nixos/glance: init at liberty version

This commit is based on initial work by domenkozar.

+282
+2
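--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -281,6 +281,7 @@
     riak-cs = 263;
     infinoted = 264;
     keystone = 265;
+    glance = 266;
 
     # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -532,6 +533,7 @@
     riak-cs = 263;
     infinoted = 264;
     keystone = 265;
+    glance = 266;
 
     # When adding a gid, make sure it doesn't match an existing
     # uid. Users and groups with the same name should have equal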
+1
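--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -632,4 +632,5 @@
   ./virtualisation/xen-dom0.nix
   ./virtualisation/xe-guest-utilities.nix
   ./virtualisation/openstack/keystone.nix
+  ./virtualisation/openstack/glance.nix
 ]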
+30
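--- a/nixos/modules/virtualisation/openstack/common.nix
+++ b/nixos/modules/virtualisation/openstack/common.nix
@@ -51,4 +51,34 @@
     };
   };});
   };
+
+  databaseOption = name: {
+    host = mkOption {
+      type = types.str;
+      default = "localhost";
+      description = ''
+        Host of the database.
+      '';
+    };
+
+    name = mkOption {
+      type = types.str;
+      default = name;
+      description = ''
+        Name of the existing database.
+      '';
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = name;
+      description = ''
+        The database user. The user must exist and has access to
+        the specified database.
+      '';
+    };
+    password = mkSecretOption {
+      name = name + "MysqlPassword";
+      description = "The database user's password";};
+  };
 }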
+249
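--- /dev/null
+++ b/nixos/modules/virtualisation/openstack/glance.nix
@@ -0,0 +1,249 @@
+{ config, lib, pkgs, ... }:
+
+with lib; with import ./common.nix {inherit lib;};
+
+let
+  cfg = config.virtualisation.openstack.glance;
+  commonConf = ''
+    [database]
+    connection = "mysql://${cfg.database.user}:${cfg.database.password.pattern}@${cfg.database.host}/${cfg.database.name}"
+    notification_driver = noop
+
+    [keystone_authtoken]
+    auth_url = ${cfg.authUrl}
+    auth_plugin = password
+    project_name = service
+    project_domain_id = default
+    user_domain_id = default
+    username = ${cfg.serviceUsername}
+    password = ${cfg.servicePassword.pattern}
+
+    [glance_store]
+    default_store = file
+    filesystem_store_datadir = /var/lib/glance/images/
+  '';
+  glanceApiConfTpl = pkgs.writeText "glance-api.conf" ''
+    ${commonConf}
+
+    [paste_deploy]
+    flavor = keystone
+    config_file = ${cfg.package}/etc/glance-api-paste.ini
+  '';
+  glanceRegistryConfTpl = pkgs.writeText "glance-registry.conf" ''
+    ${commonConf}
+
+    [paste_deploy]
+    config_file = ${cfg.package}/etc/glance-registry-paste.ini
+  '';
+  glanceApiConf = "/var/lib/glance/glance-api.conf";
+  glanceRegistryConf = "/var/lib/glance/glance-registry.conf";
+
+in {
+  options.virtualisation.openstack.glance = {
+    package = mkOption {
+      type = types.package;
+      example = literalExample "pkgs.glance";
+      description = ''
+        Glance package to use.
+      '';
+    };
+
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        This option enables Glance as a single-machine
+        installation. That is, all of Glance's components are
+        enabled on this machine. This is useful for evaluating and
+        experimenting with Glance. Note we are currently not
+        providing any configurations for a multi-node setup.
+      '';
+    };
+
+    authUrl = mkOption {
+      type = types.str;
+      default = http://localhost:5000;
+      description = ''
+        Complete public Identity (Keystone) API endpoint. Note this is
+        unversionned.
+      '';
+    };
+
+    serviceUsername = mkOption {
+      type = types.str;
+      default = "glance";
+      description = ''
+        The Glance service username. This user is created if bootstrap
+        is enable, otherwise it has to be manually created before
+        starting this service.
+      '';
+    };
+
+    servicePassword = mkSecretOption {
+      name = "glanceAdminPassword";
+      description = ''
+        The Glance service user's password.
+      '';
+    };
+
+    database = databaseOption "glance";
+
+    bootstrap = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Bootstrap the Glance service by creating the service tenant,
+          an admin account and a public endpoint. This option provides
+          a ready-to-use glance service. This is only done at the
+          first Glance execution by the systemd post start section.
+          The keystone admin account is used to create required
+          Keystone resource for the Glance service.
+
+          <note><para> This option is a helper for setting up
+          development or testing environments.</para></note>
+        '';
+      };
+
+      endpointPublic = mkOption {
+        type = types.str;
+        default = "http://localhost:9292";
+        description = ''
+          The public image endpoint. The link <link
+          xlink:href="http://docs.openstack.org/liberty/install-guide-rdo/keystone-services.html">
+          create endpoint</link> provides more informations
+          about that.
+        '';
+      };
+
+      keystoneAdminUsername = mkOption {
+        type = types.str;
+        default = "admin";
+        description = ''
+          The keystone admin user name used to create the Glance account.
+        '';
+      };
+
+      keystoneAdminPassword = mkSecretOption {
+        name = "keystoneAdminPassword";
+        description = ''
+          The keystone admin user's password.
+        '';
+      };
+
+      keystoneAdminTenant = mkOption {
+        type = types.str;
+        default = "admin";
+        description = ''
+          The keystone admin tenant used to create the Glance account.
+        '';
+      };
+      keystoneAuthUrl = mkOption {
+        type = types.str;
+        default = "http://localhost:5000/v2.0";
+        description = ''
+          The keystone auth url used to create the Glance account.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Note: when changing the default, make it conditional on
+    # ‘system.stateVersion’ to maintain compatibility with existing
+    # systems!
+    virtualisation.openstack.glance.package = mkDefault pkgs.glance;
+
+    users.extraUsers = [{
+      name = "glance";
+      group = "glance";
+      uid = config.ids.gids.glance;
+
+    }];
+    users.extraGroups = [{
+      name = "glance";
+      gid = config.ids.gids.glance;
+    }];
+
+    systemd.services.glance-registry = {
+      description = "OpenStack Glance Registry Daemon";
+      after = [ "network.target"];
+      path = [ pkgs.curl pkgs.pythonPackages.keystoneclient pkgs.gawk ];
+      wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -m 775 -p /var/lib/glance/{images,scrubber,image_cache}
+        chown glance:glance /var/lib/glance/{images,scrubber,image_cache}
+
+        # Secret file managment
+        cp ${glanceRegistryConfTpl} ${glanceRegistryConf};
+        chown glance:glance ${glanceRegistryConf};
+        chmod 640 ${glanceRegistryConf}
+        ${replaceSecret cfg.database.password glanceRegistryConf}
+        ${replaceSecret cfg.servicePassword glanceRegistryConf}
+
+        cp ${glanceApiConfTpl} ${glanceApiConf};
+        chown glance:glance ${glanceApiConf};
+        chmod 640 ${glanceApiConf}
+        ${replaceSecret cfg.database.password glanceApiConf}
+        ${replaceSecret cfg.servicePassword glanceApiConf}
+
+        # Initialise the database
+        ${cfg.package}/bin/glance-manage --config-file=${glanceApiConf} --config-file=${glanceRegistryConf} db_sync
+      '';
+      postStart = ''
+        set -eu
+        export OS_AUTH_URL=${cfg.bootstrap.keystoneAuthUrl}
+        export OS_USERNAME=${cfg.bootstrap.keystoneAdminUsername}
+        export OS_PASSWORD=${getSecret cfg.bootstrap.keystoneAdminPassword}
+        export OS_TENANT_NAME=${cfg.bootstrap.keystoneAdminTenant}
+
+        # Wait until the keystone is available for use
+        count=0
+        while ! keystone user-get ${cfg.bootstrap.keystoneAdminUsername} > /dev/null
+        do
+          if [ $count -eq 30 ]
+          then
+            echo "Tried 30 times, giving up..."
+            exit 1
+          fi
+
+          echo "Keystone not yet started. Waiting for 1 second..."
+          count=$((count++))
+          sleep 1
+        done
+
+        # If the service glance doesn't exist, we consider glance is
+        # not initialized
+        if ! keystone service-get glance
+        then
+          keystone service-create --type image --name glance
+          ID=$(keystone service-get glance | awk '/ id / { print $4 }')
+          keystone endpoint-create --region RegionOne --service $ID --internalurl http://localhost:9292 --adminurl http://localhost:9292 --publicurl ${cfg.bootstrap.endpointPublic}
+
+          keystone user-create --name ${cfg.serviceUsername} --tenant service --pass ${getSecret cfg.servicePassword}
+          keystone user-role-add --tenant service --user ${cfg.serviceUsername} --role admin
+        fi
+      '';
+      serviceConfig = {
+        PermissionsStartOnly = true; # preStart must be run as root
+        TimeoutStartSec = "600"; # 10min for initial db migrations
+        User = "glance";
+        Group = "glance";
+        ExecStart = "${cfg.package}/bin/glance-registry --config-file=${glanceRegistryConf}";
+      };
+    };
+    systemd.services.glance-api = {
+      description = "OpenStack Glance API Daemon";
+      after = [ "glance-registry.service" "network.target"];
+      requires = [ "glance-registry.service" "network.target"];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        PermissionsStartOnly = true; # preStart must be run as root
+        User = "glance";
+        Group = "glance";
+        ExecStart = "${cfg.package}/bin/glance-api --config-file=${glanceApiConf}";
+      };
+    };
+  };
+
+}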
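Review bot: The `bootstrap.enable` option declared at new line 92 is never consulted in the `config` section, so the `postStart` script starting at line 193 always performs the Keystone bootstrap (and always needs the `keystoneAdminPassword` secret) even when bootstrap is disabled; guarding it with `postStart = optionalString cfg.bootstrap.enable ''` restores the documented behaviour. The retry counter at line 211, `count=$((count++))`, assigns the pre-increment value back to `count`, so it stays at 0 and the "Tried 30 times" exit at line 204 is unreachable; `count=$((count + 1))` is the intended form, and until then the wait is presumably bounded only by the unit's `TimeoutStartSec`. At line 223 the service user's password is passed as a command-line argument via `--pass ${getSecret cfg.servicePassword}`, which exposes it in the process argument list to any local user while the command runs, unlike the admin credential that is exported through `OS_PASSWORD`; passing it through a non-argument channel would be preferable. Line 160 sets the user's `uid` from `config.ids.gids.glance`; this should read `config.ids.uids.glance`, and only works today because the ids.nix change assigns the same value to both.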