* Start n-api proxy if 'tls-proxy' is enabled
* Configure nova service catalog for TLS
Change-Id: If031eb315f76c5c441a25fe3582b626bbee73c6e
| ... | ... |
@@ -996,6 +996,14 @@ function use_exclusive_service {
|
| 996 | 996 |
return 0 |
| 997 | 997 |
} |
| 998 | 998 |
|
| 999 |
+# Wait for an HTTP server to start answering requests |
|
| 1000 |
+# wait_for_service timeout url |
|
| 1001 |
+function wait_for_service() {
|
|
| 1002 |
+ local timeout=$1 |
|
| 1003 |
+ local url=$2 |
|
| 1004 |
+ timeout $timeout sh -c "while ! http_proxy= https_proxy= curl -s $url >/dev/null; do sleep 1; done" |
|
| 1005 |
+} |
|
| 1006 |
+ |
|
| 999 | 1007 |
# Wrapper for ``yum`` to set proxy environment variables |
| 1000 | 1008 |
# Uses globals ``OFFLINE``, ``*_proxy` |
| 1001 | 1009 |
# yum_install package [package ...] |
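Review bot: In `wait_for_service`, `$url` is expanded inside the double-quoted `sh -c` string, so the inner shell parses it a second time and any space, `;`, `&` or `$(...)` in the value is treated as shell syntax instead of as part of the URL. Passing it as a positional parameter avoids the re-parse: `timeout "$timeout" sh -c 'while ! http_proxy= https_proxy= curl -s "$1" >/dev/null; do sleep 1; done' sh "$url"`. Two behaviours also deserve a line in the function's header comment. `curl -s` exits 0 on any HTTP response, including a 5xx, whereas the `wget -q` loop this helper replaces in stack.sh treats server errors as failure. For an `https://` URL, a certificate-verification failure looks the same as "not started yet" until the timeout expires.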
| ... | ... |
@@ -39,6 +39,12 @@ NOVA_CONF_DIR=/etc/nova |
| 39 | 39 |
NOVA_CONF=$NOVA_CONF_DIR/nova.conf |
| 40 | 40 |
NOVA_API_PASTE_INI=${NOVA_API_PASTE_INI:-$NOVA_CONF_DIR/api-paste.ini}
|
| 41 | 41 |
|
| 42 |
+# Public facing bits |
|
| 43 |
+NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
|
|
| 44 |
+NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
|
|
| 45 |
+NOVA_SERVICE_PORT_INT=${NOVA_SERVICE_PORT_INT:-18774}
|
|
| 46 |
+NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
|
| 47 |
+ |
|
| 42 | 48 |
# Support entry points installation of console scripts |
| 43 | 49 |
if [[ -d $NOVA_DIR/bin ]]; then |
| 44 | 50 |
NOVA_BIN_DIR=$NOVA_DIR/bin |
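Review bot: `NOVA_SERVICE_PROTOCOL` falls back to `$SERVICE_PROTOCOL` with no literal default, while the endpoint lines removed in `create_nova_accounts` hardcoded `http`. If `SERVICE_PROTOCOL` is unset when this file is sourced (its definition is not visible here), the catalog URLs would be registered with an empty scheme. A final fallback keeps the old behaviour: `NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-${SERVICE_PROTOCOL:-http}}`. The "Public facing bits" comment should also say that `NOVA_SERVICE_PORT_INT` is not public, for example `# NOVA_SERVICE_PORT_INT: plaintext port nova-api binds to when tls-proxy fronts NOVA_SERVICE_PORT`.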
| ... | ... |
@@ -170,6 +176,10 @@ function configure_nova() {
|
| 170 | 170 |
s,%SERVICE_TENANT_NAME%,$SERVICE_TENANT_NAME,g; |
| 171 | 171 |
s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g; |
| 172 | 172 |
" -i $NOVA_API_PASTE_INI |
| 173 |
+ iniset $NOVA_API_PASTE_INI filter:authtoken auth_host $SERVICE_HOST |
|
| 174 |
+ if is_service_enabled tls-proxy; then |
|
| 175 |
+ iniset $NOVA_API_PASTE_INI filter:authtoken auth_protocol $SERVICE_PROTOCOL |
|
| 176 |
+ fi |
|
| 173 | 177 |
fi |
| 174 | 178 |
|
| 175 | 179 |
iniset $NOVA_API_PASTE_INI filter:authtoken signing_dir $NOVA_AUTH_CACHE_DIR |
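Review bot: `auth_protocol` is switched to `$SERVICE_PROTOCOL` under tls-proxy, but nothing in this hunk tells the auth_token middleware which CA to trust for the Keystone certificate. From here it cannot be seen whether token validation will verify the peer, skip verification, or fail against the locally generated CA. If trust is configured elsewhere, a comment above the `if is_service_enabled tls-proxy` line pointing to it would be enough, e.g. `# CA trust for auth_token is configured in <location - placeholder>`. The enclosing `if` and the sed command start outside the hunk, so the new `auth_host`/`auth_protocol` settings are only written on that branch.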
| ... | ... |
@@ -324,9 +334,9 @@ create_nova_accounts() {
|
| 324 | 324 |
keystone endpoint-create \ |
| 325 | 325 |
--region RegionOne \ |
| 326 | 326 |
--service_id $NOVA_SERVICE \ |
| 327 |
- --publicurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" \ |
|
| 328 |
- --adminurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" \ |
|
| 329 |
- --internalurl "http://$SERVICE_HOST:\$(compute_port)s/v2/\$(tenant_id)s" |
|
| 327 |
+ --publicurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \ |
|
| 328 |
+ --adminurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" \ |
|
| 329 |
+ --internalurl "$NOVA_SERVICE_PROTOCOL://$NOVA_SERVICE_HOST:$NOVA_SERVICE_PORT/v2/\$(tenant_id)s" |
|
| 330 | 330 |
fi |
| 331 | 331 |
fi |
| 332 | 332 |
} |
| ... | ... |
@@ -361,6 +371,10 @@ function create_nova_conf() {
|
| 361 | 361 |
|
| 362 | 362 |
if is_service_enabled n-api; then |
| 363 | 363 |
add_nova_opt "enabled_apis=$NOVA_ENABLED_APIS" |
| 364 |
+ if is_service_enabled tls-proxy; then |
|
| 365 |
+ # Set the service port for a proxy to take the original |
|
| 366 |
+ add_nova_opt "osapi_compute_listen_port=$NOVA_SERVICE_PORT_INT" |
|
| 367 |
+ fi |
|
| 364 | 368 |
fi |
| 365 | 369 |
if is_service_enabled cinder; then |
| 366 | 370 |
add_nova_opt "volume_api_class=nova.volume.cinder.API" |
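Review bot: Under tls-proxy only `osapi_compute_listen_port` is moved to `$NOVA_SERVICE_PORT_INT`; the listen address is left unchanged. The plaintext API therefore presumably stays reachable on that port from every interface nova-api already bound to, and clients can bypass the TLS proxy. If TLS is meant to be the only exposure, restrict the backend as well, for example `add_nova_opt "osapi_compute_listen=127.0.0.1"`, with the proxy in `start_nova_api` forwarding to that address. At minimum, extend the comment to say so: `# nova-api stays plaintext on NOVA_SERVICE_PORT_INT; restrict access to it if TLS must be enforced`. `create_nova_conf` begins and ends outside the hunk.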
| ... | ... |
@@ -472,6 +486,27 @@ function install_nova() {
|
| 472 | 472 |
git_clone $NOVA_REPO $NOVA_DIR $NOVA_BRANCH |
| 473 | 473 |
} |
| 474 | 474 |
|
| 475 |
+# start_nova_api() - Start the API process ahead of other things |
|
| 476 |
+function start_nova_api() {
|
|
| 477 |
+ # Get right service port for testing |
|
| 478 |
+ local service_port=$NOVA_SERVICE_PORT |
|
| 479 |
+ if is_service_enabled tls-proxy; then |
|
| 480 |
+ service_port=$NOVA_SERVICE_PORT_INT |
|
| 481 |
+ fi |
|
| 482 |
+ |
|
| 483 |
+ screen_it n-api "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-api" |
|
| 484 |
+ echo "Waiting for nova-api to start..." |
|
| 485 |
+ if ! wait_for_service $SERVICE_TIMEOUT http://$SERVICE_HOST:$service_port; then |
|
| 486 |
+ echo "nova-api did not start" |
|
| 487 |
+ exit 1 |
|
| 488 |
+ fi |
|
| 489 |
+ |
|
| 490 |
+ # Start proxies if enabled |
|
| 491 |
+ if is_service_enabled tls-proxy; then |
|
| 492 |
+ start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & |
|
| 493 |
+ fi |
|
| 494 |
+} |
|
| 495 |
+ |
|
| 475 | 496 |
# start_nova() - Start running processes, including screen |
| 476 | 497 |
function start_nova() {
|
| 477 | 498 |
# The group **libvirtd** is added to the current user in this script. |
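Review bot: The readiness check in `start_nova_api` probes `http://$SERVICE_HOST:$service_port`, while the proxy forwards to `$NOVA_SERVICE_HOST` and the catalog is registered with `$NOVA_SERVICE_HOST`. When the two differ, the check waits on a host that is not the one being served. Use `if ! wait_for_service "$SERVICE_TIMEOUT" "http://$NOVA_SERVICE_HOST:$service_port"; then` so the check matches. Separately, `start_tls_proxy ... &` is backgrounded and never checked, so a proxy that fails to bind or to load its certificate is silent and the script continues with a catalog that points at a dead TLS port. A follow-up wait on `$NOVA_SERVICE_PORT`, or a check of the job's status, would surface that failure.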
| ... | ... |
@@ -1568,12 +1568,7 @@ screen_it zeromq "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-rpc-zmq-receiver" |
| 1568 | 1568 |
# Launch the nova-api and wait for it to answer before continuing |
| 1569 | 1569 |
if is_service_enabled n-api; then |
| 1570 | 1570 |
echo_summary "Starting Nova API" |
| 1571 |
- screen_it n-api "cd $NOVA_DIR && $NOVA_BIN_DIR/nova-api" |
|
| 1572 |
- echo "Waiting for nova-api to start..." |
|
| 1573 |
- if ! timeout $SERVICE_TIMEOUT sh -c "while ! http_proxy= wget -q -O- http://127.0.0.1:8774; do sleep 1; done"; then |
|
| 1574 |
- echo "nova-api did not start" |
|
| 1575 |
- exit 1 |
|
| 1576 |
- fi |
|
| 1571 |
+ start_nova_api |
|
| 1577 | 1572 |
fi |
| 1578 | 1573 |
|
| 1579 | 1574 |
if is_service_enabled q-svc; then |