19 files changed, 204 insertions, 571 deletions
diff --git a/openstack-nova.configure b/openstack-nova.configure
index 4655342c..7e263b22 100644
--- a/openstack-nova.configure
+++ b/openstack-nova.configure
@@ -20,32 +20,9 @@ set -e
 ROOT="$1"
 ##########################################################################
-# Substitutions in configuration files
-##########################################################################
-
-cat <<EOF > "$ROOT"/etc/openstack-nova-setup.sed
-s/##NOVA_SERVICE_USER##/$NOVA_SERVICE_USER/g
-s/##NOVA_SERVICE_PASSWORD##/$NOVA_SERVICE_PASSWORD/g
-s/##NOVA_PUBLIC_URL##/$NOVA_PUBLIC_URL/g
-s/##NOVA_INTERNAL_URL##/$NOVA_INTERNAL_URL/g
-s/##NOVA_ADMIN_URL##/$NOVA_ADMIN_URL/g
-s/##NOVA_HOST##/$NOVA_HOST/g
-s/##NOVA_REGION##/$NOVA_REGION/g
-s/##NOVA_NOVNCPROXY_BASE_URL##/$NOVA_NOVNCPROXY_BASE_URL/g
-s/##NOVA_DB_USER##/$NOVA_DB_USER/g
-s/##NOVA_DB_PASSWORD##/$NOVA_DB_PASSWORD/g
-EOF
-
-sed -f "$ROOT"/etc/openstack-nova-setup.sed -i \
- "$ROOT"/etc/nova/nova.conf \
- "$ROOT"/etc/neutron/neutron.conf \
- "$ROOT"/etc/neutron/metadata_agent.ini \
- "$ROOT"/usr/share/openstack/openstack-nova-setup
-
-##########################################################################
-ln -sf "/etc/systemd/system/openstack-nova-setup.service" \
- "$ROOT/etc/systemd/system/multi-user.target.wants/openstack-nova-setup.service"
+ln -s "/etc/systemd/system/openstack-nova-setup.service" \
+ "$ROOT/etc/systemd/system/multi-user.target.wants/openstack-nova-setup.service"
 ##########################################################################
 # Enable libvirtd and libvirt-guests services
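Review bot: Replacing `ln -sf` with `ln -s` makes the wants-symlink creation fail with "File exists" whenever the link is already present, and because the script runs under `set -e` (visible in the hunk header) that aborts the whole configure run, so re-applying the extension to an already-configured tree is no longer idempotent; unless the loss of `-f` is deliberate, keep `ln -sf "/etc/systemd/system/openstack-nova-setup.service" \`. Separately, the removed sed pass also rewrote `$ROOT/etc/neutron/neutron.conf` and `$ROOT/etc/neutron/metadata_agent.ini`, and nothing added in this commit templates those two files, so their `##…##` placeholders stay unsubstituted unless a separate neutron setup step that is not in this diff handles them. The rest of the script lies outside the hunk.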
@@ -64,3 +41,104 @@ ln -sf ../libvirt-guests.service "$wants_dir/libvirt-guests.service"
 sed -i "s/192\.168\.122\./192\.168\.1\./g" \
 "$ROOT"/etc/libvirt/qemu/networks/default.xml
+
+##########################################################################
+# Check variables
+##########################################################################
+
+
+if [ -z "$IDENTITY_URI" -a \
+ -z "$KEYSTONE_INTERNAL_URL" -a \
+ -z "$NOVA_SERVICE_USER" -a \
+ -z "$NOVA_SERVICE_PASSWORD" -a \
+ -z "$NOVA_DB_USER" -a \
+ -z "$NOVA_DB_PASSWORD" -a \
+ -z "$NOVA_NOVNCPROXY_BASE_URL" -a \
+ -z "$NOVA_HOST" -a \
+ -z "$NEUTRON_PUBLIC_URL" -a \
+ -z "$NEUTRON_SERVICE_USER" -a \
+ -z "$NEUTRON_SERVICE_PASSWORD" -a \
+ -z "$KEYSTONE_ADMIN_URL" -a \
+ -z "$METADATA_PROXY_SHARED_SECRET" -a \
+ -z "$RABBITMQ_HOST" -a \
+ -z "$RABBITMQ_USER" -a \
+ -z "$RABBITMQ_PASSWORD" -a \
+ -z "$RABBITMQ_PORT" -a \
+ -z "$CONTROLLER_HOST" -a \
+ -z "$GLANCE_HOST" -a \
+ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -a \
+ -z "$NOVA_PUBLIC_URL" -a \
+ -z "$NOVA_INTERNAL_URL" -a \
+ -z "$NOVA_ADMIN_URL" -a \
+ -z "$NOVA_REGION" ]; then
+ # No NOVA options defined, do nothing.
+ exit 0
+fi
+
+if [ -z "$IDENTITY_URI" -o \
+ -z "$KEYSTONE_INTERNAL_URL" -o \
+ -z "$NOVA_SERVICE_USER" -o \
+ -z "$NOVA_SERVICE_PASSWORD" -o \
+ -z "$NOVA_DB_USER" -o \
+ -z "$NOVA_DB_PASSWORD" -o \
+ -z "$NOVA_NOVNCPROXY_BASE_URL" -o \
+ -z "$NOVA_HOST" -o \
+ -z "$NEUTRON_PUBLIC_URL" -o \
+ -z "$NEUTRON_SERVICE_USER" -o \
+ -z "$NEUTRON_SERVICE_PASSWORD" -o \
+ -z "$KEYSTONE_ADMIN_URL" -o \
+ -z "$METADATA_PROXY_SHARED_SECRET" -o \
+ -z "$RABBITMQ_HOST" -o \
+ -z "$RABBITMQ_USER" -o \
+ -z "$RABBITMQ_PASSWORD" -o \
+ -z "$RABBITMQ_PORT" -o \
+ -z "$CONTROLLER_HOST" -o \
+ -z "$GLANCE_HOST" -o \
+ -z "$KEYSTONE_TEMPORARY_ADMIN_TOKEN" -o \
+ -z "$NOVA_PUBLIC_URL" -o \
+ -z "$NOVA_INTERNAL_URL" -o \
+ -z "$NOVA_ADMIN_URL" -o \
+ -z "$NOVA_REGION" ]; then
+ echo Some options required for Nova were defined, but not all.
+ exit 1
+fi
+
+##########################################################################
+# Generate config variable shell snippet
+##########################################################################
+
+OPENSTACK_DATA="$ROOT/etc/openstack"
+mkdir -p "$OPENSTACK_DATA"
+
+python <<'EOF' >"$OPENSTACK_DATA/nova.conf"
+import os, sys, yaml
+
+nova_configuration={
+ 'IDENTITY_URI': os.environ['IDENTITY_URI'],
+ 'KEYSTONE_INTERNAL_URL': os.environ['KEYSTONE_INTERNAL_URL'],
+ 'NOVA_SERVICE_USER': os.environ['NOVA_SERVICE_USER'],
+ 'NOVA_SERVICE_PASSWORD': os.environ['NOVA_SERVICE_PASSWORD'],
+ 'NOVA_DB_USER': os.environ['NOVA_DB_USER'],
+ 'NOVA_DB_PASSWORD': os.environ['NOVA_DB_PASSWORD'],
+ 'NOVA_NOVNCPROXY_BASE_URL': os.environ['NOVA_NOVNCPROXY_BASE_URL'],
+ 'NOVA_HOST': os.environ['NOVA_HOST'],
+ 'NEUTRON_PUBLIC_URL': os.environ['NEUTRON_PUBLIC_URL'],
+ 'NEUTRON_SERVICE_USER': os.environ['NEUTRON_SERVICE_USER'],
+ 'NEUTRON_SERVICE_PASSWORD': os.environ['NEUTRON_SERVICE_PASSWORD'],
+ 'KEYSTONE_ADMIN_URL': os.environ['KEYSTONE_ADMIN_URL'],
+ 'METADATA_PROXY_SHARED_SECRET': os.environ['METADATA_PROXY_SHARED_SECRET'],
+ 'RABBITMQ_HOST': os.environ['RABBITMQ_HOST'],
+ 'RABBITMQ_USER': os.environ['RABBITMQ_USER'],
+ 'RABBITMQ_PASSWORD': os.environ['RABBITMQ_PASSWORD'],
+ 'RABBITMQ_PORT': os.environ['RABBITMQ_PORT'],
+ 'CONTROLLER_HOST': os.environ['CONTROLLER_HOST'],
+ 'GLANCE_HOST': os.environ['GLANCE_HOST'],
+ 'KEYSTONE_TEMPORARY_ADMIN_TOKEN': os.environ['KEYSTONE_TEMPORARY_ADMIN_TOKEN'],
+ 'NOVA_PUBLIC_URL': os.environ['NOVA_PUBLIC_URL'],
+ 'NOVA_INTERNAL_URL': os.environ['NOVA_INTERNAL_URL'],
+ 'NOVA_ADMIN_URL': os.environ['NOVA_ADMIN_URL'],
+ 'NOVA_REGION': os.environ['NOVA_REGION'],
+}
+
+yaml.dump(nova_configuration, sys.stdout, default_flow_style=False)
+EOF
diff --git a/openstack/etc/nova/rootwrap.conf b/openstack/etc/nova/rootwrap.conf
deleted file mode 100644
index aa466c5d..00000000
--- a/openstack/etc/nova/rootwrap.conf
+++ /dev/null
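Review bot: `$OPENSTACK_DATA/nova.conf` is created by plain shell redirection under whatever umask the configure run inherits, with no explicit mode or owner, yet the YAML it receives contains NOVA_DB_PASSWORD, RABBITMQ_PASSWORD, NEUTRON_SERVICE_PASSWORD, METADATA_PROXY_SHARED_SECRET and KEYSTONE_TEMPORARY_ADMIN_TOKEN in clear text, so with a default 022 umask every local account on the resulting image can read them. Put `umask 077` immediately before the `python <<'EOF' >"$OPENSTACK_DATA/nova.conf"` line, or follow the heredoc with `chmod 0600 "$OPENSTACK_DATA/nova.conf"`, unless the top of the script (outside this hunk) already restricts the umask. Two smaller points: the heredoc imports `yaml`, which is PyYAML rather than the standard library, so the host that runs this extension must have it installed or the step fails after the variable check has passed; and the `echo Some options required for Nova were defined, but not all.` diagnostic belongs on stderr (`>&2`) since it precedes `exit 1`.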
@@ -1,27 +0,0 @@
-# Configuration for nova-rootwrap
-# This file should be owned by (and only-writeable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
diff --git a/openstack/etc/nova/rootwrap.d/api-metadata.filters b/openstack/etc/nova/rootwrap.d/api-metadata.filters
deleted file mode 100644
index 1aa6f83e..00000000
--- a/openstack/etc/nova/rootwrap.d/api-metadata.filters
+++ /dev/null
@@ -1,13 +0,0 @@
-# nova-rootwrap command filters for api-metadata nodes
-# This is needed on nova-api hosts running with "metadata" in enabled_apis
-# or when running nova-api-metadata
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, iptables-save, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-
-# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
diff --git a/openstack/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters b/openstack/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters
deleted file mode 100644
index 4132a999..00000000
--- a/openstack/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters
+++ /dev/null
@@ -1,9 +0,0 @@
-# nova-rootwrap command filters for compute nodes
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# nova/virt/baremetal/ipmi.py: 'ipmitool', ..
-ipmitool: CommandFilter, ipmitool, root
-
-# nova/virt/baremetal/ipmi.py: 'kill', '-TERM', str(console_pid)
-kill_shellinaboxd: KillFilter, root, /usr/local/bin/shellinaboxd, -15, -TERM
diff --git a/openstack/etc/nova/rootwrap.d/baremetal-deploy-helper.filters b/openstack/etc/nova/rootwrap.d/baremetal-deploy-helper.filters
deleted file mode 100644
index 6d14b5d9..00000000
--- a/openstack/etc/nova/rootwrap.d/baremetal-deploy-helper.filters
+++ /dev/null
@@ -1,11 +0,0 @@
-# nova-rootwrap command filters for nova-baremetal-deploy-helper
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# nova-baremetal-deploy-helper
-iscsiadm: CommandFilter, iscsiadm, root
-sfdisk: CommandFilter, sfdisk, root
-dd: CommandFilter, dd, root
-mkswap: CommandFilter, mkswap, root
-blkid: CommandFilter, blkid, root
-mkfs: CommandFilter, mkfs, root
diff --git a/openstack/etc/nova/rootwrap.d/compute.filters b/openstack/etc/nova/rootwrap.d/compute.filters
deleted file mode 100644
index b79851b4..00000000
--- a/openstack/etc/nova/rootwrap.d/compute.filters
+++ /dev/null
@@ -1,228 +0,0 @@
-# nova-rootwrap command filters for compute nodes
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# nova/virt/disk/mount/api.py: 'kpartx', '-a', device
-# nova/virt/disk/mount/api.py: 'kpartx', '-d', device
-kpartx: CommandFilter, kpartx, root
-
-# nova/virt/xenapi/vm_utils.py: tune2fs, -O ^has_journal, part_path
-# nova/virt/xenapi/vm_utils.py: tune2fs, -j, partition_path
-tune2fs: CommandFilter, tune2fs, root
-
-# nova/virt/disk/mount/api.py: 'mount', mapped_device
-# nova/virt/disk/api.py: 'mount', '-o', 'bind', src, target
-# nova/virt/xenapi/vm_utils.py: 'mount', '-t', 'ext2,ext3,ext4,reiserfs'..
-# nova/virt/configdrive.py: 'mount', device, mountdir
-# nova/virt/libvirt/volume.py: 'mount', '-t', 'sofs' ...
-mount: CommandFilter, mount, root
-
-# nova/virt/disk/mount/api.py: 'umount', mapped_device
-# nova/virt/disk/api.py: 'umount' target
-# nova/virt/xenapi/vm_utils.py: 'umount', dev_path
-# nova/virt/configdrive.py: 'umount', mountdir
-umount: CommandFilter, umount, root
-
-# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-c', device, image
-# nova/virt/disk/mount/nbd.py: 'qemu-nbd', '-d', device
-qemu-nbd: CommandFilter, qemu-nbd, root
-
-# nova/virt/disk/mount/loop.py: 'losetup', '--find', '--show', image
-# nova/virt/disk/mount/loop.py: 'losetup', '--detach', device
-losetup: CommandFilter, losetup, root
-
-# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
-# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
-blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
-
-# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
-tee: CommandFilter, tee, root
-
-# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
-mkdir: CommandFilter, mkdir, root
-
-# nova/virt/disk/vfs/localfs.py: 'chown'
-# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
-# nova/virt/libvirt/connection.py: 'chown', os.getuid( console_log
-# nova/virt/libvirt/connection.py: 'chown', 'root', basepath('disk')
-chown: CommandFilter, chown, root
-
-# nova/virt/disk/vfs/localfs.py: 'chmod'
-chmod: CommandFilter, chmod, root
-
-# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
-# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
-# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
-# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
-# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
-# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
-# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
-# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
-# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
-# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
-# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
-# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
-# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
-# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
-# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
-# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
-# nova/network/linux_net.py: 'ip', 'route', 'add', ..
-# nova/network/linux_net.py: 'ip', 'route', 'del', .
-# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
-ip: CommandFilter, ip, root
-
-# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
-# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
-tunctl: CommandFilter, tunctl, root
-
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
-# nova/network/linux_net.py: 'ovs-vsctl', ....
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
-# nova/network/linux_net.py: 'ovs-ofctl', ....
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-
-# nova/virt/libvirt/connection.py: 'dd', if=%s % virsh_output, ...
-dd: CommandFilter, dd, root
-
-# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
-iscsiadm: CommandFilter, iscsiadm, root
-
-# nova/virt/libvirt/volume.py: 'aoe-revalidate', aoedev
-# nova/virt/libvirt/volume.py: 'aoe-discover'
-aoe-revalidate: CommandFilter, aoe-revalidate, root
-aoe-discover: CommandFilter, aoe-discover, root
-
-# nova/virt/xenapi/vm_utils.py: parted, --script, ...
-# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
-parted: CommandFilter, parted, root
-
-# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
-pygrub: CommandFilter, pygrub, root
-
-# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
-fdisk: CommandFilter, fdisk, root
-
-# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
-# nova/virt/disk/api.py: e2fsck, -f, -p, image
-e2fsck: CommandFilter, e2fsck, root
-
-# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
-# nova/virt/disk/api.py: resize2fs, image
-resize2fs: CommandFilter, resize2fs, root
-
-# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, iptables-save, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-
-# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
-# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
-arping: CommandFilter, arping, root
-
-# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
-dhcp_release: CommandFilter, dhcp_release, root
-
-# nova/network/linux_net.py: 'kill', '-9', pid
-# nova/network/linux_net.py: 'kill', '-HUP', pid
-kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
-
-# nova/network/linux_net.py: 'kill', pid
-kill_radvd: KillFilter, root, /usr/sbin/radvd
-
-# nova/network/linux_net.py: dnsmasq call
-dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
-
-# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
-radvd: CommandFilter, radvd, root
-
-# nova/network/linux_net.py: 'brctl', 'addbr', bridge
-# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
-# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
-# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
-brctl: CommandFilter, brctl, root
-
-# nova/virt/libvirt/utils.py: 'mkswap'
-# nova/virt/xenapi/vm_utils.py: 'mkswap'
-mkswap: CommandFilter, mkswap, root
-
-# nova/virt/xenapi/vm_utils.py: 'mkfs'
-# nova/utils.py: 'mkfs', fs, path, label
-mkfs: CommandFilter, mkfs, root
-
-# nova/virt/libvirt/utils.py: 'qemu-img'
-qemu-img: CommandFilter, qemu-img, root
-
-# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
-readlink: CommandFilter, readlink, root
-
-# nova/virt/disk/api.py: 'touch', target
-touch: CommandFilter, touch, root
-
-# nova/virt/disk/api.py:
-mkfs.ext3: CommandFilter, mkfs.ext3, root
-mkfs.ntfs: CommandFilter, mkfs.ntfs, root
-
-# nova/virt/libvirt/connection.py:
-read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
-
-# nova/virt/libvirt/connection.py:
-lvremove: CommandFilter, lvremove, root
-
-# nova/virt/libvirt/utils.py:
-lvcreate: CommandFilter, lvcreate, root
-
-# nova/virt/libvirt/utils.py:
-lvs: CommandFilter, lvs, root
-
-# nova/virt/libvirt/utils.py:
-vgs: CommandFilter, vgs, root
-
-# nova/virt/baremetal/volume_driver.py: 'tgtadm', '--lld', 'iscsi', ...
-tgtadm: CommandFilter, tgtadm, root
-
-# nova/utils.py:read_file_as_root: 'cat', file_path
-# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
-read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
-read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
-
-# nova/virt/libvirt/volume.py: 'multipath' '-R'
-multipath: CommandFilter, multipath, root
-
-# nova/virt/libvirt/utils.py:
-systool: CommandFilter, systool, root
-
-# nova/virt/libvirt/volume.py:
-sginfo: CommandFilter, sginfo, root
-sg_scan: CommandFilter, sg_scan, root
-ln: RegExpFilter, ln, root, ln, --symbolic, --force, /dev/mapper/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*, /dev/disk/by-path/ip-.*-iscsi-iqn.2010-10.org.openstack:volume-.*
-
-# nova/volume/encryptors.py:
-# nova/virt/libvirt/dmcrypt.py:
-cryptsetup: CommandFilter, cryptsetup, root
-
-# nova/virt/xenapi/vm_utils.py:
-xenstore-read: CommandFilter, xenstore-read, root
-
-# nova/virt/baremetal/tilera.py: 'rpc.mountd'
-rpc.mountd: CommandFilter, rpc.mountd, root
-
-# nova/virt/libvirt/utils.py:
-rbd: CommandFilter, rbd, root
-
-# nova/virt/libvirt/utils.py: 'shred', '-n3', '-s%d' % volume_size, path
-shred: CommandFilter, shred, root
-
-# nova/virt/libvirt/volume.py: 'cp', '/dev/stdin', delete_control..
-cp: CommandFilter, cp, root
-
-# nova/virt/xenapi/vm_utils.py:
-sync: CommandFilter, sync, root
-
diff --git a/openstack/etc/nova/rootwrap.d/network.filters b/openstack/etc/nova/rootwrap.d/network.filters
deleted file mode 100644
index 568e8d49..00000000
--- a/openstack/etc/nova/rootwrap.d/network.filters
+++ /dev/null
@@ -1,94 +0,0 @@
-# nova-rootwrap command filters for network nodes
-# This file should be owned by (and only-writeable by) the root user
-
-[Filters]
-# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
-# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
-# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
-# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
-# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
-# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
-# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
-# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
-# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
-# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
-# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
-# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
-# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
-# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
-# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
-# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
-# nova/network/linux_net.py: 'ip', 'route', 'add', ..
-# nova/network/linux_net.py: 'ip', 'route', 'del', .
-# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
-ip: CommandFilter, ip, root
-
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
-# nova/network/linux_net.py: 'ovs-vsctl', ....
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
-# nova/network/linux_net.py: 'ovs-ofctl', ....
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-
-# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
-# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
-# nova/network/linux_net.py: 'ivs-ctl', ....
-ivs-ctl: CommandFilter, ivs-ctl, root
-
-# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
-ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
-
-# nova/virt/libvirt/vif.py: 'ebrctl', ...
-ebrctl: CommandFilter, ebrctl, root
-
-# nova/virt/libvirt/vif.py: 'mm-ctl', ...
-mm-ctl: CommandFilter, mm-ctl, root
-
-# nova/network/linux_net.py: 'ebtables', '-D' ...
-# nova/network/linux_net.py: 'ebtables', '-I' ...
-ebtables: CommandFilter, ebtables, root
-ebtables_usr: CommandFilter, ebtables, root
-
-# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, iptables-save, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-
-# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
-# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
-arping: CommandFilter, arping, root
-
-# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
-dhcp_release: CommandFilter, dhcp_release, root
-
-# nova/network/linux_net.py: 'kill', '-9', pid
-# nova/network/linux_net.py: 'kill', '-HUP', pid
-kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
-
-# nova/network/linux_net.py: 'kill', pid
-kill_radvd: KillFilter, root, /usr/sbin/radvd
-
-# nova/network/linux_net.py: dnsmasq call
-dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
-
-# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
-radvd: CommandFilter, radvd, root
-
-# nova/network/linux_net.py: 'brctl', 'addbr', bridge
-# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
-# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
-# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
-brctl: CommandFilter, brctl, root
-
-# nova/network/linux_net.py: 'sysctl', ....
-sysctl: CommandFilter, sysctl, root
-
-# nova/network/linux_net.py: 'conntrack'
-conntrack: CommandFilter, conntrack, root
diff --git a/openstack/etc/systemd/system/openstack-nova-setup.service b/openstack/etc/systemd/system/openstack-nova-setup.service
index e7a9136f..57da91ef 100644
--- a/openstack/etc/systemd/system/openstack-nova-setup.service
+++ b/openstack/etc/systemd/system/openstack-nova-setup.service
@@ -1,11 +1,9 @@
 [Unit]
-Description=Run openstack-nova-setup (once)
+Description=Run nova-setup Ansible scripts
 After=local-fs.target libvirtd.service openstack-keystone-setup.service postgres-server.service
 [Service]
-Type=oneshot
-ExecStart=/usr/share/openstack/openstack-nova-setup
-Restart=no
+ExecStart=/usr/bin/ansible-playbook -v -M /usr/share/openstack/modules -i /usr/share/openstack/hosts /usr/share/openstack/nova.yml
 [Install]
 WantedBy=multi-user.target
diff --git a/openstack/manifest b/openstack/manifest
index d8fe3cb6..c1d9a4b0 100644
--- a/openstack/manifest
+++ b/openstack/manifest
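Review bot: Removing `Type=oneshot` turns this into the default `Type=simple`, so systemd considers openstack-nova-setup started the moment ansible-playbook is exec'd, and anything ordered `After=openstack-nova-setup.service` (the same pattern this unit relies on for openstack-keystone-setup.service) will proceed before the DB sync, Keystone registration and service enablement in nova.yml have finished. Keep `Type=oneshot` and add `RemainAfterExit=yes` so dependants are ordered after the playbook completes and the unit is not re-executed on every activation. Dropping `Restart=no` is harmless on its own because `no` is the default. Since the play renders nova.conf from secrets, it is worth confirming (outside this diff) that `-v` does not echo the templated values into the journal.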
@@ -34,6 +34,14 @@
 0100644 0 0 /usr/share/openstack/modules/neutron_subnet
 0100644 0 0 /usr/share/openstack/modules/nova_flavor
 0100644 0 0 /usr/share/openstack/modules/nova_manage
+0040755 0 0 /usr/share/openstack/nova
+0100644 0 0 /usr/share/openstack/nova.yml
+0100644 0 0 /usr/share/openstack/nova/logging.conf
+0100644 0 0 /usr/share/openstack/nova/nova.conf
+0100644 0 0 /usr/share/openstack/nova/nova-compute.conf
+0100644 0 0 /usr/share/openstack/nova/policy.json
+0100644 0 0 /usr/share/openstack/nova/cells.json
+0100644 0 0 /usr/share/openstack/nova/api-paste.ini
 0100644 0 0 /etc/logrotate.d/openstack-keystone
 0100644 0 0 /etc/systemd/system/openstack-keystone.service
 0100644 0 0 /etc/systemd/system/openstack-keystone-setup.service
@@ -50,14 +58,6 @@
 0100644 0 0 /etc/systemd/system/openstack-glance-api.service
 0100644 0 0 /etc/systemd/system/openstack-glance-registry.service
 0040755 0 0 /var/lib/nova
-0040755 0 0 /etc/nova
-0100644 0 0 /etc/nova/logging.conf
-0100644 0 0 /etc/nova/nova.conf
-0100644 0 0 /etc/nova/nova-compute.conf
-0100644 0 0 /etc/nova/policy.json
-0100644 0 0 /etc/nova/cells.json
-0100644 0 0 /etc/nova/api-paste.ini
-0100755 0 0 /usr/share/openstack/openstack-nova-setup
 0100644 0 0 /etc/systemd/system/openstack-nova-setup.service
 0100644 0 0 /etc/systemd/system/openstack-nova-compute.service
 0100644 0 0 /etc/systemd/system/openstack-nova-conductor.service
diff --git a/openstack/usr/share/openstack/nova.yml b/openstack/usr/share/openstack/nova.yml
new file mode 100644
index 00000000..15b1f3be
--- /dev/null
+++ b/openstack/usr/share/openstack/nova.yml
@@ -0,0 +1,72 @@
+---
+- hosts: localhost
+ vars_files:
+ - "/etc/openstack/nova.conf"
+ tasks:
+ - name: Create the nova user.
+ user: name=nova comment="Openstack Nova Daemons" shell=/sbin/nologin home=/var/lib/nova groups=libvirt append=yes
+
+ - name: Create the /var folders for nova
+ file: path={{ item }} state=directory owner=nova group=nova
+ with_items:
+ - /var/run/nova
+ - /var/lock/nova
+ - /var/log/nova
+ - /var/lib/nova
+ - /var/lib/nova/instances
+
+ - file: path=/etc/nova state=directory
+ - name: Add the configuration needed for nova in /etc/nova using templates
+ template: src=/usr/share/openstack/nova/{{ item }} dest=/etc/nova/{{ item }}
+ with_lines:
+ - (cd /usr/share/openstack/nova && find -type f)
+
+ - keystone_user: >
+ user={{ NOVA_SERVICE_USER }}
+ password={{ NOVA_SERVICE_PASSWORD }}
+ tenant=service
+ token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}
+
+ - keystone_user: >
+ role=admin
+ user={{ NOVA_SERVICE_USER }}
+ tenant=service
+ token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}
+
+ - keystone_service: >
+ name=nova
+ type=compute
+ description="Openstack Compute Service"
+ publicurl={{ NOVA_PUBLIC_URL }}
+ internalurl={{ NOVA_INTERNAL_URL | default('http://127.0.0.1:8774/v2/%(tenant_id)s') }}
+ adminurl={{ NOVA_ADMIN_URL }}
+ region='RegionOne'
+ token={{ KEYSTONE_TEMPORARY_ADMIN_TOKEN }}
+
+ - postgresql_user: name={{ NOVA_DB_USER }}
+ sudo: yes
+ sudo_user: nova
+ - postgresql_db: name=nova owner={{ NOVA_DB_USER }}
+ sudo: yes
+ sudo_user: nova
+
+ - nova_manage: action=dbsync
+ sudo: yes
+ sudo_user: nova
+
+
+
+# [1] Never enable openstack-nova-conductor service in a node with
+# openstack-nova-compute or the security benefits of removing
+# database access from nova-compute will be negated
+#systemctl start openstack-nova-conductor
+ - name: Enable and start openstack-nova services
+ service: name={{ item }} enabled=yes state=started
+ with_items:
+ - openstack-nova-api.service
+ - openstack-nova-cert.service
+ - openstack-nova-compute.service
+ - openstack-nova-consoleauth.service
+ - openstack-nova-novncproxy.service
+ - openstack-nova-scheduler.service
+# - openstack-nova-conductor.service
diff --git a/openstack/etc/nova/api-paste.ini b/openstack/usr/share/openstack/nova/api-paste.ini
index 2a825a5b..2a825a5b 100644
--- a/openstack/etc/nova/api-paste.ini
+++ b/openstack/usr/share/openstack/nova/api-paste.ini
diff --git a/openstack/etc/nova/cells.json b/openstack/usr/share/openstack/nova/cells.json
index cc74930d..cc74930d 100644
--- a/openstack/etc/nova/cells.json
+++ b/openstack/usr/share/openstack/nova/cells.json
diff --git a/openstack/etc/nova/logging.conf b/openstack/usr/share/openstack/nova/logging.conf
index 5482a040..5482a040 100644
--- a/openstack/etc/nova/logging.conf
+++ b/openstack/usr/share/openstack/nova/logging.conf
diff --git a/openstack/etc/nova/nova-compute.conf b/openstack/usr/share/openstack/nova/nova-compute.conf
index 1ef5590c..1ef5590c 100644
--- a/openstack/etc/nova/nova-compute.conf
+++ b/openstack/usr/share/openstack/nova/nova-compute.conf
diff --git a/openstack/etc/nova/nova.conf b/openstack/usr/share/openstack/nova/nova.conf
index b703591f..45615927 100644
--- a/openstack/etc/nova/nova.conf
+++ b/openstack/usr/share/openstack/nova/nova.conf
@@ -54,7 +54,7 @@ logdir=/var/log/nova
 # Mandatory general options #
 #############################
 # ip address of this host (string value)
-my_ip=##NOVA_HOST##
+my_ip={{ NOVA_HOST }}
 #use_ipv6=false
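Review bot: The `template:` task that renders `/etc/nova/{{ item }}` sets no `owner`, `group` or `mode`, so nova.conf — which after this commit carries the database, RabbitMQ, Neutron and Keystone admin passwords plus the metadata proxy shared secret — is written with Ansible's default, umask-derived permissions (typically world-readable); change it to `template: src=/usr/share/openstack/nova/{{ item }} dest=/etc/nova/{{ item }} owner=root group=nova mode=0640` and give the preceding `- file: path=/etc/nova state=directory` task `owner=root group=nova mode=0750`. `region='RegionOne'` in the keystone_service task is hard-coded even though NOVA_REGION is mandatory in the configure check and present in the vars file, so `region={{ NOVA_REGION }}` would honour the operator's value. Note also that rootwrap.conf and the rootwrap.d filter files deleted in this commit do not reappear under /usr/share/openstack/nova, so the `find -type f` loop cannot recreate them in /etc/nova; since the old manifest never listed them this may just be removal of unpackaged files, but if nova-compute is expected to run through rootwrap (not visible here) it is left with no filter definitions.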
@@ -181,12 +181,12 @@ scheduler_default_filters=AggregateInstanceExtraSpecsFilter,AvailabilityZoneFilt
 ############
 # RABBITMQ #
 ############
-rabbit_host = ##RABBITMQ_HOST##
+rabbit_host = {{ RABBITMQ_HOST }}
 #fake_rabbit=false
 #rabbit_virtual_host=/
-rabbit_userid = ##RABBITMQ_USER##
-rabbit_password = ##RABBITMQ_PASSWORD##
-rabbit_port = ##RABBITMQ_PORT##
+rabbit_userid = {{ RABBITMQ_USER }}
+rabbit_password = {{ RABBITMQ_PASSWORD }}
+rabbit_port = {{ RABBITMQ_PORT }}
 rabbit_use_ssl=false
 #rabbit_retry_interval=1
 # The messaging module to use, defaults to kombu (works for rabbit).
@@ -196,7 +196,7 @@ rpc_backend = nova.openstack.common.rpc.impl_kombu
 ##########
 # GLANCE #
 ##########
-host=##GLANCE_HOST##
+host={{ GLANCE_HOST }}
 port=9292
 protocol=http
@@ -281,13 +281,13 @@ flat_interface=eth0
 # Neutron #
 ###########
 # This is the URL of your neutron server:
-neutron_url=##NEUTRON_PUBLIC_URL##
+neutron_url={{ NEUTRON_PUBLIC_URL }}
 neutron_auth_strategy=keystone
 neutron_admin_tenant_name=service
-neutron_admin_username=##NEUTRON_SERVICE_USER##
-neutron_admin_password=##NEUTRON_SERVICE_PASSWORD##
+neutron_admin_username={{ NEUTRON_SERVICE_USER }}
+neutron_admin_password={{ NEUTRON_SERVICE_PASSWORD }}
 # This is the URL of your Keystone server
-neutron_admin_auth_url=##KEYSTONE_ADMIN_URL##
+neutron_admin_auth_url={{ KEYSTONE_ADMIN_URL }}
 # What's below is only needed for nova-compute.
@@ -300,7 +300,7 @@ service_neutron_metadata_proxy=True
 # Shared secret to validate proxies Neutron metadata requests
 # This password should match what is in /etc/neutron/metadata_agent.ini
 # (string value)
-neutron_metadata_proxy_shared_secret= ##METADATA_PROXY_SHARED_SECRET##
+neutron_metadata_proxy_shared_secret= {{ METADATA_PROXY_SHARED_SECRET }}
 #################
 # NOVNC CONSOLE #
@@ -314,10 +314,10 @@ neutron_metadata_proxy_shared_secret= ##METADATA_PROXY_SHARED_SECRET##
 # NoVNC form now on (VMs video card needs to be attached to a console type, and
 # they can accept only one video card at a time).
 vnc_enabled=True
-novncproxy_base_url=##NOVA_NOVNCPROXY_BASE_URL##
+novncproxy_base_url={{ NOVA_NOVNCPROXY_BASE_URL }}
 # Change vncserver_proxyclient_address and vncserver_listen to match each compute host
-vncserver_proxyclient_address=##NOVA_HOST##
-vncserver_listen=##NOVA_HOST##
+vncserver_proxyclient_address={{ NOVA_HOST }}
+vncserver_listen={{ NOVA_HOST }}
 vnc_keymap="en-us"
 ######################################
@@ -365,7 +365,7 @@ vnc_keymap="en-us"
 # DATABASE #
 ############
 [database]
-connection=postgresql://##NOVA_DB_USER##:##NOVA_DB_PASSWORD##@onenode/nova
+connection=postgresql://{{ NOVA_DB_USER }}:{{ NOVA_DB_PASSWORD }}@{{ CONTROLLER_HOST }}/nova
 #############
 # CONDUCTOR #
@@ -602,13 +602,13 @@ enabled=false
 # Keystone authtoken #
 ######################
 [keystone_authtoken]
-identity_uri = ##IDENTITY_URI##
-auth_uri = ##KEYSTONE_INTERNAL_URL##
+identity_uri = {{ IDENTITY_URI }}
+auth_uri = {{ KEYSTONE_INTERNAL_URL }}
 auth_port = 35357
 auth_protocol = http
 admin_tenant_name = service
-admin_user = ##NOVA_SERVICE_USER##
-admin_password = ##NOVA_SERVICE_PASSWORD##
+admin_user = {{ NOVA_SERVICE_USER }}
+admin_password = {{ NOVA_SERVICE_PASSWORD }}
 auth_version = v2.0
 ###########
diff --git a/openstack/etc/nova/nova.conf.example b/openstack/usr/share/openstack/nova/nova.conf.example
index 999574ca..999574ca 100644
--- a/openstack/etc/nova/nova.conf.example
+++ b/openstack/usr/share/openstack/nova/nova.conf.example
diff --git a/openstack/etc/nova/policy.json b/openstack/usr/share/openstack/nova/policy.json
index cc5b8ea4..cc5b8ea4 100644
--- a/openstack/etc/nova/policy.json
+++ b/openstack/usr/share/openstack/nova/policy.json
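Review bot: `connection=postgresql://{{ NOVA_DB_USER }}:{{ NOVA_DB_PASSWORD }}@{{ CONTROLLER_HOST }}/nova` in the hunk at 365 splices the credentials raw into a URL, so a password containing `@`, `:`, `/`, `#` or `%` yields a connection string that parses as a different host or user, or does not parse at all, and the failure only shows up when nova first touches the database. If the renderer is Jinja2, `{{ NOVA_DB_USER | urlencode }}:{{ NOVA_DB_PASSWORD | urlencode }}` keeps arbitrary values intact; the plain key/value options in the other hunks do not need this. Separately, with `admin_password = {{ NOVA_SERVICE_PASSWORD }}` in the hunk at 602 the rendered nova.conf carries the service, RabbitMQ and database passwords in clear, and since the template itself now lives under /usr/share/openstack it is presumably world-readable, so the render step outside this diff should write the output with a nova-only mode (for example 0640, owner root, group nova) rather than inheriting the template's permissions.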
diff --git a/openstack/etc/nova/release.sample b/openstack/usr/share/openstack/nova/release.sample
index 4c0d8e48..4c0d8e48 100644
--- a/openstack/etc/nova/release.sample
+++ b/openstack/usr/share/openstack/nova/release.sample
diff --git a/openstack/usr/share/openstack/openstack-nova-setup b/openstack/usr/share/openstack/openstack-nova-setup
deleted file mode 100644
index 7168e7c2..00000000
--- a/openstack/usr/share/openstack/openstack-nova-setup
+++ /dev/null
@@ -1,133 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2014 Codethink Limited
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-set -e
-
-# Create required system users and groups
-
-getent group nova >/dev/null || groupadd -r --gid 162 nova
-getent passwd nova >/dev/null || \
-    useradd --uid 162 -r -g nova -d /var/lib/nova -s /sbin/nologin \
-        -c "OpenStack Nova Daemons" nova
-
-# Create the keystone user and services
-
-export OS_SERVICE_TOKEN=##KEYSTONE_TEMPORARY_ADMIN_TOKEN##
-export OS_SERVICE_ENDPOINT='http://onenode:35357/v2.0'
-
-keystone user-create --name ##NOVA_SERVICE_USER## --pass ##NOVA_SERVICE_PASSWORD##
-keystone user-role-add --tenant service --user ##NOVA_SERVICE_USER## --role admin
-
-keystone service-create --name nova --type compute --description "OpenStack Compute Service"
-keystone endpoint-create --service-id $(keystone service-list | awk '/ compute / {print $2}') \
-    --publicurl ##NOVA_PUBLIC_URL## \
-    --internalurl ##NOVA_INTERNAL_URL## \
-    --adminurl ##NOVA_ADMIN_URL## \
-    --region ##NOVA_REGION##
-
-# Nova compute configuration
-if [ ! -d /var/run/nova ]; then
-    mkdir -p /var/run/nova
-    chown -R nova:nova /var/run/nova
-fi
-
-if [ ! -d /var/lock/nova ]; then
-    mkdir -p /var/lock/nova
-    chown -R nova:nova /var/lock/nova
-fi
-
-if [ ! -d /var/log/nova ]; then
-    mkdir -p /var/log/nova
-    chown -R nova:nova /var/log/nova
-fi
-
-if [ ! -d /var/lib/nova/instances ]; then
-    mkdir /var/lib/nova/instances
-    chown -R nova:nova /var/lib/nova/instances
-fi
-
-# Setup the nova database
-if ! sudo -u postgres psql -lqt | grep -q nova; then
-    # Create posgreSQL user
-    sudo -u postgres createuser \
-        --pwprompt --encrypted \
-        --no-adduser --no-createdb \
-        --no-password \
-        ##NOVA_DB_USER##
-
-    sudo -u postgres createdb \
-        --owner=##NOVA_DB_USER## \
-        nova
-
-    sudo -u nova nova-manage db sync
-fi
-
-# Nova novncproxy needs /usr/share/novnc folder available
-if [ ! -d /usr/share/novnc ]; then
-    mkdir /usr/share/novnc
-    chown -R nova:nova /usr/share/novnc
-fi
-
-chown -R nova:nova /var/lib/nova
-
-# Add nova to the libvirt group
-usermod -a -G libvirt nova
-
-# Check existence of Network Block Device module in the kernel
-# NOTE: modprobe does not work actually and returns always
-# failure, enable this check when modprobe is fixed.
-#modprobe nbd
-
-# Remove the one-shot setup service
-rm /etc/systemd/system/multi-user.target.wants/openstack-nova-setup.service
-
-# Start nova services
-systemctl start openstack-nova-compute
-# [1] Never enable openstack-nova-conductor service in a node with
-# openstack-nova-compute or the security benefits of removing
-# database access from nova-compute will be negated
-#systemctl start openstack-nova-conductor
-systemctl start openstack-nova-api
-systemctl start openstack-nova-cert
-systemctl start openstack-nova-consoleauth
-systemctl start openstack-nova-scheduler
-systemctl start openstack-nova-novncproxy
-#systemctl start openstack-nova-xvpnvncproxy
-
-# Create the links to run nova services when system start next times.
-ln -s "/etc/systemd/system/openstack-nova-compute.service" \
-    "/etc/systemd/system/multi-user.target.wants/openstack-nova-compute.service"
-# See description of why this shouldn't run in a openstack in one node in [1]
-#ln -s "/etc/systemd/system/openstack-nova-conductor.service" \
-#    "/etc/systemd/system/multi-user.target.wants/openstack-nova-conductor.service"
-
-ln -s "/etc/systemd/system/openstack-nova-api.service" \
-    "/etc/systemd/system/multi-user.target.wants/openstack-nova-api.service"
-
-ln -s "/etc/systemd/system/openstack-nova-cert.service" \
-    "/etc/systemd/system/multi-user.target.wants/openstack-nova-cert.service"
-
-ln -s "/etc/systemd/system/openstack-nova-consoleauth.service" \
-    "/etc/systemd/system/multi-user.target.wants/openstack-nova-consoleauth.service"
-
-ln -s "/etc/systemd/system/openstack-nova-scheduler.service" \
-    "/etc/systemd/system/multi-user.target.wants/openstack-nova-scheduler.service"
-
-ln -s "/etc/systemd/system/openstack-nova-novncproxy.service" \
-    "/etc/systemd/system/multi-user.target.wants/openstack-nova-novncproxy.service"
-
-exit 0 |