HPC/openstack_dockers
8
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: HPC:6a048fc437cf543defdc0d35a789249e7c3d527a
Branches Tags
HPC:master HPC:merlin HPC:feature/federated-login HPC:feature/federated-login-before-rebase HPC:feature/bagpipe
..
compare: HPC:merlin
Branches Tags
HPC:master HPC:merlin HPC:feature/federated-login HPC:feature/federated-login-before-rebase HPC:feature/bagpipe

42 Commits
6a048fc437 ... merlin

Author SHA1 Message Date
Egon Rijpkema
ce60b19fd2 Added a shibboleth attribute 2018-11-06 12:53:48 +01:00
Egon Rijpkema
e9e1778a30 Add a merlin heat 2018-10-08 16:50:13 +02:00
Egon Rijpkema
b502fb98e7 Filthy hack to make sure local settings are loaded. 2018-09-26 13:47:49 +02:00
Egon Rijpkema
3a1636bfee Added entry in /etc/hosts for merlin.hpc.rug.nl 2018-09-25 10:54:42 +02:00
Egon Rijpkema
4426aed663 Build cinder controller 2018-09-24 10:14:20 +02:00
Egon Rijpkema
984c48d2e6 Updated auth_url to https in config files, too 2018-09-24 09:55:01 +02:00
Egon Rijpkema
4b29b7b061 Separate nova service for merlin 2018-09-21 16:59:20 +02:00
Egon Rijpkema
4e46364508 OS_AUTH_URL is https now 2018-09-21 16:24:23 +02:00
Egon Rijpkema
d0cac71af4 Added ceph-common to cinder-storage. 2018-09-20 16:45:08 +02:00
Egon Rijpkema
17ee2aa487 Added ceph config for cinder controller. 2018-09-17 13:25:44 +02:00
Egon Rijpkema
d161a24200 Add apache2 log to container log. 2018-09-17 11:45:36 +02:00
Egon Rijpkema
71d2bc13ea make rbd secrets a variable secret to be set here. 2018-09-13 16:13:49 +02:00
Egon Rijpkema
5ae8a4cf1a Fixed typo 2018-09-13 11:52:18 +02:00
Wim Nap
73e26ea716 changes to nova-compute-docker 2018-09-13 11:49:54 +02:00
Egon Rijpkema
820d2ecb4d Added CA.crt 2018-08-15 15:31:28 +02:00
Egon Rijpkema
f29afdb0b5 Add apache2 logs 2018-08-15 14:41:02 +02:00
Egon Rijpkema
d98bcd7538 Logging convenience 2018-08-15 14:20:24 +02:00
Egon Rijpkema
32ed45e6e5 Keystone merlin version (with federation) 2018-08-10 16:16:09 +02:00
Egon Rijpkema
167d755724 Imported all shibboleth stuff from openstack-test05 2018-08-10 16:15:48 +02:00
Egon Rijpkema
c6c947ce3c updated name 2018-08-10 14:04:40 +02:00
Egon Rijpkema
33d630685b horizon user not present... 2018-08-09 16:57:30 +02:00
Wim Nap
005c0f0c6a changed uuid for nova-compute 2018-08-09 16:47:39 +02:00
Egon Rijpkema
2e372f3b78 Added merlin(federated) horizon. 2018-08-09 13:20:02 +02:00
Egon Rijpkema
8acb4813a1 Merge branch 'feature/federated-login-merlin' into merlin 2018-08-09 12:09:58 +02:00
Egon Rijpkema
776ce0b2d9 Changed tab into spaces. 2018-08-09 12:05:40 +02:00
Egon Rijpkema
b1de9e17e5 Changes for a federated dashboard. 2018-08-09 12:05:40 +02:00
Wim Nap
149590eb35 some changes to nova-compute docker 2018-08-08 15:43:03 +02:00
Wim Nap
4b13a2863a change in nova.conf to make changes to default security group 2018-07-25 11:56:07 +02:00
Egon Rijpkema
2133462f17 Enableling router 2018-07-23 15:50:57 +02:00
Egon Rijpkema
5fdccce28b Took some config from master branch, i whink we need.... 2018-07-23 14:28:51 +02:00
Egon Rijpkema
216a954996 Revert "changed vxlan settings neutron-controller nova-compute" 
This reverts commit 7ecc7154a5.
 2018-07-19 10:32:01 +02:00
Wim Nap
7ecc7154a5 changed vxlan settings neutron-controller nova-compute 2018-07-16 15:42:51 +02:00
Egon Rijpkema
2fc520a2ab Move the l3 agent to the neutron_controller 2018-07-16 14:16:45 +02:00
Egon Rijpkema
e1c49aca56 make ceph variable 2018-06-20 16:00:13 +02:00
Egon Rijpkema
046e1a59d9 Using cinder user. 2018-05-04 14:06:24 +02:00
Wim Nap
4cce6b0485 add ceph-common to Dockerfile 2018-05-04 14:04:33 +02:00
Wim Nap
95c202133e changed rbd settings 2018-05-03 17:05:59 +02:00
Wim Nap
5c264bd448 changed rabbitmq host 2018-05-01 14:24:30 +02:00
Egon Rijpkema
f7c3d56cbf added merlin builds 2018-04-24 09:53:30 +02:00
Egon Rijpkema
94113b8c25 Trying to adhere to python naming convention. 2018-04-23 15:55:16 +02:00
Egon Rijpkema
90a67e531d Docker in name is no longer needed 2018-04-23 15:35:37 +02:00
Egon Rijpkema
791595dcdf All changes in the merlin branches. 2018-04-23 15:07:18 +02:00
58 changed files with 2893 additions and 114 deletions
Expand all files Collapse all files

184
.drone.yml
View File

@ -1,19 +1,197 @@
--- ---
# When the issue below is resolved, we can build the
# image that was actually changed.
# https://github.com/drone/drone/issues/1021
pipeline: pipeline:
nova-compute: cinder_controller:
image: plugins/docker image: plugins/docker
dockerfile: nova-compute/Dockerfile dockerfile: cinder_controller/Dockerfile
context: cinder_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller
tag: latest
when:
branch: master
cinder_storage:
image: plugins/docker
dockerfile: cinder_storage/Dockerfile
context: cinder_storage
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-storage
tag: latest
when:
branch: master
glance:
image: plugins/docker
dockerfile: glance/Dockerfile
context: glance
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-glance
tag: latest
when:
branch: master
heat:
image: plugins/docker
dockerfile: heat/Dockerfile
context: heat
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-heat
tag: latest
when:
branch: master
horizon:
image: plugins/docker
dockerfile: horizon/Dockerfile
context: horizon
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-horizon
tag: latest
when:
branch: master
keystone:
image: plugins/docker
dockerfile: keystone/Dockerfile
context: keystone
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-keystone
tag: latest
when:
branch: master
neutron_controller:
image: plugins/docker
dockerfile: neutron_controller/Dockerfile
context: neutron_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-neutron-controller
tag: latest
when:
branch: master
nova_service:
image: plugins/docker
dockerfile: nova_service/Dockerfile
context: nova_service
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-service
tag: latest
when:
branch: master
nova_compute:
image: plugins/docker
dockerfile: nova_compute/Dockerfile
context: nova_compute
secrets: [docker_username, docker_password] secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute
tag: latest tag: latest
when:
branch: master
keystone_merlin:
image: plugins/docker
dockerfile: keystone/Dockerfile
context: keystone
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin
tag: latest
when:
branch: merlin
nova_service_merlin:
image: plugins/docker
dockerfile: nova_service/Dockerfile
context: nova_service
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-service-merlin
tag: latest
when:
branch: merlin
horizon_merlin:
image: plugins/docker
dockerfile: horizon/Dockerfile
context: horizon
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-horizon-merlin
tag: latest
when:
branch: merlin
neutron_controller_merlin:
image: plugins/docker
dockerfile: neutron_controller/Dockerfile
context: neutron_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-neutron-controller-merlin
tag: latest
when:
branch: merlin
cinder_controller_merlin:
image: plugins/docker
dockerfile: cinder_controller/Dockerfile
context: cinder_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller-merlin
tag: latest
when:
branch: mwelin
cinder_storage_merlin:
image: plugins/docker
dockerfile: cinder_storage/Dockerfile
context: cinder_storage
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-storage-merlin
tag: latest
when:
branch: merlin
nova_compute_merlin:
image: plugins/docker
dockerfile: nova_compute/Dockerfile
context: nova_compute
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute-merlin
tag: latest
when:
branch: merlin
glance_merlin:
image: plugins/docker
dockerfile: glance/Dockerfile
context: glance
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-glance-merlin
tag: latest
when:
branch: merlin
heat_merlin:
image: plugins/docker
dockerfile: heat/Dockerfile
context: heat
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-heat-merlin
tag: latest
when:
branch: merlin
notify: notify:
image: drillster/drone-email image: drillster/drone-email
host: smtp.rug.nl host: smtp.rug.nl
port: 25 port: 25
skip_verify: true skip_verify: true
from: drone@webhosting.rug.nl from: drone@webhosting.rug.nl
recipients: [e.m.a.rijpkema@rug.nl, w.k.nap@rug.nl] # recipients: [e.m.a.rijpkema@rug.nl, w.k.nap@rug.nl]
recipients: [e.m.a.rijpkema@rug.nl]
recipients_only: true recipients_only: true
when: when:
status: [success, changed, failure] status: [success, changed, failure]

0
.gitignore → cinder_controller/.gitignore vendored
View File

2
cinder_controller/Dockerfile
View File

@ -15,6 +15,8 @@ RUN set -x \
python-oslo.cache \ python-oslo.cache \
cinder-api \ cinder-api \
cinder-scheduler \ cinder-scheduler \
python-ceph \
python-rbd \
&& apt-get -y clean && apt-get -y clean
EXPOSE 8776 EXPOSE 8776

2
cinder_controller/admin-openrc.sh
View File

@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
cinder_controller/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

1
cinder_controller/run.sh
View File

@ -7,6 +7,7 @@ cinder-scheduler -d &
sleep 5 sleep 5
apachectl -DFOREGROUND & apachectl -DFOREGROUND &
tail -f /var/log/apache2/* &
# If any process fails, kill the rest. # If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it. # This ensures the container stops and systemd will restart it.

15
cinder_controller/write_conf.sh
View File

@ -11,11 +11,12 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
[DEFAULT] [DEFAULT]
auth_strategy = keystone auth_strategy = keystone
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
enabled_backends = RBD-backend
my_ip = $MY_IP my_ip = $MY_IP
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -27,4 +28,14 @@ password = $CINDER_PASSWORD
[oslo_concurrency] [oslo_concurrency]
lock_path = /var/lib/cinder/tmp lock_path = /var/lib/cinder/tmp
[RBD-backend]
volume_backend_name = RBD-backend
rbd_pool = volumes
rbd_user = volumes
rbd_secret_uuid = $RBD_SECRET_UUID
volume_driver = cinder.volume.drivers.rbd.RBDDriver
rbd_ceph_conf = /etc/ceph/ceph.conf
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

8
cinder_storage/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

6
cinder_storage/Dockerfile
View File

@ -15,7 +15,9 @@ RUN set -x \
python-openstackclient \ python-openstackclient \
python-oslo.cache \ python-oslo.cache \
lvm2 \ lvm2 \
tgt \ python-ceph \
python-rbd \
ceph-common \
&& apt-get -y clean && apt-get -y clean
@ -28,8 +30,6 @@ COPY bootstrap.sh /etc/bootstrap.sh
COPY run.sh /etc/run.sh COPY run.sh /etc/run.sh
COPY lvm.conf /etc/lvm/lvm.conf
RUN chown root.root /etc/bootstrap.sh && chmod a+x /etc/bootstrap.sh RUN chown root.root /etc/bootstrap.sh && chmod a+x /etc/bootstrap.sh
RUN chown root.root /etc/run.sh && chmod a+x /etc/run.sh RUN chown root.root /etc/run.sh && chmod a+x /etc/run.sh

2
cinder_storage/admin-openrc.sh
View File

@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

6
cinder_storage/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
@ -22,6 +22,6 @@ source /root/admin-openrc.sh
# create a LVM physical volume and volume group. # create a LVM physical volume and volume group.
# This device should be available tpo the container # This device should be available tpo the container
pvcreate /dev/cinder_storage_volume #pvcreate /dev/cinder_storage_volume
vgcreate cinder-volumes /dev/cinder_storage_volume #vgcreate cinder-volumes /dev/cinder_storage_volume

4
cinder_storage/run.sh
View File

@ -3,7 +3,9 @@
# Write the config files # Write the config files
/etc/write_conf.sh /etc/write_conf.sh
# start cinder processes. # start cinder processes.
tgtd cinder-volume -d &
sleep 5
cinder-volume -d & cinder-volume -d &

21
cinder_storage/write_conf.sh
View File

@ -12,12 +12,12 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
auth_strategy = keystone auth_strategy = keystone
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST
my_ip = $MY_IP my_ip = $MY_IP
enabled_backends = lvm enabled_backends = RBD-backend
glance_api_servers = http://$GLANCE_HOST:9292 glance_api_servers = http://$GLANCE_HOST:9292
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -29,11 +29,14 @@ password = $CINDER_PASSWORD
[oslo_concurrency] [oslo_concurrency]
lock_path = /var/lib/cinder/tmp lock_path = /var/lib/cinder/tmp
[lvm] [RBD-backend]
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver volume_backend_name = RBD-backend
volume_group = cinder-volumes rbd_pool = volumes
iscsi_protocol = iscsi rbd_user = volumes
iscsi_helper = tgtadm rbd_secret_uuid = $RBD_SECRET_UUID
volumes_dir = /var/lib/cinder/volumes volume_driver = cinder.volume.drivers.rbd.RBDDriver
rbd_ceph_conf = /etc/ceph/ceph.conf
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

1
glance/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
build.sh

2
glance/Dockerfile
View File

@ -14,6 +14,8 @@ RUN set -x \
python-mysqldb \ python-mysqldb \
python-openstackclient \ python-openstackclient \
python-oslo.cache \ python-oslo.cache \
python-rbd \
python-ceph \
&& apt-get -y clean \ && apt-get -y clean \
&& rm -f /var/lib/glance/glance.sqlite && rm -f /var/lib/glance/glance.sqlite

2
glance/admin-openrc.sh
View File

@ -8,7 +8,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
glance/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export GLANCE_USER_NAME=glance export GLANCE_USER_NAME=glance

28
glance/write_conf.sh
View File

@ -9,8 +9,8 @@ cat << EOF > /etc/glance/glance-api.conf
connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance
[image_format] [image_format]
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -32,13 +32,14 @@ flavor = keystone
[glance_store] [glance_store]
stores = file,http stores = glance.store.rbd.Store
default_store = file default_store = rbd
filesystem_store_datadir = /var/lib/glance/images/ rbd_store_pool = images
rbd_store_user = images
rbd_store_ceph_conf = /etc/ceph/ceph.conf
EOF EOF
cat << EOF > /etc/glance/glance-registry.conf cat << EOF > /etc/glance/glance-registry.conf
[DEFAULT] [DEFAULT]
@ -49,13 +50,15 @@ rpc_backend = rabbit
connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance
[glance_store] [glance_store]
stores = file,http stores = glance.store.rbd.Store
default_store = file default_store = rbd
filesystem_store_datadir = /var/lib/glance/images/ rbd_store_pool = images
rbd_store_user = images
rbd_store_ceph_conf = /etc/ceph/ceph.conf
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -76,3 +79,6 @@ rabbit_password = $RABBIT_PASSWORD
flavor = keystone flavor = keystone
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

8
heat/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

2
heat/admin-openrc.sh
View File

@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
heat/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export HEAT_USER=heat export HEAT_USER=heat

8
heat/write_conf.sh
View File

@ -15,8 +15,8 @@ heat_waitcondition_server_url = http://$HEAT_HOST:8000/v1/waitcondition
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -27,9 +27,11 @@ password = $HEAT_PASSWORD
[trustee] [trustee]
auth_plugin = password auth_plugin = password
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
username = $HEAT_USER username = $HEAT_USER
password = $HEAT_PASSWORD password = $HEAT_PASSWORD
user_domain_name = Default user_domain_name = Default
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

15
horizon/Dockerfile
View File

@ -16,20 +16,29 @@ RUN set -x \
python-openstackclient \ python-openstackclient \
&& apt-get -y clean && apt-get -y clean
EXPOSE 80
EXPOSE 80 443
COPY openstack-dashboard.conf /etc/apache2/conf-available/openstack-dashboard.conf
COPY local_settings.py /etc/openstack-dashboard/local_settings.py COPY local_settings.py /etc/openstack-dashboard/local_settings.py
# Add a redirect to /keystone instead of the "It works! page" # Add a redirect to /keystone instead of the "It works! page"
COPY 000-default.conf /etc/apache2/sites-available COPY 000-default.conf /etc/apache2/sites-available
COPY run.sh /etc/run.sh
RUN chown -R www-data: /var/lib/openstack-dashboard/ RUN chown -R www-data: /var/lib/openstack-dashboard/
RUN touch /var/log/horizon.log RUN touch /var/log/horizon.log
RUN chown www-data: /var/log/horizon.log RUN chown www-data: /var/log/horizon.log
RUN chown horizon: /var/lib/openstack-dashboard/secret_key RUN a2enmod ssl
RUN a2enmod headers
RUN a2enmod rewrite
CMD apachectl -DFOREGROUND #RUN chown /var/lib/openstack-dashboard/secret_key horizon
CMD /etc/run.sh

2
horizon/admin-openrc.sh
View File

@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

21
horizon/local_settings.py
View File

@ -37,7 +37,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
#EMAIL_HOST_PASSWORD = 'top-secret!' #EMAIL_HOST_PASSWORD = 'top-secret!'
OPENSTACK_HOST = os.environ['KEYSTONE_HOST'] OPENSTACK_HOST = os.environ['KEYSTONE_HOST']
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
@ -100,7 +100,7 @@ OPENSTACK_CINDER_FEATURES = {
# services provided by neutron. Options currently available are load # services provided by neutron. Options currently available are load
# balancer service, security groups, quotas, VPN service. # balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = { OPENSTACK_NEUTRON_NETWORK = {
'enable_router': False, 'enable_router': True,
'enable_quotas': False, 'enable_quotas': False,
'enable_ipv6': False, 'enable_ipv6': False,
'enable_distributed_router': False, 'enable_distributed_router': False,
@ -266,7 +266,6 @@ TIME_ZONE = "UTC"
# ('default', 'Default', 'themes/default'), # ('default', 'Default', 'themes/default'),
# ('material', 'Material', 'themes/material'), # ('material', 'Material', 'themes/material'),
#] #]
LOGGING = { LOGGING = {
'version': 1, 'version': 1,
# When set to True this will disable all logging except # When set to True this will disable all logging except
@ -288,11 +287,12 @@ LOGGING = {
}, },
'console': { 'console': {
# Set the level to "DEBUG" for verbose output logging. # Set the level to "DEBUG" for verbose output logging.
'level': 'INFO', 'level': 'DEBUG',
'class': 'logging.StreamHandler', 'class': 'logging.FileHandler',
'filename': '/var/log/horizon.log',
}, },
'operation': { 'operation': {
'level': 'INFO', 'level': 'DEBUG',
'class': 'logging.StreamHandler', 'class': 'logging.StreamHandler',
'formatter': 'operation', 'formatter': 'operation',
}, },
@ -516,3 +516,12 @@ ALLOWED_HOSTS = '*'
COMPRESS_OFFLINE = True COMPRESS_OFFLINE = True
ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("mapped", _("Security Assertion Markup Language"))
)
WEBSSO_INITIAL_CHOICE = "mapped"

36
horizon/openstack-dashboard.conf Normal file
View File

@ -0,0 +1,36 @@
<VirtualHost *:80>
RedirectMatch "^/$" "/horizon"
ServerName merlin.hpc.rug.nl
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:443>
RedirectMatch "^/$" "/horizon"
ServerName merlin.hpc.rug.nl
SSLEngine On
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
SSLCACertificateFile "/certs/DigiCertCA.crt"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications
# with a server go over SSL. This mitigates the threat from attacks such
# as SSL-Strip which replaces links on the wire, stripping away https prefixes
# and potentially allowing an attacker to view confidential information on the
# wire
Header add Strict-Transport-Security "max-age=15768000"
Alias /horizon/static /var/lib/openstack-dashboard/static/
Alias /static /var/lib/openstack-dashboard/static/
<Directory /var/lib/openstack-dashboard/static>
Require all granted
</Directory>
WSGIScriptAlias /horizon /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi process-group=horizon
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10 display-name=%{GROUP}
WSGIProcessGroup horizon
</VirtualHost>

12
horizon/run.sh Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
#Making the console log console again...
tail -f /var/log/horizon.log &
tail -f /var/log/apache2/* &
cat /etc/openstack-dashboard/local_settings.py >> \
/usr/share/openstack-dashboard/openstack_dashboard/settings.py
apachectl -DFOREGROUND

22
keystone/Dockerfile
View File

@ -13,16 +13,36 @@ RUN set -x \
&& apt-get -y update \ && apt-get -y update \
&& apt-get -y install \ && apt-get -y install \
&& apt-get -y install keystone python-openstackclient \ && apt-get -y install keystone python-openstackclient \
&& apt-get -y install libapache2-mod-shib2 \
&& apt-get -y clean && apt-get -y clean
# set admin token TODO: make this a secret # set admin token TODO: make this a secret
# in volume of met env # in volume of met env
COPY keystone.conf /etc/keystone/keystone.conf COPY keystone.conf /etc/keystone/keystone.conf
COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
RUN mkdir /var/run/shibboleth
COPY run.sh /etc/run.sh
RUN mkdir /etc/keystone/fernet-keys RUN mkdir /etc/keystone/fernet-keys
RUN chown keystone: /etc/keystone/fernet-keys RUN chown keystone: /etc/keystone/fernet-keys
RUN a2enmod shib2
COPY bootstrap.sh /etc/bootstrap.sh COPY bootstrap.sh /etc/bootstrap.sh
CMD apachectl -DFOREGROUND # Testing only!!!
RUN mkdir -p /var/www/html/secure
RUN apt-get -y install php libapache2-mod-php
COPY test.php /var/www/html/secure/test.php
CMD /etc/run.sh

128
keystone/apache-keystone.conf Normal file
View File

@ -0,0 +1,128 @@
LoadModule ssl_module modules/mod_ssl.so
Listen 5000
Listen 35357
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
Alias "/secure" "/var/www/html/secure"
<VirtualHost *:5000>
ServerName https://merlin.hpc.rug.nl:5000
SSLEngine on
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
SSLCACertificateFile "/certs/DigiCertCA.crt"
UseCanonicalName On
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
# Added for federation.
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession 1
ShibRequireSession On
ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
AuthType shibboleth
Require valid-user
</Location>
</VirtualHost>
<VirtualHost *:35357>
ServerName https://merlin.hpc.rug.nl:35357
SSLEngine on
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
SSLCACertificateFile "/certs/DigiCertCA.crt"
UseCanonicalName On
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>

32
keystone/attribute-map.xml Normal file
View File

@ -0,0 +1,32 @@
<?xml version="1.0"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
<!-- Added for nikhef -->
<Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<!-- Added after mail 18-10-2018 -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
<Attribute name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
<Attribute name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
<Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
</Attributes>

71
keystone/attribute-policy.xml Normal file
View File

@ -0,0 +1,71 @@
<afp:AttributeFilterPolicyGroup
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:afp="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Shared rule for affiliation values. -->
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
<Rule xsi:type="AttributeValueString" value="faculty"/>
<Rule xsi:type="AttributeValueString" value="student"/>
<Rule xsi:type="AttributeValueString" value="staff"/>
<Rule xsi:type="AttributeValueString" value="alum"/>
<Rule xsi:type="AttributeValueString" value="member"/>
<Rule xsi:type="AttributeValueString" value="affiliate"/>
<Rule xsi:type="AttributeValueString" value="employee"/>
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
</afp:PermitValueRule>
<!--
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
an AttributeRule for each attribute you want to check.
-->
<afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
<!-- # Hacked for Nikhef federation
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="NOT">
<Rule xsi:type="AttributeValueRegex" regex="@"/>
</Rule>
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
</afp:PermitValueRule>
-->
<afp:AttributeFilterPolicy>
<!-- This policy is in effect in all cases. -->
<afp:PolicyRequirementRule xsi:type="ANY"/>
<!-- Filter out undefined affiliations and ensure only one primary. -->
<afp:AttributeRule attributeID="affiliation">
<afp:PermitValueRule xsi:type="AND">
<RuleReference ref="eduPersonAffiliationValues"/>
<RuleReference ref="ScopingRules"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<afp:AttributeRule attributeID="unscoped-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="primary-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="targeted-id">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
<afp:AttributeRule attributeID="persistent-id">
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
</afp:AttributeRule>
<!-- Catch-all that passes everything else through unmolested. -->
<afp:AttributeRule attributeID="*">
<afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>

4
keystone/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF
@ -16,7 +16,7 @@ cat << EOF > /root/demo-openrc.sh
export OS_TENANT_NAME=demo export OS_TENANT_NAME=demo
export OS_USERNAME=demo export OS_USERNAME=demo
export OS_PASSWORD=${OS_DEMO_PASSWORD} export OS_PASSWORD=${OS_DEMO_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF

12
keystone/keystone.conf
View File

@ -1,6 +1,8 @@
[DEFAULT] [DEFAULT]
verbose = true verbose = true
# debug = true
log_file = /var/log/keystone/keystone.log
[database] [database]
connection = mysql+pymysql://keystone:keystone@mariadb/keystone connection = mysql+pymysql://keystone:keystone@mariadb/keystone
@ -8,5 +10,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
[token] [token]
provider = fernet provider = fernet
[auth]
methods = password,token,mapped,openid,saml2
[federation]
trusted_dashboard = https://merlin.hpc.rug.nl/horizon/auth/websso/
sso_calback_template = /etc/keystone/sso_calback_template.html
[mapped]
remote_id_attribute = Shib-Identity-Provider
[identity] [identity]
default_domain_id = default default_domain_id = default

252
keystone/routers.py Normal file
View File

@ -0,0 +1,252 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import functools
from keystone.common import json_home
from keystone.common import wsgi
from keystone.federation import controllers
build_resource_relation = functools.partial(
json_home.build_v3_extension_resource_relation,
extension_name='OS-FEDERATION', extension_version='1.0')
build_parameter_relation = functools.partial(
json_home.build_v3_extension_parameter_relation,
extension_name='OS-FEDERATION', extension_version='1.0')
IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
parameter_name='protocol_id')
SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
class Routers(wsgi.RoutersBase):
"""API Endpoints for the Federation extension.
The API looks like::
PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}
PUT /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
GET /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
"""
def _construct_url(self, suffix):
return "/OS-FEDERATION/%s" % suffix
def append_v3_routers(self, mapper, routers):
auth_controller = controllers.Auth()
idp_controller = controllers.IdentityProvider()
protocol_controller = controllers.FederationProtocol()
mapping_controller = controllers.MappingController()
project_controller = controllers.ProjectAssignmentV3()
domain_controller = controllers.DomainV3()
saml_metadata_controller = controllers.SAMLMetadataV3()
sp_controller = controllers.ServiceProvider()
# Identity Provider CRUD operations
self._add_resource(
mapper, idp_controller,
path=self._construct_url('identity_providers/{idp_id}'),
get_action='get_identity_provider',
put_action='create_identity_provider',
patch_action='update_identity_provider',
delete_action='delete_identity_provider',
rel=build_resource_relation(resource_name='identity_provider'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, idp_controller,
path=self._construct_url('identity_providers'),
get_action='list_identity_providers',
rel=build_resource_relation(resource_name='identity_providers'))
# Protocol CRUD operations
self._add_resource(
mapper, protocol_controller,
path=self._construct_url('identity_providers/{idp_id}/protocols/'
'{protocol_id}'),
get_action='get_protocol',
put_action='create_protocol',
patch_action='update_protocol',
delete_action='delete_protocol',
rel=build_resource_relation(
resource_name='identity_provider_protocol'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, protocol_controller,
path=self._construct_url('identity_providers/{idp_id}/protocols'),
get_action='list_protocols',
rel=build_resource_relation(
resource_name='identity_provider_protocols'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
})
# Mapping CRUD operations
self._add_resource(
mapper, mapping_controller,
path=self._construct_url('mappings/{mapping_id}'),
get_action='get_mapping',
put_action='create_mapping',
patch_action='update_mapping',
delete_action='delete_mapping',
rel=build_resource_relation(resource_name='mapping'),
path_vars={
'mapping_id': build_parameter_relation(
parameter_name='mapping_id'),
})
self._add_resource(
mapper, mapping_controller,
path=self._construct_url('mappings'),
get_action='list_mappings',
rel=build_resource_relation(resource_name='mappings'))
# Service Providers CRUD operations
self._add_resource(
mapper, sp_controller,
path=self._construct_url('service_providers/{sp_id}'),
get_action='get_service_provider',
put_action='create_service_provider',
patch_action='update_service_provider',
delete_action='delete_service_provider',
rel=build_resource_relation(resource_name='service_provider'),
path_vars={
'sp_id': SP_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, sp_controller,
path=self._construct_url('service_providers'),
get_action='list_service_providers',
rel=build_resource_relation(resource_name='service_providers'))
self._add_resource(
mapper, domain_controller,
path=self._construct_url('domains'),
new_path='/auth/domains',
get_action='list_domains_for_user',
rel=build_resource_relation(resource_name='domains'))
self._add_resource(
mapper, project_controller,
path=self._construct_url('projects'),
new_path='/auth/projects',
get_action='list_projects_for_user',
rel=build_resource_relation(resource_name='projects'))
# Auth operations
self._add_resource(
mapper, auth_controller,
path=self._construct_url('identity_providers/{idp_id}/'
'protocols/{protocol_id}/auth'),
get_post_action='federated_authentication',
rel=build_resource_relation(
resource_name='identity_provider_protocol_auth'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('saml2'),
post_action='create_saml_assertion',
rel=build_resource_relation(resource_name='saml2'))
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('saml2/ecp'),
post_action='create_ecp_assertion',
rel=build_resource_relation(resource_name='ecp'))
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('websso/{protocol_id}'),
get_post_action='federated_sso_auth',
rel=build_resource_relation(resource_name='websso'),
path_vars={
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url(
'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
get_post_action='federated_idp_specific_sso_auth',
rel=build_resource_relation(resource_name='identity_providers'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
# Keystone-Identity-Provider metadata endpoint
self._add_resource(
mapper, saml_metadata_controller,
path=self._construct_url('saml2/metadata'),
get_action='get_metadata',
rel=build_resource_relation(resource_name='metadata'))

20
keystone/rules.json Normal file
View File

@ -0,0 +1,20 @@
[
{
"local": [
{
"group_ids": "{1}",
"user": {
"name": "{0}"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "openstackGroupEntitlements"
}
]
}
]

22
keystone/run.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
# start nova compute service
chown keystone: /etc/keystone/fernet-keys
chmod 700 /etc/keystone/fernet-keys
# Start apache
a2enmod ssl
apachectl -DFOREGROUND &
tail -f /var/log/apache2/* &
chown _shibd: /etc/shibboleth/sp*.pem
shibd -f -F &
# If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it.
wait -n
pkill -P $$

114
keystone/shibboleth2.xml Normal file
View File

@ -0,0 +1,114 @@
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
</MetadataProvider>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

22
keystone/sso_callback_template.html Normal file
View File

@ -0,0 +1,22 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Keystone WebSSO redirect</title>
</head>
<body>
<form id="sso" name="sso" action="$host" method="post">
Please wait...
<br/>
<input type="hidden" name="token" id="token" value="$token"/>
<noscript>
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
value="If your JavaScript is disabled, please click to continue"/>
</noscript>
</form>
<script type="text/javascript">
window.onload = function() {
document.forms['sso'].submit();
}
</script>
</body>
</html>

4
keystone/test.php Normal file
View File

@ -0,0 +1,4 @@
<html>
<head><title>Shibboleth test</title></head>
<body><pre><?php print_r($_SERVER); ?></pre></body>
</html>

8
neutron_controller/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

2
neutron_controller/bootstrap.sh
View File

@ -11,7 +11,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

9
neutron_controller/run.sh
View File

@ -29,8 +29,15 @@ neutron-metadata-agent \
--config-dir /etc/neutron/ \ --config-dir /etc/neutron/ \
-v -d & -v -d &
sleep 3
neutron-l3-agent \
--config-file /etc/neutron/l3_agent.ini \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
# If any process fails, kill the rest. # If any process fails, kill the rest.
# This insures the container stops and systemd will restart it. # This ensures the container stops and systemd will restart it.
wait -n wait -n
pkill -P $$ pkill -P $$

62
neutron_controller/write_conf.sh
View File

@ -4,15 +4,16 @@
# These are to be passed to the docker container using -e # These are to be passed to the docker container using -e
cat << EOF > /etc/neutron/neutron.conf cat << EOF > /etc/neutron/neutron.conf
[DEFAULT] [DEFAULT]
core_plugin = ml2 core_plugin = ml2
service_plugins = service_plugins = router
allow_overlapping_ips = True
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
auth_strategy = keystone auth_strategy = keystone
notify_nova_on_port_status_changes = true notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true notify_nova_on_port_data_changes = true
dhcp_agents_per_network = 2 dhcp_agents_per_network = 2
global_physnet_mtu = $GLOBAL_PHYSNET_MTU
[agent] [agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
@ -21,8 +22,8 @@ root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -32,7 +33,7 @@ username = $NEUTRON_USER
password = $NEUTRON_PASSWORD password = $NEUTRON_PASSWORD
[nova] [nova]
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -46,11 +47,10 @@ EOF
cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2] [ml2]
type_drivers = flat,vlan type_drivers = flat,vlan,vxlan
tenant_network_types = tenant_network_types = vxlan
mechanism_drivers = linuxbridge mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security extension_drivers = port_security
path_mtu = $GLOBAL_PHYSNET_MTU
[ml2_type_vlan] [ml2_type_vlan]
network_vlan_ranges = provider network_vlan_ranges = provider
@ -58,25 +58,14 @@ network_vlan_ranges = provider
[ml2_type_flat] [ml2_type_flat]
flat_networks = provider flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup] [securitygroup]
enable_ipset = true enable_ipset = true
EOF EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[vxlan]
enable_vxlan = false
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
EOF
cat << EOF > /etc/neutron/metadata_agent.ini cat << EOF > /etc/neutron/metadata_agent.ini
[DEFAULT] [DEFAULT]
@ -84,3 +73,30 @@ nova_metadata_ip = $MY_IP
metadata_proxy_shared_secret = $METADATA_SECRET metadata_proxy_shared_secret = $METADATA_SECRET
EOF EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[vxlan]
enable_vxlan = True
l2_population = True
local_ip = $OVERLAY_IP
[securitygroup]
enable_security_group = true
firewall_driver = iptables
EOF
cat << EOF > /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge =
EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

31
neutron_controller_ovs/Dockerfile Normal file
View File

@ -0,0 +1,31 @@
FROM ubuntu:16.04
# install packages
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
RUN set -x \
&& echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \
&& apt-get -y update \
&& apt-get -y install ubuntu-cloud-keyring \
&& apt-get -y update \
&& apt-get -y install \
mysql-client \
python-mysqldb \
python-openstackclient \
neutron-server \
neutron-plugin-ml2 \
neutron-linuxbridge-agent \
neutron-l3-agent \
neutron-metadata-agent \
&& apt-get -y clean
# add bootstrap script and make it executable
COPY bootstrap.sh /etc/bootstrap.sh
# Workaround for vlan_transparent parameter set to None.
COPY db_base_plugin_v2.py /usr/lib/python2.7/dist-packages/neutron/db/db_base_plugin_v2.py
COPY run.sh /etc/run.sh
COPY write_conf.sh /etc/write_conf.sh
CMD ["/etc/run.sh"]

21
neutron_controller_ovs/README.md Normal file
View File

@ -0,0 +1,21 @@
# ubuntu 16.04 openstack ocata neutron controler node
## How to build the docker image.
```
docker build . -t="hpc/neutroncontroller"
```
## How to bootstrap the service.
Before we can take the container into service we need accounts in keystone.
We also need an initial database. Both of these tasks are performed by the bootstrap script.
```
docker run --rm --it --add-host="controller:<keystone_ip>" hpc/neutroncontroler /etc/bootstrap.sh
```
## How to run
This image needs a lot of environment variables. It should be run via the `hpc-cloud` ansible repository.
## Notes
This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud)
The -p option is added to the run command to make the container accessible from (containers on ) other hosts than the container host.

76
neutron_controller_ovs/bootstrap.sh Executable file
View File

@ -0,0 +1,76 @@
#!/bin/bash
#
# This script sets up the openstack users and regions..
# as well as the database for the nova controller.
# This guide was used:
# https://docs.openstack.org/ocata/install-guide-ubuntu/nova-controller-install.
# Create admin-openrc.sh from secrets that are in the environment during bootstrap.
cat << EOF > /root/admin-openrc.sh
#!/bin/bash
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_IMAGE_API_VERSION=2
EOF
source /root/admin-openrc.sh
# create database for neutron.
SQL_SCRIPT=/root/neutron.sql
mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF
DROP DATABASE IF EXISTS neutron;
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY "${NEUTRON_PASSWORD}";
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY "${NEUTRON_PASSWORD}";
EOF
openstack user create "$NEUTRON_USER" --domain default --password "$NEUTRON_PASSWORD"
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network
# neutron endpoints
openstack endpoint create --region RegionOne \
network public http://$MY_IP:9696
openstack endpoint create --region RegionOne \
network internal http://$MY_IP:9696
openstack endpoint create --region RegionOne \
network admin http://$MY_IP:9696
# population of the database requires complete server and plug-in configuration files.
/etc/write_conf.sh
# Ugly hacks to prevent the manage command from failing
sed -i "/ op.drop_column('networks', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py
sed -i "/ op.drop_column('subnets', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py
sed -i "/ op.drop_column('qos_policies', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/mitaka/contract/c6c112992c9_rbac_qos_policy.py
neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
# And now we drop the colums and constraints that the ORM fails to drop.
mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" neutron << EOF
ALTER TABLE networks DROP CONSTRAINT CONSTRAINT_2;
alter table networks drop column shared;
ALTER TABLE subnets DROP CONSTRAINT CONSTRAINT_2;
ALTER TABLE subnets DROP COLUMN shared;
ALTER TABLE qos_policies DROP CONSTRAINT CONSTRAINT_1;
ALTER TABLE qos_policies drop column shared
EOF

1388
neutron_controller_ovs/db_base_plugin_v2.py Normal file
View File

File diff suppressed because it is too large Load Diff

43
neutron_controller_ovs/run.sh Executable file
View File

@ -0,0 +1,43 @@
#!/bin/bash
# start neutron services
/etc/write_conf.sh
/usr/bin/neutron-server \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
sleep 3
/usr/bin/neutron-linuxbridge-agent \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
sleep 3
neutron-metadata-agent \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
sleep 3
neutron-l3-agent \
--config-file /etc/neutron/l3_agent.ini \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
# If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it.
wait -n
pkill -P $$

102
neutron_controller_ovs/write_conf.sh Executable file
View File

@ -0,0 +1,102 @@
#!/bin/bash
#
# Generate config files from environments values.
# These are to be passed to the docker container using -e
cat << EOF > /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
dhcp_agents_per_network = 2
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[database]
connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
[keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = $NEUTRON_USER
password = $NEUTRON_PASSWORD
[nova]
auth_url = https://$KEYSTONE_HOST:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = $NOVA_USER
password = $NOVA_PASSWORD
EOF
cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_vlan]
network_vlan_ranges = provider
[ml2_type_flat]
flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = true
EOF
cat << EOF > /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = $MY_IP
metadata_proxy_shared_secret = $METADATA_SECRET
EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[vxlan]
enable_vxlan = True
l2_population = True
local_ip = $OVERLAY_IP
[securitygroup]
enable_security_group = true
firewall_driver = iptables
EOF
cat << EOF > /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge =
EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

26
nova_compute/.drone.yml Normal file
View File

@ -0,0 +1,26 @@
---
pipeline:
docker:
image: plugins/docker
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute
tag: latest
notify:
image: drillster/drone-email
host: smtp.rug.nl
port: 25
skip_verify: true
from: drone@webhosting.rug.nl
recipients: [e.m.a.rijpkema@rug.nl]
recipients: [e.m.a.rijpkema@rug.nl, w.k.nap@rug.nl]
recipients_only: true
when:
status: [success, changed, failure]
# slack:
# image: plugins/slack
# webhook:
# channel: docker
# when:
# branch: [master, merlin]
# status: [success, failure]

6
nova_compute/Dockerfile
View File

@ -12,12 +12,16 @@ RUN set -x \
python-openstackclient \ python-openstackclient \
nova-compute \ nova-compute \
neutron-linuxbridge-agent \ neutron-linuxbridge-agent \
neutron-l3-agent \
neutron-dhcp-agent \ neutron-dhcp-agent \
neutron-metadata-agent \ neutron-metadata-agent \
python-ceph \
python-rbd \
ceph-common \
&& apt-get -y clean && apt-get -y clean
COPY write_conf.sh /etc/write_conf.sh COPY write_conf.sh /etc/write_conf.sh
COPY run.sh /etc/run.sh COPY run.sh /etc/run.sh
RUN echo hoi
CMD ["/etc/run.sh"] CMD ["/etc/run.sh"]

1
nova_compute/run.sh
View File

@ -27,6 +27,7 @@ neutron-metadata-agent \
--config-dir /etc/neutron/ \ --config-dir /etc/neutron/ \
-v -d & -v -d &
# If any process fails, kill the rest. # If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it. # This ensures the container stops and systemd will restart it.

102
nova_compute/write_conf.sh
View File

@ -8,7 +8,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
@ -36,11 +36,12 @@ firewall_driver = nova.virt.firewall.NoopFirewallDriver
scheduler_default_filters = AllHostsFilter scheduler_default_filters = AllHostsFilter
allow_migrate_to_same_host = True allow_migrate_to_same_host = True
allow_resize_to_same_host = True allow_resize_to_same_host = True
security_group_api=neutron
[neutron] [neutron]
url = http://$NEUTRON_CONTROLLER_HOST:9696 url = http://$NEUTRON_CONTROLLER_HOST:9696
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -65,8 +66,8 @@ lock_path = /var/lib/nova/tmp
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -90,7 +91,7 @@ project_domain_name = Default
project_name = service project_name = service
auth_type = password auth_type = password
user_domain_name = Default user_domain_name = Default
auth_url = http://$KEYSTONE_HOST:35357/v3 auth_url = https://$KEYSTONE_HOST:35357/v3
username = $NOVA_PLACEMENT_USER username = $NOVA_PLACEMENT_USER
password = $NOVA_PLACEMENT_PASSWORD password = $NOVA_PLACEMENT_PASSWORD
@ -121,7 +122,13 @@ allow_migrate_to_same_host = True
allow_resize_to_same_host = True allow_resize_to_same_host = True
[libvirt] [libvirt]
virt_type=kvm virt_type = kvm
images_type = rbd
images_rbd_pool = volumes
images_rbd_ceph_conf = /etc/ceph/ceph.conf
rbd_user = volumes
rbd_secret_uuid = $RBD_SECRET_UUID
[vnc] [vnc]
enabled = True enabled = True
@ -139,8 +146,8 @@ lock_path = /var/lib/nova/tmp
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -164,7 +171,7 @@ project_domain_name = Default
project_name = service project_name = service
auth_type = password auth_type = password
user_domain_name = Default user_domain_name = Default
auth_url = http://$KEYSTONE_HOST:35357/v3 auth_url = https://$KEYSTONE_HOST:35357/v3
username = $NOVA_PLACEMENT_USER username = $NOVA_PLACEMENT_USER
password = $NOVA_PLACEMENT_PASSWORD password = $NOVA_PLACEMENT_PASSWORD
@ -173,7 +180,7 @@ api_paste_config=/etc/nova/api-paste.ini
[neutron] [neutron]
url = http://$NEUTRON_CONTROLLER_HOST:9696 url = http://$NEUTRON_CONTROLLER_HOST:9696
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -189,14 +196,16 @@ EOF
cat << EOF > /etc/neutron/neutron.conf cat << EOF > /etc/neutron/neutron.conf
[DEFAULT] [DEFAULT]
service_plugins = router
allow_overlapping_ips = True
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST
auth_strategy = keystone auth_strategy = keystone
core_plugin = ml2 core_plugin = ml2
global_physnet_mtu = $GLOBAL_PHYSNET_MTU global_physnet_mtu = $GLOBAL_PHYSNET_MTU
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -206,7 +215,7 @@ username = $NEUTRON_USER
password = $NEUTRON_PASSWORD password = $NEUTRON_PASSWORD
[nova] [nova]
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -217,17 +226,12 @@ password = $NOVA_PASSWORD
EOF EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge] cat << EOF > /etc/neutron/l3_agent.ini
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[vxlan] [DEFAULT]
enable_vxlan = false interface_driver = linuxbridge
external_network_bridge =
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
EOF EOF
@ -251,11 +255,10 @@ EOF
cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2] [ml2]
type_drivers = flat,vlan type_drivers = flat,vlan,vxlan
tenant_network_types = tenant_network_types = vxlan
mechanism_drivers = linuxbridge mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security extension_drivers = port_security
path_mtu = $GLOBAL_PHYSNET_MTU
[ml2_type_vlan] [ml2_type_vlan]
network_vlan_ranges = provider network_vlan_ranges = provider
@ -263,7 +266,54 @@ network_vlan_ranges = provider
[ml2_type_flat] [ml2_type_flat]
flat_networks = provider flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:100
[securitygroup] [securitygroup]
enable_ipset = true enable_ipset = true
EOF EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan]
enable_vxlan = True
l2_population = True
local_ip = $OVERLAY_IP
EOF
if [ $USE_CEPH = true ]
then cat << EOF > /etc/ceph/ceph.conf
[global]
fsid = $FSID
mon_initial_members = $MON_INITIAL_MEMBERS
mon_host = $MON_HOST
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# Your network address
public network = $PUBLIC_NETWORK
osd pool default size = $OSD_POOL_DEFAULT_SIZE
[client.compute]
keyring = /etc/ceph/ceph.client.compute.keyring
EOF
cat << EOF > /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge =
EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

8
nova_service/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

2
nova_service/bootstrap.sh
View File

@ -13,7 +13,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

11
nova_service/write_conf.sh
View File

@ -20,10 +20,11 @@ allow_migrate_to_same_host = True
allow_resize_to_same_host = True allow_resize_to_same_host = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver
enabled_apis=osapi_compute,metadata enabled_apis=osapi_compute,metadata
security_group_api=neutron
[neutron] [neutron]
url = http://$NEUTRON_CONTROLLER_HOST:9696 url = http://$NEUTRON_CONTROLLER_HOST:9696
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -38,8 +39,8 @@ metadata_proxy_shared_secret = $METADATA_SECRET
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
auth_uri = http://$KEYSTONE_HOST:5000 auth_uri = https://$KEYSTONE_HOST:5000
auth_url = http://$KEYSTONE_HOST:35357 auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -65,7 +66,7 @@ project_domain_name = Default
project_name = service project_name = service
auth_type = password auth_type = password
user_domain_name = Default user_domain_name = Default
auth_url = http://$KEYSTONE_HOST:35357/v3 auth_url = https://$KEYSTONE_HOST:35357/v3
username = $NOVA_PLACEMENT_USER username = $NOVA_PLACEMENT_USER
password = $NOVA_PLACEMENT_PASSWORD password = $NOVA_PLACEMENT_PASSWORD
@ -73,3 +74,5 @@ password = $NOVA_PLACEMENT_PASSWORD
os_region_name = RegionOne os_region_name = RegionOne
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

8
openstack_client/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

4
openstack_client/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF
@ -16,6 +16,6 @@ cat << EOF > /root/demo-openrc.sh
export OS_TENANT_NAME=demo export OS_TENANT_NAME=demo
export OS_USERNAME=demo export OS_USERNAME=demo
export OS_PASSWORD=${OS_DEMO_PASSWORD} export OS_PASSWORD=${OS_DEMO_PASSWORD}
export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF