From e7fe8818ece870b88556f7bad78b589b26d19151 Mon Sep 17 00:00:00 2001
From: Dimitri Mazmanov
Date: Mon, 28 Nov 2016 13:25:54 +0100
Subject: Common auth configuration for Mulsite deployment

This set of scripts is used to configure centralized Keystone across multiple regions. Each script is executed during a certain stage of the automated multisite deployment setup via Jenkins [1].
region.sh - registers new endpoints in Keystone tagging them with RegionTwo.
fetchpass.sh - reads service passwords in the master region and stores them in an encrypted file.
endpoint.sh - reads the public_url, private_url and admin_url from RegionTwo and stores it in a file to be used during region registration phase.
run.sh - is a generic proxy runner which triggers execution of any runnable on a target node (compute|controller).
writepass.sh - updates service password entries in the configuration files for RegionTwo.
[1] https://wiki.opnfv.org/display/multisite/Multisite+Deployment+Environment
Change-Id: If2c91600237003a13cc0dc822924ab8d27ce202c
Signed-off-by: Dimitri Mazmanov
---
 tools/keystone/endpoint.sh | 30 ++++++++++
 tools/keystone/fetchpass.sh | 72 ++++++++++++++++++++++++
 tools/keystone/region.sh | 103 ++++++++++++++++++++++++++++++-----
 tools/keystone/run.sh | 92 +++++++++++++++++++++++++++++++
 tools/keystone/writepass.sh | 130 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 412 insertions(+), 15 deletions(-)
 create mode 100755 tools/keystone/endpoint.sh
 create mode 100755 tools/keystone/fetchpass.sh
 create mode 100755 tools/keystone/run.sh
 create mode 100755 tools/keystone/writepass.sh
diff --git a/tools/keystone/endpoint.sh b/tools/keystone/endpoint.sh
new file mode 100755
index 0000000..410a723
--- /dev/null
+++ b/tools/keystone/endpoint.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+set -o xtrace
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Ensure that openrc containing OpenStack environment variables is present.
+source openrc
+
+# Endpoints. Dynamically get IP addresses from another service (keystone)
+ENDPOINT_PUBLIC_URL=$(openstack endpoint list | grep keystone | grep public | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+ENDPOINT_ADMIN_URL=$(openstack endpoint list | grep keystone | grep admin | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+ENDPOINT_INTERNAL_URL=$(openstack endpoint list | grep keystone | grep internal | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+
+cat <> /root/endpoints.ini
+[DEFAULT]
+public_url=${ENDPOINT_PUBLIC_URL}
+admin_url=${ENDPOINT_ADMIN_URL}
+private_url=${ENDPOINT_INTERNAL_URL}
+os_region=${OS_REGION}
+EOT
diff --git a/tools/keystone/fetchpass.sh b/tools/keystone/fetchpass.sh
new file mode 100755
index 0000000..6e3b069
--- /dev/null
+++ b/tools/keystone/fetchpass.sh
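Review bot: `set -o xtrace` is switched on before `source openrc`, so every assignment openrc performs — presumably including the OS_PASSWORD export such files carry — is echoed to the trace on stderr, and in the Jenkins-driven flow the commit message describes that ends up in build logs; turn tracing off around the sourcing, `set +o xtrace; source openrc; set -o xtrace`, or move `set -o xtrace` below it. The file written here uses the key `private_url`, while region.sh in the same change reads `internal_url` from the same file, so the internal endpoint host never reaches the reader; one of the two names should change (noted once here rather than again on region.sh). With `set -o nounset` active, `${OS_REGION}` aborts the script unless openrc happens to export it, which is worth a comment or a `${OS_REGION:?}` check. Separately, `cat <> /root/endpoints.ini` as rendered here has no heredoc delimiter before `EOT`; if that is not an artifact of the page it should read `cat <<EOT >> /root/endpoints.ini`.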
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# DISCLAIMER: This script is a dirty filthy hack! But we need it.
+# Fetch service password from the configuration files and store them
+# in a file to pass further down the build chain
+
+EXPORT_FILE="/root/servicepass.ini"
+
+GLANCE_CONF="/etc/glance/glance-registry.conf"
+NOVA_CONF="/etc/nova/nova.conf"
+NEUTRON_CONF="/etc/neutron/neutron.conf"
+CINDER_CONF="/etc/cinder/cinder.conf"
+HEAT_CONF="/etc/heat/heat.conf"
+GLARE_CONF="/etc/glance/glance-glare.conf"
+KEYSTONE_CONF='/etc/keystone/keystone.conf'
+CEILOMETER_CONF='/etc/ceilometer/ceilometer.conf'
+AODH_CONF='/etc/aodh/aodh.conf'
+
+source openrc
+
+# Get an option from an INI file
+# iniget config-file section option
+function iniget {
+ local xtrace
+ xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ echo ${line#*=}
+ $xtrace
+}
+
+bind_host=$(openstack endpoint list | grep keystone | grep public | cut -d '|' -f 8 | cut -d '/' -f 3 | cut -d ':' -f 1)
+
+glance_password=$(iniget ${GLANCE_CONF} keystone_authtoken password)
+nova_password=$(iniget ${NOVA_CONF} keystone_authtoken password)
+cinder_password=$(iniget ${CINDER_CONF} keystone_authtoken password)
+glare_password=$(iniget ${GLARE_CONF} keystone_authtoken password)
+heat_password=$(iniget ${HEAT_CONF} keystone_authtoken password)
+neutron_password=$(iniget ${NEUTRON_CONF} keystone_authtoken password)
+ceilometer_password=$(iniget ${CEILOMETER_CONF} keystone_authtoken password)
+aodh_password=$(iniget ${AODH_CONF} keystone_authtoken password)
+#NOTE: can't find 
swift in /etc
+
+cat <> /root/passwords.ini
+[DEFAULT]
+identity_uri=${bind_host}
+glance=${glance_password}
+nova=${nova_password}
+cinder=${cinder_password}
+glare=${glare_password}
+heat=${heat_password}
+neutron=${neutron_password}
+ceilometer=${ceilometer_password}
+aodh=${aodh_password}
+EOT
+
+openssl enc -aes-256-cbc -salt -in /root/passwords.ini -out ${EXPORT_FILE} -k multisite
+
+rm /root/passwords.ini
\ No newline at end of file
diff --git a/tools/keystone/region.sh b/tools/keystone/region.sh
index f3b0180..1ae108f 100755
--- a/tools/keystone/region.sh
+++ b/tools/keystone/region.sh
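Review bot: The output of `openssl enc -aes-256-cbc -salt -in /root/passwords.ini -out ${EXPORT_FILE} -k multisite` is raw binary, but writepass.sh in the same change decrypts it with `-d -a`, which expects base64 input, so the decrypt step fails on the consumer side; the two invocations must agree, e.g. add `-a` here. The key names written to the file (`glance=`, `nova=`, …) also differ from the ones writepass.sh looks up (`glance_password`, `nova_password`, …), so every lookup there comes back empty; pick one naming scheme and use it in both files. The passphrase `multisite` is hard-coded in both committed scripts, so the encryption only protects the file from someone who has the file but not the repository; if the hand-off through Jenkins is meant to be confidential, supply the passphrase out of band, for example `-pass env:<VARNAME>` or `-pass file:<PATH>` with a restrictively-permissioned file. The cleartext `/root/passwords.ini` is created with the caller's umask before being removed; a `umask 077` ahead of the heredoc write narrows that window, and `set -o errexit` is absent here so a failed `openssl` still leads to the `rm` and a silent empty hand-off.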
@@ -27,26 +27,99 @@ source openrc
 #
 # openstack endpoint create --publicurl "" --adminurl "" --internalurl "" --region ${region}
-public_url=${NEW_PUBLIC_URL}
-internal_url=${NEW_INTERNAL_URL}
-admin_url=${NEW_ADMIN_URL}
-region=${NEW_REGION}
+ENDPOINT_FILE="/root/endpoints.ini"
+
+# Get an option from an INI file
+# iniget config-file section option
+function iniget {
+ local xtrace
+ xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ echo ${line#*=}
+ $xtrace
+}
+
+error () {
+ logger -s -t "registration.error" "$*"
+ exit 1
+}
+
+public_url=$(iniget ${ENDPOINT_FILE} DEFAULT public_url)
+internal_url=$(iniget ${ENDPOINT_FILE} DEFAULT internal_url)
+admin_url=$(iniget ${ENDPOINT_FILE} DEFAULT admin_url)
+region=$(iniget ${ENDPOINT_FILE} DEFAULT os_region)
+
+if [ -z $public_url || -z $internal_url || -z $admin_url || -z $region ]; then
+ error "The provided endpoint information is incomplete. Please che the values for public_url, admin_url, internal_url and os_region."
+fi
 # Nova
-openstack endpoint create --publicurl "http://${public_url}:8774/v2.1" --adminurl "http://${admin_url}:8774/v2.1" --internalurl "http://${internal_url}:8774/v2.1" --region ${region} nova
-openstack endpoint create --publicurl "http://${public_url}:8774/v2/%(tenant_id)s" --adminurl "http://${admin_url}:8774/v2/%(tenant_id)s" --internalurl "http://${internal_url}:8774/v2/%(tenant_id)s" --region ${region} compute_legacy
+openstack endpoint create nova public "http://${public_url}:8774/v2.1" --region ${region}
+openstack endpoint create nova admin "http://${admin_url}:8774/v2.1" --region ${region}
+openstack endpoint create nova internal "http://${internal_url}:8774/v2.1" --region ${region}
+
+openstack endpoint create compute_legacy public "http://${public_url}:8774/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create compute_legacy admin "http://${admin_url}:8774/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create compute_legacy internal "http://${internal_url}:8774/v2/%(tenant_id)s" --region ${region}
+
 # Neutron
-openstack endpoint create --publicurl "http://${public_url}:9696" --adminurl "http://${admin_url}:9696" --internalurl "http://${internal_url}:9696" --region ${region} neutron
+openstack endpoint create neutron public "http://${public_url}:9696" --region ${region}
+openstack endpoint create neutron admin "http://${admin_url}:9696" --region ${region}
+openstack endpoint create neutron internal "http://${internal_url}:9696" --region ${region}
+
 # Cinder
-openstack endpoint create --publicurl "http://${public_url}:8776/v1/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v1/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v1/%(tenant_id)s" --region ${region} cinder
-openstack endpoint create --publicurl "http://${public_url}:8776/v2/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v2/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v2/%(tenant_id)s" --region ${region} cinderv2
-openstack endpoint create 
--publicurl "http://${public_url}:8776/v3/%(tenant_id)s" --adminurl "http://${admin_url}:8776/v3/%(tenant_id)s" --internalurl "http://${internal_url}:8776/v3/%(tenant_id)s" --region ${region} cinderv3
+openstack endpoint create cinder public "http://${public_url}:8776/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create cinder admin "http://${admin_url}:8776/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create cinder internal "http://${internal_url}:8776/v1/%(tenant_id)s" --region ${region}
+
+openstack endpoint create cinderv2 public "http://${public_url}:8776/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv2 admin "http://${admin_url}:8776/v2/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv2 internal "http://${internal_url}:8776/v2/%(tenant_id)s" --region ${region}
+
+openstack endpoint create cinderv3 public "http://${public_url}:8776/v3/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv3 admin "http://${admin_url}:8776/v3/%(tenant_id)s" --region ${region}
+openstack endpoint create cinderv3 internal "http://${internal_url}:8776/v3/%(tenant_id)s" --region ${region}
+
 # Glance
-openstack endpoint create --publicurl "http://${public_url}:9292" --adminurl "http://${admin_url}:9292" --internalurl "http://${internal_url}:9292" --region ${region} glance
+openstack endpoint create glance public "http://${public_url}:9292" --region ${region}
+openstack endpoint create glance admin "http://${admin_url}:9292" --region ${region}
+openstack endpoint create glance internal "http://${internal_url}:9292" --region ${region}
+
 # Heat
-openstack endpoint create --publicurl "http://${public_url}:8004/v1/%(tenant_id)s" --adminurl "http://${admin_url}:8004/v1/%(tenant_id)s" --internalurl "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region} heat
-openstack endpoint create --publicurl "http://${public_url}:8000/v1" --adminurl "http://${admin_url}:8000/v1" --internalurl 
"http://${internal_url}:8000/v1" --region ${region} heat-cfn
+openstack endpoint create heat public "http://${public_url}:8004/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create heat admin "http://${admin_url}:8004/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create heat internal "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region}
+
+openstack endpoint create heat-cfn public "http://${public_url}:8000/v1" --region ${region}
+openstack endpoint create heat-cfn admin "http://${admin_url}:8004/v1/%(tenant_id)s" --region ${region}
+openstack endpoint create heat-cfn internal "http://${internal_url}:8004/v1/%(tenant_id)s" --region ${region}
+
 # Swift
-openstack endpoint create --publicurl "http://${public_url}:8080/swift/v1" --adminurl "http://${admin_url}:8080/swift/v1" --internalurl "http://${internal_url}:8080/swift/v1" --region ${region} swift
+openstack endpoint create swift public "http://${public_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region}
+openstack endpoint create swift admin "http://${admin_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region}
+openstack endpoint create swift internal "http://${internal_url}:8080/v1/AUTH_%(tenant_id)s" --region ${region}
+
+openstack endpoint create swift_s3 public "http://${public_url}:8080" --region ${region}
+openstack endpoint create swift_s3 admin "http://${admin_url}:8080" --region ${region}
+openstack endpoint create swift_s3 internal "http://${internal_url}:8080" --region ${region}
+
 # Glare
-openstack endpoint create --publicurl "http://${public_url}:9494" --adminurl "http://${admin_url}:9494" --internalurl "http://${internal_url}:9494" --region ${region} swift
\ No newline at end of file
+openstack endpoint create glare public "http://${public_url}:9494" --region ${region}
+openstack endpoint create glare admin "http://${admin_url}:9494" --region ${region}
+openstack endpoint create glare internal "http://${internal_url}:9494" --region ${region}
+
+# Ceilometer
+openstack 
endpoint create ceilometer public "http://${public_url}:8777" --region ${region}
+openstack endpoint create ceilometer admin "http://${admin_url}:8777" --region ${region}
+openstack endpoint create ceilometer internal "http://${internal_url}:8777" --region ${region}
+
+#Aodh
+openstack endpoint create aodh public "http://${public_url}:8042" --region ${region}
+openstack endpoint create aodh admin "http://${admin_url}:8042" --region ${region}
+openstack endpoint create aodh internal "http://${internal_url}:8042" --region ${region}
diff --git a/tools/keystone/run.sh b/tools/keystone/run.sh
new file mode 100755
index 0000000..6fc02ca
--- /dev/null
+++ b/tools/keystone/run.sh
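Review bot: The guard `if [ -z $public_url || -z $internal_url || -z $admin_url || -z $region ]; then` never fires: `||` is a shell list operator, so bash runs `[ -z $public_url` (which fails with a missing `]`) and then tries to execute `-z` as a command three times, leaving the `error` branch unreachable; it should be `if [[ -z "$public_url" || -z "$internal_url" || -z "$admin_url" || -z "$region" ]]; then`. That matters here because `internal_url` is read from a key the endpoints.ini writer in this change does not emit (it writes `private_url`), so with the guard inert every internal endpoint is registered with an empty host, e.g. `http://:8774/v2.1`. The `heat-cfn` admin and internal lines use `:8004/v1/%(tenant_id)s` while the public line uses `:8000/v1`; the three interfaces of one service normally differ only in host, so those two look copy-pasted from the `heat` block. The message handed to `error` has a typo, `che` for `check`. The head of region.sh, including whatever `set -o` options it enables and the `source openrc` the hunk header points at, lies before this hunk.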
@@ -0,0 +1,92 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+set -o xtrace
+set -o nounset
+set -o pipefail
+
+
+# This script proxies execution of other scripts through fuel node
+# onto the destination node.
+# Usage: run.sh (controller|compute)
+
+INSTALLER_IP=10.20.0.2
+
+usage() {
+ echo "usage: $0 -a -t (controller|compute) -r -d " >&2
+}
+
+error () {
+ logger -s -t "deploy.error" "$*"
+ exit 1
+}
+
+if [ $# -eq 0 ]; then
+ usage
+ exit 2
+fi
+
+while [[ $# -gt 0 ]]; do
+case $1 in
+ -i|--installer)
+ installer_ip="$2"
+ shift # past argument
+ ;;
+ -t|--target)
+ target="$2"
+ shift # past argument
+ ;;
+ -r|--runnable)
+ runnable="$2"
+ shift # past argument
+ ;;
+ -d|--data)
+ data="$2"
+ shift # past argument
+ ;;
+ *)
+ echo "Non-option argument: '-${OPTARG}'" >&2
+ usage
+ exit 2
+ ;;
+esac
+shift # past argument or value
+
+installer_ip=${installer_ip:-$INSTALLER_IP}
+data=${data:-""}
+
+ssh_options="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+function run_on_target() {
+ # Copy the script to the target
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && cat > ${runnable}\"" < ${runnable} &> /dev/null
+ if [ -n "${data}" ]; then
+ # Copy any accompanying data along with the script
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && cat > ${data}\"" < ${data} &> /dev/null
+ fi
+ # Set the rights and execute
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && chmod +x ${runnable}\"" &> /dev/null
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh 
$ssh_options $1 \"cd /root/ && nohup /root/${runnable} > install.log 2> /dev/null\"" &> /dev/null
+ # Output here
+ sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+ "ssh $ssh_options $1 \"cd /root/ && cat install.log\""
+}
+
+target_info=$(sshpass -p r00tme ssh 2>/dev/null $ssh_options root@${installer_ip} \
+fuel node list| grep ${target} | grep "True\| 1" | awk -F\| "{print \$5}" | \
+sed 's/ //g') &> /dev/null
+
+for machine in ${target_info} ; do
+ run_on_target $machine
+done
diff --git a/tools/keystone/writepass.sh b/tools/keystone/writepass.sh
new file mode 100755
index 0000000..2b0a965
--- /dev/null
+++ b/tools/keystone/writepass.sh
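Review bot: As shown here the option loop opened by `while [[ $# -gt 0 ]]; do` is never closed — the only `done` in the file belongs to the `for machine in ${target_info}` loop at the end — so bash rejects the script with an unexpected end-of-file error before anything runs; a `done` is needed after `shift # past argument or value`. The installer's root password is passed as `sshpass -p r00tme` on every `ssh` invocation, which exposes it to any local user through the process list and, with `set -o xtrace` on, writes it into the trace output as well; `sshpass -e` reading the password from the `SSHPASS` environment variable, or key-based access to the installer, keeps it out of both, and `UserKnownHostsFile=/dev/null` with `StrictHostKeyChecking=no` means the installer's host key is never checked, which is worth a comment saying it is deliberate for this lab setup. `${runnable}` and `${data}` are spliced unquoted into a doubly-nested `ssh` command string, so a path containing whitespace or shell metacharacters is re-parsed by the remote shell; single-quoting them inside the remote command (`\"cd /root/ && cat > '${runnable}'\"`) or copying with `scp` avoids that. The usage text advertises `-a` for the installer address while the `case` accepts `-i|--installer`, and the `*)` branch prints `${OPTARG}`, which only `getopts` would set, so under `set -o nounset` an unknown option yields an unbound-variable error instead of the usage message.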
@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+# Author: Dimitri Mazmanov (dimitri.mazmanov@ericsson.com)
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+set -o xtrace
+set -o errexit
+set -o nounset
+set -o pipefail
+
+PASSWORD_FILE_ENC="servicepass.ini"
+PASSWORD_FILE="/root/passwords.ini"
+
+function ini_has_option {
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ [ -n "$line" ]
+}
+
+# Get an option from an INI file
+# iniget config-file section option
+function iniget {
+ local xtrace
+ xtrace=$(set +o | grep xtrace)
+ set +o xtrace
+ local file=$1
+ local section=$2
+ local option=$3
+ local line
+
+ line=$(sed -ne "/^\[$section\]/,/^\[.*\]/ { /^$option[ \t]*=/ p; }" "$file")
+ echo ${line#*=}
+ $xtrace
+}
+
+# Set an option in an INI file
+# iniset [-sudo] config-file section option value
+# - if the file does not exist, it is created
+function iniset {
+ local file=$1
+ local section=$2
+ local option=$3
+ local value=$4
+
+ [[ -z $section || -z $option ]] && return
+
+ if ! grep -q "^\[$section\]" "$file" 2>/dev/null; then
+ echo -e "\n[$section]" >>"$file"
+ fi
+ if ! ini_has_option "$file" "$section" "$option"; then
+ sed -i -e "/^\[$section\]/ a\\
+$option = $value
+" "$file"
+ else
+ local sep=$(echo -ne "\x01")
+ # Replace it
+ sed -i -e '/^\['${section}'\]/,/^\[.*\]/ s'${sep}'^\('${option}'[ \t]*=[ \t]*\).*$'${sep}'\1'"${value}"${sep} "$file"
+ fi
+}
+
+function decode_passwords() {
+ openssl enc -aes-256-cbc -d -a -in ${PASSWORD_FILE_ENC} -out /root/passwords.ini -k multisite
+}
+
+function write_controller() {
+ # For each slave region the following files must be updated on each controller. 
+ iniset "/etc/glance/glance-registry.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glance_password)
+ iniset "/etc/glance/glance-api.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glance_password)
+ iniset "/etc/glance/glance-glare.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT glare_password)
+ iniset "/etc/heat/heat.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT heat_password)
+ iniset "/etc/nova/nova.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT nova_password)
+ iniset "/etc/nova/nova.conf" neutron password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password)
+ iniset "/etc/cinder/cinder.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT cinder_password)
+ iniset "/etc/neutron/neutron.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password)
+ iniset "/etc/ceilometer/ceilometer.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT ceilometer_password)
+ iniset "/etc/aodh/aodh.conf" keystone_authtoken password $(iniget ${PASSWORD_FILE} DEFAULT aodh_password)
+}
+
+function restart_controller() {
+ service nova-api restart
+ service nova-cert restart
+ service nova-conductor restart
+ service nova-novncproxy restart
+ service nova-consoleauth restart
+
+ service neutron-server restart
+ service heat-api restart
+ service heat-engine restart
+ service glance-api restart
+ service glance-registry restart
+ service glance-glare restart
+
+ service cinder-api restart
+ service cinder-volume restart
+ service cinder-scheduler restart
+ service cinder-backup restart
+
+ # corosync resources
+ crm resource restart p_ceilometer-agent-central
+ crm resource restart p_aodh-evaluator
+}
+
+function write_compute() {
+ iniset "/etc/nova/nova.conf" neutron password $(iniget ${PASSWORD_FILE} DEFAULT neutron_password)
+}
+
+function restart_compute() {
+ service nova-compute restart
+}
+
+#begin
+decode_passwords
+
+# are we on the controller?
+if pgrep -f nova-api > /dev/null
+then
+ write_controller
+ restart_controller
+else
+ write_compute
+ restart_compute
+fi
--
cgit 1.2.3-korg
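Review bot: `set -o xtrace` is still active when `write_controller` and `write_compute` run, and every `iniset … password $(iniget …)` call therefore prints the decrypted service password as part of the traced command line; `iniget` only suppresses tracing inside itself, not in the caller that expands its output. Either drop `set -o xtrace` from this script or bracket the two write functions with `set +o xtrace` and `set -o xtrace`. The cleartext `/root/passwords.ini` produced by `decode_passwords` is never removed after the writes, so it remains on every controller and compute node; `rm -f "${PASSWORD_FILE}"` at the end, or a `trap 'rm -f "${PASSWORD_FILE}"' EXIT` right after decoding, closes that. `iniset` also splices `${value}` straight into the `sed` replacement, so a password containing `&`, `\` or the `\x01` separator corrupts the target file, and because `$(iniget …)` is unquoted an empty lookup leaves `iniset` with three arguments, so `local value=$4` aborts under `set -o nounset` without saying which key was missing — quoting the expansion and checking `[[ -n "$value" ]]` before editing would make both failures explicit.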