OpenStack Caracal : Cinder 設定 (Storage ノード)2024/08/07

# Caracal, EPEL, CRB からインストール

dnf --enablerepo=centos-openstack-caracal,epel,crb -y install openstack-cinder targetcli

mv /etc/cinder/cinder.conf /etc/cinder/cinder.conf.org

[DEFAULT]
# 自ホストの IP アドレス
my_ip = 10.0.0.50
rootwrap_config = /etc/cinder/rootwrap.conf
api_paste_confg = /etc/cinder/api-paste.ini
state_path = /var/lib/cinder
auth_strategy = keystone
# RabbitMQ 接続情報
transport_url = rabbit://openstack:password@dlp.srv.world
enable_v3_api = True
# Glance 接続情報
glance_api_servers = https://dlp.srv.world:9292

# MariaDB 接続情報
[database]
connection = mysql+pymysql://cinder:password@dlp.srv.world/cinder

# Keystone 認証情報
[service_user]
send_service_user_token = true
auth_url = https://dlp.srv.world:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = cinder
password = servicepassword
# httpd Keystone で自己署名の証明書を使用の場合は [true]
insecure = false

# Keystone 認証情報
[keystone_authtoken]
www_authenticate_uri = https://dlp.srv.world:5000
auth_url = https://dlp.srv.world:5000
memcached_servers = dlp.srv.world:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = cinder
password = servicepassword
# httpd Keystone で自己署名の証明書を使用の場合は [true]
insecure = false

[oslo_concurrency]
lock_path = $state_path/tmp

[oslo_policy]
enforce_new_defaults = true

chmod 640 /etc/cinder/cinder.conf

chgrp cinder /etc/cinder/cinder.conf

systemctl enable --now openstack-cinder-volume

module iscsiadm 1.0;

require {
        type iscsid_t;
        type lsmd_plugin_exec_t;
        type systemd_notify_exec_t;
        type rsync_exec_t;
        type thumb_exec_t;
        type ssh_agent_exec_t;
        type checkpolicy_exec_t;
        type crontab_exec_t;
        type locate_exec_t;
        type conmon_exec_t;
        type NetworkManager_exec_t;
        type dmesg_exec_t;
        type mount_exec_t;
        type traceroute_exec_t;
        type neutron_t;
        type vlock_exec_t;
        type fusermount_exec_t;
        type login_exec_t;
        type su_exec_t;
        type cinder_backup_exec_t;
        type loadkeys_exec_t;
        type groupadd_exec_t;
        type systemd_hwdb_exec_t;
        type mandb_exec_t;
        type policykit_auth_exec_t;
        type hostname_exec_t;
        type passwd_exec_t;
        type systemd_passwd_agent_exec_t;
        type dbusd_exec_t;
        type virtd_exec_t;
        type cinder_volume_exec_t;
        type chronyc_exec_t;
        type systemd_systemctl_exec_t;
        type journalctl_exec_t;
        type ping_exec_t;
        type ssh_exec_t;
        type plymouth_exec_t;
        type gpg_exec_t;
        type devicekit_exec_t;
        type chfn_exec_t;
        type cinder_api_exec_t;
        type gpg_agent_exec_t;
        type kdumpctl_exec_t;
        type cinder_scheduler_exec_t;
        type ssh_keygen_exec_t;
        type systemd_tmpfiles_exec_t;
        type rpcbind_exec_t;
        type rpmdb_exec_t;
        type keepalived_exec_t;
        type virt_qemu_ga_exec_t;
        type container_runtime_exec_t;
        type lsmd_exec_t;
        class file getattr;
        class capability dac_override;
}

#============= iscsid_t ==============
allow iscsid_t self:capability dac_override;

#============= neutron_t ==============
allow neutron_t cinder_api_exec_t:file getattr;
allow neutron_t cinder_backup_exec_t:file getattr;
allow neutron_t cinder_scheduler_exec_t:file getattr;
allow neutron_t cinder_volume_exec_t:file getattr;
allow neutron_t rpcbind_exec_t:file getattr;
allow neutron_t virtd_exec_t:file getattr;

checkmodule -m -M -o iscsiadm.mod iscsiadm.te

semodule_package --outfile iscsiadm.pp --module iscsiadm.mod

semodule -i iscsiadm.pp