* Configure Cinder, Glance, Keystone, Nova to put cached credentials
from keystone.auth_token into /var/cache/<service>
It is not obvious to me that having each of these services share a
credentials cache is a good idea. It does appear to work but this
patch takes the conservative approach of putting each service's cache
in a distinct directory.
More importantly it gets them out of $HOME!
Change-Id: If88088fc287a2f2f4f3e34f6d9be9de3da7ee00d
| ... | ... |
@@ -4,8 +4,8 @@ |
| 4 | 4 |
# Dependencies: |
| 5 | 5 |
# - functions |
| 6 | 6 |
# - DEST, DATA_DIR must be defined |
| 7 |
-# - KEYSTONE_AUTH_* must be defined |
|
| 8 | 7 |
# SERVICE_{TENANT_NAME|PASSWORD} must be defined
|
| 8 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
| 9 | 9 |
|
| 10 | 10 |
# stack.sh |
| 11 | 11 |
# --------- |
| ... | ... |
@@ -30,6 +30,7 @@ CINDERCLIENT_DIR=$DEST/python-cinderclient |
| 30 | 30 |
CINDER_STATE_PATH=${CINDER_STATE_PATH:=$DATA_DIR/cinder}
|
| 31 | 31 |
CINDER_CONF_DIR=/etc/cinder |
| 32 | 32 |
CINDER_CONF=$CINDER_CONF_DIR/cinder.conf |
| 33 |
+CINDER_AUTH_CACHE_DIR=${CINDER_AUTH_CACHE_DIR:-/var/cache/cinder}
|
|
| 33 | 34 |
|
| 34 | 35 |
# Support entry points installation of console scripts |
| 35 | 36 |
if [[ -d $CINDER_DIR/bin ]]; then |
| ... | ... |
@@ -106,6 +107,10 @@ function configure_cinder() {
|
| 106 | 106 |
iniset $CINDER_API_PASTE_INI filter:authtoken admin_user cinder |
| 107 | 107 |
iniset $CINDER_API_PASTE_INI filter:authtoken admin_password $SERVICE_PASSWORD |
| 108 | 108 |
|
| 109 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 110 |
+ iniset $CINDER_API_PASTE_INI filter:authtoken signing_dir $CINDER_AUTH_CACHE_DIR |
|
| 111 |
+ fi |
|
| 112 |
+ |
|
| 109 | 113 |
cp $CINDER_DIR/etc/cinder/cinder.conf.sample $CINDER_CONF |
| 110 | 114 |
iniset $CINDER_CONF DEFAULT auth_strategy keystone |
| 111 | 115 |
iniset $CINDER_CONF DEFAULT verbose True |
| ... | ... |
@@ -186,6 +191,12 @@ function init_cinder() {
|
| 186 | 186 |
done |
| 187 | 187 |
fi |
| 188 | 188 |
fi |
| 189 |
+ |
|
| 190 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 191 |
+ # Create cache dir |
|
| 192 |
+ sudo mkdir -p $CINDER_AUTH_CACHE_DIR |
|
| 193 |
+ sudo chown `whoami` $CINDER_AUTH_CACHE_DIR |
|
| 194 |
+ fi |
|
| 189 | 195 |
} |
| 190 | 196 |
|
| 191 | 197 |
# install_cinder() - Collect source and prepare |
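Review bot: The cache directory created in init_cinder keeps whatever mode `mkdir -p` gets from the root umask (typically 0755, so world-readable), yet the commit message describes its contents as credentials cached by auth_token; restricting it to its owner with `sudo chmod 0700 $CINDER_AUTH_CACHE_DIR` after the chown would match that purpose. The same pattern appears in init_glance, init_keystone and init_nova in this change, so the fix belongs in all four. While touching these lines, `$(whoami)` reads better than backticks and the path expansions would be safer double-quoted, as in `sudo chown "$(whoami)" "$CINDER_AUTH_CACHE_DIR"`, although the surrounding file leaves expansions unquoted so that may be house style. init_cinder's body begins outside the hunk.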
| ... | ... |
@@ -6,6 +6,7 @@ |
| 6 | 6 |
# ``DEST``, ``DATA_DIR`` must be defined |
| 7 | 7 |
# ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
|
| 8 | 8 |
# ``SERVICE_HOST`` |
| 9 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
| 9 | 10 |
|
| 10 | 11 |
# ``stack.sh`` calls the entry points in this order: |
| 11 | 12 |
# |
| ... | ... |
@@ -31,6 +32,7 @@ GLANCE_DIR=$DEST/glance |
| 31 | 31 |
GLANCECLIENT_DIR=$DEST/python-glanceclient |
| 32 | 32 |
GLANCE_CACHE_DIR=${GLANCE_CACHE_DIR:=$DATA_DIR/glance/cache}
|
| 33 | 33 |
GLANCE_IMAGE_DIR=${GLANCE_IMAGE_DIR:=$DATA_DIR/glance/images}
|
| 34 |
+GLANCE_AUTH_CACHE_DIR=${GLANCE_AUTH_CACHE_DIR:-/var/cache/glance}
|
|
| 34 | 35 |
|
| 35 | 36 |
GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance}
|
| 36 | 37 |
GLANCE_REGISTRY_CONF=$GLANCE_CONF_DIR/glance-registry.conf |
| ... | ... |
@@ -91,6 +93,9 @@ function configure_glance() {
|
| 91 | 91 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME |
| 92 | 92 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_user glance |
| 93 | 93 |
iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_password $SERVICE_PASSWORD |
| 94 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 95 |
+ iniset $GLANCE_REGISTRY_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/registry |
|
| 96 |
+ fi |
|
| 94 | 97 |
|
| 95 | 98 |
cp $GLANCE_DIR/etc/glance-api.conf $GLANCE_API_CONF |
| 96 | 99 |
iniset $GLANCE_API_CONF DEFAULT debug True |
| ... | ... |
@@ -114,6 +119,9 @@ function configure_glance() {
|
| 114 | 114 |
iniset $GLANCE_API_CONF DEFAULT rabbit_host $RABBIT_HOST |
| 115 | 115 |
iniset $GLANCE_API_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
| 116 | 116 |
fi |
| 117 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 118 |
+ iniset $GLANCE_API_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/api |
|
| 119 |
+ fi |
|
| 117 | 120 |
|
| 118 | 121 |
cp -p $GLANCE_DIR/etc/glance-registry-paste.ini $GLANCE_REGISTRY_PASTE_INI |
| 119 | 122 |
|
| ... | ... |
@@ -153,6 +161,14 @@ function init_glance() {
|
| 153 | 153 |
mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE glance CHARACTER SET utf8;' |
| 154 | 154 |
|
| 155 | 155 |
$GLANCE_BIN_DIR/glance-manage db_sync |
| 156 |
+ |
|
| 157 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 158 |
+ # Create cache dir |
|
| 159 |
+ sudo mkdir -p $GLANCE_AUTH_CACHE_DIR/api |
|
| 160 |
+ sudo chown `whoami` $GLANCE_AUTH_CACHE_DIR/api |
|
| 161 |
+ sudo mkdir -p $GLANCE_AUTH_CACHE_DIR/registry |
|
| 162 |
+ sudo chown `whoami` $GLANCE_AUTH_CACHE_DIR/registry |
|
| 163 |
+ fi |
|
| 156 | 164 |
} |
| 157 | 165 |
|
| 158 | 166 |
# install_glanceclient() - Collect source and prepare |
| ... | ... |
@@ -32,13 +32,18 @@ set +o xtrace |
| 32 | 32 |
KEYSTONE_DIR=$DEST/keystone |
| 33 | 33 |
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
|
| 34 | 34 |
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf |
| 35 |
+KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone}
|
|
| 35 | 36 |
|
| 36 | 37 |
KEYSTONECLIENT_DIR=$DEST/python-keystoneclient |
| 37 | 38 |
|
| 38 |
-# Select the backend for Keystopne's service catalog |
|
| 39 |
+# Select the backend for Keystone's service catalog |
|
| 39 | 40 |
KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
|
| 40 | 41 |
KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates |
| 41 | 42 |
|
| 43 |
+# Select Keystone's token format |
|
| 44 |
+# Choose from 'UUID' and 'PKI' |
|
| 45 |
+KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
|
|
| 46 |
+ |
|
| 42 | 47 |
# Set Keystone interface configuration |
| 43 | 48 |
KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
|
| 44 | 49 |
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
| ... | ... |
@@ -47,7 +52,6 @@ KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-http}
|
| 47 | 47 |
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
|
| 48 | 48 |
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
|
| 49 | 49 |
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http}
|
| 50 |
-KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
|
|
| 51 | 50 |
|
| 52 | 51 |
|
| 53 | 52 |
# Entry Points |
| ... | ... |
@@ -147,8 +151,14 @@ function init_keystone() {
|
| 147 | 147 |
# Initialize keystone database |
| 148 | 148 |
$KEYSTONE_DIR/bin/keystone-manage db_sync |
| 149 | 149 |
|
| 150 |
- # Set up certificates |
|
| 151 |
- $KEYSTONE_DIR/bin/keystone-manage pki_setup |
|
| 150 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 151 |
+ # Set up certificates |
|
| 152 |
+ $KEYSTONE_DIR/bin/keystone-manage pki_setup |
|
| 153 |
+ |
|
| 154 |
+ # Create cache dir |
|
| 155 |
+ sudo mkdir -p $KEYSTONE_AUTH_CACHE_DIR |
|
| 156 |
+ sudo chown `whoami` $KEYSTONE_AUTH_CACHE_DIR |
|
| 157 |
+ fi |
|
| 152 | 158 |
} |
| 153 | 159 |
|
| 154 | 160 |
# install_keystoneclient() - Collect source and prepare |
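Review bot: `KEYSTONE_AUTH_CACHE_DIR` is created and chowned in init_keystone, but nothing in this change points a consumer at it: the Cinder, Glance and Nova sections each pair the `mkdir` in `init_*` with an `iniset ... signing_dir` in `configure_*`, and no equivalent `iniset` appears for Keystone. Unless keystone.conf is configured to use the directory outside this diff, the new variable and the `mkdir`/`chown` lines create a dead directory under /var/cache and should either be dropped or be accompanied by the matching configuration alongside `pki_setup`. A brief comment on the `# Create cache dir` line naming which component reads the directory would make the intent checkable. init_keystone's body begins outside the hunk.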
| ... | ... |
@@ -7,6 +7,7 @@ |
| 7 | 7 |
# ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
|
| 8 | 8 |
# ``LIBVIRT_TYPE`` must be defined |
| 9 | 9 |
# ``INSTANCE_NAME_PREFIX``, ``VOLUME_NAME_PREFIX`` must be defined |
| 10 |
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined |
|
| 10 | 11 |
|
| 11 | 12 |
# ``stack.sh`` calls the entry points in this order: |
| 12 | 13 |
# |
| ... | ... |
@@ -32,6 +33,7 @@ NOVACLIENT_DIR=$DEST/python-novaclient |
| 32 | 32 |
NOVA_STATE_PATH=${NOVA_STATE_PATH:=$DATA_DIR/nova}
|
| 33 | 33 |
# INSTANCES_PATH is the previous name for this |
| 34 | 34 |
NOVA_INSTANCES_PATH=${NOVA_INSTANCES_PATH:=${INSTANCES_PATH:=$NOVA_STATE_PATH/instances}}
|
| 35 |
+NOVA_AUTH_CACHE_DIR=${NOVA_AUTH_CACHE_DIR:-/var/cache/nova}
|
|
| 35 | 36 |
|
| 36 | 37 |
NOVA_CONF_DIR=/etc/nova |
| 37 | 38 |
NOVA_CONF=$NOVA_CONF_DIR/nova.conf |
| ... | ... |
@@ -174,6 +176,10 @@ function configure_nova() {
|
| 174 | 174 |
" -i $NOVA_API_PASTE_INI |
| 175 | 175 |
fi |
| 176 | 176 |
|
| 177 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 178 |
+ iniset $NOVA_API_PASTE_INI filter:authtoken signing_dir $NOVA_AUTH_CACHE_DIR |
|
| 179 |
+ fi |
|
| 180 |
+ |
|
| 177 | 181 |
if is_service_enabled n-cpu; then |
| 178 | 182 |
# Force IP forwarding on, just on case |
| 179 | 183 |
sudo sysctl -w net.ipv4.ip_forward=1 |
| ... | ... |
@@ -383,6 +389,11 @@ function init_nova() {
|
| 383 | 383 |
$NOVA_BIN_DIR/nova-manage db sync |
| 384 | 384 |
fi |
| 385 | 385 |
|
| 386 |
+ if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then |
|
| 387 |
+ # Create cache dir |
|
| 388 |
+ sudo mkdir -p $NOVA_AUTH_CACHE_DIR |
|
| 389 |
+ sudo chown `whoami` $NOVA_AUTH_CACHE_DIR |
|
| 390 |
+ fi |
|
| 386 | 391 |
} |
| 387 | 392 |
|
| 388 | 393 |
# install_novaclient() - Collect source and prepare |
| ... | ... |
@@ -2042,7 +2042,7 @@ fi |
| 2042 | 2042 |
|
| 2043 | 2043 |
if is_service_enabled g-reg; then |
| 2044 | 2044 |
echo_summary "Uploading images" |
| 2045 |
- TOKEN=$(keystone token-get | grep ' id ' | get_field 2) |
|
| 2045 |
+ TOKEN=$(keystone token-get | grep ' id ' | get_field 2) |
|
| 2046 | 2046 |
|
| 2047 | 2047 |
# Option to upload legacy ami-tty, which works with xenserver |
| 2048 | 2048 |
if [[ -n "$UPLOAD_LEGACY_TTY" ]]; then |