X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;f=docker%2FKeystone%2Fscripts%2Fstart.sh;h=dde1b5ae687f701f1d2933aa17eedb0d730dc421;hb=cca4b8e1c75fa9892c49e041623c2749f8f7bc98;hp=90ff68b270910e82a8060ac7a8c441027a8b67f0;hpb=6fff9afbe86dbb97098229b7d96c7ec0010e2d39;p=osm%2Fdevops.git

diff --git a/docker/Keystone/scripts/start.sh b/docker/Keystone/scripts/start.sh
index 90ff68b2..dde1b5ae 100755
--- a/docker/Keystone/scripts/start.sh
+++ b/docker/Keystone/scripts/start.sh
@@ -19,6 +19,7 @@
 ##
 
 DB_EXISTS=""
+USER_DB_EXISTS=""
 DB_NOT_EMPTY=""
 
 max_attempts=120
@@ -41,6 +42,24 @@ function wait_db(){
     return 0
 }
 
+function wait_keystone_host(){
+    attempt=0
+    timeout=2
+    echo "Wait until Keystone hostname can be resolved "
+    while ! nslookup $KEYSTONE_HOST; do
+        #wait 120 sec
+        if [ $attempt -ge $max_attempts ]; then
+            echo
+            echo "Can not resolve ${KEYSTONE_HOST} during $max_attempts sec"
+            return 1
+        fi
+        attempt=$[$attempt+1]
+        echo -n "."
+        sleep 1
+    done
+    return 0
+}
+
 function is_db_created() {
     db_host=$1
     db_port=$2
@@ -57,26 +76,50 @@ function is_db_created() {
     fi
 }
 
+function is_user_db_created() {
+    db_host=$1
+    db_port=$2
+    db_user=$3
+    db_pswd=$4
+    db_user_to_check=$5
+
+    user_count=$(mysql -h"$db_host" -P"$db_port" -u"$db_user" -p"$db_pswd" --default_character_set utf8 -sse "SELECT COUNT(*) FROM mysql.user WHERE user='$db_user_to_check' AND host='%';")
+
+    if [ $user_count -gt 0 ]; then
+        echo "DB User $db_name exists"
+        return 0
+    else
+        echo "DB User $db_name does not exist"
+        return 1
+    fi
+}
+
 wait_db "$DB_HOST" "$DB_PORT" || exit 1
 
 is_db_created "$DB_HOST" "$DB_PORT" "$ROOT_DB_USER" "$ROOT_DB_PASSWORD" "keystone" && DB_EXISTS="Y"
+is_user_db_created "$DB_HOST" "$DB_PORT" "$ROOT_DB_USER" "$ROOT_DB_PASSWORD" "keystone" && USER_DB_EXISTS="Y"
 
 if [ -z $DB_EXISTS ]; then
     mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "CREATE DATABASE keystone"
-    mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'"
-    mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'"
 else
-    if [ $(mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -sse "SELECT COUNT(*) FROM keystone;") -gt 0 ]; then
+    if [ $(mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -sse "SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'keystone';") -gt 0 ]; then
         echo "DB keystone is empty"
         DB_NOT_EMPTY="y"
     fi
 fi
 
+if [ -z $USER_DB_EXISTS ]; then
+    mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "CREATE USER 'keystone'@'localhost' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'"
+    mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'"
+    mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "CREATE USER 'keystone'@'%' IDENTIFIED BY '$KEYSTONE_DB_PASSWORD'"
+    mysql -h"$DB_HOST" -P"$DB_PORT" -u"$ROOT_DB_USER" -p"$ROOT_DB_PASSWORD" --default_character_set utf8 -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'"
+fi
+
 # Setting Keystone database connection
-sed -i "721s%.*%connection = mysql+pymysql://keystone:$KEYSTONE_DB_PASSWORD@$DB_HOST:$DB_PORT/keystone%" /etc/keystone/keystone.conf
+sed -i '/^\[database\]$/,/^\[/ s/^connection = .*/connection = mysql+pymysql:\/\/keystone:'$KEYSTONE_DB_PASSWORD'@'$DB_HOST':'$DB_PORT'\/keystone/' /etc/keystone/keystone.conf
 
 # Setting Keystone tokens
-sed -i "2934s%.*%provider = fernet%" /etc/keystone/keystone.conf
+sed -i '/^\[token\]$/,/^\[/ s/^.*provider = .*/provider = fernet/' /etc/keystone/keystone.conf
 
 
 # Use LDAP authentication for Identity
@@ -99,50 +142,68 @@ group_allow_update=false
 group_allow_delete=false
 query_scope = sub
 EOF
-    if [ $LDAP_BIND_USER ]; then
+    if [ "$LDAP_BIND_USER" ]; then
         echo "user = $LDAP_BIND_USER" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_BIND_PASSWORD ]; then
+    if [ "$LDAP_BIND_PASSWORD" ]; then
         echo "password = $LDAP_BIND_PASSWORD" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_TREE_DN ]; then
+    if [ "$LDAP_CHASE_REFERRALS" ]; then
+        echo "chase_referrals = $LDAP_CHASE_REFERRALS" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
+    fi
+    if [ "$LDAP_PAGE_SIZE" ]; then
+        echo "page_size = $LDAP_PAGE_SIZE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
+    fi
+    if [ "$LDAP_USER_TREE_DN" ]; then
         echo "user_tree_dn = $LDAP_USER_TREE_DN" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_OBJECTCLASS ]; then
+    if [ "$LDAP_USER_OBJECTCLASS" ]; then
         echo "user_objectclass = $LDAP_USER_OBJECTCLASS" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_ID_ATTRIBUTE ]; then
+    if [ "$LDAP_USER_ID_ATTRIBUTE" ]; then
         echo "user_id_attribute = $LDAP_USER_ID_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_NAME_ATTRIBUTE ]; then
+    if [ "$LDAP_USER_NAME_ATTRIBUTE" ]; then
         echo "user_name_attribute = $LDAP_USER_NAME_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_PASS_ATTRIBUTE ]; then
+    if [ "$LDAP_USER_PASS_ATTRIBUTE" ]; then
         echo "user_pass_attribute = $LDAP_USER_PASS_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_FILTER ]; then
+    if [ "$LDAP_USER_FILTER" ]; then
         echo "user_filter = $LDAP_USER_FILTER" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_ENABLED_ATTRIBUTE ]; then
+    if [ "$LDAP_USER_ENABLED_ATTRIBUTE" ]; then
         echo "user_enabled_attribute = $LDAP_USER_ENABLED_ATTRIBUTE" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_ENABLED_MASK ]; then
+    if [ "$LDAP_USER_ENABLED_MASK" ]; then
         echo "user_enabled_mask = $LDAP_USER_ENABLED_MASK" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_ENABLED_DEFAULT ]; then
+    if [ "$LDAP_USER_ENABLED_DEFAULT" ]; then
         echo "user_enabled_default = $LDAP_USER_ENABLED_DEFAULT" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USER_ENABLED_INVERT ]; then
+    if [ "$LDAP_USER_ENABLED_INVERT" ]; then
         echo "user_enabled_invert = $LDAP_USER_ENABLED_INVERT" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
     fi
-    if [ $LDAP_USE_STARTTLS ] && [ "$LDAP_USE_STARTTLS" == "true" ]; then
+    if [ "$LDAP_GROUP_OBJECTCLASS" ]; then
+        echo "group_objectclass = $LDAP_GROUP_OBJECTCLASS" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
+    fi
+    if [ "$LDAP_GROUP_TREE_DN" ]; then
+        echo "group_tree_dn = $LDAP_GROUP_TREE_DN" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
+    fi
+    if [ "$LDAP_TLS_CACERT_BASE64" ]; then
+        mkdir -p /etc/ssl/certs/
+        echo "-----BEGIN CERTIFICATE-----" >> /etc/ssl/certs/ca-certificates.crt
+        echo $LDAP_TLS_CACERT_BASE64 >> /etc/ssl/certs/ca-certificates.crt
+        echo "-----END CERTIFICATE-----" >> /etc/ssl/certs/ca-certificates.crt
+    fi
+    if [ "$LDAP_USE_STARTTLS" ] && [ "$LDAP_USE_STARTTLS" == "true" ]; then
         echo "use_tls = true" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
         mkdir -p /etc/keystone/ssl/certs/
         echo "-----BEGIN CERTIFICATE-----" > /etc/keystone/ssl/certs/ca.pem
         echo $LDAP_TLS_CACERT_BASE64 >> /etc/keystone/ssl/certs/ca.pem
         echo "-----END CERTIFICATE-----" >> /etc/keystone/ssl/certs/ca.pem
         echo "tls_cacertfile = /etc/keystone/ssl/certs/ca.pem" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
-        if [ $LDAP_TLS_REQ_CERT ]; then
+        if [ "$LDAP_TLS_REQ_CERT" ]; then
             echo "tls_req_cert = $LDAP_TLS_REQ_CERT" >> /etc/keystone/domains/keystone.$LDAP_AUTHENTICATION_DOMAIN_NAME.conf
         fi
     fi
@@ -150,13 +211,15 @@ fi
 
 # Populate Keystone database
 if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
-    su -s /bin/sh -c "keystone-manage db_sync" keystone
+    keystone-manage db_sync
 fi
 
 # Initialize Fernet key repositories
 keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
 keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
 
+wait_keystone_host
+
 # Bootstrap Keystone service
 if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
     keystone-manage bootstrap \
@@ -169,6 +232,8 @@ if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
         --bootstrap-region-id "$REGION_ID"
 fi
 
+echo "ServerName $KEYSTONE_HOST" >> /etc/apache2/apache2.conf
+
 # Restart Apache Service
 service apache2 restart