Remove glance-registry in OpenStack Stein deployments

This patch removes glance-registry service when upgrading to OpenStack Stein and later releases. Second part of: Change-Id: Ie6d618582cd5063738a965d36e7d766633e1a607 Change-Id: I5e644ed8dba809fd1ad5d628f32ea64d31799e52 Signed-off-by: Stamatis Katsaounis <skatsaounis@admin.grnet.gr>
2019-11-29 11:31:22 +02:00 · 2019-11-29 11:31:22 +02:00 · 16abd40985
parent 24071f1eb1
commit 16abd40985
4 changed files with 136 additions and 18 deletions
--- a/actions/security_checklist.py
+++ b/actions/security_checklist.py
@ -25,6 +25,9 @@ import charmhelpers.contrib.openstack.audits as audits
 from charmhelpers.contrib.openstack.audits import (
    openstack_security_guide,
 )
+from charmhelpers.contrib.openstack.utils import (
+    CompareOpenStackReleases,
+    os_release)


 # Via the openstack_security_guide above, we are running the following
@ -70,12 +73,14 @@ def validate_glance_uses_keystone(audit_options):
    glance_api = dict(conf)
    assert glance_api.get('DEFAULT', {}).get('auth_strategy') == "keystone", \
        "Keystone should be used for auth in glance-api.conf"
-    conf = configparser.ConfigParser()
-    conf.read(os.path.join('/etc/glance/glance-registry.conf'))
-    glance_registry = dict(conf)
-    assert glance_registry.get('DEFAULT', {}) \
-                          .get('auth_strategy') == "keystone", \
-        "Keystone should be used for auth in glance-api.conf"
+    cmp_release = CompareOpenStackReleases(os_release('glance-common'))
+    if cmp_release <= 'stein':
+        conf = configparser.ConfigParser()
+        conf.read(os.path.join('/etc/glance/glance-registry.conf'))
+        glance_registry = dict(conf)
+        assert glance_registry.get('DEFAULT', {}) \
+                              .get('auth_strategy') == "keystone", \
+            "Keystone should be used for auth in glance-registry.conf"


@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide))
@ -96,14 +101,17 @@ def validate_glance_uses_tls_for_keystone(audit_options):
    assert glance_api.get('keystone_authtoken', {}).get('auth_uri'). \
        startswith("https://"), \
        "TLS should be used to authenticate with Keystone"
-    conf = configparser.ConfigParser()
-    conf.read(os.path.join('/etc/glance/glance-registry.conf'))
-    glance_registry = dict(conf)
-    assert not glance_registry.get('keystone_authtoken', {}).get('insecure'), \
-        "Insecure mode should not be used with TLS"
-    assert glance_registry.get('keystone_authtoken', {}).get('auth_uri'). \
-        startswith("https://"), \
-        "TLS should be used to authenticate with Keystone"
+    cmp_release = CompareOpenStackReleases(os_release('glance-common'))
+    if cmp_release <= 'stein':
+        conf = configparser.ConfigParser()
+        conf.read(os.path.join('/etc/glance/glance-registry.conf'))
+        glance_registry = dict(conf)
+        assert not glance_registry.get(
+            'keystone_authtoken', {}).get('insecure'), \
+            "Insecure mode should not be used with TLS"
+        assert glance_registry.get('keystone_authtoken', {}).get('auth_uri'). \
+            startswith("https://"), \
+            "TLS should be used to authenticate with Keystone"


 def main():
--- a/hooks/glance_relations.py
+++ b/hooks/glance_relations.py
@ -190,15 +190,22 @@ def db_joined():
@hooks.hook('shared-db-relation-changed')
@restart_on_change(restart_map())
 def db_changed():
-    rel = os_release('glance-common')
+    release = os_release('glance-common')
+    cmp_release = CompareOpenStackReleases(release)

    if 'shared-db' not in CONFIGS.complete_contexts():
        juju_log('shared-db relation incomplete. Peer not ready?')
        return

-    CONFIGS.write(GLANCE_REGISTRY_CONF)
+    # https://blueprints.launchpad.net/glance/+spec/deprecate-registry
+    # Based on Glance registry deprecation and removal on Stein release,
+    # its configuration is written only if OpenStack version is previous
+    # than Stein.
+    if cmp_release < 'stein':
+        CONFIGS.write(GLANCE_REGISTRY_CONF)
+
    # since folsom, a db connection setting in glance-api.conf is required.
-    if rel != "essex":
+    if cmp_release != "essex":
        CONFIGS.write(GLANCE_API_CONF)

    if is_elected_leader(CLUSTER_RES):
@ -207,7 +214,7 @@ def db_changed():
        # permitted units then check if we're in the list.
        allowed_units = relation_get('allowed_units')
        if allowed_units and local_unit() in allowed_units.split():
-            if rel == "essex":
+            if cmp_release == "essex":
                status = call(['glance-manage', 'db_version'])
                if status != 0:
                    juju_log('Setting version_control to 0')
--- a/hooks/glance_utils.py
+++ b/hooks/glance_utils.py
@ -240,6 +240,8 @@ def register_configs():
        confs.append(ceph_config_file())

    for conf in confs:
+        if cmp_release >= 'stein' and conf == GLANCE_REGISTRY_CONF:
+            continue
        configs.register(conf, CONFIG_FILES[conf]['hook_contexts'])

    if os.path.exists('/etc/apache2/conf-available'):
@ -281,6 +283,8 @@ def determine_purge_packages():
        pkgs.extend(["python-cinderclient",
                     "python-os-brick",
                     "python-oslo.rootwrap"])
+        if CompareOpenStackReleases(os_release('glance')) >= 'stein':
+            pkgs.append('glance-registry')
        return pkgs
    return []

--- a/templates/stein/glance-api.conf
+++ b/templates/stein/glance-api.conf
@ -0,0 +1,99 @@
+[DEFAULT]
+verbose = {{ verbose }}
+use_syslog = {{ use_syslog }}
+debug = {{ debug }}
+workers = {{ workers }}
+bind_host = {{ bind_host }}
+
+{% if ext -%}
+bind_port = {{ ext }}
+{% elif bind_port -%}
+bind_port = {{ bind_port }}
+{% else -%}
+bind_port = 9292
+{% endif -%}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+log_file = /var/log/glance/api.log
+backlog = 4096
+
+{% if expose_image_locations -%}
+show_multiple_locations = {{ expose_image_locations }}
+show_image_direct_url = {{ expose_image_locations }}
+{% endif -%}
+
+{% if api_config_flags -%}
+{% for key, value in api_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+delayed_delete = False
+scrub_time = 43200
+scrubber_datadir = /var/lib/glance/scrubber
+image_cache_dir = /var/lib/glance/image-cache/
+db_enforce_mysql_charset = False
+
+{% if image_size_cap -%}
+image_size_cap = {{ image_size_cap }}
+{% endif -%}
+
+[glance_store]
+{%- if use_internal_endpoints %}
+catalog_info = {{ volume_catalog_info }}
+{%- endif %}
+
+filesystem_store_datadir = {{ filesystem_store_datadir }}
+
+stores = {{ known_stores }}
+{% if rbd_pool -%}
+default_store = rbd
+{% elif swift_store -%}
+default_store = swift
+{% elif cinder_store -%}
+default_store = cinder
+{% else -%}
+default_store = file
+{% endif -%}
+
+{% if swift_store -%}
+default_swift_reference = swift
+swift_store_config_file = /etc/glance/glance-swift.conf
+swift_store_create_container_on_put = true
+{% endif -%}
+
+{% if rbd_pool -%}
+rbd_store_ceph_conf = /etc/ceph/ceph.conf
+rbd_store_user = {{ rbd_user }}
+rbd_store_pool = {{ rbd_pool }}
+rbd_store_chunk_size = 8
+{% endif -%}
+
+[image_format]
+disk_formats = {{ disk_formats }}
+{% if container_formats -%}
+container_formats = {{ container_formats }}
+{% endif -%}
+
+{% include "section-keystone-authtoken-v3only" %}
+
+{% if auth_host -%}
+[paste_deploy]
+flavor = keystone
+{% endif %}
+
+[barbican]
+auth_endpoint = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-oslo-middleware" %}
+
+{% include "parts/section-storage" %}