From b6c6533824667d782fbb2f907327e663b5c6c83c Mon Sep 17 00:00:00 2001 From: Egon Rijpkema Date: Mon, 23 Apr 2018 14:57:26 +0200 Subject: [PATCH] First commit (Contains all the master branches of the previous repositories) --- docker-cinder-controller/.gitignore | 8 + docker-cinder-controller/Dockerfile | 32 + docker-cinder-controller/README.md | 41 + docker-cinder-controller/admin-openrc.sh | 17 + docker-cinder-controller/bootstrap.sh | 48 + docker-cinder-controller/run.sh | 14 + docker-cinder-controller/write_conf.sh | 30 + docker-cinder-storage/.gitignore | 8 + docker-cinder-storage/Dockerfile | 36 + docker-cinder-storage/README.md | 41 + docker-cinder-storage/admin-openrc.sh | 17 + docker-cinder-storage/bootstrap.sh | 27 + docker-cinder-storage/lvm.conf | 1887 +++++++++++++++++ docker-cinder-storage/run.sh | 14 + docker-cinder-storage/write_conf.sh | 39 + docker-glance/.gitignore | 1 + docker-glance/Dockerfile | 32 + docker-glance/README.md | 33 + docker-glance/admin-openrc.sh | 16 + docker-glance/bootstrap.sh | 45 + docker-glance/run.sh | 14 + docker-glance/write_conf.sh | 78 + docker-heat/.gitignore | 8 + docker-heat/Dockerfile | 34 + docker-heat/README.md | 8 + docker-heat/admin-openrc.sh | 13 + docker-heat/bootstrap.sh | 57 + docker-heat/run.sh | 15 + docker-heat/write_conf.sh | 35 + docker-horizon/.gitignore | 8 + docker-horizon/000-default.conf | 11 + docker-horizon/Dockerfile | 35 + docker-horizon/README.md | 9 + docker-horizon/admin-openrc.sh | 13 + docker-horizon/local_settings.py | 518 +++++ docker-keystone/.gitignore | 8 + docker-keystone/Dockerfile | 28 + docker-keystone/README.md | 9 + docker-keystone/bootstrap.sh | 46 + docker-keystone/keystone.conf | 12 + docker-keystone/keystone.service | 17 + docker-neutron-controller/.gitignore | 8 + docker-neutron-controller/Dockerfile | 31 + docker-neutron-controller/README.md | 21 + docker-neutron-controller/bootstrap.sh | 76 + .../db_base_plugin_v2.py | 1388 ++++++++++++ docker-neutron-controller/run.sh | 36 + docker-neutron-controller/write_conf.sh | 86 + docker-nova-compute/.drone.yml | 26 + docker-nova-compute/Dockerfile | 23 + docker-nova-compute/README.md | 9 + docker-nova-compute/run.sh | 34 + docker-nova-compute/write_conf.sh | 269 +++ docker-nova-service/.gitignore | 8 + docker-nova-service/Dockerfile | 32 + docker-nova-service/README.md | 24 + docker-nova-service/bootstrap.sh | 116 + docker-nova-service/run.sh | 23 + docker-nova-service/write_conf.sh | 75 + docker-openstack-client/.gitignore | 8 + docker-openstack-client/Dockerfile | 19 + docker-openstack-client/README.md | 21 + docker-openstack-client/bootstrap.sh | 21 + docker-openstack-client/demo-openrc.sh | 13 + 64 files changed, 5729 insertions(+) create mode 100644 docker-cinder-controller/.gitignore create mode 100644 docker-cinder-controller/Dockerfile create mode 100644 docker-cinder-controller/README.md create mode 100644 docker-cinder-controller/admin-openrc.sh create mode 100755 docker-cinder-controller/bootstrap.sh create mode 100755 docker-cinder-controller/run.sh create mode 100755 docker-cinder-controller/write_conf.sh create mode 100644 docker-cinder-storage/.gitignore create mode 100644 docker-cinder-storage/Dockerfile create mode 100644 docker-cinder-storage/README.md create mode 100644 docker-cinder-storage/admin-openrc.sh create mode 100755 docker-cinder-storage/bootstrap.sh create mode 100644 docker-cinder-storage/lvm.conf create mode 100755 docker-cinder-storage/run.sh create mode 100755 docker-cinder-storage/write_conf.sh create mode 100644 docker-glance/.gitignore create mode 100644 docker-glance/Dockerfile create mode 100644 docker-glance/README.md create mode 100644 docker-glance/admin-openrc.sh create mode 100755 docker-glance/bootstrap.sh create mode 100755 docker-glance/run.sh create mode 100755 docker-glance/write_conf.sh create mode 100644 docker-heat/.gitignore create mode 100644 docker-heat/Dockerfile create mode 100644 docker-heat/README.md create mode 100644 docker-heat/admin-openrc.sh create mode 100755 docker-heat/bootstrap.sh create mode 100755 docker-heat/run.sh create mode 100755 docker-heat/write_conf.sh create mode 100644 docker-horizon/.gitignore create mode 100644 docker-horizon/000-default.conf create mode 100644 docker-horizon/Dockerfile create mode 100644 docker-horizon/README.md create mode 100644 docker-horizon/admin-openrc.sh create mode 100644 docker-horizon/local_settings.py create mode 100644 docker-keystone/.gitignore create mode 100644 docker-keystone/Dockerfile create mode 100644 docker-keystone/README.md create mode 100755 docker-keystone/bootstrap.sh create mode 100644 docker-keystone/keystone.conf create mode 100644 docker-keystone/keystone.service create mode 100644 docker-neutron-controller/.gitignore create mode 100644 docker-neutron-controller/Dockerfile create mode 100644 docker-neutron-controller/README.md create mode 100755 docker-neutron-controller/bootstrap.sh create mode 100644 docker-neutron-controller/db_base_plugin_v2.py create mode 100755 docker-neutron-controller/run.sh create mode 100755 docker-neutron-controller/write_conf.sh create mode 100644 docker-nova-compute/.drone.yml create mode 100644 docker-nova-compute/Dockerfile create mode 100644 docker-nova-compute/README.md create mode 100755 docker-nova-compute/run.sh create mode 100755 docker-nova-compute/write_conf.sh create mode 100644 docker-nova-service/.gitignore create mode 100644 docker-nova-service/Dockerfile create mode 100644 docker-nova-service/README.md create mode 100755 docker-nova-service/bootstrap.sh create mode 100755 docker-nova-service/run.sh create mode 100755 docker-nova-service/write_conf.sh create mode 100644 docker-openstack-client/.gitignore create mode 100644 docker-openstack-client/Dockerfile create mode 100644 docker-openstack-client/README.md create mode 100755 docker-openstack-client/bootstrap.sh create mode 100644 docker-openstack-client/demo-openrc.sh diff --git a/docker-cinder-controller/.gitignore b/docker-cinder-controller/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-cinder-controller/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-cinder-controller/Dockerfile b/docker-cinder-controller/Dockerfile new file mode 100644 index 0000000..0a8f0da --- /dev/null +++ b/docker-cinder-controller/Dockerfile @@ -0,0 +1,32 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + mysql-client \ + python-mysqldb \ + python-openstackclient \ + python-oslo.cache \ + cinder-api \ + cinder-scheduler \ + && apt-get -y clean + +EXPOSE 8776 + +#file that writes configs +COPY write_conf.sh /etc/write_conf.sh +# add bootstrap script and make it executable +COPY bootstrap.sh /etc/bootstrap.sh + +COPY run.sh /etc/run.sh + +RUN chown root.root /etc/bootstrap.sh && chmod a+x /etc/bootstrap.sh +RUN chown root.root /etc/run.sh && chmod a+x /etc/run.sh + +CMD ["/etc/run.sh"] diff --git a/docker-cinder-controller/README.md b/docker-cinder-controller/README.md new file mode 100644 index 0000000..5d0c68f --- /dev/null +++ b/docker-cinder-controller/README.md @@ -0,0 +1,41 @@ +# How to build +``` +docker build . -t hpc/openstack-cinder-controller +``` + +# Bootstrap +``` + docker run --rm + -e "MY_IP={{ ansible_default_ipv4.address }}" + -e "CINDER_HOST={{ hostvars[groups['cinder-controller'][0]]['ansible_default_ipv4']['address'] }}" + -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}" + -e "CINDER_USER=cinder" + -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}" + -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}" + -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" + -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}" + -e "RABBIT_USER=openstack" + hpc/openstack-cinder /etc/bootstrap.sh + +``` + +# Run an image + +``` +/usr/bin/docker run \ + -e "MY_IP={{ ansible_default_ipv4.address }}" + -e "CINDER_HOST={{ hostvars[groups['cinder-controller'][0]]['ansible_default_ipv4']['address'] }}" + -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}" + -e "CINDER_USER=cinder" + -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}" + -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}" + -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" + -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}" + -e "RABBIT_USER=openstack" + -p 8776:8776 \ + hpc/openstack-cinder-controller +``` diff --git a/docker-cinder-controller/admin-openrc.sh b/docker-cinder-controller/admin-openrc.sh new file mode 100644 index 0000000..9013f2e --- /dev/null +++ b/docker-cinder-controller/admin-openrc.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# a admin-openrc.sh file +export MYSQL_ROOT_PASSWORD="geheim" + +# To create the Identity service credentials +GLANCE_USER_NAME=glance +GLANCE_PASSWORD=geheim +export OS_IDENTITY_API_VERSION=3 +export OS_USERNAME=admin +export OS_PASSWORD=geheim +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 diff --git a/docker-cinder-controller/bootstrap.sh b/docker-cinder-controller/bootstrap.sh new file mode 100755 index 0000000..d815fe6 --- /dev/null +++ b/docker-cinder-controller/bootstrap.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 +EOF + +source /root/admin-openrc.sh + +# Write the config files +/etc/write_conf.sh + +# create database for cinder +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF +drop database if exists cinder; +create database cinder; +GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'localhost' IDENTIFIED BY "$CINDER_PASSWORD"; +GRANT ALL PRIVILEGES ON cinder.* TO 'cinder'@'%' IDENTIFIED BY "$CINDER_PASSWORD"; +EOF + +openstack user create cinder --domain default --password "$CINDER_PASSWORD" +openstack role add --user cinder --project service admin + +openstack service create --name cinderv2 --description "OpenStack Block Service" volumev2 +openstack service create --name cinderv3 --description "OpenStack Block Service" volumev3 + +openstack endpoint create volumev2 public http://"${CINDER_HOST}":8776/v2/%\(project_id\)s --region RegionOne +openstack endpoint create volumev2 internal http://"${CINDER_HOST}":8776/v2/%\(project_id\)s --region RegionOne +openstack endpoint create volumev2 admin http://"${CINDER_HOST}":8776/v2/%\(project_id\)s --region RegionOne + +openstack endpoint create volumev3 public http://"${CINDER_HOST}":8776/v3/%\(project_id\)s --region RegionOne +openstack endpoint create volumev3 internal http://"${CINDER_HOST}":8776/v3/%\(project_id\)s --region RegionOne +openstack endpoint create volumev3 admin http://"${CINDER_HOST}":8776/v3/%\(project_id\)s --region RegionOne + +# sync the database +cinder-manage db sync + + diff --git a/docker-cinder-controller/run.sh b/docker-cinder-controller/run.sh new file mode 100755 index 0000000..a15c696 --- /dev/null +++ b/docker-cinder-controller/run.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# Write the config files +/etc/write_conf.sh +# start glance service +cinder-scheduler -d & +sleep 5 +apachectl -DFOREGROUND & + +# If any process fails, kill the rest. +# This ensures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-cinder-controller/write_conf.sh b/docker-cinder-controller/write_conf.sh new file mode 100755 index 0000000..713a91c --- /dev/null +++ b/docker-cinder-controller/write_conf.sh @@ -0,0 +1,30 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /etc/cinder/cinder.conf + +[database] +connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder + +[DEFAULT] +auth_strategy = keystone +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP +my_ip = $MY_IP + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $CINDER_USER +password = $CINDER_PASSWORD + +[oslo_concurrency] +lock_path = /var/lib/cinder/tmp + +EOF diff --git a/docker-cinder-storage/.gitignore b/docker-cinder-storage/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-cinder-storage/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-cinder-storage/Dockerfile b/docker-cinder-storage/Dockerfile new file mode 100644 index 0000000..644eaba --- /dev/null +++ b/docker-cinder-storage/Dockerfile @@ -0,0 +1,36 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + cinder-volume \ + mysql-client \ + python-mysqldb \ + python-openstackclient \ + python-oslo.cache \ + lvm2 \ + tgt \ + + && apt-get -y clean + +EXPOSE 8776 + +#file that writes configs +COPY write_conf.sh /etc/write_conf.sh +# add bootstrap script and make it executable +COPY bootstrap.sh /etc/bootstrap.sh + +COPY run.sh /etc/run.sh + +COPY lvm.conf /etc/lvm/lvm.conf + +RUN chown root.root /etc/bootstrap.sh && chmod a+x /etc/bootstrap.sh +RUN chown root.root /etc/run.sh && chmod a+x /etc/run.sh + +CMD ["/etc/run.sh"] diff --git a/docker-cinder-storage/README.md b/docker-cinder-storage/README.md new file mode 100644 index 0000000..2ebf1ed --- /dev/null +++ b/docker-cinder-storage/README.md @@ -0,0 +1,41 @@ +# How to build +``` +docker build . -t hpc/openstack-cinder-storage +``` + +# Bootstrap +``` + docker run --rm + -e "MY_IP={{ ansible_default_ipv4.address }}" + -e "CINDER_HOST={{ hostvars[groups['cinder-storage'][0]]['ansible_default_ipv4']['address'] }}" + -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}" + -e "CINDER_USER=cinder" + -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}" + -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}" + -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" + -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}" + -e "RABBIT_USER=openstack" + hpc/openstack-cinder /etc/bootstrap.sh + +``` + +# Run an image + +``` +/usr/bin/docker run \ + -e "MY_IP={{ ansible_default_ipv4.address }}" + -e "CINDER_HOST={{ hostvars[groups['cinder-storage'][0]]['ansible_default_ipv4']['address'] }}" + -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}" + -e "CINDER_USER=cinder" + -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}" + -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}" + -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" + -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}" + -e "RABBIT_USER=openstack" + -p 8776:8776 \ + hpc/openstack-cinder-storage +``` diff --git a/docker-cinder-storage/admin-openrc.sh b/docker-cinder-storage/admin-openrc.sh new file mode 100644 index 0000000..9013f2e --- /dev/null +++ b/docker-cinder-storage/admin-openrc.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# a admin-openrc.sh file +export MYSQL_ROOT_PASSWORD="geheim" + +# To create the Identity service credentials +GLANCE_USER_NAME=glance +GLANCE_PASSWORD=geheim +export OS_IDENTITY_API_VERSION=3 +export OS_USERNAME=admin +export OS_PASSWORD=geheim +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 diff --git a/docker-cinder-storage/bootstrap.sh b/docker-cinder-storage/bootstrap.sh new file mode 100755 index 0000000..831abd0 --- /dev/null +++ b/docker-cinder-storage/bootstrap.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 +EOF + +source /root/admin-openrc.sh + +# Write the config files +/etc/write_conf.sh + +# create a LVM physical volume and volume group. +# This device should be available tpo the container +pvcreate /dev/cinder_storage_volume +vgcreate cinder-volumes /dev/cinder_storage_volume + diff --git a/docker-cinder-storage/lvm.conf b/docker-cinder-storage/lvm.conf new file mode 100644 index 0000000..bf6e667 --- /dev/null +++ b/docker-cinder-storage/lvm.conf @@ -0,0 +1,1887 @@ +# This is an example configuration file for the LVM2 system. +# It contains the default settings that would be used if there was no +# /etc/lvm/lvm.conf file. +# +# Refer to 'man lvm.conf' for further information including the file layout. +# +# Refer to 'man lvm.conf' for information about how settings configured in +# this file are combined with built-in values and command line options to +# arrive at the final values used by LVM. +# +# Refer to 'man lvmconfig' for information about displaying the built-in +# and configured values used by LVM. +# +# If a default value is set in this file (not commented out), then a +# new version of LVM using this file will continue using that value, +# even if the new version of LVM changes the built-in default value. +# +# To put this file in a different directory and override /etc/lvm set +# the environment variable LVM_SYSTEM_DIR before running the tools. +# +# N.B. Take care that each setting only appears once if uncommenting +# example settings in this file. + + +# Configuration section config. +# How LVM configuration settings are handled. +config { + + # Configuration option config/checks. + # If enabled, any LVM configuration mismatch is reported. + # This implies checking that the configuration key is understood by + # LVM and that the value of the key is the proper type. If disabled, + # any configuration mismatch is ignored and the default value is used + # without any warning (a message about the configuration key not being + # found is issued in verbose mode only). + checks = 1 + + # Configuration option config/abort_on_errors. + # Abort the LVM process if a configuration mismatch is found. + abort_on_errors = 0 + + # Configuration option config/profile_dir. + # Directory where LVM looks for configuration profiles. + profile_dir = "/etc/lvm/profile" +} + +# Configuration section devices. +# How LVM uses block devices. +devices { + + # Configuration option devices/dir. + # Directory in which to create volume group device nodes. + # Commands also accept this as a prefix on volume group names. + # This configuration option is advanced. + dir = "/dev" + + # Configuration option devices/scan. + # Directories containing device nodes to use with LVM. + # This configuration option is advanced. + scan = [ "/dev" ] + + # Configuration option devices/obtain_device_list_from_udev. + # Obtain the list of available devices from udev. + # This avoids opening or using any inapplicable non-block devices or + # subdirectories found in the udev directory. Any device node or + # symlink not managed by udev in the udev directory is ignored. This + # setting applies only to the udev-managed device directory; other + # directories will be scanned fully. LVM needs to be compiled with + # udev support for this setting to apply. + obtain_device_list_from_udev = 0 + + # Configuration option devices/external_device_info_source. + # Select an external device information source. + # Some information may already be available in the system and LVM can + # use this information to determine the exact type or use of devices it + # processes. Using an existing external device information source can + # speed up device processing as LVM does not need to run its own native + # routines to acquire this information. For example, this information + # is used to drive LVM filtering like MD component detection, multipath + # component detection, partition detection and others. + # + # Accepted values: + # none + # No external device information source is used. + # udev + # Reuse existing udev database records. Applicable only if LVM is + # compiled with udev support. + # + external_device_info_source = "none" + + # Configuration option devices/preferred_names. + # Select which path name to display for a block device. + # If multiple path names exist for a block device, and LVM needs to + # display a name for the device, the path names are matched against + # each item in this list of regular expressions. The first match is + # used. Try to avoid using undescriptive /dev/dm-N names, if present. + # If no preferred name matches, or if preferred_names are not defined, + # the following built-in preferences are applied in order until one + # produces a preferred name: + # Prefer names with path prefixes in the order of: + # /dev/mapper, /dev/disk, /dev/dm-*, /dev/block. + # Prefer the name with the least number of slashes. + # Prefer a name that is a symlink. + # Prefer the path with least value in lexicographical order. + # + # Example + # preferred_names = [ "^/dev/mpath/", "^/dev/mapper/mpath", "^/dev/[hs]d" ] + # + # This configuration option does not have a default value defined. + + # Configuration option devices/filter. + # Limit the block devices that are used by LVM commands. + # This is a list of regular expressions used to accept or reject block + # device path names. Each regex is delimited by a vertical bar '|' + # (or any character) and is preceded by 'a' to accept the path, or + # by 'r' to reject the path. The first regex in the list to match the + # path is used, producing the 'a' or 'r' result for the device. + # When multiple path names exist for a block device, if any path name + # matches an 'a' pattern before an 'r' pattern, then the device is + # accepted. If all the path names match an 'r' pattern first, then the + # device is rejected. Unmatching path names do not affect the accept + # or reject decision. If no path names for a device match a pattern, + # then the device is accepted. Be careful mixing 'a' and 'r' patterns, + # as the combination might produce unexpected results (test changes.) + # Run vgscan after changing the filter to regenerate the cache. + # See the use_lvmetad comment for a special case regarding filters. + # + # Example + # Accept every block device: + # filter = [ "a|.*/|" ] + # Reject the cdrom drive: + # filter = [ "r|/dev/cdrom|" ] + # Work with just loopback devices, e.g. for testing: + # filter = [ "a|loop|", "r|.*|" ] + # Accept all loop devices and ide drives except hdc: + # filter = [ "a|loop|", "r|/dev/hdc|", "a|/dev/ide|", "r|.*|" ] + # Use anchors to be very specific: + # filter = [ "a|^/dev/hda8$|", "r|.*/|" ] + # + # This configuration option has an automatic default value. + # filter = [ "a|.*/|" ] + + # Configuration option devices/global_filter. + # Limit the block devices that are used by LVM system components. + # Because devices/filter may be overridden from the command line, it is + # not suitable for system-wide device filtering, e.g. udev and lvmetad. + # Use global_filter to hide devices from these LVM system components. + # The syntax is the same as devices/filter. Devices rejected by + # global_filter are not opened by LVM. + # This configuration option has an automatic default value. + # global_filter = [ "a|.*/|" ] + + # Configuration option devices/cache_dir. + # Directory in which to store the device cache file. + # The results of filtering are cached on disk to avoid rescanning dud + # devices (which can take a very long time). By default this cache is + # stored in a file named .cache. It is safe to delete this file; the + # tools regenerate it. If obtain_device_list_from_udev is enabled, the + # list of devices is obtained from udev and any existing .cache file + # is removed. + cache_dir = "/run/lvm" + + # Configuration option devices/cache_file_prefix. + # A prefix used before the .cache file name. See devices/cache_dir. + cache_file_prefix = "" + + # Configuration option devices/write_cache_state. + # Enable/disable writing the cache file. See devices/cache_dir. + write_cache_state = 1 + + # Configuration option devices/types. + # List of additional acceptable block device types. + # These are of device type names from /proc/devices, followed by the + # maximum number of partitions. + # + # Example + # types = [ "fd", 16 ] + # + # This configuration option is advanced. + # This configuration option does not have a default value defined. + + # Configuration option devices/sysfs_scan. + # Restrict device scanning to block devices appearing in sysfs. + # This is a quick way of filtering out block devices that are not + # present on the system. sysfs must be part of the kernel and mounted.) + sysfs_scan = 1 + + # Configuration option devices/multipath_component_detection. + # Ignore devices that are components of DM multipath devices. + multipath_component_detection = 1 + + # Configuration option devices/md_component_detection. + # Ignore devices that are components of software RAID (md) devices. + md_component_detection = 1 + + # Configuration option devices/fw_raid_component_detection. + # Ignore devices that are components of firmware RAID devices. + # LVM must use an external_device_info_source other than none for this + # detection to execute. + fw_raid_component_detection = 0 + + # Configuration option devices/md_chunk_alignment. + # Align PV data blocks with md device's stripe-width. + # This applies if a PV is placed directly on an md device. + md_chunk_alignment = 1 + + # Configuration option devices/default_data_alignment. + # Default alignment of the start of a PV data area in MB. + # If set to 0, a value of 64KiB will be used. + # Set to 1 for 1MiB, 2 for 2MiB, etc. + # This configuration option has an automatic default value. + # default_data_alignment = 1 + + # Configuration option devices/data_alignment_detection. + # Detect PV data alignment based on sysfs device information. + # The start of a PV data area will be a multiple of minimum_io_size or + # optimal_io_size exposed in sysfs. minimum_io_size is the smallest + # request the device can perform without incurring a read-modify-write + # penalty, e.g. MD chunk size. optimal_io_size is the device's + # preferred unit of receiving I/O, e.g. MD stripe width. + # minimum_io_size is used if optimal_io_size is undefined (0). + # If md_chunk_alignment is enabled, that detects the optimal_io_size. + # This setting takes precedence over md_chunk_alignment. + data_alignment_detection = 1 + + # Configuration option devices/data_alignment. + # Alignment of the start of a PV data area in KiB. + # If a PV is placed directly on an md device and md_chunk_alignment or + # data_alignment_detection are enabled, then this setting is ignored. + # Otherwise, md_chunk_alignment and data_alignment_detection are + # disabled if this is set. Set to 0 to use the default alignment or the + # page size, if larger. + data_alignment = 0 + + # Configuration option devices/data_alignment_offset_detection. + # Detect PV data alignment offset based on sysfs device information. + # The start of a PV aligned data area will be shifted by the + # alignment_offset exposed in sysfs. This offset is often 0, but may + # be non-zero. Certain 4KiB sector drives that compensate for windows + # partitioning will have an alignment_offset of 3584 bytes (sector 7 + # is the lowest aligned logical block, the 4KiB sectors start at + # LBA -1, and consequently sector 63 is aligned on a 4KiB boundary). + # pvcreate --dataalignmentoffset will skip this detection. + data_alignment_offset_detection = 1 + + # Configuration option devices/ignore_suspended_devices. + # Ignore DM devices that have I/O suspended while scanning devices. + # Otherwise, LVM waits for a suspended device to become accessible. + # This should only be needed in recovery situations. + ignore_suspended_devices = 0 + + # Configuration option devices/ignore_lvm_mirrors. + # Do not scan 'mirror' LVs to avoid possible deadlocks. + # This avoids possible deadlocks when using the 'mirror' segment type. + # This setting determines whether LVs using the 'mirror' segment type + # are scanned for LVM labels. This affects the ability of mirrors to + # be used as physical volumes. If this setting is enabled, it is + # impossible to create VGs on top of mirror LVs, i.e. to stack VGs on + # mirror LVs. If this setting is disabled, allowing mirror LVs to be + # scanned, it may cause LVM processes and I/O to the mirror to become + # blocked. This is due to the way that the mirror segment type handles + # failures. In order for the hang to occur, an LVM command must be run + # just after a failure and before the automatic LVM repair process + # takes place, or there must be failures in multiple mirrors in the + # same VG at the same time with write failures occurring moments before + # a scan of the mirror's labels. The 'mirror' scanning problems do not + # apply to LVM RAID types like 'raid1' which handle failures in a + # different way, making them a better choice for VG stacking. + ignore_lvm_mirrors = 1 + + # Configuration option devices/disable_after_error_count. + # Number of I/O errors after which a device is skipped. + # During each LVM operation, errors received from each device are + # counted. If the counter of a device exceeds the limit set here, + # no further I/O is sent to that device for the remainder of the + # operation. Setting this to 0 disables the counters altogether. + disable_after_error_count = 0 + + # Configuration option devices/require_restorefile_with_uuid. + # Allow use of pvcreate --uuid without requiring --restorefile. + require_restorefile_with_uuid = 1 + + # Configuration option devices/pv_min_size. + # Minimum size in KiB of block devices which can be used as PVs. + # In a clustered environment all nodes must use the same value. + # Any value smaller than 512KiB is ignored. The previous built-in + # value was 512. + pv_min_size = 2048 + + # Configuration option devices/issue_discards. + # Issue discards to PVs that are no longer used by an LV. + # Discards are sent to an LV's underlying physical volumes when the LV + # is no longer using the physical volumes' space, e.g. lvremove, + # lvreduce. Discards inform the storage that a region is no longer + # used. Storage that supports discards advertise the protocol-specific + # way discards should be issued by the kernel (TRIM, UNMAP, or + # WRITE SAME with UNMAP bit set). Not all storage will support or + # benefit from discards, but SSDs and thinly provisioned LUNs + # generally do. If enabled, discards will only be issued if both the + # storage and kernel provide support. + issue_discards = 1 +} + +# Configuration section allocation. +# How LVM selects space and applies properties to LVs. +allocation { + + # Configuration option allocation/cling_tag_list. + # Advise LVM which PVs to use when searching for new space. + # When searching for free space to extend an LV, the 'cling' allocation + # policy will choose space on the same PVs as the last segment of the + # existing LV. If there is insufficient space and a list of tags is + # defined here, it will check whether any of them are attached to the + # PVs concerned and then seek to match those PV tags between existing + # extents and new extents. + # + # Example + # Use the special tag "@*" as a wildcard to match any PV tag: + # cling_tag_list = [ "@*" ] + # LVs are mirrored between two sites within a single VG, and + # PVs are tagged with either @site1 or @site2 to indicate where + # they are situated: + # cling_tag_list = [ "@site1", "@site2" ] + # + # This configuration option does not have a default value defined. + + # Configuration option allocation/maximise_cling. + # Use a previous allocation algorithm. + # Changes made in version 2.02.85 extended the reach of the 'cling' + # policies to detect more situations where data can be grouped onto + # the same disks. This setting can be used to disable the changes + # and revert to the previous algorithm. + maximise_cling = 1 + + # Configuration option allocation/use_blkid_wiping. + # Use blkid to detect existing signatures on new PVs and LVs. + # The blkid library can detect more signatures than the native LVM + # detection code, but may take longer. LVM needs to be compiled with + # blkid wiping support for this setting to apply. LVM native detection + # code is currently able to recognize: MD device signatures, + # swap signature, and LUKS signatures. To see the list of signatures + # recognized by blkid, check the output of the 'blkid -k' command. + use_blkid_wiping = 1 + + # Configuration option allocation/wipe_signatures_when_zeroing_new_lvs. + # Look for and erase any signatures while zeroing a new LV. + # The --wipesignatures option overrides this setting. + # Zeroing is controlled by the -Z/--zero option, and if not specified, + # zeroing is used by default if possible. Zeroing simply overwrites the + # first 4KiB of a new LV with zeroes and does no signature detection or + # wiping. Signature wiping goes beyond zeroing and detects exact types + # and positions of signatures within the whole LV. It provides a + # cleaner LV after creation as all known signatures are wiped. The LV + # is not claimed incorrectly by other tools because of old signatures + # from previous use. The number of signatures that LVM can detect + # depends on the detection code that is selected (see + # use_blkid_wiping.) Wiping each detected signature must be confirmed. + # When this setting is disabled, signatures on new LVs are not detected + # or erased unless the --wipesignatures option is used directly. + wipe_signatures_when_zeroing_new_lvs = 1 + + # Configuration option allocation/mirror_logs_require_separate_pvs. + # Mirror logs and images will always use different PVs. + # The default setting changed in version 2.02.85. + mirror_logs_require_separate_pvs = 0 + + # Configuration option allocation/cache_pool_metadata_require_separate_pvs. + # Cache pool metadata and data will always use different PVs. + cache_pool_metadata_require_separate_pvs = 0 + + # Configuration option allocation/cache_mode. + # The default cache mode used for new cache. + # + # Accepted values: + # writethrough + # Data blocks are immediately written from the cache to disk. + # writeback + # Data blocks are written from the cache back to disk after some + # delay to improve performance. + # + # This setting replaces allocation/cache_pool_cachemode. + # This configuration option has an automatic default value. + # cache_mode = "writethrough" + + # Configuration option allocation/cache_policy. + # The default cache policy used for new cache volume. + # Since kernel 4.2 the default policy is smq (Stochastic multique), + # otherwise the older mq (Multiqueue) policy is selected. + # This configuration option does not have a default value defined. + + # Configuration section allocation/cache_settings. + # Settings for the cache policy. + # See documentation for individual cache policies for more info. + # This configuration section has an automatic default value. + # cache_settings { + # } + + # Configuration option allocation/cache_pool_chunk_size. + # The minimal chunk size in KiB for cache pool volumes. + # Using a chunk_size that is too large can result in wasteful use of + # the cache, where small reads and writes can cause large sections of + # an LV to be mapped into the cache. However, choosing a chunk_size + # that is too small can result in more overhead trying to manage the + # numerous chunks that become mapped into the cache. The former is + # more of a problem than the latter in most cases, so the default is + # on the smaller end of the spectrum. Supported values range from + # 32KiB to 1GiB in multiples of 32. + # This configuration option does not have a default value defined. + + # Configuration option allocation/thin_pool_metadata_require_separate_pvs. + # Thin pool metdata and data will always use different PVs. + thin_pool_metadata_require_separate_pvs = 0 + + # Configuration option allocation/thin_pool_zero. + # Thin pool data chunks are zeroed before they are first used. + # Zeroing with a larger thin pool chunk size reduces performance. + # This configuration option has an automatic default value. + # thin_pool_zero = 1 + + # Configuration option allocation/thin_pool_discards. + # The discards behaviour of thin pool volumes. + # + # Accepted values: + # ignore + # nopassdown + # passdown + # + # This configuration option has an automatic default value. + # thin_pool_discards = "passdown" + + # Configuration option allocation/thin_pool_chunk_size_policy. + # The chunk size calculation policy for thin pool volumes. + # + # Accepted values: + # generic + # If thin_pool_chunk_size is defined, use it. Otherwise, calculate + # the chunk size based on estimation and device hints exposed in + # sysfs - the minimum_io_size. The chunk size is always at least + # 64KiB. + # performance + # If thin_pool_chunk_size is defined, use it. Otherwise, calculate + # the chunk size for performance based on device hints exposed in + # sysfs - the optimal_io_size. The chunk size is always at least + # 512KiB. + # + # This configuration option has an automatic default value. + # thin_pool_chunk_size_policy = "generic" + + # Configuration option allocation/thin_pool_chunk_size. + # The minimal chunk size in KiB for thin pool volumes. + # Larger chunk sizes may improve performance for plain thin volumes, + # however using them for snapshot volumes is less efficient, as it + # consumes more space and takes extra time for copying. When unset, + # lvm tries to estimate chunk size starting from 64KiB. Supported + # values are in the range 64KiB to 1GiB. + # This configuration option does not have a default value defined. + + # Configuration option allocation/physical_extent_size. + # Default physical extent size in KiB to use for new VGs. + # This configuration option has an automatic default value. + # physical_extent_size = 4096 +} + +# Configuration section log. +# How LVM log information is reported. +log { + + # Configuration option log/verbose. + # Controls the messages sent to stdout or stderr. + verbose = 0 + + # Configuration option log/silent. + # Suppress all non-essential messages from stdout. + # This has the same effect as -qq. When enabled, the following commands + # still produce output: dumpconfig, lvdisplay, lvmdiskscan, lvs, pvck, + # pvdisplay, pvs, version, vgcfgrestore -l, vgdisplay, vgs. + # Non-essential messages are shifted from log level 4 to log level 5 + # for syslog and lvm2_log_fn purposes. + # Any 'yes' or 'no' questions not overridden by other arguments are + # suppressed and default to 'no'. + silent = 0 + + # Configuration option log/syslog. + # Send log messages through syslog. + syslog = 1 + + # Configuration option log/file. + # Write error and debug log messages to a file specified here. + # This configuration option does not have a default value defined. + + # Configuration option log/overwrite. + # Overwrite the log file each time the program is run. + overwrite = 0 + + # Configuration option log/level. + # The level of log messages that are sent to the log file or syslog. + # There are 6 syslog-like log levels currently in use: 2 to 7 inclusive. + # 7 is the most verbose (LOG_DEBUG). + level = 0 + + # Configuration option log/indent. + # Indent messages according to their severity. + indent = 1 + + # Configuration option log/command_names. + # Display the command name on each line of output. + command_names = 0 + + # Configuration option log/prefix. + # A prefix to use before the log message text. + # (After the command name, if selected). + # Two spaces allows you to see/grep the severity of each message. + # To make the messages look similar to the original LVM tools use: + # indent = 0, command_names = 1, prefix = " -- " + prefix = " " + + # Configuration option log/activation. + # Log messages during activation. + # Don't use this in low memory situations (can deadlock). + activation = 0 + + # Configuration option log/debug_classes. + # Select log messages by class. + # Some debugging messages are assigned to a class and only appear in + # debug output if the class is listed here. Classes currently + # available: memory, devices, activation, allocation, lvmetad, + # metadata, cache, locking, lvmpolld. Use "all" to see everything. + debug_classes = [ "memory", "devices", "activation", "allocation", "lvmetad", "metadata", "cache", "locking", "lvmpolld" ] +} + +# Configuration section backup. +# How LVM metadata is backed up and archived. +# In LVM, a 'backup' is a copy of the metadata for the current system, +# and an 'archive' contains old metadata configurations. They are +# stored in a human readable text format. +backup { + + # Configuration option backup/backup. + # Maintain a backup of the current metadata configuration. + # Think very hard before turning this off! + backup = 1 + + # Configuration option backup/backup_dir. + # Location of the metadata backup files. + # Remember to back up this directory regularly! + backup_dir = "/etc/lvm/backup" + + # Configuration option backup/archive. + # Maintain an archive of old metadata configurations. + # Think very hard before turning this off. + archive = 1 + + # Configuration option backup/archive_dir. + # Location of the metdata archive files. + # Remember to back up this directory regularly! + archive_dir = "/etc/lvm/archive" + + # Configuration option backup/retain_min. + # Minimum number of archives to keep. + retain_min = 10 + + # Configuration option backup/retain_days. + # Minimum number of days to keep archive files. + retain_days = 30 +} + +# Configuration section shell. +# Settings for running LVM in shell (readline) mode. +shell { + + # Configuration option shell/history_size. + # Number of lines of history to store in ~/.lvm_history. + history_size = 100 +} + +# Configuration section global. +# Miscellaneous global LVM settings. +global { + + # Configuration option global/umask. + # The file creation mask for any files and directories created. + # Interpreted as octal if the first digit is zero. + umask = 077 + + # Configuration option global/test. + # No on-disk metadata changes will be made in test mode. + # Equivalent to having the -t option on every command. + test = 0 + + # Configuration option global/units. + # Default value for --units argument. + units = "h" + + # Configuration option global/si_unit_consistency. + # Distinguish between powers of 1024 and 1000 bytes. + # The LVM commands distinguish between powers of 1024 bytes, + # e.g. KiB, MiB, GiB, and powers of 1000 bytes, e.g. KB, MB, GB. + # If scripts depend on the old behaviour, disable this setting + # temporarily until they are updated. + si_unit_consistency = 1 + + # Configuration option global/suffix. + # Display unit suffix for sizes. + # This setting has no effect if the units are in human-readable form + # (global/units = "h") in which case the suffix is always displayed. + suffix = 1 + + # Configuration option global/activation. + # Enable/disable communication with the kernel device-mapper. + # Disable to use the tools to manipulate LVM metadata without + # activating any logical volumes. If the device-mapper driver + # is not present in the kernel, disabling this should suppress + # the error messages. + activation = 1 + + # Configuration option global/fallback_to_lvm1. + # Try running LVM1 tools if LVM cannot communicate with DM. + # This option only applies to 2.4 kernels and is provided to help + # switch between device-mapper kernels and LVM1 kernels. The LVM1 + # tools need to be installed with .lvm1 suffices, e.g. vgscan.lvm1. + # They will stop working once the lvm2 on-disk metadata format is used. + # This configuration option has an automatic default value. + # fallback_to_lvm1 = 0 + + # Configuration option global/format. + # The default metadata format that commands should use. + # The -M 1|2 option overrides this setting. + # + # Accepted values: + # lvm1 + # lvm2 + # + # This configuration option has an automatic default value. + # format = "lvm2" + + # Configuration option global/format_libraries. + # Shared libraries that process different metadata formats. + # If support for LVM1 metadata was compiled as a shared library use + # format_libraries = "liblvm2format1.so" + # This configuration option does not have a default value defined. + + # Configuration option global/segment_libraries. + # This configuration option does not have a default value defined. + + # Configuration option global/proc. + # Location of proc filesystem. + # This configuration option is advanced. + proc = "/proc" + + # Configuration option global/etc. + # Location of /etc system configuration directory. + etc = "/etc" + + # Configuration option global/locking_type. + # Type of locking to use. + # + # Accepted values: + # 0 + # Turns off locking. Warning: this risks metadata corruption if + # commands run concurrently. + # 1 + # LVM uses local file-based locking, the standard mode. + # 2 + # LVM uses the external shared library locking_library. + # 3 + # LVM uses built-in clustered locking with clvmd. + # This is incompatible with lvmetad. If use_lvmetad is enabled, + # LVM prints a warning and disables lvmetad use. + # 4 + # LVM uses read-only locking which forbids any operations that + # might change metadata. + # 5 + # Offers dummy locking for tools that do not need any locks. + # You should not need to set this directly; the tools will select + # when to use it instead of the configured locking_type. + # Do not use lvmetad or the kernel device-mapper driver with this + # locking type. It is used by the --readonly option that offers + # read-only access to Volume Group metadata that cannot be locked + # safely because it belongs to an inaccessible domain and might be + # in use, for example a virtual machine image or a disk that is + # shared by a clustered machine. + # + locking_type = 1 + + # Configuration option global/wait_for_locks. + # When disabled, fail if a lock request would block. + wait_for_locks = 1 + + # Configuration option global/fallback_to_clustered_locking. + # Attempt to use built-in cluster locking if locking_type 2 fails. + # If using external locking (type 2) and initialisation fails, with + # this enabled, an attempt will be made to use the built-in clustered + # locking. Disable this if using a customised locking_library. + fallback_to_clustered_locking = 1 + + # Configuration option global/fallback_to_local_locking. + # Use locking_type 1 (local) if locking_type 2 or 3 fail. + # If an attempt to initialise type 2 or type 3 locking failed, perhaps + # because cluster components such as clvmd are not running, with this + # enabled, an attempt will be made to use local file-based locking + # (type 1). If this succeeds, only commands against local VGs will + # proceed. VGs marked as clustered will be ignored. + fallback_to_local_locking = 1 + + # Configuration option global/locking_dir. + # Directory to use for LVM command file locks. + # Local non-LV directory that holds file-based locks while commands are + # in progress. A directory like /tmp that may get wiped on reboot is OK. + locking_dir = "/run/lock/lvm" + + # Configuration option global/prioritise_write_locks. + # Allow quicker VG write access during high volume read access. + # When there are competing read-only and read-write access requests for + # a volume group's metadata, instead of always granting the read-only + # requests immediately, delay them to allow the read-write requests to + # be serviced. Without this setting, write access may be stalled by a + # high volume of read-only requests. This option only affects + # locking_type 1 viz. local file-based locking. + prioritise_write_locks = 1 + + # Configuration option global/library_dir. + # Search this directory first for shared libraries. + # This configuration option does not have a default value defined. + + # Configuration option global/locking_library. + # The external locking library to use for locking_type 2. + # This configuration option has an automatic default value. + # locking_library = "liblvm2clusterlock.so" + + # Configuration option global/abort_on_internal_errors. + # Abort a command that encounters an internal error. + # Treat any internal errors as fatal errors, aborting the process that + # encountered the internal error. Please only enable for debugging. + abort_on_internal_errors = 0 + + # Configuration option global/detect_internal_vg_cache_corruption. + # Internal verification of VG structures. + # Check if CRC matches when a parsed VG is used multiple times. This + # is useful to catch unexpected changes to cached VG structures. + # Please only enable for debugging. + detect_internal_vg_cache_corruption = 0 + + # Configuration option global/metadata_read_only. + # No operations that change on-disk metadata are permitted. + # Additionally, read-only commands that encounter metadata in need of + # repair will still be allowed to proceed exactly as if the repair had + # been performed (except for the unchanged vg_seqno). Inappropriate + # use could mess up your system, so seek advice first! + metadata_read_only = 0 + + # Configuration option global/mirror_segtype_default. + # The segment type used by the short mirroring option -m. + # The --type mirror|raid1 option overrides this setting. + # + # Accepted values: + # mirror + # The original RAID1 implementation from LVM/DM. It is + # characterized by a flexible log solution (core, disk, mirrored), + # and by the necessity to block I/O while handling a failure. + # There is an inherent race in the dmeventd failure handling logic + # with snapshots of devices using this type of RAID1 that in the + # worst case could cause a deadlock. (Also see + # devices/ignore_lvm_mirrors.) + # raid1 + # This is a newer RAID1 implementation using the MD RAID1 + # personality through device-mapper. It is characterized by a + # lack of log options. (A log is always allocated for every + # device and they are placed on the same device as the image, + # so no separate devices are required.) This mirror + # implementation does not require I/O to be blocked while + # handling a failure. This mirror implementation is not + # cluster-aware and cannot be used in a shared (active/active) + # fashion in a cluster. + # + mirror_segtype_default = "raid1" + + # Configuration option global/raid10_segtype_default. + # The segment type used by the -i -m combination. + # The --type raid10|mirror option overrides this setting. + # The --stripes/-i and --mirrors/-m options can both be specified + # during the creation of a logical volume to use both striping and + # mirroring for the LV. There are two different implementations. + # + # Accepted values: + # raid10 + # LVM uses MD's RAID10 personality through DM. This is the + # preferred option. + # mirror + # LVM layers the 'mirror' and 'stripe' segment types. The layering + # is done by creating a mirror LV on top of striped sub-LVs, + # effectively creating a RAID 0+1 array. The layering is suboptimal + # in terms of providing redundancy and performance. + # + raid10_segtype_default = "raid10" + + # Configuration option global/sparse_segtype_default. + # The segment type used by the -V -L combination. + # The --type snapshot|thin option overrides this setting. + # The combination of -V and -L options creates a sparse LV. There are + # two different implementations. + # + # Accepted values: + # snapshot + # The original snapshot implementation from LVM/DM. It uses an old + # snapshot that mixes data and metadata within a single COW + # storage volume and performs poorly when the size of stored data + # passes hundreds of MB. + # thin + # A newer implementation that uses thin provisioning. It has a + # bigger minimal chunk size (64KiB) and uses a separate volume for + # metadata. It has better performance, especially when more data + # is used. It also supports full snapshots. + # + sparse_segtype_default = "thin" + + # Configuration option global/lvdisplay_shows_full_device_path. + # Enable this to reinstate the previous lvdisplay name format. + # The default format for displaying LV names in lvdisplay was changed + # in version 2.02.89 to show the LV name and path separately. + # Previously this was always shown as /dev/vgname/lvname even when that + # was never a valid path in the /dev filesystem. + # This configuration option has an automatic default value. + # lvdisplay_shows_full_device_path = 0 + + # Configuration option global/use_lvmetad. + # Use lvmetad to cache metadata and reduce disk scanning. + # When enabled (and running), lvmetad provides LVM commands with VG + # metadata and PV state. LVM commands then avoid reading this + # information from disks which can be slow. When disabled (or not + # running), LVM commands fall back to scanning disks to obtain VG + # metadata. lvmetad is kept updated via udev rules which must be set + # up for LVM to work correctly. (The udev rules should be installed + # by default.) Without a proper udev setup, changes in the system's + # block device configuration will be unknown to LVM, and ignored + # until a manual 'pvscan --cache' is run. If lvmetad was running + # while use_lvmetad was disabled, it must be stopped, use_lvmetad + # enabled, and then started. When using lvmetad, LV activation is + # switched to an automatic, event-based mode. In this mode, LVs are + # activated based on incoming udev events that inform lvmetad when + # PVs appear on the system. When a VG is complete (all PVs present), + # it is auto-activated. The auto_activation_volume_list setting + # controls which LVs are auto-activated (all by default.) + # When lvmetad is updated (automatically by udev events, or directly + # by pvscan --cache), devices/filter is ignored and all devices are + # scanned by default. lvmetad always keeps unfiltered information + # which is provided to LVM commands. Each LVM command then filters + # based on devices/filter. This does not apply to other, non-regexp, + # filtering settings: component filters such as multipath and MD + # are checked during pvscan --cache. To filter a device and prevent + # scanning from the LVM system entirely, including lvmetad, use + # devices/global_filter. + use_lvmetad = 1 + + # Configuration option global/use_lvmlockd. + # Use lvmlockd for locking among hosts using LVM on shared storage. + # See lvmlockd(8) for more information. + use_lvmlockd = 0 + + # Configuration option global/lvmlockd_lock_retries. + # Retry lvmlockd lock requests this many times. + # This configuration option has an automatic default value. + # lvmlockd_lock_retries = 3 + + # Configuration option global/sanlock_lv_extend. + # Size in MiB to extend the internal LV holding sanlock locks. + # The internal LV holds locks for each LV in the VG, and after enough + # LVs have been created, the internal LV needs to be extended. lvcreate + # will automatically extend the internal LV when needed by the amount + # specified here. Setting this to 0 disables the automatic extension + # and can cause lvcreate to fail. + # This configuration option has an automatic default value. + # sanlock_lv_extend = 256 + + # Configuration option global/thin_check_executable. + # The full path to the thin_check command. + # LVM uses this command to check that a thin metadata device is in a + # usable state. When a thin pool is activated and after it is + # deactivated, this command is run. Activation will only proceed if + # the command has an exit status of 0. Set to "" to skip this check. + # (Not recommended.) Also see thin_check_options. + # (See package device-mapper-persistent-data or thin-provisioning-tools) + # This configuration option has an automatic default value. + # thin_check_executable = "/usr/sbin/thin_check" + + # Configuration option global/thin_dump_executable. + # The full path to the thin_dump command. + # LVM uses this command to dump thin pool metadata. + # (See package device-mapper-persistent-data or thin-provisioning-tools) + # This configuration option has an automatic default value. + # thin_dump_executable = "/usr/sbin/thin_dump" + + # Configuration option global/thin_repair_executable. + # The full path to the thin_repair command. + # LVM uses this command to repair a thin metadata device if it is in + # an unusable state. Also see thin_repair_options. + # (See package device-mapper-persistent-data or thin-provisioning-tools) + # This configuration option has an automatic default value. + # thin_repair_executable = "/usr/sbin/thin_repair" + + # Configuration option global/thin_check_options. + # List of options passed to the thin_check command. + # With thin_check version 2.1 or newer you can add the option + # --ignore-non-fatal-errors to let it pass through ignorable errors + # and fix them later. With thin_check version 3.2 or newer you should + # include the option --clear-needs-check-flag. + # This configuration option has an automatic default value. + # thin_check_options = [ "-q", "--clear-needs-check-flag" ] + + # Configuration option global/thin_repair_options. + # List of options passed to the thin_repair command. + # This configuration option has an automatic default value. + # thin_repair_options = [ "" ] + + # Configuration option global/thin_disabled_features. + # Features to not use in the thin driver. + # This can be helpful for testing, or to avoid using a feature that is + # causing problems. Features include: block_size, discards, + # discards_non_power_2, external_origin, metadata_resize, + # external_origin_extend, error_if_no_space. + # + # Example + # thin_disabled_features = [ "discards", "block_size" ] + # + # This configuration option does not have a default value defined. + + # Configuration option global/cache_disabled_features. + # Features to not use in the cache driver. + # This can be helpful for testing, or to avoid using a feature that is + # causing problems. Features include: policy_mq, policy_smq. + # + # Example + # cache_disabled_features = [ "policy_smq" ] + # + # This configuration option does not have a default value defined. + + # Configuration option global/cache_check_executable. + # The full path to the cache_check command. + # LVM uses this command to check that a cache metadata device is in a + # usable state. When a cached LV is activated and after it is + # deactivated, this command is run. Activation will only proceed if the + # command has an exit status of 0. Set to "" to skip this check. + # (Not recommended.) Also see cache_check_options. + # (See package device-mapper-persistent-data or thin-provisioning-tools) + # This configuration option has an automatic default value. + # cache_check_executable = "/usr/sbin/cache_check" + + # Configuration option global/cache_dump_executable. + # The full path to the cache_dump command. + # LVM uses this command to dump cache pool metadata. + # (See package device-mapper-persistent-data or thin-provisioning-tools) + # This configuration option has an automatic default value. + # cache_dump_executable = "/usr/sbin/cache_dump" + + # Configuration option global/cache_repair_executable. + # The full path to the cache_repair command. + # LVM uses this command to repair a cache metadata device if it is in + # an unusable state. Also see cache_repair_options. + # (See package device-mapper-persistent-data or thin-provisioning-tools) + # This configuration option has an automatic default value. + # cache_repair_executable = "/usr/sbin/cache_repair" + + # Configuration option global/cache_check_options. + # List of options passed to the cache_check command. + # With cache_check version 5.0 or newer you should include the option + # --clear-needs-check-flag. + # This configuration option has an automatic default value. + # cache_check_options = [ "-q", "--clear-needs-check-flag" ] + + # Configuration option global/cache_repair_options. + # List of options passed to the cache_repair command. + # This configuration option has an automatic default value. + # cache_repair_options = [ "" ] + + # Configuration option global/system_id_source. + # The method LVM uses to set the local system ID. + # Volume Groups can also be given a system ID (by vgcreate, vgchange, + # or vgimport.) A VG on shared storage devices is accessible only to + # the host with a matching system ID. See 'man lvmsystemid' for + # information on limitations and correct usage. + # + # Accepted values: + # none + # The host has no system ID. + # lvmlocal + # Obtain the system ID from the system_id setting in the 'local' + # section of an lvm configuration file, e.g. lvmlocal.conf. + # uname + # Set the system ID from the hostname (uname) of the system. + # System IDs beginning localhost are not permitted. + # machineid + # Use the contents of the machine-id file to set the system ID. + # Some systems create this file at installation time. + # See 'man machine-id' and global/etc. + # file + # Use the contents of another file (system_id_file) to set the + # system ID. + # + system_id_source = "none" + + # Configuration option global/system_id_file. + # The full path to the file containing a system ID. + # This is used when system_id_source is set to 'file'. + # Comments starting with the character # are ignored. + # This configuration option does not have a default value defined. + + # Configuration option global/use_lvmpolld. + # Use lvmpolld to supervise long running LVM commands. + # When enabled, control of long running LVM commands is transferred + # from the original LVM command to the lvmpolld daemon. This allows + # the operation to continue independent of the original LVM command. + # After lvmpolld takes over, the LVM command displays the progress + # of the ongoing operation. lvmpolld itself runs LVM commands to + # manage the progress of ongoing operations. lvmpolld can be used as + # a native systemd service, which allows it to be started on demand, + # and to use its own control group. When this option is disabled, LVM + # commands will supervise long running operations by forking themselves. + use_lvmpolld = 1 +} + +# Configuration section activation. +activation { + + # Configuration option activation/checks. + # Perform internal checks of libdevmapper operations. + # Useful for debugging problems with activation. Some of the checks may + # be expensive, so it's best to use this only when there seems to be a + # problem. + checks = 0 + + # Configuration option activation/udev_sync. + # Use udev notifications to synchronize udev and LVM. + # The --nodevsync option overrides this setting. + # When disabled, LVM commands will not wait for notifications from + # udev, but continue irrespective of any possible udev processing in + # the background. Only use this if udev is not running or has rules + # that ignore the devices LVM creates. If enabled when udev is not + # running, and LVM processes are waiting for udev, run the command + # 'dmsetup udevcomplete_all' to wake them up. + udev_sync = 0 + + # Configuration option activation/udev_rules. + # Use udev rules to manage LV device nodes and symlinks. + # When disabled, LVM will manage the device nodes and symlinks for + # active LVs itself. Manual intervention may be required if this + # setting is changed while LVs are active. + udev_rules = 0 + + # Configuration option activation/verify_udev_operations. + # Use extra checks in LVM to verify udev operations. + # This enables additional checks (and if necessary, repairs) on entries + # in the device directory after udev has completed processing its + # events. Useful for diagnosing problems with LVM/udev interactions. + verify_udev_operations = 0 + + # Configuration option activation/retry_deactivation. + # Retry failed LV deactivation. + # If LV deactivation fails, LVM will retry for a few seconds before + # failing. This may happen because a process run from a quick udev rule + # temporarily opened the device. + retry_deactivation = 1 + + # Configuration option activation/missing_stripe_filler. + # Method to fill missing stripes when activating an incomplete LV. + # Using 'error' will make inaccessible parts of the device return I/O + # errors on access. You can instead use a device path, in which case, + # that device will be used in place of missing stripes. Using anything + # other than 'error' with mirrored or snapshotted volumes is likely to + # result in data corruption. + # This configuration option is advanced. + missing_stripe_filler = "error" + + # Configuration option activation/use_linear_target. + # Use the linear target to optimize single stripe LVs. + # When disabled, the striped target is used. The linear target is an + # optimised version of the striped target that only handles a single + # stripe. + use_linear_target = 1 + + # Configuration option activation/reserved_stack. + # Stack size in KiB to reserve for use while devices are suspended. + # Insufficent reserve risks I/O deadlock during device suspension. + reserved_stack = 64 + + # Configuration option activation/reserved_memory. + # Memory size in KiB to reserve for use while devices are suspended. + # Insufficent reserve risks I/O deadlock during device suspension. + reserved_memory = 8192 + + # Configuration option activation/process_priority. + # Nice value used while devices are suspended. + # Use a high priority so that LVs are suspended + # for the shortest possible time. + process_priority = -18 + + # Configuration option activation/volume_list. + # Only LVs selected by this list are activated. + # If this list is defined, an LV is only activated if it matches an + # entry in this list. If this list is undefined, it imposes no limits + # on LV activation (all are allowed). + # + # Accepted values: + # vgname + # The VG name is matched exactly and selects all LVs in the VG. + # vgname/lvname + # The VG name and LV name are matched exactly and selects the LV. + # @tag + # Selects an LV if the specified tag matches a tag set on the LV + # or VG. + # @* + # Selects an LV if a tag defined on the host is also set on the LV + # or VG. See tags/hosttags. If any host tags exist but volume_list + # is not defined, a default single-entry list containing '@*' is + # assumed. + # + # Example + # volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ] + # + # This configuration option does not have a default value defined. + + # Configuration option activation/auto_activation_volume_list. + # Only LVs selected by this list are auto-activated. + # This list works like volume_list, but it is used only by + # auto-activation commands. It does not apply to direct activation + # commands. If this list is defined, an LV is only auto-activated + # if it matches an entry in this list. If this list is undefined, it + # imposes no limits on LV auto-activation (all are allowed.) If this + # list is defined and empty, i.e. "[]", then no LVs are selected for + # auto-activation. An LV that is selected by this list for + # auto-activation, must also be selected by volume_list (if defined) + # before it is activated. Auto-activation is an activation command that + # includes the 'a' argument: --activate ay or -a ay. The 'a' (auto) + # argument for auto-activation is meant to be used by activation + # commands that are run automatically by the system, as opposed to LVM + # commands run directly by a user. A user may also use the 'a' flag + # directly to perform auto-activation. Also see pvscan(8) for more + # information about auto-activation. + # + # Accepted values: + # vgname + # The VG name is matched exactly and selects all LVs in the VG. + # vgname/lvname + # The VG name and LV name are matched exactly and selects the LV. + # @tag + # Selects an LV if the specified tag matches a tag set on the LV + # or VG. + # @* + # Selects an LV if a tag defined on the host is also set on the LV + # or VG. See tags/hosttags. If any host tags exist but volume_list + # is not defined, a default single-entry list containing '@*' is + # assumed. + # + # Example + # volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ] + # + # This configuration option does not have a default value defined. + + # Configuration option activation/read_only_volume_list. + # LVs in this list are activated in read-only mode. + # If this list is defined, each LV that is to be activated is checked + # against this list, and if it matches, it is activated in read-only + # mode. This overrides the permission setting stored in the metadata, + # e.g. from --permission rw. + # + # Accepted values: + # vgname + # The VG name is matched exactly and selects all LVs in the VG. + # vgname/lvname + # The VG name and LV name are matched exactly and selects the LV. + # @tag + # Selects an LV if the specified tag matches a tag set on the LV + # or VG. + # @* + # Selects an LV if a tag defined on the host is also set on the LV + # or VG. See tags/hosttags. If any host tags exist but volume_list + # is not defined, a default single-entry list containing '@*' is + # assumed. + # + # Example + # volume_list = [ "vg1", "vg2/lvol1", "@tag1", "@*" ] + # + # This configuration option does not have a default value defined. + + # Configuration option activation/raid_region_size. + # Size in KiB of each raid or mirror synchronization region. + # For raid or mirror segment types, this is the amount of data that is + # copied at once when initializing, or moved at once by pvmove. + raid_region_size = 512 + + # Configuration option activation/error_when_full. + # Return errors if a thin pool runs out of space. + # The --errorwhenfull option overrides this setting. + # When enabled, writes to thin LVs immediately return an error if the + # thin pool is out of data space. When disabled, writes to thin LVs + # are queued if the thin pool is out of space, and processed when the + # thin pool data space is extended. New thin pools are assigned the + # behavior defined here. + # This configuration option has an automatic default value. + # error_when_full = 0 + + # Configuration option activation/readahead. + # Setting to use when there is no readahead setting in metadata. + # + # Accepted values: + # none + # Disable readahead. + # auto + # Use default value chosen by kernel. + # + readahead = "auto" + + # Configuration option activation/raid_fault_policy. + # Defines how a device failure in a RAID LV is handled. + # This includes LVs that have the following segment types: + # raid1, raid4, raid5*, and raid6*. + # If a device in the LV fails, the policy determines the steps + # performed by dmeventd automatically, and the steps perfomed by the + # manual command lvconvert --repair --use-policies. + # Automatic handling requires dmeventd to be monitoring the LV. + # + # Accepted values: + # warn + # Use the system log to warn the user that a device in the RAID LV + # has failed. It is left to the user to run lvconvert --repair + # manually to remove or replace the failed device. As long as the + # number of failed devices does not exceed the redundancy of the LV + # (1 device for raid4/5, 2 for raid6), the LV will remain usable. + # allocate + # Attempt to use any extra physical volumes in the VG as spares and + # replace faulty devices. + # + raid_fault_policy = "warn" + + # Configuration option activation/mirror_image_fault_policy. + # Defines how a device failure in a 'mirror' LV is handled. + # An LV with the 'mirror' segment type is composed of mirror images + # (copies) and a mirror log. A disk log ensures that a mirror LV does + # not need to be re-synced (all copies made the same) every time a + # machine reboots or crashes. If a device in the LV fails, this policy + # determines the steps perfomed by dmeventd automatically, and the steps + # performed by the manual command lvconvert --repair --use-policies. + # Automatic handling requires dmeventd to be monitoring the LV. + # + # Accepted values: + # remove + # Simply remove the faulty device and run without it. If the log + # device fails, the mirror would convert to using an in-memory log. + # This means the mirror will not remember its sync status across + # crashes/reboots and the entire mirror will be re-synced. If a + # mirror image fails, the mirror will convert to a non-mirrored + # device if there is only one remaining good copy. + # allocate + # Remove the faulty device and try to allocate space on a new + # device to be a replacement for the failed device. Using this + # policy for the log is fast and maintains the ability to remember + # sync state through crashes/reboots. Using this policy for a + # mirror device is slow, as it requires the mirror to resynchronize + # the devices, but it will preserve the mirror characteristic of + # the device. This policy acts like 'remove' if no suitable device + # and space can be allocated for the replacement. + # allocate_anywhere + # Not yet implemented. Useful to place the log device temporarily + # on the same physical volume as one of the mirror images. This + # policy is not recommended for mirror devices since it would break + # the redundant nature of the mirror. This policy acts like + # 'remove' if no suitable device and space can be allocated for the + # replacement. + # + mirror_image_fault_policy = "remove" + + # Configuration option activation/mirror_log_fault_policy. + # Defines how a device failure in a 'mirror' log LV is handled. + # The mirror_image_fault_policy description for mirrored LVs also + # applies to mirrored log LVs. + mirror_log_fault_policy = "allocate" + + # Configuration option activation/snapshot_autoextend_threshold. + # Auto-extend a snapshot when its usage exceeds this percent. + # Setting this to 100 disables automatic extension. + # The minimum value is 50 (a smaller value is treated as 50.) + # Also see snapshot_autoextend_percent. + # Automatic extension requires dmeventd to be monitoring the LV. + # + # Example + # Using 70% autoextend threshold and 20% autoextend size, when a 1G + # snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds + # 840M, it is extended to 1.44G: + # snapshot_autoextend_threshold = 70 + # + snapshot_autoextend_threshold = 100 + + # Configuration option activation/snapshot_autoextend_percent. + # Auto-extending a snapshot adds this percent extra space. + # The amount of additional space added to a snapshot is this + # percent of its current size. + # + # Example + # Using 70% autoextend threshold and 20% autoextend size, when a 1G + # snapshot exceeds 700M, it is extended to 1.2G, and when it exceeds + # 840M, it is extended to 1.44G: + # snapshot_autoextend_percent = 20 + # + snapshot_autoextend_percent = 20 + + # Configuration option activation/thin_pool_autoextend_threshold. + # Auto-extend a thin pool when its usage exceeds this percent. + # Setting this to 100 disables automatic extension. + # The minimum value is 50 (a smaller value is treated as 50.) + # Also see thin_pool_autoextend_percent. + # Automatic extension requires dmeventd to be monitoring the LV. + # + # Example + # Using 70% autoextend threshold and 20% autoextend size, when a 1G + # thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds + # 840M, it is extended to 1.44G: + # thin_pool_autoextend_threshold = 70 + # + thin_pool_autoextend_threshold = 100 + + # Configuration option activation/thin_pool_autoextend_percent. + # Auto-extending a thin pool adds this percent extra space. + # The amount of additional space added to a thin pool is this + # percent of its current size. + # + # Example + # Using 70% autoextend threshold and 20% autoextend size, when a 1G + # thin pool exceeds 700M, it is extended to 1.2G, and when it exceeds + # 840M, it is extended to 1.44G: + # thin_pool_autoextend_percent = 20 + # + thin_pool_autoextend_percent = 20 + + # Configuration option activation/mlock_filter. + # Do not mlock these memory areas. + # While activating devices, I/O to devices being (re)configured is + # suspended. As a precaution against deadlocks, LVM pins memory it is + # using so it is not paged out, and will not require I/O to reread. + # Groups of pages that are known not to be accessed during activation + # do not need to be pinned into memory. Each string listed in this + # setting is compared against each line in /proc/self/maps, and the + # pages corresponding to lines that match are not pinned. On some + # systems, locale-archive was found to make up over 80% of the memory + # used by the process. + # + # Example + # mlock_filter = [ "locale/locale-archive", "gconv/gconv-modules.cache" ] + # + # This configuration option is advanced. + # This configuration option does not have a default value defined. + + # Configuration option activation/use_mlockall. + # Use the old behavior of mlockall to pin all memory. + # Prior to version 2.02.62, LVM used mlockall() to pin the whole + # process's memory while activating devices. + use_mlockall = 0 + + # Configuration option activation/monitoring. + # Monitor LVs that are activated. + # The --ignoremonitoring option overrides this setting. + # When enabled, LVM will ask dmeventd to monitor activated LVs. + monitoring = 1 + + # Configuration option activation/polling_interval. + # Check pvmove or lvconvert progress at this interval (seconds). + # When pvmove or lvconvert must wait for the kernel to finish + # synchronising or merging data, they check and report progress at + # intervals of this number of seconds. If this is set to 0 and there + # is only one thing to wait for, there are no progress reports, but + # the process is awoken immediately once the operation is complete. + polling_interval = 15 + + # Configuration option activation/auto_set_activation_skip. + # Set the activation skip flag on new thin snapshot LVs. + # The --setactivationskip option overrides this setting. + # An LV can have a persistent 'activation skip' flag. The flag causes + # the LV to be skipped during normal activation. The lvchange/vgchange + # -K option is required to activate LVs that have the activation skip + # flag set. When this setting is enabled, the activation skip flag is + # set on new thin snapshot LVs. + # This configuration option has an automatic default value. + # auto_set_activation_skip = 1 + + # Configuration option activation/activation_mode. + # How LVs with missing devices are activated. + # The --activationmode option overrides this setting. + # + # Accepted values: + # complete + # Only allow activation of an LV if all of the Physical Volumes it + # uses are present. Other PVs in the Volume Group may be missing. + # degraded + # Like complete, but additionally RAID LVs of segment type raid1, + # raid4, raid5, radid6 and raid10 will be activated if there is no + # data loss, i.e. they have sufficient redundancy to present the + # entire addressable range of the Logical Volume. + # partial + # Allows the activation of any LV even if a missing or failed PV + # could cause data loss with a portion of the LV inaccessible. + # This setting should not normally be used, but may sometimes + # assist with data recovery. + # + activation_mode = "degraded" + + # Configuration option activation/lock_start_list. + # Locking is started only for VGs selected by this list. + # The rules are the same as those for volume_list. + # This configuration option does not have a default value defined. + + # Configuration option activation/auto_lock_start_list. + # Locking is auto-started only for VGs selected by this list. + # The rules are the same as those for auto_activation_volume_list. + # This configuration option does not have a default value defined. +} + +# Configuration section metadata. +# This configuration section has an automatic default value. +# metadata { + + # Configuration option metadata/pvmetadatacopies. + # Number of copies of metadata to store on each PV. + # The --pvmetadatacopies option overrides this setting. + # + # Accepted values: + # 2 + # Two copies of the VG metadata are stored on the PV, one at the + # front of the PV, and one at the end. + # 1 + # One copy of VG metadata is stored at the front of the PV. + # 0 + # No copies of VG metadata are stored on the PV. This may be + # useful for VGs containing large numbers of PVs. + # + # This configuration option is advanced. + # This configuration option has an automatic default value. + # pvmetadatacopies = 1 + + # Configuration option metadata/vgmetadatacopies. + # Number of copies of metadata to maintain for each VG. + # The --vgmetadatacopies option overrides this setting. + # If set to a non-zero value, LVM automatically chooses which of the + # available metadata areas to use to achieve the requested number of + # copies of the VG metadata. If you set a value larger than the the + # total number of metadata areas available, then metadata is stored in + # them all. The value 0 (unmanaged) disables this automatic management + # and allows you to control which metadata areas are used at the + # individual PV level using pvchange --metadataignore y|n. + # This configuration option has an automatic default value. + # vgmetadatacopies = 0 + + # Configuration option metadata/pvmetadatasize. + # Approximate number of sectors to use for each metadata copy. + # VGs with large numbers of PVs or LVs, or VGs containing complex LV + # structures, may need additional space for VG metadata. The metadata + # areas are treated as circular buffers, so unused space becomes filled + # with an archive of the most recent previous versions of the metadata. + # This configuration option has an automatic default value. + # pvmetadatasize = 255 + + # Configuration option metadata/pvmetadataignore. + # Ignore metadata areas on a new PV. + # The --metadataignore option overrides this setting. + # If metadata areas on a PV are ignored, LVM will not store metadata + # in them. + # This configuration option is advanced. + # This configuration option has an automatic default value. + # pvmetadataignore = 0 + + # Configuration option metadata/stripesize. + # This configuration option is advanced. + # This configuration option has an automatic default value. + # stripesize = 64 + + # Configuration option metadata/dirs. + # Directories holding live copies of text format metadata. + # These directories must not be on logical volumes! + # It's possible to use LVM with a couple of directories here, + # preferably on different (non-LV) filesystems, and with no other + # on-disk metadata (pvmetadatacopies = 0). Or this can be in addition + # to on-disk metadata areas. The feature was originally added to + # simplify testing and is not supported under low memory situations - + # the machine could lock up. Never edit any files in these directories + # by hand unless you are absolutely sure you know what you are doing! + # Use the supplied toolset to make changes (e.g. vgcfgrestore). + # + # Example + # dirs = [ "/etc/lvm/metadata", "/mnt/disk2/lvm/metadata2" ] + # + # This configuration option is advanced. + # This configuration option does not have a default value defined. +# } + +# Configuration section report. +# LVM report command output formatting. +# This configuration section has an automatic default value. +# report { + + # Configuration option report/compact_output. + # Do not print empty values for all report fields. + # If enabled, all fields that don't have a value set for any of the + # rows reported are skipped and not printed. Compact output is + # applicable only if report/buffered is enabled. If you need to + # compact only specified fields, use compact_output=0 and define + # report/compact_output_cols configuration setting instead. + # This configuration option has an automatic default value. + # compact_output = 0 + + # Configuration option report/compact_output_cols. + # Do not print empty values for specified report fields. + # If defined, specified fields that don't have a value set for any + # of the rows reported are skipped and not printed. Compact output + # is applicable only if report/buffered is enabled. If you need to + # compact all fields, use compact_output=1 instead in which case + # the compact_output_cols setting is then ignored. + # This configuration option has an automatic default value. + # compact_output_cols = "" + + # Configuration option report/aligned. + # Align columns in report output. + # This configuration option has an automatic default value. + # aligned = 1 + + # Configuration option report/buffered. + # Buffer report output. + # When buffered reporting is used, the report's content is appended + # incrementally to include each object being reported until the report + # is flushed to output which normally happens at the end of command + # execution. Otherwise, if buffering is not used, each object is + # reported as soon as its processing is finished. + # This configuration option has an automatic default value. + # buffered = 1 + + # Configuration option report/headings. + # Show headings for columns on report. + # This configuration option has an automatic default value. + # headings = 1 + + # Configuration option report/separator. + # A separator to use on report after each field. + # This configuration option has an automatic default value. + # separator = " " + + # Configuration option report/list_item_separator. + # A separator to use for list items when reported. + # This configuration option has an automatic default value. + # list_item_separator = "," + + # Configuration option report/prefixes. + # Use a field name prefix for each field reported. + # This configuration option has an automatic default value. + # prefixes = 0 + + # Configuration option report/quoted. + # Quote field values when using field name prefixes. + # This configuration option has an automatic default value. + # quoted = 1 + + # Configuration option report/colums_as_rows. + # Output each column as a row. + # If set, this also implies report/prefixes=1. + # This configuration option has an automatic default value. + # colums_as_rows = 0 + + # Configuration option report/binary_values_as_numeric. + # Use binary values 0 or 1 instead of descriptive literal values. + # For columns that have exactly two valid values to report + # (not counting the 'unknown' value which denotes that the + # value could not be determined). + # This configuration option has an automatic default value. + # binary_values_as_numeric = 0 + + # Configuration option report/time_format. + # Set time format for fields reporting time values. + # Format specification is a string which may contain special character + # sequences and ordinary character sequences. Ordinary character + # sequences are copied verbatim. Each special character sequence is + # introduced by the '%' character and such sequence is then + # substituted with a value as described below. + # + # Accepted values: + # %a + # The abbreviated name of the day of the week according to the + # current locale. + # %A + # The full name of the day of the week according to the current + # locale. + # %b + # The abbreviated month name according to the current locale. + # %B + # The full month name according to the current locale. + # %c + # The preferred date and time representation for the current + # locale (alt E) + # %C + # The century number (year/100) as a 2-digit integer. (alt E) + # %d + # The day of the month as a decimal number (range 01 to 31). + # (alt O) + # %D + # Equivalent to %m/%d/%y. (For Americans only. Americans should + # note that in other countries%d/%m/%y is rather common. This + # means that in international context this format is ambiguous and + # should not be used. + # %e + # Like %d, the day of the month as a decimal number, but a leading + # zero is replaced by a space. (alt O) + # %E + # Modifier: use alternative local-dependent representation if + # available. + # %F + # Equivalent to %Y-%m-%d (the ISO 8601 date format). + # %G + # The ISO 8601 week-based year with century as adecimal number. + # The 4-digit year corresponding to the ISO week number (see %V). + # This has the same format and value as %Y, except that if the + # ISO week number belongs to the previous or next year, that year + # is used instead. + # %g + # Like %G, but without century, that is, with a 2-digit year + # (00-99). + # %h + # Equivalent to %b. + # %H + # The hour as a decimal number using a 24-hour clock + # (range 00 to 23). (alt O) + # %I + # The hour as a decimal number using a 12-hour clock + # (range 01 to 12). (alt O) + # %j + # The day of the year as a decimal number (range 001 to 366). + # %k + # The hour (24-hour clock) as a decimal number (range 0 to 23); + # single digits are preceded by a blank. (See also %H.) + # %l + # The hour (12-hour clock) as a decimal number (range 1 to 12); + # single digits are preceded by a blank. (See also %I.) + # %m + # The month as a decimal number (range 01 to 12). (alt O) + # %M + # The minute as a decimal number (range 00 to 59). (alt O) + # %O + # Modifier: use alternative numeric symbols. + # %p + # Either "AM" or "PM" according to the given time value, + # or the corresponding strings for the current locale. Noon is + # treated as "PM" and midnight as "AM". + # %P + # Like %p but in lowercase: "am" or "pm" or a corresponding + # string for the current locale. + # %r + # The time in a.m. or p.m. notation. In the POSIX locale this is + # equivalent to %I:%M:%S %p. + # %R + # The time in 24-hour notation (%H:%M). For a version including + # the seconds, see %T below. + # %s + # The number of seconds since the Epoch, + # 1970-01-01 00:00:00 +0000 (UTC) + # %S + # The second as a decimal number (range 00 to 60). (The range is + # up to 60 to allow for occasional leap seconds.) (alt O) + # %t + # A tab character. + # %T + # The time in 24-hour notation (%H:%M:%S). + # %u + # The day of the week as a decimal, range 1 to 7, Monday being 1. + # See also %w. (alt O) + # %U + # The week number of the current year as a decimal number, + # range 00 to 53, starting with the first Sunday as the first + # day of week 01. See also %V and %W. (alt O) + # %V + # The ISO 8601 week number of the current year as a decimal number, + # range 01 to 53, where week 1 is the first week that has at least + # 4 days in the new year. See also %U and %W. (alt O) + # %w + # The day of the week as a decimal, range 0 to 6, Sunday being 0. + # See also %u. (alt O) + # %W + # The week number of the current year as a decimal number, + # range 00 to 53, starting with the first Monday as the first day + # of week 01. (alt O) + # %x + # The preferred date representation for the current locale without + # the time. (alt E) + # %X + # The preferred time representation for the current locale without + # the date. (alt E) + # %y + # The year as a decimal number without a century (range 00 to 99). + # (alt E, alt O) + # %Y + # The year as a decimal number including the century. (alt E) + # %z + # The +hhmm or -hhmm numeric timezone (that is, the hour and minute + # offset from UTC). + # %Z + # The timezone name or abbreviation. + # %% + # A literal '%' character. + # + # This configuration option has an automatic default value. + # time_format = "%Y-%m-%d %T %z" + + # Configuration option report/devtypes_sort. + # List of columns to sort by when reporting 'lvm devtypes' command. + # See 'lvm devtypes -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # devtypes_sort = "devtype_name" + + # Configuration option report/devtypes_cols. + # List of columns to report for 'lvm devtypes' command. + # See 'lvm devtypes -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # devtypes_cols = "devtype_name,devtype_max_partitions,devtype_description" + + # Configuration option report/devtypes_cols_verbose. + # List of columns to report for 'lvm devtypes' command in verbose mode. + # See 'lvm devtypes -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # devtypes_cols_verbose = "devtype_name,devtype_max_partitions,devtype_description" + + # Configuration option report/lvs_sort. + # List of columns to sort by when reporting 'lvs' command. + # See 'lvs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # lvs_sort = "vg_name,lv_name" + + # Configuration option report/lvs_cols. + # List of columns to report for 'lvs' command. + # See 'lvs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # lvs_cols = "lv_name,vg_name,lv_attr,lv_size,pool_lv,origin,data_percent,metadata_percent,move_pv,mirror_log,copy_percent,convert_lv" + + # Configuration option report/lvs_cols_verbose. + # List of columns to report for 'lvs' command in verbose mode. + # See 'lvs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # lvs_cols_verbose = "lv_name,vg_name,seg_count,lv_attr,lv_size,lv_major,lv_minor,lv_kernel_major,lv_kernel_minor,pool_lv,origin,data_percent,metadata_percent,move_pv,copy_percent,mirror_log,convert_lv,lv_uuid,lv_profile" + + # Configuration option report/vgs_sort. + # List of columns to sort by when reporting 'vgs' command. + # See 'vgs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # vgs_sort = "vg_name" + + # Configuration option report/vgs_cols. + # List of columns to report for 'vgs' command. + # See 'vgs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # vgs_cols = "vg_name,pv_count,lv_count,snap_count,vg_attr,vg_size,vg_free" + + # Configuration option report/vgs_cols_verbose. + # List of columns to report for 'vgs' command in verbose mode. + # See 'vgs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # vgs_cols_verbose = "vg_name,vg_attr,vg_extent_size,pv_count,lv_count,snap_count,vg_size,vg_free,vg_uuid,vg_profile" + + # Configuration option report/pvs_sort. + # List of columns to sort by when reporting 'pvs' command. + # See 'pvs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # pvs_sort = "pv_name" + + # Configuration option report/pvs_cols. + # List of columns to report for 'pvs' command. + # See 'pvs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # pvs_cols = "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free" + + # Configuration option report/pvs_cols_verbose. + # List of columns to report for 'pvs' command in verbose mode. + # See 'pvs -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # pvs_cols_verbose = "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,dev_size,pv_uuid" + + # Configuration option report/segs_sort. + # List of columns to sort by when reporting 'lvs --segments' command. + # See 'lvs --segments -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # segs_sort = "vg_name,lv_name,seg_start" + + # Configuration option report/segs_cols. + # List of columns to report for 'lvs --segments' command. + # See 'lvs --segments -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # segs_cols = "lv_name,vg_name,lv_attr,stripes,segtype,seg_size" + + # Configuration option report/segs_cols_verbose. + # List of columns to report for 'lvs --segments' command in verbose mode. + # See 'lvs --segments -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # segs_cols_verbose = "lv_name,vg_name,lv_attr,seg_start,seg_size,stripes,segtype,stripesize,chunksize" + + # Configuration option report/pvsegs_sort. + # List of columns to sort by when reporting 'pvs --segments' command. + # See 'pvs --segments -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # pvsegs_sort = "pv_name,pvseg_start" + + # Configuration option report/pvsegs_cols. + # List of columns to sort by when reporting 'pvs --segments' command. + # See 'pvs --segments -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # pvsegs_cols = "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size" + + # Configuration option report/pvsegs_cols_verbose. + # List of columns to sort by when reporting 'pvs --segments' command in verbose mode. + # See 'pvs --segments -o help' for the list of possible fields. + # This configuration option has an automatic default value. + # pvsegs_cols_verbose = "pv_name,vg_name,pv_fmt,pv_attr,pv_size,pv_free,pvseg_start,pvseg_size,lv_name,seg_start_pe,segtype,seg_pe_ranges" +# } + +# Configuration section dmeventd. +# Settings for the LVM event daemon. +dmeventd { + + # Configuration option dmeventd/mirror_library. + # The library dmeventd uses when monitoring a mirror device. + # libdevmapper-event-lvm2mirror.so attempts to recover from + # failures. It removes failed devices from a volume group and + # reconfigures a mirror as necessary. If no mirror library is + # provided, mirrors are not monitored through dmeventd. + mirror_library = "libdevmapper-event-lvm2mirror.so" + + # Configuration option dmeventd/raid_library. + # This configuration option has an automatic default value. + # raid_library = "libdevmapper-event-lvm2raid.so" + + # Configuration option dmeventd/snapshot_library. + # The library dmeventd uses when monitoring a snapshot device. + # libdevmapper-event-lvm2snapshot.so monitors the filling of snapshots + # and emits a warning through syslog when the usage exceeds 80%. The + # warning is repeated when 85%, 90% and 95% of the snapshot is filled. + snapshot_library = "libdevmapper-event-lvm2snapshot.so" + + # Configuration option dmeventd/thin_library. + # The library dmeventd uses when monitoring a thin device. + # libdevmapper-event-lvm2thin.so monitors the filling of a pool + # and emits a warning through syslog when the usage exceeds 80%. The + # warning is repeated when 85%, 90% and 95% of the pool is filled. + thin_library = "libdevmapper-event-lvm2thin.so" + + # Configuration option dmeventd/executable. + # The full path to the dmeventd binary. + # This configuration option has an automatic default value. + # executable = "/sbin/dmeventd" +} + +# Configuration section tags. +# Host tag settings. +# This configuration section has an automatic default value. +# tags { + + # Configuration option tags/hosttags. + # Create a host tag using the machine name. + # The machine name is nodename returned by uname(2). + # This configuration option has an automatic default value. + # hosttags = 0 + + # Configuration section tags/. + # Replace this subsection name with a custom tag name. + # Multiple subsections like this can be created. The '@' prefix for + # tags is optional. This subsection can contain host_list, which is a + # list of machine names. If the name of the local machine is found in + # host_list, then the name of this subsection is used as a tag and is + # applied to the local machine as a 'host tag'. If this subsection is + # empty (has no host_list), then the subsection name is always applied + # as a 'host tag'. + # + # Example + # The host tag foo is given to all hosts, and the host tag + # bar is given to the hosts named machine1 and machine2. + # tags { foo { } bar { host_list = [ "machine1", "machine2" ] } } + # + # This configuration section has variable name. + # This configuration section has an automatic default value. + # tag { + + # Configuration option tags//host_list. + # A list of machine names. + # These machine names are compared to the nodename returned + # by uname(2). If the local machine name matches an entry in + # this list, the name of the subsection is applied to the + # machine as a 'host tag'. + # This configuration option does not have a default value defined. + # } +# } diff --git a/docker-cinder-storage/run.sh b/docker-cinder-storage/run.sh new file mode 100755 index 0000000..58eaeee --- /dev/null +++ b/docker-cinder-storage/run.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# Write the config files +/etc/write_conf.sh +# start cinder processes. +tgtd + +cinder-volume -d & + +# If any process fails, kill the rest. +# This ensures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-cinder-storage/write_conf.sh b/docker-cinder-storage/write_conf.sh new file mode 100755 index 0000000..cad5927 --- /dev/null +++ b/docker-cinder-storage/write_conf.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /etc/cinder/cinder.conf + +[database] +connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder + +[DEFAULT] +auth_strategy = keystone +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST +my_ip = $MY_IP +enabled_backends = lvm +glance_api_servers = http://$GLANCE_HOST:9292 + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $CINDER_USER +password = $CINDER_PASSWORD + +[oslo_concurrency] +lock_path = /var/lib/cinder/tmp + +[lvm] +volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver +volume_group = cinder-volumes +iscsi_protocol = iscsi +iscsi_helper = tgtadm +volumes_dir = /var/lib/cinder/volumes + +EOF diff --git a/docker-glance/.gitignore b/docker-glance/.gitignore new file mode 100644 index 0000000..88a84e5 --- /dev/null +++ b/docker-glance/.gitignore @@ -0,0 +1 @@ +build.sh diff --git a/docker-glance/Dockerfile b/docker-glance/Dockerfile new file mode 100644 index 0000000..008624a --- /dev/null +++ b/docker-glance/Dockerfile @@ -0,0 +1,32 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + mysql-client \ + glance \ + python-mysqldb \ + python-openstackclient \ + python-oslo.cache \ + && apt-get -y clean \ + && rm -f /var/lib/glance/glance.sqlite + +EXPOSE 9292 + +#file that writes configs +COPY write_conf.sh /etc/write_conf.sh +# add bootstrap script and make it executable +COPY bootstrap.sh /etc/bootstrap.sh + +COPY run.sh /etc/run.sh + +RUN chown root.root /etc/bootstrap.sh && chmod a+x /etc/bootstrap.sh +RUN chown root.root /etc/run.sh && chmod a+x /etc/run.sh + +CMD ["/etc/run.sh"] diff --git a/docker-glance/README.md b/docker-glance/README.md new file mode 100644 index 0000000..67db98e --- /dev/null +++ b/docker-glance/README.md @@ -0,0 +1,33 @@ +# How to build +``` +docker build . -t hpc/openstack-glance +``` + +# Bootstrap +``` + docker run --rm + -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" + -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" + -e "MYSQL_ROOT_PASSWORD=geheim" + -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" + -e "GLANCE_HOST={{ hostvars[groups['glance'][0]]['ansible_default_ipv4']['address'] }}" + -e "GLANCE_PASSWORD=geheim" + hpc/openstack-glance /etc/bootstrap.sh + +``` + +# Run an image + +``` +/usr/bin/docker run --name %n \ + -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" \ + -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}" \ + -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" \ + -e "MYSQL_ROOT_PASSWORD=geheim" \ + -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" \ + -e "GLANCE_HOST={{ hostvars[groups['glance'][0]]['ansible_default_ipv4']['address'] }}" \ + -e "GLANCE_PASSWORD=geheim" \ + -p 9292:9292 \ + hpc/openstack-glance +``` diff --git a/docker-glance/admin-openrc.sh b/docker-glance/admin-openrc.sh new file mode 100644 index 0000000..009dc93 --- /dev/null +++ b/docker-glance/admin-openrc.sh @@ -0,0 +1,16 @@ +#!/bin/bash +# a admin-openrc.sh file + +# To create the Identity service credentials +GLANCE_USER_NAME=glance +GLANCE_PASSWORD=geheim +export OS_IDENTITY_API_VERSION=3 +export OS_USERNAME=admin +export OS_PASSWORD=geheim +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 diff --git a/docker-glance/bootstrap.sh b/docker-glance/bootstrap.sh new file mode 100755 index 0000000..6b51a70 --- /dev/null +++ b/docker-glance/bootstrap.sh @@ -0,0 +1,45 @@ +#!/bin/bash + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export GLANCE_USER_NAME=glance +export GLANCE_PASSWORD=${GLANCE_PASSWORD} +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 +EOF + +source /root/admin-openrc.sh + +# Write the config files +/etc/write_conf.sh + +# create database for glance +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF +drop database if exists glance; +create database glance; +GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'localhost' IDENTIFIED BY "$GLANCE_PASSWORD"; +GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY "$GLANCE_PASSWORD"; +EOF + +openstack user create "$GLANCE_USER" --domain default --password "$GLANCE_PASSWORD" +openstack role add --user glance --project service admin +openstack service create --name glance --description "OpenStack Image Service" image +openstack endpoint create glance admin http://"${GLANCE_HOST}":9292 --region RegionOne +openstack endpoint create glance public http://"${GLANCE_HOST}":9292 --region RegionOne +openstack endpoint create glance internal http://"${GLANCE_HOST}":9292 --region RegionOne + +# Workaround, see https://bugs.launchpad.net/glance/+bug/1697835 +sed -i "/op.drop_index('ix_images_is_public', 'images')/a \ \ \ \ op.execute(\"\"\"ALTER TABLE images DROP CONSTRAINT CONSTRAINT_1\"\"\")" \ + /usr/lib/python2.7/dist-packages/glance/db/sqlalchemy/alembic_migrations/versions/ocata01_add_visibility_remove_is_public.py + +# sync the database +su -s /bin/sh -c "glance-manage db_sync" glance diff --git a/docker-glance/run.sh b/docker-glance/run.sh new file mode 100755 index 0000000..520ca01 --- /dev/null +++ b/docker-glance/run.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# Write the config files +/etc/write_conf.sh +# start glance service +glance-registry -v -d & +sleep 5 +glance-api -v -d & + +# If any process fails, kill the rest. +# This insures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-glance/write_conf.sh b/docker-glance/write_conf.sh new file mode 100755 index 0000000..65f6bad --- /dev/null +++ b/docker-glance/write_conf.sh @@ -0,0 +1,78 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /etc/glance/glance-api.conf + +[database] +connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance +[image_format] +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = glance +password = $GLANCE_PASSWORD + +[oslo_messaging_notifications] +driver = messagingv2 + +[oslo_messaging_rabbit] +rabbit_host = $RABBIT_HOST +rabbit_userid = $RABBIT_USER +rabbit_password = $RABBIT_PASSWORD + +[paste_deploy] +flavor = keystone + + +[glance_store] +stores = file,http +default_store = file +filesystem_store_datadir = /var/lib/glance/images/ + +EOF + + +cat << EOF > /etc/glance/glance-registry.conf + +[DEFAULT] +workers = 4 +rpc_backend = rabbit + +[database] +connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance + +[glance_store] +stores = file,http +default_store = file +filesystem_store_datadir = /var/lib/glance/images/ + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = glance +password = $GLANCE_PASSWORD + +[oslo_messaging_notifications] +driver = messagingv2 + +[oslo_messaging_rabbit] +rabbit_host = $RABBIT_HOST +rabbit_userid = $RABBIT_USER +rabbit_password = $RABBIT_PASSWORD + +[paste_deploy] +flavor = keystone + +EOF diff --git a/docker-heat/.gitignore b/docker-heat/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-heat/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-heat/Dockerfile b/docker-heat/Dockerfile new file mode 100644 index 0000000..3a03963 --- /dev/null +++ b/docker-heat/Dockerfile @@ -0,0 +1,34 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + mysql-client \ + python-mysqldb \ + python-openstackclient \ + python-oslo.cache \ + heat-api \ + heat-api-cfn \ + heat-engine \ + && apt-get -y clean + +EXPOSE 8000 +EXPOSE 8004 + +#file that writes configs +COPY write_conf.sh /etc/write_conf.sh +# add bootstrap script and make it executable +COPY bootstrap.sh /etc/bootstrap.sh + +COPY run.sh /etc/run.sh + +RUN chown root.root /etc/bootstrap.sh && chmod a+x /etc/bootstrap.sh +RUN chown root.root /etc/run.sh && chmod a+x /etc/run.sh + +CMD ["/etc/run.sh"] diff --git a/docker-heat/README.md b/docker-heat/README.md new file mode 100644 index 0000000..65c9106 --- /dev/null +++ b/docker-heat/README.md @@ -0,0 +1,8 @@ +# Openstack heat +This docker image provides [Openstack Heat](https://wiki.openstack.org/wiki/Heat). It is meant to be run as part of the [HPC Cloud](https://git.webhosting.rug.nl/HPC/hpc-cloud). + +## How to build +``` +docker build . -t hpc/openstack-heat + +``` diff --git a/docker-heat/admin-openrc.sh b/docker-heat/admin-openrc.sh new file mode 100644 index 0000000..2485c88 --- /dev/null +++ b/docker-heat/admin-openrc.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# To create the Identity service credentials +export OS_IDENTITY_API_VERSION=3 +export OS_USERNAME=admin +export OS_PASSWORD=geheim +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 diff --git a/docker-heat/bootstrap.sh b/docker-heat/bootstrap.sh new file mode 100755 index 0000000..7c75f1c --- /dev/null +++ b/docker-heat/bootstrap.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export HEAT_USER=heat +export HEAT_PASSWORD=${HEAT_PASSWORD} +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 +EOF + +source /root/admin-openrc.sh + +# Write the config files +/etc/write_conf.sh + +# create database for heat +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF +drop database if exists heat; +create database heat; +GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'localhost' IDENTIFIED BY "$HEAT_PASSWORD"; +GRANT ALL PRIVILEGES ON heat.* TO 'heat'@'%' IDENTIFIED BY "$HEAT_PASSWORD"; +EOF + +openstack user create "$HEAT_USER" --domain Default --password "$HEAT_PASSWORD" +openstack role add --project service --user heat admin + +openstack service create --name heat --description "Orchestration" orchestration +openstack service create --name heat-cfn --description "Orchestration" cloudformation + +openstack endpoint create orchestration public http://"${HEAT_HOST}":8004/v1/%\(tenant_id\)s --region RegionOne +openstack endpoint create orchestration internal http://"${HEAT_HOST}":8004/v1/%\(tenant_id\)s --region RegionOne +openstack endpoint create orchestration admin http://"${HEAT_HOST}":8004/v1/%\(tenant_id\)s --region RegionOne + +openstack endpoint create cloudformation public http://"${HEAT_HOST}":8000/v1 --region RegionOne +openstack endpoint create cloudformation internal http://"${HEAT_HOST}":8000/v1 --region RegionOne +openstack endpoint create cloudformation admin http://"${HEAT_HOST}":8000/v1 --region RegionOne + +openstack domain create --description "Stack projects and users" heat + +openstack user create --domain heat --password "$HEAT_PASSWORD" heat_domain_admin +openstack role add --domain heat --user-domain heat --user heat_domain_admin admin + +openstack role create heat_stack_owner +openstack role add --project demo --user demo heat_stack_owner +openstack role create heat_stack_user + +# sync the database +su -s /bin/sh -c "heat-manage db_sync" heat diff --git a/docker-heat/run.sh b/docker-heat/run.sh new file mode 100755 index 0000000..50347f3 --- /dev/null +++ b/docker-heat/run.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +# Write the config files +/etc/write_conf.sh + +heat-api -v -d & +sleep 5 +heat-api-cfn -v -d & +sleep 5 +heat-engine -v -d & +# If any process fails, kill the rest. +# This insures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-heat/write_conf.sh b/docker-heat/write_conf.sh new file mode 100755 index 0000000..75f4e93 --- /dev/null +++ b/docker-heat/write_conf.sh @@ -0,0 +1,35 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /etc/heat/heat.conf + +[database] +connection = mysql+pymysql://heat:$HEAT_PASSWORD@$MYSQL_HOST/heat + +[DEFAULT] +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST +heat_metadata_server_url = http://$HEAT_HOST:8000 +heat_waitcondition_server_url = http://$HEAT_HOST:8000/v1/waitcondition + + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $HEAT_USER +password = $HEAT_PASSWORD + +[trustee] +auth_plugin = password +auth_url = http://$KEYSTONE_HOST:35357 +username = $HEAT_USER +password = $HEAT_PASSWORD +user_domain_name = Default + +EOF diff --git a/docker-horizon/.gitignore b/docker-horizon/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-horizon/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-horizon/000-default.conf b/docker-horizon/000-default.conf new file mode 100644 index 0000000..8347d35 --- /dev/null +++ b/docker-horizon/000-default.conf @@ -0,0 +1,11 @@ + + RedirectMatch "^/$" "/horizon" + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/docker-horizon/Dockerfile b/docker-horizon/Dockerfile new file mode 100644 index 0000000..3a3d72b --- /dev/null +++ b/docker-horizon/Dockerfile @@ -0,0 +1,35 @@ +# Build keystone. It needs to be run with +# --add-host=mariadb: +# Wen starting with an initialized db, +# run keystone-manage db_sync from this docker first: +# $ docker run hpc/keystone --add-host=mariadb: "keystone-manage db_sync" + +FROM ubuntu:16.04 + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install \ + && apt-get -y install openstack-dashboard \ + python-openstackclient \ + && apt-get -y clean + +EXPOSE 80 + +COPY local_settings.py /etc/openstack-dashboard/local_settings.py + +# Add a redirect to /keystone instead of the "It works! page" +COPY 000-default.conf /etc/apache2/sites-available + +RUN chown -R www-data: /var/lib/openstack-dashboard/ + +RUN touch /var/log/horizon.log + +RUN chown www-data: /var/log/horizon.log + +RUN chown horizon: /var/lib/openstack-dashboard/secret_key + +CMD apachectl -DFOREGROUND + diff --git a/docker-horizon/README.md b/docker-horizon/README.md new file mode 100644 index 0000000..03b15ea --- /dev/null +++ b/docker-horizon/README.md @@ -0,0 +1,9 @@ +# docker-horizon + +Docker image to build horizon + +To run, use the following command: + +``` +docker run -e "MEMCACHED_SERVER=172.23.38.123" -e "OPENSTACK_HOST=172.23.38.123" -it --rm +``` diff --git a/docker-horizon/admin-openrc.sh b/docker-horizon/admin-openrc.sh new file mode 100644 index 0000000..2485c88 --- /dev/null +++ b/docker-horizon/admin-openrc.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +# To create the Identity service credentials +export OS_IDENTITY_API_VERSION=3 +export OS_USERNAME=admin +export OS_PASSWORD=geheim +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 diff --git a/docker-horizon/local_settings.py b/docker-horizon/local_settings.py new file mode 100644 index 0000000..0897fd4 --- /dev/null +++ b/docker-horizon/local_settings.py @@ -0,0 +1,518 @@ +# -*- coding: utf-8 -*- + +import os + +from django.utils.translation import ugettext_lazy as _ + +from horizon.utils import secret_key + +from openstack_dashboard.settings import HORIZON_CONFIG + +DEBUG = False + +WEBROOT = '/' + +LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) + +SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key') + +SESSION_ENGINE = 'django.contrib.sessions.backends.cache' + +MEMCACHED_SERVER = os.environ['MEMCACHED_SERVER'] + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '{}:11211'.format(MEMCACHED_SERVER), + }, +} + +# Send email to the console by default +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' + +# Configure these for your outgoing email host +#EMAIL_HOST = 'smtp.my-company.com' +#EMAIL_PORT = 25 +#EMAIL_HOST_USER = 'djangomail' +#EMAIL_HOST_PASSWORD = 'top-secret!' + +OPENSTACK_HOST = os.environ['KEYSTONE_HOST'] +OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" + + +OPENSTACK_API_VERSIONS = { + "identity": 3, + "image": 2, + "volume": 2, +} + + +# Disable SSL certificate checks (useful for self-signed certificates): +#OPENSTACK_SSL_NO_VERIFY = True + +# The CA certificate to use to verify SSL connections +#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + +# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the +# capabilities of the auth backend for Keystone. +# If Keystone has been configured to use LDAP as the auth backend then set +# can_edit_user to False and name to 'ldap'. +# +# TODO(tres): Remove these once Keystone has an API to identify auth backend. +OPENSTACK_KEYSTONE_BACKEND = { + 'name': 'native', + 'can_edit_user': True, + 'can_edit_group': True, + 'can_edit_project': True, + 'can_edit_domain': True, + 'can_edit_role': True, +} + +# Setting this to True, will add a new "Retrieve Password" action on instance, +# allowing Admin session password retrieval/decryption. +#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False + +# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to +# determine the experience to enable. Set them both to true to enable +# both. +#LAUNCH_INSTANCE_LEGACY_ENABLED = True +#LAUNCH_INSTANCE_NG_ENABLED = False + +# The Xen Hypervisor has the ability to set the mount point for volumes +# attached to instances (other Hypervisors currently do not). Setting +# can_set_mount_point to True will add the option to set the mount point +# from the UI. +OPENSTACK_HYPERVISOR_FEATURES = { + 'can_set_mount_point': False, + 'can_set_password': False, + 'requires_keypair': False, + 'enable_quotas': True +} + +# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional +# services provided by cinder that is not exposed by its extension API. +OPENSTACK_CINDER_FEATURES = { + 'enable_backup': False, +} + +# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional +# services provided by neutron. Options currently available are load +# balancer service, security groups, quotas, VPN service. +OPENSTACK_NEUTRON_NETWORK = { + 'enable_router': False, + 'enable_quotas': False, + 'enable_ipv6': False, + 'enable_distributed_router': False, + 'enable_ha_router': False, + 'enable_lb': False, + 'enable_firewall': False, + 'enable_vpn': False, + 'enable_fip_topology_check': False, + + # profile_support can be turned on if needed. + 'profile_support': None, + #'profile_support': 'cisco', + 'supported_vnic_types': ['*'], +} + +# The OPENSTACK_HEAT_STACK settings can be used to disable password +# field required while launching the stack. +OPENSTACK_HEAT_STACK = { + 'enable_user_pass': True, +} + +#OPENSTACK_IMAGE_BACKEND = { +# 'image_formats': [ +# ('', _('Select format')), +# ('aki', _('AKI - Amazon Kernel Image')), +# ('ami', _('AMI - Amazon Machine Image')), +# ('ari', _('ARI - Amazon Ramdisk Image')), +# ('docker', _('Docker')), +# ('iso', _('ISO - Optical Disk Image')), +# ('ova', _('OVA - Open Virtual Appliance')), +# ('qcow2', _('QCOW2 - QEMU Emulator')), +# ('raw', _('Raw')), +# ('vdi', _('VDI - Virtual Disk Image')), +# ('vhd', _('VHD - Virtual Hard Disk')), +# ('vmdk', _('VMDK - Virtual Machine Disk')), +# ], +#} + +# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for +# image custom property attributes that appear on image detail pages. +IMAGE_CUSTOM_PROPERTY_TITLES = { + "architecture": _("Architecture"), + "kernel_id": _("Kernel ID"), + "ramdisk_id": _("Ramdisk ID"), + "image_state": _("Euca2ools state"), + "project_id": _("Project ID"), + "image_type": _("Image Type"), +} + +# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image +# custom properties should not be displayed in the Image Custom Properties +# table. +IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + +# Set to 'legacy' or 'direct' to allow users to upload images to glance via +# Horizon server. When enabled, a file form field will appear on the create +# image form. If set to 'off', there will be no file form field on the create +# image form. See documentation for deployment considerations. +#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' + +# Allow a location to be set when creating or updating Glance images. +# If using Glance V2, this value should be False unless the Glance +# configuration and policies allow setting locations. +#IMAGES_ALLOW_LOCATION = False + +# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is 'publicURL'. +OPENSTACK_ENDPOINT_TYPE = "publicURL" + +# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the +# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is None. This +# value should differ from OPENSTACK_ENDPOINT_TYPE if used. +#SECONDARY_ENDPOINT_TYPE = None + +# The number of objects (Swift containers/objects or images) to display +# on a single page before providing a paging element (a "more" link) +# to paginate results. +API_RESULT_LIMIT = 1000 +API_RESULT_PAGE_SIZE = 20 + +# The size of chunk in bytes for downloading objects from Swift +SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 + +# The default number of lines displayed for instance console log. +INSTANCE_LOG_LENGTH = 35 + +# Specify a maximum number of items to display in a dropdown. +DROPDOWN_MAX_ITEMS = 30 + +# The timezone of the server. This should correspond with the timezone +# of your entire OpenStack installation, and hopefully be in UTC. +TIME_ZONE = "UTC" + +# When launching an instance, the menu of available flavors is +# sorted by RAM usage, ascending. If you would like a different sort order, +# you can provide another flavor attribute as sorting key. Alternatively, you +# can provide a custom callback method to use for sorting. You can also provide +# a flag for reverse sort. For more info, see +# http://docs.python.org/2/library/functions.html#sorted +#CREATE_INSTANCE_FLAVOR_SORT = { +# 'key': 'name', +# # or +# 'key': my_awesome_callback_method, +# 'reverse': False, +#} + +# Set this to True to display an 'Admin Password' field on the Change Password +# form to verify that it is indeed the admin logged-in who wants to change +# the password. +#ENFORCE_PASSWORD_CHECK = False + +# Modules that provide /auth routes that can be used to handle different types +# of user authentication. Add auth plugins that require extra route handling to +# this list. +#AUTHENTICATION_URLS = [ +# 'openstack_auth.urls', +#] + +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. + +# Path to directory containing policy.json files +#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") + +# Map of local copy of service policy files. +# Please insure that your identity policy file matches the one being used on +# your keystone servers. There is an alternate policy file that may be used +# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. +# This file is not included in the Horizon repository by default but can be +# found at +# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ +# policy.v3cloudsample.json +# Having matching policy files on the Horizon and Keystone servers is essential +# for normal operation. This holds true for all services and their policy files. +#POLICY_FILES = { +# 'identity': 'keystone_policy.json', +# 'compute': 'nova_policy.json', +# 'volume': 'cinder_policy.json', +# 'image': 'glance_policy.json', +# 'orchestration': 'heat_policy.json', +# 'network': 'neutron_policy.json', +#} + +# TODO: (david-lyle) remove when plugins support adding settings. +# Note: Only used when trove-dashboard plugin is configured to be used by +# Horizon. +# Trove user and database extension support. By default support for +# creating users and databases on database instances is turned on. +# To disable these extensions set the permission here to something +# unusable such as ["!"]. +#TROVE_ADD_USER_PERMS = [] +#TROVE_ADD_DATABASE_PERMS = [] + +# Change this patch to the appropriate list of tuples containing +# a key, label and static directory containing two files: +# _variables.scss and _styles.scss +#AVAILABLE_THEMES = [ +# ('default', 'Default', 'themes/default'), +# ('material', 'Material', 'themes/material'), +#] + +LOGGING = { + 'version': 1, + # When set to True this will disable all logging except + # for loggers specified in this configuration dictionary. Note that + # if nothing is specified here and disable_existing_loggers is True, + # django.db.backends will still log unless it is disabled explicitly. + 'disable_existing_loggers': False, + 'formatters': { + 'operation': { + # The format of "%(message)s" is defined by + # OPERATION_LOG_OPTIONS['format'] + 'format': '%(asctime)s %(message)s' + }, + }, + 'handlers': { + 'null': { + 'level': 'DEBUG', + 'class': 'logging.NullHandler', + }, + 'console': { + # Set the level to "DEBUG" for verbose output logging. + 'level': 'INFO', + 'class': 'logging.StreamHandler', + }, + 'operation': { + 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'operation', + }, + }, + 'loggers': { + # Logging from django.db.backends is VERY verbose, send to null + # by default. + 'django.db.backends': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests': { + 'handlers': ['null'], + 'propagate': False, + }, + 'horizon': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'horizon.operation_log': { + 'handlers': ['operation'], + 'level': 'INFO', + 'propagate': False, + }, + 'openstack_dashboard': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'novaclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'cinderclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneauth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'glanceclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'neutronclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'heatclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'swiftclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_auth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'nose.plugins.manager': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'django': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'iso8601': { + 'handlers': ['null'], + 'propagate': False, + }, + 'scss': { + 'handlers': ['null'], + 'propagate': False, + }, + }, +} + +# 'direction' should not be specified for all_tcp/udp/icmp. +# It is specified in the form. +SECURITY_GROUP_RULES = { + 'all_tcp': { + 'name': _('All TCP'), + 'ip_protocol': 'tcp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_udp': { + 'name': _('All UDP'), + 'ip_protocol': 'udp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_icmp': { + 'name': _('All ICMP'), + 'ip_protocol': 'icmp', + 'from_port': '-1', + 'to_port': '-1', + }, + 'ssh': { + 'name': 'SSH', + 'ip_protocol': 'tcp', + 'from_port': '22', + 'to_port': '22', + }, + 'smtp': { + 'name': 'SMTP', + 'ip_protocol': 'tcp', + 'from_port': '25', + 'to_port': '25', + }, + 'dns': { + 'name': 'DNS', + 'ip_protocol': 'tcp', + 'from_port': '53', + 'to_port': '53', + }, + 'http': { + 'name': 'HTTP', + 'ip_protocol': 'tcp', + 'from_port': '80', + 'to_port': '80', + }, + 'pop3': { + 'name': 'POP3', + 'ip_protocol': 'tcp', + 'from_port': '110', + 'to_port': '110', + }, + 'imap': { + 'name': 'IMAP', + 'ip_protocol': 'tcp', + 'from_port': '143', + 'to_port': '143', + }, + 'ldap': { + 'name': 'LDAP', + 'ip_protocol': 'tcp', + 'from_port': '389', + 'to_port': '389', + }, + 'https': { + 'name': 'HTTPS', + 'ip_protocol': 'tcp', + 'from_port': '443', + 'to_port': '443', + }, + 'smtps': { + 'name': 'SMTPS', + 'ip_protocol': 'tcp', + 'from_port': '465', + 'to_port': '465', + }, + 'imaps': { + 'name': 'IMAPS', + 'ip_protocol': 'tcp', + 'from_port': '993', + 'to_port': '993', + }, + 'pop3s': { + 'name': 'POP3S', + 'ip_protocol': 'tcp', + 'from_port': '995', + 'to_port': '995', + }, + 'ms_sql': { + 'name': 'MS SQL', + 'ip_protocol': 'tcp', + 'from_port': '1433', + 'to_port': '1433', + }, + 'mysql': { + 'name': 'MYSQL', + 'ip_protocol': 'tcp', + 'from_port': '3306', + 'to_port': '3306', + }, + 'rdp': { + 'name': 'RDP', + 'ip_protocol': 'tcp', + 'from_port': '3389', + 'to_port': '3389', + }, +} + +REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', + 'LAUNCH_INSTANCE_DEFAULTS', + 'OPENSTACK_IMAGE_FORMATS', + 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN'] + + # The default theme if no cookie is present +DEFAULT_THEME = 'ubuntu' + +# Default Ubuntu apache configuration uses /horizon as the application root. +WEBROOT='/horizon/' + +# By default, validation of the HTTP Host header is disabled. Production +# installations should have this set accordingly. For more information +# see https://docs.djangoproject.com/en/dev/ref/settings/. +ALLOWED_HOSTS = '*' + +# Compress all assets offline as part of packaging installation +COMPRESS_OFFLINE = True + +ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} diff --git a/docker-keystone/.gitignore b/docker-keystone/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-keystone/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-keystone/Dockerfile b/docker-keystone/Dockerfile new file mode 100644 index 0000000..d757a54 --- /dev/null +++ b/docker-keystone/Dockerfile @@ -0,0 +1,28 @@ +# Build keystone. It needs to be run with +# --add-host=mariadb: +# Wen starting with an initialized db, +# run keystone-manage db_sync from this docker first: +# $ docker run hpc/keystone --add-host=mariadb: "keystone-manage db_sync" + +FROM ubuntu:16.04 + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install \ + && apt-get -y install keystone python-openstackclient \ + && apt-get -y clean + +# set admin token TODO: make this a secret +# in volume of met env +COPY keystone.conf /etc/keystone/keystone.conf + +RUN mkdir /etc/keystone/fernet-keys + +RUN chown keystone: /etc/keystone/fernet-keys + +COPY bootstrap.sh /etc/bootstrap.sh + +CMD apachectl -DFOREGROUND diff --git a/docker-keystone/README.md b/docker-keystone/README.md new file mode 100644 index 0000000..83f60b6 --- /dev/null +++ b/docker-keystone/README.md @@ -0,0 +1,9 @@ +# ubuntu 16.04 openstack ocata keystone + +## How to build the docker image. +``` +docker build . -t hpc/openstack-keystone +``` + +## Notes +This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud) diff --git a/docker-keystone/bootstrap.sh b/docker-keystone/bootstrap.sh new file mode 100755 index 0000000..041f602 --- /dev/null +++ b/docker-keystone/bootstrap.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 +EOF + +# Create demo-openrc.sh +cat << EOF > /root/demo-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=demo +export OS_USERNAME=demo +export OS_PASSWORD=${OS_DEMO_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 +EOF + +source /root/admin-openrc.sh + +sleep 3 + +openstack project create --domain default \ + --description "Service Project" service + +sleep 3 + +openstack project create --domain default \ + --description "Demo Project" demo + +sleep 3 + +openstack user create --domain default \ + --password "$OS_DEMO_PASSWORD" demo + +sleep 3 + +openstack role create user + +sleep 3 + +openstack role add --project demo --user demo user diff --git a/docker-keystone/keystone.conf b/docker-keystone/keystone.conf new file mode 100644 index 0000000..ae08a24 --- /dev/null +++ b/docker-keystone/keystone.conf @@ -0,0 +1,12 @@ +[DEFAULT] + +verbose = true + +[database] +connection = mysql+pymysql://keystone:keystone@mariadb/keystone + +[token] +provider = fernet + +[identity] +default_domain_id = default diff --git a/docker-keystone/keystone.service b/docker-keystone/keystone.service new file mode 100644 index 0000000..4fef167 --- /dev/null +++ b/docker-keystone/keystone.service @@ -0,0 +1,17 @@ +[Unit] +Description=Openstack Keystone Container +After=docker.service +Requires=docker.service + +[Service] +TimeoutStartSec=0 +Restart=always +ExecStartPre=-/usr/bin/docker rm -f %n +ExecStart=/usr/bin/docker run --name %n \ + --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \ + -p 5000:5000 -p 35357:35357 \ + -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys \ + hpc/keystone + +[Install] +WantedBy=multi-user.target diff --git a/docker-neutron-controller/.gitignore b/docker-neutron-controller/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-neutron-controller/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-neutron-controller/Dockerfile b/docker-neutron-controller/Dockerfile new file mode 100644 index 0000000..e0a6ff2 --- /dev/null +++ b/docker-neutron-controller/Dockerfile @@ -0,0 +1,31 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + mysql-client \ + python-mysqldb \ + python-openstackclient \ + neutron-server \ + neutron-plugin-ml2 \ + neutron-linuxbridge-agent \ + neutron-l3-agent \ + neutron-metadata-agent \ + && apt-get -y clean + +# add bootstrap script and make it executable +COPY bootstrap.sh /etc/bootstrap.sh + +# Workaround for vlan_transparent parameter set to None. +COPY db_base_plugin_v2.py /usr/lib/python2.7/dist-packages/neutron/db/db_base_plugin_v2.py + +COPY run.sh /etc/run.sh +COPY write_conf.sh /etc/write_conf.sh + +CMD ["/etc/run.sh"] diff --git a/docker-neutron-controller/README.md b/docker-neutron-controller/README.md new file mode 100644 index 0000000..6661a20 --- /dev/null +++ b/docker-neutron-controller/README.md @@ -0,0 +1,21 @@ +# ubuntu 16.04 openstack ocata neutron controler node + +## How to build the docker image. +``` +docker build . -t="hpc/neutroncontroller" +``` + +## How to bootstrap the service. +Before we can take the container into service we need accounts in keystone. +We also need an initial database. Both of these tasks are performed by the bootstrap script. +``` +docker run --rm --it --add-host="controller:" hpc/neutroncontroler /etc/bootstrap.sh +``` + +## How to run +This image needs a lot of environment variables. It should be run via the `hpc-cloud` ansible repository. + + +## Notes +This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud) +The -p option is added to the run command to make the container accessible from (containers on ) other hosts than the container host. diff --git a/docker-neutron-controller/bootstrap.sh b/docker-neutron-controller/bootstrap.sh new file mode 100755 index 0000000..065a6c6 --- /dev/null +++ b/docker-neutron-controller/bootstrap.sh @@ -0,0 +1,76 @@ +#!/bin/bash +# +# This script sets up the openstack users and regions.. +# as well as the database for the nova controller. +# This guide was used: +# https://docs.openstack.org/ocata/install-guide-ubuntu/nova-controller-install. + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 + +EOF + +source /root/admin-openrc.sh + +# create database for neutron. +SQL_SCRIPT=/root/neutron.sql +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF +DROP DATABASE IF EXISTS neutron; +CREATE DATABASE neutron; + +GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \ + IDENTIFIED BY "${NEUTRON_PASSWORD}"; + +GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \ + IDENTIFIED BY "${NEUTRON_PASSWORD}"; +EOF + +openstack user create "$NEUTRON_USER" --domain default --password "$NEUTRON_PASSWORD" +openstack role add --project service --user neutron admin +openstack service create --name neutron --description "OpenStack Networking" network + +# neutron endpoints +openstack endpoint create --region RegionOne \ + network public http://$MY_IP:9696 + +openstack endpoint create --region RegionOne \ + network internal http://$MY_IP:9696 + +openstack endpoint create --region RegionOne \ + network admin http://$MY_IP:9696 + +# population of the database requires complete server and plug-in configuration files. +/etc/write_conf.sh + +# Ugly hacks to prevent the manage command from failing +sed -i "/ op.drop_column('networks', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py +sed -i "/ op.drop_column('subnets', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py +sed -i "/ op.drop_column('qos_policies', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/mitaka/contract/c6c112992c9_rbac_qos_policy.py + +neutron-db-manage --config-file /etc/neutron/neutron.conf \ + --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head + +# And now we drop the colums and constraints that the ORM fails to drop. +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" neutron << EOF + +ALTER TABLE networks DROP CONSTRAINT CONSTRAINT_2; +alter table networks drop column shared; + +ALTER TABLE subnets DROP CONSTRAINT CONSTRAINT_2; +ALTER TABLE subnets DROP COLUMN shared; + +ALTER TABLE qos_policies DROP CONSTRAINT CONSTRAINT_1; +ALTER TABLE qos_policies drop column shared + +EOF diff --git a/docker-neutron-controller/db_base_plugin_v2.py b/docker-neutron-controller/db_base_plugin_v2.py new file mode 100644 index 0000000..865eaad --- /dev/null +++ b/docker-neutron-controller/db_base_plugin_v2.py @@ -0,0 +1,1388 @@ +# Copyright (c) 2012 OpenStack Foundation. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import functools + +import netaddr +from neutron_lib.api import validators +from neutron_lib import constants +from neutron_lib import exceptions as exc +from neutron_lib.plugins import directory +from oslo_config import cfg +from oslo_db import exception as os_db_exc +from oslo_log import log as logging +from oslo_utils import excutils +from oslo_utils import uuidutils +from sqlalchemy import and_ +from sqlalchemy import exc as sql_exc +from sqlalchemy import not_ + +from neutron._i18n import _, _LE, _LI +from neutron.api.rpc.agentnotifiers import l3_rpc_agent_api +from neutron.api.v2 import attributes +from neutron.callbacks import events +from neutron.callbacks import exceptions +from neutron.callbacks import registry +from neutron.callbacks import resources +from neutron.common import constants as n_const +from neutron.common import exceptions as n_exc +from neutron.common import ipv6_utils +from neutron.common import utils +from neutron import context as ctx +from neutron.db import _utils as ndb_utils +from neutron.db import api as db_api +from neutron.db import db_base_plugin_common +from neutron.db import ipam_pluggable_backend +from neutron.db import models_v2 +from neutron.db import rbac_db_mixin as rbac_mixin +from neutron.db import rbac_db_models as rbac_db +from neutron.db import standardattrdescription_db as stattr_db +from neutron.extensions import ip_allocation as ipa +from neutron.extensions import l3 +from neutron import ipam +from neutron.ipam import exceptions as ipam_exc +from neutron.ipam import subnet_alloc +from neutron import neutron_plugin_base_v2 +from neutron.objects import base as base_obj +from neutron.objects import subnetpool as subnetpool_obj + + +LOG = logging.getLogger(__name__) + +# Ports with the following 'device_owner' values will not prevent +# network deletion. If delete_network() finds that all ports on a +# network have these owners, it will explicitly delete each port +# and allow network deletion to continue. Similarly, if delete_subnet() +# finds out that all existing IP Allocations are associated with ports +# with these owners, it will allow subnet deletion to proceed with the +# IP allocations being cleaned up by cascade. +AUTO_DELETE_PORT_OWNERS = [constants.DEVICE_OWNER_DHCP] + +DNS_DOMAIN_DEFAULT = 'openstacklocal.' +FQDN_MAX_LEN = 255 + + +def _check_subnet_not_used(context, subnet_id): + try: + kwargs = {'context': context, 'subnet_id': subnet_id} + registry.notify( + resources.SUBNET, events.BEFORE_DELETE, None, **kwargs) + except exceptions.CallbackFailure as e: + raise exc.SubnetInUse(subnet_id=subnet_id, reason=e) + + +def _update_subnetpool_dict(orig_pool, new_pool): + updated = dict((k, v) for k, v in orig_pool.to_dict().items() + if k not in orig_pool.synthetic_fields) + + new_pool = new_pool.copy() + new_prefixes = new_pool.pop('prefixes', constants.ATTR_NOT_SPECIFIED) + for k, v in new_pool.items(): + if k not in orig_pool.fields_no_update: + updated[k] = v + if new_prefixes is not constants.ATTR_NOT_SPECIFIED: + orig_ip_set = netaddr.IPSet(orig_pool.prefixes) + new_ip_set = netaddr.IPSet(new_prefixes) + if not orig_ip_set.issubset(new_ip_set): + msg = _("Existing prefixes must be " + "a subset of the new prefixes") + raise n_exc.IllegalSubnetPoolPrefixUpdate(msg=msg) + new_ip_set.compact() + updated['prefixes'] = [str(prefix.cidr) + for prefix in new_ip_set.iter_cidrs()] + else: + updated['prefixes'] = [str(prefix) + for prefix in orig_pool.prefixes] + return updated + + +class NeutronDbPluginV2(db_base_plugin_common.DbBasePluginCommon, + neutron_plugin_base_v2.NeutronPluginBaseV2, + rbac_mixin.RbacPluginMixin, + stattr_db.StandardAttrDescriptionMixin): + """V2 Neutron plugin interface implementation using SQLAlchemy models. + + Whenever a non-read call happens the plugin will call an event handler + class method (e.g., network_created()). The result is that this class + can be sub-classed by other classes that add custom behaviors on certain + events. + """ + + # This attribute specifies whether the plugin supports or not + # bulk/pagination/sorting operations. Name mangling is used in + # order to ensure it is qualified by class + __native_bulk_support = True + __native_pagination_support = True + __native_sorting_support = True + + def __init__(self): + self.set_ipam_backend() + if cfg.CONF.notify_nova_on_port_status_changes: + # Import nova conditionally to support the use case of Neutron + # being used outside of an OpenStack context. + from neutron.notifiers import nova + # NOTE(arosen) These event listeners are here to hook into when + # port status changes and notify nova about their change. + self.nova_notifier = nova.Notifier.get_instance() + db_api.sqla_listen(models_v2.Port, 'after_insert', + self.nova_notifier.send_port_status) + db_api.sqla_listen(models_v2.Port, 'after_update', + self.nova_notifier.send_port_status) + db_api.sqla_listen(models_v2.Port.status, 'set', + self.nova_notifier.record_port_status_changed) + for e in (events.BEFORE_CREATE, events.BEFORE_UPDATE, + events.BEFORE_DELETE): + registry.subscribe(self.validate_network_rbac_policy_change, + rbac_mixin.RBAC_POLICY, e) + + @db_api.retry_if_session_inactive() + def validate_network_rbac_policy_change(self, resource, event, trigger, + context, object_type, policy, + **kwargs): + """Validates network RBAC policy changes. + + On creation, verify that the creator is an admin or that it owns the + network it is sharing. + + On update and delete, make sure the tenant losing access does not have + resources that depend on that access. + """ + if object_type != 'network' or policy['action'] != 'access_as_shared': + # we only care about shared network policies + return + # The object a policy targets cannot be changed so we can look + # at the original network for the update event as well. + net = self._get_network(context, policy['object_id']) + if event in (events.BEFORE_CREATE, events.BEFORE_UPDATE): + # we still have to verify that the caller owns the network because + # _get_network will succeed on a shared network + if not context.is_admin and net['tenant_id'] != context.tenant_id: + msg = _("Only admins can manipulate policies on networks " + "they do not own") + raise exc.InvalidInput(error_message=msg) + + tenant_to_check = None + self_sharing = policy['target_tenant'] == net['tenant_id'] + if self_sharing: + return + if event == events.BEFORE_UPDATE: + new_tenant = kwargs['policy_update']['target_tenant'] + if policy['target_tenant'] != new_tenant: + tenant_to_check = policy['target_tenant'] + + if event == events.BEFORE_DELETE: + tenant_to_check = policy['target_tenant'] + + if tenant_to_check: + self.ensure_no_tenant_ports_on_network(net['id'], net['tenant_id'], + tenant_to_check) + + def ensure_no_tenant_ports_on_network(self, network_id, net_tenant_id, + tenant_id): + ctx_admin = ctx.get_admin_context() + rb_model = rbac_db.NetworkRBAC + other_rbac_entries = self._model_query(ctx_admin, rb_model).filter( + and_(rb_model.object_id == network_id, + rb_model.action == 'access_as_shared')) + ports = self._model_query(ctx_admin, models_v2.Port).filter( + models_v2.Port.network_id == network_id) + if tenant_id == '*': + # for the wildcard we need to get all of the rbac entries to + # see if any allow the remaining ports on the network. + other_rbac_entries = other_rbac_entries.filter( + rb_model.target_tenant != tenant_id) + # any port with another RBAC entry covering it or one belonging to + # the same tenant as the network owner is ok + allowed_tenants = [entry['target_tenant'] + for entry in other_rbac_entries] + allowed_tenants.append(net_tenant_id) + ports = ports.filter( + ~models_v2.Port.tenant_id.in_(allowed_tenants)) + else: + # if there is a wildcard rule, we can return early because it + # allows any ports + query = other_rbac_entries.filter(rb_model.target_tenant == '*') + if query.count(): + return + ports = ports.filter(models_v2.Port.tenant_id == tenant_id) + if ports.count(): + raise n_exc.InvalidSharedSetting(network=network_id) + + def set_ipam_backend(self): + self.ipam = ipam_pluggable_backend.IpamPluggableBackend() + + def _validate_host_route(self, route, ip_version): + try: + netaddr.IPNetwork(route['destination']) + netaddr.IPAddress(route['nexthop']) + except netaddr.core.AddrFormatError: + err_msg = _("Invalid route: %s") % route + raise exc.InvalidInput(error_message=err_msg) + except ValueError: + # netaddr.IPAddress would raise this + err_msg = _("Invalid route: %s") % route + raise exc.InvalidInput(error_message=err_msg) + self._validate_ip_version(ip_version, route['nexthop'], 'nexthop') + self._validate_ip_version(ip_version, route['destination'], + 'destination') + + def _validate_shared_update(self, context, id, original, updated): + # The only case that needs to be validated is when 'shared' + # goes from True to False + if updated['shared'] == original.shared or updated['shared']: + return + ports = self._model_query( + context, models_v2.Port).filter(models_v2.Port.network_id == id) + ports = ports.filter(not_(models_v2.Port.device_owner.startswith( + constants.DEVICE_OWNER_NETWORK_PREFIX))) + subnets = self._model_query( + context, models_v2.Subnet).filter( + models_v2.Subnet.network_id == id) + tenant_ids = set([port['tenant_id'] for port in ports] + + [subnet['tenant_id'] for subnet in subnets]) + # raise if multiple tenants found or if the only tenant found + # is not the owner of the network + if (len(tenant_ids) > 1 or len(tenant_ids) == 1 and + tenant_ids.pop() != original.tenant_id): + raise n_exc.InvalidSharedSetting(network=original.name) + + def _validate_ipv6_attributes(self, subnet, cur_subnet): + if cur_subnet: + self._validate_ipv6_update_dhcp(subnet, cur_subnet) + return + ra_mode_set = validators.is_attr_set(subnet.get('ipv6_ra_mode')) + address_mode_set = validators.is_attr_set( + subnet.get('ipv6_address_mode')) + self._validate_ipv6_dhcp(ra_mode_set, address_mode_set, + subnet['enable_dhcp']) + if ra_mode_set and address_mode_set: + self._validate_ipv6_combination(subnet['ipv6_ra_mode'], + subnet['ipv6_address_mode']) + if address_mode_set or ra_mode_set: + self._validate_eui64_applicable(subnet) + + def _validate_eui64_applicable(self, subnet): + # Per RFC 4862, section 5.5.3, prefix length and interface + # id together should be equal to 128. Currently neutron supports + # EUI64 interface id only, thus limiting the prefix + # length to be 64 only. + if ipv6_utils.is_auto_address_subnet(subnet): + if netaddr.IPNetwork(subnet['cidr']).prefixlen != 64: + msg = _('Invalid CIDR %s for IPv6 address mode. ' + 'OpenStack uses the EUI-64 address format, ' + 'which requires the prefix to be /64') + raise exc.InvalidInput( + error_message=(msg % subnet['cidr'])) + + def _validate_ipv6_combination(self, ra_mode, address_mode): + if ra_mode != address_mode: + msg = _("ipv6_ra_mode set to '%(ra_mode)s' with ipv6_address_mode " + "set to '%(addr_mode)s' is not valid. " + "If both attributes are set, they must be the same value" + ) % {'ra_mode': ra_mode, 'addr_mode': address_mode} + raise exc.InvalidInput(error_message=msg) + + def _validate_ipv6_dhcp(self, ra_mode_set, address_mode_set, enable_dhcp): + if (ra_mode_set or address_mode_set) and not enable_dhcp: + msg = _("ipv6_ra_mode or ipv6_address_mode cannot be set when " + "enable_dhcp is set to False") + raise exc.InvalidInput(error_message=msg) + + def _validate_ipv6_update_dhcp(self, subnet, cur_subnet): + if ('enable_dhcp' in subnet and not subnet['enable_dhcp']): + msg = _("Cannot disable enable_dhcp with " + "ipv6 attributes set") + + ra_mode_set = validators.is_attr_set(subnet.get('ipv6_ra_mode')) + address_mode_set = validators.is_attr_set( + subnet.get('ipv6_address_mode')) + + if ra_mode_set or address_mode_set: + raise exc.InvalidInput(error_message=msg) + + old_ra_mode_set = validators.is_attr_set( + cur_subnet.get('ipv6_ra_mode')) + old_address_mode_set = validators.is_attr_set( + cur_subnet.get('ipv6_address_mode')) + + if old_ra_mode_set or old_address_mode_set: + raise exc.InvalidInput(error_message=msg) + + def _create_bulk(self, resource, context, request_items): + objects = [] + collection = "%ss" % resource + items = request_items[collection] + context.session.begin(subtransactions=True) + try: + for item in items: + obj_creator = getattr(self, 'create_%s' % resource) + objects.append(obj_creator(context, item)) + context.session.commit() + except Exception: + context.session.rollback() + with excutils.save_and_reraise_exception(): + LOG.error(_LE("An exception occurred while creating " + "the %(resource)s:%(item)s"), + {'resource': resource, 'item': item}) + return objects + + @db_api.retry_if_session_inactive() + def create_network_bulk(self, context, networks): + return self._create_bulk('network', context, networks) + + @db_api.retry_if_session_inactive() + def create_network(self, context, network): + """Handle creation of a single network.""" + net_db = self.create_network_db(context, network) + return self._make_network_dict(net_db, process_extensions=False, + context=context) + + def create_network_db(self, context, network): + # single request processing + n = network['network'] + # NOTE(jkoelker) Get the tenant_id outside of the session to avoid + # unneeded db action if the operation raises + tenant_id = n['tenant_id'] + with context.session.begin(subtransactions=True): + args = {'tenant_id': tenant_id, + 'id': n.get('id') or uuidutils.generate_uuid(), + 'name': n['name'], + 'admin_state_up': n['admin_state_up'], + 'status': n.get('status', constants.NET_STATUS_ACTIVE), + # Hack by egon + 'vlan_transparent': False, + 'description': n.get('description')} + network = models_v2.Network(**args) + if n['shared']: + entry = rbac_db.NetworkRBAC( + network=network, action='access_as_shared', + target_tenant='*', tenant_id=network['tenant_id']) + context.session.add(entry) + context.session.add(network) + return network + + @db_api.retry_if_session_inactive() + def update_network(self, context, id, network): + n = network['network'] + with context.session.begin(subtransactions=True): + network = self._get_network(context, id) + # validate 'shared' parameter + if 'shared' in n: + entry = None + for item in network.rbac_entries: + if (item.action == 'access_as_shared' and + item.target_tenant == '*'): + entry = item + break + setattr(network, 'shared', True if entry else False) + self._validate_shared_update(context, id, network, n) + update_shared = n.pop('shared') + if update_shared and not entry: + entry = rbac_db.NetworkRBAC( + network=network, action='access_as_shared', + target_tenant='*', tenant_id=network['tenant_id']) + context.session.add(entry) + elif not update_shared and entry: + context.session.delete(entry) + context.session.expire(network, ['rbac_entries']) + # The filter call removes attributes from the body received from + # the API that are logically tied to network resources but are + # stored in other database tables handled by extensions + network.update( + ndb_utils.filter_non_model_columns(n, models_v2.Network)) + return self._make_network_dict(network, context=context) + + @db_api.retry_if_session_inactive() + def delete_network(self, context, id): + with context.session.begin(subtransactions=True): + network = self._get_network(context, id) + + auto_delete_ports = context.session.query( + models_v2.Port).filter_by(network_id=id).filter( + models_v2.Port.device_owner.in_(AUTO_DELETE_PORT_OWNERS)) + for port in auto_delete_ports: + context.session.delete(port) + + port_in_use = context.session.query(models_v2.Port).filter_by( + network_id=id).first() + + if port_in_use: + raise exc.NetworkInUse(net_id=id) + + # clean up subnets + subnets = self._get_subnets_by_network(context, id) + for subnet in subnets: + self.delete_subnet(context, subnet['id']) + + context.session.delete(network) + + @db_api.retry_if_session_inactive() + def get_network(self, context, id, fields=None): + network = self._get_network(context, id) + return self._make_network_dict(network, fields, context=context) + + @db_api.retry_if_session_inactive() + def get_networks(self, context, filters=None, fields=None, + sorts=None, limit=None, marker=None, + page_reverse=False): + marker_obj = self._get_marker_obj(context, 'network', limit, marker) + make_network_dict = functools.partial(self._make_network_dict, + context=context) + return self._get_collection(context, models_v2.Network, + make_network_dict, + filters=filters, fields=fields, + sorts=sorts, + limit=limit, + marker_obj=marker_obj, + page_reverse=page_reverse) + + @db_api.retry_if_session_inactive() + def get_networks_count(self, context, filters=None): + return self._get_collection_count(context, models_v2.Network, + filters=filters) + + @db_api.retry_if_session_inactive() + def create_subnet_bulk(self, context, subnets): + return self._create_bulk('subnet', context, subnets) + + def _validate_ip_version(self, ip_version, addr, name): + """Check IP field of a subnet match specified ip version.""" + ip = netaddr.IPNetwork(addr) + if ip.version != ip_version: + data = {'name': name, + 'addr': addr, + 'ip_version': ip_version} + msg = _("%(name)s '%(addr)s' does not match " + "the ip_version '%(ip_version)s'") % data + raise exc.InvalidInput(error_message=msg) + + def _validate_subnet(self, context, s, cur_subnet=None): + """Validate a subnet spec.""" + + # This method will validate attributes which may change during + # create_subnet() and update_subnet(). + # The method requires the subnet spec 's' has 'ip_version' field. + # If 's' dict does not have 'ip_version' field in an API call + # (e.g., update_subnet()), you need to set 'ip_version' field + # before calling this method. + + ip_ver = s['ip_version'] + + if validators.is_attr_set(s.get('cidr')): + self._validate_ip_version(ip_ver, s['cidr'], 'cidr') + + # TODO(watanabe.isao): After we found a way to avoid the re-sync + # from the agent side, this restriction could be removed. + if cur_subnet: + dhcp_was_enabled = cur_subnet.enable_dhcp + else: + dhcp_was_enabled = False + if s.get('enable_dhcp') and not dhcp_was_enabled: + subnet_prefixlen = netaddr.IPNetwork(s['cidr']).prefixlen + error_message = _("Subnet has a prefix length that is " + "incompatible with DHCP service enabled") + if ((ip_ver == 4 and subnet_prefixlen > 30) or + (ip_ver == 6 and subnet_prefixlen > 126)): + raise exc.InvalidInput(error_message=error_message) + + net = netaddr.IPNetwork(s['cidr']) + if net.is_multicast(): + error_message = _("Multicast IP subnet is not supported " + "if enable_dhcp is True") + raise exc.InvalidInput(error_message=error_message) + elif net.is_loopback(): + error_message = _("Loopback IP subnet is not supported " + "if enable_dhcp is True") + raise exc.InvalidInput(error_message=error_message) + + if validators.is_attr_set(s.get('gateway_ip')): + self._validate_ip_version(ip_ver, s['gateway_ip'], 'gateway_ip') + is_gateway_not_valid = ( + ipam.utils.check_gateway_invalid_in_subnet( + s['cidr'], s['gateway_ip'])) + if is_gateway_not_valid: + error_message = _("Gateway is not valid on subnet") + raise exc.InvalidInput(error_message=error_message) + # Ensure the gateway IP is not assigned to any port + # skip this check in case of create (s parameter won't have id) + # NOTE(salv-orlando): There is slight chance of a race, when + # a subnet-update and a router-interface-add operation are + # executed concurrently + if cur_subnet and not ipv6_utils.is_ipv6_pd_enabled(s): + ipal = models_v2.IPAllocation + alloc_qry = context.session.query(ipal) + alloc_qry = alloc_qry.join("port", "routerport") + allocated = alloc_qry.filter( + ipal.ip_address == cur_subnet['gateway_ip'], + ipal.subnet_id == cur_subnet['id']).first() + if allocated and allocated['port_id']: + raise n_exc.GatewayIpInUse( + ip_address=cur_subnet['gateway_ip'], + port_id=allocated['port_id']) + + if validators.is_attr_set(s.get('dns_nameservers')): + if len(s['dns_nameservers']) > cfg.CONF.max_dns_nameservers: + raise n_exc.DNSNameServersExhausted( + subnet_id=s.get('id', _('new subnet')), + quota=cfg.CONF.max_dns_nameservers) + for dns in s['dns_nameservers']: + try: + netaddr.IPAddress(dns) + except Exception: + raise exc.InvalidInput( + error_message=(_("Error parsing dns address %s") % + dns)) + self._validate_ip_version(ip_ver, dns, 'dns_nameserver') + + if validators.is_attr_set(s.get('host_routes')): + if len(s['host_routes']) > cfg.CONF.max_subnet_host_routes: + raise n_exc.HostRoutesExhausted( + subnet_id=s.get('id', _('new subnet')), + quota=cfg.CONF.max_subnet_host_routes) + # check if the routes are all valid + for rt in s['host_routes']: + self._validate_host_route(rt, ip_ver) + + if ip_ver == 4: + if validators.is_attr_set(s.get('ipv6_ra_mode')): + raise exc.InvalidInput( + error_message=(_("ipv6_ra_mode is not valid when " + "ip_version is 4"))) + if validators.is_attr_set(s.get('ipv6_address_mode')): + raise exc.InvalidInput( + error_message=(_("ipv6_address_mode is not valid when " + "ip_version is 4"))) + if ip_ver == 6: + self._validate_ipv6_attributes(s, cur_subnet) + + def _validate_subnet_for_pd(self, subnet): + """Validates that subnet parameters are correct for IPv6 PD""" + if (subnet.get('ip_version') != constants.IP_VERSION_6): + reason = _("Prefix Delegation can only be used with IPv6 " + "subnets.") + raise exc.BadRequest(resource='subnets', msg=reason) + + mode_list = [constants.IPV6_SLAAC, + constants.DHCPV6_STATELESS] + + ra_mode = subnet.get('ipv6_ra_mode') + if ra_mode not in mode_list: + reason = _("IPv6 RA Mode must be SLAAC or Stateless for " + "Prefix Delegation.") + raise exc.BadRequest(resource='subnets', msg=reason) + + address_mode = subnet.get('ipv6_address_mode') + if address_mode not in mode_list: + reason = _("IPv6 Address Mode must be SLAAC or Stateless for " + "Prefix Delegation.") + raise exc.BadRequest(resource='subnets', msg=reason) + + def _update_router_gw_ports(self, context, network, subnet): + l3plugin = directory.get_plugin(constants.L3) + if l3plugin: + gw_ports = self._get_router_gw_ports_by_network(context, + network['id']) + router_ids = [p['device_id'] for p in gw_ports] + for id in router_ids: + try: + self._update_router_gw_port(context, id, network, subnet) + except l3.RouterNotFound: + LOG.debug("Router %(id)s was concurrently deleted while " + "updating GW port for subnet %(s)s", + {'id': id, 's': subnet}) + + def _update_router_gw_port(self, context, router_id, network, subnet): + l3plugin = directory.get_plugin(constants.L3) + ctx_admin = context.elevated() + ext_subnets_dict = {s['id']: s for s in network['subnets']} + router = l3plugin.get_router(ctx_admin, router_id) + external_gateway_info = router['external_gateway_info'] + # Get all stateful (i.e. non-SLAAC/DHCPv6-stateless) fixed ips + fips = [f for f in external_gateway_info['external_fixed_ips'] + if not ipv6_utils.is_auto_address_subnet( + ext_subnets_dict[f['subnet_id']])] + num_fips = len(fips) + # Don't add the fixed IP to the port if it already + # has a stateful fixed IP of the same IP version + if num_fips > 1: + return + if num_fips == 1 and netaddr.IPAddress( + fips[0]['ip_address']).version == subnet['ip_version']: + return + external_gateway_info['external_fixed_ips'].append( + {'subnet_id': subnet['id']}) + info = {'router': {'external_gateway_info': + external_gateway_info}} + l3plugin.update_router(context, router_id, info) + + @db_api.retry_if_session_inactive() + def _create_subnet_postcommit(self, context, result, network, ipam_subnet): + if hasattr(network, 'external') and network.external: + self._update_router_gw_ports(context, + network, + result) + # If this subnet supports auto-addressing, then update any + # internal ports on the network with addresses for this subnet. + if ipv6_utils.is_auto_address_subnet(result): + updated_ports = self.ipam.add_auto_addrs_on_network_ports(context, + result, ipam_subnet) + for port_id in updated_ports: + port_info = {'port': {'id': port_id}} + try: + self.update_port(context, port_id, port_info) + except exc.PortNotFound: + LOG.debug("Port %(p)s concurrently deleted while adding " + "address for new subnet %(s)s.", {'p': port_id, + 's': result}) + + def _get_subnetpool_id(self, context, subnet): + """Return the subnetpool id for this request + + :param subnet: The subnet dict from the request + """ + use_default_subnetpool = subnet.get('use_default_subnetpool') + if use_default_subnetpool == constants.ATTR_NOT_SPECIFIED: + use_default_subnetpool = False + subnetpool_id = subnet.get('subnetpool_id') + if subnetpool_id == constants.ATTR_NOT_SPECIFIED: + subnetpool_id = None + + if use_default_subnetpool and subnetpool_id: + msg = _('subnetpool_id and use_default_subnetpool cannot both be ' + 'specified') + raise exc.BadRequest(resource='subnets', msg=msg) + + if subnetpool_id: + return subnetpool_id + + if not use_default_subnetpool: + return + + cidr = subnet.get('cidr') + if validators.is_attr_set(cidr): + ip_version = netaddr.IPNetwork(cidr).version + else: + ip_version = subnet.get('ip_version') + if not validators.is_attr_set(ip_version): + msg = _('ip_version must be specified in the absence of ' + 'cidr and subnetpool_id') + raise exc.BadRequest(resource='subnets', msg=msg) + + if ip_version == 6 and cfg.CONF.ipv6_pd_enabled: + return constants.IPV6_PD_POOL_ID + + subnetpool = self.get_default_subnetpool(context, ip_version) + if subnetpool: + return subnetpool['id'] + + msg = _('No default subnetpool found for IPv%s') % ip_version + raise exc.BadRequest(resource='subnets', msg=msg) + + @db_api.retry_if_session_inactive() + def create_subnet(self, context, subnet): + result, net, ipam_sub = self._create_subnet_precommit(context, subnet) + self._create_subnet_postcommit(context, result, net, ipam_sub) + return result + + def _create_subnet_precommit(self, context, subnet): + """Creates subnet in DB, returns result, network, and ipam_subnet.""" + s = subnet['subnet'] + cidr = s.get('cidr', constants.ATTR_NOT_SPECIFIED) + prefixlen = s.get('prefixlen', constants.ATTR_NOT_SPECIFIED) + has_cidr = validators.is_attr_set(cidr) + has_prefixlen = validators.is_attr_set(prefixlen) + + if has_cidr and has_prefixlen: + msg = _('cidr and prefixlen must not be supplied together') + raise exc.BadRequest(resource='subnets', msg=msg) + + if has_cidr: + # turn the CIDR into a proper subnet + net = netaddr.IPNetwork(s['cidr']) + subnet['subnet']['cidr'] = '%s/%s' % (net.network, net.prefixlen) + + subnetpool_id = self._get_subnetpool_id(context, s) + if not subnetpool_id and not has_cidr: + msg = _('a subnetpool must be specified in the absence of a cidr') + raise exc.BadRequest(resource='subnets', msg=msg) + + if subnetpool_id: + self.ipam.validate_pools_with_subnetpool(s) + if subnetpool_id == constants.IPV6_PD_POOL_ID: + if has_cidr: + # We do not currently support requesting a specific + # cidr with IPv6 prefix delegation. Set the subnetpool_id + # to None and allow the request to continue as normal. + subnetpool_id = None + self._validate_subnet(context, s) + else: + prefix = n_const.PROVISIONAL_IPV6_PD_PREFIX + subnet['subnet']['cidr'] = prefix + self._validate_subnet_for_pd(s) + else: + if not has_cidr: + msg = _('A cidr must be specified in the absence of a ' + 'subnet pool') + raise exc.BadRequest(resource='subnets', msg=msg) + self._validate_subnet(context, s) + + with context.session.begin(subtransactions=True): + network = self._get_network(context, + subnet['subnet']['network_id']) + subnet, ipam_subnet = self.ipam.allocate_subnet(context, + network, + subnet['subnet'], + subnetpool_id) + result = self._make_subnet_dict(subnet, context=context) + return result, network, ipam_subnet + + def _update_allocation_pools(self, subnet): + """Gets new allocation pools and formats them correctly""" + allocation_pools = self.ipam.generate_pools(subnet['cidr'], + subnet['gateway_ip']) + return [{'start': str(netaddr.IPAddress(p.first, + subnet['ip_version'])), + 'end': str(netaddr.IPAddress(p.last, subnet['ip_version']))} + for p in allocation_pools] + + @db_api.retry_if_session_inactive() + def update_subnet(self, context, id, subnet): + """Update the subnet with new info. + + The change however will not be realized until the client renew the + dns lease or we support gratuitous DHCP offers + """ + orig = self.get_subnet(context, id) + result = self._update_subnet_precommit(context, id, subnet) + return self._update_subnet_postcommit(context, orig, result) + + def _update_subnet_precommit(self, context, id, subnet): + """All subnet update operations safe to enclose in a transaction. + + :param context: neutron api request context + :param id: subnet id + :param subnet: API request dictionary + """ + s = subnet['subnet'] + new_cidr = s.get('cidr') + db_subnet = self._get_subnet(context, id) + # Fill 'ip_version' and 'allocation_pools' fields with the current + # value since _validate_subnet() expects subnet spec has 'ip_version' + # and 'allocation_pools' fields. + s['ip_version'] = db_subnet.ip_version + s['cidr'] = db_subnet.cidr + s['id'] = db_subnet.id + s['tenant_id'] = db_subnet.tenant_id + s['subnetpool_id'] = db_subnet.subnetpool_id + self._validate_subnet(context, s, cur_subnet=db_subnet) + db_pools = [netaddr.IPRange(p['first_ip'], p['last_ip']) + for p in db_subnet.allocation_pools] + + if new_cidr and ipv6_utils.is_ipv6_pd_enabled(s): + # This is an ipv6 prefix delegation-enabled subnet being given an + # updated cidr by the process_prefix_update RPC + s['cidr'] = new_cidr + net = netaddr.IPNetwork(s['cidr'], s['ip_version']) + # Update gateway_ip and allocation pools based on new cidr + s['gateway_ip'] = utils.get_first_host_ip(net, s['ip_version']) + s['allocation_pools'] = self._update_allocation_pools(s) + + range_pools = None + if s.get('allocation_pools') is not None: + # Convert allocation pools to IPRange to simplify future checks + range_pools = self.ipam.pools_to_ip_range(s['allocation_pools']) + self.ipam.validate_allocation_pools(range_pools, s['cidr']) + s['allocation_pools'] = range_pools + + # If either gateway_ip or allocation_pools were specified + gateway_ip = s.get('gateway_ip', db_subnet.gateway_ip) + gateway_ip_changed = gateway_ip != db_subnet.gateway_ip + if gateway_ip_changed or s.get('allocation_pools') is not None: + pools = range_pools if range_pools is not None else db_pools + if gateway_ip: + self.ipam.validate_gw_out_of_pools(gateway_ip, pools) + + if gateway_ip_changed: + # Provide pre-update notification not to break plugins that don't + # support gateway ip change + kwargs = {'context': context, 'subnet_id': id, + 'network_id': db_subnet.network_id} + registry.notify(resources.SUBNET_GATEWAY, events.BEFORE_UPDATE, + self, **kwargs) + + with context.session.begin(subtransactions=True): + subnet, changes = self.ipam.update_db_subnet(context, id, s, + db_pools) + # we expire here since ipam may have made changes to relationships + # that will be stale on any subsequent lookups while the subnet object + # is in the session otherwise. + context.session.expire(subnet) + return self._make_subnet_dict(subnet, context=context) + + def _update_subnet_postcommit(self, context, orig, result): + """Subnet update operations that happen after transaction completes. + + :param context: neutron api request context + :param orig: subnet dictionary representing state before update + :param result: subnet dictionary representing state after update + """ + update_ports_needed = (result['cidr'] != orig['cidr'] and + ipv6_utils.is_ipv6_pd_enabled(result)) + if update_ports_needed: + # Find ports that have not yet been updated + # with an IP address by Prefix Delegation, and update them + filters = {'fixed_ips': {'subnet_id': [result['id']]}} + ports = self.get_ports(context, filters=filters) + routers = [] + for port in ports: + for ip in port['fixed_ips']: + if ip['subnet_id'] == result['id']: + if (port['device_owner'] in + constants.ROUTER_INTERFACE_OWNERS): + routers.append(port['device_id']) + ip['ip_address'] = result['gateway_ip'] + else: + # We remove ip_address and pass only PD subnet_id + # in port's fixed_ip for port_update. Later, IPAM + # drivers will allocate eui64 address with new + # prefix when they find PD subnet_id in port's + # fixed_ip. + ip.pop('ip_address', None) + self.update_port(context, port['id'], {'port': port}) + # Send router_update to l3_agent + if routers: + l3_rpc_notifier = l3_rpc_agent_api.L3AgentNotifyAPI() + l3_rpc_notifier.routers_updated(context, routers) + + if orig['gateway_ip'] != result['gateway_ip']: + kwargs = {'context': context, 'subnet_id': result['id'], + 'network_id': result['network_id']} + registry.notify(resources.SUBNET_GATEWAY, events.AFTER_UPDATE, + self, **kwargs) + + return result + + def _subnet_get_user_allocation(self, context, subnet_id): + """Check if there are any user ports on subnet and return first.""" + # need to join with ports table as IPAllocation's port + # is not joined eagerly and thus producing query which yields + # incorrect results + return (context.session.query(models_v2.IPAllocation). + filter_by(subnet_id=subnet_id).join(models_v2.Port). + filter(~models_v2.Port.device_owner. + in_(AUTO_DELETE_PORT_OWNERS)).first()) + + def _subnet_check_ip_allocations_internal_router_ports(self, context, + subnet_id): + # Do not delete the subnet if IP allocations for internal + # router ports still exist + allocs = context.session.query(models_v2.IPAllocation).filter_by( + subnet_id=subnet_id).join(models_v2.Port).filter( + models_v2.Port.device_owner.in_( + constants.ROUTER_INTERFACE_OWNERS) + ).first() + if allocs: + LOG.debug("Subnet %s still has internal router ports, " + "cannot delete", subnet_id) + raise exc.SubnetInUse(subnet_id=subnet_id) + + @db_api.retry_if_session_inactive() + def _remove_subnet_from_port(self, context, sub_id, port_id, auto_subnet): + try: + fixed = [f for f in self.get_port(context, port_id)['fixed_ips'] + if f['subnet_id'] != sub_id] + if auto_subnet: + # special flag to avoid re-allocation on auto subnets + fixed.append({'subnet_id': sub_id, 'delete_subnet': True}) + data = {attributes.PORT: {'fixed_ips': fixed}} + self.update_port(context, port_id, data) + except exc.PortNotFound: + # port is gone + return + except exc.SubnetNotFound as e: + # another subnet in the fixed ips was concurrently removed. retry + raise os_db_exc.RetryRequest(e) + + def _ensure_no_user_ports_on_subnet(self, context, id): + alloc = self._subnet_get_user_allocation(context, id) + if alloc: + LOG.info(_LI("Found port (%(port_id)s, %(ip)s) having IP " + "allocation on subnet " + "%(subnet)s, cannot delete"), + {'ip': alloc.ip_address, + 'port_id': alloc.port_id, + 'subnet': id}) + raise exc.SubnetInUse(subnet_id=id) + + @db_api.retry_if_session_inactive() + def _remove_subnet_ip_allocations_from_ports(self, context, id): + # Do not allow a subnet to be deleted if a router is attached to it + self._subnet_check_ip_allocations_internal_router_ports( + context, id) + subnet = self._get_subnet(context, id) + is_auto_addr_subnet = ipv6_utils.is_auto_address_subnet(subnet) + if not is_auto_addr_subnet: + # we only automatically remove IP addresses from user ports if + # the IPs come from auto allocation subnets. + self._ensure_no_user_ports_on_subnet(context, id) + net_allocs = (context.session.query(models_v2.IPAllocation.port_id). + filter_by(subnet_id=id)) + port_ids_on_net = [ipal.port_id for ipal in net_allocs] + for port_id in port_ids_on_net: + self._remove_subnet_from_port(context, id, port_id, + auto_subnet=is_auto_addr_subnet) + + @db_api.retry_if_session_inactive() + def delete_subnet(self, context, id): + LOG.debug("Deleting subnet %s", id) + # Make sure the subnet isn't used by other resources + _check_subnet_not_used(context, id) + self._remove_subnet_ip_allocations_from_ports(context, id) + # retry integrity errors to catch ip allocation races + with db_api.exc_to_retry(sql_exc.IntegrityError), \ + context.session.begin(subtransactions=True): + subnet_db = self._get_subnet(context, id) + subnet = self._make_subnet_dict(subnet_db, context=context) + registry.notify(resources.SUBNET, events.PRECOMMIT_DELETE, + self, context=context, subnet_id=id) + context.session.delete(subnet_db) + # Delete related ipam subnet manually, + # since there is no FK relationship + self.ipam.delete_subnet(context, id) + registry.notify(resources.SUBNET, events.AFTER_DELETE, + self, context=context, subnet=subnet) + + @db_api.retry_if_session_inactive() + def get_subnet(self, context, id, fields=None): + subnet = self._get_subnet(context, id) + return self._make_subnet_dict(subnet, fields, context=context) + + @db_api.retry_if_session_inactive() + def get_subnets(self, context, filters=None, fields=None, + sorts=None, limit=None, marker=None, + page_reverse=False): + return self._get_subnets(context, filters, fields, sorts, limit, + marker, page_reverse) + + @db_api.retry_if_session_inactive() + def get_subnets_count(self, context, filters=None): + return self._get_collection_count(context, models_v2.Subnet, + filters=filters) + + @db_api.retry_if_session_inactive() + def get_subnets_by_network(self, context, network_id): + return [self._make_subnet_dict(subnet_db) for subnet_db in + self._get_subnets_by_network(context, network_id)] + + def _validate_address_scope_id(self, context, address_scope_id, + subnetpool_id, sp_prefixes, ip_version): + """Validate the address scope before associating. + + Subnetpool can associate with an address scope if + - the tenant user is the owner of both the subnetpool and + address scope + - the admin is associating the subnetpool with the shared + address scope + - there is no prefix conflict with the existing subnetpools + associated with the address scope. + - the address family of the subnetpool and address scope + are the same + """ + if not validators.is_attr_set(address_scope_id): + return + + if not self.is_address_scope_owned_by_tenant(context, + address_scope_id): + raise n_exc.IllegalSubnetPoolAssociationToAddressScope( + subnetpool_id=subnetpool_id, address_scope_id=address_scope_id) + + as_ip_version = self.get_ip_version_for_address_scope(context, + address_scope_id) + + if ip_version != as_ip_version: + raise n_exc.IllegalSubnetPoolIpVersionAssociationToAddressScope( + subnetpool_id=subnetpool_id, address_scope_id=address_scope_id, + ip_version=as_ip_version) + + subnetpools = subnetpool_obj.SubnetPool.get_objects( + context, address_scope_id=address_scope_id) + + new_set = netaddr.IPSet(sp_prefixes) + for sp in subnetpools: + if sp.id == subnetpool_id: + continue + sp_set = netaddr.IPSet(sp.prefixes) + if sp_set.intersection(new_set): + raise n_exc.AddressScopePrefixConflict() + + def _check_subnetpool_update_allowed(self, context, subnetpool_id, + address_scope_id): + """Check if the subnetpool can be updated or not. + + If the subnetpool is associated to a shared address scope not owned + by the tenant, then the subnetpool cannot be updated. + """ + + if not self.is_address_scope_owned_by_tenant(context, + address_scope_id): + msg = _("subnetpool %(subnetpool_id)s cannot be updated when" + " associated with shared address scope " + "%(address_scope_id)s") % { + 'subnetpool_id': subnetpool_id, + 'address_scope_id': address_scope_id} + raise n_exc.IllegalSubnetPoolUpdate(reason=msg) + + def _check_default_subnetpool_exists(self, context, ip_version): + """Check if a default already exists for the given IP version. + + There can only be one default subnetpool for each IP family. Raise an + InvalidInput error if a default has already been set. + """ + if self.get_default_subnetpool(context, ip_version): + msg = _("A default subnetpool for this IP family has already " + "been set. Only one default may exist per IP family") + raise exc.InvalidInput(error_message=msg) + + @db_api.retry_if_session_inactive() + def create_subnetpool(self, context, subnetpool): + sp = subnetpool['subnetpool'] + sp_reader = subnet_alloc.SubnetPoolReader(sp) + if sp_reader.is_default: + self._check_default_subnetpool_exists(context, + sp_reader.ip_version) + self._validate_address_scope_id(context, sp_reader.address_scope_id, + id, sp_reader.prefixes, + sp_reader.ip_version) + pool_args = {'project_id': sp['tenant_id'], + 'id': sp_reader.id, + 'name': sp_reader.name, + 'ip_version': sp_reader.ip_version, + 'default_prefixlen': + sp_reader.default_prefixlen, + 'min_prefixlen': sp_reader.min_prefixlen, + 'max_prefixlen': sp_reader.max_prefixlen, + 'is_default': sp_reader.is_default, + 'shared': sp_reader.shared, + 'default_quota': sp_reader.default_quota, + 'address_scope_id': sp_reader.address_scope_id, + 'description': sp_reader.description, + 'prefixes': sp_reader.prefixes} + subnetpool = subnetpool_obj.SubnetPool(context, **pool_args) + subnetpool.create() + + return self._make_subnetpool_dict(subnetpool.db_obj) + + @db_api.retry_if_session_inactive() + def update_subnetpool(self, context, id, subnetpool): + new_sp = subnetpool['subnetpool'] + + with context.session.begin(subtransactions=True): + orig_sp = self._get_subnetpool(context, id=id) + updated = _update_subnetpool_dict(orig_sp, new_sp) + reader = subnet_alloc.SubnetPoolReader(updated) + if reader.is_default and not orig_sp.is_default: + self._check_default_subnetpool_exists(context, + reader.ip_version) + if orig_sp.address_scope_id: + self._check_subnetpool_update_allowed(context, id, + orig_sp.address_scope_id) + + self._validate_address_scope_id(context, reader.address_scope_id, + id, reader.prefixes, + reader.ip_version) + address_scope_changed = ( + orig_sp.address_scope_id != reader.address_scope_id) + + orig_sp.update_fields(reader.subnetpool) + orig_sp.update() + + if address_scope_changed: + # Notify about the update of subnetpool's address scope + kwargs = {'context': context, 'subnetpool_id': id} + registry.notify(resources.SUBNETPOOL_ADDRESS_SCOPE, + events.AFTER_UPDATE, + self.update_subnetpool, + **kwargs) + + for key in ['min_prefixlen', 'max_prefixlen', 'default_prefixlen']: + updated['key'] = str(updated[key]) + self._apply_dict_extend_functions(attributes.SUBNETPOOLS, + updated, orig_sp.db_obj) + return updated + + @db_api.retry_if_session_inactive() + def get_subnetpool(self, context, id, fields=None): + subnetpool = self._get_subnetpool(context, id) + return self._make_subnetpool_dict(subnetpool.db_obj, fields) + + @db_api.retry_if_session_inactive() + def get_subnetpools(self, context, filters=None, fields=None, + sorts=None, limit=None, marker=None, + page_reverse=False): + pager = base_obj.Pager(sorts, limit, page_reverse, marker) + filters = filters or {} + subnetpools = subnetpool_obj.SubnetPool.get_objects( + context, _pager=pager, validate_filters=False, **filters) + return [ + self._make_subnetpool_dict(pool.db_obj, fields) + for pool in subnetpools + ] + + @db_api.retry_if_session_inactive() + def get_default_subnetpool(self, context, ip_version): + """Retrieve the default subnetpool for the given IP version.""" + filters = {'is_default': True, + 'ip_version': ip_version} + subnetpool = self.get_subnetpools(context, filters=filters) + if subnetpool: + return subnetpool[0] + + @db_api.retry_if_session_inactive() + def delete_subnetpool(self, context, id): + with context.session.begin(subtransactions=True): + subnetpool = self._get_subnetpool(context, id=id) + subnets = self._get_subnets_by_subnetpool(context, id) + if subnets: + reason = _("Subnet pool has existing allocations") + raise n_exc.SubnetPoolDeleteError(reason=reason) + subnetpool.delete() + + def _check_mac_addr_update(self, context, port, new_mac, device_owner): + if (device_owner and + device_owner.startswith(constants.DEVICE_OWNER_NETWORK_PREFIX)): + raise n_exc.UnsupportedPortDeviceOwner( + op=_("mac address update"), port_id=id, + device_owner=device_owner) + + @db_api.retry_if_session_inactive() + def create_port_bulk(self, context, ports): + return self._create_bulk('port', context, ports) + + def _create_db_port_obj(self, context, port_data): + mac_address = port_data.pop('mac_address', None) + if mac_address: + if self._is_mac_in_use(context, port_data['network_id'], + mac_address): + raise exc.MacAddressInUse(net_id=port_data['network_id'], + mac=mac_address) + else: + mac_address = self._generate_mac() + db_port = models_v2.Port(mac_address=mac_address, **port_data) + context.session.add(db_port) + return db_port + + @db_api.retry_if_session_inactive() + def create_port(self, context, port): + db_port = self.create_port_db(context, port) + return self._make_port_dict(db_port, process_extensions=False) + + def create_port_db(self, context, port): + p = port['port'] + port_id = p.get('id') or uuidutils.generate_uuid() + network_id = p['network_id'] + # NOTE(jkoelker) Get the tenant_id outside of the session to avoid + # unneeded db action if the operation raises + tenant_id = p['tenant_id'] + if p.get('device_owner'): + self._enforce_device_owner_not_router_intf_or_device_id( + context, p.get('device_owner'), p.get('device_id'), tenant_id) + + port_data = dict(tenant_id=tenant_id, + name=p['name'], + id=port_id, + network_id=network_id, + admin_state_up=p['admin_state_up'], + status=p.get('status', constants.PORT_STATUS_ACTIVE), + device_id=p['device_id'], + device_owner=p['device_owner'], + description=p.get('description')) + if p.get('mac_address') is not constants.ATTR_NOT_SPECIFIED: + port_data['mac_address'] = p.get('mac_address') + with context.session.begin(subtransactions=True): + # Ensure that the network exists. + self._get_network(context, network_id) + + # Create the port + db_port = self._create_db_port_obj(context, port_data) + p['mac_address'] = db_port['mac_address'] + + try: + self.ipam.allocate_ips_for_port_and_store( + context, port, port_id) + db_port['ip_allocation'] = ipa.IP_ALLOCATION_IMMEDIATE + except ipam_exc.DeferIpam: + db_port['ip_allocation'] = ipa.IP_ALLOCATION_DEFERRED + fixed_ips = p['fixed_ips'] + if validators.is_attr_set(fixed_ips) and not fixed_ips: + # [] was passed explicitly as fixed_ips. An unaddressed port. + db_port['ip_allocation'] = ipa.IP_ALLOCATION_NONE + + return db_port + + def _validate_port_for_update(self, context, db_port, new_port, new_mac): + changed_owner = 'device_owner' in new_port + current_owner = (new_port.get('device_owner') or + db_port['device_owner']) + changed_device_id = new_port.get('device_id') != db_port['device_id'] + current_device_id = new_port.get('device_id') or db_port['device_id'] + + if current_owner and changed_device_id or changed_owner: + self._enforce_device_owner_not_router_intf_or_device_id( + context, current_owner, current_device_id, + db_port['tenant_id']) + + if new_mac and new_mac != db_port['mac_address']: + self._check_mac_addr_update(context, db_port, + new_mac, current_owner) + + @db_api.retry_if_session_inactive() + def update_port(self, context, id, port): + new_port = port['port'] + + with context.session.begin(subtransactions=True): + db_port = self._get_port(context, id) + new_mac = new_port.get('mac_address') + self._validate_port_for_update(context, db_port, new_port, new_mac) + # Note: _make_port_dict is called here to load extension data + # (specifically host binding). The IPAM plugin is separate from + # the core plugin, so extensions are not loaded. + # + # The IPAM code could cheat and get it directly from db_port but it + # would have to know about the implementation (remember ml2 has its + # own port binding schema that differs from the generic one) + # + # This code could extract just the port binding host here and pass + # that in. The problem is that db_base_plugin_common shouldn't + # know anything about port binding. This compromise sends IPAM a + # port_dict with all of the extension data loaded. + try: + self.ipam.update_port( + context, + old_port_db=db_port, + old_port=self._make_port_dict(db_port), + new_port=new_port) + except ipam_exc.IpAddressAllocationNotFound as e: + # If a port update and a subnet delete interleave, there is a + # chance that the IPAM update operation raises this exception. + # Rather than throwing that up to the user under some sort of + # conflict, bubble up a retry instead that should bring things + # back to sanity. + raise os_db_exc.RetryRequest(e) + result = self._make_port_dict(db_port) + return result + + @db_api.retry_if_session_inactive() + def delete_port(self, context, id): + with context.session.begin(subtransactions=True): + self.ipam.delete_port(context, id) + + def delete_ports_by_device_id(self, context, device_id, network_id=None): + query = (context.session.query(models_v2.Port.id) + .enable_eagerloads(False) + .filter(models_v2.Port.device_id == device_id)) + if network_id: + query = query.filter(models_v2.Port.network_id == network_id) + port_ids = [p[0] for p in query] + for port_id in port_ids: + try: + self.delete_port(context, port_id) + except exc.PortNotFound: + # Don't raise if something else concurrently deleted the port + LOG.debug("Ignoring PortNotFound when deleting port '%s'. " + "The port has already been deleted.", + port_id) + + @db_api.retry_if_session_inactive() + def get_port(self, context, id, fields=None): + port = self._get_port(context, id) + return self._make_port_dict(port, fields) + + def _get_ports_query(self, context, filters=None, *args, **kwargs): + Port = models_v2.Port + IPAllocation = models_v2.IPAllocation + + filters = filters or {} + fixed_ips = filters.pop('fixed_ips', {}) + query = self._get_collection_query(context, Port, filters=filters, + *args, **kwargs) + ip_addresses = fixed_ips.get('ip_address') + subnet_ids = fixed_ips.get('subnet_id') + if ip_addresses: + query = query.filter( + Port.fixed_ips.any(IPAllocation.ip_address.in_(ip_addresses))) + if subnet_ids: + query = query.filter( + Port.fixed_ips.any(IPAllocation.subnet_id.in_(subnet_ids))) + return query + + @db_api.retry_if_session_inactive() + def get_ports(self, context, filters=None, fields=None, + sorts=None, limit=None, marker=None, + page_reverse=False): + marker_obj = self._get_marker_obj(context, 'port', limit, marker) + query = self._get_ports_query(context, filters=filters, + sorts=sorts, limit=limit, + marker_obj=marker_obj, + page_reverse=page_reverse) + items = [self._make_port_dict(c, fields) for c in query] + if limit and page_reverse: + items.reverse() + return items + + @db_api.retry_if_session_inactive() + def get_ports_count(self, context, filters=None): + return self._get_ports_query(context, filters).count() + + def _enforce_device_owner_not_router_intf_or_device_id(self, context, + device_owner, + device_id, + tenant_id): + """Prevent tenants from replacing the device id of router ports with + a router uuid belonging to another tenant. + """ + if device_owner not in constants.ROUTER_INTERFACE_OWNERS: + return + if not context.is_admin: + # check to make sure device_id does not match another tenants + # router. + if device_id: + if hasattr(self, 'get_router'): + try: + ctx_admin = context.elevated() + router = self.get_router(ctx_admin, device_id) + except l3.RouterNotFound: + return + else: + l3plugin = directory.get_plugin(constants.L3) + if l3plugin: + try: + ctx_admin = context.elevated() + router = l3plugin.get_router(ctx_admin, + device_id) + except l3.RouterNotFound: + return + else: + # raise as extension doesn't support L3 anyways. + raise n_exc.DeviceIDNotOwnedByTenant( + device_id=device_id) + if tenant_id != router['tenant_id']: + raise n_exc.DeviceIDNotOwnedByTenant(device_id=device_id) + + db_base_plugin_common.DbBasePluginCommon.register_model_query_hook( + models_v2.Port, + "port", + None, + '_port_filter_hook', + None) diff --git a/docker-neutron-controller/run.sh b/docker-neutron-controller/run.sh new file mode 100755 index 0000000..be77ca3 --- /dev/null +++ b/docker-neutron-controller/run.sh @@ -0,0 +1,36 @@ +#!/bin/bash +# start neutron services + +/etc/write_conf.sh + +/usr/bin/neutron-server \ +--config-file /etc/neutron/neutron.conf \ +--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \ +--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \ +--config-file /etc/neutron/metadata_agent.ini \ +--config-dir /etc/neutron/ \ +-v -d & + +sleep 3 +/usr/bin/neutron-linuxbridge-agent \ +--config-file /etc/neutron/neutron.conf \ +--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \ +--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \ +--config-file /etc/neutron/metadata_agent.ini \ +--config-dir /etc/neutron/ \ +-v -d & + +sleep 3 +neutron-metadata-agent \ +--config-file /etc/neutron/neutron.conf \ +--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \ +--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \ +--config-file /etc/neutron/metadata_agent.ini \ +--config-dir /etc/neutron/ \ +-v -d & + +# If any process fails, kill the rest. +# This insures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-neutron-controller/write_conf.sh b/docker-neutron-controller/write_conf.sh new file mode 100755 index 0000000..40500d3 --- /dev/null +++ b/docker-neutron-controller/write_conf.sh @@ -0,0 +1,86 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /etc/neutron/neutron.conf +[DEFAULT] +core_plugin = ml2 +service_plugins = +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP +auth_strategy = keystone +notify_nova_on_port_status_changes = true +notify_nova_on_port_data_changes = true +dhcp_agents_per_network = 2 +global_physnet_mtu = $GLOBAL_PHYSNET_MTU + +[agent] +root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf + +[database] +connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $NEUTRON_USER +password = $NEUTRON_PASSWORD + +[nova] +auth_url = http://$KEYSTONE_HOST:35357 +auth_type = password +project_domain_name = Default +user_domain_name = Default +region_name = RegionOne +project_name = service +username = $NOVA_USER +password = $NOVA_PASSWORD + +EOF + +cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini + +[ml2] +type_drivers = flat,vlan +tenant_network_types = +mechanism_drivers = linuxbridge +extension_drivers = port_security +path_mtu = $GLOBAL_PHYSNET_MTU + +[ml2_type_vlan] +network_vlan_ranges = provider + +[ml2_type_flat] +flat_networks = provider + +[securitygroup] +enable_ipset = true + +EOF + +cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini + +[linux_bridge] +physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS + +[vxlan] +enable_vxlan = false + +[securitygroup] +enable_security_group = true +firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + +EOF + +cat << EOF > /etc/neutron/metadata_agent.ini + +[DEFAULT] +nova_metadata_ip = $MY_IP +metadata_proxy_shared_secret = $METADATA_SECRET + +EOF diff --git a/docker-nova-compute/.drone.yml b/docker-nova-compute/.drone.yml new file mode 100644 index 0000000..15eee08 --- /dev/null +++ b/docker-nova-compute/.drone.yml @@ -0,0 +1,26 @@ +--- +pipeline: + docker: + image: plugins/docker + secrets: [docker_username, docker_password] + registry: registry.webhosting.rug.nl + repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute + tag: latest + notify: + image: drillster/drone-email + host: smtp.rug.nl + port: 25 + skip_verify: true + from: drone@webhosting.rug.nl + recipients: [e.m.a.rijpkema@rug.nl] + recipients: [e.m.a.rijpkema@rug.nl, w.k.nap@rug.nl] + recipients_only: true + when: + status: [success, changed, failure] +# slack: +# image: plugins/slack +# webhook: +# channel: docker +# when: +# branch: [master, merlin] +# status: [success, failure] diff --git a/docker-nova-compute/Dockerfile b/docker-nova-compute/Dockerfile new file mode 100644 index 0000000..b70eb3f --- /dev/null +++ b/docker-nova-compute/Dockerfile @@ -0,0 +1,23 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + python-openstackclient \ + nova-compute \ + neutron-linuxbridge-agent \ + neutron-dhcp-agent \ + neutron-metadata-agent \ + && apt-get -y clean + +COPY write_conf.sh /etc/write_conf.sh + +COPY run.sh /etc/run.sh +RUN echo hoi +CMD ["/etc/run.sh"] diff --git a/docker-nova-compute/README.md b/docker-nova-compute/README.md new file mode 100644 index 0000000..33c04c5 --- /dev/null +++ b/docker-nova-compute/README.md @@ -0,0 +1,9 @@ +# ubuntu 16.04 openstack ocata nova compute node + +# How to build the docker image. +``` +docker build . -t hpc/novacompute +``` + +# Notes +This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud) diff --git a/docker-nova-compute/run.sh b/docker-nova-compute/run.sh new file mode 100755 index 0000000..5804b29 --- /dev/null +++ b/docker-nova-compute/run.sh @@ -0,0 +1,34 @@ +#!/bin/bash +# start nova compute service + +/etc/write_conf.sh + +/usr/bin/neutron-linuxbridge-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini -v -d & + +/usr/bin/nova-compute --config-file=/etc/nova/nova-compute.conf & + +sleep 3 +/usr/bin/neutron-dhcp-agent \ +--config-file /etc/neutron/neutron.conf \ +--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \ +--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \ +--config-file /etc/neutron/dhcp_agent.ini \ +--config-file /etc/neutron/metadata_agent.ini \ +--config-dir /etc/neutron/ \ +-v -d & + +sleep 3 +neutron-metadata-agent \ +--config-file /etc/neutron/neutron.conf \ +--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \ +--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \ +--config-file /etc/neutron/dhcp_agent.ini \ +--config-file /etc/neutron/metadata_agent.ini \ +--config-dir /etc/neutron/ \ +-v -d & + +# If any process fails, kill the rest. +# This ensures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-nova-compute/write_conf.sh b/docker-nova-compute/write_conf.sh new file mode 100755 index 0000000..ea57993 --- /dev/null +++ b/docker-nova-compute/write_conf.sh @@ -0,0 +1,269 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 + +EOF + +cat << EOF > /etc/nova/nova.conf + +[DEFAULT] +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST +rabbit_host = $RABBIT_HOST +dhcpbridge_flagfile=/etc/nova/nova.conf +dhcpbridge=/usr/bin/nova-dhcpbridge +force_dhcp_release=true +state_path=/var/lib/nova +enabled_apis=osapi_compute,metadata +service_metadata_proxy = True +metadata_proxy_shared_secret = $METADATA_SECRET +my_ip = $MY_IP +use_neutron = True +firewall_driver = nova.virt.firewall.NoopFirewallDriver +scheduler_default_filters = AllHostsFilter +allow_migrate_to_same_host = True +allow_resize_to_same_host = True + + +[neutron] +url = http://$NEUTRON_CONTROLLER_HOST:9696 +auth_url = http://$KEYSTONE_HOST:35357 +auth_type = password +project_domain_name = Default +user_domain_name = Default +region_name = RegionOne +project_name = service +username = $NEUTRON_USER +password = $NEUTRON_PASSWORD + +[vnc] +enabled = True +vncserver_listen = 0.0.0.0 +vncserver_proxyclient_address = $MY_IP +novncproxy_base_url = http://$NOVA_CONTROLLER_HOST:6080/vnc_auto.html + +[glance] +api_servers = http://$GLANCE_CONTROLLER_HOST:9292 + +[oslo_concurrency] +lock_path = /var/lib/nova/tmp + +[api] +auth_strategy = keystone + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $NOVA_USER +password = $NOVA_PASSWORD + +[api_database] +connection = mysql+pymysql://$NOVA_COMPUTE_USER:$NOVA_PASSWORD@mariadb/nova_api + +[barbican] +[cache] + +[cells] +enable=False + +[placement] +os_region_name = RegionOne +project_domain_name = Default +project_name = service +auth_type = password +user_domain_name = Default +auth_url = http://$KEYSTONE_HOST:35357/v3 +username = $NOVA_PLACEMENT_USER +password = $NOVA_PLACEMENT_PASSWORD + +[cinder] +os_region_name = RegionOne + +[wsgi] +api_paste_config=/etc/nova/api-paste.ini + +EOF + + +cat << EOF > /etc/nova/nova-compute.conf +[DEFAULT] +compute_driver=libvirt.LibvirtDriver +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST +rabbit_host = $RABBIT_HOST +dhcpbridge_flagfile=/etc/nova/nova.conf +dhcpbridge=/usr/bin/nova-dhcpbridge +force_dhcp_release=true +state_path=/var/lib/nova +enabled_apis=osapi_compute,metadata +my_ip = $MY_IP +use_neutron = True +firewall_driver = nova.virt.firewall.NoopFirewallDriver +scheduler_default_filters = AllHostsFilter +allow_migrate_to_same_host = True +allow_resize_to_same_host = True + +[libvirt] +virt_type=kvm + +[vnc] +enabled = True +vncserver_listen = 0.0.0.0 +vncserver_proxyclient_address = $MY_IP +novncproxy_base_url = http://$NOVA_CONTROLLER_HOST:6080/vnc_auto.html + +[glance] +api_servers = http://$GLANCE_CONTROLLER_HOST:9292 + +[oslo_concurrency] +lock_path = /var/lib/nova/tmp + +[api] +auth_strategy = keystone + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $NOVA_USER +password = $NOVA_PASSWORD + +[api_database] +connection = mysql+pymysql://$NOVA_COMPUTE_USER:$NOVA_PASSWORD@mariadb/nova_api + +[barbican] +[cache] + +[cells] +enable=False + +[placement] +os_region_name = RegionOne +project_domain_name = Default +project_name = service +auth_type = password +user_domain_name = Default +auth_url = http://$KEYSTONE_HOST:35357/v3 +username = $NOVA_PLACEMENT_USER +password = $NOVA_PLACEMENT_PASSWORD + +[wsgi] +api_paste_config=/etc/nova/api-paste.ini + +[neutron] +url = http://$NEUTRON_CONTROLLER_HOST:9696 +auth_url = http://$KEYSTONE_HOST:35357 +auth_type = password +project_domain_name = Default +user_domain_name = Default +region_name = RegionOne +project_name = service +username = $NEUTRON_USER +password = $NEUTRON_PASSWORD + +[cinder] +os_region_name = RegionOne + +EOF + +cat << EOF > /etc/neutron/neutron.conf +[DEFAULT] +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST +auth_strategy = keystone +core_plugin = ml2 +global_physnet_mtu = $GLOBAL_PHYSNET_MTU + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $NEUTRON_USER +password = $NEUTRON_PASSWORD + +[nova] +auth_url = http://$KEYSTONE_HOST:35357 +auth_type = password +project_domain_name = Default +user_domain_name = Default +region_name = RegionOne +project_name = service +username = $NOVA_USER +password = $NOVA_PASSWORD + +EOF + +cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini + +[linux_bridge] +physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS + +[vxlan] +enable_vxlan = false + +[securitygroup] +enable_security_group = true +firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver + +EOF + +cat << EOF > /etc/neutron/dhcp_agent.ini + +[DEFAULT] +interface_driver = linuxbridge +dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq +enable_isolated_metadata = true + +EOF + +cat << EOF > /etc/neutron/metadata_agent.ini + +[DEFAULT] +nova_metadata_ip = $NEUTRON_CONTROLLER_HOST +metadata_proxy_shared_secret = $METADATA_SECRET + +EOF + +cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini + +[ml2] +type_drivers = flat,vlan +tenant_network_types = +mechanism_drivers = linuxbridge +extension_drivers = port_security +path_mtu = $GLOBAL_PHYSNET_MTU + +[ml2_type_vlan] +network_vlan_ranges = provider + +[ml2_type_flat] +flat_networks = provider + +[securitygroup] +enable_ipset = true + +EOF diff --git a/docker-nova-service/.gitignore b/docker-nova-service/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-nova-service/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-nova-service/Dockerfile b/docker-nova-service/Dockerfile new file mode 100644 index 0000000..9d66bff --- /dev/null +++ b/docker-nova-service/Dockerfile @@ -0,0 +1,32 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + mysql-client \ + python-mysqldb \ + python-openstackclient \ + python-oslo.cache \ + nova-api \ + nova-conductor \ + nova-consoleauth \ + nova-novncproxy \ + nova-scheduler \ + nova-placement-api \ + && apt-get -y clean + +EXPOSE 8774 +EXPOSE 8778 + +# add bootstrap script and make it executable +COPY bootstrap.sh /etc/bootstrap.sh +COPY run.sh /etc/run.sh +COPY write_conf.sh /etc/write_conf.sh + +CMD ["/etc/run.sh"] diff --git a/docker-nova-service/README.md b/docker-nova-service/README.md new file mode 100644 index 0000000..9029bac --- /dev/null +++ b/docker-nova-service/README.md @@ -0,0 +1,24 @@ +# ubuntu 16.04 openstack ocata nova controler node + +# How to build the docker image. +``` +docker build . -t="hpc/openstack-nova-service" +``` + +# How to bootstrap the service. +Before we can take the container into service we need accounts in keystone. +We also need an initial database. Both of these tasks are performed by the bootstrap script. +``` +docker run --rm --it --add-host="controller:" hpc/novacontroler /etc/bootstrap.sh +``` + +# How to run +``` +docker run --rm --add-host="controller:" --privileged -p 8774:8774 -p 8778:8778 hpc/novacontroler /etc/run.sh +``` + +Where keystone_ip is the ip of the docker host where our keystone service is running. + +# Notes +This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud) +The -p option is added to the run command to make the container accessible from (containers on ) other hosts than the container host. diff --git a/docker-nova-service/bootstrap.sh b/docker-nova-service/bootstrap.sh new file mode 100755 index 0000000..03c8685 --- /dev/null +++ b/docker-nova-service/bootstrap.sh @@ -0,0 +1,116 @@ +#!/bin/bash +# +# This script sets up the openstack users and regions.. +# as well as the database for the nova controller. +# This guide was used: +# https://docs.openstack.org/ocata/install-guide-ubuntu/nova-controller-install. + +# write the configuration files with values from the environment. +/etc/write_conf.sh + +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=admin +export OS_IMAGE_API_VERSION=2 + +EOF + +source /root/admin-openrc.sh + +# create database for nova +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF + +DROP DATABASE IF EXISTS nova; +DROP DATABASE IF EXISTS nova_compute; -- db for nova compute service +DROP DATABASE IF EXISTS nova_api; +DROP DATABASE IF EXISTS nova_cell0; +CREATE DATABASE nova; +CREATE DATABASE nova_compute; +CREATE DATABASE nova_api; +CREATE DATABASE nova_cell0; + +GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'localhost' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova.* TO 'nova'@'%' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova_compute.* TO 'nova_compute'@'localhost' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova_compute.* TO 'nova_compute'@'%' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'localhost' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova_api.* TO 'nova'@'%' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'localhost' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +GRANT ALL PRIVILEGES ON nova_cell0.* TO 'nova'@'%' \ + IDENTIFIED BY "${NOVA_PASSWORD}"; + +EOF + +openstack user create nova --domain default --password "$NOVA_PASSWORD" +openstack role add --project service --user nova admin +openstack service create --name nova --description "OpenStack Compute" compute + +# compute endpoints +openstack endpoint create --region RegionOne \ + compute public http://"$MY_IP":8774/v2.1 + +openstack endpoint create --region RegionOne \ + compute internal http://"$MY_IP":8774/v2.1 + +openstack endpoint create --region RegionOne \ + compute admin http://"$MY_IP":8774/v2.1 + +openstack user create --domain default --password "$NOVA_PLACEMENT_PASSWORD" placement +openstack role add --project service --user placement admin + +openstack service create --name placement --description "Placement API" placement + +# placement endpoints +openstack endpoint create --region RegionOne placement public http://"$MY_IP":8778 +openstack endpoint create --region RegionOne placement internal http://"$MY_IP":8778 +openstack endpoint create --region RegionOne placement admin http://"$MY_IP":8778 + +#Populate the nova-api database +nova-manage api_db sync + +# Register the cell0 database: +nova-manage cell_v2 map_cell0 + +# Create the cel1 cell +nova-manage cell_v2 create_cell --name=cell1 --verbose + +# sync the database +nova-manage db sync + +e nova_api; + +# Prevent crashes when nova api server tries to insert None in config_drive +mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF + +alter table nova_api.build_requests drop constraint CONSTRAINT_1; + +EOF + +# https://bugs.launchpad.net/packstack/+bug/1673305 +# discover compute hosts. +nova-manage cell_v2 discover_hosts + +# Verify nova cell0 and cell1 are registered correctly: +nova-manage cell_v2 list_cells diff --git a/docker-nova-service/run.sh b/docker-nova-service/run.sh new file mode 100755 index 0000000..c92df8c --- /dev/null +++ b/docker-nova-service/run.sh @@ -0,0 +1,23 @@ +#!/bin/bash +# start nova service + +# write the configuration files with values from the environment. +/etc/write_conf.sh + +nova-api -v -d & +sleep 3 +nova-consoleauth -v -d & +sleep 3 +nova-scheduler -v -d & +sleep 3 +nova-conductor -v -d & +sleep 3 +nova-novncproxy -v -d & +# start the placement api +apachectl -DFOREGROUND & + +# If any process fails, kill the rest. +# This insures the container stops and systemd will restart it. + +wait -n +pkill -P $$ diff --git a/docker-nova-service/write_conf.sh b/docker-nova-service/write_conf.sh new file mode 100755 index 0000000..a9b69e4 --- /dev/null +++ b/docker-nova-service/write_conf.sh @@ -0,0 +1,75 @@ +#!/bin/bash +# +# Generate config files from environments values. +# These are to be passed to the docker container using -e + +cat << EOF > /etc/nova/nova.conf + +[api_database] +connection = mysql+pymysql://$NOVA_USER:$NOVA_PASSWORD@mariadb/nova_api + +[database] +connection = mysql+pymysql://$NOVA_USER:$NOVA_PASSWORD@mariadb/nova + +[DEFAULT] +use_neutron = True +my_ip = $MY_IP +transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP +scheduler_default_filters = AllHostsFilter +allow_migrate_to_same_host = True +allow_resize_to_same_host = True +firewall_driver = nova.virt.firewall.NoopFirewallDriver +enabled_apis=osapi_compute,metadata + +[neutron] +url = http://$NEUTRON_CONTROLLER_HOST:9696 +auth_url = http://$KEYSTONE_HOST:35357 +auth_type = password +project_domain_name = Default +user_domain_name = Default +region_name = RegionOne +project_name = service +username = $NEUTRON_USER +password = $NEUTRON_PASSWORD +service_metadata_proxy = True +metadata_proxy_shared_secret = $METADATA_SECRET + +[api] +auth_strategy = keystone + +[keystone_authtoken] +auth_uri = http://$KEYSTONE_HOST:5000 +auth_url = http://$KEYSTONE_HOST:35357 +memcached_servers = $MEMCACHED_HOST:11211 +auth_type = password +project_domain_name = Default +user_domain_name = Default +project_name = service +username = $NOVA_USER +password = $NOVA_PASSWORD + +[vnc] +enabled = true +vncserver_listen = $MY_IP +vncserver_proxyclient_address = $MY_IP + +[glance] +api_servers = http://$GLANCE_CONTROLLER_HOST:9292 + +[oslo_concurrency] +lock_path = /var/lib/nova/tmp + +[placement] +os_region_name = RegionOne +project_domain_name = Default +project_name = service +auth_type = password +user_domain_name = Default +auth_url = http://$KEYSTONE_HOST:35357/v3 +username = $NOVA_PLACEMENT_USER +password = $NOVA_PLACEMENT_PASSWORD + +[cinder] +os_region_name = RegionOne + +EOF diff --git a/docker-openstack-client/.gitignore b/docker-openstack-client/.gitignore new file mode 100644 index 0000000..f432e90 --- /dev/null +++ b/docker-openstack-client/.gitignore @@ -0,0 +1,8 @@ +# ---> Vim +[._]*.s[a-w][a-z] +[._]s[a-w][a-z] +*.un~ +Session.vim +.netrwhist +*~ + diff --git a/docker-openstack-client/Dockerfile b/docker-openstack-client/Dockerfile new file mode 100644 index 0000000..493f62e --- /dev/null +++ b/docker-openstack-client/Dockerfile @@ -0,0 +1,19 @@ +FROM ubuntu:16.04 +# install packages + +RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA + +RUN set -x \ + && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \ + && apt-get -y update \ + && apt-get -y install ubuntu-cloud-keyring \ + && apt-get -y update \ + && apt-get -y install \ + python-openstackclient \ + && apt-get -y clean + +# add bootstrap script and make it executable +COPY admin-openrc.sh /root/admin-openrc.sh + +COPY demo-openrc.sh /root/demo-openrc.sh + diff --git a/docker-openstack-client/README.md b/docker-openstack-client/README.md new file mode 100644 index 0000000..6661a20 --- /dev/null +++ b/docker-openstack-client/README.md @@ -0,0 +1,21 @@ +# ubuntu 16.04 openstack ocata neutron controler node + +## How to build the docker image. +``` +docker build . -t="hpc/neutroncontroller" +``` + +## How to bootstrap the service. +Before we can take the container into service we need accounts in keystone. +We also need an initial database. Both of these tasks are performed by the bootstrap script. +``` +docker run --rm --it --add-host="controller:" hpc/neutroncontroler /etc/bootstrap.sh +``` + +## How to run +This image needs a lot of environment variables. It should be run via the `hpc-cloud` ansible repository. + + +## Notes +This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud) +The -p option is added to the run command to make the container accessible from (containers on ) other hosts than the container host. diff --git a/docker-openstack-client/bootstrap.sh b/docker-openstack-client/bootstrap.sh new file mode 100755 index 0000000..b217b39 --- /dev/null +++ b/docker-openstack-client/bootstrap.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +# Create admin-openrc.sh from secrets that are in the environment during bootstrap. +cat << EOF > /root/admin-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=admin +export OS_USERNAME=admin +export OS_PASSWORD=${OS_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 +EOF + +# Create demo-openrc.sh +cat << EOF > /root/demo-openrc.sh +#!/bin/bash +export OS_TENANT_NAME=demo +export OS_USERNAME=demo +export OS_PASSWORD=${OS_DEMO_PASSWORD} +export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 +export OS_IDENTITY_API_VERSION=3 +EOF diff --git a/docker-openstack-client/demo-openrc.sh b/docker-openstack-client/demo-openrc.sh new file mode 100644 index 0000000..0346632 --- /dev/null +++ b/docker-openstack-client/demo-openrc.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# a admin-openrc.sh file +KEYSTONE_HOST=keystone # to be set via docker run --host option +export OS_IDENTITY_API_VERSION=3 +export OS_USERNAME=demo +export OS_PASSWORD=geheim +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://${KEYSTONE_HOST}:5000/v3 + +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_PROJECT_NAME=demo +export OS_IMAGE_API_VERSION=2