Merge "Cleanup keystone library"
diff --git a/functions-common b/functions-common
index 111d339..147e949 100644
--- a/functions-common
+++ b/functions-common
@@ -85,7 +85,7 @@
if [ -f "$SSL_BUNDLE_FILE" ]; then
CA_CERT_ARG="--os-cacert $SSL_BUNDLE_FILE"
fi
- # demo -> devstack
+ # devstack: user with the member role on demo project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack \
@@ -96,18 +96,7 @@
--os-password $ADMIN_PASSWORD \
--os-project-name demo
- # alt_demo -> devstack-alt
- $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
- --file $CLOUDS_YAML \
- --os-cloud devstack-alt \
- --os-region-name $REGION_NAME \
- $CA_CERT_ARG \
- --os-auth-url $KEYSTONE_SERVICE_URI \
- --os-username alt_demo \
- --os-password $ADMIN_PASSWORD \
- --os-project-name alt_demo
-
- # admin -> devstack-admin
+ # devstack-admin: user with the admin role on the admin project
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-admin \
@@ -118,7 +107,51 @@
--os-password $ADMIN_PASSWORD \
--os-project-name admin
- # admin with a system-scoped token -> devstack-system
+ # devstack-alt: user with the member role on alt_demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-alt \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username alt_demo \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name alt_demo
+
+ # devstack-alt-member: user with the member role on alt_demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-alt-member \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username alt_demo_member \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name alt_demo
+
+ # devstack-alt-reader: user with the reader role on alt_demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-alt-reader \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username alt_demo_reader \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name alt_demo
+
+ # devstack-reader: user with the reader role on demo project
+ $PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
+ --file $CLOUDS_YAML \
+ --os-cloud devstack-reader \
+ --os-region-name $REGION_NAME \
+ $CA_CERT_ARG \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username demo_reader \
+ --os-password $ADMIN_PASSWORD \
+ --os-project-name demo
+
+ # devstack-system-admin: user with the admin role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-admin \
@@ -129,7 +162,7 @@
--os-password $ADMIN_PASSWORD \
--os-system-scope all
- # system member
+ # devstack-system-member: user with the member role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-member \
@@ -140,7 +173,7 @@
--os-password $ADMIN_PASSWORD \
--os-system-scope all
- # system reader
+ # devstack-system-reader: user with the reader role on the system
$PYTHON $TOP_DIR/tools/update_clouds_yaml.py \
--file $CLOUDS_YAML \
--os-cloud devstack-system-reader \
@@ -569,7 +602,7 @@
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to 'required-projects' in the job definition."
- die $LINENO "Cloning not allowed in this configuration"
+ die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
git_timed clone $git_clone_flags $git_remote $git_dest
fi
@@ -581,7 +614,7 @@
if [[ "$ERROR_ON_CLONE" = "True" ]]; then
echo "The $git_dest project was not found; if this is a gate job, add"
echo "the project to the \$PROJECTS variable in the job definition."
- die $LINENO "Cloning not allowed in this configuration"
+ die $LINENO "ERROR_ON_CLONE is set to True so cloning not allowed in this configuration"
fi
# '--branch' can also take tags
git_timed clone $git_clone_flags $git_remote $git_dest --branch $git_ref
diff --git a/lib/keystone b/lib/keystone
index 349d257..aebc7de 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -213,14 +213,11 @@
service_port=$KEYSTONE_SERVICE_PORT_INT
fi
- # Override the endpoints advertised by keystone (the public_endpoint and
- # admin_endpoint) so that clients use the correct endpoint. By default, the
- # keystone server uses the public_port and admin_port which isn't going to
- # work when you want to use a different port (in the case of proxy), or you
- # don't want the port (in the case of putting keystone on a path in
- # apache).
+ # Override the endpoints advertised by keystone so that clients use the correct
+ # endpoint. By default, the keystone server uses the public_port which isn't
+ # going to work when you want to use a different port (in the case of proxy),
+ # or you don't want the port (in the case of putting keystone on a path in apache).
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
- iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_SERVICE_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
@@ -345,19 +342,39 @@
async_run ks-demo-another get_or_add_user_project_role $another_role $demo_user $demo_project
async_run ks-demo-invis get_or_add_user_project_role $member_role $demo_user $invis_project
- # alt_demo
+ # Create a user to act as a reader on project demo
+ local demo_reader
+ demo_reader=$(get_or_create_user "demo_reader" \
+ "$ADMIN_PASSWORD" "default" "demo_reader@example.com")
+
+ async_run ks-demo-reader get_or_add_user_project_role $reader_role $demo_reader $demo_project
+
+ # Create a different project called alt_demo
local alt_demo_project
alt_demo_project=$(get_or_create_project "alt_demo" default)
+ # Create a user to act as member, admin and anotherrole on project alt_demo
local alt_demo_user
alt_demo_user=$(get_or_create_user "alt_demo" \
"$ADMIN_PASSWORD" "default" "alt_demo@example.com")
async_run ks-alt-member get_or_add_user_project_role $member_role $alt_demo_user $alt_demo_project
- async_run ks-alt-admin get_or_add_user_project_role $admin_role $admin_user $alt_demo_project
+ async_run ks-alt-admin get_or_add_user_project_role $admin_role $alt_demo_user $alt_demo_project
async_run ks-alt-another get_or_add_user_project_role $another_role $alt_demo_user $alt_demo_project
- # Create two users, give one the member role on the system and the other
- # the reader role on the system. These two users model system-member and
+ # Create another user to act as a member on project alt_demo
+ local alt_demo_member
+ alt_demo_member=$(get_or_create_user "alt_demo_member" \
+ "$ADMIN_PASSWORD" "default" "alt_demo_member@example.com")
+ async_run ks-alt-member-user get_or_add_user_project_role $member_role $alt_demo_member $alt_demo_project
+
+ # Create another user to act as a reader on project alt_demo
+ local alt_demo_reader
+ alt_demo_reader=$(get_or_create_user "alt_demo_reader" \
+ "$ADMIN_PASSWORD" "default" "alt_demo_reader@example.com")
+ async_run ks-alt-reader-user get_or_add_user_project_role $reader_role $alt_demo_reader $alt_demo_project
+
+ # Create two users, give one the member role on the system and the other the
+ # reader role on the system. These two users model system-member and
# system-reader personas. The admin user already has the admin role on the
# system and we can re-use this user as a system-admin.
system_member_user=$(get_or_create_user "system_member" \
@@ -382,8 +399,8 @@
async_run ks-group-anotheralt get_or_add_group_project_role $another_role $non_admin_group $alt_demo_project
async_run ks-group-admin get_or_add_group_project_role $admin_role $admin_group $admin_project
- async_wait ks-demo-{member,admin,another,invis}
- async_wait ks-alt-{member,admin,another}
+ async_wait ks-demo-{member,admin,another,invis,reader}
+ async_wait ks-alt-{member,admin,another,member-user,reader-user}
async_wait ks-system-{member,reader}
async_wait ks-group-{memberdemo,anotherdemo,memberalt,anotheralt,admin}
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 704d2e8..a5a608d 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -277,7 +277,9 @@
source $TOP_DIR/lib/neutron_plugins/services/l3
# Additional Neutron service plugins
+source $TOP_DIR/lib/neutron_plugins/services/placement
source $TOP_DIR/lib/neutron_plugins/services/trunk
+source $TOP_DIR/lib/neutron_plugins/services/qos
# Use security group or not
if has_neutron_plugin_security_group; then
@@ -374,9 +376,19 @@
fi
# Configure Neutron's advanced services
+ if is_service_enabled q-placement neutron-placement; then
+ configure_placement_extension
+ fi
if is_service_enabled q-trunk neutron-trunk; then
configure_trunk_extension
fi
+ if is_service_enabled q-qos neutron-qos; then
+ configure_qos
+ if is_service_enabled q-l3 neutron-l3; then
+ configure_l3_agent_extension_fip_qos
+ configure_l3_agent_extension_gateway_ip_qos
+ fi
+ fi
iniset $NEUTRON_CONF DEFAULT api_workers "$API_WORKERS"
# devstack is not a tool for running uber scale OpenStack
@@ -1027,6 +1039,15 @@
test_with_retry "$testcmd" "server $ip didn't become ssh-able" $timeout_sec
}
+function plugin_agent_add_l2_agent_extension {
+ local l2_agent_extension=$1
+ if [[ -z "$L2_AGENT_EXTENSIONS" ]]; then
+ L2_AGENT_EXTENSIONS=$l2_agent_extension
+ elif [[ ! ,${L2_AGENT_EXTENSIONS}, =~ ,${l2_agent_extension}, ]]; then
+ L2_AGENT_EXTENSIONS+=",$l2_agent_extension"
+ fi
+}
+
# Restore xtrace
$_XTRACE_NEUTRON
diff --git a/lib/neutron_plugins/ml2 b/lib/neutron_plugins/ml2
index e1f868f..f00feac 100644
--- a/lib/neutron_plugins/ml2
+++ b/lib/neutron_plugins/ml2
@@ -156,5 +156,9 @@
return 0
}
+function configure_qos_ml2 {
+ neutron_ml2_extension_driver_add "qos"
+}
+
# Restore xtrace
$_XTRACE_NEUTRON_ML2
diff --git a/lib/neutron_plugins/ovn_agent b/lib/neutron_plugins/ovn_agent
index 1f737fb..3fc3828 100644
--- a/lib/neutron_plugins/ovn_agent
+++ b/lib/neutron_plugins/ovn_agent
@@ -119,7 +119,13 @@
OVS_DATADIR=$DATA_DIR/ovs
OVS_SYSCONFDIR=${OVS_SYSCONFDIR:-$OVS_PREFIX/etc/openvswitch}
-OVN_DATADIR=$DATA_DIR/ovn
+if [[ "$OVN_BUILD_FROM_SOURCE" == "True" ]]; then
+ OVN_DATADIR=$DATA_DIR/ovn
+else
+ # When using OVN from packages, the data dir for OVN DBs is
+ # /var/lib/ovn
+ OVN_DATADIR=/var/lib/ovn
+fi
OVN_SHAREDIR=$OVS_PREFIX/share/ovn
OVN_SCRIPTDIR=$OVN_SHAREDIR/scripts
OVN_RUNDIR=$OVS_PREFIX/var/run/ovn
@@ -561,14 +567,19 @@
# create new ones on each devstack run.
_disable_libvirt_apparmor
+ local mkdir_cmd="mkdir -p ${OVN_DATADIR}"
- mkdir -p $OVN_DATADIR
+ if [[ "$OVN_BUILD_FROM_SOURCE" == "False" ]]; then
+ mkdir_cmd="sudo ${mkdir_cmd}"
+ fi
+
+ $mkdir_cmd
mkdir -p $OVS_DATADIR
rm -f $OVS_DATADIR/*.db
rm -f $OVS_DATADIR/.*.db.~lock~
- rm -f $OVN_DATADIR/*.db
- rm -f $OVN_DATADIR/.*.db.~lock~
+ sudo rm -f $OVN_DATADIR/*.db
+ sudo rm -f $OVN_DATADIR/.*.db.~lock~
}
function _start_ovs {
diff --git a/lib/neutron_plugins/services/l3 b/lib/neutron_plugins/services/l3
index 98b96ac..72f7a32 100644
--- a/lib/neutron_plugins/services/l3
+++ b/lib/neutron_plugins/services/l3
@@ -427,3 +427,12 @@
EXT_LIST=$(openstack --os-cloud devstack-admin --os-region "$REGION_NAME" extension list --network -c Alias -f value)
[[ $EXT_LIST =~ $extension ]] && return 0
}
+
+function plugin_agent_add_l3_agent_extension {
+ local l3_agent_extension=$1
+ if [[ -z "$L3_AGENT_EXTENSIONS" ]]; then
+ L3_AGENT_EXTENSIONS=$l3_agent_extension
+ elif [[ ! ,${L3_AGENT_EXTENSIONS}, =~ ,${l3_agent_extension}, ]]; then
+ L3_AGENT_EXTENSIONS+=",$l3_agent_extension"
+ fi
+}
diff --git a/lib/neutron_plugins/services/placement b/lib/neutron_plugins/services/placement
new file mode 100644
index 0000000..3ec185b
--- /dev/null
+++ b/lib/neutron_plugins/services/placement
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+function configure_placement_service_plugin {
+ neutron_service_plugin_class_add "placement"
+}
+
+function configure_placement_neutron {
+ iniset $NEUTRON_CONF placement auth_type "$NEUTRON_PLACEMENT_AUTH_TYPE"
+ iniset $NEUTRON_CONF placement auth_url "$KEYSTONE_SERVICE_URI"
+ iniset $NEUTRON_CONF placement username "$NEUTRON_PLACEMENT_USERNAME"
+ iniset $NEUTRON_CONF placement password "$SERVICE_PASSWORD"
+ iniset $NEUTRON_CONF placement user_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NEUTRON_CONF placement project_name "$SERVICE_TENANT_NAME"
+ iniset $NEUTRON_CONF placement project_domain_name "$SERVICE_DOMAIN_NAME"
+ iniset $NEUTRON_CONF placement region_name "$REGION_NAME"
+}
+
+function configure_placement_extension {
+ configure_placement_service_plugin
+ configure_placement_neutron
+}
diff --git a/lib/neutron_plugins/services/qos b/lib/neutron_plugins/services/qos
new file mode 100644
index 0000000..af9eb3d
--- /dev/null
+++ b/lib/neutron_plugins/services/qos
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function configure_qos_service_plugin {
+ neutron_service_plugin_class_add "qos"
+}
+
+
+function configure_qos_core_plugin {
+ configure_qos_$NEUTRON_CORE_PLUGIN
+}
+
+
+function configure_qos_l2_agent {
+ plugin_agent_add_l2_agent_extension "qos"
+}
+
+
+function configure_qos {
+ configure_qos_service_plugin
+ configure_qos_core_plugin
+ configure_qos_l2_agent
+}
+
+function configure_l3_agent_extension_fip_qos {
+ plugin_agent_add_l3_agent_extension "fip_qos"
+}
+
+function configure_l3_agent_extension_gateway_ip_qos {
+ plugin_agent_add_l3_agent_extension "gateway_ip_qos"
+}
diff --git a/lib/swift b/lib/swift
index b376993..9c13701 100644
--- a/lib/swift
+++ b/lib/swift
@@ -866,12 +866,15 @@
function swift_configure_tempurls {
# note we are using swift credentials!
- OS_USERNAME=swift \
- OS_PASSWORD=$SERVICE_PASSWORD \
- OS_USER_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
- OS_PROJECT_NAME=$SERVICE_PROJECT_NAME \
- OS_PROJECT_DOMAIN_NAME=$SERVICE_DOMAIN_NAME \
- openstack object store account \
+ openstack --os-cloud "" \
+ --os-region-name $REGION_NAME \
+ --os-auth-url $KEYSTONE_SERVICE_URI \
+ --os-username=swift \
+ --os-password=$SERVICE_PASSWORD \
+ --os-user-domain-name=$SERVICE_DOMAIN_NAME \
+ --os-project-name=$SERVICE_PROJECT_NAME \
+ --os-project-domain-name=$SERVICE_DOMAIN_NAME \
+ object store account \
set --property "Temp-URL-Key=$SWIFT_TEMPURL_KEY"
}
diff --git a/stack.sh b/stack.sh
index b5ad81b..b5dc0ee 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1063,35 +1063,13 @@
# Keystone
# --------
-# Rather than just export these, we write them out to a
-# intermediate userrc file that can also be used to debug if
-# something goes wrong between here and running
-# tools/create_userrc.sh (this script relies on services other
-# than keystone being available, so we can't call it right now)
-cat > $TOP_DIR/userrc_early <<EOF
-# Use this for debugging issues before files in accrc are created
-
-# Set up password auth credentials now that Keystone is bootstrapped
-export OS_IDENTITY_API_VERSION=3
-export OS_AUTH_URL=$KEYSTONE_SERVICE_URI
-export OS_USERNAME=admin
-export OS_USER_DOMAIN_ID=default
-export OS_PASSWORD=$ADMIN_PASSWORD
-export OS_PROJECT_NAME=admin
-export OS_PROJECT_DOMAIN_ID=default
-export OS_REGION_NAME=$KEYSTONE_REGION_NAME
-
-EOF
-
if is_service_enabled tls-proxy; then
- echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
fi
-source $TOP_DIR/userrc_early
-
-# Write a clouds.yaml file
+# Write a clouds.yaml file and use the devstack-admin cloud
write_clouds_yaml
+export OS_CLOUD=${OS_CLOUD:-devstack-admin}
if is_service_enabled keystone; then
echo_summary "Starting Keystone"
@@ -1380,7 +1358,7 @@
# which is helpful in image bundle steps.
if is_service_enabled nova && is_service_enabled keystone; then
- USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc"
+ USERRC_PARAMS="-PA --target-dir $TOP_DIR/accrc --os-password $ADMIN_PASSWORD"
if [ -f $SSL_BUNDLE_FILE ]; then
USERRC_PARAMS="$USERRC_PARAMS --os-cacert $SSL_BUNDLE_FILE"