
This is a large and invasive change to the underlying guts. Most casual use should not notice a difference, but advanced users, especially those using the Profile or Authenticator interfaces or making use of pluggable providers will be broken.

The overall intent is to align directly on top of the mechanisms that came from os-client-config for config and to use keystoneauth1's Adapter interface to make use of the canonical implementations of such things as service and version discovery. The end goal is that openstacksdk provides the REST interaction layer for python-openstackclient, shade, Ansible and nodepool.

Replace profile with openstack.config

os-client-config is used by shade and python-openstackclient to read and process configuration. openstacksdk also can use the os-client-config interface, but translates it internally into the Profile object. As os-client-config has been ingested into openstack.config, remove Profile and just use the config classes.

Make proxy subclass of adapter

This gives every service a generic passthrough for REST calls, which means we can map unknown service-type values to a generic proxy.

Strip endpoint_filter

We're passing Adapters around, not sessions. Doing so means that self.service and endpoint_filter have become unnecessary.

Rename _Request.uri to _Request.url

This is a stepping-stone to replacing _Request with requests.Request and using requests.Session.prepare_request inside of _prepare_request.

Rename service proxy instances to match their official service-type.

Aliases are kept for the old versions, but make the canonical versions match the official name.

* Rename bare_metal to baremetal
* Rename cluster to clustering
* Rename block_store to block_storage
* Rename telemetry to meter

Create generic proxies for all services in STA

Every service listed in service types authority is an OpenStack service. Even if we don't know about it in SDK, we should at the very least have a low-level Adapter for it so that people can use REST calls while waiting on the SDK to add higher-level constructs.

The pypy jobs are happily green. Run them as voting rather than non-voting.

Add syntactic sugar alias for making connections

Typing:

    import openstack.connection
    conn = openstack.connection.Connection(cloud='example')

is annoying. This allows:

    import openstack
    conn = openstack.connect(cloud='example')

Use task_manager and Adapter from shade

As a stepping-stone towards shade and sdk codepaths being rationalized, we need to get SDK using the Adapter from shade that submits requests into the TaskManager. For normal operation this is a passthrough/no-op sort of thing, but it's essential for high-volume consumers such as nodepool.

This exposes a bunch of places in tests where we're mocking a bit too deeply. We should go back through and fix all of those via requests_mock, but that's WAY too much for today.

This was a 'for later' task, but it turns out that the move to Adapter was causing exceptions to be thrown that were not the exceptions that were intended to be caught in the SDK layer, which was causing functional tests of things like GET operations to fail. So it became a today task.

Change-Id: I7b46e263a76d84573bdfbbece57b1048764ed939
308 lines
9.6 KiB
ReStructuredText
===========================================
Configuring os-client-config Applications
===========================================

.. _config-environment-variables:

Environment Variables
---------------------

`os-client-config` honors all of the normal `OS_*` variables. It does not
provide backwards compatibility to service-specific variables such as
`NOVA_USERNAME`.

If you have OpenStack environment variables set, `os-client-config` will produce
a cloud config object named `envvars` containing your values from the
environment. If you don't like the name `envvars`, that's ok, you can override
it by setting `OS_CLOUD_NAME`.

Service specific settings, like the nova service type, are set with the
default service type as a prefix. For instance, to set a special service_type
for trove, set:

.. code-block:: bash

  export OS_DATABASE_SERVICE_TYPE=rax:database

.. _config-clouds-yaml:

Config Files
------------

`os-client-config` will look for a file called `clouds.yaml` in the following
locations:

* Current Directory
* ~/.config/openstack
* /etc/openstack

The first file found wins.

You can also set the environment variable `OS_CLIENT_CONFIG_FILE` to an
absolute path of a file to look for and that location will be inserted at the
front of the file search list.

The keys are all of the keys you'd expect from `OS_*` - except lower case
and without the OS prefix. So, region name is set with `region_name`.

Service specific settings, like the nova service type, are set with the
default service type as a prefix. For instance, to set a special service_type
for trove (because you're using Rackspace) set:

.. code-block:: yaml

  database_service_type: 'rax:database'


Site Specific File Locations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In addition to `~/.config/openstack` and `/etc/openstack` - some platforms
have other locations they like to put things. `os-client-config` will also
look in an OS-specific config dir:

* `USER_CONFIG_DIR`
* `SITE_CONFIG_DIR`

`USER_CONFIG_DIR` is different on Linux, OSX and Windows.

* Linux: `~/.config/openstack`
* OSX: `~/Library/Application Support/openstack`
* Windows: `C:\\Users\\USERNAME\\AppData\\Local\\OpenStack\\openstack`

`SITE_CONFIG_DIR` is different on Linux, OSX and Windows.

* Linux: `/etc/openstack`
* OSX: `/Library/Application Support/openstack`
* Windows: `C:\\ProgramData\\OpenStack\\openstack`

An example config file is probably helpful:

.. code-block:: yaml

  clouds:
    mtvexx:
      profile: vexxhost
      auth:
        username: mordred@inaugust.com
        password: XXXXXXXXX
        project_name: mordred@inaugust.com
      region_name: ca-ymq-1
      dns_api_version: 1
    mordred:
      region_name: RegionOne
      auth:
        username: 'mordred'
        password: XXXXXXX
        project_name: 'shade'
        auth_url: 'https://montytaylor-sjc.openstack.blueboxgrid.com:5001/v2.0'
    infra:
      profile: rackspace
      auth:
        username: openstackci
        password: XXXXXXXX
        project_id: 610275
      regions:
      - DFW
      - ORD
      - IAD

You may note a few things. First, since `auth_url` settings are silly
and embarrassingly ugly, known cloud vendor profile information is included and
may be referenced by name. One of the benefits of that is that `auth_url`
isn't the only thing the vendor defaults contain. For instance, since
Rackspace lists `rax:database` as the service type for trove, `os-client-config`
knows that so that you don't have to. In case the cloud vendor profile is not
available, you can provide one called `clouds-public.yaml`, following the same
location rules previously mentioned for the config files.

`regions` can be a list of regions. When you call `get_all_clouds`,
you'll get a cloud config object for each cloud/region combo.

As seen with `dns_api_version`, any setting that makes sense to be per-service,
like `service_type` or `endpoint` or `api_version` can be set by prefixing
the setting with the default service type. That might strike you funny when
setting `service_type` and it does me too - but that's just the world we live
in.

Auth Settings
-------------

Keystone has auth plugins - which means it's not possible to know ahead of time
which auth settings are needed. `os-client-config` sets the default plugin type
to `password`, which is how everything worked before plugins came about. In
order to facilitate validation of values, all of the parameters that exist
as a result of a chosen plugin need to go into the auth dict. For password
auth, this includes `auth_url`, `username` and `password` as well as anything
related to domains, projects and trusts.

Splitting Secrets
-----------------

In some scenarios, such as configuration management controlled environments,
it might be easier to have secrets in one file and non-secrets in another.
This is fully supported via an optional file `secure.yaml` which follows all
the same location rules as `clouds.yaml`. It can contain anything you put
in `clouds.yaml` and will take precedence over anything in the `clouds.yaml`
file.

.. code-block:: yaml

  # clouds.yaml
  clouds:
    internap:
      profile: internap
      auth:
        username: api-55f9a00fb2619
        project_name: inap-17037
      regions:
      - ams01
      - nyj01
  # secure.yaml
  clouds:
    internap:
      auth:
        password: XXXXXXXXXXXXXXXXX

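The precedence rule above, and a check that secrets really did move out of `clouds.yaml`, as an added example that is not part of os-client-config. The `overlay` and `secrets_in_public_file` helpers, the `SECRET_KEYS` set and the `legacy` cloud are assumptions made for illustration; the dicts stand in for what `yaml.safe_load()` would return for each file.

```python
# Added example (not os-client-config code): overlay secure.yaml on clouds.yaml
# and flag secrets that were left behind in the non-secret file.
import copy

# Assumption: auth keys treated as secret here; extend for the plugins you use.
SECRET_KEYS = {"password", "token", "application_credential_secret"}


def overlay(base, override):
    """Recursively merge `override` onto `base`; `override` wins on conflict."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = overlay(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def secrets_in_public_file(clouds_cfg):
    """Return sorted 'cloud.auth.key' paths for secret keys found in a config."""
    findings = []
    for name, cloud in (clouds_cfg.get("clouds") or {}).items():
        for key in (cloud.get("auth") or {}):
            if key in SECRET_KEYS:
                findings.append(f"{name}.auth.{key}")
    return sorted(findings)


# Constructed sample data mirroring the two files shown above, plus a
# hypothetical `legacy` cloud that still keeps its password in clouds.yaml.
CLOUDS_YAML = {"clouds": {
    "internap": {"profile": "internap",
                 "auth": {"username": "api-55f9a00fb2619",
                          "project_name": "inap-17037"},
                 "regions": ["ams01", "nyj01"]},
    "legacy": {"auth": {"username": "demo",
                        "password": "CONSTRUCTED-PLACEHOLDER"}},
}}
SECURE_YAML = {"clouds": {
    "internap": {"auth": {"password": "CONSTRUCTED-PLACEHOLDER"}},
}}

if __name__ == "__main__":
    effective = overlay(CLOUDS_YAML, SECURE_YAML)
    print("internap auth keys:", sorted(effective["clouds"]["internap"]["auth"]))
    print("secrets still in clouds.yaml:", secrets_in_public_file(CLOUDS_YAML))
```

Running `secrets_in_public_file` against `clouds.yaml` in CI or a pre-commit hook keeps credentials out of the file that is more likely to be committed or shared.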
SSL Settings
------------

When a cloud is accessed over a secure connection, `os-client-config`
will always verify the SSL cert by default. This can be disabled by setting
`verify` to `False`. In case the cert is signed by an unknown CA, a specific
cacert can be provided via `cacert`. **WARNING:** `verify` will always have
precedence over `cacert`, so when setting a CA cert but disabling `verify`, the
cloud cert will never be validated.

Client certs are also configurable. `cert` will be the client cert file
location. In case the cert key is not included within the client cert file,
its file location needs to be set via `key`.

.. code-block:: yaml

  # clouds.yaml
  clouds:
    secure:
      auth: ...
      key: /home/myhome/client-cert.key
      cert: /home/myhome/client-cert.crt
      cacert: /home/myhome/ca.crt
    insecure:
      auth: ...
      verify: False

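A configuration audit for the warning above, as an added example that is not part of os-client-config: it reports clouds whose server certificate will not be validated, including the case where `cacert` is present but ignored. The `effective_tls` and `audit` helpers and the `misleading` cloud are assumptions made for illustration; the dict stands in for a parsed `clouds.yaml`.

```python
# Added example (not os-client-config code): report the effective TLS posture
# of each cloud entry, following the precedence rule documented above.


def effective_tls(cloud):
    """Return the validation posture of one cloud entry as a dict."""
    verify = cloud.get("verify", True)   # documented default: always verify
    cacert = cloud.get("cacert")
    notes = []
    if not verify:
        # `verify` has precedence over `cacert`: nothing is validated.
        if cacert:
            notes.append("cacert is set but ignored because verify is disabled")
        return {"validated": False, "trust": None, "notes": notes}
    if cloud.get("key") and not cloud.get("cert"):
        notes.append("key is set without cert")
    return {"validated": True,
            "trust": cacert or "default CA bundle",
            "notes": notes}


def audit(config):
    """Return {cloud_name: posture} for every cloud that needs attention."""
    findings = {}
    for name, cloud in (config.get("clouds") or {}).items():
        posture = effective_tls(cloud)
        if not posture["validated"] or posture["notes"]:
            findings[name] = posture
    return findings


# Constructed sample mirroring the YAML above, plus a hypothetical
# `misleading` cloud that sets a CA cert while disabling verification.
SAMPLE = {"clouds": {
    "secure": {"key": "/home/myhome/client-cert.key",
               "cert": "/home/myhome/client-cert.crt",
               "cacert": "/home/myhome/ca.crt"},
    "insecure": {"verify": False},
    "misleading": {"verify": False, "cacert": "/home/myhome/ca.crt"},
}}

if __name__ == "__main__":
    for name, posture in sorted(audit(SAMPLE).items()):
        print(name, posture)
```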
Cache Settings
--------------

Accessing a cloud is often expensive, so it's quite common to want to do some
client-side caching of those operations. To facilitate that, `os-client-config`
understands passing through cache settings to dogpile.cache, with the following
behaviors:

* Listing no config settings means you get a null cache.
* `cache.expiration_time` and nothing else gets you memory cache.
* Otherwise, `cache.class` and `cache.arguments` are passed in.

Different cloud behaviors are also differently expensive to deal with. If you
want to get really crazy and tweak stuff, you can specify different expiration
times on a per-resource basis by passing values, in seconds, to an expiration
mapping keyed on the singular name of the resource. A value of `-1` indicates
that the resource should never expire.

`os-client-config` does not actually cache anything itself, but it collects
and presents the cache information so that your various applications that
are connecting to OpenStack can share a cache should you desire.

.. code-block:: yaml

  cache:
    class: dogpile.cache.pylibmc
    expiration_time: 3600
    arguments:
      url:
        - 127.0.0.1
    expiration:
      server: 5
      flavor: -1
  clouds:
    mtvexx:
      profile: vexxhost
      auth:
        username: mordred@inaugust.com
        password: XXXXXXXXX
        project_name: mordred@inaugust.com
      region_name: ca-ymq-1
      dns_api_version: 1


IPv6
----

IPv6 is the future, and you should always use it if your cloud supports it and
if your local network supports it. Both of those are easily detectable and all
friendly software should do the right thing. However, sometimes you might
exist in a location where you have an IPv6 stack, but something evil has
caused it to not actually function. In that case, there is a config option
you can set to unbreak things: `force_ipv4`, or the `OS_FORCE_IPV4` boolean
environment variable.

.. code-block:: yaml

  client:
    force_ipv4: true
  clouds:
    mtvexx:
      profile: vexxhost
      auth:
        username: mordred@inaugust.com
        password: XXXXXXXXX
        project_name: mordred@inaugust.com
      region_name: ca-ymq-1
      dns_api_version: 1
    monty:
      profile: rax
      auth:
        username: mordred@inaugust.com
        password: XXXXXXXXX
        project_name: mordred@inaugust.com
      region_name: DFW

The above snippet will tell client programs to prefer returning an IPv4
address.

Per-region settings
-------------------

Sometimes you have a cloud provider that has config that is common to the
cloud, but also with some things you might want to express on a per-region
basis. For instance, Internap provides a public and private network specific
to the user in each region, and putting the values of those networks into
config can make consuming programs more efficient.

To support this, the region list can actually be a list of dicts, and any
setting that can be set at the cloud level can be overridden for that
region.

.. code-block:: yaml

  clouds:
    internap:
      profile: internap
      auth:
        password: XXXXXXXXXXXXXXXXX
        username: api-55f9a00fb2619
        project_name: inap-17037
      regions:
      - name: ams01
        values:
          networks:
          - name: inap-17037-WAN1654
            routes_externally: true
          - name: inap-17037-LAN6745
      - name: nyj01
        values:
          networks:
          - name: inap-17037-WAN1654
            routes_externally: true
          - name: inap-17037-LAN6745