Fix tls-proxy issues with the devstack plugin

Enabling tls-proxy allows devstack to
set up a tls proxy server that front-ends
interactions with the manila-api and
terminates tls connections.

Also enable tls-proxy in dummy and lvm
jobs. The dummy driver job is configured
to run the in-built wsgi server, the lvm
job is configured to use mod-wsgi.

Closes-Bug: #1816836
Change-Id: I48b0ccc082604d78242ba61bee94a45efeb2467b
This commit is contained in:
Goutham Pacha Ravi 2019-02-20 18:00:45 -08:00
parent 1701821b89
commit 8f1c7dc91f
4 changed files with 22 additions and 11 deletions

View File

@ -71,7 +71,7 @@ function _config_manila_apache_wsgi {
sudo sed -e "
s|%APACHE_NAME%|$APACHE_NAME|g;
s|%MANILA_BIN_DIR%|$MANILA_BIN_DIR|g;
s|%PORT%|$MANILA_SERVICE_PORT|g;
s|%PORT%|$REAL_MANILA_SERVICE_PORT|g;
s|%APIWORKERS%|$API_WORKERS|g;
s|%USER%|$STACK_USER|g;
" -i $manila_api_apache_conf
@ -277,9 +277,14 @@ function configure_manila {
iniset $MANILA_CONF DEFAULT manila_service_keypair_name $MANILA_SERVICE_KEYPAIR_NAME
REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT
if is_service_enabled tls-proxy; then
# Set the protocol to 'https', and set the default port
MANILA_SERVICE_PROTOCOL="https"
REAL_MANILA_SERVICE_PORT=$MANILA_SERVICE_PORT_INT
# Set the service port for a proxy to take the original
iniset $MANILA_CONF DEFAULT osapi_share_listen_port $MANILA_SERVICE_PORT_INT
iniset $MANILA_CONF DEFAULT osapi_share_listen_port $REAL_MANILA_SERVICE_PORT
iniset $MANILA_CONF oslo_middleware enable_proxy_headers_parsing True
fi
iniset_rpc_backend manila $MANILA_CONF DEFAULT
@ -509,11 +514,6 @@ function create_default_share_group_type {
# type identified by $MANILA_DEFAULT_SHARE_TYPE is still created, but not
# configured as default.
function create_default_share_type {
echo "Waiting for Manila API to start..."
if ! wait_for_service 60 $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then
die $LINENO "Manila did not start"
fi
enabled_backends=(${MANILA_ENABLED_BACKENDS//,/ })
driver_handles_share_servers=$(iniget $MANILA_CONF ${enabled_backends[0]} driver_handles_share_servers)
@ -826,14 +826,20 @@ function start_manila_api {
run_process m-api "$MANILA_BIN_DIR/manila-api --config-file $MANILA_CONF"
fi
echo "Waiting for Manila API to start..."
if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$MANILA_SERVICE_PORT; then
# This is a health check against the manila-api service we just started.
# We use the port ($REAL_MANILA_SERVICE_PORT) here because we want to hit
# the bare service endpoint, even if the tls tunnel should be enabled.
# We're making sure that the internal port is checked using unencryted
# traffic at this point.
if ! wait_for_service $SERVICE_TIMEOUT $MANILA_SERVICE_PROTOCOL://$MANILA_SERVICE_HOST:$REAL_MANILA_SERVICE_PORT; then
die $LINENO "Manila API did not start"
fi
# Start proxies if enabled
if is_service_enabled tls-proxy; then
start_tls_proxy '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT &
start_tls_proxy manila '*' $MANILA_SERVICE_PORT $MANILA_SERVICE_HOST $MANILA_SERVICE_PORT_INT
fi
}

View File

@ -184,7 +184,10 @@ Optionally, you can deploy with Manila, Nova, Neutron, Glance and Tempest::
ENABLED_SERVICES+=q-svc,q-dhcp,q-meta,q-l3,q-agt
ENABLED_SERVICES+=tempest
You can also enable ``tls-proxy`` with ``ENABLED_SERVICES`` to allow
devstack to use Apache and setup a TLS proxy to terminate TLS connections.
Using tls-proxy secures all OpenStack service API endpoints and inter-service
communication on your devstack.
Bootstrapping Tempest
`````````````````````

View File

@ -44,7 +44,7 @@
export DEVSTACK_GATE_NEUTRON=1
export DEVSTACK_PROJECT_FROM_GIT="python-manilaclient"
# Basic services needed for minimal job
export OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest
export OVERRIDE_ENABLED_SERVICES=key,mysql,rabbit,tempest,tls-proxy
export DEVSTACK_GATE_USE_PYTHON3=True
export PYTHON3_VERSION="3.6"

View File

@ -57,6 +57,8 @@
OVERRIDE_ENABLED_SERVICES+=,n-api,n-cpu,n-cond,n-sch,n-crt,n-cauth,n-obj
# Enable neutron for scenario tests
OVERRIDE_ENABLED_SERVICES+=,q-svc,q-dhcp,q-meta,q-l3,q-agt
# Enable tls-proxy
OVERRIDE_ENABLED_SERVICES+=,tls-proxy
# Enable mandatory placement services for nova starting with ocata
if [[ "stable/newton" != $ZUUL_BRANCH ]]; then