@@ -56,6 +56,34 @@ function configure_nova_hypervisor() {

     # Need to avoid crash due to new firewall support

     XEN_FIREWALL_DRIVER=${XEN_FIREWALL_DRIVER:-"nova.virt.firewall.IptablesFirewallDriver"}

     iniset $NOVA_CONF DEFAULT firewall_driver "$XEN_FIREWALL_DRIVER"

+

+    local dom0_ip

+    dom0_ip=$(echo "$XENAPI_CONNECTION_URL" | cut -d "/" -f 3-)

+

+    local ssh_dom0

+    ssh_dom0="sudo -u $DOMZERO_USER ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@$dom0_ip"

+

+    # install nova plugins to dom0

+    tar -czf - -C $NOVA_DIR/plugins/xenserver/xenapi/etc/xapi.d/plugins/ ./ |

+        $ssh_dom0 'tar -xzf - -C /etc/xapi.d/plugins/ && chmod a+x /etc/xapi.d/plugins/*'

+

+    # install console logrotate script

+    tar -czf - -C $NOVA_DIR/tools/xenserver/ rotate_xen_guest_logs.sh |

+        $ssh_dom0 'tar -xzf - -C /root/ && chmod +x /root/rotate_xen_guest_logs.sh && mkdir -p /var/log/xen/guest'

+

+    # Create a cron job that will rotate guest logs

+    $ssh_dom0 crontab - << CRONTAB

+* * * * * /root/rotate_xen_guest_logs.sh

+CRONTAB

+

+    # Create directories for kernels and images

+    {

+        echo "set -eux"

+        cat $TOP_DIR/tools/xen/functions

+        echo "create_directory_for_images"

+        echo "create_directory_for_kernels"

+    } | $ssh_dom0

+

 }

 # install_nova_hypervisor() - Install external components

@@ -245,6 +245,10 @@ case "$VIRT_DRIVER" in

     xenserver)

         # Xen config common to nova and neutron

         XENAPI_USER=${XENAPI_USER:-"root"}

+        # This user will be used for dom0 - domU communication

+        #   should be able to log in to dom0 without a password

+        #   will be used to install the plugins

+        DOMZERO_USER=${DOMZERO_USER:-"domzero"}

         ;;

     *)

         ;;

@@ -336,3 +336,11 @@ function max_vcpus() {

     xe vm-param-set uuid=$vm VCPUs-max=$cpu_count

     xe vm-param-set uuid=$vm VCPUs-at-startup=$cpu_count

 }

+

+function get_domid() {

+    local vm_name_label

+

+    vm_name_label="$1"

+

+    xe vm-list name-label="$vm_name_label" params=dom-id minimal=true

+}

@@ -67,21 +67,6 @@ fi

 # Install plugins

-## Nova plugins

-NOVA_ZIPBALL_URL=${NOVA_ZIPBALL_URL:-$(zip_snapshot_location $NOVA_REPO $NOVA_BRANCH)}

-EXTRACTED_NOVA=$(extract_remote_zipball "$NOVA_ZIPBALL_URL")

-install_xapi_plugins_from "$EXTRACTED_NOVA"

-

-LOGROT_SCRIPT=$(find "$EXTRACTED_NOVA" -name "rotate_xen_guest_logs.sh" -print)

-if [ -n "$LOGROT_SCRIPT" ]; then

-    mkdir -p "/var/log/xen/guest"

-    cp "$LOGROT_SCRIPT" /root/consolelogrotate

-    chmod +x /root/consolelogrotate

-    echo "* * * * * /root/consolelogrotate" | crontab

-fi

-

-rm -rf "$EXTRACTED_NOVA"

-

 ## Install the netwrap xapi plugin to support agent control of dom0 networking

 if [[ "$ENABLED_SERVICES" =~ "q-agt" && "$Q_PLUGIN" = "openvswitch" ]]; then

     NEUTRON_ZIPBALL_URL=${NEUTRON_ZIPBALL_URL:-$(zip_snapshot_location $NEUTRON_REPO $NEUTRON_BRANCH)}

@@ -90,9 +75,6 @@ if [[ "$ENABLED_SERVICES" =~ "q-agt" && "$Q_PLUGIN" = "openvswitch" ]]; then

     rm -rf "$EXTRACTED_NEUTRON"

 fi

-create_directory_for_kernels

-create_directory_for_images

-

 #

 # Configure Networking

 #

@@ -188,7 +170,7 @@ function wait_for_VM_to_halt() {

     set +x

     echo "Waiting for the VM to halt.  Progress in-VM can be checked with vncviewer:"

     mgmt_ip=$(echo $XENAPI_CONNECTION_URL | tr -d -c '1234567890.')

-    domid=$(xe vm-list name-label="$GUEST_NAME" params=dom-id minimal=true)

+    domid=$(get_domid "$GUEST_NAME")

     port=$(xenstore-read /local/domain/$domid/console/vnc-port)

     echo "vncviewer -via root@$mgmt_ip localhost:${port:2}"

     while true

@@ -361,6 +343,37 @@ else

     fi

 fi

+# Create an ssh-keypair, and set it up for dom0 user

+rm -f /root/dom0key /root/dom0key.pub

+ssh-keygen -f /root/dom0key -P "" -C "dom0"

+DOMID=$(get_domid "$GUEST_NAME")

+

+xenstore-write /local/domain/$DOMID/authorized_keys/$DOMZERO_USER "$(cat /root/dom0key.pub)"

+xenstore-chmod -u /local/domain/$DOMID/authorized_keys/$DOMZERO_USER r$DOMID

+

+function run_on_appliance() {

+    ssh \

+        -i /root/dom0key \

+        -o UserKnownHostsFile=/dev/null \

+        -o StrictHostKeyChecking=no \

+        -o BatchMode=yes \

+        "$DOMZERO_USER@$OS_VM_MANAGEMENT_ADDRESS" "$@"

+}

+

+# Wait until we can log in to the appliance

+while ! run_on_appliance true; do

+    sleep 1

+done

+

+# Remove authenticated_keys updater cronjob

+echo "" | run_on_appliance crontab -

+

+# Generate a passwordless ssh key for domzero user

+echo "ssh-keygen -f /home/$DOMZERO_USER/.ssh/id_rsa -C $DOMZERO_USER@appliance -N \"\" -q" | run_on_appliance

+

+# Authenticate that user to dom0

+run_on_appliance cat /home/$DOMZERO_USER/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

+

 # If we have copied our ssh credentials, use ssh to monitor while the installation runs

 WAIT_TILL_LAUNCH=${WAIT_TILL_LAUNCH:-1}

 COPYENV=${COPYENV:-1}

@@ -18,6 +18,57 @@ set -o xtrace

 GUEST_PASSWORD="$1"

 XS_TOOLS_PATH="$2"

 STACK_USER="$3"

+DOMZERO_USER="$4"

+

+

+function setup_domzero_user() {

+    local username

+

+    username="$1"

+

+    local key_updater_script

+    local sudoers_file

+    key_updater_script="/home/$username/update_authorized_keys.sh"

+    sudoers_file="/etc/sudoers.d/allow_$username"

+

+    # Create user

+    adduser --disabled-password --quiet "$username" --gecos "$username"

+

+    # Give passwordless sudo

+    cat > $sudoers_file << EOF

+    $username ALL = NOPASSWD: ALL

+EOF

+    chmod 0440 $sudoers_file

+

+    # A script to populate this user's authenticated_keys from xenstore

+    cat > $key_updater_script << EOF

+#!/bin/bash

+set -eux

+

+DOMID=\$(sudo xenstore-read domid)

+sudo xenstore-exists /local/domain/\$DOMID/authorized_keys/$username

+sudo xenstore-read /local/domain/\$DOMID/authorized_keys/$username > /home/$username/xenstore_value

+cat /home/$username/xenstore_value > /home/$username/.ssh/authorized_keys

+EOF

+

+    # Give the key updater to the user

+    chown $username:$username $key_updater_script

+    chmod 0700 $key_updater_script

+

+    # Setup the .ssh folder

+    mkdir -p /home/$username/.ssh

+    chown $username:$username /home/$username/.ssh

+    chmod 0700 /home/$username/.ssh

+    touch /home/$username/.ssh/authorized_keys

+    chown $username:$username /home/$username/.ssh/authorized_keys

+    chmod 0600 /home/$username/.ssh/authorized_keys

+

+    # Setup the key updater as a cron job

+    crontab -u $username - << EOF

+* * * * * $key_updater_script

+EOF

+

+}

 # Install basics

 apt-get update

@@ -48,6 +99,8 @@ useradd $STACK_USER -s /bin/bash -d /opt/stack -G libvirtd

 echo $STACK_USER:$GUEST_PASSWORD | chpasswd

 echo "$STACK_USER ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

+setup_domzero_user "$DOMZERO_USER"

+

 # Add an udev rule, so that new block devices could be written by stack user

 cat > /etc/udev/rules.d/50-openstack-blockdev.rules << EOF

 KERNEL=="xvd[b-z]", GROUP="$STACK_USER", MODE="0660"

@@ -76,7 +76,7 @@ cp $STAGING_DIR/etc/rc.local $STAGING_DIR/etc/rc.local.preparebackup

 cat <<EOF >$STAGING_DIR/etc/rc.local

 #!/bin/sh -e

 bash /opt/stack/prepare_guest.sh \\

-    "$GUEST_PASSWORD" "$XS_TOOLS_PATH" "$STACK_USER" \\

+    "$GUEST_PASSWORD" "$XS_TOOLS_PATH" "$STACK_USER" "$DOMZERO_USER" \\

     > /opt/stack/prepare_guest.log 2>&1

 EOF