openstack/devstack
Code Issues Proposed changes

Merge "Remove EC2 API from devstack"

Browse Source
This commit is contained in:
Jenkins 2016-03-17 18:01:59 +00:00 committed by Gerrit Code Review
commit 320f0d79a5
16 changed files with 3 additions and 465 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -61,13 +61,6 @@ cloud via CLI:
# list instances # list instances
nova list nova list
If the EC2 API is your cup-o-tea, you can create credentials and use euca2ools:
# source eucarc to generate EC2 credentials and set up the environment
. eucarc
# list instances using ec2 api
euca-describe-instances
# DevStack Execution Environment # DevStack Execution Environment
DevStack runs rampant over the system it runs on, installing things and DevStack runs rampant over the system it runs on, installing things and

45
doc/source/eucarc.rst
View File

@ -1,45 +0,0 @@
=====================
eucarc - EC2 Settings
=====================
``eucarc`` creates EC2 credentials for the current user as defined by
``OS_TENANT_NAME:OS_USERNAME``. ``eucarc`` sources ``openrc`` at the
beginning (which in turn sources ``stackrc`` and ``localrc``) in order
to set credentials to create EC2 credentials in Keystone.
EC2\_URL
Set the EC2 url for euca2ools. The endpoint is extracted from the
service catalog for ``OS_TENANT_NAME:OS_USERNAME``.
::
EC2_URL=$(openstack catalog show ec2 | awk '/ publicURL: / { print $4 }')
S3\_URL
Set the S3 endpoint for euca2ools. The endpoint is extracted from
the service catalog for ``OS_TENANT_NAME:OS_USERNAME``.
::
export S3_URL=$(openstack catalog show s3 | awk '/ publicURL: / { print $4 }')
EC2\_ACCESS\_KEY, EC2\_SECRET\_KEY
Create EC2 credentials for the current tenant:user in Keystone.
::
CREDS=$(openstack ec2 credentials create)
export EC2_ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
export EC2_SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
Certificates for Bundling
Euca2ools requires certificate files to enable bundle uploading. The
exercise script ``exercises/bundle.sh`` demonstrated retrieving
certificates using the Nova CLI.
::
EC2_PRIVATE_KEY=pk.pem
EC2_CERT=cert.pem
NOVA_CERT=cacert.pem
EUCALYPTUS_CERT=${NOVA_CERT}

1
doc/source/index.rst
View File

@ -217,7 +217,6 @@ Configuration
stackrc stackrc
openrc openrc
exerciserc exerciserc
eucarc
Tools Tools
----- -----

40
eucarc
View File

@ -1,40 +0,0 @@
#!/usr/bin/env bash
#
# source eucarc [username] [tenantname]
#
# Create EC2 credentials for the current user as defined by OS_TENANT_NAME:OS_USERNAME
# Optionally set the tenant/username via openrc
if [[ -n "$1" ]]; then
USERNAME=$1
fi
if [[ -n "$2" ]]; then
TENANT=$2
fi
# Find the other rc files
RC_DIR=$(cd $(dirname "${BASH_SOURCE:-$0}") && pwd)
# Get user configuration
source $RC_DIR/openrc
# Set the ec2 url so euca2ools works
export EC2_URL=$(openstack catalog show ec2 | awk '/ publicURL: / { print $4 }')
# Create EC2 credentials for the current user
CREDS=$(openstack ec2 credentials create)
export EC2_ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
export EC2_SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
# Euca2ools Certificate stuff for uploading bundles
# See exercises/bundle.sh to see how to get certs using nova cli
NOVA_KEY_DIR=${NOVA_KEY_DIR:-$RC_DIR}
export S3_URL=$(openstack catalog show s3 | awk '/ publicURL: / { print $4 }')
export EC2_USER_ID=42 # nova does not use user id, but bundling requires it
export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem
export EC2_CERT=${NOVA_KEY_DIR}/cert.pem
export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem
export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set
alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user ${EC2_USER_ID} --ec2cert ${NOVA_CERT}"
alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"

4
exercise.sh
View File

@ -14,11 +14,11 @@ source $TOP_DIR/stackrc
# Run everything in the exercises/ directory that isn't explicitly disabled # Run everything in the exercises/ directory that isn't explicitly disabled
# comma separated list of script basenames to skip # comma separated list of script basenames to skip
# to refrain from exercising euca.sh use ``SKIP_EXERCISES=euca`` # to refrain from exercising foo.sh use ``SKIP_EXERCISES=foo``
SKIP_EXERCISES=${SKIP_EXERCISES:-""} SKIP_EXERCISES=${SKIP_EXERCISES:-""}
# comma separated list of script basenames to run # comma separated list of script basenames to run
# to run only euca.sh use ``RUN_EXERCISES=euca`` # to run only foo.sh use ``RUN_EXERCISES=foo``
basenames=${RUN_EXERCISES:-""} basenames=${RUN_EXERCISES:-""}
EXERCISE_DIR=$TOP_DIR/exercises EXERCISE_DIR=$TOP_DIR/exercises

6
exerciserc
View File

@ -21,12 +21,6 @@ export RUNNING_TIMEOUT=${RUNNING_TIMEOUT:-$(($BOOT_TIMEOUT + $ACTIVE_TIMEOUT))}
# Max time to wait for a vm to terminate # Max time to wait for a vm to terminate
export TERMINATE_TIMEOUT=${TERMINATE_TIMEOUT:-30} export TERMINATE_TIMEOUT=${TERMINATE_TIMEOUT:-30}
# Max time to wait for a euca-volume command to propagate
export VOLUME_TIMEOUT=${VOLUME_TIMEOUT:-30}
# Max time to wait for a euca-delete command to propagate
export VOLUME_DELETE_TIMEOUT=${SNAPSHOT_DELETE_TIMEOUT:-60}
# The size of the volume we want to boot from; some storage back-ends # The size of the volume we want to boot from; some storage back-ends
# do not allow a disk resize, so it's important that this can be tuned # do not allow a disk resize, so it's important that this can be tuned
export DEFAULT_VOLUME_SIZE=${DEFAULT_VOLUME_SIZE:-1} export DEFAULT_VOLUME_SIZE=${DEFAULT_VOLUME_SIZE:-1}

74
exercises/bundle.sh
View File

@ -1,74 +0,0 @@
#!/usr/bin/env bash
# **bundle.sh**
# we will use the ``euca2ools`` cli tool that wraps the python boto
# library to test ec2 bundle upload compatibility
echo "*********************************************************************"
echo "Begin DevStack Exercise: $0"
echo "*********************************************************************"
# This script exits on an error so that errors don't compound and you see
# only the first error that occurred.
set -o errexit
# Print the commands being run so that we can see the command that triggers
# an error. It is also useful for following allowing as the install occurs.
set -o xtrace
# Settings
# ========
# Keep track of the current directory
EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
# Import common functions
source $TOP_DIR/functions
# Import EC2 configuration
source $TOP_DIR/eucarc
# Import exercise configuration
source $TOP_DIR/exerciserc
# Remove old certificates
rm -f $TOP_DIR/cacert.pem
rm -f $TOP_DIR/cert.pem
rm -f $TOP_DIR/pk.pem
# If nova api is not enabled we exit with exitcode 55 so that
# the exercise is skipped
is_service_enabled n-api || exit 55
# Get Certificates
nova x509-get-root-cert $TOP_DIR/cacert.pem
nova x509-create-cert $TOP_DIR/pk.pem $TOP_DIR/cert.pem
# Max time to wait for image to be registered
REGISTER_TIMEOUT=${REGISTER_TIMEOUT:-15}
BUCKET=testbucket
IMAGE=bundle.img
truncate -s 5M /tmp/$IMAGE
euca-bundle-image -i /tmp/$IMAGE || die $LINENO "Failure bundling image $IMAGE"
euca-upload-bundle --debug -b $BUCKET -m /tmp/$IMAGE.manifest.xml || die $LINENO "Failure uploading bundle $IMAGE to $BUCKET"
AMI=`euca-register $BUCKET/$IMAGE.manifest.xml | cut -f2`
die_if_not_set $LINENO AMI "Failure registering $BUCKET/$IMAGE"
# Wait for the image to become available
if ! timeout $REGISTER_TIMEOUT sh -c "while euca-describe-images | grep $AMI | grep -q available; do sleep 1; done"; then
die $LINENO "Image $AMI not available within $REGISTER_TIMEOUT seconds"
fi
# Clean up
euca-deregister $AMI || die $LINENO "Failure deregistering $AMI"
set +o xtrace
echo "*********************************************************************"
echo "SUCCESS: End DevStack Exercise: $0"
echo "*********************************************************************"

1
exercises/client-args.sh
View File

@ -83,7 +83,6 @@ fi
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
if [[ "$SKIP_EXERCISES" =~ "n-api" ]]; then if [[ "$SKIP_EXERCISES" =~ "n-api" ]]; then
STATUS_NOVA="Skipped" STATUS_NOVA="Skipped"
STATUS_EC2="Skipped"
else else
# Test OSAPI # Test OSAPI
echo -e "\nTest Nova" echo -e "\nTest Nova"

13
exercises/client-env.sh
View File

@ -78,7 +78,6 @@ fi
if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
if [[ "$SKIP_EXERCISES" =~ "n-api" ]]; then if [[ "$SKIP_EXERCISES" =~ "n-api" ]]; then
STATUS_NOVA="Skipped" STATUS_NOVA="Skipped"
STATUS_EC2="Skipped"
else else
# Test OSAPI # Test OSAPI
echo -e "\nTest Nova" echo -e "\nTest Nova"
@ -89,17 +88,6 @@ if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
RETURN=1 RETURN=1
fi fi
# Test EC2 API
echo -e "\nTest EC2"
# Get EC2 creds
source $TOP_DIR/eucarc
if euca-describe-images; then
STATUS_EC2="Succeeded"
else
STATUS_EC2="Failed"
RETURN=1
fi
fi fi
fi fi
@ -170,7 +158,6 @@ function report {
echo -e "\n" echo -e "\n"
report "Keystone" $STATUS_KEYSTONE report "Keystone" $STATUS_KEYSTONE
report "Nova" $STATUS_NOVA report "Nova" $STATUS_NOVA
report "EC2" $STATUS_EC2
report "Cinder" $STATUS_CINDER report "Cinder" $STATUS_CINDER
report "Glance" $STATUS_GLANCE report "Glance" $STATUS_GLANCE
report "Swift" $STATUS_SWIFT report "Swift" $STATUS_SWIFT

192
exercises/euca.sh
View File

@ -1,192 +0,0 @@
#!/usr/bin/env bash
# **euca.sh**
# we will use the ``euca2ools`` cli tool that wraps the python boto
# library to test ec2 compatibility
echo "*********************************************************************"
echo "Begin DevStack Exercise: $0"
echo "*********************************************************************"
# This script exits on an error so that errors don't compound and you see
# only the first error that occurred.
set -o errexit
# Print the commands being run so that we can see the command that triggers
# an error. It is also useful for following allowing as the install occurs.
set -o xtrace
# Settings
# ========
# Keep track of the current directory
EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
VOLUME_SIZE=1
ATTACH_DEVICE=/dev/vdc
# Import common functions
source $TOP_DIR/functions
# Import EC2 configuration
source $TOP_DIR/eucarc
# Import exercise configuration
source $TOP_DIR/exerciserc
# Import project functions
source $TOP_DIR/lib/neutron-legacy
# If nova api is not enabled we exit with exitcode 55 so that
# the exercise is skipped
is_service_enabled n-api || exit 55
# Instance type to create
DEFAULT_INSTANCE_TYPE=${DEFAULT_INSTANCE_TYPE:-m1.tiny}
# Boot this image, use first AMI image if unset
DEFAULT_IMAGE_NAME=${DEFAULT_IMAGE_NAME:-ami}
# Security group name
SECGROUP=${SECGROUP:-euca_secgroup}
# Launching a server
# ==================
# Find a machine image to boot
IMAGE=`euca-describe-images | grep machine | grep ${DEFAULT_IMAGE_NAME} | cut -f2 | head -n1`
die_if_not_set $LINENO IMAGE "Failure getting image $DEFAULT_IMAGE_NAME"
if is_service_enabled n-cell; then
# Cells does not support security groups, so force the use of "default"
SECGROUP="default"
echo "Using the default security group because of Cells."
else
# Add a secgroup
if ! euca-describe-groups | grep -q $SECGROUP; then
euca-add-group -d "$SECGROUP description" $SECGROUP
if ! timeout $ASSOCIATE_TIMEOUT sh -c "while ! euca-describe-groups | grep -q $SECGROUP; do sleep 1; done"; then
die $LINENO "Security group not created"
fi
fi
fi
# Launch it
INSTANCE=`euca-run-instances -g $SECGROUP -t $DEFAULT_INSTANCE_TYPE $IMAGE | grep INSTANCE | cut -f2`
die_if_not_set $LINENO INSTANCE "Failure launching instance"
# Assure it has booted within a reasonable time
if ! timeout $RUNNING_TIMEOUT sh -c "while ! euca-describe-instances $INSTANCE | grep -q running; do sleep 1; done"; then
die $LINENO "server didn't become active within $RUNNING_TIMEOUT seconds"
fi
# Volumes
# -------
if is_service_enabled c-vol && ! is_service_enabled n-cell && [ "$VIRT_DRIVER" != "ironic" ]; then
VOLUME_ZONE=`euca-describe-availability-zones | head -n1 | cut -f2`
die_if_not_set $LINENO VOLUME_ZONE "Failure to find zone for volume"
VOLUME=`euca-create-volume -s 1 -z $VOLUME_ZONE` || die $LINENO "Failure to create volume"
VOLUME=`echo "$VOLUME" | cut -f2`
die_if_not_set $LINENO VOLUME "Failure to create volume"
# Test that volume has been created
VOLUME=`euca-describe-volumes $VOLUME | cut -f2`
die_if_not_set $LINENO VOLUME "Failure to get volume"
# Test volume has become available
if ! timeout $RUNNING_TIMEOUT sh -c "while ! euca-describe-volumes $VOLUME | grep -q available; do sleep 1; done"; then
die $LINENO "volume didn't become available within $RUNNING_TIMEOUT seconds"
fi
# Attach volume to an instance
euca-attach-volume -i $INSTANCE -d $ATTACH_DEVICE $VOLUME || \
die $LINENO "Failure attaching volume $VOLUME to $INSTANCE"
if ! timeout $ACTIVE_TIMEOUT sh -c "while ! euca-describe-volumes $VOLUME | grep -A 1 in-use | grep -q attach; do sleep 1; done"; then
die $LINENO "Could not attach $VOLUME to $INSTANCE"
fi
# Detach volume from an instance
euca-detach-volume $VOLUME || \
die $LINENO "Failure detaching volume $VOLUME to $INSTANCE"
if ! timeout $ACTIVE_TIMEOUT sh -c "while ! euca-describe-volumes $VOLUME | grep -q available; do sleep 1; done"; then
die $LINENO "Could not detach $VOLUME to $INSTANCE"
fi
# Remove volume
euca-delete-volume $VOLUME || \
die $LINENO "Failure to delete volume"
if ! timeout $ACTIVE_TIMEOUT sh -c "while euca-describe-volumes | grep $VOLUME; do sleep 1; done"; then
die $LINENO "Could not delete $VOLUME"
fi
else
echo "Volume Tests Skipped"
fi
if is_service_enabled n-cell; then
echo "Floating IP Tests Skipped because of Cells."
else
# Allocate floating address
FLOATING_IP=`euca-allocate-address | cut -f2`
die_if_not_set $LINENO FLOATING_IP "Failure allocating floating IP"
# describe all instances at this moment
euca-describe-instances
# Associate floating address
euca-associate-address -i $INSTANCE $FLOATING_IP || \
die $LINENO "Failure associating address $FLOATING_IP to $INSTANCE"
# Authorize pinging
euca-authorize -P icmp -s 0.0.0.0/0 -t -1:-1 $SECGROUP || \
die $LINENO "Failure authorizing rule in $SECGROUP"
# Test we can ping our floating ip within ASSOCIATE_TIMEOUT seconds
ping_check $FLOATING_IP $ASSOCIATE_TIMEOUT "$PUBLIC_NETWORK_NAME"
# Revoke pinging
euca-revoke -P icmp -s 0.0.0.0/0 -t -1:-1 $SECGROUP || \
die $LINENO "Failure revoking rule in $SECGROUP"
# Release floating address
euca-disassociate-address $FLOATING_IP || \
die $LINENO "Failure disassociating address $FLOATING_IP"
# Wait just a tick for everything above to complete so release doesn't fail
if ! timeout $ASSOCIATE_TIMEOUT sh -c "while euca-describe-addresses | grep $INSTANCE | grep -q $FLOATING_IP; do sleep 1; done"; then
die $LINENO "Floating ip $FLOATING_IP not disassociated within $ASSOCIATE_TIMEOUT seconds"
fi
# Release floating address
euca-release-address $FLOATING_IP || \
die $LINENO "Failure releasing address $FLOATING_IP"
# Wait just a tick for everything above to complete so terminate doesn't fail
if ! timeout $ASSOCIATE_TIMEOUT sh -c "while euca-describe-addresses | grep -q $FLOATING_IP; do sleep 1; done"; then
die $LINENO "Floating ip $FLOATING_IP not released within $ASSOCIATE_TIMEOUT seconds"
fi
fi
# Terminate instance
euca-terminate-instances $INSTANCE || \
die $LINENO "Failure terminating instance $INSTANCE"
# Assure it has terminated within a reasonable time. The behaviour of this
# case changed with bug/836978. Requesting the status of an invalid instance
# will now return an error message including the instance id, so we need to
# filter that out.
if ! timeout $TERMINATE_TIMEOUT sh -c "while euca-describe-instances $INSTANCE | grep -ve '\(InstanceNotFound\|InvalidInstanceID\.NotFound\)' | grep -q $INSTANCE; do sleep 1; done"; then
die $LINENO "server didn't terminate within $TERMINATE_TIMEOUT seconds"
fi
if [[ "$SECGROUP" = "default" ]] ; then
echo "Skipping deleting default security group"
else
# Delete secgroup
euca-delete-group $SECGROUP || die $LINENO "Failure deleting security group $SECGROUP"
fi
set +o xtrace
echo "*********************************************************************"
echo "SUCCESS: End DevStack Exercise: $0"
echo "*********************************************************************"

1
files/rpms-suse/general
View File

@ -2,7 +2,6 @@ bc
bridge-utils bridge-utils
ca-certificates-mozilla ca-certificates-mozilla
curl curl
euca2ools
gcc gcc
gcc-c++ gcc-c++
git-core git-core

1
files/rpms/general
View File

@ -2,7 +2,6 @@ bc
bridge-utils bridge-utils
curl curl
dbus dbus
euca2ools # only for testing client
gcc gcc
gcc-c++ gcc-c++
gettext # used for compiling message catalogs gettext # used for compiling message catalogs

3
lib/heat
View File

@ -166,9 +166,6 @@ function configure_heat {
# clients_keystone # clients_keystone
iniset $HEAT_CONF clients_keystone auth_uri $KEYSTONE_AUTH_URI iniset $HEAT_CONF clients_keystone auth_uri $KEYSTONE_AUTH_URI
# ec2authtoken
iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
# OpenStack API # OpenStack API
iniset $HEAT_CONF heat_api bind_port $HEAT_API_PORT iniset $HEAT_CONF heat_api bind_port $HEAT_API_PORT
iniset $HEAT_CONF heat_api workers "$API_WORKERS" iniset $HEAT_CONF heat_api workers "$API_WORKERS"

8
lib/nova
View File

@ -74,9 +74,6 @@ NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then
NOVA_SERVICE_PROTOCOL="https" NOVA_SERVICE_PROTOCOL="https"
EC2_SERVICE_PROTOCOL="https"
else
EC2_SERVICE_PROTOCOL="http"
fi fi
# Public facing bits # Public facing bits
@ -86,8 +83,6 @@ NOVA_SERVICE_PORT_INT=${NOVA_SERVICE_PORT_INT:-18774}
NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
NOVA_SERVICE_LOCAL_HOST=${NOVA_SERVICE_LOCAL_HOST:-$SERVICE_LOCAL_HOST} NOVA_SERVICE_LOCAL_HOST=${NOVA_SERVICE_LOCAL_HOST:-$SERVICE_LOCAL_HOST}
NOVA_SERVICE_LISTEN_ADDRESS=${NOVA_SERVICE_LISTEN_ADDRESS:-$SERVICE_LISTEN_ADDRESS} NOVA_SERVICE_LISTEN_ADDRESS=${NOVA_SERVICE_LISTEN_ADDRESS:-$SERVICE_LISTEN_ADDRESS}
EC2_SERVICE_PORT=${EC2_SERVICE_PORT:-8773}
EC2_SERVICE_PORT_INT=${EC2_SERVICE_PORT_INT:-18773}
METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775} METADATA_SERVICE_PORT=${METADATA_SERVICE_PORT:-8775}
# Option to enable/disable config drive # Option to enable/disable config drive
@ -140,7 +135,6 @@ NETWORK_MANAGER=${NETWORK_MANAGER:-${NET_MAN:-FlatDHCPManager}}
PUBLIC_INTERFACE=${PUBLIC_INTERFACE:-$PUBLIC_INTERFACE_DEFAULT} PUBLIC_INTERFACE=${PUBLIC_INTERFACE:-$PUBLIC_INTERFACE_DEFAULT}
VLAN_INTERFACE=${VLAN_INTERFACE:-$GUEST_INTERFACE_DEFAULT} VLAN_INTERFACE=${VLAN_INTERFACE:-$GUEST_INTERFACE_DEFAULT}
FLAT_NETWORK_BRIDGE=${FLAT_NETWORK_BRIDGE:-$FLAT_NETWORK_BRIDGE_DEFAULT} FLAT_NETWORK_BRIDGE=${FLAT_NETWORK_BRIDGE:-$FLAT_NETWORK_BRIDGE_DEFAULT}
EC2_DMZ_HOST=${EC2_DMZ_HOST:-$SERVICE_HOST}
# If you are using the FlatDHCP network mode on multiple hosts, set the # If you are using the FlatDHCP network mode on multiple hosts, set the
# ``FLAT_INTERFACE`` variable but make sure that the interface doesn't already # ``FLAT_INTERFACE`` variable but make sure that the interface doesn't already
@ -594,7 +588,6 @@ function create_nova_conf {
iniset $NOVA_CONF spice enabled false iniset $NOVA_CONF spice enabled false
fi fi
iniset $NOVA_CONF DEFAULT ec2_dmz_host "$EC2_DMZ_HOST"
iniset_rpc_backend nova $NOVA_CONF iniset_rpc_backend nova $NOVA_CONF
iniset $NOVA_CONF glance api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}" iniset $NOVA_CONF glance api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
@ -810,7 +803,6 @@ function start_nova_api {
# Start proxies if enabled # Start proxies if enabled
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
start_tls_proxy '*' $EC2_SERVICE_PORT $NOVA_SERVICE_HOST $EC2_SERVICE_PORT_INT &
fi fi
export PATH=$old_path export PATH=$old_path

8
stack.sh
View File

@ -1208,14 +1208,6 @@ if is_service_enabled g-reg; then
done done
fi fi
# Create an access key and secret key for Nova EC2 register image
if is_service_enabled keystone && is_service_enabled swift3 && is_service_enabled nova; then
eval $(openstack ec2 credentials create --user nova --project $SERVICE_PROJECT_NAME -f shell -c access -c secret)
iniset $NOVA_CONF DEFAULT s3_access_key "$access"
iniset $NOVA_CONF DEFAULT s3_secret_key "$secret"
iniset $NOVA_CONF DEFAULT s3_affix_tenant "True"
fi
# Create a randomized default value for the keymgr's fixed_key # Create a randomized default value for the keymgr's fixed_key
if is_service_enabled nova; then if is_service_enabled nova; then
iniset $NOVA_CONF keymgr fixed_key $(generate_hex_string 32) iniset $NOVA_CONF keymgr fixed_key $(generate_hex_string 32)

64
tools/create_userrc.sh
View File

@ -156,30 +156,6 @@ if [ -z "$MODE" ]; then
exit 3 exit 3
fi fi
EC2_URL=$(openstack endpoint list --service ec2 --interface public --os-identity-api-version=3 -c URL -f value || true)
if [[ -z $EC2_URL ]]; then
EC2_URL=http://localhost:8773/
fi
S3_URL=$(openstack endpoint list --service s3 --interface public --os-identity-api-version=3 -c URL -f value || true)
if [[ -z $S3_URL ]]; then
S3_URL=http://localhost:3333
fi
mkdir -p "$ACCOUNT_DIR"
ACCOUNT_DIR=`readlink -f "$ACCOUNT_DIR"`
EUCALYPTUS_CERT=$ACCOUNT_DIR/cacert.pem
if [ -e "$EUCALYPTUS_CERT" ]; then
mv "$EUCALYPTUS_CERT" "$EUCALYPTUS_CERT.old"
fi
if ! nova x509-get-root-cert "$EUCALYPTUS_CERT"; then
echo "Failed to update the root certificate: $EUCALYPTUS_CERT" >&2
if [ -e "$EUCALYPTUS_CERT.old" ]; then
mv "$EUCALYPTUS_CERT.old" "$EUCALYPTUS_CERT"
fi
fi
function add_entry { function add_entry {
local user_id=$1 local user_id=$1
local user_name=$2 local user_name=$2
@ -187,54 +163,16 @@ function add_entry {
local project_name=$4 local project_name=$4
local user_passwd=$5 local user_passwd=$5
# The admin user can see all user's secret AWS keys, it does not looks good
local line
line=$(openstack ec2 credentials list --user $user_id | grep " $project_id " || true)
if [ -z "$line" ]; then
openstack ec2 credentials create --user $user_id --project $project_id 1>&2
line=`openstack ec2 credentials list --user $user_id | grep " $project_id "`
fi
local ec2_access_key ec2_secret_key
read ec2_access_key ec2_secret_key <<< `echo $line | awk '{print $2 " " $4 }'`
mkdir -p "$ACCOUNT_DIR/$project_name" mkdir -p "$ACCOUNT_DIR/$project_name"
local rcfile="$ACCOUNT_DIR/$project_name/$user_name" local rcfile="$ACCOUNT_DIR/$project_name/$user_name"
# The certs subject part are the project ID "dash" user ID, but the CN should be the first part of the DN
# Generally the subject DN parts should be in reverse order like the Issuer
# The Serial does not seams correctly marked either
local ec2_cert="$rcfile-cert.pem"
local ec2_private_key="$rcfile-pk.pem"
# Try to preserve the original file on fail (best effort)
if [ -e "$ec2_private_key" ]; then
mv -f "$ec2_private_key" "$ec2_private_key.old"
fi
if [ -e "$ec2_cert" ]; then
mv -f "$ec2_cert" "$ec2_cert.old"
fi
# It will not create certs when the password is incorrect
if ! nova --os-password "$user_passwd" --os-username "$user_name" --os-project-name "$project_name" x509-create-cert "$ec2_private_key" "$ec2_cert"; then
if [ -e "$ec2_private_key.old" ]; then
mv -f "$ec2_private_key.old" "$ec2_private_key"
fi
if [ -e "$ec2_cert.old" ]; then
mv -f "$ec2_cert.old" "$ec2_cert"
fi
fi
cat >"$rcfile" <<EOF cat >"$rcfile" <<EOF
# you can source this file
export EC2_ACCESS_KEY="$ec2_access_key"
export EC2_SECRET_KEY="$ec2_secret_key"
export EC2_URL="$EC2_URL"
export S3_URL="$S3_URL"
# OpenStack USER ID = $user_id # OpenStack USER ID = $user_id
export OS_USERNAME="$user_name" export OS_USERNAME="$user_name"
# OpenStack project ID = $project_id # OpenStack project ID = $project_id
export OS_PROJECT_NAME="$project_name" export OS_PROJECT_NAME="$project_name"
export OS_AUTH_URL="$OS_AUTH_URL" export OS_AUTH_URL="$OS_AUTH_URL"
export OS_CACERT="$OS_CACERT" export OS_CACERT="$OS_CACERT"
export EC2_CERT="$ec2_cert"
export EC2_PRIVATE_KEY="$ec2_private_key"
export EC2_USER_ID=42 #not checked by nova (can be a 12-digit id)
export EUCALYPTUS_CERT="$ACCOUNT_DIR/cacert.pem"
export NOVA_CERT="$ACCOUNT_DIR/cacert.pem" export NOVA_CERT="$ACCOUNT_DIR/cacert.pem"
export OS_AUTH_TYPE=v2password export OS_AUTH_TYPE=v2password
EOF EOF