Installation and configuration
Installation
Important
First, set up the environment. All commands must be run as the superuser.
Switch to superuser mode:
sudo -i
Before starting the installation, save the list of previously installed packages; this lets you painlessly restore the system in case of damage. Run the following commands to do this:
mkdir -p /tmp/rollback/journal
pip3 freeze > /tmp/rollback/journal/pip_before.txt
After that, the directory /tmp/rollback/journal will contain the file pip_before.txt with the list of installed applications.
Also save the migration versions:
openstack aos db list -n journal > /tmp/rollback/journal/migrations.txt
Where:
/tmp/rollback/journal/ is the directory for the file;
migrations.txt is the name of the file with migration versions.
Install the Journal package from the Python package repository:
pip3 install journal
Save the list of installed packages after installation to be able to roll back changes:
pip3 freeze > /tmp/rollback/journal/pip_after.txt
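How the two snapshots can be turned into a rollback plan, as an added example (not part of the Journal documentation or its tooling). The sample freeze contents, package versions and the function names are constructed for illustration; in practice the inputs are the contents of pip_before.txt and pip_after.txt.

```python
import re

# Constructed samples standing in for pip_before.txt and pip_after.txt;
# package names and versions are illustrative, not taken from a real install.
BEFORE = """\
PyYAML==5.3.1
requests==2.25.1
six==1.15.0
"""
AFTER = """\
journal==0.0.0
PyYAML==5.3.1
requests==2.28.0
six==1.15.0
SQLAlchemy==1.4.0
"""


def normalize(name):
    """PEP 503 name normalization, so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text):
    """Map normalized package name -> full requirement line from `pip3 freeze`."""
    pkgs = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e ") and "#egg=" in line:
            name = line.rsplit("#egg=", 1)[1]  # editable install
        else:
            # "name==version" (pinned) or "name @ url" (direct reference)
            name = re.split(r"\s*(?:==|@)\s*", line, maxsplit=1)[0]
        pkgs[normalize(name)] = line
    return pkgs


def rollback_plan(before_text, after_text):
    """Return (to_uninstall, to_reinstall) that take the environment back to `before`."""
    before, after = parse_freeze(before_text), parse_freeze(after_text)
    # Packages that appeared during installation are removed.
    to_uninstall = sorted(n for n in after if n not in before)
    # Packages whose pin changed (or that vanished) are reinstalled at the old pin.
    to_reinstall = sorted(line for n, line in before.items() if after.get(n) != line)
    return to_uninstall, to_reinstall
```

The first list is what would be passed to `pip3 uninstall -y`, the second to `pip3 install`.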
Note
To install Journal on Astra Linux (Smolensk), do the following:
Connect the provided repository with AccentOs packages.
Install the package with the command:
sudo apt install -y aos-journal
Configuration
Note
We consider setting up the launch of the API logging service through the WSGI server supplied with the eventlet library. To launch the service through another WSGI server (Nginx + Gunicorn, Apache + mod_wsgi, etc.), see the documentation for the corresponding server. The WSGI application path is journal.api.journal_api.wsgi.
Perform initial configuration of the module:
openstack aos configure -n journal
Create a directory for logs with the required permissions:
mkdir -p /var/log/aos/journal
chown -R aos:aos /var/log/aos/journal
Copy the sample configuration files. If you use non-standard parameters, edit them (for details, see Configuration file):
cp /etc/aos/aos.conf.example /etc/aos/aos.conf
cp /etc/aos/journal.conf.example /etc/aos/journal.conf
Create the database (MySQL is used as an example) and set the access rights, database type and other parameters:
# Log in to the database using the root password
mysql -uroot -p
# Create journal database
CREATE DATABASE journal;
# Give permission to read, edit, perform any actions on all tables in journal database
GRANT ALL PRIVILEGES ON journal.* TO 'aos'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON journal.* TO 'aos'@'%' IDENTIFIED BY 'password';
# Exit the database
exit
Edit the [database] section of the configuration file /etc/aos/journal.conf, for example:
[database]
url = mysql+pymysql://aos:password@tst.stand.loc:3306/journal?charset=utf8
Migrate database:
openstack aos db migrate -n journal
Configure the RabbitMQ Server message broker:
rabbitmqctl add_user aos password
rabbitmqctl add_vhost aos
rabbitmqctl set_permissions -p aos aos ".*" ".*" ".*"
rabbitmqctl set_permissions aos ".*" ".*" ".*"
Grant the RabbitMQ user permissions on the virtual hosts of the OpenStack services (default is /):
rabbitmqctl set_permissions -p / aos ".*" ".*" ".*"
Create a user in OpenStack for API services:
openstack user create --domain default --project service --project-domain default --password password --or-show aos
Assign the service role to the user:
openstack role add --user aos --user-domain default --project service --project-domain default service
Enable and start the systemd services:
systemctl daemon-reload
systemctl enable aos-journal-api.service
systemctl start aos-journal-api.service
systemctl enable aos-journal-listener.service
systemctl start aos-journal-listener.service
Create the Journal API service:
openstack service create --name journal --description "Journal Service" journal
Create the endpoints:
openstack endpoint create --region RegionOne journal internal http://controller:9360
openstack endpoint create --region RegionOne journal admin http://controller:9360
openstack endpoint create --region RegionOne journal public http://controller:9360
Restart the Nova services; this is required to enable logging:
# Debian
systemctl restart nova-api.service
Configuration file
Note
The configuration file allows you to override sections and parameters of the general aos.conf file for a specific module.
Note
By default, the file journal.conf.example contains no lines that set the logging level; add it if necessary. The logging level is set by default in the general configuration file. More information about the configuration files can be found in the corresponding section.
The configuration file is in ini format and consists of the following sections and parameters:
Section | Parameter | Description | Default value |
---|---|---|---|
api | host | IP address where the Journal API service will run. | 0.0.0.0 |
api | logfile | Path to log file of aos-journal-api service. | |
api | port | Port where the Journal API service will run. | 9360 |
database | url | Setting up connection to database. | mysql+pymysql://aos:password@localhost:3306/journal |
listener | durability | Durability of RabbitMQ queue and exchange. | True |
listener | keystone_rabbit_vhost | RabbitMQ virtual host of Keystone service. | / |
listener | logfile | Path to log file of aos-journal-listener service. | |
listener | nova_rabbit_vhost | Nova RabbitMQ service virtual host. | / |
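A review check for the [database] and [api] parameters above, as an added example (not part of the Journal module). It treats an omitted parameter as its default value from the table; the function name and the list of placeholder passwords are assumptions made for this illustration, and the sample configuration is constructed from the values shown on this page.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the [database] example from this page plus the [api] defaults.
SAMPLE_CONF = """\
[api]
host = 0.0.0.0
port = 9360

[database]
url = mysql+pymysql://aos:password@tst.stand.loc:3306/journal?charset=utf8
"""

# Default from the parameter table; applies when [database] url is omitted.
DEFAULT_DB_URL = "mysql+pymysql://aos:password@localhost:3306/journal"
# Assumption: illustrative list of passwords that only belong in documentation.
PLACEHOLDER_PASSWORDS = {"password", "secret", "changeme"}


def audit_journal_conf(text):
    """Return (section, parameter, finding) tuples for an ini-format journal.conf."""
    # interpolation=None: a '%' inside a real password must not be expanded.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []

    url = cfg.get("database", "url", fallback=DEFAULT_DB_URL)
    password = urlsplit(url).password
    if not password:
        findings.append(("database", "url", "no password in connection URL"))
    elif password.lower() in PLACEHOLDER_PASSWORDS:
        findings.append(("database", "url", "documentation placeholder password in use"))

    # A missing host behaves like the table default, 0.0.0.0.
    host = cfg.get("api", "host", fallback="0.0.0.0")
    if host in ("0.0.0.0", "::"):
        findings.append(("api", "host", "API listens on all interfaces"))
    return findings
```

An empty file produces the same two findings as the sample, because both defaults apply.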
Configuring auditing of actions on OpenStack objects
Install and configure Nova Journal Middleware.
Follow these steps to log actions on Keystone objects:
Set the format of notifications in the configuration file /etc/keystone/keystone.conf:
[DEFAULT]
notification_format = cadf
Configure the message driver in the /etc/keystone/keystone.conf file:
[oslo_messaging_notifications]
driver = messagingv2
transport_url = rabbit://username:password@hostname
After that, you need to restart the web server, the services, and the Nova and Keystone services:
# Debian:
systemctl restart apache2
systemctl restart nova-api.service
systemctl restart keystone.service
systemctl restart aos-*