#!/bin/bash
# Treat any reference to an unset variable as an error.
set -u

# Settings for openssl cert generation.
USE_HTTPS="$(config-get use-https)"
COUNTRY="$(config-get country)"
STATE="$(config-get state)"
LOCALE="$(config-get locale)"
COMMON_NAME="$(config-get common-name)"

# Package source, listener and auth backend selection.
PPA="$(config-get swift-release)"
BINDPORT="$(config-get bind-port)"
WORKERS="$(config-get workers)"
AUTHTYPE="$(config-get auth-type)"

# Keystone endpoint and service account; create_proxy_conf writes these
# values into /etc/swift/proxy-server.conf.
KEYSTONE_AUTH_HOST="$(config-get keystone-auth-host)"
KEYSTONE_AUTH_PORT="$(config-get keystone-auth-port)"
KEYSTONE_AUTH_PROTOCOL="$(config-get keystone-auth-protocol)"
KEYSTONE_ADMIN_TENANT_NAME="$(config-get keystone-admin-tenant-name)"
KEYSTONE_ADMIN_USER="$(config-get keystone-admin-user)"
# NOTE(review): secret value. It lives in a plain shell variable, so it would
# appear in any `set -x` trace of this script.
KEYSTONE_ADMIN_PASSWORD="$(config-get keystone-admin-password)"
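# Used in proxy-server.conf. Run one worker per cpu core by default.
# Count only the per-CPU "processor : N" records. An unanchored match also
# counts any other line containing the word (for example a "model name" of
# "Common KVM processor" on some virtual machines), which inflates the result.
CORES=$(grep -c '^processor' /proc/cpuinfo)
# A configured worker count of 0 means "derive it from the core count".
if [ "$WORKERS" = "0" ]; then
  WORKERS="$CORES"
fi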
# TODO: internal swift traffic needs its own addresses, because network
# isolation is currently the only security measure in place for it.
# NOTE(review): this value is interpolated into proxy-server.conf
# (memcache_servers and the tempauth storage URL). Nothing here checks the
# answer from dig, so an empty or multi-line result would end up in the
# generated config as-is.
PROXY_LOCAL_NET_IP=$(dig +short $(unit-get private-address))
# Ring config is distributed through apache2 until juju supports file
# transfer.
PACKAGES="swift swift-proxy memcached apache2"
# python-keystone is only pulled in when keystone auth is selected.
case "$AUTHTYPE" in
  keystone) PACKAGES="${PACKAGES} python-keystone" ;;
esac
# Directory used for the ring files (see the apache2 note above).
WWW_DIR="/var/www/swift-rings"
# Persistent copy of the swift hash path suffix.
SWIFT_HASH_FILE="/var/lib/juju/swift-hash-path.conf"
# Ring configuration: the three values initialize_ring passes to
# `swift-ring-builder ... create`.
PARTITION_POWER="$(config-get partition-power)"
REPLICAS="$(config-get replicas)"
MIN_HOURS="$(config-get min-hours)"
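# Generate the swift hash to be used for salting URLs of objects. The value is
# created once and reused for as long as $SWIFT_HASH_FILE exists.
# TODO: it is important this is never lost; find some way of getting it off
# the server and into a sysadmin's inbox?
# NOTE(review): /dev/random can block on an entropy-starved host, which would
# stall the hook - confirm that is acceptable here.
if [[ ! -e "$SWIFT_HASH_FILE" ]]; then
  juju-log "swift-proxy: Generating a new SWIFT_HASH in $SWIFT_HASH_FILE"
  # od pads its output with blanks; keep only the hex digits.
  new_swift_hash=$(od -t x8 -N 8 -A n </dev/random)
  new_swift_hash=${new_swift_hash//[[:space:]]/}
  # Never persist a short or empty value: the file is only generated when it
  # does not exist yet, so a bad value written here would be kept and end up
  # as the cluster's hash suffix.
  if [[ ! "$new_swift_hash" =~ ^[0-9a-f]{16}$ ]]; then
    juju-log "swift-proxy: Failed to generate SWIFT_HASH"
    exit 1
  fi
  # The suffix is a secret, so create the file readable by its owner only
  # instead of inheriting the hook's umask. The subshell keeps the umask
  # change local to this write.
  (umask 077 && printf '%s\n' "$new_swift_hash" >"$SWIFT_HASH_FILE") || exit 1
  unset new_swift_hash
fi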
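function set_swift_hash {
  # Write /etc/swift/swift.conf with the cluster's hash path suffix.
  # Globals:  SWIFT_HASH_FILE (read) - file holding the generated suffix
  # Returns:  1 without touching swift.conf if the suffix cannot be read or
  #           is empty, otherwise the status of the write
  # TODO: Do this with augeas and put in a utility function for use elsewhere
  # NOTE(review): swift.conf carries the secret suffix and is created with the
  # hook's umask; confirm its mode and owner are set elsewhere.
  local suffix
  suffix=$(cat -- "$SWIFT_HASH_FILE") || suffix=""
  # An empty suffix would still produce a syntactically valid swift.conf, so
  # refuse to write one rather than configure swift without a salt.
  if [[ -z "$suffix" ]]; then
    juju-log "swift-proxy: $SWIFT_HASH_FILE is missing or empty, not writing swift.conf"
    return 1
  fi
  cat >/etc/swift/swift.conf <<EOF
[swift-hash]
# random unique string that can never change (DO NOT LOSE)
swift_hash_path_suffix = $suffix
EOF
}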
function create_proxy_conf {
  # Render /etc/swift/proxy-server.conf from the charm settings.
  # Globals read: USE_HTTPS, BINDPORT, WORKERS, AUTHTYPE, KEYSTONE_AUTH_*,
  #               KEYSTONE_ADMIN_*, PROXY_LOCAL_NET_IP
  # Globals set:  SWIFT_DEB_VERSION, SIGNING_DIR_LINE, SWIFT3_LINE
  #
  # NOTE(review): the keystone branch writes admin_password in clear text.
  # This function never sets the file's mode or owner, so the file inherits
  # the hook's umask - confirm it does not end up world-readable.
  # NOTE(review): the non-keystone branch provisions a fixed tempauth account
  # (system:root, key "testpass", .admin group). Treat that branch as
  # test-only and keep such a proxy off untrusted networks.
  # NOTE(review): the tempauth storage URL is always https://...:8080, while
  # the listener follows USE_HTTPS and BINDPORT - looks inconsistent, confirm.
  local conf=/etc/swift/proxy-server.conf

  SWIFT_DEB_VERSION="$(dpkg-query -W -f='${Version}' 'swift-proxy')"

  # Start a fresh file; every later section is appended to it.
  cat >"$conf" <<EOF
[DEFAULT]
EOF

  # TLS material is only referenced when HTTPS was requested.
  if [[ "$USE_HTTPS" == "1" ]]; then
    cat >>"$conf" <<EOF
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
EOF
  fi

  cat >>"$conf" <<EOF
bind_port = $BINDPORT
workers = $WORKERS
user = swift

EOF

  if [[ "$AUTHTYPE" == "keystone" ]]; then
    # Package versions starting with 1.7 get a signing_dir line and the
    # swift3 egg; every other version uses the swift egg and no signing_dir.
    case "$SWIFT_DEB_VERSION" in
      1.7*)
        SIGNING_DIR_LINE="signing_dir = /etc/swift"
        SWIFT3_LINE="use = egg:swift3#swift3"
        ;;
      *)
        SIGNING_DIR_LINE=""
        SWIFT3_LINE="use = egg:swift#swift3"
        ;;
    esac
    cat >>"$conf" <<EOF
[pipeline:main]
pipeline = healthcheck cache swift3 s3token authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin, swiftaccess

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
# Delaying the auth decision is required to support token-less
# usage for anonymous referrers ('.r:*') or for tempurl/formpost
# middleware.
delay_auth_decision = 1
auth_port = $KEYSTONE_AUTH_PORT
auth_host = $KEYSTONE_AUTH_HOST
auth_protocol = $KEYSTONE_AUTH_PROTOCOL
admin_tenant_name = $KEYSTONE_ADMIN_TENANT_NAME
admin_user = $KEYSTONE_ADMIN_USER
admin_password = $KEYSTONE_ADMIN_PASSWORD
$SIGNING_DIR_LINE

[filter:swift3]
$SWIFT3_LINE

[filter:s3token]
paste.filter_factory = keystone.middleware.s3_token:filter_factory
auth_port = $KEYSTONE_AUTH_PORT
auth_host = $KEYSTONE_AUTH_HOST
auth_protocol = $KEYSTONE_AUTH_PROTOCOL

EOF
  else
    cat >>"$conf" <<EOF
[pipeline:main]
pipeline = healthcheck cache tempauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:tempauth]
use = egg:swift#tempauth
user_system_root = testpass .admin https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system

EOF
  fi

  # Filters shared by both pipelines. The cache filter points at memcached on
  # the unit's private address.
  cat >>"$conf" <<EOF
[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = $PROXY_LOCAL_NET_IP:11211

EOF
}
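function initialize_ring {
  # Create the builder file for one ring.
  # Arguments: $1 - ring name; the builder is /etc/swift/$1.builder
  # Globals:   PARTITION_POWER, REPLICAS, MIN_HOURS (read) - from charm config
  # Returns:   exit status of swift-ring-builder
  local ring=$1
  # Quoted so each value reaches swift-ring-builder as exactly one argument,
  # with no word splitting or glob expansion.
  swift-ring-builder "/etc/swift/${ring}.builder" \
    create "$PARTITION_POWER" "$REPLICAS" "$MIN_HOURS"
}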
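function get_zone {
  # Hand the remote unit a zone, cycling through 1..REPLICAS.
  # A hack to assign units to zones until config is taken care of in juju.
  # Globals:  JUJU_REMOTE_UNIT, REPLICAS (read); ZONE (written);
  #           zone_file, checked_in (written; left global as before)
  # Returns:  0 on the early-return paths, otherwise the status of the final
  #           write to the zone file
  local seen_unit seen_zone
  zone_file="/var/run/juju/swift-zone"
  checked_in="/var/run/juju/checked-in"
  if [[ -e "$checked_in" ]]; then
    # The changed relation seems to run twice; don't hand out a new zone if
    # this unit already got one.
    # The whole unit name is compared. A pattern/substring match would let a
    # unit such as "svc/1" pick up the record of "svc/10" and be returned the
    # wrong zone without ever being recorded itself.
    while IFS=, read -r seen_unit seen_zone _; do
      if [[ "$seen_unit" == "$JUJU_REMOTE_UNIT" ]]; then
        ZONE=$seen_zone
        return 0
      fi
    done <"$checked_in"
  fi
  # First use: zones start at 1.
  if [[ ! -e "$zone_file" ]]; then
    echo 1 >"$zone_file"
  fi
  ZONE=$(cat -- "$zone_file")
  echo "$JUJU_REMOTE_UNIT,$ZONE" >>"$checked_in"
  # Wrap around once the last zone has been handed out. Both sides are quoted
  # so this is a string comparison, not a glob match against $REPLICAS.
  if [[ "$ZONE" == "$REPLICAS" ]]; then
    echo 1 >"$zone_file"
    return 0
  fi
  echo $((ZONE + 1)) >"$zone_file"
}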
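function add_to_ring {
  # Add the device described by the globals to one ring builder, weight 100.
  # Arguments: $1 - ring name; the builder is /etc/swift/$1.builder
  # Globals:   ZONE, IP, PORT, DEVICE (read)
  # Returns:   0 if swift-ring-builder accepted the device, 1 otherwise
  local ring=$1
  juju-log "swift-proxy: Updating $ring ring. Adding $IP:$PORT, zone $ZONE, device $DEVICE"
  # NOTE(review): IP, PORT and DEVICE presumably come from the remote unit's
  # relation data - confirm. They are quoted so the device spec always reaches
  # swift-ring-builder as a single argument and cannot be split or
  # glob-expanded into extra arguments.
  if swift-ring-builder "/etc/swift/${ring}.builder" add \
    "z${ZONE}-${IP}:${PORT}/${DEVICE}" 100; then
    juju-log "Added to ring: $IP:$PORT, zone $ZONE, device $DEVICE"
    return 0
  fi
  juju-log "swift-proxy: Failed to add to ring."
  return 1
}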
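function exists_in_ring {
  # Search one ring builder for the device described by the globals.
  # Arguments: $1 - ring name (optional). When omitted, the caller's loop
  #                 variable $i is used, which is what this function has
  #                 always read.
  # Globals:   ZONE, IP, PORT, DEVICE, i (read)
  # Returns:   exit status of `swift-ring-builder ... search`
  local ring=${1:-$i}
  # Quoted so the device spec is passed as exactly one argument.
  swift-ring-builder "/etc/swift/${ring}.builder" \
    search "z${ZONE}-${IP}:${PORT}/${DEVICE}"
}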
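function rebalance_ring {
  # Rebalance one ring builder.
  # Arguments: $1 - ring name; the builder is /etc/swift/$1.builder
  # Returns:   exit status of `swift-ring-builder ... rebalance`
  local ring=$1
  juju-log "Rebalancing ring $ring"
  # Operate on the ring that was just logged. The builder path was previously
  # built from the caller's loop variable $i, which only matched the logged
  # name when the caller happened to pass "$i" as $1.
  swift-ring-builder "/etc/swift/${ring}.builder" rebalance
}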
function add_ppa {
  # Register the APT source selected by the swift-release setting.
  # Globals:  PPA (read; "milestone" is rewritten to "release"),
  #           PPA_URL (written), DISTRIB_CODENAME (from /etc/lsb-release)
  # Returns:  0; exits the script with status 1 if add-apt-repository fails
  #
  # NOTE(review): both branches hand add-apt-repository a plain "deb ..."
  # line, and the built-in one uses http://. Nothing in this function imports
  # a signing key, so package authenticity depends on APT signature
  # verification being set up elsewhere - confirm.
  case "$PPA" in
    distro)
      # Don't configure PPA, install from archive.
      return 0
      ;;
    "deb "*)
      # A complete sources line was supplied; use it unchanged.
      PPA_URL="$PPA"
      ;;
    *)
      . /etc/lsb-release
      if [[ "$PPA" == "milestone" ]]; then
        PPA="release"
      fi
      PPA_URL="deb http://ppa.launchpad.net/swift-core/$PPA/ubuntu $DISTRIB_CODENAME main"
      ;;
  esac
  if ! add-apt-repository "$PPA_URL"; then
    exit 1
  fi
}