From 3c45625197e6adfe76cbd37c68673d2aba13f141 Mon Sep 17 00:00:00 2001
From: Vikram Hosakote <vhosakot@cisco.com>
Date: Mon, 6 Jun 2016 21:24:24 +0000
Subject: [PATCH] Fix Magnum trustee issues

This patch set fixes all Magnum issues in kolla master.

The [trust] section of magnum.conf is now populated from a trustee
domain and a trustee domain-admin user that are created for Magnum
in ansible/roles/magnum/tasks/register.yml using the Ansible
OpenStack modules.

Bump shade to 1.5.0 in kolla-toolbox because of
os_user_role ansible module dependency.

Certificate storage is changed from 'local' (non-production)
to magnum's internal storage (x509keypair) or barbican.

Co-Authored-By: Martin Matyas <martinx.maty@intel.com>
Change-Id: Ifcb016c0bc4c8c3fc20e063fa05dc8838aae838c
Closes-Bug: #1551992
---
 ansible/roles/magnum/tasks/register.yml       | 52 +++++++++++++++++++
 ansible/roles/magnum/tasks/start.yml          |  1 +
 ansible/roles/magnum/templates/magnum.conf.j2 | 44 +++++++++++-----
 docker/kolla-toolbox/Dockerfile.j2            |  2 +-
 docker/magnum/magnum-base/Dockerfile.j2       |  4 +-
 5 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/ansible/roles/magnum/tasks/register.yml b/ansible/roles/magnum/tasks/register.yml
index bf4e847868..042f0b9771 100644
--- a/ansible/roles/magnum/tasks/register.yml
+++ b/ansible/roles/magnum/tasks/register.yml
@@ -38,3 +38,55 @@
   retries: 10
   delay: 5
   run_once: True
+
+- name: Creating Magnum trustee domain
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m os_keystone_domain
+    -a "name=magnum
+        description='Owns users and projects created by magnum'
+        auth={{ '{{ openstack_magnum_auth }}' }}"
+    -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+  register: trustee_domain
+  changed_when: "{{ trustee_domain.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: trustee_domain.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
+
+- name: Setting Magnum trustee domain value
+  set_fact:
+    magnum_trustee_domain_id: "{{ (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).id }}"
+
+- name: Creating Magnum trustee user
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m os_user
+    -a "name=magnum_trustee_domain_admin
+        domain=magnum
+        password={{ magnum_keystone_password }}
+        auth={{ '{{ openstack_magnum_auth }}' }}"
+    -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+  register: trustee_user
+  changed_when: "{{ trustee_user.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: trustee_user.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
+
+- name: Setting Magnum trustee user value
+  set_fact:
+    magnum_trustee_domain_admin_id: "{{ (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).user.id }}"
+
+- name: Creating Magnum trustee user role
+  command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+    -m os_user_role
+    -a "domain={{ magnum_trustee_domain_id }}
+        user={{ magnum_trustee_domain_admin_id }}
+        role=admin
+        auth={{ '{{ openstack_magnum_auth }}' }}"
+    -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+  register: magnum_user_role_result
+  changed_when: "{{ magnum_user_role_result.stdout.find('localhost | SUCCESS => ') != -1 and (magnum_user_role_result.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: magnum_user_role_result.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
+  run_once: True
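Review bot: The "Creating Magnum trustee user" task puts the new account's secret on the `docker exec` command line (`password={{ magnum_keystone_password }}`) and the admin credentials in `-e`, but has no `no_log: true`, so the secret is written to the Ansible task result (the full `cmd` is printed on every failed retry) and is visible in the host process list while the command runs. Add `no_log: true` to that task; the domain and role tasks also carry the admin auth dict on the command line and would benefit from the same. Separately, the trustee domain admin is given `magnum_keystone_password`, the same secret the Magnum service user in the `service` project uses, so one leaked credential now yields both a service-scoped token and admin over the whole `magnum` domain. A dedicated variable such as `magnum_trustee_domain_admin_password` in passwords.yml would keep the two principals independent, and the same variable should then feed `trustee_domain_admin_password` in the config template.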
diff --git a/ansible/roles/magnum/tasks/start.yml b/ansible/roles/magnum/tasks/start.yml
index d283aee1d8..b43839484d 100644
--- a/ansible/roles/magnum/tasks/start.yml
+++ b/ansible/roles/magnum/tasks/start.yml
@@ -20,5 +20,6 @@
     volumes:
       - "{{ node_config_directory }}/magnum-conductor/:{{ container_config_directory }}/:ro"
       - "/etc/localtime:/etc/localtime:ro"
+      - "magnum:/var/lib/magnum/"
       - "kolla_logs:/var/log/kolla/"
   when: inventory_hostname in groups['magnum-conductor']
diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
index e7cf2ed9a0..86049e2b3c 100644
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -1,6 +1,6 @@
 [DEFAULT]
 debug = {{ magnum_logging_debug }}
-
+state_path = /var/lib/magnum
 log_dir = /var/log/kolla/magnum
 
 transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
@@ -11,6 +11,9 @@ port = {{ magnum_api_port }}
 host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 {% endif %}
 
+[oslo_policy]
+policy_file = /etc/magnum/policy.json
+
 [database]
 connection = mysql+pymysql://{{ magnum_database_user }}:{{ magnum_database_password }}@{{ magnum_database_address}}/{{ magnum_database_name }}
 max_retries = -1
@@ -18,18 +21,24 @@ max_retries = -1
 [heat_client]
 region_name = {{ openstack_region_name }}
 
-[keystone_authtoken]
-auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
-auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
-auth_type = password
-project_domain_id = default
-user_domain_id = default
-project_name = service
-username = {{ magnum_keystone_user }}
-password = {{ magnum_keystone_password }}
+[cinder_client]
+region_name = {{ openstack_region_name }}
 
-[trustee]
-auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
+[barbican_client]
+region_name = {{ openstack_region_name }}
+
+[keystone_auth]
+auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
+user_domain_id = default
+project_domain_id = default
+project_name = service
+password = {{ magnum_keystone_password }}
+username = {{ magnum_keystone_user }}
+auth_type = password
+
+[keystone_authtoken]
+auth_version = v3
+auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
 auth_type = password
 project_domain_id = default
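Review bot: `auth_uri` under `[keystone_authtoken]` now carries a `/v3` suffix, while keystonemiddleware documents this value as the public endpoint advertised to unauthenticated clients and ideally unversioned; the newly added `auth_version = v3` already pins the API version used for validation, so the suffix is redundant and may differ from what other Kolla services advertise. Consider keeping the unversioned form, `auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}`, with `auth_version = v3` doing the version selection. The rest of the `[keystone_authtoken]` section continues past this hunk.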
@@ -42,6 +51,17 @@ memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
+[trust]
+trustee_domain_admin_password = {{ magnum_keystone_password }}
+trustee_domain_admin_id = {{ magnum_trustee_domain_admin_id }}
+trustee_domain_id = {{ magnum_trustee_domain_id}}
 
 [oslo_concurrency]
 lock_path = /var/lib/magnum/tmp
+
+[certificates]
+{% if enable_barbican | bool %}
+cert_manager_type = barbican
+{% else %}
+cert_manager_type = x509keypair
+{% endif %}
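Review bot: `cert_manager_type = x509keypair` keeps each cluster's CA certificate and private key in the Magnum database, so anyone holding `magnum_database_password` (also rendered into this file) can issue client certificates valid for every cluster; the template should state this trade-off rather than leave the non-Barbican branch looking equivalent. A Jinja comment renders nothing into the config and is safe here, e.g. `{# x509keypair stores cluster CA keys in the Magnum DB; set enable_barbican for production deployments #}` above `[certificates]`. The `[trust]` block also reuses the service user's password for the domain admin (see the register.yml task), which a dedicated password variable would avoid. Minor style point: `{{ magnum_trustee_domain_id}}` is missing the space before `}}` that the neighbouring lines use.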
diff --git a/docker/kolla-toolbox/Dockerfile.j2 b/docker/kolla-toolbox/Dockerfile.j2
index b05d1a5123..78b0a6cbde 100644
--- a/docker/kolla-toolbox/Dockerfile.j2
+++ b/docker/kolla-toolbox/Dockerfile.j2
@@ -57,7 +57,7 @@ RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
         MySQL-python \
         os-client-config==1.16.0 \
         pyudev \
-        shade==1.4.0
+        shade==1.5.0
 
 RUN useradd -m --user-group ansible --groups kolla \
     && mkdir -p /etc/ansible /usr/share/ansible \
diff --git a/docker/magnum/magnum-base/Dockerfile.j2 b/docker/magnum/magnum-base/Dockerfile.j2
index f9b7abc33c..32b597289d 100644
--- a/docker/magnum/magnum-base/Dockerfile.j2
+++ b/docker/magnum/magnum-base/Dockerfile.j2
@@ -21,9 +21,9 @@ ADD magnum-base-archive /magnum-base-source
 RUN ln -s magnum-base-source/* magnum \
     && useradd --user-group magnum \
     && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \
-    && mkdir -p /etc/magnum /home/magnum \
+    && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \
     && cp -r /magnum/etc/magnum/* /etc/magnum \
-    && chown -R magnum: /etc/magnum /home/magnum
+    && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum
 
 {% endif %}