71 Commits

Author SHA1 Message Date
Jenkins
ef837e4c7f Merge "Configure heat keystone client for SSL when keystone uses SSL" 2014-06-17 19:47:12 +00:00
Jamie Lennox
3561d7f9ed Use identity_uri instead of auth fragments
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.

Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.

identity_uri option was release in keystoneclient 0.8.0

Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
2014-06-16 15:16:48 +10:00
Rob Crittenden
fefd64b878 Configure heat keystone client for SSL when keystone uses SSL
When SSL is enabled in Keystone, the path to the Keystone CA file
needs to be set in ca_file in the clients_keystone section.

Change-Id: Ic324e09b42a96d0ba31e13f8e8042cb3ac24d0b6
Closes-Bug: 1324207
2014-05-27 22:27:15 -04:00
Jenkins
ffeeea1327 Merge "Remove keystone_ec2_uri flag from lib/heat" 2014-04-14 12:18:07 +00:00
JordanP
cebd563508 Remove keystone_ec2_uri flag from lib/heat
As per I9908e17bed33fdc64d058a6d6db7b29f9c8d53d6 keystone_ec2_uri
is now derived from auth_uri. Thus keystone_ec2_uri is useless
now

Change-Id: I97954fdbbd74a6920b307f33873bcc8d70331bf4
2014-03-28 16:15:50 +01:00
Attila Fazekas
499315fb65 Use urandom for heat key generation
Reading from /dev/random can block an virtual machine
even for several minutes, when the entropy pool is empty at the read time.

I have doubts we really need to use /dev/random here.
Even the ssh-keygen uses /dev/urandom by default,
 so the /dev/random is a little bit overkill here.

Change-Id: I6d2c6364c2b445304a33b0140e3cdc6804404b63
2014-03-25 10:42:14 +01:00
Jenkins
833357f8ce Merge "heat add HEAT_DEFERRED_AUTH option" 2014-03-24 20:03:00 +00:00
Jenkins
3de6b0a750 Merge "Make configurable the creation of heat stack domain" 2014-03-21 18:58:21 +00:00
Steven Hardy
f83cf93618 heat add HEAT_DEFERRED_AUTH option
Adds a HEAT_DEFERRED_AUTH, defaulted to trusts, so users can
by default take advantage of the heat trusts functionality
which provides the following benefits:
- Deferred operations (e.g autoscaling) work with token-only auth
- The password field in the heat page of horizon can be made optional
  (horizon patch pending)
- It's more secure because heat no longers stores username/password
  credentials in the DB, only a trust ID.

The previous behavior can be obtained by setting HEAT_DEFERRED_AUTH
to something other than "trusts" - the value will only be set in
the heat.conf if the value of "trusts" is found, otherwise the
heat.conf default will be used (currently "password" which doesn't
use trusts)

Change-Id: I549f1e0071a082ac5d07d0f99db633f8337f3d87
Related-Bug: #1286157
2014-03-21 12:57:22 +00:00
Steve Baker
16aca8a37a Make configurable the creation of heat stack domain
Heat has graceful fallback code if stack_user_domain is not configured.

It is important that this be configurable, for testing and for those who choose to
not run with a stack_user_domain yet.

Change-Id: I08f017412636327853b3c606afd36ae93aa09288
2014-03-17 15:52:40 +13:00
Sean Dague
29870cce32 as is_heat_enabled
this is missing, and the code assumes "heat" to be in the
enabled services list otherwise.

Change-Id: Ib0a7db04d8e38b58aca48261308e7c4d1fd43972
2014-03-14 14:32:01 -04:00
Steven Hardy
2ca3bf18dd Add heat_stack_owner role for heat trusts usage
Heat supports deferred operations via keystone trusts,
and we'd like to make that the default.  To do this, we
require a new role, which is the default role specified
in heat.conf trusts_delegated_roles, heat_stack_owner.

Add the role to the admin/demo users so they can create
heat stacks when we make deferred_auth_method=trusts the
default.

Change-Id: Idfc70ee89428c23f5965e643486ff2ad9566471c
Related-Bug: #1286157
2014-03-03 18:18:43 +00:00
Steven Hardy
57d478d874 Move heat keystone setup into lib/heat
Move the heat setup which currently happens in files/keystone_data.sh
to lib/heat, where we have create_heat_accounts.

Move the user, role, service and endpoint creation as that is consistent
with what other services, e.g lib/nova are doing.

Change-Id: Iaa2c822cad581d6b2b4f22f8863daf81e25f8485
2014-03-03 18:18:28 +00:00
Ian Wienand
aee18c749b Enforce function declaration format in bash8
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check.  Add a note to HACKING.rst

Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
2014-02-28 07:59:03 +11:00
Dean Troyer
1755f689e8 Fix heat role create error
https://review.openstack.org/#/c/76036/ changed the user creat commands,
missed the argument to --user

Change-Id: Iaf10ef80a2fb0227dd66a314e7ec253dfb4dc4fe
2014-02-26 13:08:04 -06:00
Steven Hardy
dd029da5b9 Create stack_domain_admin user
Create an additional service user for Heat, which is a domain admin
for the stack_user_domain - this is necessary since the normal service
user cannot manage the projects/users in the stack_user_domain when
keystone is configured to use the v3cloudsample policy (such as in
gate integration tests).

Change-Id: If59c11a74145b9bd02f78a7e0882afe1b0a72e40
2014-02-25 11:25:55 +00:00
Steven Hardy
8e1a1ffdfb Set stack_user_domain config correctly
The recently merged patch which creates a domain for heat
fails to correctly set the domain ID in heat.conf, so move the
setting of the config option to immediately after we create the
domain.  Also add the missing DEFAULT section identifier in the
iniset, and use OS_TOKEN instead of OS_SERVICE token, because
the stack.sh comment says this is exported for the openstackclient
workaround.

Change-Id: I912f774f1215d68cbcfe44229b371f318d92966a
Closes-Bug: #1283075
2014-02-21 14:51:28 +00:00
Steven Hardy
33d1f86a49 Add support for creating heat stack domain
The Heat instance-users blueprint requires an additional domain
where heat creates projects and users related to stack resources
so add support for creating this domain when configured to install
Heat.  Note a workaround is currently required to make the
openstack command work with the v3 keystone API.

Change-Id: I36157372d85b577952b55481ca5cc42146011a54
2014-02-15 07:45:55 +00:00
Sean Dague
16dd8b3ed9 introduce if/then & for/do rules
we mostly have a consistent style on if/then & for/do in devstack,
except when we don't. This attempts to build a set of rules to
enforce this.

Because there are times when lines are legitimately long, and there
is a continuation, this starts off ignoring if and for loops with
continuations. But for short versions, we should enforce this.

Changes to make devstack pass are included. The fact that the
cleanup patch was so small is pretty solid reason that this is
actually the style we've all agreed to.

Part of a git stash from hong kong that I finally cleaned up.

Change-Id: I6376d7afd59cc5ebba9ed69e5ee784a3d5934a10
2014-02-05 07:52:54 +01:00
Attila Fazekas
8664ca53f8 bash_completion for heat and ceilometer
Installing bash completion for heat and ceilometer by using a
similar way used with other services.

Change-Id: I5094648272f2666f6bff181bfa3aeb35e863bd97
2014-02-02 10:50:54 +01:00
Dean Troyer
4237f590b7 Generate Tempest service list rather than hard-code it
The list of services that Tempest used to set its 'service_available'
config values was hard-coded. To be plugin-friendly have each
service (project) add its name to the TEMPEST_SERVICES variable
and use that for setting the 'service_avilable' values.

Change-Id: I208efd7fd0798b18ac2e6353ee70b773e84a2683
2014-01-29 17:25:45 -06:00
Steve Baker
e61bc61a31 Use HOST_IP instead of SERVICE_HOST for heat API conf
Heat config values heat_metadata_server_url, heat_waitcondition_server_url and
heat_waitcondition_server_url currently derive their host from devstack
SERVICE_HOST. In gating this is set to 127.0.0.1, which would explain why
nova servers are not reaching heat with waitcondition signalling.

This change uses HOST_IP as the default instead of SERVICE_HOST.

Change-Id: I373b086e3a36a3484cfd34f0d1c8c168ac6d465d
2014-01-27 15:21:29 +13:00
Steve Baker
9acb965e57 Do not set bind_host for heat APIs
This results in the APIs binding to 0.0.0.0
which is what other devstack services bind to anyway.

Change-Id: Ic229dbed02b224fe7c5e14f20998bb5d5987aa39
Closes-Bug: #1172991
2014-01-19 11:05:08 +13:00
Jenkins
3e98388d07 Merge "Robustify service shutdown" 2014-01-13 14:09:44 +00:00
Dean Troyer
9fc8792b0a Robustify service shutdown
* Save PID when using screen in screen_it()
* Add screen_stop()
* Call out service stop_*() in unstack.sh functions so screen_stop()
  can do its thing

Closes-bug: 1183449
Change-Id: Iac84231cfda960c4197de5b6e8ba6eb19225169a
2014-01-11 11:46:19 -06:00
Vincent Hou
21fe4e76d5 Add a flexible API version choice for Cinder, Glance and Heat
The version of the authentication url is set to v1.0 for some
projects by default. We can make it configurable via the parameter
"$IDENTITY_API_VERSION".

Closes-Bug: #1253539
Change-Id: I6640e345d1317b1308403c95b13f8a998320241b
2014-01-06 01:22:57 -05:00
Jamie Lennox
bd24a8d0f8 Allow deploying keystone with SSL certificates
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
it's own encrypted endpoint.

Impletmenting: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
2013-11-25 22:27:51 +00:00
Angus Salkeld
e231438bf6 Use the oslo db database connection for Heat
This is the preferred configuration now, and sql_connection is
deprecated.

Change-Id: I2d8342b5025ab481e1db0521a3e0610b73bda9de
2013-11-14 14:36:46 +11:00
Jenkins
ba5a8198d2 Merge "Use heat's default value for max_template_size" 2013-11-07 02:22:18 +00:00
Adam Spiers
6a5aa7c6a2 Fix some Markdown formatting issues
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.

Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
2013-10-24 17:38:19 +01:00
Joe Gordon
33eaa5698c Use heat's default value for max_template_size
Instead of aligning value with tempest, make tempest use heat's default
value as that is what most people will be deploying with.

Change-Id: I77549f2b5e953ff712c50a2b372f6b04725d5eb0
2013-10-24 14:12:44 +01:00
Arata Notsu
4897ff55d7 Correct logging_context_format_string for Heat
We should use "tenant" and "user" instead of "project_name" and
"user_name" by calling setup_colorized_logging with these parameters.

Change-Id: I47820c890bf4585e7c8f64c41f48d7576ca56862
Closes-Bug: 1237314
2013-10-09 18:53:58 +09:00
Mate Lakat
45ea081150 Fix typo in lib/heat
With the change https://review.openstack.org/43006 a typo was
introduced. This change fixes it.

Change-Id: Iebcbfe49d779552c17f6ab216976149f332b772c
2013-09-25 10:00:29 +01:00
Salvatore Orlando
05ae833be2 Colorize Neutron log output and refactor log setup code
Bug 1214616

This patch adds colors to on-screen Neutron log output in the same way nova,
cinder, and heat engine do.
To this aim, colorized logging configuration has been moved to ./functions.
The reason for this refactoring is that these instruction are the same or
very similar for each project, with the only exception of the target
configuration file.

Change-Id: Idf0d1b842bb9ab046c9ef826de1dfc55b3f1df9d
2013-09-13 10:34:40 -07:00
Clint Byrum
f68c9d3fb7 Fix section on iniset for max_template_size
The section was not specified, leading to trying to create a section of
max_template_size.

Change-Id: Ie3b525030efa780e9cef2d3108be92169d400857
2013-09-10 11:37:47 -07:00
Clint Byrum
54d1faecc5 Lower Heat max_template_size for Tempest
The default size leaves a very large padding for users to create larger
templates, but for testing and development a 10kB template is plenty.

This value is specifically meant to mirror upcoming changes to tempest
so that they are unified and can be tested in lock-step.

Change-Id: I0ea9798018a6d864ac04429c3ac89fb374583fb6
2013-09-09 11:55:11 -07:00
Angus Salkeld
e118655028 Fix Heat's signing_dir
This is not critical but looks odd using api-cfn.

Change-Id: Ie0f5c66f635b4a7c6ba51581ad01bab624158e61
2013-09-06 13:35:09 +10:00
Angus Salkeld
a213e2c3ca Move Heat to a single heat.conf
the old config files that are no longer needed (but still supported):
heat-engine.conf, heat-api.conf, heat-api-cfn.conf, heat-api-cw.conf

Change-Id: I7ba0566325539bf7215bcb606843a90b5e3e4a98
2013-08-30 10:49:03 +10:00
Angus Salkeld
fb71a272db Add support for heat resource templates
These are resources that are defined as a template and
can be customised by a deployer.

Change-Id: Ia739a36d627b7cfec26641b89513355e65cd1d1f
2013-08-26 10:15:38 +10:00
Angus Salkeld
f645a8504a Add support for heat enviroments
heat now has global environments that make it easy
to rename and customise resource behaviour. These
are yaml files that need to be in /etc/heat/environment.d/

Change-Id: I5a08c6ce8f5d7222f79aab2be0903ba783c10aa1
2013-08-26 10:13:36 +10:00
Jenkins
415360b231 Merge "Colorize heat engine log" 2013-08-16 13:38:43 +00:00
Jenkins
27899ccc1f Merge "Generate heat images for tempest tests" 2013-08-13 20:48:48 +00:00
Ben Nemec
039979424b Allow disabling of debug logging
I find that enabling the debug log level often causes me to miss
important error messages due to the sheer volume of information
logged.  This change allows configuration of the debug option
in a number of the projects so it can be disabled globally
without having to make one-off changes after each re-stack.

Note that this does not apply to Keystone or Swift right now.
They use a different method to configure their logging level and
I'm not as familiar with them so I didn't want to mess with their
settings.

Change-Id: I185d496543d245a644854c8a37f3359377cb978c
2013-08-12 15:01:39 -05:00
Steve Baker
556ffe4022 Colorize heat engine log
Change-Id: If6ffb234e360e8a579eb8e1e7baedb90354b10ae
2013-08-12 09:10:25 +12:00
Steve Baker
d5cccad2f0 Generate heat images for tempest tests
This requires HEAT_CREATE_TEST_IMAGE to be set for any images
to be created.

If the file (files/fedora-vm-heat-cfntools-tempest.qcow2) already
exists then disk-image-create will not be called, and the existing
image file will be registered with glance. This is most likely to
happen in the following scenarios:
- a second run of stack.sh
- the image has been pre-built elsewhere (such as during devstack-gate
  image building)
Change-Id: I276573a20927e72f2cb68784f655c1ba1913ae8a
2013-08-12 09:10:25 +12:00
Steve Baker
389b3a0233 Support heat in standalone mode.
The following localrc will launch only heat in standalone mode
and allow it to provision within the openstack specified by
the configured keystone endpoint:
HEAT_STANDALONE=True
ENABLED_SERVICES=rabbit,mysql,heat,h-api,h-api-cfn,h-api-cw,h-eng
KEYSTONE_SERVICE_HOST=...
KEYSTONE_AUTH_HOST=...

Change-Id: I0d8a541fc9d592577423b074c789829f8b8d6702
2013-08-08 09:31:03 +12:00
Sean Dague
d644e23c95 make install_heatclient like other client installs
all the other install_*client functions do the setup develop
inline. Do the same thing for heat.

Change-Id: Ib2043580af6b7f14f24f7304e5f47f4523517d06
2013-07-25 15:43:15 -04:00
Steve Baker
e3111329f1 Use heat-manage to sync heat db.
heat-db-setup has been deprecated and doesn't work when
devstack uses postgres and mysql isn't installed.

This is causing postgres gating to fail for heat.

Change-Id: I84f0a2d40f0033e52c87b6f0c9c7265471134ffe
2013-06-19 13:57:31 +12:00
Kieran Spear
7033829d71 Add h-api to suggested ENABLED_SERVICES for Heat
Currently lib/heat says:

    To enable, add the following to localrc
    ENABLED_SERVICES+=,heat,h-api-cfn,h-api-cw,h-eng

Once the stack is up, `heat list` fails because the API server
isn't running.

This commit adds h-api to that list.
Also make sure h-api is killed in stop_heat().

Change-Id: I2e818bb343680b3778f9277c23c766f784d28887
2013-05-28 11:36:54 +10:00
Steve Baker
de0898a02c Do not run heat/tools/nova_create_flavors.sh
This script takes a long time to run which will affect tempest
run times. Instead of running this, example templates will be modified
to align with the default heat flavors.

Change-Id: I588b1da9f5a02de3bf64ac8011d75c7d5432ef26
2013-05-08 11:37:26 +12:00