From 28aa6e865764ebf4503b770604f0edbb89635b6c Mon Sep 17 00:00:00 2001 
From: Nicola Peditto Date: Wed, 27 Oct 2021 12:31:01 +0200 Subject: [PATCH 01/66] boot version --- 0-CA/ca_create | 22 + 0-CA/client_cert | 37 + 0-docker | 35 + 1-mysql/1-mysql | 27 + 1-mysql/99-openstack.conf | 8 + 1-mysql/create_dbs.sql | 9 + 1-mysql/create_dbs_FELOOCA_TEST.sql | 6 + 1-rabbitmq | 22 + 2-keystone/2-keystone | 57 + 2-keystone/2.5-keystone | 35 + 2-keystone/build/Dockerfile | 21 + 2-keystone/build/build | 4 + 2-keystone/conf/adminrc | 8 + 2-keystone/conf/keystone.conf | 2715 +++++++++++++++++++++++ 3-conductor/3-conductor | 30 + 3-conductor/3.5-conductor | 26 + 3-conductor/build/Dockerfile | 50 + 3-conductor/build/bin/startConductor | 30 + 3-conductor/build/build | 4 + 3-conductor/conf/iotronic.conf | 102 + 4-iotronic-crossbar/4-crossbar | 17 + 4-iotronic-crossbar/confs/config.json | 56 + 4-iotronic-wstun/4-wstun | 20 + 4-iotronic-wstun/Dockerfile | 31 + 4-iotronic-wstun/confs/allowlist | 1 + 4-iotronic-wstun/confs/ssl/iotronic.key | 27 + 4-iotronic-wstun/confs/ssl/iotronic.pem | 20 + 4-iotronic-wstun/confs/ssl/rootCA.pem | 22 + 5-wagent/5-wagent | 36 + 5-wagent/build/Dockerfile | 57 + 5-wagent/build/bin/startWagent | 30 + 5-wagent/build/build | 4 + 5-wagent/build/confs/mapping | 11 + 5-wagent/conf/iotronic.conf | 112 + 6-ui/6-ui | 15 + 6-ui/build/Dockerfile | 42 + 6-ui/build/bin/startUI | 32 + 6-ui/build/build | 4 + 6-ui/conf/local_settings.py | 925 ++++++++ 6-ui/iotronic-ui | 1 + 40 files changed, 4711 insertions(+) create mode 100755 0-CA/ca_create create mode 100755 0-CA/client_cert create mode 100755 0-docker create mode 100755 1-mysql/1-mysql create mode 100644 1-mysql/99-openstack.conf create mode 100644 1-mysql/create_dbs.sql create mode 100644 1-mysql/create_dbs_FELOOCA_TEST.sql create mode 100755 1-rabbitmq create mode 100755 2-keystone/2-keystone create mode 100755 2-keystone/2.5-keystone create mode 100644 2-keystone/build/Dockerfile create mode 100755 2-keystone/build/build create mode 100644 2-keystone/conf/adminrc create mode 100644 
2-keystone/conf/keystone.conf
create mode 100755 3-conductor/3-conductor
create mode 100755 3-conductor/3.5-conductor
create mode 100644 3-conductor/build/Dockerfile
create mode 100755 3-conductor/build/bin/startConductor
create mode 100755 3-conductor/build/build
create mode 100644 3-conductor/conf/iotronic.conf
create mode 100755 4-iotronic-crossbar/4-crossbar
create mode 100644 4-iotronic-crossbar/confs/config.json
create mode 100755 4-iotronic-wstun/4-wstun
create mode 100644 4-iotronic-wstun/Dockerfile
create mode 100644 4-iotronic-wstun/confs/allowlist
create mode 100644 4-iotronic-wstun/confs/ssl/iotronic.key
create mode 100644 4-iotronic-wstun/confs/ssl/iotronic.pem
create mode 100644 4-iotronic-wstun/confs/ssl/rootCA.pem
create mode 100755 5-wagent/5-wagent
create mode 100644 5-wagent/build/Dockerfile
create mode 100755 5-wagent/build/bin/startWagent
create mode 100755 5-wagent/build/build
create mode 100644 5-wagent/build/confs/mapping
create mode 100644 5-wagent/conf/iotronic.conf
create mode 100755 6-ui/6-ui
create mode 100644 6-ui/build/Dockerfile
create mode 100755 6-ui/build/bin/startUI
create mode 100755 6-ui/build/build
create mode 100644 6-ui/conf/local_settings.py
create mode 160000 6-ui/iotronic-ui
diff --git a/0-CA/ca_create b/0-CA/ca_create
new file mode 100755
index 0000000..182afe4
--- /dev/null
+++ b/0-CA/ca_create
@@ -0,0 +1,22 @@
+#! /bin/bash
+
+BIT_ENC=2048
+CA_NAME="SmartME" #same for Organization Name
+EXPIRATION=18250
+
+
+
+mkdir -p ./CA
+cd ./CA
+
+## Generate root CA key
+openssl genrsa -out $CA_NAME"_CA.key" $BIT_ENC
+
+#check
+openssl rsa -in $CA_NAME"_CA.key" -check
+
+## Generate root CA certificate
+openssl req -x509 -new -nodes -key $CA_NAME"_CA.key" -sha256 -days $EXPIRATION -subj "/C=IT/O="$CA_NAME -out $CA_NAME"_CA.pem"
+
+#check
+openssl x509 -in $CA_NAME"_CA.pem" -text -noout
diff --git a/0-CA/client_cert b/0-CA/client_cert
new file mode 100755
index 0000000..98bf9c1
--- /dev/null
+++ b/0-CA/client_cert
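Review bot: The root CA private key written by `openssl genrsa -out $CA_NAME"_CA.key"` is created under the caller's default umask (typically 0644) and with no passphrase, so it is readable by every local user from the moment it exists; put `umask 077` before the genrsa call (or `chmod 600` the key immediately after). The unchecked `cd ./CA` on the line before means a failed cd silently leaves every openssl output in the current directory instead; use `cd ./CA || exit 1` and start the script with `set -eu`. The 18250-day (50-year) `-days $EXPIRATION` lifetime is applied to the root here and, via `0-CA/client_cert`, to every client certificate, which makes rotation entirely manual; a much shorter client lifetime would be worth considering. The `$CA_NAME"_CA.key"` quoting style is unusual but safe here because `CA_NAME` is a fixed literal.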
@@ -0,0 +1,37 @@
+#! /bin/bash
+
+if [ "$#" -ne 1 ]; then
+ echo "Usage: ./client_cert "
+ exit
+fi
+
+#$1 -> CN == certificate name
+BIT_ENC=2048
+CA_NAME="SmartME" #same for Organization Name
+EXPIRATION=18250
+
+
+
+mkdir -p "./client_"$1
+cd "./client_"$1
+
+## Generate client key
+openssl genrsa -out $1".key" $BIT_ENC
+
+## Generate client certificate request
+openssl req -new -days $EXPIRATION -subj "/C=IT/O="$CA_NAME"/CN="$1 -key $1".key" -out $1".csr"
+
+#check
+openssl req -text -noout -verify -in $1".csr"
+
+
+## Generate client certificate
+openssl x509 -req -in $1".csr" -CA "../CA/"$CA_NAME"_CA.pem" -CAkey "../CA/"$CA_NAME"_CA.key" -CAcreateserial -out $1".pem" -days $EXPIRATION -sha256
+
+#check
+openssl x509 -in $1".pem" -text -noout
+
+chmod 644 $1".key"
+
+cp ../CA/$CA_NAME"_CA.pem" CA.pem
+
diff --git a/0-docker b/0-docker
new file mode 100755
index 0000000..dc7dd3c
--- /dev/null
+++ b/0-docker
@@ -0,0 +1,35 @@
+#! /bin/bash
+
+if [ "$EUID" -ne 0 ]
+ then echo "Please run as root"
+ exit
+fi
+
+apt-get update && apt-get install -y \
+ apt-transport-https \
+ ca-certificates \
+ curl \
+ gnupg-agent \
+ software-properties-common
+
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+
+add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+
+apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io
+
+usermod -aG docker $USER
+usermod -aG docker iotronic
+
+systemctl enable docker
+
+curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
+chmod +x /usr/local/bin/docker-compose
+
+docker network create iotronic_network
+
+echo -e "\e[32mCompleted - Log out and log back in so that your group membership is re-evaluated.\e[0m"
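Review bot: `chmod 644 $1".key"` near the end of the hunk explicitly makes the freshly generated client private key world-readable; it should be `chmod 600 "$1.key"`, and the key should be created under `umask 077` so it is never exposed in the window before the chmod. `$1` is used unvalidated as a directory name (`mkdir -p "./client_"$1`, `cd "./client_"$1`), as an output path and as the certificate CN, so an argument containing `/` or `..` escapes the working tree, and the unchecked `cd` would then write into the wrong place; restrict it with `[[ "$1" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` and use `cd "./client_$1" || exit 1`. The usage message `echo "Usage: ./client_cert "` appears to have lost its placeholder for the CN argument. The diffstat of this commit also adds `4-iotronic-wstun/confs/ssl/iotronic.key`, so the `CA/` and `client_*/` directories this script populates inside the checkout should be git-ignored before keys generated here end up committed the same way.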
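Review bot: The `curl -L ... -o /usr/local/bin/docker-compose` line installs a network-fetched binary into root's PATH with no integrity check, and without `-f` a 404 or error page would be saved and then marked executable by the `chmod +x` that follows; use `curl -fL` and verify against the sha256 published for the 1.24.0 release before the chmod, e.g. `echo "<published sha256>  /usr/local/bin/docker-compose" | sha256sum -c - || exit 1`. The `curl ... | sudo apt-key add -` line has the same shape, `apt-key` is deprecated, and the `sudo` is redundant since the script already refuses to run unless `$EUID` is 0; saving the key to a keyring file and referencing it with `signed-by=` in the repository line is the supported replacement. `usermod -aG docker $USER` most likely adds `root` when the script is run through sudo (`$USER` is then `root`, `$SUDO_USER` is the invoking account), and because `docker` group membership is root-equivalent the `usermod -aG docker iotronic` line deserves a comment stating that this is intended. `docker network create iotronic_network` here does not match the `--network=felooca_test_network` used by `1-mysql/1-mysql` and `2-keystone/2-keystone` in this same patch.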
diff --git a/1-mysql/1-mysql b/1-mysql/1-mysql
new file mode 100755
index 0000000..c32e806
--- /dev/null
+++ b/1-mysql/1-mysql
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+
+#if [ "$EUID" -ne 0 ]
+# then echo "Please run as root"
+# exit
+#fi
+
+MYSQL_ROOT_PASSWORD="smartme"
+
+
+docker create \
+ --name=felooca_test_iotronic_db\
+ --network=felooca_test_network \
+ -p 53306:3306 \
+ --restart unless-stopped\
+ -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \
+ -v felooca_test_iotronic_db_data:/var/lib/mysql \
+ -v felooca_test_iotronic_db_config:/etc/mysql \
+mariadb:focal
+
+docker cp create_dbs.sql felooca_test_iotronic_db:/docker-entrypoint-initdb.d/create_dbs.sql
+docker cp 99-openstack.conf felooca_test_iotronic_db:/etc/mysql/mariadb.conf.d/99-openstack.cnf
+
+docker start felooca_test_iotronic_db
+
+echo -e "\e[32mCompleted but wait mariadb to be ready using docker logs -f felooca_test_iotronic_db\e[0m"
diff --git a/1-mysql/99-openstack.conf b/1-mysql/99-openstack.conf
new file mode 100644
index 0000000..8df566d
--- /dev/null
+++ b/1-mysql/99-openstack.conf
@@ -0,0 +1,8 @@
+[mysqld]
+bind-address = 0.0.0.0
+
+default-storage-engine = innodb
+innodb_file_per_table = on
+max_connections = 4096
+collation-server = utf8_general_ci
+character-set-server = utf8
\ No newline at end of file
diff --git a/1-mysql/create_dbs.sql b/1-mysql/create_dbs.sql
new file mode 100644
index 0000000..bf2faf2
--- /dev/null
+++ b/1-mysql/create_dbs.sql
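Review bot: `MYSQL_ROOT_PASSWORD="smartme"` is a hard-coded database root password committed to the repository and then passed through `-e`, where anyone who can run `docker inspect felooca_test_iotronic_db` can read it; take it from the environment instead, `MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD}"`, and prefer the image's `_FILE` variant with a mounted secret if this mariadb tag supports it. `-p 53306:3306` publishes the database on every host interface, and together with `bind-address = 0.0.0.0` in the companion `99-openstack.conf` and the `'%'` grants in `create_dbs.sql`, anything that can reach the host can try the well-known passwords; bind to loopback (`-p 127.0.0.1:53306:3306`) or drop `-p` altogether, since the consumers join `felooca_test_network`. The script copies `create_dbs.sql` (databases `keystone`, `iotronic`, `designate` with placeholder passwords) rather than `create_dbs_FELOOCA_TEST.sql`, even though every name here is `felooca_test_*`, which looks like a mismatch worth confirming. `--network=felooca_test_network` also differs from the `iotronic_network` created by `0-docker`, so `docker create` fails unless that network is created elsewhere.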
@@ -0,0 +1,9 @@
+CREATE DATABASE keystone;
+GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
+GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
+CREATE DATABASE iotronic;
+GRANT ALL PRIVILEGES ON iotronic.* TO 'iotronic'@'localhost' IDENTIFIED BY 'IOTRONIC_DBPASS';
+GRANT ALL PRIVILEGES ON iotronic.* TO 'iotronic'@'%' IDENTIFIED BY 'IOTRONIC_DBPASS';
+CREATE DATABASE designate;
+GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'localhost' IDENTIFIED BY 'DESIGNATE_DBPASS';
+GRANT ALL PRIVILEGES ON designate.* TO 'designate'@'%' IDENTIFIED BY 'DESIGNATE_DBPASS';
\ No newline at end of file
diff --git a/1-mysql/create_dbs_FELOOCA_TEST.sql b/1-mysql/create_dbs_FELOOCA_TEST.sql
new file mode 100644
index 0000000..bfdd93f
--- /dev/null
+++ b/1-mysql/create_dbs_FELOOCA_TEST.sql
@@ -0,0 +1,6 @@
+CREATE DATABASE felooca_test_keystone;
+GRANT ALL PRIVILEGES ON felooca_test_keystone.* TO 'fe_t_keystone'@'localhost' IDENTIFIED BY 'f3l00caTEST';
+GRANT ALL PRIVILEGES ON felooca_test_keystone.* TO 'fe_t_keystone'@'%' IDENTIFIED BY 'f3l00caTEST';
+CREATE DATABASE felooca_test_iotronic;
+GRANT ALL PRIVILEGES ON felooca_test_iotronic.* TO 'fe_t_iotronic'@'localhost' IDENTIFIED BY 'f3l00caTEST';
+GRANT ALL PRIVILEGES ON felooca_test_iotronic.* TO 'fe_t_iotronic'@'%' IDENTIFIED BY 'f3l00caTEST';
\ No newline at end of file
diff --git a/1-rabbitmq b/1-rabbitmq
new file mode 100755
index 0000000..7c8888f
--- /dev/null
+++ b/1-rabbitmq
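Review bot: The `IDENTIFIED BY 'KEYSTONE_DBPASS'`, `'IOTRONIC_DBPASS'` and `'DESIGNATE_DBPASS'` literals are the placeholder strings from the OpenStack install guide, and combined with the `@'%'` host grants on the same lines any client that reaches the published port can log in with publicly documented passwords; substitute real secrets before the file reaches the container (for example render it with `envsubst` from a template in `1-mysql/1-mysql`) and keep the rendered file out of git. The `@'%'` grants can also be narrowed to the Docker network's address range, since the only intended clients are the other containers on `felooca_test_network`. A `designate` database and account are created here, but no Designate service appears in this patch's file list, so it may be an unused account that nevertheless carries `ALL PRIVILEGES`.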
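Review bot: Both service accounts in this file share the single committed password `'f3l00caTEST'`, so a leak of either service's database configuration (for instance Keystone's `connection` string) also opens the Iotronic database; give each account its own secret and source it from the environment rather than a tracked file. As far as this patch shows, `1-mysql/1-mysql` copies `create_dbs.sql` into the init directory and never references this file, so if it is the intended fixture for the `felooca_test_*` containers the script should select it explicitly. The `@'%'` host grants deserve the same narrowing as in `create_dbs.sql`.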
@@ -0,0 +1,22 @@
+#! /bin/bash
+
+
+#if [ "$EUID" -ne 0 ]
+# then echo "Please run as root"
+# exit
+#cfi
+
+RABBIT_PASS="smartme"
+
+docker run -d \
+ --name=felooca_test_rabbitmq\
+ -p 5672:5672 \
+ --network=host \
+ --restart unless-stopped \
+rabbitmq:3
+
+sleep 30
+docker exec felooca_test_rabbitmq rabbitmqctl add_user openstack $RABBIT_PASS
+docker exec felooca_test_rabbitmq rabbitmqctl set_permissions openstack ".*" ".*" ".*"
+
+echo -e "\e[32mCompleted \e[0m"
\ No newline at end of file
diff --git a/2-keystone/2-keystone b/2-keystone/2-keystone
new file mode 100755
index 0000000..dd1a281
--- /dev/null
+++ b/2-keystone/2-keystone
@@ -0,0 +1,57 @@
+#! /bin/bash
+
+
+#if [ "$EUID" -ne 0 ]
+# then echo "Please run as root"
+# exit
+#fi
+
+VERSION=1.0
+
+HOST="felooca-test-ctrl.smartme.io"
+HTTPS=true
+ADMIN_PASS="smartme"
+
+OS_AUTH_URL="http://$HOST:5000/v3"
+if [ "$HTTPS" = true ] ; then
+ OS_AUTH_URL="https://$HOST:5000/v3"
+fi
+
+echo $OS_AUTH_URL
+file="conf/adminrc"
+
+sed -i "s|OS_AUTH_URL=.*|OS_AUTH_URL=$OS_AUTH_URL|g" $file
+sed -i "s|OS_PASSWORD=.*|OS_PASSWORD=$ADMIN_PASS|g" $file
+
+echo -e "\e[32mThis is your adminrc file\n\n"
+
+while IFS= read -r line
+do
+ printf 'export %s\n' "$line"
+done <"$file"
+
+echo -e "\e[0m"
+
+docker create \
+ --env-file conf/adminrc \
+ --name=felooca_test_keystone \
+ --restart unless-stopped\
+ --network=felooca_test_network \
+ -p 5001:5000 \
+ -v felooca_test_keystone_config:/etc/keystone/ \
+ -v felooca_test_keystone_data:/var/lib/keystone/ \
+ -v /var/log/keystone:/var/log/keystone \
+ -v /var/log/keystone-api:/var/log/apache2 \
+smartmeio/keystone-stain:$VERSION
+
+
+docker cp conf/keystone.conf felooca_test_keystone:/etc/keystone/
+
+docker run --rm \
+ -v /var/log/keystone:/var/log/keystone \
+ -v /var/log/keystone-api:/var/log/apache2 \
+smartmeio/keystone-stain:$VERSION \
+/bin/sh -c "chown -R keystone:keystone /var/log/keystone/"
+
+docker start felooca_test_keystone
+
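Review bot: `sleep 30` before the two `rabbitmqctl` calls is a timing guess, and on a slow first pull of `rabbitmq:3` the `add_user` step runs before the broker is up and fails, leaving the `openstack` account uncreated while the script still prints `Completed`; replace it with `docker exec felooca_test_rabbitmq rabbitmqctl await_startup` (or a retry loop around `rabbitmq-diagnostics ping`) and check the exit status of both `rabbitmqctl` commands. `--network=host` makes the broker listen on every host interface, and the `-p 5672:5672` beside it is ignored under host networking, so that line gives a false sense of scoping; the other services in this patch join `felooca_test_network`, and attaching this container there would keep AMQP off the host's public interfaces. `RABBIT_PASS="smartme"` is committed in clear and then passed on the `rabbitmqctl add_user` command line, where it shows up in process listings; read it with `"${RABBIT_PASS:?}"` from the environment. The comment `#cfi` on the seventh line is a typo for `#fi`.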
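Review bot: The `sed -i "s|OS_PASSWORD=.*|OS_PASSWORD=$ADMIN_PASS|g" $file` line rewrites the tracked `conf/adminrc` in place with the hard-coded `ADMIN_PASS="smartme"`, so the secret both lives in git and is overwritten on every run, and the `while read` loop then echoes it to the terminal; render the env file into a `mktemp` path (or an ignored location) from `"${ADMIN_PASS:?}"` and pass that path to `--env-file`. Values supplied via `--env-file` are also stored in the container config and show up in `docker inspect felooca_test_keystone`, which deserves a comment for whoever reuses this host. `OS_AUTH_URL` is built as `https://$HOST:5000/v3` while the container is published with `-p 5001:5000` and nothing in `2-keystone/build/Dockerfile` configures TLS for Apache, so this appears to rely on a TLS terminator on port 5000 that the patch does not contain; a comment naming that dependency would help. The `$file` argument to `sed -i` is unquoted, harmless for the literal `conf/adminrc` but worth quoting for ShellCheck.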
diff --git a/2-keystone/2.5-keystone b/2-keystone/2.5-keystone
new file mode 100755
index 0000000..1745a19
--- /dev/null
+++ b/2-keystone/2.5-keystone
@@ -0,0 +1,35 @@
+#! /bin/bash
+
+HOST="felooca-test-ctrl.smartme.io"
+HTTPS=true
+ADMIN_PASS="smartme"
+
+URL="http://$HOST:5000/v3"
+if [ "$HTTPS" = true ] ; then
+ URL="https://$HOST:5000/v3"
+fi
+
+echo $URL
+
+docker exec felooca_test_keystone /bin/sh -c "keystone-manage db_sync" keystone
+echo "db_sync"
+docker exec felooca_test_keystone keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
+echo "fernet_setup"
+docker exec felooca_test_keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+echo "credential_setup"
+
+
+docker exec felooca_test_keystone keystone-manage bootstrap --bootstrap-password $ADMIN_PASS \
+ --bootstrap-admin-url $URL \
+ --bootstrap-internal-url $URL \
+ --bootstrap-public-url $URL \
+ --bootstrap-region-id RegionOne
+
+echo "bootstrap"
+
+docker restart felooca_test_keystone
+echo "restarting in 5 seconds"
+sleep 5
+
+docker exec felooca_test_keystone openstack project create --domain default --description "Service Project" service
+echo "project created"
diff --git a/2-keystone/build/Dockerfile b/2-keystone/build/Dockerfile
new file mode 100644
index 0000000..8f44217
--- /dev/null
+++ b/2-keystone/build/Dockerfile
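Review bot: `--bootstrap-password $ADMIN_PASS` puts the Keystone admin password on the `docker exec` argv, where it is visible in `ps` on the host and inside the container and lands in shell history; `keystone-manage bootstrap` also accepts it from `KEYSTONE_BOOTSTRAP_PASSWORD`, so pass `docker exec -e KEYSTONE_BOOTSTRAP_PASSWORD="$ADMIN_PASS" felooca_test_keystone keystone-manage bootstrap --bootstrap-admin-url "$URL" ...` and take `ADMIN_PASS` from the environment rather than the literal `"smartme"` duplicated from `2-keystone`. `sleep 5` after `docker restart` is a race: `openstack project create` fails if Apache is not yet serving, and nothing checks its exit status; poll the endpoint (e.g. `until curl -fs "$URL" >/dev/null; do sleep 1; done`) or at least exit on failure. `db_sync`, `fernet_setup` and `credential_setup` also run unchecked, so a failed `db_sync` is followed by a bootstrap against an empty schema; `set -e` at the top of the script would surface that immediately.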
@@ -0,0 +1,21 @@
+FROM ubuntu:bionic
+#ENV VERSION=2.3.9
+
+RUN apt-get update \
+ && apt-get install nocache -y software-properties-common \
+ && add-apt-repository -y cloud-archive:stein \
+ && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y python3-openstackclient nano iputils-ping net-tools
+
+RUN apt-get install nocache keystone -y
+
+RUN mkdir -p /var/log/keystone \
+&& touch /var/log/keystone/keystone-manage.log \
+&& touch /var/log/keystone/keystone-wsgi-public.log \
+&& touch /var/log/keystone/keystone.log \
+&& chown -R keystone:keystone /var/log/keystone/
+
+VOLUME ["/etc/keystone"]
+VOLUME ["/var/log/keystone"]
+
+EXPOSE 5000
+CMD ["/usr/sbin/apache2ctl", "-D","FOREGROUND"]
diff --git a/2-keystone/build/build b/2-keystone/build/build
new file mode 100755
index 0000000..4b51563
--- /dev/null
+++ b/2-keystone/build/build
@@ -0,0 +1,4 @@
+#! /bin/bash
+
+VERSION=1.0
+docker build -t smartmeio/keystone-stain:$VERSION .
\ No newline at end of file
diff --git a/2-keystone/conf/adminrc b/2-keystone/conf/adminrc
new file mode 100644
index 0000000..35687bb
--- /dev/null
+++ b/2-keystone/conf/adminrc
@@ -0,0 +1,8 @@
+OS_PROJECT_DOMAIN_NAME=Default
+OS_USER_DOMAIN_NAME=Default
+OS_PROJECT_NAME=admin
+OS_USERNAME=admin
+OS_PASSWORD=smartme
+OS_AUTH_URL=https://felooca-test-ctrl.smartme.io:5000/v3
+OS_IDENTITY_API_VERSION=3
+OS_IMAGE_API_VERSION=2
\ No newline at end of file
diff --git a/2-keystone/conf/keystone.conf b/2-keystone/conf/keystone.conf
new file mode 100644
index 0000000..2d04d35
--- /dev/null
+++ b/2-keystone/conf/keystone.conf
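Review bot: `apt-get install nocache -y ...` on the three `RUN` lines treats `nocache` as a package name rather than an option (apt-get has no such flag, and a Debian package of that name does exist), so each install either pulls in an unrelated package or fails if it is unavailable; drop the word and, if a smaller image was the goal, use `--no-install-recommends` and end the layer with `rm -rf /var/lib/apt/lists/*`. `FROM ubuntu:bionic` with `cloud-archive:stein` pins the service to a release that, as far as I recall, was already in extended maintenance at this commit's date, so keystone security fixes would have to be tracked by hand; the base tag should at least be pinned by digest for reproducible builds. `apt-get -y dist-upgrade` inside the build makes the image content depend on build time, which works against any such pinning.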
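Review bot: `OS_PASSWORD=smartme` commits the Keystone admin credential to the repository, and `2-keystone/2-keystone` rewrites this same file with `sed -i`, so it will keep changing in the working tree on every run; keep a template under version control (`OS_PASSWORD=` empty, or a documented placeholder) and generate the real file outside git. `OS_AUTH_URL=https://felooca-test-ctrl.smartme.io:5000/v3` points at port 5000 over HTTPS while the container is published on 5001, consistent with an external TLS proxy that this patch does not show; a comment recording that assumption would save the next operator a debugging session.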
@@ -0,0 +1,2715 @@ +[DEFAULT] +debug = True +#log_config = /etc/keystone/logging.conf +log_dir = /var/log/keystone + +# +# From keystone +# + +# Using this feature is *NOT* recommended. Instead, use the `keystone-manage +# bootstrap` command. The value of this option is treated as a "shared secret" +# that can be used to bootstrap Keystone through the API. This "token" does not +# represent a user (it has no identity), and carries no explicit authorization +# (it effectively bypasses most authorization checks). If set to `None`, the +# value is ignored and the `admin_token` middleware is effectively disabled. +# (string value) +#admin_token = + +# The base public endpoint URL for Keystone that is advertised to clients +# (NOTE: this does NOT affect how Keystone listens for connections). Defaults +# to the base host URL of the request. For example, if keystone receives a +# request to `http://server:5000/v3/users`, then this will option will be +# automatically treated as `http://server:5000`. You should only need to set +# option if either the value of the base URL contains a path that keystone does +# not automatically infer (`/prefix/v3`), or if the endpoint should be found on +# a different host. (uri value) +#public_endpoint = + +# DEPRECATED: The base admin endpoint URL for Keystone that is advertised to +# clients (NOTE: this does NOT affect how Keystone listens for connections). +# Defaults to the base host URL of the request. For example, if keystone +# receives a request to `http://server:35357/v3/users`, then this will option +# will be automatically treated as `http://server:35357`. You should only need +# to set option if either the value of the base URL contains a path that +# keystone does not automatically infer (`/prefix/v3`), or if the endpoint +# should be found on a different host. (uri value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. 
+# Reason: With the removal of the 2.0 API keystone does not distinguish between +# admin and public endpoints. +#admin_endpoint = + +# Maximum depth of the project hierarchy, excluding the project acting as a +# domain at the top of the hierarchy. WARNING: Setting it to a large value may +# adversely impact performance. (integer value) +#max_project_tree_depth = 5 + +# Limit the sizes of user & project ID/names. (integer value) +#max_param_size = 64 + +# Similar to `[DEFAULT] max_param_size`, but provides an exception for token +# values. With Fernet tokens, this can be set as low as 255. With UUID tokens, +# this should be set to 32). (integer value) +#max_token_size = 255 + +# The maximum number of entities that will be returned in a collection. This +# global limit may be then overridden for a specific driver, by specifying a +# list_limit in the appropriate section (for example, `[assignment]`). No limit +# is set by default. In larger deployments, it is recommended that you set this +# to a reasonable number to prevent operations like listing all users and +# projects from placing an unnecessary load on the system. (integer value) +#list_limit = + +# If set to true, strict password length checking is performed for password +# manipulation. If a password exceeds the maximum length, the operation will +# fail with an HTTP 403 Forbidden error. If set to false, passwords are +# automatically truncated to the maximum length. (boolean value) +#strict_password_check = false + +# If set to true, then the server will return information in HTTP responses +# that may allow an unauthenticated or authenticated user to get more +# information than normal, such as additional details about why authentication +# failed. This may be useful for debugging but is insecure. (boolean value) +#insecure_debug = false + +# Default `publisher_id` for outgoing notifications. If left undefined, +# Keystone will default to using the server's host name. 
(string value) +#default_publisher_id = + +# Define the notification format for identity service events. A `basic` +# notification only has information about the resource being operated on. A +# `cadf` notification has the same information, as well as information about +# the initiator of the event. The `cadf` option is entirely backwards +# compatible with the `basic` option, but is fully CADF-compliant, and is +# recommended for auditing use cases. (string value) +# Possible values: +# basic - +# cadf - +#notification_format = cadf + +# You can reduce the number of notifications keystone emits by explicitly +# opting out. Keystone will not emit notifications that match the patterns +# expressed in this list. Values are expected to be in the form of +# `identity..`. By default, all notifications related +# to authentication are automatically suppressed. This field can be set +# multiple times in order to opt-out of multiple notification topics. For +# example, the following suppresses notifications describing user creation or +# successful authentication events: notification_opt_out=identity.user.create +# notification_opt_out=identity.authenticate.success (multi valued) +#notification_opt_out = identity.authenticate.success +#notification_opt_out = identity.authenticate.pending +#notification_opt_out = identity.authenticate.failed + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, log-date-format). 
(string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol +# which includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. 
This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is setto "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when +# the service was started) is used when scheduling the next rotation. (string +# value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. (integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message +# is DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. 
Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG +# or empty string. Logs with level greater or equal to rate_limit_except_level +# are not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. 
(boolean value) +#fatal_deprecations = false + +# +# From oslo.messaging +# + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size = 30 + +# The pool size limit for connections expiration policy (integer value) +#conn_pool_min_size = 2 + +# The time-to-live in sec of idle connections in the pool (integer value) +#conn_pool_ttl = 1200 + +# Size of executor thread pool when executor is threading or eventlet. (integer +# value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# The network address and optional user credentials for connecting to the +# messaging backend, in URL format. The expected format is: +# +# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query +# +# Example: rabbit://rabbitmq:password@127.0.0.1:5672// +# +# For full details on the fields in the URL see the documentation of +# oslo_messaging.TransportURL at +# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html +# (string value) +#transport_url = rabbit:// + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = keystone + + +[access_rules_config] + +# +# From keystone +# + +# Entry point for the access rules config backend driver in the +# `keystone.access_rules_config` namespace. Keystone only provides a `json` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = json + +# Toggle for access rules caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache access rule data in seconds. This has no effect unless global +# caching is enabled. (integer value) +#cache_time = + +# Path to access rules configuration. 
If not present, no access rule +# configuration will be loaded and application credential access rules will be +# unavailable. (string value) +#rules_file = /etc/keystone/access_rules.json + +# Toggles permissive mode for access rules. When enabled, application +# credentials can be created with any access rules regardless of operator's +# configuration. (boolean value) +#permissive = false + + +[application_credential] + +# +# From keystone +# + +# Entry point for the application credential backend driver in the +# `keystone.application_credential` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for application credential caching. This has no effect unless global +# caching is enabled. (boolean value) +#caching = true + +# Time to cache application credential data in seconds. This has no effect +# unless global caching is enabled. (integer value) +#cache_time = + +# Maximum number of application credentials a user is permitted to create. A +# value of -1 means unlimited. If a limit is not set, users are permitted to +# create application credentials at will, which could lead to bloat in the +# keystone database or open keystone to a DoS attack. (integer value) +#user_limit = -1 + + +[assignment] + +# +# From keystone +# + +# Entry point for the assignment backend driver (where role assignments are +# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied +# by keystone itself. Unless you are writing proprietary drivers for keystone, +# you do not need to set this option. (string value) +#driver = sql + +# A list of role names which are prohibited from being an implied role. (list +# value) +#prohibited_implied_role = admin + + +[auth] + +# +# From keystone +# + +# Allowed authentication methods. Note: You should disable the `external` auth +# method if you are currently using federation. 
External auth and federation +# both use the REMOTE_USER variable. Since both the mapped and external plugin +# are being invoked to validate attributes in the request environment, it can +# cause conflicts. (list value) +#methods = external,password,token,oauth1,mapped,application_credential + +# Entry point for the password auth plugin module in the +# `keystone.auth.password` namespace. You do not need to set this unless you +# are overriding keystone's own password authentication plugin. (string value) +#password = + +# Entry point for the token auth plugin module in the `keystone.auth.token` +# namespace. You do not need to set this unless you are overriding keystone's +# own token authentication plugin. (string value) +#token = + +# Entry point for the external (`REMOTE_USER`) auth plugin module in the +# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and +# `Domain`. The default driver is `DefaultDomain`, which assumes that all users +# identified by the username specified to keystone in the `REMOTE_USER` +# variable exist within the context of the default domain. The `Domain` option +# expects an additional environment variable be presented to keystone, +# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if +# `REMOTE_DOMAIN` is not set, then the default domain will be used instead). +# You do not need to set this unless you are taking advantage of "external +# authentication", where the application server (such as Apache) is handling +# authentication instead of keystone. (string value) +#external = + +# Entry point for the OAuth 1.0a auth plugin module in the +# `keystone.auth.oauth1` namespace. You do not need to set this unless you are +# overriding keystone's own `oauth1` authentication plugin. (string value) +#oauth1 = + +# Entry point for the mapped auth plugin module in the `keystone.auth.mapped` +# namespace. 
You do not need to set this unless you are overriding keystone's +# own `mapped` authentication plugin. (string value) +#mapped = + +# Entry point for the application_credential auth plugin module in the +# `keystone.auth.application_credential` namespace. You do not need to set this +# unless you are overriding keystone's own `application_credential` +# authentication plugin. (string value) +#application_credential = + + +[cache] + +# +# From oslo.cache +# + +# Prefix for building the configuration dictionary for the cache region. This +# should not need to be changed unless there is another dogpile.cache region +# with the same configuration name. (string value) +#config_prefix = cache.oslo + +# Default TTL, in seconds, for any cached item in the dogpile.cache region. +# This applies to any cached method that doesn't have an explicit cache +# expiration time defined for it. (integer value) +#expiration_time = 600 + +# Cache backend module. For eventlet-based or environments with hundreds of +# threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is +# recommended. For environments with less than 100 threaded servers, Memcached +# (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test +# environments with a single instance of the server can use the +# dogpile.cache.memory backend. (string value) +# Possible values: +# oslo_cache.memcache_pool - +# oslo_cache.dict - +# oslo_cache.mongo - +# oslo_cache.etcd3gw - +# dogpile.cache.memcached - +# dogpile.cache.pylibmc - +# dogpile.cache.bmemcached - +# dogpile.cache.dbm - +# dogpile.cache.redis - +# dogpile.cache.memory - +# dogpile.cache.memory_pickle - +# dogpile.cache.null - +#backend = dogpile.cache.null + +# Arguments supplied to the backend module. Specify this option once per +# argument to be passed to the dogpile.cache backend. Example format: +# ":". 
(multi valued)
+#backend_argument =
+
+# Proxy classes to import that will affect the way the dogpile.cache backend
+# functions. See the dogpile.cache documentation on changing-backend-behavior.
+# (list value)
+#proxies =
+
+# Global toggle for caching. (boolean value)
+#enabled = true
+
+# Extra debugging from the cache backend (cache keys, get/set/delete/etc
+# calls). This is only really useful if you need to see the specific cache-
+# backend get/set/delete calls with the keys/values. Typically this should be
+# left set to false. (boolean value)
+#debug_cache_backend = false
+
+# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
+# oslo_cache.memcache_pool backends only). (list value)
+#memcache_servers = localhost:11211
+
+# Number of seconds memcached server is considered dead before it is tried
+# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
+# (integer value)
+#memcache_dead_retry = 300
+
+# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
+# oslo_cache.memcache_pool backends only). (floating point value)
+#memcache_socket_timeout = 3.0
+
+# Max total number of open connections to every memcached server.
+# (oslo_cache.memcache_pool backend only). (integer value)
+#memcache_pool_maxsize = 10
+
+# Number of seconds a connection to memcached is held unused in the pool before
+# it is closed. (oslo_cache.memcache_pool backend only). (integer value)
+#memcache_pool_unused_timeout = 60
+
+# Number of seconds that an operation will wait to get a memcache client
+# connection. (integer value)
+#memcache_pool_connection_get_timeout = 10
+
+
+[catalog]
+
+#
+# From keystone
+#
+
+# Absolute path to the file used for the templated catalog backend. This option
+# is only used if the `[catalog] driver` is set to `templated`. (string value)
+#template_file = default_catalog.templates
+
+# Entry point for the catalog driver in the `keystone.catalog` namespace.
+# Keystone provides a `sql` option (which supports basic CRUD operations
+# through SQL), a `templated` option (which loads the catalog from a templated
+# catalog file on disk), and a `endpoint_filter.sql` option (which supports
+# arbitrary service catalogs per project). (string value)
+#driver = sql
+
+# Toggle for catalog caching. This has no effect unless global caching is
+# enabled. In a typical deployment, there is no reason to disable this.
+# (boolean value)
+#caching = true
+
+# Time to cache catalog data (in seconds). This has no effect unless global and
+# catalog caching are both enabled. Catalog data (services, endpoints, etc.)
+# typically does not change frequently, and so a longer duration than the
+# global default may be desirable. (integer value)
+#cache_time =
+
+# Maximum number of entities that will be returned in a catalog collection.
+# There is typically no reason to set this, as it would be unusual for a
+# deployment to have enough services or endpoints to exceed a reasonable limit.
+# (integer value)
+#list_limit =
+
+
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "://[:]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin =
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,Openstack-Auth-Receipt
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name,Openstack-Auth-Receipt
+
+
+[credential]
+
+#
+# From keystone
+#
+
+# Entry point for the credential backend driver in the `keystone.credential`
+# namespace. Keystone only provides a `sql` driver, so there's no reason to
+# change this unless you are providing a custom entry point. (string value)
+#driver = sql
+
+# Entry point for credential encryption and decryption operations in the
+# `keystone.credential.provider` namespace. Keystone only provides a `fernet`
+# driver, so there's no reason to change this unless you are providing a custom
+# entry point to encrypt and decrypt credentials. (string value)
+#provider = fernet
+
+# Directory containing Fernet keys used to encrypt and decrypt credentials
+# stored in the credential backend. Fernet keys used to encrypt credentials
+# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets
+# of keys should be managed separately and require different rotation policies.
+# Do not share this repository with the repository used to manage keys for
+# Fernet tokens. (string value)
+#key_repository = /etc/keystone/credential-keys/
+
+
+[database]
+connection = mysql+pymysql://fe_t_keystone:KEYSTONE_DBPASS@felooca_test_iotronic_db:3306/felooca_test_keystone
+
+#
+# From oslo.db
+#
+
+# If True, SQLite uses synchronous mode. (boolean value)
+#sqlite_synchronous = true
+
+# The back end to use for the database. (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend = sqlalchemy
+
+# The SQLAlchemy connection string to use to connect to the database. (string
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+#connection =
+
+# The SQLAlchemy connection string to use to connect to the slave database.
+# (string value)
+#slave_connection =
+
+# The SQL mode to be used for MySQL sessions. This option, including the
+# default, overrides any server-set SQL mode. To use whatever SQL mode is set
+# by the server configuration, set this to no value. Example: mysql_sql_mode=
+# (string value)
+#mysql_sql_mode = TRADITIONAL
+
+# If True, transparently enables support for handling MySQL Cluster (NDB).
+# (boolean value)
+#mysql_enable_ndb = false
+
+# Connections which have been present in the connection pool longer than this
+# number of seconds will be replaced with a new one the next time they are
+# checked out from the pool. (integer value)
+# Deprecated group/name - [DATABASE]/idle_timeout
+# Deprecated group/name - [database]/idle_timeout
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#connection_recycle_time = 3600
+
+# DEPRECATED: Minimum number of SQL connections to keep open in a pool.
+# (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: The option to set the minimum pool size is not supported by
+# sqlalchemy.
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool. Setting a value of
+# 0 indicates no limit. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size = 5
+
+# Maximum number of database connection retries during startup. Set to -1 to
+# specify an infinite retry count. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a SQL connection.
(integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with SQLAlchemy. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = 50
+
+# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
+# value)
+# Minimum value: 0
+# Maximum value: 100
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add Python stack traces to SQL as comment strings. (boolean value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = false
+
+# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout =
+
+# Enable the experimental use of database reconnect on connection lost.
+# (boolean value)
+#use_db_reconnect = false
+
+# Seconds between retries of a database transaction. (integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. (boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+# Optional URL parameters to append onto the connection URL at connect time;
+# specify as param1=value1¶m2=value2&... (string value)
+#connection_parameters =
+
+
+[domain_config]
+
+#
+# From keystone
+#
+
+# Entry point for the domain-specific configuration driver in the
+# `keystone.resource.domain_config` namespace.
Only a `sql` option is provided
+# by keystone, so there is no reason to set this unless you are providing a
+# custom entry point. (string value)
+#driver = sql
+
+# Toggle for caching of the domain-specific configuration backend. This has no
+# effect unless global caching is enabled. There is normally no reason to
+# disable this. (boolean value)
+#caching = true
+
+# Time-to-live (TTL, in seconds) to cache domain-specific configuration data.
+# This has no effect unless `[domain_config] caching` is enabled. (integer
+# value)
+#cache_time = 300
+
+
+[endpoint_filter]
+
+#
+# From keystone
+#
+
+# Entry point for the endpoint filter driver in the `keystone.endpoint_filter`
+# namespace. Only a `sql` option is provided by keystone, so there is no reason
+# to set this unless you are providing a custom entry point. (string value)
+#driver = sql
+
+# This controls keystone's behavior if the configured endpoint filters do not
+# result in any endpoints for a user + project pair (and therefore a
+# potentially empty service catalog). If set to true, keystone will return the
+# entire service catalog. If set to false, keystone will return an empty
+# service catalog. (boolean value)
+#return_all_endpoints_if_no_filter = true
+
+
+[endpoint_policy]
+
+#
+# From keystone
+#
+
+# Entry point for the endpoint policy driver in the `keystone.endpoint_policy`
+# namespace. Only a `sql` driver is provided by keystone, so there is no reason
+# to set this unless you are providing a custom entry point. (string value)
+#driver = sql
+
+
+[eventlet_server]
+
+#
+# From keystone
+#
+
+# DEPRECATED: The IP address of the network interface for the public service to
+# listen on. (host address value)
+# Deprecated group/name - [DEFAULT]/bind_host
+# Deprecated group/name - [DEFAULT]/public_bind_host
+# This option is deprecated for removal since K.
+# Its value may be silently ignored in the future.
+# Reason: Support for running keystone under eventlet has been removed in the
+# Newton release. These options remain for backwards compatibility because they
+# are used for URL substitutions.
+#public_bind_host = 0.0.0.0
+
+# DEPRECATED: The port number for the public service to listen on. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+# Deprecated group/name - [DEFAULT]/public_port
+# This option is deprecated for removal since K.
+# Its value may be silently ignored in the future.
+# Reason: Support for running keystone under eventlet has been removed in the
+# Newton release. These options remain for backwards compatibility because they
+# are used for URL substitutions.
+#public_port = 5000
+
+# DEPRECATED: The IP address of the network interface for the admin service to
+# listen on. (host address value)
+# Deprecated group/name - [DEFAULT]/bind_host
+# Deprecated group/name - [DEFAULT]/admin_bind_host
+# This option is deprecated for removal since K.
+# Its value may be silently ignored in the future.
+# Reason: Support for running keystone under eventlet has been removed in the
+# Newton release. These options remain for backwards compatibility because they
+# are used for URL substitutions.
+#admin_bind_host = 0.0.0.0
+
+# DEPRECATED: The port number for the admin service to listen on. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+# Deprecated group/name - [DEFAULT]/admin_port
+# This option is deprecated for removal since K.
+# Its value may be silently ignored in the future.
+# Reason: Support for running keystone under eventlet has been removed in the
+# Newton release. These options remain for backwards compatibility because they
+# are used for URL substitutions.
+#admin_port = 35357
+
+
+[extra_headers]
+Distribution = Ubuntu
+
+#
+# From keystone
+#
+
+# Specifies the distribution of the keystone server.
(string value)
+#Distribution = Ubuntu
+
+
+[federation]
+
+#
+# From keystone
+#
+
+# Entry point for the federation backend driver in the `keystone.federation`
+# namespace. Keystone only provides a `sql` driver, so there is no reason to
+# set this option unless you are providing a custom entry point. (string value)
+#driver = sql
+
+# Prefix to use when filtering environment variable names for federated
+# assertions. Matched variables are passed into the federated mapping engine.
+# (string value)
+#assertion_prefix =
+
+# Value to be used to obtain the entity ID of the Identity Provider from the
+# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For
+# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`,
+# this could be `MELLON_IDP`. (string value)
+#remote_id_attribute =
+
+# An arbitrary domain name that is reserved to allow federated ephemeral users
+# to have a domain concept. Note that an admin will not be able to create a
+# domain with this name or update an existing domain to this name. You are not
+# advised to change this value unless you really have to. (string value)
+#federated_domain_name = Federated
+
+# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
+# to return a token, the origin host must be a member of this list. This
+# configuration option may be repeated for multiple values. You must set this
+# in order to use web-based SSO flows. For example:
+# trusted_dashboard=https://acme.example.com/auth/websso
+# trusted_dashboard=https://beta.example.com/auth/websso (multi valued)
+#trusted_dashboard =
+
+# Absolute path to an HTML file used as a Single Sign-On callback handler. This
+# page is expected to redirect the user from keystone back to a trusted
+# dashboard host, by form encoding a token in a POST request. Keystone's
+# default value should be sufficient for most deployments.
(string value)
+#sso_callback_template = /etc/keystone/sso_callback_template.html
+
+# Toggle for federation caching. This has no effect unless global caching is
+# enabled. There is typically no reason to disable this. (boolean value)
+#caching = true
+
+
+[fernet_receipts]
+
+#
+# From keystone
+#
+
+# Directory containing Fernet receipt keys. This directory must exist before
+# using `keystone-manage fernet_setup` for the first time, must be writable by
+# the user running `keystone-manage fernet_setup` or `keystone-manage
+# fernet_rotate`, and of course must be readable by keystone's server process.
+# The repository may contain keys in one of three states: a single staged key
+# (always index 0) used for receipt validation, a single primary key (always
+# the highest index) used for receipt creation and validation, and any number
+# of secondary keys (all other index values) used for receipt validation. With
+# multiple keystone nodes, each node must share the same key repository
+# contents, with the exception of the staged key (index 0). It is safe to run
+# `keystone-manage fernet_rotate` once on any one node to promote a staged key
+# (index 0) to be the new primary (incremented from the previous highest
+# index), and produce a new staged key (a new key with index 0); the resulting
+# repository can then be atomically replicated to other nodes without any risk
+# of race conditions (for example, it is safe to run `keystone-manage
+# fernet_rotate` on host A, wait any amount of time, create a tarball of the
+# directory on host A, unpack it on host B to a temporary location, and
+# atomically move (`mv`) the directory into place on host B). Running
+# `keystone-manage fernet_rotate` *twice* on a key repository without syncing
+# other nodes will result in receipts that can not be validated by all nodes.
+# (string value)
+#key_repository = /etc/keystone/fernet-keys/
+
+# This controls how many keys are held in rotation by `keystone-manage
+# fernet_rotate` before they are discarded. The default value of 3 means that
+# keystone will maintain one staged key (always index 0), one primary key (the
+# highest numerical index), and one secondary key (every other index).
+# Increasing this value means that additional secondary keys will be kept in
+# the rotation. (integer value)
+# Minimum value: 1
+#max_active_keys = 3
+
+
+[fernet_tokens]
+
+#
+# From keystone
+#
+
+# Directory containing Fernet token keys. This directory must exist before
+# using `keystone-manage fernet_setup` for the first time, must be writable by
+# the user running `keystone-manage fernet_setup` or `keystone-manage
+# fernet_rotate`, and of course must be readable by keystone's server process.
+# The repository may contain keys in one of three states: a single staged key
+# (always index 0) used for token validation, a single primary key (always the
+# highest index) used for token creation and validation, and any number of
+# secondary keys (all other index values) used for token validation. With
+# multiple keystone nodes, each node must share the same key repository
+# contents, with the exception of the staged key (index 0). It is safe to run
+# `keystone-manage fernet_rotate` once on any one node to promote a staged key
+# (index 0) to be the new primary (incremented from the previous highest
+# index), and produce a new staged key (a new key with index 0); the resulting
+# repository can then be atomically replicated to other nodes without any risk
+# of race conditions (for example, it is safe to run `keystone-manage
+# fernet_rotate` on host A, wait any amount of time, create a tarball of the
+# directory on host A, unpack it on host B to a temporary location, and
+# atomically move (`mv`) the directory into place on host B).
Running
+# `keystone-manage fernet_rotate` *twice* on a key repository without syncing
+# other nodes will result in tokens that can not be validated by all nodes.
+# (string value)
+#key_repository = /etc/keystone/fernet-keys/
+
+# This controls how many keys are held in rotation by `keystone-manage
+# fernet_rotate` before they are discarded. The default value of 3 means that
+# keystone will maintain one staged key (always index 0), one primary key (the
+# highest numerical index), and one secondary key (every other index).
+# Increasing this value means that additional secondary keys will be kept in
+# the rotation. (integer value)
+# Minimum value: 1
+#max_active_keys = 3
+
+
+[healthcheck]
+
+#
+# From oslo.middleware
+#
+
+# DEPRECATED: The path to respond to healtcheck requests on. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#path = /healthcheck
+
+# Show more detailed information as part of the response. Security note:
+# Enabling this option may expose sensitive details about the service being
+# monitored. Be sure to verify that it will not violate your security policies.
+# (boolean value)
+#detailed = false
+
+# Additional backends that can perform health checks and report that
+# information back as part of a request. (list value)
+#backends =
+
+# Check the presence of a file to determine if an application is running on a
+# port. Used by DisableByFileHealthcheck plugin. (string value)
+#disable_by_file_path =
+
+# Check the presence of a file based on a port to determine if an application
+# is running on a port. Expects a "port:path" list of strings. Used by
+# DisableByFilesPortsHealthcheck plugin. (list value)
+#disable_by_file_paths =
+
+
+[identity]
+
+#
+# From keystone
+#
+
+# This references the domain to use for all Identity API v2 requests (which are
+# not aware of domains). A domain with this ID can optionally be created for
+# you by `keystone-manage bootstrap`.
The domain referenced by this ID cannot
+# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There
+# is nothing special about this domain, other than the fact that it must exist
+# to order to maintain support for your v2 clients. There is typically no
+# reason to change this value. (string value)
+#default_domain_id = default
+
+# A subset (or all) of domains can have their own identity driver, each with
+# their own partial configuration options, stored in either the resource
+# backend or in a file in a domain configuration directory (depending on the
+# setting of `[identity] domain_configurations_from_database`). Only values
+# specific to the domain need to be specified in this manner. This feature is
+# disabled by default, but may be enabled by default in a future release; set
+# to true to enable. (boolean value)
+#domain_specific_drivers_enabled = false
+
+# By default, domain-specific configuration data is read from files in the
+# directory identified by `[identity] domain_config_dir`. Enabling this
+# configuration option allows you to instead manage domain-specific
+# configurations through the API, which are then persisted in the backend
+# (typically, a SQL database), rather than using configuration files on disk.
+# (boolean value)
+#domain_configurations_from_database = false
+
+# Absolute path where keystone should locate domain-specific `[identity]`
+# configuration files. This option has no effect unless `[identity]
+# domain_specific_drivers_enabled` is set to true. There is typically no reason
+# to change this value. (string value)
+#domain_config_dir = /etc/keystone/domains
+
+# Entry point for the identity backend driver in the `keystone.identity`
+# namespace. Keystone provides a `sql` and `ldap` driver.
This option is also
+# used as the default driver selection (along with the other configuration
+# variables in this section) in the event that `[identity]
+# domain_specific_drivers_enabled` is enabled, but no applicable domain-
+# specific configuration is defined for the domain in question. Unless your
+# deployment primarily relies on `ldap` AND is not using domain-specific
+# configuration, you should typically leave this set to `sql`. (string value)
+#driver = sql
+
+# Toggle for identity caching. This has no effect unless global caching is
+# enabled. There is typically no reason to disable this. (boolean value)
+#caching = true
+
+# Time to cache identity data (in seconds). This has no effect unless global
+# and identity caching are enabled. (integer value)
+#cache_time = 600
+
+# Maximum allowed length for user passwords. Decrease this value to improve
+# performance. Changing this value does not effect existing passwords. (integer
+# value)
+# Maximum value: 4096
+#max_password_length = 4096
+
+# Maximum number of entities that will be returned in an identity collection.
+# (integer value)
+#list_limit =
+
+# The password hashing algorithm to use for passwords stored within keystone.
+# (string value)
+# Possible values:
+# bcrypt -
+# scrypt -
+# pbkdf2_sha512 -
+#password_hash_algorithm = bcrypt
+
+# This option represents a trade off between security and performance. Higher
+# values lead to slower performance, but higher security. Changing this option
+# will only affect newly created passwords as existing password hashes already
+# have a fixed number of rounds applied, so it is safe to tune this option in a
+# running cluster. The default for bcrypt is 12, must be between 4 and 31,
+# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The
+# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING:
+# If using scrypt, increasing this value increases BOTH time AND memory
+# requirements to hash a password.
(integer value)
+#password_hash_rounds =
+
+# Optional block size to pass to scrypt hash function (the `r` parameter).
+# Useful for tuning scrypt to optimal performance for your CPU architecture.
+# This option is only used when the `password_hash_algorithm` option is set to
+# `scrypt`. Defaults to 8. (integer value)
+#scrypt_block_size =
+
+# Optional parallelism to pass to scrypt hash function (the `p` parameter).
+# This option is only used when the `password_hash_algorithm` option is set to
+# `scrypt`. Defaults to 1. (integer value)
+#scrypt_parallelism =
+
+# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for
+# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a
+# maximum of 96 bytes due to the size of the column used to store password
+# hashes. (integer value)
+# Minimum value: 0
+# Maximum value: 96
+#salt_bytesize =
+
+
+[identity_mapping]
+
+#
+# From keystone
+#
+
+# Entry point for the identity mapping backend driver in the
+# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql`
+# driver, so there is no reason to change this unless you are providing a
+# custom entry point. (string value)
+#driver = sql
+
+# Entry point for the public ID generator for user and group entities in the
+# `keystone.identity.id_generator` namespace. The Keystone identity mapper only
+# supports generators that produce 64 bytes or less. Keystone only provides a
+# `sha256` entry point, so there is no reason to change this value unless
+# you're providing a custom entry point. (string value)
+#generator = sha256
+
+# The format of user and group IDs changed in Juno for backends that do not
+# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to
+# the underlying attribute in LDAP. By default this mapping is disabled, which
+# ensures that existing IDs will not change.
Even when the mapping is enabled
+# by using domain-specific drivers (`[identity]
+# domain_specific_drivers_enabled`), any users and groups from the default
+# domain being handled by LDAP will still not be mapped to ensure their IDs
+# remain backward compatible. Setting this value to false will enable the new
+# mapping for all backends, including the default LDAP driver. It is only
+# guaranteed to be safe to enable this option if you do not already have
+# assignments for users and groups from the default LDAP domain, and you
+# consider it to be acceptable for Keystone to provide the different IDs to
+# clients than it did previously (existing IDs in the API will suddenly
+# change). Typically this means that the only time you can set this value to
+# false is when configuring a fresh installation, although that is the
+# recommended value. (boolean value)
+#backward_compatible_ids = true
+
+
+[jwt_tokens]
+
+#
+# From keystone
+#
+
+# Directory containing public keys for validating JWS token signatures. This
+# directory must exist in order for keystone's server process to start. It must
+# also be readable by keystone's server process. It must contain at least one
+# public key that corresponds to a private key in `keystone.conf [jwt_tokens]
+# jws_private_key_repository`. This option is only applicable in deployments
+# issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`.
+# (string value)
+#jws_public_key_repository = /etc/keystone/jws-keys/public
+
+# Directory containing private keys for signing JWS tokens. This directory must
+# exist in order for keystone's server process to start. It must also be
+# readable by keystone's server process. It must contain at least one private
+# key that corresponds to a public key in `keystone.conf [jwt_tokens]
+# jws_public_key_repository`. In the event there are multiple private keys in
+# this directory, keystone will use a key named `private.pem` to sign tokens.
+# In the future, keystone may support the ability to sign tokens with multiple
+# private keys. For now, only a key named `private.pem` within this directory
+# is required to issue JWS tokens. This option is only applicable in
+# deployments issuing JWS tokens and setting `keystone.conf [tokens] provider =
+# jws`. (string value)
+#jws_private_key_repository = /etc/keystone/jws-keys/private
+
+
+[ldap]
+
+#
+# From keystone
+#
+
+# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified
+# as a comma separated string. The first URL to successfully bind is used for
+# the connection. (string value)
+#url = ldap://localhost
+
+# The user name of the administrator bind DN to use when querying the LDAP
+# server, if your LDAP server requires it. (string value)
+#user =
+
+# The password of the administrator bind DN to use when querying the LDAP
+# server, if your LDAP server requires it. (string value)
+#password =
+
+# The default LDAP server suffix to use, if a DN is not defined via either
+# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value)
+#suffix = cn=example,cn=com
+
+# The search scope which defines how deep to search within the search base. A
+# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search
+# of objects immediately below to the base object, but does not include the
+# base object itself. A value of `sub` (representing `subtree` or
+# `wholeSubtree`) indicates a search of both the base object itself and the
+# entire subtree below it. (string value)
+# Possible values:
+# one -
+# sub -
+#query_scope = one
+
+# Defines the maximum number of results per page that keystone should request
+# from the LDAP server when listing objects. A value of zero (`0`) disables
+# paging. (integer value)
+# Minimum value: 0
+#page_size = 0
+
+# The LDAP dereferencing option to use for queries involving aliases.
A value
+# of `default` falls back to using default dereferencing behavior configured by
+# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced
+# at all. A value of `searching` dereferences aliases only after name
+# resolution. A value of `finding` dereferences aliases only during name
+# resolution. A value of `always` dereferences aliases in all cases. (string
+# value)
+# Possible values:
+# never -
+# searching -
+# always -
+# finding -
+# default -
+#alias_dereferencing = default
+
+# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
+# debugging is not enabled. This value is a bitmask, consult your LDAP
+# documentation for possible values. (integer value)
+# Minimum value: -1
+#debug_level =
+
+# Sets keystone's referral chasing behavior across directory partitions. If
+# left unset, the system's default behavior will be used. (boolean value)
+#chase_referrals =
+
+# The search base to use for users. Defaults to the `[ldap] suffix` value.
+# (string value)
+#user_tree_dn =
+
+# The LDAP search filter to use for users. (string value)
+#user_filter =
+
+# The LDAP object class to use for users. (string value)
+#user_objectclass = inetOrgPerson
+
+# The LDAP attribute mapped to user IDs in keystone. This must NOT be a
+# multivalued attribute. User IDs are expected to be globally unique across
+# keystone domains and URL-safe. (string value)
+#user_id_attribute = cn
+
+# The LDAP attribute mapped to user names in keystone. User names are expected
+# to be unique only within a keystone domain and are not expected to be URL-
+# safe. (string value)
+#user_name_attribute = sn
+
+# The LDAP attribute mapped to user descriptions in keystone. (string value)
+#user_description_attribute = description
+
+# The LDAP attribute mapped to user emails in keystone. (string value)
+#user_mail_attribute = mail
+
+# The LDAP attribute mapped to user passwords in keystone.
(string value) +#user_pass_attribute = userPassword + +# The LDAP attribute mapped to the user enabled attribute in keystone. If +# setting this option to `userAccountControl`, then you may be interested in +# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well. +# (string value) +#user_enabled_attribute = enabled + +# Logically negate the boolean value of the enabled attribute obtained from the +# LDAP server. Some LDAP servers use a boolean lock attribute where "true" +# means an account is disabled. Setting `[ldap] user_enabled_invert = true` +# will allow these lock attributes to be used. This option will have no effect +# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` +# options are in use. (boolean value) +#user_enabled_invert = false + +# Bitmask integer to select which bit indicates the enabled value if the LDAP +# server represents "enabled" as a bit on an integer rather than as a discrete +# boolean. A value of `0` indicates that the mask is not used. If this is not +# set to `0` the typical value is `2`. This is typically used when `[ldap] +# user_enabled_attribute = userAccountControl`. Setting this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value) +# Minimum value: 0 +#user_enabled_mask = 0 + +# The default value to enable users. This should match an appropriate integer +# value if the LDAP server uses non-boolean (bitmask) values to indicate if a +# user is enabled or disabled. If this is not set to `True`, then the typical +# value is `512`. This is typically used when `[ldap] user_enabled_attribute = +# userAccountControl`. (string value) +#user_enabled_default = True + +# List of user attributes to ignore on create and update, or whether a specific +# user attribute should be filtered for list or show user. (list value) +#user_attribute_ignore = default_project_id + +# The LDAP attribute mapped to a user's default_project_id in keystone. 
This is +# most commonly used when keystone has write access to LDAP. (string value) +#user_default_project_id_attribute = + +# If enabled, keystone uses an alternative method to determine if a user is +# enabled or not by checking if they are a member of the group defined by the +# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value) +#user_enabled_emulation = false + +# DN of the group entry to hold enabled users when using enabled emulation. +# Setting this option has no effect unless `[ldap] user_enabled_emulation` is +# also enabled. (string value) +#user_enabled_emulation_dn = + +# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` +# settings to determine membership in the emulated enabled group. Enabling this +# option has no effect unless `[ldap] user_enabled_emulation` is also enabled. +# (boolean value) +#user_enabled_emulation_use_group_config = false + +# A list of LDAP attribute to keystone user attribute pairs used for mapping +# additional attributes to users in keystone. The expected format is +# `:`, where `ldap_attr` is the attribute in the LDAP +# object and `user_attr` is the attribute which should appear in the identity +# API. (list value) +#user_additional_attribute_mapping = + +# The search base to use for groups. Defaults to the `[ldap] suffix` value. +# (string value) +#group_tree_dn = + +# The LDAP search filter to use for groups. (string value) +#group_filter = + +# The LDAP object class to use for groups. If setting this option to +# `posixGroup`, you may also be interested in enabling the `[ldap] +# group_members_are_ids` option. (string value) +#group_objectclass = groupOfNames + +# The LDAP attribute mapped to group IDs in keystone. This must NOT be a +# multivalued attribute. Group IDs are expected to be globally unique across +# keystone domains and URL-safe. 
(string value) +#group_id_attribute = cn + +# The LDAP attribute mapped to group names in keystone. Group names are +# expected to be unique only within a keystone domain and are not expected to +# be URL-safe. (string value) +#group_name_attribute = ou + +# The LDAP attribute used to indicate that a user is a member of the group. +# (string value) +#group_member_attribute = member + +# Enable this option if the members of the group object class are keystone user +# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the +# group object class in Open Directory. (boolean value) +#group_members_are_ids = false + +# The LDAP attribute mapped to group descriptions in keystone. (string value) +#group_desc_attribute = description + +# List of group attributes to ignore on create and update. or whether a +# specific group attribute should be filtered for list or show group. (list +# value) +#group_attribute_ignore = + +# A list of LDAP attribute to keystone group attribute pairs used for mapping +# additional attributes to groups in keystone. The expected format is +# `:`, where `ldap_attr` is the attribute in the LDAP +# object and `group_attr` is the attribute which should appear in the identity +# API. (list value) +#group_additional_attribute_mapping = + +# If enabled, group queries will use Active Directory specific filters for +# nested groups. (boolean value) +#group_ad_nesting = false + +# An absolute path to a CA certificate file to use when communicating with LDAP +# servers. This option will take precedence over `[ldap] tls_cacertdir`, so +# there is no reason to set both. (string value) +#tls_cacertfile = + +# An absolute path to a CA certificate directory to use when communicating with +# LDAP servers. There is no reason to set this option if you've also set +# `[ldap] tls_cacertfile`. (string value) +#tls_cacertdir = + +# Enable TLS when communicating with LDAP servers. 
You should also set the +# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this +# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead +# of TLS. (boolean value) +#use_tls = false + +# Specifies which checks to perform against client certificates on incoming TLS +# sessions. If set to `demand`, then a certificate will always be requested and +# required from the LDAP server. If set to `allow`, then a certificate will +# always be requested but not required from the LDAP server. If set to `never`, +# then a certificate will never be requested. (string value) +# Possible values: +# demand - +# never - +# allow - +#tls_req_cert = demand + +# The connection timeout to use with the LDAP server. A value of `-1` means +# that connections will never timeout. (integer value) +# Minimum value: -1 +#connection_timeout = -1 + +# Enable LDAP connection pooling for queries to the LDAP server. There is +# typically no reason to disable this. (boolean value) +#use_pool = true + +# The size of the LDAP connection pool. This option has no effect unless +# `[ldap] use_pool` is also enabled. (integer value) +# Minimum value: 1 +#pool_size = 10 + +# The maximum number of times to attempt reconnecting to the LDAP server before +# aborting. A value of zero prevents retries. This option has no effect unless +# `[ldap] use_pool` is also enabled. (integer value) +# Minimum value: 0 +#pool_retry_max = 3 + +# The number of seconds to wait before attempting to reconnect to the LDAP +# server. This option has no effect unless `[ldap] use_pool` is also enabled. +# (floating point value) +#pool_retry_delay = 0.1 + +# The connection timeout to use when pooling LDAP connections. A value of `-1` +# means that connections will never timeout. This option has no effect unless +# `[ldap] use_pool` is also enabled. (integer value) +# Minimum value: -1 +#pool_connection_timeout = -1 + +# The maximum connection lifetime to the LDAP server in seconds. 
When this +# lifetime is exceeded, the connection will be unbound and removed from the +# connection pool. This option has no effect unless `[ldap] use_pool` is also +# enabled. (integer value) +# Minimum value: 1 +#pool_connection_lifetime = 600 + +# Enable LDAP connection pooling for end user authentication. There is +# typically no reason to disable this. (boolean value) +#use_auth_pool = true + +# The size of the connection pool to use for end user authentication. This +# option has no effect unless `[ldap] use_auth_pool` is also enabled. (integer +# value) +# Minimum value: 1 +#auth_pool_size = 100 + +# The maximum end user authentication connection lifetime to the LDAP server in +# seconds. When this lifetime is exceeded, the connection will be unbound and +# removed from the connection pool. This option has no effect unless `[ldap] +# use_auth_pool` is also enabled. (integer value) +# Minimum value: 1 +#auth_pool_connection_lifetime = 60 + + +[memcache] + +# +# From keystone +# + +# Number of seconds memcached server is considered dead before it is tried +# again. This is used by the key value store system. (integer value) +#dead_retry = 300 + +# Timeout in seconds for every call to a server. This is used by the key value +# store system. (integer value) +#socket_timeout = 3 + +# Max total number of open connections to every memcached server. This is used +# by the key value store system. (integer value) +#pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. This is used by the key value store system. (integer value) +#pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. This is used by the key value store system. (integer value) +#pool_connection_get_timeout = 10 + + +[oauth1] + +# +# From keystone +# + +# Entry point for the OAuth backend driver in the `keystone.oauth1` namespace. 
+# Typically, there is no reason to set this option unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Number of seconds for the OAuth Request Token to remain valid after being +# created. This is the amount of time the user has to authorize the token. +# Setting this option to zero means that request tokens will last forever. +# (integer value) +# Minimum value: 0 +#request_token_duration = 28800 + +# Number of seconds for the OAuth Access Token to remain valid after being +# created. This is the amount of time the consumer has to interact with the +# service provider (which is typically keystone). Setting this option to zero +# means that access tokens will last forever. (integer value) +# Minimum value: 0 +#access_token_duration = 86400 + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# Name for the AMQP container. must be globally unique. Defaults to a generated +# UUID (string value) +#container_name = + +# Timeout for inactive connections (in seconds) (integer value) +#idle_timeout = 0 + +# Debug: dump AMQP frames to stdout (boolean value) +#trace = false + +# Attempt to connect via SSL. If no other ssl-related parameters are given, it +# will use the system's CA-bundle to verify the server's certificate. (boolean +# value) +#ssl = false + +# CA certificate PEM file used to verify the server's certificate (string +# value) +#ssl_ca_file = + +# Self-identifying certificate PEM file for client authentication (string +# value) +#ssl_cert_file = + +# Private key PEM file used to sign ssl_cert_file certificate (optional) +# (string value) +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +#ssl_key_password = + +# By default SSL checks that the name in the server's certificate matches the +# hostname in the transport_url. 
In some configurations it may be preferable to +# use the virtual hostname instead, for example if the server uses the Server +# Name Indication TLS extension (rfc6066) to provide a certificate per virtual +# host. Set ssl_verify_vhost to True if the server's SSL certificate uses the +# virtual host name instead of the DNS name. (boolean value) +#ssl_verify_vhost = false + +# Space separated list of acceptable SASL mechanisms (string value) +#sasl_mechanisms = + +# Path to directory that contains the SASL configuration (string value) +#sasl_config_dir = + +# Name of configuration file (without .conf suffix) (string value) +#sasl_config_name = + +# SASL realm to use if no realm present in username (string value) +#sasl_default_realm = + +# Seconds to pause before attempting to re-connect. (integer value) +# Minimum value: 1 +#connection_retry_interval = 1 + +# Increase the connection_retry_interval by this many seconds after each +# unsuccessful failover attempt. (integer value) +# Minimum value: 0 +#connection_retry_backoff = 2 + +# Maximum limit for connection_retry_interval + connection_retry_backoff +# (integer value) +# Minimum value: 1 +#connection_retry_interval_max = 30 + +# Time to pause between re-connecting an AMQP 1.0 link that failed due to a +# recoverable error. (integer value) +# Minimum value: 1 +#link_retry_delay = 10 + +# The maximum number of attempts to re-send a reply message which failed due to +# a recoverable error. (integer value) +# Minimum value: -1 +#default_reply_retry = 0 + +# The deadline for an rpc reply message delivery. (integer value) +# Minimum value: 5 +#default_reply_timeout = 30 + +# The deadline for an rpc cast or call message delivery. Only used when caller +# does not provide a timeout expiry. (integer value) +# Minimum value: 5 +#default_send_timeout = 30 + +# The deadline for a sent notification message delivery. Only used when caller +# does not provide a timeout expiry. 
(integer value) +# Minimum value: 5 +#default_notify_timeout = 30 + +# The duration to schedule a purge of idle sender links. Detach link after +# expiry. (integer value) +# Minimum value: 1 +#default_sender_link_timeout = 600 + +# Indicates the addressing mode used by the driver. +# Permitted values: +# 'legacy' - use legacy non-routable addressing +# 'routable' - use routable addresses +# 'dynamic' - use legacy addresses if the message bus does not support routing +# otherwise use routable addressing (string value) +#addressing_mode = dynamic + +# Enable virtual host support for those message buses that do not natively +# support virtual hosting (such as qpidd). When set to true the virtual host +# name will be added to all message bus addresses, effectively creating a +# private 'subnet' per virtual host. Set to False if the message bus supports +# virtual hosting using the 'hostname' field in the AMQP 1.0 Open performative +# as the name of the virtual host. (boolean value) +#pseudo_vhost = true + +# address prefix used when sending to a specific server (string value) +#server_request_prefix = exclusive + +# address prefix used when broadcasting to all servers (string value) +#broadcast_prefix = broadcast + +# address prefix when sending to any server in group (string value) +#group_request_prefix = unicast + +# Address prefix for all generated RPC addresses (string value) +#rpc_address_prefix = openstack.org/om/rpc + +# Address prefix for all generated Notification addresses (string value) +#notify_address_prefix = openstack.org/om/notify + +# Appended to the address prefix when sending a fanout message. Used by the +# message bus to identify fanout messages. (string value) +#multicast_address = multicast + +# Appended to the address prefix when sending to a particular RPC/Notification +# server. Used by the message bus to identify messages sent to a single +# destination. 
(string value) +#unicast_address = unicast + +# Appended to the address prefix when sending to a group of consumers. Used by +# the message bus to identify messages that should be delivered in a round- +# robin fashion across consumers. (string value) +#anycast_address = anycast + +# Exchange name used in notification addresses. +# Exchange name resolution precedence: +# Target.exchange if set +# else default_notification_exchange if set +# else control_exchange if set +# else 'notify' (string value) +#default_notification_exchange = + +# Exchange name used in RPC addresses. +# Exchange name resolution precedence: +# Target.exchange if set +# else default_rpc_exchange if set +# else control_exchange if set +# else 'rpc' (string value) +#default_rpc_exchange = + +# Window size for incoming RPC Reply messages. (integer value) +# Minimum value: 1 +#reply_link_credit = 200 + +# Window size for incoming RPC Request messages (integer value) +# Minimum value: 1 +#rpc_server_credit = 100 + +# Window size for incoming Notification messages (integer value) +# Minimum value: 1 +#notify_server_credit = 100 + +# Send messages of this type pre-settled. +# Pre-settled messages will not receive acknowledgement +# from the peer. Note well: pre-settled messages may be +# silently discarded if the delivery fails. +# Permitted values: +# 'rpc-call' - send RPC Calls pre-settled +# 'rpc-reply'- send RPC Replies pre-settled +# 'rpc-cast' - Send RPC Casts pre-settled +# 'notify' - Send Notifications pre-settled +# (multi valued) +#pre_settled = rpc-cast +#pre_settled = rpc-reply + + +[oslo_messaging_kafka] + +# +# From oslo.messaging +# + +# Max fetch bytes of Kafka consumer (integer value) +#kafka_max_fetch_bytes = 1048576 + +# Default timeout(s) for Kafka consumers (floating point value) +#kafka_consumer_timeout = 1.0 + +# DEPRECATED: Pool Size for Kafka Consumers (integer value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: Driver no longer uses connection pool. +#pool_size = 10 + +# DEPRECATED: The pool size limit for connections expiration policy (integer +# value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Driver no longer uses connection pool. +#conn_pool_min_size = 2 + +# DEPRECATED: The time-to-live in sec of idle connections in the pool (integer +# value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Driver no longer uses connection pool. +#conn_pool_ttl = 1200 + +# Group id for Kafka consumer. Consumers in one group will coordinate message +# consumption (string value) +#consumer_group = oslo_messaging_consumer + +# Upper bound on the delay for KafkaProducer batching in seconds (floating +# point value) +#producer_batch_timeout = 0.0 + +# Size of batch for the producer async send (integer value) +#producer_batch_size = 16384 + +# Enable asynchronous consumer commits (boolean value) +#enable_auto_commit = false + +# The maximum number of records returned in a poll call (integer value) +#max_poll_records = 500 + +# Protocol used to communicate with brokers (string value) +# Possible values: +# PLAINTEXT - +# SASL_PLAINTEXT - +# SSL - +# SASL_SSL - +#security_protocol = PLAINTEXT + +# Mechanism when security protocol is SASL (string value) +#sasl_mechanism = PLAIN + +# CA certificate PEM file used to verify the server certificate (string value) +#ssl_cafile = + + +[oslo_messaging_notifications] + +# +# From oslo.messaging +# + +# The Drivers(s) to handle sending notifications. Possible values are +# messaging, messagingv2, routing, log, test, noop (multi valued) +# Deprecated group/name - [DEFAULT]/notification_driver +#driver = + +# A URL representing the messaging driver to use for notifications. If not set, +# we fall back to the same configuration used for RPC. 
(string value) +# Deprecated group/name - [DEFAULT]/notification_transport_url +#transport_url = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +# Deprecated group/name - [DEFAULT]/notification_topics +#topics = notifications + +# The maximum number of attempts to re-send a notification message which failed +# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite +# (integer value) +#retry = -1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete = false + +# Connect over SSL. (boolean value) +# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl +#ssl = false + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version +#ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile +#ssl_key_file = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile +#ssl_cert_file = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs +#ssl_ca_file = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +#kombu_reconnect_delay = 1.0 + +# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not +# be used. This option may not be available in future versions. (string value) +#kombu_compression = + +# How long to wait a missing client before abandoning to send it its replies. 
+# This value should not be longer than rpc_response_timeout. (integer value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout +#kombu_missing_consumer_retry_timeout = 60 + +# Determines how the next RabbitMQ node is chosen in case the one we are +# currently connected to becomes unavailable. Takes effect only if more than +# one RabbitMQ node is provided in config. (string value) +# Possible values: +# round-robin - +# shuffle - +#kombu_failover_strategy = round-robin + +# The RabbitMQ login method. (string value) +# Possible values: +# PLAIN - +# AMQPLAIN - +# RABBIT-CR-DEMO - +#rabbit_login_method = AMQPLAIN + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +#rabbit_retry_backoff = 2 + +# Maximum interval of RabbitMQ connection retries. Default is 30 seconds. +# (integer value) +#rabbit_interval_max = 30 + +# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this +# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring +# is no longer controlled by the x-ha-policy argument when declaring a queue. +# If you just want to make sure that all queues (except those with auto- +# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy +# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value) +#rabbit_ha_queues = false + +# Positive integer representing duration in seconds for queue TTL (x-expires). +# Queues which are unused for the duration of the TTL are automatically +# deleted. The parameter affects only reply and fanout queues. (integer value) +# Minimum value: 1 +#rabbit_transient_queues_ttl = 1800 + +# Specifies the number of messages to prefetch. Setting to zero allows +# unlimited messages. 
(integer value) +#rabbit_qos_prefetch_count = 0 + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer +# value) +#heartbeat_timeout_threshold = 60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate = 2 + + +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. (integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + +# DEPRECATED: The HTTP Header that will be used to determine what the original +# request protocol scheme was, even if it was hidden by a SSL termination +# proxy. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#secure_proxy_ssl_header = X-Forwarded-Proto + +# Whether the application is behind a proxy or not. This determines if the +# middleware should parse the headers or not. (boolean value) +#enable_proxy_headers_parsing = false + + +[oslo_policy] + +# +# From oslo.policy +# + +# This option controls whether or not to enforce scope when evaluating +# policies. If ``True``, the scope of the token used in the request is compared +# to the ``scope_types`` of the policy being enforced. If the scopes do not +# match, an ``InvalidScope`` exception will be raised. If ``False``, a message +# will be logged informing operators that policies are being invoked with +# mismatching scope. (boolean value) +#enforce_scope = false + +# The file that defines policies. (string value) +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. (string value) +#policy_default_rule = default + +# Directories where policy configuration files are stored. 
They can be relative +# to any directory in the search path defined by the config_dir option, or +# absolute paths. The file defined by policy_file must exist for these +# directories to be searched. Missing or empty directories are ignored. (multi +# valued) +#policy_dirs = policy.d + +# Content Type to send and receive data for REST based policy check (string +# value) +# Possible values: +# application/x-www-form-urlencoded - +# application/json - +#remote_content_type = application/x-www-form-urlencoded + +# server identity verification for REST based policy check (boolean value) +#remote_ssl_verify_server_crt = false + +# Absolute path to ca cert file for REST based policy check (string value) +#remote_ssl_ca_crt_file = + +# Absolute path to client cert for REST based policy check (string value) +#remote_ssl_client_crt_file = + +# Absolute path client key file REST based policy check (string value) +#remote_ssl_client_key_file = + + +[policy] + +# +# From keystone +# + +# Entry point for the policy backend driver in the `keystone.policy` namespace. +# Supplied drivers are `rules` (which does not support any CRUD operations for +# the v3 policy API) and `sql`. Typically, there is no reason to set this +# option unless you are providing a custom entry point. (string value) +#driver = sql + +# Maximum number of entities that will be returned in a policy collection. +# (integer value) +#list_limit = + + +[profiler] + +# +# From osprofiler +# + +# +# Enable the profiling for all services on this node. +# +# Default value is False (fully disable the profiling feature). +# +# Possible values: +# +# * True: Enables the feature +# * False: Disables the feature. The profiling cannot be started via this +# project +# operations. If the profiling is triggered by another project, this project +# part will be empty. +# (boolean value) +# Deprecated group/name - [profiler]/profiler_enabled +#enabled = false + +# +# Enable SQL requests profiling in services. 
+# +# Default value is False (SQL requests won't be traced). +# +# Possible values: +# +# * True: Enables SQL requests profiling. Each SQL query will be part of the +# trace and can the be analyzed by how much time was spent for that. +# * False: Disables SQL requests profiling. The spent time is only shown on a +# higher level of operations. Single SQL queries cannot be analyzed this way. +# (boolean value) +#trace_sqlalchemy = false + +# +# Secret key(s) to use for encrypting context data for performance profiling. +# +# This string value should have the following format: +# [,,...], +# where each key is some random string. A user who triggers the profiling via +# the REST API has to set one of these keys in the headers of the REST API call +# to include profiling results of this node for this particular project. +# +# Both "enabled" flag and "hmac_keys" config options should be set to enable +# profiling. Also, to generate correct profiling information across all +# services +# at least one key needs to be consistent between OpenStack projects. This +# ensures it can be used from client side to generate the trace, containing +# information from all possible resources. +# (string value) +#hmac_keys = SECRET_KEY + +# +# Connection string for a notifier backend. +# +# Default value is ``messaging://`` which sets the notifier to oslo_messaging. +# +# Examples of possible values: +# +# * ``messaging://`` - use oslo_messaging driver for sending spans. +# * ``redis://127.0.0.1:6379`` - use redis driver for sending spans. +# * ``mongodb://127.0.0.1:27017`` - use mongodb driver for sending spans. +# * ``elasticsearch://127.0.0.1:9200`` - use elasticsearch driver for sending +# spans. +# * ``jaeger://127.0.0.1:6831`` - use jaeger tracing as driver for sending +# spans. +# (string value) +#connection_string = messaging:// + +# +# Document type for notification indexing in elasticsearch. 
+# (string value) +#es_doc_type = notification + +# +# This parameter is a time value parameter (for example: es_scroll_time=2m), +# indicating for how long the nodes that participate in the search will +# maintain +# relevant resources in order to continue and support it. +# (string value) +#es_scroll_time = 2m + +# +# Elasticsearch splits large requests in batches. This parameter defines +# maximum size of each batch (for example: es_scroll_size=10000). +# (integer value) +#es_scroll_size = 10000 + +# +# Redissentinel provides a timeout option on the connections. +# This parameter defines that timeout (for example: socket_timeout=0.1). +# (floating point value) +#socket_timeout = 0.1 + +# +# Redissentinel uses a service name to identify a master redis service. +# This parameter defines the name (for example: +# ``sentinal_service_name=mymaster``). +# (string value) +#sentinel_service_name = mymaster + +# +# Enable filter traces that contain error/exception to a separated place. +# +# Default value is set to False. +# +# Possible values: +# +# * True: Enable filter traces that contain error/exception. +# * False: Disable the filter. +# (boolean value) +#filter_error_trace = false + + +[receipt] + +# +# From keystone +# + +# The amount of time that a receipt should remain valid (in seconds). This +# value should always be very short, as it represents how long a user has to +# reattempt auth with the missing auth methods. (integer value) +# Minimum value: 0 +# Maximum value: 86400 +#expiration = 300 + +# Entry point for the receipt provider in the `keystone.receipt.provider` +# namespace. The receipt provider controls the receipt construction and +# validation operations. Keystone includes just the `fernet` receipt provider +# for now. `fernet` receipts do not need to be persisted at all, but require +# that you run `keystone-manage fernet_setup` (also see the `keystone-manage +# fernet_rotate` command). 
(string value) +#provider = fernet + +# Toggle for caching receipt creation and validation data. This has no effect +# unless global caching is enabled, or if cache_on_issue is disabled as we only +# cache receipts on issue. (boolean value) +#caching = true + +# The number of seconds to cache receipt creation and validation data. This has +# no effect unless both global and `[receipt] caching` are enabled. (integer +# value) +# Minimum value: 0 +#cache_time = 300 + +# Enable storing issued receipt data to receipt validation cache so that first +# receipt validation doesn't actually cause full validation cycle. This option +# has no effect unless global caching and receipt caching are enabled. (boolean +# value) +#cache_on_issue = true + + +[resource] + +# +# From keystone +# + +# DEPRECATED: Entry point for the resource driver in the `keystone.resource` +# namespace. Only a `sql` driver is supplied by keystone. Unless you are +# writing proprietary drivers for keystone, you do not need to set this option. +# (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: Non-SQL resource cannot be used with SQL Identity and has been unable +# to be used since Ocata. SQL Resource backend is a requirement as of Pike. +# Setting this option no longer has an effect on how Keystone operates. +#driver = sql + +# Toggle for resource caching. This has no effect unless global caching is +# enabled. (boolean value) +# Deprecated group/name - [assignment]/caching +#caching = true + +# Time to cache resource data in seconds. This has no effect unless global +# caching is enabled. (integer value) +# Deprecated group/name - [assignment]/cache_time +#cache_time = + +# Maximum number of entities that will be returned in a resource collection. +# (integer value) +# Deprecated group/name - [assignment]/list_limit +#list_limit = + +# Name of the domain that owns the `admin_project_name`. 
If left unset, then +# there is no admin project. `[resource] admin_project_name` must also be set +# to use this option. (string value) +#admin_project_domain_name = + +# This is a special project which represents cloud-level administrator +# privileges across services. Tokens scoped to this project will contain a true +# `is_admin_project` attribute to indicate to policy systems that the role +# assignments on that specific project should apply equally across every +# project. If left unset, then there is no admin project, and thus no explicit +# means of cross-project role assignments. `[resource] +# admin_project_domain_name` must also be set to use this option. (string +# value) +#admin_project_name = + +# This controls whether the names of projects are restricted from containing +# URL-reserved characters. If set to `new`, attempts to create or update a +# project with a URL-unsafe name will fail. If set to `strict`, attempts to +# scope a token with a URL-unsafe project name will fail, thereby forcing all +# project names to be updated to be URL-safe. (string value) +# Possible values: +# off - +# new - +# strict - +#project_name_url_safe = off + +# This controls whether the names of domains are restricted from containing +# URL-reserved characters. If set to `new`, attempts to create or update a +# domain with a URL-unsafe name will fail. If set to `strict`, attempts to +# scope a token with a URL-unsafe domain name will fail, thereby forcing all +# domain names to be updated to be URL-safe. (string value) +# Possible values: +# off - +# new - +# strict - +#domain_name_url_safe = off + + +[revoke] + +# +# From keystone +# + +# Entry point for the token revocation backend driver in the `keystone.revoke` +# namespace. Keystone only provides a `sql` driver, so there is no reason to +# set this option unless you are providing a custom entry point. 
(string value) +#driver = sql + +# The number of seconds after a token has expired before a corresponding +# revocation event may be purged from the backend. (integer value) +# Minimum value: 0 +#expiration_buffer = 1800 + +# Toggle for revocation event caching. This has no effect unless global caching +# is enabled. (boolean value) +#caching = true + +# Time to cache the revocation list and the revocation events (in seconds). +# This has no effect unless global and `[revoke] caching` are both enabled. +# (integer value) +# Deprecated group/name - [token]/revocation_cache_time +#cache_time = 3600 + + +[role] + +# +# From keystone +# + +# Entry point for the role backend driver in the `keystone.role` namespace. +# Keystone only provides a `sql` driver, so there's no reason to change this +# unless you are providing a custom entry point. (string value) +#driver = + +# Toggle for role caching. This has no effect unless global caching is enabled. +# In a typical deployment, there is no reason to disable this. (boolean value) +#caching = true + +# Time to cache role data, in seconds. This has no effect unless both global +# caching and `[role] caching` are enabled. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. This +# may be useful to tune if you have a large number of discrete roles in your +# deployment. (integer value) +#list_limit = + + +[saml] + +# +# From keystone +# + +# Determines the lifetime for any SAML assertions generated by keystone, using +# `NotOnOrAfter` attributes. (integer value) +#assertion_expiration_time = 3600 + +# Name of, or absolute path to, the binary to be used for XML signing. Although +# only the XML Security Library (`xmlsec1`) is supported, it may have a non- +# standard name or path on your system. 
If keystone cannot find the binary +# itself, you may need to install the appropriate package, use this option to +# specify an absolute path, or adjust keystone's PATH environment variable. +# (string value) +#xmlsec1_binary = xmlsec1 + +# Absolute path to the public certificate file to use for SAML signing. The +# value cannot contain a comma (`,`). (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Absolute path to the private key file to use for SAML signing. The value +# cannot contain a comma (`,`). (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# This is the unique entity identifier of the identity provider (keystone) to +# use when generating SAML assertions. This value is required to generate +# identity provider metadata and must be a URI (a URL is recommended). For +# example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`. (uri +# value) +#idp_entity_id = + +# This is the single sign-on (SSO) service location of the identity provider +# which accepts HTTP POST requests. A value is required to generate identity +# provider metadata. For example: `https://keystone.example.com/v3/OS- +# FEDERATION/saml2/sso`. (uri value) +#idp_sso_endpoint = + +# This is the language used by the identity provider's organization. (string +# value) +#idp_lang = en + +# This is the name of the identity provider's organization. (string value) +#idp_organization_name = SAML Identity Provider + +# This is the name of the identity provider's organization to be displayed. +# (string value) +#idp_organization_display_name = OpenStack SAML Identity Provider + +# This is the URL of the identity provider's organization. The URL referenced +# here should be useful to humans. (uri value) +#idp_organization_url = https://example.com/ + +# This is the company name of the identity provider's contact person. (string +# value) +#idp_contact_company = Example, Inc. + +# This is the given name of the identity provider's contact person. 
(string +# value) +#idp_contact_name = SAML Identity Provider Support + +# This is the surname of the identity provider's contact person. (string value) +#idp_contact_surname = Support + +# This is the email address of the identity provider's contact person. (string +# value) +#idp_contact_email = support@example.com + +# This is the telephone number of the identity provider's contact person. +# (string value) +#idp_contact_telephone = +1 800 555 0100 + +# This is the type of contact that best describes the identity provider's +# contact person. (string value) +# Possible values: +# technical - +# support - +# administrative - +# billing - +# other - +#idp_contact_type = other + +# Absolute path to the identity provider metadata file. This file should be +# generated with the `keystone-manage saml_idp_metadata` command. There is +# typically no reason to change this value. (string value) +#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml + +# The prefix of the RelayState SAML attribute to use when generating enhanced +# client and proxy (ECP) assertions. In a typical deployment, there is no +# reason to change this value. (string value) +#relay_state_prefix = ss:mem: + + +[security_compliance] + +# +# From keystone +# + +# The maximum number of days a user can go without authenticating before being +# considered "inactive" and automatically disabled (locked). This feature is +# disabled by default; set any value to enable it. This feature depends on the +# `sql` backend for the `[identity] driver`. When a user exceeds this threshold +# and is considered "inactive", the user's `enabled` attribute in the HTTP API +# may not match the value of the user's `enabled` column in the user table. +# (integer value) +# Minimum value: 1 +#disable_user_account_days_inactive = + +# The maximum number of times that a user can fail to authenticate before the +# user account is locked for the number of seconds specified by +# `[security_compliance] lockout_duration`. 
This feature is disabled by +# default. If this feature is enabled and `[security_compliance] +# lockout_duration` is not set, then users may be locked out indefinitely until +# the user is explicitly enabled via the API. This feature depends on the `sql` +# backend for the `[identity] driver`. (integer value) +# Minimum value: 1 +#lockout_failure_attempts = + +# The number of seconds a user account will be locked when the maximum number +# of failed authentication attempts (as specified by `[security_compliance] +# lockout_failure_attempts`) is exceeded. Setting this option will have no +# effect unless you also set `[security_compliance] lockout_failure_attempts` +# to a non-zero value. This feature depends on the `sql` backend for the +# `[identity] driver`. (integer value) +# Minimum value: 1 +#lockout_duration = 1800 + +# The number of days for which a password will be considered valid before +# requiring it to be changed. This feature is disabled by default. If enabled, +# new password changes will have an expiration date, however existing passwords +# would not be impacted. This feature depends on the `sql` backend for the +# `[identity] driver`. (integer value) +# Minimum value: 1 +#password_expires_days = + +# This controls the number of previous user password iterations to keep in +# history, in order to enforce that newly created passwords are unique. The +# total number which includes the new password should not be greater or equal +# to this value. Setting the value to zero (the default) disables this feature. +# Thus, to enable this feature, values must be greater than 0. This feature +# depends on the `sql` backend for the `[identity] driver`. (integer value) +# Minimum value: 0 +#unique_last_password_count = 0 + +# The number of days that a password must be used before the user can change +# it. This prevents users from changing their passwords immediately in order to +# wipe out their password history and reuse an old password. 
This feature does +# not prevent administrators from manually resetting passwords. It is disabled +# by default and allows for immediate password changes. This feature depends on +# the `sql` backend for the `[identity] driver`. Note: If +# `[security_compliance] password_expires_days` is set, then the value for this +# option should be less than the `password_expires_days`. (integer value) +# Minimum value: 0 +#minimum_password_age = 0 + +# The regular expression used to validate password strength requirements. By +# default, the regular expression will match any password. The following is an +# example of a pattern which requires at least 1 letter, 1 digit, and have a +# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature +# depends on the `sql` backend for the `[identity] driver`. (string value) +#password_regex = + +# Describe your password regular expression here in language for humans. If a +# password fails to match the regular expression, the contents of this +# configuration variable will be returned to users to explain why their +# requested password was insufficient. (string value) +#password_regex_description = + +# Enabling this option requires users to change their password when the user is +# created, or upon administrative reset. Before accessing any services, +# affected users will have to change their password. To ignore this requirement +# for specific users, such as service users, set the `options` attribute +# `ignore_change_password_upon_first_use` to `True` for the desired user via +# the update user API. This feature is disabled by default. This feature is +# only applicable with the `sql` backend for the `[identity] driver`. (boolean +# value) +#change_password_upon_first_use = false + + +[shadow_users] + +# +# From keystone +# + +# Entry point for the shadow users backend driver in the +# `keystone.identity.shadow_users` namespace. 
This driver is used for +# persisting local user references to externally-managed identities (via +# federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no +# reason to change this option unless you are providing a custom entry point. +# (string value) +#driver = sql + + +[signing] + +# +# From keystone +# + +# DEPRECATED: Absolute path to the public certificate file to use for signing +# responses to revocation lists requests. Set this together with `[signing] +# keyfile`. For non-production environments, you may be interested in using +# `keystone-manage pki_setup` to generate self-signed certificates. (string +# value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# DEPRECATED: Absolute path to the private key file to use for signing +# responses to revocation lists requests. Set this together with `[signing] +# certfile`. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# DEPRECATED: Absolute path to the public certificate authority (CA) file to +# use when creating self-signed certificates with `keystone-manage pki_setup`. +# Set this together with `[signing] ca_key`. There is no reason to set this +# option unless you are requesting revocation lists in a non-production +# environment. Use a `[signing] certfile` issued from a trusted certificate +# authority instead. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. 
+# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#ca_certs = /etc/keystone/ssl/certs/ca.pem + +# DEPRECATED: Absolute path to the private certificate authority (CA) key file +# to use when creating self-signed certificates with `keystone-manage +# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason +# to set this option unless you are requesting revocation lists in a non- +# production environment. Use a `[signing] certfile` issued from a trusted +# certificate authority instead. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# DEPRECATED: Key size (in bits) to use when generating a self-signed token +# signing certificate. There is no reason to set this option unless you are +# requesting revocation lists in a non-production environment. Use a `[signing] +# certfile` issued from a trusted certificate authority instead. (integer +# value) +# Minimum value: 1024 +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#key_size = 2048 + +# DEPRECATED: The validity period (in days) to use when generating a self- +# signed token signing certificate. There is no reason to set this option +# unless you are requesting revocation lists in a non-production environment. +# Use a `[signing] certfile` issued from a trusted certificate authority +# instead. (integer value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. 
+# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#valid_days = 3650 + +# DEPRECATED: The certificate subject to use when generating a self-signed +# token signing certificate. There is no reason to set this option unless you +# are requesting revocation lists in a non-production environment. Use a +# `[signing] certfile` issued from a trusted certificate authority instead. +# (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com + + +[token] + +provider = fernet + +# +# From keystone +# + +# The amount of time that a token should remain valid (in seconds). Drastically +# reducing this value may break "long-running" operations that involve multiple +# services to coordinate together, and will force users to authenticate with +# keystone more frequently. Drastically increasing this value will increase the +# number of tokens that will be simultaneously valid. Keystone tokens are also +# bearer tokens, so a shorter duration will also reduce the potential security +# impact of a compromised token. (integer value) +# Minimum value: 0 +# Maximum value: 9223372036854775807 +#expiration = 3600 + +# Entry point for the token provider in the `keystone.token.provider` +# namespace. The token provider controls the token construction, validation, +# and revocation operations. Supported upstream providers are `fernet` and +# `jws`. Neither `fernet` or `jws` tokens require persistence and both require +# additional setup. If using `fernet`, you're required to run `keystone-manage +# fernet_setup`, which creates symmetric keys used to encrypt tokens. 
If using +# `jws`, you're required to generate an ECDSA keypair using a SHA-256 hash +# algorithm for signing and validating token, which can be done with `keystone- +# manage create_jws_keypair`. Note that `fernet` tokens are encrypted and `jws` +# tokens are only signed. Please be sure to consider this if your deployment +# has security requirements regarding payload contents used to generate token +# IDs. (string value) +#provider = fernet + +# Toggle for caching token creation and validation data. This has no effect +# unless global caching is enabled. (boolean value) +#caching = true + +# The number of seconds to cache token creation and validation data. This has +# no effect unless both global and `[token] caching` are enabled. (integer +# value) +# Minimum value: 0 +# Maximum value: 9223372036854775807 +#cache_time = + +# This toggles support for revoking individual tokens by the token identifier +# and thus various token enumeration operations (such as listing all tokens +# issued to a specific user). These operations are used to determine the list +# of tokens to consider revoked. Do not disable this option if you're using the +# `kvs` `[revoke] driver`. (boolean value) +#revoke_by_id = true + +# This toggles whether scoped tokens may be re-scoped to a new project or +# domain, thereby preventing users from exchanging a scoped token (including +# those with a default project scope) for any other token. This forces users to +# either authenticate for unscoped tokens (and later exchange that unscoped +# token for tokens with a more specific scope) or to provide their credentials +# in every request for a scoped token to avoid re-scoping altogether. (boolean +# value) +#allow_rescope_scoped_token = true + +# DEPRECATED: This controls whether roles should be included with tokens that +# are not directly assigned to the token's scope, but are instead linked +# implicitly to other role assignments. 
(boolean value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. +# Reason: Default roles depend on a chain of implied role assignments. Ex: an +# admin user will also have the reader and member role. By ensuring that all +# these roles will always appear on the token validation response, we can +# improve the simplicity and readability of policy files. +#infer_roles = true + +# DEPRECATED: Enable storing issued token data to token validation cache so +# that first token validation doesn't actually cause full validation cycle. +# This option has no effect unless global caching is enabled and will still +# cache tokens even if `[token] caching = False`. (boolean value) +# This option is deprecated for removal since S. +# Its value may be silently ignored in the future. +# Reason: Keystone already exposes a configuration option for caching tokens. +# Having a separate configuration option to cache tokens when they are issued +# is redundant, unnecessarily complicated, and is misleading if token caching +# is disabled because tokens will still be pre-cached by default when they are +# issued. The ability to pre-cache tokens when they are issued is going to rely +# exclusively on the ``keystone.conf [token] caching`` option in the future. +#cache_on_issue = true + +# This controls the number of seconds that a token can be retrieved for beyond +# the built-in expiry time. This allows long running operations to succeed. +# Defaults to two days. (integer value) +#allow_expired_window = 172800 + + +[tokenless_auth] + +# +# From keystone +# + +# The list of distinguished names which identify trusted issuers of client +# certificates allowed to use X.509 tokenless authorization. If the option is +# absent then no certificates will be allowed. The format for the values of a +# distinguished name (DN) must be separated by a comma and contain no spaces. 
+# Furthermore, because an individual DN may contain commas, this configuration +# option may be repeated multiple times to represent multiple values. For +# example, keystone.conf would include two consecutive lines in order to trust +# two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` +# and `trusted_issuer = CN=mary,OU=eng,O=abc`. (multi valued) +#trusted_issuer = + +# The federated protocol ID used to represent X.509 tokenless authorization. +# This is used in combination with the value of `[tokenless_auth] +# issuer_attribute` to find a corresponding federated mapping. In a typical +# deployment, there is no reason to change this value. (string value) +#protocol = x509 + +# The name of the WSGI environment variable used to pass the issuer of the +# client certificate to keystone. This attribute is used as an identity +# provider ID for the X.509 tokenless authorization along with the protocol to +# look up its corresponding mapping. In a typical deployment, there is no +# reason to change this value. (string value) +#issuer_attribute = SSL_CLIENT_I_DN + + +[trust] + +# +# From keystone +# + +# Allows authorization to be redelegated from one user to another, effectively +# chaining trusts together. When disabled, the `remaining_uses` attribute of a +# trust is constrained to be zero. (boolean value) +#allow_redelegation = false + +# Maximum number of times that authorization can be redelegated from one user +# to another in a chain of trusts. This number may be reduced further for a +# specific trust. (integer value) +#max_redelegation_count = 3 + +# Entry point for the trust backend driver in the `keystone.trust` namespace. +# Keystone only provides a `sql` driver, so there is no reason to change this +# unless you are providing a custom entry point. (string value) +#driver = sql + + +[unified_limit] + +# +# From keystone +# + +# Entry point for the unified limit backend driver in the +# `keystone.unified_limit` namespace. 
Keystone only provides a `sql` driver, so +# there's no reason to change this unless you are providing a custom entry +# point. (string value) +#driver = sql + +# Toggle for unified limit caching. This has no effect unless global caching is +# enabled. In a typical deployment, there is no reason to disable this. +# (boolean value) +#caching = true + +# Time to cache unified limit data, in seconds. This has no effect unless both +# global caching and `[unified_limit] caching` are enabled. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. This +# may be useful to tune if you have a large number of unified limits in your +# deployment. (integer value) +#list_limit = + +# The enforcement model to use when validating limits associated to projects. +# Enforcement models will behave differently depending on the existing limits, +# which may result in backwards incompatible changes if a model is switched in +# a running deployment. (string value) +# Possible values: +# flat - +# strict_two_level - +#enforcement_model = flat + + +[wsgi] + +# +# From keystone +# + +# If set to true, this enables the oslo debug middleware in Keystone. This +# Middleware prints a lot of information about the request and the response. It +# is useful for getting information about the data on the wire (decoded) and +# passed to the WSGI application pipeline. This middleware has no effect on the +# "debug" setting in the [DEFAULT] section of the config file or setting +# Keystone's log-level to "DEBUG"; it is specific to debugging the WSGI data as +# it enters and leaves Keystone (specific request-related data). This option is +# used for introspection on the request and response data between the web +# server (apache, nginx, etc) and Keystone. This middleware is inserted as the +# first element in the middleware chain and will show the data closest to the +# wire. WARNING: NOT INTENDED FOR USE IN PRODUCTION. 
THIS MIDDLEWARE CAN AND
+# WILL EMIT SENSITIVE/PRIVILEGED DATA. (boolean value)
+#debug_middleware = false
diff --git a/3-conductor/3-conductor b/3-conductor/3-conductor
new file mode 100755
index 0000000..f8bb580
--- /dev/null
+++ b/3-conductor/3-conductor
@@ -0,0 +1,30 @@
+#! /bin/bash
+
+VERSION="latest"
+
+docker create \
+ --name=felooca_test_iotronic_conductor \
+ --restart unless-stopped\
+ --network=felooca_test_network \
+ --hostname conductor \
+ -p 8813:8812 \
+ -v felooca_test_iotronic_conductor_config:/etc/iotronic/ \
+ -v /var/log/iotronic-conductor:/var/log/iotronic \
+smartme/felooca_test_iotronic_conductor:$VERSION
+
+docker cp conf/iotronic.conf felooca_test_iotronic_conductor:/etc/iotronic/
+
+docker run --rm \
+ --network=felooca_test_network \
+ -v felooca_test_iotronic_conductor_config:/etc/iotronic/ \
+ -v /var/log/iotronic-conductor:/var/log/iotronic \
+smartme/felooca_test_iotronic_conductor:$VERSION \
+/bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/"
+
+docker run --rm \
+ --network=felooca_test_network \
+ -v felooca_test_iotronic_conductor_config:/etc/iotronic/ \
+ -v /var/log/iotronic-conductor:/var/log/iotronic \
+smartme/felooca_test_iotronic_conductor:$VERSION /bin/sh -c "iotronic-dbsync"
+
+docker start felooca_test_iotronic_conductor
\ No newline at end of file
diff --git a/3-conductor/3.5-conductor b/3-conductor/3.5-conductor
new file mode 100755
index 0000000..60a9b6d
--- /dev/null
+++ b/3-conductor/3.5-conductor
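Review bot: The script never sets `set -e`, so if `docker create` fails (for example because a container named felooca_test_iotronic_conductor already exists from a previous run) the `docker cp`, the chown run, `iotronic-dbsync` and `docker start` all still execute against whatever container happens to carry that name; `set -euo pipefail` right after the shebang would stop at the first failed step. The conf/iotronic.conf being copied in holds clear-text credentials (see that file later in this commit), and `docker cp` preserves the host file's mode as far as I recall, so the copy should at least be followed by a tightening step such as `docker run --rm -v felooca_test_iotronic_conductor_config:/etc/iotronic/ smartme/felooca_test_iotronic_conductor:$VERSION chmod 640 /etc/iotronic/iotronic.conf`, or better the secrets should be injected at deploy time instead of shipped in the repo. `-p 8813:8812` publishes the API on every host interface; if the `proxy=nginx` setting in the conf means nginx fronts this service, `-p 127.0.0.1:8813:8812` keeps it off the public side.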
@@ -0,0 +1,26 @@
+#! /bin/bash
+
+IP_IOTRONIC="felooca-test.smartme.io"
+HTTPS=true
+IOTRONIC_PASS="smartme"
+
+URL="http://$IP_IOTRONIC:8812"
+if [ "$HTTPS" = true ] ; then
+ URL="https://$IP_IOTRONIC:8812"
+fi
+
+echo $URL
+
+docker exec felooca_test_keystone openstack service create iot --name Iotronic
+docker exec felooca_test_keystone openstack user create --password $IOTRONIC_PASS iotronic
+docker exec felooca_test_keystone openstack role add --project service --user iotronic admin
+docker exec felooca_test_keystone openstack role create admin_iot_project
+docker exec felooca_test_keystone openstack role create manager_iot_project
+docker exec felooca_test_keystone openstack role create user_iot
+docker exec felooca_test_keystone openstack role add --project service --user iotronic admin_iot_project
+
+docker exec felooca_test_keystone openstack endpoint create --region RegionOne iot public $URL
+docker exec felooca_test_keystone openstack endpoint create --region RegionOne iot internal $URL
+docker exec felooca_test_keystone openstack endpoint create --region RegionOne iot admin $URL
+
+docker exec felooca_test_keystone openstack role add --project admin --user admin admin_iot_project
\ No newline at end of file
diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile
new file mode 100644
index 0000000..c15393c
--- /dev/null
+++ b/3-conductor/build/Dockerfile
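Review bot: `IOTRONIC_PASS="smartme"` hard-codes a trivially guessable password for an account that the following `role add --project service --user iotronic admin` line makes a cloud admin, and the value is committed next to the public host name, so anyone with read access to this repo holds admin credentials; take it from the environment instead, `IOTRONIC_PASS="${IOTRONIC_PASS:?set IOTRONIC_PASS}"`, and rotate the committed value. Passing it as `--password $IOTRONIC_PASS` also leaves it visible in the keystone container's process list while the command runs; `openstack user create --password-prompt iotronic` under `docker exec -it` avoids that, at the cost of interactivity. `echo $URL` should be `printf '%s\n' "$URL"`, and without `set -e` a failed `service create` still lets the three `endpoint create` calls run against a service that does not exist.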
@@ -0,0 +1,50 @@
+FROM ubuntu:bionic
+#ENV VERSION=2.3.9
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+ENV LC_CTYPE en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANG C.UTF-8
+
+RUN apt-get update \
+ && apt-get install nocache -y software-properties-common locales tzdata\
+ && add-apt-repository -y cloud-archive:stein \
+ && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim
+
+RUN locale-gen en_US.UTF-8
+ENV TZ 'Europe/Rome'
+RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata
+
+RUN apt-get install nocache -y git apache2 python3-setuptools libapache2-mod-wsgi-py3
+#RUN git clone https://opendev.org/x/iotronic.git /opt/build/iotronic
+#RUN git clone -b felooca_dev --depth 1 ssh://git@git.smartme.io:20022/smartme.io/stack4things/iotronic/iotronic.git /opt/build/iotronic
+COPY ./iotronic /opt/build/iotronic
+
+WORKDIR /opt/build/iotronic
+
+RUN pip3 install --upgrade pip
+RUN pip3 install --ignore-installed PyYAML
+RUN pip3 install -r requirements.txt
+RUN python3 setup.py install
+RUN useradd -m -d /var/lib/iotronic iotronic
+RUN mkdir -p /var/log/iotronic \
+&& touch /var/log/iotronic/iotronic-conductor.log \
+&& touch /var/log/iotronic/iotronic-api_error.log \
+&& touch /var/log/iotronic/iotronic-api_access.log \
+&& chown -R iotronic:iotronic /var/log/iotronic/ \
+&& cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf
+
+RUN pip3 uninstall -y SQLAlchemy
+RUN pip3 install SQLAlchemy==1.3.20
+
+
+RUN a2ensite iotronic
+
+COPY bin/startConductor /usr/local/bin/startConductor
+VOLUME ["/etc/iotronic"]
+VOLUME ["/var/log/iotronic"]
+
+EXPOSE 8812
+
+CMD ["/usr/local/bin/startConductor"]
\ No newline at end of file
diff --git a/3-conductor/build/bin/startConductor b/3-conductor/build/bin/startConductor
new file mode 100755
index 0000000..a15f458
--- /dev/null
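Review bot: `apt-get install nocache -y ...` (three occurrences) passes `nocache` as a package name rather than an option; there is a real Ubuntu package of that name, so the build most likely installs an unrelated tool silently instead of failing, and whatever was intended (probably `--no-install-recommends`) never takes effect — change each to `apt-get install -y --no-install-recommends ...` and end the layer with `rm -rf /var/lib/apt/lists/*`. The image also never drops privileges: `useradd -m -d /var/lib/iotronic iotronic` is created and given the log directory, but there is no `USER` directive, so the `CMD` runs startConductor and the conductor it launches as root (startConductor is in this same commit and does not switch user either). `ENV LANG` is set twice with `C.UTF-8` winning, which makes the earlier `en_US.UTF-8` line and `locale-gen` misleading. `pip3 install --upgrade pip` followed by `pip3 install -r requirements.txt` resolves unpinned packages at build time, so the image contents depend on what PyPI serves that day; pinning (ideally with `--require-hashes`) would make the supply chain auditable.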
+++ b/3-conductor/build/bin/startConductor
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Start the first process
+/usr/sbin/apache2ctl -D FOREGROUND &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start APACHE2: $status"
+ exit $status
+fi
+
+# Start the second process
+/usr/local/bin/iotronic-conductor
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start iotronic-conductor: $status"
+ exit $status
+fi
+
+while sleep 60; do
+ ps aux |grep apache2 |grep -q -v grep
+ PROCESS_1_STATUS=$?
+ ps aux |grep iotronic-conductor |grep -q -v grep
+ PROCESS_2_STATUS=$?
+ # If the greps above find anything, they exit with 0 status
+ # If they are not both 0, then something is wrong
+ if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 ]; then
+ echo "One of the processes has already exited."
+ exit 1
+ fi
+done
\ No newline at end of file
diff --git a/3-conductor/build/build b/3-conductor/build/build
new file mode 100755
index 0000000..058342b
--- /dev/null
+++ b/3-conductor/build/build
@@ -0,0 +1,4 @@
+#! /bin/bash
+
+VERSION="latest"
+docker build -t smartme/felooca_test_iotronic_conductor:$VERSION .
\ No newline at end of file
diff --git a/3-conductor/conf/iotronic.conf b/3-conductor/conf/iotronic.conf
new file mode 100644
index 0000000..7518195
--- /dev/null
+++ b/3-conductor/conf/iotronic.conf
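Review bot: `/usr/local/bin/iotronic-conductor` is run in the foreground, unlike the apache2ctl line above it, so the `status=$?` check after it and the entire `while sleep 60` watchdog only execute once the conductor has already exited — an apache2 crash while the conductor is alive goes unnoticed, and a clean conductor exit drops into a loop that then reports "One of the processes has already exited." The fix is the trailing ampersand, `/usr/local/bin/iotronic-conductor &`. Note that `status=$?` right after a backgrounded command is the status of the fork, never of the program, so both early checks are effectively always 0 and the loop is the only real supervision; there `ps aux |grep ... |grep -q -v grep` is better written as `pgrep -f apache2 >/dev/null` and `pgrep -f iotronic-conductor >/dev/null`, joined with `||` rather than the deprecated `-o`. Nothing here drops privileges either; if the conductor does not need root, `runuser -u iotronic -- /usr/local/bin/iotronic-conductor &` would use the account the Dockerfile creates.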
@@ -0,0 +1,102 @@ +[DEFAULT] +transport_url=rabbit://openstack:smartme@felooca_test_rabbitmq:5672/ + +debug=True +log_file = /var/log/iotronic/iotronic-conductor.log +proxy=nginx + + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[conductor] +service_port_min=50000 +service_port_max=50100 + +[wamp] +wamp_transport_url = wss://:/ +wamp_realm = s4t +# skip_cert_verify= False +# register_agent = True +service_allow_list=True +service_allow_list_path="/var/lib/iotronic/wstun/allowlist.json" + + + +[database] +connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic + +[keystone_authtoken] +www_authenticate_uri = https://felooca-test-ctrl.smartme.io:5000 +auth_url = https://felooca-test-ctrl.smartme.io:5000 +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = smartme + + +[neutron] +auth_url = http://:5000 +url = http://:9696 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = +retries = 3 +project_domain_id= default + + +[designate] +auth_url = https://dev.felooca.eu:5000/ +url = https://dev.felooca.eu:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = admin +username = admin +password = f3l00caSMDEV +retries = 3 +project_domain_id= default + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. 
Example:
+# https://horizon.example.com (list value)
+#allowed_origin = 
+
+# Indicate that the actual request can include user
+# credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API.
+# Defaults to HTTP Simple Headers. (list value)
+#expose_headers = 
+
+# Maximum cache age of CORS preflight requests. (integer
+# value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual
+# request. (list value)
+#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH
+
+# Indicate which header field names may be used during the
+# actual request. (list value)
+#allow_headers = 
\ No newline at end of file
diff --git a/4-iotronic-crossbar/4-crossbar b/4-iotronic-crossbar/4-crossbar
new file mode 100755
index 0000000..c2fc1dd
--- /dev/null
+++ b/4-iotronic-crossbar/4-crossbar
@@ -0,0 +1,17 @@
+#! /bin/bash
+
+CERT_PATH="/etc/ssl/iotronic/client_iotronic/"
+
+docker create \
+ --name=felooca_test_iotronic_crossbar \
+ --network=host \
+ --restart unless-stopped\
+ -p 8181:8181 \
+ -v felooca_test_crossbar_config:/node/.crossbar \
+ -v $CERT_PATH:/node/.crossbar/ssl:ro \
+crossbario/crossbar:cpy3-20.2.1
+
+
+docker cp confs/config.json felooca_test_iotronic_crossbar:/node/.crossbar/
+
+docker start felooca_test_iotronic_crossbar
diff --git a/4-iotronic-crossbar/confs/config.json b/4-iotronic-crossbar/confs/config.json
new file mode 100644
index 0000000..d0aee91
--- /dev/null
+++ b/4-iotronic-crossbar/confs/config.json
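Review bot: This file commits live credentials in clear text — `transport_url=rabbit://openstack:smartme@…`, `password = smartme` under `[keystone_authtoken]` and `password = f3l00caSMDEV` for the `admin` user of the `dev.felooca.eu` `[designate]` endpoint — and 5-wagent/conf/iotronic.conf repeats the same values; treat them as exposed and rotate them, and keep only a template in the repository with the real file supplied at deploy time (the `docker cp` in 3-conductor already supports an untracked local copy). `debug=True` is set for a deployment whose own comments warn against debug modes in production. `wamp_transport_url = wss://:/` and the `[neutron]` `auth_url = http://:5000` / `url = http://:9696` are empty placeholders that will fail at connect time, so it is unclear whether this file is meant to be deployable as committed.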
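Review bot: `--network=host` makes the `-p 8181:8181` publish option a no-op (Docker discards port mappings under host networking), so the router listens on the host's interfaces directly and the `-p` line is only misleading documentation; the same combination appears in 4-iotronic-wstun/4-wstun and 5-wagent/5-wagent. `$CERT_PATH` is unquoted in the `-v` argument; write `-v "$CERT_PATH:/node/.crossbar/ssl:ro"`. The mounted directory must contain the `CA.pem` that confs/config.json names in `chain_certificates`, whereas the file shipped under 4-iotronic-wstun/confs/ssl is `rootCA.pem`; confirm the host directory actually carries that name or the router will fail to load its TLS chain.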
@@ -0,0 +1,56 @@
+{
+ "version": 2,
+ "controller": {
+ },
+ "workers": [
+ {
+ "type": "router",
+ "realms": [
+ {
+ "name": "s4t",
+ "roles": [
+ {
+ "name": "anonymous",
+ "permissions": [
+ {
+ "uri": "*",
+ "allow": {
+ "publish": true,
+ "subscribe": true,
+ "call": true,
+ "register": true
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "transports": [
+ {
+ "type": "websocket",
+ "endpoint": {
+ "type": "tcp",
+ "port":8181,
+ "tls": {
+ "chain_certificates": ["/node/.crossbar/ssl/CA.pem"],
+ "key": "/node/.crossbar/ssl/iotronic.key",
+ "certificate": "/node/.crossbar/ssl/iotronic.pem"
+ }
+
+ },
+ "options":{
+ "enable_webstatus":true,
+ "fail_by_drop": true,
+ "open_handshake_timeout": 2500,
+ "close_handshake_timeout": 1000,
+ "auto_ping_interval": 20000,
+ "auto_ping_timeout": 0,
+ "auto_ping_size": 4
+ }
+ }
+ ]
+ }
+ ]
+}
+
diff --git a/4-iotronic-wstun/4-wstun b/4-iotronic-wstun/4-wstun
new file mode 100755
index 0000000..5796d71
--- /dev/null
+++ b/4-iotronic-wstun/4-wstun
@@ -0,0 +1,20 @@
+#! /bin/bash
+
+VERSION=allowlist
+CERT_PATH="/etc/ssl/iotronic/client_iotronic/"
+
+ALLOW_PATH="/var/lib/docker/volumes/felooca_test_iotronic_wagent_config/_data/allowlist"
+
+docker build -t smartmeio/felooca_test_iotronic_wstun:$VERSION .
+
+RANGE="50000-50100:50000-50100"
+
+docker run -d \
+ --name=felooca_test_iotronic_wstun \
+ --network=host \
+ --restart unless-stopped\
+ -p 8080:8080 \
+ -p $RANGE \
+-v $CERT_PATH:/var/lib/iotronic/ssl/:ro \
+-v $ALLOW_PATH:/var/lib/wstun/allowlist:ro \
+smartmeio/felooca_test_iotronic_wstun:$VERSION
\ No newline at end of file
diff --git a/4-iotronic-wstun/Dockerfile b/4-iotronic-wstun/Dockerfile
new file mode 100644
index 0000000..852c026
--- /dev/null
+++ b/4-iotronic-wstun/Dockerfile
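Review bot: The `anonymous` role is granted `publish`, `subscribe`, `call` and `register` on `"uri": "*"`, so any client that can open a WebSocket to port 8181 — bound on the host's interfaces by 4-crossbar's `--network=host` — can register procedures, publish to and subscribe on the whole `s4t` realm without authenticating; as far as this PR shows, TLS on the transport is the only protection, and the wagent side disables certificate verification. Restrict the role to the URI prefixes the conductor, wagent and boards actually use and require an authenticated role on the transport instead of `anonymous`. `"auto_ping_timeout": 0` appears to disable ping-timeout detection, so dead peers would linger until TCP gives up; a value around the ping interval is the usual choice, confirm against the crossbar version pinned (`cpy3-20.2.1`). `enable_webstatus` also exposes a status page on the same listener, which is better left off on a host-bound port.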
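Review bot: `ALLOW_PATH` reaches into `/var/lib/docker/volumes/…/_data`, Docker's private storage layout, to share the wagent's allowlist (written to `/etc/iotronic/allowlist` per 5-wagent/conf/iotronic.conf) with this container; this depends on the storage driver's on-disk layout and on the script running as root on the host. A dedicated named volume holding only the allowlist, mounted into both containers, removes that coupling without also exposing the wagent's iotronic.conf secrets to this container. As for 4-crossbar, `-p 8080:8080 -p $RANGE` is discarded under `--network=host`, and `$CERT_PATH` / `$ALLOW_PATH` should be quoted. Bind-mounting the single file also means that if the wagent replaces `allowlist` by rename rather than rewriting it in place, the container keeps the stale inode — worth confirming how the wagent updates it.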
@@ -0,0 +1,31 @@
+FROM node:carbon-alpine
+ENV VERSION=allowlist
+#1.1.0
+
+#RUN npm install -g --unsafe @mdslab/wstun \
+# && npm cache --force clean
+
+RUN apk --no-cache add git
+
+RUN npm install -g --unsafe websocket@1.0.26 optimist@0.6.1 node-uuid@1.4.7 under_score log4js@1.1.1 && npm cache --force clean
+
+RUN git clone -b $VERSION --depth 1 https://github.com/MDSLab/wstun.git /usr/local/lib/node_modules/@mdslab/wstun/
+
+#COPY wstun /usr/local/lib/node_modules/@mdslab/wstun
+
+ENV NODE_PATH=/usr/local/lib/node_modules
+
+WORKDIR /usr/bin/
+
+#EXPOSE 40001-40050
+EXPOSE 8080
+
+RUN mkdir -p /var/log/wstun/
+
+#RUN mkdir -p /var/lib/iotronic/ssl/
+#COPY ./confs/ssl/ /var/lib/iotronic/ssl/
+#COPY ./confs/allowlist /var/lib/wstun/
+
+
+#ENTRYPOINT ["node", "/usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js", "-r", "-s", "8080", "--ssl=false", "-a/var/lib/iotronic/wstun/allowlist"]
+ENTRYPOINT ["node", "/usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js", "-r", "-s", "8080", "--ssl=true", "--key=/var/lib/iotronic/ssl/iotronic.key", "--cert=/var/lib/iotronic/ssl/iotronic.pem", "-a/var/lib/wstun/allowlist"]
diff --git a/4-iotronic-wstun/confs/allowlist b/4-iotronic-wstun/confs/allowlist
new file mode 100644
index 0000000..0637a08
--- /dev/null
+++ b/4-iotronic-wstun/confs/allowlist
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/4-iotronic-wstun/confs/ssl/iotronic.key b/4-iotronic-wstun/confs/ssl/iotronic.key
new file mode 100644
index 0000000..2335d51
--- /dev/null
+++ b/4-iotronic-wstun/confs/ssl/iotronic.key
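Review bot: `git clone -b $VERSION --depth 1 https://github.com/MDSLab/wstun.git` pins a branch (`allowlist`), not a commit, so the image's contents change whenever that branch moves and the build cannot be reproduced or audited; pin a commit (`git clone … && git -C <dir> checkout <commit-hash>`) or vendor the tree via the commented-out `COPY wstun …`. In the `npm install -g --unsafe …` line `under_score` is the one dependency left unpinned, and `node:carbon-alpine` is Node.js 8, which is past end-of-life and receives no security fixes. The ENTRYPOINT runs as root with the private key mounted under `/var/lib/iotronic/ssl/`; a `USER node` before ENTRYPOINT (the official image ships that user) with a group-readable key would avoid running the tunnel server as root.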
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA32shCWN6dZBE3amafdfKdslf7GpvoRRt6UPNznOkU0n/dvkv +RyC7xdWFecQzda9eJg0q+P6YGIUpY5SdgnyXEBDyxqhMm1TMM34s32a6C4T44PER +k4hQ8qNu0bscTDMc5BwAPGiZDreOoSUO///U/qhazgmfvJ7amG03PWRwCehdm/oj +v3z/m++y/d8vHHKxd/SCb7bNQBPeVKCOkO3MqgbvzFhbVzZ9TvVVOPIsg4Kp3Dg/ +lLmZE1CaBD8fJMqDpEIvLCKxljn7hnC4capXd0WsD0rILP42mzlPVWBY4Ie+4CF1 +RRq3MlujzXrVhm2MrczfZK477u0IvlBJ0TKIkQIDAQABAoIBAHNiyaompV1ISDjO +2ko6A4e70v2vrr1bZrR9XzJLyUd2xSh143PxtOiksQ3FRep2ysIONO5p1rV7OHgE +jiCRJheXGTt+OipS7i9978DlNhqy7zKFblVqppvZymcpIqE8GKS6zWhlgP730ALr +t8aBI0juPA+DKutog28LoOblE3QZhf9tvAKDvPJPdkIDE6ggANaw4TRiE3G/TnD9 +mu37D3+/WPLI154qxEN3BWXscwtxOb49qz+ycG94stu3wHeodalyjp1Ubsz9y7nB +EwDt+ciT7albejYBczPFZKBhIVQBYGuRUBrMmuSQ/8Yw7RxuDoH29UbNv48PFV7p +kPs/LK0CgYEA9JPViWbZGWUrpqxXqv/OSAdQ6RzyNdWED1LRY5+PiOxtG44yPPA6 ++9WUWykldF33ZnSpVrrIZIGwYMgzcnDkoRejlCnUnDHB+Zgpcg3+RSHmoa5msHr7 +upEjliN42UnaOdkYnLyag/4LueL6/W32NrfIk6debii+qP8dCTyddrsCgYEA6dpR +bZtInr8d1koIDUIjBjW6wF0kkqrxlmKFz3swfpu/gUFwyiU5EaeFcPOz36a/khlC +IRsBXhAGctmI3vdfPuCC+7sxcJbcCUktbMgIHQYldUz/gXlcr0PTyENXAi2UEL9Z +p/uLArDrt9okVOmWLhQrMV4YZhiKz6u5jLU5lyMCgYEA7PXuhdlnrfsfd7Sym7KM +Ia007yZkZVQhRtdul58YagjnDTOP6Qq3mxcrTcdnyn7gHBwblTQSw44DXUGa1t4a +JRnKGtsMauiqjzCltyNnn4Ng+HUIeSQukGvelrB3fc7X6AQ2nGT/L7MLmWYY10Ga +sxkM9EHMc952GzZQ44oe5dECgYEA0Fx2exuFu/P7SMiTngSUol7TM7yJ7qijMuQ7 +558SmWx6WFePgH1j+OfzTK3HUfoH7MvWkRq3wDC1HjXW7xsn4SU3b8XdijzQdvGd +qLQeDoZAb+CYM6uHup3LoD7n0of7ymREJRlKRa6PiDO0dXffGNVdmtIFGUq6u8h9 +PfLnClMCgYEAl0/RWJnf74nPKoq94uql4accWAL0+w2nO2jAAqlkbZP8j5p/l3n8 ++3QUZ0/n6VUHVzf8tJQbQZrL97hMrDO5UXaiLyeACBxkSFXma5ePzZXIIZEGhj7K +BB7J6gwhIGcYIFkEDPAayYFzVAmnoxhZlxqW6Ti9JXPfbB580+ac2FY= +-----END RSA PRIVATE KEY----- diff --git a/4-iotronic-wstun/confs/ssl/iotronic.pem b/4-iotronic-wstun/confs/ssl/iotronic.pem new file mode 100644 index 0000000..e758370 --- /dev/null +++ b/4-iotronic-wstun/confs/ssl/iotronic.pem 
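Review bot: `iotronic.key` is an unencrypted RSA private key committed to the repository, together with its certificate (`iotronic.pem`, next hunk) and the issuing CA (`rootCA.pem`); anything that has cloned this repository now holds the key, so it must be treated as compromised, regenerated, and removed from history, with `confs/ssl/` added to `.gitignore` and the material provisioned at deploy time onto the `CERT_PATH` directory the run scripts mount. The Dockerfile's own `COPY ./confs/ssl/` lines are commented out, which suggests these files were never meant to ship. Decoding the validity fields, `rootCA.pem` appears to have expired on 2021-02-22 while `iotronic.pem` runs to 2028, so any peer that does verify the chain already rejects it — consistent with `skip_cert_verify= True` in 5-wagent/conf/iotronic.conf being a workaround rather than a choice.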
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWDCCAkACCQD7PL6s5rQAmjANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJJ +VDELMAkGA1UECAwCTUIxHjAcBgNVBAoMFVNhY2VydGlzIEJ1aWxkaW5nIHNybDE3 +MDUGA1UEAwwuYjkwNDQ3Lm1lc3NhZ2luZy5pbnRlcm5ldG9mdGhpbmdzLmlibWNs +b3VkLmNvbTAeFw0xODA1MjgwOTEwMjRaFw0yODA1MjUwOTEwMjRaMGkxCzAJBgNV +BAYTAklUMQswCQYDVQQIDAJNQjEPMA0GA1UEBwwGQWdyYXRlMQwwCgYDVQQKDANJ +Qk0xDjAMBgNVBAsMBVdJT1RQMR4wHAYDVQQDDBVkOnNpbXVsYXRpb246dGVzdGRl +djEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDfayEJY3p1kETdqZp9 +18p2yV/sam+hFG3pQ83Oc6RTSf92+S9HILvF1YV5xDN1r14mDSr4/pgYhSljlJ2C +fJcQEPLGqEybVMwzfizfZroLhPjg8RGTiFDyo27RuxxMMxzkHAA8aJkOt46hJQ7/ +/9T+qFrOCZ+8ntqYbTc9ZHAJ6F2b+iO/fP+b77L93y8ccrF39IJvts1AE95UoI6Q +7cyqBu/MWFtXNn1O9VU48iyDgqncOD+UuZkTUJoEPx8kyoOkQi8sIrGWOfuGcLhx +qld3RawPSsgs/jabOU9VYFjgh77gIXVFGrcyW6PNetWGbYytzN9krjvu7Qi+UEnR +MoiRAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJtZxCusqBD9ezQ3/E7h2i2I9Vv5 +U31lQda+rIGYUqzdzr70cBnARkuHHXidZ+IsZioih4iJU/E7nCXUdWgZFkOTVzTM +U2wljvbmcwN4zPWrH9809nw9QyQKn22o9Rc3mNjk+GMlxcHChrVKcorgnf8TV0DF +ZALcVBDzaqe7SpehClLl7DYGxWwcweUl7C2b0ZyQyzJCy1yEuHE+fxL7+KijB0If +GGBN13vPAqplULOkKm87J4a9sqSQle+lkDPBNT0c82DTwae8tiGDeSsGI0HrTPQl +RmHlkfcC5qEfDwciXTlUdQ83XCmY56xU4ax4xHwZvb+Yv8apI9gzX3QG10Y= +-----END CERTIFICATE----- diff --git a/4-iotronic-wstun/confs/ssl/rootCA.pem b/4-iotronic-wstun/confs/ssl/rootCA.pem new file mode 100644 index 0000000..5789692 --- /dev/null +++ b/4-iotronic-wstun/confs/ssl/rootCA.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuTCCAqGgAwIBAgIJAObwgZHjuyjHMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV +BAYTAklUMQswCQYDVQQIDAJNQjEeMBwGA1UECgwVU2FjZXJ0aXMgQnVpbGRpbmcg +c3JsMTcwNQYDVQQDDC5iOTA0NDcubWVzc2FnaW5nLmludGVybmV0b2Z0aGluZ3Mu +aWJtY2xvdWQuY29tMB4XDTE4MDUwNTE2MTU1M1oXDTIxMDIyMjE2MTU1M1owczEL +MAkGA1UEBhMCSVQxCzAJBgNVBAgMAk1CMR4wHAYDVQQKDBVTYWNlcnRpcyBCdWls +ZGluZyBzcmwxNzA1BgNVBAMMLmI5MDQ0Ny5tZXNzYWdpbmcuaW50ZXJuZXRvZnRo +aW5ncy5pYm1jbG91ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDCkjeYy1F2OzMhzYlFWPPdr4m9lGsL8gidtkxjp0jFRLF/1n98PhA0wVj2JjCP +3o10mTuPeyF6p7bVSjfeW/DtQCaaspHtmv3Q+m3GNYSeLpK9zkC0WqELwBXuSm3D +DTlfVmwu8gW2MDyG6p6O5z6m8RiFvd3icRZ8yVDO6iNQ88q5VPEuCJbt19Iw7glv +j6nkmOgvCJnJH3w/U8oiwLRLcDFMESL2+0aG9094ECtPc2CLFSP5KurIEEiI+lO7 +cuLXsFcNiLzvxYnPAR1zyq231aZ9di/BOX+s00kr143c8VCEhCVUYDNUc/S87RLY +MbHkoTqm/Olxz1FDkGBq9rkjAgMBAAGjUDBOMB0GA1UdDgQWBBQFXEVo9tV1FmpU +KSt9kKej07jYhjAfBgNVHSMEGDAWgBQFXEVo9tV1FmpUKSt9kKej07jYhjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCH/6AhUcxN/xzCS9lHwLkxXErp +wnnEzibMBD1pY0hTt5/hWKo2FKMQWnvXUw4nIbFaTTiosqTHpfi3of+f6uhpMKO8 +F39TBsaEJJcrEM3bJ+x52vBmAAF3hdVbhBZQP/nUpzlnbSFhktLJ/2chf/oNvaaw +GEVDf8Zcess9JVESP3shzvyIzN8XISvYVPAkkY/Mz8TdmGFCfnxzoRoGvxp9SJ1l +saOanPo/rGnZNMSXWCKzbphqqwngyIw5WZ8/gAa/KFRKz96IQMMorq2BakQMWaRE +nn7fN/3jTzp+WdLQgBObTTYpTy0r1LQStGmadhnQGcM5LsY7tviYpN1Olqwz +-----END CERTIFICATE----- diff --git a/5-wagent/5-wagent b/5-wagent/5-wagent new file mode 100755 index 0000000..6e22ea6 --- /dev/null +++ b/5-wagent/5-wagent 
@@ -0,0 +1,36 @@
+#! /bin/bash
+
+
+VERSION="felooca-test"
+
+docker create \
+ --name=felooca_test_iotronic_wagent \
+ --restart unless-stopped\
+ --network=host \
+ -p 80:80 \
+ -p 443:443 \
+ --hostname wagent1 \
+ -v felooca_test_iotronic_wagent_config:/etc/iotronic/ \
+ -v felooca_test_iotronic_wagent_nginx:/etc/nginx/ \
+ -v /var/log/iotronic-wagent:/var/log/iotronic \
+smartme/felooca_test_iotronic_wagent:$VERSION
+
+docker run --rm \
+ --network=host \
+ -v felooca_test_iotronic_wagent_config:/etc/iotronic/ \
+ -v /var/log/iotronic-wagent:/var/log/iotronic \
+smartme/felooca_test_iotronic_wagent:$VERSION \
+/bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/"
+
+
+docker run --rm \
+ --network=host \
+-v felooca_test_iotronic_wagent_nginx:/etc/nginx/ \
+smartme/felooca_test_iotronic_wagent:$VERSION \
+/bin/sh -c "echo 'stream { include conf.d/iotronic/mapping; }' >> /etc/nginx/nginx.conf && echo 'include conf.d/iotronic/servers/*;' >> /etc/nginx/sites-enabled/default"
+
+
+docker cp conf/iotronic.conf felooca_test_iotronic_wagent:/etc/iotronic/
+
+docker stop felooca_test_iotronic_wagent
+docker start felooca_test_iotronic_wagent
diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile
new file mode 100644
index 0000000..a170b90
--- /dev/null
+++ b/5-wagent/build/Dockerfile
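Review bot: The last `docker run --rm … /bin/sh -c "echo … >> /etc/nginx/nginx.conf && echo … >> /etc/nginx/sites-enabled/default"` appends to files on the persistent `felooca_test_iotronic_wagent_nginx` volume, so every re-run of this script adds another `stream { … }` block and `include` line, and nginx rejects a duplicate `stream` directive; write the two fragments with `>` into their own files, or guard each with `grep -qF 'conf.d/iotronic/mapping' /etc/nginx/nginx.conf || echo … >> …`. The same two lines are also written by 5-wagent/build/Dockerfile (there with `>` and without the trailing `;`), so it is unclear which copy is meant to win — consolidate them in the image. `-p 80:80 -p 443:443` is discarded under `--network=host`, as noted for 4-crossbar.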
@@ -0,0 +1,57 @@ +FROM ubuntu:bionic +#ENV VERSION=2.3.9 + +ENV DEBIAN_FRONTEND=noninteractive + +ENV LC_CTYPE en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANG C.UTF-8 + +RUN apt-get update \ + && apt-get install nocache -y software-properties-common locales tzdata\ + && add-apt-repository -y cloud-archive:stein \ + && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim curl iputils-ping + +RUN locale-gen en_US.UTF-8 +ENV TZ 'Europe/Rome' +RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata + +RUN apt-get install nocache -y git apache2 python3-setuptools libapache2-mod-wsgi-py3 +#RUN git clone https://opendev.org/x/iotronic.git /opt/build/iotronic +#RUN git clone -b felooca_dev --depth 1 ssh://git@git.smartme.io:20022/smartme.io/stack4things/iotronic/iotronic.git /opt/build/iotronic +COPY ./iotronic /opt/build/iotronic + +WORKDIR /opt/build/iotronic + +RUN pip3 install --upgrade pip +RUN pip3 install --ignore-installed PyYAML +RUN pip3 install -r requirements.txt +RUN python3 setup.py install +RUN useradd -m -d /var/lib/iotronic iotronic +RUN mkdir -p /var/log/iotronic \ +&& touch /var/log/iotronic/iotronic-wagent.log \ +&& chown -R iotronic:iotronic /var/log/iotronic/ + +RUN pip3 uninstall -y SQLAlchemy +RUN pip3 install SQLAlchemy==1.3.20 + +VOLUME ["/etc/iotronic"] +VOLUME ["/var/log/iotronic"] + +RUN mkdir -p /etc/nginx/conf.d/iotronic \ +&& mkdir -p /etc/nginx/conf.d/iotronic/maps \ +&& mkdir -p /etc/nginx/conf.d/iotronic/servers \ +&& mkdir -p /etc/nginx/conf.d/iotronic/upstreams +COPY confs/mapping /etc/nginx/conf.d/iotronic/mapping + +RUN echo "stream { include conf.d/iotronic/mapping; }" > /etc/nginx/nginx.conf +RUN echo "include conf.d/iotronic/servers/*" > /etc/nginx/sites-enabled/default + + +EXPOSE 443 +EXPOSE 80 + +COPY bin/startWagent 
/usr/local/bin/startWagent
+
+CMD ["/usr/local/bin/startWagent"]
+#CMD ["/usr/local/bin/iotronic-wamp-agent"]
\ No newline at end of file
diff --git a/5-wagent/build/bin/startWagent b/5-wagent/build/bin/startWagent
new file mode 100755
index 0000000..6452d02
--- /dev/null
+++ b/5-wagent/build/bin/startWagent
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Start the first process
+/usr/sbin/nginx
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start NGINX: $status"
+ exit $status
+fi
+
+# Start the second process
+/usr/local/bin/iotronic-wamp-agent
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start iotronic-wamp-agent: $status"
+ exit $status
+fi
+
+while sleep 60; do
+ ps aux |grep apache2 |grep -q -v grep
+ PROCESS_1_STATUS=$?
+ ps aux |grep iotronic-conductor |grep -q -v grep
+ PROCESS_2_STATUS=$?
+ # If the greps above find anything, they exit with 0 status
+ # If they are not both 0, then something is wrong
+ if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 ]; then
+ echo "One of the processes has already exited."
+ exit 1
+ fi
+done
\ No newline at end of file
diff --git a/5-wagent/build/build b/5-wagent/build/build
new file mode 100755
index 0000000..e8d2ad4
--- /dev/null
+++ b/5-wagent/build/build
@@ -0,0 +1,4 @@
+#! /bin/bash
+
+VERSION="felooca-test"
+docker build -t smartme/felooca_test_iotronic_wagent:$VERSION .
\ No newline at end of file
diff --git a/5-wagent/build/confs/mapping b/5-wagent/build/confs/mapping
new file mode 100644
index 0000000..8f94892
--- /dev/null
+++ b/5-wagent/build/confs/mapping
@@ -0,0 +1,11 @@
+map $ssl_preread_server_name $name {
+ include conf.d/iotronic/maps/*;
+}
+
+include conf.d/iotronic/upstreams/*;
+
+server {
+ listen 443;
+ proxy_pass $name;
+ ssl_preread on;
+}
\ No newline at end of file
diff --git a/5-wagent/conf/iotronic.conf b/5-wagent/conf/iotronic.conf
new file mode 100644
index 0000000..c273c6f
--- /dev/null
+++ b/5-wagent/conf/iotronic.conf
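Review bot: Nothing in this Dockerfile (whose hunk begins on the previous line) installs nginx — the apt lines pull `apache2` and `libapache2-mod-wsgi-py3` as in the conductor image — yet startWagent runs `/usr/sbin/nginx` and the `RUN echo "include conf.d/iotronic/servers/*" > /etc/nginx/sites-enabled/default` step writes into `/etc/nginx/sites-enabled/`, which the preceding `mkdir -p` lines do not create; unless some dependency pulls nginx in, that RUN fails the build. Add `nginx` to the install line and drop the apache packages if they are not used here. `RUN echo "stream { … }" > /etc/nginx/nginx.conf` also replaces the whole file, leaving nginx without its `events { }` block and the `http` include that `sites-enabled/default` relies on; put the stream block in its own file and `include` it from the stock nginx.conf instead. The second echo is missing the trailing `;` that the copy in 5-wagent/5-wagent has.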
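Review bot: The watchdog loop greps for `apache2` and `iotronic-conductor`, copied from startConductor, but this script starts nginx and `iotronic-wamp-agent`, so neither check refers to a process it launched and the loop exits 1 after its first 60 s whenever it is reached. Because `/usr/local/bin/iotronic-wamp-agent` runs in the foreground, the loop is only reached after the agent exits, which masks the mistake and also means nginx is never monitored while the agent runs. Change the checks to `pgrep -x nginx >/dev/null` and `pgrep -f iotronic-wamp-agent >/dev/null`, and background the agent with `&` so the loop actually supervises both; the `status=$?` after `/usr/sbin/nginx` is the one start check here that is meaningful, since nginx forks and returns.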
@@ -0,0 +1,112 @@ +[DEFAULT] +transport_url=rabbit://openstack:smartme@felooca_test_rabbitmq:5672/ + +debug=True +proxy=nginx +#log_file = /var/log/iotronic/iotronic-wagent.log + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[wamp] +wamp_transport_url = wss://felooca-test-wagent1.smartme.io:8181/ +wamp_realm = s4t +skip_cert_verify= True +register_agent = True +service_allow_list=True +service_allow_list_path="/etc/iotronic/allowlist" + +[nginx] +nginx_path=/etc/nginx/conf.d/iotronic +wstun_endpoint=localhost + +[database] +connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic + +[keystone_authtoken] +www_authenticate_uri = https://felooca-test-ctrl.smartme.io:5000 +auth_url = https://felooca-test-ctrl.smartme.io:5000 +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = smartme + + +[neutron] +auth_url = http://:35357 +url = http://:9696 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = +retries = 3 +project_domain_id= default + + +[designate] +#auth_url = http://:35357 +#url = http://:9001 +#auth_strategy = password +#project_domain_name = default +#user_domain_name = default +#region_name = RegionOne +#project_name = service +#username = designate +#password = +#retries = 3 +#project_domain_id= default + +auth_url = https://dev.felooca.eu:5000/ +url = https://dev.felooca.eu:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = 
RegionOne +project_name = admin +username = admin +password = f3l00caSMDEV +retries = 3 +project_domain_id= default + + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user +# credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. +# Defaults to HTTP Simple Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer +# value) +#max_age = 3600 + +# Indicate which methods can be used during the actual +# request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the +# actual request. (list value) +#allow_headers = \ No newline at end of file diff --git a/6-ui/6-ui b/6-ui/6-ui new file mode 100755 index 0000000..e3481ec --- /dev/null +++ b/6-ui/6-ui @@ -0,0 +1,15 @@ +#! /bin/bash + +VERSION="latest" +docker create \ + --name=felooca_test_iotronic_ui \ + --restart unless-stopped\ + --network=felooca_test_network \ + -p 8585:80 \ + -v felooca_test_iotronic_ui_config:/etc/openstack-dashboard/ \ + -v /var/log/iotronic-ui:/var/log/apache2/ \ +smartme/felooca_test_iotronic_ui:$VERSION + +docker cp conf/local_settings.py felooca_test_iotronic_ui:/etc/openstack-dashboard + +docker start felooca_test_iotronic_ui \ No newline at end of file diff --git a/6-ui/build/Dockerfile b/6-ui/build/Dockerfile new file mode 100644 index 0000000..ca1052b --- /dev/null +++ b/6-ui/build/Dockerfile 
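Review bot: `skip_cert_verify= True` under `[wamp]` turns off certificate verification for the `wss://felooca-test-wagent1.smartme.io:8181/` router connection, so the TLS transport no longer authenticates the router and an on-path party can present any certificate; set it to `False` and give the agent the CA that issued the router certificate (the option name to use should be confirmed against iotronic's `[wamp]` option list). The clear-text credentials here duplicate 3-conductor/conf/iotronic.conf (`rabbit://openstack:smartme@…`, keystone `password = smartme`, designate admin `password = f3l00caSMDEV`), while the commented-out `[designate]` template directly above shows the intended `#password =` placeholder form — keep only that form in the repository. `debug=True` is likewise enabled.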
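Review bot: Only `/etc/openstack-dashboard/` and `/var/log/apache2/` are mounted as volumes, whereas 6-ui/conf/local_settings.py reads its session signing key from `/var/lib/openstack-dashboard/secret_key` via `generate_or_read_from_file`, so every recreate of the container (`docker create` after a rebuild) presumably generates a fresh key and invalidates all sessions; add `-v felooca_test_iotronic_ui_state:/var/lib/openstack-dashboard` or set `SECRET_KEY` from the mounted config. The `docker cp conf/local_settings.py …` overwrites the volume copy on each run, which is fine, but worth a comment since the volume otherwise suggests persistence. As elsewhere, `$VERSION` is unquoted in the image reference.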
@@ -0,0 +1,42 @@ +FROM ubuntu:bionic + + +RUN apt-get update \ + && apt-get install nocache -y software-properties-common \ + #&& add-apt-repository -y cloud-archive:stein \ + #&& add-apt-repository -y cloud-archive:queens \ + && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y python-openstackclient nano + +RUN apt-get install nocache memcached python-memcache openstack-dashboard git python-pip -y + +#RUN pip install setuptools + +RUN git clone https://opendev.org/x/python-iotronicclient.git /opt/build/python-iotronicclient +WORKDIR /opt/build/python-iotronicclient + +RUN pip install -r requirements.txt +RUN python setup.py install + +#RUN git clone https://opendev.org/x/iotronic-ui.git /opt/build/iotronic-ui +COPY iotronic-ui/ /opt/build/iotronic-ui/ + +WORKDIR /opt/build/iotronic-ui + +RUN pip install -r requirements.txt +RUN python setup.py install +RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dashboard/api/ \ +# && cp iotronic_ui/enabled/_60* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ + && cp iotronic_ui/enabled/_6000_iot.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_61* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_62* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_63* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ + +#RUN apt-get remove --auto-remove openstack-dashboard-ubuntu-theme + +COPY bin/startUI /usr/local/bin/startUI + +VOLUME ["/etc/openstack-dashboard/"] + +EXPOSE 80 +CMD ["/usr/local/bin/startUI"] diff --git a/6-ui/build/bin/startUI b/6-ui/build/bin/startUI new file mode 100755 index 0000000..039e7a5 --- /dev/null +++ b/6-ui/build/bin/startUI 
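Review bot: `git clone https://opendev.org/x/python-iotronicclient.git` takes the default branch at whatever commit it is on, and `pip install -r requirements.txt` / `python setup.py install` run under Python 2 (`python-pip`, `python-openstackclient`), so the build is unpinned and on an interpreter past end-of-life; pin a release tag or commit and move to the python3 packages the other images in this PR use. `apt-get install nocache …` is the same stray package name as in 3-conductor/build/Dockerfile. The `cp iotronic_ui/enabled/_6*` lines copy files into the system dashboard tree by hand; a `pip install .` of iotronic-ui with its own `enabled/` entry points would keep that in sync with the package.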
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# clean all pid
+rm /run/apache2/apache2.pid
+# Start the first process
+/usr/sbin/apache2ctl -D FOREGROUND &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start APACHE2: $status"
+ exit $status
+fi
+
+# Start the second process
+/usr/bin/memcached -u memcache &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start memcached: $status"
+ exit $status
+fi
+
+while sleep 60; do
+ ps aux |grep apache2 |grep -q -v grep
+ PROCESS_1_STATUS=$?
+ ps aux |grep memcached |grep -q -v grep
+ PROCESS_2_STATUS=$?
+ # If the greps above find anything, they exit with 0 status
+ # If they are not both 0, then something is wrong
+ if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 ]; then
+ echo "One of the processes has already exited."
+ exit 1
+ fi
+done
\ No newline at end of file
diff --git a/6-ui/build/build b/6-ui/build/build
new file mode 100755
index 0000000..d05aab6
--- /dev/null
+++ b/6-ui/build/build
@@ -0,0 +1,4 @@
+#! /bin/bash
+
+VERSION="latest"
+docker build -t smartme/"felooca_test_iotronic_ui":$VERSION .
diff --git a/6-ui/conf/local_settings.py b/6-ui/conf/local_settings.py
new file mode 100644
index 0000000..bb9222e
--- /dev/null
+++ b/6-ui/conf/local_settings.py
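Review bot: `/usr/bin/memcached -u memcache &` with no `-l` listens on 11211 on all of the container's interfaces, so any other container on `felooca_test_network` can read and poison the Django cache and sessions; add `-l 127.0.0.1`, which matches the `'LOCATION': '127.0.0.1:11211'` that 6-ui/conf/local_settings.py uses. Both `status=$?` lines follow a `&` and therefore read the status of backgrounding the job, always 0, so the two "Failed to start" branches are unreachable; the `ps aux | grep` watchdog is the one already noted on startConductor. `rm /run/apache2/apache2.pid` prints an error on a fresh container; use `rm -f`.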
@@ -0,0 +1,925 @@ +# -*- coding: utf-8 -*- + +import os + +from django.utils.translation import ugettext_lazy as _ + +from horizon.utils import secret_key + +from openstack_dashboard.settings import HORIZON_CONFIG + +DEBUG = False + +# This setting controls whether or not compression is enabled. Disabling +# compression makes Horizon considerably slower, but makes it much easier +# to debug JS and CSS changes +#COMPRESS_ENABLED = not DEBUG + +# This setting controls whether compression happens on the fly, or offline +# with `python manage.py compress` +# See https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression +# for more information +#COMPRESS_OFFLINE = not DEBUG + +# WEBROOT is the location relative to Webserver root +# should end with a slash. +WEBROOT = '/' +#LOGIN_URL = WEBROOT + 'auth/login/' +#LOGOUT_URL = WEBROOT + 'auth/logout/' +# +# LOGIN_REDIRECT_URL can be used as an alternative for +# HORIZON_CONFIG.user_home, if user_home is not set. +# Do not set it to '/home/', as this will cause circular redirect loop +#LOGIN_REDIRECT_URL = WEBROOT + +# If horizon is running in production (DEBUG is False), set this +# with the list of host/domain names that the application can serve. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts +#ALLOWED_HOSTS = ['horizon.example.com', ] + +# Set SSL proxy settings: +# Pass this header from the proxy after terminating the SSL, +# and don't forget to strip it from the client's request. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header +#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') + +# If Horizon is being served through SSL, then uncomment the following two +# settings to better secure the cookies from security exploits +#CSRF_COOKIE_SECURE = True +#SESSION_COOKIE_SECURE = True + +# The absolute path to the directory where message files are collected. 
+# The message file must have a .json file extension. When the user logins to +# horizon, the message files collected are processed and displayed to the user. +#MESSAGES_PATH=None + +# Overrides for OpenStack API versions. Use this setting to force the +# OpenStack dashboard to use a specific API version for a given service API. +# Versions specified here should be integers or floats, not strings. +# NOTE: The version should be formatted as it appears in the URL for the +# service API. For example, The identity service APIs have inconsistent +# use of the decimal point, so valid options would be 2.0 or 3. +# Minimum compute version to get the instance locked status is 2.9. +#OPENSTACK_API_VERSIONS = { +# "data-processing": 1.1, +# "identity": 3, +# "image": 2, +# "volume": 2, +# "compute": 2, +#} + +# Set this to True if running on a multi-domain model. When this is enabled, it +# will require the user to enter the Domain name in addition to the username +# for login. +#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False + +# Set this to True if you want available domains displayed as a dropdown menu +# on the login screen. It is strongly advised NOT to enable this for public +# clouds, as advertising enabled domains to unauthenticated customers +# irresponsibly exposes private information. This should only be used for +# private clouds where the dashboard sits behind a corporate firewall. +#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False + +# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +# set the available domains to choose from. This is a list of pairs whose first +# value is the domain name and the second is the display name. +#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( +# ('Default', 'Default'), +#) + +# Overrides the default domain used when running on single-domain model +# with Keystone V3. All entities will be created in the default domain. +# NOTE: This value must be the name of the default domain, NOT the ID. 
+# Also, you will most likely have a value in the keystone policy file like this +# "cloud_admin": "rule:admin_required and domain_id:" +# This value must be the name of the domain whose ID is specified there. +#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' + +# Set this to True to enable panels that provide the ability for users to +# manage Identity Providers (IdPs) and establish a set of rules to map +# federation protocol attributes to Identity API attributes. +# This extension requires v3.0+ of the Identity API. +#OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False + +# Set Console type: +# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS" +# or None. Set to None explicitly if you want to deactivate the console. +#CONSOLE_TYPE = "AUTO" + +# Toggle showing the openrc file for Keystone V2. +# If set to false the link will be removed from the user dropdown menu +# and the API Access page +#SHOW_KEYSTONE_V2_RC = True + +# If provided, a "Report Bug" link will be displayed in the site header +# which links to the value of this setting (ideally a URL containing +# information on how to report issues). +#HORIZON_CONFIG["bug_url"] = "http://bug-report.example.com" + +# Show backdrop element outside the modal, do not close the modal +# after clicking on backdrop. +#HORIZON_CONFIG["modal_backdrop"] = "static" + +# Specify a regular expression to validate user passwords. +#HORIZON_CONFIG["password_validator"] = { +# "regex": '.*', +# "help_text": _("Your password does not meet the requirements."), +#} + +# Turn off browser autocompletion for forms including the login form and +# the database creation workflow if so desired. +#HORIZON_CONFIG["password_autocomplete"] = "off" + +# Setting this to True will disable the reveal button for password fields, +# including on the login form. 
+#HORIZON_CONFIG["disable_password_reveal"] = False + +LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) + +# Set custom secret key: +# You can either set it to a specific value or you can let horizon generate a +# default secret key that is unique on this machine, e.i. regardless of the +# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, +# there may be situations where you would want to set this explicitly, e.g. +# when multiple dashboard instances are distributed on different machines +# (usually behind a load-balancer). Either you have to make sure that a session +# gets all requests routed to the same dashboard instance or you set the same +# SECRET_KEY for all of them. +SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key') + +# We recommend you use memcached for development; otherwise after every reload +# of the django development server, you will have to login again. To use +# memcached set CACHES to something like + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '127.0.0.1:11211', + }, +} + +#CACHES = { +# 'default': { +# 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', +# } +#} + +# Send email to the console by default +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' +# Or send them to /dev/null +#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' + +# Configure these for your outgoing email host +#EMAIL_HOST = 'smtp.my-company.com' +#EMAIL_PORT = 25 +#EMAIL_HOST_USER = 'djangomail' +#EMAIL_HOST_PASSWORD = 'top-secret!' + +# For multiple regions uncomment this configuration, and add (endpoint, title). 
+#AVAILABLE_REGIONS = [ +# ('http://cluster1.example.com:5000/v3', 'cluster1'), +# ('http://cluster2.example.com:5000/v3', 'cluster2'), +#] + +OPENSTACK_HOST = "felooca-test-ctrl.smartme.io" +OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" + +# For setting the default service region on a per-endpoint basis. Note that the +# default value for this setting is {}, and below is just an example of how it +# should be specified. +# A key of '*' is an optional global default if no other key matches. +#DEFAULT_SERVICE_REGIONS = { +# '*': 'RegionOne' +# OPENSTACK_KEYSTONE_URL: 'RegionTwo' +#} + +# Enables keystone web single-sign-on if set to True. +#WEBSSO_ENABLED = False + +# Authentication mechanism to be selected as default. +# The value must be a key from WEBSSO_CHOICES. +#WEBSSO_INITIAL_CHOICE = "credentials" + +# The list of authentication mechanisms which include keystone +# federation protocols and identity provider/federation protocol +# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol +# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID +# Connect respectively. +# Do not remove the mandatory credentials mechanism. +# Note: The last two tuples are sample mapping keys to a identity provider +# and federation protocol combination (WEBSSO_IDP_MAPPING). +#WEBSSO_CHOICES = ( +# ("credentials", _("Keystone Credentials")), +# ("oidc", _("OpenID Connect")), +# ("saml2", _("Security Assertion Markup Language")), +# ("acme_oidc", "ACME - OpenID Connect"), +# ("acme_saml2", "ACME - SAML2"), +#) + +# A dictionary of specific identity provider and federation protocol +# combinations. From the selected authentication mechanism, the value +# will be looked up as keys in the dictionary. 
If a match is found, +# it will redirect the user to a identity provider and federation protocol +# specific WebSSO endpoint in keystone, otherwise it will use the value +# as the protocol_id when redirecting to the WebSSO by protocol endpoint. +# NOTE: The value is expected to be a tuple formatted as: (, ). +#WEBSSO_IDP_MAPPING = { +# "acme_oidc": ("acme", "oidc"), +# "acme_saml2": ("acme", "saml2"), +#} + +# If set this URL will be used for web single-sign-on authentication +# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment +# scenarios where network segmentation is used per security requirement. +# In this case, the controllers are not reachable from public network. +# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL +# if it is set to the internal endpoint. +#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" + +# The Keystone Provider drop down uses Keystone to Keystone federation +# to switch between Keystone service providers. +# Set display name for Identity Provider (dropdown display name) +#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" +# This id is used for only for comparison with the service provider IDs. This ID +# should not match any service provider IDs. +#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" + +# Disable SSL certificate checks (useful for self-signed certificates): +#OPENSTACK_SSL_NO_VERIFY = True + +# The CA certificate to use to verify SSL connections +#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + +# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the +# capabilities of the auth backend for Keystone. +# If Keystone has been configured to use LDAP as the auth backend then set +# can_edit_user to False and name to 'ldap'. +# +# TODO(tres): Remove these once Keystone has an API to identify auth backend. 
+OPENSTACK_KEYSTONE_BACKEND = { + 'name': 'native', + 'can_edit_user': True, + 'can_edit_group': True, + 'can_edit_project': True, + 'can_edit_domain': True, + 'can_edit_role': True, +} + +# Setting this to True, will add a new "Retrieve Password" action on instance, +# allowing Admin session password retrieval/decryption. +#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False + +# The Launch Instance user experience has been significantly enhanced. +# You can choose whether to enable the new launch instance experience, +# the legacy experience, or both. The legacy experience will be removed +# in a future release, but is available as a temporary backup setting to ensure +# compatibility with existing deployments. Further development will not be +# done on the legacy experience. Please report any problems with the new +# experience via the Launchpad tracking system. +# +# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to +# determine the experience to enable. Set them both to true to enable +# both. +#LAUNCH_INSTANCE_LEGACY_ENABLED = True +#LAUNCH_INSTANCE_NG_ENABLED = False + +# A dictionary of settings which can be used to provide the default values for +# properties found in the Launch Instance modal. +#LAUNCH_INSTANCE_DEFAULTS = { +# 'config_drive': False, +# 'enable_scheduler_hints': True, +# 'disable_image': False, +# 'disable_instance_snapshot': False, +# 'disable_volume': False, +# 'disable_volume_snapshot': False, +# 'create_volume': True, +#} + +# The Xen Hypervisor has the ability to set the mount point for volumes +# attached to instances (other Hypervisors currently do not). Setting +# can_set_mount_point to True will add the option to set the mount point +# from the UI. +OPENSTACK_HYPERVISOR_FEATURES = { + 'can_set_mount_point': False, + 'can_set_password': False, + 'requires_keypair': False, + 'enable_quotas': True +} + +# This settings controls whether IP addresses of servers are retrieved from +# neutron in the project instance table. 
Setting this to ``False`` may mitigate +# a performance issue in the project instance table in large deployments. +#OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True + +# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional +# services provided by cinder that is not exposed by its extension API. +OPENSTACK_CINDER_FEATURES = { + 'enable_backup': False, +} + +# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional +# services provided by neutron. Options currently available are load +# balancer service, security groups, quotas, VPN service. +OPENSTACK_NEUTRON_NETWORK = { + 'enable_router': True, + 'enable_quotas': True, + 'enable_ipv6': True, + 'enable_distributed_router': False, + 'enable_ha_router': False, + 'enable_fip_topology_check': True, + + # Default dns servers you would like to use when a subnet is + # created. This is only a default, users can still choose a different + # list of dns servers when creating a new subnet. + # The entries below are examples only, and are not appropriate for + # real deployments + # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"], + + # Set which provider network types are supported. Only the network types + # in this list will be available to choose from when creating a network. + # Network types include local, flat, vlan, gre, vxlan and geneve. + # 'supported_provider_types': ['*'], + + # You can configure available segmentation ID range per network type + # in your deployment. + # 'segmentation_id_range': { + # 'vlan': [1024, 2048], + # 'vxlan': [4094, 65536], + # }, + + # You can define additional provider network types here. + # 'extra_provider_types': { + # 'awesome_type': { + # 'display_name': 'Awesome New Type', + # 'require_physical_network': False, + # 'require_segmentation_id': True, + # } + # }, + + # Set which VNIC types are supported for port binding. Only the VNIC + # types in this list will be available to choose from when creating a + # port. 
+ # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap', + # 'baremetal' and 'virtio-forwarder' + # Set to empty list or None to disable VNIC type selection. + 'supported_vnic_types': ['*'], + + # Set list of available physical networks to be selected in the physical + # network field on the admin create network modal. If it's set to an empty + # list, the field will be a regular input field. + # e.g. ['default', 'test'] + 'physical_networks': [], + +} + +# The OPENSTACK_HEAT_STACK settings can be used to disable password +# field required while launching the stack. +OPENSTACK_HEAT_STACK = { + 'enable_user_pass': True, +} + +# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features +# in the OpenStack Dashboard related to the Image service, such as the list +# of supported image formats. +#OPENSTACK_IMAGE_BACKEND = { +# 'image_formats': [ +# ('', _('Select format')), +# ('aki', _('AKI - Amazon Kernel Image')), +# ('ami', _('AMI - Amazon Machine Image')), +# ('ari', _('ARI - Amazon Ramdisk Image')), +# ('docker', _('Docker')), +# ('iso', _('ISO - Optical Disk Image')), +# ('ova', _('OVA - Open Virtual Appliance')), +# ('qcow2', _('QCOW2 - QEMU Emulator')), +# ('raw', _('Raw')), +# ('vdi', _('VDI - Virtual Disk Image')), +# ('vhd', _('VHD - Virtual Hard Disk')), +# ('vhdx', _('VHDX - Large Virtual Hard Disk')), +# ('vmdk', _('VMDK - Virtual Machine Disk')), +# ], +#} + +# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for +# image custom property attributes that appear on image detail pages. +IMAGE_CUSTOM_PROPERTY_TITLES = { + "architecture": _("Architecture"), + "kernel_id": _("Kernel ID"), + "ramdisk_id": _("Ramdisk ID"), + "image_state": _("Euca2ools state"), + "project_id": _("Project ID"), + "image_type": _("Image Type"), +} + +# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image +# custom properties should not be displayed in the Image Custom Properties +# table. 
+IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + +# Set to 'legacy' or 'direct' to allow users to upload images to glance via +# Horizon server. When enabled, a file form field will appear on the create +# image form. If set to 'off', there will be no file form field on the create +# image form. See documentation for deployment considerations. +#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' + +# Allow a location to be set when creating or updating Glance images. +# If using Glance V2, this value should be False unless the Glance +# configuration and policies allow setting locations. +#IMAGES_ALLOW_LOCATION = False + +# A dictionary of default settings for create image modal. +#CREATE_IMAGE_DEFAULTS = { +# 'image_visibility': "public", +#} + +# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is 'publicURL'. +#OPENSTACK_ENDPOINT_TYPE = "publicURL" + +# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the +# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is None. This +# value should differ from OPENSTACK_ENDPOINT_TYPE if used. +#SECONDARY_ENDPOINT_TYPE = None + +# The number of objects (Swift containers/objects or images) to display +# on a single page before providing a paging element (a "more" link) +# to paginate results. +API_RESULT_LIMIT = 1000 +API_RESULT_PAGE_SIZE = 20 + +# The size of chunk in bytes for downloading objects from Swift +SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 + +# The default number of lines displayed for instance console log. +INSTANCE_LOG_LENGTH = 35 + +# Specify a maximum number of items to display in a dropdown. +DROPDOWN_MAX_ITEMS = 30 + +# The timezone of the server. 
This should correspond with the timezone +# of your entire OpenStack installation, and hopefully be in UTC. +TIME_ZONE = "UTC" + +# When launching an instance, the menu of available flavors is +# sorted by RAM usage, ascending. If you would like a different sort order, +# you can provide another flavor attribute as sorting key. Alternatively, you +# can provide a custom callback method to use for sorting. You can also provide +# a flag for reverse sort. For more info, see +# http://docs.python.org/2/library/functions.html#sorted +#CREATE_INSTANCE_FLAVOR_SORT = { +# 'key': 'name', +# # or +# 'key': my_awesome_callback_method, +# 'reverse': False, +#} + +# Set this to True to display an 'Admin Password' field on the Change Password +# form to verify that it is indeed the admin logged-in who wants to change +# the password. +#ENFORCE_PASSWORD_CHECK = False + +# Modules that provide /auth routes that can be used to handle different types +# of user authentication. Add auth plugins that require extra route handling to +# this list. +#AUTHENTICATION_URLS = [ +# 'openstack_auth.urls', +#] + +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. + +# Path to directory containing policy.json files +#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") + +# Map of local copy of service policy files. +# Please insure that your identity policy file matches the one being used on +# your keystone servers. There is an alternate policy file that may be used +# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. 
+# This file is not included in the Horizon repository by default but can be +# found at +# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ +# policy.v3cloudsample.json +# Having matching policy files on the Horizon and Keystone servers is essential +# for normal operation. This holds true for all services and their policy files. +#POLICY_FILES = { +# 'identity': 'keystone_policy.json', +# 'compute': 'nova_policy.json', +# 'volume': 'cinder_policy.json', +# 'image': 'glance_policy.json', +# 'network': 'neutron_policy.json', +#} + +# Change this patch to the appropriate list of tuples containing +# a key, label and static directory containing two files: +# _variables.scss and _styles.scss +AVAILABLE_THEMES = [ + ('default', 'Default', 'themes/default'), +# ('material', 'Material', 'themes/material'), +] + +LOGGING = { + 'version': 1, + # When set to True this will disable all logging except + # for loggers specified in this configuration dictionary. Note that + # if nothing is specified here and disable_existing_loggers is True, + # django.db.backends will still log unless it is disabled explicitly. + 'disable_existing_loggers': False, + # If apache2 mod_wsgi is used to deploy OpenStack dashboard + # timestamp is output by mod_wsgi. If WSGI framework you use does not + # output timestamp for logging, add %(asctime)s in the following + # format definitions. + 'formatters': { + 'console': { + 'format': '%(levelname)s %(name)s %(message)s' + }, + 'operation': { + # The format of "%(message)s" is defined by + # OPERATION_LOG_OPTIONS['format'] + 'format': '%(message)s' + }, + }, + 'handlers': { + 'null': { + 'level': 'DEBUG', + 'class': 'logging.NullHandler', + }, + 'console': { + # Set the level to "DEBUG" for verbose output logging. 
+ 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'console', + }, + 'operation': { + 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'operation', + }, + }, + 'loggers': { + 'horizon': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'horizon.operation_log': { + 'handlers': ['operation'], + 'level': 'INFO', + 'propagate': False, + }, + 'openstack_dashboard': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'novaclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'cinderclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneauth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'glanceclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'neutronclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'swiftclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'oslo_policy': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_auth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'django': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + # Logging from django.db.backends is VERY verbose, send to null + # by default. 
+ 'django.db.backends': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests': { + 'handlers': ['null'], + 'propagate': False, + }, + 'urllib3': { + 'handlers': ['null'], + 'propagate': False, + }, + 'chardet.charsetprober': { + 'handlers': ['null'], + 'propagate': False, + }, + 'iso8601': { + 'handlers': ['null'], + 'propagate': False, + }, + 'scss': { + 'handlers': ['null'], + 'propagate': False, + }, + }, +} + +# 'direction' should not be specified for all_tcp/udp/icmp. +# It is specified in the form. +SECURITY_GROUP_RULES = { + 'all_tcp': { + 'name': _('All TCP'), + 'ip_protocol': 'tcp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_udp': { + 'name': _('All UDP'), + 'ip_protocol': 'udp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_icmp': { + 'name': _('All ICMP'), + 'ip_protocol': 'icmp', + 'from_port': '-1', + 'to_port': '-1', + }, + 'ssh': { + 'name': 'SSH', + 'ip_protocol': 'tcp', + 'from_port': '22', + 'to_port': '22', + }, + 'smtp': { + 'name': 'SMTP', + 'ip_protocol': 'tcp', + 'from_port': '25', + 'to_port': '25', + }, + 'dns': { + 'name': 'DNS', + 'ip_protocol': 'tcp', + 'from_port': '53', + 'to_port': '53', + }, + 'http': { + 'name': 'HTTP', + 'ip_protocol': 'tcp', + 'from_port': '80', + 'to_port': '80', + }, + 'pop3': { + 'name': 'POP3', + 'ip_protocol': 'tcp', + 'from_port': '110', + 'to_port': '110', + }, + 'imap': { + 'name': 'IMAP', + 'ip_protocol': 'tcp', + 'from_port': '143', + 'to_port': '143', + }, + 'ldap': { + 'name': 'LDAP', + 'ip_protocol': 'tcp', + 'from_port': '389', + 'to_port': '389', + }, + 'https': { + 'name': 'HTTPS', + 'ip_protocol': 'tcp', + 'from_port': '443', + 'to_port': '443', + }, + 'smtps': { + 'name': 'SMTPS', + 'ip_protocol': 'tcp', + 'from_port': '465', + 'to_port': '465', + }, + 'imaps': { + 'name': 'IMAPS', + 'ip_protocol': 'tcp', + 'from_port': '993', + 'to_port': '993', + }, + 'pop3s': { + 'name': 'POP3S', + 'ip_protocol': 'tcp', + 'from_port': '995', + 'to_port': '995', + }, + 'ms_sql': { 
+ 'name': 'MS SQL', + 'ip_protocol': 'tcp', + 'from_port': '1433', + 'to_port': '1433', + }, + 'mysql': { + 'name': 'MYSQL', + 'ip_protocol': 'tcp', + 'from_port': '3306', + 'to_port': '3306', + }, + 'rdp': { + 'name': 'RDP', + 'ip_protocol': 'tcp', + 'from_port': '3389', + 'to_port': '3389', + }, +} + +# Deprecation Notice: +# +# The setting FLAVOR_EXTRA_KEYS has been deprecated. +# Please load extra spec metadata into the Glance Metadata Definition Catalog. +# +# The sample quota definitions can be found in: +# /etc/metadefs/compute-quota.json +# +# The metadata definition catalog supports CLI and API: +# $glance --os-image-api-version 2 help md-namespace-import +# $glance-manage db_load_metadefs +# +# See Metadata Definitions on: +# https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html + +# The hash algorithm to use for authentication tokens. This must +# match the hash algorithm that the identity server and the +# auth_token middleware are using. Allowed values are the +# algorithms supported by Python's hashlib library. +#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' + +# AngularJS requires some settings to be made available to +# the client side. Some settings are required by in-tree / built-in horizon +# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the +# form of ['SETTING_1','SETTING_2'], etc. +# +# You may remove settings from this list for security purposes, but do so at +# the risk of breaking a built-in horizon feature. These settings are required +# for horizon to function properly. Only remove them if you know what you +# are doing. These settings may in the future be moved to be defined within +# the enabled panel configuration. +# You should not add settings to this list for out of tree extensions. 
+# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI +REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', + 'LAUNCH_INSTANCE_DEFAULTS', + 'OPENSTACK_IMAGE_FORMATS', + 'OPENSTACK_KEYSTONE_BACKEND', + 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', + 'CREATE_IMAGE_DEFAULTS', + 'ENFORCE_PASSWORD_CHECK'] + +# Additional settings can be made available to the client side for +# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS +# !! Please use extreme caution as the settings are transferred via HTTP/S +# and are not encrypted on the browser. This is an experimental API and +# may be deprecated in the future without notice. +#REST_API_ADDITIONAL_SETTINGS = [] + +############################################################################### +# Ubuntu Settings +############################################################################### + + # The default theme if no cookie is present +DEFAULT_THEME = 'default' + +# Default Ubuntu apache configuration uses /horizon as the application root. +WEBROOT='/horizon/' + +# By default, validation of the HTTP Host header is disabled. Production +# installations should have this set accordingly. For more information +# see https://docs.djangoproject.com/en/dev/ref/settings/. +ALLOWED_HOSTS = '*' + +# Compress all assets offline as part of packaging installation +COMPRESS_OFFLINE = True + +# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded +# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame +# Scripting (XFS) vulnerability, so this option allows extra security hardening +# where iframes are not used in deployment. Default setting is True. +# For more information see: +# http://tinyurl.com/anticlickjack +#DISALLOW_IFRAME_EMBED = True + +# Help URL can be made available for the client. To provide a help URL, edit the +# following attribute to the URL of your choice. 
+#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" + +# Settings for OperationLogMiddleware +# OPERATION_LOG_ENABLED is flag to use the function to log an operation on +# Horizon. +# mask_targets is arrangement for appointing a target to mask. +# method_targets is arrangement of HTTP method to output log. +# format is the log contents. +#OPERATION_LOG_ENABLED = False +#OPERATION_LOG_OPTIONS = { +# 'mask_fields': ['password'], +# 'target_methods': ['POST'], +# 'ignored_urls': ['/js/', '/static/', '^/api/'], +# 'format': ("[%(client_ip)s] [%(domain_name)s]" +# " [%(domain_id)s] [%(project_name)s]" +# " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]" +# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" +# " [%(http_status)s] [%(param)s]"), +#} + +# The default date range in the Overview panel meters - either minus N +# days (if the value is integer N), or from the beginning of the current month +# until today (if set to None). This setting should be used to limit the amount +# of data fetched by default when rendering the Overview panel. +#OVERVIEW_DAYS_RANGE = 1 + +# To allow operators to require users provide a search criteria first +# before loading any data into the views, set the following dict +# attributes to True in each one of the panels you want to enable this feature. +# Follow the convention . +#FILTER_DATA_FIRST = { +# 'admin.instances': False, +# 'admin.images': False, +# 'admin.networks': False, +# 'admin.routers': False, +# 'admin.volumes': False, +# 'identity.users': False, +# 'identity.projects': False, +# 'identity.groups': False, +# 'identity.roles': False +#} + +# Dict used to restrict user private subnet cidr range. +# An empty list means that user input will not be restricted +# for a corresponding IP version. By default, there is +# no restriction for IPv4 or IPv6. 
To restrict +# user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR +# to something like +#ALLOWED_PRIVATE_SUBNET_CIDR = { +# 'ipv4': ['10.0.0.0/8', '192.168.0.0/16'], +# 'ipv6': ['fc00::/7'] +#} +ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} + +# Projects and users can have extra attributes as defined by keystone v3. +# Horizon has the ability to display these extra attributes via this setting. +# If you'd like to display extra data in the project or user tables, set the +# corresponding dict key to the attribute name, followed by the display name. +# For more information, see horizon's customization +# (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides) +#PROJECT_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} +#USER_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} + +# Password will have an expiration date when using keystone v3 and enabling the +# feature. +# This setting allows you to set the number of days that the user will be alerted +# prior to the password expiration. +# Once the password expires keystone will deny the access and users must +# contact an admin to change their password. +#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 + +IOTRONIC_ZONES={'iot.felooca.io', + 'iot.felooca.it', + # 'iot.felooca.com', + 'iot.felooca.net', + 'iot.felooca.org', + 'iot.felooca.eu', + 'iot.felooca.info' +} diff --git a/6-ui/iotronic-ui b/6-ui/iotronic-ui new file mode 160000 index 0000000..4f11f28 --- /dev/null +++ b/6-ui/iotronic-ui @@ -0,0 +1 @@ +Subproject commit 4f11f28c3d726c915c3a8e2c3df4a3e97c3102b7 From 27f87fb5fbbc1d1c332d12f6917d1cef5909c41d Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Fri, 29 Oct 2021 14:27:27 +0200 Subject: [PATCH 02/66] updating docker-compose to release v2.0.1 --- 0-docker | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/0-docker b/0-docker index dc7dd3c..fc38023 100755 --- a/0-docker +++ b/0-docker 
@@ -5,6 +5,9 @@ if [ "$EUID" -ne 0 ] exit fi +COMPOSE_VERSION="2.0.1" +SYSTEM=$(uname -s | tr '[:upper:]' '[:lower:]') + apt-get update && apt-get install -y \ apt-transport-https \ ca-certificates \ @@ -26,7 +29,8 @@ usermod -aG docker iotronic systemctl enable docker -curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose +curl -L "https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-${SYSTEM}-$(uname -m)" -o /usr/local/bin/docker-compose + ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose chmod +x /usr/local/bin/docker-compose From bc71824e53497920524da8256a3e0626b7c08be5 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Fri, 29 Oct 2021 14:28:44 +0200 Subject: [PATCH 03/66] mysql: adding Dockerfile and switching entries to smartme_test instead of felooca_test --- 1-mysql/1-mysql | 16 ++++++++-------- 1-mysql/Dockerfile | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 1-mysql/Dockerfile diff --git a/1-mysql/1-mysql b/1-mysql/1-mysql index c32e806..4dfd348 100755 --- a/1-mysql/1-mysql +++ b/1-mysql/1-mysql 
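Review bot: The rewritten `curl` line still installs whatever the server returns straight into /usr/local/bin as root with no integrity check, and without `-f` a 404 or error page would be saved as the binary and then `chmod +x`'d; only the version and asset name changed. Pin the expected digest next to `COMPOSE_VERSION` and verify it before the `ln -s`: `curl -fsSL "https://github.com/docker/compose/releases/download/v${COMPOSE_VERSION}/docker-compose-${SYSTEM}-$(uname -m)" -o /usr/local/bin/docker-compose` followed by `echo "${COMPOSE_SHA256}  /usr/local/bin/docker-compose" | sha256sum -c - || exit 1`. The compose release page publishes a checksum per asset that can seed `COMPOSE_SHA256` — confirm against the v2.0.1 release before pinning. The `ln -s` on the following line will also fail on a re-run once the link exists; `ln -sf` keeps the script idempotent.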
@@ -10,18 +10,18 @@ MYSQL_ROOT_PASSWORD="smartme" docker create \ - --name=felooca_test_iotronic_db\ - --network=felooca_test_network \ + --name=smartme_test_iotronic_db\ + --network=smartme_test_network \ -p 53306:3306 \ --restart unless-stopped\ -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \ - -v felooca_test_iotronic_db_data:/var/lib/mysql \ - -v felooca_test_iotronic_db_config:/etc/mysql \ + -v smartme_test_iotronic_db_data:/var/lib/mysql \ + -v smartme_test_iotronic_db_config:/etc/mysql \ mariadb:focal -docker cp create_dbs.sql felooca_test_iotronic_db:/docker-entrypoint-initdb.d/create_dbs.sql -docker cp 99-openstack.conf felooca_test_iotronic_db:/etc/mysql/mariadb.conf.d/99-openstack.cnf +docker cp create_dbs.sql smartme_test_iotronic_db:/docker-entrypoint-initdb.d/create_dbs.sql +docker cp 99-openstack.conf smartme_test_iotronic_db:/etc/mysql/mariadb.conf.d/99-openstack.cnf -docker start felooca_test_iotronic_db +docker start smartme_test_iotronic_db -echo -e "\e[32mCompleted but wait mariadb to be ready using docker logs -f felooca_test_iotronic_db\e[0m" +echo -e "\e[32mCompleted but wait mariadb to be ready using docker logs -f smartme_test_iotronic_db\e[0m" diff --git a/1-mysql/Dockerfile b/1-mysql/Dockerfile new file mode 100644 index 0000000..b089a91 --- /dev/null +++ b/1-mysql/Dockerfile @@ -0,0 +1,4 @@ +FROM mariadb:focal + +COPY create_dbs.sql smartme_test_iotronic_db:/docker-entrypoint-initdb.d/create_dbs.sql +COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.conf \ No newline at end of file From 33b48ca0bc03541440d44663e4422d7b8a3eb908 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Fri, 29 Oct 2021 14:29:09 +0200 Subject: [PATCH 04/66] rabbitmq: switching entries to smartme_test instead of felooca_test --- 1-rabbitmq | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1-rabbitmq b/1-rabbitmq index 7c8888f..f8c5106 100755 --- a/1-rabbitmq +++ b/1-rabbitmq 
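Review bot: The new Dockerfile's `COPY create_dbs.sql smartme_test_iotronic_db:/docker-entrypoint-initdb.d/create_dbs.sql` uses `docker cp` container-name syntax, which Dockerfile COPY does not understand; the destination is treated as a path relative to the working directory, so the init script never lands in `/docker-entrypoint-initdb.d/` and the databases defined in `create_dbs.sql` are not created on first start. The second COPY also writes `99-openstack.conf`, whereas the `1-mysql` script in the same patch installs it as `/etc/mysql/mariadb.conf.d/99-openstack.cnf`; the conf.d include only reads `*.cnf`, so the image-built variant would silently ignore those settings. Change the two lines to `COPY create_dbs.sql /docker-entrypoint-initdb.d/create_dbs.sql` and `COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.cnf`. The file is also marked as lacking a trailing newline.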
@@ -9,7 +9,7 @@ RABBIT_PASS="smartme" docker run -d \ - --name=felooca_test_rabbitmq\ + --name=smartme_test_rabbitmq\ -p 5672:5672 \ --network=host \ --restart unless-stopped \ From c9810674b126784daebcdb3e3dcef8c88e7a36ed Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Fri, 29 Oct 2021 14:33:10 +0200 Subject: [PATCH 05/66] keystone: switching entries to smartme_test instead of felooca_test --- 2-keystone/2-keystone | 14 +++++++------- 2-keystone/2.5-keystone | 15 +++++++-------- 2-keystone/build/Dockerfile | 15 ++++++++------- 2-keystone/conf/adminrc | 2 +- 2-keystone/conf/keystone.conf | 2 +- 5 files changed, 24 insertions(+), 24 deletions(-) diff --git a/2-keystone/2-keystone b/2-keystone/2-keystone index dd1a281..95da1f9 100755 --- a/2-keystone/2-keystone +++ b/2-keystone/2-keystone @@ -8,7 +8,7 @@ VERSION=1.0 -HOST="felooca-test-ctrl.smartme.io" +HOST="demo-test.smartme.io" HTTPS=true ADMIN_PASS="smartme" @@ -34,18 +34,18 @@ echo -e "\e[0m" docker create \ --env-file conf/adminrc \ - --name=felooca_test_keystone \ + --name=smartme_test_keystone \ --restart unless-stopped\ - --network=felooca_test_network \ + --network=smartme_test_network \ -p 5001:5000 \ - -v felooca_test_keystone_config:/etc/keystone/ \ - -v felooca_test_keystone_data:/var/lib/keystone/ \ + -v smartme_test_keystone_config:/etc/keystone/ \ + -v smartme_test_keystone_data:/var/lib/keystone/ \ -v /var/log/keystone:/var/log/keystone \ -v /var/log/keystone-api:/var/log/apache2 \ smartmeio/keystone-stain:$VERSION -docker cp conf/keystone.conf felooca_test_keystone:/etc/keystone/ +docker cp conf/keystone.conf smartme_test_keystone:/etc/keystone/ docker run --rm \ -v /var/log/keystone:/var/log/keystone \ @@ -53,5 +53,5 @@ docker run --rm \ smartmeio/keystone-stain:$VERSION \ /bin/sh -c "chown -R keystone:keystone /var/log/keystone/" -docker start felooca_test_keystone +docker start smartme_test_keystone diff --git a/2-keystone/2.5-keystone b/2-keystone/2.5-keystone index 1745a19..0c3bb7a 100755 
--- a/2-keystone/2.5-keystone +++ b/2-keystone/2.5-keystone @@ -1,6 +1,6 @@ #! /bin/bash -HOST="felooca-test-ctrl.smartme.io" +HOST="demo-test.smartme.io" HTTPS=true ADMIN_PASS="smartme" @@ -11,15 +11,14 @@ fi echo $URL -docker exec felooca_test_keystone /bin/sh -c "keystone-manage db_sync" keystone +docker exec smartme_test_keystone /bin/sh -c "keystone-manage db_sync" keystone echo "db_sync" -docker exec felooca_test_keystone keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone +docker exec smartme_test_keystone keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone echo "fernet_setup" -docker exec felooca_test_keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone -echo "credential_setup" +docker exec smartme_test_keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone -docker exec felooca_test_keystone keystone-manage bootstrap --bootstrap-password $ADMIN_PASS \ +docker exec smartme_test_keystone keystone-manage bootstrap --bootstrap-password $ADMIN_PASS \ --bootstrap-admin-url $URL \ --bootstrap-internal-url $URL \ --bootstrap-public-url $URL \ @@ -27,9 +26,9 @@ docker exec felooca_test_keystone keystone-manage bootstrap --bootstrap-password echo "bootstrap" -docker restart felooca_test_keystone +docker restart smartme_test_keystone echo "restarting in 5 seconds" sleep 5 -docker exec felooca_test_keystone openstack project create --domain default --description "Service Project" service +docker exec smartme_test_keystone openstack project create --domain default --description "Service Project" service echo "project created" diff --git a/2-keystone/build/Dockerfile b/2-keystone/build/Dockerfile index 8f44217..d550e95 100644 --- a/2-keystone/build/Dockerfile +++ b/2-keystone/build/Dockerfile 
@@ -1,18 +1,19 @@ -FROM ubuntu:bionic +FROM ubuntu:focal #ENV VERSION=2.3.9 RUN apt-get update \ && apt-get install nocache -y software-properties-common \ && add-apt-repository -y cloud-archive:stein \ - && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y python3-openstackclient nano iputils-ping net-tools + && apt-get update && apt-get -y dist-upgrade && \ + && apt-get install nocache -y python3-openstackclient nano iputils-ping net-tools keystone -RUN apt-get install nocache keystone -y +# RUN apt-get install nocache keystone -y RUN mkdir -p /var/log/keystone \ -&& touch /var/log/keystone/keystone-manage.log \ -&& touch /var/log/keystone/keystone-wsgi-public.log \ -&& touch /var/log/keystone/keystone.log \ -&& chown -R keystone:keystone /var/log/keystone/ + && touch /var/log/keystone/keystone-manage.log \ + && touch /var/log/keystone/keystone-wsgi-public.log \ + && touch /var/log/keystone/keystone.log \ + && chown -R keystone:keystone /var/log/keystone/ VOLUME ["/etc/keystone"] VOLUME ["/var/log/keystone"] diff --git a/2-keystone/conf/adminrc b/2-keystone/conf/adminrc index 35687bb..62b5c27 100644 --- a/2-keystone/conf/adminrc +++ b/2-keystone/conf/adminrc @@ -3,6 +3,6 @@ OS_USER_DOMAIN_NAME=Default OS_PROJECT_NAME=admin OS_USERNAME=admin OS_PASSWORD=smartme -OS_AUTH_URL=https://felooca-test-ctrl.smartme.io:5000/v3 +OS_AUTH_URL=https://demo-test.smartme.io:5000/v3 OS_IDENTITY_API_VERSION=3 OS_IMAGE_API_VERSION=2 \ No newline at end of file diff --git a/2-keystone/conf/keystone.conf b/2-keystone/conf/keystone.conf index 2d04d35..71a6804 100644 --- a/2-keystone/conf/keystone.conf +++ b/2-keystone/conf/keystone.conf @@ -590,7 +590,7 @@ log_dir = /var/log/keystone [database] -connection = mysql+pymysql://fe_t_keystone:KEYSTONE_DBPASS@felooca_test_iotronic_db:3306/felooca_test_keystone +connection = mysql+pymysql://fe_t_keystone:KEYSTONE_DBPASS@smartme_test_iotronic_db:3306/smartme_test_keystone # # From oslo.db 
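Review bot: The rewritten RUN in this hunk ends one line with `&& \` and begins the next with `&& apt-get install ...`, which is a shell syntax error (two consecutive `&&`), so the image no longer builds; the fix is to drop one operator, e.g. `&& apt-get update && apt-get -y dist-upgrade \`. The base image also moves from bionic to focal while the kept `&& add-apt-repository -y cloud-archive:stein` line still targets the bionic cloud archive, which as far as I know is not published for focal; 3-conductor/build/Dockerfile in the next patch makes the same bionic→focal change with the same stein line. The commented-out `# RUN apt-get install nocache keystone -y` can simply be deleted now that keystone is in the main package list.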
From 549916b3a443cfa2b3bb73bfab6b9a652e6f302c Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Fri, 29 Oct 2021 14:37:48 +0200 Subject: [PATCH 06/66] conductor: switching entries to smartme_test instead of felooca_test --- 3-conductor/3-conductor | 26 +++++++++++++------------- 3-conductor/3.5-conductor | 2 +- 3-conductor/build/Dockerfile | 4 ++-- 3-conductor/conf/iotronic.conf | 8 ++++---- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/3-conductor/3-conductor b/3-conductor/3-conductor index f8bb580..b3f244b 100755 --- a/3-conductor/3-conductor +++ b/3-conductor/3-conductor 
@@ -3,28 +3,28 @@ VERSION="latest" docker create \ - --name=felooca_test_iotronic_conductor \ + --name=smartme_test_iotronic_conductor \ --restart unless-stopped\ - --network=felooca_test_network \ + --network=smartme_test_network \ --hostname conductor \ -p 8813:8812 \ - -v felooca_test_iotronic_conductor_config:/etc/iotronic/ \ + -v smartme_test_iotronic_conductor_config:/etc/iotronic/ \ -v /var/log/iotronic-conductor:/var/log/iotronic \ -smartme/felooca_test_iotronic_conductor:$VERSION +smartme/smartme_test_iotronic_conductor:$VERSION -docker cp conf/iotronic.conf felooca_test_iotronic_conductor:/etc/iotronic/ +docker cp conf/iotronic.conf smartme_test_iotronic_conductor:/etc/iotronic/ docker run --rm \ - --network=felooca_test_network \ - -v felooca_test_iotronic_conductor_config:/etc/iotronic/ \ + --network=smartme_test_network \ + -v smartme_test_iotronic_conductor_config:/etc/iotronic/ \ -v /var/log/iotronic-conductor:/var/log/iotronic \ -smartme/felooca_test_iotronic_conductor:$VERSION \ -/bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/" +smartme/smartme_test_iotronic_conductor:$VERSION \ +/bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/" docker run --rm \ - --network=felooca_test_network \ - -v felooca_test_iotronic_conductor_config:/etc/iotronic/ \ + --network=smartme_test_network \ + -v smartme_test_iotronic_conductor_config:/etc/iotronic/ \ -v /var/log/iotronic-conductor:/var/log/iotronic \ -smartme/felooca_test_iotronic_conductor:$VERSION /bin/sh -c "iotronic-dbsync" +smartme/smartme_test_iotronic_conductor:$VERSION /bin/sh -c "iotronic-dbsync" -docker start felooca_test_iotronic_conductor \ No newline at end of file +docker start smartme_test_iotronic_conductor \ No newline at end of file diff --git a/3-conductor/3.5-conductor b/3-conductor/3.5-conductor index 60a9b6d..2c5a227 100755 --- a/3-conductor/3.5-conductor +++ b/3-conductor/3.5-conductor 
@@ -1,6 +1,6 @@ #! /bin/bash -IP_IOTRONIC="felooca-test.smartme.io" +IP_IOTRONIC="demo-test.smartme.io" HTTPS=true IOTRONIC_PASS="smartme" diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile index c15393c..1846765 100644 --- a/3-conductor/build/Dockerfile +++ b/3-conductor/build/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:bionic +FROM ubuntu:focal #ENV VERSION=2.3.9 ENV DEBIAN_FRONTEND=noninteractive @@ -33,7 +33,7 @@ RUN mkdir -p /var/log/iotronic \ && touch /var/log/iotronic/iotronic-api_error.log \ && touch /var/log/iotronic/iotronic-api_access.log \ && chown -R iotronic:iotronic /var/log/iotronic/ \ -&& cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf +&& cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf RUN pip3 uninstall -y SQLAlchemy RUN pip3 install SQLAlchemy==1.3.20 diff --git a/3-conductor/conf/iotronic.conf b/3-conductor/conf/iotronic.conf index 7518195..a5e1771 100644 --- a/3-conductor/conf/iotronic.conf +++ b/3-conductor/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@felooca_test_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/ debug=True log_file = /var/log/iotronic/iotronic-conductor.log @@ -33,11 +33,11 @@ service_allow_list_path="/var/lib/iotronic/wstun/allowlist.json" [database] -connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic +connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic [keystone_authtoken] -www_authenticate_uri = https://felooca-test-ctrl.smartme.io:5000 -auth_url = https://felooca-test-ctrl.smartme.io:5000 +www_authenticate_uri = https://demo-test.smartme.io:5000 +auth_url = https://demo-test.smartme.io:5000 auth_plugin = password project_domain_id = default user_domain_id = default From 0c274b9d67eda55e4c74b7964e1491f769acbfe0 Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Fri, 29 Oct 2021 14:38:54 +0200 Subject: [PATCH 07/66] adding first draft of docker-compose YAML file for CONTROLLER machine --- docker-compose-controller.yml | 116 ++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 docker-compose-controller.yml diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml new file mode 100644 index 0000000..8ffcd71 --- /dev/null +++ b/docker-compose-controller.yml 
@@ -0,0 +1,116 @@ +version: '3.7' +services: + mariadb: + container_name: smartme_test_iotronic_db + restart: unless-stopped + image: mariadb:focal + environment: + - MYSQL_ROOT_PASSWORD="smartme" + volumes: + - 'smartme_test_iotronic_db_data:/var/lib/mysql' + - 'smartme_test_iotronic_db_config:/etc/mysql' + ports: + - '53306:3306' + networks: + - 'default' + + rabbitmq: + container_name: smartme_test_rabbitmq + restart: unless-stopped + image: rabbitmq:3.9.8 + entrypoint: ["/bin/sh","-c"] + environment: + - RABBIT_PASS="smartme" + command: + - | + rabbitmqctl add_user openstack $${RABBIT_PASS} + rabbitmqctl set_permissions openstack ".*" ".*" ".*" + ports: + - '5672:5672' + networks: + - 'default' + + keystone: + container_name: smartme_test_keystone + restart: unless-stopped + image: smartmeio/keystone-stain:1.0 + environment: + - OS_PROJECT_DOMAIN_NAME=Default + - OS_USER_DOMAIN_NAME=Default + - OS_PROJECT_NAME=admin + - OS_USERNAME=admin + - OS_PASSWORD=smartme + - OS_AUTH_URL=https://demo-test.smartme.io:5000/v3 + - OS_IDENTITY_API_VERSION=3 + - OS_IMAGE_API_VERSION=2 + - HOST="demo-test.smartme.io" + - ADMIN_PASS="smartme" + - URL="https://demo-test.smartme.io:5000/v3" + volumes: + - smartme_test_keystone_config:/etc/keystone/ + - smartme_test_keystone_data:/var/lib/keystone/ + - /var/log/keystone:/var/log/keystone + - /var/log/keystone-api:/var/log/apache2 + command: + - | + keystone-manage db_sync + echo "db_sync" + keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone + echo "fernet_setup" + keystone-manage credential_setup --keystone-user keystone --keystone-group keystone + echo "credential_setup" + keystone-manage bootstrap --bootstrap-password $${ADMIN_PASS} --bootstrap-admin-url ${{URL}} \ + --bootstrap-internal-url $${URL} --bootstrap-public-url $${URL} --bootstrap-region-id RegionOne + openstack project create --domain default --description "Service Project" service + ports: + - '5001:5001' + networks: + - 'default' + + 
conductor: + container_name: smartme_test_iotronic_conductor + restart: unless-stopped + image: smartmeio/conductor + environment: + - URL="demo-test.smartme.io" + - IOTRONIC_PASS="smartme" + hostname: conductor + volumes: + - smartme_test_iotronic_conductor_config:/etc/iotronic/ + - /var/log/iotronic-conductor:/var/log/iotronic + command: + - | + openstack service create iot --name Iotronic + openstack user create --password $${IOTRONIC_PASS} iotronic + openstack role add --project service --user iotronic admin + openstack role create admin_iot_project + openstack role create manager_iot_project + openstack role create user_iot + openstack role add --project service --user iotronic admin_iot_project + openstack endpoint create --region RegionOne iot public $${URL} + openstack endpoint create --region RegionOne iot internal $${URL} + openstack endpoint create --region RegionOne iot admin $${URL} + openstack role add --project admin --user admin admin_iot_project + ports: + - '8813:8812' + networks: + - 'default' + + +volumes: + smartme_test_iotronic_db_data: + name: smartme_test_iotronic_db_data + smartme_test_iotronic_db_config: + name: smartme_test_iotronic_db_config + smartme_test_keystone_config: + name: smartme_test_keystone_config + smartme_test_keystone_data: + name: smartme_test_keystone_data + smartme_test_iotronic_conductor_config: + name: smartme_test_iotronic_conductor_config + + +networks: + default: + name: smartme-controller-network + driver: 'bridge' \ No newline at end of file From cb45453e5e962026c24d7ebceb35f93d22b8213d Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 2 Nov 2021 15:41:43 +0100 Subject: [PATCH 08/66] add initial draft of wagent compose file --- docker-compose-wagent.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 docker-compose-wagent.yml diff --git a/docker-compose-wagent.yml b/docker-compose-wagent.yml new file mode 100644 index 0000000..dab8503 --- /dev/null 
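Review bot: `--bootstrap-admin-url ${{URL}}` in the keystone service command uses `${{...}}`, which Compose does not accept as an interpolation (the neighbouring references use `$${URL}` to escape it), so the file will presumably be rejected at parse time; it should read `--bootstrap-admin-url $${URL}`. In list-form `environment`, the quotes in `MYSQL_ROOT_PASSWORD="smartme"`, `RABBIT_PASS="smartme"`, `HOST="demo-test.smartme.io"`, `ADMIN_PASS="smartme"` and `URL="..."` become part of the value handed to the container, unlike the unquoted `OS_*` entries next to them. `'5001:5001'` publishes a port keystone does not listen on; the 2-keystone/2-keystone script maps `5001:5000`. The rabbitmq `entrypoint: ["/bin/sh","-c"]` override combined with a command that only runs `rabbitmqctl` means, as far as I can tell from this file, the broker process itself is never started. All credentials (database root, broker, keystone admin and service) are committed in cleartext; keeping them in an untracked `.env` file or Compose secrets leaves only variable references in the tracked file.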
+++ b/docker-compose-wagent.yml @@ -0,0 +1,25 @@ +version: '3.7' +services: + crossbario: + container_name: smartme_test_iotronic_crossbar + restart: unless-stopped + image: crossbario/crossbar:cpy3-20.2.1 + volumes: + - 'smartme_test_crossbar_config:/node/.crossbar' + - ./etc/ssl/iotronic/client_iotronic/:/node/.crossbar/ssl:ro + ports: + - '8181:8181' + networks: + - 'default' + + +volumes: + felooca_test_iotronic_db_data: + name: felooca_test_iotronic_db_data + felooca_test_iotronic_db_config: + name: felooca_test_iotronic_db_config + +networks: + default: + name: smartme-wagent-network + driver: 'bridge' \ No newline at end of file From d3a7ad23b7608c4559e7a52643aab48a04864f83 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 15:41:14 +0100 Subject: [PATCH 09/66] rework of Dockerfile(s) for 2-keyston and 3-conductor steps --- 2-keystone/build/Dockerfile | 19 ++++++--- 2-keystone/scripts/keystone-setup.sh | 33 ++++++++++++++ 3-conductor/build/Dockerfile | 45 +++++++++++++------- 3-conductor/build/scripts/openstack-setup.sh | 26 +++++++++++ 4 files changed, 103 insertions(+), 20 deletions(-) create mode 100644 2-keystone/scripts/keystone-setup.sh create mode 100644 3-conductor/build/scripts/openstack-setup.sh diff --git a/2-keystone/build/Dockerfile b/2-keystone/build/Dockerfile index d550e95..38db633 100644 --- a/2-keystone/build/Dockerfile +++ b/2-keystone/build/Dockerfile 
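Review bot: The top-level `volumes:` block declares `felooca_test_iotronic_db_data` and `felooca_test_iotronic_db_config`, which no service in this file uses, while `smartme_test_crossbar_config` mounted by `crossbario` is not declared, so Compose will reject the file with an undefined-volume error. Replace the block with `volumes:` / `  smartme_test_crossbar_config:` / `    name: smartme_test_crossbar_config`. The two leftover names look like a copy of the controller file's volumes block.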
@@ -1,11 +1,16 @@ FROM ubuntu:focal #ENV VERSION=2.3.9 -RUN apt-get update \ - && apt-get install nocache -y software-properties-common \ - && add-apt-repository -y cloud-archive:stein \ - && apt-get update && apt-get -y dist-upgrade && \ - && apt-get install nocache -y python3-openstackclient nano iputils-ping net-tools keystone +RUN : \ + && apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache software-properties-common \ + python3-openstackclient nano iputils-ping net-tools keystone \ + && add-apt-repository -y cloud-archive:wallaby \ + && apt-get update && apt-get -y dist-upgrade \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ + && wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3 \ + && : # RUN apt-get install nocache keystone -y @@ -15,6 +20,10 @@ RUN mkdir -p /var/log/keystone \ && touch /var/log/keystone/keystone.log \ && chown -R keystone:keystone /var/log/keystone/ +COPY scripts/keystone-setup.sh /usr/local/bin/keystone-setup + +RUN chmod +x /usr/local/bin/keystone-setup + VOLUME ["/etc/keystone"] VOLUME ["/var/log/keystone"] diff --git a/2-keystone/scripts/keystone-setup.sh b/2-keystone/scripts/keystone-setup.sh new file mode 100644 index 0000000..1142d4d --- /dev/null +++ b/2-keystone/scripts/keystone-setup.sh 
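Review bot: The new RUN pipes `wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3`, but `wget` is not in the apt list on the preceding lines and ubuntu:focal does not ship it, so this step fails at build time; 3-conductor/build/Dockerfile in this patch and in the next one has the same list without wget, and 5-wagent/build/Dockerfile (patch 12) installs wget but keeps the same unpinned pipe. Executing an unpinned remote script as root is also a supply-chain exposure; the simpler fix is to add `python3-pip` to the apt install and drop the get-pip line, or else install wget and pin and verify the script. `add-apt-repository -y cloud-archive:wallaby` also runs after `keystone` and `python3-openstackclient` are installed, so they come from the focal pocket first and are only replaced by the later `dist-upgrade`; moving the add-apt-repository and update before the install avoids the double install.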
@@ -0,0 +1,33 @@
+#!/bin/bash -x
+
+HOST="demo-test.smartme.io"
+HTTPS=true
+ADMIN_PASS="smartme"
+
+URL="http://$HOST:5000/v3"
+if [ "$HTTPS" = true ] ; then
+ URL="https://$HOST:5000/v3"
+fi
+
+echo $URL
+
+keystone-manage db_sync
+echo "db_sync"
+
+keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
+echo "fernet_setup"
+
+keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+echo "credential_setup"
+
+keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-url ${URL} \
+ --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
+echo "boostrap"
+
+openstack project create --domain default --description "Service Project" service
+echo "project_created"
+
+chown -R keystone:keystone /var/log/keystone/
+echo "permissions_to_var_log_keystone"
+
+echo "restart the container"
\ No newline at end of file
diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile
index 1846765..a4d1108 100644
--- a/3-conductor/build/Dockerfile
+++ b/3-conductor/build/Dockerfile
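Review bot: `#!/bin/bash -x` traces every command, so `keystone-manage bootstrap --bootstrap-password smartme ...` is written to the container log with the admin password in clear; drop `-x` and add `set -eu` so a failed `db_sync` or `fernet_setup` stops the script instead of continuing to bootstrap. The admin password and host are hardcoded and the file is COPYed into the image, which bakes the password into a layer; read them from the environment instead, e.g. `ADMIN_PASS="${ADMIN_PASS:?ADMIN_PASS must be set}"`. `echo "boostrap"` is misspelled, and `echo $URL` should be `printf '%s\n' "$URL"`.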
@@ -7,39 +7,54 @@ ENV LC_CTYPE en_US.UTF-8 ENV LANG en_US.UTF-8 ENV LANG C.UTF-8 -RUN apt-get update \ - && apt-get install nocache -y software-properties-common locales tzdata\ - && add-apt-repository -y cloud-archive:stein \ - && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim + +RUN : \ + && apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ + software-properties-common locales tzdata build-essential \ + python3-openstackclient python3 python3-setuptools vim \ + python3-all python3-dev python3-all-dev \ + && add-apt-repository -y cloud-archive:wallaby \ + && apt-get update \ + && apt-get -y dist-upgrade \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ + && wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3 \ + && : RUN locale-gen en_US.UTF-8 ENV TZ 'Europe/Rome' RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata RUN apt-get install nocache -y git apache2 python3-setuptools libapache2-mod-wsgi-py3 -#RUN git clone https://opendev.org/x/iotronic.git /opt/build/iotronic +RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic #RUN git clone -b felooca_dev --depth 1 ssh://git@git.smartme.io:20022/smartme.io/stack4things/iotronic/iotronic.git /opt/build/iotronic -COPY ./iotronic /opt/build/iotronic +#COPY ./iotronic /opt/build/iotronic WORKDIR /opt/build/iotronic RUN pip3 install --upgrade pip RUN pip3 install --ignore-installed PyYAML -RUN pip3 install -r requirements.txt +RUN pip3 install -r requirements.txt RUN python3 setup.py install RUN useradd -m -d /var/lib/iotronic iotronic RUN mkdir -p /var/log/iotronic \ -&& touch /var/log/iotronic/iotronic-conductor.log \ -&& touch /var/log/iotronic/iotronic-api_error.log \ -&& touch 
/var/log/iotronic/iotronic-api_access.log \ -&& chown -R iotronic:iotronic /var/log/iotronic/ \ -&& cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf + && touch /var/log/iotronic/iotronic-conductor.log \ + && touch /var/log/iotronic/iotronic-api_error.log \ + && touch /var/log/iotronic/iotronic-api_access.log \ + && chown -R iotronic:iotronic /var/log/iotronic/ \ + && cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf + +# RUN pip3 uninstall -y SQLAlchemy +# RUN pip3 install SQLAlchemy==1.3.20 + -RUN pip3 uninstall -y SQLAlchemy -RUN pip3 install SQLAlchemy==1.3.20 +RUN a2ensite iotronic +COPY conf/iotronic.conf /etc/iotronic/ +COPY scripts/openstack-setup.sh /usr/local/bin/openstack-setup -RUN a2ensite iotronic +RUN chmod +x /usr/local/bin/openstack-setup COPY bin/startConductor /usr/local/bin/startConductor VOLUME ["/etc/iotronic"] diff --git a/3-conductor/build/scripts/openstack-setup.sh b/3-conductor/build/scripts/openstack-setup.sh new file mode 100644 index 0000000..9c261bf --- /dev/null +++ b/3-conductor/build/scripts/openstack-setup.sh @@ -0,0 +1,26 @@ +#! /bin/bash + +IP_IOTRONIC="demo-test.smartme.io" +HTTPS=true +IOTRONIC_PASS="smartme" + +URL="http://$IP_IOTRONIC:8812" +if [ "$HTTPS" = true ] ; then + URL="https://$IP_IOTRONIC:8812" +fi + +echo ${URL} + +openstack service create iot --name Iotronic +openstack user create --password ${IOTRONIC_PASS} iotronic +openstack role add --project service --user iotronic admin +openstack role create admin_iot_project +openstack role create manager_iot_project +openstack role create user_iot +openstack role add --project service --user iotronic admin_iot_project + +openstack endpoint create --region RegionOne iot public ${URL} +openstack endpoint create --region RegionOne iot internal ${URL} +openstack endpoint create --region RegionOne iot admin ${URL} + +openstack role add --project admin --user admin admin_iot_project \ No newline at end of file 
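Review bot: The kept `RUN apt-get install nocache -y git apache2 python3-setuptools libapache2-mod-wsgi-py3` now runs after the new first RUN has deleted `/var/lib/apt/lists/*`, and with no `apt-get update` in between apt has no package index, so that step fails; fold those packages into the first install list. `RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic` builds from a moving branch, so two builds of the same Dockerfile can contain different code; pin a tag or commit (for example `git checkout <pinned-commit>` after the clone, or a build ARG holding the revision). The `wget -qO- ... get-pip.py` line has the same missing-wget problem as 2-keystone/build/Dockerfile in this patch.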
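Review bot: The script has no `set -e`, so if `openstack service create iot --name Iotronic` fails (for example because the service already exists or no admin credentials are in the environment) it still goes on to create roles and endpoints against that state; add `set -eu` after the shebang. `openstack user create --password ${IOTRONIC_PASS} iotronic` puts the service password on the command line, where it is visible in process listings; the client's `--password-prompt` reads it from stdin instead. The script sets no `OS_*` variables itself, so it presumably relies on the container environment for admin credentials — worth stating in a header comment.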
From c30a4ff2414815cdd39e97207451bd985784af14 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 16:04:07 +0100 Subject: [PATCH 10/66] additional tweaking to 3-conductor step --- 3-conductor/bin/startConductor | 30 +++++++++++++++++++ 3-conductor/build/Dockerfile | 12 ++++---- .../{build => }/scripts/openstack-setup.sh | 0 3 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 3-conductor/bin/startConductor rename 3-conductor/{build => }/scripts/openstack-setup.sh (100%) diff --git a/3-conductor/bin/startConductor b/3-conductor/bin/startConductor new file mode 100644 index 0000000..a15f458 --- /dev/null +++ b/3-conductor/bin/startConductor @@ -0,0 +1,30 @@ +#!/bin/bash + +# Start the first process +/usr/sbin/apache2ctl -D FOREGROUND & +status=$? +if [ $status -ne 0 ]; then + echo "Failed to start APACHE2: $status" + exit $status +fi + +# Start the second process +/usr/local/bin/iotronic-conductor +status=$? +if [ $status -ne 0 ]; then + echo "Failed to start iotronic-conductor: $status" + exit $status +fi + +while sleep 60; do + ps aux |grep apache2 |grep -q -v grep + PROCESS_1_STATUS=$? + ps aux |grep iotronic-conductor |grep -q -v grep + PROCESS_2_STATUS=$? + # If the greps above find anything, they exit with 0 status + # If they are not both 0, then something is wrong + if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 ]; then + echo "One of the processes has already exited." + exit 1 + fi +done \ No newline at end of file diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile index a4d1108..8a11b16 100644 --- a/3-conductor/build/Dockerfile +++ b/3-conductor/build/Dockerfile 
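Review bot: `/usr/local/bin/iotronic-conductor` is started in the foreground, so the `while sleep 60` watchdog is only reached after the conductor has exited, at which point its `ps | grep` check always fails and the script exits 1 even after a clean shutdown; start it like apache with `/usr/local/bin/iotronic-conductor &` and let the loop supervise both. `status=$?` right after `apache2ctl -D FOREGROUND &` always sees 0 (the status of backgrounding, not of apache), so that `if` never fires; the ps loop is the only real check. `[ ... -o ... ]` is deprecated in bash; `[[ $PROCESS_1_STATUS -ne 0 || $PROCESS_2_STATUS -ne 0 ]]` is the idiomatic form.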
@@ -12,8 +12,8 @@ RUN : \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ software-properties-common locales tzdata build-essential \ - python3-openstackclient python3 python3-setuptools vim \ - python3-all python3-dev python3-all-dev \ + python3-openstackclient python3 python3-setuptools vim nano \ + python3-all python3-dev python3-all-dev git apache2 libapache2-mod-wsgi-py3 \ && add-apt-repository -y cloud-archive:wallaby \ && apt-get update \ && apt-get -y dist-upgrade \ @@ -26,9 +26,7 @@ RUN locale-gen en_US.UTF-8 ENV TZ 'Europe/Rome' RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata -RUN apt-get install nocache -y git apache2 python3-setuptools libapache2-mod-wsgi-py3 RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic -#RUN git clone -b felooca_dev --depth 1 ssh://git@git.smartme.io:20022/smartme.io/stack4things/iotronic/iotronic.git /opt/build/iotronic #COPY ./iotronic /opt/build/iotronic WORKDIR /opt/build/iotronic @@ -54,9 +52,11 @@ RUN a2ensite iotronic COPY conf/iotronic.conf /etc/iotronic/ COPY scripts/openstack-setup.sh /usr/local/bin/openstack-setup -RUN chmod +x /usr/local/bin/openstack-setup - COPY bin/startConductor /usr/local/bin/startConductor + +RUN chmod +x /usr/local/bin/openstack-setup \ + && chmod +x /usr/local/bin/startConductor + VOLUME ["/etc/iotronic"] VOLUME ["/var/log/iotronic"] diff --git a/3-conductor/build/scripts/openstack-setup.sh b/3-conductor/scripts/openstack-setup.sh similarity index 100% rename from 3-conductor/build/scripts/openstack-setup.sh rename to 3-conductor/scripts/openstack-setup.sh From 2c4bfd9f9875cb354fc45a0784307be2a660a631 Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Wed, 3 Nov 2021 17:30:32 +0100 Subject: [PATCH 11/66] adding modified 4-iotronic-crossbar and 4-iotronic-wstun stages --- 4-iotronic-crossbar/4-crossbar | 4 ++-- 4-iotronic-crossbar/Dockerfile | 9 +++++++++ 4-iotronic-crossbar/build | 4 ++++ 4-iotronic-wstun/4-wstun | 6 +++--- 4-iotronic-wstun/Dockerfile | 8 ++++++-- 4-iotronic-wstun/build | 4 ++++ 6 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 4-iotronic-crossbar/Dockerfile create mode 100755 4-iotronic-crossbar/build create mode 100755 4-iotronic-wstun/build diff --git a/4-iotronic-crossbar/4-crossbar b/4-iotronic-crossbar/4-crossbar index c2fc1dd..5d1983b 100755 --- a/4-iotronic-crossbar/4-crossbar +++ b/4-iotronic-crossbar/4-crossbar @@ -3,7 +3,7 @@ CERT_PATH="/etc/ssl/iotronic/client_iotronic/" docker create \ - --name=felooca_test_iotronic_crossbar \ + --name=smartme_test_iotronic_crossbar \ --network=host \ --restart unless-stopped\ -p 8181:8181 \ @@ -12,6 +12,6 @@ docker create \ crossbario/crossbar:cpy3-20.2.1 -docker cp confs/config.json felooca_test_iotronic_crossbar:/node/.crossbar/ +docker cp confs/config.json smartme_test_iotronic_crossbar:/node/.crossbar/ docker start felooca_test_iotronic_crossbar diff --git a/4-iotronic-crossbar/Dockerfile b/4-iotronic-crossbar/Dockerfile new file mode 100644 index 0000000..503cf3f --- /dev/null +++ b/4-iotronic-crossbar/Dockerfile @@ -0,0 +1,9 @@ +FROM crossbario/crossbar:cpy3-20.2.1 + +ENV DEBIAN_FRONTEND=noninteractive + +ENV LC_CTYPE en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANG C.UTF-8 + +COPY confs/config.json /node/.crossbar/ \ No newline at end of file diff --git a/4-iotronic-crossbar/build b/4-iotronic-crossbar/build new file mode 100755 index 0000000..f8dca5e --- /dev/null +++ b/4-iotronic-crossbar/build @@ -0,0 +1,4 @@ +#! /bin/bash + +VERSION="latest" +docker build -t smartme/smartme_test_iotronic_crossbar:$VERSION . \ No newline at end of file 
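Review bot: `docker start felooca_test_iotronic_crossbar` at the end of 4-iotronic-crossbar/4-crossbar is left on the old name while `docker create --name=smartme_test_iotronic_crossbar` and `docker cp ... smartme_test_iotronic_crossbar:` are renamed, so the start step fails with no such container; change it to `docker start smartme_test_iotronic_crossbar`. The new 4-iotronic-crossbar/build tags the image `smartme/smartme_test_iotronic_crossbar:$VERSION`, but the script still creates the container from `crossbario/crossbar:cpy3-20.2.1`, so the built image (with config.json baked in) is never used.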
diff --git a/4-iotronic-wstun/4-wstun b/4-iotronic-wstun/4-wstun index 5796d71..5df9c6a 100755 --- a/4-iotronic-wstun/4-wstun +++ b/4-iotronic-wstun/4-wstun @@ -5,16 +5,16 @@ CERT_PATH="/etc/ssl/iotronic/client_iotronic/" ALLOW_PATH="/var/lib/docker/volumes/felooca_test_iotronic_wagent_config/_data/allowlist" -docker build -t smartmeio/felooca_test_iotronic_wstun:$VERSION . +docker build -t smartmeio/smartmeio_test_iotronic_wstun:$VERSION . RANGE="50000-50100:50000-50100" docker run -d \ - --name=felooca_test_iotronic_wstun \ + --name=smartmeio_test_iotronic_wstun \ --network=host \ --restart unless-stopped\ -p 8080:8080 \ -p $RANGE \ -v $CERT_PATH:/var/lib/iotronic/ssl/:ro \ -v $ALLOW_PATH:/var/lib/wstun/allowlist:ro \ -smartmeio/felooca_test_iotronic_wstun:$VERSION \ No newline at end of file +smartmeio/smartmeio_test_iotronic_wstun:$VERSION \ No newline at end of file diff --git a/4-iotronic-wstun/Dockerfile b/4-iotronic-wstun/Dockerfile index 852c026..816b258 100644 --- a/4-iotronic-wstun/Dockerfile +++ b/4-iotronic-wstun/Dockerfile @@ -1,7 +1,11 @@ -FROM node:carbon-alpine -ENV VERSION=allowlist +FROM node:dubnium-alpine +ENV VERSION=allowlist #1.1.0 +ENV LC_CTYPE en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANG C.UTF-8 + #RUN npm install -g --unsafe @mdslab/wstun \ # && npm cache --force clean diff --git a/4-iotronic-wstun/build b/4-iotronic-wstun/build new file mode 100755 index 0000000..ff41842 --- /dev/null +++ b/4-iotronic-wstun/build @@ -0,0 +1,4 @@ +#! /bin/bash + +VERSION="latest" +docker build -t smartme/smartme_test_iotronic_wstun:$VERSION . \ No newline at end of file From 21732e57b9bedff54eb46230762c950f9f572c82 Mon Sep 17 00:00:00 2001 
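Review bot: The image name in this script, `smartmeio/smartmeio_test_iotronic_wstun`, does not match the `smartme/smartme_test_iotronic_wstun` tag produced by the new 4-iotronic-wstun/build file, and the container name `smartmeio_test_iotronic_wstun` breaks the `smartme_test_*` scheme used by the other stages, so one side should be aligned. The kept `ALLOW_PATH=.../felooca_test_iotronic_wagent_config/_data/allowlist` still points at the old volume name (5-wagent renames it in the next patch) and reaches into Docker's internal volume directory; mounting the named volume directly is more robust.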
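Review bot: `FROM node:dubnium-alpine` moves to Node 10, which reached end of life in April 2021 and no longer receives security fixes; an active LTS tag (the node 14 or 16 alpine images at the time of this commit) should be used instead. The two `ENV LANG` lines set the same variable twice; the second wins, so the first is dead.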
From: Arturo Rinaldi Date: Wed, 3 Nov 2021 17:31:03 +0100 Subject: [PATCH 12/66] adding 5-wagent stage with optimizations --- 5-wagent/5-wagent | 28 ++++---- 5-wagent/build/Dockerfile | 72 +++++++++++++------ 5-wagent/build/build | 4 +- 5-wagent/build/conf/iotronic.conf | 112 ++++++++++++++++++++++++++++++ 4 files changed, 180 insertions(+), 36 deletions(-) create mode 100644 5-wagent/build/conf/iotronic.conf diff --git a/5-wagent/5-wagent b/5-wagent/5-wagent index 6e22ea6..afc46b9 100755 --- a/5-wagent/5-wagent +++ b/5-wagent/5-wagent 
@@ -1,36 +1,36 @@ #! /bin/bash -VERSION="felooca-test" +VERSION="smartmeio-test" docker create \ - --name=felooca_test_iotronic_wagent \ + --name=smartmeio_test_iotronic_wagent \ --restart unless-stopped\ --network=host \ -p 80:80 \ -p 443:443 \ --hostname wagent1 \ - -v felooca_test_iotronic_wagent_config:/etc/iotronic/ \ - -v felooca_test_iotronic_wagent_nginx:/etc/nginx/ \ + -v smartmeio_test_iotronic_wagent_config:/etc/iotronic/ \ + -v smartmeio_test_iotronic_wagent_nginx:/etc/nginx/ \ -v /var/log/iotronic-wagent:/var/log/iotronic \ -smartme/felooca_test_iotronic_wagent:$VERSION +smartme/smartmeio_test_iotronic_wagent:$VERSION docker run --rm \ --network=host \ - -v felooca_test_iotronic_wagent_config:/etc/iotronic/ \ + -v smartmeio_test_iotronic_wagent_config:/etc/iotronic/ \ -v /var/log/iotronic-wagent:/var/log/iotronic \ -smartme/felooca_test_iotronic_wagent:$VERSION \ -/bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/" +smartme/smartmeio_test_iotronic_wagent:$VERSION \ +/bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/" docker run --rm \ --network=host \ --v felooca_test_iotronic_wagent_nginx:/etc/nginx/ \ -smartme/felooca_test_iotronic_wagent:$VERSION \ +-v smartmeio_test_iotronic_wagent_nginx:/etc/nginx/ \ +smartme/smartmeio_test_iotronic_wagent:$VERSION \ /bin/sh -c "echo 'stream { include conf.d/iotronic/mapping; }' >> /etc/nginx/nginx.conf && echo 'include conf.d/iotronic/servers/*;' >> /etc/nginx/sites-enabled/default" - -docker cp conf/iotronic.conf felooca_test_iotronic_wagent:/etc/iotronic/ -docker stop felooca_test_iotronic_wagent -docker start felooca_test_iotronic_wagent +docker cp conf/iotronic.conf smartmeio_test_iotronic_wagent:/etc/iotronic/ + +docker stop smartmeio_test_iotronic_wagent +docker start smartmeio_test_iotronic_wagent diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile index a170b90..b5c2dd4 100644 --- a/5-wagent/build/Dockerfile +++ b/5-wagent/build/Dockerfile 
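Review bot: `VERSION="smartmeio-test"` and `smartme/smartmeio_test_iotronic_wagent:$VERSION` do not match the image the build file in this patch produces, `smartme/smartme_test_iotronic_wagent:smartme-test`, so `docker create` references a tag that is never built; align the two (the other stages use `smartme_test_*`). The volume names `smartmeio_test_iotronic_wagent_config` and `smartmeio_test_iotronic_wagent_nginx` also diverge from the `smartme_test_*` naming the rest of the series adopts, and the wstun stage's allowlist path depends on that volume name.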
@@ -1,48 +1,78 @@ -FROM ubuntu:bionic +FROM ubuntu:focal #ENV VERSION=2.3.9 ENV DEBIAN_FRONTEND=noninteractive -ENV LC_CTYPE en_US.UTF-8 -ENV LANG en_US.UTF-8 +ENV LC_CTYPE C.UTF-8 +ENV LC_ALL C.UTF-8 +ENV LANGUAGE C.UTF-8 ENV LANG C.UTF-8 +ENV LANG C.UTF-8 + +ARG user=iotronic +ARG group=iotronic +ARG uid=1000 +ARG gid=1000 +ARG IOTRONIC_HOME=/var/lib/iotronic RUN apt-get update \ - && apt-get install nocache -y software-properties-common locales tzdata\ - && add-apt-repository -y cloud-archive:stein \ - && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim curl iputils-ping + && apt-get install nocache -y software-properties-common locales tzdata\ + && add-apt-repository -y cloud-archive:wallaby \ + && apt-get update && apt-get -y dist-upgrade \ + && apt-get install nocache -y build-essential python3-openstackclient \ + python3 python3-all python3-dev python3-all-dev python3-setuptools \ + vim curl iputils-ping wget git apache2 libapache2-mod-wsgi-py3 nginx \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ + && wget -qO- https://bootstrap.pypa.io/get-pip.py | python3 \ + && : RUN locale-gen en_US.UTF-8 ENV TZ 'Europe/Rome' RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata -RUN apt-get install nocache -y git apache2 python3-setuptools libapache2-mod-wsgi-py3 +# Iotronic is run with user `iotronic`, uid = 1000 +# If you bind mount a volume from the host or a data container, +# ensure you use the same uid +RUN mkdir -p $IOTRONIC_HOME \ + && chown ${uid}:${gid} $IOTRONIC_HOME \ + && groupadd -g ${gid} ${group} \ + && useradd -d "$IOTRONIC_HOME" -u ${uid} -g ${gid} -m -s /bin/bash ${user} \ + && echo iotronic:smartme | chpasswd \ + && echo root:smartme | chpasswd + +# getting iotronic sudoer permissions +RUN echo "iotronic ALL=(ALL) NOPASSWD: 
ALL" >> /etc/sudoers + #RUN git clone https://opendev.org/x/iotronic.git /opt/build/iotronic -#RUN git clone -b felooca_dev --depth 1 ssh://git@git.smartme.io:20022/smartme.io/stack4things/iotronic/iotronic.git /opt/build/iotronic -COPY ./iotronic /opt/build/iotronic +RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic WORKDIR /opt/build/iotronic -RUN pip3 install --upgrade pip -RUN pip3 install --ignore-installed PyYAML -RUN pip3 install -r requirements.txt +RUN pip3 install -v --upgrade pip +RUN pip3 install -v --ignore-installed PyYAML +RUN pip3 install -v -r requirements.txt RUN python3 setup.py install -RUN useradd -m -d /var/lib/iotronic iotronic + +# RUN useradd -m -d /var/lib/iotronic iotronic + RUN mkdir -p /var/log/iotronic \ -&& touch /var/log/iotronic/iotronic-wagent.log \ -&& chown -R iotronic:iotronic /var/log/iotronic/ + && touch /var/log/iotronic/iotronic-wagent.log \ + && chown -R iotronic:iotronic /var/log/iotronic/ -RUN pip3 uninstall -y SQLAlchemy -RUN pip3 install SQLAlchemy==1.3.20 +# RUN pip3 uninstall -y SQLAlchemy +# RUN pip3 install SQLAlchemy==1.3.20 +RUN pip3 install -v SQLAlchemy VOLUME ["/etc/iotronic"] VOLUME ["/var/log/iotronic"] RUN mkdir -p /etc/nginx/conf.d/iotronic \ -&& mkdir -p /etc/nginx/conf.d/iotronic/maps \ -&& mkdir -p /etc/nginx/conf.d/iotronic/servers \ -&& mkdir -p /etc/nginx/conf.d/iotronic/upstreams + && mkdir -p /etc/nginx/conf.d/iotronic/maps \ + && mkdir -p /etc/nginx/conf.d/iotronic/servers \ + && mkdir -p /etc/nginx/conf.d/iotronic/upstreams COPY confs/mapping /etc/nginx/conf.d/iotronic/mapping +COPY conf/iotronic.conf /etc/iotronic/ RUN echo "stream { include conf.d/iotronic/mapping; }" > /etc/nginx/nginx.conf RUN echo "include conf.d/iotronic/servers/*" > /etc/nginx/sites-enabled/default 
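Review bot: `echo iotronic:smartme | chpasswd && echo root:smartme | chpasswd` bakes a fixed root password into every image built from this Dockerfile, and `echo "iotronic ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers` gives the service account unrestricted passwordless root, so any code execution as `iotronic` inside the container is immediately root; neither is needed to run the agent and both lines should be removed (`sudo` does not even appear in the apt list). If an interactive login is required for debugging, set it at deploy time from a secret rather than in an image layer. The second `ENV LANG C.UTF-8` line is a duplicate and can be dropped.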
@@ -53,5 +83,7 @@ EXPOSE 80 COPY bin/startWagent /usr/local/bin/startWagent +RUN chmod +x /usr/local/bin/startWagent + CMD ["/usr/local/bin/startWagent"] #CMD ["/usr/local/bin/iotronic-wamp-agent"] \ No newline at end of file diff --git a/5-wagent/build/build b/5-wagent/build/build index e8d2ad4..cde5316 100755 --- a/5-wagent/build/build +++ b/5-wagent/build/build @@ -1,4 +1,4 @@ #! /bin/bash -VERSION="felooca-test" -docker build -t smartme/felooca_test_iotronic_wagent:$VERSION . \ No newline at end of file +VERSION="smartme-test" +docker build -t smartme/smartme_test_iotronic_wagent:$VERSION . \ No newline at end of file diff --git a/5-wagent/build/conf/iotronic.conf b/5-wagent/build/conf/iotronic.conf new file mode 100644 index 0000000..0645d8c --- /dev/null +++ b/5-wagent/build/conf/iotronic.conf 
@@ -0,0 +1,112 @@ +[DEFAULT] +transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/ + +debug=True +proxy=nginx +#log_file = /var/log/iotronic/iotronic-wagent.log + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[wamp] +wamp_transport_url = wss://felooca-test-wagent1.smartme.io:8181/ +wamp_realm = s4t +skip_cert_verify= True +register_agent = True +service_allow_list=True +service_allow_list_path="/etc/iotronic/allowlist" + +[nginx] +nginx_path=/etc/nginx/conf.d/iotronic +wstun_endpoint=localhost + +[database] +connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic + +[keystone_authtoken] +www_authenticate_uri = https://demo-test.smartme.io:5000 +auth_url = https://demo-test.smartme.io:5000 +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = smartme + + +[neutron] +auth_url = http://:35357 +url = http://:9696 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = +retries = 3 +project_domain_id= default + + +[designate] +#auth_url = http://:35357 +#url = http://:9001 +#auth_strategy = password +#project_domain_name = default +#user_domain_name = default +#region_name = RegionOne +#project_name = service +#username = designate +#password = +#retries = 3 +#project_domain_id= default + +auth_url = https://dev.felooca.eu:5000/ +url = https://dev.felooca.eu:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name 
= admin +username = admin +password = f3l00caSMDEV +retries = 3 +project_domain_id= default + + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user +# credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. +# Defaults to HTTP Simple Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer +# value) +#max_age = 3600 + +# Indicate which methods can be used during the actual +# request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the +# actual request. (list value) +#allow_headers = \ No newline at end of file From 0d65c385a82afdbc2ee004bf2ba92353f0f225b7 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 17:31:25 +0100 Subject: [PATCH 13/66] adding 6-ui stage with optimizations --- 6-ui/6-ui | 12 +- 6-ui/build/Dockerfile | 44 +- 6-ui/build/Dockerfile-py3.dockerfile | 54 ++ 6-ui/build/build | 2 +- 6-ui/build/build-py3 | 4 + 6-ui/build/conf/local_settings.py | 925 +++++++++++++++++++++++++++ 6-ui/conf/local_settings.py | 2 +- 7 files changed, 1019 insertions(+), 24 deletions(-) create mode 100644 6-ui/build/Dockerfile-py3.dockerfile create mode 100755 6-ui/build/build-py3 create mode 100644 6-ui/build/conf/local_settings.py diff --git a/6-ui/6-ui b/6-ui/6-ui index e3481ec..f395045 100755 --- a/6-ui/6-ui +++ b/6-ui/6-ui 
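Review bot: The new config commits live credentials in clear text — the RabbitMQ password inside `transport_url`, `password = smartme` under `[keystone_authtoken]` and a real-looking password under `[designate]` — and since the wagent Dockerfile COPYs this file into the image they end up in every image layer; they should be injected at container start and the committed values rotated. `skip_cert_verify= True` under `[wamp]` disables certificate checking for `wamp_transport_url = wss://felooca-test-wagent1.smartme.io:8181/`, leaving the agent link open to interception; keep it off outside local testing and trust the deployment CA instead. The file is also inconsistent with the rename the rest of this series performs: `connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic` still names the felooca_test host and keeps the `IOTRONIC_DBPASS` placeholder, while `transport_url` already points at `smartme_test_rabbitmq`, so the DB host presumably does not resolve on the new network. `[neutron]` ships `auth_url = http://:35357` and `url = http://:9696` with empty hosts and an empty `password`, and `debug=True` is on; if neutron is unused here, drop the section rather than leave it half filled.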
@@ -2,14 +2,14 @@ VERSION="latest" docker create \ - --name=felooca_test_iotronic_ui \ + --name=smartme_test_iotronic_ui \ --restart unless-stopped\ - --network=felooca_test_network \ + --network=smartme_test_network \ -p 8585:80 \ - -v felooca_test_iotronic_ui_config:/etc/openstack-dashboard/ \ + -v smartme_test_iotronic_ui_config:/etc/openstack-dashboard/ \ -v /var/log/iotronic-ui:/var/log/apache2/ \ -smartme/felooca_test_iotronic_ui:$VERSION +smartme/smartme_test_iotronic_ui:$VERSION -docker cp conf/local_settings.py felooca_test_iotronic_ui:/etc/openstack-dashboard +docker cp conf/local_settings.py smartme_test_iotronic_ui:/etc/openstack-dashboard -docker start felooca_test_iotronic_ui \ No newline at end of file +docker start smartme_test_iotronic_ui \ No newline at end of file diff --git a/6-ui/build/Dockerfile b/6-ui/build/Dockerfile index ca1052b..bf3b39f 100644 --- a/6-ui/build/Dockerfile +++ b/6-ui/build/Dockerfile 
@@ -1,41 +1,53 @@ FROM ubuntu:bionic - -RUN apt-get update \ - && apt-get install nocache -y software-properties-common \ - #&& add-apt-repository -y cloud-archive:stein \ - #&& add-apt-repository -y cloud-archive:queens \ - && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y python-openstackclient nano - -RUN apt-get install nocache memcached python-memcache openstack-dashboard git python-pip -y +ENV DEBIAN_FRONTEND=noninteractive + +ENV LC_CTYPE en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANG C.UTF-8 + +RUN : \ + && apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ + software-properties-common python python-all apt-utils \ + python-dev python-all-dev python-openstackclient nano apache2 \ + memcached python-memcache openstack-dashboard git dialog \ + && apt-get update && apt-get -y dist-upgrade \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ + && wget -qO- https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2 \ + && : #RUN pip install setuptools RUN git clone https://opendev.org/x/python-iotronicclient.git /opt/build/python-iotronicclient WORKDIR /opt/build/python-iotronicclient -RUN pip install -r requirements.txt -RUN python setup.py install +RUN pip2 install -r requirements.txt +RUN python2 setup.py install -#RUN git clone https://opendev.org/x/iotronic-ui.git /opt/build/iotronic-ui -COPY iotronic-ui/ /opt/build/iotronic-ui/ +RUN git clone https://github.com/smartmeio/stack4things-openstack-iotronic-ui.git -b dev /opt/build/iotronic-ui +# COPY iotronic-ui/ /opt/build/iotronic-ui/ WORKDIR /opt/build/iotronic-ui -RUN pip install -r requirements.txt +RUN pip install -r requirements.txt RUN python setup.py install RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dashboard/api/ \ -# && cp iotronic_ui/enabled/_60* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ +# && cp iotronic_ui/enabled/_60* 
/usr/share/openstack-dashboard/openstack_dashboard/enabled/ && cp iotronic_ui/enabled/_6000_iot.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ && cp iotronic_ui/enabled/_61* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ && cp iotronic_ui/enabled/_62* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ && cp iotronic_ui/enabled/_63* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ - && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ - + && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ + #RUN apt-get remove --auto-remove openstack-dashboard-ubuntu-theme +COPY conf/local_settings.py /etc/openstack-dashboard/ COPY bin/startUI /usr/local/bin/startUI +RUN chmod +x /usr/local/bin/startUI + VOLUME ["/etc/openstack-dashboard/"] EXPOSE 80 diff --git a/6-ui/build/Dockerfile-py3.dockerfile b/6-ui/build/Dockerfile-py3.dockerfile new file mode 100644 index 0000000..43e9118 --- /dev/null +++ b/6-ui/build/Dockerfile-py3.dockerfile 
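Review bot: The rewritten `RUN : \ && apt-get update ...` step ends with `&& wget -qO- https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2`, but `wget` is not in the package list installed earlier in that same RUN and the ubuntu base images generally do not ship it (5-wagent/build/Dockerfile adds `wget curl` explicitly), so the step presumably fails unless one of the listed packages pulls it in — add `wget` to the list and prefer a pinned get-pip release over the bootstrap URL, which also removes the unpinned download-into-interpreter. `git clone https://github.com/smartmeio/stack4things-openstack-iotronic-ui.git -b dev` tracks a moving branch, so two builds of the same Dockerfile can differ; pin a tag or commit and check it out after the clone. The client is now installed with `pip2`/`python2` while the iotronic-ui section keeps `pip`/`python`; make the two agree (`RUN pip2 install -r requirements.txt`, `RUN python2 setup.py install`). `ENV LANG en_US.UTF-8` is immediately overridden by `ENV LANG C.UTF-8`, and `LC_CTYPE en_US.UTF-8` is set without `locales`/`locale-gen` in the package list, so that locale is presumably never generated — keep a single `C.UTF-8` value. The wget, unpinned `dev` branch and duplicated LANG points apply equally to 6-ui/build/Dockerfile-py3.dockerfile in the next hunk.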
@@ -0,0 +1,54 @@ +FROM ubuntu:focal + +ENV DEBIAN_FRONTEND=noninteractive + +ENV LC_CTYPE en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANG C.UTF-8 + +RUN : \ + && apt-get update \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ + software-properties-common python3 python3-all apt-utils \ + python3-dev python3-all-dev python3-openstackclient nano apache2 \ + memcached python3-memcache openstack-dashboard git dialog \ + && apt-get update && apt-get -y dist-upgrade \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ + && wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3 \ + && : + +#RUN pip install setuptools + +RUN git clone https://opendev.org/x/python-iotronicclient.git /opt/build/python-iotronicclient +WORKDIR /opt/build/python-iotronicclient + +RUN pip3 install -r requirements.txt +RUN python3 setup.py install + +RUN git clone https://github.com/smartmeio/stack4things-openstack-iotronic-ui.git -b dev /opt/build/iotronic-ui +# COPY iotronic-ui/ /opt/build/iotronic-ui/ + +WORKDIR /opt/build/iotronic-ui + +RUN pip3 install -r requirements.txt +RUN python3 setup.py install +RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dashboard/api/ \ +# && cp iotronic_ui/enabled/_60* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ + && cp iotronic_ui/enabled/_6000_iot.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_61* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_62* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_63* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ + && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ + +#RUN apt-get remove --auto-remove openstack-dashboard-ubuntu-theme +COPY conf/local_settings.py /etc/openstack-dashboard/ + +COPY bin/startUI /usr/local/bin/startUI + +RUN chmod +x 
/usr/local/bin/startUI + +VOLUME ["/etc/openstack-dashboard/"] + +EXPOSE 80 +CMD ["/usr/local/bin/startUI"] diff --git a/6-ui/build/build b/6-ui/build/build index d05aab6..6c72870 100755 --- a/6-ui/build/build +++ b/6-ui/build/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartme/"felooca_test_iotronic_ui":$VERSION . +docker build -t smartme/smartme_test_iotronic_ui:$VERSION . diff --git a/6-ui/build/build-py3 b/6-ui/build/build-py3 new file mode 100755 index 0000000..802135b --- /dev/null +++ b/6-ui/build/build-py3 @@ -0,0 +1,4 @@ +#! /bin/bash + +VERSION="latest" +docker build -t smartme/smartme_test_iotronic_ui_py3:$VERSION -f Dockerfile-py3.dockerfile . diff --git a/6-ui/build/conf/local_settings.py b/6-ui/build/conf/local_settings.py new file mode 100644 index 0000000..d5b5ba3 --- /dev/null +++ b/6-ui/build/conf/local_settings.py 
@@ -0,0 +1,925 @@ +# -*- coding: utf-8 -*- + +import os + +from django.utils.translation import ugettext_lazy as _ + +from horizon.utils import secret_key + +from openstack_dashboard.settings import HORIZON_CONFIG + +DEBUG = False + +# This setting controls whether or not compression is enabled. Disabling +# compression makes Horizon considerably slower, but makes it much easier +# to debug JS and CSS changes +#COMPRESS_ENABLED = not DEBUG + +# This setting controls whether compression happens on the fly, or offline +# with `python manage.py compress` +# See https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression +# for more information +#COMPRESS_OFFLINE = not DEBUG + +# WEBROOT is the location relative to Webserver root +# should end with a slash. +WEBROOT = '/' +#LOGIN_URL = WEBROOT + 'auth/login/' +#LOGOUT_URL = WEBROOT + 'auth/logout/' +# +# LOGIN_REDIRECT_URL can be used as an alternative for +# HORIZON_CONFIG.user_home, if user_home is not set. +# Do not set it to '/home/', as this will cause circular redirect loop +#LOGIN_REDIRECT_URL = WEBROOT + +# If horizon is running in production (DEBUG is False), set this +# with the list of host/domain names that the application can serve. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts +#ALLOWED_HOSTS = ['horizon.example.com', ] + +# Set SSL proxy settings: +# Pass this header from the proxy after terminating the SSL, +# and don't forget to strip it from the client's request. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header +#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') + +# If Horizon is being served through SSL, then uncomment the following two +# settings to better secure the cookies from security exploits +#CSRF_COOKIE_SECURE = True +#SESSION_COOKIE_SECURE = True + +# The absolute path to the directory where message files are collected. 
+# The message file must have a .json file extension. When the user logins to +# horizon, the message files collected are processed and displayed to the user. +#MESSAGES_PATH=None + +# Overrides for OpenStack API versions. Use this setting to force the +# OpenStack dashboard to use a specific API version for a given service API. +# Versions specified here should be integers or floats, not strings. +# NOTE: The version should be formatted as it appears in the URL for the +# service API. For example, The identity service APIs have inconsistent +# use of the decimal point, so valid options would be 2.0 or 3. +# Minimum compute version to get the instance locked status is 2.9. +#OPENSTACK_API_VERSIONS = { +# "data-processing": 1.1, +# "identity": 3, +# "image": 2, +# "volume": 2, +# "compute": 2, +#} + +# Set this to True if running on a multi-domain model. When this is enabled, it +# will require the user to enter the Domain name in addition to the username +# for login. +#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False + +# Set this to True if you want available domains displayed as a dropdown menu +# on the login screen. It is strongly advised NOT to enable this for public +# clouds, as advertising enabled domains to unauthenticated customers +# irresponsibly exposes private information. This should only be used for +# private clouds where the dashboard sits behind a corporate firewall. +#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False + +# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +# set the available domains to choose from. This is a list of pairs whose first +# value is the domain name and the second is the display name. +#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( +# ('Default', 'Default'), +#) + +# Overrides the default domain used when running on single-domain model +# with Keystone V3. All entities will be created in the default domain. +# NOTE: This value must be the name of the default domain, NOT the ID. 
+# Also, you will most likely have a value in the keystone policy file like this +# "cloud_admin": "rule:admin_required and domain_id:" +# This value must be the name of the domain whose ID is specified there. +#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' + +# Set this to True to enable panels that provide the ability for users to +# manage Identity Providers (IdPs) and establish a set of rules to map +# federation protocol attributes to Identity API attributes. +# This extension requires v3.0+ of the Identity API. +#OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False + +# Set Console type: +# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS" +# or None. Set to None explicitly if you want to deactivate the console. +#CONSOLE_TYPE = "AUTO" + +# Toggle showing the openrc file for Keystone V2. +# If set to false the link will be removed from the user dropdown menu +# and the API Access page +#SHOW_KEYSTONE_V2_RC = True + +# If provided, a "Report Bug" link will be displayed in the site header +# which links to the value of this setting (ideally a URL containing +# information on how to report issues). +#HORIZON_CONFIG["bug_url"] = "http://bug-report.example.com" + +# Show backdrop element outside the modal, do not close the modal +# after clicking on backdrop. +#HORIZON_CONFIG["modal_backdrop"] = "static" + +# Specify a regular expression to validate user passwords. +#HORIZON_CONFIG["password_validator"] = { +# "regex": '.*', +# "help_text": _("Your password does not meet the requirements."), +#} + +# Turn off browser autocompletion for forms including the login form and +# the database creation workflow if so desired. +#HORIZON_CONFIG["password_autocomplete"] = "off" + +# Setting this to True will disable the reveal button for password fields, +# including on the login form. 
+#HORIZON_CONFIG["disable_password_reveal"] = False + +LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) + +# Set custom secret key: +# You can either set it to a specific value or you can let horizon generate a +# default secret key that is unique on this machine, e.i. regardless of the +# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, +# there may be situations where you would want to set this explicitly, e.g. +# when multiple dashboard instances are distributed on different machines +# (usually behind a load-balancer). Either you have to make sure that a session +# gets all requests routed to the same dashboard instance or you set the same +# SECRET_KEY for all of them. +SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key') + +# We recommend you use memcached for development; otherwise after every reload +# of the django development server, you will have to login again. To use +# memcached set CACHES to something like + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '127.0.0.1:11211', + }, +} + +#CACHES = { +# 'default': { +# 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', +# } +#} + +# Send email to the console by default +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' +# Or send them to /dev/null +#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' + +# Configure these for your outgoing email host +#EMAIL_HOST = 'smtp.my-company.com' +#EMAIL_PORT = 25 +#EMAIL_HOST_USER = 'djangomail' +#EMAIL_HOST_PASSWORD = 'top-secret!' + +# For multiple regions uncomment this configuration, and add (endpoint, title). 
+#AVAILABLE_REGIONS = [ +# ('http://cluster1.example.com:5000/v3', 'cluster1'), +# ('http://cluster2.example.com:5000/v3', 'cluster2'), +#] + +OPENSTACK_HOST = "demo-test.smartme.io" +OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" + +# For setting the default service region on a per-endpoint basis. Note that the +# default value for this setting is {}, and below is just an example of how it +# should be specified. +# A key of '*' is an optional global default if no other key matches. +#DEFAULT_SERVICE_REGIONS = { +# '*': 'RegionOne' +# OPENSTACK_KEYSTONE_URL: 'RegionTwo' +#} + +# Enables keystone web single-sign-on if set to True. +#WEBSSO_ENABLED = False + +# Authentication mechanism to be selected as default. +# The value must be a key from WEBSSO_CHOICES. +#WEBSSO_INITIAL_CHOICE = "credentials" + +# The list of authentication mechanisms which include keystone +# federation protocols and identity provider/federation protocol +# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol +# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID +# Connect respectively. +# Do not remove the mandatory credentials mechanism. +# Note: The last two tuples are sample mapping keys to a identity provider +# and federation protocol combination (WEBSSO_IDP_MAPPING). +#WEBSSO_CHOICES = ( +# ("credentials", _("Keystone Credentials")), +# ("oidc", _("OpenID Connect")), +# ("saml2", _("Security Assertion Markup Language")), +# ("acme_oidc", "ACME - OpenID Connect"), +# ("acme_saml2", "ACME - SAML2"), +#) + +# A dictionary of specific identity provider and federation protocol +# combinations. From the selected authentication mechanism, the value +# will be looked up as keys in the dictionary. 
If a match is found, +# it will redirect the user to a identity provider and federation protocol +# specific WebSSO endpoint in keystone, otherwise it will use the value +# as the protocol_id when redirecting to the WebSSO by protocol endpoint. +# NOTE: The value is expected to be a tuple formatted as: (, ). +#WEBSSO_IDP_MAPPING = { +# "acme_oidc": ("acme", "oidc"), +# "acme_saml2": ("acme", "saml2"), +#} + +# If set this URL will be used for web single-sign-on authentication +# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment +# scenarios where network segmentation is used per security requirement. +# In this case, the controllers are not reachable from public network. +# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL +# if it is set to the internal endpoint. +#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" + +# The Keystone Provider drop down uses Keystone to Keystone federation +# to switch between Keystone service providers. +# Set display name for Identity Provider (dropdown display name) +#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" +# This id is used for only for comparison with the service provider IDs. This ID +# should not match any service provider IDs. +#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" + +# Disable SSL certificate checks (useful for self-signed certificates): +#OPENSTACK_SSL_NO_VERIFY = True + +# The CA certificate to use to verify SSL connections +#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + +# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the +# capabilities of the auth backend for Keystone. +# If Keystone has been configured to use LDAP as the auth backend then set +# can_edit_user to False and name to 'ldap'. +# +# TODO(tres): Remove these once Keystone has an API to identify auth backend. 
+OPENSTACK_KEYSTONE_BACKEND = { + 'name': 'native', + 'can_edit_user': True, + 'can_edit_group': True, + 'can_edit_project': True, + 'can_edit_domain': True, + 'can_edit_role': True, +} + +# Setting this to True, will add a new "Retrieve Password" action on instance, +# allowing Admin session password retrieval/decryption. +#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False + +# The Launch Instance user experience has been significantly enhanced. +# You can choose whether to enable the new launch instance experience, +# the legacy experience, or both. The legacy experience will be removed +# in a future release, but is available as a temporary backup setting to ensure +# compatibility with existing deployments. Further development will not be +# done on the legacy experience. Please report any problems with the new +# experience via the Launchpad tracking system. +# +# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to +# determine the experience to enable. Set them both to true to enable +# both. +#LAUNCH_INSTANCE_LEGACY_ENABLED = True +#LAUNCH_INSTANCE_NG_ENABLED = False + +# A dictionary of settings which can be used to provide the default values for +# properties found in the Launch Instance modal. +#LAUNCH_INSTANCE_DEFAULTS = { +# 'config_drive': False, +# 'enable_scheduler_hints': True, +# 'disable_image': False, +# 'disable_instance_snapshot': False, +# 'disable_volume': False, +# 'disable_volume_snapshot': False, +# 'create_volume': True, +#} + +# The Xen Hypervisor has the ability to set the mount point for volumes +# attached to instances (other Hypervisors currently do not). Setting +# can_set_mount_point to True will add the option to set the mount point +# from the UI. +OPENSTACK_HYPERVISOR_FEATURES = { + 'can_set_mount_point': False, + 'can_set_password': False, + 'requires_keypair': False, + 'enable_quotas': True +} + +# This settings controls whether IP addresses of servers are retrieved from +# neutron in the project instance table. 
Setting this to ``False`` may mitigate +# a performance issue in the project instance table in large deployments. +#OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True + +# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional +# services provided by cinder that is not exposed by its extension API. +OPENSTACK_CINDER_FEATURES = { + 'enable_backup': False, +} + +# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional +# services provided by neutron. Options currently available are load +# balancer service, security groups, quotas, VPN service. +OPENSTACK_NEUTRON_NETWORK = { + 'enable_router': True, + 'enable_quotas': True, + 'enable_ipv6': True, + 'enable_distributed_router': False, + 'enable_ha_router': False, + 'enable_fip_topology_check': True, + + # Default dns servers you would like to use when a subnet is + # created. This is only a default, users can still choose a different + # list of dns servers when creating a new subnet. + # The entries below are examples only, and are not appropriate for + # real deployments + # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"], + + # Set which provider network types are supported. Only the network types + # in this list will be available to choose from when creating a network. + # Network types include local, flat, vlan, gre, vxlan and geneve. + # 'supported_provider_types': ['*'], + + # You can configure available segmentation ID range per network type + # in your deployment. + # 'segmentation_id_range': { + # 'vlan': [1024, 2048], + # 'vxlan': [4094, 65536], + # }, + + # You can define additional provider network types here. + # 'extra_provider_types': { + # 'awesome_type': { + # 'display_name': 'Awesome New Type', + # 'require_physical_network': False, + # 'require_segmentation_id': True, + # } + # }, + + # Set which VNIC types are supported for port binding. Only the VNIC + # types in this list will be available to choose from when creating a + # port. 
+ # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap', + # 'baremetal' and 'virtio-forwarder' + # Set to empty list or None to disable VNIC type selection. + 'supported_vnic_types': ['*'], + + # Set list of available physical networks to be selected in the physical + # network field on the admin create network modal. If it's set to an empty + # list, the field will be a regular input field. + # e.g. ['default', 'test'] + 'physical_networks': [], + +} + +# The OPENSTACK_HEAT_STACK settings can be used to disable password +# field required while launching the stack. +OPENSTACK_HEAT_STACK = { + 'enable_user_pass': True, +} + +# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features +# in the OpenStack Dashboard related to the Image service, such as the list +# of supported image formats. +#OPENSTACK_IMAGE_BACKEND = { +# 'image_formats': [ +# ('', _('Select format')), +# ('aki', _('AKI - Amazon Kernel Image')), +# ('ami', _('AMI - Amazon Machine Image')), +# ('ari', _('ARI - Amazon Ramdisk Image')), +# ('docker', _('Docker')), +# ('iso', _('ISO - Optical Disk Image')), +# ('ova', _('OVA - Open Virtual Appliance')), +# ('qcow2', _('QCOW2 - QEMU Emulator')), +# ('raw', _('Raw')), +# ('vdi', _('VDI - Virtual Disk Image')), +# ('vhd', _('VHD - Virtual Hard Disk')), +# ('vhdx', _('VHDX - Large Virtual Hard Disk')), +# ('vmdk', _('VMDK - Virtual Machine Disk')), +# ], +#} + +# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for +# image custom property attributes that appear on image detail pages. +IMAGE_CUSTOM_PROPERTY_TITLES = { + "architecture": _("Architecture"), + "kernel_id": _("Kernel ID"), + "ramdisk_id": _("Ramdisk ID"), + "image_state": _("Euca2ools state"), + "project_id": _("Project ID"), + "image_type": _("Image Type"), +} + +# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image +# custom properties should not be displayed in the Image Custom Properties +# table. 
+IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + +# Set to 'legacy' or 'direct' to allow users to upload images to glance via +# Horizon server. When enabled, a file form field will appear on the create +# image form. If set to 'off', there will be no file form field on the create +# image form. See documentation for deployment considerations. +#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' + +# Allow a location to be set when creating or updating Glance images. +# If using Glance V2, this value should be False unless the Glance +# configuration and policies allow setting locations. +#IMAGES_ALLOW_LOCATION = False + +# A dictionary of default settings for create image modal. +#CREATE_IMAGE_DEFAULTS = { +# 'image_visibility': "public", +#} + +# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is 'publicURL'. +#OPENSTACK_ENDPOINT_TYPE = "publicURL" + +# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the +# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is None. This +# value should differ from OPENSTACK_ENDPOINT_TYPE if used. +#SECONDARY_ENDPOINT_TYPE = None + +# The number of objects (Swift containers/objects or images) to display +# on a single page before providing a paging element (a "more" link) +# to paginate results. +API_RESULT_LIMIT = 1000 +API_RESULT_PAGE_SIZE = 20 + +# The size of chunk in bytes for downloading objects from Swift +SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 + +# The default number of lines displayed for instance console log. +INSTANCE_LOG_LENGTH = 35 + +# Specify a maximum number of items to display in a dropdown. +DROPDOWN_MAX_ITEMS = 30 + +# The timezone of the server. 
This should correspond with the timezone +# of your entire OpenStack installation, and hopefully be in UTC. +TIME_ZONE = "UTC" + +# When launching an instance, the menu of available flavors is +# sorted by RAM usage, ascending. If you would like a different sort order, +# you can provide another flavor attribute as sorting key. Alternatively, you +# can provide a custom callback method to use for sorting. You can also provide +# a flag for reverse sort. For more info, see +# http://docs.python.org/2/library/functions.html#sorted +#CREATE_INSTANCE_FLAVOR_SORT = { +# 'key': 'name', +# # or +# 'key': my_awesome_callback_method, +# 'reverse': False, +#} + +# Set this to True to display an 'Admin Password' field on the Change Password +# form to verify that it is indeed the admin logged-in who wants to change +# the password. +#ENFORCE_PASSWORD_CHECK = False + +# Modules that provide /auth routes that can be used to handle different types +# of user authentication. Add auth plugins that require extra route handling to +# this list. +#AUTHENTICATION_URLS = [ +# 'openstack_auth.urls', +#] + +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. + +# Path to directory containing policy.json files +#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") + +# Map of local copy of service policy files. +# Please insure that your identity policy file matches the one being used on +# your keystone servers. There is an alternate policy file that may be used +# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. 
+# This file is not included in the Horizon repository by default but can be +# found at +# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ +# policy.v3cloudsample.json +# Having matching policy files on the Horizon and Keystone servers is essential +# for normal operation. This holds true for all services and their policy files. +#POLICY_FILES = { +# 'identity': 'keystone_policy.json', +# 'compute': 'nova_policy.json', +# 'volume': 'cinder_policy.json', +# 'image': 'glance_policy.json', +# 'network': 'neutron_policy.json', +#} + +# Change this patch to the appropriate list of tuples containing +# a key, label and static directory containing two files: +# _variables.scss and _styles.scss +AVAILABLE_THEMES = [ + ('default', 'Default', 'themes/default'), +# ('material', 'Material', 'themes/material'), +] + +LOGGING = { + 'version': 1, + # When set to True this will disable all logging except + # for loggers specified in this configuration dictionary. Note that + # if nothing is specified here and disable_existing_loggers is True, + # django.db.backends will still log unless it is disabled explicitly. + 'disable_existing_loggers': False, + # If apache2 mod_wsgi is used to deploy OpenStack dashboard + # timestamp is output by mod_wsgi. If WSGI framework you use does not + # output timestamp for logging, add %(asctime)s in the following + # format definitions. + 'formatters': { + 'console': { + 'format': '%(levelname)s %(name)s %(message)s' + }, + 'operation': { + # The format of "%(message)s" is defined by + # OPERATION_LOG_OPTIONS['format'] + 'format': '%(message)s' + }, + }, + 'handlers': { + 'null': { + 'level': 'DEBUG', + 'class': 'logging.NullHandler', + }, + 'console': { + # Set the level to "DEBUG" for verbose output logging. 
+ 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'console', + }, + 'operation': { + 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'operation', + }, + }, + 'loggers': { + 'horizon': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'horizon.operation_log': { + 'handlers': ['operation'], + 'level': 'INFO', + 'propagate': False, + }, + 'openstack_dashboard': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'novaclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'cinderclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneauth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'glanceclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'neutronclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'swiftclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'oslo_policy': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_auth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'django': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + # Logging from django.db.backends is VERY verbose, send to null + # by default. 
+ 'django.db.backends': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests': { + 'handlers': ['null'], + 'propagate': False, + }, + 'urllib3': { + 'handlers': ['null'], + 'propagate': False, + }, + 'chardet.charsetprober': { + 'handlers': ['null'], + 'propagate': False, + }, + 'iso8601': { + 'handlers': ['null'], + 'propagate': False, + }, + 'scss': { + 'handlers': ['null'], + 'propagate': False, + }, + }, +} + +# 'direction' should not be specified for all_tcp/udp/icmp. +# It is specified in the form. +SECURITY_GROUP_RULES = { + 'all_tcp': { + 'name': _('All TCP'), + 'ip_protocol': 'tcp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_udp': { + 'name': _('All UDP'), + 'ip_protocol': 'udp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_icmp': { + 'name': _('All ICMP'), + 'ip_protocol': 'icmp', + 'from_port': '-1', + 'to_port': '-1', + }, + 'ssh': { + 'name': 'SSH', + 'ip_protocol': 'tcp', + 'from_port': '22', + 'to_port': '22', + }, + 'smtp': { + 'name': 'SMTP', + 'ip_protocol': 'tcp', + 'from_port': '25', + 'to_port': '25', + }, + 'dns': { + 'name': 'DNS', + 'ip_protocol': 'tcp', + 'from_port': '53', + 'to_port': '53', + }, + 'http': { + 'name': 'HTTP', + 'ip_protocol': 'tcp', + 'from_port': '80', + 'to_port': '80', + }, + 'pop3': { + 'name': 'POP3', + 'ip_protocol': 'tcp', + 'from_port': '110', + 'to_port': '110', + }, + 'imap': { + 'name': 'IMAP', + 'ip_protocol': 'tcp', + 'from_port': '143', + 'to_port': '143', + }, + 'ldap': { + 'name': 'LDAP', + 'ip_protocol': 'tcp', + 'from_port': '389', + 'to_port': '389', + }, + 'https': { + 'name': 'HTTPS', + 'ip_protocol': 'tcp', + 'from_port': '443', + 'to_port': '443', + }, + 'smtps': { + 'name': 'SMTPS', + 'ip_protocol': 'tcp', + 'from_port': '465', + 'to_port': '465', + }, + 'imaps': { + 'name': 'IMAPS', + 'ip_protocol': 'tcp', + 'from_port': '993', + 'to_port': '993', + }, + 'pop3s': { + 'name': 'POP3S', + 'ip_protocol': 'tcp', + 'from_port': '995', + 'to_port': '995', + }, + 'ms_sql': { 
+ 'name': 'MS SQL', + 'ip_protocol': 'tcp', + 'from_port': '1433', + 'to_port': '1433', + }, + 'mysql': { + 'name': 'MYSQL', + 'ip_protocol': 'tcp', + 'from_port': '3306', + 'to_port': '3306', + }, + 'rdp': { + 'name': 'RDP', + 'ip_protocol': 'tcp', + 'from_port': '3389', + 'to_port': '3389', + }, +} + +# Deprecation Notice: +# +# The setting FLAVOR_EXTRA_KEYS has been deprecated. +# Please load extra spec metadata into the Glance Metadata Definition Catalog. +# +# The sample quota definitions can be found in: +# /etc/metadefs/compute-quota.json +# +# The metadata definition catalog supports CLI and API: +# $glance --os-image-api-version 2 help md-namespace-import +# $glance-manage db_load_metadefs +# +# See Metadata Definitions on: +# https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html + +# The hash algorithm to use for authentication tokens. This must +# match the hash algorithm that the identity server and the +# auth_token middleware are using. Allowed values are the +# algorithms supported by Python's hashlib library. +#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' + +# AngularJS requires some settings to be made available to +# the client side. Some settings are required by in-tree / built-in horizon +# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the +# form of ['SETTING_1','SETTING_2'], etc. +# +# You may remove settings from this list for security purposes, but do so at +# the risk of breaking a built-in horizon feature. These settings are required +# for horizon to function properly. Only remove them if you know what you +# are doing. These settings may in the future be moved to be defined within +# the enabled panel configuration. +# You should not add settings to this list for out of tree extensions. 
+# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI +REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', + 'LAUNCH_INSTANCE_DEFAULTS', + 'OPENSTACK_IMAGE_FORMATS', + 'OPENSTACK_KEYSTONE_BACKEND', + 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', + 'CREATE_IMAGE_DEFAULTS', + 'ENFORCE_PASSWORD_CHECK'] + +# Additional settings can be made available to the client side for +# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS +# !! Please use extreme caution as the settings are transferred via HTTP/S +# and are not encrypted on the browser. This is an experimental API and +# may be deprecated in the future without notice. +#REST_API_ADDITIONAL_SETTINGS = [] + +############################################################################### +# Ubuntu Settings +############################################################################### + + # The default theme if no cookie is present +DEFAULT_THEME = 'default' + +# Default Ubuntu apache configuration uses /horizon as the application root. +WEBROOT='/horizon/' + +# By default, validation of the HTTP Host header is disabled. Production +# installations should have this set accordingly. For more information +# see https://docs.djangoproject.com/en/dev/ref/settings/. +ALLOWED_HOSTS = '*' + +# Compress all assets offline as part of packaging installation +COMPRESS_OFFLINE = True + +# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded +# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame +# Scripting (XFS) vulnerability, so this option allows extra security hardening +# where iframes are not used in deployment. Default setting is True. +# For more information see: +# http://tinyurl.com/anticlickjack +#DISALLOW_IFRAME_EMBED = True + +# Help URL can be made available for the client. To provide a help URL, edit the +# following attribute to the URL of your choice. 
+#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" + +# Settings for OperationLogMiddleware +# OPERATION_LOG_ENABLED is flag to use the function to log an operation on +# Horizon. +# mask_targets is arrangement for appointing a target to mask. +# method_targets is arrangement of HTTP method to output log. +# format is the log contents. +#OPERATION_LOG_ENABLED = False +#OPERATION_LOG_OPTIONS = { +# 'mask_fields': ['password'], +# 'target_methods': ['POST'], +# 'ignored_urls': ['/js/', '/static/', '^/api/'], +# 'format': ("[%(client_ip)s] [%(domain_name)s]" +# " [%(domain_id)s] [%(project_name)s]" +# " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]" +# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" +# " [%(http_status)s] [%(param)s]"), +#} + +# The default date range in the Overview panel meters - either minus N +# days (if the value is integer N), or from the beginning of the current month +# until today (if set to None). This setting should be used to limit the amount +# of data fetched by default when rendering the Overview panel. +#OVERVIEW_DAYS_RANGE = 1 + +# To allow operators to require users provide a search criteria first +# before loading any data into the views, set the following dict +# attributes to True in each one of the panels you want to enable this feature. +# Follow the convention . +#FILTER_DATA_FIRST = { +# 'admin.instances': False, +# 'admin.images': False, +# 'admin.networks': False, +# 'admin.routers': False, +# 'admin.volumes': False, +# 'identity.users': False, +# 'identity.projects': False, +# 'identity.groups': False, +# 'identity.roles': False +#} + +# Dict used to restrict user private subnet cidr range. +# An empty list means that user input will not be restricted +# for a corresponding IP version. By default, there is +# no restriction for IPv4 or IPv6. 
To restrict +# user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR +# to something like +#ALLOWED_PRIVATE_SUBNET_CIDR = { +# 'ipv4': ['10.0.0.0/8', '192.168.0.0/16'], +# 'ipv6': ['fc00::/7'] +#} +ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} + +# Projects and users can have extra attributes as defined by keystone v3. +# Horizon has the ability to display these extra attributes via this setting. +# If you'd like to display extra data in the project or user tables, set the +# corresponding dict key to the attribute name, followed by the display name. +# For more information, see horizon's customization +# (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides) +#PROJECT_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} +#USER_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} + +# Password will have an expiration date when using keystone v3 and enabling the +# feature. +# This setting allows you to set the number of days that the user will be alerted +# prior to the password expiration. +# Once the password expires keystone will deny the access and users must +# contact an admin to change their password. +#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 + +IOTRONIC_ZONES={'iot.felooca.io', + 'iot.felooca.it', + # 'iot.felooca.com', + 'iot.felooca.net', + 'iot.felooca.org', + 'iot.felooca.eu', + 'iot.felooca.info' +} diff --git a/6-ui/conf/local_settings.py b/6-ui/conf/local_settings.py index bb9222e..d5b5ba3 100644 --- a/6-ui/conf/local_settings.py +++ b/6-ui/conf/local_settings.py @@ -183,7 +183,7 @@ # ('http://cluster2.example.com:5000/v3', 'cluster2'), #] -OPENSTACK_HOST = "felooca-test-ctrl.smartme.io" +OPENSTACK_HOST = "demo-test.smartme.io" OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" From a645e2e0fb4d5bda6d62abce71e9bc7fd555b539 Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Wed, 3 Nov 2021 17:32:47 +0100 Subject: [PATCH 14/66] updating image name for conductor container --- docker-compose-controller.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 8ffcd71..22937d5 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -13,7 +13,7 @@ services: - '53306:3306' networks: - 'default' - + rabbitmq: container_name: smartme_test_rabbitmq restart: unless-stopped @@ -29,7 +29,7 @@ services: - '5672:5672' networks: - 'default' - + keystone: container_name: smartme_test_keystone restart: unless-stopped @@ -66,11 +66,11 @@ services: - '5001:5001' networks: - 'default' - + conductor: container_name: smartme_test_iotronic_conductor restart: unless-stopped - image: smartmeio/conductor + image: smartmeio/conductor:latest environment: - URL="demo-test.smartme.io" - IOTRONIC_PASS="smartme" From 22c4df8556bc369be43f0a56eb10028293d843ea Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 17:33:29 +0100 Subject: [PATCH 15/66] add complete draft of wagent compose file --- docker-compose-wagent.yml | 59 ++++++++++++++++++++++++++++++++++----- 1 file changed, 52 insertions(+), 7 deletions(-) diff --git a/docker-compose-wagent.yml b/docker-compose-wagent.yml index dab8503..62a25f3 100644 --- a/docker-compose-wagent.yml +++ b/docker-compose-wagent.yml 
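Review bot: The conductor service now references the mutable tag `smartmeio/conductor:latest`, so each pull can silently change what runs, and nothing in this series builds an image under that name — 3-conductor/build/build (PATCH 16) tags its output `smartmeio/felooca_test_iotronic_conductor:$VERSION`. One of the two names should change so the locally built image is the one the stack starts, and once the image is published a version tag or digest (`image: smartmeio/conductor@sha256:<digest>`) should replace `latest`. The unchanged `- URL="demo-test.smartme.io"` and `- IOTRONIC_PASS="smartme"` entries in the same hunk are YAML plain scalars, so the double quotes most likely end up inside the environment values; `- URL=demo-test.smartme.io` is presumably what was intended — worth confirming against how the entrypoint consumes them.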
@@ -3,21 +3,66 @@ services: crossbario: container_name: smartme_test_iotronic_crossbar restart: unless-stopped - image: crossbario/crossbar:cpy3-20.2.1 + image: smartme_test_iotronic_crossbar:latest volumes: - 'smartme_test_crossbar_config:/node/.crossbar' - - ./etc/ssl/iotronic/client_iotronic/:/node/.crossbar/ssl:ro + - /etc/ssl/iotronic/client_iotronic/:/node/.crossbar/ssl:ro ports: - '8181:8181' networks: - 'default' - + + wstun: + container_name: smartmeio_test_iotronic_wstun + restart: unless-stopped + image: smartmeio/smartmeio_test_iotronic_wstun:allowlist + volumes: + - '/etc/ssl/iotronic/client_iotronic:/var/lib/iotronic/ssl/:ro' + - './allowlist:/var/lib/wstun/allowlist:ro' + ports: + - '8080:8080' + - '50000-50100:50000-50100' + networks: + - 'default' + + wagent: + container_name: smartmeio_test_iotronic_wagent + image: smartmeio/smartmeio_test_iotronic_wagent:smartmeio-test + restart: unless-stopped + hostname: wagent1 + ports: + - '80:80' + - '443:443' + volumes: + - 'smartmeio_test_iotronic_wagent_config:/etc/iotronic/' + - 'smartmeio_test_iotronic_wagent_nginx:/etc/nginx/' + - '/var/log/iotronic-wagent:/var/log/iotronic' + networks: + - 'default' + + ui: + container_name: smartmeio_test_iotronic_ui + image: smartmeio/smartme_test_iotronic_ui:latest + restart: unless-stopped + ports: + - '8585:80' + volumes: + - 'smartme_test_iotronic_ui_config:/etc/openstack-dashboard/' + - '/var/log/iotronic-ui:/var/log/apache2/' + networks: + - 'default' volumes: - felooca_test_iotronic_db_data: - name: felooca_test_iotronic_db_data - felooca_test_iotronic_db_config: - name: felooca_test_iotronic_db_config + smartmeio_test_iotronic_db_data: + name: smartmeio_test_iotronic_db_data + smartmeio_test_iotronic_db_config: + name: smartmeio_test_iotronic_db_config + smartmeio_test_iotronic_wagent_config: + name: smartmeio_test_iotronic_wagent_config + smartmeio_test_iotronic_wagent_nginx: + name: smartmeio_test_iotronic_wagent_nginx + smartme_test_iotronic_ui_config: + 
name: smartme_test_iotronic_ui_config networks: default: From 3cb12c918cd699e47a2916e45ac3b6fcc7d3dd07 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 17:38:57 +0100 Subject: [PATCH 16/66] fixing image prefix for docker submission --- 3-conductor/build/build | 2 +- 4-iotronic-crossbar/build | 2 +- 4-iotronic-wstun/build | 2 +- 5-wagent/build/build | 2 +- 6-ui/build/build | 2 +- 6-ui/build/build-py3 | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/3-conductor/build/build b/3-conductor/build/build index 058342b..5ae185d 100755 --- a/3-conductor/build/build +++ b/3-conductor/build/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartme/felooca_test_iotronic_conductor:$VERSION . \ No newline at end of file +docker build -t smartmeio/felooca_test_iotronic_conductor:$VERSION . \ No newline at end of file diff --git a/4-iotronic-crossbar/build b/4-iotronic-crossbar/build index f8dca5e..b27a752 100755 --- a/4-iotronic-crossbar/build +++ b/4-iotronic-crossbar/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartme/smartme_test_iotronic_crossbar:$VERSION . \ No newline at end of file +docker build -t smartmeio/smartme_test_iotronic_crossbar:$VERSION . \ No newline at end of file diff --git a/4-iotronic-wstun/build b/4-iotronic-wstun/build index ff41842..93b203c 100755 --- a/4-iotronic-wstun/build +++ b/4-iotronic-wstun/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartme/smartme_test_iotronic_wstun:$VERSION . \ No newline at end of file +docker build -t smartmeio/smartme_test_iotronic_wstun:$VERSION . \ No newline at end of file diff --git a/5-wagent/build/build b/5-wagent/build/build index cde5316..40c7278 100755 --- a/5-wagent/build/build +++ b/5-wagent/build/build 
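Review bot: The image names added for the wstun and wagent services do not match what the build scripts in this series produce: the compose file asks for `smartmeio/smartmeio_test_iotronic_wstun:allowlist` and `smartmeio/smartmeio_test_iotronic_wagent:smartmeio-test`, while 4-iotronic-wstun/build and 5-wagent/build/build (PATCH 16) tag `smartmeio/smartme_test_iotronic_wstun:latest` and `smartmeio/smartme_test_iotronic_wagent:smartme-test`, and crossbar was changed to the unprefixed `smartme_test_iotronic_crossbar:latest` although its build script tags `smartmeio/smartme_test_iotronic_crossbar:latest`. Unless those images exist under the other names in the registry, `docker compose up` will fail to pull them, so one naming scheme should be used in both places. The new `ports` entries (`80`, `443`, `8080`, `50000-50100`, `8585`) carry no host address and therefore bind on every interface; prefixing the ones that are only needed locally with `127.0.0.1:` keeps them off the public side, and `8585:80` serves the dashboard over plain HTTP. The crossbar TLS mount moved from `./etc/ssl/...` to the absolute host path `/etc/ssl/iotronic/client_iotronic/`, which makes the stack depend on that host layout; a comment naming the step expected to populate it would help the next operator.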
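Review bot: `$VERSION` is still interpolated unquoted in the rewritten `docker build -t smartmeio/felooca_test_iotronic_conductor:$VERSION .` line; `docker build -t "smartmeio/felooca_test_iotronic_conductor:$VERSION" .` is the safe form, and the same applies to the sibling scripts in this patch (4-iotronic-crossbar/build, 4-iotronic-wstun/build, 5-wagent/build/build, 6-ui/build/build, 6-ui/build/build-py3). The conductor image also keeps the `felooca_test_` prefix while every other script uses `smartme_test_`, and docker-compose-controller.yml (PATCH 14) expects `smartmeio/conductor:latest`, so this tag is not consumed anywhere visible in the series.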
@@ -1,4 +1,4 @@ #! /bin/bash VERSION="smartme-test" -docker build -t smartme/smartme_test_iotronic_wagent:$VERSION . \ No newline at end of file +docker build -t smartmeio/smartme_test_iotronic_wagent:$VERSION . \ No newline at end of file diff --git a/6-ui/build/build b/6-ui/build/build index 6c72870..778b763 100755 --- a/6-ui/build/build +++ b/6-ui/build/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartme/smartme_test_iotronic_ui:$VERSION . +docker build -t smartmeio/smartme_test_iotronic_ui:$VERSION . diff --git a/6-ui/build/build-py3 b/6-ui/build/build-py3 index 802135b..43dbb70 100755 --- a/6-ui/build/build-py3 +++ b/6-ui/build/build-py3 @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartme/smartme_test_iotronic_ui_py3:$VERSION -f Dockerfile-py3.dockerfile . +docker build -t smartmeio/smartme_test_iotronic_ui_py3:$VERSION -f Dockerfile-py3.dockerfile . From a6cdf1f8faa05baf547893feea52a46eb68c41f0 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 20:31:39 +0100 Subject: [PATCH 17/66] smoother rework of 1-rabbitmq stage --- 1-rabbitmq => 1-rabbitmq/1-rabbitmq | 0 1-rabbitmq/Dockerfile | 7 +++++++ 1-rabbitmq/build | 4 ++++ 1-rabbitmq/scripts/rabbitmq-setup.sh | 14 ++++++++++++++ 4 files changed, 25 insertions(+) rename 1-rabbitmq => 1-rabbitmq/1-rabbitmq (100%) create mode 100644 1-rabbitmq/Dockerfile create mode 100644 1-rabbitmq/build create mode 100644 1-rabbitmq/scripts/rabbitmq-setup.sh diff --git a/1-rabbitmq b/1-rabbitmq/1-rabbitmq similarity index 100% rename from 1-rabbitmq rename to 1-rabbitmq/1-rabbitmq diff --git a/1-rabbitmq/Dockerfile b/1-rabbitmq/Dockerfile new file mode 100644 index 0000000..c948fc0 --- /dev/null +++ b/1-rabbitmq/Dockerfile @@ -0,0 +1,7 @@ +FROM rabbitmq:3.9.8 + +ENV RABBIT_PASS smartme + +COPY scripts/rabbitmq-setup.sh /usr/local/bin/rabbitmq-setup + +RUN chmod +x /usr/local/bin/rabbitmq-setup \ No newline at end of file 
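Review bot: `ENV RABBIT_PASS smartme` bakes the broker password into the image configuration, where it is readable via `docker inspect`, inherited by every derived image and shipped to any registry the image is pushed to — and the value is never used, because scripts/rabbitmq-setup.sh reassigns `RABBIT_PASS="smartme"` before calling `rabbitmqctl`. Leave the password out of the Dockerfile and let the compose `environment:` (docker-compose-controller.yml already sets `RABBIT_PASS`) or a secret file supply it at run time, with the script reading `: "${RABBIT_PASS:?RABBIT_PASS must be set}"`. If a default really is wanted for local testing, a comment next to the ENV line saying so, and that it must be overridden in any deployment, belongs there.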
diff --git a/1-rabbitmq/build b/1-rabbitmq/build new file mode 100644 index 0000000..6ae96f9 --- /dev/null +++ b/1-rabbitmq/build @@ -0,0 +1,4 @@ +#! /bin/bash + +VERSION=3.9.8 +docker build -t smartmeio/rabbitmq:$VERSION . \ No newline at end of file diff --git a/1-rabbitmq/scripts/rabbitmq-setup.sh b/1-rabbitmq/scripts/rabbitmq-setup.sh new file mode 100644 index 0000000..e521f78 --- /dev/null +++ b/1-rabbitmq/scripts/rabbitmq-setup.sh @@ -0,0 +1,14 @@ +#! /bin/bash + + +#if [ "$EUID" -ne 0 ] +# then echo "Please run as root" +# exit +#cfi + +RABBIT_PASS="smartme" + +rabbitmqctl add_user openstack $RABBIT_PASS +rabbitmqctl set_permissions openstack ".*" ".*" ".*" + +echo -e "\e[32mCompleted \e[0m" \ No newline at end of file From 6e7715787c98c97c535e931a0bcbe356e4bb6779 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 20:32:02 +0100 Subject: [PATCH 18/66] adding build script for 1-mysql stage --- 1-mysql/build | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 1-mysql/build diff --git a/1-mysql/build b/1-mysql/build new file mode 100644 index 0000000..f94a244 --- /dev/null +++ b/1-mysql/build @@ -0,0 +1,4 @@ +#! /bin/bash + +VERSION=1.0 +docker build -t smartmeio/mariadb:focal . \ No newline at end of file From 23aaa403d50461f4f649110eb94c03e365a440b5 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 3 Nov 2021 20:33:04 +0100 Subject: [PATCH 19/66] renaming base images for containers in controller compose YAML --- docker-compose-controller.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 22937d5..a6bfb8e 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -3,7 +3,7 @@ services: mariadb: container_name: smartme_test_iotronic_db restart: unless-stopped - image: mariadb:focal + image: smartmeio/mariadb:focal environment: - MYSQL_ROOT_PASSWORD="smartme" volumes: 
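Review bot: `rabbitmqctl add_user openstack $RABBIT_PASS` runs without `set -e`, so when the user already exists (the script ships in the image and may run on every start) or the broker is not up yet, the failure is ignored, `set_permissions` still runs and the script prints `Completed` regardless; `set -euo pipefail` after the shebang and `"$RABBIT_PASS"` quoted would fix that. Passing the password on argv also exposes it in the process list and in any `bash -x` trace; newer rabbitmqctl releases can read it from stdin when the argument is omitted, which is worth checking for 3.9.8. The commented-out root check ends in `#cfi`, which will not work if someone re-enables it, and `echo -e` is better written as `printf '\e[32mCompleted \e[0m\n'`.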
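Review bot: `VERSION=1.0` is assigned but the tag passed to `docker build` is the literal `smartmeio/mariadb:focal`, so the variable is dead and the customized image reuses the name of its upstream base tag (`FROM mariadb:focal` in 1-mysql/Dockerfile, PATCH 20), which hides that it carries local init SQL and config. Either use `docker build -t "smartmeio/mariadb:focal-$VERSION" .` or drop the variable.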
@@ -17,7 +17,7 @@ services: rabbitmq: container_name: smartme_test_rabbitmq restart: unless-stopped - image: rabbitmq:3.9.8 + image: smartmeio/rabbitmq:3.9.8 entrypoint: ["/bin/sh","-c"] environment: - RABBIT_PASS="smartme" From fff639516da5970f6f7e18d0dda4e00bf816d1ba Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Thu, 4 Nov 2021 13:30:58 +0100 Subject: [PATCH 20/66] setting up properly mariadb with predefined settings --- 1-mysql/Dockerfile | 4 ++-- 1-mysql/build | 0 1-mysql/create_dbs_SMARTME_TEST.sql | 12 ++++++++++++ 1-mysql/initfile.sql | 6 ++++++ 4 files changed, 20 insertions(+), 2 deletions(-) mode change 100644 => 100755 1-mysql/build create mode 100644 1-mysql/create_dbs_SMARTME_TEST.sql create mode 100644 1-mysql/initfile.sql diff --git a/1-mysql/Dockerfile b/1-mysql/Dockerfile index b089a91..ff557ca 100644 --- a/1-mysql/Dockerfile +++ b/1-mysql/Dockerfile @@ -1,4 +1,4 @@ FROM mariadb:focal -COPY create_dbs.sql smartme_test_iotronic_db:/docker-entrypoint-initdb.d/create_dbs.sql -COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.conf \ No newline at end of file +COPY initfile.sql /docker-entrypoint-initdb.d/initfile.sql +COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.conf diff --git a/1-mysql/build b/1-mysql/build old mode 100644 new mode 100755 diff --git a/1-mysql/create_dbs_SMARTME_TEST.sql b/1-mysql/create_dbs_SMARTME_TEST.sql new file mode 100644 index 0000000..eecfea3 --- /dev/null +++ b/1-mysql/create_dbs_SMARTME_TEST.sql 
@@ -0,0 +1,12 @@ +CREATE USER IF NOT EXISTS sme_t_keystone@localhost IDENTIFIED BY 'f3l00caTEST'; +SET PASSWORD FOR sme_t_keystone@localhost = PASSWORD('f3l00caTEST'); + +CREATE USER IF NOT EXISTS sme_t_iotronic@localhost IDENTIFIED BY 'f3l00caTEST'; +SET PASSWORD FOR sme_t_iotronic@localhost = PASSWORD('f3l00caTEST'); + +CREATE DATABASE smartme_test_keystone; +GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'localhost' IDENTIFIED BY 'f3l00caTEST'; +GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'%' IDENTIFIED BY 'f3l00caTEST'; +CREATE DATABASE smartme_test_iotronic; +GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'localhost' IDENTIFIED BY 'f3l00caTEST'; +GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'%' IDENTIFIED BY 'f3l00caTEST'; \ No newline at end of file diff --git a/1-mysql/initfile.sql b/1-mysql/initfile.sql new file mode 100644 index 0000000..46f4db4 --- /dev/null +++ b/1-mysql/initfile.sql @@ -0,0 +1,6 @@ +CREATE DATABASE smartme_test_keystone; +GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'localhost' IDENTIFIED BY 'f3l00caTEST'; +GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'%' IDENTIFIED BY 'f3l00caTEST'; +CREATE DATABASE smartme_test_iotronic; +GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'localhost' IDENTIFIED BY 'f3l00caTEST'; +GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'%' IDENTIFIED BY 'f3l00caTEST'; \ No newline at end of file From 6bca9c9a4aff98f4d2e46bd2e383e1a555fe3368 Mon Sep 17 00:00:00 2001 
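Review bot: Both new files create the `sme_t_keystone` and `sme_t_iotronic` accounts with the literal password `f3l00caTEST`, and initfile.sql is copied into the image by 1-mysql/Dockerfile, so the database credentials now live in git history and in every copy of the image; create_dbs_SMARTME_TEST.sql repeats the same GRANTs plus CREATE USER statements and is not referenced by the Dockerfile at all, so one of the two should go. The matching connection strings in 2-keystone/conf/keystone.conf and 3-conductor/conf/iotronic.conf still carry the `KEYSTONE_DBPASS`/`IOTRONIC_DBPASS` placeholders, so presumably some step substitutes them; the init SQL could take the same approach, e.g. `IDENTIFIED BY '${IOTRONIC_DBPASS}'` rendered from the container environment at first start, keeping the real value out of the repository. The `'%'` grants allow these accounts to connect from any host, and docker-compose-controller.yml publishes `53306:3306` on the host, so they are reachable beyond the compose network — worth a comment or a tighter host pattern.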
From: Arturo Rinaldi Date: Thu, 4 Nov 2021 13:31:58 +0100 Subject: [PATCH 21/66] tweaking up 2-keyston step with updated settings --- 2-keystone/2-keystone | 6 +++--- 2-keystone/2.5-keystone | 2 +- 2-keystone/build/build | 2 +- 2-keystone/conf/adminrc | 2 +- 2-keystone/conf/keystone.conf | 2 +- 2-keystone/scripts/keystone-setup.sh | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/2-keystone/2-keystone b/2-keystone/2-keystone index 95da1f9..d321aa5 100755 --- a/2-keystone/2-keystone +++ b/2-keystone/2-keystone @@ -8,7 +8,7 @@ VERSION=1.0 -HOST="demo-test.smartme.io" +HOST="demo-controller.smartme.io" HTTPS=true ADMIN_PASS="smartme" @@ -42,7 +42,7 @@ docker create \ -v smartme_test_keystone_data:/var/lib/keystone/ \ -v /var/log/keystone:/var/log/keystone \ -v /var/log/keystone-api:/var/log/apache2 \ -smartmeio/keystone-stain:$VERSION +smartmeio/keystone-wallaby:$VERSION docker cp conf/keystone.conf smartme_test_keystone:/etc/keystone/ @@ -50,7 +50,7 @@ docker cp conf/keystone.conf smartme_test_keystone:/etc/keystone/ docker run --rm \ -v /var/log/keystone:/var/log/keystone \ -v /var/log/keystone-api:/var/log/apache2 \ -smartmeio/keystone-stain:$VERSION \ +smartmeio/keystone-wallaby:$VERSION \ /bin/sh -c "chown -R keystone:keystone /var/log/keystone/" docker start smartme_test_keystone diff --git a/2-keystone/2.5-keystone b/2-keystone/2.5-keystone index 0c3bb7a..7dacf20 100755 --- a/2-keystone/2.5-keystone +++ b/2-keystone/2.5-keystone @@ -1,6 +1,6 @@ #! /bin/bash -HOST="demo-test.smartme.io" +HOST="demo-controller.smartme.io" HTTPS=true ADMIN_PASS="smartme" diff --git a/2-keystone/build/build b/2-keystone/build/build index 4b51563..0a6d298 100755 --- a/2-keystone/build/build +++ b/2-keystone/build/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION=1.0 -docker build -t smartmeio/keystone-stain:$VERSION . \ No newline at end of file +docker build -t smartmeio/keystone-wallaby:$VERSION . \ No newline at end of file 
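Review bot: The new `HOST="demo-controller.smartme.io"` value is now hard-coded separately in 2-keystone/2-keystone, 2.5-keystone, conf/adminrc and scripts/keystone-setup.sh, and the rename was not carried into 3-conductor/conf/iotronic.conf, whose `www_authenticate_uri = https://demo-test.smartme.io:5000` context line in PATCH 22 still names the old host; unless keystone is also served on that name, the conductor will fail token validation. Sourcing one variables file (the adminrc already exists) from the scripts would keep them from drifting. The `docker create` / `docker run` hunks keep `smartmeio/keystone-wallaby:$VERSION` unquoted; `"smartmeio/keystone-wallaby:$VERSION"` is the safer spelling. The surrounding command blocks of 2-keystone start and end outside these hunks.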
diff --git a/2-keystone/conf/adminrc b/2-keystone/conf/adminrc index 62b5c27..313c972 100644 --- a/2-keystone/conf/adminrc +++ b/2-keystone/conf/adminrc @@ -3,6 +3,6 @@ OS_USER_DOMAIN_NAME=Default OS_PROJECT_NAME=admin OS_USERNAME=admin OS_PASSWORD=smartme -OS_AUTH_URL=https://demo-test.smartme.io:5000/v3 +OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3 OS_IDENTITY_API_VERSION=3 OS_IMAGE_API_VERSION=2 \ No newline at end of file diff --git a/2-keystone/conf/keystone.conf b/2-keystone/conf/keystone.conf index 71a6804..506d52a 100644 --- a/2-keystone/conf/keystone.conf +++ b/2-keystone/conf/keystone.conf @@ -590,7 +590,7 @@ log_dir = /var/log/keystone [database] -connection = mysql+pymysql://fe_t_keystone:KEYSTONE_DBPASS@smartme_test_iotronic_db:3306/smartme_test_keystone +connection = mysql+pymysql://sme_t_keystone:KEYSTONE_DBPASS@smartme_test_iotronic_db:3306/smartme_test_keystone # # From oslo.db diff --git a/2-keystone/scripts/keystone-setup.sh b/2-keystone/scripts/keystone-setup.sh index 1142d4d..9f5e39b 100644 --- a/2-keystone/scripts/keystone-setup.sh +++ b/2-keystone/scripts/keystone-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -x -HOST="demo-test.smartme.io" +HOST="demo-controller.smartme.io" HTTPS=true ADMIN_PASS="smartme" From defb570fcfd19fcf7fe45861d2e286b20bbfdce4 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Thu, 4 Nov 2021 13:32:43 +0100 Subject: [PATCH 22/66] updating a couple of URLs in 3-conductor step --- 3-conductor/build/Dockerfile | 2 +- 3-conductor/conf/iotronic.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile index 8a11b16..db85978 100644 --- a/3-conductor/build/Dockerfile +++ b/3-conductor/build/Dockerfile 
@@ -26,7 +26,7 @@ RUN locale-gen en_US.UTF-8 ENV TZ 'Europe/Rome' RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata -RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic +RUN git clone --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic #COPY ./iotronic /opt/build/iotronic WORKDIR /opt/build/iotronic diff --git a/3-conductor/conf/iotronic.conf b/3-conductor/conf/iotronic.conf index a5e1771..e66afea 100644 --- a/3-conductor/conf/iotronic.conf +++ b/3-conductor/conf/iotronic.conf @@ -33,7 +33,7 @@ service_allow_list_path="/var/lib/iotronic/wstun/allowlist.json" [database] -connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic +connection = mysql+pymysql://sme_t_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-test.smartme.io:5000 From 79249935652422d53534cc3f3634de255f8387d2 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Mon, 15 Nov 2021 11:45:30 +0100 Subject: [PATCH 23/66] editing entries in iotronic.conf connections setting file --- 5-wagent/build/Dockerfile | 2 +- 5-wagent/build/conf/iotronic.conf | 8 ++++---- 5-wagent/conf/iotronic.conf | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile index b5c2dd4..5d70994 100644 --- a/5-wagent/build/Dockerfile +++ b/5-wagent/build/Dockerfile 
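Review bot: Dropping `-b felooca_dev` leaves `RUN git clone --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic` tracking whatever the repository's default branch head is at build time, so two builds of the same Dockerfile can contain different code and nothing records which revision went in; 5-wagent/build/Dockerfile gets the same change in PATCH 23, and the 6-ui Dockerfiles in PATCH 24 pin a branch but not a revision either. Pass the revision as a build argument and check it out explicitly, e.g. `ARG IOTRONIC_REF=<tag-or-commit>` followed by `git clone --depth 1 --branch "$IOTRONIC_REF" ...` for a tag (or a full clone plus `git checkout "$IOTRONIC_REF"` for a commit), so the image is reproducible and the source revision is auditable. The rest of the build stage is outside this hunk.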
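Review bot: The `[keystone_authtoken]` context directly below the rewritten `connection` line still points at `https://demo-test.smartme.io:5000`, while PATCH 21 moved keystone's HOST, adminrc and keystone-setup.sh to `demo-controller.smartme.io`; unless keystone is also reachable on the demo-test name, the conductor's token validation will break after this series. The new connection string keeps the `IOTRONIC_DBPASS` placeholder whereas 1-mysql/initfile.sql sets a literal password, so a comment naming the step that substitutes the placeholder (`# IOTRONIC_DBPASS is replaced by <setup-step> at deploy time`) would make the relationship explicit.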
@@ -45,7 +45,7 @@ RUN mkdir -p $IOTRONIC_HOME \ RUN echo "iotronic ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers #RUN git clone https://opendev.org/x/iotronic.git /opt/build/iotronic -RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic +RUN git clone --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic.git /opt/build/iotronic WORKDIR /opt/build/iotronic diff --git a/5-wagent/build/conf/iotronic.conf b/5-wagent/build/conf/iotronic.conf index 0645d8c..b6158bb 100644 --- a/5-wagent/build/conf/iotronic.conf +++ b/5-wagent/build/conf/iotronic.conf @@ -18,7 +18,7 @@ auth_strategy=keystone [wamp] -wamp_transport_url = wss://felooca-test-wagent1.smartme.io:8181/ +wamp_transport_url = wss://demo-wagent.smartme.io:8181/ wamp_realm = s4t skip_cert_verify= True register_agent = True @@ -30,11 +30,11 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic +connection = mysql+pymysql://sme_t_test_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic [keystone_authtoken] -www_authenticate_uri = https://demo-test.smartme.io:5000 -auth_url = https://demo-test.smartme.io:5000 +www_authenticate_uri = https://demo-controller.smartme.io:5000 +auth_url = https://demo-controller.smartme.io:5000 auth_plugin = password project_domain_id = default user_domain_id = default diff --git a/5-wagent/conf/iotronic.conf b/5-wagent/conf/iotronic.conf index c273c6f..b6158bb 100644 --- a/5-wagent/conf/iotronic.conf +++ b/5-wagent/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@felooca_test_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/ debug=True proxy=nginx 
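Review bot: The rewritten connection string uses the user `sme_t_test_iotronic`, but 1-mysql/initfile.sql (PATCH 20) creates and grants `sme_t_iotronic`, and 3-conductor/conf/iotronic.conf (PATCH 22) uses `sme_t_iotronic` too, so MariaDB will refuse the wagent; the same mismatch is in the 5-wagent/conf/iotronic.conf hunk that follows. The line should read `connection = mysql+pymysql://sme_t_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic`. The `[wamp]` hunk above switches `wamp_transport_url` to `wss://demo-wagent.smartme.io:8181/` while the unchanged `skip_cert_verify= True` beside it disables certificate checking on that TLS connection; given the CA material this series ships, a comment recording why verification stays off — or turning it back on — would be appropriate.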
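Review bot: The new `transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/` commits the broker password in clear text in a tracked config, mirroring the `RABBIT_PASS` hard-coded in 1-rabbitmq/scripts/rabbitmq-setup.sh (PATCH 17). The file already uses placeholders for the database password (`IOTRONIC_DBPASS`), so the same convention, e.g. `transport_url=rabbit://openstack:RABBIT_PASS@smartme_test_rabbitmq:5672/` substituted at deploy time, would keep the credential out of the repository.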
@@ -18,7 +18,7 @@ auth_strategy=keystone [wamp] -wamp_transport_url = wss://felooca-test-wagent1.smartme.io:8181/ +wamp_transport_url = wss://demo-wagent.smartme.io:8181/ wamp_realm = s4t skip_cert_verify= True register_agent = True @@ -30,11 +30,11 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://fe_t_iotronic:IOTRONIC_DBPASS@felooca_test_iotronic_db/felooca_test_iotronic +connection = mysql+pymysql://sme_t_test_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic [keystone_authtoken] -www_authenticate_uri = https://felooca-test-ctrl.smartme.io:5000 -auth_url = https://felooca-test-ctrl.smartme.io:5000 +www_authenticate_uri = https://demo-controller.smartme.io:5000 +auth_url = https://demo-controller.smartme.io:5000 auth_plugin = password project_domain_id = default user_domain_id = default From d269dff36bf53e507d71d9ce16d58927ae35bcc5 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Mon, 15 Nov 2021 11:46:45 +0100 Subject: [PATCH 24/66] editing entries for user interface stage --- 6-ui/build/Dockerfile | 2 +- 6-ui/build/Dockerfile-py3.dockerfile | 2 +- 6-ui/build/conf/local_settings.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/6-ui/build/Dockerfile b/6-ui/build/Dockerfile index bf3b39f..63a04c7 100644 --- a/6-ui/build/Dockerfile +++ b/6-ui/build/Dockerfile @@ -20,7 +20,7 @@ RUN : \ #RUN pip install setuptools -RUN git clone https://opendev.org/x/python-iotronicclient.git /opt/build/python-iotronicclient +RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic-py-client.git /opt/build/python-iotronicclient WORKDIR /opt/build/python-iotronicclient RUN pip2 install -r requirements.txt diff --git a/6-ui/build/Dockerfile-py3.dockerfile b/6-ui/build/Dockerfile-py3.dockerfile index 43e9118..448ea5b 100644 --- a/6-ui/build/Dockerfile-py3.dockerfile +++ b/6-ui/build/Dockerfile-py3.dockerfile 
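Review bot: 5-wagent/build/conf/iotronic.conf and 5-wagent/conf/iotronic.conf are edited here to identical content (both post-images are blob b6158bb), so the same settings are kept in sync by hand in two places and the next edit can drift, as the differing pre-images of the `www_authenticate_uri` lines already show. Keep one copy (a later 5-wagent Dockerfile hunk copies `conf/iotronic.conf` relative to the build context) and add a one-line comment at the top of whichever file remains stating that it is the authoritative one. The new `connection` line names the DB user `sme_t_test_iotronic`, which does not match any user created by the 1-mysql scripts at this point in the series; a later commit renames it, so the remaining task is only to stop the two files from diverging again.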
@@ -20,7 +20,7 @@ RUN : \ #RUN pip install setuptools -RUN git clone https://opendev.org/x/python-iotronicclient.git /opt/build/python-iotronicclient +RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic-py-client.git /opt/build/python-iotronicclient WORKDIR /opt/build/python-iotronicclient RUN pip3 install -r requirements.txt diff --git a/6-ui/build/conf/local_settings.py b/6-ui/build/conf/local_settings.py index d5b5ba3..051f88d 100644 --- a/6-ui/build/conf/local_settings.py +++ b/6-ui/build/conf/local_settings.py @@ -183,7 +183,7 @@ # ('http://cluster2.example.com:5000/v3', 'cluster2'), #] -OPENSTACK_HOST = "demo-test.smartme.io" +OPENSTACK_HOST = "demo-wagent.smartme.io" OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" From 8b3a6fb2fecb8395780dc8c032f6646d777cd3c4 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Mon, 15 Nov 2021 11:48:09 +0100 Subject: [PATCH 25/66] editing entries in wagent docker-compose YAML file --- docker-compose-controller.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index a6bfb8e..4288783 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml 
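Review bot: `OPENSTACK_HOST = "demo-wagent.smartme.io"` in 6-ui/build/conf/local_settings.py points the dashboard's Keystone URL (`https://%s:5000/v3`) at the wagent host, while every other file in this series authenticates against demo-controller.smartme.io (the `auth_url` lines in the wagent and conductor iotronic.conf hunks, and the sibling 6-ui/conf/local_settings.py as changed in PATCH 33). Unless the wagent host proxies Keystone on port 5000, which nothing on this page shows, this copy should read `OPENSTACK_HOST = "demo-controller.smartme.io"`. PATCH 33 only fixes 6-ui/conf/local_settings.py, so the two copies of local_settings.py end the series pointing at different hosts.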
@@ -33,19 +33,19 @@ services: keystone: container_name: smartme_test_keystone restart: unless-stopped - image: smartmeio/keystone-stain:1.0 + image: smartmeio/keystone-wallaby:1.0 environment: - OS_PROJECT_DOMAIN_NAME=Default - OS_USER_DOMAIN_NAME=Default - OS_PROJECT_NAME=admin - OS_USERNAME=admin - OS_PASSWORD=smartme - - OS_AUTH_URL=https://demo-test.smartme.io:5000/v3 + - OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3 - OS_IDENTITY_API_VERSION=3 - OS_IMAGE_API_VERSION=2 - - HOST="demo-test.smartme.io" + - HOST="demo-controller.smartme.io" - ADMIN_PASS="smartme" - - URL="https://demo-test.smartme.io:5000/v3" + - URL="https://demo-controller.smartme.io:5000/v3" volumes: - smartme_test_keystone_config:/etc/keystone/ - smartme_test_keystone_data:/var/lib/keystone/ From c126b7f32e9db5dac7dcb00aa963f51012fdcde5 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:07:49 +0100 Subject: [PATCH 26/66] redefining entries in 1-mysql stage --- 1-mysql/Dockerfile | 2 +- 1-mysql/create_dbs_SMARTME_TEST.sql | 20 ++++++++++---------- 1-mysql/initfile.sql | 18 ++++++++++++------ 3 files changed, 23 insertions(+), 17 deletions(-) diff --git a/1-mysql/Dockerfile b/1-mysql/Dockerfile index ff557ca..9a988b2 100644 --- a/1-mysql/Dockerfile +++ b/1-mysql/Dockerfile @@ -1,4 +1,4 @@ FROM mariadb:focal COPY initfile.sql /docker-entrypoint-initdb.d/initfile.sql -COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.conf +COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.conf \ No newline at end of file diff --git a/1-mysql/create_dbs_SMARTME_TEST.sql b/1-mysql/create_dbs_SMARTME_TEST.sql index eecfea3..9f11b73 100644 --- a/1-mysql/create_dbs_SMARTME_TEST.sql +++ b/1-mysql/create_dbs_SMARTME_TEST.sql 
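Review bot: The added `- HOST="demo-controller.smartme.io"` and `- URL="https://demo-controller.smartme.io:5000/v3"` entries keep the double quotes as part of the value: in list-form `environment:` Compose passes the text after `=` through unchanged, so inside the container `$HOST` is `"demo-controller.smartme.io"` with literal quote characters, and the same applies to the `ADMIN_PASS="smartme"` context line, which would make the bootstrap password contain quotes. Drop the inner quotes, `- HOST=demo-controller.smartme.io`, `- URL=https://demo-controller.smartme.io:5000/v3`, `- ADMIN_PASS=smartme`, or switch to the map form (`HOST: demo-controller.smartme.io`). The `MYSQL_ROOT_PASSWORD="smartme"` and `RABBIT_PASS="smartme"` lines in the docker-compose-controller.yml hunks of PATCH 34 have the same problem.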
@@ -1,12 +1,12 @@ -CREATE USER IF NOT EXISTS sme_t_keystone@localhost IDENTIFIED BY 'f3l00caTEST'; -SET PASSWORD FOR sme_t_keystone@localhost = PASSWORD('f3l00caTEST'); +CREATE USER IF NOT EXISTS s4t_keystone@localhost IDENTIFIED BY 'sm3d3m0n'; +SET PASSWORD FOR s4t_keystone@localhost = PASSWORD('sm3d3m0n'); -CREATE USER IF NOT EXISTS sme_t_iotronic@localhost IDENTIFIED BY 'f3l00caTEST'; -SET PASSWORD FOR sme_t_iotronic@localhost = PASSWORD('f3l00caTEST'); +CREATE USER IF NOT EXISTS s4t_iotronic@localhost IDENTIFIED BY 'sm3d3m0n'; +SET PASSWORD FOR s4t_iotronic@localhost = PASSWORD('sm3d3m0n'); -CREATE DATABASE smartme_test_keystone; -GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'localhost' IDENTIFIED BY 'f3l00caTEST'; -GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'%' IDENTIFIED BY 'f3l00caTEST'; -CREATE DATABASE smartme_test_iotronic; -GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'localhost' IDENTIFIED BY 'f3l00caTEST'; -GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'%' IDENTIFIED BY 'f3l00caTEST'; \ No newline at end of file +CREATE DATABASE s4t_keystone; +GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'localhost' IDENTIFIED BY 'sm3d3m0n'; +GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'%' IDENTIFIED BY 'sm3d3m0n'; +CREATE DATABASE s4t_iotronic; +GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'localhost' IDENTIFIED BY 'sm3d3m0n'; +GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'%' IDENTIFIED BY 'sm3d3m0n'; \ No newline at end of file diff --git a/1-mysql/initfile.sql b/1-mysql/initfile.sql index 46f4db4..9f11b73 100644 --- a/1-mysql/initfile.sql +++ b/1-mysql/initfile.sql 
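Review bot: The new `IDENTIFIED BY 'sm3d3m0n'` lines commit the live Keystone and Iotronic database passwords to the repository in clear text, replacing the old test value rather than the committed-secret problem itself; the same content is written again into 1-mysql/initfile.sql in the next hunk (both files end at blob 9f11b73), so the secret now sits in two tracked files and in the image layer produced by `COPY initfile.sql /docker-entrypoint-initdb.d/initfile.sql`. Generate the password at deploy time and substitute it into the init script (or read it from a mounted secret), and treat `sm3d3m0n` as burned since it is in git history. Separately, `GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'%'` accepts the account from any host; if only the keystone and conductor containers need it, restrict the host part, and the `SET PASSWORD FOR ... = PASSWORD(...)` lines are redundant immediately after `CREATE USER ... IDENTIFIED BY`.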
@@ -1,6 +1,12 @@ -CREATE DATABASE smartme_test_keystone; -GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'localhost' IDENTIFIED BY 'f3l00caTEST'; -GRANT ALL PRIVILEGES ON smartme_test_keystone.* TO 'sme_t_keystone'@'%' IDENTIFIED BY 'f3l00caTEST'; -CREATE DATABASE smartme_test_iotronic; -GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'localhost' IDENTIFIED BY 'f3l00caTEST'; -GRANT ALL PRIVILEGES ON smartme_test_iotronic.* TO 'sme_t_iotronic'@'%' IDENTIFIED BY 'f3l00caTEST'; \ No newline at end of file +CREATE USER IF NOT EXISTS s4t_keystone@localhost IDENTIFIED BY 'sm3d3m0n'; +SET PASSWORD FOR s4t_keystone@localhost = PASSWORD('sm3d3m0n'); + +CREATE USER IF NOT EXISTS s4t_iotronic@localhost IDENTIFIED BY 'sm3d3m0n'; +SET PASSWORD FOR s4t_iotronic@localhost = PASSWORD('sm3d3m0n'); + +CREATE DATABASE s4t_keystone; +GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'localhost' IDENTIFIED BY 'sm3d3m0n'; +GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'%' IDENTIFIED BY 'sm3d3m0n'; +CREATE DATABASE s4t_iotronic; +GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'localhost' IDENTIFIED BY 'sm3d3m0n'; +GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'%' IDENTIFIED BY 'sm3d3m0n'; \ No newline at end of file From e2bd41d4b6e2ea2deebb419081b12fe6ed548c79 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:08:27 +0100 Subject: [PATCH 27/66] redefining entries in 1-rabbitmq stage --- 1-rabbitmq/build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1-rabbitmq/build b/1-rabbitmq/build index 6ae96f9..8f8af3c 100644 --- a/1-rabbitmq/build +++ b/1-rabbitmq/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION=3.9.8 -docker build -t smartmeio/rabbitmq:$VERSION . \ No newline at end of file +docker build -t smartmeio/s4t_rabbitmq:$VERSION . \ No newline at end of file From 49dda745ea72687db785cda6d15570fd6b46d773 Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:08:52 +0100 Subject: [PATCH 28/66] redefining entries in 2-keystone stage --- 2-keystone/2-keystone | 12 ++++++------ 2-keystone/2.5-keystone | 16 ++++++++-------- 2-keystone/build/Dockerfile | 6 ++++-- 2-keystone/build/build | 4 ++-- 2-keystone/conf/adminrc | 2 +- 2-keystone/conf/keystone.conf | 2 +- 2-keystone/scripts/keystone-setup.sh | 4 ++-- 7 files changed, 24 insertions(+), 22 deletions(-) diff --git a/2-keystone/2-keystone b/2-keystone/2-keystone index d321aa5..fe6261e 100755 --- a/2-keystone/2-keystone +++ b/2-keystone/2-keystone @@ -34,18 +34,18 @@ echo -e "\e[0m" docker create \ --env-file conf/adminrc \ - --name=smartme_test_keystone \ + --name=s4t_keystone \ --restart unless-stopped\ - --network=smartme_test_network \ + --network=s4t_network \ -p 5001:5000 \ - -v smartme_test_keystone_config:/etc/keystone/ \ - -v smartme_test_keystone_data:/var/lib/keystone/ \ + -v s4t_keystone_config:/etc/keystone/ \ + -v s4t_keystone_data:/var/lib/keystone/ \ -v /var/log/keystone:/var/log/keystone \ -v /var/log/keystone-api:/var/log/apache2 \ smartmeio/keystone-wallaby:$VERSION -docker cp conf/keystone.conf smartme_test_keystone:/etc/keystone/ +docker cp conf/keystone.conf s4t_keystone:/etc/keystone/ docker run --rm \ -v /var/log/keystone:/var/log/keystone \ @@ -53,5 +53,5 @@ docker run --rm \ smartmeio/keystone-wallaby:$VERSION \ /bin/sh -c "chown -R keystone:keystone /var/log/keystone/" -docker start smartme_test_keystone +docker start s4t_keystone diff --git a/2-keystone/2.5-keystone b/2-keystone/2.5-keystone index 7dacf20..b4baf75 100755 --- a/2-keystone/2.5-keystone +++ b/2-keystone/2.5-keystone 
@@ -4,21 +4,21 @@ HOST="demo-controller.smartme.io" HTTPS=true ADMIN_PASS="smartme" -URL="http://$HOST:5000/v3" +URL="http://$HOST:5001/v3" if [ "$HTTPS" = true ] ; then - URL="https://$HOST:5000/v3" + URL="https://$HOST:5001/v3" fi echo $URL -docker exec smartme_test_keystone /bin/sh -c "keystone-manage db_sync" keystone +docker exec s4t_keystone /bin/sh -c "keystone-manage db_sync" keystone echo "db_sync" -docker exec smartme_test_keystone keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone +docker exec s4t_keystone keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone echo "fernet_setup" -docker exec smartme_test_keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone +docker exec s4t_keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone -docker exec smartme_test_keystone keystone-manage bootstrap --bootstrap-password $ADMIN_PASS \ +docker exec s4t_keystone keystone-manage bootstrap --bootstrap-password $ADMIN_PASS \ --bootstrap-admin-url $URL \ --bootstrap-internal-url $URL \ --bootstrap-public-url $URL \ @@ -26,9 +26,9 @@ docker exec smartme_test_keystone keystone-manage bootstrap --bootstrap-password echo "bootstrap" -docker restart smartme_test_keystone +docker restart s4t_keystone echo "restarting in 5 seconds" sleep 5 -docker exec smartme_test_keystone openstack project create --domain default --description "Service Project" service +docker exec s4t_keystone openstack project create --domain default --description "Service Project" service echo "project created" diff --git a/2-keystone/build/Dockerfile b/2-keystone/build/Dockerfile index 38db633..ad3dc6f 100644 --- a/2-keystone/build/Dockerfile +++ b/2-keystone/build/Dockerfile 
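Review bot: `--bootstrap-password $ADMIN_PASS` and `--bootstrap-admin-url $URL` are unquoted expansions, and the password travels as a `docker exec` argument, where it is visible in the process list on the host for the duration of the bootstrap. Quote the expansions (`"$ADMIN_PASS"`, `"$URL"`, and `echo "$URL"`) and prefer handing the password to keystone-manage through its `OS_BOOTSTRAP_PASSWORD` environment variable, `docker exec -e OS_BOOTSTRAP_PASSWORD="$ADMIN_PASS" s4t_keystone keystone-manage bootstrap \`, instead of on the command line. The trailing `keystone` in `docker exec s4t_keystone /bin/sh -c "keystone-manage db_sync" keystone` only sets `$0` for the inner shell and looks like a leftover. The `ADMIN_PASS="smartme"` default shown in the context is a hard-coded admin credential in a tracked script; read it from the environment or a file instead.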
@@ -1,11 +1,11 @@ -FROM ubuntu:focal +FROM ubuntu:bionic #ENV VERSION=2.3.9 RUN : \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache software-properties-common \ python3-openstackclient nano iputils-ping net-tools keystone \ - && add-apt-repository -y cloud-archive:wallaby \ + && add-apt-repository -y cloud-archive:stein \ && apt-get update && apt-get -y dist-upgrade \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ @@ -22,6 +22,8 @@ RUN mkdir -p /var/log/keystone \ COPY scripts/keystone-setup.sh /usr/local/bin/keystone-setup +COPY conf/keystone.conf /etc/keystone/ + RUN chmod +x /usr/local/bin/keystone-setup VOLUME ["/etc/keystone"] diff --git a/2-keystone/build/build b/2-keystone/build/build index 0a6d298..40040fd 100755 --- a/2-keystone/build/build +++ b/2-keystone/build/build @@ -1,4 +1,4 @@ #! /bin/bash -VERSION=1.0 -docker build -t smartmeio/keystone-wallaby:$VERSION . \ No newline at end of file +VERSION="stein" +docker build -t smartmeio/s4t_keystone:$VERSION . \ No newline at end of file diff --git a/2-keystone/conf/adminrc b/2-keystone/conf/adminrc index 313c972..e68a5c4 100644 --- a/2-keystone/conf/adminrc +++ b/2-keystone/conf/adminrc @@ -3,6 +3,6 @@ OS_USER_DOMAIN_NAME=Default OS_PROJECT_NAME=admin OS_USERNAME=admin OS_PASSWORD=smartme -OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3 +OS_AUTH_URL=https://demo-controller.smartme.io:5001/v3 OS_IDENTITY_API_VERSION=3 OS_IMAGE_API_VERSION=2 \ No newline at end of file diff --git a/2-keystone/conf/keystone.conf b/2-keystone/conf/keystone.conf index 506d52a..eec8f3e 100644 --- a/2-keystone/conf/keystone.conf +++ b/2-keystone/conf/keystone.conf @@ -590,7 +590,7 @@ log_dir = /var/log/keystone [database] -connection = mysql+pymysql://sme_t_keystone:KEYSTONE_DBPASS@smartme_test_iotronic_db:3306/smartme_test_keystone +connection = mysql+pymysql://s4t_keystone:sm3d3m0n@s4t_iotronic_db:3306/s4t_keystone # # From oslo.db 
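Review bot: `FROM ubuntu:bionic` with `add-apt-repository -y cloud-archive:stein` moves this image back one Ubuntu LTS and four OpenStack releases from the focal/wallaby pair it replaces; the same downgrade is repeated in the 3-conductor, 5-wagent and 6-ui Dockerfile hunks of PATCH 29, 32 and 33. Stein is the older release and, as far as I can tell, its cloud-archive pocket no longer receives security updates, so these images would carry unpatched packages from the first build; if a dependency forces stein, record the reason in a comment next to the `FROM` line, otherwise keep wallaby. The keystone package version is also no longer pinned anywhere visible (`#ENV VERSION=2.3.9` stays commented out), so the build result depends on the archive state at build time.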
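Review bot: `connection = mysql+pymysql://s4t_keystone:sm3d3m0n@s4t_iotronic_db:3306/s4t_keystone` replaces the `KEYSTONE_DBPASS` placeholder with the real database password, and the Dockerfile hunk in this same commit adds `COPY conf/keystone.conf /etc/keystone/`, so the credential is now both committed to git and baked into every image layer built from it. The conductor and wagent iotronic.conf hunks in PATCH 29 and 32 make the same substitution for `IOTRONIC_DBPASS`. Keep the placeholder in the tracked file and substitute it at container start (the 2-keystone script already does `docker cp conf/keystone.conf s4t_keystone:/etc/keystone/`, which is the natural place to inject a rendered copy), or mount the rendered file as a secret, and rotate `sm3d3m0n` since it is now in history.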
diff --git a/2-keystone/scripts/keystone-setup.sh b/2-keystone/scripts/keystone-setup.sh index 9f5e39b..6c219c1 100644 --- a/2-keystone/scripts/keystone-setup.sh +++ b/2-keystone/scripts/keystone-setup.sh @@ -4,9 +4,9 @@ HOST="demo-controller.smartme.io" HTTPS=true ADMIN_PASS="smartme" -URL="http://$HOST:5000/v3" +URL="http://$HOST:5001/v3" if [ "$HTTPS" = true ] ; then - URL="https://$HOST:5000/v3" + URL="https://$HOST:5001/v3" fi echo $URL From c78fde3978075c4a567424ac3daaa00d520e11df Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:10:03 +0100 Subject: [PATCH 29/66] redefining entries in 3-conductor stage --- 3-conductor/build/Dockerfile | 4 ++-- 3-conductor/build/build | 2 +- 3-conductor/conf/iotronic.conf | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile index db85978..1e7b217 100644 --- a/3-conductor/build/Dockerfile +++ b/3-conductor/build/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:focal +FROM ubuntu:bionic #ENV VERSION=2.3.9 ENV DEBIAN_FRONTEND=noninteractive @@ -14,7 +14,7 @@ RUN : \ software-properties-common locales tzdata build-essential \ python3-openstackclient python3 python3-setuptools vim nano \ python3-all python3-dev python3-all-dev git apache2 libapache2-mod-wsgi-py3 \ - && add-apt-repository -y cloud-archive:wallaby \ + && add-apt-repository -y cloud-archive:stein \ && apt-get update \ && apt-get -y dist-upgrade \ && apt-get clean \ diff --git a/3-conductor/build/build b/3-conductor/build/build index 5ae185d..f493b52 100755 --- a/3-conductor/build/build +++ b/3-conductor/build/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartmeio/felooca_test_iotronic_conductor:$VERSION . \ No newline at end of file +docker build -t smartmeio/s4t_iotronic_conductor:$VERSION . \ No newline at end of file diff --git a/3-conductor/conf/iotronic.conf b/3-conductor/conf/iotronic.conf index e66afea..48b98bf 100644 
--- a/3-conductor/conf/iotronic.conf +++ b/3-conductor/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ debug=True log_file = /var/log/iotronic/iotronic-conductor.log @@ -33,11 +33,11 @@ service_allow_list_path="/var/lib/iotronic/wstun/allowlist.json" [database] -connection = mysql+pymysql://sme_t_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@s4t_iotronic_db/s4t_iotronic [keystone_authtoken] -www_authenticate_uri = https://demo-test.smartme.io:5000 -auth_url = https://demo-test.smartme.io:5000 +www_authenticate_uri = https://demo-controller.smartme.io:5000 +auth_url = https://demo-controller.smartme.io:5000 auth_plugin = password project_domain_id = default user_domain_id = default From 35f68b6b9a80d3cc1a5704a586f91c9e3bc8674f Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:11:00 +0100 Subject: [PATCH 30/66] redefining entries in 4-iotronic-crossbar stage --- 4-iotronic-crossbar/build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/4-iotronic-crossbar/build b/4-iotronic-crossbar/build index b27a752..5e74e0b 100755 --- a/4-iotronic-crossbar/build +++ b/4-iotronic-crossbar/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartmeio/smartme_test_iotronic_crossbar:$VERSION . \ No newline at end of file +docker build -t smartmeio/s4t_iotronic_crossbar:$VERSION . \ No newline at end of file From aa2ab881ef0b756afc770e676a6d64bd9a568d7f Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:11:12 +0100 Subject: [PATCH 31/66] redefining entries in 4-iotronic-wstun stage --- 4-iotronic-wstun/Dockerfile | 20 ++++++++++++-------- 4-iotronic-wstun/build | 4 ++-- 2 files changed, 14 insertions(+), 10 deletions(-) 
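Review bot: The new `www_authenticate_uri` / `auth_url = https://demo-controller.smartme.io:5000` lines target port 5000, but in PATCH 28 Keystone is published on the host as `-p 5001:5000` and its bootstrap endpoint URLs, `adminrc` and keystone-setup.sh were all moved to `:5001/v3`; the same `:5000` remains in the wagent iotronic.conf hunks of PATCH 32, the UI `OPENSTACK_KEYSTONE_URL` in PATCH 33 and the compose `URL=` in PATCH 34. Unless something not on this page fronts Keystone on port 5000 of demo-controller.smartme.io, token validation from the conductor will fail to connect; pick one published port and use it consistently, e.g. `auth_url = https://demo-controller.smartme.io:5001`. The `[keystone_authtoken]` section continues past the end of this hunk.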
diff --git a/4-iotronic-wstun/Dockerfile b/4-iotronic-wstun/Dockerfile index 816b258..680ec1f 100644 --- a/4-iotronic-wstun/Dockerfile +++ b/4-iotronic-wstun/Dockerfile @@ -1,5 +1,5 @@ FROM node:dubnium-alpine -ENV VERSION=allowlist +ARG VERSION=master #1.1.0 ENV LC_CTYPE en_US.UTF-8 
@@ -9,27 +9,31 @@ ENV LANG C.UTF-8 #RUN npm install -g --unsafe @mdslab/wstun \ # && npm cache --force clean -RUN apk --no-cache add git +RUN apk --no-cache add git \ + && mkdir -p /var/lib/iotronic/ssl/ \ + && mkdir -p /var/log/wstun/ RUN npm install -g --unsafe websocket@1.0.26 optimist@0.6.1 node-uuid@1.4.7 under_score log4js@1.1.1 && npm cache --force clean -RUN git clone -b $VERSION --depth 1 https://github.com/MDSLab/wstun.git /usr/local/lib/node_modules/@mdslab/wstun/ +# RUN git clone -b ${VERSION} --depth 1 https://github.com/smartmeio/wstun.git /usr/local/lib/node_modules/@mdslab/wstun/ + +RUN npm install --unsafe-perm -g git+https://github.com/smartmeio/wstun.git #COPY wstun /usr/local/lib/node_modules/@mdslab/wstun -ENV NODE_PATH=/usr/local/lib/node_modules +COPY confs/ssl/* /var/lib/iotronic/ssl/ -WORKDIR /usr/bin/ +ENV NODE_PATH=/usr/local/lib/node_modules #EXPOSE 40001-40050 EXPOSE 8080 -RUN mkdir -p /var/log/wstun/ - #RUN mkdir -p /var/lib/iotronic/ssl/ #COPY ./confs/ssl/ /var/lib/iotronic/ssl/ #COPY ./confs/allowlist /var/lib/wstun/ #ENTRYPOINT ["node", "/usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js", "-r", "-s", "8080", "--ssl=false", "-a/var/lib/iotronic/wstun/allowlist"] -ENTRYPOINT ["node", "/usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js", "-r", "-s", "8080", "--ssl=true", "--key=/var/lib/iotronic/ssl/iotronic.key", "--cert=/var/lib/iotronic/ssl/iotronic.pem", "-a/var/lib/wstun/allowlist"] +# ENTRYPOINT ["node", "/usr/local/lib/node_modules/@mdslab/wstun/bin/wstun.js", "-r", "-s", "8080", "--ssl=true", "--key=/var/lib/iotronic/ssl/iotronic.key", "--cert=/var/lib/iotronic/ssl/iotronic.pem", "-a/var/lib/wstun/allowlist"] + +ENTRYPOINT ["wstun", "-r", "-s", "8080", "--ssl=true", "--key=/var/lib/iotronic/ssl/iotronic.key", "--cert=/var/lib/iotronic/ssl/iotronic.pem", "-a/var/lib/wstun/allowlist"] diff --git a/4-iotronic-wstun/build b/4-iotronic-wstun/build index 93b203c..6f9dc92 100755 --- a/4-iotronic-wstun/build 
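Review bot: `RUN npm install --unsafe-perm -g git+https://github.com/smartmeio/wstun.git` installs whatever the repository's default branch points to at build time, so the image is not reproducible and an upstream push is picked up unreviewed; the commented-out clone above it at least used `${VERSION}`, and the `ARG VERSION=master` introduced in the previous hunk is now unused. Pin the ref, `RUN npm install --unsafe-perm -g "git+https://github.com/smartmeio/wstun.git#${VERSION}"`, and set the ARG to a tag or commit rather than `master`. `COPY confs/ssl/* /var/lib/iotronic/ssl/` also copies the directory the entrypoint reads `--key=/var/lib/iotronic/ssl/iotronic.key` from into an image layer, so if the private key sits under confs/ssl/ in the build context it ships inside the image even though the wagent compose file later bind-mounts `/etc/ssl/iotronic/client_iotronic` over that path; mount the key at run time and drop the COPY, keeping at most the CA bundle in the build context.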
+++ b/4-iotronic-wstun/build @@ -1,4 +1,4 @@ #! /bin/bash -VERSION="latest" -docker build -t smartmeio/smartme_test_iotronic_wstun:$VERSION . \ No newline at end of file +VERSION="1.1.0" +docker build -t smartmeio/s4t_iotronic_wstun:$VERSION . \ No newline at end of file From b73c002e8aa6644fc69dca83a2c8d6009620195e Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:11:28 +0100 Subject: [PATCH 32/66] redefining entries in 5-wagent stage --- 5-wagent/build/Dockerfile | 8 ++++---- 5-wagent/build/build | 2 +- 5-wagent/build/conf/iotronic.conf | 4 ++-- 5-wagent/conf/iotronic.conf | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile index 5d70994..cbee9e5 100644 --- a/5-wagent/build/Dockerfile +++ b/5-wagent/build/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:focal +FROM ubuntu:bionic #ENV VERSION=2.3.9 ENV DEBIAN_FRONTEND=noninteractive @@ -17,7 +17,7 @@ ARG IOTRONIC_HOME=/var/lib/iotronic RUN apt-get update \ && apt-get install nocache -y software-properties-common locales tzdata\ - && add-apt-repository -y cloud-archive:wallaby \ + && add-apt-repository -y cloud-archive:stein \ && apt-get update && apt-get -y dist-upgrade \ && apt-get install nocache -y build-essential python3-openstackclient \ python3 python3-all python3-dev python3-all-dev python3-setuptools \ @@ -74,8 +74,8 @@ RUN mkdir -p /etc/nginx/conf.d/iotronic \ COPY confs/mapping /etc/nginx/conf.d/iotronic/mapping COPY conf/iotronic.conf /etc/iotronic/ -RUN echo "stream { include conf.d/iotronic/mapping; }" > /etc/nginx/nginx.conf -RUN echo "include conf.d/iotronic/servers/*" > /etc/nginx/sites-enabled/default +RUN echo "stream { include conf.d/iotronic/mapping; }" >> /etc/nginx/nginx.conf +RUN echo "include conf.d/iotronic/servers/*" >> /etc/nginx/sites-enabled/default EXPOSE 443 diff --git a/5-wagent/build/build b/5-wagent/build/build index 40c7278..d7b9154 100755 --- a/5-wagent/build/build +++ b/5-wagent/build/build 
@@ -1,4 +1,4 @@ #! /bin/bash VERSION="smartme-test" -docker build -t smartmeio/smartme_test_iotronic_wagent:$VERSION . \ No newline at end of file +docker build -t smartmeio/s4t_iotronic_wagent:$VERSION . \ No newline at end of file diff --git a/5-wagent/build/conf/iotronic.conf b/5-wagent/build/conf/iotronic.conf index b6158bb..f587a2c 100644 --- a/5-wagent/build/conf/iotronic.conf +++ b/5-wagent/build/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ debug=True proxy=nginx @@ -30,7 +30,7 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://sme_t_test_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@s4t_iotronic_db/s4t_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-controller.smartme.io:5000 diff --git a/5-wagent/conf/iotronic.conf b/5-wagent/conf/iotronic.conf index b6158bb..f587a2c 100644 --- a/5-wagent/conf/iotronic.conf +++ b/5-wagent/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@smartme_test_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ debug=True proxy=nginx @@ -30,7 +30,7 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://sme_t_test_iotronic:IOTRONIC_DBPASS@smartme_test_iotronic_db/smartme_test_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@s4t_iotronic_db/s4t_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-controller.smartme.io:5000 From acb5f10ad72c5334d8fe4a9828409bde05e44532 Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:12:17 +0100 Subject: [PATCH 33/66] redefining entries in 6-ui stage --- 6-ui/build/Dockerfile-py3.dockerfile | 2 +- 6-ui/build/build | 2 +- 6-ui/build/build-py3 | 2 +- 6-ui/conf/local_settings.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/6-ui/build/Dockerfile-py3.dockerfile b/6-ui/build/Dockerfile-py3.dockerfile index 448ea5b..0a965e3 100644 --- a/6-ui/build/Dockerfile-py3.dockerfile +++ b/6-ui/build/Dockerfile-py3.dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:focal +FROM ubuntu:bionic ENV DEBIAN_FRONTEND=noninteractive diff --git a/6-ui/build/build b/6-ui/build/build index 778b763..fbf71d7 100755 --- a/6-ui/build/build +++ b/6-ui/build/build @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartmeio/smartme_test_iotronic_ui:$VERSION . +docker build -t smartmeio/s4t_iotronic_ui:$VERSION . diff --git a/6-ui/build/build-py3 b/6-ui/build/build-py3 index 43dbb70..16bc213 100755 --- a/6-ui/build/build-py3 +++ b/6-ui/build/build-py3 @@ -1,4 +1,4 @@ #! /bin/bash VERSION="latest" -docker build -t smartmeio/smartme_test_iotronic_ui_py3:$VERSION -f Dockerfile-py3.dockerfile . +docker build -t smartmeio/s4t_iotronic_ui_py3:$VERSION -f Dockerfile-py3.dockerfile . diff --git a/6-ui/conf/local_settings.py b/6-ui/conf/local_settings.py index d5b5ba3..c96eeb4 100644 --- a/6-ui/conf/local_settings.py +++ b/6-ui/conf/local_settings.py @@ -183,7 +183,7 @@ # ('http://cluster2.example.com:5000/v3', 'cluster2'), #] -OPENSTACK_HOST = "demo-test.smartme.io" +OPENSTACK_HOST = "demo-controller.smartme.io" OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" From 41f3e1556101de3b2c79a133e5e7e5166711854a Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:12:50 +0100 Subject: [PATCH 34/66] updating entries in controller YAML compose file --- docker-compose-controller.yml | 48 +++++++++++++++++------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 4288783..29b080f 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -1,23 +1,23 @@ version: '3.7' services: mariadb: - container_name: smartme_test_iotronic_db + container_name: s4t_iotronic_db restart: unless-stopped image: smartmeio/mariadb:focal environment: - MYSQL_ROOT_PASSWORD="smartme" volumes: - - 'smartme_test_iotronic_db_data:/var/lib/mysql' - - 'smartme_test_iotronic_db_config:/etc/mysql' + - 's4t_iotronic_db_data:/var/lib/mysql' + - 's4t_iotronic_db_config:/etc/mysql' ports: - '53306:3306' networks: - 'default' rabbitmq: - container_name: smartme_test_rabbitmq + container_name: s4t_rabbitmq restart: unless-stopped - image: smartmeio/rabbitmq:3.9.8 + image: smartmeio/s4t_rabbitmq:3.9.8 entrypoint: ["/bin/sh","-c"] environment: - RABBIT_PASS="smartme" @@ -31,9 +31,9 @@ services: - 'default' keystone: - container_name: smartme_test_keystone + container_name: s4t_keystone restart: unless-stopped - image: smartmeio/keystone-wallaby:1.0 + image: smartmeio/s4t_keystone:stein environment: - OS_PROJECT_DOMAIN_NAME=Default - OS_USER_DOMAIN_NAME=Default @@ -47,8 +47,8 @@ services: - ADMIN_PASS="smartme" - URL="https://demo-controller.smartme.io:5000/v3" volumes: - - smartme_test_keystone_config:/etc/keystone/ - - smartme_test_keystone_data:/var/lib/keystone/ + - s4t_keystone_config:/etc/keystone/ + - s4t_keystone_data:/var/lib/keystone/ - /var/log/keystone:/var/log/keystone - /var/log/keystone-api:/var/log/apache2 command: 
@@ -63,20 +63,20 @@ services: --bootstrap-internal-url $${URL} --bootstrap-public-url $${URL} --bootstrap-region-id RegionOne openstack project create --domain default --description "Service Project" service ports: - - '5001:5001' + - '5001:5000' networks: - 'default' conductor: - container_name: smartme_test_iotronic_conductor + container_name: s4t_iotronic_conductor restart: unless-stopped - image: smartmeio/conductor:latest + image: smartmeio/s4t_iotronic_conductor:latest environment: - URL="demo-test.smartme.io" - IOTRONIC_PASS="smartme" hostname: conductor volumes: - - smartme_test_iotronic_conductor_config:/etc/iotronic/ + - s4t_iotronic_conductor_config:/etc/iotronic/ - /var/log/iotronic-conductor:/var/log/iotronic command: - | @@ -98,19 +98,19 @@ services: volumes: - smartme_test_iotronic_db_data: - name: smartme_test_iotronic_db_data - smartme_test_iotronic_db_config: - name: smartme_test_iotronic_db_config - smartme_test_keystone_config: - name: smartme_test_keystone_config - smartme_test_keystone_data: - name: smartme_test_keystone_data - smartme_test_iotronic_conductor_config: - name: smartme_test_iotronic_conductor_config + s4t_iotronic_db_data: + name: s4t_iotronic_db_data + s4t_iotronic_db_config: + name: s4t_iotronic_db_config + s4t_keystone_config: + name: s4t_keystone_config + s4t_keystone_data: + name: s4t_keystone_data + s4t_iotronic_conductor_config: + name: s4t_iotronic_conductor_config networks: default: - name: smartme-controller-network + name: s4t-controller-network driver: 'bridge' \ No newline at end of file From 04f8e6dfabf795452d093b385ba69981a53d9363 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:13:52 +0100 Subject: [PATCH 35/66] removing command directives in controller YAML compose file --- docker-compose-controller.yml | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 29b080f..becf2ac 100644 
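Review bot: The conductor service still carries `- URL="demo-test.smartme.io"` while this commit moves every other reference to demo-controller.smartme.io, and its image is the floating `smartmeio/s4t_iotronic_conductor:latest`; the hostname looks like a leftover that should follow the rename, and the tag should match a fixed build version (as `smartmeio/s4t_keystone:stein` above does) so a redeploy does not silently pull a different image. The compose network is named `s4t-controller-network`, whereas the 2-keystone script in PATCH 28 starts its container on `--network=s4t_network`; if both deployment paths are meant to coexist, the names need to agree or the script-started keystone cannot resolve `s4t_iotronic_db`.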
--- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -21,10 +21,6 @@ services: entrypoint: ["/bin/sh","-c"] environment: - RABBIT_PASS="smartme" - command: - - | - rabbitmqctl add_user openstack $${RABBIT_PASS} - rabbitmqctl set_permissions openstack ".*" ".*" ".*" ports: - '5672:5672' networks: @@ -51,17 +47,6 @@ services: - s4t_keystone_data:/var/lib/keystone/ - /var/log/keystone:/var/log/keystone - /var/log/keystone-api:/var/log/apache2 - command: - - | - keystone-manage db_sync - echo "db_sync" - keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone - echo "fernet_setup" - keystone-manage credential_setup --keystone-user keystone --keystone-group keystone - echo "credential_setup" - keystone-manage bootstrap --bootstrap-password $${ADMIN_PASS} --bootstrap-admin-url ${{URL}} \ - --bootstrap-internal-url $${URL} --bootstrap-public-url $${URL} --bootstrap-region-id RegionOne - openstack project create --domain default --description "Service Project" service ports: - '5001:5000' networks: @@ -78,19 +63,6 @@ services: volumes: - s4t_iotronic_conductor_config:/etc/iotronic/ - /var/log/iotronic-conductor:/var/log/iotronic - command: - - | - openstack service create iot --name Iotronic - openstack user create --password $${IOTRONIC_PASS} iotronic - openstack role add --project service --user iotronic admin - openstack role create admin_iot_project - openstack role create manager_iot_project - openstack role create user_iot - openstack role add --project service --user iotronic admin_iot_project - openstack endpoint create --region RegionOne iot public $${URL} - openstack endpoint create --region RegionOne iot internal $${URL} - openstack endpoint create --region RegionOne iot admin $${URL} - openstack role add --project admin --user admin admin_iot_project ports: - '8813:8812' networks: From 75ed069a3611f02421f1513ff2321111eee29cb1 Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:14:17 +0100 Subject: [PATCH 36/66] updating entries in wagent YAML compose file --- docker-compose-wagent.yml | 46 +++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/docker-compose-wagent.yml b/docker-compose-wagent.yml index 62a25f3..a29a3ef 100644 --- a/docker-compose-wagent.yml +++ b/docker-compose-wagent.yml @@ -1,11 +1,11 @@ version: '3.7' services: crossbario: - container_name: smartme_test_iotronic_crossbar + container_name: s4t_iotronic_crossbar restart: unless-stopped - image: smartme_test_iotronic_crossbar:latest + image: smartmeio/s4t_iotronic_crossbar:latest volumes: - - 'smartme_test_crossbar_config:/node/.crossbar' + - 's4t_crossbar_config:/node/.crossbar' - /etc/ssl/iotronic/client_iotronic/:/node/.crossbar/ssl:ro ports: - '8181:8181' @@ -13,12 +13,12 @@ services: - 'default' wstun: - container_name: smartmeio_test_iotronic_wstun + container_name: s4t_iotronic_wstun restart: unless-stopped - image: smartmeio/smartmeio_test_iotronic_wstun:allowlist + image: smartmeio/s4t_iotronic_wstun:1.1.0 volumes: - '/etc/ssl/iotronic/client_iotronic:/var/lib/iotronic/ssl/:ro' - - './allowlist:/var/lib/wstun/allowlist:ro' + - './var/lib/wstun/allowlist:/var/lib/wstun/allowlist:ro' ports: - '8080:8080' - '50000-50100:50000-50100' 
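Review bot: `./var/lib/wstun/allowlist:/var/lib/wstun/allowlist:ro` is a path relative to the compose file's directory, so it resolves to `<compose-dir>/var/lib/wstun/allowlist`, which is unlikely to be where the allowlist lives; the previous `./allowlist` was at least alongside the compose file, and an absolute host path would read `/var/lib/wstun/allowlist:/var/lib/wstun/allowlist:ro`. When a bind-mount source is missing, Docker creates an empty directory there, and wstun would then be handed a directory as `-a/var/lib/wstun/allowlist`. PATCH 37 changes docker-compose-wagent.yml again but that hunk is not on this page, so confirm the final mount there.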
@@ -26,43 +26,43 @@ services: - 'default' wagent: - container_name: smartmeio_test_iotronic_wagent - image: smartmeio/smartmeio_test_iotronic_wagent:smartmeio-test + container_name: s4t_iotronic_wagent + image: smartmeio/s4t_iotronic_wagent:smartmeio-test restart: unless-stopped hostname: wagent1 ports: - '80:80' - '443:443' volumes: - - 'smartmeio_test_iotronic_wagent_config:/etc/iotronic/' - - 'smartmeio_test_iotronic_wagent_nginx:/etc/nginx/' + - 's4t_iotronic_wagent_config:/etc/iotronic/' + - 's4t_iotronic_wagent_nginx:/etc/nginx/' - '/var/log/iotronic-wagent:/var/log/iotronic' networks: - 'default' ui: - container_name: smartmeio_test_iotronic_ui - image: smartmeio/smartme_test_iotronic_ui:latest + container_name: s4t_iotronic_ui + image: smartmeio/s4t_iotronic_ui:latest restart: unless-stopped ports: - '8585:80' volumes: - - 'smartme_test_iotronic_ui_config:/etc/openstack-dashboard/' + - 's4t_iotronic_ui_config:/etc/openstack-dashboard/' - '/var/log/iotronic-ui:/var/log/apache2/' networks: - 'default' volumes: - smartmeio_test_iotronic_db_data: - name: smartmeio_test_iotronic_db_data - smartmeio_test_iotronic_db_config: - name: smartmeio_test_iotronic_db_config - smartmeio_test_iotronic_wagent_config: - name: smartmeio_test_iotronic_wagent_config - smartmeio_test_iotronic_wagent_nginx: - name: smartmeio_test_iotronic_wagent_nginx - smartme_test_iotronic_ui_config: - name: smartme_test_iotronic_ui_config + s4t_iotronic_db_data: + name: s4t_iotronic_db_data + s4t_iotronic_db_config: + name: s4t_iotronic_db_config + s4t_iotronic_wagent_config: + name: s4t_iotronic_wagent_config + s4t_iotronic_wagent_nginx: + name: s4t_iotronic_wagent_nginx + s4t_iotronic_ui_config: + name: s4t_iotronic_ui_config networks: default: From 0b006b3db004714a078a4a649c22b1dd0a8a7bcd Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:36:25 +0100 Subject: [PATCH 37/66] sharing allowlist hosts between wstun and wagent container in a clean way --- 5-wagent/build/Dockerfile | 2 ++ 5-wagent/build/conf/allowlist | 1 + 5-wagent/build/conf/iotronic.conf | 2 +- 5-wagent/conf/allowlist | 1 + docker-compose-wagent.yml | 5 ++++- 5 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 5-wagent/build/conf/allowlist create mode 100644 5-wagent/conf/allowlist diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile index cbee9e5..a7c20c6 100644 --- a/5-wagent/build/Dockerfile +++ b/5-wagent/build/Dockerfile @@ -57,6 +57,7 @@ RUN python3 setup.py install # RUN useradd -m -d /var/lib/iotronic iotronic RUN mkdir -p /var/log/iotronic \ + && mkdir /var/lib/wstun \ && touch /var/log/iotronic/iotronic-wagent.log \ && chown -R iotronic:iotronic /var/log/iotronic/ @@ -73,6 +74,7 @@ RUN mkdir -p /etc/nginx/conf.d/iotronic \ && mkdir -p /etc/nginx/conf.d/iotronic/upstreams COPY confs/mapping /etc/nginx/conf.d/iotronic/mapping COPY conf/iotronic.conf /etc/iotronic/ +COPY conf/allowlist /var/lib/wstun/ RUN echo "stream { include conf.d/iotronic/mapping; }" >> /etc/nginx/nginx.conf RUN echo "include conf.d/iotronic/servers/*" >> /etc/nginx/sites-enabled/default diff --git a/5-wagent/build/conf/allowlist b/5-wagent/build/conf/allowlist new file mode 100644 index 0000000..0637a08 --- /dev/null +++ b/5-wagent/build/conf/allowlist @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/5-wagent/build/conf/iotronic.conf b/5-wagent/build/conf/iotronic.conf index f587a2c..7cb299d 100644 --- a/5-wagent/build/conf/iotronic.conf +++ b/5-wagent/build/conf/iotronic.conf @@ -23,7 +23,7 @@ wamp_realm = s4t skip_cert_verify= True register_agent = True service_allow_list=True -service_allow_list_path="/etc/iotronic/allowlist" +service_allow_list_path="/var/lib/wstun/allowlist" [nginx] nginx_path=/etc/nginx/conf.d/iotronic 
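Review bot: The new `/var/lib/wstun` directory and the `COPY conf/allowlist` placed into it are created root-owned, while the `chown -R iotronic:iotronic` in the same `RUN` covers only `/var/log/iotronic/`; if the wagent process runs as `iotronic` and is the side expected to update the allowlist (this commit mounts the volume read-write on wagent and `:ro` on wstun), those writes will fail with a permission error. Extending the chown, `&& chown -R iotronic:iotronic /var/log/iotronic/ /var/lib/wstun`, or using `COPY --chown=iotronic:iotronic conf/allowlist /var/lib/wstun/`, covers both the directory and the seeded file. `mkdir /var/lib/wstun` without `-p` also makes the layer fail if the base image already provides that path. The `useradd` line in the context is commented out, so where the `iotronic` account is created is not visible in this hunk.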
diff --git a/5-wagent/conf/allowlist b/5-wagent/conf/allowlist new file mode 100644 index 0000000..0637a08 --- /dev/null +++ b/5-wagent/conf/allowlist @@ -0,0 +1 @@ +[] \ No newline at end of file diff --git a/docker-compose-wagent.yml b/docker-compose-wagent.yml index a29a3ef..890bfbb 100644 --- a/docker-compose-wagent.yml +++ b/docker-compose-wagent.yml @@ -18,7 +18,7 @@ services: image: smartmeio/s4t_iotronic_wstun:1.1.0 volumes: - '/etc/ssl/iotronic/client_iotronic:/var/lib/iotronic/ssl/:ro' - - './var/lib/wstun/allowlist:/var/lib/wstun/allowlist:ro' + - 's4t_iotronic_wagent_wstun:/var/lib/wstun:ro' ports: - '8080:8080' - '50000-50100:50000-50100' @@ -36,6 +36,7 @@ services: volumes: - 's4t_iotronic_wagent_config:/etc/iotronic/' - 's4t_iotronic_wagent_nginx:/etc/nginx/' + - 's4t_iotronic_wagent_wstun:/var/lib/wstun' - '/var/log/iotronic-wagent:/var/log/iotronic' networks: - 'default' @@ -63,6 +64,8 @@ volumes: name: s4t_iotronic_wagent_nginx s4t_iotronic_ui_config: name: s4t_iotronic_ui_config + s4t_iotronic_wagent_wstun: + name: s4t_iotronic_wagent_wstun networks: default: From 43b43947f01e7c727802a692d7e793356ba53843 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 16 Nov 2021 16:43:30 +0100 Subject: [PATCH 38/66] fixing latest entries just to be coherent with the new naming --- 2-keystone/2-keystone | 4 ++-- 3-conductor/3-conductor | 24 ++++++++++++------------ 4-iotronic-crossbar/4-crossbar | 8 ++++---- 4-iotronic-wstun/4-wstun | 6 +++--- 6-ui/6-ui | 12 ++++++------ 5 files changed, 27 insertions(+), 27 deletions(-) diff --git a/2-keystone/2-keystone b/2-keystone/2-keystone index fe6261e..677617d 100755 --- a/2-keystone/2-keystone +++ b/2-keystone/2-keystone @@ -6,7 +6,7 @@ # exit #fi -VERSION=1.0 +VERSION="stein" HOST="demo-controller.smartme.io" HTTPS=true 
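Review bot: The `s4t_iotronic_wagent_wstun` volume is mounted read-write on `wagent` and `:ro` on `wstun` in the first two compose hunks, but nothing in the file records which side owns the allowlist, so the `:ro` reads as arbitrary and is easy to drop in a later edit. A comment on the volume definition in the third hunk would pin the contract: `# allowlist is written by wagent; wstun only reads it, keep :ro on the wstun mount`. Named volumes are seeded from an image only while empty, so if `wstun` is created before `wagent` it may see whatever its own image has at `/var/lib/wstun` rather than the file wagent's image copies there; a `depends_on` on the wstun service (not visible in these hunks) would make that start order explicit.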
@@ -42,7 +42,7 @@ docker create \ -v s4t_keystone_data:/var/lib/keystone/ \ -v /var/log/keystone:/var/log/keystone \ -v /var/log/keystone-api:/var/log/apache2 \ -smartmeio/keystone-wallaby:$VERSION +smartmeio/s4t_keystone:$VERSION docker cp conf/keystone.conf s4t_keystone:/etc/keystone/ diff --git a/3-conductor/3-conductor b/3-conductor/3-conductor index b3f244b..43a19bd 100755 --- a/3-conductor/3-conductor +++ b/3-conductor/3-conductor 
@@ -3,28 +3,28 @@ VERSION="latest" docker create \ - --name=smartme_test_iotronic_conductor \ + --name=s4t_iotronic_conductor \ --restart unless-stopped\ - --network=smartme_test_network \ + --network=s4t_network \ --hostname conductor \ -p 8813:8812 \ - -v smartme_test_iotronic_conductor_config:/etc/iotronic/ \ + -v s4t_iotronic_conductor_config:/etc/iotronic/ \ -v /var/log/iotronic-conductor:/var/log/iotronic \ -smartme/smartme_test_iotronic_conductor:$VERSION +smartme/s4t_iotronic_conductor:$VERSION -docker cp conf/iotronic.conf smartme_test_iotronic_conductor:/etc/iotronic/ +docker cp conf/iotronic.conf s4t_iotronic_conductor:/etc/iotronic/ docker run --rm \ - --network=smartme_test_network \ - -v smartme_test_iotronic_conductor_config:/etc/iotronic/ \ + --network=s4t_network \ + -v s4t_iotronic_conductor_config:/etc/iotronic/ \ -v /var/log/iotronic-conductor:/var/log/iotronic \ -smartme/smartme_test_iotronic_conductor:$VERSION \ +smartme/s4t_iotronic_conductor:$VERSION \ /bin/sh -c "chown -R iotronic:iotronic /var/log/iotronic/" docker run --rm \ - --network=smartme_test_network \ - -v smartme_test_iotronic_conductor_config:/etc/iotronic/ \ + --network=s4t_network \ + -v s4t_iotronic_conductor_config:/etc/iotronic/ \ -v /var/log/iotronic-conductor:/var/log/iotronic \ -smartme/smartme_test_iotronic_conductor:$VERSION /bin/sh -c "iotronic-dbsync" +smartme/s4t_iotronic_conductor:$VERSION /bin/sh -c "iotronic-dbsync" -docker start smartme_test_iotronic_conductor \ No newline at end of file +docker start s4t_iotronic_conductor \ No newline at end of file diff --git a/4-iotronic-crossbar/4-crossbar b/4-iotronic-crossbar/4-crossbar index 5d1983b..200571c 100755 --- a/4-iotronic-crossbar/4-crossbar +++ b/4-iotronic-crossbar/4-crossbar 
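Review bot: The renamed image references keep the `smartme/` registry namespace (`smartme/s4t_iotronic_conductor:$VERSION` three times in this hunk, and `smartme/s4t_iotronic_ui:$VERSION` in the `6-ui/6-ui` hunk below), whereas `docker-compose-wagent.yml` and `4-iotronic-wstun/4-wstun` pull from `smartmeio/`; one of the two sets will either fail to pull or resolve to a differently published image than the compose deployment. Given the commit's stated purpose of naming coherence, `smartmeio/s4t_iotronic_conductor:$VERSION` and `smartmeio/s4t_iotronic_ui:$VERSION` look intended, unless these scripts deliberately target a separate local build. Both hunks also leave `docker start …` without a trailing newline.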
@@ -3,15 +3,15 @@ CERT_PATH="/etc/ssl/iotronic/client_iotronic/" docker create \ - --name=smartme_test_iotronic_crossbar \ + --name=s4t_iotronic_crossbar \ --network=host \ --restart unless-stopped\ -p 8181:8181 \ - -v felooca_test_crossbar_config:/node/.crossbar \ + -v s4t_crossbar_config:/node/.crossbar \ -v $CERT_PATH:/node/.crossbar/ssl:ro \ crossbario/crossbar:cpy3-20.2.1 -docker cp confs/config.json smartme_test_iotronic_crossbar:/node/.crossbar/ +docker cp confs/config.json s4t_iotronic_crossbar:/node/.crossbar/ -docker start felooca_test_iotronic_crossbar +docker start s4t_iotronic_crossbar diff --git a/4-iotronic-wstun/4-wstun b/4-iotronic-wstun/4-wstun index 5df9c6a..39a8ea6 100755 --- a/4-iotronic-wstun/4-wstun +++ b/4-iotronic-wstun/4-wstun @@ -5,16 +5,16 @@ CERT_PATH="/etc/ssl/iotronic/client_iotronic/" ALLOW_PATH="/var/lib/docker/volumes/felooca_test_iotronic_wagent_config/_data/allowlist" -docker build -t smartmeio/smartmeio_test_iotronic_wstun:$VERSION . +docker build -t smartmeio/s4t_iotronic_wstun:$VERSION . RANGE="50000-50100:50000-50100" docker run -d \ - --name=smartmeio_test_iotronic_wstun \ + --name=s4t_iotronic_wstun \ --network=host \ --restart unless-stopped\ -p 8080:8080 \ -p $RANGE \ -v $CERT_PATH:/var/lib/iotronic/ssl/:ro \ -v $ALLOW_PATH:/var/lib/wstun/allowlist:ro \ -smartmeio/smartmeio_test_iotronic_wstun:$VERSION \ No newline at end of file +smartmeio/s4t_iotronic_wstun:$VERSION \ No newline at end of file diff --git a/6-ui/6-ui b/6-ui/6-ui index f395045..ff656a2 100755 --- a/6-ui/6-ui +++ b/6-ui/6-ui 
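Review bot: `ALLOW_PATH` in the `4-iotronic-wstun/4-wstun` hunk still points at `/var/lib/docker/volumes/felooca_test_iotronic_wagent_config/_data/allowlist`, the old volume name and the location that the previous commit moved away from, so after this naming clean-up the wstun bind mount targets a path that no longer exists. Reaching into Docker's `_data` directory also bypasses the volume driver; replacing the `-v $ALLOW_PATH:/var/lib/wstun/allowlist:ro` line with `-v s4t_iotronic_wagent_wstun:/var/lib/wstun:ro` and dropping `ALLOW_PATH` keeps the script consistent with the compose file and preserves the read-only mount. The `$CERT_PATH` and `$ALLOW_PATH` expansions are unquoted, harmless for these literal values but worth quoting if the variables become configurable.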
@@ -2,14 +2,14 @@ VERSION="latest" docker create \ - --name=smartme_test_iotronic_ui \ + --name=s4t_iotronic_ui \ --restart unless-stopped\ - --network=smartme_test_network \ + --network=s4t_network \ -p 8585:80 \ - -v smartme_test_iotronic_ui_config:/etc/openstack-dashboard/ \ + -v s4t_iotronic_ui_config:/etc/openstack-dashboard/ \ -v /var/log/iotronic-ui:/var/log/apache2/ \ -smartme/smartme_test_iotronic_ui:$VERSION +smartme/s4t_iotronic_ui:$VERSION -docker cp conf/local_settings.py smartme_test_iotronic_ui:/etc/openstack-dashboard +docker cp conf/local_settings.py s4t_iotronic_ui:/etc/openstack-dashboard -docker start smartme_test_iotronic_ui \ No newline at end of file +docker start s4t_iotronic_ui \ No newline at end of file From 2332383b031035322f1cb4e47733caeeb9722b2f Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Sat, 20 Nov 2021 01:44:12 +0100 Subject: [PATCH 39/66] 2-keystone: major tweaks for build and setup * adding wget, curl vim and nano to base image * conf/ and scripts/ folder have been copied into build/ folder * restarting apache2 server in keystone-setup.sh script --- 2-keystone/build/Dockerfile | 6 +- 2-keystone/build/conf/adminrc | 8 + 2-keystone/build/conf/keystone.conf | 2715 ++++++++++++++++++++ 2-keystone/build/scripts/keystone-setup.sh | 36 + 2-keystone/scripts/keystone-setup.sh | 9 +- 5 files changed, 2770 insertions(+), 4 deletions(-) create mode 100644 2-keystone/build/conf/adminrc create mode 100644 2-keystone/build/conf/keystone.conf create mode 100644 2-keystone/build/scripts/keystone-setup.sh diff --git a/2-keystone/build/Dockerfile b/2-keystone/build/Dockerfile index ad3dc6f..9cbad2e 100644 --- a/2-keystone/build/Dockerfile +++ b/2-keystone/build/Dockerfile 
@@ -4,7 +4,7 @@ FROM ubuntu:bionic RUN : \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache software-properties-common \ - python3-openstackclient nano iputils-ping net-tools keystone \ + python3-openstackclient nano iputils-ping net-tools keystone wget curl vim nano \ && add-apt-repository -y cloud-archive:stein \ && apt-get update && apt-get -y dist-upgrade \ && apt-get clean \ @@ -26,6 +26,10 @@ COPY conf/keystone.conf /etc/keystone/ RUN chmod +x /usr/local/bin/keystone-setup +RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf + +RUN a2enconf server-name + VOLUME ["/etc/keystone"] VOLUME ["/var/log/keystone"] diff --git a/2-keystone/build/conf/adminrc b/2-keystone/build/conf/adminrc new file mode 100644 index 0000000..e68a5c4 --- /dev/null +++ b/2-keystone/build/conf/adminrc @@ -0,0 +1,8 @@ +OS_PROJECT_DOMAIN_NAME=Default +OS_USER_DOMAIN_NAME=Default +OS_PROJECT_NAME=admin +OS_USERNAME=admin +OS_PASSWORD=smartme +OS_AUTH_URL=https://demo-controller.smartme.io:5001/v3 +OS_IDENTITY_API_VERSION=3 +OS_IMAGE_API_VERSION=2 \ No newline at end of file diff --git a/2-keystone/build/conf/keystone.conf b/2-keystone/build/conf/keystone.conf new file mode 100644 index 0000000..eec8f3e --- /dev/null +++ b/2-keystone/build/conf/keystone.conf 
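Review bot: `nano` now appears twice in the `apt-get install` list of the first hunk (it was already listed before `keystone`), which apt tolerates but reads as a copy-paste slip; `… net-tools keystone wget curl vim \` is enough. The second hunk hard-codes `ServerName demo-controller` while `2-keystone/2-keystone` configures `HOST="demo-controller.smartme.io"`; if the image is meant to be reused, an `ARG SERVER_NAME=demo-controller` with `RUN echo "ServerName ${SERVER_NAME}" > /etc/apache2/conf-available/server-name.conf` avoids baking one deployment's host name into the layer. I cannot tell from the hunk whether the Apache vhost relies on this name beyond silencing the startup warning.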
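Review bot: `OS_PASSWORD=smartme` in the new `2-keystone/build/conf/adminrc` commits a cleartext admin credential to the repository, and since the description says `conf/` was copied into `build/` for the image, it presumably lands in an image layer readable by anyone who can pull the image; the same applies to the password embedded in `[database] connection` in the `keystone.conf` hunk that follows. Read these at run time instead, e.g. `OS_PASSWORD="${OS_PASSWORD:?set OS_PASSWORD in the environment}"` from the container environment or a mounted secret, and keep the committed file as a template with placeholders. Separately, none of the lines use `export`, so `source adminrc` sets shell variables that the `openstack` client will not see unless the sourcing script runs under `set -a`; prefix each line with `export` or document that requirement. How adminrc is consumed is not visible on this page.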
@@ -0,0 +1,2715 @@ +[DEFAULT] +debug = True +#log_config = /etc/keystone/logging.conf +log_dir = /var/log/keystone + +# +# From keystone +# + +# Using this feature is *NOT* recommended. Instead, use the `keystone-manage +# bootstrap` command. The value of this option is treated as a "shared secret" +# that can be used to bootstrap Keystone through the API. This "token" does not +# represent a user (it has no identity), and carries no explicit authorization +# (it effectively bypasses most authorization checks). If set to `None`, the +# value is ignored and the `admin_token` middleware is effectively disabled. +# (string value) +#admin_token = + +# The base public endpoint URL for Keystone that is advertised to clients +# (NOTE: this does NOT affect how Keystone listens for connections). Defaults +# to the base host URL of the request. For example, if keystone receives a +# request to `http://server:5000/v3/users`, then this will option will be +# automatically treated as `http://server:5000`. You should only need to set +# option if either the value of the base URL contains a path that keystone does +# not automatically infer (`/prefix/v3`), or if the endpoint should be found on +# a different host. (uri value) +#public_endpoint = + +# DEPRECATED: The base admin endpoint URL for Keystone that is advertised to +# clients (NOTE: this does NOT affect how Keystone listens for connections). +# Defaults to the base host URL of the request. For example, if keystone +# receives a request to `http://server:35357/v3/users`, then this will option +# will be automatically treated as `http://server:35357`. You should only need +# to set option if either the value of the base URL contains a path that +# keystone does not automatically infer (`/prefix/v3`), or if the endpoint +# should be found on a different host. (uri value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. 
+# Reason: With the removal of the 2.0 API keystone does not distinguish between +# admin and public endpoints. +#admin_endpoint = + +# Maximum depth of the project hierarchy, excluding the project acting as a +# domain at the top of the hierarchy. WARNING: Setting it to a large value may +# adversely impact performance. (integer value) +#max_project_tree_depth = 5 + +# Limit the sizes of user & project ID/names. (integer value) +#max_param_size = 64 + +# Similar to `[DEFAULT] max_param_size`, but provides an exception for token +# values. With Fernet tokens, this can be set as low as 255. With UUID tokens, +# this should be set to 32). (integer value) +#max_token_size = 255 + +# The maximum number of entities that will be returned in a collection. This +# global limit may be then overridden for a specific driver, by specifying a +# list_limit in the appropriate section (for example, `[assignment]`). No limit +# is set by default. In larger deployments, it is recommended that you set this +# to a reasonable number to prevent operations like listing all users and +# projects from placing an unnecessary load on the system. (integer value) +#list_limit = + +# If set to true, strict password length checking is performed for password +# manipulation. If a password exceeds the maximum length, the operation will +# fail with an HTTP 403 Forbidden error. If set to false, passwords are +# automatically truncated to the maximum length. (boolean value) +#strict_password_check = false + +# If set to true, then the server will return information in HTTP responses +# that may allow an unauthenticated or authenticated user to get more +# information than normal, such as additional details about why authentication +# failed. This may be useful for debugging but is insecure. (boolean value) +#insecure_debug = false + +# Default `publisher_id` for outgoing notifications. If left undefined, +# Keystone will default to using the server's host name. 
(string value) +#default_publisher_id = + +# Define the notification format for identity service events. A `basic` +# notification only has information about the resource being operated on. A +# `cadf` notification has the same information, as well as information about +# the initiator of the event. The `cadf` option is entirely backwards +# compatible with the `basic` option, but is fully CADF-compliant, and is +# recommended for auditing use cases. (string value) +# Possible values: +# basic - +# cadf - +#notification_format = cadf + +# You can reduce the number of notifications keystone emits by explicitly +# opting out. Keystone will not emit notifications that match the patterns +# expressed in this list. Values are expected to be in the form of +# `identity..`. By default, all notifications related +# to authentication are automatically suppressed. This field can be set +# multiple times in order to opt-out of multiple notification topics. For +# example, the following suppresses notifications describing user creation or +# successful authentication events: notification_opt_out=identity.user.create +# notification_opt_out=identity.authenticate.success (multi valued) +#notification_opt_out = identity.authenticate.success +#notification_opt_out = identity.authenticate.pending +#notification_opt_out = identity.authenticate.failed + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, log-date-format). 
(string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol +# which includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. 
This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is setto "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when +# the service was started) is used when scheduling the next rotation. (string +# value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. (integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message +# is DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. 
Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG +# or empty string. Logs with level greater or equal to rate_limit_except_level +# are not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. 
(boolean value) +#fatal_deprecations = false + +# +# From oslo.messaging +# + +# Size of RPC connection pool. (integer value) +#rpc_conn_pool_size = 30 + +# The pool size limit for connections expiration policy (integer value) +#conn_pool_min_size = 2 + +# The time-to-live in sec of idle connections in the pool (integer value) +#conn_pool_ttl = 1200 + +# Size of executor thread pool when executor is threading or eventlet. (integer +# value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# The network address and optional user credentials for connecting to the +# messaging backend, in URL format. The expected format is: +# +# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query +# +# Example: rabbit://rabbitmq:password@127.0.0.1:5672// +# +# For full details on the fields in the URL see the documentation of +# oslo_messaging.TransportURL at +# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html +# (string value) +#transport_url = rabbit:// + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = keystone + + +[access_rules_config] + +# +# From keystone +# + +# Entry point for the access rules config backend driver in the +# `keystone.access_rules_config` namespace. Keystone only provides a `json` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = json + +# Toggle for access rules caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache access rule data in seconds. This has no effect unless global +# caching is enabled. (integer value) +#cache_time = + +# Path to access rules configuration. 
If not present, no access rule +# configuration will be loaded and application credential access rules will be +# unavailable. (string value) +#rules_file = /etc/keystone/access_rules.json + +# Toggles permissive mode for access rules. When enabled, application +# credentials can be created with any access rules regardless of operator's +# configuration. (boolean value) +#permissive = false + + +[application_credential] + +# +# From keystone +# + +# Entry point for the application credential backend driver in the +# `keystone.application_credential` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for application credential caching. This has no effect unless global +# caching is enabled. (boolean value) +#caching = true + +# Time to cache application credential data in seconds. This has no effect +# unless global caching is enabled. (integer value) +#cache_time = + +# Maximum number of application credentials a user is permitted to create. A +# value of -1 means unlimited. If a limit is not set, users are permitted to +# create application credentials at will, which could lead to bloat in the +# keystone database or open keystone to a DoS attack. (integer value) +#user_limit = -1 + + +[assignment] + +# +# From keystone +# + +# Entry point for the assignment backend driver (where role assignments are +# stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied +# by keystone itself. Unless you are writing proprietary drivers for keystone, +# you do not need to set this option. (string value) +#driver = sql + +# A list of role names which are prohibited from being an implied role. (list +# value) +#prohibited_implied_role = admin + + +[auth] + +# +# From keystone +# + +# Allowed authentication methods. Note: You should disable the `external` auth +# method if you are currently using federation. 
External auth and federation +# both use the REMOTE_USER variable. Since both the mapped and external plugin +# are being invoked to validate attributes in the request environment, it can +# cause conflicts. (list value) +#methods = external,password,token,oauth1,mapped,application_credential + +# Entry point for the password auth plugin module in the +# `keystone.auth.password` namespace. You do not need to set this unless you +# are overriding keystone's own password authentication plugin. (string value) +#password = + +# Entry point for the token auth plugin module in the `keystone.auth.token` +# namespace. You do not need to set this unless you are overriding keystone's +# own token authentication plugin. (string value) +#token = + +# Entry point for the external (`REMOTE_USER`) auth plugin module in the +# `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and +# `Domain`. The default driver is `DefaultDomain`, which assumes that all users +# identified by the username specified to keystone in the `REMOTE_USER` +# variable exist within the context of the default domain. The `Domain` option +# expects an additional environment variable be presented to keystone, +# `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if +# `REMOTE_DOMAIN` is not set, then the default domain will be used instead). +# You do not need to set this unless you are taking advantage of "external +# authentication", where the application server (such as Apache) is handling +# authentication instead of keystone. (string value) +#external = + +# Entry point for the OAuth 1.0a auth plugin module in the +# `keystone.auth.oauth1` namespace. You do not need to set this unless you are +# overriding keystone's own `oauth1` authentication plugin. (string value) +#oauth1 = + +# Entry point for the mapped auth plugin module in the `keystone.auth.mapped` +# namespace. 
You do not need to set this unless you are overriding keystone's +# own `mapped` authentication plugin. (string value) +#mapped = + +# Entry point for the application_credential auth plugin module in the +# `keystone.auth.application_credential` namespace. You do not need to set this +# unless you are overriding keystone's own `application_credential` +# authentication plugin. (string value) +#application_credential = + + +[cache] + +# +# From oslo.cache +# + +# Prefix for building the configuration dictionary for the cache region. This +# should not need to be changed unless there is another dogpile.cache region +# with the same configuration name. (string value) +#config_prefix = cache.oslo + +# Default TTL, in seconds, for any cached item in the dogpile.cache region. +# This applies to any cached method that doesn't have an explicit cache +# expiration time defined for it. (integer value) +#expiration_time = 600 + +# Cache backend module. For eventlet-based or environments with hundreds of +# threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is +# recommended. For environments with less than 100 threaded servers, Memcached +# (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test +# environments with a single instance of the server can use the +# dogpile.cache.memory backend. (string value) +# Possible values: +# oslo_cache.memcache_pool - +# oslo_cache.dict - +# oslo_cache.mongo - +# oslo_cache.etcd3gw - +# dogpile.cache.memcached - +# dogpile.cache.pylibmc - +# dogpile.cache.bmemcached - +# dogpile.cache.dbm - +# dogpile.cache.redis - +# dogpile.cache.memory - +# dogpile.cache.memory_pickle - +# dogpile.cache.null - +#backend = dogpile.cache.null + +# Arguments supplied to the backend module. Specify this option once per +# argument to be passed to the dogpile.cache backend. Example format: +# ":". 
(multi valued) +#backend_argument = + +# Proxy classes to import that will affect the way the dogpile.cache backend +# functions. See the dogpile.cache documentation on changing-backend-behavior. +# (list value) +#proxies = + +# Global toggle for caching. (boolean value) +#enabled = true + +# Extra debugging from the cache backend (cache keys, get/set/delete/etc +# calls). This is only really useful if you need to see the specific cache- +# backend get/set/delete calls with the keys/values. Typically this should be +# left set to false. (boolean value) +#debug_cache_backend = false + +# Memcache servers in the format of "host:port". (dogpile.cache.memcache and +# oslo_cache.memcache_pool backends only). (list value) +#memcache_servers = localhost:11211 + +# Number of seconds memcached server is considered dead before it is tried +# again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only). +# (integer value) +#memcache_dead_retry = 300 + +# Timeout in seconds for every call to a server. (dogpile.cache.memcache and +# oslo_cache.memcache_pool backends only). (floating point value) +#memcache_socket_timeout = 3.0 + +# Max total number of open connections to every memcached server. +# (oslo_cache.memcache_pool backend only). (integer value) +#memcache_pool_maxsize = 10 + +# Number of seconds a connection to memcached is held unused in the pool before +# it is closed. (oslo_cache.memcache_pool backend only). (integer value) +#memcache_pool_unused_timeout = 60 + +# Number of seconds that an operation will wait to get a memcache client +# connection. (integer value) +#memcache_pool_connection_get_timeout = 10 + + +[catalog] + +# +# From keystone +# + +# Absolute path to the file used for the templated catalog backend. This option +# is only used if the `[catalog] driver` is set to `templated`. (string value) +#template_file = default_catalog.templates + +# Entry point for the catalog driver in the `keystone.catalog` namespace. 
+# Keystone provides a `sql` option (which supports basic CRUD operations +# through SQL), a `templated` option (which loads the catalog from a templated +# catalog file on disk), and a `endpoint_filter.sql` option (which supports +# arbitrary service catalogs per project). (string value) +#driver = sql + +# Toggle for catalog caching. This has no effect unless global caching is +# enabled. In a typical deployment, there is no reason to disable this. +# (boolean value) +#caching = true + +# Time to cache catalog data (in seconds). This has no effect unless global and +# catalog caching are both enabled. Catalog data (services, endpoints, etc.) +# typically does not change frequently, and so a longer duration than the +# global default may be desirable. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a catalog collection. +# There is typically no reason to set this, as it would be unusual for a +# deployment to have enough services or endpoints to exceed a reasonable limit. +# (integer value) +#list_limit = + + +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,Openstack-Auth-Receipt + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,PUT,POST,DELETE,PATCH + +# Indicate which header field names may be used during the actual request. 
+# (list value) +#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name,Openstack-Auth-Receipt + + +[credential] + +# +# From keystone +# + +# Entry point for the credential backend driver in the `keystone.credential` +# namespace. Keystone only provides a `sql` driver, so there's no reason to +# change this unless you are providing a custom entry point. (string value) +#driver = sql + +# Entry point for credential encryption and decryption operations in the +# `keystone.credential.provider` namespace. Keystone only provides a `fernet` +# driver, so there's no reason to change this unless you are providing a custom +# entry point to encrypt and decrypt credentials. (string value) +#provider = fernet + +# Directory containing Fernet keys used to encrypt and decrypt credentials +# stored in the credential backend. Fernet keys used to encrypt credentials +# have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets +# of keys should be managed separately and require different rotation policies. +# Do not share this repository with the repository used to manage keys for +# Fernet tokens. (string value) +#key_repository = /etc/keystone/credential-keys/ + + +[database] +connection = mysql+pymysql://s4t_keystone:sm3d3m0n@s4t_iotronic_db:3306/s4t_keystone + +# +# From oslo.db +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. 
+# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Connections which have been present in the connection pool longer than this +# number of seconds will be replaced with a new one the next time they are +# checked out from the pool. (integer value) +# Deprecated group/name - [DATABASE]/idle_timeout +# Deprecated group/name - [database]/idle_timeout +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#connection_recycle_time = 3600 + +# DEPRECATED: Minimum number of SQL connections to keep open in a pool. +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: The option to set the minimum pool size is not supported by +# sqlalchemy. +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of +# 0 indicates no limit. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. 
(integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + +# Optional URL parameters to append onto the connection URL at connect time; +# specify as param1=value1¶m2=value2&... (string value) +#connection_parameters = + + +[domain_config] + +# +# From keystone +# + +# Entry point for the domain-specific configuration driver in the +# `keystone.resource.domain_config` namespace. 
Only a `sql` option is provided +# by keystone, so there is no reason to set this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Toggle for caching of the domain-specific configuration backend. This has no +# effect unless global caching is enabled. There is normally no reason to +# disable this. (boolean value) +#caching = true + +# Time-to-live (TTL, in seconds) to cache domain-specific configuration data. +# This has no effect unless `[domain_config] caching` is enabled. (integer +# value) +#cache_time = 300 + + +[endpoint_filter] + +# +# From keystone +# + +# Entry point for the endpoint filter driver in the `keystone.endpoint_filter` +# namespace. Only a `sql` option is provided by keystone, so there is no reason +# to set this unless you are providing a custom entry point. (string value) +#driver = sql + +# This controls keystone's behavior if the configured endpoint filters do not +# result in any endpoints for a user + project pair (and therefore a +# potentially empty service catalog). If set to true, keystone will return the +# entire service catalog. If set to false, keystone will return an empty +# service catalog. (boolean value) +#return_all_endpoints_if_no_filter = true + + +[endpoint_policy] + +# +# From keystone +# + +# Entry point for the endpoint policy driver in the `keystone.endpoint_policy` +# namespace. Only a `sql` driver is provided by keystone, so there is no reason +# to set this unless you are providing a custom entry point. (string value) +#driver = sql + + +[eventlet_server] + +# +# From keystone +# + +# DEPRECATED: The IP address of the network interface for the public service to +# listen on. (host address value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/public_bind_host +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. 
+# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#public_bind_host = 0.0.0.0 + +# DEPRECATED: The port number for the public service to listen on. (port value) +# Minimum value: 0 +# Maximum value: 65535 +# Deprecated group/name - [DEFAULT]/public_port +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#public_port = 5000 + +# DEPRECATED: The IP address of the network interface for the admin service to +# listen on. (host address value) +# Deprecated group/name - [DEFAULT]/bind_host +# Deprecated group/name - [DEFAULT]/admin_bind_host +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#admin_bind_host = 0.0.0.0 + +# DEPRECATED: The port number for the admin service to listen on. (port value) +# Minimum value: 0 +# Maximum value: 65535 +# Deprecated group/name - [DEFAULT]/admin_port +# This option is deprecated for removal since K. +# Its value may be silently ignored in the future. +# Reason: Support for running keystone under eventlet has been removed in the +# Newton release. These options remain for backwards compatibility because they +# are used for URL substitutions. +#admin_port = 35357 + + +[extra_headers] +Distribution = Ubuntu + +# +# From keystone +# + +# Specifies the distribution of the keystone server. 
(string value) +#Distribution = Ubuntu + + +[federation] + +# +# From keystone +# + +# Entry point for the federation backend driver in the `keystone.federation` +# namespace. Keystone only provides a `sql` driver, so there is no reason to +# set this option unless you are providing a custom entry point. (string value) +#driver = sql + +# Prefix to use when filtering environment variable names for federated +# assertions. Matched variables are passed into the federated mapping engine. +# (string value) +#assertion_prefix = + +# Value to be used to obtain the entity ID of the Identity Provider from the +# environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For +# `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, +# this could be `MELLON_IDP`. (string value) +#remote_id_attribute = + +# An arbitrary domain name that is reserved to allow federated ephemeral users +# to have a domain concept. Note that an admin will not be able to create a +# domain with this name or update an existing domain to this name. You are not +# advised to change this value unless you really have to. (string value) +#federated_domain_name = Federated + +# A list of trusted dashboard hosts. Before accepting a Single Sign-On request +# to return a token, the origin host must be a member of this list. This +# configuration option may be repeated for multiple values. You must set this +# in order to use web-based SSO flows. For example: +# trusted_dashboard=https://acme.example.com/auth/websso +# trusted_dashboard=https://beta.example.com/auth/websso (multi valued) +#trusted_dashboard = + +# Absolute path to an HTML file used as a Single Sign-On callback handler. This +# page is expected to redirect the user from keystone back to a trusted +# dashboard host, by form encoding a token in a POST request. Keystone's +# default value should be sufficient for most deployments. 
(string value) +#sso_callback_template = /etc/keystone/sso_callback_template.html + +# Toggle for federation caching. This has no effect unless global caching is +# enabled. There is typically no reason to disable this. (boolean value) +#caching = true + + +[fernet_receipts] + +# +# From keystone +# + +# Directory containing Fernet receipt keys. This directory must exist before +# using `keystone-manage fernet_setup` for the first time, must be writable by +# the user running `keystone-manage fernet_setup` or `keystone-manage +# fernet_rotate`, and of course must be readable by keystone's server process. +# The repository may contain keys in one of three states: a single staged key +# (always index 0) used for receipt validation, a single primary key (always +# the highest index) used for receipt creation and validation, and any number +# of secondary keys (all other index values) used for receipt validation. With +# multiple keystone nodes, each node must share the same key repository +# contents, with the exception of the staged key (index 0). It is safe to run +# `keystone-manage fernet_rotate` once on any one node to promote a staged key +# (index 0) to be the new primary (incremented from the previous highest +# index), and produce a new staged key (a new key with index 0); the resulting +# repository can then be atomically replicated to other nodes without any risk +# of race conditions (for example, it is safe to run `keystone-manage +# fernet_rotate` on host A, wait any amount of time, create a tarball of the +# directory on host A, unpack it on host B to a temporary location, and +# atomically move (`mv`) the directory into place on host B). Running +# `keystone-manage fernet_rotate` *twice* on a key repository without syncing +# other nodes will result in receipts that can not be validated by all nodes. 
+# (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by `keystone-manage +# fernet_rotate` before they are discarded. The default value of 3 means that +# keystone will maintain one staged key (always index 0), one primary key (the +# highest numerical index), and one secondary key (every other index). +# Increasing this value means that additional secondary keys will be kept in +# the rotation. (integer value) +# Minimum value: 1 +#max_active_keys = 3 + + +[fernet_tokens] + +# +# From keystone +# + +# Directory containing Fernet token keys. This directory must exist before +# using `keystone-manage fernet_setup` for the first time, must be writable by +# the user running `keystone-manage fernet_setup` or `keystone-manage +# fernet_rotate`, and of course must be readable by keystone's server process. +# The repository may contain keys in one of three states: a single staged key +# (always index 0) used for token validation, a single primary key (always the +# highest index) used for token creation and validation, and any number of +# secondary keys (all other index values) used for token validation. With +# multiple keystone nodes, each node must share the same key repository +# contents, with the exception of the staged key (index 0). It is safe to run +# `keystone-manage fernet_rotate` once on any one node to promote a staged key +# (index 0) to be the new primary (incremented from the previous highest +# index), and produce a new staged key (a new key with index 0); the resulting +# repository can then be atomically replicated to other nodes without any risk +# of race conditions (for example, it is safe to run `keystone-manage +# fernet_rotate` on host A, wait any amount of time, create a tarball of the +# directory on host A, unpack it on host B to a temporary location, and +# atomically move (`mv`) the directory into place on host B). 
Running +# `keystone-manage fernet_rotate` *twice* on a key repository without syncing +# other nodes will result in tokens that can not be validated by all nodes. +# (string value) +#key_repository = /etc/keystone/fernet-keys/ + +# This controls how many keys are held in rotation by `keystone-manage +# fernet_rotate` before they are discarded. The default value of 3 means that +# keystone will maintain one staged key (always index 0), one primary key (the +# highest numerical index), and one secondary key (every other index). +# Increasing this value means that additional secondary keys will be kept in +# the rotation. (integer value) +# Minimum value: 1 +#max_active_keys = 3 + + +[healthcheck] + +# +# From oslo.middleware +# + +# DEPRECATED: The path to respond to healtcheck requests on. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#path = /healthcheck + +# Show more detailed information as part of the response. Security note: +# Enabling this option may expose sensitive details about the service being +# monitored. Be sure to verify that it will not violate your security policies. +# (boolean value) +#detailed = false + +# Additional backends that can perform health checks and report that +# information back as part of a request. (list value) +#backends = + +# Check the presence of a file to determine if an application is running on a +# port. Used by DisableByFileHealthcheck plugin. (string value) +#disable_by_file_path = + +# Check the presence of a file based on a port to determine if an application +# is running on a port. Expects a "port:path" list of strings. Used by +# DisableByFilesPortsHealthcheck plugin. (list value) +#disable_by_file_paths = + + +[identity] + +# +# From keystone +# + +# This references the domain to use for all Identity API v2 requests (which are +# not aware of domains). A domain with this ID can optionally be created for +# you by `keystone-manage bootstrap`. 
The domain referenced by this ID cannot +# be deleted on the v3 API, to prevent accidentally breaking the v2 API. There +# is nothing special about this domain, other than the fact that it must exist +# to order to maintain support for your v2 clients. There is typically no +# reason to change this value. (string value) +#default_domain_id = default + +# A subset (or all) of domains can have their own identity driver, each with +# their own partial configuration options, stored in either the resource +# backend or in a file in a domain configuration directory (depending on the +# setting of `[identity] domain_configurations_from_database`). Only values +# specific to the domain need to be specified in this manner. This feature is +# disabled by default, but may be enabled by default in a future release; set +# to true to enable. (boolean value) +#domain_specific_drivers_enabled = false + +# By default, domain-specific configuration data is read from files in the +# directory identified by `[identity] domain_config_dir`. Enabling this +# configuration option allows you to instead manage domain-specific +# configurations through the API, which are then persisted in the backend +# (typically, a SQL database), rather than using configuration files on disk. +# (boolean value) +#domain_configurations_from_database = false + +# Absolute path where keystone should locate domain-specific `[identity]` +# configuration files. This option has no effect unless `[identity] +# domain_specific_drivers_enabled` is set to true. There is typically no reason +# to change this value. (string value) +#domain_config_dir = /etc/keystone/domains + +# Entry point for the identity backend driver in the `keystone.identity` +# namespace. Keystone provides a `sql` and `ldap` driver. 
This option is also +# used as the default driver selection (along with the other configuration +# variables in this section) in the event that `[identity] +# domain_specific_drivers_enabled` is enabled, but no applicable domain- +# specific configuration is defined for the domain in question. Unless your +# deployment primarily relies on `ldap` AND is not using domain-specific +# configuration, you should typically leave this set to `sql`. (string value) +#driver = sql + +# Toggle for identity caching. This has no effect unless global caching is +# enabled. There is typically no reason to disable this. (boolean value) +#caching = true + +# Time to cache identity data (in seconds). This has no effect unless global +# and identity caching are enabled. (integer value) +#cache_time = 600 + +# Maximum allowed length for user passwords. Decrease this value to improve +# performance. Changing this value does not effect existing passwords. (integer +# value) +# Maximum value: 4096 +#max_password_length = 4096 + +# Maximum number of entities that will be returned in an identity collection. +# (integer value) +#list_limit = + +# The password hashing algorithm to use for passwords stored within keystone. +# (string value) +# Possible values: +# bcrypt - +# scrypt - +# pbkdf2_sha512 - +#password_hash_algorithm = bcrypt + +# This option represents a trade off between security and performance. Higher +# values lead to slower performance, but higher security. Changing this option +# will only affect newly created passwords as existing password hashes already +# have a fixed number of rounds applied, so it is safe to tune this option in a +# running cluster. The default for bcrypt is 12, must be between 4 and 31, +# inclusive. The default for scrypt is 16, must be within `range(1,32)`. The +# default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING: +# If using scrypt, increasing this value increases BOTH time AND memory +# requirements to hash a password. 
(integer value) +#password_hash_rounds = + +# Optional block size to pass to scrypt hash function (the `r` parameter). +# Useful for tuning scrypt to optimal performance for your CPU architecture. +# This option is only used when the `password_hash_algorithm` option is set to +# `scrypt`. Defaults to 8. (integer value) +#scrypt_block_size = + +# Optional parallelism to pass to scrypt hash function (the `p` parameter). +# This option is only used when the `password_hash_algorithm` option is set to +# `scrypt`. Defaults to 1. (integer value) +#scrypt_parallelism = + +# Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for +# scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a +# maximum of 96 bytes due to the size of the column used to store password +# hashes. (integer value) +# Minimum value: 0 +# Maximum value: 96 +#salt_bytesize = + + +[identity_mapping] + +# +# From keystone +# + +# Entry point for the identity mapping backend driver in the +# `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` +# driver, so there is no reason to change this unless you are providing a +# custom entry point. (string value) +#driver = sql + +# Entry point for the public ID generator for user and group entities in the +# `keystone.identity.id_generator` namespace. The Keystone identity mapper only +# supports generators that produce 64 bytes or less. Keystone only provides a +# `sha256` entry point, so there is no reason to change this value unless +# you're providing a custom entry point. (string value) +#generator = sha256 + +# The format of user and group IDs changed in Juno for backends that do not +# generate UUIDs (for example, LDAP), with keystone providing a hash mapping to +# the underlying attribute in LDAP. By default this mapping is disabled, which +# ensures that existing IDs will not change. 
Even when the mapping is enabled +# by using domain-specific drivers (`[identity] +# domain_specific_drivers_enabled`), any users and groups from the default +# domain being handled by LDAP will still not be mapped to ensure their IDs +# remain backward compatible. Setting this value to false will enable the new +# mapping for all backends, including the default LDAP driver. It is only +# guaranteed to be safe to enable this option if you do not already have +# assignments for users and groups from the default LDAP domain, and you +# consider it to be acceptable for Keystone to provide the different IDs to +# clients than it did previously (existing IDs in the API will suddenly +# change). Typically this means that the only time you can set this value to +# false is when configuring a fresh installation, although that is the +# recommended value. (boolean value) +#backward_compatible_ids = true + + +[jwt_tokens] + +# +# From keystone +# + +# Directory containing public keys for validating JWS token signatures. This +# directory must exist in order for keystone's server process to start. It must +# also be readable by keystone's server process. It must contain at least one +# public key that corresponds to a private key in `keystone.conf [jwt_tokens] +# jws_private_key_repository`. This option is only applicable in deployments +# issuing JWS tokens and setting `keystone.conf [tokens] provider = jws`. +# (string value) +#jws_public_key_repository = /etc/keystone/jws-keys/public + +# Directory containing private keys for signing JWS tokens. This directory must +# exist in order for keystone's server process to start. It must also be +# readable by keystone's server process. It must contain at least one private +# key that corresponds to a public key in `keystone.conf [jwt_tokens] +# jws_public_key_repository`. In the event there are multiple private keys in +# this directory, keystone will use a key named `private.pem` to sign tokens. 
+# In the future, keystone may support the ability to sign tokens with multiple +# private keys. For now, only a key named `private.pem` within this directory +# is required to issue JWS tokens. This option is only applicable in +# deployments issuing JWS tokens and setting `keystone.conf [tokens] provider = +# jws`. (string value) +#jws_private_key_repository = /etc/keystone/jws-keys/private + + +[ldap] + +# +# From keystone +# + +# URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified +# as a comma separated string. The first URL to successfully bind is used for +# the connection. (string value) +#url = ldap://localhost + +# The user name of the administrator bind DN to use when querying the LDAP +# server, if your LDAP server requires it. (string value) +#user = + +# The password of the administrator bind DN to use when querying the LDAP +# server, if your LDAP server requires it. (string value) +#password = + +# The default LDAP server suffix to use, if a DN is not defined via either +# `[ldap] user_tree_dn` or `[ldap] group_tree_dn`. (string value) +#suffix = cn=example,cn=com + +# The search scope which defines how deep to search within the search base. A +# value of `one` (representing `oneLevel` or `singleLevel`) indicates a search +# of objects immediately below to the base object, but does not include the +# base object itself. A value of `sub` (representing `subtree` or +# `wholeSubtree`) indicates a search of both the base object itself and the +# entire subtree below it. (string value) +# Possible values: +# one - +# sub - +#query_scope = one + +# Defines the maximum number of results per page that keystone should request +# from the LDAP server when listing objects. A value of zero (`0`) disables +# paging. (integer value) +# Minimum value: 0 +#page_size = 0 + +# The LDAP dereferencing option to use for queries involving aliases. 
A value +# of `default` falls back to using default dereferencing behavior configured by +# your `ldap.conf`. A value of `never` prevents aliases from being dereferenced +# at all. A value of `searching` dereferences aliases only after name +# resolution. A value of `finding` dereferences aliases only during name +# resolution. A value of `always` dereferences aliases in all cases. (string +# value) +# Possible values: +# never - +# searching - +# always - +# finding - +# default - +#alias_dereferencing = default + +# Sets the LDAP debugging level for LDAP calls. A value of 0 means that +# debugging is not enabled. This value is a bitmask, consult your LDAP +# documentation for possible values. (integer value) +# Minimum value: -1 +#debug_level = + +# Sets keystone's referral chasing behavior across directory partitions. If +# left unset, the system's default behavior will be used. (boolean value) +#chase_referrals = + +# The search base to use for users. Defaults to the `[ldap] suffix` value. +# (string value) +#user_tree_dn = + +# The LDAP search filter to use for users. (string value) +#user_filter = + +# The LDAP object class to use for users. (string value) +#user_objectclass = inetOrgPerson + +# The LDAP attribute mapped to user IDs in keystone. This must NOT be a +# multivalued attribute. User IDs are expected to be globally unique across +# keystone domains and URL-safe. (string value) +#user_id_attribute = cn + +# The LDAP attribute mapped to user names in keystone. User names are expected +# to be unique only within a keystone domain and are not expected to be URL- +# safe. (string value) +#user_name_attribute = sn + +# The LDAP attribute mapped to user descriptions in keystone. (string value) +#user_description_attribute = description + +# The LDAP attribute mapped to user emails in keystone. (string value) +#user_mail_attribute = mail + +# The LDAP attribute mapped to user passwords in keystone. 
(string value) +#user_pass_attribute = userPassword + +# The LDAP attribute mapped to the user enabled attribute in keystone. If +# setting this option to `userAccountControl`, then you may be interested in +# setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well. +# (string value) +#user_enabled_attribute = enabled + +# Logically negate the boolean value of the enabled attribute obtained from the +# LDAP server. Some LDAP servers use a boolean lock attribute where "true" +# means an account is disabled. Setting `[ldap] user_enabled_invert = true` +# will allow these lock attributes to be used. This option will have no effect +# if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` +# options are in use. (boolean value) +#user_enabled_invert = false + +# Bitmask integer to select which bit indicates the enabled value if the LDAP +# server represents "enabled" as a bit on an integer rather than as a discrete +# boolean. A value of `0` indicates that the mask is not used. If this is not +# set to `0` the typical value is `2`. This is typically used when `[ldap] +# user_enabled_attribute = userAccountControl`. Setting this option causes +# keystone to ignore the value of `[ldap] user_enabled_invert`. (integer value) +# Minimum value: 0 +#user_enabled_mask = 0 + +# The default value to enable users. This should match an appropriate integer +# value if the LDAP server uses non-boolean (bitmask) values to indicate if a +# user is enabled or disabled. If this is not set to `True`, then the typical +# value is `512`. This is typically used when `[ldap] user_enabled_attribute = +# userAccountControl`. (string value) +#user_enabled_default = True + +# List of user attributes to ignore on create and update, or whether a specific +# user attribute should be filtered for list or show user. (list value) +#user_attribute_ignore = default_project_id + +# The LDAP attribute mapped to a user's default_project_id in keystone. 
This is
+# most commonly used when keystone has write access to LDAP. (string value)
+#user_default_project_id_attribute =
+
+# If enabled, keystone uses an alternative method to determine if a user is
+# enabled or not by checking if they are a member of the group defined by the
+# `[ldap] user_enabled_emulation_dn` option. Enabling this option causes
+# keystone to ignore the value of `[ldap] user_enabled_invert`. (boolean value)
+#user_enabled_emulation = false
+
+# DN of the group entry to hold enabled users when using enabled emulation.
+# Setting this option has no effect unless `[ldap] user_enabled_emulation` is
+# also enabled. (string value)
+#user_enabled_emulation_dn =
+
+# Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass`
+# settings to determine membership in the emulated enabled group. Enabling this
+# option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
+# (boolean value)
+#user_enabled_emulation_use_group_config = false
+
+# A list of LDAP attribute to keystone user attribute pairs used for mapping
+# additional attributes to users in keystone. The expected format is
+# `:`, where `ldap_attr` is the attribute in the LDAP
+# object and `user_attr` is the attribute which should appear in the identity
+# API. (list value)
+#user_additional_attribute_mapping =
+
+# The search base to use for groups. Defaults to the `[ldap] suffix` value.
+# (string value)
+#group_tree_dn =
+
+# The LDAP search filter to use for groups. (string value)
+#group_filter =
+
+# The LDAP object class to use for groups. If setting this option to
+# `posixGroup`, you may also be interested in enabling the `[ldap]
+# group_members_are_ids` option. (string value)
+#group_objectclass = groupOfNames
+
+# The LDAP attribute mapped to group IDs in keystone. This must NOT be a
+# multivalued attribute. Group IDs are expected to be globally unique across
+# keystone domains and URL-safe.
(string value)
+#group_id_attribute = cn
+
+# The LDAP attribute mapped to group names in keystone. Group names are
+# expected to be unique only within a keystone domain and are not expected to
+# be URL-safe. (string value)
+#group_name_attribute = ou
+
+# The LDAP attribute used to indicate that a user is a member of the group.
+# (string value)
+#group_member_attribute = member
+
+# Enable this option if the members of the group object class are keystone user
+# IDs rather than LDAP DNs. This is the case when using `posixGroup` as the
+# group object class in Open Directory. (boolean value)
+#group_members_are_ids = false
+
+# The LDAP attribute mapped to group descriptions in keystone. (string value)
+#group_desc_attribute = description
+
+# List of group attributes to ignore on create and update. or whether a
+# specific group attribute should be filtered for list or show group. (list
+# value)
+#group_attribute_ignore =
+
+# A list of LDAP attribute to keystone group attribute pairs used for mapping
+# additional attributes to groups in keystone. The expected format is
+# `:`, where `ldap_attr` is the attribute in the LDAP
+# object and `group_attr` is the attribute which should appear in the identity
+# API. (list value)
+#group_additional_attribute_mapping =
+
+# If enabled, group queries will use Active Directory specific filters for
+# nested groups. (boolean value)
+#group_ad_nesting = false
+
+# An absolute path to a CA certificate file to use when communicating with LDAP
+# servers. This option will take precedence over `[ldap] tls_cacertdir`, so
+# there is no reason to set both. (string value)
+#tls_cacertfile =
+
+# An absolute path to a CA certificate directory to use when communicating with
+# LDAP servers. There is no reason to set this option if you've also set
+# `[ldap] tls_cacertfile`. (string value)
+#tls_cacertdir =
+
+# Enable TLS when communicating with LDAP servers.
You should also set the
+# `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this
+# option. Do not set this option if you are using LDAP over SSL (LDAPS) instead
+# of TLS. (boolean value)
+#use_tls = false
+
+# Specifies which checks to perform against client certificates on incoming TLS
+# sessions. If set to `demand`, then a certificate will always be requested and
+# required from the LDAP server. If set to `allow`, then a certificate will
+# always be requested but not required from the LDAP server. If set to `never`,
+# then a certificate will never be requested. (string value)
+# Possible values:
+# demand -
+# never -
+# allow -
+#tls_req_cert = demand
+
+# The connection timeout to use with the LDAP server. A value of `-1` means
+# that connections will never timeout. (integer value)
+# Minimum value: -1
+#connection_timeout = -1
+
+# Enable LDAP connection pooling for queries to the LDAP server. There is
+# typically no reason to disable this. (boolean value)
+#use_pool = true
+
+# The size of the LDAP connection pool. This option has no effect unless
+# `[ldap] use_pool` is also enabled. (integer value)
+# Minimum value: 1
+#pool_size = 10
+
+# The maximum number of times to attempt reconnecting to the LDAP server before
+# aborting. A value of zero prevents retries. This option has no effect unless
+# `[ldap] use_pool` is also enabled. (integer value)
+# Minimum value: 0
+#pool_retry_max = 3
+
+# The number of seconds to wait before attempting to reconnect to the LDAP
+# server. This option has no effect unless `[ldap] use_pool` is also enabled.
+# (floating point value)
+#pool_retry_delay = 0.1
+
+# The connection timeout to use when pooling LDAP connections. A value of `-1`
+# means that connections will never timeout. This option has no effect unless
+# `[ldap] use_pool` is also enabled. (integer value)
+# Minimum value: -1
+#pool_connection_timeout = -1
+
+# The maximum connection lifetime to the LDAP server in seconds.
When this
+# lifetime is exceeded, the connection will be unbound and removed from the
+# connection pool. This option has no effect unless `[ldap] use_pool` is also
+# enabled. (integer value)
+# Minimum value: 1
+#pool_connection_lifetime = 600
+
+# Enable LDAP connection pooling for end user authentication. There is
+# typically no reason to disable this. (boolean value)
+#use_auth_pool = true
+
+# The size of the connection pool to use for end user authentication. This
+# option has no effect unless `[ldap] use_auth_pool` is also enabled. (integer
+# value)
+# Minimum value: 1
+#auth_pool_size = 100
+
+# The maximum end user authentication connection lifetime to the LDAP server in
+# seconds. When this lifetime is exceeded, the connection will be unbound and
+# removed from the connection pool. This option has no effect unless `[ldap]
+# use_auth_pool` is also enabled. (integer value)
+# Minimum value: 1
+#auth_pool_connection_lifetime = 60
+
+
+[memcache]
+
+#
+# From keystone
+#
+
+# Number of seconds memcached server is considered dead before it is tried
+# again. This is used by the key value store system. (integer value)
+#dead_retry = 300
+
+# Timeout in seconds for every call to a server. This is used by the key value
+# store system. (integer value)
+#socket_timeout = 3
+
+# Max total number of open connections to every memcached server. This is used
+# by the key value store system. (integer value)
+#pool_maxsize = 10
+
+# Number of seconds a connection to memcached is held unused in the pool before
+# it is closed. This is used by the key value store system. (integer value)
+#pool_unused_timeout = 60
+
+# Number of seconds that an operation will wait to get a memcache client
+# connection. This is used by the key value store system. (integer value)
+#pool_connection_get_timeout = 10
+
+
+[oauth1]
+
+#
+# From keystone
+#
+
+# Entry point for the OAuth backend driver in the `keystone.oauth1` namespace.
+# Typically, there is no reason to set this option unless you are providing a
+# custom entry point. (string value)
+#driver = sql
+
+# Number of seconds for the OAuth Request Token to remain valid after being
+# created. This is the amount of time the user has to authorize the token.
+# Setting this option to zero means that request tokens will last forever.
+# (integer value)
+# Minimum value: 0
+#request_token_duration = 28800
+
+# Number of seconds for the OAuth Access Token to remain valid after being
+# created. This is the amount of time the consumer has to interact with the
+# service provider (which is typically keystone). Setting this option to zero
+# means that access tokens will last forever. (integer value)
+# Minimum value: 0
+#access_token_duration = 86400
+
+
+[oslo_messaging_amqp]
+
+#
+# From oslo.messaging
+#
+
+# Name for the AMQP container. must be globally unique. Defaults to a generated
+# UUID (string value)
+#container_name =
+
+# Timeout for inactive connections (in seconds) (integer value)
+#idle_timeout = 0
+
+# Debug: dump AMQP frames to stdout (boolean value)
+#trace = false
+
+# Attempt to connect via SSL. If no other ssl-related parameters are given, it
+# will use the system's CA-bundle to verify the server's certificate. (boolean
+# value)
+#ssl = false
+
+# CA certificate PEM file used to verify the server's certificate (string
+# value)
+#ssl_ca_file =
+
+# Self-identifying certificate PEM file for client authentication (string
+# value)
+#ssl_cert_file =
+
+# Private key PEM file used to sign ssl_cert_file certificate (optional)
+# (string value)
+#ssl_key_file =
+
+# Password for decrypting ssl_key_file (if encrypted) (string value)
+#ssl_key_password =
+
+# By default SSL checks that the name in the server's certificate matches the
+# hostname in the transport_url.
In some configurations it may be preferable to
+# use the virtual hostname instead, for example if the server uses the Server
+# Name Indication TLS extension (rfc6066) to provide a certificate per virtual
+# host. Set ssl_verify_vhost to True if the server's SSL certificate uses the
+# virtual host name instead of the DNS name. (boolean value)
+#ssl_verify_vhost = false
+
+# Space separated list of acceptable SASL mechanisms (string value)
+#sasl_mechanisms =
+
+# Path to directory that contains the SASL configuration (string value)
+#sasl_config_dir =
+
+# Name of configuration file (without .conf suffix) (string value)
+#sasl_config_name =
+
+# SASL realm to use if no realm present in username (string value)
+#sasl_default_realm =
+
+# Seconds to pause before attempting to re-connect. (integer value)
+# Minimum value: 1
+#connection_retry_interval = 1
+
+# Increase the connection_retry_interval by this many seconds after each
+# unsuccessful failover attempt. (integer value)
+# Minimum value: 0
+#connection_retry_backoff = 2
+
+# Maximum limit for connection_retry_interval + connection_retry_backoff
+# (integer value)
+# Minimum value: 1
+#connection_retry_interval_max = 30
+
+# Time to pause between re-connecting an AMQP 1.0 link that failed due to a
+# recoverable error. (integer value)
+# Minimum value: 1
+#link_retry_delay = 10
+
+# The maximum number of attempts to re-send a reply message which failed due to
+# a recoverable error. (integer value)
+# Minimum value: -1
+#default_reply_retry = 0
+
+# The deadline for an rpc reply message delivery. (integer value)
+# Minimum value: 5
+#default_reply_timeout = 30
+
+# The deadline for an rpc cast or call message delivery. Only used when caller
+# does not provide a timeout expiry. (integer value)
+# Minimum value: 5
+#default_send_timeout = 30
+
+# The deadline for a sent notification message delivery. Only used when caller
+# does not provide a timeout expiry.
(integer value)
+# Minimum value: 5
+#default_notify_timeout = 30
+
+# The duration to schedule a purge of idle sender links. Detach link after
+# expiry. (integer value)
+# Minimum value: 1
+#default_sender_link_timeout = 600
+
+# Indicates the addressing mode used by the driver.
+# Permitted values:
+# 'legacy' - use legacy non-routable addressing
+# 'routable' - use routable addresses
+# 'dynamic' - use legacy addresses if the message bus does not support routing
+# otherwise use routable addressing (string value)
+#addressing_mode = dynamic
+
+# Enable virtual host support for those message buses that do not natively
+# support virtual hosting (such as qpidd). When set to true the virtual host
+# name will be added to all message bus addresses, effectively creating a
+# private 'subnet' per virtual host. Set to False if the message bus supports
+# virtual hosting using the 'hostname' field in the AMQP 1.0 Open performative
+# as the name of the virtual host. (boolean value)
+#pseudo_vhost = true
+
+# address prefix used when sending to a specific server (string value)
+#server_request_prefix = exclusive
+
+# address prefix used when broadcasting to all servers (string value)
+#broadcast_prefix = broadcast
+
+# address prefix when sending to any server in group (string value)
+#group_request_prefix = unicast
+
+# Address prefix for all generated RPC addresses (string value)
+#rpc_address_prefix = openstack.org/om/rpc
+
+# Address prefix for all generated Notification addresses (string value)
+#notify_address_prefix = openstack.org/om/notify
+
+# Appended to the address prefix when sending a fanout message. Used by the
+# message bus to identify fanout messages. (string value)
+#multicast_address = multicast
+
+# Appended to the address prefix when sending to a particular RPC/Notification
+# server. Used by the message bus to identify messages sent to a single
+# destination.
(string value)
+#unicast_address = unicast
+
+# Appended to the address prefix when sending to a group of consumers. Used by
+# the message bus to identify messages that should be delivered in a round-
+# robin fashion across consumers. (string value)
+#anycast_address = anycast
+
+# Exchange name used in notification addresses.
+# Exchange name resolution precedence:
+# Target.exchange if set
+# else default_notification_exchange if set
+# else control_exchange if set
+# else 'notify' (string value)
+#default_notification_exchange =
+
+# Exchange name used in RPC addresses.
+# Exchange name resolution precedence:
+# Target.exchange if set
+# else default_rpc_exchange if set
+# else control_exchange if set
+# else 'rpc' (string value)
+#default_rpc_exchange =
+
+# Window size for incoming RPC Reply messages. (integer value)
+# Minimum value: 1
+#reply_link_credit = 200
+
+# Window size for incoming RPC Request messages (integer value)
+# Minimum value: 1
+#rpc_server_credit = 100
+
+# Window size for incoming Notification messages (integer value)
+# Minimum value: 1
+#notify_server_credit = 100
+
+# Send messages of this type pre-settled.
+# Pre-settled messages will not receive acknowledgement
+# from the peer. Note well: pre-settled messages may be
+# silently discarded if the delivery fails.
+# Permitted values:
+# 'rpc-call' - send RPC Calls pre-settled
+# 'rpc-reply'- send RPC Replies pre-settled
+# 'rpc-cast' - Send RPC Casts pre-settled
+# 'notify' - Send Notifications pre-settled
+# (multi valued)
+#pre_settled = rpc-cast
+#pre_settled = rpc-reply
+
+
+[oslo_messaging_kafka]
+
+#
+# From oslo.messaging
+#
+
+# Max fetch bytes of Kafka consumer (integer value)
+#kafka_max_fetch_bytes = 1048576
+
+# Default timeout(s) for Kafka consumers (floating point value)
+#kafka_consumer_timeout = 1.0
+
+# DEPRECATED: Pool Size for Kafka Consumers (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#pool_size = 10
+
+# DEPRECATED: The pool size limit for connections expiration policy (integer
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#conn_pool_min_size = 2
+
+# DEPRECATED: The time-to-live in sec of idle connections in the pool (integer
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#conn_pool_ttl = 1200
+
+# Group id for Kafka consumer. Consumers in one group will coordinate message
+# consumption (string value)
+#consumer_group = oslo_messaging_consumer
+
+# Upper bound on the delay for KafkaProducer batching in seconds (floating
+# point value)
+#producer_batch_timeout = 0.0
+
+# Size of batch for the producer async send (integer value)
+#producer_batch_size = 16384
+
+# Enable asynchronous consumer commits (boolean value)
+#enable_auto_commit = false
+
+# The maximum number of records returned in a poll call (integer value)
+#max_poll_records = 500
+
+# Protocol used to communicate with brokers (string value)
+# Possible values:
+# PLAINTEXT -
+# SASL_PLAINTEXT -
+# SSL -
+# SASL_SSL -
+#security_protocol = PLAINTEXT
+
+# Mechanism when security protocol is SASL (string value)
+#sasl_mechanism = PLAIN
+
+# CA certificate PEM file used to verify the server certificate (string value)
+#ssl_cafile =
+
+
+[oslo_messaging_notifications]
+
+#
+# From oslo.messaging
+#
+
+# The Drivers(s) to handle sending notifications. Possible values are
+# messaging, messagingv2, routing, log, test, noop (multi valued)
+# Deprecated group/name - [DEFAULT]/notification_driver
+#driver =
+
+# A URL representing the messaging driver to use for notifications. If not set,
+# we fall back to the same configuration used for RPC.
(string value)
+# Deprecated group/name - [DEFAULT]/notification_transport_url
+#transport_url =
+
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+# Deprecated group/name - [DEFAULT]/notification_topics
+#topics = notifications
+
+# The maximum number of attempts to re-send a notification message which failed
+# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
+# (integer value)
+#retry = -1
+
+
+[oslo_messaging_rabbit]
+
+#
+# From oslo.messaging
+#
+
+# Use durable queues in AMQP. (boolean value)
+#amqp_durable_queues = false
+
+# Auto-delete queues in AMQP. (boolean value)
+#amqp_auto_delete = false
+
+# Connect over SSL. (boolean value)
+# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl
+#ssl = false
+
+# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
+# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
+# distributions. (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version
+#ssl_version =
+
+# SSL key file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile
+#ssl_key_file =
+
+# SSL cert file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile
+#ssl_cert_file =
+
+# SSL certification authority file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs
+#ssl_ca_file =
+
+# How long to wait before reconnecting in response to an AMQP consumer cancel
+# notification. (floating point value)
+#kombu_reconnect_delay = 1.0
+
+# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
+# be used. This option may not be available in future versions. (string value)
+#kombu_compression =
+
+# How long to wait a missing client before abandoning to send it its replies.
+# This value should not be longer than rpc_response_timeout. (integer value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout
+#kombu_missing_consumer_retry_timeout = 60
+
+# Determines how the next RabbitMQ node is chosen in case the one we are
+# currently connected to becomes unavailable. Takes effect only if more than
+# one RabbitMQ node is provided in config. (string value)
+# Possible values:
+# round-robin -
+# shuffle -
+#kombu_failover_strategy = round-robin
+
+# The RabbitMQ login method. (string value)
+# Possible values:
+# PLAIN -
+# AMQPLAIN -
+# RABBIT-CR-DEMO -
+#rabbit_login_method = AMQPLAIN
+
+# How frequently to retry connecting with RabbitMQ. (integer value)
+#rabbit_retry_interval = 1
+
+# How long to backoff for between retries when connecting to RabbitMQ. (integer
+# value)
+#rabbit_retry_backoff = 2
+
+# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
+# (integer value)
+#rabbit_interval_max = 30
+
+# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
+# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
+# is no longer controlled by the x-ha-policy argument when declaring a queue.
+# If you just want to make sure that all queues (except those with auto-
+# generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy
+# HA '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
+#rabbit_ha_queues = false
+
+# Positive integer representing duration in seconds for queue TTL (x-expires).
+# Queues which are unused for the duration of the TTL are automatically
+# deleted. The parameter affects only reply and fanout queues. (integer value)
+# Minimum value: 1
+#rabbit_transient_queues_ttl = 1800
+
+# Specifies the number of messages to prefetch. Setting to zero allows
+# unlimited messages.
(integer value)
+#rabbit_qos_prefetch_count = 0
+
+# Number of seconds after which the Rabbit broker is considered down if
+# heartbeat's keep-alive fails (0 disable the heartbeat). EXPERIMENTAL (integer
+# value)
+#heartbeat_timeout_threshold = 60
+
+# How often times during the heartbeat_timeout_threshold we check the
+# heartbeat. (integer value)
+#heartbeat_rate = 2
+
+
+[oslo_middleware]
+
+#
+# From oslo.middleware
+#
+
+# The maximum body size for each request, in bytes. (integer value)
+# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
+# Deprecated group/name - [DEFAULT]/max_request_body_size
+#max_request_body_size = 114688
+
+# DEPRECATED: The HTTP Header that will be used to determine what the original
+# request protocol scheme was, even if it was hidden by a SSL termination
+# proxy. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+# Whether the application is behind a proxy or not. This determines if the
+# middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# This option controls whether or not to enforce scope when evaluating
+# policies. If ``True``, the scope of the token used in the request is compared
+# to the ``scope_types`` of the policy being enforced. If the scopes do not
+# match, an ``InvalidScope`` exception will be raised. If ``False``, a message
+# will be logged informing operators that policies are being invoked with
+# mismatching scope. (boolean value)
+#enforce_scope = false
+
+# The file that defines policies. (string value)
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored.
They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+#policy_dirs = policy.d
+
+# Content Type to send and receive data for REST based policy check (string
+# value)
+# Possible values:
+# application/x-www-form-urlencoded -
+# application/json -
+#remote_content_type = application/x-www-form-urlencoded
+
+# server identity verification for REST based policy check (boolean value)
+#remote_ssl_verify_server_crt = false
+
+# Absolute path to ca cert file for REST based policy check (string value)
+#remote_ssl_ca_crt_file =
+
+# Absolute path to client cert for REST based policy check (string value)
+#remote_ssl_client_crt_file =
+
+# Absolute path client key file REST based policy check (string value)
+#remote_ssl_client_key_file =
+
+
+[policy]
+
+#
+# From keystone
+#
+
+# Entry point for the policy backend driver in the `keystone.policy` namespace.
+# Supplied drivers are `rules` (which does not support any CRUD operations for
+# the v3 policy API) and `sql`. Typically, there is no reason to set this
+# option unless you are providing a custom entry point. (string value)
+#driver = sql
+
+# Maximum number of entities that will be returned in a policy collection.
+# (integer value)
+#list_limit =
+
+
+[profiler]
+
+#
+# From osprofiler
+#
+
+#
+# Enable the profiling for all services on this node.
+#
+# Default value is False (fully disable the profiling feature).
+#
+# Possible values:
+#
+# * True: Enables the feature
+# * False: Disables the feature. The profiling cannot be started via this
+# project
+# operations. If the profiling is triggered by another project, this project
+# part will be empty.
+# (boolean value)
+# Deprecated group/name - [profiler]/profiler_enabled
+#enabled = false
+
+#
+# Enable SQL requests profiling in services.
+#
+# Default value is False (SQL requests won't be traced).
+#
+# Possible values:
+#
+# * True: Enables SQL requests profiling. Each SQL query will be part of the
+# trace and can the be analyzed by how much time was spent for that.
+# * False: Disables SQL requests profiling. The spent time is only shown on a
+# higher level of operations. Single SQL queries cannot be analyzed this way.
+# (boolean value)
+#trace_sqlalchemy = false
+
+#
+# Secret key(s) to use for encrypting context data for performance profiling.
+#
+# This string value should have the following format:
+# [,,...],
+# where each key is some random string. A user who triggers the profiling via
+# the REST API has to set one of these keys in the headers of the REST API call
+# to include profiling results of this node for this particular project.
+#
+# Both "enabled" flag and "hmac_keys" config options should be set to enable
+# profiling. Also, to generate correct profiling information across all
+# services
+# at least one key needs to be consistent between OpenStack projects. This
+# ensures it can be used from client side to generate the trace, containing
+# information from all possible resources.
+# (string value)
+#hmac_keys = SECRET_KEY
+
+#
+# Connection string for a notifier backend.
+#
+# Default value is ``messaging://`` which sets the notifier to oslo_messaging.
+#
+# Examples of possible values:
+#
+# * ``messaging://`` - use oslo_messaging driver for sending spans.
+# * ``redis://127.0.0.1:6379`` - use redis driver for sending spans.
+# * ``mongodb://127.0.0.1:27017`` - use mongodb driver for sending spans.
+# * ``elasticsearch://127.0.0.1:9200`` - use elasticsearch driver for sending
+# spans.
+# * ``jaeger://127.0.0.1:6831`` - use jaeger tracing as driver for sending
+# spans.
+# (string value)
+#connection_string = messaging://
+
+#
+# Document type for notification indexing in elasticsearch.
+# (string value)
+#es_doc_type = notification
+
+#
+# This parameter is a time value parameter (for example: es_scroll_time=2m),
+# indicating for how long the nodes that participate in the search will
+# maintain
+# relevant resources in order to continue and support it.
+# (string value)
+#es_scroll_time = 2m
+
+#
+# Elasticsearch splits large requests in batches. This parameter defines
+# maximum size of each batch (for example: es_scroll_size=10000).
+# (integer value)
+#es_scroll_size = 10000
+
+#
+# Redissentinel provides a timeout option on the connections.
+# This parameter defines that timeout (for example: socket_timeout=0.1).
+# (floating point value)
+#socket_timeout = 0.1
+
+#
+# Redissentinel uses a service name to identify a master redis service.
+# This parameter defines the name (for example:
+# ``sentinal_service_name=mymaster``).
+# (string value)
+#sentinel_service_name = mymaster
+
+#
+# Enable filter traces that contain error/exception to a separated place.
+#
+# Default value is set to False.
+#
+# Possible values:
+#
+# * True: Enable filter traces that contain error/exception.
+# * False: Disable the filter.
+# (boolean value)
+#filter_error_trace = false
+
+
+[receipt]
+
+#
+# From keystone
+#
+
+# The amount of time that a receipt should remain valid (in seconds). This
+# value should always be very short, as it represents how long a user has to
+# reattempt auth with the missing auth methods. (integer value)
+# Minimum value: 0
+# Maximum value: 86400
+#expiration = 300
+
+# Entry point for the receipt provider in the `keystone.receipt.provider`
+# namespace. The receipt provider controls the receipt construction and
+# validation operations. Keystone includes just the `fernet` receipt provider
+# for now. `fernet` receipts do not need to be persisted at all, but require
+# that you run `keystone-manage fernet_setup` (also see the `keystone-manage
+# fernet_rotate` command).
(string value)
+#provider = fernet
+
+# Toggle for caching receipt creation and validation data. This has no effect
+# unless global caching is enabled, or if cache_on_issue is disabled as we only
+# cache receipts on issue. (boolean value)
+#caching = true
+
+# The number of seconds to cache receipt creation and validation data. This has
+# no effect unless both global and `[receipt] caching` are enabled. (integer
+# value)
+# Minimum value: 0
+#cache_time = 300
+
+# Enable storing issued receipt data to receipt validation cache so that first
+# receipt validation doesn't actually cause full validation cycle. This option
+# has no effect unless global caching and receipt caching are enabled. (boolean
+# value)
+#cache_on_issue = true
+
+
+[resource]
+
+#
+# From keystone
+#
+
+# DEPRECATED: Entry point for the resource driver in the `keystone.resource`
+# namespace. Only a `sql` driver is supplied by keystone. Unless you are
+# writing proprietary drivers for keystone, you do not need to set this option.
+# (string value)
+# This option is deprecated for removal since P.
+# Its value may be silently ignored in the future.
+# Reason: Non-SQL resource cannot be used with SQL Identity and has been unable
+# to be used since Ocata. SQL Resource backend is a requirement as of Pike.
+# Setting this option no longer has an effect on how Keystone operates.
+#driver = sql
+
+# Toggle for resource caching. This has no effect unless global caching is
+# enabled. (boolean value)
+# Deprecated group/name - [assignment]/caching
+#caching = true
+
+# Time to cache resource data in seconds. This has no effect unless global
+# caching is enabled. (integer value)
+# Deprecated group/name - [assignment]/cache_time
+#cache_time =
+
+# Maximum number of entities that will be returned in a resource collection.
+# (integer value)
+# Deprecated group/name - [assignment]/list_limit
+#list_limit =
+
+# Name of the domain that owns the `admin_project_name`.
If left unset, then
+# there is no admin project. `[resource] admin_project_name` must also be set
+# to use this option. (string value)
+#admin_project_domain_name =
+
+# This is a special project which represents cloud-level administrator
+# privileges across services. Tokens scoped to this project will contain a true
+# `is_admin_project` attribute to indicate to policy systems that the role
+# assignments on that specific project should apply equally across every
+# project. If left unset, then there is no admin project, and thus no explicit
+# means of cross-project role assignments. `[resource]
+# admin_project_domain_name` must also be set to use this option. (string
+# value)
+#admin_project_name =
+
+# This controls whether the names of projects are restricted from containing
+# URL-reserved characters. If set to `new`, attempts to create or update a
+# project with a URL-unsafe name will fail. If set to `strict`, attempts to
+# scope a token with a URL-unsafe project name will fail, thereby forcing all
+# project names to be updated to be URL-safe. (string value)
+# Possible values:
+# off -
+# new -
+# strict -
+#project_name_url_safe = off
+
+# This controls whether the names of domains are restricted from containing
+# URL-reserved characters. If set to `new`, attempts to create or update a
+# domain with a URL-unsafe name will fail. If set to `strict`, attempts to
+# scope a token with a URL-unsafe domain name will fail, thereby forcing all
+# domain names to be updated to be URL-safe. (string value)
+# Possible values:
+# off -
+# new -
+# strict -
+#domain_name_url_safe = off
+
+
+[revoke]
+
+#
+# From keystone
+#
+
+# Entry point for the token revocation backend driver in the `keystone.revoke`
+# namespace. Keystone only provides a `sql` driver, so there is no reason to
+# set this option unless you are providing a custom entry point.
(string value) +#driver = sql + +# The number of seconds after a token has expired before a corresponding +# revocation event may be purged from the backend. (integer value) +# Minimum value: 0 +#expiration_buffer = 1800 + +# Toggle for revocation event caching. This has no effect unless global caching +# is enabled. (boolean value) +#caching = true + +# Time to cache the revocation list and the revocation events (in seconds). +# This has no effect unless global and `[revoke] caching` are both enabled. +# (integer value) +# Deprecated group/name - [token]/revocation_cache_time +#cache_time = 3600 + + +[role] + +# +# From keystone +# + +# Entry point for the role backend driver in the `keystone.role` namespace. +# Keystone only provides a `sql` driver, so there's no reason to change this +# unless you are providing a custom entry point. (string value) +#driver = + +# Toggle for role caching. This has no effect unless global caching is enabled. +# In a typical deployment, there is no reason to disable this. (boolean value) +#caching = true + +# Time to cache role data, in seconds. This has no effect unless both global +# caching and `[role] caching` are enabled. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. This +# may be useful to tune if you have a large number of discrete roles in your +# deployment. (integer value) +#list_limit = + + +[saml] + +# +# From keystone +# + +# Determines the lifetime for any SAML assertions generated by keystone, using +# `NotOnOrAfter` attributes. (integer value) +#assertion_expiration_time = 3600 + +# Name of, or absolute path to, the binary to be used for XML signing. Although +# only the XML Security Library (`xmlsec1`) is supported, it may have a non- +# standard name or path on your system. 
If keystone cannot find the binary +# itself, you may need to install the appropriate package, use this option to +# specify an absolute path, or adjust keystone's PATH environment variable. +# (string value) +#xmlsec1_binary = xmlsec1 + +# Absolute path to the public certificate file to use for SAML signing. The +# value cannot contain a comma (`,`). (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Absolute path to the private key file to use for SAML signing. The value +# cannot contain a comma (`,`). (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# This is the unique entity identifier of the identity provider (keystone) to +# use when generating SAML assertions. This value is required to generate +# identity provider metadata and must be a URI (a URL is recommended). For +# example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`. (uri +# value) +#idp_entity_id = + +# This is the single sign-on (SSO) service location of the identity provider +# which accepts HTTP POST requests. A value is required to generate identity +# provider metadata. For example: `https://keystone.example.com/v3/OS- +# FEDERATION/saml2/sso`. (uri value) +#idp_sso_endpoint = + +# This is the language used by the identity provider's organization. (string +# value) +#idp_lang = en + +# This is the name of the identity provider's organization. (string value) +#idp_organization_name = SAML Identity Provider + +# This is the name of the identity provider's organization to be displayed. +# (string value) +#idp_organization_display_name = OpenStack SAML Identity Provider + +# This is the URL of the identity provider's organization. The URL referenced +# here should be useful to humans. (uri value) +#idp_organization_url = https://example.com/ + +# This is the company name of the identity provider's contact person. (string +# value) +#idp_contact_company = Example, Inc. + +# This is the given name of the identity provider's contact person. 
(string +# value) +#idp_contact_name = SAML Identity Provider Support + +# This is the surname of the identity provider's contact person. (string value) +#idp_contact_surname = Support + +# This is the email address of the identity provider's contact person. (string +# value) +#idp_contact_email = support@example.com + +# This is the telephone number of the identity provider's contact person. +# (string value) +#idp_contact_telephone = +1 800 555 0100 + +# This is the type of contact that best describes the identity provider's +# contact person. (string value) +# Possible values: +# technical - +# support - +# administrative - +# billing - +# other - +#idp_contact_type = other + +# Absolute path to the identity provider metadata file. This file should be +# generated with the `keystone-manage saml_idp_metadata` command. There is +# typically no reason to change this value. (string value) +#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml + +# The prefix of the RelayState SAML attribute to use when generating enhanced +# client and proxy (ECP) assertions. In a typical deployment, there is no +# reason to change this value. (string value) +#relay_state_prefix = ss:mem: + + +[security_compliance] + +# +# From keystone +# + +# The maximum number of days a user can go without authenticating before being +# considered "inactive" and automatically disabled (locked). This feature is +# disabled by default; set any value to enable it. This feature depends on the +# `sql` backend for the `[identity] driver`. When a user exceeds this threshold +# and is considered "inactive", the user's `enabled` attribute in the HTTP API +# may not match the value of the user's `enabled` column in the user table. +# (integer value) +# Minimum value: 1 +#disable_user_account_days_inactive = + +# The maximum number of times that a user can fail to authenticate before the +# user account is locked for the number of seconds specified by +# `[security_compliance] lockout_duration`. 
This feature is disabled by +# default. If this feature is enabled and `[security_compliance] +# lockout_duration` is not set, then users may be locked out indefinitely until +# the user is explicitly enabled via the API. This feature depends on the `sql` +# backend for the `[identity] driver`. (integer value) +# Minimum value: 1 +#lockout_failure_attempts = + +# The number of seconds a user account will be locked when the maximum number +# of failed authentication attempts (as specified by `[security_compliance] +# lockout_failure_attempts`) is exceeded. Setting this option will have no +# effect unless you also set `[security_compliance] lockout_failure_attempts` +# to a non-zero value. This feature depends on the `sql` backend for the +# `[identity] driver`. (integer value) +# Minimum value: 1 +#lockout_duration = 1800 + +# The number of days for which a password will be considered valid before +# requiring it to be changed. This feature is disabled by default. If enabled, +# new password changes will have an expiration date, however existing passwords +# would not be impacted. This feature depends on the `sql` backend for the +# `[identity] driver`. (integer value) +# Minimum value: 1 +#password_expires_days = + +# This controls the number of previous user password iterations to keep in +# history, in order to enforce that newly created passwords are unique. The +# total number which includes the new password should not be greater or equal +# to this value. Setting the value to zero (the default) disables this feature. +# Thus, to enable this feature, values must be greater than 0. This feature +# depends on the `sql` backend for the `[identity] driver`. (integer value) +# Minimum value: 0 +#unique_last_password_count = 0 + +# The number of days that a password must be used before the user can change +# it. This prevents users from changing their passwords immediately in order to +# wipe out their password history and reuse an old password. 
This feature does +# not prevent administrators from manually resetting passwords. It is disabled +# by default and allows for immediate password changes. This feature depends on +# the `sql` backend for the `[identity] driver`. Note: If +# `[security_compliance] password_expires_days` is set, then the value for this +# option should be less than the `password_expires_days`. (integer value) +# Minimum value: 0 +#minimum_password_age = 0 + +# The regular expression used to validate password strength requirements. By +# default, the regular expression will match any password. The following is an +# example of a pattern which requires at least 1 letter, 1 digit, and have a +# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature +# depends on the `sql` backend for the `[identity] driver`. (string value) +#password_regex = + +# Describe your password regular expression here in language for humans. If a +# password fails to match the regular expression, the contents of this +# configuration variable will be returned to users to explain why their +# requested password was insufficient. (string value) +#password_regex_description = + +# Enabling this option requires users to change their password when the user is +# created, or upon administrative reset. Before accessing any services, +# affected users will have to change their password. To ignore this requirement +# for specific users, such as service users, set the `options` attribute +# `ignore_change_password_upon_first_use` to `True` for the desired user via +# the update user API. This feature is disabled by default. This feature is +# only applicable with the `sql` backend for the `[identity] driver`. (boolean +# value) +#change_password_upon_first_use = false + + +[shadow_users] + +# +# From keystone +# + +# Entry point for the shadow users backend driver in the +# `keystone.identity.shadow_users` namespace. 
This driver is used for +# persisting local user references to externally-managed identities (via +# federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no +# reason to change this option unless you are providing a custom entry point. +# (string value) +#driver = sql + + +[signing] + +# +# From keystone +# + +# DEPRECATED: Absolute path to the public certificate file to use for signing +# responses to revocation lists requests. Set this together with `[signing] +# keyfile`. For non-production environments, you may be interested in using +# `keystone-manage pki_setup` to generate self-signed certificates. (string +# value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# DEPRECATED: Absolute path to the private key file to use for signing +# responses to revocation lists requests. Set this together with `[signing] +# certfile`. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# DEPRECATED: Absolute path to the public certificate authority (CA) file to +# use when creating self-signed certificates with `keystone-manage pki_setup`. +# Set this together with `[signing] ca_key`. There is no reason to set this +# option unless you are requesting revocation lists in a non-production +# environment. Use a `[signing] certfile` issued from a trusted certificate +# authority instead. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. 
+# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#ca_certs = /etc/keystone/ssl/certs/ca.pem + +# DEPRECATED: Absolute path to the private certificate authority (CA) key file +# to use when creating self-signed certificates with `keystone-manage +# pki_setup`. Set this together with `[signing] ca_certs`. There is no reason +# to set this option unless you are requesting revocation lists in a non- +# production environment. Use a `[signing] certfile` issued from a trusted +# certificate authority instead. (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# DEPRECATED: Key size (in bits) to use when generating a self-signed token +# signing certificate. There is no reason to set this option unless you are +# requesting revocation lists in a non-production environment. Use a `[signing] +# certfile` issued from a trusted certificate authority instead. (integer +# value) +# Minimum value: 1024 +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#key_size = 2048 + +# DEPRECATED: The validity period (in days) to use when generating a self- +# signed token signing certificate. There is no reason to set this option +# unless you are requesting revocation lists in a non-production environment. +# Use a `[signing] certfile` issued from a trusted certificate authority +# instead. (integer value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. 
+# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#valid_days = 3650 + +# DEPRECATED: The certificate subject to use when generating a self-signed +# token signing certificate. There is no reason to set this option unless you +# are requesting revocation lists in a non-production environment. Use a +# `[signing] certfile` issued from a trusted certificate authority instead. +# (string value) +# This option is deprecated for removal since P. +# Its value may be silently ignored in the future. +# Reason: `keystone-manage pki_setup` was deprecated in Mitaka and removed in +# Pike. These options remain for backwards compatibility. +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com + + +[token] + +provider = fernet + +# +# From keystone +# + +# The amount of time that a token should remain valid (in seconds). Drastically +# reducing this value may break "long-running" operations that involve multiple +# services to coordinate together, and will force users to authenticate with +# keystone more frequently. Drastically increasing this value will increase the +# number of tokens that will be simultaneously valid. Keystone tokens are also +# bearer tokens, so a shorter duration will also reduce the potential security +# impact of a compromised token. (integer value) +# Minimum value: 0 +# Maximum value: 9223372036854775807 +#expiration = 3600 + +# Entry point for the token provider in the `keystone.token.provider` +# namespace. The token provider controls the token construction, validation, +# and revocation operations. Supported upstream providers are `fernet` and +# `jws`. Neither `fernet` or `jws` tokens require persistence and both require +# additional setup. If using `fernet`, you're required to run `keystone-manage +# fernet_setup`, which creates symmetric keys used to encrypt tokens. 
If using +# `jws`, you're required to generate an ECDSA keypair using a SHA-256 hash +# algorithm for signing and validating token, which can be done with `keystone- +# manage create_jws_keypair`. Note that `fernet` tokens are encrypted and `jws` +# tokens are only signed. Please be sure to consider this if your deployment +# has security requirements regarding payload contents used to generate token +# IDs. (string value) +#provider = fernet + +# Toggle for caching token creation and validation data. This has no effect +# unless global caching is enabled. (boolean value) +#caching = true + +# The number of seconds to cache token creation and validation data. This has +# no effect unless both global and `[token] caching` are enabled. (integer +# value) +# Minimum value: 0 +# Maximum value: 9223372036854775807 +#cache_time = + +# This toggles support for revoking individual tokens by the token identifier +# and thus various token enumeration operations (such as listing all tokens +# issued to a specific user). These operations are used to determine the list +# of tokens to consider revoked. Do not disable this option if you're using the +# `kvs` `[revoke] driver`. (boolean value) +#revoke_by_id = true + +# This toggles whether scoped tokens may be re-scoped to a new project or +# domain, thereby preventing users from exchanging a scoped token (including +# those with a default project scope) for any other token. This forces users to +# either authenticate for unscoped tokens (and later exchange that unscoped +# token for tokens with a more specific scope) or to provide their credentials +# in every request for a scoped token to avoid re-scoping altogether. (boolean +# value) +#allow_rescope_scoped_token = true + +# DEPRECATED: This controls whether roles should be included with tokens that +# are not directly assigned to the token's scope, but are instead linked +# implicitly to other role assignments. 
(boolean value) +# This option is deprecated for removal since R. +# Its value may be silently ignored in the future. +# Reason: Default roles depend on a chain of implied role assignments. Ex: an +# admin user will also have the reader and member role. By ensuring that all +# these roles will always appear on the token validation response, we can +# improve the simplicity and readability of policy files. +#infer_roles = true + +# DEPRECATED: Enable storing issued token data to token validation cache so +# that first token validation doesn't actually cause full validation cycle. +# This option has no effect unless global caching is enabled and will still +# cache tokens even if `[token] caching = False`. (boolean value) +# This option is deprecated for removal since S. +# Its value may be silently ignored in the future. +# Reason: Keystone already exposes a configuration option for caching tokens. +# Having a separate configuration option to cache tokens when they are issued +# is redundant, unnecessarily complicated, and is misleading if token caching +# is disabled because tokens will still be pre-cached by default when they are +# issued. The ability to pre-cache tokens when they are issued is going to rely +# exclusively on the ``keystone.conf [token] caching`` option in the future. +#cache_on_issue = true + +# This controls the number of seconds that a token can be retrieved for beyond +# the built-in expiry time. This allows long running operations to succeed. +# Defaults to two days. (integer value) +#allow_expired_window = 172800 + + +[tokenless_auth] + +# +# From keystone +# + +# The list of distinguished names which identify trusted issuers of client +# certificates allowed to use X.509 tokenless authorization. If the option is +# absent then no certificates will be allowed. The format for the values of a +# distinguished name (DN) must be separated by a comma and contain no spaces. 
+# Furthermore, because an individual DN may contain commas, this configuration +# option may be repeated multiple times to represent multiple values. For +# example, keystone.conf would include two consecutive lines in order to trust +# two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` +# and `trusted_issuer = CN=mary,OU=eng,O=abc`. (multi valued) +#trusted_issuer = + +# The federated protocol ID used to represent X.509 tokenless authorization. +# This is used in combination with the value of `[tokenless_auth] +# issuer_attribute` to find a corresponding federated mapping. In a typical +# deployment, there is no reason to change this value. (string value) +#protocol = x509 + +# The name of the WSGI environment variable used to pass the issuer of the +# client certificate to keystone. This attribute is used as an identity +# provider ID for the X.509 tokenless authorization along with the protocol to +# look up its corresponding mapping. In a typical deployment, there is no +# reason to change this value. (string value) +#issuer_attribute = SSL_CLIENT_I_DN + + +[trust] + +# +# From keystone +# + +# Allows authorization to be redelegated from one user to another, effectively +# chaining trusts together. When disabled, the `remaining_uses` attribute of a +# trust is constrained to be zero. (boolean value) +#allow_redelegation = false + +# Maximum number of times that authorization can be redelegated from one user +# to another in a chain of trusts. This number may be reduced further for a +# specific trust. (integer value) +#max_redelegation_count = 3 + +# Entry point for the trust backend driver in the `keystone.trust` namespace. +# Keystone only provides a `sql` driver, so there is no reason to change this +# unless you are providing a custom entry point. (string value) +#driver = sql + + +[unified_limit] + +# +# From keystone +# + +# Entry point for the unified limit backend driver in the +# `keystone.unified_limit` namespace. 
Keystone only provides a `sql` driver, so +# there's no reason to change this unless you are providing a custom entry +# point. (string value) +#driver = sql + +# Toggle for unified limit caching. This has no effect unless global caching is +# enabled. In a typical deployment, there is no reason to disable this. +# (boolean value) +#caching = true + +# Time to cache unified limit data, in seconds. This has no effect unless both +# global caching and `[unified_limit] caching` are enabled. (integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. This +# may be useful to tune if you have a large number of unified limits in your +# deployment. (integer value) +#list_limit = + +# The enforcement model to use when validating limits associated to projects. +# Enforcement models will behave differently depending on the existing limits, +# which may result in backwards incompatible changes if a model is switched in +# a running deployment. (string value) +# Possible values: +# flat - +# strict_two_level - +#enforcement_model = flat + + +[wsgi] + +# +# From keystone +# + +# If set to true, this enables the oslo debug middleware in Keystone. This +# Middleware prints a lot of information about the request and the response. It +# is useful for getting information about the data on the wire (decoded) and +# passed to the WSGI application pipeline. This middleware has no effect on the +# "debug" setting in the [DEFAULT] section of the config file or setting +# Keystone's log-level to "DEBUG"; it is specific to debugging the WSGI data as +# it enters and leaves Keystone (specific request-related data). This option is +# used for introspection on the request and response data between the web +# server (apache, nginx, etc) and Keystone. This middleware is inserted as the +# first element in the middleware chain and will show the data closest to the +# wire. WARNING: NOT INTENDED FOR USE IN PRODUCTION. 
THIS MIDDLEWARE CAN AND
+# WILL EMIT SENSITIVE/PRIVILEGED DATA. (boolean value)
+#debug_middleware = false
diff --git a/2-keystone/build/scripts/keystone-setup.sh b/2-keystone/build/scripts/keystone-setup.sh
new file mode 100644
index 0000000..793da96
--- /dev/null
+++ b/2-keystone/build/scripts/keystone-setup.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+
+HOST="demo-controller.smartme.io"
+HTTPS=true
+ADMIN_PASS="smartme"
+
+URL="http://$HOST:5000/v3"
+if [ "$HTTPS" = true ] ; then
+ URL="https://$HOST:5000/v3"
+fi
+
+echo $URL
+
+keystone-manage db_sync
+echo "db_sync"
+
+keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
+echo "fernet_setup"
+
+keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+echo "credential_setup"
+
+keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-url ${URL} \
+ --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
+echo "boostrap"
+
+# restarting apache2 server
+apachectl -k graceful
+
+openstack project create --domain default --description "Service Project" service
+echo "project_created"
+
+chown -R keystone:keystone /var/log/keystone/
+echo "permissions_to_var_log_keystone"
+
+echo "restart the container"
diff --git a/2-keystone/scripts/keystone-setup.sh b/2-keystone/scripts/keystone-setup.sh
index 6c219c1..793da96 100644
--- a/2-keystone/scripts/keystone-setup.sh
+++ b/2-keystone/scripts/keystone-setup.sh
@@ -4,9 +4,9 @@ HOST="demo-controller.smartme.io"
 HTTPS=true
 ADMIN_PASS="smartme"
-URL="http://$HOST:5001/v3"
+URL="http://$HOST:5000/v3"
 if [ "$HTTPS" = true ] ; then
- URL="https://$HOST:5001/v3"
+ URL="https://$HOST:5000/v3"
 fi
 echo $URL
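Review bot: `ADMIN_PASS="smartme"` is a literal bootstrap password committed to the repository, and because the shebang is `#!/bin/bash -x` the expanded `keystone-manage bootstrap --bootstrap-password smartme …` line is written to the trace output, on top of already being visible in the process list while bootstrap runs. Read it from the environment instead, `: "${ADMIN_PASS:?ADMIN_PASS must be set}"`, and drop `-x` from the shebang (or bracket the bootstrap call with `set +x` / `set -x`). The script also has no `set -e`, so a failing `db_sync` or `bootstrap` still prints its success marker and execution continues; `set -euo pipefail` right after the shebang fixes that, and `echo "$URL"` should be quoted. The same literal password and `-x` shebang appear as context in the 2-keystone/scripts/keystone-setup.sh hunks that follow, so the change applies to both copies.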
@@ -24,10 +24,13 @@ keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-u
 --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
 echo "boostrap"
+# restarting apache2 server
+apachectl -k graceful
+
 openstack project create --domain default --description "Service Project" service
 echo "project_created"
 chown -R keystone:keystone /var/log/keystone/
 echo "permissions_to_var_log_keystone"
-echo "restart the container"
\ No newline at end of file
+echo "restart the container"
From 8ca6f1016a8e5db87d9e66b4b8ba79736a7d6285 Mon Sep 17 00:00:00 2001
From: Arturo Rinaldi
Date: Sat, 20 Nov 2021 01:59:28 +0100
Subject: [PATCH 40/66] 2-keystone: adding execution check for keystone-setup.sh bash script
---
 2-keystone/build/scripts/keystone-setup.sh | 39 +++++++++++++---------
 2-keystone/scripts/keystone-setup.sh | 39 +++++++++++++---------
 2 files changed, 46 insertions(+), 32 deletions(-)
diff --git a/2-keystone/build/scripts/keystone-setup.sh b/2-keystone/build/scripts/keystone-setup.sh
index 793da96..72d2187 100644
--- a/2-keystone/build/scripts/keystone-setup.sh
+++ b/2-keystone/build/scripts/keystone-setup.sh
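Review bot: `apachectl -k graceful` is not checked for success, and the very next command, `openstack project create`, talks to the keystone endpoint that Apache serves; a graceful restart returns as soon as the signal is delivered, so that first request may land while workers are still recycling and fail or be served by the old configuration. At minimum test the status, `apachectl -k graceful || exit 1`, and wait for the endpoint to answer (a short poll of `$URL`) before the create call. The enclosing script starts outside this hunk.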
@@ -11,26 +11,33 @@ fi
 echo $URL
-keystone-manage db_sync
-echo "db_sync"
+if [ ! -f ${HOME}/.keystone_setup_completed ]
+then
+ keystone-manage db_sync
+ echo "db_sync"
-keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
-echo "fernet_setup"
+ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
+ echo "fernet_setup"
-keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
-echo "credential_setup"
+ keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+ echo "credential_setup"
-keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-url ${URL} \
- --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
-echo "boostrap"
+ keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-url ${URL} \
+ --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
+ echo "boostrap"
-# restarting apache2 server
-apachectl -k graceful
+ # restarting apache2 server
+ apachectl -k graceful
-openstack project create --domain default --description "Service Project" service
-echo "project_created"
+ openstack project create --domain default --description "Service Project" service
+ echo "project_created"
-chown -R keystone:keystone /var/log/keystone/
-echo "permissions_to_var_log_keystone"
+ chown -R keystone:keystone /var/log/keystone/
+ echo "permissions_to_var_log_keystone"
-echo "restart the container"
+ touch ${HOME}/.keystone_setup_completed
+
+ echo "restart the container"
+else
+ echo "no need to setup again keystone !"
+fi
diff --git a/2-keystone/scripts/keystone-setup.sh b/2-keystone/scripts/keystone-setup.sh
index 793da96..72d2187 100644
--- a/2-keystone/scripts/keystone-setup.sh
+++ b/2-keystone/scripts/keystone-setup.sh
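Review bot: `touch ${HOME}/.keystone_setup_completed` runs unconditionally at the end of the `if` body, so when `db_sync`, `fernet_setup` or `bootstrap` fails the marker is still written and every later run takes the `else` branch, permanently skipping a setup that never completed. Either add `set -e` near the top of the script (outside this hunk, so any failure aborts before the `touch`) or write the marker only on success, e.g. `keystone-manage db_sync && … && touch "${HOME}/.keystone_setup_completed"`. The path should also be quoted in the test, `[ ! -f "${HOME}/.keystone_setup_completed" ]`, and keeping the marker in `$HOME` means it may differ between the entrypoint user and an interactive shell in the container — a fixed path under a persisted volume would be more dependable. The identical hunk in 2-keystone/scripts/keystone-setup.sh has the same issue.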
@@ -11,26 +11,33 @@ fi
 echo $URL
-keystone-manage db_sync
-echo "db_sync"
+if [ ! -f ${HOME}/.keystone_setup_completed ]
+then
+ keystone-manage db_sync
+ echo "db_sync"
-keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
-echo "fernet_setup"
+ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
+ echo "fernet_setup"
-keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
-echo "credential_setup"
+ keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
+ echo "credential_setup"
-keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-url ${URL} \
- --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
-echo "boostrap"
+ keystone-manage bootstrap --bootstrap-password ${ADMIN_PASS} --bootstrap-admin-url ${URL} \
+ --bootstrap-internal-url ${URL} --bootstrap-public-url ${URL} --bootstrap-region-id RegionOne
+ echo "boostrap"
-# restarting apache2 server
-apachectl -k graceful
+ # restarting apache2 server
+ apachectl -k graceful
-openstack project create --domain default --description "Service Project" service
-echo "project_created"
+ openstack project create --domain default --description "Service Project" service
+ echo "project_created"
-chown -R keystone:keystone /var/log/keystone/
-echo "permissions_to_var_log_keystone"
+ chown -R keystone:keystone /var/log/keystone/
+ echo "permissions_to_var_log_keystone"
-echo "restart the container"
+ touch ${HOME}/.keystone_setup_completed
+
+ echo "restart the container"
+else
+ echo "no need to setup again keystone !"
+fi
From 83755ef8cdce4e9baa3cc2154f72fdeb5433ee37 Mon Sep 17 00:00:00 2001
From: Arturo Rinaldi
Date: Mon, 22 Nov 2021 10:20:40 +0100
Subject: [PATCH 41/66] adding vim, nano, wget and curl to the base image of latest stages
---
 4-iotronic-wstun/Dockerfile | 2 +-
 5-wagent/build/Dockerfile | 2 +-
 6-ui/build/Dockerfile | 2 +-
 6-ui/build/Dockerfile-py3.dockerfile | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/4-iotronic-wstun/Dockerfile b/4-iotronic-wstun/Dockerfile
index 680ec1f..6571d64 100644
--- a/4-iotronic-wstun/Dockerfile
+++ b/4-iotronic-wstun/Dockerfile
@@ -9,7 +9,7 @@ ENV LANG C.UTF-8
 #RUN npm install -g --unsafe @mdslab/wstun \
 # && npm cache --force clean
-RUN apk --no-cache add git \
+RUN apk --no-cache add git wget curl \
 && mkdir -p /var/lib/iotronic/ssl/ \
 && mkdir -p /var/log/wstun/
diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile
index a7c20c6..c11f801 100644
--- a/5-wagent/build/Dockerfile
+++ b/5-wagent/build/Dockerfile
@@ -20,7 +20,7 @@ RUN apt-get update \
 && add-apt-repository -y cloud-archive:stein \
 && apt-get update && apt-get -y dist-upgrade \
 && apt-get install nocache -y build-essential python3-openstackclient \
- python3 python3-all python3-dev python3-all-dev python3-setuptools \
+ python3 python3-all python3-dev python3-all-dev python3-setuptools nano \
 vim curl iputils-ping wget git apache2 libapache2-mod-wsgi-py3 nginx \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
diff --git a/6-ui/build/Dockerfile b/6-ui/build/Dockerfile
index 63a04c7..69a7804 100644
--- a/6-ui/build/Dockerfile
+++ b/6-ui/build/Dockerfile
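Review bot: Adding `wget` and `curl` here, and `nano`/`vim`/`curl`/`wget` in the 5-wagent and 6-ui hunks of this patch, puts interactive editors and download tools into every runtime image, which grows the layers and widens what is at hand for anyone who obtains a shell inside a container. If they are for troubleshooting, a separate debug stage or a tooling image used via `docker exec` keeps the production layer lean; if one of them is a runtime dependency (a health check, say), a comment naming the consumer, `# curl: used by the container healthcheck`, makes the reason auditable. In the apt-based hunks the token `nocache` in the existing `apt-get install nocache -y …` context line is passed to apt as a package name; worth confirming that package is really wanted rather than a mistyped flag.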
@@ -11,7 +11,7 @@ RUN : \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \
 software-properties-common python python-all apt-utils \
 python-dev python-all-dev python-openstackclient nano apache2 \
- memcached python-memcache openstack-dashboard git dialog \
+ memcached python-memcache openstack-dashboard git dialog curl wget vim \
 && apt-get update && apt-get -y dist-upgrade \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
diff --git a/6-ui/build/Dockerfile-py3.dockerfile b/6-ui/build/Dockerfile-py3.dockerfile
index 0a965e3..9287bc1 100644
--- a/6-ui/build/Dockerfile-py3.dockerfile
+++ b/6-ui/build/Dockerfile-py3.dockerfile
@@ -9,9 +9,9 @@ ENV LANG C.UTF-8
 RUN : \
 && apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \
- software-properties-common python3 python3-all apt-utils \
+ software-properties-common python3 python3-all apt-utils wget vim \
 python3-dev python3-all-dev python3-openstackclient nano apache2 \
- memcached python3-memcache openstack-dashboard git dialog \
+ memcached python3-memcache openstack-dashboard git dialog curl \
 && apt-get update && apt-get -y dist-upgrade \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
From c188353e9d9fcc418b302f17470e634654dced14 Mon Sep 17 00:00:00 2001
From: Arturo Rinaldi
Date: Mon, 22 Nov 2021 12:03:40 +0100
Subject: [PATCH 42/66] 6-ui: setting OPENSTACK_HOST env to reflect the controller url
---
 6-ui/build/conf/local_settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/6-ui/build/conf/local_settings.py b/6-ui/build/conf/local_settings.py
index 051f88d..c96eeb4 100644
--- a/6-ui/build/conf/local_settings.py
+++ b/6-ui/build/conf/local_settings.py
@@ -183,7 +183,7 @@ # ('http://cluster2.example.com:5000/v3', 'cluster2'), #] -OPENSTACK_HOST = "demo-wagent.smartme.io" +OPENSTACK_HOST = "demo-controller.smartme.io" OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" From e36eb076ed09f1939b98566a0249676c8dce6103 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 12:02:47 +0100 Subject: [PATCH 43/66] 3-conductor: adding final tweaks for conductor setup --- 3-conductor/build/Dockerfile | 16 ++- 3-conductor/build/conf/iotronic.conf | 102 +++++++++++++++++++ 3-conductor/build/scripts/openstack-setup.sh | 35 +++++++ 3-conductor/scripts/openstack-setup.sh | 35 ++++--- 4 files changed, 170 insertions(+), 18 deletions(-) create mode 100644 3-conductor/build/conf/iotronic.conf create mode 100644 3-conductor/build/scripts/openstack-setup.sh diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile index 1e7b217..3a63b28 100644 --- a/3-conductor/build/Dockerfile +++ b/3-conductor/build/Dockerfile @@ -11,8 +11,8 @@ ENV LANG C.UTF-8 RUN : \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ - software-properties-common locales tzdata build-essential \ - python3-openstackclient python3 python3-setuptools vim nano \ + software-properties-common locales tzdata build-essential wget \ + python3-openstackclient python3 python3-setuptools vim nano curl \ python3-all python3-dev python3-all-dev git apache2 libapache2-mod-wsgi-py3 \ && add-apt-repository -y cloud-archive:stein \ && apt-get update \ @@ -44,8 +44,7 @@ RUN mkdir -p /var/log/iotronic \ && cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf # RUN pip3 uninstall -y SQLAlchemy -# RUN pip3 install SQLAlchemy==1.3.20 - +# RUN pip3 install -v SQLAlchemy==1.3.20 RUN a2ensite iotronic 
@@ -57,9 +56,16 @@ COPY bin/startConductor /usr/local/bin/startConductor RUN chmod +x /usr/local/bin/openstack-setup \ && chmod +x /usr/local/bin/startConductor +# RUN echo 'ServerName conductor' > /etc/apache2/conf-available/server-name.conf +RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf + +RUN a2enconf server-name + +# RUN pip3 install -v cryptography==3.3.2 + VOLUME ["/etc/iotronic"] VOLUME ["/var/log/iotronic"] EXPOSE 8812 -CMD ["/usr/local/bin/startConductor"] \ No newline at end of file +CMD ["/usr/local/bin/startConductor"] diff --git a/3-conductor/build/conf/iotronic.conf b/3-conductor/build/conf/iotronic.conf new file mode 100644 index 0000000..48b98bf --- /dev/null +++ b/3-conductor/build/conf/iotronic.conf 
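Review bot: `RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf` bakes one deployment's hostname into the image, so any other deployment needs a rebuild and the image can disagree with the `HOST` value the compose file passes at run time. Take it from a build argument (`ARG SERVER_NAME=demo-controller` then `RUN echo "ServerName ${SERVER_NAME}" > /etc/apache2/conf-available/server-name.conf`) or have the start script write the file from an environment variable. The identical line is added to 6-ui/build/Dockerfile-py3.dockerfile in patch 46 and to 6-ui/build/Dockerfile in patch 59. The commented-out `# RUN echo 'ServerName conductor' …` and `# RUN pip3 install -v cryptography==3.3.2` lines are dead text; drop them or give each a one-line reason for staying.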
@@ -0,0 +1,102 @@ +[DEFAULT] +transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ + +debug=True +log_file = /var/log/iotronic/iotronic-conductor.log +proxy=nginx + + +# Authentication strategy used by iotronic-api: one of +# "keystone" or "noauth". "noauth" should not be used in a +# production environment because all authentication will be +# disabled. (string value) +auth_strategy=keystone + +# Enable pecan debug mode. WARNING: this is insecure and +# should not be used in a production environment. (boolean +# value) +#pecan_debug=false + + +[conductor] +service_port_min=50000 +service_port_max=50100 + +[wamp] +wamp_transport_url = wss://:/ +wamp_realm = s4t +# skip_cert_verify= False +# register_agent = True +service_allow_list=True +service_allow_list_path="/var/lib/iotronic/wstun/allowlist.json" + + + +[database] +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@s4t_iotronic_db/s4t_iotronic + +[keystone_authtoken] +www_authenticate_uri = https://demo-controller.smartme.io:5000 +auth_url = https://demo-controller.smartme.io:5000 +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = iotronic +password = smartme + + +[neutron] +auth_url = http://:5000 +url = http://:9696 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = service +username = neutron +password = +retries = 3 +project_domain_id= default + + +[designate] +auth_url = https://dev.felooca.eu:5000/ +url = https://dev.felooca.eu:9001 +auth_strategy = password +project_domain_name = default +user_domain_name = default +region_name = RegionOne +project_name = admin +username = admin +password = f3l00caSMDEV +retries = 3 +project_domain_id= default + + +[cors] +# Indicate whether this resource may be shared with the domain +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. 
Example: +# https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user +# credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. +# Defaults to HTTP Simple Headers. (list value) +#expose_headers = + +# Maximum cache age of CORS preflight requests. (integer +# value) +#max_age = 3600 + +# Indicate which methods can be used during the actual +# request. (list value) +#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH + +# Indicate which header field names may be used during the +# actual request. (list value) +#allow_headers = \ No newline at end of file diff --git a/3-conductor/build/scripts/openstack-setup.sh b/3-conductor/build/scripts/openstack-setup.sh new file mode 100644 index 0000000..29dbff6 --- /dev/null +++ b/3-conductor/build/scripts/openstack-setup.sh @@ -0,0 +1,35 @@ +#! /bin/bash -x + +IP_IOTRONIC="demo-controller.smartme.io" +HTTPS=true +IOTRONIC_PASS="smartme" + +URL="http://$IP_IOTRONIC:8812" +if [ "$HTTPS" = true ] ; then + URL="https://$IP_IOTRONIC:8812" +fi + +echo ${URL} + +if [ ! -e ${HOME}/.os_setup_completed ] +then + openstack service create iot --name Iotronic + openstack user create --password ${IOTRONIC_PASS} iotronic + openstack role add --project service --user iotronic admin + openstack role create admin_iot_project + openstack role create manager_iot_project + openstack role create user_iot + openstack role add --project service --user iotronic admin_iot_project + + openstack endpoint create --region RegionOne iot public ${URL} + openstack endpoint create --region RegionOne iot internal ${URL} + openstack endpoint create --region RegionOne iot admin ${URL} + + openstack role add --project admin --user admin admin_iot_project + + apachectl -k graceful + + touch ${HOME}/.os_setup_completed +else + echo "no need to setup openstack !" +fi 
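Review bot: This new file commits live secrets in clear text — the password embedded in `transport_url`, the `[database]` connection string, the `[keystone_authtoken]` password and an admin password for an external Designate endpoint — next to `debug=True`. Because they are now in git history they should be treated as disclosed and rotated regardless of later edits, and the file should ship with placeholders that the start script fills from the environment the compose file already passes (`IOTRONIC_PASS`, `ADMIN_PASS`) or from a mounted secret. `wamp_transport_url = wss://:/` arrives here with an empty host and port, as do the `[neutron]` `auth_url`/`url` lines; if that is not a placeholder stripped in rendering, the WAMP client has nothing to connect to, and a `# filled in at deploy time` comment would make the intent explicit either way.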
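Review bot: `#! /bin/bash -x` enables xtrace for the whole script, so `openstack user create --password ${IOTRONIC_PASS} iotronic` prints the Keystone password to stderr and therefore into the container log; the same content lands in 3-conductor/scripts/openstack-setup.sh in the two hunks that follow. Drop `-x` from the shebang (it is also lost when the script is invoked as `bash openstack-setup.sh`) or bracket that one command with `set +x` / `set -x`, and since the compose file already passes `IOTRONIC_PASS` in the environment, `IOTRONIC_PASS="${IOTRONIC_PASS:-smartme}"` — or stricter, `: "${IOTRONIC_PASS:?}"` — lets the two agree instead of the script overriding it. `${HOME}` and `${URL}` are unquoted; `"${HOME}/.os_setup_completed"` is the safe form. The marker file lives in the container's home directory, which is not on a volume in the compose file, so a recreated container would re-run the `create` commands — worth confirming that is intended.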
diff --git a/3-conductor/scripts/openstack-setup.sh b/3-conductor/scripts/openstack-setup.sh index 9c261bf..29dbff6 100644 --- a/3-conductor/scripts/openstack-setup.sh +++ b/3-conductor/scripts/openstack-setup.sh @@ -1,6 +1,6 @@ -#! /bin/bash +#! /bin/bash -x -IP_IOTRONIC="demo-test.smartme.io" +IP_IOTRONIC="demo-controller.smartme.io" HTTPS=true IOTRONIC_PASS="smartme" @@ -11,16 +11,25 @@ fi echo ${URL} -openstack service create iot --name Iotronic -openstack user create --password ${IOTRONIC_PASS} iotronic -openstack role add --project service --user iotronic admin -openstack role create admin_iot_project -openstack role create manager_iot_project -openstack role create user_iot -openstack role add --project service --user iotronic admin_iot_project +if [ ! -e ${HOME}/.os_setup_completed ] +then + openstack service create iot --name Iotronic + openstack user create --password ${IOTRONIC_PASS} iotronic + openstack role add --project service --user iotronic admin + openstack role create admin_iot_project + openstack role create manager_iot_project + openstack role create user_iot + openstack role add --project service --user iotronic admin_iot_project -openstack endpoint create --region RegionOne iot public ${URL} -openstack endpoint create --region RegionOne iot internal ${URL} -openstack endpoint create --region RegionOne iot admin ${URL} + openstack endpoint create --region RegionOne iot public ${URL} + openstack endpoint create --region RegionOne iot internal ${URL} + openstack endpoint create --region RegionOne iot admin ${URL} -openstack role add --project admin --user admin admin_iot_project \ No newline at end of file + openstack role add --project admin --user admin admin_iot_project + + apachectl -k graceful + + touch ${HOME}/.os_setup_completed +else + echo "no need to setup openstack !" +fi From 5ecbfe360ce330298a55c32b52a2f48be8d3a9df Mon Sep 17 00:00:00 2001 
From: Arturo Rinaldi Date: Wed, 24 Nov 2021 12:05:06 +0100 Subject: [PATCH 44/66] setting OpenStack variables in controller compose YAML file and adding ui service --- docker-compose-controller.yml | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index becf2ac..13b6dd7 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -18,7 +18,6 @@ services: container_name: s4t_rabbitmq restart: unless-stopped image: smartmeio/s4t_rabbitmq:3.9.8 - entrypoint: ["/bin/sh","-c"] environment: - RABBIT_PASS="smartme" ports: @@ -47,6 +46,9 @@ services: - s4t_keystone_data:/var/lib/keystone/ - /var/log/keystone:/var/log/keystone - /var/log/keystone-api:/var/log/apache2 + depends_on: + - mariadb + - rabbitmq ports: - '5001:5000' networks: @@ -57,17 +59,39 @@ services: restart: unless-stopped image: smartmeio/s4t_iotronic_conductor:latest environment: - - URL="demo-test.smartme.io" + - OS_PROJECT_DOMAIN_NAME=Default + - OS_USER_DOMAIN_NAME=Default + - OS_PROJECT_NAME=admin + - OS_USERNAME=admin + - OS_PASSWORD=smartme + - OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3 + - OS_IDENTITY_API_VERSION=3 + - OS_IMAGE_API_VERSION=2 + - HOST="demo-controller.smartme.io" + - ADMIN_PASS="smartme" - IOTRONIC_PASS="smartme" hostname: conductor volumes: - - s4t_iotronic_conductor_config:/etc/iotronic/ - - /var/log/iotronic-conductor:/var/log/iotronic + - s4t_iotronic_conductor_config:/etc/iotronic/ + - /var/log/iotronic-conductor:/var/log/iotronic + depends_on: + - rabbitmq + - keystone + - mariadb + command: /bin/bash -c 'iotronic-dbsync && openstack-setup && startConductor' ports: - '8813:8812' networks: - 'default' + ui: + container_name: s4t_iotronic_ui + restart: unless-stopped + image: smartmeio/s4t_iotronic_ui_py3:latest + depends_on: + - conductor + networks: + - 'default' volumes: s4t_iotronic_db_data: 
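Review bot: In the list form of `environment:` everything after `=` is the literal value, so `HOST="demo-controller.smartme.io"`, `ADMIN_PASS="smartme"` and `IOTRONIC_PASS="smartme"` reach the container with the double quotes included, while the new `OS_*` entries in the same list do not; the later rework to `MARIADB_ROOT_PASSWORD: smartme` in this series looks like the same problem being hit. Write them as `- HOST=demo-controller.smartme.io`, `- ADMIN_PASS=smartme`, `- IOTRONIC_PASS=smartme`. Separately, `OS_PASSWORD`, `ADMIN_PASS` and `IOTRONIC_PASS` are committed in clear text; a git-ignored `env_file` or Compose secrets keeps them out of the repository. `depends_on` only orders container start, so `iotronic-dbsync` in the new `command` can still run before MariaDB accepts connections — the entry script should wait for the database port.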
@@ -85,4 +109,4 @@ volumes: networks: default: name: s4t-controller-network - driver: 'bridge' \ No newline at end of file + driver: 'bridge' From 01e794f6dca14f0fced53abea62a51acfb167f1c Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 14:41:30 +0100 Subject: [PATCH 45/66] 1-rabbitmq: rework of rabbitmq-setup script --- 1-rabbitmq/build | 0 1-rabbitmq/scripts/rabbitmq-setup.sh | 15 +++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) mode change 100644 => 100755 1-rabbitmq/build diff --git a/1-rabbitmq/build b/1-rabbitmq/build old mode 100644 new mode 100755 diff --git a/1-rabbitmq/scripts/rabbitmq-setup.sh b/1-rabbitmq/scripts/rabbitmq-setup.sh index e521f78..3cc160e 100644 --- a/1-rabbitmq/scripts/rabbitmq-setup.sh +++ b/1-rabbitmq/scripts/rabbitmq-setup.sh @@ -6,9 +6,16 @@ # exit #cfi -RABBIT_PASS="smartme" +if [ ! -f ${HOME}/.rabbitmq_setup_completed ] +then + RABBIT_PASS="smartme" -rabbitmqctl add_user openstack $RABBIT_PASS -rabbitmqctl set_permissions openstack ".*" ".*" ".*" + rabbitmqctl add_user openstack $RABBIT_PASS + rabbitmqctl set_permissions openstack ".*" ".*" ".*" -echo -e "\e[32mCompleted \e[0m" \ No newline at end of file + touch ${HOME}/.rabbitmq_setup_completed + + echo -e "\e[32mCompleted \e[0m" +else + echo "no need to setup rabbitmq !" +fi \ No newline at end of file From ee31a7bdbec588f2183e8d59bfebac39357adb75 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 14:43:18 +0100 Subject: [PATCH 46/66] 6-ui: fine tuning of Dockerfile and PID check in startUI script --- 6-ui/build/Dockerfile-py3.dockerfile | 6 +++++- 6-ui/build/bin/startUI | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/6-ui/build/Dockerfile-py3.dockerfile b/6-ui/build/Dockerfile-py3.dockerfile index 9287bc1..c729b43 100644 --- a/6-ui/build/Dockerfile-py3.dockerfile +++ b/6-ui/build/Dockerfile-py3.dockerfile 
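Review bot: `RABBIT_PASS="smartme"` inside the new guard overrides whatever `RABBIT_PASS` the compose file passes to the rabbitmq container (visible as `- RABBIT_PASS="smartme"` in the controller compose hunk of patch 44), so changing the password in one place silently leaves the other at the old value. `RABBIT_PASS="${RABBIT_PASS:-smartme}"` keeps the fallback while honouring the environment, or `: "${RABBIT_PASS:?RABBIT_PASS must be set}"` makes the operator supply it. Quote the path in `[ ! -f "${HOME}/.rabbitmq_setup_completed" ]` and in the matching `touch`, and note that the marker sits in the container filesystem, so a recreated container re-runs `add_user` unless `HOME` is on a volume. `printf` is the portable replacement for `echo -e`.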
@@ -11,7 +11,7 @@ RUN : \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ software-properties-common python3 python3-all apt-utils wget vim \ python3-dev python3-all-dev python3-openstackclient nano apache2 \ - memcached python3-memcache openstack-dashboard git dialog curl \ + memcached python3-memcache openstack-dashboard git dialog curl gcc g++ \ && apt-get update && apt-get -y dist-upgrade \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ @@ -41,6 +41,10 @@ RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dash && cp iotronic_ui/enabled/_63* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ +RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf + +RUN a2enconf server-name + #RUN apt-get remove --auto-remove openstack-dashboard-ubuntu-theme COPY conf/local_settings.py /etc/openstack-dashboard/ diff --git a/6-ui/build/bin/startUI b/6-ui/build/bin/startUI index 039e7a5..c6677f7 100755 --- a/6-ui/build/bin/startUI +++ b/6-ui/build/bin/startUI @@ -1,7 +1,7 @@ #!/bin/bash # clean all pid -rm /run/apache2/apache2.pid +[ -f /run/apache2/apache2.pid ] && rm /run/apache2/apache2.pid # Start the first process /usr/sbin/apache2ctl -D FOREGROUND & status=$? From a5de8793aaf3e370df149247584362ff9af8135c Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 16:35:35 +0100 Subject: [PATCH 47/66] 3-conductor: fixing python3 dependencies --- 3-conductor/build/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/3-conductor/build/Dockerfile b/3-conductor/build/Dockerfile index 3a63b28..ab12723 100644 --- a/3-conductor/build/Dockerfile +++ b/3-conductor/build/Dockerfile 
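Review bot: `[ -f /run/apache2/apache2.pid ] && rm /run/apache2/apache2.pid` can be `rm -f /run/apache2/apache2.pid`, which is idempotent, has no window between the test and the removal, and does not leave a non-zero status behind when the file is absent. The context line `/usr/sbin/apache2ctl -D FOREGROUND & status=$?` stores the status of launching the background job, which is always 0, so whatever check follows it presumably cannot detect a failed start; `wait "$!"` yields the real exit status. The rest of startUI is outside the hunk.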
@@ -44,7 +44,8 @@ RUN mkdir -p /var/log/iotronic \ && cp etc/apache2/iotronic.conf /etc/apache2/sites-available/iotronic.conf # RUN pip3 uninstall -y SQLAlchemy -# RUN pip3 install -v SQLAlchemy==1.3.20 +RUN pip3 install -v SQLAlchemy==1.3.20 oslo.db==4.33.0 +RUN pip3 install -v -U secretstorage cryptography RUN a2ensite iotronic From aeea6de2aab38f558abb94fa78ebb8ebdd4feed4 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 16:36:05 +0100 Subject: [PATCH 48/66] main UI should still run on python v2 --- docker-compose-controller.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 13b6dd7..fdf37a9 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -87,9 +87,11 @@ services: ui: container_name: s4t_iotronic_ui restart: unless-stopped - image: smartmeio/s4t_iotronic_ui_py3:latest + image: smartmeio/s4t_iotronic_ui:latest depends_on: - conductor + ports: + - '8086:80' networks: - 'default' From cc9b997b02c995dfadddbc4c2f719eb89613d92f Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 15:37:18 +0000 Subject: [PATCH 49/66] 5-wagent: fine tuning of Dockerfile and iotronic.conf settings --- 5-wagent/build/Dockerfile | 7 ++++--- 5-wagent/build/conf/iotronic.conf | 6 +++--- 5-wagent/conf/iotronic.conf | 8 ++++---- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/5-wagent/build/Dockerfile b/5-wagent/build/Dockerfile index c11f801..0cd2403 100644 --- a/5-wagent/build/Dockerfile +++ b/5-wagent/build/Dockerfile @@ -63,7 +63,8 @@ RUN mkdir -p /var/log/iotronic \ # RUN pip3 uninstall -y SQLAlchemy # RUN pip3 install SQLAlchemy==1.3.20 -RUN pip3 install -v SQLAlchemy +RUN pip3 install -v SQLAlchemy==1.3.20 oslo.db==4.33.0 +RUN pip3 install -v -U cryptography secretstorage VOLUME ["/etc/iotronic"] VOLUME ["/var/log/iotronic"] 
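Review bot: `RUN pip3 install -v -U secretstorage cryptography` is unpinned and uses `-U`, so each build takes whatever the newest releases are that day, while the line above pins `SQLAlchemy==1.3.20 oslo.db==4.33.0`; the image is not reproducible and a rebuild can pull a cryptography release that no longer fits the pinned oslo stack. Pin both, e.g. `RUN pip3 install -v secretstorage==<version> cryptography==<version>`, or move to a requirements file installed with `--require-hashes`. The 5-wagent/build/Dockerfile hunk of patch 49 adds the same two lines. These installs land in the system site-packages on top of the apt-installed `python3-openstackclient` from the earlier hunk of patch 43, so apt and pip will each believe they own those packages — worth confirming that is intended.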
@@ -77,7 +78,7 @@ COPY conf/iotronic.conf /etc/iotronic/ COPY conf/allowlist /var/lib/wstun/ RUN echo "stream { include conf.d/iotronic/mapping; }" >> /etc/nginx/nginx.conf -RUN echo "include conf.d/iotronic/servers/*" >> /etc/nginx/sites-enabled/default +RUN echo "include conf.d/iotronic/servers/*;" >> /etc/nginx/sites-enabled/default EXPOSE 443 @@ -88,4 +89,4 @@ COPY bin/startWagent /usr/local/bin/startWagent RUN chmod +x /usr/local/bin/startWagent CMD ["/usr/local/bin/startWagent"] -#CMD ["/usr/local/bin/iotronic-wamp-agent"] \ No newline at end of file +#CMD ["/usr/local/bin/iotronic-wamp-agent"] diff --git a/5-wagent/build/conf/iotronic.conf b/5-wagent/build/conf/iotronic.conf index 7cb299d..f974aff 100644 --- a/5-wagent/build/conf/iotronic.conf +++ b/5-wagent/build/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@demo-controller.smartme.io:5672/ debug=True proxy=nginx @@ -30,7 +30,7 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@s4t_iotronic_db/s4t_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@demo-controller.smartme.io:53306/s4t_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-controller.smartme.io:5000 @@ -109,4 +109,4 @@ project_domain_id= default # Indicate which header field names may be used during the # actual request. (list value) -#allow_headers = \ No newline at end of file +#allow_headers = diff --git a/5-wagent/conf/iotronic.conf b/5-wagent/conf/iotronic.conf index f587a2c..f974aff 100644 --- a/5-wagent/conf/iotronic.conf +++ b/5-wagent/conf/iotronic.conf @@ -1,5 +1,5 @@ [DEFAULT] -transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ +transport_url=rabbit://openstack:smartme@demo-controller.smartme.io:5672/ debug=True proxy=nginx 
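Review bot: `transport_url=rabbit://openstack:smartme@demo-controller.smartme.io:5672/` and the `[database]` `connection` in the next hunk now carry the RabbitMQ and MariaDB credentials across the network to a public hostname over plain AMQP and MySQL, where before they resolved to containers on the compose network; both lines are duplicated in 5-wagent/conf/iotronic.conf below and touched again in patch 53. oslo.messaging can enable TLS on the rabbit transport (`ssl = true` under `[oslo_messaging_rabbit]`) and the pymysql driver accepts TLS options on the connection URL, so the hop should be encrypted and the broker and database ports firewalled to the wagent host. The credentials themselves are the ones committed in clear text elsewhere in this series and should be rotated once moved out of the repository.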
@@ -23,14 +23,14 @@ wamp_realm = s4t skip_cert_verify= True register_agent = True service_allow_list=True -service_allow_list_path="/etc/iotronic/allowlist" +service_allow_list_path="/var/lib/wstun/allowlist" [nginx] nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@s4t_iotronic_db/s4t_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@demo-controller.smartme.io:53306/s4t_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-controller.smartme.io:5000 @@ -109,4 +109,4 @@ project_domain_id= default # Indicate which header field names may be used during the # actual request. (list value) -#allow_headers = \ No newline at end of file +#allow_headers = From 226fadebd93f3f8fafdae9d0105b72e43585fed2 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Wed, 24 Nov 2021 15:38:35 +0000 Subject: [PATCH 50/66] wagent container should run with network_mode set to host --- docker-compose-wagent.yml | 35 +++++++---------------------------- 1 file changed, 7 insertions(+), 28 deletions(-) diff --git a/docker-compose-wagent.yml b/docker-compose-wagent.yml index 890bfbb..d09a242 100644 --- a/docker-compose-wagent.yml +++ b/docker-compose-wagent.yml @@ -7,10 +7,7 @@ services: volumes: - 's4t_crossbar_config:/node/.crossbar' - /etc/ssl/iotronic/client_iotronic/:/node/.crossbar/ssl:ro - ports: - - '8181:8181' - networks: - - 'default' + network_mode: host wstun: container_name: s4t_iotronic_wstun 
@@ -19,41 +16,23 @@ services: volumes: - '/etc/ssl/iotronic/client_iotronic:/var/lib/iotronic/ssl/:ro' - 's4t_iotronic_wagent_wstun:/var/lib/wstun:ro' - ports: - - '8080:8080' - - '50000-50100:50000-50100' - networks: - - 'default' + network_mode: host wagent: container_name: s4t_iotronic_wagent - image: smartmeio/s4t_iotronic_wagent:smartmeio-test + image: smartmeio/s4t_iotronic_wagent:smartme-test restart: unless-stopped hostname: wagent1 - ports: - - '80:80' - - '443:443' volumes: - 's4t_iotronic_wagent_config:/etc/iotronic/' - 's4t_iotronic_wagent_nginx:/etc/nginx/' - 's4t_iotronic_wagent_wstun:/var/lib/wstun' - '/var/log/iotronic-wagent:/var/log/iotronic' - networks: - - 'default' - - ui: - container_name: s4t_iotronic_ui - image: smartmeio/s4t_iotronic_ui:latest - restart: unless-stopped - ports: - - '8585:80' - volumes: - - 's4t_iotronic_ui_config:/etc/openstack-dashboard/' - - '/var/log/iotronic-ui:/var/log/apache2/' - networks: - - 'default' + network_mode: host volumes: + s4t_crossbar_config: + name: s4t_crossbar_config s4t_iotronic_db_data: name: s4t_iotronic_db_data s4t_iotronic_db_config: @@ -70,4 +49,4 @@ volumes: networks: default: name: smartme-wagent-network - driver: 'bridge' \ No newline at end of file + driver: 'bridge' From 0ac40e085de4c44989614bf380a0f645d0c6d62d Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 14 Dec 2021 16:41:29 +0100 Subject: [PATCH 51/66] adding s4t_designate database and user --- 1-mysql/Dockerfile | 2 +- 1-mysql/initfile.sql | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/1-mysql/Dockerfile b/1-mysql/Dockerfile index 9a988b2..0c94f2b 100644 --- a/1-mysql/Dockerfile +++ b/1-mysql/Dockerfile @@ -1,4 +1,4 @@ -FROM mariadb:focal +FROM mariadb:10.7.1-focal COPY initfile.sql /docker-entrypoint-initdb.d/initfile.sql COPY 99-openstack.conf /etc/mysql/mariadb.conf.d/99-openstack.conf \ No newline at end of file 
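Review bot: Switching crossbar, wstun and wagent to `network_mode: host` removes their network namespace, so every port those processes bind is reachable on all host interfaces, whereas before only 8181, 8080, 50000-50100, 80 and 443 were published; the `networks:` / `default:` definition at the bottom of the file is now referenced by no service. If host networking is required for the wstun port range, the host firewall becomes the only boundary and should admit just those ports; otherwise publishing the range on the bridge network keeps isolation. Either remove the unused network block or add a comment saying why it stays.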
diff --git a/1-mysql/initfile.sql b/1-mysql/initfile.sql index 9f11b73..e7a0761 100644 --- a/1-mysql/initfile.sql +++ b/1-mysql/initfile.sql @@ -4,9 +4,17 @@ SET PASSWORD FOR s4t_keystone@localhost = PASSWORD('sm3d3m0n'); CREATE USER IF NOT EXISTS s4t_iotronic@localhost IDENTIFIED BY 'sm3d3m0n'; SET PASSWORD FOR s4t_iotronic@localhost = PASSWORD('sm3d3m0n'); +CREATE USER IF NOT EXISTS s4t_designate@localhost IDENTIFIED BY 'sm3d3m0n'; +SET PASSWORD FOR s4t_designate@localhost = PASSWORD('sm3d3m0n'); + CREATE DATABASE s4t_keystone; GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'localhost' IDENTIFIED BY 'sm3d3m0n'; GRANT ALL PRIVILEGES ON s4t_keystone.* TO 's4t_keystone'@'%' IDENTIFIED BY 'sm3d3m0n'; + CREATE DATABASE s4t_iotronic; GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'localhost' IDENTIFIED BY 'sm3d3m0n'; -GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'%' IDENTIFIED BY 'sm3d3m0n'; \ No newline at end of file +GRANT ALL PRIVILEGES ON s4t_iotronic.* TO 's4t_iotronic'@'%' IDENTIFIED BY 'sm3d3m0n'; + +CREATE DATABASE s4t_designate; +GRANT ALL PRIVILEGES ON s4t_designate.* TO 's4t_designate'@'localhost' IDENTIFIED BY 'sm3d3m0n'; +GRANT ALL PRIVILEGES ON s4t_designate.* TO 's4t_designate'@'%' IDENTIFIED BY 'sm3d3m0n'; From cd0484769452270ce6f9702c08fdcdf88cee9d9e Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 14 Dec 2021 16:43:08 +0100 Subject: [PATCH 52/66] 2-keystone: reverting database port to the standard one --- 2-keystone/build/conf/keystone.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2-keystone/build/conf/keystone.conf b/2-keystone/build/conf/keystone.conf index eec8f3e..5787c42 100644 --- a/2-keystone/build/conf/keystone.conf +++ b/2-keystone/build/conf/keystone.conf 
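Review bot: The new `s4t_designate` account reuses the password shared with `s4t_keystone` and `s4t_iotronic` and receives `ALL PRIVILEGES` for `'%'`, i.e. from any host, with the password committed to the repository; combined with the `3306:3306` publish added in patch 54, the database is reachable over the network with credentials anyone with repository access holds. Give each service its own password supplied at init time (the entrypoint can substitute from the environment or a secret file) and limit the `'%'` grants to the hosts that need remote access. The `IF NOT EXISTS` on the user statements is not matched by `CREATE DATABASE s4t_designate;`, consistent with the existing lines but not idempotent; `CREATE DATABASE IF NOT EXISTS` would make the file safe to re-run.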
@@ -590,7 +590,7 @@ log_dir = /var/log/keystone [database] -connection = mysql+pymysql://s4t_keystone:sm3d3m0n@s4t_iotronic_db:3306/s4t_keystone +connection = mysql+pymysql://s4t_keystone:sm3d3m0n@s4t_iotronic_db/s4t_keystone # # From oslo.db From cd2315aacdab32d308e331f2b1565fbf57534128 Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 14 Dec 2021 16:43:25 +0100 Subject: [PATCH 53/66] 5-wagent: reverting database port to the standard one --- 5-wagent/build/conf/iotronic.conf | 2 +- 5-wagent/conf/iotronic.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/5-wagent/build/conf/iotronic.conf b/5-wagent/build/conf/iotronic.conf index f974aff..d580ace 100644 --- a/5-wagent/build/conf/iotronic.conf +++ b/5-wagent/build/conf/iotronic.conf @@ -30,7 +30,7 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@demo-controller.smartme.io:53306/s4t_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@demo-controller.smartme.io/s4t_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-controller.smartme.io:5000 diff --git a/5-wagent/conf/iotronic.conf b/5-wagent/conf/iotronic.conf index f974aff..d580ace 100644 --- a/5-wagent/conf/iotronic.conf +++ b/5-wagent/conf/iotronic.conf @@ -30,7 +30,7 @@ nginx_path=/etc/nginx/conf.d/iotronic wstun_endpoint=localhost [database] -connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@demo-controller.smartme.io:53306/s4t_iotronic +connection = mysql+pymysql://s4t_iotronic:sm3d3m0n@demo-controller.smartme.io/s4t_iotronic [keystone_authtoken] www_authenticate_uri = https://demo-controller.smartme.io:5000 From e40086fb66468d0d2cb4f2136698a4c49d6b7dcf Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 14 Dec 2021 16:44:04 +0100 Subject: [PATCH 54/66] restoring default database port in controller YAML compose file --- docker-compose-controller.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index fdf37a9..9afab76 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -6,11 +6,12 @@ services: image: smartmeio/mariadb:focal environment: - MYSQL_ROOT_PASSWORD="smartme" + - MARIADB_ROOT_PASSWORD="smartme" volumes: - 's4t_iotronic_db_data:/var/lib/mysql' - 's4t_iotronic_db_config:/etc/mysql' ports: - - '53306:3306' + - '3306:3306' networks: - 'default' From 6585b0f6a6f686ef07e35b78c33750d4251d02de Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 14 Dec 2021 16:59:36 +0100 Subject: [PATCH 55/66] dropping openstack-setup from conductor default command in YAML compose --- docker-compose-controller.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 9afab76..0effef0 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -79,7 +79,7 @@ services: - rabbitmq - keystone - mariadb - command: /bin/bash -c 'iotronic-dbsync && openstack-setup && startConductor' + command: /bin/bash -c 'iotronic-dbsync && startConductor' ports: - '8813:8812' networks: From 5e19263f615fa682f46bc0e37268860aa15edf0a Mon Sep 17 00:00:00 2001 From: Arturo Rinaldi Date: Tue, 14 Dec 2021 18:45:48 +0100 Subject: [PATCH 56/66] setting correct MARIADB env variable definition --- docker-compose-controller.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml index 0effef0..2c25dce 100644 --- a/docker-compose-controller.yml +++ b/docker-compose-controller.yml @@ -5,8 +5,7 @@ services: restart: unless-stopped image: smartmeio/mariadb:focal environment: - - MYSQL_ROOT_PASSWORD="smartme" - - MARIADB_ROOT_PASSWORD="smartme" + MARIADB_ROOT_PASSWORD: smartme volumes: - 's4t_iotronic_db_data:/var/lib/mysql' - 's4t_iotronic_db_config:/etc/mysql' 
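Review bot: `- '3306:3306'` publishes MariaDB on every host interface on the standard port, and the accounts on that server are created by 1-mysql/initfile.sql with passwords checked into this repository and `'%'` host grants. If only the wagent host needs the database, bind the publish to the interface it arrives on (`'<controller-ip>:3306:3306'`), firewall the rest and require TLS on the server; if only containers on the controller need it, drop the publish and let them use the compose network.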
From 1688bb89b3017e006e60a8cbc5cc1829b1249a01 Mon Sep 17 00:00:00 2001 From: Fabio Verboso Date: Wed, 15 Dec 2021 18:26:49 +0100 Subject: [PATCH 57/66] Update iotronic.conf designate conf removed --- 3-conductor/build/conf/iotronic.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/3-conductor/build/conf/iotronic.conf b/3-conductor/build/conf/iotronic.conf index 48b98bf..7a5bc7d 100644 --- a/3-conductor/build/conf/iotronic.conf +++ b/3-conductor/build/conf/iotronic.conf @@ -61,15 +61,15 @@ project_domain_id= default [designate] -auth_url = https://dev.felooca.eu:5000/ -url = https://dev.felooca.eu:9001 +auth_url = http://:5000 +url = https://:9001 auth_strategy = password project_domain_name = default user_domain_name = default region_name = RegionOne -project_name = admin -username = admin -password = f3l00caSMDEV +project_name = service +username = designate +password = retries = 3 project_domain_id= default @@ -99,4 +99,4 @@ project_domain_id= default # Indicate which header field names may be used during the # actual request. (list value) -#allow_headers = \ No newline at end of file +#allow_headers = From 4ce40751bbf259f01d9f13fca7989c13e2995b17 Mon Sep 17 00:00:00 2001 From: Fabio Verboso Date: Wed, 15 Dec 2021 18:27:43 +0100 Subject: [PATCH 58/66] Update iotronic.conf designate conf removed --- 3-conductor/conf/iotronic.conf | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/3-conductor/conf/iotronic.conf b/3-conductor/conf/iotronic.conf index 48b98bf..20dee17 100644 --- a/3-conductor/conf/iotronic.conf +++ b/3-conductor/conf/iotronic.conf 
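Review bot: Replacing the `[designate]` admin credentials with `username = designate` and an empty `password =` does not remove them from history — patch 43 still carries the external endpoint's admin password — so that account should be rotated and the endpoint's owner told; the same edit is repeated for 3-conductor/conf/iotronic.conf in the next hunk. The new `auth_url = http://:5000` is plain HTTP while `url = https://:9001` and the `[keystone_authtoken]` section use HTTPS; if these are placeholders whose host was stripped in rendering the schemes should still agree, and a `# filled in at deploy time` comment would make that explicit. With `auth_strategy = password` and an empty password the conductor presumably fails to authenticate to Designate rather than skipping it, so if the integration is really removed as the subject says, commenting out the section is clearer.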
@@ -61,19 +61,18 @@ project_domain_id= default [designate] -auth_url = https://dev.felooca.eu:5000/ -url = https://dev.felooca.eu:9001 +auth_url = http://:5000 +url = https://:9001 auth_strategy = password project_domain_name = default user_domain_name = default region_name = RegionOne -project_name = admin -username = admin -password = f3l00caSMDEV +project_name = service +username = designate +password = retries = 3 project_domain_id= default - [cors] # Indicate whether this resource may be shared with the domain # received in the requests "origin" header. Format: @@ -99,4 +98,4 @@ project_domain_id= default # Indicate which header field names may be used during the # actual request. (list value) -#allow_headers = \ No newline at end of file +#allow_headers = From 0f419ce308fb8a957e6447582bacd83b65ecb763 Mon Sep 17 00:00:00 2001 From: Fabio Verboso Date: Wed, 22 Dec 2021 11:13:39 +0100 Subject: [PATCH 59/66] updated iotronic_ui on py3 version by default --- 6-ui/build/Dockerfile | 22 +- ...3.dockerfile => Dockerfile-py2.dockerfile} | 20 +- 6-ui/build/build-py2 | 4 + 6-ui/build/build-py3 | 4 - 6-ui/build/conf/local_settings.py | 586 +---------- 6-ui/conf/local_settings.py | 10 +- 6-ui/conf/py2/local_settings.py | 925 ++++++++++++++++++ 7 files changed, 984 insertions(+), 587 deletions(-) rename 6-ui/build/{Dockerfile-py3.dockerfile => Dockerfile-py2.dockerfile} (76%) create mode 100755 6-ui/build/build-py2 delete mode 100755 6-ui/build/build-py3 create mode 100644 6-ui/conf/py2/local_settings.py diff --git a/6-ui/build/Dockerfile b/6-ui/build/Dockerfile index 69a7804..20ad7b3 100644 --- a/6-ui/build/Dockerfile +++ b/6-ui/build/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:bionic +FROM ubuntu:focal ENV DEBIAN_FRONTEND=noninteractive 
@@ -9,13 +9,13 @@ ENV LANG C.UTF-8 RUN : \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ - software-properties-common python python-all apt-utils \ - python-dev python-all-dev python-openstackclient nano apache2 \ - memcached python-memcache openstack-dashboard git dialog curl wget vim \ + software-properties-common python3 python3-all apt-utils wget vim \ + python3-dev python3-all-dev python3-openstackclient nano apache2 \ + memcached python3-memcache openstack-dashboard git dialog curl gcc g++ \ && apt-get update && apt-get -y dist-upgrade \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ - && wget -qO- https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2 \ + && wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3 \ && : #RUN pip install setuptools @@ -23,16 +23,16 @@ RUN : \ RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic-py-client.git /opt/build/python-iotronicclient WORKDIR /opt/build/python-iotronicclient -RUN pip2 install -r requirements.txt -RUN python2 setup.py install +RUN pip3 install -r requirements.txt +RUN python3 setup.py install RUN git clone https://github.com/smartmeio/stack4things-openstack-iotronic-ui.git -b dev /opt/build/iotronic-ui # COPY iotronic-ui/ /opt/build/iotronic-ui/ WORKDIR /opt/build/iotronic-ui -RUN pip install -r requirements.txt -RUN python setup.py install +RUN pip3 install -r requirements.txt +RUN python3 setup.py install RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dashboard/api/ \ # && cp iotronic_ui/enabled/_60* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ && cp iotronic_ui/enabled/_6000_iot.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ 
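Review bot: `&& wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3 \` runs a script fetched over the network at every build with no pin or checksum, so the image's pip, and everything it then installs, depends on whatever is served that day; on focal the distribution package `python3-pip` can simply join the `apt-get install` list in the same `RUN`, which also avoids overlaying apt-managed Python with a pip-installed pip. The renamed Dockerfile-py2.dockerfile keeps the same pattern for the 2.7 bootstrap. The `git clone … -b dev` and `-b felooca_dev` context lines in the next hunk are likewise unpinned branch heads, and the new `RUN pip3 install -r requirements.txt` lines install whatever those branches resolve to, so two builds of the same Dockerfile can differ; a `git checkout <commit-id>` after each clone makes the build reproducible.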
@@ -41,6 +41,10 @@ RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dash && cp iotronic_ui/enabled/_63* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ +RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf + +RUN a2enconf server-name + #RUN apt-get remove --auto-remove openstack-dashboard-ubuntu-theme COPY conf/local_settings.py /etc/openstack-dashboard/ diff --git a/6-ui/build/Dockerfile-py3.dockerfile b/6-ui/build/Dockerfile-py2.dockerfile similarity index 76% rename from 6-ui/build/Dockerfile-py3.dockerfile rename to 6-ui/build/Dockerfile-py2.dockerfile index c729b43..69a7804 100644 --- a/6-ui/build/Dockerfile-py3.dockerfile +++ b/6-ui/build/Dockerfile-py2.dockerfile @@ -9,13 +9,13 @@ ENV LANG C.UTF-8 RUN : \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y nocache \ - software-properties-common python3 python3-all apt-utils wget vim \ - python3-dev python3-all-dev python3-openstackclient nano apache2 \ - memcached python3-memcache openstack-dashboard git dialog curl gcc g++ \ + software-properties-common python python-all apt-utils \ + python-dev python-all-dev python-openstackclient nano apache2 \ + memcached python-memcache openstack-dashboard git dialog curl wget vim \ && apt-get update && apt-get -y dist-upgrade \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ - && wget -qO- https://bootstrap.pypa.io/pip/get-pip.py | python3 \ + && wget -qO- https://bootstrap.pypa.io/pip/2.7/get-pip.py | python2 \ && : #RUN pip install setuptools 
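Review bot: `RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf` bakes a fixed hostname into the image, and the following `RUN a2enconf server-name` adds a second layer for what is one logical step. `ARG SERVER_NAME=demo-controller` followed by `RUN echo "ServerName ${SERVER_NAME}" > /etc/apache2/conf-available/server-name.conf && a2enconf server-name` keeps the current default while letting other deployments override it at build time. If the intent is only to silence Apache's fully-qualified-domain-name warning at startup, a comment saying so would stop a reader from expecting the value to match `OPENSTACK_HOST` in local_settings.py.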
@@ -23,16 +23,16 @@ RUN : \ RUN git clone -b felooca_dev --depth 1 https://github.com/smartmeio/stack4things-openstack-iotronic-py-client.git /opt/build/python-iotronicclient WORKDIR /opt/build/python-iotronicclient -RUN pip3 install -r requirements.txt -RUN python3 setup.py install +RUN pip2 install -r requirements.txt +RUN python2 setup.py install RUN git clone https://github.com/smartmeio/stack4things-openstack-iotronic-ui.git -b dev /opt/build/iotronic-ui # COPY iotronic-ui/ /opt/build/iotronic-ui/ WORKDIR /opt/build/iotronic-ui -RUN pip3 install -r requirements.txt -RUN python3 setup.py install +RUN pip install -r requirements.txt +RUN python setup.py install RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dashboard/api/ \ # && cp iotronic_ui/enabled/_60* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ && cp iotronic_ui/enabled/_6000_iot.py /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ @@ -41,10 +41,6 @@ RUN cp iotronic_ui/api/iotronic.py /usr/share/openstack-dashboard/openstack_dash && cp iotronic_ui/enabled/_63* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ \ && cp iotronic_ui/enabled/_64* /usr/share/openstack-dashboard/openstack_dashboard/enabled/ -RUN echo 'ServerName demo-controller' > /etc/apache2/conf-available/server-name.conf - -RUN a2enconf server-name - #RUN apt-get remove --auto-remove openstack-dashboard-ubuntu-theme COPY conf/local_settings.py /etc/openstack-dashboard/ diff --git a/6-ui/build/build-py2 b/6-ui/build/build-py2 new file mode 100755 index 0000000..46e24ab --- /dev/null +++ b/6-ui/build/build-py2 @@ -0,0 +1,4 @@ +#! /bin/bash + +VERSION="latest" +docker build -t smartmeio/s4t_iotronic_ui:$VERSION -f Dockerfile-py2.dockerfile . diff --git a/6-ui/build/build-py3 b/6-ui/build/build-py3 deleted file mode 100755 index 16bc213..0000000 --- a/6-ui/build/build-py3 +++ /dev/null 
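Review bot: The new build-py2 tags its image `smartmeio/s4t_iotronic_ui:$VERSION`, dropping the interpreter suffix the deleted build-py3 used (`s4t_iotronic_ui_py3`); if the default `build` script, which is not in this diff, tags the py3 image with the same name, running build-py2 silently overwrites it, and a distinct tag such as `smartmeio/s4t_iotronic_ui_py2:$VERSION` would avoid that. The script also builds from the caller's working directory rather than its own, so `docker build -f Dockerfile-py2.dockerfile .` only works when invoked from 6-ui/build; `cd "$(dirname "$0")" || exit 1` before the build and quoting `"$VERSION"` would make it location independent.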
@@ -1,4 +0,0 @@ -#! /bin/bash - -VERSION="latest" -docker build -t smartmeio/s4t_iotronic_ui_py3:$VERSION -f Dockerfile-py3.dockerfile . diff --git a/6-ui/build/conf/local_settings.py b/6-ui/build/conf/local_settings.py index c96eeb4..fd27ae7 100644 --- a/6-ui/build/conf/local_settings.py +++ b/6-ui/build/conf/local_settings.py @@ -1,5 +1,17 @@ # -*- coding: utf-8 -*- +# ---------------------------------------------------------------------- +# NOTE: The default values of the settings are defined in +# openstack_dashboard/defaults.py. Previously most available settings +# were listed in this example file, but it is no longer true. +# For available settings, see openstack_dashboard/defaults.py and +# the horizon setting reference found at +# https://docs.openstack.org/horizon/latest/configuration/settings.html. +# +# Django related settings and HORIZON_CONFIG still exist here. +# Keep in my mind that they will be revisit in upcoming releases. +# ---------------------------------------------------------------------- + import os from django.utils.translation import ugettext_lazy as _ @@ -21,17 +33,6 @@ # for more information #COMPRESS_OFFLINE = not DEBUG -# WEBROOT is the location relative to Webserver root -# should end with a slash. -WEBROOT = '/' -#LOGIN_URL = WEBROOT + 'auth/login/' -#LOGOUT_URL = WEBROOT + 'auth/logout/' -# -# LOGIN_REDIRECT_URL can be used as an alternative for -# HORIZON_CONFIG.user_home, if user_home is not set. -# Do not set it to '/home/', as this will cause circular redirect loop -#LOGIN_REDIRECT_URL = WEBROOT - # If horizon is running in production (DEBUG is False), set this # with the list of host/domain names that the application can serve. # For more information see: 
@@ -50,69 +51,6 @@ #CSRF_COOKIE_SECURE = True #SESSION_COOKIE_SECURE = True -# The absolute path to the directory where message files are collected. -# The message file must have a .json file extension. When the user logins to -# horizon, the message files collected are processed and displayed to the user. -#MESSAGES_PATH=None - -# Overrides for OpenStack API versions. Use this setting to force the -# OpenStack dashboard to use a specific API version for a given service API. -# Versions specified here should be integers or floats, not strings. -# NOTE: The version should be formatted as it appears in the URL for the -# service API. For example, The identity service APIs have inconsistent -# use of the decimal point, so valid options would be 2.0 or 3. -# Minimum compute version to get the instance locked status is 2.9. -#OPENSTACK_API_VERSIONS = { -# "data-processing": 1.1, -# "identity": 3, -# "image": 2, -# "volume": 2, -# "compute": 2, -#} - -# Set this to True if running on a multi-domain model. When this is enabled, it -# will require the user to enter the Domain name in addition to the username -# for login. -#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False - -# Set this to True if you want available domains displayed as a dropdown menu -# on the login screen. It is strongly advised NOT to enable this for public -# clouds, as advertising enabled domains to unauthenticated customers -# irresponsibly exposes private information. This should only be used for -# private clouds where the dashboard sits behind a corporate firewall. -#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False - -# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to -# set the available domains to choose from. This is a list of pairs whose first -# value is the domain name and the second is the display name. -#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( -# ('Default', 'Default'), -#) - -# Overrides the default domain used when running on single-domain model -# with Keystone V3. 
All entities will be created in the default domain. -# NOTE: This value must be the name of the default domain, NOT the ID. -# Also, you will most likely have a value in the keystone policy file like this -# "cloud_admin": "rule:admin_required and domain_id:" -# This value must be the name of the domain whose ID is specified there. -#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' - -# Set this to True to enable panels that provide the ability for users to -# manage Identity Providers (IdPs) and establish a set of rules to map -# federation protocol attributes to Identity API attributes. -# This extension requires v3.0+ of the Identity API. -#OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False - -# Set Console type: -# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS" -# or None. Set to None explicitly if you want to deactivate the console. -#CONSOLE_TYPE = "AUTO" - -# Toggle showing the openrc file for Keystone V2. -# If set to false the link will be removed from the user dropdown menu -# and the API Access page -#SHOW_KEYSTONE_V2_RC = True - # If provided, a "Report Bug" link will be displayed in the site header # which links to the value of this setting (ideally a URL containing # information on how to report issues). @@ -151,7 +89,9 @@ # We recommend you use memcached for development; otherwise after every reload # of the django development server, you will have to login again. To use -# memcached set CACHES to something like +# memcached set CACHES to something like below. +# For more information, see +# https://docs.djangoproject.com/en/1.11/topics/http/sessions/. CACHES = { 'default': { 
@@ -166,6 +106,12 @@ # } #} +# If you use ``tox -e runserver`` for developments,then configure +# SESSION_ENGINE to django.contrib.sessions.backends.signed_cookies +# as shown below: +#SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies' + + # Send email to the console by default EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' # Or send them to /dev/null 
@@ -177,352 +123,21 @@ #EMAIL_HOST_USER = 'djangomail' #EMAIL_HOST_PASSWORD = 'top-secret!' -# For multiple regions uncomment this configuration, and add (endpoint, title). -#AVAILABLE_REGIONS = [ -# ('http://cluster1.example.com:5000/v3', 'cluster1'), -# ('http://cluster2.example.com:5000/v3', 'cluster2'), -#] - OPENSTACK_HOST = "demo-controller.smartme.io" -OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST -OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" - -# For setting the default service region on a per-endpoint basis. Note that the -# default value for this setting is {}, and below is just an example of how it -# should be specified. -# A key of '*' is an optional global default if no other key matches. -#DEFAULT_SERVICE_REGIONS = { -# '*': 'RegionOne' -# OPENSTACK_KEYSTONE_URL: 'RegionTwo' -#} - -# Enables keystone web single-sign-on if set to True. -#WEBSSO_ENABLED = False - -# Authentication mechanism to be selected as default. -# The value must be a key from WEBSSO_CHOICES. -#WEBSSO_INITIAL_CHOICE = "credentials" - -# The list of authentication mechanisms which include keystone -# federation protocols and identity provider/federation protocol -# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol -# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID -# Connect respectively. -# Do not remove the mandatory credentials mechanism. -# Note: The last two tuples are sample mapping keys to a identity provider -# and federation protocol combination (WEBSSO_IDP_MAPPING). -#WEBSSO_CHOICES = ( -# ("credentials", _("Keystone Credentials")), -# ("oidc", _("OpenID Connect")), -# ("saml2", _("Security Assertion Markup Language")), -# ("acme_oidc", "ACME - OpenID Connect"), -# ("acme_saml2", "ACME - SAML2"), -#) - -# A dictionary of specific identity provider and federation protocol -# combinations. From the selected authentication mechanism, the value -# will be looked up as keys in the dictionary. 
If a match is found, -# it will redirect the user to a identity provider and federation protocol -# specific WebSSO endpoint in keystone, otherwise it will use the value -# as the protocol_id when redirecting to the WebSSO by protocol endpoint. -# NOTE: The value is expected to be a tuple formatted as: (, ). -#WEBSSO_IDP_MAPPING = { -# "acme_oidc": ("acme", "oidc"), -# "acme_saml2": ("acme", "saml2"), -#} - -# If set this URL will be used for web single-sign-on authentication -# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment -# scenarios where network segmentation is used per security requirement. -# In this case, the controllers are not reachable from public network. -# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL -# if it is set to the internal endpoint. -#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" - -# The Keystone Provider drop down uses Keystone to Keystone federation -# to switch between Keystone service providers. -# Set display name for Identity Provider (dropdown display name) -#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" -# This id is used for only for comparison with the service provider IDs. This ID -# should not match any service provider IDs. -#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" - -# Disable SSL certificate checks (useful for self-signed certificates): -#OPENSTACK_SSL_NO_VERIFY = True - -# The CA certificate to use to verify SSL connections -#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' - -# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the -# capabilities of the auth backend for Keystone. -# If Keystone has been configured to use LDAP as the auth backend then set -# can_edit_user to False and name to 'ldap'. -# -# TODO(tres): Remove these once Keystone has an API to identify auth backend. 
-OPENSTACK_KEYSTONE_BACKEND = { - 'name': 'native', - 'can_edit_user': True, - 'can_edit_group': True, - 'can_edit_project': True, - 'can_edit_domain': True, - 'can_edit_role': True, -} - -# Setting this to True, will add a new "Retrieve Password" action on instance, -# allowing Admin session password retrieval/decryption. -#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False - -# The Launch Instance user experience has been significantly enhanced. -# You can choose whether to enable the new launch instance experience, -# the legacy experience, or both. The legacy experience will be removed -# in a future release, but is available as a temporary backup setting to ensure -# compatibility with existing deployments. Further development will not be -# done on the legacy experience. Please report any problems with the new -# experience via the Launchpad tracking system. -# -# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to -# determine the experience to enable. Set them both to true to enable -# both. -#LAUNCH_INSTANCE_LEGACY_ENABLED = True -#LAUNCH_INSTANCE_NG_ENABLED = False - -# A dictionary of settings which can be used to provide the default values for -# properties found in the Launch Instance modal. -#LAUNCH_INSTANCE_DEFAULTS = { -# 'config_drive': False, -# 'enable_scheduler_hints': True, -# 'disable_image': False, -# 'disable_instance_snapshot': False, -# 'disable_volume': False, -# 'disable_volume_snapshot': False, -# 'create_volume': True, -#} - -# The Xen Hypervisor has the ability to set the mount point for volumes -# attached to instances (other Hypervisors currently do not). Setting -# can_set_mount_point to True will add the option to set the mount point -# from the UI. -OPENSTACK_HYPERVISOR_FEATURES = { - 'can_set_mount_point': False, - 'can_set_password': False, - 'requires_keypair': False, - 'enable_quotas': True -} - -# This settings controls whether IP addresses of servers are retrieved from -# neutron in the project instance table. 
Setting this to ``False`` may mitigate -# a performance issue in the project instance table in large deployments. -#OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True - -# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional -# services provided by cinder that is not exposed by its extension API. -OPENSTACK_CINDER_FEATURES = { - 'enable_backup': False, -} - -# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional -# services provided by neutron. Options currently available are load -# balancer service, security groups, quotas, VPN service. -OPENSTACK_NEUTRON_NETWORK = { - 'enable_router': True, - 'enable_quotas': True, - 'enable_ipv6': True, - 'enable_distributed_router': False, - 'enable_ha_router': False, - 'enable_fip_topology_check': True, - - # Default dns servers you would like to use when a subnet is - # created. This is only a default, users can still choose a different - # list of dns servers when creating a new subnet. - # The entries below are examples only, and are not appropriate for - # real deployments - # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"], - - # Set which provider network types are supported. Only the network types - # in this list will be available to choose from when creating a network. - # Network types include local, flat, vlan, gre, vxlan and geneve. - # 'supported_provider_types': ['*'], - - # You can configure available segmentation ID range per network type - # in your deployment. - # 'segmentation_id_range': { - # 'vlan': [1024, 2048], - # 'vxlan': [4094, 65536], - # }, - - # You can define additional provider network types here. - # 'extra_provider_types': { - # 'awesome_type': { - # 'display_name': 'Awesome New Type', - # 'require_physical_network': False, - # 'require_segmentation_id': True, - # } - # }, - - # Set which VNIC types are supported for port binding. Only the VNIC - # types in this list will be available to choose from when creating a - # port. 
- # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap', - # 'baremetal' and 'virtio-forwarder' - # Set to empty list or None to disable VNIC type selection. - 'supported_vnic_types': ['*'], - - # Set list of available physical networks to be selected in the physical - # network field on the admin create network modal. If it's set to an empty - # list, the field will be a regular input field. - # e.g. ['default', 'test'] - 'physical_networks': [], - -} - -# The OPENSTACK_HEAT_STACK settings can be used to disable password -# field required while launching the stack. -OPENSTACK_HEAT_STACK = { - 'enable_user_pass': True, -} - -# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features -# in the OpenStack Dashboard related to the Image service, such as the list -# of supported image formats. -#OPENSTACK_IMAGE_BACKEND = { -# 'image_formats': [ -# ('', _('Select format')), -# ('aki', _('AKI - Amazon Kernel Image')), -# ('ami', _('AMI - Amazon Machine Image')), -# ('ari', _('ARI - Amazon Ramdisk Image')), -# ('docker', _('Docker')), -# ('iso', _('ISO - Optical Disk Image')), -# ('ova', _('OVA - Open Virtual Appliance')), -# ('qcow2', _('QCOW2 - QEMU Emulator')), -# ('raw', _('Raw')), -# ('vdi', _('VDI - Virtual Disk Image')), -# ('vhd', _('VHD - Virtual Hard Disk')), -# ('vhdx', _('VHDX - Large Virtual Hard Disk')), -# ('vmdk', _('VMDK - Virtual Machine Disk')), -# ], -#} - -# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for -# image custom property attributes that appear on image detail pages. -IMAGE_CUSTOM_PROPERTY_TITLES = { - "architecture": _("Architecture"), - "kernel_id": _("Kernel ID"), - "ramdisk_id": _("Ramdisk ID"), - "image_state": _("Euca2ools state"), - "project_id": _("Project ID"), - "image_type": _("Image Type"), -} - -# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image -# custom properties should not be displayed in the Image Custom Properties -# table. 
-IMAGE_RESERVED_CUSTOM_PROPERTIES = [] - -# Set to 'legacy' or 'direct' to allow users to upload images to glance via -# Horizon server. When enabled, a file form field will appear on the create -# image form. If set to 'off', there will be no file form field on the create -# image form. See documentation for deployment considerations. -#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' - -# Allow a location to be set when creating or updating Glance images. -# If using Glance V2, this value should be False unless the Glance -# configuration and policies allow setting locations. -#IMAGES_ALLOW_LOCATION = False - -# A dictionary of default settings for create image modal. -#CREATE_IMAGE_DEFAULTS = { -# 'image_visibility': "public", -#} - -# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints -# in the Keystone service catalog. Use this setting when Horizon is running -# external to the OpenStack environment. The default is 'publicURL'. -#OPENSTACK_ENDPOINT_TYPE = "publicURL" - -# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the -# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints -# in the Keystone service catalog. Use this setting when Horizon is running -# external to the OpenStack environment. The default is None. This -# value should differ from OPENSTACK_ENDPOINT_TYPE if used. -#SECONDARY_ENDPOINT_TYPE = None - -# The number of objects (Swift containers/objects or images) to display -# on a single page before providing a paging element (a "more" link) -# to paginate results. -API_RESULT_LIMIT = 1000 -API_RESULT_PAGE_SIZE = 20 - -# The size of chunk in bytes for downloading objects from Swift -SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 - -# The default number of lines displayed for instance console log. -INSTANCE_LOG_LENGTH = 35 - -# Specify a maximum number of items to display in a dropdown. 
-DROPDOWN_MAX_ITEMS = 30 +OPENSTACK_KEYSTONE_URL = "https://%s:5000/identity/v3" % OPENSTACK_HOST # The timezone of the server. This should correspond with the timezone # of your entire OpenStack installation, and hopefully be in UTC. TIME_ZONE = "UTC" -# When launching an instance, the menu of available flavors is -# sorted by RAM usage, ascending. If you would like a different sort order, -# you can provide another flavor attribute as sorting key. Alternatively, you -# can provide a custom callback method to use for sorting. You can also provide -# a flag for reverse sort. For more info, see -# http://docs.python.org/2/library/functions.html#sorted -#CREATE_INSTANCE_FLAVOR_SORT = { -# 'key': 'name', -# # or -# 'key': my_awesome_callback_method, -# 'reverse': False, -#} - -# Set this to True to display an 'Admin Password' field on the Change Password -# form to verify that it is indeed the admin logged-in who wants to change -# the password. -#ENFORCE_PASSWORD_CHECK = False - -# Modules that provide /auth routes that can be used to handle different types -# of user authentication. Add auth plugins that require extra route handling to -# this list. -#AUTHENTICATION_URLS = [ -# 'openstack_auth.urls', -#] - -# The Horizon Policy Enforcement engine uses these values to load per service -# policy rule files. The content of these files should match the files the -# OpenStack services are using to determine role based access control in the -# target installation. - -# Path to directory containing policy.json files -#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") - -# Map of local copy of service policy files. -# Please insure that your identity policy file matches the one being used on -# your keystone servers. There is an alternate policy file that may be used -# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. 
-# This file is not included in the Horizon repository by default but can be -# found at -# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ -# policy.v3cloudsample.json -# Having matching policy files on the Horizon and Keystone servers is essential -# for normal operation. This holds true for all services and their policy files. -#POLICY_FILES = { -# 'identity': 'keystone_policy.json', -# 'compute': 'nova_policy.json', -# 'volume': 'cinder_policy.json', -# 'image': 'glance_policy.json', -# 'network': 'neutron_policy.json', -#} - # Change this patch to the appropriate list of tuples containing # a key, label and static directory containing two files: # _variables.scss and _styles.scss -AVAILABLE_THEMES = [ - ('default', 'Default', 'themes/default'), +#AVAILABLE_THEMES = [ +# ('default', 'Default', 'themes/default'), # ('material', 'Material', 'themes/material'), -] +# ('example', 'Example', 'themes/example'), +#] LOGGING = { 'version': 1, @@ -552,7 +167,7 @@ }, 'console': { # Set the level to "DEBUG" for verbose output logging. - 'level': 'INFO', + 'level': 'DEBUG' if DEBUG else 'INFO', 'class': 'logging.StreamHandler', 'formatter': 'console', }, 
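Review bot: `OPENSTACK_KEYSTONE_URL = "https://%s:5000/identity/v3" % OPENSTACK_HOST` points the dashboard at an https endpoint, but this hunk also drops the commented `OPENSTACK_SSL_CACERT` / `OPENSTACK_SSL_NO_VERIFY` lines that told an operator how to trust a private CA; if this stack uses its own CA, keeping `#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'` next to the URL saves the next reader from a certificate verification failure at login. The `/identity/v3` path is a proxy-style layout rather than the bare `:5000/v3` form the old line used, so a short comment on which reverse-proxy setup it assumes would help. The removed `OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"` now falls back to the value in openstack_dashboard/defaults.py, which the NOTE added at the top of this file points to; worth confirming that default matches the role name this keystone actually assigns.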
@@ -764,59 +379,15 @@ }, } -# Deprecation Notice: -# -# The setting FLAVOR_EXTRA_KEYS has been deprecated. -# Please load extra spec metadata into the Glance Metadata Definition Catalog. -# -# The sample quota definitions can be found in: -# /etc/metadefs/compute-quota.json -# -# The metadata definition catalog supports CLI and API: -# $glance --os-image-api-version 2 help md-namespace-import -# $glance-manage db_load_metadefs -# -# See Metadata Definitions on: -# https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html - -# The hash algorithm to use for authentication tokens. This must -# match the hash algorithm that the identity server and the -# auth_token middleware are using. Allowed values are the -# algorithms supported by Python's hashlib library. -#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' - -# AngularJS requires some settings to be made available to -# the client side. Some settings are required by in-tree / built-in horizon -# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the -# form of ['SETTING_1','SETTING_2'], etc. -# -# You may remove settings from this list for security purposes, but do so at -# the risk of breaking a built-in horizon feature. These settings are required -# for horizon to function properly. Only remove them if you know what you -# are doing. These settings may in the future be moved to be defined within -# the enabled panel configuration. -# You should not add settings to this list for out of tree extensions. -# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI -REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', - 'LAUNCH_INSTANCE_DEFAULTS', - 'OPENSTACK_IMAGE_FORMATS', - 'OPENSTACK_KEYSTONE_BACKEND', - 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', - 'CREATE_IMAGE_DEFAULTS', - 'ENFORCE_PASSWORD_CHECK'] - -# Additional settings can be made available to the client side for -# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS -# !! 
Please use extreme caution as the settings are transferred via HTTP/S -# and are not encrypted on the browser. This is an experimental API and -# may be deprecated in the future without notice. -#REST_API_ADDITIONAL_SETTINGS = [] +# Help URL can be made available for the client. To provide a help URL, edit the +# following attribute to the URL of your choice. +#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" ############################################################################### # Ubuntu Settings ############################################################################### - # The default theme if no cookie is present +# The default theme if no cookie is present DEFAULT_THEME = 'default' # Default Ubuntu apache configuration uses /horizon as the application root. 
@@ -829,97 +400,4 @@ # Compress all assets offline as part of packaging installation COMPRESS_OFFLINE = True - -# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded -# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame -# Scripting (XFS) vulnerability, so this option allows extra security hardening -# where iframes are not used in deployment. Default setting is True. -# For more information see: -# http://tinyurl.com/anticlickjack -#DISALLOW_IFRAME_EMBED = True - -# Help URL can be made available for the client. To provide a help URL, edit the -# following attribute to the URL of your choice. -#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" - -# Settings for OperationLogMiddleware -# OPERATION_LOG_ENABLED is flag to use the function to log an operation on -# Horizon. -# mask_targets is arrangement for appointing a target to mask. -# method_targets is arrangement of HTTP method to output log. -# format is the log contents. -#OPERATION_LOG_ENABLED = False -#OPERATION_LOG_OPTIONS = { -# 'mask_fields': ['password'], -# 'target_methods': ['POST'], -# 'ignored_urls': ['/js/', '/static/', '^/api/'], -# 'format': ("[%(client_ip)s] [%(domain_name)s]" -# " [%(domain_id)s] [%(project_name)s]" -# " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]" -# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" -# " [%(http_status)s] [%(param)s]"), -#} - -# The default date range in the Overview panel meters - either minus N -# days (if the value is integer N), or from the beginning of the current month -# until today (if set to None). This setting should be used to limit the amount -# of data fetched by default when rendering the Overview panel. -#OVERVIEW_DAYS_RANGE = 1 - -# To allow operators to require users provide a search criteria first -# before loading any data into the views, set the following dict -# attributes to True in each one of the panels you want to enable this feature. 
-# Follow the convention . -#FILTER_DATA_FIRST = { -# 'admin.instances': False, -# 'admin.images': False, -# 'admin.networks': False, -# 'admin.routers': False, -# 'admin.volumes': False, -# 'identity.users': False, -# 'identity.projects': False, -# 'identity.groups': False, -# 'identity.roles': False -#} - -# Dict used to restrict user private subnet cidr range. -# An empty list means that user input will not be restricted -# for a corresponding IP version. By default, there is -# no restriction for IPv4 or IPv6. To restrict -# user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR -# to something like -#ALLOWED_PRIVATE_SUBNET_CIDR = { -# 'ipv4': ['10.0.0.0/8', '192.168.0.0/16'], -# 'ipv6': ['fc00::/7'] -#} -ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} - -# Projects and users can have extra attributes as defined by keystone v3. -# Horizon has the ability to display these extra attributes via this setting. -# If you'd like to display extra data in the project or user tables, set the -# corresponding dict key to the attribute name, followed by the display name. -# For more information, see horizon's customization -# (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides) -#PROJECT_TABLE_EXTRA_INFO = { -# 'phone_num': _('Phone Number'), -#} -#USER_TABLE_EXTRA_INFO = { -# 'phone_num': _('Phone Number'), -#} - -# Password will have an expiration date when using keystone v3 and enabling the -# feature. -# This setting allows you to set the number of days that the user will be alerted -# prior to the password expiration. -# Once the password expires keystone will deny the access and users must -# contact an admin to change their password. -#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 - -IOTRONIC_ZONES={'iot.felooca.io', - 'iot.felooca.it', - # 'iot.felooca.com', - 'iot.felooca.net', - 'iot.felooca.org', - 'iot.felooca.eu', - 'iot.felooca.info' -} +IOTRONIC_ZONES={} \ No newline at end of file 
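Review bot: `IOTRONIC_ZONES={}` is an empty dict, not an empty set — the value it replaces was a set literal of zone names, so any consumer that adds to it or relies on set semantics now sees a different type; `IOTRONIC_ZONES = set()` keeps the original type. The same `{}` appears in the next hunk for 6-ui/conf/local_settings.py. A comment stating what the names are used for (they look like DNS zones, but nothing in this diff confirms that) would explain why the list was cleared, and the file now ends without a trailing newline.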
diff --git a/6-ui/conf/local_settings.py b/6-ui/conf/local_settings.py index c96eeb4..340e74e 100644 --- a/6-ui/conf/local_settings.py +++ b/6-ui/conf/local_settings.py @@ -915,11 +915,5 @@ # contact an admin to change their password. #PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 -IOTRONIC_ZONES={'iot.felooca.io', - 'iot.felooca.it', - # 'iot.felooca.com', - 'iot.felooca.net', - 'iot.felooca.org', - 'iot.felooca.eu', - 'iot.felooca.info' -} +IOTRONIC_ZONES={} + diff --git a/6-ui/conf/py2/local_settings.py b/6-ui/conf/py2/local_settings.py new file mode 100644 index 0000000..c96eeb4 --- /dev/null +++ b/6-ui/conf/py2/local_settings.py 
@@ -0,0 +1,925 @@ +# -*- coding: utf-8 -*- + +import os + +from django.utils.translation import ugettext_lazy as _ + +from horizon.utils import secret_key + +from openstack_dashboard.settings import HORIZON_CONFIG + +DEBUG = False + +# This setting controls whether or not compression is enabled. Disabling +# compression makes Horizon considerably slower, but makes it much easier +# to debug JS and CSS changes +#COMPRESS_ENABLED = not DEBUG + +# This setting controls whether compression happens on the fly, or offline +# with `python manage.py compress` +# See https://django-compressor.readthedocs.io/en/latest/usage/#offline-compression +# for more information +#COMPRESS_OFFLINE = not DEBUG + +# WEBROOT is the location relative to Webserver root +# should end with a slash. +WEBROOT = '/' +#LOGIN_URL = WEBROOT + 'auth/login/' +#LOGOUT_URL = WEBROOT + 'auth/logout/' +# +# LOGIN_REDIRECT_URL can be used as an alternative for +# HORIZON_CONFIG.user_home, if user_home is not set. +# Do not set it to '/home/', as this will cause circular redirect loop +#LOGIN_REDIRECT_URL = WEBROOT + +# If horizon is running in production (DEBUG is False), set this +# with the list of host/domain names that the application can serve. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts +#ALLOWED_HOSTS = ['horizon.example.com', ] + +# Set SSL proxy settings: +# Pass this header from the proxy after terminating the SSL, +# and don't forget to strip it from the client's request. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#secure-proxy-ssl-header +#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') + +# If Horizon is being served through SSL, then uncomment the following two +# settings to better secure the cookies from security exploits +#CSRF_COOKIE_SECURE = True +#SESSION_COOKIE_SECURE = True + +# The absolute path to the directory where message files are collected. 
+# The message file must have a .json file extension. When the user logins to +# horizon, the message files collected are processed and displayed to the user. +#MESSAGES_PATH=None + +# Overrides for OpenStack API versions. Use this setting to force the +# OpenStack dashboard to use a specific API version for a given service API. +# Versions specified here should be integers or floats, not strings. +# NOTE: The version should be formatted as it appears in the URL for the +# service API. For example, The identity service APIs have inconsistent +# use of the decimal point, so valid options would be 2.0 or 3. +# Minimum compute version to get the instance locked status is 2.9. +#OPENSTACK_API_VERSIONS = { +# "data-processing": 1.1, +# "identity": 3, +# "image": 2, +# "volume": 2, +# "compute": 2, +#} + +# Set this to True if running on a multi-domain model. When this is enabled, it +# will require the user to enter the Domain name in addition to the username +# for login. +#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False + +# Set this to True if you want available domains displayed as a dropdown menu +# on the login screen. It is strongly advised NOT to enable this for public +# clouds, as advertising enabled domains to unauthenticated customers +# irresponsibly exposes private information. This should only be used for +# private clouds where the dashboard sits behind a corporate firewall. +#OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN = False + +# If OPENSTACK_KEYSTONE_DOMAIN_DROPDOWN is enabled, this option can be used to +# set the available domains to choose from. This is a list of pairs whose first +# value is the domain name and the second is the display name. +#OPENSTACK_KEYSTONE_DOMAIN_CHOICES = ( +# ('Default', 'Default'), +#) + +# Overrides the default domain used when running on single-domain model +# with Keystone V3. All entities will be created in the default domain. +# NOTE: This value must be the name of the default domain, NOT the ID. 
+# Also, you will most likely have a value in the keystone policy file like this +# "cloud_admin": "rule:admin_required and domain_id:" +# This value must be the name of the domain whose ID is specified there. +#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' + +# Set this to True to enable panels that provide the ability for users to +# manage Identity Providers (IdPs) and establish a set of rules to map +# federation protocol attributes to Identity API attributes. +# This extension requires v3.0+ of the Identity API. +#OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = False + +# Set Console type: +# valid options are "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL", "MKS" +# or None. Set to None explicitly if you want to deactivate the console. +#CONSOLE_TYPE = "AUTO" + +# Toggle showing the openrc file for Keystone V2. +# If set to false the link will be removed from the user dropdown menu +# and the API Access page +#SHOW_KEYSTONE_V2_RC = True + +# If provided, a "Report Bug" link will be displayed in the site header +# which links to the value of this setting (ideally a URL containing +# information on how to report issues). +#HORIZON_CONFIG["bug_url"] = "http://bug-report.example.com" + +# Show backdrop element outside the modal, do not close the modal +# after clicking on backdrop. +#HORIZON_CONFIG["modal_backdrop"] = "static" + +# Specify a regular expression to validate user passwords. +#HORIZON_CONFIG["password_validator"] = { +# "regex": '.*', +# "help_text": _("Your password does not meet the requirements."), +#} + +# Turn off browser autocompletion for forms including the login form and +# the database creation workflow if so desired. +#HORIZON_CONFIG["password_autocomplete"] = "off" + +# Setting this to True will disable the reveal button for password fields, +# including on the login form. 
+#HORIZON_CONFIG["disable_password_reveal"] = False + +LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) + +# Set custom secret key: +# You can either set it to a specific value or you can let horizon generate a +# default secret key that is unique on this machine, e.i. regardless of the +# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, +# there may be situations where you would want to set this explicitly, e.g. +# when multiple dashboard instances are distributed on different machines +# (usually behind a load-balancer). Either you have to make sure that a session +# gets all requests routed to the same dashboard instance or you set the same +# SECRET_KEY for all of them. +SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key') + +# We recommend you use memcached for development; otherwise after every reload +# of the django development server, you will have to login again. To use +# memcached set CACHES to something like + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '127.0.0.1:11211', + }, +} + +#CACHES = { +# 'default': { +# 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', +# } +#} + +# Send email to the console by default +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' +# Or send them to /dev/null +#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' + +# Configure these for your outgoing email host +#EMAIL_HOST = 'smtp.my-company.com' +#EMAIL_PORT = 25 +#EMAIL_HOST_USER = 'djangomail' +#EMAIL_HOST_PASSWORD = 'top-secret!' + +# For multiple regions uncomment this configuration, and add (endpoint, title). 
+#AVAILABLE_REGIONS = [ +# ('http://cluster1.example.com:5000/v3', 'cluster1'), +# ('http://cluster2.example.com:5000/v3', 'cluster2'), +#] + +OPENSTACK_HOST = "demo-controller.smartme.io" +OPENSTACK_KEYSTONE_URL = "https://%s:5000/v3" % OPENSTACK_HOST +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member" + +# For setting the default service region on a per-endpoint basis. Note that the +# default value for this setting is {}, and below is just an example of how it +# should be specified. +# A key of '*' is an optional global default if no other key matches. +#DEFAULT_SERVICE_REGIONS = { +# '*': 'RegionOne' +# OPENSTACK_KEYSTONE_URL: 'RegionTwo' +#} + +# Enables keystone web single-sign-on if set to True. +#WEBSSO_ENABLED = False + +# Authentication mechanism to be selected as default. +# The value must be a key from WEBSSO_CHOICES. +#WEBSSO_INITIAL_CHOICE = "credentials" + +# The list of authentication mechanisms which include keystone +# federation protocols and identity provider/federation protocol +# mapping keys (WEBSSO_IDP_MAPPING). Current supported protocol +# IDs are 'saml2' and 'oidc' which represent SAML 2.0, OpenID +# Connect respectively. +# Do not remove the mandatory credentials mechanism. +# Note: The last two tuples are sample mapping keys to a identity provider +# and federation protocol combination (WEBSSO_IDP_MAPPING). +#WEBSSO_CHOICES = ( +# ("credentials", _("Keystone Credentials")), +# ("oidc", _("OpenID Connect")), +# ("saml2", _("Security Assertion Markup Language")), +# ("acme_oidc", "ACME - OpenID Connect"), +# ("acme_saml2", "ACME - SAML2"), +#) + +# A dictionary of specific identity provider and federation protocol +# combinations. From the selected authentication mechanism, the value +# will be looked up as keys in the dictionary. 
If a match is found, +# it will redirect the user to a identity provider and federation protocol +# specific WebSSO endpoint in keystone, otherwise it will use the value +# as the protocol_id when redirecting to the WebSSO by protocol endpoint. +# NOTE: The value is expected to be a tuple formatted as: (, ). +#WEBSSO_IDP_MAPPING = { +# "acme_oidc": ("acme", "oidc"), +# "acme_saml2": ("acme", "saml2"), +#} + +# If set this URL will be used for web single-sign-on authentication +# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment +# scenarios where network segmentation is used per security requirement. +# In this case, the controllers are not reachable from public network. +# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL +# if it is set to the internal endpoint. +#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3" + +# The Keystone Provider drop down uses Keystone to Keystone federation +# to switch between Keystone service providers. +# Set display name for Identity Provider (dropdown display name) +#KEYSTONE_PROVIDER_IDP_NAME = "Local Keystone" +# This id is used for only for comparison with the service provider IDs. This ID +# should not match any service provider IDs. +#KEYSTONE_PROVIDER_IDP_ID = "localkeystone" + +# Disable SSL certificate checks (useful for self-signed certificates): +#OPENSTACK_SSL_NO_VERIFY = True + +# The CA certificate to use to verify SSL connections +#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + +# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the +# capabilities of the auth backend for Keystone. +# If Keystone has been configured to use LDAP as the auth backend then set +# can_edit_user to False and name to 'ldap'. +# +# TODO(tres): Remove these once Keystone has an API to identify auth backend. 
+OPENSTACK_KEYSTONE_BACKEND = { + 'name': 'native', + 'can_edit_user': True, + 'can_edit_group': True, + 'can_edit_project': True, + 'can_edit_domain': True, + 'can_edit_role': True, +} + +# Setting this to True, will add a new "Retrieve Password" action on instance, +# allowing Admin session password retrieval/decryption. +#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False + +# The Launch Instance user experience has been significantly enhanced. +# You can choose whether to enable the new launch instance experience, +# the legacy experience, or both. The legacy experience will be removed +# in a future release, but is available as a temporary backup setting to ensure +# compatibility with existing deployments. Further development will not be +# done on the legacy experience. Please report any problems with the new +# experience via the Launchpad tracking system. +# +# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to +# determine the experience to enable. Set them both to true to enable +# both. +#LAUNCH_INSTANCE_LEGACY_ENABLED = True +#LAUNCH_INSTANCE_NG_ENABLED = False + +# A dictionary of settings which can be used to provide the default values for +# properties found in the Launch Instance modal. +#LAUNCH_INSTANCE_DEFAULTS = { +# 'config_drive': False, +# 'enable_scheduler_hints': True, +# 'disable_image': False, +# 'disable_instance_snapshot': False, +# 'disable_volume': False, +# 'disable_volume_snapshot': False, +# 'create_volume': True, +#} + +# The Xen Hypervisor has the ability to set the mount point for volumes +# attached to instances (other Hypervisors currently do not). Setting +# can_set_mount_point to True will add the option to set the mount point +# from the UI. +OPENSTACK_HYPERVISOR_FEATURES = { + 'can_set_mount_point': False, + 'can_set_password': False, + 'requires_keypair': False, + 'enable_quotas': True +} + +# This settings controls whether IP addresses of servers are retrieved from +# neutron in the project instance table. 
Setting this to ``False`` may mitigate +# a performance issue in the project instance table in large deployments. +#OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES = True + +# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional +# services provided by cinder that is not exposed by its extension API. +OPENSTACK_CINDER_FEATURES = { + 'enable_backup': False, +} + +# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional +# services provided by neutron. Options currently available are load +# balancer service, security groups, quotas, VPN service. +OPENSTACK_NEUTRON_NETWORK = { + 'enable_router': True, + 'enable_quotas': True, + 'enable_ipv6': True, + 'enable_distributed_router': False, + 'enable_ha_router': False, + 'enable_fip_topology_check': True, + + # Default dns servers you would like to use when a subnet is + # created. This is only a default, users can still choose a different + # list of dns servers when creating a new subnet. + # The entries below are examples only, and are not appropriate for + # real deployments + # 'default_dns_nameservers': ["8.8.8.8", "8.8.4.4", "208.67.222.222"], + + # Set which provider network types are supported. Only the network types + # in this list will be available to choose from when creating a network. + # Network types include local, flat, vlan, gre, vxlan and geneve. + # 'supported_provider_types': ['*'], + + # You can configure available segmentation ID range per network type + # in your deployment. + # 'segmentation_id_range': { + # 'vlan': [1024, 2048], + # 'vxlan': [4094, 65536], + # }, + + # You can define additional provider network types here. + # 'extra_provider_types': { + # 'awesome_type': { + # 'display_name': 'Awesome New Type', + # 'require_physical_network': False, + # 'require_segmentation_id': True, + # } + # }, + + # Set which VNIC types are supported for port binding. Only the VNIC + # types in this list will be available to choose from when creating a + # port. 
+ # VNIC types include 'normal', 'direct', 'direct-physical', 'macvtap', + # 'baremetal' and 'virtio-forwarder' + # Set to empty list or None to disable VNIC type selection. + 'supported_vnic_types': ['*'], + + # Set list of available physical networks to be selected in the physical + # network field on the admin create network modal. If it's set to an empty + # list, the field will be a regular input field. + # e.g. ['default', 'test'] + 'physical_networks': [], + +} + +# The OPENSTACK_HEAT_STACK settings can be used to disable password +# field required while launching the stack. +OPENSTACK_HEAT_STACK = { + 'enable_user_pass': True, +} + +# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features +# in the OpenStack Dashboard related to the Image service, such as the list +# of supported image formats. +#OPENSTACK_IMAGE_BACKEND = { +# 'image_formats': [ +# ('', _('Select format')), +# ('aki', _('AKI - Amazon Kernel Image')), +# ('ami', _('AMI - Amazon Machine Image')), +# ('ari', _('ARI - Amazon Ramdisk Image')), +# ('docker', _('Docker')), +# ('iso', _('ISO - Optical Disk Image')), +# ('ova', _('OVA - Open Virtual Appliance')), +# ('qcow2', _('QCOW2 - QEMU Emulator')), +# ('raw', _('Raw')), +# ('vdi', _('VDI - Virtual Disk Image')), +# ('vhd', _('VHD - Virtual Hard Disk')), +# ('vhdx', _('VHDX - Large Virtual Hard Disk')), +# ('vmdk', _('VMDK - Virtual Machine Disk')), +# ], +#} + +# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for +# image custom property attributes that appear on image detail pages. +IMAGE_CUSTOM_PROPERTY_TITLES = { + "architecture": _("Architecture"), + "kernel_id": _("Kernel ID"), + "ramdisk_id": _("Ramdisk ID"), + "image_state": _("Euca2ools state"), + "project_id": _("Project ID"), + "image_type": _("Image Type"), +} + +# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image +# custom properties should not be displayed in the Image Custom Properties +# table. 
+IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + +# Set to 'legacy' or 'direct' to allow users to upload images to glance via +# Horizon server. When enabled, a file form field will appear on the create +# image form. If set to 'off', there will be no file form field on the create +# image form. See documentation for deployment considerations. +#HORIZON_IMAGES_UPLOAD_MODE = 'legacy' + +# Allow a location to be set when creating or updating Glance images. +# If using Glance V2, this value should be False unless the Glance +# configuration and policies allow setting locations. +#IMAGES_ALLOW_LOCATION = False + +# A dictionary of default settings for create image modal. +#CREATE_IMAGE_DEFAULTS = { +# 'image_visibility': "public", +#} + +# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is 'publicURL'. +#OPENSTACK_ENDPOINT_TYPE = "publicURL" + +# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the +# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is None. This +# value should differ from OPENSTACK_ENDPOINT_TYPE if used. +#SECONDARY_ENDPOINT_TYPE = None + +# The number of objects (Swift containers/objects or images) to display +# on a single page before providing a paging element (a "more" link) +# to paginate results. +API_RESULT_LIMIT = 1000 +API_RESULT_PAGE_SIZE = 20 + +# The size of chunk in bytes for downloading objects from Swift +SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 + +# The default number of lines displayed for instance console log. +INSTANCE_LOG_LENGTH = 35 + +# Specify a maximum number of items to display in a dropdown. +DROPDOWN_MAX_ITEMS = 30 + +# The timezone of the server. 
This should correspond with the timezone +# of your entire OpenStack installation, and hopefully be in UTC. +TIME_ZONE = "UTC" + +# When launching an instance, the menu of available flavors is +# sorted by RAM usage, ascending. If you would like a different sort order, +# you can provide another flavor attribute as sorting key. Alternatively, you +# can provide a custom callback method to use for sorting. You can also provide +# a flag for reverse sort. For more info, see +# http://docs.python.org/2/library/functions.html#sorted +#CREATE_INSTANCE_FLAVOR_SORT = { +# 'key': 'name', +# # or +# 'key': my_awesome_callback_method, +# 'reverse': False, +#} + +# Set this to True to display an 'Admin Password' field on the Change Password +# form to verify that it is indeed the admin logged-in who wants to change +# the password. +#ENFORCE_PASSWORD_CHECK = False + +# Modules that provide /auth routes that can be used to handle different types +# of user authentication. Add auth plugins that require extra route handling to +# this list. +#AUTHENTICATION_URLS = [ +# 'openstack_auth.urls', +#] + +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. + +# Path to directory containing policy.json files +#POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") + +# Map of local copy of service policy files. +# Please insure that your identity policy file matches the one being used on +# your keystone servers. There is an alternate policy file that may be used +# in the Keystone v3 multi-domain case, policy.v3cloudsample.json. 
+# This file is not included in the Horizon repository by default but can be +# found at +# http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \ +# policy.v3cloudsample.json +# Having matching policy files on the Horizon and Keystone servers is essential +# for normal operation. This holds true for all services and their policy files. +#POLICY_FILES = { +# 'identity': 'keystone_policy.json', +# 'compute': 'nova_policy.json', +# 'volume': 'cinder_policy.json', +# 'image': 'glance_policy.json', +# 'network': 'neutron_policy.json', +#} + +# Change this patch to the appropriate list of tuples containing +# a key, label and static directory containing two files: +# _variables.scss and _styles.scss +AVAILABLE_THEMES = [ + ('default', 'Default', 'themes/default'), +# ('material', 'Material', 'themes/material'), +] + +LOGGING = { + 'version': 1, + # When set to True this will disable all logging except + # for loggers specified in this configuration dictionary. Note that + # if nothing is specified here and disable_existing_loggers is True, + # django.db.backends will still log unless it is disabled explicitly. + 'disable_existing_loggers': False, + # If apache2 mod_wsgi is used to deploy OpenStack dashboard + # timestamp is output by mod_wsgi. If WSGI framework you use does not + # output timestamp for logging, add %(asctime)s in the following + # format definitions. + 'formatters': { + 'console': { + 'format': '%(levelname)s %(name)s %(message)s' + }, + 'operation': { + # The format of "%(message)s" is defined by + # OPERATION_LOG_OPTIONS['format'] + 'format': '%(message)s' + }, + }, + 'handlers': { + 'null': { + 'level': 'DEBUG', + 'class': 'logging.NullHandler', + }, + 'console': { + # Set the level to "DEBUG" for verbose output logging. 
+ 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'console', + }, + 'operation': { + 'level': 'INFO', + 'class': 'logging.StreamHandler', + 'formatter': 'operation', + }, + }, + 'loggers': { + 'horizon': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'horizon.operation_log': { + 'handlers': ['operation'], + 'level': 'INFO', + 'propagate': False, + }, + 'openstack_dashboard': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'novaclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'cinderclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneauth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'glanceclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'neutronclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'swiftclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'oslo_policy': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_auth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'django': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + # Logging from django.db.backends is VERY verbose, send to null + # by default. 
+ 'django.db.backends': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests': { + 'handlers': ['null'], + 'propagate': False, + }, + 'urllib3': { + 'handlers': ['null'], + 'propagate': False, + }, + 'chardet.charsetprober': { + 'handlers': ['null'], + 'propagate': False, + }, + 'iso8601': { + 'handlers': ['null'], + 'propagate': False, + }, + 'scss': { + 'handlers': ['null'], + 'propagate': False, + }, + }, +} + +# 'direction' should not be specified for all_tcp/udp/icmp. +# It is specified in the form. +SECURITY_GROUP_RULES = { + 'all_tcp': { + 'name': _('All TCP'), + 'ip_protocol': 'tcp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_udp': { + 'name': _('All UDP'), + 'ip_protocol': 'udp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_icmp': { + 'name': _('All ICMP'), + 'ip_protocol': 'icmp', + 'from_port': '-1', + 'to_port': '-1', + }, + 'ssh': { + 'name': 'SSH', + 'ip_protocol': 'tcp', + 'from_port': '22', + 'to_port': '22', + }, + 'smtp': { + 'name': 'SMTP', + 'ip_protocol': 'tcp', + 'from_port': '25', + 'to_port': '25', + }, + 'dns': { + 'name': 'DNS', + 'ip_protocol': 'tcp', + 'from_port': '53', + 'to_port': '53', + }, + 'http': { + 'name': 'HTTP', + 'ip_protocol': 'tcp', + 'from_port': '80', + 'to_port': '80', + }, + 'pop3': { + 'name': 'POP3', + 'ip_protocol': 'tcp', + 'from_port': '110', + 'to_port': '110', + }, + 'imap': { + 'name': 'IMAP', + 'ip_protocol': 'tcp', + 'from_port': '143', + 'to_port': '143', + }, + 'ldap': { + 'name': 'LDAP', + 'ip_protocol': 'tcp', + 'from_port': '389', + 'to_port': '389', + }, + 'https': { + 'name': 'HTTPS', + 'ip_protocol': 'tcp', + 'from_port': '443', + 'to_port': '443', + }, + 'smtps': { + 'name': 'SMTPS', + 'ip_protocol': 'tcp', + 'from_port': '465', + 'to_port': '465', + }, + 'imaps': { + 'name': 'IMAPS', + 'ip_protocol': 'tcp', + 'from_port': '993', + 'to_port': '993', + }, + 'pop3s': { + 'name': 'POP3S', + 'ip_protocol': 'tcp', + 'from_port': '995', + 'to_port': '995', + }, + 'ms_sql': { 
+ 'name': 'MS SQL', + 'ip_protocol': 'tcp', + 'from_port': '1433', + 'to_port': '1433', + }, + 'mysql': { + 'name': 'MYSQL', + 'ip_protocol': 'tcp', + 'from_port': '3306', + 'to_port': '3306', + }, + 'rdp': { + 'name': 'RDP', + 'ip_protocol': 'tcp', + 'from_port': '3389', + 'to_port': '3389', + }, +} + +# Deprecation Notice: +# +# The setting FLAVOR_EXTRA_KEYS has been deprecated. +# Please load extra spec metadata into the Glance Metadata Definition Catalog. +# +# The sample quota definitions can be found in: +# /etc/metadefs/compute-quota.json +# +# The metadata definition catalog supports CLI and API: +# $glance --os-image-api-version 2 help md-namespace-import +# $glance-manage db_load_metadefs +# +# See Metadata Definitions on: +# https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html + +# The hash algorithm to use for authentication tokens. This must +# match the hash algorithm that the identity server and the +# auth_token middleware are using. Allowed values are the +# algorithms supported by Python's hashlib library. +#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' + +# AngularJS requires some settings to be made available to +# the client side. Some settings are required by in-tree / built-in horizon +# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the +# form of ['SETTING_1','SETTING_2'], etc. +# +# You may remove settings from this list for security purposes, but do so at +# the risk of breaking a built-in horizon feature. These settings are required +# for horizon to function properly. Only remove them if you know what you +# are doing. These settings may in the future be moved to be defined within +# the enabled panel configuration. +# You should not add settings to this list for out of tree extensions. 
+# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI +REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES', + 'LAUNCH_INSTANCE_DEFAULTS', + 'OPENSTACK_IMAGE_FORMATS', + 'OPENSTACK_KEYSTONE_BACKEND', + 'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN', + 'CREATE_IMAGE_DEFAULTS', + 'ENFORCE_PASSWORD_CHECK'] + +# Additional settings can be made available to the client side for +# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS +# !! Please use extreme caution as the settings are transferred via HTTP/S +# and are not encrypted on the browser. This is an experimental API and +# may be deprecated in the future without notice. +#REST_API_ADDITIONAL_SETTINGS = [] + +############################################################################### +# Ubuntu Settings +############################################################################### + + # The default theme if no cookie is present +DEFAULT_THEME = 'default' + +# Default Ubuntu apache configuration uses /horizon as the application root. +WEBROOT='/horizon/' + +# By default, validation of the HTTP Host header is disabled. Production +# installations should have this set accordingly. For more information +# see https://docs.djangoproject.com/en/dev/ref/settings/. +ALLOWED_HOSTS = '*' + +# Compress all assets offline as part of packaging installation +COMPRESS_OFFLINE = True + +# DISALLOW_IFRAME_EMBED can be used to prevent Horizon from being embedded +# within an iframe. Legacy browsers are still vulnerable to a Cross-Frame +# Scripting (XFS) vulnerability, so this option allows extra security hardening +# where iframes are not used in deployment. Default setting is True. +# For more information see: +# http://tinyurl.com/anticlickjack +#DISALLOW_IFRAME_EMBED = True + +# Help URL can be made available for the client. To provide a help URL, edit the +# following attribute to the URL of your choice. 
+#HORIZON_CONFIG["help_url"] = "http://openstack.mycompany.org" + +# Settings for OperationLogMiddleware +# OPERATION_LOG_ENABLED is flag to use the function to log an operation on +# Horizon. +# mask_targets is arrangement for appointing a target to mask. +# method_targets is arrangement of HTTP method to output log. +# format is the log contents. +#OPERATION_LOG_ENABLED = False +#OPERATION_LOG_OPTIONS = { +# 'mask_fields': ['password'], +# 'target_methods': ['POST'], +# 'ignored_urls': ['/js/', '/static/', '^/api/'], +# 'format': ("[%(client_ip)s] [%(domain_name)s]" +# " [%(domain_id)s] [%(project_name)s]" +# " [%(project_id)s] [%(user_name)s] [%(user_id)s] [%(request_scheme)s]" +# " [%(referer_url)s] [%(request_url)s] [%(message)s] [%(method)s]" +# " [%(http_status)s] [%(param)s]"), +#} + +# The default date range in the Overview panel meters - either minus N +# days (if the value is integer N), or from the beginning of the current month +# until today (if set to None). This setting should be used to limit the amount +# of data fetched by default when rendering the Overview panel. +#OVERVIEW_DAYS_RANGE = 1 + +# To allow operators to require users provide a search criteria first +# before loading any data into the views, set the following dict +# attributes to True in each one of the panels you want to enable this feature. +# Follow the convention . +#FILTER_DATA_FIRST = { +# 'admin.instances': False, +# 'admin.images': False, +# 'admin.networks': False, +# 'admin.routers': False, +# 'admin.volumes': False, +# 'identity.users': False, +# 'identity.projects': False, +# 'identity.groups': False, +# 'identity.roles': False +#} + +# Dict used to restrict user private subnet cidr range. +# An empty list means that user input will not be restricted +# for a corresponding IP version. By default, there is +# no restriction for IPv4 or IPv6. 
To restrict +# user private subnet cidr range set ALLOWED_PRIVATE_SUBNET_CIDR +# to something like +#ALLOWED_PRIVATE_SUBNET_CIDR = { +# 'ipv4': ['10.0.0.0/8', '192.168.0.0/16'], +# 'ipv6': ['fc00::/7'] +#} +ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []} + +# Projects and users can have extra attributes as defined by keystone v3. +# Horizon has the ability to display these extra attributes via this setting. +# If you'd like to display extra data in the project or user tables, set the +# corresponding dict key to the attribute name, followed by the display name. +# For more information, see horizon's customization +# (https://docs.openstack.org/horizon/latest/configuration/customizing.html#horizon-customization-module-overrides) +#PROJECT_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} +#USER_TABLE_EXTRA_INFO = { +# 'phone_num': _('Phone Number'), +#} + +# Password will have an expiration date when using keystone v3 and enabling the +# feature. +# This setting allows you to set the number of days that the user will be alerted +# prior to the password expiration. +# Once the password expires keystone will deny the access and users must +# contact an admin to change their password. +#PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS = 0 + +IOTRONIC_ZONES={'iot.felooca.io', + 'iot.felooca.it', + # 'iot.felooca.com', + 'iot.felooca.net', + 'iot.felooca.org', + 'iot.felooca.eu', + 'iot.felooca.info' +} From f5c958e26126b5e388cbc41cf878cf0dd13ba020 Mon Sep 17 00:00:00 2001 
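Review bot: `ALLOWED_HOSTS = '*'` in the "Ubuntu Settings" part of the new file switches off Django's Host-header validation while `DEBUG = False`, and `CSRF_COOKIE_SECURE` / `SESSION_COOKIE_SECURE` remain commented out even though `OPENSTACK_KEYSTONE_URL` is built with `https://`; if this dashboard is served over TLS, set `ALLOWED_HOSTS = ['<dashboard-hostname>']`, `CSRF_COOKIE_SECURE = True`, `SESSION_COOKIE_SECURE = True`. `WEBROOT` is assigned twice (`'/'` near the top, `'/horizon/'` in the Ubuntu section), so the first assignment is dead and should go or be documented as overridden. This py2 copy also keeps the hard-coded `IOTRONIC_ZONES` set that the sibling hunk for 6-ui/conf/local_settings.py empties, so the two variants now diverge without a comment saying which one is authoritative.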
From: Fabio Verboso Date: Wed, 29 Dec 2021 16:29:06 +0100 Subject: [PATCH 60/66] init script per designate --- 7-designate/7-designate | 42 + 7-designate/7.5-designate | 18 + 7-designate/build/Dockerfile | 31 + 7-designate/build/bin/startDesignate | 68 + 7-designate/build/build | 4 + 7-designate/conf/designate.conf | 2165 ++++++++++++++++++++++++++ 7-designate/conf/named.conf.options | 40 + 7-designate/conf/pools.yaml | 43 + 8 files changed, 2411 insertions(+) create mode 100755 7-designate/7-designate create mode 100755 7-designate/7.5-designate create mode 100644 7-designate/build/Dockerfile create mode 100755 7-designate/build/bin/startDesignate create mode 100755 7-designate/build/build create mode 100644 7-designate/conf/designate.conf create mode 100644 7-designate/conf/named.conf.options create mode 100644 7-designate/conf/pools.yaml diff --git a/7-designate/7-designate b/7-designate/7-designate new file mode 100755 index 0000000..be8dd48 --- /dev/null +++ b/7-designate/7-designate 
@@ -0,0 +1,42 @@
+#! /bin/bash
+
+VERSION="latest"
+
+docker create \
+ --name=s4t_designate \
+ --restart unless-stopped\
+ --network=s4t-controller-network \
+ --hostname designate \
+ -p 9002:9001 \
+ -p 53:53/udp \
+ -p 53:53/tcp \
+ -v s4t_designate_config:/etc/designate/ \
+ -v /var/log/designate-conductor:/var/log/designate \
+smartme/s4t_designate:$VERSION
+
+docker cp conf/designate.conf s4t_designate:/etc/designate/
+docker cp conf/pools.yaml s4t_designate:/etc/designate/
+docker cp conf/named.conf.options s4t_designate:/etc/bind/
+
+docker run --rm \
+ --network=s4t-controller-network \
+ -v s4t_designate_config:/etc/designate/ \
+ -v /var/log/designate-conductor:/var/log/designate \
+smartme/s4t_designate:$VERSION \
+/bin/sh -c "chown -R designate:designate /var/log/designate/"
+
+docker run --rm \
+ --network=s4t-controller-network \
+ -v s4t_designate_config:/etc/designate/ \
+ -v /var/log/designate-conductor:/var/log/designate \
+smartme/s4t_designate:$VERSION /bin/sh -c "designate-manage database sync" designate
+
+docker run --rm \
+ --network=s4t-controller-network \
+ -v s4t_designate_config:/etc/designate/ \
+ -v /var/log/designate-conductor:/var/log/designate \
+smartme/s4t_designate:$VERSION /bin/sh -c "designate-manage pool update" designate
+
+docker cp build/bin/startDesignate s4t_designate:/usr/local/bin/
+
+docker start s4t_designate
diff --git a/7-designate/7.5-designate b/7-designate/7.5-designate
new file mode 100755
index 0000000..ca101ee
--- /dev/null
+++ b/7-designate/7.5-designate
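Review bot: The image name here does not match what the build script produces: every `docker create`/`docker run` in this hunk references `smartme/s4t_designate:$VERSION`, while the `7-designate/build/build` hunk tags the image as `smartmeio/s4t_designate:$VERSION`, so a locally built image is never used and Docker will instead try to pull `smartme/s4t_designate:latest` from the registry. One of the two scripts should be changed so both use the same repository name. The script also has no error handling, so a failed `designate-manage database sync` or `pool update` does not prevent the final `docker start s4t_designate`; adding `set -euo pipefail` after the shebang and quoting the image as `"smartme/s4t_designate:$VERSION"` would make the sequence stop at the first failure. `--restart unless-stopped\` has no space before the continuation backslash and should be written `--restart unless-stopped \` like the surrounding lines.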
@@ -0,0 +1,18 @@
+#! /bin/bash
+
+IP_DESIGNATE="demo-controller.smartme.io"
+HTTPS=true
+DESIGNATE_PASS="smartme"
+
+URL="http://$IP_DESIGNATE:9001"
+if [ "$HTTPS" = true ] ; then
+ URL="https://$IP_DESIGNATE:9001"
+fi
+
+echo $URL
+
+docker exec s4t_keystone openstack service create dns --name Designate
+docker exec s4t_keystone openstack user create --password $DESIGNATE_PASS designate
+docker exec s4t_keystone openstack role add --project service --user designate admin
+
+docker exec s4t_keystone openstack endpoint create --region RegionOne dns public $URL
diff --git a/7-designate/build/Dockerfile b/7-designate/build/Dockerfile
new file mode 100644
index 0000000..c27bbe1
--- /dev/null
+++ b/7-designate/build/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:bionic
+#ENV VERSION=2.3.9
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+ENV LC_CTYPE en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANG C.UTF-8
+
+RUN apt-get update \
+ && apt-get install nocache -y software-properties-common locales tzdata\
+ && add-apt-repository -y cloud-archive:stein \
+ && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim
+
+RUN locale-gen en_US.UTF-8
+ENV TZ 'Europe/Rome'
+RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata
+
+RUN apt-get install nocache bind9 bind9utils bind9-doc designate-worker designate-producer designate-mdns -y
+#RUN rndc-confgen -a -k designate -c /etc/bind/rndc.key -r /dev/urandom
+
+COPY bin/startDesignate /usr/local/bin/startDesignate
+
+VOLUME ["/etc/designate"]
+VOLUME ["/var/log/designate"]
+
+EXPOSE 9001
+EXPOSE 53
+EXPOSE 53/udp
+
+CMD ["/usr/local/bin/startDesignate"]
diff --git a/7-designate/build/bin/startDesignate b/7-designate/build/bin/startDesignate
new file mode 100755
index 0000000..488eb49
--- /dev/null
+++ b/7-designate/build/bin/startDesignate
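Review bot: `DESIGNATE_PASS="smartme"` commits the service-account password to the repository in clear, and the same value appears as `password = smartme` in the `conf/designate.conf` hunk of this commit, so rotating it means editing two files. The password is then handed to `openstack user create --password $DESIGNATE_PASS`, which puts it on the command line of both the `docker exec` on the host and the client inside the container, where any local user can read it from the process list. Take it from the environment instead, `: "${DESIGNATE_PASS:?DESIGNATE_PASS must be set}"`, and prefer `openstack user create --password-prompt designate` (or reading it from stdin) over passing it as an argument. `$DESIGNATE_PASS` and `$URL` are also unquoted in the `docker exec` lines; quote them as `"$DESIGNATE_PASS"` and `"$URL"`.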
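Review bot: `apt-get install nocache -y ...` in all three RUN lines treats `nocache` as a package name, not an option, so each line installs the unrelated `nocache` utility rather than disabling any cache; the intent was presumably `--no-install-recommends`, and the apt lists should be removed at the end of each layer with `&& rm -rf /var/lib/apt/lists/*` to keep the image small. `ENV LANG en_US.UTF-8` is immediately overridden by `ENV LANG C.UTF-8`, so the first line is dead and should be dropped or the two reconciled with `LC_CTYPE`. With `#RUN rndc-confgen ...` commented out the image ships no rndc key, so whatever key `conf/named.conf.options` references has to be provided at deploy time; a comment saying where it comes from would help the next person.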
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+
+/usr/sbin/named -f -u bind &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start bind9: $status"
+ exit $status
+fi
+
+# Start the first process
+/usr/bin/designate-central --config-file=/etc/designate/designate.conf &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start designate-central: $status"
+ exit $status
+fi
+
+# Start the second process
+/usr/bin/designate-api --config-file=/etc/designate/designate.conf &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start designate-api: $status"
+ exit $status
+fi
+
+/usr/bin/designate-worker --config-file=/etc/designate/designate.conf &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start designate-worker: $status"
+ exit $status
+fi
+
+/usr/bin/designate-producer --config-file=/etc/designate/designate.conf &
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start designate-producer: $status"
+ exit $status
+fi
+
+/usr/bin/designate-mdns --config-file=/etc/designate/designate.conf
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Failed to start designate-mdns: $status"
+ exit $status
+fi
+
+
+while sleep 60; do
+ ps aux |grep named |grep -q -v grep
+ PROCESS_1_STATUS=$?
+ ps aux |grep designate-central |grep -q -v grep
+ PROCESS_2_STATUS=$?
+ ps aux |grep designate-api |grep -q -v grep
+ PROCESS_3_STATUS=$?
+ ps aux |grep designate-worker |grep -q -v grep
+ PROCESS_4_STATUS=$?
+ ps aux |grep designate-producer |grep -q -v grep
+ PROCESS_5_STATUS=$?
+ ps aux |grep designate-mdns |grep -q -v grep
+ PROCESS_6_STATUS=$?
+ # If the greps above find anything, they exit with 0 status
+ # If they are not both 0, then something is wrong
+ if [ $PROCESS_1_STATUS -ne 0 -o $PROCESS_2_STATUS -ne 0 -o $PROCESS_3_STATUS -ne 0 -o $PROCESS_4_STATUS -ne 0 -o $PROCESS_5_STATUS -ne 0 -o $PROCESS_6_STATUS -ne 0 ]; then
+ echo "One of the processes has already exited."
+ exit 1
+ fi
+done
\ No newline at end of file
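Review bot: `status=$?` after a command ending in `&` captures the status of backgrounding the job, which is always 0, so none of the five "Failed to start" checks can ever fire. `designate-mdns` is the one service started in the foreground, so the `while sleep 60` monitor loop is only reached after mdns exits, and while it runs the other five processes are unsupervised; the `ps aux | grep` probes in the loop would also match any process whose arguments merely contain those strings. Starting all six in the background and using bash's `wait -n` (available in the bionic base image) to exit as soon as any child dies is both shorter and correct, as below; the container's `--restart unless-stopped` policy then restarts the whole set. Separately, `named` drops to `bind` via `-u`, but the designate daemons run as root here even though `7-designate` chowns the log directory to a `designate` user — presumably they were meant to run as that user (e.g. via `runuser -u designate --`), worth confirming.
```shell
#!/bin/bash
# Start every service in the background and exit as soon as any of them
# does; the container restart policy then brings the whole set back up.
set -u
conf=/etc/designate/designate.conf
/usr/sbin/named -f -u bind &
/usr/bin/designate-central --config-file="$conf" &
/usr/bin/designate-api --config-file="$conf" &
/usr/bin/designate-worker --config-file="$conf" &
/usr/bin/designate-producer --config-file="$conf" &
/usr/bin/designate-mdns --config-file="$conf" &
wait -n
echo "One of the processes has exited." >&2
exit 1
```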
diff --git a/7-designate/build/build b/7-designate/build/build
new file mode 100755
index 0000000..cfe0b99
--- /dev/null
+++ b/7-designate/build/build
@@ -0,0 +1,4 @@
+#! /bin/bash
+
+VERSION="latest"
+docker build -t smartmeio/s4t_designate:$VERSION .
diff --git a/7-designate/conf/designate.conf b/7-designate/conf/designate.conf
new file mode 100644
index 0000000..a82f58e
--- /dev/null
+++ b/7-designate/conf/designate.conf
@@ -0,0 +1,2165 @@ +[DEFAULT] +transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ + +# +# From designate.conf +# + +# Name of this node (string value) +# +# This option has a sample default set, which means that +# its actual default value may vary from the one documented +# below. +#host = current_hostname + +# Directory where the designate python module is installed (string value) +# +# This option has a sample default set, which means that +# its actual default value may vary from the one documented +# below. +#pybasedir = + +# Top-level directory for maintaining designate's state (string value) +#state_path = /var/lib/designate + +# Additional modules that contains allowed RPC exceptions. (list value) +# Deprecated group/name - [DEFAULT]/allowed_rpc_exception_modules +#allowed_remote_exmods = + +# TTL Value (integer value) +#default_ttl = 3600 + +# SOA refresh-min value (integer value) +# Deprecated group/name - [DEFAULT]/default_soa_refresh +#default_soa_refresh_min = 3500 + +# SOA max value (integer value) +#default_soa_refresh_max = 3600 + +# SOA retry (integer value) +#default_soa_retry = 600 + +# SOA expire (integer value) +#default_soa_expire = 86400 + +# SOA minimum value (integer value) +#default_soa_minimum = 3600 + +# Supported record types (list value) +#supported_record_type = A,AAAA,CNAME,MX,SRV,TXT,SPF,NS,PTR,SSHFP,SOA,NAPTR,CAA,CERT + +# Number of backlog requests to configure the socket with (integer value) +#backlog = 4096 + +# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not +# supported on OS X. (integer value) +#tcp_keepidle = 600 + +# designate-rootwrap configuration (string value) +#root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf + +# Which API to use. (string value) +#network_api = neutron + +# Send notifications if there's a failure in the API. 
(boolean value) +#notify_api_faults = false + +# The notification plugin to use (string value) +#notification_plugin = default + +# Quota driver to use (string value) +#quota_driver = storage + +# Number of zones allowed per tenant (integer value) +#quota_zones = 10 + +# Number of recordsets allowed per zone (integer value) +#quota_zone_recordsets = 500 + +# Number of records allowed per zone (integer value) +#quota_zone_records = 500 + +# Number of records allowed per recordset (integer value) +#quota_recordset_records = 20 + +# Number of recordsets allowed in a zone export (integer value) +#quota_api_export_size = 1000 + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, log-date-format). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. 
(string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and Linux +# platform is used. This option is ignored if log_config_append is set. (boolean +# value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append is +# set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol which +# includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is set to "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when the +# service was started) is used when scheduling the next rotation. (string value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. 
(integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message is +# DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. 
(list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO,kazoo.client=WARN,keystone=INFO,oslo_service.loopingcall=WARN + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or +# empty string. Logs with level greater or equal to rate_limit_except_level are +# not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# +# From oslo.messaging +# + +# Size of RPC connection pool. (integer value) +# Minimum value: 1 +#rpc_conn_pool_size = 30 + +# The pool size limit for connections expiration policy (integer value) +#conn_pool_min_size = 2 + +# The time-to-live in sec of idle connections in the pool (integer value) +#conn_pool_ttl = 1200 + +# Size of executor thread pool when executor is threading or eventlet. 
(integer +# value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# The network address and optional user credentials for connecting to the +# messaging backend, in URL format. The expected format is: +# +# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query +# +# Example: rabbit://rabbitmq:password@127.0.0.1:5672// +# +# For full details on the fields in the URL see the documentation of +# oslo_messaging.TransportURL at +# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html +# (string value) +#transport_url = rabbit:// + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = designate + +# Add an endpoint to answer to ping calls. Endpoint is named +# oslo_rpc_server_ping (boolean value) +#rpc_ping_enabled = false + +# +# From oslo.service.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should we run them here? +# (boolean value) +#run_external_periodic_tasks = true + +# +# From oslo.service.service +# + +# Enable eventlet backdoor. Acceptable values are 0, , and :, +# where 0 results in listening on a random tcp port number; results in +# listening on the specified port number (and not enabling backdoor if that port +# is in use); and : results in listening on the smallest unused port +# number within the specified range of port numbers. The chosen port is +# displayed in the service's log file. (string value) +#backdoor_port = + +# Enable eventlet backdoor, using the provided path as a unix socket that can +# receive connections. This option is mutually exclusive with 'backdoor_port' in +# that only one should be provided. If both are provided then the existence of +# this option overrides the usage of that option. 
Inside the path {pid} will be +# replaced with the PID of the current process. (string value) +#backdoor_socket = + +# Enables or disables logging values of all registered options when starting a +# service (at DEBUG level). (boolean value) +#log_options = true + +# Specify a timeout after which a gracefully shutdown server will exit. Zero +# value means endless wait. (integer value) +#graceful_shutdown_timeout = 60 + +# +# From oslo.service.wsgi +# + +# File name for the paste.deploy config for api service (string value) +#api_paste_config = api-paste.ini + +# A python format string that is used as the template to generate log lines. The +# following values can beformatted into it: client_ip, date_time, request_line, +# status_code, body_length, wall_seconds. (string value) +#wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f + +# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not +# supported on OS X. (integer value) +#tcp_keepidle = 600 + +# Size of the pool of greenthreads used by wsgi (integer value) +#wsgi_default_pool_size = 100 + +# Maximum line size of message headers to be accepted. max_header_line may need +# to be increased when using large tokens (typically those generated when +# keystone is configured to use PKI tokens with big service catalogs). (integer +# value) +#max_header_line = 16384 + +# If False, closes the client socket connection explicitly. (boolean value) +#wsgi_keep_alive = true + +# Timeout for client connections' socket operations. If an incoming connection +# is idle for this number of seconds it will be closed. A value of '0' means +# wait forever. 
(integer value) +#client_socket_timeout = 900 + + +[backend:agent:bind9] + +# +# From designate.conf +# + +# RNDC Host (string value) +#rndc_host = 127.0.0.1 + +# RNDC Port (integer value) +#rndc_port = 953 + +# RNDC Config File (string value) +#rndc_config_file = + +# RNDC Key File (string value) +#rndc_key_file = + +# RNDC command timeout (integer value) +# Minimum value: 0 +#rndc_timeout = 0 + +# Path where zone files are stored (string value) +#zone_file_path = $state_path/zones + +# Host to query when finding zones (string value) +#query_destination = 127.0.0.1 + + +[backend:agent:denominator] + +# +# From designate.conf +# + +# Name of the affected provider (string value) +#name = fake + +# Path to Denominator configuration file (string value) +#config_file = /etc/denominator.conf + + +[backend:agent:djbdns] + +# +# From designate.conf +# + +# tcpclient executable path or rootwrap command name (string value) +#tcpclient_cmd_name = tcpclient + +# axfr-get executable path or rootwrap command name (string value) +#axfr_get_cmd_name = axfr-get + +# tinydns-data executable path or rootwrap command name (string value) +#tinydns_data_cmd_name = tinydns-data + +# TinyDNS data directory (string value) +#tinydns_datadir = /var/lib/djbdns + +# Host to query when finding zones (string value) +#query_destination = 127.0.0.1 + + +[backend:agent:gdnsd] + +# +# From designate.conf +# + +# gdnsd executable path or rootwrap command name (string value) +#gdnsd_cmd_name = gdnsd + +# gdnsd configuration directory path (string value) +#confdir_path = /etc/gdnsd + +# Host to query when finding zones (string value) +#query_destination = 127.0.0.1 + + +[backend:agent:knot2] + +# +# From designate.conf +# + +# knotc executable path or rootwrap command name (string value) +#knotc_cmd_name = knotc + +# Host to query when finding zones (string value) +#query_destination = 127.0.0.1 + + +[backend:dynect] + +# +# From designate.conf +# + +# Timeout in seconds for pulling a job in DynECT. 
(integer value) +#job_timeout = 30 + +# Timeout in seconds for API Requests. (integer value) +#timeout = 10 + +# Measure requests timings. (boolean value) +#timings = false + + +[backend:infoblox] + +# +# From designate.conf +# + +# DEPRECATED: wapi_url (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#wapi_url = + +# DEPRECATED: username (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#username = + +# DEPRECATED: password (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#password = + +# DEPRECATED: sslverify (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#sslverify = true + +# DEPRECATED: multi_tenant (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#multi_tenant = false + +# DEPRECATED: http_pool_connections (integer value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#http_pool_connections = 100 + +# DEPRECATED: http_pool_maxsize (integer value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: All backend options have been migrated to options in the pools.yaml +# file +#http_pool_maxsize = 100 + +# DEPRECATED: dns_view (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#dns_view = default + +# DEPRECATED: network_view (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#network_view = default + +# DEPRECATED: ns_group (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: All backend options have been migrated to options in the pools.yaml +# file +#ns_group = + + +[coordination] + +# +# From designate.conf +# + +# The backend URL to use for distributed coordination. If unset services that +# need coordination will function as a standalone service. This is a `tooz` url +# - see https://docs.openstack.org/tooz/latest/user/compatibility.html (string +# value) +#backend_url = + +# Number of seconds between heartbeats for distributed coordination. (floating +# point value) +#heartbeat_interval = 5.0 + +# Number of seconds between checks to see if group membership has changed +# (floating point value) +#run_watchers_interval = 10.0 + + +[cors] + +# +# From oslo.middleware +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = X-OpenStack-Request-ID,Host + +# Maximum cache age of CORS preflight requests. 
(integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,PUT,POST,DELETE,PATCH,HEAD + +# Indicate which header field names may be used during the actual request. (list +# value) +#allow_headers = X-Auth-Token,X-Auth-Sudo-Tenant-ID,X-Auth-Sudo-Project-ID,X-Auth-All-Projects,X-Designate-Edit-Managed-Records,OpenStack-DNS-Hide-Counts + + +[database] + +# +# From oslo.db +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set by +# the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Connections which have been present in the connection pool longer than this +# number of seconds will be replaced with a new one the next time they are +# checked out from the pool. (integer value) +#connection_recycle_time = 3600 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of 0 +# indicates no limit. (integer value) +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. 
(integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. (boolean +# value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + +# Optional URL parameters to append onto the connection URL at connect time; +# specify as param1=value1¶m2=value2&... 
(string value)
+#connection_parameters =
+
+
+[handler:neutron_floatingip]
+
+#
+# From designate.conf
+#
+
+# notification any events from neutron (list value)
+#notification_topics = notifications
+
+# control-exchange for neutron notification (string value)
+#control_exchange = neutron
+
+# Zone ID with each notification (string value)
+#zone_id =
+
+# IPv4 format (multi valued)
+#formatv4 =
+
+# DEPRECATED: format which replaced by formatv4/formatv6 (multi valued)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by 'formatv4/formatv6'
+#format =
+
+# IPv6 format (multi valued)
+#formatv6 =
+
+
+[handler:nova_fixed]
+
+#
+# From designate.conf
+#
+
+# notification any events from nova (list value)
+#notification_topics = notifications
+
+# control-exchange for nova notification (string value)
+#control_exchange = nova
+
+# Zone ID with each notification (string value)
+#zone_id =
+
+# IPv4 format (multi valued)
+#formatv4 =
+
+# DEPRECATED: format which replaced by formatv4/formatv6 (multi valued)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by 'formatv4/formatv6'
+#format =
+
+# IPv6 format (multi valued)
+#formatv6 =
+
+
+[healthcheck]
+
+#
+# From oslo.middleware
+#
+
+# DEPRECATED: The path to respond to healtcheck requests on. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#path = /healthcheck
+
+# Show more detailed information as part of the response. Security note:
+# Enabling this option may expose sensitive details about the service being
+# monitored. Be sure to verify that it will not violate your security policies.
+# (boolean value)
+#detailed = false
+
+# Additional backends that can perform health checks and report that information
+# back as part of a request.
(list value)
+#backends =
+
+# Check the presence of a file to determine if an application is running on a
+# port. Used by DisableByFileHealthcheck plugin. (string value)
+#disable_by_file_path =
+
+# Check the presence of a file based on a port to determine if an application is
+# running on a port. Expects a "port:path" list of strings. Used by
+# DisableByFilesPortsHealthcheck plugin. (list value)
+#disable_by_file_paths =
+
+
+[heartbeat_emitter]
+
+#
+# From designate.conf
+#
+
+# Number of seconds between heartbeats for reporting state (floating point
+# value)
+#heartbeat_interval = 10.0
+
+# Emitter to use (string value)
+#emitter_type = rpc
+
+
+[keystone]
+
+#
+# From designate.conf
+#
+
+# The default service_type for endpoint URL discovery. (string value)
+#service_type =
+
+# The default service_name for endpoint URL discovery. (string value)
+#service_name =
+
+# List of interfaces, in order of preference, for endpoint URL. (list value)
+#valid_interfaces =
+
+# The default region_name for endpoint URL discovery. (string value)
+#region_name =
+
+# Always use this endpoint URL for requests for this client. NOTE: The
+# unversioned endpoint should be specified here; to request a particular API
+# version, use the `version`, `min-version`, and/or `max-version` options.
+# (string value)
+#endpoint_override =
+
+# Minimum Major API version within a given Major API version for endpoint URL
+# discovery. Mutually exclusive with min_version and max_version (string value)
+#version =
+
+# The minimum major version of a given API, intended to be used as the lower
+# bound of a range with max_version. Mutually exclusive with version. If
+# min_version is given with no max_version it is as if max version is "latest".
+# (string value)
+#min_version =
+
+# The maximum major version of a given API, intended to be used as the upper
+# bound of a range with min_version. Mutually exclusive with version.
(string
+# value)
+#max_version =
+
+# The maximum number of retries that should be attempted for connection errors.
+# (integer value)
+#connect_retries =
+
+# Delay (in seconds) between two retries for connection errors. If not set,
+# exponential retry starting with 0.5 seconds up to a maximum of 60 seconds is
+# used. (floating point value)
+#connect_retry_delay =
+
+# The maximum number of retries that should be attempted for retriable HTTP
+# status codes. (integer value)
+#status_code_retries =
+
+# Delay (in seconds) between two retries for retriable status codes. If not set,
+# exponential retry starting with 0.5 seconds up to a maximum of 60 seconds is
+# used. (floating point value)
+#status_code_retry_delay =
+
+# DEPRECATED: The default interface for endpoint URL discovery. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Using valid-interfaces is preferrable because it is capable of
+# accepting a list of possible interfaces.
+#interface =
+
+# PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# (string value)
+#cafile =
+
+# PEM encoded client certificate cert file (string value)
+#certfile =
+
+# PEM encoded client certificate key file (string value)
+#keyfile =
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# Timeout value for http requests (integer value)
+#timeout =
+
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Log requests to multiple loggers.
(boolean value)
+#split_loggers = false
+
+
+[keystone_authtoken]
+auth_type = password
+username = designate
+password = smartme
+project_name = service
+project_domain_name = Default
+user_domain_name = Default
+www_authenticate_uri = https://demo-controller.smartme.io:5000
+auth_url = https://demo-controller.smartme.io:5000
+memcached_servers = s4t_keystone:11211
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
+# clients are redirected to this endpoint to authenticate. Although this
+# endpoint should ideally be unversioned, client support in the wild varies. If
+# you're using a versioned v2 endpoint here, then this should *not* be the same
+# endpoint the service user utilizes for validating tokens, because normal end
+# users may not be able to reach that endpoint. (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+#www_authenticate_uri =
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release. (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
+# will be removed in the S release.
+#auth_uri =
+
+# API version of the Identity API endpoint.
(string value)
+#auth_version =
+
+# Interface to use for the Identity API endpoint. Valid values are "public",
+# "internal" (default) or "admin". (string value)
+#interface = internal
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout =
+
+# How many times are we trying to reconnect when communicating with Identity API
+# Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache =
+
+# Required if identity server requires client certificate (string value)
+#certfile =
+
+# Required if identity server requires client certificate (string value)
+#keyfile =
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile =
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name =
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers =
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set to
+# -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted.
If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+# Possible values:
+# None -
+# MAC -
+# ENCRYPT -
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key =
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached server.
+# (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
+# value)
+#memcache_use_advanced_pool = true
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it if
+# not. "strict" like "permissive" but if the bind type is unknown the token will
+# be rejected.
"required" any form of token binding is needed to be allowed.
+# Finally the name of a binding method that must be present in tokens. (string
+# value)
+#enforce_token_bind = permissive
+
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present. For
+# backwards compatibility reasons this currently only affects the allow_expired
+# check. (list value)
+#service_token_roles = service
+
+# For backwards compatibility reasons we must let valid service tokens pass that
+# don't pass the service_token_roles check as valid. Setting this true will
+# become the default in a future release and should be enabled if possible.
+# (boolean value)
+#service_token_roles_required = false
+
+# The name or type of the service as it appears in the service catalog. This is
+# used to validate tokens that have restricted access rules. (string value)
+#service_type =
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type =
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section =
+
+
+[monasca:statsd]
+
+#
+# From designate.conf
+#
+
+# enable (boolean value)
+#enabled = false
+
+# UDP port (integer value)
+#port = 8125
+
+# hostname (string value)
+#hostname = 127.0.0.1
+
+
+[network_api:neutron]
+
+#
+# From designate.conf
+#
+
+# URL to use if None in the ServiceCatalog that is passed by the request
+# context.
Format: | (list value)
+#endpoints =
+
+# Endpoint type to use (string value)
+#endpoint_type = publicURL
+
+# timeout value for connecting to neutron in seconds (integer value)
+#timeout = 30
+
+# username for connecting to neutron in admin context (string value)
+#admin_username =
+
+# password for connecting to neutron in admin context (string value)
+#admin_password =
+
+# tenant name for connecting to neutron in admin context (string value)
+#admin_tenant_name =
+
+# auth url for connecting to neutron in admin context (string value)
+#auth_url =
+
+# if set, ignore any SSL validation issues (boolean value)
+#insecure = false
+
+# auth strategy for connecting to neutron in admin context (string value)
+#auth_strategy = keystone
+
+# Location of ca certificates file to use for neutron client requests. (string
+# value)
+#ca_certificates_file =
+
+
+[oslo_concurrency]
+
+#
+# From oslo.concurrency
+#
+
+# Enables or disables inter-process locks. (boolean value)
+#disable_process_locking = false
+
+# Directory to use for lock files. For security, the specified directory should
+# only be writable by the user running the processes that need locking. Defaults
+# to environment variable OSLO_LOCK_PATH. If external locks are used, a lock
+# path must be set. (string value)
+#lock_path = $state_path
+
+
+[oslo_messaging_amqp]
+
+#
+# From oslo.messaging
+#
+
+# Name for the AMQP container. must be globally unique. Defaults to a generated
+# UUID (string value)
+#container_name =
+
+# Timeout for inactive connections (in seconds) (integer value)
+#idle_timeout = 0
+
+# Debug: dump AMQP frames to stdout (boolean value)
+#trace = false
+
+# Attempt to connect via SSL. If no other ssl-related parameters are given, it
+# will use the system's CA-bundle to verify the server's certificate.
(boolean
+# value)
+#ssl = false
+
+# CA certificate PEM file used to verify the server's certificate (string value)
+#ssl_ca_file =
+
+# Self-identifying certificate PEM file for client authentication (string value)
+#ssl_cert_file =
+
+# Private key PEM file used to sign ssl_cert_file certificate (optional) (string
+# value)
+#ssl_key_file =
+
+# Password for decrypting ssl_key_file (if encrypted) (string value)
+#ssl_key_password =
+
+# By default SSL checks that the name in the server's certificate matches the
+# hostname in the transport_url. In some configurations it may be preferable to
+# use the virtual hostname instead, for example if the server uses the Server
+# Name Indication TLS extension (rfc6066) to provide a certificate per virtual
+# host. Set ssl_verify_vhost to True if the server's SSL certificate uses the
+# virtual host name instead of the DNS name. (boolean value)
+#ssl_verify_vhost = false
+
+# Space separated list of acceptable SASL mechanisms (string value)
+#sasl_mechanisms =
+
+# Path to directory that contains the SASL configuration (string value)
+#sasl_config_dir =
+
+# Name of configuration file (without .conf suffix) (string value)
+#sasl_config_name =
+
+# SASL realm to use if no realm present in username (string value)
+#sasl_default_realm =
+
+# Seconds to pause before attempting to re-connect. (integer value)
+# Minimum value: 1
+#connection_retry_interval = 1
+
+# Increase the connection_retry_interval by this many seconds after each
+# unsuccessful failover attempt. (integer value)
+# Minimum value: 0
+#connection_retry_backoff = 2
+
+# Maximum limit for connection_retry_interval + connection_retry_backoff
+# (integer value)
+# Minimum value: 1
+#connection_retry_interval_max = 30
+
+# Time to pause between re-connecting an AMQP 1.0 link that failed due to a
+# recoverable error.
(integer value)
+# Minimum value: 1
+#link_retry_delay = 10
+
+# The maximum number of attempts to re-send a reply message which failed due to
+# a recoverable error. (integer value)
+# Minimum value: -1
+#default_reply_retry = 0
+
+# The deadline for an rpc reply message delivery. (integer value)
+# Minimum value: 5
+#default_reply_timeout = 30
+
+# The deadline for an rpc cast or call message delivery. Only used when caller
+# does not provide a timeout expiry. (integer value)
+# Minimum value: 5
+#default_send_timeout = 30
+
+# The deadline for a sent notification message delivery. Only used when caller
+# does not provide a timeout expiry. (integer value)
+# Minimum value: 5
+#default_notify_timeout = 30
+
+# The duration to schedule a purge of idle sender links. Detach link after
+# expiry. (integer value)
+# Minimum value: 1
+#default_sender_link_timeout = 600
+
+# Indicates the addressing mode used by the driver.
+# Permitted values:
+# 'legacy' - use legacy non-routable addressing
+# 'routable' - use routable addresses
+# 'dynamic' - use legacy addresses if the message bus does not support routing
+# otherwise use routable addressing (string value)
+#addressing_mode = dynamic
+
+# Enable virtual host support for those message buses that do not natively
+# support virtual hosting (such as qpidd). When set to true the virtual host
+# name will be added to all message bus addresses, effectively creating a
+# private 'subnet' per virtual host. Set to False if the message bus supports
+# virtual hosting using the 'hostname' field in the AMQP 1.0 Open performative
+# as the name of the virtual host.
(boolean value)
+#pseudo_vhost = true
+
+# address prefix used when sending to a specific server (string value)
+#server_request_prefix = exclusive
+
+# address prefix used when broadcasting to all servers (string value)
+#broadcast_prefix = broadcast
+
+# address prefix when sending to any server in group (string value)
+#group_request_prefix = unicast
+
+# Address prefix for all generated RPC addresses (string value)
+#rpc_address_prefix = openstack.org/om/rpc
+
+# Address prefix for all generated Notification addresses (string value)
+#notify_address_prefix = openstack.org/om/notify
+
+# Appended to the address prefix when sending a fanout message. Used by the
+# message bus to identify fanout messages. (string value)
+#multicast_address = multicast
+
+# Appended to the address prefix when sending to a particular RPC/Notification
+# server. Used by the message bus to identify messages sent to a single
+# destination. (string value)
+#unicast_address = unicast
+
+# Appended to the address prefix when sending to a group of consumers. Used by
+# the message bus to identify messages that should be delivered in a round-robin
+# fashion across consumers. (string value)
+#anycast_address = anycast
+
+# Exchange name used in notification addresses.
+# Exchange name resolution precedence:
+# Target.exchange if set
+# else default_notification_exchange if set
+# else control_exchange if set
+# else 'notify' (string value)
+#default_notification_exchange =
+
+# Exchange name used in RPC addresses.
+# Exchange name resolution precedence:
+# Target.exchange if set
+# else default_rpc_exchange if set
+# else control_exchange if set
+# else 'rpc' (string value)
+#default_rpc_exchange =
+
+# Window size for incoming RPC Reply messages.
(integer value)
+# Minimum value: 1
+#reply_link_credit = 200
+
+# Window size for incoming RPC Request messages (integer value)
+# Minimum value: 1
+#rpc_server_credit = 100
+
+# Window size for incoming Notification messages (integer value)
+# Minimum value: 1
+#notify_server_credit = 100
+
+# Send messages of this type pre-settled.
+# Pre-settled messages will not receive acknowledgement
+# from the peer. Note well: pre-settled messages may be
+# silently discarded if the delivery fails.
+# Permitted values:
+# 'rpc-call' - send RPC Calls pre-settled
+# 'rpc-reply'- send RPC Replies pre-settled
+# 'rpc-cast' - Send RPC Casts pre-settled
+# 'notify' - Send Notifications pre-settled
+# (multi valued)
+#pre_settled = rpc-cast
+#pre_settled = rpc-reply
+
+
+[oslo_messaging_kafka]
+
+#
+# From oslo.messaging
+#
+
+# Max fetch bytes of Kafka consumer (integer value)
+#kafka_max_fetch_bytes = 1048576
+
+# Default timeout(s) for Kafka consumers (floating point value)
+#kafka_consumer_timeout = 1.0
+
+# DEPRECATED: Pool Size for Kafka Consumers (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#pool_size = 10
+
+# DEPRECATED: The pool size limit for connections expiration policy (integer
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#conn_pool_min_size = 2
+
+# DEPRECATED: The time-to-live in sec of idle connections in the pool (integer
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#conn_pool_ttl = 1200
+
+# Group id for Kafka consumer.
Consumers in one group will coordinate message
+# consumption (string value)
+#consumer_group = oslo_messaging_consumer
+
+# Upper bound on the delay for KafkaProducer batching in seconds (floating point
+# value)
+#producer_batch_timeout = 0.0
+
+# Size of batch for the producer async send (integer value)
+#producer_batch_size = 16384
+
+# The compression codec for all data generated by the producer. If not set,
+# compression will not be used. Note that the allowed values of this depend on
+# the kafka version (string value)
+# Possible values:
+# none -
+# gzip -
+# snappy -
+# lz4 -
+# zstd -
+#compression_codec = none
+
+# Enable asynchronous consumer commits (boolean value)
+#enable_auto_commit = false
+
+# The maximum number of records returned in a poll call (integer value)
+#max_poll_records = 500
+
+# Protocol used to communicate with brokers (string value)
+# Possible values:
+# PLAINTEXT -
+# SASL_PLAINTEXT -
+# SSL -
+# SASL_SSL -
+#security_protocol = PLAINTEXT
+
+# Mechanism when security protocol is SASL (string value)
+#sasl_mechanism = PLAIN
+
+# CA certificate PEM file used to verify the server certificate (string value)
+#ssl_cafile =
+
+# Client certificate PEM file used for authentication. (string value)
+#ssl_client_cert_file =
+
+# Client key PEM file used for authentication. (string value)
+#ssl_client_key_file =
+
+# Client key password file used for authentication. (string value)
+#ssl_client_key_password =
+
+
+[oslo_messaging_notifications]
+
+#
+# From oslo.messaging
+#
+
+# The Drivers(s) to handle sending notifications. Possible values are messaging,
+# messagingv2, routing, log, test, noop (multi valued)
+# Deprecated group/name - [DEFAULT]/notification_driver
+#driver =
+
+# A URL representing the messaging driver to use for notifications. If not set,
+# we fall back to the same configuration used for RPC.
(string value)
+# Deprecated group/name - [DEFAULT]/notification_transport_url
+#transport_url =
+
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+# Deprecated group/name - [DEFAULT]/notification_topics
+#topics = notifications
+
+# The maximum number of attempts to re-send a notification message which failed
+# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
+# (integer value)
+#retry = -1
+
+
+[oslo_messaging_rabbit]
+
+#
+# From oslo.messaging
+#
+
+# Use durable queues in AMQP. (boolean value)
+#amqp_durable_queues = false
+
+# Auto-delete queues in AMQP. (boolean value)
+#amqp_auto_delete = false
+
+# Connect over SSL. (boolean value)
+# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl
+#ssl = false
+
+# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
+# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
+# distributions. (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version
+#ssl_version =
+
+# SSL key file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile
+#ssl_key_file =
+
+# SSL cert file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile
+#ssl_cert_file =
+
+# SSL certification authority file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs
+#ssl_ca_file =
+
+# Run the health check heartbeat thread through a native python thread by
+# default. If this option is equal to False then the health check heartbeat will
+# inherit the execution model from the parent process. For example if the parent
+# process has monkey patched the stdlib by using eventlet/greenlet then the
+# heartbeat will be run through a green thread.
(boolean value)
+#heartbeat_in_pthread = true
+
+# How long to wait before reconnecting in response to an AMQP consumer cancel
+# notification. (floating point value)
+#kombu_reconnect_delay = 1.0
+
+# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not
+# be used. This option may not be available in future versions. (string value)
+#kombu_compression =
+
+# How long to wait a missing client before abandoning to send it its replies.
+# This value should not be longer than rpc_response_timeout. (integer value)
+# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout
+#kombu_missing_consumer_retry_timeout = 60
+
+# Determines how the next RabbitMQ node is chosen in case the one we are
+# currently connected to becomes unavailable. Takes effect only if more than one
+# RabbitMQ node is provided in config. (string value)
+# Possible values:
+# round-robin -
+# shuffle -
+#kombu_failover_strategy = round-robin
+
+# The RabbitMQ login method. (string value)
+# Possible values:
+# PLAIN -
+# AMQPLAIN -
+# RABBIT-CR-DEMO -
+#rabbit_login_method = AMQPLAIN
+
+# How frequently to retry connecting with RabbitMQ. (integer value)
+#rabbit_retry_interval = 1
+
+# How long to backoff for between retries when connecting to RabbitMQ. (integer
+# value)
+#rabbit_retry_backoff = 2
+
+# Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
+# (integer value)
+#rabbit_interval_max = 30
+
+# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this
+# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring
+# is no longer controlled by the x-ha-policy argument when declaring a queue.
If
+# you just want to make sure that all queues (except those with auto-generated
+# names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA
+# '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value)
+#rabbit_ha_queues = false
+
+# Positive integer representing duration in seconds for queue TTL (x-expires).
+# Queues which are unused for the duration of the TTL are automatically deleted.
+# The parameter affects only reply and fanout queues. (integer value)
+# Minimum value: 1
+#rabbit_transient_queues_ttl = 1800
+
+# Specifies the number of messages to prefetch. Setting to zero allows unlimited
+# messages. (integer value)
+#rabbit_qos_prefetch_count = 0
+
+# Number of seconds after which the Rabbit broker is considered down if
+# heartbeat's keep-alive fails (0 disables heartbeat). (integer value)
+#heartbeat_timeout_threshold = 60
+
+# How often times during the heartbeat_timeout_threshold we check the heartbeat.
+# (integer value)
+#heartbeat_rate = 2
+
+# DEPRECATED: (DEPRECATED) Enable/Disable the RabbitMQ mandatory flag for direct
+# send. The direct send is used as reply, so the MessageUndeliverable exception
+# is raised in case the client queue does not exist.MessageUndeliverable
+# exception will be used to loop for a timeout to lets a chance to sender to
+# recover.This flag is deprecated and it will not be possible to deactivate this
+# functionality anymore (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Mandatory flag no longer deactivable.
+#direct_mandatory_flag = true
+
+# Enable x-cancel-on-ha-failover flag so that rabbitmq server will cancel and
+# notify consumerswhen queue is down (boolean value)
+#enable_cancel_on_failover = false
+
+
+[oslo_middleware]
+
+#
+# From oslo.middleware
+#
+
+# The maximum body size for each request, in bytes.
(integer value)
+# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
+# Deprecated group/name - [DEFAULT]/max_request_body_size
+#max_request_body_size = 114688
+
+# DEPRECATED: The HTTP Header that will be used to determine what the original
+# request protocol scheme was, even if it was hidden by a SSL termination proxy.
+# (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+# Whether the application is behind a proxy or not. This determines if the
+# middleware should parse the headers or not. (boolean value)
+#enable_proxy_headers_parsing = false
+
+# HTTP basic auth password file. (string value)
+#http_basic_auth_user_file = /etc/htpasswd
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# This option controls whether or not to enforce scope when evaluating policies.
+# If ``True``, the scope of the token used in the request is compared to the
+# ``scope_types`` of the policy being enforced. If the scopes do not match, an
+# ``InvalidScope`` exception will be raised. If ``False``, a message will be
+# logged informing operators that policies are being invoked with mismatching
+# scope. (boolean value)
+#enforce_scope = false
+
+# This option controls whether or not to use old deprecated defaults when
+# evaluating policies. If ``True``, the old deprecated defaults are not going to
+# be evaluated. This means if any existing token is allowed for old defaults but
+# is disallowed for new defaults, it will be disallowed. It is encouraged to
+# enable this flag along with the ``enforce_scope`` flag so that you can get the
+# benefits of new defaults and ``scope_type`` together. If ``False``, the
+# deprecated policy check string is logically OR'd with the new policy check
+# string, allowing for a graceful upgrade experience between releases with new
+# policies, which is the default behavior.
(boolean value)
+#enforce_new_defaults = false
+
+# The relative or absolute path of a file that maps roles to permissions for a
+# given service. Relative paths must be specified in relation to the
+# configuration file setting this option. (string value)
+#policy_file = policy.yaml
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+#policy_dirs = policy.d
+
+# Content Type to send and receive data for REST based policy check (string
+# value)
+# Possible values:
+# application/x-www-form-urlencoded -
+# application/json -
+#remote_content_type = application/x-www-form-urlencoded
+
+# server identity verification for REST based policy check (boolean value)
+#remote_ssl_verify_server_crt = false
+
+# Absolute path to ca cert file for REST based policy check (string value)
+#remote_ssl_ca_crt_file =
+
+# Absolute path to client cert for REST based policy check (string value)
+#remote_ssl_client_crt_file =
+
+# Absolute path client key file REST based policy check (string value)
+#remote_ssl_client_key_file =
+
+
+[oslo_reports]
+
+#
+# From oslo.reports
+#
+
+# Path to a log directory where to create a file (string value)
+#log_dir =
+
+# The path to a file to watch for changes to trigger the reports, instead of
+# signals. Setting this option disables the signal trigger for the reports. If
+# application is running as a WSGI application it is recommended to use this
+# instead of signals.
(string value)
+#file_event_handler =
+
+# How many seconds to wait between polls when file_event_handler is set (integer
+# value)
+#file_event_handler_interval = 1
+
+
+[producer_task:delayed_notify]
+
+#
+# From designate.conf
+#
+
+# Run interval in seconds (integer value)
+#interval = 5
+
+# Default amount of results returned per page (integer value)
+#per_page = 100
+
+# How many zones to receive NOTIFY on each run (integer value)
+#batch_size = 100
+
+
+[producer_task:periodic_exists]
+
+#
+# From designate.conf
+#
+
+# Run interval in seconds (integer value)
+#interval = 3600
+
+# Default amount of results returned per page (integer value)
+#per_page = 100
+
+
+[producer_task:periodic_secondary_refresh]
+
+#
+# From designate.conf
+#
+
+# Run interval in seconds (integer value)
+#interval = 3600
+
+# Default amount of results returned per page (integer value)
+#per_page = 100
+
+
+[producer_task:worker_periodic_recovery]
+
+#
+# From designate.conf
+#
+
+# Run interval in seconds (integer value)
+#interval = 120
+
+# Default amount of results returned per page (integer value)
+#per_page = 100
+
+
+[producer_task:zone_purge]
+
+#
+# From designate.conf
+#
+
+# Run interval in seconds (integer value)
+#interval = 3600
+
+# Default amount of results returned per page (integer value)
+#per_page = 100
+
+# How old deleted zones should be (deleted_at) to be purged, in seconds (integer
+# value)
+#time_threshold = 604800
+
+# How many zones to be purged on each run (integer value)
+#batch_size = 100
+
+
+[proxy]
+
+#
+# From designate.conf
+#
+
+# Proxy HTTP requests via this proxy.
(string value)
+#http_proxy =
+
+# Proxy HTTPS requests via this proxy (string value)
+#https_proxy =
+
+# These addresses should not be proxied (list value)
+#no_proxy =
+
+
+[service:agent]
+
+#
+# From designate.conf
+#
+
+# Number of agent worker processes to spawn (integer value)
+#workers =
+
+# Number of agent greenthreads to spawn (integer value)
+#threads = 1000
+
+# Agent host:port pairs to listen on (list value)
+#listen = 0.0.0.0:5358
+
+# The Agent TCP Backlog (integer value)
+#tcp_backlog = 100
+
+# Agent TCP Receive Timeout (floating point value)
+#tcp_recv_timeout = 0.5
+
+# List of IP addresses allowed to NOTIFY The Agent (list value)
+#allow_notify =
+
+# List of masters for the Agent, format ip:port (list value)
+#masters =
+
+# The backend driver to use, e.g. bind9, djbdns, knot2 (string value)
+#backend_driver = bind9
+
+# An IP address to be used to fetch zones transferred in (string value)
+#transfer_source =
+
+# Delay after a NOTIFY arrives for a zone that the Agent will pause and drop
+# subsequent NOTIFYs for that zone (floating point value)
+#notify_delay = 0.0
+
+
+[service:api]
+
+listen = 0.0.0.0:9001
+auth_strategy = keystone
+enable_api_v2 = True
+enable_api_admin = True
+enable_host_header = True
+enabled_extensions_admin = quotas, reports
+
+#
+# From designate.conf
+#
+
+# Number of api worker processes to spawn (integer value)
+#workers =
+
+# Number of api greenthreads to spawn (integer value)
+#threads = 1000
+
+# Enable host request headers (boolean value)
+#enable_host_header = true
+
+# the url used as the base for all API responses,This should consist of the
+# scheme (http/https),the hostname, port, and any paths that are addedto the
+# base of Designate is URLs,For example http://dns.openstack.example.com/dns
+# (string value)
+#api_base_uri = http://127.0.0.1:9001/
+
+# API host:port pairs to listen on (list value)
+#listen = 0.0.0.0:9001
+
+# File name for the paste.deploy config for designate-api (string value)
+#api_paste_config = api-paste.ini
+
+# The strategy to use for auth. Supports noauth or keystone (string value)
+#auth_strategy = keystone
+
+# enable-api-v2 which enable in a future (boolean value)
+#enable_api_v2 = true
+
+# enable-api-admin (boolean value)
+#enable_api_admin = false
+
+# Maximum line size of message headers to be accepted. max_header_line may need
+# to be increased when using large tokens (typically those generated by the
+# Keystone v3 API with big service catalogs). (integer value)
+#max_header_line = 16384
+
+# Pecan HTML Debug Interface (boolean value)
+#pecan_debug = false
+
+# Enabled API Extensions for the V2 API (list value)
+#enabled_extensions_v2 =
+
+# Default per-page limit for the V2 API, a value of None means show all results
+# by default (integer value)
+#default_limit_v2 = 20
+
+# Max per-page limit for the V2 API (integer value)
+#max_limit_v2 = 1000
+
+# Verify that the requested Project ID for quota target is a valid project in
+# Keystone. (boolean value)
+#quotas_verify_project_id = false
+
+# Enabled Admin API Extensions (list value)
+#enabled_extensions_admin =
+
+# Default per-page limit for the Admin API, a value of None means show all
+# results by default (integer value)
+#default_limit_admin = 20
+
+# Max per-page limit for the Admin API (integer value)
+#max_limit_admin = 1000
+
+# Enable API Maintenance Mode (boolean value)
+#maintenance_mode = false
+
+# Role allowed to bypass maintaince mode (string value)
+#maintenance_mode_role = admin
+
+# DEPRECATED: The HTTP Header that will be used to determine which the original
+# request protocol scheme was, even if it was removed by an SSL terminating
+# proxy. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This parameter has had no effect since SSLMiddleware was replaced by
+# http_proxy_to_wsgi
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+# DEPRECATED: A scheme that will be used to override the request protocol
+# scheme, even if it was set by an SSL terminating proxy. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: This parameter has had no effect since SSLMiddleware was replaced by
+# http_proxy_to_wsgi
+#override_proto =
+
+
+[service:central]
+
+#
+# From designate.conf
+#
+
+# Number of central worker processes to spawn (integer value)
+#workers =
+
+# Number of central greenthreads to spawn (integer value)
+#threads = 1000
+
+# The storage driver to use (string value)
+#storage_driver = sqlalchemy
+
+# Enabled Notification Handlers (list value)
+#enabled_notification_handlers =
+
+# Maximum zone name length (integer value)
+#max_zone_name_len = 255
+
+# Maximum recordset name length (integer value)
+# Deprecated group/name - [service:central]/max_record_name_len
+#max_recordset_name_len = 255
+
+# E-Mail for Managed resources (string value)
+#managed_resource_email = hostmaster@example.com
+
+# The Tenant ID that will own any managed resources.
(string value) +#managed_resource_tenant_id = 00000000-0000-0000-0000-000000000000 + +# Minimum TTL allowed (integer value) +#min_ttl = + +# The name of the default pool (string value) +#default_pool_id = 794ccc2c-d751-44fe-b57f-8894c9f5c842 + +# RPC topic name for central (string value) +#topic = central + +# Enabled Pool Scheduling filters (list value) +#scheduler_filters = default_pool + + +[service:mdns] + +# +# From designate.conf +# + +# Number of mdns worker processes to spawn (integer value) +#workers = + +# Number of mdns greenthreads to spawn (integer value) +#threads = 1000 + +# mDNS host:port pairs to listen on (list value) +#listen = 0.0.0.0:5354 + +# mDNS TCP Backlog (integer value) +#tcp_backlog = 100 + +# mDNS TCP Receive Timeout (floating point value) +#tcp_recv_timeout = 0.5 + +# Send all traffic over TCP (boolean value) +#all_tcp = false + +# Enforce all incoming queries (including AXFR) are TSIG signed (boolean value) +#query_enforce_tsig = false + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# Maximum message size to emit (integer value) +#max_message_size = 65535 + +# RPC topic name for mdns (string value) +#topic = mdns + +# Timeout in seconds for XFR's. (integer value) +#xfr_timeout = 10 + + +[service:producer] + +# +# From designate.conf +# + +# Number of Producer worker processes to spawn (integer value) +#workers = + +# Number of Producer greenthreads to spawn (integer value) +#threads = 1000 + +# Enabled tasks to run (list value) +#enabled_tasks = + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# DEPRECATED: Whether to allow synchronous zone exports (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: Migrated to designate-worker +#export_synchronous = true + +# RPC topic name for producer (string value) +#topic = producer + + +[service:sink] + +# +# From designate.conf +# + +# Number of sink worker processes to spawn (integer value) +#workers = + +# Number of sink greenthreads to spawn (integer value) +#threads = 1000 + +# Enabled Notification Handlers (list value) +#enabled_notification_handlers = + +# pool name to use for oslo.messaging notification listener. Note that listener +# pooling is not supported by all oslo.messaging drivers. (string value) +#listener_pool_name = + + +[service:worker] + +# +# From designate.conf +# + +# Number of Worker worker processes to spawn (integer value) +#workers = + +# Number of Worker threads to spawn per process (integer value) +#threads = 200 + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# The percentage of servers requiring a successful update for a domain change to +# be considered active (integer value) +#threshold_percentage = 100 + +# The time to wait for a response from a server (integer value) +#poll_timeout = 30 + +# The time between retrying to send a request and waiting for a response from a +# server (integer value) +#poll_retry_interval = 15 + +# The maximum number of times to retry sending a request and wait for a response +# from a server (integer value) +#poll_max_retries = 10 + +# The time to wait before sending the first request to a server (integer value) +#poll_delay = 5 + +# DEPRECATED: Whether to allow worker to send NOTIFYs, this will noop NOTIFYs in +# mdns if true (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: This option is being removed to reduce complexity +#notify = true + +# Whether to allow synchronous zone exports (boolean value) +#export_synchronous = true + +# RPC topic name for worker (string value) +#topic = worker + + +[ssl] + +# +# From oslo.service.sslutils +# + +# CA certificate file to use to verify connecting clients. (string value) +# Deprecated group/name - [DEFAULT]/ssl_ca_file +#ca_file = + +# Certificate file to use when starting the server securely. (string value) +# Deprecated group/name - [DEFAULT]/ssl_cert_file +#cert_file = + +# Private key file to use when starting the server securely. (string value) +# Deprecated group/name - [DEFAULT]/ssl_key_file +#key_file = + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +#version = + +# Sets the list of available ciphers. value should be a string in the OpenSSL +# cipher list format. (string value) +#ciphers = + + +[storage:sqlalchemy] + +connection = mysql+pymysql://s4t_designate:sm3d3m0n@s4t_iotronic_db/s4t_designate + +# +# From designate.conf +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set by +# the server configuration, set this to no value. 
Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Connections which have been present in the connection pool longer than this +# number of seconds will be replaced with a new one the next time they are +# checked out from the pool. (integer value) +#connection_recycle_time = 3600 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of 0 +# indicates no limit. (integer value) +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. (boolean +# value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. 
(integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + +# Optional URL parameters to append onto the connection URL at connect time; +# specify as param1=value1¶m2=value2&... (string value) +#connection_parameters = diff --git a/7-designate/conf/named.conf.options b/7-designate/conf/named.conf.options new file mode 100644 index 0000000..ca30d0c --- /dev/null +++ b/7-designate/conf/named.conf.options 
@@ -0,0 +1,40 @@
+//include "/etc/designate/rndc.key";
+include "/etc/bind/rndc.key";
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+
+ allow-new-zones yes;
+ request-ixfr no;
+ listen-on port 53 { any; };
+ recursion no;
+ allow-query { any; };
+
+};
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndc-key"; };
+};
diff --git a/7-designate/conf/pools.yaml b/7-designate/conf/pools.yaml
new file mode 100644
index 0000000..77d7774
--- /dev/null
+++ b/7-designate/conf/pools.yaml
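Review bot: `options {}` never sets `allow-transfer`, and the BIND 9.11/9.16 that bionic/focal ship default it to "any", so with `listen-on port 53 { any; }` and `allow-query { any; }` every zone Designate pushes into this server can be dumped by AXFR from anywhere that reaches port 53. Nothing in the pool configuration pulls transfers from this BIND (it is the secondary; the `masters` entries point at designate-mdns), so adding `allow-transfer { none; };` next to `recursion no;` should be safe — confirm no external secondary relies on AXFR from it. `dnssec-validation auto;` only applies to recursive lookups, which are disabled here, so it is harmless noise at best; and the `controls {}` block trusts only a key literally named `rndc-key`, so the included `/etc/bind/rndc.key` has to use that name.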
@@ -0,0 +1,43 @@
+- name: default
+ # The name is immutable. There will be no option to change the name after
+ # creation and the only way will to change it will be to delete it
+ # (and all zones associated with it) and recreate it.
+ description: Default Pool
+
+ attributes: {}
+
+ # List out the NS records for zones hosted within this pool
+ # This should be a record that is created outside of designate, that
+ # points to the public IP of the controller node.
+ ns_records:
+ - hostname: demo-controller.smartme.io.
+ priority: 1
+
+ # List out the nameservers for this pool. These are the actual BIND servers.
+ # We use these to verify changes have propagated to all nameservers.
+ nameservers:
+ - host: 127.0.0.1
+ port: 53
+
+ # List out the targets for this pool. For BIND there will be one
+ # entry for each BIND server, as we have to run rndc command on each server
+ targets:
+ - type: bind9
+ description: BIND9 Server 1
+
+ # List out the designate-mdns servers from which BIND servers should
+ # request zone transfers (AXFRs) from.
+ # This should be the IP of the controller node.
+ # If you have multiple controllers you can add multiple masters
+ # by running designate-mdns on them, and adding them here.
+ masters:
+ - host: 127.0.0.1
+ port: 5354
+
+ # BIND Configuration options
+ options:
+ host: 127.0.0.1
+ port: 53
+ rndc_host: 127.0.0.1
+ rndc_port: 953
+ rndc_key_file: /etc/bind/rndc.key
From 00758b134a33e49f8be1a6ecaa9aa5d5117607cd Mon Sep 17 00:00:00 2001
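Review bot: `rndc_key_file: /etc/bind/rndc.key` is the one credential Designate needs to drive BIND, yet nothing visible in this series generates it or makes it readable by the account designate-worker runs as (the `rndc-confgen` line in the Dockerfile is commented out), and the adjacent `named.conf.options` only trusts a key named `rndc-key`. A comment above the `options:` block such as `# rndc_key_file must hold the key named "rndc-key" that named.conf.options' controls{} trusts, and be readable by the designate user` would presumably save the next operator an rndc authentication failure that only surfaces at zone-creation time. `ns_records` also hardcodes `demo-controller.smartme.io.` as the NS for every zone in the pool, which is worth flagging as deployment-specific in the comment rather than leaving it to look like a default.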
From: Fabio Verboso Date: Thu, 30 Dec 2021 17:45:28 +0100 Subject: [PATCH 61/66] consolidati script per designate --- 7-designate/7-designate | 15 +++++++-------- 7-designate/{7.5-designate => 7.1-designate} | 0 7-designate/7.2-designate | 10 ++++++++++ 7-designate/build/Dockerfile | 6 +++--- 7-designate/conf/adminrc | 8 ++++++++ 5 files changed, 28 insertions(+), 11 deletions(-) rename 7-designate/{7.5-designate => 7.1-designate} (100%) create mode 100755 7-designate/7.2-designate create mode 100644 7-designate/conf/adminrc diff --git a/7-designate/7-designate b/7-designate/7-designate index be8dd48..834b0a4 100755 --- a/7-designate/7-designate +++ b/7-designate/7-designate @@ -11,9 +11,13 @@ docker create \ -p 53:53/udp \ -p 53:53/tcp \ -v s4t_designate_config:/etc/designate/ \ + -v s4t_bind:/etc/bind/ \ -v /var/log/designate-conductor:/var/log/designate \ smartme/s4t_designate:$VERSION +docker cp build/bin/startDesignate s4t_designate:/usr/local/bin/ +docker cp conf/adminrc s4t_designate:/root/ + docker cp conf/designate.conf s4t_designate:/etc/designate/ docker cp conf/pools.yaml s4t_designate:/etc/designate/ docker cp conf/named.conf.options s4t_designate:/etc/bind/ @@ -31,12 +35,7 @@ docker run --rm \ -v /var/log/designate-conductor:/var/log/designate \ smartme/s4t_designate:$VERSION /bin/sh -c "designate-manage database sync" designate -docker run --rm \ - --network=s4t-controller-network \ - -v s4t_designate_config:/etc/designate/ \ - -v /var/log/designate-conductor:/var/log/designate \ -smartme/s4t_designate:$VERSION /bin/sh -c "designate-manage pool update" designate - -docker cp build/bin/startDesignate s4t_designate:/usr/local/bin/ - docker start s4t_designate + +echo "aspetto che i servizi siano su" +sleep 10 diff --git a/7-designate/7.5-designate b/7-designate/7.1-designate similarity index 100% rename from 7-designate/7.5-designate rename to 7-designate/7.1-designate 
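Review bot: `docker cp conf/adminrc s4t_designate:/root/` persists a cleartext Keystone admin password inside the container (the `adminrc` added by this patch sets `OS_USERNAME=admin` / `OS_PASSWORD=smartme`), readable by anyone with `docker exec` or `docker cp` on the host, and it stays there long after the one-shot `openstack zone create` in `7.2-designate` has run. Inject the credentials only for that call instead, e.g. `docker exec -e OS_AUTH_URL="$OS_AUTH_URL" -e OS_USERNAME="$OS_USERNAME" -e OS_PASSWORD="$OS_PASSWORD" ... s4t_designate openstack zone create ...`, and consider a dedicated service account holding only the DNS role rather than the cloud admin. The `docker create` command this hunk extends begins outside the hunk.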
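Review bot: `sleep 10` after `docker start s4t_designate` is a fixed delay standing in for a readiness check, so the follow-up steps (`7.2-designate` runs `designate-manage pool update` and an `openstack zone create` against this container) will fail on a slower host or a cold image. Poll the API instead, e.g. `for _ in $(seq 1 30); do docker exec s4t_designate python3 -c 'import urllib.request; urllib.request.urlopen("http://127.0.0.1:9001/")' 2>/dev/null && break; sleep 2; done` — designate-api listens on `0.0.0.0:9001` per the shipped `designate.conf`, and the versions document at `/` is normally served without a token (confirm against the api-paste pipeline). The removed `designate-manage pool update` run is not re-suggested here; it moved to `7.2-designate` in this same patch.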
diff --git a/7-designate/7.2-designate b/7-designate/7.2-designate
new file mode 100755
index 0000000..edaadef
--- /dev/null
+++ b/7-designate/7.2-designate
@@ -0,0 +1,10 @@
+#! /bin/bash
+
+DNS="test.felooca.info"
+EMAIL="dnsmaster@example.com"
+
+docker exec s4t_designate /bin/sh -c "designate-manage pool update" designate
+docker restart s4t_designate
+docker exec s4t_designate /bin/bash -c "source /root/adminrc && openstack zone create --email ${EMAIL} ${DNS}."
+
+
diff --git a/7-designate/build/Dockerfile b/7-designate/build/Dockerfile
index c27bbe1..843e14f 100644
--- a/7-designate/build/Dockerfile
+++ b/7-designate/build/Dockerfile
@@ -1,5 +1,4 @@ -FROM ubuntu:bionic -#ENV VERSION=2.3.9 +FROM ubuntu:focal ENV DEBIAN_FRONTEND=noninteractive
@@ -9,7 +8,7 @@ ENV LANG C.UTF-8 RUN apt-get update \ && apt-get install nocache -y software-properties-common locales tzdata\ - && add-apt-repository -y cloud-archive:stein \ + && add-apt-repository -y cloud-archive:xena \ && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim RUN locale-gen en_US.UTF-8
@@ -22,6 +21,7 @@ RUN apt-get install nocache bind9 bind9utils bind9-doc designate-worker designat COPY bin/startDesignate /usr/local/bin/startDesignate VOLUME ["/etc/designate"] +VOLUME ["/etc/bind"] VOLUME ["/var/log/designate"] EXPOSE 9001
diff --git a/7-designate/conf/adminrc b/7-designate/conf/adminrc
new file mode 100644
index 0000000..15d82ee
--- /dev/null
+++ b/7-designate/conf/adminrc
@@ -0,0 +1,8 @@
+export OS_PROJECT_DOMAIN_NAME=Default
+export OS_USER_DOMAIN_NAME=Default
+export OS_PROJECT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD=smartme
+export OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
From 32a794fbba6119cb32ec86c5cef2a2957483b463 Mon Sep 17 00:00:00 2001
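Review bot: The `openstack zone create` on the last line runs the instant `docker restart s4t_designate` returns, with no `set -e` and no check that designate-api is accepting requests again, so on a slow host the zone is never created and the script still exits 0. The trailing `designate` word in `/bin/sh -c "designate-manage pool update" designate` only sets `$0` and can be dropped, and `${EMAIL}`/`${DNS}` are expanded unquoted inside the `bash -c` string. The rewrite below fails loudly and polls the API's unauthenticated versions document before creating the zone (designate-api binds `0.0.0.0:9001` per the shipped `designate.conf`; confirm `/` is outside the keystone pipeline in api-paste.ini).
```shell
#! /bin/bash
set -euo pipefail

DNS="${DNS:-test.felooca.info}"
EMAIL="${EMAIL:-dnsmaster@example.com}"

docker exec s4t_designate designate-manage pool update
docker restart s4t_designate

# `docker restart` returns before designate-api listens on 9001; poll instead of racing it.
tries=0
until docker exec s4t_designate python3 -c 'import urllib.request; urllib.request.urlopen("http://127.0.0.1:9001/")' 2>/dev/null; do
  (( ++tries < 30 )) || { echo "designate-api did not come up" >&2; exit 1; }
  sleep 2
done

docker exec s4t_designate /bin/bash -c "source /root/adminrc && openstack zone create --email '${EMAIL}' '${DNS}.'"
```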
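Review bot: This file commits a live Keystone cloud-admin password (`OS_USERNAME=admin`, `OS_PASSWORD=smartme`, `Default` domain) and `7.2-designate` sources it from inside the container; once pushed, the value is in git history for good and should be treated as compromised and rotated. Ship an `adminrc.example` with a placeholder, add the real `adminrc` to `.gitignore`, and have the scripts read `OS_PASSWORD` from the environment or a docker secret at exec time. A service account limited to the DNS role Designate needs would also cap what this file is worth if it leaks again.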
From: Arturo Rinaldi Date: Thu, 13 Jan 2022 15:32:06 +0100 Subject: [PATCH 62/66] 7-designate: rework of designate image and scripts --- 7-designate/build/Dockerfile | 27 +- 7-designate/build/conf/adminrc | 8 + 7-designate/build/conf/designate.conf | 2165 ++++++++++++++++++ 7-designate/build/conf/named.conf.options | 40 + 7-designate/build/conf/pools.yaml | 43 + 7-designate/build/scripts/designate-setup.sh | 23 + 6 files changed, 2302 insertions(+), 4 deletions(-) create mode 100644 7-designate/build/conf/adminrc create mode 100644 7-designate/build/conf/designate.conf create mode 100644 7-designate/build/conf/named.conf.options create mode 100644 7-designate/build/conf/pools.yaml create mode 100644 7-designate/build/scripts/designate-setup.sh diff --git a/7-designate/build/Dockerfile b/7-designate/build/Dockerfile index 843e14f..aa45c01 100644 --- a/7-designate/build/Dockerfile +++ b/7-designate/build/Dockerfile 
@@ -2,23 +2,42 @@ FROM ubuntu:focal ENV DEBIAN_FRONTEND=noninteractive -ENV LC_CTYPE en_US.UTF-8 -ENV LANG en_US.UTF-8 +ENV LC_CTYPE C.UTF-8 +ENV LC_ALL C.UTF-8 +ENV LANGUAGE C.UTF-8 ENV LANG C.UTF-8 RUN apt-get update \ && apt-get install nocache -y software-properties-common locales tzdata\ && add-apt-repository -y cloud-archive:xena \ - && apt-get update && apt-get -y dist-upgrade && apt-get install nocache -y build-essential python3-openstackclient python3 python3-setuptools python3-pip vim + && apt-get update && apt-get -y dist-upgrade \ + && apt-get install nocache -y build-essential python3-openstackclient \ + python3 python3-all python3-setuptools nano vim wget curl \ + nocache bind9 bind9utils bind9-doc designate-worker designate-producer designate-mdns \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \ + && wget -qO- https://bootstrap.pypa.io/get-pip.py | python3 \ + && : RUN locale-gen en_US.UTF-8 ENV TZ 'Europe/Rome' RUN echo $TZ > /etc/timezone && rm -f /etc/localtime && ln -nfs /usr/share/zoneinfo/$TZ /etc/localtime && dpkg-reconfigure -f noninteractive tzdata -RUN apt-get install nocache bind9 bind9utils bind9-doc designate-worker designate-producer designate-mdns -y #RUN rndc-confgen -a -k designate -c /etc/bind/rndc.key -r /dev/urandom +COPY conf/adminrc /root/ + +COPY conf/designate.conf /etc/designate/ +COPY conf/pools.yaml /etc/designate/ +COPY conf/named.conf.options /etc/bind/ + COPY bin/startDesignate /usr/local/bin/startDesignate +COPY scripts/designate-setup.sh /usr/local/bin/designate-setup + +RUN chown -R designate:designate /var/log/designate/ + +RUN chmod +x /usr/local/bin/startDesignate +RUN chmod +x /usr/local/bin/designate-setup VOLUME ["/etc/designate"] VOLUME ["/etc/bind"] diff --git a/7-designate/build/conf/adminrc b/7-designate/build/conf/adminrc new file mode 100644 index 0000000..15d82ee --- /dev/null +++ b/7-designate/build/conf/adminrc 
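Review bot: `wget -qO- https://bootstrap.pypa.io/get-pip.py | python3` fetches an unpinned, unverified script over the network and runs it as root at build time, and it installs a pip over the one the apt-managed designate packages were built against; the previous Dockerfile got `python3-pip` from apt, which this hunk drops from the `apt-get install` list. Put `python3-pip` back in that list and delete the `wget` line, or if a newer pip is genuinely required, pin the get-pip.py URL to a specific release and verify its sha256 before piping it to `python3`. `COPY conf/adminrc /root/` also bakes the cloud-admin password into an image layer, where it survives every registry push and shows up in `docker history`; that file should be mounted or `-e`-injected at run time, not copied at build time. The `RUN` chain and `VOLUME` lines after this hunk are outside it.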
@@ -0,0 +1,8 @@
+export OS_PROJECT_DOMAIN_NAME=Default
+export OS_USER_DOMAIN_NAME=Default
+export OS_PROJECT_NAME=admin
+export OS_USERNAME=admin
+export OS_PASSWORD=smartme
+export OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3
+export OS_IDENTITY_API_VERSION=3
+export OS_IMAGE_API_VERSION=2
diff --git a/7-designate/build/conf/designate.conf b/7-designate/build/conf/designate.conf
new file mode 100644
index 0000000..a82f58e
--- /dev/null
+++ b/7-designate/build/conf/designate.conf
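Review bot: This is a second committed copy of the admin credentials (`OS_PASSWORD=smartme`), and the Dockerfile in this same patch `COPY`s it to `/root/` in the image, so the password now sits in a built image layer in addition to git history. Keep only a placeholder `adminrc.example` under `build/conf`, list the real file in `.dockerignore` and `.gitignore`, and mount or `-e`-inject the credentials when the setup script actually needs them. Until that is done the password should be considered leaked and rotated.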
@@ -0,0 +1,2165 @@ +[DEFAULT] +transport_url=rabbit://openstack:smartme@s4t_rabbitmq:5672/ + +# +# From designate.conf +# + +# Name of this node (string value) +# +# This option has a sample default set, which means that +# its actual default value may vary from the one documented +# below. +#host = current_hostname + +# Directory where the designate python module is installed (string value) +# +# This option has a sample default set, which means that +# its actual default value may vary from the one documented +# below. +#pybasedir = + +# Top-level directory for maintaining designate's state (string value) +#state_path = /var/lib/designate + +# Additional modules that contains allowed RPC exceptions. (list value) +# Deprecated group/name - [DEFAULT]/allowed_rpc_exception_modules +#allowed_remote_exmods = + +# TTL Value (integer value) +#default_ttl = 3600 + +# SOA refresh-min value (integer value) +# Deprecated group/name - [DEFAULT]/default_soa_refresh +#default_soa_refresh_min = 3500 + +# SOA max value (integer value) +#default_soa_refresh_max = 3600 + +# SOA retry (integer value) +#default_soa_retry = 600 + +# SOA expire (integer value) +#default_soa_expire = 86400 + +# SOA minimum value (integer value) +#default_soa_minimum = 3600 + +# Supported record types (list value) +#supported_record_type = A,AAAA,CNAME,MX,SRV,TXT,SPF,NS,PTR,SSHFP,SOA,NAPTR,CAA,CERT + +# Number of backlog requests to configure the socket with (integer value) +#backlog = 4096 + +# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not +# supported on OS X. (integer value) +#tcp_keepidle = 600 + +# designate-rootwrap configuration (string value) +#root_helper = sudo designate-rootwrap /etc/designate/rootwrap.conf + +# Which API to use. (string value) +#network_api = neutron + +# Send notifications if there's a failure in the API. 
(boolean value) +#notify_api_faults = false + +# The notification plugin to use (string value) +#notification_plugin = default + +# Quota driver to use (string value) +#quota_driver = storage + +# Number of zones allowed per tenant (integer value) +#quota_zones = 10 + +# Number of recordsets allowed per zone (integer value) +#quota_zone_recordsets = 500 + +# Number of records allowed per zone (integer value) +#quota_zone_records = 500 + +# Number of records allowed per recordset (integer value) +#quota_recordset_records = 20 + +# Number of recordsets allowed in a zone export (integer value) +#quota_api_export_size = 1000 + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, log-date-format). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. 
(string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and Linux +# platform is used. This option is ignored if log_config_append is set. (boolean +# value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append is +# set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol which +# includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Log output to Windows Event Log. (boolean value) +#use_eventlog = false + +# The amount of time before the log files are rotated. This option is ignored +# unless log_rotation_type is set to "interval". (integer value) +#log_rotate_interval = 1 + +# Rotation interval type. The time of the last file change (or the time when the +# service was started) is used when scheduling the next rotation. (string value) +# Possible values: +# Seconds - +# Minutes - +# Hours - +# Days - +# Weekday - +# Midnight - +#log_rotate_interval_type = days + +# Maximum number of rotated log files. 
(integer value) +#max_logfile_count = 30 + +# Log file maximum size in MB. This option is ignored if "log_rotation_type" is +# not set to "size". (integer value) +#max_logfile_size_mb = 200 + +# Log rotation type. (string value) +# Possible values: +# interval - Rotate logs at predefined time intervals. +# size - Rotate logs once they reach a predefined size. +# none - Do not rotate log files. +#log_rotation_type = none + +# Format string to use for log messages with context. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message is +# DEBUG. Used by oslo_log.formatters.ContextFormatter (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. Used by +# oslo_log.formatters.ContextFormatter (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. Used by oslo_log.formatters.ContextFormatter +# (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. 
(list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,oslo_policy=INFO,dogpile.core.dogpile=INFO,kazoo.client=WARN,keystone=INFO,oslo_service.loopingcall=WARN + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. (integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or +# empty string. Logs with level greater or equal to rate_limit_except_level are +# not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +# +# From oslo.messaging +# + +# Size of RPC connection pool. (integer value) +# Minimum value: 1 +#rpc_conn_pool_size = 30 + +# The pool size limit for connections expiration policy (integer value) +#conn_pool_min_size = 2 + +# The time-to-live in sec of idle connections in the pool (integer value) +#conn_pool_ttl = 1200 + +# Size of executor thread pool when executor is threading or eventlet. 
(integer +# value) +# Deprecated group/name - [DEFAULT]/rpc_thread_pool_size +#executor_thread_pool_size = 64 + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout = 60 + +# The network address and optional user credentials for connecting to the +# messaging backend, in URL format. The expected format is: +# +# driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query +# +# Example: rabbit://rabbitmq:password@127.0.0.1:5672// +# +# For full details on the fields in the URL see the documentation of +# oslo_messaging.TransportURL at +# https://docs.openstack.org/oslo.messaging/latest/reference/transport.html +# (string value) +#transport_url = rabbit:// + +# The default exchange under which topics are scoped. May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange = designate + +# Add an endpoint to answer to ping calls. Endpoint is named +# oslo_rpc_server_ping (boolean value) +#rpc_ping_enabled = false + +# +# From oslo.service.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should we run them here? +# (boolean value) +#run_external_periodic_tasks = true + +# +# From oslo.service.service +# + +# Enable eventlet backdoor. Acceptable values are 0, , and :, +# where 0 results in listening on a random tcp port number; results in +# listening on the specified port number (and not enabling backdoor if that port +# is in use); and : results in listening on the smallest unused port +# number within the specified range of port numbers. The chosen port is +# displayed in the service's log file. (string value) +#backdoor_port = + +# Enable eventlet backdoor, using the provided path as a unix socket that can +# receive connections. This option is mutually exclusive with 'backdoor_port' in +# that only one should be provided. If both are provided then the existence of +# this option overrides the usage of that option. 
Inside the path {pid} will be
+# replaced with the PID of the current process. (string value)
+#backdoor_socket =
+
+# Enables or disables logging values of all registered options when starting a
+# service (at DEBUG level). (boolean value)
+#log_options = true
+
+# Specify a timeout after which a gracefully shutdown server will exit. Zero
+# value means endless wait. (integer value)
+#graceful_shutdown_timeout = 60
+
+#
+# From oslo.service.wsgi
+#
+
+# File name for the paste.deploy config for api service (string value)
+#api_paste_config = api-paste.ini
+
+# A python format string that is used as the template to generate log lines. The
+# following values can beformatted into it: client_ip, date_time, request_line,
+# status_code, body_length, wall_seconds. (string value)
+#wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not
+# supported on OS X. (integer value)
+#tcp_keepidle = 600
+
+# Size of the pool of greenthreads used by wsgi (integer value)
+#wsgi_default_pool_size = 100
+
+# Maximum line size of message headers to be accepted. max_header_line may need
+# to be increased when using large tokens (typically those generated when
+# keystone is configured to use PKI tokens with big service catalogs). (integer
+# value)
+#max_header_line = 16384
+
+# If False, closes the client socket connection explicitly. (boolean value)
+#wsgi_keep_alive = true
+
+# Timeout for client connections' socket operations. If an incoming connection
+# is idle for this number of seconds it will be closed. A value of '0' means
+# wait forever.
(integer value)
+#client_socket_timeout = 900
+
+
+[backend:agent:bind9]
+
+#
+# From designate.conf
+#
+
+# RNDC Host (string value)
+#rndc_host = 127.0.0.1
+
+# RNDC Port (integer value)
+#rndc_port = 953
+
+# RNDC Config File (string value)
+#rndc_config_file =
+
+# RNDC Key File (string value)
+#rndc_key_file =
+
+# RNDC command timeout (integer value)
+# Minimum value: 0
+#rndc_timeout = 0
+
+# Path where zone files are stored (string value)
+#zone_file_path = $state_path/zones
+
+# Host to query when finding zones (string value)
+#query_destination = 127.0.0.1
+
+
+[backend:agent:denominator]
+
+#
+# From designate.conf
+#
+
+# Name of the affected provider (string value)
+#name = fake
+
+# Path to Denominator configuration file (string value)
+#config_file = /etc/denominator.conf
+
+
+[backend:agent:djbdns]
+
+#
+# From designate.conf
+#
+
+# tcpclient executable path or rootwrap command name (string value)
+#tcpclient_cmd_name = tcpclient
+
+# axfr-get executable path or rootwrap command name (string value)
+#axfr_get_cmd_name = axfr-get
+
+# tinydns-data executable path or rootwrap command name (string value)
+#tinydns_data_cmd_name = tinydns-data
+
+# TinyDNS data directory (string value)
+#tinydns_datadir = /var/lib/djbdns
+
+# Host to query when finding zones (string value)
+#query_destination = 127.0.0.1
+
+
+[backend:agent:gdnsd]
+
+#
+# From designate.conf
+#
+
+# gdnsd executable path or rootwrap command name (string value)
+#gdnsd_cmd_name = gdnsd
+
+# gdnsd configuration directory path (string value)
+#confdir_path = /etc/gdnsd
+
+# Host to query when finding zones (string value)
+#query_destination = 127.0.0.1
+
+
+[backend:agent:knot2]
+
+#
+# From designate.conf
+#
+
+# knotc executable path or rootwrap command name (string value)
+#knotc_cmd_name = knotc
+
+# Host to query when finding zones (string value)
+#query_destination = 127.0.0.1
+
+
+[backend:dynect]
+
+#
+# From designate.conf
+#
+
+# Timeout in seconds for pulling a job in DynECT.
(integer value)
+#job_timeout = 30
+
+# Timeout in seconds for API Requests. (integer value)
+#timeout = 10
+
+# Measure requests timings. (boolean value)
+#timings = false
+
+
+[backend:infoblox]
+
+#
+# From designate.conf
+#
+
+# DEPRECATED: wapi_url (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#wapi_url =
+
+# DEPRECATED: username (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#username =
+
+# DEPRECATED: password (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#password =
+
+# DEPRECATED: sslverify (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#sslverify = true
+
+# DEPRECATED: multi_tenant (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#multi_tenant = false
+
+# DEPRECATED: http_pool_connections (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#http_pool_connections = 100
+
+# DEPRECATED: http_pool_maxsize (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#http_pool_maxsize = 100
+
+# DEPRECATED: dns_view (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#dns_view = default
+
+# DEPRECATED: network_view (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#network_view = default
+
+# DEPRECATED: ns_group (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: All backend options have been migrated to options in the pools.yaml
+# file
+#ns_group =
+
+
+[coordination]
+
+#
+# From designate.conf
+#
+
+# The backend URL to use for distributed coordination. If unset services that
+# need coordination will function as a standalone service. This is a `tooz` url
+# - see https://docs.openstack.org/tooz/latest/user/compatibility.html (string
+# value)
+#backend_url =
+
+# Number of seconds between heartbeats for distributed coordination. (floating
+# point value)
+#heartbeat_interval = 5.0
+
+# Number of seconds between checks to see if group membership has changed
+# (floating point value)
+#run_watchers_interval = 10.0
+
+
+[cors]
+
+#
+# From oslo.middleware
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "://[:]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin =
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-OpenStack-Request-ID,Host
+
+# Maximum cache age of CORS preflight requests.
(integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH,HEAD
+
+# Indicate which header field names may be used during the actual request. (list
+# value)
+#allow_headers = X-Auth-Token,X-Auth-Sudo-Tenant-ID,X-Auth-Sudo-Project-ID,X-Auth-All-Projects,X-Designate-Edit-Managed-Records,OpenStack-DNS-Hide-Counts
+
+
+[database]
+
+#
+# From oslo.db
+#
+
+# If True, SQLite uses synchronous mode. (boolean value)
+#sqlite_synchronous = true
+
+# The back end to use for the database. (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend = sqlalchemy
+
+# The SQLAlchemy connection string to use to connect to the database. (string
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+#connection =
+
+# The SQLAlchemy connection string to use to connect to the slave database.
+# (string value)
+#slave_connection =
+
+# The SQL mode to be used for MySQL sessions. This option, including the
+# default, overrides any server-set SQL mode. To use whatever SQL mode is set by
+# the server configuration, set this to no value. Example: mysql_sql_mode=
+# (string value)
+#mysql_sql_mode = TRADITIONAL
+
+# If True, transparently enables support for handling MySQL Cluster (NDB).
+# (boolean value)
+#mysql_enable_ndb = false
+
+# Connections which have been present in the connection pool longer than this
+# number of seconds will be replaced with a new one the next time they are
+# checked out from the pool. (integer value)
+#connection_recycle_time = 3600
+
+# Maximum number of SQL connections to keep open in a pool. Setting a value of 0
+# indicates no limit. (integer value)
+#max_pool_size = 5
+
+# Maximum number of database connection retries during startup. Set to -1 to
+# specify an infinite retry count.
(integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a SQL connection. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with SQLAlchemy. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = 50
+
+# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
+# value)
+# Minimum value: 0
+# Maximum value: 100
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add Python stack traces to SQL as comment strings. (boolean value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = false
+
+# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout =
+
+# Enable the experimental use of database reconnect on connection lost. (boolean
+# value)
+#use_db_reconnect = false
+
+# Seconds between retries of a database transaction. (integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. (boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+# Optional URL parameters to append onto the connection URL at connect time;
+# specify as param1=value1¶m2=value2&...
(string value)
+#connection_parameters =
+
+
+[handler:neutron_floatingip]
+
+#
+# From designate.conf
+#
+
+# notification any events from neutron (list value)
+#notification_topics = notifications
+
+# control-exchange for neutron notification (string value)
+#control_exchange = neutron
+
+# Zone ID with each notification (string value)
+#zone_id =
+
+# IPv4 format (multi valued)
+#formatv4 =
+
+# DEPRECATED: format which replaced by formatv4/formatv6 (multi valued)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by 'formatv4/formatv6'
+#format =
+
+# IPv6 format (multi valued)
+#formatv6 =
+
+
+[handler:nova_fixed]
+
+#
+# From designate.conf
+#
+
+# notification any events from nova (list value)
+#notification_topics = notifications
+
+# control-exchange for nova notification (string value)
+#control_exchange = nova
+
+# Zone ID with each notification (string value)
+#zone_id =
+
+# IPv4 format (multi valued)
+#formatv4 =
+
+# DEPRECATED: format which replaced by formatv4/formatv6 (multi valued)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by 'formatv4/formatv6'
+#format =
+
+# IPv6 format (multi valued)
+#formatv6 =
+
+
+[healthcheck]
+
+#
+# From oslo.middleware
+#
+
+# DEPRECATED: The path to respond to healtcheck requests on. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#path = /healthcheck
+
+# Show more detailed information as part of the response. Security note:
+# Enabling this option may expose sensitive details about the service being
+# monitored. Be sure to verify that it will not violate your security policies.
+# (boolean value)
+#detailed = false
+
+# Additional backends that can perform health checks and report that information
+# back as part of a request.
(list value)
+#backends =
+
+# Check the presence of a file to determine if an application is running on a
+# port. Used by DisableByFileHealthcheck plugin. (string value)
+#disable_by_file_path =
+
+# Check the presence of a file based on a port to determine if an application is
+# running on a port. Expects a "port:path" list of strings. Used by
+# DisableByFilesPortsHealthcheck plugin. (list value)
+#disable_by_file_paths =
+
+
+[heartbeat_emitter]
+
+#
+# From designate.conf
+#
+
+# Number of seconds between heartbeats for reporting state (floating point
+# value)
+#heartbeat_interval = 10.0
+
+# Emitter to use (string value)
+#emitter_type = rpc
+
+
+[keystone]
+
+#
+# From designate.conf
+#
+
+# The default service_type for endpoint URL discovery. (string value)
+#service_type =
+
+# The default service_name for endpoint URL discovery. (string value)
+#service_name =
+
+# List of interfaces, in order of preference, for endpoint URL. (list value)
+#valid_interfaces =
+
+# The default region_name for endpoint URL discovery. (string value)
+#region_name =
+
+# Always use this endpoint URL for requests for this client. NOTE: The
+# unversioned endpoint should be specified here; to request a particular API
+# version, use the `version`, `min-version`, and/or `max-version` options.
+# (string value)
+#endpoint_override =
+
+# Minimum Major API version within a given Major API version for endpoint URL
+# discovery. Mutually exclusive with min_version and max_version (string value)
+#version =
+
+# The minimum major version of a given API, intended to be used as the lower
+# bound of a range with max_version. Mutually exclusive with version. If
+# min_version is given with no max_version it is as if max version is "latest".
+# (string value)
+#min_version =
+
+# The maximum major version of a given API, intended to be used as the upper
+# bound of a range with min_version. Mutually exclusive with version.
(string
+# value)
+#max_version =
+
+# The maximum number of retries that should be attempted for connection errors.
+# (integer value)
+#connect_retries =
+
+# Delay (in seconds) between two retries for connection errors. If not set,
+# exponential retry starting with 0.5 seconds up to a maximum of 60 seconds is
+# used. (floating point value)
+#connect_retry_delay =
+
+# The maximum number of retries that should be attempted for retriable HTTP
+# status codes. (integer value)
+#status_code_retries =
+
+# Delay (in seconds) between two retries for retriable status codes. If not set,
+# exponential retry starting with 0.5 seconds up to a maximum of 60 seconds is
+# used. (floating point value)
+#status_code_retry_delay =
+
+# DEPRECATED: The default interface for endpoint URL discovery. (string value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Using valid-interfaces is preferrable because it is capable of
+# accepting a list of possible interfaces.
+#interface =
+
+# PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# (string value)
+#cafile =
+
+# PEM encoded client certificate cert file (string value)
+#certfile =
+
+# PEM encoded client certificate key file (string value)
+#keyfile =
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# Timeout value for http requests (integer value)
+#timeout =
+
+# Collect per-API call timing information. (boolean value)
+#collect_timing = false
+
+# Log requests to multiple loggers.
(boolean value)
+#split_loggers = false
+
+
+[keystone_authtoken]
+auth_type = password
+username = designate
+password = smartme
+project_name = service
+project_domain_name = Default
+user_domain_name = Default
+www_authenticate_uri = https://demo-controller.smartme.io:5000
+auth_url = https://demo-controller.smartme.io:5000
+memcached_servers = s4t_keystone:11211
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
+# clients are redirected to this endpoint to authenticate. Although this
+# endpoint should ideally be unversioned, client support in the wild varies. If
+# you're using a versioned v2 endpoint here, then this should *not* be the same
+# endpoint the service user utilizes for validating tokens, because normal end
+# users may not be able to reach that endpoint. (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_uri
+#www_authenticate_uri =
+
+# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
+# be an "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. This option
+# is deprecated in favor of www_authenticate_uri and will be removed in the S
+# release. (string value)
+# This option is deprecated for removal since Queens.
+# Its value may be silently ignored in the future.
+# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
+# will be removed in the S release.
+#auth_uri =
+
+# API version of the Identity API endpoint.
(string value)
+#auth_version =
+
+# Interface to use for the Identity API endpoint. Valid values are "public",
+# "internal" (default) or "admin". (string value)
+#interface = internal
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout =
+
+# How many times are we trying to reconnect when communicating with Identity API
+# Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache =
+
+# Required if identity server requires client certificate (string value)
+#certfile =
+
+# Required if identity server requires client certificate (string value)
+#keyfile =
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile =
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name =
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers =
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set to
+# -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted.
If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. (string value)
+# Possible values:
+# None -
+# MAC -
+# ENCRYPT -
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key =
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached server.
+# (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
+# value)
+#memcache_use_advanced_pool = true
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it if
+# not. "strict" like "permissive" but if the bind type is unknown the token will
+# be rejected.
"required" any form of token binding is needed to be allowed.
+# Finally the name of a binding method that must be present in tokens. (string
+# value)
+#enforce_token_bind = permissive
+
+# A choice of roles that must be present in a service token. Service tokens are
+# allowed to request that an expired token can be used and so this check should
+# tightly control that only actual services should be sending this token. Roles
+# here are applied as an ANY check so any role in this list must be present. For
+# backwards compatibility reasons this currently only affects the allow_expired
+# check. (list value)
+#service_token_roles = service
+
+# For backwards compatibility reasons we must let valid service tokens pass that
+# don't pass the service_token_roles check as valid. Setting this true will
+# become the default in a future release and should be enabled if possible.
+# (boolean value)
+#service_token_roles_required = false
+
+# The name or type of the service as it appears in the service catalog. This is
+# used to validate tokens that have restricted access rules. (string value)
+#service_type =
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type =
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section =
+
+
+[monasca:statsd]
+
+#
+# From designate.conf
+#
+
+# enable (boolean value)
+#enabled = false
+
+# UDP port (integer value)
+#port = 8125
+
+# hostname (string value)
+#hostname = 127.0.0.1
+
+
+[network_api:neutron]
+
+#
+# From designate.conf
+#
+
+# URL to use if None in the ServiceCatalog that is passed by the request
+# context.
Format: | (list value)
+#endpoints =
+
+# Endpoint type to use (string value)
+#endpoint_type = publicURL
+
+# timeout value for connecting to neutron in seconds (integer value)
+#timeout = 30
+
+# username for connecting to neutron in admin context (string value)
+#admin_username =
+
+# password for connecting to neutron in admin context (string value)
+#admin_password =
+
+# tenant name for connecting to neutron in admin context (string value)
+#admin_tenant_name =
+
+# auth url for connecting to neutron in admin context (string value)
+#auth_url =
+
+# if set, ignore any SSL validation issues (boolean value)
+#insecure = false
+
+# auth strategy for connecting to neutron in admin context (string value)
+#auth_strategy = keystone
+
+# Location of ca certificates file to use for neutron client requests. (string
+# value)
+#ca_certificates_file =
+
+
+[oslo_concurrency]
+
+#
+# From oslo.concurrency
+#
+
+# Enables or disables inter-process locks. (boolean value)
+#disable_process_locking = false
+
+# Directory to use for lock files. For security, the specified directory should
+# only be writable by the user running the processes that need locking. Defaults
+# to environment variable OSLO_LOCK_PATH. If external locks are used, a lock
+# path must be set. (string value)
+#lock_path = $state_path
+
+
+[oslo_messaging_amqp]
+
+#
+# From oslo.messaging
+#
+
+# Name for the AMQP container. must be globally unique. Defaults to a generated
+# UUID (string value)
+#container_name =
+
+# Timeout for inactive connections (in seconds) (integer value)
+#idle_timeout = 0
+
+# Debug: dump AMQP frames to stdout (boolean value)
+#trace = false
+
+# Attempt to connect via SSL. If no other ssl-related parameters are given, it
+# will use the system's CA-bundle to verify the server's certificate.
(boolean
+# value)
+#ssl = false
+
+# CA certificate PEM file used to verify the server's certificate (string value)
+#ssl_ca_file =
+
+# Self-identifying certificate PEM file for client authentication (string value)
+#ssl_cert_file =
+
+# Private key PEM file used to sign ssl_cert_file certificate (optional) (string
+# value)
+#ssl_key_file =
+
+# Password for decrypting ssl_key_file (if encrypted) (string value)
+#ssl_key_password =
+
+# By default SSL checks that the name in the server's certificate matches the
+# hostname in the transport_url. In some configurations it may be preferable to
+# use the virtual hostname instead, for example if the server uses the Server
+# Name Indication TLS extension (rfc6066) to provide a certificate per virtual
+# host. Set ssl_verify_vhost to True if the server's SSL certificate uses the
+# virtual host name instead of the DNS name. (boolean value)
+#ssl_verify_vhost = false
+
+# Space separated list of acceptable SASL mechanisms (string value)
+#sasl_mechanisms =
+
+# Path to directory that contains the SASL configuration (string value)
+#sasl_config_dir =
+
+# Name of configuration file (without .conf suffix) (string value)
+#sasl_config_name =
+
+# SASL realm to use if no realm present in username (string value)
+#sasl_default_realm =
+
+# Seconds to pause before attempting to re-connect. (integer value)
+# Minimum value: 1
+#connection_retry_interval = 1
+
+# Increase the connection_retry_interval by this many seconds after each
+# unsuccessful failover attempt. (integer value)
+# Minimum value: 0
+#connection_retry_backoff = 2
+
+# Maximum limit for connection_retry_interval + connection_retry_backoff
+# (integer value)
+# Minimum value: 1
+#connection_retry_interval_max = 30
+
+# Time to pause between re-connecting an AMQP 1.0 link that failed due to a
+# recoverable error.
(integer value)
+# Minimum value: 1
+#link_retry_delay = 10
+
+# The maximum number of attempts to re-send a reply message which failed due to
+# a recoverable error. (integer value)
+# Minimum value: -1
+#default_reply_retry = 0
+
+# The deadline for an rpc reply message delivery. (integer value)
+# Minimum value: 5
+#default_reply_timeout = 30
+
+# The deadline for an rpc cast or call message delivery. Only used when caller
+# does not provide a timeout expiry. (integer value)
+# Minimum value: 5
+#default_send_timeout = 30
+
+# The deadline for a sent notification message delivery. Only used when caller
+# does not provide a timeout expiry. (integer value)
+# Minimum value: 5
+#default_notify_timeout = 30
+
+# The duration to schedule a purge of idle sender links. Detach link after
+# expiry. (integer value)
+# Minimum value: 1
+#default_sender_link_timeout = 600
+
+# Indicates the addressing mode used by the driver.
+# Permitted values:
+# 'legacy' - use legacy non-routable addressing
+# 'routable' - use routable addresses
+# 'dynamic' - use legacy addresses if the message bus does not support routing
+# otherwise use routable addressing (string value)
+#addressing_mode = dynamic
+
+# Enable virtual host support for those message buses that do not natively
+# support virtual hosting (such as qpidd). When set to true the virtual host
+# name will be added to all message bus addresses, effectively creating a
+# private 'subnet' per virtual host. Set to False if the message bus supports
+# virtual hosting using the 'hostname' field in the AMQP 1.0 Open performative
+# as the name of the virtual host.
(boolean value)
+#pseudo_vhost = true
+
+# address prefix used when sending to a specific server (string value)
+#server_request_prefix = exclusive
+
+# address prefix used when broadcasting to all servers (string value)
+#broadcast_prefix = broadcast
+
+# address prefix when sending to any server in group (string value)
+#group_request_prefix = unicast
+
+# Address prefix for all generated RPC addresses (string value)
+#rpc_address_prefix = openstack.org/om/rpc
+
+# Address prefix for all generated Notification addresses (string value)
+#notify_address_prefix = openstack.org/om/notify
+
+# Appended to the address prefix when sending a fanout message. Used by the
+# message bus to identify fanout messages. (string value)
+#multicast_address = multicast
+
+# Appended to the address prefix when sending to a particular RPC/Notification
+# server. Used by the message bus to identify messages sent to a single
+# destination. (string value)
+#unicast_address = unicast
+
+# Appended to the address prefix when sending to a group of consumers. Used by
+# the message bus to identify messages that should be delivered in a round-robin
+# fashion across consumers. (string value)
+#anycast_address = anycast
+
+# Exchange name used in notification addresses.
+# Exchange name resolution precedence:
+# Target.exchange if set
+# else default_notification_exchange if set
+# else control_exchange if set
+# else 'notify' (string value)
+#default_notification_exchange =
+
+# Exchange name used in RPC addresses.
+# Exchange name resolution precedence:
+# Target.exchange if set
+# else default_rpc_exchange if set
+# else control_exchange if set
+# else 'rpc' (string value)
+#default_rpc_exchange =
+
+# Window size for incoming RPC Reply messages.
(integer value)
+# Minimum value: 1
+#reply_link_credit = 200
+
+# Window size for incoming RPC Request messages (integer value)
+# Minimum value: 1
+#rpc_server_credit = 100
+
+# Window size for incoming Notification messages (integer value)
+# Minimum value: 1
+#notify_server_credit = 100
+
+# Send messages of this type pre-settled.
+# Pre-settled messages will not receive acknowledgement
+# from the peer. Note well: pre-settled messages may be
+# silently discarded if the delivery fails.
+# Permitted values:
+# 'rpc-call' - send RPC Calls pre-settled
+# 'rpc-reply'- send RPC Replies pre-settled
+# 'rpc-cast' - Send RPC Casts pre-settled
+# 'notify' - Send Notifications pre-settled
+# (multi valued)
+#pre_settled = rpc-cast
+#pre_settled = rpc-reply
+
+
+[oslo_messaging_kafka]
+
+#
+# From oslo.messaging
+#
+
+# Max fetch bytes of Kafka consumer (integer value)
+#kafka_max_fetch_bytes = 1048576
+
+# Default timeout(s) for Kafka consumers (floating point value)
+#kafka_consumer_timeout = 1.0
+
+# DEPRECATED: Pool Size for Kafka Consumers (integer value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#pool_size = 10
+
+# DEPRECATED: The pool size limit for connections expiration policy (integer
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#conn_pool_min_size = 2
+
+# DEPRECATED: The time-to-live in sec of idle connections in the pool (integer
+# value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Driver no longer uses connection pool.
+#conn_pool_ttl = 1200
+
+# Group id for Kafka consumer.
Consumers in one group will coordinate message +# consumption (string value) +#consumer_group = oslo_messaging_consumer + +# Upper bound on the delay for KafkaProducer batching in seconds (floating point +# value) +#producer_batch_timeout = 0.0 + +# Size of batch for the producer async send (integer value) +#producer_batch_size = 16384 + +# The compression codec for all data generated by the producer. If not set, +# compression will not be used. Note that the allowed values of this depend on +# the kafka version (string value) +# Possible values: +# none - +# gzip - +# snappy - +# lz4 - +# zstd - +#compression_codec = none + +# Enable asynchronous consumer commits (boolean value) +#enable_auto_commit = false + +# The maximum number of records returned in a poll call (integer value) +#max_poll_records = 500 + +# Protocol used to communicate with brokers (string value) +# Possible values: +# PLAINTEXT - +# SASL_PLAINTEXT - +# SSL - +# SASL_SSL - +#security_protocol = PLAINTEXT + +# Mechanism when security protocol is SASL (string value) +#sasl_mechanism = PLAIN + +# CA certificate PEM file used to verify the server certificate (string value) +#ssl_cafile = + +# Client certificate PEM file used for authentication. (string value) +#ssl_client_cert_file = + +# Client key PEM file used for authentication. (string value) +#ssl_client_key_file = + +# Client key password file used for authentication. (string value) +#ssl_client_key_password = + + +[oslo_messaging_notifications] + +# +# From oslo.messaging +# + +# The Drivers(s) to handle sending notifications. Possible values are messaging, +# messagingv2, routing, log, test, noop (multi valued) +# Deprecated group/name - [DEFAULT]/notification_driver +#driver = + +# A URL representing the messaging driver to use for notifications. If not set, +# we fall back to the same configuration used for RPC. 
(string value) +# Deprecated group/name - [DEFAULT]/notification_transport_url +#transport_url = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +# Deprecated group/name - [DEFAULT]/notification_topics +#topics = notifications + +# The maximum number of attempts to re-send a notification message which failed +# to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite +# (integer value) +#retry = -1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +#amqp_durable_queues = false + +# Auto-delete queues in AMQP. (boolean value) +#amqp_auto_delete = false + +# Connect over SSL. (boolean value) +# Deprecated group/name - [oslo_messaging_rabbit]/rabbit_use_ssl +#ssl = false + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_version +#ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_keyfile +#ssl_key_file = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_certfile +#ssl_cert_file = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_ssl_ca_certs +#ssl_ca_file = + +# Run the health check heartbeat thread through a native python thread by +# default. If this option is equal to False then the health check heartbeat will +# inherit the execution model from the parent process. For example if the parent +# process has monkey patched the stdlib by using eventlet/greenlet then the +# heartbeat will be run through a green thread. 
(boolean value) +#heartbeat_in_pthread = true + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +#kombu_reconnect_delay = 1.0 + +# EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not +# be used. This option may not be available in future versions. (string value) +#kombu_compression = + +# How long to wait a missing client before abandoning to send it its replies. +# This value should not be longer than rpc_response_timeout. (integer value) +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout +#kombu_missing_consumer_retry_timeout = 60 + +# Determines how the next RabbitMQ node is chosen in case the one we are +# currently connected to becomes unavailable. Takes effect only if more than one +# RabbitMQ node is provided in config. (string value) +# Possible values: +# round-robin - +# shuffle - +#kombu_failover_strategy = round-robin + +# The RabbitMQ login method. (string value) +# Possible values: +# PLAIN - +# AMQPLAIN - +# RABBIT-CR-DEMO - +#rabbit_login_method = AMQPLAIN + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +#rabbit_retry_backoff = 2 + +# Maximum interval of RabbitMQ connection retries. Default is 30 seconds. +# (integer value) +#rabbit_interval_max = 30 + +# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this +# option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring +# is no longer controlled by the x-ha-policy argument when declaring a queue. 
If +# you just want to make sure that all queues (except those with auto-generated +# names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA +# '^(?!amq\.).*' '{"ha-mode": "all"}' " (boolean value) +#rabbit_ha_queues = false + +# Positive integer representing duration in seconds for queue TTL (x-expires). +# Queues which are unused for the duration of the TTL are automatically deleted. +# The parameter affects only reply and fanout queues. (integer value) +# Minimum value: 1 +#rabbit_transient_queues_ttl = 1800 + +# Specifies the number of messages to prefetch. Setting to zero allows unlimited +# messages. (integer value) +#rabbit_qos_prefetch_count = 0 + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disables heartbeat). (integer value) +#heartbeat_timeout_threshold = 60 + +# How often times during the heartbeat_timeout_threshold we check the heartbeat. +# (integer value) +#heartbeat_rate = 2 + +# DEPRECATED: (DEPRECATED) Enable/Disable the RabbitMQ mandatory flag for direct +# send. The direct send is used as reply, so the MessageUndeliverable exception +# is raised in case the client queue does not exist.MessageUndeliverable +# exception will be used to loop for a timeout to lets a chance to sender to +# recover.This flag is deprecated and it will not be possible to deactivate this +# functionality anymore (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Mandatory flag no longer deactivable. +#direct_mandatory_flag = true + +# Enable x-cancel-on-ha-failover flag so that rabbitmq server will cancel and +# notify consumerswhen queue is down (boolean value) +#enable_cancel_on_failover = false + + +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. 
(integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + +# DEPRECATED: The HTTP Header that will be used to determine what the original +# request protocol scheme was, even if it was hidden by a SSL termination proxy. +# (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#secure_proxy_ssl_header = X-Forwarded-Proto + +# Whether the application is behind a proxy or not. This determines if the +# middleware should parse the headers or not. (boolean value) +#enable_proxy_headers_parsing = false + +# HTTP basic auth password file. (string value) +#http_basic_auth_user_file = /etc/htpasswd + + +[oslo_policy] + +# +# From oslo.policy +# + +# This option controls whether or not to enforce scope when evaluating policies. +# If ``True``, the scope of the token used in the request is compared to the +# ``scope_types`` of the policy being enforced. If the scopes do not match, an +# ``InvalidScope`` exception will be raised. If ``False``, a message will be +# logged informing operators that policies are being invoked with mismatching +# scope. (boolean value) +#enforce_scope = false + +# This option controls whether or not to use old deprecated defaults when +# evaluating policies. If ``True``, the old deprecated defaults are not going to +# be evaluated. This means if any existing token is allowed for old defaults but +# is disallowed for new defaults, it will be disallowed. It is encouraged to +# enable this flag along with the ``enforce_scope`` flag so that you can get the +# benefits of new defaults and ``scope_type`` together. If ``False``, the +# deprecated policy check string is logically OR'd with the new policy check +# string, allowing for a graceful upgrade experience between releases with new +# policies, which is the default behavior. 
(boolean value) +#enforce_new_defaults = false + +# The relative or absolute path of a file that maps roles to permissions for a +# given service. Relative paths must be specified in relation to the +# configuration file setting this option. (string value) +#policy_file = policy.yaml + +# Default rule. Enforced when a requested rule is not found. (string value) +#policy_default_rule = default + +# Directories where policy configuration files are stored. They can be relative +# to any directory in the search path defined by the config_dir option, or +# absolute paths. The file defined by policy_file must exist for these +# directories to be searched. Missing or empty directories are ignored. (multi +# valued) +#policy_dirs = policy.d + +# Content Type to send and receive data for REST based policy check (string +# value) +# Possible values: +# application/x-www-form-urlencoded - +# application/json - +#remote_content_type = application/x-www-form-urlencoded + +# server identity verification for REST based policy check (boolean value) +#remote_ssl_verify_server_crt = false + +# Absolute path to ca cert file for REST based policy check (string value) +#remote_ssl_ca_crt_file = + +# Absolute path to client cert for REST based policy check (string value) +#remote_ssl_client_crt_file = + +# Absolute path client key file REST based policy check (string value) +#remote_ssl_client_key_file = + + +[oslo_reports] + +# +# From oslo.reports +# + +# Path to a log directory where to create a file (string value) +#log_dir = + +# The path to a file to watch for changes to trigger the reports, instead of +# signals. Setting this option disables the signal trigger for the reports. If +# application is running as a WSGI application it is recommended to use this +# instead of signals. 
(string value) +#file_event_handler = + +# How many seconds to wait between polls when file_event_handler is set (integer +# value) +#file_event_handler_interval = 1 + + +[producer_task:delayed_notify] + +# +# From designate.conf +# + +# Run interval in seconds (integer value) +#interval = 5 + +# Default amount of results returned per page (integer value) +#per_page = 100 + +# How many zones to receive NOTIFY on each run (integer value) +#batch_size = 100 + + +[producer_task:periodic_exists] + +# +# From designate.conf +# + +# Run interval in seconds (integer value) +#interval = 3600 + +# Default amount of results returned per page (integer value) +#per_page = 100 + + +[producer_task:periodic_secondary_refresh] + +# +# From designate.conf +# + +# Run interval in seconds (integer value) +#interval = 3600 + +# Default amount of results returned per page (integer value) +#per_page = 100 + + +[producer_task:worker_periodic_recovery] + +# +# From designate.conf +# + +# Run interval in seconds (integer value) +#interval = 120 + +# Default amount of results returned per page (integer value) +#per_page = 100 + + +[producer_task:zone_purge] + +# +# From designate.conf +# + +# Run interval in seconds (integer value) +#interval = 3600 + +# Default amount of results returned per page (integer value) +#per_page = 100 + +# How old deleted zones should be (deleted_at) to be purged, in seconds (integer +# value) +#time_threshold = 604800 + +# How many zones to be purged on each run (integer value) +#batch_size = 100 + + +[proxy] + +# +# From designate.conf +# + +# Proxy HTTP requests via this proxy. 
(string value) +#http_proxy = + +# Proxy HTTPS requests via this proxy (string value) +#https_proxy = + +# These addresses should not be proxied (list value) +#no_proxy = + + +[service:agent] + +# +# From designate.conf +# + +# Number of agent worker processes to spawn (integer value) +#workers = + +# Number of agent greenthreads to spawn (integer value) +#threads = 1000 + +# Agent host:port pairs to listen on (list value) +#listen = 0.0.0.0:5358 + +# The Agent TCP Backlog (integer value) +#tcp_backlog = 100 + +# Agent TCP Receive Timeout (floating point value) +#tcp_recv_timeout = 0.5 + +# List of IP addresses allowed to NOTIFY The Agent (list value) +#allow_notify = + +# List of masters for the Agent, format ip:port (list value) +#masters = + +# The backend driver to use, e.g. bind9, djbdns, knot2 (string value) +#backend_driver = bind9 + +# An IP address to be used to fetch zones transferred in (string value) +#transfer_source = + +# Delay after a NOTIFY arrives for a zone that the Agent will pause and drop +# subsequent NOTIFYs for that zone (floating point value) +#notify_delay = 0.0 + + +[service:api] + +listen = 0.0.0.0:9001 +auth_strategy = keystone +enable_api_v2 = True +enable_api_admin = True +enable_host_header = True +enabled_extensions_admin = quotas, reports + +# +# From designate.conf +# + +# Number of api worker processes to spawn (integer value) +#workers = + +# Number of api greenthreads to spawn (integer value) +#threads = 1000 + +# Enable host request headers (boolean value) +#enable_host_header = true + +# the url used as the base for all API responses,This should consist of the +# scheme (http/https),the hostname, port, and any paths that are addedto the +# base of Designate is URLs,For example http://dns.openstack.example.com/dns +# (string value) +#api_base_uri = http://127.0.0.1:9001/ + +# API host:port pairs to listen on (list value) +#listen = 0.0.0.0:9001 + +# File name for the paste.deploy config for designate-api (string value) 
+#api_paste_config = api-paste.ini + +# The strategy to use for auth. Supports noauth or keystone (string value) +#auth_strategy = keystone + +# enable-api-v2 which enable in a future (boolean value) +#enable_api_v2 = true + +# enable-api-admin (boolean value) +#enable_api_admin = false + +# Maximum line size of message headers to be accepted. max_header_line may need +# to be increased when using large tokens (typically those generated by the +# Keystone v3 API with big service catalogs). (integer value) +#max_header_line = 16384 + +# Pecan HTML Debug Interface (boolean value) +#pecan_debug = false + +# Enabled API Extensions for the V2 API (list value) +#enabled_extensions_v2 = + +# Default per-page limit for the V2 API, a value of None means show all results +# by default (integer value) +#default_limit_v2 = 20 + +# Max per-page limit for the V2 API (integer value) +#max_limit_v2 = 1000 + +# Verify that the requested Project ID for quota target is a valid project in +# Keystone. (boolean value) +#quotas_verify_project_id = false + +# Enabled Admin API Extensions (list value) +#enabled_extensions_admin = + +# Default per-page limit for the Admin API, a value of None means show all +# results by default (integer value) +#default_limit_admin = 20 + +# Max per-page limit for the Admin API (integer value) +#max_limit_admin = 1000 + +# Enable API Maintenance Mode (boolean value) +#maintenance_mode = false + +# Role allowed to bypass maintaince mode (string value) +#maintenance_mode_role = admin + +# DEPRECATED: The HTTP Header that will be used to determine which the original +# request protocol scheme was, even if it was removed by an SSL terminating +# proxy. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: This parameter has had no effect since SSLMiddleware was replaced by +# http_proxy_to_wsgi +#secure_proxy_ssl_header = X-Forwarded-Proto + +# DEPRECATED: A scheme that will be used to override the request protocol +# scheme, even if it was set by an SSL terminating proxy. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: This parameter has had no effect since SSLMiddleware was replaced by +# http_proxy_to_wsgi +#override_proto = + + +[service:central] + +# +# From designate.conf +# + +# Number of central worker processes to spawn (integer value) +#workers = + +# Number of central greenthreads to spawn (integer value) +#threads = 1000 + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# Enabled Notification Handlers (list value) +#enabled_notification_handlers = + +# Maximum zone name length (integer value) +#max_zone_name_len = 255 + +# Maximum recordset name length (integer value) +# Deprecated group/name - [service:central]/max_record_name_len +#max_recordset_name_len = 255 + +# E-Mail for Managed resources (string value) +#managed_resource_email = hostmaster@example.com + +# The Tenant ID that will own any managed resources. 
(string value) +#managed_resource_tenant_id = 00000000-0000-0000-0000-000000000000 + +# Minimum TTL allowed (integer value) +#min_ttl = + +# The name of the default pool (string value) +#default_pool_id = 794ccc2c-d751-44fe-b57f-8894c9f5c842 + +# RPC topic name for central (string value) +#topic = central + +# Enabled Pool Scheduling filters (list value) +#scheduler_filters = default_pool + + +[service:mdns] + +# +# From designate.conf +# + +# Number of mdns worker processes to spawn (integer value) +#workers = + +# Number of mdns greenthreads to spawn (integer value) +#threads = 1000 + +# mDNS host:port pairs to listen on (list value) +#listen = 0.0.0.0:5354 + +# mDNS TCP Backlog (integer value) +#tcp_backlog = 100 + +# mDNS TCP Receive Timeout (floating point value) +#tcp_recv_timeout = 0.5 + +# Send all traffic over TCP (boolean value) +#all_tcp = false + +# Enforce all incoming queries (including AXFR) are TSIG signed (boolean value) +#query_enforce_tsig = false + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# Maximum message size to emit (integer value) +#max_message_size = 65535 + +# RPC topic name for mdns (string value) +#topic = mdns + +# Timeout in seconds for XFR's. (integer value) +#xfr_timeout = 10 + + +[service:producer] + +# +# From designate.conf +# + +# Number of Producer worker processes to spawn (integer value) +#workers = + +# Number of Producer greenthreads to spawn (integer value) +#threads = 1000 + +# Enabled tasks to run (list value) +#enabled_tasks = + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# DEPRECATED: Whether to allow synchronous zone exports (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: Migrated to designate-worker +#export_synchronous = true + +# RPC topic name for producer (string value) +#topic = producer + + +[service:sink] + +# +# From designate.conf +# + +# Number of sink worker processes to spawn (integer value) +#workers = + +# Number of sink greenthreads to spawn (integer value) +#threads = 1000 + +# Enabled Notification Handlers (list value) +#enabled_notification_handlers = + +# pool name to use for oslo.messaging notification listener. Note that listener +# pooling is not supported by all oslo.messaging drivers. (string value) +#listener_pool_name = + + +[service:worker] + +# +# From designate.conf +# + +# Number of Worker worker processes to spawn (integer value) +#workers = + +# Number of Worker threads to spawn per process (integer value) +#threads = 200 + +# The storage driver to use (string value) +#storage_driver = sqlalchemy + +# The percentage of servers requiring a successful update for a domain change to +# be considered active (integer value) +#threshold_percentage = 100 + +# The time to wait for a response from a server (integer value) +#poll_timeout = 30 + +# The time between retrying to send a request and waiting for a response from a +# server (integer value) +#poll_retry_interval = 15 + +# The maximum number of times to retry sending a request and wait for a response +# from a server (integer value) +#poll_max_retries = 10 + +# The time to wait before sending the first request to a server (integer value) +#poll_delay = 5 + +# DEPRECATED: Whether to allow worker to send NOTIFYs, this will noop NOTIFYs in +# mdns if true (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: This option is being removed to reduce complexity +#notify = true + +# Whether to allow synchronous zone exports (boolean value) +#export_synchronous = true + +# RPC topic name for worker (string value) +#topic = worker + + +[ssl] + +# +# From oslo.service.sslutils +# + +# CA certificate file to use to verify connecting clients. (string value) +# Deprecated group/name - [DEFAULT]/ssl_ca_file +#ca_file = + +# Certificate file to use when starting the server securely. (string value) +# Deprecated group/name - [DEFAULT]/ssl_cert_file +#cert_file = + +# Private key file to use when starting the server securely. (string value) +# Deprecated group/name - [DEFAULT]/ssl_key_file +#key_file = + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +#version = + +# Sets the list of available ciphers. value should be a string in the OpenSSL +# cipher list format. (string value) +#ciphers = + + +[storage:sqlalchemy] + +connection = mysql+pymysql://s4t_designate:sm3d3m0n@s4t_iotronic_db/s4t_designate + +# +# From designate.conf +# + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +#connection = + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set by +# the server configuration, set this to no value. 
Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# If True, transparently enables support for handling MySQL Cluster (NDB). +# (boolean value) +#mysql_enable_ndb = false + +# Connections which have been present in the connection pool longer than this +# number of seconds will be replaced with a new one the next time they are +# checked out from the pool. (integer value) +#connection_recycle_time = 3600 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of 0 +# indicates no limit. (integer value) +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. (boolean +# value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. 
(integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. (boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+# Optional URL parameters to append onto the connection URL at connect time;
+# specify as param1=value1¶m2=value2&... (string value)
+#connection_parameters =
diff --git a/7-designate/build/conf/named.conf.options b/7-designate/build/conf/named.conf.options
new file mode 100644
index 0000000..ca30d0c
--- /dev/null
+++ b/7-designate/build/conf/named.conf.options
@@ -0,0 +1,40 @@
+//include "/etc/designate/rndc.key";
+include "/etc/bind/rndc.key";
+
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+
+ allow-new-zones yes;
+ request-ixfr no;
+ listen-on port 53 { any; };
+ recursion no;
+ allow-query { any; };
+
+};
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndc-key"; };
+};
diff --git a/7-designate/build/conf/pools.yaml b/7-designate/build/conf/pools.yaml
new file mode 100644
index 0000000..77d7774
--- /dev/null
+++ b/7-designate/build/conf/pools.yaml
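Review bot: Zone transfers are left unrestricted in this options block: `listen-on port 53 { any; }` and `allow-query { any; }` expose the server publicly, but there is no `allow-transfer` statement, and on BIND releases where that option defaults to `any` every hosted zone can be pulled in full by any client. This server only receives zones from designate-mdns (the `masters` entry in pools.yaml) and has no secondaries of its own, so `allow-transfer { none; };` next to `recursion no;` costs nothing. The commented-out `//include "/etc/designate/rndc.key";` on the first line is dead text now that the real include follows it and can be dropped.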
@@ -0,0 +1,43 @@
+- name: default
+ # The name is immutable. There will be no option to change the name after
+ # creation and the only way will to change it will be to delete it
+ # (and all zones associated with it) and recreate it.
+ description: Default Pool
+
+ attributes: {}
+
+ # List out the NS records for zones hosted within this pool
+ # This should be a record that is created outside of designate, that
+ # points to the public IP of the controller node.
+ ns_records:
+ - hostname: demo-controller.smartme.io.
+ priority: 1
+
+ # List out the nameservers for this pool. These are the actual BIND servers.
+ # We use these to verify changes have propagated to all nameservers.
+ nameservers:
+ - host: 127.0.0.1
+ port: 53
+
+ # List out the targets for this pool. For BIND there will be one
+ # entry for each BIND server, as we have to run rndc command on each server
+ targets:
+ - type: bind9
+ description: BIND9 Server 1
+
+ # List out the designate-mdns servers from which BIND servers should
+ # request zone transfers (AXFRs) from.
+ # This should be the IP of the controller node.
+ # If you have multiple controllers you can add multiple masters
+ # by running designate-mdns on them, and adding them here.
+ masters:
+ - host: 127.0.0.1
+ port: 5354
+
+ # BIND Configuration options
+ options:
+ host: 127.0.0.1
+ port: 53
+ rndc_host: 127.0.0.1
+ rndc_port: 953
+ rndc_key_file: /etc/bind/rndc.key
diff --git a/7-designate/build/scripts/designate-setup.sh b/7-designate/build/scripts/designate-setup.sh
new file mode 100644
index 0000000..6d24ed4
--- /dev/null
+++ b/7-designate/build/scripts/designate-setup.sh
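Review bot: The NS hostname `demo-controller.smartme.io.` under `ns_records` is baked into the image at build time, while the compose file added later in this series passes the same name through a `HOST` environment variable; the two drift the first time the image is deployed against another controller. Since `designate-manage pool update` is already invoked from designate-setup.sh, rendering this file from the environment there (or at container start) keeps a single source of truth. The loopback addresses under `nameservers`, `masters` and `options` are only correct when designate-mdns and named share this container's network namespace, which nothing in this file states; a comment such as `# 127.0.0.1: designate-mdns and named are expected to run in the same container` next to `masters:` would make that assumption visible.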
@@ -0,0 +1,23 @@
+IP_DESIGNATE="demo-controller.smartme.io"
+HTTPS=true
+DESIGNATE_PASS="smartme"
+
+URL="http://$IP_DESIGNATE:9001"
+if [ "$HTTPS" = true ] ; then
+ URL="https://$IP_DESIGNATE:9001"
+fi
+
+echo $URL
+
+if [ ! -e ${HOME}/.designate_setup_completed ]
+then
+ openstack service create dns --name Designate
+ openstack user create --password $DESIGNATE_PASS designate
+ openstack role add --project service --user designate admin
+
+ openstack endpoint create --region RegionOne dns public $URL
+
+ touch ${HOME}/.designate_setup_completed
+else
+ echo "no need to setup designate !"
+fi
\ No newline at end of file
From 324e5878738db0c0b6a48bb73f41f970beb2ed25 Mon Sep 17 00:00:00 2001
From: Arturo Rinaldi
Date: Thu, 13 Jan 2022 15:34:30 +0100
Subject: [PATCH 63/66] adding designate service to controller YAML compose file
---
 docker-compose-controller.yml | 37 ++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml
index 2c25dce..12f7e4c 100644
--- a/docker-compose-controller.yml
+++ b/docker-compose-controller.yml
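Review bot: The script has no shebang and no `set -e`, so when `openstack user create` or `openstack role add` fails (Keystone not up yet, wrong admin credentials) the remaining steps still run and `touch ${HOME}/.designate_setup_completed` records the setup as complete, after which it is never retried. `DESIGNATE_PASS="smartme"` is also a service credential committed in the image source and handed to `openstack user create --password` on the command line; take it from the environment instead (the compose file later in this series already passes `ADMIN_PASS`/`IOTRONIC_PASS` that way) and quote the expansions so an unset value aborts rather than silently changing the command line. The rewrite below keeps the same steps and the same marker file.
```shell
#!/usr/bin/env bash
set -euo pipefail

IP_DESIGNATE="demo-controller.smartme.io"
HTTPS=true
# Service credential comes from the environment; abort early if it is missing.
: "${DESIGNATE_PASS:?DESIGNATE_PASS must be set in the environment}"

# … unchanged: HTTPS / URL selection …
printf '%s\n' "$URL"

marker="${HOME}/.designate_setup_completed"
if [ ! -e "$marker" ]; then
  openstack service create dns --name Designate
  openstack user create --password "$DESIGNATE_PASS" designate
  openstack role add --project service --user designate admin
  openstack endpoint create --region RegionOne dns public "$URL"
  # Reached only if every step above succeeded (set -e).
  touch "$marker"
else
  echo "no need to setup designate !"
fi
```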
@@ -84,6 +84,38 @@ services:
 networks:
 - 'default'
 
+ designate:
+ container_name: s4t_iotronic_designate
+ image: smartmeio/s4t_iotronic_designate:latest
+ environment:
+ - OS_PROJECT_DOMAIN_NAME=Default
+ - OS_USER_DOMAIN_NAME=Default
+ - OS_PROJECT_NAME=admin
+ - OS_USERNAME=admin
+ - OS_PASSWORD=smartme
+ - OS_AUTH_URL=https://demo-controller.smartme.io:5000/v3
+ - OS_IDENTITY_API_VERSION=3
+ - OS_IMAGE_API_VERSION=2
+ - HOST="demo-controller.smartme.io"
+ - ADMIN_PASS="smartme"
+ - IOTRONIC_PASS="smartme"
+ hostname: designate
+ volumes:
+ - s4t_designate_config:/etc/designate
+ - s4t_bind:/etc/bind
+ - /var/log/designate-conductor:/var/log/designate
+ depends_on:
+ - rabbitmq
+ - keystone
+ - mariadb
+ command: /bin/bash -c 'iotronic-dbsync && startDesignate'
+ ports:
+ - '9002:9001'
+ - '53:53/udp'
+ - '53:53'
+ networks:
+ - 'default'
+
 ui:
 container_name: s4t_iotronic_ui
 restart: unless-stopped
@@ -106,7 +138,10 @@ volumes:
 name: s4t_keystone_data
 s4t_iotronic_conductor_config:
 name: s4t_iotronic_conductor_config
-
+ s4t_designate_config:
+ name: s4t_designate_config
+ s4t_bind:
+ name: s4t_bind
 
 networks:
 default:
From fb4b46cce34aa6b0dfc970309c86337c9b67d5f6 Mon Sep 17 00:00:00 2001
From: Fabio Verboso
Date: Tue, 18 Jan 2022 17:50:27 +0100
Subject: [PATCH 64/66] Update designate-setup.sh
pool update has been moved in designate-setup
---
 7-designate/build/scripts/designate-setup.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/7-designate/build/scripts/designate-setup.sh b/7-designate/build/scripts/designate-setup.sh
index 6d24ed4..63cd051 100644
--- a/7-designate/build/scripts/designate-setup.sh
+++ b/7-designate/build/scripts/designate-setup.sh
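Review bot: In the list form of `environment:` the quotes in `- HOST="demo-controller.smartme.io"`, `- ADMIN_PASS="smartme"` and `- IOTRONIC_PASS="smartme"` are not YAML quoting but part of the value, so the container receives the literal string with the double quotes included; write them as `- HOST=demo-controller.smartme.io`, the way the `OS_*` entries above already are. The admin password (`OS_PASSWORD=smartme`, `ADMIN_PASS`) is committed in the compose file; an untracked `.env` with `${OS_PASSWORD}` substitution keeps the deployment's credentials out of the repository (the same applies to the `connection =` database URL added to designate.conf earlier in this series). The API is published on host port 9002 (`'9002:9001'`) while designate-setup.sh registers the endpoint at `https://…:9001`; unless a TLS-terminating proxy on the host listens on 9001, the catalog entry does not reach this container. Unlike the `ui` service just below, `designate` also has no `restart:` policy.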
@@ -16,8 +16,9 @@ then
 openstack role add --project service --user designate admin
 
 openstack endpoint create --region RegionOne dns public $URL
-
+ /bin/sh -c "designate-manage pool update" designate
+
 touch ${HOME}/.designate_setup_completed
 else
 echo "no need to setup designate !"
-fi
\ No newline at end of file
+fi
From ba5e53cf37dabfde64380ab766209d211a5f4e9d Mon Sep 17 00:00:00 2001
From: Fabio Verboso
Date: Tue, 18 Jan 2022 17:52:44 +0100
Subject: [PATCH 65/66] Update docker-compose-controller.yml
correct db sync command before starting designate
---
 docker-compose-controller.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose-controller.yml b/docker-compose-controller.yml
index 12f7e4c..55801aa 100644
--- a/docker-compose-controller.yml
+++ b/docker-compose-controller.yml
@@ -108,7 +108,7 @@ services:
 - rabbitmq
 - keystone
 - mariadb
- command: /bin/bash -c 'iotronic-dbsync && startDesignate'
+ command: /bin/bash -c 'designate-manage database sync && startDesignate'
 ports:
 - '9002:9001'
 - '53:53/udp'
From 80a08990e2560982843bfec86468775aee058e2c Mon Sep 17 00:00:00 2001
From: Fabio Verboso
Date: Tue, 18 Jan 2022 18:07:02 +0100
Subject: [PATCH 66/66] Update designate-setup.sh
owner forced for the key of bind.
---
 7-designate/build/scripts/designate-setup.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/7-designate/build/scripts/designate-setup.sh b/7-designate/build/scripts/designate-setup.sh
index 63cd051..d923646 100644
--- a/7-designate/build/scripts/designate-setup.sh
+++ b/7-designate/build/scripts/designate-setup.sh
@@ -16,6 +16,8 @@ then
 openstack role add --project service --user designate admin
 
 openstack endpoint create --region RegionOne dns public $URL
+
+ chown bind:bind /etc/bind/rndc.key
 /bin/sh -c "designate-manage pool update" designate
 
 touch ${HOME}/.designate_setup_completed
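Review bot: `/bin/sh -c "designate-manage pool update" designate` does not run the command as the `designate` user: a word following the `-c` string becomes `$0` of the inner shell, so `designate-manage pool update` runs as whoever invokes the script and the extra shell adds nothing. If a user switch is intended, use `su -s /bin/sh -c "designate-manage pool update" designate` (or whichever of `runuser`/`gosu` the image provides); if not, call `designate-manage pool update` directly. Either way a failed pool update is still followed by the `touch` that marks setup complete; `designate-manage pool update || exit 1` at least leaves the marker unset so the next start retries. The enclosing if/then block starts outside the hunk.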
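Review bot: `chown bind:bind /etc/bind/rndc.key` changes the owner but not the mode, and the key has two readers: named (as `bind`) and the designate bind9 backend through `rndc_key_file: /etc/bind/rndc.key` in pools.yaml. If the designate processes run under an account other than `bind`, this chown either leaves the key world-readable (if it was created that way) or breaks `designate-manage pool update` and the rndc calls; stating which account reads it, and pairing the chown with a matching mode such as `chmod 640 /etc/bind/rndc.key` plus group membership for the designate user if the accounts differ, belongs on this line. The command also only runs inside the marker-guarded branch, so a key regenerated on a later start is never re-owned; a comment such as `# rndc.key is shared by named (bind) and designate-manage; keep it group-readable, never world-readable` would record the intent. The enclosing if/then block starts outside the hunk.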