From 1a09fe5755f0f7f69ecbf44615fdd01f6a01c7be Mon Sep 17 00:00:00 2001 From: Pedro Alvarez Date: Mon, 13 Apr 2015 17:19:04 +0000 Subject: Openstack: Make Keystone configurable Change-Id: Ic29d7c367622e0ab35486466e5e32ca432539c39 Signed-off-by: Pedro Alvarez Signed-off-by: Francisco Redondo Marchena --- openstack-keystone.configure | 99 +++++++++++ openstack/manifest | 18 ++ .../system/openstack-keystone-setup.service | 12 ++ .../lib/systemd/system/openstack-keystone.service | 13 ++ .../usr/lib/systemd/system/postgres-server.service | 25 +++ .../usr/lib/systemd/system/rabbitmq-server.service | 16 ++ openstack/usr/share/openstack/hosts | 1 + openstack/usr/share/openstack/keystone.yml | 188 +++++++++++++++++++++ .../usr/share/openstack/keystone/keystone.conf | 27 +-- openstack/usr/share/openstack/postgres/pg_hba.conf | 4 + .../usr/share/openstack/postgres/postgresql.conf | 11 ++ .../usr/share/openstack/rabbitmq/rabbitmq-env.conf | 3 + .../usr/share/openstack/rabbitmq/rabbitmq.config | 9 + systems/openstack-system-x86_64.morph | 1 + 14 files changed, 414 insertions(+), 13 deletions(-) create mode 100644 openstack-keystone.configure create mode 100644 openstack/manifest create mode 100644 openstack/usr/lib/systemd/system/openstack-keystone-setup.service create mode 100644 openstack/usr/lib/systemd/system/openstack-keystone.service create mode 100644 openstack/usr/lib/systemd/system/postgres-server.service create mode 100644 openstack/usr/lib/systemd/system/rabbitmq-server.service create mode 100644 openstack/usr/share/openstack/hosts create mode 100644 openstack/usr/share/openstack/keystone.yml create mode 100644 openstack/usr/share/openstack/postgres/pg_hba.conf create mode 100644 openstack/usr/share/openstack/postgres/postgresql.conf create mode 100644 openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf create mode 100644 openstack/usr/share/openstack/rabbitmq/rabbitmq.config 
diff --git a/openstack-keystone.configure b/openstack-keystone.configure
new file mode 100644
index 00000000..7c8631ce
--- /dev/null
+++ b/openstack-keystone.configure
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# Copyright (C) 2014-2015 Codethink Limited
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see .
+
+set -e
+
+ROOT="$1"
+
+##########################################################################
+
+ln -s "/usr/lib/systemd/system/openstack-keystone-setup.service" \
+ "$ROOT/etc/systemd/system/multi-user.target.wants/openstack-keystone-setup.service"
+
+ln -s "/usr/lib/systemd/system/openstack-horizon-setup.service" \
+ "$ROOT/etc/systemd/system/multi-user.target.wants/openstack-horizon-setup.service"
+
+##########################################################################
+# Check variables
+##########################################################################
+
+if [ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -a \
+ -z "$KEYSTONE_ADMIN_PASSWORD" -a \
+ -z "$KEYSTONE_DB_USER" -a \
+ -z "$KEYSTONE_DB_PASSWORD" -a \
+ -z "$RABBITMQ_HOST" -a \
+ -z "$RABBITMQ_PORT" -a \
+ -z "$RABBITMQ_USER" -a \
+ -z "$RABBITMQ_PASSWORD" -a \
+ -z "$MANAGEMENT_INTERFACE_IP_ADDRESS" -a \
+ -z "$CONTROLLER_HOST_ADDRESS" ]; then
+ # No Keystone options defined, do nothing.
+ exit 0
+fi
+
+if [ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -o \
+ -z "$KEYSTONE_ADMIN_PASSWORD" -o \
+ -z "$KEYSTONE_DB_USER" -o \
+ -z "$KEYSTONE_DB_PASSWORD" -o \
+ -z "$RABBITMQ_HOST" -o \
+ -z "$RABBITMQ_PORT" -o \
+ -z "$RABBITMQ_USER" -o \
+ -z "$RABBITMQ_PASSWORD" -o \
+ -z "$MANAGEMENT_INTERFACE_IP_ADDRESS" -o \
+ -z "$CONTROLLER_HOST_ADDRESS" ]; then
+ echo Some options required for Keystone were defined, but not all.
+ exit 1
+fi
+
+
+python <<'EOF'
+import socket
+import sys
+import os
+
+try:
+ socket.inet_pton(socket.AF_INET, os.environ['MANAGEMENT_INTERFACE_IP_ADDRESS'])
+except:
+ print "Error: MANAGEMENT_INTERFACE_IP_ADDRESS is not a valid IP"
+ sys.exit(1)
+EOF
+
+
+##########################################################################
+# Generate configuration file
+##########################################################################
+
+OPENSTACK_DATA="$ROOT/etc/openstack"
+mkdir -p "$OPENSTACK_DATA"
+
+python <<'EOF' >"$OPENSTACK_DATA/keystone.conf"
+import os, sys, yaml
+
+keystone_configuration={
+ 'KEYSTONE_TEMPORARY_ADMIN_TOKEN': os.environ['KEYSTONE_TEMPORARY_ADMIN_TOKEN'],
+ 'KEYSTONE_ADMIN_PASSWORD': os.environ['KEYSTONE_ADMIN_PASSWORD'],
+ 'KEYSTONE_DB_USER': os.environ['KEYSTONE_DB_USER'],
+ 'KEYSTONE_DB_PASSWORD': os.environ['KEYSTONE_DB_PASSWORD'],
+ 'RABBITMQ_HOST': os.environ['RABBITMQ_HOST'],
+ 'RABBITMQ_PORT': os.environ['RABBITMQ_PORT'],
+ 'RABBITMQ_USER': os.environ['RABBITMQ_USER'],
+ 'RABBITMQ_PASSWORD': os.environ['RABBITMQ_PASSWORD'],
+ 'MANAGEMENT_INTERFACE_IP_ADDRESS': os.environ['MANAGEMENT_INTERFACE_IP_ADDRESS'],
+ 'CONTROLLER_HOST_ADDRESS': os.environ['CONTROLLER_HOST_ADDRESS'],
+}
+
+yaml.dump(keystone_configuration, sys.stdout, default_flow_style=False)
+EOF
diff --git a/openstack/manifest b/openstack/manifest
new file mode 100644
index 00000000..d48d5f9d
--- /dev/null
+++ b/openstack/manifest
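Review bot: The second `python <<'EOF' >"$OPENSTACK_DATA/keystone.conf"` redirect writes the admin token and the DB and RabbitMQ passwords into the image with whatever the build's umask allows, normally 0644, so any local account on the deployed system can read them. Put `umask 077` before the redirect or add `chmod 0600 "$OPENSTACK_DATA/keystone.conf"` after the heredoc, and tighten the directory with `chmod 0700 "$OPENSTACK_DATA"` after the `mkdir -p`. Only `MANAGEMENT_INTERFACE_IP_ADDRESS` is validated; `RABBITMQ_PORT` and `CONTROLLER_HOST_ADDRESS` go verbatim into an Erlang term, a PostgreSQL URL and HTTP endpoints, so an integer check on the port and an address check on the host in the same `python` block would fail the build instead of the first boot. The `ln -s` for `openstack-horizon-setup.service` points at a unit this commit does not add, which looks like it belongs to a different change, and the bare `except:` in the validation block should be `except socket.error:` so a genuine interpreter error is not reported as a bad IP.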
@@ -0,0 +1,18 @@
+0040755 0 0 /usr/share/openstack
+0100644 0 0 /usr/share/openstack/hosts
+0100644 0 0 /usr/share/openstack/keystone.yml
+0040755 0 0 /usr/share/openstack/keystone
+0100644 0 0 /usr/share/openstack/keystone/logging.conf
+0100644 0 0 /usr/share/openstack/keystone/keystone.conf
+0100644 0 0 /usr/share/openstack/keystone/policy.json
+0100644 0 0 /usr/share/openstack/keystone/keystone-paste.ini
+0040755 0 0 /usr/share/openstack/postgres
+0100644 0 0 /usr/share/openstack/postgres/pg_hba.conf
+0100644 0 0 /usr/share/openstack/postgres/postgresql.conf
+0040755 0 0 /usr/share/openstack/rabbitmq
+0100644 0 0 /usr/share/openstack/rabbitmq/rabbitmq-env.conf
+0100644 0 0 /usr/share/openstack/rabbitmq/rabbitmq.config
+0100644 0 0 /usr/lib/systemd/system/openstack-keystone.service
+0100644 0 0 /usr/lib/systemd/system/openstack-keystone-setup.service
+0100644 0 0 /usr/lib/systemd/system/rabbitmq-server.service
+0100644 0 0 /usr/lib/systemd/system/postgres-server.service
diff --git a/openstack/usr/lib/systemd/system/openstack-keystone-setup.service b/openstack/usr/lib/systemd/system/openstack-keystone-setup.service
new file mode 100644
index 00000000..9ea04c1d
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/openstack-keystone-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Run keystone-setup Ansible scripts
+After=local-fs.target postgres-server.service
+ConditionPathExists=/etc/openstack/keystone.conf
+
+[Service]
+# Oneshot, since others setup have to wait until this service finishes
+Type=oneshot
+ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/ansible/ansible-openstack-modules -i /usr/share/openstack/hosts /usr/share/openstack/keystone.yml
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openstack/usr/lib/systemd/system/openstack-keystone.service b/openstack/usr/lib/systemd/system/openstack-keystone.service
new file mode 100644
index 00000000..0aa9e1ef
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/openstack-keystone.service
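Review bot: The playbook this unit starts talks to Keystone at `http://{{ CONTROLLER_HOST_ADDRESS }}:35357` and the services it launches bind the management address, but `[Unit]` orders only after `local-fs.target` and `postgres-server.service`, so on first boot the setup can run before the interface has its address. Add `After=network-online.target` and `Wants=network-online.target`, as `openstack-keystone.service` in this commit already does. `ansible-playbook -v` also writes each task's result to the journal; for the tasks that pass `password:` or `token:` arguments this can expose the values in `journalctl` depending on what the module returns, so either drop `-v` or mark those tasks `no_log: true` in the playbook. `After=postgres-server.service` is at odds with the playbook itself enabling and starting that service; the ordering appears intended for reboots after the first run, which the comment in `[Service]` should say.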
@@ -0,0 +1,13 @@
+[Unit]
+Description=OpenStack Identity Service (code-named Keystone)
+After=syslog.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+Restart=always
+User=keystone
+ExecStart=/usr/bin/keystone-all --config-file /etc/keystone/keystone.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openstack/usr/lib/systemd/system/postgres-server.service b/openstack/usr/lib/systemd/system/postgres-server.service
new file mode 100644
index 00000000..70b2fd09
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/postgres-server.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=PostgreSQL database server
+After=network.target
+
+[Service]
+Type=forking
+TimeoutSec=120
+User=postgres
+Group=postgres
+
+Environment=PGROOT=/var/lib/pgsql
+
+SyslogIdentifier=postgres
+PIDFile=/var/lib/pgsql/data/postmaster.pid
+
+ExecStart= /usr/bin/pg_ctl -s -D ${PGROOT}/data start -w -t 120
+ExecReload=/usr/bin/pg_ctl -s -D ${PGROOT}/data reload
+ExecStop= /usr/bin/pg_ctl -s -D ${PGROOT}/data stop -m fast
+
+# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
+# killing Postgres, so adjust it downward
+OOMScoreAdjust=-200
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openstack/usr/lib/systemd/system/rabbitmq-server.service b/openstack/usr/lib/systemd/system/rabbitmq-server.service
new file mode 100644
index 00000000..f161b9d0
--- /dev/null
+++ b/openstack/usr/lib/systemd/system/rabbitmq-server.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=RabbitMQ broker
+After=syslog.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=rabbitmq
+Group=rabbitmq
+Environment=HOME=/var/lib/rabbitmq
+WorkingDirectory=/var/lib/rabbitmq
+ExecStart=/usr/sbin/rabbitmq-server
+ExecStop=/usr/sbin/rabbitmqctl stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/openstack/usr/share/openstack/hosts b/openstack/usr/share/openstack/hosts
new file mode 100644
index 00000000..5b97818d
--- /dev/null
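Review bot: `postgres-server.service` orders itself only `After=network.target`, yet `postgresql.conf` in this commit sets `listen_addresses` to the management interface address; if that address is not yet assigned when `pg_ctl start` runs, the bind fails and this unit, and the keystone-setup unit that waits on it, fail on that boot. Use `After=network-online.target` together with `Wants=network-online.target`, as the Keystone and RabbitMQ units in this same commit do. Both the postgres and rabbitmq units drop to unprivileged users but carry no `PrivateTmp=true` or `ProtectSystem=full`; those are cheap to add for services holding the identity database and the broker credentials. This note applies to the second of the three hunks on this line.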
+++ b/openstack/usr/share/openstack/hosts
@@ -0,0 +1 @@
+localhost ansible_connection=local
diff --git a/openstack/usr/share/openstack/keystone.yml b/openstack/usr/share/openstack/keystone.yml
new file mode 100644
index 00000000..20753a9c
--- /dev/null
+++ b/openstack/usr/share/openstack/keystone.yml
@@ -0,0 +1,188 @@
+---
+- hosts: localhost
+ vars_files:
+ - "/etc/openstack/keystone.conf"
+ tasks:
+
+ # RabbitMQ configuration, this may end up in a different playbook
+ - name: Create rabbitmq user
+ user:
+ name: rabbitmq
+ comment: Rabbitmq server daemon
+ shell: /sbin/nologin
+ home: /var/lib/rabbitmq
+
+ - name: Create the rabbitmq directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: rabbitmq
+ group: rabbitmq
+ with_items:
+ - /var/run/rabbitmq
+ - /var/log/rabbitmq
+ - /etc/rabbitmq
+
+ - name: Add the configuration needed for rabbitmq in /etc/rabbitmq using templates
+ template:
+ src: /usr/share/openstack/rabbitmq/{{ item }}
+ dest: /etc/rabbitmq/{{ item }}
+ owner: rabbitmq
+ group: rabbitmq
+ mode: 0644
+ with_items:
+ - rabbitmq.config
+ - rabbitmq-env.conf
+
+ - name: Enable and start rabbitmq services
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ with_items:
+ - rabbitmq-server
+
+ # Postgres configuration, this may end up in a different playbook
+ - name: Create postgres user
+ user:
+ name: postgres
+ comment: PostgreSQL Server
+ shell: /sbin/nologin
+ home: /var/lib/pgsql
+
+ - name: Create the postgres directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: postgres
+ group: postgres
+ with_items:
+ - /var/run/postgresql
+ - /var/lib/pgsql/data
+
+ - name: Initialise postgres database
+ command: pg_ctl -D /var/lib/pgsql/data initdb
+ args:
+ creates: /var/lib/pgsql/data/base
+ sudo: yes
+ sudo_user: postgres
+
+ - name: Add the configuration needed for postgres for Openstack
+ template:
+ src: /usr/share/openstack/postgres/{{ item }}
+ dest: /var/lib/pgsql/data/{{ item }}
+ owner: postgres
+ group: postgres
+ mode: 0600
+ with_items:
+ - postgresql.conf
+ - pg_hba.conf
+
+ - name: Enable and start postgres services
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ with_items:
+ - postgres-server
+
+
+ # Keystone configuration
+ - name: Create the keystone user.
+ user:
+ name: keystone
+ comment: Openstack Keystone Daemons
+ shell: /sbin/nologin
+ home: /var/lib/keystone
+
+ - name: Create the /var folders for keystone
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: keystone
+ group: keystone
+ with_items:
+ - /var/run/keystone
+ - /var/lock/keystone
+ - /var/log/keystone
+ - /var/lib/keystone
+
+ - name: Create /etc/keystone directory
+ file:
+ path: /etc/keystone
+ state: directory
+
+ - name: Add the configuration needed for lorry in /etc using templates
+ template:
+ src: /usr/share/openstack/keystone/{{ item }}
+ dest: /etc/keystone/{{ item }}
+ with_lines:
+ - cd /usr/share/openstack/keystone && find -type f
+
+ - name: Create postgresql user for keystone
+ postgresql_user:
+ name: "{{ KEYSTONE_DB_USER }}"
+ password: "{{ KEYSTONE_DB_PASSWORD }}"
+ sudo: yes
+ sudo_user: keystone
+
+ - name: Create database for keystone services
+ postgresql_db:
+ name: keystone
+ owner: "{{ KEYSTONE_DB_USER }}"
+ sudo: yes
+ sudo_user: keystone
+
+ - name: Initiatie keystone database
+ keystone_manage:
+ action: dbsync
+ sudo: yes
+ sudo_user: keystone
+
+ - name: Enable and start openstack-keystone service
+ service:
+ name: openstack-keystone.service
+ enabled: yes
+ state: started
+
+ - name: Create admin tenant
+ keystone_user:
+ tenant: admin
+ tenant_description: Admin Tenant
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Create admin user for the admin tenant
+ keystone_user:
+ user: admin
+ tenant: admin
+ password: "{{ KEYSTONE_ADMIN_PASSWORD }}"
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Create admin role for admin user in the admin tenant
+ keystone_user:
+ role: admin
+ user: admin
+ tenant: admin
+ token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}"
+ endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0
+
+ - name: Create service tenant
+ keystone_user:
+ tenant: 
service + tenant_description: Service Tenant + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Add kestone endpoint + keystone_service: + name: keystone + type: identity + description: Keystone Identity Service + publicurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + adminurl: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 diff --git a/openstack/usr/share/openstack/keystone/keystone.conf b/openstack/usr/share/openstack/keystone/keystone.conf index c058a030..3d242a50 100644 --- a/openstack/usr/share/openstack/keystone/keystone.conf +++ b/openstack/usr/share/openstack/keystone/keystone.conf @@ -10,7 +10,7 @@ # recommended), remove AdminTokenAuthMiddleware from your # paste application pipelines (for example, in keystone- # paste.ini). (string value) -#admin_token=ADMIN +admin_token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} # The IP address of the network interface for the public # service to listen on. (string value) @@ -33,11 +33,11 @@ # The port number which the admin service listens on. (integer # value) -#admin_port=35357 +admin_port=35357 # The port number which the public service listens on. # (integer value) -#public_port=5000 +public_port=5000 # The base public endpoint URL for Keystone that is advertised # to clients (NOTE: this does NOT affect how Keystone listens 
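Review bot: The `template` task named "Add the configuration needed for lorry in /etc using templates" renders `keystone.conf`, which after this commit carries the admin token, the database password and the RabbitMQ password, but it sets no `owner`, `group` or `mode`, so the file is created by root with whatever the umask gives (normally 0644) and every local account can read it; the postgres template task in this same playbook already does this right with `mode: 0600`. Add `owner: root`, `group: keystone`, `mode: 0640` to that task (the service runs as `User=keystone`) and give the `Create /etc/keystone directory` task the same ownership with `mode: 0750`. The tasks that pass `password:` or `token:` (`postgresql_user` and the `keystone_user` calls) should also carry `no_log: true`, since the unit runs the playbook with `-v`. The task name still says "lorry", apparently a leftover from the playbook this was copied from — rename it `Add the configuration needed for keystone in /etc/keystone using templates` — and `Initiatie` should read `Initialise`.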
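Review bot: `admin_token` is now set permanently from `KEYSTONE_TEMPORARY_ADMIN_TOKEN`, yet nothing in this commit removes the admin-token middleware from `keystone-paste.ini` once the playbook has bootstrapped the admin user, so the bootstrap credential remains a full-admin bypass of normal authentication for the life of the deployment; the comment directly above this line recommends exactly that removal. Add a final playbook task that rewrites this line back to `#admin_token=` (or strips `admin_token_auth` from the pipelines in `keystone-paste.ini`) and restarts `openstack-keystone.service`, or at least add a comment here stating that the "TEMPORARY" in the variable name is currently not honoured. The section header this option belongs to is outside the hunk.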
@@ -207,23 +207,23 @@ # The RabbitMQ broker address where a single node is used. # (string value) -#rabbit_host=localhost +rabbit_host={{ RABBITMQ_HOST }} # The RabbitMQ broker port where a single node is used. # (integer value) -#rabbit_port=5672 +rabbit_port={{ RABBITMQ_PORT }} # RabbitMQ HA cluster host:port pairs. (list value) -#rabbit_hosts=$rabbit_host:$rabbit_port +rabbit_hosts=$rabbit_host:$rabbit_port # Connect over SSL for RabbitMQ. (boolean value) -#rabbit_use_ssl=false +rabbit_use_ssl=false # The RabbitMQ userid. (string value) -#rabbit_userid=guest +rabbit_userid={{ RABBITMQ_USER }} # The RabbitMQ password. (string value) -#rabbit_password=guest +rabbit_password={{ RABBITMQ_PASSWORD }} # the RabbitMQ login method (string value) #rabbit_login_method=AMQPLAIN @@ -308,7 +308,7 @@ # The messaging driver to use, defaults to rabbit. Other # drivers include qpid and zmq. (string value) -#rpc_backend=rabbit +rpc_backend=rabbit # The default exchange under which topics are scoped. May be # overridden by an exchange name specified in the @@ -630,6 +630,7 @@ # Deprecated group/name - [DATABASE]/sql_connection # Deprecated group/name - [sql]/connection #connection= +connection=postgresql://{{ KEYSTONE_DB_USER }}:{{ KEYSTONE_DB_PASSWORD }}@{{ CONTROLLER_HOST_ADDRESS }}/keystone # The SQLAlchemy connection string to use to connect to the # slave database. (string value) @@ -1534,11 +1535,11 @@ # Controls the token construction, validation, and revocation # operations. Core providers are # "keystone.token.providers.[pkiz|pki|uuid].Provider". The -# default provider is uuid. (string value) -#provider= +# default provider is pkiz. (string value) +provider=keystone.token.providers.uuid.Provider # Token persistence backend driver. (string value) -#driver=keystone.token.persistence.backends.sql.Token +driver=keystone.token.backends.sql.Token # Toggle for token system caching. This has no effect unless # global caching is enabled. (boolean value) 
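Review bot: `rabbit_use_ssl=false` is now set explicitly next to `rabbit_userid` and `rabbit_password` filled from the configure variables, so the broker credentials travel in clear to whatever network reaches `RABBITMQ_HOST`; if that host is not loopback in practice, this should be `rabbit_use_ssl=true` with a TLS listener on the broker, and the `rabbitmq.config` in this commit would then need an `ssl_listeners` entry. At minimum a comment on this line recording that the messaging link is unencrypted, and why that is acceptable for this deployment, would stop the next reader assuming it is local-only. The section header these options belong to is outside the hunk.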
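Review bot: The new `connection=` line embeds `KEYSTONE_DB_PASSWORD` and points at `CONTROLLER_HOST_ADDRESS`, while `postgresql.conf` in this commit makes the server listen only on `MANAGEMENT_INTERFACE_IP_ADDRESS` and `pg_hba.conf` only admits that /32; unless the two variables always hold the same address, Keystone cannot reach its database, and the configure script does not check that they agree. Use `{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}` here, or have the configure script require the two values to match. The values are also substituted raw into a URL, so a password containing `@`, `:` or `/` breaks the SQLAlchemy parse; either document that restriction next to the variable or pass the password through Jinja's `urlencode` filter in the template. The commented `#connection=` line kept above the new one is harmless but should go for clarity.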
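Review bot: The edited comment now says "default provider is pkiz" while the line below selects `keystone.token.providers.uuid.Provider`, and the persistence `driver` was changed from the `keystone.token.persistence.backends.sql.Token` path the sample documented to `keystone.token.backends.sql.Token`; unless the Keystone build in this system still ships that older module path, the service will fail to import the driver at start. Either keep the documented path or add a comment naming the Keystone version this path is for, and reword the comment to match the choice actually made, e.g. `# Token provider used by this deployment (uuid).`. The `[token]` section header is outside the hunk.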
diff --git a/openstack/usr/share/openstack/postgres/pg_hba.conf b/openstack/usr/share/openstack/postgres/pg_hba.conf
new file mode 100644
index 00000000..0968fc44
--- /dev/null
+++ b/openstack/usr/share/openstack/postgres/pg_hba.conf
@@ -0,0 +1,4 @@
+local all all trust
+host all all 127.0.0.0/8 trust
+host all all ::1/128 trust
+host all all {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 trust
diff --git a/openstack/usr/share/openstack/postgres/postgresql.conf b/openstack/usr/share/openstack/postgres/postgresql.conf
new file mode 100644
index 00000000..74153385
--- /dev/null
+++ b/openstack/usr/share/openstack/postgres/postgresql.conf
@@ -0,0 +1,11 @@
+listen_addresses = '{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}'
+max_connections = 100
+shared_buffers = 128MB
+log_timezone = 'UTC'
+datestyle = 'iso, mdy'
+timezone = 'UTC'
+lc_messages = 'C'
+lc_monetary = 'C'
+lc_numeric = 'C'
+lc_time = 'C'
+default_text_search_config = 'pg_catalog.english'
diff --git a/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf b/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf
new file mode 100644
index 00000000..d4c58dae
--- /dev/null
+++ b/openstack/usr/share/openstack/rabbitmq/rabbitmq-env.conf
@@ -0,0 +1,3 @@
+# Configure port node where rabbitmq-server will listen from.
+NODE_PORT={{ RABBITMQ_PORT }}
+CONFIG_FILE=/etc/rabbitmq/rabbitmq
diff --git a/openstack/usr/share/openstack/rabbitmq/rabbitmq.config b/openstack/usr/share/openstack/rabbitmq/rabbitmq.config
new file mode 100644
index 00000000..9b93881e
--- /dev/null
+++ b/openstack/usr/share/openstack/rabbitmq/rabbitmq.config
@@ -0,0 +1,9 @@
+%% -*- Rabbit configuration for Openstack in Baserock
+[
+ {rabbit,
+ [
+ {default_user, <<"{{ RABBITMQ_USER }}">>},
+ {default_pass, <<"{{ RABBITMQ_PASSWORD }}">>},
+ {tcp_listeners, [{{ RABBITMQ_PORT }}]}
+ ]}
+].
diff --git a/systems/openstack-system-x86_64.morph b/systems/openstack-system-x86_64.morph
index 593794e0..64125a73 100644
--- a/systems/openstack-system-x86_64.morph
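Review bot: Every rule uses `trust`, so the `KEYSTONE_DB_PASSWORD` the playbook provisions and Keystone carries in its `connection=` string is never checked: any local account can `psql -U postgres` over the socket, and any client whose source address is the management /32 can log in as any role, superuser included, with no password. Change the TCP rules to `md5` (`host all all 127.0.0.0/8 md5`, likewise for `::1/128` and the management /32) and the socket rule to `local all all peer`. The playbook's `postgresql_user` and `postgresql_db` tasks, which run with `sudo_user: keystone` and by default connect as the `postgres` role, depend on the current trust rule; with `peer` they must run as `sudo_user: postgres` instead. The rendered file is correctly installed `mode: 0600` by the playbook, so authentication is the only gap here.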
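Review bot: `listen_addresses` lists only the management address, so the `127.0.0.0/8` and `::1/128` rules in the accompanying `pg_hba.conf` can never match a TCP connection; if loopback clients are intended, use `listen_addresses = 'localhost,{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}'`, otherwise drop those two rules so the policy reads as it behaves. Nothing here enables `ssl = on`, which means Keystone's database password crosses the management network in clear whenever `CONTROLLER_HOST_ADDRESS` is not the local host; a comment stating that the management network is trusted, or a TLS setup, should accompany this file. This applies to the second hunk on this line.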
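Review bot: `{tcp_listeners, [{{ RABBITMQ_PORT }}]}` binds the AMQP port on every interface, whereas the PostgreSQL side of this commit is pinned to the management address; if the broker only serves this controller, restrict it the same way with `{tcp_listeners, [{"{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}", {{ RABBITMQ_PORT }}}]}` (adding a loopback entry if `RABBITMQ_HOST` may be `localhost`). `default_user`/`default_pass` are only applied when the node's database is created on first start, so changing `RABBITMQ_PASSWORD` later does not rotate the credential; a comment above these two lines, or a `rabbitmqctl change_password` task in the playbook, would make that explicit. This applies to the last hunk on this line.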
+++ b/systems/openstack-system-x86_64.morph
@@ -63,3 +63,4 @@ configuration-extensions:
 - install-files
 - cloud-init
 - hosts
+- openstack-keystone
-- cgit v1.2.1