Add OpenStack Heat elements.

Change-Id: I9c1c7920848c9e1e4d44270128d6ef41598b2833

elements/heat-api/README.md

@@ -0,0 +1,25 @@
+Run the stateless HTTP Heat API services.
+
+Configuration
+-------------
+
+We use os-config-applier for writing heat's configuration.
+
+Example Heat Metadata:
+
+    OpenStack::Config:
+      heat:
+        rpc_backend: heat.openstack.common.rpc.impl_kombu
+        service_host: keystone.host.foo
+        service_port: 5000
+        keystone:
+          auth_host: keystone.host.foo
+          auth_port: 35357
+          auth_protocol: http
+          auth_uri: http://keystone.host.foo:35357/v2.0
+        admin_tenant_name: mytenant
+        admin_user: user1
+        admin_password: abcdefg
+        rabbit:
+          host: rabbitmq.host.foo
+          password: xyz123

elements/heat-api/element-deps

@@ -0,0 +1 @@
+heat

elements/heat-api/install.d/10-heat-api

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+os-svc-daemon heat-api heat heat-api
+os-svc-daemon heat-api-cfn heat heat-api-cfn
+os-svc-daemon heat-api-cloudwatch heat heat-api-cloudwatch
+os-svc-daemon heat-metadata heat heat-metadata

elements/heat-api/os-config-applier/etc/heat/heat-api-cfn-paste.ini

@@ -0,0 +1,91 @@
+# WARNING: The following config settings have been copied into this template
+# directly from the Heat git tree without fully auditting every setting.
+{{#heat}}
+# Default pipeline
+[pipeline:heat-api-cfn]
+pipeline = versionnegotiation ec2authtoken authtoken context apicfnv1app
+
+# Use the following pipeline for keystone auth
+# i.e. in heat-api-cfn.conf:
+#   [paste_deploy]
+#   flavor = keystone
+#
+[pipeline:heat-api-cfn-keystone]
+pipeline = versionnegotiation ec2authtoken authtoken context apicfnv1app
+
+# Use the following pipeline to enable transparent caching of image files
+# i.e. in heat-api-cfn.conf:
+#   [paste_deploy]
+#   flavor = caching
+#
+[pipeline:heat-api-cfn-caching]
+pipeline = versionnegotiation ec2authtoken authtoken context cache apicfnv1app
+
+# Use the following pipeline for keystone auth with caching
+# i.e. in heat-api-cfn.conf:
+#   [paste_deploy]
+#   flavor = keystone+caching
+#
+[pipeline:heat-api-cfn-keystone+caching]
+pipeline = versionnegotiation ec2authtoken authtoken context cache apicfnv1app
+
+# Use the following pipeline to enable the Image Cache Management API
+# i.e. in heat-api-cfn.conf:
+#   [paste_deploy]
+#   flavor = cachemanagement
+#
+[pipeline:heat-api-cfn-cachemanagement]
+pipeline = versionnegotiation ec2authtoken authtoken context cache cachemanage apicfnv1app
+
+# Use the following pipeline for keystone auth with cache management
+# i.e. in heat-api-cfn.conf:
+#   [paste_deploy]
+#   flavor = keystone+cachemanagement
+#
+[pipeline:heat-api-cfn-keystone+cachemanagement]
+pipeline = versionnegotiation ec2authtoken authtoken auth-context cache cachemanage apicfnv1app
+
+[app:apicfnv1app]
+paste.app_factory = heat.common.wsgi:app_factory
+heat.app_factory = heat.api.cfn.v1:API
+
+[filter:versionnegotiation]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.cfn:version_negotiation_filter
+
+[filter:cache]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.middleware.cache:CacheFilter
+
+[filter:cachemanage]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.middleware.cache_manage:CacheManageFilter
+
+[filter:context]
+paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
+
+[filter:ec2authtoken]
+paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
+auth_uri = http://127.0.0.1:5000/v2.0
+keystone_ec2_uri = http://localhost:5000/v2.0/ec2tokens
+
+[filter:authtoken]
+paste.filter_factory = heat.common.auth_token:filter_factory
+service_protocol = http
+service_host = {{service_host}}
+service_port = {{service_port}}
+auth_host = {{keystone.auth_host}}
+auth_port = {{keystone.auth_port}}
+auth_protocol = {{keystone.auth_protocol}}
+auth_uri = {{keystone.auth_url}}
+
+# These must be set to your local values in order for the token
+# authentication to work.
+admin_tenant_name = {{admin_tenant_name}}
+admin_user = {{admin_user}}
+admin_password = {{admin_password}}
+
+[filter:auth-context]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = keystone.middleware.heat_auth_token:KeystoneContextMiddleware
+{{/heat}}

elements/heat-api/os-config-applier/etc/heat/heat-api-cfn.conf

@@ -0,0 +1,30 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+verbose = True
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = True
+
+# Address to bind the server to
+bind_host = 0.0.0.0
+
+# Port the bind the server to
+bind_port = 8000
+
+# Turn off standard error logging
+use_stderr = False
+
+# Log to this file. Make sure the user running heat-api-cfn has
+# permissions to write to this file!
+log_file = /var/log/heat/api-cfn.log
+
+# ================= Syslog Options ============================
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL0
+
+rpc_backend={{heat.rpc_backend}}

elements/heat-api/os-config-applier/etc/heat/heat-api-cloudwatch-paste.ini

@@ -0,0 +1,91 @@
+# WARNING: The following config settings have been copied into this template
+# directly from the Heat git tree without fully auditting every setting.
+{{#heat}}
+# Default pipeline
+[pipeline:heat-api-cloudwatch]
+pipeline = versionnegotiation ec2authtoken authtoken context apicwapp
+
+# Use the following pipeline for keystone auth
+# i.e. in heat-api-cloudwatch.conf:
+#   [paste_deploy]
+#   flavor = keystone
+#
+[pipeline:heat-api-cloudwatch-keystone]
+pipeline = versionnegotiation ec2authtoken authtoken context apicwapp
+
+# Use the following pipeline to enable transparent caching of image files
+# i.e. in heat-api-cloudwatch.conf:
+#   [paste_deploy]
+#   flavor = caching
+#
+[pipeline:heat-api-cloudwatch-caching]
+pipeline = versionnegotiation ec2authtoken authtoken context cache apicwapp
+
+# Use the following pipeline for keystone auth with caching
+# i.e. in heat-api-cloudwatch.conf:
+#   [paste_deploy]
+#   flavor = keystone+caching
+#
+[pipeline:heat-api-cloudwatch-keystone+caching]
+pipeline = versionnegotiation ec2authtoken authtoken context cache apicwapp
+
+# Use the following pipeline to enable the Image Cache Management API
+# i.e. in heat-api-cloudwatch.conf:
+#   [paste_deploy]
+#   flavor = cachemanagement
+#
+[pipeline:heat-api-cloudwatch-cachemanagement]
+pipeline = versionnegotiation ec2authtoken authtoken context cache cachemanage apicwapp
+
+# Use the following pipeline for keystone auth with cache management
+# i.e. in heat-api-cloudwatch.conf:
+#   [paste_deploy]
+#   flavor = keystone+cachemanagement
+#
+[pipeline:heat-api-cloudwatch-keystone+cachemanagement]
+pipeline = versionnegotiation ec2authtoken authtoken auth-context cache cachemanage apicwapp
+
+[app:apicwapp]
+paste.app_factory = heat.common.wsgi:app_factory
+heat.app_factory = heat.api.cloudwatch:API
+
+[filter:versionnegotiation]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.cloudwatch:version_negotiation_filter
+
+[filter:cache]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.middleware.cache:CacheFilter
+
+[filter:cachemanage]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.middleware.cache_manage:CacheManageFilter
+
+[filter:context]
+paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
+
+[filter:ec2authtoken]
+paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
+auth_uri = http://127.0.0.1:5000/v2.0
+keystone_ec2_uri = http://localhost:5000/v2.0/ec2tokens
+
+[filter:authtoken]
+paste.filter_factory = heat.common.auth_token:filter_factory
+service_protocol = http
+service_host = {{service_host}}
+service_port = {{service_port}}
+auth_host = {{keystone.auth_host}}
+auth_port = {{keystone.auth_port}}
+auth_protocol = {{keystone.auth_protocol}}
+auth_uri = {{keystone.auth_url}}
+
+# These must be set to your local values in order for the token
+# authentication to work.
+admin_tenant_name = {{admin_tenant_name}}
+admin_user = {{admin_user}}
+admin_password = {{admin_password}}
+
+[filter:auth-context]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = keystone.middleware.heat_auth_token:KeystoneContextMiddleware
+{{/heat}}

elements/heat-api/os-config-applier/etc/heat/heat-api-cloudwatch.conf

@@ -0,0 +1,34 @@
+{{#heat}}
+[DEFAULT]
+{{#rabbit}}
+rabbit_password = {{password}}
+rabbit_host = {{host}}
+{{/rabbit}}
+# Show more verbose log output (sets INFO log level output)
+verbose = True
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = False
+
+# Turn off standard error logging
+use_stderr = False
+
+# Log to this file. Make sure the user running heat-api has
+# permissions to write to this file!
+log_file = /var/log/heat/api-cloudwatch.log
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL0
+
+# Address to bind the server to
+bind_host = 0.0.0.0
+
+# Port the bind the server to
+bind_port = 8003
+
+rpc_backend={{rpc_backend}}
+{{/heat}}

elements/heat-api/os-config-applier/etc/heat/heat-api-paste.ini

@@ -0,0 +1,97 @@
+# WARNING: The following config settings have been copied into this template
+# directly from the Heat git tree without fully auditting every setting.
+{{#heat}}
+# Default pipeline
+[pipeline:heat-api]
+pipeline = versionnegotiation authtoken context apiv1app
+
+# Use the following pipeline for keystone auth
+# i.e. in heat-api.conf:
+#   [paste_deploy]
+#   flavor = keystone
+#
+[pipeline:heat-api-keystone]
+pipeline = versionnegotiation authtoken context apiv1app
+
+# Use the following pipeline for custom cloud backends
+# i.e. in heat-api.conf:
+#   [paste_deploy]
+#   flavor = custombackend
+#
+[pipeline:heat-api-custombackend]
+pipeline = versionnegotiation context custombackendauth apiv1app
+
+# Use the following pipeline to enable transparent caching of image files
+# i.e. in heat-api.conf:
+#   [paste_deploy]
+#   flavor = caching
+#
+[pipeline:heat-api-caching]
+pipeline = versionnegotiation authtoken context cache apiv1app
+
+# Use the following pipeline for keystone auth with caching
+# i.e. in heat-api.conf:
+#   [paste_deploy]
+#   flavor = keystone+caching
+#
+[pipeline:heat-api-keystone+caching]
+pipeline = versionnegotiation authtoken context cache apiv1app
+
+# Use the following pipeline to enable the Image Cache Management API
+# i.e. in heat-api.conf:
+#   [paste_deploy]
+#   flavor = cachemanagement
+#
+[pipeline:heat-api-cachemanagement]
+pipeline = versionnegotiation authtoken context cache cachemanage apiv1app
+
+# Use the following pipeline for keystone auth with cache management
+# i.e. in heat-api.conf:
+#   [paste_deploy]
+#   flavor = keystone+cachemanagement
+#
+[pipeline:heat-api-keystone+cachemanagement]
+pipeline = versionnegotiation auth-context cache cachemanage apiv1app
+
+[app:apiv1app]
+paste.app_factory = heat.common.wsgi:app_factory
+heat.app_factory = heat.api.openstack.v1:API
+
+[filter:versionnegotiation]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.openstack:version_negotiation_filter
+
+[filter:cache]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.middleware.cache:CacheFilter
+
+[filter:cachemanage]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = heat.api.middleware.cache_manage:CacheManageFilter
+
+[filter:context]
+paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
+
+[filter:authtoken]
+paste.filter_factory = heat.common.auth_token:filter_factory
+service_protocol = http
+service_host = {{service_host}}
+service_port = {{service_port}}
+auth_host = {{keystone.auth_host}}
+auth_port = {{keystone.auth_port}}
+auth_protocol = {{keystone.auth_protocol}}
+auth_uri = {{keystone.auth_url}}
+
+# These must be set to your local values in order for the token
+# authentication to work.
+admin_tenant_name = {{admin_tenant_name}}
+admin_user = {{admin_user}}
+admin_password = {{admin_password}}
+
+[filter:auth-context]
+paste.filter_factory = heat.common.wsgi:filter_factory
+heat.filter_factory = keystone.middleware.heat_auth_token:KeystoneContextMiddleware
+
+[filter:custombackendauth]
+paste.filter_factory = heat.common.custom_backend_auth:filter_factory
+{{/heat}}

elements/heat-api/os-config-applier/etc/heat/heat-api.conf

@@ -0,0 +1,40 @@
+{{#heat}}
+[DEFAULT]
+{{#rabbit}}
+rabbit_password = {{password}}
+rabbit_host = {{host}}
+{{/rabbit}}
+# Show more verbose log output (sets INFO log level output)
+verbose = True
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = False
+
+# Turn off standard error logging
+use_stderr = False
+
+# Log to this file. Make sure the user running heat-api-cfn has
+# permissions to write to this file!
+log_file = /var/log/heat/api.log
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL0
+
+# Address to bind the server to
+bind_host = 0.0.0.0
+
+# Port the bind the server to
+bind_port = 8004
+
+rpc_backend={{rpc_backend}}
+
+
+
+# Uncomment this if you're using a custom cloud backend:
+# [paste_deploy]
+# flavor = custombackend
+{{/heat}}

elements/heat-engine/README.md

@@ -0,0 +1,20 @@
+Run the heat-engine service.
+
+Configuration
+-------------
+
+Example Heat Metadata:
+
+    OpenStack::Config:
+      heat:
+        rpc_backend: heat.openstack.common.rpc.impl_kombu
+        sql_connection: mysql://heatuser:heatpass@mysql.server.foo/heatdb
+        auth_encryption_key: 0123456789abcdef0123456789abcdef
+        watch_server_url: http://address.of.watch.service:8003
+        waitcondition_server_url: http://address.of.wc.service:8000/v1/waitcondition
+        metadata_server_url: http://addr.of.metadta.service:8000
+        rabbit:
+          password: abcdefg
+          host: address.of.rabbitmq
+        bind_port: 8001
+        bind_host: 0.0.0.0

elements/heat-engine/element-deps

@@ -0,0 +1,2 @@
+heat
+os-config-applier

elements/heat-engine/install.d/10-heat-engine

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+install-packages python-mysqldb
+
+os-svc-daemon heat-engine heat heat-engine

elements/heat-engine/os-config-applier/etc/heat/heat-engine.conf

@@ -0,0 +1,75 @@
+{{#heat}}
+[DEFAULT]
+{{#rabbit}}
+rabbit_password = {{password}}
+rabbit_host = {{host}}
+{{/rabbit}}
+bind_port = {{bind_port}}
+bind_host = {{bind_host}}
+# Show more verbose log output (sets INFO log level output)
+verbose = True
+
+# Show debugging output in logs (sets DEBUG log level output)
+debug = False
+
+# Turn off standard error logging
+use_stderr = False
+
+# Log to this file. Make sure the user running heat-api has
+# permissions to write to this file!
+log_file = /var/log/heat/engine.log
+
+# Send logs to syslog (/dev/log) instead of to file specified
+# by `log_file`
+use_syslog = False
+
+# Facility to use. If unset defaults to LOG_USER.
+# syslog_log_facility = LOG_LOCAL0
+
+# Keystone role for heat template-defined users
+heat_stack_user_role = heat_stack_user
+
+# Make instances connect to the heat services via https
+# default to off since it will require images and host
+# to be configured correctly to support ssl connections
+instance_connection_is_secure = 0
+
+# If is_secure is set to 1, certificate validation can
+# be enabled or disabled
+instance_connection_https_validate_certificates = 1
+
+# URL for instances to connect for metadata
+# ie the IP of the bridge device connecting the
+# instances with the host and the bind_port of
+# the CFN API
+# NOTE : change this from 127.0.0.1 !!
+heat_metadata_server_url = {{metadata_server_url}}
+
+# URL for instances to connect for notification
+# of waitcondition events (ie via cfn-signal)
+# e.g the IP of the bridge device connecting the
+# instances with the host and the bind_port of
+# the CFN API
+# NOTE : change this from 127.0.0.1 !!
+heat_waitcondition_server_url = {{waitcondition_server_url}}
+
+# URL for instances to connect for publishing metric
+# data (ie via cfn-push-stats)
+# e.g the IP of the bridge device connecting the
+# instances with the host and the bind_port of
+# the heat-api-cloudwatch API
+# NOTE : change this from 127.0.0.1 !!
+heat_watch_server_url = {{watch_server_url}}
+
+# The namespace for the custom backend. Must provide class Clients which will be
+# imported. Defaults to OpenStack if none provided.
+# cloud_backend=deltacloud_heat.client
+
+sql_connection = {{sql_connection}}
+
+db_backend=heat.db.sqlalchemy.api
+
+rpc_backend={{rpc_backend}}
+
+auth_encryption_key={{auth_encryption_key}}
+{{/heat}}

elements/heat/README.md

@@ -0,0 +1,7 @@
+Install heat software on the machine.
+
+Configuration
+-------------
+
+Configuration of heat services is done in the heat-api and heat-engine
+elements, which enable those services.

elements/heat/element-deps

@@ -0,0 +1,2 @@
+os-svc-install
+os-config-applier

elements/heat/install.d/05-heat

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+install-packages python-setuptools python-eventlet python-greenlet \
+    python-httplib2 python-iso8601 python-lxml python-sqlalchemy \
+    python-paste python-routes python-webob python-yaml
+
+os-svc-install -n heat -u heat -r https://github.com/openstack/heat.git
+
+install -d -m 0770 -o root -g heat /var/log/heat
+install -d -m 0750 -o root -g heat /etc/heat

elements/heat/os-config-applier/etc/heat/policy.json

@@ -0,0 +1,27 @@
+{
+    "deny_stack_user": "not role:heat_stack_user",
+    "cloudformation:ListStacks": "rule:deny_stack_user",
+    "cloudformation:CreateStack": "rule:deny_stack_user",
+    "cloudformation:DescribeStacks": "rule:deny_stack_user",
+    "cloudformation:DeleteStack": "rule:deny_stack_user",
+    "cloudformation:UpdateStack": "rule:deny_stack_user",
+    "cloudformation:DescribeStackEvents": "rule:deny_stack_user",
+    "cloudformation:ValidateTemplate": "rule:deny_stack_user",
+    "cloudformation:GetTemplate": "rule:deny_stack_user",
+    "cloudformation:EstimateTemplateCost": "rule:deny_stack_user",
+    "cloudformation:DescribeStackResource": "",
+    "cloudformation:DescribeStackResources": "rule:deny_stack_user",
+    "cloudformation:ListStackResources": "rule:deny_stack_user",
+
+    "cloudwatch:DeleteAlarms": "rule:deny_stack_user",
+    "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user",
+    "cloudwatch:DescribeAlarms": "rule:deny_stack_user",
+    "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user",
+    "cloudwatch:DisableAlarmActions": "rule:deny_stack_user",
+    "cloudwatch:EnableAlarmActions": "rule:deny_stack_user",
+    "cloudwatch:GetMetricStatistics": "rule:deny_stack_user",
+    "cloudwatch:ListMetrics": "rule:deny_stack_user",
+    "cloudwatch:PutMetricAlarm": "rule:deny_stack_user",
+    "cloudwatch:PutMetricData": "",
+    "cloudwatch:SetAlarmState": "rule:deny_stack_user"
+}