Fix tls-proxy issues with the devstack plugin
Enabling tls-proxy lets devstack set up a TLS proxy server that sits in front of manila-api and terminates TLS connections. Also enable tls-proxy in the dummy and lvm jobs: the dummy driver job is configured to run the built-in wsgi server, while the lvm job is configured to use mod_wsgi. Closes-Bug: #1816836 Change-Id: I48b0ccc082604d78242ba61bee94a45efeb2467b
parent
1701821b89
commit
8f1c7dc91f
@ -71,7 +71,7 @@ function _config_manila_apache_wsgi {
|
|||||||
sudo sed -e "
|
sudo sed -e "
|
||||||
s|%APACHE_NAME%|$APACHE_NAME|g;
|
s|%APACHE_NAME%|$APACHE_NAME|g;
|
||||||
s|%MANILA_BIN_DIR%|$MANILA_BIN_DIR|g;
|
s|%MANILA_BIN_DIR%|$MANILA_BIN_DIR|g;
|
||||||
s|%PORT%|$MANILA_SERVICE_PORT|g;
|
s|%PORT%|$REAL_MANILA_SERVICE_PORT|g;
|
||||||
s|%APIWORKERS%|$API_WORKERS|g;
|
s|%APIWORKERS%|$API_WORKERS|g;
|
||||||
s|%USER%|$STACK_USER|g;
|
s|%USER%|$STACK_USER|g;
|
||||||
" -i $manila_api_apache_conf
|
" -i $manila_api_apache_conf
|
||||||
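Review bot: The new `s|%PORT%|$REAL_MANILA_SERVICE_PORT|g` makes this sed depend on configure_manila having already assigned REAL_MANILA_SERVICE_PORT (it is set there, not in this function); if _config_manila_apache_wsgi ever runs first, or standalone, the expansion is empty and `%PORT%` is silently replaced by nothing, producing an Apache vhost with no port instead of an error. The call order is not visible in this hunk, so make the dependency explicit with a guard before the sed, `: "${REAL_MANILA_SERVICE_PORT:?configure_manila must run before _config_manila_apache_wsgi}"`, or use a fallback in the substitution, `s|%PORT%|${REAL_MANILA_SERVICE_PORT:-$MANILA_SERVICE_PORT}|g`. The sed also writes to an unquoted `$manila_api_apache_conf`; `-i "$manila_api_apache_conf"` costs nothing. _config_manila_apache_wsgi begins outside this hunk.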
@ -277,9 +277,14 @@ function configure_manila {
|
|||||||
|
|
||||||
iniset $MANILA_CONF DEFAULT manila_service_keypair_name $MANILA_SERVICE_KEYPAIR_NAME
|
iniset $MANILA_CONF DEFAULT manila_service_keypair_name $MANILA_SERVICE_KEYPAIR_NAME
|
||||||
|
|
||||||
|
REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT
|
||||||
if is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
|
# Set the protocol to 'https', and set the default port
|
||||||
|
MANILA_SERVICE_PROTOCOL="https"
|
||||||
|
REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT_INT
|
||||||
# Set the service port for a proxy to take the original
|
# Set the service port for a proxy to take the original
|
||||||
iniset $MANILA_CONF DEFAULT osapi_share_listen_port $MANILA_SERVICE_PORT_INT
|
iniset $MANILA_CONF DEFAULT osapi_share_listen_port $REAL_MANILA_SERVICE_PORT
|
||||||
|
iniset $MANILA_CONF oslo_middleware enable_proxy_headers_parsing True
|
||||||
fi
|
fi
|
||||||
|
|
||||||
iniset_rpc_backend manila $MANILA_CONF DEFAULT
|
iniset_rpc_backend manila $MANILA_CONF DEFAULT
|
||||||
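Review bot: The new `iniset $MANILA_CONF oslo_middleware enable_proxy_headers_parsing True` makes manila-api trust X-Forwarded-Proto/Host/Prefix from whatever reaches it, and the hunk only moves the listen port (`osapi_share_listen_port`) without restricting the listen address, so a client that can reach the internal port directly can forge those headers and have the API generate links and version documents for a host and scheme of its choosing. That is tolerable for a devstack if the internal port is not exposed, but the assumption should be written down next to the setting: `# The tls proxy supplies X-Forwarded-*; anything that reaches the internal port directly can forge them, so keep that port off untrusted networks.` The comment `# Set the service port for a proxy to take the original` reads awkwardly; `# Listen on the internal port; the tls proxy takes over $MANILA_SERVICE_PORT` says the same thing plainly. configure_manila begins and ends outside this hunk.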
@ -509,11 +514,6 @@ function create_default_share_group_type {
|
|||||||
# type identified by $MANILA_DEFAULT_SHARE_TYPE is still created, but not
|
# type identified by $MANILA_DEFAULT_SHARE_TYPE is still created, but not
|
||||||
# configured as default.
|
# configured as default.
|
||||||
function create_default_share_type {
|
function create_default_share_type {
|
||||||
echo "Waiting for Manila API to start..."
|
|
||||||
if ! wait_for_service 60 $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then
|
|
||||||
die $LINENO "Manila did not start"
|
|
||||||
fi
|
|
||||||
|
|
||||||
enabled_backends=(${MANILA_ENABLED_BACKENDS//,/ })
|
enabled_backends=(${MANILA_ENABLED_BACKENDS//,/ })
|
||||||
driver_handles_share_servers=$(iniget $MANILA_CONF ${enabled_backends[0]} driver_handles_share_servers)
|
driver_handles_share_servers=$(iniget $MANILA_CONF ${enabled_backends[0]} driver_handles_share_servers)
|
||||||
|
|
||||||
@ -826,14 +826,20 @@ function start_manila_api {
|
|||||||
run_process m-api "$MANILA_BIN_DIR/manila-api --config-file $MANILA_CONF"
|
run_process m-api "$MANILA_BIN_DIR/manila-api --config-file $MANILA_CONF"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
echo "Waiting for Manila API to start..."
|
echo "Waiting for Manila API to start..."
|
||||||
if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then
|
# This is a health check against the manila-api service we just started.
|
||||||
|
# We use the port ($REAL_MANILA_SERVICE_PORT) here because we want to hit
|
||||||
|
# the bare service endpoint, even if the tls tunnel should be enabled.
|
||||||
|
# We're making sure that the internal port is checked using unencryted
|
||||||
|
# traffic at this point.
|
||||||
|
if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT; then
|
||||||
die $LINENO "Manila API did not start"
|
die $LINENO "Manila API did not start"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Start proxies if enabled
|
# Start proxies if enabled
|
||||||
if is_service_enabled tls-proxy; then
|
if is_service_enabled tls-proxy; then
|
||||||
start_tls_proxy '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT &
|
start_tls_proxy manila '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
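Review bot: The new wait_for_service line still builds its URL from `$MANILA_SERVICE_PROTOCOL`, which the configure_manila hunk sets to `https` whenever tls-proxy is enabled, while the comment directly above says the internal port is being checked with unencrypted traffic. With tls-proxy on, the probe therefore speaks TLS to the plaintext internal listener, and whether it passes depends on how wait_for_service treats a handshake failure rather than on manila-api being up. Hard-code the scheme to match the comment: `if ! wait_for_service $SERVICE_TIMEOUT http://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT; then`. The comment also has a typo, `unencryted` should be `unencrypted`. start_manila_api begins outside this hunk.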
|
@ -184,7 +184,10 @@ Optionally, you can deploy with Manila, Nova, Neutron, Glance and Tempest::
|
|||||||
ENABLED_SERVICES+=q-svc,q-dhcp,q-meta,q-l3,q-agt
|
ENABLED_SERVICES+=q-svc,q-dhcp,q-meta,q-l3,q-agt
|
||||||
ENABLED_SERVICES+=tempest
|
ENABLED_SERVICES+=tempest
|
||||||
|
|
||||||
|
You can also enable ``tls-proxy`` with ``ENABLED_SERVICES`` to allow
|
||||||
|
devstack to use Apache and setup a TLS proxy to terminate TLS connections.
|
||||||
|
Using tls-proxy secures all OpenStack service API endpoints and inter-service
|
||||||
|
communication on your devstack.
|
||||||
|
|
||||||
Bootstrapping Tempest
|
Bootstrapping Tempest
|
||||||
`````````````````````
|
`````````````````````
|
||||||
|
@ -44,7 +44,7 @@
|
|||||||
export DEVSTACK_GATE_NEUTRON=1
|
export DEVSTACK_GATE_NEUTRON=1
|
||||||
export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
|
export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
|
||||||
# Basic services needed for minimal job
|
# Basic services needed for minimal job
|
||||||
export OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
|
export OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest,tls-proxy
|
||||||
|
|
||||||
export DEVSTACK_GATE_USE_PYTHON3=True
|
export DEVSTACK_GATE_USE_PYTHON3=True
|
||||||
export PYTHON3_VERSION="3.6"
|
export PYTHON3_VERSION="3.6"
|
||||||
|
@ -57,6 +57,8 @@
|
|||||||
OVERRIDE_ENABLED_SERVICES+=,n-api,n-cpu,n-cond,n-sch,n-crt,n-cauth,n-obj
|
OVERRIDE_ENABLED_SERVICES+=,n-api,n-cpu,n-cond,n-sch,n-crt,n-cauth,n-obj
|
||||||
# Enable neutron for scenario tests
|
# Enable neutron for scenario tests
|
||||||
OVERRIDE_ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-l3,q-agt
|
OVERRIDE_ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-l3,q-agt
|
||||||
|
# Enable tls-proxy
|
||||||
|
OVERRIDE_ENABLED_SERVICES+=,tls-proxy
|
||||||
|
|
||||||
# Enable mandatory placement services for nova starting with ocata
|
# Enable mandatory placement services for nova starting with ocata
|
||||||
if [[ "stable/newton" != $ZUUL_BRANCH ]]; then
|
if [[ "stable/newton" != $ZUUL_BRANCH ]]; then
|
||||||
|