Spyros Trigazis 65dfb2009f Add openstack_ca_file configuration option
In the drivers section of magnum.conf add openstack_ca_file.
This file is expected to be a CA certificate OR a CA bundle,
which will be passed to every node and installed into
the host's CA bundle.

Update devstack plugin to use the ssl bundle if tls-proxy is
enabled.

Install the CA for drivers:
k8s_coreos_v1
k8s_fedora_atomic_v1
k8s_fedora_ironic_v1
mesos_ubuntu_v1
swarm_fedora_atomic_v1
swarm_fedora_atomic_v2

Add doc in troubleshooting-guide.

Add release notes.

Closes-Bug: #1580704
Partially-Implements: blueprint heat-agent
Change-Id: Id48fbea187da667a5e7334694c3ec17c8e2504db
2018-01-17 14:58:56 +00:00


#!/bin/bash
#
# lib/magnum
# Functions to control the configuration and operation of the **magnum** service
# Dependencies:
#
# - ``functions`` file
# - ``DEST``, ``DATA_DIR``, ``STACK_USER`` must be defined
# - ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
# ``stack.sh`` calls the entry points in this order:
#
# - install_magnum
# - configure_magnum
# - create_magnum_conf
# - init_magnum
# - magnum_register_image
# - start_magnum
# - configure_iptables_magnum
# - stop_magnum
# - cleanup_magnum
# Save the caller's xtrace setting so it can be restored at the end of this
# file; ``set +o`` prints a ``set`` command that re-applies the option.
XTRACE="$(set +o | grep xtrace)"
set +o xtrace
# Defaults
# --------

# Source tree locations
MAGNUM_REPO="${MAGNUM_REPO:-${GIT_BASE}/openstack/magnum.git}"
MAGNUM_BRANCH="${MAGNUM_BRANCH:-master}"
MAGNUM_DIR="$DEST/magnum"

GITREPO["python-magnumclient"]="${MAGNUMCLIENT_REPO:-${GIT_BASE}/openstack/python-magnumclient.git}"
GITBRANCH["python-magnumclient"]="${MAGNUMCLIENT_BRANCH:-master}"
GITDIR["python-magnumclient"]="$DEST/python-magnumclient"

# Runtime state and the auth-token cache directory
MAGNUM_STATE_PATH="${MAGNUM_STATE_PATH:-$DATA_DIR/magnum}"
MAGNUM_AUTH_CACHE_DIR="${MAGNUM_AUTH_CACHE_DIR:-/var/cache/magnum}"

# Configuration files
MAGNUM_CONF_DIR=/etc/magnum
MAGNUM_CONF="$MAGNUM_CONF_DIR/magnum.conf"
MAGNUM_API_PASTE="$MAGNUM_CONF_DIR/api-paste.ini"
MAGNUM_POLICY="$MAGNUM_CONF_DIR/policy.yaml"

# Serve the API over https when magnum terminates TLS itself or when the
# devstack tls-proxy fronts it; otherwise SERVICE_PROTOCOL applies (below).
if is_ssl_enabled_service "magnum" || is_service_enabled tls-proxy; then
    MAGNUM_SERVICE_PROTOCOL="https"
fi

# Public facing bits
MAGNUM_SERVICE_HOST="${MAGNUM_SERVICE_HOST:-$HOST_IP}"
MAGNUM_SERVICE_PORT="${MAGNUM_SERVICE_PORT:-9511}"
# Internal port the API binds to when tls-proxy sits in front of it
MAGNUM_SERVICE_PORT_INT="${MAGNUM_SERVICE_PORT_INT:-19511}"
MAGNUM_SERVICE_PROTOCOL="${MAGNUM_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}"
# Development default only; override it for any shared environment
MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD="${MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD:-secret}"
MAGNUM_SWIFT_REGISTRY_CONTAINER="${MAGNUM_SWIFT_REGISTRY_CONTAINER:-docker_registry}"

# Support entry points installation of console scripts
if [[ -d "$MAGNUM_DIR/bin" ]]; then
    MAGNUM_BIN_DIR="$MAGNUM_DIR/bin"
else
    MAGNUM_BIN_DIR="$(get_python_exec_prefix)"
fi

MAGNUM_CONFIGURE_IPTABLES="${MAGNUM_CONFIGURE_IPTABLES:-True}"
# Functions
# ---------
# is_magnum_enabled - Test if any magnum-* service is listed in ENABLED_SERVICES
# Returns 0 when at least one ``magnum-`` entry is enabled, 1 otherwise.
function is_magnum_enabled {
    # A leading comma lets the first entry match like every other one.
    if [[ ",${ENABLED_SERVICES}" == *",magnum-"* ]]; then
        return 0
    fi
    return 1
}
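# cleanup_magnum() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
#
# Both trees are removed with ``sudo rm -rf``. The ``:?`` expansion aborts
# instead of silently skipping a path when either variable is unset or empty,
# and ``--`` keeps a path starting with ``-`` from being parsed as an option.
function cleanup_magnum {
    sudo rm -rf -- "${MAGNUM_STATE_PATH:?}" "${MAGNUM_AUTH_CACHE_DIR:?}"
}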
# configure_magnum() - Set config files, create data dirs, etc
function configure_magnum {
    # Put config files in ``/etc/magnum`` for everyone to find. The directory
    # is handed to STACK_USER so the rest of the plugin can write to it
    # without sudo.
    if [[ ! -d "$MAGNUM_CONF_DIR" ]]; then
        sudo mkdir -p "$MAGNUM_CONF_DIR"
        sudo chown "$STACK_USER" "$MAGNUM_CONF_DIR"
    fi

    # Rebuild the config file from scratch
    create_magnum_conf
    create_api_paste_conf
}
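# create_magnum_accounts() - Set up common required magnum accounts
#
# Project              User       Roles
# ------------------------------------------------------------------
# SERVICE_PROJECT_NAME magnum     service
#
# Creates the ``magnum`` service user (second argument is the role it is
# given), the ``container-infra`` service and its three endpoints, which all
# point at the same v1 URL.
function create_magnum_accounts {
    create_service_user "magnum" "admin"

    # Declare and assign separately: ``local x=$(cmd)`` would hide a failing
    # ``get_or_create_service`` behind the always-zero status of ``local``.
    local magnum_service
    magnum_service=$(get_or_create_service "magnum" \
        "container-infra" "Container Infrastructure Management Service")

    local magnum_url="$MAGNUM_SERVICE_PROTOCOL://$MAGNUM_SERVICE_HOST:$MAGNUM_SERVICE_PORT/v1"
    get_or_create_endpoint "$magnum_service" \
        "$REGION_NAME" \
        "$magnum_url" \
        "$magnum_url" \
        "$magnum_url"
}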
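# create_magnum_conf() - Create a new magnum.conf file
#
# Globals read: MAGNUM_CONF, MAGNUM_POLICY, MAGNUM_STATE_PATH,
#   MAGNUM_AUTH_CACHE_DIR, MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD and the
#   RABBIT_*, KEYSTONE_*, SERVICE_*, SSL_BUNDLE_FILE and REGION_NAME settings
#   provided by devstack.
# Side effects: rewrites $MAGNUM_CONF from scratch; creates the ``magnum``
#   trustee domain and its admin user in keystone.
function create_magnum_conf {
    local host_name trustee_domain_id trustee_domain_admin_id default_volume_type

    # (Re)create ``magnum.conf``
    rm -f -- "$MAGNUM_CONF"
    host_name=$(hostname)
    iniset "$MAGNUM_CONF" DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
    iniset "$MAGNUM_CONF" DEFAULT transport_url \
        "rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST"
    iniset "$MAGNUM_CONF" DEFAULT host "$host_name"
    iniset "$MAGNUM_CONF" database connection "$(database_connection_url magnum)"
    iniset "$MAGNUM_CONF" api host "$MAGNUM_SERVICE_HOST"

    if is_service_enabled tls-proxy; then
        # tls-proxy terminates TLS on the public port and forwards to the
        # internal one. Cluster nodes then see a certificate issued by the
        # devstack CA, so they get that bundle through openstack_ca_file
        # and are told to verify against it.
        iniset "$MAGNUM_CONF" api port "$MAGNUM_SERVICE_PORT_INT"
        iniset "$MAGNUM_CONF" drivers verify_ca true
        iniset "$MAGNUM_CONF" drivers openstack_ca_file "$SSL_BUNDLE_FILE"
    else
        # Plain-http devstack: there is no server certificate to verify.
        # verify_ca false is only appropriate for this development layout.
        iniset "$MAGNUM_CONF" api port "$MAGNUM_SERVICE_PORT"
        iniset "$MAGNUM_CONF" drivers verify_ca false
    fi

    iniset "$MAGNUM_CONF" oslo_policy policy_file "$MAGNUM_POLICY"

    iniset "$MAGNUM_CONF" keystone_auth auth_type password
    iniset "$MAGNUM_CONF" keystone_auth username magnum
    iniset "$MAGNUM_CONF" keystone_auth password "$SERVICE_PASSWORD"
    iniset "$MAGNUM_CONF" keystone_auth project_name "$SERVICE_PROJECT_NAME"
    iniset "$MAGNUM_CONF" keystone_auth project_domain_id default
    iniset "$MAGNUM_CONF" keystone_auth user_domain_id default

    # FIXME(pauloewerton): keystone_authtoken section is deprecated. Remove it
    # after deprecation period.
    iniset "$MAGNUM_CONF" keystone_authtoken admin_user magnum
    iniset "$MAGNUM_CONF" keystone_authtoken admin_password "$SERVICE_PASSWORD"
    iniset "$MAGNUM_CONF" keystone_authtoken admin_tenant_name "$SERVICE_PROJECT_NAME"

    configure_auth_token_middleware "$MAGNUM_CONF" magnum "$MAGNUM_AUTH_CACHE_DIR"

    iniset "$MAGNUM_CONF" keystone_auth auth_url "$KEYSTONE_AUTH_URI_V3"
    iniset "$MAGNUM_CONF" keystone_authtoken auth_uri "$KEYSTONE_SERVICE_URI_V3"
    iniset "$MAGNUM_CONF" keystone_authtoken auth_url "$KEYSTONE_AUTH_URI_V3"
    iniset "$MAGNUM_CONF" keystone_authtoken auth_version v3

    if is_fedora || is_suse; then
        # magnum defaults to /usr/local/bin, but fedora and suse pip like to
        # install things in /usr/bin
        iniset "$MAGNUM_CONF" DEFAULT bindir "/usr/bin"
    fi

    if [[ -n "$MAGNUM_STATE_PATH" ]]; then
        iniset "$MAGNUM_CONF" DEFAULT state_path "$MAGNUM_STATE_PATH"
        iniset "$MAGNUM_CONF" oslo_concurrency lock_path "$MAGNUM_STATE_PATH"
    fi

    if [[ "$SYSLOG" != "False" ]]; then
        iniset "$MAGNUM_CONF" DEFAULT use_syslog "True"
    fi

    # Format logging
    if [[ "$LOG_COLOR" == "True" && "$SYSLOG" == "False" ]]; then
        setup_colorized_logging "$MAGNUM_CONF" DEFAULT
    else
        # Show user_name and project_name instead of user_id and project_id
        iniset "$MAGNUM_CONF" DEFAULT logging_context_format_string "%(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s %(user_name)s %(project_name)s] %(instance)s%(message)s"
    fi

    # Register SSL certificates if provided
    if is_ssl_enabled_service magnum; then
        ensure_certificates MAGNUM
        iniset "$MAGNUM_CONF" DEFAULT ssl_cert_file "$MAGNUM_SSL_CERT"
        iniset "$MAGNUM_CONF" DEFAULT ssl_key_file "$MAGNUM_SSL_KEY"
        iniset "$MAGNUM_CONF" DEFAULT enabled_ssl_apis "$MAGNUM_ENABLED_APIS"
    fi

    if is_service_enabled ceilometer; then
        iniset "$MAGNUM_CONF" oslo_messaging_notifications driver "messaging"
    fi

    # Cluster certificate storage backend: barbican when it is deployed,
    # the x509keypair backend otherwise.
    if is_service_enabled barbican; then
        iniset "$MAGNUM_CONF" certificates cert_manager_type "barbican"
    else
        iniset "$MAGNUM_CONF" certificates cert_manager_type "x509keypair"
    fi

    # Trustee domain for the users and projects magnum creates; its admin
    # user is granted the admin role scoped to that domain only.
    trustee_domain_id=$(get_or_create_domain magnum 'Owns users and projects created by magnum')
    trustee_domain_admin_id=$(get_or_create_user trustee_domain_admin "$MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD" "$trustee_domain_id")
    openstack --os-auth-url "$KEYSTONE_SERVICE_URI_V3" \
        --os-identity-api-version 3 role add \
        --user "$trustee_domain_admin_id" --domain "$trustee_domain_id" \
        admin
    iniset "$MAGNUM_CONF" trust cluster_user_trust True
    iniset "$MAGNUM_CONF" trust trustee_domain_name magnum
    iniset "$MAGNUM_CONF" trust trustee_domain_admin_name trustee_domain_admin
    iniset "$MAGNUM_CONF" trust trustee_domain_admin_password "$MAGNUM_TRUSTEE_DOMAIN_ADMIN_PASSWORD"
    iniset "$MAGNUM_CONF" trust trustee_keystone_interface public

    iniset "$MAGNUM_CONF" cinder_client region_name "$REGION_NAME"

    if is_service_enabled swift; then
        iniset "$MAGNUM_CONF" docker_registry swift_region "$REGION_NAME"
        iniset "$MAGNUM_CONF" docker_registry swift_registry_container "$MAGNUM_SWIFT_REGISTRY_CONTAINER"
    fi

    # Get the default volume type from cinder.conf and set the corresponding
    # default in magnum.conf
    default_volume_type=$(iniget /etc/cinder/cinder.conf DEFAULT default_volume_type)
    iniset "$MAGNUM_CONF" cinder default_docker_volume_type "$default_volume_type"
}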
# create_api_paste_conf() - Install magnum's api-paste.ini into MAGNUM_CONF_DIR
function create_api_paste_conf {
    # Copy api-paste.ini from the source tree to its configured location
    local src="$MAGNUM_DIR/etc/magnum/api-paste.ini"
    cp "$src" "$MAGNUM_API_PASTE"
}
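# create_magnum_cache_dir() - Part of the init_magnum() process
#
# Creates MAGNUM_AUTH_CACHE_DIR owned by STACK_USER and removes whatever an
# earlier run left in it.
function create_magnum_cache_dir {
    # Abort early if the variable is empty so the glob below can never
    # expand to ``/*``.
    : "${MAGNUM_AUTH_CACHE_DIR:?}"

    # Create cache dir
    sudo mkdir -p "$MAGNUM_AUTH_CACHE_DIR"
    sudo chown "$STACK_USER" "$MAGNUM_AUTH_CACHE_DIR"
    rm -f -- "$MAGNUM_AUTH_CACHE_DIR"/*
}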
# init_magnum() - Initialize databases, etc.
function init_magnum {
    # Only do this step once on the API node for an entire cluster.
    # DATABASE_BACKENDS is deliberately left unquoted: it may list several
    # backends and is meant to word-split into separate arguments.
    # shellcheck disable=SC2086
    if is_service_enabled $DATABASE_BACKENDS && is_service_enabled magnum-api; then
        # (Re)create the magnum database, then bring the schema up to date
        recreate_database magnum
        "$MAGNUM_BIN_DIR/magnum-db-manage" upgrade
    fi
    create_magnum_cache_dir
}
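# magnum_register_image - Register heat image for magnum with property os_distro
#
# Derives ``os_distro`` from substrings of MAGNUM_GUEST_IMAGE_URL, derives the
# glance image name from the URL's basename minus the first known extension
# that matches, then sets the property on that image.
# Returns: 1 without calling glance when the extension is not recognised
function magnum_register_image {
    local url_lc="${MAGNUM_GUEST_IMAGE_URL,,}"
    local os_distro=""

    # Case-insensitive substring checks; a URL matching several of them gets
    # the values concatenated in this order.
    if [[ "$url_lc" == *atomic* ]]; then
        os_distro+="fedora-atomic"
    fi
    if [[ "$url_lc" == *ubuntu* ]]; then
        os_distro+="ubuntu"
    fi
    if [[ "$url_lc" == *coreos* ]]; then
        os_distro+="coreos"
    fi
    # os_distro property for fedora ironic image
    if [[ "$url_lc" == *ironic* && "$url_lc" == *fedora* ]]; then
        os_distro+="fedora"
    fi

    # get the image name: strip the first extension from the list that matches
    local image_filename
    image_filename=$(basename "$MAGNUM_GUEST_IMAGE_URL")
    local image_name="" extension
    for extension in tgz img qcow2 iso vhd vhdx tar.gz img.gz img.bz2 vhd.gz vhdx.gz; do
        if [[ "$image_filename" == *."$extension" ]]; then
            image_name=$(basename "$image_filename" ".$extension")
            break
        fi
    done
    if [[ -z "$image_name" ]]; then
        # Diagnostic goes to stderr; returning (rather than running ``false``)
        # lets the caller decide, and still aborts under devstack's errexit.
        echo "Unknown image extension in $image_filename, supported extensions: tgz, img, qcow2, iso, vhd, vhdx, tar.gz, img.gz, img.bz2, vhd.gz, vhdx.gz" >&2
        return 1
    fi

    # ``--property`` and its value must stay two separate words, hence the array
    local image_property=(--property "os_distro=$os_distro")
    openstack --os-url "$GLANCE_SERVICE_PROTOCOL://$GLANCE_HOSTPORT" --os-image-api-version 2 image set "$image_name" "${image_property[@]}"
}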
# install_magnumclient() - Collect source and prepare
function install_magnumclient {
    local client="python-magnumclient"
    if use_library_from_git "$client"; then
        git_clone_by_name "$client"
        setup_dev_lib "$client"
        # Install the CLI's bash completion file system-wide, world-readable
        local completion="magnum.bash_completion"
        sudo install -D -m 0644 -o "$STACK_USER" \
            "${GITDIR[$client]}/tools/$completion" \
            "/etc/bash_completion.d/$completion"
    fi
}
# install_magnum() - Collect source and prepare
function install_magnum {
    # Clone the configured branch and install it in development mode
    git_clone "$MAGNUM_REPO" "$MAGNUM_DIR" "$MAGNUM_BRANCH"
    setup_develop "$MAGNUM_DIR"
}
# start_magnum_api() - Start the API process ahead of other things
function start_magnum_api {
    # Get right service port for testing: behind tls-proxy the API itself
    # listens on the plain-http internal port.
    local service_port="$MAGNUM_SERVICE_PORT"
    local service_protocol="$MAGNUM_SERVICE_PROTOCOL"
    if is_service_enabled tls-proxy; then
        service_port="$MAGNUM_SERVICE_PORT_INT"
        service_protocol="http"
    fi

    run_process magnum-api "$MAGNUM_BIN_DIR/magnum-api"

    echo "Waiting for magnum-api to start..."
    local api_url="$service_protocol://$MAGNUM_SERVICE_HOST:$service_port"
    if ! wait_for_service "$SERVICE_TIMEOUT" "$api_url"; then
        die $LINENO "magnum-api did not start"
    fi

    # Start proxies if enabled
    if is_service_enabled tls-proxy; then
        start_tls_proxy magnum '*' "$MAGNUM_SERVICE_PORT" "$MAGNUM_SERVICE_HOST" "$MAGNUM_SERVICE_PORT_INT" &
    fi
}
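# configure_iptables_magnum() - Configure the IP table rules for Magnum
#
# Adds a MASQUERADE rule on the interface carrying the default route, then
# opens the magnum-api port and ports 80/443 on HOST_IP so cluster nodes can
# fetch their CA certificate and reach keystone. Does nothing when
# MAGNUM_CONFIGURE_IPTABLES is "False". The rules are appended/inserted, not
# replaced, so each run adds them again.
function configure_iptables_magnum {
    if [[ "$MAGNUM_CONFIGURE_IPTABLES" == "False" ]]; then
        return 0
    fi

    local route_to_internet obound_dev
    route_to_internet=$(ip route get 8.8.8.8)
    # The interface name is the first word after "dev" in the route output
    read -r obound_dev _ <<<"${route_to_internet#*dev}"
    if [[ -z "$obound_dev" ]]; then
        die $LINENO "could not determine the outbound interface from: $route_to_internet"
    fi

    sudo iptables -t nat -A POSTROUTING -o "$obound_dev" -j MASQUERADE

    # cluster (bay) nodes will access magnum-api (port $MAGNUM_SERVICE_PORT) to get CA certificate.
    sudo iptables -I INPUT -d "$HOST_IP" -p tcp --dport "$MAGNUM_SERVICE_PORT" -j ACCEPT || true
    # allow access to keystone etc (http and https)
    sudo iptables -I INPUT -d "$HOST_IP" -p tcp --dport 80 -j ACCEPT || true
    sudo iptables -I INPUT -d "$HOST_IP" -p tcp --dport 443 -j ACCEPT || true
}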
# start_magnum() - Start running processes, including screen
function start_magnum {
    # ``run_process`` checks ``is_service_enabled``, it is not needed here
    start_magnum_api
    local conductor="$MAGNUM_BIN_DIR/magnum-conductor"
    run_process magnum-cond "$conductor"
}
# stop_magnum() - Stop running processes (non-screen)
function stop_magnum {
    local services=(magnum-api magnum-cond)
    local serv
    for serv in "${services[@]}"; do
        stop_process "$serv"
    done
}
# Restore the caller's xtrace setting saved at the top of this file
eval "$XTRACE"