From c82ef4dbc8a22558bc9116ff71a7a425d8fb9c9c Mon Sep 17 00:00:00 2001 From: Jay Pipes Date: Fri, 7 Dec 2012 17:59:01 -0500 Subject: [PATCH 1/2] Fixes from marathon chef-client debug session * Fixes hard-coded db password for Cinder with lookup of the cinder_db_chef_role attribute * Fixes typo of glance_host and glance_port in config template * Fixes incorrect keystoneclient.middleware reference in api-paste template * Removes recipes/common.rb, as it was pointless now that the config template processing had to be moved into each service recipe * Removes the recipes/setup.rb, as it was all for the API service, so moved the keystone_register calls directly into the api.rb recipe --- attributes/default.rb | 4 ++ recipes/api.rb | 83 +++++++++++++++++++-- recipes/common.rb | 31 -------- recipes/scheduler.rb | 13 ++-- recipes/setup.rb | 108 ---------------------------- recipes/volume.rb | 13 ++-- templates/default/api-paste.ini.erb | 5 +- templates/default/cinder.conf.erb | 4 +- 8 files changed, 103 insertions(+), 158 deletions(-) delete mode 100644 recipes/common.rb delete mode 100644 recipes/setup.rb diff --git a/attributes/default.rb b/attributes/default.rb index 21d4f8f..7029ce6 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -36,6 +36,10 @@ default["cinder"]["debug"] = "False" # Availability zone/region for the Cinder service default["cinder"]["region"] = "RegionOne" +# The name of the Chef role that installs the database and database user +# that Cinder uses +default["cinder"]["cinder_db_chef_role"] = "cinder" + # The name of the Chef role that knows about the message queue server # that Cinder uses default["cinder"]["rabbit_server_chef_role"] = "rabbitmq-server" diff --git a/recipes/api.rb b/recipes/api.rb index 78330cf..f432a09 100644 --- a/recipes/api.rb +++ b/recipes/api.rb 
@@ -18,10 +18,16 @@ # limitations under the License. # -include_recipe "cinder::common" - class ::Chef::Recipe include ::Openstack + include ::Opscode::OpenSSL::Password +end + +# Allow for using a well known service password +if node["developer_mode"] + node.set_unless["cinder"]["service_pass"] = "cinder" +else + node.set_unless["cinder"]["service_pass"] = secure_password end platform_options = node["cinder"]["platform"] @@ -33,9 +39,19 @@ service "cinder-api" do action :enable end +execute "cinder-manage db sync" do + command "cinder-manage db sync" + not_if "cinder-manage db version && test $(cinder-manage db version) -gt 0" + + action :nothing +end + +db_role = node["cinder"]["cinder_db_chef_role"] +db_info = config_by_role db_role, "cinder" + db_user = node["cinder"]["db"]["username"] -db_pass = node["cinder"]["db"]["password"] -sql_connection = db_uri("cinder", db_user, "cinder") +db_pass = db_info["db"]["password"] +sql_connection = db_uri("volume", db_user, db_pass) rabbit_server_role = node["cinder"]["rabbit_server_chef_role"] rabbit_info = get_settings_by_role rabbit_server_role, "queue" 
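Review bot: `node.set_unless["cinder"]["service_pass"] = "cinder"` stores the well-known password as a persistent node attribute. A node that has ever converged with `developer_mode` on therefore keeps "cinder" as its service password after the flag is turned off, because the `else` branch's `set_unless` finds a value and never calls `secure_password`. In both branches the password is saved in clear text with the node object on the Chef server. In the non-developer branch I would replace a left-over default rather than keep it, e.g. `node.set["cinder"]["service_pass"] = secure_password if [nil, "cinder"].include?(node["cinder"]["service_pass"])`, keeping in mind that an already registered Keystone user would need the same update. Since scheduler.rb and volume.rb no longer include cinder::common, this attribute is now only set on nodes that run the api recipe; whether those recipes read it is not visible here.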
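Review bot: `db_info["db"]["password"]` indexes the result of `config_by_role` without checking it, so if no node carries the role named in `node["cinder"]["cinder_db_chef_role"]` (presumably the helper returns nil then) the run fails with a NoMethodError instead of naming the failed lookup. The same two lines are added in recipes/scheduler.rb and recipes/volume.rb. A guard before the password lookup, such as `raise "no node found for role #{db_role}" unless db_info && db_info["db"]`, would make the failure explicit. The real database password now flows into `sql_connection` and from there into cinder.conf; the removed setup.rb rendered that file with `mode 00644`, so if the template resource in this recipe does the same, every local user can read the password, and 00640 with the cinder group would be the safer mode. The next context line here still calls `get_settings_by_role` while the other two recipes switch to `config_by_role`, so it is worth confirming both helpers still exist.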
@@ -75,3 +91,62 @@ template "/etc/cinder/api-paste.ini" do notifies :restart, resources(:service => "cinder-api"), :immediately end + +keystone_register "Register Cinder Volume Service" do + auth_host identity_admin_endpoint.host + auth_port identity_admin_endpoint.port.to_s + auth_protocol identity_admin_endpoint.scheme + api_ver identity_admin_endpoint.path + auth_token keystone["admin_token"] + service_name "cinder" + service_type "volume" + service_description "Cinder Volume Service" + endpoint_region node["cinder"]["region"] + endpoint_adminurl api_endpoint.to_s + endpoint_internalurl api_endpoint.to_s + endpoint_publicurl api_endpoint.to_s + + action :create_service +end + +keystone_register "Register Cinder Volume Endpoint" do + auth_host identity_admin_endpoint.host + auth_port identity_admin_endpoint.port.to_s + auth_protocol identity_admin_endpoint.scheme + api_ver identity_admin_endpoint.path + auth_token keystone["admin_token"] + service_name "cinder" + service_type "volume" + service_description "Cinder Volume Service" + endpoint_region node["cinder"]["region"] + endpoint_adminurl api_endpoint.to_s + endpoint_internalurl api_endpoint.to_s + endpoint_publicurl api_endpoint.to_s + + action :create_endpoint +end + +keystone_register "Register Cinder Service User" do + auth_host identity_admin_endpoint.host + auth_port identity_admin_endpoint.port.to_s + auth_protocol identity_admin_endpoint.scheme + api_ver identity_admin_endpoint.path + auth_token keystone["admin_token"] + tenant_name node["cinder"]["service_tenant_name"] + user_name node["cinder"]["service_user"] + user_pass node["cinder"]["service_pass"] + user_enabled "true" # Not required as this is the default + action :create_user +end + +keystone_register "Grant service Role to Cinder Service User for Cinder Service Tenant" do + auth_host identity_admin_endpoint.host + auth_port identity_admin_endpoint.port.to_s + auth_protocol identity_admin_endpoint.scheme + api_ver identity_admin_endpoint.path 
+ auth_token keystone["admin_token"] + tenant_name node["cinder"]["service_tenant_name"] + user_name node["cinder"]["service_user"] + role_name node["cinder"]["service_role"] + action :grant_role +end diff --git a/recipes/common.rb b/recipes/common.rb deleted file mode 100644 index df30497..0000000 --- a/recipes/common.rb +++ /dev/null @@ -1,31 +0,0 @@ -# -# Cookbook Name:: cinder -# Recipe:: common -# -# Copyright 2012, Rackspace US, Inc. -# Copyright 2012, AT&T, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -class ::Chef::Recipe - include ::Openstack - include ::Opscode::OpenSSL::Password -end - -# Allow for using a well known service password -if node["developer_mode"] - node.set_unless["cinder"]["service_pass"] = "cinder" -else - node.set_unless["cinder"]["service_pass"] = secure_password -end diff --git a/recipes/scheduler.rb b/recipes/scheduler.rb index 7c36325..b86cbfb 100644 --- a/recipes/scheduler.rb +++ b/recipes/scheduler.rb @@ -18,8 +18,6 @@ # limitations under the License. # -include_recipe "cinder::common" - platform_options = node["cinder"]["platform"] platform_options["cinder_scheduler_packages"].each do |pkg| 
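Review bot: The four `keystone_register` blocks depend on `identity_admin_endpoint`, `keystone` and `api_endpoint`, none of which is assigned in the visible hunks of recipes/api.rb. The removed setup.rb assigned all three itself, so confirm that the unchanged part of api.rb defines each one before these resources. Moving the registration here also means every node running the api recipe reads Keystone's `admin_token` on every chef-client run, where previously only the node running the setup recipe did. A comment above the first block would record that, e.g. `# Runs on every API node; needs keystone["admin_token"] and relies on keystone_register being idempotent`, with the idempotency assumption checked against the provider. The five `auth_*`/`api_ver` lines are repeated in all four blocks and could be factored out once that is settled.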
@@ -30,15 +28,18 @@ platform_options["cinder_scheduler_packages"].each do |pkg| end end +db_role = node["cinder"]["cinder_db_chef_role"] +db_info = config_by_role db_role, "cinder" + db_user = node["cinder"]["db"]["username"] -db_pass = node["cinder"]["db"]["password"] -sql_connection = db_uri("cinder", db_user, "cinder") +db_pass = db_info["db"]["password"] +sql_connection = db_uri("volume", db_user, db_pass) rabbit_server_role = node["cinder"]["rabbit_server_chef_role"] -rabbit_info = get_settings_by_role rabbit_server_role, "queue" +rabbit_info = config_by_role rabbit_server_role, "queue" glance_api_role = node["cinder"]["glance_api_chef_role"] -glance = get_settings_by_role glance_api_role, "glance" +glance = config_by_role glance_api_role, "glance" glance_api_endpoint = endpoint "image-api" service "cinder-scheduler" do diff --git a/recipes/setup.rb b/recipes/setup.rb deleted file mode 100644 index 8bc906e..0000000 --- a/recipes/setup.rb +++ /dev/null 
@@ -1,108 +0,0 @@ -# -# Cookbook Name:: cinder -# Recipe:: setup -# -# Copyright 2012, Rackspace US, Inc. -# Copyright 2012, AT&T, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -include_recipe "cinder::common" - -class ::Chef::Recipe - include ::Openstack -end - -platform_options = node["cinder"]["platform"] - -platform_options["cinder_api_packages"].each do |pkg| - package pkg do - options platform_options["package_overrides"] - - action :upgrade - end -end - -execute "cinder-manage db sync" do - command "cinder-manage db sync" - not_if "cinder-manage db version && test $(cinder-manage db version) -gt 0" - - action :nothing -end - -db_user = node["cinder"]["db"]["username"] -db_pass = node["cinder"]["db"]["password"] -sql_connection = db_uri("cinder", db_user, "cinder") - -rabbit_server_role = node["cinder"]["rabbit_server_chef_role"] -rabbit_info = get_settings_by_role rabbit_server_role, "queue" - -glance_api_role = node["cinder"]["glance_api_chef_role"] -glance = get_settings_by_role glance_api_role, "glance" -glance_api_endpoint = endpoint "image-api" - -template "/etc/cinder/cinder.conf" do - source "cinder.conf.erb" - group node["cinder"]["group"] - owner node["cinder"]["user"] - mode 00644 - variables( - :sql_connection => sql_connection, - :rabbit_host => rabbit_info["host"], - :rabbit_port => rabbit_info["port"], - :glance_host => glance_api_endpoint.host, - :glance_port => glance_api_endpoint.port - ) - - notifies :run, resources(:execute => 
"cinder-manage db sync"), :immediately -end - -identity_admin_endpoint = endpoint "identity-admin" -keystone_service_role = node["cinder"]["keystone_service_chef_role"] -keystone = get_settings_by_role keystone_service_role, "keystone" -api_endpoint = endpoint "volume-api" - -keystone_register "Register Cinder Volume Service" do - auth_host identity_admin_endpoint.host - auth_port identity_admin_endpoint.port.to_s - auth_protocol identity_admin_endpoint.scheme - api_ver identity_admin_endpoint.path - auth_token keystone["admin_token"] - service_name "cinder" - service_type "volume" - service_description "Cinder Volume Service" - endpoint_region node["cinder"]["region"] - endpoint_adminurl api_endpoint.to_s - endpoint_internalurl api_endpoint.to_s - endpoint_publicurl api_endpoint.to_s - - action :create_service -end - -keystone_register "Register Cinder Volume Endpoint" do - auth_host identity_admin_endpoint.host - auth_port identity_admin_endpoint.port.to_s - auth_protocol identity_admin_endpoint.scheme - api_ver identity_admin_endpoint.path - auth_token keystone["admin_token"] - service_name "cinder" - service_type "volume" - service_description "Cinder Volume Service" - endpoint_region node["cinder"]["region"] - endpoint_adminurl api_endpoint.to_s - endpoint_internalurl api_endpoint.to_s - endpoint_publicurl api_endpoint.to_s - - action :create_endpoint -end diff --git a/recipes/volume.rb b/recipes/volume.rb index 6fd711b..81a1f18 100644 --- a/recipes/volume.rb +++ b/recipes/volume.rb @@ -18,8 +18,6 @@ # limitations under the License. # -include_recipe "cinder::common" - platform_options = node["cinder"]["platform"] platform_options["cinder_volume_packages"].each do |pkg| 
@@ -38,15 +36,18 @@ platform_options["cinder_iscsitarget_packages"].each do |pkg| end end +db_role = node["cinder"]["cinder_db_chef_role"] +db_info = config_by_role db_role, "cinder" + db_user = node["cinder"]["db"]["username"] -db_pass = node["cinder"]["db"]["password"] -sql_connection = db_uri("cinder", db_user, "cinder") +db_pass = db_info["db"]["password"] +sql_connection = db_uri("volume", db_user, db_pass) rabbit_server_role = node["cinder"]["rabbit_server_chef_role"] -rabbit_info = get_settings_by_role rabbit_server_role, "queue" +rabbit_info = config_by_role rabbit_server_role, "queue" glance_api_role = node["cinder"]["glance_api_chef_role"] -glance = get_settings_by_role glance_api_role, "glance" +glance = config_by_role glance_api_role, "glance" glance_api_endpoint = endpoint "image-api" service "cinder-volume" do diff --git a/templates/default/api-paste.ini.erb b/templates/default/api-paste.ini.erb index 89b62c1..31319ce 100644 --- a/templates/default/api-paste.ini.erb +++ b/templates/default/api-paste.ini.erb @@ -39,7 +39,10 @@ paste.app_factory = cinder.api.openstack.volume.versions:Versions.factory paste.filter_factory = cinder.api.auth:CinderKeystoneContext.factory [filter:authtoken] -paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory +# This needs to change to keystoneclient.middleware.auth_token:filter_factory +# when keystoneclient packages are updated (which contain the middleware, not +# the Keystone server package...) +paste.filter_factory = keystone.middleware.auth_token:filter_factory service_host = <%= @identity_endpoint.host %> service_port = <%= @identity_endpoint.port %> service_protocol = <%= @identity_endpoint.scheme %> diff --git a/templates/default/cinder.conf.erb b/templates/default/cinder.conf.erb index d01b8b4..7c769ea 100644 --- a/templates/default/cinder.conf.erb +++ b/templates/default/cinder.conf.erb 
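Review bot: The `[filter:authtoken]` factory now points at `keystone.middleware.auth_token`, which according to the added comment ships with the Keystone server package, yet none of the visible recipe hunks installs that package on the Cinder API node. If it is missing, the paste pipeline cannot load its authentication filter. It would help to state the dependency in the comment, e.g. `# Requires the keystone server package on this node until keystoneclient ships auth_token`. Hard-coding the path also means a package upgrade needs a template edit; reading the factory from a node attribute (name to be chosen), with this value as the default, would let operators switch without changing the cookbook.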
@@ -71,10 +71,10 @@ sql_connection=<%= @sql_connection %> my_ip=<%= node["ipaddress"] %> #### (StrOpt) ip address of this host -glance_host=<%= @glance_api_host %> +glance_host=<%= @glance_host %> #### (StrOpt) default glance hostname or ip -glance_port=<%= @glance_service_port %> +glance_port=<%= @glance_port %> #### (IntOpt) default glance port # glance_api_servers=$glance_host:$glance_port From 4fc2f972793ef61e8bb8c541633ccacb20ddcc43 Mon Sep 17 00:00:00 2001 From: Jay Pipes Date: Fri, 7 Dec 2012 18:22:13 -0500 Subject: [PATCH 2/2] Make sure we URI.decode the endpoint URLs --- recipes/api.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/recipes/api.rb b/recipes/api.rb index f432a09..917c254 100644 --- a/recipes/api.rb +++ b/recipes/api.rb @@ -18,6 +18,8 @@ # limitations under the License. # +require "uri" + class ::Chef::Recipe include ::Openstack include ::Opscode::OpenSSL::Password @@ -102,9 +104,9 @@ keystone_register "Register Cinder Volume Service" do service_type "volume" service_description "Cinder Volume Service" endpoint_region node["cinder"]["region"] - endpoint_adminurl api_endpoint.to_s - endpoint_internalurl api_endpoint.to_s - endpoint_publicurl api_endpoint.to_s + endpoint_adminurl ::URI.decode api_endpoint.to_s + endpoint_internalurl ::URI.decode api_endpoint.to_s + endpoint_publicurl ::URI.decode api_endpoint.to_s action :create_service end @@ -119,9 +121,9 @@ keystone_register "Register Cinder Volume Endpoint" do service_type "volume" service_description "Cinder Volume Service" endpoint_region node["cinder"]["region"] - endpoint_adminurl api_endpoint.to_s - endpoint_internalurl api_endpoint.to_s - endpoint_publicurl api_endpoint.to_s + endpoint_adminurl ::URI.decode api_endpoint.to_s + endpoint_internalurl ::URI.decode api_endpoint.to_s + endpoint_publicurl ::URI.decode api_endpoint.to_s action :create_endpoint end
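Review bot: `::URI.decode api_endpoint.to_s` unescapes the whole URL string rather than only the part that needed it, so any percent-encoded reserved character in the endpoint (an encoded `/`, `?` or `#`) becomes a delimiter again and the URL registered in Keystone can differ in structure from the configured one. The same call is repeated in the "Register Cinder Volume Endpoint" hunk. `URI.decode` is also marked obsolete and was removed in Ruby 3.0. The commit does not say which escape caused the problem (possibly a `%(tenant_id)s` placeholder, though that is a guess); a comment naming it would let a later reader replace the blanket decode with a targeted one. Computing the value once, `api_url = ::URI.decode api_endpoint.to_s`, and passing `api_url` to the three `endpoint_*url` attributes in each block would remove the six repeated calls.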