From d3d94992cf02c9d150ceb5244e520fe1dbeb0012 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 13 Dec 2017 18:18:48 +0100 Subject: [PATCH] keystone: rip part of openstack cleanup --- nixos/modules/misc/ids.nix | 4 +- nixos/modules/module-list.nix | 1 - .../virtualisation/openstack/keystone.nix | 220 ------------------ nixos/release.nix | 1 - nixos/tests/keystone.nix | 82 ------- .../virtualization/openstack/keystone.nix | 55 ----- pkgs/top-level/all-packages.nix | 1 - 7 files changed, 2 insertions(+), 362 deletions(-) delete mode 100644 nixos/modules/virtualisation/openstack/keystone.nix delete mode 100644 nixos/tests/keystone.nix delete mode 100644 pkgs/applications/virtualization/openstack/keystone.nix diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index c10b5a0ec93..1ca1ed0cfbd 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -281,7 +281,7 @@ stanchion = 262; riak-cs = 263; infinoted = 264; - keystone = 265; + # keystone = 265; # unused, removed 2017-12-13 glance = 266; couchpotato = 267; gogs = 268; @@ -551,7 +551,7 @@ stanchion = 262; riak-cs = 263; infinoted = 264; - keystone = 265; + # keystone = 265; # unused, removed 2017-12-13 glance = 266; couchpotato = 267; gogs = 268; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 5f5ebae891f..43548609ee8 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -748,6 +748,5 @@ ./virtualisation/vmware-guest.nix ./virtualisation/xen-dom0.nix ./virtualisation/xe-guest-utilities.nix - ./virtualisation/openstack/keystone.nix ./virtualisation/openstack/glance.nix ] diff --git a/nixos/modules/virtualisation/openstack/keystone.nix b/nixos/modules/virtualisation/openstack/keystone.nix deleted file mode 100644 index e32c5a4cae1..00000000000 --- a/nixos/modules/virtualisation/openstack/keystone.nix +++ /dev/null @@ -1,220 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; with import ./common.nix {inherit lib;}; - -let - cfg = config.virtualisation.openstack.keystone; - keystoneConfTpl = pkgs.writeText "keystone.conf" '' - [DEFAULT] - admin_token = ${cfg.adminToken.pattern} - policy_file=${cfg.package}/etc/policy.json - - [database] - - connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}" - - [paste_deploy] - config_file = ${cfg.package}/etc/keystone-paste.ini - - ${cfg.extraConfig} - ''; - keystoneConf = "/var/lib/keystone/keystone.conf"; - -in { - options.virtualisation.openstack.keystone = { - package = mkOption { - type = types.package; - example = literalExample "pkgs.keystone"; - description = '' - Keystone package to use. - ''; - }; - - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enable Keystone, the OpenStack Identity Service - ''; - }; - - extraConfig = mkOption { - default = ""; - type = types.lines; - description = '' - Additional text appended to keystone.conf, - the main Keystone configuration file. - ''; - }; - - adminToken = mkSecretOption { - name = "adminToken"; - description = '' - This is the admin token used to boostrap keystone, - ie. to provision first resources. - ''; - }; - - bootstrap = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Bootstrap the Keystone service by creating the service - tenant, an admin account and a public endpoint. This options - provides a ready-to-use admin account. This is only done at - the first Keystone execution by the systemd post start. - - Note this option is a helper for setting up development or - testing environments. - ''; - }; - - endpointPublic = mkOption { - type = types.str; - default = "http://localhost:5000/v2.0"; - description = '' - The public identity endpoint. The link - create keystone endpoint provides more informations - about that. - ''; - }; - - adminUsername = mkOption { - type = types.str; - default = "admin"; - description = '' - A keystone admin username. - ''; - }; - - adminPassword = mkSecretOption { - name = "keystoneAdminPassword"; - description = '' - The keystone admin user's password. - ''; - }; - - adminTenant = mkOption { - type = types.str; - default = "admin"; - description = '' - A keystone admin tenant name. - ''; - }; - }; - - database = { - host = mkOption { - type = types.str; - default = "localhost"; - description = '' - Host of the database. - ''; - }; - - name = mkOption { - type = types.str; - default = "keystone"; - description = '' - Name of the existing database. - ''; - }; - - user = mkOption { - type = types.str; - default = "keystone"; - description = '' - The database user. The user must exist and has access to - the specified database. - ''; - }; - password = mkSecretOption { - name = "mysqlPassword"; - description = "The database user's password";}; - }; - }; - - config = mkIf cfg.enable { - # Note: when changing the default, make it conditional on - # ‘system.stateVersion’ to maintain compatibility with existing - # systems! - virtualisation.openstack.keystone.package = mkDefault pkgs.keystone; - - users.extraUsers = [{ - name = "keystone"; - group = "keystone"; - uid = config.ids.uids.keystone; - }]; - users.extraGroups = [{ - name = "keystone"; - gid = config.ids.gids.keystone; - }]; - - systemd.services.keystone-all = { - description = "OpenStack Keystone Daemon"; - after = [ "network.target"]; - path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 755 -p /var/lib/keystone - - cp ${keystoneConfTpl} ${keystoneConf}; - chown keystone:keystone ${keystoneConf}; - chmod 640 ${keystoneConf} - - ${replaceSecret cfg.database.password keystoneConf} - ${replaceSecret cfg.adminToken keystoneConf} - - # Initialise the database - ${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} db_sync - # Set up the keystone's PKI infrastructure - ${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} pki_setup --keystone-user keystone --keystone-group keystone - ''; - postStart = optionalString cfg.bootstrap.enable '' - set -eu - # Wait until the keystone is available for use - count=0 - while ! curl --fail -s http://localhost:35357/v2.0 > /dev/null - do - if [ $count -eq 30 ] - then - echo "Tried 30 times, giving up..." - exit 1 - fi - - echo "Keystone not yet started. Waiting for 1 second..." - count=$((count++)) - sleep 1 - done - - # We use the service token to create a first admin user - export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0 - export OS_SERVICE_TOKEN=${getSecret cfg.adminToken} - - # If the tenant service doesn't exist, we consider - # keystone is not initialized - if ! keystone tenant-get service - then - keystone tenant-create --name service - keystone tenant-create --name ${cfg.bootstrap.adminTenant} - keystone user-create --name ${cfg.bootstrap.adminUsername} --tenant ${cfg.bootstrap.adminTenant} --pass ${getSecret cfg.bootstrap.adminPassword} - keystone role-create --name admin - keystone role-create --name Member - keystone user-role-add --tenant ${cfg.bootstrap.adminTenant} --user ${cfg.bootstrap.adminUsername} --role admin - keystone service-create --type identity --name keystone - ID=$(keystone service-get keystone | awk '/ id / { print $4 }') - keystone endpoint-create --region RegionOne --service $ID --publicurl ${cfg.bootstrap.endpointPublic} --adminurl http://localhost:35357/v2.0 --internalurl http://localhost:5000/v2.0 - fi - ''; - serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root - TimeoutStartSec = "600"; # 10min for initial db migrations - User = "keystone"; - Group = "keystone"; - ExecStart = "${cfg.package}/bin/keystone-all --config-file=${keystoneConf}"; - }; - }; - }; -} diff --git a/nixos/release.nix b/nixos/release.nix index 426a5eef34a..d5d7e1bf2cc 100644 --- a/nixos/release.nix +++ b/nixos/release.nix @@ -293,7 +293,6 @@ in rec { tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {}; tests.kernel-latest = callTest tests/kernel-latest.nix {}; tests.kernel-lts = callTest tests/kernel-lts.nix {}; - tests.keystone = callTest tests/keystone.nix {}; tests.kubernetes = hydraJob (import tests/kubernetes/default.nix { system = "x86_64-linux"; }); tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; }; tests.ldap = callTest tests/ldap.nix {}; diff --git a/nixos/tests/keystone.nix b/nixos/tests/keystone.nix deleted file mode 100644 index 358e352f776..00000000000 --- a/nixos/tests/keystone.nix +++ /dev/null @@ -1,82 +0,0 @@ -{ system ? builtins.currentSystem }: - -with import ../lib/testing.nix { inherit system; }; -with pkgs.lib; - -let - keystoneMysqlPassword = "keystoneMysqlPassword"; - keystoneMysqlPasswordFile = "/var/run/keystoneMysqlPassword"; - keystoneAdminPassword = "keystoneAdminPassword"; - - createKeystoneDb = pkgs.writeText "create-keystone-db.sql" '' - create database keystone; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '${keystoneMysqlPassword}'; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '${keystoneMysqlPassword}'; - ''; - # The admin keystone account - adminOpenstackCmd = "OS_TENANT_NAME=admin OS_USERNAME=admin OS_PASSWORD=${keystoneAdminPassword} OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack"; - # The created demo keystone account - demoOpenstackCmd = "OS_TENANT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo OS_AUTH_URL=http://localhost:5000/v3 OS_IDENTITY_API_VERSION=3 openstack"; - -in makeTest { - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ lewo ]; - }; - machine = - { config, pkgs, ... }: - { - # This is to simulate nixops deployment process. - # https://nixos.org/nixops/manual/#opt-deployment.keys - boot.postBootCommands = "echo ${keystoneMysqlPassword} > ${keystoneMysqlPasswordFile}"; - - services.mysql.enable = true; - services.mysql.initialScript = createKeystoneDb; - - virtualisation = { - - openstack.keystone = { - enable = true; - # Check if we can get the secret from a file - database.password = { - value = keystoneMysqlPasswordFile; - storage = "fromFile"; - }; - adminToken = { - value = "adminToken"; - storage = "fromNixStore"; - }; - - bootstrap.enable = true; - # Check if we can get the secret from the store - bootstrap.adminPassword = { - value = keystoneAdminPassword; - storage = "fromNixStore"; - }; - }; - - memorySize = 2096; - diskSize = 4 * 1024; - }; - - environment.systemPackages = with pkgs.pythonPackages; with pkgs; [ - openstackclient - ]; - }; - - testScript = - '' - $machine->waitForUnit("keystone-all.service"); - - # Verify that admin ccount is working - $machine->succeed("${adminOpenstackCmd} token issue"); - - # Try to create a new user - $machine->succeed("${adminOpenstackCmd} project create --domain default --description 'Demo Project' demo"); - $machine->succeed("${adminOpenstackCmd} user create --domain default --password demo demo"); - $machine->succeed("${adminOpenstackCmd} role create user"); - $machine->succeed("${adminOpenstackCmd} role add --project demo --user demo user"); - - # Verify this new account is working - $machine->succeed("${demoOpenstackCmd} token issue"); - ''; -} diff --git a/pkgs/applications/virtualization/openstack/keystone.nix b/pkgs/applications/virtualization/openstack/keystone.nix deleted file mode 100644 index 39c54f0d204..00000000000 --- a/pkgs/applications/virtualization/openstack/keystone.nix +++ /dev/null @@ -1,55 +0,0 @@ -{ stdenv, fetchurl, python2Packages, xmlsec, which, openssl }: - -python2Packages.buildPythonApplication rec { - name = "keystone-${version}"; - version = "8.0.0"; - namePrefix = ""; - - PBR_VERSION = "${version}"; - - src = fetchurl { - url = "https://github.com/openstack/keystone/archive/${version}.tar.gz"; - sha256 = "1xbrs7xgwjzrs07zyxxcl2lq18dh582gd6lx1zzzji8c0qmffy0z"; - }; - - # remove on next version bump - patches = [ ./remove-oslo-policy-tests.patch ]; - - # https://github.com/openstack/keystone/blob/stable/liberty/requirements.txt - propagatedBuildInputs = with python2Packages; [ - pbr webob eventlet greenlet PasteDeploy paste routes cryptography six - sqlalchemy sqlalchemy_migrate stevedore passlib keystoneclient memcached - keystonemiddleware oauthlib pysaml2 dogpile_cache jsonschema pycadf msgpack - xmlsec MySQL_python - - # oslo - oslo-cache oslo-concurrency oslo-config oslo-context oslo-messaging oslo-db - oslo-i18n oslo-log oslo-middleware oslo-policy oslo-serialization oslo-service - oslo-utils - ]; - - buildInputs = with python2Packages; [ - coverage fixtures mock subunit tempest-lib testtools testrepository - ldap ldappool webtest requests oslotest pep8 pymongo which - ]; - - makeWrapperArgs = ["--prefix PATH : '${openssl.bin}/bin:$PATH'"]; - - postInstall = '' - # install .ini files - mkdir -p $out/etc - cp etc/* $out/etc - - # check all binaries don't crash - for i in $out/bin/*; do - $i --help - done - ''; - - meta = with stdenv.lib; { - homepage = http://keystone.openstack.org/; - description = "Authentication, authorization and service discovery mechanisms via HTTP"; - license = stdenv.lib.licenses.asl20; - platforms = stdenv.lib.platforms.linux; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 447701e0efc..ed98377fb2a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16113,7 +16113,6 @@ with pkgs; notmuch-addrlookup = callPackage ../applications/networking/mailreaders/notmuch-addrlookup { }; # Open Stack - keystone = callPackage ../applications/virtualization/openstack/keystone.nix { }; neutron = callPackage ../applications/virtualization/openstack/neutron.nix { }; glance = callPackage ../applications/virtualization/openstack/glance.nix { };