* Configure Cinder, Glance, Keystone, Nova to put cached credentials
from keystone.auth_token into /var/cache/<service>
It is not obvious to me that having each of these services share a
credentials cache is a good idea. It does appear to work but this
patch takes the conservative approach of putting each service's cache
in a distinct directory.
More importantly it gets them out of $HOME!
Change-Id: If88088fc287a2f2f4f3e34f6d9be9de3da7ee00d
@@ -4,8 +4,8 @@ |
4 | 4 |
# Dependencies: |
5 | 5 |
# - functions |
6 | 6 |
# - DEST, DATA_DIR must be defined |
7 |
-# - KEYSTONE_AUTH_* must be defined |
|
8 | 7 |
# SERVICE_{TENANT_NAME|PASSWORD} must be defined |
8 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
9 | 9 |
|
10 | 10 |
# stack.sh |
11 | 11 |
# --------- |
@@ -30,6 +30,7 @@ CINDERCLIENT_DIR=$DEST/python-cinderclient |
30 | 30 |
CINDER_STATE_PATH=${CINDER_STATE_PATH:=$DATA_DIR/cinder} |
31 | 31 |
CINDER_CONF_DIR=/etc/cinder |
32 | 32 |
CINDER_CONF=$CINDER_CONF_DIR/cinder.conf |
33 |
+CINDER_AUTH_CACHE_DIR=${CINDER_AUTH_CACHE_DIR:-/var/cache/cinder} |
|
33 | 34 |
|
34 | 35 |
# Support entry points installation of console scripts |
35 | 36 |
if [[ -d $CINDER_DIR/bin ]]; then |
@@ -106,6 +107,10 @@ function configure_cinder() { |
106 | 106 |
iniset $CINDER_API_PASTE_INI filter:authtoken admin_user cinder |
107 | 107 |
iniset $CINDER_API_PASTE_INI filter:authtoken admin_password $SERVICE_PASSWORD |
108 | 108 |
|
109 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
110 |
+ iniset $CINDER_API_PASTE_INI filter:authtoken signing_dir $CINDER_AUTH_CACHE_DIR |
|
111 |
+ fi |
|
112 |
+ |
|
109 | 113 |
cp $CINDER_DIR/etc/cinder/cinder.conf.sample $CINDER_CONF |
110 | 114 |
iniset $CINDER_CONF DEFAULT auth_strategy keystone |
111 | 115 |
iniset $CINDER_CONF DEFAULT verbose True |
@@ -186,6 +191,12 @@ function init_cinder() { |
186 | 186 |
done |
187 | 187 |
fi |
188 | 188 |
fi |
189 |
+ |
|
190 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
191 |
+ # Create cache dir |
|
192 |
+ sudo mkdir -p $CINDER_AUTH_CACHE_DIR |
|
193 |
+ sudo chown `whoami` $CINDER_AUTH_CACHE_DIR |
|
194 |
+ fi |
|
189 | 195 |
} |
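Review bot: The two added lines `sudo mkdir -p $CINDER_AUTH_CACHE_DIR` and `sudo chown `whoami` $CINDER_AUTH_CACHE_DIR` create the directory with root's default umask and only then change the owner, so the "cached credentials" the commit message says will live there end up in a directory whose mode is whatever root's umask yields rather than one restricted to the service's user; the same pattern appears in init_glance, init_keystone and init_nova. A single `sudo install -d -m 0700 -o "$(whoami)" "$CINDER_AUTH_CACHE_DIR"` creates it owner-only in one step and also replaces the backticks and the unquoted expansion. If a distribution package already owns /var/cache/cinder on the host, this chown would take the directory away from that package's service user, which seems worth a comment. init_cinder begins outside the hunk.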
190 | 196 |
|
191 | 197 |
# install_cinder() - Collect source and prepare |
@@ -6,6 +6,7 @@ |
6 | 6 |
# ``DEST``, ``DATA_DIR`` must be defined |
7 | 7 |
# ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined |
8 | 8 |
# ``SERVICE_HOST`` |
9 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
9 | 10 |
|
10 | 11 |
# ``stack.sh`` calls the entry points in this order: |
11 | 12 |
# |
@@ -31,6 +32,7 @@ GLANCE_DIR=$DEST/glance |
31 | 31 |
GLANCECLIENT_DIR=$DEST/python-glanceclient |
32 | 32 |
GLANCE_CACHE_DIR=${GLANCE_CACHE_DIR:=$DATA_DIR/glance/cache} |
33 | 33 |
GLANCE_IMAGE_DIR=${GLANCE_IMAGE_DIR:=$DATA_DIR/glance/images} |
34 |
+GLANCE_AUTH_CACHE_DIR=${GLANCE_AUTH_CACHE_DIR:-/var/cache/glance} |
|
34 | 35 |
|
35 | 36 |
GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance} |
36 | 37 |
GLANCE_REGISTRY_CONF=$GLANCE_CONF_DIR/glance-registry.conf |
@@ -91,6 +93,9 @@ function configure_glance() { |
91 | 91 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
92 | 92 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_user glance |
93 | 93 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_password $SERVICE_PASSWORD |
94 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
95 |
+ iniset $GLANCE_REGISTRY_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/registry |
|
96 |
+ fi |
|
94 | 97 |
|
95 | 98 |
cp $GLANCE_DIR/etc/glance-api.conf $GLANCE_API_CONF |
96 | 99 |
iniset $GLANCE_API_CONF DEFAULT debug True |
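Review bot: The `registry` and `api` subdirectory names are spelled as path literals in this hunk, again in the second configure_glance hunk, and four more times in the init_glance hunk, so the signing_dir written with iniset and the directory actually created can silently drift apart. Deriving them once next to the new GLANCE_AUTH_CACHE_DIR default, for example `GLANCE_API_AUTH_CACHE_DIR=$GLANCE_AUTH_CACHE_DIR/api` and `GLANCE_REGISTRY_AUTH_CACHE_DIR=$GLANCE_AUTH_CACHE_DIR/registry`, and using those names in both places keeps the pairing in one spot. configure_glance starts and ends outside the hunk.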
@@ -114,6 +119,9 @@ function configure_glance() { |
114 | 114 |
iniset $GLANCE_API_CONF DEFAULT rabbit_host $RABBIT_HOST |
115 | 115 |
iniset $GLANCE_API_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
116 | 116 |
fi |
117 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
118 |
+ iniset $GLANCE_API_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/api |
|
119 |
+ fi |
|
117 | 120 |
|
118 | 121 |
cp -p $GLANCE_DIR/etc/glance-registry-paste.ini $GLANCE_REGISTRY_PASTE_INI |
119 | 122 |
|
@@ -153,6 +161,14 @@ function init_glance() { |
153 | 153 |
mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE glance CHARACTER SET utf8;' |
154 | 154 |
|
155 | 155 |
$GLANCE_BIN_DIR/glance-manage db_sync |
156 |
+ |
|
157 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
158 |
+ # Create cache dir |
|
159 |
+ sudo mkdir -p $GLANCE_AUTH_CACHE_DIR/api |
|
160 |
+ sudo chown `whoami` $GLANCE_AUTH_CACHE_DIR/api |
|
161 |
+ sudo mkdir -p $GLANCE_AUTH_CACHE_DIR/registry |
|
162 |
+ sudo chown `whoami` $GLANCE_AUTH_CACHE_DIR/registry |
|
163 |
+ fi |
|
156 | 164 |
} |
157 | 165 |
|
158 | 166 |
# install_glanceclient() - Collect source and prepare |
@@ -32,13 +32,18 @@ set +o xtrace |
32 | 32 |
KEYSTONE_DIR=$DEST/keystone |
33 | 33 |
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone} |
34 | 34 |
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf |
35 |
+KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone} |
|
35 | 36 |
|
36 | 37 |
KEYSTONECLIENT_DIR=$DEST/python-keystoneclient |
37 | 38 |
|
38 |
-# Select the backend for Keystopne's service catalog |
|
39 |
+# Select the backend for Keystone's service catalog |
|
39 | 40 |
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql} |
40 | 41 |
KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates |
41 | 42 |
|
43 |
+# Select Keystone's token format |
|
44 |
+# Choose from 'UUID' and 'PKI' |
|
45 |
+KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI} |
|
46 |
+ |
|
42 | 47 |
# Set Keystone interface configuration |
43 | 48 |
KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000} |
44 | 49 |
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} |
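Review bot: The new comment above `KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}` names exactly two accepted values, but nothing rejects anything else, and every consumer in this change compares against the literal `"PKI"`, so a localrc value such as `pki` or a typo silently skips pki_setup and the signing_dir configuration while keystone itself is presumably still handed the unvalidated string. A check immediately after the default, `[[ "$KEYSTONE_TOKEN_FORMAT" == "UUID" || "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]] || die "KEYSTONE_TOKEN_FORMAT must be UUID or PKI"`, fails early and visibly; substitute whatever error helper the sourced functions file provides if `die` is not available here.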
@@ -47,7 +52,6 @@ KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http} |
47 | 47 |
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST} |
48 | 48 |
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} |
49 | 49 |
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http} |
50 |
-KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI} |
|
51 | 50 |
|
52 | 51 |
|
53 | 52 |
# Entry Points |
@@ -147,8 +151,14 @@ function init_keystone() { |
147 | 147 |
# Initialize keystone database |
148 | 148 |
$KEYSTONE_DIR/bin/keystone-manage db_sync |
149 | 149 |
|
150 |
- # Set up certificates |
|
151 |
- $KEYSTONE_DIR/bin/keystone-manage pki_setup |
|
150 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
151 |
+ # Set up certificates |
|
152 |
+ $KEYSTONE_DIR/bin/keystone-manage pki_setup |
|
153 |
+ |
|
154 |
+ # Create cache dir |
|
155 |
+ sudo mkdir -p $KEYSTONE_AUTH_CACHE_DIR |
|
156 |
+ sudo chown `whoami` $KEYSTONE_AUTH_CACHE_DIR |
|
157 |
+ fi |
|
152 | 158 |
} |
153 | 159 |
|
154 | 160 |
# install_keystoneclient() - Collect source and prepare |
@@ -7,6 +7,7 @@ |
7 | 7 |
# ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined |
8 | 8 |
# ``LIBVIRT_TYPE`` must be defined |
9 | 9 |
# ``INSTANCE_NAME_PREFIX``, ``VOLUME_NAME_PREFIX`` must be defined |
10 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
10 | 11 |
|
11 | 12 |
# ``stack.sh`` calls the entry points in this order: |
12 | 13 |
# |
@@ -32,6 +33,7 @@ NOVACLIENT_DIR=$DEST/python-novaclient |
32 | 32 |
NOVA_STATE_PATH=${NOVA_STATE_PATH:=$DATA_DIR/nova} |
33 | 33 |
# INSTANCES_PATH is the previous name for this |
34 | 34 |
NOVA_INSTANCES_PATH=${NOVA_INSTANCES_PATH:=${INSTANCES_PATH:=$NOVA_STATE_PATH/instances}} |
35 |
+NOVA_AUTH_CACHE_DIR=${NOVA_AUTH_CACHE_DIR:-/var/cache/nova} |
|
35 | 36 |
|
36 | 37 |
NOVA_CONF_DIR=/etc/nova |
37 | 38 |
NOVA_CONF=$NOVA_CONF_DIR/nova.conf |
@@ -174,6 +176,10 @@ function configure_nova() { |
174 | 174 |
" -i $NOVA_API_PASTE_INI |
175 | 175 |
fi |
176 | 176 |
|
177 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
178 |
+ iniset $NOVA_API_PASTE_INI filter:authtoken signing_dir $NOVA_AUTH_CACHE_DIR |
|
179 |
+ fi |
|
180 |
+ |
|
177 | 181 |
if is_service_enabled n-cpu; then |
178 | 182 |
# Force IP forwarding on, just on case |
179 | 183 |
sudo sysctl -w net.ipv4.ip_forward=1 |
@@ -383,6 +389,11 @@ function init_nova() { |
383 | 383 |
$NOVA_BIN_DIR/nova-manage db sync |
384 | 384 |
fi |
385 | 385 |
|
386 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
387 |
+ # Create cache dir |
|
388 |
+ sudo mkdir -p $NOVA_AUTH_CACHE_DIR |
|
389 |
+ sudo chown `whoami` $NOVA_AUTH_CACHE_DIR |
|
390 |
+ fi |
|
386 | 391 |
} |
387 | 392 |
|
388 | 393 |
# install_novaclient() - Collect source and prepare |
@@ -2042,7 +2042,7 @@ fi |
2042 | 2042 |
|
2043 | 2043 |
if is_service_enabled g-reg; then |
2044 | 2044 |
echo_summary "Uploading images" |
2045 |
- TOKEN=$(keystone token-get | grep ' id ' | get_field 2) |
|
2045 |
+ TOKEN=$(keystone token-get | grep ' id ' | get_field 2) |
|
2046 | 2046 |
|
2047 | 2047 |
# Option to upload legacy ami-tty, which works with xenserver |
2048 | 2048 |
if [[ -n "$UPLOAD_LEGACY_TTY" ]]; then |