Merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk into lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk

Proposed by Dmitrii Shcherbakov
Status: Merged
Merged at revision: 68
Proposed branch: lp:~dmitriis/charms/trusty/contrail-configuration/trunk
Merge into: lp:~sdn-charmers/charms/trusty/contrail-configuration/trunk
Diff against target: 655 lines (+202/-70)
4 files modified
config.yaml (+10/-0)
hooks/contrail_configuration_hooks.py (+171/-67)
hooks/contrail_configuration_utils.py (+11/-2)
templates/contrail-api.conf (+10/-1)
To merge this branch: bzr merge lp:~dmitriis/charms/trusty/contrail-configuration/trunk
Reviewer Review Type Date Requested Status
Robert Ayres (community) Approve
Ante Karamatić Pending
Review via email: mp+320826@code.launchpad.net

This proposal supersedes a proposal from 2017-03-19.

Description of the change

rbac support (rebased)

To post a comment you must log in.
Revision history for this message
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

See my comment

review: Needs Fixing
Revision history for this message
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

One more comment

review: Needs Fixing
Revision history for this message
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

I haven't investigated into detail, but with your patches contrail-analytics never populates 'api_server' in /etc/contrail/contrail-analytics-api.conf, which in turn means that contrail-analytics is not functional.

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote : Posted in a previous version of this proposal

Ante,

Not sure about api_server - no modifications for that in my MP.

https://code.launchpad.net/~dmitriis/charms/trusty/contrail-analytics/trunk/+merge/320154

Have to investigate why.

Have you tried it without my patch or just with the patch?

If not, we can try it without a patch first to figure out if I introduced a regression or not.

Revision history for this message
Bernhard Koessler (bkoessler) wrote : Posted in a previous version of this proposal

I would recommend not using multi_tenancy anymore going forward.

aaa_mode can be set to:

no-auth—No authentication is performed and full access is granted to all.
cloud-admin—Authentication is performed and only the admin role has access.
rbac—Authentication is performed and access is granted based on role.

cloud-admin would be the same behaviour as multi-tenancy=true

Revision history for this message
Ante Karamatić (ivoks) wrote : Posted in a previous version of this proposal

Right, but charms need to support older versions also.

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

Just noticed a piece of dead code for an action that we wanted to implement originally - uploaded an updated branch.

Revision history for this message
Robert Ayres (robert-ayres) wrote :

For this to get merged, please remove all the unnecessary formatting changes.

This diff should only contain the *actual* code changes.

Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :
Revision history for this message
Robert Ayres (robert-ayres) wrote :

I appreciate the lint comment, but it would be better if changes to pass lint tests were in a separate patch.

Revision history for this message
Robert Ayres (robert-ayres) wrote :

To save effort, we can just look at merging r67 here.

Revision history for this message
Robert Ayres (robert-ayres) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'config.yaml'
--- config.yaml 2017-03-10 12:49:07 +0000
+++ config.yaml 2017-03-23 15:13:02 +0000
@@ -59,3 +59,13 @@
59 type: int59 type: int
60 default: 160 default: 1
61 description: Minimum number of units required in cassandra relation61 description: Minimum number of units required in cassandra relation
62 rbac:
63 type: boolean
64 default: true
65 description: enable/disable role-based authentication - only supported in Contrail 3.2 and newer
66 cloud-admin-role:
67 type: string
68 description: A user who is assigned the cloud_admin_role has full access to everything.
69 global-read-only-role:
70 type: string
71 description: This role allows read-only access to all Contrail resources. Must be configured in keystone.
6272
=== modified file 'hooks/contrail_configuration_hooks.py'
--- hooks/contrail_configuration_hooks.py 2017-03-10 12:49:07 +0000
+++ hooks/contrail_configuration_hooks.py 2017-03-23 15:13:02 +0000
@@ -1,6 +1,5 @@
1#!/usr/bin/env python1#!/usr/bin/env python
22
3from socket import gethostbyname
4import sys3import sys
54
6from apt_pkg import version_compare5from apt_pkg import version_compare
@@ -24,7 +23,6 @@
24 relation_ids,23 relation_ids,
25 relation_set,24 relation_set,
26 remote_unit,25 remote_unit,
27 unit_get
28)26)
2927
30from charmhelpers.core.host import (28from charmhelpers.core.host import (
@@ -68,17 +66,44 @@
68 write_ifmap_config,66 write_ifmap_config,
69 write_nodemgr_config,67 write_nodemgr_config,
70 write_ssl_ca_certificate,68 write_ssl_ca_certificate,
71 write_vnc_api_config69 write_vnc_api_config,
72)70)
7371
74PACKAGES = [ "ifmap-server", "contrail-config", "contrail-config-openstack",72PACKAGES = ["ifmap-server", "contrail-config", "contrail-config-openstack",
75 "neutron-common", "contrail-utils", "contrail-nodemgr" ]73 "neutron-common", "contrail-utils", "contrail-nodemgr"]
7674
77PACKAGES_BARBICAN = [ "python-barbicanclient" ]75PACKAGES_BARBICAN = ["python-barbicanclient"]
76
77CONFIG_ROLES = ['cloud-admin-role', 'global-read-only-role']
7878
79hooks = Hooks()79hooks = Hooks()
80config = config()80config = config()
8181
82
83def get_rbac_roles():
84 rid = relation_ids("identity-admin")[0]
85 unit = related_units(rid)[0]
86 default_role = relation_get(attribute='service_tenant_name',
87 rid=rid, unit=unit)
88 rbac_roles = {}
89 for r in CONFIG_ROLES:
90 val = config.get(r)
91 rbac_roles[r] = val if val else default_role
92 return rbac_roles
93
94
95def add_rbac_settings(d):
96 rbac = config.get('rbac')
97 # update the rbac settings unconditionally
98 # we do need to signal the change of relation data
99 if rbac:
100 d['rbac'] = rbac
101 d.update(get_rbac_roles())
102 else:
103 d['rbac'] = None
104 d.update({k: None for k in CONFIG_ROLES})
105
106
82def add_contrail_api():107def add_contrail_api():
83 # check relation dependencies108 # check relation dependencies
84 if not config_get("contrail-api-configured") \109 if not config_get("contrail-api-configured") \
@@ -95,14 +120,18 @@
95 config["contrail-api-configured"] = True120 config["contrail-api-configured"] = True
96121
97 # inform relations122 # inform relations
98 settings = { "private-address": control_network_ip(),123 settings = {"private-address": control_network_ip(),
99 "port": api_port(),124 "port": api_port(),
100 "vip": config.get("vip") }125 "vip": config.get("vip")}
126
127 add_rbac_settings(settings)
128
101 for rid in relation_ids("contrail-api"):129 for rid in relation_ids("contrail-api"):
102 relation_set(relation_id=rid, relation_settings=settings)130 relation_set(relation_id=rid, relation_settings=settings)
103131
104 configure_floating_ip_pools()132 configure_floating_ip_pools()
105133
134
106def add_metadata():135def add_metadata():
107 # check relation dependencies136 # check relation dependencies
108 if is_leader() \137 if is_leader() \
@@ -112,6 +141,7 @@
112 provision_metadata()141 provision_metadata()
113 leader_set({"metadata-provisioned": True})142 leader_set({"metadata-provisioned": True})
114143
144
115@hooks.hook("amqp-relation-changed")145@hooks.hook("amqp-relation-changed")
116def amqp_changed():146def amqp_changed():
117 if not relation_get("password"):147 if not relation_get("password"):
@@ -122,6 +152,7 @@
122 add_contrail_api()152 add_contrail_api()
123 add_metadata()153 add_metadata()
124154
155
125@hooks.hook("amqp-relation-departed")156@hooks.hook("amqp-relation-departed")
126@hooks.hook("amqp-relation-broken")157@hooks.hook("amqp-relation-broken")
127def amqp_departed():158def amqp_departed():
@@ -131,10 +162,13 @@
131 config["amqp-ready"] = False162 config["amqp-ready"] = False
132 amqp_relation()163 amqp_relation()
133164
134@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],165
135 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],166@restart_on_change(
136 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],167 {
137 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})168 "/etc/contrail/contrail-api.conf": ["supervisor-config"],
169 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
170 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
171 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
138def amqp_relation():172def amqp_relation():
139 write_contrail_api_config()173 write_contrail_api_config()
140 write_contrail_svc_monitor_config()174 write_contrail_svc_monitor_config()
@@ -142,10 +176,12 @@
142 if version_compare(CONTRAIL_VERSION, "3.0") >= 0:176 if version_compare(CONTRAIL_VERSION, "3.0") >= 0:
143 write_contrail_schema_config()177 write_contrail_schema_config()
144178
179
145@hooks.hook("amqp-relation-joined")180@hooks.hook("amqp-relation-joined")
146def amqp_joined():181def amqp_joined():
147 relation_set(username="contrail", vhost="contrail")182 relation_set(username="contrail", vhost="contrail")
148183
184
149@hooks.hook("cassandra-relation-changed")185@hooks.hook("cassandra-relation-changed")
150def cassandra_changed():186def cassandra_changed():
151 # 'port' is used in legacy precise charm187 # 'port' is used in legacy precise charm
@@ -156,13 +192,15 @@
156 units = len(cassandra_units())192 units = len(cassandra_units())
157 required = config["cassandra-units"]193 required = config["cassandra-units"]
158 if units < required:194 if units < required:
159 log("{} cassandra unit(s) ready, require {} more".format(units, required - units))195 log("{} cassandra unit(s) ready, require {} more".format(
196 units, required - units))
160 return197 return
161 config["cassandra-ready"] = True198 config["cassandra-ready"] = True
162 cassandra_relation()199 cassandra_relation()
163 add_contrail_api()200 add_contrail_api()
164 add_metadata()201 add_metadata()
165202
203
166@hooks.hook("cassandra-relation-departed")204@hooks.hook("cassandra-relation-departed")
167@hooks.hook("cassandra-relation-broken")205@hooks.hook("cassandra-relation-broken")
168def cassandra_departed():206def cassandra_departed():
@@ -172,12 +210,15 @@
172 config["cassandra-ready"] = False210 config["cassandra-ready"] = False
173 cassandra_relation()211 cassandra_relation()
174212
175@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],213
176 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],214@restart_on_change(
177 "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],215 {
178 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],216 "/etc/contrail/contrail-api.conf": ["supervisor-config"],
179 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],217 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
180 "/etc/contrail/discovery.conf": ["supervisor-config"]})218 "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
219 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
220 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
221 "/etc/contrail/discovery.conf": ["supervisor-config"]})
181def cassandra_relation():222def cassandra_relation():
182 write_contrail_api_config()223 write_contrail_api_config()
183 write_contrail_schema_config()224 write_contrail_schema_config()
@@ -185,6 +226,7 @@
185 write_contrail_svc_monitor_config()226 write_contrail_svc_monitor_config()
186 write_device_manager_config()227 write_device_manager_config()
187228
229
188@hooks.hook("config-changed")230@hooks.hook("config-changed")
189def config_changed():231def config_changed():
190 write_config()232 write_config()
@@ -197,8 +239,14 @@
197239
198 ip = control_network_ip()240 ip = control_network_ip()
199 vip = config.get("vip")241 vip = config.get("vip")
200 settings = { "private-address": ip,242 settings = {"private-address": ip,
201 "vip": vip }243 "vip": vip}
244
245 # a role fetched from keystone is used as a fallback
246 # hence we have to check if this relation is established
247 if config_get("identity-admin-ready"):
248 add_rbac_settings(settings)
249
202 for rid in relation_ids("contrail-api"):250 for rid in relation_ids("contrail-api"):
203 relation_set(relation_id=rid, relation_settings=settings)251 relation_set(relation_id=rid, relation_settings=settings)
204 for rid in relation_ids("contrail-discovery"):252 for rid in relation_ids("contrail-discovery"):
@@ -217,12 +265,14 @@
217 for rid in relation_ids("http-services"):265 for rid in relation_ids("http-services"):
218 relation_set(relation_id=rid, services=services)266 relation_set(relation_id=rid, services=services)
219267
268
220def config_get(key):269def config_get(key):
221 try:270 try:
222 return config[key]271 return config[key]
223 except KeyError:272 except KeyError:
224 return None273 return None
225274
275
226def configure_control_network():276def configure_control_network():
227 # unprovision/provision configuration on 3.0.2.0+277 # unprovision/provision configuration on 3.0.2.0+
228 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:278 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
@@ -230,6 +280,7 @@
230 unprovision_configuration()280 unprovision_configuration()
231 provision_configuration()281 provision_configuration()
232282
283
233def configure_floating_ip_pools():284def configure_floating_ip_pools():
234 if is_leader():285 if is_leader():
235 floating_pools = config.get("floating-ip-pools")286 floating_pools = config.get("floating-ip-pools")
@@ -237,16 +288,19 @@
237 if floating_pools != previous_floating_pools:288 if floating_pools != previous_floating_pools:
238 # create/destroy pools, activate/deactivate projects289 # create/destroy pools, activate/deactivate projects
239 # according to new value290 # according to new value
240 pools = { (pool["project"],291 pools = {(pool["project"],
241 pool["network"],292 pool["network"],
242 pool["pool-name"]): set(pool["target-projects"])293 pool["pool-name"]): set(pool["target-projects"])
243 for pool in yaml.safe_load(floating_pools) } \294 for pool in yaml.safe_load(floating_pools)} \
244 if floating_pools else {}295 if floating_pools else {}
245 previous_pools = {}296 previous_pools = {}
246 if previous_floating_pools:297 if previous_floating_pools:
247 for pool in yaml.safe_load(previous_floating_pools):298 for pool in yaml.safe_load(previous_floating_pools):
248 projects = pool["target-projects"]299 projects = pool["target-projects"]
249 name = (pool["project"], pool["network"], pool["pool-name"])300 name = (
301 pool["project"],
302 pool["network"],
303 pool["pool-name"])
250 if name in pools:304 if name in pools:
251 previous_pools[name] = set(projects)305 previous_pools[name] = set(projects)
252 else:306 else:
@@ -255,10 +309,12 @@
255 if name not in previous_pools:309 if name not in previous_pools:
256 floating_ip_pool_create(name, projects)310 floating_ip_pool_create(name, projects)
257 else:311 else:
258 floating_ip_pool_update(name, projects, previous_pools[name])312 floating_ip_pool_update(
313 name, projects, previous_pools[name])
259314
260 leader_set({"floating-ip-pools": floating_pools})315 leader_set({"floating-ip-pools": floating_pools})
261316
317
262def configure_ssl():318def configure_ssl():
263 cert = config.get("ssl-ca")319 cert = config.get("ssl-ca")
264 if cert:320 if cert:
@@ -268,6 +324,7 @@
268 if remove_ssl_ca_certificate():324 if remove_ssl_ca_certificate():
269 service_restart("supervisor-config")325 service_restart("supervisor-config")
270326
327
271@hooks.hook("contrail-analytics-api-relation-changed")328@hooks.hook("contrail-analytics-api-relation-changed")
272def contrail_analytics_api_changed():329def contrail_analytics_api_changed():
273 if not relation_get("port"):330 if not relation_get("port"):
@@ -275,27 +332,33 @@
275 return332 return
276 contrail_analytics_api_relation()333 contrail_analytics_api_relation()
277334
335
278@hooks.hook("contrail-analytics-api-relation-departed")336@hooks.hook("contrail-analytics-api-relation-departed")
279@hooks.hook("contrail-analytics-api-relation-broken")337@hooks.hook("contrail-analytics-api-relation-broken")
280@restart_on_change({"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})338@restart_on_change(
339 {"/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
281def contrail_analytics_api_relation():340def contrail_analytics_api_relation():
282 write_contrail_svc_monitor_config()341 write_contrail_svc_monitor_config()
283342
343
284@hooks.hook("contrail-api-relation-joined")344@hooks.hook("contrail-api-relation-joined")
285def contrail_api_joined():345def contrail_api_joined():
286 if config_get("contrail-api-configured"):346 if config_get("contrail-api-configured"):
287 settings = { "private-address": control_network_ip(),347 settings = {"private-address": control_network_ip(),
288 "port": api_port(),348 "port": api_port(),
289 "vip": config.get("vip") }349 "vip": config.get("vip")}
350 add_rbac_settings(settings)
290 relation_set(relation_settings=settings)351 relation_set(relation_settings=settings)
291352
353
292@hooks.hook("contrail-discovery-relation-joined")354@hooks.hook("contrail-discovery-relation-joined")
293def contrail_discovery_joined():355def contrail_discovery_joined():
294 settings = { "private-address": control_network_ip(), 356 settings = {"private-address": control_network_ip(),
295 "port": discovery_port(),357 "port": discovery_port(),
296 "vip": config.get("vip") }358 "vip": config.get("vip")}
297 relation_set(relation_settings=settings)359 relation_set(relation_settings=settings)
298360
361
299@hooks.hook("contrail-ifmap-relation-joined")362@hooks.hook("contrail-ifmap-relation-joined")
300def contrail_ifmap_joined():363def contrail_ifmap_joined():
301 if is_leader():364 if is_leader():
@@ -303,12 +366,12 @@
303 creds = json.loads(creds) if creds else {}366 creds = json.loads(creds) if creds else {}
304367
305 # prune credentials because we can't remove them directly lp #1469731368 # prune credentials because we can't remove them directly lp #1469731
306 creds = { rid: { unit: units[unit]369 creds = {rid: {unit: units[unit]
307 for unit, units in370 for unit, units in
308 ((unit, creds[rid]) for unit in related_units(rid))371 ((unit, creds[rid]) for unit in related_units(rid))
309 if unit in units }372 if unit in units}
310 for rid in relation_ids("contrail-ifmap")373 for rid in relation_ids("contrail-ifmap")
311 if rid in creds }374 if rid in creds}
312375
313 rid = relation_id()376 rid = relation_id()
314 if rid not in creds:377 if rid not in creds:
@@ -318,12 +381,13 @@
318 if unit in cs:381 if unit in cs:
319 return382 return
320 # generate new credentials for unit383 # generate new credentials for unit
321 cs[unit] = { "username": unit, "password": pwgen(32) }384 cs[unit] = {"username": unit, "password": pwgen(32)}
322 leader_set({"ifmap-creds": json.dumps(creds)})385 leader_set({"ifmap-creds": json.dumps(creds)})
323 write_ifmap_config()386 write_ifmap_config()
324 service_restart("supervisor-config")387 service_restart("supervisor-config")
325 relation_set(creds=json.dumps(cs))388 relation_set(creds=json.dumps(cs))
326389
390
327def floating_ip_pool_create(name, projects):391def floating_ip_pool_create(name, projects):
328 # create pool392 # create pool
329 fq_network = "default-domain:" + ":".join(name[:2])393 fq_network = "default-domain:" + ":".join(name[:2])
@@ -335,6 +399,7 @@
335 fq_project = "default-domain:" + project399 fq_project = "default-domain:" + project
336 contrail_floating_ip_use(fq_project, fq_pool_name)400 contrail_floating_ip_use(fq_project, fq_pool_name)
337401
402
338def floating_ip_pool_delete(name, projects):403def floating_ip_pool_delete(name, projects):
339 # deactivate pool for projects404 # deactivate pool for projects
340 fq_pool_name = "default-domain:" + ":".join(name)405 fq_pool_name = "default-domain:" + ":".join(name)
@@ -346,6 +411,7 @@
346 fq_network = "default-domain:" + ":".join(name[:2])411 fq_network = "default-domain:" + ":".join(name[:2])
347 contrail_floating_ip_delete(fq_network, name[2])412 contrail_floating_ip_delete(fq_network, name[2])
348413
414
349def floating_ip_pool_update(name, projects, previous_projects):415def floating_ip_pool_update(name, projects, previous_projects):
350 fq_pool_name = "default-domain:" + ":".join(name)416 fq_pool_name = "default-domain:" + ":".join(name)
351417
@@ -359,24 +425,39 @@
359 fq_project = "default-domain:" + project425 fq_project = "default-domain:" + project
360 contrail_floating_ip_use(fq_project, fq_pool_name)426 contrail_floating_ip_use(fq_project, fq_pool_name)
361427
428
362def http_services():429def http_services():
363 name = local_unit().replace("/", "-")430 name = local_unit().replace("/", "-")
364 addr = control_network_ip()431 addr = control_network_ip()
365 return [ { "service_name": "contrail-api",432 return [{"service_name": "contrail-api",
366 "service_host": "0.0.0.0",433 "service_host": "0.0.0.0",
367 "service_port": 8082,434 "service_port": 8082,
368 "service_options": [ "mode http", "balance leastconn", "option httpchk GET /Snh_SandeshUVECacheReq?x=NodeStatus HTTP/1.0" ],435 "service_options": ["mode http",
369 "servers": [ [ name, addr, api_port(), "check port 8084" ] ] },436 "balance leastconn",
370 { "service_name": "contrail-discovery",437 "option httpchk GET "
371 "service_host": "0.0.0.0",438 "/Snh_SandeshUVECacheReq?x=NodeStatus "
372 "service_port": 5998,439 "HTTP/1.0"],
373 "service_options": [ "mode http", "balance leastconn", "option httpchk GET /services HTTP/1.0" ],440 "servers": [[name,
374 "servers": [ [ name, addr, discovery_port(), "check" ] ] } ]441 addr,
442 api_port(),
443 "check port 8084"]]},
444 {"service_name": "contrail-discovery",
445 "service_host": "0.0.0.0",
446 "service_port": 5998,
447 "service_options": ["mode http",
448 "balance leastconn",
449 "option httpchk GET /services HTTP/1.0"],
450 "servers": [[name,
451 addr,
452 discovery_port(),
453 "check"]]}]
454
375455
376@hooks.hook("http-services-relation-joined")456@hooks.hook("http-services-relation-joined")
377def http_services_joined():457def http_services_joined():
378 relation_set(services=yaml.dump(http_services()))458 relation_set(services=yaml.dump(http_services()))
379459
460
380@hooks.hook("identity-admin-relation-changed")461@hooks.hook("identity-admin-relation-changed")
381def identity_admin_changed():462def identity_admin_changed():
382 if not relation_get("service_hostname"):463 if not relation_get("service_hostname"):
@@ -387,6 +468,7 @@
387 add_contrail_api()468 add_contrail_api()
388 add_metadata()469 add_metadata()
389470
471
390@hooks.hook("identity-admin-relation-departed")472@hooks.hook("identity-admin-relation-departed")
391@hooks.hook("identity-admin-relation-broken")473@hooks.hook("identity-admin-relation-broken")
392def identity_admin_departed():474def identity_admin_departed():
@@ -396,10 +478,13 @@
396 config["identity-admin-ready"] = False478 config["identity-admin-ready"] = False
397 identity_admin_relation()479 identity_admin_relation()
398480
399@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],481
400 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],482@restart_on_change(
401 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],483 {
402 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})484 "/etc/contrail/contrail-api.conf": ["supervisor-config"],
485 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
486 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
487 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"]})
403def identity_admin_relation():488def identity_admin_relation():
404 write_contrail_api_config()489 write_contrail_api_config()
405 write_contrail_schema_config()490 write_contrail_schema_config()
@@ -409,6 +494,7 @@
409 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:494 if version_compare(CONTRAIL_VERSION, "3.0.2.0-34") >= 0:
410 write_barbican_auth_config()495 write_barbican_auth_config()
411496
497
412@hooks.hook("identity-service-relation-joined")498@hooks.hook("identity-service-relation-joined")
413def identity_service_joined():499def identity_service_joined():
414 vip = config.get("vip")500 vip = config.get("vip")
@@ -419,6 +505,7 @@
419 internal_url=url,505 internal_url=url,
420 admin_url=url)506 admin_url=url)
421507
508
422@hooks.hook()509@hooks.hook()
423def install():510def install():
424 configure_installation_source(config["openstack-origin"])511 configure_installation_source(config["openstack-origin"])
@@ -437,8 +524,10 @@
437 write_nodemgr_config()524 write_nodemgr_config()
438 service_restart("contrail-config-nodemgr")525 service_restart("contrail-config-nodemgr")
439526
527
440@hooks.hook("leader-settings-changed")528@hooks.hook("leader-settings-changed")
441@restart_on_change({"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})529@restart_on_change(
530 {"/etc/ifmap-server/basicauthusers.properties": ["supervisor-config"]})
442def leader_changed():531def leader_changed():
443 write_ifmap_config()532 write_ifmap_config()
444 creds = leader_get("ifmap-creds")533 creds = leader_get("ifmap-creds")
@@ -448,12 +537,14 @@
448 if rid in creds:537 if rid in creds:
449 relation_set(relation_id=rid, creds=json.dumps(creds[rid]))538 relation_set(relation_id=rid, creds=json.dumps(creds[rid]))
450539
540
451def main():541def main():
452 try:542 try:
453 hooks.execute(sys.argv)543 hooks.execute(sys.argv)
454 except UnregisteredHookError as e:544 except UnregisteredHookError as e:
455 log("Unknown hook {} - skipping.".format(e))545 log("Unknown hook {} - skipping.".format(e))
456546
547
457@hooks.hook("neutron-metadata-relation-changed")548@hooks.hook("neutron-metadata-relation-changed")
458def neutron_metadata_changed():549def neutron_metadata_changed():
459 if not relation_get("shared-secret"):550 if not relation_get("shared-secret"):
@@ -462,6 +553,7 @@
462 config["neutron-metadata-ready"] = True553 config["neutron-metadata-ready"] = True
463 add_metadata()554 add_metadata()
464555
556
465@hooks.hook("neutron-metadata-relation-departed")557@hooks.hook("neutron-metadata-relation-departed")
466@hooks.hook("neutron-metadata-relation-broken")558@hooks.hook("neutron-metadata-relation-broken")
467def neutron_metadata_departed():559def neutron_metadata_departed():
@@ -469,6 +561,7 @@
469 remove_metadata()561 remove_metadata()
470 config["neutron-metadata-ready"] = False562 config["neutron-metadata-ready"] = False
471563
564
472def remove_contrail_api():565def remove_contrail_api():
473 if config_get("contrail-api-configured"):566 if config_get("contrail-api-configured"):
474 # unprovision configuration on 3.0.2.0+567 # unprovision configuration on 3.0.2.0+
@@ -476,6 +569,7 @@
476 unprovision_configuration()569 unprovision_configuration()
477 config["contrail-api-configured"] = False570 config["contrail-api-configured"] = False
478571
572
479def remove_metadata():573def remove_metadata():
480 if is_leader() and leader_get("metadata-provisioned"):574 if is_leader() and leader_get("metadata-provisioned"):
481 # impossible to know if current hook is firing because575 # impossible to know if current hook is firing because
@@ -484,6 +578,7 @@
484 unprovision_metadata()578 unprovision_metadata()
485 leader_set({"metadata-provisioned": ""})579 leader_set({"metadata-provisioned": ""})
486580
581
487@hooks.hook("upgrade-charm")582@hooks.hook("upgrade-charm")
488def upgrade_charm():583def upgrade_charm():
489 write_ifmap_config()584 write_ifmap_config()
@@ -496,12 +591,16 @@
496 write_nodemgr_config()591 write_nodemgr_config()
497 service_restart("supervisor-config")592 service_restart("supervisor-config")
498593
499@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],594
500 "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})595@restart_on_change(
596 {
597 "/etc/contrail/contrail-api.conf": ["supervisor-config"],
598 "/etc/contrail/contrail-config-nodemgr.conf": ["supervisor-config"]})
501def write_config():599def write_config():
502 write_contrail_api_config()600 write_contrail_api_config()
503 write_nodemgr_config()601 write_nodemgr_config()
504602
603
505@hooks.hook("zookeeper-relation-changed")604@hooks.hook("zookeeper-relation-changed")
506def zookeeper_changed():605def zookeeper_changed():
507 if not relation_get("port"):606 if not relation_get("port"):
@@ -512,6 +611,7 @@
512 add_contrail_api()611 add_contrail_api()
513 add_metadata()612 add_metadata()
514613
614
515@hooks.hook("zookeeper-relation-departed")615@hooks.hook("zookeeper-relation-departed")
516@hooks.hook("zookeeper-relation-broken")616@hooks.hook("zookeeper-relation-broken")
517def zookeeper_departed():617def zookeeper_departed():
@@ -521,12 +621,15 @@
521 config["zookeeper-ready"] = False621 config["zookeeper-ready"] = False
522 zookeeper_relation()622 zookeeper_relation()
523623
524@restart_on_change({"/etc/contrail/contrail-api.conf": ["supervisor-config"],624
525 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],625@restart_on_change(
526 "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],626 {
527 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],627 "/etc/contrail/contrail-api.conf": ["supervisor-config"],
528 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],628 "/etc/contrail/contrail-device-manager.conf": ["supervisor-config"],
529 "/etc/contrail/discovery.conf": ["supervisor-config"]})629 "/etc/contrail/contrail-discovery.conf": ["supervisor-config"],
630 "/etc/contrail/contrail-schema.conf": ["supervisor-config"],
631 "/etc/contrail/contrail-svc-monitor.conf": ["supervisor-config"],
632 "/etc/contrail/discovery.conf": ["supervisor-config"]})
530def zookeeper_relation():633def zookeeper_relation():
531 write_contrail_api_config()634 write_contrail_api_config()
532 write_contrail_schema_config()635 write_contrail_schema_config()
@@ -534,5 +637,6 @@
534 write_contrail_svc_monitor_config()637 write_contrail_svc_monitor_config()
535 write_device_manager_config()638 write_device_manager_config()
536639
640
537if __name__ == "__main__":641if __name__ == "__main__":
538 main()642 main()
539643
=== modified file 'hooks/contrail_configuration_utils.py'
--- hooks/contrail_configuration_utils.py 2017-03-10 12:49:07 +0000
+++ hooks/contrail_configuration_utils.py 2017-03-23 15:13:02 +0000
@@ -40,6 +40,7 @@
4040
41apt_pkg.init()41apt_pkg.init()
4242
43
43def dpkg_version(pkg):44def dpkg_version(pkg):
44 try:45 try:
45 return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip()46 return check_output(["dpkg-query", "-f", "${Version}\\n", "-W", pkg]).rstrip()
@@ -155,10 +156,16 @@
155156
156def contrail_ctx():157def contrail_ctx():
157 addr = control_network_ip()158 addr = control_network_ip()
159 rbac = config.get("rbac")
160 cloud_admin_role = config.get("cloud-admin-role")
161 global_read_only_role = config.get("global-read-only-role")
158 return { "api_port": api_port(),162 return { "api_port": api_port(),
159 "ifmap_server": addr,163 "ifmap_server": addr,
160 "disc_server": addr,164 "disc_server": addr,
161 "disc_port": discovery_port() }165 "disc_port": discovery_port(),
166 "rbac": rbac,
167 "cloud_admin_role": cloud_admin_role,
168 "global_read_only_role": global_read_only_role }
162169
163def contrail_floating_ip_create(network, name):170def contrail_floating_ip_create(network, name):
164 user, password, tenant = [ (relation_get("service_username", unit, rid),171 user, password, tenant = [ (relation_get("service_username", unit, rid),
@@ -344,7 +351,9 @@
344 "admin_user": relation_get("service_username", unit, rid),351 "admin_user": relation_get("service_username", unit, rid),
345 "admin_password": relation_get("service_password", unit, rid),352 "admin_password": relation_get("service_password", unit, rid),
346 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),353 "admin_tenant_name": relation_get("service_tenant_name", unit, rid),
347 "auth_region": relation_get("service_region", unit, rid) }354 "auth_region": relation_get("service_region", unit, rid),
355 "service_protocol": relation_get("service_protocol", unit, rid),
356 "api_version": relation_get("api_version", unit, rid)}
348 for rid in relation_ids("identity-admin")357 for rid in relation_ids("identity-admin")
349 for unit, hostname in358 for unit, hostname in
350 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))359 ((unit, relation_get("service_hostname", unit, rid)) for unit in related_units(rid))
351360
=== added symlink 'hooks/identity-credentials-relation-changed'
=== target is u'contrail_configuration_hooks.py'
=== added symlink 'hooks/identity-credentials-relation-joined'
=== target is u'contrail_configuration_hooks.py'
=== modified file 'templates/contrail-api.conf'
--- templates/contrail-api.conf 2017-01-31 12:51:09 +0000
+++ templates/contrail-api.conf 2017-03-23 15:13:02 +0000
@@ -10,7 +10,16 @@
10ifmap_password = api-server10ifmap_password = api-server
11cassandra_server_list = {{ cassandra_servers|join(" ") }}11cassandra_server_list = {{ cassandra_servers|join(" ") }}
12auth = keystone12auth = keystone
13multi_tenancy = True13
14{% if rbac -%}
15aaa_mode = rbac
16{% else -%}
17multi_tenancy = true
18{% endif -%}
19
20cloud_admin_role = {{ cloud_admin_role }}
21global_read_only_role = {{ global_read_only_role }}
22
14disc_server_ip = {{ disc_server }}23disc_server_ip = {{ disc_server }}
15disc_server_port = {{ disc_port }}24disc_server_port = {{ disc_port }}
16zk_server_ip = {{ zk_servers|join(",") }}25zk_server_ip = {{ zk_servers|join(",") }}

Subscribers

People subscribed via source and target branches