Add dockerfiles for keystone fernet

This adds the docker aspects of fernet key bootstrapping as well as
distributed key rotation.

- Bootstrapping is handled in the same way as keystone bootstrap.
- A new keystone-fernet and keystone-ssh container is created to allow
  the nodes to communicate with each other (taken from nova-ssh).
- The keystone-fernet is a keystone container with crontab installed.
  This will handle key rotations through keystone-manage and trigger
  an rsync to push new tokens to other nodes.

The Ansible component is implemented in:
  https://review.openstack.org/#/c/349366

Change-Id: Id610e00e8c63c7f1bc0974c0aa1b3f44c18e1019
Partially-Implements: blueprint keystone-fernet-token
Partially-Implements: blueprint third-party-plugin-support
This commit is contained in:
Shaun Smekel 2016-08-05 07:44:42 +10:00
parent 1e222274e1
commit 524868c632
11 changed files with 230 additions and 23 deletions

View File

@ -1,34 +1,32 @@
FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
MAINTAINER {{ maintainer }}
{% import "macros.j2" as macros with context %}
{% if install_type == 'binary' %}
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
{% set keystone_packages = [
'openstack-keystone',
{% set keystone_base_packages = [
'openstack-keystone',
'python-keystoneclient',
'httpd',
'mod_wsgi',
'python-ldappool'
] %}
{{ macros.install_packages(keystone_packages | customizable("packages")) }}
{{ macros.install_packages(keystone_base_packages | customizable("packages")) }}
RUN mkdir -p /var/www/cgi-bin/keystone \
&& cp -a /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/main \
&& cp -a /usr/share/keystone/keystone.wsgi /var/www/cgi-bin/keystone/admin \
&& sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
{% elif base_distro in ['ubuntu'] %}
{% set keystone_packages = [
{% set keystone_base_packages = [
'keystone',
'apache2',
'libapache2-mod-wsgi',
'python-ldappool'
] %}
{{ macros.install_packages(keystone_packages | customizable("packages")) }}
{{ macros.install_packages(keystone_base_packages | customizable("packages")) }}
RUN mkdir -p /var/www/cgi-bin/keystone \
&& cp -a /usr/share/keystone/wsgi.py /var/www/cgi-bin/keystone/main \
&& cp -a /usr/share/keystone/wsgi.py /var/www/cgi-bin/keystone/admin \
@ -38,28 +36,27 @@ RUN mkdir -p /var/www/cgi-bin/keystone \
{% endif %}
{% elif install_type == 'source' %}
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
{% set keystone_packages = [
{% set keystone_base_packages = [
'httpd',
'mod_wsgi',
'python-ldappool'
] %}
{{ macros.install_packages(keystone_packages | customizable("packages")) }}
{{ macros.install_packages(keystone_base_packages | customizable("packages")) }}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_packages = [
{% set keystone_base_packages = [
'apache2',
'libapache2-mod-wsgi',
'python-ldappool'
] %}
{{ macros.install_packages(keystone_packages | customizable("packages")) }}
{{ macros.install_packages(keystone_base_packages | customizable("packages")) }}
RUN echo > /etc/apache2/ports.conf
{% endif %}
ADD keystone-archive /keystone-source
RUN ln -s keystone-source/* keystone \
ADD keystone-base-archive /keystone-base-source
RUN ln -s keystone-base-source/* keystone \
&& useradd --user-group keystone \
&& /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /keystone \
&& mkdir -p /etc/keystone /var/www/cgi-bin/keystone /var/log/apache2 /home/keystone \
@ -74,11 +71,6 @@ RUN usermod -a -G kolla keystone \
&& chown -R keystone: /var/www/cgi-bin/keystone \
&& chmod 755 /var/www/cgi-bin/keystone/*
COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_keystone_bootstrap
{% block keystone_footer %}{% endblock %}
{% block keystone_base_footer %}{% endblock %}
{% block footer %}{% endblock %}
{{ include_footer }}
{{ include_footer }}

View File

@ -0,0 +1,25 @@
FROM {{ namespace }}/{{ image_prefix }}keystone-base:{{ tag }}
MAINTAINER {{ maintainer }}
{% import "macros.j2" as macros with context %}
{% if base_distro in ['fedora', 'centos', 'oraclelinux', 'rhel'] %}
{% set keystone_fernet_packages = [
'cronie',
'rsync'
] %}
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_fernet_packages = [
'cron',
'rsync'
] %}
{% endif %}
{{ macros.install_packages(keystone_fernet_packages | customizable("packages")) }}
COPY fetch_fernet_tokens.py /usr/bin/
COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_keystone_bootstrap /usr/bin/fetch_fernet_tokens.py
{% block keystone_fernet_footer %}{% endblock %}
{% block footer %}{% endblock %}
{{ include_footer }}

View File

@ -0,0 +1,12 @@
#!/bin/bash
FERNET_SYNC=/usr/bin/fernet-node-sync.sh
FERNET_TOKEN_DIR="/etc/keystone/fernet-keys"
if [[ -f "${FERNET_SYNC}" ]]; then
${FERNET_SYNC}
fi
if [[ $(stat -c %U:%G ${FERNET_TOKEN_DIR}) != "keystone:keystone" ]]; then
chown keystone:keystone ${FERNET_TOKEN_DIR}
fi

View File

@ -0,0 +1,84 @@
#!/usr/bin/python
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Basically this module will fetch the fernet tokens and compare them to the
# required time constrains to determine whether the host needs to resync with
# other nodes in the cluster.
from __future__ import print_function
import argparse
from datetime import datetime
from datetime import timedelta
import json
import os
import sys
TOKEN_PATH = '/etc/keystone/fernet-keys'
def json_exit(msg=None, failed=False, changed=False):
if type(msg) is not dict:
msg = {'msg': str(msg)}
msg.update({'failed': failed, 'changed': changed})
print(json.dumps(msg))
sys.exit()
def has_file(filename_path):
if not os.path.exists(filename_path):
return False
return True
def num_tokens():
_, _, files = os.walk(TOKEN_PATH).next()
return len(files)
def tokens_populated(expected):
return num_tokens() == int(expected)
def token_stale(seconds, filename='0'):
max_token_age = datetime.now() - timedelta(seconds=int(seconds))
filename_path = os.path.join(TOKEN_PATH, filename)
if not has_file(filename_path):
return True
modified_date = datetime.fromtimestamp(os.path.getmtime(filename_path))
return modified_date < max_token_age
def main():
parser = argparse.ArgumentParser(description='''Checks to see if a fernet
token no older than a desired time.''')
parser.add_argument('-t', '--time',
help='Time in seconds for a token rotation',
required=True)
parser.add_argument('-f', '--filename',
help='Filename of token to check',
default='0')
parser.add_argument('-n', '--number',
help='Number of tokens that should exist',
required=True)
args = parser.parse_args()
json_exit({
'populated': tokens_populated(args.number),
'update_required': token_stale(args.time, args.filename),
})
if __name__ == '__main__':
main()

View File

@ -0,0 +1,43 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -x
USERNAME=$1
GROUP=$2
function fail_json {
echo '{"failed": true, "msg": "'$1'", "changed": true}'
exit 1
}
function exit_json {
echo '{"failed": false, "changed": '"${changed}"'}'
}
changed="false"
keystone_bootstrap=$(keystone-manage --config-file /etc/keystone/keystone.conf fernet_setup --keystone-user ${USERNAME} --keystone-group ${GROUP} 2>&1)
if [[ $? != 0 ]]; then
fail_json "${keystone_bootstrap}"
fi
changed=$(echo "${keystone_bootstrap}" | awk '
/Key repository is already initialized/ {count++}
END {
if (count == 1) changed="true"; else changed="false"
print changed
}'
)
exit_json

View File

@ -0,0 +1,21 @@
FROM {{ namespace }}/{{ image_prefix }}keystone-base:{{ tag }}
MAINTAINER {{ maintainer }}
{% import "macros.j2" as macros with context %}
{% if base_distro in ['centos', 'fedora', 'oraclelinux', 'rhel'] %}
{% set keystone_ssh_packages = ['openssh-server'] %}
{% elif base_distro in ['ubuntu', 'debian'] %}
{% set keystone_ssh_packages = ['openssh-server'] %}
RUN mkdir -p /var/run/sshd \
&& chmod 0755 /var/run/sshd
{% endif %}
{{ macros.install_packages(keystone_ssh_packages | customizable("packages")) }}
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start
{% block keystone_ssh_footer %}{% endblock %}
{% block footer %}{% endblock %}
{{ include_footer }}

View File

@ -0,0 +1,20 @@
#!/bin/bash
if [[ ! -L /dev/log ]]; then
ln -sf /var/lib/kolla/heka/log /dev/log
fi
SSH_HOST_KEY_TYPES=( "rsa" "dsa" "ecdsa" "ed25519" )
for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
if [[ ! -f "${KEY_PATH}" ]]; then
ssh-keygen -q -t ${key_type} -f ${KEY_PATH} -N ""
fi
done
mkdir -p /var/lib/keystone/.ssh
if [[ $(stat -c %U:%G /var/lib/keystone/.ssh) != "keystone:keystone" ]]; then
sudo chown keystone: /var/lib/keystone/.ssh
fi

View File

@ -0,0 +1,10 @@
FROM {{ namespace }}/{{ image_prefix }}keystone-base:{{ tag }}
MAINTAINER {{ maintainer }}
COPY keystone_bootstrap.sh /usr/local/bin/kolla_keystone_bootstrap
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start /usr/local/bin/kolla_keystone_bootstrap
{% block keystone_footer %}{% endblock %}
{% block footer %}{% endblock %}
{{ include_footer }}

View File

@ -207,7 +207,7 @@ SOURCES = {
'type': 'url',
'location': ('http://tarballs.openstack.org/ironic/'
'ironic-master.tar.gz')},
'keystone': {
'keystone-base': {
'type': 'url',
'location': ('http://tarballs.openstack.org/keystone/'
'keystone-master.tar.gz')},