authorDimitri Mazmanov <dimitri.mazmanov@ericsson.com>2016-11-28 13:25:54 +0100
committerDimitri Mazmanov <dimitri.mazmanov@ericsson.com>2017-01-23 11:13:10 +0100
commite7fe8818ece870b88556f7bad78b589b26d19151 (patch)
tree874f74b7b7d59b3a432fdebb9041a78ad346af26 /tools/keystone
parent60dca59ac451300fae214776e82a068b2e8607da (diff)
Common auth configuration for Mulsite deployment
This set of scripts is used to configure centralized Keystone across multiple regions. Each script is executed during a certain stage of the automated multisite deployment setup via Jenkins [1]. region.sh - registers new endpoints in Keystone, tagging them with RegionTwo. fetchpass.sh - reads service passwords in the master region and stores them in an encrypted file. endpoint.sh - reads the public_url, private_url and admin_url from RegionTwo and stores them in a file to be used during the region registration phase. run.sh - is a generic proxy runner which triggers execution of any runnable on a target node (compute|controller). writepass.sh - updates service password entries in the configuration files for RegionTwo. [1] https://wiki.opnfv.org/display/multisite/Multisite+Deployment+Environment Change-Id: If2c91600237003a13cc0dc822924ab8d27ce202c Signed-off-by: Dimitri Mazmanov <dimitri.mazmanov@ericsson.com>
Diffstat (limited to 'tools/keystone')
-rwxr-xr-xtools/keystone/endpoint.sh30
-rwxr-xr-xtools/keystone/fetchpass.sh72
-rwxr-xr-xtools/keystone/region.sh103
-rwxr-xr-xtools/keystone/run.sh92
-rwxr-xr-xtools/keystone/writepass.sh130
5 files changed, 412 insertions, 15 deletions
diff --git a/tools/keystone/endpoint.sh b/tools/keystone/endpoint.sh
new file mode 100755
index 0000000..410a723
--- /dev/null
+++ b/tools/keystone/endpoint.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+set -o xtrace
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Ensure that openrc containing OpenStack environment variables is present.
+source openrc
+
+# Endpoints. Dynamically get IP addresses from another service (keystone)
+ENDPOINT_PUBLIC_URL=$(openstack endpoint list | grep keystone | grep public | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+ENDPOINT_ADMIN_URL=$(openstack endpoint list | grep keystone | grep admin | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+ENDPOINT_INTERNAL_URL=$(openstack endpoint list | grep keystone | grep internal | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+
+cat <<EOT >> /root/endpoints.ini
+[DEFAULT]
+public_url=${ENDPOINT_PUBLIC_URL}
+admin_url=${ENDPOINT_ADMIN_URL}
+private_url=${ENDPOINT_INTERNAL_URL}
+os_region=${OS_REGION}
+EOT
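Review bot: The key written at `private_url=${ENDPOINT_INTERNAL_URL}` does not match what region.sh in this same commit reads (`iniget ${ENDPOINT_FILE} DEFAULT internal_url`), so the internal host always comes back empty on the consumer side; write `internal_url=${ENDPOINT_INTERNAL_URL}` here (or read private_url in region.sh). The here-doc appends with `>>`, so a re-run leaves two `[DEFAULT]` sections in /root/endpoints.ini and iniget's sed range then prints both values; `cat <<EOT > /root/endpoints.ini` makes the script idempotent. Because `set -o xtrace` is enabled before `source openrc`, every assignment inside openrc — presumably including an OS_PASSWORD export — is echoed to stderr and will likely land in the Jenkins console; enable xtrace only after the source, or wrap it in `set +o xtrace` / `set -o xtrace`, to keep the credential out of the build log. The three variables are named _URL but the `cut` chain reduces them to the host part only; a comment such as `# host only — region.sh rebuilds the per-service URLs` would spare the next reader a second look.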
diff --git a/tools/keystone/fetchpass.sh b/tools/keystone/fetchpass.sh
new file mode 100755
index 0000000..6e3b069
--- /dev/null
+++ b/tools/keystone/fetchpass.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# DISCLAIMER: This script is a dirty filthy hack! But we need it.
+# Fetch service password from the configuration files and store them
+# in a file to pass further down the build chain
+
+EXPORT_FILE="/root/servicepass.ini"
+
+GLANCE_CONF="/etc/glance/glance-registry.conf"
+NOVA_CONF="/etc/nova/nova.conf"
+NEUTRON_CONF="/etc/neutron/neutron.conf"
+CINDER_CONF="/etc/cinder/cinder.conf"
+HEAT_CONF="/etc/heat/heat.conf"
+GLARE_CONF="/etc/glance/glance-glare.conf"
+KEYSTONE_CONF='/etc/keystone/keystone.conf'
+CEILOMETER_CONF='/etc/ceilometer/ceilometer.conf'
+AODH_CONF='/etc/aodh/aodh.conf'
+
+source openrc
+
+# Get an option from an INI file
+# iniget config-file section option
+function iniget {
+ local xtrace
+ xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ echo ${line#*=}
+ $xtrace
+}
+
+bind_host=$(openstack endpoint list | grep keystone | grep public | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+
+glance_password=$(iniget ${GLANCE_CONF} keystone_authtoken password)
+nova_password=$(iniget ${NOVA_CONF} keystone_authtoken password)
+cinder_password=$(iniget ${CINDER_CONF} keystone_authtoken password)
+glare_password=$(iniget ${GLARE_CONF} keystone_authtoken password)
+heat_password=$(iniget ${HEAT_CONF} keystone_authtoken password)
+neutron_password=$(iniget ${NEUTRON_CONF} keystone_authtoken password)
+ceilometer_password=$(iniget ${CEILOMETER_CONF} keystone_authtoken password)
+aodh_password=$(iniget ${AODH_CONF} keystone_authtoken password)
+#NOTE: can't find swift in /etc
+
+cat <<EOT >> /root/passwords.ini
+[DEFAULT]
+identity_uri=${bind_host}
+glance=${glance_password}
+nova=${nova_password}
+cinder=${cinder_password}
+glare=${glare_password}
+heat=${heat_password}
+neutron=${neutron_password}
+ceilometer=${ceilometer_password}
+aodh=${aodh_password}
+EOT
+
+openssl enc -aes-256-cbc -salt -in /root/passwords.ini -out ${EXPORT_FILE} -k multisite
+
+rm /root/passwords.ini \ No newline at end of file
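Review bot: The keys written into /root/passwords.ini (`glance=${glance_password}`, `nova=${nova_password}`, ...) do not match what write_controller in writepass.sh reads (`iniget ${PASSWORD_FILE} DEFAULT glance_password` etc.), so every iniset on the target receives an empty value; either write `glance_password=${glance_password}` here or look up `glance` there. The encryption step `openssl enc -aes-256-cbc -salt -in /root/passwords.ini -out ${EXPORT_FILE} -k multisite` emits raw binary, while decode_passwords in writepass.sh decrypts with `-a` (base64), so decryption fails unless `-a` is added on this side as well. The passphrase `multisite` is a constant committed alongside the script and passed with `-k`, where `ps` can read it, so the export file is obfuscated rather than protected; reading it from the environment (`-pass env:MULTISITE_PASS`) at least lets a Jenkins secret supply it. This script sets no `errexit`, so a failed iniget or openssl still reaches `rm /root/passwords.ini` and the pipeline continues without any usable password file. The unquoted `echo ${line#*=}` in iniget word-splits and glob-expands the password, mangling any value containing whitespace or `*`; `printf '%s\n' "${line#*=}"` preserves it, and the same iniget body is duplicated in region.sh and writepass.sh.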
diff --git a/tools/keystone/region.sh b/tools/keystone/region.sh
index f3b0180..1ae108f 100755
--- a/tools/keystone/region.sh
+++ b/tools/keystone/region.sh
@@ -27,26 +27,99 @@ source openrc
#
# openstack endpoint create --publicurl "" --adminurl "" --internalurl "" --region ${region} <service>
-public_url=${NEW_PUBLIC_URL}
-internal_url=${NEW_INTERNAL_URL}
-admin_url=${NEW_ADMIN_URL}
-region=${NEW_REGION}
+ENDPOINT_FILE="/root/endpoints.ini"
+
+# Get an option from an INI file
+# iniget config-file section option
+function iniget {
+ local xtrace
+ xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ echo ${line#*=}
+ $xtrace
+}
+
+error () {
+ logger -s -t "registration.error" "$*"
+ exit 1
+}
+
+public_url=$(iniget ${ENDPOINT_FILE} DEFAULT public_url)
+internal_url=$(iniget ${ENDPOINT_FILE} DEFAULT internal_url)
+admin_url=$(iniget ${ENDPOINT_FILE} DEFAULT admin_url)
+region=$(iniget ${ENDPOINT_FILE} DEFAULT os_region)
+
+if [ -z $public_url || -z $internal_url || -z $admin_url || -z $region ]; then
+ error "The provided endpoint information is incomplete. Please che the values for public_url, admin_url, internal_url and os_region."
+fi
# Nova
-openstack endpoint create --publicurl "http://${public_url}:8774/v2.1" --adminurl "http://${admin_url}:8774/v2.1" --internalurl "http://${internal_url}:8774/v2.1" --region ${region} nova
-openstack endpoint create --publicurl "http://${public_url}:8774/v2/%(tenant_id)s" --adminurl "http://${admin_url}:8774/v2/%(tenant_id)s" --internalurl "http://${internal_url}:8774/v2/%(tenant_id)s" --region ${region} compute_legacy
+openstack endpoint create nova public "http://${public_url}:8774/v2.1" --region ${region}
+openstack endpoint create nova admin "http://${admin_url}:8774/v2.1" --region ${region}
+openstack endpoint create nova internal "http://${internal_url}:8774/v2.1" --region ${region}
+
+openstack endpoint create compute_legacy public "http://${public_url}:8774/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create compute_legacy admin "http://${admin_url}:8774/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create compute_legacy internal "http://${internal_url}:8774/v2/%(tenant_id)s" --region ${region}
+
# Neutron
-openstack endpoint create --publicurl "http://${public_url}:9696" --adminurl "http://${admin_url}:9696" --internalurl "http://${internal_url}:9696" --region ${region} neutron
+openstack endpoint create neutron public "http://${public_url}:9696" --region ${region}
+openstack endpoint create neutron admin "http://${admin_url}:9696" --region ${region}
+openstack endpoint create neutron internal "http://${internal_url}:9696" --region ${region}
+
# Cinder
-openstack endpoint create --publicurl "http://${public_url}:8776/v1/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v1/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v1/%(tenant_id)s" --region ${region} cinder
-openstack endpoint create --publicurl "http://${public_url}:8776/v2/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v2/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v2/%(tenant_id)s" --region ${region} cinderv2
-openstack endpoint create --publicurl "http://${public_url}:8776/v3/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v3/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v3/%(tenant_id)s" --region ${region} cinderv3
+openstack endpoint create cinder public "http://${public_url}:8776/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create cinder admin "http://${admin_url}:8776/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create cinder internal "http://${internal_url}:8776/v1/%(tenant_id)s" --region ${region}
+
+openstack endpoint create cinderv2 public "http://${public_url}:8776/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv2 admin "http://${admin_url}:8776/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv2 internal "http://${internal_url}:8776/v2/%(tenant_id)s" --region ${region}
+
+openstack endpoint create cinderv3 public "http://${public_url}:8776/v3/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv3 admin "http://${admin_url}:8776/v3/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv3 internal "http://${internal_url}:8776/v3/%(tenant_id)s" --region ${region}
+
# Glance
-openstack endpoint create --publicurl "http://${public_url}:9292" --adminurl "http://${admin_url}:9292" --internalurl "http://${internal_url}:9292" --region ${region} glance
+openstack endpoint create glance public "http://${public_url}:9292" --region ${region}
+openstack endpoint create glance admin "http://${admin_url}:9292" --region ${region}
+openstack endpoint create glance internal "http://${internal_url}:9292" --region ${region}
+
# Heat
-openstack endpoint create --publicurl "http://${public_url}:8004/v1/%(tenant_id)s" --adminurl "http://${admin_url}:8004/v1/%(tenant_id)s" --internalurl "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region} heat
-openstack endpoint create --publicurl "http://${public_url}:8000/v1" --adminurl "http://${admin_url}:8000/v1" --internalurl "http://${internal_url}:8000/v1" --region ${region} heat-cfn
+openstack endpoint create heat public "http://${public_url}:8004/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create heat admin "http://${admin_url}:8004/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create heat internal "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region}
+
+openstack endpoint create heat-cfn public "http://${public_url}:8000/v1" --region ${region}
+openstack endpoint create heat-cfn admin "http://${admin_url}:8004/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create heat-cfn internal "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region}
+
# Swift
-openstack endpoint create --publicurl "http://${public_url}:8080/swift/v1" --adminurl "http://${admin_url}:8080/swift/v1" --internalurl "http://${internal_url}:8080/swift/v1" --region ${region} swift
+openstack endpoint create swift public "http://${public_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region}
+openstack endpoint create swift admin "http://${admin_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region}
+openstack endpoint create swift internal "http://${internal_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region}
+
+openstack endpoint create swift_s3 public "http://${public_url}:8080" --region ${region}
+openstack endpoint create swift_s3 admin "http://${admin_url}:8080" --region ${region}
+openstack endpoint create swift_s3 internal "http://${internal_url}:8080" --region ${region}
+
# Glare
-openstack endpoint create --publicurl "http://${public_url}:9494" --adminurl "http://${admin_url}:9494" --internalurl "http://${internal_url}:9494" --region ${region} swift \ No newline at end of file
+openstack endpoint create glare public "http://${public_url}:9494" --region ${region}
+openstack endpoint create glare admin "http://${admin_url}:9494" --region ${region}
+openstack endpoint create glare internal "http://${internal_url}:9494" --region ${region}
+
+# Ceilometer
+openstack endpoint create ceilometer public "http://${public_url}:8777" --region ${region}
+openstack endpoint create ceilometer admin "http://${admin_url}:8777" --region ${region}
+openstack endpoint create ceilometer internal "http://${internal_url}:8777" --region ${region}
+
+#Aodh
+openstack endpoint create aodh public "http://${public_url}:8042" --region ${region}
+openstack endpoint create aodh admin "http://${admin_url}:8042" --region ${region}
+openstack endpoint create aodh internal "http://${internal_url}:8042" --region ${region}
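Review bot: The guard `if [ -z $public_url || -z $internal_url || -z $admin_url || -z $region ]; then` is not valid test syntax — `||` terminates the `[` command, leaving an unterminated `[` and stray `-z` commands — so the condition always fails, error output is printed, and registration proceeds with whatever values were read; use `if [[ -z $public_url || -z $internal_url || -z $admin_url || -z $region ]]; then` (and "Please che" in the message should read "Please check"). The heat-cfn admin and internal entries reuse the heat URL, `"http://${admin_url}:8004/v1/%(tenant_id)s"`, while the public entry uses `:8000/v1`, which looks like a copy-paste slip; they should be `"http://${admin_url}:8000/v1"` and `"http://${internal_url}:8000/v1"`. Note also that `internal_url` is read from the ini file while endpoint.sh in this commit writes the key as `private_url`, so once the guard's syntax is fixed it will trip on every run. The hunk starts at line 27, so whether errexit is set for this script is not visible here; if it is, a single duplicate-endpoint failure from `openstack endpoint create` stops registration midway with the region half configured.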
diff --git a/tools/keystone/run.sh b/tools/keystone/run.sh
new file mode 100755
index 0000000..6fc02ca
--- /dev/null
+++ b/tools/keystone/run.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+set -o xtrace
+set -o nounset
+set -o pipefail
+
+
+# This script proxies execution of other scripts through fuel node
+# onto the destination node.
+# Usage: run.sh (controller|compute) <runnable_script.sh>
+
+INSTALLER_IP=10.20.0.2
+
+usage() {
+ echo "usage: $0 -a <installer_ip> -t (controller|compute) -r <runnable_script.sh> -d <data_file>" >&2
+}
+
+error () {
+ logger -s -t "deploy.error" "$*"
+ exit 1
+}
+
+if [ $# -eq 0 ]; then
+ usage
+ exit 2
+fi
+
+while [[ $# -gt 0 ]]; do
+case $1 in
+ -i|--installer)
+ installer_ip="$2"
+ shift # past argument
+ ;;
+ -t|--target)
+ target="$2"
+ shift # past argument
+ ;;
+ -r|--runnable)
+ runnable="$2"
+ shift # past argument
+ ;;
+ -d|--data)
+ data="$2"
+ shift # past argument
+ ;;
+ *)
+ echo "Non-option argument: '-${OPTARG}'" >&2
+ usage
+ exit 2
+ ;;
+esac
+shift # past argument or value
+
+installer_ip=${installer_ip:-$INSTALLER_IP}
+data=${data:-""}
+
+ssh_options="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+function run_on_target() {
+ # Copy the script to the target
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && cat > ${runnable}\"" < ${runnable} &> /dev/null
+ if [ -n "${data}" ]; then
+ # Copy any accompanying data along with the script
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && cat > ${data}\"" < ${data} &> /dev/null
+ fi
+ # Set the rights and execute
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && chmod +x ${runnable}\"" &> /dev/null
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && nohup /root/${runnable} > install.log 2> /dev/null\"" &> /dev/null
+ # Output here
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && cat install.log\""
+}
+
+target_info=$(sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+fuel node list| grep ${target} | grep "True\| 1" | awk -F\| "{print \$5}" | \
+sed 's/ //g') &> /dev/null
+
+for machine in ${target_info} ; do
+ run_on_target $machine
+done
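Review bot: The option loop opened by `while [[ $# -gt 0 ]]; do` is never closed — the only `done` in the file belongs to the `for machine` loop — so bash rejects the entire script with an unexpected end-of-file error; add `done` after `shift # past argument or value`. The installer root password is embedded as `sshpass -p r00tme` in six places while `set -o xtrace` is active, so it is echoed to stderr on every call and readable by any local user via `ps`; export it once from the environment and use `sshpass -e` (which reads SSHPASS) so a Jenkins credential can supply it instead of the repository. `-o StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null` disables host authentication on both hops, which may be acceptable inside the lab network but deserves a comment saying so. The usage text advertises `-a <installer_ip>` while the case arm accepts `-i|--installer`, and the fallback branch references `${OPTARG}`, which getopts never set and which `set -o nounset` turns into an abort before the usage text is printed; `echo "Non-option argument: '$1'" >&2` is what was intended.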
diff --git a/tools/keystone/writepass.sh b/tools/keystone/writepass.sh
new file mode 100755
index 0000000..2b0a965
--- /dev/null
+++ b/tools/keystone/writepass.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+set -o xtrace
+set -o errexit
+set -o nounset
+set -o pipefail
+
+PASSWORD_FILE_ENC="servicepass.ini"
+PASSWORD_FILE="/root/passwords.ini"
+
+function ini_has_option {
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ [ -n "$line" ]
+}
+
+# Get an option from an INI file
+# iniget config-file section option
+function iniget {
+ local xtrace
+ xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ echo ${line#*=}
+ $xtrace
+}
+
+# Set an option in an INI file
+# iniset [-sudo] config-file section option value
+# - if the file does not exist, it is created
+function iniset {
+ local file=$1
+ local section=$2
+ local option=$3
+ local value=$4
+
+ [[ -z $section || -z $option ]] && return
+
+ if ! grep -q "^\[$section\]" "$file" 2>/dev/null; then
+ echo -e "\n[$section]" >>"$file"
+ fi
+ if ! ini_has_option "$file" "$section" "$option"; then
+ sed -i -e "/^\[$section\]/ a\\
+$option = $value
+" "$file"
+ else
+ local sep=$(echo -ne "\x01")
+ # Replace it
+ sed -i -e '/^\['${section}'\]/,/^\[.*\]/ s'${sep}'^\('${option}'[ \t]*=[ \t]*\).*$'${sep}'\1'"${value}"${sep} "$file"
+ fi
+}
+
+function decode_passwords() {
+ openssl enc -aes-256-cbc -d -a -in ${PASSWORD_FILE_ENC} -out /root/passwords.ini -k multisite
+}
+
+function write_controller() {
+ # For each slave region the following files must be updated on each controller.
+ iniset "/etc/glance/glance-registry.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glance_password)
+ iniset "/etc/glance/glance-api.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glance_password)
+ iniset "/etc/glance/glance-glare.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glare_password)
+ iniset "/etc/heat/heat.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT heat_password)
+ iniset "/etc/nova/nova.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT nova_password)
+ iniset "/etc/nova/nova.conf" neutron password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password)
+ iniset "/etc/cinder/cinder.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT cinder_password)
+ iniset "/etc/neutron/neutron.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password)
+ iniset "/etc/ceilometer/ceilometer.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT ceilometer_password)
+ iniset "/etc/aodh/aodh.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT aodh_password)
+}
+
+function restart_controller() {
+ service nova-api restart
+ service nova-cert restart
+ service nova-conductor restart
+ service nova-novncproxy restart
+ service nova-consoleauth restart
+
+ service neutron-server restart
+ service heat-api restart
+ service heat-engine restart
+ service glance-api restart
+ service glance-registry restart
+ service glance-glare restart
+
+ service cinder-api restart
+ service cinder-volume restart
+ service cinder-scheduler restart
+ service cinder-backup restart
+
+ # corosync resources
+ crm resource restart p_ceilometer-agent-central
+ crm resource restart p_aodh-evaluator
+}
+
+function write_compute() {
+ iniset "/etc/nova/nova.conf" neutron password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password)
+}
+
+function restart_compute() {
+ service nova-compute restart
+}
+
+#begin
+decode_passwords
+
+# are we on the controller?
+if pgrep -f nova-api > /dev/null
+then
+ write_controller
+ restart_controller
+else
+ write_compute
+ restart_compute
+fi
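Review bot: decode_passwords writes the cleartext service passwords to `/root/passwords.ini` and nothing removes the file afterwards — unlike fetchpass.sh, which deletes its own copy — so every controller and compute node keeps a plaintext credential file on disk after the run; add `trap 'rm -f -- "${PASSWORD_FILE}"' EXIT` directly after `decode_passwords`. The value arguments in write_controller and write_compute are unquoted, `$(iniget ${PASSWORD_FILE} DEFAULT glance_password)`, so a password containing whitespace is word-split and iniset stores only its first word; quote each as `"$(iniget ...)"`. iniset splices `$value` straight into a `sed` expression, so a password containing `\`, `&`, a newline or the `\x01` separator would corrupt the config file rather than be stored; the password alphabet is not visible here, so either an escaping step or a header comment stating that assumption is warranted. `PASSWORD_FILE_ENC="servicepass.ini"` is resolved relative to the current directory and only works because run.sh does `cd /root/` before launching the script; making it absolute, or noting the dependency in the header comment, keeps it from breaking when run by hand.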