openstack/charm-ceph-radosgw
Code Issues Proposed changes
2858f1b02d
charm-ceph-radosgw/hooks/utils.py
James Page 2858f1b02d Switch to using systemd units for radosgw 
Switch to using systemd configurations to manage radosgw instances;
the radosgw init script is obsolete and will be removed at some
point in time, and the newer style of managing radosgw daemons is
inline with current best-practice.

This changeset also changes the way cephx keys are issues; before
all rgw instances shared a key, now a key is issued per host.

The key is named 'rgw.`hostname`' to identify the application
and host using the key.

Existing deployments using the radosgw init script will be switched
to use the new systemd named units; this occurs once the new key
for the unit has been presented by the ceph-mon cluster over the
mon relation. A small period of outage will occur as the radosgw
init based daemon is stopped and disabled prior to the start of
the new systemd based radosgw unit.

This commit also includes a resync for charmhelpers to pickup
support for '@' in NRPE service check names.

Change-Id: Ic0d634e619185931633712cb3e3685051a28749d
Depends-On: I289b75a2935184817b424c5eceead16235c3f53b
Closes-Bug: 1808140
2019-01-24 13:04:52 +00:00

596 lines
20 KiB
Python
Raw Blame History

# Copyright 2016 Canonical Ltd
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import os
import re
import socket
import subprocess
import sys
from collections import OrderedDict
from copy import deepcopy
import ceph_radosgw_context
from charmhelpers.core.hookenv import (
log,
DEBUG,
ERROR,
INFO,
relation_get,
relation_ids,
related_units,
application_version_set,
)
from charmhelpers.contrib.network.ip import (
format_ipv6_addr,
is_ipv6,
)
from charmhelpers.contrib.openstack import (
context,
templating,
)
from charmhelpers.contrib.openstack.utils import (
make_assess_status_func,
pause_unit,
resume_unit,
)
from charmhelpers.contrib.openstack.keystone import (
format_endpoint,
)
from charmhelpers.contrib.hahelpers.cluster import (
get_hacluster_config,
https,
)
from charmhelpers.core.host import (
cmp_pkgrevno,
lsb_release,
mkdir,
CompareHostReleases,
init_is_systemd,
)
from charmhelpers.fetch import (
apt_cache,
apt_install,
apt_update,
add_source,
filter_installed_packages,
get_upstream_version,
)
# NOTE: some packages are installed by the charm so may not be available
# yet. Calls that depend on them should be aware of this (and use the
# defer_if_unavailable() decorator).
try:
import keystoneclient
from keystoneclient.v2_0 import client
from keystoneclient.v3 import client as client_v3
try:
# Kilo and newer
from keystoneclient.exceptions import (
ConnectionRefused,
Forbidden,
InternalServerError,
)
except ImportError:
# Juno and older
from keystoneclient.exceptions import (
ConnectionError as ConnectionRefused,
Forbidden,
InternalServerError,
)
except ImportError:
keystoneclient = None
# This is installed as a dep of python-keystoneclient
try:
import requests
except ImportError:
requests = None
# The interface is said to be satisfied if anyone of the interfaces in the
# list has a complete context.
REQUIRED_INTERFACES = {
'mon': ['ceph-radosgw'],
}
CEPHRG_HA_RES = 'grp_cephrg_vips'
TEMPLATES_DIR = 'templates'
TEMPLATES = 'templates/'
HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
CEPH_CONF = '/etc/ceph/ceph.conf'
VERSION_PACKAGE = 'radosgw'
UNUSED_APACHE_SITE_FILES = ["/etc/apache2/sites-available/000-default.conf"]
APACHE_PORTS_FILE = "/etc/apache2/ports.conf"
APACHE_SITE_CONF = '/etc/apache2/sites-available/openstack_https_frontend'
APACHE_SITE_24_CONF = '/etc/apache2/sites-available/' \
'openstack_https_frontend.conf'
BASE_RESOURCE_MAP = OrderedDict([
(HAPROXY_CONF, {
'contexts': [context.HAProxyContext(singlenode_mode=True),
ceph_radosgw_context.HAProxyContext()],
'services': ['haproxy'],
}),
(CEPH_CONF, {
'contexts': [ceph_radosgw_context.MonContext()],
'services': [],
}),
(APACHE_SITE_CONF, {
'contexts': [ceph_radosgw_context.ApacheSSLContext()],
'services': ['apache2'],
}),
(APACHE_SITE_24_CONF, {
'contexts': [ceph_radosgw_context.ApacheSSLContext()],
'services': ['apache2'],
}),
])
class KSCertSetupException(BaseException):
"""Keystone SSL Certificate Setup Exception.
This exception should be raised if any part of cert setup fails.
"""
pass
def resource_map():
"""Dynamically generate a map of resources.
These will be managed for a single hook execution.
"""
resource_map = deepcopy(BASE_RESOURCE_MAP)
if not https():
resource_map.pop(APACHE_SITE_CONF)
resource_map.pop(APACHE_SITE_24_CONF)
else:
if os.path.exists('/etc/apache2/conf-available'):
resource_map.pop(APACHE_SITE_CONF)
else:
resource_map.pop(APACHE_SITE_24_CONF)
resource_map[CEPH_CONF]['services'] = [service_name()]
return resource_map
def restart_map():
return OrderedDict([(cfg, v['services'])
for cfg, v in resource_map().items()
if v['services']])
# Hardcoded to icehouse to enable use of charmhelper templating/context tools
# Ideally these function would support non-OpenStack services
def register_configs(release='icehouse'):
configs = templating.OSConfigRenderer(templates_dir=TEMPLATES,
openstack_release=release)
CONFIGS = resource_map()
pkg = 'radosgw'
if not filter_installed_packages([pkg]) and cmp_pkgrevno(pkg, '0.55') >= 0:
# Add keystone configuration if found
CONFIGS[CEPH_CONF]['contexts'].append(
ceph_radosgw_context.IdentityServiceContext()
)
for cfg, rscs in CONFIGS.items():
configs.register(cfg, rscs['contexts'])
return configs
def services():
"""Returns a list of services associate with this charm."""
_services = []
for v in resource_map().values():
_services.extend(v.get('services', []))
return list(set(_services))
def enable_pocket(pocket):
apt_sources = "/etc/apt/sources.list"
with open(apt_sources, "r") as sources:
lines = sources.readlines()
with open(apt_sources, "w") as sources:
for line in lines:
if pocket in line:
sources.write(re.sub('^# deb', 'deb', line))
else:
sources.write(line)
def get_optional_interfaces():
"""Return the optional interfaces that should be checked if the relavent
relations have appeared.
:returns: {general_interface: [specific_int1, specific_int2, ...], ...}
"""
optional_interfaces = {}
if relation_ids('ha'):
optional_interfaces['ha'] = ['cluster']
if (cmp_pkgrevno('radosgw', '0.55') >= 0 and
relation_ids('identity-service')):
optional_interfaces['identity'] = ['identity-service']
return optional_interfaces
def check_optional_relations(configs):
"""Check that if we have a relation_id for high availability that we can
get the hacluster config. If we can't then we are blocked. This function
is called from assess_status/set_os_workload_status as the charm_func and
needs to return either 'unknown', '' if there is no problem or the status,
message if there is a problem.
:param configs: an OSConfigRender() instance.
:return 2-tuple: (string, string) = (status, message)
"""
if relation_ids('ha'):
try:
get_hacluster_config()
except:
return ('blocked',
'hacluster missing configuration: '
'vip, vip_iface, vip_cidr')
# return 'unknown' as the lowest priority to not clobber an existing
# status.
return 'unknown', ''
def setup_ipv6():
ubuntu_rel = lsb_release()['DISTRIB_CODENAME'].lower()
if CompareHostReleases(ubuntu_rel) < "trusty":
raise Exception("IPv6 is not supported in the charms for Ubuntu "
"versions less than Trusty 14.04")
from apt import apt_pkg
apt_pkg.init()
# Need haproxy >= 1.5.3 for ipv6 so for Trusty if we are <= Kilo we need to
# use trusty-backports otherwise we can use the UCA.
vc = apt_pkg.version_compare(get_pkg_version('haproxy'), '1.5.3')
if ubuntu_rel == 'trusty' and vc == -1:
add_source('deb http://archive.ubuntu.com/ubuntu trusty-backports '
'main')
apt_update(fatal=True)
apt_install('haproxy/trusty-backports', fatal=True)
def assess_status(configs):
"""Assess status of current unit.
Decides what the state of the unit should be based on the current
configuration.
SIDE EFFECT: calls set_os_workload_status(...) which sets the workload
status of the unit.
Also calls status_set(...) directly if paused state isn't complete.
@param configs: a templating.OSConfigRenderer() object
@returns None - this function is executed for its side-effect
"""
assess_status_func(configs)()
application_version_set(get_upstream_version(VERSION_PACKAGE))
def assess_status_func(configs):
"""Helper function to create the function that will assess_status() for
the unit.
Uses charmhelpers.contrib.openstack.utils.make_assess_status_func() to
create the appropriate status function and then returns it.
Used directly by assess_status() and also for pausing and resuming
the unit.
NOTE: REQUIRED_INTERFACES is augmented with the optional interfaces
depending on the current config before being passed to the
make_assess_status_func() function.
NOTE(ajkavanagh) ports are not checked due to race hazards with services
that don't behave sychronously w.r.t their service scripts. e.g.
apache2.
@param configs: a templating.OSConfigRenderer() object
@return f() -> None : a function that assesses the unit's workload status
"""
required_interfaces = REQUIRED_INTERFACES.copy()
required_interfaces.update(get_optional_interfaces())
return make_assess_status_func(
configs, required_interfaces,
charm_func=check_optional_relations,
services=services(), ports=None)
def pause_unit_helper(configs):
"""Helper function to pause a unit, and then call assess_status(...) in
effect, so that the status is correctly updated.
Uses charmhelpers.contrib.openstack.utils.pause_unit() to do the work.
@param configs: a templating.OSConfigRenderer() object
@returns None - this function is executed for its side-effect
"""
_pause_resume_helper(pause_unit, configs)
def resume_unit_helper(configs):
"""Helper function to resume a unit, and then call assess_status(...) in
effect, so that the status is correctly updated.
Uses charmhelpers.contrib.openstack.utils.resume_unit() to do the work.
@param configs: a templating.OSConfigRenderer() object
@returns None - this function is executed for its side-effect
"""
_pause_resume_helper(resume_unit, configs)
def _pause_resume_helper(f, configs):
"""Helper function that uses the make_assess_status_func(...) from
charmhelpers.contrib.openstack.utils to create an assess_status(...)
function that can be used with the pause/resume of the unit
@param f: the function to be used with the assess_status(...) function
@returns None - this function is executed for its side-effect
"""
# TODO(ajkavanagh) - ports= has been left off because of the race hazard
# that exists due to service_start()
f(assess_status_func(configs),
services=services(),
ports=None)
def get_pkg_version(name):
from apt import apt_pkg
pkg = apt_cache()[name]
version = apt_pkg.upstream_version(pkg.current_ver.ver_str)
return version
def defer_if_unavailable(modules):
"""If a function depends on a package/module that is installed by the charm
but may not yet have been installed, it can be deferred using this
decorator.
:param modules: list of modules that must be importable.
"""
def _inner1_defer_if_unavailable(f):
def _inner2_defer_if_unavailable(*args, **kwargs):
for m in modules:
if m not in sys.modules:
log("Module '{}' does not appear to be available "
"yet - deferring call to '{}' until it "
"is.".format(m, f.__name__), level=INFO)
return
return f(*args, **kwargs)
return _inner2_defer_if_unavailable
return _inner1_defer_if_unavailable
@defer_if_unavailable(['keystoneclient'])
def get_ks_cert(ksclient, auth_endpoint, cert_type):
"""Get certificate from keystone.
:param ksclient: Keystone client
:param auth_endpoint: Keystone auth endpoint url
:param certs_path: Path to local certs store
:returns: certificate
"""
if ksclient.version == 'v3':
if cert_type == 'signing':
cert_type = 'certificates'
request = ("{}OS-SIMPLE-CERT/{}"
"".format(auth_endpoint, cert_type))
else:
request = "{}/certificates/{}".format(auth_endpoint, cert_type)
try:
try:
# Kilo and newer
if cert_type == 'ca':
cert = ksclient.certificates.get_ca_certificate()
elif cert_type in ['signing', 'certificates']:
cert = ksclient.certificates.get_signing_certificate()
else:
raise KSCertSetupException("Invalid cert type "
"'{}'".format(cert_type))
except AttributeError:
# Keystone v3 or Juno and older
response = requests.request('GET', request)
if response.status_code == requests.codes.ok:
cert = response.text
else:
raise KSCertSetupException("Unable to retrieve certificate")
except (ConnectionRefused, requests.exceptions.ConnectionError,
Forbidden, InternalServerError):
raise KSCertSetupException("Error connecting to keystone")
return cert
@defer_if_unavailable(['keystoneclient'])
def get_ks_ca_cert(ksclient, auth_endpoint, certs_path):
""""Get and store keystone CA certificate.
:param ksclient: Keystone client
:param auth_endpoint: Keystone auth endpoint url
:param certs_path: Path to local certs store
:returns: None
"""
ca_cert = get_ks_cert(ksclient, auth_endpoint, 'ca')
if ca_cert:
try:
# Cert should not contain unicode chars.
str(ca_cert)
except UnicodeEncodeError:
raise KSCertSetupException("Did not get a valid ca cert from "
"keystone - cert setup incomplete")
log("Updating ca cert from keystone", level=DEBUG)
ca = os.path.join(certs_path, 'ca.pem')
with open(ca, 'w') as fd:
fd.write(ca_cert)
out = subprocess.check_output(['openssl', 'x509', '-in', ca,
'-pubkey'])
p = subprocess.Popen(['certutil', '-d', certs_path, '-A', '-n', 'ca',
'-t', 'TCu,Cu,Tuw'], stdin=subprocess.PIPE)
p.communicate(out)
else:
raise KSCertSetupException("No ca cert available from keystone")
@defer_if_unavailable(['keystoneclient'])
def get_ks_signing_cert(ksclient, auth_endpoint, certs_path):
""""Get and store keystone signing certificate.
:param ksclient: Keystone client
:param auth_endpoint: Keystone auth endpoint url
:param certs_path: Path to local certs store
:returns: None
"""
signing_cert = get_ks_cert(ksclient, auth_endpoint, 'signing')
if signing_cert:
try:
# Cert should not contain unicode chars.
str(signing_cert)
except UnicodeEncodeError:
raise KSCertSetupException("Invalid signing cert from keystone")
log("Updating signing cert from keystone", level=DEBUG)
signing_cert_path = os.path.join(certs_path, 'signing_certificate.pem')
with open(signing_cert_path, 'w') as fd:
fd.write(signing_cert)
out = subprocess.check_output(['openssl', 'x509', '-in',
signing_cert_path, '-pubkey'])
p = subprocess.Popen(['certutil', '-A', '-d', certs_path, '-n',
'signing_cert', '-t', 'P,P,P'],
stdin=subprocess.PIPE)
p.communicate(out)
else:
raise KSCertSetupException("No signing cert available from keystone")
@defer_if_unavailable(['keystoneclient'])
def setup_keystone_certs(CONFIGS):
"""
Get CA and signing certs from Keystone used to decrypt revoked token list.
:param unit: context unit id
:param rid: context relation id
:returns: None
"""
certs_path = '/var/lib/ceph/nss'
if not os.path.exists(certs_path):
mkdir(certs_path)
# Do not continue until identity-relation is complete
if 'identity-service' not in CONFIGS.complete_contexts():
log("Missing relation settings - deferring cert setup",
level=DEBUG)
return
ksclient = get_keystone_client_from_relation()
if not ksclient:
log("Failed to get keystoneclient", level=ERROR)
return
auth_endpoint = ksclient.auth_endpoint
try:
get_ks_ca_cert(ksclient, auth_endpoint, certs_path)
get_ks_signing_cert(ksclient, auth_endpoint, certs_path)
except KSCertSetupException as e:
log("Keystone certs setup incomplete - {}".format(e), level=INFO)
# TODO: Move to charmhelpers
# TODO: Make it session aware
def get_keystone_client_from_relation(relation_type='identity-service'):
""" Get keystone client from relation data
:param relation_type: Relation to keystone
:returns: Keystone client
"""
required = ['admin_token', 'auth_host', 'auth_port', 'api_version']
settings = {}
rdata = {}
for relid in relation_ids(relation_type):
for unit in related_units(relid):
rdata = relation_get(unit=unit, rid=relid) or {}
if set(required).issubset(set(rdata.keys())):
settings = {key: rdata.get(key) for key in required}
break
if not settings:
log("Required settings not yet provided by any identity-service "
"relation units", INFO)
return None
auth_protocol = rdata.get('auth_protocol', 'http')
if is_ipv6(settings.get('auth_host')):
settings['auth_host'] = format_ipv6_addr(settings.get('auth_host'))
api_version = rdata.get('api_version')
auth_endpoint = format_endpoint(auth_protocol,
settings['auth_host'],
settings['auth_port'],
settings['api_version'])
if api_version and '3' in api_version:
ksclient = client_v3.Client(token=settings['admin_token'],
endpoint=auth_endpoint)
else:
ksclient = client.Client(token=settings['admin_token'],
endpoint=auth_endpoint)
# Add simple way to retrieve keystone auth endpoint
ksclient.auth_endpoint = auth_endpoint
return ksclient
def disable_unused_apache_sites():
"""Ensure that unused apache configurations are disabled to prevent them
from conflicting with the charm-provided version.
"""
for apache_site_file in UNUSED_APACHE_SITE_FILES:
apache_site = apache_site_file.split('/')[-1].split('.')[0]
if os.path.exists(apache_site_file):
try:
# Try it cleanly
subprocess.check_call(['a2dissite', apache_site])
except subprocess.CalledProcessError:
# Remove the file
os.remove(apache_site_file)
with open(APACHE_PORTS_FILE, 'w') as ports:
ports.write("")
def systemd_based_radosgw():
"""Determine if install should use systemd based radosgw instances"""
host = socket.gethostname()
for rid in relation_ids('mon'):
for unit in related_units(rid):
if relation_get('rgw.{}_key'.format(host), rid=rid, unit=unit):
return True
return False
def request_per_unit_key():
"""Determine if a per-unit cephx key should be requested"""
return (cmp_pkgrevno('radosgw', '12.2.0') >= 0 and init_is_systemd())
def service_name():
"""Determine the name of the RADOS Gateway service"""
if systemd_based_radosgw():
return 'ceph-radosgw@rgw.{}'.format(socket.gethostname())
else:
return 'radosgw'
View Git Blame Copy Permalink