This eliminated a number of sudo calls by doing the copy/chown/chmod in
a single step and sets a common pattern.
Change-Id: I9c8f48854d5bc443cc187df0948c28b82c4d2838
swift middleware contained in ceilometer is now deprecated. the
middleware is available in ceilometermiddleware.
Change-Id: I6e41986245f4d95a9385dc7829479ed1199f10ac
The keystonemiddleware 1.5.0 released 2015-03-11 supports configuring
auth plugins from the paste config file. This means that swift can now
use authentication plugins for auth_token middleware.
Change-Id: Icb9f008a57b6f75e0506cbecd0a1e0f28b7dadda
The keystone admin token supposed to be used only
for setting up keystone and it should not be used
in any other service config.
Change-Id: Iaa9be1878e89a6bc3a84a0c57fc6f5cecc371d2f
is_keystone_enabled() was calling is_service_enabled(), which is what called
is_keystone_enabled() in the first place. Make it work as designed and
also change calls to use the full service name. Note that this is all
still comptible with the prior usage of 'is_service_enabled key'.
Change-Id: I9c28377ecf074b7996461d2a4ca12d88dfc4d47e
This breaks Ironic's use of temp URLs, which the key for the service
account is configured via the Swift user.
Change-Id: I69f6f6eef4ad573f406d64d579a9811c70ac5d28
Closes-Bug: #1421006
get_or_add_user_role is specific to adding a role on a project.
Rename it to get_or_add_user_project_role to allow room for adding a
domain specific role function.
Change-Id: I999308098d22be9800578ae67144a3b687fbc3be
Most of the services create the service user with the admin permission.
This is unnecessary for token validation and they should be restricted
to only having the service role.
Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
The code for creating service users is almost exactly the same. Abstract
this into a function that can be reused and standardized.
Change-Id: I3a4edbff0a928da7ef9b0097a5a8d508fdfab7ff
Swift doesn't use olso.config and so the method of configuring swift via the
[keystone_authtoken] config options will not work. Go back to configuring swift
manually.
This will need to be fixed in either keystonemiddleware or swift as configuring
via plugin is the path to v3 authentication, service domains and new forms of
service user authentication.
Closes-Bug: #1415795
Change-Id: Ibe27116a11756072d5a300a6d3691c5f8c32317e
The default project means that a user gains token scoping information
for a project if they don't specify another. This is something we want
to discourage for user creation. User's should specify there own
authentication scope when they authenticate.
Change-Id: I42c3060d59edfcd44d04cd166bad500419dd99bc
This makes a bunch of variable cleanups that will let -o nounset
function, for the time being we hide nounset behind another setting
variable so that it's not on by default.
Because this is bash, and things are only executed on demand, this
probably only works in the config it was run in. Expect cleaning up
all the paths to be something that takes quite a while.
This also includes a new set of unit tests around the trueorfalse
function, because my change in how it worked, didn't. Tests are good
m'kay.
Change-Id: I71a896623ea9e1f042a73dc0678ce85acf0dc87d
The reseller_prefix option cannot be added to the
swift-proxy-server.conf-sample file because it
inadvertently gets set to "TEMPAUTH" and Tempest
tests fail.
Change-Id: Ib08d6fa1926531b8966151258eae6771c99c41ca
Closes-Bug: 1404226
With gerrit 2.8, and the new change screen, this will trigger syntax
highlighting in gerrit. Thus making reviewing code a lot nicer.
Change-Id: Id238748417ffab53e02d59413dba66f61e724383
We're using all the magic variables based on python-fooclient, however
all the inline code was using fooclient for variables. So we had a
mismatch, which was kindly pointed out by some of the 3rd party ci
testers.
Change-Id: I27a56222c7e8e610fba8bf97672d2a42f5cf14ca
expand the devstack support for libraries from released versions to
support python-* clients and tempest_lib.
Depends-On: I81b0d228e7769758c61e5b0323ecfce8c8886d39
Change-Id: I26fac0ccf8fd4818e24618d56bf04b32306f88f6
Swift has functional tests that check access controls
between users and projects in differing domains. Those tests
are currently skipped by default since swift tests are
configured to use keystone v2 API. In order for those
tests to pass when using keystone v3 API, a user and
project must be setup in a non-default domain.
This patch creates a domain, and a user and project in
that domain, in support of swift functional tests moving
to using keystone v3 API.
Changes:
lib/swift
- create a new domain, project and user for
swift testing
- add new project and user credentials to swift
test config file
- set correct identity service url in swift test
config file according to kesytone API version
functions-common
- add function get_or_create_domain
- modify get_or_create_user and get_or_create_project
functions to optionally specify a domain
Change-Id: I557de01bf196075f2f3adcdf4dd1b43756d8a0ae
I did a similar change in I8ba180be036836f37ebdbb6da36ff0be486c043e
but I guess somehow missed these ... maybe I forgot to add them to the
change.
As described originally, this causes TOT bashate to fail, so fix this
up before it gets released.
Change-Id: I5580cb46f1c8bd71c631549aab78428d95a6dc51
Id02ebdfa5cb3f6c763293876c6bb031184ebd663 introduced a small
regression which makes the command x509-create-cert fail with
'ERROR (CommandError): Invalid OpenStack Nova credentials.' for
Swift users.
The handling of specific password for Swift users was introduced
in Ifb57a43aad439ffe041e98465719a8a8eceae544
Change-Id: I3f328b1358bad0bdf7056796eabfe846dd5bae3a
Newer version of container-sync feature is introduced in Swift ver. 1.12.0.
The spec:
http://docs.openstack.org/developer/swift/overview_container_sync.html
Before this commit, Devstack does not configure any realm used in
container-sync, therefore this feature does not work.
To test this feature in CI system, moreover to show the sample
configuration of realms, Devstack now edits realms configuration file.
Change-Id: I9f1e3224403e08e725a989162729470357fe90b0
Closes-Bug: 1378646
Make the sed the command to change the recon_cache_path into the renamed
generate_swift_config_services
Change-Id: I6092c26836320fab607eb9cd07f63189a9ba1ddd
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certicates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generate root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
Each project was configuring the auth_token middleware using several
lines of inisets. Since all the projects should configure the
auth_token middleware in the same way create a function and call it.
Change-Id: I3b6727d5a3bdc0ca600d8faa23bc6db32bb32260
Keep the default to 1 instead of going wild, cause Swift really would
kill the VM if we let it go (and keeps the old behavior).
Change-Id: I7449c1bb485459169b8870c871b887cbab8be865
run_process will use screen if USE_SCREEN=True (the default),
otherwise it will simply start the requested service. Therefore
wherever screen_it used, run_process can be instead.
Where stop_screen was found it has been replaced with stop_process.
A tail_log function has been added which will tail a logfile in a
screen if USE_SCREEN is True.
lib/template has been updated to reflect the use of the new
functions.
When using sg the quoting in run_process gets very complicated.
To get around this run_process and the functions it calls accepts
an optional third argument. If set it is a group to be used with sg.
Change-Id: Ia3843818014f7c6c7526ef3aa9676bbddb8a85ca
An error occurs because ANOTHER_ROLE variable in lib/swift is not set.
This patch gets and sets the value to another_role variable.
Change-Id: I9d67ce243eb6bb42ed7e3522ef816295847d48fa
Closes-Bug: #1363884
$[ is deprecated for the more familiar $((
Required when bash8 starts testing from tox and [1] goes in
[1] https://review.openstack.org/#/c/117430/
Change-Id: I8ba180be036836f37ebdbb6da36ff0be486c043e
Added a global toggle for enabling HTTPD + mod_wsgi for services
that default deploy to running under Apache. When the variable
``ENABLE_HTTPD_MOD_WSGI_SERVICES`` is set to ``True`` any service
that recommends deploying under HTTPD + mod_wsgi, will be run
under Apache.
If ``ENABLE_HTTPD_MOD_WSGI_SERVICES`` is set to ``False`` the
any service that is defaulted to running under HTTPD + mod_wsgi
will (if capable) be run in an alternate deployment strategy (e.g.
eventlet).
Updated Swift and Keystone to have individual toggles for deploying
under HTTPD + mod_wsgi. This is done to allow for gate to run on
the services under mod_wsgi where appropriate. Toggles are
``KEYSTONE_USE_MOD_WSGI`` and ``SWIFT_USE_MOD_WSGI`` and are both
defaulted to "False" (do not deploy under HTTPD + mod_wsgi).
Change-Id: Id3b121b8f1cde369d184b586e0d875bdbda34813
Ceilometer filter was previously removed from the Swift
configuration to avoid useless Ceilometer logs in the Swift
ones. This was fixed by setting only warning log level for
this Ceilometer part of the pipeline to keep only important
ones.
Change-Id: I8c41355bb98dbf3bb59ec792221b05ea936086b7
Partial-Bug: #1294789
On Ubuntu 14.04, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
files are 000-default.conf and default-ssl.conf.
On Ubuntu 12.04, the site configuration file may have any format, as long as it is in
/etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
sites' files are default and default-ssl.
On Fedora, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
On RHEL and CentOS, things should hopefully work as in Fedora.
This change puts all distribution-related site configuration file name differences in lib/apache and
the other services gets the file name for its sites using the new exported function
apache_site_config_for <sitename>.
It also makes Fedora disabled sites use the .conf.disabled suffix instead of removing the .conf from
the file name.
The table below summarizes what should happen on each distribution:
+----------------------+--------------------+--------------------------+--------------------------+
| Distribution | File name | Site enabling command | Site disabling command |
+----------------------+--------------------+--------------------------+--------------------------+
| Ubuntu 12.04 | site | a2ensite site | a2dissite site |
| Ubuntu 14.04 | site.conf | a2ensite site | a2dissite site |
| Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
+----------------------+--------------------+--------------------------+--------------------------+
Change-Id: Ia2ba3cb7caccb6e9b65380f9d51d9d21180b894e
Closes-bug: #1313765
