colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

keystone: rip

Browse Source 
part of openstack cleanup
This commit is contained in:
makefu 2017-12-13 18:18:48 +01:00
parent 5369400bb0
commit d3d94992cf
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
7 changed files with 2 additions and 362 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/misc/ids.nix
View File

@ -281,7 +281,7 @@
stanchion = 262;
riak-cs = 263;
infinoted = 264;
keystone = 265;
# keystone = 265; # unused, removed 2017-12-13
glance = 266;
couchpotato = 267;
gogs = 268;
@ -551,7 +551,7 @@
stanchion = 262;
riak-cs = 263;
infinoted = 264;
keystone = 265;
# keystone = 265; # unused, removed 2017-12-13
glance = 266;
couchpotato = 267;
gogs = 268;

1
nixos/modules/module-list.nix
View File

@ -748,6 +748,5 @@
./virtualisation/vmware-guest.nix
./virtualisation/xen-dom0.nix
./virtualisation/xe-guest-utilities.nix
./virtualisation/openstack/keystone.nix
./virtualisation/openstack/glance.nix
]

220
nixos/modules/virtualisation/openstack/keystone.nix
View File

@ -1,220 +0,0 @@
{ config, lib, pkgs, ... }:
with lib; with import ./common.nix {inherit lib;};
let
cfg = config.virtualisation.openstack.keystone;
keystoneConfTpl = pkgs.writeText "keystone.conf" ''
[DEFAULT]
admin_token = ${cfg.adminToken.pattern}
policy_file=${cfg.package}/etc/policy.json
[database]
connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}"
[paste_deploy]
config_file = ${cfg.package}/etc/keystone-paste.ini
${cfg.extraConfig}
'';
keystoneConf = "/var/lib/keystone/keystone.conf";
in {
options.virtualisation.openstack.keystone = {
package = mkOption {
type = types.package;
example = literalExample "pkgs.keystone";
description = ''
Keystone package to use.
'';
};
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable Keystone, the OpenStack Identity Service
'';
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
Additional text appended to <filename>keystone.conf</filename>,
the main Keystone configuration file.
'';
};
adminToken = mkSecretOption {
name = "adminToken";
description = ''
This is the admin token used to boostrap keystone,
ie. to provision first resources.
'';
};
bootstrap = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Bootstrap the Keystone service by creating the service
tenant, an admin account and a public endpoint. This options
provides a ready-to-use admin account. This is only done at
the first Keystone execution by the systemd post start.
Note this option is a helper for setting up development or
testing environments.
'';
};
endpointPublic = mkOption {
type = types.str;
default = "http://localhost:5000/v2.0";
description = ''
The public identity endpoint. The link <link
xlink:href="http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html">
create keystone endpoint</link> provides more informations
about that.
'';
};
adminUsername = mkOption {
type = types.str;
default = "admin";
description = ''
A keystone admin username.
'';
};
adminPassword = mkSecretOption {
name = "keystoneAdminPassword";
description = ''
The keystone admin user's password.
'';
};
adminTenant = mkOption {
type = types.str;
default = "admin";
description = ''
A keystone admin tenant name.
'';
};
};
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = ''
Host of the database.
'';
};
name = mkOption {
type = types.str;
default = "keystone";
description = ''
Name of the existing database.
'';
};
user = mkOption {
type = types.str;
default = "keystone";
description = ''
The database user. The user must exist and has access to
the specified database.
'';
};
password = mkSecretOption {
name = "mysqlPassword";
description = "The database user's password";};
};
};
config = mkIf cfg.enable {
# Note: when changing the default, make it conditional on
# system.stateVersion to maintain compatibility with existing
# systems!
virtualisation.openstack.keystone.package = mkDefault pkgs.keystone;
users.extraUsers = [{
name = "keystone";
group = "keystone";
uid = config.ids.uids.keystone;
}];
users.extraGroups = [{
name = "keystone";
gid = config.ids.gids.keystone;
}];
systemd.services.keystone-all = {
description = "OpenStack Keystone Daemon";
after = [ "network.target"];
path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -m 755 -p /var/lib/keystone
cp ${keystoneConfTpl} ${keystoneConf};
chown keystone:keystone ${keystoneConf};
chmod 640 ${keystoneConf}
${replaceSecret cfg.database.password keystoneConf}
${replaceSecret cfg.adminToken keystoneConf}
# Initialise the database
${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} db_sync
# Set up the keystone's PKI infrastructure
${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} pki_setup --keystone-user keystone --keystone-group keystone
'';
postStart = optionalString cfg.bootstrap.enable ''
set -eu
# Wait until the keystone is available for use
count=0
while ! curl --fail -s http://localhost:35357/v2.0 > /dev/null
do
if [ $count -eq 30 ]
then
echo "Tried 30 times, giving up..."
exit 1
fi
echo "Keystone not yet started. Waiting for 1 second..."
count=$((count++))
sleep 1
done
# We use the service token to create a first admin user
export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0
export OS_SERVICE_TOKEN=${getSecret cfg.adminToken}
# If the tenant service doesn't exist, we consider
# keystone is not initialized
if ! keystone tenant-get service
then
keystone tenant-create --name service
keystone tenant-create --name ${cfg.bootstrap.adminTenant}
keystone user-create --name ${cfg.bootstrap.adminUsername} --tenant ${cfg.bootstrap.adminTenant} --pass ${getSecret cfg.bootstrap.adminPassword}
keystone role-create --name admin
keystone role-create --name Member
keystone user-role-add --tenant ${cfg.bootstrap.adminTenant} --user ${cfg.bootstrap.adminUsername} --role admin
keystone service-create --type identity --name keystone
ID=$(keystone service-get keystone | awk '/ id / { print $4 }')
keystone endpoint-create --region RegionOne --service $ID --publicurl ${cfg.bootstrap.endpointPublic} --adminurl http://localhost:35357/v2.0 --internalurl http://localhost:5000/v2.0
fi
'';
serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
TimeoutStartSec = "600"; # 10min for initial db migrations
User = "keystone";
Group = "keystone";
ExecStart = "${cfg.package}/bin/keystone-all --config-file=${keystoneConf}";
};
};
};
}

1
nixos/release.nix
View File

@ -293,7 +293,6 @@ in rec {
tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {};
tests.kernel-latest = callTest tests/kernel-latest.nix {};
tests.kernel-lts = callTest tests/kernel-lts.nix {};
tests.keystone = callTest tests/keystone.nix {};
tests.kubernetes = hydraJob (import tests/kubernetes/default.nix { system = "x86_64-linux"; });
tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; };
tests.ldap = callTest tests/ldap.nix {};

82
nixos/tests/keystone.nix
View File

@ -1,82 +0,0 @@
{ system ? builtins.currentSystem }:
with import ../lib/testing.nix { inherit system; };
with pkgs.lib;
let
keystoneMysqlPassword = "keystoneMysqlPassword";
keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword";
keystoneAdminPassword = "keystoneAdminPassword";
createKeystoneDb = pkgs.writeText "create-keystone-db.sql" ''
create database keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}';
'';
# The admin keystone account
adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
# The created demo keystone account
demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack";
in makeTest {
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ lewo ];
};
machine =
{ config, pkgs, ... }:
{
# This is to simulate nixops deployment process.
# https://nixos.org/nixops/manual/#opt-deployment.keys
boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}";
services.mysql.enable = true;
services.mysql.initialScript = createKeystoneDb;
virtualisation = {
openstack.keystone = {
enable = true;
# Check if we can get the secret from a file
database.password = {
value = keystoneMysqlPasswordFile;
storage = "fromFile";
};
adminToken = {
value = "adminToken";
storage = "fromNixStore";
};
bootstrap.enable = true;
# Check if we can get the secret from the store
bootstrap.adminPassword = {
value = keystoneAdminPassword;
storage = "fromNixStore";
};
};
memorySize = 2096;
diskSize = 4 * 1024;
};
environment.systemPackages = with pkgs.pythonPackages; with pkgs; [
openstackclient
];
};
testScript =
''
$machine->waitForUnit("keystone-all.service");
# Verify that admin ccount is working
$machine->succeed("${adminOpenstackCmd} token issue");
# Try to create a new user
$machine->succeed("${adminOpenstackCmd} project create --domain default --description 'Demo Project' demo");
$machine->succeed("${adminOpenstackCmd} user create --domain default --password demo demo");
$machine->succeed("${adminOpenstackCmd} role create user");
$machine->succeed("${adminOpenstackCmd} role add --project demo --user demo user");
# Verify this new account is working
$machine->succeed("${demoOpenstackCmd} token issue");
'';
}

55
pkgs/applications/virtualization/openstack/keystone.nix
View File

@ -1,55 +0,0 @@
{ stdenv, fetchurl, python2Packages, xmlsec, which, openssl }:
python2Packages.buildPythonApplication rec {
name = "keystone-${version}";
version = "8.0.0";
namePrefix = "";
PBR_VERSION = "${version}";
src = fetchurl {
url = "https://github.com/openstack/keystone/archive/${version}.tar.gz";
sha256 = "1xbrs7xgwjzrs07zyxxcl2lq18dh582gd6lx1zzzji8c0qmffy0z";
};
# remove on next version bump
patches = [ ./remove-oslo-policy-tests.patch ];
# https://github.com/openstack/keystone/blob/stable/liberty/requirements.txt
propagatedBuildInputs = with python2Packages; [
pbr webob eventlet greenlet PasteDeploy paste routes cryptography six
sqlalchemy sqlalchemy_migrate stevedore passlib keystoneclient memcached
keystonemiddleware oauthlib pysaml2 dogpile_cache jsonschema pycadf msgpack
xmlsec MySQL_python
# oslo
oslo-cache oslo-concurrency oslo-config oslo-context oslo-messaging oslo-db
oslo-i18n oslo-log oslo-middleware oslo-policy oslo-serialization oslo-service
oslo-utils
];
buildInputs = with python2Packages; [
coverage fixtures mock subunit tempest-lib testtools testrepository
ldap ldappool webtest requests oslotest pep8 pymongo which
];
makeWrapperArgs = ["--prefix PATH : '${openssl.bin}/bin:$PATH'"];
postInstall = ''
# install .ini files
mkdir -p $out/etc
cp etc/* $out/etc
# check all binaries don't crash
for i in $out/bin/*; do
$i --help
done
'';
meta = with stdenv.lib; {
homepage = http://keystone.openstack.org/;
description = "Authentication, authorization and service discovery mechanisms via HTTP";
license = stdenv.lib.licenses.asl20;
platforms = stdenv.lib.platforms.linux;
};
}

1
pkgs/top-level/all-packages.nix
View File

@ -16113,7 +16113,6 @@ with pkgs;
notmuch-addrlookup = callPackage ../applications/networking/mailreaders/notmuch-addrlookup { };
# Open Stack
keystone = callPackage ../applications/virtualization/openstack/keystone.nix { };
neutron = callPackage ../applications/virtualization/openstack/neutron.nix { };
glance = callPackage ../applications/virtualization/openstack/glance.nix { };