#!/bin/bash # # lib/magnum # Functions to control the configuration and operation of the **magnum** service # Dependencies: # # - ``functions`` file # - ``DEST``, ``DATA_DIR``, ``STACK_USER`` must be defined # - ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined # ``stack.sh`` calls the entry points in this order: # # - install_magnum # - configure_magnum # - create_magnum_conf # - init_magnum # - magnum_register_image # - start_magnum # - configure_iptables # - stop_magnum # - cleanup_magnum # Save trace setting XTRACE=$(set +o | grep xtrace) set +o xtrace # Defaults # -------- # Set up default directories MAGNUM_REPO=${MAGNUM_REPO:-${GIT_BASE}/openstack/magnum.git} MAGNUM_BRANCH=${MAGNUM_BRANCH:-master} MAGNUM_DIR=$DEST/magnum GITREPO["python-magnumclient"]=${MAGNUMCLIENT_REPO:-${GIT_BASE}/openstack/python-magnumclient.git} GITBRANCH["python-magnumclient"]=${MAGNUMCLIENT_BRANCH:-master} GITDIR["python-magnumclient"]=$DEST/python-magnumclient MAGNUM_STATE_PATH=${MAGNUM_STATE_PATH:=$DATA_DIR/magnum} MAGNUM_AUTH_CACHE_DIR=${MAGNUM_AUTH_CACHE_DIR:-/var/cache/magnum} MAGNUM_CONF_DIR=/etc/magnum MAGNUM_CONF=$MAGNUM_CONF_DIR/magnum.conf MAGNUM_POLICY_JSON=$MAGNUM_CONF_DIR/policy.json MAGNUM_API_PASTE=$MAGNUM_CONF_DIR/api-paste.ini if is_ssl_enabled_service "magnum" || is_service_enabled tls-proxy; then MAGNUM_SERVICE_PROTOCOL="https" fi # Public facing bits MAGNUM_SERVICE_HOST=${MAGNUM_SERVICE_HOST:-$HOST_IP} MAGNUM_SERVICE_PORT=${MAGNUM_SERVICE_PORT:-9511} MAGNUM_SERVICE_PORT_INT=${MAGNUM_SERVICE_PORT_INT:-19511} MAGNUM_SERVICE_PROTOCOL=${MAGNUM_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD=${MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD:-secret} MAGNUM_SWIFT_REGISTRY_CONTAINER=${MAGNUM_SWIFT_REGISTRY_CONTAINER:-docker_registry} # Support entry points installation of console scripts if [[ -d $MAGNUM_DIR/bin ]]; then MAGNUM_BIN_DIR=$MAGNUM_DIR/bin else MAGNUM_BIN_DIR=$(get_python_exec_prefix) fi if is_service_enabled ir-api; then MAGNUM_CONFIGURE_IPTABLES=${MAGNUM_CONFIGURE_IPTABLES:-False} fi # Functions # --------- # Test if any magnum services are enabled # is_magnum_enabled function is_magnum_enabled { [[ ,${ENABLED_SERVICES} =~ ,"m-" ]] && return 0 return 1 } # cleanup_magnum() - Remove residual data files, anything left over from previous # runs that a clean run would need to clean up function cleanup_magnum { sudo rm -rf $MAGNUM_STATE_PATH $MAGNUM_AUTH_CACHE_DIR } # configure_magnum() - Set config files, create data dirs, etc function configure_magnum { # Put config files in ``/etc/magnum`` for everyone to find if [[ ! -d $MAGNUM_CONF_DIR ]]; then sudo mkdir -p $MAGNUM_CONF_DIR sudo chown $STACK_USER $MAGNUM_CONF_DIR fi install_default_policy magnum # Rebuild the config file from scratch create_magnum_conf create_api_paste_conf update_heat_policy } # create_magnum_accounts() - Set up common required magnum accounts # # Project User Roles # ------------------------------------------------------------------ # SERVICE_PROJECT_NAME magnum service function create_magnum_accounts { create_service_user "magnum" "admin" if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then local magnum_service=$(get_or_create_service "magnum" \ "container" "Magnum Container Service") get_or_create_endpoint $magnum_service \ "$REGION_NAME" \ "$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" \ "$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" \ "$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1" fi } # create_magnum_conf() - Create a new magnum.conf file function create_magnum_conf { # (Re)create ``magnum.conf`` rm -f $MAGNUM_CONF iniset $MAGNUM_CONF DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL" iniset $MAGNUM_CONF oslo_messaging_rabbit rabbit_userid $RABBIT_USERID iniset $MAGNUM_CONF oslo_messaging_rabbit rabbit_password $RABBIT_PASSWORD iniset $MAGNUM_CONF oslo_messaging_rabbit rabbit_host $RABBIT_HOST iniset $MAGNUM_CONF database connection `database_connection_url magnum` iniset $MAGNUM_CONF api host "$MAGNUM_SERVICE_HOST" iniset $MAGNUM_CONF api port "$MAGNUM_SERVICE_PORT" iniset $MAGNUM_CONF oslo_policy policy_file $MAGNUM_POLICY_JSON iniset $MAGNUM_CONF keystone_auth auth_type password iniset $MAGNUM_CONF keystone_auth username magnum iniset $MAGNUM_CONF keystone_auth password $SERVICE_PASSWORD iniset $MAGNUM_CONF keystone_auth project_name $SERVICE_PROJECT_NAME iniset $MAGNUM_CONF keystone_auth project_domain_id default iniset $MAGNUM_CONF keystone_auth user_domain_id default # FIXME(pauloewerton): keystone_authtoken section is deprecated. Remove it # after deprecation period. iniset $MAGNUM_CONF keystone_authtoken admin_user magnum iniset $MAGNUM_CONF keystone_authtoken admin_password $SERVICE_PASSWORD iniset $MAGNUM_CONF keystone_authtoken admin_tenant_name $SERVICE_PROJECT_NAME configure_auth_token_middleware $MAGNUM_CONF magnum $MAGNUM_AUTH_CACHE_DIR iniset $MAGNUM_CONF keystone_auth auth_url $KEYSTONE_SERVICE_URI/v3 iniset $MAGNUM_CONF keystone_authtoken auth_uri \ ${KEYSTONE_SERVICE_PROTOCOL}://${HOST_IP}:${KEYSTONE_SERVICE_PORT}/v3 iniset $MAGNUM_CONF keystone_authtoken auth_version v3 if is_fedora || is_suse; then # magnum defaults to /usr/local/bin, but fedora and suse pip like to # install things in /usr/bin iniset $MAGNUM_CONF DEFAULT bindir "/usr/bin" fi if [ -n "$MAGNUM_STATE_PATH" ]; then iniset $MAGNUM_CONF DEFAULT state_path "$MAGNUM_STATE_PATH" iniset $MAGNUM_CONF oslo_concurrency lock_path "$MAGNUM_STATE_PATH" fi if [ "$SYSLOG" != "False" ]; then iniset $MAGNUM_CONF DEFAULT use_syslog "True" fi # Format logging if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then setup_colorized_logging $MAGNUM_CONF DEFAULT else # Show user_name and project_name instead of user_id and project_id iniset $MAGNUM_CONF DEFAULT logging_context_format_string "%(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s %(user_name)s %(project_name)s] %(instance)s%(message)s" fi # Register SSL certificates if provided if is_ssl_enabled_service magnum; then ensure_certificates MAGNUM iniset $MAGNUM_CONF DEFAULT ssl_cert_file "$MAGNUM_SSL_CERT" iniset $MAGNUM_CONF DEFAULT ssl_key_file "$MAGNUM_SSL_KEY" iniset $MAGNUM_CONF DEFAULT enabled_ssl_apis "$MAGNUM_ENABLED_APIS" fi if is_service_enabled ceilometer; then iniset $MAGNUM_CONF oslo_messaging_notifications driver "messaging" fi if is_service_enabled barbican; then iniset $MAGNUM_CONF certificates cert_manager_type "barbican" else MAGNUM_LOCAL_CERT_DIR=${MAGNUM_LOCAL_CERT_DIR:-/var/lib/magnum/certificates/} if [[ ! -d $MAGNUM_LOCAL_CERT_DIR ]]; then sudo mkdir -p $MAGNUM_LOCAL_CERT_DIR sudo chown $STACK_USER $MAGNUM_LOCAL_CERT_DIR fi iniset $MAGNUM_CONF certificates storage_path "$MAGNUM_LOCAL_CERT_DIR" iniset $MAGNUM_CONF certificates cert_manager_type "local" fi trustee_domain_id=$(get_or_create_domain magnum 'Owns users and projects created by magnum') trustee_domain_admin_id=$(get_or_create_user trustee_domain_admin $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD $trustee_domain_id) openstack --os-auth-url $KEYSTONE_SERVICE_URI_V3 \ --os-identity-api-version 3 role add \ --user $trustee_domain_admin_id --domain $trustee_domain_id \ admin iniset $MAGNUM_CONF trust trustee_domain_id $trustee_domain_id iniset $MAGNUM_CONF trust trustee_domain_admin_id $trustee_domain_admin_id iniset $MAGNUM_CONF trust trustee_domain_admin_password $MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD iniset $MAGNUM_CONF cinder_client region_name $REGION_NAME if is_service_enabled swift; then iniset $MAGNUM_CONF docker_registry swift_region $REGION_NAME iniset $MAGNUM_CONF docker_registry swift_registry_container $MAGNUM_SWIFT_REGISTRY_CONTAINER fi } function create_api_paste_conf { # copy api_paste.ini cp $MAGNUM_DIR/etc/magnum/api-paste.ini $MAGNUM_API_PASTE } function update_heat_policy { # enable stacks global_index search so that magnum can use # list(global_tenant=True) sed -i 's/\("stacks:global_index":\).*$/\1 "role:admin",/' $HEAT_CONF_DIR/policy.json } # create_magnum_cache_dir() - Part of the init_magnum() process function create_magnum_cache_dir { # Create cache dir sudo mkdir -p $MAGNUM_AUTH_CACHE_DIR sudo chown $STACK_USER $MAGNUM_AUTH_CACHE_DIR rm -f $MAGNUM_AUTH_CACHE_DIR/* } # init_magnum() - Initialize databases, etc. function init_magnum { # Only do this step once on the API node for an entire cluster. if is_service_enabled $DATABASE_BACKENDS && is_service_enabled magnum-api; then # (Re)create magnum database recreate_database magnum # Migrate magnum database $MAGNUM_BIN_DIR/magnum-db-manage upgrade fi create_magnum_cache_dir } # magnum_register_image - Register heat image for magnum with property os_distro function magnum_register_image { local magnum_image_property="--property os_distro=" local atomic="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io 'atomic' || true;)" if [ ! -z "$atomic" ]; then magnum_image_property=$magnum_image_property"fedora-atomic" fi local ubuntu="$(echo $MAGNUM_GUEST_IMAGE_URL | grep -io "ubuntu" || true;)" if [ ! -z "$ubuntu" ]; then magnum_image_property=$magnum_image_property"ubuntu" fi openstack --os-url $GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT --os-image-api-version 1 image set $(basename "$MAGNUM_GUEST_IMAGE_URL" ".qcow2") $magnum_image_property } # install_magnumclient() - Collect source and prepare function install_magnumclient { if use_library_from_git "python-magnumclient"; then git_clone_by_name "python-magnumclient" setup_dev_lib "python-magnumclient" fi } # install_magnum() - Collect source and prepare function install_magnum { git_clone $MAGNUM_REPO $MAGNUM_DIR $MAGNUM_BRANCH setup_develop $MAGNUM_DIR } # start_magnum_api() - Start the API process ahead of other things function start_magnum_api { # Get right service port for testing local service_port=$MAGNUM_SERVICE_PORT local service_protocol=$MAGNUM_SERVICE_PROTOCOL if is_service_enabled tls-proxy; then service_port=$MAGNUM_SERVICE_PORT_INT service_protocol="http" fi run_process magnum-api "$MAGNUM_BIN_DIR/magnum-api" echo "Waiting for magnum-api to start..." if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$MAGNUM_SERVICE_HOST:$service_port; then die $LINENO "magnum-api did not start" fi # Start proxies if enabled if is_service_enabled tls-proxy; then start_tls_proxy '*' $MAGNUM_SERVICE_PORT $MAGNUM_SERVICE_HOST $MAGNUM_SERVICE_PORT_INT & start_tls_proxy '*' $EC2_SERVICE_PORT $MAGNUM_SERVICE_HOST $EC2_SERVICE_PORT_INT & fi } # configure_iptables() - Configure the IP table rules for Magnum function configure_iptables { if [ "$MAGNUM_CONFIGURE_IPTABLES" != "False" ]; then ROUTE_TO_INTERNET=$(ip route get 8.8.8.8) OBOUND_DEV=$(echo ${ROUTE_TO_INTERNET#*dev} | awk '{print $1}') sudo iptables -t nat -A POSTROUTING -o $OBOUND_DEV -j MASQUERADE # bay nodes will access magnum-api (port $MAGNUM_SERVICE_PORT) to get CA certificate. sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $MAGNUM_SERVICE_PORT -j ACCEPT || true sudo iptables -I INPUT -d $HOST_IP -p tcp --dport $KEYSTONE_SERVICE_PORT -j ACCEPT || true fi } # start_magnum() - Start running processes, including screen function start_magnum { # ``run_process`` checks ``is_service_enabled``, it is not needed here start_magnum_api run_process magnum-cond "$MAGNUM_BIN_DIR/magnum-conductor" } # stop_magnum() - Stop running processes (non-screen) function stop_magnum { for serv in magnum-api magnum-cond; do stop_process $serv done } # Restore xtrace $XTRACE