Merge lp:~gandelman-a/charms/precise/nova-compute/https_endpoint into lp:~openstack-charmers/charms/precise/nova-compute/ha-support

Proposed by Adam Gandelman
Status: Merged
Merged at revision: 48
Proposed branch: lp:~gandelman-a/charms/precise/nova-compute/https_endpoint
Merge into: lp:~openstack-charmers/charms/precise/nova-compute/ha-support
Diff against target: 383 lines (+231/-20)
4 files modified
hooks/lib/openstack-common (+219/-18)
hooks/nova-compute-common (+1/-1)
hooks/nova-compute-relations (+10/-0)
revision (+1/-1)
To merge this branch: bzr merge lp:~gandelman-a/charms/precise/nova-compute/https_endpoint
Reviewer Review Type Date Requested Status
James Page Approve
Review via email: mp+150381@code.launchpad.net

Description of the change

Required nova-compute changes for HTTPS support.

Revision history for this message
James Page (james-page) wrote :

Works for me!

review: Approve
52. By Adam Gandelman

Rebase against current ha-support branch.


=== modified file 'hooks/lib/openstack-common'
--- hooks/lib/openstack-common 2013-03-08 21:13:57 +0000
+++ hooks/lib/openstack-common 2013-03-08 21:37:22 +0000
@@ -321,7 +321,6 @@
321321
322HAPROXY_CFG=/etc/haproxy/haproxy.cfg322HAPROXY_CFG=/etc/haproxy/haproxy.cfg
323HAPROXY_DEFAULT=/etc/default/haproxy323HAPROXY_DEFAULT=/etc/default/haproxy
324
325##########################################################################324##########################################################################
326# Description: Configures HAProxy services for Openstack API's325# Description: Configures HAProxy services for Openstack API's
327# Parameters:326# Parameters:
@@ -330,9 +329,8 @@
330# assumes the name of the peer relation is 'cluster' and that every329# assumes the name of the peer relation is 'cluster' and that every
331# service unit in the peer relation is running the same services.330# service unit in the peer relation is running the same services.
332#331#
333# The HAProxy service will listen on port + 10000.332# Example
334# Example:333# configure_haproxy cinder_api:8776:8756i nova_api:8774:8764
335# configure_haproxy cinder_api:12345 nova_api:9999
336##########################################################################334##########################################################################
337configure_haproxy() {335configure_haproxy() {
338 local address=`unit-get private-address`336 local address=`unit-get private-address`
@@ -368,14 +366,18 @@
368EOF366EOF
369 for service in $@; do367 for service in $@; do
370 local service_name=$(echo $service | cut -d : -f 1)368 local service_name=$(echo $service | cut -d : -f 1)
371 local api_listen_port=$(echo $service | cut -d : -f 2)369 local haproxy_listen_port=$(echo $service | cut -d : -f 2)
372 local haproxy_listen_port=$(($api_listen_port + 10000))370 local api_listen_port=$(echo $service | cut -d : -f 3)
371 juju-log "Adding haproxy configuration entry for $service "\
372 "($haproxy_listen_port -> $api_listen_port)"
373 cat >> $HAPROXY_CFG << EOF373 cat >> $HAPROXY_CFG << EOF
374listen $service_name 0.0.0.0:$haproxy_listen_port374listen $service_name 0.0.0.0:$haproxy_listen_port
375 balance roundrobin375 balance roundrobin
376 option tcplog376 option tcplog
377 server $name $address:$api_listen_port check377 server $name $address:$api_listen_port check
378EOF378EOF
379 local r_id=""
380 local unit=""
379 for r_id in `relation-ids cluster`; do381 for r_id in `relation-ids cluster`; do
380 for unit in `relation-list -r $r_id`; do382 for unit in `relation-list -r $r_id`; do
381 local unit_name=${unit////-}383 local unit_name=${unit////-}
@@ -388,6 +390,7 @@
388 done390 done
389 done391 done
390 echo "ENABLED=1" > $HAPROXY_DEFAULT392 echo "ENABLED=1" > $HAPROXY_DEFAULT
393 service haproxy restart
391}394}
392395
393##########################################################################396##########################################################################
@@ -395,18 +398,20 @@
395# Returns: 0 if configured, 1 if not configured398# Returns: 0 if configured, 1 if not configured
396##########################################################################399##########################################################################
397is_clustered() {400is_clustered() {
401 local r_id=""
402 local unit=""
398 for r_id in $(relation-ids ha); do403 for r_id in $(relation-ids ha); do
399 if [ -n "$r_id" ]; then404 if [ -n "$r_id" ]; then
400 for unit in $(relation-list -r $r_id); do405 for unit in $(relation-list -r $r_id); do
401 clustered=$(relation-get -r $r_id clustered $unit)406 clustered=$(relation-get -r $r_id clustered $unit)
402 if [ -n "$clustered" ]; then407 if [ -n "$clustered" ]; then
403 echo "Unit is clustered"408 juju-log "Unit is haclustered"
404 return 0409 return 0
405 fi410 fi
406 done411 done
407 fi412 fi
408 done413 done
409 echo "Unit is not clustered"414 juju-log "Unit is not haclustered"
410 return 1415 return 1
411}416}
412417
@@ -415,6 +420,7 @@
415##########################################################################420##########################################################################
416peer_units() {421peer_units() {
417 local peers=""422 local peers=""
423 local r_id=""
418 for r_id in $(relation-ids cluster); do424 for r_id in $(relation-ids cluster); do
419 peers="$peers $(relation-list -r $r_id)"425 peers="$peers $(relation-list -r $r_id)"
420 done426 done
@@ -433,11 +439,11 @@
433 echo "Comparing $JUJU_UNIT_NAME with peers: $peers"439 echo "Comparing $JUJU_UNIT_NAME with peers: $peers"
434 local r_unit_no=$(echo $peer | cut -d / -f 2)440 local r_unit_no=$(echo $peer | cut -d / -f 2)
435 if (($r_unit_no<$l_unit_no)); then441 if (($r_unit_no<$l_unit_no)); then
436 echo "Not oldest peer; deferring"442 juju-log "Not oldest peer; deferring"
437 return 1443 return 1
438 fi444 fi
439 done445 done
440 echo "Oldest peer; might take charge?"446 juju-log "Oldest peer; might take charge?"
441 return 0447 return 0
442}448}
443449
@@ -451,13 +457,13 @@
451eligible_leader() {457eligible_leader() {
452 if is_clustered; then458 if is_clustered; then
453 if ! is_leader $1; then459 if ! is_leader $1; then
454 echo 'Deferring action to CRM leader'460 juju-log 'Deferring action to CRM leader'
455 return 1461 return 1
456 fi462 fi
457 else463 else
458 peers=$(peer_units)464 peers=$(peer_units)
459 if [ -n "$peers" ] && ! oldest_peer "$peers"; then465 if [ -n "$peers" ] && ! oldest_peer "$peers"; then
460 echo 'Deferring action to oldest service unit.'466 juju-log 'Deferring action to oldest service unit.'
461 return 1467 return 1
462 fi468 fi
463 fi469 fi
@@ -469,14 +475,14 @@
469# Returns: 0 if peered, 1 if not peered475# Returns: 0 if peered, 1 if not peered
470##########################################################################476##########################################################################
471is_peered() {477is_peered() {
472 r_id=$(relation-ids cluster)478 local r_id=$(relation-ids cluster)
473 if [ -n "$r_id" ]; then479 if [ -n "$r_id" ]; then
474 if [ -n "$(relation-list -r $r_id)" ]; then480 if [ -n "$(relation-list -r $r_id)" ]; then
475 echo "Unit peered"481 juju-log "Unit peered"
476 return 0482 return 0
477 fi483 fi
478 fi484 fi
479 echo "Unit not peered"485 juju-log "Unit not peered"
480 return 1486 return 1
481}487}
482488
@@ -489,12 +495,207 @@
489 hostname=`hostname`495 hostname=`hostname`
490 if [ -x /usr/sbin/crm ]; then496 if [ -x /usr/sbin/crm ]; then
491 if crm resource show $1 | grep -q $hostname; then497 if crm resource show $1 | grep -q $hostname; then
492 echo "$hostname is cluster leader"498 juju-log "$hostname is cluster leader."
493 return 0499 return 0
494 fi500 fi
495 fi501 fi
496 echo "$hostname is not cluster leader"502 juju-log "$hostname is not cluster leader."
497 return 1503 return 1
504}
505
506##########################################################################
507# Description: Determines whether enough data has been provided in
508# configuration or relation data to configure HTTPS.
509# Parameters: None
510# Returns: 0 if HTTPS can be configured, 1 if not.
511##########################################################################
512https() {
513 local r_id=""
514 if [[ -n "$(config-get ssl_cert)" ]] &&
515 [[ -n "$(config-get ssl_key)" ]] ; then
516 return 0
517 fi
518 for r_id in $(relation-ids identity-service) ; do
519 for unit in $(relation-list -r $r_id) ; do
520 if [[ "$(relation-get -r $r_id https_keystone $unit)" == "True" ]] &&
521 [[ -n "$(relation-get -r $r_id ssl_cert $unit)" ]] &&
522 [[ -n "$(relation-get -r $r_id ssl_key $unit)" ]] &&
523 [[ -n "$(relation-get -r $r_id ca_cert $unit)" ]] ; then
524 return 0
525 fi
526 done
527 done
528 return 1
529}
530
531##########################################################################
532# Description: For a given number of port mappings, configures apache2
533# HTTPs local reverse proxying using certficates and keys provided in
534# either configuration data (preferred) or relation data. Assumes ports
535# are not in use (calling charm should ensure that).
536# Parameters: Variable number of proxy port mappings as
537# $internal:$external.
538# Returns: 0 if reverse proxy(s) have been configured, 0 if not.
539##########################################################################
540enable_https() {
541 local port_maps="$@"
542 local http_restart=""
543 juju-log "Enabling HTTPS for port mappings: $port_maps."
544
545 # allow overriding of keystone provided certs with those set manually
546 # in config.
547 local cert=$(config-get ssl_cert)
548 local key=$(config-get ssl_key)
549 local ca_cert=""
550 if [[ -z "$cert" ]] || [[ -z "$key" ]] ; then
551 juju-log "Inspecting identity-service relations for SSL certificate."
552 local r_id=""
553 cert=""
554 key=""
555 ca_cert=""
556 for r_id in $(relation-ids identity-service) ; do
557 for unit in $(relation-list -r $r_id) ; do
558 [[ -z "$cert" ]] && cert="$(relation-get -r $r_id ssl_cert $unit)"
559 [[ -z "$key" ]] && key="$(relation-get -r $r_id ssl_key $unit)"
560 [[ -z "$ca_cert" ]] && ca_cert="$(relation-get -r $r_id ca_cert $unit)"
561 done
562 done
563 [[ -n "$cert" ]] && cert=$(echo $cert | base64 -di)
564 [[ -n "$key" ]] && key=$(echo $key | base64 -di)
565 [[ -n "$ca_cert" ]] && ca_cert=$(echo $ca_cert | base64 -di)
566 else
567 juju-log "Using SSL certificate provided in service config."
568 fi
569
570 [[ -z "$cert" ]] || [[ -z "$key" ]] &&
571 juju-log "Expected but could not find SSL certificate data, not "\
572 "configuring HTTPS!" && return 1
573
574 apt-get -y install apache2
575 a2enmod ssl proxy proxy_http | grep -v "To activate the new configuration" &&
576 http_restart=1
577
578 mkdir -p /etc/apache2/ssl/$CHARM
579 echo "$cert" >/etc/apache2/ssl/$CHARM/cert
580 echo "$key" >/etc/apache2/ssl/$CHARM/key
581 if [[ -n "$ca_cert" ]] ; then
582 juju-log "Installing Keystone supplied CA cert."
583 echo "$ca_cert" >/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
584 update-ca-certificates --fresh
585
586 # XXX TODO: Find a better way of exporting this?
587 if [[ "$CHARM" == "nova-cloud-controller" ]] ; then
588 [[ -e /var/www/keystone_juju_ca_cert.crt ]] &&
589 rm -rf /var/www/keystone_juju_ca_cert.crt
590 ln -s /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt \
591 /var/www/keystone_juju_ca_cert.crt
592 fi
593
594 fi
595 for port_map in $port_maps ; do
596 local ext_port=$(echo $port_map | cut -d: -f1)
597 local int_port=$(echo $port_map | cut -d: -f2)
598 juju-log "Creating apache2 reverse proxy vhost for $port_map."
599 cat >/etc/apache2/sites-available/${CHARM}_${ext_port} <<END
600Listen $ext_port
601NameVirtualHost *:$ext_port
602<VirtualHost *:$ext_port>
603 ServerName $(unit-get private-address)
604 SSLEngine on
605 SSLCertificateFile /etc/apache2/ssl/$CHARM/cert
606 SSLCertificateKeyFile /etc/apache2/ssl/$CHARM/key
607 ProxyPass / http://localhost:$int_port/
608 ProxyPassReverse / http://localhost:$int_port/
609 ProxyPreserveHost on
610</VirtualHost>
611<Proxy *>
612 Order deny,allow
613 Allow from all
614</Proxy>
615<Location />
616 Order allow,deny
617 Allow from all
618</Location>
619END
620 a2ensite ${CHARM}_${ext_port} | grep -v "To activate the new configuration" &&
621 http_restart=1
622 done
623 if [[ -n "$http_restart" ]] ; then
624 service apache2 restart
625 fi
626}
627
628##########################################################################
629# Description: Ensure HTTPS reverse proxying is disabled for given port
630# mappings.
631# Parameters: Variable number of proxy port mappings as
632# $internal:$external.
633# Returns: 0 if reverse proxy is not active for all portmaps, 1 on error.
634##########################################################################
635disable_https() {
636 local port_maps="$@"
637 local http_restart=""
638 juju-log "Ensuring HTTPS disabled for $port_maps."
639 ( [[ ! -d /etc/apache2 ]] || [[ ! -d /etc/apache2/ssl/$CHARM ]] ) && return 0
640 for port_map in $port_maps ; do
641 local ext_port=$(echo $port_map | cut -d: -f1)
642 local int_port=$(echo $port_map | cut -d: -f2)
643 if [[ -e /etc/apache2/sites-available/${CHARM}_${ext_port} ]] ; then
644 juju-log "Disabling HTTPS reverse proxy for $CHARM $port_map."
645 a2dissite ${CHARM}_${ext_port} | grep -v "To activate the new configuration" &&
646 http_restart=1
647 fi
648 done
649 if [[ -n "$http_restart" ]] ; then
650 service apache2 restart
651 fi
652}
653
654
655##########################################################################
656# Description: Ensures HTTPS is either enabled or disabled for given port
657# mapping.
658# Parameters: Variable number of proxy port mappings as
659# $internal:$external.
660# Returns: 0 if HTTPS reverse proxy is in place, 1 if it is not.
661##########################################################################
662setup_https() {
663 # configure https via apache reverse proxying either
664 # using certs provided by config or keystone.
665 [[ -z "$CHARM" ]] &&
666 error_out "setup_https(): CHARM not set."
667 if ! https ; then
668 disable_https $@
669 else
670 enable_https $@
671 fi
672}
673
674##########################################################################
675# Description: Determine correct API server listening port based on
676# existence of HTTPS reverse proxy and/or haproxy.
677# Paremeters: The standard public port for given service.
678# Returns: The correct listening port for API service.
679##########################################################################
680determine_api_port() {
681 local public_port="$1"
682 local i=0
683 ( [[ -n "$(peer_units)" ]] || is_clustered >/dev/null 2>&1 ) && i=$[$i + 1]
684 https >/dev/null 2>&1 && i=$[$i + 1]
685 echo $[$public_port - $[$i * 10]]
686}
687
688##########################################################################
689# Description: Determine correct proxy listening port based on public IP +
690# existence of HTTPS reverse proxy.
691# Paremeters: The standard public port for given service.
692# Returns: The correct listening port for haproxy service public address.
693##########################################################################
694determine_haproxy_port() {
695 local public_port="$1"
696 local i=0
697 https >/dev/null 2>&1 && i=$[$i + 1]
698 echo $[$public_port - $[$i * 10]]
498}699}
499700
500##########################################################################701##########################################################################
501702
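Review bot: In enable_https the TLS private key is written with `echo "$key" >/etc/apache2/ssl/$CHARM/key` under whatever umask the hook inherited (presumably 022), so the key that fronts the public API lands world-readable and the `mkdir -p` directory is 0755; any local account on the unit can read it. Create the directory and write the key with restricted permissions, e.g. `install -d -m 0700 /etc/apache2/ssl/$CHARM` and `(umask 077; echo "$key" >/etc/apache2/ssl/$CHARM/key)`; the cert file can stay readable. Separately, https() only accepts relation-supplied material when the unit sets `https_keystone` to "True", but enable_https pulls ssl_cert/ssl_key from any identity-service unit without that check, so the two functions can disagree about which material is in use; mirror the check in enable_https or state the asymmetry in its header comment.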
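--- a/hooks/nova-compute-common
+++ b/hooks/nova-compute-common
@@ -130,7 +130,7 @@
         && exit 0
     set_or_update "network_api_class" "nova.network.quantumv2.api.API"
     set_or_update "quantum_auth_strategy" "keystone"
-    set_or_update "quantum_url" "http://$(relation-get quantum_host):9696"
+    set_or_update "quantum_url" "$(relation-get quantum_url)"
     set_or_update "quantum_admin_tenant_name" "$(relation-get service_tenant)"
     set_or_update "quantum_admin_username" "$(relation-get service_username)"
     set_or_update "quantum_admin_password" "$(relation-get service_password)"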
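Review bot: The new line writes whatever `relation-get quantum_url` returns straight into nova.conf, so a nova-cloud-controller that has not yet published the key (or an older one that still only sends quantum_host) silently leaves quantum_url empty instead of deferring like the `&& exit 0` guard earlier in this function does. Read it into a variable first and bail out while it is unset, e.g. `local quantum_url="$(relation-get quantum_url)"` followed by `[[ -n "$quantum_url" ]] || { juju-log "quantum_url not yet available, deferring"; exit 0; }`. The enclosing function starts outside the hunk.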
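--- a/hooks/nova-compute-relations
+++ b/hooks/nova-compute-relations
@@ -217,6 +217,16 @@
         esac
     fi
 
+    # If Keytone is configured manage SSL certs, nova-compute needs a copy
+    # of its CA installed.
+    local ca_cert="$(relation-get ca_cert)"
+    if [[ -n "$ca_cert" ]] ; then
+        juju-log "Installing Keystone CA certificate."
+        ca_cert="$(echo $ca_cert | base64 -di)"
+        echo "$ca_cert" >/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt
+        update-ca-certificates
+    fi
+
     # restart on all changed events. nova-c-c may send out a uuid to trigger
     # remote restarts of services here (after db migrations, for instance)
     service_ctl all restart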
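Review bot: The decoded `ca_cert` is dropped into the system trust store with no check that it is a PEM certificate, so a truncated or garbled relation value (or a bad `base64 -di` result, which still exits non-zero unnoticed) becomes `keystone_juju_ca_cert.crt` and is picked up by every TLS client on the compute node; relation data is trusted by design here, but malformed input should not corrupt the trust store. Validate before installing, e.g. `printf '%s\n' "$ca_cert" | openssl x509 -noout || { juju-log "Invalid ca_cert from identity-service, not installing."; return 1; }`, assuming openssl is present on the unit (it is a dependency of most of this stack, but worth confirming). The leading comment also reads `# If Keytone is configured manage SSL certs` and should be `# If Keystone is configured to manage SSL certs`. The enclosing hook function starts outside the hunk.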
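--- a/revision
+++ b/revision
@@ -1,1 +1,1 @@
-184
+186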
