x/snap.openstack
Code Issues Proposed changes

Add automatic setup of REQUESTS_CA_BUNDLE

Browse Source 
Add automatic addition of REQUESTS_CA_BUNDLE to the execution
environment if $SNAP_COMMON/etc/ssl/certs/ca-certificates.crt
is detected, allowing the certs from the core snap to be
overridden on a per snap basis.

This supports use of privately signed certificates in snap
based deployments.

Change-Id: Iac789d25b9a5d0e71ba0afdc8462ff0c2344ef7b
Related-Bug: 1724012
This commit is contained in:
James Page 2017-10-26 09:39:42 +01:00
parent f9ae8f4813
commit b2b84c96a9
3 changed files with 48 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
snap_openstack/base.py
View File

@ -134,6 +134,23 @@ def _get_os_log_file(entry_point):
return option return option
def _build_environment():
'''Prepare any snap specific environment additions
This function will automatically add REQUEST_CA_BUNDLE
if $SNAP_COMMON/etc/ssl/certs/ca-certificates.crt is detected.
'''
utils = SnapUtils()
env = os.environ.copy()
ca_certs = (
'{snap_common}/etc/ssl/certs/ca-certificates.crt'.format(
**utils.snap_env)
)
if os.path.exists(ca_certs):
env['REQUESTS_CA_BUNDLE'] = ca_certs
return env
class OpenStackSnap(object): class OpenStackSnap(object):
'''Main executor class for snap-openstack''' '''Main executor class for snap-openstack'''
@ -295,4 +312,4 @@ class OpenStackSnap(object):
', skipping'.format(cfile)) ', skipping'.format(cfile))
LOG.debug('Executing command {}'.format(' '.join(cmd))) LOG.debug('Executing command {}'.format(' '.join(cmd)))
os.execvp(cmd[0], cmd) os.execvpe(cmd[0], cmd, _build_environment())

43
snap_openstack/tests/test_snap_openstack.py
View File

@ -82,15 +82,17 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists mock_os.path.exists.side_effect = self.mock_exists
mock_os.environ = {}
mock_os.path.basename.side_effect = 'keystone.conf' mock_os.path.basename.side_effect = 'keystone.conf'
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-manage']) 'keystone-manage'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/bin/keystone-manage', '/snap/keystone/current/bin/keystone-manage',
['/snap/keystone/current/bin/keystone-manage', ['/snap/keystone/current/bin/keystone-manage',
'--config-file=/snap/keystone/current/etc/keystone/keystone.conf', '--config-file=/snap/keystone/current/etc/keystone/keystone.conf',
'--config-dir=/var/snap/keystone/common/etc/keystone/' '--config-dir=/var/snap/keystone/common/etc/keystone/'
'keystone.conf.d'] 'keystone.conf.d'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')
@ -103,16 +105,18 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists_overrides mock_os.path.exists.side_effect = self.mock_exists_overrides
mock_os.environ = {}
mock_os.path.basename.side_effect = 'keystone.conf' mock_os.path.basename.side_effect = 'keystone.conf'
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-manage']) 'keystone-manage'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/bin/keystone-manage', '/snap/keystone/current/bin/keystone-manage',
['/snap/keystone/current/bin/keystone-manage', ['/snap/keystone/current/bin/keystone-manage',
'--config-file=/var/snap/keystone/common/etc/keystone/' '--config-file=/var/snap/keystone/common/etc/keystone/'
'keystone.conf', 'keystone.conf',
'--config-dir=/var/snap/keystone/common/etc/keystone/' '--config-dir=/var/snap/keystone/common/etc/keystone/'
'keystone.conf.d'] 'keystone.conf.d'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')
@ -125,17 +129,19 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists mock_os.path.exists.side_effect = self.mock_exists
mock_os.environ = {}
mock_os.path.basename.side_effect = 'keystone.conf' mock_os.path.basename.side_effect = 'keystone.conf'
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-manage', 'keystone-manage',
'db', 'sync']) 'db', 'sync'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/bin/keystone-manage', '/snap/keystone/current/bin/keystone-manage',
['/snap/keystone/current/bin/keystone-manage', ['/snap/keystone/current/bin/keystone-manage',
'--config-file=/snap/keystone/current/etc/keystone/keystone.conf', '--config-file=/snap/keystone/current/etc/keystone/keystone.conf',
'--config-dir=/var/snap/keystone/common/etc/keystone/' '--config-dir=/var/snap/keystone/common/etc/keystone/'
'keystone.conf.d', 'keystone.conf.d',
'db', 'sync'] 'db', 'sync'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')
@ -148,6 +154,7 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists mock_os.path.exists.side_effect = self.mock_exists
mock_os.environ = {}
self.assertRaises(ValueError, self.assertRaises(ValueError,
snap.execute, snap.execute,
['snap-openstack', ['snap-openstack',
@ -163,6 +170,7 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists mock_os.path.exists.side_effect = self.mock_exists
mock_os.environ = {}
mock_os.path.basename.side_effect = 'keystone.conf' mock_os.path.basename.side_effect = 'keystone.conf'
builtin = '__builtin__' builtin = '__builtin__'
if sys.version_info > (3, 0): if sys.version_info > (3, 0):
@ -170,12 +178,13 @@ class TestOpenStackSnapExecute(test_base.TestCase):
with patch('{}.open'.format(builtin), mock_open(), create=True): with patch('{}.open'.format(builtin), mock_open(), create=True):
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-uwsgi']) 'keystone-uwsgi'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/bin/uwsgi', '/snap/keystone/current/bin/uwsgi',
['/snap/keystone/current/bin/uwsgi', '--master', ['/snap/keystone/current/bin/uwsgi', '--master',
'--die-on-term', '-H', '/snap/keystone/current/usr', '--die-on-term', '-H', '/snap/keystone/current/usr',
'--emperor', '/var/snap/keystone/common/etc/uwsgi/snap', '--emperor', '/var/snap/keystone/common/etc/uwsgi/snap',
'--logto', '/var/snap/keystone/common/log/uwsgi.log'] '--logto', '/var/snap/keystone/common/log/uwsgi.log'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')
@ -188,6 +197,7 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists_overrides mock_os.path.exists.side_effect = self.mock_exists_overrides
mock_os.environ = {}
mock_os.path.basename.side_effect = 'keystone.conf' mock_os.path.basename.side_effect = 'keystone.conf'
mock_os.listdir.side_effect = ( mock_os.listdir.side_effect = (
'/var/snap/keystone/common/etc/uwsgi/config.ini' '/var/snap/keystone/common/etc/uwsgi/config.ini'
@ -198,12 +208,13 @@ class TestOpenStackSnapExecute(test_base.TestCase):
with patch('{}.open'.format(builtin), mock_open(), create=True): with patch('{}.open'.format(builtin), mock_open(), create=True):
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-uwsgi']) 'keystone-uwsgi'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/bin/uwsgi', '/snap/keystone/current/bin/uwsgi',
['/snap/keystone/current/bin/uwsgi', '--master', ['/snap/keystone/current/bin/uwsgi', '--master',
'--die-on-term', '-H', '/snap/keystone/current/usr', '--die-on-term', '-H', '/snap/keystone/current/usr',
'--emperor', '/var/snap/keystone/common/etc/uwsgi', '--emperor', '/var/snap/keystone/common/etc/uwsgi',
'--logto', '/var/snap/keystone/common/log/uwsgi.log'] '--logto', '/var/snap/keystone/common/log/uwsgi.log'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')
@ -216,13 +227,15 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists mock_os.path.exists.side_effect = self.mock_exists
mock_os.environ = {}
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-nginx']) 'keystone-nginx'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/usr/sbin/nginx', '/snap/keystone/current/usr/sbin/nginx',
['/snap/keystone/current/usr/sbin/nginx', '-g', ['/snap/keystone/current/usr/sbin/nginx', '-g',
'daemon on; master_process on;', 'daemon on; master_process on;',
'-c', '/var/snap/keystone/common/etc/nginx/snap/nginx.conf'] '-c', '/var/snap/keystone/common/etc/nginx/snap/nginx.conf'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')
@ -235,13 +248,15 @@ class TestOpenStackSnapExecute(test_base.TestCase):
snap = base.OpenStackSnap(os.path.join(TEST_DIR, snap = base.OpenStackSnap(os.path.join(TEST_DIR,
'snap-openstack.yaml')) 'snap-openstack.yaml'))
mock_os.path.exists.side_effect = self.mock_exists_overrides mock_os.path.exists.side_effect = self.mock_exists_overrides
mock_os.environ = {}
snap.execute(['snap-openstack', snap.execute(['snap-openstack',
'keystone-nginx']) 'keystone-nginx'])
mock_os.execvp.assert_called_with( mock_os.execvpe.assert_called_with(
'/snap/keystone/current/usr/sbin/nginx', '/snap/keystone/current/usr/sbin/nginx',
['/snap/keystone/current/usr/sbin/nginx', '-g', ['/snap/keystone/current/usr/sbin/nginx', '-g',
'daemon on; master_process on;', 'daemon on; master_process on;',
'-c', '/var/snap/keystone/common/etc/nginx/nginx.conf'] '-c', '/var/snap/keystone/common/etc/nginx/nginx.conf'],
{},
) )
@patch.object(base, 'SnapFileRenderer') @patch.object(base, 'SnapFileRenderer')

2
tox.ini
View File

@ -1,6 +1,6 @@
[tox] [tox]
minversion = 2.0 minversion = 2.0
envlist = py35,py27,pep8 envlist = py35,py36,py27,pep8
skipsdist = True skipsdist = True
[testenv] [testenv]