#!/bin/sh
#
#
# OpenStack Keystone
#
# Description:  Manages an OpenStack Keystone process as an HA resource
#
# Authors:      Martin Gerhard Loschwitz
#
# Support:      openstack@lists.launchpad.net
# License:      Apache Software License (ASL) 2.0
#
# (c) 2012      hastexo Professional Services GmbH
#
# See usage() function below for more details ...
#
# OCF instance parameters:
#   OCF_RESKEY_binary
#   OCF_RESKEY_client_binary
#   OCF_RESKEY_config
#   OCF_RESKEY_os_username
#   OCF_RESKEY_os_password
#   OCF_RESKEY_os_tenant_name
#   OCF_RESKEY_os_auth_url
#   OCF_RESKEY_user
#   OCF_RESKEY_pid
#   OCF_RESKEY_additional_parameters
#######################################################################
# Initialization:

: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}
. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs

#######################################################################

# Fill in some defaults if no values are specified

OCF_RESKEY_binary_default="keystone-all"
OCF_RESKEY_config_default="/etc/keystone/keystone.conf"
OCF_RESKEY_pid_default="$HA_RSCTMP/$OCF_RESOURCE_INSTANCE.pid"
OCF_RESKEY_user_default="keystone"
OCF_RESKEY_client_binary_default="keystone"

: ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}}
: ${OCF_RESKEY_config=${OCF_RESKEY_config_default}}
: ${OCF_RESKEY_user=${OCF_RESKEY_user_default}}
: ${OCF_RESKEY_pid=${OCF_RESKEY_pid_default}}
: ${OCF_RESKEY_client_binary=${OCF_RESKEY_client_binary_default}}

#######################################################################

usage() {
    cat <<UEND
        usage: $0 (start|stop|validate-all|meta-data|status|monitor)

        $0 manages an OpenStack Keystone process as an HA resource

        The 'start' operation starts the identity service.
        The 'stop' operation stops the identity service.
        The 'validate-all' operation reports whether the parameters are valid
        The 'meta-data' operation reports this RA's meta-data information
        The 'status' operation reports whether the identity service is running
        The 'monitor' operation reports whether the identity service seems to be working

UEND
}

meta_data() {
    cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="keystone">
<version>1.0</version>

<longdesc lang="en">
Resource agent for the OpenStack Identity Service (Keystone)
May manage a keystone-all instance or a clone set that
creates a distributed keystone cluster.
</longdesc>
<shortdesc lang="en">Manages the OpenStack Identity Service (Keystone)</shortdesc>
<parameters>

<parameter name="binary" unique="0" required="0">
<longdesc lang="en">
Location of the OpenStack Identity Service server binary (keystone-all)
</longdesc>
<shortdesc lang="en">Keystone server binary (keystone-all)</shortdesc>
<content type="string" default="${OCF_RESKEY_binary_default}" />
</parameter>

<parameter name="client_binary" unique="0" required="0">
<longdesc lang="en">
Location of the OpenStack Identity Service client binary (keystone)
</longdesc>
<shortdesc lang="en">Keystone server binary (keystone)</shortdesc>
<content type="string" default="${OCF_RESKEY_client_binary_default}" />
</parameter>

<parameter name="config" unique="0" required="0">
<longdesc lang="en">
Location of the OpenStack Identity Service configuration file
</longdesc>
<shortdesc lang="en">Keystone configuration file</shortdesc>
<content type="string" default="${OCF_RESKEY_config_default}" />
</parameter>

<parameter name="os_username" unique="0" required="0">
<longdesc lang="en">
The username to use when logging into Keystone for monitoring purposes
</longdesc>
<shortdesc lang="en">Keystone monitoring login</shortdesc>
<content type="string" />
</parameter>

<parameter name="os_password" unique="0" required="0">
<longdesc lang="en">
The password to use when logging into Keystone for monitoring purposes
</longdesc>
<shortdesc lang="en">Keystone monitoring password</shortdesc>
<content type="string" />
</parameter>

<parameter name="os_tenant_name" unique="0" required="0">
<longdesc lang="en">
The tenant to use when logging into Keystone for monitoring purposes
</longdesc>
<shortdesc lang="en">Keystone monitoring tenant</shortdesc>
<content type="string" />
</parameter>

<parameter name="os_auth_url" unique="0" required="0">
<longdesc lang="en">
The URL pointing to this Keystone instance to use when logging in for monitoring purposes
</longdesc>
<shortdesc lang="en">Keystone URL for monitoring login</shortdesc>
<content type="string" />
</parameter>

<parameter name="user" unique="0" required="0">
<longdesc lang="en">
User running OpenStack Identity (Keystone)
</longdesc>
<shortdesc lang="en">OpenStack Identity (Keystone) user</shortdesc>
<content type="string" default="${OCF_RESKEY_user_default}" />
</parameter>

<parameter name="pid" unique="0" required="0">
<longdesc lang="en">
The pid file to use for this Keystone instance (keystone-all)
</longdesc>
<shortdesc lang="en">OpenStack Identity (Keystone) pid file</shortdesc>
<content type="string" default="${OCF_RESKEY_pid_default}" />
</parameter>

<parameter name="additional_parameters" unique="0" required="0">
<longdesc lang="en">
Additional parameters to pass on to the Keystone server (keystone-all)
</longdesc>
<shortdesc lang="en">Additional parameters for the Keystone server</shortdesc>
<content type="string" />
</parameter>

</parameters>

<actions>
<action name="start" timeout="20" />
<action name="stop" timeout="20" />
<action name="status" timeout="20" />
<action name="monitor" timeout="30" interval="20" />
<action name="validate-all" timeout="5" />
<action name="meta-data" timeout="5" />
</actions>
</resource-agent>
END
}

#######################################################################
# Functions invoked by resource manager actions

keystone_validate() {
    local rc

    check_binary $OCF_RESKEY_binary
    check_binary $OCF_RESKEY_client_binary

    # A config file on shared storage that is not available
    # during probes is OK.
    if [ ! -f $OCF_RESKEY_config ]; then
        if ! ocf_is_probe; then
            ocf_log err "Config $OCF_RESKEY_config doesn't exist"
            return $OCF_ERR_INSTALLED
        fi
        ocf_log_warn "Config $OCF_RESKEY_config not available during a probe"
    fi

    getent passwd $OCF_RESKEY_user >/dev/null 2>&1
    rc=$?
    if [ $rc -ne 0 ]; then
        ocf_log err "User $OCF_RESKEY_user doesn't exist"
        return $OCF_ERR_INSTALLED
    fi

    true
}

keystone_status() {
    local pid
    local rc

    if [ ! -f $OCF_RESKEY_pid ]; then
        ocf_log info "OpenStack Identity (Keystone) is not running"
        return $OCF_NOT_RUNNING
    else
    pid=`cat $OCF_RESKEY_pid`
    fi

    ocf_run -warn kill -s 0 $pid
    rc=$?
    if [ $rc -eq 0 ]; then
        return $OCF_SUCCESS
    else
        ocf_log info "Old PID file found, but OpenStack Identity (Keystone) is not running"
        return $OCF_NOT_RUNNING
    fi
}

keystone_monitor() {
    local rc

    keystone_status
    rc=$?

    # If status returned anything but success, return that immediately
    if [ $rc -ne $OCF_SUCCESS ]; then
        return $rc
    fi

    # Check whether we are supposed to monitor by logging into Keystone
    # and do it if that's the case.
    if [ -n "$OCF_RESKEY_client_binary" ] && [ -n "$OCF_RESKEY_os_username" ] \
    && [ -n "$OCF_RESKEY_os_password" ] && [ -n "$OCF_RESKEY_os_tenant_name" ] \
    && [ -n "$OCF_RESKEY_os_auth_url" ]; then
        ocf_run -q $OCF_RESKEY_client_binary \
        --os-username "$OCF_RESKEY_os_username" \
        --os-password "$OCF_RESKEY_os_password" \
        --os-tenant-name "$OCF_RESKEY_os_tenant_name" \
        --os-auth-url "$OCF_RESKEY_os_auth_url" \
        user-list > /dev/null 2>&1
        rc=$?
        if [ $rc -ne 0 ]; then
            ocf_log err "Failed to connect to the OpenStack Identity (Keystone): $rc"
            return $OCF_NOT_RUNNING
        fi
    fi

    ocf_log debug "OpenStack Identity (Keystone) monitor succeeded"
    return $OCF_SUCCESS
}

keystone_start() {
    local rc

    keystone_status
    rc=$?
    if [ $rc -eq $OCF_SUCCESS ]; then
        ocf_log info "OpenStack Identity (Keystone) already running"
        return $OCF_SUCCESS
    fi

    # run the actual keystone daemon. Don't use ocf_run as we're sending the tool's output
    # straight to /dev/null anyway and using ocf_run would break stdout-redirection here.
    su ${OCF_RESKEY_user} -s /bin/sh -c "${OCF_RESKEY_binary} --config-file $OCF_RESKEY_config \
        $OCF_RESKEY_additional_parameters"' >> /dev/null 2>&1 & echo $!' > $OCF_RESKEY_pid

    # Spin waiting for the server to come up.
    # Let the CRM/LRM time us out if required
    while true; do
    sleep 1
    keystone_monitor
    rc=$?
    [ $rc -eq $OCF_SUCCESS ] && break
    if [ $rc -ne $OCF_NOT_RUNNING ]; then
        ocf_log err "OpenStack Identity (Keystone) start failed"
        exit $OCF_ERR_GENERIC
    fi
    done

    ocf_log info "OpenStack Identity (Keystone) started"
    return $OCF_SUCCESS
}

keystone_stop() {
    local rc
    local pid

    keystone_status
    rc=$?
    if [ $rc -eq $OCF_NOT_RUNNING ]; then
        ocf_log info "OpenStack Identity (Keystone) already stopped"
        return $OCF_SUCCESS
    fi

    # Try SIGTERM
    pid=`cat $OCF_RESKEY_pid`
    ocf_run kill -s TERM $pid
    rc=$?
    if [ $rc -ne 0 ]; then
        ocf_log err "OpenStack Identity (Keystone) couldn't be stopped"
        exit $OCF_ERR_GENERIC
    fi

    # stop waiting
    shutdown_timeout=15
    if [ -n "$OCF_RESKEY_CRM_meta_timeout" ]; then
        shutdown_timeout=$((($OCF_RESKEY_CRM_meta_timeout/1000)-5))
    fi
    count=0
    while [ $count -lt $shutdown_timeout ]; do
        keystone_status
        rc=$?
        if [ $rc -eq $OCF_NOT_RUNNING ]; then
            break
        fi
        count=`expr $count + 1`
        sleep 1
        ocf_log debug "OpenStack Identity (Keystone) still hasn't stopped yet. Waiting ..."
    done

    keystone_status
    rc=$?
    if [ $rc -ne $OCF_NOT_RUNNING ]; then
        # SIGTERM didn't help either, try SIGKILL
        ocf_log info "OpenStack Identity (Keystone) failed to stop after ${shutdown_timeout}s \
            using SIGTERM. Trying SIGKILL ..."
        ocf_run kill -s KILL $pid
    fi

    ocf_log info "OpenStack Identity (Keystone) stopped"

    rm -f $OCF_RESKEY_pid

    return $OCF_SUCCESS
}

#######################################################################

case "$1" in
    meta-data)
        meta_data
        exit $OCF_SUCCESS
        ;;
    usage|help)
        usage
        exit $OCF_SUCCESS
        ;;
esac

# Anything except meta-data and help must pass validation
keystone_validate || exit $?

# What kind of method was invoked?
case "$1" in
    start)
        keystone_start
        ;;
    stop)
        keystone_stop
        ;;
    status)
        keystone_status
        ;;
    monitor)
        keystone_monitor
        ;;
    validate-all)
        ;;
    *)
        usage
        exit $OCF_ERR_UNIMPLEMENTED
        ;;
esac