X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;f=docker%2FKeystone%2Fscripts%2Fstart.sh;h=d7fa2abd55d8bd21940f92a128953a25d03a34c8;hb=HEAD;hp=8dd61ad6ae0ef4ce50c071cca730f6b16e4cd568;hpb=890494eadaa03ca9b1cce692940c818cded5e548;p=osm%2Fdevops.git diff --git a/docker/Keystone/scripts/start.sh b/docker/Keystone/scripts/start.sh index 8dd61ad6..dde1b5ae 100755 --- a/docker/Keystone/scripts/start.sh +++ b/docker/Keystone/scripts/start.sh @@ -19,6 +19,7 @@ ## DB_EXISTS="" +USER_DB_EXISTS="" DB_NOT_EMPTY="" max_attempts=120 @@ -41,6 +42,24 @@ function wait_db(){ return 0 } +function wait_keystone_host(){ + attempt=0 + timeout=2 + echo "Wait until Keystone hostname can be resolved " + while ! nslookup $KEYSTONE_HOST; do + #wait 120 sec + if [ $attempt -ge $max_attempts ]; then + echo + echo "Can not resolve ${KEYSTONE_HOST} during $max_attempts sec" + return 1 + fi + attempt=$[$attempt+1] + echo -n "." + sleep 1 + done + return 0 +} + function is_db_created() { db_host=$1 db_port=$2 @@ -57,36 +76,150 @@ function is_db_created() { fi } +function is_user_db_created() { + db_host=$1 + db_port=$2 + db_user=$3 + db_pswd=$4 + db_user_to_check=$5 + + user_count=$(mysql -h"$db_host" -P"$db_port" -u"$db_user" -p"$db_pswd" --default_character_set utf8 -sse "SELECT COUNT(*) FROM mysql.user WHERE user='$db_user_to_check' AND host='%';") + + if [ $user_count -gt 0 ]; then + echo "DB User $db_name exists" + return 0 + else + echo "DB User $db_name does not exist" + return 1 + fi +} + wait_db "$DB_HOST" "$DB_PORT" || exit 1 is_db_created "$DB_HOST" "$DB_PORT" "$ROOT_DB_USER" "$ROOT_DB_PASSWORD" "keystone" && DB_EXISTS="Y" +is_user_db_created "$DB_HOST" "$DB_PORT" "$ROOT_DB_USER" "$ROOT_DB_PASSWORD" "keystone" && USER_DB_EXISTS="Y" if [ -z $DB_EXISTS ]; then mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "CREATE DATABASE keystone" - mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'" - mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'" else - if [ $(mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -sse "SELECT COUNT(*) FROM keystone;") -gt 0 ]; then + if [ $(mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -sse "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'keystone';") -gt 0 ]; then echo "DB keystone is empty" DB_NOT_EMPTY="y" fi fi +if [ -z $USER_DB_EXISTS ]; then + mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "CREATE USER 'keystone'@'localhost' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'" + mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'" + mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "CREATE USER 'keystone'@'%' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'" + mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'" +fi + # Setting Keystone database connection -sed -i "721s%.*%connection = mysql+pymysql://keystone:$KEYSTONE_DB_PASSWORD@$DB_HOST:$DB_PORT/keystone%" /etc/keystone/keystone.conf +sed -i '/^\[database\]$/,/^\[/ s/^connection = .*/connection = mysql+pymysql:\/\/keystone:'$KEYSTONE_DB_PASSWORD'@'$DB_HOST':'$DB_PORT'\/keystone/' /etc/keystone/keystone.conf # Setting Keystone tokens -sed -i "2934s%.*%provider = fernet%" /etc/keystone/keystone.conf +sed -i '/^\[token\]$/,/^\[/ s/^.*provider = .*/provider = fernet/' /etc/keystone/keystone.conf + + +# Use LDAP authentication for Identity +if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then + # Enable Keyston domains + sed -i "s%.*domain_specific_drivers_enabled =.*%domain_specific_drivers_enabled = true%" /etc/keystone/keystone.conf + sed -i "s%.*domain_config_dir =.*%domain_config_dir = /etc/keystone/domains%" /etc/keystone/keystone.conf + mkdir -p /etc/keystone/domains + # Configure domain for LDAP authentication + cat << EOF > /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf +[identity] +driver = ldap +[ldap] +url = $LDAP_URL +user_allow_create=false +user_allow_update=false +user_allow_delete=false +group_allow_create=false +group_allow_update=false +group_allow_delete=false +query_scope = sub +EOF + if [ "$LDAP_BIND_USER" ]; then + echo "user = $LDAP_BIND_USER" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_BIND_PASSWORD" ]; then + echo "password = $LDAP_BIND_PASSWORD" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_CHASE_REFERRALS" ]; then + echo "chase_referrals = $LDAP_CHASE_REFERRALS" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_PAGE_SIZE" ]; then + echo "page_size = $LDAP_PAGE_SIZE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_TREE_DN" ]; then + echo "user_tree_dn = $LDAP_USER_TREE_DN" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_OBJECTCLASS" ]; then + echo "user_objectclass = $LDAP_USER_OBJECTCLASS" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_ID_ATTRIBUTE" ]; then + echo "user_id_attribute = $LDAP_USER_ID_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_NAME_ATTRIBUTE" ]; then + echo "user_name_attribute = $LDAP_USER_NAME_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_PASS_ATTRIBUTE" ]; then + echo "user_pass_attribute = $LDAP_USER_PASS_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_FILTER" ]; then + echo "user_filter = $LDAP_USER_FILTER" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_ENABLED_ATTRIBUTE" ]; then + echo "user_enabled_attribute = $LDAP_USER_ENABLED_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_ENABLED_MASK" ]; then + echo "user_enabled_mask = $LDAP_USER_ENABLED_MASK" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_ENABLED_DEFAULT" ]; then + echo "user_enabled_default = $LDAP_USER_ENABLED_DEFAULT" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_USER_ENABLED_INVERT" ]; then + echo "user_enabled_invert = $LDAP_USER_ENABLED_INVERT" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_GROUP_OBJECTCLASS" ]; then + echo "group_objectclass = $LDAP_GROUP_OBJECTCLASS" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_GROUP_TREE_DN" ]; then + echo "group_tree_dn = $LDAP_GROUP_TREE_DN" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + if [ "$LDAP_TLS_CACERT_BASE64" ]; then + mkdir -p /etc/ssl/certs/ + echo "-----BEGIN CERTIFICATE-----" >> /etc/ssl/certs/ca-certificates.crt + echo $LDAP_TLS_CACERT_BASE64 >> /etc/ssl/certs/ca-certificates.crt + echo "-----END CERTIFICATE-----" >> /etc/ssl/certs/ca-certificates.crt + fi + if [ "$LDAP_USE_STARTTLS" ] && [ "$LDAP_USE_STARTTLS" == "true" ]; then + echo "use_tls = true" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + mkdir -p /etc/keystone/ssl/certs/ + echo "-----BEGIN CERTIFICATE-----" > /etc/keystone/ssl/certs/ca.pem + echo $LDAP_TLS_CACERT_BASE64 >> /etc/keystone/ssl/certs/ca.pem + echo "-----END CERTIFICATE-----" >> /etc/keystone/ssl/certs/ca.pem + echo "tls_cacertfile = /etc/keystone/ssl/certs/ca.pem" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + if [ "$LDAP_TLS_REQ_CERT" ]; then + echo "tls_req_cert = $LDAP_TLS_REQ_CERT" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf + fi + fi +fi # Populate Keystone database if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then - su -s /bin/sh -c "keystone-manage db_sync" keystone + keystone-manage db_sync fi # Initialize Fernet key repositories keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone +wait_keystone_host + # Bootstrap Keystone service if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then keystone-manage bootstrap \ @@ -99,6 +232,8 @@ if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then --bootstrap-region-id "$REGION_ID" fi +echo "ServerName $KEYSTONE_HOST" >> /etc/apache2/apache2.conf + # Restart Apache Service service apache2 restart @@ -120,7 +255,17 @@ if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME" openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT" openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin - openstack role delete _member_ +fi + +if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then + if !(openstack domain list | grep -q $LDAP_AUTHENTICATION_DOMAIN_NAME); then + # Create domain in keystone for LDAP authentication + openstack domain create $LDAP_AUTHENTICATION_DOMAIN_NAME + # Restart Apache Service + service apache2 restart + fi + # Check periodically LDAP for updates + echo "0 1 * * * keystone-manage mapping_purge --domain-name $LDAP_AUTHENTICATION_DOMAIN_NAME; keystone-manage mapping_populate --domain-name $LDAP_AUTHENTICATION_DOMAIN_NAME" >> /var/spool/cron/crontabs/root fi while ps -ef | grep -v grep | grep -q apache2