diff options
author | Dimitri Mazmanov <dimitri.mazmanov@ericsson.com> | 2016-11-28 13:25:54 +0100 |
---|---|---|
committer | Dimitri Mazmanov <dimitri.mazmanov@ericsson.com> | 2017-01-23 11:13:10 +0100 |
commit | e7fe8818ece870b88556f7bad78b589b26d19151 (patch) | |
tree | 874f74b7b7d59b3a432fdebb9041a78ad346af26 /tools/keystone | |
parent | 60dca59ac451300fae214776e82a068b2e8607da (diff) |
Common auth configuration for Mulsite deployment
This set of scripts is used to configure centralized Keystone
across multiple regions. Each script is executed during a certain stage
of the automated multisite deployment setup via Jenkins [1].
region.sh - registers new endpoints in Keystone tagging them with
RegionTwo.
fetchpass.sh - reads service passwords in the master region and stores
them in an encrypted file.
endpoint.sh - reads the public_url, private_url and admin_url from
RegionTwo and stores it in a file to be used during region registration
phase.
run.sh - is a generic proxy runner which triggers execution of any
runnable on a target node (compute|controller).
writepass.sh - updates service password entries in the configuration
files for RegionTwo.
[1]
https://wiki.opnfv.org/display/multisite/Multisite+Deployment+Environment
Change-Id: If2c91600237003a13cc0dc822924ab8d27ce202c
Signed-off-by: Dimitri Mazmanov <dimitri.mazmanov@ericsson.com>
Diffstat (limited to 'tools/keystone')
-rwxr-xr-x | tools/keystone/endpoint.sh | 30 | ||||
-rwxr-xr-x | tools/keystone/fetchpass.sh | 72 | ||||
-rwxr-xr-x | tools/keystone/region.sh | 103 | ||||
-rwxr-xr-x | tools/keystone/run.sh | 92 | ||||
-rwxr-xr-x | tools/keystone/writepass.sh | 130 |
5 files changed, 412 insertions, 15 deletions
diff --git a/tools/keystone/endpoint.sh b/tools/keystone/endpoint.sh new file mode 100755 index 0000000..410a723 --- /dev/null +++ b/tools/keystone/endpoint.sh @@ -0,0 +1,30 @@ +#!/bin/bash +# +# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com) +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +# + +set -o xtrace +set -o errexit +set -o nounset +set -o pipefail + +# Ensure that openrc containing OpenStack environment variables is present. +source openrc + +# Endpoints. Dynamically get IP addresses from another service (keystone) +ENDPOINT_PUBLIC_URL=$(openstack endpoint list | grep keystone | grep public | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1) +ENDPOINT_ADMIN_URL=$(openstack endpoint list | grep keystone | grep admin | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1) +ENDPOINT_INTERNAL_URL=$(openstack endpoint list | grep keystone | grep internal | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1) + +cat <<EOT >> /root/endpoints.ini +[DEFAULT] +public_url=${ENDPOINT_PUBLIC_URL} +admin_url=${ENDPOINT_ADMIN_URL} +private_url=${ENDPOINT_INTERNAL_URL} +os_region=${OS_REGION} +EOT diff --git a/tools/keystone/fetchpass.sh b/tools/keystone/fetchpass.sh new file mode 100755 index 0000000..6e3b069 --- /dev/null +++ b/tools/keystone/fetchpass.sh @@ -0,0 +1,72 @@ +#!/bin/bash +# +# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com) +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +# + +# DISCLAIMER: This script is a dirty filthy hack! But we need it. +# Fetch service password from the configuration files and store them +# in a file to pass further down the build chain + +EXPORT_FILE="/root/servicepass.ini" + +GLANCE_CONF="/etc/glance/glance-registry.conf" +NOVA_CONF="/etc/nova/nova.conf" +NEUTRON_CONF="/etc/neutron/neutron.conf" +CINDER_CONF="/etc/cinder/cinder.conf" +HEAT_CONF="/etc/heat/heat.conf" +GLARE_CONF="/etc/glance/glance-glare.conf" +KEYSTONE_CONF='/etc/keystone/keystone.conf' +CEILOMETER_CONF='/etc/ceilometer/ceilometer.conf' +AODH_CONF='/etc/aodh/aodh.conf' + +source openrc + +# Get an option from an INI file +# iniget config-file section option +function iniget { + local xtrace + xtrace=$(set +o | grep xtrace) + set +o xtrace + local file=$1 + local section=$2 + local option=$3 + local line + + line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file") + echo ${line#*=} + $xtrace +} + +bind_host=$(openstack endpoint list | grep keystone | grep public | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1) + +glance_password=$(iniget ${GLANCE_CONF} keystone_authtoken password) +nova_password=$(iniget ${NOVA_CONF} keystone_authtoken password) +cinder_password=$(iniget ${CINDER_CONF} keystone_authtoken password) +glare_password=$(iniget ${GLARE_CONF} keystone_authtoken password) +heat_password=$(iniget ${HEAT_CONF} keystone_authtoken password) +neutron_password=$(iniget ${NEUTRON_CONF} keystone_authtoken password) +ceilometer_password=$(iniget ${CEILOMETER_CONF} keystone_authtoken password) +aodh_password=$(iniget ${AODH_CONF} keystone_authtoken password) +#NOTE: can't find swift in /etc + +cat <<EOT >> /root/passwords.ini +[DEFAULT] +identity_uri=${bind_host} +glance=${glance_password} +nova=${nova_password} +cinder=${cinder_password} +glare=${glare_password} +heat=${heat_password} +neutron=${neutron_password} +ceilometer=${ceilometer_password} +aodh=${aodh_password} +EOT + +openssl enc -aes-256-cbc -salt -in /root/passwords.ini -out ${EXPORT_FILE} -k multisite + +rm /root/passwords.ini
\ No newline at end of file diff --git a/tools/keystone/region.sh b/tools/keystone/region.sh index f3b0180..1ae108f 100755 --- a/tools/keystone/region.sh +++ b/tools/keystone/region.sh @@ -27,26 +27,99 @@ source openrc # # openstack endpoint create --publicurl "" --adminurl "" --internalurl "" --region ${region} <service> -public_url=${NEW_PUBLIC_URL} -internal_url=${NEW_INTERNAL_URL} -admin_url=${NEW_ADMIN_URL} -region=${NEW_REGION} +ENDPOINT_FILE="/root/endpoints.ini" + +# Get an option from an INI file +# iniget config-file section option +function iniget { + local xtrace + xtrace=$(set +o | grep xtrace) + set +o xtrace + local file=$1 + local section=$2 + local option=$3 + local line + + line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file") + echo ${line#*=} + $xtrace +} + +error () { + logger -s -t "registration.error" "$*" + exit 1 +} + +public_url=$(iniget ${ENDPOINT_FILE} DEFAULT public_url) +internal_url=$(iniget ${ENDPOINT_FILE} DEFAULT internal_url) +admin_url=$(iniget ${ENDPOINT_FILE} DEFAULT admin_url) +region=$(iniget ${ENDPOINT_FILE} DEFAULT os_region) + +if [ -z $public_url || -z $internal_url || -z $admin_url || -z $region ]; then + error "The provided endpoint information is incomplete. Please che the values for public_url, admin_url, internal_url and os_region." +fi # Nova -openstack endpoint create --publicurl "http://${public_url}:8774/v2.1" --adminurl "http://${admin_url}:8774/v2.1" --internalurl "http://${internal_url}:8774/v2.1" --region ${region} nova -openstack endpoint create --publicurl "http://${public_url}:8774/v2/%(tenant_id)s" --adminurl "http://${admin_url}:8774/v2/%(tenant_id)s" --internalurl "http://${internal_url}:8774/v2/%(tenant_id)s" --region ${region} compute_legacy +openstack endpoint create nova public "http://${public_url}:8774/v2.1" --region ${region} +openstack endpoint create nova admin "http://${admin_url}:8774/v2.1" --region ${region} +openstack endpoint create nova internal "http://${internal_url}:8774/v2.1" --region ${region} + +openstack endpoint create compute_legacy public "http://${public_url}:8774/v2/%(tenant_id)s" --region ${region} +openstack endpoint create compute_legacy admin "http://${admin_url}:8774/v2/%(tenant_id)s" --region ${region} +openstack endpoint create compute_legacy internal "http://${internal_url}:8774/v2/%(tenant_id)s" --region ${region} + # Neutron -openstack endpoint create --publicurl "http://${public_url}:9696" --adminurl "http://${admin_url}:9696" --internalurl "http://${internal_url}:9696" --region ${region} neutron +openstack endpoint create neutron public "http://${public_url}:9696" --region ${region} +openstack endpoint create neutron admin "http://${admin_url}:9696" --region ${region} +openstack endpoint create neutron internal "http://${internal_url}:9696" --region ${region} + # Cinder -openstack endpoint create --publicurl "http://${public_url}:8776/v1/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v1/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v1/%(tenant_id)s" --region ${region} cinder -openstack endpoint create --publicurl "http://${public_url}:8776/v2/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v2/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v2/%(tenant_id)s" --region ${region} cinderv2 -openstack endpoint create --publicurl "http://${public_url}:8776/v3/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v3/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v3/%(tenant_id)s" --region ${region} cinderv3 +openstack endpoint create cinder public "http://${public_url}:8776/v1/%(tenant_id)s" --region ${region} +openstack endpoint create cinder admin "http://${admin_url}:8776/v1/%(tenant_id)s" --region ${region} +openstack endpoint create cinder internal "http://${internal_url}:8776/v1/%(tenant_id)s" --region ${region} + +openstack endpoint create cinderv2 public "http://${public_url}:8776/v2/%(tenant_id)s" --region ${region} +openstack endpoint create cinderv2 admin "http://${admin_url}:8776/v2/%(tenant_id)s" --region ${region} +openstack endpoint create cinderv2 internal "http://${internal_url}:8776/v2/%(tenant_id)s" --region ${region} + +openstack endpoint create cinderv3 public "http://${public_url}:8776/v3/%(tenant_id)s" --region ${region} +openstack endpoint create cinderv3 admin "http://${admin_url}:8776/v3/%(tenant_id)s" --region ${region} +openstack endpoint create cinderv3 internal "http://${internal_url}:8776/v3/%(tenant_id)s" --region ${region} + # Glance -openstack endpoint create --publicurl "http://${public_url}:9292" --adminurl "http://${admin_url}:9292" --internalurl "http://${internal_url}:9292" --region ${region} glance +openstack endpoint create glance public "http://${public_url}:9292" --region ${region} +openstack endpoint create glance admin "http://${admin_url}:9292" --region ${region} +openstack endpoint create glance internal "http://${internal_url}:9292" --region ${region} + # Heat -openstack endpoint create --publicurl "http://${public_url}:8004/v1/%(tenant_id)s" --adminurl "http://${admin_url}:8004/v1/%(tenant_id)s" --internalurl "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region} heat -openstack endpoint create --publicurl "http://${public_url}:8000/v1" --adminurl "http://${admin_url}:8000/v1" --internalurl "http://${internal_url}:8000/v1" --region ${region} heat-cfn +openstack endpoint create heat public "http://${public_url}:8004/v1/%(tenant_id)s" --region ${region} +openstack endpoint create heat admin "http://${admin_url}:8004/v1/%(tenant_id)s" --region ${region} +openstack endpoint create heat internal "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region} + +openstack endpoint create heat-cfn public "http://${public_url}:8000/v1" --region ${region} +openstack endpoint create heat-cfn admin "http://${admin_url}:8004/v1/%(tenant_id)s" --region ${region} +openstack endpoint create heat-cfn internal "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region} + # Swift -openstack endpoint create --publicurl "http://${public_url}:8080/swift/v1" --adminurl "http://${admin_url}:8080/swift/v1" --internalurl "http://${internal_url}:8080/swift/v1" --region ${region} swift +openstack endpoint create swift public "http://${public_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region} +openstack endpoint create swift admin "http://${admin_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region} +openstack endpoint create swift internal "http://${internal_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region} + +openstack endpoint create swift_s3 public "http://${public_url}:8080" --region ${region} +openstack endpoint create swift_s3 admin "http://${admin_url}:8080" --region ${region} +openstack endpoint create swift_s3 internal "http://${internal_url}:8080" --region ${region} + # Glare -openstack endpoint create --publicurl "http://${public_url}:9494" --adminurl "http://${admin_url}:9494" --internalurl "http://${internal_url}:9494" --region ${region} swift
\ No newline at end of file +openstack endpoint create glare public "http://${public_url}:9494" --region ${region} +openstack endpoint create glare admin "http://${admin_url}:9494" --region ${region} +openstack endpoint create glare internal "http://${internal_url}:9494" --region ${region} + +# Ceilometer +openstack endpoint create ceilometer public "http://${public_url}:8777" --region ${region} +openstack endpoint create ceilometer admin "http://${admin_url}:8777" --region ${region} +openstack endpoint create ceilometer internal "http://${internal_url}:8777" --region ${region} + +#Aodh +openstack endpoint create aodh public "http://${public_url}:8042" --region ${region} +openstack endpoint create aodh admin "http://${admin_url}:8042" --region ${region} +openstack endpoint create aodh internal "http://${internal_url}:8042" --region ${region} diff --git a/tools/keystone/run.sh b/tools/keystone/run.sh new file mode 100755 index 0000000..6fc02ca --- /dev/null +++ b/tools/keystone/run.sh @@ -0,0 +1,92 @@ +#!/bin/bash +# +# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com) +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +# + +set -o xtrace +set -o nounset +set -o pipefail + + +# This script proxies execution of other scripts through fuel node +# onto the destination node. +# Usage: run.sh (controller|compute) <runnable_script.sh> + +INSTALLER_IP=10.20.0.2 + +usage() { + echo "usage: $0 -a <installer_ip> -t (controller|compute) -r <runnable_script.sh> -d <data_file>" >&2 +} + +error () { + logger -s -t "deploy.error" "$*" + exit 1 +} + +if [ $# -eq 0 ]; then + usage + exit 2 +fi + +while [[ $# -gt 0 ]]; do +case $1 in + -i|--installer) + installer_ip="$2" + shift # past argument + ;; + -t|--target) + target="$2" + shift # past argument + ;; + -r|--runnable) + runnable="$2" + shift # past argument + ;; + -d|--data) + data="$2" + shift # past argument + ;; + *) + echo "Non-option argument: '-${OPTARG}'" >&2 + usage + exit 2 + ;; +esac +shift # past argument or value + +installer_ip=${installer_ip:-$INSTALLER_IP} +data=${data:-""} + +ssh_options="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" + +function run_on_target() { + # Copy the script to the target + sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \ + "ssh $ssh_options $1 \"cd /root/ && cat > ${runnable}\"" < ${runnable} &> /dev/null + if [ -n "${data}" ]; then + # Copy any accompanying data along with the script + sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \ + "ssh $ssh_options $1 \"cd /root/ && cat > ${data}\"" < ${data} &> /dev/null + fi + # Set the rights and execute + sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \ + "ssh $ssh_options $1 \"cd /root/ && chmod +x ${runnable}\"" &> /dev/null + sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \ + "ssh $ssh_options $1 \"cd /root/ && nohup /root/${runnable} > install.log 2> /dev/null\"" &> /dev/null + # Output here + sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \ + "ssh $ssh_options $1 \"cd /root/ && cat install.log\"" +} + +target_info=$(sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \ +fuel node list| grep ${target} | grep "True\| 1" | awk -F\| "{print \$5}" | \ +sed 's/ //g') &> /dev/null + +for machine in ${target_info} ; do + run_on_target $machine +done diff --git a/tools/keystone/writepass.sh b/tools/keystone/writepass.sh new file mode 100755 index 0000000..2b0a965 --- /dev/null +++ b/tools/keystone/writepass.sh @@ -0,0 +1,130 @@ +#!/bin/bash +# +# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com) +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +# + +set -o xtrace +set -o errexit +set -o nounset +set -o pipefail + +PASSWORD_FILE_ENC="servicepass.ini" +PASSWORD_FILE="/root/passwords.ini" + +function ini_has_option { + local file=$1 + local section=$2 + local option=$3 + local line + line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file") + [ -n "$line" ] +} + +# Get an option from an INI file +# iniget config-file section option +function iniget { + local xtrace + xtrace=$(set +o | grep xtrace) + set +o xtrace + local file=$1 + local section=$2 + local option=$3 + local line + + line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file") + echo ${line#*=} + $xtrace +} + +# Set an option in an INI file +# iniset [-sudo] config-file section option value +# - if the file does not exist, it is created +function iniset { + local file=$1 + local section=$2 + local option=$3 + local value=$4 + + [[ -z $section || -z $option ]] && return + + if ! grep -q "^\[$section\]" "$file" 2>/dev/null; then + echo -e "\n[$section]" >>"$file" + fi + if ! ini_has_option "$file" "$section" "$option"; then + sed -i -e "/^\[$section\]/ a\\ +$option = $value +" "$file" + else + local sep=$(echo -ne "\x01") + # Replace it + sed -i -e '/^\['${section}'\]/,/^\[.*\]/ s'${sep}'^\('${option}'[ \t]*=[ \t]*\).*$'${sep}'\1'"${value}"${sep} "$file" + fi +} + +function decode_passwords() { + openssl enc -aes-256-cbc -d -a -in ${PASSWORD_FILE_ENC} -out /root/passwords.ini -k multisite +} + +function write_controller() { + # For each slave region the following files must be updated on each controller. + iniset "/etc/glance/glance-registry.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glance_password) + iniset "/etc/glance/glance-api.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glance_password) + iniset "/etc/glance/glance-glare.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glare_password) + iniset "/etc/heat/heat.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT heat_password) + iniset "/etc/nova/nova.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT nova_password) + iniset "/etc/nova/nova.conf" neutron password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password) + iniset "/etc/cinder/cinder.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT cinder_password) + iniset "/etc/neutron/neutron.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password) + iniset "/etc/ceilometer/ceilometer.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT ceilometer_password) + iniset "/etc/aodh/aodh.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT aodh_password) +} + +function restart_controller() { + service nova-api restart + service nova-cert restart + service nova-conductor restart + service nova-novncproxy restart + service nova-consoleauth restart + + service neutron-server restart + service heat-api restart + service heat-engine restart + service glance-api restart + service glance-registry restart + service glance-glare restart + + service cinder-api restart + service cinder-volume restart + service cinder-scheduler restart + service cinder-backup restart + + # corosync resources + crm resource restart p_ceilometer-agent-central + crm resource restart p_aodh-evaluator +} + +function write_compute() { + iniset "/etc/nova/nova.conf" neutron password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password) +} + +function restart_compute() { + service nova-compute restart +} + +#begin +decode_passwords + +# are we on the controller? +if pgrep -f nova-api > /dev/null +then + write_controller + restart_controller +else + write_compute + restart_compute +fi |