Merge lp:~gandelman-a/charms/precise/nova-cloud-controller/https_endpoint into lp:~openstack-charmers/charms/precise/nova-cloud-controller/ha-support

Proposed by Adam Gandelman
Status: Merged
Merged at revision: 64
Proposed branch: lp:~gandelman-a/charms/precise/nova-cloud-controller/https_endpoint
Merge into: lp:~openstack-charmers/charms/precise/nova-cloud-controller/ha-support
Diff against target: 903 lines (+467/-102)
5 files modified
config.yaml (+10/-0)
hooks/lib/openstack-common (+219/-18)
hooks/nova-cloud-controller-common (+71/-0)
hooks/nova-cloud-controller-relations (+166/-83)
revision (+1/-1)
To merge this branch: bzr merge lp:~gandelman-a/charms/precise/nova-cloud-controller/https_endpoint
Reviewer Review Type Date Requested Status
James Page Needs Fixing
Review via email: mp+150387@code.launchpad.net

Description of the change

nova-c-c HTTPS API support. These changes (and also those applied to the other changes in similar merge proposals) allow the charm to dynamically manage the API listening port for each server depending on the current deployment. The canonical port in the Keystone catalog will always be the default (eg 8443) but the request pipeline on the API server differs depending on how it is deployed:

- When deployed in a single, non-https unit, the API server(s) will listen on their default port (eg, 8773)
- When new peers join, haproxy will be configured on every node to listen on the default port, with the local API server listening on $DEFAULT-10 (8773 -> 8763).
- When HTTPS is enabled and peers have joined, Apache is configured to terminate SSL on the default port and route requests to the local haproxy, then to the API server (8773 apache -> 8763 haproxy -> 8752 nova api).
- When HTTPS is enabled but no peers have joined, Apache terminates SSL on default port and routes requests directly to the API server (8773 -> 8763)

The same approach is used in the other HTTPS charms.

SSL certs are created and signed on the keystone side (when it is configured to do so) along with standard endpoint creation. An SSL cert, key and CA cert are returned to the unit along with its service credentials. Currently, nova-c-c will make a copy of the CA cert accessible to outside users at its web root.

This also adds a lot of general HA support that was committed to other charms but not to the nova-c-c (eligible_leader, etc).

James Page (james-page) wrote :

A few bits and pieces:

nova-cloud-controller-relations:ha_joined

Clones should be set to clones, not groups

775 - init_services="$init_services" groups="$groups"
776 + init_services="$init_services" clones="$groups"

nova-cloud-controller-relations:quantum_joined

I think the CA cert should be passed to quantum as well so it can talk back to the https server.

James Page (james-page) wrote :

I was able to get most of the https stuff working; two issues

1) Setting the config on keystone for https after building the environment configured endpoints in most places; however nova-cloud-controller did not reconfigure.

2) nova image-list post remove/add to fix the above resulted in:

2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack Traceback (most recent call last):
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/nova/api/openstack/__init__.py", line 81, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return req.get_response(self.application)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1296, in send
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack application, catch_exc_info=False)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1260, in call_application
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack app_iter = application(self.environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return resp(environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/keystoneclient/middleware/auth_token.py", line 328, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return self.app(env, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return resp(environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return resp(environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return resp(environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/routes/middleware.py", line 131, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack response = self.app(environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 144, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return resp(environ, start_response)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 130, in __call__
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs)
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 195, in call_func
2013-02-26 07:50:41.481 1056 TRACE nova.api.openstack return self.func(req, *ar...

James Page (james-page) :
review: Needs Fixing
75. By Adam Gandelman

Actually send clone config to hacluster.

76. By Adam Gandelman

Send CA cert to quantum via quantum_joined, if it exists then.

77. By Adam Gandelman

Retrigger quantum_joined post-SSL.

78. By Adam Gandelman

Bump revision.

Adam Gandelman (gandelman-a) wrote :

I'm having a helluva time reproducing this issue. Can you describe how you initially built your environment before enabling HTTPS? Was nova-c-c peered and/or clustered? Are you sure you were deploying the most recent charm revision /w newest branch changes? bzr revs 71 and 72 dealt with an issue of the endpoint not reconfiguring after adding clustering, since the original reconfig hooks were not sending all required settings. Late-enabling HTTPS should be limited to identity-changed, though.

I've just tested again by enabling HTTPS after the entire catalog has been populated by haclustered services (all endpoints pointing to http://$VIP/etc/). After nova-c-c has reconfigured its reverse proxying, it flushes the following settings back to KS, compute and quantum:

2013-02-27 15:09:31,482: hook.output@DEBUG: Flushed values for hook 'identity-service-relation-changed' on 'identity-service:27'
    Setting changed: 'ec2_admin_url'=u'https://192.168.77.2:8773/services/Cloud' (was 'http://192.168.77.2:8773/services/Cloud')
    Setting changed: 'ec2_internal_url'=u'https://192.168.77.2:8773/services/Cloud' (was 'http://192.168.77.2:8773/services/Cloud')
    Setting changed: 'ec2_public_url'=u'https://192.168.77.2:8773/services/Cloud' (was 'http://192.168.77.2:8773/services/Cloud')
    Setting changed: 'nova_admin_url'=u'https://192.168.77.2:8774/v1.1/$(tenant_id)s' (was 'http://192.168.77.2:8774/v1.1/$(tenant_id)s')
    Setting changed: 'nova_internal_url'=u'https://192.168.77.2:8774/v1.1/$(tenant_id)s' (was 'http://192.168.77.2:8774/v1.1/$(tenant_id)s')
    Setting changed: 'nova_public_url'=u'https://192.168.77.2:8774/v1.1/$(tenant_id)s' (was 'http://192.168.77.2:8774/v1.1/$(tenant_id)s')
    Setting changed: 'quantum_admin_url'=u'https://192.168.77.2:9696' (was 'http://192.168.77.2:9696')
    Setting changed: 'quantum_internal_url'=u'https://192.168.77.2:9696' (was 'http://192.168.77.2:9696')
    Setting changed: 'quantum_public_url'=u'https://192.168.77.2:9696' (was 'http://192.168.77.2:9696')
    Setting changed: 's3_admin_url'=u'https://192.168.77.2:3333' (was 'http://192.168.77.2:3333')
    Setting changed: 's3_internal_url'=u'https://192.168.77.2:3333' (was 'http://192.168.77.2:3333')
    Setting changed: 's3_public_url'=u'https://192.168.77.2:3333' (was 'http://192.168.77.2:3333')
    Setting changed: u'ca_cert'=u'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvekNDQWd5Z0F3SUJBZ0lCQVRBTkJna3Fo\na2lHOXcwQkFRVUZBREJy (was unset) on 'cloud-compute:47'
    Setting changed: 'quantum_url'=u'https://192.168.77.2:9696' (was 'http://192.168.77.2:9696') on 'cloud-compute:47'
    Setting changed: u'ca_cert'=u'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvekNDQWd5Z0F3SUJBZ0lCQVRBTkJna3Fo\na2lHOXcwQkFRVUZBREJy (was unset) on 'quantum-network-service:40'
    Setting changed: 'quantum_url'=u'https://192.168.77.2:9696' (was 'http://192.168.77.2:9696') on 'quantum-network-service:40'
2013-02-27 15:09:31,483: hook.executor@DEBUG: Hook complete: /var/lib/juju/units/nova-cloud-controller-2/charm/hooks/identity-service-relation-changed

If you can test once again, and possibly keep an eye on the nova-c-c leader's charm log, to see what settings change? The r...


79. By Adam Gandelman

Rebase against current ha-support branch.

80. By Adam Gandelman

Block configure_quantum_networking if no amqp relation exists.

81. By Adam Gandelman

Avoid race between https + quantum network setup.

using https() in keystone_joined() is not reliable with multiple
KS peers. Only inspect local config and count on https() only from
_changed() hooks.

82. By Adam Gandelman

Bump rev.

83. By Adam Gandelman

Only configurate quantum net. from keystone-changed when safe.

The ks catalog may be in a state of flux when these hooks fire.

If firing for the first time, configure quantum networking before
https frontend is setup, and before KS endpoint is reconfigured to
point to https.

If firing as the result of HA reconfiguration, configure quantum
after HTTPS has been updated to include updated certificate (for VIP
address).

84. By Adam Gandelman

keystone_changed: Protect late quantum config by an eligible_leader check.

85. By Adam Gandelman

Also protect early call to quantum config.

86. By Adam Gandelman

keystone_changed: Also determine HTTPS based on actual hook being fired.

87. By Adam Gandelman

Be careful of 'set -e'.

Preview Diff

=== modified file 'config.yaml'
--- config.yaml 2013-01-22 16:43:49 +0000
+++ config.yaml 2013-03-09 04:30:28 +0000
@@ -128,3 +128,13 @@
128 description: |128 description: |
129 Default multicast port number that will be used to communicate between129 Default multicast port number that will be used to communicate between
130 HA Cluster nodes.130 HA Cluster nodes.
131 ssl_cert:
132 type: string
133 description: |
134 SSL certificate to install and use for API ports. Setting this value
135 and ssl_key will enable reverse proxying, point Glance's entry in the
136 Keystone catalog to use https, and override any certficiate and key
137 issued by Keystone (if it is configured to do so).
138 ssl_key:
139 type: string
140 description: SSL key to use with certificate specified as ssl_cert.
131141
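Review bot: The ssl_cert description says that setting it will point Glance's entry in the Keystone catalog to https, but this is the nova-cloud-controller charm, so the text looks copied from another charm and should name this charm's own endpoints instead; "certficiate" is also misspelled. The description should also state the expected encoding: enable_https base64-decodes certificates taken from the identity-service relation but writes config-supplied values to disk as given, so an operator needs to know to supply raw PEM. Since ssl_key carries private key material in charm config, a sentence saying so belongs in its description.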
=== added symlink 'hooks/cluster-relation-changed'
=== target is u'nova-cloud-controller-relations'
=== added symlink 'hooks/cluster-relation-departed'
=== target is u'nova-cloud-controller-relations'
=== added symlink 'hooks/ha-relation-changed'
=== target is u'nova-cloud-controller-relations'
=== added symlink 'hooks/ha-relation-joined'
=== target is u'nova-cloud-controller-relations'
=== modified file 'hooks/lib/openstack-common'
--- hooks/lib/openstack-common 2013-03-08 21:18:29 +0000
+++ hooks/lib/openstack-common 2013-03-09 04:30:28 +0000
@@ -321,7 +321,6 @@
321321
322HAPROXY_CFG=/etc/haproxy/haproxy.cfg322HAPROXY_CFG=/etc/haproxy/haproxy.cfg
323HAPROXY_DEFAULT=/etc/default/haproxy323HAPROXY_DEFAULT=/etc/default/haproxy
324
325##########################################################################324##########################################################################
326# Description: Configures HAProxy services for Openstack API's325# Description: Configures HAProxy services for Openstack API's
327# Parameters:326# Parameters:
@@ -330,9 +329,8 @@
330# assumes the name of the peer relation is 'cluster' and that every329# assumes the name of the peer relation is 'cluster' and that every
331# service unit in the peer relation is running the same services.330# service unit in the peer relation is running the same services.
332#331#
333# The HAProxy service will listen on port + 10000.332# Example
334# Example:333# configure_haproxy cinder_api:8776:8756i nova_api:8774:8764
335# configure_haproxy cinder_api:12345 nova_api:9999
336##########################################################################334##########################################################################
337configure_haproxy() {335configure_haproxy() {
338 local address=`unit-get private-address`336 local address=`unit-get private-address`
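Review bot: The new example in the configure_haproxy header has a stray character, `cinder_api:8776:8756i`, which should read `cinder_api:8776:8756`. The hunk also removes the sentence explaining the old port + 10000 rule without replacing it, so the header no longer says what the fields mean; add a Parameters line stating that each argument is service_name:haproxy_listen_port:api_listen_port.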
@@ -368,14 +366,18 @@
368EOF366EOF
369 for service in $@; do367 for service in $@; do
370 local service_name=$(echo $service | cut -d : -f 1)368 local service_name=$(echo $service | cut -d : -f 1)
371 local api_listen_port=$(echo $service | cut -d : -f 2)369 local haproxy_listen_port=$(echo $service | cut -d : -f 2)
372 local haproxy_listen_port=$(($api_listen_port + 10000))370 local api_listen_port=$(echo $service | cut -d : -f 3)
371 juju-log "Adding haproxy configuration entry for $service "\
372 "($haproxy_listen_port -> $api_listen_port)"
373 cat >> $HAPROXY_CFG << EOF373 cat >> $HAPROXY_CFG << EOF
374listen $service_name 0.0.0.0:$haproxy_listen_port374listen $service_name 0.0.0.0:$haproxy_listen_port
375 balance roundrobin375 balance roundrobin
376 option tcplog376 option tcplog
377 server $name $address:$api_listen_port check377 server $name $address:$api_listen_port check
378EOF378EOF
379 local r_id=""
380 local unit=""
379 for r_id in `relation-ids cluster`; do381 for r_id in `relation-ids cluster`; do
380 for unit in `relation-list -r $r_id`; do382 for unit in `relation-list -r $r_id`; do
381 local unit_name=${unit////-}383 local unit_name=${unit////-}
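Review bot: Nothing checks that each argument has three fields before `api_listen_port=$(echo $service | cut -d : -f 3)` is used, so a caller still passing the old two-field form name:port gets an empty api_listen_port and a `server $name $address: check` line in haproxy.cfg. Validate that both ports are non-empty and numeric, and fail the hook with a clear message otherwise. Separately, the listener stays on `0.0.0.0:$haproxy_listen_port`; once enable_https puts Apache in front and proxies to http://localhost:$int_port/, that plaintext port is still reachable on every interface, so consider binding haproxy to 127.0.0.1 when HTTPS is active.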
@@ -388,6 +390,7 @@
388 done390 done
389 done391 done
390 echo "ENABLED=1" > $HAPROXY_DEFAULT392 echo "ENABLED=1" > $HAPROXY_DEFAULT
393 service haproxy restart
391}394}
392395
393##########################################################################396##########################################################################
@@ -395,18 +398,20 @@
395# Returns: 0 if configured, 1 if not configured398# Returns: 0 if configured, 1 if not configured
396##########################################################################399##########################################################################
397is_clustered() {400is_clustered() {
401 local r_id=""
402 local unit=""
398 for r_id in $(relation-ids ha); do403 for r_id in $(relation-ids ha); do
399 if [ -n "$r_id" ]; then404 if [ -n "$r_id" ]; then
400 for unit in $(relation-list -r $r_id); do405 for unit in $(relation-list -r $r_id); do
401 clustered=$(relation-get -r $r_id clustered $unit)406 clustered=$(relation-get -r $r_id clustered $unit)
402 if [ -n "$clustered" ]; then407 if [ -n "$clustered" ]; then
403 echo "Unit is clustered"408 juju-log "Unit is haclustered"
404 return 0409 return 0
405 fi410 fi
406 done411 done
407 fi412 fi
408 done413 done
409 echo "Unit is not clustered"414 juju-log "Unit is not haclustered"
410 return 1415 return 1
411}416}
412417
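Review bot: In is_clustered, r_id and unit are now declared local but `clustered=$(relation-get -r $r_id clustered $unit)` still assigns a global. configure_https declares a local variable with the same name, and through bash dynamic scoping this assignment would overwrite it if is_clustered were ever called there outside a subshell. Add `local clustered=""` alongside the other two declarations.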
@@ -415,6 +420,7 @@
415##########################################################################420##########################################################################
416peer_units() {421peer_units() {
417 local peers=""422 local peers=""
423 local r_id=""
418 for r_id in $(relation-ids cluster); do424 for r_id in $(relation-ids cluster); do
419 peers="$peers $(relation-list -r $r_id)"425 peers="$peers $(relation-list -r $r_id)"
420 done426 done
@@ -433,11 +439,11 @@
433 echo "Comparing $JUJU_UNIT_NAME with peers: $peers"439 echo "Comparing $JUJU_UNIT_NAME with peers: $peers"
434 local r_unit_no=$(echo $peer | cut -d / -f 2)440 local r_unit_no=$(echo $peer | cut -d / -f 2)
435 if (($r_unit_no<$l_unit_no)); then441 if (($r_unit_no<$l_unit_no)); then
436 echo "Not oldest peer; deferring"442 juju-log "Not oldest peer; deferring"
437 return 1443 return 1
438 fi444 fi
439 done445 done
440 echo "Oldest peer; might take charge?"446 juju-log "Oldest peer; might take charge?"
441 return 0447 return 0
442}448}
443449
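Review bot: oldest_peer still has `echo "Comparing $JUJU_UNIT_NAME with peers: $peers"` at the top of the loop while the other messages in this function move to juju-log. Convert it as well, so the function writes nothing to stdout and all of its messages land in the charm log.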
@@ -451,13 +457,13 @@
451eligible_leader() {457eligible_leader() {
452 if is_clustered; then458 if is_clustered; then
453 if ! is_leader $1; then459 if ! is_leader $1; then
454 echo 'Deferring action to CRM leader'460 juju-log 'Deferring action to CRM leader'
455 return 1461 return 1
456 fi462 fi
457 else463 else
458 peers=$(peer_units)464 peers=$(peer_units)
459 if [ -n "$peers" ] && ! oldest_peer "$peers"; then465 if [ -n "$peers" ] && ! oldest_peer "$peers"; then
460 echo 'Deferring action to oldest service unit.'466 juju-log 'Deferring action to oldest service unit.'
461 return 1467 return 1
462 fi468 fi
463 fi469 fi
@@ -469,14 +475,14 @@
469# Returns: 0 if peered, 1 if not peered475# Returns: 0 if peered, 1 if not peered
470##########################################################################476##########################################################################
471is_peered() {477is_peered() {
472 r_id=$(relation-ids cluster)478 local r_id=$(relation-ids cluster)
473 if [ -n "$r_id" ]; then479 if [ -n "$r_id" ]; then
474 if [ -n "$(relation-list -r $r_id)" ]; then480 if [ -n "$(relation-list -r $r_id)" ]; then
475 echo "Unit peered"481 juju-log "Unit peered"
476 return 0482 return 0
477 fi483 fi
478 fi484 fi
479 echo "Unit not peered"485 juju-log "Unit not peered"
480 return 1486 return 1
481}487}
482488
@@ -489,12 +495,207 @@
489 hostname=`hostname`495 hostname=`hostname`
490 if [ -x /usr/sbin/crm ]; then496 if [ -x /usr/sbin/crm ]; then
491 if crm resource show $1 | grep -q $hostname; then497 if crm resource show $1 | grep -q $hostname; then
492 echo "$hostname is cluster leader"498 juju-log "$hostname is cluster leader."
493 return 0499 return 0
494 fi500 fi
495 fi501 fi
496 echo "$hostname is not cluster leader"502 juju-log "$hostname is not cluster leader."
497 return 1503 return 1
504}
505
506##########################################################################
507# Description: Determines whether enough data has been provided in
508# configuration or relation data to configure HTTPS.
509# Parameters: None
510# Returns: 0 if HTTPS can be configured, 1 if not.
511##########################################################################
512https() {
513 local r_id=""
514 if [[ -n "$(config-get ssl_cert)" ]] &&
515 [[ -n "$(config-get ssl_key)" ]] ; then
516 return 0
517 fi
518 for r_id in $(relation-ids identity-service) ; do
519 for unit in $(relation-list -r $r_id) ; do
520 if [[ "$(relation-get -r $r_id https_keystone $unit)" == "True" ]] &&
521 [[ -n "$(relation-get -r $r_id ssl_cert $unit)" ]] &&
522 [[ -n "$(relation-get -r $r_id ssl_key $unit)" ]] &&
523 [[ -n "$(relation-get -r $r_id ca_cert $unit)" ]] ; then
524 return 0
525 fi
526 done
527 done
528 return 1
529}
530
531##########################################################################
532# Description: For a given number of port mappings, configures apache2
533# HTTPs local reverse proxying using certficates and keys provided in
534# either configuration data (preferred) or relation data. Assumes ports
535# are not in use (calling charm should ensure that).
536# Parameters: Variable number of proxy port mappings as
537# $internal:$external.
538# Returns: 0 if reverse proxy(s) have been configured, 0 if not.
539##########################################################################
540enable_https() {
541 local port_maps="$@"
542 local http_restart=""
543 juju-log "Enabling HTTPS for port mappings: $port_maps."
544
545 # allow overriding of keystone provided certs with those set manually
546 # in config.
547 local cert=$(config-get ssl_cert)
548 local key=$(config-get ssl_key)
549 local ca_cert=""
550 if [[ -z "$cert" ]] || [[ -z "$key" ]] ; then
551 juju-log "Inspecting identity-service relations for SSL certificate."
552 local r_id=""
553 cert=""
554 key=""
555 ca_cert=""
556 for r_id in $(relation-ids identity-service) ; do
557 for unit in $(relation-list -r $r_id) ; do
558 [[ -z "$cert" ]] && cert="$(relation-get -r $r_id ssl_cert $unit)"
559 [[ -z "$key" ]] && key="$(relation-get -r $r_id ssl_key $unit)"
560 [[ -z "$ca_cert" ]] && ca_cert="$(relation-get -r $r_id ca_cert $unit)"
561 done
562 done
563 [[ -n "$cert" ]] && cert=$(echo $cert | base64 -di)
564 [[ -n "$key" ]] && key=$(echo $key | base64 -di)
565 [[ -n "$ca_cert" ]] && ca_cert=$(echo $ca_cert | base64 -di)
566 else
567 juju-log "Using SSL certificate provided in service config."
568 fi
569
570 [[ -z "$cert" ]] || [[ -z "$key" ]] &&
571 juju-log "Expected but could not find SSL certificate data, not "\
572 "configuring HTTPS!" && return 1
573
574 apt-get -y install apache2
575 a2enmod ssl proxy proxy_http | grep -v "To activate the new configuration" &&
576 http_restart=1
577
578 mkdir -p /etc/apache2/ssl/$CHARM
579 echo "$cert" >/etc/apache2/ssl/$CHARM/cert
580 echo "$key" >/etc/apache2/ssl/$CHARM/key
581 if [[ -n "$ca_cert" ]] ; then
582 juju-log "Installing Keystone supplied CA cert."
583 echo "$ca_cert" >/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
584 update-ca-certificates --fresh
585
586 # XXX TODO: Find a better way of exporting this?
587 if [[ "$CHARM" == "nova-cloud-controller" ]] ; then
588 [[ -e /var/www/keystone_juju_ca_cert.crt ]] &&
589 rm -rf /var/www/keystone_juju_ca_cert.crt
590 ln -s /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt \
591 /var/www/keystone_juju_ca_cert.crt
592 fi
593
594 fi
595 for port_map in $port_maps ; do
596 local ext_port=$(echo $port_map | cut -d: -f1)
597 local int_port=$(echo $port_map | cut -d: -f2)
598 juju-log "Creating apache2 reverse proxy vhost for $port_map."
599 cat >/etc/apache2/sites-available/${CHARM}_${ext_port} <<END
600Listen $ext_port
601NameVirtualHost *:$ext_port
602<VirtualHost *:$ext_port>
603 ServerName $(unit-get private-address)
604 SSLEngine on
605 SSLCertificateFile /etc/apache2/ssl/$CHARM/cert
606 SSLCertificateKeyFile /etc/apache2/ssl/$CHARM/key
607 ProxyPass / http://localhost:$int_port/
608 ProxyPassReverse / http://localhost:$int_port/
609 ProxyPreserveHost on
610</VirtualHost>
611<Proxy *>
612 Order deny,allow
613 Allow from all
614</Proxy>
615<Location />
616 Order allow,deny
617 Allow from all
618</Location>
619END
620 a2ensite ${CHARM}_${ext_port} | grep -v "To activate the new configuration" &&
621 http_restart=1
622 done
623 if [[ -n "$http_restart" ]] ; then
624 service apache2 restart
625 fi
626}
627
628##########################################################################
629# Description: Ensure HTTPS reverse proxying is disabled for given port
630# mappings.
631# Parameters: Variable number of proxy port mappings as
632# $internal:$external.
633# Returns: 0 if reverse proxy is not active for all portmaps, 1 on error.
634##########################################################################
635disable_https() {
636 local port_maps="$@"
637 local http_restart=""
638 juju-log "Ensuring HTTPS disabled for $port_maps."
639 ( [[ ! -d /etc/apache2 ]] || [[ ! -d /etc/apache2/ssl/$CHARM ]] ) && return 0
640 for port_map in $port_maps ; do
641 local ext_port=$(echo $port_map | cut -d: -f1)
642 local int_port=$(echo $port_map | cut -d: -f2)
643 if [[ -e /etc/apache2/sites-available/${CHARM}_${ext_port} ]] ; then
644 juju-log "Disabling HTTPS reverse proxy for $CHARM $port_map."
645 a2dissite ${CHARM}_${ext_port} | grep -v "To activate the new configuration" &&
646 http_restart=1
647 fi
648 done
649 if [[ -n "$http_restart" ]] ; then
650 service apache2 restart
651 fi
652}
653
654
655##########################################################################
656# Description: Ensures HTTPS is either enabled or disabled for given port
657# mapping.
658# Parameters: Variable number of proxy port mappings as
659# $internal:$external.
660# Returns: 0 if HTTPS reverse proxy is in place, 1 if it is not.
661##########################################################################
662setup_https() {
663 # configure https via apache reverse proxying either
664 # using certs provided by config or keystone.
665 [[ -z "$CHARM" ]] &&
666 error_out "setup_https(): CHARM not set."
667 if ! https ; then
668 disable_https $@
669 else
670 enable_https $@
671 fi
672}
673
674##########################################################################
675# Description: Determine correct API server listening port based on
676# existence of HTTPS reverse proxy and/or haproxy.
677# Paremeters: The standard public port for given service.
678# Returns: The correct listening port for API service.
679##########################################################################
680determine_api_port() {
681 local public_port="$1"
682 local i=0
683 ( [[ -n "$(peer_units)" ]] || is_clustered >/dev/null 2>&1 ) && i=$[$i + 1]
684 https >/dev/null 2>&1 && i=$[$i + 1]
685 echo $[$public_port - $[$i * 10]]
686}
687
688##########################################################################
689# Description: Determine correct proxy listening port based on public IP +
690# existence of HTTPS reverse proxy.
691# Paremeters: The standard public port for given service.
692# Returns: The correct listening port for haproxy service public address.
693##########################################################################
694determine_haproxy_port() {
695 local public_port="$1"
696 local i=0
697 https >/dev/null 2>&1 && i=$[$i + 1]
698 echo $[$public_port - $[$i * 10]]
498}699}
499700
500##########################################################################701##########################################################################
501702
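Review bot: In enable_https the private key is written with `echo "$key" >/etc/apache2/ssl/$CHARM/key` under whatever umask the hook runs with, and neither the directory nor the file has its mode set afterwards, so the key can end up world-readable. Create /etc/apache2/ssl/$CHARM with mode 0700 and write the key under umask 077 (or chmod 600 it, owned by root) before Apache is restarted. Two documentation points in the same hunk: the enable_https header says "Returns: 0 if reverse proxy(s) have been configured, 0 if not" where the failure path returns 1, and the Parameters text for enable_https, disable_https and setup_https gives the mapping as $internal:$external while the code reads field 1 as ext_port and field 2 as int_port.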
=== modified file 'hooks/nova-cloud-controller-common'
--- hooks/nova-cloud-controller-common 2013-01-18 12:22:44 +0000
+++ hooks/nova-cloud-controller-common 2013-03-09 04:30:28 +0000
@@ -97,6 +97,7 @@
97 if [ "$(config-get conf-ext-net)" != "no" ] &&97 if [ "$(config-get conf-ext-net)" != "no" ] &&
98 [ "$QUANTUM_PLUGIN" == "ovs" ] &&98 [ "$QUANTUM_PLUGIN" == "ovs" ] &&
99 [ -f /etc/quantum/novarc ] &&99 [ -f /etc/quantum/novarc ] &&
100 [ -n "$(relation-ids amqp)" ] &&
100 [ -n "$(relation-ids shared-db)" ]; then101 [ -n "$(relation-ids shared-db)" ]; then
101 juju-log "Configuring external networking for quantum"102 juju-log "Configuring external networking for quantum"
102 # Use helper to create external network gateway103 # Use helper to create external network gateway
@@ -219,3 +220,73 @@
219 known_hosts="$(base64 /etc/nova/compute_ssh/$sunit/known_hosts)" \220 known_hosts="$(base64 /etc/nova/compute_ssh/$sunit/known_hosts)" \
220 authorized_keys="$(base64 /etc/nova/compute_ssh/$sunit/authorized_keys)"221 authorized_keys="$(base64 /etc/nova/compute_ssh/$sunit/authorized_keys)"
221}222}
223
224configure_https() {
225 # setup https termination for all api services, depending on what is running
226 # and topology of current deployment.
227 local clustered=""
228 ( [[ -n "$(peer_units)" ]] || is_clustered ) && clustered="1"
229 local services=""
230 local ssl_port_maps=""
231 local haproxy_port_maps=""
232 local next_server=""
233 local api_port=""
234
235 # upstartService:defaultPort:configOption
236 local svcs="nova-api-ec2:8773:ec2_listen_port
237 nova-api-os-compute:8774:osapi_compute_listen_port
238 nova-objectstore:3333:s3_listen_port"
239 [[ "$NET_MANAGER" == "Quantum" ]] &&
240 svcs="$svcs quantum-server:9696:bind_port"
241
242 for s in $svcs ; do
243 local service=$(echo $s | cut -d: -f1)
244 local port=$(echo $s | cut -d: -f2)
245 local opt=$(echo $s | cut -d: -f3)
246 if [[ -n "$clustered" ]] ; then
247 next_server="$(determine_haproxy_port $port)"
248 api_port="$(determine_api_port $port)"
249 haproxy_port_maps="$haproxy_port_maps $service:$next_server:$api_port"
250 else
251 api_port="$(determine_api_port $port)"
252 next_server="$api_port"
253 fi
254 if [[ "$service" == "quantum-server" ]] ; then
255 set_or_update "$opt" "$api_port" "$QUANTUM_CONF"
256 else
257 set_or_update "$opt" "$api_port"
258 fi
259 ssl_port_maps="$ssl_port_maps $port:$next_server"
260 done
261
262 # make sure all backend api servers are bound to new backend port
263 # before setting up any frontends.
264 for s in $svcs ; do
265 local service=$(echo $s | cut -d: -f1)
266 service_ctl $service restart
267 done
268
269 [[ -n "$haproxy_port_maps" ]] && configure_haproxy $haproxy_port_maps
270 setup_https $ssl_port_maps
271
272 # another restart to ensure api servers are now bound to frontend ports
273 # that may have just been disabled.
274 for s in $svcs ; do
275 local service=$(echo $s | cut -d: -f1)
276 service_ctl $service restart
277 done
278
279 local r_id=""
280 # (re)configure ks endpoint accordingly
281 for r_id in $(relation-ids identity-service) ; do
282 keystone_joined "$r_id"
283 done
284 # pass on possibly updated quantum URL + ca_cert to compute nodes.
285 for r_id in $(relation-ids cloud-compute) ; do
286 compute_joined "$r_id"
287 done
288 # update the quantum relation, as well.
289 for r_id in $(relation-ids quantum-network-service) ; do
290 quantum_joined "$r_id"
291 done
292}
222293
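Review bot: configure_https restarts every service in $svcs twice, once before and once after the frontends are set up, on every call and whether or not any listen port changed. It is called from two places in hooks/nova-cloud-controller-relations in this patch, one of them directly after `service_ctl all restart`, so a single hook run can interrupt each API service several times. Compare the computed api_port with the value currently in the config file and restart only the services whose port moved. The loop variable `s` is also not declared local, unlike service, port and opt.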
=== modified file 'hooks/nova-cloud-controller-relations'
--- hooks/nova-cloud-controller-relations 2013-02-21 23:12:04 +0000
+++ hooks/nova-cloud-controller-relations 2013-03-09 04:30:28 +0000
@@ -44,6 +44,7 @@
44 cp files/create_tenant_net.py /usr/bin/quantum-tenant-net44 cp files/create_tenant_net.py /usr/bin/quantum-tenant-net
4545
46 service_ctl all stop46 service_ctl all stop
47 configure_https
47}48}
4849
49function upgrade_charm {50function upgrade_charm {
@@ -70,13 +71,14 @@
70 set_config_flags71 set_config_flags
7172
72 if [ "$NET_MANAGER" == "Quantum" ] && \73 if [ "$NET_MANAGER" == "Quantum" ] && \
73 is_clustered && is_leader 'res_nova_vip' || \74 eligible_leader 'res_nova_vip' || \
74 ! is_clustered; then75 ! is_clustered; then
75 configure_quantum_networking76 configure_quantum_networking
76 fi77 fi
7778
78 determine_services79 determine_services
79 service_ctl all restart80 service_ctl all restart
81 configure_https
80}82}
8183
82function amqp_joined {84function amqp_joined {
@@ -131,6 +133,12 @@
131 fi133 fi
132134
133 determine_services && service_ctl all restart135 determine_services && service_ctl all restart
136
137 if [ "$NET_MANAGER" == "Quantum" ] && \
138 eligible_leader 'res_nova_vip' || \
139 ! is_clustered; then
140 configure_quantum_networking
141 fi
134}142}
135143
136function db_joined {144function db_joined {
@@ -170,11 +178,17 @@
170 fi178 fi
171 determine_services179 determine_services
172 service_ctl all stop180 service_ctl all stop
173 /usr/bin/nova-manage db sync181
182 eligible_leader 'res_nova_vip' && /usr/bin/nova-manage db sync
183
174 service_ctl all start184 service_ctl all start
175 if [ "$NET_MANAGER" == "Quantum" ]; then185
186 if [ "$NET_MANAGER" == "Quantum" ] && \
187 eligible_leader 'res_nova_vip' || \
188 ! is_clustered; then
176 configure_quantum_networking189 configure_quantum_networking
177 fi190 fi
191
178 trigger_remote_service_restarts192 trigger_remote_service_restarts
179}193}
180194
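Review bot: With new line 182, units where eligible_leader is false skip `nova-manage db sync` and go straight to `service_ctl all start` on line 184, and nothing in this hunk makes them wait for the leader's migration to finish. A non-leader can therefore start its services against a schema that is still being migrated. Either gate the start on a signal from the leader (for example a peer relation setting written after the sync completes), or add a comment stating why starting early is safe.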
@@ -191,28 +205,37 @@
191 # we need to get two entries into keystone's catalog, nova + ec2205 # we need to get two entries into keystone's catalog, nova + ec2
192 # group, them by prepending $service_ to each setting. the keystone206 # group, them by prepending $service_ to each setting. the keystone
193 # charm will assemble settings into corresponding catalog entries207 # charm will assemble settings into corresponding catalog entries
194 if is_clustered && is_leader 'res_nova_vip'; then208 eligible_leader 'res_nova_vip' || return 0
195 address=$(config-get vip)209
196 nova_port=18774210 is_clustered && local host=$(config-get vip) ||
197 ec2_port=18773211 local host=$(unit-get private-address)
198 s3_port=13333212
199 quantum_port=19696213 if [[ "$arg0" == "identity-service-relation-joined" ]] ; then
200 vol_port=18776214 # determine https status based only on config at this point,
201 elif ! is_clustered; then215 # insepcting KS relation is not reliable. if KS has mulitple
202 address=$(unit-get private-address)216 # units, multiple relation-joineds are fired, resulting in the
203 nova_port=8774217 # endpoint being configured in catalog as https before https
204 ec2_port=8773218 # is actually setup on this end. ends with failure to configure
205 s3_port=3333219 # quantum network, if its enabled.
206 quantum_port=9696220 # if specified in config, https will have already been setup in
207 vol_port=8776221 # install or config-changed.
222 if [[ -n "$(config-get ssl_cert)" ]] &&
223 [[ -n "$(config-get ssl_key)" ]] ; then
224 local scheme="https"
225 else
226 local scheme="http"
227 fi
208 else228 else
209 # Not the leader and clustered - no action required229 # this function is called from other hook contexts, use normal method
210 return 0230 # for determining https
231 https && scheme="https" || scheme="http"
211 fi232 fi
212 nova_url="http://$address:$nova_port/v1.1/\$(tenant_id)s"233
213 ec2_url="http://$address:$ec2_port/services/Cloud"234 local nova_url="$scheme://$host:8774/v1.1/\$(tenant_id)s"
214 s3_url="http://$address:$s3_port"235 local ec2_url="$scheme://$host:8773/services/Cloud"
215 region="$(config-get region)"236 local s3_url="$scheme://$host:3333"
237 local region="$(config-get region)"
238 local quantum_url="$scheme://$host:9696"
216239
217 # these are the default endpoints240 # these are the default endpoints
218 relation-set nova_service="nova" \241 relation-set nova_service="nova" \
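Review bot: On new lines 210-211, `is_clustered && local host=$(config-get vip) || local host=$(unit-get private-address)` never falls back when `vip` is unset, because `local` returns 0 whatever the command substitution produced. A clustered unit with an empty `vip` would then register endpoints of the form `$scheme://:8774/...` in the catalog. Declare `local host` first, assign separately, and return with a juju-log message if the result is empty. Separately, line 231 assigns `scheme` without `local` while lines 224 and 226 declare it local; declare it once before the `if`. The new comment also has typos ("insepcting", "mulitple").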
@@ -232,7 +255,6 @@
232 s3_internal_url="$s3_url"255 s3_internal_url="$s3_url"
233256
234 if [ "$(config-get network-manager)" == "Quantum" ]; then257 if [ "$(config-get network-manager)" == "Quantum" ]; then
235 quantum_url="http://$address:$quantum_port"
236 relation-set quantum_service="quantum" \258 relation-set quantum_service="quantum" \
237 quantum_region="$region" \259 quantum_region="$region" \
238 quantum_public_url="$quantum_url" \260 quantum_public_url="$quantum_url" \
@@ -242,7 +264,7 @@
242264
243 # tack on an endpoint for nova-volume a relation exists.265 # tack on an endpoint for nova-volume a relation exists.
244 if [[ -n "$(relation-ids nova-volume-service)" ]] ; then266 if [[ -n "$(relation-ids nova-volume-service)" ]] ; then
245 nova_vol_url="http://$address:$vol_port/v1/\$(tenant_id)s"267 nova_vol_url="$scheme://$host:$vol_port/v1/\$(tenant_id)s"
246 relation-set nova-volume_service="nova-volume" \268 relation-set nova-volume_service="nova-volume" \
247 nova-volume_region="$region" \269 nova-volume_region="$region" \
248 nova-volume_public_url="$nova_vol_url" \270 nova-volume_public_url="$nova_vol_url" \
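Review bot: New line 267 still expands `$vol_port`, but the earlier hunk in this function removed both `vol_port=18776` and `vol_port=8776` and replaced the other port variables with literals. Unless `vol_port` is set somewhere outside the lines shown, the nova-volume endpoint is registered as `$scheme://$host:/v1/$(tenant_id)s`. Use the literal 8776 here, as ha_relation_changed does on new line 616, or define the port once and use it in both places.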
@@ -281,6 +303,13 @@
281 sed -i '/--use_deprecated_auth/d' $NOVA_CONF303 sed -i '/--use_deprecated_auth/d' $NOVA_CONF
282 fi304 fi
283305
306 local clustered=""
307 is_clustered && clustered="1"
308
309 [[ -n "$clustered" ]] && local host=$(config-get vip) ||
310 local host=$(unit-get private-address)
311 https && local scheme="https" || local scheme="http"
312
284 # update keystone authtoken settings accordingly313 # update keystone authtoken settings accordingly
285 set_or_update "service_host" "$service_host" "$API_CONF"314 set_or_update "service_host" "$service_host" "$API_CONF"
286 set_or_update "service_port" "$service_port" "$API_CONF"315 set_or_update "service_port" "$service_port" "$API_CONF"
@@ -296,7 +325,7 @@
296 if [ "$NET_MANAGER" == "Quantum" ]; then325 if [ "$NET_MANAGER" == "Quantum" ]; then
297 # Configure Nova for quantum326 # Configure Nova for quantum
298 keystone_url="http://${auth_host}:${auth_port}/v2.0"327 keystone_url="http://${auth_host}:${auth_port}/v2.0"
299 set_or_update "quantum_url" "http://$(unit-get private-address):9696"328 set_or_update "quantum_url" "$scheme://$host:9696"
300 set_or_update "quantum_admin_tenant_name" "${service_tenant}"329 set_or_update "quantum_admin_tenant_name" "${service_tenant}"
301 set_or_update "quantum_admin_username" "${service_username}"330 set_or_update "quantum_admin_username" "${service_username}"
302 set_or_update "quantum_admin_password" "${service_password}"331 set_or_update "quantum_admin_password" "${service_password}"
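Review bot: `keystone_url` on the context line above new line 328 stays hard-coded to `http://` while `quantum_url` now follows `$scheme`. The lines below it configure the quantum admin username and password, so if keystone is also moved to HTTPS by the companion merge proposals, this URL needs the same treatment or authentication against keystone will either fail or continue over plaintext. Derive the keystone scheme from the identity-service relation data rather than fixing it here.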
@@ -320,11 +349,15 @@
320 determine_services && service_ctl all restart349 determine_services && service_ctl all restart
321350
322 if [ "$NET_MANAGER" == "Quantum" ]; then351 if [ "$NET_MANAGER" == "Quantum" ]; then
323 configure_quantum_networking352 # if first time here, config quantum before setting up
353 # https.
354 if [[ -z "$clustered" ]] && eligible_leader ; then
355 configure_quantum_networking
356 fi
324 # ripple out changes to identity to connected services357 # ripple out changes to identity to connected services
325 # which use cloud-controller as source of information for358 # which use cloud-controller as source of information for
326 # keystone359 # keystone
327 r_ids="$(relation-ids cloud-compute) $(relation-ids quantum-network-service)"360 local r_ids="$(relation-ids cloud-compute) $(relation-ids quantum-network-service)"
328 for id in $r_ids ; do361 for id in $r_ids ; do
329 relation-set -r $id \362 relation-set -r $id \
330 keystone_host=$auth_host \363 keystone_host=$auth_host \
@@ -339,6 +372,15 @@
339372
340 done373 done
341 fi374 fi
375 configure_https
376
377 # if this changed event happens as a result of clustered VIP
378 # reconfigure, configure_https needs to update VIP certificate
379 # before quantumclient is used.
380 if [[ "$NET_MANAGER" == "Quantum" ]] &&
381 [[ -n "$clustered" ]] && eligible_leader 'res_nova_vip' ; then
382 configure_quantum_networking
383 fi
342}384}
343385
344volume_joined() {386volume_joined() {
@@ -390,19 +432,19 @@
390}432}
391433
392compute_joined() {434compute_joined() {
393 if is_clustered && ! is_leader 'res_nova_vip'; then435 local r_id="$1"
394 # Clustered and not current leader - do nothing436 [[ -n "$r_id" ]] && r_id="-r $r_id"
395 return 0437 eligible_leader 'res_nova_vip' || return 0
396 fi438 relation-set $r_id network_manager=$(config-get network-manager)
397439 # XXX Should point to VIP if clustered, or this may not even be needed.
398 relation-set network_manager=$(config-get network-manager)440 relation-set $r_id ec2_host=$(unit-get private-address)
399 relation-set ec2_host=$(unit-get private-address)
400441
401 local sect="filter:authtoken"442 local sect="filter:authtoken"
402 keystone_host=$(local_config_get $API_CONF auth_host $sect)443 keystone_host=$(local_config_get $API_CONF auth_host $sect)
444
403 if [ "$NET_MANAGER" == "Quantum" ]; then445 if [ "$NET_MANAGER" == "Quantum" ]; then
404 if [ -n "$keystone_host" ]; then446 if [[ -n "$keystone_host" ]]; then
405 relation-set \447 relation-set $r_id \
406 keystone_host=$keystone_host \448 keystone_host=$keystone_host \
407 auth_port=$(local_config_get $API_CONF auth_port $sect) \449 auth_port=$(local_config_get $API_CONF auth_port $sect) \
408 service_port=$(local_config_get $API_CONF service_port $sect) \450 service_port=$(local_config_get $API_CONF service_port $sect) \
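Review bot: The XXX on new line 439 should be resolved before merge: `ec2_host` on line 440 is always the unit's private address, while the rest of this change advertises the VIP when clustered, so compute nodes get an address that does not match the catalog. Either send the VIP when is_clustered, or drop the setting if nothing consumes it. As a style point, `r_id="-r $r_id"` on line 436 relies on unquoted word splitting at every `relation-set $r_id` call; an array or a small wrapper would be more robust, and `r_id` is checked after eligible_leader could have been checked first to avoid the work on non-leaders.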
@@ -410,19 +452,24 @@
410 service_password=$(local_config_get $API_CONF admin_password $sect) \452 service_password=$(local_config_get $API_CONF admin_password $sect) \
411 service_tenant=$(local_config_get $API_CONF admin_tenant_name $sect) \453 service_tenant=$(local_config_get $API_CONF admin_tenant_name $sect) \
412 auth_uri=$(local_config_get $API_CONF auth_uri $sect)454 auth_uri=$(local_config_get $API_CONF auth_uri $sect)
413 fi455
414456 fi
415 if is_clustered; then457 is_clustered && local host=$(config-get vip) ||
416 quantum_host=$(config-get vip)458 local host=$(unit-get private-address)
417 quantum_port=19696459 https && local scheme="https" || local scheme="http"
418 else460 local quantum_url="$scheme://$host:9696"
419 quantum_host=$(unit-get private-address)461
420 quantum_port=9696462 relation-set $r_id quantum_url=$quantum_url \
421 fi463 quantum_plugin=$(config-get quantum-plugin) \
422464 region=$(config-get region)
423 relation-set quantum_host=$quantum_host \465
424 quantum_port=$quantum_port \466 fi
425 quantum_plugin=$(config-get quantum-plugin)467
468 # must pass on the keystone CA certficiate, if it exists.
469 cert="/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt"
470 if [[ -n "$keystone_host" ]] && [[ -e $cert ]] ; then
471 cert=$(cat $cert | base64)
472 relation-set $r_id ca_cert="$cert"
426 fi473 fi
427474
428 # volume driver is dependent on os version, or presence475 # volume driver is dependent on os version, or presence
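Review bot: On new lines 469-472, `cert` is first the file path and then the encoded contents, and it is not declared `local`, so it leaks into the hook's global scope. GNU `base64` also wraps its output at 76 columns by default, so `ca_cert` is sent with embedded newlines; confirm the receiving charms decode that correctly or use `base64 -w 0`. `cat $cert | base64` can be `base64 "$cert"`. The identical block is added again in quantum_joined (new lines 524-529), so a shared helper would keep the two from drifting. The comment has a typo ("certficiate").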
@@ -434,11 +481,10 @@
434 vol_drv="nova-volume"481 vol_drv="nova-volume"
435 ;;482 ;;
436 "folsom")483 "folsom")
437 local r_ids=$(relation-ids cinder-volume-service)484 [[ -z "$(relation-ids cinder-volume-service)" ]] && vol_drv="nova-volume"
438 [[ -z "$r_ids" ]] && vol_drv="nova-volume"
439 ;;485 ;;
440 esac486 esac
441 relation-set volume_service="$vol_drv"487 relation-set $r_id volume_service="$vol_drv"
442}488}
443489
444compute_changed() {490compute_changed() {
@@ -458,15 +504,14 @@
458504
459function quantum_joined() {505function quantum_joined() {
460 # Tell quantum service about keystone506 # Tell quantum service about keystone
461 if is_clustered && ! is_leader 'res_nova_vip'; then507 eligible_leader || return 0
462 # Clustered and not current leader - do nothing508 local r_id="$1"
463 return 0509 [[ -n "$r_id" ]] && r_id="-r $r_id"
464 fi
465510
466 local sect="filter:authtoken"511 local sect="filter:authtoken"
467 keystone_host=$(local_config_get $API_CONF auth_host $sect)512 keystone_host=$(local_config_get $API_CONF auth_host $sect)
468 if [ -n "$keystone_host" ]; then513 if [ -n "$keystone_host" ]; then
469 relation-set \514 relation-set $r_id \
470 keystone_host=$keystone_host \515 keystone_host=$keystone_host \
471 auth_port=$(local_config_get $API_CONF auth_port $sect) \516 auth_port=$(local_config_get $API_CONF auth_port $sect) \
472 service_port=$(local_config_get $API_CONF service_port $sect) \517 service_port=$(local_config_get $API_CONF service_port $sect) \
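Review bot: New line 507 calls `eligible_leader` with no resource name, while compute_joined and the identity-service code in this same change call `eligible_leader 'res_nova_vip'`. If the helper needs the resource to decide leadership in a clustered deployment, this call will give a different answer from the others. Pass 'res_nova_vip' here as well, or document that the argument is optional.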
@@ -476,24 +521,50 @@
476 auth_uri=$(local_config_get $API_CONF auth_uri $sect)521 auth_uri=$(local_config_get $API_CONF auth_uri $sect)
477 fi522 fi
478523
479 if is_clustered; then524 # must pass on the keystone CA certficiate, if it exists.
480 quantum_host=$(config-get vip)525 cert="/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt"
481 quantum_port=19696526 if [[ -n "$keystone_host" ]] && [[ -e $cert ]] ; then
482 else527 cert=$(cat $cert | base64)
483 quantum_host=$(unit-get private-address)528 relation-set $r_id ca_cert="$cert"
484 quantum_port=9696
485 fi529 fi
486530
487 relation-set quantum_host=$quantum_host \531 is_clustered && local host=$(config-get vip) ||
488 quantum_port=$quantum_port \532 local host=$(unit-get private-address)
489 quantum_plugin=$(config-get quantum-plugin) \533 https && local scheme="https" || local scheme="http"
490 region=$(config-get region)534 local quantum_url="$scheme://$host:9696"
535
536 relation-set $r_id quantum_url=$quantum_url \
537 quantum_plugin=$(config-get quantum-plugin) \
538 region=$(config-get region)
539
491}540}
492541
493function cluster_changed() {542function cluster_changed() {
494 configure_haproxy "quantum_api:9696" "nova_api:8774" \543 [[ -z "$(peer_units)" ]] &&
495 "ec2_api:8773" "s3_api:3333" \544 juju-log "cluster_changed() with no peers." && exit 0
496 "volume_api:8776"545 # upstartService:defaultPort:configOption
546 local svcs="nova-api-ec2:8773:ec2_listen_port
547 nova-api-os-compute:8774:osapi_compute_listen_port
548 nova-objectstore:3333:s3_listen_port"
549 [[ "$NET_MANAGER" == "Quantum" ]] &&
550 svcs="$svcs quantum-server:9696:bind_port"
551
552 for s in $svcs ; do
553 local service=$(echo $s | cut -d: -f1)
554 local port=$(echo $s | cut -d: -f2)
555 local opt=$(echo $s | cut -d: -f3)
556 local next_server="$(determine_haproxy_port $port)"
557 local api_port="$(determine_api_port $port)"
558 local haproxy_port_maps="$haproxy_port_maps $service:$next_server:$api_port"
559 if [[ "$service" == "quantum-server" ]] ; then
560 set_or_update "$opt" "$api_port" "$QUANTUM_CONF"
561 else
562 set_or_update "$opt" "$api_port"
563 fi
564
565 service_ctl $service restart
566 done
567 configure_haproxy $haproxy_port_maps
497}568}
498569
499function ha_relation_joined() {570function ha_relation_joined() {
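Review bot: The guard on new lines 543-544 chains `juju-log` and `exit 0` with `&&`, so the early exit only happens if juju-log succeeds, and `exit 0` ends the whole hook rather than just this function. Use an explicit `if` block with `return 0`. In the loop that follows, each service is moved to `$api_port` and restarted on line 565 before `configure_haproxy` runs on line 567; if determine_api_port returns something other than the default port, nothing is listening on the default port during that window. Consider configuring haproxy first, or restarting the services after the loop.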
@@ -518,13 +589,13 @@
518 init_services="{589 init_services="{
519'res_nova_haproxy':'haproxy'590'res_nova_haproxy':'haproxy'
520}"591}"
521 groups="{592 clones="{
522'grp_nova_haproxy':'res_nova_vip res_nova_haproxy'593'cl_nova_haproxy':'res_nova_haproxy'
523}"594}"
524 relation-set corosync_bindiface=$corosync_bindiface \595 relation-set corosync_bindiface=$corosync_bindiface \
525 corosync_mcastport=$corosync_mcastport \596 corosync_mcastport=$corosync_mcastport \
526 resources="$resources" resource_params="$resource_params" \597 resources="$resources" resource_params="$resource_params" \
527 init_services="$init_services" groups="$groups"598 init_services="$init_services" clones="$clones"
528 else599 else
529 juju-log "Insufficient configuration data to configure hacluster"600 juju-log "Insufficient configuration data to configure hacluster"
530 exit 1601 exit 1
@@ -534,45 +605,57 @@
534function ha_relation_changed() {605function ha_relation_changed() {
535 local clustered=`relation-get clustered`606 local clustered=`relation-get clustered`
536 if [ -n "$clustered" ] && is_leader 'res_nova_vip'; then607 if [ -n "$clustered" ] && is_leader 'res_nova_vip'; then
608 https && local scheme="https" || local scheme="http"
537 for r_id in `relation-ids identity-service`; do609 for r_id in `relation-ids identity-service`; do
538 address=$(config-get vip)610 local address=$(config-get vip)
539 nova_url="http://$address:18774/v1.1/\$(tenant_id)s"611 local region=$(config-get region)
540 ec2_url="http://$address:18773/services/Cloud"612 local nova_url="$scheme://$address:8774/v1.1/\$(tenant_id)s"
541 s3_url="http://$address:13333"613 local ec2_url="$scheme://$address:8773/services/Cloud"
614 local s3_url="$scheme://$address:3333"
615 local quantum_url="$scheme://$address:9696"
616 local nova_vol_url="$scheme://$address:8776/v1/\$(tenant_id)s"
617
542 relation-set -r $r_id \618 relation-set -r $r_id \
619 nova_service="nova" \
620 nova_region="$region" \
543 nova_public_url="$nova_url" \621 nova_public_url="$nova_url" \
544 nova_admin_url="$nova_url" \622 nova_admin_url="$nova_url" \
545 nova_internal_url="$nova_url" \623 nova_internal_url="$nova_url" \
624 ec2_service="ec2" \
625 ec2_region="$region" \
546 ec2_public_url="$ec2_url" \626 ec2_public_url="$ec2_url" \
547 ec2_admin_url="$ec2_url" \627 ec2_admin_url="$ec2_url" \
548 ec2_internal_url="$ec2_url" \628 ec2_internal_url="$ec2_url" \
629 s3_service="s3" \
630 s3_region="$region" \
549 s3_public_url="$s3_url" \631 s3_public_url="$s3_url" \
550 s3_admin_url="$s3_url" \632 s3_admin_url="$s3_url" \
551 s3_internal_url="$s3_url"633 s3_internal_url="$s3_url"
552634
553 if [ "$(config-get network-manager)" == "Quantum" ]; then635 if [ "$(config-get network-manager)" == "Quantum" ]; then
554 quantum_url="http://$address:19696"
555 relation-set -r $r_id \636 relation-set -r $r_id \
637 quantum_service="quantum" \
638 quantum_region="$region" \
556 quantum_public_url="$quantum_url" \639 quantum_public_url="$quantum_url" \
557 quantum_admin_url="$quantum_url" \640 quantum_admin_url="$quantum_url" \
558 quantum_internal_url="$quantum_url"641 quantum_internal_url="$quantum_url"
559 fi642 fi
560643
561 if [[ -n "$(relation-ids nova-volume-service)" ]] ; then644 if [[ -n "$(relation-ids nova-volume-service)" ]] ; then
562 nova_vol_url="http://$address:18776/v1/\$(tenant_id)s"
563 relation-set -r $r_id \645 relation-set -r $r_id \
646 nova-volume_service="nova-volume" \
647 nova-volume_region="$region" \
564 nova-volume_public_url="$nova_vol_url" \648 nova-volume_public_url="$nova_vol_url" \
565 nova-volume_admin_url="$nova_vol_url" \649 nova-volume_admin_url="$nova_vol_url" \
566 nova-volume_internal_url="$nova_vol_url"650 nova-volume_internal_url="$nova_vol_url"
567 fi651 fi
568 done652 done
569 if [ "$(config-get network-manager)" == "Quantum" ]; then653 if [ "$(config-get network-manager)" == "Quantum" ]; then
570 # Let gateway nodes use the new HA address for the 654 # Let gateway nodes use the new HA address for the
571 # quantum API server655 # quantum API server
572 for r_id in `relation-ids quantum-network-service`; do656 for r_id in `relation-ids quantum-network-service`; do
573 relation-set -r $r_id \657 relation-set -r $r_id \
574 quantum_host=$address658 quantum_url="$quantum_url" region="$region"
575 quantum_port=19696
576 done659 done
577 fi660 fi
578 fi661 fi
579662
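Review bot: `address`, `region` and `quantum_url` are assigned inside the `for r_id in relation-ids identity-service` loop (new lines 610-615) but are used again after it, on line 658, for the quantum-network-service relations. If there is no identity-service relation yet, the gateway nodes receive an empty `quantum_url` and `region`. Move these assignments above the loop; they do not depend on `r_id`. Note also that this function hard-codes 8776 for nova-volume on line 616 while the identity-service joined code uses `$vol_port`; the two should build the URL the same way.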
=== modified file 'revision'
--- revision 2013-03-05 01:41:05 +0000
+++ revision 2013-03-09 04:30:28 +0000
@@ -1,1 +1,1 @@
12141236
