From 5f5b4df6e0cc9654feb67a7f48638e728a5e34ea Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Tue, 3 Jan 2017 09:52:50 +0100 Subject: [PATCH 1/5] rabbitmq: Use new data bag item config infrastructure (cherry picked from commit 625c341f2867dfa6494a18836b1df09afa781be3) --- .../crowbar-openstack/libraries/helpers.rb | 38 ++----------------- .../app/models/rabbitmq_service.rb | 37 +++++++++++++++++- 2 files changed, 39 insertions(+), 36 deletions(-) diff --git a/chef/cookbooks/crowbar-openstack/libraries/helpers.rb b/chef/cookbooks/crowbar-openstack/libraries/helpers.rb index c748b2aa56..674fec625b 100644 --- a/chef/cookbooks/crowbar-openstack/libraries/helpers.rb +++ b/chef/cookbooks/crowbar-openstack/libraries/helpers.rb 
@@ -98,42 +98,10 @@ def self.database_settings(node, barclamp) def self.rabbitmq_settings(node, barclamp) instance = node[barclamp][:rabbitmq_instance] || "default" - # Cache the result for each cookbook in an instance variable hash. This - # cache needs to be invalidated for each chef-client run from chef-client - # daemon (which are all in the same process); so use the ohai time as a - # marker for that. - if @rabbitmq_settings_cache_time != node[:ohai_time] - Chef::Log.info("Invalidating rabbitmq settings cache") if @rabbitmq_settings - @rabbitmq_settings = nil - @rabbitmq_settings_cache_time = node[:ohai_time] - end - - if @rabbitmq_settings && @rabbitmq_settings.include?(instance) - Chef::Log.info("RabbitMQ server found at #{@rabbitmq_settings[instance][:address]} [cached]") - else - @rabbitmq_settings ||= Hash.new - rabbit = get_node(node, "rabbitmq-server", "rabbitmq", instance) - - if rabbit.nil? - Chef::Log.warn("No RabbitMQ server found!") - else - @rabbitmq_settings[instance] = { - address: rabbit[:rabbitmq][:address], - port: rabbit[:rabbitmq][:port], - user: rabbit[:rabbitmq][:user], - password: rabbit[:rabbitmq][:password], - vhost: rabbit[:rabbitmq][:vhost], - url: "rabbit://#{rabbit[:rabbitmq][:user]}:" \ - "#{rabbit[:rabbitmq][:password]}@" \ - "#{rabbit[:rabbitmq][:address]}:#{rabbit[:rabbitmq][:port]}/" \ - "#{rabbit[:rabbitmq][:vhost]}" - } - - Chef::Log.info("RabbitMQ server found at #{@rabbitmq_settings[instance][:address]}") - end - end + config = BarclampLibrary::Barclamp::Config.load("openstack", "rabbitmq", instance) + Chef::Log.warn("No RabbitMQ server found!") if config.empty? - @rabbitmq_settings[instance] + config end private diff --git a/crowbar_framework/app/models/rabbitmq_service.rb b/crowbar_framework/app/models/rabbitmq_service.rb index e4bd7d2263..52ef860573 100644 --- a/crowbar_framework/app/models/rabbitmq_service.rb +++ b/crowbar_framework/app/models/rabbitmq_service.rb 
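Review bot: When `config.empty?` is true in `rabbitmq_settings`, the method only logs a warning and then returns the empty config, so callers that read the address, password or URL entries would get nil values and may render a broker configuration without credentials instead of stopping; the removed code returned nil in that case. The hunk also drops the only comment on where the settings come from, and whether the loaded item still exposes symbol keys such as `:address` and `:url` is not visible here. I would add above the load call `# Settings come from the "openstack" data bag item written by RabbitmqService#save_config_to_databag; empty until a rabbitmq proposal has been applied.` and state the key type callers can rely on.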
@@ -103,7 +103,42 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Rabbitmq apply_role_pre_chef_call: leaving") end - def validate_proposal_after_save proposal + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Rabbitmq apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Rabbitmq apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + _elements, nodes, _ha_enabled = role_expand_elements(role, "rabbitmq-server") + node = NodeObject.find_node_by_name(nodes.first) + + address = node[:rabbitmq][:address] + port = role.default_attributes["rabbitmq"]["port"] + user = role.default_attributes["rabbitmq"]["user"] + password = role.default_attributes["rabbitmq"]["password"] + vhost = role.default_attributes["rabbitmq"]["vhost"] + + config = { + address: address, + port: port, + user: user, + password: password, + vhost: "/#{vhost}", + url: "rabbit://#{user}:#{password}@#{address}:#{port}/#{vhost}" + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end + + def validate_proposal_after_save(proposal) validate_one_for_role proposal, "rabbitmq-server" attributes = proposal["attributes"][@bc_name] From 0bfb4381916c244d640dd971401623268983bd7d Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Tue, 3 Jan 2017 11:11:46 +0100 Subject: [PATCH 2/5] nova: Minor cleanup (cherry picked from commit b5fe60f8f12d55dc50e9bfc3f8dead8d527f183a) From 0def2c4e0acb4daf1570709f228dfa7a2813ffce Mon Sep 17 00:00:00 2001 
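Review bot: `save_config_to_databag` writes `password` and a `url` that embeds the same password into the "openstack" data bag item as plain values, and nothing in this hunk shows the item being encrypted or its readers restricted; confirm that `Crowbar::DataBagConfig.save` protects it, since every client able to read the data bag would otherwise obtain the broker credentials. The removed helper read the same values from node attributes, so this is a second copy rather than a new secret. `user` and `password` are interpolated into `url` unescaped, so a password containing `@`, `:` or `/` produces a URL that parses differently from what was intended. `nodes.first` is also used without checking for an empty list, which would pass nil to `NodeObject.find_node_by_name`. A comment such as `# config holds the RabbitMQ password in clear text; keep the data bag item access-restricted` above the hash would record the constraint.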
From: Vincent Untz Date: Tue, 3 Jan 2017 12:14:58 +0100 Subject: [PATCH 3/5] openstack: Use new data bag item config infrastructure for insecure bit All openstack services should provide this, and it happens quite a bit that other services only need this flag about another service. So it's a good candidate to start with. (cherry picked from commit ac527e4e651ef21628dc359a572136202f316be7) --- chef/cookbooks/cinder/recipes/common.rb | 17 ++---- chef/cookbooks/glance/recipes/api.rb | 22 ++----- chef/cookbooks/horizon/recipes/server.rb | 26 ++------- chef/cookbooks/manila/recipes/common.rb | 24 ++++---- .../neutron/recipes/common_config.rb | 2 +- .../neutron/recipes/post_install_conf.rb | 3 +- .../nova/libraries/availability_zone.rb | 4 +- chef/cookbooks/nova/recipes/config.rb | 19 ++++--- .../app/models/ceilometer_service.rb | 23 ++++++++ .../app/models/cinder_service.rb | 24 +++++++- .../app/models/glance_service.rb | 24 +++++++- crowbar_framework/app/models/heat_service.rb | 23 ++++++++ .../app/models/keystone_service.rb | 24 +++++++- .../app/models/manila_service.rb | 23 ++++++++ .../app/models/neutron_service.rb | 23 ++++++++ crowbar_framework/app/models/nova_service.rb | 25 +++++++- crowbar_framework/app/models/swift_service.rb | 32 +++++++++++ crowbar_framework/app/models/trove_service.rb | 23 ++++++++ crowbar_framework/lib/openstack.rb | 1 + .../lib/openstack/data_bag_config.rb | 57 +++++++++++++++++++ 20 files changed, 341 insertions(+), 78 deletions(-) create mode 100644 crowbar_framework/lib/openstack/data_bag_config.rb diff --git a/chef/cookbooks/cinder/recipes/common.rb b/chef/cookbooks/cinder/recipes/common.rb index e823839b82..70fca0f3d9 100644 --- a/chef/cookbooks/cinder/recipes/common.rb +++ b/chef/cookbooks/cinder/recipes/common.rb 
@@ -33,24 +33,19 @@ glance_server_host = CrowbarHelper.get_host_for_admin_url(glance_server, (glance_server[:glance][:ha][:enabled] rescue false)) glance_server_protocol = glance_server[:glance][:api][:protocol] glance_server_port = glance_server[:glance][:api][:bind_port] - glance_server_insecure = glance_server_protocol == "https" && glance_server[:glance][:ssl][:insecure] glance_show_storage_location = glance_server[:glance][:show_storage_location] else glance_server_host = nil glance_server_port = nil glance_server_protocol = nil - glance_server_insecure = nil glance_show_storage_location = false end Chef::Log.info("Glance server at #{glance_server_host}") -nova_apis = search(:node, "roles:nova-controller") || [] -if nova_apis.length > 0 - nova_api = nova_apis[0] - nova_api_insecure = nova_api[:nova][:ssl][:enabled] && nova_api[:nova][:ssl][:insecure] -else - nova_api_insecure = false -end +glance_config = Barclamp::Config.load("openstack", "glance", node[:cinder][:glance_instance]) +glance_insecure = glance_config["insecure"] || false + +nova_insecure = Barclamp::Config.load("openstack", "nova")["insecure"] || false db_settings = fetch_database_settings @@ -172,9 +167,9 @@ glance_server_protocol: glance_server_protocol, glance_server_host: glance_server_host, glance_server_port: glance_server_port, - glance_server_insecure: glance_server_insecure, + glance_server_insecure: glance_insecure, show_storage_location: glance_show_storage_location, - nova_api_insecure: nova_api_insecure, + nova_api_insecure: nova_insecure, availability_zone: availability_zone, keystone_settings: KeystoneHelper.keystone_settings(node, :cinder), strict_ssh_host_key_policy: node[:cinder][:strict_ssh_host_key_policy], diff --git a/chef/cookbooks/glance/recipes/api.rb b/chef/cookbooks/glance/recipes/api.rb index 1d3a25a58f..d0ecfc4fab 100644 --- a/chef/cookbooks/glance/recipes/api.rb +++ b/chef/cookbooks/glance/recipes/api.rb 
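Review bot: `glance_insecure` and `nova_insecure` now take the flag stored by `Openstack::DataBagConfig.insecure` (added later in this patch), which ORs in keystone's insecure setting, whereas the removed lines derived them only from glance's and nova's own SSL attributes. Unless the templates already combined the two, TLS certificate verification toward glance and nova is switched off whenever keystone is marked insecure, even if those endpoints present a verifiable certificate. The same widening applies to the loads in glance/recipes/api.rb, horizon/recipes/server.rb and manila/recipes/common.rb. If that is intended, say so next to the load, e.g. `# "insecure" is the service's own flag OR keystone's (see Openstack::DataBagConfig.insecure)`.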
@@ -81,22 +81,8 @@ end end -# TODO: there's no dependency in terms of proposal on swift -swift_api_insecure = false -swifts = search(:node, "roles:swift-proxy") || [] -if swifts.length > 0 - swift = swifts[0] - swift_api_insecure = swift[:swift][:ssl][:enabled] && swift[:swift][:ssl][:insecure] -end - -#TODO: glance should depend on cinder, but cinder already depends on glance :/ -# so we have to do something like this -cinder_api_insecure = false -cinders = search(:node, "roles:cinder-controller") || [] -if cinders.length > 0 - cinder = cinders[0] - cinder_api_insecure = cinder[:cinder][:api][:protocol] == "https" && cinder[:cinder][:ssl][:insecure] -end +swift_insecure = Barclamp::Config.load("openstack", "swift")["insecure"] || false +cinder_insecure = Barclamp::Config.load("openstack", "cinder")["insecure"] || false #TODO: similarly with nova use_docker = !search(:node, "roles:nova-compute-docker").empty? @@ -130,8 +116,8 @@ registry_bind_port: network_settings[:registry][:bind_port], keystone_settings: keystone_settings, rabbit_settings: fetch_rabbitmq_settings, - swift_api_insecure: swift_api_insecure, - cinder_api_insecure: cinder_api_insecure, + swift_api_insecure: swift_insecure, + cinder_api_insecure: cinder_insecure, use_docker: use_docker, glance_stores: glance_stores.join(",") ) diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb index eba683b722..3dadac3911 100644 --- a/chef/cookbooks/horizon/recipes/server.rb +++ b/chef/cookbooks/horizon/recipes/server.rb 
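Review bot: Both `Barclamp::Config.load("openstack", "swift")` and the cinder load omit the instance argument, while cinder/recipes/common.rb in this patch passes `node[:cinder][:glance_instance]`; which item is picked when more than one proposal exists is not visible from this hunk. The removed TODO comments explained why no instance is known here (glance has no proposal dependency on swift, and cannot depend on cinder), and that reasoning is now gone. I would keep it as a comment above the two loads: `# no proposal dependency on swift or cinder, so no instance name is available to pass here`.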
@@ -189,26 +189,16 @@ keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name) -glances = search(:node, "roles:glance-server") || [] -if glances.length > 0 - glance = glances[0] - glance_insecure = glance[:glance][:api][:protocol] == "https" && glance[:glance][:ssl][:insecure] -else - glance_insecure = false -end - -cinders = search(:node, "roles:cinder-controller") || [] -if cinders.length > 0 - cinder = cinders[0] - cinder_insecure = cinder[:cinder][:api][:protocol] == "https" && cinder[:cinder][:ssl][:insecure] -else - cinder_insecure = false -end +glance_insecure = Barclamp::Config.load("openstack", "glance")["insecure"] || false +cinder_insecure = Barclamp::Config.load("openstack", "cinder")["insecure"] || false +neutron_insecure = Barclamp::Config.load("openstack", "neutron")["insecure"] || false +nova_insecure = Barclamp::Config.load("openstack", "nova")["insecure"] || false +heat_insecure = Barclamp::Config.load("openstack", "heat")["insecure"] || false +manila_insecure = Barclamp::Config.load("openstack", "manila")["insecure"] || false neutrons = search(:node, "roles:neutron-server") || [] if neutrons.length > 0 neutron = neutrons[0] - neutron_insecure = neutron[:neutron][:api][:protocol] == "https" && neutron[:neutron][:ssl][:insecure] if neutron[:neutron][:networking_plugin] == "ml2" neutron_ml2_type_drivers = neutron[:neutron][:ml2_type_drivers] else @@ -217,15 +207,11 @@ neutron_use_lbaas = neutron[:neutron][:use_lbaas] neutron_use_vpnaas = neutron[:neutron][:use_vpnaas] else - neutron_insecure = false neutron_ml2_type_drivers = "'*'" neutron_use_lbaas = false neutron_use_vpnaas = false end -nova = get_instance("roles:nova-controller") -nova_insecure = (nova[:nova][:ssl][:enabled] && nova[:nova][:ssl][:insecure]) rescue false - # We're going to use memcached as a cache backend for Django # make sure our memcache only listens on the admin IP address 
diff --git a/chef/cookbooks/manila/recipes/common.rb b/chef/cookbooks/manila/recipes/common.rb index 0552cb2783..6b1d79ca5c 100644 --- a/chef/cookbooks/manila/recipes/common.rb +++ b/chef/cookbooks/manila/recipes/common.rb @@ -66,13 +66,10 @@ neutron_server, (neutron_server[:neutron][:ha][:server][:enabled] || false)) neutron_server_port = neutron_server[:neutron][:api][:service_port] - neutron_insecure = neutron_protocol == "https" && - neutron_server[:neutron][:ssl][:insecure] neutron_service_user = neutron_server[:neutron][:service_user] neutron_service_password = neutron_server[:neutron][:service_password] Chef::Log.info("Neutron server at #{neutron_server_host}") else - neutron_insecure = false neutron_protocol = nil neutron_server_host = nil neutron_server_port = nil 
@@ -81,39 +78,42 @@ Chef::Log.warn("Neutron server not found") end +neutron_config = Barclamp::Config.load("openstack", "neutron", node[:manila][:neutron_instance]) +neutron_insecure = neutron_config["insecure"] || false + # get Nova data nova = search(:node, "roles:nova-controller") || [] if nova.length > 0 nova = nova[0] - nova_insecure = ( - nova[:nova][:ssl][:enabled] && nova[:nova][:ssl][:insecure] - ) nova_admin_username = nova[:nova][:service_user] nova_admin_password = nova[:nova][:service_password] else - nova_insecure = false nova_admin_username = nil nova_admin_password = nil Chef::Log.warn("nova-controller not found") end +nova_config = Barclamp::Config.load("openstack", "nova", node[:manila][:nova_instance]) +nova_insecure = nova_config["insecure"] || false + # get Cinder data cinder = search(:node, "roles:cinder-controller") || [] if cinder.length > 0 cinder = cinder[0] - cinder_insecure = ( - cinder[:cinder][:api][:protocol] == "https" && cinder[:cinder][:ssl][:insecure] - ) - cinder_admin_username = cinder[:cinder][:service_user] cinder_admin_password = cinder[:cinder][:service_password] else - cinder_insecure = false cinder_admin_username = nil cinder_admin_password = nil Chef::Log.warn("cinder-controller not found") end +cinder_config = Barclamp::Config.load("openstack", "cinder", node[:manila][:cinder_instance]) +cinder_insecure = cinder_config["insecure"] || false + +enabled_share_protocols = ["NFS", "CIFS"] +enabled_share_protocols << ["CEPHFS"] if ManilaHelper.has_cephfs_share? node + template "/etc/manila/manila.conf" do source "manila.conf.erb" owner "root" diff --git a/chef/cookbooks/neutron/recipes/common_config.rb b/chef/cookbooks/neutron/recipes/common_config.rb index 0812eb0a3a..96529d8268 100644 --- a/chef/cookbooks/neutron/recipes/common_config.rb +++ b/chef/cookbooks/neutron/recipes/common_config.rb 
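Review bot: `enabled_share_protocols << ["CEPHFS"]` appends a one-element array, leaving `["NFS", "CIFS", ["CEPHFS"]]`; it should be `enabled_share_protocols << "CEPHFS"`. Neither the variable nor `ManilaHelper.has_cephfs_share?` is referenced by the rest of this hunk and the commit message is about the insecure flag only, so these two lines look like they were carried over from another change. The template block that follows continues outside the hunk, so check whether it consumes the variable.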
@@ -95,7 +95,7 @@ unless nova[:nova].nil? or nova[:nova][:ssl].nil? nova_api_host = CrowbarHelper.get_host_for_admin_url(nova, (nova[:nova][:ha][:enabled] rescue false)) nova_api_protocol = nova[:nova][:ssl][:enabled] ? "https" : "http" - nova_insecure = keystone_settings["insecure"] || (nova[:nova][:ssl][:enabled] && nova[:nova][:ssl][:insecure]) + nova_insecure = Barclamp::Config.load("openstack", "nova")["insecure"] || false nova_notify = { nova_url: "#{nova_api_protocol}://#{nova_api_host}:#{nova[:nova][:ports][:api]}/v2", diff --git a/chef/cookbooks/neutron/recipes/post_install_conf.rb b/chef/cookbooks/neutron/recipes/post_install_conf.rb index 2fdcc0227f..2ccd345d28 100644 --- a/chef/cookbooks/neutron/recipes/post_install_conf.rb +++ b/chef/cookbooks/neutron/recipes/post_install_conf.rb @@ -51,8 +51,7 @@ def mask_to_bits(mask) keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name) -neutron_insecure = node[:neutron][:api][:protocol] == "https" && node[:neutron][:ssl][:insecure] -ssl_insecure = keystone_settings["insecure"] || neutron_insecure +ssl_insecure = Barclamp::Config.load("openstack", "neutron")["insecure"] || false neutron_args = "--os-username '#{keystone_settings['service_user']}'" neutron_args = "#{neutron_args} --os-password '#{keystone_settings['service_password']}'" diff --git a/chef/cookbooks/nova/libraries/availability_zone.rb b/chef/cookbooks/nova/libraries/availability_zone.rb index 775ced8971..c2d5d1b3e6 100644 --- a/chef/cookbooks/nova/libraries/availability_zone.rb +++ b/chef/cookbooks/nova/libraries/availability_zone.rb 
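Review bot: `ssl_insecure` in neutron/recipes/post_install_conf.rb is now read from neutron's own data bag entry, which this patch writes from `apply_role_post_chef_call`; if that hook runs after chef-client, as its name and comment suggest, the recipe sees the value from the previous apply rather than the proposal being applied. Turning `insecure` off would then leave the `neutron_args` command line built below skipping certificate verification for one more run, and a first deployment with a self-signed certificate would run without the flag. nova/libraries/availability_zone.rb has the same self-read for `ssl_insecure`. For a service's own flag the node attributes are already current, e.g. `ssl_insecure = keystone_settings["insecure"] || (node[:neutron][:api][:protocol] == "https" && node[:neutron][:ssl][:insecure])`.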
@@ -18,7 +18,7 @@ module NovaAvailabilityZone def self.fetch_set_az_command_no_arg(node, cookbook_name) keystone_settings = KeystoneHelper.keystone_settings(node, cookbook_name) - nova_insecure = node[:nova][:ssl][:enabled] && node[:nova][:ssl][:insecure] + ssl_insecure = BarclampLibrary::Barclamp::Config.load("openstack", "nova")["insecure"] || false command = ["/usr/bin/crowbar-nova-set-availability-zone"] command << "--os-username" @@ -35,7 +35,7 @@ def self.fetch_set_az_command_no_arg(node, cookbook_name) command << "--os-region-name" command << keystone_settings["endpoint_region"] - if keystone_settings["insecure"] || nova_insecure + if ssl_insecure command << "--insecure" end diff --git a/chef/cookbooks/nova/recipes/config.rb b/chef/cookbooks/nova/recipes/config.rb index 298c7ee47a..d94326bac9 100644 --- a/chef/cookbooks/nova/recipes/config.rb +++ b/chef/cookbooks/nova/recipes/config.rb @@ -65,15 +65,16 @@ glance_server_host = CrowbarHelper.get_host_for_admin_url(glance_server, (glance_server[:glance][:ha][:enabled] rescue false)) glance_server_port = glance_server[:glance][:api][:bind_port] glance_server_protocol = glance_server[:glance][:api][:protocol] - glance_server_insecure = glance_server_protocol == "https" && glance_server[:glance][:ssl][:insecure] else glance_server_host = nil glance_server_port = nil glance_server_protocol = nil - glance_server_insecure = nil end Chef::Log.info("Glance server at #{glance_server_host}") +glance_config = Barclamp::Config.load("openstack", "glance", node[:nova][:glance_instance]) +glance_insecure = glance_config["insecure"] || false + vncproxies = search_env_filtered(:node, "recipes:nova\\:\\:vncproxy") if vncproxies.length > 0 vncproxy = vncproxies[0] 
@@ -110,17 +111,17 @@ cinder_servers = search_env_filtered(:node, "roles:cinder-controller") || [] if cinder_servers.length > 0 cinder_server = cinder_servers[0] - cinder_insecure = cinder_server[:cinder][:api][:protocol] == "https" && cinder_server[:cinder][:ssl][:insecure] if node.roles.include? "nova-compute-kvm" cinder_server[:cinder][:volumes].each do |volume| rbd_enabled = true if volume["backend_driver"] == "rbd" end end -else - cinder_insecure = false end +cinder_config = Barclamp::Config.load("openstack", "cinder", node[:nova][:cinder_instance]) +cinder_insecure = cinder_config["insecure"] || false + if rbd_enabled include_recipe "nova::ceph" end @@ -139,7 +140,6 @@ neutron_protocol = neutron_server[:neutron][:api][:protocol] neutron_server_host = CrowbarHelper.get_host_for_admin_url(neutron_server, (neutron_server[:neutron][:ha][:server][:enabled] rescue false)) neutron_server_port = neutron_server[:neutron][:api][:service_port] - neutron_insecure = neutron_protocol == "https" && neutron_server[:neutron][:ssl][:insecure] neutron_service_user = neutron_server[:neutron][:service_user] neutron_service_password = neutron_server[:neutron][:service_password] neutron_dhcp_domain = neutron_server[:neutron][:dhcp_domain] @@ -155,6 +155,9 @@ end Chef::Log.info("Neutron server at #{neutron_server_host}") +neutron_config = Barclamp::Config.load("openstack", "neutron", node[:nova][:neutron_instance]) +neutron_insecure = neutron_config["insecure"] || false + env_filter = " AND inteltxt_config_environment:inteltxt-config-#{node[:nova][:itxt_instance]}" oat_servers = search(:node, "roles:oat-server#{env_filter}") || [] if oat_servers.length > 0 
@@ -322,7 +325,7 @@ glance_server_protocol: glance_server_protocol, glance_server_host: glance_server_host, glance_server_port: glance_server_port, - glance_server_insecure: glance_server_insecure || keystone_settings["insecure"], + glance_server_insecure: glance_insecure, metadata_bind_address: metadata_bind_address, vncproxy_public_host: vncproxy_public_host, vncproxy_ssl_enabled: api[:nova][:novnc][:ssl][:enabled], @@ -338,7 +341,7 @@ neutron_dhcp_domain: neutron_dhcp_domain, neutron_has_tunnel: neutron_has_tunnel, keystone_settings: keystone_settings, - cinder_insecure: cinder_insecure || keystone_settings["insecure"], + cinder_insecure: cinder_insecure, ceph_user: ceph_user, ceph_uuid: ceph_uuid, ssl_enabled: api[:nova][:ssl][:enabled], diff --git a/crowbar_framework/app/models/ceilometer_service.rb b/crowbar_framework/app/models/ceilometer_service.rb index ea21fe4146..3457855681 100644 --- a/crowbar_framework/app/models/ceilometer_service.rb +++ b/crowbar_framework/app/models/ceilometer_service.rb @@ -196,6 +196,29 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Ceilometer apply_role_pre_chef_call: leaving") end + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Ceilometer apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Ceilometer apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end + def mongodb_ha(new_members, role) # enforce that mongodb is only installed on an odd number of nodes # so we don't get problems when they try to vote for a replica set 
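Review bot: `save_config_to_databag` in ceilometer_service.rb is repeated verbatim in the cinder, glance, heat, keystone, manila, neutron, nova and trove service models in this patch, so any later change to what is stored has to be made nine times; a shared helper that takes `@bc_name` and the role would keep them in step. The copied comment `we depend on values that are computed in the cookbook` does not match these methods, which read only `role.default_attributes` through `Openstack::DataBagConfig.insecure`; either drop it or name the cookbook-computed value. `all_nodes` is unused in `apply_role_post_chef_call` and could be `_all_nodes`, as manila's pre-chef hook already does with `_old_role`.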
diff --git a/crowbar_framework/app/models/cinder_service.rb b/crowbar_framework/app/models/cinder_service.rb index f486797cc3..9199a228c5 100644 --- a/crowbar_framework/app/models/cinder_service.rb +++ b/crowbar_framework/app/models/cinder_service.rb @@ -258,5 +258,27 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Cinder apply_role_pre_chef_call: leaving") end -end + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Cinder apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Cinder apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end +end diff --git a/crowbar_framework/app/models/glance_service.rb b/crowbar_framework/app/models/glance_service.rb index 01fc00ed28..803dcccbb3 100644 --- a/crowbar_framework/app/models/glance_service.rb +++ b/crowbar_framework/app/models/glance_service.rb 
@@ -137,5 +137,27 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Glance apply_role_pre_chef_call: leaving") end -end + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Glance apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Glance apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end +end diff --git a/crowbar_framework/app/models/heat_service.rb b/crowbar_framework/app/models/heat_service.rb index 0e5111a7cc..260b3cf1e4 100644 --- a/crowbar_framework/app/models/heat_service.rb +++ b/crowbar_framework/app/models/heat_service.rb @@ -110,4 +110,27 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Heat apply_role_pre_chef_call: leaving") end + + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Heat apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Heat apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end end diff --git a/crowbar_framework/app/models/keystone_service.rb b/crowbar_framework/app/models/keystone_service.rb index f27db2aa92..84d8a3c1d5 100644 
--- a/crowbar_framework/app/models/keystone_service.rb +++ b/crowbar_framework/app/models/keystone_service.rb @@ -131,5 +131,27 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Keystone apply_role_pre_chef_call: leaving") end -end + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Keystone apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Keystone apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end +end diff --git a/crowbar_framework/app/models/manila_service.rb b/crowbar_framework/app/models/manila_service.rb index 37e5b36a5f..08e6fb3676 100644 --- a/crowbar_framework/app/models/manila_service.rb +++ b/crowbar_framework/app/models/manila_service.rb @@ -187,4 +187,27 @@ def apply_role_pre_chef_call(_old_role, role, all_nodes) end @logger.debug("Manila apply_role_pre_chef_call: leaving") end + + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Manila apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Manila apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end end 
diff --git a/crowbar_framework/app/models/neutron_service.rb b/crowbar_framework/app/models/neutron_service.rb index cc22e3a499..21ab98f8d3 100644 --- a/crowbar_framework/app/models/neutron_service.rb +++ b/crowbar_framework/app/models/neutron_service.rb @@ -430,4 +430,27 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) end @logger.debug("Neutron apply_role_pre_chef_call: leaving") end + + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Neutron apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Neutron apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end end diff --git a/crowbar_framework/app/models/nova_service.rb b/crowbar_framework/app/models/nova_service.rb index a49320d465..ef4c154281 100644 --- a/crowbar_framework/app/models/nova_service.rb +++ b/crowbar_framework/app/models/nova_service.rb 
@@ -309,7 +309,30 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Nova apply_role_pre_chef_call: leaving") end - def validate_proposal_after_save proposal + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Nova apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Nova apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end + + def validate_proposal_after_save(proposal) validate_one_for_role proposal, "nova-controller" elements = proposal["deployment"]["nova"]["elements"] diff --git a/crowbar_framework/app/models/swift_service.rb b/crowbar_framework/app/models/swift_service.rb index c03c6caa16..7fca790fde 100644 --- a/crowbar_framework/app/models/swift_service.rb +++ b/crowbar_framework/app/models/swift_service.rb 
@@ -151,6 +151,38 @@ def apply_role_pre_chef_call(old_role, role, all_nodes) @logger.debug("Swift apply_role_pre_chef_call: leaving") end + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Swift apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Swift apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + use_ssl = role.default_attributes["swift"]["ssl"]["enabled"] + insecure = use_ssl && role.default_attributes["swift"]["ssl"]["insecure"] + if !insecure && role.default_attributes["swift"]["auth_method"] == "keystone" + keystone_config = Crowbar::DataBagConfig.load( + "openstack", + role.default_attributes["swift"]["keystone_instance"], + "keystone" + ) + insecure ||= keystone_config["insecure"] + end + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end + def get_report_run_by_uuid(uuid) get_dispersion_reports.each do |r| return r if r["uuid"] == uuid diff --git a/crowbar_framework/app/models/trove_service.rb b/crowbar_framework/app/models/trove_service.rb index 6d1cb5ec17..f4ddaaef8b 100644 --- a/crowbar_framework/app/models/trove_service.rb +++ b/crowbar_framework/app/models/trove_service.rb 
@@ -72,4 +72,27 @@ def proposal_dependencies(role) answer end + + def apply_role_post_chef_call(old_role, role, all_nodes) + @logger.debug("Trove apply_role_post_chef_call: entering") + # do this in post, because we depend on values that are computed in the + # cookbook + save_config_to_databag(old_role, role) + @logger.debug("Trove apply_role_post_chef_call: leaving") + end + + def save_config_to_databag(old_role, role) + if role.nil? + config = nil + else + insecure = Openstack::DataBagConfig.insecure(@bc_name, role) + + config = { + insecure: insecure + } + end + + instance = Crowbar::DataBagConfig.instance_from_role(old_role, role) + Crowbar::DataBagConfig.save("openstack", instance, @bc_name, config) + end end diff --git a/crowbar_framework/lib/openstack.rb b/crowbar_framework/lib/openstack.rb index d8d2c91da6..64e0f8f108 100644 --- a/crowbar_framework/lib/openstack.rb +++ b/crowbar_framework/lib/openstack.rb @@ -14,4 +14,5 @@ # limitations under the License. # +require "openstack/data_bag_config" require "openstack/ha" diff --git a/crowbar_framework/lib/openstack/data_bag_config.rb b/crowbar_framework/lib/openstack/data_bag_config.rb new file mode 100644 index 0000000000..50dd69328f --- /dev/null +++ b/crowbar_framework/lib/openstack/data_bag_config.rb 
@@ -0,0 +1,57 @@
+#
+# Copyright 2016, SUSE
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module Openstack
+ class DataBagConfig
+ class << self
+ def insecure(barclamp, role)
+ attributes = role.default_attributes[barclamp]
+
+ use_ssl = if attributes.key?("api") && attributes["api"].key?("protocol")
+ # aodh, cinder, glance, heat, keystone, manila, neutron
+ attributes["api"]["protocol"] == "https"
+ elsif attributes.key?("api") && attributes["api"].key?("ssl")
+ # barbican
+ attributes["api"]["ssl"]
+ elsif attributes.key?("ssl") && attributes["ssl"].key?("enabled")
+ # nova
+ attributes["ssl"]["enabled"]
+ else
+ # ceilometer, magnum, sahara, trove
+ false
+ end
+
+ insecure = use_ssl && attributes["ssl"]["insecure"]
+ unless barclamp == "keystone"
+ insecure ||= keystone_insecure(barclamp, role)
+ end
+
+ insecure
+ end
+
+ private
+
+ def keystone_insecure(barclamp, role)
+ keystone_config = Crowbar::DataBagConfig.load(
+ "openstack",
+ role.default_attributes[barclamp]["keystone_instance"],
+ "keystone"
+ )
+ keystone_config["insecure"]
+ end
+ end
+ end
+end
From a64eebb9a79dc63a0bacb426f04a8a340eb58ac0 Mon Sep 17 00:00:00 2001
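Review bot: `insecure` assumes a top-level `"ssl"` hash exists whenever `use_ssl` is truthy: the first two branches derive `use_ssl` from `attributes["api"]`, yet the next statement reads `attributes["ssl"]["insecure"]`, which raises `NoMethodError` if one of those barclamps has no `"ssl"` section. The attribute schemas are not visible here, so this may be safe today, but `insecure = use_ssl && attributes.fetch("ssl", {})["insecure"]` keeps the fallback at "not insecure" instead of failing the apply. `keystone_insecure` has the same shape, since it indexes the result of `Crowbar::DataBagConfig.load` without checking that an item was found. A doc comment on `insecure` stating that a truthy result presumably means TLS certificate verification is skipped for this service or for its keystone would make the security meaning of the stored flag explicit.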
From: Vincent Untz Date: Tue, 3 Jan 2017 13:41:23 +0100 Subject: [PATCH 4/5] cookbooks: Avoid searches just to see if a service is deployed We can check this out with the data bag config now. (cherry picked from commit 25ee4dc12855c4a7d6fd9a81cb926dbac59ca532) --- chef/cookbooks/horizon/recipes/server.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb index 3dadac3911..f512b0a224 100644 --- a/chef/cookbooks/horizon/recipes/server.rb +++ b/chef/cookbooks/horizon/recipes/server.rb @@ -70,8 +70,7 @@ end unless manila_ui_pkgname.nil? - manila_servers = search(:node, "roles:manila-server") || [] - unless manila_servers.empty? + unless Barclamp::Config.load("openstack", "manila").empty? package manila_ui_pkgname do action :install notifies :reload, resources(service: "apache2") From 35343371ac238a7211a3139ed3706e12ab0b4a2b Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Tue, 3 Jan 2017 13:43:01 +0100 Subject: [PATCH 5/5] horizon: Set insecure flag also with more openstack components aodh, barbican, ceilometer, magnum, trove and sahara (cherry picked from commit 4a5e9861999c8d3a7507d82b891e5fff98dc6a42) --- chef/cookbooks/horizon/recipes/server.rb | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/chef/cookbooks/horizon/recipes/server.rb b/chef/cookbooks/horizon/recipes/server.rb index f512b0a224..e043c89d7e 100644 --- a/chef/cookbooks/horizon/recipes/server.rb +++ b/chef/cookbooks/horizon/recipes/server.rb 
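Review bot: `Barclamp::Config.load("openstack", "manila")` is called without an instance argument, whereas `rabbitmq_settings` in patch 1/5 passes the instance explicitly, so this check only tests whatever instance `load` defaults to. If manila can be deployed under a different proposal name, the manila UI package would silently not be installed; passing the instance horizon is wired to would make the lookup explicit. The meaning of the condition also changes from "a node currently carries the manila-server role" to "a manila config item exists in the data bag", which is only equivalent if that item is removed when the proposal is deactivated (not visible here). The enclosing `unless manila_ui_pkgname.nil?` block continues outside the hunk.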
@@ -192,8 +192,10 @@ cinder_insecure = Barclamp::Config.load("openstack", "cinder")["insecure"] || false neutron_insecure = Barclamp::Config.load("openstack", "neutron")["insecure"] || false nova_insecure = Barclamp::Config.load("openstack", "nova")["insecure"] || false +ceilometer_insecure = Barclamp::Config.load("openstack", "ceilometer")["insecure"] || false heat_insecure = Barclamp::Config.load("openstack", "heat")["insecure"] || false manila_insecure = Barclamp::Config.load("openstack", "manila")["insecure"] || false +trove_insecure = Barclamp::Config.load("openstack", "trove")["insecure"] || false neutrons = search(:node, "roles:neutron-server") || [] if neutrons.length > 0 @@ -281,7 +283,15 @@ variables( debug: node[:horizon][:debug], keystone_settings: keystone_settings, - insecure: keystone_settings["insecure"] || glance_insecure || cinder_insecure || neutron_insecure || nova_insecure, + insecure: keystone_settings["insecure"] \ + || glance_insecure \ + || cinder_insecure \ + || neutron_insecure \ + || nova_insecure \ + || ceilometer_insecure \ + || heat_insecure \ + || manila_insecure \ + || trove_insecure \ db_settings: db_settings, enable_lb: neutron_use_lbaas, enable_vpn: neutron_use_vpnaas,
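Review bot: The commit message lists aodh, barbican, ceilometer, magnum, trove and sahara, but this hunk only adds `ceilometer_insecure` and `trove_insecure`, so the flags of the other four never reach the template. If those barclamps save a config item, load them the same way, e.g. `aodh_insecure = Barclamp::Config.load("openstack", "aodh")["insecure"] || false`, and add them to the `insecure:` expression in the second hunk; otherwise trim the message to what is implemented. These are top-level recipe statements with no enclosing method.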
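Review bot: The last added line of the `insecure:` expression, `|| trove_insecure \`, ends with a line continuation and no comma, so it is joined with the following `db_settings: db_settings,` and the `variables(...)` call should no longer parse. It should read `|| trove_insecure,` with no trailing backslash. Separately, OR-ing every service's flag into one `insecure` value means a single service marked insecure presumably turns off certificate verification for all of Horizon's API connections. The template variable already worked that way, but the longer list makes it easier to trigger, so a comment above the expression noting it would help operators. The `variables(` call and its enclosing resource continue outside the hunk.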