HPC/openstack_dockers
8
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: HPC:merlin
Branches Tags
HPC:master HPC:merlin HPC:feature/federated-login HPC:feature/federated-login-before-rebase HPC:feature/bagpipe
..
compare: HPC:feature/bagpipe
Branches Tags
HPC:master HPC:merlin HPC:feature/federated-login HPC:feature/federated-login-before-rebase HPC:feature/bagpipe

4 Commits
merlin ... feature/ba

Author SHA1 Message Date
Egon Rijpkema
cd5e1783c8 Trying to adhere to python naming convention. 2018-04-23 15:54:07 +02:00
Egon Rijpkema
9475b68c21 Docker in name is no longer needed 2018-04-23 15:34:55 +02:00
Egon Rijpkema
c961561812 Added l3 agent 2018-04-23 15:19:43 +02:00
Egon Rijpkema
e2c62e15f0 Changes for a federated dashboard. 2018-04-23 15:13:29 +02:00
50 changed files with 95 additions and 2699 deletions
Expand all files Collapse all files

204
.drone.yml
View File

@ -1,204 +0,0 @@
---
# When the issue below is resolved, we can build the
# image that was actually changed.
# https://github.com/drone/drone/issues/1021
pipeline:
cinder_controller:
image: plugins/docker
dockerfile: cinder_controller/Dockerfile
context: cinder_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller
tag: latest
when:
branch: master
cinder_storage:
image: plugins/docker
dockerfile: cinder_storage/Dockerfile
context: cinder_storage
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-storage
tag: latest
when:
branch: master
glance:
image: plugins/docker
dockerfile: glance/Dockerfile
context: glance
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-glance
tag: latest
when:
branch: master
heat:
image: plugins/docker
dockerfile: heat/Dockerfile
context: heat
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-heat
tag: latest
when:
branch: master
horizon:
image: plugins/docker
dockerfile: horizon/Dockerfile
context: horizon
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-horizon
tag: latest
when:
branch: master
keystone:
image: plugins/docker
dockerfile: keystone/Dockerfile
context: keystone
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-keystone
tag: latest
when:
branch: master
neutron_controller:
image: plugins/docker
dockerfile: neutron_controller/Dockerfile
context: neutron_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-neutron-controller
tag: latest
when:
branch: master
nova_service:
image: plugins/docker
dockerfile: nova_service/Dockerfile
context: nova_service
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-service
tag: latest
when:
branch: master
nova_compute:
image: plugins/docker
dockerfile: nova_compute/Dockerfile
context: nova_compute
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute
tag: latest
when:
branch: master
keystone_merlin:
image: plugins/docker
dockerfile: keystone/Dockerfile
context: keystone
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin
tag: latest
when:
branch: merlin
nova_service_merlin:
image: plugins/docker
dockerfile: nova_service/Dockerfile
context: nova_service
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-service-merlin
tag: latest
when:
branch: merlin
horizon_merlin:
image: plugins/docker
dockerfile: horizon/Dockerfile
context: horizon
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-horizon-merlin
tag: latest
when:
branch: merlin
neutron_controller_merlin:
image: plugins/docker
dockerfile: neutron_controller/Dockerfile
context: neutron_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-neutron-controller-merlin
tag: latest
when:
branch: merlin
cinder_controller_merlin:
image: plugins/docker
dockerfile: cinder_controller/Dockerfile
context: cinder_controller
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-controller-merlin
tag: latest
when:
branch: mwelin
cinder_storage_merlin:
image: plugins/docker
dockerfile: cinder_storage/Dockerfile
context: cinder_storage
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-cinder-storage-merlin
tag: latest
when:
branch: merlin
nova_compute_merlin:
image: plugins/docker
dockerfile: nova_compute/Dockerfile
context: nova_compute
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-nova-compute-merlin
tag: latest
when:
branch: merlin
glance_merlin:
image: plugins/docker
dockerfile: glance/Dockerfile
context: glance
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-glance-merlin
tag: latest
when:
branch: merlin
heat_merlin:
image: plugins/docker
dockerfile: heat/Dockerfile
context: heat
secrets: [docker_username, docker_password]
registry: registry.webhosting.rug.nl
repo: registry.webhosting.rug.nl/hpc/openstack-heat-merlin
tag: latest
when:
branch: merlin
notify:
image: drillster/drone-email
host: smtp.rug.nl
port: 25
skip_verify: true
from: drone@webhosting.rug.nl
# recipients: [e.m.a.rijpkema@rug.nl, w.k.nap@rug.nl]
recipients: [e.m.a.rijpkema@rug.nl]
recipients_only: true
when:
status: [success, changed, failure]
# slack:
# image: plugins/slack
# webhook:
# channel: docker
# when:
# branch: [master, merlin]
# status: [success, failure]

2
cinder_controller/Dockerfile
View File

@ -15,8 +15,6 @@ RUN set -x \
python-oslo.cache \ python-oslo.cache \
cinder-api \ cinder-api \
cinder-scheduler \ cinder-scheduler \
python-ceph \
python-rbd \
&& apt-get -y clean && apt-get -y clean
EXPOSE 8776 EXPOSE 8776

2
cinder_controller/admin-openrc.sh
View File

@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
cinder_controller/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

1
cinder_controller/run.sh
View File

@ -7,7 +7,6 @@ cinder-scheduler -d &
sleep 5 sleep 5
apachectl -DFOREGROUND & apachectl -DFOREGROUND &
tail -f /var/log/apache2/* &
# If any process fails, kill the rest. # If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it. # This ensures the container stops and systemd will restart it.

15
cinder_controller/write_conf.sh
View File

@ -11,12 +11,11 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
[DEFAULT] [DEFAULT]
auth_strategy = keystone auth_strategy = keystone
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
enabled_backends = RBD-backend
my_ip = $MY_IP my_ip = $MY_IP
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -28,14 +27,4 @@ password = $CINDER_PASSWORD
[oslo_concurrency] [oslo_concurrency]
lock_path = /var/lib/cinder/tmp lock_path = /var/lib/cinder/tmp
[RBD-backend]
volume_backend_name = RBD-backend
rbd_pool = volumes
rbd_user = volumes
rbd_secret_uuid = $RBD_SECRET_UUID
volume_driver = cinder.volume.drivers.rbd.RBDDriver
rbd_ceph_conf = /etc/ceph/ceph.conf
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

1
cinder_storage/Dockerfile
View File

@ -17,7 +17,6 @@ RUN set -x \
lvm2 \ lvm2 \
python-ceph \ python-ceph \
python-rbd \ python-rbd \
ceph-common \
&& apt-get -y clean && apt-get -y clean

2
cinder_storage/admin-openrc.sh
View File

@ -9,7 +9,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
cinder_storage/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

20
cinder_storage/write_conf.sh
View File

@ -10,14 +10,14 @@ connection = mysql+pymysql://$CINDER_USER:$CINDER_PASSWORD@$MYSQL_HOST/cinder
[DEFAULT] [DEFAULT]
auth_strategy = keystone auth_strategy = keystone
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
my_ip = $MY_IP my_ip = $MY_IP
enabled_backends = RBD-backend enabled_backends = RBD-backend
glance_api_servers = http://$GLANCE_HOST:9292 glance_api_servers = http://$GLANCE_HOST:9292
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -30,13 +30,11 @@ password = $CINDER_PASSWORD
lock_path = /var/lib/cinder/tmp lock_path = /var/lib/cinder/tmp
[RBD-backend] [RBD-backend]
volume_backend_name = RBD-backend volume_backend_name=RBD-backend
rbd_pool = volumes rbd_pool=volumes
rbd_user = volumes rbd_user=volumes
rbd_secret_uuid = $RBD_SECRET_UUID rbd_secret_uuid=d0db6ba7-a0c9-4da6-b0bc-aa7846325333
volume_driver = cinder.volume.drivers.rbd.RBDDriver volume_driver=cinder.volume.drivers.rbd.RBDDriver
rbd_ceph_conf = /etc/ceph/ceph.conf rbd_ceph_conf=/etc/ceph/ceph.conf
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

2
glance/admin-openrc.sh
View File

@ -8,7 +8,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
glance/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export GLANCE_USER_NAME=glance export GLANCE_USER_NAME=glance

11
glance/write_conf.sh
View File

@ -9,8 +9,8 @@ cat << EOF > /etc/glance/glance-api.conf
connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance connection = mysql+pymysql://$GLANCE_USER:$GLANCE_PASSWORD@$MYSQL_HOST/glance
[image_format] [image_format]
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -57,8 +57,8 @@ rbd_store_user = images
rbd_store_ceph_conf = /etc/ceph/ceph.conf rbd_store_ceph_conf = /etc/ceph/ceph.conf
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -79,6 +79,3 @@ rabbit_password = $RABBIT_PASSWORD
flavor = keystone flavor = keystone
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

2
heat/admin-openrc.sh
View File

@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
heat/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export HEAT_USER=heat export HEAT_USER=heat

8
heat/write_conf.sh
View File

@ -15,8 +15,8 @@ heat_waitcondition_server_url = http://$HEAT_HOST:8000/v1/waitcondition
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -27,11 +27,9 @@ password = $HEAT_PASSWORD
[trustee] [trustee]
auth_plugin = password auth_plugin = password
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
username = $HEAT_USER username = $HEAT_USER
password = $HEAT_PASSWORD password = $HEAT_PASSWORD
user_domain_name = Default user_domain_name = Default
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

8
horizon/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

2
horizon/Dockerfile
View File

@ -38,7 +38,7 @@ RUN a2enmod ssl
RUN a2enmod headers RUN a2enmod headers
RUN a2enmod rewrite RUN a2enmod rewrite
#RUN chown /var/lib/openstack-dashboard/secret_key horizon RUN chown /var/lib/openstack-dashboard/secret_key horizon
CMD /etc/run.sh CMD /etc/run.sh

2
horizon/admin-openrc.sh
View File

@ -5,7 +5,7 @@ export OS_IDENTITY_API_VERSION=3
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=geheim export OS_PASSWORD=geheim
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default

2
horizon/local_settings.py
View File

@ -100,7 +100,7 @@ OPENSTACK_CINDER_FEATURES = {
# services provided by neutron. Options currently available are load # services provided by neutron. Options currently available are load
# balancer service, security groups, quotas, VPN service. # balancer service, security groups, quotas, VPN service.
OPENSTACK_NEUTRON_NETWORK = { OPENSTACK_NEUTRON_NETWORK = {
'enable_router': True, 'enable_router': False,
'enable_quotas': False, 'enable_quotas': False,
'enable_ipv6': False, 'enable_ipv6': False,
'enable_distributed_router': False, 'enable_distributed_router': False,

9
horizon/openstack-dashboard.conf
View File

@ -1,18 +1,17 @@
<VirtualHost *:80> <VirtualHost *:80>
RedirectMatch "^/$" "/horizon" RedirectMatch "^/$" "/horizon"
ServerName merlin.hpc.rug.nl ServerName oscloudtest01.hpc.rug.nl
RewriteEngine On RewriteEngine On
RewriteCond %{HTTPS} off RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost> </VirtualHost>
<VirtualHost *:443> <VirtualHost *:443>
RedirectMatch "^/$" "/horizon" RedirectMatch "^/$" "/horizon"
ServerName merlin.hpc.rug.nl ServerName oscloudtest01.hpc.rug.nl
SSLEngine On SSLEngine On
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt" SSLCertificateFile "/certs/oscloudtest01.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key" SSLCertificateKeyFile "/certs/oscloudtest01.hpc.rug.nl.key"
SSLCACertificateFile "/certs/DigiCertCA.crt"
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# HTTP Strict Transport Security (HSTS) enforces that all communications # HTTP Strict Transport Security (HSTS) enforces that all communications

6
horizon/run.sh
View File

@ -3,10 +3,4 @@
#Making the console log console again... #Making the console log console again...
tail -f /var/log/horizon.log & tail -f /var/log/horizon.log &
tail -f /var/log/apache2/* &
cat /etc/openstack-dashboard/local_settings.py >> \
/usr/share/openstack-dashboard/openstack_dashboard/settings.py
apachectl -DFOREGROUND apachectl -DFOREGROUND

8
keystone/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
# ---> Vim
[._]*.s[a-w][a-z]
[._]s[a-w][a-z]
*.un~
Session.vim
.netrwhist
*~

22
keystone/Dockerfile
View File

@ -13,36 +13,16 @@ RUN set -x \
&& apt-get -y update \ && apt-get -y update \
&& apt-get -y install \ && apt-get -y install \
&& apt-get -y install keystone python-openstackclient \ && apt-get -y install keystone python-openstackclient \
&& apt-get -y install libapache2-mod-shib2 \
&& apt-get -y clean && apt-get -y clean
# set admin token TODO: make this a secret # set admin token TODO: make this a secret
# in volume of met env # in volume of met env
COPY keystone.conf /etc/keystone/keystone.conf COPY keystone.conf /etc/keystone/keystone.conf
COPY apache-keystone.conf /etc/apache2/sites-available/keystone.conf
COPY shibboleth2.xml /etc/shibboleth/shibboleth2.xml
COPY attribute-map.xml /etc/shibboleth/attribute-map.xml
COPY attribute-policy.xml /etc/shibboleth/attribute-policy.xml
COPY sso_callback_template.html /etc/keystone/sso_callback_template.html
RUN mkdir /var/run/shibboleth
COPY run.sh /etc/run.sh
RUN mkdir /etc/keystone/fernet-keys RUN mkdir /etc/keystone/fernet-keys
RUN chown keystone: /etc/keystone/fernet-keys RUN chown keystone: /etc/keystone/fernet-keys
RUN a2enmod shib2
COPY bootstrap.sh /etc/bootstrap.sh COPY bootstrap.sh /etc/bootstrap.sh
# Testing only!!! CMD apachectl -DFOREGROUND
RUN mkdir -p /var/www/html/secure
RUN apt-get -y install php libapache2-mod-php
COPY test.php /var/www/html/secure/test.php
CMD /etc/run.sh

128
keystone/apache-keystone.conf
View File

@ -1,128 +0,0 @@
LoadModule ssl_module modules/mod_ssl.so
Listen 5000
Listen 35357
<Location /secure>
AuthType shibboleth
ShibRequestSetting requireSession 1
require valid-user
</Location>
Alias "/secure" "/var/www/html/secure"
<VirtualHost *:5000>
ServerName https://merlin.hpc.rug.nl:5000
SSLEngine on
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
SSLCACertificateFile "/certs/DigiCertCA.crt"
UseCanonicalName On
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
# Added for federation.
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
ShibRequestSetting requireSession 1
AuthType shibboleth
ShibExportAssertion Off
Require valid-user
<IfVersion < 2.4>
ShibRequireSession On
ShibRequireAll On
</IfVersion>
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
AuthType shibboleth
Require valid-user
ShibRequestSetting requireSession 1
ShibRequireSession On
ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
AuthType shibboleth
Require valid-user
</Location>
</VirtualHost>
<VirtualHost *:35357>
ServerName https://merlin.hpc.rug.nl:35357
SSLEngine on
SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
SSLCACertificateFile "/certs/DigiCertCA.crt"
UseCanonicalName On
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>

32
keystone/attribute-map.xml
View File

@ -1,32 +0,0 @@
<?xml version="1.0"?>
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
</Attribute>
<Attribute name="eduPersonPrincipalName" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eppn"/>
<!-- Added for nikhef -->
<Attribute name="openstackGroupEntitlements" id="openstackGroupEntitlements" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<!-- Added after mail 18-10-2018 -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-user"/>
<Attribute name="urn:oid:2.5.4.4" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-surName"/>
<Attribute name="urn:oid:2.5.4.42" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-givenName"/>
<Attribute name="urn:oid:2.5.4.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-commonName"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-displayName"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-email"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrg"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-HomeOrgType"/>
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.14" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-PersonalUnqiueCode"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Affiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.1466.115.121.1.15" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-ScopedAffiliation"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-Entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-eduPersonPN"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-memberOf"/>
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-uid"/>
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="Shib-language"/>
</Attributes>

71
keystone/attribute-policy.xml
View File

@ -1,71 +0,0 @@
<afp:AttributeFilterPolicyGroup
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
xmlns:afp="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Shared rule for affiliation values. -->
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
<Rule xsi:type="AttributeValueString" value="faculty"/>
<Rule xsi:type="AttributeValueString" value="student"/>
<Rule xsi:type="AttributeValueString" value="staff"/>
<Rule xsi:type="AttributeValueString" value="alum"/>
<Rule xsi:type="AttributeValueString" value="member"/>
<Rule xsi:type="AttributeValueString" value="affiliate"/>
<Rule xsi:type="AttributeValueString" value="employee"/>
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
</afp:PermitValueRule>
<!--
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
an AttributeRule for each attribute you want to check.
-->
<afp:PermitValueRule id="ScopingRules" xsi:type="basic:ANY"/>
<!-- # Hacked for Nikhef federation
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="NOT">
<Rule xsi:type="AttributeValueRegex" regex="@"/>
</Rule>
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
</afp:PermitValueRule>
-->
<afp:AttributeFilterPolicy>
<!-- This policy is in effect in all cases. -->
<afp:PolicyRequirementRule xsi:type="ANY"/>
<!-- Filter out undefined affiliations and ensure only one primary. -->
<afp:AttributeRule attributeID="affiliation">
<afp:PermitValueRule xsi:type="AND">
<RuleReference ref="eduPersonAffiliationValues"/>
<RuleReference ref="ScopingRules"/>
</afp:PermitValueRule>
</afp:AttributeRule>
<afp:AttributeRule attributeID="unscoped-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="primary-affiliation">
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="eppn">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<afp:AttributeRule attributeID="targeted-id">
<afp:PermitValueRuleReference ref="ScopingRules"/>
</afp:AttributeRule>
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
<afp:AttributeRule attributeID="persistent-id">
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
</afp:AttributeRule>
<!-- Catch-all that passes everything else through unmolested. -->
<afp:AttributeRule attributeID="*">
<afp:PermitValueRule xsi:type="ANY"/>
</afp:AttributeRule>
</afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>

4
keystone/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF
@ -16,7 +16,7 @@ cat << EOF > /root/demo-openrc.sh
export OS_TENANT_NAME=demo export OS_TENANT_NAME=demo
export OS_USERNAME=demo export OS_USERNAME=demo
export OS_PASSWORD=${OS_DEMO_PASSWORD} export OS_PASSWORD=${OS_DEMO_PASSWORD}
export OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF

12
keystone/keystone.conf
View File

@ -1,8 +1,6 @@
[DEFAULT] [DEFAULT]
verbose = true verbose = true
# debug = true
log_file = /var/log/keystone/keystone.log
[database] [database]
connection = mysql+pymysql://keystone:keystone@mariadb/keystone connection = mysql+pymysql://keystone:keystone@mariadb/keystone
@ -10,15 +8,5 @@ connection = mysql+pymysql://keystone:keystone@mariadb/keystone
[token] [token]
provider = fernet provider = fernet
[auth]
methods = password,token,mapped,openid,saml2
[federation]
trusted_dashboard = https://merlin.hpc.rug.nl/horizon/auth/websso/
sso_calback_template = /etc/keystone/sso_calback_template.html
[mapped]
remote_id_attribute = Shib-Identity-Provider
[identity] [identity]
default_domain_id = default default_domain_id = default

252
keystone/routers.py
View File

@ -1,252 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import functools
from keystone.common import json_home
from keystone.common import wsgi
from keystone.federation import controllers
build_resource_relation = functools.partial(
json_home.build_v3_extension_resource_relation,
extension_name='OS-FEDERATION', extension_version='1.0')
build_parameter_relation = functools.partial(
json_home.build_v3_extension_parameter_relation,
extension_name='OS-FEDERATION', extension_version='1.0')
IDP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='idp_id')
PROTOCOL_ID_PARAMETER_RELATION = build_parameter_relation(
parameter_name='protocol_id')
SP_ID_PARAMETER_RELATION = build_parameter_relation(parameter_name='sp_id')
class Routers(wsgi.RoutersBase):
"""API Endpoints for the Federation extension.
The API looks like::
PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}
PUT /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
GET /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
"""
def _construct_url(self, suffix):
return "/OS-FEDERATION/%s" % suffix
def append_v3_routers(self, mapper, routers):
auth_controller = controllers.Auth()
idp_controller = controllers.IdentityProvider()
protocol_controller = controllers.FederationProtocol()
mapping_controller = controllers.MappingController()
project_controller = controllers.ProjectAssignmentV3()
domain_controller = controllers.DomainV3()
saml_metadata_controller = controllers.SAMLMetadataV3()
sp_controller = controllers.ServiceProvider()
# Identity Provider CRUD operations
self._add_resource(
mapper, idp_controller,
path=self._construct_url('identity_providers/{idp_id}'),
get_action='get_identity_provider',
put_action='create_identity_provider',
patch_action='update_identity_provider',
delete_action='delete_identity_provider',
rel=build_resource_relation(resource_name='identity_provider'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, idp_controller,
path=self._construct_url('identity_providers'),
get_action='list_identity_providers',
rel=build_resource_relation(resource_name='identity_providers'))
# Protocol CRUD operations
self._add_resource(
mapper, protocol_controller,
path=self._construct_url('identity_providers/{idp_id}/protocols/'
'{protocol_id}'),
get_action='get_protocol',
put_action='create_protocol',
patch_action='update_protocol',
delete_action='delete_protocol',
rel=build_resource_relation(
resource_name='identity_provider_protocol'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, protocol_controller,
path=self._construct_url('identity_providers/{idp_id}/protocols'),
get_action='list_protocols',
rel=build_resource_relation(
resource_name='identity_provider_protocols'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
})
# Mapping CRUD operations
self._add_resource(
mapper, mapping_controller,
path=self._construct_url('mappings/{mapping_id}'),
get_action='get_mapping',
put_action='create_mapping',
patch_action='update_mapping',
delete_action='delete_mapping',
rel=build_resource_relation(resource_name='mapping'),
path_vars={
'mapping_id': build_parameter_relation(
parameter_name='mapping_id'),
})
self._add_resource(
mapper, mapping_controller,
path=self._construct_url('mappings'),
get_action='list_mappings',
rel=build_resource_relation(resource_name='mappings'))
# Service Providers CRUD operations
self._add_resource(
mapper, sp_controller,
path=self._construct_url('service_providers/{sp_id}'),
get_action='get_service_provider',
put_action='create_service_provider',
patch_action='update_service_provider',
delete_action='delete_service_provider',
rel=build_resource_relation(resource_name='service_provider'),
path_vars={
'sp_id': SP_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, sp_controller,
path=self._construct_url('service_providers'),
get_action='list_service_providers',
rel=build_resource_relation(resource_name='service_providers'))
self._add_resource(
mapper, domain_controller,
path=self._construct_url('domains'),
new_path='/auth/domains',
get_action='list_domains_for_user',
rel=build_resource_relation(resource_name='domains'))
self._add_resource(
mapper, project_controller,
path=self._construct_url('projects'),
new_path='/auth/projects',
get_action='list_projects_for_user',
rel=build_resource_relation(resource_name='projects'))
# Auth operations
self._add_resource(
mapper, auth_controller,
path=self._construct_url('identity_providers/{idp_id}/'
'protocols/{protocol_id}/auth'),
get_post_action='federated_authentication',
rel=build_resource_relation(
resource_name='identity_provider_protocol_auth'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('saml2'),
post_action='create_saml_assertion',
rel=build_resource_relation(resource_name='saml2'))
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('saml2/ecp'),
post_action='create_ecp_assertion',
rel=build_resource_relation(resource_name='ecp'))
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url('websso/{protocol_id}'),
get_post_action='federated_sso_auth',
rel=build_resource_relation(resource_name='websso'),
path_vars={
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
self._add_resource(
mapper, auth_controller,
path='/auth' + self._construct_url(
'identity_providers/{idp_id}/protocols/{protocol_id}/websso'),
get_post_action='federated_idp_specific_sso_auth',
rel=build_resource_relation(resource_name='identity_providers'),
path_vars={
'idp_id': IDP_ID_PARAMETER_RELATION,
'protocol_id': PROTOCOL_ID_PARAMETER_RELATION,
})
# Keystone-Identity-Provider metadata endpoint
self._add_resource(
mapper, saml_metadata_controller,
path=self._construct_url('saml2/metadata'),
get_action='get_metadata',
rel=build_resource_relation(resource_name='metadata'))

20
keystone/rules.json
View File

@ -1,20 +0,0 @@
[
{
"local": [
{
"group_ids": "{1}",
"user": {
"name": "{0}"
}
}
],
"remote": [
{
"type": "REMOTE_USER"
},
{
"type": "openstackGroupEntitlements"
}
]
}
]

22
keystone/run.sh
View File

@ -1,22 +0,0 @@
#!/bin/bash
# start nova compute service
chown keystone: /etc/keystone/fernet-keys
chmod 700 /etc/keystone/fernet-keys
# Start apache
a2enmod ssl
apachectl -DFOREGROUND &
tail -f /var/log/apache2/* &
chown _shibd: /etc/shibboleth/sp*.pem
shibd -f -F &
# If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it.
wait -n
pkill -P $$

114
keystone/shibboleth2.xml
View File

@ -1,114 +0,0 @@
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
clockSkew="180">
<!--
By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache
are used. See example-shibboleth2.xml for samples of explicitly configuring them.
-->
<!--
To customize behavior for specific resources on Apache, and to link vhosts or
resources to ApplicationOverride settings below, use web server options/commands.
See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help.
For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml
file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic.
-->
<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://merlin.hpc.rug.nl"
REMOTE_USER="eppn persistent-id targeted-id">
<!--
Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
You MUST supply an effectively unique handlerURL value for each of your applications.
The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing
a relative value based on the virtual host. Using handlerSSL="true", the default, will force
the protocol to be https. You should also set cookieProps to "https" for SSL-only sites.
Note that while we default checkAddress to "false", this has a negative impact on the
security of your site. Stealing sessions via cookie theft is much easier with this disabled.
-->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
checkAddress="false" handlerSSL="true" cookieProps="https">
<!--
Configures SSO for a default IdP. To allow for >1 IdP, remove
entityID property and adjust discoveryURL to point to discovery service.
(Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.)
You can also override entityID on /Login query string, or in RequestMap/htaccess.
-->
<SSO entityID="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php">
SAML2
</SSO>
<!-- SAML and local-only logout. -->
<Logout>SAML2 Local</Logout>
<!-- Extension service that generates "approximate" metadata based on SP configuration. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
<!-- Status reporting service. -->
<Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
<!-- Session diagnostic service. -->
<Handler type="Session" Location="/Session" showAttributeValues="false"/>
<!-- JSON feed of discovery information. -->
<Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
</Sessions>
<!--
Allows overriding of error template information/filenames. You can
also add attributes with values that can be plugged into the templates.
-->
<Errors supportContact="root@localhost"
helpLocation="/about.html"
styleSheet="/shibboleth-sp/main.css"/>
<!-- Example of remotely supplied batch of signed metadata. -->
<MetadataProvider type="XML" uri="https://osfedpx.nikhef.nl/simplesaml/saml2/idp/metadata.php"
backingFilePath="federation-metadata.xml" reloadInterval="7200">
</MetadataProvider>
<!-- Example of locally maintained metadata. -->
<!--
<MetadataProvider type="XML" file="partner-metadata.xml"/>
-->
<!-- Map to extract attributes from SAML assertions. -->
<AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
<!-- Use a SAML query if no attributes are supplied during SSO. -->
<AttributeResolver type="Query" subjectMatch="true"/>
<!-- Default filtering policy for recognized attributes, lets other data pass. -->
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
<!-- Simple file-based resolver for using a single keypair. -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
<!--
The default settings can be overridden by creating ApplicationOverride elements (see
the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic).
Resource requests are mapped by web server commands, or the RequestMapper, to an
applicationId setting.
Example of a second application (for a second vhost) that has a different entityID.
Resources on the vhost would map to an applicationId of "admin":
-->
<!--
<ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/>
-->
</ApplicationDefaults>
<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

22
keystone/sso_callback_template.html
View File

@ -1,22 +0,0 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Keystone WebSSO redirect</title>
</head>
<body>
<form id="sso" name="sso" action="$host" method="post">
Please wait...
<br/>
<input type="hidden" name="token" id="token" value="$token"/>
<noscript>
<input type="submit" name="submit_no_javascript" id="submit_no_javascript"
value="If your JavaScript is disabled, please click to continue"/>
</noscript>
</form>
<script type="text/javascript">
window.onload = function() {
document.forms['sso'].submit();
}
</script>
</body>
</html>

4
keystone/test.php
View File

@ -1,4 +0,0 @@
<html>
<head><title>Shibboleth test</title></head>
<body><pre><?php print_r($_SERVER); ?></pre></body>
</html>

2
neutron_controller/bootstrap.sh
View File

@ -11,7 +11,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

1
neutron_controller/run.sh
View File

@ -36,6 +36,7 @@ neutron-l3-agent \
--config-file /etc/neutron/metadata_agent.ini \ --config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \ --config-dir /etc/neutron/ \
-v -d & -v -d &
# If any process fails, kill the rest. # If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it. # This ensures the container stops and systemd will restart it.

15
neutron_controller/write_conf.sh
View File

@ -22,8 +22,8 @@ root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -33,7 +33,7 @@ username = $NEUTRON_USER
password = $NEUTRON_PASSWORD password = $NEUTRON_PASSWORD
[nova] [nova]
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -74,6 +74,13 @@ metadata_proxy_shared_secret = $METADATA_SECRET
EOF EOF
cat << EOF > /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge =
EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
@ -98,5 +105,3 @@ interface_driver = linuxbridge
external_network_bridge = external_network_bridge =
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

31
neutron_controller_ovs/Dockerfile
View File

@ -1,31 +0,0 @@
FROM ubuntu:16.04
# install packages
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
RUN set -x \
&& echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \
&& apt-get -y update \
&& apt-get -y install ubuntu-cloud-keyring \
&& apt-get -y update \
&& apt-get -y install \
mysql-client \
python-mysqldb \
python-openstackclient \
neutron-server \
neutron-plugin-ml2 \
neutron-linuxbridge-agent \
neutron-l3-agent \
neutron-metadata-agent \
&& apt-get -y clean
# add bootstrap script and make it executable
COPY bootstrap.sh /etc/bootstrap.sh
# Workaround for vlan_transparent parameter set to None.
COPY db_base_plugin_v2.py /usr/lib/python2.7/dist-packages/neutron/db/db_base_plugin_v2.py
COPY run.sh /etc/run.sh
COPY write_conf.sh /etc/write_conf.sh
CMD ["/etc/run.sh"]

21
neutron_controller_ovs/README.md
View File

@ -1,21 +0,0 @@
# ubuntu 16.04 openstack ocata neutron controler node
## How to build the docker image.
```
docker build . -t="hpc/neutroncontroller"
```
## How to bootstrap the service.
Before we can take the container into service we need accounts in keystone.
We also need an initial database. Both of these tasks are performed by the bootstrap script.
```
docker run --rm --it --add-host="controller:<keystone_ip>" hpc/neutroncontroler /etc/bootstrap.sh
```
## How to run
This image needs a lot of environment variables. It should be run via the `hpc-cloud` ansible repository.
## Notes
This image is designed to be deployed from the [hpc-cloud repo](https://git.webhosting.rug.nl/HPC/hpc-cloud)
The -p option is added to the run command to make the container accessible from (containers on ) other hosts than the container host.

76
neutron_controller_ovs/bootstrap.sh
View File

@ -1,76 +0,0 @@
#!/bin/bash
#
# This script sets up the openstack users and regions..
# as well as the database for the nova controller.
# This guide was used:
# https://docs.openstack.org/ocata/install-guide-ubuntu/nova-controller-install.
# Create admin-openrc.sh from secrets that are in the environment during bootstrap.
cat << EOF > /root/admin-openrc.sh
#!/bin/bash
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_IMAGE_API_VERSION=2
EOF
source /root/admin-openrc.sh
# create database for neutron.
SQL_SCRIPT=/root/neutron.sql
mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" << EOF
DROP DATABASE IF EXISTS neutron;
CREATE DATABASE neutron;
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'localhost' \
IDENTIFIED BY "${NEUTRON_PASSWORD}";
GRANT ALL PRIVILEGES ON neutron.* TO 'neutron'@'%' \
IDENTIFIED BY "${NEUTRON_PASSWORD}";
EOF
openstack user create "$NEUTRON_USER" --domain default --password "$NEUTRON_PASSWORD"
openstack role add --project service --user neutron admin
openstack service create --name neutron --description "OpenStack Networking" network
# neutron endpoints
openstack endpoint create --region RegionOne \
network public http://$MY_IP:9696
openstack endpoint create --region RegionOne \
network internal http://$MY_IP:9696
openstack endpoint create --region RegionOne \
network admin http://$MY_IP:9696
# population of the database requires complete server and plug-in configuration files.
/etc/write_conf.sh
# Ugly hacks to prevent the manage command from failing
sed -i "/ op.drop_column('networks', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py
sed -i "/ op.drop_column('subnets', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/liberty/contract/4ffceebfada_rbac_network.py
sed -i "/ op.drop_column('qos_policies', 'shared')/ s/^#*/#/" /usr/lib/python2.7/dist-packages/neutron/db/migration/alembic_migrations/versions/mitaka/contract/c6c112992c9_rbac_qos_policy.py
neutron-db-manage --config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini upgrade head
# And now we drop the colums and constraints that the ORM fails to drop.
mysql -uroot -p"$MYSQL_ROOT_PASSWORD" -h "$MYSQL_HOST" neutron << EOF
ALTER TABLE networks DROP CONSTRAINT CONSTRAINT_2;
alter table networks drop column shared;
ALTER TABLE subnets DROP CONSTRAINT CONSTRAINT_2;
ALTER TABLE subnets DROP COLUMN shared;
ALTER TABLE qos_policies DROP CONSTRAINT CONSTRAINT_1;
ALTER TABLE qos_policies drop column shared
EOF

1388
neutron_controller_ovs/db_base_plugin_v2.py
View File

File diff suppressed because it is too large Load Diff

43
neutron_controller_ovs/run.sh
View File

@ -1,43 +0,0 @@
#!/bin/bash
# start neutron services
/etc/write_conf.sh
/usr/bin/neutron-server \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
sleep 3
/usr/bin/neutron-linuxbridge-agent \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
sleep 3
neutron-metadata-agent \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/ml2/ml2_conf.ini \
--config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
sleep 3
neutron-l3-agent \
--config-file /etc/neutron/l3_agent.ini \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
# If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it.
wait -n
pkill -P $$

102
neutron_controller_ovs/write_conf.sh
View File

@ -1,102 +0,0 @@
#!/bin/bash
#
# Generate config files from environments values.
# These are to be passed to the docker container using -e
cat << EOF > /etc/neutron/neutron.conf
[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$MY_IP
auth_strategy = keystone
notify_nova_on_port_status_changes = true
notify_nova_on_port_data_changes = true
dhcp_agents_per_network = 2
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[database]
connection = mysql+pymysql://$NEUTRON_USER:$NEUTRON_PASSWORD@mariadb/neutron
[keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = $NEUTRON_USER
password = $NEUTRON_PASSWORD
[nova]
auth_url = https://$KEYSTONE_HOST:35357
auth_type = password
project_domain_name = Default
user_domain_name = Default
region_name = RegionOne
project_name = service
username = $NOVA_USER
password = $NOVA_PASSWORD
EOF
cat << EOF > /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = linuxbridge,l2population
extension_drivers = port_security
[ml2_type_vlan]
network_vlan_ranges = provider
[ml2_type_flat]
flat_networks = provider
[ml2_type_vxlan]
vni_ranges = 1:1000
[securitygroup]
enable_ipset = true
EOF
cat << EOF > /etc/neutron/metadata_agent.ini
[DEFAULT]
nova_metadata_ip = $MY_IP
metadata_proxy_shared_secret = $METADATA_SECRET
EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[vxlan]
enable_vxlan = True
l2_population = True
local_ip = $OVERLAY_IP
[securitygroup]
enable_security_group = true
firewall_driver = iptables
EOF
cat << EOF > /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge =
EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

1
nova_compute/Dockerfile
View File

@ -17,7 +17,6 @@ RUN set -x \
neutron-metadata-agent \ neutron-metadata-agent \
python-ceph \ python-ceph \
python-rbd \ python-rbd \
ceph-common \
&& apt-get -y clean && apt-get -y clean
COPY write_conf.sh /etc/write_conf.sh COPY write_conf.sh /etc/write_conf.sh

7
nova_compute/run.sh
View File

@ -27,6 +27,13 @@ neutron-metadata-agent \
--config-dir /etc/neutron/ \ --config-dir /etc/neutron/ \
-v -d & -v -d &
sleep 3
neutron-l3-agent \
--config-file /etc/neutron/l3_agent.ini \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/metadata_agent.ini \
--config-dir /etc/neutron/ \
-v -d &
# If any process fails, kill the rest. # If any process fails, kill the rest.
# This ensures the container stops and systemd will restart it. # This ensures the container stops and systemd will restart it.

68
nova_compute/write_conf.sh
View File

@ -8,7 +8,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default
@ -36,12 +36,11 @@ firewall_driver = nova.virt.firewall.NoopFirewallDriver
scheduler_default_filters = AllHostsFilter scheduler_default_filters = AllHostsFilter
allow_migrate_to_same_host = True allow_migrate_to_same_host = True
allow_resize_to_same_host = True allow_resize_to_same_host = True
security_group_api=neutron
[neutron] [neutron]
url = http://$NEUTRON_CONTROLLER_HOST:9696 url = http://$NEUTRON_CONTROLLER_HOST:9696
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -66,8 +65,8 @@ lock_path = /var/lib/nova/tmp
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -91,7 +90,7 @@ project_domain_name = Default
project_name = service project_name = service
auth_type = password auth_type = password
user_domain_name = Default user_domain_name = Default
auth_url = https://$KEYSTONE_HOST:35357/v3 auth_url = http://$KEYSTONE_HOST:35357/v3
username = $NOVA_PLACEMENT_USER username = $NOVA_PLACEMENT_USER
password = $NOVA_PLACEMENT_PASSWORD password = $NOVA_PLACEMENT_PASSWORD
@ -124,11 +123,10 @@ allow_resize_to_same_host = True
[libvirt] [libvirt]
virt_type = kvm virt_type = kvm
images_type = rbd images_type = rbd
images_rbd_pool = volumes images_rbd_pool = vms
images_rbd_ceph_conf = /etc/ceph/ceph.conf images_rbd_ceph_conf = /etc/ceph/ceph.conf
rbd_user = volumes rbd_user = nova
rbd_secret_uuid = $RBD_SECRET_UUID rbd_secret_uuid = b5044271-1918-4070-822c-f19ed14d7494
[vnc] [vnc]
enabled = True enabled = True
@ -146,8 +144,8 @@ lock_path = /var/lib/nova/tmp
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -171,7 +169,7 @@ project_domain_name = Default
project_name = service project_name = service
auth_type = password auth_type = password
user_domain_name = Default user_domain_name = Default
auth_url = https://$KEYSTONE_HOST:35357/v3 auth_url = http://$KEYSTONE_HOST:35357/v3
username = $NOVA_PLACEMENT_USER username = $NOVA_PLACEMENT_USER
password = $NOVA_PLACEMENT_PASSWORD password = $NOVA_PLACEMENT_PASSWORD
@ -180,7 +178,7 @@ api_paste_config=/etc/nova/api-paste.ini
[neutron] [neutron]
url = http://$NEUTRON_CONTROLLER_HOST:9696 url = http://$NEUTRON_CONTROLLER_HOST:9696
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -201,11 +199,10 @@ allow_overlapping_ips = True
transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST transport_url = rabbit://$RABBIT_USER:$RABBIT_PASSWORD@$RABBIT_HOST
auth_strategy = keystone auth_strategy = keystone
core_plugin = ml2 core_plugin = ml2
global_physnet_mtu = $GLOBAL_PHYSNET_MTU
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -215,7 +212,7 @@ username = $NEUTRON_USER
password = $NEUTRON_PASSWORD password = $NEUTRON_PASSWORD
[nova] [nova]
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -276,44 +273,9 @@ EOF
cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini cat << EOF > /etc/neutron/plugins/ml2/linuxbridge_agent.ini
[linux_bridge]
physical_interface_mappings = $PHYSICAL_INTERFACE_MAPPINGS
[securitygroup]
enable_security_group = true
firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
[vxlan] [vxlan]
enable_vxlan = True enable_vxlan = True
l2_population = True l2_population = True
local_ip = $OVERLAY_IP local_ip = $OVERLAY_IP
EOF EOF
if [ $USE_CEPH = true ]
then cat << EOF > /etc/ceph/ceph.conf
[global]
fsid = $FSID
mon_initial_members = $MON_INITIAL_MEMBERS
mon_host = $MON_HOST
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# Your network address
public network = $PUBLIC_NETWORK
osd pool default size = $OSD_POOL_DEFAULT_SIZE
[client.compute]
keyring = /etc/ceph/ceph.client.compute.keyring
EOF
cat << EOF > /etc/neutron/l3_agent.ini
[DEFAULT]
interface_driver = linuxbridge
external_network_bridge =
EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

2
nova_service/bootstrap.sh
View File

@ -13,7 +13,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default

11
nova_service/write_conf.sh
View File

@ -20,11 +20,10 @@ allow_migrate_to_same_host = True
allow_resize_to_same_host = True allow_resize_to_same_host = True
firewall_driver = nova.virt.firewall.NoopFirewallDriver firewall_driver = nova.virt.firewall.NoopFirewallDriver
enabled_apis=osapi_compute,metadata enabled_apis=osapi_compute,metadata
security_group_api=neutron
[neutron] [neutron]
url = http://$NEUTRON_CONTROLLER_HOST:9696 url = http://$NEUTRON_CONTROLLER_HOST:9696
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
user_domain_name = Default user_domain_name = Default
@ -39,8 +38,8 @@ metadata_proxy_shared_secret = $METADATA_SECRET
auth_strategy = keystone auth_strategy = keystone
[keystone_authtoken] [keystone_authtoken]
auth_uri = https://$KEYSTONE_HOST:5000 auth_uri = http://$KEYSTONE_HOST:5000
auth_url = https://$KEYSTONE_HOST:35357 auth_url = http://$KEYSTONE_HOST:35357
memcached_servers = $MEMCACHED_HOST:11211 memcached_servers = $MEMCACHED_HOST:11211
auth_type = password auth_type = password
project_domain_name = Default project_domain_name = Default
@ -66,7 +65,7 @@ project_domain_name = Default
project_name = service project_name = service
auth_type = password auth_type = password
user_domain_name = Default user_domain_name = Default
auth_url = https://$KEYSTONE_HOST:35357/v3 auth_url = http://$KEYSTONE_HOST:35357/v3
username = $NOVA_PLACEMENT_USER username = $NOVA_PLACEMENT_USER
password = $NOVA_PLACEMENT_PASSWORD password = $NOVA_PLACEMENT_PASSWORD
@ -74,5 +73,3 @@ password = $NOVA_PLACEMENT_PASSWORD
os_region_name = RegionOne os_region_name = RegionOne
EOF EOF
echo "172.23.59.101 merlin.hpc.rug.nl" >> /etc/hosts

4
openstack_client/bootstrap.sh
View File

@ -6,7 +6,7 @@ cat << EOF > /root/admin-openrc.sh
export OS_TENANT_NAME=admin export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=${OS_PASSWORD} export OS_PASSWORD=${OS_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF
@ -16,6 +16,6 @@ cat << EOF > /root/demo-openrc.sh
export OS_TENANT_NAME=demo export OS_TENANT_NAME=demo
export OS_USERNAME=demo export OS_USERNAME=demo
export OS_PASSWORD=${OS_DEMO_PASSWORD} export OS_PASSWORD=${OS_DEMO_PASSWORD}
export OS_AUTH_URL=https://merlin.hpc.rug.nl:35357/v3 export OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3
export OS_IDENTITY_API_VERSION=3 export OS_IDENTITY_API_VERSION=3
EOF EOF