Juju Charms Collection
keystone package

Merge lp:~openstack-charmers/charms/precise/keystone/ha-support into lp:~charmers/charms/precise/keystone/trunk

Proposed by Adam Gandelman on 2013-05-29

Status:	Merged
Merged at revision:	42
Proposed branch:	lp:~openstack-charmers/charms/precise/keystone/ha-support
Merge into:	lp:~charmers/charms/precise/keystone/trunk
Diff against target:	2957 lines (+2068/-364) 16 files modified config.yaml (+41/-0) hooks/keystone_hooks.py (+363/-92) hooks/keystone_ssl.py (+301/-0) hooks/keystone_utils.py (+296/-234) hooks/lib/apache_utils.py (+196/-0) hooks/lib/cluster_utils.py (+130/-0) hooks/lib/haproxy_utils.py (+55/-0) hooks/lib/openstack_common.py (+74/-37) hooks/lib/unison.py (+220/-0) hooks/lib/utils.py (+332/-0) hooks/manager.py (+1/-0) metadata.yaml (+6/-0) revision (+1/-1) scripts/add_to_cluster (+13/-0) scripts/remove_from_cluster (+4/-0) templates/haproxy.cfg (+35/-0)
To merge this branch:	bzr merge lp:~openstack-charmers/charms/precise/keystone/ha-support
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
charmers		2013-05-29	Pending
Review via email: mp+166344@code.launchpad.net

Description of the change

* Updated for Grizzly.

* HA support via hacluster charm.

* Allows remote services to request roles be created, required for ceilometer and swift.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

Landscape

Nobuto Murata

OpenStack Charmers

charmers

 === modified file 'config.yaml'
 --- config.yaml	2012-10-12 17:26:48 +0000
 +++ config.yaml	2013-05-29 18:13:26 +0000
@@ -26,6 +26,10 @@
  default: "/etc/keystone/keystone.conf"
  type: string
  description: "Location of keystone configuration file"
++ log-level:
++ default: WARNING
++ type: string
++ description: Log level (WARNING, INFO, DEBUG, ERROR)
  service-port:
  default: 5000
  type: int
@@ -75,3 +79,40 @@
  default: "keystone"
  type: string
  description: "Database username"
++ region:
++ default: RegionOne
++ type: string
++ description: "OpenStack Region(s) - separate multiple regions with single space"
++ # HA configuration settings
++ vip:
++ type: string
++ description: "Virtual IP to use to front keystone in ha configuration"
++ vip_iface:
++ type: string
++ default: eth0
++ description: "Network Interface where to place the Virtual IP"
++ vip_cidr:
++ type: int
++ default: 24
++ description: "Netmask that will be used for the Virtual IP"
++ ha-bindiface:
++ type: string
++ default: eth0
++ description: |
++ Default network interface on which HA cluster will bind to communication
++ with the other members of the HA Cluster.
++ ha-mcastport:
++ type: int
++ default: 5403
++ description: |
++ Default multicast port number that will be used to communicate between
++ HA Cluster nodes.
++ # PKI enablement and configuration (Grizzly and beyond)
++ enable-pki:
++ default: "false"
++ type: string
++ description: "Enable PKI token signing (Grizzly and beyond)"
++ https-service-endpoints:
++ default: "False"
++ type: string
++ description: "Manage SSL certificates for all service endpoints."
 === added symlink 'hooks/cluster-relation-changed'
 === target is u'keystone_hooks.py'
 === added symlink 'hooks/cluster-relation-departed'
 === target is u'keystone_hooks.py'
 === added symlink 'hooks/cluster-relation-joined'
 === target is u'keystone_hooks.py'
 === modified symlink 'hooks/config-changed'
 === target changed u'keystone-hooks' => u'keystone_hooks.py'
 === added symlink 'hooks/ha-relation-changed'
 === target is u'keystone_hooks.py'
 === added symlink 'hooks/ha-relation-joined'
 === target is u'keystone_hooks.py'
 === modified symlink 'hooks/identity-service-relation-changed'
 === target changed u'keystone-hooks' => u'keystone_hooks.py'
 === modified symlink 'hooks/identity-service-relation-joined'
 === target changed u'keystone-hooks' => u'keystone_hooks.py'
 === modified symlink 'hooks/install'
 === target changed u'keystone-hooks' => u'keystone_hooks.py'
 === renamed file 'hooks/keystone-hooks' => 'hooks/keystone_hooks.py'
 --- hooks/keystone-hooks	2012-12-12 03:52:01 +0000
 +++ hooks/keystone_hooks.py	2013-05-29 18:13:26 +0000
@@ -1,14 +1,53 @@
  #!/usr/bin/python
--import sys
  import time
--
--from utils import *
--from lib.openstack_common import *
++import urlparse
++
++from base64 import b64encode
++
++from keystone_utils import (
++ config_dirty,
++ config_get,
++ execute,
++ update_config_block,
++ set_admin_token,
++ ensure_initial_admin,
++ create_service_entry,
++ create_endpoint_template,
++ create_role,
++ get_admin_token,
++ get_service_password,
++ create_user,
++ grant_role,
++ get_ca,
++ synchronize_service_credentials,
++ do_openstack_upgrade,
++ configure_pki_tokens,
++ SSH_USER,
++ SSL_DIR,
++ CLUSTER_RES,
++ https
++ )
++
++from lib.openstack_common import (
++ get_os_codename_install_source,
++ get_os_codename_package,
++ get_os_version_codename,
++ get_os_version_package,
++ save_script_rc
++ )
++import lib.unison as unison
++import lib.utils as utils
++import lib.cluster_utils as cluster
++import lib.haproxy_utils as haproxy
  config = config_get()
--packages = "keystone python-mysqldb pwgen"
++packages = [
++ "keystone", "python-mysqldb", "pwgen",
++ "haproxy", "python-jinja2", "openssl", "unison",
++ "python-sqlalchemy"
++ ]
  service = "keystone"
  # used to verify joined services are valid openstack components.
@@ -46,16 +85,25 @@
  "quantum": {
  "type": "network",
  "desc": "Quantum Networking Service"
++ },
++ "oxygen": {
++ "type": "oxygen",
++ "desc": "Oxygen Cloud Image Service"
++ },
++ "ceilometer": {
++ "type": "metering",
++ "desc": "Ceilometer Metering Service"
+ }
+ }
++
  def install_hook():
-- if config["openstack-origin"] != "distro":
-- configure_installation_source(config["openstack-origin"])
-- execute("apt-get update", die=True)
-- execute("apt-get -y install %s" % packages, die=True, echo=True)
-- update_config_block('DEFAULT', public_port=config["service-port"])
-- update_config_block('DEFAULT', admin_port=config["admin-port"])
++ utils.configure_source()
++ utils.install(*packages)
++ update_config_block('DEFAULT',
++ public_port=cluster.determine_api_port(config["service-port"]))
++ update_config_block('DEFAULT',
++ admin_port=cluster.determine_api_port(config["admin-port"]))
  set_admin_token(config['admin-token'])
  # set all backends to use sql+sqlite, if they are not already by default
@@ -69,90 +117,141 @@
  driver='keystone.token.backends.sql.Token')
  update_config_block('ec2',
  driver='keystone.contrib.ec2.backends.sql.Ec2')
-- execute("service keystone stop", echo=True)
++
++ utils.stop('keystone')
  execute("keystone-manage db_sync")
-- execute("service keystone start", echo=True)
++ utils.start('keystone')
++
++ # ensure user + permissions for peer relations that
++ # may be syncing data there via SSH_USER.
++ unison.ensure_user(user=SSH_USER, group='keystone')
++ execute("chmod -R g+wrx /var/lib/keystone/")
++
  time.sleep(5)
  ensure_initial_admin(config)
++
  def db_joined():
-- relation_data = { "database": config["database"],
-- "username": config["database-user"],
-- "hostname": config["hostname"] }
-- relation_set(relation_data)
++ relation_data = {
++ "database": config["database"],
++ "username": config["database-user"],
++ "hostname": config["hostname"]
++ }
++ utils.relation_set(**relation_data)
++
  def db_changed():
-- relation_data = relation_get_dict()
++ relation_data = utils.relation_get_dict()
  if ('password' not in relation_data or
-- 'private-address' not in relation_data):
-- juju_log("private-address or password not set. Peer not ready, exit 0")
-- exit(0)
++ 'db_host' not in relation_data):
++ utils.juju_log('INFO',
++ "db_host or password not set. Peer not ready, exit 0")
++ return
++
  update_config_block('sql', connection="mysql://%s:%s@%s/%s" %
  (config["database-user"],
  relation_data["password"],
-- relation_data["private-address"],
++ relation_data["db_host"],
  config["database"]))
-- execute("service keystone stop", echo=True)
-- execute("keystone-manage db_sync", echo=True)
-- execute("service keystone start")
++
++ if cluster.eligible_leader(CLUSTER_RES):
++ utils.juju_log('INFO',
++ 'Cluster leader, performing db-sync')
++ execute("keystone-manage db_sync", echo=True)
++
++ if config_dirty():
++ utils.restart('keystone')
++
  time.sleep(5)
-- ensure_initial_admin(config)
--
-- # If the backend database has been switched to something new and there
-- # are existing identity-service relations,, service entries need to be
-- # recreated in the new database. Re-executing identity-service-changed
-- # will do this.
-- for id in relation_ids(relation_name='identity-service'):
-- for unit in relation_list(relation_id=id):
-- juju_log("Re-exec'ing identity-service-changed for: %s - %s" %
-- (id, unit))
-- identity_changed(relation_id=id, remote_unit=unit)
++
++ if cluster.eligible_leader(CLUSTER_RES):
++ ensure_initial_admin(config)
++ # If the backend database has been switched to something new and there
++ # are existing identity-service relations,, service entries need to be
++ # recreated in the new database. Re-executing identity-service-changed
++ # will do this.
++ for rid in utils.relation_ids('identity-service'):
++ for unit in utils.relation_list(rid=rid):
++ utils.juju_log('INFO',
++ "Re-exec'ing identity-service-changed"
++ " for: %s - %s" % (rid, unit))
++ identity_changed(relation_id=rid, remote_unit=unit)
++
++
++def ensure_valid_service(service):
++ if service not in valid_services.keys():
++ utils.juju_log('WARNING',
++ "Invalid service requested: '%s'" % service)
++ utils.relation_set(admin_token=-1)
++ return
++
++
++def add_endpoint(region, service, publicurl, adminurl, internalurl):
++ desc = valid_services[service]["desc"]
++ service_type = valid_services[service]["type"]
++ create_service_entry(service, service_type, desc)
++ create_endpoint_template(region=region, service=service,
++ publicurl=publicurl,
++ adminurl=adminurl,
++ internalurl=internalurl)
++
  def identity_joined():
  """ Do nothing until we get information about requested service """
  pass
++
  def identity_changed(relation_id=None, remote_unit=None):
  """ A service has advertised its API endpoints, create an entry in the
  service catalog.
  Optionally allow this hook to be re-fired for an existing
  relation+unit, for context see see db_changed().
  """
-- def ensure_valid_service(service):
-- if service not in valid_services.keys():
-- juju_log("WARN: Invalid service requested: '%s'" % service)
-- realtion_set({ "admin_token": -1 })
-- return
--
-- def add_endpoint(region, service, public_url, admin_url, internal_url):
-- desc = valid_services[service]["desc"]
-- service_type = valid_services[service]["type"]
-- create_service_entry(service, service_type, desc)
-- create_endpoint_template(region=region, service=service,
-- public_url=public_url,
-- admin_url=admin_url,
-- internal_url=internal_url)
--
-- settings = relation_get_dict(relation_id=relation_id,
-- remote_unit=remote_unit)
++ if not cluster.eligible_leader(CLUSTER_RES):
++ utils.juju_log('INFO',
++ 'Deferring identity_changed() to service leader.')
++ return
++
++ settings = utils.relation_get_dict(relation_id=relation_id,
++ remote_unit=remote_unit)
  # the minimum settings needed per endpoint
  single = set(['service', 'region', 'public_url', 'admin_url',
  'internal_url'])
  if single.issubset(settings):
  # other end of relation advertised only one endpoint
--
-- if 'None' in [v for k,v in settings.iteritems()]:
++ if 'None' in [v for k, v in settings.iteritems()]:
  # Some backend services advertise no endpoint but require a
  # hook execution to update auth strategy.
++ relation_data = {}
++ # Check if clustered and use vip + haproxy ports if so
++ if cluster.is_clustered():
++ relation_data["auth_host"] = config['vip']
++ relation_data["service_host"] = config['vip']
++ else:
++ relation_data["auth_host"] = config['hostname']
++ relation_data["service_host"] = config['hostname']
++ relation_data["auth_port"] = config['admin-port']
++ relation_data["service_port"] = config['service-port']
++ if config['https-service-endpoints'] in ['True', 'true']:
++ # Pass CA cert as client will need it to
++ # verify https connections
++ ca = get_ca(user=SSH_USER)
++ ca_bundle = ca.get_ca_bundle()
++ relation_data['https_keystone'] = 'True'
++ relation_data['ca_cert'] = b64encode(ca_bundle)
++ utils.relation_set(**relation_data)
  return
  ensure_valid_service(settings['service'])
++
  add_endpoint(region=settings['region'], service=settings['service'],
-- public_url=settings['public_url'],
-- admin_url=settings['admin_url'],
-- internal_url=settings['internal_url'])
++ publicurl=settings['public_url'],
++ adminurl=settings['admin_url'],
++ internalurl=settings['internal_url'])
  service_username = settings['service']
++ https_cn = urlparse.urlparse(settings['internal_url'])
++ https_cn = https_cn.hostname
  else:
  # assemble multiple endpoints from relation data. service name
  # should be prepended to setting name, ie:
@@ -171,13 +270,14 @@
  # }
  # }
  endpoints = {}
-- for k,v in settings.iteritems():
++ for k, v in settings.iteritems():
  ep = k.split('_')[0]
  x = '_'.join(k.split('_')[1:])
-- if ep not in endpoints:
++ if ep not in endpoints:
  endpoints[ep] = {}
  endpoints[ep][x] = v
  services = []
++ https_cn = None
  for ep in endpoints:
  # weed out any unrelated relation stuff Juju might have added
  # by ensuring each possible endpiont has appropriate fields
@@ -186,40 +286,39 @@
  ep = endpoints[ep]
  ensure_valid_service(ep['service'])
  add_endpoint(region=ep['region'], service=ep['service'],
-- public_url=ep['public_url'],
-- admin_url=ep['admin_url'],
-- internal_url=ep['internal_url'])
++ publicurl=ep['public_url'],
++ adminurl=ep['admin_url'],
++ internalurl=ep['internal_url'])
  services.append(ep['service'])
++ if not https_cn:
++ https_cn = urlparse.urlparse(ep['internal_url'])
++ https_cn = https_cn.hostname
  service_username = '_'.join(services)
-- if 'None' in [v for k,v in settings.iteritems()]:
++ if 'None' in [v for k, v in settings.iteritems()]:
  return
  if not service_username:
  return
  token = get_admin_token()
-- juju_log("Creating service credentials for '%s'" % service_username)
--
-- stored_passwd = '/var/lib/keystone/%s.passwd' % service_username
-- if os.path.isfile(stored_passwd):
-- juju_log("Loading stored service passwd from %s" % stored_passwd)
-- service_password = open(stored_passwd, 'r').readline().strip('\n')
-- else:
-- juju_log("Generating a new service password for %s" % service_username)
-- service_password = execute('pwgen -c 32 1', die=True)[0].strip()
-- open(stored_passwd, 'w+').writelines("%s\n" % service_password)
--
++ utils.juju_log('INFO',
++ "Creating service credentials for '%s'" % service_username)
++
++ service_password = get_service_password(service_username)
  create_user(service_username, service_password, config['service-tenant'])
-- grant_role(service_username, config['admin-role'], config['service-tenant'])
++ grant_role(service_username, config['admin-role'],
++ config['service-tenant'])
  # Allow the remote service to request creation of any additional roles.
-- # Currently used by Swift.
-- if 'requested_roles' in settings:
++ # Currently used by Swift and Ceilometer.
++ if 'requested_roles' in settings and settings['requested_roles'] != 'None':
  roles = settings['requested_roles'].split(',')
-- juju_log("Creating requested roles: %s" % roles)
++ utils.juju_log('INFO',
++ "Creating requested roles: %s" % roles)
  for role in roles:
-- create_role(role, user=config['admin-user'], tenant='admin')
++ create_role(role, service_username, config['service-tenant'])
++ grant_role(service_username, role, config['service-tenant'])
  # As of https://review.openstack.org/#change,4675, all nodes hosting
  # an endpoint(s) needs a service username and password assigned to
@@ -235,22 +334,193 @@
  "auth_port": config["admin-port"],
  "service_username": service_username,
  "service_password": service_password,
-- "service_tenant": config['service-tenant']
++ "service_tenant": config['service-tenant'],
++ "https_keystone": "False",
++ "ssl_cert": "",
++ "ssl_key": "",
++ "ca_cert": ""
+ }
-- relation_set(relation_data)
++
++ if relation_id:
++ relation_data['rid'] = relation_id
++
++ # Check if clustered and use vip + haproxy ports if so
++ if cluster.is_clustered():
++ relation_data["auth_host"] = config['vip']
++ relation_data["service_host"] = config['vip']
++
++ # generate or get a new cert/key for service if set to manage certs.
++ if config['https-service-endpoints'] in ['True', 'true']:
++ ca = get_ca(user=SSH_USER)
++ cert, key = ca.get_cert_and_key(common_name=https_cn)
++ ca_bundle = ca.get_ca_bundle()
++ relation_data['ssl_cert'] = b64encode(cert)
++ relation_data['ssl_key'] = b64encode(key)
++ relation_data['ca_cert'] = b64encode(ca_bundle)
++ relation_data['https_keystone'] = 'True'
++ unison.sync_to_peers(peer_interface='cluster',
++ paths=[SSL_DIR], user=SSH_USER, verbose=True)
++ utils.relation_set(**relation_data)
++ synchronize_service_credentials()
++
  def config_changed():
++ unison.ensure_user(user=SSH_USER, group='keystone')
++ execute("chmod -R g+wrx /var/lib/keystone/")
  # Determine whether or not we should do an upgrade, based on the
  # the version offered in keyston-release.
  available = get_os_codename_install_source(config['openstack-origin'])
  installed = get_os_codename_package('keystone')
-- if get_os_version_codename(available) > get_os_version_codename(installed):
-- do_openstack_upgrade(config['openstack-origin'], packages)
++ if (available and
++ get_os_version_codename(available) > \
++ get_os_version_codename(installed)):
++ # TODO: fixup this call to work like utils.install()
++ do_openstack_upgrade(config['openstack-origin'], ' '.join(packages))
++ # Ensure keystone group permissions
++ execute("chmod -R g+wrx /var/lib/keystone/")
++
++ env_vars = {'OPENSTACK_SERVICE_KEYSTONE': 'keystone',
++ 'OPENSTACK_PORT_ADMIN': cluster.determine_api_port(
++ config['admin-port']),
++ 'OPENSTACK_PORT_PUBLIC': cluster.determine_api_port(
++ config['service-port'])}
++ save_script_rc(**env_vars)
  set_admin_token(config['admin-token'])
-- ensure_initial_admin(config)
++
++ if cluster.eligible_leader(CLUSTER_RES):
++ utils.juju_log('INFO',
++ 'Cluster leader - ensuring endpoint configuration'
++ ' is up to date')
++ ensure_initial_admin(config)
++
++ update_config_block('logger_root', level=config['log-level'],
++ file='/etc/keystone/logging.conf')
++ if get_os_version_package('keystone') >= '2013.1':
++ # PKI introduced in Grizzly
++ configure_pki_tokens(config)
++
++ if config_dirty():
++ utils.restart('keystone')
++
++ if cluster.eligible_leader(CLUSTER_RES):
++ utils.juju_log('INFO',
++ 'Firing identity_changed hook'
++ ' for all related services.')
++ # HTTPS may have been set - so fire all identity relations
++ # again
++ for r_id in utils.relation_ids('identity-service'):
++ for unit in utils.relation_list(r_id):
++ identity_changed(relation_id=r_id,
++ remote_unit=unit)
++
++
++def upgrade_charm():
++ # Ensure all required packages are installed
++ utils.install(*packages)
++ cluster_changed()
++ if cluster.eligible_leader(CLUSTER_RES):
++ utils.juju_log('INFO',
++ 'Cluster leader - ensuring endpoint configuration'
++ ' is up to date')
++ ensure_initial_admin(config)
++
++
++def cluster_joined():
++ unison.ssh_authorized_peers(user=SSH_USER,
++ group='keystone',
++ peer_interface='cluster',
++ ensure_local_user=True)
++ update_config_block('DEFAULT',
++ public_port=cluster.determine_api_port(config["service-port"]))
++ update_config_block('DEFAULT',
++ admin_port=cluster.determine_api_port(config["admin-port"]))
++ if config_dirty():
++ utils.restart('keystone')
++ service_ports = {
++ "keystone_admin": [
++ cluster.determine_haproxy_port(config['admin-port']),
++ cluster.determine_api_port(config["admin-port"])
++ ],
++ "keystone_service": [
++ cluster.determine_haproxy_port(config['service-port']),
++ cluster.determine_api_port(config["service-port"])
++ ]
++ }
++ haproxy.configure_haproxy(service_ports)
++
++
++def cluster_changed():
++ unison.ssh_authorized_peers(user=SSH_USER,
++ group='keystone',
++ peer_interface='cluster',
++ ensure_local_user=True)
++ synchronize_service_credentials()
++ service_ports = {
++ "keystone_admin": [
++ cluster.determine_haproxy_port(config['admin-port']),
++ cluster.determine_api_port(config["admin-port"])
++ ],
++ "keystone_service": [
++ cluster.determine_haproxy_port(config['service-port']),
++ cluster.determine_api_port(config["service-port"])
++ ]
++ }
++ haproxy.configure_haproxy(service_ports)
++
++
++def ha_relation_changed():
++ relation_data = utils.relation_get_dict()
++ if ('clustered' in relation_data and
++ cluster.is_leader(CLUSTER_RES)):
++ utils.juju_log('INFO',
++ 'Cluster configured, notifying other services'
++ ' and updating keystone endpoint configuration')
++ # Update keystone endpoint to point at VIP
++ ensure_initial_admin(config)
++ # Tell all related services to start using
++ # the VIP and haproxy ports instead
++ for r_id in utils.relation_ids('identity-service'):
++ utils.relation_set(rid=r_id,
++ auth_host=config['vip'],
++ service_host=config['vip'])
++
++
++def ha_relation_joined():
++ # Obtain the config values necessary for the cluster config. These
++ # include multicast port and interface to bind to.
++ corosync_bindiface = config['ha-bindiface']
++ corosync_mcastport = config['ha-mcastport']
++ vip = config['vip']
++ vip_cidr = config['vip_cidr']
++ vip_iface = config['vip_iface']
++
++ # Obtain resources
++ resources = {
++ 'res_ks_vip': 'ocf:heartbeat:IPaddr2',
++ 'res_ks_haproxy': 'lsb:haproxy'
++ }
++ resource_params = {
++ 'res_ks_vip': 'params ip="%s" cidr_netmask="%s" nic="%s"' % \
++ (vip, vip_cidr, vip_iface),
++ 'res_ks_haproxy': 'op monitor interval="5s"'
++ }
++ init_services = {
++ 'res_ks_haproxy': 'haproxy'
++ }
++ clones = {
++ 'cl_ks_haproxy': 'res_ks_haproxy'
++ }
++
++ utils.relation_set(init_services=init_services,
++ corosync_bindiface=corosync_bindiface,
++ corosync_mcastport=corosync_mcastport,
++ resources=resources,
++ resource_params=resource_params,
++ clones=clones)
++
  hooks = {
  "install": install_hook,
@@ -258,12 +528,13 @@
  "shared-db-relation-changed": db_changed,
  "identity-service-relation-joined": identity_joined,
  "identity-service-relation-changed": identity_changed,
-- "config-changed": config_changed
++ "config-changed": config_changed,
++ "cluster-relation-joined": cluster_joined,
++ "cluster-relation-changed": cluster_changed,
++ "cluster-relation-departed": cluster_changed,
++ "ha-relation-joined": ha_relation_joined,
++ "ha-relation-changed": ha_relation_changed,
++ "upgrade-charm": upgrade_charm
+ }
--# keystone-hooks gets called by symlink corresponding to the requested relation
--# hook.
--arg0 = sys.argv[0].split("/").pop()
--if arg0 not in hooks.keys():
-- error_out("Unsupported hook: %s" % arg0)
--hooks[arg0]()
++utils.do_hooks(hooks)
 === added file 'hooks/keystone_ssl.py'
 --- hooks/keystone_ssl.py	1970-01-01 00:00:00 +0000
 +++ hooks/keystone_ssl.py	2013-05-29 18:13:26 +0000
@@ -0,0 +1,301 @@
++#!/usr/bin/python
++
++import os
++import shutil
++import subprocess
++import tarfile
++import tempfile
++
++CA_EXPIRY = '365'
++ORG_NAME = 'Ubuntu'
++ORG_UNIT = 'Ubuntu Cloud'
++CA_BUNDLE = '/usr/local/share/ca-certificates/juju_ca_cert.crt'
++
++CA_CONFIG = """
++[ ca ]
++default_ca = CA_default
++
++[ CA_default ]
++dir = %(ca_dir)s
++policy = policy_match
++database = $dir/index.txt
++serial = $dir/serial
++certs = $dir/certs
++crl_dir = $dir/crl
++new_certs_dir = $dir/newcerts
++certificate = $dir/cacert.pem
++private_key = $dir/private/cacert.key
++RANDFILE = $dir/private/.rand
++default_md = default
++
++[ req ]
++default_bits = 1024
++default_md = sha1
++
++prompt = no
++distinguished_name = ca_distinguished_name
++
++x509_extensions = ca_extensions
++
++[ ca_distinguished_name ]
++organizationName = %(org_name)s
++organizationalUnitName = %(org_unit_name)s Certificate Authority
++commonName = %(common_name)s
++
++[ policy_match ]
++countryName = optional
++stateOrProvinceName = optional
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++
++[ ca_extensions ]
++basicConstraints = critical,CA:true
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always, issuer
++keyUsage = cRLSign, keyCertSign
++"""
++
++SIGNING_CONFIG = """
++[ ca ]
++default_ca = CA_default
++
++[ CA_default ]
++dir = %(ca_dir)s
++policy = policy_match
++database = $dir/index.txt
++serial = $dir/serial
++certs = $dir/certs
++crl_dir = $dir/crl
++new_certs_dir = $dir/newcerts
++certificate = $dir/cacert.pem
++private_key = $dir/private/cacert.key
++RANDFILE = $dir/private/.rand
++default_md = default
++
++[ req ]
++default_bits = 1024
++default_md = sha1
++
++prompt = no
++distinguished_name = req_distinguished_name
++
++x509_extensions = req_extensions
++
++[ req_distinguished_name ]
++organizationName = %(org_name)s
++organizationalUnitName = %(org_unit_name)s Server Farm
++
++[ policy_match ]
++countryName = optional
++stateOrProvinceName = optional
++organizationName = match
++organizationalUnitName = optional
++commonName = supplied
++
++[ req_extensions ]
++basicConstraints = CA:false
++subjectKeyIdentifier = hash
++authorityKeyIdentifier = keyid:always, issuer
++keyUsage = digitalSignature, keyEncipherment, keyAgreement
++extendedKeyUsage = serverAuth, clientAuth
++"""
++
++
++def init_ca(ca_dir, common_name, org_name=ORG_NAME, org_unit_name=ORG_UNIT):
++ print 'Ensuring certificate authority exists at %s.' % ca_dir
++ if not os.path.exists(ca_dir):
++ print 'Initializing new certificate authority at %s' % ca_dir
++ os.mkdir(ca_dir)
++
++ for i in ['certs', 'crl', 'newcerts', 'private']:
++ d = os.path.join(ca_dir, i)
++ if not os.path.exists(d):
++ print 'Creating %s.' % d
++ os.mkdir(d)
++ os.chmod(os.path.join(ca_dir, 'private'), 0710)
++
++ if not os.path.isfile(os.path.join(ca_dir, 'serial')):
++ with open(os.path.join(ca_dir, 'serial'), 'wb') as out:
++ out.write('01\n')
++
++ if not os.path.isfile(os.path.join(ca_dir, 'index.txt')):
++ with open(os.path.join(ca_dir, 'index.txt'), 'wb') as out:
++ out.write('')
++ if not os.path.isfile(os.path.join(ca_dir, 'ca.cnf')):
++ print 'Creating new CA config in %s' % ca_dir
++ with open(os.path.join(ca_dir, 'ca.cnf'), 'wb') as out:
++ out.write(CA_CONFIG % locals())
++
++
++def root_ca_crt_key(ca_dir):
++ init = False
++ crt = os.path.join(ca_dir, 'cacert.pem')
++ key = os.path.join(ca_dir, 'private', 'cacert.key')
++ for f in [crt, key]:
++ if not os.path.isfile(f):
++ print 'Missing %s, will re-initialize cert+key.' % f
++ init = True
++ else:
++ print 'Found %s.' % f
++ if init:
++ cmd = ['openssl', 'req', '-config', os.path.join(ca_dir, 'ca.cnf'),
++ '-x509', '-nodes', '-newkey', 'rsa', '-days', '21360',
++ '-keyout', key, '-out', crt, '-outform', 'PEM']
++ subprocess.check_call(cmd)
++ return crt, key
++
++
++def intermediate_ca_csr_key(ca_dir):
++ print 'Creating new intermediate CSR.'
++ key = os.path.join(ca_dir, 'private', 'cacert.key')
++ csr = os.path.join(ca_dir, 'cacert.csr')
++ cmd = ['openssl', 'req', '-config', os.path.join(ca_dir, 'ca.cnf'),
++ '-sha1', '-newkey', 'rsa', '-nodes', '-keyout', key, '-out',
++ csr, '-outform',
++ 'PEM']
++ subprocess.check_call(cmd)
++ return csr, key
++
++
++def sign_int_csr(ca_dir, csr, common_name):
++ print 'Signing certificate request %s.' % csr
++ crt = os.path.join(ca_dir, 'certs',
++ '%s.crt' % os.path.basename(csr).split('.')[0])
++ subj = '/O=%s/OU=%s/CN=%s' % (ORG_NAME, ORG_UNIT, common_name)
++ cmd = ['openssl', 'ca', '-batch', '-config',
++ os.path.join(ca_dir, 'ca.cnf'),
++ '-extensions', 'ca_extensions', '-days', CA_EXPIRY, '-notext',
++ '-in', csr, '-out', crt, '-subj', subj, '-batch']
++ print ' '.join(cmd)
++ subprocess.check_call(cmd)
++ return crt
++
++
++def init_root_ca(ca_dir, common_name):
++ init_ca(ca_dir, common_name)
++ return root_ca_crt_key(ca_dir)
++
++
++def init_intermediate_ca(ca_dir, common_name, root_ca_dir,
++ org_name=ORG_NAME, org_unit_name=ORG_UNIT):
++ init_ca(ca_dir, common_name)
++ if not os.path.isfile(os.path.join(ca_dir, 'cacert.pem')):
++ csr, key = intermediate_ca_csr_key(ca_dir)
++ crt = sign_int_csr(root_ca_dir, csr, common_name)
++ shutil.copy(crt, os.path.join(ca_dir, 'cacert.pem'))
++ else:
++ print 'Intermediate CA certificate already exists.'
++
++ if not os.path.isfile(os.path.join(ca_dir, 'signing.cnf')):
++ print 'Creating new signing config in %s' % ca_dir
++ with open(os.path.join(ca_dir, 'signing.cnf'), 'wb') as out:
++ out.write(SIGNING_CONFIG % locals())
++
++
++def create_certificate(ca_dir, service):
++ common_name = service
++ subj = '/O=%s/OU=%s/CN=%s' % (ORG_NAME, ORG_UNIT, common_name)
++ csr = os.path.join(ca_dir, 'certs', '%s.csr' % service)
++ key = os.path.join(ca_dir, 'certs', '%s.key' % service)
++ cmd = ['openssl', 'req', '-sha1', '-newkey', 'rsa', '-nodes', '-keyout',
++ key, '-out', csr, '-subj', subj]
++ subprocess.check_call(cmd)
++ crt = sign_int_csr(ca_dir, csr, common_name)
++ print 'Signed new CSR, crt @ %s' % crt
++ return
++
++
++def update_bundle(bundle_file, new_bundle):
++ return
++ if os.path.isfile(bundle_file):
++ current = open(bundle_file, 'r').read().strip()
++ if new_bundle == current:
++ print 'CA Bundle @ %s is up to date.' % bundle_file
++ return
++ else:
++ print 'Updating CA bundle @ %s.' % bundle_file
++
++ with open(bundle_file, 'wb') as out:
++ out.write(new_bundle)
++ subprocess.check_call(['update-ca-certificates'])
++
++
++def tar_directory(path):
++ cwd = os.getcwd()
++ parent = os.path.dirname(path)
++ directory = os.path.basename(path)
++ tmp = tempfile.TemporaryFile()
++ os.chdir(parent)
++ tarball = tarfile.TarFile(fileobj=tmp, mode='w')
++ tarball.add(directory)
++ tarball.close()
++ tmp.seek(0)
++ out = tmp.read()
++ tmp.close()
++ os.chdir(cwd)
++ return out
++
++
++class JujuCA(object):
++ def __init__(self, name, ca_dir, root_ca_dir, user, group):
++ root_crt, root_key = init_root_ca(root_ca_dir,
++ '%s Certificate Authority' % name)
++ init_intermediate_ca(ca_dir,
++ '%s Intermediate Certificate Authority' % name,
++ root_ca_dir)
++ cmd = ['chown', '-R', '%s.%s' % (user, group), ca_dir]
++ subprocess.check_call(cmd)
++ cmd = ['chown', '-R', '%s.%s' % (user, group), root_ca_dir]
++ subprocess.check_call(cmd)
++ self.ca_dir = ca_dir
++ self.root_ca_dir = root_ca_dir
++ self.user = user
++ self.group = group
++ update_bundle(CA_BUNDLE, self.get_ca_bundle())
++
++ def _sign_csr(self, csr, service, common_name):
++ subj = '/O=%s/OU=%s/CN=%s' % (ORG_NAME, ORG_UNIT, common_name)
++ crt = os.path.join(self.ca_dir, 'certs', '%s.crt' % common_name)
++ cmd = ['openssl', 'ca', '-config',
++ os.path.join(self.ca_dir, 'signing.cnf'), '-extensions',
++ 'req_extensions', '-days', '365', '-notext', '-in', csr,
++ '-out', crt, '-batch', '-subj', subj]
++ subprocess.check_call(cmd)
++ return crt
++
++ def _create_certificate(self, service, common_name):
++ subj = '/O=%s/OU=%s/CN=%s' % (ORG_NAME, ORG_UNIT, common_name)
++ csr = os.path.join(self.ca_dir, 'certs', '%s.csr' % service)
++ key = os.path.join(self.ca_dir, 'certs', '%s.key' % service)
++ cmd = ['openssl', 'req', '-sha1', '-newkey', 'rsa', '-nodes',
++ '-keyout', key, '-out', csr, '-subj', subj]
++ subprocess.check_call(cmd)
++ crt = self._sign_csr(csr, service, common_name)
++ cmd = ['chown', '-R', '%s.%s' % (self.user, self.group), self.ca_dir]
++ subprocess.check_call(cmd)
++ print 'Signed new CSR, crt @ %s' % crt
++ return crt, key
++
++ def get_cert_and_key(self, common_name):
++ print 'Getting certificate and key for %s.' % common_name
++ key = os.path.join(self.ca_dir, 'certs', '%s.key' % common_name)
++ crt = os.path.join(self.ca_dir, 'certs', '%s.crt' % common_name)
++ if os.path.isfile(crt):
++ print 'Found existing certificate for %s.' % common_name
++ crt = open(crt, 'r').read()
++ try:
++ key = open(key, 'r').read()
++ except:
++ print 'Could not load ssl private key for %s from %s' %\
++ (common_name, key)
++ exit(1)
++ return crt, key
++ crt, key = self._create_certificate(common_name, common_name)
++ return open(crt, 'r').read(), open(key, 'r').read()
++
++ def get_ca_bundle(self):
++ int_cert = open(os.path.join(self.ca_dir, 'cacert.pem')).read()
++ root_cert = open(os.path.join(self.root_ca_dir, 'cacert.pem')).read()
++ # NOTE: ordering of certs in bundle matters!
++ return int_cert + root_cert
 === renamed file 'hooks/utils.py' => 'hooks/keystone_utils.py'
 --- hooks/utils.py	2012-12-12 03:52:41 +0000
 +++ hooks/keystone_utils.py	2013-05-29 18:13:26 +0000
@@ -1,18 +1,37 @@
  #!/usr/bin/python
--import subprocess
++import ConfigParser
  import sys
  import json
++import time
++import subprocess
  import os
--import time
--
--from lib.openstack_common import *
++
++from lib.openstack_common import(
++ get_os_codename_install_source,
++ get_os_codename_package,
++ error_out,
++ configure_installation_source
++ )
++
++import keystone_ssl as ssl
++import lib.unison as unison
++import lib.utils as utils
++import lib.cluster_utils as cluster
++
  keystone_conf = "/etc/keystone/keystone.conf"
  stored_passwd = "/var/lib/keystone/keystone.passwd"
  stored_token = "/var/lib/keystone/keystone.token"
++SERVICE_PASSWD_PATH = '/var/lib/keystone/services.passwd'
++
++SSL_DIR = '/var/lib/keystone/juju_ssl/'
++SSL_CA_NAME = 'Ubuntu Cloud'
++CLUSTER_RES = 'res_ks_vip'
++SSH_USER = 'juju_keystone'
++
  def execute(cmd, die=False, echo=False):
-- """ Executes a command
++ """ Executes a command
  if die=True, script will exit(1) if command does not return 0
  if echo=True, output of command will be printed to stdout
@@ -23,8 +42,8 @@
  stdout=subprocess.PIPE,
  stdin=subprocess.PIPE,
  stderr=subprocess.PIPE)
-- stdout=""
-- stderr=""
++ stdout = ""
++ stderr = ""
  def print_line(l):
  if echo:
@@ -47,7 +66,7 @@
  def config_get():
-- """ Obtain the units config via 'config-get'
++ """ Obtain the units config via 'config-get'
  Returns a dict representing current config.
  private-address and IP of the unit is also tacked on for
  convienence
@@ -56,75 +75,38 @@
  config = json.loads(output)
  # make sure no config element is blank after config-get
  for c in config.keys():
-- if not config[c]:
++ if not config[c]:
  error_out("ERROR: Config option has no paramter: %s" % c)
  # tack on our private address and ip
-- hostname = execute("unit-get private-address")[0].strip()
-- config["hostname"] = execute("unit-get private-address")[0].strip()
++ config["hostname"] = utils.unit_get('private-address')
  return config
--def relation_ids(relation_name=None):
-- j = execute('relation-ids --format=json %s' % relation_name)[0]
-- return json.loads(j)
--
--def relation_list(relation_id=None):
-- cmd = 'relation-list --format=json'
-- if relation_id:
-- cmd += ' -r %s' % relation_id
-- j = execute(cmd)[0]
-- return json.loads(j)
--
--def relation_set(relation_data):
-- """ calls relation-set for all key=values in dict """
-- for k in relation_data:
-- execute("relation-set %s=%s" % (k, relation_data[k]), die=True)
--
--def relation_get(relation_data):
-- """ Obtain all current relation data
-- relation_data is a list of options to query from the relation
-- Returns a k,v dict of the results.
-- Leave empty responses out of the results as they haven't yet been
-- set on the other end.
-- Caller can then "len(results.keys()) == len(relation_data)" to find out if
-- all relation values have been set on the other side
-- """
-- results = {}
-- for r in relation_data:
-- result = execute("relation-get %s" % r, die=True)[0].strip('\n')
-- if result != "":
-- results[r] = result
-- return results
--
--def relation_get_dict(relation_id=None, remote_unit=None):
-- """Obtain all relation data as dict by way of JSON"""
-- cmd = 'relation-get --format=json'
-- if relation_id:
-- cmd += ' -r %s' % relation_id
-- if remote_unit:
-- remote_unit_orig = os.getenv('JUJU_REMOTE_UNIT', None)
-- os.environ['JUJU_REMOTE_UNIT'] = remote_unit
-- j = execute(cmd, die=True)[0]
-- if remote_unit and remote_unit_orig:
-- os.environ['JUJU_REMOTE_UNIT'] = remote_unit_orig
-- d = json.loads(j)
-- settings = {}
-- # convert unicode to strings
-- for k, v in d.iteritems():
-- settings[str(k)] = str(v)
-- return settings
++
++@utils.cached
++def get_local_endpoint():
++ """ Returns the URL for the local end-point bypassing haproxy/ssl """
++ local_endpoint = 'http://localhost:{}/v2.0/'.format(
++ cluster.determine_api_port(utils.config_get('admin-port'))
++ )
++ return local_endpoint
++
  def set_admin_token(admin_token):
  """Set admin token according to deployment config or use a randomly
  generated token if none is specified (default).
  """
  if admin_token != 'None':
-- juju_log('Configuring Keystone to use a pre-configured admin token.')
++ utils.juju_log('INFO',
++ 'Configuring Keystone to use'
++ ' a pre-configured admin token.')
  token = admin_token
  else:
-- juju_log('Configuring Keystone to use a random admin token.')
++ utils.juju_log('INFO',
++ 'Configuring Keystone to use a random admin token.')
  if os.path.isfile(stored_token):
-- msg = 'Loading a previously generated admin token from %s' % stored_token
-- juju_log(msg)
++ msg = 'Loading a previously generated' \
++ ' admin token from %s' % stored_token
++ utils.juju_log('INFO', msg)
  f = open(stored_token, 'r')
  token = f.read().strip()
  f.close()
@@ -135,174 +117,130 @@
  out.close()
  update_config_block('DEFAULT', admin_token=token)
++
  def get_admin_token():
  """Temporary utility to grab the admin token as configured in
  keystone.conf
  """
-- f = open(keystone_conf, 'r+')
-- for l in open(keystone_conf, 'r+').readlines():
-- if l.split(' ')[0] == 'admin_token':
-- try:
-- return l.split('=')[1].strip()
-- except:
-- error_out('Could not parse admin_token line from %s' %
-- keystone_conf)
++ with open(keystone_conf, 'r') as f:
++ for l in f.readlines():
++ if l.split(' ')[0] == 'admin_token':
++ try:
++ return l.split('=')[1].strip()
++ except:
++ error_out('Could not parse admin_token line from %s' %
++ keystone_conf)
  error_out('Could not find admin_token line in %s' % keystone_conf)
--def update_config_block(block, **kwargs):
++
++# Track all updated config settings.
++_config_dirty = [False]
++
++def config_dirty():
++ return True in _config_dirty
++
++def update_config_block(section, **kwargs):
  """ Updates keystone.conf blocks given kwargs.
-- Can be used to update driver settings for a particular backend,
-- setting the sql connection, etc.
--
-- Parses block heading as '[block]'
--
-- If block does not exist, a new block will be created at end of file with
-- given kwargs
-- """
-- f = open(keystone_conf, "r+")
-- orig = f.readlines()
-- new = []
-- found_block = ""
-- heading = "[%s]\n" % block
--
-- lines = len(orig)
-- ln = 0
--
-- def update_block(block):
-- for k, v in kwargs.iteritems():
-- for l in block:
-- if l.strip().split(" ")[0] == k:
-- block[block.index(l)] = "%s = %s\n" % (k, v)
-- return
-- block.append('%s = %s\n' % (k, v))
-- block.append('\n')
--
-- try:
-- found = False
-- while ln < lines:
-- if orig[ln] != heading:
-- new.append(orig[ln])
-- ln += 1
-- else:
-- new.append(orig[ln])
-- ln += 1
-- block = []
-- while orig[ln].strip() != '':
-- block.append(orig[ln])
-- ln += 1
-- update_block(block)
-- new += block
-- found = True
--
-- if not found:
-- if new[(len(new) - 1)].strip() != '':
-- new.append('\n')
-- new.append('%s' % heading)
-- for k, v in kwargs.iteritems():
-- new.append('%s = %s\n' % (k, v))
-- new.append('\n')
-- except:
-- error_out('Error while attempting to update config block. '\
-- 'Refusing to overwite existing config.')
--
-- return
--
-- # backup original config
-- backup = open(keystone_conf + '.juju-back', 'w+')
-- for l in orig:
-- backup.write(l)
-- backup.close()
--
-- # update config
-- f.seek(0)
-- f.truncate()
-- for l in new:
-- f.write(l)
--
--
--def keystone_conf_update(opt, val):
-- """ Updates keystone.conf values
-- If option exists, it is reset to new value
-- If it does not, it added to the top of the config file after the [DEFAULT]
-- heading to keep it out of the paste deploy config
-- """
-- f = open(keystone_conf, "r+")
-- orig = f.readlines()
-- new = ""
-- found = False
-- for l in orig:
-- if l.split(' ')[0] == opt:
-- juju_log("Updating %s, setting %s = %s" % (keystone_conf, opt, val))
-- new += "%s = %s\n" % (opt, val)
-- found = True
-- else:
-- new += l
-- new = new.split('\n')
-- # insert a new value at the top of the file, after the 'DEFAULT' header so
-- # as not to muck up paste deploy configuration later in the file
-- if not found:
-- juju_log("Adding new config option %s = %s" % (opt, val))
-- header = new.index("[DEFAULT]")
-- new.insert((header+1), "%s = %s" % (opt, val))
-- f.seek(0)
-- f.truncate()
-- for l in new:
-- f.write("%s\n" % l)
-- f.close
++ Update a config setting in a specific setting of a config
++ file (/etc/keystone/keystone.conf, by default)
++ """
++ if 'file' in kwargs:
++ conf_file = kwargs['file']
++ del kwargs['file']
++ else:
++ conf_file = keystone_conf
++ config = ConfigParser.RawConfigParser()
++ config.read(conf_file)
++
++ if section != 'DEFAULT' and not config.has_section(section):
++ config.add_section(section)
++ _config_dirty[0] = True
++
++ for k, v in kwargs.iteritems():
++ try:
++ cur = config.get(section, k)
++ if cur != v:
++ _config_dirty[0] = True
++ except (ConfigParser.NoSectionError,
++ ConfigParser.NoOptionError):
++ _config_dirty[0] = True
++ config.set(section, k, v)
++ with open(conf_file, 'wb') as out:
++ config.write(out)
++
  def create_service_entry(service_name, service_type, service_desc, owner=None):
  """ Add a new service entry to keystone if one does not already exist """
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
  for service in [s._info for s in manager.api.services.list()]:
  if service['name'] == service_name:
-- juju_log("Service entry for '%s' already exists." % service_name)
++ utils.juju_log('INFO',
++ "Service entry for '%s' already exists." % \
++ service_name)
  return
  manager.api.services.create(name=service_name,
  service_type=service_type,
  description=service_desc)
-- juju_log("Created new service entry '%s'" % service_name)
--
--def create_endpoint_template(region, service, public_url, admin_url,
-- internal_url):
++ utils.juju_log('INFO', "Created new service entry '%s'" % service_name)
++
++
++def create_endpoint_template(region, service, publicurl, adminurl,
++ internalurl):
  """ Create a new endpoint template for service if one does not already
  exist matching name *and* region """
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
  service_id = manager.resolve_service_id(service)
  for ep in [e._info for e in manager.api.endpoints.list()]:
  if ep['service_id'] == service_id and ep['region'] == region:
-- juju_log("Endpoint template already exists for '%s' in '%s'"
-- % (service, region))
-- return
++ utils.juju_log('INFO',
++ "Endpoint template already exists for '%s' in '%s'"
++ % (service, region))
++
++ up_to_date = True
++ for k in ['publicurl', 'adminurl', 'internalurl']:
++ if ep[k] != locals()[k]:
++ up_to_date = False
++
++ if up_to_date:
++ return
++ else:
++ # delete endpoint and recreate if endpoint urls need updating.
++ utils.juju_log('INFO',
++ "Updating endpoint template with"
++ " new endpoint urls.")
++ manager.api.endpoints.delete(ep['id'])
  manager.api.endpoints.create(region=region,
  service_id=service_id,
-- publicurl=public_url,
-- adminurl=admin_url,
-- internalurl=internal_url)
-- juju_log("Created new endpoint template for '%s' in '%s'" %
-- (region, service))
++ publicurl=publicurl,
++ adminurl=adminurl,
++ internalurl=internalurl)
++ utils.juju_log('INFO', "Created new endpoint template for '%s' in '%s'" %
++ (region, service))
++
  def create_tenant(name):
  """ creates a tenant if it does not already exist """
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
  tenants = [t._info for t in manager.api.tenants.list()]
  if not tenants or name not in [t['name'] for t in tenants]:
  manager.api.tenants.create(tenant_name=name,
  description='Created by Juju')
-- juju_log("Created new tenant: %s" % name)
++ utils.juju_log('INFO', "Created new tenant: %s" % name)
  return
-- juju_log("Tenant '%s' already exists." % name)
++ utils.juju_log('INFO', "Tenant '%s' already exists." % name)
++
  def create_user(name, password, tenant):
  """ creates a user if it doesn't already exist, as a member of tenant """
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
  users = [u._info for u in manager.api.users.list()]
  if not users or name not in [u['name'] for u in users]:
@@ -313,21 +251,23 @@
  password=password,
  email='juju@localhost',
  tenant_id=tenant_id)
-- juju_log("Created new user '%s' tenant: %s" % (name, tenant_id))
++ utils.juju_log('INFO', "Created new user '%s' tenant: %s" % \
++ (name, tenant_id))
  return
-- juju_log("A user named '%s' already exists" % name)
++ utils.juju_log('INFO', "A user named '%s' already exists" % name)
++
  def create_role(name, user=None, tenant=None):
  """ creates a role if it doesn't already exist. grants role to user """
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
  roles = [r._info for r in manager.api.roles.list()]
  if not roles or name not in [r['name'] for r in roles]:
  manager.api.roles.create(name=name)
-- juju_log("Created new role '%s'" % name)
++ utils.juju_log('INFO', "Created new role '%s'" % name)
  else:
-- juju_log("A role named '%s' already exists" % name)
++ utils.juju_log('INFO', "A role named '%s' already exists" % name)
  if not user and not tenant:
  return
@@ -338,49 +278,55 @@
  tenant_id = manager.resolve_tenant_id(tenant)
  if None in [user_id, role_id, tenant_id]:
-- error_out("Could not resolve [user_id, role_id, tenant_id]" %
-- [user_id, role_id, tenant_id])
++ error_out("Could not resolve [%s, %s, %s]" %
++ (user_id, role_id, tenant_id))
  grant_role(user, name, tenant)
++
  def grant_role(user, role, tenant):
  """grant user+tenant a specific role"""
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
-- juju_log("Granting user '%s' role '%s' on tenant '%s'" %\
-- (user, role, tenant))
++ utils.juju_log('INFO', "Granting user '%s' role '%s' on tenant '%s'" % \
++ (user, role, tenant))
  user_id = manager.resolve_user_id(user)
  role_id = manager.resolve_role_id(role)
  tenant_id = manager.resolve_tenant_id(tenant)
-- cur_roles = manager.api.roles.roles_for_user(user_id, tenant_id)
++ cur_roles = manager.api.roles.roles_for_user(user_id, tenant_id)
  if not cur_roles or role_id not in [r.id for r in cur_roles]:
  manager.api.roles.add_user_role(user=user_id,
  role=role_id,
  tenant=tenant_id)
-- juju_log("Granted user '%s' role '%s' on tenant '%s'" %\
-- (user, role, tenant))
++ utils.juju_log('INFO', "Granted user '%s' role '%s' on tenant '%s'" % \
++ (user, role, tenant))
  else:
-- juju_log("User '%s' already has role '%s' on tenant '%s'" %\
-- (user, role, tenant))
++ utils.juju_log('INFO',
++ "User '%s' already has role '%s' on tenant '%s'" % \
++ (user, role, tenant))
++
  def generate_admin_token(config):
  """ generate and add an admin token """
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token='ADMIN')
  if config["admin-token"] == "None":
  import random
  token = random.randrange(1000000000000, 9999999999999)
  else:
  return config["admin-token"]
-- manager.api.add_token(token, config["admin-user"], "admin", config["token-expiry"])
-- juju_log("Generated and added new random admin token.")
++ manager.api.add_token(token, config["admin-user"],
++ "admin", config["token-expiry"])
++ utils.juju_log('INFO', "Generated and added new random admin token.")
  return token
++
  def ensure_initial_admin(config):
-- """ Ensures the minimum admin stuff exists in whatever database we're using.
++ """ Ensures the minimum admin stuff exists in whatever database we're
++ using.
  This and the helper functions it calls are meant to be idempotent and
  run during install as well as during db-changed. This will maintain
  the admin tenant, user, role, service entry and endpoint across every
@@ -395,10 +341,11 @@
  if config["admin-password"] != "None":
  passwd = config["admin-password"]
  elif os.path.isfile(stored_passwd):
-- juju_log("Loading stored passwd from %s" % stored_passwd)
++ utils.juju_log('INFO', "Loading stored passwd from %s" % stored_passwd)
  passwd = open(stored_passwd, 'r').readline().strip('\n')
  if passwd == "":
-- juju_log("Generating new passwd for user: %s" % config["admin-user"])
++ utils.juju_log('INFO', "Generating new passwd for user: %s" % \
++ config["admin-user"])
  passwd = execute("pwgen -c 16 1", die=True)[0]
  open(stored_passwd, 'w+').writelines("%s\n" % passwd)
@@ -409,26 +356,82 @@
  create_role("KeystoneAdmin", config["admin-user"], 'admin')
  create_role("KeystoneServiceAdmin", config["admin-user"], 'admin')
  create_service_entry("keystone", "identity", "Keystone Identity Service")
-- # following documentation here, perhaps we should be using juju
-- # public/private addresses for public/internal urls.
-- public_url = "http://%s:%s/v2.0" % (config["hostname"], config["service-port"])
-- admin_url = "http://%s:%s/v2.0" % (config["hostname"], config["admin-port"])
-- internal_url = "http://%s:%s/v2.0" % (config["hostname"], config["service-port"])
-- create_endpoint_template("RegionOne", "keystone", public_url,
++
++ if cluster.is_clustered():
++ utils.juju_log('INFO', "Creating endpoint for clustered configuration")
++ service_host = auth_host = config["vip"]
++ else:
++ utils.juju_log('INFO', "Creating standard endpoint")
++ service_host = auth_host = config["hostname"]
++
++ for region in config['region'].split():
++ create_keystone_endpoint(service_host=service_host,
++ service_port=config["service-port"],
++ auth_host=auth_host,
++ auth_port=config["admin-port"],
++ region=region)
++
++
++def create_keystone_endpoint(service_host, service_port,
++ auth_host, auth_port, region):
++ public_url = "http://%s:%s/v2.0" % (service_host, service_port)
++ admin_url = "http://%s:%s/v2.0" % (auth_host, auth_port)
++ internal_url = "http://%s:%s/v2.0" % (service_host, service_port)
++ create_endpoint_template(region, "keystone", public_url,
  admin_url, internal_url)
++
  def update_user_password(username, password):
  import manager
-- manager = manager.KeystoneManager(endpoint='http://localhost:35357/v2.0/',
++ manager = manager.KeystoneManager(endpoint=get_local_endpoint(),
  token=get_admin_token())
-- juju_log("Updating password for user '%s'" % username)
++ utils.juju_log('INFO', "Updating password for user '%s'" % username)
  user_id = manager.resolve_user_id(username)
  if user_id is None:
  error_out("Could not resolve user id for '%s'" % username)
  manager.api.users.update_password(user=user_id, password=password)
-- juju_log("Successfully updated password for user '%s'" % username)
++ utils.juju_log('INFO', "Successfully updated password for user '%s'" % \
++ username)
++
++
++def load_stored_passwords(path=SERVICE_PASSWD_PATH):
++ creds = {}
++ if not os.path.isfile(path):
++ return creds
++
++ stored_passwd = open(path, 'r')
++ for l in stored_passwd.readlines():
++ user, passwd = l.strip().split(':')
++ creds[user] = passwd
++ return creds
++
++
++def save_stored_passwords(path=SERVICE_PASSWD_PATH, **creds):
++ with open(path, 'wb') as stored_passwd:
++ [stored_passwd.write('%s:%s\n' % (u, p)) for u, p in creds.iteritems()]
++
++
++def get_service_password(service_username):
++ creds = load_stored_passwords()
++ if service_username in creds:
++ return creds[service_username]
++
++ passwd = subprocess.check_output(['pwgen', '-c', '32', '1']).strip()
++ creds[service_username] = passwd
++ save_stored_passwords(**creds)
++
++ return passwd
++
++
++def configure_pki_tokens(config):
++ '''Configure PKI token signing, if enabled.'''
++ if config['enable-pki'] not in ['True', 'true']:
++ update_config_block('signing', token_format='UUID')
++ else:
++ utils.juju_log('INFO', 'TODO: PKI Support, setting to UUID for now.')
++ update_config_block('signing', token_format='UUID')
  def do_openstack_upgrade(install_src, packages):
@@ -438,10 +441,12 @@
  old_vers = get_os_codename_package('keystone')
  new_vers = get_os_codename_install_source(install_src)
-- juju_log("Beginning Keystone upgrade: %s -> %s" % (old_vers, new_vers))
++ utils.juju_log('INFO',
++ "Beginning Keystone upgrade: %s -> %s" % \
++ (old_vers, new_vers))
  # Backup previous config.
-- juju_log("Backing up contents of /etc/keystone.")
++ utils.juju_log('INFO', "Backing up contents of /etc/keystone.")
  stamp = time.strftime('%Y%m%d%H%M')
  cmd = 'tar -pcf /var/lib/juju/keystone-backup-%s.tar /etc/keystone' % stamp
  execute(cmd, die=True, echo=True)
@@ -458,15 +463,17 @@
  set_admin_token(config['admin-token'])
  # set the sql connection string if a shared-db relation is found.
-- ids = relation_ids(relation_name='shared-db')
++ ids = utils.relation_ids('shared-db')
  if ids:
-- for id in ids:
-- for unit in relation_list(id):
-- juju_log('Configuring new keystone.conf for datbase access '\
-- 'on existing database relation to %s' % unit)
-- relation_data = relation_get_dict(relation_id=id,
-- remote_unit=unit)
++ for rid in ids:
++ for unit in utils.relation_list(rid):
++ utils.juju_log('INFO',
++ 'Configuring new keystone.conf for '
++ 'database access on existing database'
++ ' relation to %s' % unit)
++ relation_data = utils.relation_get_dict(relation_id=rid,
++ remote_unit=unit)
  update_config_block('sql', connection="mysql://%s:%s@%s/%s" %
  (config["database-user"],
@@ -474,9 +481,64 @@
  relation_data["private-address"],
  config["database"]))
-- juju_log('Running database migrations for %s' % new_vers)
-- execute('service keystone stop', echo=True)
-- execute('keystone-manage db_sync', echo=True, die=True)
-- execute('service keystone start', echo=True)
++ utils.stop('keystone')
++ if (cluster.eligible_leader(CLUSTER_RES)):
++ utils.juju_log('INFO',
++ 'Running database migrations for %s' % new_vers)
++ execute('keystone-manage db_sync', echo=True, die=True)
++ else:
++ utils.juju_log('INFO',
++ 'Not cluster leader; snoozing whilst'
++ ' leader upgrades DB')
++ time.sleep(10)
++ utils.start('keystone')
  time.sleep(5)
-- juju_log('Completed Keystone upgrade: %s -> %s' % (old_vers, new_vers))
++ utils.juju_log('INFO',
++ 'Completed Keystone upgrade: '
++ '%s -> %s' % (old_vers, new_vers))
++
++
++def synchronize_service_credentials():
++ '''
++ Broadcast service credentials to peers or consume those that have been
++ broadcasted by peer, depending on hook context.
++ '''
++ if (not cluster.eligible_leader(CLUSTER_RES) or
++ not os.path.isfile(SERVICE_PASSWD_PATH)):
++ return
++ utils.juju_log('INFO', 'Synchronizing service passwords to all peers.')
++ unison.sync_to_peers(peer_interface='cluster',
++ paths=[SERVICE_PASSWD_PATH], user=SSH_USER,
++ verbose=True)
++
++CA = []
++
++
++def get_ca(user='keystone', group='keystone'):
++ """
++ Initialize a new CA object if one hasn't already been loaded.
++ This will create a new CA or load an existing one.
++ """
++ if not CA:
++ if not os.path.isdir(SSL_DIR):
++ os.mkdir(SSL_DIR)
++ d_name = '_'.join(SSL_CA_NAME.lower().split(' '))
++ ca = ssl.JujuCA(name=SSL_CA_NAME, user=user, group=group,
++ ca_dir=os.path.join(SSL_DIR,
++ '%s_intermediate_ca' % d_name),
++ root_ca_dir=os.path.join(SSL_DIR,
++ '%s_root_ca' % d_name))
++ # SSL_DIR is synchronized via all peers over unison+ssh, need
++ # to ensure permissions.
++ execute('chown -R %s.%s %s' % (user, group, SSL_DIR))
++ execute('chmod -R g+rwx %s' % SSL_DIR)
++ CA.append(ca)
++ return CA[0]
++
++
++def https():
++ if (utils.config_get('https-service-endpoints') in ["yes", "true", "True"]
++ or cluster.https()):
++ return True
++ else:
++ return False
 === added file 'hooks/lib/apache_utils.py'
 --- hooks/lib/apache_utils.py	1970-01-01 00:00:00 +0000
 +++ hooks/lib/apache_utils.py	2013-05-29 18:13:26 +0000
@@ -0,0 +1,196 @@
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++# James Page <james.page@ubuntu.com>
++# Adam Gandelman <adamg@ubuntu.com>
++#
++
++from lib.utils import (
++ relation_ids,
++ relation_list,
++ relation_get,
++ render_template,
++ juju_log,
++ config_get,
++ install,
++ get_host_ip,
++ restart
++ )
++from lib.cluster_utils import https
++
++import os
++import subprocess
++from base64 import b64decode
++
++APACHE_SITE_DIR = "/etc/apache2/sites-available"
++SITE_TEMPLATE = "apache2_site.tmpl"
++RELOAD_CHECK = "To activate the new configuration"
++
++
++def get_cert():
++ cert = config_get('ssl_cert')
++ key = config_get('ssl_key')
++ if not (cert and key):
++ juju_log('INFO',
++ "Inspecting identity-service relations for SSL certificate.")
++ cert = key = None
++ for r_id in relation_ids('identity-service'):
++ for unit in relation_list(r_id):
++ if not cert:
++ cert = relation_get('ssl_cert',
++ rid=r_id, unit=unit)
++ if not key:
++ key = relation_get('ssl_key',
++ rid=r_id, unit=unit)
++ return (cert, key)
++
++
++def get_ca_cert():
++ ca_cert = None
++ juju_log('INFO',
++ "Inspecting identity-service relations for CA SSL certificate.")
++ for r_id in relation_ids('identity-service'):
++ for unit in relation_list(r_id):
++ if not ca_cert:
++ ca_cert = relation_get('ca_cert',
++ rid=r_id, unit=unit)
++ return ca_cert
++
++
++def install_ca_cert(ca_cert):
++ if ca_cert:
++ with open('/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
++ 'w') as crt:
++ crt.write(ca_cert)
++ subprocess.check_call(['update-ca-certificates', '--fresh'])
++
++
++def enable_https(port_maps, namespace, cert, key, ca_cert=None):
++ '''
++ For a given number of port mappings, configures apache2
++ HTTPs local reverse proxying using certficates and keys provided in
++ either configuration data (preferred) or relation data. Assumes ports
++ are not in use (calling charm should ensure that).
++
++ port_maps: dict: external to internal port mappings
++ namespace: str: name of charm
++ '''
++ def _write_if_changed(path, new_content):
++ content = None
++ if os.path.exists(path):
++ with open(path, 'r') as f:
++ content = f.read().strip()
++ if content != new_content:
++ with open(path, 'w') as f:
++ f.write(new_content)
++ return True
++ else:
++ return False
++
++ juju_log('INFO', "Enabling HTTPS for port mappings: {}".format(port_maps))
++ http_restart = False
++
++ if cert:
++ cert = b64decode(cert)
++ if key:
++ key = b64decode(key)
++ if ca_cert:
++ ca_cert = b64decode(ca_cert)
++
++ if not cert and not key:
++ juju_log('ERROR',
++ "Expected but could not find SSL certificate data, not "
++ "configuring HTTPS!")
++ return False
++
++ install('apache2')
++ if RELOAD_CHECK in subprocess.check_output(['a2enmod', 'ssl',
++ 'proxy', 'proxy_http']):
++ http_restart = True
++
++ ssl_dir = os.path.join('/etc/apache2/ssl', namespace)
++ if not os.path.exists(ssl_dir):
++ os.makedirs(ssl_dir)
++
++ if (_write_if_changed(os.path.join(ssl_dir, 'cert'), cert)):
++ http_restart = True
++ if (_write_if_changed(os.path.join(ssl_dir, 'key'), key)):
++ http_restart = True
++ os.chmod(os.path.join(ssl_dir, 'key'), 0600)
++
++ install_ca_cert(ca_cert)
++
++ sites_dir = '/etc/apache2/sites-available'
++ for ext_port, int_port in port_maps.items():
++ juju_log('INFO',
++ 'Creating apache2 reverse proxy vhost'
++ ' for {}:{}'.format(ext_port,
++ int_port))
++ site = "{}_{}".format(namespace, ext_port)
++ site_path = os.path.join(sites_dir, site)
++ with open(site_path, 'w') as fsite:
++ context = {
++ "ext": ext_port,
++ "int": int_port,
++ "namespace": namespace,
++ "private_address": get_host_ip()
++ }
++ fsite.write(render_template(SITE_TEMPLATE,
++ context))
++
++ if RELOAD_CHECK in subprocess.check_output(['a2ensite', site]):
++ http_restart = True
++
++ if http_restart:
++ restart('apache2')
++
++ return True
++
++
++def disable_https(port_maps, namespace):
++ '''
++ Ensure HTTPS reverse proxying is disables for given port mappings
++
++ port_maps: dict: of ext -> int port mappings
++ namespace: str: name of chamr
++ '''
++ juju_log('INFO', 'Ensuring HTTPS disabled for {}'.format(port_maps))
++
++ if (not os.path.exists('/etc/apache2') or
++ not os.path.exists(os.path.join('/etc/apache2/ssl', namespace))):
++ return
++
++ http_restart = False
++ for ext_port in port_maps.keys():
++ if os.path.exists(os.path.join(APACHE_SITE_DIR,
++ "{}_{}".format(namespace,
++ ext_port))):
++ juju_log('INFO',
++ "Disabling HTTPS reverse proxy"
++ " for {} {}.".format(namespace,
++ ext_port))
++ if (RELOAD_CHECK in
++ subprocess.check_output(['a2dissite',
++ '{}_{}'.format(namespace,
++ ext_port)])):
++ http_restart = True
++
++ if http_restart:
++ restart(['apache2'])
++
++
++def setup_https(port_maps, namespace, cert, key, ca_cert=None):
++ '''
++ Ensures HTTPS is either enabled or disabled for given port
++ mapping.
++
++ port_maps: dict: of ext -> int port mappings
++ namespace: str: name of charm
++ '''
++ if not https:
++ disable_https(port_maps, namespace)
++ else:
++ enable_https(port_maps, namespace, cert, key, ca_cert)
 === added file 'hooks/lib/cluster_utils.py'
 --- hooks/lib/cluster_utils.py	1970-01-01 00:00:00 +0000
 +++ hooks/lib/cluster_utils.py	2013-05-29 18:13:26 +0000
@@ -0,0 +1,130 @@
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++# James Page <james.page@ubuntu.com>
++# Adam Gandelman <adamg@ubuntu.com>
++#
++
++from lib.utils import (
++ juju_log,
++ relation_ids,
++ relation_list,
++ relation_get,
++ get_unit_hostname,
++ config_get
++ )
++import subprocess
++import os
++
++
++def is_clustered():
++ for r_id in (relation_ids('ha') or []):
++ for unit in (relation_list(r_id) or []):
++ clustered = relation_get('clustered',
++ rid=r_id,
++ unit=unit)
++ if clustered:
++ return True
++ return False
++
++
++def is_leader(resource):
++ cmd = [
++ "crm", "resource",
++ "show", resource
++ ]
++ try:
++ status = subprocess.check_output(cmd)
++ except subprocess.CalledProcessError:
++ return False
++ else:
++ if get_unit_hostname() in status:
++ return True
++ else:
++ return False
++
++
++def peer_units():
++ peers = []
++ for r_id in (relation_ids('cluster') or []):
++ for unit in (relation_list(r_id) or []):
++ peers.append(unit)
++ return peers
++
++
++def oldest_peer(peers):
++ local_unit_no = int(os.getenv('JUJU_UNIT_NAME').split('/')[1])
++ for peer in peers:
++ remote_unit_no = int(peer.split('/')[1])
++ if remote_unit_no < local_unit_no:
++ return False
++ return True
++
++
++def eligible_leader(resource):
++ if is_clustered():
++ if not is_leader(resource):
++ juju_log('INFO', 'Deferring action to CRM leader.')
++ return False
++ else:
++ peers = peer_units()
++ if peers and not oldest_peer(peers):
++ juju_log('INFO', 'Deferring action to oldest service unit.')
++ return False
++ return True
++
++
++def https():
++ '''
++ Determines whether enough data has been provided in configuration
++ or relation data to configure HTTPS
++ .
++ returns: boolean
++ '''
++ if config_get('use-https') == "yes":
++ return True
++ if config_get('ssl_cert') and config_get('ssl_key'):
++ return True
++ for r_id in relation_ids('identity-service'):
++ for unit in relation_list(r_id):
++ if (relation_get('https_keystone', rid=r_id, unit=unit) and
++ relation_get('ssl_cert', rid=r_id, unit=unit) and
++ relation_get('ssl_key', rid=r_id, unit=unit) and
++ relation_get('ca_cert', rid=r_id, unit=unit)):
++ return True
++ return False
++
++
++def determine_api_port(public_port):
++ '''
++ Determine correct API server listening port based on
++ existence of HTTPS reverse proxy and/or haproxy.
++
++ public_port: int: standard public port for given service
++
++ returns: int: the correct listening port for the API service
++ '''
++ i = 0
++ if len(peer_units()) > 0 or is_clustered():
++ i += 1
++ if https():
++ i += 1
++ return public_port - (i * 10)
++
++
++def determine_haproxy_port(public_port):
++ '''
++ Description: Determine correct proxy listening port based on public IP +
++ existence of HTTPS reverse proxy.
++
++ public_port: int: standard public port for given service
++
++ returns: int: the correct listening port for the HAProxy service
++ '''
++ i = 0
++ if https():
++ i += 1
++ return public_port - (i * 10)
 === added file 'hooks/lib/haproxy_utils.py'
 --- hooks/lib/haproxy_utils.py	1970-01-01 00:00:00 +0000
 +++ hooks/lib/haproxy_utils.py	2013-05-29 18:13:26 +0000
@@ -0,0 +1,55 @@
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++# James Page <james.page@ubuntu.com>
++# Adam Gandelman <adamg@ubuntu.com>
++#
++
++from lib.utils import (
++ relation_ids,
++ relation_list,
++ relation_get,
++ unit_get,
++ reload,
++ render_template
++ )
++import os
++
++HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
++HAPROXY_DEFAULT = '/etc/default/haproxy'
++
++
++def configure_haproxy(service_ports):
++ '''
++ Configure HAProxy based on the current peers in the service
++ cluster using the provided port map:
++
++ "swift": [ 8080, 8070 ]
++
++ HAproxy will also be reloaded/started if required
++
++ service_ports: dict: dict of lists of [ frontend, backend ]
++ '''
++ cluster_hosts = {}
++ cluster_hosts[os.getenv('JUJU_UNIT_NAME').replace('/', '-')] = \
++ unit_get('private-address')
++ for r_id in relation_ids('cluster'):
++ for unit in relation_list(r_id):
++ cluster_hosts[unit.replace('/', '-')] = \
++ relation_get(attribute='private-address',
++ rid=r_id,
++ unit=unit)
++ context = {
++ 'units': cluster_hosts,
++ 'service_ports': service_ports
++ }
++ with open(HAPROXY_CONF, 'w') as f:
++ f.write(render_template(os.path.basename(HAPROXY_CONF),
++ context))
++ with open(HAPROXY_DEFAULT, 'w') as f:
++ f.write('ENABLED=1')
++
++ reload('haproxy')
 === modified file 'hooks/lib/openstack_common.py'
 --- hooks/lib/openstack_common.py	2012-12-05 20:35:05 +0000
 +++ hooks/lib/openstack_common.py	2013-05-29 18:13:26 +0000
@@ -2,7 +2,9 @@
  # Common python helper functions used for OpenStack charms.
++import apt_pkg as apt
  import subprocess
++import os
  CLOUD_ARCHIVE_URL = "http://ubuntu-cloud.archive.canonical.com/ubuntu"
  CLOUD_ARCHIVE_KEY_ID = '5EDB1B62EC4926EA'
@@ -11,7 +13,7 @@
  'oneiric': 'diablo',
  'precise': 'essex',
  'quantal': 'folsom',
-- 'raring' : 'grizzly'
++ 'raring': 'grizzly',
+ }
@@ -19,7 +21,18 @@
  '2011.2': 'diablo',
  '2012.1': 'essex',
  '2012.2': 'folsom',
-- '2013.1': 'grizzly'
++ '2013.1': 'grizzly',
++ '2013.2': 'havana',
++}
++
++# The ugly duckling
++swift_codenames = {
++ '1.4.3': 'diablo',
++ '1.4.8': 'essex',
++ '1.7.4': 'folsom',
++ '1.7.6': 'grizzly',
++ '1.7.7': 'grizzly',
++ '1.8.0': 'grizzly',
+ }
@@ -62,11 +75,12 @@
  return ca_rel
  # Best guess match based on deb string provided
-- if src.startswith('deb'):
++ if src.startswith('deb') or src.startswith('ppa'):
  for k, v in openstack_codenames.iteritems():
  if v in src:
  return v
++
  def get_os_codename_version(vers):
  '''Determine OpenStack codename from version number.'''
  try:
@@ -88,52 +102,54 @@
  def get_os_codename_package(pkg):
  '''Derive OpenStack release codename from an installed package.'''
-- cmd = ['dpkg', '-l', pkg]
--
++ apt.init()
++ cache = apt.Cache()
  try:
-- output = subprocess.check_output(cmd)
-- except subprocess.CalledProcessError:
-- e = 'Could not derive OpenStack version from package that is not '\
-- 'installed; %s' % pkg
-- error_out(e)
--
-- def _clean(line):
-- line = line.split(' ')
-- clean = []
-- for c in line:
-- if c != '':
-- clean.append(c)
-- return clean
--
-- vers = None
-- for l in output.split('\n'):
-- if l.startswith('ii'):
-- l = _clean(l)
-- if l[1] == pkg:
-- vers = l[2]
--
-- if not vers:
++ pkg = cache[pkg]
++ except:
  e = 'Could not determine version of installed package: %s' % pkg
  error_out(e)
-- vers = vers[:6]
++ vers = apt.UpstreamVersion(pkg.current_ver.ver_str)
++
  try:
-- return openstack_codenames[vers]
++ if 'swift' in pkg.name:
++ vers = vers[:5]
++ return swift_codenames[vers]
++ else:
++ vers = vers[:6]
++ return openstack_codenames[vers]
  except KeyError:
  e = 'Could not determine OpenStack codename for version %s' % vers
  error_out(e)
++def get_os_version_package(pkg):
++ '''Derive OpenStack version number from an installed package.'''
++ codename = get_os_codename_package(pkg)
++
++ if 'swift' in pkg:
++ vers_map = swift_codenames
++ else:
++ vers_map = openstack_codenames
++
++ for version, cname in vers_map.iteritems():
++ if cname == codename:
++ return version
++ e = "Could not determine OpenStack version for package: %s" % pkg
++ error_out(e)
++
++
  def configure_installation_source(rel):
  '''Configure apt installation source.'''
-- def _import_key(id):
++ def _import_key(keyid):
  cmd = "apt-key adv --keyserver keyserver.ubuntu.com " \
-- "--recv-keys %s" % id
++ "--recv-keys %s" % keyid
  try:
  subprocess.check_call(cmd.split(' '))
-- except:
-- error_out("Error importing repo key %s" % id)
++ except subprocess.CalledProcessError:
++ error_out("Error importing repo key %s" % keyid)
  if rel == 'distro':
  return
@@ -142,7 +158,7 @@
  subprocess.check_call(["add-apt-repository", "-y", src])
  elif rel[:3] == "deb":
  l = len(rel.split('|'))
-- if l == 2:
++ if l == 2:
  src, key = rel.split('|')
  juju_log("Importing PPA key from keyserver for %s" % src)
  _import_key(key)
@@ -164,9 +180,11 @@
  'version (%s)' % (ca_rel, ubuntu_rel)
  error_out(e)
-- if ca_rel == 'folsom/staging':
++ if 'staging' in ca_rel:
  # staging is just a regular PPA.
-- cmd = 'add-apt-repository -y ppa:ubuntu-cloud-archive/folsom-staging'
++ os_rel = ca_rel.split('/')[0]
++ ppa = 'ppa:ubuntu-cloud-archive/%s-staging' % os_rel
++ cmd = 'add-apt-repository -y %s' % ppa
  subprocess.check_call(cmd.split(' '))
  return
@@ -174,7 +192,10 @@
  pockets = {
  'folsom': 'precise-updates/folsom',
  'folsom/updates': 'precise-updates/folsom',
-- 'folsom/proposed': 'precise-proposed/folsom'
++ 'folsom/proposed': 'precise-proposed/folsom',
++ 'grizzly': 'precise-updates/grizzly',
++ 'grizzly/updates': 'precise-updates/grizzly',
++ 'grizzly/proposed': 'precise-proposed/grizzly'
+ }
  try:
@@ -191,3 +212,19 @@
  else:
  error_out("Invalid openstack-release specified: %s" % rel)
++
++def save_script_rc(script_path="scripts/scriptrc", **env_vars):
++ """
++ Write an rc file in the charm-delivered directory containing
++ exported environment variables provided by env_vars. Any charm scripts run
++ outside the juju hook environment can source this scriptrc to obtain
++ updated config information necessary to perform health checks or
++ service changes.
++ """
++ charm_dir = os.getenv('CHARM_DIR')
++ juju_rc_path = "%s/%s" % (charm_dir, script_path)
++ with open(juju_rc_path, 'wb') as rc_script:
++ rc_script.write(
++ "#!/bin/bash\n")
++ [rc_script.write('export %s=%s\n' % (u, p))
++ for u, p in env_vars.iteritems() if u != "script_path"]
 === added file 'hooks/lib/unison.py'
 --- hooks/lib/unison.py	1970-01-01 00:00:00 +0000
 +++ hooks/lib/unison.py	2013-05-29 18:13:26 +0000
@@ -0,0 +1,220 @@
++#!/usr/bin/python
++#
++# Easy file synchronization among peer units using ssh + unison.
++#
++# From *both* peer relation -joined and -changed, add a call to
++# ssh_authorized_peers() describing the peer relation and the desired
++# user + group. After all peer relations have settled, all hosts should
++# be able to connect to on another via key auth'd ssh as the specified user.
++#
++# Other hooks are then free to synchronize files and directories using
++# sync_to_peers().
++#
++# For a peer relation named 'cluster', for example:
++#
++# cluster-relation-joined:
++# ...
++# ssh_authorized_peers(peer_interface='cluster',
++# user='juju_ssh', group='juju_ssh',
++# ensure_user=True)
++# ...
++#
++# cluster-relation-changed:
++# ...
++# ssh_authorized_peers(peer_interface='cluster',
++# user='juju_ssh', group='juju_ssh',
++# ensure_user=True)
++# ...
++#
++# Hooks are now free to sync files as easily as:
++#
++# files = ['/etc/fstab', '/etc/apt.conf.d/']
++# sync_to_peers(peer_interface='cluster',
++# user='juju_ssh, paths=[files])
++#
++# It is assumed the charm itself has setup permissions on each unit
++# such that 'juju_ssh' has read + write permissions. Also assumed
++# that the calling charm takes care of leader delegation.
++#
++# TODO: Currently depends on the utils.py shipped with the keystone charm.
++# Either copy required functionality to this library or depend on
++# something more generic.
++
++import os
++import sys
++import lib.utils as utils
++import subprocess
++import grp
++import pwd
++
++
++def get_homedir(user):
++ try:
++ user = pwd.getpwnam(user)
++ return user.pw_dir
++ except KeyError:
++ utils.juju_log('INFO',
++ 'Could not get homedir for user %s: user exists?')
++ sys.exit(1)
++
++
++def get_keypair(user):
++ home_dir = get_homedir(user)
++ ssh_dir = os.path.join(home_dir, '.ssh')
++ if not os.path.isdir(ssh_dir):
++ os.mkdir(ssh_dir)
++
++ priv_key = os.path.join(ssh_dir, 'id_rsa')
++ if not os.path.isfile(priv_key):
++ utils.juju_log('INFO', 'Generating new ssh key for user %s.' % user)
++ cmd = ['ssh-keygen', '-q', '-N', '', '-t', 'rsa', '-b', '2048',
++ '-f', priv_key]
++ subprocess.check_call(cmd)
++
++ pub_key = '%s.pub' % priv_key
++ if not os.path.isfile(pub_key):
++ utils.juju_log('INFO', 'Generatring missing ssh public key @ %s.' % \
++ pub_key)
++ cmd = ['ssh-keygen', '-y', '-f', priv_key]
++ p = subprocess.check_output(cmd).strip()
++ with open(pub_key, 'wb') as out:
++ out.write(p)
++ subprocess.check_call(['chown', '-R', user, ssh_dir])
++ return open(priv_key, 'r').read().strip(), \
++ open(pub_key, 'r').read().strip()
++
++
++def write_authorized_keys(user, keys):
++ home_dir = get_homedir(user)
++ ssh_dir = os.path.join(home_dir, '.ssh')
++ auth_keys = os.path.join(ssh_dir, 'authorized_keys')
++ utils.juju_log('INFO', 'Syncing authorized_keys @ %s.' % auth_keys)
++ with open(auth_keys, 'wb') as out:
++ for k in keys:
++ out.write('%s\n' % k)
++
++
++def write_known_hosts(user, hosts):
++ home_dir = get_homedir(user)
++ ssh_dir = os.path.join(home_dir, '.ssh')
++ known_hosts = os.path.join(ssh_dir, 'known_hosts')
++ khosts = []
++ for host in hosts:
++ cmd = ['ssh-keyscan', '-H', '-t', 'rsa', host]
++ remote_key = subprocess.check_output(cmd).strip()
++ khosts.append(remote_key)
++ utils.juju_log('INFO', 'Syncing known_hosts @ %s.' % known_hosts)
++ with open(known_hosts, 'wb') as out:
++ for host in khosts:
++ out.write('%s\n' % host)
++
++
++def ensure_user(user, group=None):
++ # need to ensure a bash shell'd user exists.
++ try:
++ pwd.getpwnam(user)
++ except KeyError:
++ utils.juju_log('INFO', 'Creating new user %s.%s.' % (user, group))
++ cmd = ['adduser', '--system', '--shell', '/bin/bash', user]
++ if group:
++ try:
++ grp.getgrnam(group)
++ except KeyError:
++ subprocess.check_call(['addgroup', group])
++ cmd += ['--ingroup', group]
++ subprocess.check_call(cmd)
++
++
++def ssh_authorized_peers(peer_interface, user, group=None, ensure_local_user=False):
++ """
++ Main setup function, should be called from both peer -changed and -joined
++ hooks with the same parameters.
++ """
++ if ensure_local_user:
++ ensure_user(user, group)
++ priv_key, pub_key = get_keypair(user)
++ hook = os.path.basename(sys.argv[0])
++ if hook == '%s-relation-joined' % peer_interface:
++ utils.relation_set(ssh_pub_key=pub_key)
++ print 'joined'
++ elif hook == '%s-relation-changed' % peer_interface:
++ hosts = []
++ keys = []
++ for r_id in utils.relation_ids(peer_interface):
++ for unit in utils.relation_list(r_id):
++ settings = utils.relation_get_dict(relation_id=r_id,
++ remote_unit=unit)
++ if 'ssh_pub_key' in settings:
++ keys.append(settings['ssh_pub_key'])
++ hosts.append(settings['private-address'])
++ else:
++ utils.juju_log('INFO',
++ 'ssh_authorized_peers(): ssh_pub_key '\
++ 'missing for unit %s, skipping.' % unit)
++ write_authorized_keys(user, keys)
++ write_known_hosts(user, hosts)
++ authed_hosts = ':'.join(hosts)
++ utils.relation_set(ssh_authorized_hosts=authed_hosts)
++
++
++def _run_as_user(user):
++ try:
++ user = pwd.getpwnam(user)
++ except KeyError:
++ utils.juju_log('INFO', 'Invalid user: %s' % user)
++ sys.exit(1)
++ uid, gid = user.pw_uid, user.pw_gid
++ os.environ['HOME'] = user.pw_dir
++
++ def _inner():
++ os.setgid(gid)
++ os.setuid(uid)
++ return _inner
++
++
++def run_as_user(user, cmd):
++ return subprocess.check_output(cmd, preexec_fn=_run_as_user(user))
++
++
++def sync_to_peers(peer_interface, user, paths=[], verbose=False):
++ base_cmd = ['unison', '-auto', '-batch=true', '-confirmbigdel=false',
++ '-fastcheck=true', '-group=false', '-owner=false',
++ '-prefer=newer', '-times=true']
++ if not verbose:
++ base_cmd.append('-silent')
++
++ hosts = []
++ for r_id in (utils.relation_ids(peer_interface) or []):
++ for unit in utils.relation_list(r_id):
++ settings = utils.relation_get_dict(relation_id=r_id,
++ remote_unit=unit)
++ try:
++ authed_hosts = settings['ssh_authorized_hosts'].split(':')
++ except KeyError:
++ print 'unison sync_to_peers: peer has not authorized *any* '\
++ 'hosts yet.'
++ return
++
++ unit_hostname = utils.unit_get('private-address')
++ add_host = None
++ for authed_host in authed_hosts:
++ if unit_hostname == authed_host:
++ add_host = settings['private-address']
++ if add_host:
++ hosts.append(settings['private-address'])
++ else:
++ print 'unison sync_to_peers: peer (%s) has not authorized '\
++ '*this* host yet, skipping.' %\
++ settings['private-address']
++
++ for path in paths:
++ # removing trailing slash from directory paths, unison
++ # doesn't like these.
++ if path.endswith('/'):
++ path = path[:(len(path) - 1)]
++ for host in hosts:
++ cmd = base_cmd + [path, 'ssh://%s@%s/%s' % (user, host, path)]
++ utils.juju_log('INFO', 'Syncing local path %s to %s@%s:%s' %\
++ (path, user, host, path))
++ print ' '.join(cmd)
++ run_as_user(user, cmd)
 === added file 'hooks/lib/utils.py'
 --- hooks/lib/utils.py	1970-01-01 00:00:00 +0000
 +++ hooks/lib/utils.py	2013-05-29 18:13:26 +0000
@@ -0,0 +1,332 @@
++#
++# Copyright 2012 Canonical Ltd.
++#
++# This file is sourced from lp:openstack-charm-helpers
++#
++# Authors:
++# James Page <james.page@ubuntu.com>
++# Paul Collins <paul.collins@canonical.com>
++# Adam Gandelman <adamg@ubuntu.com>
++#
++
++import json
++import os
++import subprocess
++import socket
++import sys
++
++
++def do_hooks(hooks):
++ hook = os.path.basename(sys.argv[0])
++
++ try:
++ hook_func = hooks[hook]
++ except KeyError:
++ juju_log('INFO',
++ "This charm doesn't know how to handle '{}'.".format(hook))
++ else:
++ hook_func()
++
++
++def install(*pkgs):
++ cmd = [
++ 'apt-get',
++ '-y',
++ 'install'
++ ]
++ for pkg in pkgs:
++ cmd.append(pkg)
++ subprocess.check_call(cmd)
++
++TEMPLATES_DIR = 'templates'
++
++try:
++ import jinja2
++except ImportError:
++ install('python-jinja2')
++ import jinja2
++
++try:
++ import dns.resolver
++except ImportError:
++ install('python-dnspython')
++ import dns.resolver
++
++
++def render_template(template_name, context, template_dir=TEMPLATES_DIR):
++ templates = jinja2.Environment(
++ loader=jinja2.FileSystemLoader(template_dir)
++ )
++ template = templates.get_template(template_name)
++ return template.render(context)
++
++CLOUD_ARCHIVE = \
++""" # Ubuntu Cloud Archive
++deb http://ubuntu-cloud.archive.canonical.com/ubuntu {} main
++"""
++
++CLOUD_ARCHIVE_POCKETS = {
++ 'folsom': 'precise-updates/folsom',
++ 'folsom/updates': 'precise-updates/folsom',
++ 'folsom/proposed': 'precise-proposed/folsom',
++ 'grizzly': 'precise-updates/grizzly',
++ 'grizzly/updates': 'precise-updates/grizzly',
++ 'grizzly/proposed': 'precise-proposed/grizzly'
++ }
++
++
++def configure_source():
++ source = str(config_get('openstack-origin'))
++ if not source:
++ return
++ if source.startswith('ppa:'):
++ cmd = [
++ 'add-apt-repository',
++ source
++ ]
++ subprocess.check_call(cmd)
++ if source.startswith('cloud:'):
++ # CA values should be formatted as cloud:ubuntu-openstack/pocket, eg:
++ # cloud:precise-folsom/updates or cloud:precise-folsom/proposed
++ install('ubuntu-cloud-keyring')
++ pocket = source.split(':')[1]
++ pocket = pocket.split('-')[1]
++ with open('/etc/apt/sources.list.d/cloud-archive.list', 'w') as apt:
++ apt.write(CLOUD_ARCHIVE.format(CLOUD_ARCHIVE_POCKETS[pocket]))
++ if source.startswith('deb'):
++ l = len(source.split('|'))
++ if l == 2:
++ (apt_line, key) = source.split('|')
++ cmd = [
++ 'apt-key',
++ 'adv', '--keyserver keyserver.ubuntu.com',
++ '--recv-keys', key
++ ]
++ subprocess.check_call(cmd)
++ elif l == 1:
++ apt_line = source
++
++ with open('/etc/apt/sources.list.d/quantum.list', 'w') as apt:
++ apt.write(apt_line + "\n")
++ cmd = [
++ 'apt-get',
++ 'update'
++ ]
++ subprocess.check_call(cmd)
++
++# Protocols
++TCP = 'TCP'
++UDP = 'UDP'
++
++
++def expose(port, protocol='TCP'):
++ cmd = [
++ 'open-port',
++ '{}/{}'.format(port, protocol)
++ ]
++ subprocess.check_call(cmd)
++
++
++def juju_log(severity, message):
++ cmd = [
++ 'juju-log',
++ '--log-level', severity,
++ message
++ ]
++ subprocess.check_call(cmd)
++
++
++cache = {}
++
++
++def cached(func):
++ def wrapper(*args, **kwargs):
++ global cache
++ key = str((func, args, kwargs))
++ try:
++ return cache[key]
++ except KeyError:
++ res = func(*args, **kwargs)
++ cache[key] = res
++ return res
++ return wrapper
++
++
++@cached
++def relation_ids(relation):
++ cmd = [
++ 'relation-ids',
++ relation
++ ]
++ result = str(subprocess.check_output(cmd)).split()
++ if result == "":
++ return None
++ else:
++ return result
++
++
++@cached
++def relation_list(rid):
++ cmd = [
++ 'relation-list',
++ '-r', rid,
++ ]
++ result = str(subprocess.check_output(cmd)).split()
++ if result == "":
++ return None
++ else:
++ return result
++
++
++@cached
++def relation_get(attribute, unit=None, rid=None):
++ cmd = [
++ 'relation-get',
++ ]
++ if rid:
++ cmd.append('-r')
++ cmd.append(rid)
++ cmd.append(attribute)
++ if unit:
++ cmd.append(unit)
++ value = subprocess.check_output(cmd).strip() # IGNORE:E1103
++ if value == "":
++ return None
++ else:
++ return value
++
++
++@cached
++def relation_get_dict(relation_id=None, remote_unit=None):
++ """Obtain all relation data as dict by way of JSON"""
++ cmd = [
++ 'relation-get', '--format=json'
++ ]
++ if relation_id:
++ cmd.append('-r')
++ cmd.append(relation_id)
++ if remote_unit:
++ remote_unit_orig = os.getenv('JUJU_REMOTE_UNIT', None)
++ os.environ['JUJU_REMOTE_UNIT'] = remote_unit
++ j = subprocess.check_output(cmd)
++ if remote_unit and remote_unit_orig:
++ os.environ['JUJU_REMOTE_UNIT'] = remote_unit_orig
++ d = json.loads(j)
++ settings = {}
++ # convert unicode to strings
++ for k, v in d.iteritems():
++ settings[str(k)] = str(v)
++ return settings
++
++
++def relation_set(**kwargs):
++ cmd = [
++ 'relation-set'
++ ]
++ args = []
++ for k, v in kwargs.items():
++ if k == 'rid':
++ if v:
++ cmd.append('-r')
++ cmd.append(v)
++ else:
++ args.append('{}={}'.format(k, v))
++ cmd += args
++ subprocess.check_call(cmd)
++
++
++@cached
++def unit_get(attribute):
++ cmd = [
++ 'unit-get',
++ attribute
++ ]
++ value = subprocess.check_output(cmd).strip() # IGNORE:E1103
++ if value == "":
++ return None
++ else:
++ return value
++
++
++@cached
++def config_get(attribute):
++ cmd = [
++ 'config-get',
++ '--format',
++ 'json',
++ ]
++ out = subprocess.check_output(cmd).strip() # IGNORE:E1103
++ cfg = json.loads(out)
++
++ try:
++ return cfg[attribute]
++ except KeyError:
++ return None
++
++
++@cached
++def get_unit_hostname():
++ return socket.gethostname()
++
++
++@cached
++def get_host_ip(hostname=unit_get('private-address')):
++ try:
++ # Test to see if already an IPv4 address
++ socket.inet_aton(hostname)
++ return hostname
++ except socket.error:
++ answers = dns.resolver.query(hostname, 'A')
++ if answers:
++ return answers[0].address
++ return None
++
++
++def _svc_control(service, action):
++ subprocess.check_call(['service', service, action])
++
++
++def restart(*services):
++ for service in services:
++ _svc_control(service, 'restart')
++
++
++def stop(*services):
++ for service in services:
++ _svc_control(service, 'stop')
++
++
++def start(*services):
++ for service in services:
++ _svc_control(service, 'start')
++
++
++def reload(*services):
++ for service in services:
++ try:
++ _svc_control(service, 'reload')
++ except subprocess.CalledProcessError:
++ # Reload failed - either service does not support reload
++ # or it was not running - restart will fixup most things
++ _svc_control(service, 'restart')
++
++
++def running(service):
++ try:
++ output = subprocess.check_output(['service', service, 'status'])
++ except subprocess.CalledProcessError:
++ return False
++ else:
++ if ("start/running" in output or
++ "is running" in output):
++ return True
++ else:
++ return False
++
++
++def is_relation_made(relation, key='private-address'):
++ for r_id in (relation_ids(relation) or []):
++ for unit in (relation_list(r_id) or []):
++ if relation_get(key, rid=r_id, unit=unit):
++ return True
++ return False
 === modified file 'hooks/manager.py'
 --- hooks/manager.py	2012-02-29 01:18:17 +0000
 +++ hooks/manager.py	2013-05-29 18:13:26 +0000
@@ -1,6 +1,7 @@
  #!/usr/bin/python
  from keystoneclient.v2_0 import client
++
  class KeystoneManager(object):
  def __init__(self, endpoint, token):
  self.api = client.Client(endpoint=endpoint, token=token)
 === modified symlink 'hooks/shared-db-relation-changed'
 === target changed u'keystone-hooks' => u'keystone_hooks.py'
 === modified symlink 'hooks/shared-db-relation-joined'
 === target changed u'keystone-hooks' => u'keystone_hooks.py'
 === added symlink 'hooks/upgrade-charm'
 === target is u'keystone_hooks.py'
 === modified file 'metadata.yaml'
 --- metadata.yaml	2013-04-22 19:39:48 +0000
 +++ metadata.yaml	2013-05-29 18:13:26 +0000
@@ -12,3 +12,9 @@
  requires:
  shared-db:
  interface: mysql-shared
++ ha:
++ interface: hacluster
++ scope: container
++peers:
++ cluster:
++ interface: keystone-ha
 === modified file 'revision'
 --- revision	2012-12-12 03:52:01 +0000
 +++ revision	2013-05-29 18:13:26 +0000
@@ -1,1 +1,1 @@
--165
++221
 === added directory 'scripts'
 === added file 'scripts/add_to_cluster'
 --- scripts/add_to_cluster	1970-01-01 00:00:00 +0000
 +++ scripts/add_to_cluster	2013-05-29 18:13:26 +0000
@@ -0,0 +1,13 @@
++#!/bin/bash
++service corosync start || /bin/true
++sleep 2
++while ! service pacemaker start; do
++ echo "Attempting to start pacemaker"
++ sleep 1;
++done;
++crm node online
++sleep 2
++while crm status | egrep -q 'Stopped$'; do
++ echo "Waiting for nodes to come online"
++ sleep 1
++done
 === added file 'scripts/remove_from_cluster'
 --- scripts/remove_from_cluster	1970-01-01 00:00:00 +0000
 +++ scripts/remove_from_cluster	2013-05-29 18:13:26 +0000
@@ -0,0 +1,4 @@
++#!/bin/bash
++crm node standby
++service pacemaker stop
++service corosync stop
 === added directory 'templates'
 === added file 'templates/haproxy.cfg'
 --- templates/haproxy.cfg	1970-01-01 00:00:00 +0000
 +++ templates/haproxy.cfg	2013-05-29 18:13:26 +0000
@@ -0,0 +1,35 @@
++global
++ log 127.0.0.1 local0
++ log 127.0.0.1 local1 notice
++ maxconn 20000
++ user haproxy
++ group haproxy
++ spread-checks 0
++
++defaults
++ log global
++ mode http
++ option httplog
++ option dontlognull
++ retries 3
++ timeout queue 1000
++ timeout connect 1000
++ timeout client 30000
++ timeout server 30000
++
++listen stats :8888
++ mode http
++ stats enable
++ stats hide-version
++ stats realm Haproxy\ Statistics
++ stats uri /
++ stats auth admin:password
++
++{% for service, ports in service_ports.iteritems() -%}
++listen {{ service }} 0.0.0.0:{{ ports[0] }}
++ balance roundrobin
++ option tcplog
++ {% for unit, address in units.iteritems() -%}
++ server {{ unit }} {{ address }}:{{ ports[1] }} check
++ {% endfor %}
++{% endfor %}

Juju Charms Collectionkeystone package

Merge lp:~openstack-charmers/charms/precise/keystone/ha-support into lp:~charmers/charms/precise/keystone/trunk

Commit message

Description of the change

Preview Diff

Subscribers

Juju Charms Collection
keystone package