From f3b2f4c85307b14f115a020f5eaf6c92026b55b4 Mon Sep 17 00:00:00 2001
From: Sean Dague
Date: Thu, 13 Apr 2017 10:11:48 -0400
Subject: [PATCH] Remove USE_SSL support

tls-proxy is the way we're now doing a standard install using https between services. There is a lot more work to make services directly handle https, and having python daemons do that directly is a bit of an anti pattern.

Nothing currently tests this in project-config from my recent grepping, so in the interest of long term maintenance, delete it all.

Change-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1
---
 lib/cinder | 20 ++------------------
 lib/glance | 17 +++--------------
 lib/keystone | 17 +----------------
 lib/neutron | 21 +++------------------
 lib/neutron-legacy | 17 +----------------
 lib/nova | 24 +++---------------------
 lib/placement | 11 +----------
 lib/swift | 9 +--------
 lib/tempest | 2 +-
 lib/tls | 25 ++++++-------------------
 stack.sh | 11 ++---------
 stackrc | 3 ---
 unstack.sh | 3 ---
 13 files changed, 24 insertions(+), 156 deletions(-)
diff --git a/lib/cinder b/lib/cinder
index c17cea06c7..ac61537c41 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -58,7 +58,7 @@ CINDER_CONF=$CINDER_CONF_DIR/cinder.conf
 CINDER_API_PASTE_INI=$CINDER_CONF_DIR/api-paste.ini
 # Public facing bits
-if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 CINDER_SERVICE_PROTOCOL="https"
 fi
 CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
@@ -215,11 +215,6 @@ function _cinder_config_apache_wsgi {
 local cinder_api_port=$CINDER_SERVICE_PORT
 local venv_path=""
- if is_ssl_enabled_service c-api; then
- cinder_ssl="SSLEngine On"
- cinder_certfile="SSLCertificateFile $CINDER_SSL_CERT"
- cinder_keyfile="SSLCertificateKeyFile $CINDER_SSL_KEY"
- fi
 if [[ ${USE_VENV} = True ]]; then
 venv_path="python-path=${PROJECT_VENV["cinder"]}/lib/python2.7/site-packages"
 fi
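Review bot: In the `_cinder_config_apache_wsgi` hunk the assignments to `cinder_ssl`, `cinder_certfile` and `cinder_keyfile` are removed, but nothing in the hunk removes the variables themselves; if the function still declares them and substitutes them into the Apache site template further down (the function continues outside the hunk), those placeholders now always expand to empty strings and are dead weight. The leftover declarations and the template substitutions they fed should go with the assignments, or the commit should say why they stay. The same pattern appears in `_config_keystone_apache_wsgi` (lib/keystone), `_config_nova_apache_wsgi` (lib/nova) and `_config_placement_apache_wsgi` (lib/placement) in the later hunks.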
@@ -347,7 +342,7 @@ function configure_cinder {
 iniset $CINDER_CONF DEFAULT osapi_volume_workers "$API_WORKERS"
 iniset $CINDER_CONF DEFAULT glance_api_servers "${GLANCE_SERVICE_PROTOCOL}://${GLANCE_HOSTPORT}"
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
 iniset $CINDER_CONF DEFAULT glance_protocol https
 iniset $CINDER_CONF DEFAULT glance_ca_certificates_file $SSL_BUNDLE_FILE
 fi
@@ -356,14 +351,6 @@ function configure_cinder {
 iniset $CINDER_CONF DEFAULT glance_api_version 2
 fi
- # Register SSL certificates if provided
- if is_ssl_enabled_service cinder; then
- ensure_certificates CINDER
-
- iniset $CINDER_CONF DEFAULT ssl_cert_file "$CINDER_SSL_CERT"
- iniset $CINDER_CONF DEFAULT ssl_key_file "$CINDER_SSL_KEY"
- fi
-
 # Set os_privileged_user credentials (used for os-assisted-snapshots)
 iniset $CINDER_CONF DEFAULT os_privileged_user_name nova
 iniset $CINDER_CONF DEFAULT os_privileged_user_password "$SERVICE_PASSWORD"
@@ -464,9 +451,6 @@ function install_cinder {
 if [ "$CINDER_USE_MOD_WSGI" == "True" ]; then
 install_apache_wsgi
- if is_ssl_enabled_service "c-api"; then
- enable_mod_ssl
- fi
 fi
 }
diff --git a/lib/glance b/lib/glance
index 2f4aa5f0f8..23a1cbf2c7 100644
--- a/lib/glance
+++ b/lib/glance
@@ -57,7 +57,7 @@ GLANCE_SCHEMA_JSON=$GLANCE_CONF_DIR/schema-image.json
 GLANCE_SWIFT_STORE_CONF=$GLANCE_CONF_DIR/glance-swift-store.conf
 GLANCE_V1_ENABLED=${GLANCE_V1_ENABLED:-False}
-if is_ssl_enabled_service "glance" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 GLANCE_SERVICE_PROTOCOL="https"
 fi
@@ -187,18 +187,7 @@ function configure_glance {
 iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
 fi
- # Register SSL certificates if provided
- if is_ssl_enabled_service glance; then
- ensure_certificates GLANCE
-
- iniset $GLANCE_API_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
- iniset $GLANCE_API_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
-
- iniset $GLANCE_REGISTRY_CONF DEFAULT cert_file "$GLANCE_SSL_CERT"
- iniset $GLANCE_REGISTRY_CONF DEFAULT key_file "$GLANCE_SSL_KEY"
- fi
-
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
 iniset $GLANCE_API_CONF DEFAULT registry_client_protocol https
 fi
@@ -233,7 +222,7 @@ function configure_glance {
 cp -p $GLANCE_DIR/etc/metadefs/*.json $GLANCE_METADEF_DIR
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
 CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
 CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
diff --git a/lib/keystone b/lib/keystone
index 936af6a5e1..45ba2c5352 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -116,7 +116,7 @@ SERVICE_PROJECT_NAME=${SERVICE_PROJECT_NAME:-service}
 SERVICE_TENANT_NAME=${SERVICE_PROJECT_NAME:-service}
 # if we are running with SSL use https protocols
-if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 KEYSTONE_AUTH_PROTOCOL="https"
 KEYSTONE_SERVICE_PROTOCOL="https"
 fi
@@ -171,12 +171,6 @@ function _config_keystone_apache_wsgi {
 local keystone_auth_port=$KEYSTONE_AUTH_PORT
 local venv_path=""
- if is_ssl_enabled_service key; then
- keystone_ssl_listen=""
- keystone_ssl="SSLEngine On"
- keystone_certfile="SSLCertificateFile $KEYSTONE_SSL_CERT"
- keystone_keyfile="SSLCertificateKeyFile $KEYSTONE_SSL_KEY"
- fi
 if is_service_enabled tls-proxy; then
 keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
 keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
@@ -247,11 +241,6 @@ function configure_keystone {
 iniset_rpc_backend keystone $KEYSTONE_CONF
- # Register SSL certificates if provided
- if is_ssl_enabled_service key; then
- ensure_certificates KEYSTONE
- fi
-
 local service_port=$KEYSTONE_SERVICE_PORT
 local auth_port=$KEYSTONE_AUTH_PORT
@@ -297,7 +286,6 @@ function configure_keystone {
 _config_keystone_apache_wsgi
 else # uwsgi
 # iniset creates these files when it's called if they don't exist.
- write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
 write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
 fi
@@ -546,9 +534,6 @@ function install_keystone {
 if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
 install_apache_wsgi
- if is_ssl_enabled_service "key"; then
- enable_mod_ssl
- fi
 elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then
 pip_install uwsgi
 fi
diff --git a/lib/neutron b/lib/neutron
index dd914664ae..492a0ee8fb 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -61,7 +61,7 @@ NEUTRON_META_BINARY=${NEUTRON_META_BINARY:-neutron-metadata-agent}
 NEUTRON_METERING_BINARY=${NEUTRON_METERING_BINARY:-neutron-metering-agent}
 # Public facing bits
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 NEUTRON_SERVICE_PROTOCOL="https"
 fi
 NEUTRON_SERVICE_HOST=${NEUTRON_SERVICE_HOST:-$SERVICE_HOST}
@@ -243,14 +243,6 @@ function configure_neutron_new {
 iniset $NEUTRON_CONF DEFAULT bind_port "$NEUTRON_SERVICE_PORT_INT"
 fi
- if is_ssl_enabled_service "neutron"; then
- ensure_certificates NEUTRON
-
- iniset $NEUTRON_CONF DEFAULT use_ssl True
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
- fi
-
 # Metering
 if is_service_enabled neutron-metering; then
 cp $NEUTRON_DIR/etc/metering_agent.ini.sample $NEUTRON_METERING_AGENT_CONF
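Review bot: The `@@ -297,7 +286,6 @@` hunk in `configure_keystone` drops `write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"` while keeping the admin call on the next line; that line does not involve `USE_SSL` or `is_ssl_enabled_service`, so after this commit the uwsgi deploy path no longer generates the public identity config, and `service_port`, still declared in the earlier hunk, may be left without a use in that branch. If the removal is intended it belongs in the commit message with a reason; otherwise the line should be restored. configure_keystone continues outside the hunk.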
@@ -404,17 +396,10 @@ function start_neutron_api {
 # TODO(sc68cal) Stop hard coding this
 run_process neutron-api "$NEUTRON_BIN_DIR/neutron-server $opts"
- if is_ssl_enabled_service "neutron"; then
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
- local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$NEUTRON_SERVICE_HOST:$service_port"
- test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
- else
- if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
- die $LINENO "neutron-api did not start"
- fi
+ if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$NEUTRON_SERVICE_HOST:$service_port; then
+ die $LINENO "neutron-api did not start"
 fi
- # Start proxy if enabled
 if is_service_enabled tls-proxy; then
 start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 74f36e0ce3..1dfd5fec7d 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -61,7 +61,7 @@
 deprecated "Using lib/neutron-legacy is deprecated, and it will be removed in the future"
-if is_ssl_enabled_service "neutron" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 Q_PROTOCOL="https"
 fi
@@ -461,9 +461,6 @@ function start_neutron_service_and_check {
 # Start the Neutron service
 run_process q-svc "$NEUTRON_BIN_DIR/neutron-server $cfg_file_options"
 echo "Waiting for Neutron to start..."
- if is_ssl_enabled_service "neutron"; then
- ssl_ca="--ca-certificate=${SSL_BUNDLE_FILE}"
- fi
 local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"
 test_with_retry "$testcmd" "Neutron did not start" $SERVICE_TIMEOUT
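Review bot: In `start_neutron_service_and_check` (lib/neutron-legacy) the only assignment to `ssl_ca` is removed, but the context line right after it still expands it: `local testcmd="wget ${ssl_ca} --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`. The expansion is now always empty, which is harmless today but misleading and would break if the script ever ran under `set -u`; change the line to `local testcmd="wget --no-proxy -q -O- $service_protocol://$Q_HOST:$service_port"`. The function continues outside the hunk, so check that no other reader of `ssl_ca` remains there.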
@@ -714,18 +711,6 @@ function _configure_neutron_common {
 iniset $NEUTRON_CONF DEFAULT bind_port "$Q_PORT_INT"
 fi
- if is_ssl_enabled_service "nova"; then
- iniset $NEUTRON_CONF nova cafile $SSL_BUNDLE_FILE
- fi
-
- if is_ssl_enabled_service "neutron"; then
- ensure_certificates NEUTRON
-
- iniset $NEUTRON_CONF DEFAULT use_ssl True
- iniset $NEUTRON_CONF DEFAULT ssl_cert_file "$NEUTRON_SSL_CERT"
- iniset $NEUTRON_CONF DEFAULT ssl_key_file "$NEUTRON_SSL_KEY"
- fi
-
 _neutron_setup_rootwrap
 }
diff --git a/lib/nova b/lib/nova
index a36a740265..cba9acdd79 100644
--- a/lib/nova
+++ b/lib/nova
@@ -68,7 +68,7 @@ fi
 # Toggle for deploying Nova-API under HTTPD + mod_wsgi
 NOVA_USE_MOD_WSGI=${NOVA_USE_MOD_WSGI:-False}
-if is_ssl_enabled_service "nova" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 NOVA_SERVICE_PROTOCOL="https"
 fi
@@ -262,11 +262,6 @@ function _config_nova_apache_wsgi {
 local nova_metadata_port=$METADATA_SERVICE_PORT
 local venv_path=""
- if is_ssl_enabled_service nova-api; then
- nova_ssl="SSLEngine On"
- nova_certfile="SSLCertificateFile $NOVA_SSL_CERT"
- nova_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
- fi
 if [[ ${USE_VENV} = True ]]; then
 venv_path="python-path=${PROJECT_VENV["nova"]}/lib/$(python_version)/site-packages"
 fi
@@ -501,7 +496,7 @@ function create_nova_conf {
 fi
 if is_service_enabled cinder; then
- if is_ssl_enabled_service "cinder" || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
 CINDER_SERVICE_HOST=${CINDER_SERVICE_HOST:-$SERVICE_HOST}
 CINDER_SERVICE_PORT=${CINDER_SERVICE_PORT:-8776}
 iniset $NOVA_CONF cinder cafile $SSL_BUNDLE_FILE
@@ -586,20 +581,10 @@ function create_nova_conf {
 iniset $NOVA_CONF cinder os_region_name "$REGION_NAME"
- if is_ssl_enabled_service glance || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
 iniset $NOVA_CONF DEFAULT glance_protocol https
 fi
- # Register SSL certificates if provided
- if is_ssl_enabled_service nova; then
- ensure_certificates NOVA
-
- iniset $NOVA_CONF DEFAULT ssl_cert_file "$NOVA_SSL_CERT"
- iniset $NOVA_CONF DEFAULT ssl_key_file "$NOVA_SSL_KEY"
-
- iniset $NOVA_CONF DEFAULT enabled_ssl_apis "$NOVA_ENABLED_APIS"
- fi
-
 if is_service_enabled n-sproxy; then
 iniset $NOVA_CONF serial_console serialproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
 iniset $NOVA_CONF serial_console enabled True
@@ -790,9 +775,6 @@ function install_nova {
 if [ "$NOVA_USE_MOD_WSGI" == "True" ]; then
 install_apache_wsgi
- if is_ssl_enabled_service "nova-api"; then
- enable_mod_ssl
- fi
 fi
 }
diff --git a/lib/placement b/lib/placement
index 4cc5cd8b6a..a29784b93c 100644
--- a/lib/placement
+++ b/lib/placement
@@ -40,7 +40,7 @@ PLACEMENT_AUTH_STRATEGY=${PLACEMENT_AUTH_STRATEGY:-placement}
 # yet merged in nova but is coming soon.
 PLACEMENT_DB_ENABLED=$(trueorfalse False PLACEMENT_DB_ENABLED)
-if is_ssl_enabled_service "placement-api" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 PLACEMENT_SERVICE_PROTOCOL="https"
 fi
@@ -72,12 +72,6 @@ function _config_placement_apache_wsgi {
 nova_bin_dir=$(get_python_exec_prefix)
 placement_api_apache_conf=$(apache_site_config_for placement-api)
- # reuse nova's cert if a cert is being used
- if is_ssl_enabled_service "placement-api"; then
- placement_ssl="SSLEngine On"
- placement_certfile="SSLCertificateFile $NOVA_SSL_CERT"
- placement_keyfile="SSLCertificateKeyFile $NOVA_SSL_KEY"
- fi
 # reuse nova's venv if there is one as placement code lives
 # there
 if [[ ${USE_VENV} = True ]]; then
@@ -149,9 +143,6 @@ function init_placement {
 # install_placement() - Collect source and prepare
 function install_placement {
 install_apache_wsgi
- if is_ssl_enabled_service "placement-api"; then
- enable_mod_ssl
- fi
 }
 # start_placement_api() - Start the API processes ahead of other things
diff --git a/lib/swift b/lib/swift
index 5eac904559..d764b25fdb 100644
--- a/lib/swift
+++ b/lib/swift
@@ -31,7 +31,7 @@ set +o xtrace
 # Defaults
 # --------
-if is_ssl_enabled_service "s-proxy" || is_service_enabled tls-proxy; then
+if is_service_enabled tls-proxy; then
 SWIFT_SERVICE_PROTOCOL="https"
 fi
@@ -398,13 +398,6 @@ function configure_swift {
 iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT bind_port ${SWIFT_DEFAULT_BIND_PORT}
 fi
- if is_ssl_enabled_service s-proxy; then
- ensure_certificates SWIFT
-
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT cert_file "$SWIFT_SSL_CERT"
- iniset ${SWIFT_CONFIG_PROXY_SERVER} DEFAULT key_file "$SWIFT_SSL_KEY"
- fi
-
 # DevStack is commonly run in a small slow environment, so bump the timeouts up.
 # ``node_timeout`` is the node read operation response time to the proxy server
 # ``conn_timeout`` is how long it takes a connect() system call to return
diff --git a/lib/tempest b/lib/tempest
index f6fc57dc72..04f8f6a3f6 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -279,7 +279,7 @@ function configure_tempest {
 fi
 iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v3}
- if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
+ if is_service_enabled tls-proxy; then
 iniset $TEMPEST_CONFIG identity ca_certificates_file $SSL_BUNDLE_FILE
 fi
diff --git a/lib/tls b/lib/tls
index fb2fa3a17b..c2c92a1bae 100644
--- a/lib/tls
+++ b/lib/tls
@@ -343,7 +343,7 @@ function make_root_CA {
 # one. If the value for the CA is not rooted in /etc then we know
 # we need to change it.
 function fix_system_ca_bundle_path {
- if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+ if is_service_enabled tls-proxy; then
 local capath
 capath=$(python -c $'try:\n from requests import certs\n print certs.where()\nexcept ImportError: pass')
@@ -362,27 +362,14 @@ function fix_system_ca_bundle_path {
 }
+# Only for compatibility, return if the tls-proxy is enabled
+function is_ssl_enabled_service {
+ return is_service_enabled tls-proxy
+}
+
 # Certificate Input Configuration
 # ===============================
-# check to see if the service(s) specified are to be SSL enabled.
-#
-# Multiple services specified as arguments are ``OR``'ed together; the test
-# is a short-circuit boolean, i.e it returns on the first match.
-#
-# Uses global ``SSL_ENABLED_SERVICES``
-function is_ssl_enabled_service {
- local services=$@
- local service=""
- if [ "$USE_SSL" == "False" ]; then
- return 1
- fi
- for service in ${services}; do
- [[ ,${SSL_ENABLED_SERVICES}, =~ ,${service}, ]] && return 0
- done
- return 1
-}
-
 # Ensure that the certificates for a service are in place. This function does
 # not check that a service is SSL enabled, this should already have been
 # completed.
diff --git a/stack.sh b/stack.sh
index 759a8dbacc..635a328190 100755
--- a/stack.sh
+++ b/stack.sh
@@ -539,13 +539,6 @@ rm -f $SSL_BUNDLE_FILE
 source $TOP_DIR/lib/database
 source $TOP_DIR/lib/rpc_backend
-# Service to enable with SSL if ``USE_SSL`` is True
-SSL_ENABLED_SERVICES="key,nova,cinder,glance,s-proxy,neutron"
-
-if is_service_enabled tls-proxy && [ "$USE_SSL" == "True" ]; then
- die $LINENO "tls-proxy and SSL are mutually exclusive"
-fi
-
 # Configure Projects
 # ==================
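Review bot: The compatibility shim `is_ssl_enabled_service` added in the `@@ -362,27 +362,14 @@` hunk of lib/tls does not do what its comment says: bash `return` takes a numeric status, so `return is_service_enabled tls-proxy` prints "numeric argument required", never calls `is_service_enabled`, and hands every remaining caller an error status instead of the tls-proxy state. Make the call the function's last command, `is_service_enabled tls-proxy`, or follow it with `return $?`. The shim also silently ignores the service names it is passed, which the header comment should state, e.g. `# Compatibility shim: ignores its arguments and reports whether tls-proxy is enabled`.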
@@ -806,7 +799,7 @@ if is_service_enabled cinder nova; then
 fi
 # Setup TLS certs
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+if is_service_enabled tls-proxy; then
 configure_CA
 init_CA
 init_cert
@@ -886,7 +879,7 @@ if is_service_enabled horizon; then
 stack_install_service horizon
 fi
-if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+if is_service_enabled tls-proxy; then
 fix_system_ca_bundle_path
 fi
diff --git a/stackrc b/stackrc
index 88f75413c4..3ceb78c0d6 100644
--- a/stackrc
+++ b/stackrc
@@ -846,9 +846,6 @@ SYSLOG_PORT=${SYSLOG_PORT:-516}
 # Set to 0 to disable shallow cloning
 GIT_DEPTH=${GIT_DEPTH:-0}
-# Use native SSL for servers in ``SSL_ENABLED_SERVICES``
-USE_SSL=$(trueorfalse False USE_SSL)
-
 # We may not need to recreate database in case 2 Keystone services
 # sharing the same database. It would be useful for multinode Grenade tests.
 RECREATE_KEYSTONE_DB=$(trueorfalse True RECREATE_KEYSTONE_DB)
diff --git a/unstack.sh b/unstack.sh
index b0ebaf725e..485fed7f80 100755
--- a/unstack.sh
+++ b/unstack.sh
@@ -129,9 +129,6 @@ if is_service_enabled tls-proxy; then
 stop_tls_proxy
 cleanup_CA
 fi
-if [ "$USE_SSL" == "True" ]; then
- cleanup_CA
-fi
 SCSI_PERSIST_DIR=$CINDER_STATE_PATH/volumes/*