Clean up stale ceph keyring

[cbjchen,r=]
Clean up the keyring after ceph relation is broken. So when next
time ceph relation is joined, ensure_ceph_keyring will not ignore
the new key because of the existance of the old one.

.pydevproject

@@ -3,7 +3,7 @@
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python 2.7</pydev_property>
 <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
 <pydev_pathproperty name="org.python.pydev.PROJECT_SOURCE_PATH">
-<path>/nova-compute/hooks</path>
-<path>/nova-compute/unit_tests</path>
+<path>/nova-compute-charm/hooks</path>
+<path>/nova-compute-charm/unit_tests</path>
 </pydev_pathproperty>
 </pydev_project>

hooks/nova_compute_hooks.py

@@ -34,6 +34,7 @@ from charmhelpers.contrib.storage.linux.ceph import (
     ensure_ceph_keyring,
     CephBrokerRq,
     CephBrokerRsp,
+    delete_keyring,
 )
 from charmhelpers.payload.execd import execd_preinstall
 from nova_compute_utils import (
@@ -282,8 +283,14 @@ def ceph_changed():
                 log("Request(s) sent to Ceph broker (rid=%s)" % (rid))
 
 
+@hooks.hook('ceph-relation-broken')
+def ceph_broken():
+    service = service_name()
+    delete_keyring(service=service)
+    CONFIGS.write_all()
+
+
 @hooks.hook('amqp-relation-broken',
-            'ceph-relation-broken',
             'image-service-relation-broken',
             'shared-db-relation-broken',
             'pgsql-db-relation-broken')

hooks/nova_compute_utils.py

@@ -23,7 +23,8 @@ from charmhelpers.core.hookenv import (
     related_units,
     relation_ids,
     relation_get,
-    DEBUG
+    DEBUG,
+    INFO 
 )
 
 from charmhelpers.contrib.openstack.neutron import neutron_plugin_attribute
@@ -448,9 +449,15 @@ def import_keystone_ca_cert():
 def create_libvirt_secret(secret_file, secret_uuid, key):
     uri = LIBVIRT_URIS[config('virt-type')]
     if secret_uuid in check_output(['virsh', '-c', uri, 'secret-list']):
-        log('Libvirt secret already exists for uuid %s.' % secret_uuid,
-            level=DEBUG)
-        return
+        old_key = check_output(['virsh', '-c', uri, 'secret-get-value',
+                                secret_uuid])
+        if old_key == key:
+            log('Libvirt secret already exists for uuid %s.' % secret_uuid,
+                level=DEBUG)
+            return
+        else:
+            log('Libvirt secret changed for uuid %s.' % secret_uuid,
+                level=INFO)
     log('Defining new libvirt secret for uuid %s.' % secret_uuid)
     cmd = ['virsh', '-c', uri, 'secret-define', '--file', secret_file]
     check_call(cmd)

unit_tests/test_nova_compute_utils.py

@@ -1,6 +1,7 @@
 import itertools
 import tempfile
 
+import nova_compute_context as compute_context
 import nova_compute_utils as utils
 
 from mock import (
@@ -322,3 +323,55 @@ class NovaComputeUtilsTests(CharmTestCase):
         utils.disable_shell('dummy')
         _check_call.assert_called_with(['usermod', '-s', '/bin/false',
                                         'dummy'])
+
+    @patch.object(utils, 'check_call')
+    @patch.object(utils, 'check_output')
+    def test_create_libvirt_key(self, _check_output, _check_call):
+        key = 'AQCR2dRUaFQSOxAAC5fr79sLL3d7wVvpbbRFMg=='
+        self.test_config.set('virt-type', 'kvm')
+        utils.create_libvirt_secret(utils.CEPH_SECRET,
+                                    compute_context.CEPH_SECRET_UUID, key)
+        _check_output.assert_called_with(['virsh', '-c',
+                                          utils.LIBVIRT_URIS['kvm'],
+                                          'secret-list'])
+        _check_call.assert_called_with(['virsh', '-c',
+                                        utils.LIBVIRT_URIS['kvm'],
+                                        'secret-set-value', '--secret',
+                                        compute_context.CEPH_SECRET_UUID,
+                                        '--base64', key])
+
+    @patch.object(utils, 'check_call')
+    @patch.object(utils, 'check_output')
+    def test_create_libvirt_key_existing(self, _check_output, _check_call):
+        key = 'AQCR2dRUaFQSOxAAC5fr79sLL3d7wVvpbbRFMg=='
+        self.test_config.set('virt-type', 'kvm')
+        _check_output.side_effect = [compute_context.CEPH_SECRET_UUID, key]
+        utils.create_libvirt_secret(utils.CEPH_SECRET,
+                                    compute_context.CEPH_SECRET_UUID, key)
+        expected = [call(['virsh', '-c',
+                          utils.LIBVIRT_URIS['kvm'], 'secret-list']),
+                    call(['virsh', '-c',
+                          utils.LIBVIRT_URIS['kvm'], 'secret-get-value',
+                          compute_context.CEPH_SECRET_UUID])]
+        _check_output.assert_has_calls(expected)
+
+    @patch.object(utils, 'check_call')
+    @patch.object(utils, 'check_output')
+    def test_create_libvirt_key_stale(self, _check_output, _check_call):
+        key = 'AQCR2dRUaFQSOxAAC5fr79sLL3d7wVvpbbRFMg=='
+        old_key = 'CCCCCdRUaFQSOxAAC5fr79sLL3d7wVvpbbRFMg=='
+        self.test_config.set('virt-type', 'kvm')
+        _check_output.side_effect = [compute_context.CEPH_SECRET_UUID, old_key]
+        utils.create_libvirt_secret(utils.CEPH_SECRET,
+                                    compute_context.CEPH_SECRET_UUID, key)
+        expected = [call(['virsh', '-c',
+                          utils.LIBVIRT_URIS['kvm'], 'secret-list']),
+                    call(['virsh', '-c',
+                          utils.LIBVIRT_URIS['kvm'], 'secret-get-value',
+                          compute_context.CEPH_SECRET_UUID])]
+        _check_output.assert_has_calls(expected)
+        _check_call.assert_any_call(['virsh', '-c',
+                                     utils.LIBVIRT_URIS['kvm'],
+                                     'secret-set-value', '--secret',
+                                     compute_context.CEPH_SECRET_UUID,
+                                     '--base64', key])