diff --git a/fabfile/tasks/backup_restore.py b/fabfile/tasks/backup_restore.py index 9e58eb2a1..3b344dfa9 100644 --- a/fabfile/tasks/backup_restore.py +++ b/fabfile/tasks/backup_restore.py @@ -163,7 +163,7 @@ def backup_nova_instance_data(): # end backup_nova_instance_data -@roles('database') +@roles('database', 'cfgm') def backup_cassandra(db_datas, store_db='local', cassandra_backup='full'): """Backup cassandra data in all databases """ global backup_path, final_dir @@ -337,7 +337,7 @@ def backup_instance_image(db_datas, store_db='local'): sudo(remote_bk_cmd) # end backup_instances_images -@roles('database') +@roles('database', 'cfgm') def backup_zookeeper(db_datas, store_db='local'): """Backup zookeeper data to all database nodes """ host = env.host_string @@ -692,7 +692,7 @@ def restart_analytics(): time.sleep(5) @task -@roles('database') +@roles('database', 'cfgm') def restore_cassandra(backup_data_path='', store_db='local',cassandra_backup='full'): """Restore cassandra data to all databases .and usuage is restore_cassadra_db """ global backup_path @@ -905,7 +905,7 @@ def restore_instance_image(backup_data_path, store_db='local'): # end restore_glance_images -@roles('database') +@roles('database', 'cfgm') def restore_zookeeper(backup_data_path, store_db='local'): """Restore zookeeper data to all database nodes """ global backup_path diff --git a/fabfile/tasks/ha.py b/fabfile/tasks/ha.py index e9be14d66..aea8b032e 100644 --- a/fabfile/tasks/ha.py +++ b/fabfile/tasks/ha.py 
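Review bot: The docstrings of the tasks whose decorator becomes `@roles('database', 'cfgm')` still describe database nodes only, for example `"""Backup zookeeper data to all database nodes """`, so they no longer say where the task runs. This applies to backup_cassandra, backup_zookeeper, restore_cassandra and restore_zookeeper; each could read along the lines of `"""Backup zookeeper data on all database and cfgm nodes."""`. The restore tasks write data onto every host they run on, so a one-line comment on why cfgm hosts are included would help anyone auditing which nodes receive restored cassandra/zookeeper data. The function bodies continue outside the hunks.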
@@ -4,13 +4,20 @@ from fabfile.templates import openstack_haproxy, collector_haproxy from fabfile.tasks.helpers import enable_haproxy from fabfile.tasks.rabbitmq import purge_node_from_rabbitmq_cluster -from fabfile.utils.fabos import detect_ostype, get_as_sudo, is_package_installed -from fabfile.utils.host import get_authserver_ip, get_control_host_string,\ - hstr_to_ip, get_from_testbed_dict, get_service_token, get_env_passwords,\ - get_openstack_internal_vip, get_openstack_external_vip,\ - get_contrail_internal_vip, get_contrail_external_vip, \ - get_openstack_internal_virtual_router_id, get_contrail_internal_virtual_router_id, \ - get_openstack_external_virtual_router_id, get_contrail_external_virtual_router_id +from fabfile.utils.fabos import ( + detect_ostype, get_as_sudo, is_package_installed, + ) +from fabfile.utils.host import ( + get_authserver_ip, get_control_host_string, hstr_to_ip, + get_from_testbed_dict, get_service_token, get_env_passwords, + get_openstack_internal_vip, get_openstack_external_vip, + get_contrail_internal_vip, get_contrail_external_vip, + get_openstack_internal_virtual_router_id, + get_contrail_internal_virtual_router_id, + get_openstack_external_virtual_router_id, + get_contrail_external_virtual_router_id, + keystone_ssl_enabled, + ) from fabfile.utils.cluster import get_orchestrator from fabfile.tasks.provision import fixup_restart_haproxy_in_all_cfgm from fabfile.utils.commandline import frame_vnc_database_cmd, frame_vnc_config_cmd @@ -416,6 +423,8 @@ def fixup_restart_haproxy_in_openstack(): @task def fixup_restart_haproxy_in_openstack_node(*args): + keystone_frontend = 'frontend openstack-keystone *:5000' + keystone_admin_frontend = 'frontend openstack-keystone-admin *:35357' keystone_server_lines = '' keystone_admin_server_lines = '' glance_server_lines = '' 
@@ -431,16 +440,44 @@ def fixup_restart_haproxy_in_openstack_node(*args): barbican_server_lines = '' space = ' ' * 3 + if keystone_ssl_enabled(): + keystone_frontend_lines = [ + 'frontend openstack-keystone', + '%s bind *:5000 ssl crt /etc/keystone/ssl/certs/keystonecertbundle.pem' % space, + '%s option http-server-close' % space, + '%s option forwardfor' % space, + '%s reqadd X-Forwarded-Proto:\ https' % space, + '%s reqadd X-Forwarded-Port:\ 5000' % space, + ] + keystone_frontend = '\n'.join(keystone_frontend_lines) + keystone_admin_frontend_lines = [ + 'frontend openstack-keystone-admin', + '%s bind *:35357 ssl crt /etc/keystone/ssl/certs/keystonecertbundle.pem' % space, + '%s option http-server-close' % space, + '%s option forwardfor' % space, + '%s reqadd X-Forwarded-Proto:\ https' % space, + '%s reqadd X-Forwarded-Port:\ 35357' % space, + ] + keystone_admin_frontend = '\n'.join(keystone_admin_frontend_lines) + for host_string in env.roledefs['openstack']: server_index = env.roledefs['openstack'].index(host_string) + 1 mgmt_host_ip = hstr_to_ip(host_string) host_ip = hstr_to_ip(get_control_host_string(host_string)) keystone_server_lines +=\ - '%s server %s %s:6000 check inter 2000 rise 2 fall 1\n'\ + '%s server %s %s:6000 check inter 2000 rise 2 fall 1'\ % (space, host_ip, host_ip) + if keystone_ssl_enabled(): + keystone_server_lines += " ssl verify none\n" + else: + keystone_server_lines += "\n" keystone_admin_server_lines +=\ - '%s server %s %s:35358 check inter 2000 rise 2 fall 1\n'\ + '%s server %s %s:35358 check inter 2000 rise 2 fall 1'\ % (space, host_ip, host_ip) + if keystone_ssl_enabled(): + keystone_admin_server_lines += " ssl verify none\n" + else: + keystone_admin_server_lines += "\n" glance_server_lines +=\ '%s server %s %s:9393 check inter 2000 rise 2 fall 1\n'\ % (space, host_ip, host_ip) 
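Review bot: The `" ssl verify none\n"` suffix appended to the keystone and keystone-admin `server` lines encrypts the haproxy-to-keystone hop without authenticating the backend, so haproxy accepts any certificate presented on :6000/:35358. Since the commit already distributes a keystone CA file, the suffix could be `" ssl verify required ca-file %s\n" % get_keystone_cafile()` (that helper is imported in ssl.py but would need adding to the ha.py import list). The two `bind` lines hard-code `/etc/keystone/ssl/certs/keystonecertbundle.pem` although this commit adds `get_keystone_cert_bundle()` in fabfile/utils/host.py for the same path; using the helper keeps the two from drifting apart. `keystone_ssl_enabled()` is also evaluated twice per loop iteration and could be read once into a local before the `for`. The function body starts and ends outside the hunk.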
@@ -488,7 +525,9 @@ def fixup_restart_haproxy_in_openstack_node(*args): for host_string in env.roledefs['openstack']: haproxy_config = openstack_haproxy.template.safe_substitute({ + '__keystone_frontend__' : keystone_frontend, '__keystone_backend_servers__' : keystone_server_lines, + '__keystone_admin_frontend__' : keystone_admin_frontend, '__keystone_admin_backend_servers__' : keystone_admin_server_lines, '__glance_backend_servers__' : glance_server_lines, '__heat_backend_servers__' : heat_server_lines, @@ -1073,6 +1112,8 @@ def setup_ha(): execute('fix_wsrep_cluster_address') execute('setup_cmon_schema') execute('fix_restart_xinetd_conf') + if keystone_ssl_enabled(): + execute("setup_keystone_ssl_certs") execute('fixup_restart_haproxy_in_openstack') execute('setup_glance_images_loc') execute('fix_memcache_conf') diff --git a/fabfile/tasks/helpers.py b/fabfile/tasks/helpers.py index d6ed6f8fb..05c10bb75 100644 --- a/fabfile/tasks/helpers.py +++ b/fabfile/tasks/helpers.py @@ -1315,6 +1315,13 @@ def pre_check(): print "\t 2.Same set of nodes or" print "\t 3.cfgm should be subset of database nodes." exit(1) + if (env.roledefs['openstack'] and # Openstack defined + [os_node for os_node in env.roledefs['openstack'] + if os_node in env.roledefs['all']] and # Openstack in all role(contrail-cloud deployment) + keystone_ssl_enabled() and # ssl enabled for keystone + not apiserver_ssl_enabled()): # ssl disabled for apiserver + print "\nERROR: \n\tIn contrail cloud deployment, recommended to deploy both keystone and apiserver with ssl." + exit(1) def role_to_ip_dict(role=None): diff --git a/fabfile/tasks/provision.py b/fabfile/tasks/provision.py index e86c4ccc5..069cc1a3c 100644 --- a/fabfile/tasks/provision.py +++ b/fabfile/tasks/provision.py 
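Review bot: The new check in pre_check aborts with `exit(1)` while its message says the combination is only "recommended", so the output does not tell the operator that keystone SSL without apiserver SSL is being refused. Wording such as `print "\nERROR: \n\tIn contrail cloud deployment, keystone SSL requires apiserver SSL to be enabled as well."` would match the behaviour. The list comprehension used as a truth value reads more directly as `any(n in env.roledefs['all'] for n in env.roledefs['openstack'])`. `keystone_ssl_enabled` and `apiserver_ssl_enabled` are not imported in any visible hunk of helpers.py; presumably an existing import covers them, which is worth confirming. pre_check's body starts outside the hunk.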
@@ -676,6 +676,8 @@ def fixup_ceilometer_conf_common(): sudo("openstack-config --set %s database connection %s" % (conf_file, value)) amqp_server_ip = get_openstack_amqp_server() sudo("openstack-config --set %s DEFAULT rabbit_host %s" % (conf_file, amqp_server_ip)) + amqp_server_port = get_openstack_amqp_port() + sudo("openstack-config --set %s DEFAULT rabbit_port %s" % (conf_file, amqp_server_port)) value = "/var/log/ceilometer" sudo("openstack-config --set %s DEFAULT log_dir %s" % (conf_file, value)) value = "a74ca26452848001921c" @@ -688,6 +690,9 @@ def fixup_ceilometer_conf_common(): #end fixup_ceilometer_conf_common def fixup_ceilometer_conf_keystone(openstack_ip): + auth_protocol = 'http' + if keystone_ssl_enabled(): + auth_protocol = 'https' conf_file = '/etc/ceilometer/ceilometer.conf' with settings(warn_only=True): authtoken_config = sudo("grep '^auth_host =' /etc/ceilometer/ceilometer.conf").succeeded 
@@ -696,15 +701,19 @@ def fixup_ceilometer_conf_keystone(openstack_ip): sudo("%s admin_password CEILOMETER_PASS" % config_cmd) sudo("%s admin_user ceilometer" % config_cmd) sudo("%s admin_tenant_name service" % config_cmd) - sudo("%s auth_uri http://%s:5000" % (config_cmd, openstack_ip)) - sudo("%s auth_protocol http" % config_cmd) + sudo("%s auth_uri %s://%s:5000" % (config_cmd, auth_protocol, openstack_ip)) + sudo("%s auth_protocol %s" % (config_cmd, auth_protocol)) sudo("%s auth_port 35357" % config_cmd) sudo("%s auth_host %s" % (config_cmd, openstack_ip)) + if keystone_ssl_enabled(): + sudo("%s insecure True" % config_cmd) config_cmd = "openstack-config --set %s service_credentials" % conf_file sudo("%s os_password CEILOMETER_PASS" % config_cmd) sudo("%s os_tenant_name service" % config_cmd) sudo("%s os_username ceilometer" % config_cmd) - sudo("%s os_auth_url http://%s:5000/v2.0" % (config_cmd, openstack_ip)) + sudo("%s os_auth_url %s://%s:5000/v2.0" % (config_cmd, auth_protocol, openstack_ip)) + if keystone_ssl_enabled(): + sudo("%s insecure True" % config_cmd) #end fixup_ceilometer_conf_keystone def fixup_ceilometer_pipeline_conf(analytics_ip): @@ -941,6 +950,8 @@ def setup_ceilometer(): @task def setup_ceilometer_node(*args): """Provisions ceilometer services in one or list of nodes. USAGE: fab setup_ceilometer_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return analytics_ip = hstr_to_ip(env.roledefs['collector'][0]) for host_string in args: self_host = get_control_host_string(host_string) 
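Review bot: Both `sudo("%s insecure True" % config_cmd)` calls switch off certificate verification for ceilometer's connections to keystone, so enabling keystone SSL gives encryption but no server authentication for the service credentials that follow (`CEILOMETER_PASS`). The CA file this commit already handles via `get_keystone_cafile()` could be configured instead, e.g. `sudo("%s cafile %s" % (config_cmd, get_keystone_cafile()))` for the first section (presumably keystone_authtoken; its `config_cmd` is set outside the hunk) and `sudo("%s os_cacert %s" % (config_cmd, get_keystone_cafile()))` for service_credentials, provided the CA file is present on the ceilometer node. If `insecure True` has to stay for self-signed deployments, a comment saying so next to each call would record that it is deliberate. The same trade-off appears in the `keystone --insecure` commands of setup_ceilometer_node, which a later hunk extends to the inner `service-list` call.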
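Review bot: The early `return` added to setup_ceilometer_node when `is_ceilometer_provision_supported()` is false is silent and not mentioned in the docstring, so `fab setup_ceilometer_node:...` on an unsupported setup looks like a successful run. The same guard is added to setup_network_service_node, setup_identity_service_node and setup_image_service_node. A line such as `print "Ceilometer provisioning is not supported in this setup; skipping"` before each `return`, plus a sentence in each docstring, would make the skip visible.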
@@ -986,7 +997,7 @@ def setup_ceilometer_node(*args): ceilometer_service_exists = sudo("source /etc/contrail/openstackrc;keystone --insecure service-list | grep ceilometer").succeeded if not ceilometer_service_exists: sudo("source /etc/contrail/openstackrc;keystone --insecure service-create --name=ceilometer --type=metering --description=\"Telemetry\"") - sudo("source /etc/contrail/openstackrc;keystone --insecure endpoint-create --service-id=$(keystone service-list | awk '/ metering / {print $2}') --publicurl=http://%s:8777 --internalurl=http://%s:8777 --adminurl=http://%s:8777 --region=RegionOne" %(self_ip, self_ip, self_ip)) + sudo("source /etc/contrail/openstackrc;keystone --insecure endpoint-create --service-id=$(keystone --insecure service-list | awk '/ metering / {print $2}') --publicurl=http://%s:8777 --internalurl=http://%s:8777 --adminurl=http://%s:8777 --region=RegionOne" %(self_ip, self_ip, self_ip)) # Fixup ceilometer pipeline cfg fixup_ceilometer_pipeline_conf(analytics_ip) for svc in ceilometer_services: @@ -1004,6 +1015,8 @@ def setup_network_service(): def setup_network_service_node(*args): """Provisions network services in one or list of nodes. USAGE: fab setup_network_service_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return conf_file = '/etc/neutron/neutron.conf' neutron_config = {'DEFAULT' : {'notification_driver' : 'neutron.openstack.common.notifier.rpc_notifier'} } 
@@ -1014,21 +1027,25 @@ def setup_network_service_node(*args): sudo("service neutron-server restart") #end setup_network_service_node +@task +@roles('openstack') +def setup_identity_service(): + """Provisions identity services in openstack nodes""" + if env.roledefs['openstack']: + execute("setup_identity_service_node", env.host_string) + @task def setup_identity_service_node(*args): """Provisions identity services in one or list of nodes. USAGE: fab setup_identity_service_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return amqp_server_ip = get_openstack_amqp_server() - rabbit_port = "5672" - - # If HA is enabled, then use the frontend HAProxy Rabbit port - if get_openstack_internal_vip(): - rabbit_port = "5673" conf_file = '/etc/keystone/keystone.conf' keystone_configs = {'DEFAULT' : {'notification_driver' : 'messaging', 'rabbit_host' : '%s' % amqp_server_ip, - 'rabbit_port' : '%s' % rabbit_port } + 'rabbit_port' : '%s' % get_openstack_amqp_port() } } for host_string in args: for section, key_values in keystone_configs.iteritems(): @@ -1037,9 +1054,18 @@ def setup_identity_service_node(*args): sudo("service keystone restart") #end setup_identity_service_node +@task +@roles('openstack') +def setup_image_service(): + """Provisions image services in openstack nodes""" + if env.roledefs['openstack']: + execute("setup_image_service_node", env.host_string) + @task def setup_image_service_node(*args): """Provisions image services in one or list of nodes. USAGE: fab setup_image_service_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return amqp_server_ip = get_openstack_amqp_server() for host_string in args: openstack_sku = get_openstack_sku() 
@@ -1047,6 +1073,7 @@ def setup_image_service_node(*args): glance_configs = {'DEFAULT' : {'notification_driver' : 'messaging', 'rpc_backend' : 'rabbit', 'rabbit_host' : '%s' % amqp_server_ip, + 'rabbit_port' : '%s' % get_openstack_amqp_port(), 'rabbit_password' : 'guest'} } if openstack_sku == 'havana': @@ -1073,12 +1100,6 @@ def setup_openstack(): execute("setup_openstack_node", env.host_string) if is_package_installed('contrail-openstack-dashboard'): execute('setup_contrail_horizon_node', env.host_string) - if is_ceilometer_provision_supported(): - if env.host_string == env.roledefs['openstack'][0]: - execute("setup_ceilometer_node", env.host_string) - execute("setup_network_service") #Provisions in cfgm node - execute("setup_image_service_node", env.host_string) - execute("setup_identity_service_node", env.host_string) @task @roles('openstack') @@ -1144,7 +1165,8 @@ def setup_openstack_node(*args): cmd = frame_vnc_openstack_cmd(host_string) # Execute the provision openstack script with settings(host_string=host_string): - if keystone_ssl_enabled(): + # Certs are already created in setup_ha task + if keystone_ssl_enabled() and not get_openstack_internal_vip(): execute("setup_keystone_ssl_certs_node", host_string) with cd(INSTALLER_DIR): sudo(cmd) @@ -1621,7 +1643,7 @@ def prov_config_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, 
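Review bot: The added comment `# Certs are already created in setup_ha task` states an ordering dependency that the condition `keystone_ssl_enabled() and not get_openstack_internal_vip()` does not enforce. setup_openstack_node takes explicit hosts via `*args`, so when it is run for an HA node that setup_ha has not processed (inferred, the call sites are outside the hunk) keystone would be provisioned without its certificates. The comment could be extended to `# HA: certs are created by setup_ha (setup_keystone_ssl_certs); it must have run for this host first`, or the certs task could be invoked whenever the cert files are absent on the node. The function body starts and ends outside the hunk.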
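Review bot: The expression `get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))` is now repeated in prov_config_node, prov_database_node, prov_analytics_node, prov_control_bgp_node and prov_external_bgp_node, while `cfgm_host_password` is still looked up for the first cfgm host. A small helper (name is only a suggestion), `def get_cfgm_provision_ip(cfgm_host): return get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))`, would keep the five call sites in step. A comment on why the address (VIP) and the password (first cfgm) may refer to different endpoints is also worth adding; how the two are used is outside the hunks.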
@@ -1656,7 +1678,7 @@ def prov_database_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, @@ -1692,7 +1714,7 @@ def prov_analytics_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, @@ -1726,8 +1748,12 @@ def prov_control_bgp(): def prov_control_bgp_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) - cfgm_host = kwargs.get('cfgm_host', env.roledefs['cfgm'][0]) - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_host = kwargs.get('cfgm_host', None) + if cfgm_host: + cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + else: + cfgm_host = env.roledefs['cfgm'][0] + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, @@ -1771,7 +1797,7 @@ def prov_external_bgp_node(*args): for host_string in args: with settings(host_string=host_string, password=get_env_passwords(host_string)): - cfgm_ip = hstr_to_ip(get_control_host_string(env.roledefs['cfgm'][0])) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(env.roledefs['cfgm'][0])) for ext_bgp in testbed.ext_routers: ext_bgp_name = ext_bgp[0] ext_bgp_ip = ext_bgp[1] 
@@ -2377,8 +2403,10 @@ def setup_orchestrator(): if orch == 'openstack': execute('increase_ulimits') execute('setup_openstack') - if get_openstack_internal_vip(): - execute('sync_keystone_ssl_certs') + execute("setup_ceilometer") + execute("setup_network_service") #Provisions in cfgm node + execute("setup_image_service",) + execute("setup_identity_service") execute('verify_openstack') #setup_vcenter can be called outside of setup_all and need not be below. So commenting. #elif orch == 'vcenter': diff --git a/fabfile/tasks/ssl.py b/fabfile/tasks/ssl.py index 9b607735d..07bd5444f 100644 --- a/fabfile/tasks/ssl.py +++ b/fabfile/tasks/ssl.py @@ -1,15 +1,19 @@ import os +import tempfile from time import sleep from fabric.contrib.files import exists from fabfile.config import * -from fabfile.utils.host import (get_keystone_certfile, get_keystone_keyfile, - get_keystone_cafile, get_apiserver_certfile, - get_apiserver_keyfile, get_apiserver_cafile, - get_env_passwords, get_openstack_internal_vip, - get_contrail_internal_vip, hstr_to_ip, - get_apiserver_cert_bundle, get_control_host_string) +from fabfile.utils.host import ( + get_keystone_certfile, get_keystone_keyfile, + get_keystone_cafile, get_apiserver_certfile, + get_apiserver_keyfile, get_apiserver_cafile, + get_env_passwords, get_openstack_internal_vip, + get_contrail_internal_vip, hstr_to_ip, + get_apiserver_cert_bundle, get_control_host_string, + get_keystone_cert_bundle, + ) from fabfile.utils.fabos import get_as_sudo @@ -25,6 +29,7 @@ def setup_keystone_ssl_certs_node(*nodes): default_certfile = '/etc/keystone/ssl/certs/keystone.pem' default_keyfile = '/etc/keystone/ssl/private/keystone.key' default_cafile = '/etc/keystone/ssl/certs/keystone_ca.pem' + keystonecertbundle = get_keystone_cert_bundle() ssl_certs = ((get_keystone_certfile(), default_certfile), (get_keystone_keyfile(), default_keyfile), (get_keystone_cafile(), default_cafile)) 
@@ -35,6 +40,7 @@ def setup_keystone_ssl_certs_node(*nodes): if ssl_cert == default: # Clear old certificate sudo('rm -f %s' % ssl_cert) + sudo('rm -f %s' % keystonecertbundle) for ssl_cert, default in ssl_certs: if ssl_cert == default: openstack_host = env.roledefs['openstack'][0] @@ -51,9 +57,12 @@ def setup_keystone_ssl_certs_node(*nodes): print "Wait for SSL certs to be created in first openstack" sleep(0.1) print "Get SSL cert(%s) from first openstack" % ssl_cert - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) print "Copy to this(%s) openstack node" % env.host_string + sudo('mkdir -p /etc/keystone/ssl/certs/') + sudo('mkdir -p /etc/keystone/ssl/private/') put(tmp_fname, ssl_cert, use_sudo=True) os.remove(tmp_fname) elif os.path.isfile(ssl_cert): @@ -64,7 +73,10 @@ def setup_keystone_ssl_certs_node(*nodes): pass else: raise RuntimeError("%s doesn't exists locally or in openstack node") - sudo("chown -R keystone:keystone /etc/keystone/ssl") + if not exists(keystonecertbundle, use_sudo=True): + ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs + sudo('cat %s %s > %s' % (certfile, cafile, keystonecertbundle)) + sudo("chown -R keystone:keystone /etc/keystone/ssl") @task @@ -106,9 +118,12 @@ def setup_apiserver_ssl_certs_node(*nodes): print "Wait for SSL certs to be created in first cfgm" sleep(0.1) print "Get SSL cert(%s) from first cfgm" % ssl_cert - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) print "Copy to this(%s) cfgm node" % env.host_string + sudo('mkdir -p /etc/contrail/ssl/certs/') + sudo('mkdir -p /etc/contrail/ssl/private/') put(tmp_fname, ssl_cert, use_sudo=True) os.remove(tmp_fname) elif os.path.isfile(ssl_cert): 
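Review bot: The directory returned by `tempfile.mkdtemp()` is never removed: `os.remove(tmp_fname)` deletes only the file inside it, and when `get_as_sudo` or `put` raises, the fetched certificate or private key stays on the machine running fab. The same pattern is added in setup_apiserver_ssl_certs_node, copy_keystone_ssl_certs_to_node, copy_apiserver_ssl_certs_to_node and copy_vnc_api_lib_ini_to_node; in the three copy functions no cleanup is visible inside the hunks at all. Wrapping the transfer in `try`/`finally` with `shutil.rmtree` covers both cases; it needs `import shutil`, which is not among the imports shown for ssl.py. The assignment is also written `tmp_dir= tempfile.mkdtemp()` without a space before `=`.
```python
tmp_dir = tempfile.mkdtemp()
try:
    tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert))
    get_as_sudo(ssl_cert, tmp_fname)
    # ... unchanged: print and the two mkdir -p calls ...
    put(tmp_fname, ssl_cert, use_sudo=True)
finally:
    # Removes the fetched file and its directory even when the transfer fails.
    shutil.rmtree(tmp_dir, ignore_errors=True)
```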
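Review bot: The bundle written by `sudo('cat %s %s > %s' % (certfile, cafile, keystonecertbundle))` contains the certificate and the CA only; `keyfile` is unpacked on the line before and never used. The ha.py part of this commit points haproxy at this file with `bind *:5000 ssl crt /etc/keystone/ssl/certs/keystonecertbundle.pem`, and haproxy's `crt` expects the private key in the same PEM, so unless keystone.pem already carries the key (not visible here) the frontend will not load. If the key is added, the bundle should be created with a restrictive umask, e.g. `sudo('umask 077; cat %s %s %s > %s' % (certfile, keyfile, cafile, keystonecertbundle))`, because a plain `cat >` typically leaves the file readable by other users. The context line `raise RuntimeError("%s doesn't exists locally or in openstack node")` in the same hunk is missing its `% ssl_cert` argument, which the apiserver variant has.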
@@ -118,10 +133,10 @@ def setup_apiserver_ssl_certs_node(*nodes): print "Certificate (%s) exists in cfgm node" % ssl_cert else: raise RuntimeError("%s doesn't exists locally or in cfgm node" % ssl_cert) - if not exists(contrailcertbundle, use_sudo=True): - ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs - sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle)) - sudo("chown -R contrail:contrail /etc/contrail/ssl") + if not exists(contrailcertbundle, use_sudo=True): + ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs + sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle)) + sudo("chown -R contrail:contrail /etc/contrail/ssl") @task @@ -158,7 +173,8 @@ def copy_keystone_ssl_certs_to_node(*nodes): sudo('rm -f %s' % cert_file) with settings(host_string=openstack_host, password=get_env_passwords(openstack_host)): - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) sudo("mkdir -p /etc/contrail/ssl/certs/") put(tmp_fname, cert_file, use_sudo=True) @@ -234,7 +250,8 @@ def copy_apiserver_ssl_certs_to_node(*nodes): continue with settings(host_string=cfgm_host, password=get_env_passwords(cfgm_host)): - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) sudo("mkdir -p /etc/contrail/ssl/certs/") sudo("mkdir -p /etc/contrail/ssl/private/") @@ -258,6 +275,7 @@ def copy_vnc_api_lib_ini_to_node(*nodes): with settings(host_string=node, password=get_env_passwords(node)): with settings(host_string=cfgm_host, password=get_env_passwords(cfgm_host)): - tmp_fname = os.path.join('/tmp', os.path.basename(vnc_api_lib)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(vnc_api_lib)) get_as_sudo(vnc_api_lib, tmp_fname) put(tmp_fname, vnc_api_lib, use_sudo=True) 
diff --git a/fabfile/templates/openstack_haproxy.py b/fabfile/templates/openstack_haproxy.py index f9f852b45..75a0d8746 100644 --- a/fabfile/templates/openstack_haproxy.py +++ b/fabfile/templates/openstack_haproxy.py @@ -7,7 +7,7 @@ stats uri / stats auth $__contrail_hap_user__:$__contrail_hap_passwd__ -frontend openstack-keystone *:5000 +$__keystone_frontend__ default_backend keystone-backend backend keystone-backend @@ -33,7 +33,7 @@ $__keystone_backend_servers__ -frontend openstack-keystone-admin *:35357 +$__keystone_admin_frontend__ default_backend keystone-admin-backend backend keystone-admin-backend diff --git a/fabfile/templates/rabbitmq_config.py b/fabfile/templates/rabbitmq_config.py index 6c2f593f2..805ea6204 100644 --- a/fabfile/templates/rabbitmq_config.py +++ b/fabfile/templates/rabbitmq_config.py @@ -6,7 +6,6 @@ {vm_memory_high_watermark, 0.4}, {disk_free_limit,50000000}, {log_levels,[{connection, info},{mirroring, info}]}, - {heartbeat,10}, {delegate_count,20}, {channel_max,5000}, {tcp_listen_options, diff --git a/fabfile/utils/host.py b/fabfile/utils/host.py index c5d732946..24904c218 100644 --- a/fabfile/utils/host.py +++ b/fabfile/utils/host.py @@ -288,6 +288,16 @@ def get_openstack_amqp_server(): return get_from_testbed_dict('openstack','amqp_host', (rabbit_vip or hstr_to_ip(get_control_host_string(env.roledefs[amqp_in_role][0])))) +def get_openstack_amqp_port(): + rabbit_port = 5672 + if get_from_testbed_dict('openstack', 'manage_amqp', 'no') == 'yes': + if get_openstack_internal_vip(): + rabbit_port = 5673 + else: + if get_contrail_internal_vip(): + rabbit_port = 5673 + return get_from_testbed_dict('openstack','amqp_port', rabbit_port) + def get_contrail_amqp_server(): """Returns first cfgm ip in case of non HA setup and contrail_internal_vip in case of HA setup 
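Review bot: get_openstack_amqp_port has no docstring, unlike the neighbouring get_contrail_amqp_server, and the rule it encodes is not obvious from the body: 5673 when the relevant internal VIP is set (openstack VIP if `manage_amqp` is 'yes', contrail VIP otherwise), 5672 if not, and either one overridable by the testbed `amqp_port` key. It returns the integer default or whatever type the testbed supplies; the callers in this commit format it with `%s`, so that works, but the docstring should say the type is not normalised. The `else:` followed by a lone `if` can be written `elif get_contrail_internal_vip():`.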
@@ -411,6 +421,10 @@ def get_keystone_cafile(): return get_from_testbed_dict('keystone','cafile', default) +def get_keystone_cert_bundle(): + return '/etc/keystone/ssl/certs/keystonecertbundle.pem' + + def get_apiserver_certfile(): default = '/etc/contrail/ssl/certs/contrail.pem' return get_from_testbed_dict('cfgm','certfile', default)