Added a shibboleth attribute

This reverts commit 7ecc7154a5.

.drone.yml

@@ -0,0 +1,204 @@
+---
+# When the issue below is resolved, we can build the
+# image that was actually changed.
+# https://github.com/drone/drone/issues/1021
+
+pipeline:
+  cinder_controller:
+    image: plugins/docker
+    dockerfile: cinder_controller/Dockerfile
+    context: cinder_controller
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller
+    tag: latest
+    when:
+      branch: master
+  cinder_storage:
+    image: plugins/docker
+    dockerfile: cinder_storage/Dockerfile
+    context: cinder_storage
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-cinder-storage
+    tag: latest
+    when:
+      branch: master
+  glance:
+    image: plugins/docker
+    dockerfile: glance/Dockerfile
+    context: glance
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-glance
+    tag: latest
+    when:
+      branch: master
+  heat:
+    image: plugins/docker
+    dockerfile: heat/Dockerfile
+    context: heat
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-heat
+    tag: latest
+    when:
+      branch: master
+  horizon:
+    image: plugins/docker
+    dockerfile: horizon/Dockerfile
+    context: horizon
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-horizon
+    tag: latest
+    when:
+      branch: master
+  keystone:
+    image: plugins/docker
+    dockerfile: keystone/Dockerfile
+    context: keystone
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-keystone
+    tag: latest
+    when:
+      branch: master
+  neutron_controller:
+    image: plugins/docker
+    dockerfile: neutron_controller/Dockerfile
+    context: neutron_controller
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-neutron-controller
+    tag: latest
+    when:
+      branch: master
+  nova_service:
+    image: plugins/docker
+    dockerfile: nova_service/Dockerfile
+    context: nova_service
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-nova-service
+    tag: latest
+    when:
+      branch: master
+  nova_compute:
+    image: plugins/docker
+    dockerfile: nova_compute/Dockerfile
+    context: nova_compute
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute
+    tag: latest
+    when:
+      branch: master
+  keystone_merlin:
+    image: plugins/docker
+    dockerfile: keystone/Dockerfile
+    context: keystone
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin
+    tag: latest
+    when:
+      branch: merlin
+  nova_service_merlin:
+    image: plugins/docker
+    dockerfile: nova_service/Dockerfile
+    context: nova_service
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-nova-service-merlin
+    tag: latest
+    when:
+      branch: merlin
+  horizon_merlin:
+    image: plugins/docker
+    dockerfile: horizon/Dockerfile
+    context: horizon
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-horizon-merlin
+    tag: latest
+    when:
+      branch: merlin
+  neutron_controller_merlin:
+    image: plugins/docker
+    dockerfile: neutron_controller/Dockerfile
+    context: neutron_controller
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-neutron-controller-merlin
+    tag: latest
+    when:
+      branch: merlin
+  cinder_controller_merlin:
+    image: plugins/docker
+    dockerfile: cinder_controller/Dockerfile
+    context: cinder_controller
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller-merlin
+    tag: latest
+    when:
+      branch: mwelin
+  cinder_storage_merlin:
+    image: plugins/docker
+    dockerfile: cinder_storage/Dockerfile
+    context: cinder_storage
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-cinder-storage-merlin
+    tag: latest
+    when:
+      branch: merlin
+  nova_compute_merlin:
+    image: plugins/docker
+    dockerfile: nova_compute/Dockerfile
+    context: nova_compute
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute-merlin
+    tag: latest
+    when:
+      branch: merlin
+  glance_merlin:
+    image: plugins/docker
+    dockerfile: glance/Dockerfile
+    context: glance
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-glance-merlin
+    tag: latest
+    when:
+      branch: merlin
+  heat_merlin:
+    image: plugins/docker
+    dockerfile: heat/Dockerfile
+    context: heat
+    secrets: [docker_username, docker_password]
+    registry: registry.webhosting.rug.nl
+    repo: registry.webhosting.rug.nl/hpc/openstack-heat-merlin
+    tag: latest
+    when:
+      branch: merlin
+  notify:
+    image: drillster/drone-email
+    host: smtp.rug.nl
+    port: 25
+    skip_verify: true
+    from: drone@webhosting.rug.nl
+    # recipients: [e.m.a.rijpkema@rug.nl, w.k.nap@rug.nl]
+    recipients: [e.m.a.rijpkema@rug.nl]
+    recipients_only: true
+    when:
+      status: [success, changed, failure]
+#  slack:
+#    image: plugins/slack
+#    webhook:
+#    channel: docker
+#    when:
+#      branch: [master, merlin]
+#      status: [success, failure]

cinder_controller/Dockerfile

@@ -15,6 +15,8 @@ RUN set -x \
         python-oslo.cache \
         cinder-api \
         cinder-scheduler \
+        python-ceph \
+        python-rbd \
     && apt-get -y clean
 
 EXPOSE 8776

cinder_controller/admin-openrc.sh

@@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
 export OS_USERNAME=admin
 export OS_PASSWORD=geheim
 export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 
 export OS_PROJECT_DOMAIN_NAME=default
 export OS_USER_DOMAIN_NAME=default

cinder_controller/bootstrap.sh

@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export OS_PROJECT_DOMAIN_NAME=default

cinder_controller/run.sh

@@ -7,6 +7,7 @@ cinder-scheduler -d &
 sleep 5
 apachectl -DFOREGROUND &
 
+tail -f /var/log/apache2/* &
 # If any process fails, kill the rest.
 # This ensures the container stops and systemd will restart it.
 

cinder_controller/write_conf.sh

@@ -11,11 +11,12 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
 [DEFAULT]
 auth_strategy = keystone
 transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
+enabled_backends = RBD-backend
 my_ip = $MY_IP
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -27,4 +28,14 @@ password = $CINDER_PASSWORD
 [oslo_concurrency]
 lock_path = /var/lib/cinder/tmp
 
+[RBD-backend]
+volume_backend_name = RBD-backend
+rbd_pool = volumes
+rbd_user = volumes
+rbd_secret_uuid = $RBD_SECRET_UUID
+volume_driver = cinder.volume.drivers.rbd.RBDDriver
+rbd_ceph_conf = /etc/ceph/ceph.conf
+
 EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

cinder_storage/Dockerfile

@@ -15,8 +15,9 @@ RUN set -x \
         python-openstackclient \
         python-oslo.cache \
         lvm2 \
-	python-ceph \
+        python-ceph \
         python-rbd \
+        ceph-common \
 
     && apt-get -y clean
 

cinder_storage/admin-openrc.sh

@@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
 export OS_USERNAME=admin
 export OS_PASSWORD=geheim
 export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 
 export OS_PROJECT_DOMAIN_NAME=default
 export OS_USER_DOMAIN_NAME=default

cinder_storage/bootstrap.sh

@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export OS_PROJECT_DOMAIN_NAME=default

cinder_storage/write_conf.sh

@@ -10,14 +10,14 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
 
 [DEFAULT]
 auth_strategy = keystone
-transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
+transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST
 my_ip = $MY_IP
 enabled_backends = RBD-backend
 glance_api_servers = http://$GLANCE_HOST:9292
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -30,11 +30,13 @@ password = $CINDER_PASSWORD
 lock_path = /var/lib/cinder/tmp
 
 [RBD-backend]
-volume_backend_name=RBD-backend
+volume_backend_name = RBD-backend
-rbd_pool=volumes
+rbd_pool = volumes
-rbd_user=volumes
+rbd_user = volumes
-rbd_secret_uuid=d0db6ba7-a0c9-4da6-b0bc-aa7846325333
+rbd_secret_uuid = $RBD_SECRET_UUID
-volume_driver=cinder.volume.drivers.rbd.RBDDriver
+volume_driver = cinder.volume.drivers.rbd.RBDDriver
-rbd_ceph_conf=/etc/ceph/ceph.conf
+rbd_ceph_conf = /etc/ceph/ceph.conf
 
 EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

glance/admin-openrc.sh

@@ -8,7 +8,7 @@ export OS_IDENTITY_API_VERSION=3
 export OS_USERNAME=admin
 export OS_PASSWORD=geheim
 export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 
 export OS_PROJECT_DOMAIN_NAME=default
 export OS_USER_DOMAIN_NAME=default

glance/bootstrap.sh

@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export GLANCE_USER_NAME=glance

glance/write_conf.sh

@@ -9,8 +9,8 @@ cat << EOF > /etc/glance/glance-api.conf
 connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance
 [image_format]
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -57,8 +57,8 @@ rbd_store_user = images
 rbd_store_ceph_conf = /etc/ceph/ceph.conf
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -79,3 +79,6 @@ rabbit_password = $RABBIT_PASSWORD
 flavor = keystone
 
 EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts
+

heat/admin-openrc.sh

@@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
 export OS_USERNAME=admin
 export OS_PASSWORD=geheim
 export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 
 export OS_PROJECT_DOMAIN_NAME=default
 export OS_USER_DOMAIN_NAME=default

heat/bootstrap.sh

@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export HEAT_USER=heat

heat/write_conf.sh

@@ -15,8 +15,8 @@ heat_waitcondition_server_url = http://$HEAT_HOST:8000/v1/waitcondition
 
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -27,9 +27,11 @@ password = $HEAT_PASSWORD
 
 [trustee]
 auth_plugin = password
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 username = $HEAT_USER
 password = $HEAT_PASSWORD
 user_domain_name = Default
 
 EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

horizon/.gitignore

@@ -1,8 +0,0 @@
-# ---> Vim
-[._]*.s[a-w][a-z]
-[._]s[a-w][a-z]
-*.un~
-Session.vim
-.netrwhist
-*~
-

horizon/Dockerfile

@@ -38,7 +38,7 @@ RUN a2enmod ssl
 RUN a2enmod headers
 RUN a2enmod rewrite
 
-RUN  chown /var/lib/openstack-dashboard/secret_key horizon
+#RUN  chown /var/lib/openstack-dashboard/secret_key horizon
 
 CMD /etc/run.sh
 

horizon/admin-openrc.sh

@@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
 export OS_USERNAME=admin
 export OS_PASSWORD=geheim
 export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 
 export OS_PROJECT_DOMAIN_NAME=default
 export OS_USER_DOMAIN_NAME=default

horizon/local_settings.py

@@ -100,7 +100,7 @@ OPENSTACK_CINDER_FEATURES = {
 # services provided by neutron. Options currently available are load
 # balancer service, security groups, quotas, VPN service.
 OPENSTACK_NEUTRON_NETWORK = {
-    'enable_router': False,
+    'enable_router': True,
     'enable_quotas': False,
     'enable_ipv6': False,
     'enable_distributed_router': False,

horizon/openstack-dashboard.conf

@@ -1,17 +1,18 @@
 <VirtualHost *:80>
     RedirectMatch    "^/$"  "/horizon"
-    ServerName oscloudtest01.hpc.rug.nl
+    ServerName merlin.hpc.rug.nl
     RewriteEngine On
     RewriteCond %{HTTPS} off
     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 </VirtualHost>
 <VirtualHost *:443>
     RedirectMatch    "^/$"  "/horizon"
-    ServerName oscloudtest01.hpc.rug.nl
+    ServerName merlin.hpc.rug.nl
 
     SSLEngine On
-    SSLCertificateFile "/certs/oscloudtest01.hpc.rug.nl.crt"
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
-    SSLCertificateKeyFile "/certs/oscloudtest01.hpc.rug.nl.key"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    SSLCACertificateFile "/certs/DigiCertCA.crt"
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 
     # HTTP Strict Transport Security (HSTS) enforces that all communications

horizon/run.sh

@@ -3,4 +3,10 @@
 #Making the console log console again...
 tail -f /var/log/horizon.log &
 
+tail -f /var/log/apache2/* &
+
+cat /etc/openstack-dashboard/local_settings.py >> \
+    /usr/share/openstack-dashboard/openstack_dashboard/settings.py
+
+
 apachectl -DFOREGROUND

keystone/.gitignore

@@ -1,8 +0,0 @@
-# ---> Vim
-[._]*.s[a-w][a-z]
-[._]s[a-w][a-z]
-*.un~
-Session.vim
-.netrwhist
-*~
-

keystone/Dockerfile

@@ -13,16 +13,36 @@ RUN set -x \
     && apt-get -y update \
     && apt-get -y install \
     && apt-get -y install keystone python-openstackclient \
+    && apt-get -y install libapache2-mod-shib2 \
     && apt-get -y clean
 
 # set admin token TODO: make this a secret
 # in volume of met env
 COPY keystone.conf /etc/keystone/keystone.conf
 
+COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
+
+COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
+COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
+COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
+
+COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
+
+RUN mkdir /var/run/shibboleth
+
+COPY run.sh /etc/run.sh
+
 RUN mkdir /etc/keystone/fernet-keys
 
 RUN chown keystone: /etc/keystone/fernet-keys
 
+RUN a2enmod shib2
+
 COPY bootstrap.sh /etc/bootstrap.sh
 
-CMD apachectl -DFOREGROUND
+# Testing only!!!
+RUN mkdir -p /var/www/html/secure
+RUN apt-get -y install php libapache2-mod-php
+COPY test.php /var/www/html/secure/test.php
+
+CMD /etc/run.sh

keystone/apache-keystone.conf

@@ -0,0 +1,128 @@
+LoadModule ssl_module modules/mod_ssl.so
+
+Listen 5000
+Listen 35357
+
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require valid-user
+</Location>
+
+Alias "/secure" "/var/www/html/secure"
+
+<VirtualHost *:5000>
+    ServerName https://merlin.hpc.rug.nl:5000
+    SSLEngine on
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    SSLCACertificateFile "/certs/DigiCertCA.crt"
+    UseCanonicalName On
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
+    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LimitRequestBody 114688
+
+    # Added for federation.
+    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
+
+    <Location /Shibboleth.sso>
+        SetHandler shib
+    </Location>
+
+    <Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
+        ShibRequestSetting requireSession 1
+        AuthType shibboleth
+        ShibExportAssertion Off
+        Require valid-user
+
+        <IfVersion < 2.4>
+            ShibRequireSession On
+            ShibRequireAll On
+       </IfVersion>
+    </Location>
+
+    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
+      AuthType shibboleth
+      Require valid-user
+      ShibRequestSetting requireSession 1
+      ShibRequireSession On
+      ShibExportAssertion Off
+    </Location>
+    <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
+      AuthType shibboleth
+      Require valid-user
+    </Location>
+
+</VirtualHost>
+
+<VirtualHost *:35357>
+    ServerName https://merlin.hpc.rug.nl:35357
+    SSLEngine on
+    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
+    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
+    SSLCACertificateFile "/certs/DigiCertCA.crt"
+    UseCanonicalName On
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
+    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LimitRequestBody 114688
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
+</VirtualHost>
+
+Alias /identity /usr/bin/keystone-wsgi-public
+<Location /identity>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>
+
+Alias /identity_admin /usr/bin/keystone-wsgi-admin
+<Location /identity_admin>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>

keystone/attribute-map.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+
+
+
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+    <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
+  </Attribute>
+  <Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
+
+  <!-- Added for nikhef -->
+  <Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
+  <!-- Added after mail 18-10-2018 -->
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
+
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
+  <Attribute name="urn:oid:2.5.4.4"                       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
+  <Attribute name="urn:oid:2.5.4.42"                      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
+  <Attribute name="urn:oid:2.5.4.3"                       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
+  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
+  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9"       nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
+  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
+  <Attribute name="urn:oid:0.9.2342.19200300.100.1.1"     nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
+  <Attribute name="urn:oid:2.16.840.1.113730.3.1.39"      nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
+</Attributes>

keystone/attribute-policy.xml

@@ -0,0 +1,71 @@
+<afp:AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
+    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:afp="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="AttributeValueString" value="faculty"/>
+        <Rule xsi:type="AttributeValueString" value="student"/>
+        <Rule xsi:type="AttributeValueString" value="staff"/>
+        <Rule xsi:type="AttributeValueString" value="alum"/>
+        <Rule xsi:type="AttributeValueString" value="member"/>
+        <Rule xsi:type="AttributeValueString" value="affiliate"/>
+        <Rule xsi:type="AttributeValueString" value="employee"/>
+        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
+    </afp:PermitValueRule>
+    
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
+    <!-- # Hacked for Nikhef federation
+    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="AttributeValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
+    </afp:PermitValueRule>
+    -->
+    <afp:AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <afp:AttributeRule attributeID="affiliation">
+            <afp:PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="unscoped-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        <afp:AttributeRule attributeID="primary-affiliation">
+            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </afp:AttributeRule>
+        
+        <afp:AttributeRule attributeID="eppn">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <afp:AttributeRule attributeID="targeted-id">
+            <afp:PermitValueRuleReference ref="ScopingRules"/>
+        </afp:AttributeRule>
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <afp:AttributeRule attributeID="persistent-id">
+            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+        </afp:AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <afp:AttributeRule attributeID="*">
+            <afp:PermitValueRule xsi:type="ANY"/>
+        </afp:AttributeRule>
+        
+    </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>

keystone/bootstrap.sh

@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3
 export OS_IDENTITY_API_VERSION=3
 EOF
 
@@ -16,7 +16,7 @@ cat << EOF > /root/demo-openrc.sh
 export OS_TENANT_NAME=demo
 export OS_USERNAME=demo
 export OS_PASSWORD=${OS_DEMO_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3
 export OS_IDENTITY_API_VERSION=3
 EOF
 

keystone/keystone.conf

@@ -1,6 +1,8 @@
 [DEFAULT]
 
 verbose = true
+# debug = true
+log_file = /var/log/keystone/keystone.log
 
 [database]
 connection = mysql+pymysql://keystone:keystone@mariadb/keystone
@@ -8,5 +10,15 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
 [token]
 provider = fernet
 
+[auth]
+methods = password,token,mapped,openid,saml2
+
+[federation]
+trusted_dashboard = https://merlin.hpc.rug.nl/horizon/auth/websso/
+sso_calback_template = /etc/keystone/sso_calback_template.html
+
+[mapped]
+remote_id_attribute = Shib-Identity-Provider
+
 [identity]
 default_domain_id = default

keystone/routers.py

@@ -0,0 +1,252 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import functools
+
+from keystone.common import json_home
+from keystone.common import wsgi
+from keystone.federation import controllers
+
+
+build_resource_relation = functools.partial(
+    json_home.build_v3_extension_resource_relation,
+    extension_name='OS-FEDERATION', extension_version='1.0')
+
+build_parameter_relation = functools.partial(
+    json_home.build_v3_extension_parameter_relation,
+    extension_name='OS-FEDERATION', extension_version='1.0')
+
+IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
+PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
+    parameter_name='protocol_id')
+SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
+
+
+class Routers(wsgi.RoutersBase):
+    """API Endpoints for the Federation extension.
+
+    The API looks like::
+
+        PUT /OS-FEDERATION/identity_providers/{idp_id}
+        GET /OS-FEDERATION/identity_providers
+        GET /OS-FEDERATION/identity_providers/{idp_id}
+        DELETE /OS-FEDERATION/identity_providers/{idp_id}
+        PATCH /OS-FEDERATION/identity_providers/{idp_id}
+
+        PUT /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        GET /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols
+        GET /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        PATCH /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+        DELETE /OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}
+
+        PUT /OS-FEDERATION/mappings
+        GET /OS-FEDERATION/mappings
+        PATCH /OS-FEDERATION/mappings/{mapping_id}
+        GET /OS-FEDERATION/mappings/{mapping_id}
+        DELETE /OS-FEDERATION/mappings/{mapping_id}
+
+        GET /OS-FEDERATION/projects
+        GET /OS-FEDERATION/domains
+
+        PUT /OS-FEDERATION/service_providers/{sp_id}
+        GET /OS-FEDERATION/service_providers
+        GET /OS-FEDERATION/service_providers/{sp_id}
+        DELETE /OS-FEDERATION/service_providers/{sp_id}
+        PATCH /OS-FEDERATION/service_providers/{sp_id}
+
+        GET /OS-FEDERATION/identity_providers/{idp_id}/
+            protocols/{protocol_id}/auth
+        POST /OS-FEDERATION/identity_providers/{idp_id}/
+            protocols/{protocol_id}/auth
+        GET /auth/OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}/websso
+            ?origin=https%3A//horizon.example.com
+        POST /auth/OS-FEDERATION/identity_providers/
+            {idp_id}/protocols/{protocol_id}/websso
+            ?origin=https%3A//horizon.example.com
+
+
+        POST /auth/OS-FEDERATION/saml2
+        POST /auth/OS-FEDERATION/saml2/ecp
+        GET /OS-FEDERATION/saml2/metadata
+
+        GET /auth/OS-FEDERATION/websso/{protocol_id}
+            ?origin=https%3A//horizon.example.com
+
+        POST /auth/OS-FEDERATION/websso/{protocol_id}
+             ?origin=https%3A//horizon.example.com
+
+    """
+
+    def _construct_url(self, suffix):
+        return "/OS-FEDERATION/%s" % suffix
+
+    def append_v3_routers(self, mapper, routers):
+        auth_controller = controllers.Auth()
+        idp_controller = controllers.IdentityProvider()
+        protocol_controller = controllers.FederationProtocol()
+        mapping_controller = controllers.MappingController()
+        project_controller = controllers.ProjectAssignmentV3()
+        domain_controller = controllers.DomainV3()
+        saml_metadata_controller = controllers.SAMLMetadataV3()
+        sp_controller = controllers.ServiceProvider()
+
+        # Identity Provider CRUD operations
+
+        self._add_resource(
+            mapper, idp_controller,
+            path=self._construct_url('identity_providers/{idp_id}'),
+            get_action='get_identity_provider',
+            put_action='create_identity_provider',
+            patch_action='update_identity_provider',
+            delete_action='delete_identity_provider',
+            rel=build_resource_relation(resource_name='identity_provider'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, idp_controller,
+            path=self._construct_url('identity_providers'),
+            get_action='list_identity_providers',
+            rel=build_resource_relation(resource_name='identity_providers'))
+
+        # Protocol CRUD operations
+
+        self._add_resource(
+            mapper, protocol_controller,
+            path=self._construct_url('identity_providers/{idp_id}/protocols/'
+                                     '{protocol_id}'),
+            get_action='get_protocol',
+            put_action='create_protocol',
+            patch_action='update_protocol',
+            delete_action='delete_protocol',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocol'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, protocol_controller,
+            path=self._construct_url('identity_providers/{idp_id}/protocols'),
+            get_action='list_protocols',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocols'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+            })
+
+        # Mapping CRUD operations
+
+        self._add_resource(
+            mapper, mapping_controller,
+            path=self._construct_url('mappings/{mapping_id}'),
+            get_action='get_mapping',
+            put_action='create_mapping',
+            patch_action='update_mapping',
+            delete_action='delete_mapping',
+            rel=build_resource_relation(resource_name='mapping'),
+            path_vars={
+                'mapping_id': build_parameter_relation(
+                    parameter_name='mapping_id'),
+            })
+        self._add_resource(
+            mapper, mapping_controller,
+            path=self._construct_url('mappings'),
+            get_action='list_mappings',
+            rel=build_resource_relation(resource_name='mappings'))
+
+        # Service Providers CRUD operations
+
+        self._add_resource(
+            mapper, sp_controller,
+            path=self._construct_url('service_providers/{sp_id}'),
+            get_action='get_service_provider',
+            put_action='create_service_provider',
+            patch_action='update_service_provider',
+            delete_action='delete_service_provider',
+            rel=build_resource_relation(resource_name='service_provider'),
+            path_vars={
+                'sp_id': SP_ID_PARAMETER_RELATION,
+            })
+
+        self._add_resource(
+            mapper, sp_controller,
+            path=self._construct_url('service_providers'),
+            get_action='list_service_providers',
+            rel=build_resource_relation(resource_name='service_providers'))
+
+        self._add_resource(
+            mapper, domain_controller,
+            path=self._construct_url('domains'),
+            new_path='/auth/domains',
+            get_action='list_domains_for_user',
+            rel=build_resource_relation(resource_name='domains'))
+        self._add_resource(
+            mapper, project_controller,
+            path=self._construct_url('projects'),
+            new_path='/auth/projects',
+            get_action='list_projects_for_user',
+            rel=build_resource_relation(resource_name='projects'))
+
+        # Auth operations
+        self._add_resource(
+            mapper, auth_controller,
+            path=self._construct_url('identity_providers/{idp_id}/'
+                                     'protocols/{protocol_id}/auth'),
+            get_post_action='federated_authentication',
+            rel=build_resource_relation(
+                resource_name='identity_provider_protocol_auth'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('saml2'),
+            post_action='create_saml_assertion',
+            rel=build_resource_relation(resource_name='saml2'))
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('saml2/ecp'),
+            post_action='create_ecp_assertion',
+            rel=build_resource_relation(resource_name='ecp'))
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url('websso/{protocol_id}'),
+            get_post_action='federated_sso_auth',
+            rel=build_resource_relation(resource_name='websso'),
+            path_vars={
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+        self._add_resource(
+            mapper, auth_controller,
+            path='/auth' + self._construct_url(
+                 'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
+            get_post_action='federated_idp_specific_sso_auth',
+            rel=build_resource_relation(resource_name='identity_providers'),
+            path_vars={
+                'idp_id': IDP_ID_PARAMETER_RELATION,
+                'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
+            })
+
+        # Keystone-Identity-Provider metadata endpoint
+        self._add_resource(
+            mapper, saml_metadata_controller,
+            path=self._construct_url('saml2/metadata'),
+            get_action='get_metadata',
+            rel=build_resource_relation(resource_name='metadata'))

keystone/rules.json

@@ -0,0 +1,20 @@
+[
+    {
+        "local": [
+            {
+                "group_ids": "{1}",
+                "user": {
+                    "name": "{0}"
+                }
+            }
+        ],
+        "remote": [
+            {
+                "type": "REMOTE_USER"
+            },
+            {
+                "type": "openstackGroupEntitlements"
+            }
+        ]
+    }
+]

keystone/run.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# start nova compute service
+
+chown keystone: /etc/keystone/fernet-keys
+chmod 700 /etc/keystone/fernet-keys
+
+# Start apache
+a2enmod ssl
+apachectl -DFOREGROUND &
+
+tail -f /var/log/apache2/* &
+
+chown _shibd: /etc/shibboleth/sp*.pem
+
+shibd -f -F &
+
+# If any process fails, kill the rest.
+# This ensures the container stops and systemd will restart it.
+
+wait -n
+pkill -P $$
+

keystone/shibboleth2.xml

@@ -0,0 +1,114 @@
+<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+
+    <!--
+    By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
+    are used. See example-shibboleth2.xml for samples of explicitly configuring them.
+    -->
+
+    <!--
+    To customize behavior for specific resources on Apache, and to link vhosts or
+    resources to ApplicationOverride settings below, use web server options/commands.
+    See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
+    
+    For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
+    file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
+    -->
+
+    <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
+    <ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
+                         REMOTE_USER="eppn persistent-id targeted-id">
+
+        <!--
+        Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
+        You MUST supply an effectively unique handlerURL value for each of your applications.
+        The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
+        a relative value based on the virtual host. Using handlerSSL="true", the default, will force
+        the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
+        Note that while we default checkAddress to "false", this has a negative impact on the
+        security of your site. Stealing sessions via cookie theft is much easier with this disabled.
+        -->
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+
+            <!--
+            Configures SSO for a default IdP. To allow for >1 IdP, remove
+            entityID property and adjust discoveryURL to point to discovery service.
+            (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
+            You can also override entityID on /Login query string, or in RequestMap/htaccess.
+            -->
+            <SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
+              SAML2
+            </SSO>
+
+            <!-- SAML and local-only logout. -->
+            <Logout>SAML2 Local</Logout>
+            
+            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+
+            <!-- Status reporting service. -->
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+
+            <!-- Session diagnostic service. -->
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+
+            <!-- JSON feed of discovery information. -->
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+
+        <!--
+        Allows overriding of error template information/filenames. You can
+        also add attributes with values that can be plugged into the templates.
+        -->
+        <Errors supportContact="root@localhost"
+            helpLocation="/about.html"
+            styleSheet="/shibboleth-sp/main.css"/>
+        
+        <!-- Example of remotely supplied batch of signed metadata. -->
+        <MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
+              backingFilePath="federation-metadata.xml" reloadInterval="7200">
+        </MetadataProvider>
+
+        <!-- Example of locally maintained metadata. -->
+        <!--
+        <MetadataProvider type="XML" file="partner-metadata.xml"/>
+        -->
+
+        <!-- Map to extract attributes from SAML assertions. -->
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        
+        <!-- Use a SAML query if no attributes are supplied during SSO. -->
+        <AttributeResolver type="Query" subjectMatch="true"/>
+
+        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+
+        <!-- Simple file-based resolver for using a single keypair. -->
+        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
+
+        <!--
+        The default settings can be overridden by creating ApplicationOverride elements (see
+        the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
+        Resource requests are mapped by web server commands, or the RequestMapper, to an
+        applicationId setting.
+        
+        Example of a second application (for a second vhost) that has a different entityID.
+        Resources on the vhost would map to an applicationId of "admin":
+        -->
+        <!--
+        <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
+        -->
+    </ApplicationDefaults>
+    
+    <!-- Policies that determine how to process and authenticate runtime messages. -->
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+
+    <!-- Low-level configuration about protocols and bindings available for use. -->
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>

keystone/sso_callback_template.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>Keystone WebSSO redirect</title>
+  </head>
+  <body>
+     <form id="sso" name="sso" action="$host" method="post">
+       Please wait...
+       <br/>
+       <input type="hidden" name="token" id="token" value="$token"/>
+       <noscript>
+         <input type="submit" name="submit_no_javascript" id="submit_no_javascript"
+            value="If your JavaScript is disabled, please click to continue"/>
+       </noscript>
+     </form>
+     <script type="text/javascript">
+       window.onload = function() {
+         document.forms['sso'].submit();
+       }
+     </script>
+  </body>
+</html>

keystone/test.php

@@ -0,0 +1,4 @@
+<html>
+<head><title>Shibboleth test</title></head>
+<body><pre><?php print_r($_SERVER); ?></pre></body>
+</html>

neutron_controller/bootstrap.sh

@@ -11,7 +11,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export OS_PROJECT_DOMAIN_NAME=default

neutron_controller/run.sh

@@ -36,7 +36,6 @@ neutron-l3-agent \
 --config-file /etc/neutron/metadata_agent.ini \
 --config-dir /etc/neutron/ \
 -v -d &
-
 # If any process fails, kill the rest.
 # This ensures the container stops and systemd will restart it.
 

neutron_controller/write_conf.sh

@@ -22,8 +22,8 @@ root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
 connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -33,7 +33,7 @@ username = $NEUTRON_USER
 password = $NEUTRON_PASSWORD
 
 [nova]
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 auth_type = password
 project_domain_name = Default
 user_domain_name = Default
@@ -74,13 +74,6 @@ metadata_proxy_shared_secret = $METADATA_SECRET
 
 EOF
 
-cat << EOF > /etc/neutron/l3_agent.ini
-
-[DEFAULT]
-interface_driver = linuxbridge
-external_network_bridge =
-
-EOF
 
 cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
 
@@ -105,3 +98,5 @@ interface_driver = linuxbridge
 external_network_bridge =
 
 EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

neutron_controller_ovs/Dockerfile

@@ -0,0 +1,31 @@
+FROM ubuntu:16.04
+# install packages
+
+RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
+
+RUN set -x \
+    && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \
+    && apt-get -y update \
+    && apt-get -y install ubuntu-cloud-keyring \
+    && apt-get -y update \
+    && apt-get -y install \
+        mysql-client \
+        python-mysqldb \
+        python-openstackclient \
+        neutron-server \
+        neutron-plugin-ml2 \
+        neutron-linuxbridge-agent \
+        neutron-l3-agent \
+        neutron-metadata-agent \
+    && apt-get -y clean
+
+# add bootstrap script and make it executable
+COPY bootstrap.sh /etc/bootstrap.sh
+
+# Workaround for vlan_transparent parameter set to None.
+COPY db_base_plugin_v2.py /usr/lib/python2.7/dist-packages/neutron/db/db_base_plugin_v2.py
+
+COPY run.sh /etc/run.sh
+COPY write_conf.sh /etc/write_conf.sh
+
+CMD ["/etc/run.sh"]

neutron_controller_ovs/README.md

@@ -0,0 +1,21 @@
+# ubuntu 16.04 openstack ocata neutron controler node
+
+## How to build the docker image.
+```
+docker  build . -t="hpc/neutroncontroller"
+```
+
+## How to bootstrap the service.
+Before we can take the container into service we need accounts in keystone.
+We also need an initial database. Both of these tasks are performed by the bootstrap script.
+```
+docker run --rm --it --add-host="controller:<keystone_ip>" hpc/neutroncontroler /etc/bootstrap.sh
+```
+
+## How to run
+This image needs a lot of environment variables. It should be run via the `hpc-cloud` ansible repository.
+
+
+## Notes
+This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud)
+The -p option is added to the run command to make the container accessible from (containers on ) other hosts than the container host.

neutron_controller_ovs/bootstrap.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# This script sets up the openstack users and regions..
+# as well as the database for the nova controller.
+# This guide was used:
+# https://docs.openstack.org/ocata/install-guide-ubuntu/nova-controller-install.
+
+# Create admin-openrc.sh from secrets that are in the environment during bootstrap.
+cat << EOF > /root/admin-openrc.sh
+#!/bin/bash
+export OS_TENANT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD=${OS_PASSWORD}
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
+export OS_IDENTITY_API_VERSION=3
+
+export OS_PROJECT_DOMAIN_NAME=default
+export OS_USER_DOMAIN_NAME=default
+export OS_PROJECT_NAME=admin
+export OS_IMAGE_API_VERSION=2
+
+EOF
+
+source /root/admin-openrc.sh
+
+# create database for neutron.
+SQL_SCRIPT=/root/neutron.sql
+mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF
+DROP DATABASE  IF EXISTS neutron;
+CREATE DATABASE neutron;
+
+GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
+    IDENTIFIED BY "${NEUTRON_PASSWORD}";
+
+GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
+    IDENTIFIED BY "${NEUTRON_PASSWORD}";
+EOF
+
+openstack user create "$NEUTRON_USER" --domain default --password "$NEUTRON_PASSWORD"
+openstack role add --project service --user neutron admin
+openstack service create --name neutron --description "OpenStack Networking" network
+
+# neutron endpoints
+openstack endpoint create --region RegionOne \
+  network public http://$MY_IP:9696
+
+openstack endpoint create --region RegionOne \
+  network internal http://$MY_IP:9696
+
+openstack endpoint create --region RegionOne \
+  network admin http://$MY_IP:9696
+
+# population of the database requires complete server and plug-in configuration files.
+/etc/write_conf.sh
+
+# Ugly hacks to prevent the manage command from failing
+sed -i "/    op.drop_column('networks', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py
+sed -i "/    op.drop_column('subnets', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py
+sed -i "/    op.drop_column('qos_policies', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/mitaka/contract/c6c112992c9_rbac_qos_policy.py
+
+neutron-db-manage --config-file /etc/neutron/neutron.conf \
+                  --config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
+
+# And now we drop the colums and constraints that the ORM fails to drop.
+mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" neutron << EOF
+
+ALTER TABLE networks DROP CONSTRAINT CONSTRAINT_2;
+alter table networks drop column shared;
+
+ALTER TABLE subnets DROP CONSTRAINT CONSTRAINT_2;
+ALTER TABLE subnets DROP COLUMN shared;
+
+ALTER TABLE qos_policies DROP CONSTRAINT CONSTRAINT_1;
+ALTER TABLE qos_policies drop column shared
+
+EOF

neutron_controller_ovs/run.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# start neutron services
+
+/etc/write_conf.sh
+
+/usr/bin/neutron-server \
+--config-file /etc/neutron/neutron.conf \
+--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
+--config-file /etc/neutron/metadata_agent.ini \
+--config-dir /etc/neutron/ \
+-v -d &
+
+sleep 3
+/usr/bin/neutron-linuxbridge-agent \
+--config-file /etc/neutron/neutron.conf \
+--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
+--config-file /etc/neutron/metadata_agent.ini \
+--config-dir /etc/neutron/ \
+-v -d &
+
+sleep 3
+neutron-metadata-agent \
+--config-file /etc/neutron/neutron.conf \
+--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
+--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
+--config-file /etc/neutron/metadata_agent.ini \
+--config-dir /etc/neutron/ \
+-v -d &
+
+sleep 3
+neutron-l3-agent \
+--config-file /etc/neutron/l3_agent.ini \
+--config-file /etc/neutron/neutron.conf \
+--config-file /etc/neutron/metadata_agent.ini \
+--config-dir /etc/neutron/ \
+-v -d &
+# If any process fails, kill the rest.
+# This ensures the container stops and systemd will restart it.
+
+wait -n
+pkill -P $$

neutron_controller_ovs/write_conf.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+#
+# Generate config files from environments values.
+# These are to be passed to the docker container using -e
+
+cat << EOF > /etc/neutron/neutron.conf
+
+[DEFAULT]
+core_plugin = ml2
+service_plugins = router
+allow_overlapping_ips = True
+transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
+auth_strategy = keystone
+notify_nova_on_port_status_changes = true
+notify_nova_on_port_data_changes = true
+dhcp_agents_per_network = 2
+
+[agent]
+root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
+
+[database]
+connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
+
+[keystone_authtoken]
+auth_uri = https://$KEYSTONE_HOST:5000
+auth_url = https://$KEYSTONE_HOST:35357
+memcached_servers = $MEMCACHED_HOST:11211
+auth_type = password
+project_domain_name = Default
+user_domain_name = Default
+project_name = service
+username = $NEUTRON_USER
+password = $NEUTRON_PASSWORD
+
+[nova]
+auth_url = https://$KEYSTONE_HOST:35357
+auth_type = password
+project_domain_name = Default
+user_domain_name = Default
+region_name = RegionOne
+project_name = service
+username = $NOVA_USER
+password = $NOVA_PASSWORD
+
+EOF
+
+cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini
+
+[ml2]
+type_drivers = flat,vlan,vxlan
+tenant_network_types = vxlan
+mechanism_drivers = linuxbridge,l2population
+extension_drivers = port_security
+
+[ml2_type_vlan]
+network_vlan_ranges = provider
+
+[ml2_type_flat]
+flat_networks = provider
+
+[ml2_type_vxlan]
+vni_ranges = 1:1000
+
+[securitygroup]
+enable_ipset = true
+
+EOF
+
+cat << EOF > /etc/neutron/metadata_agent.ini
+
+[DEFAULT]
+nova_metadata_ip = $MY_IP
+metadata_proxy_shared_secret = $METADATA_SECRET
+
+EOF
+
+
+cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
+
+[linux_bridge]
+physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
+
+[vxlan]
+enable_vxlan = True
+l2_population = True
+local_ip = $OVERLAY_IP
+
+[securitygroup]
+enable_security_group = true
+firewall_driver = iptables
+
+EOF
+
+cat << EOF > /etc/neutron/l3_agent.ini
+
+[DEFAULT]
+interface_driver = linuxbridge
+external_network_bridge =
+
+EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

nova_compute/Dockerfile

@@ -12,11 +12,12 @@ RUN set -x \
         python-openstackclient \
         nova-compute \
         neutron-linuxbridge-agent \
-	neutron-l3-agent \
+        neutron-l3-agent \
         neutron-dhcp-agent \
         neutron-metadata-agent \
         python-ceph \
         python-rbd \
+        ceph-common \
     && apt-get -y clean
 
 COPY write_conf.sh /etc/write_conf.sh

nova_compute/run.sh

@@ -27,13 +27,6 @@ neutron-metadata-agent \
 --config-dir /etc/neutron/ \
 -v -d &
 
-sleep 3
-neutron-l3-agent \
---config-file /etc/neutron/l3_agent.ini \
---config-file /etc/neutron/neutron.conf \
---config-file /etc/neutron/metadata_agent.ini \
---config-dir /etc/neutron/ \
--v -d &
 
 # If any process fails, kill the rest.
 # This ensures the container stops and systemd will restart it.

nova_compute/write_conf.sh

@@ -8,7 +8,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export OS_PROJECT_DOMAIN_NAME=default
@@ -36,11 +36,12 @@ firewall_driver = nova.virt.firewall.NoopFirewallDriver
 scheduler_default_filters = AllHostsFilter
 allow_migrate_to_same_host = True
 allow_resize_to_same_host = True
+security_group_api=neutron
 
 
 [neutron]
 url = http://$NEUTRON_CONTROLLER_HOST:9696
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 auth_type = password
 project_domain_name = Default
 user_domain_name = Default
@@ -65,8 +66,8 @@ lock_path = /var/lib/nova/tmp
 auth_strategy = keystone
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -90,7 +91,7 @@ project_domain_name = Default
 project_name = service
 auth_type = password
 user_domain_name = Default
-auth_url = http://$KEYSTONE_HOST:35357/v3
+auth_url = https://$KEYSTONE_HOST:35357/v3
 username = $NOVA_PLACEMENT_USER
 password = $NOVA_PLACEMENT_PASSWORD
 
@@ -123,10 +124,11 @@ allow_resize_to_same_host = True
 [libvirt]
 virt_type = kvm
 images_type = rbd
-images_rbd_pool = vms
+images_rbd_pool = volumes
 images_rbd_ceph_conf = /etc/ceph/ceph.conf
-rbd_user = nova
+rbd_user = volumes
-rbd_secret_uuid = b5044271-1918-4070-822c-f19ed14d7494
+rbd_secret_uuid = $RBD_SECRET_UUID
+
 
 [vnc]
 enabled = True
@@ -144,8 +146,8 @@ lock_path = /var/lib/nova/tmp
 auth_strategy = keystone
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -169,7 +171,7 @@ project_domain_name = Default
 project_name = service
 auth_type = password
 user_domain_name = Default
-auth_url = http://$KEYSTONE_HOST:35357/v3
+auth_url = https://$KEYSTONE_HOST:35357/v3
 username = $NOVA_PLACEMENT_USER
 password = $NOVA_PLACEMENT_PASSWORD
 
@@ -178,7 +180,7 @@ api_paste_config=/etc/nova/api-paste.ini
 
 [neutron]
 url = http://$NEUTRON_CONTROLLER_HOST:9696
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 auth_type = password
 project_domain_name = Default
 user_domain_name = Default
@@ -199,10 +201,11 @@ allow_overlapping_ips = True
 transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST
 auth_strategy = keystone
 core_plugin = ml2
+global_physnet_mtu = $GLOBAL_PHYSNET_MTU
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -212,7 +215,7 @@ username = $NEUTRON_USER
 password = $NEUTRON_PASSWORD
 
 [nova]
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 auth_type = password
 project_domain_name = Default
 user_domain_name = Default
@@ -273,9 +276,44 @@ EOF
 
 cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
 
+[linux_bridge]
+physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
+
+[securitygroup]
+enable_security_group = true
+firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
+
 [vxlan]
 enable_vxlan = True
 l2_population = True
 local_ip = $OVERLAY_IP
 
 EOF
+
+if [ $USE_CEPH = true ]
+    then cat << EOF > /etc/ceph/ceph.conf
+[global]
+fsid = $FSID
+mon_initial_members = $MON_INITIAL_MEMBERS
+mon_host = $MON_HOST
+auth_cluster_required = cephx
+auth_service_required = cephx
+auth_client_required = cephx
+
+# Your network address
+public network = $PUBLIC_NETWORK
+osd pool default size = $OSD_POOL_DEFAULT_SIZE
+
+[client.compute]
+keyring = /etc/ceph/ceph.client.compute.keyring
+EOF
+
+cat << EOF > /etc/neutron/l3_agent.ini
+
+[DEFAULT]
+interface_driver = linuxbridge
+external_network_bridge =
+
+EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

nova_service/bootstrap.sh

@@ -13,7 +13,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 
 export OS_PROJECT_DOMAIN_NAME=default

nova_service/write_conf.sh

@@ -20,10 +20,11 @@ allow_migrate_to_same_host = True
 allow_resize_to_same_host = True
 firewall_driver = nova.virt.firewall.NoopFirewallDriver
 enabled_apis=osapi_compute,metadata
+security_group_api=neutron
 
 [neutron]
 url = http://$NEUTRON_CONTROLLER_HOST:9696
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 auth_type = password
 project_domain_name = Default
 user_domain_name = Default
@@ -38,8 +39,8 @@ metadata_proxy_shared_secret = $METADATA_SECRET
 auth_strategy = keystone
 
 [keystone_authtoken]
-auth_uri = http://$KEYSTONE_HOST:5000
+auth_uri = https://$KEYSTONE_HOST:5000
-auth_url = http://$KEYSTONE_HOST:35357
+auth_url = https://$KEYSTONE_HOST:35357
 memcached_servers = $MEMCACHED_HOST:11211
 auth_type = password
 project_domain_name = Default
@@ -65,7 +66,7 @@ project_domain_name = Default
 project_name = service
 auth_type = password
 user_domain_name = Default
-auth_url = http://$KEYSTONE_HOST:35357/v3
+auth_url = https://$KEYSTONE_HOST:35357/v3
 username = $NOVA_PLACEMENT_USER
 password = $NOVA_PLACEMENT_PASSWORD
 
@@ -73,3 +74,5 @@ password = $NOVA_PLACEMENT_PASSWORD
 os_region_name = RegionOne
 
 EOF
+
+echo "172.23.59.101        merlin.hpc.rug.nl" >> /etc/hosts

openstack_client/bootstrap.sh

@@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
 export OS_PASSWORD=${OS_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 EOF
 
@@ -16,6 +16,6 @@ cat << EOF > /root/demo-openrc.sh
 export OS_TENANT_NAME=demo
 export OS_USERNAME=demo
 export OS_PASSWORD=${OS_DEMO_PASSWORD}
-export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
+export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
 export OS_IDENTITY_API_VERSION=3
 EOF