Fix Magnum trustee issues

This patch set fixes all Magnum issues in kolla master.

The [trust] section is added to magnum.conf, populated from a trustee
domain and user that are created for Magnum in
ansible/roles/magnum/tasks/register.yml using the Ansible OpenStack
modules.

Bump shade to 1.5.0 in kolla-toolbox because of
os_user_role ansible module dependency.

Certificate storage is changed from 'local' (non-production)
to magnum's internal storage (x509keypair) or barbican.

Co-Authored-By: Martin Matyas <martinx.maty@intel.com>
Change-Id: Ifcb016c0bc4c8c3fc20e063fa05dc8838aae838c
Closes-Bug: #1551992
Vikram Hosakote 2016-06-06 21:24:24 +00:00 committed by Martin Matyáš
parent b32d7ce802
commit 3c45625197
5 changed files with 88 additions and 15 deletions


@ -38,3 +38,55 @@
retries: 10 retries: 10
delay: 5 delay: 5
run_once: True run_once: True
- name: Creating Magnum trustee domain
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-m os_keystone_domain
-a "name=magnum
description='Owns users and projects created by magnum'
auth={{ '{{ openstack_magnum_auth }}' }}"
-e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
register: trustee_domain
changed_when: "{{ trustee_domain.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: trustee_domain.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True
- name: Setting Magnum trustee domain value
set_fact:
magnum_trustee_domain_id: "{{ (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).id }}"
- name: Creating Magnum trustee user
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-m os_user
-a "name=magnum_trustee_domain_admin
domain=magnum
password={{ magnum_keystone_password }}
auth={{ '{{ openstack_magnum_auth }}' }}"
-e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
register: trustee_user
changed_when: "{{ trustee_user.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: trustee_user.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True
- name: Setting Magnum trustee user value
set_fact:
magnum_trustee_domain_admin_id: "{{ (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).user.id }}"
- name: Creating Magnum trustee user role
command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
-m os_user_role
-a "domain={{ magnum_trustee_domain_id }}
user={{ magnum_trustee_domain_admin_id }}
role=admin
auth={{ '{{ openstack_magnum_auth }}' }}"
-e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
register: magnum_user_role_result
changed_when: "{{ magnum_user_role_result.stdout.find('localhost | SUCCESS => ') != -1 and (magnum_user_role_result.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
until: magnum_user_role_result.stdout.split()[2] == 'SUCCESS'
retries: 10
delay: 5
run_once: True
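Review bot: The trustee-user task passes `password={{ magnum_keystone_password }}` as a `-a` argument to `docker exec`, and all three new tasks pass `openstack_magnum_auth` (which presumably carries the Keystone admin credentials) via `-e`, yet none of them sets `no_log`, so the full command line and the registered stdout end up in Ansible's verbose output and log file, and the argv is visible in the process list while the call runs. The surrounding tasks in this file appear to follow the same pattern, so the issue is pre-existing, but the new tasks are the ones that put a password into `-a`; adding `no_log: True` next to `run_once: True` on each of the three tasks would at least keep the secrets out of logs. Separately, the trustee domain admin is created with the magnum service user's own `magnum_keystone_password`, so two principals with different privileges share one secret; a dedicated variable (e.g. `magnum_trustee_password`) would let them be rotated and scoped independently.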


@ -20,5 +20,6 @@
volumes: volumes:
- "{{ node_config_directory }}/magnum-conductor/:{{ container_config_directory }}/:ro" - "{{ node_config_directory }}/magnum-conductor/:{{ container_config_directory }}/:ro"
- "/etc/localtime:/etc/localtime:ro" - "/etc/localtime:/etc/localtime:ro"
- "magnum:/var/lib/magnum/"
- "kolla_logs:/var/log/kolla/" - "kolla_logs:/var/log/kolla/"
when: inventory_hostname in groups['magnum-conductor'] when: inventory_hostname in groups['magnum-conductor']


@ -1,6 +1,6 @@
[DEFAULT] [DEFAULT]
debug = {{ magnum_logging_debug }} debug = {{ magnum_logging_debug }}
state_path = /var/lib/magnum
log_dir = /var/log/kolla/magnum log_dir = /var/log/kolla/magnum
transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %} transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
@ -11,6 +11,9 @@ port = {{ magnum_api_port }}
host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
{% endif %} {% endif %}
[oslo_policy]
policy_file = /etc/magnum/policy.json
[database] [database]
connection = mysql+pymysql://{{ magnum_database_user }}:{{ magnum_database_password }}@{{ magnum_database_address}}/{{ magnum_database_name }} connection = mysql+pymysql://{{ magnum_database_user }}:{{ magnum_database_password }}@{{ magnum_database_address}}/{{ magnum_database_name }}
max_retries = -1 max_retries = -1
@ -18,18 +21,24 @@ max_retries = -1
[heat_client] [heat_client]
region_name = {{ openstack_region_name }} region_name = {{ openstack_region_name }}
[keystone_authtoken] [cinder_client]
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} region_name = {{ openstack_region_name }}
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = {{ magnum_keystone_user }}
password = {{ magnum_keystone_password }}
[trustee] [barbican_client]
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} region_name = {{ openstack_region_name }}
[keystone_auth]
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
user_domain_id = default
project_domain_id = default
project_name = service
password = {{ magnum_keystone_password }}
username = {{ magnum_keystone_user }}
auth_type = password
[keystone_authtoken]
auth_version = v3
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = default
@ -42,6 +51,17 @@ memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }} memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
[trust]
trustee_domain_admin_password = {{ magnum_keystone_password }}
trustee_domain_admin_id = {{ magnum_trustee_domain_admin_id }}
trustee_domain_id = {{ magnum_trustee_domain_id}}
[oslo_concurrency] [oslo_concurrency]
lock_path = /var/lib/magnum/tmp lock_path = /var/lib/magnum/tmp
[certificates]
{% if enable_barbican | bool %}
cert_manager_type = barbican
{% else %}
cert_manager_type = x509keypair
{% endif %}
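Review bot: In the new `[trust]` block, `trustee_domain_admin_password = {{ magnum_keystone_password }}` reuses the same secret that `[keystone_auth]` and `[keystone_authtoken]` already use for the `magnum` service user, so the domain admin of the newly created `magnum` domain (which holds every cluster's trustee users) is protected by the same password as the service account; a separate variable, e.g. `trustee_domain_admin_password = {{ magnum_trustee_password }}`, would keep the two principals independently rotatable. The `[certificates]` fallback to `x509keypair` is a real improvement over `local`, but as far as I know that driver keeps the per-cluster CA keys in the Magnum database, which makes the plaintext DB credentials in the `[database]` `connection` line equivalent to the ability to mint client certificates for every cluster; a one-line Jinja comment would make that trade-off visible to operators, e.g. `{# x509keypair stores cluster CA keys in the magnum DB; enable barbican for production #}` placed above the `{% if enable_barbican | bool %}` line.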


@ -57,7 +57,7 @@ RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
MySQL-python \ MySQL-python \
os-client-config==1.16.0 \ os-client-config==1.16.0 \
pyudev \ pyudev \
shade==1.4.0 shade==1.5.0
RUN useradd -m --user-group ansible --groups kolla \ RUN useradd -m --user-group ansible --groups kolla \
&& mkdir -p /etc/ansible /usr/share/ansible \ && mkdir -p /etc/ansible /usr/share/ansible \


@ -21,9 +21,9 @@ ADD magnum-base-archive /magnum-base-source
RUN ln -s magnum-base-source/* magnum \ RUN ln -s magnum-base-source/* magnum \
&& useradd --user-group magnum \ && useradd --user-group magnum \
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \ && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
&& mkdir -p /etc/magnum /home/magnum \ && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
&& cp -r /magnum/etc/magnum/* /etc/magnum \ && cp -r /magnum/etc/magnum/* /etc/magnum \
&& chown -R magnum: /etc/magnum /home/magnum && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
{% endif %} {% endif %}