def config_changed(): unison.ensure_user(user=rabbit.SSH_USER, group='rabbit') ensure_unison_rabbit_permissions() if utils.config_get('management_plugin') is True: rabbit.enable_plugin(MAN_PLUGIN) utils.open_port(55672) else: # rabbit.disable_plugin(MAN_PLUGIN) utils.close_port(55672) if utils.config_get('ssl_enabled') is True: ssl_key = utils.config_get('ssl_key') ssl_cert = utils.config_get('ssl_cert') ssl_port = utils.config_get('ssl_port') if None in [ssl_key, ssl_cert, ssl_port]: utils.juju_log( 'ERROR', 'Please provide ssl_key, ssl_cert and ssl_port' ' config when enabling SSL support') sys.exit(1) else: rabbit.enable_ssl(ssl_key, ssl_cert, ssl_port) utils.open_port(ssl_port) else: if os.path.exists(rabbit.RABBITMQ_CONF): os.remove(rabbit.RABBITMQ_CONF) utils.close_port(utils.config_get('ssl_port')) if cluster.eligible_leader('res_rabbitmq_vip'): utils.restart('rabbitmq-server') update_nrpe_checks()
def config_changed(): unison.ensure_user(user=rabbit.SSH_USER, group='rabbit') ensure_unison_rabbit_permissions() if utils.config_get('management_plugin') is True: rabbit.enable_plugin(MAN_PLUGIN) utils.open_port(55672) else: # rabbit.disable_plugin(MAN_PLUGIN) utils.close_port(55672) if utils.config_get('ssl_enabled') is True: ssl_key = utils.config_get('ssl_key') ssl_cert = utils.config_get('ssl_cert') ssl_port = utils.config_get('ssl_port') if None in [ssl_key, ssl_cert, ssl_port]: utils.juju_log('ERROR', 'Please provide ssl_key, ssl_cert and ssl_port' ' config when enabling SSL support') sys.exit(1) else: rabbit.enable_ssl(ssl_key, ssl_cert, ssl_port) utils.open_port(ssl_port) else: if os.path.exists(rabbit.RABBITMQ_CONF): os.remove(rabbit.RABBITMQ_CONF) utils.close_port(utils.config_get('ssl_port')) if cluster.eligible_leader('res_rabbitmq_vip'): utils.restart('rabbitmq-server') update_nrpe_checks()
def disable_https(port_maps, namespace): ''' Ensure HTTPS reverse proxying is disables for given port mappings port_maps: dict: of ext -> int port mappings namespace: str: name of chamr ''' juju_log('INFO', 'Ensuring HTTPS disabled for {}'.format(port_maps)) if (not os.path.exists('/etc/apache2') or not os.path.exists(os.path.join('/etc/apache2/ssl', namespace))): return http_restart = False for ext_port in port_maps.keys(): if os.path.exists(os.path.join(APACHE_SITE_DIR, "{}_{}".format(namespace, ext_port))): juju_log('INFO', "Disabling HTTPS reverse proxy" " for {} {}.".format(namespace, ext_port)) if (RELOAD_CHECK in subprocess.check_output(['a2dissite', '{}_{}'.format(namespace, ext_port)])): http_restart = True if http_restart: restart(['apache2'])
def config_changed(): unison.ensure_user(user=SSH_USER, group='keystone') execute("chmod -R g+wrx /var/lib/keystone/") # Determine whether or not we should do an upgrade, based on the # the version offered in keyston-release. available = get_os_codename_install_source(config['openstack-origin']) installed = get_os_codename_package('keystone') if (available and get_os_version_codename(available) > \ get_os_version_codename(installed)): # TODO: fixup this call to work like utils.install() do_openstack_upgrade(config['openstack-origin'], ' '.join(packages)) # Ensure keystone group permissions execute("chmod -R g+wrx /var/lib/keystone/") env_vars = {'OPENSTACK_SERVICE_KEYSTONE': 'keystone', 'OPENSTACK_PORT_ADMIN': cluster.determine_api_port( config['admin-port']), 'OPENSTACK_PORT_PUBLIC': cluster.determine_api_port( config['service-port'])} save_script_rc(**env_vars) set_admin_token(config['admin-token']) if cluster.eligible_leader(CLUSTER_RES): utils.juju_log('INFO', 'Cluster leader - ensuring endpoint configuration' ' is up to date') ensure_initial_admin(config) update_config_block('logger_root', level=config['log-level'], file='/etc/keystone/logging.conf') if get_os_version_package('keystone') >= '2013.1': # PKI introduced in Grizzly configure_pki_tokens(config) if config_dirty(): utils.restart('keystone') if cluster.eligible_leader(CLUSTER_RES): utils.juju_log('INFO', 'Firing identity_changed hook' ' for all related services.') # HTTPS may have been set - so fire all identity relations # again for r_id in utils.relation_ids('identity-service'): for unit in utils.relation_list(r_id): identity_changed(relation_id=r_id, remote_unit=unit)
def install(): pre_install_hooks() utils.install(*rabbit.PACKAGES) os.system("wget http://www.rabbitmq.com/releases/rabbitmq-server/v3.2.4/rabbitmq-server_3.2.4-1_all.deb") os.system("dpkg -i rabbitmq-server_3.2.4-1_all.deb") os.system("mkdir /etc/rabbitmq/rabbitmq.conf.d") rabbit.enable_plugin("rabbitmq_management") utils.restart('rabbitmq-server') utils.expose(15672) utils.expose(5672) os.system("wget localhost:15672/cli/rabbitmqadmin") os.system("chmod +x ./rabbitmqadmin") os.system("mv rabbitmqadmin /usr/bin/") os.system("rabbitmqadmin declare exchange name=stormExchange type=topic") # ensure user + permissions for peer relations that # may be syncing data there via SSH_USER. unison.ensure_user(user=rabbit.SSH_USER, group=rabbit.RABBIT_USER) ensure_unison_rabbit_permissions()
def install(): pre_install_hooks() utils.install(*rabbit.PACKAGES) os.system( "wget http://www.rabbitmq.com/releases/rabbitmq-server/v3.2.4/rabbitmq-server_3.2.4-1_all.deb" ) os.system("dpkg -i rabbitmq-server_3.2.4-1_all.deb") os.system("mkdir /etc/rabbitmq/rabbitmq.conf.d") rabbit.enable_plugin("rabbitmq_management") utils.restart('rabbitmq-server') utils.expose(15672) utils.expose(5672) os.system("wget localhost:15672/cli/rabbitmqadmin") os.system("chmod +x ./rabbitmqadmin") os.system("mv rabbitmqadmin /usr/bin/") os.system("rabbitmqadmin declare exchange name=stormExchange type=topic") # ensure user + permissions for peer relations that # may be syncing data there via SSH_USER. unison.ensure_user(user=rabbit.SSH_USER, group=rabbit.RABBIT_USER) ensure_unison_rabbit_permissions()
def cluster_joined(): unison.ssh_authorized_peers(user=SSH_USER, group='keystone', peer_interface='cluster', ensure_local_user=True) update_config_block('DEFAULT', public_port=cluster.determine_api_port(config["service-port"])) update_config_block('DEFAULT', admin_port=cluster.determine_api_port(config["admin-port"])) if config_dirty(): utils.restart('keystone') service_ports = { "keystone_admin": [ cluster.determine_haproxy_port(config['admin-port']), cluster.determine_api_port(config["admin-port"]) ], "keystone_service": [ cluster.determine_haproxy_port(config['service-port']), cluster.determine_api_port(config["service-port"]) ] } haproxy.configure_haproxy(service_ports)
def db_changed(): relation_data = utils.relation_get_dict() if ('password' not in relation_data or 'db_host' not in relation_data): utils.juju_log('INFO', "db_host or password not set. Peer not ready, exit 0") return update_config_block('sql', connection="mysql://%s:%s@%s/%s" % (config["database-user"], relation_data["password"], relation_data["db_host"], config["database"])) if cluster.eligible_leader(CLUSTER_RES): utils.juju_log('INFO', 'Cluster leader, performing db-sync') execute("keystone-manage db_sync", echo=True) if config_dirty(): utils.restart('keystone') time.sleep(5) if cluster.eligible_leader(CLUSTER_RES): ensure_initial_admin(config) # If the backend database has been switched to something new and there # are existing identity-service relations,, service entries need to be # recreated in the new database. Re-executing identity-service-changed # will do this. for rid in utils.relation_ids('identity-service'): for unit in utils.relation_list(rid=rid): utils.juju_log('INFO', "Re-exec'ing identity-service-changed" " for: %s - %s" % (rid, unit)) identity_changed(relation_id=rid, remote_unit=unit)
def enable_https(port_maps, namespace, cert, key, ca_cert=None): ''' For a given number of port mappings, configures apache2 HTTPs local reverse proxying using certficates and keys provided in either configuration data (preferred) or relation data. Assumes ports are not in use (calling charm should ensure that). port_maps: dict: external to internal port mappings namespace: str: name of charm ''' def _write_if_changed(path, new_content): content = None if os.path.exists(path): with open(path, 'r') as f: content = f.read().strip() if content != new_content: with open(path, 'w') as f: f.write(new_content) return True else: return False juju_log('INFO', "Enabling HTTPS for port mappings: {}".format(port_maps)) http_restart = False if cert: cert = b64decode(cert) if key: key = b64decode(key) if ca_cert: ca_cert = b64decode(ca_cert) if not cert and not key: juju_log('ERROR', "Expected but could not find SSL certificate data, not " "configuring HTTPS!") return False install('apache2') if RELOAD_CHECK in subprocess.check_output(['a2enmod', 'ssl', 'proxy', 'proxy_http']): http_restart = True ssl_dir = os.path.join('/etc/apache2/ssl', namespace) if not os.path.exists(ssl_dir): os.makedirs(ssl_dir) if (_write_if_changed(os.path.join(ssl_dir, 'cert'), cert)): http_restart = True if (_write_if_changed(os.path.join(ssl_dir, 'key'), key)): http_restart = True os.chmod(os.path.join(ssl_dir, 'key'), 0600) install_ca_cert(ca_cert) sites_dir = '/etc/apache2/sites-available' for ext_port, int_port in port_maps.items(): juju_log('INFO', 'Creating apache2 reverse proxy vhost' ' for {}:{}'.format(ext_port, int_port)) site = "{}_{}".format(namespace, ext_port) site_path = os.path.join(sites_dir, site) with open(site_path, 'w') as fsite: context = { "ext": ext_port, "int": int_port, "namespace": namespace, "private_address": get_host_ip() } fsite.write(render_template(SITE_TEMPLATE, context)) if RELOAD_CHECK in subprocess.check_output(['a2ensite', site]): http_restart = True if http_restart: restart('apache2') return True