This container was created to enable integration testing against swift; it is therefore NOT SECURE AND SHOULD NOT BE USED IN PRODUCTION.
The container starts both a swift and a keystone service so that integration tests can run against all 3 of swift’s authentication modes (swift’s internal tempAuth, keystone Identity v2 API and keystone Identity v3 API) with a single container.
This container was written from scratch from the openstack installation documentation for keystone and swift. However it was also written after study of existing containers.
Note that I decided against using Kolla since it is still in an early stage, and the corresponding containers only seem to run if you run them through kolla as they require an external configuration file. I was unable to make them work or to find out what the configuration file should look like. However, if you want to deploy production systems this could be the best solution.
This container is based on Ubuntu 16.04 and uses the ubuntu cloud-archive repository for openstack pike.
It embeds:
- keystone 12.0.0
- Swift 2.15.1
This specific release was chosen on purpose as it is the last release to support all 3 authentication protocols for swift: Identity v2, Identity v3 and tempAuth. Starting with openstack queens, the deprecated Identity v2 was removed. Since some hosting companies still use that protocol and the app I am testing (apache james) could be used against any provider, I needed to test all three protocols.
I start the container using the following command:
docker run -d --rm -p 5000 -p 35357 -p 8080 --name keystone jeantil/openstack-keystone-swift:pike
By default the container’s keystone integration is not fully configured. The tempAuth works fine though.
To complete the keystone integration you must run the /swift/bin/register-swift-endpoint.sh script inside the container with the appropriate endpoint url provided. This is because keystone returns the endpoint url in the authentication response, so it has to know where the client expects to connect.
If you only need to expose the port on the docker internal network you can use the following command:
docker exec -it keystone /swift/bin/register-swift-endpoint.sh http://127.0.0.1:8080/
However if you need to access the container from the outside using the docker port mapping feature you will need to register against the port chosen by docker which can be found using docker ps.
For example given the following docker ps output:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
40cd064477b5 jeantil/openstack-keystone-swift:pike "/swift/bin/launch.sh" 15 minutes ago Up 15 minutes 0.0.0.0:32920->5000/tcp, 0.0.0.0:32919->8080/tcp, 0.0.0.0:32918->35357/tcp keystone
use
docker exec -it keystone /swift/bin/register-swift-endpoint.sh http://127.0.0.1:32919/
to complete the keystone setup. Once this is done you can use one of the preconfigured credentials to authenticate against the container.
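The port lookup above can be scripted. The following is an added example, not part of the image or the original page: it parses the output of `docker port keystone 8080/tcp`, builds the URL for register-swift-endpoint.sh, and reports bindings that are reachable beyond loopback. The function names and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example. Input is the output of `docker port <container> 8080/tcp`,
# which prints one "address:port" binding per line.

# Print the host port of the first binding.
host_port() {
    printf '%s\n' "$1" | sed -n '1s/.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# Print every binding that is not on a loopback address. With the fixed,
# public credentials of this image, such a binding exposes the admin
# account to anything that can reach the host.
non_loopback_bindings() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        addr=${line%:*}
        case "$addr" in
            127.*|'[::1]'|'::1') ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Build the URL to hand to register-swift-endpoint.sh.
swift_endpoint_url() {
    port=$(host_port "$1")
    [ -n "$port" ] || return 1
    printf 'http://127.0.0.1:%s/\n' "$port"
}

# Constructed sample outputs (not captured from a real run).
SAMPLE_ALL_IFACES='0.0.0.0:32919
[::]:32919'
SAMPLE_LOOPBACK='127.0.0.1:32919'

# Live use: needs docker and the running container named "keystone".
register_swift_endpoint() {
    bindings=$(docker port keystone 8080/tcp) || return 1
    exposed=$(non_loopback_bindings "$bindings")
    if [ -n "$exposed" ]; then
        echo "warning: swift published beyond loopback: $exposed" >&2
    fi
    docker exec keystone /swift/bin/register-swift-endpoint.sh \
        "$(swift_endpoint_url "$bindings")"
}
```

Starting the container with `-p 127.0.0.1::5000 -p 127.0.0.1::35357 -p 127.0.0.1::8080` instead of the bare container ports keeps the random host ports on loopback, so the warning stays silent.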
For convenience, the following commands are available in the container:
- openstack
- swift
- curl
- http (from https://httpie.org)
- jq (from https://stedolan.github.io/jq/)
This is why this container is highly insecure: the credentials, including the administrative account, are fixed and public. You really don’t want that in production, but for a short-lived container used only for tests it shouldn’t be an issue.
Default endpoint http://127.0.0.1:35357/v3
# admin account
export OS_USERNAME=admin
export OS_PASSWORD=7a04a385b907caca141f
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3

# swift service account
export OS_USERNAME=swift
export OS_PASSWORD=fingertips
export OS_PROJECT_NAME=service
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://127.0.0.1:35357/v3
export OS_IDENTITY_API_VERSION=3
Note that Keystone Identity V2 is deprecated and was removed after the openstack pike release.
Default endpoint http://127.0.0.1:35357/v2.0
Default endpoint http://127.0.0.1:8080/auth/v1.0
# Keystone Identity v3
echo '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"demo","domain":{"name":"Default"},"password":"demo"}}},"scope":{"project":{"domain":{"id":"default"},"name":"test"}}}}' | http POST :35357/v3/auth/tokens
# Keystone Identity v2
echo '{"auth": {"passwordCredentials": {"username": "demo","password": "demo"},"tenantName": "test"}}' | http POST :35357/v2.0/tokens
# TempAuth
http http://127.0.0.1:8080/auth/v1.0 X-Storage-User:test:tester X-Storage-Pass:testing
# Keystone Identity v3
curl -X POST -H 'Content-Type: application/json' -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"demo","domain":{"name":"Default"},"password":"demo"}}},"scope":{"project":{"domain":{"id":"default"},"name":"test"}}}}' http://127.0.0.1:35357/v3/auth/tokens
# Keystone Identity v2
curl -X POST -H 'Content-Type: application/json' -d '{"auth": {"passwordCredentials": {"username": "demo","password": "demo"},"tenantName": "test"}}' http://127.0.0.1:35357/v2.0/tokens
# TempAuth
curl -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:8080/auth/v1.0
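Each mode returns its token in a different place: Identity v3 in the X-Subject-Token response header, Identity v2 in the JSON body at access.token.id, and TempAuth in the X-Auth-Token header alongside X-Storage-Url. The following is an added example, not part of the original page, that extracts them from `curl -si` output; the function names and the sample responses are constructed.

```sh
#!/bin/sh
# Added example. header_value reads a `curl -si` response on stdin and prints
# the value of one header (name matched case-insensitively, CR removed).
header_value() {
    tr -d '\r' | awk -v want="$1" '
        /^$/ { exit }    # blank line: end of headers, never scan the body
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
            }
        }'
}

# Identity v2: the token is in the JSON body of POST /v2.0/tokens (needs jq).
v2_token() { jq -r '.access.token.id'; }

# Constructed sample responses (values are placeholders, not real tokens).
V3_RESPONSE='HTTP/1.1 201 Created
X-Subject-Token: constructed-v3-token
Content-Type: application/json

{"token":{}}'
TEMPAUTH_RESPONSE='HTTP/1.1 200 OK
X-Storage-Url: http://127.0.0.1:8080/v1/AUTH_test
X-Auth-Token: AUTH_tkconstructed
'

# Live use: authenticate with TempAuth, then list the account containers.
tempauth_list_containers() {
    resp=$(curl -si -H 'X-Storage-User: test:tester' \
        -H 'X-Storage-Pass: testing' http://127.0.0.1:8080/auth/v1.0) || return 1
    token=$(printf '%s\n' "$resp" | header_value X-Auth-Token)
    url=$(printf '%s\n' "$resp" | header_value X-Storage-Url)
    [ -n "$token" ] && [ -n "$url" ] || return 1
    curl -s -H "X-Auth-Token: $token" "$url"
}
```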