Merge "When SSL is enabled in api-server, client services conf file s…

…hould be populated with api_server_use_ssl flag, to make client services use ssl certs when connection to api-server." into R3.1
Juniper · Aug 8, 2016 · c7f97b6 · c7f97b6
2 parents 091c56e + 351462f
commit c7f97b6
Show file tree

Hide file tree

Showing 10 changed files with 60 additions and 52 deletions.
diff --git a/contrail_provisioning/common/base.py b/contrail_provisioning/common/base.py
@@ -294,26 +294,13 @@ def fixup_keystone_auth_config_file(self, configure_memcache):
                          '__contrail_memcached_opt__': 'memcache_servers=127.0.0.1:11211' if configure_memcache else '',
                          '__contrail_ks_auth_url__': '%s://%s:%s/%s' % (self._args.keystone_auth_protocol,
                              self._args.keystone_ip, self._args.keystone_auth_port, self._args.keystone_version),
-                         '__keystone_cert_file_opt__': self._args.keystone_certfile or '',
-                         '__keystone_key_file_opt__': self._args.keystone_keyfile or '',
-                         '__keystone_ca_file_opt__': self._args.keystone_cafile or '',
+                         '__keystone_cert_file_opt__': 'certfile=%s' % self._args.keystone_certfile or '',
+                         '__keystone_key_file_opt__': 'keyfile=%s' % self._args.keystone_keyfile or '',
+                         '__keystone_ca_file_opt__': 'cafile=%s' % self._args.keystone_cafile or '',
                         }
-        if self._args.keystone_certfile:
-            template_vals.update({'__keystone_cert_file__': self._args.keystone_certfile})
-        if self._args.keystone_keyfile:
-            template_vals.update({'__keystone_key_file__': self._args.keystone_keyfile})
-        if self._args.keystone_cafile:
-            template_vals.update({'__keystone_ca_file__': self._args.keystone_cafile})
         self._template_substitute_write(contrail_keystone_auth_conf.template,
                                         template_vals, self._temp_dir_name + '/contrail-keystone-auth.conf')
         local("sudo mv %s/contrail-keystone-auth.conf /etc/contrail/" %(self._temp_dir_name))
-        if self.keystone_ssl_enabled:
-            conf_file = '/etc/contrail/contrail-keystone-auth.conf'
-            configs = {'certfile': self._args.keystone_certfile,
-                       'keyfile': self._args.keystone_keyfile,
-                       'cafile': self._args.keystone_cafile,}
-            for param, value in configs.items():
-                self.set_config(conf_file, 'auth', param, value)
 
     def set_config(self, fl, sec, var, val=''):
         with settings(warn_only=True):

diff --git a/contrail_provisioning/common/scripts/create-ssl-certs.sh b/contrail_provisioning/common/scripts/create-ssl-certs.sh
@@ -91,6 +91,7 @@ main() {
    $CP working/"$CERT_FILE_PREFIX".pem $SSL_PATH/certs/
    $CP working/"$CERT_FILE_PREFIX"_ca.pem $SSL_PATH/certs/
    $RM -rf working
+   $CHOWN -R $CERT_FILE_PREFIX:$CERT_FILE_PREFIX $SSL_PATH
 }
 
 creatCFGFile(){

diff --git a/contrail_provisioning/config/common.py b/contrail_provisioning/config/common.py
@@ -192,6 +192,7 @@ def fixup_schema_transformer_config_file(self):
                          '__contrail_ifmap_password__': 'schema-transformer',
                          '__contrail_api_server_ip__': self.contrail_internal_vip or self.cfgm_ip,
                          '__contrail_api_server_port__': '8082',
+                         '__api_server_use_ssl__': 'True' if self.api_ssl_enabled else 'False',
                          '__contrail_zookeeper_server_ip__': self.zk_servers_ports,
                          '__contrail_use_certs__': self._args.use_certs,
                          '__contrail_keyfile_location__': '/etc/contrail/ssl/private_keys/schema_xfer_key.pem',
@@ -227,6 +228,7 @@ def fixup_device_manager_config_file(self):
         template_vals = {'__rabbit_server_ip__': self.rabbit_servers,
                          '__contrail_api_server_ip__': self.contrail_internal_vip or self.cfgm_ip,
                          '__contrail_api_server_port__': '8082',
+                         '__api_server_use_ssl__': 'True' if self.api_ssl_enabled else 'False',
                          '__contrail_zookeeper_server_ip__': self.zk_servers_ports,
                          '__contrail_log_file__' : '/var/log/contrail/contrail-device-manager.log',
                          '__contrail_cassandra_server_list__' : ' '.join('%s:%s' % cassandra_server for cassandra_server in self.cassandra_server_list),
@@ -247,6 +249,7 @@ def fixup_svc_monitor_config_file(self):
                          '__rabbit_server_ip__': self.rabbit_servers,
                          '__contrail_api_server_ip__': self.contrail_internal_vip or self.cfgm_ip,
                          '__contrail_api_server_port__': '8082',
+                         '__api_server_use_ssl__': 'True' if self.api_ssl_enabled else 'False',
                          '__contrail_analytics_server_ip__': self.contrail_internal_vip or self._args.collector_ip,
                          '__contrail_zookeeper_server_ip__': self.zk_servers_ports,
                          '__contrail_use_certs__': self._args.use_certs,
@@ -323,6 +326,7 @@ def fixup_vnc_api_lib_ini(self):
         template_vals = {
                          '__contrail_keystone_ip__': '127.0.0.1',
                          '__contrail_authn_url__': authn_url,
+                         '__auth_protocol__': 'https' if self.api_ssl_enabled else 'http',
                          '__contrail_apiserver_ip__': self.contrail_internal_vip or self.cfgm_ip,
                         }
         self._template_substitute_write(vnc_api_lib_ini.template,
@@ -336,6 +340,10 @@ def fixup_vnc_api_lib_ini(self):
                        'insecure': self._args.apiserver_insecure}
             for param, value in configs.items():
                 self.set_config(conf_file, 'global', param, value)
+            config = {'cafile' : self._args.keystone_cafile,
+                      'insecure': self._args.keystone_insecure}
+            for param, value in configs.items():
+                self.set_config(conf_file, 'auth', param, value)
         # Remove the auth setion from /etc/contrail/vnc_api_lib.ini, will be added by
         # Orchestrator specific setup if required.
         local("sudo contrail-config --del %s auth" % conf_file)
@@ -404,7 +412,11 @@ def setup_cassandra(self):
                                            self._args.ssd_data_dir,
                                            cluster_name='ContrailConfigDB')
             db.fixup_cassandra_env_config()
+            #db.fixup_zookeeper_configs(self._args.zookeeper_ip_list)
+            local('sudo chkconfig contrail-database on')
             local('sudo service contrail-database restart')
+            #local('sudo chkconfig zookeeper on')
+            #local('sudo service zookeeper restart')
 
     def setup(self):
         self.disable_selinux()

diff --git a/contrail_provisioning/config/openstack.py b/contrail_provisioning/config/openstack.py
@@ -127,15 +127,20 @@ def fixup_vnc_api_lib_ini(self):
                          '__contrail_apiserver_ip__': self.contrail_internal_vip or self.cfgm_ip,
                          '__contrail_keystone_ip__': self._args.keystone_ip,
                          '__contrail_authn_url__': authn_url,
+                         '__auth_protocol__': 'https' if self.api_ssl_enabled else 'http',
                         }
         self._template_substitute_write(vnc_api_lib_ini.template,
                                         template_vals, self._temp_dir_name + '/vnc_api_lib.ini')
         local("sudo mv %s/vnc_api_lib.ini /etc/contrail/" %(self._temp_dir_name))
         conf_file = "/etc/contrail/vnc_api_lib.ini"
+        configs = {'certfile': self._args.apiserver_certfile,
+                   'keyfile': self._args.apiserver_keyfile,
+                   'cafile': self._args.apiserver_cafile,
+                   'insecure': self._args.apiserver_insecure}
+        for param, value in configs.items():
+            self.set_config(conf_file, 'global', param, value)
         if self.keystone_ssl_enabled:
-            configs = {'certfile': self._args.keystone_certfile,
-                       'keyfile': self._args.keystone_keyfile,
-                       'cafile': self._args.keystone_cafile,
+            configs = {'cafile': self._args.keystone_cafile,
                        'insecure': self._args.keystone_insecure}
             for param, value in configs.items():
                 self.set_config(conf_file, 'auth', param, value)

diff --git a/contrail_provisioning/config/templates/contrail_device_manager_conf.py b/contrail_provisioning/config/templates/contrail_device_manager_conf.py
@@ -5,7 +5,7 @@
 rabbit_server=$__rabbit_server_ip__
 api_server_ip=$__contrail_api_server_ip__
 api_server_port=$__contrail_api_server_port__
-api_server_use_ssl=False
+api_server_use_ssl=$__contrail_api_server_port__
 zk_server_ip=$__contrail_zookeeper_server_ip__
 log_file=$__contrail_log_file__
 cassandra_server_list=$__contrail_cassandra_server_list__

diff --git a/contrail_provisioning/config/templates/contrail_schema_transformer_conf.py b/contrail_provisioning/config/templates/contrail_schema_transformer_conf.py
@@ -8,7 +8,7 @@
 ifmap_password=$__contrail_ifmap_password__
 api_server_ip=$__contrail_api_server_ip__
 api_server_port=$__contrail_api_server_port__
-api_server_use_ssl=False
+api_server_use_ssl=$__api_server_use_ssl__
 zk_server_ip=$__contrail_zookeeper_server_ip__
 log_file=$__contrail_log_file__
 cassandra_server_list=$__contrail_cassandra_server_list__

diff --git a/contrail_provisioning/config/templates/contrail_svc_monitor_conf.py b/contrail_provisioning/config/templates/contrail_svc_monitor_conf.py
@@ -8,7 +8,7 @@
 ifmap_password=$__contrail_ifmap_password__
 api_server_ip=$__contrail_api_server_ip__
 api_server_port=$__contrail_api_server_port__
-api_server_use_ssl=False
+api_server_use_ssl=$__api_server_use_ssl__
 zk_server_ip=$__contrail_zookeeper_server_ip__
 log_file=$__contrail_log_file__
 cassandra_server_list=$__contrail_cassandra_server_list__

diff --git a/contrail_provisioning/config/templates/vnc_api_lib_ini.py b/contrail_provisioning/config/templates/vnc_api_lib_ini.py
@@ -17,13 +17,11 @@
 ; Authentication settings (optional)
 [auth]
 AUTHN_TYPE = keystone
-AUTHN_PROTOCOL = http
+AUTHN_PROTOCOL = $__auth_protocol__
 AUTHN_SERVER=$__contrail_keystone_ip__
 AUTHN_PORT = 35357
 AUTHN_URL = $__contrail_authn_url__
 #insecure=False
-#certfile=/etc/contrail/ssl/certs/keystone.pem
-#keyfile=/etc/contrail/ssl/private/keystone_key.pem
 #cafile=/etc/contrail/ssl/certs/keystone_ca.pem
 """)
 
diff --git a/contrail_provisioning/database/base.py b/contrail_provisioning/database/base.py
@@ -28,6 +28,9 @@ class DatabaseCommon(ContrailSetup):
     def __init__(self):
         super(DatabaseCommon, self).__init__()
         self.cassandra = CassandraInfo(self.pdist)
+        self.zoo_conf_dir = '/etc/zookeeper/conf/'
+        if not os.path.isdir(self.zoo_conf_dir):
+            self.zoo_conf_dir = '/etc/zookeeper/'
 
     def fixup_etc_hosts_file(self, listen_ip, hostname):
         # Put hostname/ip mapping into /etc/hosts to avoid DNS resolution
@@ -133,3 +136,31 @@ def fixup_cassandra_env_config(self):
 
         for pattern_to_match, str_to_replace in env_file_settings:
             local("sudo sed -i 's/%s/%s/g' %s" % (pattern_to_match, str_to_replace, env_file))
+
+    def fix_zookeeper_servers_config(self):
+        zk_index = 1
+        # Instead of inserting/deleting config, remove all the zoo keeper servers
+        # and re-generate.
+        local("sudo sed -i '/server.[1-9]*=/d' %s/zoo.cfg" % self.zoo_conf_dir)
+
+        for zk_ip in zookeeper_ip_list:
+            local('sudo echo "server.%d=%s:2888:3888" >> %s/zoo.cfg' %(zk_index, zk_ip, self.zoo_conf_dir))
+            zk_index = zk_index + 1
+
+        #put cluster-unique zookeeper's instance id in myid
+        local('sudo echo "%s" > /var/lib/zookeeper/myid' %(self._args.database_index))
+
+    def fixup_zookeeper_configs(self, zookeeper_ip_list=None):
+        if not zookeeper_ip_list:
+            zookeeper_ip_list = self._args.zookeeper_ip_list
+        # set high session timeout to survive glance led disk activity
+        local('sudo echo "maxSessionTimeout=120000" >> %s/zoo.cfg' % self.zoo_conf_dir)
+        local('sudo echo "autopurge.purgeInterval=3" >> %s/zoo.cfg' % self.zoo_conf_dir)
+        local("sudo sed 's/^#log4j.appender.ROLLINGFILE.MaxBackupIndex=/log4j.appender.ROLLINGFILE.MaxBackupIndex=/g' %s/log4j.properties > log4j.properties.new" % self.zoo_conf_dir)
+        local("sudo mv log4j.properties.new %s/log4j.properties" % self.zoo_conf_dir)
+        if self.pdist in ['fedora', 'centos', 'redhat']:
+            local('echo export ZOO_LOG4J_PROP="INFO,CONSOLE,ROLLINGFILE" >> /usr/lib/zookeeper/bin/zkEnv.sh')
+        if self.pdist == 'Ubuntu':
+            local('echo ZOO_LOG4J_PROP="INFO,CONSOLE,ROLLINGFILE" >> %s/environment' % self.zoo_conf_dir)
+
+        self.fix_zookeeper_servers_config(zookeeper_ip_list)
diff --git a/contrail_provisioning/database/setup.py b/contrail_provisioning/database/setup.py
@@ -33,9 +33,6 @@ def __init__(self, args_str = None):
         self.database_listen_ip = self._args.self_ip
         self.database_seed_list = self._args.seed_list
         self.database_dir = self._args.dir
-        self.zoo_conf_dir = '/etc/zookeeper/conf/'
-        if not os.path.isdir(self.zoo_conf_dir):
-            self.zoo_conf_dir = '/etc/zookeeper/'
 
     def parse_args(self, args_str):
         '''
@@ -135,17 +132,7 @@ def fixup_config_files(self):
 
         self.fixup_contrail_database_nodemgr()
 
-        # set high session timeout to survive glance led disk activity
-        local('sudo echo "maxSessionTimeout=120000" >> %s/zoo.cfg' % self.zoo_conf_dir)
-        local('sudo echo "autopurge.purgeInterval=3" >> %s/zoo.cfg' % self.zoo_conf_dir)
-        local("sudo sed 's/^#log4j.appender.ROLLINGFILE.MaxBackupIndex=/log4j.appender.ROLLINGFILE.MaxBackupIndex=/g' %s/log4j.properties > log4j.properties.new" % self.zoo_conf_dir)
-        local("sudo mv log4j.properties.new %s/log4j.properties" % self.zoo_conf_dir)
-        if self.pdist == 'fedora' or self.pdist == 'centos' or self.pdist == 'redhat':
-            local('echo export ZOO_LOG4J_PROP="INFO,CONSOLE,ROLLINGFILE" >> /usr/lib/zookeeper/bin/zkEnv.sh')
-        if self.pdist == 'Ubuntu':
-            local('echo ZOO_LOG4J_PROP="INFO,CONSOLE,ROLLINGFILE" >> %s/environment' % self.zoo_conf_dir)
-
-        self.fix_zookeeper_servers_config()
+        self.fixup_zookeeper_configs()
         self.fixup_kafka_server_properties(self.database_listen_ip)
 
     def fixup_kafka_server_properties(self, listen_ip):
@@ -238,19 +225,6 @@ def file_pattern_check(self, file_name, regexp):
                     return True
         return False
 
-    def fix_zookeeper_servers_config(self):
-        zk_index = 1
-        # Instead of inserting/deleting config, remove all the zoo keeper servers
-        # and re-generate.
-        local("sudo sed -i '/server.[1-9]*=/d' %s/zoo.cfg" % self.zoo_conf_dir)
-
-        for zk_ip in self._args.zookeeper_ip_list:
-            local('sudo echo "server.%d=%s:2888:3888" >> %s/zoo.cfg' %(zk_index, zk_ip, self.zoo_conf_dir))
-            zk_index = zk_index + 1
-
-        #put cluster-unique zookeeper's instance id in myid
-        local('sudo echo "%s" > /var/lib/zookeeper/myid' %(self._args.database_index))
-
     def restart_zookeeper(self):
         local('sudo service zookeeper restart')