From a592dc662e24bb809e627ffaa4de37de52c3982f Mon Sep 17 00:00:00 2001 
From: Ignatious Johnson Christopher Date: Mon, 14 Nov 2016 15:13:32 -0800 Subject: [PATCH] Identifying rabbit port based on openstack HA or contrail HA setup. Change-Id: I0bc98c367ed4a69998626fea12132f9d2a9ce213 Closes-Bug: 1616178 (cherry picked from commit be827302029889299487443020107c38c5b22914) Make the /etc/contrail/ssl/ directory before copying the ssl certs to the other cfgm nodes from the first cfgm. Change-Id: I39022479804f9323b7b5235ce60844d891444dd0 Closes-Bug: 1645433 (cherry picked from commit a2b89e61fa8491ea6c440466b923119523fa6c70) (cherry picked from commit 08bae9e992d44c70a1580c2e9b8fd593da3d5d73) fix ceilometer.conf to point to https auth uri in a ssl enabled keystone setup. fix keystone haproxy backend syntax to support ssl. (cherry picked from commit bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00) (cherry picked from commit 0ddd551e0952b9336fb48c9ec3a1e783bb1b15e2) Closes-Bug: 1647243 Change-Id: I06740c325a3864b122419ebb7fe77b86cefa23b9 (cherry picked from commit e122c304093be512057e0ffa1d3d4ffb7e08c926) Removing heartbeat parmameter, so that the default value 60 sec will be used. If we need to override this value in rabbitmq.config, we also need to set 'rabbit_health_check_interval' in the contrail-api.conf to twice the value of heartbeat set in rabbitmq.config. Change-Id: I22fab8a3cc7a0b076ae3f642d16029ba5dab8e2f Partial-Bug: 1639014 (cherry picked from commit 0697528c97e975a4d7498cfb33c5cc5e77801961) zookeeper is moved to cfgm and cassandra will be running in both cfgm and database nodes, So making backup_restore procedure to accomadate this. Change-Id: I66121bbc28609e8c3d48ba52586580d28606aae9 Closs-Bug: 1636344 (cherry picked from commit 04817d0d1b1772d1782aa4303304aba30716ab5e) Ceilometer config file needs to be populated with keystone certs or insecure flag for it to communicate with SSL enabled keystone and check for ceilometer support in respective nodes. 
Change-Id: If736de02b73aefeb477cc73a6c9e92cbf2ec8f38 Closes-Bug: 1645570 (cherry picked from commit 08abf91796f5504259fc9eafbb2ad99b0b02ab0c) We have to provison both keystone/config-api as https in contrail-cloud deployment. In contrail-networking deployments we have option of provisioning config-api with https and using keystone which is pre provisioned with http. The deployment of keystone with https and config-api with http is not recommended. Change-Id: If66b897ba95562150920bcd9843895fb48af743d Closes-Bug: 639074 (cherry picked from commit 93eccbc57752679a1e4e87654f231b12da84c88b) SSL copy to other nodes in the HA cluster fails during parallel execution, Fixing it by creating seperate temp files during copy. Change-Id: I8f25ebaf5970403950e5966fa04ea09810633dfe Closes-Bug: 1649470 (cherry picked from commit 09a392800c5bd7bc18915ff8123230a9bab9d3a0) Do not override the user specified cfgm host. Change-Id: I68ab3e474cca8053cead501a93e29b80017f317b Closes-Bug: 1649679 (cherry picked from commit 5e797902ea758edc41b2ba88a9c0f1e7227ca3a8) Haproxy fails to start as the keystone certs are not created before starting haproxy in a HA setup. Fix is to create keystone ssl certificates before configuring haproxy and skip recreating certs during openstack setup. Change-Id: Ibb53ad16c0222ebd3685a03c09398a1067464664 Closes-Bug: 1649787 (cherry picked from commit b27b0fa28fe741738932c67c0fc4f208fba90fef) --- fabfile/tasks/backup_restore.py | 8 +-- fabfile/tasks/ha.py | 59 ++++++++++++++++--- fabfile/tasks/helpers.py | 7 +++ fabfile/tasks/provision.py | 78 +++++++++++++++++--------- fabfile/tasks/ssl.py | 50 +++++++++++------ fabfile/templates/openstack_haproxy.py | 4 +- fabfile/templates/rabbitmq_config.py | 1 - fabfile/utils/host.py | 14 +++++ 8 files changed, 164 insertions(+), 57 deletions(-) diff --git a/fabfile/tasks/backup_restore.py b/fabfile/tasks/backup_restore.py index 9e58eb2a1..3b344dfa9 100644 --- a/fabfile/tasks/backup_restore.py 
+++ b/fabfile/tasks/backup_restore.py @@ -163,7 +163,7 @@ def backup_nova_instance_data(): # end backup_nova_instance_data -@roles('database') +@roles('database', 'cfgm') def backup_cassandra(db_datas, store_db='local', cassandra_backup='full'): """Backup cassandra data in all databases """ global backup_path, final_dir @@ -337,7 +337,7 @@ def backup_instance_image(db_datas, store_db='local'): sudo(remote_bk_cmd) # end backup_instances_images -@roles('database') +@roles('database', 'cfgm') def backup_zookeeper(db_datas, store_db='local'): """Backup zookeeper data to all database nodes """ host = env.host_string @@ -692,7 +692,7 @@ def restart_analytics(): time.sleep(5) @task -@roles('database') +@roles('database', 'cfgm') def restore_cassandra(backup_data_path='', store_db='local',cassandra_backup='full'): """Restore cassandra data to all databases .and usuage is restore_cassadra_db """ global backup_path @@ -905,7 +905,7 @@ def restore_instance_image(backup_data_path, store_db='local'): # end restore_glance_images -@roles('database') +@roles('database', 'cfgm') def restore_zookeeper(backup_data_path, store_db='local'): """Restore zookeeper data to all database nodes """ global backup_path diff --git a/fabfile/tasks/ha.py b/fabfile/tasks/ha.py index e9be14d66..aea8b032e 100644 --- a/fabfile/tasks/ha.py +++ b/fabfile/tasks/ha.py 
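Review bot: The docstrings of backup_cassandra, backup_zookeeper, restore_cassandra and restore_zookeeper still describe the data as living "in all databases" / "to all database nodes", while the new `@roles('database', 'cfgm')` decorator in all four hunks now runs them on cfgm nodes too (which, per the commit message, now also host zookeeper and cassandra). Update each docstring to name both roles, e.g. `"""Backup zookeeper data on all database and cfgm nodes"""`, and while there fix the usage text in restore_cassandra (`usuage is restore_cassadra_db` has two typos; if the intended task is restore_cassandra, name it exactly). The bodies of all four functions continue outside the hunks.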
@@ -4,13 +4,20 @@ from fabfile.templates import openstack_haproxy, collector_haproxy from fabfile.tasks.helpers import enable_haproxy from fabfile.tasks.rabbitmq import purge_node_from_rabbitmq_cluster -from fabfile.utils.fabos import detect_ostype, get_as_sudo, is_package_installed -from fabfile.utils.host import get_authserver_ip, get_control_host_string,\ - hstr_to_ip, get_from_testbed_dict, get_service_token, get_env_passwords,\ - get_openstack_internal_vip, get_openstack_external_vip,\ - get_contrail_internal_vip, get_contrail_external_vip, \ - get_openstack_internal_virtual_router_id, get_contrail_internal_virtual_router_id, \ - get_openstack_external_virtual_router_id, get_contrail_external_virtual_router_id +from fabfile.utils.fabos import ( + detect_ostype, get_as_sudo, is_package_installed, + ) +from fabfile.utils.host import ( + get_authserver_ip, get_control_host_string, hstr_to_ip, + get_from_testbed_dict, get_service_token, get_env_passwords, + get_openstack_internal_vip, get_openstack_external_vip, + get_contrail_internal_vip, get_contrail_external_vip, + get_openstack_internal_virtual_router_id, + get_contrail_internal_virtual_router_id, + get_openstack_external_virtual_router_id, + get_contrail_external_virtual_router_id, + keystone_ssl_enabled, + ) from fabfile.utils.cluster import get_orchestrator from fabfile.tasks.provision import fixup_restart_haproxy_in_all_cfgm from fabfile.utils.commandline import frame_vnc_database_cmd, frame_vnc_config_cmd @@ -416,6 +423,8 @@ def fixup_restart_haproxy_in_openstack(): @task def fixup_restart_haproxy_in_openstack_node(*args): + keystone_frontend = 'frontend openstack-keystone *:5000' + keystone_admin_frontend = 'frontend openstack-keystone-admin *:35357' keystone_server_lines = '' keystone_admin_server_lines = '' glance_server_lines = '' 
@@ -431,16 +440,44 @@ def fixup_restart_haproxy_in_openstack_node(*args): barbican_server_lines = '' space = ' ' * 3 + if keystone_ssl_enabled(): + keystone_frontend_lines = [ + 'frontend openstack-keystone', + '%s bind *:5000 ssl crt /etc/keystone/ssl/certs/keystonecertbundle.pem' % space, + '%s option http-server-close' % space, + '%s option forwardfor' % space, + '%s reqadd X-Forwarded-Proto:\ https' % space, + '%s reqadd X-Forwarded-Port:\ 5000' % space, + ] + keystone_frontend = '\n'.join(keystone_frontend_lines) + keystone_admin_frontend_lines = [ + 'frontend openstack-keystone-admin', + '%s bind *:35357 ssl crt /etc/keystone/ssl/certs/keystonecertbundle.pem' % space, + '%s option http-server-close' % space, + '%s option forwardfor' % space, + '%s reqadd X-Forwarded-Proto:\ https' % space, + '%s reqadd X-Forwarded-Port:\ 35357' % space, + ] + keystone_admin_frontend = '\n'.join(keystone_admin_frontend_lines) + for host_string in env.roledefs['openstack']: server_index = env.roledefs['openstack'].index(host_string) + 1 mgmt_host_ip = hstr_to_ip(host_string) host_ip = hstr_to_ip(get_control_host_string(host_string)) keystone_server_lines +=\ - '%s server %s %s:6000 check inter 2000 rise 2 fall 1\n'\ + '%s server %s %s:6000 check inter 2000 rise 2 fall 1'\ % (space, host_ip, host_ip) + if keystone_ssl_enabled(): + keystone_server_lines += " ssl verify none\n" + else: + keystone_server_lines += "\n" keystone_admin_server_lines +=\ - '%s server %s %s:35358 check inter 2000 rise 2 fall 1\n'\ + '%s server %s %s:35358 check inter 2000 rise 2 fall 1'\ % (space, host_ip, host_ip) + if keystone_ssl_enabled(): + keystone_admin_server_lines += " ssl verify none\n" + else: + keystone_admin_server_lines += "\n" glance_server_lines +=\ '%s server %s %s:9393 check inter 2000 rise 2 fall 1\n'\ % (space, host_ip, host_ip) 
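Review bot: The backend server lines gain `ssl verify none`, so haproxy terminates TLS on 5000/35357 and re-encrypts to keystone on 6000/35358 without validating the backend certificate; that may be an acceptable trade-off for a same-host backend, but it should be a documented decision rather than an unexplained literal. Add a comment above the loop such as `# backend keystone presents the locally generated cert; chain validation is skipped on purpose — switch to 'verify required ca-file <keystone cafile>' if CA-signed certs are deployed` (get_keystone_cafile() already yields that path). Separately, keystone_ssl_enabled() is evaluated twice per openstack host inside the loop and the if/else is duplicated; bind `ssl_suffix = " ssl verify none\n" if keystone_ssl_enabled() else "\n"` once before the loop and append `ssl_suffix` to both server lines. The function continues outside the hunk.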
@@ -488,7 +525,9 @@ def fixup_restart_haproxy_in_openstack_node(*args): for host_string in env.roledefs['openstack']: haproxy_config = openstack_haproxy.template.safe_substitute({ + '__keystone_frontend__' : keystone_frontend, '__keystone_backend_servers__' : keystone_server_lines, + '__keystone_admin_frontend__' : keystone_admin_frontend, '__keystone_admin_backend_servers__' : keystone_admin_server_lines, '__glance_backend_servers__' : glance_server_lines, '__heat_backend_servers__' : heat_server_lines, @@ -1073,6 +1112,8 @@ def setup_ha(): execute('fix_wsrep_cluster_address') execute('setup_cmon_schema') execute('fix_restart_xinetd_conf') + if keystone_ssl_enabled(): + execute("setup_keystone_ssl_certs") execute('fixup_restart_haproxy_in_openstack') execute('setup_glance_images_loc') execute('fix_memcache_conf') diff --git a/fabfile/tasks/helpers.py b/fabfile/tasks/helpers.py index d6ed6f8fb..05c10bb75 100644 --- a/fabfile/tasks/helpers.py +++ b/fabfile/tasks/helpers.py @@ -1315,6 +1315,13 @@ def pre_check(): print "\t 2.Same set of nodes or" print "\t 3.cfgm should be subset of database nodes." exit(1) + if (env.roledefs['openstack'] and # Openstack defined + [os_node for os_node in env.roledefs['openstack'] + if os_node in env.roledefs['all']] and # Openstack in all role(contrail-cloud deployment) + keystone_ssl_enabled() and # ssl enabled for keystone + not apiserver_ssl_enabled()): # ssl disabled for apiserver + print "\nERROR: \n\tIn contrail cloud deployment, recommended to deploy both keystone and apiserver with ssl." + exit(1) def role_to_ip_dict(role=None): diff --git a/fabfile/tasks/provision.py b/fabfile/tasks/provision.py index e86c4ccc5..069cc1a3c 100644 --- a/fabfile/tasks/provision.py +++ b/fabfile/tasks/provision.py 
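Review bot: The new guard at the end of pre_check aborts with exit(1), yet its message says the combination is only "recommended"; since the check is fatal the text should say so, e.g. `print "\nERROR: \n\tIn a contrail-cloud deployment keystone and apiserver must both be deployed with ssl."`. The membership test builds a throwaway list purely for truthiness; `any(os_node in env.roledefs['all'] for os_node in env.roledefs['openstack'])` states the same condition without it and reads as the boolean it is. The rest of pre_check lies outside the hunk.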
@@ -676,6 +676,8 @@ def fixup_ceilometer_conf_common(): sudo("openstack-config --set %s database connection %s" % (conf_file, value)) amqp_server_ip = get_openstack_amqp_server() sudo("openstack-config --set %s DEFAULT rabbit_host %s" % (conf_file, amqp_server_ip)) + amqp_server_port = get_openstack_amqp_port() + sudo("openstack-config --set %s DEFAULT rabbit_port %s" % (conf_file, amqp_server_port)) value = "/var/log/ceilometer" sudo("openstack-config --set %s DEFAULT log_dir %s" % (conf_file, value)) value = "a74ca26452848001921c" @@ -688,6 +690,9 @@ def fixup_ceilometer_conf_common(): #end fixup_ceilometer_conf_common def fixup_ceilometer_conf_keystone(openstack_ip): + auth_protocol = 'http' + if keystone_ssl_enabled(): + auth_protocol = 'https' conf_file = '/etc/ceilometer/ceilometer.conf' with settings(warn_only=True): authtoken_config = sudo("grep '^auth_host =' /etc/ceilometer/ceilometer.conf").succeeded 
@@ -696,15 +701,19 @@ def fixup_ceilometer_conf_keystone(openstack_ip): sudo("%s admin_password CEILOMETER_PASS" % config_cmd) sudo("%s admin_user ceilometer" % config_cmd) sudo("%s admin_tenant_name service" % config_cmd) - sudo("%s auth_uri http://%s:5000" % (config_cmd, openstack_ip)) - sudo("%s auth_protocol http" % config_cmd) + sudo("%s auth_uri %s://%s:5000" % (config_cmd, auth_protocol, openstack_ip)) + sudo("%s auth_protocol %s" % (config_cmd, auth_protocol)) sudo("%s auth_port 35357" % config_cmd) sudo("%s auth_host %s" % (config_cmd, openstack_ip)) + if keystone_ssl_enabled(): + sudo("%s insecure True" % config_cmd) config_cmd = "openstack-config --set %s service_credentials" % conf_file sudo("%s os_password CEILOMETER_PASS" % config_cmd) sudo("%s os_tenant_name service" % config_cmd) sudo("%s os_username ceilometer" % config_cmd) - sudo("%s os_auth_url http://%s:5000/v2.0" % (config_cmd, openstack_ip)) + sudo("%s os_auth_url %s://%s:5000/v2.0" % (config_cmd, auth_protocol, openstack_ip)) + if keystone_ssl_enabled(): + sudo("%s insecure True" % config_cmd) #end fixup_ceilometer_conf_keystone def fixup_ceilometer_pipeline_conf(analytics_ip): @@ -941,6 +950,8 @@ def setup_ceilometer(): @task def setup_ceilometer_node(*args): """Provisions ceilometer services in one or list of nodes. USAGE: fab setup_ceilometer_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return analytics_ip = hstr_to_ip(env.roledefs['collector'][0]) for host_string in args: self_host = get_control_host_string(host_string) 
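Review bot: With keystone SSL enabled, both the keystone_authtoken and service_credentials sections unconditionally get `insecure True`, so ceilometer accepts any certificate from keystone; the commit message speaks of "keystone certs or insecure flag", but the cert path is never written. Prefer pointing ceilometer at the CA and keep `insecure True` only as the fallback when no cafile is configured: `sudo("%s cafile %s" % (config_cmd, get_keystone_cafile()))` in keystone_authtoken and `sudo("%s os_cacert %s" % (config_cmd, get_keystone_cafile()))` in service_credentials — this assumes the path returned by get_keystone_cafile() is present on the openstack node and that the helper is importable in provision.py, neither of which I can confirm from here. The same trade-off applies to the `keystone --insecure` CLI calls in the setup_ceilometer_node hunk (@@ -986 on the next line), where the new line merely makes the nested call consistent. fixup_ceilometer_conf_keystone starts outside the hunk.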
@@ -986,7 +997,7 @@ def setup_ceilometer_node(*args): ceilometer_service_exists = sudo("source /etc/contrail/openstackrc;keystone --insecure service-list | grep ceilometer").succeeded if not ceilometer_service_exists: sudo("source /etc/contrail/openstackrc;keystone --insecure service-create --name=ceilometer --type=metering --description=\"Telemetry\"") - sudo("source /etc/contrail/openstackrc;keystone --insecure endpoint-create --service-id=$(keystone service-list | awk '/ metering / {print $2}') --publicurl=http://%s:8777 --internalurl=http://%s:8777 --adminurl=http://%s:8777 --region=RegionOne" %(self_ip, self_ip, self_ip)) + sudo("source /etc/contrail/openstackrc;keystone --insecure endpoint-create --service-id=$(keystone --insecure service-list | awk '/ metering / {print $2}') --publicurl=http://%s:8777 --internalurl=http://%s:8777 --adminurl=http://%s:8777 --region=RegionOne" %(self_ip, self_ip, self_ip)) # Fixup ceilometer pipeline cfg fixup_ceilometer_pipeline_conf(analytics_ip) for svc in ceilometer_services: @@ -1004,6 +1015,8 @@ def setup_network_service(): def setup_network_service_node(*args): """Provisions network services in one or list of nodes. USAGE: fab setup_network_service_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return conf_file = '/etc/neutron/neutron.conf' neutron_config = {'DEFAULT' : {'notification_driver' : 'neutron.openstack.common.notifier.rpc_notifier'} } 
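Review bot: setup_network_service_node now returns silently when is_ceilometer_provision_supported() is false, and setup_identity_service_node and setup_image_service_node on the next line (@@ -1014 and @@ -1037) do the same, but nothing in their names or docstrings says they are ceilometer-only; a user running `fab setup_identity_service_node:...` gets no output and no change. Say so in each docstring, e.g. `"""Configures keystone notifications for ceilometer in one or list of nodes; no-op when ceilometer provisioning is unsupported. USAGE: fab setup_identity_service_node:user@1.1.1.1,user@2.2.2.2"""`, and consider a one-line print before each early return so the skip is visible in the fab log. The bodies of these tasks continue outside the hunks.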
@@ -1014,21 +1027,25 @@ def setup_network_service_node(*args): sudo("service neutron-server restart") #end setup_network_service_node +@task +@roles('openstack') +def setup_identity_service(): + """Provisions identity services in openstack nodes""" + if env.roledefs['openstack']: + execute("setup_identity_service_node", env.host_string) + @task def setup_identity_service_node(*args): """Provisions identity services in one or list of nodes. USAGE: fab setup_identity_service_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return amqp_server_ip = get_openstack_amqp_server() - rabbit_port = "5672" - - # If HA is enabled, then use the frontend HAProxy Rabbit port - if get_openstack_internal_vip(): - rabbit_port = "5673" conf_file = '/etc/keystone/keystone.conf' keystone_configs = {'DEFAULT' : {'notification_driver' : 'messaging', 'rabbit_host' : '%s' % amqp_server_ip, - 'rabbit_port' : '%s' % rabbit_port } + 'rabbit_port' : '%s' % get_openstack_amqp_port() } } for host_string in args: for section, key_values in keystone_configs.iteritems(): @@ -1037,9 +1054,18 @@ def setup_identity_service_node(*args): sudo("service keystone restart") #end setup_identity_service_node +@task +@roles('openstack') +def setup_image_service(): + """Provisions image services in openstack nodes""" + if env.roledefs['openstack']: + execute("setup_image_service_node", env.host_string) + @task def setup_image_service_node(*args): """Provisions image services in one or list of nodes. USAGE: fab setup_image_service_node:user@1.1.1.1,user@2.2.2.2""" + if not is_ceilometer_provision_supported(): + return amqp_server_ip = get_openstack_amqp_server() for host_string in args: openstack_sku = get_openstack_sku() 
@@ -1047,6 +1073,7 @@ def setup_image_service_node(*args): glance_configs = {'DEFAULT' : {'notification_driver' : 'messaging', 'rpc_backend' : 'rabbit', 'rabbit_host' : '%s' % amqp_server_ip, + 'rabbit_port' : '%s' % get_openstack_amqp_port(), 'rabbit_password' : 'guest'} } if openstack_sku == 'havana': @@ -1073,12 +1100,6 @@ def setup_openstack(): execute("setup_openstack_node", env.host_string) if is_package_installed('contrail-openstack-dashboard'): execute('setup_contrail_horizon_node', env.host_string) - if is_ceilometer_provision_supported(): - if env.host_string == env.roledefs['openstack'][0]: - execute("setup_ceilometer_node", env.host_string) - execute("setup_network_service") #Provisions in cfgm node - execute("setup_image_service_node", env.host_string) - execute("setup_identity_service_node", env.host_string) @task @roles('openstack') @@ -1144,7 +1165,8 @@ def setup_openstack_node(*args): cmd = frame_vnc_openstack_cmd(host_string) # Execute the provision openstack script with settings(host_string=host_string): - if keystone_ssl_enabled(): + # Certs are already created in setup_ha task + if keystone_ssl_enabled() and not get_openstack_internal_vip(): execute("setup_keystone_ssl_certs_node", host_string) with cd(INSTALLER_DIR): sudo(cmd) @@ -1621,7 +1643,7 @@ def prov_config_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, 
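Review bot: `get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host))` is written out here in prov_config_node and again in prov_database_node, prov_analytics_node, prov_control_bgp_node and prov_external_bgp_node (@@ -1656, -1692, -1726 and -1771 on the next line); the same VIP-or-first-cfgm rule already has a home in fabfile/utils/host.py, where get_contrail_amqp_server documents it. Factor it into one helper there, for instance `get_cfgm_api_ip(cfgm_host=None)` (name is a suggestion), so that a future change to the HA address rule — and the prov_control_bgp_node special case where an explicit cfgm_host must not be overridden — is made in one place. Each of these functions continues outside its hunk.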
@@ -1656,7 +1678,7 @@ def prov_database_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, @@ -1692,7 +1714,7 @@ def prov_analytics_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) cfgm_host = env.roledefs['cfgm'][0] - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, @@ -1726,8 +1748,12 @@ def prov_control_bgp(): def prov_control_bgp_node(*args, **kwargs): oper = kwargs.get('oper', 'add') tgt_node = kwargs.get('tgt_node', None) - cfgm_host = kwargs.get('cfgm_host', env.roledefs['cfgm'][0]) - cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + cfgm_host = kwargs.get('cfgm_host', None) + if cfgm_host: + cfgm_ip = hstr_to_ip(get_control_host_string(cfgm_host)) + else: + cfgm_host = env.roledefs['cfgm'][0] + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(cfgm_host)) cfgm_host_password = get_env_passwords(cfgm_host) for host_string in args: with settings(host_string=host_string, @@ -1771,7 +1797,7 @@ def prov_external_bgp_node(*args): for host_string in args: with settings(host_string=host_string, password=get_env_passwords(host_string)): - cfgm_ip = hstr_to_ip(get_control_host_string(env.roledefs['cfgm'][0])) + cfgm_ip = get_contrail_internal_vip() or hstr_to_ip(get_control_host_string(env.roledefs['cfgm'][0])) for ext_bgp in testbed.ext_routers: ext_bgp_name = ext_bgp[0] ext_bgp_ip = ext_bgp[1] 
@@ -2377,8 +2403,10 @@ def setup_orchestrator(): if orch == 'openstack': execute('increase_ulimits') execute('setup_openstack') - if get_openstack_internal_vip(): - execute('sync_keystone_ssl_certs') + execute("setup_ceilometer") + execute("setup_network_service") #Provisions in cfgm node + execute("setup_image_service",) + execute("setup_identity_service") execute('verify_openstack') #setup_vcenter can be called outside of setup_all and need not be below. So commenting. #elif orch == 'vcenter': diff --git a/fabfile/tasks/ssl.py b/fabfile/tasks/ssl.py index 9b607735d..07bd5444f 100644 --- a/fabfile/tasks/ssl.py +++ b/fabfile/tasks/ssl.py @@ -1,15 +1,19 @@ import os +import tempfile from time import sleep from fabric.contrib.files import exists from fabfile.config import * -from fabfile.utils.host import (get_keystone_certfile, get_keystone_keyfile, - get_keystone_cafile, get_apiserver_certfile, - get_apiserver_keyfile, get_apiserver_cafile, - get_env_passwords, get_openstack_internal_vip, - get_contrail_internal_vip, hstr_to_ip, - get_apiserver_cert_bundle, get_control_host_string) +from fabfile.utils.host import ( + get_keystone_certfile, get_keystone_keyfile, + get_keystone_cafile, get_apiserver_certfile, + get_apiserver_keyfile, get_apiserver_cafile, + get_env_passwords, get_openstack_internal_vip, + get_contrail_internal_vip, hstr_to_ip, + get_apiserver_cert_bundle, get_control_host_string, + get_keystone_cert_bundle, + ) from fabfile.utils.fabos import get_as_sudo @@ -25,6 +29,7 @@ def setup_keystone_ssl_certs_node(*nodes): default_certfile = '/etc/keystone/ssl/certs/keystone.pem' default_keyfile = '/etc/keystone/ssl/private/keystone.key' default_cafile = '/etc/keystone/ssl/certs/keystone_ca.pem' + keystonecertbundle = get_keystone_cert_bundle() ssl_certs = ((get_keystone_certfile(), default_certfile), (get_keystone_keyfile(), default_keyfile), (get_keystone_cafile(), default_cafile)) 
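Review bot: `execute("setup_image_service",)` carries a stray trailing comma; it is harmless in a call but reads like an unfinished argument list — `execute("setup_image_service")`. The removed `sync_keystone_ssl_certs` step ran only when an openstack VIP was set, and the commit relies on setup_ha now creating the certs before haproxy; that ordering dependency is invisible here, so a comment at this point such as `# keystone ssl certs are created and synced by setup_ha in HA deployments` would save the next reader a search. setup_orchestrator continues outside the hunk.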
@@ -35,6 +40,7 @@ def setup_keystone_ssl_certs_node(*nodes): if ssl_cert == default: # Clear old certificate sudo('rm -f %s' % ssl_cert) + sudo('rm -f %s' % keystonecertbundle) for ssl_cert, default in ssl_certs: if ssl_cert == default: openstack_host = env.roledefs['openstack'][0] @@ -51,9 +57,12 @@ def setup_keystone_ssl_certs_node(*nodes): print "Wait for SSL certs to be created in first openstack" sleep(0.1) print "Get SSL cert(%s) from first openstack" % ssl_cert - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) print "Copy to this(%s) openstack node" % env.host_string + sudo('mkdir -p /etc/keystone/ssl/certs/') + sudo('mkdir -p /etc/keystone/ssl/private/') put(tmp_fname, ssl_cert, use_sudo=True) os.remove(tmp_fname) elif os.path.isfile(ssl_cert): @@ -64,7 +73,10 @@ def setup_keystone_ssl_certs_node(*nodes): pass else: raise RuntimeError("%s doesn't exists locally or in openstack node") - sudo("chown -R keystone:keystone /etc/keystone/ssl") + if not exists(keystonecertbundle, use_sudo=True): + ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs + sudo('cat %s %s > %s' % (certfile, cafile, keystonecertbundle)) + sudo("chown -R keystone:keystone /etc/keystone/ssl") @task @@ -106,9 +118,12 @@ def setup_apiserver_ssl_certs_node(*nodes): print "Wait for SSL certs to be created in first cfgm" sleep(0.1) print "Get SSL cert(%s) from first cfgm" % ssl_cert - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) print "Copy to this(%s) cfgm node" % env.host_string + sudo('mkdir -p /etc/contrail/ssl/certs/') + sudo('mkdir -p /etc/contrail/ssl/private/') put(tmp_fname, ssl_cert, use_sudo=True) os.remove(tmp_fname) elif os.path.isfile(ssl_cert): 
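Review bot: `tempfile.mkdtemp()` fixes the parallel-copy collision (each run gets a private, mode-0700 directory), but only the file is removed afterwards with `os.remove(tmp_fname)`, so every certificate copy leaves an empty directory behind on the control host; the apiserver copy in @@ -106 has the same pattern, and the three copies on the next line (@@ -158, -234 and -258) do not remove even the file, so fetched certificate and key material stays in the temp directory after the run. Wrap each fetch-and-put in `try/finally` and call `shutil.rmtree(tmp_dir, ignore_errors=True)` in the finally clause (adding `import shutil` beside the new `import tempfile`), which also covers the case where put() raises. The enclosing functions continue outside the hunks.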
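Review bot: The bundle created by `cat certfile cafile > keystonecertbundle` holds the certificate and CA only, yet it is the file handed to `bind *:5000 ssl crt ...` in the ha.py hunk; haproxy's `crt` expects the private key in that PEM (recent releases can pick up a sibling `.key` file, older ones cannot), so unless keystone.pem already embeds the key the bind may fail to load — worth confirming what the certfile contains. If the key has to be concatenated, write the bundle with a restrictive mode, e.g. `sudo('umask 077; cat %s %s %s > %s' % (certfile, keyfile, cafile, keystonecertbundle))` ahead of the existing chown, since `/etc/keystone/ssl/certs/` otherwise holds only public material; as written, `keyfile` is unpacked but unused. The `rm -f` of the bundle in the @@ -35 hunk sits inside the per-cert loop and runs three times; hoisting it above the loop is cleaner. setup_keystone_ssl_certs_node starts outside the hunk.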
@@ -118,10 +133,10 @@ def setup_apiserver_ssl_certs_node(*nodes): print "Certificate (%s) exists in cfgm node" % ssl_cert else: raise RuntimeError("%s doesn't exists locally or in cfgm node" % ssl_cert) - if not exists(contrailcertbundle, use_sudo=True): - ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs - sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle)) - sudo("chown -R contrail:contrail /etc/contrail/ssl") + if not exists(contrailcertbundle, use_sudo=True): + ((certfile, _), (keyfile, _), (cafile, _)) = ssl_certs + sudo('cat %s %s > %s' % (certfile, cafile, contrailcertbundle)) + sudo("chown -R contrail:contrail /etc/contrail/ssl") @task @@ -158,7 +173,8 @@ def copy_keystone_ssl_certs_to_node(*nodes): sudo('rm -f %s' % cert_file) with settings(host_string=openstack_host, password=get_env_passwords(openstack_host)): - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) sudo("mkdir -p /etc/contrail/ssl/certs/") put(tmp_fname, cert_file, use_sudo=True) @@ -234,7 +250,8 @@ def copy_apiserver_ssl_certs_to_node(*nodes): continue with settings(host_string=cfgm_host, password=get_env_passwords(cfgm_host)): - tmp_fname = os.path.join('/tmp', os.path.basename(ssl_cert)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(ssl_cert)) get_as_sudo(ssl_cert, tmp_fname) sudo("mkdir -p /etc/contrail/ssl/certs/") sudo("mkdir -p /etc/contrail/ssl/private/") @@ -258,6 +275,7 @@ def copy_vnc_api_lib_ini_to_node(*nodes): with settings(host_string=node, password=get_env_passwords(node)): with settings(host_string=cfgm_host, password=get_env_passwords(cfgm_host)): - tmp_fname = os.path.join('/tmp', os.path.basename(vnc_api_lib)) + tmp_dir= tempfile.mkdtemp() + tmp_fname = os.path.join(tmp_dir, os.path.basename(vnc_api_lib)) get_as_sudo(vnc_api_lib, tmp_fname) put(tmp_fname, vnc_api_lib, use_sudo=True) 
diff --git a/fabfile/templates/openstack_haproxy.py b/fabfile/templates/openstack_haproxy.py index f9f852b45..75a0d8746 100644 --- a/fabfile/templates/openstack_haproxy.py +++ b/fabfile/templates/openstack_haproxy.py @@ -7,7 +7,7 @@ stats uri / stats auth $__contrail_hap_user__:$__contrail_hap_passwd__ -frontend openstack-keystone *:5000 +$__keystone_frontend__ default_backend keystone-backend backend keystone-backend @@ -33,7 +33,7 @@ $__keystone_backend_servers__ -frontend openstack-keystone-admin *:35357 +$__keystone_admin_frontend__ default_backend keystone-admin-backend backend keystone-admin-backend diff --git a/fabfile/templates/rabbitmq_config.py b/fabfile/templates/rabbitmq_config.py index 6c2f593f2..805ea6204 100644 --- a/fabfile/templates/rabbitmq_config.py +++ b/fabfile/templates/rabbitmq_config.py @@ -6,7 +6,6 @@ {vm_memory_high_watermark, 0.4}, {disk_free_limit,50000000}, {log_levels,[{connection, info},{mirroring, info}]}, - {heartbeat,10}, {delegate_count,20}, {channel_max,5000}, {tcp_listen_options, diff --git a/fabfile/utils/host.py b/fabfile/utils/host.py index c5d732946..24904c218 100644 --- a/fabfile/utils/host.py +++ b/fabfile/utils/host.py @@ -288,6 +288,16 @@ def get_openstack_amqp_server(): return get_from_testbed_dict('openstack','amqp_host', (rabbit_vip or hstr_to_ip(get_control_host_string(env.roledefs[amqp_in_role][0])))) +def get_openstack_amqp_port(): + rabbit_port = 5672 + if get_from_testbed_dict('openstack', 'manage_amqp', 'no') == 'yes': + if get_openstack_internal_vip(): + rabbit_port = 5673 + else: + if get_contrail_internal_vip(): + rabbit_port = 5673 + return get_from_testbed_dict('openstack','amqp_port', rabbit_port) + def get_contrail_amqp_server(): """Returns first cfgm ip in case of non HA setup and contrail_internal_vip in case of HA setup 
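Review bot: get_openstack_amqp_port has no docstring although its branching is the point of the commit; add one, e.g. `"""Return the rabbit port openstack services should use: the HAProxy frontend port 5673 when the applicable VIP is set (openstack VIP if contrail manages AMQP, else contrail VIP), otherwise 5672; testbed openstack.amqp_port overrides."""`. The nested if/else can be flattened to `vip = get_openstack_internal_vip() if get_from_testbed_dict('openstack', 'manage_amqp', 'no') == 'yes' else get_contrail_internal_vip()` followed by `rabbit_port = 5673 if vip else 5672`. Note the default is an int while a testbed override presumably arrives as a string; callers format with `%s` so it works today, but returning `str(...)` would make the type uniform.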
@@ -411,6 +421,10 @@ def get_keystone_cafile(): return get_from_testbed_dict('keystone','cafile', default) +def get_keystone_cert_bundle(): + return '/etc/keystone/ssl/certs/keystonecertbundle.pem' + + def get_apiserver_certfile(): default = '/etc/contrail/ssl/certs/contrail.pem' return get_from_testbed_dict('cfgm','certfile', default)