diff --git a/exercise.sh b/exercise.sh
index f24693e..9e7c5ae 100755
--- a/exercise.sh
+++ b/exercise.sh
@@ -82,11 +82,11 @@ nova boot --flavor $FLAVOR --image $IMAGE $NAME --security_groups=$SECGROUP
 # Waiting for boot
 # ----------------
 
-# let's give it 10 seconds to launch
-sleep 10
-
-# check that the status is active
-nova show $NAME | grep status | grep -q ACTIVE
+# check that the status is active within 10 seconds
+if ! timeout 10 sh -c "while ! nova show $NAME | grep status | grep -q ACTIVE; do sleep 1; done"; then
+ echo "server didn't become active!"
+ exit 1
+fi
 
 # get the IP of the server
 IP=`nova show $NAME | grep "private network" | cut -d"|" -f3`
@@ -94,14 +94,13 @@ IP=`nova show $NAME | grep "private network" | cut -d"|" -f3`
 # for single node deployments, we can ping private ips
 MULTI_HOST=${MULTI_HOST:-0}
 if [ "$MULTI_HOST" = "0" ]; then
- # ping it once (timeout of a second)
- ping -c1 -w1 $IP || true
-
 # sometimes the first ping fails (10 seconds isn't enough time for the VM's
- # network to respond?), so let's wait 5 seconds and really test ping
- sleep 5
-
- ping -c1 -w1 $IP
+ # network to respond?), so let's ping for 15 seconds with a timeout
+ # of a second.
+ if ! timeout 15 sh -c "while ! ping -c1 -w1 $IP; do sleep 1; done"; then
+ echo "Couldn't ping server"
+ exit 1
+ fi
 fi
 
 # Security Groups & Floating IPs
@@ -122,11 +121,11 @@ FLOATING_IP=`nova floating-ip-list | grep None | head -1 | cut -d '|' -f2 | sed
 # add floating ip to our server
 nova add-floating-ip $NAME $FLOATING_IP
 
-# sleep for a smidge
-sleep 5
-
-# ping our floating ip
-ping -c1 -w1 $FLOATING_IP
+# test we can ping our floating ip within 10 seconds
+if ! timeout 10 sh -c "while ! ping -c1 -w1 $FLOATING_IP; do sleep 1; done"; then
+ echo "Couldn't ping server with floating ip"
+ exit 1
+fi
 
 # pause the VM and verify we can't ping it anymore
 nova pause $NAME
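Review bot: The new wait loop splices `$NAME` into the command string handed to `sh -c`, so the inner shell re-parses the value as code; the same construction is used for `$IP` in the -94 hunk, `$FLOATING_IP` in the -122 hunk and again in the -148 hunk. NAME is presumably set earlier in this script, so the practical failure is a name with a space or quote silently breaking the loop rather than an injection, but the fix is the same either way: pass the value as a positional parameter, `if ! timeout 10 sh -c 'while ! nova show "$1" | grep status | grep -q ACTIVE; do sleep 1; done' sh "$NAME"; then`, and likewise `sh "$IP"` / `sh "$FLOATING_IP"` in the other three loops. A server that lands in ERROR still makes this loop sit out the full 10 seconds before reporting "didn't become active"; a `grep -q ERROR` exit inside the loop would fail fast with a more accurate message, though that can be a follow-up.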
@@ -148,12 +147,10 @@ ping -c1 -w1 $FLOATING_IP
 # dis-allow icmp traffic (ping)
 nova secgroup-delete-rule $SECGROUP icmp -1 -1 0.0.0.0/0
 
-# sleep for a smidge
-sleep 5
-
-# ping our floating ip
-if ( ping -c1 -w1 $FLOATING_IP ); then
+# test we can aren't able to ping our floating ip within 10 seconds
+if ! timeout 10 sh -c "while ping -c1 -w1 $FLOATING_IP; do sleep 1; done"; then
 print "Security group failure - ping should not be allowed!"
+ echo "Couldn't ping server with floating ip"
 exit 1
 fi
 
diff --git a/files/sudo/nova b/files/sudo/nova
index 3843416..2ce1aac 100644
--- a/files/sudo/nova
+++ b/files/sudo/nova
@@ -1 +1,47 @@
-socat
+Cmnd_Alias NOVACMDS = /bin/chmod /var/lib/nova/tmp/*/root/.ssh, \
+ /bin/chown /var/lib/nova/tmp/*/root/.ssh, \
+ /bin/chown, \
+ /bin/chmod, \
+ /bin/dd, \
+ /sbin/ifconfig, \
+ /sbin/ip, \
+ /sbin/route, \
+ /sbin/iptables, \
+ /sbin/iptables-save, \
+ /sbin/iptables-restore, \
+ /sbin/ip6tables-save, \
+ /sbin/ip6tables-restore, \
+ /sbin/kpartx, \
+ /sbin/losetup, \
+ /sbin/lvcreate, \
+ /sbin/lvdisplay, \
+ /sbin/lvremove, \
+ /bin/mkdir, \
+ /bin/mount, \
+ /sbin/pvcreate, \
+ /usr/bin/tee, \
+ /sbin/tune2fs, \
+ /bin/umount, \
+ /sbin/vgcreate, \
+ /usr/bin/virsh, \
+ /usr/bin/qemu-nbd, \
+ /usr/sbin/brctl, \
+ /sbin/brctl, \
+ /usr/sbin/radvd, \
+ /usr/sbin/vblade-persist, \
+ /sbin/pvcreate, \
+ /sbin/aoe-discover, \
+ /sbin/vgcreate, \
+ /bin/aoe-stat, \
+ /bin/kill, \
+ /sbin/vconfig, \
+ /usr/sbin/ietadm, \
+ /sbin/vgs, \
+ /sbin/iscsiadm, \
+ /usr/bin/socat, \
+ /sbin/parted, \
+ /usr/sbin/dnsmasq, \
+ /usr/bin/arping
+
+%USER% ALL = (root) NOPASSWD: SETENV: NOVACMDS
+
diff --git a/stack.sh b/stack.sh
index 14bcfb2..82cc157 100755
--- a/stack.sh
+++ b/stack.sh
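Review bot: The added `echo "Couldn't ping server with floating ip"` says the opposite of what this branch means: it is entered when `timeout` expires because ping kept succeeding after the icmp rule was deleted, i.e. the server could still be pinged. The `print` line just above it is a ksh/zsh builtin, not bash or dash, so as written the user most likely sees `print: command not found` followed by the misleading echo. Replace the two lines with one `echo "Security group failure - ping should not be allowed!" >&2`. The new comment `# test we can aren't able to ping our floating ip within 10 seconds` is also garbled; `# check that the floating ip can no longer be pinged (give it 10 seconds)` is what the loop does.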
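Review bot: Several NOVACMDS entries carry no argument restriction — `/bin/chown`, `/bin/chmod`, `/bin/dd`, `/usr/bin/tee`, `/bin/mount`, `/bin/mkdir`, `/bin/kill`, `/usr/bin/virsh` — so the `NOPASSWD: SETENV:` grant is in practice unrestricted root for %USER%, and the two path-qualified `/var/lib/nova/tmp/*/root/.ssh` entries at the top add nothing once the bare `/bin/chown` and `/bin/chmod` follow them. If passwordless root for the stack user is the intended trade-off for a development installer, say so at the top of the file, `# NOTE: this is effectively unrestricted root for the stack user; development hosts only`, so the fragment is not copied onto a shared machine; otherwise drop the bare entries and keep the argument-qualified forms. `SETENV:` additionally lets the caller carry its own environment into every one of these commands, which is worth a comment or removal if nova does not need it. `/sbin/pvcreate` and `/sbin/vgcreate` are each listed twice; one copy of each can go.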
@@ -116,6 +116,15 @@ if [[ $EUID -eq 0 ]]; then
 exec su -c "set -e; cd $STACK_DIR; bash stack.sh" stack
 fi
 exit 1
+else
+ # Our user needs passwordless priviledges for certain commands which nova
+ # uses internally.
+ # Natty uec images sudoers does not have a '#includedir'. add one.
+ sudo grep -q "^#includedir.*/etc/sudoers.d" /etc/sudoers ||
+ echo "#includedir /etc/sudoers.d" | sudo tee -a /etc/sudoers
+ sudo cp $FILES/sudo/nova /etc/sudoers.d/stack_sh_nova
+ sudo sed -e "s,%USER%,$USER,g" -i /etc/sudoers.d/stack_sh_nova
+ sudo chmod 0440 /etc/sudoers.d/stack_sh_nova
 fi
 
 # Set the destination directories for openstack projects
@@ -364,8 +373,6 @@ cd $DASH_DIR/openstack-dashboard; sudo python setup.py develop
 # it since we are going to run the services in screen for simple
 cp $FILES/screenrc ~/.screenrc
-## TODO: update current user to allow sudo for all commands in files/sudo/*
-
 # Rabbit
 # ---------
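Review bot: The sudoers fragment is copied into /etc/sudoers.d with `sudo cp`, rewritten in place by `sudo sed -i`, and only then given mode 0440, and nothing validates the result; a `$USER` containing `,` breaks the sed expression, and any syntax error in files/sudo/nova lands in /etc/sudoers.d as-is, where a parse error can make sudo refuse every command on the host, including the ones this script needs to undo the damage. Render the fragment to a temp file, set the final owner and mode there, check it with `visudo -c -f`, and only then move it into place, as below. The `tee -a /etc/sudoers` line above it has the same gap (no `visudo -c` afterwards, and no guard for a file lacking a trailing newline); at least follow it with `sudo visudo -c`. The enclosing `if [[ $EUID -eq 0 ]]` block starts outside the hunk, and `priviledges` in the new comment should read `privileges`.
```shell
else
    # … unchanged: comment block and #includedir check …
    # Render the fragment to a temp file and let visudo reject it before it
    # reaches /etc/sudoers.d; a parse error there would lock us out of sudo.
    sudoers_tmp=$(mktemp)
    sed -e "s,%USER%,$USER,g" "$FILES/sudo/nova" > "$sudoers_tmp"
    sudo chown root:root "$sudoers_tmp"
    sudo chmod 0440 "$sudoers_tmp"
    sudo visudo -c -f "$sudoers_tmp" || { echo "invalid sudoers fragment $sudoers_tmp" >&2; exit 1; }
    sudo mv "$sudoers_tmp" /etc/sudoers.d/stack_sh_nova
```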