Installation and configuration

Installation

Important

First, set up the environment. All commands are executed as the superuser only.

Switch to superuser mode:

sudo -i

  1. Save the list of previously installed packages before starting the installation; this will let you restore the system painlessly if it is damaged. Run the following commands to do this:

    mkdir -p /tmp/rollback/journal
    pip3 freeze > /tmp/rollback/journal/pip_before.txt
    

    After that, the directory /tmp/rollback/journal will contain the file pip_before.txt with the list of installed packages.

  2. Also save the migration versions:

    openstack aos db list -n journal > /tmp/rollback/journal/migrations.txt
    

    Where:

    • /tmp/rollback/journal/ is the directory the file is written to;
    • migrations.txt is the name of the file with the migration versions.
  3. Install the Journal package:

    • from Python package repository:

      pip3 install journal
      
  4. Save the list of installed packages after the installation so that the changes can be rolled back:

    pip3 freeze > /tmp/rollback/journal/pip_after.txt
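
To show what the two snapshots are for, here is an added example (not part of the Journal package or its documentation) that computes a rollback plan from pip_before.txt and pip_after.txt and builds the pip commands that apply it. The sample listings are constructed; the plan uninstalls packages the installation added and reinstalls the previous pinned versions of packages it upgraded or removed.

```python
"""Added example, not part of the Journal package: build a rollback plan from the
pip_before.txt / pip_after.txt snapshots taken in steps 1 and 4."""
import subprocess
import sys

# Constructed sample listings standing in for /tmp/rollback/journal/pip_before.txt
# and pip_after.txt; the real files are whatever `pip3 freeze` wrote.
SAMPLE_BEFORE = """\
requests==2.25.1
six==1.15.0
urllib3==1.26.5
"""
SAMPLE_AFTER = """\
journal==1.0.0
requests==2.28.0
six==1.15.0
"""


def parse_freeze(text):
    """Map a lower-cased package name to its requirement line from a `pip3 freeze` listing.
    Blank lines and comments are skipped; lines without '==' (editable or VCS installs)
    are keyed by their full text so they are still compared exactly."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split("==", 1)[0] if "==" in line else line
        pins[name.lower()] = line
    return pins


def rollback_plan(before_text, after_text):
    """Return (to_uninstall, to_reinstall).

    to_uninstall: names that exist only in the 'after' snapshot (added by the install).
    to_reinstall: 'before' requirement lines whose package was upgraded, downgraded or
                  removed, so reinstalling them restores the previous pinned version."""
    before = parse_freeze(before_text)
    after = parse_freeze(after_text)
    to_uninstall = sorted(name for name in after if name not in before)
    to_reinstall = sorted(req for name, req in before.items() if after.get(name) != req)
    return to_uninstall, to_reinstall


def rollback_commands(to_uninstall, to_reinstall):
    """Translate the plan into pip invocations. --no-deps keeps pip from pulling in
    versions that differ from the ones pinned in the snapshot."""
    cmds = []
    if to_uninstall:
        cmds.append([sys.executable, "-m", "pip", "uninstall", "-y", *to_uninstall])
    if to_reinstall:
        cmds.append([sys.executable, "-m", "pip", "install", "--no-deps", *to_reinstall])
    return cmds


def apply_rollback(before_text, after_text, dry_run=True):
    """Print the commands; run them only when dry_run is False."""
    cmds = rollback_commands(*rollback_plan(before_text, after_text))
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Usage: python3 rollback.py pip_before.txt pip_after.txt [--apply]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f_before, open(sys.argv[2]) as f_after:
            apply_rollback(f_before.read(), f_after.read(), dry_run="--apply" not in sys.argv)
    else:
        apply_rollback(SAMPLE_BEFORE, SAMPLE_AFTER)
```

Run it without --apply first: the dry run prints the exact pip commands, so the plan can be reviewed before anything is removed from the system.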
    

Note

To install Journal on Astra Linux (Smolensk), do the following:

  1. Connect the provided repository with AccentOs packages.

  2. Install the package with the command:

    sudo apt install -y aos-journal
    

Configuration

Note

This section describes launching the API logging service through the WSGI server supplied with the eventlet library. To launch the service through another WSGI server (Nginx + Gunicorn, Apache + mod_wsgi, etc.), see that server's documentation. The WSGI application path is journal.api.journal_api.wsgi.

  1. Perform initial configuration of the module:

    openstack aos configure -n journal
    
  2. Create the log directory with the required permissions:

    mkdir -p /var/log/aos/journal
    chown -R aos:aos /var/log/aos/journal
    
  3. Copy the sample configuration files; if you use non-standard parameters, edit them (for details, see Configuration file):

    cp /etc/aos/aos.conf.example /etc/aos/aos.conf
    cp /etc/aos/journal.conf.example /etc/aos/journal.conf
    
  4. Create the database (MySQL is used as an example), grant the rights and set the database type and other parameters:

    # Log in to the database using the root password
    mysql -uroot -p
    # Create the journal database
    CREATE DATABASE journal;
    # Grant the aos user the right to read, edit and perform any action on all tables in the journal database
    # (the '%' entry accepts connections from any host; narrow it to the API host's address
    #  if the database is reachable from other networks)
    GRANT ALL PRIVILEGES ON journal.* TO 'aos'@'localhost' IDENTIFIED BY 'password';
    GRANT ALL PRIVILEGES ON journal.* TO 'aos'@'%' IDENTIFIED BY 'password';
    # Exit the database
    EXIT;
    
  5. Edit the [database] section of the configuration file /etc/aos/journal.conf, for example:

    [database]
    url = mysql+pymysql://aos:password@tst.stand.loc:3306/journal?charset=utf8
    
  6. Migrate the database:

    openstack aos db migrate -n journal
    
  7. Configure RabbitMQ Server message broker:

    rabbitmqctl add_user aos password
    rabbitmqctl add_vhost aos
    rabbitmqctl set_permissions -p aos aos ".*" ".*" ".*"
    rabbitmqctl set_permissions aos ".*" ".*" ".*"
    
  8. Grant the RabbitMQ user permissions on the virtual host used by the OpenStack services (default is /):

    rabbitmqctl set_permissions -p / aos ".*" ".*" ".*"
    
  9. Create a user in OpenStack for the API services:

    openstack user create --domain default --project service --project-domain default --password password --or-show aos
    
  10. Assign the service role to the user:

    openstack role add --user aos --user-domain default --project service --project-domain default service
    
  11. Enable and start systemd services:

    systemctl daemon-reload
    systemctl enable aos-journal-api.service
    systemctl start aos-journal-api.service
    systemctl enable aos-journal-listener.service
    systemctl start aos-journal-listener.service
    
  12. Create Journal API service:

    openstack service create --name journal --description "Journal Service" journal
    
  13. Create endpoints:

    openstack endpoint create --region RegionOne journal internal http://controller:9360
    openstack endpoint create --region RegionOne journal admin http://controller:9360
    openstack endpoint create --region RegionOne journal public http://controller:9360
    
  14. Restart the Nova services; this is required to enable logging:

    # Debian
    systemctl restart nova-api.service
    

Configuration file

Note

The module configuration file allows overriding sections and parameters of the general aos.conf file for a specific module.

Note

By default, the file journal.conf.example contains no logging level lines; add them if necessary. The logging level is set by default in the general configuration file. More information about the configuration files can be found in the corresponding section.

The configuration file is in INI format and consists of the following sections and parameters:

Section   Parameter              Description                                                Default value
--------  ---------------------  ---------------------------------------------------------  ---------------------------------------------------
api       host                   IP address where the Journal API service will run.         0.0.0.0
api       logfile                Path to the log file of the aos-journal-api service.
api       port                   Port where the Journal API service will run.               9360
database  url                    Database connection URL.                                   mysql+pymysql://aos:password@localhost:3306/journal
listener  durability             Durability of the RabbitMQ queue and exchange.             True
listener  keystone_rabbit_vhost  RabbitMQ virtual host of the Keystone service.             /
listener  logfile                Path to the log file of the aos-journal-listener service.
listener  nova_rabbit_vhost      RabbitMQ virtual host of the Nova service.                 /
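
The following added example (not part of the Journal package) shows how the module file journal.conf overrides the general aos.conf, as the note above describes, and sanity-checks the effective [api], [database] and [listener] values. Both configuration texts are constructed samples and the defaults mirror the parameter table; the checks (interface binding, credentials in the database URL, file mode) are this example's own, not a feature of the module.

```python
"""Added example, not part of the Journal package: resolve the effective configuration
(module file over general file over table default) and report risky settings."""
import configparser
import os
import stat
from urllib.parse import urlsplit

# Constructed sample of the general file (/etc/aos/aos.conf).
AOS_CONF = """\
[api]
host = 0.0.0.0
[database]
url = mysql+pymysql://aos:password@localhost:3306/aos
"""

# Constructed sample of the module file (/etc/aos/journal.conf); its [database]
# section overrides the one in aos.conf.
JOURNAL_CONF = """\
[api]
port = 9360
logfile = /var/log/aos/journal/api.log
[database]
url = mysql+pymysql://aos:password@tst.stand.loc:3306/journal?charset=utf8
[listener]
durability = True
"""

# Defaults taken from the parameter table for this module.
DEFAULTS = {
    ("api", "host"): "0.0.0.0",
    ("api", "port"): "9360",
    ("database", "url"): "mysql+pymysql://aos:password@localhost:3306/journal",
    ("listener", "durability"): "True",
    ("listener", "keystone_rabbit_vhost"): "/",
    ("listener", "nova_rabbit_vhost"): "/",
}


def load(text):
    """Parse one INI text; interpolation is off so a '%' in a password is not expanded."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective(general, module, section, option):
    """Return (value, source): the module file wins, then the general file, then the default."""
    for source, cp in (("module", module), ("general", general)):
        if cp.has_option(section, option):
            return cp.get(section, option), source
    if (section, option) in DEFAULTS:
        return DEFAULTS[(section, option)], "default"
    raise KeyError("%s.%s is not set anywhere" % (section, option))


def check_config(general, module):
    """Return a list of findings about the effective configuration (empty if all is well)."""
    findings = []
    host, _ = effective(general, module, "api", "host")
    if host == "0.0.0.0":
        findings.append("api.host=0.0.0.0 listens on every interface; bind to the management "
                        "address unless the API must be reachable from elsewhere")
    port = int(effective(general, module, "api", "port")[0])
    if not 1 <= port <= 65535:
        findings.append("api.port=%d is outside 1-65535" % port)
    url, _ = effective(general, module, "database", "url")
    parts = urlsplit(url)
    if parts.password:
        findings.append("database.url embeds the database password; keep the file readable "
                        "only by the aos user")
        if parts.hostname not in ("localhost", "127.0.0.1"):
            findings.append("database.url sends that password to remote host %s; make sure "
                            "the MySQL connection is TLS-protected" % parts.hostname)
        if parts.password == "password":
            findings.append("database.url still carries the sample password from the documentation")
    durability, _ = effective(general, module, "listener", "durability")
    if durability.lower() not in ("true", "false"):
        findings.append("listener.durability=%r must be True or False" % durability)
    return findings


def world_readable(mode):
    """True if the permission bits let users outside the owner and group read the file."""
    return bool(mode & stat.S_IROTH)


def check_file_mode(path):
    """Finding for an on-disk configuration file, or None; it carries credentials, so o+r matters."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if world_readable(mode):
        return "%s is world-readable (mode %o); chmod 640 and chown aos:aos" % (path, mode)
    return None


if __name__ == "__main__":
    general, module = load(AOS_CONF), load(JOURNAL_CONF)
    for section, option in sorted(DEFAULTS):
        value, source = effective(general, module, section, option)
        print("%s.%s = %s  (%s)" % (section, option, value, source))
    for finding in check_config(general, module):
        print("WARNING:", finding)
```

Point load() at the real /etc/aos/aos.conf and /etc/aos/journal.conf contents to check a deployed configuration; check_file_mode() then complements it by flagging a file that any local user can read.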

Configuring auditing of actions on OpenStack objects

  1. Install and configure Nova Journal Middleware.

  2. Follow these steps to log actions on Keystone objects:

    • Set the format of notifications in the configuration file /etc/keystone/keystone.conf:

      [DEFAULT]
      notification_format = cadf
      
    • Configure the message driver in /etc/keystone/keystone.conf file:

      [oslo_messaging_notifications]
      driver = messagingv2
      transport_url = rabbit://username:password@hostname
      
    • After that, restart the web server and the Nova, Keystone and AOS services:

      # Debian:
      systemctl restart apache2
      systemctl restart nova-api.service
      systemctl restart keystone.service
      systemctl restart aos-*
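
Once notification_format = cadf and the messagingv2 driver are in place, Keystone publishes CADF events on the message bus. The following added example (not part of Journal or Keystone) decodes one such notification and reduces it to an audit line. The message is a constructed sample; its field names follow the oslo.messaging v2 envelope ("oslo.version"/"oslo.message") and the CADF event payload, and the identifiers in it are placeholders.

```python
"""Added example, not part of Journal or Keystone: decode a Keystone CADF notification
as delivered by the messagingv2 driver and turn it into a one-line audit record."""
import json

CADF_EVENT_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# Constructed sample of a message on the Keystone notification queue (user creation).
SAMPLE_ENVELOPE = json.dumps({
    "oslo.version": "2.0",
    "oslo.message": json.dumps({
        "message_id": "00000000-0000-4000-8000-000000000001",
        "publisher_id": "identity.controller",
        "event_type": "identity.user.created",
        "priority": "INFO",
        "timestamp": "2024-01-01 12:00:00.000000",
        "payload": {
            "typeURI": CADF_EVENT_URI,
            "eventType": "activity",
            "id": "00000000-0000-4000-8000-000000000002",
            "eventTime": "2024-01-01T12:00:00.000000+0000",
            "action": "created.user",
            "outcome": "success",
            "initiator": {
                "typeURI": "service/security/account/user",
                "id": "admin-user-id",
                "project_id": "admin-project-id",
                "host": {"address": "10.0.0.5", "agent": "python-keystoneclient"},
            },
            "target": {"typeURI": "service/security/account/user", "id": "new-user-id"},
            "observer": {"typeURI": "service/security", "id": "keystone-observer-id"},
        },
    }),
})


def decode_envelope(raw):
    """Unwrap the oslo.messaging v2 envelope: the notification is a JSON string inside JSON."""
    envelope = json.loads(raw)
    if envelope.get("oslo.version") != "2.0":
        raise ValueError("unexpected envelope version %r" % envelope.get("oslo.version"))
    return json.loads(envelope["oslo.message"])


def is_cadf(notification):
    """True when the payload is a CADF event, i.e. what notification_format = cadf produces."""
    payload = notification.get("payload")
    return isinstance(payload, dict) and payload.get("typeURI") == CADF_EVENT_URI


def cadf_summary(notification):
    """Pull the who / what / on-which / outcome fields an auditor needs out of the payload."""
    if not is_cadf(notification):
        raise ValueError("not a CADF event; check notification_format = cadf in keystone.conf")
    payload = notification["payload"]
    initiator = payload.get("initiator", {})
    return {
        "event_time": payload.get("eventTime"),
        "event_type": notification.get("event_type"),
        "action": payload.get("action"),
        "outcome": payload.get("outcome"),
        "initiator_id": initiator.get("id"),
        "initiator_address": initiator.get("host", {}).get("address"),
        "target_id": payload.get("target", {}).get("id"),
    }


def audit_line(notification):
    """One line per event; anything other than a successful outcome is marked."""
    s = cadf_summary(notification)
    marker = "" if s["outcome"] == "success" else " [FAILED]"
    return ("{event_time} {event_type} action={action} outcome={outcome}{marker} "
            "initiator={initiator_id}@{initiator_address} target={target_id}").format(marker=marker, **s)


if __name__ == "__main__":
    print(audit_line(decode_envelope(SAMPLE_ENVELOPE)))
```

A message whose payload is not a CADF event usually means notification_format was left at its default in keystone.conf; is_cadf() lets a consumer detect that instead of silently logging half-empty records.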