#!/bin/bash
# $Id$
# -u: unset variables are errors; -f: no globbing (paths are used verbatim);
# pipefail: a failing command anywhere in a pipeline fails the pipeline.
set -uf -o pipefail

# Controller short hostnames (space separated) as reported by nova, and the
# ctlplane IP address of each one, keyed by hostname.
CTLR_LIST=""
declare -A IP_LIST

# Per-service scratch variables reused by the push loop.
src_config="" dst_config="" sev1_backup="" svc_name=""

# Service restarts are off by default (a policy.json change does not need one);
# set to 1 to restart the matching systemd units after an update.
declare -i restart_svc=0

# This tool is used to push policies on the overcloud
if [ "$BASH" ]; then
	#######################################
	# ksh-style 'whence': resolve a command name to its path.
	# Only defined when running under bash (ksh has it built in).
	# Arguments: command name(s), optionally after '--'
	# Outputs:   the resolved path(s), as 'type -p' prints them
	# Returns:   the exit status of 'type -p'
	#######################################
	whence() {
		type -p "$@"
	}
fi
#
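# TOP_DIR is the directory above this script; the policy tree is expected under
# ${TOP_DIR}/etc/<service>/policy.json. Resolve $0 through whence so a PATH-relative
# invocation still works, and abort if the cd fails: the original chain would have
# silently returned the parent of the *current* directory instead.
script_path=$(whence -- "$0" || echo "$0")
TOP_DIR="$(cd "$(/usr/bin/dirname "${script_path}")/.." && pwd)" || { echo "(**) Cannot determine TOP_DIR from ${script_path}, exit!" ; exit 127; }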


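# Sanity checks: this must run as the 'stack' user, whose home holds the two
# credential files used below (stackrc for the server lookups, overcloudrc for
# the nova host list). Paths are quoted so a HOME containing spaces cannot
# split into several words.
if [ "x$(id -n -u)" = "xstack" ]; then
	if [ -f "${HOME}/stackrc" ]; then
		stack_installed=OK
	else
		echo "(**) No ${HOME}/stackrc, exit!" ; exit 127
	fi
else
	echo "(**) Not stack, exit!" ; exit 127
fi

# Load the overcloud credentials. Sourcing executes the file, which is why it is
# only ever read from the current user's own home directory.
if [ -r "${HOME}/overcloudrc" ]; then
	. "${HOME}/overcloudrc"
else
	echo "(**) No ${HOME}/overcloudrc, exit!" ; exit 127
fi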

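# The local policy tree must exist before anything is pushed; nova and neutron
# are checked explicitly as the minimum expected layout. Quoted so a TOP_DIR
# with spaces is still tested as one path.
for mydir in "${TOP_DIR}/etc" "${TOP_DIR}/etc/nova" "${TOP_DIR}/etc/neutron"
do
	if [ -d "${mydir}" ]; then
		echo "(II) Found directory ${mydir}..."
	else
		echo "(**) Directory ${mydir} not found! Exit!" ; exit 127
	fi
done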

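# Verify syntax, abort if error.. A missing/unreadable file and a missing
# json_verify binary are reported as such, instead of both showing up as a
# "syntax failed" message (the old check only looked at $?, which is 127 for a
# command that is not installed).
command -v json_verify >/dev/null || { echo "(**) json_verify not found in PATH, exit!" ; exit 127; }
for mysvc in aodh ceilometer cinder glance gnocchi heat ironic keystone manila mistral neutron nova sahara zaqar
do
	src_config="${TOP_DIR}/etc/${mysvc}/policy.json"
	if [ ! -r "${src_config}" ]; then
		echo "(**) Cannot read ${src_config}, exit!" ; exit 127
	fi
	if ! json_verify -q < "${src_config}"; then
		echo "Testing JSON syntax of ${src_config} failed!!" ; exit 127
	fi
done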

# Obtain list of Controllers from nova (they will be running consoleauth)
# For every host-list row mentioning consoleauth, keep the second field cut at
# its first '.', i.e. the short hostname; xargs joins them on one line.
CTLR_LIST=$(nova host-list | awk '/consoleauth/ {split($2,a,".") ; print a[1]}' | xargs)
if [ -z "${CTLR_LIST}" ]; then
	echo "(**) Unable to find controllers running consoleauth!"; exit 127
fi
echo "(II) Found controller(s): ${CTLR_LIST}"


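# Obtain IP addresses from Controllers. The controllers are looked up as servers
# with the stackrc credentials; 'addresses' prints "ctlplane=<ip>", so the
# network name is stripped. A controller whose address cannot be found is now
# reported instead of being dropped silently (it would otherwise keep stale
# policies without any hint in the output).
. "${HOME}/stackrc"
for myctrl in ${CTLR_LIST}
do
	res=$(openstack server show -c addresses -f value "${myctrl}" | sed -e 's/ctlplane=//g')
	if [ -n "${res}" ]; then
		IP_LIST["${myctrl}"]="${res}"
	else
		echo "(WW) No IP address found for controller ${myctrl}, it will be skipped!"
	fi
done
if [ "${#IP_LIST[@]}" -gt 0 ]; then
	echo "(II) Found this/these IP(s) for controller(s): ${IP_LIST[*]}"
else
	echo "(**) Unable to find controllers IP Addresses!"; exit 127
fi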

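# Inject Services...
# For each controller found above: confirm passwordless sudo over ssh, stage the
# policy tree under heat-admin's home, then per service keep a one-time backup
# of the live policy.json and overwrite it only when it differs from the staged
# copy. Problems with one service/controller are counted in 'failures' and the
# run moves on; the final status and exit code reflect that counter. The old
# "if [ $? -eq 0 ]" after the loop only saw the last command of the last
# iteration, so failures in the middle were reported as "ALL done".
declare -i failures=0

#######################################
# Run a command on a controller as heat-admin.
# Arguments: $1 - controller IP; the rest - command line handed to ssh
# Returns:   ssh's exit status, i.e. the remote command's status
#######################################
ctl_ssh() {
	local ip=$1
	shift
	# BatchMode: fail instead of hanging on a password/passphrase prompt.
	ssh -q -o BatchMode=yes "heat-admin@${ip}" "$@"
}

for myctrl in "${!IP_LIST[@]}"
do
	myip=${IP_LIST[${myctrl}]}
	# Test controller: everything below runs through sudo without a password.
	echo -n "(II) Testing ssh/sudo access to controller ${myctrl} (${myip}): "
	if ctl_ssh "${myip}" sudo -l | grep -q 'ALL.*NOPASSWD.*ALL'; then
		echo "OK"
	else
		echo "NOK" ; exit 127
	fi

	# Stage the policy tree. If this fails every cmp below would report a
	# difference and every cp would fail, so skip the controller rather than
	# half-update it.
	if ! rsync -a "${TOP_DIR}/etc" "heat-admin@${myip}:/home/heat-admin"; then
		echo "(**) rsync of ${TOP_DIR}/etc to ${myctrl} failed, skipping this controller!"
		failures+=1
		continue
	fi

	for mysvc in aodh ceilometer cinder glance gnocchi heat ironic keystone manila mistral neutron nova sahara zaqar
	do
		src_config="/home/heat-admin/etc/${mysvc}/policy.json"
		dst_config="/etc/${mysvc}/policy.json"
		sev1_backup="${dst_config}.pre-sevone"

		# Take a backup, if not present already.. It is never overwritten, so it
		# always holds the file from before the first push. If the backup cannot
		# be taken the live file is left alone.
		if ! ctl_ssh "${myip}" "sudo test -f ${sev1_backup}"; then
			echo "  (II) Taking a backup of ${dst_config} as ${sev1_backup}"
			if ctl_ssh "${myip}" "sudo test -f ${dst_config}" \
				&& ! ctl_ssh "${myip}" "sudo /bin/cp -afx ${dst_config} ${sev1_backup}"; then
				echo "  (**) Backup of ${myctrl}:${dst_config} failed, leaving it untouched!"
				failures+=1
				continue
			fi
		fi

		# Compare files and copy if necessary...
		if ctl_ssh "${myip}" "sudo cmp -s ${src_config} ${dst_config}"; then
			echo "  (II) No update needed on ${myctrl}:${dst_config}"
			continue
		fi

		# Overwrite service config file....
		echo "  (WW) Updating ${myctrl}:${dst_config} with ${src_config}..."
		if ! ctl_ssh "${myip}" "sudo /bin/cp -f ${src_config} ${dst_config}"; then
			echo "  (**) Copy to ${myctrl}:${dst_config} failed!"
			failures+=1
			continue
		fi

		# Repairs permissions and SELinux context: root:<service> and 0640, so the
		# file is readable by the service but not by other local users.
		if ! ctl_ssh "${myip}" "sudo chown root:${mysvc} ${dst_config} && sudo chmod 640 ${dst_config}"; then
			echo "  (**) Fixing ownership/mode of ${myctrl}:${dst_config} failed!"
			failures+=1
		fi
		ctl_ssh "${myip}" "sudo restorecon ${dst_config} 2>/dev/null"

		# This is disabled by default as restarting services isn't necessary for policy.json updates.
		if [ "${restart_svc}" -eq 1 ]; then
			# Restart service appropriately... Only 'neutron' does not have an 'openstack' prefix in its service name
			case "${mysvc}" in
				neutron)
					svc_name="${mysvc}"
					;;
				*)
					svc_name="openstack-${mysvc}"
					;;
			esac
			# The escaped '*' survives the local quoting and reaches the remote shell,
			# which hands systemctl the unit-name pattern.
			echo -n "  (WW) Restarting (systemctl) ${svc_name}-\* services on ${myctrl} ..."
			if ctl_ssh "${myip}" sudo systemctl restart "${svc_name}-\*"; then
				echo OK
			else
				echo NOK
				failures+=1
			fi
		fi
	done
done

# Overall status, driven by the counter kept above; exit non-zero so a caller
# (cron, a wrapper) can tell a partial push from a clean one.
if [ "${failures}" -eq 0 ]; then
	echo "(II) ALL done."
else
	echo "(**) Failures seen, please check..."
	exit 1
fi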