0242d33adb
This commit registers all policies formally kept in policy.json as defaults in code. This is an effort to make policy management easier for operators. More information on this initiative can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html bp policy-and-docs-in-code Change-Id: Ibab08f8e1c95b86e08737c67a39c293566dbabc7
332 lines
11 KiB
Bash
332 lines
11 KiB
Bash
#!/bin/bash
|
|
#
|
|
# lib/watcher
|
|
# Functions to control the configuration and operation of the watcher services
|
|
|
|
# Dependencies:
|
|
#
|
|
# - ``functions`` file
|
|
# - ``SERVICE_{TENANT_NAME|PASSWORD}`` must be defined
|
|
# - ``DEST``, ``DATA_DIR``, ``STACK_USER`` must be defined
|
|
|
|
# ``stack.sh`` calls the entry points in this order:
|
|
#
|
|
# - is_watcher_enabled
|
|
# - install_watcher
|
|
# - configure_watcher
|
|
# - create_watcher_conf
|
|
# - init_watcher
|
|
# - start_watcher
|
|
# - stop_watcher
|
|
# - cleanup_watcher
|
|
|
|
# Save trace setting
|
|
_XTRACE_WATCHER=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
|
|
# Defaults
|
|
# --------
|
|
|
|
# Set up default directories
|
|
WATCHER_REPO=${WATCHER_REPO:-${GIT_BASE}/openstack/watcher.git}
|
|
WATCHER_BRANCH=${WATCHER_BRANCH:-master}
|
|
WATCHER_DIR=$DEST/watcher
|
|
|
|
GITREPO["python-watcherclient"]=${WATCHERCLIENT_REPO:-${GIT_BASE}/openstack/python-watcherclient.git}
|
|
GITBRANCH["python-watcherclient"]=${WATCHERCLIENT_BRANCH:-master}
|
|
GITDIR["python-watcherclient"]=$DEST/python-watcherclient
|
|
|
|
WATCHER_STATE_PATH=${WATCHER_STATE_PATH:=$DATA_DIR/watcher}
|
|
WATCHER_AUTH_CACHE_DIR=${WATCHER_AUTH_CACHE_DIR:-/var/cache/watcher}
|
|
|
|
WATCHER_CONF_DIR=/etc/watcher
|
|
WATCHER_CONF=$WATCHER_CONF_DIR/watcher.conf
|
|
WATCHER_POLICY_YAML=$WATCHER_CONF_DIR/policy.yaml.sample
|
|
|
|
WATCHER_DEVSTACK_DIR=$WATCHER_DIR/devstack
|
|
WATCHER_DEVSTACK_FILES_DIR=$WATCHER_DEVSTACK_DIR/files
|
|
|
|
NOVA_CONF_DIR=/etc/nova
|
|
NOVA_CONF=$NOVA_CONF_DIR/nova.conf
|
|
|
|
if is_ssl_enabled_service "watcher" || is_service_enabled tls-proxy; then
|
|
WATCHER_SERVICE_PROTOCOL="https"
|
|
fi
|
|
|
|
WATCHER_USE_MOD_WSGI=$(trueorfalse True WATCHER_USE_MOD_WSGI)
|
|
|
|
if is_suse; then
|
|
WATCHER_WSGI_DIR=${WATCHER_WSGI_DIR:-/srv/www/htdocs/watcher}
|
|
else
|
|
WATCHER_WSGI_DIR=${WATCHER_WSGI_DIR:-/var/www/watcher}
|
|
fi
|
|
# Public facing bits
|
|
WATCHER_SERVICE_HOST=${WATCHER_SERVICE_HOST:-$HOST_IP}
|
|
WATCHER_SERVICE_PORT=${WATCHER_SERVICE_PORT:-9322}
|
|
WATCHER_SERVICE_PORT_INT=${WATCHER_SERVICE_PORT_INT:-19322}
|
|
WATCHER_SERVICE_PROTOCOL=${WATCHER_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
|
|
|
# Support entry points installation of console scripts
|
|
if [[ -d $WATCHER_DIR/bin ]]; then
|
|
WATCHER_BIN_DIR=$WATCHER_DIR/bin
|
|
else
|
|
WATCHER_BIN_DIR=$(get_python_exec_prefix)
|
|
fi
|
|
|
|
# Entry Points
|
|
# ------------
|
|
|
|
# Test if any watcher services are enabled
|
|
# is_watcher_enabled
|
|
function is_watcher_enabled {
|
|
[[ ,${ENABLED_SERVICES} =~ ,"watcher-" ]] && return 0
|
|
return 1
|
|
}
|
|
|
|
#_cleanup_watcher_apache_wsgi - Remove wsgi files,
|
|
#disable and remove apache vhost file
|
|
function _cleanup_watcher_apache_wsgi {
|
|
sudo rm -rf $WATCHER_WSGI_DIR
|
|
sudo rm -f $(apache_site_config_for watcher-api)
|
|
restart_apache_server
|
|
}
|
|
|
|
# cleanup_watcher() - Remove residual data files, anything left over from previous
|
|
# runs that a clean run would need to clean up
|
|
function cleanup_watcher {
|
|
sudo rm -rf $WATCHER_STATE_PATH $WATCHER_AUTH_CACHE_DIR
|
|
if [[ "$WATCHER_USE_MOD_WSGI" == "True" ]]; then
|
|
_cleanup_watcher_apache_wsgi
|
|
fi
|
|
}
|
|
|
|
# configure_watcher() - Set config files, create data dirs, etc
|
|
function configure_watcher {
|
|
# Put config files in ``/etc/watcher`` for everyone to find
|
|
sudo install -d -o $STACK_USER $WATCHER_CONF_DIR
|
|
|
|
local project=watcher
|
|
local project_uc
|
|
project_uc=$(echo watcher|tr a-z A-Z)
|
|
local conf_dir="${project_uc}_CONF_DIR"
|
|
# eval conf dir to get the variable
|
|
conf_dir="${!conf_dir}"
|
|
local project_dir="${project_uc}_DIR"
|
|
# eval project dir to get the variable
|
|
project_dir="${!project_dir}"
|
|
local sample_conf_dir="${project_dir}/etc/${project}"
|
|
local sample_policy_dir="${project_dir}/etc/${project}/policy.d"
|
|
local sample_policy_generator="${project_dir}/etc/${project}/oslo-policy-generator/watcher-policy-generator.conf"
|
|
|
|
# first generate policy.yaml
|
|
oslopolicy-sample-generator --config-file $sample_policy_generator
|
|
# then optionally copy over policy.d
|
|
if [[ -d $sample_policy_dir ]]; then
|
|
cp -r $sample_policy_dir $conf_dir/policy.d
|
|
fi
|
|
|
|
# Rebuild the config file from scratch
|
|
create_watcher_conf
|
|
}
|
|
|
|
# create_watcher_accounts() - Set up common required watcher accounts
|
|
#
|
|
# Project User Roles
|
|
# ------------------------------------------------------------------
|
|
# SERVICE_TENANT_NAME watcher service
|
|
function create_watcher_accounts {
|
|
create_service_user "watcher" "admin"
|
|
|
|
local watcher_service=$(get_or_create_service "watcher" \
|
|
"infra-optim" "Watcher Infrastructure Optimization Service")
|
|
get_or_create_endpoint $watcher_service \
|
|
"$REGION_NAME" \
|
|
"$WATCHER_SERVICE_PROTOCOL://$WATCHER_SERVICE_HOST:$WATCHER_SERVICE_PORT" \
|
|
"$WATCHER_SERVICE_PROTOCOL://$WATCHER_SERVICE_HOST:$WATCHER_SERVICE_PORT" \
|
|
"$WATCHER_SERVICE_PROTOCOL://$WATCHER_SERVICE_HOST:$WATCHER_SERVICE_PORT"
|
|
}
|
|
|
|
# _config_watcher_apache_wsgi() - Set WSGI config files of watcher
|
|
function _config_watcher_apache_wsgi {
|
|
local watcher_apache_conf
|
|
if [[ "$WATCHER_USE_MOD_WSGI" == "True" ]]; then
|
|
sudo mkdir -p $WATCHER_WSGI_DIR
|
|
sudo cp $WATCHER_DIR/watcher/api/app.wsgi $WATCHER_WSGI_DIR/app.wsgi
|
|
watcher_apache_conf=$(apache_site_config_for watcher-api)
|
|
sudo cp $WATCHER_DEVSTACK_FILES_DIR/apache-watcher-api.template $watcher_apache_conf
|
|
sudo sed -e "
|
|
s|%WATCHER_SERVICE_PORT%|$WATCHER_SERVICE_PORT|g;
|
|
s|%WATCHER_WSGI_DIR%|$WATCHER_WSGI_DIR|g;
|
|
s|%USER%|$STACK_USER|g;
|
|
s|%APIWORKERS%|$API_WORKERS|g;
|
|
s|%APACHE_NAME%|$APACHE_NAME|g;
|
|
" -i $watcher_apache_conf
|
|
enable_apache_site watcher-api
|
|
tail_log watcher-access /var/log/$APACHE_NAME/watcher-api-access.log
|
|
tail_log watcher-api /var/log/$APACHE_NAME/watcher-api.log
|
|
fi
|
|
|
|
}
|
|
|
|
# create_watcher_conf() - Create a new watcher.conf file
|
|
function create_watcher_conf {
|
|
# (Re)create ``watcher.conf``
|
|
rm -f $WATCHER_CONF
|
|
|
|
iniset $WATCHER_CONF DEFAULT debug "$ENABLE_DEBUG_LOG_LEVEL"
|
|
iniset $WATCHER_CONF DEFAULT control_exchange watcher
|
|
|
|
iniset $WATCHER_CONF database connection $(database_connection_url watcher)
|
|
iniset $WATCHER_CONF api host "$WATCHER_SERVICE_HOST"
|
|
iniset $WATCHER_CONF api port "$WATCHER_SERVICE_PORT"
|
|
|
|
iniset $WATCHER_CONF oslo_policy policy_file $WATCHER_POLICY_YAML
|
|
|
|
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_userid $RABBIT_USERID
|
|
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_password $RABBIT_PASSWORD
|
|
iniset $WATCHER_CONF oslo_messaging_rabbit rabbit_host $RABBIT_HOST
|
|
|
|
iniset $WATCHER_CONF oslo_messaging_notifications driver "messagingv2"
|
|
|
|
iniset $NOVA_CONF oslo_messaging_notifications topics "notifications,watcher_notifications"
|
|
iniset $NOVA_CONF notifications notify_on_state_change "vm_and_task_state"
|
|
|
|
configure_auth_token_middleware $WATCHER_CONF watcher $WATCHER_AUTH_CACHE_DIR
|
|
configure_auth_token_middleware $WATCHER_CONF watcher $WATCHER_AUTH_CACHE_DIR "watcher_clients_auth"
|
|
|
|
if is_fedora || is_suse; then
|
|
# watcher defaults to /usr/local/bin, but fedora and suse pip like to
|
|
# install things in /usr/bin
|
|
iniset $WATCHER_CONF DEFAULT bindir "/usr/bin"
|
|
fi
|
|
|
|
if [ -n "$WATCHER_STATE_PATH" ]; then
|
|
iniset $WATCHER_CONF DEFAULT state_path "$WATCHER_STATE_PATH"
|
|
iniset $WATCHER_CONF oslo_concurrency lock_path "$WATCHER_STATE_PATH"
|
|
fi
|
|
|
|
if [ "$SYSLOG" != "False" ]; then
|
|
iniset $WATCHER_CONF DEFAULT use_syslog "True"
|
|
fi
|
|
|
|
# Format logging
|
|
if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ]; then
|
|
setup_colorized_logging $WATCHER_CONF DEFAULT
|
|
else
|
|
# Show user_name and project_name instead of user_id and project_id
|
|
iniset $WATCHER_CONF DEFAULT logging_context_format_string "%(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s %(project_domain)s %(user_name)s %(project_name)s] %(instance)s%(message)s"
|
|
fi
|
|
|
|
#config apache files
|
|
if [[ "$WATCHER_USE_MOD_WSGI" == "True" ]]; then
|
|
_config_watcher_apache_wsgi
|
|
fi
|
|
# Register SSL certificates if provided
|
|
if is_ssl_enabled_service watcher; then
|
|
ensure_certificates WATCHER
|
|
|
|
iniset $WATCHER_CONF DEFAULT ssl_cert_file "$WATCHER_SSL_CERT"
|
|
iniset $WATCHER_CONF DEFAULT ssl_key_file "$WATCHER_SSL_KEY"
|
|
|
|
iniset $WATCHER_CONF DEFAULT enabled_ssl_apis "$WATCHER_ENABLED_APIS"
|
|
fi
|
|
|
|
if is_service_enabled ceilometer; then
|
|
iniset $WATCHER_CONF watcher_messaging notifier_driver "messaging"
|
|
fi
|
|
}
|
|
|
|
# create_watcher_cache_dir() - Part of the init_watcher() process
|
|
function create_watcher_cache_dir {
|
|
# Create cache dir
|
|
sudo install -d -o $STACK_USER $WATCHER_AUTH_CACHE_DIR
|
|
rm -rf $WATCHER_AUTH_CACHE_DIR/*
|
|
}
|
|
|
|
# init_watcher() - Initialize databases, etc.
|
|
function init_watcher {
|
|
# clean up from previous (possibly aborted) runs
|
|
# create required data files
|
|
if is_service_enabled $DATABASE_BACKENDS && is_service_enabled watcher-api; then
|
|
# (Re)create watcher database
|
|
recreate_database watcher
|
|
|
|
# Create watcher schema
|
|
$WATCHER_BIN_DIR/watcher-db-manage --config-file $WATCHER_CONF upgrade
|
|
fi
|
|
create_watcher_cache_dir
|
|
}
|
|
|
|
# install_watcherclient() - Collect source and prepare
|
|
function install_watcherclient {
|
|
if use_library_from_git "python-watcherclient"; then
|
|
git_clone_by_name "python-watcherclient"
|
|
setup_dev_lib "python-watcherclient"
|
|
fi
|
|
}
|
|
|
|
# install_watcher() - Collect source and prepare
|
|
function install_watcher {
|
|
git_clone $WATCHER_REPO $WATCHER_DIR $WATCHER_BRANCH
|
|
setup_develop $WATCHER_DIR
|
|
if [[ "$WATCHER_USE_MOD_WSGI" == "True" ]]; then
|
|
install_apache_wsgi
|
|
fi
|
|
}
|
|
|
|
# start_watcher_api() - Start the API process ahead of other things
|
|
function start_watcher_api {
|
|
# Get right service port for testing
|
|
|
|
local service_port=$WATCHER_SERVICE_PORT
|
|
local service_protocol=$WATCHER_SERVICE_PROTOCOL
|
|
if is_service_enabled tls-proxy; then
|
|
service_port=$WATCHER_SERVICE_PORT_INT
|
|
service_protocol="http"
|
|
fi
|
|
if [[ "$WATCHER_USE_MOD_WSGI" == "True" ]]; then
|
|
restart_apache_server
|
|
else
|
|
run_process watcher-api "$WATCHER_BIN_DIR/watcher-api --config-file $WATCHER_CONF"
|
|
fi
|
|
echo "Waiting for watcher-api to start..."
|
|
if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$WATCHER_SERVICE_HOST:$service_port; then
|
|
die $LINENO "watcher-api did not start"
|
|
fi
|
|
|
|
# Start proxies if enabled
|
|
if is_service_enabled tls-proxy; then
|
|
start_tls_proxy '*' $WATCHER_SERVICE_PORT $WATCHER_SERVICE_HOST $WATCHER_SERVICE_PORT_INT &
|
|
start_tls_proxy '*' $EC2_SERVICE_PORT $WATCHER_SERVICE_HOST $WATCHER_SERVICE_PORT_INT &
|
|
fi
|
|
}
|
|
|
|
# start_watcher() - Start running processes, including screen
|
|
function start_watcher {
|
|
# ``run_process`` checks ``is_service_enabled``, it is not needed here
|
|
start_watcher_api
|
|
run_process watcher-decision-engine "$WATCHER_BIN_DIR/watcher-decision-engine --config-file $WATCHER_CONF"
|
|
run_process watcher-applier "$WATCHER_BIN_DIR/watcher-applier --config-file $WATCHER_CONF"
|
|
}
|
|
|
|
# stop_watcher() - Stop running processes (non-screen)
|
|
function stop_watcher {
|
|
if [[ "$WATCHER_USE_MOD_WSGI" == "True" ]]; then
|
|
disable_apache_site watcher-api
|
|
else
|
|
stop_process watcher-api
|
|
fi
|
|
for serv in watcher-decision-engine watcher-applier; do
|
|
stop_process $serv
|
|
done
|
|
}
|
|
|
|
# Restore xtrace
|
|
$_XTRACE_WATCHER
|
|
|
|
# Tell emacs to use shell-script-mode
|
|
## Local variables:
|
|
## mode: shell-script
|
|
## End:
|