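#!/bin/bash
# $Id$
#
# This tool is used to push policies on the overcloud.
#
# This first part performs the local sanity checks and discovery:
#   1. must run as user 'stack' with ~/stackrc and ~/overcloudrc present;
#   2. the policy tree ${TOP_DIR}/etc must exist and every policy.json in it
#      must pass json_verify;
#   3. the controllers are listed from the overcloud (nova host-list) and
#      their ctlplane addresses are read from the undercloud
#      (openstack server show), filling IP_LIST for the push loop below.
#
# Every failed check prints a "(**)" message and exits with status 127.
set -uf -o pipefail

CTLR_LIST=""
declare -A IP_LIST=()
src_config=""
dst_config=""
sev1_backup=""
svc_name=""
declare -i restart_svc=0

# Print the given message and abort with the status used by all sanity checks.
fatal() {
  echo "$1"
  exit 127
}

# ksh-style 'whence' for bash: print the path the given command resolves to.
if [ -n "${BASH:-}" ]; then
  whence() {
    type -p "$@"
  }
fi

# Parent of the directory holding this script. The steps are chained with &&
# so that a failed cd yields an empty value instead of an unrelated directory;
# an empty TOP_DIR would make "${TOP_DIR}/etc" point at the local /etc.
TOP_DIR="$(cd "$(/usr/bin/dirname "$(whence -- "$0" || echo "$0")")" && cd .. && pwd)"
[ -n "${TOP_DIR}" ] || fatal "(**) Unable to determine top directory, exit!"

# Sanity checks
if [ "x$(id -n -u)" != "xstack" ]; then
  fatal "(**) Not stack, exit!"
fi
if [ ! -f "${HOME}/stackrc" ]; then
  fatal "(**) No ${HOME}/stackrc, exit!"
fi
if [ ! -r "${HOME}/overcloudrc" ]; then
  fatal "(**) No ${HOME}/overcloudrc, exit!"
fi
# Overcloud credentials: needed for 'nova host-list' further down.
. "${HOME}/overcloudrc"

for mydir in "${TOP_DIR}/etc" "${TOP_DIR}/etc/nova" "${TOP_DIR}/etc/neutron"; do
  if [ ! -d "${mydir}" ]; then
    fatal "(**) Directory ${mydir} not found! Exit!"
  fi
  echo "(II) Found directory ${mydir}..."
done

# Verify syntax, abort if error. A missing policy.json also ends up here,
# because the failed redirection makes the command return non-zero.
for mysvc in aodh ceilometer cinder glance gnocchi heat ironic keystone manila mistral neutron nova sahara zaqar; do
  src_config="${TOP_DIR}/etc/${mysvc}/policy.json"
  if ! json_verify -q < "${src_config}"; then
    fatal "Testing JSON syntax of ${src_config} failed!!"
  fi
done

# Obtain list of Controllers from nova (they will be running consoleauth).
# awk keeps the short host name (text before the first dot) and xargs joins
# the names onto one space-separated line.
CTLR_LIST=$(nova host-list | awk '/consoleauth/ {split($2,a,".") ; print a[1]}' | xargs)
if [ "x${CTLR_LIST}" = "x" ]; then
  fatal "(**) Unable to find controllers running consoleauth!"
fi
echo "(II) Found controller(s): ${CTLR_LIST}"

# Obtain IP addresses from Controllers (undercloud credentials from here on).
. "${HOME}/stackrc"

# The address is later placed in ssh/rsync targets, so accept only a single
# bare address token; anything else (several addresses, another output
# format) is skipped with a warning instead of being handed to ssh.
addr_re='^[0-9A-Fa-f.:]+$'

# CTLR_LIST is a space-separated list, so word splitting is intended here;
# 'set -f' above keeps the names from being glob-expanded.
# shellcheck disable=SC2086
for myctrl in ${CTLR_LIST}; do
  res=$(openstack server show -c addresses -f value "${myctrl}" | sed -e 's/ctlplane=//g')
  if [ "x${res}" = "x" ]; then
    continue
  fi
  if [[ ! "${res}" =~ ${addr_re} ]]; then
    echo "(WW) Ignoring unexpected address value for ${myctrl}: ${res}"
    continue
  fi
  IP_LIST["${myctrl}"]="${res}"
done

if [ "${#IP_LIST[@]}" -eq 0 ]; then
  fatal "(**) Unable to find controllers IP Addresses!"
fi
echo "(II) Found this/these IP(s) for controller(s): ${IP_LIST[*]}"

# Inject Services...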
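# Push the policy files to every controller in IP_LIST.
#
# For each controller: check ssh and passwordless sudo, rsync ${TOP_DIR}/etc
# into /home/heat-admin, then for each service back up the live policy.json
# once (as policy.json.pre-sevone) and replace it when it differs from the
# staged copy.
#
# Failed steps are counted explicitly. The exit status of a 'for' loop is only
# that of the last command it ran, so testing $? after 'done' cannot tell
# whether an earlier copy failed. The script ends with status 1 when any step
# failed.
#
# The remote command strings are built only from the fixed service list
# below, so no externally supplied text reaches the remote shell.
declare -i failures=0

for myctrl in "${!IP_LIST[@]}"; do
  myip=${IP_LIST[${myctrl}]}
  remote="heat-admin@${myip}"

  # Test controller. The sudo listing is captured first and matched
  # afterwards: with 'pipefail' set, 'ssh | grep -q' can report a failure when
  # grep exits on its first match while ssh is still writing.
  echo -n "(II) Testing ssh/sudo access to controller ${myctrl} (${myip}): "
  if sudo_rules=$(ssh -q "${remote}" sudo -l) \
    && grep -q 'ALL.*NOPASSWD.*ALL' <<<"${sudo_rules}"; then
    echo "OK"
  else
    echo "NOK"
    exit 127
  fi

  # Stage the policy tree in the unprivileged home directory; the privileged
  # copy into /etc happens per file below.
  if ! rsync -a "${TOP_DIR}/etc" "${remote}:/home/heat-admin"; then
    echo "(**) rsync of ${TOP_DIR}/etc to ${myctrl} failed, skipping this controller"
    failures=$((failures + 1))
    continue
  fi

  for mysvc in aodh ceilometer cinder glance gnocchi heat ironic keystone manila mistral neutron nova sahara zaqar; do
    src_config="/home/heat-admin/etc/${mysvc}/policy.json"
    dst_config="/etc/${mysvc}/policy.json"
    sev1_backup="${dst_config}.pre-sevone"

    # Take a backup, if not present already. When the backup cannot be
    # written, the live file is left untouched so the original policy is
    # never overwritten without a copy to roll back to.
    if ! ssh -q "${remote}" "sudo test -f ${sev1_backup}"; then
      if ssh -q "${remote}" "sudo test -f ${dst_config}"; then
        if ! ssh -q "${remote}" "sudo /bin/cp -afv ${dst_config} ${sev1_backup}"; then
          echo "  (**) Backup of ${myctrl}:${dst_config} failed, not updating it"
          failures=$((failures + 1))
          continue
        fi
      fi
    fi

    # Compare files and copy if necessary...
    if ssh -q "${remote}" "sudo cmp -s ${src_config} ${dst_config}"; then
      echo " (II) No update needed on ${myctrl}:${dst_config}"
      continue
    fi

    # Overwrite service config file....
    echo " (WW) Updating ${myctrl}:${dst_config} with ${src_config}..."
    if ! ssh -q "${remote}" "sudo /bin/cp -f ${src_config} ${dst_config}"; then
      echo "  (**) Copy to ${myctrl}:${dst_config} failed"
      failures=$((failures + 1))
      continue
    fi

    # Repairs permissions and SELinux context: policy.json holds the
    # service's API access rules, so it is owned by root, readable by the
    # service group only and not world-readable.
    if ! ssh -q "${remote}" "sudo chown root:${mysvc} ${dst_config} && sudo chmod 640 ${dst_config}"; then
      echo "  (**) Fixing ownership/mode of ${myctrl}:${dst_config} failed"
      failures=$((failures + 1))
    fi
    # Best effort, as in the original: errors are discarded and the result
    # is not counted.
    ssh -q "${remote}" "sudo restorecon ${dst_config} 2>/dev/null"

    # This is disabled by default as restarting services isn't necessary for policy.json updates.
    if [ "${restart_svc}" -eq 1 ]; then
      # Restart service appropriately... Only 'neutron' does not have an 'openstack' prefix in its service name
      case "${mysvc}" in
        neutron)
          svc_name="${mysvc}"
          ;;
        *)
          svc_name="openstack-${mysvc}"
          ;;
      esac
      echo -n " (WW) Restarting (systemctl) ${svc_name}-\* services on ${myctrl} ..."
      # The backslash keeps the remote shell from expanding '*', so systemctl
      # receives the pattern itself.
      if ssh -q "${remote}" sudo systemctl restart "${svc_name}-\*"; then
        echo OK
      else
        echo NOK
        failures=$((failures + 1))
      fi
    fi
  done
done

if [ "${failures}" -eq 0 ]; then
  echo "(II) ALL done."
else
  echo "(**) Failures seen, please check..."
  exit 1
fi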