openstack nova 基础知识——policy

版权声明:本文为博主原创文章,遵循 CC 4.0 by-sa 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hackerain/article/details/8241691

终于到了可以总结的时候了,policy本身的实现机制并不难,对我来说,难就难在python语法上,policy用到了很多高级的语法,逻辑性比较复杂,要理清其中的关系,还是要费一番功夫的。为此,还总结了另一篇blog,介绍了一下policy中用到的较为经典的语法。


1. 首先还是先来了解一下什么是policy,它是用来做什么的


在openstack的用户管理中,有三个概念:Users, Tenants, Roles。简单来说,policy就是用来控制某一个User在某个Tenant中的权限的。这个User能执行什么操作,不能执行什么操作,就是通过policy机制来实现的。直观的看,policy就是一个json文件,位于/etc/[SERVICE_CODENAME]/policy.json中,每一个服务都有一个对应的policy.json文件,通过配置这个文件,实现了对User的权限管理。

另外就是还有一个角色(role)的概念,这个概念肯定都很熟悉了,是权限的集合,可以将role赋予某个user,使这个user拥有相应的权限,方便用户权限管理。policy.json文件可以在role的级别配置,不过默认的配置的角色只有admin,如果需要配置其他的角色,需要自己创建,然后在policy.json中进行配置。

接下来,看一下policy.json长什么样子:

{
"context_is_admin":  "role:admin",
"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"compute:create": "role:admin",
"compute:create:attach_network": "",
"compute:create:attach_volume": "",
"compute:create:forced_host": "is_admin:True",
"compute:get_all": "",
......
}

policy.json有两种写法,一种是每一行写成列表形式的,另一种就是上面的例子,是写成字符串形式的,这里只说后面一种情况。

每一行可以分为两部分:冒号前面的叫做action,即用户执行的操作,冒号后面的叫rule,即用来根据当前的上下文(context),来判断前面的action是否能够由当前的user执行。policy做的主要工作,就是来解析这个rule的,要把这个字符串的rule,解析成相应的对象,在外部调用policy进行权限认证的时候,根据action映射到相应的rule对象,然后由这个对象判断是否能够执行这个action。

但是如上面的例子,像context_is_admin,admin_or_owner这样的action,怎么看都不像action,它们的确不是action,后面会讲到是怎么回事。


2. 如何实现

这部分功能的实现主要在nova/openstack/common/policy.py模块中实现,首先还是先来看看这个模块的整体结构图:


首先就是那个Rules类,它继承自dict,也就是说Rules是一个字典类型的,它的对象就是保存解析之后的policy.json文件得到的数据的,key保存的是action,value保存的是解析rule得到的对象。这个Rules对象被创建后,会赋值给模块中的_rules变量。

其次是BaseCheck体系类,它们就对应的是rule字符串解析之后得到的对象,即Rules对象的value保存的就是BaseCheck对象。这个类体系可以分为三类:

1)TrueCheck和FalseCheck:解析他们是最简单的,rule如果是空字符串或者是"@"的话,那么就直接对应的是TrueCheck对象,这个对象的返回值总为True;如果rule是"!"的话,那么就对应FalseCheck对象,总是返回False,如果rule不对应任何对象,那么它就最终对应FalseCheck对象

2)RuleCheck, RoleCheck, HttpCheck, GenericCheck:rule字符串中,冒号左边是"rule"的,都会解析成RuleCheck对象,冒号左边是"role"的都会解析成RoleCheck,冒号左边是"http"的都会解析成RoleCheck对象,如果是其他的情况,那么就对应GenericCheck对象,比如rule为is_admin:True的情况。

3)OrCheck, AndCheck, NotCheck:这些对象对应的是复合的rule,即用逻辑符号连接的几条规则,比如上面例子中的"is_admin:True or project_id:%(project_id)s",它对应的对象为OrCheck类型。上面两种情况的解析都很简单,难的就是这个复合rule的解析,费了一番功夫。上面类图中的ParseState类和ParseStateMeta类就是用来解析复合rule的。

如果不深究每条rule是怎么解析的话,看一个函数就够了,即模块中的_parse_check()函数,从这个函数中,就可以知道每条规则对应哪种对象:

# 真正的解析一个单一的rule,将它由冒号分隔开,得到kind和match,根据kind值,在_check查找对应的Check对象,
# 然后以kind,match为参数,调用Check对象的__call__()返回最终的结果:真或假
def _parse_check(rule):
    """
    Parse a single base check rule into an appropriate Check object.
    """

    # Handle the special checks
    if rule == '!':
        return FalseCheck()
    elif rule == '@':
        return TrueCheck()

    try:
        kind, match = rule.split(':', 1)
    except Exception:
        LOG.exception(_("Failed to understand rule %(rule)s") % locals())
        # If the rule is invalid, we'll fail closed
        return FalseCheck()

    # Find what implements the check
    if kind in _checks:
        return _checks[kind](kind, match)#这里竟然调用的是Check的__init__(),把kind和match赋值给Check中的kind和match
    elif None in _checks:
        return _checks[None](kind, match)
    else:
        LOG.error(_("No handler for matches of kind %s") % kind)
        return FalseCheck()
如果要深究每条rule是如何解析的话,请移步这里:

最后,再来说一下转换成的这些对象有什么用,为什么要费这么大劲转换成对象,直接用字符串的rule来判断不好吗,以及怎么用这些对象去判断用户的操作是否合法?

为什么要将字符串转换成对象?这个理由太好说了,就是为了抽象,抽象是为了方便,是为了以不变应万变,这就是面向对象的好处。比如此处的Check对象,就抽象出了kind和match成员变量,分别对应rule字符串的冒号左边和右边的内容。当用这些对象来判断用户操作是否合法时,是这样来使用的:result = _rules[action](target, creds),因为Rules类被创建后会赋值给_rules变量,所以这里的_rules变量就代表Rules对象,而Rules对象又是一个字典类型的,key是action,value是BaseCheck对象,所以就相当于是直接在调用BaseCheck对象的__call__()方法了,参数分别是target和creds,target是action要操作的目标,creds是当前的上下文环境,再结合Check对象中的kind和match,就可以根据相应的逻辑来判断这个操作是否合法了。举个简单的例子,看RoleCheck是如何来判断的:

@register("role")
class RoleCheck(Check):
    def __call__(self, target, creds):
        """Check that there is a matching role in the cred dict."""
        
        return self.match.lower() in [x.lower() for x in creds['roles']]

比如规则"role:admin",kind为"role",match为"admin",所以RoleCheck就是判断一下admin这个用户是否在creds上下文中,如果在,就返回真,不在返回假。

至于OrCheck等对象判断是否合法则更简单,在他们内部都维护了一个rules列表,存放的是每条单一规则对应的Check对象,在他们的__call__()方法中一个for循环,来判断,OrCheck为一真即真,AndCheck为一假即假。

上面还提到有些action看起来不像action的,的确,那样的规则,一般都会转换成GenericCheck对象,而RuleCheck对象的__call__()在判断用户操作是否合法时,是采用递归的方法来判断的,比如下面的例子:

"compute_extension:accounts": "rule:admin_api", #-->RuleCheck
"admin_api": "is_admin:True", #-->GenericCheck
RuleCheck对象通过递归调用,最终调用了GenericCheck对象的__call__()方法,得出最终的结果。至于,为什么要这样做,我现在还不是很清楚。


3. 如何使用

如何使用上面已经说的差不多了,在外部只要调用nova/policy.py模块中的enforce()即可:

def enforce(context, action, target, do_raise=True):
    init()#读取json文件,解析,并将解析的内容封装成一个Rules对象,然后把这个对象赋值给_rules变量

    credentials = context.to_dict()

    extra = {}
    if do_raise:
        extra.update(exc=exception.PolicyNotAuthorized, action=action)

    return policy.check(action, target, credentials, **extra)
有意思的是每次调用enfore(),都会去重新读取一次policy.json文件,并且重新进行一次解析,所以,对json文件的修改,是起实时作用的,不需要重启任何服务,修改之后,只要调用enfore()就会起作用,这很方便。


4. 测试

说了这么多,不能光说不练啊,这里还是举个创建实例的例子,通过调试的手段,来具体看一下效果。测试的过程如下:
(1)修改程序
在nova/compute/api.py中的_check_create_policies()方法中添加如下几句代码:

print '*'*30
creds=context.to_dict()
print creds['roles']
print '*'*30
raise Exception
即打印出当前上下文中的roles。然后抛出异常,停止。


(2)启动各项服务


(3)修改policy.json文件
将 "compute:create" : "" 这条规则修改为:"compute:create": "role:admin", 即将原来的任何角色的用户都可以创建实例的权限修改为只有admin角色的用户可以创建实例。


(4)创建实例,观看异常

$ source openrc demo demo
$ nova boot --flavor 1 --image 29936f2a-0e05-47e0-8d43-b9d579b107f9 --key-name pubkey-01 instance-01
ERROR: Policy doesn't allow compute:create to be performed. (HTTP 403) (Request-ID: req-bd0cda7e-2207-46af-becb-72a3a3bec598)
看,报出了异常,说policy不允许compute:create被执行,说明修改的规则生效了。

看下日志中输出的当前上下文中的角色:
******************************
[u'Member', u'anotherrole']
******************************

如果使用admin角色的用户创建实例是没有问题的。日志输出如下:
******************************
[u'admin', u'KeystoneAdmin', u'KeystoneServiceAdmin']
******************************



======================over==========================


文章另一地址:http://freedomhui.com/2012/11/openstack-nova-%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86-policy/

展开阅读全文

openstack nova 安装问题

01-21

大侠们: rn 最近在安装openstack,按照官方文档一步步的装下来,在安装nova里的导出项目管理凭证的时候出错了,nova-manage rnproject zipfile proj novaadmin /home/dingjun/creds/novacreds.zip,出错如下: rnrndingjun@server1:/var/lib/nova/CA$ sudo nova-manage project zipfile rnproj novaadmin /home/dingjun/creds/novacreds.zip rn[sudo] password for dingjun: rnUnexpected error while running command. rnCommand: openssl ca -batch -out /tmp/tmp2ETHWE/outbound.csr -config ./ rnopenssl.cnf -infiles /tmp/tmp2ETHWE/inbound.csr rnExit code: 1 rnStdout: '' rnStderr: "Using configuration from ./openssl.cnf\nerror loading the rnconfig file './openssl.cnf'\n5329:error:02001002:system rnlibrary:fopen:No such file or directory:bss_file.c:126:fopen('./ rnopenssl.cnf','rb')\n5329:error:2006D080:BIO routines:BIO_new_file:no rnsuch file:bss_file.c:129:\n5329:error:0E078072:configuration file rnroutines:DEF_LOAD:no such file:conf_def.c:197:\n" rnThe above error may show that the certificate db has not been created. rnPlease create a database by running a nova-api server on this host. rnrn但是我单独执行openssl ca -batch -out /tmp/tmp2ETHWE/outbound.csr -config ./ rnopenssl.cnf -infiles /tmp/tmp2ETHWE/inbound.csr,不会出错,如下: rnrn sudo openssl ca -batch -out /tmp/tmp2ETHWE/outbound.csr -config ./ rnopenssl.cnf -infiles /tmp/tmp2ETHWE/inbound.csr rnUsing configuration from ./openssl.cnf rnCheck that the request matches the signature rnSignature ok rnThe Subject's Distinguished Name is as follows rncountryName :PRINTABLE:'US' rnstateOrProvinceName :PRINTABLE:'California' rnlocalityName :PRINTABLE:'MountainView' rnorganizationName :PRINTABLE:'AnsoLabs' rnorganizationalUnitName:PRINTABLE:'NovaDev' rncommonName :PRINTABLE:'proj-novaadmin-2012-01-29T08:03:27Z' rnCertificate is to be certified until Jan 28 08:05:54 2013 GMT (365 rndays) rnrnWrite out database with 1 new entries rnData Base Updated rnrn该如何解决?请高人指点。。。。 论坛

openstack nova求助!

01-29

大侠们:rn 最近在安装openstack,按照官方文档一步步的装下来,在安装nova里的导出项目管理凭证的时候出错了,nova-manage project zipfile proj novaadmin /home/dingjun/creds/novacreds.zip,出错如下:rnrndingjun@server1:/var/lib/nova/CA$ sudo nova-manage project zipfile proj novaadmin /home/dingjun/creds/novacreds.ziprn[sudo] password for dingjun: rnUnexpected error while running command.rnCommand: openssl ca -batch -out /tmp/tmp2ETHWE/outbound.csr -config ./openssl.cnf -infiles /tmp/tmp2ETHWE/inbound.csrrnExit code: 1rnStdout: ''rnStderr: "Using configuration from ./openssl.cnf\nerror loading the config file './openssl.cnf'\n5329:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('./openssl.cnf','rb')\n5329:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:\n5329:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:\n"rnThe above error may show that the certificate db has not been created.rnPlease create a database by running a nova-api server on this host.rnrn但是我单独执行openssl ca -batch -out /tmp/tmp2ETHWE/outbound.csr -config ./openssl.cnf -infiles /tmp/tmp2ETHWE/inbound.csr,不会出错,如下:rnrn sudo openssl ca -batch -out /tmp/tmp2ETHWE/outbound.csr -config ./openssl.cnf -infiles /tmp/tmp2ETHWE/inbound.csrrnUsing configuration from ./openssl.cnfrnCheck that the request matches the signaturernSignature okrnThe Subject's Distinguished Name is as followsrncountryName :PRINTABLE:'US'rnstateOrProvinceName :PRINTABLE:'California'rnlocalityName :PRINTABLE:'MountainView'rnorganizationName :PRINTABLE:'AnsoLabs'rnorganizationalUnitName:PRINTABLE:'NovaDev'rncommonName :PRINTABLE:'proj-novaadmin-2012-01-29T08:03:27Z'rnCertificate is to be certified until Jan 28 08:05:54 2013 GMT (365 days)rnrnWrite out database with 1 new entriesrnData Base Updatedrnrn该如何解决?请高人指点。。。。 论坛

OpenStack Nova开发与测试环境搭建

08-17

工作要求搭建一个可以用来进行Openstack开发的环境,Openstack官方给了一套指导 http://docs.openstack.org/developer/nova/devref/development.environment.html 。我便开始按照这个指导搭建环境,但是最初希望在windows开发,所以尝试在windows中搭建,但经过实际的搭建,在windows上是不可行的。好吧,还是按指导上写的来,过程中间遇到很多问题,幸运的是现在都一一解决,在这里回顾和记录一下:rnrn 系统要求:ubuntu10.10-64 ~12.04(我是在12.04上搭建的,11版本应该也没有问题)rnrn 其他的就没什么了,因为搭建过程中的脚本会将需要的软件都安装上。Ok,开始。在终端中执行:rn1 sudo apt-get install python-dev libssl-dev python-pip git-corernrn下面的一步比较重要,我开始的时候没有注意,导致了很多问题也浪费了很多时间。就是一定要用Virtualenv建立一个虚拟的python环境,然后在这个虚拟环境中进行开发与测试,关于Virtualenv社区里就有比较详细的介绍,我这里仅仅简单说一下如何使用:rnrn用easy_install或pip下载安装Virtualenvrn1 easy_install Virtualenvrnrn然后使用Virtualenv创建虚拟环境(需要在Virtualenv的安装路径中执行)rn1 virtualenv openTestrnrn 执行成功后会得到信息,然后使用刚创建的虚拟环境:rn1 cd openTest/rn2 source bin/activaternrn执行完之后会发现终端的用户名之前多了个括号,括号里的内容就是当前的虚拟环境。rnrn到这里之后开始跟Nova相关的内容,下载到nova的源代码:rn1 git clone https://github.com/openstack/nova.gitrn2 cd novarnrn接下来官方给出的指导是执行:rn1 ./run_tests.shrnrn但是这个脚本没有很顺利的执行完过(多次测试)。不清楚是为什么,现在暂时把这个放在一边,还有别的路径:rn1 python tools/install_venv.pyrnrn手动的安装nova需要的依赖包。这个我也尝试过多次,中间也失败过,至今已无法获知失败的原因了,但是现在确实执行成功了,见下图:rnrnNova development environment setup is complete.rnrnOk ,开发环境就这样搭建好了,看起来很简单,但是这个过程我实验了不知道多少次,可能是我运气比较差吧,过程中间有一点特别重要:就是一定要在虚拟的环境中运行脚本,官方文档中也有明确说明:”Nova development uses virtualenv to track and manage Python dependencies while in development and testing. This allows you to install all of the Python package dependencies in a virtual environment or “virtualenv” (a special subdirectory of your nova directory), instead of installing the packages at the system level.“rnrn这样做还有另外一个好处,就是虚拟环境可以创建很多个,一个实验不成功可以很轻松的换其他环境来实验,省去了很多麻烦。下面在运行测试的脚本就会得到有用的结果了rnrn[img=http://static.oschina.net/uploads/space/2012/0802/183528_i3qx_263977.png][/img]rnrn本文最早发布于开源中国社区(我即原文作者),因看到CSDN正在做活动,就转过来了。 论坛

openstack nova api dead 问题。

02-12

rn遇到openstack-nova-api dead问题。rnrn[root@keystone nova(keystone_admin)]#openstack-statusrn== Nova services ==rnopenstack-nova-api: deadrnopenstack-nova-cert: activernopenstack-nova-compute: activernopenstack-nova-network: activernopenstack-nova-scheduler: activernopenstack-nova-volume: deadrn== Glance services ==rnopenstack-glance-api: activernopenstack-glance-registry: activern== Keystone service ==rnopenstack-keystone: activern== Horizon service ==rnopenstack-dashboard: activern== Support services ==rnmysqld: activernlibvirtd: activernmessagebus: activerntgtd: activernqpidd: activernmemcached: activern== Keystone users ==rn+----------------------------------+---------+---------+-------+rn| id | name | enabled | email |rn+----------------------------------+---------+---------+-------+rn| 146c5f7176e349ff8434f956f6dc4b08 | quantum | True | |rn| 3768e8b8856e42fabfbb73dc1bf1b1ad | nova | True | |rn| 3d3242317aa24e398964653a1347993d | glance | True | |rn| 5bea43016198421b8471931eec70f461 | admin | True | |rn| 830f145a66ba449ebc442dae05d25e8e | swift | True | |rn| cc24277cf5694507bbdf8c294504d8e1 | cinder | True | |rn| e9198e24399e4a329ac5cbedc6db48dc | admini | True | |rn+----------------------------------+---------+---------+-------+rn== Glance images ==rn+--------------------------------------+--------------+-------------+------------------+----------+--------+rn| ID | Name | Disk Format | Container Format | Size | Status |rn+--------------------------------------+--------------+-------------+------------------+----------+--------+rn| 65a1c9a2-efc6-4fd1-a42e-d3b3cc89301c | CirrOS 0.3.1 | qcow2 | bare | 13147648 | active |rn+--------------------------------------+--------------+-------------+------------------+----------+--------+rn== Nova managed services ==rnERROR: The resource could not be found. (HTTP 404)rn== Nova networks ==rnERROR: The resource could not be found. (HTTP 404)rn== Nova instance flavors ==rnERROR: The resource could not be found. (HTTP 404)rn== Nova instances ==rnERROR: The resource could not be found. (HTTP 404)rnrn/var/log/nova/api.log 内容如下:rn2014-02-12 05:48:35 3744 DEBUG nova.wsgi [-] Loading app ec2 from /etc/nova/api-paste.ini load_app /usr/lib/python2.6/site-packages/nova/wsgi.py:371rn2014-02-12 05:48:35 3744 INFO nova.wsgi [-] ec2 listening on 0.0.0.0:8773rn2014-02-12 05:48:35 3744 INFO nova.service [-] Starting 1 workersrn2014-02-12 05:48:35 3744 INFO nova.service [-] Started child 3781rn2014-02-12 05:48:35 3744 DEBUG nova.wsgi [-] Loading app osapi_compute from /etc/nova/api-paste.ini load_app /usr/lib/python2.6/site-packages/nova/wsgi.py:371rn2014-02-12 05:48:35 3781 INFO nova.ec2.wsgi.server [-] (3781) wsgi starting up on http://0.0.0.0:8773/rnrn2014-02-12 05:48:35 3744 CRITICAL nova [-] No module named auth_tokenrn2014-02-12 05:48:35 3744 TRACE nova Traceback (most recent call last):rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/bin/nova-api", line 50, in rn2014-02-12 05:48:35 3744 TRACE nova server = service.WSGIService(api)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/nova/service.py", line 577, in __init__rn2014-02-12 05:48:35 3744 TRACE nova self.app = self.loader.load_app(name)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/nova/wsgi.py", line 372, in load_apprn2014-02-12 05:48:35 3744 TRACE nova return deploy.loadapp("config:%s" % self.config_path, name=name)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 247, in loadapprn2014-02-12 05:48:35 3744 TRACE nova return loadobj(APP, uri, name=name, **kw)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 272, in loadobjrn2014-02-12 05:48:35 3744 TRACE nova return context.create()rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 710, in creatern2014-02-12 05:48:35 3744 TRACE nova return self.object_type.invoke(self)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 144, in invokern2014-02-12 05:48:35 3744 TRACE nova **context.local_conf)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/util.py", line 56, in fix_callrn2014-02-12 05:48:35 3744 TRACE nova val = callable(*args, **kw)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/nova/api/openstack/urlmap.py", line 163, in urlmap_factoryrn2014-02-12 05:48:35 3744 TRACE nova app = loader.get_app(app_name, global_conf=global_conf)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 350, in get_apprn2014-02-12 05:48:35 3744 TRACE nova name=name, global_conf=global_conf).create()rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 710, in creatern2014-02-12 05:48:35 3744 TRACE nova return self.object_type.invoke(self)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 144, in invokern2014-02-12 05:48:35 3744 TRACE nova **context.local_conf)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/util.py", line 56, in fix_callrn2014-02-12 05:48:35 3744 TRACE nova val = callable(*args, **kw)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/nova/api/auth.py", line 49, in pipeline_factoryrn2014-02-12 05:48:35 3744 TRACE nova filters = [loader.get_filter(n) for n in pipeline[:-1]]rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 354, in get_filterrn2014-02-12 05:48:35 3744 TRACE nova name=name, global_conf=global_conf).create()rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 366, in filter_contextrn2014-02-12 05:48:35 3744 TRACE nova FILTER, name=name, global_conf=global_conf)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 458, in get_contextrn2014-02-12 05:48:35 3744 TRACE nova section)rn2014-02-12 05:48:35 3744 TRACE nova value = import_string(found_expr)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/PasteDeploy-1.5.0-py2.6.egg/paste/deploy/loadwsgi.py", line 22, in import_stringrn2014-02-12 05:48:35 3744 TRACE nova return pkg_resources.EntryPoint.parse("x=" + s).load(False)rn2014-02-12 05:48:35 3744 TRACE nova File "/usr/lib/python2.6/site-packages/pkg_resources.py", line 1948, in loadrn2014-02-12 05:48:35 3744 TRACE nova entry = __import__(self.module_name, globals(),globals(), ['__name__'])rn2014-02-12 05:48:35 3744 TRACE nova ImportError: No module named auth_tokenrn2014-02-12 05:48:35 3744 TRACE nova rn2014-02-12 05:48:35 3781 INFO nova.service [-] Parent process has died unexpectedly, exitingrn2014-02-12 05:48:35 3781 INFO nova.wsgi [-] Stopping WSGI server.rnrnrn其中 /etc/nova/nova.conf配置如下:rn[DEFAULT]rnrn#LOGS/STATErnverbose=Truernlogdir=/var/log/novarnstate_path=/var/lib/novarnlock_path=/var/lock/novarnrootwrap_config=/etc/nova/rootwrap.confrnrn# SCHEDULERrncompute_scheduler_driver=nova.scheduler.filter_scheduler.FilterSchedulerrnrn# VOLUMESrnvolume_driver=nova.volume.driver.ISCSIDriverrnvolume_group=nova-volumesrnvolume_name_template=volume-%08xrniscsi_helper=tgtadmrnrn# DATABASErnsql_connection=mysql://nova:nova@192.168.1.102/novarnrn# COMPUTErnlibvirt_type=qemurncompute_driver=libvirt.LibvirtDriverrninstance_name_template=instance-%08xrnapi_paste_config=/etc/nova/api-paste.inirnrn# COMPUTE/APIS: if you have separate configs for separate servicesrn# this flag is required for both nova-api and nova-computernallow_resize_to_same_host=Truernrn# APISrnosapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensionsrnec2_dmz_host=192.168.1.102rns3_host=192.168.1.102rnrn# Qpidrnrpc_backend=nova.rpc.impl_qpidrnqpid_hostname=192.168.1.102rn# GLANCErnimage_service=nova.image.glance.GlanceImageServicernglance_api_servers=192.168.1.102:9292rnrn# NETWORKrnnetwork_manager=nova.network.manager.FlatDHCPManagerrndhcpbridge=/usr/bin/nova-dhcpbridgernforce_dhcp_release=Truerndhcpbridge_flagfile=/etc/nova/nova.confrnfirewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriverrn# Change my_ip to match each hostrnmy_ip=192.168.1.102rnpublic_interface=eth0rnvlan_interface=eth0rnflat_network_bridge=virbr0-nicrnflat_interface=eth0rnfixed_range=192.168.100.0/24rnrn# NOVNC CONSOLErnnovncproxy_base_url=http://192.168.1.102:6080/vnc_auto.htmlrn# Change vncserver_proxyclient_address and vncserver_listen to match each compute hostrnvncserver_proxyclient_address=192.168.1.102rnvncserver_listen=192.168.1.102rn# AUTHENTICATIONrnauth_strategy=keystonern[keystone_authtoken]rnauth_host = 192.168.1.102rnauth_port = 35357rnauth_protocol = httprnadmin_tenant_name = demornadmin_user = novarnadmin_password = novarnsigning_dirname = /tmp/keystone-signing-novarnrn求高手帮忙看下该怎么解决。rn 论坛

没有更多推荐了,返回首页