From edc60f76c2818351f8a6d1090a5549970b1891cc Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Wed, 20 Feb 2019 18:00:45 -0800 Subject: [PATCH] Fix tls-proxy issues with the devstack plugin Enabling tls-proxy allows devstack to set up a tls proxy server that front-ends interactions with the manila-api and terminates tls connections. Also enable tls-proxy in dummy and lvm jobs. The dummy driver job is configured to run the in-built wsgi server, the lvm job is configured to use mod-wsgi. Closes-Bug: #1816836 Change-Id: I48b0ccc082604d78242ba61bee94a45efeb2467b (cherry picked from commit 8f1c7dc91fb1e00784f6228526d95f4434ba8a01) --- devstack/plugin.sh | 24 ++++++++++++------- .../run.yaml | 2 +- .../run.yaml | 2 ++ 3 files changed, 18 insertions(+), 10 deletions(-) diff --git a/devstack/plugin.sh b/devstack/plugin.sh index dda88bee98..ae783f4472 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -71,7 +71,7 @@ function _config_manila_apache_wsgi { sudo sed -e " s|%APACHE_NAME%|$APACHE_NAME|g; s|%MANILA_BIN_DIR%|$MANILA_BIN_DIR|g; - s|%PORT%|$MANILA_SERVICE_PORT|g; + s|%PORT%|$REAL_MANILA_SERVICE_PORT|g; s|%APIWORKERS%|$API_WORKERS|g; s|%USER%|$STACK_USER|g; " -i $manila_api_apache_conf @@ -255,9 +255,14 @@ function configure_manila { iniset $MANILA_CONF DEFAULT manila_service_keypair_name $MANILA_SERVICE_KEYPAIR_NAME + REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT if is_service_enabled tls-proxy; then + # Set the protocol to 'https', and set the default port + MANILA_SERVICE_PROTOCOL="https" + REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT_INT # Set the service port for a proxy to take the original - iniset $MANILA_CONF DEFAULT osapi_share_listen_port $MANILA_SERVICE_PORT_INT + iniset $MANILA_CONF DEFAULT osapi_share_listen_port $REAL_MANILA_SERVICE_PORT + iniset $MANILA_CONF oslo_middleware enable_proxy_headers_parsing True fi iniset_rpc_backend manila $MANILA_CONF DEFAULT 
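Review bot: In `_config_manila_apache_wsgi`, the `%PORT%` substitution now reads `$REAL_MANILA_SERVICE_PORT`, a global that on this page is assigned only inside `configure_manila`. If the vhost template is rendered in a shell where `configure_manila` has not run, sed would write an empty port into the Apache config without any error. The same dependency applies to the health check in `start_manila_api` (hunk at -798). A guard before the `sed` would make the ordering explicit, for example `[[ -n "$REAL_MANILA_SERVICE_PORT" ]] || die $LINENO "REAL_MANILA_SERVICE_PORT is not set; run configure_manila first"`. The function body starts outside this hunk, so an earlier assignment may exist that is not visible here.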
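Review bot: In the `tls-proxy` branch of `configure_manila`, `enable_proxy_headers_parsing True` makes the API trust forwarded-header values, but nothing in this hunk limits who can reach the plaintext listener on `$MANILA_SERVICE_PORT_INT`. If that port is reachable from anywhere other than the TLS proxy, a client can bypass TLS and supply its own forwarded scheme and host, which the service would then use when building URLs. Consider pinning the listen address next to the port, for example `iniset $MANILA_CONF DEFAULT osapi_share_listen $MANILA_SERVICE_HOST`, or add a comment stating that the internal port must only be reachable by the proxy. The mod-wsgi path takes its bind address from the Apache template, which is not shown here, and `configure_manila` continues outside the hunk, so a restriction may already exist elsewhere.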
@@ -483,11 +488,6 @@ function create_default_share_group_type { # create_default_share_type - create share type that will be set as default. function create_default_share_type { - echo "Waiting for Manila API to start..." - if ! wait_for_service 60 $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then - die $LINENO "Manila did not start" - fi - enabled_backends=(${MANILA_ENABLED_BACKENDS//,/ }) driver_handles_share_servers=$(iniget $MANILA_CONF ${enabled_backends[0]} driver_handles_share_servers) @@ -798,14 +798,20 @@ function start_manila_api { run_process m-api "$MANILA_BIN_DIR/manila-api --config-file $MANILA_CONF" fi + echo "Waiting for Manila API to start..." - if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then + # This is a health check against the manila-api service we just started. + # We use the port ($REAL_MANILA_SERVICE_PORT) here because we want to hit + # the bare service endpoint, even if the tls tunnel should be enabled. + # We're making sure that the internal port is checked using unencryted + # traffic at this point. + if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT; then die $LINENO "Manila API did not start" fi # Start proxies if enabled if is_service_enabled tls-proxy; then - start_tls_proxy '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT & + start_tls_proxy manila '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT fi } diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml index 49674da561..dc7ddd188c 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-dummy/run.yaml 
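Review bot: The new comment in `start_manila_api` says the internal port is probed with unencrypted traffic, but the URL is still built from `$MANILA_SERVICE_PROTOCOL`, which `configure_manila` now sets to `https` when `tls-proxy` is enabled (hunk at -255). With both functions run in the same shell, the probe would speak TLS to the plaintext listener on `$REAL_MANILA_SERVICE_PORT`, so the check either fails or, depending on how `wait_for_service` treats a failed connection, passes without verifying the API. A local scheme keeps the probe matched to the comment: `local probe_protocol=$MANILA_SERVICE_PROTOCOL`, then `if is_service_enabled tls-proxy; then probe_protocol="http"; fi`, and use `$probe_protocol://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT` in the `wait_for_service` call. The comment also misspells "unencrypted" as "unencryted". The function starts outside this hunk.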
@@ -44,7 +44,7 @@ export DEVSTACK_GATE_NEUTRON=1 export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient" # Basic services needed for minimal job - OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest + OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest,tls-proxy if [ "dummy" == "lvm" ]; then # Enable glance for scenario tests OVERRIDE_ENABLED_SERVICES+=,g-api,g-reg diff --git a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm-centos-7/run.yaml b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm-centos-7/run.yaml index 24aa33f74e..ea687153c8 100644 --- a/playbooks/legacy/manila-tempest-minimal-dsvm-lvm-centos-7/run.yaml +++ b/playbooks/legacy/manila-tempest-minimal-dsvm-lvm-centos-7/run.yaml @@ -92,6 +92,8 @@ OVERRIDE_ENABLED_SERVICES+=,n-api,n-cpu,n-cond,n-sch,n-crt,n-cauth,n-obj # Enable neutron for scenario tests OVERRIDE_ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-l3,q-agt + # Enable tls-proxy + OVERRIDE_ENABLED_SERVICES+=,tls-proxy # Enable mandatory placement services for nova starting with ocata if [[ "stable/newton" != $ZUUL_BRANCH ]]; then