Add TLS support for keystone via proxy
* Adds lib/tls to create test CA/certs * Start proxy if 'tls-proxy' is enabled * Configure keystone service catalog for TLS * Tear down proxy in unstack.sh * Set auth protocol and ca-cert chain in openrc * Add DATA_DIR to stackrc This is the first in a series of patches to enable TLS support for the service API endpoints. Change-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6
This commit is contained in:
parent
00626a3186
commit
c83a7e125f
1
files/apts/tls-proxy
Normal file
1
files/apts/tls-proxy
Normal file
@ -0,0 +1 @@
|
||||
stud
|
37
lib/keystone
37
lib/keystone
@ -4,7 +4,7 @@
|
||||
# Dependencies:
|
||||
# ``functions`` file
|
||||
# ``BASE_SQL_CONN``
|
||||
# ``SERVICE_HOST``
|
||||
# ``SERVICE_HOST``, ``SERVICE_PROTOCOL``
|
||||
# ``SERVICE_TOKEN``
|
||||
# ``S3_SERVICE_PORT`` (template backend only)
|
||||
|
||||
@ -48,10 +48,14 @@ KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
|
||||
# Set Keystone interface configuration
|
||||
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
||||
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
|
||||
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
|
||||
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
|
||||
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
|
||||
# Public facing bits
|
||||
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
|
||||
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
|
||||
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http}
|
||||
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
|
||||
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
|
||||
|
||||
# Entry Points
|
||||
@ -88,6 +92,13 @@ function configure_keystone() {
|
||||
# Rewrite stock ``keystone.conf``
|
||||
local dburl
|
||||
database_connection_url dburl keystone
|
||||
|
||||
if is_service_enabled tls-proxy; then
|
||||
# Set the service ports for a proxy to take the originals
|
||||
iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT
|
||||
iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT
|
||||
fi
|
||||
|
||||
iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN"
|
||||
iniset $KEYSTONE_CONF signing token_format "$KEYSTONE_TOKEN_FORMAT"
|
||||
iniset $KEYSTONE_CONF sql connection $dburl
|
||||
@ -213,9 +224,9 @@ create_keystone_accounts() {
|
||||
keystone endpoint-create \
|
||||
--region RegionOne \
|
||||
--service_id $KEYSTONE_SERVICE \
|
||||
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0" \
|
||||
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:\$(admin_port)s/v2.0" \
|
||||
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:\$(public_port)s/v2.0"
|
||||
--publicurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0" \
|
||||
--adminurl "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0" \
|
||||
--internalurl "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0"
|
||||
fi
|
||||
|
||||
# TODO(dtroyer): This is part of a series of changes...remove these when
|
||||
@ -268,13 +279,25 @@ function install_keystone() {
|
||||
|
||||
# start_keystone() - Start running processes, including screen
|
||||
function start_keystone() {
|
||||
# Get right service port for testing
|
||||
local service_port=$KEYSTONE_SERVICE_PORT
|
||||
if is_service_enabled tls-proxy; then
|
||||
service_port=$KEYSTONE_SERVICE_PORT_INT
|
||||
fi
|
||||
|
||||
# Start Keystone in a screen window
|
||||
screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF $KEYSTONE_LOG_CONFIG -d --debug"
|
||||
echo "Waiting for keystone to start..."
|
||||
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/ >/dev/null; do sleep 1; done"; then
|
||||
if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= curl -s http://$SERVICE_HOST:$service_port/v2.0/ >/dev/null; do sleep 1; done"; then
|
||||
echo "keystone did not start"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Start proxies if enabled
|
||||
if is_service_enabled tls-proxy; then
|
||||
start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
|
||||
start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
|
||||
fi
|
||||
}
|
||||
|
||||
# stop_keystone() - Stop running processes
|
||||
|
314
lib/tls
Normal file
314
lib/tls
Normal file
@ -0,0 +1,314 @@
|
||||
# lib/tls
|
||||
# Functions to control the configuration and operation of the TLS proxy service
|
||||
|
||||
# Dependencies:
|
||||
# !! source _before_ any services that use ``SERVICE_HOST``
|
||||
# ``functions`` file
|
||||
# ``DEST``, ``DATA_DIR`` must be defined
|
||||
# ``HOST_IP``, ``SERVICE_HOST``
|
||||
# ``KEYSTONE_TOKEN_FORMAT`` must be defined
|
||||
|
||||
# Entry points:
|
||||
# configure_CA
|
||||
# init_CA
|
||||
|
||||
# configure_proxy
|
||||
# start_tls_proxy
|
||||
|
||||
# make_root_ca
|
||||
# make_int_ca
|
||||
# new_cert $INT_CA_DIR int-server "abc"
|
||||
# start_tls_proxy HOST_IP 5000 localhost 5000
|
||||
|
||||
|
||||
if is_service_enabled tls-proxy; then
|
||||
# TODO(dtroyer): revisit this below after the search for HOST_IP has been done
|
||||
TLS_IP=${TLS_IP:-$SERVICE_IP}
|
||||
|
||||
# Set the default ``SERVICE_PROTOCOL`` for TLS
|
||||
SERVICE_PROTOCOL=https
|
||||
fi
|
||||
|
||||
# Make up a hostname for cert purposes
|
||||
# will be added to /etc/hosts?
|
||||
DEVSTACK_HOSTNAME=secure.devstack.org
|
||||
DEVSTACK_CERT_NAME=devstack-cert
|
||||
DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
|
||||
|
||||
# CA configuration
|
||||
ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}
|
||||
INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}
|
||||
|
||||
ORG_NAME="OpenStack"
|
||||
ORG_UNIT_NAME="DevStack"
|
||||
|
||||
# Stud configuration
|
||||
STUD_PROTO="--tls"
|
||||
STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'
|
||||
|
||||
|
||||
# CA Functions
|
||||
# ============
|
||||
|
||||
# There may be more than one, get specific
|
||||
OPENSSL=${OPENSSL:-/usr/bin/openssl}
|
||||
|
||||
# Do primary CA configuration
|
||||
function configure_CA() {
|
||||
# build common config file
|
||||
|
||||
# Verify ``TLS_IP`` is good
|
||||
if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then
|
||||
# auto-discover has changed the IP
|
||||
TLS_IP=$HOST_IP
|
||||
fi
|
||||
}
|
||||
|
||||
# Creates a new CA directory structure
|
||||
# create_CA_base ca-dir
|
||||
function create_CA_base() {
|
||||
local ca_dir=$1
|
||||
|
||||
if [[ -d $ca_dir ]]; then
|
||||
# Bail out it exists
|
||||
return 0
|
||||
fi
|
||||
|
||||
for i in certs crl newcerts private; do
|
||||
mkdir -p $ca_dir/$i
|
||||
done
|
||||
chmod 710 $ca_dir/private
|
||||
echo "01" >$ca_dir/serial
|
||||
cp /dev/null $ca_dir/index.txt
|
||||
}
|
||||
|
||||
|
||||
# Create a new CA configuration file
|
||||
# create_CA_config ca-dir common-name
|
||||
function create_CA_config() {
|
||||
local ca_dir=$1
|
||||
local common_name=$2
|
||||
|
||||
echo "
|
||||
[ ca ]
|
||||
default_ca = CA_default
|
||||
|
||||
[ CA_default ]
|
||||
dir = $ca_dir
|
||||
policy = policy_match
|
||||
database = \$dir/index.txt
|
||||
serial = \$dir/serial
|
||||
certs = \$dir/certs
|
||||
crl_dir = \$dir/crl
|
||||
new_certs_dir = \$dir/newcerts
|
||||
certificate = \$dir/cacert.pem
|
||||
private_key = \$dir/private/cacert.key
|
||||
RANDFILE = \$dir/private/.rand
|
||||
default_md = default
|
||||
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_md = sha1
|
||||
|
||||
prompt = no
|
||||
distinguished_name = ca_distinguished_name
|
||||
|
||||
x509_extensions = ca_extensions
|
||||
|
||||
[ ca_distinguished_name ]
|
||||
organizationName = $ORG_NAME
|
||||
organizationalUnitName = $ORG_UNIT_NAME Certificate Authority
|
||||
commonName = $common_name
|
||||
|
||||
[ policy_match ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
|
||||
[ ca_extensions ]
|
||||
basicConstraints = critical,CA:true
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always, issuer
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
||||
" >$ca_dir/ca.conf
|
||||
}
|
||||
|
||||
# Create a new signing configuration file
|
||||
# create_signing_config ca-dir
|
||||
function create_signing_config() {
|
||||
local ca_dir=$1
|
||||
|
||||
echo "
|
||||
[ ca ]
|
||||
default_ca = CA_default
|
||||
|
||||
[ CA_default ]
|
||||
dir = $ca_dir
|
||||
policy = policy_match
|
||||
database = \$dir/index.txt
|
||||
serial = \$dir/serial
|
||||
certs = \$dir/certs
|
||||
crl_dir = \$dir/crl
|
||||
new_certs_dir = \$dir/newcerts
|
||||
certificate = \$dir/cacert.pem
|
||||
private_key = \$dir/private/cacert.key
|
||||
RANDFILE = \$dir/private/.rand
|
||||
default_md = default
|
||||
|
||||
[ req ]
|
||||
default_bits = 1024
|
||||
default_md = sha1
|
||||
|
||||
prompt = no
|
||||
distinguished_name = req_distinguished_name
|
||||
|
||||
x509_extensions = req_extensions
|
||||
|
||||
[ req_distinguished_name ]
|
||||
organizationName = $ORG_NAME
|
||||
organizationalUnitName = $ORG_UNIT_NAME Server Farm
|
||||
|
||||
[ policy_match ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
organizationName = match
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
|
||||
[ req_extensions ]
|
||||
basicConstraints = CA:false
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always, issuer
|
||||
keyUsage = digitalSignature, keyEncipherment, keyAgreement
|
||||
extendedKeyUsage = serverAuth, clientAuth
|
||||
subjectAltName = \$ENV::SUBJECT_ALT_NAME
|
||||
|
||||
" >$ca_dir/signing.conf
|
||||
}
|
||||
|
||||
# Create root and intermediate CAs and an initial server cert
|
||||
# init_CA
|
||||
function init_CA {
|
||||
# Ensure CAs are built
|
||||
make_root_CA $ROOT_CA_DIR
|
||||
make_int_CA $INT_CA_DIR $ROOT_CA_DIR
|
||||
|
||||
# Create the CA bundle
|
||||
cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
|
||||
|
||||
if [[ ! -r $DEVSTACK_CERT ]]; then
|
||||
if [[ -n "$TLS_IP" ]]; then
|
||||
# Lie to let incomplete match routines work
|
||||
TLS_IP="DNS:$TLS_IP"
|
||||
fi
|
||||
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
|
||||
|
||||
# Create a cert bundle
|
||||
cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# make_cert creates and signs a new certificate with the given commonName and CA
|
||||
# make_cert ca-dir cert-name "common-name" ["alt-name" ...]
|
||||
function make_cert() {
|
||||
local ca_dir=$1
|
||||
local cert_name=$2
|
||||
local common_name=$3
|
||||
local alt_names=$4
|
||||
|
||||
# Generate a signing request
|
||||
$OPENSSL req \
|
||||
-sha1 \
|
||||
-newkey rsa \
|
||||
-nodes \
|
||||
-keyout $ca_dir/private/$cert_name.key \
|
||||
-out $ca_dir/$cert_name.csr \
|
||||
-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
|
||||
|
||||
if [[ -z "$alt_names" ]]; then
|
||||
alt_names="DNS:${common_name}"
|
||||
else
|
||||
alt_names="DNS:${common_name},${alt_names}"
|
||||
fi
|
||||
|
||||
# Sign the request valid for 1 year
|
||||
SUBJECT_ALT_NAME="$alt_names" \
|
||||
$OPENSSL ca -config $ca_dir/signing.conf \
|
||||
-extensions req_extensions \
|
||||
-days 365 \
|
||||
-notext \
|
||||
-in $ca_dir/$cert_name.csr \
|
||||
-out $ca_dir/$cert_name.crt \
|
||||
-subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
|
||||
-batch
|
||||
}
|
||||
|
||||
|
||||
# Make an intermediate CA to sign everything else
|
||||
# make_int_CA ca-dir signing-ca-dir
|
||||
function make_int_CA() {
|
||||
local ca_dir=$1
|
||||
local signing_ca_dir=$2
|
||||
|
||||
# Create the root CA
|
||||
create_CA_base $ca_dir
|
||||
create_CA_config $ca_dir 'Intermediate CA'
|
||||
create_signing_config $ca_dir
|
||||
|
||||
# Create a signing certificate request
|
||||
$OPENSSL req -config $ca_dir/ca.conf \
|
||||
-sha1 \
|
||||
-newkey rsa \
|
||||
-nodes \
|
||||
-keyout $ca_dir/private/cacert.key \
|
||||
-out $ca_dir/cacert.csr \
|
||||
-outform PEM
|
||||
|
||||
# Sign the intermediate request valid for 1 year
|
||||
$OPENSSL ca -config $signing_ca_dir/ca.conf \
|
||||
-extensions ca_extensions \
|
||||
-days 365 \
|
||||
-notext \
|
||||
-in $ca_dir/cacert.csr \
|
||||
-out $ca_dir/cacert.pem \
|
||||
-batch
|
||||
}
|
||||
|
||||
# Make a root CA to sign other CAs
|
||||
# make_root_CA ca-dir
|
||||
function make_root_CA() {
|
||||
local ca_dir=$1
|
||||
|
||||
# Create the root CA
|
||||
create_CA_base $ca_dir
|
||||
create_CA_config $ca_dir 'Root CA'
|
||||
|
||||
# Create a self-signed certificate valid for 5 years
|
||||
$OPENSSL req -config $ca_dir/ca.conf \
|
||||
-x509 \
|
||||
-nodes \
|
||||
-newkey rsa \
|
||||
-days 21360 \
|
||||
-keyout $ca_dir/private/cacert.key \
|
||||
-out $ca_dir/cacert.pem \
|
||||
-outform PEM
|
||||
}
|
||||
|
||||
|
||||
# Proxy Functions
|
||||
# ===============
|
||||
|
||||
# Starts the TLS proxy for the given IP/ports
|
||||
# start_tls_proxy front-host front-port back-host back-port
|
||||
function start_tls_proxy() {
|
||||
local f_host=$1
|
||||
local f_port=$2
|
||||
local b_host=$3
|
||||
local b_port=$4
|
||||
|
||||
stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
|
||||
}
|
9
openrc
9
openrc
@ -26,6 +26,9 @@ source $RC_DIR/functions
|
||||
# Load local configuration
|
||||
source $RC_DIR/stackrc
|
||||
|
||||
# Get some necessary configuration
|
||||
source $RC_DIR/lib/tls
|
||||
|
||||
# The introduction of Keystone to the OpenStack ecosystem has standardized the
|
||||
# term **tenant** as the entity that owns resources. In some places references
|
||||
# still exist to the original Nova term **project** for this use. Also,
|
||||
@ -49,6 +52,7 @@ export OS_NO_CACHE=${OS_NO_CACHE:-1}
|
||||
# which is convenient for some localrc configurations.
|
||||
HOST_IP=${HOST_IP:-127.0.0.1}
|
||||
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
|
||||
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
|
||||
|
||||
# Some exercises call glance directly. On a single-node installation, Glance
|
||||
# should be listening on HOST_IP. If its running elsewhere, it can be set here
|
||||
@ -61,7 +65,10 @@ GLANCE_HOST=${GLANCE_HOST:-$HOST_IP}
|
||||
#
|
||||
# *NOTE*: Using the 2.0 *identity api* does not mean that compute api is 2.0. We
|
||||
# will use the 1.1 *compute api*
|
||||
export OS_AUTH_URL=http://$SERVICE_HOST:5000/v2.0
|
||||
export OS_AUTH_URL=$SERVICE_PROTOCOL://$SERVICE_HOST:5000/v2.0
|
||||
|
||||
# Set the pointer to our CA certificate chain. Harmless if TLS is not used.
|
||||
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
||||
|
||||
# Currently novaclient needs you to specify the *compute api* version. This
|
||||
# needs to match the config of your catalog returned by Keystone.
|
||||
|
17
stack.sh
17
stack.sh
@ -288,6 +288,7 @@ fi
|
||||
|
||||
# Allow the use of an alternate hostname (such as localhost/127.0.0.1) for service endpoints.
|
||||
SERVICE_HOST=${SERVICE_HOST:-$HOST_IP}
|
||||
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
|
||||
|
||||
# Configure services to use syslog instead of writing to individual log files
|
||||
SYSLOG=`trueorfalse False $SYSLOG`
|
||||
@ -305,6 +306,7 @@ SERVICE_TIMEOUT=${SERVICE_TIMEOUT:-60}
|
||||
# ==================
|
||||
|
||||
# Get project function libraries
|
||||
source $TOP_DIR/lib/tls
|
||||
source $TOP_DIR/lib/horizon
|
||||
source $TOP_DIR/lib/keystone
|
||||
source $TOP_DIR/lib/glance
|
||||
@ -847,6 +849,12 @@ if [[ $TRACK_DEPENDS = True ]] ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if is_service_enabled tls-proxy; then
|
||||
configure_CA
|
||||
init_CA
|
||||
# Add name to /etc/hosts
|
||||
# don't be naive and add to existing line!
|
||||
fi
|
||||
|
||||
# Syslog
|
||||
# ------
|
||||
@ -923,12 +931,17 @@ screen -r $SCREEN_NAME -X hardstatus alwayslastline "$SCREEN_HARDSTATUS"
|
||||
|
||||
if is_service_enabled key; then
|
||||
echo_summary "Starting Keystone"
|
||||
configure_keystone
|
||||
init_keystone
|
||||
start_keystone
|
||||
|
||||
# Set up a temporary admin URI for Keystone
|
||||
SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
|
||||
SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
|
||||
|
||||
if is_service_enabled tls-proxy; then
|
||||
export OS_CACERT=$INT_CA_DIR/ca-chain.pem
|
||||
# Until the client support is fixed, just use the internal endpoint
|
||||
SERVICE_ENDPOINT=http://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT_INT/v2.0
|
||||
fi
|
||||
|
||||
# Do the keystone-specific bits from keystone_data.sh
|
||||
export OS_SERVICE_TOKEN=$SERVICE_TOKEN
|
||||
|
3
stackrc
3
stackrc
@ -6,6 +6,9 @@ RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)
|
||||
# Destination path for installation
|
||||
DEST=/opt/stack
|
||||
|
||||
# Destination for working data
|
||||
DATA_DIR=${DEST}/data
|
||||
|
||||
# Select the default database
|
||||
DATABASE_TYPE=mysql
|
||||
|
||||
|
@ -62,6 +62,11 @@ if is_service_enabled horizon; then
|
||||
stop_horizon
|
||||
fi
|
||||
|
||||
# Kill TLS proxies
|
||||
if is_service_enabled tls-proxy; then
|
||||
killall stud
|
||||
fi
|
||||
|
||||
SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*
|
||||
|
||||
# Get the iSCSI volumes
|
||||
|
Loading…
Reference in New Issue
Block a user