Always use the keystone V3 API when creating services and endpoints. The syntax
here is slightly different but we maintain the function interface.
Change-Id: Ib3a375918a45fd6e37d873a1a5c0c4b26bdbb5d8
Implements: bp keystonev3
By default, most Openstack services are bound to 0.0.0.0
and service endpoints are registered as IPv4 addresses.
With this change we introduce two new variables to control
this behavior:
SERVICE_IP_VERSION - can either be "4" or "6".
When set to "4" (default if not set) devstack will operate
as today - most services will open listen sockets on 0.0.0.0
and service endpoints will be registered using HOST_IP as the
address.
When set to "6" devstack services will open listen sockets on ::
and service endpoints will be registered using HOST_IPV6 as the
address.
There is no support for "4+6", more work is required for that.
HOST_IPV6 - if SERVICE_IP_VERSION=6 this must be an IPv6
address configured on the system.
Some existing services, like the Openvswitch agent, will continue
to use IPv4 addresses for things like tunnel endpoints. This is
a current restriction in the code and can be updated at a later
time. This change is just a first step to supporting IPv6-only
control and data planes in devstack.
This change is also partly based on two previous patches,
https://review.openstack.org/#/c/140519/ and
https://review.openstack.org/#/c/176898/
Change-Id: I5c0b775490ce54ab104fd5e89b20fb700212ae74
Co-Authored-By: Sean Collins <sean@coreitpro.com>
Co-Authored-By: Baodong Li <baoli@cisco.com>
Co-Authored-By: Sridhar Gaddam <sridhar.gaddam@enovance.com>
Co-Authored-By: Adam Kacmarsky <adam.kacmarsky@hp.com>
Co-Authored-By: Jeremy Alvis <jeremy.alvis@hp.com>
The gate/updown.sh calls the unstack.sh with
-ex option. Normally we do not use -e with unstack.sh.
The unstack.sh can fail if the service already stopped,
and it also can have flaky failures on the gate.
For example the stop_swift function tries to kill swift in two
different ways, and if the first one succeeds before the 2th attempt
the pkill fails the whole unstack.sh.
This change accepts kill failure.
Normally the kill can fail if the process does not exits,
or when you do not have permission to the kill operation.
Since the permission issue is very unlikely in our case,
this change does not tries to distinguish the two operation.
The behavior of the unstack.sh wen you are not using -ex should
not be changed by this change.
Change-Id: I64bf3cbe1b60c96f5b271dcfb620c3d4b50de26b
This includes requiring a domain when creating a user. This will allow us to
control where users are created in a later patch.
Adding the token to the user creation call is required because of a bad
interaction between OpenStackClient, os-client-config and keystoneclient
when dealing with v2 authentication but v3 API calls. It will be cleaned
up when we switch to v3 credentials.
Change-Id: I6ef50fd384d423bc0f13ee1016a8bdbb0650ecd9
Implements: bp keystonev3
Always use the keystone v3 API for project creation. Make domain a
required argument. Whilst we could simply default this value within the
function I think it's better to make this explicit as these are things
deployers and services need to consider.
In future we will want to figure out how we want devstack to organize domains
however I don't believe that it belongs in this patch.
Change-Id: Ib9587193c5c8419dc4b5a608246709baaddd2a52
Implements: bp keystonev3
Recently, keystoneclient.middleware has been moved from keystoneclient to
keystonemiddleware. The latter should be used.
Change-Id: Ib9489a21b988b32fc17399c08eeb60862efae034
Closes-Bug: #1452315
If SWIFT_DATA_DIR is set on local.conf we need to make sure to create
the directory with proper permissions
Change-Id: If29fa53f01b4c0c8a881ec3734383ecffac334ce
Closes-Bug: 1302893
Minimum Cinder volume size is 1GB so if Swift backend for Glance is only
1GB we can not upload volume to image.
Change-Id: Ifd4cb42bf96367ff3ada0c065fa258fa5ba635d9
This eliminated a number of sudo calls by doing the copy/chown/chmod in
a single step and sets a common pattern.
Change-Id: I9c8f48854d5bc443cc187df0948c28b82c4d2838
swift middleware contained in ceilometer is now deprecated. the
middleware is available in ceilometermiddleware.
Change-Id: I6e41986245f4d95a9385dc7829479ed1199f10ac
The keystonemiddleware 1.5.0 released 2015-03-11 supports configuring
auth plugins from the paste config file. This means that swift can now
use authentication plugins for auth_token middleware.
Change-Id: Icb9f008a57b6f75e0506cbecd0a1e0f28b7dadda
The keystone admin token supposed to be used only
for setting up keystone and it should not be used
in any other service config.
Change-Id: Iaa9be1878e89a6bc3a84a0c57fc6f5cecc371d2f
is_keystone_enabled() was calling is_service_enabled(), which is what called
is_keystone_enabled() in the first place. Make it work as designed and
also change calls to use the full service name. Note that this is all
still comptible with the prior usage of 'is_service_enabled key'.
Change-Id: I9c28377ecf074b7996461d2a4ca12d88dfc4d47e
This breaks Ironic's use of temp URLs, which the key for the service
account is configured via the Swift user.
Change-Id: I69f6f6eef4ad573f406d64d579a9811c70ac5d28
Closes-Bug: #1421006
get_or_add_user_role is specific to adding a role on a project.
Rename it to get_or_add_user_project_role to allow room for adding a
domain specific role function.
Change-Id: I999308098d22be9800578ae67144a3b687fbc3be
Most of the services create the service user with the admin permission.
This is unnecessary for token validation and they should be restricted
to only having the service role.
Change-Id: Id7a9366d2c6a36139240f64371002362dc2d8d3b
The code for creating service users is almost exactly the same. Abstract
this into a function that can be reused and standardized.
Change-Id: I3a4edbff0a928da7ef9b0097a5a8d508fdfab7ff
Swift doesn't use olso.config and so the method of configuring swift via the
[keystone_authtoken] config options will not work. Go back to configuring swift
manually.
This will need to be fixed in either keystonemiddleware or swift as configuring
via plugin is the path to v3 authentication, service domains and new forms of
service user authentication.
Closes-Bug: #1415795
Change-Id: Ibe27116a11756072d5a300a6d3691c5f8c32317e
The default project means that a user gains token scoping information
for a project if they don't specify another. This is something we want
to discourage for user creation. User's should specify there own
authentication scope when they authenticate.
Change-Id: I42c3060d59edfcd44d04cd166bad500419dd99bc
This makes a bunch of variable cleanups that will let -o nounset
function, for the time being we hide nounset behind another setting
variable so that it's not on by default.
Because this is bash, and things are only executed on demand, this
probably only works in the config it was run in. Expect cleaning up
all the paths to be something that takes quite a while.
This also includes a new set of unit tests around the trueorfalse
function, because my change in how it worked, didn't. Tests are good
m'kay.
Change-Id: I71a896623ea9e1f042a73dc0678ce85acf0dc87d
The reseller_prefix option cannot be added to the
swift-proxy-server.conf-sample file because it
inadvertently gets set to "TEMPAUTH" and Tempest
tests fail.
Change-Id: Ib08d6fa1926531b8966151258eae6771c99c41ca
Closes-Bug: 1404226
With gerrit 2.8, and the new change screen, this will trigger syntax
highlighting in gerrit. Thus making reviewing code a lot nicer.
Change-Id: Id238748417ffab53e02d59413dba66f61e724383
We're using all the magic variables based on python-fooclient, however
all the inline code was using fooclient for variables. So we had a
mismatch, which was kindly pointed out by some of the 3rd party ci
testers.
Change-Id: I27a56222c7e8e610fba8bf97672d2a42f5cf14ca
expand the devstack support for libraries from released versions to
support python-* clients and tempest_lib.
Depends-On: I81b0d228e7769758c61e5b0323ecfce8c8886d39
Change-Id: I26fac0ccf8fd4818e24618d56bf04b32306f88f6
Swift has functional tests that check access controls
between users and projects in differing domains. Those tests
are currently skipped by default since swift tests are
configured to use keystone v2 API. In order for those
tests to pass when using keystone v3 API, a user and
project must be setup in a non-default domain.
This patch creates a domain, and a user and project in
that domain, in support of swift functional tests moving
to using keystone v3 API.
Changes:
lib/swift
- create a new domain, project and user for
swift testing
- add new project and user credentials to swift
test config file
- set correct identity service url in swift test
config file according to kesytone API version
functions-common
- add function get_or_create_domain
- modify get_or_create_user and get_or_create_project
functions to optionally specify a domain
Change-Id: I557de01bf196075f2f3adcdf4dd1b43756d8a0ae
I did a similar change in I8ba180be036836f37ebdbb6da36ff0be486c043e
but I guess somehow missed these ... maybe I forgot to add them to the
change.
As described originally, this causes TOT bashate to fail, so fix this
up before it gets released.
Change-Id: I5580cb46f1c8bd71c631549aab78428d95a6dc51
Id02ebdfa5cb3f6c763293876c6bb031184ebd663 introduced a small
regression which makes the command x509-create-cert fail with
'ERROR (CommandError): Invalid OpenStack Nova credentials.' for
Swift users.
The handling of specific password for Swift users was introduced
in Ifb57a43aad439ffe041e98465719a8a8eceae544
Change-Id: I3f328b1358bad0bdf7056796eabfe846dd5bae3a
Newer version of container-sync feature is introduced in Swift ver. 1.12.0.
The spec:
http://docs.openstack.org/developer/swift/overview_container_sync.html
Before this commit, Devstack does not configure any realm used in
container-sync, therefore this feature does not work.
To test this feature in CI system, moreover to show the sample
configuration of realms, Devstack now edits realms configuration file.
Change-Id: I9f1e3224403e08e725a989162729470357fe90b0
Closes-Bug: 1378646
Make the sed the command to change the recon_cache_path into the renamed
generate_swift_config_services
Change-Id: I6092c26836320fab607eb9cd07f63189a9ba1ddd
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certicates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generate root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
Each project was configuring the auth_token middleware using several
lines of inisets. Since all the projects should configure the
auth_token middleware in the same way create a function and call it.
Change-Id: I3b6727d5a3bdc0ca600d8faa23bc6db32bb32260
Keep the default to 1 instead of going wild, cause Swift really would
kill the VM if we let it go (and keeps the old behavior).
Change-Id: I7449c1bb485459169b8870c871b887cbab8be865
