Juju Charms Collection
keystone package

Merge lp:~chris-gondolin/charms/trusty/keystone/ldap-fixes into lp:charms/keystone

Trusty Tahr (14.04)
ldap-fixes
Merge into trunk

Proposed by Chris Stratford on 2016-03-30

Status:	Rejected
Rejected by:	James Page on 2016-03-30
Proposed branch:	lp:~chris-gondolin/charms/trusty/keystone/ldap-fixes
Merge into:	lp:charms/keystone
Diff against target:	25116 lines (+24267/-0) (has conflicts) 145 files modified .bzrignore (+5/-0) .coveragerc (+7/-0) .project (+17/-0) .pydevproject (+9/-0) .testr.conf (+8/-0) Makefile (+30/-0) README.md (+134/-0) actions.yaml (+17/-0) actions/actions.py (+61/-0) actions/git_reinstall.py (+43/-0) actions/openstack_upgrade.py (+37/-0) charm-helpers-hooks.yaml (+18/-0) charm-helpers-tests.yaml (+5/-0) charmhelpers/__init__.py (+38/-0) charmhelpers/cli/__init__.py (+191/-0) charmhelpers/cli/benchmark.py (+36/-0) charmhelpers/cli/commands.py (+32/-0) charmhelpers/cli/hookenv.py (+23/-0) charmhelpers/cli/host.py (+31/-0) charmhelpers/cli/unitdata.py (+39/-0) charmhelpers/contrib/__init__.py (+15/-0) charmhelpers/contrib/charmsupport/__init__.py (+15/-0) charmhelpers/contrib/charmsupport/nrpe.py (+398/-0) charmhelpers/contrib/charmsupport/volumes.py (+175/-0) charmhelpers/contrib/hahelpers/__init__.py (+15/-0) charmhelpers/contrib/hahelpers/apache.py (+82/-0) charmhelpers/contrib/hahelpers/cluster.py (+316/-0) charmhelpers/contrib/network/__init__.py (+15/-0) charmhelpers/contrib/network/ip.py (+458/-0) charmhelpers/contrib/openstack/__init__.py (+15/-0) charmhelpers/contrib/openstack/alternatives.py (+33/-0) charmhelpers/contrib/openstack/amulet/__init__.py (+15/-0) charmhelpers/contrib/openstack/amulet/deployment.py (+301/-0) charmhelpers/contrib/openstack/amulet/utils.py (+985/-0) charmhelpers/contrib/openstack/context.py (+1473/-0) charmhelpers/contrib/openstack/files/__init__.py (+18/-0) charmhelpers/contrib/openstack/files/check_haproxy.sh (+34/-0) charmhelpers/contrib/openstack/files/check_haproxy_queue_depth.sh (+30/-0) charmhelpers/contrib/openstack/ip.py (+151/-0) charmhelpers/contrib/openstack/neutron.py (+370/-0) charmhelpers/contrib/openstack/templates/__init__.py (+18/-0) charmhelpers/contrib/openstack/templates/ceph.conf (+21/-0) charmhelpers/contrib/openstack/templates/git.upstart (+17/-0) charmhelpers/contrib/openstack/templates/haproxy.cfg (+66/-0) charmhelpers/contrib/openstack/templates/openstack_https_frontend (+24/-0) charmhelpers/contrib/openstack/templates/openstack_https_frontend.conf (+24/-0) charmhelpers/contrib/openstack/templates/section-keystone-authtoken (+9/-0) charmhelpers/contrib/openstack/templates/section-rabbitmq-oslo (+22/-0) charmhelpers/contrib/openstack/templates/section-zeromq (+14/-0) charmhelpers/contrib/openstack/templating.py (+323/-0) charmhelpers/contrib/openstack/utils.py (+1011/-0) charmhelpers/contrib/peerstorage/__init__.py (+269/-0) charmhelpers/contrib/python/__init__.py (+15/-0) charmhelpers/contrib/python/debug.py (+56/-0) charmhelpers/contrib/python/packages.py (+130/-0) charmhelpers/contrib/python/rpdb.py (+58/-0) charmhelpers/contrib/python/version.py (+34/-0) charmhelpers/contrib/storage/__init__.py (+15/-0) charmhelpers/contrib/storage/linux/__init__.py (+15/-0) charmhelpers/contrib/storage/linux/ceph.py (+1039/-0) charmhelpers/contrib/storage/linux/loopback.py (+88/-0) charmhelpers/contrib/storage/linux/lvm.py (+105/-0) charmhelpers/contrib/storage/linux/utils.py (+71/-0) charmhelpers/contrib/unison/__init__.py (+313/-0) charmhelpers/core/__init__.py (+15/-0) charmhelpers/core/decorators.py (+57/-0) charmhelpers/core/files.py (+45/-0) charmhelpers/core/fstab.py (+134/-0) charmhelpers/core/hookenv.py (+978/-0) charmhelpers/core/host.py (+658/-0) charmhelpers/core/hugepage.py (+71/-0) charmhelpers/core/kernel.py (+68/-0) charmhelpers/core/services/__init__.py (+18/-0) charmhelpers/core/services/base.py (+353/-0) charmhelpers/core/services/helpers.py (+292/-0) charmhelpers/core/strutils.py (+72/-0) charmhelpers/core/sysctl.py (+56/-0) charmhelpers/core/templating.py (+81/-0) charmhelpers/core/unitdata.py (+521/-0) charmhelpers/fetch/__init__.py (+464/-0) charmhelpers/fetch/archiveurl.py (+167/-0) charmhelpers/fetch/bzrurl.py (+68/-0) charmhelpers/fetch/giturl.py (+68/-0) charmhelpers/payload/__init__.py (+17/-0) charmhelpers/payload/archive.py (+73/-0) charmhelpers/payload/execd.py (+66/-0) config.yaml (+334/-0) copyright (+17/-0) hooks/install (+20/-0) hooks/keystone_context.py (+254/-0) hooks/keystone_hooks.py (+651/-0) hooks/keystone_ssl.py (+340/-0) hooks/keystone_utils.py (+1877/-0) hooks/manager.py (+47/-0) icon.svg (+653/-0) metadata.yaml (+32/-0) requirements.txt (+12/-0) scripts/add_to_cluster (+13/-0) scripts/remove_from_cluster (+4/-0) setup.cfg (+5/-0) templates/essex/keystone.conf (+93/-0) templates/essex/logging.conf (+39/-0) templates/folsom/keystone.conf (+112/-0) templates/git/logging.conf (+39/-0) templates/grizzly/keystone.conf (+131/-0) templates/havana/keystone.conf (+64/-0) templates/icehouse/keystone.conf (+112/-0) templates/icehouse/logging.conf (+43/-0) templates/kilo/keystone.conf (+115/-0) templates/kilo/logging.conf (+44/-0) templates/parts/section-signing (+13/-0) test-requirements.txt (+8/-0) tests/014-basic-precise-icehouse (+11/-0) tests/015-basic-trusty-icehouse (+9/-0) tests/016-basic-trusty-juno (+11/-0) tests/017-basic-trusty-kilo (+11/-0) tests/018-basic-trusty-liberty (+11/-0) tests/019-basic-trusty-mitaka (+11/-0) tests/020-basic-wily-liberty (+9/-0) tests/021-basic-xenial-mitaka (+9/-0) tests/050-basic-trusty-icehouse-git (+9/-0) tests/051-basic-trusty-juno-git (+12/-0) tests/052-basic-trusty-kilo-git (+12/-0) tests/README (+113/-0) tests/basic_deployment.py (+489/-0) tests/charmhelpers/__init__.py (+38/-0) tests/charmhelpers/contrib/__init__.py (+15/-0) tests/charmhelpers/contrib/amulet/__init__.py (+15/-0) tests/charmhelpers/contrib/amulet/deployment.py (+95/-0) tests/charmhelpers/contrib/amulet/utils.py (+818/-0) tests/charmhelpers/contrib/openstack/__init__.py (+15/-0) tests/charmhelpers/contrib/openstack/amulet/__init__.py (+15/-0) tests/charmhelpers/contrib/openstack/amulet/deployment.py (+301/-0) tests/charmhelpers/contrib/openstack/amulet/utils.py (+985/-0) tests/setup/00-setup (+17/-0) tests/tests.yaml (+21/-0) tox.ini (+29/-0) unit_tests/__init__.py (+4/-0) unit_tests/test_actions.py (+132/-0) unit_tests/test_actions_git_reinstall.py (+93/-0) unit_tests/test_actions_openstack_upgrade.py (+57/-0) unit_tests/test_keystone_contexts.py (+173/-0) unit_tests/test_keystone_hooks.py (+978/-0) unit_tests/test_keystone_utils.py (+761/-0) unit_tests/test_utils.py (+122/-0) Conflict adding file .bzrignore. Moved existing file to .bzrignore.moved. Conflict adding file .coveragerc. Moved existing file to .coveragerc.moved. Conflict adding file .project. Moved existing file to .project.moved. Conflict adding file .pydevproject. Moved existing file to .pydevproject.moved. Conflict adding file .testr.conf. Moved existing file to .testr.conf.moved. Conflict adding file Makefile. Moved existing file to Makefile.moved. Conflict adding file README.md. Moved existing file to README.md.moved. Conflict adding file actions. Moved existing file to actions.moved. Conflict adding file actions.yaml. Moved existing file to actions.yaml.moved. Conflict adding file charm-helpers-hooks.yaml. Moved existing file to charm-helpers-hooks.yaml.moved. Conflict adding file charm-helpers-tests.yaml. Moved existing file to charm-helpers-tests.yaml.moved. Conflict adding file charmhelpers. Moved existing file to charmhelpers.moved. Conflict adding file config.yaml. Moved existing file to config.yaml.moved. Conflict adding file copyright. Moved existing file to copyright.moved. Conflict adding file hooks. Moved existing file to hooks.moved. Conflict adding file icon.svg. Moved existing file to icon.svg.moved. Conflict adding file metadata.yaml. Moved existing file to metadata.yaml.moved. Conflict adding file requirements.txt. Moved existing file to requirements.txt.moved. Conflict adding file scripts. Moved existing file to scripts.moved. Conflict adding file setup.cfg. Moved existing file to setup.cfg.moved. Conflict adding file templates. Moved existing file to templates.moved. Conflict adding file test-requirements.txt. Moved existing file to test-requirements.txt.moved. Conflict adding file tests. Moved existing file to tests.moved. Conflict adding file tox.ini. Moved existing file to tox.ini.moved. Conflict adding file unit_tests. Moved existing file to unit_tests.moved.
To merge this branch:	bzr merge lp:~chris-gondolin/charms/trusty/keystone/ldap-fixes
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
OpenStack Charmers		2016-03-30	Pending
Review via email: mp+290401@code.launchpad.net

Description of the change

Enabling ldap on liberty (and possibly juno and kilo) doesn't work, as it relies on two ldap packages (python-ldap and python-ldappool) that aren't installed. This tries to fix that (it can't always, as python-ldappool doesn't exist at all for precise and only in the cloud archive for trusty, but it at least tries.)

Enabling read-only ldap for the identity backend correctly skips creation of the admin user, but also skips creation of the admin project. It shouldn't - this fixes that.

Also fixes store_admin_passwd() to work with the config.yaml default of "None".

Revision history for this message

James Page (james-page) wrote on 2016-03-30:

Hi Chris

Charm development is no longer undertaken under bzr branches on launchpad; please read:

https://github.com/openstack-charmers/openstack-community/blob/master/README.dev-charms.md

and re-target your change to the git repositories under the OpenStack project.

Unmerged revisions

205. By Chris Stratford on 2016-03-29

[chriss] Allow project creation even if identity driver is read-only ldap (as projects are resource not identity, so we still want them)

204. By Chris Stratford on 2016-03-29

[chriss] Include ldap packages (but disable them if not available). Fix store_admin_passwd() to work with config.yaml default of "None"

203. By David Ames on 2016-01-21

[1chb1n, r=thedac] wait for unit status and turn on releases for amulet tests

202. By David Ames on 2016-01-19

[tinwood,r=thedac] Fixes Bug#1526511 change pause/resume actions use (new) assess_status()

201. By James Page on 2016-01-19

Fix liberty/mitaka typo from previous test definition update batch.

200. By Liam Young on 2016-01-13

[gnuoy, r=james-page] Delete the old quantum catalogue entry if a neutron entry is present

199. By Liam Young on 2016-01-12

Update test combo definitions, remove Vivid deprecated release tests, update bundletester testplan yaml, update tests README.

198. By Corey Bryant on 2016-01-11

[corey.bryant,r=osci] Sync charm-helpers.

Enable sync of payload.archive, sync charm-helpers, and fixup unit test failures.

197. By Liam Young on 2016-01-11

[hopem, r=gnuoy] Ensure ssl certs always synced.
Partially-Closes-Bug: 1520339

196. By Liam Young on 2016-01-08

[hopem, r=gnuoy] Fix upgrade breakage whereby if upgrading from
version of charm that did not support
db-initialised peer setting db ops get stuck
waiting infinitely for db to be intialised.

Closes-Bug: 1519035

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Chris Stratford

OpenStack Charmers

 === added file '.bzrignore'
 --- .bzrignore	1970-01-01 00:00:00 +0000
 +++ .bzrignore	2016-03-30 08:19:58 +0000
@@ -0,0 +1,5 @@
++bin
++.coverage
++.testrepository
++.tox
++tags
 === renamed file '.bzrignore' => '.bzrignore.moved'
 === added file '.coveragerc'
 --- .coveragerc	1970-01-01 00:00:00 +0000
 +++ .coveragerc	2016-03-30 08:19:58 +0000
@@ -0,0 +1,7 @@
++[report]
++# Regexes for lines to exclude from consideration
++exclude_lines =
++    if __name__ == .__main__.:
++include=
++    hooks/keystone_*
++    actions/actions.py
 === renamed file '.coveragerc' => '.coveragerc.moved'
 === added file '.project'
 --- .project	1970-01-01 00:00:00 +0000
 +++ .project	2016-03-30 08:19:58 +0000
@@ -0,0 +1,17 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<projectDescription>
++	<name>keystone</name>
++	<comment></comment>
++	<projects>
++	</projects>
++	<buildSpec>
++		<buildCommand>
++			<name>org.python.pydev.PyDevBuilder</name>
++			<arguments>
++			</arguments>
++		</buildCommand>
++	</buildSpec>
++	<natures>
++		<nature>org.python.pydev.pythonNature</nature>
++	</natures>
++</projectDescription>
 === renamed file '.project' => '.project.moved'
 === added file '.pydevproject'
 --- .pydevproject	1970-01-01 00:00:00 +0000
 +++ .pydevproject	2016-03-30 08:19:58 +0000
@@ -0,0 +1,9 @@
++<?xml version="1.0" encoding="UTF-8" standalone="no"?>
++<?eclipse-pydev version="1.0"?><pydev_project>
++<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.7</pydev_property>
++<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
++<pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
++<path>/keystone/hooks</path>
++<path>/keystone/unit_tests</path>
++</pydev_pathproperty>
++</pydev_project>
 === renamed file '.pydevproject' => '.pydevproject.moved'
 === added file '.testr.conf'
 --- .testr.conf	1970-01-01 00:00:00 +0000
 +++ .testr.conf	2016-03-30 08:19:58 +0000
@@ -0,0 +1,8 @@
++[DEFAULT]
++test_command=OS_STDOUT_CAPTURE=${OS_STDOUT_CAPTURE:-1} \
++             OS_STDERR_CAPTURE=${OS_STDERR_CAPTURE:-1} \
++             OS_TEST_TIMEOUT=${OS_TEST_TIMEOUT:-60} \
++             ${PYTHON:-python} -m subunit.run discover -t ./ ./unit_tests $LISTOPT $IDOPTION
++
++test_id_option=--load-list $IDFILE
++test_list_option=--list
 === renamed file '.testr.conf' => '.testr.conf.moved'
 === added file 'Makefile'
 --- Makefile	1970-01-01 00:00:00 +0000
 +++ Makefile	2016-03-30 08:19:58 +0000
@@ -0,0 +1,30 @@
++#!/usr/bin/make
++PYTHON := /usr/bin/env python
++
++lint:
++	@flake8 --exclude hooks/charmhelpers,tests/charmhelpers \
++        actions hooks unit_tests tests
++	@charm proof
++
++test:
++	@# Bundletester expects unit tests here.
++	@echo Starting unit tests...
++	@$(PYTHON) /usr/bin/nosetests -v --nologcapture --with-coverage unit_tests
++
++functional_test:
++	@echo Starting Amulet tests...
++	@tests/setup/00-setup
++	@juju test -v -p AMULET_HTTP_PROXY,AMULET_OS_VIP --timeout 2700
++
++bin/charm_helpers_sync.py:
++	@mkdir -p bin
++	@bzr cat lp:charm-helpers/tools/charm_helpers_sync/charm_helpers_sync.py \
++        > bin/charm_helpers_sync.py
++
++sync: bin/charm_helpers_sync.py
++	@$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-hooks.yaml
++	@$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-tests.yaml
++
++publish: lint test
++	bzr push lp:charms/keystone
++	bzr push lp:charms/trusty/keystone
 === renamed file 'Makefile' => 'Makefile.moved'
 === added file 'README.md'
 --- README.md	1970-01-01 00:00:00 +0000
 +++ README.md	2016-03-30 08:19:58 +0000
@@ -0,0 +1,134 @@
++Overview
++========
++
++This charm provides Keystone, the Openstack identity service. It's target
++platform is (ideally) Ubuntu LTS + Openstack.
++
++Usage
++=====
++
++The following interfaces are provided:
++
++    - nrpe-external-master: Used to generate Nagios checks.
++
++    - identity-service: Openstack API endpoints request an entry in the
++      Keystone service catalog + endpoint template catalog. When a relation
++      is established, Keystone receives: service name, region, public_url,
++      admin_url and internal_url. It first checks that the requested service
++      is listed as a supported service. This list should stay updated to
++      support current Openstack core services. If the service is supported,
++      an entry in the service catalog is created, an endpoint template is
++      created and a admin token is generated. The other end of the relation
++      receives the token as well as info on which ports Keystone is listening
++      on.
++
++    - keystone-service: This is currently only used by Horizon/dashboard
++      as its interaction with Keystone is different from other Openstack API
++      services. That is, Horizon requests a Keystone role and token exists.
++      During a relation, Horizon requests its configured default role and
++      Keystone responds with a token and the auth + admin ports on which
++      Keystone is listening.
++
++    - identity-admin: Charms use this relation to obtain the credentials
++      for the admin user. This is intended for charms that automatically
++      provision users, tenants, etc. or that otherwise automate using the
++      Openstack cluster deployment.
++
++    - identity-notifications: Used to broadcast messages to any services
++      listening on the interface.
++
++Database
++--------
++
++Keystone requires a database. By default, a local sqlite database is used.
++The charm supports relations to a shared-db via mysql-shared interface. When
++a new data store is configured, the charm ensures the minimum administrator
++credentials exist (as configured via charm configuration)
++
++HA/Clustering
++-------------
++
++VIP is only required if you plan on multi-unit clustering (requires relating
++with hacluster charm). The VIP becomes a highly-available API endpoint.
++
++SSL/HTTPS
++---------
++
++This charm also supports SSL and HTTPS endpoints. In order to ensure SSL
++certificates are only created once and distributed to all units, one unit gets
++elected as an ssl-cert-master. One side-effect of this is that as units are
++scaled-out the currently elected leader needs to be running in order for nodes
++to sync certificates. This 'feature' is to work around the lack of native
++leadership election via Juju itself, a feature that is due for release some
++time soon but until then we have to rely on this. Also, if a keystone unit does
++go down, it must be removed from Juju i.e.
++
++    juju destroy-unit keystone/<unit-num>
++
++Otherwise it will be assumed that this unit may come back at some point and
++therefore must be know to be in-sync with the rest before continuing.
++
++Deploying from source
++---------------------
++
++The minimum openstack-origin-git config required to deploy from source is:
++
++    openstack-origin-git: include-file://keystone-juno.yaml
++
++    keystone-juno.yaml
++        repositories:
++        - {name: requirements,
++           repository: 'git://github.com/openstack/requirements',
++           branch: stable/juno}
++        - {name: keystone,
++           repository: 'git://github.com/openstack/keystone',
++           branch: stable/juno}
++
++Note that there are only two 'name' values the charm knows about: 'requirements'
++and 'keystone'. These repositories must correspond to these 'name' values.
++Additionally, the requirements repository must be specified first and the
++keystone repository must be specified last. All other repostories are installed
++in the order in which they are specified.
++
++The following is a full list of current tip repos (may not be up-to-date):
++
++    openstack-origin-git: include-file://keystone-master.yaml
++
++    keystone-master.yaml
++        repositories:
++        - {name: requirements,
++           repository: 'git://github.com/openstack/requirements',
++           branch: master}
++        - {name: oslo-concurrency,
++           repository: 'git://github.com/openstack/oslo.concurrency',
++           branch: master}
++        - {name: oslo-config,
++           repository: 'git://github.com/openstack/oslo.config',
++           branch: master}
++        - {name: oslo-db,
++           repository: 'git://github.com/openstack/oslo.db',
++           branch: master}
++        - {name: oslo-i18n,
++           repository: 'git://github.com/openstack/oslo.i18n',
++           branch: master}
++        - {name: oslo-serialization,
++           repository: 'git://github.com/openstack/oslo.serialization',
++           branch: master}
++        - {name: oslo-utils,
++           repository: 'git://github.com/openstack/oslo.utils',
++           branch: master}
++        - {name: pbr,
++           repository: 'git://github.com/openstack-dev/pbr',
++           branch: master}
++        - {name: python-keystoneclient,
++           repository: 'git://github.com/openstack/python-keystoneclient',
++           branch: master}
++        - {name: sqlalchemy-migrate,
++           repository: 'git://github.com/stackforge/sqlalchemy-migrate',
++           branch: master}
++        - {name: keystonemiddleware,
++           repository: 'git://github.com/openstack/keystonemiddleware',
++           branch: master}
++        - {name: keystone,
++           repository: 'git://github.com/openstack/keystone',
++           branch: master}
 === renamed file 'README.md' => 'README.md.moved'
 === added directory 'actions'
 === renamed directory 'actions' => 'actions.moved'
 === added file 'actions.yaml'
 --- actions.yaml	1970-01-01 00:00:00 +0000
 +++ actions.yaml	2016-03-30 08:19:58 +0000
@@ -0,0 +1,17 @@
++git-reinstall:
++  description: Reinstall keystone from the openstack-origin-git repositories.
++pause:
++  description: |
++    Pause keystone services.
++    If the keystone deployment is clustered using the hacluster charm, the
++    corresponding hacluster unit on the node must first be paused as well.
++    Not doing so may lead to an interruption of service.
++resume:
++  description: |
++    Resume keystone services.
++    If the keystone deployment is clustered using the hacluster charm, the
++    corresponding hacluster unit on the node must be resumed as well.
++openstack-upgrade:
++  description: |
++    Perform openstack upgrades. Config option action-managed-upgrade must be
++    set to True.
 === renamed file 'actions.yaml' => 'actions.yaml.moved'
 === added file 'actions/__init__.py'
 === added file 'actions/actions.py'
 --- actions/actions.py	1970-01-01 00:00:00 +0000
 +++ actions/actions.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,61 @@
++#!/usr/bin/python
++
++import sys
++import os
++
++from charmhelpers.core.host import service_pause, service_resume
++from charmhelpers.core.hookenv import action_fail
++from charmhelpers.core.unitdata import HookData, kv
++
++from hooks.keystone_utils import services, assess_status
++from hooks.keystone_hooks import CONFIGS
++
++
++def pause(args):
++    """Pause all the Keystone services.
++
++    @raises Exception if any services fail to stop
++    """
++    for service in services():
++        stopped = service_pause(service)
++        if not stopped:
++            raise Exception("{} didn't stop cleanly.".format(service))
++    with HookData()():
++        kv().set('unit-paused', True)
++    assess_status(CONFIGS)
++
++
++def resume(args):
++    """Resume all the Keystone services.
++
++    @raises Exception if any services fail to start
++    """
++    for service in services():
++        started = service_resume(service)
++        if not started:
++            raise Exception("{} didn't start cleanly.".format(service))
++    with HookData()():
++        kv().set('unit-paused', False)
++    assess_status(CONFIGS)
++
++
++# A dictionary of all the defined actions to callables (which take
++# parsed arguments).
++ACTIONS = {"pause": pause, "resume": resume}
++
++
++def main(args):
++    action_name = os.path.basename(args[0])
++    try:
++        action = ACTIONS[action_name]
++    except KeyError:
++        return "Action %s undefined" % action_name
++    else:
++        try:
++            action(args)
++        except Exception as e:
++            action_fail(str(e))
++
++
++if __name__ == "__main__":
++    sys.exit(main(sys.argv))
 === added symlink 'actions/charmhelpers'
 === target is u'../charmhelpers'
 === added symlink 'actions/git-reinstall'
 === target is u'git_reinstall.py'
 === added file 'actions/git_reinstall.py'
 --- actions/git_reinstall.py	1970-01-01 00:00:00 +0000
 +++ actions/git_reinstall.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,43 @@
++#!/usr/bin/python
++
++import traceback
++
++from charmhelpers.contrib.openstack.utils import (
++    git_install_requested,
++)
++
++from charmhelpers.core.hookenv import (
++    action_set,
++    action_fail,
++    config,
++)
++
++from hooks.keystone_utils import (
++    git_install,
++)
++
++from hooks.keystone_hooks import (
++    config_changed,
++)
++
++
++def git_reinstall():
++    """Reinstall from source and restart services.
++
++    If the openstack-origin-git config option was used to install openstack
++    from source git repositories, then this action can be used to reinstall
++    from updated git repositories, followed by a restart of services."""
++    if not git_install_requested():
++        action_fail('openstack-origin-git is not configured')
++        return
++
++    try:
++        git_install(config('openstack-origin-git'))
++        config_changed()
++    except:
++        action_set({'traceback': traceback.format_exc()})
++        action_fail('git-reinstall resulted in an unexpected error')
++
++
++if __name__ == '__main__':
++    git_reinstall()
 === added symlink 'actions/hooks'
 === target is u'../hooks'
 === added symlink 'actions/openstack-upgrade'
 === target is u'openstack_upgrade.py'
 === added file 'actions/openstack_upgrade.py'
 --- actions/openstack_upgrade.py	1970-01-01 00:00:00 +0000
 +++ actions/openstack_upgrade.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,37 @@
++#!/usr/bin/python
++import os
++import sys
++
++sys.path.append('hooks/')
++
++from charmhelpers.contrib.openstack.utils import (
++    do_action_openstack_upgrade,
++)
++
++from keystone_hooks import (
++    CONFIGS,
++)
++
++from keystone_utils import (
++    do_openstack_upgrade,
++)
++
++
++def openstack_upgrade():
++    """Perform action-managed OpenStack upgrade.
++
++    Upgrades packages to the configured openstack-origin version and sets
++    the corresponding action status as a result.
++
++    If the charm was installed from source we cannot upgrade it.
++    For backwards compatibility a config flag (action-managed-upgrade) must
++    be set for this code to run, otherwise a full service level upgrade will
++    fire on config-changed."""
++
++    if (do_action_openstack_upgrade('keystone',
++                                    do_openstack_upgrade,
++                                    CONFIGS)):
++        os.execl('./hooks/config-changed-postupgrade', '')
++
++if __name__ == '__main__':
++    openstack_upgrade()
 === added symlink 'actions/pause'
 === target is u'actions.py'
 === added symlink 'actions/resume'
 === target is u'actions.py'
 === added file 'charm-helpers-hooks.yaml'
 --- charm-helpers-hooks.yaml	1970-01-01 00:00:00 +0000
 +++ charm-helpers-hooks.yaml	2016-03-30 08:19:58 +0000
@@ -0,0 +1,18 @@
++branch: lp:charm-helpers
++destination: charmhelpers
++include:
++    - core
++    - cli
++    - fetch
++    - contrib.openstack|inc=*
++    - contrib.storage
++    - contrib.hahelpers:
++        - apache
++        - cluster
++    - contrib.python
++    - contrib.unison
++    - payload
++    - contrib.peerstorage
++    - contrib.network.ip
++    - contrib.python.packages
++    - contrib.charmsupport
 === renamed file 'charm-helpers-hooks.yaml' => 'charm-helpers-hooks.yaml.moved'
 === added file 'charm-helpers-tests.yaml'
 --- charm-helpers-tests.yaml	1970-01-01 00:00:00 +0000
 +++ charm-helpers-tests.yaml	2016-03-30 08:19:58 +0000
@@ -0,0 +1,5 @@
++branch: lp:charm-helpers
++destination: tests/charmhelpers
++include:
++    - contrib.amulet
++    - contrib.openstack.amulet
 === renamed file 'charm-helpers-tests.yaml' => 'charm-helpers-tests.yaml.moved'
 === added directory 'charmhelpers'
 === renamed directory 'charmhelpers' => 'charmhelpers.moved'
 === added file 'charmhelpers/__init__.py'
 --- charmhelpers/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,38 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++# Bootstrap charm-helpers, installing its dependencies if necessary using
++# only standard libraries.
++import subprocess
++import sys
++
++try:
++    import six  # flake8: noqa
++except ImportError:
++    if sys.version_info.major == 2:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python-six'])
++    else:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python3-six'])
++    import six  # flake8: noqa
++
++try:
++    import yaml  # flake8: noqa
++except ImportError:
++    if sys.version_info.major == 2:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python-yaml'])
++    else:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python3-yaml'])
++    import yaml  # flake8: noqa
 === added directory 'charmhelpers/cli'
 === added file 'charmhelpers/cli/__init__.py'
 --- charmhelpers/cli/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/cli/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,191 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import inspect
++import argparse
++import sys
++
++from six.moves import zip
++
++import charmhelpers.core.unitdata
++
++
++class OutputFormatter(object):
++    def __init__(self, outfile=sys.stdout):
++        self.formats = (
++            "raw",
++            "json",
++            "py",
++            "yaml",
++            "csv",
++            "tab",
++        )
++        self.outfile = outfile
++
++    def add_arguments(self, argument_parser):
++        formatgroup = argument_parser.add_mutually_exclusive_group()
++        choices = self.supported_formats
++        formatgroup.add_argument("--format", metavar='FMT',
++                                 help="Select output format for returned data, "
++                                      "where FMT is one of: {}".format(choices),
++                                 choices=choices, default='raw')
++        for fmt in self.formats:
++            fmtfunc = getattr(self, fmt)
++            formatgroup.add_argument("-{}".format(fmt[0]),
++                                     "--{}".format(fmt), action='store_const',
++                                     const=fmt, dest='format',
++                                     help=fmtfunc.__doc__)
++
++    @property
++    def supported_formats(self):
++        return self.formats
++
++    def raw(self, output):
++        """Output data as raw string (default)"""
++        if isinstance(output, (list, tuple)):
++            output = '\n'.join(map(str, output))
++        self.outfile.write(str(output))
++
++    def py(self, output):
++        """Output data as a nicely-formatted python data structure"""
++        import pprint
++        pprint.pprint(output, stream=self.outfile)
++
++    def json(self, output):
++        """Output data in JSON format"""
++        import json
++        json.dump(output, self.outfile)
++
++    def yaml(self, output):
++        """Output data in YAML format"""
++        import yaml
++        yaml.safe_dump(output, self.outfile)
++
++    def csv(self, output):
++        """Output data as excel-compatible CSV"""
++        import csv
++        csvwriter = csv.writer(self.outfile)
++        csvwriter.writerows(output)
++
++    def tab(self, output):
++        """Output data in excel-compatible tab-delimited format"""
++        import csv
++        csvwriter = csv.writer(self.outfile, dialect=csv.excel_tab)
++        csvwriter.writerows(output)
++
++    def format_output(self, output, fmt='raw'):
++        fmtfunc = getattr(self, fmt)
++        fmtfunc(output)
++
++
++class CommandLine(object):
++    argument_parser = None
++    subparsers = None
++    formatter = None
++    exit_code = 0
++
++    def __init__(self):
++        if not self.argument_parser:
++            self.argument_parser = argparse.ArgumentParser(description='Perform common charm tasks')
++        if not self.formatter:
++            self.formatter = OutputFormatter()
++            self.formatter.add_arguments(self.argument_parser)
++        if not self.subparsers:
++            self.subparsers = self.argument_parser.add_subparsers(help='Commands')
++
++    def subcommand(self, command_name=None):
++        """
++        Decorate a function as a subcommand. Use its arguments as the
++        command-line arguments"""
++        def wrapper(decorated):
++            cmd_name = command_name or decorated.__name__
++            subparser = self.subparsers.add_parser(cmd_name,
++                                                   description=decorated.__doc__)
++            for args, kwargs in describe_arguments(decorated):
++                subparser.add_argument(*args, **kwargs)
++            subparser.set_defaults(func=decorated)
++            return decorated
++        return wrapper
++
++    def test_command(self, decorated):
++        """
++        Subcommand is a boolean test function, so bool return values should be
++        converted to a 0/1 exit code.
++        """
++        decorated._cli_test_command = True
++        return decorated
++
++    def no_output(self, decorated):
++        """
++        Subcommand is not expected to return a value, so don't print a spurious None.
++        """
++        decorated._cli_no_output = True
++        return decorated
++
++    def subcommand_builder(self, command_name, description=None):
++        """
++        Decorate a function that builds a subcommand. Builders should accept a
++        single argument (the subparser instance) and return the function to be
++        run as the command."""
++        def wrapper(decorated):
++            subparser = self.subparsers.add_parser(command_name)
++            func = decorated(subparser)
++            subparser.set_defaults(func=func)
++            subparser.description = description or func.__doc__
++        return wrapper
++
++    def run(self):
++        "Run cli, processing arguments and executing subcommands."
++        arguments = self.argument_parser.parse_args()
++        argspec = inspect.getargspec(arguments.func)
++        vargs = []
++        for arg in argspec.args:
++            vargs.append(getattr(arguments, arg))
++        if argspec.varargs:
++            vargs.extend(getattr(arguments, argspec.varargs))
++        output = arguments.func(*vargs)
++        if getattr(arguments.func, '_cli_test_command', False):
++            self.exit_code = 0 if output else 1
++            output = ''
++        if getattr(arguments.func, '_cli_no_output', False):
++            output = ''
++        self.formatter.format_output(output, arguments.format)
++        if charmhelpers.core.unitdata._KV:
++            charmhelpers.core.unitdata._KV.flush()
++
++
++cmdline = CommandLine()
++
++
++def describe_arguments(func):
++    """
++    Analyze a function's signature and return a data structure suitable for
++    passing in as arguments to an argparse parser's add_argument() method."""
++
++    argspec = inspect.getargspec(func)
++    # we should probably raise an exception somewhere if func includes **kwargs
++    if argspec.defaults:
++        positional_args = argspec.args[:-len(argspec.defaults)]
++        keyword_names = argspec.args[-len(argspec.defaults):]
++        for arg, default in zip(keyword_names, argspec.defaults):
++            yield ('--{}'.format(arg),), {'default': default}
++    else:
++        positional_args = argspec.args
++
++    for arg in positional_args:
++        yield (arg,), {}
++    if argspec.varargs:
++        yield (argspec.varargs,), {'nargs': '*'}
 === added file 'charmhelpers/cli/benchmark.py'
 --- charmhelpers/cli/benchmark.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/cli/benchmark.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,36 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.contrib.benchmark import Benchmark
++
++
++@cmdline.subcommand(command_name='benchmark-start')
++def start():
++    Benchmark.start()
++
++
++@cmdline.subcommand(command_name='benchmark-finish')
++def finish():
++    Benchmark.finish()
++
++
++@cmdline.subcommand_builder('benchmark-composite', description="Set the benchmark composite score")
++def service(subparser):
++    subparser.add_argument("value", help="The composite score.")
++    subparser.add_argument("units", help="The units the composite score represents, i.e., 'reads/sec'.")
++    subparser.add_argument("direction", help="'asc' if a lower score is better, 'desc' if a higher score is better.")
++    return Benchmark.set_composite_score
 === added file 'charmhelpers/cli/commands.py'
 --- charmhelpers/cli/commands.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/cli/commands.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,32 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++This module loads sub-modules into the python runtime so they can be
++discovered via the inspect module. In order to prevent flake8 from (rightfully)
++telling us these are unused modules, throw a ' # noqa' at the end of each import
++so that the warning is suppressed.
++"""
++
++from . import CommandLine  # noqa
++
++"""
++Import the sub-modules which have decorated subcommands to register with chlp.
++"""
++from . import host  # noqa
++from . import benchmark  # noqa
++from . import unitdata  # noqa
++from . import hookenv  # noqa
 === added file 'charmhelpers/cli/hookenv.py'
 --- charmhelpers/cli/hookenv.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/cli/hookenv.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,23 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import hookenv
++
++
++cmdline.subcommand('relation-id')(hookenv.relation_id._wrapped)
++cmdline.subcommand('service-name')(hookenv.service_name)
++cmdline.subcommand('remote-service-name')(hookenv.remote_service_name._wrapped)
 === added file 'charmhelpers/cli/host.py'
 --- charmhelpers/cli/host.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/cli/host.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,31 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import host
++
++
++@cmdline.subcommand()
++def mounts():
++    "List mounts"
++    return host.mounts()
++
++
++@cmdline.subcommand_builder('service', description="Control system services")
++def service(subparser):
++    subparser.add_argument("action", help="The action to perform (start, stop, etc...)")
++    subparser.add_argument("service_name", help="Name of the service to control")
++    return host.service
 === added file 'charmhelpers/cli/unitdata.py'
 --- charmhelpers/cli/unitdata.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/cli/unitdata.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,39 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import unitdata
++
++
++@cmdline.subcommand_builder('unitdata', description="Store and retrieve data")
++def unitdata_cmd(subparser):
++    nested = subparser.add_subparsers()
++    get_cmd = nested.add_parser('get', help='Retrieve data')
++    get_cmd.add_argument('key', help='Key to retrieve the value of')
++    get_cmd.set_defaults(action='get', value=None)
++    set_cmd = nested.add_parser('set', help='Store data')
++    set_cmd.add_argument('key', help='Key to set')
++    set_cmd.add_argument('value', help='Value to store')
++    set_cmd.set_defaults(action='set')
++
++    def _unitdata_cmd(action, key, value):
++        if action == 'get':
++            return unitdata.kv().get(key)
++        elif action == 'set':
++            unitdata.kv().set(key, value)
++            unitdata.kv().flush()
++            return ''
++    return _unitdata_cmd
 === added directory 'charmhelpers/contrib'
 === added file 'charmhelpers/contrib/__init__.py'
 --- charmhelpers/contrib/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added directory 'charmhelpers/contrib/charmsupport'
 === added file 'charmhelpers/contrib/charmsupport/__init__.py'
 --- charmhelpers/contrib/charmsupport/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/charmsupport/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'charmhelpers/contrib/charmsupport/nrpe.py'
 --- charmhelpers/contrib/charmsupport/nrpe.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/charmsupport/nrpe.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,398 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++"""Compatibility with the nrpe-external-master charm"""
++# Copyright 2012 Canonical Ltd.
++#
++# Authors:
++#  Matthew Wedgwood <matthew.wedgwood@canonical.com>
++
++import subprocess
++import pwd
++import grp
++import os
++import glob
++import shutil
++import re
++import shlex
++import yaml
++
++from charmhelpers.core.hookenv import (
++    config,
++    local_unit,
++    log,
++    relation_ids,
++    relation_set,
++    relations_of_type,
++)
++
++from charmhelpers.core.host import service
++
++# This module adds compatibility with the nrpe-external-master and plain nrpe
++# subordinate charms. To use it in your charm:
++#
++# 1. Update metadata.yaml
++#
++#   provides:
++#     (...)
++#     nrpe-external-master:
++#       interface: nrpe-external-master
++#       scope: container
++#
++#   and/or
++#
++#   provides:
++#     (...)
++#     local-monitors:
++#       interface: local-monitors
++#       scope: container
++
++#
++# 2. Add the following to config.yaml
++#
++#    nagios_context:
++#      default: "juju"
++#      type: string
++#      description: |
++#        Used by the nrpe subordinate charms.
++#        A string that will be prepended to instance name to set the host name
++#        in nagios. So for instance the hostname would be something like:
++#            juju-myservice-0
++#        If you're running multiple environments with the same services in them
++#        this allows you to differentiate between them.
++#    nagios_servicegroups:
++#      default: ""
++#      type: string
++#      description: |
++#        A comma-separated list of nagios servicegroups.
++#        If left empty, the nagios_context will be used as the servicegroup
++#
++# 3. Add custom checks (Nagios plugins) to files/nrpe-external-master
++#
++# 4. Update your hooks.py with something like this:
++#
++#    from charmsupport.nrpe import NRPE
++#    (...)
++#    def update_nrpe_config():
++#        nrpe_compat = NRPE()
++#        nrpe_compat.add_check(
++#            shortname = "myservice",
++#            description = "Check MyService",
++#            check_cmd = "check_http -w 2 -c 10 http://localhost"
++#            )
++#        nrpe_compat.add_check(
++#            "myservice_other",
++#            "Check for widget failures",
++#            check_cmd = "/srv/myapp/scripts/widget_check"
++#            )
++#        nrpe_compat.write()
++#
++#    def config_changed():
++#        (...)
++#        update_nrpe_config()
++#
++#    def nrpe_external_master_relation_changed():
++#        update_nrpe_config()
++#
++#    def local_monitors_relation_changed():
++#        update_nrpe_config()
++#
++# 5. ln -s hooks.py nrpe-external-master-relation-changed
++#    ln -s hooks.py local-monitors-relation-changed
++
++
++class CheckException(Exception):
++    pass
++
++
++class Check(object):
++    shortname_re = '[A-Za-z0-9-_]+$'
++    service_template = ("""
++#---------------------------------------------------
++# This file is Juju managed
++#---------------------------------------------------
++define service {{
++    use                             active-service
++    host_name                       {nagios_hostname}
++    service_description             {nagios_hostname}[{shortname}] """
++                        """{description}
++    check_command                   check_nrpe!{command}
++    servicegroups                   {nagios_servicegroup}
++}}
++""")
++
++    def __init__(self, shortname, description, check_cmd):
++        super(Check, self).__init__()
++        # XXX: could be better to calculate this from the service name
++        if not re.match(self.shortname_re, shortname):
++            raise CheckException("shortname must match {}".format(
++                Check.shortname_re))
++        self.shortname = shortname
++        self.command = "check_{}".format(shortname)
++        # Note: a set of invalid characters is defined by the
++        # Nagios server config
++        # The default is: illegal_object_name_chars=`~!$%^&*"|'<>?,()=
++        self.description = description
++        self.check_cmd = self._locate_cmd(check_cmd)
++
++    def _get_check_filename(self):
++        return os.path.join(NRPE.nrpe_confdir, '{}.cfg'.format(self.command))
++
++    def _get_service_filename(self, hostname):
++        return os.path.join(NRPE.nagios_exportdir,
++                            'service__{}_{}.cfg'.format(hostname, self.command))
++
++    def _locate_cmd(self, check_cmd):
++        search_path = (
++            '/usr/lib/nagios/plugins',
++            '/usr/local/lib/nagios/plugins',
++        )
++        parts = shlex.split(check_cmd)
++        for path in search_path:
++            if os.path.exists(os.path.join(path, parts[0])):
++                command = os.path.join(path, parts[0])
++                if len(parts) > 1:
++                    command += " " + " ".join(parts[1:])
++                return command
++        log('Check command not found: {}'.format(parts[0]))
++        return ''
++
++    def _remove_service_files(self):
++        if not os.path.exists(NRPE.nagios_exportdir):
++            return
++        for f in os.listdir(NRPE.nagios_exportdir):
++            if f.endswith('_{}.cfg'.format(self.command)):
++                os.remove(os.path.join(NRPE.nagios_exportdir, f))
++
++    def remove(self, hostname):
++        nrpe_check_file = self._get_check_filename()
++        if os.path.exists(nrpe_check_file):
++            os.remove(nrpe_check_file)
++        self._remove_service_files()
++
++    def write(self, nagios_context, hostname, nagios_servicegroups):
++        nrpe_check_file = self._get_check_filename()
++        with open(nrpe_check_file, 'w') as nrpe_check_config:
++            nrpe_check_config.write("# check {}\n".format(self.shortname))
++            nrpe_check_config.write("command[{}]={}\n".format(
++                self.command, self.check_cmd))
++
++        if not os.path.exists(NRPE.nagios_exportdir):
++            log('Not writing service config as {} is not accessible'.format(
++                NRPE.nagios_exportdir))
++        else:
++            self.write_service_config(nagios_context, hostname,
++                                      nagios_servicegroups)
++
++    def write_service_config(self, nagios_context, hostname,
++                             nagios_servicegroups):
++        self._remove_service_files()
++
++        templ_vars = {
++            'nagios_hostname': hostname,
++            'nagios_servicegroup': nagios_servicegroups,
++            'description': self.description,
++            'shortname': self.shortname,
++            'command': self.command,
++        }
++        nrpe_service_text = Check.service_template.format(**templ_vars)
++        nrpe_service_file = self._get_service_filename(hostname)
++        with open(nrpe_service_file, 'w') as nrpe_service_config:
++            nrpe_service_config.write(str(nrpe_service_text))
++
++    def run(self):
++        subprocess.call(self.check_cmd)
++
++
++class NRPE(object):
++    nagios_logdir = '/var/log/nagios'
++    nagios_exportdir = '/var/lib/nagios/export'
++    nrpe_confdir = '/etc/nagios/nrpe.d'
++
++    def __init__(self, hostname=None):
++        super(NRPE, self).__init__()
++        self.config = config()
++        self.nagios_context = self.config['nagios_context']
++        if 'nagios_servicegroups' in self.config and self.config['nagios_servicegroups']:
++            self.nagios_servicegroups = self.config['nagios_servicegroups']
++        else:
++            self.nagios_servicegroups = self.nagios_context
++        self.unit_name = local_unit().replace('/', '-')
++        if hostname:
++            self.hostname = hostname
++        else:
++            nagios_hostname = get_nagios_hostname()
++            if nagios_hostname:
++                self.hostname = nagios_hostname
++            else:
++                self.hostname = "{}-{}".format(self.nagios_context, self.unit_name)
++        self.checks = []
++
++    def add_check(self, *args, **kwargs):
++        self.checks.append(Check(*args, **kwargs))
++
++    def remove_check(self, *args, **kwargs):
++        if kwargs.get('shortname') is None:
++            raise ValueError('shortname of check must be specified')
++
++        # Use sensible defaults if they're not specified - these are not
++        # actually used during removal, but they're required for constructing
++        # the Check object; check_disk is chosen because it's part of the
++        # nagios-plugins-basic package.
++        if kwargs.get('check_cmd') is None:
++            kwargs['check_cmd'] = 'check_disk'
++        if kwargs.get('description') is None:
++            kwargs['description'] = ''
++
++        check = Check(*args, **kwargs)
++        check.remove(self.hostname)
++
++    def write(self):
++        try:
++            nagios_uid = pwd.getpwnam('nagios').pw_uid
++            nagios_gid = grp.getgrnam('nagios').gr_gid
++        except:
++            log("Nagios user not set up, nrpe checks not updated")
++            return
++
++        if not os.path.exists(NRPE.nagios_logdir):
++            os.mkdir(NRPE.nagios_logdir)
++            os.chown(NRPE.nagios_logdir, nagios_uid, nagios_gid)
++
++        nrpe_monitors = {}
++        monitors = {"monitors": {"remote": {"nrpe": nrpe_monitors}}}
++        for nrpecheck in self.checks:
++            nrpecheck.write(self.nagios_context, self.hostname,
++                            self.nagios_servicegroups)
++            nrpe_monitors[nrpecheck.shortname] = {
++                "command": nrpecheck.command,
++            }
++
++        service('restart', 'nagios-nrpe-server')
++
++        monitor_ids = relation_ids("local-monitors") + \
++            relation_ids("nrpe-external-master")
++        for rid in monitor_ids:
++            relation_set(relation_id=rid, monitors=yaml.dump(monitors))
++
++
++def get_nagios_hostcontext(relation_name='nrpe-external-master'):
++    """
++    Query relation with nrpe subordinate, return the nagios_host_context
++
++    :param str relation_name: Name of relation nrpe sub joined to
++    """
++    for rel in relations_of_type(relation_name):
++        if 'nagios_host_context' in rel:
++            return rel['nagios_host_context']
++
++
++def get_nagios_hostname(relation_name='nrpe-external-master'):
++    """
++    Query relation with nrpe subordinate, return the nagios_hostname
++
++    :param str relation_name: Name of relation nrpe sub joined to
++    """
++    for rel in relations_of_type(relation_name):
++        if 'nagios_hostname' in rel:
++            return rel['nagios_hostname']
++
++
++def get_nagios_unit_name(relation_name='nrpe-external-master'):
++    """
++    Return the nagios unit name prepended with host_context if needed
++
++    :param str relation_name: Name of relation nrpe sub joined to
++    """
++    host_context = get_nagios_hostcontext(relation_name)
++    if host_context:
++        unit = "%s:%s" % (host_context, local_unit())
++    else:
++        unit = local_unit()
++    return unit
++
++
++def add_init_service_checks(nrpe, services, unit_name):
++    """
++    Add checks for each service in list
++
++    :param NRPE nrpe: NRPE object to add check to
++    :param list services: List of services to check
++    :param str unit_name: Unit name to use in check description
++    """
++    for svc in services:
++        upstart_init = '/etc/init/%s.conf' % svc
++        sysv_init = '/etc/init.d/%s' % svc
++        if os.path.exists(upstart_init):
++            # Don't add a check for these services from neutron-gateway
++            if svc not in ['ext-port', 'os-charm-phy-nic-mtu']:
++                nrpe.add_check(
++                    shortname=svc,
++                    description='process check {%s}' % unit_name,
++                    check_cmd='check_upstart_job %s' % svc
++                )
++        elif os.path.exists(sysv_init):
++            cronpath = '/etc/cron.d/nagios-service-check-%s' % svc
++            cron_file = ('*/5 * * * * root '
++                         '/usr/local/lib/nagios/plugins/check_exit_status.pl '
++                         '-s /etc/init.d/%s status > '
++                         '/var/lib/nagios/service-check-%s.txt\n' % (svc,
++                                                                     svc)
++                         )
++            f = open(cronpath, 'w')
++            f.write(cron_file)
++            f.close()
++            nrpe.add_check(
++                shortname=svc,
++                description='process check {%s}' % unit_name,
++                check_cmd='check_status_file.py -f '
++                          '/var/lib/nagios/service-check-%s.txt' % svc,
++            )
++
++
++def copy_nrpe_checks():
++    """
++    Copy the nrpe checks into place
++
++    """
++    NAGIOS_PLUGINS = '/usr/local/lib/nagios/plugins'
++    nrpe_files_dir = os.path.join(os.getenv('CHARM_DIR'), 'hooks',
++                                  'charmhelpers', 'contrib', 'openstack',
++                                  'files')
++
++    if not os.path.exists(NAGIOS_PLUGINS):
++        os.makedirs(NAGIOS_PLUGINS)
++    for fname in glob.glob(os.path.join(nrpe_files_dir, "check_*")):
++        if os.path.isfile(fname):
++            shutil.copy2(fname,
++                         os.path.join(NAGIOS_PLUGINS, os.path.basename(fname)))
++
++
++def add_haproxy_checks(nrpe, unit_name):
++    """
++    Add checks for each service in list
++
++    :param NRPE nrpe: NRPE object to add check to
++    :param str unit_name: Unit name to use in check description
++    """
++    nrpe.add_check(
++        shortname='haproxy_servers',
++        description='Check HAProxy {%s}' % unit_name,
++        check_cmd='check_haproxy.sh')
++    nrpe.add_check(
++        shortname='haproxy_queue',
++        description='Check HAProxy queue depth {%s}' % unit_name,
++        check_cmd='check_haproxy_queue_depth.sh')
 === added file 'charmhelpers/contrib/charmsupport/volumes.py'
 --- charmhelpers/contrib/charmsupport/volumes.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/charmsupport/volumes.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,175 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++'''
++Functions for managing volumes in juju units. One volume is supported per unit.
++Subordinates may have their own storage, provided it is on its own partition.
++
++Configuration stanzas::
++
++  volume-ephemeral:
++    type: boolean
++    default: true
++    description: >
++      If false, a volume is mounted as sepecified in "volume-map"
++      If true, ephemeral storage will be used, meaning that log data
++         will only exist as long as the machine. YOU HAVE BEEN WARNED.
++  volume-map:
++    type: string
++    default: {}
++    description: >
++      YAML map of units to device names, e.g:
++        "{ rsyslog/0: /dev/vdb, rsyslog/1: /dev/vdb }"
++      Service units will raise a configure-error if volume-ephemeral
++      is 'true' and no volume-map value is set. Use 'juju set' to set a
++      value and 'juju resolved' to complete configuration.
++
++Usage::
++
++    from charmsupport.volumes import configure_volume, VolumeConfigurationError
++    from charmsupport.hookenv import log, ERROR
++    def post_mount_hook():
++        stop_service('myservice')
++    def post_mount_hook():
++        start_service('myservice')
++
++    if __name__ == '__main__':
++        try:
++            configure_volume(before_change=pre_mount_hook,
++                             after_change=post_mount_hook)
++        except VolumeConfigurationError:
++            log('Storage could not be configured', ERROR)
++
++'''
++
++# XXX: Known limitations
++# - fstab is neither consulted nor updated
++
++import os
++from charmhelpers.core import hookenv
++from charmhelpers.core import host
++import yaml
++
++
++MOUNT_BASE = '/srv/juju/volumes'
++
++
++class VolumeConfigurationError(Exception):
++    '''Volume configuration data is missing or invalid'''
++    pass
++
++
++def get_config():
++    '''Gather and sanity-check volume configuration data'''
++    volume_config = {}
++    config = hookenv.config()
++
++    errors = False
++
++    if config.get('volume-ephemeral') in (True, 'True', 'true', 'Yes', 'yes'):
++        volume_config['ephemeral'] = True
++    else:
++        volume_config['ephemeral'] = False
++
++    try:
++        volume_map = yaml.safe_load(config.get('volume-map', '{}'))
++    except yaml.YAMLError as e:
++        hookenv.log("Error parsing YAML volume-map: {}".format(e),
++                    hookenv.ERROR)
++        errors = True
++    if volume_map is None:
++        # probably an empty string
++        volume_map = {}
++    elif not isinstance(volume_map, dict):
++        hookenv.log("Volume-map should be a dictionary, not {}".format(
++            type(volume_map)))
++        errors = True
++
++    volume_config['device'] = volume_map.get(os.environ['JUJU_UNIT_NAME'])
++    if volume_config['device'] and volume_config['ephemeral']:
++        # asked for ephemeral storage but also defined a volume ID
++        hookenv.log('A volume is defined for this unit, but ephemeral '
++                    'storage was requested', hookenv.ERROR)
++        errors = True
++    elif not volume_config['device'] and not volume_config['ephemeral']:
++        # asked for permanent storage but did not define volume ID
++        hookenv.log('Ephemeral storage was requested, but there is no volume '
++                    'defined for this unit.', hookenv.ERROR)
++        errors = True
++
++    unit_mount_name = hookenv.local_unit().replace('/', '-')
++    volume_config['mountpoint'] = os.path.join(MOUNT_BASE, unit_mount_name)
++
++    if errors:
++        return None
++    return volume_config
++
++
++def mount_volume(config):
++    if os.path.exists(config['mountpoint']):
++        if not os.path.isdir(config['mountpoint']):
++            hookenv.log('Not a directory: {}'.format(config['mountpoint']))
++            raise VolumeConfigurationError()
++    else:
++        host.mkdir(config['mountpoint'])
++    if os.path.ismount(config['mountpoint']):
++        unmount_volume(config)
++    if not host.mount(config['device'], config['mountpoint'], persist=True):
++        raise VolumeConfigurationError()
++
++
++def unmount_volume(config):
++    if os.path.ismount(config['mountpoint']):
++        if not host.umount(config['mountpoint'], persist=True):
++            raise VolumeConfigurationError()
++
++
++def managed_mounts():
++    '''List of all mounted managed volumes'''
++    return filter(lambda mount: mount[0].startswith(MOUNT_BASE), host.mounts())
++
++
++def configure_volume(before_change=lambda: None, after_change=lambda: None):
++    '''Set up storage (or don't) according to the charm's volume configuration.
++       Returns the mount point or "ephemeral". before_change and after_change
++       are optional functions to be called if the volume configuration changes.
++    '''
++
++    config = get_config()
++    if not config:
++        hookenv.log('Failed to read volume configuration', hookenv.CRITICAL)
++        raise VolumeConfigurationError()
++
++    if config['ephemeral']:
++        if os.path.ismount(config['mountpoint']):
++            before_change()
++            unmount_volume(config)
++            after_change()
++        return 'ephemeral'
++    else:
++        # persistent storage
++        if os.path.ismount(config['mountpoint']):
++            mounts = dict(managed_mounts())
++            if mounts.get(config['mountpoint']) != config['device']:
++                before_change()
++                unmount_volume(config)
++                mount_volume(config)
++                after_change()
++        else:
++            before_change()
++            mount_volume(config)
++            after_change()
++        return config['mountpoint']
 === added directory 'charmhelpers/contrib/hahelpers'
 === added file 'charmhelpers/contrib/hahelpers/__init__.py'
 --- charmhelpers/contrib/hahelpers/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/hahelpers/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'charmhelpers/contrib/hahelpers/apache.py'
 --- charmhelpers/contrib/hahelpers/apache.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/hahelpers/apache.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,82 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++#  James Page <james.page@ubuntu.com>
++#  Adam Gandelman <adamg@ubuntu.com>
++#
++
++import subprocess
++
++from charmhelpers.core.hookenv import (
++    config as config_get,
++    relation_get,
++    relation_ids,
++    related_units as relation_list,
++    log,
++    INFO,
++)
++
++
++def get_cert(cn=None):
++    # TODO: deal with multiple https endpoints via charm config
++    cert = config_get('ssl_cert')
++    key = config_get('ssl_key')
++    if not (cert and key):
++        log("Inspecting identity-service relations for SSL certificate.",
++            level=INFO)
++        cert = key = None
++        if cn:
++            ssl_cert_attr = 'ssl_cert_{}'.format(cn)
++            ssl_key_attr = 'ssl_key_{}'.format(cn)
++        else:
++            ssl_cert_attr = 'ssl_cert'
++            ssl_key_attr = 'ssl_key'
++        for r_id in relation_ids('identity-service'):
++            for unit in relation_list(r_id):
++                if not cert:
++                    cert = relation_get(ssl_cert_attr,
++                                        rid=r_id, unit=unit)
++                if not key:
++                    key = relation_get(ssl_key_attr,
++                                       rid=r_id, unit=unit)
++    return (cert, key)
++
++
++def get_ca_cert():
++    ca_cert = config_get('ssl_ca')
++    if ca_cert is None:
++        log("Inspecting identity-service relations for CA SSL certificate.",
++            level=INFO)
++        for r_id in relation_ids('identity-service'):
++            for unit in relation_list(r_id):
++                if ca_cert is None:
++                    ca_cert = relation_get('ca_cert',
++                                           rid=r_id, unit=unit)
++    return ca_cert
++
++
++def install_ca_cert(ca_cert):
++    if ca_cert:
++        with open('/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
++                  'w') as crt:
++            crt.write(ca_cert)
++        subprocess.check_call(['update-ca-certificates', '--fresh'])
 === added file 'charmhelpers/contrib/hahelpers/cluster.py'
 --- charmhelpers/contrib/hahelpers/cluster.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/hahelpers/cluster.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,316 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++#
++# Copyright 2012 Canonical Ltd.
++#
++# Authors:
++#  James Page <james.page@ubuntu.com>
++#  Adam Gandelman <adamg@ubuntu.com>
++#
++
++"""
++Helpers for clustering and determining "cluster leadership" and other
++clustering-related helpers.
++"""
++
++import subprocess
++import os
++
++from socket import gethostname as get_unit_hostname
++
++import six
++
++from charmhelpers.core.hookenv import (
++    log,
++    relation_ids,
++    related_units as relation_list,
++    relation_get,
++    config as config_get,
++    INFO,
++    ERROR,
++    WARNING,
++    unit_get,
++    is_leader as juju_is_leader
++)
++from charmhelpers.core.decorators import (
++    retry_on_exception,
++)
++from charmhelpers.core.strutils import (
++    bool_from_string,
++)
++
++DC_RESOURCE_NAME = 'DC'
++
++
++class HAIncompleteConfig(Exception):
++    pass
++
++
++class CRMResourceNotFound(Exception):
++    pass
++
++
++class CRMDCNotFound(Exception):
++    pass
++
++
++def is_elected_leader(resource):
++    """
++    Returns True if the charm executing this is the elected cluster leader.
++
++    It relies on two mechanisms to determine leadership:
++        1. If juju is sufficiently new and leadership election is supported,
++        the is_leader command will be used.
++        2. If the charm is part of a corosync cluster, call corosync to
++        determine leadership.
++        3. If the charm is not part of a corosync cluster, the leader is
++        determined as being "the alive unit with the lowest unit numer". In
++        other words, the oldest surviving unit.
++    """
++    try:
++        return juju_is_leader()
++    except NotImplementedError:
++        log('Juju leadership election feature not enabled'
++            ', using fallback support',
++            level=WARNING)
++
++    if is_clustered():
++        if not is_crm_leader(resource):
++            log('Deferring action to CRM leader.', level=INFO)
++            return False
++    else:
++        peers = peer_units()
++        if peers and not oldest_peer(peers):
++            log('Deferring action to oldest service unit.', level=INFO)
++            return False
++    return True
++
++
++def is_clustered():
++    for r_id in (relation_ids('ha') or []):
++        for unit in (relation_list(r_id) or []):
++            clustered = relation_get('clustered',
++                                     rid=r_id,
++                                     unit=unit)
++            if clustered:
++                return True
++    return False
++
++
++def is_crm_dc():
++    """
++    Determine leadership by querying the pacemaker Designated Controller
++    """
++    cmd = ['crm', 'status']
++    try:
++        status = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        if not isinstance(status, six.text_type):
++            status = six.text_type(status, "utf-8")
++    except subprocess.CalledProcessError as ex:
++        raise CRMDCNotFound(str(ex))
++
++    current_dc = ''
++    for line in status.split('\n'):
++        if line.startswith('Current DC'):
++            # Current DC: juju-lytrusty-machine-2 (168108163) - partition with quorum
++            current_dc = line.split(':')[1].split()[0]
++    if current_dc == get_unit_hostname():
++        return True
++    elif current_dc == 'NONE':
++        raise CRMDCNotFound('Current DC: NONE')
++
++    return False
++
++
++@retry_on_exception(5, base_delay=2,
++                    exc_type=(CRMResourceNotFound, CRMDCNotFound))
++def is_crm_leader(resource, retry=False):
++    """
++    Returns True if the charm calling this is the elected corosync leader,
++    as returned by calling the external "crm" command.
++
++    We allow this operation to be retried to avoid the possibility of getting a
++    false negative. See LP #1396246 for more info.
++    """
++    if resource == DC_RESOURCE_NAME:
++        return is_crm_dc()
++    cmd = ['crm', 'resource', 'show', resource]
++    try:
++        status = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        if not isinstance(status, six.text_type):
++            status = six.text_type(status, "utf-8")
++    except subprocess.CalledProcessError:
++        status = None
++
++    if status and get_unit_hostname() in status:
++        return True
++
++    if status and "resource %s is NOT running" % (resource) in status:
++        raise CRMResourceNotFound("CRM resource %s not found" % (resource))
++
++    return False
++
++
++def is_leader(resource):
++    log("is_leader is deprecated. Please consider using is_crm_leader "
++        "instead.", level=WARNING)
++    return is_crm_leader(resource)
++
++
++def peer_units(peer_relation="cluster"):
++    peers = []
++    for r_id in (relation_ids(peer_relation) or []):
++        for unit in (relation_list(r_id) or []):
++            peers.append(unit)
++    return peers
++
++
++def peer_ips(peer_relation='cluster', addr_key='private-address'):
++    '''Return a dict of peers and their private-address'''
++    peers = {}
++    for r_id in relation_ids(peer_relation):
++        for unit in relation_list(r_id):
++            peers[unit] = relation_get(addr_key, rid=r_id, unit=unit)
++    return peers
++
++
++def oldest_peer(peers):
++    """Determines who the oldest peer is by comparing unit numbers."""
++    local_unit_no = int(os.getenv('JUJU_UNIT_NAME').split('/')[1])
++    for peer in peers:
++        remote_unit_no = int(peer.split('/')[1])
++        if remote_unit_no < local_unit_no:
++            return False
++    return True
++
++
++def eligible_leader(resource):
++    log("eligible_leader is deprecated. Please consider using "
++        "is_elected_leader instead.", level=WARNING)
++    return is_elected_leader(resource)
++
++
++def https():
++    '''
++    Determines whether enough data has been provided in configuration
++    or relation data to configure HTTPS
++    .
++    returns: boolean
++    '''
++    use_https = config_get('use-https')
++    if use_https and bool_from_string(use_https):
++        return True
++    if config_get('ssl_cert') and config_get('ssl_key'):
++        return True
++    for r_id in relation_ids('identity-service'):
++        for unit in relation_list(r_id):
++            # TODO - needs fixing for new helper as ssl_cert/key suffixes with CN
++            rel_state = [
++                relation_get('https_keystone', rid=r_id, unit=unit),
++                relation_get('ca_cert', rid=r_id, unit=unit),
++            ]
++            # NOTE: works around (LP: #1203241)
++            if (None not in rel_state) and ('' not in rel_state):
++                return True
++    return False
++
++
++def determine_api_port(public_port, singlenode_mode=False):
++    '''
++    Determine correct API server listening port based on
++    existence of HTTPS reverse proxy and/or haproxy.
++
++    public_port: int: standard public port for given service
++
++    singlenode_mode: boolean: Shuffle ports when only a single unit is present
++
++    returns: int: the correct listening port for the API service
++    '''
++    i = 0
++    if singlenode_mode:
++        i += 1
++    elif len(peer_units()) > 0 or is_clustered():
++        i += 1
++    if https():
++        i += 1
++    return public_port - (i * 10)
++
++
++def determine_apache_port(public_port, singlenode_mode=False):
++    '''
++    Description: Determine correct apache listening port based on public IP +
++    state of the cluster.
++
++    public_port: int: standard public port for given service
++
++    singlenode_mode: boolean: Shuffle ports when only a single unit is present
++
++    returns: int: the correct listening port for the HAProxy service
++    '''
++    i = 0
++    if singlenode_mode:
++        i += 1
++    elif len(peer_units()) > 0 or is_clustered():
++        i += 1
++    return public_port - (i * 10)
++
++
++def get_hacluster_config(exclude_keys=None):
++    '''
++    Obtains all relevant configuration from charm configuration required
++    for initiating a relation to hacluster:
++
++        ha-bindiface, ha-mcastport, vip
++
++    param: exclude_keys: list of setting key(s) to be excluded.
++    returns: dict: A dict containing settings keyed by setting name.
++    raises: HAIncompleteConfig if settings are missing.
++    '''
++    settings = ['ha-bindiface', 'ha-mcastport', 'vip']
++    conf = {}
++    for setting in settings:
++        if exclude_keys and setting in exclude_keys:
++            continue
++
++        conf[setting] = config_get(setting)
++    missing = []
++    [missing.append(s) for s, v in six.iteritems(conf) if v is None]
++    if missing:
++        log('Insufficient config data to configure hacluster.', level=ERROR)
++        raise HAIncompleteConfig
++    return conf
++
++
++def canonical_url(configs, vip_setting='vip'):
++    '''
++    Returns the correct HTTP URL to this host given the state of HTTPS
++    configuration and hacluster.
++
++    :configs    : OSTemplateRenderer: A config tempating object to inspect for
++                                      a complete https context.
++
++    :vip_setting:                str: Setting in charm config that specifies
++                                      VIP address.
++    '''
++    scheme = 'http'
++    if 'https' in configs.complete_contexts():
++        scheme = 'https'
++    if is_clustered():
++        addr = config_get(vip_setting)
++    else:
++        addr = unit_get('private-address')
++    return '%s://%s' % (scheme, addr)
 === added directory 'charmhelpers/contrib/network'
 === added file 'charmhelpers/contrib/network/__init__.py'
 --- charmhelpers/contrib/network/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/network/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'charmhelpers/contrib/network/ip.py'
 --- charmhelpers/contrib/network/ip.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/network/ip.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,458 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import glob
++import re
++import subprocess
++import six
++import socket
++
++from functools import partial
++
++from charmhelpers.core.hookenv import unit_get
++from charmhelpers.fetch import apt_install, apt_update
++from charmhelpers.core.hookenv import (
++    log,
++    WARNING,
++)
++
++try:
++    import netifaces
++except ImportError:
++    apt_update(fatal=True)
++    apt_install('python-netifaces', fatal=True)
++    import netifaces
++
++try:
++    import netaddr
++except ImportError:
++    apt_update(fatal=True)
++    apt_install('python-netaddr', fatal=True)
++    import netaddr
++
++
++def _validate_cidr(network):
++    try:
++        netaddr.IPNetwork(network)
++    except (netaddr.core.AddrFormatError, ValueError):
++        raise ValueError("Network (%s) is not in CIDR presentation format" %
++                         network)
++
++
++def no_ip_found_error_out(network):
++    errmsg = ("No IP address found in network(s): %s" % network)
++    raise ValueError(errmsg)
++
++
++def get_address_in_network(network, fallback=None, fatal=False):
++    """Get an IPv4 or IPv6 address within the network from the host.
++
++    :param network (str): CIDR presentation format. For example,
++        '192.168.1.0/24'. Supports multiple networks as a space-delimited list.
++    :param fallback (str): If no address is found, return fallback.
++    :param fatal (boolean): If no address is found, fallback is not
++        set and fatal is True then exit(1).
++    """
++    if network is None:
++        if fallback is not None:
++            return fallback
++
++        if fatal:
++            no_ip_found_error_out(network)
++        else:
++            return None
++
++    networks = network.split() or [network]
++    for network in networks:
++        _validate_cidr(network)
++        network = netaddr.IPNetwork(network)
++        for iface in netifaces.interfaces():
++            addresses = netifaces.ifaddresses(iface)
++            if network.version == 4 and netifaces.AF_INET in addresses:
++                addr = addresses[netifaces.AF_INET][0]['addr']
++                netmask = addresses[netifaces.AF_INET][0]['netmask']
++                cidr = netaddr.IPNetwork("%s/%s" % (addr, netmask))
++                if cidr in network:
++                    return str(cidr.ip)
++
++            if network.version == 6 and netifaces.AF_INET6 in addresses:
++                for addr in addresses[netifaces.AF_INET6]:
++                    if not addr['addr'].startswith('fe80'):
++                        cidr = netaddr.IPNetwork("%s/%s" % (addr['addr'],
++                                                            addr['netmask']))
++                        if cidr in network:
++                            return str(cidr.ip)
++
++    if fallback is not None:
++        return fallback
++
++    if fatal:
++        no_ip_found_error_out(network)
++
++    return None
++
++
++def is_ipv6(address):
++    """Determine whether provided address is IPv6 or not."""
++    try:
++        address = netaddr.IPAddress(address)
++    except netaddr.AddrFormatError:
++        # probably a hostname - so not an address at all!
++        return False
++
++    return address.version == 6
++
++
++def is_address_in_network(network, address):
++    """
++    Determine whether the provided address is within a network range.
++
++    :param network (str): CIDR presentation format. For example,
++        '192.168.1.0/24'.
++    :param address: An individual IPv4 or IPv6 address without a net
++        mask or subnet prefix. For example, '192.168.1.1'.
++    :returns boolean: Flag indicating whether address is in network.
++    """
++    try:
++        network = netaddr.IPNetwork(network)
++    except (netaddr.core.AddrFormatError, ValueError):
++        raise ValueError("Network (%s) is not in CIDR presentation format" %
++                         network)
++
++    try:
++        address = netaddr.IPAddress(address)
++    except (netaddr.core.AddrFormatError, ValueError):
++        raise ValueError("Address (%s) is not in correct presentation format" %
++                         address)
++
++    if address in network:
++        return True
++    else:
++        return False
++
++
++def _get_for_address(address, key):
++    """Retrieve an attribute of or the physical interface that
++    the IP address provided could be bound to.
++
++    :param address (str): An individual IPv4 or IPv6 address without a net
++        mask or subnet prefix. For example, '192.168.1.1'.
++    :param key: 'iface' for the physical interface name or an attribute
++        of the configured interface, for example 'netmask'.
++    :returns str: Requested attribute or None if address is not bindable.
++    """
++    address = netaddr.IPAddress(address)
++    for iface in netifaces.interfaces():
++        addresses = netifaces.ifaddresses(iface)
++        if address.version == 4 and netifaces.AF_INET in addresses:
++            addr = addresses[netifaces.AF_INET][0]['addr']
++            netmask = addresses[netifaces.AF_INET][0]['netmask']
++            network = netaddr.IPNetwork("%s/%s" % (addr, netmask))
++            cidr = network.cidr
++            if address in cidr:
++                if key == 'iface':
++                    return iface
++                else:
++                    return addresses[netifaces.AF_INET][0][key]
++
++        if address.version == 6 and netifaces.AF_INET6 in addresses:
++            for addr in addresses[netifaces.AF_INET6]:
++                if not addr['addr'].startswith('fe80'):
++                    network = netaddr.IPNetwork("%s/%s" % (addr['addr'],
++                                                           addr['netmask']))
++                    cidr = network.cidr
++                    if address in cidr:
++                        if key == 'iface':
++                            return iface
++                        elif key == 'netmask' and cidr:
++                            return str(cidr).split('/')[1]
++                        else:
++                            return addr[key]
++
++    return None
++
++
++get_iface_for_address = partial(_get_for_address, key='iface')
++
++
++get_netmask_for_address = partial(_get_for_address, key='netmask')
++
++
++def format_ipv6_addr(address):
++    """If address is IPv6, wrap it in '[]' otherwise return None.
++
++    This is required by most configuration files when specifying IPv6
++    addresses.
++    """
++    if is_ipv6(address):
++        return "[%s]" % address
++
++    return None
++
++
++def get_iface_addr(iface='eth0', inet_type='AF_INET', inc_aliases=False,
++                   fatal=True, exc_list=None):
++    """Return the assigned IP address for a given interface, if any."""
++    # Extract nic if passed /dev/ethX
++    if '/' in iface:
++        iface = iface.split('/')[-1]
++
++    if not exc_list:
++        exc_list = []
++
++    try:
++        inet_num = getattr(netifaces, inet_type)
++    except AttributeError:
++        raise Exception("Unknown inet type '%s'" % str(inet_type))
++
++    interfaces = netifaces.interfaces()
++    if inc_aliases:
++        ifaces = []
++        for _iface in interfaces:
++            if iface == _iface or _iface.split(':')[0] == iface:
++                ifaces.append(_iface)
++
++        if fatal and not ifaces:
++            raise Exception("Invalid interface '%s'" % iface)
++
++        ifaces.sort()
++    else:
++        if iface not in interfaces:
++            if fatal:
++                raise Exception("Interface '%s' not found " % (iface))
++            else:
++                return []
++
++        else:
++            ifaces = [iface]
++
++    addresses = []
++    for netiface in ifaces:
++        net_info = netifaces.ifaddresses(netiface)
++        if inet_num in net_info:
++            for entry in net_info[inet_num]:
++                if 'addr' in entry and entry['addr'] not in exc_list:
++                    addresses.append(entry['addr'])
++
++    if fatal and not addresses:
++        raise Exception("Interface '%s' doesn't have any %s addresses." %
++                        (iface, inet_type))
++
++    return sorted(addresses)
++
++
++get_ipv4_addr = partial(get_iface_addr, inet_type='AF_INET')
++
++
++def get_iface_from_addr(addr):
++    """Work out on which interface the provided address is configured."""
++    for iface in netifaces.interfaces():
++        addresses = netifaces.ifaddresses(iface)
++        for inet_type in addresses:
++            for _addr in addresses[inet_type]:
++                _addr = _addr['addr']
++                # link local
++                ll_key = re.compile("(.+)%.*")
++                raw = re.match(ll_key, _addr)
++                if raw:
++                    _addr = raw.group(1)
++
++                if _addr == addr:
++                    log("Address '%s' is configured on iface '%s'" %
++                        (addr, iface))
++                    return iface
++
++    msg = "Unable to infer net iface on which '%s' is configured" % (addr)
++    raise Exception(msg)
++
++
++def sniff_iface(f):
++    """Ensure decorated function is called with a value for iface.
++
++    If no iface provided, inject net iface inferred from unit private address.
++    """
++    def iface_sniffer(*args, **kwargs):
++        if not kwargs.get('iface', None):
++            kwargs['iface'] = get_iface_from_addr(unit_get('private-address'))
++
++        return f(*args, **kwargs)
++
++    return iface_sniffer
++
++
++@sniff_iface
++def get_ipv6_addr(iface=None, inc_aliases=False, fatal=True, exc_list=None,
++                  dynamic_only=True):
++    """Get assigned IPv6 address for a given interface.
++
++    Returns list of addresses found. If no address found, returns empty list.
++
++    If iface is None, we infer the current primary interface by doing a reverse
++    lookup on the unit private-address.
++
++    We currently only support scope global IPv6 addresses i.e. non-temporary
++    addresses. If no global IPv6 address is found, return the first one found
++    in the ipv6 address list.
++    """
++    addresses = get_iface_addr(iface=iface, inet_type='AF_INET6',
++                               inc_aliases=inc_aliases, fatal=fatal,
++                               exc_list=exc_list)
++
++    if addresses:
++        global_addrs = []
++        for addr in addresses:
++            key_scope_link_local = re.compile("^fe80::..(.+)%(.+)")
++            m = re.match(key_scope_link_local, addr)
++            if m:
++                eui_64_mac = m.group(1)
++                iface = m.group(2)
++            else:
++                global_addrs.append(addr)
++
++        if global_addrs:
++            # Make sure any found global addresses are not temporary
++            cmd = ['ip', 'addr', 'show', iface]
++            out = subprocess.check_output(cmd).decode('UTF-8')
++            if dynamic_only:
++                key = re.compile("inet6 (.+)/[0-9]+ scope global dynamic.*")
++            else:
++                key = re.compile("inet6 (.+)/[0-9]+ scope global.*")
++
++            addrs = []
++            for line in out.split('\n'):
++                line = line.strip()
++                m = re.match(key, line)
++                if m and 'temporary' not in line:
++                    # Return the first valid address we find
++                    for addr in global_addrs:
++                        if m.group(1) == addr:
++                            if not dynamic_only or \
++                                    m.group(1).endswith(eui_64_mac):
++                                addrs.append(addr)
++
++            if addrs:
++                return addrs
++
++    if fatal:
++        raise Exception("Interface '%s' does not have a scope global "
++                        "non-temporary ipv6 address." % iface)
++
++    return []
++
++
++def get_bridges(vnic_dir='/sys/devices/virtual/net'):
++    """Return a list of bridges on the system."""
++    b_regex = "%s/*/bridge" % vnic_dir
++    return [x.replace(vnic_dir, '').split('/')[1] for x in glob.glob(b_regex)]
++
++
++def get_bridge_nics(bridge, vnic_dir='/sys/devices/virtual/net'):
++    """Return a list of nics comprising a given bridge on the system."""
++    brif_regex = "%s/%s/brif/*" % (vnic_dir, bridge)
++    return [x.split('/')[-1] for x in glob.glob(brif_regex)]
++
++
++def is_bridge_member(nic):
++    """Check if a given nic is a member of a bridge."""
++    for bridge in get_bridges():
++        if nic in get_bridge_nics(bridge):
++            return True
++
++    return False
++
++
++def is_ip(address):
++    """
++    Returns True if address is a valid IP address.
++    """
++    try:
++        # Test to see if already an IPv4 address
++        socket.inet_aton(address)
++        return True
++    except socket.error:
++        return False
++
++
++def ns_query(address):
++    try:
++        import dns.resolver
++    except ImportError:
++        apt_install('python-dnspython')
++        import dns.resolver
++
++    if isinstance(address, dns.name.Name):
++        rtype = 'PTR'
++    elif isinstance(address, six.string_types):
++        rtype = 'A'
++    else:
++        return None
++
++    answers = dns.resolver.query(address, rtype)
++    if answers:
++        return str(answers[0])
++    return None
++
++
++def get_host_ip(hostname, fallback=None):
++    """
++    Resolves the IP for a given hostname, or returns
++    the input if it is already an IP.
++    """
++    if is_ip(hostname):
++        return hostname
++
++    ip_addr = ns_query(hostname)
++    if not ip_addr:
++        try:
++            ip_addr = socket.gethostbyname(hostname)
++        except:
++            log("Failed to resolve hostname '%s'" % (hostname),
++                level=WARNING)
++            return fallback
++    return ip_addr
++
++
++def get_hostname(address, fqdn=True):
++    """
++    Resolves hostname for given IP, or returns the input
++    if it is already a hostname.
++    """
++    if is_ip(address):
++        try:
++            import dns.reversename
++        except ImportError:
++            apt_install("python-dnspython")
++            import dns.reversename
++
++        rev = dns.reversename.from_address(address)
++        result = ns_query(rev)
++
++        if not result:
++            try:
++                result = socket.gethostbyaddr(address)[0]
++            except:
++                return None
++    else:
++        result = address
++
++    if fqdn:
++        # strip trailing .
++        if result.endswith('.'):
++            return result[:-1]
++        else:
++            return result
++    else:
++        return result.split('.')[0]
 === added directory 'charmhelpers/contrib/openstack'
 === added file 'charmhelpers/contrib/openstack/__init__.py'
 --- charmhelpers/contrib/openstack/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/openstack/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'charmhelpers/contrib/openstack/alternatives.py'
 --- charmhelpers/contrib/openstack/alternatives.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/openstack/alternatives.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,33 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++''' Helper for managing alternatives for file conflict resolution '''
++
++import subprocess
++import shutil
++import os
++
++
++def install_alternative(name, target, source, priority=50):
++    ''' Install alternative configuration '''
++    if (os.path.exists(target) and not os.path.islink(target)):
++        # Move existing file/directory away before installing
++        shutil.move(target, '{}.bak'.format(target))
++    cmd = [
++        'update-alternatives', '--force', '--install',
++        target, name, source, str(priority)
++    ]
++    subprocess.check_call(cmd)
 === added directory 'charmhelpers/contrib/openstack/amulet'
 === added file 'charmhelpers/contrib/openstack/amulet/__init__.py'
 --- charmhelpers/contrib/openstack/amulet/__init__.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/openstack/amulet/__init__.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'charmhelpers/contrib/openstack/amulet/deployment.py'
 --- charmhelpers/contrib/openstack/amulet/deployment.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/openstack/amulet/deployment.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,301 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import logging
++import re
++import sys
++import six
++from collections import OrderedDict
++from charmhelpers.contrib.amulet.deployment import (
++    AmuletDeployment
++)
++
++DEBUG = logging.DEBUG
++ERROR = logging.ERROR
++
++
++class OpenStackAmuletDeployment(AmuletDeployment):
++    """OpenStack amulet deployment.
++
++       This class inherits from AmuletDeployment and has additional support
++       that is specifically for use by OpenStack charms.
++       """
++
++    def __init__(self, series=None, openstack=None, source=None,
++                 stable=True, log_level=DEBUG):
++        """Initialize the deployment environment."""
++        super(OpenStackAmuletDeployment, self).__init__(series)
++        self.log = self.get_logger(level=log_level)
++        self.log.info('OpenStackAmuletDeployment:  init')
++        self.openstack = openstack
++        self.source = source
++        self.stable = stable
++        # Note(coreycb): this needs to be changed when new next branches come
++        # out.
++        self.current_next = "trusty"
++
++    def get_logger(self, name="deployment-logger", level=logging.DEBUG):
++        """Get a logger object that will log to stdout."""
++        log = logging
++        logger = log.getLogger(name)
++        fmt = log.Formatter("%(asctime)s %(funcName)s "
++                            "%(levelname)s: %(message)s")
++
++        handler = log.StreamHandler(stream=sys.stdout)
++        handler.setLevel(level)
++        handler.setFormatter(fmt)
++
++        logger.addHandler(handler)
++        logger.setLevel(level)
++
++        return logger
++
++    def _determine_branch_locations(self, other_services):
++        """Determine the branch locations for the other services.
++
++           Determine if the local branch being tested is derived from its
++           stable or next (dev) branch, and based on this, use the corresonding
++           stable or next branches for the other_services."""
++
++        self.log.info('OpenStackAmuletDeployment:  determine branch locations')
++
++        # Charms outside the lp:~openstack-charmers namespace
++        base_charms = ['mysql', 'mongodb', 'nrpe']
++
++        # Force these charms to current series even when using an older series.
++        # ie. Use trusty/nrpe even when series is precise, as the P charm
++        # does not possess the necessary external master config and hooks.
++        force_series_current = ['nrpe']
++
++        if self.series in ['precise', 'trusty']:
++            base_series = self.series
++        else:
++            base_series = self.current_next
++
++        for svc in other_services:
++            if svc['name'] in force_series_current:
++                base_series = self.current_next
++            # If a location has been explicitly set, use it
++            if svc.get('location'):
++                continue
++            if self.stable:
++                temp = 'lp:charms/{}/{}'
++                svc['location'] = temp.format(base_series,
++                                              svc['name'])
++            else:
++                if svc['name'] in base_charms:
++                    temp = 'lp:charms/{}/{}'
++                    svc['location'] = temp.format(base_series,
++                                                  svc['name'])
++                else:
++                    temp = 'lp:~openstack-charmers/charms/{}/{}/next'
++                    svc['location'] = temp.format(self.current_next,
++                                                  svc['name'])
++
++        return other_services
++
++    def _add_services(self, this_service, other_services):
++        """Add services to the deployment and set openstack-origin/source."""
++        self.log.info('OpenStackAmuletDeployment:  adding services')
++
++        other_services = self._determine_branch_locations(other_services)
++
++        super(OpenStackAmuletDeployment, self)._add_services(this_service,
++                                                             other_services)
++
++        services = other_services
++        services.append(this_service)
++
++        # Charms which should use the source config option
++        use_source = ['mysql', 'mongodb', 'rabbitmq-server', 'ceph',
++                      'ceph-osd', 'ceph-radosgw']
++
++        # Charms which can not use openstack-origin, ie. many subordinates
++        no_origin = ['cinder-ceph', 'hacluster', 'neutron-openvswitch', 'nrpe',
++                     'openvswitch-odl', 'neutron-api-odl', 'odl-controller']
++
++        if self.openstack:
++            for svc in services:
++                if svc['name'] not in use_source + no_origin:
++                    config = {'openstack-origin': self.openstack}
++                    self.d.configure(svc['name'], config)
++
++        if self.source:
++            for svc in services:
++                if svc['name'] in use_source and svc['name'] not in no_origin:
++                    config = {'source': self.source}
++                    self.d.configure(svc['name'], config)
++
++    def _configure_services(self, configs):
++        """Configure all of the services."""
++        self.log.info('OpenStackAmuletDeployment:  configure services')
++        for service, config in six.iteritems(configs):
++            self.d.configure(service, config)
++
++    def _auto_wait_for_status(self, message=None, exclude_services=None,
++                              include_only=None, timeout=1800):
++        """Wait for all units to have a specific extended status, except
++        for any defined as excluded.  Unless specified via message, any
++        status containing any case of 'ready' will be considered a match.
++
++        Examples of message usage:
++
++          Wait for all unit status to CONTAIN any case of 'ready' or 'ok':
++              message = re.compile('.*ready.*|.*ok.*', re.IGNORECASE)
++
++          Wait for all units to reach this status (exact match):
++              message = re.compile('^Unit is ready and clustered$')
++
++          Wait for all units to reach any one of these (exact match):
++              message = re.compile('Unit is ready|OK|Ready')
++
++          Wait for at least one unit to reach this status (exact match):
++              message = {'ready'}
++
++        See Amulet's sentry.wait_for_messages() for message usage detail.
++        https://github.com/juju/amulet/blob/master/amulet/sentry.py
++
++        :param message: Expected status match
++        :param exclude_services: List of juju service names to ignore,
++            not to be used in conjuction with include_only.
++        :param include_only: List of juju service names to exclusively check,
++            not to be used in conjuction with exclude_services.
++        :param timeout: Maximum time in seconds to wait for status match
++        :returns: None.  Raises if timeout is hit.
++        """
++        self.log.info('Waiting for extended status on units...')
++
++        all_services = self.d.services.keys()
++
++        if exclude_services and include_only:
++            raise ValueError('exclude_services can not be used '
++                             'with include_only')
++
++        if message:
++            if isinstance(message, re._pattern_type):
++                match = message.pattern
++            else:
++                match = message
++
++            self.log.debug('Custom extended status wait match: '
++                           '{}'.format(match))
++        else:
++            self.log.debug('Default extended status wait match:  contains '
++                           'READY (case-insensitive)')
++            message = re.compile('.*ready.*', re.IGNORECASE)
++
++        if exclude_services:
++            self.log.debug('Excluding services from extended status match: '
++                           '{}'.format(exclude_services))
++        else:
++            exclude_services = []
++
++        if include_only:
++            services = include_only
++        else:
++            services = list(set(all_services) - set(exclude_services))
++
++        self.log.debug('Waiting up to {}s for extended status on services: '
++                       '{}'.format(timeout, services))
++        service_messages = {service: message for service in services}
++        self.d.sentry.wait_for_messages(service_messages, timeout=timeout)
++        self.log.info('OK')
++
++    def _get_openstack_release(self):
++        """Get openstack release.
++
++           Return an integer representing the enum value of the openstack
++           release.
++           """
++        # Must be ordered by OpenStack release (not by Ubuntu release):
++        (self.precise_essex, self.precise_folsom, self.precise_grizzly,
++         self.precise_havana, self.precise_icehouse,
++         self.trusty_icehouse, self.trusty_juno, self.utopic_juno,
++         self.trusty_kilo, self.vivid_kilo, self.trusty_liberty,
++         self.wily_liberty, self.trusty_mitaka,
++         self.xenial_mitaka) = range(14)
++
++        releases = {
++            ('precise', None): self.precise_essex,
++            ('precise', 'cloud:precise-folsom'): self.precise_folsom,
++            ('precise', 'cloud:precise-grizzly'): self.precise_grizzly,
++            ('precise', 'cloud:precise-havana'): self.precise_havana,
++            ('precise', 'cloud:precise-icehouse'): self.precise_icehouse,
++            ('trusty', None): self.trusty_icehouse,
++            ('trusty', 'cloud:trusty-juno'): self.trusty_juno,
++            ('trusty', 'cloud:trusty-kilo'): self.trusty_kilo,
++            ('trusty', 'cloud:trusty-liberty'): self.trusty_liberty,
++            ('trusty', 'cloud:trusty-mitaka'): self.trusty_mitaka,
++            ('utopic', None): self.utopic_juno,
++            ('vivid', None): self.vivid_kilo,
++            ('wily', None): self.wily_liberty,
++            ('xenial', None): self.xenial_mitaka}
++        return releases[(self.series, self.openstack)]
++
++    def _get_openstack_release_string(self):
++        """Get openstack release string.
++
++           Return a string representing the openstack release.
++           """
++        releases = OrderedDict([
++            ('precise', 'essex'),
++            ('quantal', 'folsom'),
++            ('raring', 'grizzly'),
++            ('saucy', 'havana'),
++            ('trusty', 'icehouse'),
++            ('utopic', 'juno'),
++            ('vivid', 'kilo'),
++            ('wily', 'liberty'),
++            ('xenial', 'mitaka'),
++        ])
++        if self.openstack:
++            os_origin = self.openstack.split(':')[1]
++            return os_origin.split('%s-' % self.series)[1].split('/')[0]
++        else:
++            return releases[self.series]
++
++    def get_ceph_expected_pools(self, radosgw=False):
++        """Return a list of expected ceph pools in a ceph + cinder + glance
++        test scenario, based on OpenStack release and whether ceph radosgw
++        is flagged as present or not."""
++
++        if self._get_openstack_release() >= self.trusty_kilo:
++            # Kilo or later
++            pools = [
++                'rbd',
++                'cinder',
++                'glance'
++            ]
++        else:
++            # Juno or earlier
++            pools = [
++                'data',
++                'metadata',
++                'rbd',
++                'cinder',
++                'glance'
++            ]
++
++        if radosgw:
++            pools.extend([
++                '.rgw.root',
++                '.rgw.control',
++                '.rgw',
++                '.rgw.gc',
++                '.users.uid'
++            ])
++
++        return pools
 === added file 'charmhelpers/contrib/openstack/amulet/utils.py'
 --- charmhelpers/contrib/openstack/amulet/utils.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/openstack/amulet/utils.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,985 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import amulet
++import json
++import logging
++import os
++import re
++import six
++import time
++import urllib
++
++import cinderclient.v1.client as cinder_client
++import glanceclient.v1.client as glance_client
++import heatclient.v1.client as heat_client
++import keystoneclient.v2_0 as keystone_client
++import novaclient.v1_1.client as nova_client
++import pika
++import swiftclient
++
++from charmhelpers.contrib.amulet.utils import (
++    AmuletUtils
++)
++
++DEBUG = logging.DEBUG
++ERROR = logging.ERROR
++
++
++class OpenStackAmuletUtils(AmuletUtils):
++    """OpenStack amulet utilities.
++
++       This class inherits from AmuletUtils and has additional support
++       that is specifically for use by OpenStack charm tests.
++       """
++
++    def __init__(self, log_level=ERROR):
++        """Initialize the deployment environment."""
++        super(OpenStackAmuletUtils, self).__init__(log_level)
++
++    def validate_endpoint_data(self, endpoints, admin_port, internal_port,
++                               public_port, expected):
++        """Validate endpoint data.
++
++           Validate actual endpoint data vs expected endpoint data. The ports
++           are used to find the matching endpoint.
++           """
++        self.log.debug('Validating endpoint data...')
++        self.log.debug('actual: {}'.format(repr(endpoints)))
++        found = False
++        for ep in endpoints:
++            self.log.debug('endpoint: {}'.format(repr(ep)))
++            if (admin_port in ep.adminurl and
++                    internal_port in ep.internalurl and
++                    public_port in ep.publicurl):
++                found = True
++                actual = {'id': ep.id,
++                          'region': ep.region,
++                          'adminurl': ep.adminurl,
++                          'internalurl': ep.internalurl,
++                          'publicurl': ep.publicurl,
++                          'service_id': ep.service_id}
++                ret = self._validate_dict_data(expected, actual)
++                if ret:
++                    return 'unexpected endpoint data - {}'.format(ret)
++
++        if not found:
++            return 'endpoint not found'
++
++    def validate_svc_catalog_endpoint_data(self, expected, actual):
++        """Validate service catalog endpoint data.
++
++           Validate a list of actual service catalog endpoints vs a list of
++           expected service catalog endpoints.
++           """
++        self.log.debug('Validating service catalog endpoint data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for k, v in six.iteritems(expected):
++            if k in actual:
++                ret = self._validate_dict_data(expected[k][0], actual[k][0])
++                if ret:
++                    return self.endpoint_error(k, ret)
++            else:
++                return "endpoint {} does not exist".format(k)
++        return ret
++
++    def validate_tenant_data(self, expected, actual):
++        """Validate tenant data.
++
++           Validate a list of actual tenant data vs list of expected tenant
++           data.
++           """
++        self.log.debug('Validating tenant data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for e in expected:
++            found = False
++            for act in actual:
++                a = {'enabled': act.enabled, 'description': act.description,
++                     'name': act.name, 'id': act.id}
++                if e['name'] == a['name']:
++                    found = True
++                    ret = self._validate_dict_data(e, a)
++                    if ret:
++                        return "unexpected tenant data - {}".format(ret)
++            if not found:
++                return "tenant {} does not exist".format(e['name'])
++        return ret
++
++    def validate_role_data(self, expected, actual):
++        """Validate role data.
++
++           Validate a list of actual role data vs a list of expected role
++           data.
++           """
++        self.log.debug('Validating role data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for e in expected:
++            found = False
++            for act in actual:
++                a = {'name': act.name, 'id': act.id}
++                if e['name'] == a['name']:
++                    found = True
++                    ret = self._validate_dict_data(e, a)
++                    if ret:
++                        return "unexpected role data - {}".format(ret)
++            if not found:
++                return "role {} does not exist".format(e['name'])
++        return ret
++
++    def validate_user_data(self, expected, actual):
++        """Validate user data.
++
++           Validate a list of actual user data vs a list of expected user
++           data.
++           """
++        self.log.debug('Validating user data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for e in expected:
++            found = False
++            for act in actual:
++                a = {'enabled': act.enabled, 'name': act.name,
++                     'email': act.email, 'tenantId': act.tenantId,
++                     'id': act.id}
++                if e['name'] == a['name']:
++                    found = True
++                    ret = self._validate_dict_data(e, a)
++                    if ret:
++                        return "unexpected user data - {}".format(ret)
++            if not found:
++                return "user {} does not exist".format(e['name'])
++        return ret
++
++    def validate_flavor_data(self, expected, actual):
++        """Validate flavor data.
++
++           Validate a list of actual flavors vs a list of expected flavors.
++           """
++        self.log.debug('Validating flavor data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        act = [a.name for a in actual]
++        return self._validate_list_data(expected, act)
++
++    def tenant_exists(self, keystone, tenant):
++        """Return True if tenant exists."""
++        self.log.debug('Checking if tenant exists ({})...'.format(tenant))
++        return tenant in [t.name for t in keystone.tenants.list()]
++
++    def authenticate_cinder_admin(self, keystone_sentry, username,
++                                  password, tenant):
++        """Authenticates admin user with cinder."""
++        # NOTE(beisner): cinder python client doesn't accept tokens.
++        service_ip = \
++            keystone_sentry.relation('shared-db',
++                                     'mysql:shared-db')['private-address']
++        ept = "http://{}:5000/v2.0".format(service_ip.strip().decode('utf-8'))
++        return cinder_client.Client(username, password, tenant, ept)
++
++    def authenticate_keystone_admin(self, keystone_sentry, user, password,
++                                    tenant):
++        """Authenticates admin user with the keystone admin endpoint."""
++        self.log.debug('Authenticating keystone admin...')
++        unit = keystone_sentry
++        service_ip = unit.relation('shared-db',
++                                   'mysql:shared-db')['private-address']
++        ep = "http://{}:35357/v2.0".format(service_ip.strip().decode('utf-8'))
++        return keystone_client.Client(username=user, password=password,
++                                      tenant_name=tenant, auth_url=ep)
++
++    def authenticate_keystone_user(self, keystone, user, password, tenant):
++        """Authenticates a regular user with the keystone public endpoint."""
++        self.log.debug('Authenticating keystone user ({})...'.format(user))
++        ep = keystone.service_catalog.url_for(service_type='identity',
++                                              endpoint_type='publicURL')
++        return keystone_client.Client(username=user, password=password,
++                                      tenant_name=tenant, auth_url=ep)
++
++    def authenticate_glance_admin(self, keystone):
++        """Authenticates admin user with glance."""
++        self.log.debug('Authenticating glance admin...')
++        ep = keystone.service_catalog.url_for(service_type='image',
++                                              endpoint_type='adminURL')
++        return glance_client.Client(ep, token=keystone.auth_token)
++
++    def authenticate_heat_admin(self, keystone):
++        """Authenticates the admin user with heat."""
++        self.log.debug('Authenticating heat admin...')
++        ep = keystone.service_catalog.url_for(service_type='orchestration',
++                                              endpoint_type='publicURL')
++        return heat_client.Client(endpoint=ep, token=keystone.auth_token)
++
++    def authenticate_nova_user(self, keystone, user, password, tenant):
++        """Authenticates a regular user with nova-api."""
++        self.log.debug('Authenticating nova user ({})...'.format(user))
++        ep = keystone.service_catalog.url_for(service_type='identity',
++                                              endpoint_type='publicURL')
++        return nova_client.Client(username=user, api_key=password,
++                                  project_id=tenant, auth_url=ep)
++
++    def authenticate_swift_user(self, keystone, user, password, tenant):
++        """Authenticates a regular user with swift api."""
++        self.log.debug('Authenticating swift user ({})...'.format(user))
++        ep = keystone.service_catalog.url_for(service_type='identity',
++                                              endpoint_type='publicURL')
++        return swiftclient.Connection(authurl=ep,
++                                      user=user,
++                                      key=password,
++                                      tenant_name=tenant,
++                                      auth_version='2.0')
++
++    def create_cirros_image(self, glance, image_name):
++        """Download the latest cirros image and upload it to glance,
++        validate and return a resource pointer.
++
++        :param glance: pointer to authenticated glance connection
++        :param image_name: display name for new image
++        :returns: glance image pointer
++        """
++        self.log.debug('Creating glance cirros image '
++                       '({})...'.format(image_name))
++
++        # Download cirros image
++        http_proxy = os.getenv('AMULET_HTTP_PROXY')
++        self.log.debug('AMULET_HTTP_PROXY: {}'.format(http_proxy))
++        if http_proxy:
++            proxies = {'http': http_proxy}
++            opener = urllib.FancyURLopener(proxies)
++        else:
++            opener = urllib.FancyURLopener()
++
++        f = opener.open('http://download.cirros-cloud.net/version/released')
++        version = f.read().strip()
++        cirros_img = 'cirros-{}-x86_64-disk.img'.format(version)
++        local_path = os.path.join('tests', cirros_img)
++
++        if not os.path.exists(local_path):
++            cirros_url = 'http://{}/{}/{}'.format('download.cirros-cloud.net',
++                                                  version, cirros_img)
++            opener.retrieve(cirros_url, local_path)
++        f.close()
++
++        # Create glance image
++        with open(local_path) as f:
++            image = glance.images.create(name=image_name, is_public=True,
++                                         disk_format='qcow2',
++                                         container_format='bare', data=f)
++
++        # Wait for image to reach active status
++        img_id = image.id
++        ret = self.resource_reaches_status(glance.images, img_id,
++                                           expected_stat='active',
++                                           msg='Image status wait')
++        if not ret:
++            msg = 'Glance image failed to reach expected state.'
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Re-validate new image
++        self.log.debug('Validating image attributes...')
++        val_img_name = glance.images.get(img_id).name
++        val_img_stat = glance.images.get(img_id).status
++        val_img_pub = glance.images.get(img_id).is_public
++        val_img_cfmt = glance.images.get(img_id).container_format
++        val_img_dfmt = glance.images.get(img_id).disk_format
++        msg_attr = ('Image attributes - name:{} public:{} id:{} stat:{} '
++                    'container fmt:{} disk fmt:{}'.format(
++                        val_img_name, val_img_pub, img_id,
++                        val_img_stat, val_img_cfmt, val_img_dfmt))
++
++        if val_img_name == image_name and val_img_stat == 'active' \
++                and val_img_pub is True and val_img_cfmt == 'bare' \
++                and val_img_dfmt == 'qcow2':
++            self.log.debug(msg_attr)
++        else:
++            msg = ('Volume validation failed, {}'.format(msg_attr))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        return image
++
++    def delete_image(self, glance, image):
++        """Delete the specified image."""
++
++        # /!\ DEPRECATION WARNING
++        self.log.warn('/!\\ DEPRECATION WARNING:  use '
++                      'delete_resource instead of delete_image.')
++        self.log.debug('Deleting glance image ({})...'.format(image))
++        return self.delete_resource(glance.images, image, msg='glance image')
++
++    def create_instance(self, nova, image_name, instance_name, flavor):
++        """Create the specified instance."""
++        self.log.debug('Creating instance '
++                       '({}|{}|{})'.format(instance_name, image_name, flavor))
++        image = nova.images.find(name=image_name)
++        flavor = nova.flavors.find(name=flavor)
++        instance = nova.servers.create(name=instance_name, image=image,
++                                       flavor=flavor)
++
++        count = 1
++        status = instance.status
++        while status != 'ACTIVE' and count < 60:
++            time.sleep(3)
++            instance = nova.servers.get(instance.id)
++            status = instance.status
++            self.log.debug('instance status: {}'.format(status))
++            count += 1
++
++        if status != 'ACTIVE':
++            self.log.error('instance creation timed out')
++            return None
++
++        return instance
++
++    def delete_instance(self, nova, instance):
++        """Delete the specified instance."""
++
++        # /!\ DEPRECATION WARNING
++        self.log.warn('/!\\ DEPRECATION WARNING:  use '
++                      'delete_resource instead of delete_instance.')
++        self.log.debug('Deleting instance ({})...'.format(instance))
++        return self.delete_resource(nova.servers, instance,
++                                    msg='nova instance')
++
++    def create_or_get_keypair(self, nova, keypair_name="testkey"):
++        """Create a new keypair, or return pointer if it already exists."""
++        try:
++            _keypair = nova.keypairs.get(keypair_name)
++            self.log.debug('Keypair ({}) already exists, '
++                           'using it.'.format(keypair_name))
++            return _keypair
++        except:
++            self.log.debug('Keypair ({}) does not exist, '
++                           'creating it.'.format(keypair_name))
++
++        _keypair = nova.keypairs.create(name=keypair_name)
++        return _keypair
++
++    def create_cinder_volume(self, cinder, vol_name="demo-vol", vol_size=1,
++                             img_id=None, src_vol_id=None, snap_id=None):
++        """Create cinder volume, optionally from a glance image, OR
++        optionally as a clone of an existing volume, OR optionally
++        from a snapshot.  Wait for the new volume status to reach
++        the expected status, validate and return a resource pointer.
++
++        :param vol_name: cinder volume display name
++        :param vol_size: size in gigabytes
++        :param img_id: optional glance image id
++        :param src_vol_id: optional source volume id to clone
++        :param snap_id: optional snapshot id to use
++        :returns: cinder volume pointer
++        """
++        # Handle parameter input and avoid impossible combinations
++        if img_id and not src_vol_id and not snap_id:
++            # Create volume from image
++            self.log.debug('Creating cinder volume from glance image...')
++            bootable = 'true'
++        elif src_vol_id and not img_id and not snap_id:
++            # Clone an existing volume
++            self.log.debug('Cloning cinder volume...')
++            bootable = cinder.volumes.get(src_vol_id).bootable
++        elif snap_id and not src_vol_id and not img_id:
++            # Create volume from snapshot
++            self.log.debug('Creating cinder volume from snapshot...')
++            snap = cinder.volume_snapshots.find(id=snap_id)
++            vol_size = snap.size
++            snap_vol_id = cinder.volume_snapshots.get(snap_id).volume_id
++            bootable = cinder.volumes.get(snap_vol_id).bootable
++        elif not img_id and not src_vol_id and not snap_id:
++            # Create volume
++            self.log.debug('Creating cinder volume...')
++            bootable = 'false'
++        else:
++            # Impossible combination of parameters
++            msg = ('Invalid method use - name:{} size:{} img_id:{} '
++                   'src_vol_id:{} snap_id:{}'.format(vol_name, vol_size,
++                                                     img_id, src_vol_id,
++                                                     snap_id))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Create new volume
++        try:
++            vol_new = cinder.volumes.create(display_name=vol_name,
++                                            imageRef=img_id,
++                                            size=vol_size,
++                                            source_volid=src_vol_id,
++                                            snapshot_id=snap_id)
++            vol_id = vol_new.id
++        except Exception as e:
++            msg = 'Failed to create volume: {}'.format(e)
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Wait for volume to reach available status
++        ret = self.resource_reaches_status(cinder.volumes, vol_id,
++                                           expected_stat="available",
++                                           msg="Volume status wait")
++        if not ret:
++            msg = 'Cinder volume failed to reach expected state.'
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Re-validate new volume
++        self.log.debug('Validating volume attributes...')
++        val_vol_name = cinder.volumes.get(vol_id).display_name
++        val_vol_boot = cinder.volumes.get(vol_id).bootable
++        val_vol_stat = cinder.volumes.get(vol_id).status
++        val_vol_size = cinder.volumes.get(vol_id).size
++        msg_attr = ('Volume attributes - name:{} id:{} stat:{} boot:'
++                    '{} size:{}'.format(val_vol_name, vol_id,
++                                        val_vol_stat, val_vol_boot,
++                                        val_vol_size))
++
++        if val_vol_boot == bootable and val_vol_stat == 'available' \
++                and val_vol_name == vol_name and val_vol_size == vol_size:
++            self.log.debug(msg_attr)
++        else:
++            msg = ('Volume validation failed, {}'.format(msg_attr))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        return vol_new
++
++    def delete_resource(self, resource, resource_id,
++                        msg="resource", max_wait=120):
++        """Delete one openstack resource, such as one instance, keypair,
++        image, volume, stack, etc., and confirm deletion within max wait time.
++
++        :param resource: pointer to os resource type, ex:glance_client.images
++        :param resource_id: unique name or id for the openstack resource
++        :param msg: text to identify purpose in logging
++        :param max_wait: maximum wait time in seconds
++        :returns: True if successful, otherwise False
++        """
++        self.log.debug('Deleting OpenStack resource '
++                       '{} ({})'.format(resource_id, msg))
++        num_before = len(list(resource.list()))
++        resource.delete(resource_id)
++
++        tries = 0
++        num_after = len(list(resource.list()))
++        while num_after != (num_before - 1) and tries < (max_wait / 4):
++            self.log.debug('{} delete check: '
++                           '{} [{}:{}] {}'.format(msg, tries,
++                                                  num_before,
++                                                  num_after,
++                                                  resource_id))
++            time.sleep(4)
++            num_after = len(list(resource.list()))
++            tries += 1
++
++        self.log.debug('{}:  expected, actual count = {}, '
++                       '{}'.format(msg, num_before - 1, num_after))
++
++        if num_after == (num_before - 1):
++            return True
++        else:
++            self.log.error('{} delete timed out'.format(msg))
++            return False
++
++    def resource_reaches_status(self, resource, resource_id,
++                                expected_stat='available',
++                                msg='resource', max_wait=120):
++        """Wait for an openstack resources status to reach an
++           expected status within a specified time.  Useful to confirm that
++           nova instances, cinder vols, snapshots, glance images, heat stacks
++           and other resources eventually reach the expected status.
++
++        :param resource: pointer to os resource type, ex: heat_client.stacks
++        :param resource_id: unique id for the openstack resource
++        :param expected_stat: status to expect resource to reach
++        :param msg: text to identify purpose in logging
++        :param max_wait: maximum wait time in seconds
++        :returns: True if successful, False if status is not reached
++        """
++
++        tries = 0
++        resource_stat = resource.get(resource_id).status
++        while resource_stat != expected_stat and tries < (max_wait / 4):
++            self.log.debug('{} status check: '
++                           '{} [{}:{}] {}'.format(msg, tries,
++                                                  resource_stat,
++                                                  expected_stat,
++                                                  resource_id))
++            time.sleep(4)
++            resource_stat = resource.get(resource_id).status
++            tries += 1
++
++        self.log.debug('{}:  expected, actual status = {}, '
++                       '{}'.format(msg, resource_stat, expected_stat))
++
++        if resource_stat == expected_stat:
++            return True
++        else:
++            self.log.debug('{} never reached expected status: '
++                           '{}'.format(resource_id, expected_stat))
++            return False
++
++    def get_ceph_osd_id_cmd(self, index):
++        """Produce a shell command that will return a ceph-osd id."""
++        return ("`initctl list | grep 'ceph-osd ' | "
++                "awk 'NR=={} {{ print $2 }}' | "
++                "grep -o '[0-9]*'`".format(index + 1))
++
++    def get_ceph_pools(self, sentry_unit):
++        """Return a dict of ceph pools from a single ceph unit, with
++        pool name as keys, pool id as vals."""
++        pools = {}
++        cmd = 'sudo ceph osd lspools'
++        output, code = sentry_unit.run(cmd)
++        if code != 0:
++            msg = ('{} `{}` returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, code, output))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Example output: 0 data,1 metadata,2 rbd,3 cinder,4 glance,
++        for pool in str(output).split(','):
++            pool_id_name = pool.split(' ')
++            if len(pool_id_name) == 2:
++                pool_id = pool_id_name[0]
++                pool_name = pool_id_name[1]
++                pools[pool_name] = int(pool_id)
++
++        self.log.debug('Pools on {}: {}'.format(sentry_unit.info['unit_name'],
++                                                pools))
++        return pools
++
++    def get_ceph_df(self, sentry_unit):
++        """Return dict of ceph df json output, including ceph pool state.
++
++        :param sentry_unit: Pointer to amulet sentry instance (juju unit)
++        :returns: Dict of ceph df output
++        """
++        cmd = 'sudo ceph df --format=json'
++        output, code = sentry_unit.run(cmd)
++        if code != 0:
++            msg = ('{} `{}` returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, code, output))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++        return json.loads(output)
++
++    def get_ceph_pool_sample(self, sentry_unit, pool_id=0):
++        """Take a sample of attributes of a ceph pool, returning ceph
++        pool name, object count and disk space used for the specified
++        pool ID number.
++
++        :param sentry_unit: Pointer to amulet sentry instance (juju unit)
++        :param pool_id: Ceph pool ID
++        :returns: List of pool name, object count, kb disk space used
++        """
++        df = self.get_ceph_df(sentry_unit)
++        pool_name = df['pools'][pool_id]['name']
++        obj_count = df['pools'][pool_id]['stats']['objects']
++        kb_used = df['pools'][pool_id]['stats']['kb_used']
++        self.log.debug('Ceph {} pool (ID {}): {} objects, '
++                       '{} kb used'.format(pool_name, pool_id,
++                                           obj_count, kb_used))
++        return pool_name, obj_count, kb_used
++
++    def validate_ceph_pool_samples(self, samples, sample_type="resource pool"):
++        """Validate ceph pool samples taken over time, such as pool
++        object counts or pool kb used, before adding, after adding, and
++        after deleting items which affect those pool attributes.  The
++        2nd element is expected to be greater than the 1st; 3rd is expected
++        to be less than the 2nd.
++
++        :param samples: List containing 3 data samples
++        :param sample_type: String for logging and usage context
++        :returns: None if successful, Failure message otherwise
++        """
++        original, created, deleted = range(3)
++        if samples[created] <= samples[original] or \
++                samples[deleted] >= samples[created]:
++            return ('Ceph {} samples ({}) '
++                    'unexpected.'.format(sample_type, samples))
++        else:
++            self.log.debug('Ceph {} samples (OK): '
++                           '{}'.format(sample_type, samples))
++            return None
++
++    # rabbitmq/amqp specific helpers:
++
++    def rmq_wait_for_cluster(self, deployment, init_sleep=15, timeout=1200):
++        """Wait for rmq units extended status to show cluster readiness,
++        after an optional initial sleep period.  Initial sleep is likely
++        necessary to be effective following a config change, as status
++        message may not instantly update to non-ready."""
++
++        if init_sleep:
++            time.sleep(init_sleep)
++
++        message = re.compile('^Unit is ready and clustered$')
++        deployment._auto_wait_for_status(message=message,
++                                         timeout=timeout,
++                                         include_only=['rabbitmq-server'])
++
++    def add_rmq_test_user(self, sentry_units,
++                          username="testuser1", password="changeme"):
++        """Add a test user via the first rmq juju unit, check connection as
++        the new user against all sentry units.
++
++        :param sentry_units: list of sentry unit pointers
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :returns: None if successful.  Raise on error.
++        """
++        self.log.debug('Adding rmq user ({})...'.format(username))
++
++        # Check that user does not already exist
++        cmd_user_list = 'rabbitmqctl list_users'
++        output, _ = self.run_cmd_unit(sentry_units[0], cmd_user_list)
++        if username in output:
++            self.log.warning('User ({}) already exists, returning '
++                             'gracefully.'.format(username))
++            return
++
++        perms = '".*" ".*" ".*"'
++        cmds = ['rabbitmqctl add_user {} {}'.format(username, password),
++                'rabbitmqctl set_permissions {} {}'.format(username, perms)]
++
++        # Add user via first unit
++        for cmd in cmds:
++            output, _ = self.run_cmd_unit(sentry_units[0], cmd)
++
++        # Check connection against the other sentry_units
++        self.log.debug('Checking user connect against units...')
++        for sentry_unit in sentry_units:
++            connection = self.connect_amqp_by_unit(sentry_unit, ssl=False,
++                                                   username=username,
++                                                   password=password)
++            connection.close()
++
++    def delete_rmq_test_user(self, sentry_units, username="testuser1"):
++        """Delete a rabbitmq user via the first rmq juju unit.
++
++        :param sentry_units: list of sentry unit pointers
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :returns: None if successful or no such user.
++        """
++        self.log.debug('Deleting rmq user ({})...'.format(username))
++
++        # Check that the user exists
++        cmd_user_list = 'rabbitmqctl list_users'
++        output, _ = self.run_cmd_unit(sentry_units[0], cmd_user_list)
++
++        if username not in output:
++            self.log.warning('User ({}) does not exist, returning '
++                             'gracefully.'.format(username))
++            return
++
++        # Delete the user
++        cmd_user_del = 'rabbitmqctl delete_user {}'.format(username)
++        output, _ = self.run_cmd_unit(sentry_units[0], cmd_user_del)
++
++    def get_rmq_cluster_status(self, sentry_unit):
++        """Execute rabbitmq cluster status command on a unit and return
++        the full output.
++
++        :param unit: sentry unit
++        :returns: String containing console output of cluster status command
++        """
++        cmd = 'rabbitmqctl cluster_status'
++        output, _ = self.run_cmd_unit(sentry_unit, cmd)
++        self.log.debug('{} cluster_status:\n{}'.format(
++            sentry_unit.info['unit_name'], output))
++        return str(output)
++
++    def get_rmq_cluster_running_nodes(self, sentry_unit):
++        """Parse rabbitmqctl cluster_status output string, return list of
++        running rabbitmq cluster nodes.
++
++        :param unit: sentry unit
++        :returns: List containing node names of running nodes
++        """
++        # NOTE(beisner): rabbitmqctl cluster_status output is not
++        # json-parsable, do string chop foo, then json.loads that.
++        str_stat = self.get_rmq_cluster_status(sentry_unit)
++        if 'running_nodes' in str_stat:
++            pos_start = str_stat.find("{running_nodes,") + 15
++            pos_end = str_stat.find("]},", pos_start) + 1
++            str_run_nodes = str_stat[pos_start:pos_end].replace("'", '"')
++            run_nodes = json.loads(str_run_nodes)
++            return run_nodes
++        else:
++            return []
++
++    def validate_rmq_cluster_running_nodes(self, sentry_units):
++        """Check that all rmq unit hostnames are represented in the
++        cluster_status output of all units.
++
++        :param host_names: dict of juju unit names to host names
++        :param units: list of sentry unit pointers (all rmq units)
++        :returns: None if successful, otherwise return error message
++        """
++        host_names = self.get_unit_hostnames(sentry_units)
++        errors = []
++
++        # Query every unit for cluster_status running nodes
++        for query_unit in sentry_units:
++            query_unit_name = query_unit.info['unit_name']
++            running_nodes = self.get_rmq_cluster_running_nodes(query_unit)
++
++            # Confirm that every unit is represented in the queried unit's
++            # cluster_status running nodes output.
++            for validate_unit in sentry_units:
++                val_host_name = host_names[validate_unit.info['unit_name']]
++                val_node_name = 'rabbit@{}'.format(val_host_name)
++
++                if val_node_name not in running_nodes:
++                    errors.append('Cluster member check failed on {}: {} not '
++                                  'in {}\n'.format(query_unit_name,
++                                                   val_node_name,
++                                                   running_nodes))
++        if errors:
++            return ''.join(errors)
++
++    def rmq_ssl_is_enabled_on_unit(self, sentry_unit, port=None):
++        """Check a single juju rmq unit for ssl and port in the config file."""
++        host = sentry_unit.info['public-address']
++        unit_name = sentry_unit.info['unit_name']
++
++        conf_file = '/etc/rabbitmq/rabbitmq.config'
++        conf_contents = str(self.file_contents_safe(sentry_unit,
++                                                    conf_file, max_wait=16))
++        # Checks
++        conf_ssl = 'ssl' in conf_contents
++        conf_port = str(port) in conf_contents
++
++        # Port explicitly checked in config
++        if port and conf_port and conf_ssl:
++            self.log.debug('SSL is enabled  @{}:{} '
++                           '({})'.format(host, port, unit_name))
++            return True
++        elif port and not conf_port and conf_ssl:
++            self.log.debug('SSL is enabled @{} but not on port {} '
++                           '({})'.format(host, port, unit_name))
++            return False
++        # Port not checked (useful when checking that ssl is disabled)
++        elif not port and conf_ssl:
++            self.log.debug('SSL is enabled  @{}:{} '
++                           '({})'.format(host, port, unit_name))
++            return True
++        elif not conf_ssl:
++            self.log.debug('SSL not enabled @{}:{} '
++                           '({})'.format(host, port, unit_name))
++            return False
++        else:
++            msg = ('Unknown condition when checking SSL status @{}:{} '
++                   '({})'.format(host, port, unit_name))
++            amulet.raise_status(amulet.FAIL, msg)
++
++    def validate_rmq_ssl_enabled_units(self, sentry_units, port=None):
++        """Check that ssl is enabled on rmq juju sentry units.
++
++        :param sentry_units: list of all rmq sentry units
++        :param port: optional ssl port override to validate
++        :returns: None if successful, otherwise return error message
++        """
++        for sentry_unit in sentry_units:
++            if not self.rmq_ssl_is_enabled_on_unit(sentry_unit, port=port):
++                return ('Unexpected condition:  ssl is disabled on unit '
++                        '({})'.format(sentry_unit.info['unit_name']))
++        return None
++
++    def validate_rmq_ssl_disabled_units(self, sentry_units):
++        """Check that ssl is enabled on listed rmq juju sentry units.
++
++        :param sentry_units: list of all rmq sentry units
++        :returns: True if successful.  Raise on error.
++        """
++        for sentry_unit in sentry_units:
++            if self.rmq_ssl_is_enabled_on_unit(sentry_unit):
++                return ('Unexpected condition:  ssl is enabled on unit '
++                        '({})'.format(sentry_unit.info['unit_name']))
++        return None
++
++    def configure_rmq_ssl_on(self, sentry_units, deployment,
++                             port=None, max_wait=60):
++        """Turn ssl charm config option on, with optional non-default
++        ssl port specification.  Confirm that it is enabled on every
++        unit.
++
++        :param sentry_units: list of sentry units
++        :param deployment: amulet deployment object pointer
++        :param port: amqp port, use defaults if None
++        :param max_wait: maximum time to wait in seconds to confirm
++        :returns: None if successful.  Raise on error.
++        """
++        self.log.debug('Setting ssl charm config option:  on')
++
++        # Enable RMQ SSL
++        config = {'ssl': 'on'}
++        if port:
++            config['ssl_port'] = port
++
++        deployment.d.configure('rabbitmq-server', config)
++
++        # Wait for unit status
++        self.rmq_wait_for_cluster(deployment)
++
++        # Confirm
++        tries = 0
++        ret = self.validate_rmq_ssl_enabled_units(sentry_units, port=port)
++        while ret and tries < (max_wait / 4):
++            time.sleep(4)
++            self.log.debug('Attempt {}: {}'.format(tries, ret))
++            ret = self.validate_rmq_ssl_enabled_units(sentry_units, port=port)
++            tries += 1
++
++        if ret:
++            amulet.raise_status(amulet.FAIL, ret)
++
++    def configure_rmq_ssl_off(self, sentry_units, deployment, max_wait=60):
++        """Turn ssl charm config option off, confirm that it is disabled
++        on every unit.
++
++        :param sentry_units: list of sentry units
++        :param deployment: amulet deployment object pointer
++        :param max_wait: maximum time to wait in seconds to confirm
++        :returns: None if successful.  Raise on error.
++        """
++        self.log.debug('Setting ssl charm config option:  off')
++
++        # Disable RMQ SSL
++        config = {'ssl': 'off'}
++        deployment.d.configure('rabbitmq-server', config)
++
++        # Wait for unit status
++        self.rmq_wait_for_cluster(deployment)
++
++        # Confirm
++        tries = 0
++        ret = self.validate_rmq_ssl_disabled_units(sentry_units)
++        while ret and tries < (max_wait / 4):
++            time.sleep(4)
++            self.log.debug('Attempt {}: {}'.format(tries, ret))
++            ret = self.validate_rmq_ssl_disabled_units(sentry_units)
++            tries += 1
++
++        if ret:
++            amulet.raise_status(amulet.FAIL, ret)
++
++    def connect_amqp_by_unit(self, sentry_unit, ssl=False,
++                             port=None, fatal=True,
++                             username="testuser1", password="changeme"):
++        """Establish and return a pika amqp connection to the rabbitmq service
++        running on a rmq juju unit.
++
++        :param sentry_unit: sentry unit pointer
++        :param ssl: boolean, default to False
++        :param port: amqp port, use defaults if None
++        :param fatal: boolean, default to True (raises on connect error)
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :returns: pika amqp connection pointer or None if failed and non-fatal
++        """
++        host = sentry_unit.info['public-address']
++        unit_name = sentry_unit.info['unit_name']
++
++        # Default port logic if port is not specified
++        if ssl and not port:
++            port = 5671
++        elif not ssl and not port:
++            port = 5672
++
++        self.log.debug('Connecting to amqp on {}:{} ({}) as '
++                       '{}...'.format(host, port, unit_name, username))
++
++        try:
++            credentials = pika.PlainCredentials(username, password)
++            parameters = pika.ConnectionParameters(host=host, port=port,
++                                                   credentials=credentials,
++                                                   ssl=ssl,
++                                                   connection_attempts=3,
++                                                   retry_delay=5,
++                                                   socket_timeout=1)
++            connection = pika.BlockingConnection(parameters)
++            assert connection.server_properties['product'] == 'RabbitMQ'
++            self.log.debug('Connect OK')
++            return connection
++        except Exception as e:
++            msg = ('amqp connection failed to {}:{} as '
++                   '{} ({})'.format(host, port, username, str(e)))
++            if fatal:
++                amulet.raise_status(amulet.FAIL, msg)
++            else:
++                self.log.warn(msg)
++                return None
++
++    def publish_amqp_message_by_unit(self, sentry_unit, message,
++                                     queue="test", ssl=False,
++                                     username="testuser1",
++                                     password="changeme",
++                                     port=None):
++        """Publish an amqp message to a rmq juju unit.
++
++        :param sentry_unit: sentry unit pointer
++        :param message: amqp message string
++        :param queue: message queue, default to test
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :param ssl: boolean, default to False
++        :param port: amqp port, use defaults if None
++        :returns: None.  Raises exception if publish failed.
++        """
++        self.log.debug('Publishing message to {} queue:\n{}'.format(queue,
++                                                                    message))
++        connection = self.connect_amqp_by_unit(sentry_unit, ssl=ssl,
++                                               port=port,
++                                               username=username,
++                                               password=password)
++
++        # NOTE(beisner): extra debug here re: pika hang potential:
++        #   https://github.com/pika/pika/issues/297
++        #   https://groups.google.com/forum/#!topic/rabbitmq-users/Ja0iyfF0Szw
++        self.log.debug('Defining channel...')
++        channel = connection.channel()
++        self.log.debug('Declaring queue...')
++        channel.queue_declare(queue=queue, auto_delete=False, durable=True)
++        self.log.debug('Publishing message...')
++        channel.basic_publish(exchange='', routing_key=queue, body=message)
++        self.log.debug('Closing channel...')
++        channel.close()
++        self.log.debug('Closing connection...')
++        connection.close()
++
++    def get_amqp_message_by_unit(self, sentry_unit, queue="test",
++                                 username="testuser1",
++                                 password="changeme",
++                                 ssl=False, port=None):
++        """Get an amqp message from a rmq juju unit.
++
++        :param sentry_unit: sentry unit pointer
++        :param queue: message queue, default to test
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :param ssl: boolean, default to False
++        :param port: amqp port, use defaults if None
++        :returns: amqp message body as string.  Raise if get fails.
++        """
++        connection = self.connect_amqp_by_unit(sentry_unit, ssl=ssl,
++                                               port=port,
++                                               username=username,
++                                               password=password)
++        channel = connection.channel()
++        method_frame, _, body = channel.basic_get(queue)
++
++        if method_frame:
++            self.log.debug('Retreived message from {} queue:\n{}'.format(queue,
++                                                                         body))
++            channel.basic_ack(method_frame.delivery_tag)
++            channel.close()
++            connection.close()
++            return body
++        else:
++            msg = 'No message retrieved.'
++            amulet.raise_status(amulet.FAIL, msg)
 === added file 'charmhelpers/contrib/openstack/context.py'
 --- charmhelpers/contrib/openstack/context.py	1970-01-01 00:00:00 +0000
 +++ charmhelpers/contrib/openstack/context.py	2016-03-30 08:19:58 +0000
@@ -0,0 +1,1473 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import glob
++import json
++import os
++import re
++import time
++from base64 import b64decode
++from subprocess import check_call
++
++import six
++import yaml
++
++from charmhelpers.fetch import (
++    apt_install,
++    filter_installed_packages,
++)
++from charmhelpers.core.hookenv import (
++    config,
++    is_relation_made,
++    local_unit,
++    log,
++    relation_get,
++    relation_ids,
++    related_units,
++    relation_set,
++    unit_get,
++    unit_private_ip,
++    charm_name,
++    DEBUG,
++    INFO,
++    WARNING,
++    ERROR,
++)
++
++from charmhelpers.core.sysctl import create as sysctl_create
++from charmhelpers.core.strutils import bool_from_string
++
++from charmhelpers.core.host import (
++    get_bond_master,
++    is_phy_iface,
++    list_nics,
++    get_nic_hwaddr,
++    mkdir,
++    write_file,
++    pwgen,
++)
++from charmhelpers.contrib.hahelpers.cluster import (
++    determine_apache_port,
++    determine_api_port,
++    https,
++    is_clustered,
++)
++from charmhelpers.contrib.hahelpers.apache import (
++    get_cert,
++    get_ca_cert,
++    install_ca_cert,
++)
++from charmhelpers.contrib.openstack.neutron import (
++    neutron_plugin_attribute,
++    parse_data_port_mappings,
++)
++from charmhelpers.contrib.openstack.ip import (
++    resolve_address,
++    INTERNAL,
++)
++from charmhelpers.contrib.network.ip import (
++    get_address_in_network,
++    get_ipv4_addr,
++    get_ipv6_addr,
++    get_netmask_for_address,
++    format_ipv6_addr,
++    is_address_in_network,
++    is_bridge_member,
++)
++from charmhelpers.contrib.openstack.utils import get_host_ip
++from charmhelpers.core.unitdata import kv
++
++CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
++ADDRESS_TYPES = ['admin', 'internal', 'public']
++
++
++class OSContextError(Exception):
++    pass
++
++
++def ensure_packages(packages):
++    """Install but do not upgrade required plugin packages."""
++    required = filter_installed_packages(packages)
++    if required:
++        apt_install(required, fatal=True)
++
++
++def context_complete(ctxt):
++    _missing = []
++    for k, v in six.iteritems(ctxt):
++        if v is None or v == '':
++            _missing.append(k)
++
++    if _missing:
++        log('Missing required data: %s' % ' '.join(_missing), level=INFO)
++        return False
++
++    return True
++
++
++def config_flags_parser(config_flags):
++    """Parses config flags string into dict.
++
++    This parsing method supports a few different formats for the config
++    flag values to be parsed:
++
++      1. A string in the simple format of key=value pairs, with the possibility
++         of specifying multiple key value pairs within the same string. For
++         example, a string in the format of 'key1=value1, key2=value2' will
++         return a dict of:
++
++             {'key1': 'value1',
++              'key2': 'value2'}.
++
++      2. A string in the above format, but supporting a comma-delimited list
++         of values for the same key. For example, a string in the format of
++         'key1=value1, key2=value3,value4,value5' will return a dict of:
++
++             {'key1', 'value1',
++              'key2', 'value2,value3,value4'}
++
++      3. A string containing a colon character (:) prior to an equal
++         character (=) will be treated as yaml and parsed as such. This can be
++         used to specify more complex key value pairs. For example,
++         a string in the format of 'key1: subkey1=value1, subkey2=value2' will
++         return a dict of:
++
++             {'key1', 'subkey1=value1, subkey2=value2'}
++
++    The provided config_flags string may be a list of comma-separated values
++    which themselves may be comma-separated list of values.
++    """
++    # If we find a colon before an equals sign then treat it as yaml.
++    # Note: limit it to finding the colon first since this indicates assignment
++    # for inline yaml.
++    colon = config_flags.find(':')
++    equals = config_flags.find('=')
++    if colon > 0:
++        if colon < equals or equals < 0:
++            return yaml.safe_load(config_flags)
++
++    if config_flags.find('==') >= 0:
++        log("config_flags is not in expected format (key=value)", level=ERROR)
++        raise OSContextError
++
++    # strip the following from each value.
++    post_strippers = ' ,'
++    # we strip any leading/trailing '=' or ' ' from the string then
++    # split on '='.
++    split = config_flags.strip(' =').split('=')
++    limit = len(split)
++    flags = {}
++    for i in range(0, limit - 1):
++        current = split[i]
++        next = split[i + 1]
++        vindex = next.rfind(',')
++        if (i == limit - 2) or (vindex < 0):
++            value = next
++        else:
++            value = next[:vindex]
++
++        if i == 0:
++            key = current
++        else:
++            # if this not the first entry, expect an embedded key.
++            index = current.rfind(',')
++            if index < 0:
++                log("Invalid config value(s) at index %s" % (i), level=ERROR)
++                raise OSContextError
++            key = current[index + 1:]
++
++        # Add to collection.
++        flags[key.strip(post_strippers)] = value.rstrip(post_strippers)
++
++    return flags
++
++
++class OSContextGenerator(object):
++    """Base class for all context generators."""
++    interfaces = []
++    related = False
++    complete = False
++    missing_data = []
++
++    def __call__(self):
++        raise NotImplementedError
++
++    def context_complete(self, ctxt):
++        """Check for missing data for the required context data.
++        Set self.missing_data if it exists and return False.
++        Set self.complete if no missing data and return True.
++        """
++        # Fresh start
++        self.complete = False
++        self.missing_data = []
++        for k, v in six.iteritems(ctxt):
++            if v is None or v == '':
++                if k not in self.missing_data:
++                    self.missing_data.append(k)
++
++        if self.missing_data:
++            self.complete = False
++            log('Missing required data: %s' % ' '.join(self.missing_data), level=INFO)
++        else:
++            self.complete = True
++        return self.complete
++
++    def get_related(self):
++        """Check if any of the context interfaces have relation ids.
++        Set self.related and return True if one of the interfaces
++        has relation ids.
++        """
++        # Fresh start
++        self.related = False
++        try:
++            for interface in self.interfaces:
++                if relation_ids(interface):
++                    self.related = True
++            return self.related
++        except AttributeError as e:
++            log("{} {}"
++                "".format(self, e), 'INFO')
++            return self.related
++
++
++class SharedDBContext(OSContextGenerator):
++    interfaces = ['shared-db']
++
++    def __init__(self,
++                 database=None, user=None, relation_prefix=None, ssl_dir=None):
++        """Allows inspecting relation for settings prefixed with
++        relation_prefix. This is useful for parsing access for multiple
++        databases returned via the shared-db interface (eg, nova_password,
++        quantum_password)
++        """
++        self.relation_prefix = relation_prefix
++        self.database = database
++        self.user = user
++        self.ssl_dir = ssl_dir
++        self.rel_name = self.interfaces[0]
++
++    def __call__(self):
++        self.database = self.database or config('database')
++        self.user = self.user or config('database-user')
++        if None in [self.database, self.user]:
++            log("Could not generate shared_db context. Missing required charm "
++                "config options. (database name and user)", level=ERROR)
++            raise OSContextError
++
++        ctxt = {}
++
++        # NOTE(jamespage) if mysql charm provides a network upon which
++        # access to the database should be made, reconfigure relation
++        # with the service units local address and defer execution
++        access_network = relation_get('access-network')
++        if access_network is not None:
++            if self.relation_prefix is not None:
++                hostname_key = "{}_hostname".format(self.relation_prefix)
++            else:
++                hostname_key = "hostname"
++            access_hostname = get_address_in_network(access_network,
++                                                     unit_get('private-address'))
++            set_hostname = relation_get(attribute=hostname_key,
++                                        unit=local_unit())
++            if set_hostname != access_hostname:
++                relation_set(relation_settings={hostname_key: access_hostname})
++                return None  # Defer any further hook execution for now....
++
++        password_setting = 'password'
++        if self.relation_prefix:
++            password_setting = self.relation_prefix + '_password'
++
++        for rid in relation_ids(self.interfaces[0]):
++            self.related = True
++            for unit in related_units(rid):
++                rdata = relation_get(rid=rid, unit=unit)
++                host = rdata.get('db_host')
++                host = format_ipv6_addr(host) or host
++                ctxt = {
++                    'database_host': host,
++                    'database': self.database,
++                    'database_user': self.user,
++                    'database_password': rdata.get(password_setting),
++                    'database_type': 'mysql'
++                }
++                if self.context_complete(ctxt):
++                    db_ssl(rdata, ctxt, self.ssl_dir)
++                    return ctxt
++        return {}
++
++
++class PostgresqlDBContext(OSContextGenerator):
++    interfaces = ['pgsql-db']
++
++    def __init__(self, database=None):
++        self.database = database
++
++    def __call__(self):
++        self.database = self.database or config('database')
++        if self.database is None:
++            log('Could not generate postgresql_db context. Missing required '
++                'charm config options. (database name)', level=ERROR)
++            raise OSContextError
++
++        ctxt = {}
++        for rid in relation_ids(self.interfaces[0]):
++            self.related = True
++            for unit in related_units(rid):
++                rel_host = relation_get('host', rid=rid, unit=unit)
++                rel_user = relation_get('user', rid=rid, unit=unit)
++                rel_passwd = relation_get('password', rid=rid, unit=unit)
++                ctxt = {'database_host': rel_host,
++                        'database': self.database,
++                        'database_user': rel_user,
++                        'database_password': rel_passwd,
++                        'database_type': 'postgresql'}
++                if self.context_complete(ctxt):
++                    return ctxt
++
++        return {}
++
++
++def db_ssl(rdata, ctxt, ssl_dir):
++    if 'ssl_ca' in rdata and ssl_dir:
++        ca_path = os.path.join(ssl_dir, 'db-client.ca')
++        with open(ca_path, 'w') as fh:
++            fh.write(b64decode(rdata['ssl_ca']))
++
++        ctxt['database_ssl_ca'] = ca_path
++    elif 'ssl_ca' in rdata:
++        log("Charm not setup for ssl support but ssl ca found", level=INFO)
++        return ctxt
++
++    if 'ssl_cert' in rdata:
++        cert_path = os.path.join(
++            ssl_dir, 'db-client.cert')
++        if not os.path.exists(cert_path):
++            log("Waiting 1m for ssl client cert validity", level=INFO)
++            time.sleep(60)
++
++        with open(cert_path, 'w') as fh:
++            fh.write(b64decode(rdata['ssl_cert']))
++
++        ctxt['database_ssl_cert'] = cert_path
++        key_path = os.path.join(ssl_dir, 'db-client.key')
++        with open(key_path, 'w') as fh:
++            fh.write(b64decode(rdata['ssl_key']))
++
++        ctxt['database_ssl_key'] = key_path
++
++    return ctxt
++
++
++class IdentityServiceContext(OSContextGenerator):
++
++    def __init__(self, service=None, service_user=None, rel_name='identity-service'):
++        self.service = service
++        self.service_user = service_user
++        self.rel_name = rel_name
++        self.interfaces = [self.rel_name]
++
++    def __call__(self):
++        log('Generating template context for ' + self.rel_name, level=DEBUG)
++        ctxt = {}
++
++        if self.service and self.service_user:
++            # This is required for pki token signing if we don't want /tmp to
++            # be used.
++            cachedir = '/var/cache/%s' % (self.service)
++            if not os.path.isdir(cachedir):
++                log("Creating service cache dir %s" % (cachedir), level=DEBUG)
++                mkdir(path=cachedir, owner=self.service_user,
++                      group=self.service_user, perms=0o700)
++
++            ctxt['signing_dir'] = cachedir
++
++        for rid in relation_ids(self.rel_name):
++            self.related = True
++            for unit in related_units(rid):
++                rdata = relation_get(rid=rid, unit=unit)
++                serv_host = rdata.get('service_host')
++                serv_host = format_ipv6_addr(serv_host) or serv_host
++                auth_host = rdata.get('auth_host')
++                auth_host = format_ipv6_addr(auth_host) or auth_host
++                svc_protocol = rdata.get('service_protocol') or 'http'
++                auth_protocol = rdata.get('auth_protocol') or 'http'
++                ctxt.update({'service_port': rdata.get('service_port'),
++                             'service_host': serv_host,
++                             'auth_host': auth_host,
++                             'auth_port': rdata.get('auth_port'),
++                             'admin_tenant_name': rdata.get('service_tenant'),
++                             'admin_user': rdata.get('service_username'),
++                             'admin_password': rdata.get('service_password'),
++                             'service_protocol': svc_protocol,
++                             'auth_protocol': auth_protocol})
++
++                if self.context_complete(ctxt):
++                    # NOTE(jamespage) this is required for >= icehouse
++                    # so a missing value just indicates keystone needs
++                    # upgrading
++                    ctxt['admin_tenant_id'] = rdata.get('service_tenant_id')
++                    return ctxt
++
++        return {}
++
++
++class AMQPContext(OSContextGenerator):
++
++    def __init__(self, ssl_dir=None, rel_name='amqp', relation_prefix=None):
++        self.ssl_dir = ssl_dir
++        self.rel_name = rel_name
++        self.relation_prefix = relation_prefix
++        self.interfaces = [rel_name]
++
++    def __call__(self):
++        log('Generating template context for amqp', level=DEBUG)
++        conf = config()
++        if self.relation_prefix:
++            user_setting = '%s-rabbit-user' % (self.relation_prefix)
++            vhost_setting = '%s-rabbit-vhost' % (self.relation_prefix)
++        else:
++            user_setting = 'rabbit-user'
++            vhost_setting = 'rabbit-vhost'
++
++        try:
++            username = conf[user_setting]
++            vhost = conf[vhost_setting]
++        except KeyError as e:
++            log('Could not generate shared_db context. Missing required charm '
++                'config options: %s.' % e, level=ERROR)
++            raise OSContextError
++
++        ctxt = {}
++        for rid in relation_ids(self.rel_name):
++            ha_vip_only = False
++            self.related = True
++            for unit in related_units(rid):
++                if relation_get('clustered', rid=rid, unit=unit):
++                    ctxt['clustered'] = True
++                    vip = relation_get('vip', rid=rid, unit=unit)
++                    vip = format_ipv6_addr(vip) or vip
++                    ctxt['rabbitmq_host'] = vip
++                else:
++                    host = relation_get('private-address', rid=rid, unit=unit)
++                    host = format_ipv6_addr(host) or host
++                    ctxt['rabbitmq_host'] = host
++
++                ctxt.update({
++                    'rabbitmq_user': username,
++                    'rabbitmq_password': relation_get('password', rid=rid,
++                                                      unit=unit),
++                    'rabbitmq_virtual_host': vhost,
++                })
++
++                ssl_port = relation_get('ssl_port', rid=rid, unit=unit)
++                if ssl_port:
++                    ctxt['rabbit_ssl_port'] = ssl_port
++
++                ssl_ca = relation_get('ssl_ca', rid=rid, unit=unit)
++                if ssl_ca:
++                    ctxt['rabbit_ssl_ca'] = ssl_ca
++
++                if relation_get('ha_queues', rid=rid, unit=unit) is not None:
++                    ctxt['rabbitmq_ha_queues'] = True
++
++                ha_vip_only = relation_get('ha-vip-only',
++                                           rid=rid, unit=unit) is not None
++
++                if self.context_complete(ctxt):
++                    if 'rabbit_ssl_ca' in ctxt:
++                        if not self.ssl_dir:
++                            log("Charm not setup for ssl support but ssl ca "
++                                "found", level=INFO)
++                            break
++
++                        ca_path = os.path.join(
++                            self.ssl_dir, 'rabbit-client-ca.pem')
++                        with open(ca_path, 'w') as fh:
++                            fh.write(b64decode(ctxt['rabbit_ssl_ca']))
++                            ctxt['rabbit_ssl_ca'] = ca_path
++
++                    # Sufficient information found = break out!
++                    break
++
++            # Used for active/active rabbitmq >= grizzly
++            if (('clustered' not in ctxt or ha_vip_only) and
++                    len(related_units(rid)) > 1):
++                rabbitmq_hosts = []
++                for unit in related_units(rid):
++                    host = relation_get('private-address', rid=rid, unit=unit)
++                    host = format_ipv6_addr(host) or host
++                    rabbitmq_hosts.append(host)
++
++                ctxt['rabbitmq_hosts'] = ','.join(sorted(rabbitmq_hosts))
++
++        oslo_messaging_flags = conf.get('oslo-messaging-flags', None)
++        if oslo_messaging_flags:
++            ctxt['oslo_messaging_flags'] = config_flags_parser(
++                oslo_messaging_flags)
++
++        if not self.complete:
++            return {}
++
++        return ctxt
++
++
++class CephContext(OSContextGenerator):
++    """Generates context for /etc/ceph/ceph.conf templates."""
++    interfaces = ['ceph']
++
++    def __call__(self):
++        if not relation_ids('ceph'):
++            return {}
++
++        log('Generating template context for ceph', level=DEBUG)
++        mon_hosts = []
++        ctxt = {
++            'use_syslog': str(config('use-syslog')).lower()
++        }
++        for rid in relation_ids('ceph'):
++            for unit in related_units(rid):
++                if not ctxt.get('auth'):
++                    ctxt['auth'] = relation_get('auth', rid=rid, unit=unit)
++                if not ctxt.get('key'):
++                    ctxt['key'] = relation_get('key', rid=rid, unit=unit)
++                ceph_pub_addr = relation_get('ceph-public-address', rid=rid,
++                                             unit=unit)
++                unit_priv_addr = relation_get('private-address', rid=rid,
++                                              unit=unit)
++                ceph_addr = ceph_pub_addr or unit_priv_addr
++                ceph_addr = format_ipv6_addr(ceph_addr) or ceph_addr
++                mon_hosts.append(ceph_addr)
++
++        ctxt['mon_hosts'] = ' '.join(sorted(mon_hosts))
++
++        if not os.path.isdir('/etc/ceph'):
++            os.mkdir('/etc/ceph')
++
++        if not self.context_complete(ctxt):
++            return {}
++
++        ensure_packages(['ceph-common'])
++        return ctxt
++
++
++class HAProxyContext(OSContextGenerator):
++    """Provides half a context for the haproxy template, which describes
++    all peers to be included in the cluster.  Each charm needs to include
++    its own context generator that describes the port mapping.
++    """
++    interfaces = ['cluster']
++
++    def __init__(self, singlenode_mode=False):
++        self.singlenode_mode = singlenode_mode
++
++    def __call__(self):
++        if not relation_ids('cluster') and not self.singlenode_mode:
++            return {}
++
++        if config('prefer-ipv6'):
++            addr = get_ipv6_addr(exc_list=[config('vip')])[0]
++        else:
++            addr = get_host_ip(unit_get('private-address'))
++
++        l_unit = local_unit().replace('/', '-')
++        cluster_hosts = {}
++
++        # NOTE(jamespage): build out map of configured network endpoints
++        # and associated backends
++        for addr_type in ADDRESS_TYPES:
++            cfg_opt = 'os-{}-network'.format(addr_type)
++            laddr = get_address_in_network(config(cfg_opt))
++            if laddr:
++                netmask = get_netmask_for_address(laddr)
++                cluster_hosts[laddr] = {'network': "{}/{}".format(laddr,
++                                                                  netmask),
++                                        'backends': {l_unit: laddr}}
++                for rid in relation_ids('cluster'):
++                    for unit in related_units(rid):
++                        _laddr = relation_get('{}-address'.format(addr_type),
++                                              rid=rid, unit=unit)
++                        if _laddr:
++                            _unit = unit.replace('/', '-')
++                            cluster_hosts[laddr]['backends'][_unit] = _laddr
++
++        # NOTE(jamespage) add backend based on private address - this
++        # with either be the only backend or the fallback if no acls
++        # match in the frontend
++        cluster_hosts[addr] = {}
++        netmask = get_netmask_for_address(addr)
++        cluster_hosts[addr] = {'network': "{}/{}".format(addr, netmask),
++                               'backends': {l_unit: addr}}
++        for rid in relation_ids('cluster'):
++            for unit in related_units(rid):
++                _laddr = relation_get('private-address',
++                                      rid=rid, unit=unit)
++                if _laddr:
++                    _unit = unit.replace('/', '-')
++                    cluster_hosts[addr]['backends'][_unit] = _laddr
++
++        ctxt = {
++            'frontends': cluster_hosts,
++            'default_backend': addr
++        }
++
++        if config('haproxy-server-timeout'):
++            ctxt['haproxy_server_timeout'] = config('haproxy-server-timeout')
++
++        if config('haproxy-client-timeout'):
++            ctxt['haproxy_client_timeout'] = config('haproxy-client-timeout')
++
++        if config('haproxy-queue-timeout'):
++            ctxt['haproxy_queue_timeout'] = config('haproxy-queue-timeout')
++
++        if config('haproxy-connect-timeout'):
++            ctxt['haproxy_connect_timeout'] = config('haproxy-connect-timeout')
++
++        if config('prefer-ipv6'):
++            ctxt['ipv6'] = True
++            ctxt['local_host'] = 'ip6-localhost'
++            ctxt['haproxy_host'] = '::'
++        else:
++            ctxt['local_host'] = '127.0.0.1'
++            ctxt['haproxy_host'] = '0.0.0.0'
++
++        ctxt['stat_port'] = '8888'
++
++        db = kv()
++        ctxt['stat_password'] = db.get('stat-password')
++        if not ctxt['stat_password']:
++            ctxt['stat_password'] = db.set('stat-password',
++                                           pwgen(32))
++            db.flush()
++
++        for frontend in cluster_hosts:
++            if (len(cluster_hosts[frontend]['backends']) > 1 or
++                    self.singlenode_mode):
++                # Enable haproxy when we have enough peers.
++                log('Ensuring haproxy enabled in /etc/default/haproxy.',
++                    level=DEBUG)
++                with open('/etc/default/haproxy', 'w') as out:
++                    out.write('ENABLED=1\n')
++
++                return ctxt
++
++        log('HAProxy context is incomplete, this unit has no peers.',
++            level=INFO)
++        return {}
++
++
++class ImageServiceContext(OSContextGenerator):
++    interfaces = ['image-service']
++
++    def __call__(self):
++        """Obtains the glance API server from the image-service relation.
++        Useful in nova and cinder (currently).
++        """
++        log('Generating template context for image-service.', level=DEBUG)
++        rids = relation_ids('image-service')
++        if not rids:
++            return {}
++
++        for rid in rids:
++            for unit in related_units(rid):
++                api_server = relation_get('glance-api-server',
++                                          rid=rid, unit=unit)
++                if api_server:
++                    return {'glance_api_servers': api_server}
++
++        log("ImageService context is incomplete. Missing required relation "
++            "data.", level=INFO)
++        return {}
++
++
++class ApacheSSLContext(OSContextGenerator):
++    """Generates a context for an apache vhost configuration that configures
++    HTTPS reverse proxying for one or many endpoints.  Generated context
++    looks something like::
++
++        {
++            'namespace': 'cinder',
++            'private_address': 'iscsi.mycinderhost.com',
++            'endpoints': [(8776, 8766), (8777, 8767)]
++        }
++
++    The endpoints list consists of a tuples mapping external ports
++    to internal ports.
++    """
++    interfaces = ['https']
++
++    # charms should inherit this context and set external ports
++    # and service namespace accordingly.
++    external_ports = []
++    service_namespace = None
++
++    def enable_modules(self):
++        cmd = ['a2enmod', 'ssl', 'proxy', 'proxy_http']
++        check_call(cmd)
++
++    def configure_cert(self, cn=None):
++        ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
++        mkdir(path=ssl_dir)
++        cert, key = get_cert(cn)
++        if cn:
++            cert_filename = 'cert_{}'.format(cn)
++            key_filename = 'key_{}'.format(cn)
++        else:
++            cert_filename = 'cert'
++            key_filename = 'key'
++
++        write_file(path=os.path.join(ssl_dir, cert_filename),
++                   content=b64decode(cert))
++        write_file(path=os.path.join(ssl_dir, key_filename),
++                   content=b64decode(key))
++
++    def configure_ca(self):
++        ca_cert = get_ca_cert()
++        if ca_cert:
++            install_ca_cert(b64decode(ca_cert))
++
++    def canonical_names(self):
++        """Figure out which canonical names clients will access this service.
++        """
++        cns = []
++        for r_id in relation_ids('identity-service'):
++            for unit in related_units(r_id):
++                rdata = relation_get(rid=r_id, unit=unit)
++                for k in rdata:
++                    if k.startswith('ssl_key_'):
++                        cns.append(k.lstrip('ssl_key_'))
++
++        return sorted(list(set(cns)))
++
++    def get_network_addresses(self):
++        """For each network configured, return corresponding address and vip
++           (if available).
++
++        Returns a list of tuples of the form:
++
++            [(address_in_net_a, vip_in_net_a),
++             (address_in_net_b, vip_in_net_b),
++             ...]
++
++            or, if no vip(s) available:
++
++            [(address_in_net_a, address_in_net_a),
++             (address_in_net_b, address_in_net_b),
++             ...]
++        """
++        addresses = []
++        if config('vip'):
++            vips = config('vip').split()
++        else:
++            vips = []
++
++        for net_type in ['os-internal-network', 'os-admin-network',
++                         'os-public-network']:
++            addr = get_address_in_network(config(net_type),
++                                          unit_get('private-address'))
++            if len(vips) > 1 and is_clustered():
++                if not config(net_type):
++                    log("Multiple networks configured but net_type "
++                        "is None (%s)." % net_type, level=WARNING)
++                    continue
++
++                for vip in vips:
++                    if is_address_in_network(config(net_type), vip):
++                        addresses.append((addr, vip))
++                        break
++
++            elif is_clustered() and config('vip'):
++                addresses.append((addr, config('vip')))
++            else:
++                addresses.append((addr, addr))
++
++        return sorted(addresses)
++
++    def __call__(self):
++        if isinstance(self.external_ports, six.string_types):
++            self.external_ports = [self.external_ports]
++
++        if not self.external_ports or not https():
++            return {}
++
++        self.configure_ca()
++        self.enable_modules()
++
++        ctxt = {'namespace': self.service_namespace,
++                'endpoints': [],
++                'ext_ports': []}
++
++        cns = self.canonical_names()
++        if cns:
++            for cn in cns:
++                self.configure_cert(cn)
++        else:
++            # Expect cert/key provided in config (currently assumed that ca
++            # uses ip for cn)
++            cn = resolve_address(endpoint_type=INTERNAL)
++            self.configure_cert(cn)
++
++        addresses = self.get_network_addresses()
++        for address, endpoint in sorted(set(addresses)):
++            for api_port in self.external_ports:
++                ext_port = determine_apache_port(api_port,
++                                                 singlenode_mode=True)
++                int_port = determine_api_port(api_port, singlenode_mode=True)
++                portmap = (address, endpoint, int(ext_port), int(int_port))
++                ctxt['endpoints'].append(portmap)
++                ctxt['ext_ports'].append(int(ext_port))
++
++        ctxt['ext_ports'] = sorted(list(set(ctxt['ext_ports'])))
++        return ctxt
++
++
++class NeutronContext(OSContextGenerator):
++    interfaces = []
++
++    @property
++    def plugin(self):
++        return None
++
++    @property
++    def network_manager(self):
++        return None
++
++    @property
++    def packages(self):
++        return neutron_plugin_attribute(self.plugin, 'packages',
++                                        self.network_manager)
++
++    @property
++    def neutron_security_groups(self):
++        return None
++
++    def _ensure_packages(self):
++        for pkgs in self.packages:
++            ensure_packages(pkgs)
++
++    def _save_flag_file(self):
++        if self.network_manager == 'quantum':
++            _file = '/etc/nova/quantum_plugin.conf'
++        else:
++            _file = '/etc/nova/neutron_plugin.conf'
++
++        with open(_file, 'wb') as out:
++            out.write(self.plugin + '\n')
++
++    def ovs_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        ovs_ctxt = {'core_plugin': driver,
++                    'neutron_plugin': 'ovs',
++                    'neutron_security_groups': self.neutron_security_groups,
++                    'local_ip': unit_private_ip(),
++                    'config': config}
++
++        return ovs_ctxt
++
++    def nuage_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        nuage_ctxt = {'core_plugin': driver,
++                      'neutron_plugin': 'vsp',
++                      'neutron_security_groups': self.neutron_security_groups,
++                      'local_ip': unit_private_ip(),
++                      'config': config}
++
++        return nuage_ctxt
++
++    def nvp_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        nvp_ctxt = {'core_plugin': driver,
++                    'neutron_plugin': 'nvp',
++                    'neutron_security_groups': self.neutron_security_groups,
++                    'local_ip': unit_private_ip(),
++                    'config': config}
++
++        return nvp_ctxt
++
++    def n1kv_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        n1kv_config = neutron_plugin_attribute(self.plugin, 'config',
++                                               self.network_manager)
++        n1kv_user_config_flags = config('n1kv-config-flags')
++        restrict_policy_profiles = config('n1kv-restrict-policy-profiles')
++        n1kv_ctxt = {'core_plugin': driver,
++                     'neutron_plugin': 'n1kv',
++                     'neutron_security_groups': self.neutron_security_groups,
++                     'local_ip': unit_private_ip(),
++                     'config': n1kv_config,
++                     'vsm_ip': config('n1kv-vsm-ip'),
++                     'vsm_username': config('n1kv-vsm-username'),
++                     'vsm_password': config('n1kv-vsm-password'),
++                     'restrict_policy_profiles': restrict_policy_profiles}
++
++        if n1kv_user_config_flags:
++            flags = config_flags_parser(n1kv_user_config_flags)
++            n1kv_ctxt['user_config_flags'] = flags
++
++        return n1kv_ctxt
++
++    def calico_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        calico_ctxt = {'core_plugin': driver,
++                       'neutron_plugin': 'Calico',
++                       'neutron_security_groups': self.neutron_security_groups,
++                       'local_ip': unit_private_ip(),
++                       'config': config}
++
++        return calico_ctxt
++
++    def neutron_ctxt(self):
++        if https():
++            proto = 'https'
++        else:
++            proto = 'http'
++
++        if is_clustered():
++            host = config('vip')
++        else:
++            host = unit_get('private-address')
++
++        ctxt = {'network_manager': self.network_manager,
++                'neutron_url': '%s://%s:%s' % (proto, host, '9696')}
++        return ctxt
++
++    def pg_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        ovs_ctxt = {'core_plugin': driver,
++                    'neutron_plugin': 'plumgrid',
++                    'neutron_security_groups': self.neutron_security_groups,
++                    'local_ip': unit_private_ip(),
++                    'config': config}
++        return ovs_ctxt
++
++    def midonet_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        midonet_config = neutron_plugin_attribute(self.plugin, 'config',
++                                                  self.network_manager)
++        mido_ctxt = {'core_plugin': driver,
++                     'neutron_plugin': 'midonet',
++                     'neutron_security_groups': self.neutron_security_groups,
++                     'local_ip': unit_private_ip(),
++                     'config': midonet_config}
++
++        return mido_ctxt
++
++    def __call__(self):
++        if self.network_manager not in ['quantum', 'neutron']:
++            return {}
++
++        if not self.plugin:
++            return {}
++
++        ctxt = self.neutron_ctxt()
++
++        if self.plugin == 'ovs':
++            ctxt.update(self.ovs_ctxt())
++        elif self.plugin in ['nvp', 'nsx']:
++            ctxt.update(self.nvp_ctxt())
++        elif self.plugin == 'n1kv':
++            ctxt.update(self.n1kv_ctxt())
++        elif self.plugin == 'Calico':
++            ctxt.update(self.calico_ctxt())
++        elif self.plugin == 'vsp':
++            ctxt.update(self.nuage_ctxt())
++        elif self.plugin == 'plumgrid':
++            ctxt.update(self.pg_ctxt())
++        elif self.plugin == 'midonet':
++            ctxt.update(self.midonet_ctxt())
++
++        alchemy_flags = config('neutron-alchemy-flags')
++        if alchemy_flags:
++            flags = config_flags_parser(alchemy_flags)
++            ctxt['neutron_alchemy_flags'] = flags
++
++        self._save_flag_file()
++        return ctxt
++
++
++class NeutronPortContext(OSContextGenerator):
++
++    def resolve_ports(self, ports):
++        """Resolve NICs not yet bound to bridge(s)
++
++        If hwaddress provided then returns resolved hwaddress otherwise NIC.
++        """
++        if not ports:
++            return None
++
++        hwaddr_to_nic = {}
++        hwaddr_to_ip = {}
++        for nic in list_nics():
++            # Ignore virtual interfaces (bond masters will be identified from
++            # their slaves)
++            if not is_phy_iface(nic):
++                continue
++
++            _nic = get_bond_master(nic)
++            if _nic:
++                log("Replacing iface '%s' with bond master '%s'" % (nic, _nic),
++                    level=DEBUG)
++                nic = _nic
++
++            hwaddr = get_nic_hwaddr(nic)
++            hwaddr_to_nic[hwaddr] = nic
++            addresses = get_ipv4_addr(nic, fatal=False)
++            addresses += get_ipv6_addr(iface=nic, fatal=False)
++            hwaddr_to_ip[hwaddr] = addresses
++
++        resolved = []
++        mac_regex = re.compile(r'([0-9A-F]{2}[:-]){5}([0-9A-F]{2})', re.I)
++        for entry in ports:
++            if re.match(mac_regex, entry):
++                # NIC is in known NICs and does NOT hace an IP address
++                if entry in hwaddr_to_nic and not hwaddr_to_ip[entry]:
++                    # If the nic is part of a bridge then don't use it
++                    if is_bridge_member(hwaddr_to_nic[entry]):
++                        continue
++
++                    # Entry is a MAC address for a valid interface that doesn't
++                    # have an IP address assigned yet.
++                    resolved.append(hwaddr_to_nic[entry])
++            else:
++                # If the passed entry is not a MAC address, assume it's a valid
++                # interface, and that the user put it there on purpose (we can
++                # trust it to be the real external network).
++                resolved.append(entry)
++
++        # Ensure no duplicates
++        return list(set(resolved))
++
++
++class OSConfigFlagContext(OSContextGenerator):
++    """Provides support for user-defined config flags.
++
++    Users can define a comma-seperated list of key=value pairs
++    in the charm configuration and apply them at any point in
++    any file by using a template flag.
++
++    Sometimes users might want config flags inserted within a
++    specific section so this class allows users to specify the
++    template flag name, allowing for multiple template flags
++    (sections) within the same context.
++
++    NOTE: the value of config-flags may be a comma-separated list of
++          key=value pairs and some Openstack config files support
++          comma-separated lists as values.
++    """
++
++    def __init__(self, charm_flag='config-flags',
++                 template_flag='user_config_flags'):
++        """
++        :param charm_flag: config flags in charm configuration.
++        :param template_flag: insert point for user-defined flags in template
++                              file.
++        """
++        super(OSConfigFlagContext, self).__init__()
++        self._charm_flag = charm_flag
++        self._template_flag = template_flag
++
++    def __call__(self):
++        config_flags = config(self._charm_flag)
++        if not config_flags:
++            return {}
++
++        return {self._template_flag:
++                config_flags_parser(config_flags)}
++
++
++class LibvirtConfigFlagsContext(OSContextGenerator):
++    """
++    This context provides support for extending
++    the libvirt section through user-defined flags.
++    """
++    def __call__(self):
++        ctxt = {}
++        libvirt_flags = config('libvirt-flags')
++        if libvirt_flags:
++            ctxt['libvirt_flags'] = config_flags_parser(
++                libvirt_flags)
++        return ctxt
++
++
++class SubordinateConfigContext(OSContextGenerator):
++
++    """
++    Responsible for inspecting relations to subordinates that
++    may be exporting required config via a json blob.
++
++    The subordinate interface allows subordinates to export their
++    configuration requirements to the principle for multiple config
++    files and multiple serivces.  Ie, a subordinate that has interfaces
++    to both glance and nova may export to following yaml blob as json::
++
++        glance:
++            /etc/glance/glance-api.conf:
++                sections:
++                    DEFAULT:
++                        - [key1, value1]
++            /etc/glance/glance-registry.conf:
++                    MYSECTION:
++                        - [key2, value2]
++        nova:
++            /etc/nova/nova.conf:
++                sections:
++                    DEFAULT:
++                        - [key3, value3]
++
++
++    It is then up to the principle charms to subscribe this context to
++    the service+config file it is interestd in.  Configuration data will
++    be available in the template context, in glance's case, as::
++
++        ctxt = {
++            ... other context ...
++            'subordinate_configuration': {
++                'DEFAULT': {
++                    'key1': 'value1',
++                },
++                'MYSECTION': {
++                    'key2': 'value2',
++                },
++            }
++        }
++    """
++
++    def __init__(self, service, config_file, interface):
++        """
++        :param service     : Service name key to query in any subordinate
++                             data found
++        :param config_file : Service's config file to query sections
++        :param interface   : Subordinate interface to inspect
++        """
++        self.config_file = config_file
++        if isinstance(service, list):
++            self.services = service

Juju Charms Collectionkeystone package