Openstack modules #19529
Openstack modules #19529
@@ -0,0 +1,205 @@ | ||
{ config, lib, pkgs, ... }: | ||
|
||
with lib; | ||
|
||
let | ||
cfg = config.virtualisation.glance; | ||
commonConf = '' | ||
[database] | ||
connection = mysql://glance:${cfg.dbPassword}@${cfg.dbHost}/glance | ||
notification_driver = noop | ||
|
||
[keystone_authtoken] | ||
auth_uri = http://localhost:5000 | ||
auth_url = http://localhost:35357 | ||
auth_plugin = password | ||
project_name = service | ||
project_domain_id = default | ||
user_domain_id = default | ||
username = ${cfg.serviceUsername} | ||
password = ${cfg.servicePassword} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. password in nix store |
||
|
||
[glance_store] | ||
default_store = file | ||
filesystem_store_datadir = /var/lib/glance/images/ | ||
''; | ||
glanceApiConf = pkgs.writeText "glance-api.conf" '' | ||
${commonConf} | ||
|
||
[paste_deploy] | ||
flavor = keystone | ||
config_file = ${cfg.package}/etc/glance-api-paste.ini | ||
''; | ||
glanceRegistryConf = pkgs.writeText "glance-registry.conf" '' | ||
${commonConf} | ||
|
||
[paste_deploy] | ||
config_file = ${cfg.package}/etc/glance-registry-paste.ini | ||
''; | ||
in { | ||
|
||
options.virtualisation.glance = { | ||
package = mkOption { | ||
type = types.package; | ||
example = literalExample "pkgs.glance"; | ||
description = '' | ||
Glance package to use. | ||
''; | ||
}; | ||
|
||
enableSingleNode = mkOption { | ||
default = false; | ||
type = types.bool; | ||
description = '' | ||
This option enables Glance as a single-machine | ||
installation. That is, all of Glance's components are | ||
enabled on this machine. This is useful for evaluating and | ||
experimenting with Glance. Note we are currently not | ||
providing any configurations for a multi-node setup. | ||
''; | ||
}; | ||
|
||
serviceUsername = mkOption { | ||
default = "glance"; | ||
description = "The username used for the glance service tenant"; | ||
example = "glance"; | ||
}; | ||
servicePassword = mkOption { | ||
default = "glance"; | ||
description = "The password of the glance service user"; | ||
example = "glance"; | ||
}; | ||
|
||
dbHost = mkOption { | ||
default = "localhost"; | ||
description = "The location of the database server"; | ||
example = "localhost"; | ||
}; | ||
|
||
dbPassword = mkOption { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. password in nix store |
||
default = "glance"; | ||
description = "The mysql password"; | ||
example = "glance"; | ||
}; | ||
|
||
endpointPublic = mkOption { | ||
type = types.str; | ||
default = "localhost"; | ||
description = '' | ||
''; | ||
}; | ||
|
||
keystoneAdminUsername = mkOption { | ||
type = types.str; | ||
default = "admin"; | ||
description = '' | ||
''; | ||
}; | ||
|
||
keystoneAdminPassword = mkOption { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. password in nix store |
||
type = types.str; | ||
default = "admin"; | ||
description = '' | ||
''; | ||
}; | ||
|
||
keystoneAdminTenant = mkOption { | ||
type = types.str; | ||
default = "admin"; | ||
description = '' | ||
''; | ||
}; | ||
}; | ||
|
||
config = mkIf cfg.enableSingleNode { | ||
# Note: when changing the default, make it conditional on | ||
# ‘system.stateVersion’ to maintain compatibility with existing | ||
# systems! | ||
virtualisation.glance.package = mkDefault pkgs.glance; | ||
|
||
users.extraUsers = [{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think you can lock uid and gid, check how other services are doing that in nixos There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done. |
||
name = "glance"; | ||
group = "glance"; | ||
uid = config.ids.gids.glance; | ||
|
||
}]; | ||
users.extraGroups = [{ | ||
name = "glance"; | ||
gid = config.ids.gids.glance; | ||
}]; | ||
|
||
systemd.services.glance-registry = { | ||
description = "OpenStack Glance Registry Daemon"; | ||
after = [ "mysql.service" "network.target"]; | ||
requires = [ "mysql.service" "network.target"]; | ||
path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ]; | ||
wantedBy = [ "multi-user.target" ]; | ||
preStart = '' | ||
mkdir -m 775 -p /var/lib/glance/{images,scrubber,image_cache} | ||
chown glance:glance /var/lib/glance/{images,scrubber,image_cache} | ||
|
||
# TODO: move out of here | ||
mysql -u root -N -e "create database glance;" || true | ||
mysql -u root -N -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'${cfg.dbHost}' IDENTIFIED BY '${cfg.dbPassword}';" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. another script/config with passwords, you could use systemd environment variables to pass it from file |
||
mysql -u root -N -e "GRANT ALL PRIVILEGES ON glance.* TO 'glance'@'%' IDENTIFIED BY '${cfg.dbPassword}';" | ||
|
||
# Initialise the database | ||
${cfg.package}/bin/glance-manage --config-file=${glanceApiConf} --config-file=${glanceRegistryConf} db_sync | ||
''; | ||
postStart = '' | ||
export OS_AUTH_URL=http://localhost:5000/v2.0 | ||
export OS_USERNAME=${cfg.keystoneAdminUsername} | ||
export OS_PASSWORD=${cfg.keystoneAdminPassword} | ||
export OS_TENANT_NAME=${cfg.keystoneAdminTenant} | ||
|
||
# Wait until the keystone is available for use | ||
count=0 | ||
while ! keystone user-get ${cfg.keystoneAdminUsername} > /dev/null | ||
do | ||
if [ $count -eq 30 ] | ||
then | ||
echo "Tried 30 times, giving up..." | ||
exit 1 | ||
fi | ||
|
||
echo "Keystone not yet started. Waiting for 1 second..." | ||
count=$((count++)) | ||
sleep 1 | ||
done | ||
|
||
# If the service glance doesn't exist, we consider glance is | ||
# not initialized | ||
if ! keystone service-get glance | ||
then | ||
keystone service-create --type image --name glance | ||
ID=$(keystone service-get glance | awk '/ id / { print $4 }') | ||
keystone endpoint-create --region RegionOne --service $ID --internalurl http://localhost:9292 --adminurl http://localhost:9292 --publicurl http://${cfg.endpointPublic}:9292 | ||
|
||
keystone user-create --name ${cfg.serviceUsername} --tenant service --pass ${cfg.servicePassword} | ||
keystone user-role-add --tenant service --user ${cfg.serviceUsername} --role admin | ||
fi | ||
''; | ||
serviceConfig = { | ||
PermissionsStartOnly = true; # preStart must be run as root | ||
TimeoutStartSec = "600"; # 10min for initial db migrations | ||
User = "glance"; | ||
Group = "glance"; | ||
ExecStart = "${cfg.package}/bin/glance-registry --config-file=${glanceRegistryConf}"; | ||
}; | ||
}; | ||
systemd.services.glance-api = { | ||
description = "OpenStack Glance API Daemon"; | ||
after = [ "glance-registry.service" "rabbitmq.service" "mysql.service" "network.target"]; | ||
requires = [ "glance-registry.service" "rabbitmq.service" "mysql.service" "network.target"]; | ||
path = [ cfg.package pkgs.mysql ]; | ||
wantedBy = [ "multi-user.target" ]; | ||
serviceConfig = { | ||
PermissionsStartOnly = true; # preStart must be run as root | ||
User = "glance"; | ||
Group = "glance"; | ||
ExecStart = "${cfg.package}/bin/glance-api --config-file=${glanceApiConf}"; | ||
}; | ||
}; | ||
}; | ||
|
||
} |
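Review bot: The retry counter in the postStart keystone wait loop never advances: `count=$((count++))` evaluates to the old value of count, so the `-eq 30` give-up branch is unreachable and a keystone that never comes up leaves the unit stuck in postStart until systemd's own timeout; it should read `count=$((count + 1))`. The user entry also takes its uid from the gid table (`uid = config.ids.gids.glance;`), which presumably should be `config.ids.uids.glance` so the user id is not tied to the group id allocation (whether that id is declared is not visible here). In preStart the GRANT statements interpolate `cfg.dbPassword` inside single quotes, so a password containing a quote character breaks either the SQL or the shell quoting; the option description should state that restriction or the value should be escaped before interpolation. The `-m 775` on the data directories leaves them group-writable, which is wider than needed once they are chowned to glance:glance; `-m 750` would be the tighter default.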
passwords in nix store? I would prefer not.
@spinus Could you provide a pointer related to secret management? I don't know what good practice for secret management is.
@nlewo I don't think we have something like that. But there is known thing that all derivations end up in /nix/store so all the passwords go there.
What I do to avoid it is:
Config files are a little harder. If it's possible for the process to use both, use a mix of config files and environment variables. If it's not possible, I keep a template of the config file in the nix store, and then, in the preStart script, I copy this file to /var/lib// and fill in the template (for example with sed) with keys from /run/keys.
I would prefer not to do this now since this PR is already really big. This will add more complexity. Moreover, the current modules target a dev environment, where passwords are not really important.
What do you think to address this problem in another PR (once/if this one is merged)?
Oh, I have no merge power here, I'm only talking :-) You don't even have to listen to me :-) probably better to ask people who have merge power.
Personally I wouldn't merge a thing in that state. I agree it's really big. If I were doing that, I would create a separate PR for each service and then another PR for the "top-level" service which configures the smaller services.
yep, I also think I have to create a PR per component.
It's the best when mysql client uses mysql client config files only. They allow
!include
, and thus you could have non-sensitive parameters in a "public" file and secret file included in it.There was a problem hiding this comment.
@ip1981 Sorry, I don't understand your point. Could you point me a doc or an example related to the pattern you are suggesting?
Like this https://github.com/ip1981/mywatch#configuration