@@ -56,6 +56,34 @@ function configure_nova_hypervisor() {
|
| 56 | 56 |
# Need to avoid crash due to new firewall support |
| 57 | 57 |
XEN_FIREWALL_DRIVER=${XEN_FIREWALL_DRIVER:-"nova.virt.firewall.IptablesFirewallDriver"}
|
| 58 | 58 |
iniset $NOVA_CONF DEFAULT firewall_driver "$XEN_FIREWALL_DRIVER" |
| 59 |
+ |
|
| 60 |
+ local dom0_ip |
|
| 61 |
+ dom0_ip=$(echo "$XENAPI_CONNECTION_URL" | cut -d "/" -f 3-) |
|
| 62 |
+ |
|
| 63 |
+ local ssh_dom0 |
|
| 64 |
+ ssh_dom0="sudo -u $DOMZERO_USER ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@$dom0_ip" |
|
| 65 |
+ |
|
| 66 |
+ # install nova plugins to dom0 |
|
| 67 |
+ tar -czf - -C $NOVA_DIR/plugins/xenserver/xenapi/etc/xapi.d/plugins/ ./ | |
|
| 68 |
+ $ssh_dom0 'tar -xzf - -C /etc/xapi.d/plugins/ && chmod a+x /etc/xapi.d/plugins/*' |
|
| 69 |
+ |
|
| 70 |
+ # install console logrotate script |
|
| 71 |
+ tar -czf - -C $NOVA_DIR/tools/xenserver/ rotate_xen_guest_logs.sh | |
|
| 72 |
+ $ssh_dom0 'tar -xzf - -C /root/ && chmod +x /root/rotate_xen_guest_logs.sh && mkdir -p /var/log/xen/guest' |
|
| 73 |
+ |
|
| 74 |
+ # Create a cron job that will rotate guest logs |
|
| 75 |
+ $ssh_dom0 crontab - << CRONTAB |
|
| 76 |
+* * * * * /root/rotate_xen_guest_logs.sh |
|
| 77 |
+CRONTAB |
|
| 78 |
+ |
|
| 79 |
+ # Create directories for kernels and images |
|
| 80 |
+ {
|
|
| 81 |
+ echo "set -eux" |
|
| 82 |
+ cat $TOP_DIR/tools/xen/functions |
|
| 83 |
+ echo "create_directory_for_images" |
|
| 84 |
+ echo "create_directory_for_kernels" |
|
| 85 |
+ } | $ssh_dom0 |
|
| 86 |
+ |
|
| 59 | 87 |
} |
| 60 | 88 |
|
| 61 | 89 |
# install_nova_hypervisor() - Install external components |
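Review bot: `dom0_ip=$(echo "$XENAPI_CONNECTION_URL" | cut -d "/" -f 3-)` keeps every field after the scheme, so a URL with a trailing slash or path (`http://host/`) yields `host/` and the `root@$dom0_ip` target built into `ssh_dom0` is wrong; `dom0_ip=${XENAPI_CONNECTION_URL#*://}` followed by `dom0_ip=${dom0_ip%%/*}` takes only the authority part (the tools script in this same change uses `tr -d -c '1234567890.'` for the same address, so the two should at least agree). The `ssh_dom0` command pairs `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so the root session that writes executables into `/etc/xapi.d/plugins/` and installs a root crontab on dom0 never authenticates the host; if the management link is trusted by assumption, state that in a comment above the assignment, otherwise point `UserKnownHostsFile` at a file holding dom0's key instead of disabling verification. `$NOVA_DIR` and `$TOP_DIR` in the `tar -C` and `cat` lines are unquoted.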
@@ -245,6 +245,10 @@ case "$VIRT_DRIVER" in |
| 245 | 245 |
xenserver) |
| 246 | 246 |
# Xen config common to nova and neutron |
| 247 | 247 |
XENAPI_USER=${XENAPI_USER:-"root"}
|
| 248 |
+ # This user will be used for dom0 - domU communication |
|
| 249 |
+ # should be able to log in to dom0 without a password |
|
| 250 |
+ # will be used to install the plugins |
|
| 251 |
+ DOMZERO_USER=${DOMZERO_USER:-"domzero"}
|
|
| 248 | 252 |
;; |
| 249 | 253 |
*) |
| 250 | 254 |
;; |
@@ -336,3 +336,11 @@ function max_vcpus() {
|
| 336 | 336 |
xe vm-param-set uuid=$vm VCPUs-max=$cpu_count |
| 337 | 337 |
xe vm-param-set uuid=$vm VCPUs-at-startup=$cpu_count |
| 338 | 338 |
} |
| 339 |
+ |
|
| 340 |
+function get_domid() {
|
|
| 341 |
+ local vm_name_label |
|
| 342 |
+ |
|
| 343 |
+ vm_name_label="$1" |
|
| 344 |
+ |
|
| 345 |
+ xe vm-list name-label="$vm_name_label" params=dom-id minimal=true |
|
| 346 |
+} |
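Review bot: `get_domid` returns whatever `xe vm-list ... minimal=true` prints, and when several VMs share the `name-label` that is a comma-separated list, which the callers in this change (`domid=$(get_domid "$GUEST_NAME")` and `DOMID=$(get_domid "$GUEST_NAME")`) then splice into xenstore paths and the `xenstore-chmod ... r$DOMID` argument unchecked. Capture the output first and fail unless it is a single number, e.g. `[[ "$domid" =~ ^[0-9]+$ ]] || { echo "get_domid: expected exactly one VM named $vm_name_label" >&2; return 1; }`, so a duplicate or missing VM is reported here rather than as a confusing xenstore error. The `local vm_name_label` / blank line / assignment triple can be `local vm_name_label=$1` since no command substitution is involved, and a one-line header comment such as `# Print the dom-id of the running VM whose name-label is $1` would document the contract.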
@@ -67,21 +67,6 @@ fi |
| 67 | 67 |
|
| 68 | 68 |
# Install plugins |
| 69 | 69 |
|
| 70 |
-## Nova plugins |
|
| 71 |
-NOVA_ZIPBALL_URL=${NOVA_ZIPBALL_URL:-$(zip_snapshot_location $NOVA_REPO $NOVA_BRANCH)}
|
|
| 72 |
-EXTRACTED_NOVA=$(extract_remote_zipball "$NOVA_ZIPBALL_URL") |
|
| 73 |
-install_xapi_plugins_from "$EXTRACTED_NOVA" |
|
| 74 |
- |
|
| 75 |
-LOGROT_SCRIPT=$(find "$EXTRACTED_NOVA" -name "rotate_xen_guest_logs.sh" -print) |
|
| 76 |
-if [ -n "$LOGROT_SCRIPT" ]; then |
|
| 77 |
- mkdir -p "/var/log/xen/guest" |
|
| 78 |
- cp "$LOGROT_SCRIPT" /root/consolelogrotate |
|
| 79 |
- chmod +x /root/consolelogrotate |
|
| 80 |
- echo "* * * * * /root/consolelogrotate" | crontab |
|
| 81 |
-fi |
|
| 82 |
- |
|
| 83 |
-rm -rf "$EXTRACTED_NOVA" |
|
| 84 |
- |
|
| 85 | 70 |
## Install the netwrap xapi plugin to support agent control of dom0 networking |
| 86 | 71 |
if [[ "$ENABLED_SERVICES" =~ "q-agt" && "$Q_PLUGIN" = "openvswitch" ]]; then |
| 87 | 72 |
NEUTRON_ZIPBALL_URL=${NEUTRON_ZIPBALL_URL:-$(zip_snapshot_location $NEUTRON_REPO $NEUTRON_BRANCH)}
|
@@ -90,9 +75,6 @@ if [[ "$ENABLED_SERVICES" =~ "q-agt" && "$Q_PLUGIN" = "openvswitch" ]]; then |
| 90 | 90 |
rm -rf "$EXTRACTED_NEUTRON" |
| 91 | 91 |
fi |
| 92 | 92 |
|
| 93 |
-create_directory_for_kernels |
|
| 94 |
-create_directory_for_images |
|
| 95 |
- |
|
| 96 | 93 |
# |
| 97 | 94 |
# Configure Networking |
| 98 | 95 |
# |
@@ -188,7 +170,7 @@ function wait_for_VM_to_halt() {
|
| 188 | 188 |
set +x |
| 189 | 189 |
echo "Waiting for the VM to halt. Progress in-VM can be checked with vncviewer:" |
| 190 | 190 |
mgmt_ip=$(echo $XENAPI_CONNECTION_URL | tr -d -c '1234567890.') |
| 191 |
- domid=$(xe vm-list name-label="$GUEST_NAME" params=dom-id minimal=true) |
|
| 191 |
+ domid=$(get_domid "$GUEST_NAME") |
|
| 192 | 192 |
port=$(xenstore-read /local/domain/$domid/console/vnc-port) |
| 193 | 193 |
echo "vncviewer -via root@$mgmt_ip localhost:${port:2}"
|
| 194 | 194 |
while true; do |
@@ -359,6 +341,37 @@ else |
| 359 | 359 |
fi |
| 360 | 360 |
fi |
| 361 | 361 |
|
| 362 |
+# Create an ssh-keypair, and set it up for dom0 user |
|
| 363 |
+rm -f /root/dom0key /root/dom0key.pub |
|
| 364 |
+ssh-keygen -f /root/dom0key -P "" -C "dom0" |
|
| 365 |
+DOMID=$(get_domid "$GUEST_NAME") |
|
| 366 |
+ |
|
| 367 |
+xenstore-write /local/domain/$DOMID/authorized_keys/$DOMZERO_USER "$(cat /root/dom0key.pub)" |
|
| 368 |
+xenstore-chmod -u /local/domain/$DOMID/authorized_keys/$DOMZERO_USER r$DOMID |
|
| 369 |
+ |
|
| 370 |
+function run_on_appliance() {
|
|
| 371 |
+ ssh \ |
|
| 372 |
+ -i /root/dom0key \ |
|
| 373 |
+ -o UserKnownHostsFile=/dev/null \ |
|
| 374 |
+ -o StrictHostKeyChecking=no \ |
|
| 375 |
+ -o BatchMode=yes \ |
|
| 376 |
+ "$DOMZERO_USER@$OS_VM_MANAGEMENT_ADDRESS" "$@" |
|
| 377 |
+} |
|
| 378 |
+ |
|
| 379 |
+# Wait until we can log in to the appliance |
|
| 380 |
+while ! run_on_appliance true; do |
|
| 381 |
+ sleep 1 |
|
| 382 |
+done |
|
| 383 |
+ |
|
| 384 |
+# Remove authenticated_keys updater cronjob |
|
| 385 |
+echo "" | run_on_appliance crontab - |
|
| 386 |
+ |
|
| 387 |
+# Generate a passwordless ssh key for domzero user |
|
| 388 |
+echo "ssh-keygen -f /home/$DOMZERO_USER/.ssh/id_rsa -C $DOMZERO_USER@appliance -N \"\" -q" | run_on_appliance |
|
| 389 |
+ |
|
| 390 |
+# Authenticate that user to dom0 |
|
| 391 |
+run_on_appliance cat /home/$DOMZERO_USER/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys |
|
| 392 |
+ |
|
| 362 | 393 |
# If we have copied our ssh credentials, use ssh to monitor while the installation runs |
| 363 | 394 |
WAIT_TILL_LAUNCH=${WAIT_TILL_LAUNCH:-1}
|
| 364 | 395 |
COPYENV=${COPYENV:-1}
|
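Review bot: `run_on_appliance cat /home/$DOMZERO_USER/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys` installs the guest's domzero key into dom0's root account with no key options, so an unprivileged account inside the appliance now holds unrestricted root on the hypervisor, and every rerun of this script appends another entry while `rm -f /root/dom0key /root/dom0key.pub` only discards the dom0-side key. At minimum prefix the entry with a source restriction, `printf 'from="%s" %s\n' "$OS_VM_MANAGEMENT_ADDRESS" "$(run_on_appliance cat /home/$DOMZERO_USER/.ssh/id_rsa.pub)" >> /root/.ssh/authorized_keys`, and add a comment explaining that root (rather than a restricted dom0 account) is needed because the plugin install in `configure_nova_hypervisor` writes under `/etc/xapi.d/plugins/` and root's crontab. The `while ! run_on_appliance true; do sleep 1; done` loop has no upper bound, so a guest that never brings up sshd hangs the install silently; a retry counter with a diagnostic to stderr would surface that. The `# Generate a passwordless ssh key` comment should also say that the private key stays inside the appliance and is only ever used to reach dom0, since that is the reason an empty passphrase is acceptable here.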
@@ -18,6 +18,57 @@ set -o xtrace |
| 18 | 18 |
GUEST_PASSWORD="$1" |
| 19 | 19 |
XS_TOOLS_PATH="$2" |
| 20 | 20 |
STACK_USER="$3" |
| 21 |
+DOMZERO_USER="$4" |
|
| 22 |
+ |
|
| 23 |
+ |
|
| 24 |
+function setup_domzero_user() {
|
|
| 25 |
+ local username |
|
| 26 |
+ |
|
| 27 |
+ username="$1" |
|
| 28 |
+ |
|
| 29 |
+ local key_updater_script |
|
| 30 |
+ local sudoers_file |
|
| 31 |
+ key_updater_script="/home/$username/update_authorized_keys.sh" |
|
| 32 |
+ sudoers_file="/etc/sudoers.d/allow_$username" |
|
| 33 |
+ |
|
| 34 |
+ # Create user |
|
| 35 |
+ adduser --disabled-password --quiet "$username" --gecos "$username" |
|
| 36 |
+ |
|
| 37 |
+ # Give passwordless sudo |
|
| 38 |
+ cat > $sudoers_file << EOF |
|
| 39 |
+ $username ALL = NOPASSWD: ALL |
|
| 40 |
+EOF |
|
| 41 |
+ chmod 0440 $sudoers_file |
|
| 42 |
+ |
|
| 43 |
+ # A script to populate this user's authenticated_keys from xenstore |
|
| 44 |
+ cat > $key_updater_script << EOF |
|
| 45 |
+#!/bin/bash |
|
| 46 |
+set -eux |
|
| 47 |
+ |
|
| 48 |
+DOMID=\$(sudo xenstore-read domid) |
|
| 49 |
+sudo xenstore-exists /local/domain/\$DOMID/authorized_keys/$username |
|
| 50 |
+sudo xenstore-read /local/domain/\$DOMID/authorized_keys/$username > /home/$username/xenstore_value |
|
| 51 |
+cat /home/$username/xenstore_value > /home/$username/.ssh/authorized_keys |
|
| 52 |
+EOF |
|
| 53 |
+ |
|
| 54 |
+ # Give the key updater to the user |
|
| 55 |
+ chown $username:$username $key_updater_script |
|
| 56 |
+ chmod 0700 $key_updater_script |
|
| 57 |
+ |
|
| 58 |
+ # Setup the .ssh folder |
|
| 59 |
+ mkdir -p /home/$username/.ssh |
|
| 60 |
+ chown $username:$username /home/$username/.ssh |
|
| 61 |
+ chmod 0700 /home/$username/.ssh |
|
| 62 |
+ touch /home/$username/.ssh/authorized_keys |
|
| 63 |
+ chown $username:$username /home/$username/.ssh/authorized_keys |
|
| 64 |
+ chmod 0600 /home/$username/.ssh/authorized_keys |
|
| 65 |
+ |
|
| 66 |
+ # Setup the key updater as a cron job |
|
| 67 |
+ crontab -u $username - << EOF |
|
| 68 |
+* * * * * $key_updater_script |
|
| 69 |
+EOF |
|
| 70 |
+ |
|
| 71 |
+} |
|
| 21 | 72 |
|
| 22 | 73 |
# Install basics |
| 23 | 74 |
apt-get update |
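Review bot: `$username ALL = NOPASSWD: ALL` in `setup_domzero_user` grants the new account unrestricted passwordless sudo, while the only privileged work visible in the hunk is the `sudo xenstore-exists` / `sudo xenstore-read` pair in the generated updater script; scope the rule to those two commands (by full path, as sudoers requires) and run `visudo -c -f "$sudoers_file"` after writing the file, since a syntax error in a sudoers.d fragment is otherwise only discovered at the next sudo. sudo also skips files under `/etc/sudoers.d` whose name contains a `.` or ends in `~`, so `allow_$username` silently does nothing for such a username, and `DOMZERO_USER="$4"` at the top of the file is never validated either; `: "${DOMZERO_USER:?domzero user name required}"` before the call in the later hunk would stop `adduser` from running with an empty name. The updater overwrites the whole `authorized_keys` every minute from xenstore and leaves `/home/$username/xenstore_value` behind, which deserves a comment stating that this is intended only until the dom0 side removes the cron job.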
@@ -48,6 +99,8 @@ useradd $STACK_USER -s /bin/bash -d /opt/stack -G libvirtd |
| 48 | 48 |
echo $STACK_USER:$GUEST_PASSWORD | chpasswd |
| 49 | 49 |
echo "$STACK_USER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers |
| 50 | 50 |
|
| 51 |
+setup_domzero_user "$DOMZERO_USER" |
|
| 52 |
+ |
|
| 51 | 53 |
# Add an udev rule, so that new block devices could be written by stack user |
| 52 | 54 |
cat > /etc/udev/rules.d/50-openstack-blockdev.rules << EOF |
| 53 | 55 |
KERNEL=="xvd[b-z]", GROUP="$STACK_USER", MODE="0660" |
@@ -86,7 +86,7 @@ cp $STAGING_DIR/etc/rc.local $STAGING_DIR/etc/rc.local.preparebackup |
| 86 | 86 |
cat <<EOF >$STAGING_DIR/etc/rc.local |
| 87 | 87 |
#!/bin/sh -e |
| 88 | 88 |
bash /opt/stack/prepare_guest.sh \\ |
| 89 |
- "$GUEST_PASSWORD" "$XS_TOOLS_PATH" "$STACK_USER" \\ |
|
| 89 |
+ "$GUEST_PASSWORD" "$XS_TOOLS_PATH" "$STACK_USER" "$DOMZERO_USER" \\ |
|
| 90 | 90 |
> /opt/stack/prepare_guest.log 2>&1 |
| 91 | 91 |
EOF |
| 92 | 92 |
|