author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2017-12-15 10:06:23 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-15 10:06:23 -0800 |
commit | 5687f61b1984edc13e9a6427d9185747e7a540d4 (patch) | |
tree | caf1e6fe761e28c79f976dfd102b868f51c4e46a /nixos/modules | |
parent | 101b4ec5463f64e231dc251ac486562e5a7a952e (diff) | |
parent | 1c870ef3585489670c535eb31d762b19b6bc7ce7 (diff) | |
Merge pull request #32637 from makefu/pkgs/openstack/nuke
nuke openstack (again)
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/misc/ids.nix | 8 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/nova.nix | 174 | ||||
-rw-r--r-- | nixos/modules/virtualisation/openstack/common.nix | 84 | ||||
-rw-r--r-- | nixos/modules/virtualisation/openstack/glance.nix | 245 | ||||
-rw-r--r-- | nixos/modules/virtualisation/openstack/keystone.nix | 220 |
6 files changed, 4 insertions, 729 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index c10b5a0ec932..678593a2d8b4 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -281,8 +281,8 @@
 stanchion = 262;
 riak-cs = 263;
 infinoted = 264;
- keystone = 265;
- glance = 266;
+ # keystone = 265; # unused, removed 2017-12-13
+ # glance = 266; # unused, removed 2017-12-13
 couchpotato = 267;
 gogs = 268;
 pdns-recursor = 269;
@@ -551,8 +551,8 @@
 stanchion = 262;
 riak-cs = 263;
 infinoted = 264;
- keystone = 265;
- glance = 266;
+ # keystone = 265; # unused, removed 2017-12-13
+ # glance = 266; # unused, removed 2017-12-13
 couchpotato = 267;
 gogs = 268;
 kresd = 270;
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b03d9aa2fcb7..8063df4334e2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -749,6 +749,4 @@
 ./virtualisation/vmware-guest.nix
 ./virtualisation/xen-dom0.nix
 ./virtualisation/xe-guest-utilities.nix
- ./virtualisation/openstack/keystone.nix
- ./virtualisation/openstack/glance.nix
 ]
diff --git a/nixos/modules/virtualisation/nova.nix b/nixos/modules/virtualisation/nova.nix
deleted file mode 100644
index c2837d0e2e24..000000000000
--- a/nixos/modules/virtualisation/nova.nix
+++ /dev/null
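Review bot: The new comment lines `# keystone = 265; # unused, removed 2017-12-13` and `# glance = 266; # unused, removed 2017-12-13` in the `@@ -281,8 +281,8 @@` hunk keep the numbers visible but do not state that they must stay reserved. The modules deleted in this same commit create state owned by these accounts (the glance unit runs `chown glance:glance` on `/var/lib/glance/...`, the keystone unit does `chown keystone:keystone` on its config under `/var/lib/keystone`), so a system upgraded from an older generation may still hold files owned by uid/gid 265 and 266, and assigning those numbers to a new service later would hand it ownership of that leftover data. I would make the reservation explicit, e.g. `# keystone = 265; # unused, removed 2017-12-13; do not reuse, old systems may still have files owned by this id`. The same applies to the gid entries in the `@@ -551,8 +551,8 @@` hunk.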
@@ -1,174 +0,0 @@ -# Module for Nova, a.k.a. OpenStack Compute. - -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.virtualisation.nova; - - nova = pkgs.nova; - - novaConf = pkgs.writeText "nova.conf" - '' - --nodaemon - --verbose - ${cfg.extraConfig} - ''; - -in - -{ - - ###### interface - - options = { - - virtualisation.nova.enableSingleNode = - mkOption { - default = false; - description = - '' - This option enables Nova, also known as OpenStack Compute, - a cloud computing system, as a single-machine - installation. That is, all of Nova's components are - enabled on this machine, using SQLite as Nova's database. - This is useful for evaluating and experimenting with Nova. - However, for a real cloud computing environment, you'll - want to enable some of Nova's services on other machines, - and use a database such as MySQL. - ''; - }; - - virtualisation.nova.extraConfig = - mkOption { - default = ""; - description = - '' - Additional text appended to <filename>nova.conf</filename>, - the main Nova configuration file. - ''; - }; - - }; - - - ###### implementation - - config = mkIf cfg.enableSingleNode { - - environment.systemPackages = [ nova pkgs.euca2ools pkgs.novaclient ]; - - environment.etc = - [ { source = novaConf; - target = "nova/nova.conf"; - } - ]; - - # Nova requires libvirtd and RabbitMQ. - virtualisation.libvirtd.enable = true; - services.rabbitmq.enable = true; - - # `qemu-nbd' required the `nbd' kernel module. - boot.kernelModules = [ "nbd" ]; - - system.activationScripts.nova = - '' - mkdir -m 755 -p /var/lib/nova - mkdir -m 755 -p /var/lib/nova/networks - mkdir -m 700 -p /var/lib/nova/instances - mkdir -m 700 -p /var/lib/nova/keys - - # Allow the CA certificate generation script (called by - # nova-api) to work. - mkdir -m 700 -p /var/lib/nova/CA /var/lib/nova/CA/private - - # Initialise the SQLite database. 
- ${nova}/bin/nova-manage db sync - ''; - - # `nova-api' receives and executes external client requests from - # tools such as euca2ools. It listens on port 8773 (XML) and 8774 - # (JSON). - jobs.nova_api = - { name = "nova-api"; - - description = "Nova API service"; - - startOn = "ip-up"; - - # `openssl' is required to generate the CA. `openssh' is - # required to generate key pairs. - path = [ pkgs.openssl config.programs.ssh.package pkgs.bash ]; - - respawn = false; - - exec = "${nova}/bin/nova-api --flagfile=${novaConf} --api_paste_config=${nova}/etc/nova/api-paste.ini"; - }; - - # `nova-objectstore' is a simple image server. Useful if you're - # not running the OpenStack Imaging Service (Swift). It serves - # images placed in /var/lib/nova/images/. - jobs.nova_objectstore = - { name = "nova-objectstore"; - - description = "Nova Simple Object Store Service"; - - startOn = "ip-up"; - - preStart = - '' - mkdir -m 700 -p /var/lib/nova/images - ''; - - exec = "${nova}/bin/nova-objectstore --flagfile=${novaConf}"; - }; - - # `nova-scheduler' schedules VM execution requests. - jobs.nova_scheduler = - { name = "nova-scheduler"; - - description = "Nova Scheduler Service"; - - startOn = "ip-up"; - - exec = "${nova}/bin/nova-scheduler --flagfile=${novaConf}"; - }; - - # `nova-compute' starts and manages virtual machines. - jobs.nova_compute = - { name = "nova-compute"; - - description = "Nova Compute Service"; - - startOn = "ip-up"; - - path = - [ pkgs.sudo pkgs.vlan pkgs.nettools pkgs.iptables pkgs.qemu_kvm - pkgs.e2fsprogs pkgs.utillinux pkgs.multipath-tools pkgs.iproute - pkgs.bridge-utils - ]; - - exec = "${nova}/bin/nova-compute --flagfile=${novaConf}"; - }; - - # `nova-network' manages networks and allocates IP addresses. 
- jobs.nova_network = - { name = "nova-network"; - - description = "Nova Network Service"; - - startOn = "ip-up"; - - path = - [ pkgs.sudo pkgs.vlan pkgs.dnsmasq pkgs.nettools pkgs.iptables - pkgs.iproute pkgs.bridge-utils pkgs.radvd - ]; - - exec = "${nova}/bin/nova-network --flagfile=${novaConf}"; - }; - - }; - -} diff --git a/nixos/modules/virtualisation/openstack/common.nix b/nixos/modules/virtualisation/openstack/common.nix deleted file mode 100644 index 2feb0a873951..000000000000 --- a/nixos/modules/virtualisation/openstack/common.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ lib }: - -with lib; - -rec { - # A shell script string helper to get the value of a secret at - # runtime. - getSecret = secretOption: - if secretOption.storage == "fromFile" - then ''$(cat ${secretOption.value})'' - else ''${secretOption.value}''; - - - # A shell script string help to replace at runtime in a file the - # pattern of a secret by its value. - replaceSecret = secretOption: filename: '' - sed -i "s/${secretOption.pattern}/${getSecret secretOption}/g" $(unknown) - ''; - - # This generates an option that can be used to declare secrets which - # can be stored in the nix store, or not. A pattern is written in - # the nix store to represent the secret. The pattern can - # then be overwritten with the value of the secret at runtime. - mkSecretOption = {name, description ? ""}: - mkOption { - description = description; - type = types.submodule ({ - options = { - pattern = mkOption { - type = types.str; - default = "##${name}##"; - description = "The pattern that represent the secret."; - }; - storage = mkOption { - type = types.enum [ "fromNixStore" "fromFile" ]; - description = '' - Choose the way the password is provisionned. If - fromNixStore is used, the value is the password and it is - written in the nix store. If fromFile is used, the value - is a path from where the password will be read at - runtime. This is generally used with <link - xlink:href="https://nixos.org/nixops/manual/#opt-deployment.keys"> - deployment keys</link> of Nixops. - '';}; - value = mkOption { - type = types.str; - description = '' - If the storage is fromNixStore, the value is the password itself, - otherwise it is a path to the file that contains the password. - ''; - }; - };}); - }; - - databaseOption = name: { - host = mkOption { - type = types.str; - default = "localhost"; - description = '' - Host of the database. - ''; - }; - - name = mkOption { - type = types.str; - default = name; - description = '' - Name of the existing database. 
- ''; - }; - - user = mkOption { - type = types.str; - default = name; - description = '' - The database user. The user must exist and has access to - the specified database. - ''; - }; - password = mkSecretOption { - name = name + "MysqlPassword"; - description = "The database user's password";}; - }; -} diff --git a/nixos/modules/virtualisation/openstack/glance.nix b/nixos/modules/virtualisation/openstack/glance.nix deleted file mode 100644 index 7862409a65ec..000000000000 --- a/nixos/modules/virtualisation/openstack/glance.nix +++ /dev/null 
@@ -1,245 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; with import ./common.nix {inherit lib;}; - -let - cfg = config.virtualisation.openstack.glance; - commonConf = '' - [database] - connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}" - notification_driver = noop - - [keystone_authtoken] - auth_url = ${cfg.authUrl} - auth_plugin = password - project_name = service - project_domain_id = default - user_domain_id = default - username = ${cfg.serviceUsername} - password = ${cfg.servicePassword.pattern} - - [glance_store] - default_store = file - filesystem_store_datadir = /var/lib/glance/images/ - ''; - glanceApiConfTpl = pkgs.writeText "glance-api.conf" '' - ${commonConf} - - [paste_deploy] - flavor = keystone - config_file = ${cfg.package}/etc/glance-api-paste.ini - ''; - glanceRegistryConfTpl = pkgs.writeText "glance-registry.conf" '' - ${commonConf} - - [paste_deploy] - config_file = ${cfg.package}/etc/glance-registry-paste.ini - ''; - glanceApiConf = "/var/lib/glance/glance-api.conf"; - glanceRegistryConf = "/var/lib/glance/glance-registry.conf"; - -in { - options.virtualisation.openstack.glance = { - package = mkOption { - type = types.package; - default = pkgs.glance; - defaultText = "pkgs.glance"; - description = '' - Glance package to use. - ''; - }; - - enable = mkOption { - default = false; - type = types.bool; - description = '' - This option enables Glance as a single-machine - installation. That is, all of Glance's components are - enabled on this machine. This is useful for evaluating and - experimenting with Glance. Note we are currently not - providing any configurations for a multi-node setup. - ''; - }; - - authUrl = mkOption { - type = types.str; - default = http://localhost:5000; - description = '' - Complete public Identity (Keystone) API endpoint. Note this is - unversionned. 
- ''; - }; - - serviceUsername = mkOption { - type = types.str; - default = "glance"; - description = '' - The Glance service username. This user is created if bootstrap - is enable, otherwise it has to be manually created before - starting this service. - ''; - }; - - servicePassword = mkSecretOption { - name = "glanceAdminPassword"; - description = '' - The Glance service user's password. - ''; - }; - - database = databaseOption "glance"; - - bootstrap = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Bootstrap the Glance service by creating the service tenant, - an admin account and a public endpoint. This option provides - a ready-to-use glance service. This is only done at the - first Glance execution by the systemd post start section. - The keystone admin account is used to create required - Keystone resource for the Glance service. - - <note><para> This option is a helper for setting up - development or testing environments.</para></note> - ''; - }; - - endpointPublic = mkOption { - type = types.str; - default = "http://localhost:9292"; - description = '' - The public image endpoint. The link <link - xlink:href="http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html"> - create endpoint</link> provides more informations - about that. - ''; - }; - - keystoneAdminUsername = mkOption { - type = types.str; - default = "admin"; - description = '' - The keystone admin user name used to create the Glance account. - ''; - }; - - keystoneAdminPassword = mkSecretOption { - name = "keystoneAdminPassword"; - description = '' - The keystone admin user's password. - ''; - }; - - keystoneAdminTenant = mkOption { - type = types.str; - default = "admin"; - description = '' - The keystone admin tenant used to create the Glance account. - ''; - }; - keystoneAuthUrl = mkOption { - type = types.str; - default = "http://localhost:5000/v2.0"; - description = '' - The keystone auth url used to create the Glance account. 
- ''; - }; - }; - }; - - config = mkIf cfg.enable { - users.extraUsers = [{ - name = "glance"; - group = "glance"; - uid = config.ids.gids.glance; - - }]; - users.extraGroups = [{ - name = "glance"; - gid = config.ids.gids.glance; - }]; - - systemd.services.glance-registry = { - description = "OpenStack Glance Registry Daemon"; - after = [ "network.target"]; - path = [ pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 775 -p /var/lib/glance/{images,scrubber,image_cache} - chown glance:glance /var/lib/glance/{images,scrubber,image_cache} - - # Secret file managment - cp ${glanceRegistryConfTpl} ${glanceRegistryConf}; - chown glance:glance ${glanceRegistryConf}; - chmod 640 ${glanceRegistryConf} - ${replaceSecret cfg.database.password glanceRegistryConf} - ${replaceSecret cfg.servicePassword glanceRegistryConf} - - cp ${glanceApiConfTpl} ${glanceApiConf}; - chown glance:glance ${glanceApiConf}; - chmod 640 ${glanceApiConf} - ${replaceSecret cfg.database.password glanceApiConf} - ${replaceSecret cfg.servicePassword glanceApiConf} - - # Initialise the database - ${cfg.package}/bin/glance-manage --config-file=${glanceApiConf} --config-file=${glanceRegistryConf} db_sync - ''; - postStart = '' - set -eu - export OS_AUTH_URL=${cfg.bootstrap.keystoneAuthUrl} - export OS_USERNAME=${cfg.bootstrap.keystoneAdminUsername} - export OS_PASSWORD=${getSecret cfg.bootstrap.keystoneAdminPassword} - export OS_TENANT_NAME=${cfg.bootstrap.keystoneAdminTenant} - - # Wait until the keystone is available for use - count=0 - while ! keystone user-get ${cfg.bootstrap.keystoneAdminUsername} > /dev/null - do - if [ $count -eq 30 ] - then - echo "Tried 30 times, giving up..." - exit 1 - fi - - echo "Keystone not yet started. Waiting for 1 second..." - count=$((count++)) - sleep 1 - done - - # If the service glance doesn't exist, we consider glance is - # not initialized - if ! 
keystone service-get glance - then - keystone service-create --type image --name glance - ID=$(keystone service-get glance | awk '/ id / { print $4 }') - keystone endpoint-create --region RegionOne --service $ID --internalurl http://localhost:9292 --adminurl http://localhost:9292 --publicurl ${cfg.bootstrap.endpointPublic} - - keystone user-create --name ${cfg.serviceUsername} --tenant service --pass ${getSecret cfg.servicePassword} - keystone user-role-add --tenant service --user ${cfg.serviceUsername} --role admin - fi - ''; - serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root - TimeoutStartSec = "600"; # 10min for initial db migrations - User = "glance"; - Group = "glance"; - ExecStart = "${cfg.package}/bin/glance-registry --config-file=${glanceRegistryConf}"; - }; - }; - systemd.services.glance-api = { - description = "OpenStack Glance API Daemon"; - after = [ "glance-registry.service" "network.target"]; - requires = [ "glance-registry.service" "network.target"]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root - User = "glance"; - Group = "glance"; - ExecStart = "${cfg.package}/bin/glance-api --config-file=${glanceApiConf}"; - }; - }; - }; - -} diff --git a/nixos/modules/virtualisation/openstack/keystone.nix b/nixos/modules/virtualisation/openstack/keystone.nix deleted file mode 100644 index e32c5a4cae1b..000000000000 --- a/nixos/modules/virtualisation/openstack/keystone.nix +++ /dev/null 
@@ -1,220 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; with import ./common.nix {inherit lib;}; - -let - cfg = config.virtualisation.openstack.keystone; - keystoneConfTpl = pkgs.writeText "keystone.conf" '' - [DEFAULT] - admin_token = ${cfg.adminToken.pattern} - policy_file=${cfg.package}/etc/policy.json - - [database] - - connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}" - - [paste_deploy] - config_file = ${cfg.package}/etc/keystone-paste.ini - - ${cfg.extraConfig} - ''; - keystoneConf = "/var/lib/keystone/keystone.conf"; - -in { - options.virtualisation.openstack.keystone = { - package = mkOption { - type = types.package; - example = literalExample "pkgs.keystone"; - description = '' - Keystone package to use. - ''; - }; - - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enable Keystone, the OpenStack Identity Service - ''; - }; - - extraConfig = mkOption { - default = ""; - type = types.lines; - description = '' - Additional text appended to <filename>keystone.conf</filename>, - the main Keystone configuration file. - ''; - }; - - adminToken = mkSecretOption { - name = "adminToken"; - description = '' - This is the admin token used to boostrap keystone, - ie. to provision first resources. - ''; - }; - - bootstrap = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Bootstrap the Keystone service by creating the service - tenant, an admin account and a public endpoint. This options - provides a ready-to-use admin account. This is only done at - the first Keystone execution by the systemd post start. - - Note this option is a helper for setting up development or - testing environments. - ''; - }; - - endpointPublic = mkOption { - type = types.str; - default = "http://localhost:5000/v2.0"; - description = '' - The public identity endpoint. 
The link <link - xlink:href="http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html"> - create keystone endpoint</link> provides more informations - about that. - ''; - }; - - adminUsername = mkOption { - type = types.str; - default = "admin"; - description = '' - A keystone admin username. - ''; - }; - - adminPassword = mkSecretOption { - name = "keystoneAdminPassword"; - description = '' - The keystone admin user's password. - ''; - }; - - adminTenant = mkOption { - type = types.str; - default = "admin"; - description = '' - A keystone admin tenant name. - ''; - }; - }; - - database = { - host = mkOption { - type = types.str; - default = "localhost"; - description = '' - Host of the database. - ''; - }; - - name = mkOption { - type = types.str; - default = "keystone"; - description = '' - Name of the existing database. - ''; - }; - - user = mkOption { - type = types.str; - default = "keystone"; - description = '' - The database user. The user must exist and has access to - the specified database. - ''; - }; - password = mkSecretOption { - name = "mysqlPassword"; - description = "The database user's password";}; - }; - }; - - config = mkIf cfg.enable { - # Note: when changing the default, make it conditional on - # ‘system.stateVersion’ to maintain compatibility with existing - # systems! 
- virtualisation.openstack.keystone.package = mkDefault pkgs.keystone; - - users.extraUsers = [{ - name = "keystone"; - group = "keystone"; - uid = config.ids.uids.keystone; - }]; - users.extraGroups = [{ - name = "keystone"; - gid = config.ids.gids.keystone; - }]; - - systemd.services.keystone-all = { - description = "OpenStack Keystone Daemon"; - after = [ "network.target"]; - path = [ cfg.package pkgs.mysql pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -m 755 -p /var/lib/keystone - - cp ${keystoneConfTpl} ${keystoneConf}; - chown keystone:keystone ${keystoneConf}; - chmod 640 ${keystoneConf} - - ${replaceSecret cfg.database.password keystoneConf} - ${replaceSecret cfg.adminToken keystoneConf} - - # Initialise the database - ${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} db_sync - # Set up the keystone's PKI infrastructure - ${cfg.package}/bin/keystone-manage --config-file=${keystoneConf} pki_setup --keystone-user keystone --keystone-group keystone - ''; - postStart = optionalString cfg.bootstrap.enable '' - set -eu - # Wait until the keystone is available for use - count=0 - while ! curl --fail -s http://localhost:35357/v2.0 > /dev/null - do - if [ $count -eq 30 ] - then - echo "Tried 30 times, giving up..." - exit 1 - fi - - echo "Keystone not yet started. Waiting for 1 second..." - count=$((count++)) - sleep 1 - done - - # We use the service token to create a first admin user - export OS_SERVICE_ENDPOINT=http://localhost:35357/v2.0 - export OS_SERVICE_TOKEN=${getSecret cfg.adminToken} - - # If the tenant service doesn't exist, we consider - # keystone is not initialized - if ! 
keystone tenant-get service - then - keystone tenant-create --name service - keystone tenant-create --name ${cfg.bootstrap.adminTenant} - keystone user-create --name ${cfg.bootstrap.adminUsername} --tenant ${cfg.bootstrap.adminTenant} --pass ${getSecret cfg.bootstrap.adminPassword} - keystone role-create --name admin - keystone role-create --name Member - keystone user-role-add --tenant ${cfg.bootstrap.adminTenant} --user ${cfg.bootstrap.adminUsername} --role admin - keystone service-create --type identity --name keystone - ID=$(keystone service-get keystone | awk '/ id / { print $4 }') - keystone endpoint-create --region RegionOne --service $ID --publicurl ${cfg.bootstrap.endpointPublic} --adminurl http://localhost:35357/v2.0 --internalurl http://localhost:5000/v2.0 - fi - ''; - serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root - TimeoutStartSec = "600"; # 10min for initial db migrations - User = "keystone"; - Group = "keystone"; - ExecStart = "${cfg.package}/bin/keystone-all --config-file=${keystoneConf}"; - }; - }; - }; -} |