Move all EC2 cred creation to eucarc

Dean Troyer · Dean Troyer · commit 0bd2410d469f · 2012-03-09T21:41:00.000-06:00
* Remove credential creation from files/keystone_data.sh
* Remove EC2 cert setup from openrc
* Remove sourcing of ec2rc from stackrc
* Collect the above in eucarc
* Allow rc files to be sourced from other directories; based on Chmouel's
  4881 proposal but is simpler and doesn't actually change the directory
* Create S3 endpoint
* Get EC2 and S3 endpoints from Keystone service catalog
* Add EC2 credential checks to exercises/client-env.sh
* exercises/bundle.sh and exercises/euca.sh use eucarc

Updates:
* remove readlink -f to stay bash 3 compatible
* use service catalog
* create S3 endpoint

Fixes bug 949528

Change-Id: I58caea8cecbbd10661779bc2d150d241f4a5822e
diff --git a/README.md b/README.md
@@ -41,6 +41,11 @@ We also provide an environment file that you can use to interact with your cloud
     . openrc
     # list instances
     nova list
+
+If the EC2 API is your cup-o-tea, you can create credentials and use euca2ools:
+
+    # source eucarc to generate EC2 credentials and set up the environment
+    . eucarc
     # list instances using ec2 api
     euca-describe-instances
 
diff --git a/eucarc b/eucarc
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# source eucarc [username] [tenantname]
+#
+# Create EC2 credentials for the current user as defined by OS_TENANT_NAME:OS_USERNAME
+# Optionally set the tenant/username via openrc
+
+if [[ -n "$1" ]]; then
+    USERNAME=$1
+fi
+if [[ -n "$2" ]]; then
+    TENANT=$2
+fi
+
+# Find the other rc files
+RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)
+
+# Get user configuration
+source $RC_DIR/openrc
+
+# Set the ec2 url so euca2ools works
+export EC2_URL=$(keystone catalog --service ec2 | awk '/ publicURL / { print $4 }')
+
+# Create EC2 credentials for the current user
+CREDS=$(keystone ec2-credentials-create)
+export EC2_ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
+export EC2_SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
+
+# Euca2ools Certificate stuff for uploading bundles
+# See exercises/bundle.sh to see how to get certs using nova cli
+NOVA_KEY_DIR=${NOVA_KEY_DIR:-$RC_DIR}
+export S3_URL=$(keystone catalog --service s3 | awk '/ publicURL / { print $4 }')
+export EC2_USER_ID=42 # nova does not use user id, but bundling requires it
+export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem
+export EC2_CERT=${NOVA_KEY_DIR}/cert.pem
+export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem
+export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set
+alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user ${EC2_USER_ID} --ec2cert ${NOVA_CERT}"
+alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"
+
diff --git a/exercises/bundle.sh b/exercises/bundle.sh
@@ -18,24 +18,24 @@ set -o xtrace
 # Settings
 # ========
 
-# Use openrc + stackrc + localrc for settings
-pushd $(cd $(dirname "$0")/.. && pwd) >/dev/null
+# Keep track of the current directory
+EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
+TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
 
 # Import common functions
-source ./functions
+source $TOP_DIR/functions
 
-# Import configuration
-source ./openrc
+# Import EC2 configuration
+source $TOP_DIR/eucarc
 
 # Remove old certificates
-rm -f cacert.pem
-rm -f cert.pem
-rm -f pk.pem
+rm -f $TOP_DIR/cacert.pem
+rm -f $TOP_DIR/cert.pem
+rm -f $TOP_DIR/pk.pem
 
 # Get Certificates
-nova x509-get-root-cert
-nova x509-create-cert
-popd >/dev/null
+nova x509-get-root-cert $TOP_DIR/cacert.pem
+nova x509-create-cert $TOP_DIR/pk.pem $TOP_DIR/cert.pem
 
 # Max time to wait for image to be registered
 REGISTER_TIMEOUT=${REGISTER_TIMEOUT:-15}
diff --git a/exercises/client-env.sh b/exercises/client-env.sh
@@ -12,15 +12,15 @@ VERIFY=${1:-""}
 # Settings
 # ========
 
-# Use openrc + stackrc + localrc for settings
-pushd $(cd $(dirname "$0")/.. && pwd) >/dev/null
+# Keep track of the current directory
+EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
+TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
 
 # Import common functions
-source ./functions
+source $TOP_DIR/functions
 
 # Import configuration
-source ./openrc
-popd >/dev/null
+source $TOP_DIR/openrc
 
 # Unset all of the known NOVA_ vars
 unset NOVA_API_KEY
@@ -53,7 +53,7 @@ if [[ "$ENABLED_SERVICES" =~ "key" ]]; then
         STATUS_KEYSTONE="Skipped"
     else
         echo -e "\nTest Keystone"
-        if keystone service-list; then
+        if keystone catalog --service identity; then
             STATUS_KEYSTONE="Succeeded"
         else
             STATUS_KEYSTONE="Failed"
@@ -68,14 +68,31 @@ fi
 if [[ "$ENABLED_SERVICES" =~ "n-api" ]]; then
     if [[ "$SKIP_EXERCISES" =~ "n-api" ]] ; then
         STATUS_NOVA="Skipped"
+        STATUS_EC2="Skipped"
     else
+        # Test OSAPI
         echo -e "\nTest Nova"
         if nova flavor-list; then
             STATUS_NOVA="Succeeded"
         else
             STATUS_NOVA="Failed"
             RETURN=1
         fi
+
+        # Test EC2 API
+        echo -e "\nTest EC2"
+        # Get EC2 creds
+        source $TOP_DIR/eucarc
+
+        if euca-describe-images; then
+            STATUS_EC2="Succeeded"
+        else
+            STATUS_EC2="Failed"
+            RETURN=1
+        fi
+
+        # Clean up side effects
+        unset NOVA_VERSION
     fi
 fi
 
@@ -125,6 +142,7 @@ function report() {
 echo -e "\n"
 report "Keystone" $STATUS_KEYSTONE
 report "Nova" $STATUS_NOVA
+report "EC2" $STATUS_EC2
 report "Glance" $STATUS_GLANCE
 report "Swift" $STATUS_SWIFT
 
diff --git a/exercises/euca.sh b/exercises/euca.sh
@@ -18,15 +18,15 @@ set -o xtrace
 # Settings
 # ========
 
-# Use openrc + stackrc + localrc for settings
-pushd $(cd $(dirname "$0")/.. && pwd) >/dev/null
+# Keep track of the current directory
+EXERCISE_DIR=$(cd $(dirname "$0") && pwd)
+TOP_DIR=$(cd $EXERCISE_DIR/..; pwd)
 
 # Import common functions
-source ./functions
+source $TOP_DIR/functions
 
-# Import configuration
-source ./openrc
-popd >/dev/null
+# Import EC2 configuration
+source $TOP_DIR/eucarc
 
 # Max time to wait while vm goes from build to active state
 ACTIVE_TIMEOUT=${ACTIVE_TIMEOUT:-30}
diff --git a/files/default_catalog.templates b/files/default_catalog.templates
@@ -24,6 +24,12 @@ catalog.RegionOne.ec2.internalURL = http://%SERVICE_HOST%:8773/services/Cloud
 catalog.RegionOne.ec2.name = 'EC2 Service'
 
 
+catalog.RegionOne.s3.publicURL = http://%SERVICE_HOST%:3333
+catalog.RegionOne.s3.adminURL = http://%SERVICE_HOST%:3333
+catalog.RegionOne.s3.internalURL = http://%SERVICE_HOST%:3333
+catalog.RegionOne.s3.name = 'S3 Service'
+
+
 catalog.RegionOne.image.publicURL = http://%SERVICE_HOST%:9292/v1
 catalog.RegionOne.image.adminURL = http://%SERVICE_HOST%:9292/v1
 catalog.RegionOne.image.internalURL = http://%SERVICE_HOST%:9292/v1
diff --git a/files/keystone_data.sh b/files/keystone_data.sh
@@ -2,9 +2,6 @@
 #
 # Initial data for Keystone using python-keystoneclient
 #
-# A set of EC2-compatible credentials is created for both admin and demo
-# users and placed in $DEVSTACK_DIR/ec2rc.
-#
 # Tenant               User      Roles
 # -------------------------------------------------------
 # admin                admin     admin
@@ -48,6 +45,7 @@ DEMO_USER=$(get_id keystone user-create --name=demo \
                                         --pass="$ADMIN_PASSWORD" \
                                         --email=demo@example.com)
 
+
 # Roles
 ADMIN_ROLE=$(get_id keystone role-create --name=admin)
 KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
@@ -135,20 +133,3 @@ if [[ "$ENABLED_SERVICES" =~ "quantum" ]]; then
                            --user $QUANTUM_USER \
                            --role $ADMIN_ROLE
 fi
-
-# create ec2 creds and parse the secret and access key returned
-RESULT=$(keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER)
-ADMIN_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
-ADMIN_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
-
-RESULT=$(keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER)
-DEMO_ACCESS=$(echo "$RESULT" | awk '/ access / { print $4 }')
-DEMO_SECRET=$(echo "$RESULT" | awk '/ secret / { print $4 }')
-
-# write the secret and access to ec2rc
-cat > $DEVSTACK_DIR/ec2rc <<EOF
-ADMIN_ACCESS=$ADMIN_ACCESS
-ADMIN_SECRET=$ADMIN_SECRET
-DEMO_ACCESS=$DEMO_ACCESS
-DEMO_SECRET=$DEMO_SECRET
-EOF
diff --git a/openrc b/openrc
@@ -17,8 +17,11 @@ if [[ -n "$2" ]]; then
     TENANT=$2
 fi
 
+# Find the other rc files
+RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)
+
 # Load local configuration
-source ./stackrc
+source $RC_DIR/stackrc
 
 # The introduction of Keystone to the OpenStack ecosystem has standardized the
 # term **tenant** as the entity that owns resources.  In some places references
@@ -59,30 +62,8 @@ export NOVA_VERSION=${NOVA_VERSION:-1.1}
 # In the future this will change names:
 export COMPUTE_API_VERSION=${COMPUTE_API_VERSION:-$NOVA_VERSION}
 
-# Set the ec2 url so euca2ools works
-export EC2_URL=${EC2_URL:-http://$SERVICE_HOST:8773/services/Cloud}
-
-# Access key is set in the initial keystone data to be the same as username
-export EC2_ACCESS_KEY=${DEMO_ACCESS}
-
-# Secret key is set in the initial keystone data to the admin password
-export EC2_SECRET_KEY=${DEMO_SECRET}
-
-# Euca2ools Certificate stuff for uploading bundles
-# See exercises/bundle.sh to see how to get certs using nova cli
-NOVARC=$(readlink -f "${BASH_SOURCE:-${0}}" 2>/dev/null) ||
-        NOVARC=$(python -c 'import os,sys; print os.path.abspath(os.path.realpath(sys.argv[1]))' "${BASH_SOURCE:-${0}}")
-NOVA_KEY_DIR=${NOVARC%/*}
-export S3_URL=http://$SERVICE_HOST:3333
-export EC2_USER_ID=42 # nova does not use user id, but bundling requires it
-export EC2_PRIVATE_KEY=${NOVA_KEY_DIR}/pk.pem
-export EC2_CERT=${NOVA_KEY_DIR}/cert.pem
-export NOVA_CERT=${NOVA_KEY_DIR}/cacert.pem
-export EUCALYPTUS_CERT=${NOVA_CERT} # euca-bundle-image seems to require this set
-alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_PRIVATE_KEY} --user 42 --ec2cert ${NOVA_CERT}"
-alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"
-
 # set log level to DEBUG (helps debug issues)
+# export KEYSTONECLIENT_DEBUG=1
 # export NOVACLIENT_DEBUG=1
 
 # Max time till the vm is bootable
diff --git a/stackrc b/stackrc
@@ -1,3 +1,6 @@
+# Find the other rc files
+RC_DIR=$(cd $(dirname "$BASH_SOURCE") && pwd)
+
 # compute service
 NOVA_REPO=https://github.com/openstack/nova.git
 NOVA_BRANCH=master
@@ -76,12 +79,7 @@ case "$LIBVIRT_TYPE" in
         IMAGE_URLS="http://launchpad.net/cirros/trunk/0.3.0/+download/cirros-0.3.0-x86_64-uec.tar.gz";;
 esac
 
-# use stored ec2 env variables
-if [ -f ./ec2rc ]; then
-    source ./ec2rc
-fi
-
 # allow local overrides of env variables
-if [ -f ./localrc ]; then
-    source ./localrc
+if [ -f $RC_DIR/localrc ]; then
+    source $RC_DIR/localrc
 fi
