diff --git a/.gitignore b/.gitignore index fa7b649..bfff9ce 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,13 @@ __pycache__/ *.py[cod] *$py.class +# Snap +microstack*.snap +microstack_source.tar.bz2 +prime/ +snap/.snapcraft +stage/ + # Emacs *~ diff --git a/patches/drop-nginx-setgroups.patch b/patches/drop-nginx-setgroups.patch new file mode 100644 index 0000000..2bcc0eb --- /dev/null +++ b/patches/drop-nginx-setgroups.patch 
@@ -0,0 +1,57 @@
+Description: Drop code where nginx drops privileges for worker
+ processes. While setuid is covered by the browser-support plug,
+ setgroups isn't covered by any plugs. This code isn't required
+ because in strict mode we run worker processes as root:root.
+ The seccomp violation follows:
+ = Seccomp =
+ Time: Jun 16 01:13:15
+ Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=6087 comm="nginx"
+ exe="/snap/keystone/x1/usr/sbin/nginx" sig=31 arch=c000003e
+ 116(setgroups) compat=0 ip=0x7f40e288af09 code=0x0
+ Syscall: setgroups
+ Suggestion:
+ * adjust program to not use 'setgroups' until per-snap user/groups
+ are supported (https://launchpad.net/bugs/1446748)
+Author: Corey Bryant
+Forwarded: no
+
+---
+ src/os/unix/ngx_process_cycle.c | 22 ----------------------
+ 1 file changed, 22 deletions(-)
+
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index 1710ea8..c428673 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -824,28 +824,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
+ }
+ }
+
+- if (geteuid() == 0) {
+- if (setgid(ccf->group) == -1) {
+- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+- "setgid(%d) failed", ccf->group);
+- /* fatal */
+- exit(2);
+- }
+-
+- if (initgroups(ccf->username, ccf->group) == -1) {
+- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+- "initgroups(%s, %d) failed",
+- ccf->username, ccf->group);
+- }
+-
+- if (setuid(ccf->user) == -1) {
+- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+- "setuid(%d) failed", ccf->user);
+- /* fatal */
+- exit(2);
+- }
+- }
+-
+ if (worker >= 0) {
+ cpu_affinity = ngx_get_cpu_affinity(worker);
+
+--
+2.7.4
+
diff --git a/patches/oslo-config-dirs.patch b/patches/oslo-config-dirs.patch
new file mode 100644
index 0000000..8a7384c
--- /dev/null
+++ b/patches/oslo-config-dirs.patch
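Review bot: The block removed from ngx_worker_process_init() takes out setgid() and setuid() together with initgroups(), although the seccomp log in the Description shows only setgroups being denied, so with this patch a `user` directive in any nginx.conf is silently ignored and workers always keep the master's uid and gid. The shipped template uses `user root root;`, but snap-openstack.yaml also accepts an override at `{snap_common}/etc/nginx/nginx.conf`, where an operator who sets an unprivileged user would still get root workers with no warning in the log. Consider dropping only the `initgroups(ccf->username, ccf->group)` call, or at least add a sentence to the Description stating that the `user` directive has no effect in this build. The body of ngx_worker_process_init continues outside the inner hunk.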
@@ -0,0 +1,123 @@ +From 5256bef2fdacdb79eba386c8cad775ed996d1685 Mon Sep 17 00:00:00 2001 +From: Corey Bryant +Date: Wed, 14 Jun 2017 09:57:23 -0400 +Subject: [PATCH] Add snap package paths to default config dirs + +With snap packaging (see snapcraft.io) the package is installed into a +read-only squashfs filesystem, which includes the default config. For +example, $SNAP/etc/nova/nova.conf. To override the defaults, a separate +writable directory is used, and this directory is also unique to the snap. +For example, either $SNAP_COMMON/etc/nova/nova.conf, or +$SNAP_COMMON/etc/nova/nova.conf.d/ can be used to override config. + +This patch adds these snap directories to the default config paths where +oslo looks for config. + +For more details on $SNAP and $SNAP_COMMON please refer to +https://snapcraft.io/docs/reference/env. + +Change-Id: I83627e0f215382aedc7b32163e0303b39e8bccf8 +Closes-Bug: 1696830 +(cherry picked from commit 21e70e28b3015c1619dacfad8a2218b09e8109ec) +--- + oslo_config/cfg.py | 19 +++++++++++++++++-- + oslo_config/tests/test_cfg.py | 24 ++++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 2 deletions(-) + +diff --git a/oslo_config/cfg.py b/oslo_config/cfg.py +index 1047bf6..a2b5b2a 100644 +--- a/oslo_config/cfg.py ++++ b/oslo_config/cfg.py +@@ -614,16 +614,27 @@ def _get_config_dirs(project=None): + /etc/${project}/ + /etc/ + +- Otherwise, these directories:: ++ If a project is specified and installed from a snap package, following ++ directories are also returned: ++ ++ ${SNAP}/etc/${project} ++ ${SNAP_COMMON}/etc/${project} ++ ++ Otherwise, if project is not specified, these directories are returned: + + ~/ + /etc/ + """ ++ snap = os.environ.get('SNAP') ++ snap_c = os.environ.get('SNAP_COMMON') ++ + cfg_dirs = [ + _fixpath(os.path.join('~', '.' 
+ project)) if project else None, + _fixpath('~'), + os.path.join('/etc', project) if project else None, +- '/etc' ++ '/etc', ++ os.path.join(snap, "etc", project) if snap and project else None, ++ os.path.join(snap_c, "etc", project) if snap_c and project else None, + ] + return [x for x in cfg_dirs if x] + +@@ -674,6 +685,8 @@ def find_config_files(project=None, prog=None, extension='.conf'): + ~/ + /etc/${project}/ + /etc/ ++ ${SNAP}/etc/${project} ++ ${SNAP_COMMON}/etc/${project} + + We return an absolute path for (at most) one of each the default config + files, for the topmost directory it exists in. +@@ -704,6 +717,8 @@ def find_config_dirs(project=None, prog=None, extension='.conf.d'): + ~/ + /etc/${project}/ + /etc/ ++ ${SNAP}/etc/${project} ++ ${SNAP_COMMON}/etc/${project} + + We return an absolute path for each of the two config dirs, + in the first place we find it (iff we find it). +diff --git a/oslo_config/tests/test_cfg.py b/oslo_config/tests/test_cfg.py +index 6a46884..0f7db8c 100644 +--- a/oslo_config/tests/test_cfg.py ++++ b/oslo_config/tests/test_cfg.py +@@ -208,6 +208,18 @@ class FindConfigFilesTestCase(BaseTestCase): + + self.assertEqual(cfg.find_config_files(project='blaa'), config_files) + ++ def test_find_config_files_snap(self): ++ config_files = ['/snap/nova/current/etc/blaa/blaa.conf'] ++ fake_env = {'SNAP': '/snap/nova/current/', ++ 'SNAP_COMMON': '/var/snap/nova/common/'} ++ ++ self.useFixture(fixtures.MonkeyPatch('sys.argv', ['foo'])) ++ self.useFixture(fixtures.MonkeyPatch('os.path.exists', ++ lambda p: p in config_files)) ++ self.useFixture(fixtures.MonkeyPatch('os.environ', fake_env)) ++ ++ self.assertEqual(cfg.find_config_files(project='blaa'), config_files) ++ + def test_find_config_files_with_extension(self): + config_files = ['/etc/foo.json'] + +@@ -233,6 +245,18 @@ class FindConfigDirsTestCase(BaseTestCase): + + self.assertEqual(cfg.find_config_dirs(project='blaa'), config_dirs) + ++ def test_find_config_dirs_snap(self): ++ 
config_dirs = ['/var/snap/nova/common/etc/blaa/blaa.conf.d']
++ fake_env = {'SNAP': '/snap/nova/current/',
++ 'SNAP_COMMON': '/var/snap/nova/common/'}
++
++ self.useFixture(fixtures.MonkeyPatch('sys.argv', ['foo']))
++ self.useFixture(fixtures.MonkeyPatch('os.path.exists',
++ lambda p: p in config_dirs))
++ self.useFixture(fixtures.MonkeyPatch('os.environ', fake_env))
++
++ self.assertEqual(cfg.find_config_dirs(project='blaa'), config_dirs)
++
+ def test_find_config_dirs_non_exists(self):
+ self.useFixture(fixtures.MonkeyPatch('sys.argv', ['foo']))
+ self.assertEqual(cfg.find_config_dirs(project='blaa'), [])
+--
+2.7.4
+
diff --git a/snap/bin/launch-libvirtd b/snap/bin/launch-libvirtd
new file mode 100755
index 0000000..1951064
--- /dev/null
+++ b/snap/bin/launch-libvirtd
@@ -0,0 +1,18 @@
+#!/bin/sh -e
+
+if [ "$SNAP_ARCH" = "amd64" ]; then
+ ARCH="x86_64-linux-gnu"
+elif [ "$SNAP_ARCH" = "armhf" ]; then
+ ARCH="arm-linux-gnueabihf"
+elif [ "$SNAP_ARCH" = "arm64" ]; then
+ ARCH="aarch64-linux-gnu"
+else
+ ARCH="$SNAP_ARCH-linux-gnu"
+fi
+
+driver="$(snapctl get driver)"
+
+if [ "$driver" = "LIBVIRT" ]; then
+ export LD_LIBRARY_PATH=$SNAP/lib/$ARCH:$SNAP/usr/lib/$ARCH:$LD_LIBRARY_PATH
+ exec $SNAP/sbin/libvirtd
+fi
diff --git a/snap/bin/ovs-wrapper b/snap/bin/ovs-wrapper
new file mode 100755
index 0000000..0c276e5
--- /dev/null
+++ b/snap/bin/ovs-wrapper
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+export OVS_LOGDIR=${SNAP_COMMON}/log/openvswitch
+export OVS_RUNDIR=${SNAP_COMMON}/run/openvswitch
+export OVS_SYSCONFDIR=${SNAP_COMMON}/etc
+export OVS_PKGDATADIR=${SNAP}/share/openvswitch
+export OVS_BINDIR=${SNAP}/bin
+export OVS_SBINDIR=${SNAP}/sbin
+
+mkdir -p ${OVS_LOGDIR}
+mkdir -p ${OVS_RUNDIR}
+mkdir -p ${OVS_SYSCONFDIR}/openvswitch
+
+exec $@
diff --git a/snap/etc/keystone/keystone.conf b/snap/etc/keystone/keystone.conf
new file mode 100644
index 0000000..61c9c27
--- /dev/null
+++ b/snap/etc/keystone/keystone.conf
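Review bot: The `export LD_LIBRARY_PATH=...:$LD_LIBRARY_PATH` line in launch-libvirtd leaves a trailing empty entry when the variable was unset, and the dynamic loader treats an empty entry as the current directory, so libvirtd would also search its working directory for shared libraries. Append the old value only when it is non-empty and quote the expansions: `export LD_LIBRARY_PATH="$SNAP/lib/$ARCH:$SNAP/usr/lib/$ARCH${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"` and `exec "$SNAP/sbin/libvirtd"`. When the driver is not LIBVIRT the script falls through and exits 0; a one-line comment saying that this is intended would help the next reader.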
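Review bot: `exec $@` at the end of ovs-wrapper re-splits and glob-expands the wrapped command's arguments, so an argument that contains spaces or wildcard characters reaches the OVS binary altered; use `exec "$@"`. The three `mkdir -p` calls expand their variables unquoted in the same way and would be safer as `mkdir -p "${OVS_LOGDIR}"` and so on.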
@@ -0,0 +1,3 @@
+# Snap distribution defaults - do not change
+[database]
+max_retries = -1
diff --git a/snap/etc/neutron/neutron.conf b/snap/etc/neutron/neutron.conf
new file mode 100644
index 0000000..e29fbc7
--- /dev/null
+++ b/snap/etc/neutron/neutron.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+core_plugin = ml2
+service_plugins = router
+allow_overlapping_ips = True
diff --git a/snap/etc/neutron/plugins/ml2/ml2_conf.ini b/snap/etc/neutron/plugins/ml2/ml2_conf.ini
new file mode 100644
index 0000000..8b0de27
--- /dev/null
+++ b/snap/etc/neutron/plugins/ml2/ml2_conf.ini
@@ -0,0 +1,13 @@
+[ml2]
+mechanism_drivers = openvswitch,l2population
+extension_drivers = port_security
+tenant_network_types = geneve,gre,vxlan
+
+[ml2_type_geneve]
+vni_ranges = 1:65535
+
+[ml2_type_gre]
+tunnel_id_ranges = 1:65535
+
+[ml2_type_vxlan]
+vni_ranges = 1:65535
diff --git a/snap/etc/nova/nova.conf b/snap/etc/nova/nova.conf
new file mode 100644
index 0000000..a91150c
--- /dev/null
+++ b/snap/etc/nova/nova.conf
@@ -0,0 +1,9 @@
+# Snap distribution defaults - do not change, override in $SNAP_COMMON/etc/nova.conf.d
+[DEFAULT]
+logdir=/var/snap/nova/common/log/
+
+[wsgi]
+secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
+
+[database]
+max_retries = -1
diff --git a/snap/etc/nova/policy.yaml b/snap/etc/nova/policy.yaml
new file mode 100644
index 0000000..024ae41
--- /dev/null
+++ b/snap/etc/nova/policy.yaml
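Review bot: `secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO` in nova.conf makes the API trust a client-supplied X-Forwarded-Proto header unless a proxy in front overwrites it, and the nginx server blocks visible in this commit (keystone-nginx.conf.j2) neither terminate TLS nor set that header. nova-nginx.conf.j2 is outside this view, so confirm it sets the header itself, or drop the option from the shipped defaults. Two smaller points in the same file: the header comment points to `$SNAP_COMMON/etc/nova.conf.d` while snap-openstack.yaml uses `{snap_common}/etc/nova/nova.conf.d`, and `logdir=/var/snap/nova/common/log/` hard-codes the snap name `nova` where the install hook refers to `microstack`.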
@@ -0,0 +1,514 @@ +# +"os_compute_api:os-admin-actions:discoverable": "@" +# +"os_compute_api:os-admin-actions:reset_state": "rule:admin_api" +# +"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api" +# +"os_compute_api:os-admin-actions": "rule:admin_api" +# +"os_compute_api:os-admin-actions:reset_network": "rule:admin_api" +# +"os_compute_api:os-admin-password:discoverable": "@" +# +"os_compute_api:os-admin-password": "rule:admin_or_owner" +# +"os_compute_api:os-agents": "rule:admin_api" +# +"os_compute_api:os-agents:discoverable": "@" +# +"os_compute_api:os-aggregates:set_metadata": "rule:admin_api" +# +"os_compute_api:os-aggregates:add_host": "rule:admin_api" +# +"os_compute_api:os-aggregates:discoverable": "@" +# +"os_compute_api:os-aggregates:create": "rule:admin_api" +# +"os_compute_api:os-aggregates:remove_host": "rule:admin_api" +# +"os_compute_api:os-aggregates:update": "rule:admin_api" +# +"os_compute_api:os-aggregates:index": "rule:admin_api" +# +"os_compute_api:os-aggregates:delete": "rule:admin_api" +# +"os_compute_api:os-aggregates:show": "rule:admin_api" +# +"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api" +# +"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api" +# +"os_compute_api:os-assisted-volume-snapshots:discoverable": "@" +# +"os_compute_api:os-attach-interfaces": "rule:admin_or_owner" +# +"os_compute_api:os-attach-interfaces:discoverable": "@" +# Controls who can attach an interface to an instance +"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner" +# Controls who can detach an interface from an instance +"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner" +# +"os_compute_api:os-availability-zone:list": "rule:admin_or_owner" +# +"os_compute_api:os-availability-zone:discoverable": "@" +# +"os_compute_api:os-availability-zone:detail": "rule:admin_api" +# +"os_compute_api:os-baremetal-nodes:discoverable": "@" +# +"os_compute_api:os-baremetal-nodes": 
"rule:admin_api" +# +"context_is_admin": "role:admin" +# +"admin_or_owner": "is_admin:True or project_id:%(project_id)s" +# +"admin_api": "is_admin:True" +# +"network:attach_external_network": "is_admin:True" +# +"os_compute_api:os-block-device-mapping:discoverable": "@" +# +"os_compute_api:os-block-device-mapping-v1:discoverable": "@" +# +"os_compute_api:os-cells:discoverable": "@" +# +"os_compute_api:os-cells:update": "rule:admin_api" +# +"os_compute_api:os-cells:create": "rule:admin_api" +# +"os_compute_api:os-cells": "rule:admin_api" +# +"os_compute_api:os-cells:sync_instances": "rule:admin_api" +# +"os_compute_api:os-cells:delete": "rule:admin_api" +# +"cells_scheduler_filter:DifferentCellFilter": "is_admin:True" +# +"cells_scheduler_filter:TargetCellFilter": "is_admin:True" +# +"os_compute_api:os-certificates:discoverable": "@" +# +"os_compute_api:os-certificates:create": "rule:admin_or_owner" +# +"os_compute_api:os-certificates:show": "rule:admin_or_owner" +# +"os_compute_api:os-cloudpipe": "rule:admin_api" +# +"os_compute_api:os-cloudpipe:discoverable": "@" +# +"os_compute_api:os-config-drive:discoverable": "@" +# +"os_compute_api:os-config-drive": "rule:admin_or_owner" +# +"os_compute_api:os-console-auth-tokens:discoverable": "@" +# +"os_compute_api:os-console-auth-tokens": "rule:admin_api" +# +"os_compute_api:os-console-output:discoverable": "@" +# +"os_compute_api:os-console-output": "rule:admin_or_owner" +# +"os_compute_api:os-consoles:create": "rule:admin_or_owner" +# +"os_compute_api:os-consoles:show": "rule:admin_or_owner" +# +"os_compute_api:os-consoles:delete": "rule:admin_or_owner" +# +"os_compute_api:os-consoles:discoverable": "@" +# +"os_compute_api:os-consoles:index": "rule:admin_or_owner" +# +"os_compute_api:os-create-backup:discoverable": "@" +# +"os_compute_api:os-create-backup": "rule:admin_or_owner" +# +"os_compute_api:os-deferred-delete:discoverable": "@" +# +"os_compute_api:os-deferred-delete": "rule:admin_or_owner" +# 
+"os_compute_api:os-evacuate:discoverable": "@" +# +"os_compute_api:os-evacuate": "rule:admin_api" +# +"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner" +# +"os_compute_api:os-extended-availability-zone:discoverable": "@" +# +"os_compute_api:os-extended-server-attributes": "rule:admin_api" +# +"os_compute_api:os-extended-server-attributes:discoverable": "@" +# +"os_compute_api:os-extended-status:discoverable": "@" +# +"os_compute_api:os-extended-status": "rule:admin_or_owner" +# +"os_compute_api:os-extended-volumes": "rule:admin_or_owner" +# +"os_compute_api:os-extended-volumes:discoverable": "@" +# +"os_compute_api:extension_info:discoverable": "@" +# +"os_compute_api:extensions": "rule:admin_or_owner" +# +"os_compute_api:extensions:discoverable": "@" +# +"os_compute_api:os-fixed-ips:discoverable": "@" +# +"os_compute_api:os-fixed-ips": "rule:admin_api" +# +"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api" +# +"os_compute_api:os-flavor-access:discoverable": "@" +# +"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api" +# +"os_compute_api:os-flavor-access": "rule:admin_or_owner" +# +"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner" +# +"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api" +# +"os_compute_api:os-flavor-extra-specs:discoverable": "@" +# +"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api" +# +"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api" +# +"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner" +# +"os_compute_api:os-flavor-manage": "rule:admin_api" +# +"os_compute_api:os-flavor-manage:discoverable": "@" +# +"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner" +# +"os_compute_api:os-flavor-rxtx:discoverable": "@" +# +"os_compute_api:flavors:discoverable": "@" +# +"os_compute_api:flavors": "rule:admin_or_owner" +# +"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner" +# 
+"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api" +# +"os_compute_api:os-floating-ip-dns:discoverable": "@" +# +"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api" +# +"os_compute_api:os-floating-ip-pools:discoverable": "@" +# +"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner" +# +"os_compute_api:os-floating-ips": "rule:admin_or_owner" +# +"os_compute_api:os-floating-ips:discoverable": "@" +# +"os_compute_api:os-floating-ips-bulk:discoverable": "@" +# +"os_compute_api:os-floating-ips-bulk": "rule:admin_api" +# +"os_compute_api:os-fping:all_tenants": "rule:admin_api" +# +"os_compute_api:os-fping:discoverable": "@" +# +"os_compute_api:os-fping": "rule:admin_or_owner" +# +"os_compute_api:os-hide-server-addresses:discoverable": "@" +# +"os_compute_api:os-hide-server-addresses": "is_admin:False" +# +"os_compute_api:os-hosts:discoverable": "@" +# +"os_compute_api:os-hosts": "rule:admin_api" +# +"os_compute_api:os-hypervisors:discoverable": "@" +# +"os_compute_api:os-hypervisors": "rule:admin_api" +# +"os_compute_api:image-metadata:discoverable": "@" +# +"os_compute_api:image-size:discoverable": "@" +# +"os_compute_api:image-size": "rule:admin_or_owner" +# +"os_compute_api:images:discoverable": "@" +# +"os_compute_api:os-instance-actions:events": "rule:admin_api" +# +"os_compute_api:os-instance-actions": "rule:admin_or_owner" +# +"os_compute_api:os-instance-actions:discoverable": "@" +# +"os_compute_api:os-instance-usage-audit-log": "rule:admin_api" +# +"os_compute_api:os-instance-usage-audit-log:discoverable": "@" +# +"os_compute_api:ips:discoverable": "@" +# +"os_compute_api:ips:show": "rule:admin_or_owner" +# +"os_compute_api:ips:index": "rule:admin_or_owner" +# +"os_compute_api:os-keypairs:discoverable": "@" +# +"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s" +# +"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s" +# +"os_compute_api:os-keypairs:delete": "rule:admin_api 
or user_id:%(user_id)s" +# +"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s" +# +"os_compute_api:os-keypairs": "rule:admin_or_owner" +# +"os_compute_api:limits:discoverable": "@" +# +"os_compute_api:limits": "rule:admin_or_owner" +# +"os_compute_api:os-lock-server:discoverable": "@" +# +"os_compute_api:os-lock-server:lock": "rule:admin_or_owner" +# +"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api" +# +"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner" +# +"os_compute_api:os-migrate-server:migrate": "rule:admin_api" +# +"os_compute_api:os-migrate-server:discoverable": "@" +# +"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api" +# +"os_compute_api:os-migrations:index": "rule:admin_api" +# +"os_compute_api:os-migrations:discoverable": "@" +# +"os_compute_api:os-multinic": "rule:admin_or_owner" +# +"os_compute_api:os-multinic:discoverable": "@" +# +"os_compute_api:os-multiple-create:discoverable": "@" +# +"os_compute_api:os-networks:discoverable": "@" +# +"os_compute_api:os-networks": "rule:admin_api" +# +"os_compute_api:os-networks:view": "rule:admin_or_owner" +# +"os_compute_api:os-networks-associate": "rule:admin_api" +# +"os_compute_api:os-networks-associate:discoverable": "@" +# +"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner" +# +"os_compute_api:os-pause-server:discoverable": "@" +# +"os_compute_api:os-pause-server:pause": "rule:admin_or_owner" +# +"os_compute_api:os-pci:index": "rule:admin_api" +# +"os_compute_api:os-pci:detail": "rule:admin_api" +# +"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner" +# +"os_compute_api:os-pci:show": "rule:admin_api" +# +"os_compute_api:os-pci:discoverable": "@" +# +"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s" +# +"os_compute_api:os-quota-class-sets:discoverable": "@" +# +"os_compute_api:os-quota-class-sets:update": "rule:admin_api" +# +"os_compute_api:os-quota-sets:update": 
"rule:admin_api" +# +"os_compute_api:os-quota-sets:defaults": "@" +# +"os_compute_api:os-quota-sets:show": "rule:admin_or_owner" +# +"os_compute_api:os-quota-sets:delete": "rule:admin_api" +# +"os_compute_api:os-quota-sets:discoverable": "@" +# +"os_compute_api:os-quota-sets:detail": "rule:admin_api" +# +"os_compute_api:os-remote-consoles": "rule:admin_or_owner" +# +"os_compute_api:os-remote-consoles:discoverable": "@" +# +"os_compute_api:os-rescue:discoverable": "@" +# +"os_compute_api:os-rescue": "rule:admin_or_owner" +# +"os_compute_api:os-scheduler-hints:discoverable": "@" +# +"os_compute_api:os-security-group-default-rules:discoverable": "@" +# +"os_compute_api:os-security-group-default-rules": "rule:admin_api" +# +"os_compute_api:os-security-groups": "rule:admin_or_owner" +# +"os_compute_api:os-security-groups:discoverable": "@" +# +"os_compute_api:os-server-diagnostics": "rule:admin_api" +# +"os_compute_api:os-server-diagnostics:discoverable": "@" +# +"os_compute_api:os-server-external-events:create": "rule:admin_api" +# +"os_compute_api:os-server-external-events:discoverable": "@" +# +"os_compute_api:os-server-groups:discoverable": "@" +# +"os_compute_api:os-server-groups": "rule:admin_or_owner" +# +"os_compute_api:server-metadata:index": "rule:admin_or_owner" +# +"os_compute_api:server-metadata:show": "rule:admin_or_owner" +# +"os_compute_api:server-metadata:create": "rule:admin_or_owner" +# +"os_compute_api:server-metadata:discoverable": "@" +# +"os_compute_api:server-metadata:update_all": "rule:admin_or_owner" +# +"os_compute_api:server-metadata:delete": "rule:admin_or_owner" +# +"os_compute_api:server-metadata:update": "rule:admin_or_owner" +# +"os_compute_api:os-server-password": "rule:admin_or_owner" +# +"os_compute_api:os-server-password:discoverable": "@" +# +"os_compute_api:os-server-tags:delete_all": "@" +# +"os_compute_api:os-server-tags:index": "@" +# +"os_compute_api:os-server-tags:update_all": "@" +# +"os_compute_api:os-server-tags:delete": 
"@" +# +"os_compute_api:os-server-tags:update": "@" +# +"os_compute_api:os-server-tags:show": "@" +# +"os_compute_api:os-server-tags:discoverable": "@" +# +"os_compute_api:os-server-usage": "rule:admin_or_owner" +# +"os_compute_api:os-server-usage:discoverable": "@" +# +"os_compute_api:servers:index": "rule:admin_or_owner" +# +"os_compute_api:servers:detail": "rule:admin_or_owner" +# +"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api" +# +"os_compute_api:servers:index:get_all_tenants": "rule:admin_api" +# +"os_compute_api:servers:show": "rule:admin_or_owner" +# +"os_compute_api:servers:show:host_status": "rule:admin_api" +# +"os_compute_api:servers:create": "rule:admin_or_owner" +# +"os_compute_api:servers:create:forced_host": "rule:admin_api" +# +"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner" +# +"os_compute_api:servers:create:attach_network": "rule:admin_or_owner" +# +"os_compute_api:servers:delete": "rule:admin_or_owner" +# +"os_compute_api:servers:update": "rule:admin_or_owner" +# +"os_compute_api:servers:confirm_resize": "rule:admin_or_owner" +# +"os_compute_api:servers:revert_resize": "rule:admin_or_owner" +# +"os_compute_api:servers:reboot": "rule:admin_or_owner" +# +"os_compute_api:servers:resize": "rule:admin_or_owner" +# +"os_compute_api:servers:rebuild": "rule:admin_or_owner" +# +"os_compute_api:servers:create_image": "rule:admin_or_owner" +# +"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner" +# +"os_compute_api:servers:start": "rule:admin_or_owner" +# +"os_compute_api:servers:stop": "rule:admin_or_owner" +# +"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner" +# +"os_compute_api:servers:discoverable": "@" +# +"os_compute_api:servers:migrations:show": "rule:admin_api" +# +"os_compute_api:servers:migrations:force_complete": "rule:admin_api" +# +"os_compute_api:servers:migrations:delete": "rule:admin_api" +# +"os_compute_api:servers:migrations:index": "rule:admin_api" +# 
+"os_compute_api:server-migrations:discoverable": "@" +# +"os_compute_api:os-services": "rule:admin_api" +# +"os_compute_api:os-services:discoverable": "@" +# +"os_compute_api:os-shelve:shelve": "rule:admin_or_owner" +# +"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner" +# +"os_compute_api:os-shelve:shelve_offload": "rule:admin_api" +# +"os_compute_api:os-shelve:discoverable": "@" +# +"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner" +# +"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api" +# +"os_compute_api:os-simple-tenant-usage:discoverable": "@" +# +"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner" +# +"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner" +# +"os_compute_api:os-suspend-server:discoverable": "@" +# +"os_compute_api:os-tenant-networks": "rule:admin_or_owner" +# +"os_compute_api:os-tenant-networks:discoverable": "@" +# +"os_compute_api:os-used-limits:discoverable": "@" +# +"os_compute_api:os-used-limits": "rule:admin_api" +# +"os_compute_api:os-user-data:discoverable": "@" +# +"os_compute_api:versions:discoverable": "@" +# +"os_compute_api:os-virtual-interfaces:discoverable": "@" +# +"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner" +# +"os_compute_api:os-volumes:discoverable": "@" +# +"os_compute_api:os-volumes": "rule:admin_or_owner" +# +"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner" +# +"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner" +# +"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner" +# +"os_compute_api:os-volumes-attachments:discoverable": "@" +# +"os_compute_api:os-volumes-attachments:update": "rule:admin_api" +# +"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner" diff --git a/snap/hooks/configure b/snap/hooks/configure new file mode 100755 index 0000000..6c5402f --- /dev/null +++ b/snap/hooks/configure 
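Review bot: policy.yaml ships every compute rule as an active override rather than as commented defaults, which pins the policy to the release it was generated from; permissive entries such as `"os_compute_api:os-server-tags:delete_all": "@"` and the other os-server-tags rules stay as written even if a later nova release tightens its in-code defaults. Consider shipping only the rules the snap intentionally changes, or add a header comment naming the nova release the file was generated from so it can be regenerated on upgrade. The `#` description line above almost every rule is empty, so the file documents nothing beyond the rule names.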
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+driver="$(snapctl get driver)"
+
+if [[ -n $driver && ! $driver =~ (LIBVIRT|QEMU) ]]; then
+ echo "\"$driver\" is not a supported virtualization driver"
+ exit 1
+fi
+
+driver_saved="$(cat $SNAP_COMMON/driver)" || true
+driver=${driver:-QEMU}
+driver_saved=${driver_saved:-QEMU}
+
+if [[ $driver != $driver_saved ]]; then
+ echo "$driver" > $SNAP_COMMON/driver
+ snapctl restart $SNAP_NAME
+fi
diff --git a/snap/hooks/install b/snap/hooks/install
new file mode 100755
index 0000000..4eca4cc
--- /dev/null
+++ b/snap/hooks/install
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+
+install -D $SNAP/var/snap/microstack/common/libvirt/libvirtd.conf $SNAP_COMMON/libvirt/libvirtd.conf
+sed -i 's/unix_sock_group = "libvirtd"/unix_sock_group = "sudo"/' $SNAP_COMMON/libvirt/libvirtd.conf
diff --git a/snap/hooks/post-refresh b/snap/hooks/post-refresh
new file mode 100755
index 0000000..3221002
--- /dev/null
+++ b/snap/hooks/post-refresh
@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+if [ ! -f $SNAP_COMMON/libvirt/libvirtd.conf ]; then
+ install -D $SNAP/var/snap/microstack/common/libvirt/libvirtd.conf $SNAP_COMMON/libvirt/libvirtd.conf
+ sed -i 's/unix_sock_group = "libvirtd"/unix_sock_group = "sudo"/' $SNAP_COMMON/libvirt/libvirtd.conf
+fi
diff --git a/snap/patches/openvswitch/0001-ovs-kmod-ctl-source-ovs-lib-dynamically.patch b/snap/patches/openvswitch/0001-ovs-kmod-ctl-source-ovs-lib-dynamically.patch
new file mode 100644
index 0000000..d94a207
--- /dev/null
+++ b/snap/patches/openvswitch/0001-ovs-kmod-ctl-source-ovs-lib-dynamically.patch
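Review bot: The validation `! $driver =~ (LIBVIRT|QEMU)` in the configure hook is unanchored, so any value that merely contains one of the two names passes and is then written to `$SNAP_COMMON/driver`; anchor it as `! $driver =~ ^(LIBVIRT|QEMU)$`. `$SNAP_COMMON/driver` and `$SNAP_NAME` are expanded unquoted in the `cat`, the redirect and `snapctl restart`, and quoting them (`"$SNAP_COMMON/driver"`) is the safer habit in a hook. A short comment stating that an unset driver defaults to QEMU would document the two `${...:-QEMU}` lines.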
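Review bot: Rewriting `unix_sock_group = "libvirtd"` to `"sudo"` in the install hook gives every member of the sudo group direct access to the libvirt socket, which, depending on the auth settings in libvirtd.conf (not shown here), is normally treated as root-equivalent, and it does so without sudo's password prompt or logging. It also assumes the host has a group named `sudo`, which is not true of every distribution. A dedicated group, or a comment in the hook explaining why `sudo` was chosen, would make the trade-off explicit. The same `install -D` and `sed` lines are repeated in snap/hooks/post-refresh, and in both hooks the paths are unquoted.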
@@ -0,0 +1,31 @@
+From fdf38dcad424c00d39b5c128ddb06b93606a639b Mon Sep 17 00:00:00 2001
+From: James Page
+Date: Wed, 19 Sep 2018 09:13:48 +0200
+Subject: [PATCH] ovs-kmod-ctl: source ovs-lib dynamically
+
+Determine installation location of ovs-lib using runtime location
+of script, rather than build-time parameters.
+---
+ utilities/ovs-kmod-ctl.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/utilities/ovs-kmod-ctl.in b/utilities/ovs-kmod-ctl.in
+index 13ccfcf73..19f100964 100644
+--- a/utilities/ovs-kmod-ctl.in
++++ b/utilities/ovs-kmod-ctl.in
+@@ -14,7 +14,11 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+-. "@pkgdatadir@/scripts/ovs-lib" || exit 1
++case $0 in
++ */*) dir0=`echo "$0" | sed 's,/[^/]*$,,'` ;;
++ *) dir0=./ ;;
++esac
++. "$dir0/ovs-lib" || exit 1
+
+ for dir in "$sbindir" "$bindir" /sbin /bin /usr/sbin /usr/bin; do
+ case :$PATH: in
+--
+2.17.1
+
diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml
new file mode 100644
index 0000000..fecb6c9
--- /dev/null
+++ b/snap/snap-openstack.yaml
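Review bot: In the `case $0` added by the inner hunk, the fallback `*) dir0=./ ;;` makes the script source `./ovs-lib` from the caller's current directory whenever `$0` contains no slash, and this script presumably runs as root since it manages kernel modules. Failing in that branch is safer than defaulting to the working directory, for example `*) echo "$0: cannot locate ovs-lib" >&2; exit 1 ;;`. The patch description should also say that ovs-lib must now be installed next to ovs-kmod-ctl, since the build-time `@pkgdatadir@/scripts` path is no longer consulted.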
@@ -0,0 +1,160 @@
+setup:
+ dirs:
+ - "{snap_common}/etc/keystone/keystone.conf.d"
+ - "{snap_common}/etc/nova/nova.conf.d"
+ - "{snap_common}/etc/neutron/neutron.conf.d"
+ - "{snap_common}/etc/neutron/plugins/ml2"
+ - "{snap_common}/etc/neutron/policy.d"
+ - "{snap_common}/etc/neutron/rootwrap.d"
+ - "{snap_common}/etc/nginx/sites-enabled"
+ - "{snap_common}/etc/nginx/snap/sites-enabled"
+ - "{snap_common}/etc/glance/glance.conf.d"
+ - "{snap_common}/etc/uwsgi/snap"
+ - "{snap_common}/fernet-keys"
+ - "{snap_common}/lib"
+ - "{snap_common}/lib/images"
+ - "{snap_common}/lock"
+ - "{snap_common}/log"
+ - "{snap_common}/run"
+ templates:
+ keystone-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/keystone.conf"
+ keystone-snap.conf.j2: "{snap_common}/etc/keystone/keystone.conf.d/keystone-snap.conf"
+ neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf"
+ nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf"
+ nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf"
+ nova-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/nova.conf"
+ glance-snap.conf.j2: "{snap_common}/etc/glance/glance.conf.d/glance-snap.conf"
+entry_points:
+ keystone-manage:
+ binary: "{snap}/bin/keystone-manage"
+ config-files:
+ - "{snap}/etc/keystone/keystone.conf"
+ config-files-override:
+ - "{snap_common}/etc/keystone/keystone.conf"
+ config-dirs:
+ - "{snap_common}/etc/keystone/keystone.conf.d"
+ keystone-uwsgi:
+ type: uwsgi
+ uwsgi-dir: "{snap_common}/etc/uwsgi/snap"
+ uwsgi-dir-override: "{snap_common}/etc/uwsgi"
+ uwsgi-log: "{snap_common}/log/uwsgi.log"
+ config-files:
+ - "{snap}/etc/keystone/keystone.conf"
+ config-files-override:
+ - "{snap_common}/etc/keystone/keystone.conf"
+ config-dirs:
+ - "{snap_common}/etc/keystone/keystone.conf.d"
+ log-file: "{snap_common}/log/keystone.log"
+ templates:
+ admin.ini.j2: "{snap_common}/etc/uwsgi/snap/admin.ini"
+ public.ini.j2: "{snap_common}/etc/uwsgi/snap/public.ini"
+ nginx:
+ type: nginx
+ config-file: "{snap_common}/etc/nginx/snap/nginx.conf"
+ config-file-override: "{snap_common}/etc/nginx/nginx.conf"
+ nova-api-os-compute:
+ binary: "{snap}/bin/nova-api-os-compute"
+ config-files:
+ - "{snap}/etc/nova/nova.conf"
+ config-files-override:
+ - "{snap_common}/etc/nova/nova.conf"
+ config-dirs:
+ - "{snap_common}/etc/nova/nova.conf.d"
+ log-file: "{snap_common}/log/nova-api-os-compute.log"
+ nova-uwsgi:
+ type: uwsgi
+ uwsgi-dir: "{snap_common}/etc/uwsgi/snap"
+ uwsgi-dir-override: "{snap_common}/etc/uwsgi"
+ uwsgi-log: "{snap_common}/log/uwsgi.log"
+ config-files:
+ - "{snap}/etc/nova/nova.conf"
+ config-files-override:
+ - "{snap_common}/etc/nova/nova.conf"
+ config-dirs:
+ - "{snap_common}/etc/nova/nova.conf.d"
+ log-file: "{snap_common}/log/nova-placement-api.log"
+ templates:
+ nova-placement-api.ini.j2:
+ "{snap_common}/etc/uwsgi/snap/nova-placement-api.ini"
+ nova-conductor:
+ binary: "{snap}/bin/nova-conductor"
+ config-files:
+ - "{snap}/etc/nova/nova.conf"
+ config-files-override:
+ - "{snap_common}/etc/nova/nova.conf"
+ config-dirs:
+ - "{snap_common}/etc/nova/nova.conf.d"
+ log-file: "{snap_common}/log/nova-conductor.log"
+ nova-scheduler:
+ binary: "{snap}/bin/nova-scheduler"
+ config-files:
+ - "{snap}/etc/nova/nova.conf"
+ config-files-override:
+ - "{snap_common}/etc/nova/nova.conf"
+ config-dirs:
+ - "{snap_common}/etc/nova/nova.conf.d"
+ log-file: "{snap_common}/log/nova-scheduler.log"
+ nova-consoleauth:
+ binary: "{snap}/bin/nova-consoleauth"
+ config-files:
+ - "{snap}/etc/nova/nova.conf"
+ config-files-override:
+ - "{snap_common}/etc/nova/nova.conf"
+ config-dirs:
+ - "{snap_common}/etc/nova/nova.conf.d"
+ log-file: "{snap_common}/log/nova-consoleauth.log"
+ nova-manage:
+ binary: "{snap}/bin/nova-manage"
+ config-files:
+ - "{snap}/etc/nova/nova.conf"
+ config-files-override:
+ - "{snap_common}/etc/nova/nova.conf"
+ config-dirs:
+ - "{snap_common}/etc/nova/nova.conf.d"
+ neutron-db-manage:
+ binary: "{snap}/bin/neutron-db-manage"
+ config-files:
+ - "{snap}/etc/neutron/neutron.conf"
+ - "{snap}/etc/neutron/plugins/ml2/ml2_conf.ini"
+ config-files-override:
+ - "{snap_common}/etc/neutron/neutron.conf"
+ - "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini"
+ config-dirs:
+ - "{snap_common}/etc/neutron/neutron.conf.d"
+ neutron-server:
+ binary: "{snap}/bin/neutron-server"
+ config-files:
+ - "{snap}/etc/neutron/neutron.conf"
+ - "{snap}/etc/neutron/plugins/ml2/ml2_conf.ini"
+ config-files-override:
+ - "{snap_common}/etc/neutron/neutron.conf"
+ - "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini"
+ config-dirs:
+ - "{snap_common}/etc/neutron/neutron.conf.d"
+ log-file: "{snap_common}/log/neutron-server.log"
+ glance-manage:
+ binary: "{snap}/bin/glance-manage"
+ config-files:
+ - "{snap}/etc/glance/glance-manage.conf"
+ config-files-override:
+ - "{snap_common}/etc/glance/glance-manage.conf"
+ config-dirs:
+ - "{snap_common}/etc/glance/glance.conf.d"
+ glance-registry:
+ binary: "{snap}/bin/glance-registry"
+ config-files:
+ - "{snap}/etc/glance/glance-registry.conf"
+ config-files-override:
+ - "{snap_common}/etc/glance/glance-registry.conf"
+ config-dirs:
+ - "{snap_common}/etc/glance/glance.conf.d"
+ log-file: "{snap_common}/log/glance-registry.log"
+ glance-api:
+ binary: "{snap}/bin/glance-api"
+ config-files:
+ - "{snap}/etc/glance/glance-api.conf"
+ config-files-override:
+ - "{snap_common}/etc/glance/glance-api.conf"
+ config-dirs:
+ - "{snap_common}/etc/glance/glance.conf.d"
+ log-file: "{snap_common}/log/glance-api.log"
diff --git a/snap/templates/admin.ini.j2 b/snap/templates/admin.ini.j2
new file mode 100644
index 0000000..fd4e4f0
--- /dev/null
+++ b/snap/templates/admin.ini.j2
@@ -0,0 +1,11 @@
+[uwsgi]
+wsgi-file = {{ snap }}/bin/keystone-wsgi-admin
+uwsgi-socket = {{ snap_common }}/run/admin.sock
+buffer-size = 65535
+master = true
+enable-threads = true
+processes = 4
+thunder-lock = true
+lazy-apps = true
+home = {{ snap }}/usr
+pyargv = {{ pyargv }}
diff --git a/snap/templates/glance-snap.conf.j2 b/snap/templates/glance-snap.conf.j2
new file mode 100644
index 0000000..ea3df65
--- /dev/null
+++ b/snap/templates/glance-snap.conf.j2
@@ -0,0 +1,11 @@
+[DEFAULT]
+# Set state path to writable directory
+state_path = {{ snap_common }}/lib
+
+[oslo_concurrency]
+# Oslo Concurrency lock path
+lock_path = {{ snap_common }}/lock
+
+[glance_store]
+# Set default glance_store path to writable directory
+filesystem_store_datadir = {{ snap_common }}/lib/images
diff --git a/snap/templates/keystone-nginx.conf.j2 b/snap/templates/keystone-nginx.conf.j2
new file mode 100644
index 0000000..a39bada
--- /dev/null
+++ b/snap/templates/keystone-nginx.conf.j2
@@ -0,0 +1,20 @@
+server {
+ listen 5000;
+ access_log {{ snap_common }}/log/nginx-access.log;
+ error_log {{ snap_common }}/log/nginx-error.log;
+ location / {
+ include {{ snap }}/usr/conf/uwsgi_params;
+ uwsgi_param SCRIPT_NAME '';
+ uwsgi_pass unix://{{ snap_common }}/run/public.sock;
+ }
+}
+server {
+ listen 35357;
+ access_log {{ snap_common }}/log/nginx-access.log;
+ error_log {{ snap_common }}/log/nginx-error.log;
+ location / {
+ include {{ snap }}/usr/conf/uwsgi_params;
+ uwsgi_param SCRIPT_NAME '';
+ uwsgi_pass unix://{{ snap_common }}/run/admin.sock;
+ }
+}
diff --git a/snap/templates/keystone-snap.conf.j2 b/snap/templates/keystone-snap.conf.j2
new file mode 100644
index 0000000..fca2577
--- /dev/null
+++ b/snap/templates/keystone-snap.conf.j2
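Review bot: Both `listen 5000;` and `listen 35357;` in snap/templates/keystone-nginx.conf.j2 bind every interface and serve Keystone over cleartext HTTP, so passwords and tokens sent to the public and admin APIs are readable on any network the machine joins. For a single-machine install I would bind to loopback, `listen 127.0.0.1:5000;` and `listen 127.0.0.1:35357;`, or add a TLS listener; snapcraft.yaml in this same commit already builds nginx with `--with-http_ssl_module`. The same applies to `listen 8778;` in snap/templates/nova-nginx.conf.j2.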
@@ -0,0 +1,11 @@
+[DEFAULT]
+# Set state path to writable directory
+state_path = {{ snap_common }}/lib
+
+[oslo_concurrency]
+# Oslo Concurrency lock path
+lock_path = {{ snap_common }}/lock
+
+[fernet_tokens]
+# Fernet key repository
+key_repository = {{ snap_common }}/fernet-keys
diff --git a/snap/templates/neutron-snap.conf.j2 b/snap/templates/neutron-snap.conf.j2
new file mode 100644
index 0000000..f683970
--- /dev/null
+++ b/snap/templates/neutron-snap.conf.j2
@@ -0,0 +1,7 @@
+[DEFAULT]
+# Set state path to writable directory
+state_path = {{ snap_common }}/lib
+
+[oslo_concurrency]
+# Oslo Concurrency lock path
+lock_path = {{ snap_common }}/lock
diff --git a/snap/templates/nginx.conf.j2 b/snap/templates/nginx.conf.j2
new file mode 100644
index 0000000..e982ff3
--- /dev/null
+++ b/snap/templates/nginx.conf.j2
@@ -0,0 +1,39 @@
+user root root;
+worker_processes auto;
+pid {{ snap_common }}/run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include {{ snap }}/usr/conf/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log {{ snap_common }}/log/nginx-access.log;
+ error_log {{ snap_common }}/log/nginx-error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+ gzip_disable "msie6";
+
+ include {{ snap_common }}/etc/nginx/conf.d/*.conf;
+ include {{ snap_common }}/etc/nginx/snap/sites-enabled/*;
+}
diff --git a/snap/templates/nova-nginx.conf.j2 b/snap/templates/nova-nginx.conf.j2
new file mode 100644
index 0000000..91c43a6
--- /dev/null
+++ b/snap/templates/nova-nginx.conf.j2
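Review bot: `key_repository = {{ snap_common }}/fernet-keys` in snap/templates/keystone-snap.conf.j2 needs a comment stating who may read that directory, because the Fernet keys kept there encrypt and sign Keystone tokens and the existing `# Fernet key repository` line says nothing about access. I would replace it with `# Fernet key repository: must be owned by the keystone service user and not group/world readable (0700)`. Nothing in this hunk creates the directory, so whichever setup step does should set the mode explicitly rather than rely on the umask.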
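Review bot: `user root root;` at the top of snap/templates/nginx.conf.j2 keeps the nginx workers, which parse untrusted HTTP requests, running as root, and the rationale given in patches/drop-nginx-setgroups.patch ("in strict mode we run worker processes as root:root") does not match this commit's snapcraft.yaml, which sets `confinement: classic`. Under classic confinement the snap's seccomp/AppArmor sandbox is not applied to those workers, so a worker compromise is a root compromise of the host. Either move the snap to `confinement: strict` so the justification holds, or, if classic stays, keep nginx's own privilege drop (do not apply the setgroups patch) and name an unprivileged account in `user`. At minimum add a comment above the directive, e.g. `# workers stay root: setgroups is blocked under strict confinement (LP: #1446748)`.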
@@ -0,0 +1,10 @@
+server {
+ listen 8778;
+ access_log {{ snap_common }}/log/nginx-access.log;
+ error_log {{ snap_common }}/log/nginx-error.log;
+ location / {
+ include {{ snap }}/usr/conf/uwsgi_params;
+ uwsgi_param SCRIPT_NAME '';
+ uwsgi_pass unix://{{ snap_common }}/run/placement-api.sock;
+ }
+}
diff --git a/snap/templates/nova-placement-api.ini.j2 b/snap/templates/nova-placement-api.ini.j2
new file mode 100644
index 0000000..320fc43
--- /dev/null
+++ b/snap/templates/nova-placement-api.ini.j2
@@ -0,0 +1,10 @@
+[uwsgi]
+wsgi-file = {{ snap }}/bin/nova-placement-api
+uwsgi-socket = {{ snap_common }}/run/placement-api.sock
+buffer-size = 65535
+master = true
+enable-threads = true
+processes = 4
+thunder-lock = true
+lazy-apps = true
+home = {{ snap }}/usr
diff --git a/snap/templates/nova-snap.conf.j2 b/snap/templates/nova-snap.conf.j2
new file mode 100644
index 0000000..f683970
--- /dev/null
+++ b/snap/templates/nova-snap.conf.j2
@@ -0,0 +1,7 @@
+[DEFAULT]
+# Set state path to writable directory
+state_path = {{ snap_common }}/lib
+
+[oslo_concurrency]
+# Oslo Concurrency lock path
+lock_path = {{ snap_common }}/lock
diff --git a/snap/templates/public.ini.j2 b/snap/templates/public.ini.j2
new file mode 100644
index 0000000..7357d53
--- /dev/null
+++ b/snap/templates/public.ini.j2
@@ -0,0 +1,11 @@
+[uwsgi]
+wsgi-file = {{ snap }}/bin/keystone-wsgi-public
+uwsgi-socket = {{ snap_common }}/run/public.sock
+buffer-size = 65535
+master = true
+enable-threads = true
+processes = 4
+thunder-lock = true
+lazy-apps = true
+home = {{ snap }}/usr
+pyargv = {{ pyargv }}
diff --git a/snapcraft.yaml b/snapcraft.yaml
new file mode 100644
index 0000000..8655531
--- /dev/null
+++ b/snapcraft.yaml
@@ -0,0 +1,535 @@
+name: microstack
+version: alpha
+summary: Openstack on your laptop.
+description: |
+ Microstack gives you an easy way to develop and test Openstack
+ workloads on your laptop. TODO drop in basic usage instructions
+ here.
+grade: devel
+confinement: classic
+
+apps:
+ # Keystone
+ keystone-uwsgi:
+ command: snap-openstack keystone-uwsgi
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network-bind
+ keystone-manage:
+ command: snap-openstack keystone-manage
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+
+ # Nova
+ nova-uwsgi:
+ command: snap-openstack nova-uwsgi
+ daemon: simple
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/
+ plugs:
+ - network-bind
+ nova-api:
+ command: snap-openstack nova-api-os-compute
+ daemon: simple
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network-bind
+ conductor:
+ command: snap-openstack nova-conductor
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network
+ scheduler:
+ command: snap-openstack nova-scheduler
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network
+ consoleauth:
+ command: snap-openstack nova-consoleauth
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network
+ nova-manage:
+ command: snap-openstack nova-manage
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+
+ # Neutron
+ neutron-api:
+ command: snap-openstack neutron-server
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network-bind
+ neutron-manage:
+ command: snap-openstack neutron-db-manage
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+
+ # Glance
+ glance-api:
+ command: snap-openstack glance-api
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network-bind
+ registry:
+ command: snap-openstack glance-registry
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ plugs:
+ - network
+ - network-bind
+ glance-manage:
+ command: snap-openstack glance-manage
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+
+ # Openstack Shared Services
+ nginx:
+ command: snap-openstack nginx
+ environment:
+ LD_LIBRARY_PATH: $SNAP/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: forking
+ plugs:
+ - network-bind
+
+ # Openvswitch
+ ovs-vswitchd:
+ command: ovs-wrapper $SNAP/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server --no-monitor --system-id=random start
+ stop-command: ovs-wrapper $SNAP/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: forking
+ plugs:
+ - network
+ - network-bind
+ - network-control
+ - openvswitch-support
+ - process-control
+ - system-trace
+ ovsdb-server:
+ command: ovs-wrapper $SNAP/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd --no-monitor --system-id=random start
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ stop-command: ovs-wrapper $SNAP/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
+ daemon: forking
+ plugs:
+ - network
+ - network-bind
+ - network-control
+ - openvswitch-support
+ - process-control
+ - system-trace
+ ovs-vsctl:
+ command: ovs-wrapper $SNAP/bin/ovs-vsctl
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+ ovs-appctl:
+ command: ovs-wrapper $SNAP/bin/ovs-appctl
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+ ovs-ofctl:
+ command: ovs-wrapper $SNAP/bin/ovs-ofctl
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+ ovs-dpctl:
+ command: ovs-wrapper $SNAP/bin/ovs-dpctl
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ plugs:
+ - network
+
+ # Libvirt/Qemu
+ libvirt-bin:
+ command: bin/launch-libvirtd
+ environment:
+ LD_LIBRARY_PATH: $SNAP/lib:$SNAP/usr/lib
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+ daemon: simple
+ virsh:
+ command: bin/virsh
+ environment:
+ PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
+ LC_ALL: C
+
+parts:
+ # Keystone
+ keystone:
+ plugin: python
+ python-version: python2
+ constraints: https://raw.githubusercontent.com/openstack/requirements/stable/ocata/upper-constraints.txt
+ source: http://tarballs.openstack.org/keystone/keystone-stable-ocata.tar.gz
+ python-packages:
+ - mysql-python
+ - oslo.cache[dogpile]
+ - pymysql
+ - pysqlite
+ - uwsgi
+ - git+https://github.com/openstack/snap.openstack#egg=snap.openstack
+ install: |
+ touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
+ touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
+ export SNAP_ROOT="../../.."
+ export SNAP_SITE_PACKAGES="$SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages"
+ patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/oslo-config-dirs.patch
+ build-packages:
+ - gcc
+ - libffi-dev
+ - libmysqlclient-dev
+ - libssl-dev
+ - libsqlite3-dev
+
+ keystone-config:
+ after: [keystone]
+ plugin: dump
+ source: http://tarballs.openstack.org/keystone/keystone-stable-ocata.tar.gz
+ organize:
+ etc/*.conf: etc/keystone/
+ etc/*.ini: etc/keystone/
+ etc/*.json: etc/keystone/
+ etc/*.templates: etc/keystone/
+ filesets:
+ etc:
+ - etc/keystone/*.conf
+ - etc/keystone/*.ini
+ - etc/keystone/*.json
+ - etc/keystone/*.templates
+ stage: [$etc]
+ prime: [$etc]
+
+ # Nova
+ nova:
+ after: [keystone] # We abitrarily rely on keystone to be the one to patch things
+ plugin: python
+ python-version: python2
+ source: http://tarballs.openstack.org/nova/nova-stable-ocata.tar.gz
+ python-packages:
+ - pymysql
+ - uwsgi
+ - python-memcached
+ - git+https://github.com/openstack/snap.openstack#egg=snap.openstack
+ constraints: https://raw.githubusercontent.com/openstack/requirements/stable/ocata/upper-constraints.txt
+ build-packages:
+ - gcc
+ - libffi-dev
+ - libssl-dev
+ - libxml2-dev
+ - libxslt1-dev
+
+ nova-config:
+ after: [nova]
+ plugin: dump
+ source: http://tarballs.openstack.org/nova/nova-stable-ocata.tar.gz
+ filesets:
+ etc:
+ - etc/nova/*.conf
+ - etc/nova/*.ini
+ - etc/nova/*.json
+ - etc/nova/rootwrap.d
+ stage: [$etc]
+ prime: [$etc]
+
+ neutron:
+ after: [keystone] # We arbitrarily rely on keystone to patch some things
+ plugin: python
+ python-version: python2
+ source: http://tarballs.openstack.org/neutron/neutron-stable-ocata.tar.gz
+ python-packages:
+ - pymysql
+ - python-memcached
+ - git+https://github.com/openstack/snap.openstack#egg=snap.openstack
+ constraints: https://raw.githubusercontent.com/openstack/requirements/stable/ocata/upper-constraints.txt
+ build-packages:
+ - gcc
+ - libffi-dev
+ - libssl-dev
+
+ neutron-config:
+ after: [neutron]
+ plugin: dump
+ source: http://tarballs.openstack.org/neutron/neutron-stable-ocata.tar.gz
+ organize:
+ etc/*.conf: etc/neutron/
+ etc/*.ini: etc/neutron/
+ etc/*.json: etc/neutron/
+ etc/rootwrap.d/*: etc/neutron/rootwrap.d/
+ filesets:
+ etc:
+ - etc/neutron/*
+ stage: [$etc]
+ prime: [$etc]
+
+ # Glance
+ glance:
+ after: [keystone] # We arbitrarily rely on keystone to patch some things
+ plugin: python
+ python-version: python2
+ source: http://tarballs.openstack.org/glance/glance-stable-ocata.tar.gz
+ python-packages:
+ - httplib2
+ - os-brick
+ - oslo.rootwrap
+ - oslo.vmware
+ - pymysql
+ - python-cinderclient
+ - python-memcached
+ - python-swiftclient
+ - git+https://github.com/openstack/snap.openstack#egg=snap.openstack
+ constraints: https://raw.githubusercontent.com/openstack/requirements/stable/ocata/upper-constraints.txt
+ build-packages:
+ - gcc
+ - libffi-dev
+ - libssl-dev
+ - libxml2-dev
+ - libxslt1-dev
+ glance-config:
+ after: [glance]
+ plugin: dump
+ source: http://tarballs.openstack.org/glance/glance-stable-ocata.tar.gz
+ organize:
+ etc/*.conf: etc/glance/
+ etc/*.ini: etc/glance/
+ etc/*.json: etc/glance/
+ filesets:
+ etc:
+ - etc/glance/*.conf
+ - etc/glance/*.ini
+ - etc/glance/*.json
+ stage: [$etc]
+ prime: [$etc]
+
+ # Openvswitch
+ ovs-patches:
+ source: snap/patches/
+ plugin: dump
+ organize:
+ '*' : patches/
+ prime:
+ - -*
+
+ openvswitch:
+ # TODO: figure out a better way to fetch the version
+ source: http://openvswitch.org/releases/openvswitch-2.10.0.tar.gz
+ plugin: autotools
+ build-packages:
+ - libssl-dev
+ - libnuma-dev
+ - libcap-ng-dev
+ - libpcap-dev
+ - libunbound-dev
+ - python-all
+ - python-six
+ - python-setuptools
+ stage-packages:
+ - uuid-runtime
+ configflags:
+ - "--localstatedir=/var/snap/$SNAPCRAFT_PROJECT_NAME/common"
+ - "--sysconfdir=/var/snap/$SNAPCRAFT_PROJECT_NAME/etc"
+ after:
+ - ovs-patches
+ prepare: |
+ # Apply patches
+ for patch in ${SNAPCRAFT_STAGE}/patches/openvswitch/*.patch; do
+ echo "Applying $(basename "$patch") ..."
+ patch \
+ --batch \
+ --forward \
+ --strip 1 \
+ --input "$patch"
+ echo
+ done
+
+ # Openstack Shared Parts
+ templates:
+ after: [keystone, nova, neutron, openvswitch]
+ plugin: dump
+ source: snap
+
+ nginx:
+ after: [keystone, nova, neutron, openvswitch]
+ source: http://www.nginx.org/download/nginx-1.13.0.tar.gz
+ plugin: autotools
+ configflags:
+ - --prefix=/usr
+ - --http-log-path=/var/snap/microstack/common/log/nginx-access.log
+ - --error-log-path=/var/snap/microstack/common/log/nginx-error.log
+ - --lock-path=/var/snap/microstack/common/lock/nginx.lock
+ - --pid-path=/var/snap/microstack/common/run/nginx.pid
+ - --http-client-body-temp-path=/var/snap/microstack/common/lib/nginx_client_body
+ - --http-proxy-temp-path=/var/snap/microstack/common/lib/nginx_proxy
+ - --http-fastcgi-temp-path=/var/snap/microstack/common/lib/nginx_fastcgi
+ - --http-uwsgi-temp-path=/var/snap/microstack/common/lib/nginx_uwsgi
+ - --http-scgi-temp-path=/var/snap/microstack/common/lib/nginx_scgi
+ - --with-http_ssl_module
+ build-packages:
+ - libpcre3-dev
+ - libssl-dev
+ - python-six
+ prepare: |
+ export SNAP_ROOT="../../.."
+ export SNAP_SOURCE="$SNAP_ROOT/parts/nginx/build"
+ patch -d $SNAP_SOURCE -p1 < $SNAP_ROOT/patches/drop-nginx-setgroups.patch
+
+ libxml2:
+ source: http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz
+ plugin: autotools
+
+ # libvirt/qemu
+ qemu:
+ plugin: nil
+ stage-packages:
+ - on amd64: [qemu-system-x86]
+ - on i386: [qemu-system-x86]
+ - on armhf: [qemu-system-arm]
+ - on arm64: [qemu-system-arm]
+ - qemu-utils
+ - libslang2
+ organize:
+ usr/lib/*/pulseaudio/libpulsecommon-8.0.so: usr/lib/libpulsecommon-8.0.so
+ usr/share/seabios/bios-256k.bin: qemu/bios-256k.bin
+ usr/share/seabios/vgabios-stdvga.bin: qemu/vgabios-stdvga.bin
+ usr/share/seabios/kvmvapic.bin: qemu/kvmvapic.bin
+ usr/lib/ipxe/qemu/efi-virtio.rom: qemu/efi-virtio.rom
+
+ kvm-support:
+ plugin: nil
+ stage-packages:
+ - try: [msr-tools]
+
+ libvirt:
+ source: .
+ source-subdir: libvirt-1.3.1
+ plugin: autotools
+ build-packages:
+ - libxml2-dev
+ - libxml-libxml-perl
+ - libcurl4-gnutls-dev
+ - libncurses5-dev
+ - libreadline-dev
+ - zlib1g-dev
+ - libgcrypt20-dev
+ - libgnutls28-dev
+ - libyajl-dev
+ - libpcap0.8-dev
+ - libaudit-dev
+ - libdevmapper-dev
+ - libpciaccess-dev
+ - libnl-3-dev
+ - libnl-route-3-dev
+ - uuid-dev
+ - try: [libnuma-dev]
+ - wget
+ - dpkg-dev
+ stage-packages:
+ - dmidecode
+ - dnsmasq
+ - libxml2
+ - libyajl2
+ - try: [libnuma1]
+ - libcurl3-gnutls
+ - libpciaccess0
+ configflags:
+ - --with-qemu
+ - --without-bhyve
+ - --without-xen
+ - --without-openvz
+ - --without-vmware
+ - --without-xenapi
+ - --without-esx
+ - --without-hyperv
+ - --without-lxc
+ - --without-vz
+ - --without-vbox
+ - --without-uml
+ - --without-sasl
+ - --without-storage-iscsi
+ - --without-storage-sheepdog
+ - --without-storage-rbd
+ - --without-storage-lvm
+ - --without-selinux
+ - --prefix=/snap/$SNAPCRAFT_PROJECT_NAME/current
+ - --localstatedir=/var/snap/$SNAPCRAFT_PROJECT_NAME/common
+ - --sysconfdir=/var/snap/$SNAPCRAFT_PROJECT_NAME/common
+ - DNSMASQ=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/sbin/dnsmasq
+ - DMIDECODE=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/sbin/dmidecode
+ override-build: |
+ wget http://archive.ubuntu.com/ubuntu/pool/main/libv/libvirt/libvirt_1.3.1.orig.tar.gz
+ wget http://archive.ubuntu.com/ubuntu/pool/main/libv/libvirt/libvirt_1.3.1-1ubuntu10.24.debian.tar.xz
+ wget http://archive.ubuntu.com/ubuntu/pool/main/libv/libvirt/libvirt_1.3.1-1ubuntu10.24.dsc
+ dpkg-source -x libvirt*.dsc
+ snapcraftctl build
+ organize:
+ # Hack to shift installed libvirt back to root of snap
+ # required to ensure that pathing to files etc works at
+ # runtime
+ # * is not used to avoid directory merge conflicts
+ snap/microstack/current/: ./
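Review bot: Every upstream `source:` under `parts:` is fetched over plain `http://` with no integrity check (tarballs.openstack.org, openvswitch.org, www.nginx.org, xmlsoft.org), and the libvirt `override-build` pulls three files from archive.ubuntu.com with `wget http://...`, so anyone on the build machine's network path can substitute the code that ends up in a snap shipped with `confinement: classic`. Pin each tarball with `source-checksum: sha256/<digest of the release tarball>` and switch the URLs to `https://` where the host offers it. For libvirt, compare the downloaded `.dsc` against a recorded digest, or run `dpkg-source --require-valid-signature -x libvirt*.dsc` if the build environment has the archive keyring. The `*-stable-ocata.tar.gz` tarballs and `git+https://github.com/openstack/snap.openstack#egg=snap.openstack` are moving targets, so a checksum there first needs a tagged release or a commit pin.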