Openstack modules #19529

Closed
wants to merge 26 commits into from
6c4a967
nixos: add keystone, nova, neutron, glance modules
domenkozar Dec 3, 2015
a59b4af
neutron: be able to define plugin packages
domenkozar Dec 11, 2015
5b017f1
neutron: enable snabb
domenkozar Dec 12, 2015
5521ec0
neutron: add extraML2Config option
domenkozar Dec 15, 2015
fd14833
nova: use qemu instead of kvm
domenkozar Feb 11, 2016
dfb6107
make-disk-image.nix: build locally as image may be big
domenkozar Mar 17, 2016
acf0ffc
make-disk-image.nix: preferLocalBuild=true
domenkozar Mar 29, 2016
06ba7bb
neutron: write test temp files to $PWD instead of /tmp/
nlewo Jun 2, 2016
d7034b6
neutron: set default value to extraPackages
nlewo Jun 9, 2016
bd3418b
neutron: enable l3 agent and set various options
nlewo Jun 9, 2016
2afbb46
openstack: default provisioning for a ready-to-use mode
nlewo Sep 19, 2016
744f337
nova: temporarily run it as root to handle iptables
nlewo Oct 6, 2016
111855e
neutron: Fix a conflict on /etc/ethertype file between iptables and
nlewo Oct 6, 2016
d7677d5
openstack: add endpoint_type option
nlewo Oct 11, 2016
14feba9
openstack: use env variables in bootstrapping
nlewo Oct 17, 2016
82ea46f
keystone: adminToken as cfg variable
nlewo Oct 19, 2016
f0a8ece
keystone: typo
nlewo Oct 19, 2016
09b2b69
openstack: cfg variables for mysql credentials
nlewo Oct 22, 2016
35d1bbd
openstack: service credentials variabilized
nlewo Nov 3, 2016
f072149
openstack: update descriptions
nlewo Nov 3, 2016
9e1cff1
keystone: cleaning
nlewo Nov 3, 2016
8908da3
neutron: variabilize public interface
nlewo Nov 6, 2016
a121113
openstack: ensure keystone admin has been created
nlewo Nov 6, 2016
67de1a8
nixos/tests/openstack: ping the booted VM
nlewo Nov 9, 2016
59daf08
neutron: variabilize metadata secret
nlewo Nov 21, 2016
ac110a1
openstack: changes according to spinus's review
nlewo Dec 1, 2016
1 change: 1 addition & 0 deletions nixos/lib/make-disk-image.nix
Expand Up @@ -42,6 +42,7 @@ pkgs.vmTools.runInLinuxVM (
mv closure xchg/
'';
buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ];
preferLocalBuild = true;
exportReferencesGraph =
[ "closure" config.system.build.toplevel ];
inherit postVM;
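Review bot: `preferLocalBuild = true;` is added with no comment explaining why it is needed; the commit message ("build locally as image may be big") carries the rationale, so record it next to the attribute, e.g. `preferLocalBuild = true; # image may be large, avoid copying it to/from remote builders`. Worth stating in that comment too that the flag forces the whole `runInLinuxVM` step onto the evaluating machine, which therefore needs the VM tooling and the disk space for the image.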
8 changes: 8 additions & 0 deletions nixos/modules/misc/ids.nix
Expand Up @@ -275,6 +275,10 @@
prometheus = 255;
telegraf = 256;
gitlab-runner = 257;
glance = 258;
keystone = 259;
neutron = 260;
nova = 261;

# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

Expand Down Expand Up @@ -520,6 +524,10 @@
prometheus = 255;
#telegraf = 256; # unused
gitlab-runner = 257;
glance = 258;
keystone = 259;
neutron = 260;
nova = 261;

# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal
4 changes: 4 additions & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -591,6 +591,10 @@
./virtualisation/lxd.nix
./virtualisation/amazon-options.nix
./virtualisation/openvswitch.nix
./virtualisation/keystone.nix
./virtualisation/glance.nix
./virtualisation/neutron.nix
./virtualisation/nova.nix
./virtualisation/parallels-guest.nix
./virtualisation/rkt.nix
./virtualisation/virtualbox-guest.nix
205 changes: 205 additions & 0 deletions nixos/modules/virtualisation/glance.nix
@@ -0,0 +1,205 @@
{ config, lib, pkgs, ... }:

with lib;

let
cfg = config.virtualisation.glance;
commonConf = ''
[database]
connection = mysql://glance:${cfg.dbPassword}@${cfg.dbHost}/glance
Member

passwords in nix store? I would prefer not.

Member Author

@spinus Could you provide a pointer related to secret management? I don't know what good practice for secret management is.

Member

@nlewo I don't think we have something like that. But there is a known thing that all derivations end up in /nix/store, so all the passwords go there.

What I do to avoid it is:

run-something --secret "$(</run/keys/<my-secret>)"

Config files are a little harder. If it's possible for the process to use it, use a mix of config files and environment variables. If it's not possible, I keep a template of the config file in the nix store, and then, in the preStart script, I copy this file to /var/lib// and fill the template (for example with sed) with keys from /run/keys.

Member Author

I would prefer not to do this now since this PR is already really big. This will add more complexity. Moreover, the current modules target a dev environment, where passwords are not really important.
What do you think about addressing this problem in another PR (once/if this one is merged)?

Member

Oh, I have no merge power here, I'm only talking :-) You don't even have to listen to me :-) Probably better to ask people who have merge power.

Personally I wouldn't merge a thing in that state. I agree it's really big. If I were doing that, I would create a separate PR for each service and then another PR for the "top-level" service which configures the smaller services.

Member Author

yep, I also think I have to create a PR per component.

Contributor

It's best when the mysql client uses mysql client config files only. They allow !include, and thus you could have non-sensitive parameters in a "public" file and a secret file included from it.
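The two secret-handling patterns proposed in this thread (a store-side template filled from /run/keys in preStart, from the earlier comment, and a MySQL option file that pulls the password in through `!include`, from the comment just above) as one standalone POSIX shell script. This is an added illustration, not code from this PR or from nixpkgs; the directory layout, the key-file names, the `@PLACEHOLDER@` convention and the temporary paths standing in for /run/keys and /var/lib/glance are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the PR): keep only a config *template* in the Nix
# store and fill in secrets at service start from a keys directory, so the
# rendered file containing passwords exists only outside /nix/store, with
# owner-only permissions. Layout, key names and placeholders are assumptions.
set -u
umask 077   # every file created below is owner-only by default

# Stand-ins for /run/keys and /var/lib/glance so the script runs offline.
DEMO_ROOT="${DEMO_ROOT:-${TMPDIR:-/tmp}/glance-keys-demo.$$}"
KEYS_DIR="$DEMO_ROOT/keys"     # would be /run/keys on a real host
STATE_DIR="$DEMO_ROOT/state"   # would be /var/lib/glance

# Constructed sample secrets and template. The template is what would live in
# the store: it holds placeholders, never values. The db password deliberately
# contains characters that are special to sed/awk regex replacement.
setup_demo() {
  mkdir -p "$KEYS_DIR" "$STATE_DIR"
  printf '%s' 'db-pass&with/odd$chars' > "$KEYS_DIR/glance-db-password"
  printf '%s' 'svc-pass' > "$KEYS_DIR/glance-service-password"
  cat > "$STATE_DIR/glance.conf.template" <<'EOF'
[database]
connection = mysql://glance:@DB_PASSWORD@@localhost/glance

[keystone_authtoken]
username = glance
password = @SERVICE_PASSWORD@
EOF
}

# Render template $1 to $2. awk reads the secrets from the key files itself,
# so they never appear on a command line (argv is visible to every local user
# via ps), and placeholders are replaced with index()/substr() instead of a
# regex so characters like & / $ in a password cannot corrupt the output.
render_config() {
  awk -v keys="$KEYS_DIR" '
    function fill(line, ph, val,    out, i) {
      out = ""
      while ((i = index(line, ph)) > 0) {
        out = out substr(line, 1, i - 1) val
        line = substr(line, i + length(ph))
      }
      return out line
    }
    BEGIN {
      if ((getline dbpw < (keys "/glance-db-password")) <= 0) {
        print "missing key: glance-db-password" > "/dev/stderr"; exit 1
      }
      if ((getline svcpw < (keys "/glance-service-password")) <= 0) {
        print "missing key: glance-service-password" > "/dev/stderr"; exit 1
      }
    }
    { print fill(fill($0, "@DB_PASSWORD@", dbpw), "@SERVICE_PASSWORD@", svcpw) }
  ' "$1" > "$2"
}

# MySQL client-side variant: a public option file that pulls the password in
# through the real `!include` directive from a separate owner-only file, so
# `mysql --defaults-file="$STATE_DIR/my.cnf"` needs no password in argv.
write_mysql_client_config() {
  cat > "$STATE_DIR/my.cnf" <<EOF
[client]
user = glance
host = localhost
!include $STATE_DIR/my-secret.cnf
EOF
  {
    printf '[client]\npassword = '
    cat "$KEYS_DIR/glance-db-password"
    printf '\n'
  } > "$STATE_DIR/my-secret.cnf"
}

# Returns 0 when the rendered file contains no unfilled @PLACEHOLDER@.
no_placeholders_left() { ! grep -q '@[A-Z_]*@' "$1"; }

if [ "${RUN_DEMO:-0}" = 1 ]; then
  setup_demo
  render_config "$STATE_DIR/glance.conf.template" "$STATE_DIR/glance.conf"
  write_mysql_client_config
  cat "$STATE_DIR/glance.conf"
fi
```

Run with `RUN_DEMO=1 sh script.sh` to see the rendered file. In a NixOS module the equivalent of `render_config` would sit in `preStart` (run as root via `PermissionsStartOnly`, then `chown` the result to the service user), the template would be the `pkgs.writeText` output, and `ExecStart` would point at the rendered file under /var/lib rather than at the store path.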

Member Author

@ip1981 Sorry, I don't understand your point. Could you point me to a doc or an example related to the pattern you are suggesting?


notification_driver = noop

[keystone_authtoken]
auth_uri = http://localhost:5000
auth_url = http://localhost:35357
auth_plugin = password
project_name = service
project_domain_id = default
user_domain_id = default
username = ${cfg.serviceUsername}
password = ${cfg.servicePassword}
Member

password in nix store

[glance_store]
default_store = file
filesystem_store_datadir = /var/lib/glance/images/
'';
glanceApiConf = pkgs.writeText "glance-api.conf" ''
${commonConf}

[paste_deploy]
flavor = keystone
config_file = ${cfg.package}/etc/glance-api-paste.ini
'';
glanceRegistryConf = pkgs.writeText "glance-registry.conf" ''
${commonConf}

[paste_deploy]
config_file = ${cfg.package}/etc/glance-registry-paste.ini
'';
in {

options.virtualisation.glance = {
package = mkOption {
type = types.package;
example = literalExample "pkgs.glance";
description = ''
Glance package to use.
'';
};

enableSingleNode = mkOption {
default = false;
type = types.bool;
description = ''
This option enables Glance as a single-machine
installation. That is, all of Glance's components are
enabled on this machine. This is useful for evaluating and
experimenting with Glance. Note we are currently not
providing any configurations for a multi-node setup.
'';
};

serviceUsername = mkOption {
default = "glance";
description = "The username used for the glance service tenant";
example = "glance";
};
servicePassword = mkOption {
default = "glance";
description = "The password of the glance service user";
example = "glance";
};

dbHost = mkOption {
default = "localhost";
description = "The location of the database server";
example = "localhost";
};

dbPassword = mkOption {
Member

password in nix store

default = "glance";
description = "The mysql password";
example = "glance";
};

endpointPublic = mkOption {
type = types.str;
default = "localhost";
description = ''
'';
};

keystoneAdminUsername = mkOption {
type = types.str;
default = "admin";
description = ''
'';
};

keystoneAdminPassword = mkOption {
Member

password in nix store

type = types.str;
default = "admin";
description = ''
'';
};

keystoneAdminTenant = mkOption {
type = types.str;
default = "admin";
description = ''
'';
};
};

config = mkIf cfg.enableSingleNode {
# Note: when changing the default, make it conditional on
# ‘system.stateVersion’ to maintain compatibility with existing
# systems!
virtualisation.glance.package = mkDefault pkgs.glance;

users.extraUsers = [{
Member

I think you can lock uid and gid, check how other services are doing that in nixos

Member Author

Done.

name = "glance";
group = "glance";
uid = config.ids.gids.glance;

}];
users.extraGroups = [{
name = "glance";
gid = config.ids.gids.glance;
}];

systemd.services.glance-registry = {
description = "OpenStack Glance Registry Daemon";
after = [ "mysql.service" "network.target"];
requires = [ "mysql.service" "network.target"];
path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -m 775 -p /var/lib/glance/{images,scrubber,image_cache}
chown glance:glance /var/lib/glance/{images,scrubber,image_cache}

# TODO: move out of here
mysql -u root -N -e "create database glance;" || true
mysql -u root -N -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'${cfg.dbHost}' IDENTIFIED BY '${cfg.dbPassword}';"
Member

another script/config with passwords, you could use systemd environment variables to pass it from a file

mysql -u root -N -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY '${cfg.dbPassword}';"

# Initialise the database
${cfg.package}/bin/glance-manage --config-file=${glanceApiConf} --config-file=${glanceRegistryConf} db_sync
'';
postStart = ''
export OS_AUTH_URL=http://localhost:5000/v2.0
export OS_USERNAME=${cfg.keystoneAdminUsername}
export OS_PASSWORD=${cfg.keystoneAdminPassword}
export OS_TENANT_NAME=${cfg.keystoneAdminTenant}

# Wait until the keystone is available for use
count=0
while ! keystone user-get ${cfg.keystoneAdminUsername} > /dev/null
do
if [ $count -eq 30 ]
then
echo "Tried 30 times, giving up..."
exit 1
fi

echo "Keystone not yet started. Waiting for 1 second..."
count=$((count++))
sleep 1
done

# If the service glance doesn't exist, we consider glance is
# not initialized
if ! keystone service-get glance
then
keystone service-create --type image --name glance
ID=$(keystone service-get glance | awk '/ id / { print $4 }')
keystone endpoint-create --region RegionOne --service $ID --internalurl http://localhost:9292 --adminurl http://localhost:9292 --publicurl http://${cfg.endpointPublic}:9292

keystone user-create --name ${cfg.serviceUsername} --tenant service --pass ${cfg.servicePassword}
keystone user-role-add --tenant service --user ${cfg.serviceUsername} --role admin
fi
'';
serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
TimeoutStartSec = "600"; # 10min for initial db migrations
User = "glance";
Group = "glance";
ExecStart = "${cfg.package}/bin/glance-registry --config-file=${glanceRegistryConf}";
};
};
systemd.services.glance-api = {
description = "OpenStack Glance API Daemon";
after = [ "glance-registry.service" "rabbitmq.service" "mysql.service" "network.target"];
requires = [ "glance-registry.service" "rabbitmq.service" "mysql.service" "network.target"];
path = [ cfg.package pkgs.mysql ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
User = "glance";
Group = "glance";
ExecStart = "${cfg.package}/bin/glance-api --config-file=${glanceApiConf}";
};
};
};

}
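Review bot: the keystone wait loop in `postStart` never advances: `count=$((count++))` assigns the pre-increment value back to `count`, so it stays at 0, the `-eq 30` branch is unreachable and a keystone that never comes up makes the unit wait forever instead of failing; use `count=$((count + 1))`. In `users.extraUsers`, `uid = config.ids.gids.glance;` should be `config.ids.uids.glance` (the ids.nix change allocates both). The secrets point raised above covers more than the two option defaults: `cfg.dbPassword` and `cfg.servicePassword` are interpolated into `glance-api.conf` and `glance-registry.conf` via `pkgs.writeText`, into the `mysql -u root ... IDENTIFIED BY '${cfg.dbPassword}'` statements and into `keystone user-create ... --pass ${cfg.servicePassword}`, so they end up world-readable in the store and, for the last two, in process argv visible to every local user; reading them from `/run/keys` in `preStart` and passing them through the environment or a 0600 file would cover all of these. The grant runs twice, once for `'glance'@'${cfg.dbHost}'` and once for `'glance'@'%'`, and the second opens the account to any host. Minor: `glance-api` sets `PermissionsStartOnly = true` but has no `preStart`, and the `endpointPublic`, `keystoneAdminUsername`, `keystoneAdminPassword` and `keystoneAdminTenant` options have empty descriptions.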