From f169a9f99f7fcceae1c65e42de873930015ce2af Mon Sep 17 00:00:00 2001 From: josch Date: Thu, 8 Dec 2011 22:26:23 +0100 Subject: [PATCH] deleted keystone --- exercises/euca.sh | 36 -------- exercises/floating_ips.sh | 168 -------------------------------------- files/keystone.conf | 116 -------------------------- files/keystone_data.sh | 46 ----------- localrc | 1 - openrc | 4 - stack.sh | 68 +-------------- 7 files changed, 1 insertion(+), 438 deletions(-) delete mode 100755 exercises/euca.sh delete mode 100755 exercises/floating_ips.sh delete mode 100644 files/keystone.conf delete mode 100755 files/keystone_data.sh diff --git a/exercises/euca.sh b/exercises/euca.sh deleted file mode 100755 index f999609..0000000 --- a/exercises/euca.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/env bash - -# we will use the ``euca2ools`` cli tool that wraps the python boto -# library to test ec2 compatibility -# - -# This script exits on an error so that errors don't compound and you see -# only the first error that occured. -set -o errexit - -# Print the commands being run so that we can see the command that triggers -# an error. It is also useful for following allowing as the install occurs. -set -o xtrace - - -# Settings -# ======== - -# Use openrc + stackrc + localrc for settings -pushd $(cd $(dirname "$0")/.. && pwd) -source ./openrc -popd - -# find a machine image to boot -IMAGE=`euca-describe-images | grep machine | cut -f2 | head -n1` - -# launch it -INSTANCE=`euca-run-instances $IMAGE | grep INSTANCE | cut -f2` - -# assure it has booted within a reasonable time -if ! timeout $RUNNING_TIMEOUT sh -c "while euca-describe-instances $INSTANCE | grep -q running; do sleep 1; done"; then - echo "server didn't become active within $RUNNING_TIMEOUT seconds" - exit 1 -fi - -euca-terminate-instances $INSTANCE diff --git a/exercises/floating_ips.sh b/exercises/floating_ips.sh deleted file mode 100755 index dca6d5b..0000000 --- a/exercises/floating_ips.sh +++ /dev/null @@ -1,168 +0,0 @@ -#!/usr/bin/env bash - -# **exercise.sh** - using the cloud can be fun - -# we will use the ``nova`` cli tool provided by the ``python-novaclient`` -# package -# - - -# This script exits on an error so that errors don't compound and you see -# only the first error that occured. -set -o errexit - -# Print the commands being run so that we can see the command that triggers -# an error. It is also useful for following allowing as the install occurs. -set -o xtrace - - -# Settings -# ======== - -# Use openrc + stackrc + localrc for settings -pushd $(cd $(dirname "$0")/.. && pwd) -source ./openrc -popd - -# Get a token for clients that don't support service catalog -# ========================================================== - -# manually create a token by querying keystone (sending JSON data). Keystone -# returns a token and catalog of endpoints. We use python to parse the token -# and save it. - -TOKEN=`curl -s -d "{\"auth\":{\"passwordCredentials\": {\"username\": \"$NOVA_USERNAME\", \"password\": \"$NOVA_PASSWORD\"}}}" -H "Content-type: application/json" http://$HOST_IP:5000/v2.0/tokens | python -c "import sys; import json; tok = json.loads(sys.stdin.read()); print tok['access']['token']['id'];"` - -# Launching a server -# ================== - -# List servers for tenant: -nova list - -# Images -# ------ - -# Nova has a **deprecated** way of listing images. -nova image-list - -# But we recommend using glance directly -glance -A $TOKEN index - -# Let's grab the id of the first AMI image to launch -IMAGE=`glance -A $TOKEN index | egrep ami | cut -d" " -f1` - -# Security Groups -# --------------- -SECGROUP=test_secgroup - -# List of secgroups: -nova secgroup-list - -# Create a secgroup -nova secgroup-create $SECGROUP "test_secgroup description" - -# determine flavor -# ---------------- - -# List of flavors: -nova flavor-list - -# and grab the first flavor in the list to launch -FLAVOR=`nova flavor-list | head -n 4 | tail -n 1 | cut -d"|" -f2` - -NAME="myserver" - -nova boot --flavor $FLAVOR --image $IMAGE $NAME --security_groups=$SECGROUP - -# Testing -# ======= - -# First check if it spins up (becomes active and responds to ping on -# internal ip). If you run this script from a nova node, you should -# bypass security groups and have direct access to the server. - -# Waiting for boot -# ---------------- - -# Max time to wait while vm goes from build to active state -ACTIVE_TIMEOUT=${ACTIVE_TIMEOUT:-10} - -# Max time till the vm is bootable -BOOT_TIMEOUT=${BOOT_TIMEOUT:-15} - -# Max time to wait for proper association and dis-association. -ASSOCIATE_TIMEOUT=${ASSOCIATE_TIMEOUT:-10} - -# check that the status is active within ACTIVE_TIMEOUT seconds -if ! timeout $ACTIVE_TIMEOUT sh -c "while ! nova show $NAME | grep status | grep -q ACTIVE; do sleep 1; done"; then - echo "server didn't become active!" - exit 1 -fi - -# get the IP of the server -IP=`nova show $NAME | grep "private network" | cut -d"|" -f3` - -# for single node deployments, we can ping private ips -MULTI_HOST=${MULTI_HOST:-0} -if [ "$MULTI_HOST" = "0" ]; then - # sometimes the first ping fails (10 seconds isn't enough time for the VM's - # network to respond?), so let's ping for a default of 15 seconds with a - # timeout of a second for each ping. - if ! timeout $BOOT_TIMEOUT sh -c "while ! ping -c1 -w1 $IP; do sleep 1; done"; then - echo "Couldn't ping server" - exit 1 - fi -else - # On a multi-host system, without vm net access, do a sleep to wait for the boot - sleep $BOOT_TIMEOUT -fi - -# Security Groups & Floating IPs -# ------------------------------ - -# allow icmp traffic (ping) -nova secgroup-add-rule $SECGROUP icmp -1 -1 0.0.0.0/0 - -# List rules for a secgroup -nova secgroup-list-rules $SECGROUP - -# allocate a floating ip -nova floating-ip-create - -# store floating address -FLOATING_IP=`nova floating-ip-list | grep None | head -1 | cut -d '|' -f2 | sed 's/ //g'` - -# add floating ip to our server -nova add-floating-ip $NAME $FLOATING_IP - -# test we can ping our floating ip within ASSOCIATE_TIMEOUT seconds -if ! timeout $ASSOCIATE_TIMEOUT sh -c "while ! ping -c1 -w1 $FLOATING_IP; do sleep 1; done"; then - echo "Couldn't ping server with floating ip" - exit 1 -fi - -# dis-allow icmp traffic (ping) -nova secgroup-delete-rule $SECGROUP icmp -1 -1 0.0.0.0/0 - -# FIXME (anthony): make xs support security groups -if [ "$VIRT_DRIVER" != "xenserver" ]; then - # test we can aren't able to ping our floating ip within ASSOCIATE_TIMEOUT seconds - if ! timeout $ASSOCIATE_TIMEOUT sh -c "while ping -c1 -w1 $FLOATING_IP; do sleep 1; done"; then - print "Security group failure - ping should not be allowed!" - echo "Couldn't ping server with floating ip" - exit 1 - fi -fi - -# de-allocate the floating ip -nova floating-ip-delete $FLOATING_IP - -# shutdown the server -nova delete $NAME - -# Delete a secgroup -nova secgroup-delete $SECGROUP - -# FIXME: validate shutdown within 5 seconds -# (nova show $NAME returns 1 or status != ACTIVE)? - diff --git a/files/keystone.conf b/files/keystone.conf deleted file mode 100644 index 0c0d0e2..0000000 --- a/files/keystone.conf +++ /dev/null @@ -1,116 +0,0 @@ -[DEFAULT] -# Show more verbose log output (sets INFO log level output) -verbose = False - -# Show debugging output in logs (sets DEBUG log level output) -debug = False - -# Which backend store should Keystone use by default. -# Default: 'sqlite' -# Available choices are 'sqlite' [future will include LDAP, PAM, etc] -default_store = sqlite - -# Log to this file. Make sure you do not set the same log -# file for both the API and registry servers! -log_file = %DEST%/keystone/keystone.log - -# List of backends to be configured -backends = keystone.backends.sqlalchemy -#For LDAP support, add: ,keystone.backends.ldap - -# Dictionary Maps every service to a header.Missing services would get header -# X_(SERVICE_NAME) Key => Service Name, Value => Header Name -service-header-mappings = { - 'nova' : 'X-Server-Management-Url', - 'swift' : 'X-Storage-Url', - 'cdn' : 'X-CDN-Management-Url'} - -#List of extensions currently supported -extensions= osksadm,oskscatalog - -# Address to bind the API server -# TODO Properties defined within app not available via pipeline. -service_host = 0.0.0.0 - -# Port the bind the API server to -service_port = 5000 - -# SSL for API server -service_ssl = False - -# Address to bind the Admin API server -admin_host = 0.0.0.0 - -# Port the bind the Admin API server to -admin_port = 35357 - -# SSL for API Admin server -admin_ssl = False - -# Keystone certificate file (modify as needed) -# Only required if *_ssl is set to True -certfile = /etc/keystone/ssl/certs/keystone.pem - -# Keystone private key file (modify as needed) -# Only required if *_ssl is set to True -keyfile = /etc/keystone/ssl/private/keystonekey.pem - -# Keystone trusted CA certificates (modify as needed) -# Only required if *_ssl is set to True -ca_certs = /etc/keystone/ssl/certs/ca.pem - -# Client certificate required -# Only relevant if *_ssl is set to True -cert_required = True - -#Role that allows to perform admin operations. -keystone-admin-role = Admin - -#Role that allows to perform service admin operations. -keystone-service-admin-role = KeystoneServiceAdmin - -#Tells whether password user need to be hashed in the backend -hash-password = True - -[keystone.backends.sqlalchemy] -# SQLAlchemy connection string for the reference implementation registry -# server. Any valid SQLAlchemy connection string is fine. -# See: http://bit.ly/ideIpI -sql_connection = %SQL_CONN% -backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant', - 'User', 'Credentials', 'EndpointTemplates', 'Token', - 'Service'] - -# Period in seconds after which SQLAlchemy should reestablish its connection -# to the database. -sql_idle_timeout = 30 - -[pipeline:admin] -pipeline = - urlrewritefilter - admin_api - -[pipeline:keystone-legacy-auth] -pipeline = - urlrewritefilter - legacy_auth - RAX-KEY-extension - service_api - -[app:service_api] -paste.app_factory = keystone.server:service_app_factory - -[app:admin_api] -paste.app_factory = keystone.server:admin_app_factory - -[filter:urlrewritefilter] -paste.filter_factory = keystone.middleware.url:filter_factory - -[filter:legacy_auth] -paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory - -[filter:RAX-KEY-extension] -paste.filter_factory = keystone.contrib.extensions.service.raxkey.frontend:filter_factory - -[filter:debug] -paste.filter_factory = keystone.common.wsgi:debug_filter_factory diff --git a/files/keystone_data.sh b/files/keystone_data.sh deleted file mode 100755 index b8d137d..0000000 --- a/files/keystone_data.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash -BIN_DIR=${BIN_DIR:-.} -# Tenants -$BIN_DIR/keystone-manage $* tenant add admin -$BIN_DIR/keystone-manage $* tenant add demo -$BIN_DIR/keystone-manage $* tenant add invisible_to_admin - -# Users -$BIN_DIR/keystone-manage $* user add admin %ADMIN_PASSWORD% -$BIN_DIR/keystone-manage $* user add demo %ADMIN_PASSWORD% - -# Roles -$BIN_DIR/keystone-manage $* role add Admin -$BIN_DIR/keystone-manage $* role add Member -$BIN_DIR/keystone-manage $* role add KeystoneAdmin -$BIN_DIR/keystone-manage $* role add KeystoneServiceAdmin -$BIN_DIR/keystone-manage $* role add sysadmin -$BIN_DIR/keystone-manage $* role add netadmin -$BIN_DIR/keystone-manage $* role grant Admin admin admin -$BIN_DIR/keystone-manage $* role grant Member demo demo -$BIN_DIR/keystone-manage $* role grant sysadmin demo demo -$BIN_DIR/keystone-manage $* role grant netadmin demo demo -$BIN_DIR/keystone-manage $* role grant Member demo invisible_to_admin -$BIN_DIR/keystone-manage $* role grant Admin admin demo -$BIN_DIR/keystone-manage $* role grant Admin admin -$BIN_DIR/keystone-manage $* role grant KeystoneAdmin admin -$BIN_DIR/keystone-manage $* role grant KeystoneServiceAdmin admin - -# Services -$BIN_DIR/keystone-manage $* service add nova compute "Nova Compute Service" -$BIN_DIR/keystone-manage $* service add glance image "Glance Image Service" -$BIN_DIR/keystone-manage $* service add keystone identity "Keystone Identity Service" - -#endpointTemplates -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne nova http://%HOST_IP%:8774/v1.1/%tenant_id% http://%HOST_IP%:8774/v1.1/%tenant_id% http://%HOST_IP%:8774/v1.1/%tenant_id% 1 1 -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne glance http://%HOST_IP%:9292/v1.1/%tenant_id% http://%HOST_IP%:9292/v1.1/%tenant_id% http://%HOST_IP%:9292/v1.1/%tenant_id% 1 1 -$BIN_DIR/keystone-manage $* endpointTemplates add RegionOne keystone http://%HOST_IP%:5000/v2.0 http://%HOST_IP%:35357/v2.0 http://%HOST_IP%:5000/v2.0 1 1 - -# Tokens -$BIN_DIR/keystone-manage $* token add %SERVICE_TOKEN% admin admin 2015-02-05T00:00 - -# EC2 related creds - note we are setting the secret key to ADMIN_PASSWORD -# but keystone doesn't parse them - it is just a blob from keystone's -# point of view -$BIN_DIR/keystone-manage $* credentials add admin EC2 'admin' '%ADMIN_PASSWORD%' admin || echo "no support for adding credentials" -$BIN_DIR/keystone-manage $* credentials add demo EC2 'demo' '%ADMIN_PASSWORD%' demo || echo "no support for adding credentials" diff --git a/localrc b/localrc index 0072f8b..ee878eb 100644 --- a/localrc +++ b/localrc @@ -1,4 +1,3 @@ MYSQL_PASSWORD=passmysql RABBIT_PASSWORD=passrabbit SERVICE_TOKEN=passadmintoken -ADMIN_PASSWORD=passkeystone diff --git a/openrc b/openrc index 7c1e129..f574985 100644 --- a/openrc +++ b/openrc @@ -17,10 +17,6 @@ export NOVA_PROJECT_ID=${TENANT:-demo} # the action as the **user**. export NOVA_USERNAME=${USERNAME:-demo} -# With Keystone you pass the keystone password instead of an api key. -# The most recent versions of novaclient use NOVA_PASSWORD instead of NOVA_API_KEY -export NOVA_PASSWORD=${ADMIN_PASSWORD:-secrete} - # With the addition of Keystone, to use an openstack cloud you should # authenticate against keystone, which returns a **Token** and **Service # Catalog**. The catalog contains the endpoint for all services the user/tenant diff --git a/stack.sh b/stack.sh index 233661e..10bf129 100755 --- a/stack.sh +++ b/stack.sh @@ -126,14 +126,13 @@ fi # Set the destination directories for openstack projects NOVA_DIR=$DEST/nova GLANCE_DIR=$DEST/glance -KEYSTONE_DIR=$DEST/keystone NOVACLIENT_DIR=$DEST/python-novaclient # Default Quantum Plugin Q_PLUGIN=${Q_PLUGIN:-openvswitch} # Specify which services to launch. These generally correspond to screen tabs -ENABLED_SERVICES=${ENABLED_SERVICES:-g-api,g-reg,key,n-api,n-cpu,n-net,n-sch,mysql,rabbit} +ENABLED_SERVICES=${ENABLED_SERVICES:-g-api,g-reg,n-api,n-cpu,n-net,n-sch,mysql,rabbit} # Name of the lvm volume group to use/create for iscsi volumes VOLUME_GROUP=${VOLUME_GROUP:-nova-volumes} @@ -275,14 +274,9 @@ read_password RABBIT_PASSWORD "ENTER A PASSWORD TO USE FOR RABBIT." # Glance connection info. Note the port must be specified. GLANCE_HOSTPORT=${GLANCE_HOSTPORT:-$HOST_IP:9292} -# Keystone -# -------- - # Service Token - Openstack components need to have an admin token # to validate user tokens. read_password SERVICE_TOKEN "ENTER A SERVICE_TOKEN TO USE FOR THE SERVICE ADMIN TOKEN." -# Horizon currently truncates usernames and passwords at 20 characters -read_password ADMIN_PASSWORD "ENTER A PASSWORD TO USE FOR HORIZON AND KEYSTONE (20 CHARS OR LESS)." LOGFILE=${LOGFILE:-"$PWD/stack.sh.$$.log"} ( @@ -335,10 +329,6 @@ function get_packages() { if [[ ! $file_to_parse =~ glance ]]; then file_to_parse="${file_to_parse} glance" fi - elif [[ $service == key* ]]; then - if [[ ! $file_to_parse =~ keystone ]]; then - file_to_parse="${file_to_parse} keystone" - fi fi done @@ -422,14 +412,6 @@ git_clone $NOVA_REPO $NOVA_DIR $NOVA_BRANCH # python client library to nova that horizon (and others) use git_clone $NOVACLIENT_REPO $NOVACLIENT_DIR $NOVACLIENT_BRANCH -# glance, swift middleware and nova api needs keystone middleware -if [[ "$ENABLED_SERVICES" =~ "key" || - "$ENABLED_SERVICES" =~ "g-api" || - "$ENABLED_SERVICES" =~ "n-api" || - "$ENABLED_SERVICES" =~ "swift" ]]; then - # unified auth system (manages accounts/tokens) - git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH -fi if [[ "$ENABLED_SERVICES" =~ "g-api" || "$ENABLED_SERVICES" =~ "n-api" ]]; then # image catalog service @@ -442,12 +424,6 @@ fi # setup our checkouts so they are installed into python path # allowing ``import nova`` or ``import glance.client`` -if [[ "$ENABLED_SERVICES" =~ "key" || - "$ENABLED_SERVICES" =~ "g-api" || - "$ENABLED_SERVICES" =~ "n-api" || - "$ENABLED_SERVICES" =~ "swift" ]]; then - cd $KEYSTONE_DIR; sudo python setup.py develop -fi if [[ "$ENABLED_SERVICES" =~ "g-api" || "$ENABLED_SERVICES" =~ "n-api" ]]; then cd $GLANCE_DIR; sudo python setup.py develop @@ -716,30 +692,6 @@ if [[ "$ENABLED_SERVICES" =~ "mysql" ]]; then fi -# Keystone -# -------- - -if [[ "$ENABLED_SERVICES" =~ "key" ]]; then - # (re)create keystone database - mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'DROP DATABASE IF EXISTS keystone;' - mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE keystone;' - - # Configure keystone.conf - KEYSTONE_CONF=$KEYSTONE_DIR/etc/keystone.conf - cp $FILES/keystone.conf $KEYSTONE_CONF - sudo sed -e "s,%SQL_CONN%,$BASE_SQL_CONN/keystone,g" -i $KEYSTONE_CONF - sudo sed -e "s,%DEST%,$DEST,g" -i $KEYSTONE_CONF - - # keystone_data.sh creates our admin user and our ``SERVICE_TOKEN``. - KEYSTONE_DATA=$KEYSTONE_DIR/bin/keystone_data.sh - cp $FILES/keystone_data.sh $KEYSTONE_DATA - sudo sed -e "s,%HOST_IP%,$HOST_IP,g" -i $KEYSTONE_DATA - sudo sed -e "s,%SERVICE_TOKEN%,$SERVICE_TOKEN,g" -i $KEYSTONE_DATA - sudo sed -e "s,%ADMIN_PASSWORD%,$ADMIN_PASSWORD,g" -i $KEYSTONE_DATA - # initialize keystone with default users/endpoints - ENABLED_SERVICES=$ENABLED_SERVICES BIN_DIR=$KEYSTONE_DIR/bin bash $KEYSTONE_DATA -fi - # Launch Services # =============== @@ -785,16 +737,6 @@ if [[ "$ENABLED_SERVICES" =~ "g-api" ]]; then fi fi -# launch the keystone and wait for it to answer before continuing -if [[ "$ENABLED_SERVICES" =~ "key" ]]; then - screen_it key "cd $KEYSTONE_DIR && $KEYSTONE_DIR/bin/keystone --config-file $KEYSTONE_CONF -d" - echo "Waiting for keystone to start..." - if ! timeout $SERVICE_TIMEOUT sh -c "while ! wget -q -O- http://127.0.0.1:5000; do sleep 1; done"; then - echo "keystone did not start" - exit 1 - fi -fi - # launch the nova-api and wait for it to answer before continuing if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then screen_it n-api "cd $NOVA_DIR && $NOVA_DIR/bin/nova-api" @@ -896,14 +838,6 @@ echo "" echo "" echo "" -# If keystone is present, you can point nova cli to this server -if [[ "$ENABLED_SERVICES" =~ "key" ]]; then - echo "keystone is serving at http://$HOST_IP:5000/v2.0/" - echo "examples on using novaclient command line is in exercise.sh" - echo "the default users are: admin and demo" - echo "the password: $ADMIN_PASSWORD" -fi - # indicate how long this took to run (bash maintained variable 'SECONDS') echo "stack.sh completed in $SECONDS seconds."