Configure PKI cache dirs

* Configure Cinder, Glance, Keystone, Nova to put cached credentials
  from keystone.auth_token into /var/cache/<service>

It is not obvious to me that having each of these services share a
credentials cache is a good idea.  It does appear to work, but this
patch takes the conservative approach of putting each service's cache
in a distinct directory.

More importantly it gets them out of $HOME!

Change-Id: If88088fc287a2f2f4f3e34f6d9be9de3da7ee00d
diff --git a/lib/cinder b/lib/cinder
index 08c840e..578e2ad 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -4,8 +4,8 @@
 # Dependencies:
 # - functions
 # - DEST, DATA_DIR must be defined
-# - KEYSTONE_AUTH_* must be defined
 # SERVICE_{TENANT_NAME|PASSWORD} must be defined
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined
 
 # stack.sh
 # ---------
@@ -30,6 +30,7 @@
 CINDER_STATE_PATH=${CINDER_STATE_PATH:=$DATA_DIR/cinder}
 CINDER_CONF_DIR=/etc/cinder
 CINDER_CONF=$CINDER_CONF_DIR/cinder.conf
+CINDER_AUTH_CACHE_DIR=${CINDER_AUTH_CACHE_DIR:-/var/cache/cinder}
 
 # Support entry points installation of console scripts
 if [[ -d $CINDER_DIR/bin ]]; then
@@ -106,6 +107,10 @@
     iniset $CINDER_API_PASTE_INI filter:authtoken admin_user cinder
     iniset $CINDER_API_PASTE_INI filter:authtoken admin_password $SERVICE_PASSWORD
 
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        iniset $CINDER_API_PASTE_INI filter:authtoken signing_dir $CINDER_AUTH_CACHE_DIR
+    fi
+
     cp $CINDER_DIR/etc/cinder/cinder.conf.sample $CINDER_CONF
     iniset $CINDER_CONF DEFAULT auth_strategy keystone
     iniset $CINDER_CONF DEFAULT verbose True
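Review bot: The `[[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]` test on the first added line treats an unset variable exactly like a UUID deployment, so if lib/keystone has not been sourced before this function runs (the new header comment only says the variable "must be defined", it does not enforce it) the signing_dir setting is silently skipped and the middleware falls back to its own default, which the description says lives under `$HOME`. Making the dependency fail loudly near the top of the file, e.g. `: "${KEYSTONE_TOKEN_FORMAT:?KEYSTONE_TOKEN_FORMAT must be set (see lib/keystone)}"`, or at least logging the skipped branch, would keep a sourcing-order mistake from passing unnoticed. The same guard pattern is used in lib/glance (the two `keystone_authtoken signing_dir` hunks) and lib/nova (the `filter:authtoken signing_dir` hunk), so whichever fix is chosen should be applied there too. The enclosing configure function starts and ends outside this hunk.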
@@ -186,6 +191,12 @@
             done
         fi
     fi
+
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        # Create cache dir
+        sudo mkdir -p $CINDER_AUTH_CACHE_DIR
+        sudo chown `whoami` $CINDER_AUTH_CACHE_DIR
+    fi
 }
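Review bot: The added `sudo mkdir -p` / `sudo chown \`whoami\`` pair creates the cache directory with whatever mode the root umask happens to give and then hands ownership to the stack user, and because `mkdir -p` succeeds on an existing directory it will also silently re-own a `/var/cache/cinder` that a distro package may already have created for its own service account. Creating the directory with an explicit owner and mode in one step avoids both issues and drops the backticks: `sudo install -d -m 0750 -o "$(whoami)" "$CINDER_AUTH_CACHE_DIR"` (the middleware process that writes the cached signing material is the only one that needs access; loosen the mode if another local consumer needs to read it). The identical block appears in lib/glance (the `api` and `registry` subdirectories), lib/keystone and lib/nova, so the replacement belongs in all four. The enclosing init function starts outside this hunk.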
 
 # install_cinder() - Collect source and prepare
diff --git a/lib/glance b/lib/glance
index 070c80d..468d9e9 100644
--- a/lib/glance
+++ b/lib/glance
@@ -6,6 +6,7 @@
 # ``DEST``, ``DATA_DIR`` must be defined
 # ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
 # ``SERVICE_HOST``
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined
 
 # ``stack.sh`` calls the entry points in this order:
 #
@@ -31,6 +32,7 @@
 GLANCECLIENT_DIR=$DEST/python-glanceclient
 GLANCE_CACHE_DIR=${GLANCE_CACHE_DIR:=$DATA_DIR/glance/cache}
 GLANCE_IMAGE_DIR=${GLANCE_IMAGE_DIR:=$DATA_DIR/glance/images}
+GLANCE_AUTH_CACHE_DIR=${GLANCE_AUTH_CACHE_DIR:-/var/cache/glance}
 
 GLANCE_CONF_DIR=${GLANCE_CONF_DIR:-/etc/glance}
 GLANCE_REGISTRY_CONF=$GLANCE_CONF_DIR/glance-registry.conf
@@ -91,6 +93,9 @@
     iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
     iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_user glance
     iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        iniset $GLANCE_REGISTRY_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/registry
+    fi
 
     cp $GLANCE_DIR/etc/glance-api.conf $GLANCE_API_CONF
     iniset $GLANCE_API_CONF DEFAULT debug True
@@ -114,6 +119,9 @@
         iniset $GLANCE_API_CONF DEFAULT rabbit_host $RABBIT_HOST
         iniset $GLANCE_API_CONF DEFAULT rabbit_password $RABBIT_PASSWORD
     fi
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        iniset $GLANCE_API_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/api
+    fi
 
     cp -p $GLANCE_DIR/etc/glance-registry-paste.ini $GLANCE_REGISTRY_PASTE_INI
 
@@ -153,6 +161,14 @@
     mysql -u$MYSQL_USER -p$MYSQL_PASSWORD -e 'CREATE DATABASE glance CHARACTER SET utf8;'
 
     $GLANCE_BIN_DIR/glance-manage db_sync
+
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        # Create cache dir
+        sudo mkdir -p $GLANCE_AUTH_CACHE_DIR/api
+        sudo chown `whoami` $GLANCE_AUTH_CACHE_DIR/api
+        sudo mkdir -p $GLANCE_AUTH_CACHE_DIR/registry
+        sudo chown `whoami` $GLANCE_AUTH_CACHE_DIR/registry
+    fi
 }
 
 # install_glanceclient() - Collect source and prepare
diff --git a/lib/keystone b/lib/keystone
index 73d82c5..36a0e66 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -32,13 +32,18 @@
 KEYSTONE_DIR=$DEST/keystone
 KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
 KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
+KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone}
 
 KEYSTONECLIENT_DIR=$DEST/python-keystoneclient
 
-# Select the backend for Keystopne's service catalog
+# Select the backend for Keystone's service catalog
 KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql}
 KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates
 
+# Select Keystone's token format
+# Choose from 'UUID' and 'PKI'
+KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
+
 # Set Keystone interface configuration
 KEYSTONE_API_PORT=${KEYSTONE_API_PORT:-5000}
 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
@@ -47,7 +52,6 @@
 KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
 KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
 KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-http}
-KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
 
 
 # Entry Points
@@ -147,8 +151,14 @@
     # Initialize keystone database
     $KEYSTONE_DIR/bin/keystone-manage db_sync
 
-    # Set up certificates
-    $KEYSTONE_DIR/bin/keystone-manage pki_setup
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        # Set up certificates
+        $KEYSTONE_DIR/bin/keystone-manage pki_setup
+
+        # Create cache dir
+        sudo mkdir -p $KEYSTONE_AUTH_CACHE_DIR
+        sudo chown `whoami` $KEYSTONE_AUTH_CACHE_DIR
+    fi
 }
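Review bot: `KEYSTONE_AUTH_CACHE_DIR` is created and chowned in the new PKI branch, but unlike lib/cinder, lib/glance and lib/nova nothing in this diff writes it into keystone.conf or a paste ini as `signing_dir`, so from the patch alone it is either an unused directory or a missing `iniset`. If keystone's own pipeline does consume it outside this hunk, a comment naming that consumer would make the intent clear, e.g. `# Create cache dir for <consumer>'s signing_dir`; if it does not, the two lines can go until a consumer exists. The enclosing init function starts outside this hunk.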
 
 # install_keystoneclient() - Collect source and prepare
diff --git a/lib/nova b/lib/nova
index 95d5d87..b9afa3d 100644
--- a/lib/nova
+++ b/lib/nova
@@ -7,6 +7,7 @@
 # ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
 # ``LIBVIRT_TYPE`` must be defined
 # ``INSTANCE_NAME_PREFIX``, ``VOLUME_NAME_PREFIX`` must be defined
+# ``KEYSTONE_TOKEN_FORMAT`` must be defined
 
 # ``stack.sh`` calls the entry points in this order:
 #
@@ -32,6 +33,7 @@
 NOVA_STATE_PATH=${NOVA_STATE_PATH:=$DATA_DIR/nova}
 # INSTANCES_PATH is the previous name for this
 NOVA_INSTANCES_PATH=${NOVA_INSTANCES_PATH:=${INSTANCES_PATH:=$NOVA_STATE_PATH/instances}}
+NOVA_AUTH_CACHE_DIR=${NOVA_AUTH_CACHE_DIR:-/var/cache/nova}
 
 NOVA_CONF_DIR=/etc/nova
 NOVA_CONF=$NOVA_CONF_DIR/nova.conf
@@ -174,6 +176,10 @@
         " -i $NOVA_API_PASTE_INI
     fi
 
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        iniset $NOVA_API_PASTE_INI filter:authtoken signing_dir $NOVA_AUTH_CACHE_DIR
+    fi
+
     if is_service_enabled n-cpu; then
         # Force IP forwarding on, just on case
         sudo sysctl -w net.ipv4.ip_forward=1
@@ -383,6 +389,11 @@
         $NOVA_BIN_DIR/nova-manage db sync
     fi
 
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+        # Create cache dir
+        sudo mkdir -p $NOVA_AUTH_CACHE_DIR
+        sudo chown `whoami` $NOVA_AUTH_CACHE_DIR
+    fi
 }
 
 # install_novaclient() - Collect source and prepare