Juju Charms Collection
neutron-openvswitch package

Merge lp:~james-page/charms/trusty/neutron-openvswitch/lp1515008-stable into lp:~gnuoy/charms/trusty/neutron-openvswitch/neutron-refactor

Trusty Tahr (14.04)
lp1515008-stable
Merge into neutron-refactor

Proposed by James Page on 2015-11-12

Status:

Superseded

Proposed branch:

lp:~james-page/charms/trusty/neutron-openvswitch/lp1515008-stable

Merge into:

lp:~gnuoy/charms/trusty/neutron-openvswitch/neutron-refactor

Diff against target:

16850 lines (+12934/-1250)

122 files modified

.bzrignore (+2/-0)
.project (+17/-0)
.pydevproject (+9/-0)
Makefile (+21/-6)
README.md (+134/-18)
actions.yaml (+2/-0)
actions/git_reinstall.py (+45/-0)
charm-helpers-hooks.yaml (+13/-0)
charm-helpers-sync.yaml (+0/-10)
charm-helpers-tests.yaml (+5/-0)
config.yaml (+101/-16)
hooks/charmhelpers/__init__.py (+38/-0)
hooks/charmhelpers/cli/__init__.py (+191/-0)
hooks/charmhelpers/cli/benchmark.py (+36/-0)
hooks/charmhelpers/cli/commands.py (+32/-0)
hooks/charmhelpers/cli/hookenv.py (+23/-0)
hooks/charmhelpers/cli/host.py (+31/-0)
hooks/charmhelpers/cli/unitdata.py (+39/-0)
hooks/charmhelpers/contrib/__init__.py (+15/-0)
hooks/charmhelpers/contrib/hahelpers/__init__.py (+15/-0)
hooks/charmhelpers/contrib/hahelpers/apache.py (+26/-3)
hooks/charmhelpers/contrib/hahelpers/ceph.py (+0/-297)
hooks/charmhelpers/contrib/hahelpers/cluster.py (+172/-39)
hooks/charmhelpers/contrib/network/__init__.py (+15/-0)
hooks/charmhelpers/contrib/network/ip.py (+456/-0)
hooks/charmhelpers/contrib/network/ovs/__init__.py (+22/-1)
hooks/charmhelpers/contrib/openstack/__init__.py (+15/-0)
hooks/charmhelpers/contrib/openstack/alternatives.py (+16/-0)
hooks/charmhelpers/contrib/openstack/amulet/__init__.py (+15/-0)
hooks/charmhelpers/contrib/openstack/amulet/deployment.py (+197/-0)
hooks/charmhelpers/contrib/openstack/amulet/utils.py (+963/-0)
hooks/charmhelpers/contrib/openstack/context.py (+963/-236)
hooks/charmhelpers/contrib/openstack/files/__init__.py (+18/-0)
hooks/charmhelpers/contrib/openstack/files/check_haproxy.sh (+32/-0)
hooks/charmhelpers/contrib/openstack/files/check_haproxy_queue_depth.sh (+30/-0)
hooks/charmhelpers/contrib/openstack/ip.py (+151/-0)
hooks/charmhelpers/contrib/openstack/neutron.py (+189/-4)
hooks/charmhelpers/contrib/openstack/templates/__init__.py (+16/-0)
hooks/charmhelpers/contrib/openstack/templates/ceph.conf (+12/-6)
hooks/charmhelpers/contrib/openstack/templates/git.upstart (+17/-0)
hooks/charmhelpers/contrib/openstack/templates/haproxy.cfg (+30/-8)
hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend (+9/-8)
hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend.conf (+9/-8)
hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken (+9/-0)
hooks/charmhelpers/contrib/openstack/templates/section-rabbitmq-oslo (+22/-0)
hooks/charmhelpers/contrib/openstack/templates/section-zeromq (+14/-0)
hooks/charmhelpers/contrib/openstack/templating.py (+74/-31)
hooks/charmhelpers/contrib/openstack/utils.py (+631/-104)
hooks/charmhelpers/contrib/python/__init__.py (+15/-0)
hooks/charmhelpers/contrib/python/packages.py (+121/-0)
hooks/charmhelpers/contrib/storage/__init__.py (+15/-0)
hooks/charmhelpers/contrib/storage/linux/__init__.py (+15/-0)
hooks/charmhelpers/contrib/storage/linux/ceph.py (+388/-118)
hooks/charmhelpers/contrib/storage/linux/loopback.py (+19/-3)
hooks/charmhelpers/contrib/storage/linux/lvm.py (+18/-1)
hooks/charmhelpers/contrib/storage/linux/utils.py (+44/-8)
hooks/charmhelpers/core/__init__.py (+15/-0)
hooks/charmhelpers/core/decorators.py (+57/-0)
hooks/charmhelpers/core/files.py (+45/-0)
hooks/charmhelpers/core/fstab.py (+134/-0)
hooks/charmhelpers/core/hookenv.py (+566/-37)
hooks/charmhelpers/core/host.py (+342/-53)
hooks/charmhelpers/core/hugepage.py (+69/-0)
hooks/charmhelpers/core/kernel.py (+68/-0)
hooks/charmhelpers/core/services/__init__.py (+18/-0)
hooks/charmhelpers/core/services/base.py (+353/-0)
hooks/charmhelpers/core/services/helpers.py (+283/-0)
hooks/charmhelpers/core/strutils.py (+72/-0)
hooks/charmhelpers/core/sysctl.py (+56/-0)
hooks/charmhelpers/core/templating.py (+68/-0)
hooks/charmhelpers/core/unitdata.py (+521/-0)
hooks/charmhelpers/fetch/__init__.py (+255/-107)
hooks/charmhelpers/fetch/archiveurl.py (+121/-17)
hooks/charmhelpers/fetch/bzrurl.py (+32/-3)
hooks/charmhelpers/fetch/giturl.py (+73/-0)
hooks/charmhelpers/payload/__init__.py (+16/-0)
hooks/charmhelpers/payload/execd.py (+16/-0)
hooks/neutron_ovs_context.py (+102/-30)
hooks/neutron_ovs_hooks.py (+87/-9)
hooks/neutron_ovs_utils.py (+339/-2)
metadata.yaml (+17/-3)
templates/ext-port.conf (+16/-0)
templates/git/neutron_sudoers (+4/-0)
templates/git/upstart/neutron-ovs-cleanup.upstart (+17/-0)
templates/git/upstart/neutron-plugin-openvswitch-agent.upstart (+18/-0)
templates/icehouse/dhcp_agent.ini (+14/-0)
templates/icehouse/metadata_agent.ini (+20/-0)
templates/icehouse/ml2_conf.ini (+16/-5)
templates/icehouse/neutron.conf (+6/-3)
templates/juno/fwaas_driver.ini (+7/-0)
templates/juno/l3_agent.ini (+7/-0)
templates/juno/metadata_agent.ini (+20/-0)
templates/juno/ml2_conf.ini (+43/-0)
templates/kilo/fwaas_driver.ini (+8/-0)
templates/kilo/neutron.conf (+42/-0)
templates/os-charm-phy-nic-mtu.conf (+22/-0)
tests/00-setup (+17/-0)
tests/014-basic-precise-icehouse (+11/-0)
tests/015-basic-trusty-icehouse (+9/-0)
tests/016-basic-trusty-juno (+11/-0)
tests/017-basic-trusty-kilo (+11/-0)
tests/019-basic-vivid-kilo (+9/-0)
tests/050-basic-trusty-icehouse-git (+9/-0)
tests/051-basic-trusty-juno-git (+12/-0)
tests/052-basic-trusty-kilo-git (+12/-0)
tests/README (+53/-0)
tests/basic_deployment.py (+256/-0)
tests/charmhelpers/__init__.py (+38/-0)
tests/charmhelpers/contrib/__init__.py (+15/-0)
tests/charmhelpers/contrib/amulet/__init__.py (+15/-0)
tests/charmhelpers/contrib/amulet/deployment.py (+95/-0)
tests/charmhelpers/contrib/amulet/utils.py (+818/-0)
tests/charmhelpers/contrib/openstack/__init__.py (+15/-0)
tests/charmhelpers/contrib/openstack/amulet/__init__.py (+15/-0)
tests/charmhelpers/contrib/openstack/amulet/deployment.py (+197/-0)
tests/charmhelpers/contrib/openstack/amulet/utils.py (+963/-0)
tests/tests.yaml (+20/-0)
unit_tests/__init__.py (+2/-0)
unit_tests/test_actions_git_reinstall.py (+105/-0)
unit_tests/test_neutron_ovs_context.py (+246/-20)
unit_tests/test_neutron_ovs_hooks.py (+154/-17)
unit_tests/test_neutron_ovs_utils.py (+314/-19)

To merge this branch:

bzr merge lp:~james-page/charms/trusty/neutron-openvswitch/lp1515008-stable

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Liam Young		2015-11-12	Pending
Review via email: mp+277336@code.launchpad.net

Description of the change

Fixup handling of dvr and local dhcp configurations

Unmerged revisions

73. By James Page on 2015-11-12: Fixup handling of dvr and local dhcp configurations
72. By Corey Bryant on 2015-10-22: [beisner,r=corey.bryant] Enable stable amulet tests and stable charm-helper syncs.
71. By James Page on 2015-10-22: 15.10 Charm release
70. By Liam Young on 2015-09-23: Charmhelper sync
69. By Corey Bryant on 2015-08-10: [beisner,r=corey.bryant] Point charmhelper sync and amulet tests at stable branches.
68. By James Page on 2015-08-10: [gnuoy] 15.07 Charm release
67. By Corey Bryant on 2015-04-30: [corey.bryant,trivial] Update deploy from source README indentation.
66. By Corey Bryant on 2015-04-30: [corey.bryant,trivial] Update deploy from source README samples.
65. By Corey Bryant on 2015-04-28: [corey.bryant,trivial] Fix deploy from source README
64. By Liam Young on 2015-04-24: Point charmhelper sync and amulet tests at stable branches

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

James Page

Liam Young

 === modified file '.bzrignore'
 --- .bzrignore	2014-06-19 09:56:25 +0000
 +++ .bzrignore	2015-11-12 11:46:11 +0000
@@ -1,1 +1,3 @@
++bin
  .coverage
++tags
 === added file '.project'
 --- .project	1970-01-01 00:00:00 +0000
 +++ .project	2015-11-12 11:46:11 +0000
@@ -0,0 +1,17 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<projectDescription>
++	<name>neutron-openvswitch</name>
++	<comment></comment>
++	<projects>
++	</projects>
++	<buildSpec>
++		<buildCommand>
++			<name>org.python.pydev.PyDevBuilder</name>
++			<arguments>
++			</arguments>
++		</buildCommand>
++	</buildSpec>
++	<natures>
++		<nature>org.python.pydev.pythonNature</nature>
++	</natures>
++</projectDescription>
 === added file '.pydevproject'
 --- .pydevproject	1970-01-01 00:00:00 +0000
 +++ .pydevproject	2015-11-12 11:46:11 +0000
@@ -0,0 +1,9 @@
++<?xml version="1.0" encoding="UTF-8" standalone="no"?>
++<?eclipse-pydev version="1.0"?><pydev_project>
++<pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.7</pydev_property>
++<pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
++<pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
++<path>/neutron-openvswitch/hooks</path>
++<path>/neutron-openvswitch/unit_tests</path>
++</pydev_pathproperty>
++</pydev_project>
 === modified file 'Makefile'
 --- Makefile	2014-06-19 09:56:25 +0000
 +++ Makefile	2015-11-12 11:46:11 +0000
@@ -2,13 +2,28 @@
  PYTHON := /usr/bin/env python
  lint:
--	@flake8 --exclude hooks/charmhelpers hooks
--	@flake8 --exclude hooks/charmhelpers unit_tests
++	@flake8 --exclude hooks/charmhelpers,tests/charmhelpers \
++        actions hooks unit_tests tests
  	@charm proof
  test:
++	@# Bundletester expects unit tests here
  	@echo Starting tests...
--	@$(PYTHON) /usr/bin/nosetests --nologcapture unit_tests
--
--sync:
--	@charm-helper-sync -c charm-helpers-sync.yaml
++	@$(PYTHON) /usr/bin/nosetests -v --nologcapture --with-coverage unit_tests
++
++functional_test:
++	@echo Starting Amulet tests...
++	@juju test -v -p AMULET_HTTP_PROXY,AMULET_OS_VIP --timeout 2700
++
++bin/charm_helpers_sync.py:
++	@mkdir -p bin
++	@bzr cat lp:charm-helpers/tools/charm_helpers_sync/charm_helpers_sync.py \
++        > bin/charm_helpers_sync.py
++
++sync: bin/charm_helpers_sync.py
++	@$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-hooks.yaml
++	@$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-tests.yaml
++
++publish: lint test
++	bzr push lp:charms/neutron-openvswitch
++	bzr push lp:charms/trusty/neutron-openvswitch
 === modified file 'README.md'
 --- README.md	2014-06-23 13:00:45 +0000
 +++ README.md	2015-11-12 11:46:11 +0000
@@ -1,18 +1,134 @@
--Overview
----------
--
--This subordinate charm provides the Neutron OVS configuration for a compute
--node. Oncde deployed it takes over the management of the neutron configuration
--and plugin configuration on the compute node. It expects three relations:
--
--1) Relation with principle compute node
--2) Relation with message broker. If a single message broker is being used for
--   the openstack deployemnt then it can relat to that. If a seperate neutron
--   message broker is being used it should relate to that.
--3) Relation with neutron-api principle charm (not nova-cloud-controller)
--
--Restrictions:
--------------
--
--It should only be used with Icehouse and above and requires a seperate
--neutron-api service to have been deployed.
++# Overview
++
++This subordinate charm provides the Neutron OpenvSwitch configuration for a compute node.
++
++Once deployed it takes over the management of the Neutron base and plugin configuration on the compute node.
++
++# Usage
++
++To deploy (partial deployment of linked charms only):
++
++    juju deploy rabbitmq-server
++    juju deploy neutron-api
++    juju deploy nova-compute
++    juju deploy neutron-openvswitch
++    juju add-relation neutron-openvswitch nova-compute
++    juju add-relation neutron-openvswitch neutron-api
++    juju add-relation neutron-openvswitch rabbitmq-server
++
++Note that the rabbitmq-server can optionally be a different instance of the rabbitmq-server charm than used by OpenStack Nova:
++
++    juju deploy rabbitmq-server rmq-neutron
++    juju add-relation neutron-openvswitch rmq-neutron
++    juju add-relation neutron-api rmq-neutron
++
++The neutron-api and neutron-openvswitch charms must be related to the same instance of the rabbitmq-server charm.
++
++# Restrictions
++
++It should only be used with OpenStack Icehouse and above and requires a seperate neutron-api service to have been deployed.
++
++# Disabling security group management
++
++WARNING: this feature allows you to effectively disable security on your cloud!
++
++This charm has a configuration option to allow users to disable any per-instance security group management; this must used with neutron-security-groups enabled in the neutron-api charm and could be used to turn off security on selected set of compute nodes:
++
++    juju deploy neutron-openvswitch neutron-openvswitch-insecure
++    juju set neutron-openvswitch-insecure disable-security-groups=True
++    juju deploy nova-compute nova-compute-insecure
++    juju add-relation nova-compute-insecure neutron-openvswitch-insecure
++    ...
++
++These compute nodes could then be accessed by cloud users via use of host aggregates with specific flavors to target instances to hypervisors with no per-instance security.
++
++# Deploying from source
++
++The minimum openstack-origin-git config required to deploy from source is:
++
++    openstack-origin-git: include-file://neutron-juno.yaml
++
++    neutron-juno.yaml
++        repositories:
++        - {name: requirements,
++           repository: 'git://github.com/openstack/requirements',
++           branch: stable/juno}
++        - {name: neutron,
++           repository: 'git://github.com/openstack/neutron',
++           branch: stable/juno}
++
++Note that there are only two 'name' values the charm knows about: 'requirements'
++and 'neutron'. These repositories must correspond to these 'name' values.
++Additionally, the requirements repository must be specified first and the
++neutron repository must be specified last. All other repostories are installed
++in the order in which they are specified.
++
++The following is a full list of current tip repos (may not be up-to-date):
++
++    openstack-origin-git: include-file://neutron-master.yaml
++
++    neutron-master.yaml
++        repositories:
++        - {name: requirements,
++           repository: 'git://github.com/openstack/requirements',
++           branch: master}
++        - {name: oslo-concurrency,
++           repository: 'git://github.com/openstack/oslo.concurrency',
++           branch: master}
++        - {name: oslo-config,
++           repository: 'git://github.com/openstack/oslo.config',
++           branch: master}
++        - {name: oslo-context,
++           repository: 'git://github.com/openstack/oslo.context',
++           branch: master}
++        - {name: oslo-db,
++           repository: 'git://github.com/openstack/oslo.db',
++           branch: master}
++        - {name: oslo-i18n,
++           repository: 'git://github.com/openstack/oslo.i18n',
++           branch: master}
++        - {name: oslo-messaging,
++           repository: 'git://github.com/openstack/oslo.messaging',
++           branch: master}
++        - {name: oslo-middleware,
++           repository': 'git://github.com/openstack/oslo.middleware',
++           branch: master}
++        - {name: oslo-rootwrap',
++           repository: 'git://github.com/openstack/oslo.rootwrap',
++           branch: master}
++        - {name: oslo-serialization,
++           repository: 'git://github.com/openstack/oslo.serialization',
++           branch: master}
++        - {name: oslo-utils,
++           repository: 'git://github.com/openstack/oslo.utils',
++           branch: master}
++        - {name: pbr,
++           repository: 'git://github.com/openstack-dev/pbr',
++           branch: master}
++        - {name: stevedore,
++           repository: 'git://github.com/openstack/stevedore',
++           branch: 'master'}
++        - {name: python-keystoneclient,
++           repository: 'git://github.com/openstack/python-keystoneclient',
++           branch: master}
++        - {name: python-neutronclient,
++           repository: 'git://github.com/openstack/python-neutronclient',
++           branch: master}
++        - {name: python-novaclient,
++           repository': 'git://github.com/openstack/python-novaclient',
++           branch: master}
++        - {name: keystonemiddleware,
++           repository: 'git://github.com/openstack/keystonemiddleware',
++           branch: master}
++        - {name: neutron-fwaas,
++           repository': 'git://github.com/openstack/neutron-fwaas',
++           branch: master}
++        - {name: neutron-lbaas,
++           repository: 'git://github.com/openstack/neutron-lbaas',
++           branch: master}
++        - {name: neutron-vpnaas,
++           repository: 'git://github.com/openstack/neutron-vpnaas',
++           branch: master}
++        - {name: neutron,
++           repository: 'git://github.com/openstack/neutron',
++           branch: master}
 === added directory 'actions'
 === added file 'actions.yaml'
 --- actions.yaml	1970-01-01 00:00:00 +0000
 +++ actions.yaml	2015-11-12 11:46:11 +0000
@@ -0,0 +1,2 @@
++git-reinstall:
++    description: Reinstall neutron-openvswitch from the openstack-origin-git repositories.
 === added symlink 'actions/git-reinstall'
 === target is u'git_reinstall.py'
 === added file 'actions/git_reinstall.py'
 --- actions/git_reinstall.py	1970-01-01 00:00:00 +0000
 +++ actions/git_reinstall.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,45 @@
++#!/usr/bin/python
++import sys
++import traceback
++
++sys.path.append('hooks/')
++
++from charmhelpers.contrib.openstack.utils import (
++    git_install_requested,
++)
++
++from charmhelpers.core.hookenv import (
++    action_set,
++    action_fail,
++    config,
++)
++
++from neutron_ovs_utils import (
++    git_install,
++)
++
++from neutron_ovs_hooks import (
++    config_changed,
++)
++
++
++def git_reinstall():
++    """Reinstall from source and restart services.
++
++    If the openstack-origin-git config option was used to install openstack
++    from source git repositories, then this action can be used to reinstall
++    from updated git repositories, followed by a restart of services."""
++    if not git_install_requested():
++        action_fail('openstack-origin-git is not configured')
++        return
++
++    try:
++        git_install(config('openstack-origin-git'))
++        config_changed()
++    except:
++        action_set({'traceback': traceback.format_exc()})
++        action_fail('git-reinstall resulted in an unexpected error')
++
++
++if __name__ == '__main__':
++    git_reinstall()
 === added file 'charm-helpers-hooks.yaml'
 --- charm-helpers-hooks.yaml	1970-01-01 00:00:00 +0000
 +++ charm-helpers-hooks.yaml	2015-11-12 11:46:11 +0000
@@ -0,0 +1,13 @@
++branch: lp:~openstack-charmers/charm-helpers/stable
++destination: hooks/charmhelpers
++include:
++    - core
++    - cli
++    - fetch
++    - contrib.openstack|inc=*
++    - contrib.hahelpers
++    - contrib.network.ovs
++    - contrib.storage.linux
++    - payload.execd
++    - contrib.network.ip
++    - contrib.python.packages
 === removed file 'charm-helpers-sync.yaml'
 --- charm-helpers-sync.yaml	2014-06-19 09:56:25 +0000
 +++ charm-helpers-sync.yaml	1970-01-01 00:00:00 +0000
@@ -1,10 +0,0 @@
--branch: lp:charm-helpers
--destination: hooks/charmhelpers
--include:
--    - core
--    - fetch
--    - contrib.openstack
--    - contrib.hahelpers
--    - contrib.network.ovs
--    - contrib.storage.linux
--    - payload.execd
 === added file 'charm-helpers-tests.yaml'
 --- charm-helpers-tests.yaml	1970-01-01 00:00:00 +0000
 +++ charm-helpers-tests.yaml	2015-11-12 11:46:11 +0000
@@ -0,0 +1,5 @@
++branch: lp:~openstack-charmers/charm-helpers/stable
++destination: tests/charmhelpers
++include:
++    - contrib.amulet
++    - contrib.openstack.amulet
 === modified file 'config.yaml'
 --- config.yaml	2014-06-23 11:49:58 +0000
 +++ config.yaml	2015-11-12 11:46:11 +0000
@@ -1,23 +1,108 @@
  options:
++  debug:
++    default: False
++    type: boolean
++    description: Enable debug logging.
++  verbose:
++    default: False
++    type: boolean
++    description: Enable verbose logging.
++  use-syslog:
++    type: boolean
++    default: False
++    description: |
++      Setting this to True will allow supporting services to log to syslog.
++  openstack-origin-git:
++    default:
++    type: string
++    description: |
++      Specifies a YAML-formatted dictionary listing the git
++      repositories and branches from which to install OpenStack and
++      its dependencies.
++
++      When openstack-origin-git is specified, openstack-specific
++      packages will be installed from source rather than from the
++      the nova-compute charm's openstack-origin repository.
++
++      Note that the installed config files will be determined based on
++      the OpenStack release of the nova-compute charm's openstack-origin
++      option.
++
++      For more details see README.md.
    rabbit-user:
      default: neutron
      type: string
--    description: Username used to access rabbitmq queue
++    description: Username used to access RabbitMQ queue
    rabbit-vhost:
      default: openstack
      type: string
--    description: Rabbitmq vhost
--  use-syslog:
--    type: boolean
--    default: False
--    description: |
--      By default, all services will log into their corresponding log files.
--      Setting this to True will force all services to log to the syslog.
--  debug:
--    default: False
--    type: boolean
--    description: Enable debug logging
--  verbose:
--    default: False
--    type: boolean
--    description: Enable verbose logging
++    description: RabbitMQ vhost
++  data-port:
++    type: string
++    default:
++    description: |
++      Space-delimited list of bridge:port mappings. Ports will be added to
++      their corresponding bridge. The bridges will allow usage of flat or
++      VLAN network types with Neutron and should match this defined in
++      bridge-mappings.
++      .
++      Ports provided can be the name or MAC address of the interface to be
++      added to the bridge. If MAC addresses are used, you may provide multiple
++      bridge:mac for the same bridge so as to be able to configure multiple
++      units. In this case the charm will run through the provided MAC addresses
++      for each bridge until it finds one it can resolve to an interface name.
++  disable-security-groups:
++    type: boolean
++    default: false
++    description: |
++      Disable neutron based security groups - setting this configuration option
++      will override any settings configured via the neutron-api charm.
++      .
++      BE CAREFUL - this option allows you to disable all port level security
++      within an OpenStack cloud.
++  bridge-mappings:
++    type: string
++    default: 'physnet1:br-data'
++    description: |
++      Space-delimited list of ML2 data bridge mappings with format
++      <provider>:<bridge>.
++  flat-network-providers:
++    type: string
++    default:
++    description: |
++      Space-delimited list of Neutron flat network providers.
++  vlan-ranges:
++    type: string
++    default: "physnet1:1000:2000"
++    description: |
++      Space-delimited list of <physical_network>:<vlan_min>:<vlan_max> or
++      <physical_network> specifying physical_network names usable for VLAN
++      provider and tenant networks, as well as ranges of VLAN tags on each
++      available for allocation to tenant networks.
++  # Network configuration options
++  # by default all access is over 'private-address'
++  os-data-network:
++    type: string
++    default:
++    description: |
++      The IP address and netmask of the OpenStack Data network (e.g.,
++      192.168.0.0/24)
++      .
++      This network will be used for tenant network traffic in overlay
++      networks.
++  ext-port:
++    type: string
++    default:
++    description: |
++      A space-separated list of external ports to use for routing of instance
++      traffic to the external public network. Valid values are either MAC
++      addresses (in which case only MAC addresses for interfaces without an IP
++      address already assigned will be used), or interfaces (eth0)
++  enable-local-dhcp-and-metadata:
++    type: boolean
++    default: false
++    description: |
++      Enable local Neutron DHCP and Metadata Agents. This is useful for deployments
++      which do not include a neutron-gateway (do not require l3, lbaas or vpnaas
++      services) and should only be used in-conjunction with flat or VLAN provider
++      networks configurations.
 === added file 'hooks/charmhelpers/__init__.py'
 --- hooks/charmhelpers/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,38 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++# Bootstrap charm-helpers, installing its dependencies if necessary using
++# only standard libraries.
++import subprocess
++import sys
++
++try:
++    import six  # flake8: noqa
++except ImportError:
++    if sys.version_info.major == 2:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python-six'])
++    else:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python3-six'])
++    import six  # flake8: noqa
++
++try:
++    import yaml  # flake8: noqa
++except ImportError:
++    if sys.version_info.major == 2:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python-yaml'])
++    else:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python3-yaml'])
++    import yaml  # flake8: noqa
 === removed file 'hooks/charmhelpers/__init__.py'
 === added directory 'hooks/charmhelpers/cli'
 === added file 'hooks/charmhelpers/cli/__init__.py'
 --- hooks/charmhelpers/cli/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,191 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import inspect
++import argparse
++import sys
++
++from six.moves import zip
++
++from charmhelpers.core import unitdata
++
++
++class OutputFormatter(object):
++    def __init__(self, outfile=sys.stdout):
++        self.formats = (
++            "raw",
++            "json",
++            "py",
++            "yaml",
++            "csv",
++            "tab",
++        )
++        self.outfile = outfile
++
++    def add_arguments(self, argument_parser):
++        formatgroup = argument_parser.add_mutually_exclusive_group()
++        choices = self.supported_formats
++        formatgroup.add_argument("--format", metavar='FMT',
++                                 help="Select output format for returned data, "
++                                      "where FMT is one of: {}".format(choices),
++                                 choices=choices, default='raw')
++        for fmt in self.formats:
++            fmtfunc = getattr(self, fmt)
++            formatgroup.add_argument("-{}".format(fmt[0]),
++                                     "--{}".format(fmt), action='store_const',
++                                     const=fmt, dest='format',
++                                     help=fmtfunc.__doc__)
++
++    @property
++    def supported_formats(self):
++        return self.formats
++
++    def raw(self, output):
++        """Output data as raw string (default)"""
++        if isinstance(output, (list, tuple)):
++            output = '\n'.join(map(str, output))
++        self.outfile.write(str(output))
++
++    def py(self, output):
++        """Output data as a nicely-formatted python data structure"""
++        import pprint
++        pprint.pprint(output, stream=self.outfile)
++
++    def json(self, output):
++        """Output data in JSON format"""
++        import json
++        json.dump(output, self.outfile)
++
++    def yaml(self, output):
++        """Output data in YAML format"""
++        import yaml
++        yaml.safe_dump(output, self.outfile)
++
++    def csv(self, output):
++        """Output data as excel-compatible CSV"""
++        import csv
++        csvwriter = csv.writer(self.outfile)
++        csvwriter.writerows(output)
++
++    def tab(self, output):
++        """Output data in excel-compatible tab-delimited format"""
++        import csv
++        csvwriter = csv.writer(self.outfile, dialect=csv.excel_tab)
++        csvwriter.writerows(output)
++
++    def format_output(self, output, fmt='raw'):
++        fmtfunc = getattr(self, fmt)
++        fmtfunc(output)
++
++
++class CommandLine(object):
++    argument_parser = None
++    subparsers = None
++    formatter = None
++    exit_code = 0
++
++    def __init__(self):
++        if not self.argument_parser:
++            self.argument_parser = argparse.ArgumentParser(description='Perform common charm tasks')
++        if not self.formatter:
++            self.formatter = OutputFormatter()
++            self.formatter.add_arguments(self.argument_parser)
++        if not self.subparsers:
++            self.subparsers = self.argument_parser.add_subparsers(help='Commands')
++
++    def subcommand(self, command_name=None):
++        """
++        Decorate a function as a subcommand. Use its arguments as the
++        command-line arguments"""
++        def wrapper(decorated):
++            cmd_name = command_name or decorated.__name__
++            subparser = self.subparsers.add_parser(cmd_name,
++                                                   description=decorated.__doc__)
++            for args, kwargs in describe_arguments(decorated):
++                subparser.add_argument(*args, **kwargs)
++            subparser.set_defaults(func=decorated)
++            return decorated
++        return wrapper
++
++    def test_command(self, decorated):
++        """
++        Subcommand is a boolean test function, so bool return values should be
++        converted to a 0/1 exit code.
++        """
++        decorated._cli_test_command = True
++        return decorated
++
++    def no_output(self, decorated):
++        """
++        Subcommand is not expected to return a value, so don't print a spurious None.
++        """
++        decorated._cli_no_output = True
++        return decorated
++
++    def subcommand_builder(self, command_name, description=None):
++        """
++        Decorate a function that builds a subcommand. Builders should accept a
++        single argument (the subparser instance) and return the function to be
++        run as the command."""
++        def wrapper(decorated):
++            subparser = self.subparsers.add_parser(command_name)
++            func = decorated(subparser)
++            subparser.set_defaults(func=func)
++            subparser.description = description or func.__doc__
++        return wrapper
++
++    def run(self):
++        "Run cli, processing arguments and executing subcommands."
++        arguments = self.argument_parser.parse_args()
++        argspec = inspect.getargspec(arguments.func)
++        vargs = []
++        for arg in argspec.args:
++            vargs.append(getattr(arguments, arg))
++        if argspec.varargs:
++            vargs.extend(getattr(arguments, argspec.varargs))
++        output = arguments.func(*vargs)
++        if getattr(arguments.func, '_cli_test_command', False):
++            self.exit_code = 0 if output else 1
++            output = ''
++        if getattr(arguments.func, '_cli_no_output', False):
++            output = ''
++        self.formatter.format_output(output, arguments.format)
++        if unitdata._KV:
++            unitdata._KV.flush()
++
++
++cmdline = CommandLine()
++
++
++def describe_arguments(func):
++    """
++    Analyze a function's signature and return a data structure suitable for
++    passing in as arguments to an argparse parser's add_argument() method."""
++
++    argspec = inspect.getargspec(func)
++    # we should probably raise an exception somewhere if func includes **kwargs
++    if argspec.defaults:
++        positional_args = argspec.args[:-len(argspec.defaults)]
++        keyword_names = argspec.args[-len(argspec.defaults):]
++        for arg, default in zip(keyword_names, argspec.defaults):
++            yield ('--{}'.format(arg),), {'default': default}
++    else:
++        positional_args = argspec.args
++
++    for arg in positional_args:
++        yield (arg,), {}
++    if argspec.varargs:
++        yield (argspec.varargs,), {'nargs': '*'}
 === added file 'hooks/charmhelpers/cli/benchmark.py'
 --- hooks/charmhelpers/cli/benchmark.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/benchmark.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,36 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.contrib.benchmark import Benchmark
++
++
++@cmdline.subcommand(command_name='benchmark-start')
++def start():
++    Benchmark.start()
++
++
++@cmdline.subcommand(command_name='benchmark-finish')
++def finish():
++    Benchmark.finish()
++
++
++@cmdline.subcommand_builder('benchmark-composite', description="Set the benchmark composite score")
++def service(subparser):
++    subparser.add_argument("value", help="The composite score.")
++    subparser.add_argument("units", help="The units the composite score represents, i.e., 'reads/sec'.")
++    subparser.add_argument("direction", help="'asc' if a lower score is better, 'desc' if a higher score is better.")
++    return Benchmark.set_composite_score
 === added file 'hooks/charmhelpers/cli/commands.py'
 --- hooks/charmhelpers/cli/commands.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/commands.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,32 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++This module loads sub-modules into the python runtime so they can be
++discovered via the inspect module. In order to prevent flake8 from (rightfully)
++telling us these are unused modules, throw a ' # noqa' at the end of each import
++so that the warning is suppressed.
++"""
++
++from . import CommandLine  # noqa
++
++"""
++Import the sub-modules which have decorated subcommands to register with chlp.
++"""
++from . import host  # noqa
++from . import benchmark  # noqa
++from . import unitdata  # noqa
++from . import hookenv  # noqa
 === added file 'hooks/charmhelpers/cli/hookenv.py'
 --- hooks/charmhelpers/cli/hookenv.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/hookenv.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,23 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import hookenv
++
++
++cmdline.subcommand('relation-id')(hookenv.relation_id._wrapped)
++cmdline.subcommand('service-name')(hookenv.service_name)
++cmdline.subcommand('remote-service-name')(hookenv.remote_service_name._wrapped)
 === added file 'hooks/charmhelpers/cli/host.py'
 --- hooks/charmhelpers/cli/host.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/host.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,31 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import host
++
++
++@cmdline.subcommand()
++def mounts():
++    "List mounts"
++    return host.mounts()
++
++
++@cmdline.subcommand_builder('service', description="Control system services")
++def service(subparser):
++    subparser.add_argument("action", help="The action to perform (start, stop, etc...)")
++    subparser.add_argument("service_name", help="Name of the service to control")
++    return host.service
 === added file 'hooks/charmhelpers/cli/unitdata.py'
 --- hooks/charmhelpers/cli/unitdata.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/unitdata.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,39 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import unitdata
++
++
++@cmdline.subcommand_builder('unitdata', description="Store and retrieve data")
++def unitdata_cmd(subparser):
++    nested = subparser.add_subparsers()
++    get_cmd = nested.add_parser('get', help='Retrieve data')
++    get_cmd.add_argument('key', help='Key to retrieve the value of')
++    get_cmd.set_defaults(action='get', value=None)
++    set_cmd = nested.add_parser('set', help='Store data')
++    set_cmd.add_argument('key', help='Key to set')
++    set_cmd.add_argument('value', help='Value to store')
++    set_cmd.set_defaults(action='set')
++
++    def _unitdata_cmd(action, key, value):
++        if action == 'get':
++            return unitdata.kv().get(key)
++        elif action == 'set':
++            unitdata.kv().set(key, value)
++            unitdata.kv().flush()
++            return ''
++    return _unitdata_cmd
 === modified file 'hooks/charmhelpers/contrib/__init__.py'
 --- hooks/charmhelpers/contrib/__init__.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === modified file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
 --- hooks/charmhelpers/contrib/hahelpers/__init__.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === modified file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
 --- hooks/charmhelpers/contrib/hahelpers/apache.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/apache.py	2015-11-12 11:46:11 +0000
@@ -1,3 +1,19 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
+ #
  # Copyright 2012 Canonical Ltd.
+ #
@@ -20,20 +36,27 @@
+ )
--def get_cert():
++def get_cert(cn=None):
++    # TODO: deal with multiple https endpoints via charm config
      cert = config_get('ssl_cert')
      key = config_get('ssl_key')
      if not (cert and key):
          log("Inspecting identity-service relations for SSL certificate.",
              level=INFO)
          cert = key = None
++        if cn:
++            ssl_cert_attr = 'ssl_cert_{}'.format(cn)
++            ssl_key_attr = 'ssl_key_{}'.format(cn)
++        else:
++            ssl_cert_attr = 'ssl_cert'
++            ssl_key_attr = 'ssl_key'
          for r_id in relation_ids('identity-service'):
              for unit in relation_list(r_id):
                  if not cert:
--                    cert = relation_get('ssl_cert',
++                    cert = relation_get(ssl_cert_attr,
                                          rid=r_id, unit=unit)
                  if not key:
--                    key = relation_get('ssl_key',
++                    key = relation_get(ssl_key_attr,
                                         rid=r_id, unit=unit)
      return (cert, key)
 === removed file 'hooks/charmhelpers/contrib/hahelpers/ceph.py'
 --- hooks/charmhelpers/contrib/hahelpers/ceph.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/ceph.py	1970-01-01 00:00:00 +0000
@@ -1,297 +0,0 @@
--#
--# Copyright 2012 Canonical Ltd.
--#
--# This file is sourced from lp:openstack-charm-helpers
--#
--# Authors:
--#  James Page <james.page@ubuntu.com>
--#  Adam Gandelman <adamg@ubuntu.com>
--#
--
--import commands
--import os
--import shutil
--import time
--
--from subprocess import (
--    check_call,
--    check_output,
--    CalledProcessError
--)
--
--from charmhelpers.core.hookenv import (
--    relation_get,
--    relation_ids,
--    related_units,
--    log,
--    INFO,
--    ERROR
--)
--
--from charmhelpers.fetch import (
--    apt_install,
--)
--
--from charmhelpers.core.host import (
--    mount,
--    mounts,
--    service_start,
--    service_stop,
--    umount,
--)
--
--KEYRING = '/etc/ceph/ceph.client.%s.keyring'
--KEYFILE = '/etc/ceph/ceph.client.%s.key'
--
--CEPH_CONF = """[global]
-- auth supported = %(auth)s
-- keyring = %(keyring)s
-- mon host = %(mon_hosts)s
-- log to syslog = %(use_syslog)s
-- err to syslog = %(use_syslog)s
-- clog to syslog = %(use_syslog)s
--"""
--
--
--def running(service):
--    # this local util can be dropped as soon the following branch lands
--    # in lp:charm-helpers
--    # https://code.launchpad.net/~gandelman-a/charm-helpers/service_running/
--    try:
--        output = check_output(['service', service, 'status'])
--    except CalledProcessError:
--        return False
--    else:
--        if ("start/running" in output or "is running" in output):
--            return True
--        else:
--            return False
--
--
--def install():
--    ceph_dir = "/etc/ceph"
--    if not os.path.isdir(ceph_dir):
--        os.mkdir(ceph_dir)
--    apt_install('ceph-common', fatal=True)
--
--
--def rbd_exists(service, pool, rbd_img):
--    (rc, out) = commands.getstatusoutput('rbd list --id %s --pool %s' %
--                                         (service, pool))
--    return rbd_img in out
--
--
--def create_rbd_image(service, pool, image, sizemb):
--    cmd = [
--        'rbd',
--        'create',
--        image,
--        '--size',
--        str(sizemb),
--        '--id',
--        service,
--        '--pool',
--        pool
--    ]
--    check_call(cmd)
--
--
--def pool_exists(service, name):
--    (rc, out) = commands.getstatusoutput("rados --id %s lspools" % service)
--    return name in out
--
--
--def create_pool(service, name):
--    cmd = [
--        'rados',
--        '--id',
--        service,
--        'mkpool',
--        name
--    ]
--    check_call(cmd)
--
--
--def keyfile_path(service):
--    return KEYFILE % service
--
--
--def keyring_path(service):
--    return KEYRING % service
--
--
--def create_keyring(service, key):
--    keyring = keyring_path(service)
--    if os.path.exists(keyring):
--        log('ceph: Keyring exists at %s.' % keyring, level=INFO)
--    cmd = [
--        'ceph-authtool',
--        keyring,
--        '--create-keyring',
--        '--name=client.%s' % service,
--        '--add-key=%s' % key
--    ]
--    check_call(cmd)
--    log('ceph: Created new ring at %s.' % keyring, level=INFO)
--
--
--def create_key_file(service, key):
--    # create a file containing the key
--    keyfile = keyfile_path(service)
--    if os.path.exists(keyfile):
--        log('ceph: Keyfile exists at %s.' % keyfile, level=INFO)
--    fd = open(keyfile, 'w')
--    fd.write(key)
--    fd.close()
--    log('ceph: Created new keyfile at %s.' % keyfile, level=INFO)
--
--
--def get_ceph_nodes():
--    hosts = []
--    for r_id in relation_ids('ceph'):
--        for unit in related_units(r_id):
--            hosts.append(relation_get('private-address', unit=unit, rid=r_id))
--    return hosts
--
--
--def configure(service, key, auth):
--    create_keyring(service, key)
--    create_key_file(service, key)
--    hosts = get_ceph_nodes()
--    mon_hosts = ",".join(map(str, hosts))
--    keyring = keyring_path(service)
--    with open('/etc/ceph/ceph.conf', 'w') as ceph_conf:
--        ceph_conf.write(CEPH_CONF % locals())
--    modprobe_kernel_module('rbd')
--
--
--def image_mapped(image_name):
--    (rc, out) = commands.getstatusoutput('rbd showmapped')
--    return image_name in out
--
--
--def map_block_storage(service, pool, image):
--    cmd = [
--        'rbd',
--        'map',
--        '%s/%s' % (pool, image),
--        '--user',
--        service,
--        '--secret',
--        keyfile_path(service),
--    ]
--    check_call(cmd)
--
--
--def filesystem_mounted(fs):
--    return fs in [f for m, f in mounts()]
--
--
--def make_filesystem(blk_device, fstype='ext4', timeout=10):
--    count = 0
--    e_noent = os.errno.ENOENT
--    while not os.path.exists(blk_device):
--        if count >= timeout:
--            log('ceph: gave up waiting on block device %s' % blk_device,
--                level=ERROR)
--            raise IOError(e_noent, os.strerror(e_noent), blk_device)
--        log('ceph: waiting for block device %s to appear' % blk_device,
--            level=INFO)
--        count += 1
--        time.sleep(1)
--    else:
--        log('ceph: Formatting block device %s as filesystem %s.' %
--            (blk_device, fstype), level=INFO)
--        check_call(['mkfs', '-t', fstype, blk_device])
--
--
--def place_data_on_ceph(service, blk_device, data_src_dst, fstype='ext4'):
--    # mount block device into /mnt
--    mount(blk_device, '/mnt')
--
--    # copy data to /mnt
--    try:
--        copy_files(data_src_dst, '/mnt')
--    except:
--        pass
--
--    # umount block device
--    umount('/mnt')
--
--    _dir = os.stat(data_src_dst)
--    uid = _dir.st_uid
--    gid = _dir.st_gid
--
--    # re-mount where the data should originally be
--    mount(blk_device, data_src_dst, persist=True)
--
--    # ensure original ownership of new mount.
--    cmd = ['chown', '-R', '%s:%s' % (uid, gid), data_src_dst]
--    check_call(cmd)
--
--
--# TODO: re-use
--def modprobe_kernel_module(module):
--    log('ceph: Loading kernel module', level=INFO)
--    cmd = ['modprobe', module]
--    check_call(cmd)
--    cmd = 'echo %s >> /etc/modules' % module
--    check_call(cmd, shell=True)
--
--
--def copy_files(src, dst, symlinks=False, ignore=None):
--    for item in os.listdir(src):
--        s = os.path.join(src, item)
--        d = os.path.join(dst, item)
--        if os.path.isdir(s):
--            shutil.copytree(s, d, symlinks, ignore)
--        else:
--            shutil.copy2(s, d)
--
--
--def ensure_ceph_storage(service, pool, rbd_img, sizemb, mount_point,
--                        blk_device, fstype, system_services=[]):
--    """
--    To be called from the current cluster leader.
--    Ensures given pool and RBD image exists, is mapped to a block device,
--    and the device is formatted and mounted at the given mount_point.
--
--    If formatting a device for the first time, data existing at mount_point
--    will be migrated to the RBD device before being remounted.
--
--    All services listed in system_services will be stopped prior to data
--    migration and restarted when complete.
--    """
--    # Ensure pool, RBD image, RBD mappings are in place.
--    if not pool_exists(service, pool):
--        log('ceph: Creating new pool %s.' % pool, level=INFO)
--        create_pool(service, pool)
--
--    if not rbd_exists(service, pool, rbd_img):
--        log('ceph: Creating RBD image (%s).' % rbd_img, level=INFO)
--        create_rbd_image(service, pool, rbd_img, sizemb)
--
--    if not image_mapped(rbd_img):
--        log('ceph: Mapping RBD Image as a Block Device.', level=INFO)
--        map_block_storage(service, pool, rbd_img)
--
--    # make file system
--    # TODO: What happens if for whatever reason this is run again and
--    # the data is already in the rbd device and/or is mounted??
--    # When it is mounted already, it will fail to make the fs
--    # XXX: This is really sketchy!  Need to at least add an fstab entry
--    #      otherwise this hook will blow away existing data if its executed
--    #      after a reboot.
--    if not filesystem_mounted(mount_point):
--        make_filesystem(blk_device, fstype)
--
--        for svc in system_services:
--            if running(svc):
--                log('Stopping services %s prior to migrating data.' % svc,
--                    level=INFO)
--                service_stop(svc)
--
--        place_data_on_ceph(service, blk_device, mount_point, fstype)
--
--        for svc in system_services:
--            service_start(svc)
 === modified file 'hooks/charmhelpers/contrib/hahelpers/cluster.py'
 --- hooks/charmhelpers/contrib/hahelpers/cluster.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/cluster.py	2015-11-12 11:46:11 +0000
@@ -1,3 +1,19 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
+ #
  # Copyright 2012 Canonical Ltd.
+ #
@@ -6,11 +22,18 @@
  #  Adam Gandelman <adamg@ubuntu.com>
+ #
++"""
++Helpers for clustering and determining "cluster leadership" and other
++clustering-related helpers.
++"""
++
  import subprocess
  import os
  from socket import gethostname as get_unit_hostname
++import six
++
  from charmhelpers.core.hookenv import (
      log,
      relation_ids,
@@ -19,14 +42,64 @@
      config as config_get,
      INFO,
      ERROR,
++    WARNING,
      unit_get,
--)
++    is_leader as juju_is_leader
++)
++from charmhelpers.core.decorators import (
++    retry_on_exception,
++)
++from charmhelpers.core.strutils import (
++    bool_from_string,
++)
++
++DC_RESOURCE_NAME = 'DC'
  class HAIncompleteConfig(Exception):
      pass
++class CRMResourceNotFound(Exception):
++    pass
++
++
++class CRMDCNotFound(Exception):
++    pass
++
++
++def is_elected_leader(resource):
++    """
++    Returns True if the charm executing this is the elected cluster leader.
++
++    It relies on two mechanisms to determine leadership:
++        1. If juju is sufficiently new and leadership election is supported,
++        the is_leader command will be used.
++        2. If the charm is part of a corosync cluster, call corosync to
++        determine leadership.
++        3. If the charm is not part of a corosync cluster, the leader is
++        determined as being "the alive unit with the lowest unit numer". In
++        other words, the oldest surviving unit.
++    """
++    try:
++        return juju_is_leader()
++    except NotImplementedError:
++        log('Juju leadership election feature not enabled'
++            ', using fallback support',
++            level=WARNING)
++
++    if is_clustered():
++        if not is_crm_leader(resource):
++            log('Deferring action to CRM leader.', level=INFO)
++            return False
++    else:
++        peers = peer_units()
++        if peers and not oldest_peer(peers):
++            log('Deferring action to oldest service unit.', level=INFO)
++            return False
++    return True
++
++
  def is_clustered():
      for r_id in (relation_ids('ha') or []):
          for unit in (relation_list(r_id) or []):
@@ -38,31 +111,85 @@
      return False
++def is_crm_dc():
++    """
++    Determine leadership by querying the pacemaker Designated Controller
++    """
++    cmd = ['crm', 'status']
++    try:
++        status = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        if not isinstance(status, six.text_type):
++            status = six.text_type(status, "utf-8")
++    except subprocess.CalledProcessError as ex:
++        raise CRMDCNotFound(str(ex))
++
++    current_dc = ''
++    for line in status.split('\n'):
++        if line.startswith('Current DC'):
++            # Current DC: juju-lytrusty-machine-2 (168108163) - partition with quorum
++            current_dc = line.split(':')[1].split()[0]
++    if current_dc == get_unit_hostname():
++        return True
++    elif current_dc == 'NONE':
++        raise CRMDCNotFound('Current DC: NONE')
++
++    return False
++
++
++@retry_on_exception(5, base_delay=2,
++                    exc_type=(CRMResourceNotFound, CRMDCNotFound))
++def is_crm_leader(resource, retry=False):
++    """
++    Returns True if the charm calling this is the elected corosync leader,
++    as returned by calling the external "crm" command.
++
++    We allow this operation to be retried to avoid the possibility of getting a
++    false negative. See LP #1396246 for more info.
++    """
++    if resource == DC_RESOURCE_NAME:
++        return is_crm_dc()
++    cmd = ['crm', 'resource', 'show', resource]
++    try:
++        status = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        if not isinstance(status, six.text_type):
++            status = six.text_type(status, "utf-8")
++    except subprocess.CalledProcessError:
++        status = None
++
++    if status and get_unit_hostname() in status:
++        return True
++
++    if status and "resource %s is NOT running" % (resource) in status:
++        raise CRMResourceNotFound("CRM resource %s not found" % (resource))
++
++    return False
++
++
  def is_leader(resource):
--    cmd = [
--        "crm", "resource",
--        "show", resource
--    ]
--    try:
--        status = subprocess.check_output(cmd)
--    except subprocess.CalledProcessError:
--        return False
--    else:
--        if get_unit_hostname() in status:
--            return True
--        else:
--            return False
--
--
--def peer_units():
++    log("is_leader is deprecated. Please consider using is_crm_leader "
++        "instead.", level=WARNING)
++    return is_crm_leader(resource)
++
++
++def peer_units(peer_relation="cluster"):
      peers = []
--    for r_id in (relation_ids('cluster') or []):
++    for r_id in (relation_ids(peer_relation) or []):
          for unit in (relation_list(r_id) or []):
              peers.append(unit)
      return peers
++def peer_ips(peer_relation='cluster', addr_key='private-address'):
++    '''Return a dict of peers and their private-address'''
++    peers = {}
++    for r_id in relation_ids(peer_relation):
++        for unit in relation_list(r_id):
++            peers[unit] = relation_get(addr_key, rid=r_id, unit=unit)
++    return peers
++
++
  def oldest_peer(peers):
++    """Determines who the oldest peer is by comparing unit numbers."""
      local_unit_no = int(os.getenv('JUJU_UNIT_NAME').split('/')[1])
      for peer in peers:
          remote_unit_no = int(peer.split('/')[1])
@@ -72,16 +199,9 @@
  def eligible_leader(resource):
--    if is_clustered():
--        if not is_leader(resource):
--            log('Deferring action to CRM leader.', level=INFO)
--            return False
--    else:
--        peers = peer_units()
--        if peers and not oldest_peer(peers):
--            log('Deferring action to oldest service unit.', level=INFO)
--            return False
--    return True
++    log("eligible_leader is deprecated. Please consider using "
++        "is_elected_leader instead.", level=WARNING)
++    return is_elected_leader(resource)
  def https():
@@ -91,16 +211,16 @@
+     .
      returns: boolean
      '''
--    if config_get('use-https') == "yes":
++    use_https = config_get('use-https')
++    if use_https and bool_from_string(use_https):
          return True
      if config_get('ssl_cert') and config_get('ssl_key'):
          return True
      for r_id in relation_ids('identity-service'):
          for unit in relation_list(r_id):
++            # TODO - needs fixing for new helper as ssl_cert/key suffixes with CN
              rel_state = [
                  relation_get('https_keystone', rid=r_id, unit=unit),
--                relation_get('ssl_cert', rid=r_id, unit=unit),
--                relation_get('ssl_key', rid=r_id, unit=unit),
                  relation_get('ca_cert', rid=r_id, unit=unit),
+             ]
              # NOTE: works around (LP: #1203241)
@@ -109,54 +229,66 @@
      return False
--def determine_api_port(public_port):
++def determine_api_port(public_port, singlenode_mode=False):
      '''
      Determine correct API server listening port based on
      existence of HTTPS reverse proxy and/or haproxy.
      public_port: int: standard public port for given service
++    singlenode_mode: boolean: Shuffle ports when only a single unit is present
++
      returns: int: the correct listening port for the API service
      '''
      i = 0
--    if len(peer_units()) > 0 or is_clustered():
++    if singlenode_mode:
++        i += 1
++    elif len(peer_units()) > 0 or is_clustered():
          i += 1
      if https():
          i += 1
      return public_port - (i * 10)
--def determine_apache_port(public_port):
++def determine_apache_port(public_port, singlenode_mode=False):
      '''
      Description: Determine correct apache listening port based on public IP +
      state of the cluster.
      public_port: int: standard public port for given service
++    singlenode_mode: boolean: Shuffle ports when only a single unit is present
++
      returns: int: the correct listening port for the HAProxy service
      '''
      i = 0
--    if len(peer_units()) > 0 or is_clustered():
++    if singlenode_mode:
++        i += 1
++    elif len(peer_units()) > 0 or is_clustered():
          i += 1
      return public_port - (i * 10)
--def get_hacluster_config():
++def get_hacluster_config(exclude_keys=None):
      '''
      Obtains all relevant configuration from charm configuration required
      for initiating a relation to hacluster:
--        ha-bindiface, ha-mcastport, vip, vip_iface, vip_cidr
++        ha-bindiface, ha-mcastport, vip
++    param: exclude_keys: list of setting key(s) to be excluded.
      returns: dict: A dict containing settings keyed by setting name.
      raises: HAIncompleteConfig if settings are missing.
      '''
--    settings = ['ha-bindiface', 'ha-mcastport', 'vip', 'vip_iface', 'vip_cidr']
++    settings = ['ha-bindiface', 'ha-mcastport', 'vip']
      conf = {}
      for setting in settings:
++        if exclude_keys and setting in exclude_keys:
++            continue
++
          conf[setting] = config_get(setting)
      missing = []
--    [missing.append(s) for s, v in conf.iteritems() if v is None]
++    [missing.append(s) for s, v in six.iteritems(conf) if v is None]
      if missing:
          log('Insufficient config data to configure hacluster.', level=ERROR)
          raise HAIncompleteConfig
@@ -170,6 +302,7 @@
      :configs    : OSTemplateRenderer: A config tempating object to inspect for
                                        a complete https context.
++
      :vip_setting:                str: Setting in charm config that specifies
                                        VIP address.
      '''
 === modified file 'hooks/charmhelpers/contrib/network/__init__.py'
 --- hooks/charmhelpers/contrib/network/__init__.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/network/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'hooks/charmhelpers/contrib/network/ip.py'
 --- hooks/charmhelpers/contrib/network/ip.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/network/ip.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,456 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import glob
++import re
++import subprocess
++import six
++import socket
++
++from functools import partial
++
++from charmhelpers.core.hookenv import unit_get
++from charmhelpers.fetch import apt_install, apt_update
++from charmhelpers.core.hookenv import (
++    log,
++    WARNING,
++)
++
++try:
++    import netifaces
++except ImportError:
++    apt_update(fatal=True)
++    apt_install('python-netifaces', fatal=True)
++    import netifaces
++
++try:
++    import netaddr
++except ImportError:
++    apt_update(fatal=True)
++    apt_install('python-netaddr', fatal=True)
++    import netaddr
++
++
++def _validate_cidr(network):
++    try:
++        netaddr.IPNetwork(network)
++    except (netaddr.core.AddrFormatError, ValueError):
++        raise ValueError("Network (%s) is not in CIDR presentation format" %
++                         network)
++
++
++def no_ip_found_error_out(network):
++    errmsg = ("No IP address found in network: %s" % network)
++    raise ValueError(errmsg)
++
++
++def get_address_in_network(network, fallback=None, fatal=False):
++    """Get an IPv4 or IPv6 address within the network from the host.
++
++    :param network (str): CIDR presentation format. For example,
++        '192.168.1.0/24'.
++    :param fallback (str): If no address is found, return fallback.
++    :param fatal (boolean): If no address is found, fallback is not
++        set and fatal is True then exit(1).
++    """
++    if network is None:
++        if fallback is not None:
++            return fallback
++
++        if fatal:
++            no_ip_found_error_out(network)
++        else:
++            return None
++
++    _validate_cidr(network)
++    network = netaddr.IPNetwork(network)
++    for iface in netifaces.interfaces():
++        addresses = netifaces.ifaddresses(iface)
++        if network.version == 4 and netifaces.AF_INET in addresses:
++            addr = addresses[netifaces.AF_INET][0]['addr']
++            netmask = addresses[netifaces.AF_INET][0]['netmask']
++            cidr = netaddr.IPNetwork("%s/%s" % (addr, netmask))
++            if cidr in network:
++                return str(cidr.ip)
++
++        if network.version == 6 and netifaces.AF_INET6 in addresses:
++            for addr in addresses[netifaces.AF_INET6]:
++                if not addr['addr'].startswith('fe80'):
++                    cidr = netaddr.IPNetwork("%s/%s" % (addr['addr'],
++                                                        addr['netmask']))
++                    if cidr in network:
++                        return str(cidr.ip)
++
++    if fallback is not None:
++        return fallback
++
++    if fatal:
++        no_ip_found_error_out(network)
++
++    return None
++
++
++def is_ipv6(address):
++    """Determine whether provided address is IPv6 or not."""
++    try:
++        address = netaddr.IPAddress(address)
++    except netaddr.AddrFormatError:
++        # probably a hostname - so not an address at all!
++        return False
++
++    return address.version == 6
++
++
++def is_address_in_network(network, address):
++    """
++    Determine whether the provided address is within a network range.
++
++    :param network (str): CIDR presentation format. For example,
++        '192.168.1.0/24'.
++    :param address: An individual IPv4 or IPv6 address without a net
++        mask or subnet prefix. For example, '192.168.1.1'.
++    :returns boolean: Flag indicating whether address is in network.
++    """
++    try:
++        network = netaddr.IPNetwork(network)
++    except (netaddr.core.AddrFormatError, ValueError):
++        raise ValueError("Network (%s) is not in CIDR presentation format" %
++                         network)
++
++    try:
++        address = netaddr.IPAddress(address)
++    except (netaddr.core.AddrFormatError, ValueError):
++        raise ValueError("Address (%s) is not in correct presentation format" %
++                         address)
++
++    if address in network:
++        return True
++    else:
++        return False
++
++
++def _get_for_address(address, key):
++    """Retrieve an attribute of or the physical interface that
++    the IP address provided could be bound to.
++
++    :param address (str): An individual IPv4 or IPv6 address without a net
++        mask or subnet prefix. For example, '192.168.1.1'.
++    :param key: 'iface' for the physical interface name or an attribute
++        of the configured interface, for example 'netmask'.
++    :returns str: Requested attribute or None if address is not bindable.
++    """
++    address = netaddr.IPAddress(address)
++    for iface in netifaces.interfaces():
++        addresses = netifaces.ifaddresses(iface)
++        if address.version == 4 and netifaces.AF_INET in addresses:
++            addr = addresses[netifaces.AF_INET][0]['addr']
++            netmask = addresses[netifaces.AF_INET][0]['netmask']
++            network = netaddr.IPNetwork("%s/%s" % (addr, netmask))
++            cidr = network.cidr
++            if address in cidr:
++                if key == 'iface':
++                    return iface
++                else:
++                    return addresses[netifaces.AF_INET][0][key]
++
++        if address.version == 6 and netifaces.AF_INET6 in addresses:
++            for addr in addresses[netifaces.AF_INET6]:
++                if not addr['addr'].startswith('fe80'):
++                    network = netaddr.IPNetwork("%s/%s" % (addr['addr'],
++                                                           addr['netmask']))
++                    cidr = network.cidr
++                    if address in cidr:
++                        if key == 'iface':
++                            return iface
++                        elif key == 'netmask' and cidr:
++                            return str(cidr).split('/')[1]
++                        else:
++                            return addr[key]
++
++    return None
++
++
++get_iface_for_address = partial(_get_for_address, key='iface')
++
++
++get_netmask_for_address = partial(_get_for_address, key='netmask')
++
++
++def format_ipv6_addr(address):
++    """If address is IPv6, wrap it in '[]' otherwise return None.
++
++    This is required by most configuration files when specifying IPv6
++    addresses.
++    """
++    if is_ipv6(address):
++        return "[%s]" % address
++
++    return None
++
++
++def get_iface_addr(iface='eth0', inet_type='AF_INET', inc_aliases=False,
++                   fatal=True, exc_list=None):
++    """Return the assigned IP address for a given interface, if any."""
++    # Extract nic if passed /dev/ethX
++    if '/' in iface:
++        iface = iface.split('/')[-1]
++
++    if not exc_list:
++        exc_list = []
++
++    try:
++        inet_num = getattr(netifaces, inet_type)
++    except AttributeError:
++        raise Exception("Unknown inet type '%s'" % str(inet_type))
++
++    interfaces = netifaces.interfaces()
++    if inc_aliases:
++        ifaces = []
++        for _iface in interfaces:
++            if iface == _iface or _iface.split(':')[0] == iface:
++                ifaces.append(_iface)
++
++        if fatal and not ifaces:
++            raise Exception("Invalid interface '%s'" % iface)
++
++        ifaces.sort()
++    else:
++        if iface not in interfaces:
++            if fatal:
++                raise Exception("Interface '%s' not found " % (iface))
++            else:
++                return []
++
++        else:
++            ifaces = [iface]
++
++    addresses = []
++    for netiface in ifaces:
++        net_info = netifaces.ifaddresses(netiface)
++        if inet_num in net_info:
++            for entry in net_info[inet_num]:
++                if 'addr' in entry and entry['addr'] not in exc_list:
++                    addresses.append(entry['addr'])
++
++    if fatal and not addresses:
++        raise Exception("Interface '%s' doesn't have any %s addresses." %
++                        (iface, inet_type))
++
++    return sorted(addresses)
++
++
++get_ipv4_addr = partial(get_iface_addr, inet_type='AF_INET')
++
++
++def get_iface_from_addr(addr):
++    """Work out on which interface the provided address is configured."""
++    for iface in netifaces.interfaces():
++        addresses = netifaces.ifaddresses(iface)
++        for inet_type in addresses:
++            for _addr in addresses[inet_type]:
++                _addr = _addr['addr']
++                # link local
++                ll_key = re.compile("(.+)%.*")
++                raw = re.match(ll_key, _addr)
++                if raw:
++                    _addr = raw.group(1)
++
++                if _addr == addr:
++                    log("Address '%s' is configured on iface '%s'" %
++                        (addr, iface))
++                    return iface
++
++    msg = "Unable to infer net iface on which '%s' is configured" % (addr)
++    raise Exception(msg)
++
++
++def sniff_iface(f):
++    """Ensure decorated function is called with a value for iface.
++
++    If no iface provided, inject net iface inferred from unit private address.
++    """
++    def iface_sniffer(*args, **kwargs):
++        if not kwargs.get('iface', None):
++            kwargs['iface'] = get_iface_from_addr(unit_get('private-address'))
++
++        return f(*args, **kwargs)
++
++    return iface_sniffer
++
++
++@sniff_iface
++def get_ipv6_addr(iface=None, inc_aliases=False, fatal=True, exc_list=None,
++                  dynamic_only=True):
++    """Get assigned IPv6 address for a given interface.
++
++    Returns list of addresses found. If no address found, returns empty list.
++
++    If iface is None, we infer the current primary interface by doing a reverse
++    lookup on the unit private-address.
++
++    We currently only support scope global IPv6 addresses i.e. non-temporary
++    addresses. If no global IPv6 address is found, return the first one found
++    in the ipv6 address list.
++    """
++    addresses = get_iface_addr(iface=iface, inet_type='AF_INET6',
++                               inc_aliases=inc_aliases, fatal=fatal,
++                               exc_list=exc_list)
++
++    if addresses:
++        global_addrs = []
++        for addr in addresses:
++            key_scope_link_local = re.compile("^fe80::..(.+)%(.+)")
++            m = re.match(key_scope_link_local, addr)
++            if m:
++                eui_64_mac = m.group(1)
++                iface = m.group(2)
++            else:
++                global_addrs.append(addr)
++
++        if global_addrs:
++            # Make sure any found global addresses are not temporary
++            cmd = ['ip', 'addr', 'show', iface]
++            out = subprocess.check_output(cmd).decode('UTF-8')
++            if dynamic_only:
++                key = re.compile("inet6 (.+)/[0-9]+ scope global dynamic.*")
++            else:
++                key = re.compile("inet6 (.+)/[0-9]+ scope global.*")
++
++            addrs = []
++            for line in out.split('\n'):
++                line = line.strip()
++                m = re.match(key, line)
++                if m and 'temporary' not in line:
++                    # Return the first valid address we find
++                    for addr in global_addrs:
++                        if m.group(1) == addr:
++                            if not dynamic_only or \
++                                    m.group(1).endswith(eui_64_mac):
++                                addrs.append(addr)
++
++            if addrs:
++                return addrs
++
++    if fatal:
++        raise Exception("Interface '%s' does not have a scope global "
++                        "non-temporary ipv6 address." % iface)
++
++    return []
++
++
++def get_bridges(vnic_dir='/sys/devices/virtual/net'):
++    """Return a list of bridges on the system."""
++    b_regex = "%s/*/bridge" % vnic_dir
++    return [x.replace(vnic_dir, '').split('/')[1] for x in glob.glob(b_regex)]
++
++
++def get_bridge_nics(bridge, vnic_dir='/sys/devices/virtual/net'):
++    """Return a list of nics comprising a given bridge on the system."""
++    brif_regex = "%s/%s/brif/*" % (vnic_dir, bridge)
++    return [x.split('/')[-1] for x in glob.glob(brif_regex)]
++
++
++def is_bridge_member(nic):
++    """Check if a given nic is a member of a bridge."""
++    for bridge in get_bridges():
++        if nic in get_bridge_nics(bridge):
++            return True
++
++    return False
++
++
++def is_ip(address):
++    """
++    Returns True if address is a valid IP address.
++    """
++    try:
++        # Test to see if already an IPv4 address
++        socket.inet_aton(address)
++        return True
++    except socket.error:
++        return False
++
++
++def ns_query(address):
++    try:
++        import dns.resolver
++    except ImportError:
++        apt_install('python-dnspython')
++        import dns.resolver
++
++    if isinstance(address, dns.name.Name):
++        rtype = 'PTR'
++    elif isinstance(address, six.string_types):
++        rtype = 'A'
++    else:
++        return None
++
++    answers = dns.resolver.query(address, rtype)
++    if answers:
++        return str(answers[0])
++    return None
++
++
++def get_host_ip(hostname, fallback=None):
++    """
++    Resolves the IP for a given hostname, or returns
++    the input if it is already an IP.
++    """
++    if is_ip(hostname):
++        return hostname
++
++    ip_addr = ns_query(hostname)
++    if not ip_addr:
++        try:
++            ip_addr = socket.gethostbyname(hostname)
++        except:
++            log("Failed to resolve hostname '%s'" % (hostname),
++                level=WARNING)
++            return fallback
++    return ip_addr
++
++
++def get_hostname(address, fqdn=True):
++    """
++    Resolves hostname for given IP, or returns the input
++    if it is already a hostname.
++    """
++    if is_ip(address):
++        try:
++            import dns.reversename
++        except ImportError:
++            apt_install("python-dnspython")
++            import dns.reversename
++
++        rev = dns.reversename.from_address(address)
++        result = ns_query(rev)
++
++        if not result:
++            try:
++                result = socket.gethostbyaddr(address)[0]
++            except:
++                return None
++    else:
++        result = address
++
++    if fqdn:
++        # strip trailing .
++        if result.endswith('.'):
++            return result[:-1]
++        else:
++            return result
++    else:
++        return result.split('.')[0]
 === modified file 'hooks/charmhelpers/contrib/network/ovs/__init__.py'
 --- hooks/charmhelpers/contrib/network/ovs/__init__.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/network/ovs/__init__.py	2015-11-12 11:46:11 +0000
@@ -1,3 +1,19 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
  ''' Helpers for interacting with OpenvSwitch '''
  import subprocess
  import os
@@ -21,12 +37,16 @@
      subprocess.check_call(["ovs-vsctl", "--", "--if-exists", "del-br", name])
--def add_bridge_port(name, port):
++def add_bridge_port(name, port, promisc=False):
      ''' Add a port to the named openvswitch bridge '''
      log('Adding port {} to bridge {}'.format(port, name))
      subprocess.check_call(["ovs-vsctl", "--", "--may-exist", "add-port",
                             name, port])
      subprocess.check_call(["ip", "link", "set", port, "up"])
++    if promisc:
++        subprocess.check_call(["ip", "link", "set", port, "promisc", "on"])
++    else:
++        subprocess.check_call(["ip", "link", "set", port, "promisc", "off"])
  def del_bridge_port(name, port):
@@ -35,6 +55,7 @@
      subprocess.check_call(["ovs-vsctl", "--", "--if-exists", "del-port",
                             name, port])
      subprocess.check_call(["ip", "link", "set", port, "down"])
++    subprocess.check_call(["ip", "link", "set", port, "promisc", "off"])
  def set_manager(manager):
 === modified file 'hooks/charmhelpers/contrib/openstack/__init__.py'
 --- hooks/charmhelpers/contrib/openstack/__init__.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/openstack/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === modified file 'hooks/charmhelpers/contrib/openstack/alternatives.py'
 --- hooks/charmhelpers/contrib/openstack/alternatives.py	2014-06-05 10:59:23 +0000
 +++ hooks/charmhelpers/contrib/openstack/alternatives.py	2015-11-12 11:46:11 +0000
@@ -1,3 +1,19 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
  ''' Helper for managing alternatives for file conflict resolution '''
  import subprocess
 === added directory 'hooks/charmhelpers/contrib/openstack/amulet'
 === added file 'hooks/charmhelpers/contrib/openstack/amulet/__init__.py'
 --- hooks/charmhelpers/contrib/openstack/amulet/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/openstack/amulet/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'hooks/charmhelpers/contrib/openstack/amulet/deployment.py'
 --- hooks/charmhelpers/contrib/openstack/amulet/deployment.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/openstack/amulet/deployment.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,197 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import six
++from collections import OrderedDict
++from charmhelpers.contrib.amulet.deployment import (
++    AmuletDeployment
++)
++
++
++class OpenStackAmuletDeployment(AmuletDeployment):
++    """OpenStack amulet deployment.
++
++       This class inherits from AmuletDeployment and has additional support
++       that is specifically for use by OpenStack charms.
++       """
++
++    def __init__(self, series=None, openstack=None, source=None, stable=True):
++        """Initialize the deployment environment."""
++        super(OpenStackAmuletDeployment, self).__init__(series)
++        self.openstack = openstack
++        self.source = source
++        self.stable = stable
++        # Note(coreycb): this needs to be changed when new next branches come
++        # out.
++        self.current_next = "trusty"
++
++    def _determine_branch_locations(self, other_services):
++        """Determine the branch locations for the other services.
++
++           Determine if the local branch being tested is derived from its
++           stable or next (dev) branch, and based on this, use the corresonding
++           stable or next branches for the other_services."""
++
++        # Charms outside the lp:~openstack-charmers namespace
++        base_charms = ['mysql', 'mongodb', 'nrpe']
++
++        # Force these charms to current series even when using an older series.
++        # ie. Use trusty/nrpe even when series is precise, as the P charm
++        # does not possess the necessary external master config and hooks.
++        force_series_current = ['nrpe']
++
++        if self.series in ['precise', 'trusty']:
++            base_series = self.series
++        else:
++            base_series = self.current_next
++
++        for svc in other_services:
++            if svc['name'] in force_series_current:
++                base_series = self.current_next
++            # If a location has been explicitly set, use it
++            if svc.get('location'):
++                continue
++            if self.stable:
++                temp = 'lp:charms/{}/{}'
++                svc['location'] = temp.format(base_series,
++                                              svc['name'])
++            else:
++                if svc['name'] in base_charms:
++                    temp = 'lp:charms/{}/{}'
++                    svc['location'] = temp.format(base_series,
++                                                  svc['name'])
++                else:
++                    temp = 'lp:~openstack-charmers/charms/{}/{}/next'
++                    svc['location'] = temp.format(self.current_next,
++                                                  svc['name'])
++
++        return other_services
++
++    def _add_services(self, this_service, other_services):
++        """Add services to the deployment and set openstack-origin/source."""
++        other_services = self._determine_branch_locations(other_services)
++
++        super(OpenStackAmuletDeployment, self)._add_services(this_service,
++                                                             other_services)
++
++        services = other_services
++        services.append(this_service)
++
++        # Charms which should use the source config option
++        use_source = ['mysql', 'mongodb', 'rabbitmq-server', 'ceph',
++                      'ceph-osd', 'ceph-radosgw']
++
++        # Charms which can not use openstack-origin, ie. many subordinates
++        no_origin = ['cinder-ceph', 'hacluster', 'neutron-openvswitch', 'nrpe']
++
++        if self.openstack:
++            for svc in services:
++                if svc['name'] not in use_source + no_origin:
++                    config = {'openstack-origin': self.openstack}
++                    self.d.configure(svc['name'], config)
++
++        if self.source:
++            for svc in services:
++                if svc['name'] in use_source and svc['name'] not in no_origin:
++                    config = {'source': self.source}
++                    self.d.configure(svc['name'], config)
++
++    def _configure_services(self, configs):
++        """Configure all of the services."""
++        for service, config in six.iteritems(configs):
++            self.d.configure(service, config)
++
++    def _get_openstack_release(self):
++        """Get openstack release.
++
++           Return an integer representing the enum value of the openstack
++           release.
++           """
++        # Must be ordered by OpenStack release (not by Ubuntu release):
++        (self.precise_essex, self.precise_folsom, self.precise_grizzly,
++         self.precise_havana, self.precise_icehouse,
++         self.trusty_icehouse, self.trusty_juno, self.utopic_juno,
++         self.trusty_kilo, self.vivid_kilo, self.trusty_liberty,
++         self.wily_liberty) = range(12)
++
++        releases = {
++            ('precise', None): self.precise_essex,
++            ('precise', 'cloud:precise-folsom'): self.precise_folsom,
++            ('precise', 'cloud:precise-grizzly'): self.precise_grizzly,
++            ('precise', 'cloud:precise-havana'): self.precise_havana,
++            ('precise', 'cloud:precise-icehouse'): self.precise_icehouse,
++            ('trusty', None): self.trusty_icehouse,
++            ('trusty', 'cloud:trusty-juno'): self.trusty_juno,
++            ('trusty', 'cloud:trusty-kilo'): self.trusty_kilo,
++            ('trusty', 'cloud:trusty-liberty'): self.trusty_liberty,
++            ('utopic', None): self.utopic_juno,
++            ('vivid', None): self.vivid_kilo,
++            ('wily', None): self.wily_liberty}
++        return releases[(self.series, self.openstack)]
++
++    def _get_openstack_release_string(self):
++        """Get openstack release string.
++
++           Return a string representing the openstack release.
++           """
++        releases = OrderedDict([
++            ('precise', 'essex'),
++            ('quantal', 'folsom'),
++            ('raring', 'grizzly'),
++            ('saucy', 'havana'),
++            ('trusty', 'icehouse'),
++            ('utopic', 'juno'),
++            ('vivid', 'kilo'),
++            ('wily', 'liberty'),
++        ])
++        if self.openstack:
++            os_origin = self.openstack.split(':')[1]
++            return os_origin.split('%s-' % self.series)[1].split('/')[0]
++        else:
++            return releases[self.series]
++
++    def get_ceph_expected_pools(self, radosgw=False):
++        """Return a list of expected ceph pools in a ceph + cinder + glance
++        test scenario, based on OpenStack release and whether ceph radosgw
++        is flagged as present or not."""
++
++        if self._get_openstack_release() >= self.trusty_kilo:
++            # Kilo or later
++            pools = [
++                'rbd',
++                'cinder',
++                'glance'
++            ]
++        else:
++            # Juno or earlier
++            pools = [
++                'data',
++                'metadata',
++                'rbd',
++                'cinder',
++                'glance'
++            ]
++
++        if radosgw:
++            pools.extend([
++                '.rgw.root',
++                '.rgw.control',
++                '.rgw',
++                '.rgw.gc',
++                '.users.uid'
++            ])
++
++        return pools
 === added file 'hooks/charmhelpers/contrib/openstack/amulet/utils.py'
 --- hooks/charmhelpers/contrib/openstack/amulet/utils.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/openstack/amulet/utils.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,963 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import amulet
++import json
++import logging
++import os
++import six
++import time
++import urllib
++
++import cinderclient.v1.client as cinder_client
++import glanceclient.v1.client as glance_client
++import heatclient.v1.client as heat_client
++import keystoneclient.v2_0 as keystone_client
++import novaclient.v1_1.client as nova_client
++import pika
++import swiftclient
++
++from charmhelpers.contrib.amulet.utils import (
++    AmuletUtils
++)
++
++DEBUG = logging.DEBUG
++ERROR = logging.ERROR
++
++
++class OpenStackAmuletUtils(AmuletUtils):
++    """OpenStack amulet utilities.
++
++       This class inherits from AmuletUtils and has additional support
++       that is specifically for use by OpenStack charm tests.
++       """
++
++    def __init__(self, log_level=ERROR):
++        """Initialize the deployment environment."""
++        super(OpenStackAmuletUtils, self).__init__(log_level)
++
++    def validate_endpoint_data(self, endpoints, admin_port, internal_port,
++                               public_port, expected):
++        """Validate endpoint data.
++
++           Validate actual endpoint data vs expected endpoint data. The ports
++           are used to find the matching endpoint.
++           """
++        self.log.debug('Validating endpoint data...')
++        self.log.debug('actual: {}'.format(repr(endpoints)))
++        found = False
++        for ep in endpoints:
++            self.log.debug('endpoint: {}'.format(repr(ep)))
++            if (admin_port in ep.adminurl and
++                    internal_port in ep.internalurl and
++                    public_port in ep.publicurl):
++                found = True
++                actual = {'id': ep.id,
++                          'region': ep.region,
++                          'adminurl': ep.adminurl,
++                          'internalurl': ep.internalurl,
++                          'publicurl': ep.publicurl,
++                          'service_id': ep.service_id}
++                ret = self._validate_dict_data(expected, actual)
++                if ret:
++                    return 'unexpected endpoint data - {}'.format(ret)
++
++        if not found:
++            return 'endpoint not found'
++
++    def validate_svc_catalog_endpoint_data(self, expected, actual):
++        """Validate service catalog endpoint data.
++
++           Validate a list of actual service catalog endpoints vs a list of
++           expected service catalog endpoints.
++           """
++        self.log.debug('Validating service catalog endpoint data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for k, v in six.iteritems(expected):
++            if k in actual:
++                ret = self._validate_dict_data(expected[k][0], actual[k][0])
++                if ret:
++                    return self.endpoint_error(k, ret)
++            else:
++                return "endpoint {} does not exist".format(k)
++        return ret
++
++    def validate_tenant_data(self, expected, actual):
++        """Validate tenant data.
++
++           Validate a list of actual tenant data vs list of expected tenant
++           data.
++           """
++        self.log.debug('Validating tenant data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for e in expected:
++            found = False
++            for act in actual:
++                a = {'enabled': act.enabled, 'description': act.description,
++                     'name': act.name, 'id': act.id}
++                if e['name'] == a['name']:
++                    found = True
++                    ret = self._validate_dict_data(e, a)
++                    if ret:
++                        return "unexpected tenant data - {}".format(ret)
++            if not found:
++                return "tenant {} does not exist".format(e['name'])
++        return ret
++
++    def validate_role_data(self, expected, actual):
++        """Validate role data.
++
++           Validate a list of actual role data vs a list of expected role
++           data.
++           """
++        self.log.debug('Validating role data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for e in expected:
++            found = False
++            for act in actual:
++                a = {'name': act.name, 'id': act.id}
++                if e['name'] == a['name']:
++                    found = True
++                    ret = self._validate_dict_data(e, a)
++                    if ret:
++                        return "unexpected role data - {}".format(ret)
++            if not found:
++                return "role {} does not exist".format(e['name'])
++        return ret
++
++    def validate_user_data(self, expected, actual):
++        """Validate user data.
++
++           Validate a list of actual user data vs a list of expected user
++           data.
++           """
++        self.log.debug('Validating user data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        for e in expected:
++            found = False
++            for act in actual:
++                a = {'enabled': act.enabled, 'name': act.name,
++                     'email': act.email, 'tenantId': act.tenantId,
++                     'id': act.id}
++                if e['name'] == a['name']:
++                    found = True
++                    ret = self._validate_dict_data(e, a)
++                    if ret:
++                        return "unexpected user data - {}".format(ret)
++            if not found:
++                return "user {} does not exist".format(e['name'])
++        return ret
++
++    def validate_flavor_data(self, expected, actual):
++        """Validate flavor data.
++
++           Validate a list of actual flavors vs a list of expected flavors.
++           """
++        self.log.debug('Validating flavor data...')
++        self.log.debug('actual: {}'.format(repr(actual)))
++        act = [a.name for a in actual]
++        return self._validate_list_data(expected, act)
++
++    def tenant_exists(self, keystone, tenant):
++        """Return True if tenant exists."""
++        self.log.debug('Checking if tenant exists ({})...'.format(tenant))
++        return tenant in [t.name for t in keystone.tenants.list()]
++
++    def authenticate_cinder_admin(self, keystone_sentry, username,
++                                  password, tenant):
++        """Authenticates admin user with cinder."""
++        # NOTE(beisner): cinder python client doesn't accept tokens.
++        service_ip = \
++            keystone_sentry.relation('shared-db',
++                                     'mysql:shared-db')['private-address']
++        ept = "http://{}:5000/v2.0".format(service_ip.strip().decode('utf-8'))
++        return cinder_client.Client(username, password, tenant, ept)
++
++    def authenticate_keystone_admin(self, keystone_sentry, user, password,
++                                    tenant):
++        """Authenticates admin user with the keystone admin endpoint."""
++        self.log.debug('Authenticating keystone admin...')
++        unit = keystone_sentry
++        service_ip = unit.relation('shared-db',
++                                   'mysql:shared-db')['private-address']
++        ep = "http://{}:35357/v2.0".format(service_ip.strip().decode('utf-8'))
++        return keystone_client.Client(username=user, password=password,
++                                      tenant_name=tenant, auth_url=ep)
++
++    def authenticate_keystone_user(self, keystone, user, password, tenant):
++        """Authenticates a regular user with the keystone public endpoint."""
++        self.log.debug('Authenticating keystone user ({})...'.format(user))
++        ep = keystone.service_catalog.url_for(service_type='identity',
++                                              endpoint_type='publicURL')
++        return keystone_client.Client(username=user, password=password,
++                                      tenant_name=tenant, auth_url=ep)
++
++    def authenticate_glance_admin(self, keystone):
++        """Authenticates admin user with glance."""
++        self.log.debug('Authenticating glance admin...')
++        ep = keystone.service_catalog.url_for(service_type='image',
++                                              endpoint_type='adminURL')
++        return glance_client.Client(ep, token=keystone.auth_token)
++
++    def authenticate_heat_admin(self, keystone):
++        """Authenticates the admin user with heat."""
++        self.log.debug('Authenticating heat admin...')
++        ep = keystone.service_catalog.url_for(service_type='orchestration',
++                                              endpoint_type='publicURL')
++        return heat_client.Client(endpoint=ep, token=keystone.auth_token)
++
++    def authenticate_nova_user(self, keystone, user, password, tenant):
++        """Authenticates a regular user with nova-api."""
++        self.log.debug('Authenticating nova user ({})...'.format(user))
++        ep = keystone.service_catalog.url_for(service_type='identity',
++                                              endpoint_type='publicURL')
++        return nova_client.Client(username=user, api_key=password,
++                                  project_id=tenant, auth_url=ep)
++
++    def authenticate_swift_user(self, keystone, user, password, tenant):
++        """Authenticates a regular user with swift api."""
++        self.log.debug('Authenticating swift user ({})...'.format(user))
++        ep = keystone.service_catalog.url_for(service_type='identity',
++                                              endpoint_type='publicURL')
++        return swiftclient.Connection(authurl=ep,
++                                      user=user,
++                                      key=password,
++                                      tenant_name=tenant,
++                                      auth_version='2.0')
++
++    def create_cirros_image(self, glance, image_name):
++        """Download the latest cirros image and upload it to glance,
++        validate and return a resource pointer.
++
++        :param glance: pointer to authenticated glance connection
++        :param image_name: display name for new image
++        :returns: glance image pointer
++        """
++        self.log.debug('Creating glance cirros image '
++                       '({})...'.format(image_name))
++
++        # Download cirros image
++        http_proxy = os.getenv('AMULET_HTTP_PROXY')
++        self.log.debug('AMULET_HTTP_PROXY: {}'.format(http_proxy))
++        if http_proxy:
++            proxies = {'http': http_proxy}
++            opener = urllib.FancyURLopener(proxies)
++        else:
++            opener = urllib.FancyURLopener()
++
++        f = opener.open('http://download.cirros-cloud.net/version/released')
++        version = f.read().strip()
++        cirros_img = 'cirros-{}-x86_64-disk.img'.format(version)
++        local_path = os.path.join('tests', cirros_img)
++
++        if not os.path.exists(local_path):
++            cirros_url = 'http://{}/{}/{}'.format('download.cirros-cloud.net',
++                                                  version, cirros_img)
++            opener.retrieve(cirros_url, local_path)
++        f.close()
++
++        # Create glance image
++        with open(local_path) as f:
++            image = glance.images.create(name=image_name, is_public=True,
++                                         disk_format='qcow2',
++                                         container_format='bare', data=f)
++
++        # Wait for image to reach active status
++        img_id = image.id
++        ret = self.resource_reaches_status(glance.images, img_id,
++                                           expected_stat='active',
++                                           msg='Image status wait')
++        if not ret:
++            msg = 'Glance image failed to reach expected state.'
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Re-validate new image
++        self.log.debug('Validating image attributes...')
++        val_img_name = glance.images.get(img_id).name
++        val_img_stat = glance.images.get(img_id).status
++        val_img_pub = glance.images.get(img_id).is_public
++        val_img_cfmt = glance.images.get(img_id).container_format
++        val_img_dfmt = glance.images.get(img_id).disk_format
++        msg_attr = ('Image attributes - name:{} public:{} id:{} stat:{} '
++                    'container fmt:{} disk fmt:{}'.format(
++                        val_img_name, val_img_pub, img_id,
++                        val_img_stat, val_img_cfmt, val_img_dfmt))
++
++        if val_img_name == image_name and val_img_stat == 'active' \
++                and val_img_pub is True and val_img_cfmt == 'bare' \
++                and val_img_dfmt == 'qcow2':
++            self.log.debug(msg_attr)
++        else:
++            msg = ('Volume validation failed, {}'.format(msg_attr))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        return image
++
++    def delete_image(self, glance, image):
++        """Delete the specified image."""
++
++        # /!\ DEPRECATION WARNING
++        self.log.warn('/!\\ DEPRECATION WARNING:  use '
++                      'delete_resource instead of delete_image.')
++        self.log.debug('Deleting glance image ({})...'.format(image))
++        return self.delete_resource(glance.images, image, msg='glance image')
++
++    def create_instance(self, nova, image_name, instance_name, flavor):
++        """Create the specified instance."""
++        self.log.debug('Creating instance '
++                       '({}|{}|{})'.format(instance_name, image_name, flavor))
++        image = nova.images.find(name=image_name)
++        flavor = nova.flavors.find(name=flavor)
++        instance = nova.servers.create(name=instance_name, image=image,
++                                       flavor=flavor)
++
++        count = 1
++        status = instance.status
++        while status != 'ACTIVE' and count < 60:
++            time.sleep(3)
++            instance = nova.servers.get(instance.id)
++            status = instance.status
++            self.log.debug('instance status: {}'.format(status))
++            count += 1
++
++        if status != 'ACTIVE':
++            self.log.error('instance creation timed out')
++            return None
++
++        return instance
++
++    def delete_instance(self, nova, instance):
++        """Delete the specified instance."""
++
++        # /!\ DEPRECATION WARNING
++        self.log.warn('/!\\ DEPRECATION WARNING:  use '
++                      'delete_resource instead of delete_instance.')
++        self.log.debug('Deleting instance ({})...'.format(instance))
++        return self.delete_resource(nova.servers, instance,
++                                    msg='nova instance')
++
++    def create_or_get_keypair(self, nova, keypair_name="testkey"):
++        """Create a new keypair, or return pointer if it already exists."""
++        try:
++            _keypair = nova.keypairs.get(keypair_name)
++            self.log.debug('Keypair ({}) already exists, '
++                           'using it.'.format(keypair_name))
++            return _keypair
++        except:
++            self.log.debug('Keypair ({}) does not exist, '
++                           'creating it.'.format(keypair_name))
++
++        _keypair = nova.keypairs.create(name=keypair_name)
++        return _keypair
++
++    def create_cinder_volume(self, cinder, vol_name="demo-vol", vol_size=1,
++                             img_id=None, src_vol_id=None, snap_id=None):
++        """Create cinder volume, optionally from a glance image, OR
++        optionally as a clone of an existing volume, OR optionally
++        from a snapshot.  Wait for the new volume status to reach
++        the expected status, validate and return a resource pointer.
++
++        :param vol_name: cinder volume display name
++        :param vol_size: size in gigabytes
++        :param img_id: optional glance image id
++        :param src_vol_id: optional source volume id to clone
++        :param snap_id: optional snapshot id to use
++        :returns: cinder volume pointer
++        """
++        # Handle parameter input and avoid impossible combinations
++        if img_id and not src_vol_id and not snap_id:
++            # Create volume from image
++            self.log.debug('Creating cinder volume from glance image...')
++            bootable = 'true'
++        elif src_vol_id and not img_id and not snap_id:
++            # Clone an existing volume
++            self.log.debug('Cloning cinder volume...')
++            bootable = cinder.volumes.get(src_vol_id).bootable
++        elif snap_id and not src_vol_id and not img_id:
++            # Create volume from snapshot
++            self.log.debug('Creating cinder volume from snapshot...')
++            snap = cinder.volume_snapshots.find(id=snap_id)
++            vol_size = snap.size
++            snap_vol_id = cinder.volume_snapshots.get(snap_id).volume_id
++            bootable = cinder.volumes.get(snap_vol_id).bootable
++        elif not img_id and not src_vol_id and not snap_id:
++            # Create volume
++            self.log.debug('Creating cinder volume...')
++            bootable = 'false'
++        else:
++            # Impossible combination of parameters
++            msg = ('Invalid method use - name:{} size:{} img_id:{} '
++                   'src_vol_id:{} snap_id:{}'.format(vol_name, vol_size,
++                                                     img_id, src_vol_id,
++                                                     snap_id))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Create new volume
++        try:
++            vol_new = cinder.volumes.create(display_name=vol_name,
++                                            imageRef=img_id,
++                                            size=vol_size,
++                                            source_volid=src_vol_id,
++                                            snapshot_id=snap_id)
++            vol_id = vol_new.id
++        except Exception as e:
++            msg = 'Failed to create volume: {}'.format(e)
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Wait for volume to reach available status
++        ret = self.resource_reaches_status(cinder.volumes, vol_id,
++                                           expected_stat="available",
++                                           msg="Volume status wait")
++        if not ret:
++            msg = 'Cinder volume failed to reach expected state.'
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Re-validate new volume
++        self.log.debug('Validating volume attributes...')
++        val_vol_name = cinder.volumes.get(vol_id).display_name
++        val_vol_boot = cinder.volumes.get(vol_id).bootable
++        val_vol_stat = cinder.volumes.get(vol_id).status
++        val_vol_size = cinder.volumes.get(vol_id).size
++        msg_attr = ('Volume attributes - name:{} id:{} stat:{} boot:'
++                    '{} size:{}'.format(val_vol_name, vol_id,
++                                        val_vol_stat, val_vol_boot,
++                                        val_vol_size))
++
++        if val_vol_boot == bootable and val_vol_stat == 'available' \
++                and val_vol_name == vol_name and val_vol_size == vol_size:
++            self.log.debug(msg_attr)
++        else:
++            msg = ('Volume validation failed, {}'.format(msg_attr))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        return vol_new
++
++    def delete_resource(self, resource, resource_id,
++                        msg="resource", max_wait=120):
++        """Delete one openstack resource, such as one instance, keypair,
++        image, volume, stack, etc., and confirm deletion within max wait time.
++
++        :param resource: pointer to os resource type, ex:glance_client.images
++        :param resource_id: unique name or id for the openstack resource
++        :param msg: text to identify purpose in logging
++        :param max_wait: maximum wait time in seconds
++        :returns: True if successful, otherwise False
++        """
++        self.log.debug('Deleting OpenStack resource '
++                       '{} ({})'.format(resource_id, msg))
++        num_before = len(list(resource.list()))
++        resource.delete(resource_id)
++
++        tries = 0
++        num_after = len(list(resource.list()))
++        while num_after != (num_before - 1) and tries < (max_wait / 4):
++            self.log.debug('{} delete check: '
++                           '{} [{}:{}] {}'.format(msg, tries,
++                                                  num_before,
++                                                  num_after,
++                                                  resource_id))
++            time.sleep(4)
++            num_after = len(list(resource.list()))
++            tries += 1
++
++        self.log.debug('{}:  expected, actual count = {}, '
++                       '{}'.format(msg, num_before - 1, num_after))
++
++        if num_after == (num_before - 1):
++            return True
++        else:
++            self.log.error('{} delete timed out'.format(msg))
++            return False
++
++    def resource_reaches_status(self, resource, resource_id,
++                                expected_stat='available',
++                                msg='resource', max_wait=120):
++        """Wait for an openstack resources status to reach an
++           expected status within a specified time.  Useful to confirm that
++           nova instances, cinder vols, snapshots, glance images, heat stacks
++           and other resources eventually reach the expected status.
++
++        :param resource: pointer to os resource type, ex: heat_client.stacks
++        :param resource_id: unique id for the openstack resource
++        :param expected_stat: status to expect resource to reach
++        :param msg: text to identify purpose in logging
++        :param max_wait: maximum wait time in seconds
++        :returns: True if successful, False if status is not reached
++        """
++
++        tries = 0
++        resource_stat = resource.get(resource_id).status
++        while resource_stat != expected_stat and tries < (max_wait / 4):
++            self.log.debug('{} status check: '
++                           '{} [{}:{}] {}'.format(msg, tries,
++                                                  resource_stat,
++                                                  expected_stat,
++                                                  resource_id))
++            time.sleep(4)
++            resource_stat = resource.get(resource_id).status
++            tries += 1
++
++        self.log.debug('{}:  expected, actual status = {}, '
++                       '{}'.format(msg, resource_stat, expected_stat))
++
++        if resource_stat == expected_stat:
++            return True
++        else:
++            self.log.debug('{} never reached expected status: '
++                           '{}'.format(resource_id, expected_stat))
++            return False
++
++    def get_ceph_osd_id_cmd(self, index):
++        """Produce a shell command that will return a ceph-osd id."""
++        return ("`initctl list | grep 'ceph-osd ' | "
++                "awk 'NR=={} {{ print $2 }}' | "
++                "grep -o '[0-9]*'`".format(index + 1))
++
++    def get_ceph_pools(self, sentry_unit):
++        """Return a dict of ceph pools from a single ceph unit, with
++        pool name as keys, pool id as vals."""
++        pools = {}
++        cmd = 'sudo ceph osd lspools'
++        output, code = sentry_unit.run(cmd)
++        if code != 0:
++            msg = ('{} `{}` returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, code, output))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        # Example output: 0 data,1 metadata,2 rbd,3 cinder,4 glance,
++        for pool in str(output).split(','):
++            pool_id_name = pool.split(' ')
++            if len(pool_id_name) == 2:
++                pool_id = pool_id_name[0]
++                pool_name = pool_id_name[1]
++                pools[pool_name] = int(pool_id)
++
++        self.log.debug('Pools on {}: {}'.format(sentry_unit.info['unit_name'],
++                                                pools))
++        return pools
++
++    def get_ceph_df(self, sentry_unit):
++        """Return dict of ceph df json output, including ceph pool state.
++
++        :param sentry_unit: Pointer to amulet sentry instance (juju unit)
++        :returns: Dict of ceph df output
++        """
++        cmd = 'sudo ceph df --format=json'
++        output, code = sentry_unit.run(cmd)
++        if code != 0:
++            msg = ('{} `{}` returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, code, output))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++        return json.loads(output)
++
++    def get_ceph_pool_sample(self, sentry_unit, pool_id=0):
++        """Take a sample of attributes of a ceph pool, returning ceph
++        pool name, object count and disk space used for the specified
++        pool ID number.
++
++        :param sentry_unit: Pointer to amulet sentry instance (juju unit)
++        :param pool_id: Ceph pool ID
++        :returns: List of pool name, object count, kb disk space used
++        """
++        df = self.get_ceph_df(sentry_unit)
++        pool_name = df['pools'][pool_id]['name']
++        obj_count = df['pools'][pool_id]['stats']['objects']
++        kb_used = df['pools'][pool_id]['stats']['kb_used']
++        self.log.debug('Ceph {} pool (ID {}): {} objects, '
++                       '{} kb used'.format(pool_name, pool_id,
++                                           obj_count, kb_used))
++        return pool_name, obj_count, kb_used
++
++    def validate_ceph_pool_samples(self, samples, sample_type="resource pool"):
++        """Validate ceph pool samples taken over time, such as pool
++        object counts or pool kb used, before adding, after adding, and
++        after deleting items which affect those pool attributes.  The
++        2nd element is expected to be greater than the 1st; 3rd is expected
++        to be less than the 2nd.
++
++        :param samples: List containing 3 data samples
++        :param sample_type: String for logging and usage context
++        :returns: None if successful, Failure message otherwise
++        """
++        original, created, deleted = range(3)
++        if samples[created] <= samples[original] or \
++                samples[deleted] >= samples[created]:
++            return ('Ceph {} samples ({}) '
++                    'unexpected.'.format(sample_type, samples))
++        else:
++            self.log.debug('Ceph {} samples (OK): '
++                           '{}'.format(sample_type, samples))
++            return None
++
++# rabbitmq/amqp specific helpers:
++    def add_rmq_test_user(self, sentry_units,
++                          username="testuser1", password="changeme"):
++        """Add a test user via the first rmq juju unit, check connection as
++        the new user against all sentry units.
++
++        :param sentry_units: list of sentry unit pointers
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :returns: None if successful.  Raise on error.
++        """
++        self.log.debug('Adding rmq user ({})...'.format(username))
++
++        # Check that user does not already exist
++        cmd_user_list = 'rabbitmqctl list_users'
++        output, _ = self.run_cmd_unit(sentry_units[0], cmd_user_list)
++        if username in output:
++            self.log.warning('User ({}) already exists, returning '
++                             'gracefully.'.format(username))
++            return
++
++        perms = '".*" ".*" ".*"'
++        cmds = ['rabbitmqctl add_user {} {}'.format(username, password),
++                'rabbitmqctl set_permissions {} {}'.format(username, perms)]
++
++        # Add user via first unit
++        for cmd in cmds:
++            output, _ = self.run_cmd_unit(sentry_units[0], cmd)
++
++        # Check connection against the other sentry_units
++        self.log.debug('Checking user connect against units...')
++        for sentry_unit in sentry_units:
++            connection = self.connect_amqp_by_unit(sentry_unit, ssl=False,
++                                                   username=username,
++                                                   password=password)
++            connection.close()
++
++    def delete_rmq_test_user(self, sentry_units, username="testuser1"):
++        """Delete a rabbitmq user via the first rmq juju unit.
++
++        :param sentry_units: list of sentry unit pointers
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :returns: None if successful or no such user.
++        """
++        self.log.debug('Deleting rmq user ({})...'.format(username))
++
++        # Check that the user exists
++        cmd_user_list = 'rabbitmqctl list_users'
++        output, _ = self.run_cmd_unit(sentry_units[0], cmd_user_list)
++
++        if username not in output:
++            self.log.warning('User ({}) does not exist, returning '
++                             'gracefully.'.format(username))
++            return
++
++        # Delete the user
++        cmd_user_del = 'rabbitmqctl delete_user {}'.format(username)
++        output, _ = self.run_cmd_unit(sentry_units[0], cmd_user_del)
++
++    def get_rmq_cluster_status(self, sentry_unit):
++        """Execute rabbitmq cluster status command on a unit and return
++        the full output.
++
++        :param unit: sentry unit
++        :returns: String containing console output of cluster status command
++        """
++        cmd = 'rabbitmqctl cluster_status'
++        output, _ = self.run_cmd_unit(sentry_unit, cmd)
++        self.log.debug('{} cluster_status:\n{}'.format(
++            sentry_unit.info['unit_name'], output))
++        return str(output)
++
++    def get_rmq_cluster_running_nodes(self, sentry_unit):
++        """Parse rabbitmqctl cluster_status output string, return list of
++        running rabbitmq cluster nodes.
++
++        :param unit: sentry unit
++        :returns: List containing node names of running nodes
++        """
++        # NOTE(beisner): rabbitmqctl cluster_status output is not
++        # json-parsable, do string chop foo, then json.loads that.
++        str_stat = self.get_rmq_cluster_status(sentry_unit)
++        if 'running_nodes' in str_stat:
++            pos_start = str_stat.find("{running_nodes,") + 15
++            pos_end = str_stat.find("]},", pos_start) + 1
++            str_run_nodes = str_stat[pos_start:pos_end].replace("'", '"')
++            run_nodes = json.loads(str_run_nodes)
++            return run_nodes
++        else:
++            return []
++
++    def validate_rmq_cluster_running_nodes(self, sentry_units):
++        """Check that all rmq unit hostnames are represented in the
++        cluster_status output of all units.
++
++        :param host_names: dict of juju unit names to host names
++        :param units: list of sentry unit pointers (all rmq units)
++        :returns: None if successful, otherwise return error message
++        """
++        host_names = self.get_unit_hostnames(sentry_units)
++        errors = []
++
++        # Query every unit for cluster_status running nodes
++        for query_unit in sentry_units:
++            query_unit_name = query_unit.info['unit_name']
++            running_nodes = self.get_rmq_cluster_running_nodes(query_unit)
++
++            # Confirm that every unit is represented in the queried unit's
++            # cluster_status running nodes output.
++            for validate_unit in sentry_units:
++                val_host_name = host_names[validate_unit.info['unit_name']]
++                val_node_name = 'rabbit@{}'.format(val_host_name)
++
++                if val_node_name not in running_nodes:
++                    errors.append('Cluster member check failed on {}: {} not '
++                                  'in {}\n'.format(query_unit_name,
++                                                   val_node_name,
++                                                   running_nodes))
++        if errors:
++            return ''.join(errors)
++
++    def rmq_ssl_is_enabled_on_unit(self, sentry_unit, port=None):
++        """Check a single juju rmq unit for ssl and port in the config file."""
++        host = sentry_unit.info['public-address']
++        unit_name = sentry_unit.info['unit_name']
++
++        conf_file = '/etc/rabbitmq/rabbitmq.config'
++        conf_contents = str(self.file_contents_safe(sentry_unit,
++                                                    conf_file, max_wait=16))
++        # Checks
++        conf_ssl = 'ssl' in conf_contents
++        conf_port = str(port) in conf_contents
++
++        # Port explicitly checked in config
++        if port and conf_port and conf_ssl:
++            self.log.debug('SSL is enabled  @{}:{} '
++                           '({})'.format(host, port, unit_name))
++            return True
++        elif port and not conf_port and conf_ssl:
++            self.log.debug('SSL is enabled @{} but not on port {} '
++                           '({})'.format(host, port, unit_name))
++            return False
++        # Port not checked (useful when checking that ssl is disabled)
++        elif not port and conf_ssl:
++            self.log.debug('SSL is enabled  @{}:{} '
++                           '({})'.format(host, port, unit_name))
++            return True
++        elif not port and not conf_ssl:
++            self.log.debug('SSL not enabled @{}:{} '
++                           '({})'.format(host, port, unit_name))
++            return False
++        else:
++            msg = ('Unknown condition when checking SSL status @{}:{} '
++                   '({})'.format(host, port, unit_name))
++            amulet.raise_status(amulet.FAIL, msg)
++
++    def validate_rmq_ssl_enabled_units(self, sentry_units, port=None):
++        """Check that ssl is enabled on rmq juju sentry units.
++
++        :param sentry_units: list of all rmq sentry units
++        :param port: optional ssl port override to validate
++        :returns: None if successful, otherwise return error message
++        """
++        for sentry_unit in sentry_units:
++            if not self.rmq_ssl_is_enabled_on_unit(sentry_unit, port=port):
++                return ('Unexpected condition:  ssl is disabled on unit '
++                        '({})'.format(sentry_unit.info['unit_name']))
++        return None
++
++    def validate_rmq_ssl_disabled_units(self, sentry_units):
++        """Check that ssl is enabled on listed rmq juju sentry units.
++
++        :param sentry_units: list of all rmq sentry units
++        :returns: True if successful.  Raise on error.
++        """
++        for sentry_unit in sentry_units:
++            if self.rmq_ssl_is_enabled_on_unit(sentry_unit):
++                return ('Unexpected condition:  ssl is enabled on unit '
++                        '({})'.format(sentry_unit.info['unit_name']))
++        return None
++
++    def configure_rmq_ssl_on(self, sentry_units, deployment,
++                             port=None, max_wait=60):
++        """Turn ssl charm config option on, with optional non-default
++        ssl port specification.  Confirm that it is enabled on every
++        unit.
++
++        :param sentry_units: list of sentry units
++        :param deployment: amulet deployment object pointer
++        :param port: amqp port, use defaults if None
++        :param max_wait: maximum time to wait in seconds to confirm
++        :returns: None if successful.  Raise on error.
++        """
++        self.log.debug('Setting ssl charm config option:  on')
++
++        # Enable RMQ SSL
++        config = {'ssl': 'on'}
++        if port:
++            config['ssl_port'] = port
++
++        deployment.configure('rabbitmq-server', config)
++
++        # Confirm
++        tries = 0
++        ret = self.validate_rmq_ssl_enabled_units(sentry_units, port=port)
++        while ret and tries < (max_wait / 4):
++            time.sleep(4)
++            self.log.debug('Attempt {}: {}'.format(tries, ret))
++            ret = self.validate_rmq_ssl_enabled_units(sentry_units, port=port)
++            tries += 1
++
++        if ret:
++            amulet.raise_status(amulet.FAIL, ret)
++
++    def configure_rmq_ssl_off(self, sentry_units, deployment, max_wait=60):
++        """Turn ssl charm config option off, confirm that it is disabled
++        on every unit.
++
++        :param sentry_units: list of sentry units
++        :param deployment: amulet deployment object pointer
++        :param max_wait: maximum time to wait in seconds to confirm
++        :returns: None if successful.  Raise on error.
++        """
++        self.log.debug('Setting ssl charm config option:  off')
++
++        # Disable RMQ SSL
++        config = {'ssl': 'off'}
++        deployment.configure('rabbitmq-server', config)
++
++        # Confirm
++        tries = 0
++        ret = self.validate_rmq_ssl_disabled_units(sentry_units)
++        while ret and tries < (max_wait / 4):
++            time.sleep(4)
++            self.log.debug('Attempt {}: {}'.format(tries, ret))
++            ret = self.validate_rmq_ssl_disabled_units(sentry_units)
++            tries += 1
++
++        if ret:
++            amulet.raise_status(amulet.FAIL, ret)
++
++    def connect_amqp_by_unit(self, sentry_unit, ssl=False,
++                             port=None, fatal=True,
++                             username="testuser1", password="changeme"):
++        """Establish and return a pika amqp connection to the rabbitmq service
++        running on a rmq juju unit.
++
++        :param sentry_unit: sentry unit pointer
++        :param ssl: boolean, default to False
++        :param port: amqp port, use defaults if None
++        :param fatal: boolean, default to True (raises on connect error)
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :returns: pika amqp connection pointer or None if failed and non-fatal
++        """
++        host = sentry_unit.info['public-address']
++        unit_name = sentry_unit.info['unit_name']
++
++        # Default port logic if port is not specified
++        if ssl and not port:
++            port = 5671
++        elif not ssl and not port:
++            port = 5672
++
++        self.log.debug('Connecting to amqp on {}:{} ({}) as '
++                       '{}...'.format(host, port, unit_name, username))
++
++        try:
++            credentials = pika.PlainCredentials(username, password)
++            parameters = pika.ConnectionParameters(host=host, port=port,
++                                                   credentials=credentials,
++                                                   ssl=ssl,
++                                                   connection_attempts=3,
++                                                   retry_delay=5,
++                                                   socket_timeout=1)
++            connection = pika.BlockingConnection(parameters)
++            assert connection.server_properties['product'] == 'RabbitMQ'
++            self.log.debug('Connect OK')
++            return connection
++        except Exception as e:
++            msg = ('amqp connection failed to {}:{} as '
++                   '{} ({})'.format(host, port, username, str(e)))
++            if fatal:
++                amulet.raise_status(amulet.FAIL, msg)
++            else:
++                self.log.warn(msg)
++                return None
++
++    def publish_amqp_message_by_unit(self, sentry_unit, message,
++                                     queue="test", ssl=False,
++                                     username="testuser1",
++                                     password="changeme",
++                                     port=None):
++        """Publish an amqp message to a rmq juju unit.
++
++        :param sentry_unit: sentry unit pointer
++        :param message: amqp message string
++        :param queue: message queue, default to test
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :param ssl: boolean, default to False
++        :param port: amqp port, use defaults if None
++        :returns: None.  Raises exception if publish failed.
++        """
++        self.log.debug('Publishing message to {} queue:\n{}'.format(queue,
++                                                                    message))
++        connection = self.connect_amqp_by_unit(sentry_unit, ssl=ssl,
++                                               port=port,
++                                               username=username,
++                                               password=password)
++
++        # NOTE(beisner): extra debug here re: pika hang potential:
++        #   https://github.com/pika/pika/issues/297
++        #   https://groups.google.com/forum/#!topic/rabbitmq-users/Ja0iyfF0Szw
++        self.log.debug('Defining channel...')
++        channel = connection.channel()
++        self.log.debug('Declaring queue...')
++        channel.queue_declare(queue=queue, auto_delete=False, durable=True)
++        self.log.debug('Publishing message...')
++        channel.basic_publish(exchange='', routing_key=queue, body=message)
++        self.log.debug('Closing channel...')
++        channel.close()
++        self.log.debug('Closing connection...')
++        connection.close()
++
++    def get_amqp_message_by_unit(self, sentry_unit, queue="test",
++                                 username="testuser1",
++                                 password="changeme",
++                                 ssl=False, port=None):
++        """Get an amqp message from a rmq juju unit.
++
++        :param sentry_unit: sentry unit pointer
++        :param queue: message queue, default to test
++        :param username: amqp user name, default to testuser1
++        :param password: amqp user password
++        :param ssl: boolean, default to False
++        :param port: amqp port, use defaults if None
++        :returns: amqp message body as string.  Raise if get fails.
++        """
++        connection = self.connect_amqp_by_unit(sentry_unit, ssl=ssl,
++                                               port=port,
++                                               username=username,
++                                               password=password)
++        channel = connection.channel()
++        method_frame, _, body = channel.basic_get(queue)
++
++        if method_frame:
++            self.log.debug('Retreived message from {} queue:\n{}'.format(queue,
++                                                                         body))
++            channel.basic_ack(method_frame.delivery_tag)
++            channel.close()
++            connection.close()
++            return body
++        else:
++            msg = 'No message retrieved.'
++            amulet.raise_status(amulet.FAIL, msg)
 === modified file 'hooks/charmhelpers/contrib/openstack/context.py'
 --- hooks/charmhelpers/contrib/openstack/context.py	2014-06-11 09:44:51 +0000
 +++ hooks/charmhelpers/contrib/openstack/context.py	2015-11-12 11:46:11 +0000
@@ -1,48 +1,94 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import glob
  import json
  import os
++import re
  import time
--
  from base64 import b64decode
--
--from subprocess import (
--    check_call
--)
--
++from subprocess import check_call
++
++import six
++import yaml
  from charmhelpers.fetch import (
      apt_install,
      filter_installed_packages,
+ )
--
  from charmhelpers.core.hookenv import (
      config,
++    is_relation_made,
      local_unit,
      log,
      relation_get,
      relation_ids,
      related_units,
++    relation_set,
      unit_get,
      unit_private_ip,
++    charm_name,
++    DEBUG,
++    INFO,
++    WARNING,
      ERROR,
+ )
++from charmhelpers.core.sysctl import create as sysctl_create
++from charmhelpers.core.strutils import bool_from_string
++
++from charmhelpers.core.host import (
++    get_bond_master,
++    is_phy_iface,
++    list_nics,
++    get_nic_hwaddr,
++    mkdir,
++    write_file,
++)
  from charmhelpers.contrib.hahelpers.cluster import (
      determine_apache_port,
      determine_api_port,
      https,
--    is_clustered
++    is_clustered,
+ )
--
  from charmhelpers.contrib.hahelpers.apache import (
      get_cert,
      get_ca_cert,
++    install_ca_cert,
+ )
--
  from charmhelpers.contrib.openstack.neutron import (
      neutron_plugin_attribute,
--)
--
++    parse_data_port_mappings,
++)
++from charmhelpers.contrib.openstack.ip import (
++    resolve_address,
++    INTERNAL,
++)
++from charmhelpers.contrib.network.ip import (
++    get_address_in_network,
++    get_ipv4_addr,
++    get_ipv6_addr,
++    get_netmask_for_address,
++    format_ipv6_addr,
++    is_address_in_network,
++    is_bridge_member,
++)
++from charmhelpers.contrib.openstack.utils import get_host_ip
  CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
++ADDRESS_TYPES = ['admin', 'internal', 'public']
  class OSContextError(Exception):
@@ -50,7 +96,7 @@
  def ensure_packages(packages):
--    '''Install but do not upgrade required plugin packages'''
++    """Install but do not upgrade required plugin packages."""
      required = filter_installed_packages(packages)
      if required:
          apt_install(required, fatal=True)
@@ -58,20 +104,62 @@
  def context_complete(ctxt):
      _missing = []
--    for k, v in ctxt.iteritems():
++    for k, v in six.iteritems(ctxt):
          if v is None or v == '':
              _missing.append(k)
++
      if _missing:
--        log('Missing required data: %s' % ' '.join(_missing), level='INFO')
++        log('Missing required data: %s' % ' '.join(_missing), level=INFO)
          return False
++
      return True
  def config_flags_parser(config_flags):
++    """Parses config flags string into dict.
++
++    This parsing method supports a few different formats for the config
++    flag values to be parsed:
++
++      1. A string in the simple format of key=value pairs, with the possibility
++         of specifying multiple key value pairs within the same string. For
++         example, a string in the format of 'key1=value1, key2=value2' will
++         return a dict of:
++
++             {'key1': 'value1',
++              'key2': 'value2'}.
++
++      2. A string in the above format, but supporting a comma-delimited list
++         of values for the same key. For example, a string in the format of
++         'key1=value1, key2=value3,value4,value5' will return a dict of:
++
++             {'key1', 'value1',
++              'key2', 'value2,value3,value4'}
++
++      3. A string containing a colon character (:) prior to an equal
++         character (=) will be treated as yaml and parsed as such. This can be
++         used to specify more complex key value pairs. For example,
++         a string in the format of 'key1: subkey1=value1, subkey2=value2' will
++         return a dict of:
++
++             {'key1', 'subkey1=value1, subkey2=value2'}
++
++    The provided config_flags string may be a list of comma-separated values
++    which themselves may be comma-separated list of values.
++    """
++    # If we find a colon before an equals sign then treat it as yaml.
++    # Note: limit it to finding the colon first since this indicates assignment
++    # for inline yaml.
++    colon = config_flags.find(':')
++    equals = config_flags.find('=')
++    if colon > 0:
++        if colon < equals or equals < 0:
++            return yaml.safe_load(config_flags)
++
      if config_flags.find('==') >= 0:
--        log("config_flags is not in expected format (key=value)",
--            level=ERROR)
++        log("config_flags is not in expected format (key=value)", level=ERROR)
          raise OSContextError
++
      # strip the following from each value.
      post_strippers = ' ,'
      # we strip any leading/trailing '=' or ' ' from the string then
@@ -79,7 +167,7 @@
      split = config_flags.strip(' =').split('=')
      limit = len(split)
      flags = {}
--    for i in xrange(0, limit - 1):
++    for i in range(0, limit - 1):
          current = split[i]
          next = split[i + 1]
          vindex = next.rfind(',')
@@ -94,63 +182,125 @@
              # if this not the first entry, expect an embedded key.
              index = current.rfind(',')
              if index < 0:
--                log("invalid config value(s) at index %s" % (i),
--                    level=ERROR)
++                log("Invalid config value(s) at index %s" % (i), level=ERROR)
                  raise OSContextError
              key = current[index + 1:]
          # Add to collection.
          flags[key.strip(post_strippers)] = value.rstrip(post_strippers)
++
      return flags
  class OSContextGenerator(object):
++    """Base class for all context generators."""
      interfaces = []
++    related = False
++    complete = False
++    missing_data = []
      def __call__(self):
          raise NotImplementedError
++    def context_complete(self, ctxt):
++        """Check for missing data for the required context data.
++        Set self.missing_data if it exists and return False.
++        Set self.complete if no missing data and return True.
++        """
++        # Fresh start
++        self.complete = False
++        self.missing_data = []
++        for k, v in six.iteritems(ctxt):
++            if v is None or v == '':
++                if k not in self.missing_data:
++                    self.missing_data.append(k)
++
++        if self.missing_data:
++            self.complete = False
++            log('Missing required data: %s' % ' '.join(self.missing_data), level=INFO)
++        else:
++            self.complete = True
++        return self.complete
++
++    def get_related(self):
++        """Check if any of the context interfaces have relation ids.
++        Set self.related and return True if one of the interfaces
++        has relation ids.
++        """
++        # Fresh start
++        self.related = False
++        try:
++            for interface in self.interfaces:
++                if relation_ids(interface):
++                    self.related = True
++            return self.related
++        except AttributeError as e:
++            log("{} {}"
++                "".format(self, e), 'INFO')
++            return self.related
++
  class SharedDBContext(OSContextGenerator):
      interfaces = ['shared-db']
      def __init__(self,
                   database=None, user=None, relation_prefix=None, ssl_dir=None):
--        '''
--        Allows inspecting relation for settings prefixed with relation_prefix.
--        This is useful for parsing access for multiple databases returned via
--        the shared-db interface (eg, nova_password, quantum_password)
--        '''
++        """Allows inspecting relation for settings prefixed with
++        relation_prefix. This is useful for parsing access for multiple
++        databases returned via the shared-db interface (eg, nova_password,
++        quantum_password)
++        """
          self.relation_prefix = relation_prefix
          self.database = database
          self.user = user
          self.ssl_dir = ssl_dir
++        self.rel_name = self.interfaces[0]
      def __call__(self):
          self.database = self.database or config('database')
          self.user = self.user or config('database-user')
          if None in [self.database, self.user]:
--            log('Could not generate shared_db context. '
--                'Missing required charm config options. '
--                '(database name and user)')
++            log("Could not generate shared_db context. Missing required charm "
++                "config options. (database name and user)", level=ERROR)
              raise OSContextError
++
          ctxt = {}
++        # NOTE(jamespage) if mysql charm provides a network upon which
++        # access to the database should be made, reconfigure relation
++        # with the service units local address and defer execution
++        access_network = relation_get('access-network')
++        if access_network is not None:
++            if self.relation_prefix is not None:
++                hostname_key = "{}_hostname".format(self.relation_prefix)
++            else:
++                hostname_key = "hostname"
++            access_hostname = get_address_in_network(access_network,
++                                                     unit_get('private-address'))
++            set_hostname = relation_get(attribute=hostname_key,
++                                        unit=local_unit())
++            if set_hostname != access_hostname:
++                relation_set(relation_settings={hostname_key: access_hostname})
++                return None  # Defer any further hook execution for now....
++
          password_setting = 'password'
          if self.relation_prefix:
              password_setting = self.relation_prefix + '_password'
--        for rid in relation_ids('shared-db'):
++        for rid in relation_ids(self.interfaces[0]):
++            self.related = True
              for unit in related_units(rid):
                  rdata = relation_get(rid=rid, unit=unit)
++                host = rdata.get('db_host')
++                host = format_ipv6_addr(host) or host
                  ctxt = {
--                    'database_host': rdata.get('db_host'),
++                    'database_host': host,
                      'database': self.database,
                      'database_user': self.user,
                      'database_password': rdata.get(password_setting),
                      'database_type': 'mysql'
+                 }
--                if context_complete(ctxt):
++                if self.context_complete(ctxt):
                      db_ssl(rdata, ctxt, self.ssl_dir)
                      return ctxt
          return {}
@@ -165,23 +315,25 @@
      def __call__(self):
          self.database = self.database or config('database')
          if self.database is None:
--            log('Could not generate postgresql_db context. '
--                'Missing required charm config options. '
--                '(database name)')
++            log('Could not generate postgresql_db context. Missing required '
++                'charm config options. (database name)', level=ERROR)
              raise OSContextError
++
          ctxt = {}
--
          for rid in relation_ids(self.interfaces[0]):
++            self.related = True
              for unit in related_units(rid):
--                ctxt = {
--                    'database_host': relation_get('host', rid=rid, unit=unit),
--                    'database': self.database,
--                    'database_user': relation_get('user', rid=rid, unit=unit),
--                    'database_password': relation_get('password', rid=rid, unit=unit),
--                    'database_type': 'postgresql',
--                }
--                if context_complete(ctxt):
++                rel_host = relation_get('host', rid=rid, unit=unit)
++                rel_user = relation_get('user', rid=rid, unit=unit)
++                rel_passwd = relation_get('password', rid=rid, unit=unit)
++                ctxt = {'database_host': rel_host,
++                        'database': self.database,
++                        'database_user': rel_user,
++                        'database_password': rel_passwd,
++                        'database_type': 'postgresql'}
++                if self.context_complete(ctxt):
                      return ctxt
++
          return {}
@@ -190,85 +342,126 @@
          ca_path = os.path.join(ssl_dir, 'db-client.ca')
          with open(ca_path, 'w') as fh:
              fh.write(b64decode(rdata['ssl_ca']))
++
          ctxt['database_ssl_ca'] = ca_path
      elif 'ssl_ca' in rdata:
--        log("Charm not setup for ssl support but ssl ca found")
++        log("Charm not setup for ssl support but ssl ca found", level=INFO)
          return ctxt
++
      if 'ssl_cert' in rdata:
          cert_path = os.path.join(
              ssl_dir, 'db-client.cert')
          if not os.path.exists(cert_path):
--            log("Waiting 1m for ssl client cert validity")
++            log("Waiting 1m for ssl client cert validity", level=INFO)
              time.sleep(60)
++
          with open(cert_path, 'w') as fh:
              fh.write(b64decode(rdata['ssl_cert']))
++
          ctxt['database_ssl_cert'] = cert_path
          key_path = os.path.join(ssl_dir, 'db-client.key')
          with open(key_path, 'w') as fh:
              fh.write(b64decode(rdata['ssl_key']))
++
          ctxt['database_ssl_key'] = key_path
++
      return ctxt
  class IdentityServiceContext(OSContextGenerator):
--    interfaces = ['identity-service']
++
++    def __init__(self, service=None, service_user=None, rel_name='identity-service'):
++        self.service = service
++        self.service_user = service_user
++        self.rel_name = rel_name
++        self.interfaces = [self.rel_name]
      def __call__(self):
--        log('Generating template context for identity-service')
++        log('Generating template context for ' + self.rel_name, level=DEBUG)
          ctxt = {}
--        for rid in relation_ids('identity-service'):
++        if self.service and self.service_user:
++            # This is required for pki token signing if we don't want /tmp to
++            # be used.
++            cachedir = '/var/cache/%s' % (self.service)
++            if not os.path.isdir(cachedir):
++                log("Creating service cache dir %s" % (cachedir), level=DEBUG)
++                mkdir(path=cachedir, owner=self.service_user,
++                      group=self.service_user, perms=0o700)
++
++            ctxt['signing_dir'] = cachedir
++
++        for rid in relation_ids(self.rel_name):
++            self.related = True
              for unit in related_units(rid):
                  rdata = relation_get(rid=rid, unit=unit)
--                ctxt = {
--                    'service_port': rdata.get('service_port'),
--                    'service_host': rdata.get('service_host'),
--                    'auth_host': rdata.get('auth_host'),
--                    'auth_port': rdata.get('auth_port'),
--                    'admin_tenant_name': rdata.get('service_tenant'),
--                    'admin_user': rdata.get('service_username'),
--                    'admin_password': rdata.get('service_password'),
--                    'service_protocol':
--                    rdata.get('service_protocol') or 'http',
--                    'auth_protocol':
--                    rdata.get('auth_protocol') or 'http',
--                }
--                if context_complete(ctxt):
++                serv_host = rdata.get('service_host')
++                serv_host = format_ipv6_addr(serv_host) or serv_host
++                auth_host = rdata.get('auth_host')
++                auth_host = format_ipv6_addr(auth_host) or auth_host
++                svc_protocol = rdata.get('service_protocol') or 'http'
++                auth_protocol = rdata.get('auth_protocol') or 'http'
++                ctxt.update({'service_port': rdata.get('service_port'),
++                             'service_host': serv_host,
++                             'auth_host': auth_host,
++                             'auth_port': rdata.get('auth_port'),
++                             'admin_tenant_name': rdata.get('service_tenant'),
++                             'admin_user': rdata.get('service_username'),
++                             'admin_password': rdata.get('service_password'),
++                             'service_protocol': svc_protocol,
++                             'auth_protocol': auth_protocol})
++
++                if self.context_complete(ctxt):
                      # NOTE(jamespage) this is required for >= icehouse
                      # so a missing value just indicates keystone needs
                      # upgrading
                      ctxt['admin_tenant_id'] = rdata.get('service_tenant_id')
                      return ctxt
++
          return {}
  class AMQPContext(OSContextGenerator):
--    interfaces = ['amqp']
--    def __init__(self, ssl_dir=None):
++    def __init__(self, ssl_dir=None, rel_name='amqp', relation_prefix=None):
          self.ssl_dir = ssl_dir
++        self.rel_name = rel_name
++        self.relation_prefix = relation_prefix
++        self.interfaces = [rel_name]
      def __call__(self):
--        log('Generating template context for amqp')
++        log('Generating template context for amqp', level=DEBUG)
          conf = config()
++        if self.relation_prefix:
++            user_setting = '%s-rabbit-user' % (self.relation_prefix)
++            vhost_setting = '%s-rabbit-vhost' % (self.relation_prefix)
++        else:
++            user_setting = 'rabbit-user'
++            vhost_setting = 'rabbit-vhost'
++
          try:
--            username = conf['rabbit-user']
--            vhost = conf['rabbit-vhost']
++            username = conf[user_setting]
++            vhost = conf[vhost_setting]
          except KeyError as e:
--            log('Could not generate shared_db context. '
--                'Missing required charm config options: %s.' % e)
++            log('Could not generate shared_db context. Missing required charm '
++                'config options: %s.' % e, level=ERROR)
              raise OSContextError
++
          ctxt = {}
--        for rid in relation_ids('amqp'):
++        for rid in relation_ids(self.rel_name):
              ha_vip_only = False
++            self.related = True
              for unit in related_units(rid):
                  if relation_get('clustered', rid=rid, unit=unit):
                      ctxt['clustered'] = True
--                    ctxt['rabbitmq_host'] = relation_get('vip', rid=rid,
--                                                         unit=unit)
++                    vip = relation_get('vip', rid=rid, unit=unit)
++                    vip = format_ipv6_addr(vip) or vip
++                    ctxt['rabbitmq_host'] = vip
                  else:
--                    ctxt['rabbitmq_host'] = relation_get('private-address',
--                                                         rid=rid, unit=unit)
++                    host = relation_get('private-address', rid=rid, unit=unit)
++                    host = format_ipv6_addr(host) or host
++                    ctxt['rabbitmq_host'] = host
++
                  ctxt.update({
                      'rabbitmq_user': username,
                      'rabbitmq_password': relation_get('password', rid=rid,
@@ -279,6 +472,7 @@
                  ssl_port = relation_get('ssl_port', rid=rid, unit=unit)
                  if ssl_port:
                      ctxt['rabbit_ssl_port'] = ssl_port
++
                  ssl_ca = relation_get('ssl_ca', rid=rid, unit=unit)
                  if ssl_ca:
                      ctxt['rabbit_ssl_ca'] = ssl_ca
@@ -289,104 +483,172 @@
                  ha_vip_only = relation_get('ha-vip-only',
                                             rid=rid, unit=unit) is not None
--                if context_complete(ctxt):
++                if self.context_complete(ctxt):
                      if 'rabbit_ssl_ca' in ctxt:
                          if not self.ssl_dir:
--                            log(("Charm not setup for ssl support "
--                                 "but ssl ca found"))
++                            log("Charm not setup for ssl support but ssl ca "
++                                "found", level=INFO)
                              break
++
                          ca_path = os.path.join(
                              self.ssl_dir, 'rabbit-client-ca.pem')
                          with open(ca_path, 'w') as fh:
                              fh.write(b64decode(ctxt['rabbit_ssl_ca']))
                              ctxt['rabbit_ssl_ca'] = ca_path
++
                      # Sufficient information found = break out!
                      break
++
              # Used for active/active rabbitmq >= grizzly
--            if ('clustered' not in ctxt or ha_vip_only) \
--                    and len(related_units(rid)) > 1:
++            if (('clustered' not in ctxt or ha_vip_only) and
++                    len(related_units(rid)) > 1):
                  rabbitmq_hosts = []
                  for unit in related_units(rid):
--                    rabbitmq_hosts.append(relation_get('private-address',
--                                                       rid=rid, unit=unit))
--                ctxt['rabbitmq_hosts'] = ','.join(rabbitmq_hosts)
--        if not context_complete(ctxt):
++                    host = relation_get('private-address', rid=rid, unit=unit)
++                    host = format_ipv6_addr(host) or host
++                    rabbitmq_hosts.append(host)
++
++                ctxt['rabbitmq_hosts'] = ','.join(sorted(rabbitmq_hosts))
++
++        oslo_messaging_flags = conf.get('oslo-messaging-flags', None)
++        if oslo_messaging_flags:
++            ctxt['oslo_messaging_flags'] = config_flags_parser(
++                oslo_messaging_flags)
++
++        if not self.complete:
              return {}
--        else:
--            return ctxt
++
++        return ctxt
  class CephContext(OSContextGenerator):
++    """Generates context for /etc/ceph/ceph.conf templates."""
      interfaces = ['ceph']
      def __call__(self):
--        '''This generates context for /etc/ceph/ceph.conf templates'''
          if not relation_ids('ceph'):
              return {}
--        log('Generating template context for ceph')
--
++        log('Generating template context for ceph', level=DEBUG)
          mon_hosts = []
--        auth = None
--        key = None
--        use_syslog = str(config('use-syslog')).lower()
++        ctxt = {
++            'use_syslog': str(config('use-syslog')).lower()
++        }
          for rid in relation_ids('ceph'):
              for unit in related_units(rid):
--                mon_hosts.append(relation_get('private-address', rid=rid,
--                                              unit=unit))
--                auth = relation_get('auth', rid=rid, unit=unit)
--                key = relation_get('key', rid=rid, unit=unit)
++                if not ctxt.get('auth'):
++                    ctxt['auth'] = relation_get('auth', rid=rid, unit=unit)
++                if not ctxt.get('key'):
++                    ctxt['key'] = relation_get('key', rid=rid, unit=unit)
++                ceph_pub_addr = relation_get('ceph-public-address', rid=rid,
++                                             unit=unit)
++                unit_priv_addr = relation_get('private-address', rid=rid,
++                                              unit=unit)
++                ceph_addr = ceph_pub_addr or unit_priv_addr
++                ceph_addr = format_ipv6_addr(ceph_addr) or ceph_addr
++                mon_hosts.append(ceph_addr)
--        ctxt = {
--            'mon_hosts': ' '.join(mon_hosts),
--            'auth': auth,
--            'key': key,
--            'use_syslog': use_syslog
--        }
++        ctxt['mon_hosts'] = ' '.join(sorted(mon_hosts))
          if not os.path.isdir('/etc/ceph'):
              os.mkdir('/etc/ceph')
--        if not context_complete(ctxt):
++        if not self.context_complete(ctxt):
              return {}
          ensure_packages(['ceph-common'])
--
          return ctxt
  class HAProxyContext(OSContextGenerator):
++    """Provides half a context for the haproxy template, which describes
++    all peers to be included in the cluster.  Each charm needs to include
++    its own context generator that describes the port mapping.
++    """
      interfaces = ['cluster']
++    def __init__(self, singlenode_mode=False):
++        self.singlenode_mode = singlenode_mode
++
      def __call__(self):
--        '''
--        Builds half a context for the haproxy template, which describes
--        all peers to be included in the cluster.  Each charm needs to include
--        its own context generator that describes the port mapping.
--        '''
--        if not relation_ids('cluster'):
++        if not relation_ids('cluster') and not self.singlenode_mode:
              return {}
++        if config('prefer-ipv6'):
++            addr = get_ipv6_addr(exc_list=[config('vip')])[0]
++        else:
++            addr = get_host_ip(unit_get('private-address'))
++
++        l_unit = local_unit().replace('/', '-')
          cluster_hosts = {}
--        l_unit = local_unit().replace('/', '-')
--        cluster_hosts[l_unit] = unit_get('private-address')
--
++
++        # NOTE(jamespage): build out map of configured network endpoints
++        # and associated backends
++        for addr_type in ADDRESS_TYPES:
++            cfg_opt = 'os-{}-network'.format(addr_type)
++            laddr = get_address_in_network(config(cfg_opt))
++            if laddr:
++                netmask = get_netmask_for_address(laddr)
++                cluster_hosts[laddr] = {'network': "{}/{}".format(laddr,
++                                                                  netmask),
++                                        'backends': {l_unit: laddr}}
++                for rid in relation_ids('cluster'):
++                    for unit in related_units(rid):
++                        _laddr = relation_get('{}-address'.format(addr_type),
++                                              rid=rid, unit=unit)
++                        if _laddr:
++                            _unit = unit.replace('/', '-')
++                            cluster_hosts[laddr]['backends'][_unit] = _laddr
++
++        # NOTE(jamespage) add backend based on private address - this
++        # with either be the only backend or the fallback if no acls
++        # match in the frontend
++        cluster_hosts[addr] = {}
++        netmask = get_netmask_for_address(addr)
++        cluster_hosts[addr] = {'network': "{}/{}".format(addr, netmask),
++                               'backends': {l_unit: addr}}
          for rid in relation_ids('cluster'):
              for unit in related_units(rid):
--                _unit = unit.replace('/', '-')
--                addr = relation_get('private-address', rid=rid, unit=unit)
--                cluster_hosts[_unit] = addr
++                _laddr = relation_get('private-address',
++                                      rid=rid, unit=unit)
++                if _laddr:
++                    _unit = unit.replace('/', '-')
++                    cluster_hosts[addr]['backends'][_unit] = _laddr
          ctxt = {
--            'units': cluster_hosts,
++            'frontends': cluster_hosts,
++            'default_backend': addr
+         }
--        if len(cluster_hosts.keys()) > 1:
--            # Enable haproxy when we have enough peers.
--            log('Ensuring haproxy enabled in /etc/default/haproxy.')
--            with open('/etc/default/haproxy', 'w') as out:
--                out.write('ENABLED=1\n')
--            return ctxt
--        log('HAProxy context is incomplete, this unit has no peers.')
++
++        if config('haproxy-server-timeout'):
++            ctxt['haproxy_server_timeout'] = config('haproxy-server-timeout')
++
++        if config('haproxy-client-timeout'):
++            ctxt['haproxy_client_timeout'] = config('haproxy-client-timeout')
++
++        if config('prefer-ipv6'):
++            ctxt['ipv6'] = True
++            ctxt['local_host'] = 'ip6-localhost'
++            ctxt['haproxy_host'] = '::'
++            ctxt['stat_port'] = ':::8888'
++        else:
++            ctxt['local_host'] = '127.0.0.1'
++            ctxt['haproxy_host'] = '0.0.0.0'
++            ctxt['stat_port'] = ':8888'
++
++        for frontend in cluster_hosts:
++            if (len(cluster_hosts[frontend]['backends']) > 1 or
++                    self.singlenode_mode):
++                # Enable haproxy when we have enough peers.
++                log('Ensuring haproxy enabled in /etc/default/haproxy.',
++                    level=DEBUG)
++                with open('/etc/default/haproxy', 'w') as out:
++                    out.write('ENABLED=1\n')
++
++                return ctxt
++
++        log('HAProxy context is incomplete, this unit has no peers.',
++            level=INFO)
          return {}
@@ -394,36 +656,36 @@
      interfaces = ['image-service']
      def __call__(self):
--        '''
--        Obtains the glance API server from the image-service relation.  Useful
--        in nova and cinder (currently).
--        '''
--        log('Generating template context for image-service.')
++        """Obtains the glance API server from the image-service relation.
++        Useful in nova and cinder (currently).
++        """
++        log('Generating template context for image-service.', level=DEBUG)
          rids = relation_ids('image-service')
          if not rids:
              return {}
++
          for rid in rids:
              for unit in related_units(rid):
                  api_server = relation_get('glance-api-server',
                                            rid=rid, unit=unit)
                  if api_server:
                      return {'glance_api_servers': api_server}
--        log('ImageService context is incomplete. '
--            'Missing required relation data.')
++
++        log("ImageService context is incomplete. Missing required relation "
++            "data.", level=INFO)
          return {}
  class ApacheSSLContext(OSContextGenerator):
--
--    """
--    Generates a context for an apache vhost configuration that configures
++    """Generates a context for an apache vhost configuration that configures
      HTTPS reverse proxying for one or many endpoints.  Generated context
--    looks something like:
--    {
--        'namespace': 'cinder',
--        'private_address': 'iscsi.mycinderhost.com',
--        'endpoints': [(8776, 8766), (8777, 8767)]
--    }
++    looks something like::
++
++        {
++            'namespace': 'cinder',
++            'private_address': 'iscsi.mycinderhost.com',
++            'endpoints': [(8776, 8766), (8777, 8767)]
++        }
      The endpoints list consists of a tuples mapping external ports
      to internal ports.
@@ -439,44 +701,119 @@
          cmd = ['a2enmod', 'ssl', 'proxy', 'proxy_http']
          check_call(cmd)
--    def configure_cert(self):
--        if not os.path.isdir('/etc/apache2/ssl'):
--            os.mkdir('/etc/apache2/ssl')
++    def configure_cert(self, cn=None):
          ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
--        if not os.path.isdir(ssl_dir):
--            os.mkdir(ssl_dir)
--        cert, key = get_cert()
--        with open(os.path.join(ssl_dir, 'cert'), 'w') as cert_out:
--            cert_out.write(b64decode(cert))
--        with open(os.path.join(ssl_dir, 'key'), 'w') as key_out:
--            key_out.write(b64decode(key))
++        mkdir(path=ssl_dir)
++        cert, key = get_cert(cn)
++        if cn:
++            cert_filename = 'cert_{}'.format(cn)
++            key_filename = 'key_{}'.format(cn)
++        else:
++            cert_filename = 'cert'
++            key_filename = 'key'
++
++        write_file(path=os.path.join(ssl_dir, cert_filename),
++                   content=b64decode(cert))
++        write_file(path=os.path.join(ssl_dir, key_filename),
++                   content=b64decode(key))
++
++    def configure_ca(self):
          ca_cert = get_ca_cert()
          if ca_cert:
--            with open(CA_CERT_PATH, 'w') as ca_out:
--                ca_out.write(b64decode(ca_cert))
--            check_call(['update-ca-certificates'])
++            install_ca_cert(b64decode(ca_cert))
++
++    def canonical_names(self):
++        """Figure out which canonical names clients will access this service.
++        """
++        cns = []
++        for r_id in relation_ids('identity-service'):
++            for unit in related_units(r_id):
++                rdata = relation_get(rid=r_id, unit=unit)
++                for k in rdata:
++                    if k.startswith('ssl_key_'):
++                        cns.append(k.lstrip('ssl_key_'))
++
++        return sorted(list(set(cns)))
++
++    def get_network_addresses(self):
++        """For each network configured, return corresponding address and vip
++           (if available).
++
++        Returns a list of tuples of the form:
++
++            [(address_in_net_a, vip_in_net_a),
++             (address_in_net_b, vip_in_net_b),
++             ...]
++
++            or, if no vip(s) available:
++
++            [(address_in_net_a, address_in_net_a),
++             (address_in_net_b, address_in_net_b),
++             ...]
++        """
++        addresses = []
++        if config('vip'):
++            vips = config('vip').split()
++        else:
++            vips = []
++
++        for net_type in ['os-internal-network', 'os-admin-network',
++                         'os-public-network']:
++            addr = get_address_in_network(config(net_type),
++                                          unit_get('private-address'))
++            if len(vips) > 1 and is_clustered():
++                if not config(net_type):
++                    log("Multiple networks configured but net_type "
++                        "is None (%s)." % net_type, level=WARNING)
++                    continue
++
++                for vip in vips:
++                    if is_address_in_network(config(net_type), vip):
++                        addresses.append((addr, vip))
++                        break
++
++            elif is_clustered() and config('vip'):
++                addresses.append((addr, config('vip')))
++            else:
++                addresses.append((addr, addr))
++
++        return sorted(addresses)
      def __call__(self):
--        if isinstance(self.external_ports, basestring):
++        if isinstance(self.external_ports, six.string_types):
              self.external_ports = [self.external_ports]
--        if (not self.external_ports or not https()):
++
++        if not self.external_ports or not https():
              return {}
--        self.configure_cert()
++        self.configure_ca()
          self.enable_modules()
--        ctxt = {
--            'namespace': self.service_namespace,
--            'private_address': unit_get('private-address'),
--            'endpoints': []
--        }
--        if is_clustered():
--            ctxt['private_address'] = config('vip')
--        for api_port in self.external_ports:
--            ext_port = determine_apache_port(api_port)
--            int_port = determine_api_port(api_port)
--            portmap = (int(ext_port), int(int_port))
--            ctxt['endpoints'].append(portmap)
++        ctxt = {'namespace': self.service_namespace,
++                'endpoints': [],
++                'ext_ports': []}
++
++        cns = self.canonical_names()
++        if cns:
++            for cn in cns:
++                self.configure_cert(cn)
++        else:
++            # Expect cert/key provided in config (currently assumed that ca
++            # uses ip for cn)
++            cn = resolve_address(endpoint_type=INTERNAL)
++            self.configure_cert(cn)
++
++        addresses = self.get_network_addresses()
++        for address, endpoint in sorted(set(addresses)):
++            for api_port in self.external_ports:
++                ext_port = determine_apache_port(api_port,
++                                                 singlenode_mode=True)
++                int_port = determine_api_port(api_port, singlenode_mode=True)
++                portmap = (address, endpoint, int(ext_port), int(int_port))
++                ctxt['endpoints'].append(portmap)
++                ctxt['ext_ports'].append(int(ext_port))
++
++        ctxt['ext_ports'] = sorted(list(set(ctxt['ext_ports'])))
          return ctxt
@@ -493,21 +830,23 @@
      @property
      def packages(self):
--        return neutron_plugin_attribute(
--            self.plugin, 'packages', self.network_manager)
++        return neutron_plugin_attribute(self.plugin, 'packages',
++                                        self.network_manager)
      @property
      def neutron_security_groups(self):
          return None
      def _ensure_packages(self):
--        [ensure_packages(pkgs) for pkgs in self.packages]
++        for pkgs in self.packages:
++            ensure_packages(pkgs)
      def _save_flag_file(self):
          if self.network_manager == 'quantum':
              _file = '/etc/nova/quantum_plugin.conf'
          else:
              _file = '/etc/nova/neutron_plugin.conf'
++
          with open(_file, 'wb') as out:
              out.write(self.plugin + '\n')
@@ -516,50 +855,104 @@
                                            self.network_manager)
          config = neutron_plugin_attribute(self.plugin, 'config',
                                            self.network_manager)
--        ovs_ctxt = {
--            'core_plugin': driver,
--            'neutron_plugin': 'ovs',
--            'neutron_security_groups': self.neutron_security_groups,
--            'local_ip': unit_private_ip(),
--            'config': config
--        }
++        ovs_ctxt = {'core_plugin': driver,
++                    'neutron_plugin': 'ovs',
++                    'neutron_security_groups': self.neutron_security_groups,
++                    'local_ip': unit_private_ip(),
++                    'config': config}
          return ovs_ctxt
++    def nuage_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        nuage_ctxt = {'core_plugin': driver,
++                      'neutron_plugin': 'vsp',
++                      'neutron_security_groups': self.neutron_security_groups,
++                      'local_ip': unit_private_ip(),
++                      'config': config}
++
++        return nuage_ctxt
++
      def nvp_ctxt(self):
          driver = neutron_plugin_attribute(self.plugin, 'driver',
                                            self.network_manager)
          config = neutron_plugin_attribute(self.plugin, 'config',
                                            self.network_manager)
--        nvp_ctxt = {
--            'core_plugin': driver,
--            'neutron_plugin': 'nvp',
--            'neutron_security_groups': self.neutron_security_groups,
--            'local_ip': unit_private_ip(),
--            'config': config
--        }
++        nvp_ctxt = {'core_plugin': driver,
++                    'neutron_plugin': 'nvp',
++                    'neutron_security_groups': self.neutron_security_groups,
++                    'local_ip': unit_private_ip(),
++                    'config': config}
          return nvp_ctxt
++    def n1kv_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        n1kv_config = neutron_plugin_attribute(self.plugin, 'config',
++                                               self.network_manager)
++        n1kv_user_config_flags = config('n1kv-config-flags')
++        restrict_policy_profiles = config('n1kv-restrict-policy-profiles')
++        n1kv_ctxt = {'core_plugin': driver,
++                     'neutron_plugin': 'n1kv',
++                     'neutron_security_groups': self.neutron_security_groups,
++                     'local_ip': unit_private_ip(),
++                     'config': n1kv_config,
++                     'vsm_ip': config('n1kv-vsm-ip'),
++                     'vsm_username': config('n1kv-vsm-username'),
++                     'vsm_password': config('n1kv-vsm-password'),
++                     'restrict_policy_profiles': restrict_policy_profiles}
++
++        if n1kv_user_config_flags:
++            flags = config_flags_parser(n1kv_user_config_flags)
++            n1kv_ctxt['user_config_flags'] = flags
++
++        return n1kv_ctxt
++
++    def calico_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        calico_ctxt = {'core_plugin': driver,
++                       'neutron_plugin': 'Calico',
++                       'neutron_security_groups': self.neutron_security_groups,
++                       'local_ip': unit_private_ip(),
++                       'config': config}
++
++        return calico_ctxt
++
      def neutron_ctxt(self):
          if https():
              proto = 'https'
          else:
              proto = 'http'
++
          if is_clustered():
              host = config('vip')
          else:
              host = unit_get('private-address')
--        url = '%s://%s:%s' % (proto, host, '9696')
--        ctxt = {
--            'network_manager': self.network_manager,
--            'neutron_url': url,
--        }
++
++        ctxt = {'network_manager': self.network_manager,
++                'neutron_url': '%s://%s:%s' % (proto, host, '9696')}
          return ctxt
++    def pg_ctxt(self):
++        driver = neutron_plugin_attribute(self.plugin, 'driver',
++                                          self.network_manager)
++        config = neutron_plugin_attribute(self.plugin, 'config',
++                                          self.network_manager)
++        ovs_ctxt = {'core_plugin': driver,
++                    'neutron_plugin': 'plumgrid',
++                    'neutron_security_groups': self.neutron_security_groups,
++                    'local_ip': unit_private_ip(),
++                    'config': config}
++        return ovs_ctxt
++
      def __call__(self):
--        self._ensure_packages()
--
          if self.network_manager not in ['quantum', 'neutron']:
              return {}
@@ -570,8 +963,16 @@
          if self.plugin == 'ovs':
              ctxt.update(self.ovs_ctxt())
--        elif self.plugin == 'nvp':
++        elif self.plugin in ['nvp', 'nsx']:
              ctxt.update(self.nvp_ctxt())
++        elif self.plugin == 'n1kv':
++            ctxt.update(self.n1kv_ctxt())
++        elif self.plugin == 'Calico':
++            ctxt.update(self.calico_ctxt())
++        elif self.plugin == 'vsp':
++            ctxt.update(self.nuage_ctxt())
++        elif self.plugin == 'plumgrid':
++            ctxt.update(self.pg_ctxt())
          alchemy_flags = config('neutron-alchemy-flags')
          if alchemy_flags:
@@ -582,24 +983,94 @@
          return ctxt
++class NeutronPortContext(OSContextGenerator):
++
++    def resolve_ports(self, ports):
++        """Resolve NICs not yet bound to bridge(s)
++
++        If hwaddress provided then returns resolved hwaddress otherwise NIC.
++        """
++        if not ports:
++            return None
++
++        hwaddr_to_nic = {}
++        hwaddr_to_ip = {}
++        for nic in list_nics():
++            # Ignore virtual interfaces (bond masters will be identified from
++            # their slaves)
++            if not is_phy_iface(nic):
++                continue
++
++            _nic = get_bond_master(nic)
++            if _nic:
++                log("Replacing iface '%s' with bond master '%s'" % (nic, _nic),
++                    level=DEBUG)
++                nic = _nic
++
++            hwaddr = get_nic_hwaddr(nic)
++            hwaddr_to_nic[hwaddr] = nic
++            addresses = get_ipv4_addr(nic, fatal=False)
++            addresses += get_ipv6_addr(iface=nic, fatal=False)
++            hwaddr_to_ip[hwaddr] = addresses
++
++        resolved = []
++        mac_regex = re.compile(r'([0-9A-F]{2}[:-]){5}([0-9A-F]{2})', re.I)
++        for entry in ports:
++            if re.match(mac_regex, entry):
++                # NIC is in known NICs and does NOT hace an IP address
++                if entry in hwaddr_to_nic and not hwaddr_to_ip[entry]:
++                    # If the nic is part of a bridge then don't use it
++                    if is_bridge_member(hwaddr_to_nic[entry]):
++                        continue
++
++                    # Entry is a MAC address for a valid interface that doesn't
++                    # have an IP address assigned yet.
++                    resolved.append(hwaddr_to_nic[entry])
++            else:
++                # If the passed entry is not a MAC address, assume it's a valid
++                # interface, and that the user put it there on purpose (we can
++                # trust it to be the real external network).
++                resolved.append(entry)
++
++        # Ensure no duplicates
++        return list(set(resolved))
++
++
  class OSConfigFlagContext(OSContextGenerator):
--
--        """
--        Responsible for adding user-defined config-flags in charm config to a
--        template context.
--
--        NOTE: the value of config-flags may be a comma-separated list of
--              key=value pairs and some Openstack config files support
--              comma-separated lists as values.
--        """
--
--        def __call__(self):
--            config_flags = config('config-flags')
--            if not config_flags:
--                return {}
--
--            flags = config_flags_parser(config_flags)
--            return {'user_config_flags': flags}
++    """Provides support for user-defined config flags.
++
++    Users can define a comma-seperated list of key=value pairs
++    in the charm configuration and apply them at any point in
++    any file by using a template flag.
++
++    Sometimes users might want config flags inserted within a
++    specific section so this class allows users to specify the
++    template flag name, allowing for multiple template flags
++    (sections) within the same context.
++
++    NOTE: the value of config-flags may be a comma-separated list of
++          key=value pairs and some Openstack config files support
++          comma-separated lists as values.
++    """
++
++    def __init__(self, charm_flag='config-flags',
++                 template_flag='user_config_flags'):
++        """
++        :param charm_flag: config flags in charm configuration.
++        :param template_flag: insert point for user-defined flags in template
++                              file.
++        """
++        super(OSConfigFlagContext, self).__init__()
++        self._charm_flag = charm_flag
++        self._template_flag = template_flag
++
++    def __call__(self):
++        config_flags = config(self._charm_flag)
++        if not config_flags:
++            return {}
++
++        return {self._template_flag:
++                config_flags_parser(config_flags)}
  class SubordinateConfigContext(OSContextGenerator):
@@ -611,7 +1082,7 @@
      The subordinate interface allows subordinates to export their
      configuration requirements to the principle for multiple config
      files and multiple serivces.  Ie, a subordinate that has interfaces
--    to both glance and nova may export to following yaml blob as json:
++    to both glance and nova may export to following yaml blob as json::
          glance:
              /etc/glance/glance-api.conf:
@@ -630,7 +1101,8 @@
      It is then up to the principle charms to subscribe this context to
      the service+config file it is interestd in.  Configuration data will
--    be available in the template context, in glance's case, as:
++    be available in the template context, in glance's case, as::
++
          ctxt = {
              ... other context ...
              'subordinate_config': {
@@ -642,7 +1114,6 @@
                  },
+             }
+         }
--
      """
      def __init__(self, service, config_file, interface):
@@ -652,13 +1123,22 @@
          :param config_file : Service's config file to query sections
          :param interface   : Subordinate interface to inspect
          """
--        self.service = service
          self.config_file = config_file
--        self.interface = interface
++        if isinstance(service, list):
++            self.services = service
++        else:
++            self.services = [service]
++        if isinstance(interface, list):
++            self.interfaces = interface
++        else:
++            self.interfaces = [interface]
      def __call__(self):
--        ctxt = {}
--        for rid in relation_ids(self.interface):
++        ctxt = {'sections': {}}
++        rids = []
++        for interface in self.interfaces:
++            rids.extend(relation_ids(interface))
++        for rid in rids:
              for unit in related_units(rid):
                  sub_config = relation_get('subordinate_configuration',
                                            rid=rid, unit=unit)
@@ -670,23 +1150,44 @@
                              'setting from %s' % rid, level=ERROR)
                          continue
--                    if self.service not in sub_config:
--                        log('Found subordinate_config on %s but it contained'
--                            'nothing for %s service' % (rid, self.service))
--                        continue
--
--                    sub_config = sub_config[self.service]
--                    if self.config_file not in sub_config:
--                        log('Found subordinate_config on %s but it contained'
--                            'nothing for %s' % (rid, self.config_file))
--                        continue
--
--                    sub_config = sub_config[self.config_file]
--                    for k, v in sub_config.iteritems():
--                        ctxt[k] = v
--
--        if not ctxt:
--            ctxt['sections'] = {}
++                    for service in self.services:
++                        if service not in sub_config:
++                            log('Found subordinate_config on %s but it contained'
++                                'nothing for %s service' % (rid, service),
++                                level=INFO)
++                            continue
++
++                        sub_config = sub_config[service]
++                        if self.config_file not in sub_config:
++                            log('Found subordinate_config on %s but it contained'
++                                'nothing for %s' % (rid, self.config_file),
++                                level=INFO)
++                            continue
++
++                        sub_config = sub_config[self.config_file]
++                        for k, v in six.iteritems(sub_config):
++                            if k == 'sections':
++                                for section, config_list in six.iteritems(v):
++                                    log("adding section '%s'" % (section),
++                                        level=DEBUG)
++                                    if ctxt[k].get(section):
++                                        ctxt[k][section].extend(config_list)
++                                    else:
++                                        ctxt[k][section] = config_list
++                            else:
++                                ctxt[k] = v
++        log("%d section(s) found" % (len(ctxt['sections'])), level=DEBUG)
++        return ctxt
++
++
++class LogLevelContext(OSContextGenerator):
++
++    def __call__(self):
++        ctxt = {}
++        ctxt['debug'] = \
++            False if config('debug') is None else config('debug')
++        ctxt['verbose'] = \
++            False if config('verbose') is None else config('verbose')
          return ctxt
@@ -694,7 +1195,233 @@
  class SyslogContext(OSContextGenerator):
      def __call__(self):
--        ctxt = {
--            'use_syslog': config('use-syslog')
++        ctxt = {'use_syslog': config('use-syslog')}
++        return ctxt
++
++
++class BindHostContext(OSContextGenerator):
++
++    def __call__(self):
++        if config('prefer-ipv6'):
++            return {'bind_host': '::'}
++        else:
++            return {'bind_host': '0.0.0.0'}
++
++
++class WorkerConfigContext(OSContextGenerator):
++
++    @property
++    def num_cpus(self):
++        try:
++            from psutil import NUM_CPUS
++        except ImportError:
++            apt_install('python-psutil', fatal=True)
++            from psutil import NUM_CPUS
++
++        return NUM_CPUS
++
++    def __call__(self):
++        multiplier = config('worker-multiplier') or 0
++        ctxt = {"workers": self.num_cpus * multiplier}
++        return ctxt
++
++
++class ZeroMQContext(OSContextGenerator):
++    interfaces = ['zeromq-configuration']
++
++    def __call__(self):
++        ctxt = {}
++        if is_relation_made('zeromq-configuration', 'host'):
++            for rid in relation_ids('zeromq-configuration'):
++                    for unit in related_units(rid):
++                        ctxt['zmq_nonce'] = relation_get('nonce', unit, rid)
++                        ctxt['zmq_host'] = relation_get('host', unit, rid)
++                        ctxt['zmq_redis_address'] = relation_get(
++                            'zmq_redis_address', unit, rid)
++
++        return ctxt
++
++
++class NotificationDriverContext(OSContextGenerator):
++
++    def __init__(self, zmq_relation='zeromq-configuration',
++                 amqp_relation='amqp'):
++        """
++        :param zmq_relation: Name of Zeromq relation to check
++        """
++        self.zmq_relation = zmq_relation
++        self.amqp_relation = amqp_relation
++
++    def __call__(self):
++        ctxt = {'notifications': 'False'}
++        if is_relation_made(self.amqp_relation):
++            ctxt['notifications'] = "True"
++
++        return ctxt
++
++
++class SysctlContext(OSContextGenerator):
++    """This context check if the 'sysctl' option exists on configuration
++    then creates a file with the loaded contents"""
++    def __call__(self):
++        sysctl_dict = config('sysctl')
++        if sysctl_dict:
++            sysctl_create(sysctl_dict,
++                          '/etc/sysctl.d/50-{0}.conf'.format(charm_name()))
++        return {'sysctl': sysctl_dict}
++
++
++class NeutronAPIContext(OSContextGenerator):
++    '''
++    Inspects current neutron-plugin-api relation for neutron settings. Return
++    defaults if it is not present.
++    '''
++    interfaces = ['neutron-plugin-api']
++
++    def __call__(self):
++        self.neutron_defaults = {
++            'l2_population': {
++                'rel_key': 'l2-population',
++                'default': False,
++            },
++            'overlay_network_type': {
++                'rel_key': 'overlay-network-type',
++                'default': 'gre',
++            },
++            'neutron_security_groups': {
++                'rel_key': 'neutron-security-groups',
++                'default': False,
++            },
++            'network_device_mtu': {
++                'rel_key': 'network-device-mtu',
++                'default': None,
++            },
++            'enable_dvr': {
++                'rel_key': 'enable-dvr',
++                'default': False,
++            },
++            'enable_l3ha': {
++                'rel_key': 'enable-l3ha',
++                'default': False,
++            },
+         }
--        return ctxt
++        ctxt = self.get_neutron_options({})
++        for rid in relation_ids('neutron-plugin-api'):
++            for unit in related_units(rid):
++                rdata = relation_get(rid=rid, unit=unit)
++                if 'l2-population' in rdata:
++                    ctxt.update(self.get_neutron_options(rdata))
++
++        return ctxt
++
++    def get_neutron_options(self, rdata):
++        settings = {}
++        for nkey in self.neutron_defaults.keys():
++            defv = self.neutron_defaults[nkey]['default']
++            rkey = self.neutron_defaults[nkey]['rel_key']
++            if rkey in rdata.keys():
++                if type(defv) is bool:
++                    settings[nkey] = bool_from_string(rdata[rkey])
++                else:
++                    settings[nkey] = rdata[rkey]
++            else:
++                settings[nkey] = defv
++        return settings
++
++
++class ExternalPortContext(NeutronPortContext):
++
++    def __call__(self):
++        ctxt = {}
++        ports = config('ext-port')
++        if ports:
++            ports = [p.strip() for p in ports.split()]
++            ports = self.resolve_ports(ports)
++            if ports:
++                ctxt = {"ext_port": ports[0]}
++                napi_settings = NeutronAPIContext()()
++                mtu = napi_settings.get('network_device_mtu')
++                if mtu:
++                    ctxt['ext_port_mtu'] = mtu
++
++        return ctxt
++
++
++class DataPortContext(NeutronPortContext):
++
++    def __call__(self):
++        ports = config('data-port')
++        if ports:
++            # Map of {port/mac:bridge}
++            portmap = parse_data_port_mappings(ports)
++            ports = portmap.keys()
++            # Resolve provided ports or mac addresses and filter out those
++            # already attached to a bridge.
++            resolved = self.resolve_ports(ports)
++            # FIXME: is this necessary?
++            normalized = {get_nic_hwaddr(port): port for port in resolved
++                          if port not in ports}
++            normalized.update({port: port for port in resolved
++                               if port in ports})
++            if resolved:
++                return {normalized[port]: bridge for port, bridge in
++                        six.iteritems(portmap) if port in normalized.keys()}
++
++        return None
++
++
++class PhyNICMTUContext(DataPortContext):
++
++    def __call__(self):
++        ctxt = {}
++        mappings = super(PhyNICMTUContext, self).__call__()
++        if mappings and mappings.keys():
++            ports = sorted(mappings.keys())
++            napi_settings = NeutronAPIContext()()
++            mtu = napi_settings.get('network_device_mtu')
++            all_ports = set()
++            # If any of ports is a vlan device, its underlying device must have
++            # mtu applied first.
++            for port in ports:
++                for lport in glob.glob("/sys/class/net/%s/lower_*" % port):
++                    lport = os.path.basename(lport)
++                    all_ports.add(lport.split('_')[1])
++
++            all_ports = list(all_ports)
++            all_ports.extend(ports)
++            if mtu:
++                ctxt["devs"] = '\\n'.join(all_ports)
++                ctxt['mtu'] = mtu
++
++        return ctxt
++
++
++class NetworkServiceContext(OSContextGenerator):
++
++    def __init__(self, rel_name='quantum-network-service'):
++        self.rel_name = rel_name
++        self.interfaces = [rel_name]
++
++    def __call__(self):
++        for rid in relation_ids(self.rel_name):
++            for unit in related_units(rid):
++                rdata = relation_get(rid=rid, unit=unit)
++                ctxt = {
++                    'keystone_host': rdata.get('keystone_host'),
++                    'service_port': rdata.get('service_port'),
++                    'auth_port': rdata.get('auth_port'),
++                    'service_tenant': rdata.get('service_tenant'),
++                    'service_username': rdata.get('service_username'),
++                    'service_password': rdata.get('service_password'),
++                    'quantum_host': rdata.get('quantum_host'),
++                    'quantum_port': rdata.get('quantum_port'),
++                    'quantum_url': rdata.get('quantum_url'),
++                    'region': rdata.get('region'),
++                    'service_protocol':
++                    rdata.get('service_protocol') or 'http',
++                    'auth_protocol':
++                    rdata.get('auth_protocol') or 'http',
++                }
++                if self.context_complete(ctxt):
++                    return ctxt
++        return {}
 === added directory 'hooks/charmhelpers/contrib/openstack/files'
 === added file 'hooks/charmhelpers/contrib/openstack/files/__init__.py'
 --- hooks/charmhelpers/contrib/openstack/files/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/openstack/files/__init__.py	2015-11-12 11:46:11 +0000
@@ -0,0 +1,18 @@

Juju Charms Collectionneutron-openvswitch package