diff --git a/charmhelpers/contrib/openstack/audits/__init__.py b/charmhelpers/contrib/openstack/audits/__init__.py
new file mode 100644
index 00000000..9fde7b26
--- /dev/null
+++ b/charmhelpers/contrib/openstack/audits/__init__.py
@@ -0,0 +1,134 @@
+# Copyright 2019 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""OpenStack Security Audit code"""
+
+import collections
+from enum import Enum
+import traceback
+
+from charmhelpers.core.host import cmp_pkgrevno
+
+import charmhelpers.core.hookenv as hookenv
+
+
+class AuditType(Enum):
+ OpenStackSecurityGuide = 1
+
+
+_audits = {}
+
+Audit = collections.namedtuple('Audit', 'func filters')
+
+
+def audit(*args):
+ """Decorator to register an audit.
+
+ These are used to generate audits that can be run on a
+ deployed system that matches the given configuration
+
+ :param args: List of functions to filter tests against
+ :type args: List[Callable(Config)]
+ """
+ def wrapper(f):
+ test_name = f.__name__
+ if _audits.get(test_name):
+ raise RuntimeError(
+ "Test name '{}' used more than once"
+ .format(test_name))
+ non_callables = [fn for fn in args if not callable(fn)]
+ if non_callables:
+ raise RuntimeError(
+ "Configuration includes non-callable filters: {}"
+ .format(non_callables))
+ _audits[test_name] = Audit(func=f, filters=args)
+ return f
+ return wrapper
+
+
+def is_audit_type(*args):
+ """This audit is included in the specified kinds of audits."""
+ def should_run(audit_options):
+ if audit_options.get('audit_type') in args:
+ return True
+ else:
+ return False
+ return should_run
+
+
+def since_package(pkg, pkg_version):
+ """This audit should be run after the specified package version (incl)."""
+ return lambda audit_options=None: cmp_pkgrevno(pkg, pkg_version) >= 0
+
+
+def before_package(pkg, pkg_version):
+ """This audit should be run before the specified package version (excl)."""
+ return lambda audit_options=None: not since_package(pkg, pkg_version)()
+
+
+def it_has_config(config_key):
+ """This audit should be run based on specified config keys."""
+ return lambda audit_options: audit_options.get(config_key) is not None
+
+
+def run(audit_options):
+ """Run the configured audits with the specified audit_options.
+
+ :param audit_options: Configuration for the audit
+ :type audit_options: Config
+ """
+ errors = {}
+ results = {}
+ for name, audit in sorted(_audits.items()):
+ result_name = name.replace('_', '-')
+ if all(p(audit_options) for p in audit.filters):
+ try:
+ audit.func(audit_options)
+ print("{}: PASS".format(name))
+ results[result_name] = {
+ 'success': True,
+ }
+ except AssertionError as e:
+ print("{}: FAIL ({})".format(name, e))
+ results[result_name] = {
+ 'success': False,
+ 'message': e,
+ }
+ except Exception as e:
+ print("{}: ERROR ({})".format(name, e))
+ errors[name] = e
+ results[result_name] = {
+ 'success': False,
+ 'message': e,
+ }
+ for name, error in errors.items():
+ print("=" * 20)
+ print("Error in {}: ".format(name))
+ traceback.print_tb(error.__traceback__)
+ print()
+ return results
+
+
+def action_parse_results(result):
+ """Parse the result of `run` in the context of an action."""
+ passed = True
+ for test, result in result.items():
+ if result['success']:
+ hookenv.action_set({test: 'PASS'})
+ else:
+ hookenv.action_set({test: 'FAIL - {}'.format(result['message'])})
+ passed = False
+ if not passed:
+ hookenv.action_fail("One or more tests failed")
+ return 0 if passed else 1
diff --git a/charmhelpers/contrib/openstack/audits/openstack_security_guide.py b/charmhelpers/contrib/openstack/audits/openstack_security_guide.py
new file mode 100644
index 00000000..ba5e2486
--- /dev/null
+++ b/charmhelpers/contrib/openstack/audits/openstack_security_guide.py
@@ -0,0 +1,303 @@
+# Copyright 2019 Canonical Limited.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import collections
+import configparser
+import glob
+import os.path
+import subprocess
+
+from charmhelpers.contrib.openstack.audits import (
+ audit,
+ AuditType,
+ # filters
+ is_audit_type,
+ it_has_config,
+)
+
+from charmhelpers.core.hookenv import (
+ cached,
+)
+
+
+FILE_ASSERTIONS = {
+ 'barbican': {
+ # From security guide
+ '/etc/barbican/barbican.conf': {'group': 'barbican', 'mode': '640'},
+ '/etc/barbican/barbican-api-paste.ini':
+ {'group': 'barbican', 'mode': '640'},
+ '/etc/barbican/policy.json': {'group': 'barbican', 'mode': '640'},
+ },
+ 'ceph-mon': {
+ '/var/lib/charm/ceph-mon/ceph.conf':
+ {'owner': 'root', 'group': 'root', 'mode': '644'},
+ '/etc/ceph/ceph.client.admin.keyring':
+ {'owner': 'ceph', 'group': 'ceph'},
+ '/etc/ceph/rbdmap': {'mode': '644'},
+ '/var/lib/ceph': {'owner': 'ceph', 'group': 'ceph', 'mode': '750'},
+ '/var/lib/ceph/bootstrap-*/ceph.keyring':
+ {'owner': 'ceph', 'group': 'ceph', 'mode': '600'}
+ },
+ 'ceph-osd': {
+ '/var/lib/charm/ceph-osd/ceph.conf':
+ {'owner': 'ceph', 'group': 'ceph', 'mode': '644'},
+ '/var/lib/ceph': {'owner': 'ceph', 'group': 'ceph', 'mode': '750'},
+ '/var/lib/ceph/*': {'owner': 'ceph', 'group': 'ceph', 'mode': '755'},
+ '/var/lib/ceph/bootstrap-*/ceph.keyring':
+ {'owner': 'ceph', 'group': 'ceph', 'mode': '600'},
+ '/var/lib/ceph/radosgw':
+ {'owner': 'ceph', 'group': 'ceph', 'mode': '755'},
+ },
+ 'cinder': {
+ # From security guide
+ '/etc/cinder/cinder.conf': {'group': 'cinder', 'mode': '640'},
+ '/etc/cinder/api-paste.conf': {'group': 'cinder', 'mode': '640'},
+ '/etc/cinder/rootwrap.conf': {'group': 'cinder', 'mode': '640'},
+ },
+ 'glance': {
+ # From security guide
+ '/etc/glance/glance-api-paste.ini': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-api.conf': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-cache.conf': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-manage.conf': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-registry-paste.ini':
+ {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-registry.conf': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-scrubber.conf': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/glance-swift-store.conf':
+ {'group': 'glance', 'mode': '640'},
+ '/etc/glance/policy.json': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/schema-image.json': {'group': 'glance', 'mode': '640'},
+ '/etc/glance/schema.json': {'group': 'glance', 'mode': '640'},
+ },
+ 'keystone': {
+ # From security guide
+ '/etc/keystone/keystone.conf': {'group': 'keystone', 'mode': '640'},
+ '/etc/keystone/keystone-paste.ini':
+ {'group': 'keystone', 'mode': '640'},
+ '/etc/keystone/policy.json': {'group': 'keystone', 'mode': '640'},
+ '/etc/keystone/logging.conf': {'group': 'keystone', 'mode': '640'},
+ '/etc/keystone/ssl/certs/signing_cert.pem':
+ {'group': 'keystone', 'mode': '640'},
+ '/etc/keystone/ssl/private/signing_key.pem':
+ {'group': 'keystone', 'mode': '640'},
+ '/etc/keystone/ssl/certs/ca.pem': {'group': 'keystone', 'mode': '640'},
+ },
+ 'manilla': {
+ # From security guide
+ '/etc/manila/manila.conf': {'group': 'manilla', 'mode': '640'},
+ '/etc/manila/api-paste.ini': {'group': 'manilla', 'mode': '640'},
+ '/etc/manila/policy.json': {'group': 'manilla', 'mode': '640'},
+ '/etc/manila/rootwrap.conf': {'group': 'manilla', 'mode': '640'},
+ },
+ 'neutron-gateway': {
+ '/etc/neutron/neutron.conf': {'group': 'neutron', 'mode': '640'},
+ '/etc/neutron/rootwrap.conf': {'mode': '640'},
+ '/etc/neutron/rootwrap.d': {'mode': '755'},
+ '/etc/neutron/*': {'group': 'neutron', 'mode': '644'},
+ },
+ 'neutron-api': {
+ # From security guide
+ '/etc/neutron/neutron.conf': {'group': 'neutron', 'mode': '640'},
+ '/etc/nova/api-paste.ini': {'group': 'neutron', 'mode': '640'},
+ '/etc/neutron/rootwrap.conf': {'group': 'neutron', 'mode': '640'},
+ # Additional validations
+ '/etc/neutron/rootwrap.d': {'mode': '755'},
+ '/etc/neutron/neutron_lbaas.conf': {'mode': '644'},
+ '/etc/neutron/neutron_vpnaas.conf': {'mode': '644'},
+ '/etc/neutron/*': {'group': 'neutron', 'mode': '644'},
+ },
+ 'nova-cloud-controller': {
+ # From security guide
+ '/etc/nova/api-paste.ini': {'group': 'nova', 'mode': '640'},
+ '/etc/nova/nova.conf': {'group': 'nova', 'mode': '750'},
+ '/etc/nova/*': {'group': 'nova', 'mode': '640'},
+ # Additional validations
+ '/etc/nova/logging.conf': {'group': 'nova', 'mode': '640'},
+ },
+ 'nova-compute': {
+ # From security guide
+ '/etc/nova/nova.conf': {'group': 'nova', 'mode': '640'},
+ '/etc/nova/api-paste.ini': {'group': 'nova', 'mode': '640'},
+ '/etc/nova/rootwrap.conf': {'group': 'nova', 'mode': '640'},
+ # Additional Validations
+ '/etc/nova/nova-compute.conf': {'group': 'nova', 'mode': '640'},
+ '/etc/nova/logging.conf': {'group': 'nova', 'mode': '640'},
+ '/etc/nova/nm.conf': {'mode': '644'},
+ '/etc/nova/*': {'group': 'nova', 'mode': '640'},
+ },
+ 'openstack-dashboard': {
+ # From security guide
+ '/etc/openstack-dashboard/local_settings.py':
+ {'group': 'horizon', 'mode': '640'},
+ },
+}
+
+Ownership = collections.namedtuple('Ownership', 'owner group mode')
+
+
+@cached
+def _stat(file):
+ """
+ Get the Ownership information from a file.
+
+ :param file: The path to a file to stat
+ :type file: str
+ :returns: owner, group, and mode of the specified file
+ :rtype: Ownership
+ :raises subprocess.CalledProcessError: If the underlying stat fails
+ """
+ out = subprocess.check_output(
+ ['stat', '-c', '%U %G %a', file]).decode('utf-8')
+ return Ownership(*out.strip().split(' '))
+
+
+@cached
+def _config_ini(path):
+ """
+ Parse an ini file
+
+ :param path: The path to a file to parse
+ :type file: str
+ :returns: Configuration contained in path
+ :rtype: Dict
+ """
+ conf = configparser.ConfigParser()
+ conf.read(path)
+ return dict(conf)
+
+
+def _validate_file_ownership(owner, group, file_name):
+ """
+ Validate that a specified file is owned by `owner:group`.
+
+ :param owner: Name of the owner
+ :type owner: str
+ :param group: Name of the group
+ :type group: str
+ :param file_name: Path to the file to verify
+ :type file_name: str
+ """
+ try:
+ ownership = _stat(file_name)
+ except subprocess.CalledProcessError as e:
+ print("Error reading file: {}".format(e))
+ assert False, "Specified file does not exist: {}".format(file_name)
+ assert owner == ownership.owner, \
+ "{} has an incorrect owner: {} should be {}".format(
+ file_name, ownership.owner, owner)
+ assert group == ownership.group, \
+ "{} has an incorrect group: {} should be {}".format(
+ file_name, ownership.group, group)
+ print("Validate ownership of {}: PASS".format(file_name))
+
+
+def _validate_file_mode(mode, file_name):
+ """
+ Validate that a specified file has the specified permissions.
+
+ :param mode: file mode that is desires
+ :type owner: str
+ :param file_name: Path to the file to verify
+ :type file_name: str
+ """
+ try:
+ ownership = _stat(file_name)
+ except subprocess.CalledProcessError as e:
+ print("Error reading file: {}".format(e))
+ assert False, "Specified file does not exist: {}".format(file_name)
+ assert mode == ownership.mode, \
+ "{} has an incorrect mode: {} should be {}".format(
+ file_name, ownership.mode, mode)
+ print("Validate mode of {}: PASS".format(file_name))
+
+
+@cached
+def _config_section(config, section):
+ """Read the configuration file and return a section."""
+ path = os.path.join(config.get('config_path'), config.get('config_file'))
+ conf = _config_ini(path)
+ return conf.get(section)
+
+
+@audit(is_audit_type(AuditType.OpenStackSecurityGuide),
+ it_has_config('files'))
+def validate_file_ownership(config):
+ """Verify that configuration files are owned by the correct user/group."""
+ files = config.get('files', {})
+ for file_name, options in files.items():
+ for key in options.keys():
+ if key not in ["owner", "group", "mode"]:
+ raise RuntimeError(
+ "Invalid ownership configuration: {}".format(key))
+ owner = options.get('owner', config.get('owner', 'root'))
+ group = options.get('group', config.get('group', 'root'))
+ if '*' in file_name:
+ for file in glob.glob(file_name):
+ if file not in files.keys():
+ if os.path.isfile(file):
+ _validate_file_ownership(owner, group, file)
+ else:
+ if os.path.isfile(file_name):
+ _validate_file_ownership(owner, group, file_name)
+
+
+@audit(is_audit_type(AuditType.OpenStackSecurityGuide),
+ it_has_config('files'))
+def validate_file_permissions(config):
+ """Verify that permissions on configuration files are secure enough."""
+ files = config.get('files', {})
+ for file_name, options in files.items():
+ for key in options.keys():
+ if key not in ["owner", "group", "mode"]:
+ raise RuntimeError(
+ "Invalid ownership configuration: {}".format(key))
+ mode = options.get('mode', config.get('permissions', '600'))
+ if '*' in file_name:
+ for file in glob.glob(file_name):
+ if file not in files.keys():
+ if os.path.isfile(file):
+ _validate_file_mode(mode, file)
+ else:
+ if os.path.isfile(file_name):
+ _validate_file_mode(mode, file_name)
+
+
+@audit(is_audit_type(AuditType.OpenStackSecurityGuide))
+def validate_uses_keystone(audit_options):
+ """Validate that the service uses Keystone for authentication."""
+ section = _config_section(audit_options, 'DEFAULT')
+ assert section is not None, "Missing section 'DEFAULT'"
+ assert section.get('auth_strategy') == "keystone", \
+ "Application is not using Keystone"
+
+
+@audit(is_audit_type(AuditType.OpenStackSecurityGuide))
+def validate_uses_tls_for_keystone(audit_options):
+ """Verify that TLS is used to communicate with Keystone."""
+ section = _config_section(audit_options, 'keystone_authtoken')
+ assert section is not None, "Missing section 'keystone_authtoken'"
+ assert not section.get('insecure') and \
+ "https://" in section.get("auth_uri"), \
+ "TLS is not used for Keystone"
+
+
+@audit(is_audit_type(AuditType.OpenStackSecurityGuide))
+def validate_uses_tls_for_glance(audit_options):
+ """Verify that TLS is used to communicate with Glance."""
+ section = _config_section(audit_options, 'glance')
+ assert section is not None, "Missing section 'glance'"
+ assert not section.get('insecure') and \
+ "https://" in section.get("api_servers"), \
+ "TLS is not used for Glance"
diff --git a/charmhelpers/contrib/openstack/context.py b/charmhelpers/contrib/openstack/context.py
index 78a339f6..fc634cc6 100644
--- a/charmhelpers/contrib/openstack/context.py
+++ b/charmhelpers/contrib/openstack/context.py
@@ -29,6 +29,7 @@ from charmhelpers.fetch import (
filter_installed_packages,
)
from charmhelpers.core.hookenv import (
+ NoNetworkBinding,
config,
is_relation_made,
local_unit,
@@ -868,7 +869,7 @@ class ApacheSSLContext(OSContextGenerator):
addr = network_get_primary_address(
ADDRESS_MAP[net_type]['binding']
)
- except NotImplementedError:
+ except (NotImplementedError, NoNetworkBinding):
addr = fallback
endpoint = resolve_address(net_type)
diff --git a/charmhelpers/contrib/openstack/ip.py b/charmhelpers/contrib/openstack/ip.py
index 73102af7..df83b91b 100644
--- a/charmhelpers/contrib/openstack/ip.py
+++ b/charmhelpers/contrib/openstack/ip.py
@@ -13,6 +13,7 @@
# limitations under the License.
from charmhelpers.core.hookenv import (
+ NoNetworkBinding,
config,
unit_get,
service_name,
@@ -175,7 +176,7 @@ def resolve_address(endpoint_type=PUBLIC, override=True):
# configuration is not in use
try:
resolved_address = network_get_primary_address(binding)
- except NotImplementedError:
+ except (NotImplementedError, NoNetworkBinding):
resolved_address = fallback_addr
if resolved_address is None:
diff --git a/charmhelpers/contrib/openstack/templates/section-oslo-messaging-rabbit b/charmhelpers/contrib/openstack/templates/section-oslo-messaging-rabbit
new file mode 100644
index 00000000..bed2216a
--- /dev/null
+++ b/charmhelpers/contrib/openstack/templates/section-oslo-messaging-rabbit
@@ -0,0 +1,10 @@
+[oslo_messaging_rabbit]
+{% if rabbitmq_ha_queues -%}
+rabbit_ha_queues = True
+{% endif -%}
+{% if rabbit_ssl_port -%}
+ssl = True
+{% endif -%}
+{% if rabbit_ssl_ca -%}
+ssl_ca_file = {{ rabbit_ssl_ca }}
+{% endif -%}
diff --git a/charmhelpers/contrib/storage/linux/ceph.py b/charmhelpers/contrib/storage/linux/ceph.py
index 63c93044..22aa978b 100644
--- a/charmhelpers/contrib/storage/linux/ceph.py
+++ b/charmhelpers/contrib/storage/linux/ceph.py
@@ -59,6 +59,7 @@ from charmhelpers.core.host import (
service_stop,
service_running,
umount,
+ cmp_pkgrevno,
)
from charmhelpers.fetch import (
apt_install,
@@ -178,7 +179,6 @@ class Pool(object):
"""
# read-only is easy, writeback is much harder
mode = get_cache_mode(self.service, cache_pool)
- version = ceph_version()
if mode == 'readonly':
check_call(['ceph', '--id', self.service, 'osd', 'tier', 'cache-mode', cache_pool, 'none'])
check_call(['ceph', '--id', self.service, 'osd', 'tier', 'remove', self.name, cache_pool])
@@ -186,7 +186,7 @@ class Pool(object):
elif mode == 'writeback':
pool_forward_cmd = ['ceph', '--id', self.service, 'osd', 'tier',
'cache-mode', cache_pool, 'forward']
- if version >= '10.1':
+ if cmp_pkgrevno('ceph', '10.1') >= 0:
# Jewel added a mandatory flag
pool_forward_cmd.append('--yes-i-really-mean-it')
@@ -196,7 +196,8 @@ class Pool(object):
check_call(['ceph', '--id', self.service, 'osd', 'tier', 'remove-overlay', self.name])
check_call(['ceph', '--id', self.service, 'osd', 'tier', 'remove', self.name, cache_pool])
- def get_pgs(self, pool_size, percent_data=DEFAULT_POOL_WEIGHT):
+ def get_pgs(self, pool_size, percent_data=DEFAULT_POOL_WEIGHT,
+ device_class=None):
"""Return the number of placement groups to use when creating the pool.
Returns the number of placement groups which should be specified when
@@ -229,6 +230,9 @@ class Pool(object):
increased. NOTE: the default is primarily to handle the scenario
where related charms requiring pools has not been upgraded to
include an update to indicate their relative usage of the pools.
+ :param device_class: str. class of storage to use for basis of pgs
+ calculation; ceph supports nvme, ssd and hdd by default based
+ on presence of devices of each type in the deployment.
:return: int. The number of pgs to use.
"""
@@ -243,17 +247,20 @@ class Pool(object):
# If the expected-osd-count is specified, then use the max between
# the expected-osd-count and the actual osd_count
- osd_list = get_osds(self.service)
+ osd_list = get_osds(self.service, device_class)
expected = config('expected-osd-count') or 0
if osd_list:
- osd_count = max(expected, len(osd_list))
+ if device_class:
+ osd_count = len(osd_list)
+ else:
+ osd_count = max(expected, len(osd_list))
# Log a message to provide some insight if the calculations claim
# to be off because someone is setting the expected count and
# there are more OSDs in reality. Try to make a proper guess
# based upon the cluster itself.
- if expected and osd_count != expected:
+ if not device_class and expected and osd_count != expected:
log("Found more OSDs than provided expected count. "
"Using the actual count instead", INFO)
elif expected:
@@ -626,7 +633,8 @@ def remove_erasure_profile(service, profile_name):
def create_erasure_profile(service, profile_name, erasure_plugin_name='jerasure',
failure_domain='host',
data_chunks=2, coding_chunks=1,
- locality=None, durability_estimator=None):
+ locality=None, durability_estimator=None,
+ device_class=None):
"""
Create a new erasure code profile if one does not already exist for it. Updates
the profile if it exists. Please see http://docs.ceph.com/docs/master/rados/operations/erasure-code-profile/
@@ -640,10 +648,9 @@ def create_erasure_profile(service, profile_name, erasure_plugin_name='jerasure'
:param coding_chunks: int
:param locality: int
:param durability_estimator: int
+ :param device_class: six.string_types
:return: None. Can raise CalledProcessError
"""
- version = ceph_version()
-
# Ensure this failure_domain is allowed by Ceph
validator(failure_domain, six.string_types,
['chassis', 'datacenter', 'host', 'osd', 'pdu', 'pod', 'rack', 'region', 'room', 'root', 'row'])
@@ -654,12 +661,20 @@ def create_erasure_profile(service, profile_name, erasure_plugin_name='jerasure'
if locality is not None and durability_estimator is not None:
raise ValueError("create_erasure_profile should be called with k, m and one of l or c but not both.")
+ luminous_or_later = cmp_pkgrevno('ceph', '12.0.0') >= 0
# failure_domain changed in luminous
- if version and version >= '12.0.0':
+ if luminous_or_later:
cmd.append('crush-failure-domain=' + failure_domain)
else:
cmd.append('ruleset-failure-domain=' + failure_domain)
+ # device class new in luminous
+ if luminous_or_later and device_class:
+ cmd.append('crush-device-class={}'.format(device_class))
+ else:
+ log('Skipping device class configuration (ceph < 12.0.0)',
+ level=DEBUG)
+
# Add plugin specific information
if locality is not None:
# For local erasure codes
@@ -744,20 +759,26 @@ def pool_exists(service, name):
return name in out.split()
-def get_osds(service):
+def get_osds(service, device_class=None):
"""Return a list of all Ceph Object Storage Daemons currently in the
- cluster.
+ cluster (optionally filtered by storage device class).
+
+ :param device_class: Class of storage device for OSD's
+ :type device_class: str
"""
- version = ceph_version()
- if version and version >= '0.56':
+ luminous_or_later = cmp_pkgrevno('ceph', '12.0.0') >= 0
+ if luminous_or_later and device_class:
+ out = check_output(['ceph', '--id', service,
+ 'osd', 'crush', 'class',
+ 'ls-osd', device_class,
+ '--format=json'])
+ else:
out = check_output(['ceph', '--id', service,
'osd', 'ls',
'--format=json'])
- if six.PY3:
- out = out.decode('UTF-8')
- return json.loads(out)
-
- return None
+ if six.PY3:
+ out = out.decode('UTF-8')
+ return json.loads(out)
def install():
@@ -811,7 +832,7 @@ def set_app_name_for_pool(client, pool, name):
:raises: CalledProcessError if ceph call fails
"""
- if ceph_version() >= '12.0.0':
+ if cmp_pkgrevno('ceph', '12.0.0') >= 0:
cmd = ['ceph', '--id', client, 'osd', 'pool',
'application', 'enable', pool, name]
check_call(cmd)
@@ -1091,22 +1112,6 @@ def ensure_ceph_keyring(service, user=None, group=None,
return True
-def ceph_version():
- """Retrieve the local version of ceph."""
- if os.path.exists('/usr/bin/ceph'):
- cmd = ['ceph', '-v']
- output = check_output(cmd)
- if six.PY3:
- output = output.decode('UTF-8')
- output = output.split()
- if len(output) > 3:
- return output[2]
- else:
- return None
- else:
- return None
-
-
class CephBrokerRq(object):
"""Ceph broker request.
@@ -1147,7 +1152,8 @@ class CephBrokerRq(object):
'object-prefix-permissions': object_prefix_permissions})
def add_op_create_pool(self, name, replica_count=3, pg_num=None,
- weight=None, group=None, namespace=None):
+ weight=None, group=None, namespace=None,
+ app_name=None):
"""Adds an operation to create a pool.
@param pg_num setting: optional setting. If not provided, this value
@@ -1155,6 +1161,11 @@ class CephBrokerRq(object):
cluster at the time of creation. Note that, if provided, this value
will be capped at the current available maximum.
@param weight: the percentage of data the pool makes up
+ :param app_name: (Optional) Tag pool with application name. Note that
+ there is certain protocols emerging upstream with
+ regard to meaningful application names to use.
+ Examples are ``rbd`` and ``rgw``.
+ :type app_name: str
"""
if pg_num and weight:
raise ValueError('pg_num and weight are mutually exclusive')
@@ -1162,7 +1173,7 @@ class CephBrokerRq(object):
self.ops.append({'op': 'create-pool', 'name': name,
'replicas': replica_count, 'pg_num': pg_num,
'weight': weight, 'group': group,
- 'group-namespace': namespace})
+ 'group-namespace': namespace, 'app-name': app_name})
def set_ops(self, ops):
"""Set request ops to provided value.
diff --git a/templates/ocata/glance-api.conf b/templates/ocata/glance-api.conf
new file mode 100644
index 00000000..fbbb545f
--- /dev/null
+++ b/templates/ocata/glance-api.conf
@@ -0,0 +1,103 @@
+[DEFAULT]
+verbose = {{ verbose }}
+use_syslog = {{ use_syslog }}
+debug = {{ debug }}
+workers = {{ workers }}
+bind_host = {{ bind_host }}
+
+{% if ext -%}
+bind_port = {{ ext }}
+{% elif bind_port -%}
+bind_port = {{ bind_port }}
+{% else -%}
+bind_port = 9292
+{% endif -%}
+
+{% if transport_url %}
+transport_url = {{ transport_url }}
+{% endif %}
+
+log_file = /var/log/glance/api.log
+backlog = 4096
+
+registry_host = {{ registry_host }}
+registry_port = 9191
+registry_client_protocol = http
+
+{% if expose_image_locations -%}
+show_multiple_locations = {{ expose_image_locations }}
+show_image_direct_url = {{ expose_image_locations }}
+{% endif -%}
+
+{% if api_config_flags -%}
+{% for key, value in api_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+delayed_delete = False
+scrub_time = 43200
+scrubber_datadir = /var/lib/glance/scrubber
+image_cache_dir = /var/lib/glance/image-cache/
+db_enforce_mysql_charset = False
+
+{% if image_size_cap -%}
+image_size_cap = {{ image_size_cap }}
+{% endif -%}
+
+[glance_store]
+{%- if use_internal_endpoints %}
+catalog_info = {{ volume_catalog_info }}
+{%- endif %}
+
+filesystem_store_datadir = {{ filesystem_store_datadir }}
+
+stores = {{ known_stores }}
+{% if rbd_pool -%}
+default_store = rbd
+{% elif swift_store -%}
+default_store = swift
+{% elif cinder_store -%}
+default_store = cinder
+{% else -%}
+default_store = file
+{% endif -%}
+
+{% if swift_store -%}
+default_swift_reference = swift
+swift_store_config_file = /etc/glance/glance-swift.conf
+swift_store_create_container_on_put = true
+{% endif -%}
+
+{% if rbd_pool -%}
+rbd_store_ceph_conf = /etc/ceph/ceph.conf
+rbd_store_user = {{ rbd_user }}
+rbd_store_pool = {{ rbd_pool }}
+rbd_store_chunk_size = 8
+{% endif -%}
+
+[image_format]
+disk_formats = {{ disk_formats }}
+{% if container_formats -%}
+container_formats = {{ container_formats }}
+{% endif -%}
+
+{% include "section-keystone-authtoken-mitaka" %}
+
+{% if auth_host -%}
+[paste_deploy]
+flavor = keystone
+{% endif %}
+
+[barbican]
+auth_endpoint = {{ service_protocol }}://{{ service_host }}:{{ service_port }}/v3
+
+{% include "parts/section-database" %}
+
+{% include "section-oslo-messaging-rabbit" %}
+
+{% include "section-oslo-notifications" %}
+
+{% include "section-oslo-middleware" %}
+
+{% include "parts/section-storage" %}
diff --git a/tests/basic_deployment.py b/tests/basic_deployment.py
index 54114089..4816d08b 100644
--- a/tests/basic_deployment.py
+++ b/tests/basic_deployment.py
@@ -371,97 +371,6 @@ class GlanceBasicDeployment(OpenStackAmuletDeployment):
message = u.relation_error('glance amqp', ret)
amulet.raise_status(amulet.FAIL, msg=message)
- def test_300_glance_api_default_config(self):
- """Verify default section configs in glance-api.conf and
- compare some of the parameters to relation data."""
- u.log.debug('Checking glance api config file...')
- unit = self.glance_sentry
- rel_mq_gl = self.rabbitmq_sentry.relation('amqp', 'glance:amqp')
- rel_my_gl = self.pxc_sentry.relation('shared-db', 'glance:shared-db')
- if self._get_openstack_release() < self.bionic_stein:
- dialect = 'mysql'
- else:
- dialect = 'mysql+pymysql'
- db_uri = "{}://{}:{}@{}/{}".format(dialect,
- 'glance',
- rel_my_gl['password'],
- rel_my_gl['db_host'],
- 'glance')
- conf = '/etc/glance/glance-api.conf'
- expected = {
- 'DEFAULT': {
- 'debug': 'False',
- 'verbose': 'False',
- 'use_syslog': 'False',
- 'log_file': '/var/log/glance/api.log',
- 'bind_host': '0.0.0.0',
- 'bind_port': '9282',
- 'registry_host': '0.0.0.0',
- 'registry_port': '9191',
- 'registry_client_protocol': 'http',
- 'delayed_delete': 'False',
- 'scrub_time': '43200',
- 'notification_driver': 'rabbit',
- 'scrubber_datadir': '/var/lib/glance/scrubber',
- 'image_cache_dir': '/var/lib/glance/image-cache/',
- 'db_enforce_mysql_charset': 'False'
- },
- }
-
- if self._get_openstack_release() >= self.trusty_kilo:
- # Kilo or later
- expected['oslo_messaging_rabbit'] = {
- 'rabbit_userid': 'glance',
- 'rabbit_virtual_host': 'openstack',
- 'rabbit_password': rel_mq_gl['password'],
- 'rabbit_host': rel_mq_gl['hostname']
- }
- expected['glance_store'] = {
- 'filesystem_store_datadir': '/var/lib/glance/images/',
- 'stores': 'glance.store.filesystem.'
- 'Store,glance.store.http.Store',
- 'default_store': 'file'
- }
- expected['database'] = {
- 'idle_timeout': '3600',
- 'connection': db_uri
- }
-
- if self._get_openstack_release() >= self.trusty_mitaka:
- del expected['DEFAULT']['notification_driver']
- connection_uri = (
- "rabbit://glance:{}@{}:5672/"
- "openstack".format(rel_mq_gl['password'],
- rel_mq_gl['hostname'])
- )
- expected['oslo_messaging_notifications'] = {
- 'driver': 'messagingv2',
- 'transport_url': connection_uri
- }
- else:
- expected['DEFAULT']['notification_driver'] = 'messagingv2'
-
- else:
- # Juno or earlier
- expected['DEFAULT'].update({
- 'rabbit_userid': 'glance',
- 'rabbit_virtual_host': 'openstack',
- 'rabbit_password': rel_mq_gl['password'],
- 'rabbit_host': rel_mq_gl['hostname'],
- 'filesystem_store_datadir': '/var/lib/glance/images/',
- 'default_store': 'file',
- })
- expected['database'] = {
- 'sql_idle_timeout': '3600',
- 'connection': db_uri
- }
-
- for section, pairs in expected.iteritems():
- ret = u.validate_config_data(unit, conf, section, pairs)
- if ret:
- message = "glance api config error: {}".format(ret)
- amulet.raise_status(amulet.FAIL, msg=message)
-
def test_302_glance_registry_default_config(self):
"""Verify configs in glance-registry.conf"""
u.log.debug('Checking glance registry config file...')