#!/bin/sh set -e ### Start of included pkgos_func library #!/bin/sh # -*- mode: shell-script -*- pkgos_gen_pass () { i=$(dd if=/dev/random bs=64 count=1 2>|/dev/null | md5sum) echo ${i% *} } # This function removes a section, because we need that in the case # of an upgrade from one version to the next. It is for example # needed for keystone to upgrade from Grizzly to Havana. # Params: # $1 Init file path # $2 Section to remove pkgos_remove_section () { local REMOVESEC_INIFILE REMOVESEC_SEARCH_SECTION REMOVESEC_INIFILE_CNT REMOVESEC_LINE REMOVESEC_FOUND_SECTION REMOVESEC_START_LINE REMOVESEC_END_LINE REMOVESEC_INIFILE=${1} REMOVESEC_SEARCH_SECTION=${2} if [ ! -r ${REMOVESEC_INIFILE} ] ; then return ; fi # Iterate through all lines of the file to search for section start/end line number REMOVESEC_INIFILE_CNT=0 REMOVESEC_FOUND_SECTION="" REMOVESEC_START_LINE="" REMOVESEC_END_LINE="" while read REMOVESEC_LINE ; do REMOVESEC_INIFILE_CNT=$((${REMOVESEC_INIFILE_CNT} + 1 )) if echo ${REMOVESEC_LINE} | grep -q '^[ \t]*\[.*\][ \t]*$' ; then REMOVESEC_FOUND_SECTION=`echo ${REMOVESEC_LINE} | sed -e 's/\[//' | sed -e 's/\]//'` echo "Found section: ${REMOVESEC_FOUND_SECTION}" if [ "${REMOVESEC_FOUND_SECTION}" = "${REMOVESEC_SEARCH_SECTION}" ] ; then REMOVESEC_START_LINE=$(( ${REMOVESEC_INIFILE_CNT} - 1 )) else if [ -n "${REMOVESEC_START_LINE}" ] && [ -z "${REMOVESEC_END_LINE}" ] ; then REMOVESEC_END_LINE=$(( ${REMOVESEC_INIFILE_CNT} -1 )) fi fi fi done < ${REMOVESEC_INIFILE} # Case where the section is last in the file if [ -n "${REMOVESEC_START_LINE}" ] && [ -z "${REMOVESEC_END_LINE}" ] ; then REMOVESEC_END_LINE=${REMOVESEC_INIFILE_CNT} fi # Section found, remove it! if [ -n "${REMOVESEC_START_LINE}" ] && [ -n "${REMOVESEC_END_LINE}" ] ; then REMOVESEC_CONF_LINES_NUM=`wc -l ${REMOVESEC_INIFILE} | cut -d" " -f1` REMOVESEC_CUT_END=$((${REMOVESEC_CONF_LINES_NUM} - ${REMOVESEC_END_LINE} )) REMOVESEC_TMPFILE=`mktemp -t pkgos_removesec.XXXXXX` head -n ${REMOVESEC_START_LINE} ${REMOVESEC_INIFILE} >${REMOVESEC_TMPFILE} tail -n ${REMOVESEC_CUT_END} ${REMOVESEC_INIFILE} >>${REMOVESEC_TMPFILE} cat <${REMOVESEC_TMPFILE} >${REMOVESEC_INIFILE} rm ${REMOVESEC_TMPFILE} fi } # Using sed to set passwords with arguments on the command line makes # it possible to see the new passwords using ps. This function creates # a temp file which is used as a script for sed (using the -f option). # This is safe because what's put in the file is done with echo, which # is a built-in shell command, so it will not appear in /proc. # Params: # $1 Sed script to replace values in a config file # $2 Config file to change pkgos_safesed () { local SAFESED_SCRIPT SAFESED_CONFIG_FILENAME SAFESED_TMPFILE SAFESED_SCRIPT=${1} SAFESED_CONFIG_FILENAME=${2} SAFESED_TMPFILE=`mktemp -t pkgos_safe_sed.XXXXXX` echo "${SAFESED_SCRIPT}" >${SAFESED_TMPFILE} sed -i -f ${SAFESED_TMPFILE} ${SAFESED_CONFIG_FILENAME} rm ${SAFESED_TMPFILE} } # Params: $1 = set or get (set means read mode and return a directive value, get means write a new value in it) # $2 = config file path (example: /etc/nova/nova.conf) # $3 = .ini file section (example: DEFAULT) # $4 = directive name (example: sql_connection) # $5 = only present in "set" mode: new value to replace in the .ini file # Note that if $3 = NO_SECTION, then get or set mode will not manage sections at all, # and will totally ignore the sections in the .ini file. # # Example (get the value of keystone hostname in your Nova box): # parse_ini_file /etc/nova/api-paste.ini filter:authtoken auth_host # # Returns: $RET: either NOT_FOUND, or the (previous, in the case of set) value of the searched directive pkgos_inifile () { local INIFILE_SHELL_INCLUDE INIFILE_ACCESS_MODE INIFILE_MYCONFIG INIFILE_SEARCH_SECTION SEARCH_DIRECTIVE INIFILE_CNT INIFILE_DIRECTIVE INIFILE_VALUE INIFILE_SECTION INIFILE_LINE DIRECTIVE_TYPE INIFILE_NEW_VALUE if [ "${1}" = "-shinc" ] ; then INIFILE_SHELL_INCLUDE=yes shift else INIFILE_SHELL_INCLUDE=no fi INIFILE_ACCESS_MODE=${1} ; INIFILE_MYCONFIG=${2} ; INIFILE_SEARCH_SECTION=${3} ; SEARCH_DIRECTIVE=${4} if [ "${PKGOS_VERBOSE}" = "yes" ] ; then if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then echo "pkgos_inifile: Setting value in ${INIFILE_MYCONFIG}:[${INIFILE_SEARCH_SECTION}]/${SEARCH_DIRECTIVE}" else echo "pkgos_inifile: Getting value in ${INIFILE_MYCONFIG}:[${INIFILE_SEARCH_SECTION}]/${SEARCH_DIRECTIVE}" fi fi if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then INIFILE_NEW_VALUE=${5} ; else INIFILE_NEW_VALUE="pkgos_inifile_function_called_with_wrong_access_mode" ; fi INIFILE_CNT=0 RET=NOT_FOUND if [ ! -r "${INIFILE_MYCONFIG}" ] ; then if [ "${PKGOS_VERBOSE}" = "yes" ] ; then echo "Config file ${INIFILE_MYCONFIG} not readable: exiting" ; fi return fi # Iterate through all lines of the file while read INIFILE_LINE ; do INIFILE_CNT=$((${INIFILE_CNT} + 1 )) # This is a section block: [DEFAULT] if echo ${INIFILE_LINE} | grep -q '^[ \t]*\[.*\][ \t]*$' ; then if [ ! "${INIFILE_SEARCH_SECTION}" = "NO_SECTION" ] ; then INIFILE_SECTION=`echo ${INIFILE_LINE} | sed -e 's/\[//' -e 's/\]//'` #echo "===> $INIFILE_SECTION" fi continue fi # If we aren't in the section we're searching for, let's end things here for this line if ! [ "${INIFILE_SECTION}" = "${INIFILE_SEARCH_SECTION}" ] ; then continue fi # This is a directive: auth_host = 127.0.0.1 if echo ${INIFILE_LINE} | grep -q '^[;#]*[ \t]*[\._\/a-zA-Z0-9]*[ \t]*[=\:][ \t]*' ; then # This is a commented out directive, let's remove the comment # if there's no such active directive in the file if grep -q '^[#;][ \t]*[\._\/a-zA-Z0-9]*[ \t]*[=\:][ \t]*' ${INIFILE_MYCONFIG} ; then if echo ${INIFILE_LINE} | grep -q '^[#;][ \t]*'${SEARCH_DIRECTIVE}'[ \t]*[=\:][ \t]*' ; then INIFILE_LINE=`echo ${INIFILE_LINE} | sed -e 's/^#//'` fi fi # This is a directive which uses the equal sign (directive = value) if echo ${INIFILE_LINE} | grep -q '^[ \t]*[\._\/a-zA-Z0-9]*[ \t]*=[ \t]*' ; then INIFILE_DIRECTIVE=`echo ${INIFILE_LINE} | cut -d= -f1 | awk '{print $1}'` DIRECTIVE_TYPE="equal" INIFILE_VALUE=`echo ${INIFILE_LINE} | cut -d= -f2 | sed -e 's/^[ \t]//'` #echo ${INIFILE_DIRECTIVE}=${INIFILE_VALUE} # This one uses the semi-column sign (/directive: value) else INIFILE_DIRECTIVE=`echo ${INIFILE_LINE} | cut -d':' -f1 | awk '{print $1}'` DIRECTIVE_TYPE="dots" INIFILE_VALUE=`echo ${INIFILE_LINE} | cut -d':' -f2 | sed -e 's/^[ \t]//'` #echo ${INIFILE_DIRECTIVE}: ${INIFILE_VALUE} fi if [ "${INIFILE_SECTION}" = "${INIFILE_SEARCH_SECTION}" ] && [ "${INIFILE_DIRECTIVE}" = "${SEARCH_DIRECTIVE}" ] ; then RET=${INIFILE_VALUE} if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then if [ "${DIRECTIVE_TYPE}" = "equal" ] ; then if [ "${INIFILE_SHELL_INCLUDE}" = "yes" ] ; then pkgos_safesed ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}'='${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG} else pkgos_safesed ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' = '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG} fi else pkgos_safesed ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}': '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG} fi fi return fi # This is a comment block elif echo $INIFILE_LINE | grep -q '^[ \t]*#.*$' ; then echo -n "" fi done < ${INIFILE_MYCONFIG} } # Read the value of a directive in a config file, # then prompt the user about it. # Example (options in this order please...): # pkgos_read_config -p medium /etc/keystone/keystone.conf auth_token keystone/auth-token DEFAULT # To be used in: config pkgos_read_config () { local READ_CONFIG_DIRECTIVE CONF_PATH READ_CONFIG_DEBCONF_NAME READ_CONFIG_SECTION FSET_SEEN READ_CONFIG_MY_PRIORITY if [ "${1}" = "-p" ] ; then READ_CONFIG_MY_PRIORITY=${2} shift shift else READ_CONFIG_MY_PRIORITY=high fi CONF_PATH=${1} READ_CONFIG_SECTION=${2} READ_CONFIG_DIRECTIVE=${3} READ_CONFIG_DEBCONF_NAME=${4} pkgos_inifile get ${CONF_PATH} ${READ_CONFIG_SECTION} ${READ_CONFIG_DIRECTIVE} if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then db_set ${READ_CONFIG_DEBCONF_NAME} ${RET} fi db_input ${READ_CONFIG_MY_PRIORITY} ${READ_CONFIG_DEBCONF_NAME} || true db_go db_get ${READ_CONFIG_DEBCONF_NAME} } # Read the current configuration for rabbitMQ and sets that into debconf # Params: $1 Path to config file # $2 Section in the config file # $3 prefix for the debconf template (eg: if we have nova/rabbit_host, then use "nova") # To be used in: config # Example call: pkgos_rabbit_read_conf /etc/nova/nova.conf DEFAULT nova pkgos_rabbit_read_conf () { local RB_CONF_PATH RB_SECTION RB_DEBCONF_PREFIX RB_CONF_PATH=${1} RB_SECTION=${2} RB_DEBCONF_PREFIX=${3} pkgos_read_config ${RB_CONF_PATH} ${RB_SECTION} rabbit_host ${RB_DEBCONF_PREFIX}/rabbit_host pkgos_read_config ${RB_CONF_PATH} ${RB_SECTION} rabbit_userid ${RB_DEBCONF_PREFIX}/rabbit_userid pkgos_read_config ${RB_CONF_PATH} ${RB_SECTION} rabbit_password ${RB_DEBCONF_PREFIX}/rabbit_password } # Write the configuration for rabbitMQ # Params: $1 Path to config file # $2 Section in the config file # $3 prefix for the debconf template (eg: if we have nova/rabbit_host, then use "nova") # To be used in: postinst # Example call: pkgos_rabbit_write_conf /etc/nova/nova.conf DEFAULT nova pkgos_rabbit_write_conf () { local RB_CONF_PATH RB_SECTION RB_DEBCONF_PREFIX RB_CONF_PATH=${1} RB_SECTION=${2} RB_DEBCONF_PREFIX=${3} db_get ${RB_DEBCONF_PREFIX}/rabbit_host pkgos_inifile set ${RB_CONF_PATH} ${RB_SECTION} rabbit_host ${RET} db_get ${RB_DEBCONF_PREFIX}/rabbit_userid pkgos_inifile set ${RB_CONF_PATH} ${RB_SECTION} rabbit_userid ${RET} db_get ${RB_DEBCONF_PREFIX}/rabbit_password pkgos_inifile set ${RB_CONF_PATH} ${RB_SECTION} rabbit_password ${RET} } # Read the connection directive from a config file # and fills the dbc_* variable accordingly, # then call dbconfig to do the actual configuration. # To be used in: config # Example call: pkgos_dbc_read_conf -pkg glance-common /etc/glance/glance-registry.conf glance DEFAULT sql_connection $@ pkgos_dbc_read_conf () { local ADDR BEFORE_AT AFTER_AT SERVER_PORT CONN_STRING PKG_NAME CONF_PATH PARSED_DB_TYPE PARSED_USER PARSED_PASS PARSED_DB_NAME PARSED_SERVER PARSED_PORT # This works around a bug in either dpkg, apt or debconf: in fact, # likely in debconf, the variable DPKG_MAINTSCRIPT_PACKAGE isn't # always set as it should. if [ "${1}" = "-pkg" ] ; then if [ -z "${DPKG_MAINTSCRIPT_PACKAGE}" ] ; then DPKG_MAINTSCRIPT_PACKAGE=$2 fi shift shift fi CONF_PATH=${1} CONN_SECTION=${2} CONN_DIRECTIVE=${3} PKG_NAME=${4} # Do not remove what's bellow. # We need to shift, because we're using $@ in the dbc_go call later shift shift shift shift db_input high ${PKG_NAME}/configure_db || true db_go || true db_get ${PKG_NAME}/configure_db DEFAULT_DBNAME=$(echo ${PKG_NAME}db | sed s/-//g) if [ "$RET" = "true" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then . /usr/share/dbconfig-common/dpkg/config if [ -e "${CONF_PATH}" ] ; then pkgos_inifile get ${CONF_PATH} ${CONN_SECTION} ${CONN_DIRECTIVE} if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then CONN_STRING=${RET} fi else CONN_STRING="" fi PARSED_DB_TYPE=${CONN_STRING%%:*} # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite) case "${PARSED_DB_TYPE}" in "mysql+pymysql") PARSED_DB_TYPE=mysql ;; sqlite|mysql|pgsql) ;; postgresql*) PARSED_DB_TYPE=pgsql ;; *) CONN_STRING="sqlite:///var/lib/${PKG_NAME}/${DEFAULT_DBNAME}" PARSED_DB_TYPE="sqlite" ;; esac if [ "${PARSED_DB_TYPE}" = "sqlite" ] ; then if [ "${CONN_STRING}" = "sqlite:///${PKG_NAME}.db" ] ; then CONN_STRING="sqlite:///var/lib/${PKG_NAME}/${DEFAULT_DBNAME}" fi PARSED_DB_PATH=${CONN_STRING#sqlite://} if [ -z "${PARSED_DB_PATH}" ] ; then PARSED_DB_PATH=/var/lib/${PKG_NAME}/${DEFAULT_DBNAME} fi dbc_basepath=`dirname "${PARSED_DB_PATH}"` dbc_dbname=`basename "${PARSED_DB_PATH}"` dbc_dbtypes="sqlite3, mysql, pgsql" else ADDR=${CONN_STRING#*sql://} BEFORE_AT=${ADDR%%@*} AFTER_AT=${ADDR#*@} SERVER_PORT=${AFTER_AT%%/*} PARSED_USER=${BEFORE_AT%%:*} PARSED_PASS=${BEFORE_AT#*:} PARSED_DB_NAME=${AFTER_AT#*/} PARSED_SERVER=${SERVER_PORT%%:*} case "${SERVER_PORT}" in *:*) PARSED_PORT=${SERVER_PORT#*:} ;; *) PARSED_PORT="" ;; esac if [ -n "${PARSED_USER}" ] && [ -n "${PARSED_PASS}" ] && [ -n "${PARSED_SERVER}" ] && [ -n "${PARSED_DB_NAME}" ] ; then dbc_dbuser=${PARSED_USER} dbc_dbpass=${PARSED_PASS} dbc_dbserver=${PARSED_SERVER} dbc_dbport=${PARSED_PORT} dbc_dbname=${PARSED_DB_NAME} fi if [ "${PARSED_DB_TYPE}" = "mysql" ] ; then dbc_dbtypes="mysql, pgsql, sqlite3" else dbc_dbtypes="pgsql, mysql, sqlite3" fi dbc_authmethod_user="password" fi dbc_mysql_createdb_encoding="UTF8" dbc_pgsql_createdb_encoding="UTF8" echo "PKG-Openstack now calling: dbc_go "${DPKG_MAINTSCRIPT_PACKAGE} $@ dbc_go "${DPKG_MAINTSCRIPT_PACKAGE}" $@ fi } # Perform a MySQL query in a safe way (eg: no password or queries in the command line) pkgos_mysql_query () { local MYSQL_Q_TMP MYSQL_P_TMP MYSQL_DBUSER MYSQL_DBPASS MYSQL_DBHOST MYSQL_DBPORT MYSQL_DBNAME MYSQL_QUERY MY_PORT MYSQL_DBUSER=${1} MYSQL_DBPASS=${2} MYSQL_DBHOST=${3} MYSQL_DBPORT=${4} MYSQL_DBNAME=${5} MYSQL_QUERY=${6} MYSQL_P_TMP=`mktemp -t OpenStack-mysql-statement.XXXXXXXXXX` MYSQL_Q_TMP=`mktemp -t OpenStack-mysql-statement.XXXXXXXXXX` echo "[client] password=${MYSQL_DBPASS}" >${MYSQL_P_TMP} echo ${MYSQL_QUERY} >${MYSQL_Q_TMP} if [ -n "${MYSQL_DBPORT}" ] ; then MY_PORT="--port=${MYSQL_DBPORT}" fi mysql --defaults-file=${MYSQL_P_TMP} -h${MYSQL_DBHOST} ${MY_PORT} -u${MYSQL_DBUSER} -D${MYSQL_DBNAME} < ${MYSQL_Q_TMP} rm -f ${MYSQL_Q_TMP} ${MYSQL_P_TMP} } # Read values configured by dbconfig-common, # and set a connection directive accordingly # in a configuration file # # Caller should use something like this: # pkgos_dbc_postinst /etc/keystone/keystone.conf keystone connection $@ # since dbc_go expect $@ as well. pkgos_dbc_postinst () { local DBC_POST_CONF_PATH CONF_DIR DBC_POST_CONF_FNAME PKG_NAME SUITE if [ "${1}" = "--suite" ] ; then SUITE=${2} shift shift else SUITE=${4} fi DBC_POST_CONF_PATH=${1} CONN_SECTION=${2} CONN_DIRECTIVE=${3} PKG_NAME=${4} shift shift shift shift CONF_DIR=`dirname ${DBC_POST_CONF_PATH}` DBC_POST_CONF_FNAME=`basename ${DBC_POST_CONF_PATH}` # Create config files if they don't exist if [ ! -d ${CONF_DIR} ] ; then mkdir -p ${CONF_DIR} fi chmod 0770 ${CONF_DIR} chown ${SUITE}:${SUITE} ${CONF_DIR} if [ ! -e ${DBC_POST_CONF_PATH} ] ; then install -D -m 0660 -o ${SUITE} -g ${SUITE} /usr/share/${DPKG_MAINTSCRIPT_PACKAGE}/${DBC_POST_CONF_FNAME} ${DBC_POST_CONF_PATH} fi db_get ${PKG_NAME}/configure_db if [ "$RET" = "true" ] && [ -r /usr/share/dbconfig-common/dpkg/postinst ] ; then . /usr/share/dbconfig-common/dpkg/postinst dbc_dbfile_owner="${SUITE}:${SUITE}" dbc_mysql_createdb_encoding="UTF8" dbc_pgsql_createdb_encoding="UTF8" dbc_go "${DPKG_MAINTSCRIPT_PACKAGE}" $@ if [ "$dbc_install" = "true" ] ; then case "$dbc_dbtype" in mysql) if [ -n "$dbc_dbport" ] ; then dbport=:$dbc_dbport fi SQL_CONNECTION="mysql+pymysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" # Set the DB as UTF8 Q="ALTER DATABASE \`${dbc_dbname}\` CHARACTER SET utf8 COLLATE utf8_unicode_ci" pkgos_mysql_query ${dbc_dbuser} ${dbc_dbpass} ${dbc_dbserver:-localhost} "${dbc_dbport}" ${dbc_dbname} "${Q}" ;; postgresql*|pgsql) if [ -n "$dbc_dbport" ] ; then dbport=:$dbc_dbport fi SQL_CONNECTION="postgresql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname" ;; *) SQL_CONNECTION="sqlite:///$dbc_basepath/$dbc_dbname" ;; esac pkgos_inifile set ${DBC_POST_CONF_PATH} ${CONN_SECTION} ${CONN_DIRECTIVE} ${SQL_CONNECTION} fi fi } # Reads auth_host, admin_tenant_name, admin_user and admin_password # values with debconf # Prototype: pkgos_read_admin_creds
# Example calls: # pkgos_read_admin_creds /etc/glance/glance-api.conf glance keystone_authtoken # To be used in: config pkgos_read_admin_creds () { local READ_ADMIN_CRED_CONF_FNAME READ_ADMIN_CRED_PKG_NAME READ_ADMIN_CRED_SEARCH_SECTION READ_ADMIN_CRED_CONF_FNAME=${1} READ_ADMIN_CRED_SEARCH_SECTION=${2} READ_ADMIN_CRED_PKG_NAME=${3} if [ ! -r "${READ_ADMIN_CRED_CONF_FNAME}" ] ; then # If the file doesn't exist, just ask... db_input high ${READ_ADMIN_CRED_PKG_NAME}/auth-host || true else if grep -q auth_host ${READ_ADMIN_CRED_CONF_FNAME} ; then pkgos_read_config ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_host ${READ_ADMIN_CRED_PKG_NAME}/auth-host else # This is needed for l3_agent.ini if grep -q auth_url ${READ_ADMIN_CRED_CONF_FNAME} ; then pkgos_inifile get ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} auth_url if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then NO_PROTO=${RET#http://} if [ ${NO_PROTO} = ${RET} ] ; then NO_PROTO=${RET#https://} fi BEFORE_PORT=$(echo ${NO_PROTO} | cut -d":" -f1) if [ -n "${BEFORE_PORT}" ] ; then db_set ${READ_ADMIN_CRED_PKG_NAME}/auth-host ${BEFORE_PORT} fi fi db_input high ${READ_ADMIN_CRED_PKG_NAME}/auth-host || true db_go else echo "Couldn't find either auth_host or auth_url :(" fi fi fi pkgos_read_config -p medium ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} admin_tenant_name ${READ_ADMIN_CRED_PKG_NAME}/admin-tenant-name pkgos_read_config -p medium ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} admin_user ${READ_ADMIN_CRED_PKG_NAME}/admin-user pkgos_read_config ${READ_ADMIN_CRED_CONF_FNAME} ${READ_ADMIN_CRED_SEARCH_SECTION} admin_password ${READ_ADMIN_CRED_PKG_NAME}/admin-password } # To be used in: postinst pkgos_write_admin_creds () { local WRITE_CRED_CONF_FNAME WRITE_CRED_PKG_NAME WRITE_CRED_SECTION NO_PROTO AFTER_PORT WRITE_CRED_URL WRITE_CRED_PROTO WRITE_CRED_CONF_FNAME=${1} WRITE_CRED_SECTION=${2} WRITE_CRED_PKG_NAME=${3} db_get ${WRITE_CRED_PKG_NAME}/auth-host WRITE_CRED_AUTH_HOST=${RET} if grep -q auth_host ${WRITE_CRED_CONF_FNAME} ; then pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} auth_host ${RET} else # This is needed for l3_agent.ini if grep -q auth_url ${WRITE_CRED_CONF_FNAME} ; then pkgos_inifile get ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} auth_url if [ -n "${RET}" ] && [ ! "${RET}" = "NOT_FOUND" ] ; then NO_PROTO=${RET#http://} WRITE_CRED_PROTO="http" if [ ${NO_PROTO} = ${RET} ] ; then WRITE_CRED_PROTO="https" NO_PROTO=${RET#https://} fi AFTER_PORT=$(echo ${NO_PROTO} | cut -d":" -f2) else WRITE_CRED_PROTO="http" AFTER_PORT="35357/" fi WRITE_CRED_URL="${WRITE_CRED_PROTO}://${WRITE_CRED_AUTH_HOST}:${AFTER_PORT}" pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} auth_url ${WRITE_CRED_URL} else echo "Couldn't find either auth_host or auth_url :(" fi fi db_get ${WRITE_CRED_PKG_NAME}/admin-tenant-name pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} admin_tenant_name ${RET} db_get ${WRITE_CRED_PKG_NAME}/admin-user pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} admin_user ${RET} db_get ${WRITE_CRED_PKG_NAME}/admin-password pkgos_inifile set ${WRITE_CRED_CONF_FNAME} ${WRITE_CRED_SECTION} admin_password ${RET} } pkgos_write_new_conf () { local WRITE_N_CONF_PKG_NAME CONF_FNAME WRITE_N_CONF_PKG_NAME=${1} CONF_FNAME=${2} SRC_PATH=/usr/share/${DPKG_MAINTSCRIPT_PACKAGE}/${CONF_FNAME} DST_DIR=/etc/${WRITE_N_CONF_PKG_NAME} DST_PATH=${DST_DIR}/${CONF_FNAME} if [ ! -d ${DST_DIR} ] ; then mkdir -p ${DST_DIR} fi chmod 0750 ${DST_DIR} chown ${WRITE_N_CONF_PKG_NAME}:${WRITE_N_CONF_PKG_NAME} ${DST_DIR} if [ ! -e ${DST_PATH} ] ; then install -D -m 640 -o ${WRITE_N_CONF_PKG_NAME} -g ${WRITE_N_CONF_PKG_NAME} ${SRC_PATH} ${DST_PATH} fi } pkgos_adduser () { local VAR_UG_PKG_NAME local VAR_UG_SHELL VAR_UG_PKG_NAME=${1} VAR_UG_SHELL=${2} if [ -z "${VAR_UG_SHELL}" ] ; then VAR_UG_SHELL='/bin/false' fi # Create user and groups if they don't exist if ! getent group ${VAR_UG_PKG_NAME} > /dev/null 2>&1 ; then addgroup --quiet --system ${VAR_UG_PKG_NAME} fi if ! getent passwd ${VAR_UG_PKG_NAME} > /dev/null 2>&1 ; then adduser --system \ --home /var/lib/${VAR_UG_PKG_NAME} \ --no-create-home \ --quiet \ --disabled-password \ --shell ${VAR_UG_SHELL} \ --group ${VAR_UG_PKG_NAME} else usermod \ --shell ${VAR_UG_SHELL} \ ${VAR_UG_PKG_NAME} >/dev/null 2>&1 fi } pkgos_var_user_group () { local VAR_UG_PKG_NAME local VAR_UG_SHELL VAR_UG_PKG_NAME=${1} VAR_UG_SHELL=${2} # Remove user from adm group, because we was adding it nonintentionally deluser -q ${VAR_UG_PKG_NAME} adm 2>/dev/null || true pkgos_adduser ${VAR_UG_PKG_NAME} ${VAR_UG_SHELL} # Create /var/{lib,log}/ with that user/group if it doesn't exist if [ ! -d /var/lib/${VAR_UG_PKG_NAME} ] ; then mkdir -p /var/lib/${VAR_UG_PKG_NAME}/cache fi chown ${VAR_UG_PKG_NAME}:${VAR_UG_PKG_NAME} /var/lib/${VAR_UG_PKG_NAME} if [ "${VAR_UG_PKG_NAME}" = "nova" ] ; then chmod 755 /var/lib/nova else chmod 0750 /var/lib/${VAR_UG_PKG_NAME} fi if [ ! -d /var/log/${VAR_UG_PKG_NAME} ] ; then mkdir -p /var/log/${VAR_UG_PKG_NAME} fi chown ${VAR_UG_PKG_NAME}:adm /var/log/${VAR_UG_PKG_NAME} chmod 0750 /var/log/${VAR_UG_PKG_NAME} } pkgos_init () { INIT_SCRIPT_NAME=${1} if [ -x /etc/init.d/${INIT_SCRIPT_NAME} ] ; then update-rc.d ${INIT_SCRIPT_NAME} defaults >/dev/null invoke-rc.d ${INIT_SCRIPT_NAME} start || true fi } pkgos_get_id () { SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://127.0.0.1:35357/v2.0/} SERVICE_TOKEN=${AUTH_TOKEN} "$@" | awk '/ id / { print $4 }' } # Asks the debconf questions for registering a service and its endpoint in keystone # Prototype: pkgos_register_endpoint_config # Example: pkgos_register_endpoint_config glance # To be used in: config pkgos_register_endpoint_config () { local REG_ENDP_PKG_NAME DEFROUTE_IF DEFROUTE_IP REG_ENDP_PKG_NAME=${1} db_input high ${REG_ENDP_PKG_NAME}/register-endpoint || true db_go db_get ${REG_ENDP_PKG_NAME}/register-endpoint if [ "${RET}" = "true" ] ; then db_get ${REG_ENDP_PKG_NAME}/keystone-ip if [ -z "${RET}" ] ; then db_set ${REG_ENDP_PKG_NAME}/keystone-ip 127.0.0.1 fi db_input medium ${REG_ENDP_PKG_NAME}/keystone-ip || true # Attempt to use keystone project, admin-name and passwrod if there's # no ${REG_ENDP_PKG_NAME}/keystone-auth-token, so that we stay backward # compatible with older version of openstack-pkg-tools. if db_get ${REG_ENDP_PKG_NAME}/keystone-auth-token ; then db_input high ${REG_ENDP_PKG_NAME}/keystone-auth-token || true else db_input low ${REG_ENDP_PKG_NAME}/keystone-project-name || true db_input low ${REG_ENDP_PKG_NAME}/keystone-admin-name || true db_input high ${REG_ENDP_PKG_NAME}/keystone-admin-password || true fi db_get ${REG_ENDP_PKG_NAME}/endpoint-ip || true if [ -z "${RET}" ] ; then if [ -x /bin/ip ] ; then DEFROUTE_IF=`awk '{ if ( $2 == "00000000" ) print $1 }' /proc/net/route` DEFROUTE_IP=`LC_ALL=C ip addr show "${DEFROUTE_IF}" | grep inet | head -n 1 | awk '{print $2}' | cut -d/ -f1 | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` else DEFROUTE_IP=`hostname -i | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` fi if [ -n "${DEFROUTE_IP}" ] ; then db_set ${REG_ENDP_PKG_NAME}/endpoint-ip ${DEFROUTE_IP} fi fi db_input medium ${REG_ENDP_PKG_NAME}/endpoint-ip || true db_input medium ${REG_ENDP_PKG_NAME}/region-name || true db_go fi } # Register a service and its endpoint in keystone # Prototype: # Example: pkgos_register_endpoint_postinst glance glance image "Glance Image Service" 9292 /v1 # To be used in: postinst pkgos_register_endpoint_postinst () { local PKG_NAME SERVICE_NAME SERVICE_TYPE SERVICE_DESC SERVICE_PORT SERVICE_URL KEYSTONE_ENDPOINT_IP AUTH_TOKEN PKG_ENDPOINT_IP REGION_NAME PKG_SERVICE_ID PKG_NAME=${1} SERVICE_NAME=${2} SERVICE_TYPE=${3} SERVICE_DESC=${4} SERVICE_PORT=${5} SERVICE_URL=${6} db_get ${PKG_NAME}/register-endpoint if [ "${RET}" = "true" ] ; then db_get ${PKG_NAME}/keystone-ip KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` db_get ${PKG_NAME}/endpoint-ip PKG_ENDPOINT_IP=`echo ${RET} | egrep '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` db_get ${PKG_NAME}/region-name REGION_NAME=${RET} if db_get ${PKG_NAME}/keystone-auth-token ; then AUTH_TOKEN=${RET} if [ -n "${KEYSTONE_ENDPOINT_IP}" ] && [ -n "${PKG_ENDPOINT_IP}" ] && [ -n "${REGION_NAME}" ] && [ -n "${AUTH_TOKEN}" ] ; then echo "Registering service and endpoints for ${SERVICE_NAME} with type ${SERVICE_TYPE} at http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL}" NUM_LINES=$(openstack --os-token ${AUTH_TOKEN} --os-url=http://${KEYSTONE_ENDPOINT_IP}:35357/v3/ --os-domain-name default --os-identity-api-version=3 service list --format=csv | q -d , -H 'SELECT ID FROM - WHERE `Type`="'${SERVICE_TYPE}'"' | wc -l) if [ "${NUM_LINES}" = "0" ] ; then openstack --os-token ${AUTH_TOKEN} --os-url=http://${KEYSTONE_ENDPOINT_IP}:35357/v3/ --os-domain-name default --os-identity-api-version=3 service create \ --name=${SERVICE_NAME} --description="${SERVICE_DESC}" ${SERVICE_TYPE} openstack --os-token ${AUTH_TOKEN} --os-url=http://${KEYSTONE_ENDPOINT_IP}:35357/v3/ --os-domain-name default --os-identity-api-version=3 endpoint create \ --region "${REGION_NAME}" \ ${SERVICE_NAME} public http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} openstack --os-token ${AUTH_TOKEN} --os-url=http://${KEYSTONE_ENDPOINT_IP}:35357/v3/ --os-domain-name default --os-identity-api-version=3 endpoint create \ --region "${REGION_NAME}" \ ${SERVICE_NAME} internal http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} openstack --os-token ${AUTH_TOKEN} --os-url=http://${KEYSTONE_ENDPOINT_IP}:35357/v3/ --os-domain-name default --os-identity-api-version=3 endpoint create \ --region "${REGION_NAME}" \ ${SERVICE_NAME} admin http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} else echo "Service already registered: skipping service endpoint creation. Will skip service endpoint creation." fi else echo "Problem in endpoint parameter (IPs or otherwise)." fi else db_get ${PKG_NAME}/keystone-project-name KEYSTONE_PROJECT_NAME=${RET} db_get ${PKG_NAME}/keystone-admin-name KEYSTONE_ADMIN_NAME=${RET} db_get ${PKG_NAME}/keystone-admin-password KEYSTONE_ADMIN_PASSWORD=${RET} if [ -n "${KEYSTONE_ENDPOINT_IP}" ] && [ -n "${PKG_ENDPOINT_IP}" ] && [ -n "${REGION_NAME}" ] && [ -n "${KEYSTONE_PROJECT_NAME}" ] && [ -n "${KEYSTONE_ADMIN_NAME}" ] && [ -n "${KEYSTONE_ADMIN_PASSWORD}" ]; then echo "Registering service and endpoints for ${SERVICE_NAME} with type ${SERVICE_TYPE} at http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL}" export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_TENANT_NAME=${KEYSTONE_PROJECT_NAME} export OS_PROJECT_NAME=${KEYSTONE_PROJECT_NAME} export OS_USERNAME=${KEYSTONE_ADMIN_NAME} export OS_PASSWORD=${KEYSTONE_ADMIN_PASSWORD} export OS_AUTH_URL=http://${KEYSTONE_ENDPOINT_IP}:35357/v3/ export OS_IDENTITY_API_VERSION=3 export OS_AUTH_VERSION=3 export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_NO_CACHE=1 NUM_LINES=$(OS_PASSWORD=${KEYSTONE_ADMIN_PASSWORD} openstack service list --format=csv | q -d , -H 'SELECT ID FROM - WHERE `Type`="'${SERVICE_TYPE}'"' | wc -l) if [ "${NUM_LINES}" = "0" ] ; then openstack service create --name=${SERVICE_NAME} --description="${SERVICE_DESC}" ${SERVICE_TYPE} openstack endpoint create --region "${REGION_NAME}" ${SERVICE_NAME} public http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} openstack endpoint create --region "${REGION_NAME}" ${SERVICE_NAME} internal http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} openstack endpoint create --region "${REGION_NAME}" ${SERVICE_NAME} admin http://${PKG_ENDPOINT_IP}:${SERVICE_PORT}${SERVICE_URL} else echo "Service already registered: skipping service endpoint creation." fi else echo "Problem in endpoint parameter (IPs or otherwise). Will skip service endpoint creation." fi fi # Since there's very little chance a 2nd registration of the # endpoint will be needed, we forget the value of # ${PKG_NAME}/register-endpoint. If later on the # administrator of the server upgrades, it will be asked # again, or eventually, dpkg-reconfigure can # be used. db_unregister ${PKG_NAME}/register-endpoint else echo "Will not register "${SERVICE_NAME}" endpoint this time (no user request for it)." fi # For security reasons, we don't keep the auth-token in the debconf # memory, so we purge it with db_unregister. # And same for the new system: we must forget keystone-admin-password. if db_get ${PKG_NAME}/keystone-auth-token ; then db_unregister ${PKG_NAME}/keystone-auth-token else db_unregister ${PKG_NAME}/keystone-admin-password fi } # Before removing the package, ask if we should remove the db # Prototype: pkgos_prerm_db_clean ${1} # Example: pkgos_prerm_db_clean ${1} neutron neutron-common pkgos_prerm_db_clean () { local PKPRM_TEMPLATE_PREFIX PKPRM_PACKAGE_NAME PKPRM_TEMPLATE_PREFIX=${1} PKPRM_PACKAGE_NAME=${2} shift shift DPKG_COMMAND=${1} if [ "${1}" = "remove" ] ; then . /usr/share/debconf/confmodule # We unregister the value, since we don't want to use # debconf as a register, and prefer a volatile thing. db_unregister ${PKPRM_TEMPLATE_PREFIX}/configure_db db_input ${PKPRM_TEMPLATE_PREFIX}/configure_db || true db_get ${PKPRM_TEMPLATE_PREFIX}/configure_db if [ "$RET" = "true" ]; then if [ -e /usr/share/dbconfig-common/dpkg/prerm ] ; then . /usr/share/dbconfig-common/dpkg/prerm dbc_go ${neutron-common} $@ fi fi fi } # Perform dbconfig-common cleanups when removing a package # Prototype: pkgos_postrm_db_clean $@ # Example: pkgos_postrm_db_clean neutron neutron-common $@ pkgos_postrm_db_clean () { local PKPRM_TEMPLATE_PREFIX PKPRM_PACKAGE_NAME PKPRM_TEMPLATE_PREFIX=${1} PKPRM_PACKAGE_NAME=${2} shift shift # Purge db on purge if [ -f /usr/share/debconf/confmodule ] ; then . /usr/share/debconf/confmodule db_get ${PKPRM_TEMPLATE_PREFIX}/configure_db if [ "$RET" = "true" ] ; then if [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then . /usr/share/dbconfig-common/dpkg/postrm dbc_go ${PKPRM_PACKAGE_NAME} $@ else rm -f /etc/dbconfig-common/${PKPRM_PACKAGE_NAME}.conf if which ucf >/dev/null 2>&1; then ucf --purge /etc/dbconfig-common/${PKPRM_PACKAGE_NAME}.conf ucfr --purge ${PKPRM_PACKAGE_NAME} /etc/dbconfig-common/${PKPRM_PACKAGE_NAME}.conf fi fi fi fi } # Perform cleanups when removing a package # Prototype: pkgos_postrm $@ # Example: pkgos_postrm neutron neutron-common $@ pkgos_postrm () { local PKPRM_TEMPLATE_PREFIX PKPRM_PACKAGE_NAME pkgos_postrm_db_clean $@ PKPRM_TEMPLATE_PREFIX=${1} PKPRM_PACKAGE_NAME=${2} shift shift rm -rf /var/lib/${PKPRM_TEMPLATE_PREFIX} /var/log/${PKPRM_TEMPLATE_PREFIX} /var/lock/${PKPRM_TEMPLATE_PREFIX} } ### End of included pkgos_func library KEY_CONF=/etc/keystone/keystone.conf keystone_get_debconf_admin_credentials () { db_get keystone/admin-user ADMIN_USER_NAME=${RET:-admin} db_get keystone/admin-password ADMIN_USER_PW=${RET:-$(gen_password)} db_get keystone/admin-email ADMIN_USER_EMAIL=${RET:-root@localhost} db_get keystone/admin-tenant-name ADMIN_TENANT_NAME=${RET:-admin} db_get keystone/admin-role-name ADMIN_ROLE_NAME=${RET:-admin} # We export the retrived credentials for later use export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_USERNAME=admin export OS_PASSWORD=${ADMIN_USER_PW} export OS_TENANT_NAME=${ADMIN_TENANT_NAME} export OS_PROJECT_NAME=${ADMIN_TENANT_NAME} export OS_AUTH_URL=http://127.0.0.1:35357/v3/ export OS_IDENTITY_API_VERSION=3 export OS_AUTH_VERSION=3 export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_NO_CACHE=1 } keystone_bootstrap_admin () { # This is the new way to bootstrap the admin user of Keystone # and we shouldn't use the admin auth token anymore. export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME} export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME} export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW} keystone-manage bootstrap } keystone_create_admin_tenant () { echo -n "Fixing-up: admin-project-desc " openstack project set --description "Default Debian admin project" $ADMIN_TENANT_NAME echo -n "service-project " openstack project create --or-show service --description "Default Debian service project" >/dev/null echo -n "default-admin-email " openstack user set --description "Default Debian admin user" --email ${ADMIN_USER_EMAIL} --enable $ADMIN_USER_NAME echo "...done!" # Note: heat_stack_owner is needed for heat to work, and Member ResellerAdmin # are needed for swift auto account creation. echo -n "Adding roles: " for i in admin KeystoneAdmin KeystoneServiceAdmin heat_stack_owner Member ResellerAdmin ; do echo -n "${i} " openstack role create --or-show ${i} >/dev/null openstack role add --project $ADMIN_TENANT_NAME --user $ADMIN_USER_NAME ${i} >/dev/null done echo "...done!" } keystone_create_endpoint_postinst () { local PKG_NAME PKG_NAME=${1} db_get keystone/endpoint-ip # Make sure a valid IP has been entered in Debconf. KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'` if [ -n ${KEYSTONE_ENDPOINT_IP} ] ; then db_get keystone/region-name REGION_NAME=${RET} if [ -n "${REGION_NAME}" ] ; then NUM_LINES=$(OS_TOKEN=`openstack token issue -c id -f value` openstack service list --format=csv --os-url http://localhost:5000/v3 | q -d , -H 'SELECT ID FROM - WHERE `Type`="identity"' | wc -l) if [ "${NUM_LINES}" = "0" ] ; then echo -n "Setting-up: create-keystone-service " OS_TOKEN=`openstack token issue -c id -f value` openstack service create --name=keystone --description="Keystone Identity Service" identity --os-url http://localhost:5000/v3 >/dev/null echo -n "create-public-endpoint " OS_TOKEN=`openstack token issue -c id -f value` openstack endpoint create --region "${REGION_NAME}" \ keystone public http://${KEYSTONE_ENDPOINT_IP}:5000/v2.0 --os-url http://localhost:5000/v3 >/dev/null echo -n "create-internal-endpoint " OS_TOKEN=`openstack token issue -c id -f value` openstack endpoint create --region "${REGION_NAME}" \ keystone internal http://${KEYSTONE_ENDPOINT_IP}:5000/v2.0 --os-url http://localhost:5000/v3 >/dev/null echo -n "create-admin-endpoint " OS_TOKEN=`openstack token issue -c id -f value` openstack endpoint create --region "${REGION_NAME}" \ keystone admin http://${KEYSTONE_ENDPOINT_IP}:35357/v2.0 --os-url http://localhost:5000/v3 >/dev/null echo "...done!" else echo -n "Keystone service already registered..." fi fi fi } if [ "$1" = "configure" ] ; then . /usr/share/debconf/confmodule . /usr/share/dbconfig-common/dpkg/postinst # Create user and group keystone, plus /var/log and /var/lib owned by it # We need a bash shell so that keystone-manage pkg_setup works, and the # Wheezy package doesn't have it, failing upgrades pkgos_var_user_group keystone /bin/sh # Make sure we have a folder to create certs, that isn't world readable mkdir -p /etc/keystone/ssl/certs chown keystone:keystone /etc/keystone/ssl/certs chmod 750 /etc/keystone/ssl/certs chown keystone:keystone /etc/keystone/ssl chmod 750 /etc/keystone/ssl # Create keystone.conf if it's not there pkgos_write_new_conf keystone keystone.conf # Set the auth_token directive in in keystone.conf db_get keystone/auth-token AUTH_TOKEN=${RET} if [ -z "${AUTH_TOKEN}" ] ; then AUTH_TOKEN=`pkgos_gen_pass` fi pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN} OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:35357/v3/ --os-domain-name default --os-identity-api-version=3" # Make sure /var/log/keystone/keystone.log is owned by keystone # BEFORE any keystone-manage calls. chown -R keystone:keystone /var/log/keystone # Upgrade or create the db if directed to do so db_get keystone/configure_db if [ "$RET" = "true" ] ; then # Configure the SQL connection of keystone.conf according to dbconfig-common pkgos_dbc_postinst ${KEY_CONF} database connection keystone $@ echo "Running su keystone -s /bin/sh -c 'keystone-manage --noverbose db_sync'..." if [ "${PKGOS_VERBOSE}" = "yes" ] ; then su keystone -s /bin/sh -c "keystone-manage --verbose db_sync" else su keystone -s /bin/sh -c "keystone-manage --noverbose db_sync" fi fi # Generate the ssl keys for keystone. # It seems that starting it each time this script is launch # isn't a problem. #su keystone -s /bin/sh -c "keystone-manage pki_setup" # Activate the keystone*.service # for k in keystone-admin keystone-public ; do # deb-systemd-helper unmask ${k}.service >/dev/null || true # if deb-systemd-helper --quiet was-enabled ${k}.service ; then # deb-systemd-helper enable ${k}.service >/dev/null || true # else # deb-systemd-helper update-state ${k}.service >/dev/null || true # fi # # # Setup init script and start keystone # pkgos_init ${k} # done chown keystone:adm /var/log/keystone a2enmod wsgi || true a2ensite wsgi-keystone.conf || true invoke-rc.d apache2 restart || true db_get keystone/create-admin-tenant if [ "$RET" = "true" ] ; then echo -n "Sleeping 5 seconds to make sure the keystone daemon is up and running: 5..." sleep 1 echo -n "4..." sleep 1 echo -n "3..." sleep 1 echo -n "2..." sleep 1 echo -n "1..." sleep 1 echo "0" keystone_get_debconf_admin_credentials echo "===> Bootstraping tenants with 'keystone-manage bootstrap':" keystone_get_debconf_admin_credentials keystone_bootstrap_admin db_get keystone/register-endpoint if [ "$RET" = "true" ] ; then echo "===> Registering keystone endpoint" keystone_create_endpoint_postinst fi db_unregister keystone/register-endpoint echo "===> Editing bootstraped tenants and adding default roles" keystone_create_admin_tenant echo "done!" fi db_unregister keystone/create-admin-tenant db_stop fi exit 0