bflorat/openstack-swift-keystone-docker

A docker image running both swift and keystone openstack services for TESTING purposes

Openstack swift and keystone docker container

What is this container ?

This container was created to enable integration testing against swift, it is therefore NOT SECURE AND SHOULD NOT BE USED IN PRODUCTION.

The container starts both a swift and a keystone service so that integration tests can run against all 3 of swift authentication modes (swift’s internal tempAuth, keystone Identity v2 API and keystone Identity v3 API) with a single container.

This container was written from scratch from the openstack installation documentation for keystone and swift. However it was also written after study of existing containers.

Note that I decided against using Kolla since it is still in an early stage, and the corresponding containers only seem to run if you run them through kolla as they require an external configuration file. I was unable to make them work or to find out what the configuration file should look like. However, if you want to deploy production systems this could be the best solution.

Versions

This container is based on Ubuntu 16:04 and uses the ubuntu cloud-archive repository for openstack pike.

It embeds:

• keystone 12.0.0

• Swift 2.15.1

This specific release was chosen on purpose as it is the last release to support all 3 authentication protocols for swift : Identity v2, Identity v3 and tempAuth. Starting with openstack queens, the deprecated Identity v2 was removed. Since some hosting companies still use that protocol and the app I am testing (apache james) could be used against any provider, I needed to test all three protocols.

How to use this container

I start the container using the following command:

docker run -d --rm  -p 5000 -p 35357 -p 8080 --env KS_SWIFT_PUBLIC_URL=http://127.0.0.1:8080 --name keystone jeantil/openstack-keystone-swift:pike

The KS_SWIFT_PUBLIC_URL needs to match the host port that container port 8080 is mapped to. Because keystone returns the endpoint url in the authentication response, it has to know where the client expects to connect.

If you need to customize the port that the swift endpoint is using, you must change the port mapping and the KS_SWIFT_PUBLIC_URL environment variable. For example, to run on host port 8089 you would use the following docker run command:

docker run -d --rm  -p 5000 -p 35357 -p 8089:8080 --env KS_SWIFT_PUBLIC_URL=http://127.0.0.1:8089 --name keystone jeantil/openstack-keystone-swift:pike

Once this is done you can use one of the preconfigured credentials to authenticate against the container.

For convenience, the following commands are available in the container :

• openstack

• swift

• curl

• http (from https://httpie.org)

• jq (from https://stedolan.github.io/jq/)

Preconfigured credentials

This is why this container is highly insecure, the crendentials including the administrative account are fixed and public. You really don’t wan’t that in production but for a short lived container used for test only it shouldn’t be an issue.

Keystone Identity v3 accounts

Default endpoint http://127.0.0.1:35357/v3

Administrative account

export OS_USERNAME=admin
export OS_PASSWORD=7a04a385b907caca141f
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

swift service account

export OS_USERNAME=swift
export OS_PASSWORD=fingertips
export OS_PROJECT_NAME=service
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

demo user account

export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_PROJECT_NAME=test
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

Keystone Identity v2 accounts

Note that Keystone Identity V2 is deprecated and was removed after the openstack pike release.

Default endpoint http://127.0.0.1:35357/v2.0

Administrative account

USERNAME=admin
PASSWORD=7a04a385b907caca141f
TENANT_NAME=admin

swift service account

USERNAME=swift
PASSWORD=fingertips
TENANT_NAME=service

demo user account

USERNAME=demo
PASSWORD=demo
TENANT_NAME=test

Swift tempAuth accounts

Default endpoint http://127.0.0.1:8080/auth/v1.0

Admin account

USERNAME=admin
PASSWORD=admin
TENANT_NAME=admin

tester account

USERNAME=tester
PASSWORD=testing
TENANT_NAME=test

tester2 account

USERNAME=tester2
PASSWORD=testing2
TENANT_NAME=test2

tester3 account

USERNAME=tester3
PASSWORD=testing3
TENANT_NAME=test

tester5 account

USERNAME=tester5
PASSWORD=testing5
TENANT_NAME=test5

Sample httpie commands

# Keystone Identity v3
echo '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"demo","domain":{"name":"Default"},"password":"demo"}}},"scope":{"project":{"domain":{"id":"default"},"name":"test"}}}}' | http POST :35357/v3/auth/tokens

# Keystone Identity v2
echo '{"auth": {"passwordCredentials": {"username": "demo","password": "demo"},"tenantName": "test"}}' | http POST :35357/v2.0/tokens

# TempAuth
http http://127.0.0.1:8080/auth/v1.0 X-Storage-User:test:tester X-Storage-Pass:testing

Sample curl commands

# Keystone Identity v3
curl -X POST -H 'Content-Type: application/json' -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"demo","domain":{"name":"Default"},"password":"demo"}}},"scope":{"project":{"domain":{"id":"default"},"name":"test"}}}}' http://127.0.0.1:35357/v3/auth/tokens

# Keystone Identity v2
curl -X POST -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"username": "demo","password": "demo"},"tenantName": "test"}}' http://127.0.0.1:35357/v2.0/tokens

# TempAuth
curl -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:8080/auth/v1.0