Diffstat (limited to 'files/restore_default_OSP_policies_on_overcloud.sh')
-rwxr-xr-xfiles/restore_default_OSP_policies_on_overcloud.sh129
1 files changed, 129 insertions, 0 deletions
diff --git a/files/restore_default_OSP_policies_on_overcloud.sh b/files/restore_default_OSP_policies_on_overcloud.sh
new file mode 100755
index 0000000..845b5c7
--- /dev/null
+++ b/files/restore_default_OSP_policies_on_overcloud.sh
@@ -0,0 +1,129 @@
+#!/bin/bash
+# $Id$
+set -uf -o pipefail
+CTLR_LIST=""
+declare -A IP_LIST
+src_config=""
+dst_config=""
+sev1_backup=""
+svc_name=""
+declare -i restart_svc=0
+
+# This tool is used to push policies on the overcloud
+[ "$BASH" ] && function whence
+{
+ type -p "$@"
+}
+#
+TOP_DIR="$(cd $(/usr/bin/dirname $(whence -- $0 || echo $0));cd ..;pwd)"
+
+
+# Sanity checks
+if [ "x$(id -n -u)" = "xstack" ]; then
+ if [ -f ${HOME}/stackrc ]; then
+ stack_installed=OK
+ else
+ echo "(**) No ${HOME}/stackrc, exit!" ; exit 127
+ fi
+else
+ echo "(**) Not stack, exit!" ; exit 127
+fi
+
+if [ -r ${HOME}/overcloudrc ]; then
+ . ${HOME}/overcloudrc
+else
+ echo "(**) No ${HOME}/overcloudrc, exit!" ; exit 127
+fi
+
+for mydir in "${TOP_DIR}/etc" "${TOP_DIR}/etc/nova" "${TOP_DIR}/etc/neutron"
+do
+ if [ -d ${mydir} ]; then
+ echo "(II) Found directory ${mydir}..."
+ else
+ echo "(**) Directory ${mydir} not found! Exit!" ; exit 127
+ fi
+done
+
+# Obtain list of Controllers from nova (they will be running consoleauth)
+CTLR_LIST=$(nova host-list| awk '/consoleauth/ {split($2,a,".") ; print a[1]}'|xargs)
+if [ "x${CTLR_LIST}" != "x" ]; then
+ echo "(II) Found controller(s): ${CTLR_LIST}"
+else
+ echo "(**) Unable to find controllers running consoleauth!"; exit 127
+fi
+
+
+# Obtain IP addresses from Controllers
+. ${HOME}/stackrc
+for myctrl in ${CTLR_LIST}
+do
+ res=$(openstack server show -c addresses -f value ${myctrl}|sed -e 's/ctlplane=//g')
+ if [ "x${res}" != "x" ]; then
+ IP_LIST["${myctrl}"]="${res}"
+ fi
+done
+if [ ${#IP_LIST[@]} -gt 0 ]; then
+ echo "(II) Found this/these IP(s) for controller(s): ${IP_LIST[@]}"
+else
+ echo "(**) Unable to find controllers IP Addresses!"; exit 127
+fi
+
+# Inject Services...
+for myctrl in "${!IP_LIST[@]}"
+do
+ myip=${IP_LIST[${myctrl}]}
+ # Test controller
+ echo -n "(II) Testing ssh/sudo access to controller ${myctrl} (${myip}): "
+ ssh -q heat-admin@${myip} sudo -l|grep -q 'ALL.*NOPASSWD.*ALL'
+ if [ $? -ne 0 ]; then
+ echo "NOK" ; exit 127
+ else
+ echo "OK"
+ fi
+
+ for mysvc in aodh ceilometer cinder glance gnocchi heat ironic keystone manila mistral neutron nova sahara zaqar
+ do
+ dst_config="/etc/${mysvc}/policy.json"
+ sev1_backup="${dst_config}.pre-sevone"
+
+ # Restore backup, if already present, if not then just skip file..
+ ssh -q heat-admin@${myip} "sudo test -f ${sev1_backup}"
+ if [ $? -eq 0 ]; then
+
+ # Compare files and copy if necessary...
+ ssh -q heat-admin@${myip} "sudo cmp -s ${sev1_backup} ${dst_config}"
+ if [ $? -eq 0 ]; then
+ echo " (II) No update needed on ${myctrl}:${dst_config}"
+ else
+ # Overwrite service config file....
+ echo " (WW) Restoring ${myctrl}:${sev1_backup} to ${myctrl}:${dst_config} ..."
+ ssh -q heat-admin@${myip} "sudo /bin/cp -afv ${sev1_backup} ${dst_config}"
+
+ # Repairs permissions and SELinux context:
+ ssh -q heat-admin@${myip} "sudo chown root:${mysvc} ${dst_config} && sudo chmod 640 ${dst_config}"
+ ssh -q heat-admin@${myip} "sudo restorecon ${dst_config} 2>/dev/null"
+
+ # This is disabled by default as restarting services isn't necessary for policy.json updates.
+ if [ ${restart_svc} -eq 1 ]; then
+ # Restart service appropriately... Only 'neutron' does not have an 'openstack' prefix in its service name
+ case "${mysvc}" in
+ neutron)
+ svc_name="${mysvc}"
+ ;;
+ *)
+ svc_name="openstack-${mysvc}"
+ ;;
+ esac
+ echo -n " (WW) Restarting (systemctl) ${svc_name}-\* services on ${myctrl} ..."
+ ssh -q heat-admin@${myip} sudo systemctl restart "${svc_name}-\*" && echo OK
+ fi
+ fi
+ fi
+ done
+done
+
+if [ $? -eq 0 ]; then
+ echo "(II) ALL done."
+else
+ echo "(**) Failures seen, please check..."
+fi
\ No newline at end of file
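Review bot: The closing `if [ $? -eq 0 ]` only sees the exit status of the outer `for` loop, that is, of whatever ran last for the final service on the final controller, so a failed `cp`, `chown` or `chmod` on any earlier policy.json still ends with "(II) ALL done." None of the remote restore commands has its status checked and the script does not set `-e`, so a controller may be left with the non-default policy file, or with a restored file whose owner or mode was not repaired, while the run reports success. An ssh failure on the `test -f` step is likewise indistinguishable from "no backup present" and is skipped silently. I would count failures explicitly and test that counter at the end, as sketched below. The `2>/dev/null` on `restorecon` also deserves a comment saying why its errors are discarded.

```shell
declare -i failures=0
# … unchanged: sanity checks, controller discovery, ssh/sudo test, backup test and cmp …
        echo " (WW) Restoring ${myctrl}:${sev1_backup} to ${myctrl}:${dst_config} ..."
        ssh -q heat-admin@${myip} "sudo /bin/cp -afv ${sev1_backup} ${dst_config}" \
          || { echo " (**) Copy failed on ${myctrl}:${dst_config}"; failures+=1; }

        # Repairs permissions and SELinux context:
        ssh -q heat-admin@${myip} "sudo chown root:${mysvc} ${dst_config} && sudo chmod 640 ${dst_config}" \
          || { echo " (**) chown/chmod failed on ${myctrl}:${dst_config}"; failures+=1; }
# … unchanged: restorecon, optional service restart, end of both loops …
if [ ${failures} -eq 0 ]; then
```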