#!/bin/sh set -e ### Start of included pkgos_func library #!/bin/sh # -*- mode: shell-script -*- pkgos_gen_pass () { i=$(dd if=/dev/random bs=64 count=1 2>|/dev/null | md5sum) echo ${i% *} } # This function removes a section, because we need that in the case # of an upgrade from one version to the next. It is for example # needed for keystone to upgrade from Grizzly to Havana. # Params: # $1 Init file path # $2 Section to remove pkgos_remove_section () { local REMOVESEC_INIFILE REMOVESEC_SEARCH_SECTION REMOVESEC_INIFILE_CNT REMOVESEC_LINE REMOVESEC_FOUND_SECTION REMOVESEC_START_LINE REMOVESEC_END_LINE REMOVESEC_INIFILE=${1} REMOVESEC_SEARCH_SECTION=${2} if [ ! -r ${REMOVESEC_INIFILE} ] ; then return ; fi # Iterate through all lines of the file to search for section start/end line number REMOVESEC_INIFILE_CNT=0 REMOVESEC_FOUND_SECTION="" REMOVESEC_START_LINE="" REMOVESEC_END_LINE="" while read REMOVESEC_LINE ; do REMOVESEC_INIFILE_CNT=$((${REMOVESEC_INIFILE_CNT} + 1 )) if echo ${REMOVESEC_LINE} | grep -q '^[ \t]*\[.*\][ \t]*$' ; then REMOVESEC_FOUND_SECTION=`echo ${REMOVESEC_LINE} | sed -e 's/\[//' | sed -e 's/\]//'` if [ "${REMOVESEC_FOUND_SECTION}" = "${REMOVESEC_SEARCH_SECTION}" ] ; then REMOVESEC_START_LINE=$(( ${REMOVESEC_INIFILE_CNT} - 1 )) else if [ -n "${REMOVESEC_START_LINE}" ] && [ -z "${REMOVESEC_END_LINE}" ] ; then REMOVESEC_END_LINE=$(( ${REMOVESEC_INIFILE_CNT} -1 )) fi fi fi done < ${REMOVESEC_INIFILE} # Case where the section is last in the file if [ -n "${REMOVESEC_START_LINE}" ] && [ -z "${REMOVESEC_END_LINE}" ] ; then REMOVESEC_END_LINE=${REMOVESEC_INIFILE_CNT} fi # Section found, remove it! if [ -n "${REMOVESEC_START_LINE}" ] && [ -n "${REMOVESEC_END_LINE}" ] ; then REMOVESEC_CONF_LINES_NUM=`wc -l ${REMOVESEC_INIFILE} | cut -d" " -f1` REMOVESEC_CUT_END=$((${REMOVESEC_CONF_LINES_NUM} - ${REMOVESEC_END_LINE} )) REMOVESEC_TMPFILE=`mktemp -t pkgos_removesec.XXXXXX` head -n ${REMOVESEC_START_LINE} ${REMOVESEC_INIFILE} >${REMOVESEC_TMPFILE} tail -n ${REMOVESEC_CUT_END} ${REMOVESEC_INIFILE} >>${REMOVESEC_TMPFILE} cat <${REMOVESEC_TMPFILE} >${REMOVESEC_INIFILE} rm ${REMOVESEC_TMPFILE} fi } # This function lookup if a directive exists in a section. If it doesn't # then it will add it there, with the specified comment. pkgos_add_directive () { local ADDDIRECTIVE_CONF_FILE ADDDIRECTIVE_SECTION ADDDIRECTIVE_DIRECTIVE ADDDIRECTIVE_COMMENT ADDDIRECTIVE_TOT_NUM_LINES ADDDIRECTIVE_SECTION_START ADDDIRECTIVE_UNTIL_END_FILE ADDDIRECTIVE_TMP_FILE ADDDIRECTIVE_VALUE ADDDIRECTIVE_CONF_FILE=${1} ADDDIRECTIVE_SECTION=${2} ADDDIRECTIVE_DIRECTIVE=${3} ADDDIRECTIVE_COMMENT=${4} ADDDIRECTIVE_VALUE=${5} pkgos_search_directive_line_num ${ADDDIRECTIVE_CONF_FILE} ${ADDDIRECTIVE_SECTION} ${ADDDIRECTIVE_DIRECTIVE} if [ "${RET}" = "NOT_FOUND" ] ; then # Calculate section start and end line ADDDIRECTIVE_TOT_NUM_LINES=$(cat ${ADDDIRECTIVE_CONF_FILE} | wc -l) ADDDIRECTIVE_SECTION_START=$(grep -n -E '^[ \t]*\['${ADDDIRECTIVE_SECTION}'\][ \t]*' ${ADDDIRECTIVE_CONF_FILE} | cut -d: -f1) ADDDIRECTIVE_UNTIL_END_FILE=$((${ADDDIRECTIVE_TOT_NUM_LINES} - ${ADDDIRECTIVE_SECTION_START})) ADDDIRECTIVE_TMP_FILE=$(mktemp pkgos_add_directive.XXXXXX) head -n ${ADDDIRECTIVE_SECTION_START} ${ADDDIRECTIVE_CONF_FILE} >${ADDDIRECTIVE_TMP_FILE} echo ${ADDDIRECTIVE_COMMENT} >>${ADDDIRECTIVE_TMP_FILE} if [ -n "${ADDDIRECTIVE_VALUE}" ] ; then echo "${ADDDIRECTIVE_DIRECTIVE} ${ADDDIRECTIVE_VALUE}" >>${ADDDIRECTIVE_TMP_FILE} else echo "#${ADDDIRECTIVE_DIRECTIVE}" >>${ADDDIRECTIVE_TMP_FILE} fi echo "" >>${ADDDIRECTIVE_TMP_FILE} tail -n ${ADDDIRECTIVE_UNTIL_END_FILE} ${ADDDIRECTIVE_CONF_FILE} >>${ADDDIRECTIVE_TMP_FILE} cp ${ADDDIRECTIVE_TMP_FILE} ${ADDDIRECTIVE_CONF_FILE} rm ${ADDDIRECTIVE_TMP_FILE} fi } # This function lookup if an old directive is set in a configuration file, # if so, it picks-up its value, then set the new directive with the value # found in the old one. If the new directive doesn't exist, it adds it to # the configuration file. # Params: # $1 config_file pkgos_deprecate_directive () { local DEPRECATE_CONF_FILE DEPRECATE_OLD_SECTION DEPRECATE_OLD_DIRECTIVE DEPRECATE_NEW_SECTION DEPRECATE_NEW_DIRECTIVE DEPRECATE_VALUE DEPRECATE_LINE_NUM DEPRECATE_CONF_FILE=${1} DEPRECATE_OLD_SECTION=${2} DEPRECATE_OLD_DIRECTIVE=${3} DEPRECATE_NEW_SECTION=${4} DEPRECATE_NEW_DIRECTIVE=${5} pkgos_inifile get ${DEPRECATE_CONF_FILE} ${DEPRECATE_OLD_SECTION} ${DEPRECATE_OLD_DIRECTIVE} DEPRECATE_VALUE=${RET} if [ "${RET}" = "NOT_FOUND" ] || [ "${RET}" = "" ] ; then return fi pkgos_comment_out_directive ${DEPRECATE_CONF_FILE} ${DEPRECATE_OLD_SECTION} ${DEPRECATE_OLD_DIRECTIVE} pkgos_inifile set ${DEPRECATE_CONF_FILE} ${DEPRECATE_NEW_SECTION} ${DEPRECATE_NEW_DIRECTIVE} ${DEPRECATE_VALUE} } # This comments out a directive if it is not commented. # Params: $1 config_file # $2 section # $3 directive pkgos_comment_out_directive () { local COMMENT_OUT_CONF_FILE COMMENT_OUT_SECTION COMMENT_OUT_DIRECTIVE COMMENT_OUT_LINE_NUM COMMENT_OUT_CONF_FILE=${1} COMMENT_OUT_SECTION=${2} COMMENT_OUT_DIRECTIVE=${3} pkgos_search_directive_line_num ${COMMENT_OUT_CONF_FILE} ${COMMENT_OUT_SECTION} ${COMMENT_OUT_DIRECTIVE} COMMENT_OUT_LINE_NUM=${RET} if [ "${RET}" != "NOT_FOUND" ] && [ -n "${RET}" ] ; then sed -i ${COMMENT_OUT_LINE_NUM}'s|^'${COMMENT_OUT_DIRECTIVE}'|#'${COMMENT_OUT_DIRECTIVE}'|' ${COMMENT_OUT_CONF_FILE} fi } # Using sed to set passwords with arguments on the command line makes # it possible to see the new passwords using ps. This function creates # a temp file which is used as a script for sed (using the -f option). # This is safe because what's put in the file is done with echo, which # is a built-in shell command, so it will not appear in /proc. # Params: # $1 Sed script to replace values in a config file # $2 Config file to change pkgos_safesed () { local SAFESED_SCRIPT SAFESED_CONFIG_FILENAME SAFESED_TMPFILE SAFESED_SCRIPT=${1} SAFESED_CONFIG_FILENAME=${2} SAFESED_TMPFILE=`mktemp -t pkgos_safe_sed.XXXXXX` echo "${SAFESED_SCRIPT}" >${SAFESED_TMPFILE} sed -i -f ${SAFESED_TMPFILE} ${SAFESED_CONFIG_FILENAME} rm ${SAFESED_TMPFILE} } # Param: $1 conf file # $2 section # $3 directive pkgos_search_directive_line_num () { local CONF_FILE SECTION DIRECTIVE TOT_NUM_LINES CONF_FILE=${1} SECTION=${2} DIRECTIVE=${3} # Check if file is readable if ! [ -r ${CONF_FILE} ] ; then RET=NOT_FOUND return fi # Check if section exists if ! grep -q -E '^[ \t]*\['${SECTION}'\][ \t]*$' ${CONF_FILE} ; then RET=NOT_FOUND return fi # Calculate section start and end line TOT_NUM_LINES=$(cat ${CONF_FILE} | wc -l) SECTION_START=$(grep -n -E '^[ \t]*\['${SECTION}'\][ \t]*' ${CONF_FILE} | cut -d: -f1) UNTIL_END_FILE=$((${TOT_NUM_LINES} - ${SECTION_START})) SECTION_NUM_LINES=$(( $(tail -n ${UNTIL_END_FILE} ${CONF_FILE} | grep -n -E '^\[' | head -n 1 | cut -d: -f1) - 1)) if [ $SECTION_NUM_LINES = -1 ] ; then SECTION_NUM_LINES=$UNTIL_END_FILE fi if ! tail -n ${UNTIL_END_FILE} ${CONF_FILE} | head -n ${SECTION_NUM_LINES} | grep -q '^[#; \t]*'${DIRECTIVE}'[ \t]*[=\:][ \t]*' ; then RET=NOT_FOUND return fi DIR_LINE_IN_SEC=$(tail -n ${UNTIL_END_FILE} ${CONF_FILE} | head -n ${SECTION_NUM_LINES} | grep -n '^[#; \t]*'${DIRECTIVE}'[ \t]*[=\:][ \t]*' | head -n 1 | cut -d: -f1) RET=$((${SECTION_START} + ${DIR_LINE_IN_SEC})) } # Params: $1 = set or get (set means read mode and return a directive value, get means write a new value in it) # $2 = config file path (example: /etc/nova/nova.conf) # $3 = .ini file section (example: DEFAULT) # $4 = directive name (example: sql_connection) # $5 = only present in "set" mode: new value to replace in the .ini file # Note that if $3 = NO_SECTION, then get or set mode will not manage sections at all, # and will totally ignore the sections in the .ini file. # # Example (get the value of keystone hostname in your Nova box): # parse_ini_file /etc/nova/api-paste.ini filter:authtoken auth_host # # Returns: $RET: either NOT_FOUND, or the (previous, in the case of set) value of the searched directive pkgos_inifile () { local INIFILE_SHELL_INCLUDE INIFILE_ACCESS_MODE INIFILE_MYCONFIG INIFILE_SEARCH_SECTION SEARCH_DIRECTIVE INIFILE_CNT INIFILE_DIRECTIVE INIFILE_VALUE INIFILE_SECTION INIFILE_LINE DIRECTIVE_TYPE INIFILE_NEW_VALUE if [ "${1}" = "-shinc" ] ; then INIFILE_SHELL_INCLUDE=yes shift else INIFILE_SHELL_INCLUDE=no fi INIFILE_ACCESS_MODE=${1} ; INIFILE_MYCONFIG=${2} ; INIFILE_SEARCH_SECTION=${3} ; SEARCH_DIRECTIVE=${4} if [ "${PKGOS_VERBOSE}" = "yes" ] ; then if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then echo "pkgos_inifile: Setting value in ${INIFILE_MYCONFIG}:[${INIFILE_SEARCH_SECTION}]/${SEARCH_DIRECTIVE}" else echo "pkgos_inifile: Getting value in ${INIFILE_MYCONFIG}:[${INIFILE_SEARCH_SECTION}]/${SEARCH_DIRECTIVE}" fi fi if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then INIFILE_NEW_VALUE=${5} ; else INIFILE_NEW_VALUE="pkgos_inifile_function_called_with_wrong_access_mode" ; fi INIFILE_CNT=0 RET=NOT_FOUND if [ ! -r "${INIFILE_MYCONFIG}" ] ; then if [ "${PKGOS_VERBOSE}" = "yes" ] ; then echo "Config file ${INIFILE_MYCONFIG} not readable: exiting" ; fi return fi pkgos_search_directive_line_num ${INIFILE_MYCONFIG} ${INIFILE_SEARCH_SECTION} ${SEARCH_DIRECTIVE} if [ "${RET}" = "NOT_FOUND" ] ; then return fi INIFILE_CNT=${RET} INIFILE_LINE=$(head -n ${RET} ${INIFILE_MYCONFIG} | tail -n 1) if [ "x${INIFILE_ACCESS_MODE}" = "xget" ] ; then # This is a commented out directive if echo ${INIFILE_LINE} | grep -q -E '^[ \t]*#.*$' ; then RET="" return fi # This is a directive which uses the equal sign (directive = value) if echo ${INIFILE_LINE} | grep -q '^[ \t]*[\._\/a-zA-Z0-9]*[ \t]*=[ \t]*' ; then RET=`echo ${INIFILE_LINE} | cut -d= -f2 | sed -e 's/^[ \t]//g'` return # This one uses the semi-column sign (/directive: value) else RET=`echo ${INIFILE_LINE} | cut -d':' -f2 | sed -e 's/^[ \t]//g'` return fi elif [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then # This is a directive which uses the equal sign (directive = value) if echo ${INIFILE_LINE} | grep -q '^[ \t#]*[\._\/a-zA-Z0-9]*[ \t]*=[ \t]*' ; then pkgos_safesed "${INIFILE_CNT} s|.*|${SEARCH_DIRECTIVE} = ${INIFILE_NEW_VALUE}|" ${INIFILE_MYCONFIG} # This one uses the semi-column sign (/directive: value) else pkgos_safesed" ${INIFILE_CNT} s|.*|${SEARCH_DIRECTIVE}: ${INIFILE_NEW_VALUE}|" ${INIFILE_MYCONFIG} fi else RET="wrong mode" fi } # Read the value of a directive in a config file, # then prompt the user about it. # Example (options in this order please...): # pkgos_read_config -p medium /etc/keystone/keystone.conf auth_token keystone/auth-token DEFAULT # To be used in: config pkgos_read_config () { local READ_CONFIG_DIRECTIVE CONF_PATH READ_CONFIG_DEBCONF_NAME READ_CONFIG_SECTION FSET_SEEN READ_CONFIG_MY_PRIORITY if [ "${1}" = "-p" ] ; then READ_CONFIG_MY_PRIORITY=${2} shift shift else READ_CONFIG_MY_PRIORITY=high fi CONF_PATH=${1} READ_CONFIG_SECTION=${2} READ_CONFIG_DIRECTIVE=${3} READ_CONFIG_DEBCONF_NAME=${4} pkgos_inifile get ${CONF_PATH} ${READ_CONFIG_SECTION} ${READ_CONFIG_DIRECTIVE} if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then db_set ${READ_CONFIG_DEBCONF_NAME} ${RET} fi db_input ${READ_CONFIG_MY_PRIORITY} ${READ_CONFIG_DEBCONF_NAME} || true db_go db_get ${READ_CONFIG_DEBCONF_NAME} } # Read the current configuration for rabbitMQ and sets that into debconf # Params: $1 Path to config file # $2 Section in the config file # $3 prefix for the debconf template (eg: if we have nova/rabbit-host, then use "nova") # To be used in: config # Example call: pkgos_rabbit_read_conf /etc/nova/nova.conf DEFAULT nova pkgos_rabbit_read_conf () { local RB_CONF_PATH RB_SECTION RB_DEBCONF_PREFIX NO_PROTO RB_HOST RB_USER_PASS RB_USER RB_PASS RB_CONF_PATH=${1} RB_SECTION=${2} RB_DEBCONF_PREFIX=${3} db_input high ${RB_DEBCONF_PREFIX}/configure_rabbit || true db_go || true db_get ${RB_DEBCONF_PREFIX}/configure_rabbit if [ "$RET" = "true" ] ; then if [ -r ${RB_CONF_PATH} ] && grep -q -E '^[ \t]*transport_url[ \t]*=.*' ${RB_CONF_PATH} ; then pkgos_inifile get ${RB_CONF_PATH} DEFAULT transport_url if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then NO_PROTO=$(echo ${RET} | sed 's|^rabbit://||') RB_HOST=$(echo ${NO_PROTO} | cut -d@ -f2) RB_USER_PASS=$(echo ${NO_PROTO} | cut -d@ -f1) RB_USER=$(echo ${RB_USER_PASS} | cut -d: -f1) RB_PASS=$(echo ${RB_USER_PASS} | cut -d: -f2) if [ -n "${RB_HOST}" ] ; then db_set ${RB_DEBCONF_PREFIX}/rabbit-host ${RB_HOST} fi if [ -n "${RB_USER}" ] ; then db_set ${RB_DEBCONF_PREFIX}/rabbit-userid ${RB_USER} fi if [ -n "${RB_PASS}" ] ; then db_set ${RB_DEBCONF_PREFIX}/rabbit-password ${RB_PASS} fi db_input high ${RB_DEBCONF_PREFIX}/rabbit-host || true db_input high ${RB_DEBCONF_PREFIX}/rabbit-userid || true db_input high ${RB_DEBCONF_PREFIX}/rabbit-password || true db_go fi else pkgos_read_config ${RB_CONF_PATH} ${RB_SECTION} rabbit_host ${RB_DEBCONF_PREFIX}/rabbit-host pkgos_read_config ${RB_CONF_PATH} ${RB_SECTION} rabbit_userid ${RB_DEBCONF_PREFIX}/rabbit-userid pkgos_read_config ${RB_CONF_PATH} ${RB_SECTION} rabbit_password ${RB_DEBCONF_PREFIX}/rabbit-password fi fi } # Write the configuration for rabbitMQ # Params: $1 Path to config file # $2 Section in the config file # $3 prefix for the debconf template (eg: if we have nova/rabbit-host, then use "nova") # To be used in: postinst # Example call: pkgos_rabbit_write_conf /etc/nova/nova.conf DEFAULT nova pkgos_rabbit_write_conf () { local RB_CONF_PATH RB_SECTION RB_DEBCONF_PREFIX RB_HOST RB_USERID RB_PASS RB_CONF_PATH=${1} RB_SECTION=${2} RB_DEBCONF_PREFIX=${3} db_get ${RB_DEBCONF_PREFIX}/configure_rabbit if [ "$RET" = "true" ] ; then db_get ${RB_DEBCONF_PREFIX}/rabbit-host RB_HOST=${RET} db_get ${RB_DEBCONF_PREFIX}/rabbit-userid RB_USERID=${RET} db_get ${RB_DEBCONF_PREFIX}/rabbit-password RB_PASS=${RET} if ! grep -q -E '^[ \t#]*transport_url[ \t]*=.*' ${RB_CONF_PATH} ; then pkgos_add_directive ${RB_CONF_PATH} DEFAULT "transport_url =" "# Connection to the message queue." fi pkgos_comment_out_directive ${RB_CONF_PATH} ${RB_SECTION} rabbit_host pkgos_comment_out_directive ${RB_CONF_PATH} ${RB_SECTION} rabbit_userid pkgos_comment_out_directive ${RB_CONF_PATH} ${RB_SECTION} rabbit_password echo "===> openstack-pkg-tools: writing RabbitMQ credentials: rabbit://${RB_USERID}:XXXXXX@${RB_HOST} ..." pkgos_inifile set ${RB_CONF_PATH} DEFAULT transport_url rabbit://${RB_USERID}:${RB_PASS}@${RB_HOST} fi # Debconf isn't a registry, and this value has to be # asked on each install/upgrade. Also, if the user switches # to non-interactive, we don't want to do anything. db_unregister ${RB_DEBCONF_PREFIX}/configure_rabbit } # Read the connection directive from a config file # and fills the dbc_* variable accordingly, # then call dbconfig to do the actual configuration. # To be used in: config # Example call: pkgos_dbc_read_conf -pkg glance-common /etc/glance/glance-registry.conf glance DEFAULT sql_connection $@ pkgos_dbc_read_conf () { local ADDR BEFORE_AT AFTER_AT SERVER_PORT CONN_STRING PKG_NAME CONF_PATH PARSED_DB_TYPE PARSED_USER PARSED_PASS PARSED_DB_NAME PARSED_SERVER PARSED_PORT # This works around a bug in either dpkg, apt or debconf: in fact, # likely in debconf, the variable DPKG_MAINTSCRIPT_PACKAGE isn't # always set as it should. if [ "${1}" = "-pkg" ] ; then if [ -z "${DPKG_MAINTSCRIPT_PACKAGE}" ] ; then DPKG_MAINTSCRIPT_PACKAGE=$2 fi shift shift fi CONF_PATH=${1} CONN_SECTION=${2} CONN_DIRECTIVE=${3} PKG_NAME=${4} # Do not remove what's bellow. # We need to shift, because we're using $@ in the dbc_go call later shift shift shift shift db_input high ${PKG_NAME}/configure_db || true db_go || true db_get ${PKG_NAME}/configure_db DEFAULT_DBNAME=$(echo ${PKG_NAME}db | sed s/-//g) if [ "$RET" = "true" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then . /usr/share/dbconfig-common/dpkg/config if [ -e "${CONF_PATH}" ] ; then pkgos_inifile get ${CONF_PATH} ${CONN_SECTION} ${CONN_DIRECTIVE} if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then CONN_STRING=${RET} fi else CONN_STRING="" fi PARSED_DB_TYPE=${CONN_STRING%%:*} # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite) case "${PARSED_DB_TYPE}" in "mysql+pymysql") PARSED_DB_TYPE=mysql ;; sqlite|mysql|pgsql) ;; postgresql*) PARSED_DB_TYPE=pgsql ;; *) CONN_STRING="sqlite:///var/lib/${PKG_NAME}/${DEFAULT_DBNAME}" PARSED_DB_TYPE="sqlite" ;; esac if [ "${PARSED_DB_TYPE}" = "sqlite" ] ; then if [ "${CONN_STRING}" = "sqlite:///${PKG_NAME}.db" ] ; then CONN_STRING="sqlite:///var/lib/${PKG_NAME}/${DEFAULT_DBNAME}" fi PARSED_DB_PATH=${CONN_STRING#sqlite://} if [ -z "${PARSED_DB_PATH}" ] ; then PARSED_DB_PATH=/var/lib/${PKG_NAME}/${DEFAULT_DBNAME} fi dbc_basepath=`dirname "${PARSED_DB_PATH}"` dbc_dbname=`basename "${PARSED_DB_PATH}"` dbc_dbtypes="sqlite3, mysql, pgsql" else ADDR=${CONN_STRING#*sql://} BEFORE_AT=${ADDR%%@*} AFTER_AT=${ADDR#*@} SERVER_PORT=${AFTER_AT%%/*} PARSED_USER=${BEFORE_AT%%:*} PARSED_PASS=${BEFORE_AT#*:} PARSED_DB_NAME=${AFTER_AT#*/} PARSED_SERVER=${SERVER_PORT%%:*} case "${SERVER_PORT}" in *:*) PARSED_PORT=${SERVER_PORT#*:} ;; *) PARSED_PORT="" ;; esac if [ -n "${PARSED_USER}" ] && [ -n "${PARSED_PASS}" ] && [ -n "${PARSED_SERVER}" ] && [ -n "${PARSED_DB_NAME}" ] ; then dbc_dbuser=${PARSED_USER} dbc_dbpass=${PARSED_PASS} dbc_dbserver=${PARSED_SERVER} dbc_dbport=${PARSED_PORT} dbc_dbname=${PARSED_DB_NAME} fi if [ "${PARSED_DB_TYPE}" = "mysql" ] ; then dbc_dbtypes="mysql, pgsql, sqlite3" else dbc_dbtypes="pgsql, mysql, sqlite3" fi dbc_authmethod_user="password" fi dbc_mysql_createdb_encoding="UTF8" dbc_pgsql_createdb_encoding="UTF8" echo "PKG-Openstack now calling: dbc_go "${DPKG_MAINTSCRIPT_PACKAGE} $@ dbc_go "${DPKG_MAINTSCRIPT_PACKAGE}" $@ fi } # Perform a MySQL query in a safe way (eg: no password or queries in the command line) pkgos_mysql_query () { local MYSQL_Q_TMP MYSQL_P_TMP MYSQL_DBUSER MYSQL_DBPASS MYSQL_DBHOST MYSQL_DBPORT MYSQL_DBNAME MYSQL_QUERY MY_PORT MYSQL_DBUSER=${1} MYSQL_DBPASS=${2} MYSQL_DBHOST=${3} MYSQL_DBPORT=${4} MYSQL_DBNAME=${5} MYSQL_QUERY=${6} MYSQL_P_TMP=`mktemp -t OpenStack-mysql-statement.XXXXXXXXXX` MYSQL_Q_TMP=`mktemp -t OpenStack-mysql-statement.XXXXXXXXXX` echo "[client] password=${MYSQL_DBPASS}" >${MYSQL_P_TMP} echo ${MYSQL_QUERY} >${MYSQL_Q_TMP} if [ -n "${MYSQL_DBPORT}" ] ; then MY_PORT="--port=${MYSQL_DBPORT}" fi mysql --defaults-file=${MYSQL_P_TMP} -h${MYSQL_DBHOST} ${MY_PORT} -u${MYSQL_DBUSER} -D${MYSQL_DBNAME} < ${MYSQL_Q_TMP} rm -f ${MYSQL_Q_TMP} ${MYSQL_P_TMP} } # Read values configured by dbconfig-common, # and set a connection directive accordingly # in a configuration file # # Caller should use something like this: # pkgos_dbc_postinst /etc/keystone/keystone.conf keystone connection $@ # since dbc_go expect $@ as well. pkgos_dbc_postinst () { local DBC_POST_CONF_PATH CONF_DIR DBC_POST_CONF_FNAME PKG_NAME SUITE if [ "${1}" = "--suite" ] ; then SUITE=${2} shift shift else SUITE=${4} fi DBC_POST_CONF_PATH=${1} CONN_SECTION=${2} CONN_DIRECTIVE=${3} PKG_NAME=${4} shift shift shift shift CONF_DIR=`dirname ${DBC_POST_CONF_PATH}` DBC_POST_CONF_FNAME=`basename ${DBC_POST_CONF_PATH}` # Create config files if they don't exist if [ ! -d ${CONF_DIR} ] ; then mkdir -p ${CONF_DIR} fi chmod 0770 ${CONF_DIR} chown ${SUITE}:${SUITE} ${CONF_DIR} if [ ! -e ${DBC_POST_CONF_PATH} ] ; then install -D -m 0660 -o ${SUITE} -g ${SUITE} /usr/share/${DPKG_MAINTSCRIPT_PACKAGE}/${DBC_POST_CONF_FNAME} ${DBC_POST_CONF_PATH} fi db_get ${PKG_NAME}/configure_db if [ "$RET" = "true" ] && [ -r /usr/share/dbconfig-common/dpkg/postinst ] ; then . /usr/share/dbconfig-common/dpkg/postinst dbc_dbfile_owner="${SUITE}:${SUITE}" dbc_mysql_createdb_encoding="UTF8" dbc_pgsql_createdb_encoding="UTF8" dbc_go "${DPKG_MAINTSCRIPT_PACKAGE}" $@ if [ "$dbc_install" = "true" ] ; then case "$dbc_dbtype" in mysql) if [ -n "$dbc_dbport" ] ; then dbport=:$dbc_dbport fi SQL_CONNECTION="mysql+pymysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" # Set the DB as UTF8 Q="ALTER DATABASE \`${dbc_dbname}\` CHARACTER SET utf8 COLLATE utf8_unicode_ci" pkgos_mysql_query ${dbc_dbuser} ${dbc_dbpass} ${dbc_dbserver:-localhost} "${dbc_dbport}" ${dbc_dbname} "${Q}" echo "===> opensatck-pkg-tools: writing db credentials: mysql+pymysql://$dbc_dbuser:XXXXXX@${dbc_dbserver:-localhost}$dbport/$dbc_dbname ..." ;; postgresql*|pgsql) if [ -n "$dbc_dbport" ] ; then dbport=:$dbc_dbport fi SQL_CONNECTION="postgresql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" echo "===> opensatck-pkg-tools: writing db credentials: postgresql://$dbc_dbuser:XXXXXX@${dbc_dbserver:-localhost}$dbport/$dbc_dbname ..." ;; *) SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname" echo "===> opensatck-pkg-tools: writing db credentials: ${SQL_CONNECTION} ..." ;; esac pkgos_inifile set ${DBC_POST_CONF_PATH} ${CONN_SECTION} ${CONN_DIRECTIVE} ${SQL_CONNECTION} fi fi } # Reads auth_host, admin_tenant_name, admin_user and admin_password from old types of keystone_authtoken # or a www_authenticate_uri URL otherwise. # Prototype: pkgos_read_admin_creds
# Example calls: # pkgos_read_admin_creds /etc/glance/glance-api.conf keystone_authtoken glance # To be used in: .config scripts pkgos_read_admin_creds () { local READ_ADMIN_CRED_CONF_FNAME READ_ADMIN_CRED_PKG_NAME READ_ADMIN_CRED_SEARCH_SECTION READ_ADMIN_CRED_CONF_FNAME=${1} READ_ADMIN_CRED_SEARCH_SECTION=${2} READ_ADMIN_CRED_PKG_NAME=${3} db_input high ${READ_ADMIN_CRED_PKG_NAME}/configure_ksat || true db_go db_get ${READ_ADMIN_CRED_PKG_NAME}/configure_ksat if [ "${RET}" = "true" ] ; then # If the file is there, attempt to convert it from Pike and prior to Queens and above if [ -r "${READ_ADMIN_CRED_CONF_FNAME}" ] ; then # First, we migrate from old directives admin_tenant_name -> project_name, etc. # ### admin_password -> password ### pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} password if [ "${RET}" = "NOT_FOUND" ] ; then pkgos_add_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} "password =" "# Password for auth." fi pkgos_deprecate_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} admin_password ${READ_ADMIN_CRED_SEARCH_SECTION} password # ### admin_tenant_name -> project_name ### pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} project_name if [ "${RET}" = "NOT_FOUND" ] ; then pkgos_add_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} "project_name =" "# Project name for auth." fi pkgos_deprecate_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} admin_tenant_name ${READ_ADMIN_CRED_SEARCH_SECTION} project_name # ### admin_user -> username ### pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} username if [ "${RET}" = "NOT_FOUND" ] ; then pkgos_add_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} "username =" "# Username for auth." fi pkgos_deprecate_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} admin_user ${READ_ADMIN_CRED_SEARCH_SECTION} username # Then we manage auth_host -> www_authenticate_uri # and auth_uri -> www_authenticate_uri pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} www_authenticate_uri if [ "${RET}" = "NOT_FOUND" ] ; then pkgos_add_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} "www_authenticate_uri =" "# Complete 'public' Identity API endpoint." fi pkgos_deprecate_directive ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_uri ${READ_ADMIN_CRED_SEARCH_SECTION} www_authenticate_uri pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_host if [ "${RET}" != "NOT_FOUND" ] && [ -n "${RET}" ] ; then pkgos_inifile set ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} www_authenticate_uri http://${RET}:5000 fi pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_protocol if [ "${RET}" = "http" ] ; then PROTO=http else PROTO=https fi pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_host ADDR=${RET} if [ "${RET}" != "NOT_FOUND" ] && [ -n "${RET}" ] ; then pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} www_authenticate_uri if [ -z "${RET}" ] ; then pkgos_inifile set ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} www_authenticate_uri ${PROTO}://${ADDR}:5000 fi pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_url if [ -z "${RET}" ] ; then pkgos_inifile set ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_url ${PROTO}://${ADDR}:35357 fi fi pkgos_search_directive_line_num ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_host if [ "${RET}" != "NOT_FOUND" ] && [ -n "${RET}" ] ; then sed -i ${RET}'s/^auth_host/#auth_host/' ${READ_ADMIN_CRED_CONF_FNAME} fi pkgos_search_directive_line_num ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_protocol if [ "${RET}" != "NOT_FOUND" ] && [ -n "${RET}" ] ; then sed -i ${RET}'s/^auth_protocol/#auth_protocol/' ${READ_ADMIN_CRED_CONF_FNAME} fi fi # Get the public & admin endpoint of keystone + region name pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} www_authenticate_uri [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] && db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-public-url ${RET} db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-public-url || true pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_url [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] && db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-admin-url ${RET} db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-admin-url || true pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} region_name [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] && db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-region ${RET} db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-region || true db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-create-service-user || true db_go # If we must create a new user, then what is the admin credentials in Keystone to do it? db_get ${READ_ADMIN_CRED_PKG_NAME}/ksat-create-service-user if [ "${RET}" = "true" ] ; then db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-admin-username || true db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-admin-project-name || true db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-admin-password || true fi # Get the credentials to write in the keystone_authtoken pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} username if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-username ${RET} else DEF_USERNAME=$(echo ${READ_ADMIN_CRED_PKG_NAME} | sed s/-common//) db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-username ${DEF_USERNAME} fi db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-username || true pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} project_name [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] && db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-project-name ${RET} db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-project-name || true pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} password [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] && db_set ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-password ${RET} db_input high ${READ_ADMIN_CRED_PKG_NAME}/ksat-service-password || true db_go fi } # To be used in: postinst pkgos_write_admin_creds () { local WRITE_CRED_CONF_FNAME WRITE_CRED_PKG_NAME WRITE_CRED_SECTION NO_PROTO AFTER_PORT WRITE_CRED_URL WRITE_CRED_PROTO WRITE_CRED_CONF_FNAME=${1} WRITE_CRED_SECTION=${2} WRITE_CRED_PKG_NAME=${3} db_get ${WRITE_CRED_PKG_NAME}/configure_ksat if [ "${RET}" = "true" ] ; then db_get ${WRITE_CRED_PKG_NAME}/ksat-public-url KEYSTONE_PUBLIC_ENDPOINT=${RET} pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} www_authenticate_uri ${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-admin-url pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} auth_uri ${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-admin-url pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} auth_url ${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-region pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} region_name ${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-service-username SERVICE_USERNAME=${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-service-project-name SERVICE_PROJECTNAME=${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-service-password SERVICE_PASSWORD=${RET} # Should we create a new keystone user? db_get ${WRITE_CRED_PKG_NAME}/ksat-create-service-user if [ "${RET}" = "true" ] ; then # Set command line credentials db_get ${WRITE_CRED_PKG_NAME}/ksat-admin-username export OS_USERNAME=${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-admin-project-name export OS_TENANT_NAME=${RET} export OS_PROJECT_NAME=${RET} db_get ${WRITE_CRED_PKG_NAME}/ksat-admin-password export OS_PASSWORD=${RET} export OS_AUTH_URL=${KEYSTONE_PUBLIC_ENDPOINT} export OS_IDENTITY_API_VERSION=3 export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_AUTH_TYPE=password # And create that new service user with role admin echo "Creating project ${SERVICE_PROJECTNAME} ..." openstack project create --or-show ${SERVICE_PROJECTNAME} --description "Debian service project" echo "Creating user ${SERVICE_USERNAME} ..." openstack user create --or-show --password ${SERVICE_PASSWORD} --project ${SERVICE_PROJECTNAME} --email root@localhost --enable ${SERVICE_USERNAME} # This should not be needed right now, so removing it... # Edit: This is not truth, admin role is needed, it is also documented in documentation {kevko} echo "Adding role admin to the user ${SERVICE_USERNAME}" openstack role add --project ${SERVICE_PROJECTNAME} --user ${SERVICE_USERNAME} admin # Edit : This is bad >> {kevko} #echo "Adding role service to the user ${SERVICE_USERNAME} ..." #openstack role add --project ${SERVICE_PROJECTNAME} --user ${SERVICE_USERNAME} service fi echo "===> opensatck-pkg-tools: writing ${WRITE_CRED_SECTION} credentials for user ${SERVICE_USERNAME} and project ${SERVICE_PROJECTNAME} ..." pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} username ${SERVICE_USERNAME} pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} project_name ${SERVICE_PROJECTNAME} pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} password ${SERVICE_PASSWORD} fi # For security reasons, we don't keep the auth-token in the debconf # memory, so we purge it with db_unregister. db_unregister ${WRITE_CRED_PKG_NAME}/ksat-admin-password # Very likely, we don't want any upgrade to touch an already # working value of keystone_authtoken, so it's best to just # unregister this. db_unregister ${WRITE_CRED_PKG_NAME}/configure_ksat } pkgos_write_new_conf () { local WRITE_N_CONF_PKG_NAME CONF_FNAME WRITE_N_CONF_PKG_NAME=${1} CONF_FNAME=${2} SRC_PATH=/usr/share/${DPKG_MAINTSCRIPT_PACKAGE}/${CONF_FNAME} DST_DIR=/etc/${WRITE_N_CONF_PKG_NAME} DST_PATH=${DST_DIR}/${CONF_FNAME} # Create /etc/{package}/ directory and set right owner, group and permissions install -g ${WRITE_N_CONF_PKG_NAME} -o ${WRITE_N_CONF_PKG_NAME} -m 0750 -d ${DST_DIR} if [ ! -e ${DST_PATH} ] ; then # Copy config to /etc/{package}/ install -D -m 0640 -o root -g ${WRITE_N_CONF_PKG_NAME} ${SRC_PATH} ${DST_PATH} else # Set right owner, group and permissions for sure, if config already exist chown root:${WRITE_N_CONF_PKG_NAME} ${DST_PATH} chmod 0640 ${DST_PATH} fi } pkgos_adduser () { local VAR_UG_PKG_NAME local VAR_UG_SHELL VAR_UG_PKG_NAME=${1} VAR_UG_SHELL=${2} if [ -z "${VAR_UG_SHELL}" ] ; then VAR_UG_SHELL='/bin/false' fi # These are reserved UID/GID allocation # See https://bugs.debian.org/884178 case "${VAR_UG_PKG_NAME}" in "nova") ADDGROUP_PARAM="--gid 64060" ADDUSER_PARAM="--uid 64060" ;; "cinder") ADDGROUP_PARAM="--gid 64061" ADDUSER_PARAM="--uid 64061" ;; "glance") ADDGROUP_PARAM="--gid 64062" ADDUSER_PARAM="--uid 64062" ;; *) ADDGROUP_PARAM="" ADDUSER_PARAM="" ;; esac # Create user and groups if they don't exist if ! getent group ${VAR_UG_PKG_NAME} > /dev/null 2>&1 ; then addgroup --quiet --system ${VAR_UG_PKG_NAME} ${ADDGROUP_PARAM} fi if ! getent passwd ${VAR_UG_PKG_NAME} > /dev/null 2>&1 ; then adduser --system \ --home /var/lib/${VAR_UG_PKG_NAME} \ --no-create-home \ --quiet \ --disabled-password \ --shell ${VAR_UG_SHELL} \ --group ${VAR_UG_PKG_NAME} ${ADDUSER_PARAM} else usermod \ --shell ${VAR_UG_SHELL} \ ${VAR_UG_PKG_NAME} >/dev/null 2>&1 fi } pkgos_var_user_group () { local VAR_UG_PKG_NAME local VAR_UG_SHELL VAR_UG_PKG_NAME=${1} VAR_UG_SHELL=${2} # Remove user from adm group, because we was adding it nonintentionally deluser -q ${VAR_UG_PKG_NAME} adm 2>/dev/null || true pkgos_adduser ${VAR_UG_PKG_NAME} ${VAR_UG_SHELL} # Create /var/{lib,log}/ with that user/group if it doesn't exist if [ ! -d /var/lib/${VAR_UG_PKG_NAME} ] ; then mkdir -p /var/lib/${VAR_UG_PKG_NAME} fi chown ${VAR_UG_PKG_NAME}:${VAR_UG_PKG_NAME} /var/lib/${VAR_UG_PKG_NAME} if [ "${VAR_UG_PKG_NAME}" = "nova" ] ; then chmod 755 /var/lib/nova else chmod 0750 /var/lib/${VAR_UG_PKG_NAME} fi if [ ! -d /var/log/${VAR_UG_PKG_NAME} ] ; then mkdir -p /var/log/${VAR_UG_PKG_NAME} fi chown ${VAR_UG_PKG_NAME}:adm /var/log/${VAR_UG_PKG_NAME} chmod 0750 /var/log/${VAR_UG_PKG_NAME} } pkgos_init () { INIT_SCRIPT_NAME=${1} if [ -x /etc/init.d/${INIT_SCRIPT_NAME} ] ; then update-rc.d ${INIT_SCRIPT_NAME} defaults >/dev/null invoke-rc.d ${INIT_SCRIPT_NAME} start || true fi } pkgos_get_id () { SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://127.0.0.1:35357/v2.0/} SERVICE_TOKEN=${AUTH_TOKEN} "$@" | awk '/ id / { print $4 }' } # Asks the debconf questions for registering a service and its endpoint in keystone # Prototype: pkgos_register_endpoint_config # Example: pkgos_register_endpoint_config glance # To be used in: config pkgos_register_endpoint_config () { local REG_ENDP_PKG_NAME DEFROUTE_IF DEFROUTE_IP REG_ENDP_PKG_NAME=${1} db_input high ${REG_ENDP_PKG_NAME}/configure_api-endpoint || true db_go db_get ${REG_ENDP_PKG_NAME}/configure_api-endpoint if [ "${RET}" = "true" ] ; then db_get ${REG_ENDP_PKG_NAME}/api-keystone-address if [ -z "${RET}" ] ; then db_set ${REG_ENDP_PKG_NAME}/api-keystone-address 127.0.0.1 fi db_input medium ${REG_ENDP_PKG_NAME}/api-keystone-address || true db_input medium ${REG_ENDP_PKG_NAME}/api-keystone-proto || true db_input low ${REG_ENDP_PKG_NAME}/api-keystone-admin-username || true db_input low ${REG_ENDP_PKG_NAME}/api-keystone-admin-project-name || true db_input high ${REG_ENDP_PKG_NAME}/api-keystone-admin-password || true db_get ${REG_ENDP_PKG_NAME}/api-endpoint-address || true if [ -z "${RET}" ] ; then if which ip >/dev/null 2>&1 ; then DEFROUTE_IF=`awk '{ if ( $2 == "00000000" ) print $1 }' /proc/net/route | head -n 1` DEFROUTE_IP=`LC_ALL=C ip addr show "${DEFROUTE_IF}" | grep inet | head -n 1 | awk '{print $2}' | cut -d/ -f1 | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` else DEFROUTE_IP=`hostname -i | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` fi if [ -n "${DEFROUTE_IP}" ] ; then db_set ${REG_ENDP_PKG_NAME}/api-endpoint-address ${DEFROUTE_IP} fi fi db_input medium ${REG_ENDP_PKG_NAME}/api-endpoint-address || true db_input medium ${REG_ENDP_PKG_NAME}/api-endpoint-proto || true db_input medium ${REG_ENDP_PKG_NAME}/api-endpoint-region-name || true db_go fi } # Register a service and its endpoint in keystone # Prototype: # Example: pkgos_register_endpoint_postinst glance glance image "Glance Image Service" 9292 /v1 # To be used in: postinst pkgos_register_endpoint_postinst () { local PKG_NAME SERVICE_NAME SERVICE_TYPE SERVICE_DESC SERVICE_PORT SERVICE_URL KEYSTONE_ENDPOINT_IP AUTH_TOKEN PKG_ENDPOINT_IP REGION_NAME PKG_SERVICE_ID PKG_ENDPOINT_PROTO PKG_NAME=${1} SERVICE_NAME=${2} SERVICE_TYPE=${3} SERVICE_DESC=${4} SERVICE_PORT=${5} SERVICE_URL=${6} REG_ENDPOINT_IPV4_REGEX='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' REG_ENDPOINT_IPV6_REGEX="^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$" REG_ENDPOINT_FQDN_REGEX='^((([a-z0-9]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))\.)*(([a-z]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))$' REG_ENDPOINT_REGION_REGEX="^([_a-zA-Z0-9]+)([_.a-zA-Z0-9-]*)([_.a-zA-Z0-9]+)\$" db_get ${PKG_NAME}/configure_api-endpoint if [ "${RET}" = "true" ] ; then # Get and validate the format of Keystone's host address (ie: ipv4, ipv6, or fqdn) db_get ${PKG_NAME}/api-keystone-address KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV4_REGEX}` || true if [ -z "${KEYSTONE_ENDPOINT_IP}" ] ; then KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV6_REGEX}` || true if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep ${REG_ENDPOINT_FQDN_REGEX}` || true if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then echo "Keystone's address could not be validated: will not register endpoint." return fi fi fi # Get and validate the keystone server proto db_get ${PKG_NAME}/api-keystone-proto if [ "${RET}" = "https" ] ; then KEYSTONE_ENDPOINT_PROTO=https else KEYSTONE_ENDPOINT_PROTO=http fi # Get and validate the format of service endpoint hostname (ie: ipv4, ipv6, or fqdn) db_get ${PKG_NAME}/api-endpoint-address PKG_ENDPOINT_IP=`echo ${RET} | egrep ${REG_ENDPOINT_IPV4_REGEX}` || true if [ -z "${PKG_ENDPOINT_IP}" ] ; then PKG_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV6_REGEX}` || true if [ -z ${PKG_ENDPOINT_IP} ] ; then PKG_ENDPOINT_IP=`echo ${RET} | egrep ${REG_ENDPOINT_FQDN_REGEX}` || true if [ -z ${PKG_ENDPOINT_IP} ] ; then echo "This service address could not be validated: will not register endpoint." return fi fi fi # Get and validate the format of the region of the endpoint (ie: string with dots and dash) db_get ${PKG_NAME}/api-endpoint-region-name REGION_NAME=`echo "${RET}" | egrep ${REG_ENDPOINT_REGION_REGEX}` || true if [ -z "${REGION_NAME}" ] ; then echo "This region could not be validated: will not register endpoint." return fi db_get ${PKG_NAME}/api-endpoint-proto if [ "${RET}" = "https" ] ; then PKG_ENDPOINT_PROTO=https else PKG_ENDPOINT_PROTO=http fi db_get ${PKG_NAME}/api-keystone-admin-username KEYSTONE_ADMIN_NAME=${RET} db_get ${PKG_NAME}/api-keystone-admin-project-name KEYSTONE_PROJECT_NAME=${RET} db_get ${PKG_NAME}/api-keystone-admin-password KEYSTONE_ADMIN_PASSWORD=${RET} if [ -n "${KEYSTONE_ENDPOINT_IP}" ] && [ -n "${PKG_ENDPOINT_IP}" ] && [ -n "${REGION_NAME}" ] && [ -n "${KEYSTONE_PROJECT_NAME}" ] && [ -n "${KEYSTONE_ADMIN_NAME}" ] && [ -n "${KEYSTONE_ADMIN_PASSWORD}" ]; then echo "Registering service and endpoints for ${SERVICE_NAME} with type ${SERVICE_TYPE} at ${PKG_ENDPOINT_PROTO}://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL}" export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_TENANT_NAME=${KEYSTONE_PROJECT_NAME} export OS_PROJECT_NAME=${KEYSTONE_PROJECT_NAME} export OS_USERNAME=${KEYSTONE_ADMIN_NAME} export OS_PASSWORD=${KEYSTONE_ADMIN_PASSWORD} export OS_AUTH_URL=${KEYSTONE_ENDPOINT_PROTO}://${KEYSTONE_ENDPOINT_IP}:35357/v3/ export OS_IDENTITY_API_VERSION=3 export OS_AUTH_VERSION=3 export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_NO_CACHE=1 NUM_LINES=$(OS_PASSWORD=${KEYSTONE_ADMIN_PASSWORD} openstack service list --format=csv | q -d , -H 'SELECT ID FROM - WHERE `Type`="'${SERVICE_TYPE}'"' | wc -l) if [ "${NUM_LINES}" = "0" ] ; then openstack service create --name=${SERVICE_NAME} --description="${SERVICE_DESC}" ${SERVICE_TYPE} openstack endpoint create --region "${REGION_NAME}" ${SERVICE_NAME} public ${PKG_ENDPOINT_PROTO}://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} openstack endpoint create --region "${REGION_NAME}" ${SERVICE_NAME} internal ${PKG_ENDPOINT_PROTO}://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} openstack endpoint create --region "${REGION_NAME}" ${SERVICE_NAME} admin ${PKG_ENDPOINT_PROTO}://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} else echo "Service already registered: skipping service endpoint creation." fi else echo "Problem in endpoint parameter (IPs or otherwise). Will skip service endpoint creation." fi # Since there's very little chance a 2nd registration of the # endpoint will be needed, we forget the value of # ${PKG_NAME}/register-endpoint. If later on the # administrator of the server upgrades, it will be asked # again, or eventually, dpkg-reconfigure can # be used. db_unregister ${PKG_NAME}/configure_api-endpoint else echo "Will not register "${SERVICE_NAME}" endpoint this time (no user request for it)." fi # For security reasons, we don't keep the auth-token in the debconf # memory, so we purge it with db_unregister. db_unregister ${PKG_NAME}/api-keystone-admin-password } # Before removing the package, ask if we should remove the db # Prototype: pkgos_prerm_db_clean ${1} # Example: pkgos_prerm_db_clean ${1} neutron neutron-common pkgos_prerm_db_clean () { local PKPRM_TEMPLATE_PREFIX PKPRM_PACKAGE_NAME PKPRM_TEMPLATE_PREFIX=${1} PKPRM_PACKAGE_NAME=${2} shift shift DPKG_COMMAND=${1} if [ "${1}" = "remove" ] ; then . /usr/share/debconf/confmodule # We unregister the value, since we don't want to use # debconf as a register, and prefer a volatile thing. db_unregister ${PKPRM_TEMPLATE_PREFIX}/configure_db db_input ${PKPRM_TEMPLATE_PREFIX}/configure_db || true db_get ${PKPRM_TEMPLATE_PREFIX}/configure_db if [ "$RET" = "true" ]; then if [ -e /usr/share/dbconfig-common/dpkg/prerm ] ; then . /usr/share/dbconfig-common/dpkg/prerm dbc_go ${neutron-common} $@ fi fi fi } # Perform dbconfig-common cleanups when removing a package # Prototype: pkgos_postrm_db_clean $@ # Example: pkgos_postrm_db_clean neutron neutron-common $@ pkgos_postrm_db_clean () { local PKPRM_TEMPLATE_PREFIX PKPRM_PACKAGE_NAME PKPRM_TEMPLATE_PREFIX=${1} PKPRM_PACKAGE_NAME=${2} shift shift # Purge db on purge if [ -f /usr/share/debconf/confmodule ] ; then . /usr/share/debconf/confmodule db_get ${PKPRM_TEMPLATE_PREFIX}/configure_db if [ "$RET" = "true" ] ; then if [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then . /usr/share/dbconfig-common/dpkg/postrm dbc_go ${PKPRM_PACKAGE_NAME} $@ else rm -f /etc/dbconfig-common/${PKPRM_PACKAGE_NAME}.conf if which ucf >/dev/null 2>&1; then ucf --purge /etc/dbconfig-common/${PKPRM_PACKAGE_NAME}.conf ucfr --purge ${PKPRM_PACKAGE_NAME} /etc/dbconfig-common/${PKPRM_PACKAGE_NAME}.conf fi fi fi fi } # Perform cleanups when removing a package # Prototype: pkgos_postrm $@ # Example: pkgos_postrm neutron neutron-common $@ pkgos_postrm () { local PKPRM_TEMPLATE_PREFIX PKPRM_PACKAGE_NAME pkgos_postrm_db_clean $@ PKPRM_TEMPLATE_PREFIX=${1} PKPRM_PACKAGE_NAME=${2} shift shift rm -rf /var/lib/${PKPRM_TEMPLATE_PREFIX} /var/log/${PKPRM_TEMPLATE_PREFIX} /var/lock/${PKPRM_TEMPLATE_PREFIX} } ### End of included pkgos_func library KEY_CONF=/etc/keystone/keystone.conf keystone_get_debconf_admin_credentials () { db_get keystone/admin-user ADMIN_USER_NAME=${RET:-admin} db_get keystone/admin-password ADMIN_USER_PW=${RET:-$(gen_password)} db_get keystone/admin-email ADMIN_USER_EMAIL=${RET:-root@localhost} db_get keystone/admin-tenant-name ADMIN_TENANT_NAME=${RET:-admin} db_get keystone/admin-role-name ADMIN_ROLE_NAME=${RET:-admin} # We export the retrived credentials for later use export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_USERNAME=admin export OS_PASSWORD=${ADMIN_USER_PW} export OS_TENANT_NAME=${ADMIN_TENANT_NAME} export OS_PROJECT_NAME=${ADMIN_TENANT_NAME} export OS_AUTH_URL=http://127.0.0.1:35357/v3/ export OS_IDENTITY_API_VERSION=3 export OS_AUTH_VERSION=3 export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_NO_CACHE=1 } keystone_bootstrap_admin () { # This is the new way to bootstrap the admin user of Keystone # and we shouldn't use the admin auth token anymore. export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME} export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME} export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW} REG_ENDPOINT_IPV4_REGEX='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' REG_ENDPOINT_IPV6_REGEX="^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$" REG_ENDPOINT_FQDN_REGEX='^((([a-z0-9]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))\.)*(([a-z]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))$' REG_ENDPOINT_REGION_REGEX="^([_a-zA-Z0-9]+)([_.a-zA-Z0-9-]*)([_.a-zA-Z0-9]+)\$" db_get keystone/register-endpoint if [ "$RET" = "true" ] ; then do_REGISTER_THE_KS_ENDPOINT=yes db_get keystone/region-name my_REGION_NAME=${RET} REGION_NAME=${RET} db_get keystone/endpoint-ip # Validate that the choosen endpoint is an IPv4, IPv6 or FQDN KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV4_REGEX}` || true if [ -z "${KEYSTONE_ENDPOINT_IP}" ] ; then KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV6_REGEX}` || true if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep ${REG_ENDPOINT_FQDN_REGEX}` || true if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then echo "Keystone's address could not be validated: will not register endpoint." do_REGISTER_THE_KS_ENDPOINT=no fi fi fi # Validate that the region name has only chars, dashes and dots my_REGION_NAME=`echo "${REGION_NAME}" | egrep ${REG_ENDPOINT_REGION_REGEX}` || true if [ -z "${my_REGION_NAME}" ] ; then echo "This region could not be validated: will not register endpoint." do_REGISTER_THE_KS_ENDPOINT=no fi if [ "${do_REGISTER_THE_KS_ENDPOINT}" = "yes" ] ; then db_get keystone/endpoint-proto PROTO=${RET} BOOTSTRAP_ADDED_PARAMS="--bootstrap-region-id ${REGION_NAME} --bootstrap-admin-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:35357 --bootstrap-public-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000 --bootstrap-internal-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000" else BOOTSTRAP_ADDED_PARAMS="" fi else BOOTSTRAP_ADDED_PARAMS="" fi echo "Now doing: su keystone -s /bin/sh -c 'keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone ${BOOTSTRAP_ADDED_PARAMS}'" su keystone -s /bin/sh -c "keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone ${BOOTSTRAP_ADDED_PARAMS}" } keystone_create_admin_tenant () { echo -n "Fixing-up: admin-project-desc " openstack project set --description "Default Debian admin project" $ADMIN_TENANT_NAME echo -n "service-project " openstack project create --or-show service --description "Default Debian service project" >/dev/null echo -n "default-admin-email " openstack user set --description "Default Debian admin user" --email ${ADMIN_USER_EMAIL} --enable $ADMIN_USER_NAME echo "...done!" # Note: heat_stack_owner is needed for heat to work, and Member ResellerAdmin # are needed for swift auto account creation. echo -n "Adding roles: " for i in KeystoneAdmin KeystoneServiceAdmin heat_stack_owner Member ResellerAdmin rating service owner ; do echo -n "${i} " openstack role create --or-show ${i} >/dev/null openstack role add --project $ADMIN_TENANT_NAME --user $ADMIN_USER_NAME ${i} >/dev/null done echo "...done!" } if [ "$1" = "configure" ] ; then . /usr/share/debconf/confmodule . /usr/share/dbconfig-common/dpkg/postinst # Create user and group keystone, plus /var/log and /var/lib owned by it # We need a bash shell so that keystone-manage pkg_setup works, and the # Wheezy package doesn't have it, failing upgrades pkgos_var_user_group keystone /bin/sh # Make sure we have a folder to create certs, that isn't world readable mkdir -p /etc/keystone/ssl/certs chown keystone:keystone /etc/keystone/ssl/certs chmod 750 /etc/keystone/ssl/certs chown keystone:keystone /etc/keystone/ssl chmod 750 /etc/keystone/ssl # Create keystone.conf if it's not there pkgos_write_new_conf keystone keystone.conf pkgos_write_new_conf keystone policy.json OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:35357/v3/ --os-domain-name default --os-identity-api-version=3" # Make sure /var/log/keystone/keystone.log is owned by keystone # BEFORE any keystone-manage calls. chown -R keystone:keystone /var/log/keystone # Upgrade or create the db if directed to do so db_get keystone/configure_db if [ "$RET" = "true" ] ; then # Configure the SQL connection of keystone.conf according to dbconfig-common pkgos_dbc_postinst ${KEY_CONF} database connection keystone $@ echo "Running: su keystone -s /bin/sh -c 'keystone-manage db_sync'..." su keystone -s /bin/sh -c "keystone-manage db_sync" echo "Running: su keystone -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'..." su keystone -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' echo "Running: su keystone -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone'..." su keystone -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone' fi chown keystone:adm /var/log/keystone # Activate the Apache vhost a2enmod wsgi || true a2ensite wsgi-keystone.conf || true invoke-rc.d apache2 restart || true # This is for uwsgi, which unfortunately failed with intermitent apache 104 error # which stands for "TCP connection reset by peer". So we switch back to Apache # until we can find a fix for that. # if [ -n $(which systemctl)"" ] ; then # systemctl enable keystone-admin # systemctl enable keystone-public # fi # if [ -n $(which update-rc.d)"" ] ; then # update-rc.d keystone-admin defaults # update-rc.d keystone-public defaults # fi # invoke-rc.d keystone-admin start # invoke-rc.d keystone-public start db_get keystone/create-admin-tenant if [ "$RET" = "true" ] ; then echo -n "Sleeping 10 seconds to make sure the keystone daemon is up and running: 10..." sleep 1 echo -n "9..." sleep 1 echo -n "8..." sleep 1 echo -n "7..." sleep 1 echo -n "6..." sleep 1 echo -n "5..." sleep 1 echo -n "4..." sleep 1 echo -n "3..." sleep 1 echo -n "2..." sleep 1 echo -n "1..." sleep 1 echo "0" keystone_get_debconf_admin_credentials echo "===> Bootstraping tenants with 'keystone-manage bootstrap':" keystone_get_debconf_admin_credentials keystone_bootstrap_admin db_unregister keystone/register-endpoint echo "===> Editing bootstraped tenants and adding default roles" keystone_create_admin_tenant echo "done!" fi db_unregister keystone/create-admin-tenant db_stop fi exit 0