How to setup SSL connection for OpenStack cloud object storage (Swift)?

CloudBacko backup software allows you to back up data to OpenStack cloud object storage (Swift). This article shows you how to enable SSL in OpenStack for your backup users.

If you are new to OpenStack, consult their documentation on general setup, available at http://docs.openstack.org/

If you already have a running OpenStack, you can follow our steps to enable SSL.

Assumptions:

Here are the OpenStack versions used in the following examples:

  • OpenStack Havana Series, Release 2013.2.3
  • Swift version: 2.0.2
  • Keystone version: 0.7.1

Here are the values used in the following examples:

  • OpenStack admin user name: admin
  • OpenStack admin user password: admin
  • Tenant (project) name: mybackup
  • Keystone server IP: 10.7.54.7
  • Keystone user authentication URL: https://10.7.54.7:5000/v2.0
  • Keystone admin URL: https://10.7.54.7:35357/v2.0
  • Keystone admin token: 7b05dab9722d44e7b9a82dc0d1ff74ea

Note: The value of the Keystone admin token can be found in the admin_token variable defined in the keystone configuration file /etc/keystone/keystone.conf.

Requirements and preparations:

Please set up the following variables in the bash profile and the filters in proxy-server.conf before you set up the tenant (project), user, roles, storage quota etc.

Step 1: Add the environment variables to the .bash_profile

Example (/root/.bash_profile)

----------------------------------------------------------------------------------------------------
    :
    :
  Trimmed
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=https://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=https://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  Trimmed
    :
    :
----------------------------------------------------------------------------------------------------

Please log in again for the profile to take effect.

Note: The value of OS_SERVICE_TOKEN can be found in the admin_token variable defined in the keystone configuration file /etc/keystone/keystone.conf.

Step 2: Set up the SSL connection for keystone and swift

To set up the SSL certificates for keystone, edit the file /etc/keystone/keystone.conf.

Assume you have valid certificate files at

  • /etc/keystone/ssl_cert.pem: the server certificate (public key) file
  • /etc/keystone/ssl_key.pem: the private key file
  • /etc/keystone/cacert.pem: the CA root certificate file

Since the format of certificates issued by CAs varies, always check with your CA for the correct instructions on chaining the certificates.

Example (/etc/keystone/keystone.conf)

----------------------------------------------------------------------------------------------------
    :
    :
    :
  Trimmed
    :
    :
    :

[ssl]
enable = True
certfile = /etc/keystone/ssl_cert.pem
keyfile = /etc/keystone/ssl_key.pem
ca_certs = /etc/keystone/cacert.pem

    :
    :
    :
  Trimmed
    :
    :
    :
----------------------------------------------------------------------------------------------------

Step 3: Restart keystone service

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# service openstack-keystone restart
Stopping keystone:                                         [  OK  ]
Starting keystone:                                         [  OK  ]
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 4: List the existing services and note down the id of the swift service

The --insecure switch is required if the SSL certificate is not trusted by the client (for example, a self-signed certificate).

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|                id                |    name    |     type     |          description           |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba | cinder_v2  |   volumev2   |       Cinder Service v2        |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |    Openstack Image Service     |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |   OpenStack Identity Service   |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |   Neutron Networking Service   |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |   Openstack Compute Service    |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           |
| 8b517bd82d4345c895384f9596a29880 |   swift    | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |      s3      |      Openstack S3 Service      |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

The swift id is 8b517bd82d4345c895384f9596a29880 (the row with type object-store).

Step 5: List existing swift service endpoints

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------+----------------+----------------------------------+
|                id                |  region   | ...Trimmed...  |            service_id            |
+----------------------------------+-----------+----------------+----------------------------------+
| 00a39b6e21a24562b470b61a1b82902d | RegionOne | ...Trimmed...  | 218b5356d65e4d8382297f72d65c8bbb |
| 047f9c3dd19743e280a553d8a34a9202 | RegionOne | ...Trimmed...  | 10f1a022ada246138aba5834e3622a91 |
| 2b89407a81574b2c8f0fdef9eefc507a | RegionOne | ...Trimmed...  | 5f805cc7df2a43eb90db6fe11ed682f6 |
| 47b6d5974d744c21a04b6ca2781f57a0 | RegionOne | ...Trimmed...  | b703b91737954d01a2d180f6c3d575ba |
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne | ...Trimmed...  | b3af7d0a95d34aa7883629df7a7f7f56 |
| 90bb1d878b7045f086e2ada7ce853308 | RegionOne | ...Trimmed...  | 3134116675a8420a88ef01cdcb0c8728 |
| 9ac0472cb48f49b3b44cb4e3365be01a | RegionOne | ...Trimmed...  | 11882e74696547b0ba1e4d276074ae37 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | ...Trimmed...  | 8b517bd82d4345c895384f9596a29880 |
| a9b9c9fbef6a44669788c1946a3c8e48 | RegionOne | ...Trimmed...  | cc787cf0258e46d6a342e1502e7bf6be |
| c370061d0cc64386a470a5a0fb01e424 | RegionOne | ...Trimmed...  | a809ad43f380400cb55ff2520bb27ab0 |
+----------------------------------+-----------+----------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------

Look up the endpoint for the swift service, i.e. the row whose service_id is 8b517bd82d4345c895384f9596a29880 (the swift id from Step 4).

Step 6: Delete the insecure swift service endpoint

Delete the endpoint with id a1af6685d3e04e5fa7b71f6c244f1393, found in the same row as the swift service_id in the previous step.

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-delete a1af6685d3e04e5fa7b71f6c244f1393
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
Endpoint has been deleted. 
[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 7: Recreate the endpoint with https:// instead

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone --insecure endpoint-create --region RegionOne --service-id=8b517bd82d4345c895384f9596a29880 \
    --publicurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://10.7.54.7:8080/v1' \
    --internalurl 'https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s'
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------------------+
|  Property   |                   Value                      |
+-------------+----------------------------------------------+
|  adminurl   |           https://10.7.54.7:8080/v1          |
|     id      |        fb937c038fd34724bd7415fff3ee7736      |
| internalurl | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | https://10.7.54.7:8080/v1/AUTH_%(tenant_id)s |
|   region    |                 RegionOne                    |
| service_id  |       8b517bd82d4345c895384f9596a29880       |
+-------------+----------------------------------------------+ 
[root@os ~]#
----------------------------------------------------------------------------------------------------
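The lookups in Steps 4 to 7, as an added shell example that is not part of the original article: it parses the tables the keystone CLI prints, finds the swift endpoint, reports any of its URLs still on plain http and prints the recreate command with https. The two tables are constructed from the output above (with the trimmed URL columns restored), and the column order of keystone endpoint-list is assumed to be id, region, publicurl, internalurl, adminurl, service_id.

```shell
#!/bin/sh
# Added example, not from the original article: parse the tables printed by the
# Havana-era keystone CLI, locate the swift endpoint, flag URLs that are still plain
# http, and print the Step 7 recreate command. Both tables are constructed from the
# article's output with the trimmed URL columns restored; the endpoint-list column
# order id, region, publicurl, internalurl, adminurl, service_id is assumed.
SERVICE_LIST='+---+---+---+---+
|                id                |   name   |     type     |          description           |
+---+---+---+---+
| b3af7d0a95d34aa7883629df7a7f7f56 | keystone |   identity   |   OpenStack Identity Service   |
| 8b517bd82d4345c895384f9596a29880 |  swift   | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 | swift_s3 |      s3      |      Openstack S3 Service      |
+---+---+---+---+'
ENDPOINT_LIST='+---+---+---+---+---+---+
| id | region | publicurl | internalurl | adminurl | service_id |
+---+---+---+---+---+---+
| 485ba5a748fc4f1e865d08774fae8ff7 | RegionOne | https://10.7.54.7:5000/v2.0 | https://10.7.54.7:5000/v2.0 | https://10.7.54.7:35357/v2.0 | b3af7d0a95d34aa7883629df7a7f7f56 |
| a1af6685d3e04e5fa7b71f6c244f1393 | RegionOne | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | http://10.7.54.7:8080/v1/AUTH_%(tenant_id)s | http://10.7.54.7:8080/v1 | 8b517bd82d4345c895384f9596a29880 |
+---+---+---+---+---+---+'

# Step 4: id of the service whose type column is object-store. Border rows split into a
# single field on "|" and are skipped by NF > 2; cell padding is stripped with gsub.
swift_service_id() {
    printf '%s\n' "$1" | awk -F'|' 'NF > 2 {
        gsub(/ /, "", $2); gsub(/ /, "", $4)
        if ($4 == "object-store") print $2 }'
}

# Step 5: id of the endpoint row whose service_id (last real column) equals $2.
endpoint_id_for_service() {
    printf '%s\n' "$1" | awk -F'|' -v sid="$2" 'NF > 2 {
        gsub(/ /, "", $2); gsub(/ /, "", $(NF-1))
        if ($(NF-1) == sid) print $2 }'
}

# publicurl, internalurl and adminurl of the endpoint for service $2, one per line.
endpoint_urls() {
    printf '%s\n' "$1" | awk -F'|' -v sid="$2" 'NF > 2 {
        s = $(NF-1); gsub(/ /, "", s)
        if (s == sid) for (i = 4; i <= NF-2; i++) { u = $i; gsub(/ /, "", u); print u } }'
}

# Succeeds only when every URL of that endpoint is https; lists the plain-http ones otherwise.
all_https() {
    endpoint_urls "$1" "$2" | awk '
        !/^https:\/\// { print "plain-http endpoint URL: " $0; bad = 1 }
        END { exit bad }'
}

# Prints (does not run) the Step 7 command for service $1 in region $2 on host $3 with
# scheme $4, using the article's URL layout. %% is a literal % in printf's format string.
endpoint_create_cmd() {
    printf "keystone --insecure endpoint-create --region %s --service-id=%s" "$2" "$1"
    printf " --publicurl '%s://%s:8080/v1/AUTH_%%(tenant_id)s'" "$4" "$3"
    printf " --adminurl '%s://%s:8080/v1'" "$4" "$3"
    printf " --internalurl '%s://%s:8080/v1/AUTH_%%(tenant_id)s'\n" "$4" "$3"
}

sid=$(swift_service_id "$SERVICE_LIST")
echo "swift service id: $sid, endpoint id: $(endpoint_id_for_service "$ENDPOINT_LIST" "$sid")"
all_https "$ENDPOINT_LIST" "$sid" || endpoint_create_cmd "$sid" RegionOne 10.7.54.7 https
```

Run it against the real output by replacing the two variables with `keystone --insecure service-list` and `keystone --insecure endpoint-list` captures; the printed command can then be reviewed before it is executed.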

Step 8: Set up /etc/swift/proxy-server.conf for swift

Edit the file proxy-server.conf and add the settings shown in the example below: cert_file and key_file in the [DEFAULT] section, and auth_protocol, auth_uri and insecure in the [filter:authtoken] section. Note that insecure = true has the same effect as the --insecure switch used with the keystone command above: the proxy skips verification of the Keystone certificate, which is only appropriate while an untrusted (for example, self-signed) certificate is in use.

Assume you have valid certificate files at

  • /etc/swift/ssl_cert.pem: the server certificate (public key) file
  • /etc/swift/ssl_key.pem: the private key file

Since the format of certificates issued by CAs varies, always check with your CA for the correct instructions on chaining the certificates.

Example (/etc/swift/proxy-server.conf)

----------------------------------------------------------------------------------------------------
# This file is managed by puppet.  Do not edit
#
[DEFAULT]
bind_port = 8080
bind_ip = 10.7.54.7
    :
    :
    :
  Trimmed
    :
    :
    :
cert_file = /etc/swift/ssl_cert.pem
key_file = /etc/swift/ssl_key.pem
    :
    :
    :
  Trimmed
    :
    :
    :

[filter:authtoken]
    :
    :
    :
  Trimmed
    :
    :
    :
auth_protocol = https
auth_uri = https://10.7.54.7:5000
insecure = true
----------------------------------------------------------------------------------------------------

Step 9: Restart the swift-related services

Restart the swift-related services after you have modified the config file /etc/swift/proxy-server.conf.

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init main restart
Signal proxy-server  pid: 17166  signal: 15
Signal container-server  pid: 17167  signal: 15
Signal account-server  pid: 17168  signal: 15
Signal object-server  pid: 17169  signal: 15
object-server (17169) appears to have stopped
container-server (17167) appears to have stopped
account-server (17168) appears to have stopped
proxy-server (17166) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
Starting container-server...(/etc/swift/container-server.conf)
Starting account-server...(/etc/swift/account-server.conf)
Starting object-server...(/etc/swift/object-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.

[root@os ~]#
----------------------------------------------------------------------------------------------------

Step 10: Test with the swift command

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift --insecure stat

       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 8
       Objects: 480
         Bytes: 189030388 
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------

How to setup region in OpenStack object storage (Swift)?

CloudBacko backup software allows you to back up data to OpenStack cloud object storage (Swift).

This article shows you how to set up a region in OpenStack for your backup users. If you are new to OpenStack, consult their documentation on general setup, available at http://docs.openstack.org/

If you already have a running OpenStack, you can follow our steps to set up a different region for users.

Assumptions:

Here are the OpenStack versions used in the following examples:

  • OpenStack Havana Series, Release 2013.2.3
  • Swift version: 2.0.2
  • Keystone version: 0.7.1

Here are the values used in the following examples:

  • OpenStack admin user name: admin
  • OpenStack admin user password: admin
  • Tenant (project) name: mybackup
  • Keystone server IP: 10.7.54.7
  • Keystone user authentication URL: http://10.7.54.7:5000/v2.0
  • Keystone admin URL: http://10.7.54.7:35357/v2.0
  • Keystone admin token: 7b05dab9722d44e7b9a82dc0d1ff74ea
  • Keystone server IP (Region 2): 10.7.54.8

Note: The value of the Keystone admin token can be found in the admin_token variable defined in the keystone configuration file /etc/keystone/keystone.conf.

Requirements and preparations:

Please set up the following variables in the bash profile before you set up the tenant (project), user, roles, storage quota etc.

Step 1: Add the environment variables to the .bash_profile

Example (/root/.bash_profile)

----------------------------------------------------------------------------------------------------
    :
    :
  Trimmed
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=http://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=http://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  Trimmed
    :
    :
----------------------------------------------------------------------------------------------------

Please log in again for the profile to take effect.

Note: The value of OS_SERVICE_TOKEN can be found in the admin_token variable defined in the keystone configuration file /etc/keystone/keystone.conf.

Step 2: Create a new region for OpenStack

If you have a second OpenStack storage installation that you want to attach to your current OpenStack, you can set up a second region on your current OpenStack.

Assume the IP of the second region's OpenStack is 10.7.54.8. You need to find out the swift service id and map the second region on your current OpenStack according to the instructions below.

To list the swift service id, use the keystone service-list command:

Usage: keystone service-list

Example:

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone service-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+------------+--------------+--------------------------------+
|              id                  |    name    |     type     |           description          |
+----------------------------------+------------+--------------+--------------------------------+
| 5f805cc7df2a43eb90db6fe11ed682f6 | ceilometer |   metering   |   Openstack Metering Service   |
| 3134116675a8420a88ef01cdcb0c8728 |   cinder   |    volume    |         Cinder Service         |
| b703b91737954d01a2d180f6c3d575ba |  cinder_v2 |   volumev2   |        Cinder Service v2       |
| cc787cf0258e46d6a342e1502e7bf6be |   glance   |    image     |      Openstack Image Service   |
| b3af7d0a95d34aa7883629df7a7f7f56 |  keystone  |   identity   |    OpenStack Identity Service  |
| 10f1a022ada246138aba5834e3622a91 |  neutron   |   network    |    Neutron Networking Service  |
| 218b5356d65e4d8382297f72d65c8bbb |    nova    |   compute    |    Openstack Compute Service   |
| a809ad43f380400cb55ff2520bb27ab0 |  nova_ec2  |     ec2      |          EC2 Service           | 
| 8b517bd82d4345c895384f9596a29880 |    swift   | object-store | Openstack Object-Store Service |
| 11882e74696547b0ba1e4d276074ae37 |  swift_s3  |     s3       |       Openstack S3 Service     |
+----------------------------------+------------+--------------+--------------------------------+
[root@os ~]# 
----------------------------------------------------------------------------------------------------

To add the second region (RegionTwo) to the ‘swift’ keystone service:

Usage: keystone endpoint-create --region <endpoint-region> --service-id=<swift service-id> --publicurl <public-url> --adminurl <admin-url> --internalurl <internal-url>

Example:

----------------------------------------------------------------------------------------------------
[root@os ~]# keystone endpoint-create --region RegionTwo --service-id=8b517bd82d4345c895384f9596a29880 \
    --publicurl 'http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s' --adminurl 'http://10.7.54.8:8080/v1' \
    --internalurl 'http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s'
+-------------+---------------------------------------------+
|   Property  |                    Value                    |
+-------------+---------------------------------------------+
|   adminurl  |          http://10.7.54.8:8080/v1           |
|      id     |       40c018c7ff934bc4b3d8c0ce8c78d8db      |
| internalurl | http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s |
|  publicurl  | http://10.7.54.8:8080/v1/AUTH_%(tenant_id)s |
|    region   |                   RegionTwo                 |
|  service_id |       8b517bd82d4345c895384f9596a29880      |
+-------------+---------------------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------


Update CloudBacko to v1.7

CloudBacko has officially released version 1.7. The latest version adds OpenStack and Rackspace as cloud backup destinations.

CloudBacko Free is automatically updated to the latest version. CloudBacko Pro and Lite users will receive a notification when they start CloudBacko, as shown below.

Screenshot: Update v1.7 notification

If you do not see the notification, you probably have not switched on the update notification setting. Go directly to Settings and click on Software Update to see the details of the latest version. Click the Update button to start the update process.

Screenshot: Software Update

After the software update, there are two more destination choices in the backup set destinations, as shown below.

Screenshots: Back up to Rackspace; Back up to OpenStack

You only need to fill in the required fields to start backing up to Rackspace or to a cloud repository supported by OpenStack.

CloudBacko backup software v1.7 now supports Rackspace and OpenStack

We just released CloudBacko version 1.7. This latest version adds two more popular cloud storage services, Rackspace Cloud Files and OpenStack, to the list of backup destinations, which already comprises Amazon S3, Google Cloud Storage, Google Drive, Microsoft Azure, Microsoft OneDrive, Dropbox, FTP/SFTP, local drives and mapped network drives. The expanded storage support benefits not only businesses but also service providers.

More storage flexibility for businesses

With the two added cloud storage destinations, CloudBacko gives small and medium businesses more flexibility in choosing their preferred cloud storage service providers. It also offers large enterprises that wish to build (or have already built) a private or hybrid cloud with OpenStack the option to back up data from their servers and workstations in geographically distributed offices onto their own private or hybrid cloud storage. Support for these services removes the need for users to learn the complicated APIs of cloud providers, making cloud backup easy to set up, configure and use.

Lucrative Cloud Backup as a Service for service providers

The adoption of OpenStack is growing strongly among service providers because of its open and extensible nature. Used in conjunction with CloudBacko, existing OpenStack service providers can open a new recurring income stream by offering a cloud backup service to business end users who need to back up VMware, Hyper-V, Microsoft Exchange Server, Microsoft SQL Server, Oracle Database, MySQL Database, etc. to the cloud.

Other managed backup service providers can also benefit from adopting CloudBacko, as it offers a wide range of free and paid cloud storage options for their customers to choose from. Low-budget customers can even combine multiple free cloud storage accounts into a pool at zero cost.

Available to all three editions

The new release applies to all three editions: CloudBacko Pro, CloudBacko Lite and CloudBacko Free. The latest version is immediately available worldwide. Download the 30-day free trial now.