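1. Glance architecture
The Glance API handles requests from clients (OpenStackClient and others). If a request reads or writes image metadata, Glance reads or writes the glance DB, because all image metadata is stored there; if a request stores or retrieves the image itself, Glance operates on the backend store, because that is where images are kept. Both the client and the Glance service also have to authenticate with Keystone.
Note that authorization after authentication is not handled by Keystone; it is left to the service being accessed. For example, when a user accesses the Glance service, which images and image metadata that user can read or write is decided by the Glance service according to the user's role.
2. Glance installation process
First, create the glance DB in MariaDB on the controller node to store image metadata. Then, through OpenStackClient, operate on the previously created keystone DB: create the glance user (the identity credential of the "glance" image service), create an image service named glance, and set the Image service API endpoints. Finally, install the glance API package and edit its configuration file with the required connection information, such as the glance DB (stores image metadata), the Keystone authentication information and the backend store (stores the images).
In this installation, the glance database, the keystone database, Keystone and Glance are all deployed on the controller node. In practice, these components can be installed on separate servers as needed.
3. Glance exercise 1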
3.1 keystone DB
root@controller:~# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 35
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| glance |
| information_schema |
| keystone |
| mysql |
| performance_schema |
| sys |
+--------------------+
6 rows in set (0.002 sec)
MariaDB [(none)]> USE keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> SHOW TABLES;
(omitted)
MariaDB [keystone]> select * from local_user;
+----+----------------------------------+----------------------------------+-----------+-------------------+----------------+
| id | user_id | domain_id | name | failed_auth_count | failed_auth_at |
+----+----------------------------------+----------------------------------+-----------+-------------------+----------------+
| 1 | 2947c213547147979dce3c8f8b85697f | default | admin | 0 | NULL |
| 2 | 9382b59561c04dd1abf0a4cb7a8252ec | default | myuser | 0 | NULL |
| 4 | 981d061282aa43afba72df6ff637f41c | f2a209f9e83040c9a619ca05c41e952b | testuser1 | 0 | NULL |
| 5 | b7849907a23b4604a3e3940f4034326b | default | glance | 0 | NULL |
+----+----------------------------------+----------------------------------+-----------+-------------------+----------------+
4 rows in set (0.000 sec)
MariaDB [keystone]> SELECT * FROM service;
+----------------------------------+----------+---------+------------------------------------------------------+
| id | type | enabled | extra |
+----------------------------------+----------+---------+------------------------------------------------------+
| 75fe01049ec648b69e48d200971bf601 | identity | 1 | {"name": "keystone"} |
| d6a3dadf92e542289c5ebd37e3553cdd | image | 1 | {"name": "glance", "description": "OpenStack Image"} |
+----------------------------------+----------+---------+------------------------------------------------------+
2 rows in set (0.000 sec)
MariaDB [keystone]> SELECT * from endpoint;
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------+-------+---------+-----------+
| id | legacy_endpoint_id | interface | service_id | url | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------+-------+---------+-----------+
| 56d1454571064cb3ad3c749d18fb57e6 | NULL | admin | d6a3dadf92e542289c5ebd37e3553cdd | http://controller:9292 | {} | 1 | RegionOne |
| a82bd043e133464fa863fba98b400460 | NULL | admin | 75fe01049ec648b69e48d200971bf601 | http://controller:5000/v3/ | {} | 1 | RegionOne |
| ac109817862344c4854b783d642be412 | NULL | internal | 75fe01049ec648b69e48d200971bf601 | http://controller:5000/v3/ | {} | 1 | RegionOne |
| ae98462c8f4346f3991d693232a108d3 | NULL | internal | d6a3dadf92e542289c5ebd37e3553cdd | http://controller:9292 | {} | 1 | RegionOne |
| e047382ce61740bf9dc4219c97eff2f8 | NULL | public | d6a3dadf92e542289c5ebd37e3553cdd | http://controller:9292 | {} | 1 | RegionOne |
| eaf4ddaab1b74aa59403f9fbf5fc4ac1 | NULL | public | 75fe01049ec648b69e48d200971bf601 | http://controller:5000/v3/ | {} | 1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+----------------------------+-------+---------+-----------+
6 rows in set (0.000 sec)
MariaDB [keystone]>
3.2 glance DB
MariaDB [(none)]> use glance;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [glance]> show tables;
+----------------------------------+
| Tables_in_glance |
+----------------------------------+
| alembic_version |
| image_locations |
| image_members |
| image_properties |
| image_tags |
| images |
| metadef_namespace_resource_types |
| metadef_namespaces |
| metadef_objects |
| metadef_properties |
| metadef_resource_types |
| metadef_tags |
| task_info |
| tasks |
+----------------------------------+
14 rows in set (0.000 sec)
MariaDB [glance]> select * from images;
+--------------------------------------+--------+----------+--------+---------------------+---------------------+------------+---------+-------------+------------------+----------------------------------+----------------------------------+----------+---------+-----------+--------------+------------+-----------+--------------+----------------------------------------------------------------------------------------------------------------------------------+
| id | name | size | status | created_at | updated_at | deleted_at | deleted | disk_format | container_format | checksum | owner | min_disk | min_ram | protected | virtual_size | visibility | os_hidden | os_hash_algo | os_hash_value |
+--------------------------------------+--------+----------+--------+---------------------+---------------------+------------+---------+-------------+------------------+----------------------------------+----------------------------------+----------+---------+-----------+--------------+------------+-----------+--------------+----------------------------------------------------------------------------------------------------------------------------------+
| 429decdd-9230-49c0-b735-70364c226eb5 | cirros | 12716032 | active | 2024-07-06 13:54:01 | 2024-07-06 13:54:02 | NULL | 0 | qcow2 | bare | 443b7623e27ecf03dc9e01ee93f67afe | ee65b6c3961747b988ab8bd1cc19fb93 | 0 | 0 | 0 | 46137344 | public | 0 | sha512 | 6513f21e44aa3da349f248188a44bc304a3653a04122d8fb4535423c8e1d14cd6a153f735bb0982e2161b5b5186106570c17a9e58b64dd39390617cd5a350f78 |
+--------------------------------------+--------+----------+--------+---------------------+---------------------+------------+---------+-------------+------------------+----------------------------------+----------------------------------+----------+---------+-----------+--------------+------------+-----------+--------------+----------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
MariaDB [glance]> select * from image_properties;
Empty set (0.000 sec)
MariaDB [glance]>
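3.3 Backend store
To keep things simple, this installation uploads images to, and stores them in, a directory on the controller node that hosts the Image service. By default this directory is /var/lib/glance/images/.
Check the directory: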
root@controller:~# ls -l /var/lib/glance/images/
total 12420
-rw-r----- 1 glance glance 12716032 Jul 6 13:54 429decdd-9230-49c0-b735-70364c226eb5
root@controller:~#
The file name matches the id returned by select * from images; in the glance DB.
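The images row also records size and os_hash_value (sha512) for the file named after its id. As an added example (not from the original post), the script below uses those columns to check a filesystem store for modified, missing or unaccounted-for files; the manifest format, the function names and the demo data are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original page: check that every file in a Glance
# filesystem store still matches the size and sha512 recorded in its metadata.
#
# Manifest format (an assumption of this example), one image per line:
#   <image id> <size in bytes> <os_hash_value>
# The columns correspond to id, size and os_hash_value in the images table.

# manifest_has <manifest> <id>: succeed if the manifest has a row for <id>.
manifest_has() {
    awk -v id="$2" '$1 == id { found = 1 } END { exit !found }' "$1"
}

# verify_store <store_dir> <manifest>
# Prints one status line per image or file; returns 0 only if all are OK.
verify_store() (
    store_dir=$1
    manifest=$2
    rc=0

    while read -r id size hash; do
        [ -n "$id" ] || continue
        path="$store_dir/$id"
        if [ ! -f "$path" ]; then
            echo "MISSING $id"
            rc=1
            continue
        fi
        # Cheap check first: a size change needs no hashing to detect.
        actual_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$actual_size" != "$size" ]; then
            echo "SIZE    $id expected=$size actual=$actual_size"
            rc=1
            continue
        fi
        actual_hash=$(sha512sum "$path" | cut -d' ' -f1)
        if [ "$actual_hash" != "$hash" ]; then
            echo "HASH    $id"
            rc=1
            continue
        fi
        echo "OK      $id"
    done < "$manifest"

    # Files present in the store that no metadata row accounts for.
    for f in "$store_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! manifest_has "$manifest" "$name"; then
            echo "ORPHAN  $name"
            rc=1
        fi
    done

    exit "$rc"
)

# Demo on constructed data: img-b is rewritten with same-size content after
# the manifest is taken, so only the hash comparison can catch it.
demo() {
    d=$(mktemp -d)
    mkdir "$d/images"
    printf 'constructed image A' > "$d/images/img-a"
    printf 'constructed image B' > "$d/images/img-b"
    for n in img-a img-b; do
        printf '%s %s %s\n' "$n" "$(wc -c < "$d/images/$n" | tr -d ' ')" \
            "$(sha512sum "$d/images/$n" | cut -d' ' -f1)"
    done > "$d/manifest"
    printf 'constructed image X' > "$d/images/img-b"
    status=0
    verify_store "$d/images" "$d/manifest" || status=$?
    rm -rf "$d"
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live node the manifest can be exported from the images table (id, size, os_hash_value) and the store directory is /var/lib/glance/images/.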
3.4 OpenStackClient operations (client side)
Through the Glance API, the client can operate on the information in the backend store, the glance DB and the keystone DB.
------keystone DB:
ubcode@osclient ~(admin/amdin)$ openstack user list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 2947c213547147979dce3c8f8b85697f | admin |
| 9382b59561c04dd1abf0a4cb7a8252ec | myuser |
| 981d061282aa43afba72df6ff637f41c | testuser1 |
| b7849907a23b4604a3e3940f4034326b | glance |
+----------------------------------+-----------+
ubcode@osclient ~(admin/amdin)$ openstack service list
+----------------------------------+----------+----------+
| ID | Name | Type |
+----------------------------------+----------+----------+
| 75fe01049ec648b69e48d200971bf601 | keystone | identity |
| d6a3dadf92e542289c5ebd37e3553cdd | glance | image |
+----------------------------------+----------+----------+
ubcode@osclient ~(admin/amdin)$ openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 56d1454571064cb3ad3c749d18fb57e6 | RegionOne | glance | image | True | admin | http://controller:9292 |
| a82bd043e133464fa863fba98b400460 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3/ |
| ac109817862344c4854b783d642be412 | RegionOne | keystone | identity | True | internal | http://controller:5000/v3/ |
| ae98462c8f4346f3991d693232a108d3 | RegionOne | glance | image | True | internal | http://controller:9292 |
| e047382ce61740bf9dc4219c97eff2f8 | RegionOne | glance | image | True | public | http://controller:9292 |
| eaf4ddaab1b74aa59403f9fbf5fc4ac1 | RegionOne | keystone | identity | True | public | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
ubcode@osclient ~(admin/amdin)$
------glance DB:
ubcode@osclient ~(admin/amdin)$ openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| 429decdd-9230-49c0-b735-70364c226eb5 | cirros | active |
+--------------------------------------+--------+--------+
ubcode@osclient ~(admin/amdin)$ openstack image show cirros
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| checksum | 443b7623e27ecf03dc9e01ee93f67afe |
| container_format | bare |
| created_at | 2024-07-06T13:54:01Z |
| disk_format | qcow2 |
| file | /v2/images/429decdd-9230-49c0-b735-70364c226eb5/file |
| id | 429decdd-9230-49c0-b735-70364c226eb5 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| owner | ee65b6c3961747b988ab8bd1cc19fb93 |
| properties | os_hash_algo='sha512', os_hash_value='6513f21e44aa3da349f248188a44bc304a3653a04122d8fb4535423c8e1d14cd6a153f735bb0982e2161b5b5186106570c17a9e58b64dd39390617cd5a350f78', os_hidden='False' |
| protected | False |
| schema | /v2/schemas/image |
| size | 12716032 |
| status | active |
| tags | |
| updated_at | 2024-07-06T13:54:02Z |
| virtual_size | 46137344 |
| visibility | public |
+------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
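4. Glance exercise 2: standalone Glance installation
To make the interactions between the OpenStack components easier to observe, the Glance service is installed on its own node.
4.1 Network topology
4.2 Add a new VM, image1
As described earlier, add a new VM (4 GB RAM / 2 CPUs, adjust as needed) on which to install Glance. Set the VM's hostname to image1 and its IP address to 10.0.20.16/24.
The VM's details are as follows:
------Network configuration: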
ubcode@image1:~$ cat /etc/netplan/00-installer-config.yaml
cat: /etc/netplan/00-installer-config.yaml: Permission denied
ubcode@image1:~$ sudo cat /etc/netplan/00-installer-config.yaml
[sudo] password for ubcode:
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens32:
      addresses:
      - 10.0.20.16/24
      nameservers:
        addresses:
        - 10.0.20.2
        search: []
      routes:
      - to: default
        via: 10.0.20.2
  version: 2
------hosts file:
ubcode@image1:~$ cat /etc/hosts
127.0.0.1 localhost
# 127.0.1.1 image1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.20.11 controller
10.0.20.12 compute1
10.0.20.16 image1
------NTP configuration:
ubcode@image1:~$ cat /etc/chrony/chrony.conf
...
# pool ntp.ubuntu.com iburst maxsources 4
# pool 0.ubuntu.pool.ntp.org iburst maxsources 1
# pool 1.ubuntu.pool.ntp.org iburst maxsources 1
# pool 2.ubuntu.pool.ntp.org iburst maxsources 2
server controller iburst
On the controller (10.0.20.11) and osclient (10.0.20.100) VMs, add the image1 entry to the hosts file:
root@controller:~# cat /etc/hosts
127.0.0.1 localhost
# 127.0.1.1 os-1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.20.11 controller
10.0.20.12 compute1
10.0.20.16 image1 <---added
4.3 Restore the controller node VM from a snapshot
Revert to the snapshot "keystone installation complete":
(The snapshot name was changed later.)
4.4 Install and configure (Ubuntu)
4.4.1 controller node (hostname: controller)
1. Create the glance DB
root@controller:~# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.002 sec)
MariaDB [(none)]> CREATE DATABASE glance;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' \
-> IDENTIFIED BY 'openstack';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' \
-> IDENTIFIED BY 'openstack';
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]>
MariaDB [(none)]> quit
Bye
root@controller:~#
4.4.2 OpenStackClient (hostname: osclient)
On OpenStackClient (10.0.20.100), create the glance user, the "glance" image service and its endpoints. Note that the endpoints point to image node 1 (hostname: image1).
ubcode@osclient:~$ . admin-openrc
ubcode@osclient ~(admin/amdin)$ openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 2eb252b5fc2743e995141d9529569e2d |
| name | glance |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack role add --project service --user glance admin
ubcode@osclient ~(admin/amdin)$ openstack service create --name glance \
> --description "OpenStack Image" image
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Image |
| enabled | True |
| id | f378aa833518466c9ce2c9ef85e82ace |
| name | glance |
| type | image |
+-------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack endpoint create --region RegionOne \
> image public http://image1:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | c37250b6bd2d471f92427483d31fd5c7 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f378aa833518466c9ce2c9ef85e82ace |
| service_name | glance |
| service_type | image |
| url | http://image1:9292 |
+--------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack endpoint create --region RegionOne \
> image internal http://image1:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7d17e6182d8640a7a6637f4f460a5c08 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f378aa833518466c9ce2c9ef85e82ace |
| service_name | glance |
| service_type | image |
| url | http://image1:9292 |
+--------------+----------------------------------+
ubcode@osclient ~(admin/amdin)$ openstack endpoint create --region RegionOne \
> image admin http://image1:9292
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | f210d94217e54d2781192170bdf26877 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f378aa833518466c9ce2c9ef85e82ace |
| service_name | glance |
| service_type | image |
| url | http://image1:9292 |
+--------------+----------------------------------+
4.4.3 image node 1 (hostname: image1)
1. Install the glance package
ubcode@image1:~$ apt install glance
2. Configure glance-api.conf
ubcode@image1:~$ sudo vi /etc/glance/glance-api.conf
[database]
# connection = sqlite:var/lib/glance/glance.sqlite
connection = mysql+pymysql://glance:openstack@controller/glance
backend = sqlalchemy
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = glance
password = openstack
[paste_deploy]
flavor = keystone
[glance_store]
stores = file,http
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
3. Initialize the glance database and restart glance-api
ubcode@image1:~$ sudo passwd root
New password:
Retype new password:
passwd: password updated successfully
ubcode@image1:~$ su
Password:
root@image1:/home/ubcode# su -s /bin/sh -c "glance-manage db_sync" glance
2024-07-07 08:18:13.472 6118 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
2024-07-07 08:18:13.472 6118 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2024-07-07 08:18:13.482 6118 INFO alembic.runtime.migration [-] Context impl MySQLImpl.
2024-07-07 08:18:13.482 6118 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Running upgrade -> liberty, liberty initial
INFO [alembic.runtime.migration] Running upgrade liberty -> mitaka01, add index on created_at and updated_at columns of 'images' table
INFO [alembic.runtime.migration] Running upgrade mitaka01 -> mitaka02, update metadef os_nova_server
INFO [alembic.runtime.migration] Running upgrade mitaka02 -> ocata_expand01, add visibility to images
INFO [alembic.runtime.migration] Running upgrade ocata_expand01 -> pike_expand01, empty expand for symmetry with pike_contract01
INFO [alembic.runtime.migration] Running upgrade pike_expand01 -> queens_expand01
INFO [alembic.runtime.migration] Running upgrade queens_expand01 -> rocky_expand01, add os_hidden column to images table
INFO [alembic.runtime.migration] Running upgrade rocky_expand01 -> rocky_expand02, add os_hash_algo and os_hash_value columns to images table
INFO [alembic.runtime.migration] Running upgrade rocky_expand02 -> train_expand01, empty expand for symmetry with train_contract01
INFO [alembic.runtime.migration] Running upgrade train_expand01 -> ussuri_expand01, empty expand for symmetry with ussuri_expand01
INFO [alembic.runtime.migration] Running upgrade ussuri_expand01 -> wallaby_expand01, add image_id, request_id, user columns to tasks table"
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
Upgraded database to: wallaby_expand01, current revision(s): wallaby_expand01
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
Database migration is up to date. No migration needed.
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
INFO [alembic.runtime.migration] Running upgrade mitaka02 -> ocata_contract01, remove is_public from images
INFO [alembic.runtime.migration] Running upgrade ocata_contract01 -> pike_contract01, drop glare artifacts tables
INFO [alembic.runtime.migration] Running upgrade pike_contract01 -> queens_contract01
INFO [alembic.runtime.migration] Running upgrade queens_contract01 -> rocky_contract01
INFO [alembic.runtime.migration] Running upgrade rocky_contract01 -> rocky_contract02
INFO [alembic.runtime.migration] Running upgrade rocky_contract02 -> train_contract01
INFO [alembic.runtime.migration] Running upgrade train_contract01 -> ussuri_contract01
INFO [alembic.runtime.migration] Running upgrade ussuri_contract01 -> wallaby_contract01
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
Upgraded database to: wallaby_contract01, current revision(s): wallaby_contract01
INFO [alembic.runtime.migration] Context impl MySQLImpl.
INFO [alembic.runtime.migration] Will assume non-transactional DDL.
Database is synced successfully.
root@image1:/home/ubcode#
root@image1:/home/ubcode# service glance-api restart
ubcode@image1:~$ glance-manage --version
24.2.1
4.4.4 image node 1 (Verify operation)
ubcode@image1:~$ wget http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img
ubcode@image1:~$ sudo vi admin-openrc
ubcode@image1:~$ cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export PS1='\u@\h \W(admin/amdin)\$ '
ubcode@image1:~$
ubcode@image1 ~(admin/amdin)$ ls
admin-openrc cirros-0.4.0-x86_64-disk.img
ubcode@image1 ~(admin/amdin)$ glance image-create --name "cirros" \
> --file cirros-0.4.0-x86_64-disk.img \
> --disk-format qcow2 --container-format bare \
> --visibility=public
+------------------+----------------------------------------------------------------------------------+
| Property | Value |
+------------------+----------------------------------------------------------------------------------+
| checksum | 443b7623e27ecf03dc9e01ee93f67afe |
| container_format | bare |
| created_at | 2024-07-07T08:26:02Z |
| disk_format | qcow2 |
| id | 9f0e6328-3e96-41e1-b282-d577b6749a09 |
| min_disk | 0 |
| min_ram | 0 |
| name | cirros |
| os_hash_algo | sha512 |
| os_hash_value | 6513f21e44aa3da349f248188a44bc304a3653a04122d8fb4535423c8e1d14cd6a153f735bb0982e |
| | 2161b5b5186106570c17a9e58b64dd39390617cd5a350f78 |
| os_hidden | False |
| owner | ee65b6c3961747b988ab8bd1cc19fb93 |
| protected | False |
| size | 12716032 |
| status | active |
| tags | [] |
| updated_at | 2024-07-07T08:26:02Z |
| virtual_size | 46137344 |
| visibility | public |
+------------------+----------------------------------------------------------------------------------+
ubcode@image1 ~(admin/amdin)$ glance image-list
+--------------------------------------+--------+
| ID | Name |
+--------------------------------------+--------+
| 9f0e6328-3e96-41e1-b282-d577b6749a09 | cirros |
+--------------------------------------+--------+
ubcode@image1 ~(admin/amdin)$ openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| 9f0e6328-3e96-41e1-b282-d577b6749a09 | cirros | active |
+--------------------------------------+--------+--------+
root@image1:/var/lib/glance/images# ls
9f0e6328-3e96-41e1-b282-d577b6749a09
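4.5 Wireshark capture
4.5.1 Purpose of the capture
Observe the interactions between the OpenStack components.
4.5.2 Capture method
1. Run Wireshark on Windows 11 and capture the traffic on VMware Network Adapter VMnet8:
2. On osclient, run: openstack image list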
ubcode@osclient:~$ . admin-openrc
ubcode@osclient ~(admin/amdin)$ openstack image list
+--------------------------------------+--------+--------+
| ID | Name | Status |
+--------------------------------------+--------+--------+
| 9f0e6328-3e96-41e1-b282-d577b6749a09 | cirros | active |
+--------------------------------------+--------+--------+
ubcode@osclient ~(admin/amdin)$
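3. Stop the capture and analyze it
4.6 Wireshark capture analysis
4.6.1 Capture results
Filter out unrelated packets; filter: http or tcp.port == 11211 or tcp.port == 3306
The capture shows the interactions between OpenStackClient, Keystone, Glance and the glance DB.
- OpenStackClient --> keystone: authenticates user admin and obtains user admin's token.
- OpenStackClient --> glance: requests the image list.
- glance --> MEMCACHE: validates user admin's token.
- glance --> keystone: authenticates user glance and obtains user glance's token.
- glance --> MEMCACHE: stores the admin token.
- glance --> MariaDB: MySQL login, queries the glance DB and retrieves the image metadata.
- glance --> OpenStackClient: returns the query result.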
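Each hop in the list above is plain HTTP or an unencrypted TCP service in this lab, which is why Wireshark can dissect the Keystone password request, the token and the memcached lookup. As an added example (not part of the original post), the script below audits a glance-api.conf for the settings behind those hops; the function names, the constructed sample files, the placeholder secret and the certificate path are assumptions of the example, and the database check is a heuristic.

```sh
#!/bin/sh
# Added example, not from the original page: audit a glance-api.conf for the
# cleartext hops seen in the capture (Keystone 5000, memcached 11211,
# MariaDB 3306). Function names and sample files are assumptions.

# ini_get <file> <section> <key>: print the last value of key in [section].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); sect = $0; next }
        sect == want {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_glance_conf <file>: print one FINDING line per weak setting and
# return 0 when there are none. Secrets in the file are never echoed.
audit_glance_conf() (
    conf=$1
    findings=0
    report() {
        echo "FINDING: $1"
        findings=$((findings + 1))
    }

    # The service user's password and tokens travel to Keystone over these URLs.
    for key in www_authenticate_uri auth_url; do
        val=$(ini_get "$conf" keystone_authtoken "$key")
        case $val in
            http://*) report "[keystone_authtoken] $key uses plain HTTP: $val" ;;
        esac
    done

    # keystonemiddleware caches validated token data in memcached.
    servers=$(ini_get "$conf" keystone_authtoken memcached_servers)
    strategy=$(ini_get "$conf" keystone_authtoken memcache_security_strategy |
        tr '[:lower:]' '[:upper:]')
    secret=$(ini_get "$conf" keystone_authtoken memcache_secret_key)
    if [ -n "$servers" ]; then
        case $strategy in
            MAC | ENCRYPT)
                [ -n "$secret" ] ||
                    report "[keystone_authtoken] memcache_security_strategy set without memcache_secret_key"
                ;;
            *) report "[keystone_authtoken] memcached_servers set, token cache neither MAC-protected nor encrypted" ;;
        esac
    fi

    # Heuristic: TLS to the database is requested through ssl_* URL parameters.
    db=$(ini_get "$conf" database connection)
    case $db in
        "" | *\?*ssl_*) ;;
        *) report "[database] connection URL has no ssl_* parameter" ;;
    esac

    [ "$findings" -eq 0 ]
)

# Constructed sample mirroring the settings on this page (password replaced).
write_weak_conf() {
    cat > "$1" <<'EOF'
[database]
# connection = sqlite:var/lib/glance/glance.sqlite
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance
[keystone_authtoken]
www_authenticate_uri = http://controller:5000
auth_url = http://controller:5000
memcached_servers = controller:11211
EOF
}

# Constructed hardened variant; certificate path and secret are placeholders.
write_hardened_conf() {
    cat > "$1" <<'EOF'
[database]
connection = mysql+pymysql://glance:GLANCE_DBPASS@controller/glance?ssl_ca=/etc/ssl/certs/example-ca.pem
[keystone_authtoken]
www_authenticate_uri = https://controller:5000
auth_url = https://controller:5000
memcached_servers = controller:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = EXAMPLE_PLACEHOLDER_SECRET
EOF
}

if [ -n "${1:-}" ]; then audit_glance_conf "$1"; fi
```

Run it with the path to a real glance-api.conf as the only argument; the hardened variant assumes Keystone and MariaDB have already been given TLS listeners.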
4.6.2 Flow graph of the capture
4.6.3 Typical packets
1/ Authentication of user admin
OpenStackClient ---> keystone: authenticates user admin, scoped to project admin:
Frame 262: 284 bytes on wire (2272 bits), 284 bytes captured (2272 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: VMware_ff:20:81 (00:0c:29:ff:20:81), Dst: controller (00:0c:29:a8:e0:3c)
Internet Protocol Version 4, Src: 10.0.20.100 (10.0.20.100), Dst: controller (10.0.20.11)
Transmission Control Protocol, Src Port: 57938, Dst Port: 5000, Seq: 501, Ack: 534, Len: 218
[2 Reassembled TCP Segments (501 bytes): #261(283), #262(218)]
Hypertext Transfer Protocol
POST /v3/auth/tokens HTTP/1.1\r\n
Host: controller:5000\r\n
User-Agent: openstacksdk/0.61.0 keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.10.12\r\n
Accept-Encoding: gzip, deflate\r\n
Accept: application/json\r\n
Connection: keep-alive\r\n
Content-Type: application/json\r\n
Content-Length: 218\r\n
\r\n
[Full request URI: http://controller:5000/v3/auth/tokens]
[HTTP request 2/2]
[Prev request in frame: 257]
[Response in frame: 266]
File Data: 218 bytes
JavaScript Object Notation: application/json
JSON raw form:
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"password": "openstack",
"name": "admin",
"domain": {
"name": "Default"
}
}
}
},
"scope": {
"project": {
"name": "admin",
"domain": {
"name": "Default"
}
}
}
}
}
Object
Authentication succeeds and a token (X-Subject-Token) is obtained:
Frame 266: 858 bytes on wire (6864 bits), 858 bytes captured (6864 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: controller (00:0c:29:a8:e0:3c), Dst: VMware_ff:20:81 (00:0c:29:ff:20:81)
Internet Protocol Version 4, Src: controller (10.0.20.11), Dst: 10.0.20.100 (10.0.20.100)
Transmission Control Protocol, Src Port: 5000, Dst Port: 57938, Seq: 1982, Ack: 719, Len: 792
[2 Reassembled TCP Segments (2240 bytes): #265(1448), #266(792)]
Hypertext Transfer Protocol
HTTP/1.1 201 CREATED\r\n
Date: Thu, 11 Jul 2024 21:58:26 GMT\r\n
Server: Apache/2.4.52 (Ubuntu)\r\n
Content-Length: 1750\r\n
X-Subject-Token: gAAAAABmkFWFJBbsCv5MsBqeIGj9Fc426FeFSZTyQsjlgM4lC6I6crQcE3x-ygbUSoDUoMzjTh06W5STx4YChIbkhHCe_5OuuKOx8ZAp1pxs9M_yMLD6PtuYK7TDPwlPNfjdHOKWNvrA6BHc3Xg-mjdvnsi_Z2tKdw_A3AQUYN3uAub3zaxK418\r\n
Vary: X-Auth-Token\r\n
x-openstack-request-id: req-d1c97182-1225-48de-a8cd-b657907a6d50\r\n
Keep-Alive: timeout=5, max=99\r\n
Connection: Keep-Alive\r\n
Content-Type: application/json\r\n
\r\n
[HTTP response 2/2]
[Time since request: 3.077388000 seconds]
[Prev request in frame: 257]
[Prev response in frame: 259]
[Request in frame: 262]
[Request URI: http://controller:5000/v3/auth/tokens]
File Data: 1750 bytes
JavaScript Object Notation: application/json
JSON raw form:
{
"token": {
"methods": [
"password"
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "2947c213547147979dce3c8f8b85697f",
"name": "admin",
"password_expires_at": null
},
"audit_ids": [
"-gVm2yInSBWpjE6RI9Q78A"
],
"expires_at": "2024-07-11T22:58:29.000000Z",
"issued_at": "2024-07-11T21:58:29.000000Z",
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "ee65b6c3961747b988ab8bd1cc19fb93",
"name": "admin"
},
"is_domain": false,
"roles": [
{
"id": "17552c9a365d4944a50fd8ac271791c6",
"name": "member"
},
{
"id": "e434c66b7af647158bcaa77686ca6e93",
"name": "admin"
},
{
"id": "be23525c20c44f05b3ba071455522fcb",
"name": "reader"
}
],
"catalog": [
{
"endpoints": [
{
"id": "7d17e6182d8640a7a6637f4f460a5c08",
"interface": "internal",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
},
{
"id": "c37250b6bd2d471f92427483d31fd5c7",
"interface": "public",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
},
{
"id": "f210d94217e54d2781192170bdf26877",
"interface": "admin",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
}
],
"id": "f378aa833518466c9ce2c9ef85e82ace",
"type": "image",
"name": "glance"
},
{
"endpoints": [
{
"id": "a82bd043e133464fa863fba98b400460",
"interface": "admin",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
},
{
"id": "ac109817862344c4854b783d642be412",
"interface": "internal",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
},
{
"id": "eaf4ddaab1b74aa59403f9fbf5fc4ac1",
"interface": "public",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
}
],
"id": "75fe01049ec648b69e48d200971bf601",
"type": "identity",
"name": "keystone"
}
]
}
}
Object
2/ Query the image list
OpenStackClient ---> glance: queries the image list; note that the request carries the token obtained earlier (X-Auth-Token):
Frame 277: 485 bytes on wire (3880 bits), 485 bytes captured (3880 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: VMware_ff:20:81 (00:0c:29:ff:20:81), Dst: image1 (00:0c:29:cc:19:7d)
Internet Protocol Version 4, Src: 10.0.20.100 (10.0.20.100), Dst: image1 (10.0.20.16)
Transmission Control Protocol, Src Port: 32788, Dst Port: 9292, Seq: 212, Ack: 1172, Len: 419
Hypertext Transfer Protocol
GET /v2/images HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /v2/images HTTP/1.1\r\n]
Request Method: GET
Request URI: /v2/images
Request Version: HTTP/1.1
Host: image1:9292\r\n
User-Agent: openstacksdk/0.61.0 keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.10.12\r\n
Accept-Encoding: gzip, deflate\r\n
Accept: application/json\r\n
Connection: keep-alive\r\n
X-Auth-Token: gAAAAABmkFWFJBbsCv5MsBqeIGj9Fc426FeFSZTyQsjlgM4lC6I6crQcE3x-ygbUSoDUoMzjTh06W5STx4YChIbkhHCe_5OuuKOx8ZAp1pxs9M_yMLD6PtuYK7TDPwlPNfjdHOKWNvrA6BHc3Xg-mjdvnsi_Z2tKdw_A3AQUYN3uAub3zaxK418\r\n
\r\n
[Full request URI: http://image1:9292/v2/images]
[HTTP request 2/2]
[Prev request in frame: 273]
[Response in frame: 362]
3/ Token validation via MEMCACHE
glance ---> MEMCACHE: validates the token:
Frame 281: 143 bytes on wire (1144 bits), 143 bytes captured (1144 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: image1 (00:0c:29:cc:19:7d), Dst: controller (00:0c:29:a8:e0:3c)
Internet Protocol Version 4, Src: image1 (10.0.20.16), Dst: controller (10.0.20.11)
Transmission Control Protocol, Src Port: 59524, Dst Port: 11211, Seq: 1, Ack: 1, Len: 77
Memcache Protocol
Command: get
Key: tokens/773e2dee2fb1030e539ea2f4cbee331eb398d4f8145ca001c733c4b3f63ca862
MEMCACHE ---> glance: MEMCACHE answers the validation request:
Frame 282: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: controller (00:0c:29:a8:e0:3c), Dst: image1 (00:0c:29:cc:19:7d)
Internet Protocol Version 4, Src: controller (10.0.20.11), Dst: image1 (10.0.20.16)
Transmission Control Protocol, Src Port: 11211, Dst Port: 59524, Seq: 1, Ack: 78, Len: 0
Source Port: 11211
Destination Port: 59524
[Stream index: 3]
[Conversation completeness: Incomplete, DATA (15)]
[TCP Segment Len: 0]
Sequence Number: 1 (relative sequence number)
Sequence Number (raw): 981702265
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 78 (relative ack number)
Acknowledgment number (raw): 2808812894
1000 .... = Header Length: 32 bytes (8)
Flags: 0x010 (ACK)
Window: 509
[Calculated window size: 65152]
[Window size scaling factor: 128]
Checksum: 0x13d8 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
TCP Option - No-Operation (NOP)
TCP Option - No-Operation (NOP)
TCP Option - Timestamps: TSval 2111276189, TSecr 3515395769
[Timestamps]
[Time since first frame in this TCP stream: 0.000488000 seconds]
[Time since previous frame in this TCP stream: 0.000127000 seconds]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 281] <------- reply to the validation request
[The RTT to ACK the segment was: 0.000127000 seconds]
[iRTT: 0.000232000 seconds]
4/ Authenticating the glance user
glance ---> keystone, the glance user, scoped to the service project, authenticates:
Frame 294: 287 bytes on wire (2296 bits), 287 bytes captured (2296 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: image1 (00:0c:29:cc:19:7d), Dst: controller (00:0c:29:a8:e0:3c)
Internet Protocol Version 4, Src: image1 (10.0.20.16), Dst: controller (10.0.20.11)
Transmission Control Protocol, Src Port: 35368, Dst Port: 5000, Seq: 559, Ack: 601, Len: 221
[2 Reassembled TCP Segments (534 bytes): #293(313), #294(221)]
Hypertext Transfer Protocol
POST /v3/auth/tokens HTTP/1.1\r\n
[Expert Info (Chat/Sequence): POST /v3/auth/tokens HTTP/1.1\r\n]
Request Method: POST
Request URI: /v3/auth/tokens
Request Version: HTTP/1.1
Host: controller:5000\r\n
User-Agent: glance/24.2.1 keystonemiddleware.auth_token/9.4.0 keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.10.12\r\n
Accept-Encoding: gzip, deflate\r\n
Accept: application/json\r\n
Connection: keep-alive\r\n
Content-Type: application/json\r\n
Content-Length: 221\r\n
\r\n
[Full request URI: http://controller:5000/v3/auth/tokens]
[HTTP request 2/3]
[Prev request in frame: 288]
[Response in frame: 304]
[Next request in frame: 306]
File Data: 221 bytes
JavaScript Object Notation: application/json
JSON raw form:
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"password": "openstack",
"name": "glance",
"domain": {
"name": "Default"
}
}
}
},
"scope": {
"project": {
"name": "service",
"domain": {
"name": "Default"
}
}
}
}
}
Object
keystone ---> glance, authentication succeeds and keystone issues glance's token (X-Subject-Token):
Frame 304: 861 bytes on wire (6888 bits), 861 bytes captured (6888 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: controller (00:0c:29:a8:e0:3c), Dst: image1 (00:0c:29:cc:19:7d)
Internet Protocol Version 4, Src: controller (10.0.20.11), Dst: image1 (10.0.20.16)
Transmission Control Protocol, Src Port: 5000, Dst Port: 35368, Seq: 2049, Ack: 780, Len: 795
[2 Reassembled TCP Segments (2243 bytes): #303(1448), #304(795)]
Hypertext Transfer Protocol
HTTP/1.1 201 CREATED\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 201 CREATED\r\n]
Response Version: HTTP/1.1
Status Code: 201
[Status Code Description: Created]
Response Phrase: CREATED
Date: Thu, 11 Jul 2024 21:58:32 GMT\r\n
Server: Apache/2.4.52 (Ubuntu)\r\n
Content-Length: 1753\r\n
X-Subject-Token: gAAAAABmkFWLEgmaDAIh3GTU4gl2BQm2dgjcP7vCi7j6Z3h3rrjAL_c37havjhwmUxFXoxsZdKDWpzMuxjcL7UGBmoZeRHPxsnYeETpA_qz3OYhhZBV5LZM0gbZey_dCmWCJnI8dWyIXA3Iyd9wLxKX6vIYLYD9TZkTyNUuHsasmVrluTNp9i6s\r\n
Vary: X-Auth-Token\r\n
x-openstack-request-id: req-da6fa8c4-ce65-4dbe-b10b-f997d0858666\r\n
Keep-Alive: timeout=5, max=99\r\n
Connection: Keep-Alive\r\n
Content-Type: application/json\r\n
\r\n
[HTTP response 2/3]
[Time since request: 3.104488000 seconds]
[Prev request in frame: 288]
[Prev response in frame: 291]
[Request in frame: 294]
[Next request in frame: 306]
[Next response in frame: 309]
[Request URI: http://controller:5000/v3/auth/tokens]
File Data: 1753 bytes
JavaScript Object Notation: application/json
JSON raw form:
{
"token": {
"methods": [
"password"
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "2eb252b5fc2743e995141d9529569e2d",
"name": "glance",
"password_expires_at": null
},
"audit_ids": [
"JX1DnLlpRlS_8qqim-V36w"
],
"expires_at": "2024-07-11T22:58:35.000000Z",
"issued_at": "2024-07-11T21:58:35.000000Z",
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "fe9220b4131041e4b551b42b64a8f9ca",
"name": "service"
},
"is_domain": false,
"roles": [
{
"id": "17552c9a365d4944a50fd8ac271791c6",
"name": "member"
},
{
"id": "e434c66b7af647158bcaa77686ca6e93",
"name": "admin"
},
{
"id": "be23525c20c44f05b3ba071455522fcb",
"name": "reader"
}
],
"catalog": [
{
"endpoints": [
{
"id": "7d17e6182d8640a7a6637f4f460a5c08",
"interface": "internal",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
},
{
"id": "c37250b6bd2d471f92427483d31fd5c7",
"interface": "public",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
},
{
"id": "f210d94217e54d2781192170bdf26877",
"interface": "admin",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
}
],
"id": "f378aa833518466c9ce2c9ef85e82ace",
"type": "image",
"name": "glance"
},
{
"endpoints": [
{
"id": "a82bd043e133464fa863fba98b400460",
"interface": "admin",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
},
{
"id": "ac109817862344c4854b783d642be412",
"interface": "internal",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
},
{
"id": "eaf4ddaab1b74aa59403f9fbf5fc4ac1",
"interface": "public",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
}
],
"id": "75fe01049ec648b69e48d200971bf601",
"type": "identity",
"name": "keystone"
}
]
}
}
Object
5/ glance validates admin's token
glance ---> keystone, having authenticated itself and obtained its own token (X-Auth-Token), glance goes on to validate the token of the admin user scoped to the admin project (X-Subject-Token):
Frame 306: 675 bytes on wire (5400 bits), 675 bytes captured (5400 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: image1 (00:0c:29:cc:19:7d), Dst: controller (00:0c:29:a8:e0:3c)
Internet Protocol Version 4, Src: image1 (10.0.20.16), Dst: controller (10.0.20.11)
Transmission Control Protocol, Src Port: 35368, Dst Port: 5000, Seq: 780, Ack: 2844, Len: 609
Hypertext Transfer Protocol
GET /v3/auth/tokens HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /v3/auth/tokens HTTP/1.1\r\n]
Request Method: GET
Request URI: /v3/auth/tokens
Request Version: HTTP/1.1
Host: controller:5000\r\n
User-Agent: python-keystoneclient\r\n
Accept-Encoding: gzip, deflate\r\n
Accept: application/json\r\n
Connection: keep-alive\r\n
X-Subject-Token: gAAAAABmkFWFJBbsCv5MsBqeIGj9Fc426FeFSZTyQsjlgM4lC6I6crQcE3x-ygbUSoDUoMzjTh06W5STx4YChIbkhHCe_5OuuKOx8ZAp1pxs9M_yMLD6PtuYK7TDPwlPNfjdHOKWNvrA6BHc3Xg-mjdvnsi_Z2tKdw_A3AQUYN3uAub3zaxK418\r\n
OpenStack-Identity-Access-Rules: 1\r\n
X-Auth-Token: gAAAAABmkFWLEgmaDAIh3GTU4gl2BQm2dgjcP7vCi7j6Z3h3rrjAL_c37havjhwmUxFXoxsZdKDWpzMuxjcL7UGBmoZeRHPxsnYeETpA_qz3OYhhZBV5LZM0gbZey_dCmWCJnI8dWyIXA3Iyd9wLxKX6vIYLYD9TZkTyNUuHsasmVrluTNp9i6s\r\n
\r\n
[Full request URI: http://controller:5000/v3/auth/tokens]
[HTTP request 3/3]
[Prev request in frame: 294]
[Response in frame: 309]
keystone ---> glance, confirms that the token of the admin user scoped to the admin project is valid, and returns the related service catalog and endpoints:
Frame 309: 853 bytes on wire (6824 bits), 853 bytes captured (6824 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: controller (00:0c:29:a8:e0:3c), Dst: image1 (00:0c:29:cc:19:7d)
Internet Protocol Version 4, Src: controller (10.0.20.11), Dst: image1 (10.0.20.16)
Transmission Control Protocol, Src Port: 5000, Dst Port: 35368, Seq: 4292, Ack: 1389, Len: 787
[2 Reassembled TCP Segments (2235 bytes): #308(1448), #309(787)]
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
Response Version: HTTP/1.1
Status Code: 200
[Status Code Description: OK]
Response Phrase: OK
Date: Thu, 11 Jul 2024 21:58:35 GMT\r\n
Server: Apache/2.4.52 (Ubuntu)\r\n
Content-Length: 1750\r\n
X-Subject-Token: gAAAAABmkFWFJBbsCv5MsBqeIGj9Fc426FeFSZTyQsjlgM4lC6I6crQcE3x-ygbUSoDUoMzjTh06W5STx4YChIbkhHCe_5OuuKOx8ZAp1pxs9M_yMLD6PtuYK7TDPwlPNfjdHOKWNvrA6BHc3Xg-mjdvnsi_Z2tKdw_A3AQUYN3uAub3zaxK418\r\n
Vary: X-Auth-Token\r\n
x-openstack-request-id: req-1e89695f-0ef0-4703-88b5-0396bc0ea1c9\r\n
Keep-Alive: timeout=5, max=98\r\n
Connection: Keep-Alive\r\n
Content-Type: application/json\r\n
\r\n
[HTTP response 3/3]
[Time since request: 2.943232000 seconds]
[Prev request in frame: 294]
[Prev response in frame: 304]
[Request in frame: 306]
[Request URI: http://controller:5000/v3/auth/tokens]
File Data: 1750 bytes
JavaScript Object Notation: application/json
JSON raw form:
{
"token": {
"methods": [
"password"
],
"user": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "2947c213547147979dce3c8f8b85697f",
"name": "admin",
"password_expires_at": null
},
"audit_ids": [
"-gVm2yInSBWpjE6RI9Q78A"
],
"expires_at": "2024-07-11T22:58:29.000000Z",
"issued_at": "2024-07-11T21:58:29.000000Z",
"project": {
"domain": {
"id": "default",
"name": "Default"
},
"id": "ee65b6c3961747b988ab8bd1cc19fb93",
"name": "admin"
},
"is_domain": false,
"roles": [
{
"id": "17552c9a365d4944a50fd8ac271791c6",
"name": "member"
},
{
"id": "e434c66b7af647158bcaa77686ca6e93",
"name": "admin"
},
{
"id": "be23525c20c44f05b3ba071455522fcb",
"name": "reader"
}
],
"catalog": [
{
"endpoints": [
{
"id": "7d17e6182d8640a7a6637f4f460a5c08",
"interface": "internal",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
},
{
"id": "c37250b6bd2d471f92427483d31fd5c7",
"interface": "public",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
},
{
"id": "f210d94217e54d2781192170bdf26877",
"interface": "admin",
"region_id": "RegionOne",
"url": "http://image1:9292",
"region": "RegionOne"
}
],
"id": "f378aa833518466c9ce2c9ef85e82ace",
"type": "image",
"name": "glance"
},
{
"endpoints": [
{
"id": "a82bd043e133464fa863fba98b400460",
"interface": "admin",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
},
{
"id": "ac109817862344c4854b783d642be412",
"interface": "internal",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
},
{
"id": "eaf4ddaab1b74aa59403f9fbf5fc4ac1",
"interface": "public",
"region_id": "RegionOne",
"url": "http://controller:5000/v3/",
"region": "RegionOne"
}
],
"id": "75fe01049ec648b69e48d200971bf601",
"type": "identity",
"name": "keystone"
}
]
}
}
Object
6/ Storing the token in MEMCACHE
glance ---> MEMCACHE, store the token:
Frame 312: 677 bytes on wire (5416 bits), 677 bytes captured (5416 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: image1 (00:0c:29:cc:19:7d), Dst: controller (00:0c:29:a8:e0:3c)
Internet Protocol Version 4, Src: image1 (10.0.20.16), Dst: controller (10.0.20.11)
Transmission Control Protocol, Src Port: 59524, Dst Port: 11211, Seq: 1526, Ack: 6, Len: 611
[2 Reassembled TCP Segments (2059 bytes): #311(1448), #312(611)]
Memcache Protocol
Command: set
Key: tokens/773e2dee2fb1030e539ea2f4cbee331eb398d4f8145ca001c733c4b3f63ca862
Flags: 0
Expiration: 300
Value length: 1968
Value [truncated]: {"token": {"methods": ["password"], "user": {"domain": {"id": "default", "name": "Default"}, "id": "2947c213547147979dce3c8f8b85697f", "name": "admin", "password_expires_at": null}, "audit_ids": ["-gVm2yInSBWpjE6RI9Q78A"
MEMCACHE stores it successfully:
Frame 314: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: controller (00:0c:29:a8:e0:3c), Dst: image1 (00:0c:29:cc:19:7d)
Internet Protocol Version 4, Src: controller (10.0.20.11), Dst: image1 (10.0.20.16)
Transmission Control Protocol, Src Port: 11211, Dst Port: 59524, Seq: 6, Ack: 2137, Len: 8
Memcache Protocol
Response: STORED
7/ glance connects to the database and runs SQL queries
(Only the login information is shown; the other SQL queries are omitted.)
Frame 321: 212 bytes on wire (1696 bits), 212 bytes captured (1696 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: image1 (00:0c:29:cc:19:7d), Dst: controller (00:0c:29:a8:e0:3c)
Internet Protocol Version 4, Src: image1 (10.0.20.16), Dst: controller (10.0.20.11)
Transmission Control Protocol, Src Port: 46382, Dst Port: 3306, Seq: 1, Ack: 111, Len: 146
MySQL Protocol
Packet Length: 142
Packet Number: 1
Login Request
Client Capabilities: 0xa20f
Extended Client Capabilities: 0x003a
MAX Packet: 16777215
Charset: utf8 COLLATE utf8_general_ci (33)
Unused: 0000000000000000000000000000000000000000000000
Username: glance
Password: 4d1590709f0fb6fdce405042311a3773f737dd5a
Schema: glance
Client Auth Plugin: mysql_native_password
Connection Attributes
8/ glance returns the query result to OpenStackClient:
Frame 362: 1117 bytes on wire (8936 bits), 1117 bytes captured (8936 bits) on interface \Device\NPF_{3CF2B347-CE40-406F-B67A-13F210B29B37}, id 0
Ethernet II, Src: image1 (00:0c:29:cc:19:7d), Dst: VMware_ff:20:81 (00:0c:29:ff:20:81)
Internet Protocol Version 4, Src: image1 (10.0.20.16), Dst: 10.0.20.100 (10.0.20.100)
Transmission Control Protocol, Src Port: 9292, Dst Port: 32788, Seq: 1172, Ack: 631, Len: 1051
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
[Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
Response Version: HTTP/1.1
Status Code: 200
[Status Code Description: OK]
Response Phrase: OK
Content-Length: 852\r\n
Content-Type: application/json\r\n
X-Openstack-Request-Id: req-3fd463a0-2fae-4d96-b668-ecd6c402861c\r\n
Date: Thu, 11 Jul 2024 21:58:38 GMT\r\n
Connection: keep-alive\r\n
\r\n
[HTTP response 2/2]
[Time since request: 8.837414000 seconds]
[Prev request in frame: 273]
[Prev response in frame: 275]
[Request in frame: 277]
[Request URI: http://image1:9292/v2/images]
File Data: 852 bytes
JavaScript Object Notation: application/json
JSON raw form:
{
"images": [
{
"name": "cirros",
"disk_format": "qcow2",
"container_format": "bare",
"visibility": "public",
"size": 12716032,
"virtual_size": 46137344,
"status": "active",
"checksum": "443b7623e27ecf03dc9e01ee93f67afe",
"protected": false,
"min_ram": 0,
"min_disk": 0,
"owner": "ee65b6c3961747b988ab8bd1cc19fb93",
"os_hidden": false,
"os_hash_algo": "sha512",
"os_hash_value": "6513f21e44aa3da349f248188a44bc304a3653a04122d8fb4535423c8e1d14cd6a153f735bb0982e2161b5b5186106570c17a9e58b64dd39390617cd5a350f78",
"id": "9f0e6328-3e96-41e1-b282-d577b6749a09",
"created_at": "2024-07-07T08:26:02Z",
"updated_at": "2024-07-07T08:26:02Z",
"tags": [],
"self": "/v2/images/9f0e6328-3e96-41e1-b282-d577b6749a09",
"file": "/v2/images/9f0e6328-3e96-41e1-b282-d577b6749a09/file",
"schema": "/v2/schemas/image"
}
],
"first": "/v2/images",
"schema": "/v2/schemas/images"
}
Object
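The frames above carry four kinds of secret in cleartext: the X-Auth-Token/X-Subject-Token headers, the glance service password in the Keystone POST body, the token body in the memcached `set`, and the MariaDB login. The following is an added example, not part of the original post, that scans a Wireshark-style text export for those exposures; the sample input is constructed with placeholder secrets, and the `audit` function and finding names are hypothetical.

```python
import re

# Service ports as they appear in the capture above.
SERVICES = {9292: "glance-api", 5000: "keystone", 11211: "memcached", 3306: "mariadb"}
PORTS = re.compile(r"Src Port: (\d+), Dst Port: (\d+)")
# (finding, service it applies to or None for any, pattern). Names are hypothetical.
RULES = [
    ("token-header", None, re.compile(r"^\s*X-(?:Auth|Subject)-Token:\s*\S+")),
    ("password-json", "keystone", re.compile(r'"password":\s*"[^"]+"')),
    ("token-in-cache-value", "memcached", re.compile(r'^\s*Value.*\{"token":')),
    # A readable Username field means the login was not wrapped in TLS.
    ("db-login-no-tls", "mariadb", re.compile(r"^\s*Username:\s*\S+")),
]

# Constructed sample modelled on the dissections above; secrets are placeholders.
SAMPLE = """\
Transmission Control Protocol, Src Port: 32788, Dst Port: 9292, Seq: 212, Ack: 1172, Len: 419
X-Auth-Token: EXAMPLE-USER-TOKEN
Transmission Control Protocol, Src Port: 35368, Dst Port: 5000, Seq: 559, Ack: 601, Len: 221
"methods": ["password"],
"password": "EXAMPLE-SERVICE-PASSWORD",
Transmission Control Protocol, Src Port: 5000, Dst Port: 35368, Seq: 2049, Ack: 780, Len: 795
X-Subject-Token: EXAMPLE-SERVICE-TOKEN
"password_expires_at": null
Transmission Control Protocol, Src Port: 59524, Dst Port: 11211, Seq: 1526, Ack: 6, Len: 611
Value [truncated]: {"token": {"methods": ["password"], "user": {"name": "admin"}}}
Transmission Control Protocol, Src Port: 46382, Dst Port: 3306, Seq: 1, Ack: 111, Len: 146
Username: glance
"""

def audit(text):
    """Return (service, finding) pairs; the secret value itself is never echoed."""
    findings, service = [], None
    for line in text.splitlines():
        m = PORTS.search(line)
        if m:  # new frame: whichever side is a known service port names the hop
            src, dst = int(m.group(1)), int(m.group(2))
            service = SERVICES.get(dst) or SERVICES.get(src)
            continue
        for finding, only, rx in RULES:
            if only in (None, service) and rx.search(line):
                findings.append((service, finding))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

The HTTP findings are addressed by serving the Keystone and Glance endpoints over HTTPS, the cache finding by setting `memcache_security_strategy` and `memcache_secret_key` in `[keystone_authtoken]`, and the database finding by enabling TLS on the MariaDB connection.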