#!/bin/bash

# go in a directory everybody can access
# (postgresql commands usually have a 'could not change to "$PWD"' error
# message if the postgres user cannot have access to $PWD...)
cd /

. /etc/openstackquickstartrc

. /usr/lib/openstack-quickstart/functions.sh

echo "Setting up OpenStack demo controller..."

grep -q bash.openstackrc /etc/bash.bashrc.local ||\
echo "export HOST_IP=$IP
. /etc/bash.openstackrc
setcreds admin $pw" >> /etc/bash.bashrc.local

install_packages patterns-OpenStack-controller patterns-OpenStack-clients patterns-OpenStack-network-node crudini psmisc

if [ "x$node_is_compute" = "xyes" ]; then
    install_packages patterns-OpenStack-compute-node
fi

if [ "x$with_tempest" = "xyes" ]; then
    install_packages openstack-ec2-api-s3 openstack-neutron-lbaas-agent \
        openstack-neutron-vpn-agent openstack-neutron-fwaas \
        openstack-tempest-test
    if [ "x$with_manila" = "xyes" ]; then
        install_packages  openstack-manila-test
    fi
fi

if [ "x$with_manila" = "xyes" ]; then
    install_packages openstack-manila openstack-manila-api \
                     openstack-manila-scheduler openstack-manila-share \
                     openstack-manila-data python-manila python-manilaclient
fi

if [ "x$with_magnum" = "xyes" ]; then
    install_packages openstack-magnum openstack-magnum-api \
                     openstack-magnum-conductor python-magnum \
                     python-magnumclient
fi

if [ "x$with_barbican" = "xyes" ]; then
    install_packages openstack-barbican openstack-barbican-api\
		     openstack-barbican-keystone-listener \
		     openstack-barbican-worker openstack-barbican-retry \
		     python-barbican python-barbicanclient
fi

if [ "$DB" = "postgresql" ] ; then
    if grep -q "SUSE Linux Enterprise Server 11" /etc/SuSE-release; then
        install_packages postgresql91-server python-psycopg2
    else
        install_packages postgresql-server python-psycopg2
    fi
fi

# configure NTP, because we need synchronized time between nodes
grep -q ntp.org /etc/ntp.conf || echo server pool.ntp.org >> /etc/ntp.conf

# configure tgt for cinder
if [ -f /etc/tgt/targets.conf ]; then
    grep -q "include /var/lib/cinder/volumes" /etc/tgt/targets.conf || {
        echo "include /var/lib/cinder/volumes/*" >> /etc/tgt/targets.conf
        start_and_enable_service tgtd
    }
fi

# Set up the database
if [ "$DB" = "postgresql" ] ; then
    DATADIR=/var/lib/pgsql/data
    # No database exists? Start and Stop to create the initial files
    if  [ ! -f $DATADIR/PG_VERSION ]; then
        start_and_enable_service $DB
        stop_and_disable_service $DB
    fi

    # increase max connections for multinode setup (this needs a restart)
    sed -i "s/^max_connections =.*/max_connections=1000/g" $DATADIR/postgresql.conf

    if ! grep -q ::/0 $DATADIR/pg_hba.conf ; then
        sed -i "s/^\(host .*\) ident\(.*\)/\1 md5 \2/" "$DATADIR/pg_hba.conf"
        sed -i "s/^\(local \)/local horizon all md5 sameuser\n\1/" "$DATADIR/pg_hba.conf"
        # allow remote connections:
        echo "listen_addresses = '*'" >> $DATADIR/postgresql.conf
        echo "host all all 0.0.0.0/0 md5  sameuser" >> $DATADIR/pg_hba.conf
        echo "host all all      ::/0 md5  sameuser" >> $DATADIR/pg_hba.conf
        if ! rpm -q postgresql | grep -q postgresql-8 ; then
            sed -i 's/\s*sameuser$//' $DATADIR/pg_hba.conf # adapt config syntax to postgresql-9
        fi
    fi
else
    echo | mysql -u root || pwquery=-p
    for DBNAME in nova cinder keystone glance horizon neutron manila barbican ; do
        echo "
        set global character_set_server=latin1;
        set session character_set_server=latin1;
        CREATE DATABASE IF NOT EXISTS $DBNAME;
        GRANT ALL PRIVILEGES ON $DBNAME.* TO '$DBNAME'@localhost IDENTIFIED BY '$mpw';
        GRANT ALL PRIVILEGES ON $DBNAME.* TO '$DBNAME'@'%' IDENTIFIED BY '$mpw';
        " | mysql -u root $pwquery
    done
fi


# start some initial services
for s in ntp ntpd $DB tgtd memcached
do
    start_and_enable_service $s
done

start_and_enable_service iscsid


# Set up the database
if [ "$DB" = "postgresql" ] ; then
    sudo -u postgres dropdb keystone || true # needed for keystone_data.sh
    for DBNAME in nova nova_api cinder keystone glance horizon heat neutron \
                       manila magnum barbican ; do
        # use ALTER if CREATE fails: the role probably already exists
        # in that case
        sudo -u postgres psql -c "CREATE ROLE $DBNAME PASSWORD '$mpw' LOGIN;" || \
        sudo -u postgres psql -c "ALTER ROLE $DBNAME PASSWORD '$mpw' LOGIN;"
        sudo -u postgres createdb -O $DBNAME $DBNAME || true
    done
    sudo -u postgres createuser -s root || :
fi

if [ "x$node_is_compute" = "xyes" ]; then
    setup_node_for_nova_compute
fi

# modprobe for snapshot support
modprobe dm_snapshot || :

disable_firewall_and_enable_forwarding

set -e

#-----------------------------------------
# setup OpenStack Dashboard (optional)
#-----------------------------------------


if [ "x$with_horizon" = "xyes" ]; then
    # configure dashboard/apache sample configuration from the package:
    install -m 644 /etc/apache2/conf.d/openstack-dashboard.conf{.sample,}
    a2enmod rewrite
    a2enmod ssl
    a2enmod wsgi
    a2enmod socache_shmcb
    a2enmod deflate

    DASHBOARD_LOCAL_SET=/srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py

    if ! grep -q "django.core.cache.backends.memcached.MemcachedCache" $DASHBOARD_LOCAL_SET ; then
        cat - >> $DASHBOARD_LOCAL_SET <<EOF
CACHES = {
    'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache'
    'LOCATION': '127.0.0.1:11211',
}
EOF
    fi

    if ! grep -q "^SESSION_ENGINE =" $DASHBOARD_LOCAL_SET ; then
        cat - >> $DASHBOARD_LOCAL_SET <<EOF
SESSION_ENGINE = "django.contrib.sessions.backends.cached_db"
EOF
    fi

    if [ "$DB" = "postgresql" ] ; then
    cat >> $DASHBOARD_LOCAL_SET <<EODASHDB
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'HOST': '$IP',
        'NAME': 'horizon',
        'USER': 'horizon',
        'PASSWORD': '$mpw',
    }
}
EODASHDB
    fi

    sed -i -e "s/^DEBUG =.*/DEBUG = False/" $DASHBOARD_LOCAL_SET
    sed -i -e "s/^OPENSTACK_HOST = .*/OPENSTACK_HOST = \"$IP\"/" $DASHBOARD_LOCAL_SET

    if grep -q "^USE_SSL =" $DASHBOARD_LOCAL_SET; then
        sed -i -e "s/^USE_SSL =.*/USE_SSL = False/" $DASHBOARD_LOCAL_SET
    else
        echo "USE_SSL = False" >> $DASHBOARD_LOCAL_SET
    fi

    if grep -q "^ALLOWED_HOSTS =" $DASHBOARD_LOCAL_SET; then
        sed -i -e "s/^ALLOWED_HOSTS =.*/ALLOWED_HOSTS = ['*']/" $DASHBOARD_LOCAL_SET
    else
        echo "ALLOWED_HOSTS = ['*', ]" >> $DASHBOARD_LOCAL_SET
    fi

    # Use 'secure' session and CSRF cookies (bnc#753582):
    cat >> $DASHBOARD_LOCAL_SET <<EOSEC
# Use 'secure' cookies when we use SSL, see https://docs.djangoproject.com/en/1.4/topics/security/:
SESSION_COOKIE_SECURE = CSRF_COOKIE_SECURE = USE_SSL
EOSEC
    # sync dashboard DB "after" the database is created
    run_as wwwrun "cd /srv/www/openstack-dashboard; umask 0027; python -m 'manage' syncdb --noinput"

    start_and_enable_service apache2
fi

#-----------------------------------------
# setup keystone client endpoint configuration
#-----------------------------------------

setup_keystone_authtoken /etc/glance/glance-api.conf glance
setup_keystone_authtoken /etc/glance/glance-registry.conf glance
setup_keystone_authtoken /etc/neutron/neutron.conf neutron
setup_keystone_authtoken /etc/neutron/neutron.conf nova nova
setup_keystone_authtoken /etc/cinder/cinder.conf cinder
setup_keystone_authtoken /etc/heat/heat.conf heat
setup_keystone_authtoken /etc/nova/nova.conf nova
setup_keystone_authtoken /etc/nova/nova.conf neutron neutron

if [ "x$with_manila" = "xyes" ]; then
    setup_keystone_authtoken /etc/manila/manila.conf manila
    setup_keystone_authtoken /etc/manila/manila.conf neutron neutron
    setup_keystone_authtoken /etc/manila/manila.conf nova nova
    setup_keystone_authtoken /etc/manila/manila.conf cinder cinder
fi

if [ "x$with_magnum" = "xyes" ]; then
    setup_keystone_authtoken /etc/magnum/magnum.conf magnum
    setup_keystone_authtoken /etc/magnum/magnum.conf magnum keystone_auth
fi

if [ "x$with_barbican" = "xyes" ]; then
    setup_keystone_authtoken /etc/barbican/barbican.conf barbican
    crudini --set /etc/barbican/barbican.conf keystone_authtoken auth_version 'v3.0'
fi

#-----------------------------------------
## setup glance configuration
#-----------------------------------------

crudini --set /etc/glance/glance-api.conf DEFAULT workers "1"
crudini --set /etc/glance/glance-api.conf database connection "$DB://nova:$mpw@$IP/glance"
crudini --set /etc/glance/glance-registry.conf DEFAULT workers "1"
crudini --set /etc/glance/glance-registry.conf database connection "$DB://nova:$mpw@$IP/glance"

#-----------------------------------------
## setup nova configuration
#-----------------------------------------

FIXED_KEY=""
for i in $(seq 1 64); do
    FIXED_KEY+=$(printf "%x\n" $(($RANDOM % 16)))
done

crudini --set /etc/nova/nova.conf database connection "$DB://nova:$mpw@$IP/nova"
crudini --set /etc/nova/nova.conf api_database connection "$DB://nova_api:$mpw@$IP/nova_api"
crudini --set /etc/nova/nova.conf glance host $IP
crudini --set /etc/nova/nova.conf glance api_servers "http://$IP:9292"
crudini --set /etc/nova/nova.conf DEFAULT novncproxy_base_url "http://$IP:6080/vnc_auto.html"
crudini --set /etc/nova/nova.conf DEFAULT default_floating_pool ext
crudini --set /etc/nova/nova.conf DEFAULT my_ip "$IP"
crudini --set /etc/nova/nova.conf DEFAULT osapi_compute_workers "1"
crudini --set /etc/nova/nova.conf DEFAULT ec2_workers "1"
crudini --set /etc/nova/nova.conf DEFAULT metadata_workers "1"
crudini --set /etc/nova/nova.conf conductor workers "1"

metadata_secret=$(echo $ADMIN_PASSWORD | md5sum | cut -d" " -f1)
crudini --set /etc/nova/nova.conf neutron service_metadata_proxy True
crudini --set /etc/nova/nova.conf neutron metadata_proxy_shared_secret $metadata_secret
crudini --set /etc/nova/nova.conf keymgr fixed_key "$FIXED_KEY"

setup_nova_compute

extensions_path=$(ls -d /usr/lib*/python*/site-packages/extensions 2> /dev/null | head -n 1)
if [ -n "$extensions_path" ]; then
    crudini --set /etc/nova/nova.conf DEFAULT osapi_extensions_path "$extensions_path"
fi

# configure cinder
crudini --set /etc/cinder/cinder.conf DEFAULT my_ip "$IP"
crudini --set /etc/cinder/cinder.conf DEFAULT osapi_volume_workers "1"
crudini --set /etc/cinder/cinder.conf database connection "$DB://cinder:${mpw}@${IP}/cinder"
crudini --set /etc/cinder/cinder.conf keymgr fixed_key "$FIXED_KEY"

if [ "x$with_tempest" = "xyes" ]; then
    crudini --set /etc/cinder/cinder.conf DEFAULT volume_clear none
    crudini --set /etc/cinder/cinder.conf DEFAULT lvm_type thin
fi


service_list="cinder heat nova glance neutron"
if [ "x$with_manila" = "xyes" ]; then
    service_list+=" manila"
fi
if [ "x$with_magnum" = "xyes" ]; then
    service_list+=" magnum"
fi
if [ "x$with_barbican" = "xyes" ]; then
    service_list+=" barbican"
fi
for m in $service_list; do
    sed -i -e 's/%SERVICE_TENANT_NAME%/service/' \
           -e "s/%SERVICE_PASSWORD%/$ADMIN_PASSWORD/" \
               /etc/$m/*.ini /etc/$m/$m*.conf
done


# configure keystone
crudini --set /etc/keystone/keystone.conf database connection $DB://keystone:$mpw@$IP/keystone
crudini --set /etc/keystone/keystone.conf DEFAULT admin_token "$SERVICE_TOKEN"
crudini --set /etc/keystone/keystone.conf DEFAULT public_workers 2
crudini --set /etc/keystone/keystone.conf DEFAULT admin_workers 2

/etc/init.d/openstack-keystone restart

sleep 5

keystone_data=/usr/lib/devstack/keystone_data.sh
ENABLED_SERVICES="g-api,g-reg,key,n-api,n-cpu,n-net,n-vol,c-api,n-sch,n-novnc,n-xvnc,q-svc,heat,m-api,mysql,rabbit"
if [ "x$with_horizon" = "xyes" ]; then
    ENABLED_SERVICES+=",horizon"
fi
if [ "x$with_tempest" = "xyes" ]; then
    ENABLED_SERVICES+=",tempest"
fi
if [ "x$with_magnum" = "xyes" ]; then
    ENABLED_SERVICES+=",magnum-api,magnum-cond"
fi
if [ "x$with_barbican" = "xyes" ]; then
    ENABLED_SERVICES+=",barbican-api,barbican-retry,barbican-keystone-listener,barbican-worker"
fi


SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT

ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_HOST=$SERVICE_HOST \
    SERVICE_ENDPOINT=$SERVICE_ENDPOINT DEVSTACK_DIR=/root \
    ENABLED_SERVICES=$ENABLED_SERVICES bash $keystone_data

. /etc/bash.bashrc.local

if which aa-complain >&/dev/null; then
    aa-complain /etc/apparmor.d/usr.sbin.libvirtd
fi
if [ -e /etc/init.d/boot.apparmor ]; then
    stop_and_disable_service boot.apparmor
fi

#-----------------------------------------
## setup neutron configuration
#-----------------------------------------

SERVICE_TENANT_ID=`get_service_tenant_id`
c=/etc/neutron/neutron.conf
crudini --set $c database connection $DB://neutron:$mpw@$IP/neutron
crudini --set $c DEFAULT allow_overlapping_ips true
crudini --set $c DEFAULT notify_nova_on_port_status_change true
crudini --set $c DEFAULT notify_nova_on_port_data_changes true

crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini linux_bridge physical_interface_mappings physnet1:$TENANT_ETH
crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini securitygroup firewall_driver neutron.agent.linux.iptables_firewall.IptablesFirewallDriver
crudini --set /etc/neutron/plugins/ml2/linuxbridge_agent.ini vxlan enable_vxlan False
crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 tenant_network_types vlan
crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2 type_drivers local,flat,vlan
crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini ml2_type_vlan network_vlan_ranges physnet1:$TENANT_VLAN_RANGE
crudini --set /etc/neutron/plugins/ml2/ml2_conf.ini securitygroup enable_ipset False
crudini --set /etc/neutron/dhcp_agent.ini DEFAULT use_namespaces true
crudini --set /etc/neutron/l3_agent.ini DEFAULT use_namespaces true
crudini --set /etc/neutron/metadata_agent.ini DEFAULT metadata_proxy_shared_secret $metadata_secret

if [ "x$with_tempest" = "xyes" ]; then
    crudini --set /etc/neutron/neutron.conf DEFAULT service_plugins "neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2, neutron.services.l3_router.l3_router_plugin.L3RouterPlugin, neutron.services.vpn.plugin.VPNDriverPlugin, neutron.services.metering.metering_plugin.MeteringPlugin, neutron.services.firewall.fwaas_plugin.FirewallPlugin"
    # configure Neutron Lbaas v2 service
    crudini --set /etc/neutron/neutron_lbaas.conf service_providers service_provider "LOADBALANCERV2:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default"
    crudini --set /etc/neutron/lbaas_agent.ini DEFAULT interface_driver neutron.agent.linux.interface.BridgeInterfaceDriver
fi

start_and_enable_service rabbitmq-server

sleep 2
if ! rabbitmqctl list_users|grep -q openstack; then
    rabbitmqctl add_user openstack $ADMIN_PASSWORD
    rabbitmqctl set_permissions openstack ".*" ".*" ".*"
fi

# Start Keystone and Neutron
for s in openstack-keystone \
    openstack-neutron openstack-neutron-linuxbridge-agent openstack-neutron-dhcp-agent \
    openstack-neutron-l3-agent openstack-neutron-metadata-agent
do
    start_and_enable_service $s
done

if [ "x$with_tempest" = "xyes" ]; then
    start_and_enable_service openstack-neutron-lbaasv2-agent
fi

### wait until neutron will start
cnt=0
while : ; do
    if [[ $cnt -gt 6 ]] ; then
        echo "Can't reach neutron server. Exiting !!!" >&2
        exit 1
    fi
    neutron net-list && break
    cnt=$(($cnt+1))
    sleep 2
done
### create subnets
## fixed
neutron net-create fixed --tenant-id $SERVICE_TENANT_ID --shared --provider:network_type vlan \
    --provider:segmentation_id $FIXED_VLAN  --provider:physical_network physnet1

neutron subnet-create --name fixed --dns-nameserver 8.8.8.8 --dns-nameserver 8.8.4.4 fixed $testnet
neutron router-create --tenant-id $SERVICE_TENANT_ID public
neutron router-interface-add public fixed

## floating/external
if [ x$FLOATING_VLAN != x ]; then
    neutron net-create ext --tenant-id $SERVICE_TENANT_ID --provider:network_type vlan \
        --router:external --provider:segmentation_id $FLOATING_VLAN --provider:physical_network physnet1
else
    neutron net-create ext --tenant-id $SERVICE_TENANT_ID --provider:network_type local --router:external
fi

if [ x$FLOATING_VLAN != x ]; then
    ext_network_id=$(neutron net-list | grep ' ext '  | cut -d' ' -f2)
    neutron subnet-create --name ext --disable-dhcp --tenant-id $SERVICE_TENANT_ID $floatingpool $floatinggateway ext $floatingnet
else
    ext_network_id=$(neutron net-list | grep ' ext '  | cut -d' ' -f2)
    neutron subnet-create --name ext --disable-dhcp --tenant-id $SERVICE_TENANT_ID ext $floatingnet
fi
neutron router-gateway-set public ext
# create four floatingip pools
for i in 1 2 3 4; do
neutron floatingip-create ext
done
### create routing configuration for external bridge
ext_bridge_name=`get_ext_bridge_name`
ext_bridge_ip=`get_ext_bridge_ip`/`get_ext_bridge_ip_prefix`
ext_bridge_cidr=`get_ext_bridge_cidr`

if [ x$FLOATING_VLAN = x ]; then
    setup_ext_bridge_on_boot $ext_bridge_name $ext_bridge_ip $ext_bridge_cidr
    systemctl restart wickedd
    ifup $ext_bridge_name
fi
#-----------------------------------------
## end neutron setup configuration
#---------------------------------------

# Start glance and nova
for s in openstack-glance-api openstack-glance-registry \
    openstack-nova-api openstack-nova-conductor openstack-nova-scheduler \
    openstack-nova-novncproxy openstack-nova-consoleauth
do
    start_and_enable_service $s
done

if [ "x$node_is_compute" = "xyes" ]; then
    start_and_enable_service openstack-nova-compute
fi

# migrate data directly
nova-manage db online_data_migrations

if [ "x$with_tempest" = "xyes" ]; then
    start_and_enable_service openstack-ec2-api-s3
fi

if [ "x$with_horizon" = "xyes" ]; then
    # Start nova related services
    start_and_enable_service openstack-nova-console
    start_and_enable_service openstack-nova-consoleauth
    start_and_enable_service openstack-nova-novncproxy
fi

#-----------------------------------------
## setup heat configuration
#-----------------------------------------

setup_messaging_client /etc/heat/heat.conf $IP $pw
crudini --set /etc/heat/heat.conf database connection $DB://heat:$mpw@$IP/heat
crudini --set /etc/heat/heat.conf DEFAULT deferred_auth_method trusts
crudini --set /etc/heat/heat.conf DEFAULT num_engine_workers "1"
crudini --set /etc/heat/heat.conf heat_api workers "1"
crudini --set /etc/heat/heat.conf clients_keystone auth_uri "http://$IP:35357/"
crudini --set /etc/heat/heat.conf trustee auth_plugin password
crudini --set /etc/heat/heat.conf trustee auth_url "http://$IP:35357/"


HEAT_DOMAIN_ID=$(openstack --os-token $SERVICE_TOKEN --os-url=$KEYSTONE_PUBLIC_ENDPOINT_V3 \
    --os-identity-api-version=3 domain create heat \
    --description "Owns users and projects created by heat" \
    | awk '/id/  { print $4 } ')

crudini --set /etc/heat/heat.conf DEFAULT stack_user_domain $HEAT_DOMAIN_ID

openstack --os-token $SERVICE_TOKEN --os-url=$KEYSTONE_PUBLIC_ENDPOINT_V3 \
    --os-identity-api-version=3 user create --password $ADMIN_PASSWORD \
    --domain $HEAT_DOMAIN_ID heat_domain_admin \
    --description "Manages users and projects created by heat"
openstack --os-token $SERVICE_TOKEN --os-url=$KEYSTONE_PUBLIC_ENDPOINT_V3 \
    --os-identity-api-version=3 role add \
    --user heat_domain_admin --domain ${HEAT_DOMAIN_ID} admin

crudini --set /etc/heat/heat.conf DEFAULT stack_domain_admin heat_domain_admin
crudini --set /etc/heat/heat.conf DEFAULT stack_domain_admin_password $ADMIN_PASSWORD

for s in openstack-heat-engine openstack-heat-api-cfn openstack-heat-api; do
    start_and_enable_service $s
done

#-----------------------------------------
## setup loopback LVM configuration
#-----------------------------------------

openstack_loopback_lvm=/usr/sbin/openstack-loopback-lvm
$openstack_loopback_lvm
if [ "$?" -ne "0" ]; then
    # setup failed, so do not use
    for s in api scheduler volume ; do
        insserv -r openstack-cinder-$s
    done
else
    grep -q openstack-loopback-lvm /etc/init.d/boot.local || echo $openstack_loopback_lvm >> /etc/init.d/boot.local
    chmod +x /etc/init.d/boot.local

    # SLE11 and other old distros need boot.lvm enabled
    if [ -z "$(type -p systemctl)" ]; then
        insserv boot.lvm
        /etc/init.d/boot.lvm start
    fi
    start_and_enable_service openstack-cinder-api
    sleep 1
    for s in scheduler volume ; do
        start_and_enable_service openstack-cinder-$s
    done
fi

setcreds admin $pw
for tenant in admin demo ; do
    nova --os-tenant-name $tenant secgroup-add-rule default icmp -1 -1 0.0.0.0/0 # to allow ping
    nova --os-tenant-name $tenant secgroup-add-rule default tcp 22 22 0.0.0.0/0 # to allow only SSH or do
    nova --os-tenant-name $tenant secgroup-add-rule default tcp 1 65535 0.0.0.0/0 # to allow all TCP
    nova --os-tenant-name $tenant secgroup-add-rule default udp 1 65535 0.0.0.0/0 # and all UDP
done

#-----------------------------------------
# setup OpenStack Manila
#-----------------------------------------
if [ "x$with_manila" = "xyes" ]; then
    # nfsserver is needed for the lvm driver
    install_packages nfs-kernel-server nfs-client nfs-utils
    start_and_enable_service nfsserver

    c="/etc/manila/manila.conf"
    setup_messaging_client $c $IP $pw
    crudini --set $c DEFAULT my_ip "$IP"
    crudini --set $c DEFAULT default_share_type "default"
    crudini --set $c database connection "$DB://manila:${mpw}@${IP}/manila"
    crudini --set $c identity uri $KEYSTONE_PUBLIC_ENDPOINT
    crudini --set $c DEFAULT share_volume_fstype ext3

    # create and enable a manila backend
    crudini --set $c DEFAULT enabled_share_backends backend-0
    crudini --set $c backend-0 share_driver manila.share.drivers.lvm.LVMShareDriver
    crudini --set $c backend-0 share_backend_name default
    crudini --set $c backend-0 driver_handles_share_servers false
    crudini --set $c backend-0 lvm_share_volume_group manila-shares
    crudini --set $c backend-0 lvm_share_export_ip $IP

    start_and_enable_service openstack-manila-api
    start_and_enable_service openstack-manila-scheduler
    start_and_enable_service openstack-manila-share
    start_and_enable_service openstack-manila-data

    manila type-create default false
fi

#-----------------------------------------
# setup OpenStack Magnum
#-----------------------------------------
if [ "x$with_magnum" = "xyes" ]; then
    # setup an image
    #MAGNUM_GUEST_IMAGE_URL=${MAGNUM_GUEST_IMAGE_URL:-"https://fedorapeople.org/groups/magnum/fedora-23-atomic-20160405.qcow2"}
    #wget --progress=dot:mega -O /tmp/magnum-test-image.qcow2 $MAGNUM_GUEST_IMAGE_URL
    #openstack image create --public --container-format bare \
    #          --disk-format qcow2 \
    #          --property os_distro=fedora-atomic \
    #          --file /tmp/magnum-test-image.qcow2 \
    #          magnum-fedora-atomic
    # create key
    #ssh-keygen -f ~/.ssh/id_rsa_magnum -t rsa -N ''
    #nova keypair-add --pub-key ~/.ssh/id_rsa_magnum.pub magnum

    c="/etc/magnum/magnum.conf"
    setup_messaging_client $c $IP $pw

    trustee_domain_id=$(get_or_create_domain magnum 'Owns users and projects created by magnum')
    trustee_domain_admin_id=$(get_or_create_user trustee_domain_admin $ADMIN_PASSWORD $trustee_domain_id)
    openstack --os-auth-url $KEYSTONE_PUBLIC_ENDPOINT_V3 \
              --os-identity-api-version 3 role add \
              --user $trustee_domain_admin_id --domain $trustee_domain_id \
              admin
    crudini --set $c trust trustee_domain_id $trustee_domain_id
    crudini --set $c trust trustee_domain_admin_id $trustee_domain_admin_id
    crudini --set $c trust trustee_domain_admin_password $ADMIN_PASSWORD
    crudini --set $c database connection "$DB://magnum:${mpw}@${IP}/magnum"
    crudini --set $c cinder_client region_name RegionOne
    crudini --set $c api host $IP

    start_and_enable_service openstack-magnum-api
    start_and_enable_service openstack-magnum-conductor
fi

#-----------------------------------------
# setup OpenStack Barbican
#-----------------------------------------
if [ "x$with_barbican" = "xyes" ]; then
    c="/etc/barbican/barbican.conf"
    setup_messaging_client $c $IP $pw

    a2enmod rewrite
    a2enmod wsgi

    crudini --set $c database connection "$DB://barbican:${mpw}@${IP}/barbican"
    crudini --set $c DEFAULT host_href http://${IP}:9311

    cp /etc/apache2/conf.d/barbican-api.conf.sample /etc/apache2/conf.d/barbican-api.conf

    start_and_enable_service apache2

    # may be needed if Horizon already started apache2
    service apache2 restart

    start_and_enable_service openstack-barbican-keystone-listener
    start_and_enable_service openstack-barbican-retry
    start_and_enable_service openstack-barbican-worker
fi


#-----------------------------------------
# setup tempest configuration
#-----------------------------------------

if [ "x$with_tempest" = "xyes" -a -e /etc/tempest/tempest.conf ]; then
    crudini --set /etc/tempest/tempest.conf auth allow_tenant_isolation false
    crudini --set /etc/tempest/tempest.conf auth use_dynamic_credentials True
    crudini --set /etc/tempest/tempest.conf auth tempest_roles Member
    crudini --set /etc/tempest/tempest.conf auth admin_domain_name Default
    crudini --set /etc/tempest/tempest.conf auth admin_tenant_name admin
    crudini --set /etc/tempest/tempest.conf auth admin_password $pw
    crudini --set /etc/tempest/tempest.conf auth admin_username admin
    crudini --set /etc/tempest/tempest.conf identity uri $KEYSTONE_PUBLIC_ENDPOINT
    crudini --set /etc/tempest/tempest.conf identity uri_v3 $KEYSTONE_PUBLIC_ENDPOINT_V3
    crudini --set /etc/tempest/tempest.conf identity auth_version v2
    crudini --set /etc/tempest/tempest.conf identity username demo
    crudini --set /etc/tempest/tempest.conf identity tenant_name demo
    crudini --set /etc/tempest/tempest.conf identity alt_password $pw
    crudini --set /etc/tempest/tempest.conf identity password $pw
    crudini --set /etc/tempest/tempest.conf compute-feature-enabled change_password False
    crudini --set /etc/tempest/tempest.conf compute-feature-enabled live_migration False
    crudini --set /etc/tempest/tempest.conf compute-feature-enabled vnc_console true
    crudini --set /etc/tempest/tempest.conf compute-feature-enabled resize true
    crudini --set /etc/tempest/tempest.conf compute fixed_network_name fixed
    crudini --set /etc/tempest/tempest.conf compute network_for_ssh ext
    crudini --set /etc/tempest/tempest.conf compute-admin username admin
    crudini --set /etc/tempest/tempest.conf compute-admin tenant_name admin
    crudini --set /etc/tempest/tempest.conf compute-admin password $pw
    crudini --set /etc/tempest/tempest.conf orchestration stack_owner_role _member_
    crudini --set /etc/tempest/tempest.conf network public_network_id $ext_network_id
    crudini --set /etc/tempest/tempest.conf service_available neutron True
    crudini --set /etc/tempest/tempest.conf service_available swift False
    crudini --set /etc/tempest/tempest.conf service_available ceilometer False
    crudini --set /etc/tempest/tempest.conf service_available heat True
    crudini --set /etc/tempest/tempest.conf service_available manila True
    crudini --set /etc/tempest/tempest.conf stress max_instances 1
    crudini --set /etc/tempest/tempest.conf service_available horizon $with_horizon
    crudini --set /etc/tempest/tempest.conf volume-feature-enabled backup false
    crudini --set /etc/tempest/tempest.conf image-feature-enabled deactivate_image true
    # manila share config
    if [ "x$with_manila" = "xyes" ]; then
        crudini --set /etc/tempest/tempest.conf service_available manila True
        crudini --set /etc/tempest/tempest.conf share run_manage_unmanage_snapshot_tests False
        crudini --set /etc/tempest/tempest.conf share run_manage_unmanage_tests False
        crudini --set /etc/tempest/tempest.conf share run_consistency_group_tests False
        crudini --set /etc/tempest/tempest.conf share enable_user_rules_for_protocols cifs
        crudini --set /etc/tempest/tempest.conf share enable_ip_rules_for_protocols nfs
        crudini --set /etc/tempest/tempest.conf share run_shrink_tests False
        crudini --set /etc/tempest/tempest.conf share multitenancy_enabled False
        crudini --set /etc/tempest/tempest.conf share run_replication_tests False
        crudini --set /etc/tempest/tempest.conf share suppress_errors_in_cleanup True
        crudini --set /etc/tempest/tempest.conf share share_creation_retry_number 2
        crudini --set /etc/tempest/tempest.conf share backend_names backend-0
        crudini --set /etc/tempest/tempest.conf share run_migration_tests True
        crudini --set /etc/tempest/tempest.conf share multi_backend False
    else
        crudini --set /etc/tempest/tempest.conf service_available manila False
    fi
fi
