Juju Charms Collection
ntpmaster package

Merge lp:~paulgear/charms/trusty/ntpmaster/sync-charmhelpers into lp:charms/trusty/ntpmaster

Proposed by Paul Gear on 2016-03-21

Status:	Merged
Merge reported by:	Adam Israel
Merged at revision:	not available
Proposed branch:	lp:~paulgear/charms/trusty/ntpmaster/sync-charmhelpers
Merge into:	lp:charms/trusty/ntpmaster
Diff against target:	22054 lines (+20254/-258) 145 files modified hooks/charmhelpers/__init__.py (+38/-0) hooks/charmhelpers/cli/README.rst (+57/-0) hooks/charmhelpers/cli/__init__.py (+191/-0) hooks/charmhelpers/cli/benchmark.py (+36/-0) hooks/charmhelpers/cli/commands.py (+32/-0) hooks/charmhelpers/cli/hookenv.py (+23/-0) hooks/charmhelpers/cli/host.py (+31/-0) hooks/charmhelpers/cli/unitdata.py (+39/-0) hooks/charmhelpers/context.py (+206/-0) hooks/charmhelpers/contrib/__init__.py (+15/-0) hooks/charmhelpers/contrib/amulet/__init__.py (+15/-0) hooks/charmhelpers/contrib/amulet/deployment.py (+95/-0) hooks/charmhelpers/contrib/amulet/utils.py (+823/-0) hooks/charmhelpers/contrib/ansible/__init__.py (+254/-0) hooks/charmhelpers/contrib/benchmark/__init__.py (+126/-0) hooks/charmhelpers/contrib/charmhelpers/IMPORT (+4/-0) hooks/charmhelpers/contrib/charmhelpers/__init__.py (+208/-0) hooks/charmhelpers/contrib/charmsupport/IMPORT (+14/-0) hooks/charmhelpers/contrib/charmsupport/__init__.py (+15/-0) hooks/charmhelpers/contrib/charmsupport/nrpe.py (+398/-0) hooks/charmhelpers/contrib/charmsupport/volumes.py (+175/-0) hooks/charmhelpers/contrib/database/mysql.py (+412/-0) hooks/charmhelpers/contrib/hahelpers/__init__.py (+15/-0) hooks/charmhelpers/contrib/hahelpers/apache.py (+82/-0) hooks/charmhelpers/contrib/hahelpers/cluster.py (+316/-0) hooks/charmhelpers/contrib/hardening/README.hardening.md (+38/-0) hooks/charmhelpers/contrib/hardening/__init__.py (+15/-0) hooks/charmhelpers/contrib/hardening/apache/__init__.py (+19/-0) hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py (+31/-0) hooks/charmhelpers/contrib/hardening/apache/checks/config.py (+98/-0) hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf (+31/-0) hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf (+18/-0) hooks/charmhelpers/contrib/hardening/audits/__init__.py (+63/-0) hooks/charmhelpers/contrib/hardening/audits/apache.py (+97/-0) hooks/charmhelpers/contrib/hardening/audits/apt.py (+105/-0) hooks/charmhelpers/contrib/hardening/audits/file.py (+551/-0) hooks/charmhelpers/contrib/hardening/defaults/apache.yaml (+13/-0) hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema (+9/-0) hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml (+38/-0) hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema (+15/-0) hooks/charmhelpers/contrib/hardening/defaults/os.yaml (+67/-0) hooks/charmhelpers/contrib/hardening/defaults/os.yaml.schema (+42/-0) hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml (+49/-0) hooks/charmhelpers/contrib/hardening/defaults/ssh.yaml.schema (+42/-0) hooks/charmhelpers/contrib/hardening/harden.py (+82/-0) hooks/charmhelpers/contrib/hardening/host/__init__.py (+19/-0) hooks/charmhelpers/contrib/hardening/host/checks/__init__.py (+50/-0) hooks/charmhelpers/contrib/hardening/host/checks/apt.py (+39/-0) hooks/charmhelpers/contrib/hardening/host/checks/limits.py (+55/-0) hooks/charmhelpers/contrib/hardening/host/checks/login.py (+67/-0) hooks/charmhelpers/contrib/hardening/host/checks/minimize_access.py (+52/-0) hooks/charmhelpers/contrib/hardening/host/checks/pam.py (+134/-0) hooks/charmhelpers/contrib/hardening/host/checks/profile.py (+45/-0) hooks/charmhelpers/contrib/hardening/host/checks/securetty.py (+39/-0) hooks/charmhelpers/contrib/hardening/host/checks/suid_sgid.py (+131/-0) hooks/charmhelpers/contrib/hardening/host/checks/sysctl.py (+208/-0) hooks/charmhelpers/contrib/hardening/host/templates/10.hardcore.conf (+8/-0) hooks/charmhelpers/contrib/hardening/host/templates/99-juju-hardening.conf (+7/-0) hooks/charmhelpers/contrib/hardening/host/templates/login.defs (+349/-0) hooks/charmhelpers/contrib/hardening/host/templates/modules (+117/-0) hooks/charmhelpers/contrib/hardening/host/templates/passwdqc.conf (+11/-0) hooks/charmhelpers/contrib/hardening/host/templates/pinerolo_profile.sh (+8/-0) hooks/charmhelpers/contrib/hardening/host/templates/securetty (+11/-0) hooks/charmhelpers/contrib/hardening/host/templates/tally2 (+14/-0) hooks/charmhelpers/contrib/hardening/mysql/__init__.py (+19/-0) hooks/charmhelpers/contrib/hardening/mysql/checks/__init__.py (+31/-0) hooks/charmhelpers/contrib/hardening/mysql/checks/config.py (+86/-0) hooks/charmhelpers/contrib/hardening/mysql/templates/hardening.cnf (+12/-0) hooks/charmhelpers/contrib/hardening/ssh/__init__.py (+19/-0) hooks/charmhelpers/contrib/hardening/ssh/checks/__init__.py (+31/-0) hooks/charmhelpers/contrib/hardening/ssh/checks/config.py (+394/-0) hooks/charmhelpers/contrib/hardening/ssh/templates/ssh_config (+70/-0) hooks/charmhelpers/contrib/hardening/ssh/templates/sshd_config (+159/-0) hooks/charmhelpers/contrib/hardening/templating.py (+71/-0) hooks/charmhelpers/contrib/hardening/utils.py (+156/-0) hooks/charmhelpers/contrib/mellanox/infiniband.py (+151/-0) hooks/charmhelpers/contrib/network/__init__.py (+15/-0) hooks/charmhelpers/contrib/network/ip.py (+473/-0) hooks/charmhelpers/contrib/network/ovs/__init__.py (+96/-0) hooks/charmhelpers/contrib/network/ufw.py (+318/-0) hooks/charmhelpers/contrib/openstack/__init__.py (+15/-0) hooks/charmhelpers/contrib/openstack/alternatives.py (+33/-0) hooks/charmhelpers/contrib/openstack/amulet/__init__.py (+15/-0) hooks/charmhelpers/contrib/openstack/amulet/deployment.py (+302/-0) hooks/charmhelpers/contrib/openstack/amulet/utils.py (+1012/-0) hooks/charmhelpers/contrib/openstack/context.py (+1481/-0) hooks/charmhelpers/contrib/openstack/files/__init__.py (+18/-0) hooks/charmhelpers/contrib/openstack/files/check_haproxy.sh (+34/-0) hooks/charmhelpers/contrib/openstack/files/check_haproxy_queue_depth.sh (+30/-0) hooks/charmhelpers/contrib/openstack/ip.py (+151/-0) hooks/charmhelpers/contrib/openstack/neutron.py (+384/-0) hooks/charmhelpers/contrib/openstack/templates/__init__.py (+18/-0) hooks/charmhelpers/contrib/openstack/templates/ceph.conf (+21/-0) hooks/charmhelpers/contrib/openstack/templates/git.upstart (+17/-0) hooks/charmhelpers/contrib/openstack/templates/haproxy.cfg (+66/-0) hooks/charmhelpers/contrib/openstack/templates/openstack_https_frontend (+26/-0) hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken (+12/-0) hooks/charmhelpers/contrib/openstack/templates/section-keystone-authtoken-legacy (+10/-0) hooks/charmhelpers/contrib/openstack/templates/section-rabbitmq-oslo (+22/-0) hooks/charmhelpers/contrib/openstack/templates/section-zeromq (+14/-0) hooks/charmhelpers/contrib/openstack/templating.py (+323/-0) hooks/charmhelpers/contrib/openstack/utils.py (+1572/-0) hooks/charmhelpers/contrib/peerstorage/__init__.py (+269/-0) hooks/charmhelpers/contrib/python/__init__.py (+15/-0) hooks/charmhelpers/contrib/python/debug.py (+56/-0) hooks/charmhelpers/contrib/python/packages.py (+145/-0) hooks/charmhelpers/contrib/python/rpdb.py (+58/-0) hooks/charmhelpers/contrib/python/version.py (+34/-0) hooks/charmhelpers/contrib/saltstack/__init__.py (+118/-0) hooks/charmhelpers/contrib/ssl/__init__.py (+94/-0) hooks/charmhelpers/contrib/ssl/service.py (+279/-0) hooks/charmhelpers/contrib/storage/__init__.py (+15/-0) hooks/charmhelpers/contrib/storage/linux/__init__.py (+15/-0) hooks/charmhelpers/contrib/storage/linux/ceph.py (+1195/-0) hooks/charmhelpers/contrib/storage/linux/loopback.py (+88/-0) hooks/charmhelpers/contrib/storage/linux/lvm.py (+105/-0) hooks/charmhelpers/contrib/storage/linux/utils.py (+71/-0) hooks/charmhelpers/contrib/templating/__init__.py (+15/-0) hooks/charmhelpers/contrib/templating/contexts.py (+139/-0) hooks/charmhelpers/contrib/templating/jinja.py (+40/-0) hooks/charmhelpers/contrib/templating/pyformat.py (+29/-0) hooks/charmhelpers/contrib/unison/__init__.py (+313/-0) hooks/charmhelpers/coordinator.py (+607/-0) hooks/charmhelpers/core/__init__.py (+15/-0) hooks/charmhelpers/core/decorators.py (+57/-0) hooks/charmhelpers/core/files.py (+45/-0) hooks/charmhelpers/core/fstab.py (+30/-12) hooks/charmhelpers/core/hookenv.py (+535/-52) hooks/charmhelpers/core/host.py (+394/-84) hooks/charmhelpers/core/hugepage.py (+71/-0) hooks/charmhelpers/core/kernel.py (+68/-0) hooks/charmhelpers/core/services/__init__.py (+18/-2) hooks/charmhelpers/core/services/base.py (+59/-19) hooks/charmhelpers/core/services/helpers.py (+66/-13) hooks/charmhelpers/core/strutils.py (+72/-0) hooks/charmhelpers/core/sysctl.py (+56/-0) hooks/charmhelpers/core/templating.py (+38/-8) hooks/charmhelpers/core/unitdata.py (+521/-0) hooks/charmhelpers/fetch/__init__.py (+82/-28) hooks/charmhelpers/fetch/archiveurl.py (+77/-18) hooks/charmhelpers/fetch/bzrurl.py (+40/-22) hooks/charmhelpers/fetch/giturl.py (+70/-0) hooks/charmhelpers/payload/__init__.py (+17/-0) hooks/charmhelpers/payload/archive.py (+73/-0) hooks/charmhelpers/payload/execd.py (+66/-0)
To merge this branch:	bzr merge lp:~paulgear/charms/trusty/ntpmaster/sync-charmhelpers
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Adam Israel (community)		2016-03-21	Approve on 2016-03-30
Review Queue (community)	automated testing		Needs Fixing on 2016-03-24
Review via email: mp+289605@code.launchpad.net

Description of the change

Sync the latest charmhelpers code, including charmhelpers.payload; this is to prepare for another MP to include exec.d support.

Revision history for this message

Review Queue (review-queue) wrote on 2016-03-22:

This item has failed automated testing! Results available here http://juju-ci.vapour.ws:8080/job/charm-bundle-test-aws/3277/

review: Needs Fixing (automated testing)

Revision history for this message

Review Queue (review-queue) wrote on 2016-03-23:

This item has failed automated testing! Results available here http://juju-ci.vapour.ws:8080/job/charm-bundle-test-aws/3303/

review: Needs Fixing (automated testing)

Revision history for this message

Review Queue (review-queue) wrote on 2016-03-24:

This item has failed automated testing! Results available here http://juju-ci.vapour.ws:8080/job/charm-bundle-test-lxc/3259/

review: Needs Fixing (automated testing)

Revision history for this message

Adam Israel (aisrael) wrote on 2016-03-30:

Hi Paul,

Thanks for updating this. Looks good to me. +1

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Paul Gear

charmers

 === modified file 'hooks/charmhelpers/__init__.py'
 --- hooks/charmhelpers/__init__.py	2013-07-08 18:28:02 +0000
 +++ hooks/charmhelpers/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,38 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++# Bootstrap charm-helpers, installing its dependencies if necessary using
++# only standard libraries.
++import subprocess
++import sys
++
++try:
++    import six  # flake8: noqa
++except ImportError:
++    if sys.version_info.major == 2:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python-six'])
++    else:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python3-six'])
++    import six  # flake8: noqa
++
++try:
++    import yaml  # flake8: noqa
++except ImportError:
++    if sys.version_info.major == 2:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python-yaml'])
++    else:
++        subprocess.check_call(['apt-get', 'install', '-y', 'python3-yaml'])
++    import yaml  # flake8: noqa
 === added directory 'hooks/charmhelpers/cli'
 === added file 'hooks/charmhelpers/cli/README.rst'
 --- hooks/charmhelpers/cli/README.rst	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/README.rst	2016-03-21 06:13:21 +0000
@@ -0,0 +1,57 @@
++==========
++Commandant
++==========
++
++-----------------------------------------------------
++Automatic command-line interfaces to Python functions
++-----------------------------------------------------
++
++One of the benefits of ``libvirt`` is the uniformity of the interface: the C  API (as well as the bindings in other languages) is a set of functions that accept parameters that are nearly identical to the command-line arguments.  If you run ``virsh``, you get an interactive command prompt that supports all of the same commands that your shell scripts use as ``virsh`` subcommands.
++
++Command execution and stdio manipulation is the greatest common factor across all development systems in the POSIX environment.  By exposing your functions as commands that manipulate streams of text, you can make life easier for all the Ruby and Erlang and Go programmers in your life.
++
++Goals
++=====
++
++* Single decorator to expose a function as a command.
++  * now two decorators - one "automatic" and one that allows authors to manipulate the arguments for fine-grained control.(MW)
++* Automatic analysis of function signature through ``inspect.getargspec()``
++* Command argument parser built automatically with ``argparse``
++* Interactive interpreter loop object made with ``Cmd``
++* Options to output structured return value data via ``pprint``, ``yaml`` or ``json`` dumps.
++
++Other Important Features that need writing
++------------------------------------------
++
++* Help and Usage documentation can be automatically generated, but it will be important to let users override this behaviour
++* The decorator should allow specifying further parameters to the parser's add_argument() calls, to specify types or to make arguments behave as boolean flags, etc.
++    - Filename arguments are important, as good practice is for functions to accept file objects as parameters.
++    - choices arguments help to limit bad input before the function is called
++* Some automatic behaviour could make for better defaults, once the user can override them.
++    - We could automatically detect arguments that default to False or True, and automatically support --no-foo for foo=True.
++    - We could automatically support hyphens as alternates for underscores
++    - Arguments defaulting to sequence types could support the ``append`` action.
++
++
++-----------------------------------------------------
++Implementing subcommands
++-----------------------------------------------------
++
++(WIP)
++
++So as to avoid dependencies on the cli module, subcommands should be defined separately from their implementations. The recommmendation would be to place definitions into separate modules near the implementations which they expose.
++
++Some examples::
++
++    from charmhelpers.cli import CommandLine
++    from charmhelpers.payload import execd
++    from charmhelpers.foo import bar
++
++    cli = CommandLine()
++
++    cli.subcommand(execd.execd_run)
++
++    @cli.subcommand_builder("bar", help="Bar baz qux")
++    def barcmd_builder(subparser):
++        subparser.add_argument('argument1', help="yackety")
++        return bar
 === added file 'hooks/charmhelpers/cli/__init__.py'
 --- hooks/charmhelpers/cli/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,191 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import inspect
++import argparse
++import sys
++
++from six.moves import zip
++
++import charmhelpers.core.unitdata
++
++
++class OutputFormatter(object):
++    def __init__(self, outfile=sys.stdout):
++        self.formats = (
++            "raw",
++            "json",
++            "py",
++            "yaml",
++            "csv",
++            "tab",
++        )
++        self.outfile = outfile
++
++    def add_arguments(self, argument_parser):
++        formatgroup = argument_parser.add_mutually_exclusive_group()
++        choices = self.supported_formats
++        formatgroup.add_argument("--format", metavar='FMT',
++                                 help="Select output format for returned data, "
++                                      "where FMT is one of: {}".format(choices),
++                                 choices=choices, default='raw')
++        for fmt in self.formats:
++            fmtfunc = getattr(self, fmt)
++            formatgroup.add_argument("-{}".format(fmt[0]),
++                                     "--{}".format(fmt), action='store_const',
++                                     const=fmt, dest='format',
++                                     help=fmtfunc.__doc__)
++
++    @property
++    def supported_formats(self):
++        return self.formats
++
++    def raw(self, output):
++        """Output data as raw string (default)"""
++        if isinstance(output, (list, tuple)):
++            output = '\n'.join(map(str, output))
++        self.outfile.write(str(output))
++
++    def py(self, output):
++        """Output data as a nicely-formatted python data structure"""
++        import pprint
++        pprint.pprint(output, stream=self.outfile)
++
++    def json(self, output):
++        """Output data in JSON format"""
++        import json
++        json.dump(output, self.outfile)
++
++    def yaml(self, output):
++        """Output data in YAML format"""
++        import yaml
++        yaml.safe_dump(output, self.outfile)
++
++    def csv(self, output):
++        """Output data as excel-compatible CSV"""
++        import csv
++        csvwriter = csv.writer(self.outfile)
++        csvwriter.writerows(output)
++
++    def tab(self, output):
++        """Output data in excel-compatible tab-delimited format"""
++        import csv
++        csvwriter = csv.writer(self.outfile, dialect=csv.excel_tab)
++        csvwriter.writerows(output)
++
++    def format_output(self, output, fmt='raw'):
++        fmtfunc = getattr(self, fmt)
++        fmtfunc(output)
++
++
++class CommandLine(object):
++    argument_parser = None
++    subparsers = None
++    formatter = None
++    exit_code = 0
++
++    def __init__(self):
++        if not self.argument_parser:
++            self.argument_parser = argparse.ArgumentParser(description='Perform common charm tasks')
++        if not self.formatter:
++            self.formatter = OutputFormatter()
++            self.formatter.add_arguments(self.argument_parser)
++        if not self.subparsers:
++            self.subparsers = self.argument_parser.add_subparsers(help='Commands')
++
++    def subcommand(self, command_name=None):
++        """
++        Decorate a function as a subcommand. Use its arguments as the
++        command-line arguments"""
++        def wrapper(decorated):
++            cmd_name = command_name or decorated.__name__
++            subparser = self.subparsers.add_parser(cmd_name,
++                                                   description=decorated.__doc__)
++            for args, kwargs in describe_arguments(decorated):
++                subparser.add_argument(*args, **kwargs)
++            subparser.set_defaults(func=decorated)
++            return decorated
++        return wrapper
++
++    def test_command(self, decorated):
++        """
++        Subcommand is a boolean test function, so bool return values should be
++        converted to a 0/1 exit code.
++        """
++        decorated._cli_test_command = True
++        return decorated
++
++    def no_output(self, decorated):
++        """
++        Subcommand is not expected to return a value, so don't print a spurious None.
++        """
++        decorated._cli_no_output = True
++        return decorated
++
++    def subcommand_builder(self, command_name, description=None):
++        """
++        Decorate a function that builds a subcommand. Builders should accept a
++        single argument (the subparser instance) and return the function to be
++        run as the command."""
++        def wrapper(decorated):
++            subparser = self.subparsers.add_parser(command_name)
++            func = decorated(subparser)
++            subparser.set_defaults(func=func)
++            subparser.description = description or func.__doc__
++        return wrapper
++
++    def run(self):
++        "Run cli, processing arguments and executing subcommands."
++        arguments = self.argument_parser.parse_args()
++        argspec = inspect.getargspec(arguments.func)
++        vargs = []
++        for arg in argspec.args:
++            vargs.append(getattr(arguments, arg))
++        if argspec.varargs:
++            vargs.extend(getattr(arguments, argspec.varargs))
++        output = arguments.func(*vargs)
++        if getattr(arguments.func, '_cli_test_command', False):
++            self.exit_code = 0 if output else 1
++            output = ''
++        if getattr(arguments.func, '_cli_no_output', False):
++            output = ''
++        self.formatter.format_output(output, arguments.format)
++        if charmhelpers.core.unitdata._KV:
++            charmhelpers.core.unitdata._KV.flush()
++
++
++cmdline = CommandLine()
++
++
++def describe_arguments(func):
++    """
++    Analyze a function's signature and return a data structure suitable for
++    passing in as arguments to an argparse parser's add_argument() method."""
++
++    argspec = inspect.getargspec(func)
++    # we should probably raise an exception somewhere if func includes **kwargs
++    if argspec.defaults:
++        positional_args = argspec.args[:-len(argspec.defaults)]
++        keyword_names = argspec.args[-len(argspec.defaults):]
++        for arg, default in zip(keyword_names, argspec.defaults):
++            yield ('--{}'.format(arg),), {'default': default}
++    else:
++        positional_args = argspec.args
++
++    for arg in positional_args:
++        yield (arg,), {}
++    if argspec.varargs:
++        yield (argspec.varargs,), {'nargs': '*'}
 === added file 'hooks/charmhelpers/cli/benchmark.py'
 --- hooks/charmhelpers/cli/benchmark.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/benchmark.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,36 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.contrib.benchmark import Benchmark
++
++
++@cmdline.subcommand(command_name='benchmark-start')
++def start():
++    Benchmark.start()
++
++
++@cmdline.subcommand(command_name='benchmark-finish')
++def finish():
++    Benchmark.finish()
++
++
++@cmdline.subcommand_builder('benchmark-composite', description="Set the benchmark composite score")
++def service(subparser):
++    subparser.add_argument("value", help="The composite score.")
++    subparser.add_argument("units", help="The units the composite score represents, i.e., 'reads/sec'.")
++    subparser.add_argument("direction", help="'asc' if a lower score is better, 'desc' if a higher score is better.")
++    return Benchmark.set_composite_score
 === added file 'hooks/charmhelpers/cli/commands.py'
 --- hooks/charmhelpers/cli/commands.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/commands.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,32 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++"""
++This module loads sub-modules into the python runtime so they can be
++discovered via the inspect module. In order to prevent flake8 from (rightfully)
++telling us these are unused modules, throw a ' # noqa' at the end of each import
++so that the warning is suppressed.
++"""
++
++from . import CommandLine  # noqa
++
++"""
++Import the sub-modules which have decorated subcommands to register with chlp.
++"""
++from . import host  # noqa
++from . import benchmark  # noqa
++from . import unitdata  # noqa
++from . import hookenv  # noqa
 === added file 'hooks/charmhelpers/cli/hookenv.py'
 --- hooks/charmhelpers/cli/hookenv.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/hookenv.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,23 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import hookenv
++
++
++cmdline.subcommand('relation-id')(hookenv.relation_id._wrapped)
++cmdline.subcommand('service-name')(hookenv.service_name)
++cmdline.subcommand('remote-service-name')(hookenv.remote_service_name._wrapped)
 === added file 'hooks/charmhelpers/cli/host.py'
 --- hooks/charmhelpers/cli/host.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/host.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,31 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import host
++
++
++@cmdline.subcommand()
++def mounts():
++    "List mounts"
++    return host.mounts()
++
++
++@cmdline.subcommand_builder('service', description="Control system services")
++def service(subparser):
++    subparser.add_argument("action", help="The action to perform (start, stop, etc...)")
++    subparser.add_argument("service_name", help="Name of the service to control")
++    return host.service
 === added file 'hooks/charmhelpers/cli/unitdata.py'
 --- hooks/charmhelpers/cli/unitdata.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/cli/unitdata.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,39 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from . import cmdline
++from charmhelpers.core import unitdata
++
++
++@cmdline.subcommand_builder('unitdata', description="Store and retrieve data")
++def unitdata_cmd(subparser):
++    nested = subparser.add_subparsers()
++    get_cmd = nested.add_parser('get', help='Retrieve data')
++    get_cmd.add_argument('key', help='Key to retrieve the value of')
++    get_cmd.set_defaults(action='get', value=None)
++    set_cmd = nested.add_parser('set', help='Store data')
++    set_cmd.add_argument('key', help='Key to set')
++    set_cmd.add_argument('value', help='Value to store')
++    set_cmd.set_defaults(action='set')
++
++    def _unitdata_cmd(action, key, value):
++        if action == 'get':
++            return unitdata.kv().get(key)
++        elif action == 'set':
++            unitdata.kv().set(key, value)
++            unitdata.kv().flush()
++            return ''
++    return _unitdata_cmd
 === added file 'hooks/charmhelpers/context.py'
 --- hooks/charmhelpers/context.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/context.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,206 @@
++# Copyright 2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++'''
++A Pythonic API to interact with the charm hook environment.
++
++:author: Stuart Bishop <stuart.bishop@canonical.com>
++'''
++
++import six
++
++from charmhelpers.core import hookenv
++
++from collections import OrderedDict
++if six.PY3:
++    from collections import UserDict  # pragma: nocover
++else:
++    from UserDict import IterableUserDict as UserDict  # pragma: nocover
++
++
++class Relations(OrderedDict):
++    '''Mapping relation name -> relation id -> Relation.
++
++    >>> rels = Relations()
++    >>> rels['sprog']['sprog:12']['client/6']['widget']
++    'remote widget'
++    >>> rels['sprog']['sprog:12'].local['widget'] = 'local widget'
++    >>> rels['sprog']['sprog:12'].local['widget']
++    'local widget'
++    >>> rels.peer.local['widget']
++    'local widget on the peer relation'
++    '''
++    def __init__(self):
++        super(Relations, self).__init__()
++        for relname in sorted(hookenv.relation_types()):
++            self[relname] = OrderedDict()
++            relids = hookenv.relation_ids(relname)
++            relids.sort(key=lambda x: int(x.split(':', 1)[-1]))
++            for relid in relids:
++                self[relname][relid] = Relation(relid)
++
++    @property
++    def peer(self):
++        peer_relid = hookenv.peer_relation_id()
++        for rels in self.values():
++            if peer_relid in rels:
++                return rels[peer_relid]
++
++
++class Relation(OrderedDict):
++    '''Mapping of unit -> remote RelationInfo for a relation.
++
++    This is an OrderedDict mapping, ordered numerically by
++    by unit number.
++
++    Also provides access to the local RelationInfo, and peer RelationInfo
++    instances by the 'local' and 'peers' attributes.
++
++    >>> r = Relation('sprog:12')
++    >>> r.keys()
++    ['client/9', 'client/10']     # Ordered numerically
++    >>> r['client/10']['widget']  # A remote RelationInfo setting
++    'remote widget'
++    >>> r.local['widget']         # The local RelationInfo setting
++    'local widget'
++    '''
++    relid = None    # The relation id.
++    relname = None  # The relation name (also known as relation type).
++    service = None  # The remote service name, if known.
++    local = None    # The local end's RelationInfo.
++    peers = None    # Map of peer -> RelationInfo. None if no peer relation.
++
++    def __init__(self, relid):
++        remote_units = hookenv.related_units(relid)
++        remote_units.sort(key=lambda u: int(u.split('/', 1)[-1]))
++        super(Relation, self).__init__((unit, RelationInfo(relid, unit))
++                                       for unit in remote_units)
++
++        self.relname = relid.split(':', 1)[0]
++        self.relid = relid
++        self.local = RelationInfo(relid, hookenv.local_unit())
++
++        for relinfo in self.values():
++            self.service = relinfo.service
++            break
++
++        # If we have peers, and they have joined both the provided peer
++        # relation and this relation, we can peek at their data too.
++        # This is useful for creating consensus without leadership.
++        peer_relid = hookenv.peer_relation_id()
++        if peer_relid and peer_relid != relid:
++            peers = hookenv.related_units(peer_relid)
++            if peers:
++                peers.sort(key=lambda u: int(u.split('/', 1)[-1]))
++                self.peers = OrderedDict((peer, RelationInfo(relid, peer))
++                                         for peer in peers)
++            else:
++                self.peers = OrderedDict()
++        else:
++            self.peers = None
++
++    def __str__(self):
++        return '{} ({})'.format(self.relid, self.service)
++
++
++class RelationInfo(UserDict):
++    '''The bag of data at an end of a relation.
++
++    Every unit participating in a relation has a single bag of
++    data associated with that relation. This is that bag.
++
++    The bag of data for the local unit may be updated. Remote data
++    is immutable and will remain static for the duration of the hook.
++
++    Changes made to the local units relation data only become visible
++    to other units after the hook completes successfully. If the hook
++    does not complete successfully, the changes are rolled back.
++
++    Unlike standard Python mappings, setting an item to None is the
++    same as deleting it.
++
++    >>> relinfo = RelationInfo('db:12')  # Default is the local unit.
++    >>> relinfo['user'] = 'fred'
++    >>> relinfo['user']
++    'fred'
++    >>> relinfo['user'] = None
++    >>> 'fred' in relinfo
++    False
++
++    This class wraps hookenv.relation_get and hookenv.relation_set.
++    All caching is left up to these two methods to avoid synchronization
++    issues. Data is only loaded on demand.
++    '''
++    relid = None    # The relation id.
++    relname = None  # The relation name (also know as the relation type).
++    unit = None     # The unit id.
++    number = None   # The unit number (integer).
++    service = None  # The service name.
++
++    def __init__(self, relid, unit):
++        self.relname = relid.split(':', 1)[0]
++        self.relid = relid
++        self.unit = unit
++        self.service, num = self.unit.split('/', 1)
++        self.number = int(num)
++
++    def __str__(self):
++        return '{} ({})'.format(self.relid, self.unit)
++
++    @property
++    def data(self):
++        return hookenv.relation_get(rid=self.relid, unit=self.unit)
++
++    def __setitem__(self, key, value):
++        if self.unit != hookenv.local_unit():
++            raise TypeError('Attempting to set {} on remote unit {}'
++                            ''.format(key, self.unit))
++        if value is not None and not isinstance(value, six.string_types):
++            # We don't do implicit casting. This would cause simple
++            # types like integers to be read back as strings in subsequent
++            # hooks, and mutable types would require a lot of wrapping
++            # to ensure relation-set gets called when they are mutated.
++            raise ValueError('Only string values allowed')
++        hookenv.relation_set(self.relid, {key: value})
++
++    def __delitem__(self, key):
++        # Deleting a key and setting it to null is the same thing in
++        # Juju relations.
++        self[key] = None
++
++
++class Leader(UserDict):
++    def __init__(self):
++        pass  # Don't call superclass initializer, as it will nuke self.data
++
++    @property
++    def data(self):
++        return hookenv.leader_get()
++
++    def __setitem__(self, key, value):
++        if not hookenv.is_leader():
++            raise TypeError('Not the leader. Cannot change leader settings.')
++        if value is not None and not isinstance(value, six.string_types):
++            # We don't do implicit casting. This would cause simple
++            # types like integers to be read back as strings in subsequent
++            # hooks, and mutable types would require a lot of wrapping
++            # to ensure leader-set gets called when they are mutated.
++            raise ValueError('Only string values allowed')
++        hookenv.leader_set({key: value})
++
++    def __delitem__(self, key):
++        # Deleting a key and setting it to null is the same thing in
++        # Juju leadership settings.
++        self[key] = None
 === added directory 'hooks/charmhelpers/contrib'
 === added file 'hooks/charmhelpers/contrib/__init__.py'
 --- hooks/charmhelpers/contrib/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added directory 'hooks/charmhelpers/contrib/amulet'
 === added file 'hooks/charmhelpers/contrib/amulet/__init__.py'
 --- hooks/charmhelpers/contrib/amulet/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/amulet/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'hooks/charmhelpers/contrib/amulet/deployment.py'
 --- hooks/charmhelpers/contrib/amulet/deployment.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/amulet/deployment.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,95 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import amulet
++import os
++import six
++
++
++class AmuletDeployment(object):
++    """Amulet deployment.
++
++       This class provides generic Amulet deployment and test runner
++       methods.
++       """
++
++    def __init__(self, series=None):
++        """Initialize the deployment environment."""
++        self.series = None
++
++        if series:
++            self.series = series
++            self.d = amulet.Deployment(series=self.series)
++        else:
++            self.d = amulet.Deployment()
++
++    def _add_services(self, this_service, other_services):
++        """Add services.
++
++           Add services to the deployment where this_service is the local charm
++           that we're testing and other_services are the other services that
++           are being used in the local amulet tests.
++           """
++        if this_service['name'] != os.path.basename(os.getcwd()):
++            s = this_service['name']
++            msg = "The charm's root directory name needs to be {}".format(s)
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++        if 'units' not in this_service:
++            this_service['units'] = 1
++
++        self.d.add(this_service['name'], units=this_service['units'],
++                   constraints=this_service.get('constraints'))
++
++        for svc in other_services:
++            if 'location' in svc:
++                branch_location = svc['location']
++            elif self.series:
++                branch_location = 'cs:{}/{}'.format(self.series, svc['name']),
++            else:
++                branch_location = None
++
++            if 'units' not in svc:
++                svc['units'] = 1
++
++            self.d.add(svc['name'], charm=branch_location, units=svc['units'],
++                       constraints=svc.get('constraints'))
++
++    def _add_relations(self, relations):
++        """Add all of the relations for the services."""
++        for k, v in six.iteritems(relations):
++            self.d.relate(k, v)
++
++    def _configure_services(self, configs):
++        """Configure all of the services."""
++        for service, config in six.iteritems(configs):
++            self.d.configure(service, config)
++
++    def _deploy(self):
++        """Deploy environment and wait for all hooks to finish executing."""
++        try:
++            self.d.setup(timeout=900)
++            self.d.sentry.wait(timeout=900)
++        except amulet.helpers.TimeoutError:
++            amulet.raise_status(amulet.FAIL, msg="Deployment timed out")
++        except Exception:
++            raise
++
++    def run_tests(self):
++        """Run all of the methods that are prefixed with 'test_'."""
++        for test in dir(self):
++            if test.startswith('test_'):
++                getattr(self, test)()
 === added file 'hooks/charmhelpers/contrib/amulet/utils.py'
 --- hooks/charmhelpers/contrib/amulet/utils.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/amulet/utils.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,823 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import io
++import json
++import logging
++import os
++import re
++import socket
++import subprocess
++import sys
++import time
++import uuid
++
++import amulet
++import distro_info
++import six
++from six.moves import configparser
++if six.PY3:
++    from urllib import parse as urlparse
++else:
++    import urlparse
++
++
++class AmuletUtils(object):
++    """Amulet utilities.
++
++       This class provides common utility functions that are used by Amulet
++       tests.
++       """
++
++    def __init__(self, log_level=logging.ERROR):
++        self.log = self.get_logger(level=log_level)
++        self.ubuntu_releases = self.get_ubuntu_releases()
++
++    def get_logger(self, name="amulet-logger", level=logging.DEBUG):
++        """Get a logger object that will log to stdout."""
++        log = logging
++        logger = log.getLogger(name)
++        fmt = log.Formatter("%(asctime)s %(funcName)s "
++                            "%(levelname)s: %(message)s")
++
++        handler = log.StreamHandler(stream=sys.stdout)
++        handler.setLevel(level)
++        handler.setFormatter(fmt)
++
++        logger.addHandler(handler)
++        logger.setLevel(level)
++
++        return logger
++
++    def valid_ip(self, ip):
++        if re.match(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", ip):
++            return True
++        else:
++            return False
++
++    def valid_url(self, url):
++        p = re.compile(
++            r'^(?:http|ftp)s?://'
++            r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # noqa
++            r'localhost|'
++            r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
++            r'(?::\d+)?'
++            r'(?:/?|[/?]\S+)$',
++            re.IGNORECASE)
++        if p.match(url):
++            return True
++        else:
++            return False
++
++    def get_ubuntu_release_from_sentry(self, sentry_unit):
++        """Get Ubuntu release codename from sentry unit.
++
++        :param sentry_unit: amulet sentry/service unit pointer
++        :returns: list of strings - release codename, failure message
++        """
++        msg = None
++        cmd = 'lsb_release -cs'
++        release, code = sentry_unit.run(cmd)
++        if code == 0:
++            self.log.debug('{} lsb_release: {}'.format(
++                sentry_unit.info['unit_name'], release))
++        else:
++            msg = ('{} `{}` returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, release, code))
++        if release not in self.ubuntu_releases:
++            msg = ("Release ({}) not found in Ubuntu releases "
++                   "({})".format(release, self.ubuntu_releases))
++        return release, msg
++
++    def validate_services(self, commands):
++        """Validate that lists of commands succeed on service units.  Can be
++           used to verify system services are running on the corresponding
++           service units.
++
++        :param commands: dict with sentry keys and arbitrary command list vals
++        :returns: None if successful, Failure string message otherwise
++        """
++        self.log.debug('Checking status of system services...')
++
++        # /!\ DEPRECATION WARNING (beisner):
++        # New and existing tests should be rewritten to use
++        # validate_services_by_name() as it is aware of init systems.
++        self.log.warn('DEPRECATION WARNING:  use '
++                      'validate_services_by_name instead of validate_services '
++                      'due to init system differences.')
++
++        for k, v in six.iteritems(commands):
++            for cmd in v:
++                output, code = k.run(cmd)
++                self.log.debug('{} `{}` returned '
++                               '{}'.format(k.info['unit_name'],
++                                           cmd, code))
++                if code != 0:
++                    return "command `{}` returned {}".format(cmd, str(code))
++        return None
++
++    def validate_services_by_name(self, sentry_services):
++        """Validate system service status by service name, automatically
++           detecting init system based on Ubuntu release codename.
++
++        :param sentry_services: dict with sentry keys and svc list values
++        :returns: None if successful, Failure string message otherwise
++        """
++        self.log.debug('Checking status of system services...')
++
++        # Point at which systemd became a thing
++        systemd_switch = self.ubuntu_releases.index('vivid')
++
++        for sentry_unit, services_list in six.iteritems(sentry_services):
++            # Get lsb_release codename from unit
++            release, ret = self.get_ubuntu_release_from_sentry(sentry_unit)
++            if ret:
++                return ret
++
++            for service_name in services_list:
++                if (self.ubuntu_releases.index(release) >= systemd_switch or
++                        service_name in ['rabbitmq-server', 'apache2']):
++                    # init is systemd (or regular sysv)
++                    cmd = 'sudo service {} status'.format(service_name)
++                    output, code = sentry_unit.run(cmd)
++                    service_running = code == 0
++                elif self.ubuntu_releases.index(release) < systemd_switch:
++                    # init is upstart
++                    cmd = 'sudo status {}'.format(service_name)
++                    output, code = sentry_unit.run(cmd)
++                    service_running = code == 0 and "start/running" in output
++
++                self.log.debug('{} `{}` returned '
++                               '{}'.format(sentry_unit.info['unit_name'],
++                                           cmd, code))
++                if not service_running:
++                    return u"command `{}` returned {} {}".format(
++                        cmd, output, str(code))
++        return None
++
++    def _get_config(self, unit, filename):
++        """Get a ConfigParser object for parsing a unit's config file."""
++        file_contents = unit.file_contents(filename)
++
++        # NOTE(beisner):  by default, ConfigParser does not handle options
++        # with no value, such as the flags used in the mysql my.cnf file.
++        # https://bugs.python.org/issue7005
++        config = configparser.ConfigParser(allow_no_value=True)
++        config.readfp(io.StringIO(file_contents))
++        return config
++
++    def validate_config_data(self, sentry_unit, config_file, section,
++                             expected):
++        """Validate config file data.
++
++           Verify that the specified section of the config file contains
++           the expected option key:value pairs.
++
++           Compare expected dictionary data vs actual dictionary data.
++           The values in the 'expected' dictionary can be strings, bools, ints,
++           longs, or can be a function that evaluates a variable and returns a
++           bool.
++           """
++        self.log.debug('Validating config file data ({} in {} on {})'
++                       '...'.format(section, config_file,
++                                    sentry_unit.info['unit_name']))
++        config = self._get_config(sentry_unit, config_file)
++
++        if section != 'DEFAULT' and not config.has_section(section):
++            return "section [{}] does not exist".format(section)
++
++        for k in expected.keys():
++            if not config.has_option(section, k):
++                return "section [{}] is missing option {}".format(section, k)
++
++            actual = config.get(section, k)
++            v = expected[k]
++            if (isinstance(v, six.string_types) or
++                    isinstance(v, bool) or
++                    isinstance(v, six.integer_types)):
++                # handle explicit values
++                if actual != v:
++                    return "section [{}] {}:{} != expected {}:{}".format(
++                           section, k, actual, k, expected[k])
++            # handle function pointers, such as not_null or valid_ip
++            elif not v(actual):
++                return "section [{}] {}:{} != expected {}:{}".format(
++                       section, k, actual, k, expected[k])
++        return None
++
++    def _validate_dict_data(self, expected, actual):
++        """Validate dictionary data.
++
++           Compare expected dictionary data vs actual dictionary data.
++           The values in the 'expected' dictionary can be strings, bools, ints,
++           longs, or can be a function that evaluates a variable and returns a
++           bool.
++           """
++        self.log.debug('actual: {}'.format(repr(actual)))
++        self.log.debug('expected: {}'.format(repr(expected)))
++
++        for k, v in six.iteritems(expected):
++            if k in actual:
++                if (isinstance(v, six.string_types) or
++                        isinstance(v, bool) or
++                        isinstance(v, six.integer_types)):
++                    # handle explicit values
++                    if v != actual[k]:
++                        return "{}:{}".format(k, actual[k])
++                # handle function pointers, such as not_null or valid_ip
++                elif not v(actual[k]):
++                    return "{}:{}".format(k, actual[k])
++            else:
++                return "key '{}' does not exist".format(k)
++        return None
++
++    def validate_relation_data(self, sentry_unit, relation, expected):
++        """Validate actual relation data based on expected relation data."""
++        actual = sentry_unit.relation(relation[0], relation[1])
++        return self._validate_dict_data(expected, actual)
++
++    def _validate_list_data(self, expected, actual):
++        """Compare expected list vs actual list data."""
++        for e in expected:
++            if e not in actual:
++                return "expected item {} not found in actual list".format(e)
++        return None
++
++    def not_null(self, string):
++        if string is not None:
++            return True
++        else:
++            return False
++
++    def _get_file_mtime(self, sentry_unit, filename):
++        """Get last modification time of file."""
++        return sentry_unit.file_stat(filename)['mtime']
++
++    def _get_dir_mtime(self, sentry_unit, directory):
++        """Get last modification time of directory."""
++        return sentry_unit.directory_stat(directory)['mtime']
++
++    def _get_proc_start_time(self, sentry_unit, service, pgrep_full=None):
++        """Get start time of a process based on the last modification time
++           of the /proc/pid directory.
++
++        :sentry_unit:  The sentry unit to check for the service on
++        :service:  service name to look for in process table
++        :pgrep_full:  [Deprecated] Use full command line search mode with pgrep
++        :returns:  epoch time of service process start
++        :param commands:  list of bash commands
++        :param sentry_units:  list of sentry unit pointers
++        :returns:  None if successful; Failure message otherwise
++        """
++        if pgrep_full is not None:
++            # /!\ DEPRECATION WARNING (beisner):
++            # No longer implemented, as pidof is now used instead of pgrep.
++            # https://bugs.launchpad.net/charm-helpers/+bug/1474030
++            self.log.warn('DEPRECATION WARNING:  pgrep_full bool is no '
++                          'longer implemented re: lp 1474030.')
++
++        pid_list = self.get_process_id_list(sentry_unit, service)
++        pid = pid_list[0]
++        proc_dir = '/proc/{}'.format(pid)
++        self.log.debug('Pid for {} on {}: {}'.format(
++            service, sentry_unit.info['unit_name'], pid))
++
++        return self._get_dir_mtime(sentry_unit, proc_dir)
++
++    def service_restarted(self, sentry_unit, service, filename,
++                          pgrep_full=None, sleep_time=20):
++        """Check if service was restarted.
++
++           Compare a service's start time vs a file's last modification time
++           (such as a config file for that service) to determine if the service
++           has been restarted.
++           """
++        # /!\ DEPRECATION WARNING (beisner):
++        # This method is prone to races in that no before-time is known.
++        # Use validate_service_config_changed instead.
++
++        # NOTE(beisner) pgrep_full is no longer implemented, as pidof is now
++        # used instead of pgrep.  pgrep_full is still passed through to ensure
++        # deprecation WARNS.  lp1474030
++        self.log.warn('DEPRECATION WARNING:  use '
++                      'validate_service_config_changed instead of '
++                      'service_restarted due to known races.')
++
++        time.sleep(sleep_time)
++        if (self._get_proc_start_time(sentry_unit, service, pgrep_full) >=
++                self._get_file_mtime(sentry_unit, filename)):
++            return True
++        else:
++            return False
++
++    def service_restarted_since(self, sentry_unit, mtime, service,
++                                pgrep_full=None, sleep_time=20,
++                                retry_count=30, retry_sleep_time=10):
++        """Check if service was been started after a given time.
++
++        Args:
++          sentry_unit (sentry): The sentry unit to check for the service on
++          mtime (float): The epoch time to check against
++          service (string): service name to look for in process table
++          pgrep_full: [Deprecated] Use full command line search mode with pgrep
++          sleep_time (int): Initial sleep time (s) before looking for file
++          retry_sleep_time (int): Time (s) to sleep between retries
++          retry_count (int): If file is not found, how many times to retry
++
++        Returns:
++          bool: True if service found and its start time it newer than mtime,
++                False if service is older than mtime or if service was
++                not found.
++        """
++        # NOTE(beisner) pgrep_full is no longer implemented, as pidof is now
++        # used instead of pgrep.  pgrep_full is still passed through to ensure
++        # deprecation WARNS.  lp1474030
++
++        unit_name = sentry_unit.info['unit_name']
++        self.log.debug('Checking that %s service restarted since %s on '
++                       '%s' % (service, mtime, unit_name))
++        time.sleep(sleep_time)
++        proc_start_time = None
++        tries = 0
++        while tries <= retry_count and not proc_start_time:
++            try:
++                proc_start_time = self._get_proc_start_time(sentry_unit,
++                                                            service,
++                                                            pgrep_full)
++                self.log.debug('Attempt {} to get {} proc start time on {} '
++                               'OK'.format(tries, service, unit_name))
++            except IOError as e:
++                # NOTE(beisner) - race avoidance, proc may not exist yet.
++                # https://bugs.launchpad.net/charm-helpers/+bug/1474030
++                self.log.debug('Attempt {} to get {} proc start time on {} '
++                               'failed\n{}'.format(tries, service,
++                                                   unit_name, e))
++                time.sleep(retry_sleep_time)
++                tries += 1
++
++        if not proc_start_time:
++            self.log.warn('No proc start time found, assuming service did '
++                          'not start')
++            return False
++        if proc_start_time >= mtime:
++            self.log.debug('Proc start time is newer than provided mtime'
++                           '(%s >= %s) on %s (OK)' % (proc_start_time,
++                                                      mtime, unit_name))
++            return True
++        else:
++            self.log.warn('Proc start time (%s) is older than provided mtime '
++                          '(%s) on %s, service did not '
++                          'restart' % (proc_start_time, mtime, unit_name))
++            return False
++
++    def config_updated_since(self, sentry_unit, filename, mtime,
++                             sleep_time=20, retry_count=30,
++                             retry_sleep_time=10):
++        """Check if file was modified after a given time.
++
++        Args:
++          sentry_unit (sentry): The sentry unit to check the file mtime on
++          filename (string): The file to check mtime of
++          mtime (float): The epoch time to check against
++          sleep_time (int): Initial sleep time (s) before looking for file
++          retry_sleep_time (int): Time (s) to sleep between retries
++          retry_count (int): If file is not found, how many times to retry
++
++        Returns:
++          bool: True if file was modified more recently than mtime, False if
++                file was modified before mtime, or if file not found.
++        """
++        unit_name = sentry_unit.info['unit_name']
++        self.log.debug('Checking that %s updated since %s on '
++                       '%s' % (filename, mtime, unit_name))
++        time.sleep(sleep_time)
++        file_mtime = None
++        tries = 0
++        while tries <= retry_count and not file_mtime:
++            try:
++                file_mtime = self._get_file_mtime(sentry_unit, filename)
++                self.log.debug('Attempt {} to get {} file mtime on {} '
++                               'OK'.format(tries, filename, unit_name))
++            except IOError as e:
++                # NOTE(beisner) - race avoidance, file may not exist yet.
++                # https://bugs.launchpad.net/charm-helpers/+bug/1474030
++                self.log.debug('Attempt {} to get {} file mtime on {} '
++                               'failed\n{}'.format(tries, filename,
++                                                   unit_name, e))
++                time.sleep(retry_sleep_time)
++                tries += 1
++
++        if not file_mtime:
++            self.log.warn('Could not determine file mtime, assuming '
++                          'file does not exist')
++            return False
++
++        if file_mtime >= mtime:
++            self.log.debug('File mtime is newer than provided mtime '
++                           '(%s >= %s) on %s (OK)' % (file_mtime,
++                                                      mtime, unit_name))
++            return True
++        else:
++            self.log.warn('File mtime is older than provided mtime'
++                          '(%s < on %s) on %s' % (file_mtime,
++                                                  mtime, unit_name))
++            return False
++
++    def validate_service_config_changed(self, sentry_unit, mtime, service,
++                                        filename, pgrep_full=None,
++                                        sleep_time=20, retry_count=30,
++                                        retry_sleep_time=10):
++        """Check service and file were updated after mtime
++
++        Args:
++          sentry_unit (sentry): The sentry unit to check for the service on
++          mtime (float): The epoch time to check against
++          service (string): service name to look for in process table
++          filename (string): The file to check mtime of
++          pgrep_full: [Deprecated] Use full command line search mode with pgrep
++          sleep_time (int): Initial sleep in seconds to pass to test helpers
++          retry_count (int): If service is not found, how many times to retry
++          retry_sleep_time (int): Time in seconds to wait between retries
++
++        Typical Usage:
++            u = OpenStackAmuletUtils(ERROR)
++            ...
++            mtime = u.get_sentry_time(self.cinder_sentry)
++            self.d.configure('cinder', {'verbose': 'True', 'debug': 'True'})
++            if not u.validate_service_config_changed(self.cinder_sentry,
++                                                     mtime,
++                                                     'cinder-api',
++                                                     '/etc/cinder/cinder.conf')
++                amulet.raise_status(amulet.FAIL, msg='update failed')
++        Returns:
++          bool: True if both service and file where updated/restarted after
++                mtime, False if service is older than mtime or if service was
++                not found or if filename was modified before mtime.
++        """
++
++        # NOTE(beisner) pgrep_full is no longer implemented, as pidof is now
++        # used instead of pgrep.  pgrep_full is still passed through to ensure
++        # deprecation WARNS.  lp1474030
++
++        service_restart = self.service_restarted_since(
++            sentry_unit, mtime,
++            service,
++            pgrep_full=pgrep_full,
++            sleep_time=sleep_time,
++            retry_count=retry_count,
++            retry_sleep_time=retry_sleep_time)
++
++        config_update = self.config_updated_since(
++            sentry_unit,
++            filename,
++            mtime,
++            sleep_time=sleep_time,
++            retry_count=retry_count,
++            retry_sleep_time=retry_sleep_time)
++
++        return service_restart and config_update
++
++    def get_sentry_time(self, sentry_unit):
++        """Return current epoch time on a sentry"""
++        cmd = "date +'%s'"
++        return float(sentry_unit.run(cmd)[0])
++
++    def relation_error(self, name, data):
++        return 'unexpected relation data in {} - {}'.format(name, data)
++
++    def endpoint_error(self, name, data):
++        return 'unexpected endpoint data in {} - {}'.format(name, data)
++
++    def get_ubuntu_releases(self):
++        """Return a list of all Ubuntu releases in order of release."""
++        _d = distro_info.UbuntuDistroInfo()
++        _release_list = _d.all
++        return _release_list
++
++    def file_to_url(self, file_rel_path):
++        """Convert a relative file path to a file URL."""
++        _abs_path = os.path.abspath(file_rel_path)
++        return urlparse.urlparse(_abs_path, scheme='file').geturl()
++
++    def check_commands_on_units(self, commands, sentry_units):
++        """Check that all commands in a list exit zero on all
++        sentry units in a list.
++
++        :param commands:  list of bash commands
++        :param sentry_units:  list of sentry unit pointers
++        :returns: None if successful; Failure message otherwise
++        """
++        self.log.debug('Checking exit codes for {} commands on {} '
++                       'sentry units...'.format(len(commands),
++                                                len(sentry_units)))
++        for sentry_unit in sentry_units:
++            for cmd in commands:
++                output, code = sentry_unit.run(cmd)
++                if code == 0:
++                    self.log.debug('{} `{}` returned {} '
++                                   '(OK)'.format(sentry_unit.info['unit_name'],
++                                                 cmd, code))
++                else:
++                    return ('{} `{}` returned {} '
++                            '{}'.format(sentry_unit.info['unit_name'],
++                                        cmd, code, output))
++        return None
++
++    def get_process_id_list(self, sentry_unit, process_name,
++                            expect_success=True):
++        """Get a list of process ID(s) from a single sentry juju unit
++        for a single process name.
++
++        :param sentry_unit: Amulet sentry instance (juju unit)
++        :param process_name: Process name
++        :param expect_success: If False, expect the PID to be missing,
++            raise if it is present.
++        :returns: List of process IDs
++        """
++        cmd = 'pidof -x {}'.format(process_name)
++        if not expect_success:
++            cmd += " || exit 0 && exit 1"
++        output, code = sentry_unit.run(cmd)
++        if code != 0:
++            msg = ('{} `{}` returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, code, output))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++        return str(output).split()
++
++    def get_unit_process_ids(self, unit_processes, expect_success=True):
++        """Construct a dict containing unit sentries, process names, and
++        process IDs.
++
++        :param unit_processes: A dictionary of Amulet sentry instance
++            to list of process names.
++        :param expect_success: if False expect the processes to not be
++            running, raise if they are.
++        :returns: Dictionary of Amulet sentry instance to dictionary
++            of process names to PIDs.
++        """
++        pid_dict = {}
++        for sentry_unit, process_list in six.iteritems(unit_processes):
++            pid_dict[sentry_unit] = {}
++            for process in process_list:
++                pids = self.get_process_id_list(
++                    sentry_unit, process, expect_success=expect_success)
++                pid_dict[sentry_unit].update({process: pids})
++        return pid_dict
++
++    def validate_unit_process_ids(self, expected, actual):
++        """Validate process id quantities for services on units."""
++        self.log.debug('Checking units for running processes...')
++        self.log.debug('Expected PIDs: {}'.format(expected))
++        self.log.debug('Actual PIDs: {}'.format(actual))
++
++        if len(actual) != len(expected):
++            return ('Unit count mismatch.  expected, actual: {}, '
++                    '{} '.format(len(expected), len(actual)))
++
++        for (e_sentry, e_proc_names) in six.iteritems(expected):
++            e_sentry_name = e_sentry.info['unit_name']
++            if e_sentry in actual.keys():
++                a_proc_names = actual[e_sentry]
++            else:
++                return ('Expected sentry ({}) not found in actual dict data.'
++                        '{}'.format(e_sentry_name, e_sentry))
++
++            if len(e_proc_names.keys()) != len(a_proc_names.keys()):
++                return ('Process name count mismatch.  expected, actual: {}, '
++                        '{}'.format(len(expected), len(actual)))
++
++            for (e_proc_name, e_pids_length), (a_proc_name, a_pids) in \
++                    zip(e_proc_names.items(), a_proc_names.items()):
++                if e_proc_name != a_proc_name:
++                    return ('Process name mismatch.  expected, actual: {}, '
++                            '{}'.format(e_proc_name, a_proc_name))
++
++                a_pids_length = len(a_pids)
++                fail_msg = ('PID count mismatch. {} ({}) expected, actual: '
++                            '{}, {} ({})'.format(e_sentry_name, e_proc_name,
++                                                 e_pids_length, a_pids_length,
++                                                 a_pids))
++
++                # If expected is not bool, ensure PID quantities match
++                if not isinstance(e_pids_length, bool) and \
++                        a_pids_length != e_pids_length:
++                    return fail_msg
++                # If expected is bool True, ensure 1 or more PIDs exist
++                elif isinstance(e_pids_length, bool) and \
++                        e_pids_length is True and a_pids_length < 1:
++                    return fail_msg
++                # If expected is bool False, ensure 0 PIDs exist
++                elif isinstance(e_pids_length, bool) and \
++                        e_pids_length is False and a_pids_length != 0:
++                    return fail_msg
++                else:
++                    self.log.debug('PID check OK: {} {} {}: '
++                                   '{}'.format(e_sentry_name, e_proc_name,
++                                               e_pids_length, a_pids))
++        return None
++
++    def validate_list_of_identical_dicts(self, list_of_dicts):
++        """Check that all dicts within a list are identical."""
++        hashes = []
++        for _dict in list_of_dicts:
++            hashes.append(hash(frozenset(_dict.items())))
++
++        self.log.debug('Hashes: {}'.format(hashes))
++        if len(set(hashes)) == 1:
++            self.log.debug('Dicts within list are identical')
++        else:
++            return 'Dicts within list are not identical'
++
++        return None
++
++    def validate_sectionless_conf(self, file_contents, expected):
++        """A crude conf parser.  Useful to inspect configuration files which
++        do not have section headers (as would be necessary in order to use
++        the configparser).  Such as openstack-dashboard or rabbitmq confs."""
++        for line in file_contents.split('\n'):
++            if '=' in line:
++                args = line.split('=')
++                if len(args) <= 1:
++                    continue
++                key = args[0].strip()
++                value = args[1].strip()
++                if key in expected.keys():
++                    if expected[key] != value:
++                        msg = ('Config mismatch.  Expected, actual:  {}, '
++                               '{}'.format(expected[key], value))
++                        amulet.raise_status(amulet.FAIL, msg=msg)
++
++    def get_unit_hostnames(self, units):
++        """Return a dict of juju unit names to hostnames."""
++        host_names = {}
++        for unit in units:
++            host_names[unit.info['unit_name']] = \
++                str(unit.file_contents('/etc/hostname').strip())
++        self.log.debug('Unit host names: {}'.format(host_names))
++        return host_names
++
++    def run_cmd_unit(self, sentry_unit, cmd):
++        """Run a command on a unit, return the output and exit code."""
++        output, code = sentry_unit.run(cmd)
++        if code == 0:
++            self.log.debug('{} `{}` command returned {} '
++                           '(OK)'.format(sentry_unit.info['unit_name'],
++                                         cmd, code))
++        else:
++            msg = ('{} `{}` command returned {} '
++                   '{}'.format(sentry_unit.info['unit_name'],
++                               cmd, code, output))
++            amulet.raise_status(amulet.FAIL, msg=msg)
++        return str(output), code
++
++    def file_exists_on_unit(self, sentry_unit, file_name):
++        """Check if a file exists on a unit."""
++        try:
++            sentry_unit.file_stat(file_name)
++            return True
++        except IOError:
++            return False
++        except Exception as e:
++            msg = 'Error checking file {}: {}'.format(file_name, e)
++            amulet.raise_status(amulet.FAIL, msg=msg)
++
++    def file_contents_safe(self, sentry_unit, file_name,
++                           max_wait=60, fatal=False):
++        """Get file contents from a sentry unit.  Wrap amulet file_contents
++        with retry logic to address races where a file checks as existing,
++        but no longer exists by the time file_contents is called.
++        Return None if file not found. Optionally raise if fatal is True."""
++        unit_name = sentry_unit.info['unit_name']
++        file_contents = False
++        tries = 0
++        while not file_contents and tries < (max_wait / 4):
++            try:
++                file_contents = sentry_unit.file_contents(file_name)
++            except IOError:
++                self.log.debug('Attempt {} to open file {} from {} '
++                               'failed'.format(tries, file_name,
++                                               unit_name))
++                time.sleep(4)
++                tries += 1
++
++        if file_contents:
++            return file_contents
++        elif not fatal:
++            return None
++        elif fatal:
++            msg = 'Failed to get file contents from unit.'
++            amulet.raise_status(amulet.FAIL, msg)
++
++    def port_knock_tcp(self, host="localhost", port=22, timeout=15):
++        """Open a TCP socket to check for a listening sevice on a host.
++
++        :param host: host name or IP address, default to localhost
++        :param port: TCP port number, default to 22
++        :param timeout: Connect timeout, default to 15 seconds
++        :returns: True if successful, False if connect failed
++        """
++
++        # Resolve host name if possible
++        try:
++            connect_host = socket.gethostbyname(host)
++            host_human = "{} ({})".format(connect_host, host)
++        except socket.error as e:
++            self.log.warn('Unable to resolve address: '
++                          '{} ({}) Trying anyway!'.format(host, e))
++            connect_host = host
++            host_human = connect_host
++
++        # Attempt socket connection
++        try:
++            knock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++            knock.settimeout(timeout)
++            knock.connect((connect_host, port))
++            knock.close()
++            self.log.debug('Socket connect OK for host '
++                           '{} on port {}.'.format(host_human, port))
++            return True
++        except socket.error as e:
++            self.log.debug('Socket connect FAIL for'
++                           ' {} port {} ({})'.format(host_human, port, e))
++            return False
++
++    def port_knock_units(self, sentry_units, port=22,
++                         timeout=15, expect_success=True):
++        """Open a TCP socket to check for a listening sevice on each
++        listed juju unit.
++
++        :param sentry_units: list of sentry unit pointers
++        :param port: TCP port number, default to 22
++        :param timeout: Connect timeout, default to 15 seconds
++        :expect_success: True by default, set False to invert logic
++        :returns: None if successful, Failure message otherwise
++        """
++        for unit in sentry_units:
++            host = unit.info['public-address']
++            connected = self.port_knock_tcp(host, port, timeout)
++            if not connected and expect_success:
++                return 'Socket connect failed.'
++            elif connected and not expect_success:
++                return 'Socket connected unexpectedly.'
++
++    def get_uuid_epoch_stamp(self):
++        """Returns a stamp string based on uuid4 and epoch time.  Useful in
++        generating test messages which need to be unique-ish."""
++        return '[{}-{}]'.format(uuid.uuid4(), time.time())
++
++# amulet juju action helpers:
++    def run_action(self, unit_sentry, action,
++                   _check_output=subprocess.check_output,
++                   params=None):
++        """Run the named action on a given unit sentry.
++
++        params a dict of parameters to use
++        _check_output parameter is used for dependency injection.
++
++        @return action_id.
++        """
++        unit_id = unit_sentry.info["unit_name"]
++        command = ["juju", "action", "do", "--format=json", unit_id, action]
++        if params is not None:
++            for key, value in params.iteritems():
++                command.append("{}={}".format(key, value))
++        self.log.info("Running command: %s\n" % " ".join(command))
++        output = _check_output(command, universal_newlines=True)
++        data = json.loads(output)
++        action_id = data[u'Action queued with id']
++        return action_id
++
++    def wait_on_action(self, action_id, _check_output=subprocess.check_output):
++        """Wait for a given action, returning if it completed or not.
++
++        _check_output parameter is used for dependency injection.
++        """
++        command = ["juju", "action", "fetch", "--format=json", "--wait=0",
++                   action_id]
++        output = _check_output(command, universal_newlines=True)
++        data = json.loads(output)
++        return data.get(u"status") == "completed"
++
++    def status_get(self, unit):
++        """Return the current service status of this unit."""
++        raw_status, return_code = unit.run(
++            "status-get --format=json --include-data")
++        if return_code != 0:
++            return ("unknown", "")
++        status = json.loads(raw_status)
++        return (status["status"], status["message"])
 === added directory 'hooks/charmhelpers/contrib/ansible'
 === added file 'hooks/charmhelpers/contrib/ansible/__init__.py'
 --- hooks/charmhelpers/contrib/ansible/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/ansible/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,254 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++# Copyright 2013 Canonical Ltd.
++#
++# Authors:
++#  Charm Helpers Developers <juju@lists.ubuntu.com>
++"""Charm Helpers ansible - declare the state of your machines.
++
++This helper enables you to declare your machine state, rather than
++program it procedurally (and have to test each change to your procedures).
++Your install hook can be as simple as::
++
++    {{{
++    import charmhelpers.contrib.ansible
++
++
++    def install():
++        charmhelpers.contrib.ansible.install_ansible_support()
++        charmhelpers.contrib.ansible.apply_playbook('playbooks/install.yaml')
++    }}}
++
++and won't need to change (nor will its tests) when you change the machine
++state.
++
++All of your juju config and relation-data are available as template
++variables within your playbooks and templates. An install playbook looks
++something like::
++
++    {{{
++    ---
++    - hosts: localhost
++      user: root
++
++      tasks:
++        - name: Add private repositories.
++          template:
++            src: ../templates/private-repositories.list.jinja2
++            dest: /etc/apt/sources.list.d/private.list
++
++        - name: Update the cache.
++          apt: update_cache=yes
++
++        - name: Install dependencies.
++          apt: pkg={{ item }}
++          with_items:
++            - python-mimeparse
++            - python-webob
++            - sunburnt
++
++        - name: Setup groups.
++          group: name={{ item.name }} gid={{ item.gid }}
++          with_items:
++            - { name: 'deploy_user', gid: 1800 }
++            - { name: 'service_user', gid: 1500 }
++
++      ...
++    }}}
++
++Read more online about `playbooks`_ and standard ansible `modules`_.
++
++.. _playbooks: http://www.ansibleworks.com/docs/playbooks.html
++.. _modules: http://www.ansibleworks.com/docs/modules.html
++
++A further feature os the ansible hooks is to provide a light weight "action"
++scripting tool. This is a decorator that you apply to a function, and that
++function can now receive cli args, and can pass extra args to the playbook.
++
++e.g.
++
++
++@hooks.action()
++def some_action(amount, force="False"):
++    "Usage: some-action AMOUNT [force=True]"  # <-- shown on error
++    # process the arguments
++    # do some calls
++    # return extra-vars to be passed to ansible-playbook
++    return {
++        'amount': int(amount),
++        'type': force,
++    }
++
++You can now create a symlink to hooks.py that can be invoked like a hook, but
++with cli params:
++
++# link actions/some-action to hooks/hooks.py
++
++actions/some-action amount=10 force=true
++
++"""
++import os
++import stat
++import subprocess
++import functools
++
++import charmhelpers.contrib.templating.contexts
++import charmhelpers.core.host
++import charmhelpers.core.hookenv
++import charmhelpers.fetch
++
++
++charm_dir = os.environ.get('CHARM_DIR', '')
++ansible_hosts_path = '/etc/ansible/hosts'
++# Ansible will automatically include any vars in the following
++# file in its inventory when run locally.
++ansible_vars_path = '/etc/ansible/host_vars/localhost'
++
++
++def install_ansible_support(from_ppa=True, ppa_location='ppa:rquillo/ansible'):
++    """Installs the ansible package.
++
++    By default it is installed from the `PPA`_ linked from
++    the ansible `website`_ or from a ppa specified by a charm config..
++
++    .. _PPA: https://launchpad.net/~rquillo/+archive/ansible
++    .. _website: http://docs.ansible.com/intro_installation.html#latest-releases-via-apt-ubuntu
++
++    If from_ppa is empty, you must ensure that the package is available
++    from a configured repository.
++    """
++    if from_ppa:
++        charmhelpers.fetch.add_source(ppa_location)
++        charmhelpers.fetch.apt_update(fatal=True)
++    charmhelpers.fetch.apt_install('ansible')
++    with open(ansible_hosts_path, 'w+') as hosts_file:
++        hosts_file.write('localhost ansible_connection=local')
++
++
++def apply_playbook(playbook, tags=None, extra_vars=None):
++    tags = tags or []
++    tags = ",".join(tags)
++    charmhelpers.contrib.templating.contexts.juju_state_to_yaml(
++        ansible_vars_path, namespace_separator='__',
++        allow_hyphens_in_keys=False, mode=(stat.S_IRUSR | stat.S_IWUSR))
++
++    # we want ansible's log output to be unbuffered
++    env = os.environ.copy()
++    env['PYTHONUNBUFFERED'] = "1"
++    call = [
++        'ansible-playbook',
++        '-c',
++        'local',
++        playbook,
++    ]
++    if tags:
++        call.extend(['--tags', '{}'.format(tags)])
++    if extra_vars:
++        extra = ["%s=%s" % (k, v) for k, v in extra_vars.items()]
++        call.extend(['--extra-vars', " ".join(extra)])
++    subprocess.check_call(call, env=env)
++
++
++class AnsibleHooks(charmhelpers.core.hookenv.Hooks):
++    """Run a playbook with the hook-name as the tag.
++
++    This helper builds on the standard hookenv.Hooks helper,
++    but additionally runs the playbook with the hook-name specified
++    using --tags (ie. running all the tasks tagged with the hook-name).
++
++    Example::
++
++        hooks = AnsibleHooks(playbook_path='playbooks/my_machine_state.yaml')
++
++        # All the tasks within my_machine_state.yaml tagged with 'install'
++        # will be run automatically after do_custom_work()
++        @hooks.hook()
++        def install():
++            do_custom_work()
++
++        # For most of your hooks, you won't need to do anything other
++        # than run the tagged tasks for the hook:
++        @hooks.hook('config-changed', 'start', 'stop')
++        def just_use_playbook():
++            pass
++
++        # As a convenience, you can avoid the above noop function by specifying
++        # the hooks which are handled by ansible-only and they'll be registered
++        # for you:
++        # hooks = AnsibleHooks(
++        #     'playbooks/my_machine_state.yaml',
++        #     default_hooks=['config-changed', 'start', 'stop'])
++
++        if __name__ == "__main__":
++            # execute a hook based on the name the program is called by
++            hooks.execute(sys.argv)
++
++    """
++
++    def __init__(self, playbook_path, default_hooks=None):
++        """Register any hooks handled by ansible."""
++        super(AnsibleHooks, self).__init__()
++
++        self._actions = {}
++        self.playbook_path = playbook_path
++
++        default_hooks = default_hooks or []
++
++        def noop(*args, **kwargs):
++            pass
++
++        for hook in default_hooks:
++            self.register(hook, noop)
++
++    def register_action(self, name, function):
++        """Register a hook"""
++        self._actions[name] = function
++
++    def execute(self, args):
++        """Execute the hook followed by the playbook using the hook as tag."""
++        hook_name = os.path.basename(args[0])
++        extra_vars = None
++        if hook_name in self._actions:
++            extra_vars = self._actions[hook_name](args[1:])
++        else:
++            super(AnsibleHooks, self).execute(args)
++
++        charmhelpers.contrib.ansible.apply_playbook(
++            self.playbook_path, tags=[hook_name], extra_vars=extra_vars)
++
++    def action(self, *action_names):
++        """Decorator, registering them as actions"""
++        def action_wrapper(decorated):
++
++            @functools.wraps(decorated)
++            def wrapper(argv):
++                kwargs = dict(arg.split('=') for arg in argv)
++                try:
++                    return decorated(**kwargs)
++                except TypeError as e:
++                    if decorated.__doc__:
++                        e.args += (decorated.__doc__,)
++                    raise
++
++            self.register_action(decorated.__name__, wrapper)
++            if '_' in decorated.__name__:
++                self.register_action(
++                    decorated.__name__.replace('_', '-'), wrapper)
++
++            return wrapper
++
++        return action_wrapper
 === added directory 'hooks/charmhelpers/contrib/benchmark'
 === added file 'hooks/charmhelpers/contrib/benchmark/__init__.py'
 --- hooks/charmhelpers/contrib/benchmark/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/benchmark/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,126 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import subprocess
++import time
++import os
++from distutils.spawn import find_executable
++
++from charmhelpers.core.hookenv import (
++    in_relation_hook,
++    relation_ids,
++    relation_set,
++    relation_get,
++)
++
++
++def action_set(key, val):
++    if find_executable('action-set'):
++        action_cmd = ['action-set']
++
++        if isinstance(val, dict):
++            for k, v in iter(val.items()):
++                action_set('%s.%s' % (key, k), v)
++            return True
++
++        action_cmd.append('%s=%s' % (key, val))
++        subprocess.check_call(action_cmd)
++        return True
++    return False
++
++
++class Benchmark():
++    """
++    Helper class for the `benchmark` interface.
++
++    :param list actions: Define the actions that are also benchmarks
++
++    From inside the benchmark-relation-changed hook, you would
++    Benchmark(['memory', 'cpu', 'disk', 'smoke', 'custom'])
++
++    Examples:
++
++        siege = Benchmark(['siege'])
++        siege.start()
++        [... run siege ...]
++        # The higher the score, the better the benchmark
++        siege.set_composite_score(16.70, 'trans/sec', 'desc')
++        siege.finish()
++
++
++    """
++
++    BENCHMARK_CONF = '/etc/benchmark.conf'  # Replaced in testing
++
++    required_keys = [
++        'hostname',
++        'port',
++        'graphite_port',
++        'graphite_endpoint',
++        'api_port'
++    ]
++
++    def __init__(self, benchmarks=None):
++        if in_relation_hook():
++            if benchmarks is not None:
++                for rid in sorted(relation_ids('benchmark')):
++                    relation_set(relation_id=rid, relation_settings={
++                        'benchmarks': ",".join(benchmarks)
++                    })
++
++            # Check the relation data
++            config = {}
++            for key in self.required_keys:
++                val = relation_get(key)
++                if val is not None:
++                    config[key] = val
++                else:
++                    # We don't have all of the required keys
++                    config = {}
++                    break
++
++            if len(config):
++                with open(self.BENCHMARK_CONF, 'w') as f:
++                    for key, val in iter(config.items()):
++                        f.write("%s=%s\n" % (key, val))
++
++    @staticmethod
++    def start():
++        action_set('meta.start', time.strftime('%Y-%m-%dT%H:%M:%SZ'))
++
++        """
++        If the collectd charm is also installed, tell it to send a snapshot
++        of the current profile data.
++        """
++        COLLECT_PROFILE_DATA = '/usr/local/bin/collect-profile-data'
++        if os.path.exists(COLLECT_PROFILE_DATA):
++            subprocess.check_output([COLLECT_PROFILE_DATA])
++
++    @staticmethod
++    def finish():
++        action_set('meta.stop', time.strftime('%Y-%m-%dT%H:%M:%SZ'))
++
++    @staticmethod
++    def set_composite_score(value, units, direction='asc'):
++        """
++        Set the composite score for a benchmark run. This is a single number
++        representative of the benchmark results. This could be the most
++        important metric, or an amalgamation of metric scores.
++        """
++        return action_set(
++            "meta.composite",
++            {'value': value, 'units': units, 'direction': direction}
++        )
 === added directory 'hooks/charmhelpers/contrib/charmhelpers'
 === added file 'hooks/charmhelpers/contrib/charmhelpers/IMPORT'
 --- hooks/charmhelpers/contrib/charmhelpers/IMPORT	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/charmhelpers/IMPORT	2016-03-21 06:13:21 +0000
@@ -0,0 +1,4 @@
++Source lp:charm-tools/trunk
++
++charm-tools/helpers/python/charmhelpers/__init__.py -> charmhelpers/charmhelpers/contrib/charmhelpers/__init__.py
++charm-tools/helpers/python/charmhelpers/tests/test_charmhelpers.py -> charmhelpers/tests/contrib/charmhelpers/test_charmhelpers.py
 === added file 'hooks/charmhelpers/contrib/charmhelpers/__init__.py'
 --- hooks/charmhelpers/contrib/charmhelpers/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/charmhelpers/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,208 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++# Copyright 2012 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++import warnings
++warnings.warn("contrib.charmhelpers is deprecated", DeprecationWarning)  # noqa
++
++import operator
++import tempfile
++import time
++import yaml
++import subprocess
++
++import six
++if six.PY3:
++    from urllib.request import urlopen
++    from urllib.error import (HTTPError, URLError)
++else:
++    from urllib2 import (urlopen, HTTPError, URLError)
++
++"""Helper functions for writing Juju charms in Python."""
++
++__metaclass__ = type
++__all__ = [
++    # 'get_config',             # core.hookenv.config()
++    # 'log',                    # core.hookenv.log()
++    # 'log_entry',              # core.hookenv.log()
++    # 'log_exit',               # core.hookenv.log()
++    # 'relation_get',           # core.hookenv.relation_get()
++    # 'relation_set',           # core.hookenv.relation_set()
++    # 'relation_ids',           # core.hookenv.relation_ids()
++    # 'relation_list',          # core.hookenv.relation_units()
++    # 'config_get',             # core.hookenv.config()
++    # 'unit_get',               # core.hookenv.unit_get()
++    # 'open_port',              # core.hookenv.open_port()
++    # 'close_port',             # core.hookenv.close_port()
++    # 'service_control',        # core.host.service()
++    'unit_info',              # client-side, NOT IMPLEMENTED
++    'wait_for_machine',       # client-side, NOT IMPLEMENTED
++    'wait_for_page_contents',  # client-side, NOT IMPLEMENTED
++    'wait_for_relation',      # client-side, NOT IMPLEMENTED
++    'wait_for_unit',          # client-side, NOT IMPLEMENTED
++]
++
++
++SLEEP_AMOUNT = 0.1
++
++
++# We create a juju_status Command here because it makes testing much,
++# much easier.
++def juju_status():
++    subprocess.check_call(['juju', 'status'])
++
++# re-implemented as charmhelpers.fetch.configure_sources()
++# def configure_source(update=False):
++#    source = config_get('source')
++#    if ((source.startswith('ppa:') or
++#         source.startswith('cloud:') or
++#         source.startswith('http:'))):
++#        run('add-apt-repository', source)
++#    if source.startswith("http:"):
++#        run('apt-key', 'import', config_get('key'))
++#    if update:
++#        run('apt-get', 'update')
++
++
++# DEPRECATED: client-side only
++def make_charm_config_file(charm_config):
++    charm_config_file = tempfile.NamedTemporaryFile(mode='w+')
++    charm_config_file.write(yaml.dump(charm_config))
++    charm_config_file.flush()
++    # The NamedTemporaryFile instance is returned instead of just the name
++    # because we want to take advantage of garbage collection-triggered
++    # deletion of the temp file when it goes out of scope in the caller.
++    return charm_config_file
++
++
++# DEPRECATED: client-side only
++def unit_info(service_name, item_name, data=None, unit=None):
++    if data is None:
++        data = yaml.safe_load(juju_status())
++    service = data['services'].get(service_name)
++    if service is None:
++        # XXX 2012-02-08 gmb:
++        #     This allows us to cope with the race condition that we
++        #     have between deploying a service and having it come up in
++        #     `juju status`. We could probably do with cleaning it up so
++        #     that it fails a bit more noisily after a while.
++        return ''
++    units = service['units']
++    if unit is not None:
++        item = units[unit][item_name]
++    else:
++        # It might seem odd to sort the units here, but we do it to
++        # ensure that when no unit is specified, the first unit for the
++        # service (or at least the one with the lowest number) is the
++        # one whose data gets returned.
++        sorted_unit_names = sorted(units.keys())
++        item = units[sorted_unit_names[0]][item_name]
++    return item
++
++
++# DEPRECATED: client-side only
++def get_machine_data():
++    return yaml.safe_load(juju_status())['machines']
++
++
++# DEPRECATED: client-side only
++def wait_for_machine(num_machines=1, timeout=300):
++    """Wait `timeout` seconds for `num_machines` machines to come up.
++
++    This wait_for... function can be called by other wait_for functions
++    whose timeouts might be too short in situations where only a bare
++    Juju setup has been bootstrapped.
++
++    :return: A tuple of (num_machines, time_taken). This is used for
++             testing.
++    """
++    # You may think this is a hack, and you'd be right. The easiest way
++    # to tell what environment we're working in (LXC vs EC2) is to check
++    # the dns-name of the first machine. If it's localhost we're in LXC
++    # and we can just return here.
++    if get_machine_data()[0]['dns-name'] == 'localhost':
++        return 1, 0
++    start_time = time.time()
++    while True:
++        # Drop the first machine, since it's the Zookeeper and that's
++        # not a machine that we need to wait for. This will only work
++        # for EC2 environments, which is why we return early above if
++        # we're in LXC.
++        machine_data = get_machine_data()
++        non_zookeeper_machines = [
++            machine_data[key] for key in list(machine_data.keys())[1:]]
++        if len(non_zookeeper_machines) >= num_machines:
++            all_machines_running = True
++            for machine in non_zookeeper_machines:
++                if machine.get('instance-state') != 'running':
++                    all_machines_running = False
++                    break
++            if all_machines_running:
++                break
++        if time.time() - start_time >= timeout:
++            raise RuntimeError('timeout waiting for service to start')
++        time.sleep(SLEEP_AMOUNT)
++    return num_machines, time.time() - start_time
++
++
++# DEPRECATED: client-side only
++def wait_for_unit(service_name, timeout=480):
++    """Wait `timeout` seconds for a given service name to come up."""
++    wait_for_machine(num_machines=1)
++    start_time = time.time()
++    while True:
++        state = unit_info(service_name, 'agent-state')
++        if 'error' in state or state == 'started':
++            break
++        if time.time() - start_time >= timeout:
++            raise RuntimeError('timeout waiting for service to start')
++        time.sleep(SLEEP_AMOUNT)
++    if state != 'started':
++        raise RuntimeError('unit did not start, agent-state: ' + state)
++
++
++# DEPRECATED: client-side only
++def wait_for_relation(service_name, relation_name, timeout=120):
++    """Wait `timeout` seconds for a given relation to come up."""
++    start_time = time.time()
++    while True:
++        relation = unit_info(service_name, 'relations').get(relation_name)
++        if relation is not None and relation['state'] == 'up':
++            break
++        if time.time() - start_time >= timeout:
++            raise RuntimeError('timeout waiting for relation to be up')
++        time.sleep(SLEEP_AMOUNT)
++
++
++# DEPRECATED: client-side only
++def wait_for_page_contents(url, contents, timeout=120, validate=None):
++    if validate is None:
++        validate = operator.contains
++    start_time = time.time()
++    while True:
++        try:
++            stream = urlopen(url)
++        except (HTTPError, URLError):
++            pass
++        else:
++            page = stream.read()
++            if validate(page, contents):
++                return page
++        if time.time() - start_time >= timeout:
++            raise RuntimeError('timeout waiting for contents of ' + url)
++        time.sleep(SLEEP_AMOUNT)
 === added directory 'hooks/charmhelpers/contrib/charmsupport'
 === added file 'hooks/charmhelpers/contrib/charmsupport/IMPORT'
 --- hooks/charmhelpers/contrib/charmsupport/IMPORT	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/charmsupport/IMPORT	2016-03-21 06:13:21 +0000
@@ -0,0 +1,14 @@
++Source: lp:charmsupport/trunk
++
++charmsupport/charmsupport/execd.py -> charm-helpers/charmhelpers/contrib/charmsupport/execd.py
++charmsupport/charmsupport/hookenv.py -> charm-helpers/charmhelpers/contrib/charmsupport/hookenv.py
++charmsupport/charmsupport/host.py -> charm-helpers/charmhelpers/contrib/charmsupport/host.py
++charmsupport/charmsupport/nrpe.py -> charm-helpers/charmhelpers/contrib/charmsupport/nrpe.py
++charmsupport/charmsupport/volumes.py -> charm-helpers/charmhelpers/contrib/charmsupport/volumes.py
++
++charmsupport/tests/test_execd.py -> charm-helpers/tests/contrib/charmsupport/test_execd.py
++charmsupport/tests/test_hookenv.py -> charm-helpers/tests/contrib/charmsupport/test_hookenv.py
++charmsupport/tests/test_host.py -> charm-helpers/tests/contrib/charmsupport/test_host.py
++charmsupport/tests/test_nrpe.py -> charm-helpers/tests/contrib/charmsupport/test_nrpe.py
++
++charmsupport/bin/charmsupport -> charm-helpers/bin/contrib/charmsupport/charmsupport
 === added file 'hooks/charmhelpers/contrib/charmsupport/__init__.py'
 --- hooks/charmhelpers/contrib/charmsupport/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/charmsupport/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'hooks/charmhelpers/contrib/charmsupport/nrpe.py'
 --- hooks/charmhelpers/contrib/charmsupport/nrpe.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/charmsupport/nrpe.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,398 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++"""Compatibility with the nrpe-external-master charm"""
++# Copyright 2012 Canonical Ltd.
++#
++# Authors:
++#  Matthew Wedgwood <matthew.wedgwood@canonical.com>
++
++import subprocess
++import pwd
++import grp
++import os
++import glob
++import shutil
++import re
++import shlex
++import yaml
++
++from charmhelpers.core.hookenv import (
++    config,
++    local_unit,
++    log,
++    relation_ids,
++    relation_set,
++    relations_of_type,
++)
++
++from charmhelpers.core.host import service
++
++# This module adds compatibility with the nrpe-external-master and plain nrpe
++# subordinate charms. To use it in your charm:
++#
++# 1. Update metadata.yaml
++#
++#   provides:
++#     (...)
++#     nrpe-external-master:
++#       interface: nrpe-external-master
++#       scope: container
++#
++#   and/or
++#
++#   provides:
++#     (...)
++#     local-monitors:
++#       interface: local-monitors
++#       scope: container
++
++#
++# 2. Add the following to config.yaml
++#
++#    nagios_context:
++#      default: "juju"
++#      type: string
++#      description: |
++#        Used by the nrpe subordinate charms.
++#        A string that will be prepended to instance name to set the host name
++#        in nagios. So for instance the hostname would be something like:
++#            juju-myservice-0
++#        If you're running multiple environments with the same services in them
++#        this allows you to differentiate between them.
++#    nagios_servicegroups:
++#      default: ""
++#      type: string
++#      description: |
++#        A comma-separated list of nagios servicegroups.
++#        If left empty, the nagios_context will be used as the servicegroup
++#
++# 3. Add custom checks (Nagios plugins) to files/nrpe-external-master
++#
++# 4. Update your hooks.py with something like this:
++#
++#    from charmsupport.nrpe import NRPE
++#    (...)
++#    def update_nrpe_config():
++#        nrpe_compat = NRPE()
++#        nrpe_compat.add_check(
++#            shortname = "myservice",
++#            description = "Check MyService",
++#            check_cmd = "check_http -w 2 -c 10 http://localhost"
++#            )
++#        nrpe_compat.add_check(
++#            "myservice_other",
++#            "Check for widget failures",
++#            check_cmd = "/srv/myapp/scripts/widget_check"
++#            )
++#        nrpe_compat.write()
++#
++#    def config_changed():
++#        (...)
++#        update_nrpe_config()
++#
++#    def nrpe_external_master_relation_changed():
++#        update_nrpe_config()
++#
++#    def local_monitors_relation_changed():
++#        update_nrpe_config()
++#
++# 5. ln -s hooks.py nrpe-external-master-relation-changed
++#    ln -s hooks.py local-monitors-relation-changed
++
++
++class CheckException(Exception):
++    pass
++
++
++class Check(object):
++    shortname_re = '[A-Za-z0-9-_]+$'
++    service_template = ("""
++#---------------------------------------------------
++# This file is Juju managed
++#---------------------------------------------------
++define service {{
++    use                             active-service
++    host_name                       {nagios_hostname}
++    service_description             {nagios_hostname}[{shortname}] """
++                        """{description}
++    check_command                   check_nrpe!{command}
++    servicegroups                   {nagios_servicegroup}
++}}
++""")
++
++    def __init__(self, shortname, description, check_cmd):
++        super(Check, self).__init__()
++        # XXX: could be better to calculate this from the service name
++        if not re.match(self.shortname_re, shortname):
++            raise CheckException("shortname must match {}".format(
++                Check.shortname_re))
++        self.shortname = shortname
++        self.command = "check_{}".format(shortname)
++        # Note: a set of invalid characters is defined by the
++        # Nagios server config
++        # The default is: illegal_object_name_chars=`~!$%^&*"|'<>?,()=
++        self.description = description
++        self.check_cmd = self._locate_cmd(check_cmd)
++
++    def _get_check_filename(self):
++        return os.path.join(NRPE.nrpe_confdir, '{}.cfg'.format(self.command))
++
++    def _get_service_filename(self, hostname):
++        return os.path.join(NRPE.nagios_exportdir,
++                            'service__{}_{}.cfg'.format(hostname, self.command))
++
++    def _locate_cmd(self, check_cmd):
++        search_path = (
++            '/usr/lib/nagios/plugins',
++            '/usr/local/lib/nagios/plugins',
++        )
++        parts = shlex.split(check_cmd)
++        for path in search_path:
++            if os.path.exists(os.path.join(path, parts[0])):
++                command = os.path.join(path, parts[0])
++                if len(parts) > 1:
++                    command += " " + " ".join(parts[1:])
++                return command
++        log('Check command not found: {}'.format(parts[0]))
++        return ''
++
++    def _remove_service_files(self):
++        if not os.path.exists(NRPE.nagios_exportdir):
++            return
++        for f in os.listdir(NRPE.nagios_exportdir):
++            if f.endswith('_{}.cfg'.format(self.command)):
++                os.remove(os.path.join(NRPE.nagios_exportdir, f))
++
++    def remove(self, hostname):
++        nrpe_check_file = self._get_check_filename()
++        if os.path.exists(nrpe_check_file):
++            os.remove(nrpe_check_file)
++        self._remove_service_files()
++
++    def write(self, nagios_context, hostname, nagios_servicegroups):
++        nrpe_check_file = self._get_check_filename()
++        with open(nrpe_check_file, 'w') as nrpe_check_config:
++            nrpe_check_config.write("# check {}\n".format(self.shortname))
++            nrpe_check_config.write("command[{}]={}\n".format(
++                self.command, self.check_cmd))
++
++        if not os.path.exists(NRPE.nagios_exportdir):
++            log('Not writing service config as {} is not accessible'.format(
++                NRPE.nagios_exportdir))
++        else:
++            self.write_service_config(nagios_context, hostname,
++                                      nagios_servicegroups)
++
++    def write_service_config(self, nagios_context, hostname,
++                             nagios_servicegroups):
++        self._remove_service_files()
++
++        templ_vars = {
++            'nagios_hostname': hostname,
++            'nagios_servicegroup': nagios_servicegroups,
++            'description': self.description,
++            'shortname': self.shortname,
++            'command': self.command,
++        }
++        nrpe_service_text = Check.service_template.format(**templ_vars)
++        nrpe_service_file = self._get_service_filename(hostname)
++        with open(nrpe_service_file, 'w') as nrpe_service_config:
++            nrpe_service_config.write(str(nrpe_service_text))
++
++    def run(self):
++        subprocess.call(self.check_cmd)
++
++
++class NRPE(object):
++    nagios_logdir = '/var/log/nagios'
++    nagios_exportdir = '/var/lib/nagios/export'
++    nrpe_confdir = '/etc/nagios/nrpe.d'
++
++    def __init__(self, hostname=None):
++        super(NRPE, self).__init__()
++        self.config = config()
++        self.nagios_context = self.config['nagios_context']
++        if 'nagios_servicegroups' in self.config and self.config['nagios_servicegroups']:
++            self.nagios_servicegroups = self.config['nagios_servicegroups']
++        else:
++            self.nagios_servicegroups = self.nagios_context
++        self.unit_name = local_unit().replace('/', '-')
++        if hostname:
++            self.hostname = hostname
++        else:
++            nagios_hostname = get_nagios_hostname()
++            if nagios_hostname:
++                self.hostname = nagios_hostname
++            else:
++                self.hostname = "{}-{}".format(self.nagios_context, self.unit_name)
++        self.checks = []
++
++    def add_check(self, *args, **kwargs):
++        self.checks.append(Check(*args, **kwargs))
++
++    def remove_check(self, *args, **kwargs):
++        if kwargs.get('shortname') is None:
++            raise ValueError('shortname of check must be specified')
++
++        # Use sensible defaults if they're not specified - these are not
++        # actually used during removal, but they're required for constructing
++        # the Check object; check_disk is chosen because it's part of the
++        # nagios-plugins-basic package.
++        if kwargs.get('check_cmd') is None:
++            kwargs['check_cmd'] = 'check_disk'
++        if kwargs.get('description') is None:
++            kwargs['description'] = ''
++
++        check = Check(*args, **kwargs)
++        check.remove(self.hostname)
++
++    def write(self):
++        try:
++            nagios_uid = pwd.getpwnam('nagios').pw_uid
++            nagios_gid = grp.getgrnam('nagios').gr_gid
++        except:
++            log("Nagios user not set up, nrpe checks not updated")
++            return
++
++        if not os.path.exists(NRPE.nagios_logdir):
++            os.mkdir(NRPE.nagios_logdir)
++            os.chown(NRPE.nagios_logdir, nagios_uid, nagios_gid)
++
++        nrpe_monitors = {}
++        monitors = {"monitors": {"remote": {"nrpe": nrpe_monitors}}}
++        for nrpecheck in self.checks:
++            nrpecheck.write(self.nagios_context, self.hostname,
++                            self.nagios_servicegroups)
++            nrpe_monitors[nrpecheck.shortname] = {
++                "command": nrpecheck.command,
++            }
++
++        service('restart', 'nagios-nrpe-server')
++
++        monitor_ids = relation_ids("local-monitors") + \
++            relation_ids("nrpe-external-master")
++        for rid in monitor_ids:
++            relation_set(relation_id=rid, monitors=yaml.dump(monitors))
++
++
++def get_nagios_hostcontext(relation_name='nrpe-external-master'):
++    """
++    Query relation with nrpe subordinate, return the nagios_host_context
++
++    :param str relation_name: Name of relation nrpe sub joined to
++    """
++    for rel in relations_of_type(relation_name):
++        if 'nagios_host_context' in rel:
++            return rel['nagios_host_context']
++
++
++def get_nagios_hostname(relation_name='nrpe-external-master'):
++    """
++    Query relation with nrpe subordinate, return the nagios_hostname
++
++    :param str relation_name: Name of relation nrpe sub joined to
++    """
++    for rel in relations_of_type(relation_name):
++        if 'nagios_hostname' in rel:
++            return rel['nagios_hostname']
++
++
++def get_nagios_unit_name(relation_name='nrpe-external-master'):
++    """
++    Return the nagios unit name prepended with host_context if needed
++
++    :param str relation_name: Name of relation nrpe sub joined to
++    """
++    host_context = get_nagios_hostcontext(relation_name)
++    if host_context:
++        unit = "%s:%s" % (host_context, local_unit())
++    else:
++        unit = local_unit()
++    return unit
++
++
++def add_init_service_checks(nrpe, services, unit_name):
++    """
++    Add checks for each service in list
++
++    :param NRPE nrpe: NRPE object to add check to
++    :param list services: List of services to check
++    :param str unit_name: Unit name to use in check description
++    """
++    for svc in services:
++        upstart_init = '/etc/init/%s.conf' % svc
++        sysv_init = '/etc/init.d/%s' % svc
++        if os.path.exists(upstart_init):
++            # Don't add a check for these services from neutron-gateway
++            if svc not in ['ext-port', 'os-charm-phy-nic-mtu']:
++                nrpe.add_check(
++                    shortname=svc,
++                    description='process check {%s}' % unit_name,
++                    check_cmd='check_upstart_job %s' % svc
++                )
++        elif os.path.exists(sysv_init):
++            cronpath = '/etc/cron.d/nagios-service-check-%s' % svc
++            cron_file = ('*/5 * * * * root '
++                         '/usr/local/lib/nagios/plugins/check_exit_status.pl '
++                         '-s /etc/init.d/%s status > '
++                         '/var/lib/nagios/service-check-%s.txt\n' % (svc,
++                                                                     svc)
++                         )
++            f = open(cronpath, 'w')
++            f.write(cron_file)
++            f.close()
++            nrpe.add_check(
++                shortname=svc,
++                description='process check {%s}' % unit_name,
++                check_cmd='check_status_file.py -f '
++                          '/var/lib/nagios/service-check-%s.txt' % svc,
++            )
++
++
++def copy_nrpe_checks():
++    """
++    Copy the nrpe checks into place
++
++    """
++    NAGIOS_PLUGINS = '/usr/local/lib/nagios/plugins'
++    nrpe_files_dir = os.path.join(os.getenv('CHARM_DIR'), 'hooks',
++                                  'charmhelpers', 'contrib', 'openstack',
++                                  'files')
++
++    if not os.path.exists(NAGIOS_PLUGINS):
++        os.makedirs(NAGIOS_PLUGINS)
++    for fname in glob.glob(os.path.join(nrpe_files_dir, "check_*")):
++        if os.path.isfile(fname):
++            shutil.copy2(fname,
++                         os.path.join(NAGIOS_PLUGINS, os.path.basename(fname)))
++
++
++def add_haproxy_checks(nrpe, unit_name):
++    """
++    Add checks for each service in list
++
++    :param NRPE nrpe: NRPE object to add check to
++    :param str unit_name: Unit name to use in check description
++    """
++    nrpe.add_check(
++        shortname='haproxy_servers',
++        description='Check HAProxy {%s}' % unit_name,
++        check_cmd='check_haproxy.sh')
++    nrpe.add_check(
++        shortname='haproxy_queue',
++        description='Check HAProxy queue depth {%s}' % unit_name,
++        check_cmd='check_haproxy_queue_depth.sh')
 === added file 'hooks/charmhelpers/contrib/charmsupport/volumes.py'
 --- hooks/charmhelpers/contrib/charmsupport/volumes.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/charmsupport/volumes.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,175 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++'''
++Functions for managing volumes in juju units. One volume is supported per unit.
++Subordinates may have their own storage, provided it is on its own partition.
++
++Configuration stanzas::
++
++  volume-ephemeral:
++    type: boolean
++    default: true
++    description: >
++      If false, a volume is mounted as sepecified in "volume-map"
++      If true, ephemeral storage will be used, meaning that log data
++         will only exist as long as the machine. YOU HAVE BEEN WARNED.
++  volume-map:
++    type: string
++    default: {}
++    description: >
++      YAML map of units to device names, e.g:
++        "{ rsyslog/0: /dev/vdb, rsyslog/1: /dev/vdb }"
++      Service units will raise a configure-error if volume-ephemeral
++      is 'true' and no volume-map value is set. Use 'juju set' to set a
++      value and 'juju resolved' to complete configuration.
++
++Usage::
++
++    from charmsupport.volumes import configure_volume, VolumeConfigurationError
++    from charmsupport.hookenv import log, ERROR
++    def post_mount_hook():
++        stop_service('myservice')
++    def post_mount_hook():
++        start_service('myservice')
++
++    if __name__ == '__main__':
++        try:
++            configure_volume(before_change=pre_mount_hook,
++                             after_change=post_mount_hook)
++        except VolumeConfigurationError:
++            log('Storage could not be configured', ERROR)
++
++'''
++
++# XXX: Known limitations
++# - fstab is neither consulted nor updated
++
++import os
++from charmhelpers.core import hookenv
++from charmhelpers.core import host
++import yaml
++
++
++MOUNT_BASE = '/srv/juju/volumes'
++
++
++class VolumeConfigurationError(Exception):
++    '''Volume configuration data is missing or invalid'''
++    pass
++
++
++def get_config():
++    '''Gather and sanity-check volume configuration data'''
++    volume_config = {}
++    config = hookenv.config()
++
++    errors = False
++
++    if config.get('volume-ephemeral') in (True, 'True', 'true', 'Yes', 'yes'):
++        volume_config['ephemeral'] = True
++    else:
++        volume_config['ephemeral'] = False
++
++    try:
++        volume_map = yaml.safe_load(config.get('volume-map', '{}'))
++    except yaml.YAMLError as e:
++        hookenv.log("Error parsing YAML volume-map: {}".format(e),
++                    hookenv.ERROR)
++        errors = True
++    if volume_map is None:
++        # probably an empty string
++        volume_map = {}
++    elif not isinstance(volume_map, dict):
++        hookenv.log("Volume-map should be a dictionary, not {}".format(
++            type(volume_map)))
++        errors = True
++
++    volume_config['device'] = volume_map.get(os.environ['JUJU_UNIT_NAME'])
++    if volume_config['device'] and volume_config['ephemeral']:
++        # asked for ephemeral storage but also defined a volume ID
++        hookenv.log('A volume is defined for this unit, but ephemeral '
++                    'storage was requested', hookenv.ERROR)
++        errors = True
++    elif not volume_config['device'] and not volume_config['ephemeral']:
++        # asked for permanent storage but did not define volume ID
++        hookenv.log('Ephemeral storage was requested, but there is no volume '
++                    'defined for this unit.', hookenv.ERROR)
++        errors = True
++
++    unit_mount_name = hookenv.local_unit().replace('/', '-')
++    volume_config['mountpoint'] = os.path.join(MOUNT_BASE, unit_mount_name)
++
++    if errors:
++        return None
++    return volume_config
++
++
++def mount_volume(config):
++    if os.path.exists(config['mountpoint']):
++        if not os.path.isdir(config['mountpoint']):
++            hookenv.log('Not a directory: {}'.format(config['mountpoint']))
++            raise VolumeConfigurationError()
++    else:
++        host.mkdir(config['mountpoint'])
++    if os.path.ismount(config['mountpoint']):
++        unmount_volume(config)
++    if not host.mount(config['device'], config['mountpoint'], persist=True):
++        raise VolumeConfigurationError()
++
++
++def unmount_volume(config):
++    if os.path.ismount(config['mountpoint']):
++        if not host.umount(config['mountpoint'], persist=True):
++            raise VolumeConfigurationError()
++
++
++def managed_mounts():
++    '''List of all mounted managed volumes'''
++    return filter(lambda mount: mount[0].startswith(MOUNT_BASE), host.mounts())
++
++
++def configure_volume(before_change=lambda: None, after_change=lambda: None):
++    '''Set up storage (or don't) according to the charm's volume configuration.
++       Returns the mount point or "ephemeral". before_change and after_change
++       are optional functions to be called if the volume configuration changes.
++    '''
++
++    config = get_config()
++    if not config:
++        hookenv.log('Failed to read volume configuration', hookenv.CRITICAL)
++        raise VolumeConfigurationError()
++
++    if config['ephemeral']:
++        if os.path.ismount(config['mountpoint']):
++            before_change()
++            unmount_volume(config)
++            after_change()
++        return 'ephemeral'
++    else:
++        # persistent storage
++        if os.path.ismount(config['mountpoint']):
++            mounts = dict(managed_mounts())
++            if mounts.get(config['mountpoint']) != config['device']:
++                before_change()
++                unmount_volume(config)
++                mount_volume(config)
++                after_change()
++        else:
++            before_change()
++            mount_volume(config)
++            after_change()
++        return config['mountpoint']
 === added directory 'hooks/charmhelpers/contrib/database'
 === added file 'hooks/charmhelpers/contrib/database/__init__.py'
 === added file 'hooks/charmhelpers/contrib/database/mysql.py'
 --- hooks/charmhelpers/contrib/database/mysql.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/database/mysql.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,412 @@
++"""Helper for working with a MySQL database"""
++import json
++import re
++import sys
++import platform
++import os
++import glob
++
++# from string import upper
++
++from charmhelpers.core.host import (
++    mkdir,
++    pwgen,
++    write_file
++)
++from charmhelpers.core.hookenv import (
++    config as config_get,
++    relation_get,
++    related_units,
++    unit_get,
++    log,
++    DEBUG,
++    INFO,
++    WARNING,
++)
++from charmhelpers.fetch import (
++    apt_install,
++    apt_update,
++    filter_installed_packages,
++)
++from charmhelpers.contrib.peerstorage import (
++    peer_store,
++    peer_retrieve,
++)
++from charmhelpers.contrib.network.ip import get_host_ip
++
++try:
++    import MySQLdb
++except ImportError:
++    apt_update(fatal=True)
++    apt_install(filter_installed_packages(['python-mysqldb']), fatal=True)
++    import MySQLdb
++
++
++class MySQLHelper(object):
++
++    def __init__(self, rpasswdf_template, upasswdf_template, host='localhost',
++                 migrate_passwd_to_peer_relation=True,
++                 delete_ondisk_passwd_file=True):
++        self.host = host
++        # Password file path templates
++        self.root_passwd_file_template = rpasswdf_template
++        self.user_passwd_file_template = upasswdf_template
++
++        self.migrate_passwd_to_peer_relation = migrate_passwd_to_peer_relation
++        # If we migrate we have the option to delete local copy of root passwd
++        self.delete_ondisk_passwd_file = delete_ondisk_passwd_file
++
++    def connect(self, user='root', password=None):
++        log("Opening db connection for %s@%s" % (user, self.host), level=DEBUG)
++        self.connection = MySQLdb.connect(user=user, host=self.host,
++                                          passwd=password)
++
++    def database_exists(self, db_name):
++        cursor = self.connection.cursor()
++        try:
++            cursor.execute("SHOW DATABASES")
++            databases = [i[0] for i in cursor.fetchall()]
++        finally:
++            cursor.close()
++
++        return db_name in databases
++
++    def create_database(self, db_name):
++        cursor = self.connection.cursor()
++        try:
++            cursor.execute("CREATE DATABASE {} CHARACTER SET UTF8"
++                           .format(db_name))
++        finally:
++            cursor.close()
++
++    def grant_exists(self, db_name, db_user, remote_ip):
++        cursor = self.connection.cursor()
++        priv_string = "GRANT ALL PRIVILEGES ON `{}`.* " \
++                      "TO '{}'@'{}'".format(db_name, db_user, remote_ip)
++        try:
++            cursor.execute("SHOW GRANTS for '{}'@'{}'".format(db_user,
++                                                              remote_ip))
++            grants = [i[0] for i in cursor.fetchall()]
++        except MySQLdb.OperationalError:
++            return False
++        finally:
++            cursor.close()
++
++        # TODO: review for different grants
++        return priv_string in grants
++
++    def create_grant(self, db_name, db_user, remote_ip, password):
++        cursor = self.connection.cursor()
++        try:
++            # TODO: review for different grants
++            cursor.execute("GRANT ALL PRIVILEGES ON {}.* TO '{}'@'{}' "
++                           "IDENTIFIED BY '{}'".format(db_name,
++                                                       db_user,
++                                                       remote_ip,
++                                                       password))
++        finally:
++            cursor.close()
++
++    def create_admin_grant(self, db_user, remote_ip, password):
++        cursor = self.connection.cursor()
++        try:
++            cursor.execute("GRANT ALL PRIVILEGES ON *.* TO '{}'@'{}' "
++                           "IDENTIFIED BY '{}'".format(db_user,
++                                                       remote_ip,
++                                                       password))
++        finally:
++            cursor.close()
++
++    def cleanup_grant(self, db_user, remote_ip):
++        cursor = self.connection.cursor()
++        try:
++            cursor.execute("DROP FROM mysql.user WHERE user='{}' "
++                           "AND HOST='{}'".format(db_user,
++                                                  remote_ip))
++        finally:
++            cursor.close()
++
++    def execute(self, sql):
++        """Execute arbitary SQL against the database."""
++        cursor = self.connection.cursor()
++        try:
++            cursor.execute(sql)
++        finally:
++            cursor.close()
++
++    def migrate_passwords_to_peer_relation(self, excludes=None):
++        """Migrate any passwords storage on disk to cluster peer relation."""
++        dirname = os.path.dirname(self.root_passwd_file_template)
++        path = os.path.join(dirname, '*.passwd')
++        for f in glob.glob(path):
++            if excludes and f in excludes:
++                log("Excluding %s from peer migration" % (f), level=DEBUG)
++                continue
++
++            key = os.path.basename(f)
++            with open(f, 'r') as passwd:
++                _value = passwd.read().strip()
++
++            try:
++                peer_store(key, _value)
++
++                if self.delete_ondisk_passwd_file:
++                    os.unlink(f)
++            except ValueError:
++                # NOTE cluster relation not yet ready - skip for now
++                pass
++
++    def get_mysql_password_on_disk(self, username=None, password=None):
++        """Retrieve, generate or store a mysql password for the provided
++        username on disk."""
++        if username:
++            template = self.user_passwd_file_template
++            passwd_file = template.format(username)
++        else:
++            passwd_file = self.root_passwd_file_template
++
++        _password = None
++        if os.path.exists(passwd_file):
++            log("Using existing password file '%s'" % passwd_file, level=DEBUG)
++            with open(passwd_file, 'r') as passwd:
++                _password = passwd.read().strip()
++        else:
++            log("Generating new password file '%s'" % passwd_file, level=DEBUG)
++            if not os.path.isdir(os.path.dirname(passwd_file)):
++                # NOTE: need to ensure this is not mysql root dir (which needs
++                # to be mysql readable)
++                mkdir(os.path.dirname(passwd_file), owner='root', group='root',
++                      perms=0o770)
++                # Force permissions - for some reason the chmod in makedirs
++                # fails
++                os.chmod(os.path.dirname(passwd_file), 0o770)
++
++            _password = password or pwgen(length=32)
++            write_file(passwd_file, _password, owner='root', group='root',
++                       perms=0o660)
++
++        return _password
++
++    def passwd_keys(self, username):
++        """Generator to return keys used to store passwords in peer store.
++
++        NOTE: we support both legacy and new format to support mysql
++        charm prior to refactor. This is necessary to avoid LP 1451890.
++        """
++        keys = []
++        if username == 'mysql':
++            log("Bad username '%s'" % (username), level=WARNING)
++
++        if username:
++            # IMPORTANT: *newer* format must be returned first
++            keys.append('mysql-%s.passwd' % (username))
++            keys.append('%s.passwd' % (username))
++        else:
++            keys.append('mysql.passwd')
++
++        for key in keys:
++            yield key
++
++    def get_mysql_password(self, username=None, password=None):
++        """Retrieve, generate or store a mysql password for the provided
++        username using peer relation cluster."""
++        excludes = []
++
++        # First check peer relation.
++        try:
++            for key in self.passwd_keys(username):
++                _password = peer_retrieve(key)
++                if _password:
++                    break
++
++            # If root password available don't update peer relation from local
++            if _password and not username:
++                excludes.append(self.root_passwd_file_template)
++
++        except ValueError:
++            # cluster relation is not yet started; use on-disk
++            _password = None
++
++        # If none available, generate new one
++        if not _password:
++            _password = self.get_mysql_password_on_disk(username, password)
++
++        # Put on wire if required
++        if self.migrate_passwd_to_peer_relation:
++            self.migrate_passwords_to_peer_relation(excludes=excludes)
++
++        return _password
++
++    def get_mysql_root_password(self, password=None):
++        """Retrieve or generate mysql root password for service units."""
++        return self.get_mysql_password(username=None, password=password)
++
++    def normalize_address(self, hostname):
++        """Ensure that address returned is an IP address (i.e. not fqdn)"""
++        if config_get('prefer-ipv6'):
++            # TODO: add support for ipv6 dns
++            return hostname
++
++        if hostname != unit_get('private-address'):
++            return get_host_ip(hostname, fallback=hostname)
++
++        # Otherwise assume localhost
++        return '127.0.0.1'
++
++    def get_allowed_units(self, database, username, relation_id=None):
++        """Get list of units with access grants for database with username.
++
++        This is typically used to provide shared-db relations with a list of
++        which units have been granted access to the given database.
++        """
++        self.connect(password=self.get_mysql_root_password())
++        allowed_units = set()
++        for unit in related_units(relation_id):
++            settings = relation_get(rid=relation_id, unit=unit)
++            # First check for setting with prefix, then without
++            for attr in ["%s_hostname" % (database), 'hostname']:
++                hosts = settings.get(attr, None)
++                if hosts:
++                    break
++
++            if hosts:
++                # hostname can be json-encoded list of hostnames
++                try:
++                    hosts = json.loads(hosts)
++                except ValueError:
++                    hosts = [hosts]
++            else:
++                hosts = [settings['private-address']]
++
++            if hosts:
++                for host in hosts:
++                    host = self.normalize_address(host)
++                    if self.grant_exists(database, username, host):
++                        log("Grant exists for host '%s' on db '%s'" %
++                            (host, database), level=DEBUG)
++                        if unit not in allowed_units:
++                            allowed_units.add(unit)
++                    else:
++                        log("Grant does NOT exist for host '%s' on db '%s'" %
++                            (host, database), level=DEBUG)
++            else:
++                log("No hosts found for grant check", level=INFO)
++
++        return allowed_units
++
++    def configure_db(self, hostname, database, username, admin=False):
++        """Configure access to database for username from hostname."""
++        self.connect(password=self.get_mysql_root_password())
++        if not self.database_exists(database):
++            self.create_database(database)
++
++        remote_ip = self.normalize_address(hostname)
++        password = self.get_mysql_password(username)
++        if not self.grant_exists(database, username, remote_ip):
++            if not admin:
++                self.create_grant(database, username, remote_ip, password)
++            else:
++                self.create_admin_grant(username, remote_ip, password)
++
++        return password
++
++
++class PerconaClusterHelper(object):
++
++    # Going for the biggest page size to avoid wasted bytes.
++    # InnoDB page size is 16MB
++
++    DEFAULT_PAGE_SIZE = 16 * 1024 * 1024
++    DEFAULT_INNODB_BUFFER_FACTOR = 0.50
++
++    def human_to_bytes(self, human):
++        """Convert human readable configuration options to bytes."""
++        num_re = re.compile('^[0-9]+$')
++        if num_re.match(human):
++            return human
++
++        factors = {
++            'K': 1024,
++            'M': 1048576,
++            'G': 1073741824,
++            'T': 1099511627776
++        }
++        modifier = human[-1]
++        if modifier in factors:
++            return int(human[:-1]) * factors[modifier]
++
++        if modifier == '%':
++            total_ram = self.human_to_bytes(self.get_mem_total())
++            if self.is_32bit_system() and total_ram > self.sys_mem_limit():
++                total_ram = self.sys_mem_limit()
++            factor = int(human[:-1]) * 0.01
++            pctram = total_ram * factor
++            return int(pctram - (pctram % self.DEFAULT_PAGE_SIZE))
++
++        raise ValueError("Can only convert K,M,G, or T")
++
++    def is_32bit_system(self):
++        """Determine whether system is 32 or 64 bit."""
++        try:
++            return sys.maxsize < 2 ** 32
++        except OverflowError:
++            return False
++
++    def sys_mem_limit(self):
++        """Determine the default memory limit for the current service unit."""
++        if platform.machine() in ['armv7l']:
++            _mem_limit = self.human_to_bytes('2700M')  # experimentally determined
++        else:
++            # Limit for x86 based 32bit systems
++            _mem_limit = self.human_to_bytes('4G')
++
++        return _mem_limit
++
++    def get_mem_total(self):
++        """Calculate the total memory in the current service unit."""
++        with open('/proc/meminfo') as meminfo_file:
++            for line in meminfo_file:
++                key, mem = line.split(':', 2)
++                if key == 'MemTotal':
++                    mtot, modifier = mem.strip().split(' ')
++                    return '%s%s' % (mtot, modifier[0].upper())
++
++    def parse_config(self):
++        """Parse charm configuration and calculate values for config files."""
++        config = config_get()
++        mysql_config = {}
++        if 'max-connections' in config:
++            mysql_config['max_connections'] = config['max-connections']
++
++        if 'wait-timeout' in config:
++            mysql_config['wait_timeout'] = config['wait-timeout']
++
++        if 'innodb-flush-log-at-trx-commit' in config:
++            mysql_config['innodb_flush_log_at_trx_commit'] = config['innodb-flush-log-at-trx-commit']
++
++        # Set a sane default key_buffer size
++        mysql_config['key_buffer'] = self.human_to_bytes('32M')
++        total_memory = self.human_to_bytes(self.get_mem_total())
++
++        dataset_bytes = config.get('dataset-size', None)
++        innodb_buffer_pool_size = config.get('innodb-buffer-pool-size', None)
++
++        if innodb_buffer_pool_size:
++            innodb_buffer_pool_size = self.human_to_bytes(
++                innodb_buffer_pool_size)
++        elif dataset_bytes:
++            log("Option 'dataset-size' has been deprecated, please use"
++                "innodb_buffer_pool_size option instead", level="WARN")
++            innodb_buffer_pool_size = self.human_to_bytes(
++                dataset_bytes)
++        else:
++            innodb_buffer_pool_size = int(
++                total_memory * self.DEFAULT_INNODB_BUFFER_FACTOR)
++
++        if innodb_buffer_pool_size > total_memory:
++            log("innodb_buffer_pool_size; {} is greater than system available memory:{}".format(
++                innodb_buffer_pool_size,
++                total_memory), level='WARN')
++
++        mysql_config['innodb_buffer_pool_size'] = innodb_buffer_pool_size
++        return mysql_config
 === added directory 'hooks/charmhelpers/contrib/hahelpers'
 === added file 'hooks/charmhelpers/contrib/hahelpers/__init__.py'
 --- hooks/charmhelpers/contrib/hahelpers/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,15 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added file 'hooks/charmhelpers/contrib/hahelpers/apache.py'
 --- hooks/charmhelpers/contrib/hahelpers/apache.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/apache.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,82 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++#  James Page <james.page@ubuntu.com>
++#  Adam Gandelman <adamg@ubuntu.com>
++#
++
++import subprocess
++
++from charmhelpers.core.hookenv import (
++    config as config_get,
++    relation_get,
++    relation_ids,
++    related_units as relation_list,
++    log,
++    INFO,
++)
++
++
++def get_cert(cn=None):
++    # TODO: deal with multiple https endpoints via charm config
++    cert = config_get('ssl_cert')
++    key = config_get('ssl_key')
++    if not (cert and key):
++        log("Inspecting identity-service relations for SSL certificate.",
++            level=INFO)
++        cert = key = None
++        if cn:
++            ssl_cert_attr = 'ssl_cert_{}'.format(cn)
++            ssl_key_attr = 'ssl_key_{}'.format(cn)
++        else:
++            ssl_cert_attr = 'ssl_cert'
++            ssl_key_attr = 'ssl_key'
++        for r_id in relation_ids('identity-service'):
++            for unit in relation_list(r_id):
++                if not cert:
++                    cert = relation_get(ssl_cert_attr,
++                                        rid=r_id, unit=unit)
++                if not key:
++                    key = relation_get(ssl_key_attr,
++                                       rid=r_id, unit=unit)
++    return (cert, key)
++
++
++def get_ca_cert():
++    ca_cert = config_get('ssl_ca')
++    if ca_cert is None:
++        log("Inspecting identity-service relations for CA SSL certificate.",
++            level=INFO)
++        for r_id in relation_ids('identity-service'):
++            for unit in relation_list(r_id):
++                if ca_cert is None:
++                    ca_cert = relation_get('ca_cert',
++                                           rid=r_id, unit=unit)
++    return ca_cert
++
++
++def install_ca_cert(ca_cert):
++    if ca_cert:
++        with open('/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
++                  'w') as crt:
++            crt.write(ca_cert)
++        subprocess.check_call(['update-ca-certificates', '--fresh'])
 === added file 'hooks/charmhelpers/contrib/hahelpers/cluster.py'
 --- hooks/charmhelpers/contrib/hahelpers/cluster.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hahelpers/cluster.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,316 @@
++# Copyright 2014-2015 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++#
++# Copyright 2012 Canonical Ltd.
++#
++# Authors:
++#  James Page <james.page@ubuntu.com>
++#  Adam Gandelman <adamg@ubuntu.com>
++#
++
++"""
++Helpers for clustering and determining "cluster leadership" and other
++clustering-related helpers.
++"""
++
++import subprocess
++import os
++
++from socket import gethostname as get_unit_hostname
++
++import six
++
++from charmhelpers.core.hookenv import (
++    log,
++    relation_ids,
++    related_units as relation_list,
++    relation_get,
++    config as config_get,
++    INFO,
++    ERROR,
++    WARNING,
++    unit_get,
++    is_leader as juju_is_leader
++)
++from charmhelpers.core.decorators import (
++    retry_on_exception,
++)
++from charmhelpers.core.strutils import (
++    bool_from_string,
++)
++
++DC_RESOURCE_NAME = 'DC'
++
++
++class HAIncompleteConfig(Exception):
++    pass
++
++
++class CRMResourceNotFound(Exception):
++    pass
++
++
++class CRMDCNotFound(Exception):
++    pass
++
++
++def is_elected_leader(resource):
++    """
++    Returns True if the charm executing this is the elected cluster leader.
++
++    It relies on two mechanisms to determine leadership:
++        1. If juju is sufficiently new and leadership election is supported,
++        the is_leader command will be used.
++        2. If the charm is part of a corosync cluster, call corosync to
++        determine leadership.
++        3. If the charm is not part of a corosync cluster, the leader is
++        determined as being "the alive unit with the lowest unit numer". In
++        other words, the oldest surviving unit.
++    """
++    try:
++        return juju_is_leader()
++    except NotImplementedError:
++        log('Juju leadership election feature not enabled'
++            ', using fallback support',
++            level=WARNING)
++
++    if is_clustered():
++        if not is_crm_leader(resource):
++            log('Deferring action to CRM leader.', level=INFO)
++            return False
++    else:
++        peers = peer_units()
++        if peers and not oldest_peer(peers):
++            log('Deferring action to oldest service unit.', level=INFO)
++            return False
++    return True
++
++
++def is_clustered():
++    for r_id in (relation_ids('ha') or []):
++        for unit in (relation_list(r_id) or []):
++            clustered = relation_get('clustered',
++                                     rid=r_id,
++                                     unit=unit)
++            if clustered:
++                return True
++    return False
++
++
++def is_crm_dc():
++    """
++    Determine leadership by querying the pacemaker Designated Controller
++    """
++    cmd = ['crm', 'status']
++    try:
++        status = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        if not isinstance(status, six.text_type):
++            status = six.text_type(status, "utf-8")
++    except subprocess.CalledProcessError as ex:
++        raise CRMDCNotFound(str(ex))
++
++    current_dc = ''
++    for line in status.split('\n'):
++        if line.startswith('Current DC'):
++            # Current DC: juju-lytrusty-machine-2 (168108163) - partition with quorum
++            current_dc = line.split(':')[1].split()[0]
++    if current_dc == get_unit_hostname():
++        return True
++    elif current_dc == 'NONE':
++        raise CRMDCNotFound('Current DC: NONE')
++
++    return False
++
++
++@retry_on_exception(5, base_delay=2,
++                    exc_type=(CRMResourceNotFound, CRMDCNotFound))
++def is_crm_leader(resource, retry=False):
++    """
++    Returns True if the charm calling this is the elected corosync leader,
++    as returned by calling the external "crm" command.
++
++    We allow this operation to be retried to avoid the possibility of getting a
++    false negative. See LP #1396246 for more info.
++    """
++    if resource == DC_RESOURCE_NAME:
++        return is_crm_dc()
++    cmd = ['crm', 'resource', 'show', resource]
++    try:
++        status = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
++        if not isinstance(status, six.text_type):
++            status = six.text_type(status, "utf-8")
++    except subprocess.CalledProcessError:
++        status = None
++
++    if status and get_unit_hostname() in status:
++        return True
++
++    if status and "resource %s is NOT running" % (resource) in status:
++        raise CRMResourceNotFound("CRM resource %s not found" % (resource))
++
++    return False
++
++
++def is_leader(resource):
++    log("is_leader is deprecated. Please consider using is_crm_leader "
++        "instead.", level=WARNING)
++    return is_crm_leader(resource)
++
++
++def peer_units(peer_relation="cluster"):
++    peers = []
++    for r_id in (relation_ids(peer_relation) or []):
++        for unit in (relation_list(r_id) or []):
++            peers.append(unit)
++    return peers
++
++
++def peer_ips(peer_relation='cluster', addr_key='private-address'):
++    '''Return a dict of peers and their private-address'''
++    peers = {}
++    for r_id in relation_ids(peer_relation):
++        for unit in relation_list(r_id):
++            peers[unit] = relation_get(addr_key, rid=r_id, unit=unit)
++    return peers
++
++
++def oldest_peer(peers):
++    """Determines who the oldest peer is by comparing unit numbers."""
++    local_unit_no = int(os.getenv('JUJU_UNIT_NAME').split('/')[1])
++    for peer in peers:
++        remote_unit_no = int(peer.split('/')[1])
++        if remote_unit_no < local_unit_no:
++            return False
++    return True
++
++
++def eligible_leader(resource):
++    log("eligible_leader is deprecated. Please consider using "
++        "is_elected_leader instead.", level=WARNING)
++    return is_elected_leader(resource)
++
++
++def https():
++    '''
++    Determines whether enough data has been provided in configuration
++    or relation data to configure HTTPS
++    .
++    returns: boolean
++    '''
++    use_https = config_get('use-https')
++    if use_https and bool_from_string(use_https):
++        return True
++    if config_get('ssl_cert') and config_get('ssl_key'):
++        return True
++    for r_id in relation_ids('identity-service'):
++        for unit in relation_list(r_id):
++            # TODO - needs fixing for new helper as ssl_cert/key suffixes with CN
++            rel_state = [
++                relation_get('https_keystone', rid=r_id, unit=unit),
++                relation_get('ca_cert', rid=r_id, unit=unit),
++            ]
++            # NOTE: works around (LP: #1203241)
++            if (None not in rel_state) and ('' not in rel_state):
++                return True
++    return False
++
++
++def determine_api_port(public_port, singlenode_mode=False):
++    '''
++    Determine correct API server listening port based on
++    existence of HTTPS reverse proxy and/or haproxy.
++
++    public_port: int: standard public port for given service
++
++    singlenode_mode: boolean: Shuffle ports when only a single unit is present
++
++    returns: int: the correct listening port for the API service
++    '''
++    i = 0
++    if singlenode_mode:
++        i += 1
++    elif len(peer_units()) > 0 or is_clustered():
++        i += 1
++    if https():
++        i += 1
++    return public_port - (i * 10)
++
++
++def determine_apache_port(public_port, singlenode_mode=False):
++    '''
++    Description: Determine correct apache listening port based on public IP +
++    state of the cluster.
++
++    public_port: int: standard public port for given service
++
++    singlenode_mode: boolean: Shuffle ports when only a single unit is present
++
++    returns: int: the correct listening port for the HAProxy service
++    '''
++    i = 0
++    if singlenode_mode:
++        i += 1
++    elif len(peer_units()) > 0 or is_clustered():
++        i += 1
++    return public_port - (i * 10)
++
++
++def get_hacluster_config(exclude_keys=None):
++    '''
++    Obtains all relevant configuration from charm configuration required
++    for initiating a relation to hacluster:
++
++        ha-bindiface, ha-mcastport, vip
++
++    param: exclude_keys: list of setting key(s) to be excluded.
++    returns: dict: A dict containing settings keyed by setting name.
++    raises: HAIncompleteConfig if settings are missing.
++    '''
++    settings = ['ha-bindiface', 'ha-mcastport', 'vip']
++    conf = {}
++    for setting in settings:
++        if exclude_keys and setting in exclude_keys:
++            continue
++
++        conf[setting] = config_get(setting)
++    missing = []
++    [missing.append(s) for s, v in six.iteritems(conf) if v is None]
++    if missing:
++        log('Insufficient config data to configure hacluster.', level=ERROR)
++        raise HAIncompleteConfig
++    return conf
++
++
++def canonical_url(configs, vip_setting='vip'):
++    '''
++    Returns the correct HTTP URL to this host given the state of HTTPS
++    configuration and hacluster.
++
++    :configs    : OSTemplateRenderer: A config tempating object to inspect for
++                                      a complete https context.
++
++    :vip_setting:                str: Setting in charm config that specifies
++                                      VIP address.
++    '''
++    scheme = 'http'
++    if 'https' in configs.complete_contexts():
++        scheme = 'https'
++    if is_clustered():
++        addr = config_get(vip_setting)
++    else:
++        addr = unit_get('private-address')
++    return '%s://%s' % (scheme, addr)
 === added directory 'hooks/charmhelpers/contrib/hardening'
 === added file 'hooks/charmhelpers/contrib/hardening/README.hardening.md'
 --- hooks/charmhelpers/contrib/hardening/README.hardening.md	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/README.hardening.md	2016-03-21 06:13:21 +0000
@@ -0,0 +1,38 @@
++# Juju charm-helpers hardening library
++
++## Description
++
++This library provides multiple implementations of system and application
++hardening that conform to the standards of http://hardening.io/.
++
++Current implementations include:
++
++ * OS
++ * SSH
++ * MySQL
++ * Apache
++
++## Requirements
++
++* Juju Charms
++
++## Usage
++
++1. Synchronise this library into your charm and add the harden() decorator
++   (from contrib.hardening.harden) to any functions or methods you want to use
++   to trigger hardening of your application/system.
++
++2. Add a config option called 'harden' to your charm config.yaml and set it to
++   a space-delimited list of hardening modules you want to run e.g. "os ssh"
++
++3. Override any config defaults (contrib.hardening.defaults) by adding a file
++   called hardening.yaml to your charm root containing the name(s) of the
++   modules whose settings you want override at root level and then any settings
++   with overrides e.g.
++
++   os:
++       general:
++            desktop_enable: True
++
++4. Now just run your charm as usual and hardening will be applied each time the
++   hook runs.
 === added file 'hooks/charmhelpers/contrib/hardening/__init__.py'
 --- hooks/charmhelpers/contrib/hardening/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,15 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
 === added directory 'hooks/charmhelpers/contrib/hardening/apache'
 === added file 'hooks/charmhelpers/contrib/hardening/apache/__init__.py'
 --- hooks/charmhelpers/contrib/hardening/apache/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/apache/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,19 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from os import path
++
++TEMPLATES_DIR = path.join(path.dirname(__file__), 'templates')
 === added directory 'hooks/charmhelpers/contrib/hardening/apache/checks'
 === added file 'hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py'
 --- hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/apache/checks/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,31 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from charmhelpers.core.hookenv import (
++    log,
++    DEBUG,
++)
++from charmhelpers.contrib.hardening.apache.checks import config
++
++
++def run_apache_checks():
++    log("Starting Apache hardening checks.", level=DEBUG)
++    checks = config.get_audits()
++    for check in checks:
++        log("Running '%s' check" % (check.__class__.__name__), level=DEBUG)
++        check.ensure_compliance()
++
++    log("Apache hardening checks complete.", level=DEBUG)
 === added file 'hooks/charmhelpers/contrib/hardening/apache/checks/config.py'
 --- hooks/charmhelpers/contrib/hardening/apache/checks/config.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/apache/checks/config.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,98 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import os
++import re
++import subprocess
++
++
++from charmhelpers.core.hookenv import log
++from charmhelpers.core.hookenv import INFO
++
++from charmhelpers.contrib.hardening.audits.file import FilePermissionAudit
++from charmhelpers.contrib.hardening.audits.file import DirectoryPermissionAudit
++from charmhelpers.contrib.hardening.audits.file import NoReadWriteForOther
++from charmhelpers.contrib.hardening.audits.file import TemplatedFile
++from charmhelpers.contrib.hardening.audits.apache import DisabledModuleAudit
++
++from charmhelpers.contrib.hardening.apache import TEMPLATES_DIR
++from charmhelpers.contrib.hardening import utils
++
++
++def get_audits():
++    """Get Apache hardening config audits.
++
++    :returns:  dictionary of audits
++    """
++    if subprocess.call(['which', 'apache2'], stdout=subprocess.PIPE) != 0:
++        log("Apache server does not appear to be installed on this node - "
++            "skipping apache hardening", level=INFO)
++        return []
++
++    context = ApacheConfContext()
++    settings = utils.get_settings('apache')
++    audits = [
++        FilePermissionAudit(paths='/etc/apache2/apache2.conf', user='root',
++                            group='root', mode=0o0640),
++
++        TemplatedFile(os.path.join(settings['common']['apache_dir'],
++                                   'mods-available/alias.conf'),
++                      context,
++                      TEMPLATES_DIR,
++                      mode=0o0755,
++                      user='root',
++                      service_actions=[{'service': 'apache2',
++                                        'actions': ['restart']}]),
++
++        TemplatedFile(os.path.join(settings['common']['apache_dir'],
++                                   'conf-enabled/hardening.conf'),
++                      context,
++                      TEMPLATES_DIR,
++                      mode=0o0640,
++                      user='root',
++                      service_actions=[{'service': 'apache2',
++                                        'actions': ['restart']}]),
++
++        DirectoryPermissionAudit(settings['common']['apache_dir'],
++                                 user='root',
++                                 group='root',
++                                 mode=0o640),
++
++        DisabledModuleAudit(settings['hardening']['modules_to_disable']),
++
++        NoReadWriteForOther(settings['common']['apache_dir']),
++    ]
++
++    return audits
++
++
++class ApacheConfContext(object):
++    """Defines the set of key/value pairs to set in a apache config file.
++
++    This context, when called, will return a dictionary containing the
++    key/value pairs of setting to specify in the
++    /etc/apache/conf-enabled/hardening.conf file.
++    """
++    def __call__(self):
++        settings = utils.get_settings('apache')
++        ctxt = settings['hardening']
++
++        out = subprocess.check_output(['apache2', '-v'])
++        ctxt['apache_version'] = re.search(r'.+version: Apache/(.+?)\s.+',
++                                           out).group(1)
++        ctxt['apache_icondir'] = '/usr/share/apache2/icons/'
++        ctxt['traceenable'] = settings['hardening']['traceenable']
++        return ctxt
 === added directory 'hooks/charmhelpers/contrib/hardening/apache/templates'
 === added file 'hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf'
 --- hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/apache/templates/alias.conf	2016-03-21 06:13:21 +0000
@@ -0,0 +1,31 @@
++###############################################################################
++# WARNING: This configuration file is maintained by Juju. Local changes may
++#          be overwritten.
++###############################################################################
++<IfModule alias_module>
++  #
++  # Aliases: Add here as many aliases as you need (with no limit). The format is
++  # Alias fakename realname
++  #
++  # Note that if you include a trailing / on fakename then the server will
++  # require it to be present in the URL.  So "/icons" isn't aliased in this
++  # example, only "/icons/".  If the fakename is slash-terminated, then the
++  # realname must also be slash terminated, and if the fakename omits the
++  # trailing slash, the realname must also omit it.
++  #
++  # We include the /icons/ alias for FancyIndexed directory listings.  If
++  # you do not use FancyIndexing, you may comment this out.
++  #
++  Alias /icons/ "{{ apache_icondir }}/"
++
++  <Directory "{{ apache_icondir }}">
++    Options -Indexes -MultiViews -FollowSymLinks
++    AllowOverride None
++{% if apache_version == '2.4' -%}
++    Require all granted
++{% else -%}
++    Order allow,deny
++    Allow from all
++{% endif %}
++  </Directory>
++</IfModule>
 === added file 'hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf'
 --- hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/apache/templates/hardening.conf	2016-03-21 06:13:21 +0000
@@ -0,0 +1,18 @@
++###############################################################################
++# WARNING: This configuration file is maintained by Juju. Local changes may
++#          be overwritten.
++###############################################################################
++
++<Location / >
++  <LimitExcept {{ allowed_http_methods }} >
++    # http://httpd.apache.org/docs/2.4/upgrading.html
++    {% if apache_version > '2.2' -%}
++    Require all granted
++    {% else -%}
++    Order Allow,Deny
++    Deny from all
++    {% endif %}
++  </LimitExcept>
++</Location>
++
++TraceEnable {{ traceenable }}
 === added directory 'hooks/charmhelpers/contrib/hardening/audits'
 === added file 'hooks/charmhelpers/contrib/hardening/audits/__init__.py'
 --- hooks/charmhelpers/contrib/hardening/audits/__init__.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/audits/__init__.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,63 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++
++class BaseAudit(object):  # NO-QA
++    """Base class for hardening checks.
++
++    The lifecycle of a hardening check is to first check to see if the system
++    is in compliance for the specified check. If it is not in compliance, the
++    check method will return a value which will be supplied to the.
++    """
++    def __init__(self, *args, **kwargs):
++        self.unless = kwargs.get('unless', None)
++        super(BaseAudit, self).__init__()
++
++    def ensure_compliance(self):
++        """Checks to see if the current hardening check is in compliance or
++        not.
++
++        If the check that is performed is not in compliance, then an exception
++        should be raised.
++        """
++        pass
++
++    def _take_action(self):
++        """Determines whether to perform the action or not.
++
++        Checks whether or not an action should be taken. This is determined by
++        the truthy value for the unless parameter. If unless is a callback
++        method, it will be invoked with no parameters in order to determine
++        whether or not the action should be taken. Otherwise, the truthy value
++        of the unless attribute will determine if the action should be
++        performed.
++        """
++        # Do the action if there isn't an unless override.
++        if self.unless is None:
++            return True
++
++        # Invoke the callback if there is one.
++        if hasattr(self.unless, '__call__'):
++            results = self.unless()
++            if results:
++                return False
++            else:
++                return True
++
++        if self.unless:
++            return False
++        else:
++            return True
 === added file 'hooks/charmhelpers/contrib/hardening/audits/apache.py'
 --- hooks/charmhelpers/contrib/hardening/audits/apache.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/audits/apache.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,97 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import re
++import subprocess
++
++from six import string_types
++
++from charmhelpers.core.hookenv import log
++from charmhelpers.core.hookenv import INFO
++from charmhelpers.core.hookenv import ERROR
++
++from charmhelpers.contrib.hardening.audits import BaseAudit
++
++
++class DisabledModuleAudit(BaseAudit):
++    """Audits Apache2 modules.
++
++    Determines if the apache2 modules are enabled. If the modules are enabled
++    then they are removed in the ensure_compliance.
++    """
++    def __init__(self, modules):
++        if modules is None:
++            self.modules = []
++        elif isinstance(modules, string_types):
++            self.modules = [modules]
++        else:
++            self.modules = modules
++
++    def ensure_compliance(self):
++        """Ensures that the modules are not loaded."""
++        if not self.modules:
++            return
++
++        try:
++            loaded_modules = self._get_loaded_modules()
++            non_compliant_modules = []
++            for module in self.modules:
++                if module in loaded_modules:
++                    log('Module %s is enabled and should not be.', level=INFO)
++                    non_compliant_modules.append(module)
++
++            if len(non_compliant_modules) == 0:
++                return
++
++            for module in non_compliant_modules:
++                self._disable_module(module)
++            self._restart_apache()
++        except subprocess.CalledProcessError as e:
++            log('Error occurred auditing apache module compliance. '
++                'This may have been already reported. '
++                'Output is: %s' % e.output, level=ERROR)
++
++    @staticmethod
++    def _get_loaded_modules():
++        """Returns the modules which are enabled in Apache."""
++        output = subprocess.check_output(['apache2ctl', '-M'])
++        modules = []
++        for line in output.strip().split():
++            # Each line of the enabled module output looks like:
++            #  module_name (static|shared)
++            # Plus a header line at the top of the output which is stripped
++            # out by the regex.
++            matcher = re.search(r'^ (\S*)', line)
++            if matcher:
++                modules.append(matcher.group(1))
++        return modules
++
++    @staticmethod
++    def _disable_module(module):
++        """Disables the specified module in Apache."""
++        try:
++            subprocess.check_call(['a2dismod', module])
++        except subprocess.CalledProcessError as e:
++            # Note: catch error here to allow the attempt of disabling
++            # multiple modules in one go rather than failing after the
++            # first module fails.
++            log('Error occurred disabling module %s. '
++                'Output is: %s' % (module, e.output), level=ERROR)
++
++    @staticmethod
++    def _restart_apache():
++        """Restarts the apache process"""
++        subprocess.check_output(['service', 'apache2', 'restart'])
 === added file 'hooks/charmhelpers/contrib/hardening/audits/apt.py'
 --- hooks/charmhelpers/contrib/hardening/audits/apt.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/audits/apt.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,105 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++from __future__ import absolute_import  # required for external apt import
++from apt import apt_pkg
++from six import string_types
++
++from charmhelpers.fetch import (
++    apt_cache,
++    apt_purge
++)
++from charmhelpers.core.hookenv import (
++    log,
++    DEBUG,
++    WARNING,
++)
++from charmhelpers.contrib.hardening.audits import BaseAudit
++
++
++class AptConfig(BaseAudit):
++
++    def __init__(self, config, **kwargs):
++        self.config = config
++
++    def verify_config(self):
++        apt_pkg.init()
++        for cfg in self.config:
++            value = apt_pkg.config.get(cfg['key'], cfg.get('default', ''))
++            if value and value != cfg['expected']:
++                log("APT config '%s' has unexpected value '%s' "
++                    "(expected='%s')" %
++                    (cfg['key'], value, cfg['expected']), level=WARNING)
++
++    def ensure_compliance(self):
++        self.verify_config()
++
++
++class RestrictedPackages(BaseAudit):
++    """Class used to audit restricted packages on the system."""
++
++    def __init__(self, pkgs, **kwargs):
++        super(RestrictedPackages, self).__init__(**kwargs)
++        if isinstance(pkgs, string_types) or not hasattr(pkgs, '__iter__'):
++            self.pkgs = [pkgs]
++        else:
++            self.pkgs = pkgs
++
++    def ensure_compliance(self):
++        cache = apt_cache()
++
++        for p in self.pkgs:
++            if p not in cache:
++                continue
++
++            pkg = cache[p]
++            if not self.is_virtual_package(pkg):
++                if not pkg.current_ver:
++                    log("Package '%s' is not installed." % pkg.name,
++                        level=DEBUG)
++                    continue
++                else:
++                    log("Restricted package '%s' is installed" % pkg.name,
++                        level=WARNING)
++                    self.delete_package(cache, pkg)
++            else:
++                log("Checking restricted virtual package '%s' provides" %
++                    pkg.name, level=DEBUG)
++                self.delete_package(cache, pkg)
++
++    def delete_package(self, cache, pkg):
++        """Deletes the package from the system.
++
++        Deletes the package form the system, properly handling virtual
++        packages.
++
++        :param cache: the apt cache
++        :param pkg: the package to remove
++        """
++        if self.is_virtual_package(pkg):
++            log("Package '%s' appears to be virtual - purging provides" %
++                pkg.name, level=DEBUG)
++            for _p in pkg.provides_list:
++                self.delete_package(cache, _p[2].parent_pkg)
++        elif not pkg.current_ver:
++            log("Package '%s' not installed" % pkg.name, level=DEBUG)
++            return
++        else:
++            log("Purging package '%s'" % pkg.name, level=DEBUG)
++            apt_purge(pkg.name)
++
++    def is_virtual_package(self, pkg):
++        return pkg.has_provides and not pkg.has_versions
 === added file 'hooks/charmhelpers/contrib/hardening/audits/file.py'
 --- hooks/charmhelpers/contrib/hardening/audits/file.py	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/audits/file.py	2016-03-21 06:13:21 +0000
@@ -0,0 +1,551 @@
++# Copyright 2016 Canonical Limited.
++#
++# This file is part of charm-helpers.
++#
++# charm-helpers is free software: you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License version 3 as
++# published by the Free Software Foundation.
++#
++# charm-helpers is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++# along with charm-helpers.  If not, see <http://www.gnu.org/licenses/>.
++
++import grp
++import os
++import pwd
++import re
++
++from subprocess import (
++    CalledProcessError,
++    check_output,
++    check_call,
++)
++from traceback import format_exc
++from six import string_types
++from stat import (
++    S_ISGID,
++    S_ISUID
++)
++
++from charmhelpers.core.hookenv import (
++    log,
++    DEBUG,
++    INFO,
++    WARNING,
++    ERROR,
++)
++from charmhelpers.core import unitdata
++from charmhelpers.core.host import file_hash
++from charmhelpers.contrib.hardening.audits import BaseAudit
++from charmhelpers.contrib.hardening.templating import (
++    get_template_path,
++    render_and_write,
++)
++from charmhelpers.contrib.hardening import utils
++
++
++class BaseFileAudit(BaseAudit):
++    """Base class for file audits.
++
++    Provides api stubs for compliance check flow that must be used by any class
++    that implemented this one.
++    """
++
++    def __init__(self, paths, always_comply=False, *args, **kwargs):
++        """
++        :param paths: string path of list of paths of files we want to apply
++                      compliance checks are criteria to.
++        :param always_comply: if true compliance criteria is always applied
++                              else compliance is skipped for non-existent
++                              paths.
++        """
++        super(BaseFileAudit, self).__init__(*args, **kwargs)
++        self.always_comply = always_comply
++        if isinstance(paths, string_types) or not hasattr(paths, '__iter__'):
++            self.paths = [paths]
++        else:
++            self.paths = paths
++
++    def ensure_compliance(self):
++        """Ensure that the all registered files comply to registered criteria.
++        """
++        for p in self.paths:
++            if os.path.exists(p):
++                if self.is_compliant(p):
++                    continue
++
++                log('File %s is not in compliance.' % p, level=INFO)
++            else:
++                if not self.always_comply:
++                    log("Non-existent path '%s' - skipping compliance check"
++                        % (p), level=INFO)
++                    continue
++
++            if self._take_action():
++                log("Applying compliance criteria to '%s'" % (p), level=INFO)
++                self.comply(p)
++
++    def is_compliant(self, path):
++        """Audits the path to see if it is compliance.
++
++        :param path: the path to the file that should be checked.
++        """
++        raise NotImplementedError
++
++    def comply(self, path):
++        """Enforces the compliance of a path.
++
++        :param path: the path to the file that should be enforced.
++        """
++        raise NotImplementedError
++
++    @classmethod
++    def _get_stat(cls, path):
++        """Returns the Posix st_stat information for the specified file path.
++
++        :param path: the path to get the st_stat information for.
++        :returns: an st_stat object for the path or None if the path doesn't
++                  exist.
++        """
++        return os.stat(path)
++
++
++class FilePermissionAudit(BaseFileAudit):
++    """Implements an audit for file permissions and ownership for a user.
++
++    This class implements functionality that ensures that a specific user/group
++    will own the file(s) specified and that the permissions specified are
++    applied properly to the file.
++    """
++    def __init__(self, paths, user, group=None, mode=0o600, **kwargs):
++        self.user = user
++        self.group = group
++        self.mode = mode
++        super(FilePermissionAudit, self).__init__(paths, user, group, mode,
++                                                  **kwargs)
++
++    @property
++    def user(self):
++        return self._user
++
++    @user.setter
++    def user(self, name):
++        try:
++            user = pwd.getpwnam(name)
++        except KeyError:
++            log('Unknown user %s' % name, level=ERROR)
++            user = None
++        self._user = user
++
++    @property
++    def group(self):
++        return self._group
++
++    @group.setter
++    def group(self, name):
++        try:
++            group = None
++            if name:
++                group = grp.getgrnam(name)
++            else:
++                group = grp.getgrgid(self.user.pw_gid)
++        except KeyError:
++            log('Unknown group %s' % name, level=ERROR)
++        self._group = group
++
++    def is_compliant(self, path):
++        """Checks if the path is in compliance.
++
++        Used to determine if the path specified meets the necessary
++        requirements to be in compliance with the check itself.
++
++        :param path: the file path to check
++        :returns: True if the path is compliant, False otherwise.
++        """
++        stat = self._get_stat(path)
++        user = self.user
++        group = self.group
++
++        compliant = True
++        if stat.st_uid != user.pw_uid or stat.st_gid != group.gr_gid:
++            log('File %s is not owned by %s:%s.' % (path, user.pw_name,
++                                                    group.gr_name),
++                level=INFO)
++            compliant = False
++
++        # POSIX refers to the st_mode bits as corresponding to both the
++        # file type and file permission bits, where the least significant 12
++        # bits (o7777) are the suid (11), sgid (10), sticky bits (9), and the
++        # file permission bits (8-0)
++        perms = stat.st_mode & 0o7777
++        if perms != self.mode:
++            log('File %s has incorrect permissions, currently set to %s' %
++                (path, oct(stat.st_mode & 0o7777)), level=INFO)
++            compliant = False
++
++        return compliant
++
++    def comply(self, path):
++        """Issues a chown and chmod to the file paths specified."""
++        utils.ensure_permissions(path, self.user.pw_name, self.group.gr_name,
++                                 self.mode)
++
++
++class DirectoryPermissionAudit(FilePermissionAudit):
++    """Performs a permission check for the  specified directory path."""
++
++    def __init__(self, paths, user, group=None, mode=0o600,
++                 recursive=True, **kwargs):
++        super(DirectoryPermissionAudit, self).__init__(paths, user, group,
++                                                       mode, **kwargs)
++        self.recursive = recursive
++
++    def is_compliant(self, path):
++        """Checks if the directory is compliant.
++
++        Used to determine if the path specified and all of its children
++        directories are in compliance with the check itself.
++
++        :param path: the directory path to check
++        :returns: True if the directory tree is compliant, otherwise False.
++        """
++        if not os.path.isdir(path):
++            log('Path specified %s is not a directory.' % path, level=ERROR)
++            raise ValueError("%s is not a directory." % path)
++
++        if not self.recursive:
++            return super(DirectoryPermissionAudit, self).is_compliant(path)
++
++        compliant = True
++        for root, dirs, _ in os.walk(path):
++            if len(dirs) > 0:
++                continue
++
++            if not super(DirectoryPermissionAudit, self).is_compliant(root):
++                compliant = False
++                continue
++
++        return compliant
++
++    def comply(self, path):
++        for root, dirs, _ in os.walk(path):
++            if len(dirs) > 0:
++                super(DirectoryPermissionAudit, self).comply(root)
++
++
++class ReadOnly(BaseFileAudit):
++    """Audits that files and folders are read only."""
++    def __init__(self, paths, *args, **kwargs):
++        super(ReadOnly, self).__init__(paths=paths, *args, **kwargs)
++
++    def is_compliant(self, path):
++        try:
++            output = check_output(['find', path, '-perm', '-go+w',
++                                   '-type', 'f']).strip()
++
++            # The find above will find any files which have permission sets
++            # which allow too broad of write access. As such, the path is
++            # compliant if there is no output.
++            if output:
++                return False
++
++            return True
++        except CalledProcessError as e:
++            log('Error occurred checking finding writable files for %s. '
++                'Error information is: command %s failed with returncode '
++                '%d and output %s.\n%s' % (path, e.cmd, e.returncode, e.output,
++                                           format_exc(e)), level=ERROR)
++            return False
++
++    def comply(self, path):
++        try:
++            check_output(['chmod', 'go-w', '-R', path])
++        except CalledProcessError as e:
++            log('Error occurred removing writeable permissions for %s. '
++                'Error information is: command %s failed with returncode '
++                '%d and output %s.\n%s' % (path, e.cmd, e.returncode, e.output,
++                                           format_exc(e)), level=ERROR)
++
++
++class NoReadWriteForOther(BaseFileAudit):
++    """Ensures that the files found under the base path are readable or
++    writable by anyone other than the owner or the group.
++    """
++    def __init__(self, paths):
++        super(NoReadWriteForOther, self).__init__(paths)
++
++    def is_compliant(self, path):
++        try:
++            cmd = ['find', path, '-perm', '-o+r', '-type', 'f', '-o',
++                   '-perm', '-o+w', '-type', 'f']
++            output = check_output(cmd).strip()
++
++            # The find above here will find any files which have read or
++            # write permissions for other, meaning there is too broad of access
++            # to read/write the file. As such, the path is compliant if there's
++            # no output.
++            if output:
++                return False
++
++            return True
++        except CalledProcessError as e:
++            log('Error occurred while finding files which are readable or '
++                'writable to the world in %s. '
++                'Command output is: %s.' % (path, e.output), level=ERROR)
++
++    def comply(self, path):
++        try:
++            check_output(['chmod', '-R', 'o-rw', path])
++        except CalledProcessError as e:
++            log('Error occurred attempting to change modes of files under '
++                'path %s. Output of command is: %s' % (path, e.output))
++
++
++class NoSUIDSGIDAudit(BaseFileAudit):
++    """Audits that specified files do not have SUID/SGID bits set."""
++    def __init__(self, paths, *args, **kwargs):
++        super(NoSUIDSGIDAudit, self).__init__(paths=paths, *args, **kwargs)
++
++    def is_compliant(self, path):
++        stat = self._get_stat(path)
++        if (stat.st_mode & (S_ISGID | S_ISUID)) != 0:
++            return False
++
++        return True
++
++    def comply(self, path):
++        try:
++            log('Removing suid/sgid from %s.' % path, level=DEBUG)
++            check_output(['chmod', '-s', path])
++        except CalledProcessError as e:
++            log('Error occurred removing suid/sgid from %s.'
++                'Error information is: command %s failed with returncode '
++                '%d and output %s.\n%s' % (path, e.cmd, e.returncode, e.output,
++                                           format_exc(e)), level=ERROR)
++
++
++class TemplatedFile(BaseFileAudit):
++    """The TemplatedFileAudit audits the contents of a templated file.
++
++    This audit renders a file from a template, sets the appropriate file
++    permissions, then generates a hashsum with which to check the content
++    changed.
++    """
++    def __init__(self, path, context, template_dir, mode, user='root',
++                 group='root', service_actions=None, **kwargs):
++        self.context = context
++        self.user = user
++        self.group = group
++        self.mode = mode
++        self.template_dir = template_dir
++        self.service_actions = service_actions
++        super(TemplatedFile, self).__init__(paths=path, always_comply=True,
++                                            **kwargs)
++
++    def is_compliant(self, path):
++        """Determines if the templated file is compliant.
++
++        A templated file is only compliant if it has not changed (as
++        determined by its sha256 hashsum) AND its file permissions are set
++        appropriately.
++
++        :param path: the path to check compliance.
++        """
++        same_templates = self.templates_match(path)
++        same_content = self.contents_match(path)
++        same_permissions = self.permissions_match(path)
++
++        if same_content and same_permissions and same_templates:
++            return True
++
++        return False
++
++    def run_service_actions(self):
++        """Run any actions on services requested."""
++        if not self.service_actions:
++            return
++
++        for svc_action in self.service_actions:
++            name = svc_action['service']
++            actions = svc_action['actions']
++            log("Running service '%s' actions '%s'" % (name, actions),
++                level=DEBUG)
++            for action in actions:
++                cmd = ['service', name, action]
++                try:
++                    check_call(cmd)
++                except CalledProcessError as exc:
++                    log("Service name='%s' action='%s' failed - %s" %
++                        (name, action, exc), level=WARNING)
++
++    def comply(self, path):
++        """Ensures the contents and the permissions of the file.
++
++        :param path: the path to correct
++        """
++        dirname = os.path.dirname(path)
++        if not os.path.exists(dirname):
++            os.makedirs(dirname)
++
++        self.pre_write()
++        render_and_write(self.template_dir, path, self.context())
++        utils.ensure_permissions(path, self.user, self.group, self.mode)
++        self.run_service_actions()
++        self.save_checksum(path)
++        self.post_write()
++
++    def pre_write(self):
++        """Invoked prior to writing the template."""
++        pass
++
++    def post_write(self):
++        """Invoked after writing the template."""
++        pass
++
++    def templates_match(self, path):
++        """Determines if the template files are the same.
++
++        The template file equality is determined by the hashsum of the
++        template files themselves. If there is no hashsum, then the content
++        cannot be sure to be the same so treat it as if they changed.
++        Otherwise, return whether or not the hashsums are the same.
++
++        :param path: the path to check
++        :returns: boolean
++        """
++        template_path = get_template_path(self.template_dir, path)
++        key = 'hardening:template:%s' % template_path
++        template_checksum = file_hash(template_path)
++        kv = unitdata.kv()
++        stored_tmplt_checksum = kv.get(key)
++        if not stored_tmplt_checksum:
++            kv.set(key, template_checksum)
++            kv.flush()
++            log('Saved template checksum for %s.' % template_path,
++                level=DEBUG)
++            # Since we don't have a template checksum, then assume it doesn't
++            # match and return that the template is different.
++            return False
++        elif stored_tmplt_checksum != template_checksum:
++            kv.set(key, template_checksum)
++            kv.flush()
++            log('Updated template checksum for %s.' % template_path,
++                level=DEBUG)
++            return False
++
++        # Here the template hasn't changed based upon the calculated
++        # checksum of the template and what was previously stored.
++        return True
++
++    def contents_match(self, path):
++        """Determines if the file content is the same.
++
++        This is determined by comparing hashsum of the file contents and
++        the saved hashsum. If there is no hashsum, then the content cannot
++        be sure to be the same so treat them as if they are not the same.
++        Otherwise, return True if the hashsums are the same, False if they
++        are not the same.
++
++        :param path: the file to check.
++        """
++        checksum = file_hash(path)
++
++        kv = unitdata.kv()
++        stored_checksum = kv.get('hardening:%s' % path)
++        if not stored_checksum:
++            # If the checksum hasn't been generated, return False to ensure
++            # the file is written and the checksum stored.
++            log('Checksum for %s has not been calculated.' % path, level=DEBUG)
++            return False
++        elif stored_checksum != checksum:
++            log('Checksum mismatch for %s.' % path, level=DEBUG)
++            return False
++
++        return True
++
++    def permissions_match(self, path):
++        """Determines if the file owner and permissions match.
++
++        :param path: the path to check.
++        """
++        audit = FilePermissionAudit(path, self.user, self.group, self.mode)
++        return audit.is_compliant(path)
++
++    def save_checksum(self, path):
++        """Calculates and saves the checksum for the path specified.
++
++        :param path: the path of the file to save the checksum.
++        """
++        checksum = file_hash(path)
++        kv = unitdata.kv()
++        kv.set('hardening:%s' % path, checksum)
++        kv.flush()
++
++
++class DeletedFile(BaseFileAudit):
++    """Audit to ensure that a file is deleted."""
++    def __init__(self, paths):
++        super(DeletedFile, self).__init__(paths)
++
++    def is_compliant(self, path):
++        return not os.path.exists(path)
++
++    def comply(self, path):
++        os.remove(path)
++
++
++class FileContentAudit(BaseFileAudit):
++    """Audit the contents of a file."""
++    def __init__(self, paths, cases, **kwargs):
++        # Cases we expect to pass
++        self.pass_cases = cases.get('pass', [])
++        # Cases we expect to fail
++        self.fail_cases = cases.get('fail', [])
++        super(FileContentAudit, self).__init__(paths, **kwargs)
++
++    def is_compliant(self, path):
++        """
++        Given a set of content matching cases, check that all cases match
++        as expected with the contents of the file. Cases can be expected to
++        pass of fail.
++
++        :param path: Path of file to check.
++        :returns: Boolean value representing whether or not all cases are
++                  found to be compliant.
++        """
++        log("Auditing contents of file '%s'" % (path), level=DEBUG)
++        with open(path, 'r') as fd:
++            contents = fd.read()
++
++        matches = 0
++        for pattern in self.pass_cases:
++            key = re.compile(pattern, flags=re.MULTILINE)
++            results = re.search(key, contents)
++            if results:
++                matches += 1
++            else:
++                log("Pattern '%s' was expected to pass but instead it failed"
++                    % (pattern), level=WARNING)
++
++        for pattern in self.fail_cases:
++            key = re.compile(pattern, flags=re.MULTILINE)
++            results = re.search(key, contents)
++            if not results:
++                matches += 1
++            else:
++                log("Pattern '%s' was expected to fail but instead it passed"
++                    % (pattern), level=WARNING)
++
++        total = len(self.pass_cases) + len(self.fail_cases)
++        log("Checked %s cases and %s passed" % (total, matches), level=DEBUG)
++        return matches == total
++
++    def comply(self, *args, **kwargs):
++        """NOOP since we just issue warnings. This is to avoid the
++        NotImplememtedError.
++        """
++        log("Not applying any compliance criteria, only checks.", level=INFO)
 === added directory 'hooks/charmhelpers/contrib/hardening/defaults'
 === added file 'hooks/charmhelpers/contrib/hardening/defaults/apache.yaml'
 --- hooks/charmhelpers/contrib/hardening/defaults/apache.yaml	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/defaults/apache.yaml	2016-03-21 06:13:21 +0000
@@ -0,0 +1,13 @@
++# NOTE: this file contains the default configuration for the 'apache' hardening
++#       code. If you want to override any settings you must add them to a file
++#       called hardening.yaml in the root directory of your charm using the
++#       name 'apache' as the root key followed by any of the following with new
++#       values.
++
++common:
++    apache_dir: '/etc/apache2'
++
++hardening:
++    traceenable: 'off'
++    allowed_http_methods: "GET POST"
++    modules_to_disable: [ cgi, cgid ]
 \ No newline at end of file
 === added file 'hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema'
 --- hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/defaults/apache.yaml.schema	2016-03-21 06:13:21 +0000
@@ -0,0 +1,9 @@
++# NOTE: this schema must contain all valid keys from it's associated defaults
++#       file. It is used to validate user-provided overrides.
++common:
++    apache_dir:
++    traceenable:
++
++hardening:
++    allowed_http_methods:
++    modules_to_disable:
 === added file 'hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml'
 --- hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml	2016-03-21 06:13:21 +0000
@@ -0,0 +1,38 @@
++# NOTE: this file contains the default configuration for the 'mysql' hardening
++#       code. If you want to override any settings you must add them to a file
++#       called hardening.yaml in the root directory of your charm using the
++#       name 'mysql' as the root key followed by any of the following with new
++#       values.
++
++security:
++    # @see http://www.symantec.com/connect/articles/securing-mysql-step-step
++    # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot
++    chroot: None
++
++    # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create
++    safe-user-create: 1
++
++    # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth
++    secure-auth: 1
++
++    # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links
++    skip-symbolic-links: 1
++
++    # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database
++    skip-show-database: True
++
++    # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile
++    local-infile: 0
++
++    # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs
++    allow-suspicious-udfs: 0
++
++    # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges
++    automatic-sp-privileges: 0
++
++    # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv
++    secure-file-priv: /tmp
++
++hardening:
++    mysql-conf: /etc/mysql/my.cnf
++    hardening-conf: /etc/mysql/conf.d/hardening.cnf
 === added file 'hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema'
 --- hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/defaults/mysql.yaml.schema	2016-03-21 06:13:21 +0000
@@ -0,0 +1,15 @@
++# NOTE: this schema must contain all valid keys from it's associated defaults
++#       file. It is used to validate user-provided overrides.
++security:
++    chroot:
++    safe-user-create:
++    secure-auth:
++    skip-symbolic-links:
++    skip-show-database:
++    local-infile:
++    allow-suspicious-udfs:
++    automatic-sp-privileges:
++    secure-file-priv:
++hardening:
++    mysql-conf:
++    hardening-conf:
 \ No newline at end of file
 === added file 'hooks/charmhelpers/contrib/hardening/defaults/os.yaml'
 --- hooks/charmhelpers/contrib/hardening/defaults/os.yaml	1970-01-01 00:00:00 +0000
 +++ hooks/charmhelpers/contrib/hardening/defaults/os.yaml	2016-03-21 06:13:21 +0000
@@ -0,0 +1,67 @@
++# NOTE: this file contains the default configuration for the 'os' hardening
++#       code. If you want to override any settings you must add them to a file
++#       called hardening.yaml in the root directory of your charm using the
++#       name 'os' as the root key followed by any of the following with new
++#       values.
++
++general:
++    desktop_enable: False  # (type:boolean)
++
++environment:
++    extra_user_paths: []
++    umask: 027
++    root_path: /
++
++auth:
++    pw_max_age: 60
++    # discourage password cycling

Juju Charms Collectionntpmaster package

Merge lp:~paulgear/charms/trusty/ntpmaster/sync-charmhelpers into lp:charms/trusty/ntpmaster

Commit message

Description of the change

Preview Diff

Subscribers

Juju Charms Collection
ntpmaster package