def config_changed_postupgrade():
# Ensure ssl dir exists and is unison-accessible
ensure_ssl_dir()
if not snap_install_requested():
check_call(['chmod', '-R', 'g+wrx', '/var/lib/keystone/'])
ensure_ssl_dirs()
save_script_rc()
release = os_release('keystone')
if run_in_apache(release=release):
# Need to ensure mod_wsgi is installed and apache2 is reloaded
# immediatly as charm querys its local keystone before restart
# decorator can fire
apt_install(filter_installed_packages(determine_packages()))
# when deployed from source, init scripts aren't installed
service_pause('keystone')
disable_unused_apache_sites()
if WSGI_KEYSTONE_API_CONF in CONFIGS.templates:
CONFIGS.write(WSGI_KEYSTONE_API_CONF)
if not is_unit_paused_set():
restart_pid_check('apache2')
if enable_memcache(release=release):
# If charm or OpenStack have been upgraded then the list of required
# packages may have changed so ensure they are installed.
apt_install(filter_installed_packages(determine_packages()))
configure_https()
open_port(config('service-port'))
update_nrpe_config()
CONFIGS.write_all()
if snap_install_requested() and not is_unit_paused_set():
service_restart('snap.keystone.*')
initialise_pki()
update_all_identity_relation_units()
update_all_domain_backends()
update_all_fid_backends()
# Ensure sync request is sent out (needed for any/all ssl change)
send_ssl_sync_request()
for r_id in relation_ids('ha'):
ha_joined(relation_id=r_id)
def install():
status_set('maintenance', 'Executing pre-install')
execd_preinstall()
configure_installation_source(config('openstack-origin'))
status_set('maintenance', 'Installing apt packages')
apt_update()
apt_install(determine_packages(), fatal=True)
if snap_install_requested():
status_set('maintenance', 'Installing keystone snap')
# NOTE(thedac) Setting devmode until LP#1719636 is fixed
install_os_snaps(
get_snaps_install_info_from_origin(
['keystone'],
config('openstack-origin'),
mode='devmode'))
post_snap_install()
service_stop('snap.keystone.*')
else:
# unconfigured keystone service will prevent start of haproxy in some
# circumstances. make sure haproxy runs. LP #1648396
service_stop('keystone')
service_start('haproxy')
if run_in_apache():
disable_unused_apache_sites()
service_pause('keystone')
def install(self):
"""Install packages or snaps related to this charm based on
contents of self.packages or self.snaps attribute.
"""
packages = fetch.filter_installed_packages(
self.all_packages)
if packages:
hookenv.status_set('maintenance', 'Installing packages')
fetch.apt_install(packages, fatal=True)
if os_utils.snap_install_requested():
if self.all_snaps:
hookenv.status_set('maintenance', 'Installing snaps')
os_utils.install_os_snaps(
os_utils.get_snaps_install_info_from_origin(
self.all_snaps,
self.config['openstack-origin'],
mode=self.snap_mode)
)
# AJK: we set this as charms can use it to detect installed state
self.set_state('{}-installed'.format(self.name))
self.update_api_ports()
hookenv.status_set('maintenance',
'Installation complete - awaiting next status')
def initialise_pki():
"""Create certs and keys required for token signing.
Used for PKI and signing token revocation list.
NOTE: keystone.conf [signing] section must be up-to-date prior to
executing this.
"""
if CompareOpenStackReleases(os_release('keystone-common')) >= 'pike':
# pike dropped support for PKI token; skip function
return
ensure_pki_cert_paths()
if not peer_units() or is_ssl_cert_master():
log("Ensuring PKI token certs created", level=DEBUG)
if snap_install_requested():
cmd = ['/snap/bin/keystone-manage', 'pki_setup',
'--keystone-user', KEYSTONE_USER,
'--keystone-group', KEYSTONE_USER]
_log_dir = '/var/snap/keystone/common/log'
else:
cmd = ['keystone-manage', 'pki_setup',
'--keystone-user', KEYSTONE_USER,
'--keystone-group', KEYSTONE_USER]
_log_dir = '/var/log/keystone'
check_call(cmd)
# Ensure logfile has keystone perms since we may have just created it
# with root.
ensure_permissions(_log_dir, user=KEYSTONE_USER,
group=KEYSTONE_USER, perms=0o744)
ensure_permissions('{}/keystone.log'.format(_log_dir),
user=KEYSTONE_USER, group=KEYSTONE_USER,
perms=0o644)
ensure_pki_dir_permissions()
def configure_cert(self, cert, key, cn=None):
"""Configure service SSL cert and key
Write out service SSL certificate and key for Apache.
@param cert string SSL Certificate
@param key string SSL Key
@param cn string Canonical name for service
"""
if os_utils.snap_install_requested():
ssl_dir = '/var/snap/{snap_name}/common/etc/nginx/ssl'.format(
snap_name=self.primary_snap)
else:
ssl_dir = os.path.join('/etc/apache2/ssl/', self.name)
if not cn:
cn = self.get_default_cn()
ch_host.mkdir(path=ssl_dir)
if cn:
cert_filename = 'cert_{}'.format(cn)
key_filename = 'key_{}'.format(cn)
else:
cert_filename = 'cert'
key_filename = 'key'
ch_host.write_file(path=os.path.join(ssl_dir, cert_filename),
content=cert.encode('utf-8'), group=self.group,
perms=0o640)
ch_host.write_file(path=os.path.join(ssl_dir, key_filename),
content=key.encode('utf-8'), group=self.group,
perms=0o640)
def configure_ssl(self, keystone_interface=None):
"""Configure SSL certificates and keys
NOTE(AJK): This function tries to minimise the work it does,
particularly with writing files and restarting apache.
@param keystone_interface KeystoneRequires class
"""
keystone_interface = (
relations.endpoint_from_flag('identity-service.available.ssl')
or relations.endpoint_from_flag(
'identity-service.available.ssl_legacy'))
ssl_objects = self.get_certs_and_keys(
keystone_interface=keystone_interface)
with is_data_changed('configure_ssl.ssl_objects',
ssl_objects) as changed:
if ssl_objects:
if changed:
for ssl in ssl_objects:
self.set_state('ssl.requested', True)
self.configure_cert(ssl['cert'],
ssl['key'],
cn=ssl['cn'])
self.configure_ca(ssl['ca'])
if not os_utils.snap_install_requested():
self.configure_apache()
self.remove_state('ssl.requested')
self.set_state('ssl.enabled', True)
else:
self.set_state('ssl.enabled', False)
amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl')
if amqp_ssl:
self.configure_rabbit_cert(amqp_ssl)
def configure_cert(self, cert, key, cn=None):
"""Configure service SSL cert and key
Write out service SSL certificate and key for Apache.
@param cert string SSL Certificate
@param key string SSL Key
@param cn string Canonical name for service
"""
if os_utils.snap_install_requested():
ssl_dir = '/var/snap/{snap_name}/common/etc/nginx/ssl'.format(
snap_name=self.primary_snap)
else:
ssl_dir = os.path.join('/etc/apache2/ssl/', self.name)
if not cn:
cn = self.get_default_cn()
ch_host.mkdir(path=ssl_dir)
if cn:
cert_filename = 'cert_{}'.format(cn)
key_filename = 'key_{}'.format(cn)
else:
cert_filename = 'cert'
key_filename = 'key'
ch_host.write_file(path=os.path.join(ssl_dir, cert_filename),
content=cert.encode('utf-8'))
ch_host.write_file(path=os.path.join(ssl_dir, key_filename),
content=key.encode('utf-8'))
def install():
status_set('maintenance', 'Executing pre-install')
execd_preinstall()
configure_installation_source(config('openstack-origin'))
status_set('maintenance', 'Installing apt packages')
apt_update()
apt_install(determine_packages(), fatal=True)
if snap_install_requested():
status_set('maintenance', 'Installing keystone snap')
# NOTE(thedac) Setting devmode until LP#1719636 is fixed
install_os_snaps(
get_snaps_install_info_from_origin(['keystone'],
config('openstack-origin'),
mode='devmode'))
post_snap_install()
service_stop('snap.keystone.*')
else:
# unconfigured keystone service will prevent start of haproxy in some
# circumstances. make sure haproxy runs. LP #1648396
service_stop('keystone')
service_start('haproxy')
if run_in_apache():
disable_unused_apache_sites()
service_pause('keystone')
# call the policy overrides handler which will install any policy overrides
maybe_do_policyd_overrides(
os_release('keystone'),
'keystone',
restart_handler=lambda: service_restart('apache2'))
def install():
status_set('maintenance', 'Executing pre-install')
execd_preinstall()
configure_installation_source(config('openstack-origin'))
status_set('maintenance', 'Installing apt packages')
apt_update()
apt_install(determine_packages(), fatal=True)
if snap_install_requested():
status_set('maintenance', 'Installing keystone snap')
# NOTE(thedac) Setting devmode until LP#1719636 is fixed
install_os_snaps(
get_snaps_install_info_from_origin(['keystone'],
config('openstack-origin'),
mode='devmode'))
post_snap_install()
service_stop('snap.keystone.*')
else:
# unconfigured keystone service will prevent start of haproxy in some
# circumstances. make sure haproxy runs. LP #1648396
service_stop('keystone')
service_start('haproxy')
if run_in_apache():
disable_unused_apache_sites()
service_pause('keystone')
unison.ensure_user(user=SSH_USER, group=SSH_USER)
unison.ensure_user(user=SSH_USER, group=KEYSTONE_USER)
def do_openstack_pkg_upgrade(self):
"""Upgrade OpenStack packages and snaps
:returns: None
"""
new_src = self.config[self.source_config_key]
new_os_rel = os_utils.get_os_codename_install_source(new_src)
hookenv.log('Performing OpenStack upgrade to %s.' % (new_os_rel))
# TODO(jamespage): Deal with deb->snap->deb migrations
if os_utils.snap_install_requested() and self.all_snaps:
os_utils.install_os_snaps(
snaps=os_utils.get_snaps_install_info_from_origin(
self.all_snaps,
self.config[self.source_config_key],
mode=self.snap_mode),
refresh=True)
os_utils.configure_installation_source(new_src)
fetch.apt_update()
dpkg_opts = [
'--option',
'Dpkg::Options::=--force-confnew',
'--option',
'Dpkg::Options::=--force-confdef',
]
fetch.apt_upgrade(options=dpkg_opts, fatal=True, dist=True)
fetch.apt_install(packages=self.all_packages,
options=dpkg_opts,
fatal=True)
self.remove_obsolete_packages()
self.release = new_os_rel
def domain_backend_changed(relation_id=None, unit=None):
if get_api_version() < 3:
log('Domain specific backend identity configuration only supported '
'with Keystone v3 API, skipping domain creation and '
'restart.')
return
domain_name = relation_get(attribute='domain-name',
unit=unit,
rid=relation_id)
if domain_name:
# NOTE(jamespage): Only create domain data from lead
# unit when clustered and database
# is configured and created.
if is_leader() and is_db_ready() and is_db_initialised():
create_or_show_domain(domain_name)
# NOTE(jamespage): Deployment may have multiple domains,
# with different identity backends so
# ensure that a domain specific nonce
# is checked for restarts of keystone
restart_nonce = relation_get(attribute='restart-nonce',
unit=unit,
rid=relation_id)
domain_nonce_key = 'domain-restart-nonce-{}'.format(domain_name)
db = unitdata.kv()
if restart_nonce != db.get(domain_nonce_key):
if not is_unit_paused_set():
if snap_install_requested():
service_restart('snap.keystone.*')
else:
service_restart(keystone_service())
db.set(domain_nonce_key, restart_nonce)
db.flush()
def configure_tls(self, certificates_interface=None):
"""Configure TLS certificates and keys
NOTE(AJK): This function tries to minimise the work it does,
particularly with writing files and restarting apache.
:param certificates_interface: certificates relation endpoint
:type certificates_interface: TlsRequires(Endpoint) object
"""
# this takes care of writing out the CA certificate
tls_objects = super().configure_tls(
certificates_interface=certificates_interface)
with is_data_changed(
'configure_ssl.ssl_objects', tls_objects) as changed:
if tls_objects:
# NOTE(fnordahl): regardless of changes to data we may
# have other changes we want to apply to the files.
# (e.g. ownership, permissions)
#
# Also note that c-h.host.write_file used in configure_cert()
# has it's own logic to detect data changes.
#
# LP: #1821314
for tls_object in tls_objects:
self.set_state('ssl.requested', True)
if os_utils.snap_install_requested():
path = ('/var/snap/{snap_name}/common/etc/nginx/ssl'
.format(snap_name=self.primary_snap))
else:
path = os.path.join('/etc/apache2/ssl/', self.name)
self.configure_cert(
path,
tls_object['cert'],
tls_object['key'],
cn=tls_object['cn'])
cert_utils.create_ip_cert_links(
os.path.join('/etc/apache2/ssl/', self.name))
if not os_utils.snap_install_requested() and changed:
self.configure_apache()
ch_host.service_reload('apache2')
self.remove_state('ssl.requested')
self.set_state('ssl.enabled', True)
else:
self.set_state('ssl.enabled', False)
def nginx_ssl_enabled(self):
"""Determine if nginx is being used
@return True if nginx is being used"""
if os_utils.snap_install_requested():
return (self.get_state('ssl.enabled') or
self.get_state('ssl.requested'))
else:
return False
def nginx_ssl_enabled(self):
"""Determine if nginx is being used
@return True if nginx is being used"""
if os_utils.snap_install_requested():
return (self.get_state('ssl.enabled') or
self.get_state('ssl.requested'))
else:
return False
def config_changed_postupgrade():
save_script_rc()
release = os_release('keystone')
if run_in_apache(release=release):
# Need to ensure mod_wsgi is installed and apache2 is reloaded
# immediatly as charm querys its local keystone before restart
# decorator can fire
apt_install(filter_installed_packages(determine_packages()))
# when deployed from source, init scripts aren't installed
service_pause('keystone')
disable_unused_apache_sites()
if WSGI_KEYSTONE_API_CONF in CONFIGS.templates:
CONFIGS.write(WSGI_KEYSTONE_API_CONF)
if not is_unit_paused_set():
restart_pid_check('apache2')
stop_manager_instance()
if enable_memcache(release=release):
# If charm or OpenStack have been upgraded then the list of required
# packages may have changed so ensure they are installed.
apt_install(filter_installed_packages(determine_packages()))
if is_leader() and fernet_enabled():
key_setup()
key_leader_set()
configure_https()
open_port(config('service-port'))
update_nrpe_config()
CONFIGS.write_all()
if snap_install_requested() and not is_unit_paused_set():
service_restart('snap.keystone.*')
stop_manager_instance()
if (is_db_initialised() and is_elected_leader(CLUSTER_RES) and not
is_unit_paused_set()):
ensure_initial_admin(config)
if CompareOpenStackReleases(
os_release('keystone')) >= 'liberty':
CONFIGS.write(POLICY_JSON)
update_all_identity_relation_units()
update_all_domain_backends()
update_all_fid_backends()
for r_id in relation_ids('ha'):
ha_joined(relation_id=r_id)
notify_middleware_with_release_version()
inform_peers_if_ready(check_api_unit_ready)
def enable_apache_modules(self):
"""Enable Apache modules needed for SSL termination"""
if os_utils.snap_install_requested():
return
restart = False
for module in ['ssl', 'proxy', 'proxy_http', 'headers']:
check_enabled = subprocess.call(['a2query', '-m', module])
if check_enabled != 0:
subprocess.check_call(['a2enmod', module])
restart = True
if restart:
ch_host.service_restart('apache2')
def all_packages(self):
"""List of packages to be installed
@return ['pkg1', 'pkg2', ...]
"""
_packages = super(HAOpenStackCharm, self).all_packages
if self.haproxy_enabled():
_packages.append('haproxy')
if not os_utils.snap_install_requested():
if self.apache_enabled():
_packages.append('apache2')
return _packages
def config_changed_postupgrade():
save_script_rc()
release = os_release('keystone')
if run_in_apache(release=release):
# Need to ensure mod_wsgi is installed and apache2 is reloaded
# immediatly as charm querys its local keystone before restart
# decorator can fire
apt_install(filter_installed_packages(determine_packages()))
# when deployed from source, init scripts aren't installed
service_pause('keystone')
disable_unused_apache_sites()
if WSGI_KEYSTONE_API_CONF in CONFIGS.templates:
CONFIGS.write(WSGI_KEYSTONE_API_CONF)
if not is_unit_paused_set():
restart_pid_check('apache2')
stop_manager_instance()
if enable_memcache(release=release):
# If charm or OpenStack have been upgraded then the list of required
# packages may have changed so ensure they are installed.
apt_install(filter_installed_packages(determine_packages()))
if is_leader() and fernet_enabled():
key_setup()
key_leader_set()
configure_https()
open_port(config('service-port'))
update_nrpe_config()
CONFIGS.write_all()
if snap_install_requested() and not is_unit_paused_set():
service_restart('snap.keystone.*')
stop_manager_instance()
if (is_db_initialised() and is_elected_leader(CLUSTER_RES) and not
is_unit_paused_set()):
ensure_initial_admin(config)
if CompareOpenStackReleases(
os_release('keystone')) >= 'liberty':
CONFIGS.write(POLICY_JSON)
update_all_identity_relation_units()
update_all_domain_backends()
update_all_fid_backends()
for r_id in relation_ids('ha'):
ha_joined(relation_id=r_id)
notify_middleware_with_release_version()
def all_packages(self):
"""List of packages to be installed
@return ['pkg1', 'pkg2', ...]
"""
_packages = super(HAOpenStackCharm, self).all_packages
if self.haproxy_enabled():
_packages.append('haproxy')
if not os_utils.snap_install_requested():
if self.apache_enabled():
_packages.append('apache2')
return _packages
def enable_apache_modules(self):
"""Enable Apache modules needed for SSL termination"""
if os_utils.snap_install_requested():
return
restart = False
for module in ['ssl', 'proxy', 'proxy_http', 'headers']:
check_enabled = subprocess.call(['a2query', '-m', module])
if check_enabled != 0:
subprocess.check_call(['a2enmod', module])
restart = True
if restart:
ch_host.service_restart('apache2')
def install_snap_certs(self):
"""Install systems CA certificates for a snap
Installs the aggregated host system ca-certificates.crt into
$SNAP_COMMON/etc/ssl/certs for services running within a sandboxed
snap to consume.
Snaps should set the REQUESTS_CA_BUNDLE environment variable to
ensure requests based API calls use the updated system certs.
"""
if (os_utils.snap_install_requested() and
os.path.exists(SYSTEM_CA_CERTS)):
ca_certs = SNAP_CA_CERTS.format(self.primary_snap)
ch_host.mkdir(os.path.dirname(ca_certs))
shutil.copyfile(SYSTEM_CA_CERTS, ca_certs)
def install_snap_certs(self):
"""Install systems CA certificates for a snap
Installs the aggregated host system ca-certificates.crt into
$SNAP_COMMON/etc/ssl/certs for services running within a sandboxed
snap to consume.
Snaps should set the REQUESTS_CA_BUNDLE environment variable to
ensure requests based API calls use the updated system certs.
"""
if (os_utils.snap_install_requested() and
os.path.exists(SYSTEM_CA_CERTS)):
ca_certs = SNAP_CA_CERTS.format(self.primary_snap)
ch_host.mkdir(os.path.dirname(ca_certs))
shutil.copyfile(SYSTEM_CA_CERTS, ca_certs)
def default_select_package_type():
"""Determine the package type (snap or deb) based on the
openstack-origin setting.
Note that this function caches the package type after the first
install so that it doesn't need to keep going and getting it from
the config information.
"""
package_type = unitdata.kv().get(OPENSTACK_PACKAGE_TYPE_KEY, None)
if package_type is None:
if os_utils.snap_install_requested():
package_type = 'snap'
else:
package_type = 'deb'
unitdata.kv().set(OPENSTACK_PACKAGE_TYPE_KEY, package_type)
return package_type
def default_select_package_type():
"""Determine the package type (snap or deb) based on the
configuration option indicated in the source_config_key
class variable. (deafult: 'openstack-origin')
Note that this function caches the package type after the first
install so that it doesn't need to keep going and getting it from
the config information.
"""
package_type = unitdata.kv().get(OPENSTACK_PACKAGE_TYPE_KEY, None)
if package_type is None:
if os_utils.snap_install_requested():
package_type = 'snap'
else:
package_type = 'deb'
unitdata.kv().set(OPENSTACK_PACKAGE_TYPE_KEY, package_type)
return package_type
def configure_ssl(self, keystone_interface=None):
"""Configure SSL certificates and keys
NOTE(AJK): This function tries to minimise the work it does,
particularly with writing files and restarting apache.
@param keystone_interface KeystoneRequires class
"""
keystone_interface = (
relations.endpoint_from_flag('identity-service.available.ssl') or
relations
.endpoint_from_flag('identity-service.available.ssl_legacy'))
certificates_interface = relations.endpoint_from_flag(
'certificates.batch.cert.available')
ssl_objects = self.get_certs_and_keys(
keystone_interface=keystone_interface,
certificates_interface=certificates_interface)
with is_data_changed('configure_ssl.ssl_objects',
ssl_objects) as changed:
if ssl_objects:
# NOTE(fnordahl): regardless of changes to data we may
# have other changes we want to apply to the files.
# (e.g. ownership, permissions)
#
# Also note that c-h.host.write_file used in configure_cert()
# has it's own logic to detect data changes.
#
# LP: #1821314
for ssl in ssl_objects:
self.set_state('ssl.requested', True)
self.configure_cert(
ssl['cert'], ssl['key'], cn=ssl['cn'])
self.configure_ca(ssl['ca'])
cert_utils.create_ip_cert_links(
os.path.join('/etc/apache2/ssl/', self.name))
if not os_utils.snap_install_requested() and changed:
self.configure_apache()
ch_host.service_reload('apache2')
self.remove_state('ssl.requested')
self.set_state('ssl.enabled', True)
else:
self.set_state('ssl.enabled', False)
amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl')
if amqp_ssl:
self.configure_rabbit_cert(amqp_ssl)
def configure_ssl(self, keystone_interface=None):
"""Configure SSL certificates and keys
NOTE(AJK): This function tries to minimise the work it does,
particularly with writing files and restarting apache.
@param keystone_interface KeystoneRequires class
"""
keystone_interface = (
relations.endpoint_from_flag('identity-service.available.ssl')
or relations.endpoint_from_flag(
'identity-service.available.ssl_legacy'))
certificates_interface = relations.endpoint_from_flag(
'certificates.batch.cert.available')
ssl_objects = self.get_certs_and_keys(
keystone_interface=keystone_interface,
certificates_interface=certificates_interface)
with is_data_changed('configure_ssl.ssl_objects',
ssl_objects) as changed:
if ssl_objects:
# NOTE(fnordahl): regardless of changes to data we may
# have other changes we want to apply to the files.
# (e.g. ownership, permissions)
#
# Also note that c-h.host.write_file used in configure_cert()
# has it's own logic to detect data changes.
#
# LP: #1821314
for ssl in ssl_objects:
self.set_state('ssl.requested', True)
self.configure_cert(ssl['cert'], ssl['key'], cn=ssl['cn'])
self.configure_ca(ssl['ca'])
cert_utils.create_ip_cert_links(
os.path.join('/etc/apache2/ssl/', self.name))
if not os_utils.snap_install_requested() and changed:
self.configure_apache()
ch_host.service_reload('apache2')
self.remove_state('ssl.requested')
self.set_state('ssl.enabled', True)
else:
self.set_state('ssl.enabled', False)
amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl')
if amqp_ssl:
self.configure_rabbit_cert(amqp_ssl)
def configure_https():
'''
Enables SSL API Apache config if appropriate and kicks identity-service
with any required api updates.
'''
# need to write all to ensure changes to the entire request pipeline
# propagate (c-api, haprxy, apache)
CONFIGS.write_all()
# NOTE (thedac): When using snaps, nginx is installed, skip any apache2
# config.
if snap_install_requested():
return
if 'https' in CONFIGS.complete_contexts():
cmd = ['a2ensite', 'openstack_https_frontend']
check_call(cmd)
else:
cmd = ['a2dissite', 'openstack_https_frontend']
check_call(cmd)
def configure_https():
'''
Enables SSL API Apache config if appropriate and kicks identity-service
with any required api updates.
'''
# need to write all to ensure changes to the entire request pipeline
# propagate (c-api, haprxy, apache)
CONFIGS.write_all()
# NOTE (thedac): When using snaps, nginx is installed, skip any apache2
# config.
if snap_install_requested():
return
if 'https' in CONFIGS.complete_contexts():
cmd = ['a2ensite', 'openstack_https_frontend']
check_call(cmd)
else:
cmd = ['a2dissite', 'openstack_https_frontend']
check_call(cmd)
def full_restart_map(self):
"""Map of services to be restarted if a file changes
@return {
'file1': ['svc1', 'svc3'],
'file2': ['svc2', 'svc3'],
...
}
"""
_restart_map = super(HAOpenStackCharm, self).full_restart_map
if self.haproxy_enabled():
_restart_map[self.HAPROXY_CONF] = ['haproxy']
if os_utils.snap_install_requested():
# TODO(coreycb): add nginx config/service for ssl vhost
pass
else:
if self.apache_enabled():
_restart_map[self.apache_ssl_vhost_file] = ['apache2']
return _restart_map
def get_os_version_snap(self, snap, fatal=True):
"""Derive OpenStack version number from an installed snap.
:param package: str Snap name to lookup in snap list
:param fatal: bool Raise exception if snap not installed
:returns: str OpenStack version number corresponding to snap
"""
if os_utils.snap_install_requested():
codename = self.get_os_codename_snap(snap,
self.snap_codenames,
fatal=fatal)
if not codename:
return None
for version, cname in os_utils.OPENSTACK_CODENAMES.items():
if cname == codename:
return version
return None
def application_version(self):
"""Return the current version of the application being deployed by
the charm, as indicated by the version_package or version_snap
attribute
"""
if os_utils.snap_install_requested():
if not self.version_snap:
self.version_snap = self.snaps[0]
version = get_snap_version(self.version_snap, fatal=False)
if not version:
version = os_utils.get_os_codename_install_source(
self.config['openstack-origin'])
else:
if not self.version_package:
self.version_package = self.packages[0]
version = get_upstream_version(self.version_package)
if not version:
version = os_utils.os_release(self.version_package)
return version
def get_os_version_package(self, package, fatal=True):
"""Derive OpenStack version number from an installed package.
:param package: str Package name to lookup in apt cache
:param fatal: bool Raise exception if pkg not installed
:returns: str OpenStack version number corresponding to package
"""
if not os_utils.snap_install_requested():
codename = self.get_os_codename_package(
package, self.package_codenames or os_utils.PACKAGE_CODENAMES,
fatal=fatal)
if not codename:
return None
for version, cname in os_utils.OPENSTACK_CODENAMES.items():
if cname == codename:
return version
return None
def full_restart_map(self):
"""Map of services to be restarted if a file changes
@return {
'file1': ['svc1', 'svc3'],
'file2': ['svc2', 'svc3'],
...
}
"""
_restart_map = super(HAOpenStackCharm, self).full_restart_map
if self.haproxy_enabled():
_restart_map[self.HAPROXY_CONF] = ['haproxy']
if os_utils.snap_install_requested():
# TODO(coreycb): add nginx config/service for ssl vhost
pass
else:
if self.apache_enabled():
_restart_map[self.apache_ssl_vhost_file] = ['apache2']
return _restart_map
def openstack_upgrade_available(self, package=None, snap=None):
"""Check if an OpenStack upgrade is available
:param package: str Package name to use to check upgrade availability
:returns: bool
"""
if not package:
package = self.release_pkg
if not snap:
snap = self.release_snap
src = self.config[self.source_config_key]
cur_vers = self.get_os_version_package(package)
avail_vers = os_utils.get_os_version_install_source(src)
if os_utils.snap_install_requested():
cur_vers = self.get_os_version_snap(snap)
else:
cur_vers = self.get_os_version_package(package)
apt.init()
return apt.version_compare(avail_vers, cur_vers) == 1
def configure_ssl(self, keystone_interface=None):
"""Configure SSL certificates and keys
NOTE(AJK): This function tries to minimise the work it does,
particularly with writing files and restarting apache.
@param keystone_interface KeystoneRequires class
"""
keystone_interface = (
relations.endpoint_from_flag('identity-service.available.ssl') or
relations
.endpoint_from_flag('identity-service.available.ssl_legacy'))
certificates_interface = relations.endpoint_from_flag(
'certificates.batch.cert.available')
ssl_objects = self.get_certs_and_keys(
keystone_interface=keystone_interface,
certificates_interface=certificates_interface)
with is_data_changed('configure_ssl.ssl_objects',
ssl_objects) as changed:
if ssl_objects:
if changed:
for ssl in ssl_objects:
self.set_state('ssl.requested', True)
self.configure_cert(
ssl['cert'], ssl['key'], cn=ssl['cn'])
self.configure_ca(ssl['ca'])
cert_utils.create_ip_cert_links(
os.path.join('/etc/apache2/ssl/', self.name))
if not os_utils.snap_install_requested():
self.configure_apache()
ch_host.service_reload('apache2')
self.remove_state('ssl.requested')
self.set_state('ssl.enabled', True)
else:
self.set_state('ssl.enabled', False)
amqp_ssl = relations.endpoint_from_flag('amqp.available.ssl')
if amqp_ssl:
self.configure_rabbit_cert(amqp_ssl)
def application_version(self):
"""Return the current version of the application being deployed by
the charm, as indicated by the version_package or version_snap
attribute
"""
if os_utils.snap_install_requested():
if not self.version_snap:
self.version_snap = self.snaps[0]
version = get_snap_version(self.version_snap,
fatal=False)
if not version:
version = os_utils.get_os_codename_install_source(
self.config[self.source_config_key]
)
else:
if not self.version_package:
self.version_package = self.packages[0]
version = get_upstream_version(
self.version_package
)
if not version:
version = os_utils.os_release(self.version_package)
return version
def log_config(config):
if ch_utils.snap_install_requested():
return os.path.join(SNAP_PREFIX,
'log/gnocchi-api.log')
else:
return '/var/log/gnocchi/gnocchi-api.log'
def ceph_config(config):
if ch_utils.snap_install_requested():
return CEPH_CONF_SNAP
else:
return CEPH_CONF
