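#!/bin/sh
#
#
# OpenStack Key Management API Service (barbican-api)
#
# Description:  Manages an OpenStack Key Management API Service as an HA resource
#
# Authors: Alex Kozyrev
#
# Support: openstack@lists.launchpad.net
# License: Apache Software License (ASL) 2.0
#
# Copyright (c) 2018 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
#
# See usage() function below for more details ...
#
# OCF instance parameters:
#   OCF_RESKEY_binary
#   OCF_RESKEY_config
#   OCF_RESKEY_user
#   OCF_RESKEY_pid
#   OCF_RESKEY_monitor_binary
#   OCF_RESKEY_server_port
#   OCF_RESKEY_additional_parameters
#######################################################################
# Initialization:

: "${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}"
. "${OCF_FUNCTIONS_DIR}/ocf-shellfuncs"

#######################################################################

# Fill in some defaults if no values are specified

# NOTE(review): OCF_RESKEY_binary is defaulted here but not referenced anywhere
# else in this script; the gunicorn command line in barbican_api_start uses
# hard-coded paths instead.
OCF_RESKEY_binary_default="/etc/barbican/gunicorn-config.py"
OCF_RESKEY_config_default="/etc/barbican/barbican.conf"
OCF_RESKEY_user_default="root"
OCF_RESKEY_pid_default="/run/barbican/pid"
OCF_RESKEY_server_port_default="9311"

: "${OCF_RESKEY_binary=${OCF_RESKEY_binary_default}}"
: "${OCF_RESKEY_config=${OCF_RESKEY_config_default}}"
: "${OCF_RESKEY_user=${OCF_RESKEY_user_default}}"
: "${OCF_RESKEY_pid=${OCF_RESKEY_pid_default}}"
: "${OCF_RESKEY_server_port=${OCF_RESKEY_server_port_default}}"

#######################################################################

# NOTE(review): in the copy of this file under review the body of usage() and
# the XML markup of meta_data() had been stripped, leaving only the description
# text. Both are reconstructed below: the usage line from the actions dispatched
# at the bottom of the script, the meta-data from the surviving text and the
# defaults above. The <actions> section (names and timeouts) and the original
# parameter attributes were not recoverable and must be restored from the
# upstream file before this agent is deployed.

# Print a one-line summary of the supported actions (reconstructed text).
usage() {
    cat <<UEND
usage: $0 {start|stop|status|monitor|validate-all|meta-data|usage|help}
UEND
}

# Print the OCF resource-agent meta-data (markup reconstructed, see note above).
meta_data() {
    cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="barbican-api">
<version>1.0</version>

<longdesc lang="en">
Resource agent for the OpenStack Key Management API Service (barbican-api)
May Manage a barbican-api instance or a clone set that
creates a distributed barbican-api cluster.
</longdesc>
<shortdesc lang="en">Manages the OpenStack Key Management API Service (barbican-api)</shortdesc>
<parameters>

<parameter name="binary">
<longdesc lang="en">
Location of the OpenStack Key Management API server binary (barbican-api)
</longdesc>
<shortdesc lang="en">OpenStack Key Management API server binary (barbican-api)</shortdesc>
<content type="string" default="${OCF_RESKEY_binary_default}" />
</parameter>

<parameter name="config">
<longdesc lang="en">
Location of the OpenStack Key Management API Service (barbican-api) configuration file
</longdesc>
<shortdesc lang="en">OpenStack Key Management API (barbican-api) config file</shortdesc>
<content type="string" default="${OCF_RESKEY_config_default}" />
</parameter>

<parameter name="user">
<longdesc lang="en">
User running OpenStack Key Management API Service (barbican-api)
</longdesc>
<shortdesc lang="en">OpenStack Key Management API Service (barbican-api) user</shortdesc>
<content type="string" default="${OCF_RESKEY_user_default}" />
</parameter>

<parameter name="pid">
<longdesc lang="en">
The pid file to use for this OpenStack Key Management API Service (barbican-api) instance
</longdesc>
<shortdesc lang="en">OpenStack Key Management API Service (barbican-api) pid file</shortdesc>
<content type="string" default="${OCF_RESKEY_pid_default}" />
</parameter>

<parameter name="server_port">
<longdesc lang="en">
The listening port number of the barbican-api server.
</longdesc>
<shortdesc lang="en">barbican-api listening port</shortdesc>
<content type="string" default="${OCF_RESKEY_server_port_default}" />
</parameter>

</parameters>
</resource-agent>
END
}

#######################################################################
# Functions invoked by resource Manager actions

# Validate the configured listening port; exits with OCF_ERR_CONFIGURED when
# the value is not acceptable.
# Arguments: $1 - port value to check
barbican_api_check_port() {
    # This function has been taken from the squid RA and improved a bit
    # The length of the integer must be 4
    # Examples of valid port: "1080", "0080"
    # Examples of invalid port: "1080bad", "0", "0000", ""
    #
    # Only four plain digits are accepted: the value is later placed inside a
    # grep pattern by barbican_api_monitor, so the ':' and ',' separators the
    # squid pattern allowed are rejected here, and "0000" is refused to match
    # the examples above.
    local int

    int="$1"

    if ! printf '%s\n' "$int" | grep -Eqx '[0-9]{4}' || [ "$int" -eq 0 ]; then
        ocf_log err "Invalid port number: $1"
        exit $OCF_ERR_CONFIGURED
    fi
}

# Check the environment the agent needs: netstat, a sane port, the config file
# and the configured user account.
# Returns: 0 on success, OCF_ERR_INSTALLED when the config file (outside a
#          probe) or the user is missing.
barbican_api_validate() {
    local rc

    check_binary netstat
    barbican_api_check_port "$OCF_RESKEY_server_port"

    # A config file on shared storage that is not available
    # during probes is OK.
    if [ ! -f "$OCF_RESKEY_config" ]; then
        if ! ocf_is_probe; then
            ocf_log err "Config $OCF_RESKEY_config doesn't exist"
            return $OCF_ERR_INSTALLED
        fi
        # NOTE(review): ocf_log_warn is not defined in this file; confirm the
        # sourced ocf-shellfuncs provides it.
        ocf_log_warn "Config $OCF_RESKEY_config not available during a probe"
    fi

    getent passwd "$OCF_RESKEY_user" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        ocf_log err "User $OCF_RESKEY_user doesn't exist"
        return $OCF_ERR_INSTALLED
    fi

    true
}

# Print the PID stored in the PID file, but only if it is a plain positive
# integer. barbican_api_start hands the PID file's directory to the barbican
# account, while this agent (typically running as root) sends signals to
# whatever number the file contains, so anything that is not a simple process
# id is refused rather than passed to kill.
# Returns: 0 and the PID on stdout, 1 when the file is missing or malformed.
barbican_api_read_pid() {
    local pid

    [ -f "$OCF_RESKEY_pid" ] || return 1
    pid=$(cat "$OCF_RESKEY_pid" 2>/dev/null) || return 1

    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # 0 is not a real process id; kill would treat it as "my process group".
    [ "$pid" -gt 0 ] 2>/dev/null || return 1

    printf '%s\n' "$pid"
}

# Report whether the process recorded in the PID file is alive.
# Returns: OCF_SUCCESS when it answers signal 0, otherwise OCF_NOT_RUNNING
#          (a stale or malformed PID file is removed).
barbican_api_status() {
    local pid
    local rc

    if [ ! -f "$OCF_RESKEY_pid" ]; then
        ocf_log info "OpenStack Key Management API (barbican-api) is not running"
        return $OCF_NOT_RUNNING
    fi

    if pid=$(barbican_api_read_pid); then
        ocf_run -warn kill -s 0 "$pid"
        rc=$?
    else
        ocf_log warn "Ignoring PID file $OCF_RESKEY_pid: content is not a valid PID"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        return $OCF_SUCCESS
    else
        ocf_log info "Old PID file found, but OpenStack Key Management API (barbican-api) is not running"
        rm -f -- "$OCF_RESKEY_pid"
        return $OCF_NOT_RUNNING
    fi
}

# Health check: the process must be alive and a socket must be listening on
# the configured server port.
# Returns: OCF_SUCCESS, or the status / OCF_NOT_RUNNING on failure.
barbican_api_monitor() {
    local rc
    local rc_db

    barbican_api_status
    rc=$?

    # If status returned anything but success, return that immediately
    if [ "$rc" -ne "$OCF_SUCCESS" ]; then
        return "$rc"
    fi

    # Check the server is listening on the server port.
    # The port comes from OCF_RESKEY_server_port (the parameter this agent
    # defines and validates). An unset variable here would leave the pattern
    # empty, and an empty grep pattern matches every line, so the monitor would
    # pass whenever any socket on the host is listening. The pattern is anchored
    # to the address separator and trailing whitespace so that a longer port
    # number containing the same digits does not satisfy the check.
    netstat -an \
        | grep -E "[:.]${OCF_RESKEY_server_port}[[:space:]]" \
        | grep -qs "LISTEN"
    rc_db=$?
    if [ "$rc_db" -ne 0 ]; then
        ocf_log err "barbican-api is not listening on $OCF_RESKEY_server_port: $rc_db"
        return $OCF_NOT_RUNNING
    fi

    ocf_log debug "OpenStack Key Management API (barbican-api) monitor succeeded"
    return $OCF_SUCCESS
}

# Start gunicorn for barbican-api and wait until the monitor succeeds.
# Returns: OCF_SUCCESS; exits with OCF_ERR_GENERIC if the monitor reports an
#          error other than "not running" while waiting.
barbican_api_start() {
    local rc

    barbican_api_status
    rc=$?
    if [ "$rc" -eq "$OCF_SUCCESS" ]; then
        ocf_log info "OpenStack Key Management API (barbican-api) already running"
        return $OCF_SUCCESS
    fi

    # run the actual barbican-api daemon. Don't use ocf_run as we're sending the tool's output
    # straight to /dev/null anyway and using ocf_run would break stdout-redirection here.
    #
    # NOTE(review): line breaks were lost in the reviewed copy, so the statement
    # boundaries below are a best reading. As a stand-alone command this `su`
    # does not appear to change the account the following commands run under,
    # which would leave gunicorn running as the agent's own user regardless of
    # OCF_RESKEY_user. For a key-management service, confirm which account the
    # daemon is meant to run as and whether it drops privileges itself. The
    # runtime directory owner and the gunicorn/paste config paths are hard-coded
    # rather than taken from the OCF parameters.
    su "${OCF_RESKEY_user}"
    mkdir -p /run/barbican
    chown barbican:barbican /run/barbican
    /bin/python /usr/bin/gunicorn --pid "$OCF_RESKEY_pid" --config /etc/barbican/gunicorn-config.py \
        --paste /etc/barbican/barbican-api-paste.ini >> /var/log/barbican/barbican-api.log 2>&1 &

    # Spin waiting for the server to come up.
    # There is no local deadline; the loop relies on the cluster manager's
    # operation timeout to interrupt a start that never succeeds.
    while true; do
        barbican_api_monitor
        rc=$?
        [ "$rc" -eq "$OCF_SUCCESS" ] && break
        if [ "$rc" -ne "$OCF_NOT_RUNNING" ]; then
            ocf_log err "OpenStack Key Management API (barbican-api) start failed"
            exit $OCF_ERR_GENERIC
        fi
        sleep 1
    done

    ocf_log info "OpenStack Key Management API (barbican-api) started"
    return $OCF_SUCCESS
}

# Last-resort cleanup: SIGKILL any gunicorn master still matching barbican-api.
barbican_api_confirm_stop() {
    local my_processes

    my_processes=$(pgrep -l -f "gunicorn.*master.*barbican-api")

    if [ -n "${my_processes}" ]; then
        ocf_log info "About to SIGKILL the following: ${my_processes}"
        pkill -KILL -f "gunicorn.*master.*barbican-api"
    fi
}

# Stop the service: SIGTERM, wait up to the shutdown timeout, then SIGKILL.
# Returns: OCF_SUCCESS; exits with OCF_ERR_GENERIC if SIGTERM cannot be sent.
barbican_api_stop() {
    local rc
    local pid
    local shutdown_timeout
    local count

    barbican_api_status
    rc=$?
    if [ "$rc" -eq "$OCF_NOT_RUNNING" ]; then
        ocf_log info "OpenStack Key Management API (barbican-api) already stopped"
        barbican_api_confirm_stop
        return $OCF_SUCCESS
    fi

    # Try SIGTERM. The PID is re-read through the validating helper so that a
    # file changed since the status check cannot feed kill a non-PID value.
    pid=$(barbican_api_read_pid) && ocf_run kill -s TERM "$pid"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        ocf_log err "OpenStack Key Management API (barbican-api) couldn't be stopped"
        barbican_api_confirm_stop
        exit $OCF_ERR_GENERIC
    fi

    # stop waiting
    shutdown_timeout=15
    if [ -n "$OCF_RESKEY_CRM_meta_timeout" ]; then
        # Leave 5 seconds of the cluster manager's timeout for the SIGKILL path.
        shutdown_timeout=$(( ($OCF_RESKEY_CRM_meta_timeout / 1000) - 5 ))
    fi
    count=0
    while [ "$count" -lt "$shutdown_timeout" ]; do
        barbican_api_status
        rc=$?
        if [ "$rc" -eq "$OCF_NOT_RUNNING" ]; then
            break
        fi
        count=$((count + 1))
        sleep 1
        ocf_log debug "OpenStack Key Management API (barbican-api) still hasn't stopped yet. Waiting ..."
    done

    barbican_api_status
    rc=$?
    if [ "$rc" -ne "$OCF_NOT_RUNNING" ]; then
        # SIGTERM didn't help either, try SIGKILL
        ocf_log info "OpenStack Key Management API (barbican-api) failed to stop after ${shutdown_timeout}s using SIGTERM. Trying SIGKILL ..."
        ocf_run kill -s KILL "$pid"
    fi
    barbican_api_confirm_stop

    ocf_log info "OpenStack Key Management API (barbican-api) stopped"

    rm -f -- "$OCF_RESKEY_pid"

    return $OCF_SUCCESS
}

#######################################################################

case "$1" in
    meta-data)
        meta_data
        exit $OCF_SUCCESS
        ;;
    usage|help)
        usage
        exit $OCF_SUCCESS
        ;;
esac

# Anything except meta-data and help must pass validation
barbican_api_validate || exit $?

# What kind of method was invoked?
case "$1" in
    start)
        barbican_api_start
        ;;
    stop)
        barbican_api_stop
        ;;
    status)
        barbican_api_status
        ;;
    monitor)
        barbican_api_monitor
        ;;
    validate-all)
        ;;
    *)
        usage
        exit $OCF_ERR_UNIMPLEMENTED
        ;;
esac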