
Option to install FreeIPA
Option to setup FreeIPA server and join hosts into IPA. If also SSL for
AMQP or Horizon is enabled it gets all certificates from freeipa.

Currently an experimental and unsupported option. Joining the FreeIPA domain
requires changing the resolver on the hosts, and mod_ssl collides with mod_nss
when the FreeIPA server runs on the Controller node, which makes an allinone
setup difficult.

Requires: redhat-openstack/openstack-puppet-modules#244
Change-Id: I84e0dee07bf3a4066350a66aebb45678a9a316ba
Closes-Bug: rhbz#903645
xbezdick committed Feb 8, 2015
1 parent 69a00b8 commit 25755ad
Showing 29 changed files with 955 additions and 129 deletions.
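--- a/packstack/installer/output_messages.py
+++ b/packstack/installer/output_messages.py
@@ -67,6 +67,17 @@
 WARN_NM_ENABLED = ("Warning: NetworkManager is active on %s. OpenStack "
 "networking currently does not work on systems that have "
 "the Network Manager service enabled.")
+WARN_IPA_INSTALLED = ("Warning: In order to join domain IPA hosts have their "
+"DNS resolver set to CONFIG_IPA_HOST!")
+WARN_IPA_CONTROLLER_SWIFT = ("Warning: FreeIPA was set up on controller node! "
+"We had to switch swift_proxy port to 8081 and this "
+"port isn't labeled properly so unless you set SElinux to "
+"permissive mode, swift proxy won't work.")
+WARN_IPA_CONTROLLER_HORIZON = ("Warning: FreeIPA was set up on controller node! "
+"We couldn't set dashboard configuration from puppet-horizon. "
+"Any Horizon SSL configuration will be ignored, dashboard will"
+"be accessible from http and https with certificates "
+"provided by ipa mod_nss configuration.")
 
 ERR_PING = "Error: the provided hostname is unreachable"
 ERR_SSH = "Error: could not connect to the ssh server: %s"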
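Review bot: `WARN_IPA_CONTROLLER_HORIZON` renders as "dashboard willbe accessible" because the literal ending `dashboard will"` has no trailing space before the next literal `"be accessible`; change it to `"Any Horizon SSL configuration will be ignored, dashboard will "`. `WARN_IPA_CONTROLLER_SWIFT` also advises the operator to put SELinux into permissive mode, which disables enforcement for the whole host to work around one unlabeled port; the message should instead point at labeling port 8081 for the swift proxy with `semanage port` so enforcing mode stays on. The second sentence of the Horizon warning (reachable over both http and https) is worth keeping explicit, since it tells the operator that the SSL-only expectation does not hold in this mode.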
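--- a/packstack/modules/ospluginutils.py
+++ b/packstack/modules/ospluginutils.py
@@ -106,6 +106,60 @@ def createFirewallResources(hiera_key, default_value='{}'):
 return "create_resources(packstack::firewall, %s)\n\n" % hiera_function
 
 
+def createIpaHostResources(hiera_key, default_value='{}'):
+hiera_function = "hiera('%s', %s)" % (hiera_key, default_value)
+return "create_resources(ipa::hostadd, %s)\n\n" % hiera_function
+
+
+def createIpaClientResources(hiera_key, default_value='{}'):
+hiera_function = "hiera('%s', %s)" % (hiera_key, default_value)
+return "create_resources(packstack::ipa_client, %s)\n\n" % hiera_function
+
+
+def createIpaServiceResources(hiera_key, default_value='{}'):
+hiera_function = "hiera('%s', %s)" % (hiera_key, default_value)
+return "create_resources(ipa::serviceadd, %s)\n\n" % hiera_function
+
+
+def createIpaCertmongerResources(hiera_key, default_value='{}'):
+hiera_function = "hiera('%s', %s)" % (hiera_key, default_value)
+return ("create_resources(certmonger::request_ipa_cert, %s)\n\n"
+% hiera_function)
+
+
+def generateIpaServiceManifests(config, ipa_host, ipa_service, ssl_key_file,
+ssl_cert_file):
+ipa_hosts = config['IPA_HOSTS_DICT']
+ipa_hostname = ipa_hosts.get(ipa_host)
+ipa_server_service = dict()
+key = "freeipa_service_%s_%s" % (ipa_host, ipa_service)
+config_name = "FREEIPA_SERVICE_%s_%s" % (ipa_host, ipa_service)
+ipa_server_service.setdefault(key, {})
+ipa_server_service[key]['name'] = ("%s/%s.packstack@PACKSTACK"
+% (ipa_service, ipa_hostname))
+config[config_name] = ipa_server_service
+manifestfile = "%s_ipa.pp" % config['CONFIG_IPA_HOST']
+manifestdata = createIpaServiceResources(config_name)
+appendManifestFile(manifestfile, manifestdata)
+
+ipa_client_cert = dict()
+key = "freeipa_cert_%s_%s" % (ipa_host, ipa_service)
+config_name = "FREEIPA_CERTIFICATE_%s_%s" % (ipa_host, ipa_service)
+ipa_client_cert.setdefault(key, {})
+ipa_client_cert[key]['name'] = ("openssl-%s/%s.packstack@PACKSTACK"
+% (ipa_service, ipa_hostname))
+ipa_client_cert[key]['seclib'] = 'openssl'
+ipa_client_cert[key]['principal'] = ("%s/%s.packstack@PACKSTACK"
+% (ipa_service, ipa_hostname))
+ipa_client_cert[key]['key'] = ssl_key_file
+ipa_client_cert[key]['cert'] = ssl_cert_file
+ipa_client_cert[key]['hostname'] = "%s.packstack" % ipa_hostname
+config[config_name] = ipa_client_cert
+manifestfile = "%s_ipa_crts.pp" % ipa_host
+manifestdata = createIpaCertmongerResources(config_name)
+appendManifestFile(manifestfile, manifestdata, 'ipa-crts')
+
+
 def gethostlist(CONF):
 hosts = []
 for key, value in CONF.items():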
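Review bot: `generateIpaServiceManifests` reads `ipa_hostname = ipa_hosts.get(ipa_host)` and interpolates the result unchecked, so a host that is not in `IPA_HOSTS_DICT` silently produces the principal `<service>/None.packstack@PACKSTACK` and a certmonger request for hostname `None.packstack`, and both manifests are still written; index the dict directly or fail early, e.g. `ipa_hostname = ipa_hosts[ipa_host]` inside a `try`/`except KeyError` that raises `RuntimeError("host %s is not enrolled in IPA" % ipa_host)`. The function also has no docstring; a short one should say that it mutates `config` by adding `FREEIPA_SERVICE_*` and `FREEIPA_CERTIFICATE_*` keys and appends to two manifests, `<CONFIG_IPA_HOST>_ipa.pp` for the service principal and `<ipa_host>_ipa_crts.pp` for the certificate request. The realm `PACKSTACK` and the domain suffix `.packstack` are repeated in four literals here; one module-level constant would keep the Kerberos principal and the certificate `hostname` field from drifting apart when either is changed.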
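--- a/packstack/plugins/amqp_002.py
+++ b/packstack/plugins/amqp_003.py
@@ -24,6 +24,7 @@
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
+from packstack.modules.ospluginutils import generateIpaServiceManifests
 
 # ------------- AMQP Packstack Plugin Initialization --------------
 
@@ -156,6 +157,21 @@ def initConfig(controller):
 "NEED_CONFIRM": False,
 "CONDITION": False},
 
+{"CMD_OPTION": "amqp-ssl-cacert-file",
+"USAGE": ("The filename of the CAcertificate that the AMQP service "
+"is going to use for verification"),
+"PROMPT": ("Enter the filename of the SSL CAcertificate for the AMQP"
+" service"),
+"OPTION_LIST": [],
+"VALIDATORS": [validators.validate_not_empty],
+"DEFAULT_VALUE": "/etc/pki/tls/certs/amqp_selfcert.pem",
+"MASK_INPUT": False,
+"LOOSE_VALIDATION": True,
+"CONF_NAME": "CONFIG_AMQP_SSL_CACERT_FILE",
+"USE_DEFAULT": False,
+"NEED_CONFIRM": False,
+"CONDITION": False},
+
 {"CMD_OPTION": "amqp-ssl-key-file",
 "USAGE": ("The filename of the private key that the AMQP service "
 "is going to use"),
@@ -245,13 +261,22 @@ def create_manifest(config, messages):
 config['CONFIG_AMQP_PROTOCOL'] = 'ssl'
 config['CONFIG_AMQP_CLIENTS_PORT'] = "5671"
 if config['CONFIG_AMQP_SSL_SELF_SIGNED'] == 'y':
-server.append(
-"openssl req -batch -new -x509 -nodes -keyout %s "
-"-out %s -days 1095"
-% (config['CONFIG_AMQP_SSL_KEY_FILE'],
-config['CONFIG_AMQP_SSL_CERT_FILE'])
-)
-server.execute()
+if config['CONFIG_IPA_INSTALL'] != 'y':
+server.append(
+"openssl req -batch -new -x509 -nodes -keyout %s "
+"-out %s -days 1095"
+% (config['CONFIG_AMQP_SSL_KEY_FILE'],
+config['CONFIG_AMQP_SSL_CERT_FILE'])
+)
+server.execute()
+else:
+config['CONFIG_AMQP_SSL_CACERT_FILE'] = '/etc/ipa/ca.crt'
+ipa_host = config['CONFIG_AMQP_HOST']
+ipa_service = 'AMQP'
+ssl_key_file = config['CONFIG_AMQP_SSL_KEY_FILE']
+ssl_cert_file = config['CONFIG_AMQP_SSL_CERT_FILE']
+generateIpaServiceManifests(config, ipa_host, ipa_service,
+ssl_key_file, ssl_cert_file)
 else:
 # Set default values
 config['CONFIG_AMQP_CLIENTS_PORT'] = "5672"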
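Review bot: The IPA branch's `config['CONFIG_AMQP_SSL_CACERT_FILE'] = '/etc/ipa/ca.crt'` silently overwrites whatever the operator entered at the new `amqp-ssl-cacert-file` prompt, which is validated as non-empty and then discarded; either gate the prompt on `CONFIG_IPA_INSTALL != 'y'` or append a message so the operator knows that AMQP clients will trust the IPA CA rather than the file they named. The IPA path is also only reached when `CONFIG_AMQP_SSL_SELF_SIGNED == 'y'`, so an IPA-issued certificate is selected by answering "self-signed", which deserves a comment such as `# with IPA enabled the "self signed" answer means: let certmonger issue the cert`. create_manifest begins and ends outside this hunk.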
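--- a/packstack/plugins/ceilometer_800.py
+++ b/packstack/plugins/ceilometer_800.py
@@ -26,6 +26,7 @@
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
+from packstack.modules.ospluginutils import generateIpaServiceManifests
 
 # ------------- Ceilometer Packstack Plugin Initialization --------------
 
@@ -275,6 +276,16 @@ def create_manifest(config, messages):
 sentinel_fallbacks = ''
 config['CONFIG_REDIS_SENTINEL_FALLBACKS'] = sentinel_fallbacks
 
+if (config['CONFIG_IPA_INSTALL'] == 'y' and
+config['CONFIG_AMQP_ENABLE_SSL'] and
+config['CONFIG_AMQP_SSL_SELF_SIGNED'] == 'y'):
+ipa_host = config['CONFIG_CONTROLLER_HOST']
+ssl_key_file = '/etc/pki/tls/private/ssl_amqp_ceilometer.key'
+ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp_ceilometer.crt'
+ipa_service = 'ceilometer'
+generateIpaServiceManifests(config, ipa_host, ipa_service,
+ssl_key_file, ssl_cert_file)
+
 fw_details = dict()
 key = "ceilometer_api"
 fw_details.setdefault(key, {})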
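Review bot: The new condition tests `config['CONFIG_AMQP_ENABLE_SSL']` for truthiness while the two options around it are compared with `== 'y'`; if that option holds a 'y'/'n' string like its neighbours (the `_SELF_SIGNED` check on the next line suggests it does), then `'n'` is truthy and a certmonger request for ceilometer is generated even when AMQP SSL is disabled. Change the middle line to `config['CONFIG_AMQP_ENABLE_SSL'] == 'y' and`. The same condition is added in the cinder_250.py hunk of this commit and needs the same fix. create_manifest continues outside the hunk.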
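--- a/packstack/plugins/cinder_250.py
+++ b/packstack/plugins/cinder_250.py
@@ -30,6 +30,7 @@
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import createFirewallResources
 from packstack.modules.ospluginutils import getManifestTemplate
+from packstack.modules.ospluginutils import generateIpaServiceManifests
 
 # ------------------ Cinder Packstack Plugin initialization ------------------
 
@@ -729,6 +730,16 @@ def create_manifest(config, messages):
 if config['CONFIG_UNSUPPORTED'] != 'y':
 config['CONFIG_STORAGE_HOST'] = config['CONFIG_CONTROLLER_HOST']
 
+if (config['CONFIG_IPA_INSTALL'] == 'y' and
+config['CONFIG_AMQP_ENABLE_SSL'] and
+config['CONFIG_AMQP_SSL_SELF_SIGNED'] == 'y'):
+ipa_host = config['CONFIG_STORAGE_HOST']
+ssl_key_file = '/etc/pki/tls/private/ssl_amqp_cinder.key'
+ssl_cert_file = '/etc/pki/tls/certs/ssl_amqp_cinder.crt'
+ipa_service = 'cinder'
+generateIpaServiceManifests(config, ipa_host, ipa_service,
+ssl_key_file, ssl_cert_file)
+
 manifestdata = getManifestTemplate(get_mq(config, "cinder"))
 manifestfile = "%s_cinder.pp" % config['CONFIG_STORAGE_HOST']
 manifestdata += getManifestTemplate("cinder")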
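--- a/packstack/plugins/dashboard_500.py
+++ b/packstack/plugins/dashboard_500.py
@@ -25,6 +25,7 @@
 
 from packstack.modules.ospluginutils import appendManifestFile
 from packstack.modules.ospluginutils import getManifestTemplate
+from packstack.modules.ospluginutils import generateIpaServiceManifests
 
 # ------------- Horizon Packstack Plugin Initialization --------------
 
@@ -129,7 +130,6 @@ def initSequences(controller):
 def create_manifest(config, messages):
 config["CONFIG_HORIZON_SECRET_KEY"] = uuid.uuid4().hex
 horizon_host = config['CONFIG_CONTROLLER_HOST']
-manifestfile = "%s_horizon.pp" % horizon_host
 
 proto = "http"
 config["CONFIG_HORIZON_PORT"] = 80
@@ -141,6 +141,9 @@ def create_manifest(config, messages):
 
 # Are we using the users cert/key files
 if config["CONFIG_SSL_CERT"]:
+if config['CONFIG_IPA_HOST'] == config['CONFIG_CONTROLLER_HOST']:
+raise RuntimeError("FreeIPA on same host as controller won't "
+" work with user provided certificates.")
 ssl_cert = config["CONFIG_SSL_CERT"]
 ssl_key = config["CONFIG_SSL_KEY"]
 ssl_chain = config["CONFIG_SSL_CACHAIN"]
@@ -163,11 +166,20 @@ def create_manifest(config, messages):
 host_resources.append((ssl_key, 'ssl_ps_server.key'))
 host_resources.append((ssl_chain, 'ssl_ps_chain.crt'))
 else:
-messages.append(
-"%sNOTE%s : A certificate was generated to be used for ssl, "
-"You should change the ssl certificate configured in "
-"/etc/httpd/conf.d/ssl.conf on %s to use a CA signed cert."
-% (utils.COLORS['red'], utils.COLORS['nocolor'], horizon_host))
+if config['CONFIG_IPA_INSTALL'] == 'y':
+ipa_host = config['CONFIG_CONTROLLER_HOST']
+ssl_key_file = '/etc/pki/tls/private/ssl_ps_server.key'
+ssl_cert_file = '/etc/pki/tls/certs/ssl_ps_server.crt'
+ipa_service = 'HTTP'
+generateIpaServiceManifests(config, ipa_host, ipa_service,
+ssl_key_file, ssl_cert_file)
+else:
+messages.append(
+"%sNOTE%s : A certificate was generated to be used for "
+"ssl, You should change the ssl certificate configured "
+"in /etc/httpd/conf.d/ssl.conf on %s to use a CA signed "
+"cert." % (utils.COLORS['red'], utils.COLORS['nocolor'],
+horizon_host))
 else:
 config["CONFIG_HORIZON_SSL"] = False
 
@@ -180,6 +192,7 @@ def create_manifest(config, messages):
 if config["CONFIG_NEUTRON_FWAAS"] == 'y':
 config["CONFIG_HORIZON_NEUTRON_FW"] = True
 
+manifestfile = "%s_horizon.pp" % horizon_host
 manifestdata = getManifestTemplate("horizon")
 appendManifestFile(manifestfile, manifestdata)
 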
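Review bot: The new guard `if config['CONFIG_IPA_HOST'] == config['CONFIG_CONTROLLER_HOST']:` in the user-certificate branch never checks that FreeIPA is actually being installed, so if `CONFIG_IPA_HOST` defaults to the controller address the deployment aborts for operators who supplied their own certificate and never asked for IPA; every other plugin in this commit gates on `CONFIG_IPA_INSTALL == 'y'` and this check should too: `if (config['CONFIG_IPA_INSTALL'] == 'y' and config['CONFIG_IPA_HOST'] == config['CONFIG_CONTROLLER_HOST']):`. The error text concatenates `"... won't "` with `" work with ..."`, producing a double space; drop the leading space of the second literal. Unlike the self-signed branch, the IPA branch appends no message, so the operator is not told that Horizon's certificate now comes from the IPA CA and that its key lives at `/etc/pki/tls/private/ssl_ps_server.key`; a one-line `messages.append` there would match the existing style. create_manifest continues outside the hunk.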
