#!/bin/sh # # # OpenStack Keystone # # Description: Manages an OpenStack Keystone process as an HA resource # # Authors: Martin Gerhard Loschwitz # # Support: openstack@lists.openstack.org # License: Apache Software License (ASL) 2.0 # # (c) 2012 hastexo Professional Services GmbH # # See usage() function below for more details ... # # OCF instance parameters: # OCF_RESKEY_binary # OCF_RESKEY_client_binary # OCF_RESKEY_config # OCF_RESKEY_os_username # OCF_RESKEY_os_password # OCF_RESKEY_os_tenant_name # OCF_RESKEY_os_auth_url # OCF_RESKEY_user # OCF_RESKEY_pid # OCF_RESKEY_additional_parameters ####################################################################### # Initialization: : ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} . ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs ####################################################################### # Fill in some defaults if no values are specified OCF_RESKEY_binary_default="keystone-all" OCF_RESKEY_config_default="/etc/keystone/keystone.conf" OCF_RESKEY_pid_default="$HA_RSCTMP/$OCF_RESOURCE_INSTANCE.pid" OCF_RESKEY_user_default="keystone" OCF_RESKEY_client_binary_default="keystone" : ${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}} : ${OCF_RESKEY_config=${OCF_RESKEY_config_default}} : ${OCF_RESKEY_user=${OCF_RESKEY_user_default}} : ${OCF_RESKEY_pid=${OCF_RESKEY_pid_default}} : ${OCF_RESKEY_client_binary=${OCF_RESKEY_client_binary_default}} ####################################################################### usage() { cat < 1.0 Resource agent for the OpenStack Identity Service (Keystone) May manage a keystone-all instance or a clone set that creates a distributed keystone cluster. Manages the OpenStack Identity Service (Keystone) Location of the OpenStack Identity Service server binary (keystone-all) Keystone server binary (keystone-all) Location of the OpenStack Identity Service client binary (keystone) Keystone server binary (keystone) Location of the OpenStack Identity Service configuration file Keystone configuration file The username to use when logging into Keystone for monitoring purposes Keystone monitoring login The password to use when logging into Keystone for monitoring purposes Keystone monitoring password The tenant to use when logging into Keystone for monitoring purposes Keystone monitoring tenant The URL pointing to this Keystone instance to use when logging in for monitoring purposes Keystone URL for monitoring login User running OpenStack Identity (Keystone) OpenStack Identity (Keystone) user The pid file to use for this Keystone instance (keystone-all) OpenStack Identity (Keystone) pid file Additional parameters to pass on to the Keystone server (keystone-all) Additional parameters for the Keystone server END } ####################################################################### # Functions invoked by resource manager actions keystone_validate() { local rc check_binary $OCF_RESKEY_binary check_binary $OCF_RESKEY_client_binary # A config file on shared storage that is not available # during probes is OK. if [ ! -f $OCF_RESKEY_config ]; then if ! ocf_is_probe; then ocf_log err "Config $OCF_RESKEY_config doesn't exist" return $OCF_ERR_INSTALLED fi ocf_log_warn "Config $OCF_RESKEY_config not available during a probe" fi getent passwd $OCF_RESKEY_user >/dev/null 2>&1 rc=$? if [ $rc -ne 0 ]; then ocf_log err "User $OCF_RESKEY_user doesn't exist" return $OCF_ERR_INSTALLED fi true } keystone_status() { local pid local rc if [ ! -f $OCF_RESKEY_pid ]; then ocf_log info "OpenStack Identity (Keystone) is not running" return $OCF_NOT_RUNNING else pid=`cat $OCF_RESKEY_pid` fi ocf_run -warn kill -s 0 $pid rc=$? if [ $rc -eq 0 ]; then return $OCF_SUCCESS else ocf_log info "Old PID file found, but OpenStack Identity (Keystone)" \ "is not running" return $OCF_NOT_RUNNING fi } keystone_monitor() { local rc keystone_status rc=$? # If status returned anything but success, return that immediately if [ $rc -ne $OCF_SUCCESS ]; then return $rc fi # Check whether we are supposed to monitor by logging into Keystone # and do it if that's the case. if [ -n "$OCF_RESKEY_client_binary" ] && [ -n "$OCF_RESKEY_os_username" ] \ && [ -n "$OCF_RESKEY_os_password" ] \ && [ -n "$OCF_RESKEY_os_tenant_name" ] \ && [ -n "$OCF_RESKEY_os_auth_url" ]; then ocf_run -q $OCF_RESKEY_client_binary \ --os-username "$OCF_RESKEY_os_username" \ --os-password "$OCF_RESKEY_os_password" \ --os-tenant-name "$OCF_RESKEY_os_tenant_name" \ --os-auth-url "$OCF_RESKEY_os_auth_url" \ user-list > /dev/null 2>&1 rc=$? if [ $rc -ne 0 ]; then ocf_log err "Failed to connect to the OpenStack Identity" \ "(Keystone): $rc" return $OCF_NOT_RUNNING fi fi ocf_log debug "OpenStack Identity (Keystone) monitor succeeded" return $OCF_SUCCESS } keystone_start() { local rc keystone_status rc=$? if [ $rc -eq $OCF_SUCCESS ]; then ocf_log info "OpenStack Identity (Keystone) already running" return $OCF_SUCCESS fi # run the actual keystone daemon. Don't use ocf_run as we're sending the # tool's output straight to /dev/null anyway and using ocf_run would break # stdout-redirection here. su ${OCF_RESKEY_user} -s /bin/sh -c "${OCF_RESKEY_binary} \ --config-file $OCF_RESKEY_config \ $OCF_RESKEY_additional_parameters"' >> /dev/null 2>&1 & echo $!' \ > $OCF_RESKEY_pid # Spin waiting for the server to come up. # Let the CRM/LRM time us out if required while true; do sleep 1 keystone_monitor rc=$? [ $rc -eq $OCF_SUCCESS ] && break if [ $rc -ne $OCF_NOT_RUNNING ]; then ocf_log err "OpenStack Identity (Keystone) start failed" exit $OCF_ERR_GENERIC fi done ocf_log info "OpenStack Identity (Keystone) started" return $OCF_SUCCESS } keystone_stop() { local rc local pid keystone_status rc=$? if [ $rc -eq $OCF_NOT_RUNNING ]; then ocf_log info "OpenStack Identity (Keystone) already stopped" return $OCF_SUCCESS fi # Try SIGTERM pid=`cat $OCF_RESKEY_pid` ocf_run kill -s TERM $pid rc=$? if [ $rc -ne 0 ]; then ocf_log err "OpenStack Identity (Keystone) couldn't be stopped" exit $OCF_ERR_GENERIC fi # stop waiting shutdown_timeout=15 if [ -n "$OCF_RESKEY_CRM_meta_timeout" ]; then shutdown_timeout=$((($OCF_RESKEY_CRM_meta_timeout/1000)-5)) fi count=0 while [ $count -lt $shutdown_timeout ]; do keystone_status rc=$? if [ $rc -eq $OCF_NOT_RUNNING ]; then break fi count=`expr $count + 1` sleep 1 ocf_log debug "OpenStack Identity (Keystone) still hasn't stopped" \ "yet. Waiting ..." done keystone_status rc=$? if [ $rc -ne $OCF_NOT_RUNNING ]; then # SIGTERM didn't help either, try SIGKILL ocf_log info "OpenStack Identity (Keystone) failed to stop after" \ "${shutdown_timeout}s using SIGTERM. Trying SIGKILL ..." ocf_run kill -s KILL $pid fi ocf_log info "OpenStack Identity (Keystone) stopped" rm -f $OCF_RESKEY_pid return $OCF_SUCCESS } ####################################################################### case "$1" in meta-data) meta_data exit $OCF_SUCCESS ;; usage|help) usage exit $OCF_SUCCESS ;; esac # Anything except meta-data and help must pass validation keystone_validate || exit $? # What kind of method was invoked? case "$1" in start) keystone_start ;; stop) keystone_stop ;; status) keystone_status ;; monitor) keystone_monitor ;; validate-all) ;; *) usage exit $OCF_ERR_UNIMPLEMENTED ;; esac