use "crux" for creating users/endpoints
this patch introduces the "crux" [1] tool for creating keystone users, services, and endpoints in an idempotent fashion. E.g., to create a user that doesn't exist: $ crux user-create -n lars -t lars -p secret creating new tenant created tenant lars (d74cec5023c4428da533066bb11943db) creating new user lars created user lars (adf2c2d92e894a3d90a403c5885f192e) And performing the same operation a second time: $ crux user-create -n lars -t lars -p secret using existing tenant lars (d74cec5023c4428da533066bb11943db) using existing user lars (adf2c2d92e894a3d90a403c5885f192e) The behavior is similar for creating keystone endpoints. [1]: https://github.com/larsks/crux Change-Id: I694e0c1bdcdde595e1af2ee8ef5d0f239a9ad4cd
This commit is contained in:
parent
cab0499c66
commit
9414ab5cad
@ -2,10 +2,13 @@ FROM kollaglue/fedora-rdo-base
|
||||
MAINTAINER Lars Kellogg-Stedman <lars@redhat.com>
|
||||
|
||||
#Install required packages
|
||||
RUN yum -y install dnf dnf-plugins-core; yum clean all
|
||||
RUN dnf copr enable -y larsks/crux
|
||||
RUN yum install -y openstack-keystone \
|
||||
openstack-utils \
|
||||
mariadb \
|
||||
&& yum clean all
|
||||
crux \
|
||||
; yum clean all
|
||||
|
||||
ADD ./start.sh /start.sh
|
||||
|
||||
|
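Review bot: The install step `RUN yum install -y openstack-keystone \ openstack-utils \ mariadb \ crux \ ; yum clean all` now joins the install and the cleanup with `;`, so the RUN step's exit status is that of `yum clean all` and a failed package install (for instance when the COPR repository is unreachable at build time) no longer fails the image build; keep the conjunction the removed line used, `&& yum clean all`. The new `RUN dnf copr enable -y larsks/crux` pulls crux from a personal COPR repository with no version pin, so what ends up in the image depends on whatever that repository serves when the build runs; pinning the crux version in the install line and recording the dependency in a comment, e.g. `# crux (idempotent keystone user/endpoint tool) is installed from the larsks/crux COPR; pin its version before relying on this image`, would make rebuilds reproducible.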
@ -2,82 +2,75 @@
|
||||
|
||||
# Exit the container if MariaDB is not yet up - then depend on kube to restart
|
||||
if [ -z "$MARIADBMASTER_PORT_3306_TCP_PORT" ]; then
|
||||
exit 1
|
||||
exit 1
|
||||
fi
|
||||
|
||||
: ${KEYSTONE_ADMIN_PASSWORD:=kolla}
|
||||
: ${ADMIN_TENANT_NAME:=admin}
|
||||
|
||||
if ! [ "$KEYSTONE_ADMIN_TOKEN" ]; then
|
||||
KEYSTONE_ADMIN_TOKEN=$(openssl rand -hex 15)
|
||||
KEYSTONE_ADMIN_TOKEN=$(openssl rand -hex 15)
|
||||
fi
|
||||
|
||||
if ! [ "$KEYSTONE_DB_PASSWORD" ]; then
|
||||
KEYSTONE_DB_PASSWORD=$(openssl rand -hex 15)
|
||||
KEYSTONE_DB_PASSWORD=$(openssl rand -hex 15)
|
||||
fi
|
||||
|
||||
mysql -h ${MARIADBMASTER_PORT_3306_TCP_ADDR} -u root -p${DB_ROOT_PASSWORD} mysql <<EOF
|
||||
CREATE DATABASE IF NOT EXISTS keystone;
|
||||
GRANT ALL PRIVILEGES ON keystone.* TO
|
||||
'keystone'@'%' IDENTIFIED BY '${KEYSTONE_DB_PASSWORD}'
|
||||
'keystone'@'%' IDENTIFIED BY '${KEYSTONE_DB_PASSWORD}'
|
||||
EOF
|
||||
|
||||
crudini --set /etc/keystone/keystone.conf \
|
||||
database \
|
||||
connection \
|
||||
"mysql://keystone:${KEYSTONE_DB_PASSWORD}@${MARIADBMASTER_PORT_3306_TCP_ADDR}:${MARIADBMASTER_PORT_3306_TCP_PORT}/keystone"
|
||||
database \
|
||||
connection \
|
||||
"mysql://keystone:${KEYSTONE_DB_PASSWORD}@${MARIADBMASTER_PORT_3306_TCP_ADDR}:${MARIADBMASTER_PORT_3306_TCP_PORT}/keystone"
|
||||
crudini --set /etc/keystone/keystone.conf \
|
||||
DEFAULT \
|
||||
admin_token \
|
||||
"${KEYSTONE_ADMIN_TOKEN}"
|
||||
DEFAULT \
|
||||
admin_token \
|
||||
"${KEYSTONE_ADMIN_TOKEN}"
|
||||
crudini --del /etc/keystone/keystone.conf \
|
||||
DEFAULT \
|
||||
log_file
|
||||
DEFAULT \
|
||||
log_file
|
||||
crudini --del /etc/keystone/keystone.conf \
|
||||
DEFAULT \
|
||||
log_dir
|
||||
DEFAULT \
|
||||
log_dir
|
||||
crudini --set /etc/keystone/keystone.conf DEFAULT use_stderr True
|
||||
|
||||
cat /etc/keystone/keystone.conf
|
||||
|
||||
/usr/bin/keystone-manage db_sync
|
||||
|
||||
/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
|
||||
|
||||
MY_IP=$(ip route get $(ip route | awk '$1 == "default" {print $3}') |
|
||||
awk '$4 == "src" {print $5}')
|
||||
if [ -z "$KEYSTONEMASTER_35357_PORT_35357_TCP_ADDR" ]; then
|
||||
KEYSTONEMASTER_35357_PORT_35357_TCP_ADDR=$MY_IP
|
||||
fi
|
||||
if [ -z "$KEYSTONEMASTER_5000_PORT_5000_TCP_ADDR" ]; then
|
||||
KEYSTONEMASTER_5000_PORT_5000_TCP_ADDR=$MY_IP
|
||||
fi
|
||||
|
||||
/usr/bin/keystone-all &
|
||||
PID=$!
|
||||
|
||||
# TODO(sdake) better would be to retry each keystone operation
|
||||
/usr/bin/sleep 5
|
||||
|
||||
export SERVICE_TOKEN="${KEYSTONE_ADMIN_TOKEN}"
|
||||
export SERVICE_ENDPOINT="http://127.0.0.1:35357/v2.0"
|
||||
SERVICE_ENDPOINT_ADMIN="http://${KEYSTONEMASTER_35357_PORT_35357_TCP_ADDR}:35357/v2.0"
|
||||
SERVICE_ENDPOINT_USER="http://${KEYSTONEMASTER_5000_PORT_5000_TCP_ADDR}:5000/v2.0"
|
||||
|
||||
# Create the admin user
|
||||
/usr/bin/keystone user-create --name admin --pass ${KEYSTONE_ADMIN_PASSWORD}
|
||||
/usr/bin/keystone role-create --name admin
|
||||
/usr/bin/keystone tenant-create --name ${ADMIN_TENANT_NAME}
|
||||
/usr/bin/keystone user-role-add --user admin --role admin --tenant ${ADMIN_TENANT_NAME}
|
||||
# wait for keystone to become active
|
||||
while ! curl -o /dev/null -s --fail ${SERVICE_ENDPOINT}; do
|
||||
sleep 1;
|
||||
done
|
||||
|
||||
# Create the keystone service and endpoint
|
||||
/usr/bin/keystone service-create --name=keystone --type=identity --description="Identity Service"
|
||||
export SERVICE_ENDPOINT_USER="http://${KEYSTONEMASTER_PORT_5000_TCP_ADDR}:5000/v2.0"
|
||||
export SERVICE_ENDPOINT_ADMIN="http://${KEYSTONEMASTER_PORT_35357_TCP_ADDR}:35357/v2.0"
|
||||
/usr/bin/keystone endpoint-create \
|
||||
--region RegionOne \
|
||||
--service-id=`keystone service-list | grep keystone | tr -s ' ' | cut -d \ -f 2` \
|
||||
--publicurl=${SERVICE_ENDPOINT_USER} \
|
||||
--internalurl=${SERVICE_ENDPOINT_USER} \
|
||||
--adminurl=http:${SERVICE_ENDPOINT_ADMIN}
|
||||
|
||||
|
||||
# TODO(sdake) better would be to validate the database for the endpoint
|
||||
/usr/bin/sleep 5
|
||||
crux user-create -n admin -p "${KEYSTONE_ADMIN_PASSWORD}" -t admin -r admin
|
||||
crux endpoint-create -n keystone -t identity \
|
||||
-I "${SERVICE_ENDPOINT_USER}" \
|
||||
-A "${SERVICE_ENDPOINT_ADMIN}"
|
||||
|
||||
kill -TERM $PID
|
||||
|
||||
# TODO(sdake) better here would be to check ps for the existance of $PID
|
||||
/usr/bin/sleep 2
|
||||
|
||||
echo "Running keystone service."
|
||||
exec /usr/bin/keystone-all
|
||||
|
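Review bot: The new `crux user-create -n admin -p "${KEYSTONE_ADMIN_PASSWORD}" -t admin -r admin` hard-codes the tenant name, whereas the replaced `keystone tenant-create --name ${ADMIN_TENANT_NAME}` honoured the `ADMIN_TENANT_NAME` variable that the script defaults to `admin` near its top; if that default line is retained, the variable is now dead and an operator who sets it still gets a tenant named `admin`. Pass it through instead: `crux user-create -n admin -p "${KEYSTONE_ADMIN_PASSWORD}" -t "${ADMIN_TENANT_NAME}" -r admin`. Neither crux call's exit status is checked before `kill -TERM $PID` and the final `exec /usr/bin/keystone-all`, so a bootstrap failure (keystone not yet answering, a rejected admin token) leaves the container running without the admin user or the identity endpoint; appending `|| exit 1` to each crux invocation would surface it, and the script's first line, where a `set -e` would live, is outside the hunk. The admin password is also handed to crux on its command line, as it was to `keystone user-create --pass`, so it is visible to any other process in the container via `ps` for as long as crux runs.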