* Fix cloud-init error message when OTP is missing
* Add a log message in novajoin-server
Change-Id: Ib299269c564744af6a5fcded9195d27be1c14ce7
Related-Bug: 1836529
* Always use the FQDN supplied in the metadata.
* Read the metadata from network if hostname could not be determined.
Related: rhbz#1734156
Change-Id: I0aaa32d71569240e5b8ced270f9296782e2e08b8
Adding two helper scripts to unpack cloud-config-novajoin.json to a more
readable form. After editing cloud-config-novajoin.yaml, it still has to
be packed into cloud-config-novajoin.json with tools/cloud-config-pack.py.
Related-Bug: 1836529
Change-Id: I3d6a3e5f97608f7f8a0070f40ddeb8a7113c33b3
To allow PAM to create a home directory for the user who does not have one,
ipa-client-install needs this option.
Change-Id: I550f48e5a6cb808f0bc68ee1bdbddba9660531c2
Related-bug: #1823727
There is no reason not to use the fqdn, as we always check for
it. It is needed in some cases, e.g. when deploying and the domain
does not match the realm.
Change-Id: Iefefc8d134af64c12d206c75b69ead8d9e94ac39
With python3 we are getting the following error:
Traceback (most recent call last):
File "/usr/bin/novajoin-ipa-setup", line 103, in <module>
args['tls_ca_cert'] = cafile.decode('UTF-8')
AttributeError: 'str' object has no attribute 'decode'
Let's just use the normal assignment in case the .decode() call
fails.
Also apply the same fixes to files/cloud-config-novajoin.json
Tested and we correctly get past this error.
Change-Id: Ia77ebde46ff885c9f929d834f981acb97f26a4ec
Co-Authored-By: Luca Miccini <lmiccini@redhat.com>
Closes-Bug: #1820961
* Add default policy for handling the create request.
* Allow it to be accessed only by nova service.
* Remove unused code copied from cinder.
Change-Id: Ieaa407f27c6774d1fd17850a9571de5554360bae
If there is a Python exception during parsing of status.json,
$config_drive ends up being empty, which causes
[ -b $config_drive ] to be interpreted as true. This change
uses [[]] to prevent word splitting of variable values.
Change-Id: Ia2a1404711ce1deb04fed1d7b7624b3c0382b4d4
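The pitfall this commit fixes, as an added shell demonstration (not the novajoin setup script itself): with an unquoted empty variable, "[ -b $config_drive ]" collapses to a one-argument test that is always true, while "[[ ]]" does no word splitting and reports correctly.

```bash
#!/bin/bash
# Added example, not novajoin's own code. Both functions take the candidate
# config drive path as $1 and return it via exit status.

# Unquoted single-bracket test: an empty $config_drive is word-split away,
# leaving "[ -b ]". POSIX test with one argument is true whenever that
# argument is a non-empty string, and "-b" is non-empty, so this "succeeds"
# and the script would go on to mount an empty path.
unsafe_is_block_device() {
    local config_drive="$1"
    # shellcheck disable=SC2086
    [ -b $config_drive ]
}

# [[ ]] does not word-split expansions, so an empty value stays an empty
# operand and -b correctly reports "not a block device".
safe_is_block_device() {
    local config_drive="$1"
    [[ -b $config_drive ]]
}

# Constructed input: simulate the failure mode from the commit, where a
# Python exception while parsing status.json left $config_drive empty.
config_drive=""
if unsafe_is_block_device "$config_drive"; then
    echo "unsafe: '[ -b \$config_drive ]' is true for an empty value"
fi
if ! safe_is_block_device "$config_drive"; then
    echo "safe: no config drive found, fall back to the metadata service"
fi
```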
Metadata is available via the metadata url 169.254.169.254/32, but this
does not work for IPv6 networks (see bug:
https://bugs.launchpad.net/neutron/+bug/1460177).
Metadata can also be available via the config drive, independent
of IPv4 networking and NAT redirect rules on the metadata server.
This changes the novajoin cloud config generated "setup-ipa-client.sh"
script. The script will initially try to load metadata from the
config-drive, and fall back to loading the metadata from the metadata
service url in case the config-drive method fails.
Related-Bug: #1795722
Change-Id: Idaca9de2f9c50b27475fd27ab8b388cb85849d70
In [1] we added a random sleep in the script called by cloud-init
to fetch vendor_data, to lower chances that many nodes connect to
novajoin concurrently. Still, curl failures happen from
time to time.
Add a retry loop around the call to curl to further increase the
chances of success, as this seems to give good results in practice
when deploying overclouds with tripleo.
[1] 188f09ef22
Closes-Bug: #1766824
Change-Id: I728c2cb0c8a7433b68dd7de2de242e922974d713
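A bounded retry wrapper of the kind this commit describes, as an added example (not novajoin's cloud-init script); retry_fetch and flaky_fetch are assumed names, and flaky_fetch is a constructed stand-in for an intermittently failing curl call so the loop can be exercised offline.

```bash
#!/bin/sh
# Added example, not novajoin's own code.
# retry_fetch MAX DELAY CMD [ARGS...]: run CMD up to MAX times, sleeping
# DELAY seconds between attempts; returns 0 on the first success, otherwise
# the exit status of the last failed attempt. In novajoin the wrapped
# command is the curl fetching vendor_data from the metadata service.
retry_fetch() {
    max="$1"; delay="$2"; shift 2
    attempt=1
    while :; do
        "$@" && return 0
        rc=$?
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up after $attempt attempts (last rc=$rc)" >&2
            return "$rc"
        fi
        echo "attempt $attempt failed (rc=$rc), retrying in ${delay}s" >&2
        attempt=$((attempt + 1))
        sleep "$delay"
    done
}

# Constructed stand-in for a flaky metadata endpoint: counts its calls in
# COUNTER_FILE and only succeeds once the count reaches SUCCEED_ON.
flaky_fetch() {
    counter="$1"; succeed_on="$2"
    n=$(cat "$counter" 2>/dev/null); n=${n:-0}
    n=$((n + 1)); echo "$n" > "$counter"
    [ "$n" -ge "$succeed_on" ]
}

# Demo: the stand-in succeeds on its second call, so three attempts suffice.
counter=$(mktemp)
retry_fetch 3 1 flaky_fetch "$counter" 2 && echo "fetched after $(cat "$counter") attempts"
rm -f "$counter"
```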
This is useful in cases where the kerberos realm isn't the same as
the domain. It gets the kerberos realm that novajoin is using, and gets
the instance to register using that.
Closes-Bug: #1711312
Change-Id: Ic8a32a0ace69b32e1bb66145ac460175c4508a17
We have seen some bare base images failing when hostnamectl is
being called during cloud-init. nova is setting a proper hostname
value in meta_data.json which cloud-init is using so make the
hostname setting optional if it is already correct.
Change-Id: I6920895532f29211b35f46b47d4160762b51dcd5
I'm not exactly sure how but the user was nova and the paths were
to /usr/sbin and not /usr/bin.
The RDO package is going to use these rather than carrying local
copies so it is important that they be correct.
Change-Id: I1222edc55c0571b6fa3512a2d9c9ee107ebf4434
This ensures that the nodes don't try to call nova-metadata at the same
time, and reduces the chances of the call failing. Ideally we should
have a retry for getting the metadata though.
Change-Id: I346415647d7c7f787f2e75580e0a2c41f29df32d
This used to handle IPA connectivity manually by using
python-requests so the URL was necessary. This was replaced
by using the IPA framework instead and the host(s) to
contact are handled by that.
Change-Id: I4009b044ad079fd97591a28d8f47d18621506d6e
The paste configuration doesn't include authentication so there
is no need for keystone_authtoken. This also means that
the option keystone_auth_uri can be removed.
Also drop man page reference to the keystone_identity option.
I compared join.conf with nova.conf and neutron.conf and made
it conform more closely to those two in configuration in the
keystone_authtoken and service_credentials sections.
The authentication scheme of the REST API is still a bit up
in the air so switch this to not rely/expect authentication
but instead to use the nova service user to talk to other
services.
Eventually this should use its own service user.
This enables us to get images from glance but also to handle
looking up the information we need when Neutron assigns a
floating IP address. This means we can create the hostname
in IPA DNS in advance so it will be on the public network
and not the private one.
Remove some unused options in the Keystone configuration and
add options so the installer can automatically configure things
to work without manual changes.
Add a log_dir to the configuration so all logging is saved.
Authentication is still an open issue with this dynamic
metadata as some requests may come in anonymous (those from
an instance). Leave it open for now.
The nova team doesn't want to pass in system_metadata which
contained the image metadata because the format/naming may
change over time. They'd prefer the caller fetch the image
metadata.
Added that, using the current authenticated token.
At some point will need to add the ability to generate a
token using some special service user given that some/most/all
requests to metadata will be unauthenticated.
Add a new middleware to get the Keystone token from the auth
headers.
Add a simple glance client to retrieve image metadata.
Update the default paste configuration to require auth and
make a copy of the token for internal use.
Set the IPA domain in join.conf so hostnames will get the
IPA domain, instance_name + domain.
Don't blow up if metadata or system_metadata comes in as None.
Add some missing variable definitions caught by pylint.
Read join.conf in the notify server as well.
Re-order the kinit in the installation script to not fail
if the user has no pre-existing ticket.
Don't copy join.conf and api-paste.ini into
/usr/share/novajoin.
This is based heavily on the WSGI code in cinder.
There are two services: a REST service and a notification
listener.
Currently both log only to stdout.
The configuration file join.conf controls the REST service.
The nova configuration should look like this (assuming the REST
service is running on the nova compute host):
vendordata_providers = StaticJSON, DynamicJSON
vendordata_dynamic_targets = 'join@http://127.0.0.1:9999/v1/'
vendordata_driver = nova.api.metadata.vendordata_http.HTTPFileVendorData
vendordata_dynamic_connect_timeout = 5
vendordata_dynamic_read_timeout = 30
vendordata_jsonfile_path = /etc/nova/cloud-config.json
For the notification service, like this:
notification_driver = messaging
notification_topic = notifications
notify_on_state_change = vm_state
Authentication is disabled in api-paste.ini for now.