Merge "Define a new function for notifications URL"
diff --git a/doc/source/guides/multinode-lab.rst b/doc/source/guides/multinode-lab.rst
index 484ebba..1a8ddbc 100644
--- a/doc/source/guides/multinode-lab.rst
+++ b/doc/source/guides/multinode-lab.rst
@@ -175,7 +175,7 @@
MYSQL_HOST=$SERVICE_HOST
RABBIT_HOST=$SERVICE_HOST
GLANCE_HOSTPORT=$SERVICE_HOST:9292
- ENABLED_SERVICES=n-cpu,q-agt,n-api-meta,c-vol
+ ENABLED_SERVICES=n-cpu,q-agt,n-api-meta,c-vol,placement-client
NOVA_VNC_ENABLED=True
NOVNCPROXY_URL="http://$SERVICE_HOST:6080/vnc_auto.html"
VNCSERVER_LISTEN=$HOST_IP
diff --git a/doc/source/plugin-registry.rst b/doc/source/plugin-registry.rst
index beb6abb..96a2733 100644
--- a/doc/source/plugin-registry.rst
+++ b/doc/source/plugin-registry.rst
@@ -44,6 +44,7 @@
devstack-plugin-amqp1 `git://git.openstack.org/openstack/devstack-plugin-amqp1 <https://git.openstack.org/cgit/openstack/devstack-plugin-amqp1>`__
devstack-plugin-bdd `git://git.openstack.org/openstack/devstack-plugin-bdd <https://git.openstack.org/cgit/openstack/devstack-plugin-bdd>`__
devstack-plugin-ceph `git://git.openstack.org/openstack/devstack-plugin-ceph <https://git.openstack.org/cgit/openstack/devstack-plugin-ceph>`__
+devstack-plugin-container `git://git.openstack.org/openstack/devstack-plugin-container <https://git.openstack.org/cgit/openstack/devstack-plugin-container>`__
devstack-plugin-glusterfs `git://git.openstack.org/openstack/devstack-plugin-glusterfs <https://git.openstack.org/cgit/openstack/devstack-plugin-glusterfs>`__
devstack-plugin-hdfs `git://git.openstack.org/openstack/devstack-plugin-hdfs <https://git.openstack.org/cgit/openstack/devstack-plugin-hdfs>`__
devstack-plugin-kafka `git://git.openstack.org/openstack/devstack-plugin-kafka <https://git.openstack.org/cgit/openstack/devstack-plugin-kafka>`__
@@ -86,6 +87,7 @@
mistral `git://git.openstack.org/openstack/mistral <https://git.openstack.org/cgit/openstack/mistral>`__
mixmatch `git://git.openstack.org/openstack/mixmatch <https://git.openstack.org/cgit/openstack/mixmatch>`__
mogan `git://git.openstack.org/openstack/mogan <https://git.openstack.org/cgit/openstack/mogan>`__
+mogan-ui `git://git.openstack.org/openstack/mogan-ui <https://git.openstack.org/cgit/openstack/mogan-ui>`__
monasca-analytics `git://git.openstack.org/openstack/monasca-analytics <https://git.openstack.org/cgit/openstack/monasca-analytics>`__
monasca-api `git://git.openstack.org/openstack/monasca-api <https://git.openstack.org/cgit/openstack/monasca-api>`__
monasca-ceilometer `git://git.openstack.org/openstack/monasca-ceilometer <https://git.openstack.org/cgit/openstack/monasca-ceilometer>`__
diff --git a/files/debs/general b/files/debs/general
index 3a0e241..20490c6 100644
--- a/files/debs/general
+++ b/files/debs/general
@@ -1,3 +1,5 @@
+apache2
+apache2-dev
bc
bridge-utils
bsdmainutils
@@ -9,6 +11,7 @@
git
graphviz # needed for docs
iputils-ping
+libapache2-mod-proxy-uwsgi
libffi-dev # for pyOpenSSL
libjpeg-dev # Pillow 3.0.0
libmysqlclient-dev # MySQL-python
@@ -23,6 +26,7 @@
pkg-config
psmisc
python2.7
+python3-systemd
python-dev
python-gdbm # needed for testr
python-systemd
diff --git a/files/debs/n-cpu b/files/debs/n-cpu
index 69ac430..d8bbf59 100644
--- a/files/debs/n-cpu
+++ b/files/debs/n-cpu
@@ -2,6 +2,7 @@
genisoimage
gir1.2-libosinfo-1.0
lvm2 # NOPRIME
+netcat-openbsd
open-iscsi
python-guestfs # NOPRIME
qemu-utils
diff --git a/files/rpms/general b/files/rpms/general
index baba06b..106aa6a 100644
--- a/files/rpms/general
+++ b/files/rpms/general
@@ -7,6 +7,8 @@
gettext # used for compiling message catalogs
git-core
graphviz # needed only for docs
+httpd
+httpd-devel
iptables-services # NOPRIME f23,f24,f25
java-1.7.0-openjdk-headless # NOPRIME rhel7
java-1.8.0-openjdk-headless # NOPRIME f23,f24,f25
diff --git a/functions-common b/functions-common
index 90c9200..35b4860 100644
--- a/functions-common
+++ b/functions-common
@@ -905,34 +905,6 @@
echo $user_role_id
}
-# Gets or adds user role to domain
-# Usage: get_or_add_user_domain_role <role> <user> <domain>
-function get_or_add_user_domain_role {
- local user_role_id
- # Gets user role id
- user_role_id=$(openstack role assignment list \
- --user $2 \
- --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 \
- --domain $3 \
- | grep " $1 " | get_field 1)
- if [[ -z "$user_role_id" ]]; then
- # Adds role to user and get it
- openstack role add $1 \
- --user $2 \
- --domain $3 \
- --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3
- user_role_id=$(openstack role assignment list \
- --user $2 \
- --os-url=$KEYSTONE_SERVICE_URI_V3 \
- --os-identity-api-version=3 \
- --domain $3 \
- | grep " $1 " | get_field 1)
- fi
- echo $user_role_id
-}
-
# Gets or adds group role to project
# Usage: get_or_add_group_project_role <role> <group> <project>
function get_or_add_group_project_role {
diff --git a/lib/apache b/lib/apache
index d1a11ae..afeac15 100644
--- a/lib/apache
+++ b/lib/apache
@@ -66,6 +66,48 @@
fi
}
+# NOTE(sdague): Install uwsgi including apache module, we need to get
+# to 2.0.6+ to get a working mod_proxy_uwsgi. We can probably build a
+# check for that and do it differently for different platforms.
+function install_apache_uwsgi {
+ local apxs="apxs2"
+ if is_fedora; then
+ apxs="apxs"
+ fi
+
+ # Ubuntu xenial is back level on uwsgi so the proxy doesn't
+ # actually work. Hence we have to build from source for now.
+ #
+ # Centos 7 actually has the module in epel, but there was a big
+ # push to disable epel by default. As such, compile from source
+ # there as well.
+
+ local dir
+ dir=$(mktemp -d)
+ pushd $dir
+ pip_install uwsgi
+ pip download uwsgi -c $REQUIREMENTS_DIR/upper-constraints.txt
+ local uwsgi
+ uwsgi=$(ls uwsgi*)
+ tar xvf $uwsgi
+ cd uwsgi*/apache2
+ sudo $apxs -i -c mod_proxy_uwsgi.c
+ popd
+ # delete the temp directory
+ sudo rm -rf $dir
+
+ if is_ubuntu; then
+ # we've got to enable proxy and proxy_uwsgi for this to work
+ sudo a2enmod proxy
+ sudo a2enmod proxy_uwsgi
+ elif is_fedora; then
+ # redhat is missing a nice way to turn on/off modules
+ echo "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so" \
+ | sudo tee /etc/httpd/conf.modules.d/02-proxy-uwsgi.conf
+ fi
+ restart_apache_server
+}
+
# install_apache_wsgi() - Install Apache server and wsgi module
function install_apache_wsgi {
# Apache installation, because we mark it NOPRIME
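Review bot: In `install_apache_uwsgi` the temp-dir handling is unchecked and unquoted, although the function goes on to run `sudo $apxs -i -c` and `sudo rm -rf $dir`. If `mktemp -d` or `pushd` fails, the download, the build and the root-owned install all proceed in whatever the current directory happens to be. I would guard it with `dir=$(mktemp -d) || die $LINENO "mktemp failed"`, `pushd "$dir" || die $LINENO "cannot enter $dir"` and `sudo rm -rf -- "${dir:?}"`. `uwsgi=$(ls uwsgi*)` followed by an unquoted `tar xvf $uwsgi` also misbehaves as soon as more than one name matches, so a single explicit glob is safer. Finally, `pip_install uwsgi` and `pip download uwsgi -c ...` are two separate fetches, so a comment should state that the module compiled as root is expected to match the installed uwsgi version.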
@@ -90,49 +132,15 @@
fi
# WSGI isn't enabled by default, enable it
enable_apache_mod wsgi
-
- # ensure mod_version enabled for <IfVersion ...>. This is
- # built-in statically on anything recent, but precise (2.2)
- # doesn't have it enabled
- sudo a2enmod version || true
-}
-
-# get_apache_version() - return the version of Apache installed
-# This function is used to determine the Apache version installed. There are
-# various differences between Apache 2.2 and 2.4 that warrant special handling.
-function get_apache_version {
- if is_ubuntu; then
- local version_str
- version_str=$(sudo /usr/sbin/apache2ctl -v | awk '/Server version/ {print $3}' | cut -f2 -d/)
- elif is_fedora; then
- local version_str
- version_str=$(rpm -qa --queryformat '%{VERSION}' httpd)
- elif is_suse; then
- local version_str
- version_str=$(rpm -qa --queryformat '%{VERSION}' apache2)
- else
- exit_distro_not_supported "cannot determine apache version"
- fi
- if [[ "$version_str" =~ ^2\.2\. ]]; then
- echo "2.2"
- elif [[ "$version_str" =~ ^2\.4\. ]]; then
- echo "2.4"
- else
- exit_distro_not_supported "apache version not supported"
- fi
}
# apache_site_config_for() - The filename of the site's configuration file.
# This function uses the global variables APACHE_NAME and APACHE_CONF_DIR.
#
-# On Ubuntu 14.04, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
+# On Ubuntu 14.04+, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
# recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
# files are 000-default.conf and default-ssl.conf.
#
-# On Ubuntu 12.04, the site configuration file may have any format, as long as it is in
-# /etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
-# sites' files are default and default-ssl.
-#
# On Fedora and openSUSE, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
#
# On RHEL and CentOS, things should hopefully work as in Fedora.
@@ -141,22 +149,14 @@
# +----------------------+--------------------+--------------------------+--------------------------+
# | Distribution | File name | Site enabling command | Site disabling command |
# +----------------------+--------------------+--------------------------+--------------------------+
-# | Ubuntu 12.04 | site | a2ensite site | a2dissite site |
# | Ubuntu 14.04 | site.conf | a2ensite site | a2dissite site |
# | Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
# +----------------------+--------------------+--------------------------+--------------------------+
function apache_site_config_for {
local site=$@
if is_ubuntu; then
- local apache_version
- apache_version=$(get_apache_version)
- if [[ "$apache_version" == "2.2" ]]; then
- # Ubuntu 12.04 - Apache 2.2
- echo $APACHE_CONF_DIR/${site}
- else
- # Ubuntu 14.04 - Apache 2.4
- echo $APACHE_CONF_DIR/${site}.conf
- fi
+ # Ubuntu 14.04 - Apache 2.4
+ echo $APACHE_CONF_DIR/${site}.conf
elif is_fedora || is_suse; then
# fedora conf.d is only imported if it ends with .conf so this is approx the same
local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
@@ -186,7 +186,7 @@
function disable_apache_site {
local site=$@
if is_ubuntu; then
- sudo a2dissite ${site}
+ sudo a2dissite ${site} || true
elif is_fedora || is_suse; then
local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
# Do nothing if no site config exists
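Review bot: `sudo a2dissite ${site} || true` swallows every failure, not only the "site was never enabled" case. A failing sudo or a mistyped site name now also reports success while the site configuration stays active in Apache. If the intent is only to tolerate a missing site, state that in a comment such as `# tolerate sites that were never enabled`, or test for the config file first the way the Fedora/SUSE branch does. `${site}` should be quoted as well. The rest of `disable_apache_site` lies outside this hunk.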
@@ -215,11 +215,7 @@
# Apache can be slow to stop, doing an explicit stop, sleep, start helps
# to mitigate issues where apache will claim a port it's listening on is
# still in use and fail to start.
- time_start "restart_apache_server"
- stop_service $APACHE_NAME
- sleep 3
- start_service $APACHE_NAME
- time_stop "restart_apache_server"
+ restart_service $APACHE_NAME
}
# reload_apache_server
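Review bot: The comment kept above `restart_service $APACHE_NAME` still describes an explicit stop, sleep, start sequence, which this change removes, so it now documents behaviour the function no longer has. Either reword it, for example `# Restart through the service manager; the explicit stop/sleep/start workaround was removed`, or keep the workaround if the port-still-in-use race it mentions can still occur. The function header is outside the hunk.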
@@ -227,6 +223,64 @@
reload_service $APACHE_NAME
}
+function write_uwsgi_config {
+ local file=$1
+ local wsgi=$2
+ local url=$3
+ local http=$4
+ local name=""
+ name=$(basename $wsgi)
+
+ # create a home for the sockets; note don't use /tmp -- apache has
+ # a private view of it on some platforms.
+ local socket_dir='/var/run/uwsgi'
+ sudo install -d -o $STACK_USER -m 755 $socket_dir
+ local socket="$socket_dir/${name}.socket"
+
+ # always cleanup given that we are using iniset here
+ rm -rf $file
+ iniset "$file" uwsgi wsgi-file "$wsgi"
+ iniset "$file" uwsgi socket "$socket"
+ iniset "$file" uwsgi processes $API_WORKERS
+ # This is running standalone
+ iniset "$file" uwsgi master true
+ # Set die-on-term & exit-on-reload so that uwsgi shuts down
+ iniset "$file" uwsgi die-on-term true
+ iniset "$file" uwsgi exit-on-reload true
+ iniset "$file" uwsgi enable-threads true
+ iniset "$file" uwsgi plugins python
+ # uwsgi recommends this to prevent thundering herd on accept.
+ iniset "$file" uwsgi thunder-lock true
+ # Override the default size for headers from the 4k default.
+ iniset "$file" uwsgi buffer-size 65535
+ # Make sure the client doesn't try to re-use the connection.
+ iniset "$file" uwsgi add-header "Connection: close"
+ # This ensures that file descriptors aren't shared between processes.
+ iniset "$file" uwsgi lazy-apps true
+ iniset "$file" uwsgi chmod-socket 666
+
+ # If we said bind directly to http, then do that and don't start the apache proxy
+ if [[ -n "$http" ]]; then
+ iniset "$file" uwsgi http $http
+ else
+ local apache_conf=""
+ apache_conf=$(apache_site_config_for $name)
+ echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee $apache_conf
+ enable_apache_site $name
+ reload_apache_server
+ fi
+}
+
+function remove_uwsgi_config {
+ local file=$1
+ local wsgi=$2
+ local name=""
+ name=$(basename $wsgi)
+
+ rm -rf $file
+ disable_apache_site $name
+}
+
# Restore xtrace
$_XTRACE_LIB_APACHE
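Review bot: `iniset "$file" uwsgi chmod-socket 666` makes every socket under `/var/run/uwsgi` (created mode 755) connectable by any local account, so a local user can speak the uwsgi protocol to the application directly and bypass Apache. Only the Apache worker needs access, so consider `chmod-socket 660` with the socket group-owned by Apache's group (this needs the stack user to be in that group). If that is not done, add a comment that 666 is accepted because this targets a single-user development host. Both `write_uwsgi_config` and `remove_uwsgi_config` also lack the `# name() - purpose` header used elsewhere in lib/apache, including a description of the four positional arguments. Lastly, `rm -rf $file` on a single config file would be safer as `rm -f -- "$file"`.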
diff --git a/lib/cinder b/lib/cinder
index c17cea0..b8330f9 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -58,7 +58,7 @@
CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
# Public facing bits
-if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
CINDER_SERVICE_PROTOCOL="https"
fi
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
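Review bot: Dropping `is_ssl_enabled_service "cinder"` from this condition means a configuration that previously requested native SSL for the service now comes up on plain http unless tls-proxy is also enabled, and nothing visible in this diff warns about that. The same pattern repeats in the lib/glance, lib/keystone, lib/neutron, lib/neutron-legacy, lib/nova, lib/placement and lib/swift hunks. I would add a comment at each protocol switch, for example `# HTTPS is only provided by tls-proxy; per-service SSL is no longer supported`. The run should also warn or fail early when the old setting is still present; whether such a check exists elsewhere cannot be seen from these hunks.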
@@ -215,11 +215,6 @@
local cinder_api_port=$CINDER_SERVICE_PORT
local venv_path=""
- if is_ssl_enabled_service c-api; then
- cinder_ssl="SSLEngine On"
- cinder_certfile="SSLCertificateFile $CINDER_SSL_CERT"
- cinder_keyfile="SSLCertificateKeyFile $CINDER_SSL_KEY"
- fi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages"
fi
@@ -347,7 +342,7 @@
iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS"
iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
iniset $CINDER_CONF DEFAULT glance_protocol https
iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE
fi
@@ -356,14 +351,6 @@
iniset $CINDER_CONF DEFAULT glance_api_version 2
fi
- # Register SSL certificates if provided
- if is_ssl_enabled_service cinder; then
- ensure_certificates CINDER
-
- iniset $CINDER_CONF DEFAULT ssl_cert_file "$CINDER_SSL_CERT"
- iniset $CINDER_CONF DEFAULT ssl_key_file "$CINDER_SSL_KEY"
- fi
-
# Set os_privileged_user credentials (used for os-assisted-snapshots)
iniset $CINDER_CONF DEFAULT os_privileged_user_name nova
iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD"
@@ -464,9 +451,6 @@
if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
install_apache_wsgi
- if is_ssl_enabled_service "c-api"; then
- enable_mod_ssl
- fi
fi
}
@@ -528,10 +512,11 @@
tail_log c-api /var/log/$APACHE_NAME/c-api.log
else
run_process c-api "$CINDER_BIN_DIR/cinder-api --config-file $CINDER_CONF"
- echo "Waiting for Cinder API to start..."
- if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$CINDER_SERVICE_HOST:$service_port; then
- die $LINENO "c-api did not start"
- fi
+ fi
+
+ echo "Waiting for Cinder API to start..."
+ if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$CINDER_SERVICE_HOST:$service_port; then
+ die $LINENO "c-api did not start"
fi
run_process c-sch "$CINDER_BIN_DIR/cinder-scheduler --config-file $CINDER_CONF"
diff --git a/lib/glance b/lib/glance
index 2f4aa5f..23a1cbf 100644
--- a/lib/glance
+++ b/lib/glance
@@ -57,7 +57,7 @@
GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf
GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False}
-if is_ssl_enabled_service "glance" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
GLANCE_SERVICE_PROTOCOL="https"
fi
@@ -187,18 +187,7 @@
iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
fi
- # Register SSL certificates if provided
- if is_ssl_enabled_service glance; then
- ensure_certificates GLANCE
-
- iniset $GLANCE_API_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
- iniset $GLANCE_API_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
-
- iniset $GLANCE_REGISTRY_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
- iniset $GLANCE_REGISTRY_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
- fi
-
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https
fi
@@ -233,7 +222,7 @@
cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
diff --git a/lib/keystone b/lib/keystone
index 3db3c8d..a26ef8a 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -50,22 +50,18 @@
KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini}
-
-# Toggle for deploying Keystone under HTTPD + mod_wsgi
-# Deprecated in Mitaka, use KEYSTONE_DEPLOY instead.
-KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}}
+KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
+KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
+KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
+KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
# - uwsgi : Run keystone under uwsgi
-if [ -z "$KEYSTONE_DEPLOY" ]; then
- if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then
- KEYSTONE_DEPLOY=mod_wsgi
- elif [ "$KEYSTONE_USE_MOD_WSGI" == True ]; then
- KEYSTONE_DEPLOY=mod_wsgi
- else
- KEYSTONE_DEPLOY=uwsgi
- fi
+if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+ KEYSTONE_DEPLOY=uwsgi
+else
+ KEYSTONE_DEPLOY=mod_wsgi
fi
# Select the token persistence backend driver
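Review bot: `KEYSTONE_DEPLOY` is now assigned unconditionally from `WSGI_MODE`, so a value the user set is silently overwritten, while the comment above still presents it as a setting with allowed values. Any `WSGI_MODE` other than the exact string `uwsgi`, including a typo, also falls through to `mod_wsgi` without a message. If the override is intended, reword the comment to something like `# KEYSTONE_DEPLOY is derived from WSGI_MODE and must not be set directly`. The removed `KEYSTONE_USE_MOD_WSGI` toggle also disappears without a deprecation notice in the visible lines.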
@@ -112,20 +108,13 @@
SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
# if we are running with SSL use https protocols
-if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
KEYSTONE_AUTH_PROTOCOL="https"
KEYSTONE_SERVICE_PROTOCOL="https"
fi
-# complete URIs
-if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
- # If running in Apache, use path access rather than port.
- KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
- KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
-else
- KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
- KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
-fi
+KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
+KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
# V3 URIs
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
@@ -151,8 +140,15 @@
# cleanup_keystone() - Remove residual data files, anything left over from previous
# runs that a clean run would need to clean up
function cleanup_keystone {
- disable_apache_site keystone
- sudo rm -f $(apache_site_config_for keystone)
+ if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+ remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
+ remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
+ sudo rm -f $(apache_site_config_for keystone-wsgi-public)
+ sudo rm -f $(apache_site_config_for keystone-wsgi-admin)
+ else
+ disable_apache_site keystone
+ sudo rm -f $(apache_site_config_for keystone)
+ fi
}
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
@@ -167,12 +163,6 @@
local keystone_auth_port=$KEYSTONE_AUTH_PORT
local venv_path=""
- if is_ssl_enabled_service key; then
- keystone_ssl_listen=""
- keystone_ssl="SSLEngine On"
- keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
- keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
- fi
if is_service_enabled tls-proxy; then
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
@@ -243,11 +233,6 @@
iniset_rpc_backend keystone $KEYSTONE_CONF
- # Register SSL certificates if provided
- if is_ssl_enabled_service key; then
- ensure_certificates KEYSTONE
- fi
-
local service_port=$KEYSTONE_SERVICE_PORT
local auth_port=$KEYSTONE_AUTH_PORT
@@ -263,10 +248,8 @@
# work when you want to use a different port (in the case of proxy), or you
# don't want the port (in the case of putting keystone on a path in
# apache).
- if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
- iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
- iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
- fi
+ iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
+ iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
@@ -292,45 +275,8 @@
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
_config_keystone_apache_wsgi
else # uwsgi
- # iniset creates these files when it's called if they don't exist.
- KEYSTONE_PUBLIC_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
- KEYSTONE_ADMIN_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
-
- rm -f "$KEYSTONE_PUBLIC_UWSGI_FILE"
- rm -f "$KEYSTONE_ADMIN_UWSGI_FILE"
-
- if is_ssl_enabled_service key; then
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi https $KEYSTONE_SERVICE_HOST:$service_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi https $KEYSTONE_ADMIN_BIND_HOST:$auth_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY
- else
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi http $KEYSTONE_SERVICE_HOST:$service_port
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi http $KEYSTONE_ADMIN_BIND_HOST:$auth_port
- fi
-
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-public"
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi processes $(nproc)
-
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-admin"
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi processes $API_WORKERS
-
- # Common settings
- for file in "$KEYSTONE_PUBLIC_UWSGI_FILE" "$KEYSTONE_ADMIN_UWSGI_FILE"; do
- # This is running standalone
- iniset "$file" uwsgi master true
- # Set die-on-term & exit-on-reload so that uwsgi shuts down
- iniset "$file" uwsgi die-on-term true
- iniset "$file" uwsgi exit-on-reload true
- iniset "$file" uwsgi enable-threads true
- iniset "$file" uwsgi plugins python
- # uwsgi recommends this to prevent thundering herd on accept.
- iniset "$file" uwsgi thunder-lock true
- # Override the default size for headers from the 4k default.
- iniset "$file" uwsgi buffer-size 65535
- # Make sure the client doesn't try to re-use the connection.
- iniset "$file" uwsgi add-header "Connection: close"
- # This ensures that file descriptors aren't shared between processes.
- iniset "$file" uwsgi lazy-apps true
- done
+ write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
+ write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
fi
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
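Review bot: Both `write_uwsgi_config` calls omit the fourth argument, so the public and admin keystone apps are published through the Apache ProxyPass path. The `$KEYSTONE_ADMIN_BIND_HOST` restriction that the removed lines applied to the admin listener therefore no longer has any effect in uwsgi mode, and `/identity_admin` is presumably served wherever Apache listens. The public app also moves from `processes $(nproc)` to `$API_WORKERS`. Neither change is necessarily wrong, but both deserve a comment here, for example `# public and admin are both proxied by Apache; KEYSTONE_ADMIN_BIND_HOST is not used in this mode`. The enclosing function starts and ends outside the hunk.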
@@ -577,9 +523,6 @@
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
install_apache_wsgi
- if is_ssl_enabled_service "key"; then
- enable_mod_ssl
- fi
elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
pip_install uwsgi
fi
@@ -604,8 +547,8 @@
# TODO(sdague): we should really get down to a single keystone here
enable_service key-p
enable_service key-a
- run_process key-p "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_PUBLIC_UWSGI_FILE" ""
- run_process key-a "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_ADMIN_UWSGI_FILE" ""
+ run_process key-p "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_PUBLIC_UWSGI_CONF" ""
+ run_process key-a "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_ADMIN_UWSGI_CONF" ""
fi
echo "Waiting for keystone to start..."
@@ -614,10 +557,7 @@
# unencryted traffic at this point.
# If running in Apache, use the path rather than port.
- local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/
- if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
- service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
- fi
+ local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
die $LINENO "keystone did not start"
@@ -641,6 +581,8 @@
else
stop_process key-p
stop_process key-a
+ remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
+ remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
fi
# Kill the Keystone screen window
stop_process key
diff --git a/lib/neutron b/lib/neutron
index dd91466..492a0ee 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -61,7 +61,7 @@
NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent}
# Public facing bits
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
NEUTRON_SERVICE_PROTOCOL="https"
fi
NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST}
@@ -243,14 +243,6 @@
iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
fi
- if is_ssl_enabled_service "neutron"; then
- ensure_certificates NEUTRON
-
- iniset $NEUTRON_CONF DEFAULT use_ssl True
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
- fi
-
# Metering
if is_service_enabled neutron-metering; then
cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF
@@ -404,17 +396,10 @@
# TODO(sc68cal) Stop hard coding this
run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts"
- if is_ssl_enabled_service "neutron"; then
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
- local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$NEUTRON_SERVICE_HOST:$service_port"
- test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
- else
- if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
- die $LINENO "neutron-api did not start"
- fi
+ if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
+ die $LINENO "neutron-api did not start"
fi
-
# Start proxy if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 74f36e0..1dfd5fe 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -61,7 +61,7 @@
deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future"
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
Q_PROTOCOL="https"
fi
@@ -461,9 +461,6 @@
# Start the Neutron service
run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options"
echo "Waiting for Neutron to start..."
- if is_ssl_enabled_service "neutron"; then
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
- fi
local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"
test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
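Review bot: `${ssl_ca}` is still interpolated into `testcmd`, but the only assignment visible in this function is the one being removed, and it was never declared `local`. The wget command therefore now receives an empty string or whatever value a caller left in that global. Drop it, as in `local testcmd="wget --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`, or set it explicitly from `$SSL_BUNDLE_FILE` under `is_service_enabled tls-proxy` if the probe must verify https. The function begins outside the hunk, so an assignment further up cannot be ruled out.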
@@ -714,18 +711,6 @@
iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
fi
- if is_ssl_enabled_service "nova"; then
- iniset $NEUTRON_CONF nova cafile $SSL_BUNDLE_FILE
- fi
-
- if is_ssl_enabled_service "neutron"; then
- ensure_certificates NEUTRON
-
- iniset $NEUTRON_CONF DEFAULT use_ssl True
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
- fi
-
_neutron_setup_rootwrap
}
diff --git a/lib/nova b/lib/nova
index a36a740..cba9acd 100644
--- a/lib/nova
+++ b/lib/nova
@@ -68,7 +68,7 @@
# Toggle for deploying Nova-API under HTTPD + mod_wsgi
NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
-if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
NOVA_SERVICE_PROTOCOL="https"
fi
@@ -262,11 +262,6 @@
local nova_metadata_port=$METADATA_SERVICE_PORT
local venv_path=""
- if is_ssl_enabled_service nova-api; then
- nova_ssl="SSLEngine On"
- nova_certfile="SSLCertificateFile $NOVA_SSL_CERT"
- nova_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
- fi
if [[ ${USE_VENV} = True ]]; then
venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages"
fi
@@ -501,7 +496,7 @@
fi
if is_service_enabled cinder; then
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
@@ -586,20 +581,10 @@
iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
iniset $NOVA_CONF DEFAULT glance_protocol https
fi
- # Register SSL certificates if provided
- if is_ssl_enabled_service nova; then
- ensure_certificates NOVA
-
- iniset $NOVA_CONF DEFAULT ssl_cert_file "$NOVA_SSL_CERT"
- iniset $NOVA_CONF DEFAULT ssl_key_file "$NOVA_SSL_KEY"
-
- iniset $NOVA_CONF DEFAULT enabled_ssl_apis "$NOVA_ENABLED_APIS"
- fi
-
if is_service_enabled n-sproxy; then
iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
iniset $NOVA_CONF serial_console enabled True
@@ -790,9 +775,6 @@
if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then
install_apache_wsgi
- if is_ssl_enabled_service "nova-api"; then
- enable_mod_ssl
- fi
fi
}
diff --git a/lib/oslo b/lib/oslo
index 1a78bdf..2895503 100644
--- a/lib/oslo
+++ b/lib/oslo
@@ -23,7 +23,9 @@
# Defaults
# --------
GITDIR["automaton"]=$DEST/automaton
+GITDIR["castellan"]=$DEST/castellan
GITDIR["cliff"]=$DEST/cliff
+GITDIR["cursive"]=$DEST/cursive
GITDIR["debtcollector"]=$DEST/debtcollector
GITDIR["futurist"]=$DEST/futurist
GITDIR["os-client-config"]=$DEST/os-client-config
@@ -71,7 +73,9 @@
# install_oslo() - Collect source and prepare
function install_oslo {
_do_install_oslo_lib "automaton"
+ _do_install_oslo_lib "castellan"
_do_install_oslo_lib "cliff"
+ _do_install_oslo_lib "cursive"
_do_install_oslo_lib "debtcollector"
_do_install_oslo_lib "futurist"
_do_install_oslo_lib "osc-lib"
diff --git a/lib/placement b/lib/placement
index 4cc5cd8..4755a58 100644
--- a/lib/placement
+++ b/lib/placement
@@ -32,7 +32,15 @@
PLACEMENT_CONF_DIR=/etc/nova
PLACEMENT_CONF=$PLACEMENT_CONF_DIR/nova.conf
PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-placement}
-
+# Nova virtual environment
+if [[ ${USE_VENV} = True ]]; then
+ PROJECT_VENV["nova"]=${NOVA_DIR}.venv
+ PLACEMENT_BIN_DIR=${PROJECT_VENV["nova"]}/bin
+else
+ PLACEMENT_BIN_DIR=$(get_python_exec_prefix)
+fi
+PLACEMENT_UWSGI=$PLACEMENT_BIN_DIR/nova-placement-api
+PLACEMENT_UWSGI_CONF=$PLACEMENT_CONF_DIR/placement-uwsgi.ini
# The placement service can optionally use a separate database
# connection. Set PLACEMENT_DB_ENABLED to True to use it.
@@ -40,7 +48,7 @@
# yet merged in nova but is coming soon.
PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED)
-if is_ssl_enabled_service "placement-api" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
PLACEMENT_SERVICE_PROTOCOL="https"
fi
@@ -72,12 +80,6 @@
nova_bin_dir=$(get_python_exec_prefix)
placement_api_apache_conf=$(apache_site_config_for placement-api)
- # reuse nova's cert if a cert is being used
- if is_ssl_enabled_service "placement-api"; then
- placement_ssl="SSLEngine On"
- placement_certfile="SSLCertificateFile $NOVA_SSL_CERT"
- placement_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
- fi
# reuse nova's venv if there is one as placement code lives
# there
if [[ ${USE_VENV} = True ]]; then
@@ -120,7 +122,12 @@
if [ "$PLACEMENT_DB_ENABLED" != False ]; then
iniset $PLACEMENT_CONF placement_database connection `database_connection_url placement`
fi
- _config_placement_apache_wsgi
+
+ if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+ write_uwsgi_config "$PLACEMENT_UWSGI_CONF" "$PLACEMENT_UWSGI" "/placement"
+ else
+ _config_placement_apache_wsgi
+ fi
}
# create_placement_accounts() - Set up required placement accounts
@@ -149,16 +156,17 @@
# install_placement() - Collect source and prepare
function install_placement {
install_apache_wsgi
- if is_ssl_enabled_service "placement-api"; then
- enable_mod_ssl
- fi
}
# start_placement_api() - Start the API processes ahead of other things
function start_placement_api {
- enable_apache_site placement-api
- restart_apache_server
- tail_log placement-api /var/log/$APACHE_NAME/placement-api.log
+ if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+ run_process "placement-api" "$PLACEMENT_BIN_DIR/uwsgi --ini $PLACEMENT_UWSGI_CONF"
+ else
+ enable_apache_site placement-api
+ restart_apache_server
+ tail_log placement-api /var/log/$APACHE_NAME/placement-api.log
+ fi
echo "Waiting for placement-api to start..."
if ! wait_for_service $SERVICE_TIMEOUT $PLACEMENT_SERVICE_PROTOCOL://$PLACEMENT_SERVICE_HOST/placement; then
@@ -172,8 +180,13 @@
# stop_placement() - Disable the api service and stop it.
function stop_placement {
- disable_apache_site placement-api
- restart_apache_server
+ if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+ stop_process "placement-api"
+ remove_uwsgi_config "$PLACEMENT_UWSGI_CONF" "$PLACEMENT_UWSGI"
+ else
+ disable_apache_site placement-api
+ restart_apache_server
+ fi
}
# Restore xtrace
diff --git a/lib/swift b/lib/swift
index f3ff241..8fad6b8 100644
--- a/lib/swift
+++ b/lib/swift
@@ -31,7 +31,7 @@
# Defaults
# --------
-if is_ssl_enabled_service "s-proxy" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
SWIFT_SERVICE_PROTOCOL="https"
fi
@@ -398,13 +398,6 @@
iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT}
fi
- if is_ssl_enabled_service s-proxy; then
- ensure_certificates SWIFT
-
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT cert_file "$SWIFT_SSL_CERT"
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT key_file "$SWIFT_SSL_KEY"
- fi
-
# DevStack is commonly run in a small slow environment, so bump the timeouts up.
# ``node_timeout`` is the node read operation response time to the proxy server
# ``conn_timeout`` is how long it takes a connect() system call to return
@@ -537,11 +530,16 @@
local auth_vers
auth_vers=$(iniget ${testfile} func_test auth_version)
iniset ${testfile} func_test auth_host ${KEYSTONE_SERVICE_HOST}
- iniset ${testfile} func_test auth_port ${KEYSTONE_AUTH_PORT}
- if [[ $auth_vers == "3" ]]; then
- iniset ${testfile} func_test auth_prefix /v3/
+ if [[ "$KEYSTONE_AUTH_PROTOCOL" == "https" ]]; then
+ iniset ${testfile} func_test auth_port 443
else
- iniset ${testfile} func_test auth_prefix /v2.0/
+ iniset ${testfile} func_test auth_port 80
+ fi
+ iniset ${testfile} func_test auth_uri ${KEYSTONE_AUTH_URI}
+ if [[ "$auth_vers" == "3" ]]; then
+ iniset ${testfile} func_test auth_prefix /identity/v3/
+ else
+ iniset ${testfile} func_test auth_prefix /identity/v2.0/
fi
fi
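Review bot: `auth_port` is now derived only from the protocol (443 or 80), where the removed line used `${KEYSTONE_AUTH_PORT}`, so a Keystone endpoint on any other port leaves the functional-test config pointing at the wrong place. If the tests read the new `auth_uri` key instead, the two port lines may be redundant; otherwise the port should come from the same source as `KEYSTONE_AUTH_URI`. `${KEYSTONE_AUTH_URI}` is also passed unquoted, so an empty value shifts the arguments `iniset` sees; `iniset ${testfile} func_test auth_uri "${KEYSTONE_AUTH_URI}"` avoids that. The enclosing function starts and ends outside the hunk.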
@@ -556,6 +554,7 @@
if [[ $SYSLOG != "False" ]]; then
sed "s,%SWIFT_LOGDIR%,${swift_log_dir}," $FILES/swift/rsyslog.conf | sudo \
tee /etc/rsyslog.d/10-swift.conf
+ echo "MaxMessageSize 6k" | sudo tee /etc/rsyslog.d/99-maxsize.conf
# restart syslog to take the changes
sudo killall -HUP rsyslogd
fi
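Review bot: The line written to /etc/rsyslog.d/99-maxsize.conf, `MaxMessageSize 6k`, lacks the leading `$` that rsyslog's legacy directives carry, so rsyslog will most likely report a config error and keep its default message size. Single quotes keep the shell from expanding the name: `echo '$MaxMessageSize 6k' | sudo tee /etc/rsyslog.d/99-maxsize.conf`. Two further things are worth confirming against the rsyslog version in use: its documentation asks for this setting to appear before any input module is loaded, which a 99- drop-in may not satisfy, and `killall -HUP rsyslogd` re-opens files but, as far as I know, no longer re-reads configuration on current versions. Silently truncated messages make the Swift logs less useful as an audit record, so the setting should be verified to take effect.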
diff --git a/lib/tempest b/lib/tempest
index f6fc57d..f19686a 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -279,7 +279,7 @@
fi
iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
- if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE
fi
@@ -356,6 +356,7 @@
iniset $TEMPEST_CONFIG compute-feature-enabled live_migration ${LIVE_MIGRATION_AVAILABLE:-False}
iniset $TEMPEST_CONFIG compute-feature-enabled change_password False
iniset $TEMPEST_CONFIG compute-feature-enabled block_migration_for_live_migration ${USE_BLOCK_MIGRATION_FOR_LIVE_MIGRATION:-False}
+ iniset $TEMPEST_CONFIG compute-feature-enabled live_migrate_back_and_forth ${LIVE_MIGRATE_BACK_AND_FORTH:-False}
iniset $TEMPEST_CONFIG compute-feature-enabled attach_encrypted_volume ${ATTACH_ENCRYPTED_VOLUME_AVAILABLE:-True}
if is_service_enabled n-cell; then
# Cells doesn't support shelving/unshelving
diff --git a/lib/tls b/lib/tls
index fb2fa3a..7a7b104 100644
--- a/lib/tls
+++ b/lib/tls
@@ -343,7 +343,7 @@
# one. If the value for the CA is not rooted in /etc then we know
# we need to change it.
function fix_system_ca_bundle_path {
- if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+ if is_service_enabled tls-proxy; then
local capath
capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
@@ -362,27 +362,14 @@
}
+# Only for compatibility, return if the tls-proxy is enabled
+function is_ssl_enabled_service {
+ return is_service_enabled tls-proxy
+}
+
# Certificate Input Configuration
# ===============================
-# check to see if the service(s) specified are to be SSL enabled.
-#
-# Multiple services specified as arguments are ``OR``'ed together; the test
-# is a short-circuit boolean, i.e it returns on the first match.
-#
-# Uses global ``SSL_ENABLED_SERVICES``
-function is_ssl_enabled_service {
- local services=$@
- local service=""
- if [ "$USE_SSL" == "False" ]; then
- return 1
- fi
- for service in ${services}; do
- [[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0
- done
- return 1
-}
-
# Ensure that the certificates for a service are in place. This function does
# not check that a service is SSL enabled, this should already have been
# completed.
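Review bot: The new `is_ssl_enabled_service` shim uses `return is_service_enabled tls-proxy`, but bash's `return` takes a numeric status, not a command, so the call prints a "numeric argument required" error and the function always yields a non-zero status. Any plugin that still calls the shim to decide whether to configure HTTPS would therefore take the plain-HTTP branch even when tls-proxy is enabled. The body should run the command and let its status become the function's: `is_service_enabled tls-proxy`. The comment above it could also state that the service arguments are now ignored, e.g. `# Deprecated: arguments are ignored; succeeds only when tls-proxy is enabled`.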
@@ -525,7 +512,7 @@
KeepAlive Off
<Location />
- ProxyPass http://$b_host:$b_port/ retry=5 nocanon
+ ProxyPass http://$b_host:$b_port/ retry=0 nocanon
ProxyPassReverse http://$b_host:$b_port/
</Location>
ErrorLog $APACHE_LOG_DIR/tls-proxy_error.log
diff --git a/openrc b/openrc
index 483b5af..4cdb50e 100644
--- a/openrc
+++ b/openrc
@@ -73,8 +73,6 @@
fi
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
-KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
# Identity API version
export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
@@ -84,7 +82,7 @@
# the user/project has access to - including nova, glance, keystone, swift, ...
# We currently recommend using the version 3 *identity api*.
#
-export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
+export OS_AUTH_URL=$KEYSTONE_AUTH_URI
# Currently, in order to use openstackclient with Identity API v3,
# we need to set the domain which the user and project belong to.
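Review bot: `export OS_AUTH_URL=$KEYSTONE_AUTH_URI` has no fallback, while the previous hunk removes the `KEYSTONE_AUTH_PROTOCOL` and `KEYSTONE_AUTH_HOST` defaults that let openrc build the URL on its own. If nothing sourced earlier defines `KEYSTONE_AUTH_URI` (not visible in this diff), the variable is exported empty and clients fail with an unrelated-looking authentication error. A guard makes that explicit: `export OS_AUTH_URL=${KEYSTONE_AUTH_URI:?KEYSTONE_AUTH_URI is not set}`. The old value also appended `/v${OS_IDENTITY_API_VERSION}`, so it is worth confirming that the new URI is what clients expect together with `OS_IDENTITY_API_VERSION`.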
diff --git a/stack.sh b/stack.sh
index 759a8db..31ea2e1 100755
--- a/stack.sh
+++ b/stack.sh
@@ -348,6 +348,10 @@
# is pre-installed.
if [[ -f /etc/nodepool/provider ]]; then
SKIP_EPEL_INSTALL=True
+ if is_fedora; then
+ # However, EPEL is not enabled by default.
+ sudo yum-config-manager --enable epel
+ fi
fi
if is_fedora && [[ $DISTRO == "rhel7" ]] && \
@@ -539,13 +543,6 @@
source $TOP_DIR/lib/database
source $TOP_DIR/lib/rpc_backend
-# Service to enable with SSL if ``USE_SSL`` is True
-SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron"
-
-if is_service_enabled tls-proxy && [ "$USE_SSL" == "True" ]; then
- die $LINENO "tls-proxy and SSL are mutually exclusive"
-fi
-
# Configure Projects
# ==================
@@ -787,6 +784,9 @@
# Install Oslo libraries
install_oslo
+# Install uwsgi
+install_apache_uwsgi
+
# Install client libraries
install_keystoneauth
install_keystoneclient
@@ -806,7 +806,7 @@
fi
# Setup TLS certs
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+if is_service_enabled tls-proxy; then
configure_CA
init_CA
init_cert
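Review bot: With `USE_SSL` dropped from this condition, from the one before `fix_system_ca_bundle_path` in the next hunk and from lib/tls, a local.conf that still sets `USE_SSL=True` now gets no CA, no certificates and plain-HTTP endpoints without any message. The commit also deletes the old `die` guard that mentioned `USE_SSL`, so nothing tells the operator that transport encryption was silently turned off. A replacement check near the top of stack.sh would make the change explicit: `if [[ "${USE_SSL:-False}" == "True" ]]; then die $LINENO "USE_SSL is no longer supported; enable the tls-proxy service instead"; fi`.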
@@ -886,7 +886,7 @@
stack_install_service horizon
fi
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+if is_service_enabled tls-proxy; then
fix_system_ca_bundle_path
fi
diff --git a/stackrc b/stackrc
index 88f7541..ed1cf6e 100644
--- a/stackrc
+++ b/stackrc
@@ -225,6 +225,12 @@
# Zero disables timeouts
GIT_TIMEOUT=${GIT_TIMEOUT:-0}
+# How should we be handling WSGI deployments. By default we're going
+# to allow for 2 modes, which is "uwsgi" which runs with an apache
+# proxy uwsgi in front of it, or "mod_wsgi", which runs in
+# apache. mod_wsgi is deprecated, don't use it.
+WSGI_MODE=${WSGI_MODE:-"uwsgi"}
+
# Repositories
# ------------
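Review bot: The comment names two modes, but the consumers visible in this diff (lib/placement) only test `"$WSGI_MODE" == "uwsgi"` and treat every other value, including a typo, as mod_wsgi, the path the comment calls deprecated. A check after the assignment would catch that, assuming `die` is available at this point in stackrc: `[[ "$WSGI_MODE" == "uwsgi" || "$WSGI_MODE" == "mod_wsgi" ]] || die $LINENO "WSGI_MODE must be uwsgi or mod_wsgi"`. The comment would also read more clearly as `# WSGI deployment mode: "uwsgi" (uwsgi behind an apache proxy, the default) or "mod_wsgi" (inside apache, deprecated).`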
@@ -364,6 +370,10 @@
#
###################
+# castellan key manager interface
+GITREPO["castellan"]=${CASTELLAN_REPO:-${GIT_BASE}/openstack/castellan.git}
+GITBRANCH["castellan"]=${CASTELLAN_BRANCH:-master}
+
# cliff command line framework
GITREPO["cliff"]=${CLIFF_REPO:-${GIT_BASE}/openstack/cliff.git}
GITBRANCH["cliff"]=${CLIFF_BRANCH:-master}
@@ -483,6 +493,10 @@
#
##################
+# cursive library
+GITREPO["cursive"]=${CURSIVE_REPO:-${GIT_BASE}/openstack/cursive.git}
+GITBRANCH["cursive"]=${CURSIVE_BRANCH:-master}
+
# glance store library
GITREPO["glance_store"]=${GLANCE_STORE_REPO:-${GIT_BASE}/openstack/glance_store.git}
GITBRANCH["glance_store"]=${GLANCE_STORE_BRANCH:-master}
@@ -846,9 +860,6 @@
# Set to 0 to disable shallow cloning
GIT_DEPTH=${GIT_DEPTH:-0}
-# Use native SSL for servers in ``SSL_ENABLED_SERVICES``
-USE_SSL=$(trueorfalse False USE_SSL)
-
# We may not need to recreate database in case 2 Keystone services
# sharing the same database. It would be useful for multinode Grenade tests.
RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB)
diff --git a/tests/test_functions.sh b/tests/test_functions.sh
index 8aae23d..adf20cd 100755
--- a/tests/test_functions.sh
+++ b/tests/test_functions.sh
@@ -224,7 +224,7 @@
# test against removed package...was a bug on Ubuntu
if is_ubuntu; then
- PKG=cowsay
+ PKG=cowsay-off
if ! (dpkg -s $PKG >/dev/null 2>&1); then
# it was never installed...set up the condition
sudo apt-get install -y cowsay >/dev/null 2>&1
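Review bot: `PKG` now names `cowsay-off`, but the setup line still installs the literal `cowsay`, so the test only reaches the removed-package state if installing cowsay also pulls in cowsay-off, which cannot be confirmed from the hunk. Installing `"$PKG"` keeps the check and the setup on the same package: `sudo apt-get install -y "$PKG" >/dev/null 2>&1`. The rest of the test continues outside the hunk.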
diff --git a/tests/test_libs_from_pypi.sh b/tests/test_libs_from_pypi.sh
index 3d4bcd2..608ef6a 100755
--- a/tests/test_libs_from_pypi.sh
+++ b/tests/test_libs_from_pypi.sh
@@ -40,9 +40,10 @@
ALL_LIBS+=" oslo.i18n oslo.utils python-openstacksdk python-swiftclient"
ALL_LIBS+=" python-neutronclient tooz ceilometermiddleware oslo.policy"
ALL_LIBS+=" debtcollector os-brick automaton futurist oslo.service"
-ALL_LIBS+=" oslo.cache oslo.reports osprofiler"
+ALL_LIBS+=" oslo.cache oslo.reports osprofiler cursive"
ALL_LIBS+=" keystoneauth ironic-lib neutron-lib oslo.privsep"
ALL_LIBS+=" diskimage-builder os-vif python-brick-cinderclient-ext"
+ALL_LIBS+=" castellan"
# Generate the above list with
# echo ${!GITREPO[@]}
diff --git a/tools/dstat.sh b/tools/dstat.sh
index 1c80fb7..ae7306e 100755
--- a/tools/dstat.sh
+++ b/tools/dstat.sh
@@ -9,7 +9,7 @@
# Assumes:
# - dstat command is installed
-# Retreive log directory as argument from calling script.
+# Retrieve log directory as argument from calling script.
LOGDIR=$1
# Command line arguments for primary DStat process.
diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index 6f680b8..f3ba702 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -91,7 +91,9 @@
# Otherwise use upstream UCA
sudo add-apt-repository -y cloud-archive:ocata
fi
- sudo apt-get update
+ # Force update our APT repos, since we added UCA above.
+ REPOS_UPDATED=False
+ apt_get_update
fi
diff --git a/tools/xen/install_os_domU.sh b/tools/xen/install_os_domU.sh
index ac7af0d..f4ca71a 100755
--- a/tools/xen/install_os_domU.sh
+++ b/tools/xen/install_os_domU.sh
@@ -288,10 +288,6 @@
#
$THIS_DIR/build_xva.sh "$GUEST_NAME"
-XEN_INTEGRATION_BRIDGE_DEFAULT=$(bridge_for "$XEN_INT_BRIDGE_OR_NET_NAME")
-append_kernel_cmdline \
- "$GUEST_NAME"
-
FLAT_NETWORK_BRIDGE="${FLAT_NETWORK_BRIDGE:-$(bridge_for "$VM_BRIDGE_OR_NET_NAME")}"
append_kernel_cmdline "$GUEST_NAME" "flat_network_bridge=${FLAT_NETWORK_BRIDGE}"
diff --git a/unstack.sh b/unstack.sh
index b0ebaf7..485fed7 100755
--- a/unstack.sh
+++ b/unstack.sh
@@ -129,9 +129,6 @@
stop_tls_proxy
cleanup_CA
fi
-if [ "$USE_SSL" == "True" ]; then
- cleanup_CA
-fi
SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*