Commit Graph

55 Commits

Author SHA1 Message Date
Grzegorz Grasza 4aa08a25b8 Remove functional tests gate for centos7 and workarounds for python2
CentOS 7 job is running with python2, which is no longer supported by
nova. Devstack also dropped its platform tests for CentOS.

Change-Id: I74b04cf6ecd978bfc5fbf3b2c7484a79d28ae826
2019-12-04 15:46:47 +01:00
Michele Baldessari e8b18c4bd4 Fix python3 errors in novajoin-ipa-setup
With python3 we are getting the following error:
Traceback (most recent call last):
  File "/usr/bin/novajoin-ipa-setup", line 103, in <module>
    args['tls_ca_cert'] = cafile.decode('UTF-8')
  AttributeError: 'str' object has no attribute 'decode'

Let's just use the normal assignment in case the .decode() call
fails.

Also apply the same fixes to files/cloud-config-novajoin.json

Tested and we correctly get past this error.

Change-Id: Ia77ebde46ff885c9f929d834f981acb97f26a4ec
Co-Authored-By: Luca Miccini <lmiccini@redhat.com>
Closes-Bug: #1820961
2019-03-21 08:58:42 +01:00
Grzegorz Grasza e34047457c Install novajoin-ipa-setup script in /usr/libexec
Since novajoin is branchless, we need to support
older releases, which may call this script from the
old location. Additional novajoin-ipa-setup script is
installed in the old location for backward compatibility
and calls the new "compiled" script in the default bin
directory.

Change-Id: I0a25ffb1f5fd3f8723bff8a1bcfc6dfc486b2b4a
2018-12-19 21:05:51 +00:00
Grzegorz Grasza ed1838b7af Fix errors preventing novajoin to start on Python 3
This patch also moves the novajoin-install and novajoin-ipa-setup
scripts to the default python scripts directory. This is because
there is no other way to fixup the #! line for python3, apart from
modifying setup.py, which is managed by the global requirements repo.

Change-Id: I21ccb475905feebdb91aa158ce3845744b2f0a5f
2018-11-26 17:55:15 +01:00
Grzegorz Grasza 609f6e2b2b Support versioned notifications
Support nova versioned notifications. Unversioned notifications
are still supported and the default. The CI is configured to test
versioned notifications, and both implementations use the same methods.
Because of this, testing versioned notifications also covers
unversioned notifications, since the execution path flows through both.

Change-Id: If028afa9e9fbcb344786cd287605e0d9af5d3c01
2018-11-26 10:57:26 +01:00
Grzegorz Grasza 4d997dddc6 Support for associating and disassociating neutron floating IPs
This adds support for creating and removing DNS A records when
floating IPs are associated and disassociated in neutron.
novajoin-install and functional tests are enhanced to test it.

Change-Id: I82c83ad9e8c84ddfd4ecfc4d5c3b31a418af97a7
2018-11-22 15:40:05 +01:00
Grzegorz Grasza fe72231faa Test OpenStack server instance enrollment
A basic test to check that a spawned instance
will be added to and then deleted from FreeIPA.
This also fixes the novajoin-install script to
work by default on devstack.

Change-Id: Id7e940360ade74d605fef9004c6a5454790c55a4
2018-11-20 20:01:06 +01:00
Grzegorz Grasza cfa5af7ca4 Fix vendordata_jsonfile_path path
setup.py points to /etc/novajoin, while novajoin-install
configured nova.conf to point to /etc/nova directory.

Change-Id: I94658945cca795aee2c53344081bca6c1c554b66
2018-11-08 09:40:03 +01:00
Ade Lee b74cae51e3 Fix novajoin-ipa-setup to set logging correctly
In freeipa f62a0fdb904d2a4bb1961847e240dbb6df3b0b67 the IPA
client library was modified to remove the log_manager.  This patch
fixes the novajoin code for all versions of IPA.

See rhbz# 1644747

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: I2da12bedfc8790ebd1005c98f2e05953d127b3b9
2018-11-04 11:39:59 +01:00
Juan Antonio Osorio Robles c48e2c85ee Use the generated ccache in novajoin-ipa-setup
We were falling back to using the KRB5CCNAME that the user had set
beforehand instead of relying on the one that we get from using the
credentials that the user actually provided.

This led to the credentials being ignored, and the setup failing.

Closes-Bug: #1746989
Change-Id: I90daa2d3341989878b7b4da8ed9cbb23e08da68b
2018-02-02 13:47:08 +00:00
Rob Crittenden 5ab8dac221 Improve compatibility with IPA v4.5.0+
The changes were more significant than just a few imports as
initially thought. The RPC API changed significantly mostly due
to switching from NSS to OpenSSL as the crypto layer.

Related changes include:

* Handling the new random password generator
* Writing the CA chain to a file instead of an NSS db
* Dealing with certificates having their own object

These are handled via the ipapython.version library to tell
what version of IPA we have. This cannot rely on the API
value because these changes are lower-level.

Change-Id: I8ee03edc4b0b2db566db43f2ea64256fe15a3a8b
2017-09-06 16:47:41 -04:00
Rob Crittenden 0e0abe5c60 Add the default log dir to config created by novajoin-install
Change-Id: I73b367ef75cb26ed2eb3c232df980775f9c89d1a
2017-08-22 14:58:34 -04:00
Rob Crittenden 2b1e620e20 Fix location of join-api-paste.ini
This is installed in the novajoin directory now.

Change-Id: I3ac640b752cb0db081d947e726b1d97b1b5e48a8
2017-08-22 14:54:45 -04:00
Rob Crittenden ac30e4f9dc Make the project_name for authentication configurable
The default in OSP Director is service and in Packstack services.
Use 'service' as the overall default.

Change-Id: I3e209b10d41720b1f0536b0d64d9fb08020f106a
2017-08-22 14:48:45 -04:00
Rob Crittenden 7517fc3969 The certstore import moved in freeIPA 4.5, handle it
Up to 4.4.0 the import was in ipalib. With 4.5.0 it moved
to ipalib/install.

Try both imports before failing.

Change-Id: Ie89108e31f311d74976f946a6df4a24edc5ca879
2017-08-17 12:11:39 -04:00
Jenkins 699964aa31 Merge "Close a few missing quotations in novajoin-install" 2017-05-26 07:32:58 +00:00
Rob Crittenden b6e5a889a7 Automatically generate the server scripts
This brings novajoin in line with other projects and fixes
source-based kolla container installs.

Change-Id: I506b560d44ac15722262da8f8942af76d61d847c
2017-05-25 11:47:05 -04:00
Rob Crittenden 49a6686423 Close a few missing quotations in novajoin-install
Change-Id: I51eec6252944a877200e224f5887749e6eb847a9
2017-05-25 11:43:09 -04:00
Juan Antonio Osorio Robles d55333ea02 Use novajoin-specific directory for configurations
This will allow us to stop depending on openstack-nova-common and to
containerize easier.

Change-Id: I4c402ecd558634ebeaeae34b134083512628025d
2017-05-23 14:20:13 +03:00
Rob Crittenden 428175f823 Configure the keystone_authtoken and vendordata_dynamic_auth sections
We are now requiring a token, provide the configuration needed
to verify the incoming token against Keystone.

Change-Id: I0dbc37b591968b868d09c5952bebd7ff1dec3a6e
2017-03-27 20:54:17 +00:00
Rob Crittenden 552eb7c2ee Use proper default port, set paste config, service creds
The old default port, 9999, was being set in a few places.

In novajoin-install, the standalone installer, a few things
were not being configured.

- The join api_paste_config option wasn't being set
- The service credentials section was incomplete

Change-Id: I3169c68d29be11edea52c74535ae43b75884fb66
2017-03-27 15:05:50 +00:00
Rob Crittenden f2727327bd Work around for "PKCS #11 module returned CKR_DEVICE_ERROR"
Something must be doing a fork somewhere which is causing the
tokens to be reset. This will work around the issue for now.

Change-Id: I2f6b3ff26e49114e730a3d2f36d7771d6c08d049
2017-02-10 11:40:39 -05:00
Rob Crittenden 8078c6161f Add compatibility for IPA 4.4 which requires TGT for API
IPA 4.4 added thin client capabilities. This is done by downloading
the call schema from the IPA server and is done during the
finalize() step. This requires a TGT.

So we need to ensure that a kinit is done before finalize() is
called both in the standalone installer and in the ipa code.

Change-Id: Id87b83cb945c946cf78c425aae19c311d900249a
2017-01-18 15:23:11 -05:00
Ade Lee 0915572da0 Move cloud-config.json to cloud-config-novajoin.json
Change-Id: I042392b816cc2b82b98162153fb145f5a6399310
2017-01-05 16:06:32 -05:00
Rob Crittenden 6dd14fffb4 Drop the template and make direct changes to join.conf
Be more Openstack-ish and expect an auto-generated config file
and make discrete changes to that.

This code expects that /etc/nova/join.conf exists.

This also switches back to using the config object directly
instead of converting it into a dict.

Change-Id: I49166c4be09f7bc59a78582ce5c8b6c813de0051
2017-01-04 20:06:59 +00:00
Rob Crittenden 3de3e6b847 Extend the novajoin-ipa-setup script to precreate IPA entries
For the case of Triple-O we don't want to pass IPA admin
credentials to the undercloud so instead pre-create the IPA
entries for undercloud and pass in an OTP that can be used to
enroll it using ipa-client-install.

Another feature of --precreate is that it doesn't require the
machine to be enrolled as an IPA client. The required options must
be provided on the command-line.

Change-Id: Ia69b5b4fbc275c04f5e07e9d2ef62e3547725ac8
2016-12-16 01:41:09 -05:00
Rob Crittenden f178718979 Remove deprecated url configuration option
This used to handle IPA connectivity manually by using
python-requests so the URL was necessary. This was replaced
by using the IPA framework instead and the host(s) to
contact are handled by that.

Change-Id: I4009b044ad079fd97591a28d8f47d18621506d6e
2016-12-08 19:25:30 +00:00
Rob Crittenden 54dcbc323d Complete changes to use /etc/nova/join.conf
Fix the remaining places that referenced /etc/join/join.conf to
use /etc/nova/join.conf instead.
2016-11-30 04:36:08 +00:00
Rob Crittenden fcae2f2da1 Add missing Apache license header 2016-11-29 15:46:54 +00:00
Rob Crittenden 56e133a7f2 Move the kinit call before the connection, otherwise failure
Also move the user existence code as it is both necessary for
the init and it saves us the trouble of initializing the IPA
API if it fails.
2016-09-20 13:18:28 -04:00
Rob Crittenden ce102a09c1 Fix name and mode of novajoin-ipa-setup in setup.py and MANIFEST.in 2016-09-20 09:02:32 -04:00
Rob Crittenden 5c0ad416f4 Break IPA configuration into a separate module and installer
When installing via puppet the configuration changes aren't
necessary and in fact can cause problems. All that really needs
to happen is the IPA work to add the permissions, privilege and
role and create the nova service and fetch the keytab.

This is broken out into a separate class that can be called from
either the existing novajoin-install or the new
novajoin-ipa-setup. The bash script equivalent was removed.
2016-09-20 09:02:32 -04:00
Rob Crittenden 6195105026 Don't configure keystone_authtoken section, drop keystone_auth_uri
The paste configuration doesn't include authentication so there
is no need for keystone_authtoken. This also means that
the option keystone_auth_uri can be removed.

Also drop man page reference to the keystone_identity option.
2016-09-19 17:41:28 -04:00
Rob Crittenden ce00f62248 Change config template to match upstream, drop keystone-identity
I compared join.conf with nova.conf and neutron.conf and made
it conform more closely to those two in configuration in the
keystone_authtoken and service_credentials sections.
2016-09-15 16:10:25 -04:00
Rob Crittenden 40d024f4a3 Fix typo and indentation 2016-09-14 11:13:26 -04:00
Rob Crittenden 8341a3a016 Ensure that OpenStack environment variable credentials exist
This is needed for the call to glance to import the metadata.
2016-09-14 11:12:41 -04:00
Rob Crittenden 2b33436b02 Write more nova configuration in the installer 2016-09-07 09:55:12 -04:00
Rob Crittenden 6a89da3d12 Be specific about glance API version when uploading metadata
The command is apparently not available in some versions of
the API so be specific.
2016-08-31 11:33:50 -04:00
Rob Crittenden 60a8e67a8c Use a service user to get Keystone tokens to talk to services
The authentication scheme of the REST API is still a bit up
in the air so switch this to not rely/expect authentication
but instead to use the nova service user to talk to other
services.

Eventually this should use its own service user.

This enables us to get images from glance but also to handle
looking up the information we need when Neutron assigns a
floating IP address. This means we can create the hostname
in IPA DNS in advance so it will be on the public network
and not the private one.
2016-08-25 17:09:55 -04:00
Rob Crittenden cdb6f11205 Add Keystone options to template, installer. Add log location
Remove some unused options in the Keystone configuration and
add options so the installer can automatically configure things
to work without manual changes.

Add a log_dir to the configuration so all logging is saved.
2016-08-18 13:41:59 -04:00
Rob Crittenden 0a6ff6f0a3 Address pep8 issues 2016-07-07 19:49:47 +00:00
Rob Crittenden 215674d542 Set IPA domain, fix errors caught in integration testing
Set the IPA domain in join.conf so hostnames will get the
IPA domain, instance_name + domain.

Don't blow up if metadata or system_metadata comes in as None.

Add some missing variable definitions caught by pylint.

Read join.conf in the notify server as well.

Re-order the kinit in the installation script to not fail
if the user has no pre-existing ticket.

Don't copy join.conf and api-paste.ini from going into
/usr/share/novajoin.
2016-07-07 19:41:54 +00:00
Rob Crittenden 4cabc343e2 Fix setup and installation to more or less work properly
Some manual work is still required, particularly in the nova
configuration.
2016-07-07 14:14:20 +00:00
Rob Crittenden 1c51140028 Initial commit of REST/notification services
This is based heavily on the WSGI code in cinder.

There are two services: a REST service and a notification
listener.

Currently both log only to stdout.

The configuration file join.conf controls the REST service.

nova configuration should look like this (assuming the REST
service is running on the nova compute host).

vendordata_providers = StaticJSON, DynamicJSON
vendordata_dynamic_targets = 'join@http://127.0.0.1:9999/v1/'
vendordata_driver = nova.api.metadata.vendordata_http.HTTPFileVendorData
vendordata_dynamic_connect_timeout = 5
vendordata_dynamic_read_timeout = 30
vendordata_jsonfile_path = /etc/nova/cloud-config.json

For the notification service like this:

notification_driver = messaging
notification_topic = notifications
notify_on_state_change = vm_state

Authentication is disabled in api-paste.ini for now.
2016-07-05 19:53:11 +00:00
Rob Crittenden 61d08ba025 Clean up options: remove cacert, add password-file
Remove the unused cacert option. Rely instead on system certificates.

Add password-file option to pass in the IPA admin password.

Use the IPA-provided user_input which is more robust.

Drop message about loading metadata as it is done automatically now.
2016-02-26 19:52:10 +00:00
Rob Crittenden 2d1ff97005 Fix how return value from executing scripts is handled 2016-02-26 19:52:02 +00:00
Rob Crittenden c2c3dddda9 Remove stray debugging print 2016-02-26 19:52:00 +00:00
Rob Crittenden 009ffcdba5 Execute IPA permissions installer automatically 2016-02-26 19:51:56 +00:00
Rob Crittenden 9e928689fc Install freeipa.json, add it automatically 2016-02-26 19:51:52 +00:00
Rob Crittenden 38d5395f8b Actually can run glance to load the metadata, fix up metadata too 2016-02-26 19:51:49 +00:00