From 16abd4098576db84bbb92bd72127571527c02ae4 Mon Sep 17 00:00:00 2001 From: Stamatis Katsaounis Date: Fri, 29 Nov 2019 11:31:22 +0200 Subject: [PATCH] Remove glance-registry in OpenStack Stein deployments This patch removes glance-registry service when upgrading to OpenStack Stein and later releases. Second part of: Change-Id: Ie6d618582cd5063738a965d36e7d766633e1a607 Change-Id: I5e644ed8dba809fd1ad5d628f32ea64d31799e52 Signed-off-by: Stamatis Katsaounis --- actions/security_checklist.py | 36 +++++++----- hooks/glance_relations.py | 15 +++-- hooks/glance_utils.py | 4 ++ templates/stein/glance-api.conf | 99 +++++++++++++++++++++++++++++++++ 4 files changed, 136 insertions(+), 18 deletions(-) create mode 100644 templates/stein/glance-api.conf diff --git a/actions/security_checklist.py b/actions/security_checklist.py index fcd58d02..9c713447 100755 --- a/actions/security_checklist.py +++ b/actions/security_checklist.py @@ -25,6 +25,9 @@ import charmhelpers.contrib.openstack.audits as audits from charmhelpers.contrib.openstack.audits import ( openstack_security_guide, ) +from charmhelpers.contrib.openstack.utils import ( + CompareOpenStackReleases, + os_release) # Via the openstack_security_guide above, we are running the following 
@@ -70,12 +73,14 @@ def validate_glance_uses_keystone(audit_options): glance_api = dict(conf) assert glance_api.get('DEFAULT', {}).get('auth_strategy') == "keystone", \ "Keystone should be used for auth in glance-api.conf" - conf = configparser.ConfigParser() - conf.read(os.path.join('/etc/glance/glance-registry.conf')) - glance_registry = dict(conf) - assert glance_registry.get('DEFAULT', {}) \ - .get('auth_strategy') == "keystone", \ - "Keystone should be used for auth in glance-api.conf" + cmp_release = CompareOpenStackReleases(os_release('glance-common')) + if cmp_release <= 'stein': + conf = configparser.ConfigParser() + conf.read(os.path.join('/etc/glance/glance-registry.conf')) + glance_registry = dict(conf) + assert glance_registry.get('DEFAULT', {}) \ + .get('auth_strategy') == "keystone", \ + "Keystone should be used for auth in glance-registry.conf" @audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide)) 
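Review bot: The new guard `if cmp_release <= 'stein':` keeps the glance-registry.conf check active on Stein itself, but the rest of this patch treats Stein as the first release without the registry. db_changed writes the file only for `cmp_release < 'stein'`, register_configs skips it for `>= 'stein'`, and determine_purge_packages removes the package from Stein on. `ConfigParser.read()` silently ignores a missing file, so on a Stein unit the `auth_strategy` lookup yields None and the audit fails, or it is evaluated against a stale file left behind by the upgrade. The guard should be `if cmp_release < 'stein':`, and the identical guard in validate_glance_uses_tls_for_keystone needs the same change. The function starts above this hunk.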
@@ -96,14 +101,17 @@ def validate_glance_uses_tls_for_keystone(audit_options): assert glance_api.get('keystone_authtoken', {}).get('auth_uri'). \ startswith("https://"), \ "TLS should be used to authenticate with Keystone" - conf = configparser.ConfigParser() - conf.read(os.path.join('/etc/glance/glance-registry.conf')) - glance_registry = dict(conf) - assert not glance_registry.get('keystone_authtoken', {}).get('insecure'), \ - "Insecure mode should not be used with TLS" - assert glance_registry.get('keystone_authtoken', {}).get('auth_uri'). \ - startswith("https://"), \ - "TLS should be used to authenticate with Keystone" + cmp_release = CompareOpenStackReleases(os_release('glance-common')) + if cmp_release <= 'stein': + conf = configparser.ConfigParser() + conf.read(os.path.join('/etc/glance/glance-registry.conf')) + glance_registry = dict(conf) + assert not glance_registry.get( + 'keystone_authtoken', {}).get('insecure'), \ + "Insecure mode should not be used with TLS" + assert glance_registry.get('keystone_authtoken', {}).get('auth_uri'). \ + startswith("https://"), \ + "TLS should be used to authenticate with Keystone" def main(): diff --git a/hooks/glance_relations.py b/hooks/glance_relations.py index 0e690542..bc7dc679 100755 --- a/hooks/glance_relations.py +++ b/hooks/glance_relations.py 
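Review bot: In the re-indented registry block, `.get('auth_uri')` returns None when the option is missing, so `.startswith("https://")` raises AttributeError instead of failing the assertion with its message. `.get('auth_uri', '').startswith("https://")` keeps a missing option an ordinary audit failure. The `insecure` assertion tests a configparser string, so an explicit `insecure = false` is truthy and is reported as insecure mode; parsing the value as a boolean before asserting would fix that. The glance-api assertion visible as context at the top of the hunk has the same `auth_uri` pattern.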
@@ -190,15 +190,22 @@ def db_joined(): @hooks.hook('shared-db-relation-changed') @restart_on_change(restart_map()) def db_changed(): - rel = os_release('glance-common') + release = os_release('glance-common') + cmp_release = CompareOpenStackReleases(release) if 'shared-db' not in CONFIGS.complete_contexts(): juju_log('shared-db relation incomplete. Peer not ready?') return - CONFIGS.write(GLANCE_REGISTRY_CONF) + # https://blueprints.launchpad.net/glance/+spec/deprecate-registry + # Based on Glance registry deprecation and removal on Stein release, + # its configuration is written only if OpenStack version is previous + # than Stein. + if cmp_release < 'stein': + CONFIGS.write(GLANCE_REGISTRY_CONF) + # since folsom, a db connection setting in glance-api.conf is required. - if rel != "essex": + if cmp_release != "essex": CONFIGS.write(GLANCE_API_CONF) if is_elected_leader(CLUSTER_RES): @@ -207,7 +214,7 @@ def db_changed(): # permitted units then check if we're in the list. allowed_units = relation_get('allowed_units') if allowed_units and local_unit() in allowed_units.split(): - if rel == "essex": + if cmp_release == "essex": status = call(['glance-manage', 'db_version']) if status != 0: juju_log('Setting version_control to 0') diff --git a/hooks/glance_utils.py b/hooks/glance_utils.py index ac4b9774..3f3dd4fa 100644 --- a/hooks/glance_utils.py +++ b/hooks/glance_utils.py @@ -240,6 +240,8 @@ def register_configs(): confs.append(ceph_config_file()) for conf in confs: + if cmp_release >= 'stein' and conf == GLANCE_REGISTRY_CONF: + continue configs.register(conf, CONFIG_FILES[conf]['hook_contexts']) if os.path.exists('/etc/apache2/conf-available'): @@ -281,6 +283,8 @@ def determine_purge_packages(): pkgs.extend(["python-cinderclient", "python-os-brick", "python-oslo.rootwrap"]) + if CompareOpenStackReleases(os_release('glance')) >= 'stein': + pkgs.append('glance-registry') return pkgs return [] 
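Review bot: `CompareOpenStackReleases` is called at the top of db_changed, but neither hunk for hooks/glance_relations.py adds an import for it, and the two hunks account for all 15 changed lines in the diffstat. This therefore depends on the name already being imported outside the diff, which is worth confirming because a NameError here would break the shared-db-relation-changed hook. The new local `release` is used only once and could be folded in: `cmp_release = CompareOpenStackReleases(os_release('glance-common'))`. The added comment would read more clearly as `# glance-registry is deprecated and removed as of Stein, so its config is only written for releases before Stein.`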
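Review bot: The `continue` added in register_configs only keeps GLANCE_REGISTRY_CONF out of the config renderer. If the restart map and service list elsewhere in hooks/glance_utils.py are also built from CONFIG_FILES (not visible in this diff), they would still name glance-registry on Stein, after determine_purge_packages has removed the package. Filtering the registry entry in one shared place for `>= 'stein'` would keep those views consistent. `cmp_release` is not defined inside the hunk, so it must already be assigned earlier in the function, which starts above the hunk.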
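Review bot: The added check in determine_purge_packages looks up `os_release('glance')`, while the other release checks this patch adds (security_checklist.py and db_changed) use `os_release('glance-common')`. Keying the same decision on two different package names risks the purge and the config handling disagreeing about the release. The enclosing branch is outside the hunk; if it already holds a release comparison, reusing that object instead of building a second one would avoid the extra lookup and keep a single source for the release, for example `if cmp_os_source >= 'stein':` with `cmp_os_source` standing for whatever that existing variable is called.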
diff --git a/templates/stein/glance-api.conf b/templates/stein/glance-api.conf
new file mode 100644
index 00000000..eb51d1f2
--- /dev/null
+++ b/templates/stein/glance-api.conf
@@ -0,0 +1,99 @@
+[DEFAULT]
+verbose = {{ verbose }}
+use_syslog = {{ use_syslog }}
+debug = {{ debug }}
+workers = {{ workers }}
+bind_host = {{ bind_host }}
+
+{% if ext -%}
+bind_port = {{ ext }}
+{% elif bind_port -%}
+bind_port = {{ bind_port }}
+{% else -%}
+bind_port = 9292
+{% endif -%}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+log_file = /var/log/glance/api.log
+backlog = 4096
+
+{% if expose_image_locations -%}
+show_multiple_locations = {{ expose_image_locations }}
+show_image_direct_url = {{ expose_image_locations }}
+{% endif -%}
+
+{% if api_config_flags -%}
+{% for key, value in api_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+delayed_delete = False
+scrub_time = 43200
+scrubber_datadir = /var/lib/glance/scrubber
+image_cache_dir = /var/lib/glance/image-cache/
+db_enforce_mysql_charset = False
+
+{% if image_size_cap -%}
+image_size_cap = {{ image_size_cap }}
+{% endif -%}
+
+[glance_store]
+{%- if use_internal_endpoints %}
+catalog_info = {{ volume_catalog_info }}
+{%- endif %}
+
+filesystem_store_datadir = {{ filesystem_store_datadir }}
+
+stores = {{ known_stores }}
+{% if rbd_pool -%}
+default_store = rbd
+{% elif swift_store -%}
+default_store = swift
+{% elif cinder_store -%}
+default_store = cinder
+{% else -%}
+default_store = file
+{% endif -%}
+
+{% if swift_store -%}
+default_swift_reference = swift
+swift_store_config_file = /etc/glance/glance-swift.conf
+swift_store_create_container_on_put = true
+{% endif -%}
+
+{% if rbd_pool -%}
+rbd_store_ceph_conf = /etc/ceph/ceph.conf
+rbd_store_user = {{ rbd_user }}
+rbd_store_pool = {{ rbd_pool }}
+rbd_store_chunk_size = 8
+{% endif -%}
+
+[image_format]
+disk_formats = {{ disk_formats }}
+{% if container_formats -%}
+container_formats = {{ container_formats }}
+{% endif -%}
+
+{% include "section-keystone-authtoken-v3only" %}
+
+{% if auth_host -%}
+[paste_deploy]
+flavor = keystone
+{% endif %}
+
+[barbican]
+auth_endpoint = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-oslo-middleware" %}
+
+{% include "parts/section-storage" %}
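Review bot: The `expose_image_locations` block in [DEFAULT] turns on both `show_multiple_locations` and `show_image_direct_url`, which reveal backend store locations to API users, and the template carries no comment saying so. A Jinja comment above the block, such as `{# expose_image_locations exposes backend store URLs through the image API; enable only when every API client is trusted #}`, would make the trade-off visible to whoever edits the template. The `[barbican]` `auth_endpoint` is built from `service_protocol`, so it is only TLS-protected when that value is https; a short comment there noting the dependency would help too.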