Install Nova into its own venv

Install a couple of optional feature prereqs in hypervisor plugins.

rootwrap is horribly called indirectly via PATH.  The choice, other than fixing
such nonsense, is to force the path in sudo.

TODO:
* python guestfs isn't in pypi, need to specifically install it to not
  use the distro package

Change-Id: Iad9a66d8a937fd0b0d1874005588c702e3d75e04
This commit is contained in:
Dean Troyer 2015-02-17 16:25:38 -06:00
parent 6aaad5f723
commit 4533eeec1f
4 changed files with 49 additions and 21 deletions

View File

@ -23,3 +23,4 @@ libffi-dev
libssl-dev # for pyOpenSSL libssl-dev # for pyOpenSSL
gettext # used for compiling message catalogs gettext # used for compiling message catalogs
openjdk-7-jre-headless # NOPRIME openjdk-7-jre-headless # NOPRIME
pkg-config

View File

@ -12,6 +12,7 @@ openssl-devel # to rebuild pyOpenSSL if needed
libffi-devel libffi-devel
libxml2-devel libxml2-devel
libxslt-devel libxslt-devel
pkgconfig
psmisc psmisc
pylint pylint
python-devel python-devel

View File

@ -32,9 +32,16 @@ set +o xtrace
# Set up default directories # Set up default directories
GITDIR["python-novaclient"]=$DEST/python-novaclient GITDIR["python-novaclient"]=$DEST/python-novaclient
NOVA_DIR=$DEST/nova NOVA_DIR=$DEST/nova
# Nova virtual environment
if [[ ${USE_VENV} = True ]]; then
PROJECT_VENV["nova"]=${NOVA_DIR}.venv
NOVA_BIN_DIR=${PROJECT_VENV["nova"]}/bin
else
NOVA_BIN_DIR=$(get_python_exec_prefix)
fi
NOVA_STATE_PATH=${NOVA_STATE_PATH:=$DATA_DIR/nova} NOVA_STATE_PATH=${NOVA_STATE_PATH:=$DATA_DIR/nova}
# INSTANCES_PATH is the previous name for this # INSTANCES_PATH is the previous name for this
NOVA_INSTANCES_PATH=${NOVA_INSTANCES_PATH:=${INSTANCES_PATH:=$NOVA_STATE_PATH/instances}} NOVA_INSTANCES_PATH=${NOVA_INSTANCES_PATH:=${INSTANCES_PATH:=$NOVA_STATE_PATH/instances}}
@ -69,16 +76,6 @@ NOVA_SERVICE_PROTOCOL=${NOVA_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
EC2_SERVICE_PORT=${EC2_SERVICE_PORT:-8773} EC2_SERVICE_PORT=${EC2_SERVICE_PORT:-8773}
EC2_SERVICE_PORT_INT=${EC2_SERVICE_PORT_INT:-18773} EC2_SERVICE_PORT_INT=${EC2_SERVICE_PORT_INT:-18773}
# Support entry points installation of console scripts
if [[ -d $NOVA_DIR/bin ]]; then
NOVA_BIN_DIR=$NOVA_DIR/bin
else
NOVA_BIN_DIR=$(get_python_exec_prefix)
fi
# Set the paths of certain binaries
NOVA_ROOTWRAP=$(get_rootwrap_location nova)
# Option to enable/disable config drive # Option to enable/disable config drive
# NOTE: Set FORCE_CONFIG_DRIVE="False" to turn OFF config drive # NOTE: Set FORCE_CONFIG_DRIVE="False" to turn OFF config drive
FORCE_CONFIG_DRIVE=${FORCE_CONFIG_DRIVE:-"always"} FORCE_CONFIG_DRIVE=${FORCE_CONFIG_DRIVE:-"always"}
@ -225,9 +222,11 @@ function cleanup_nova {
#fi #fi
} }
# Deploy new rootwrap filters files and configure sudo
# configure_nova_rootwrap() - configure Nova's rootwrap # configure_nova_rootwrap() - configure Nova's rootwrap
function configure_nova_rootwrap { function configure_nova_rootwrap {
# Deploy new rootwrap filters files (owned by root). nova_rootwrap=$NOVA_BIN_DIR/nova-rootwrap
# Wipe any existing rootwrap.d files first # Wipe any existing rootwrap.d files first
if [[ -d $NOVA_CONF_DIR/rootwrap.d ]]; then if [[ -d $NOVA_CONF_DIR/rootwrap.d ]]; then
sudo rm -rf $NOVA_CONF_DIR/rootwrap.d sudo rm -rf $NOVA_CONF_DIR/rootwrap.d
@ -242,14 +241,21 @@ function configure_nova_rootwrap {
sudo sed -e "s:^filters_path=.*$:filters_path=$NOVA_CONF_DIR/rootwrap.d:" -i $NOVA_CONF_DIR/rootwrap.conf sudo sed -e "s:^filters_path=.*$:filters_path=$NOVA_CONF_DIR/rootwrap.d:" -i $NOVA_CONF_DIR/rootwrap.conf
# Specify rootwrap.conf as first parameter to nova-rootwrap # Specify rootwrap.conf as first parameter to nova-rootwrap
local rootwrap_sudoer_cmd="$NOVA_ROOTWRAP $NOVA_CONF_DIR/rootwrap.conf *" local rootwrap_sudoer_cmd="$nova_rootwrap $NOVA_CONF_DIR/rootwrap.conf *"
# Set up the rootwrap sudoers for nova # Set up the rootwrap sudoers for nova
local tempfile=`mktemp` local tempfile=`mktemp`
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd" >$tempfile echo "Defaults:$STACK_USER secure_path=$NOVA_BIN_DIR:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" >$tempfile
echo "$STACK_USER ALL=(root) NOPASSWD: $rootwrap_sudoer_cmd" >>$tempfile
chmod 0440 $tempfile chmod 0440 $tempfile
sudo chown root:root $tempfile sudo chown root:root $tempfile
sudo mv $tempfile /etc/sudoers.d/nova-rootwrap sudo mv $tempfile /etc/sudoers.d/nova-rootwrap
# So rootwrap and PATH are broken beyond belief. WTF relies on a SECURE operation
# to blindly follow PATH??? We learned that was a bad idea in the 80's!
# So to fix this in a venv, we must exploit the very hole we want to close by dropping
# a copy of the venv rootwrap binary into /usr/local/bin.
#sudo cp -p $nova_rootwrap /usr/local/bin
} }
# configure_nova() - Set config files, create data dirs, etc # configure_nova() - Set config files, create data dirs, etc
@ -696,6 +702,10 @@ function start_nova_api {
service_protocol="http" service_protocol="http"
fi fi
# Hack to set the path for rootwrap
local old_path=$PATH
export PATH=$NOVA_BIN_DIR:$PATH
run_process n-api "$NOVA_BIN_DIR/nova-api" run_process n-api "$NOVA_BIN_DIR/nova-api"
echo "Waiting for nova-api to start..." echo "Waiting for nova-api to start..."
if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$SERVICE_HOST:$service_port; then if ! wait_for_service $SERVICE_TIMEOUT $service_protocol://$SERVICE_HOST:$service_port; then
@ -707,10 +717,16 @@ function start_nova_api {
start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
start_tls_proxy '*' $EC2_SERVICE_PORT $NOVA_SERVICE_HOST $EC2_SERVICE_PORT_INT & start_tls_proxy '*' $EC2_SERVICE_PORT $NOVA_SERVICE_HOST $EC2_SERVICE_PORT_INT &
fi fi
export PATH=$old_path
} }
# start_nova_compute() - Start the compute process # start_nova_compute() - Start the compute process
function start_nova_compute { function start_nova_compute {
# Hack to set the path for rootwrap
local old_path=$PATH
export PATH=$NOVA_BIN_DIR:$PATH
if is_service_enabled n-cell; then if is_service_enabled n-cell; then
local compute_cell_conf=$NOVA_CELLS_CONF local compute_cell_conf=$NOVA_CELLS_CONF
else else
@ -738,10 +754,16 @@ function start_nova_compute {
fi fi
run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf" run_process n-cpu "$NOVA_BIN_DIR/nova-compute --config-file $compute_cell_conf"
fi fi
export PATH=$old_path
} }
# start_nova() - Start running processes, including screen # start_nova() - Start running processes, including screen
function start_nova_rest { function start_nova_rest {
# Hack to set the path for rootwrap
local old_path=$PATH
export PATH=$NOVA_BIN_DIR:$PATH
local api_cell_conf=$NOVA_CONF local api_cell_conf=$NOVA_CONF
if is_service_enabled n-cell; then if is_service_enabled n-cell; then
local compute_cell_conf=$NOVA_CELLS_CONF local compute_cell_conf=$NOVA_CELLS_CONF
@ -769,6 +791,8 @@ function start_nova_rest {
# Swift will act as s3 objectstore. # Swift will act as s3 objectstore.
is_service_enabled swift3 || \ is_service_enabled swift3 || \
run_process n-obj "$NOVA_BIN_DIR/nova-objectstore --config-file $api_cell_conf" run_process n-obj "$NOVA_BIN_DIR/nova-objectstore --config-file $api_cell_conf"
export PATH=$old_path
} }
function start_nova { function start_nova {

View File

@ -21,14 +21,16 @@ DEBUG_LIBVIRT=$(trueorfalse False DEBUG_LIBVIRT)
function install_libvirt { function install_libvirt {
if is_ubuntu; then if is_ubuntu; then
install_package qemu-kvm install_package qemu-kvm
install_package libvirt-bin install_package libvirt-bin libvirt-dev
install_package python-libvirt pip_install libvirt-python
install_package python-guestfs install_package libguestfs0
#install_package python-guestfs
#pip_install <there-si-no-guestfs-in-pypi>
elif is_fedora || is_suse; then elif is_fedora || is_suse; then
install_package kvm install_package kvm
install_package libvirt install_package libvirt libvirt-devel
install_package libvirt-python pip_install libvirt-python
install_package python-libguestfs #install_package python-libguestfs
fi fi
# Restart firewalld after install of libvirt to avoid a problem # Restart firewalld after install of libvirt to avoid a problem