From 22bca4030daaff1c68031ce4a113491f4300130f Mon Sep 17 00:00:00 2001
From: Pedro Alvarez
Date: Tue, 31 Mar 2015 16:55:01 +0000
Subject: 08 patch comments
---
 openstack-keystone.configure | 21 ++-
 openstack/usr/share/openstack/keystone.yml | 175 ++++++++++++++-------
 openstack/usr/share/openstack/postgres/pg_hba.conf | 4 +-
 .../usr/share/openstack/postgres/postgresql.conf | 2 +-
 4 files changed, 142 insertions(+), 60 deletions(-)
diff --git a/openstack-keystone.configure b/openstack-keystone.configure
index c8a7e9ff..fb37b3ac 100644
--- a/openstack-keystone.configure
+++ b/openstack-keystone.configure
@@ -36,6 +36,7 @@ if [ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -a \
 -z "$RABBITMQ_PORT" -a \
 -z "$RABBITMQ_USER" -a \
 -z "$RABBITMQ_PASSWORD" -a \
+ -z "$MANAGEMENT_INTERFACE_IP_ADDRESS" -a \
 -z "$CONTROLLER_HOST_ADDRESS" ]; then
 # No Keystone options defined, do nothing.
 exit 0
@@ -49,13 +50,28 @@ if [ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -o \
 -z "$RABBITMQ_PORT" -o \
 -z "$RABBITMQ_USER" -o \
 -z "$RABBITMQ_PASSWORD" -o \
+ -z "$MANAGEMENT_INTERFACE_IP_ADDRESS" -o \
 -z "$CONTROLLER_HOST_ADDRESS" ]; then
 echo Some options required for Keystone were defined, but not all.
 exit 1
 fi
+
+python <<'EOF'
+import socket
+import sys
+import os
+
+try:
+ socket.inet_pton(socket.AF_INET, os.environ['MANAGEMENT_INTERFACE_IP_ADDRESS'])
+except:
+ print "Error: MANAGEMENT_INTERFACE_IP_ADDRESS is not a valid IP"
+ sys.exit(1)
+EOF
+
+
 ##########################################################################
-# Generate config variable shell snippet
+# Generate configuration file
 ##########################################################################
 OPENSTACK_DATA="$ROOT/etc/openstack"
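Review bot: The bare `except:` in the added validation heredoc catches every exception, including `KeyboardInterrupt` and `SystemExit`, and reports all of them as an invalid address; narrowing it to what `inet_pton` actually raises keeps the message truthful, `except socket.error:`. Because `socket.AF_INET` is passed, an IPv6 management address is rejected here, which is consistent with the `/32` mask the same commit writes into pg_hba.conf, so the error text should say so: `print "Error: MANAGEMENT_INTERFACE_IP_ADDRESS is not a valid IPv4 address"`. The `print` statement also pins the snippet to Python 2; `print("...")` works on both.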
@@ -69,11 +85,12 @@ keystone_configuration={
 'KEYSTONE_ADMIN_PASSWORD': os.environ['KEYSTONE_ADMIN_PASSWORD'],
 'KEYSTONE_DB_USER': os.environ['KEYSTONE_DB_USER'],
 'KEYSTONE_DB_PASSWORD': os.environ['KEYSTONE_DB_PASSWORD'],
- 'CONTROLLER_HOST_ADDRESS': os.environ['CONTROLLER_HOST_ADDRESS'],
 'RABBITMQ_HOST': os.environ['RABBITMQ_HOST'],
 'RABBITMQ_PORT': os.environ['RABBITMQ_PORT'],
 'RABBITMQ_USER': os.environ['RABBITMQ_USER'],
 'RABBITMQ_PASSWORD': os.environ['RABBITMQ_PASSWORD'],
+ 'MANAGEMENT_INTERFACE_IP_ADDRESS': os.environ['MANAGEMENT_INTERFACE_IP_ADDRESS'],
+ 'CONTROLLER_HOST_ADDRESS': os.environ['CONTROLLER_HOST_ADDRESS'],
 }
 yaml.dump(keystone_configuration, sys.stdout, default_flow_style=False)
diff --git a/openstack/usr/share/openstack/keystone.yml b/openstack/usr/share/openstack/keystone.yml
index b139b39f..20753a9c 100644
--- a/openstack/usr/share/openstack/keystone.yml
+++ b/openstack/usr/share/openstack/keystone.yml
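Review bot: The dictionary dumped by `yaml.dump(keystone_configuration, sys.stdout, ...)` carries three secrets (`KEYSTONE_ADMIN_PASSWORD`, `KEYSTONE_DB_PASSWORD`, `RABBITMQ_PASSWORD`) next to the newly added address, and the redirection target for that stdout and its file mode are outside this hunk. If the destination under `$OPENSTACK_DATA` is created with the default umask it is likely world-readable; a `umask 077` before the heredoc, or an explicit `chmod 0600` on the written file, would keep those credentials private. A comment at the top of the heredoc such as `# NOTE: output contains credentials; destination file must be mode 0600` would make the requirement visible to the next editor.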
@@ -6,118 +6,183 @@ # RabbitMQ configuration, this may end up in a different playbook - name: Create rabbitmq user - user: name=rabbitmq comment="Rabbitmq server daemon" shell=/sbin/nologin home=/var/lib/rabbitmq + user: + name: rabbitmq + comment: Rabbitmq server daemon + shell: /sbin/nologin + home: /var/lib/rabbitmq - name: Create the rabbitmq directories - file: path={{ item }} state=directory owner=rabbitmq group=rabbitmq + file: + path: "{{ item }}" + state: directory + owner: rabbitmq + group: rabbitmq with_items: - /var/run/rabbitmq - /var/log/rabbitmq - /etc/rabbitmq - name: Add the configuration needed for rabbitmq in /etc/rabbitmq using templates - template: src=/usr/share/openstack/rabbitmq/{{ item }} dest=/etc/rabbitmq/{{ item }} owner=rabbitmq group=rabbitmq mode=0644 + template: + src: /usr/share/openstack/rabbitmq/{{ item }} + dest: /etc/rabbitmq/{{ item }} + owner: rabbitmq + group: rabbitmq + mode: 0644 with_items: - rabbitmq.config - rabbitmq-env.conf - name: Enable and start rabbitmq services - service: name={{ item }} enabled=yes state=started + service: + name: "{{ item }}" + enabled: yes + state: started with_items: - rabbitmq-server # Postgres configuration, this may end up in a different playbook - name: Create postgres user - user: name=postgres comment="PostgreSQL Server" shell=/sbin/nologin home=/var/lib/pgsql + user: + name: postgres + comment: PostgreSQL Server + shell: /sbin/nologin + home: /var/lib/pgsql - name: Create the postgres directories - file: path={{ item }} state=directory owner=postgres group=postgres + file: + path: "{{ item }}" + state: directory + owner: postgres + group: postgres with_items: - /var/run/postgresql - /var/lib/pgsql/data - name: Initialise postgres database - shell: pg_ctl -D /var/lib/pgsql/data initdb creates=/var/lib/pgsql/data/base + command: pg_ctl -D /var/lib/pgsql/data initdb + args: + creates: /var/lib/pgsql/data/base sudo: yes sudo_user: postgres - name: Add the configuration needed for postgres 
for Openstack - template: src=/usr/share/openstack/postgres/{{ item }} dest=/var/lib/pgsql/data/{{ item }} owner=postgres group=postgres mode=0600 + template: + src: /usr/share/openstack/postgres/{{ item }} + dest: /var/lib/pgsql/data/{{ item }} + owner: postgres + group: postgres + mode: 0600 with_items: - postgresql.conf - pg_hba.conf - name: Enable and start postgres services - service: name={{ item }} enabled=yes state=started + service: + name: "{{ item }}" + enabled: yes + state: started with_items: - postgres-server # Keystone configuration - name: Create the keystone user. - user: name=keystone comment="Openstack Keystone Daemons" shell=/sbin/nologin home=/var/lib/keystone + user: + name: keystone + comment: Openstack Keystone Daemons + shell: /sbin/nologin + home: /var/lib/keystone - name: Create the /var folders for keystone - file: path={{ item }} state=directory owner=keystone group=keystone + file: + path: "{{ item }}" + state: directory + owner: keystone + group: keystone with_items: - /var/run/keystone - /var/lock/keystone - /var/log/keystone - /var/lib/keystone - - file: path=/etc/keystone state=directory + - name: Create /etc/keystone directory + file: + path: /etc/keystone + state: directory + - name: Add the configuration needed for lorry in /etc using templates - template: src=/usr/share/openstack/keystone/{{ item }} dest=/etc/keystone/{{ item }} + template: + src: /usr/share/openstack/keystone/{{ item }} + dest: /etc/keystone/{{ item }} with_lines: - - (cd /usr/share/openstack/keystone && find -type f) + - cd /usr/share/openstack/keystone && find -type f - - postgresql_user: name={{ KEYSTONE_DB_USER }} password={{ KEYSTONE_DB_PASSWORD }} + - name: Create postgresql user for keystone + postgresql_user: + name: "{{ KEYSTONE_DB_USER }}" + password: "{{ KEYSTONE_DB_PASSWORD }}" sudo: yes sudo_user: keystone - - postgresql_db: name=keystone owner={{ KEYSTONE_DB_USER }} + + - name: Create database for keystone services + postgresql_db: + name: 
keystone + owner: "{{ KEYSTONE_DB_USER }}" sudo: yes sudo_user: keystone - - keystone_manage: action=dbsync + - name: Initiatie keystone database + keystone_manage: + action: dbsync sudo: yes sudo_user: keystone - name: Enable and start openstack-keystone service - service: name=openstack-keystone.service enabled=yes state=started - - - keystone_user: > - tenant=admin - tenant_description="Admin Tenant" - token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} - endpoint=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 - - - keystone_user: > - user=admin - tenant=admin - password={{ KEYSTONE_ADMIN_PASSWORD }} - token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} - endpoint=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 - - - keystone_user: > - role=admin - user=admin - tenant=admin - token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} - endpoint=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 - - - keystone_user: > - tenant=service - tenant_description="Service Tenant" - token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} - endpoint=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 - - - keystone_service: > - name=keystone - type=identity - description="Keystone Identity Service" - publicurl=http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 - internalurl=http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 - adminurl=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 - region='regionOne' - token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }} - endpoint=http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + service: + name: openstack-keystone.service + enabled: yes + state: started + + - name: Create admin tenant + keystone_user: + tenant: admin + tenant_description: Admin Tenant + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Create admin user for the admin tenant + keystone_user: + user: admin + tenant: admin + password: "{{ KEYSTONE_ADMIN_PASSWORD }}" + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + 
+ - name: Create admin role for admin user in the admin tenant + keystone_user: + role: admin + user: admin + tenant: admin + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Create service tenant + keystone_user: + tenant: service + tenant_description: Service Tenant + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + + - name: Add kestone endpoint + keystone_service: + name: keystone + type: identity + description: Keystone Identity Service + publicurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + internalurl: http://{{ CONTROLLER_HOST_ADDRESS }}:5000/v2.0 + adminurl: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 + region: regionOne + token: "{{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}" + endpoint: http://{{ CONTROLLER_HOST_ADDRESS }}:35357/v2.0 diff --git a/openstack/usr/share/openstack/postgres/pg_hba.conf b/openstack/usr/share/openstack/postgres/pg_hba.conf index 7daf1b46..0968fc44 100644 --- a/openstack/usr/share/openstack/postgres/pg_hba.conf +++ b/openstack/usr/share/openstack/postgres/pg_hba.conf @@ -1,4 +1,4 @@ local all all trust -host all all 127.0.0.1/32 trust +host all all 127.0.0.0/8 trust host all all ::1/128 trust -host all all 0.0.0.0/0 trust +host all all {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 trust diff --git a/openstack/usr/share/openstack/postgres/postgresql.conf b/openstack/usr/share/openstack/postgres/postgresql.conf index e4ff9582..74153385 100644 --- a/openstack/usr/share/openstack/postgres/postgresql.conf +++ b/openstack/usr/share/openstack/postgres/postgresql.conf @@ -1,4 +1,4 @@ -listen_addresses = '0.0.0.0' +listen_addresses = '{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}' max_connections = 100 shared_buffers = 128MB log_timezone = 'UTC' -- cgit v1.2.1
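Review bot: The `Add the configuration needed for lorry in /etc using templates` task still sets only `src` and `dest`, while the postgres template task in the same hunk gained `owner`, `group` and `mode: 0600`; the keystone templates presumably include the database connection string and admin token, so they should get `owner: keystone`, `group: keystone` and `mode: 0600` too rather than inheriting root ownership and the default umask. The task name also still says "lorry", which looks like a copy-paste leftover and should read "keystone". Two of the new task names have typos: `- name: Initiatie keystone database` should be `- name: Initialise keystone database`, and `- name: Add kestone endpoint` should be `- name: Add keystone endpoint`.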
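Review bot: The new `host all all {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 trust` line narrows the source address but keeps `trust`, so any local process that can open a TCP connection from the management address can log in as any role, including the `postgres` superuser, without credentials. Since the playbook in this commit creates the keystone role with a password via `postgresql_user`, the rule can require it: `host all all {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}/32 md5`, while the `local ... trust` line continues to serve the `sudo_user: postgres` and `sudo_user: keystone` socket connections. Note that a `host` rule matches the client's source address, so with this change clients on other hosts no longer match any rule and are rejected; presumably intended, but worth stating in a comment above the line.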
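Review bot: `listen_addresses = '{{ MANAGEMENT_INTERFACE_IP_ADDRESS }}'` drops the loopback address, so the `127.0.0.0/8` and `::1/128` rules kept in pg_hba.conf by this same commit can never match a TCP client and any local service that connects to `localhost` will fail to reach the server. If loopback access is still wanted, `listen_addresses = 'localhost, {{ MANAGEMENT_INTERFACE_IP_ADDRESS }}'` keeps both paths consistent with pg_hba.conf; if it is not, the loopback rules in pg_hba.conf are dead and could be removed to avoid suggesting an access path that does not exist. Which connection address the keystone configuration uses is not visible in this patch, so please confirm before choosing.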