auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.
Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.
identity_uri option was released in keystoneclient 0.8.0
Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
When SSL is enabled in Keystone, the path to the Keystone CA file
needs to be set in ca_file in the clients_keystone section.
Change-Id: Ic324e09b42a96d0ba31e13f8e8042cb3ac24d0b6
Closes-Bug: 1324207
As per I9908e17bed33fdc64d058a6d6db7b29f9c8d53d6 keystone_ec2_uri
is now derived from auth_uri. Thus keystone_ec2_uri is useless
now
Change-Id: I97954fdbbd74a6920b307f33873bcc8d70331bf4
Reading from /dev/random can block a virtual machine
even for several minutes, when the entropy pool is empty at the read time.
I have doubts we really need to use /dev/random here.
Even the ssh-keygen uses /dev/urandom by default,
so the /dev/random is a little bit overkill here.
Change-Id: I6d2c6364c2b445304a33b0140e3cdc6804404b63
Adds a HEAT_DEFERRED_AUTH, defaulted to trusts, so users can
by default take advantage of the heat trusts functionality
which provides the following benefits:
- Deferred operations (e.g. autoscaling) work with token-only auth
- The password field in the heat page of horizon can be made optional
(horizon patch pending)
- It's more secure because heat no longer stores username/password
credentials in the DB, only a trust ID.
The previous behavior can be obtained by setting HEAT_DEFERRED_AUTH
to something other than "trusts" - the value will only be set in
the heat.conf if the value of "trusts" is found, otherwise the
heat.conf default will be used (currently "password" which doesn't
use trusts)
Change-Id: I549f1e0071a082ac5d07d0f99db633f8337f3d87
Related-Bug: #1286157
Heat has graceful fallback code if stack_user_domain is not configured.
It is important that this be configurable, for testing and for those who choose to
not run with a stack_user_domain yet.
Change-Id: I08f017412636327853b3c606afd36ae93aa09288
Heat supports deferred operations via keystone trusts,
and we'd like to make that the default. To do this, we
require a new role, which is the default role specified
in heat.conf trusts_delegated_roles, heat_stack_owner.
Add the role to the admin/demo users so they can create
heat stacks when we make deferred_auth_method=trusts the
default.
Change-Id: Idfc70ee89428c23f5965e643486ff2ad9566471c
Related-Bug: #1286157
Move the heat setup which currently happens in files/keystone_data.sh
to lib/heat, where we have create_heat_accounts.
Move the user, role, service and endpoint creation as that is consistent
with what other services, e.g. lib/nova are doing.
Change-Id: Iaa2c822cad581d6b2b4f22f8863daf81e25f8485
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check. Add a note to HACKING.rst
Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
Create an additional service user for Heat, which is a domain admin
for the stack_user_domain - this is necessary since the normal service
user cannot manage the projects/users in the stack_user_domain when
keystone is configured to use the v3cloudsample policy (such as in
gate integration tests).
Change-Id: If59c11a74145b9bd02f78a7e0882afe1b0a72e40
The recently merged patch which creates a domain for heat
fails to correctly set the domain ID in heat.conf, so move the
setting of the config option to immediately after we create the
domain. Also add the missing DEFAULT section identifier in the
iniset, and use OS_TOKEN instead of OS_SERVICE token, because
the stack.sh comment says this is exported for the openstackclient
workaround.
Change-Id: I912f774f1215d68cbcfe44229b371f318d92966a
Closes-Bug: #1283075
The Heat instance-users blueprint requires an additional domain
where heat creates projects and users related to stack resources
so add support for creating this domain when configured to install
Heat. Note a workaround is currently required to make the
openstack command work with the v3 keystone API.
Change-Id: I36157372d85b577952b55481ca5cc42146011a54
we mostly have a consistent style on if/then & for/do in devstack,
except when we don't. This attempts to build a set of rules to
enforce this.
Because there are times when lines are legitimately long, and there
is a continuation, this starts off ignoring if and for loops with
continuations. But for short versions, we should enforce this.
Changes to make devstack pass are included. The fact that the
cleanup patch was so small is pretty solid reason that this is
actually the style we've all agreed to.
Part of a git stash from Hong Kong that I finally cleaned up.
Change-Id: I6376d7afd59cc5ebba9ed69e5ee784a3d5934a10
Installing bash completion for heat and ceilometer by using a
similar way used with other services.
Change-Id: I5094648272f2666f6bff181bfa3aeb35e863bd97
The list of services that Tempest used to set its 'service_available'
config values was hard-coded. To be plugin-friendly have each
service (project) add its name to the TEMPEST_SERVICES variable
and use that for setting the 'service_available' values.
Change-Id: I208efd7fd0798b18ac2e6353ee70b773e84a2683
Heat config values heat_metadata_server_url, heat_waitcondition_server_url and
heat_waitcondition_server_url currently derive their host from devstack
SERVICE_HOST. In gating this is set to 127.0.0.1, which would explain why
nova servers are not reaching heat with waitcondition signalling.
This change uses HOST_IP as the default instead of SERVICE_HOST.
Change-Id: I373b086e3a36a3484cfd34f0d1c8c168ac6d465d
This results in the APIs binding to 0.0.0.0
which is what other devstack services bind to anyway.
Change-Id: Ic229dbed02b224fe7c5e14f20998bb5d5987aa39
Closes-Bug: #1172991
* Save PID when using screen in screen_it()
* Add screen_stop()
* Call out service stop_*() in unstack.sh functions so screen_stop()
can do its thing
Closes-bug: 1183449
Change-Id: Iac84231cfda960c4197de5b6e8ba6eb19225169a
The version of the authentication url is set to v1.0 for some
projects by default. We can make it configurable via the parameter
"$IDENTITY_API_VERSION".
Closes-Bug: #1253539
Change-Id: I6640e345d1317b1308403c95b13f8a998320241b
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
its own encrypted endpoint.
Implementing: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.
Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
Instead of aligning value with tempest, make tempest use heat's default
value as that is what most people will be deploying with.
Change-Id: I77549f2b5e953ff712c50a2b372f6b04725d5eb0
We should use "tenant" and "user" instead of "project_name" and
"user_name" by calling setup_colorized_logging with these parameters.
Change-Id: I47820c890bf4585e7c8f64c41f48d7576ca56862
Closes-Bug: 1237314
Bug 1214616
This patch adds colors to on-screen Neutron log output in the same way nova,
cinder, and heat engine do.
To this aim, colorized logging configuration has been moved to ./functions.
The reason for this refactoring is that these instructions are the same or
very similar for each project, with the only exception of the target
configuration file.
Change-Id: Idf0d1b842bb9ab046c9ef826de1dfc55b3f1df9d
The default size leaves a very large padding for users to create larger
templates, but for testing and development a 10kB template is plenty.
This value is specifically meant to mirror upcoming changes to tempest
so that they are unified and can be tested in lock-step.
Change-Id: I0ea9798018a6d864ac04429c3ac89fb374583fb6
the old config files that are no longer needed (but still supported):
heat-engine.conf, heat-api.conf, heat-api-cfn.conf, heat-api-cw.conf
Change-Id: I7ba0566325539bf7215bcb606843a90b5e3e4a98
heat now has global environments that make it easy
to rename and customise resource behaviour. These
are yaml files that need to be in /etc/heat/environment.d/
Change-Id: I5a08c6ce8f5d7222f79aab2be0903ba783c10aa1
I find that enabling the debug log level often causes me to miss
important error messages due to the sheer volume of information
logged. This change allows configuration of the debug option
in a number of the projects so it can be disabled globally
without having to make one-off changes after each re-stack.
Note that this does not apply to Keystone or Swift right now.
They use a different method to configure their logging level and
I'm not as familiar with them so I didn't want to mess with their
settings.
Change-Id: I185d496543d245a644854c8a37f3359377cb978c
This requires HEAT_CREATE_TEST_IMAGE to be set for any images
to be created.
If the file (files/fedora-vm-heat-cfntools-tempest.qcow2) already
exists then disk-image-create will not be called, and the existing
image file will be registered with glance. This is most likely to
happen in the following scenarios:
- a second run of stack.sh
- the image has been pre-built elsewhere (such as during devstack-gate
image building)
Change-Id: I276573a20927e72f2cb68784f655c1ba1913ae8a
The following localrc will launch only heat in standalone mode
and allow it to provision within the openstack specified by
the configured keystone endpoint:
HEAT_STANDALONE=True
ENABLED_SERVICES=rabbit,mysql,heat,h-api,h-api-cfn,h-api-cw,h-eng
KEYSTONE_SERVICE_HOST=...
KEYSTONE_AUTH_HOST=...
Change-Id: I0d8a541fc9d592577423b074c789829f8b8d6702
heat-db-setup has been deprecated and doesn't work when
devstack uses postgres and mysql isn't installed.
This is causing postgres gating to fail for heat.
Change-Id: I84f0a2d40f0033e52c87b6f0c9c7265471134ffe
Currently lib/heat says:
To enable, add the following to localrc
ENABLED_SERVICES+=,heat,h-api-cfn,h-api-cw,h-eng
Once the stack is up, `heat list` fails because the API server
isn't running.
This commit adds h-api to that list.
Also make sure h-api is killed in stop_heat().
Change-Id: I2e818bb343680b3778f9277c23c766f784d28887
This script takes a long time to run which will affect tempest
run times. Instead of running this, example templates will be modified
to align with the default heat flavors.
Change-Id: I588b1da9f5a02de3bf64ac8011d75c7d5432ef26