nixos/glance: init at liberty version

This commit is based on initial works made by domenkozar.

nixos/modules/misc/ids.nix

@@ -281,6 +281,7 @@
       riak-cs = 263;
       infinoted = 264;
       keystone = 265;
+      glance = 266;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -532,6 +533,7 @@
       riak-cs = 263;
       infinoted = 264;
       keystone = 265;
+      glance = 266;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/module-list.nix

@@ -632,4 +632,5 @@
   ./virtualisation/xen-dom0.nix
   ./virtualisation/xe-guest-utilities.nix
   ./virtualisation/openstack/keystone.nix
+  ./virtualisation/openstack/glance.nix
 ]

nixos/modules/virtualisation/openstack/common.nix

@@ -51,4 +51,34 @@ rec {
 	      };
             };});
   };
+  
+  databaseOption = name: {
+    host = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = ''
+        Host of the database.
+      '';
+    };
+
+    name = mkOption {
+      type = types.str;
+      default = name;
+      description = ''
+        Name of the existing database.
+      '';
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = name;
+      description = ''
+        The database user. The user must exist and has access to
+        the specified database.
+      '';
+    };
+    password = mkSecretOption {
+      name = name + "MysqlPassword";
+      description = "The database user's password";};
+  };
 }

nixos/modules/virtualisation/openstack/glance.nix

@@ -0,0 +1,249 @@
+{ config, lib, pkgs, ... }:
+
+with lib; with import ./common.nix {inherit lib;};
+
+let
+  cfg = config.virtualisation.openstack.glance;
+  commonConf = ''
+    [database]
+    connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}"
+    notification_driver = noop
+
+    [keystone_authtoken]
+    auth_url = ${cfg.authUrl}
+    auth_plugin = password
+    project_name = service
+    project_domain_id = default
+    user_domain_id = default
+    username = ${cfg.serviceUsername}
+    password = ${cfg.servicePassword.pattern}
+
+    [glance_store]
+    default_store = file
+    filesystem_store_datadir = /var/lib/glance/images/
+  '';
+  glanceApiConfTpl = pkgs.writeText "glance-api.conf" ''
+    ${commonConf}
+
+    [paste_deploy]
+    flavor = keystone
+    config_file = ${cfg.package}/etc/glance-api-paste.ini
+  '';
+  glanceRegistryConfTpl = pkgs.writeText "glance-registry.conf" ''
+    ${commonConf}
+
+    [paste_deploy]
+    config_file = ${cfg.package}/etc/glance-registry-paste.ini
+  '';
+  glanceApiConf = "/var/lib/glance/glance-api.conf";
+  glanceRegistryConf = "/var/lib/glance/glance-registry.conf";
+
+in {
+  options.virtualisation.openstack.glance = {
+    package = mkOption {
+      type = types.package;
+      example = literalExample "pkgs.glance";
+      description = ''
+        Glance package to use.
+      '';
+    };
+
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        This option enables Glance as a single-machine
+        installation. That is, all of Glance's components are
+        enabled on this machine. This is useful for evaluating and
+        experimenting with Glance. Note we are currently not
+        providing any configurations for a multi-node setup.
+      '';
+    };
+
+    authUrl = mkOption {
+      type = types.str;
+      default = http://localhost:5000;
+      description = ''
+        Complete public Identity (Keystone) API endpoint. Note this is
+        unversionned.
+      '';
+    };
+
+    serviceUsername = mkOption {
+      type = types.str;
+      default = "glance";
+      description = ''
+        The Glance service username. This user is created if bootstrap
+        is enable, otherwise it has to be manually created before
+        starting this service.
+      '';
+    };
+
+    servicePassword = mkSecretOption {
+      name = "glanceAdminPassword";
+      description = ''
+        The Glance service user's password.
+      '';
+    };
+
+    database = databaseOption "glance";
+
+    bootstrap = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Bootstrap the Glance service by creating the service tenant,
+          an admin account and a public endpoint. This option provides
+          a ready-to-use glance service. This is only done at the
+          first Glance execution by the systemd post start section.
+          The keystone admin account is used to create required
+          Keystone resource for the Glance service.
+
+          <note><para> This option is a helper for setting up
+          development or testing environments.</para></note>
+        '';
+      };
+
+      endpointPublic = mkOption {
+        type = types.str;
+        default = "http://localhost:9292";
+        description = ''
+          The public image endpoint. The link <link
+          xlink:href="http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html">
+          create endpoint</link> provides more informations
+          about that.
+        '';
+      };
+
+      keystoneAdminUsername = mkOption {
+        type = types.str;
+        default = "admin";
+        description = ''
+          The keystone admin user name used to create the Glance account.
+        '';
+      };
+
+      keystoneAdminPassword = mkSecretOption {
+        name = "keystoneAdminPassword";
+        description = ''
+          The keystone admin user's password.
+        '';
+      };
+
+      keystoneAdminTenant = mkOption {
+        type = types.str;
+        default = "admin";
+        description = ''
+          The keystone admin tenant used to create the Glance account.
+        '';
+      };
+      keystoneAuthUrl = mkOption {
+        type = types.str;
+        default = "http://localhost:5000/v2.0";
+        description = ''
+          The keystone auth url used to create the Glance account.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Note: when changing the default, make it conditional on
+    # ‘system.stateVersion’ to maintain compatibility with existing
+    # systems!
+    virtualisation.openstack.glance.package = mkDefault pkgs.glance;
+
+    users.extraUsers = [{
+      name = "glance";
+      group = "glance";
+      uid = config.ids.gids.glance;
+
+    }];
+    users.extraGroups = [{
+      name = "glance";
+      gid = config.ids.gids.glance;
+    }];
+
+    systemd.services.glance-registry = {
+      description = "OpenStack Glance Registry Daemon";
+      after = [ "network.target"];
+      path = [ pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];
+      wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -m 775 -p /var/lib/glance/{images,scrubber,image_cache}
+        chown glance:glance /var/lib/glance/{images,scrubber,image_cache}
+
+        # Secret file managment
+        cp ${glanceRegistryConfTpl} ${glanceRegistryConf};
+        chown glance:glance ${glanceRegistryConf};
+        chmod 640 ${glanceRegistryConf}
+        ${replaceSecret cfg.database.password glanceRegistryConf}
+        ${replaceSecret cfg.servicePassword glanceRegistryConf}
+
+        cp ${glanceApiConfTpl} ${glanceApiConf};
+        chown glance:glance ${glanceApiConf};
+        chmod 640 ${glanceApiConf}
+        ${replaceSecret cfg.database.password glanceApiConf}
+        ${replaceSecret cfg.servicePassword glanceApiConf}
+
+        # Initialise the database
+        ${cfg.package}/bin/glance-manage --config-file=${glanceApiConf} --config-file=${glanceRegistryConf} db_sync
+      '';
+      postStart = ''
+        set -eu
+        export OS_AUTH_URL=${cfg.bootstrap.keystoneAuthUrl}
+        export OS_USERNAME=${cfg.bootstrap.keystoneAdminUsername}
+        export OS_PASSWORD=${getSecret cfg.bootstrap.keystoneAdminPassword}
+        export OS_TENANT_NAME=${cfg.bootstrap.keystoneAdminTenant}
+
+        # Wait until the keystone is available for use
+        count=0
+        while ! keystone user-get ${cfg.bootstrap.keystoneAdminUsername} > /dev/null
+        do
+            if [ $count -eq 30 ]
+            then
+                echo "Tried 30 times, giving up..."
+                exit 1
+            fi
+
+            echo "Keystone not yet started. Waiting for 1 second..."
+            count=$((count++))
+            sleep 1
+        done
+
+        # If the service glance doesn't exist, we consider glance is
+        # not initialized
+        if ! keystone service-get glance
+        then
+            keystone service-create --type image --name glance
+            ID=$(keystone service-get glance | awk '/ id / { print $4 }')
+            keystone endpoint-create --region RegionOne --service $ID --internalurl http://localhost:9292 --adminurl http://localhost:9292 --publicurl ${cfg.bootstrap.endpointPublic}
+
+            keystone user-create --name ${cfg.serviceUsername} --tenant service --pass ${getSecret cfg.servicePassword}
+            keystone user-role-add --tenant service --user ${cfg.serviceUsername} --role admin
+        fi
+        '';
+      serviceConfig = {
+        PermissionsStartOnly = true; # preStart must be run as root
+        TimeoutStartSec = "600"; # 10min for initial db migrations
+        User = "glance";
+        Group = "glance";
+        ExecStart = "${cfg.package}/bin/glance-registry --config-file=${glanceRegistryConf}";
+      };
+    };
+    systemd.services.glance-api = {
+      description = "OpenStack Glance API Daemon";
+      after = [ "glance-registry.service" "network.target"];
+      requires = [ "glance-registry.service" "network.target"]; 
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        PermissionsStartOnly = true; # preStart must be run as root
+        User = "glance";
+        Group = "glance";
+        ExecStart = "${cfg.package}/bin/glance-api --config-file=${glanceApiConf}";
+      };
+    };
+  };
+
+}