... | ... |
@@ -2304,6 +2304,16 @@ function stop_service { |
2304 | 2304 |
fi |
2305 | 2305 |
} |
2306 | 2306 |
|
2307 |
+# Service wrapper to stop services |
|
2308 |
+# reload_service service-name |
|
2309 |
+function reload_service { |
|
2310 |
+ if [ -x /bin/systemctl ]; then |
|
2311 |
+ sudo /bin/systemctl reload $1 |
|
2312 |
+ else |
|
2313 |
+ sudo service $1 reload |
|
2314 |
+ fi |
|
2315 |
+} |
|
2316 |
+ |
|
2307 | 2317 |
# Test with a finite retry loop. |
2308 | 2318 |
# |
2309 | 2319 |
function test_with_retry { |
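Review bot: The comment on the first added line, `# Service wrapper to stop services`, was copied from stop_service and now sits above reload_service; it should read `# Service wrapper to reload services`. Below it, `systemctl reload $1` is rejected when the unit is not active, so if any caller (reload_apache_server, used at the end of start_tls_proxy in this same change) can run before apache has been started, `sudo /bin/systemctl reload-or-restart $1` would be the safer verb; I cannot see from this hunk whether that ordering is possible. `$1` is also passed unchecked and unquoted, matching stop_service above, so a missing argument yields a bare `systemctl reload` with a confusing failure rather than a clear usage error.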
... | ... |
@@ -42,24 +42,40 @@ fi |
42 | 42 |
|
43 | 43 |
# Functions |
44 | 44 |
# --------- |
45 |
+ |
|
46 |
+# Enable apache mod and restart apache if it isn't already enabled. |
|
47 |
+function enable_apache_mod { |
|
48 |
+ local mod=$1 |
|
49 |
+ # Apache installation, because we mark it NOPRIME |
|
50 |
+ if is_ubuntu || is_suse ; then |
|
51 |
+ if ! a2query -m $mod ; then |
|
52 |
+ sudo a2enmod $mod |
|
53 |
+ restart_apache_server |
|
54 |
+ fi |
|
55 |
+ elif is_fedora; then |
|
56 |
+ # pass |
|
57 |
+ true |
|
58 |
+ else |
|
59 |
+ exit_distro_not_supported "apache enable mod" |
|
60 |
+ fi |
|
61 |
+} |
|
62 |
+ |
|
45 | 63 |
# install_apache_wsgi() - Install Apache server and wsgi module |
46 | 64 |
function install_apache_wsgi { |
47 | 65 |
# Apache installation, because we mark it NOPRIME |
48 | 66 |
if is_ubuntu; then |
49 | 67 |
# Install apache2, which is NOPRIME'd |
50 | 68 |
install_package apache2 libapache2-mod-wsgi |
51 |
- # WSGI isn't enabled by default, enable it |
|
52 |
- sudo a2enmod wsgi |
|
53 | 69 |
elif is_fedora; then |
54 | 70 |
sudo rm -f /etc/httpd/conf.d/000-* |
55 | 71 |
install_package httpd mod_wsgi |
56 | 72 |
elif is_suse; then |
57 | 73 |
install_package apache2 apache2-mod_wsgi |
58 |
- # WSGI isn't enabled by default, enable it |
|
59 |
- sudo a2enmod wsgi |
|
60 | 74 |
else |
61 |
- exit_distro_not_supported "apache installation" |
|
75 |
+ exit_distro_not_supported "apache wsgi installation" |
|
62 | 76 |
fi |
77 |
+ # WSGI isn't enabled by default, enable it |
|
78 |
+ enable_apache_mod wsgi |
|
63 | 79 |
|
64 | 80 |
# ensure mod_version enabled for <IfVersion ...>. This is |
65 | 81 |
# built-in statically on anything recent, but precise (2.2) |
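Review bot: The comment `# Apache installation, because we mark it NOPRIME` at new line 49 was copied from install_apache_wsgi and does not describe enable_apache_mod, which only enables a module; replace it with `# a2query exits non-zero when the module is not yet enabled` or drop it. The SUSE branch relies on `a2query`, which to my knowledge is a Debian/Ubuntu tool; if it is absent there, `! a2query -m $mod` is always true and every call runs `a2enmod` plus `restart_apache_server`, which for start_tls_proxy means three apache restarts per proxy. Gating the query on `is_ubuntu`, or checking `command -v a2query` first, would make the SUSE behaviour explicit.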
... | ... |
@@ -192,6 +208,11 @@ function restart_apache_server { |
192 | 192 |
time_stop "restart_apache_server" |
193 | 193 |
} |
194 | 194 |
|
195 |
+# reload_apache_server |
|
196 |
+function reload_apache_server { |
|
197 |
+ reload_service $APACHE_NAME |
|
198 |
+} |
|
199 |
+ |
|
195 | 200 |
# Restore xtrace |
196 | 201 |
$_XTRACE_LIB_APACHE |
197 | 202 |
|
... | ... |
@@ -305,8 +305,8 @@ function configure_cinder { |
305 | 305 |
if is_service_enabled tls-proxy; then |
306 | 306 |
# Set the service port for a proxy to take the original |
307 | 307 |
iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT |
308 |
- |
|
309 | 308 |
iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT |
309 |
+ iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT |
|
310 | 310 |
fi |
311 | 311 |
|
312 | 312 |
if [ "$SYSLOG" != "False" ]; then |
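Review bot: The same `$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT` URL is now built twice on adjacent lines, once for public_endpoint and once for osapi_volume_base_URL; a single `local public_url=$CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT` used by both iniset calls keeps the two from drifting apart. A one-line comment on why both keys are needed behind the TLS proxy (presumably so the version and link URLs cinder generates carry the external scheme and port rather than the proxied backend's) would help the next reader. configure_cinder continues outside the hunk.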
... | ... |
@@ -534,7 +534,7 @@ function start_cinder { |
534 | 534 |
|
535 | 535 |
# Start proxies if enabled |
536 | 536 |
if is_service_enabled c-api && is_service_enabled tls-proxy; then |
537 |
- start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT & |
|
537 |
+ start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT |
|
538 | 538 |
fi |
539 | 539 |
} |
540 | 540 |
|
... | ... |
@@ -383,8 +383,8 @@ function install_glance { |
383 | 383 |
function start_glance { |
384 | 384 |
local service_protocol=$GLANCE_SERVICE_PROTOCOL |
385 | 385 |
if is_service_enabled tls-proxy; then |
386 |
- start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT & |
|
387 |
- start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT & |
|
386 |
+ start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT |
|
387 |
+ start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT |
|
388 | 388 |
fi |
389 | 389 |
|
390 | 390 |
run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf" |
... | ... |
@@ -611,8 +611,8 @@ function start_keystone { |
611 | 611 |
|
612 | 612 |
# Start proxies if enabled |
613 | 613 |
if is_service_enabled tls-proxy; then |
614 |
- start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT & |
|
615 |
- start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT & |
|
614 |
+ start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT |
|
615 |
+ start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT |
|
616 | 616 |
fi |
617 | 617 |
|
618 | 618 |
# (re)start memcached to make sure we have a clean memcache. |
... | ... |
@@ -412,7 +412,7 @@ function start_neutron_api { |
412 | 412 |
|
413 | 413 |
# Start proxy if enabled |
414 | 414 |
if is_service_enabled tls-proxy; then |
415 |
- start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT & |
|
415 |
+ start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT |
|
416 | 416 |
fi |
417 | 417 |
} |
418 | 418 |
|
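Review bot: Both start_neutron_api (this hunk) and start_neutron_service_and_check (the next hunk) now pass `neutron` as the proxy name, and start_tls_proxy derives the apache site file from `$1-tls-proxy`, so if both paths ever run in the same deployment the second call overwrites the first vhost instead of adding one. If the two functions are mutually exclusive, a comment at the call site saying so would make that dependency visible; otherwise give them distinct names, e.g. `start_tls_proxy neutron-api '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT` here. I cannot see from these hunks whether both can execute.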
... | ... |
@@ -462,7 +462,7 @@ function start_neutron_service_and_check { |
462 | 462 |
|
463 | 463 |
# Start proxy if enabled |
464 | 464 |
if is_service_enabled tls-proxy; then |
465 |
- start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT & |
|
465 |
+ start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT |
|
466 | 466 |
fi |
467 | 467 |
} |
468 | 468 |
|
... | ... |
@@ -808,7 +808,7 @@ function start_nova_api { |
808 | 808 |
|
809 | 809 |
# Start proxies if enabled |
810 | 810 |
if is_service_enabled tls-proxy; then |
811 |
- start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & |
|
811 |
+ start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT |
|
812 | 812 |
fi |
813 | 813 |
|
814 | 814 |
export PATH=$old_path |
... | ... |
@@ -806,7 +806,7 @@ function start_swift { |
806 | 806 |
done |
807 | 807 |
if is_service_enabled tls-proxy; then |
808 | 808 |
local proxy_port=${SWIFT_DEFAULT_BIND_PORT} |
809 |
- start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT & |
|
809 |
+ start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT |
|
810 | 810 |
fi |
811 | 811 |
run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v" |
812 | 812 |
if [[ ${SWIFT_REPLICAS} == 1 ]]; then |
... | ... |
@@ -16,7 +16,6 @@ |
16 | 16 |
# |
17 | 17 |
# - configure_CA |
18 | 18 |
# - init_CA |
19 |
-# - cleanup_CA |
|
20 | 19 |
|
21 | 20 |
# - configure_proxy |
22 | 21 |
# - start_tls_proxy |
... | ... |
@@ -221,19 +220,6 @@ function init_CA { |
221 | 221 |
fi |
222 | 222 |
} |
223 | 223 |
|
224 |
-# Clean up the CA files |
|
225 |
-# cleanup_CA |
|
226 |
-function cleanup_CA { |
|
227 |
- if is_fedora; then |
|
228 |
- sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem |
|
229 |
- sudo update-ca-trust |
|
230 |
- elif is_ubuntu; then |
|
231 |
- sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt |
|
232 |
- sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt |
|
233 |
- sudo update-ca-certificates |
|
234 |
- fi |
|
235 |
-} |
|
236 |
- |
|
237 | 224 |
# Create an initial server cert |
238 | 225 |
# init_cert |
239 | 226 |
function init_cert { |
... | ... |
@@ -455,26 +441,72 @@ function enable_mod_ssl { |
455 | 455 |
# Starts the TLS proxy for the given IP/ports |
456 | 456 |
# start_tls_proxy front-host front-port back-host back-port |
457 | 457 |
function start_tls_proxy { |
458 |
- local f_host=$1 |
|
459 |
- local f_port=$2 |
|
460 |
- local b_host=$3 |
|
461 |
- local b_port=$4 |
|
462 |
- |
|
463 |
- stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null |
|
458 |
+ local b_service="$1-tls-proxy" |
|
459 |
+ local f_host=$2 |
|
460 |
+ local f_port=$3 |
|
461 |
+ local b_host=$4 |
|
462 |
+ local b_port=$5 |
|
463 |
+ |
|
464 |
+ local config_file |
|
465 |
+ config_file=$(apache_site_config_for $b_service) |
|
466 |
+ local listen_string |
|
467 |
+ # Default apache configs on ubuntu and centos listen on 80 and 443 |
|
468 |
+ # newer apache seems fine with duplicate listen directive but older |
|
469 |
+ # apache does not so special case 80 and 443. |
|
470 |
+ if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then |
|
471 |
+ listen_string="" |
|
472 |
+ elif [[ "$f_host" == '*' ]] ; then |
|
473 |
+ listen_string="Listen $f_port" |
|
474 |
+ else |
|
475 |
+ listen_string="Listen $f_host:$f_port" |
|
476 |
+ fi |
|
477 |
+ sudo bash -c "cat >$config_file" << EOF |
|
478 |
+$listen_string |
|
479 |
+ |
|
480 |
+<VirtualHost $f_host:$f_port> |
|
481 |
+ SSLEngine On |
|
482 |
+ SSLCertificateFile $DEVSTACK_CERT |
|
483 |
+ |
|
484 |
+ <Location /> |
|
485 |
+ ProxyPass http://$b_host:$b_port/ retry=5 nocanon |
|
486 |
+ ProxyPassReverse http://$b_host:$b_port/ |
|
487 |
+ </Location> |
|
488 |
+</VirtualHost> |
|
489 |
+EOF |
|
490 |
+ for mod in ssl proxy proxy_http; do |
|
491 |
+ enable_apache_mod $mod |
|
492 |
+ done |
|
493 |
+ enable_apache_site $b_service |
|
494 |
+ # Only a reload is required to pull in new vhosts |
|
495 |
+ # Note that a restart reliably fails on centos7 and trusty |
|
496 |
+ # because apache can't open port 80 because the old apache |
|
497 |
+ # still has it open. Using reload fixes trusty but centos7 |
|
498 |
+ # still doesn't work. |
|
499 |
+ reload_apache_server |
|
464 | 500 |
} |
465 | 501 |
|
466 | 502 |
|
467 | 503 |
# Cleanup Functions |
468 | 504 |
# ================= |
469 | 505 |
|
470 |
-# Stops all stud processes. This should be done only after all services |
|
506 |
+# Stops the apache service. This should be done only after all services |
|
471 | 507 |
# using tls configuration are down. |
472 | 508 |
function stop_tls_proxy { |
473 |
- killall stud |
|
509 |
+ stop_apache_server |
|
474 | 510 |
} |
475 | 511 |
|
476 |
-# Remove CA along with configuration, as well as the local server certificate |
|
512 |
+# Clean up the CA files |
|
513 |
+# cleanup_CA |
|
477 | 514 |
function cleanup_CA { |
515 |
+ if is_fedora; then |
|
516 |
+ sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem |
|
517 |
+ sudo update-ca-trust |
|
518 |
+ elif is_ubuntu; then |
|
519 |
+ sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt |
|
520 |
+ sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt |
|
521 |
+ sudo update-ca-certificates |
|
522 |
+ fi |
|
523 |
+ |
|
478 | 524 |
rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT" |
479 | 525 |
} |
480 | 526 |
|
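Review bot: The usage comment `# start_tls_proxy front-host front-port back-host back-port` at line 456 is now wrong: the rewritten function takes a service name as its first argument and turns it into the apache site file name via `$1-tls-proxy`; change it to `# start_tls_proxy service-name front-host front-port back-host back-port` and state that the name must be unique per proxy. Unlike stud, which relayed TCP, mod_proxy rewrites the Host header to `$b_host:$b_port` unless `ProxyPreserveHost On` is set inside the VirtualHost, so backends that build URLs from the request Host will now emit the internal address; the osapi_volume_base_URL addition in cinder looks like a workaround for exactly this, and the other proxied services get no equivalent. The vhost sets `SSLCertificateFile $DEVSTACK_CERT` with no SSLCertificateKeyFile, which only works when that PEM also contains the private key and the installed apache accepts a combined file; a comment stating that assumption next to the directive would save the next reader a debugging session. `$config_file` is also interpolated unquoted into `sudo bash -c "cat >$config_file"`; quoting it as `sudo bash -c "cat >'$config_file'"` costs nothing.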