Add master node service passwords from yaml

astute.yaml now provides passwords for the
following services:
* mcollective
* astute
* cobbler
* postgres (keystone, nailgun and ostf DBs)

All statically defined passwords for these
services are now sourced from astute.yaml.
Corrected a small bug for the astute user/password
in the rabbitmq role.

Adjusted Cobbler bootstrap profile to include
mcollective credentials.

blueprint secure-fuel-master-services
blueprint access-control-master-node

Change-Id: I3db33e35ad18fd9ff258c86d8842db51b21a6931
This commit is contained in:
Matthew Mosesohn
2014-06-19 21:19:50 +04:00
parent 2430a2fa0d
commit b2b37d370f
14 changed files with 108 additions and 60 deletions


@@ -36,6 +36,10 @@ class docker::dockerctl (
group => 'root',
content => template("docker/dhcrelay.conf.erb")
}
file { "$bin_dir/get_service_credentials.py":
mode => 0755,
content => template("docker/get_service_credentials.py.erb")
}
file { "$share_dir/functions":
mode => 0644,
content => template("docker/functions.sh.erb")
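Review bot: The new `$bin_dir/get_service_credentials.py` resource sets `mode` but no `owner`/`group`, unlike the neighbouring dhcrelay.conf resource that sets `group => 'root'`, so ownership falls to whatever account runs the agent; add `owner => 'root', group => 'root',` for consistency. Since this script is the one that reads astute.yaml and prints every service credential in shell form, pinning a root owner also keeps the path from being rewritable by a less privileged account. Quoting the mode as `'0755'` avoids the unquoted-octal form that puppet-lint flags. The enclosing `docker::dockerctl` class continues outside the hunk.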


@@ -93,8 +93,16 @@ function retry_checker {
done
}
function get_service_credentials {
credentialfile=$(mktemp /tmp/servicepws.XXXXX)
get_service_credentials.py $ASTUTE_YAML > $credentialfile
. $credentialfile
rm -f $credentialfile
}
function check_ready {
#Uses a custom command to ensure a container is ready
get_service_credentials
failure=0
echo "checking container $1"
case $1 in
@@ -105,15 +113,13 @@ function check_ready {
retry_checker "shell_container cobbler cobbler profile find --name=centos* | grep -q centos"
retry_checker "shell_container cobbler cobbler profile find --name=ubuntu* | grep -q ubuntu"
retry_checker "shell_container cobbler cobbler profile find --name=bootstrap* | grep -q bootstrap" ;;
#TODO(aglarendil): unhardcode passwords
rabbitmq) retry_checker 'curl -f -L -i -u naily:naily http://127.0.0.1:15672/api/nodes 1>/dev/null 2>&1'
retry_checker "curl -f -L -u mcollective:marionette -s http://127.0.0.1:15672/api/exchanges | grep -qw 'mcollective_broadcast'"
retry_checker "curl -f -L -u mcollective:marionette -s http://127.0.0.1:15672/api/exchanges | grep -qw 'mcollective_directed'" ;;
#TODO(aglarendil): unhardcode passwords
postgres) retry_checker "PGPASSWORD=nailgun shell_container postgres psql -h 127.0.0.1 -U nailgun nailgun -c '\copyright' 2>&1 1>/dev/null" ;;
rabbitmq) retry_checker "curl -f -L -i -u \"$astute_user:$astute_password\" http://127.0.0.1:15672/api/nodes 1>/dev/null 2>&1"
retry_checker "curl -f -L -u \"$mcollective_user:$mcollective_password\" -s http://127.0.0.1:15672/api/exchanges | grep -qw 'mcollective_broadcast'"
retry_checker "curl -f -L -u \"$mcollective_user:$mcollective_password\" -s http://127.0.0.1:15672/api/exchanges | grep -qw 'mcollective_directed'" ;;
postgres) retry_checker "PGPASSWORD=$postgres_nailgun_password shell_container postgres psql -h 127.0.0.1 -U \"$postgres_nailgun_user\" \"$postgres_nailgun_dbname\" -c '\copyright' 2>&1 1>/dev/null" ;;
astute) retry_checker "shell_container astute ps aux | grep -q 'astuted'"
retry_checker "curl -f -L -u naily:naily -s http://127.0.0.1:15672/api/exchanges | grep -qw 'nailgun'"
retry_checker "curl -f -L -u naily:naily -s http://127.0.0.1:15672/api/exchanges | grep -qw 'naily_service'" ;;
retry_checker "curl -f -L -u \"$astute_user:$astute_password\" -s http://127.0.0.1:15672/api/exchanges | grep -qw 'nailgun'"
retry_checker "curl -f -L -u \"$astute_user:$astute_password\" -s http://127.0.0.1:15672/api/exchanges | grep -qw 'naily_service'" ;;
rsync) retry_checker "shell_container rsync netstat -ntl | grep -q 873" ;;
rsyslog) retry_checker "shell_container rsyslog netstat -nl | grep -q 514" ;;
mcollective) retry_checker "shell_container mcollective ps aux | grep -q mcollectived" ;;
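Review bot: `get_service_credentials` never checks whether `get_service_credentials.py` succeeded, so a missing or malformed `$ASTUTE_YAML` leaves `$credentialfile` empty, the `.` silently sources nothing, and every later check runs with empty `$astute_user`/`$mcollective_password` and fails in a way that looks like a broken service rather than a missing config. Make the failure explicit and quote the paths: `get_service_credentials.py "$ASTUTE_YAML" > "$credentialfile" || { rm -f "$credentialfile"; echo "cannot read credentials from $ASTUTE_YAML"; return 1; }`. Because the sourced file is produced with plain `'%s'` quoting, a password containing a single quote or a `$` will break or alter the sourced script, and the `-u \"$user:$password\"` strings handed to `retry_checker` are presumably re-expanded by the shell there, so special characters in a generated password would need escaping at that point too. Note that `-u user:password` on the curl command line is visible in the process list for the duration of each check, as it was before this change. `check_ready` continues past the end of the hunk.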


@@ -0,0 +1,14 @@
#!/usr/bin/python
import sys
import yaml
astuteyaml=sys.argv[1]
data=yaml.load(open(astuteyaml))
for outerkey in data.keys():
if isinstance(data[outerkey], dict):
for innerkey in data[outerkey].keys():
print("%s_%s=\'%s\'" % (outerkey, innerkey, data[outerkey][innerkey]))
else:
print("%s=\'%s\'" % (outerkey, data[outerkey]))
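Review bot: The values are written as `'%s'` with no escaping, so a password that contains a single quote (or a key that is not a valid shell identifier) produces a file that fails to source or, worse, is executed as shell code by the `.` in functions.sh; the helper below shell-quotes every value with `pipes.quote` (add `import pipes` beside the existing imports). `yaml.load` should be `yaml.safe_load`: astute.yaml is operator-controlled, but nothing in this script needs arbitrary Python object construction, and the handle from `open(astuteyaml)` is never closed. Non-scalar values (lists, deeper dicts) are still printed with their Python repr, so a comment at the top of the script stating that only scalars and one level of mapping are supported would help the next person who adds a structured key to astute.yaml.
```python
# … unchanged: shebang and imports (add `import pipes`) …

def emit(name, value):
    # pipes.quote wraps the value so a ' or $ in a password cannot
    # terminate the assignment or be expanded when the file is sourced.
    print("%s=%s" % (name, pipes.quote(str(value))))

with open(sys.argv[1]) as astutefile:
    data = yaml.safe_load(astutefile)
for outerkey, outervalue in data.items():
    if isinstance(outervalue, dict):
        for innerkey, innervalue in outervalue.items():
            emit("%s_%s" % (outerkey, innerkey), innervalue)
    else:
        emit(outerkey, outervalue)
```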


@@ -5,8 +5,8 @@ $mco_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$mco_pskey = "unset"
$mco_vhost = "mcollective"
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_connector = "rabbitmq"
class { "mcollective::client":
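Review bot: `$::fuel_settings['mcollective']['user']` and `['password']` are read without any check that the keys exist, so an astute.yaml generated before this change yields undef (in Puppet 3) and `mcollective::client` is configured with empty credentials instead of failing at catalog compile time; consider `if ! $mco_password { fail('mcollective password is not set in astute.yaml') }` right after the assignment. The same unguarded lookups appear in the mcollective server section and in the master, cobbler, nailgun, ostf, postgres and rabbitmq manifests below for the `astute`, `cobbler` and `postgres` settings, and should get the same check or a single validation wherever `$::fuel_settings` is built. The enclosing scope is outside the hunk.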


@@ -5,8 +5,8 @@ $mco_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$mco_pskey = "unset"
$mco_vhost = "mcollective"
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_connector = "rabbitmq"
class { "mcollective::server":


@@ -23,12 +23,12 @@ $postgres_default_version = '8.4'
$mco_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$mco_pskey = "unset"
$mco_vhost = "mcollective"
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_connector = "rabbitmq"
$rabbitmq_astute_user = "naily"
$rabbitmq_astute_password = "naily"
$rabbitmq_astute_user = $::fuel_settings['astute']['user']
$rabbitmq_astute_password = $::fuel_settings['astute']['password']
node default {


@@ -27,8 +27,8 @@ node default {
]
$cobbler_url = "http://${::fuel_settings['ADMIN_NETWORK']['ipaddress']}/cobbler_api"
$cobbler_user = "cobbler"
$cobbler_password = "cobbler"
$cobbler_user = $::fuel_settings['cobbler']['user']
$cobbler_password = $::fuel_settings['cobbler']['password']
$nailgun_api_url = "http://${::fuel_settings['ADMIN_NETWORK']['ipaddress']}:8000/api"
if $production == "docker-build" {
$cobbler_host = $::ipaddress
@@ -49,12 +49,12 @@ node default {
$mco_pskey = "unset"
$mco_vhost = "mcollective"
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_connector = "rabbitmq"
$rabbitmq_naily_user = "naily"
$rabbitmq_naily_password = "naily"
$rabbitmq_naily_user = $::fuel_settings['astute']['user']
$rabbitmq_naily_password = $::fuel_settings['astute']['password']
$repo_root = "/var/www/nailgun"
$pip_repo = "/var/www/nailgun/eggs"
@@ -72,6 +72,10 @@ node default {
server => '127.0.0.1',
name_server => $cobbler_host,
next_server => $cobbler_host,
mco_user => $mco_user,
mco_pass => $mco_password,
dns_upstream => $dns_upstream,
dhcp_start_address => $dhcp_start_address,
dhcp_end_address => $dhcp_end_address,


@@ -45,19 +45,19 @@ $pip_find_links = "-f ${pip_repo}"
$templatedir = $staticdir
$rabbitmq_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$rabbitmq_astute_user = "naily"
$rabbitmq_astute_password = "naily"
$rabbitmq_astute_user = $::fuel_settings['astute']['user']
$rabbitmq_astute_password = $::fuel_settings['astute']['password']
$cobbler_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$cobbler_url = "http://${::fuel_settings['ADMIN_NETWORK']['ipaddress']}:80/cobbler_api"
$cobbler_user = "cobbler"
$cobbler_password = "cobbler"
$cobbler_user = $::fuel_settings['cobbler']['user']
$cobbler_password = $::fuel_settings['cobbler']['password']
$mco_pskey = "unset"
$mco_vhost = "mcollective"
$mco_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_connector = "rabbitmq"
#deprecated
@@ -78,12 +78,12 @@ class { "nailgun::venv":
nailgun_user => $nailgun_user,
nailgun_group => $nailgun_group,
database_name => "nailgun",
database_name => $::fuel_settings['postgres']['nailgun_dbname'],
database_engine => "postgresql",
database_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
database_port => "5432",
database_user => "nailgun",
database_passwd => "nailgun",
database_user => $::fuel_settings['postgres']['nailgun_user'],
database_passwd => $::fuel_settings['postgres']['nailgun_password'],
staticdir => $staticdir,
templatedir => $templatedir,


@@ -34,8 +34,9 @@ node default {
class { "nailgun::ostf":
production => $production,
pip_opts => "${pip_index} ${pip_find_links}",
dbuser => 'ostf',
dbpass => 'ostf',
dbname => $::fuel_settings['postgres']['ostf_dbname'],
dbuser => $::fuel_settings['postgres']['ostf_user'],
dbpass => $::fuel_settings['postgres']['ostf_password'],
dbhost => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],
dbport => '5432',
nailgun_host => $::fuel_settings['ADMIN_NETWORK']['ipaddress'],


@@ -11,11 +11,11 @@ class { 'postgresql::server':
}
# nailgun db and grants
$database_name = "nailgun"
$database_name = $::fuel_settings['postgres']['nailgun_dbname']
$database_engine = "postgresql"
$database_port = "5432"
$database_user = "nailgun"
$database_passwd = "nailgun"
$database_user = $::fuel_settings['postgres']['nailgun_user']
$database_passwd = $::fuel_settings['postgres']['nailgun_password']
class { "nailgun::database":
user => $database_user,
@@ -23,14 +23,26 @@ class { "nailgun::database":
dbname => $database_name,
}
# ostf db and grants
$dbuser = 'ostf'
$dbpass = 'ostf'
$dbname = 'ostf'
# keystone db and grants
$keystone_dbname = $::fuel_settings['postgres']['keystone_dbname']
$keystone_dbuser = $::fuel_settings['postgres']['keystone_user']
$keystone_dbpass = $::fuel_settings['postgres']['keystone_password']
postgresql::db{ $dbname:
user => $dbuser,
password => $dbpass,
postgresql::db { $keystone_dbname:
user => $keystone_dbuser,
password => $keystone_dbpass,
grant => 'all',
require => Class['::postgresql::server'],
}
# ostf db and grants
$ostf_dbname = $::fuel_settings['postgres']['ostf_dbname']
$ostf_dbuser = $::fuel_settings['postgres']['ostf_user']
$ostf_dbpass = $::fuel_settings['postgres']['ostf_password']
postgresql::db { $ostf_dbname:
user => $ostf_dbuser,
password => $ostf_dbpass,
grant => 'all',
require => Class['::postgresql::server'],
}


@@ -11,12 +11,12 @@ else {
#astute user
$rabbitmq_astute_user = "naily"
$rabbitmq_astute_password = "naily"
$rabbitmq_astute_user = $::fuel_settings['astute']['user']
$rabbitmq_astute_password = $::fuel_settings['astute']['password']
#mcollective user
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_vhost = "mcollective"
$stomp = false
@@ -41,8 +41,8 @@ file { "/var/log/rabbitmq":
class { 'nailgun::rabbitmq':
production => $production,
astute_password => $rabbitmq_astute_user,
astute_user => $rabbitmq_astute_password,
astute_user => $rabbitmq_astute_user,
astute_password => $rabbitmq_astute_password,
mco_user => $mco_user,
mco_password => $mco_password,
mco_vhost => $mco_vhost,


@@ -27,20 +27,19 @@ node default {
},
]
$cobbler_user = "cobbler"
$cobbler_password = "cobbler"
$cobbler_user = $::fuel_settings['cobbler']['user']
$cobbler_password = $::fuel_settings['cobbler']['password']
$puppet_master_hostname = "${hostname}.${domain}"
$mco_pskey = "unset"
$mco_vhost = "mcollective"
$mco_user = "mcollective"
$mco_password = "marionette"
$mco_user = $::fuel_settings['mcollective']['user']
$mco_password = $::fuel_settings['mcollective']['password']
$mco_connector = "rabbitmq"
$rabbitmq_host = $::fuel_settings['ADMIN_NETWORK']['ipaddress']
$rabbitmq_astute_user = "naily"
$rabbitmq_astute_password = "naily"
$rabbitmq_astute_user = $::fuel_settings['astute']['user']
$rabbitmq_astute_password = $::fuel_settings['astute']['password']
$repo_root = "/var/www/nailgun"
$pip_repo = "/var/www/nailgun/eggs"
@@ -75,12 +74,12 @@ node default {
# it will be path to database file while using sqlite
# (this is not implemented now)
database_name => "nailgun",
database_name => $::fuel_settings['postgres']['nailgun_dbname'],
database_engine => "postgresql",
database_host => "localhost",
database_port => "5432",
database_user => "nailgun",
database_passwd => "nailgun",
database_user => $::fuel_settings['postgres']['nailgun_user'],
database_passwd => $::fuel_settings['postgres']['nailgun_password'],
staticdir => $staticdir,
templatedir => $staticdir,


@@ -13,6 +13,9 @@ class nailgun::cobbler(
$domain_name = 'domain.tld',
$dns_search = 'domain.tld',
$mco_user = 'mcollective',
$mco_pass = 'marionette',
$dhcp_start_address,
$dhcp_end_address,
$dhcp_netmask,
@@ -162,7 +165,8 @@ class nailgun::cobbler(
distro => "bootstrap",
menu => true,
kickstart => "",
kopts => "biosdevname=0 url=http://${::fuel_settings['ADMIN_NETWORK']['ipaddress']}:8000/api",
kopts => "biosdevname=0
url=http://${::fuel_settings['ADMIN_NETWORK']['ipaddress']}:8000/api mco_user=${mco_user} mco_pass=${mco_pass}",
ksmeta => "",
server => $real_server,
require => Cobbler_distro["bootstrap"],
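Review bot: The replacement `kopts` string on the new side is two lines (the hunk counts show one line removed and two added), so the value now carries a literal newline between `biosdevname=0` and `url=...`; unless that is a rendering artifact, the newline lands in the `append` line Cobbler writes for the bootstrap profile and is likely to truncate or break the kernel command line. Keep it on one line: `kopts => "biosdevname=0 url=http://${::fuel_settings['ADMIN_NETWORK']['ipaddress']}:8000/api mco_user=${mco_user} mco_pass=${mco_pass}",`. Anything in `kopts` is served to every PXE client over TFTP and is readable in `/proc/cmdline` on the booted node, so the mcollective password placed here is effectively visible to the whole admin network; the `'mcollective'`/`'marionette'` defaults on the new class parameters also mean a caller that omits `mco_pass` silently falls back to the old well-known password rather than failing. The class body continues outside both hunks.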


@@ -220,6 +220,10 @@ class nailgun(
dns_upstream => $dns_upstream,
domain_name => $dns_domain,
dns_search => $dns_search,
mco_user => $mco_user,
mco_pass => $mco_password,
dhcp_start_address => $dhcp_start_address,
dhcp_end_address => $dhcp_end_address,
dhcp_netmask => $dhcp_netmask,