Spectrum Scale Object Storage
  3. List/Create/Upload objects/Containers using Swift Client

    [root@c1n3 ~]# swift list
    myFirstContainerFromCloudBerry

    [root@c1n3 ~]# swift post containerFromWwiftClient

    [root@c1n3 ~]# swift list
    containerFromWwiftClient
    myFirstContainerFromCloudBerry

    [root@c1n3 ~]# swift upload myFirstContainerFromCloudBerry anaconda-ks.cfg
    anaconda-ks.cfg

  4. View Object/Containers from CloudBerry Explorer

 

“These are my personal views and do not necessarily reflect that of my employer”

 

 


Configuring IBM Spectrum Scale Object with SSL enabled External Keystone server

Prerequisite :  

  • IBM Spectrum Scale 4.2.1.x
  • SSL enabled Keystone server.
  • A swift user with a valid password, having the 'admin' role in the 'service' tenant of the 'default' domain on an external Keystone server

Endpoints on the external Keystone server will look like this:

[root@externalKeystone ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| 78cd570651f34b848890687c4f1578a9 | None      | keystone     | identity     | True    | public    | https://cesip:5000/                     |
| ff82aa833eec42b7a345a1c029b74959 | None      | keystone     | identity     | True    | internal  | https://cesip:35357/                    |
| 692c4bb6c4a14ece9f810ba4fc1944f1 | None      | keystone     | identity     | True    | admin     | https://cesip:35357/                    |
| 52b559474c03454eaef67af14a3c4afe | RegionOne | swift        | object-store | True    | public    | http://c1ces:8080/v1/AUTH_%(tenant_id)s |
| ed14c1c50f3242a0aed61b9ccdfc8c4d | RegionOne | swift        | object-store | True    | internal  | http://c1ces:8080/v1/AUTH_%(tenant_id)s |
| f26a242b71b34128abf87cbc1e8937aa | RegionOne | swift        | object-store | True    | admin     | http://c1ces:8080                       |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+

 

On IBM Spectrum Scale, Object will already be configured.
Remove the current Object authentication and ID mapping using the following commands.

[root@c1n3 ~]# mmuserauth service remove --data-access-method object
mmuserauth service remove: Command successfully completed

[root@c1n3 ~]# mmuserauth service remove --data-access-method object --idmapdelete
mmuserauth service remove: Command successfully completed

Copy the CA certificate used on the external Keystone server to the following location on a protocol node of IBM Spectrum Scale.

[root@c1n3 ~]# ls /var/mmfs/tmp/ks_ext_cacert.pem
/var/mmfs/tmp/ks_ext_cacert.pem

Run the mmuserauth command on the protocol node where the CA certificate was copied.

[root@c1n3 ~]# mmuserauth service create --data-access-method object --type userdefined --ks-swift-user swift --ks-swift-pwd passw0rd --ks-ext-endpoint https://cesip:5000/v3 --enable-ks-ssl
mmcesobjcrbase: Validating execution environment.
mmcesobjcrbase: Validating Keystone environment.
mmcesobjcrbase: Configuration complete.
Object authentication configuration completed successfully.

Note: The external Keystone server must be reachable from the protocol nodes using the hostname that was used when creating the SSL certificates for the external Keystone server. The hostname in the Keystone endpoints should also match the hostname used for creating the SSL certificates.

IBM Spectrum Scale Object is successfully configured with the SSL-enabled external Keystone server.

The ~/openrc file on the protocol node will be updated with the details of the external Keystone server.

[root@c1n3 ~]# cat openrc
export OS_AUTH_URL="https://cesip:5000/v3"
export OS_CACERT="/etc/swift/ks_ext_cacert.pem"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD=""
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default

Update ~/openrc with a valid username and password from the external Keystone server.

[root@c1n3 ~]# source ~/openrc

Verify IBM Spectrum Scale Object is working with external Keystone server.

[root@c1n3 ~]# swift stat
Account: AUTH_0557d5eb51294e48b1c5041c684b4f66
Containers: 0
Objects: 0
Bytes: 0
Content-Type: text/plain; charset=utf-8
Keep-Alive: timeout=5, max=100


Openstack Swift with SSL(https)

Following are the steps to enable SSL for the OpenStack Swift proxy, for secure data transfer between the OpenStack Swift proxy server and the swift client.

Prerequisite :
– A set of SSL certificates (CA signed or locally generated)
– OpenStack Keystone and Swift up and running.

WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment. 

1. Copy the SSL certificates to the /etc/swift directory on all protocol nodes. Make sure the CN in the certificate matches the swift endpoint hostname. In our case it is Node3.

2. The swift user must have read permission on the certificate files on all protocol nodes.
[root@Node3]# ls -al /etc/swift/ssl_*
-rw-------. 1 swift swift 2864 Dec 8 23:56 /etc/swift/ssl_cert.pem
-rw-------. 1 swift swift 887 Dec 8 23:56 /etc/swift/ssl_key.pem

3. Update the SSL certificate details in proxy-server.conf
[root@Node3]# mmobj config change --ccrfile proxy-server.conf --section DEFAULT --property key_file --value /etc/swift/ssl_key.pem

[root@Node3]# mmobj config change --ccrfile proxy-server.conf --section DEFAULT --property cert_file --value /etc/swift/ssl_cert.pem

4. Update the swift endpoints to use https
# content of ~/openrc

[root@Node3 ~]# cat openrc
export OS_AUTH_URL="http://Node3:35357/v3"
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_VERSION=3
export OS_USERNAME="admin"
export OS_PASSWORD="passw0rd"
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PROJECT_DOMAIN_NAME=Default

[root@Node3 ~]# source ~/openrc

The existing swift endpoints look like this:
[root@Node3 swift]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                     |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
| 93fa11d1fa7b4622abc857f964676e68 | RegionOne | swift        | object-store | True    | public    | http://Node3:8080/v1/AUTH_%(tenant_id)s |
| 9f271a9d2b14471c8bbad7edca8c4a18 | RegionOne | swift        | object-store | True    | internal  | http://Node3:8080/v1/AUTH_%(tenant_id)s |
| d70496da0a884381a818623ca5b7c501 | RegionOne | swift        | object-store | True    | admin     | http://Node3:8080                       |

Change the swift endpoints to https [change the endpoint IDs as per your environment]
openstack endpoint set --url 'https://Node3:8080/v1/AUTH_%(tenant_id)s' 93fa11d1fa7b4622abc857f964676e68
openstack endpoint set --url 'https://Node3:8080/v1/AUTH_%(tenant_id)s' 9f271a9d2b14471c8bbad7edca8c4a18
openstack endpoint set --url 'https://Node3:8080' d70496da0a884381a818623ca5b7c501

The updated swift endpoints look like this:
[root@Node3 swift]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                      |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| 93fa11d1fa7b4622abc857f964676e68 | RegionOne | swift        | object-store | True    | public    | https://Node3:8080/v1/AUTH_%(tenant_id)s |
| 9f271a9d2b14471c8bbad7edca8c4a18 | RegionOne | swift        | object-store | True    | internal  | https://Node3:8080/v1/AUTH_%(tenant_id)s |
| d70496da0a884381a818623ca5b7c501 | RegionOne | swift        | object-store | True    | admin     | https://Node3:8080                       |
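
A quick audit of the endpoint change in step 4, as an added example that is not part of the original post: it reads `openstack endpoint list` table output and reports every enabled endpoint that is still served over plain http. The function names and the sample table (in which the admin endpoint was missed) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list endpoints that are still plain http after step 4.
# list_plain_http and sample_table are hypothetical helper names.

# Reads `openstack endpoint list` table output on stdin and prints
# "service interface url" for each enabled endpoint not served over https.
list_plain_http() {
    awk -F'|' '
        NF >= 8 {
            # trim the padding around each cell
            for (i = 2; i <= 8; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == "ID") next                       # header row
            if ($6 == "True" && $8 !~ /^https:\/\//) print $4, $7, $8
        }'
}

# Constructed sample input: public and internal were changed, admin was not.
sample_table() {
    cat <<'EOF'
+-------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID          | Region    | Service Name | Service Type | Enabled | Interface | URL                                      |
+-------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ex-public   | RegionOne | swift        | object-store | True    | public    | https://Node3:8080/v1/AUTH_%(tenant_id)s |
| ex-internal | RegionOne | swift        | object-store | True    | internal  | https://Node3:8080/v1/AUTH_%(tenant_id)s |
| ex-admin    | RegionOne | swift        | object-store | True    | admin     | http://Node3:8080                        |
+-------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
EOF
}

# Demo on the constructed table; on a protocol node the input would be
#   openstack endpoint list | list_plain_http
sample_table | list_plain_http
```

An empty result means every enabled endpoint in the catalog uses https.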

5. Sample swift client command
[root@Node3]# swift --os-cacert ssl_cacert.pem stat
Account: AUTH_afcc267ea2c842e59082162118d5047e
Containers: 0
Objects: 0
Bytes: 0
X-Put-Timestamp: 1449638753.75244
X-Timestamp: 1449638753.75244
X-Trans-Id: txe9e7ceb7a31c48e193495-005667bb61
Content-Type: text/plain; charset=utf-8
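
The hostname requirement in step 1 above, and in the Note of the external Keystone post, can be checked before a certificate is put into service. The following is an added example, not part of the original posts: `check_cert` and `make_sample_cert` are hypothetical helper names, and the demo uses a constructed throwaway self-signed certificate for "cesip" that acts as its own CA.

```shell
#!/bin/sh
# Added example: verify that a certificate chains to the CA file and is
# valid for the hostname used in the endpoint URL.

# check_cert CA_FILE CERT_FILE HOSTNAME
#   0 = cert chains to CA_FILE and is valid for HOSTNAME
#   1 = chain validation failed, 2 = hostname mismatch
check_cert() {
    ca=$1; cert=$2; host=$3
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"
        return 1
    fi
    # -checkhost prints "does match" or "does NOT match"; test the text
    # rather than relying on the exit status.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
            | grep -q 'does match'; then
        echo "FAIL: $cert is not valid for host $host"
        return 2
    fi
    echo "OK: $cert is valid for $host"
}

# Constructed sample input: a throwaway self-signed certificate for "cesip",
# written to directory $1, so the demo runs offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cesip" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
check_cert "$demo_dir/cert.pem" "$demo_dir/cert.pem" cesip           # name matches
check_cert "$demo_dir/cert.pem" "$demo_dir/cert.pem" c1ces || true   # name differs
rm -rf "$demo_dir"
```

For the proxy certificate from step 1, the arguments would be the CA file, /etc/swift/ssl_cert.pem and Node3.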
