authorPedro Alvarez <pedro.alvarez@codethink.co.uk>2015-04-13 17:19:04 +0000
committerPedro Alvarez <pedro.alvarez@codethink.co.uk>2015-04-16 16:24:21 +0000
commit8d76e18a6debb4b421c5d443bc673f88abc7a8e6 (patch)
tree08785d33244c4efa9b6b3e973b938afc48340c4f
parentffd35eafd549a923f43569d12ec0fbd39a43cc46 (diff)
downloaddefinitions-8d76e18a6debb4b421c5d443bc673f88abc7a8e6.tar.gz
Openstack: Make Keystone configurable
Change-Id: Ic29d7c367622e0ab35486466e5e32ca432539c39 Signed-off-by: Pedro Alvarez <pedro.alvarez@codethink.co.uk> Signed-off-by: Francisco Redondo Marchena <francisco.marchena@codethink.co.uk>
-rw-r--r--openstack-keystone.configure99
-rw-r--r--openstack/manifest18
-rw-r--r--openstack/usr/lib/systemd/system/openstack-keystone-setup.service12
-rw-r--r--openstack/usr/lib/systemd/system/openstack-keystone.service13
-rw-r--r--openstack/usr/lib/systemd/system/postgres-server.service25
-rw-r--r--openstack/usr/lib/systemd/system/rabbitmq-server.service16
-rw-r--r--openstack/usr/share/openstack/hosts1
-rw-r--r--openstack/usr/share/openstack/keystone.yml188
-rw-r--r--openstack/usr/share/openstack/keystone/keystone.conf27
-rw-r--r--openstack/usr/share/openstack/postgres/pg_hba.conf4
-rw-r--r--openstack/usr/share/openstack/postgres/postgresql.conf11
-rw-r--r--openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf3
-rw-r--r--openstack/usr/share/openstack/rabbitmq/rabbitmq.config9
-rw-r--r--systems/openstack-system-x86_64.morph1
14 files changed, 414 insertions, 13 deletions
diff --git a/openstack-keystone.configure b/openstack-keystone.configure
new file mode 100644
index 00000000..7c8631ce
--- /dev/null
+++ b/openstack-keystone.configure
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2015 Codethink Limited
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -e
+
+ROOT="$1"
+
+##########################################################################
+
+ln -s "/usr/lib/systemd/system/openstack-keystone-setup.service" \
+ "$ROOT/etc/systemd/system/multi-user.target.wants/openstack-keystone-setup.service"
+
+ln -s "/usr/lib/systemd/system/openstack-horizon-setup.service" \
+ "$ROOT/etc/systemd/system/multi-user.target.wants/openstack-horizon-setup.service"
+
+##########################################################################
+# Check variables
+##########################################################################
+
+if [ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -a \
+ -z "$KEYSTONE_ADMIN_PASSWORD" -a \
+ -z "$KEYSTONE_DB_USER" -a \
+ -z "$KEYSTONE_DB_PASSWORD" -a \
+ -z "$RABBITMQ_HOST" -a \
+ -z "$RABBITMQ_PORT" -a \
+ -z "$RABBITMQ_USER" -a \
+ -z "$RABBITMQ_PASSWORD" -a \
+ -z "$MANAGEMENT_INTERFACE_IP_ADDRESS" -a \
+ -z "$CONTROLLER_HOST_ADDRESS" ]; then
+ # No Keystone options defined, do nothing.
+ exit 0
+fi
+
+if [ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -o \
+ -z "$KEYSTONE_ADMIN_PASSWORD" -o \
+ -z "$KEYSTONE_DB_USER" -o \
+ -z "$KEYSTONE_DB_PASSWORD" -o \
+ -z "$RABBITMQ_HOST" -o \
+ -z "$RABBITMQ_PORT" -o \
+ -z "$RABBITMQ_USER" -o \
+ -z "$RABBITMQ_PASSWORD" -o \
+ -z "$MANAGEMENT_INTERFACE_IP_ADDRESS" -o \
+ -z "$CONTROLLER_HOST_ADDRESS" ]; then
+ echo Some options required for Keystone were defined, but not all.
+ exit 1
+fi
+
+
+python <<'EOF'
+import socket
+import sys
+import os
+
+try:
+ socket.inet_pton(socket.AF_INET, os.environ['MANAGEMENT_INTERFACE_IP_ADDRESS'])
+except:
+ print "Error: MANAGEMENT_INTERFACE_IP_ADDRESS is not a valid IP"
+ sys.exit(1)
+EOF
+
+
+##########################################################################
+# Generate configuration file
+##########################################################################
+
+OPENSTACK_DATA="$ROOT/etc/openstack"
+mkdir -p "$OPENSTACK_DATA"
+
+python <<'EOF' >"$OPENSTACK_DATA/keystone.conf"
+import os, sys, yaml
+
+keystone_configuration={
+ 'KEYSTONE_TEMPORARY_ADMIN_TOKEN': os.environ['KEYSTONE_TEMPORARY_ADMIN_TOKEN'],
+ 'KEYSTONE_ADMIN_PASSWORD': os.environ['KEYSTONE_ADMIN_PASSWORD'],
+ 'KEYSTONE_DB_USER': os.environ['KEYSTONE_DB_USER'],
+ 'KEYSTONE_DB_PASSWORD': os.environ['KEYSTONE_DB_PASSWORD'],
+ 'RABBITMQ_HOST': os.environ['RABBITMQ_HOST'],
+ 'RABBITMQ_PORT': os.environ['RABBITMQ_PORT'],
+ 'RABBITMQ_USER': os.environ['RABBITMQ_USER'],
+ 'RABBITMQ_PASSWORD': os.environ['RABBITMQ_PASSWORD'],
+ 'MANAGEMENT_INTERFACE_IP_ADDRESS': os.environ['MANAGEMENT_INTERFACE_IP_ADDRESS'],
+ 'CONTROLLER_HOST_ADDRESS': os.environ['CONTROLLER_HOST_ADDRESS'],
+}
+
+yaml.dump(keystone_configuration, sys.stdout, default_flow_style=False)
+EOF
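Review bot: The generated `$OPENSTACK_DATA/keystone.conf` carries the admin token and the database and RabbitMQ passwords, yet it is created through a plain `>` redirect at whatever umask the build runs with, so on most images it ends up world-readable; add `umask 077` before the `python <<'EOF' >"$OPENSTACK_DATA/keystone.conf"` line (or `chmod 600 "$OPENSTACK_DATA/keystone.conf"` after it) so only root can read the rendered secrets. The address check in the first heredoc uses a bare `except:`, which also swallows a KeyError or a typo in the snippet itself and prints the misleading "not a valid IP" message; `except socket.error:` is the intended scope, and the Python 2 `print` statement pins the extension to a Python 2 interpreter. The symlink to `openstack-horizon-setup.service` points at a unit this commit does not add, so unless it is shipped elsewhere the link dangles.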
diff --git a/openstack/manifest b/openstack/manifest
new file mode 100644
index 00000000..d48d5f9d
--- /dev/null
+++ b/openstack/manifest
@@ -0,0 +1,18 @@
+0040755 0 0 /usr/share/openstack
+0100644 0 0 /usr/share/openstack/hosts
+0100644 0 0 /usr/share/openstack/keystone.yml
+0040755 0 0 /usr/share/openstack/keystone
+0100644 0 0 /usr/share/openstack/keystone/logging.conf
+0100644 0 0 /usr/share/openstack/keystone/keystone.conf
+0100644 0 0 /usr/share/openstack/keystone/policy.json
+0100644 0 0 /usr/share/openstack/keystone/keystone-paste.ini
+0040755 0 0 /usr/share/openstack/postgres
+0100644 0 0 /usr/share/openstack/postgres/pg_hba.conf
+0100644 0 0 /usr/share/openstack/postgres/postgresql.conf
+0040755 0 0 /usr/share/openstack/rabbitmq
+0100644 0 0 /usr/share/openstack/rabbitmq/rabbitmq-env.conf
+0100644 0 0 /usr/share/openstack/rabbitmq/rabbitmq.config
+0100644 0 0 /usr/lib/systemd/system/openstack-keystone.service
+0100644 0 0 /usr/lib/systemd/system/openstack-keystone-setup.service
+0100644 0 0 /usr/lib/systemd/system/rabbitmq-server.service
+0100644 0 0 /usr/lib/systemd/system/postgres-server.service
diff --git a/openstack/usr/lib/systemd/system/openstack-keystone-setup.service b/openstack/usr/lib/systemd/system/openstack-keystone-setup.service
new file mode 100644
index 00000000..9ea04c1d
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/openstack-keystone-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Run keystone-setup Ansible scripts
+After=local-fs.target postgres-server.service
+ConditionPathExists=/etc/openstack/keystone.conf
+
+[Service]
+# Oneshot, since others setup have to wait until this service finishes
+Type=oneshot
+ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/keystone.yml
+
+[Install]
+WantedBy=multi-user.target
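Review bot: `ansible-playbook -v` prints each task's result into the journal, and several tasks in keystone.yml receive the admin token and the database and RabbitMQ passwords from the vars file, so with verbose output those values may end up in the system log; either drop `-v` here or mark the credential-bearing tasks `no_log: true` in the playbook. The unit is also wanted by multi-user.target with `Type=oneshot` and no completion marker, so the whole playbook runs again on every boot; if that is intended because the tasks are idempotent, a comment such as `# Re-runs on every boot; all tasks in keystone.yml must stay idempotent` documents the contract.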
diff --git a/openstack/usr/lib/systemd/system/openstack-keystone.service b/openstack/usr/lib/systemd/system/openstack-keystone.service
new file mode 100644
index 00000000..0aa9e1ef
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/openstack-keystone.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenStack Identity Service (code-named Keystone)
+After=syslog.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+Restart=always
+User=keystone
+ExecStart=/usr/bin/keystone-all --config-file /etc/keystone/keystone.conf
+
+[Install]
+WantedBy=multi-user.target
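Review bot: `Type=notify` makes systemd wait for a READY=1 notification before the unit counts as started, and `keystone-all` is a plain WSGI launcher that, as far as I can tell, never calls sd_notify, so the unit would sit in activating until the start timeout and then be cycled by `Restart=always`; `Type=simple` is the safer choice unless the packaged keystone has notify support — confirm. `After=syslog.target` is a no-op on current systemd and can be dropped. The process runs as `User=keystone` and reads /etc/keystone/keystone.conf, which the playbook installs without an explicit owner or mode, so this unit also depends on that file being readable by the keystone user.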
diff --git a/openstack/usr/lib/systemd/system/postgres-server.service b/openstack/usr/lib/systemd/system/postgres-server.service
new file mode 100644
index 00000000..70b2fd09
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/postgres-server.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=PostgreSQL database server
+After=network.target
+
+[Service]
+Type=forking
+TimeoutSec=120
+User=postgres
+Group=postgres
+
+Environment=PGROOT=/var/lib/pgsql
+
+SyslogIdentifier=postgres
+PIDFile=/var/lib/pgsql/data/postmaster.pid
+
+ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT}/data start -w -t 120
+ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT}/data reload
+ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT}/data stop -m fast
+
+# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
+# killing Postgres, so adjust it downward
+OOMScoreAdjust=-200
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openstack/usr/lib/systemd/system/rabbitmq-server.service b/openstack/usr/lib/systemd/system/rabbitmq-server.service
new file mode 100644
index 00000000..f161b9d0
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/rabbitmq-server.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=RabbitMQ broker
+After=syslog.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=rabbitmq
+Group=rabbitmq
+Environment=HOME=/var/lib/rabbitmq
+WorkingDirectory=/var/lib/rabbitmq
+ExecStart=/usr/sbin/rabbitmq-server
+ExecStop=/usr/sbin/rabbitmqctl stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openstack/usr/share/openstack/hosts b/openstack/usr/share/openstack/hosts
new file mode 100644
index 00000000..5b97818d
--- /dev/null
+++ b/openstack/usr/share/openstack/hosts
@@ -0,0 +1 @@
+localhost ansible_connection=local
diff --git a/openstack/usr/share/openstack/keystone.yml b/openstack/usr/share/openstack/keystone.yml
new file mode 100644
index 00000000..20753a9c
--- /dev/null
+++ b/openstack/usr/share/openstack/keystone.yml
@@ -0,0 +1,188 @@
+---
+- hosts: localhost
+ vars_files:
+ - "/etc/openstack/keystone.conf"
+ tasks:
+
+ # RabbitMQ configuration, this may end up in a different playbook
+ - name: Create rabbitmq user
+ user:
+ name: rabbitmq
+ comment: Rabbitmq server daemon
+ shell: /sbin/nologin
+ home: /var/lib/rabbitmq
+
+ - name: Create the rabbitmq directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: rabbitmq
+ group: rabbitmq
+ with_items:
+ - /var/run/rabbitmq
+ - /var/log/rabbitmq
+ - /etc/rabbitmq
+
+ - name: Add the configuration needed for rabbitmq in /etc/rabbitmq using templates
+ template:
+ src: /usr/share/openstack/rabbitmq/{{ item }}
+ dest: /etc/rabbitmq/{{ item }}
+ owner: rabbitmq
+ group: rabbitmq
+ mode: 0644
+ with_items:
+ - rabbitmq.config
+ - rabbitmq-env.conf
+
+ - name: Enable and start rabbitmq services
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ with_items:
+ - rabbitmq-server
+
+ # Postgres configuration, this may end up in a different playbook
+ - name: Create postgres user
+ user:
+ name: postgres
+ comment: PostgreSQL Server
+ shell: /sbin/nologin
+ home: /var/lib/pgsql
+
+ - name: Create the postgres directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: postgres
+ group: postgres
+ with_items:
+ - /var/run/postgresql
+ - /var/lib/pgsql/data
+
+ - name: Initialise postgres database
+ command: pg_ctl -D /var/lib/pgsql/data initdb
+ args:
+ creates: /var/lib/pgsql/data/base
+ sudo: yes
+ sudo_user: postgres
+
+ - name: Add the configuration needed for postgres for Openstack
+ template:
+ src: /usr/share/openstack/postgres/{{ item }}
+ dest: /var/lib/pgsql/data/{{ item }}
+ owner: postgres
+ group: postgres
+ mode: 0600
+ with_items:
+ - postgresql.conf
+ - pg_hba.conf
+
+ - name: Enable and start postgres services
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ with_items:
+ - postgres-server
+
+
+ # Keystone configuration
+ - name: Create the keystone user.
+ user:
+ name: keystone
+ comment: Openstack Keystone Daemons
+ shell: /sbin/nologin
+ home: /var/lib/keystone
+
+ - name: Create the /var folders for keystone
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: keystone
+ group: keystone
+ with_items:
+ - /var/run/keystone
+ - /var/lock/keystone
+ - /var/log/keystone
+ - /var/lib/keystone
+
+ - name: Create /etc/keystone directory
+ file:
+ path: /etc/keystone
+ state: directory
+
+ - name: Add the configuration needed for lorry in /etc using templates
+ template:
+ src: /usr/share/openstack/keystone/{{ item }}
+ dest: /etc/keystone/{{ item }}
+ with_lines:
+ - cd /usr/share/openstack/keystone && find -type f
+
+ - name: Create postgresql user for keystone
+ postgresql_user:
+ name: "{{ KEYSTONE_DB_USER }}"
+ password: "{{ KEYSTONE_DB_PASSWORD }}"
+ sudo: yes
+ sudo_user: keystone
+
+ - name: Create database for keystone services
+ postgresql_db:
+ name: keystone
+ owner: "{{ KEYSTONE_DB_USER }}"
+ sudo: yes
+ sudo_user: keystone
+
+ - name: Initiatie keystone database
+ keystone_manage:
+ action: dbsync
+ sudo: yes
+ sudo_user: keystone
+
+ - name: Enable and start openstack-keystone service
+ service:
+ name: openstack-keystone.service
+ enabled: yes
+ state: started
+
+ - name: Create admin tenant
+ keystone_user:
+ tenant: admin
+ tenant_description: Admin Tenant
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Create admin user for the admin tenant
+ keystone_user:
+ user: admin
+ tenant: admin
+ password: "{{ KEYSTONE_ADMIN_PASSWORD }}"
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Create admin role for admin user in the admin tenant
+ keystone_user:
+ role: admin
+ user: admin
+ tenant: admin
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Create service tenant
+ keystone_user:
+ tenant: service
+ tenant_description: Service Tenant
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Add kestone endpoint
+ keystone_service:
+ name: keystone
+ type: identity
+ description: Keystone Identity Service
+ publicurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0
+ internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0
+ adminurl: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+ region: regionOne
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
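Review bot: The template task named `Add the configuration needed for lorry in /etc using templates` renders keystone.conf, with the admin token and the database and RabbitMQ passwords, into /etc/keystone but sets no `owner`, `group` or `mode`, so the files land root-owned at the default mode, which is world-readable on most images; add `owner: keystone`, `group: keystone` and `mode: 0600` to that task, as the rabbitmq and postgres template tasks above already do. The task name is a leftover from a lorry playbook and should read `Add the configuration needed for keystone in /etc using templates`; `Initiatie keystone database` and `Add kestone endpoint` also have typos. Nothing after the admin-role task disables the bootstrap token, so the admin_token path stays live for the life of the deployment; a `# TODO: clear admin_token / drop AdminTokenAuthMiddleware once the admin user exists` comment would at least record that as a known gap.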
diff --git a/openstack/usr/share/openstack/keystone/keystone.conf b/openstack/usr/share/openstack/keystone/keystone.conf
index c058a030..3d242a50 100644
--- a/openstack/usr/share/openstack/keystone/keystone.conf
+++ b/openstack/usr/share/openstack/keystone/keystone.conf
@@ -10,7 +10,7 @@
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
-#admin_token=ADMIN
+admin_token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}
# The IP address of the network interface for the public
# service to listen on. (string value)
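Review bot: `admin_token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}` is now rendered permanently into the config, while the upstream comment kept just above it says to remove AdminTokenAuthMiddleware from the paste pipeline once bootstrap is done; nothing in this commit does that, so the bootstrap token remains a full-admin credential indefinitely despite the TEMPORARY in its name. If a later step is meant to clear it, a comment here such as `# Bootstrap only: expected to be cleared after the admin user is created` makes the intent visible; otherwise the variable should be renamed to match reality.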
@@ -33,11 +33,11 @@
# The port number which the admin service listens on. (integer
# value)
-#admin_port=35357
+admin_port=35357
# The port number which the public service listens on.
# (integer value)
-#public_port=5000
+public_port=5000
# The base public endpoint URL for Keystone that is advertised
# to clients (NOTE: this does NOT affect how Keystone listens
@@ -207,23 +207,23 @@
# The RabbitMQ broker address where a single node is used.
# (string value)
-#rabbit_host=localhost
+rabbit_host={{ RABBITMQ_HOST }}
# The RabbitMQ broker port where a single node is used.
# (integer value)
-#rabbit_port=5672
+rabbit_port={{ RABBITMQ_PORT }}
# RabbitMQ HA cluster host:port pairs. (list value)
-#rabbit_hosts=$rabbit_host:$rabbit_port
+rabbit_hosts=$rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
-#rabbit_use_ssl=false
+rabbit_use_ssl=false
# The RabbitMQ userid. (string value)
-#rabbit_userid=guest
+rabbit_userid={{ RABBITMQ_USER }}
# The RabbitMQ password. (string value)
-#rabbit_password=guest
+rabbit_password={{ RABBITMQ_PASSWORD }}
# the RabbitMQ login method (string value)
#rabbit_login_method=AMQPLAIN
@@ -308,7 +308,7 @@
# The messaging driver to use, defaults to rabbit. Other
# drivers include qpid and zmq. (string value)
-#rpc_backend=rabbit
+rpc_backend=rabbit
# The default exchange under which topics are scoped. May be
# overridden by an exchange name specified in the
@@ -630,6 +630,7 @@
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection=<None>
+connection=postgresql://{{ KEYSTONE_DB_USER }}:{{ KEYSTONE_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/keystone
# The SQLAlchemy connection string to use to connect to the
# slave database. (string value)
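Review bot: The `connection=` URL points at `{{ CONTROLLER_HOST_ADDRESS }}`, but postgresql.conf in this commit binds `listen_addresses` to `{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}` and pg_hba.conf only admits that address, so unless the two variables always hold the same value keystone cannot reach its database. Either use the management address here as well or document the coupling, e.g. `# CONTROLLER_HOST_ADDRESS must be the address PostgreSQL listens on (postgres/postgresql.conf)`. The database password is embedded in this URL, which is another reason the rendered file must not be world-readable.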
@@ -1534,11 +1535,11 @@
# Controls the token construction, validation, and revocation
# operations. Core providers are
# "keystone.token.providers.[pkiz|pki|uuid].Provider". The
-# default provider is uuid. (string value)
-#provider=<None>
+# default provider is pkiz. (string value)
+provider=keystone.token.providers.uuid.Provider
# Token persistence backend driver. (string value)
-#driver=keystone.token.persistence.backends.sql.Token
+driver=keystone.token.backends.sql.Token
# Toggle for token system caching. This has no effect unless
# global caching is enabled. (boolean value)
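Review bot: `driver=keystone.token.backends.sql.Token` replaces the upstream default `keystone.token.persistence.backends.sql.Token` with a different module path; unless the keystone being packaged still ships that module (presumably an older release's path), the service fails at startup on an import error, so the value should be checked against the installed release. The comment edit on the line above rewrites upstream's description of the default from uuid to pkiz while the setting below selects uuid; if this sample file is meant to track upstream, its comments are better left untouched and the local choice explained in a separate line such as `# uuid chosen over pkiz to avoid PKI certificate setup on first boot`.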
diff --git a/openstack/usr/share/openstack/postgres/pg_hba.conf b/openstack/usr/share/openstack/postgres/pg_hba.conf
new file mode 100644
index 00000000..0968fc44
--- /dev/null
+++ b/openstack/usr/share/openstack/postgres/pg_hba.conf
@@ -0,0 +1,4 @@
+local all all trust
+host all all 127.0.0.0/8 trust
+host all all ::1/128 trust
+host all all {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 trust
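Review bot: Every line uses `trust`, so any process that can open a socket to 127.0.0.1, ::1 or the management address authenticates as any role, including the `postgres` superuser, without a password, and the KEYSTONE_DB_PASSWORD the playbook sets is never actually checked. Keystone's connection string already carries the password, so the three `host` lines can use `md5`, e.g. `host keystone {{ KEYSTONE_DB_USER }} {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 md5`; the `local` line can stay `trust` only because the playbook's `postgresql_user` and `postgresql_db` tasks run over the unix socket, and that reason deserves a comment on the line so the next maintainer does not tighten it and break the setup playbook.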
diff --git a/openstack/usr/share/openstack/postgres/postgresql.conf b/openstack/usr/share/openstack/postgres/postgresql.conf
new file mode 100644
index 00000000..74153385
--- /dev/null
+++ b/openstack/usr/share/openstack/postgres/postgresql.conf
@@ -0,0 +1,11 @@
+listen_addresses = '{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}'
+max_connections = 100
+shared_buffers = 128MB
+log_timezone = 'UTC'
+datestyle = 'iso, mdy'
+timezone = 'UTC'
+lc_messages = 'C'
+lc_monetary = 'C'
+lc_numeric = 'C'
+lc_time = 'C'
+default_text_search_config = 'pg_catalog.english'
diff --git a/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf b/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf
new file mode 100644
index 00000000..d4c58dae
--- /dev/null
+++ b/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf
@@ -0,0 +1,3 @@
+# Configure port node where rabbitmq-server will listen from.
+NODE_PORT={{ RABBITMQ_PORT }}
+CONFIG_FILE=/etc/rabbitmq/rabbitmq
diff --git a/openstack/usr/share/openstack/rabbitmq/rabbitmq.config b/openstack/usr/share/openstack/rabbitmq/rabbitmq.config
new file mode 100644
index 00000000..9b93881e
--- /dev/null
+++ b/openstack/usr/share/openstack/rabbitmq/rabbitmq.config
@@ -0,0 +1,9 @@
+%% -*- Rabbit configuration for Openstack in Baserock
+[
+ {rabbit,
+ [
+ {default_user, <<"{{ RABBITMQ_USER }}">>},
+ {default_pass, <<"{{ RABBITMQ_PASSWORD }}">>},
+ {tcp_listeners, [{{ RABBITMQ_PORT }}]}
+ ]}
+].
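Review bot: `{tcp_listeners, [{{ RABBITMQ_PORT }}]}` binds the AMQP port on every interface, while PostgreSQL in the same commit is restricted to the management address; since the broker credentials travel in plaintext (`rabbit_use_ssl=false` in keystone.conf), restricting the listener to the same interface is worth doing, e.g. `{tcp_listeners, [{"{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}", {{ RABBITMQ_PORT }}]}`. The header line opens an Emacs `-*-` mode marker without closing it; harmless as an Erlang comment, but `%% RabbitMQ configuration for OpenStack in Baserock` is clearer.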
diff --git a/systems/openstack-system-x86_64.morph b/systems/openstack-system-x86_64.morph
index 593794e0..64125a73 100644
--- a/systems/openstack-system-x86_64.morph
+++ b/systems/openstack-system-x86_64.morph
@@ -63,3 +63,4 @@ configuration-extensions:
- install-files
- cloud-init
- hosts
+- openstack-keystone