#!/bin/sh
# Debian postinst for keystone: creates the service user, writes
# keystone.conf, runs db_sync and, on first install, bootstraps the admin
# identity and registers the keystone endpoint from the debconf answers.
set -e
#PKGOS-INCLUDE#
# Path to the keystone configuration file edited by this script.
KEY_CONF=/etc/keystone/keystone.conf
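# Read the admin bootstrap credentials from debconf and export them as OS_*
# variables so the openstack CLI calls made later can authenticate.
# Globals:   RET (read, set by db_get); ADMIN_USER_NAME, ADMIN_USER_PW,
#            ADMIN_USER_EMAIL, ADMIN_TENANT_NAME, ADMIN_ROLE_NAME (written);
#            OS_* (exported)
# Arguments: none
# Returns:   0; a failing db_get aborts the script under set -e
keystone_get_debconf_admin_credentials () {
  db_get keystone/admin-user
  ADMIN_USER_NAME=${RET:-admin}
  db_get keystone/admin-password
  # NOTE(review): gen_password is not defined in this file while the rest of
  # the script uses pkgos_gen_pass — confirm the included helpers provide it,
  # otherwise an empty debconf password would likely abort here.
  ADMIN_USER_PW=${RET:-$(gen_password)}
  db_get keystone/admin-email
  ADMIN_USER_EMAIL=${RET:-root@localhost}
  db_get keystone/admin-tenant-name
  ADMIN_TENANT_NAME=${RET:-admin}
  db_get keystone/admin-role-name
  ADMIN_ROLE_NAME=${RET:-admin}
  # Export the retrieved credentials for later use. OS_USERNAME must be the
  # debconf-chosen name: keystone-manage bootstrap creates that user, so a
  # hard-coded "admin" cannot authenticate when a different name was given.
  export OS_PROJECT_DOMAIN_ID=default
  export OS_USER_DOMAIN_ID=default
  export OS_USERNAME="${ADMIN_USER_NAME}"
  export OS_PASSWORD="${ADMIN_USER_PW}"
  export OS_TENANT_NAME="${ADMIN_TENANT_NAME}"
  export OS_PROJECT_NAME="${ADMIN_TENANT_NAME}"
  export OS_AUTH_URL=http://127.0.0.1:35357/v3/
  export OS_IDENTITY_API_VERSION=3
  export OS_AUTH_VERSION=3
  export OS_NO_CACHE=1
}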
# Create the initial admin user, project and role with
# "keystone-manage bootstrap" instead of the legacy admin auth token.
# Globals:   ADMIN_USER_NAME, ADMIN_TENANT_NAME, ADMIN_USER_PW (read);
#            OS_BOOTSTRAP_USERNAME, OS_BOOTSTRAP_PROJECT_NAME,
#            OS_BOOTSTRAP_PASSWORD (exported)
# Arguments: none
# Returns:   status of keystone-manage
keystone_bootstrap_admin () {
  # keystone-manage reads these from the environment; the password is
  # handed over this way rather than as a command-line argument.
  OS_BOOTSTRAP_USERNAME="${ADMIN_USER_NAME}"
  OS_BOOTSTRAP_PROJECT_NAME="${ADMIN_TENANT_NAME}"
  OS_BOOTSTRAP_PASSWORD="${ADMIN_USER_PW}"
  export OS_BOOTSTRAP_USERNAME OS_BOOTSTRAP_PROJECT_NAME OS_BOOTSTRAP_PASSWORD
  keystone-manage bootstrap
}
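# Fix up the bootstrapped admin project and user, create the "service"
# project, and grant the default roles to the admin user.
# Globals:   ADMIN_TENANT_NAME, ADMIN_USER_NAME, ADMIN_USER_EMAIL (read);
#            OS_* (read by the openstack CLI)
# Arguments: none
# Outputs:   progress on stdout
# Returns:   0; a failing openstack call aborts the script under set -e
keystone_create_admin_tenant () {
  # Every expansion is quoted so a name containing spaces stays one argument.
  printf 'Fixing-up: admin-project-desc '
  openstack project set --description "Default Debian admin project" "${ADMIN_TENANT_NAME}"
  printf 'service-project '
  openstack project create --or-show service --description "Default Debian service project" >/dev/null
  printf 'default-admin-email '
  openstack user set --description "Default Debian admin user" --email "${ADMIN_USER_EMAIL}" --enable "${ADMIN_USER_NAME}"
  printf '...done!\n'
  # Note: heat_stack_owner is needed for heat to work, and Member ResellerAdmin
  # are needed for swift auto account creation.
  printf 'Adding roles: '
  for role in admin KeystoneAdmin KeystoneServiceAdmin heat_stack_owner Member ResellerAdmin ; do
    printf '%s ' "${role}"
    openstack role create --or-show "${role}" >/dev/null
    openstack role add --project "${ADMIN_TENANT_NAME}" --user "${ADMIN_USER_NAME}" "${role}" >/dev/null
  done
  printf '...done!\n'
}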
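# Register the keystone identity service and its public/internal/admin
# endpoints, unless an identity service is already registered.
# Globals:   RET (read, set by db_get); KEYSTONE_ENDPOINT_IP, REGION_NAME,
#            NUM_LINES (written); OS_* (read by the openstack CLI)
# Arguments: $1 - package name (accepted for callers, currently unused)
# Outputs:   progress on stdout
# Returns:   0; a failing openstack call aborts the script under set -e
keystone_create_endpoint_postinst () {
  local PKG_NAME token iface port
  PKG_NAME=${1}
  db_get keystone/endpoint-ip
  # Only accept a dotted quad from debconf; anything else leaves the value
  # empty and registration is skipped. The "|| true" keeps a non-match from
  # tripping set -e. Octet range (0-255) is not checked.
  KEYSTONE_ENDPOINT_IP=$(printf '%s\n' "${RET}" | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' || true)
  # Quoted on purpose: an unquoted empty value turns this into "[ -n ]",
  # which is true, and endpoints would be created with an empty host.
  if [ -n "${KEYSTONE_ENDPOINT_IP}" ] ; then
    db_get keystone/region-name
    REGION_NAME=${RET}
    if [ -n "${REGION_NAME}" ] ; then
      # Issue one token and scope it to each registration call instead of
      # exporting it, so the password-based OS_* credentials used by later
      # calls are not overridden.
      token=$(openstack token issue -c id -f value)
      NUM_LINES=$(OS_TOKEN="${token}" openstack service list -f value -c Type --os-url http://localhost:5000/v3 | awk '$1 == "identity" { n++ } END { print n + 0 }')
      if [ "${NUM_LINES}" = "0" ] ; then
        printf 'Setting-up: create-keystone-service '
        OS_TOKEN="${token}" openstack service create --name=keystone --description="Keystone Identity Service" identity --os-url http://localhost:5000/v3 >/dev/null
        # The admin endpoint is served on 35357, the other two on 5000.
        for iface in public internal admin ; do
          case "${iface}" in
            admin) port=35357 ;;
            *) port=5000 ;;
          esac
          printf 'create-%s-endpoint ' "${iface}"
          OS_TOKEN="${token}" openstack endpoint create --region "${REGION_NAME}" \
            keystone "${iface}" "http://${KEYSTONE_ENDPOINT_IP}:${port}/v2.0" --os-url http://localhost:5000/v3 >/dev/null
        done
        printf '...done!\n'
      else
        printf 'Keystone service already registered...'
      fi
    fi
  fi
}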
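# Main configure step. dpkg passes the previously installed version as $2,
# which is empty on a first install.
if [ "$1" = "configure" ] ; then
  . /usr/share/debconf/confmodule
  . /usr/share/dbconfig-common/dpkg/postinst
  # Create user and group keystone, plus /var/log and /var/lib owned by it
  # We need a bash shell so that keystone-manage pkg_setup works, and the
  # Wheezy package doesn't have it, failing upgrades
  pkgos_var_user_group keystone /bin/sh
  # Make sure we have a folder to create certs, that isn't world readable
  mkdir -p /etc/keystone/ssl/certs
  chown keystone:keystone /etc/keystone/ssl/certs
  chmod 750 /etc/keystone/ssl/certs
  chown keystone:keystone /etc/keystone/ssl
  chmod 750 /etc/keystone/ssl
  # Create keystone.conf if it's not there
  pkgos_write_new_conf keystone keystone.conf
  # Set the admin_token directive in keystone.conf
  db_get keystone/auth-token
  AUTH_TOKEN=${RET}
  if [ -z "${AUTH_TOKEN}" ] ; then
    AUTH_TOKEN=$(pkgos_gen_pass)
  fi
  # NOTE(review): admin_token is a shared secret that keystone accepts in
  # place of normal authentication; keystone_bootstrap_admin states the admin
  # token should no longer be used, yet it is still written here — confirm
  # it is still required before keeping it.
  pkgos_inifile set "${KEY_CONF}" DEFAULT admin_token "${AUTH_TOKEN}"
  # Not referenced in this file; presumably used by the included pkgos
  # helpers — confirm before removing.
  OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:35357/v3/ --os-domain-name default --os-identity-api-version=3"
  # Make sure /var/log/keystone/keystone.log is owned by keystone
  # BEFORE any keystone-manage calls.
  chown -R keystone:keystone /var/log/keystone
  # Upgrade or create the db if directed to do so
  db_get keystone/configure_db
  if [ "$RET" = "true" ] ; then
    # Configure the SQL connection of keystone.conf according to dbconfig-common.
    # "$@" forwards the dpkg arguments (configure, old version) unsplit.
    pkgos_dbc_postinst "${KEY_CONF}" database connection keystone "$@"
    if [ "${PKGOS_VERBOSE}" = "yes" ] ; then
      DB_SYNC_VERBOSITY=--verbose
    else
      DB_SYNC_VERBOSITY=--noverbose
    fi
    # The log line now matches the command actually run in verbose mode.
    echo "Running su keystone -s /bin/sh -c 'keystone-manage ${DB_SYNC_VERBOSITY} db_sync'..."
    su keystone -s /bin/sh -c "keystone-manage ${DB_SYNC_VERBOSITY} db_sync"
  fi
  # Generate the ssl keys for keystone.
  # It seems that running it each time this script is launched
  # isn't a problem.
  #su keystone -s /bin/sh -c "keystone-manage pki_setup"
  # Activate the keystone.service
  deb-systemd-helper unmask keystone.service >/dev/null || true
  if deb-systemd-helper --quiet was-enabled keystone.service ; then
    deb-systemd-helper enable keystone.service >/dev/null || true
  else
    deb-systemd-helper update-state keystone.service >/dev/null || true
  fi
  # Setup init script and start keystone
  pkgos_init keystone
  # On first install, create basics configuration and add roles
  if [ -z "$2" ] ; then
    # Fixed delay only: nothing below polls the daemon, so the bootstrap
    # still fails if keystone takes longer than this to come up.
    printf 'Sleeping 5 seconds to make sure the keystone daemon is up and running: '
    for countdown in 5 4 3 2 1 ; do
      printf '%s...' "${countdown}"
      sleep 1
    done
    echo "0"
    db_get keystone/create-admin-tenant
    if [ "$RET" = "true" ] ; then
      echo "===> Bootstraping tenants with 'keystone-manage bootstrap':"
      # Read the debconf answers exactly once: calling this twice would
      # regenerate the fallback password when none was given in debconf.
      keystone_get_debconf_admin_credentials
      keystone_bootstrap_admin
      db_get keystone/register-endpoint
      if [ "$RET" = "true" ] ; then
        echo "===> Registering keystone endpoint"
        keystone_create_endpoint_postinst
      fi
      echo "===> Editing bootstraped tenants and adding default roles"
      keystone_create_admin_tenant
      echo "done!"
    fi
  fi
  db_stop
fi
exit 0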