282 lines
8.6 KiB
Ruby
282 lines
8.6 KiB
Ruby
# encoding: UTF-8
|
|
#
|
|
# Cookbook Name:: openstack-dashboard
|
|
# Recipe:: server
|
|
#
|
|
# Copyright 2012, Rackspace US, Inc.
|
|
# Copyright 2012-2013, AT&T Services, Inc.
|
|
# Copyright 2013-2014, IBM, Corp.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
require 'uri'
|
|
|
|
class ::Chef::Recipe # rubocop:disable Documentation
|
|
include ::Openstack
|
|
end
|
|
|
|
#
|
|
# Workaround to install apache2 on a fedora machine with selinux set to enforcing
|
|
# TODO(breu): this should move to a subscription of the template from the apache2 recipe
|
|
# and it should simply be a restorecon on the configuration file(s) and not
|
|
# change the selinux mode
|
|
#
|
|
execute 'set-selinux-permissive' do
|
|
command '/sbin/setenforce Permissive'
|
|
action :run
|
|
|
|
only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
|
|
end
|
|
|
|
platform_options = node['openstack']['dashboard']['platform']
|
|
|
|
include_recipe 'apache2'
|
|
include_recipe 'apache2::mod_wsgi'
|
|
include_recipe 'apache2::mod_rewrite'
|
|
include_recipe 'apache2::mod_ssl'
|
|
|
|
#
|
|
# Workaround to re-enable selinux after installing apache on a fedora machine that has
|
|
# selinux enabled and is currently permissive and the configuration set to enforcing.
|
|
# TODO(breu): get the other one working and this won't be necessary
|
|
#
|
|
execute 'set-selinux-enforcing' do
|
|
command '/sbin/setenforce Enforcing ; restorecon -R /etc/httpd'
|
|
action :run
|
|
|
|
only_if "[ -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*permissive') -eq 1 ] && [ $(/sbin/sestatus | grep -c '^Mode from config file:.*enforcing') -eq 1 ]"
|
|
end
|
|
|
|
identity_admin_endpoint = endpoint 'identity-admin'
|
|
auth_admin_uri = ::URI.decode identity_admin_endpoint.to_s
|
|
identity_endpoint = endpoint 'identity-api'
|
|
auth_uri = ::URI.decode identity_endpoint.to_s
|
|
|
|
case node['openstack']['dashboard']['identity_api_version']
|
|
when 2.0
|
|
auth_version = 'v2.0'
|
|
when 3
|
|
auth_version = 'v3.0'
|
|
end
|
|
|
|
auth_admin_uri = auth_uri_transform auth_admin_uri, auth_version
|
|
auth_uri = auth_uri_transform auth_uri, auth_version
|
|
|
|
db_pass = get_password 'db', 'horizon'
|
|
db_info = db 'dashboard'
|
|
|
|
python_packages = platform_options["#{db_info['service_type']}_python_packages"]
|
|
(platform_options['horizon_packages'] + python_packages).each do |pkg|
|
|
package pkg do
|
|
action :upgrade
|
|
options platform_options['package_overrides']
|
|
end
|
|
end
|
|
|
|
if node['openstack']['dashboard']['session_backend'] == 'memcached'
|
|
platform_options['memcache_python_packages'].each do |pkg|
|
|
package pkg
|
|
end
|
|
end
|
|
|
|
memcached = memcached_servers('os-ops-caching')
|
|
|
|
# delete the openstack-dashboard.conf before reload apache2 service on fedora, redhat and centos
|
|
# since this file is not valid on those platforms for the apache2 service.
|
|
file "#{node["apache"]["dir"]}/conf.d/openstack-dashboard.conf" do
|
|
action :delete
|
|
backup false
|
|
|
|
only_if { platform_family?('fedora', 'rhel') } # :pragma-foodcritic: ~FC024 - won't fix this
|
|
end
|
|
|
|
template node['openstack']['dashboard']['local_settings_path'] do
|
|
source 'local_settings.py.erb'
|
|
owner 'root'
|
|
group 'root'
|
|
mode 00644
|
|
|
|
variables(
|
|
db_pass: db_pass,
|
|
db_info: db_info,
|
|
auth_uri: auth_uri,
|
|
auth_admin_uri: auth_admin_uri,
|
|
memcached_servers: memcached
|
|
)
|
|
|
|
notifies :restart, 'service[apache2]', :immediately
|
|
end
|
|
|
|
execute 'openstack-dashboard syncdb' do
|
|
cwd node['openstack']['dashboard']['django_path']
|
|
environment 'PYTHONPATH' => "/etc/openstack-dashboard:#{node['openstack']['dashboard']['django_path']}:$PYTHONPATH"
|
|
command 'python manage.py syncdb --noinput'
|
|
action :run
|
|
only_if do
|
|
node['openstack']['dashboard']['session_backend'] == 'sql' &&
|
|
node['openstack']['db']['dashboard']['migrate'] ||
|
|
db_info['service_type'] == 'sqlite'
|
|
end
|
|
end
|
|
|
|
case node['platform_family']
|
|
when 'suse'
|
|
execute 'openstack-dashboard compress' do
|
|
cwd node['openstack']['dashboard']['django_path']
|
|
environment 'PYTHONPATH' => "/etc/openstack-dashboard:#{node['openstack']['dashboard']['django_path']}:$PYTHONPATH"
|
|
command 'python manage.py compress'
|
|
action :run
|
|
end
|
|
end
|
|
|
|
cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}"
|
|
cert_mode = 00644
|
|
cert_owner = 'root'
|
|
cert_group = 'root'
|
|
if node['openstack']['dashboard']['ssl']['cert_url']
|
|
remote_file cert_file do
|
|
source node['openstack']['dashboard']['ssl']['cert_url']
|
|
mode cert_mode
|
|
owner cert_owner
|
|
group cert_group
|
|
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
end
|
|
else
|
|
cookbook_file cert_file do
|
|
source 'horizon.pem'
|
|
mode cert_mode
|
|
owner cert_owner
|
|
group cert_group
|
|
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
end
|
|
end
|
|
|
|
key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}"
|
|
key_mode = 00640
|
|
key_owner = 'root'
|
|
case node['platform_family']
|
|
when 'debian' # Don't know about fedora
|
|
key_group = 'ssl-cert'
|
|
else
|
|
key_group = 'root'
|
|
end
|
|
|
|
if node['openstack']['dashboard']['ssl']['key_url']
|
|
remote_file key_file do
|
|
source node['openstack']['dashboard']['ssl']['key_url']
|
|
mode key_mode
|
|
owner key_owner
|
|
group key_group
|
|
|
|
notifies :restart, 'service[apache2]', :immediately
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
end
|
|
else
|
|
cookbook_file key_file do
|
|
source 'horizon.key'
|
|
mode key_mode
|
|
owner key_owner
|
|
group key_group
|
|
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
end
|
|
end
|
|
|
|
directory "#{node['openstack']['dashboard']['dash_path']}/local" do
|
|
owner 'root'
|
|
group node['openstack']['dashboard']['horizon_group']
|
|
mode 02770
|
|
action :create
|
|
end
|
|
|
|
# make sure this file has correct permission
|
|
file node['openstack']['dashboard']['secret_key_path'] do
|
|
owner node['openstack']['dashboard']['horizon_user']
|
|
group node['openstack']['dashboard']['horizon_group']
|
|
mode 00600
|
|
# the only time the file should be created is if we have secret_key_content
|
|
# set, otherwise let apache create it when someone first accesses the
|
|
# dashboard
|
|
if node['openstack']['dashboard']['secret_key_content'].nil?
|
|
only_if { ::File.exists?(node['openstack']['dashboard']['secret_key_path']) }
|
|
else
|
|
content node['openstack']['dashboard']['secret_key_content']
|
|
notifies :restart, 'service[apache2]'
|
|
end
|
|
end
|
|
|
|
# stop apache bitching
|
|
directory "#{node["openstack"]["dashboard"]["dash_path"]}/.blackhole" do
|
|
owner 'root'
|
|
action :create
|
|
end
|
|
|
|
template node['openstack']['dashboard']['apache']['sites-path'] do
|
|
source 'dash-site.erb'
|
|
owner 'root'
|
|
group 'root'
|
|
mode 00644
|
|
|
|
variables(
|
|
ssl_cert_file: "#{node["openstack"]["dashboard"]["ssl"]["dir"]}/certs/#{node["openstack"]["dashboard"]["ssl"]["cert"]}",
|
|
ssl_key_file: "#{node["openstack"]["dashboard"]["ssl"]["dir"]}/private/#{node["openstack"]["dashboard"]["ssl"]["key"]}"
|
|
)
|
|
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
notifies :reload, 'service[apache2]', :immediately
|
|
end
|
|
|
|
# ubuntu includes their own branding - we need to delete this until ubuntu makes this a
|
|
# configurable paramter
|
|
package 'openstack-dashboard-ubuntu-theme' do
|
|
action :purge
|
|
|
|
only_if { platform_family?('debian') }
|
|
end
|
|
|
|
# The `apache_site` provided by the apache2 cookbook
|
|
# is not an LWRP. Guards do not apply to definitions.
|
|
# http://tickets.opscode.com/browse/CHEF-778
|
|
if platform_family?('debian')
|
|
apache_site '000-default' do
|
|
enable false
|
|
end
|
|
elsif platform_family?('fedora', 'rhel') then
|
|
apache_site 'default' do
|
|
enable false
|
|
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
end
|
|
end
|
|
|
|
apache_site 'openstack-dashboard' do
|
|
enable true
|
|
|
|
notifies :run, 'execute[restore-selinux-context]', :immediately
|
|
notifies :reload, 'service[apache2]', :immediately
|
|
end
|
|
|
|
execute 'restore-selinux-context' do
|
|
command 'restorecon -Rv /etc/httpd /etc/pki; chcon -R -t httpd_sys_content_t /usr/share/openstack-dashboard || :'
|
|
action :nothing
|
|
|
|
only_if { platform_family?('fedora') }
|
|
end
|
|
|
|
# TODO(shep)
|
|
# Horizon has a forced dependency on there being a volume service endpoint in your keystone catalog
|
|
# https://answers.launchpad.net/horizon/+question/189551
|