Hello community, here is the log from the commit of package openstack-quickstart for openSUSE:Factory checked in at 2012-10-23 19:41:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openstack-quickstart (Old) and /work/SRC/openSUSE:Factory/.openstack-quickstart.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openstack-quickstart", Maintainer is "[email protected]" Changes: --------
--- /work/SRC/openSUSE:Factory/openstack-quickstart/openstack-quickstart.changes 2012-02-14 13:07:03.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openstack-quickstart.new/openstack-quickstart.changes 2012-10-23 19:41:30.000000000 +0200
@@ -1,0 +2,102 @@
+Tue Aug 14 11:36:09 UTC 2012 - [email protected]
+
+- export OS_TENANT_NAME for new glanceclient
+
+-------------------------------------------------------------------
+Tue Aug 7 13:46:38 UTC 2012 - [email protected]
+
+- fix dashboard to use SSL,
+ but not use secure cookies without SSL
+
+-------------------------------------------------------------------
+Fri Jul 27 12:03:03 UTC 2012 - [email protected]
+
+- update keystone_data.sh from upstream devstack (stable/essex branch)
+
+-------------------------------------------------------------------
+Thu Jul 19 11:17:41 UTC 2012 - [email protected]
+
+- change libvirt to run qemu as user qemu
+
+-------------------------------------------------------------------
+Fri Jul 6 13:12:51 UTC 2012 - [email protected]
+
+- fix pg_hba.conf 'horizon' database name
+
+-------------------------------------------------------------------
+Fri Jun 22 08:15:35 UTC 2012 - [email protected]
+
+- allow nova-rootwrap
+
+-------------------------------------------------------------------
+Wed Jun 13 13:12:00 UTC 2012 - [email protected]
+
+- Use SSL-enabled vhost with a self-signed certificate for dashboard
+- Use secure session and csrf cookies in dashboard Django config
+
+-------------------------------------------------------------------
+Tue Jun 12 11:14:53 UTC 2012 - [email protected]
+
+- Use system users prefixed with 'openstack-'
+
+-------------------------------------------------------------------
+Tue Jun 5 13:38:33 UTC 2012 - [email protected]
+
+- allow to force lxc mode
+
+-------------------------------------------------------------------
+Wed Apr 18 20:06:26 UTC 2012 - [email protected]
+
+- fix hardcoded horizon PW
+- also start consoleauth service
+
+-------------------------------------------------------------------
+Mon Apr 2 10:59:55 CEST 2012 - [email protected]
+
+- use postgresql by default for all services
+- add support for postgresql for dashboard
+
+-------------------------------------------------------------------
+Fri Mar 16 14:09:40 UTC 2012 - [email protected]
+
+- check for existence of volumes file (fixes bnc#752035)
+
+-------------------------------------------------------------------
+Mon Feb 27 17:54:07 UTC 2012 - [email protected]
+
+- add postgresql support
+
+-------------------------------------------------------------------
+Tue Feb 7 17:21:54 UTC 2012 - [email protected]
+
+- only initialize db once for glance
+- setup keystone for glance
+
+-------------------------------------------------------------------
+Tue Feb 7 13:12:21 UTC 2012 - [email protected]
+
+- split openstackquickstartrc
+- update for new glance with two init scripts
+
+-------------------------------------------------------------------
+Tue Feb 7 12:40:54 UTC 2012 - [email protected]
+
+- replace pipelines in /etc/nova/api-paste.ini to use keystone
+
+-------------------------------------------------------------------
+Mon Feb 6 12:12:09 UTC 2012 - [email protected]
+
+- upgrade keystone database to latest schema before
+ adding anything to it
+
+-------------------------------------------------------------------
+Mon Feb 6 10:33:13 UTC 2012 - [email protected]
+
+- add connection_type=libvirt
+
+-------------------------------------------------------------------
+Fri Jan 27 12:13:37 UTC 2012 - [email protected]
+
+- drop unsupported --flat_injected=False
+
+-------------------------------------------------------------------
New: ---- keystone_data.sh openstack-quickstart-democleanup openstackquickstartrc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ openstack-quickstart.spec ++++++
--- /var/tmp/diff_new_pack.cz600n/_old 2012-10-23 19:41:32.000000000 +0200
+++ /var/tmp/diff_new_pack.cz600n/_new 2012-10-23 19:41:32.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package openstack-quickstart
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,6 +12,11 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+
Name: openstack-quickstart
Version: 2011.3
Release: 0
@@ -24,24 +29,32 @@
Source1: openstack-quickstart-extranodesetup
Source2: openstack-loopback-lvm
Source3: getkstoken
+Source4: keystone_data.sh
+Source5: openstack-quickstart-democleanup
Source10: bash.openstackrc
+Source11: openstackquickstartrc
Source100: COPYING
+Suggests: patterns-OpenStack-controller patterns-OpenStack-compute-node
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
-Includes scripts and configs to easily generate an openstack demo setup.
+Includes scripts and configs to easily generate an openstack demo
+setup.
%prep
%build
%install
-mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_sbindir} %{buildroot}%{_bindir}
+mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}/usr/lib/devstack
install -p -m 755 %{SOURCE0} %{buildroot}%{_sbindir}
install -p -m 755 %{SOURCE1} %{buildroot}%{_sbindir}
install -p -m 755 %{SOURCE2} %{buildroot}%{_sbindir}
+install -p -m 755 %{SOURCE5} %{buildroot}%{_sbindir}
install -p -m 755 %{SOURCE3} %{buildroot}%{_bindir}
+install -p -m 755 %{SOURCE4} %{buildroot}/usr/lib/devstack
install -p -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}
+install -p -m 600 %{SOURCE11} %{buildroot}%{_sysconfdir}
cp -a %{SOURCE100} .
%files
@@ -49,7 +62,9 @@
%config %{_sbindir}/openstack-quickstart-*
%{_sbindir}/openstack-loopback-lvm
%{_bindir}/getkstoken
+/usr/lib/devstack
%config %{_sysconfdir}/bash.openstackrc
+%config %{_sysconfdir}/openstackquickstartrc
%doc COPYING
%changelog
++++++ bash.openstackrc ++++++
--- /var/tmp/diff_new_pack.cz600n/_old 2012-10-23 19:41:33.000000000 +0200
+++ /var/tmp/diff_new_pack.cz600n/_new 2012-10-23 19:41:33.000000000 +0200
@@ -18,8 +18,15 @@
fi
export EC2_ACCESS_KEY=$NOVA_PROJECT_ID
export EC2_SECRET_KEY=$NOVA_API_KEY
- # for glance
- export TOKEN=`getkstoken`
+ # for glance/keystone
+ export OS_AUTH_USER=$NOVA_USERNAME
+ export OS_USERNAME=$NOVA_USERNAME
+ export OS_TENANT_NAME=$NOVA_PROJECT_ID
+ export OS_AUTH_KEY=$NOVA_API_KEY
+ export OS_PASSWORD=$NOVA_API_KEY
+ export OS_AUTH_TENANT=$NOVA_PROJECT_ID
+ export OS_AUTH_URL=$NOVA_URL
+ export OS_AUTH_STRATEGY=keystone
}
export NOVA_URL=http://127.0.0.1:5000/v2.0/
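Review bot: `+%config %{_sysconfdir}/openstackquickstartrc` in the %files hunk declares a file that carries the demo passwords and SERVICE_TOKEN as a plain `%config`, so a package update replaces a locally edited copy with the packaged defaults, and nothing in %files pins the 0600 mode that the %install hunk's `install -p -m 600 %{SOURCE11}` sets at build time. `%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/openstackquickstartrc` keeps the administrator's values across updates and makes the permission part of the package contract rather than an accident of the build.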
@@ -31,9 +38,8 @@
# for euca2ools
export EC2_URL=http://127.0.0.1:8773/services/Cloud
+# for keystone administration
+export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
+# don't put secrets in world readable files - this line is just for reference
+#export SERVICE_TOKEN=999888777666
-#export OS_AUTH_USER=$NOVA_USERNAME
-#export OS_AUTH_KEY=$NOVA_API_KEY
-#export OS_AUTH_TENANT=$NOVA_PROJECT_ID
-#export OS_AUTH_URL=$NOVA_URL
-#export OS_AUTH_STRATEGY=keystone
++++++ keystone_data.sh ++++++
#!/bin/bash # # Initial data for Keystone using python-keystoneclient # # Tenant User Roles # ------------------------------------------------------------------ # admin admin admin # service glance admin # service nova admin, [ResellerAdmin (swift only)] # service quantum admin # if enabled # service swift admin # if enabled # demo admin admin # demo demo Member, anotherrole # invisible_to_admin demo Member # # Variables set before calling this script: # SERVICE_TOKEN - aka admin_token in keystone.conf # SERVICE_ENDPOINT - local Keystone admin endpoint # SERVICE_TENANT_NAME - name of tenant containing service accounts # ENABLED_SERVICES - stack.sh's list of services to start # DEVSTACK_DIR - Top-level DevStack directory ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete} SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD} export SERVICE_TOKEN=$SERVICE_TOKEN export SERVICE_ENDPOINT=$SERVICE_ENDPOINT SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} function get_id () { echo `$@ | awk '/ id / { print $4 }'` } # Tenants ADMIN_TENANT=$(get_id keystone tenant-create --name=admin) SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME) DEMO_TENANT=$(get_id keystone tenant-create --name=demo) INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin) # Users ADMIN_USER=$(get_id keystone user-create --name=admin \ --pass="$ADMIN_PASSWORD" \ [email protected]) DEMO_USER=$(get_id keystone user-create --name=demo \ --pass="$ADMIN_PASSWORD" \ [email protected]) # 
Roles ADMIN_ROLE=$(get_id keystone role-create --name=admin) KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin) KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin) # ANOTHER_ROLE demonstrates that an arbitrary role may be created and used # TODO(sleepsonthefloor): show how this can be used for rbac in the future! ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole) # Add Roles to Users in Tenants keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $ADMIN_TENANT keystone user-role-add --user_id $ADMIN_USER --role_id $ADMIN_ROLE --tenant_id $DEMO_TENANT keystone user-role-add --user_id $DEMO_USER --role_id $ANOTHER_ROLE --tenant_id $DEMO_TENANT # TODO(termie): these two might be dubious keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT keystone user-role-add --user_id $ADMIN_USER --role_id $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT # The Member role is used by Horizon and Swift so we need to keep it: MEMBER_ROLE=$(get_id keystone role-create --name=Member) keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $DEMO_TENANT keystone user-role-add --user_id $DEMO_USER --role_id $MEMBER_ROLE --tenant_id $INVIS_TENANT # Configure service users/roles NOVA_USER=$(get_id keystone user-create --name=nova \ --pass="$SERVICE_PASSWORD" \ --tenant_id $SERVICE_TENANT \ [email protected]) keystone user-role-add --tenant_id $SERVICE_TENANT \ --user_id $NOVA_USER \ --role_id $ADMIN_ROLE GLANCE_USER=$(get_id keystone user-create --name=glance \ --pass="$SERVICE_PASSWORD" \ --tenant_id $SERVICE_TENANT \ [email protected]) keystone user-role-add --tenant_id $SERVICE_TENANT \ --user_id $GLANCE_USER \ --role_id $ADMIN_ROLE if [[ "$ENABLED_SERVICES" =~ "swift" ]]; then SWIFT_USER=$(get_id keystone user-create --name=swift \ --pass="$SERVICE_PASSWORD" \ --tenant_id $SERVICE_TENANT \ [email protected]) keystone user-role-add 
--tenant_id $SERVICE_TENANT \ --user_id $SWIFT_USER \ --role_id $ADMIN_ROLE # Nova needs ResellerAdmin role to download images when accessing # swift through the s3 api. The admin role in swift allows a user # to act as an admin for their tenant, but ResellerAdmin is needed # for a user to act as any tenant. The name of this role is also # configurable in swift-proxy.conf RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin) keystone user-role-add --tenant_id $SERVICE_TENANT \ --user_id $NOVA_USER \ --role_id $RESELLER_ROLE fi if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then QUANTUM_USER=$(get_id keystone user-create --name=quantum \ --pass="$SERVICE_PASSWORD" \ --tenant_id $SERVICE_TENANT \ [email protected]) keystone user-role-add --tenant_id $SERVICE_TENANT \ --user_id $QUANTUM_USER \ --role_id $ADMIN_ROLE fi
++++++ openstack-loopback-lvm ++++++
--- /var/tmp/diff_new_pack.cz600n/_old 2012-10-23 19:41:33.000000000 +0200
+++ /var/tmp/diff_new_pack.cz600n/_new 2012-10-23 19:41:33.000000000 +0200
@@ -16,15 +16,17 @@
#losetup -d $loop
-# calc wanted size
-size=$(df -P -k /var/lib/nova/|tail -1| perl -ne 'm/^\S+\s*\d+\s+\d+\s+(\d+)/; print int($1*0.3)')
+if ! test -e $f ; then
+ # calc wanted size
+ size=$(df -P -k /var/lib/nova/|tail -1| perl -ne 'm/^\S+\s*\d+\s+\d+\s+(\d+)/; print int($1*0.3)')
-if [ $size -le 2000000 ] ; then
- echo "error detecting free space or FS too small: $size KB"
- exit 12
-fi
+ if [ $size -le 2000000 ] ; then
+ echo "error detecting free space or FS too small: $size KB"
+ exit 12
+ fi
-truncate --size=${size}K $f
+ truncate --size=${size}K $f
+fi
losetup $loop $f
pvcreate $loop
vgcreate nova-volumes $loop
++++++ openstack-quickstart-democleanup ++++++
#!/bin/bash # Warning: this script deletes most of the files # and stops most services of a cloud from openstack-quickstart-demosetup # try normal cleanup first to stop VMs nova list| perl -ne 'if(/^\| (\S+) /){print "$1\n"}' |xargs -l nova delete nova image-list| perl -ne 'if(/^\| (\S+) /){print "$1\n"}' | xargs -l nova image-delete for i in /etc/init.d/{openstack-*,rabbitmq-server,memcached,libvirtd} ; do $i stop done killall dnsmasq killall postmaster /etc/init.d/postgresql restart cd / for n in nova keystone glance horizon ; do sudo -u postgres dropdb $n sudo -u postgres dropuser $n echo "drop database $n;" | mysql done for m in /var/lib/nova/instances/*/rootfs ; do umount $m # for LXC done killall qemu-nbd 2>/dev/null # for LXC rm -f /var/lib/keystone/keystone.sqlite /var/lib/openstack-dashboard/openstack_dashboard/local/dashboard_openstack.sqlite3 /var/lib/glance/glance.sqlite rm -rf /var/lib/nova/instances/* rm -f /var/lib/glance/images/* rm -f /var/log/keystone/* /var/log/nova/* /var/log/glance/* rm -f /var/lib/nova/*/* /etc/init.d/postgresql stop
++++++ openstack-quickstart-demosetup ++++++
--- /var/tmp/diff_new_pack.cz600n/_old 2012-10-23 19:41:33.000000000 +0200
+++ /var/tmp/diff_new_pack.cz600n/_new 2012-10-23 19:41:33.000000000 +0200
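Review bot: `+if ! test -e $f ; then` and the unchanged `truncate --size=${size}K $f` / `losetup $loop $f` lines expand `$f` and `$loop` unquoted, so a backing-file path containing whitespace is split into several arguments; `if ! [ -e "$f" ]; then` and quoting the other uses is the fix. The new guard also means an existing backing file is reused without the free-space check, which is presumably intended (the changelog entry for bnc#752035 describes it), so a one-line comment such as `# reuse an existing backing file as-is; only size-check a freshly created one` above the `if` would record that. The script body continues outside the hunk.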
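Review bot: openstack-quickstart-democleanup runs `rm -rf /var/lib/nova/instances/*`, `rm -f /var/lib/nova/*/*` and drops the nova/keystone/glance/horizon databases with no confirmation, no `set -e`, and no check that the host was set up by openstack-quickstart-demosetup, so the only protection against an accidental invocation is the header comment. A guard at the top, `[ "$1" = "--yes" ] || { echo "this destroys the demo cloud; re-run with --yes" >&2; exit 1; }`, costs one line and keeps the rest of the script unchanged. `for m in /var/lib/nova/instances/*/rootfs ; do umount $m` also passes the literal glob to umount when nothing matches; `[ -d "$m" ] || continue` as the first statement of the loop (or `shopt -s nullglob`) avoids the spurious error.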
@@ -1,22 +1,41 @@
#!/bin/bash -x
-pw=openstack
-mpw=m$pw
-IP=127.0.0.1
-testnet=10.10.134.16/29
-/etc/init.d/mysql start
+. /etc/openstackquickstartrc
+ADMIN_PASSWORD=$pw
+SERVICE_HOST=$IP
+
+KEYSTONE_SYSTEM_USER=openstack-keystone
+KEYSTONE_SYSTEM_GROUP=openstack-keystone
+GLANCE_SYSTEM_USER=openstack-glance
+GLANCE_SYSTEM_GROUP=openstack-glance
+HORIZON_SYSTEM_USER=openstack-horizon
echo "Setting up OpenStack demo controller..."
+if [ "$DB" = "postgresql" ] ; then
+ zypper -n in postgresql-server python-psycopg2
+ /etc/init.d/postgresql restart
+else
+ # start mysql
+ /etc/init.d/mysql start
+fi
+
+
+grep -q -e vmx -e svm /proc/cpuinfo || MODE=lxc # use lxc or qemu, if kvm is unavailable
-if rpm -q openstack-nova-compute >/dev/null && ! grep -q -e vmx -e svm /proc/cpuinfo ; then
+if rpm -q openstack-nova-compute >/dev/null ; then
+ if [ "$MODE" = lxc ] ; then
sed -i -e 's/\(--libvirt_type\).*/\1=lxc/' /etc/nova/nova.conf
zypper -n install lxc
- modprobe nbd
- sed -i -e 's/\(MODULES_LOADED_ON_BOOT="\)/\1nbd\ /' /etc/sysconfig/kernel
echo mount -t cgroup none /cgroup >> /etc/init.d/boot.local
mkdir /cgroup
mount -t cgroup none /cgroup
+ else
+ modprobe kvm-intel ; modprobe kvm-amd
+ sed -i -e 's/\(MODULES_LOADED_ON_BOOT="\)/\1kvm-intel kvm-amd\ /' /etc/sysconfig/kernel
+ fi
+ modprobe nbd
+ sed -i -e 's/\(MODULES_LOADED_ON_BOOT="\)/\1nbd\ /' /etc/sysconfig/kernel
fi
# activate ip-forwarding
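Review bot: the script keeps `#!/bin/bash -x`, and the new `. /etc/openstackquickstartrc` line now loads `pw`, `mpw` and `SERVICE_TOKEN` from a file the spec installs with mode 600, so the trace prints those secrets to stderr on every command that expands them (the `CREATE ROLE ... PASSWORD '$mpw'` and `admin_token = $SERVICE_TOKEN` lines in later hunks, for example) and they land in whatever log the output is captured to. Either drop `-x` from the shebang or bracket the credential-handling sections with `set +x` / `set -x`. The sourced file is also not checked for: `[ -r /etc/openstackquickstartrc ] || { echo "missing /etc/openstackquickstartrc" >&2; exit 1; }` before the `.` line gives a clear failure instead of carrying on with empty `$pw`, `$IP` and `$DB`.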
@@ -52,44 +71,146 @@
# configure dashboard/apache
cat >/etc/apache2/conf.d/openstack-dashboard.conf <<EOF
-WSGIScriptAlias / /var/lib/openstack-dashboard/dashboard/wsgi/django.wsgi
-Alias /static/dashboard /var/lib/openstack-dashboard/dashboard/static/dashboard
+<IfDefine SSL>
+ RewriteEngine On
+ RewriteCond %{SERVER_PORT} !^443$
+ RewriteRule / https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
+
+ <VirtualHost *:443>
+ ServerName www.example.com
+ ServerAdmin [email protected]
+
+ SSLEngine On
+ SSLCertificateFile /etc/apache2/ssl.crt/openstack-dashboard-server.crt
+ SSLCertificateKeyFile /etc/apache2/ssl.key/openstack-dashboard-server.key
+
+ DocumentRoot /var/lib/openstack-dashboard/
+
+ Alias /static/horizon /var/lib/openstack-dashboard/horizon/static/horizon
+ <Directory /var/lib/openstack-dashboard/horizon/static/>
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+ Alias /static /var/lib/openstack-dashboard/openstack_dashboard/static
+ <Directory /var/lib/openstack-dashboard/openstack_dashboard/static/>
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+ WSGIScriptAlias / /var/lib/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
+ <Directory /var/lib/openstack-dashboard/openstack_dashboard/wsgi/>
+ Order allow,deny
+ Allow from all
+ </Directory>
+ </VirtualHost>
+</IfDefine>
+EOF
+a2enmod rewrite
+a2enmod ssl
+a2enmod wsgi
+a2enflag SSL
-<Directory /var/lib/openstack-dashboard/dashboard/wsgi/>
-Order allow,deny
-Allow from all
-</Directory>
+DASHBOARD_LOCAL_SET=/var/lib/openstack-dashboard/openstack_dashboard/local/local_settings.py
+if grep -q "^\s*CACHE_BACKEND" $DASHBOARD_LOCAL_SET
+then
+ sed -i "s|^\s*CACHE_BACKEND.*$|CACHE_BACKEND = 'memcached://127.0.0.1:11211/'|" $DASHBOARD_LOCAL_SET
+else
+ echo "CACHE_BACKEND = 'memcached://127.0.0.1:11211/'" >> $DASHBOARD_LOCAL_SET
+fi
+if [ "$DB" = "postgresql" ]
+then
+cat >> $DASHBOARD_LOCAL_SET <<EODASHDB
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.postgresql_psycopg2',
+ 'NAME': 'horizon',
+ 'USER': 'horizon',
+ 'PASSWORD': '$mpw',
+ }
+}
+EODASHDB
+fi
-<Directory /var/lib/openstack-dashboard/dashboard/static/dashboard>
-Order allow,deny
-Allow from all
-</Directory>
-EOF
-a2enmod wsgi
-cd /var/lib/openstack-dashboard && python -m 'dashboard.manage' syncdb
-chown -R wwwrun. /var/lib/openstack-dashboard/local/
+sed -i -e "s/^USE_SSL =.*/USE_SSL = True/" $DASHBOARD_LOCAL_SET
+# Use 'secure' session and CSRF cookies (bnc#753582):
+cat >> $DASHBOARD_LOCAL_SET <<EOSEC
+# Use 'secure' cookies when we use SSL, see https://docs.djangoproject.com/en/1.4/topics/security/:
+SESSION_COOKIE_SECURE = CSRF_COOKIE_SECURE = USE_SSL
+EOSEC
+# replace default IP in all configuration files
+sed -i -e "s;127.0.0.1;$IP;" /etc/nova/api-paste.ini /etc/glance/glance-api.conf /etc/glance/glance-registry.conf
# configure nova
-sed -i -e "s;127.0.0.1;$IP;" /etc/nova/api-paste.ini /etc/glance/glance-api.conf /etc/glance/glance-registry.conf
-perl -i.bak -pe "s/root:<mysql-password>/nova:$mpw/; s/<IP>/$IP/g; s/(--network_manager).*/\$1=nova.network.manager.FlatDHCPManager/;" /etc/nova/nova.conf
-echo "--vncproxy_url=http://$IP:6080" >> /etc/nova/nova.conf
+perl -i.bak -pe "s,--sql_connection=\w+://\w+:[^\@:]*,--sql_connection=$DB://nova:$mpw,; s/<IP>/$IP/g; s/(--network_manager).*/\$1=nova.network.manager.FlatDHCPManager/;" /etc/nova/nova.conf
echo '--flat_network_bridge=br0' >> /etc/nova/nova.conf
echo '--allow_admin_api' >> /etc/nova/nova.conf
-echo '--flat_injected=False' >> /etc/nova/nova.conf
+echo '--connection_type=libvirt' >> /etc/nova/nova.conf
echo '--image_service=nova.image.glance.GlanceImageService' >> /etc/nova/nova.conf
echo "--glance_api_servers=$IP:9292" >> /etc/nova/nova.conf
-echo "--osapi_extensions_path=`ls -d /usr/lib*/python*/site-packages/extensions | head -n 1`" >> /etc/nova/nova.conf
+echo "--auth_strategy=keystone" >> /etc/nova/nova.conf
+echo "--novncproxy_base_url=http://$IP:6080/vnc_auto.html" >> /etc/nova/nova.conf
+extensions_path=`ls -d /usr/lib*/python*/site-packages/extensions | head -n 1`
+if [ -n "$extensions_path" ]; then
+ echo "--osapi_extensions_path=" >> /etc/nova/nova.conf
+fi
+
+grep -q nova-rootwrap /etc/sudoers || echo "openstack-nova ALL=(ALL) NOPASSWD:/usr/bin/nova-rootwrap" >> /etc/sudoers
+
+perl -i -pe "s/%SERVICE_TOKEN%/$SERVICE_TOKEN/;" /etc/nova/api-paste.ini # obsolete 2012-03-19?
+for m in nova glance ; do
+ sed -i -e 's/%SERVICE_TENANT_NAME%/service/' -e "s/%SERVICE_USER%/$m/" -e "s/%SERVICE_PASSWORD%/$SERVICE_TOKEN\nadmin_token = $SERVICE_TOKEN/" /etc/$m/*.ini
+done
+
+# replace pipelines to use keystone
+function replace_pipeline() {
+ sed "/\[pipeline:$1\]/,/\[/s/^pipeline = .*/pipeline = $2/" -i /etc/nova/api-paste.ini
+}
+replace_pipeline "ec2cloud" "ec2faultwrap logrequest totoken authtoken keystonecontext cloudrequest authorizer validator ec2executor"
+replace_pipeline "ec2admin" "ec2faultwrap logrequest totoken authtoken keystonecontext adminrequest authorizer ec2executor"
+replace_pipeline "openstack_compute_api_v2" "faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2"
+replace_pipeline "openstack_volume_api_v1" "faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1"
+
+if [ "$DB" = "postgresql" ] ; then
+ DATADIR=/var/lib/pgsql/data
+ if ! grep -q ::/0 /var/lib/pgsql/data/pg_hba.conf ; then
+ sed -i "s/^\(host .*\) ident\(.*\)/\1 md5 \2/" "$DATADIR/pg_hba.conf"
+ sed -i "s/^\(local \)/local horizon all md5 sameuser\n\1/" "$DATADIR/pg_hba.conf"
+ # allow remote connections:
+ echo "listen_addresses = '*'" >> $DATADIR/postgresql.conf
+ echo "host all all 0.0.0.0/0 md5 sameuser" >> $DATADIR/pg_hba.conf
+ echo "host all all ::/0 md5 sameuser" >> $DATADIR/pg_hba.conf
+ if rpm -q postgresql|grep -q postgresql-9 ; then
+ sed -i 's/\s*sameuser$//' $DATADIR/pg_hba.conf # adapt config syntax to postgresql-9
+ fi
+ fi
+ sudo -u postgres dropdb -O keystone # needed for keystone_data.sh
+ for DBNAME in nova keystone glance horizon ; do
+ sudo -u postgres psql -c "CREATE ROLE $DBNAME PASSWORD '$mpw' LOGIN;"
+ sudo -u postgres createdb -O $DBNAME $DBNAME
+ done
+ sudo -u postgres createuser -s root
+ /etc/init.d/postgresql restart
+ insserv postgresql
+else
+ echo | mysql -u root || pwquery=-p
+ for DBNAME in nova keystone glance horizon ; do
+ echo "
+ set global character_set_server=latin1;
+ set session character_set_server=latin1;
+ CREATE DATABASE IF NOT EXISTS $DBNAME;
+ GRANT ALL PRIVILEGES ON $DBNAME.* TO '$DBNAME'@localhost IDENTIFIED BY '$mpw';
+ GRANT ALL PRIVILEGES ON $DBNAME.* TO '$DBNAME'@'%' IDENTIFIED BY '$mpw';
+ " | mysql -u root $pwquery
+ done
+fi
+
+
+# sync dashboard DB "after" the database is created
+cd /var/lib/openstack-dashboard && su -s /bin/bash -c "umask 0027; python -m 'manage' syncdb" wwwrun
-echo | mysql -u root || pwquery=-p
-echo "
-set global character_set_server=latin1;
-set session character_set_server=latin1;
-CREATE DATABASE IF NOT EXISTS nova;
-GRANT ALL PRIVILEGES ON nova.* TO 'nova'@localhost IDENTIFIED BY '$mpw';
-GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' IDENTIFIED BY '$mpw';
-" | mysql -u root $pwquery
nova-manage db sync # optional - makes life better with little RAM
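Review bot: `echo "--osapi_extensions_path=" >> /etc/nova/nova.conf` inside the new `if [ -n "$extensions_path" ]` block never expands the value it just computed, so nova.conf gets an empty flag exactly when the extensions directory exists; it should read `echo "--osapi_extensions_path=$extensions_path" >> /etc/nova/nova.conf`. `sudo -u postgres dropdb -O keystone` also looks wrong: `-O` is a createdb option, not a dropdb one, and because the script runs without `set -e` the error is only traced, so the `# needed for keystone_data.sh` intent is presumably not met — `sudo -u postgres dropdb keystone` is what the following `createdb -O $DBNAME $DBNAME` loop expects. The `>> /etc/sudoers` append bypasses `visudo`'s syntax check and a malformed line locks every sudo user out; writing the rule to `/etc/sudoers.d/openstack-nova` with mode 0440 and validating it with `visudo -cf` is the safer form. On exposure, `listen_addresses = '*'` with the `host all all 0.0.0.0/0 md5` / `::/0` pg_hba rules, and the `'$DBNAME'@'%'` MySQL grants, open every database (password `$mpw`, derived from `pw` in the rc file) on all interfaces while a later hunk stops SuSEfirewall2, so limiting those entries to `$testnet` or the compute nodes' subnet is worth a follow-up.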
@@ -102,45 +223,79 @@
#nova-manage network create 10.10.134.32/27 1 32
nova-manage network create --fixed_range_v4=$testnet --label=testnet
+
+# setup glance
+
+for f in api registry ; do
+ grep paste_deploy /etc/glance/glance-$f.conf || echo -e "[paste_deploy]\nflavor = keystone" >> /etc/glance/glance-$f.conf
+done
+sed -i "s%sql_connection =.*%sql_connection = $DB://glance:$mpw@$IP/glance%" /etc/glance/glance-registry.conf # db_sync is broken for postgresql
+#sed -i 's%sql_connection =.*%sql_connection = sqlite:////var/lib/glance/glance.sqlite%' /etc/glance/glance-registry.conf
+glance-manage db_sync
+chown -R $GLANCE_SYSTEM_USER:$GLANCE_SYSTEM_GROUP /var/lib/glance /var/log/glance
+
# keystone demo setup, based on devstack.sh
-# Tenants
-keystone-manage tenant add admin
-keystone-manage tenant add demo
-
-# Users
-keystone-manage user add admin $pw
-keystone-manage user add demo $pw
-
-# Roles
-keystone-manage role add Admin
-keystone-manage role add Member
-keystone-manage role add KeystoneAdmin
-keystone-manage role add KeystoneServiceAdmin
-keystone-manage role grant Admin admin admin
-keystone-manage role grant Member demo demo
-keystone-manage role grant Admin admin demo
-keystone-manage role grant Admin admin
-keystone-manage role grant KeystoneAdmin admin
-keystone-manage role grant KeystoneServiceAdmin admin
-
-# Services
-keystone-manage service add nova compute "Nova Compute Service"
-keystone-manage service add glance image "Glance Image Service"
-keystone-manage service add keystone identity "Keystone Identity Service"
-
-#endpointTemplates
-keystone-manage endpointTemplates add RegionOne nova http://$IP:8774/v1.1/%tenant_id% http://$IP:8774/v1.1/%tenant_id% http://$IP:8774/v1.1/%tenant_id% 1 1
-keystone-manage endpointTemplates add RegionOne glance http://$IP:9292/v1.1/%tenant_id% http://$IP:9292/v1.1/%tenant_id% http://$IP:9292/v1.1/%tenant_id% 1 1
-keystone-manage endpointTemplates add RegionOne keystone http://$IP:5000/v2.0 http://$IP:35357/v2.0 http://$IP:5000/v2.0 1 1
-
-# Tokens
-keystone-manage token add 999888777666 admin admin 2023-02-23T00:42
-
-# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
-# but keystone doesn't parse them - it is just a blob from keystone's
-# point of view
-keystone-manage credentials add admin EC2 'admin' $pw admin || echo "no support for adding credentials"
-keystone-manage credentials add demo EC2 'demo' $pw demo || echo "no support for adding credentials"
+
+sed -i -e 's/kvs/sql/' -e "s,^connection =.*,connection = $DB://keystone:$mpw@$IP/keystone," /etc/keystone/keystone.conf
+#sed -i -e 's/kvs/sql/' -e 's,^connection =.*,connection =sqlite:////var/lib/keystone/keystone.sqlite,' /etc/keystone/keystone.conf
+rm -f /var/lib/keystone/keystone.sqlite # cleanup DB as devstack's script fails otherwise
+sed -i -e "s/^admin_token .*/admin_token = $SERVICE_TOKEN/" /etc/keystone/keystone.conf
+
+KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates
+sed -e "s,%SERVICE_HOST%,$SERVICE_HOST,g" -e "s/%S3_SERVICE_PORT%/8080/" $KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG
+# Upgrade the database to the latest schema
+su - $KEYSTONE_SYSTEM_USER -s /bin/bash -c "keystone-manage --config-file=/etc/keystone/keystone.conf db_sync"
+#
+## Tenants
+#keystone-manage tenant add admin
+#keystone-manage tenant add demo
+#
+## Users
+#keystone-manage user add admin $pw
+#keystone-manage user add demo $pw
+#
+## Roles
+#keystone-manage role add Admin
+#keystone-manage role add Member
+#keystone-manage role add KeystoneAdmin
+#keystone-manage role add KeystoneServiceAdmin
+#keystone-manage role grant Admin admin admin
+#keystone-manage role grant Member demo demo
+#keystone-manage role grant Admin admin demo
+#keystone-manage role grant Admin admin
+#keystone-manage role grant KeystoneAdmin admin
+#keystone-manage role grant KeystoneServiceAdmin admin
+#
+## Services
+#keystone-manage service add nova compute "Nova Compute Service"
+#keystone-manage service add glance image "Glance Image Service"
+#keystone-manage service add keystone identity "Keystone Identity Service"
+#
+##endpointTemplates
+#keystone-manage endpointTemplates add RegionOne nova http://$IP:8774/v1.1/%tenant_id% http://$IP:8774/v1.1/%tenant_id% http://$IP:8774/v1.1/%tenant_id% 1 1
+#keystone-manage endpointTemplates add RegionOne glance http://$IP:9292/v1.1/%tenant_id% http://$IP:9292/v1.1/%tenant_id% http://$IP:9292/v1.1/%tenant_id% 1 1
+#keystone-manage endpointTemplates add RegionOne keystone http://$IP:5000/v2.0 http://$IP:35357/v2.0 http://$IP:5000/v2.0 1 1
+#
+## Tokens
+#keystone-manage token add $SERVICE_TOKEN admin admin 2023-02-23T00:42
+#
+## EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD
+## but keystone doesn't parse them - it is just a blob from keystone's
+## point of view
+#keystone-manage credentials add admin EC2 'admin' $pw admin || echo "no support for adding credentials"
+#keystone-manage credentials add demo EC2 'demo' $pw demo || echo "no support for adding credentials"
+
+
+# 2012-02-28 keystone light setup
+/etc/init.d/openstack-keystone restart
+ENABLED_SERVICES=${ENABLED_SERVICES:-g-api,g-reg,key,n-api,n-cpu,n-net,n-vol,n-sch,n-novnc,n-xvnc,horizon,mysql,rabbit}
+KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
+KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
+KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
+SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=service SERVICE_PASSWORD=$SERVICE_TOKEN SERVICE_TOKEN=$SERVICE_TOKEN SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=/root ENABLED_SERVICES=$ENABLED_SERVICES bash /usr/lib/devstack/keystone_data.sh
+
+chown $KEYSTONE_SYSTEM_USER:$KEYSTONE_SYSTEM_GROUP -R /var/lib/keystone/
rm -f /usr/lib/python*/site-packages/nova-iptables.lock.lock # workaround bug
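Review bot: `SERVICE_PASSWORD=$SERVICE_TOKEN` in the environment handed to `bash /usr/lib/devstack/keystone_data.sh` gives the nova and glance service users the keystone admin token as their password, and the previous hunk writes the same value into `/etc/nova/*.ini` and `/etc/glance/*.ini` as both `%SERVICE_PASSWORD%` and `admin_token`, so reading any of those ini files yields the bootstrap token that bypasses Keystone authentication altogether. A separate value — a `SERVICE_PASSWORD` set in openstackquickstartrc and used in both places — confines the admin token to keystone.conf and the rc file. `sed -i -e "s/^admin_token .*/admin_token = $SERVICE_TOKEN/"` also breaks if the token ever contains a `/`; since the value comes from an administrator-edited file, either a delimiter that cannot occur in it or a comment in the rc file stating that the token must be alphanumeric avoids a half-rewritten keystone.conf.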
@@ -148,21 +303,28 @@
SuSEfirewall2 stop # interferes with openstack's network/firewall
insserv -r SuSEfirewall2_setup
insserv -r SuSEfirewall2_init
-/etc/init.d/boot.apparmor stop # interferes with openstack-nova-network
-insserv -r boot.apparmor
-
+if which aa-complain >&/dev/null; then
+ aa-complain /etc/apparmor.d/usr.sbin.libvirtd
+fi
+if [ -e /etc/init.d/boot.apparmor ]; then
+ /etc/init.d/boot.apparmor stop # interferes with openstack-nova-network
+ insserv -r boot.apparmor
+fi
# configure NTP, because we need synchronized time between nodes
grep -q ntp.org /etc/ntp.conf || echo server pool.ntp.org >> /etc/ntp.conf
+# change libvirt to run qemu as user qemu
+sed -i -e 's;.*user.*=.*;user = "qemu";' /etc/libvirt/qemu.conf
+
# start services
-for s in ntp libvirtd mysql rabbitmq-server iscsitarget open-iscsi tgtd memcached apache2 openstack-nova-api openstack-nova-scheduler openstack-nova-network openstack-nova-compute openstack-nova-vncproxy openstack-glance openstack-keystone
+for s in ntp libvirtd mysql rabbitmq-server iscsitarget open-iscsi tgtd memcached apache2 openstack-nova-api openstack-nova-scheduler openstack-nova-network openstack-nova-compute openstack-nova-vncproxy openstack-glance-api openstack-glance-registry openstack-keystone openstack-nova-consoleauth openstack-novncproxy
do
- i=/etc/init.d/$s
- if [ -x $i ] ; then
- insserv $s
- $i restart
- fi
+ i=/etc/init.d/$s
+ if [ -x $i ] ; then
+ insserv $s
+ $i restart
+ fi
done
/usr/sbin/openstack-loopback-lvm
++++++ openstack-quickstart-extranodesetup ++++++
--- /var/tmp/diff_new_pack.cz600n/_old 2012-10-23 19:41:33.000000000 +0200
+++ /var/tmp/diff_new_pack.cz600n/_new 2012-10-23 19:41:33.000000000 +0200
@@ -1,10 +1,7 @@
#!/bin/bash -x
# assumes the openstack-compute-node pattern installed
-pw=openstack
-mpw=m$pw
-# cloud controller's IP-address:
-IP=10.10.135.7
+. /etc/openstackquickstartrc
echo "Setting up OpenStack demo extra node..."
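Review bot: `sed -i -e 's;.*user.*=.*;user = "qemu";' /etc/libvirt/qemu.conf` rewrites every line of qemu.conf that contains both `user` and `=` anywhere on it, comment lines included, so the file can end up with several `user = "qemu"` lines and lose whatever comment text matched; anchoring the pattern, `sed -i -e 's;^#\?user\s*=.*;user = "qemu";' /etc/libvirt/qemu.conf`, changes only the setting and its commented-out default. The identical line is added to openstack-quickstart-extranodesetup in the last hunk of this diff and wants the same change. `aa-complain /etc/apparmor.d/usr.sbin.libvirtd` relaxes libvirtd's confinement on every run, presumably for the reason the boot.apparmor comment below it gives; a comment such as `# demo only: libvirtd profile switched to complain mode, same reason as boot.apparmor below` would make it clear that this is deliberate and not something to keep on a longer-lived host.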
@@ -49,13 +46,19 @@
/etc/init.d/network start
fi
+ownip=`ip addr show dev br0 | perl -ne 'm/inet (\d+\.\d+\.\d+\.\d+)/ && print $1'`
# configure nova
sed -i -e "s;127.0.0.1;$IP;" /etc/nova/api-paste.ini /etc/glance/glance-api.conf /etc/glance/glance-registry.conf /etc/bash.openstackrc
perl -i.bak -pe "s/root:<mysql-password>/nova:$mpw/; s/<IP>/$IP/g; s/(--network_manager).*/\$1=nova.network.manager.FlatDHCPManager/;" /etc/nova/nova.conf
-echo "--vncproxy_url=http://$IP:6080" >> /etc/nova/nova.conf
+if [ "$DB" = "postgresql" ] ; then
+ perl -i -pe 's/--sql_connection=\w+/--sql_connection=postgresql/' /etc/nova/nova.conf
+fi
echo '--flat_network_bridge=br0' >> /etc/nova/nova.conf
echo "--image_service=nova.image.glance.GlanceImageService" >> /etc/nova/nova.conf
echo "--glance_api_servers=$IP:9292" >> /etc/nova/nova.conf
+echo "--novncproxy_base_url=http://$IP:6080/vnc_auto.html" >> /etc/nova/nova.conf
+echo "--vncserver_listen=$ownip" >> /etc/nova/nova.conf
+echo "--vncserver_proxyclient_address=$ownip" >> /etc/nova/nova.conf
SuSEfirewall2 stop # interferes with openstack's network/firewall
insserv -r SuSEfirewall2_setup
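Review bot: `--vncserver_listen=$ownip` makes every instance's VNC console listen on the node's br0 address instead of loopback, which the novnc proxy needs, but the raw VNC ports then accept connections from anyone who can reach that address, and the unchanged `SuSEfirewall2 stop` just below removes the host firewall; allowing those ports only from the controller (`$IP`) keeps console access going through the proxy and its consoleauth tokens. `ownip` is also used without a check, so when br0 has no IPv4 address the two `echo` lines store empty flags; `[ -n "$ownip" ] || { echo "no IPv4 address on br0" >&2; exit 1; }` right after the assignment fails loudly instead.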
@@ -67,8 +70,11 @@
# configure NTP, because we need synchronized time between nodes
grep -q ntp.org /etc/ntp.conf || echo server pool.ntp.org >> /etc/ntp.conf
+# change libvirt to run qemu as user qemu
+sed -i -e 's;.*user.*=.*;user = "qemu";' /etc/libvirt/qemu.conf
+
# start services
-for s in ntp libvirtd iscsitarget open-iscsi tgtd openstack-nova-compute
+for s in ntp libvirtd iscsitarget open-iscsi tgtd openstack-nova-compute openstack-nova-consoleauth
do
i=/etc/init.d/$s
if [ -x $i ] ; then
++++++ openstackquickstartrc ++++++
# this file is used as configuration # for openstack-quickstart-demosetup # and openstack-quickstart-extranodesetup scripts # password for demo accounts pw=openstack # mysql password mpw=m$pw # cloud controller IP-Addr - must adapt to routable Address for multi-node-setup IP=127.0.0.1 # this defines which addresses are assigned to VMs - should be part of your regular subnet, unless you arrange for routing testnet=10.10.134.16/29 # this defines which database to use #DB=mysql DB=postgresql SERVICE_TOKEN=999888777666
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
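Review bot: openstackquickstartrc ships `SERVICE_TOKEN=999888777666` and `pw=openstack` as its defaults, and the token is the same value the old demosetup hard-coded in `keystone-manage token add 999888777666`, so every host set up from this package shares one fixed, packaged keystone admin token while the setup script opens the databases on all interfaces and stops SuSEfirewall2. Since the file is installed mode 600 and sourced before use, demosetup could generate a token on first run when the variable is empty, e.g. `SERVICE_TOKEN=${SERVICE_TOKEN:-$(openssl rand -hex 16)}`, and write it back to the file. The comment block above the assignments should also say that `pw` and `SERVICE_TOKEN` must be changed for anything other than a throwaway demo; the file currently documents every other setting but not these two.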
