def do_rabbit_addusers(cname):
    """Create the RabbitMQ ``openstack`` account (or reset its password) and grant it full rights on vhost ``/``.

    Args:
        cname: name of the component whose key-manager entry holds the ``openstack`` password.
    """
    component = facility.get_component(cname)
    # shell-quoted because it is interpolated into a command line; note that it is therefore
    # briefly visible to local users in the process list while rabbitmqctl runs
    quoted_pwd = cmd_quote(util.get_keymgr()(component.name, 'openstack'))
    # add_user fails when the user already exists, in which case the password is reset instead
    command = """rabbitmqctl add_user openstack {passwd} || rabbitmqctl change_password openstack {passwd} && rabbitmqctl set_permissions -p / openstack ".*" ".*" ".*" """
    localsh.run(command.format(passwd=quoted_pwd))
def compose(self):
    """Compose the Keystone component.

    Registers the identity endpoints, the ``admin`` project/user in the ``Default``
    domain, the SQL account used by keystone and the principals the keystone hosts
    are blessed with.
    """
    super(Keystone, self).compose()
    public_base = "http://" + conf.get_vip('public')['domain_name']
    default_region = conf.get_default_region()
    # admin API on 35357, internal/public on 5000; plain http as configured by the vip (no TLS set up here)
    endpoints = {
        'admin': public_base + ':35357',
        'internal': public_base + ':5000',
        'public': public_base + ':5000',
    }
    self.register_endpoints(region=default_region, name='keystone', etype='identity',
                            description='OpenStack Identity', eps=endpoints)
    self.register_project_in_domain('Default', 'admin', 'members are full admins')
    admin_pwd = util.get_keymgr()(self.name, 'admin@default')
    self.register_user_in_domain('Default', 'admin', password=admin_pwd,
                                 project_roles={('Default', 'admin'): ['admin']})
    keystone_hosts = self.hosts_with_service('keystone')
    self.sql.populate_peer(keystone_hosts, ['client'])
    self.sql.register_user_with_schemas('keystone', ['keystone'])
    # the keystone hosts need both the admin credential and the database credential
    util.bless_with_principal(keystone_hosts,
                              [(self.name, 'admin@default'), (self.sql.name, 'keystone')])
def etc_nova_nova_conf(self):
    """Return the contents of nova.conf as a nested ``{section: {option: value}}`` dict.

    NOTE: mariadb.db_url is not required on compute nodes when use_conductor is False.
    TODO: exclude the sql sections on compute.
    TODO: create a nova ceph user with the same privileges instead of reusing the
    configured rbd user.
    """
    gconf = conf.get_global_config()
    public_domain = conf.get_vip('public')['domain_name']
    # the metadata proxy secret is shared by nova and neutron, hence the two-component key
    neutron_section = self.keystone.authtoken_section('neutron_for_nova')
    neutron_section.update({
        'service_metadata_proxy': True,
        'metadata_proxy_shared_secret': util.get_keymgr()([self, self.networking],
                                                          'neutron_nova_metadata'),
    })
    # add dual suffix
    # placement is only configured when its service credential exists
    has_placement = util.get_keymanager().has_creds(self.keystone.name, 'placement@default')
    placement_section = self.keystone.authtoken_section('placement') if has_placement else {}
    glance_api = 'http://' + public_domain + ':9292'
    # tempest likes the SameHostFilter,DifferentHostFilter
    enabled_filters = ','.join([
        'RetryFilter', 'AvailabilityZoneFilter', 'RamFilter', 'DiskFilter',
        'ComputeFilter', 'ComputeCapabilitiesFilter', 'ImagePropertiesFilter',
        'ServerGroupAntiAffinityFilter', 'ServerGroupAffinityFilter',
        'SameHostFilter', 'DifferentHostFilter',
    ])
    return {
        'DEFAULT': {
            'debug': True,  # debug logging is on everywhere in this deployment
            'transport_url': self.messaging.transport_url(),
            'compute_driver': 'libvirt.LibvirtDriver',
            'use_neutron': True,
            'firewall_driver': "nova.virt.firewall.NoopFirewallDriver",
            'security_group_api': "neutron",
            'log_dir': '/var/log/nova',
            'default_floating_pool': "public",  # ext net needs to match
            'state_path': '/var/lib/nova',
        },
        'keystone_authtoken': self.keystone.authtoken_section('nova'),
        'placement': placement_section,
        'database': {'connection': self.sql.db_url('nova')},
        'api_database': {'connection': self.sql.db_url('nova_api', 'nova')},
        'glance': {'api_servers': glance_api},
        'scheduler': {'discover_hosts_in_cells_interval': '300'},
        'neutron': neutron_section,
        'libvirt': {
            'rbd_user': '******',
            'rbd_secret_uuid': gconf['cinder_ceph_libvirt_secret_uuid'],
            'disk_cachemodes': "network=writeback",  # file=unsafe ?
            'virt_type': 'qemu',  # until nested is fixed
            'images_type': 'rbd',
            'images_rbd_pool': 'vms',
            'images_rbd_ceph_conf': '/etc/ceph/ceph.conf',
        },
        'filter_scheduler': {'enabled_filters': enabled_filters},
    }
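def authtoken_section(self, service_user):
    """Build the ``[keystone_authtoken]``-style options for a service account.

    Args:
        service_user: keystone username of the service; its password is looked up
            under ``<service_user>@default`` in the key manager.

    Returns:
        dict of oslo.config option name -> value for v3 password auth against the
        public keystone endpoint.
    """
    # oslo.config treats '%' as an interpolation marker in ini files, so the password is
    # escaped here (and just here: the lower layer does not escape at the moment).
    pwd = util.get_keymgr()(self.name, service_user + '@default').replace('%', '%%')
    return {
        "auth_url": 'http://' + conf.get_vip('public')['domain_name'] + ':5000/',
        "project_domain_name": 'Default',
        "project_name": 'service',
        # previously the raw password was fetched a second time here, which left the
        # escaped value above unused and broke on passwords containing '%'
        "password": pwd,
        "user_domain_name": 'Default',
        "username": service_user,
        "auth_type": 'password',
    }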
def transport_url(self, user='******', vhost=None):
    """Return the oslo.messaging ``rabbit://`` URL listing every rabbit peer.

    Args:
        user: rabbit account; its password is fetched from the key manager.
        vhost: virtual host appended after the trailing ``/`` (empty when falsy).

    Returns:
        ``rabbit://user:pwd@host:port,user:pwd@host:port/vhost``. The result embeds a
        credential, so it should be kept out of logs.
    """
    peers = self.get_peer_info()
    # percent-encoded because it sits in the URL authority part
    encoded_pwd = urllib.parse.quote_plus(util.get_keymgr()(self.name, user))
    hosts = [
        '%s:%s@%s:%s' % (user, encoded_pwd, peer['addr'], peer['port'])
        for peer in peers
    ]
    suffix = vhost if vhost else ''
    return 'rabbit://' + ','.join(hosts) + '/' + suffix
def etc_sysconfig_clustercheck(self):
    """Return the /etc/sysconfig/clustercheck content for the local MariaDB node.

    The file is sourced by the clustercheck shell script, so the password is
    shell-quoted rather than ini-escaped.
    """
    clustercheck_pwd = util.get_keymgr()(self.name, 'clustercheckuser')
    template = """MYSQL_USERNAME="******" MYSQL_PASSWORD={pwd} MYSQL_HOST=localhost MYSQL_PORT="3306" ERR_FILE="/tmp/clustercheckuser_42328756" AVAILABLE_WHEN_DONOR=0 AVAILABLE_WHEN_READONLY=0 DEFAULTS_EXTRA_FILE=/etc/my.cnf"""
    return template.format(pwd=cmd_quote(clustercheck_pwd))
def etc_neutron_metadata_agent_ini(self):
    """Return the metadata_agent.ini content as a nested dict.

    The proxy secret is the one nova is configured with, keyed on the nova
    component this agent shares it with.
    """
    internal_vip = conf.get_vip('internal')['domain_name']
    shared_secret = util.get_keymgr()(self.find_nova_comp_shared(), 'neutron_nova_metadata')
    default_section = {
        'nova_metadata_ip': internal_vip,
        'metadata_proxy_shared_secret': shared_secret,
    }
    return {'DEFAULT': default_section}
def db_url(self, db, user=None):
    """Return the SQLAlchemy URL for database *db* on the client-facing peer.

    Args:
        db: database name.
        user: account name; defaults to the database name when None.

    Returns:
        ``mysql+pymysql://user:pwd@host:port/db`` with the password percent-encoded.
    """
    peer = self.get_peer_info('client')
    db_host = peer['addr']
    db_port = peer['port']
    if user is None:
        user = db
    # utf8 is the default nowadays
    # TODO: source_ip
    encoded_pwd = urllib.parse.quote_plus(util.get_keymgr()(self.name, user))
    return 'mysql+pymysql://{user}:{pwd}@{host}:{port}/{db}'.format(
        user=user, pwd=encoded_pwd, host=db_host, port=db_port, db=db)
def register_service_admin_user(self, user, password=None):
    """Register *user* as an admin of the ``service`` project in the ``Default`` domain.

    Args:
        user: keystone username.
        password: explicit password; when falsy it is read from the key manager
            under ``<user>@default`` of the ``keystone`` component.
    """
    keymgr = util.get_keymgr()
    if not password:
        password = keymgr('keystone', user + '@default')
    self.register_project_in_domain('Default', 'service', 'dummy service project')
    service_roles = {('Default', 'service'): ['admin']}
    self.register_user_in_domain(domain='Default', user=user, password=password,
                                 project_roles=service_roles)
def add_stats_lister(self):
    """Register the haproxy stats listener, guarded by basic auth as ``admin``."""
    stats_pwd = util.get_keymgr()('haproxy' + self.suffix, 'admin')
    # NOTE(review): haproxy's single-quoted ("strong") quoting takes backslashes literally,
    # so a password containing a quote may not round-trip through this escaping — confirm
    # against how add_listener renders the config.
    auth_value = "'admin:{0}'".format(stats_pwd.replace("'", r"\'"))
    # NOTE(review): bound on every interface over plain http, so the credential crosses the
    # wire in the clear — confirm the port is reachable only from the management network.
    listener = {
        'bind': '*:1993 transparent',
        'mode': 'http',
        'stats': {'enable': '', 'uri': '/', 'auth': auth_value},
    }
    self.add_listener('haproxy.stats', listener)
def pre_flight():
    """Write the admin and demo openrc scripts into the state dir and register the demo project/user."""
    state_dir = conf.get_args().state_dir
    owner, group = os.getuid(), os.getgid()
    # the openrc scripts embed credentials; only ownership is set here, the mode is whatever
    # cfgfile.content_file applies by default
    cfgfile.content_file(state_dir + '/admin-openrc.sh', util.userrc_script('admin'),
                         owner=owner, group=group)
    keystone = facility.get_component('keystone')
    keystone.register_project_in_domain('Default', 'demo', 'demo project')
    keystone.register_user_in_domain(
        'Default', 'demo',
        password=util.get_keymgr()('keystone', 'demo@default'),
        email='*****@*****.**',
        project_roles={('Default', 'demo'): ['user']})
    cfgfile.content_file(state_dir + '/demo-openrc.sh', util.userrc_script('demo'),
                         owner=owner, group=group)
def do_keystone_endpoint_sync(cname, enp):
    """Sync endpoint definitions into Keystone through ``slos.ossync`` using a v3 password auth.

    Args:
        cname: component name resolved through facility.get_component.
        enp: endpoint description handed to slos.ossync.endpoint_sync (shape not visible here).
    """
    self = facility.get_component(cname)
    # imported lazily: only this path needs keystoneauth1 and slos.ossync
    from keystoneauth1.identity import v3
    import slos.ossync
    # NOTE(review): the v3.Password argument list below looks truncated in this copy of the
    # file (the auth_url string runs into a stray ')' before project_name, and the
    # username/password keywords that presumably sat there are missing) — confirm against
    # the upstream source before touching it.
    auth = v3.Password(auth_url='http://*****:*****@default'), project_name='admin', user_domain_name='Default', project_domain_name='Default')
    # session object is not thread safe, using auth ;(((
    # TODO: wipe python client usage, looks like,
    # I cannot use the same token in all threads
    endpoint_override = 'http://localhost:5000/v3'
    slos.ossync.endpoint_sync(auth, enp, endpoint_override=endpoint_override)
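def do_create_clustr_user(cname):
    """Create the MariaDB ``clustercheckuser`` account with PROCESS privilege, retrying until the server is up.

    Args:
        cname: name of the component whose key-manager entry holds the
            ``clustercheckuser`` password.

    Raises:
        util.NonZeroExitCode: re-raised once the retry budget is exhausted.
    """
    self = facility.get_component(cname)
    passwd = util.get_keymgr()(self.name, 'clustercheckuser')
    # escape only for the MySQL single-quoted string literal: backslash and quote
    pwd = passwd.replace('\\', '\\\\').replace("'", r"\'")
    sql = "GRANT PROCESS ON *.* TO 'clustercheckuser'@'localhost' IDENTIFIED BY '{pwd}'".format(pwd=pwd)
    # The heredoc delimiter is quoted so the shell leaves the body alone. With the unquoted
    # form the shell expanded '$', backticks and backslashes inside the password: a backtick
    # would have been run as a command substitution, and the doubled backslash meant for
    # MySQL was collapsed back to a single one before it reached the server.
    script = "mysql -u root <<'EOF'\n{sql}\nEOF\n".format(sql=sql)
    retry = 1024  # roughly 200 s at 0.2 s per attempt, waiting for mariadb to become ready
    while True:
        try:
            localsh.run(script)
            break
        except util.NonZeroExitCode:
            if not retry:
                raise
            time.sleep(0.2)
            retry -= 1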
def do_keystone_init(cname):
    """Bootstrap keystone (``keystone-manage bootstrap``) with the ``admin@default`` password.

    Args:
        cname: name of the keystone component.
    """
    component = facility.get_component(cname)
    component.have_content()
    admin_pwd = util.get_keymgr()(component.name, 'admin@default')
    # NOTE(review): the password is passed on the command line and so is visible in the
    # process list while bootstrap runs; keystone-manage also reads OS_BOOTSTRAP_PASSWORD
    # from the environment, which would avoid that if localsh.run can pass one — confirm.
    bootstrap_cmd = "keystone-manage bootstrap --bootstrap-password %s" % cmd_quote(admin_pwd)
    localsh.run(bootstrap_cmd)
def gen_tempest_conf(self, image_ref, image_ref_alt, public_network_id, min_compute_nodes=1):
    """Return the tempest.conf content as a nested ``{section: {option: value}}`` dict.

    Args:
        image_ref: primary glance image id used by the tests.
        image_ref_alt: alternate glance image id.
        public_network_id: neutron id of the external ``public`` network.
        min_compute_nodes: number of compute nodes tempest may assume.

    Returns:
        dict ready to be rendered as tempest.conf; the ``auth`` section carries the
        admin password in clear, so the rendered file must be protected accordingly.
    """
    admin_pwd = util.get_keymgr()(self.keystone.name, 'admin@default')
    auth_url = 'http://' + conf.get_vip('public')['domain_name'] + ':35357/v3'
    service_flags = conf.get_global_config()['global_service_flags']
    # tempest service name -> the global service flag whose presence enables it
    flag_for_service = [
        ('horizon', 'horizon'),
        ('cinder', 'cinder-api'),
        ('nova', 'nova-api'),
        ('neutron', 'neutron-server'),
        ('glance', 'glance-api'),
        ('heat', 'heat-api'),
        ('ironic', 'ironic-api'),
        ('zaqar', 'zaqar'),
        ('swift', 'swift-proxy'),
    ]
    service_available = {name: flag in service_flags for name, flag in flag_for_service}
    return {
        'DEFAULT': {'debug': True, 'log_file': 'tempest.log'},
        'auth': {
            'tempest_roles': 'user',
            'admin_username': '******',
            'admin_project_name': 'admin',
            'admin_domain_name': 'Default',
            'admin_password': admin_pwd,
        },
        'compute': {
            'flavor_ref': 42,
            'flavor_ref_alt': 84,
            'image_ref': image_ref,
            'image_ref_alt': image_ref_alt,
            'min_compute_nodes': min_compute_nodes,
            'max_microversion': 'latest',
        },
        'compute-feature-enabled': {'attach_encrypted_volume': False},
        'network': {
            'floating_network_name': 'public',
            'public_network_id': public_network_id,
        },
        'scenario': {'img_dir': 'etc', 'img_file': 'cirros.img'},
        'validation': {'image_ssh_user': '******'},
        'object-storage': {'reseller_admin_role': 'admin', 'operator_role': 'user'},
        # lock files under the world-writable /tmp; a dedicated directory would be safer
        'oslo-concurrency': {'lock_path': '/tmp'},
        # img_url comes from module scope
        'image': {'image_path': img_url, 'http_image': img_url},
        'identity': {'uri': auth_url, 'uri_v3': auth_url},
        'volume': {'storage_protocol': 'ceph', 'max_microversion': 'latest'},
        'service_available': service_available,
    }
def register_user_with_schemas(self, user, schema_names):
    """Record that *user* owns each schema in *schema_names*.

    The password is looked up once from the key manager and stored alongside
    every ``(schema, user, password)`` entry in ``self.schema_registry``.
    """
    pwd = util.get_keymgr()(self.name, user)
    entries = [(schema, user, pwd) for schema in schema_names]
    self.schema_registry.extend(entries)