From 3bf69e835a043e7deecbbe3568426042961116a3 Mon Sep 17 00:00:00 2001 From: Ian Wienand Date: Tue, 15 Mar 2016 12:21:34 +1100 Subject: [PATCH] Remove EC2 API from devstack This all started with an investigation into Fedora's use of the euca2ools package. This package is a bit of a nightmare because it pulls in a lot of other system-python packages. For Ubuntu, this package was removed in I47b7e787771683c2fc4404e586f11c1a19aac15c. However, it is not actually a "pure python" package as described in that change, in that it is not installable from pypi. I can't see how you could actually run exercises/euca.sh on Ubuntu unless you installed euca2ools by hand -- ergo I suggest it is totally unused, because nobody seems to have reported problems. In the meantime, ec2 api has moved to a plugin [1] anyway where the recommendation in their README is to use the aws cli from amazon. Thus remove all the parts related to EC2 and euca2ools from base devstack. [1] https://git.openstack.org/cgit/openstack/ec2-api Change-Id: I8a07320b59ea6cd7d1fe8bce61af84b5a28fb39e --- README.md | 7 -- doc/source/eucarc.rst | 45 --------- doc/source/index.rst | 1 - eucarc | 40 -------- exercise.sh | 4 +- exerciserc | 6 -- exercises/bundle.sh | 74 --------------- exercises/client-args.sh | 1 - exercises/client-env.sh | 13 --- exercises/euca.sh | 192 --------------------------------------- files/rpms-suse/general | 1 - files/rpms/general | 1 - lib/heat | 3 - lib/nova | 8 -- stack.sh | 8 -- tools/create_userrc.sh | 64 +------------ 16 files changed, 3 insertions(+), 465 deletions(-) delete mode 100644 doc/source/eucarc.rst delete mode 100644 eucarc delete mode 100755 exercises/bundle.sh delete mode 100755 exercises/euca.sh diff --git a/README.md b/README.md index dd394c2e07..4ba4619c6d 100644 --- a/README.md +++ b/README.md 
@@ -61,13 +61,6 @@ cloud via CLI: # list instances nova list -If the EC2 API is your cup-o-tea, you can create credentials and use euca2ools: - - # source eucarc to generate EC2 credentials and set up the environment - . eucarc - # list instances using ec2 api - euca-describe-instances - # DevStack Execution Environment DevStack runs rampant over the system it runs on, installing things and diff --git a/doc/source/eucarc.rst b/doc/source/eucarc.rst deleted file mode 100644 index c2ecbc6732..0000000000 --- a/doc/source/eucarc.rst +++ /dev/null @@ -1,45 +0,0 @@ -===================== -eucarc - EC2 Settings -===================== - -``eucarc`` creates EC2 credentials for the current user as defined by -``OS_TENANT_NAME:OS_USERNAME``. ``eucarc`` sources ``openrc`` at the -beginning (which in turn sources ``stackrc`` and ``localrc``) in order -to set credentials to create EC2 credentials in Keystone. - -EC2\_URL - Set the EC2 url for euca2ools. The endpoint is extracted from the - service catalog for ``OS_TENANT_NAME:OS_USERNAME``. - - :: - - EC2_URL=$(openstack catalog show ec2 | awk '/ publicURL: / { print $4 }') - -S3\_URL - Set the S3 endpoint for euca2ools. The endpoint is extracted from - the service catalog for ``OS_TENANT_NAME:OS_USERNAME``. - - :: - - export S3_URL=$(openstack catalog show s3 | awk '/ publicURL: / { print $4 }') - -EC2\_ACCESS\_KEY, EC2\_SECRET\_KEY - Create EC2 credentials for the current tenant:user in Keystone. - - :: - - CREDS=$(openstack ec2 credentials create) - export EC2_ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }') - export EC2_SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }') - -Certificates for Bundling - Euca2ools requires certificate files to enable bundle uploading. The - exercise script ``exercises/bundle.sh`` demonstrated retrieving - certificates using the Nova CLI. - - :: - - EC2_PRIVATE_KEY=pk.pem - EC2_CERT=cert.pem - NOVA_CERT=cacert.pem - EUCALYPTUS_CERT=${NOVA_CERT} 
diff --git a/doc/source/index.rst b/doc/source/index.rst index 3e324adefc..c79b2ce0c7 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -217,7 +217,6 @@ Configuration stackrc openrc exerciserc - eucarc Tools ----- diff --git a/eucarc b/eucarc deleted file mode 100644 index 1e672bd932..0000000000 --- a/eucarc +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/env bash -# -# source eucarc [username] [tenantname] -# -# Create EC2 credentials for the current user as defined by OS_TENANT_NAME:OS_USERNAME -# Optionally set the tenant/username via openrc - -if [[ -n "$1" ]]; then - USERNAME=$1 -fi -if [[ -n "$2" ]]; then - TENANT=$2 -fi - -# Find the other rc files -RC_DIR=$(cd $(dirname "${BASH_SOURCE:-$0}") && pwd) - -# Get user configuration -source $RC_DIR/openrc - -# Set the ec2 url so euca2ools works -export EC2_URL=$(openstack catalog show ec2 | awk '/ publicURL: / { print $4 }') - -# Create EC2 credentials for the current user -CREDS=$(openstack ec2 credentials create) -export EC2_ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }') -export EC2_SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }') - -# Euca2ools Certificate stuff for uploading bundles -# See exercises/bundle.sh to see how to get certs using nova cli -NOVA_KEY_DIR=${NOVA_KEY_DIR:-$RC_DIR} -export S3_URL=$(openstack catalog show s3 | awk '/ publicURL: / { print $4 }') -export EC2_USER_ID=42 # nova does not use user id, but bundling requires it -export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem -export EC2_CERT=${NOVA_KEY_DIR}/cert.pem -export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem -export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set -alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user ${EC2_USER_ID} --ec2cert ${NOVA_CERT}" -alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}" - 
diff --git a/exercise.sh b/exercise.sh index 19c9d80451..90670333a1 100755 --- a/exercise.sh +++ b/exercise.sh @@ -14,11 +14,11 @@ source $TOP_DIR/stackrc # Run everything in the exercises/ directory that isn't explicitly disabled # comma separated list of script basenames to skip -# to refrain from exercising euca.sh use ``SKIP_EXERCISES=euca`` +# to refrain from exercising foo.sh use ``SKIP_EXERCISES=foo`` SKIP_EXERCISES=${SKIP_EXERCISES:-""} # comma separated list of script basenames to run -# to run only euca.sh use ``RUN_EXERCISES=euca`` +# to run only foo.sh use ``RUN_EXERCISES=foo`` basenames=${RUN_EXERCISES:-""} EXERCISE_DIR=$TOP_DIR/exercises diff --git a/exerciserc b/exerciserc index 9105fe3331..978e0b3791 100644 --- a/exerciserc +++ b/exerciserc @@ -21,12 +21,6 @@ export RUNNING_TIMEOUT=${RUNNING_TIMEOUT:-$(($BOOT_TIMEOUT + $ACTIVE_TIMEOUT))} # Max time to wait for a vm to terminate export TERMINATE_TIMEOUT=${TERMINATE_TIMEOUT:-30} -# Max time to wait for a euca-volume command to propagate -export VOLUME_TIMEOUT=${VOLUME_TIMEOUT:-30} - -# Max time to wait for a euca-delete command to propagate -export VOLUME_DELETE_TIMEOUT=${SNAPSHOT_DELETE_TIMEOUT:-60} - # The size of the volume we want to boot from; some storage back-ends # do not allow a disk resize, so it's important that this can be tuned export DEFAULT_VOLUME_SIZE=${DEFAULT_VOLUME_SIZE:-1} diff --git a/exercises/bundle.sh b/exercises/bundle.sh deleted file mode 100755 index 5470960b91..0000000000 --- a/exercises/bundle.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/env bash - -# **bundle.sh** - -# we will use the ``euca2ools`` cli tool that wraps the python boto -# library to test ec2 bundle upload compatibility - -echo "*********************************************************************" -echo "Begin DevStack Exercise: $0" -echo "*********************************************************************" - -# This script exits on an error so that errors don't compound and you see -# only the first error that occurred. -set -o errexit - -# Print the commands being run so that we can see the command that triggers -# an error. It is also useful for following allowing as the install occurs. -set -o xtrace - - -# Settings -# ======== - -# Keep track of the current directory -EXERCISE_DIR=$(cd $(dirname "$0") && pwd) -TOP_DIR=$(cd $EXERCISE_DIR/..; pwd) - -# Import common functions -source $TOP_DIR/functions - -# Import EC2 configuration -source $TOP_DIR/eucarc - -# Import exercise configuration -source $TOP_DIR/exerciserc - -# Remove old certificates -rm -f $TOP_DIR/cacert.pem -rm -f $TOP_DIR/cert.pem -rm -f $TOP_DIR/pk.pem - -# If nova api is not enabled we exit with exitcode 55 so that -# the exercise is skipped -is_service_enabled n-api || exit 55 - -# Get Certificates -nova x509-get-root-cert $TOP_DIR/cacert.pem -nova x509-create-cert $TOP_DIR/pk.pem $TOP_DIR/cert.pem - -# Max time to wait for image to be registered -REGISTER_TIMEOUT=${REGISTER_TIMEOUT:-15} - -BUCKET=testbucket -IMAGE=bundle.img -truncate -s 5M /tmp/$IMAGE -euca-bundle-image -i /tmp/$IMAGE || die $LINENO "Failure bundling image $IMAGE" - -euca-upload-bundle --debug -b $BUCKET -m /tmp/$IMAGE.manifest.xml || die $LINENO "Failure uploading bundle $IMAGE to $BUCKET" - -AMI=`euca-register $BUCKET/$IMAGE.manifest.xml | cut -f2` -die_if_not_set $LINENO AMI "Failure registering $BUCKET/$IMAGE" - -# Wait for the image to become available -if ! 
timeout $REGISTER_TIMEOUT sh -c "while euca-describe-images | grep $AMI | grep -q available; do sleep 1; done"; then - die $LINENO "Image $AMI not available within $REGISTER_TIMEOUT seconds" -fi - -# Clean up -euca-deregister $AMI || die $LINENO "Failure deregistering $AMI" - -set +o xtrace -echo "*********************************************************************" -echo "SUCCESS: End DevStack Exercise: $0" -echo "*********************************************************************" diff --git a/exercises/client-args.sh b/exercises/client-args.sh index 07ce5284e8..2c8fe81390 100755 --- a/exercises/client-args.sh +++ b/exercises/client-args.sh @@ -83,7 +83,6 @@ fi if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then if [[ "$SKIP_EXERCISES" =~ "n-api" ]]; then STATUS_NOVA="Skipped" - STATUS_EC2="Skipped" else # Test OSAPI echo -e "\nTest Nova" diff --git a/exercises/client-env.sh b/exercises/client-env.sh index 1d2f4f5689..6ab4d08715 100755 --- a/exercises/client-env.sh +++ b/exercises/client-env.sh @@ -78,7 +78,6 @@ fi if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then if [[ "$SKIP_EXERCISES" =~ "n-api" ]]; then STATUS_NOVA="Skipped" - STATUS_EC2="Skipped" else # Test OSAPI echo -e "\nTest Nova" @@ -89,17 +88,6 @@ if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then RETURN=1 fi - # Test EC2 API - echo -e "\nTest EC2" - # Get EC2 creds - source $TOP_DIR/eucarc - - if euca-describe-images; then - STATUS_EC2="Succeeded" - else - STATUS_EC2="Failed" - RETURN=1 - fi fi fi @@ -170,7 +158,6 @@ function report { echo -e "\n" report "Keystone" $STATUS_KEYSTONE report "Nova" $STATUS_NOVA -report "EC2" $STATUS_EC2 report "Cinder" $STATUS_CINDER report "Glance" $STATUS_GLANCE report "Swift" $STATUS_SWIFT diff --git a/exercises/euca.sh b/exercises/euca.sh deleted file mode 100755 index 60e7d8ca29..0000000000 --- a/exercises/euca.sh +++ /dev/null 
@@ -1,192 +0,0 @@ -#!/usr/bin/env bash - -# **euca.sh** - -# we will use the ``euca2ools`` cli tool that wraps the python boto -# library to test ec2 compatibility - -echo "*********************************************************************" -echo "Begin DevStack Exercise: $0" -echo "*********************************************************************" - -# This script exits on an error so that errors don't compound and you see -# only the first error that occurred. -set -o errexit - -# Print the commands being run so that we can see the command that triggers -# an error. It is also useful for following allowing as the install occurs. -set -o xtrace - -# Settings -# ======== - -# Keep track of the current directory -EXERCISE_DIR=$(cd $(dirname "$0") && pwd) -TOP_DIR=$(cd $EXERCISE_DIR/..; pwd) -VOLUME_SIZE=1 -ATTACH_DEVICE=/dev/vdc - -# Import common functions -source $TOP_DIR/functions - -# Import EC2 configuration -source $TOP_DIR/eucarc - -# Import exercise configuration -source $TOP_DIR/exerciserc - -# Import project functions -source $TOP_DIR/lib/neutron-legacy - -# If nova api is not enabled we exit with exitcode 55 so that -# the exercise is skipped -is_service_enabled n-api || exit 55 - -# Instance type to create -DEFAULT_INSTANCE_TYPE=${DEFAULT_INSTANCE_TYPE:-m1.tiny} - -# Boot this image, use first AMI image if unset -DEFAULT_IMAGE_NAME=${DEFAULT_IMAGE_NAME:-ami} - -# Security group name -SECGROUP=${SECGROUP:-euca_secgroup} - - -# Launching a server -# ================== - -# Find a machine image to boot -IMAGE=`euca-describe-images | grep machine | grep ${DEFAULT_IMAGE_NAME} | cut -f2 | head -n1` -die_if_not_set $LINENO IMAGE "Failure getting image $DEFAULT_IMAGE_NAME" - -if is_service_enabled n-cell; then - # Cells does not support security groups, so force the use of "default" - SECGROUP="default" - echo "Using the default security group because of Cells." -else - # Add a secgroup - if ! 
euca-describe-groups | grep -q $SECGROUP; then - euca-add-group -d "$SECGROUP description" $SECGROUP - if ! timeout $ASSOCIATE_TIMEOUT sh -c "while ! euca-describe-groups | grep -q $SECGROUP; do sleep 1; done"; then - die $LINENO "Security group not created" - fi - fi -fi - -# Launch it -INSTANCE=`euca-run-instances -g $SECGROUP -t $DEFAULT_INSTANCE_TYPE $IMAGE | grep INSTANCE | cut -f2` -die_if_not_set $LINENO INSTANCE "Failure launching instance" - -# Assure it has booted within a reasonable time -if ! timeout $RUNNING_TIMEOUT sh -c "while ! euca-describe-instances $INSTANCE | grep -q running; do sleep 1; done"; then - die $LINENO "server didn't become active within $RUNNING_TIMEOUT seconds" -fi - -# Volumes -# ------- -if is_service_enabled c-vol && ! is_service_enabled n-cell && [ "$VIRT_DRIVER" != "ironic" ]; then - VOLUME_ZONE=`euca-describe-availability-zones | head -n1 | cut -f2` - die_if_not_set $LINENO VOLUME_ZONE "Failure to find zone for volume" - - VOLUME=`euca-create-volume -s 1 -z $VOLUME_ZONE` || die $LINENO "Failure to create volume" - VOLUME=`echo "$VOLUME" | cut -f2` - die_if_not_set $LINENO VOLUME "Failure to create volume" - - # Test that volume has been created - VOLUME=`euca-describe-volumes $VOLUME | cut -f2` - die_if_not_set $LINENO VOLUME "Failure to get volume" - - # Test volume has become available - if ! timeout $RUNNING_TIMEOUT sh -c "while ! euca-describe-volumes $VOLUME | grep -q available; do sleep 1; done"; then - die $LINENO "volume didn't become available within $RUNNING_TIMEOUT seconds" - fi - - # Attach volume to an instance - euca-attach-volume -i $INSTANCE -d $ATTACH_DEVICE $VOLUME || \ - die $LINENO "Failure attaching volume $VOLUME to $INSTANCE" - if ! timeout $ACTIVE_TIMEOUT sh -c "while ! 
euca-describe-volumes $VOLUME | grep -A 1 in-use | grep -q attach; do sleep 1; done"; then - die $LINENO "Could not attach $VOLUME to $INSTANCE" - fi - - # Detach volume from an instance - euca-detach-volume $VOLUME || \ - die $LINENO "Failure detaching volume $VOLUME to $INSTANCE" - if ! timeout $ACTIVE_TIMEOUT sh -c "while ! euca-describe-volumes $VOLUME | grep -q available; do sleep 1; done"; then - die $LINENO "Could not detach $VOLUME to $INSTANCE" - fi - - # Remove volume - euca-delete-volume $VOLUME || \ - die $LINENO "Failure to delete volume" - if ! timeout $ACTIVE_TIMEOUT sh -c "while euca-describe-volumes | grep $VOLUME; do sleep 1; done"; then - die $LINENO "Could not delete $VOLUME" - fi -else - echo "Volume Tests Skipped" -fi - -if is_service_enabled n-cell; then - echo "Floating IP Tests Skipped because of Cells." -else - # Allocate floating address - FLOATING_IP=`euca-allocate-address | cut -f2` - die_if_not_set $LINENO FLOATING_IP "Failure allocating floating IP" - # describe all instances at this moment - euca-describe-instances - # Associate floating address - euca-associate-address -i $INSTANCE $FLOATING_IP || \ - die $LINENO "Failure associating address $FLOATING_IP to $INSTANCE" - - # Authorize pinging - euca-authorize -P icmp -s 0.0.0.0/0 -t -1:-1 $SECGROUP || \ - die $LINENO "Failure authorizing rule in $SECGROUP" - - # Test we can ping our floating ip within ASSOCIATE_TIMEOUT seconds - ping_check $FLOATING_IP $ASSOCIATE_TIMEOUT "$PUBLIC_NETWORK_NAME" - - # Revoke pinging - euca-revoke -P icmp -s 0.0.0.0/0 -t -1:-1 $SECGROUP || \ - die $LINENO "Failure revoking rule in $SECGROUP" - - # Release floating address - euca-disassociate-address $FLOATING_IP || \ - die $LINENO "Failure disassociating address $FLOATING_IP" - - # Wait just a tick for everything above to complete so release doesn't fail - if ! 
timeout $ASSOCIATE_TIMEOUT sh -c "while euca-describe-addresses | grep $INSTANCE | grep -q $FLOATING_IP; do sleep 1; done"; then - die $LINENO "Floating ip $FLOATING_IP not disassociated within $ASSOCIATE_TIMEOUT seconds" - fi - - # Release floating address - euca-release-address $FLOATING_IP || \ - die $LINENO "Failure releasing address $FLOATING_IP" - - # Wait just a tick for everything above to complete so terminate doesn't fail - if ! timeout $ASSOCIATE_TIMEOUT sh -c "while euca-describe-addresses | grep -q $FLOATING_IP; do sleep 1; done"; then - die $LINENO "Floating ip $FLOATING_IP not released within $ASSOCIATE_TIMEOUT seconds" - fi -fi - -# Terminate instance -euca-terminate-instances $INSTANCE || \ - die $LINENO "Failure terminating instance $INSTANCE" - -# Assure it has terminated within a reasonable time. The behaviour of this -# case changed with bug/836978. Requesting the status of an invalid instance -# will now return an error message including the instance id, so we need to -# filter that out. -if ! timeout $TERMINATE_TIMEOUT sh -c "while euca-describe-instances $INSTANCE | grep -ve '\(InstanceNotFound\|InvalidInstanceID\.NotFound\)' | grep -q $INSTANCE; do sleep 1; done"; then - die $LINENO "server didn't terminate within $TERMINATE_TIMEOUT seconds" -fi - -if [[ "$SECGROUP" = "default" ]] ; then - echo "Skipping deleting default security group" -else - # Delete secgroup - euca-delete-group $SECGROUP || die $LINENO "Failure deleting security group $SECGROUP" -fi - -set +o xtrace -echo "*********************************************************************" -echo "SUCCESS: End DevStack Exercise: $0" -echo "*********************************************************************" diff --git a/files/rpms-suse/general b/files/rpms-suse/general index 34a29554f7..e3dfec1047 100644 --- a/files/rpms-suse/general +++ b/files/rpms-suse/general @@ -2,7 +2,6 @@ bc bridge-utils ca-certificates-mozilla curl -euca2ools gcc gcc-c++ git-core 
diff --git a/files/rpms/general b/files/rpms/general index a0906e2587..6d5fd1565c 100644 --- a/files/rpms/general +++ b/files/rpms/general @@ -2,7 +2,6 @@ bc bridge-utils curl dbus -euca2ools # only for testing client gcc gcc-c++ gettext # used for compiling message catalogs diff --git a/lib/heat b/lib/heat index 41318787b3..2cf7a19d40 100644 --- a/lib/heat +++ b/lib/heat @@ -166,9 +166,6 @@ function configure_heat { # clients_keystone iniset $HEAT_CONF clients_keystone auth_uri $KEYSTONE_AUTH_URI - # ec2authtoken - iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0 - # OpenStack API iniset $HEAT_CONF heat_api bind_port $HEAT_API_PORT iniset $HEAT_CONF heat_api workers "$API_WORKERS" diff --git a/lib/nova b/lib/nova index fd458c5701..3a5a47fa27 100644 --- a/lib/nova +++ b/lib/nova @@ -74,9 +74,6 @@ NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False} if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then NOVA_SERVICE_PROTOCOL="https" - EC2_SERVICE_PROTOCOL="https" -else - EC2_SERVICE_PROTOCOL="http" fi # Public facing bits @@ -86,8 +83,6 @@ NOVA_SERVICE_PORT_INT=${NOVA_SERVICE_PORT_INT:-18774} NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} NOVA_SERVICE_LOCAL_HOST=${NOVA_SERVICE_LOCAL_HOST:-$SERVICE_LOCAL_HOST} NOVA_SERVICE_LISTEN_ADDRESS=${NOVA_SERVICE_LISTEN_ADDRESS:-$SERVICE_LISTEN_ADDRESS} -EC2_SERVICE_PORT=${EC2_SERVICE_PORT:-8773} -EC2_SERVICE_PORT_INT=${EC2_SERVICE_PORT_INT:-18773} METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775} # Option to enable/disable config drive 
@@ -140,7 +135,6 @@ NETWORK_MANAGER=${NETWORK_MANAGER:-${NET_MAN:-FlatDHCPManager}} PUBLIC_INTERFACE=${PUBLIC_INTERFACE:-$PUBLIC_INTERFACE_DEFAULT} VLAN_INTERFACE=${VLAN_INTERFACE:-$GUEST_INTERFACE_DEFAULT} FLAT_NETWORK_BRIDGE=${FLAT_NETWORK_BRIDGE:-$FLAT_NETWORK_BRIDGE_DEFAULT} -EC2_DMZ_HOST=${EC2_DMZ_HOST:-$SERVICE_HOST} # If you are using the FlatDHCP network mode on multiple hosts, set the # ``FLAT_INTERFACE`` variable but make sure that the interface doesn't already @@ -594,7 +588,6 @@ function create_nova_conf { iniset $NOVA_CONF spice enabled false fi - iniset $NOVA_CONF DEFAULT ec2_dmz_host "$EC2_DMZ_HOST" iniset_rpc_backend nova $NOVA_CONF iniset $NOVA_CONF glance api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}" @@ -810,7 +803,6 @@ function start_nova_api { # Start proxies if enabled if is_service_enabled tls-proxy; then start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & - start_tls_proxy '*' $EC2_SERVICE_PORT $NOVA_SERVICE_HOST $EC2_SERVICE_PORT_INT & fi export PATH=$old_path diff --git a/stack.sh b/stack.sh index 0be3585020..5c16f042d8 100755 --- a/stack.sh +++ b/stack.sh @@ -1208,14 +1208,6 @@ if is_service_enabled g-reg; then done fi -# Create an access key and secret key for Nova EC2 register image -if is_service_enabled keystone && is_service_enabled swift3 && is_service_enabled nova; then - eval $(openstack ec2 credentials create --user nova --project $SERVICE_PROJECT_NAME -f shell -c access -c secret) - iniset $NOVA_CONF DEFAULT s3_access_key "$access" - iniset $NOVA_CONF DEFAULT s3_secret_key "$secret" - iniset $NOVA_CONF DEFAULT s3_affix_tenant "True" -fi - # Create a randomized default value for the keymgr's fixed_key if is_service_enabled nova; then iniset $NOVA_CONF keymgr fixed_key $(generate_hex_string 32) diff --git a/tools/create_userrc.sh b/tools/create_userrc.sh index 74d5428382..3325c5e586 100755 --- a/tools/create_userrc.sh +++ b/tools/create_userrc.sh 
@@ -156,30 +156,6 @@ if [ -z "$MODE" ]; then exit 3 fi -EC2_URL=$(openstack endpoint list --service ec2 --interface public --os-identity-api-version=3 -c URL -f value || true) -if [[ -z $EC2_URL ]]; then - EC2_URL=http://localhost:8773/ -fi - -S3_URL=$(openstack endpoint list --service s3 --interface public --os-identity-api-version=3 -c URL -f value || true) -if [[ -z $S3_URL ]]; then - S3_URL=http://localhost:3333 -fi - -mkdir -p "$ACCOUNT_DIR" -ACCOUNT_DIR=`readlink -f "$ACCOUNT_DIR"` -EUCALYPTUS_CERT=$ACCOUNT_DIR/cacert.pem -if [ -e "$EUCALYPTUS_CERT" ]; then - mv "$EUCALYPTUS_CERT" "$EUCALYPTUS_CERT.old" -fi -if ! nova x509-get-root-cert "$EUCALYPTUS_CERT"; then - echo "Failed to update the root certificate: $EUCALYPTUS_CERT" >&2 - if [ -e "$EUCALYPTUS_CERT.old" ]; then - mv "$EUCALYPTUS_CERT.old" "$EUCALYPTUS_CERT" - fi -fi - - function add_entry { local user_id=$1 local user_name=$2 
@@ -187,54 +163,16 @@ function add_entry { local project_name=$4 local user_passwd=$5 - # The admin user can see all user's secret AWS keys, it does not looks good - local line - line=$(openstack ec2 credentials list --user $user_id | grep " $project_id " || true) - if [ -z "$line" ]; then - openstack ec2 credentials create --user $user_id --project $project_id 1>&2 - line=`openstack ec2 credentials list --user $user_id | grep " $project_id "` - fi - local ec2_access_key ec2_secret_key - read ec2_access_key ec2_secret_key <<< `echo $line | awk '{print $2 " " $4 }'` mkdir -p "$ACCOUNT_DIR/$project_name" local rcfile="$ACCOUNT_DIR/$project_name/$user_name" - # The certs subject part are the project ID "dash" user ID, but the CN should be the first part of the DN - # Generally the subject DN parts should be in reverse order like the Issuer - # The Serial does not seams correctly marked either - local ec2_cert="$rcfile-cert.pem" - local ec2_private_key="$rcfile-pk.pem" - # Try to preserve the original file on fail (best effort) - if [ -e "$ec2_private_key" ]; then - mv -f "$ec2_private_key" "$ec2_private_key.old" - fi - if [ -e "$ec2_cert" ]; then - mv -f "$ec2_cert" "$ec2_cert.old" - fi - # It will not create certs when the password is incorrect - if ! nova --os-password "$user_passwd" --os-username "$user_name" --os-project-name "$project_name" x509-create-cert "$ec2_private_key" "$ec2_cert"; then - if [ -e "$ec2_private_key.old" ]; then - mv -f "$ec2_private_key.old" "$ec2_private_key" - fi - if [ -e "$ec2_cert.old" ]; then - mv -f "$ec2_cert.old" "$ec2_cert" - fi - fi + cat >"$rcfile" <