openstack
/
congress
Code Issues Proposed changes
congress/devstack/plugin.sh

535 lines
20 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Plugin file for congress services
#----------------------------------
# Dependencies:
# ``functions`` file
# ``DEST`` must be defined
# ``STACK_USER`` must be defined
# Functions in this file are classified into the following categories:
#
# - entry points (called from stack.sh or unstack.sh)
# - internal functions
# - congress exercises
# Save trace setting
XTRACE=$(set +o | grep xtrace)
set -o xtrace
# Functions
# ---------
# Test if any Congress services are enabled
# is_congress_enabled
function is_congress_enabled {
[[ ,${ENABLED_SERVICES//congress-agent/} =~ ,"congress" ]] && return 0
return 1
}
# configure_congress()
# Set common config for all congress server and agents.
function configure_congress {
setup_develop $CONGRESS_DIR
# Put config files in ``CONGRESS_CONF_DIR`` for everyone to find
if [[ ! -d $CONGRESS_CONF_DIR ]]; then
sudo mkdir -p $CONGRESS_CONF_DIR
fi
sudo chown $STACK_USER $CONGRESS_CONF_DIR
touch $CONGRESS_CONF
sudo chown $STACK_USER $CONGRESS_CONF
# Format logging
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
setup_colorized_logging $CONGRESS_CONF DEFAULT project_id
fi
CONGRESS_API_PASTE_FILE=$CONGRESS_CONF_DIR/api-paste.ini
cp $CONGRESS_DIR/etc/api-paste.ini $CONGRESS_API_PASTE_FILE
if [[ ! -d $CONGRESS_LIBRARY_DIR ]]; then
mkdir $CONGRESS_LIBRARY_DIR
fi
cp -r $CONGRESS_DIR/library/* $CONGRESS_LIBRARY_DIR
# Update either configuration file
iniset $CONGRESS_CONF DEFAULT bind_host $(ipv6_unquote $SERVICE_LISTEN_ADDRESS)
iniset $CONGRESS_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $CONGRESS_CONF DEFAULT auth_strategy $CONGRESS_AUTH_STRATEGY
iniset $CONGRESS_CONF DEFAULT datasource_sync_period 30
iniset $CONGRESS_CONF DEFAULT replicated_policy_engine "$CONGRESS_REPLICATED"
iniset $CONGRESS_CONF DEFAULT transport_url rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672/
iniset $CONGRESS_CONF database connection `database_connection_url $CONGRESS_DB_NAME`
if [ "$ENABLE_CONGRESS_JSON" == "True" ]; then
iniset $CONGRESS_CONF json_ingester enable "True"
# when the main db is not postgres, the devstack function
# database_connection_url_postgresql returns URL with wrong prefix,
# so we do a substitution here
local db_connection_mysql=`database_connection_url_postgresql $CONGRESS_JSON_DB_NAME`
CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}
iniset $CONGRESS_CONF json_ingester db_connection $CONGRESS_JSON_DB_CONNECTION_URL
iniset $CONGRESS_CONF json_ingester config_path "$CONGRESS_JSON_CONF_DIR"
iniset $CONGRESS_CONF json_ingester config_reusables_path "$CONGRESS_JSON_CONF_REUSABLES_PATH"
# setup json ingester config files
if [[ ! -d $CONGRESS_JSON_CONF_DIR ]]; then
mkdir $CONGRESS_JSON_CONF_DIR
fi
echo "keystone_admin_auth_config:" > "$CONGRESS_JSON_CONF_REUSABLES_PATH"
echo " type: keystone" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
echo " config:" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
echo " project_name: $OS_PROJECT_NAME" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
echo " username: $OS_USERNAME" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
echo " password: $OS_PASSWORD" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
echo " auth_url: `openstack catalog show keystone -f value -c endpoints | sed -n 's/^\s*public: //p' | sed -n '1p'`" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
fi
_congress_setup_keystone $CONGRESS_CONF keystone_authtoken
}
function _configure_congress_json_ingester {
local endpoint=`openstack catalog show $1 -f value -c endpoints | sed -n 's/^\s*public:\s*//p' | sed -n '1p'`
if [[ ! -z $endpoint ]]; then
echo "$1_api_endpoint: $endpoint" >> "$CONGRESS_JSON_CONF_REUSABLES_PATH"
_copy_congress_json_ingester_config $1
fi
}
function _copy_congress_json_ingester_config {
cp $CONGRESS_DIR/etc/sample_json_ingesters/$1.yaml $CONGRESS_JSON_CONF_DIR/
}
function configure_congress_datasources {
if [ "$ENABLE_CONGRESS_JSON" == "True" ]; then
_configure_congress_json_ingester cinderv3
_configure_congress_json_ingester glance
_configure_congress_json_ingester heat
_configure_congress_json_ingester keystone
_configure_congress_json_ingester magnum
_configure_congress_json_ingester masakari
_configure_congress_json_ingester mistral
_configure_congress_json_ingester neutron
_configure_congress_json_ingester nova
_configure_congress_json_ingester tacker
_configure_congress_json_ingester zun
_copy_congress_json_ingester_config monasca
_copy_congress_json_ingester_config cve
if [ "$CONGRESS_MULTIPROCESS_DEPLOYMENT" == "False" ]; then
restart_service devstack@congress.service
echo "Waiting for Congress to restart..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! wget --no-proxy -q -O- http://$CONGRESS_HOST:$CONGRESS_PORT; do sleep 1; done"; then
die $LINENO "Congress did not restart"
fi
else
restart_service devstack@congress-datasources.service
fi
fi
_configure_service neutron neutronv2
_configure_service neutron-qos neutronv2_qos
_configure_service nova nova
_configure_service key keystonev3
_configure_service cinder cinder
_configure_service swift swift
_configure_service glance glancev2
_configure_service monasca monasca
_configure_service murano murano
_configure_service ironic ironic
_configure_service heat heat
_configure_service aodh aodh
_configure_service mistral mistral
_configure_service tacker tacker
if [[ $ENABLE_CONGRESS_AGENT == "True" ]] ; then
_configure_service congress-agent config
fi
}
function _configure_tempest {
# NOTE(gmann): Every service which are required by congress
# CI/CD has to be explicitly set here on Tempest. Devstack
# only set the Tempest in-tree configured service only which
# are - [nova, keystone, cinder, glance, swift, glance, neutron].
# service_available from Tempest plugin is not guaranteed to be
# set correctly due to different env setup scenario, so it is
# better to set it explicitly here.
local service
local required_services="heat,ironic,aodh,murano,mistral,monasca,neutron-qos,tacker"
for service in ${required_services//,/ }; do
if is_service_enabled $service ; then
iniset $TEMPEST_CONFIG service_available $service "True"
else
iniset $TEMPEST_CONFIG service_available $service "False"
fi
done
iniset $TEMPEST_CONFIG service_available congress "True"
# Notify tempest if z3 is enabled.
if [[ $ENABLE_CONGRESS_Z3 == "True" ]] ; then
iniset $TEMPEST_CONFIG congressz3 enabled "True"
fi
# Set feature flags
# (remove when Queens no longer supported)
iniset $TEMPEST_CONFIG congress-feature-enabled monasca_webhook "True"
iniset $TEMPEST_CONFIG congress-feature-enabled vitrage_webhook "True"
}
function _configure_service {
if is_service_enabled $1; then
if [ "$2" == "config" ] ; then
openstack congress datasource create $2 "$2" \
--config poll_time=10
else
openstack congress datasource create $2 "$2" \
--config poll_time=10 \
--config username=$OS_USERNAME \
--config tenant_name=$OS_PROJECT_NAME \
--config password=$OS_PASSWORD \
--config auth_url=http://$SERVICE_HOST/identity
fi
fi
}
function create_predefined_policy {
if [ -n "$CONGRESS_PREDEFINED_POLICY_FILE" ] ; then
python $CONGRESS_DIR/scripts/preload-policies/output_policy_command.py \
$CONGRESS_PREDEFINED_POLICY_FILE | while read CONGRESS_CMD
do
$CONGRESS_CMD
done
fi
}
function _install_congress_dashboard {
git_clone $CONGRESSDASHBOARD_REPO $CONGRESSDASHBOARD_DIR $CONGRESSDASHBOARD_BRANCH
setup_develop $CONGRESSDASHBOARD_DIR
_congress_setup_horizon
}
function _install_z3 {
if [[ $USE_Z3_RELEASE != None ]]; then
mkdir -p $CONGRESS_Z3_DIR
pushd $CONGRESS_Z3_DIR
z3rel="z3-${USE_Z3_RELEASE}"
z3file="${z3rel}-x64-${os_VENDOR,,}-${os_RELEASE}"
# binary not available for ubuntu-18, so use ubuntu-16 binary instead
if [ ${os_VENDOR,,} == "ubuntu" ] && [ ${os_RELEASE} == "18.04" ]; then
z3file="${z3rel}-x64-ubuntu-16.04"
echo "WARNING: Using ${z3file} binary on ${os_VENDOR,,}-${os_RELEASE} because ${z3rel}-x64-${os_VENDOR,,}-${os_RELEASE} is not available."
fi
url="https://github.com/Z3Prover/z3/releases/download/${z3rel}/${z3file}.zip"
if [ ! -f "${z3file}.zip" ]; then
wget "${url}" || true
fi
if [ ! -f "${z3file}.zip" ]; then
echo "Failed to download z3 release ${USE_Z3_RELEASE} for ${os_VENDOR}-${os_RELEASE}"
exit 1
fi
unzip -o "${z3file}.zip" "${z3file}/bin/python/z3/*" "${z3file}/bin/libz3.so"
dist_dir=$($PYTHON -c "import site; print(site.getsitepackages()[0])")
sudo cp -r "${z3file}/bin/python/z3" "${dist_dir}"
sudo mkdir -p "${dist_dir}/z3/lib"
sudo cp "${z3file}/bin/libz3.so" /usr/lib
sudo ln -s /usr/lib/libz3.so "${dist_dir}/z3/lib/libz3.so"
popd
else
git_clone $CONGRESS_Z3_REPO $CONGRESS_Z3_DIR $CONGRESS_Z3_BRANCH
pushd $CONGRESS_Z3_DIR
${PYTHON} scripts/mk_make.py --python
cd build
make
sudo make install
popd
fi
}
function _uninstall_z3 {
if [[ $USE_Z3_RELEASE != None ]]; then
sudo rm /usr/lib/libz3.so
dist_dir=$($PYTHON -c "import site; print(site.getsitepackages()[0])")
# Double check we are removing what we must remove.
if [ -f "${dist_dir}/z3/z3core.py" ]; then
sudo rm -rf "${dist_dir}/z3"
fi
else
pushd $CONGRESS_Z3_DIR
cd build
sudo make uninstall
popd
fi
}
# create_congress_cache_dir() - Part of the _congress_setup_keystone() process
function create_congress_cache_dir {
# Create cache dir
sudo mkdir -p $CONGRESS_AUTH_CACHE_DIR
sudo chown $STACK_USER $CONGRESS_AUTH_CACHE_DIR
rm -f $CONGRESS_AUTH_CACHE_DIR/*
}
# create_congress_accounts() - Set up common required congress accounts
# Tenant User Roles
# ---------------------------------------------------------------------
# service congress admin # if enabled
# Migrated from keystone_data.sh
function create_congress_accounts {
if [[ "$ENABLED_SERVICES" =~ "congress" ]]; then
create_service_user "congress"
local congress_service=$(get_or_create_service "congress" \
"policy" "Congress Service")
get_or_create_endpoint $congress_service \
"$REGION_NAME" \
"http://$SERVICE_HOST:$CONGRESS_PORT/" \
"http://$SERVICE_HOST:$CONGRESS_PORT/" \
"http://$SERVICE_HOST:$CONGRESS_PORT/"
fi
}
# init_congress() - Initialize databases, etc.
function init_congress {
recreate_database $CONGRESS_DB_NAME utf8
if [ "$ENABLE_CONGRESS_JSON" == "True" ]; then
if [ ${DATABASE_TYPE,,} != "postgresql" ]; then
# setup separate postgres db if main is not already postgres
install_database_postgresql
install_database_python_postgresql
configure_database_postgresql
fi
recreate_database_postgresql $CONGRESS_JSON_DB_NAME utf8
psql --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \
--set=user_role="$CONGRESS_JSON_USER_ROLE" \
--set=db_name="$CONGRESS_JSON_DB_NAME" \
$CONGRESS_JSON_DB_CONNECTION_URL \
-f $CONGRESS_DIR/scripts/jgress/setup_permissions.sql
fi
# Run Congress db migrations
congress-db-manage --config-file $CONGRESS_CONF upgrade head
}
function install_congress_pythonclient() {
# For using non-released client from git branch, need to add
# LIBS_FROM_GIT=python-congressclient parameter to localrc.
# Otherwise, congress will install python-congressclient from requirements.
if use_library_from_git "python-congressclient"; then
git_clone_by_name "python-congressclient"
setup_dev_lib "python-congressclient"
fi
}
# install_congress() - install dependency, collect client source and prepare
function install_congress {
install_congress_pythonclient
if is_service_enabled horizon; then
_install_congress_dashboard
fi
if [[ $ENABLE_CONGRESS_Z3 == "True" ]] ; then
_install_z3
fi
}
# Start running processes, including screen
function start_congress_service_and_check {
# build config-file options
local cfg_file
local CFG_FILE_OPTIONS="--config-file $CONGRESS_CONF"
# Start the congress services in separate processes
echo_summary "Installing congress services"
if [ "$CONGRESS_MULTIPROCESS_DEPLOYMENT" == "False" ]; then
echo "Installing congress as single process"
run_process congress "$CONGRESS_BIN_DIR/congress-server --node-id=allinonenode $CFG_FILE_OPTIONS"
else
echo "Installing congress as multi process"
run_process congress-api "$CONGRESS_BIN_DIR/congress-server --api --node-id=apinode $CFG_FILE_OPTIONS"
run_process congress-engine "$CONGRESS_BIN_DIR/congress-server --policy-engine --node-id=enginenode $CFG_FILE_OPTIONS"
run_process congress-datasources "$CONGRESS_BIN_DIR/congress-server --datasources --node-id=datanode $CFG_FILE_OPTIONS"
fi
# Start multiple PE's
if [ "$CONGRESS_REPLICATED" == "True" ]; then
run_process congress-engine "$CONGRESS_BIN_DIR/congress-server --policy-engine --node-id=enginenode-2 $CFG_FILE_OPTIONS"
run_process congress-engine "$CONGRESS_BIN_DIR/congress-server --policy-engine --node-id=enginenode-3 $CFG_FILE_OPTIONS"
fi
echo "Waiting for Congress to start..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! wget --no-proxy -q -O- http://$CONGRESS_HOST:$CONGRESS_PORT; do sleep 1; done"; then
die $LINENO "Congress did not start"
fi
# Expose encryption key to tempest test launched replica instances
# WARNING: this setting deploys an insecure setup meant for gate-test only
# Explanation: congress_tempest_tests/tests/scenario/congress_ha/test_ha.py
# launches replica congress instances from a different user than the
# original devstack-launched instance. Hence, the encryption keys need
# to be exposed to additional users for the test to work as intended.
# Note: This works correctly only for default encryption key location
# /etc/congress/keys
# If needed in future, this script can read custom key location from
# $CONGRESS_CONF and adjust accordingly
if [ "$CONGRESS_EXPOSE_ENCRYPTION_KEY_FOR_TEST" == "True" ]; then
# Datasource service starts later than api service, so wait until datasource service fully started.
if ! timeout $SERVICE_TIMEOUT sh -c "while [ ! -f /etc/congress/keys/aes_key ]; do sleep 1; done"; then
die $LINENO "Unexpected error in key file creation"
fi
chmod a+rx /etc/congress/keys
chmod a+r /etc/congress/keys/aes_key
fi
}
function _wait_for_congress {
echo "Waiting for Congress to start..."
if ! timeout $SERVICE_TIMEOUT sh -c "while ! wget --no-proxy -q -O- http://$CONGRESS_HOST:$CONGRESS_PORT; do sleep 1; done"; then
die $LINENO "Congress did not start"
fi
}
# stop_congress() - Stop running processes (non-screen)
function stop_congress {
:
}
# cleanup_congress() - Remove residual data files, anything left over from previous
# runs that would need to clean up.
function cleanup_congress {
sudo rm -rf $CONGRESS_AUTH_CACHE_DIR $CONGRESS_CONF_DIR
if [[ $ENABLE_CONGRESS_Z3 == "True" ]] ; then
_uninstall_z3
fi
}
# Configures keystone integration for congress service
function _congress_setup_keystone {
local conf_file=$1
local section=$2
local use_auth_url=$3
if [[ -z $skip_auth_cache ]]; then
iniset $conf_file $section signing_dir $CONGRESS_AUTH_CACHE_DIR
# Create cache dir
create_congress_cache_dir
fi
configure_auth_token_middleware $conf_file $CONGRESS_ADMIN_USERNAME $CONGRESS_AUTH_CACHE_DIR $section
}
# Set up Horizon integration with Congress
function _congress_setup_horizon {
# Dashboard panels
ln -fs $CONGRESSDASHBOARD_DIR/congress_dashboard/enabled/_50_policy.py $HORIZON_DIR/openstack_dashboard/local/enabled/
ln -fs $CONGRESSDASHBOARD_DIR/congress_dashboard/enabled/_60_policies.py $HORIZON_DIR/openstack_dashboard/local/enabled/
ln -fs $CONGRESSDASHBOARD_DIR/congress_dashboard/enabled/_70_datasources.py $HORIZON_DIR/openstack_dashboard/local/enabled/
ln -fs $CONGRESSDASHBOARD_DIR/congress_dashboard/enabled/_75_monitoring.py $HORIZON_DIR/openstack_dashboard/local/enabled/
ln -fs $CONGRESSDASHBOARD_DIR/congress_dashboard/enabled/_80_library.py $HORIZON_DIR/openstack_dashboard/local/enabled/
# Restart Horizon
restart_apache_server
}
function start_cfg_validator_agent {
echo "Launching congress config agent"
run_process congress-agent "$CONGRESS_BIN_DIR/congress-cfg-validator-agt --config-file $CONGRESS_AGT_CONF"
}
function configure_cfg_validator_agent {
if ! is_service_enabled congress; then
setup_develop $CONGRESS_DIR
fi
if [[ ! -d $CONGRESS_CONF_DIR ]]; then
sudo mkdir -p $CONGRESS_CONF_DIR
fi
sudo chown $STACK_USER $CONGRESS_CONF_DIR
touch $CONGRESS_AGT_CONF
sudo chown $STACK_USER $CONGRESS_AGT_CONF
iniset_rpc_backend cfg-validator $CONGRESS_AGT_CONF
iniset $CONGRESS_AGT_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL
iniset $CONGRESS_AGT_CONF agent host $(hostname)
iniset $CONGRESS_AGT_CONF agent version pike
if is_service_enabled nova; then
VALIDATOR_SERVICES+="nova: { ${NOVA_CONF}:${NOVA_DIR}/etc/nova/nova-config-generator.conf },"
fi
if is_service_enabled neutron; then
VALIDATOR_SERVICES+="neutron: { ${NEUTRON_CONF}:${NEUTRON_DIR}/etc/oslo-config-generator/neutron.conf },"
fi
if is_service_enabled congress; then
VALIDATOR_SERVICES+="congress: { ${CONGRESS_CONF}:${CONGRESS_DIR}/etc/congress-config-generator.conf },"
fi
if [[ ! -z VALIDATOR_SERVICES ]]; then
iniset $CONGRESS_AGT_CONF agent services "${VALIDATOR_SERVICES%?}"
fi
}
# Main dispatcher
#----------------
if is_service_enabled congress || is_service_enabled congress-agent; then
if [[ "$1" == "stack" ]]; then
if [[ "$2" == "install" ]]; then
echo_summary "Installing Congress"
install_congress
elif [[ "$2" == "post-config" ]]; then
if is_service_enabled congress; then
echo_summary "Configuring Congress"
configure_congress
if is_service_enabled key; then
create_congress_accounts
fi
fi
if is_service_enabled congress-agent; then
echo_summary "Configuring Validator agent"
configure_cfg_validator_agent
fi
elif [[ "$2" == "extra" ]]; then
if is_service_enabled congress; then
# Initialize Congress
init_congress
# Start the congress API and Congress taskmgr components
echo_summary "Starting Congress"
start_congress_service_and_check
configure_congress_datasources
create_predefined_policy
fi
if is_service_enabled congress-agent; then
echo_summary "Starting Validator agent"
start_cfg_validator_agent
fi
elif [[ "$2" == "test-config" ]]; then
if is_service_enabled tempest; then
# Configure Tempest for Congress
_configure_tempest
fi
fi
fi
if [[ "$1" == "unstack" ]]; then
stop_congress
fi
if [[ "$1" == "clean" ]]; then
cleanup_congress
fi
fi
# Restore xtrace
$XTRACE
View Git Blame Copy Permalink