merge Merge branch 'master' of github.com:open-cloud/xos into service_permissions

commit: d972c8dd8073804b93a8bbab68704edd0b6a0baa [log] [tgz]
author: Tony Mack <tmack@cs.princeton.edu> Wed May 06 12:32:21 2015 -0400
committer: Tony Mack <tmack@cs.princeton.edu> Wed May 06 12:32:21 2015 -0400
tree: 285e29115eb65c48dc485cb82a8219cb63cd5161
parent: 9d2ea09d8290948fd212a315a33b11841852705f [diff]
parent: 91dd0751b9e0384ccd14f2c1711e85ff19e91145 [diff]
diff --git a/xos/cord/models.py b/xos/cord/models.py
index a0f712d..86beba1 100644
--- a/xos/cord/models.py
+++ b/xos/cord/models.py

@@ -1,5 +1,5 @@
 from django.db import models
-from core.models import Service, PlCoreBase, Slice, Sliver, Tenant, Node, Image
+from core.models import Service, PlCoreBase, Slice, Sliver, Tenant, Node, Image, User
 from core.models.plcorebase import StrippedCharField
 import os
 from django.db import models
@@ -35,6 +35,16 @@
 for v in VOLTTenant.objects.all():
     v.caller = User.objects.all()[0]
     v.delete()
+
+for v in VOLTTenant.objects.all():
+    if not v.creator:
+        v.creator= User.objects.all()[0]
+        v.save()
+
+for v in VCPETenant.objects.all():
+    if not v.creator:
+        v.creator= User.objects.all()[0]
+        v.save()
 """
 
 class ConfigurationError(Exception):
@@ -85,7 +95,7 @@
         if not vcpes:
             return None
         vcpe=vcpes[0]
-        vcpe.caller = getattr(self, "caller", None)
+        vcpe.caller = self.creator
         self.cached_vcpe = vcpe
         return vcpe
 
@@ -97,6 +107,28 @@
             self.cached_vcpe=None
         self.set_attribute("vcpe_id", value)
 
+    @property
+    def creator(self):
+        if getattr(self, "cached_creator", None):
+            return self.cached_creator
+        creator_id=self.get_attribute("creator_id")
+        if not creator_id:
+            return None
+        users=User.objects.filter(id=creator_id)
+        if not users:
+            return None
+        user=users[0]
+        self.cached_creator = users[0]
+        return user
+
+    @creator.setter
+    def creator(self, value):
+        if value:
+            value = value.id
+        if (value != self.get_attribute("creator_id", None)):
+            self.cached_creator=None
+        self.set_attribute("creator_id", value)
+
     def manage_vcpe(self):
         # Each VOLT object owns exactly one VCPE object
 
@@ -110,7 +142,7 @@
 
             vcpe = VCPETenant(provider_service = vcpeServices[0],
                               subscriber_tenant = self)
-            vcpe.caller = self.caller
+            vcpe.caller = self.creator
             vcpe.save()
 
             try:
@@ -128,8 +160,14 @@
     def save(self, *args, **kwargs):
         self.validate_unique_service_specific_id()
 
-        if not getattr(self, "caller", None):
-            raise XOSProgrammingError("VOLTTenant's self.caller was not set")
+        if not self.creator:
+            if not getattr(self, "caller", None):
+                # caller must be set when creating a vCPE since it creates a slice
+                raise XOSProgrammingError("VOLTTenant's self.caller was not set")
+            self.creator = self.caller
+            if not self.creator:
+                raise XOSProgrammingError("VOLTTenant's self.creator was not set")
+
         super(VOLTTenant, self).save(*args, **kwargs)
         self.manage_vcpe()
 
@@ -155,6 +193,12 @@
 
     KIND = "vCPE"
 
+    sync_attributes = ("firewall_enable",
+                       "firewall_rules",
+                       "url_filter_enable",
+                       "url_filter_rules",
+                       "cdn_enable")
+
     default_attributes = {"firewall_enable": False,
                           "firewall_rules": "accept all anywhere anywhere",
                           "url_filter_enable": False,
@@ -190,7 +234,7 @@
         if not slivers:
             return None
         sliver=slivers[0]
-        sliver.caller = getattr(self, "caller", None)
+        sliver.caller = self.creator
         self.cached_sliver = sliver
         return sliver
 
@@ -203,6 +247,28 @@
         self.set_attribute("sliver_id", value)
 
     @property
+    def creator(self):
+        if getattr(self, "cached_creator", None):
+            return self.cached_creator
+        creator_id=self.get_attribute("creator_id")
+        if not creator_id:
+            return None
+        users=User.objects.filter(id=creator_id)
+        if not users:
+            return None
+        user=users[0]
+        self.cached_creator = users[0]
+        return user
+
+    @creator.setter
+    def creator(self, value):
+        if value:
+            value = value.id
+        if (value != self.get_attribute("creator_id", None)):
+            self.cached_creator=None
+        self.set_attribute("creator_id", value)
+
+    @property
     def vbng(self):
         if getattr(self, "cached_vbng", None):
             return self.cached_vbng
@@ -213,7 +279,7 @@
         if not vbngs:
             return None
         vbng=vbngs[0]
-        vbng.caller = getattr(self, "caller", None)
+        vbng.caller = self.creator
         self.cached_vbng = vbng
         return vbng
 
@@ -281,6 +347,7 @@
         if (self.sliver is not None) and (self.sliver.image != self.image):
             self.sliver.delete()
             self.sliver = None
+
         if self.sliver is None:
             if not self.provider_service.slices.count():
                 raise XOSConfigurationError("The VCPE service has no slicers")
@@ -289,7 +356,7 @@
             sliver = Sliver(slice = self.provider_service.slices.all()[0],
                             node = node,
                             image = self.image,
-                            creator = self.caller,
+                            creator = self.creator,
                             deployment = node.site_deployment.deployment)
             sliver.save()
 
@@ -318,7 +385,7 @@
 
             vbng = VBNGTenant(provider_service = vbngServices[0],
                               subscriber_tenant = self)
-            vbng.caller = self.caller
+            vbng.caller = self.creator
             vbng.save()
 
             try:
@@ -334,8 +401,14 @@
             self.vbng = None
 
     def save(self, *args, **kwargs):
-        if not getattr(self, "caller", None):
-            raise XOSProgrammingError("VCPETenant's self.caller was not set")
+        if not self.creator:
+            if not getattr(self, "caller", None):
+                # caller must be set when creating a vCPE since it creates a slice
+                raise XOSProgrammingError("VBNGTenant's self.caller was not set")
+            self.creator = self.caller
+            if not self.creator:
+                raise XOSProgrammingError("VCPETenant's self.caller was not set")
+
         super(VCPETenant, self).save(*args, **kwargs)
         self.manage_sliver()
         self.manage_vbng()

diff --git a/xos/core/admin.py b/xos/core/admin.py
index 50f3f53..69cae61 100644
--- a/xos/core/admin.py
+++ b/xos/core/admin.py

@@ -756,7 +756,7 @@
 class ServiceAdmin(XOSBaseAdmin):
     list_display = ("backend_status_icon","name","kind","versionNumber","enabled","published")
     list_display_links = ('backend_status_icon', 'name', )
-    fieldList = ["backend_status_text","name","kind","description","versionNumber","enabled","published","view_url","icon_url"]
+    fieldList = ["backend_status_text","name","kind","description","versionNumber","enabled","published","view_url","icon_url","public_key"]
     fieldsets = [(None, {'fields': fieldList, 'classes':['suit-tab suit-tab-general']})]
     inlines = [ServiceAttrAsTabInline,SliceInline,ProviderTenantInline,SubscriberTenantInline]
     readonly_fields = ('backend_status_text', )

diff --git a/xos/core/models/service.py b/xos/core/models/service.py
index 6dd67a0..038d71a 100644
--- a/xos/core/models/service.py
+++ b/xos/core/models/service.py

@@ -16,6 +16,7 @@
     published = models.BooleanField(default=True)
     view_url = StrippedCharField(blank=True, null=True, max_length=1024)
     icon_url = StrippedCharField(blank=True, null=True, max_length=1024)
+    public_key = models.TextField(null=True, blank=True, max_length=1024, help_text="Public key string")
 
     def __init__(self, *args, **kwargs):
         # for subclasses, set the default kind appropriately
@@ -139,6 +140,10 @@
     def get_tenant_objects(cls):
         return cls.objects.filter(kind = cls.KIND)
 
+    @classmethod
+    def get_deleted_tenant_objects(cls):
+        return cls.deleted_objects.filter(kind = cls.KIND)
+
     # helper function to be used in subclasses that want to ensure service_specific_id is unique
     def validate_unique_service_specific_id(self):
         if self.pk is None:

diff --git a/xos/core/xoslib/methods/hpcview.py b/xos/core/xoslib/methods/hpcview.py
index f1a10ab..41f6051 100644
--- a/xos/core/xoslib/methods/hpcview.py
+++ b/xos/core/xoslib/methods/hpcview.py

@@ -134,8 +134,13 @@
                 sliver_nameservers.append(ns["name"])
                 ns["hit"]=True
 
+        # now find the dnsredir sliver that is also on this node
+        watcherd_dnsredir = "no-redir-sliver"
+        for dnsredir_sliver in dnsredir_slice.slivers.all():
+            if dnsredir_sliver.node == sliver.node:
+                watcherd_dnsredir = lookup_tag(dnsredir_service, dnsredir_sliver, "watcher.watcher.msg")
+
         watcherd_dnsdemux = lookup_tag(dnsdemux_service, sliver, "watcher.watcher.msg")
-        watcherd_dnsredir = lookup_tag(dnsredir_service, sliver, "watcher.watcher.msg")
 
         dnsdemux.append( {"name": sliver.node.name,
                        "watcher.DNS.msg": lookup_tag(dnsdemux_service, sliver, "watcher.DNS.msg"),

diff --git a/xos/hpc_observer/hpc_watcher.py b/xos/hpc_observer/hpc_watcher.py
index 15adce9..9eb8afe 100644
--- a/xos/hpc_observer/hpc_watcher.py
+++ b/xos/hpc_observer/hpc_watcher.py

@@ -390,11 +390,15 @@
 
             ip = sliver.get_public_ip()
             if not ip:
-                ip = socket.gethostbyname(sliver.node.name)
+                try:
+                    ip = socket.gethostbyname(sliver.node.name)
+                except:
+                    self.set_status(sliver, service, "watcher.DNS", "dns resolution failure")
+                    continue
 
-            #if not ip:
-            #    self.set_status(sliver, service, "watcher.DNS", "no public IP")
-            #    continue
+            if not ip:
+                self.set_status(sliver, service, "watcher.DNS", "no IP address")
+                continue
 
             checks = HpcHealthCheck.objects.filter(kind="dns")
             if not checks:
@@ -518,7 +522,15 @@
         for sliver in slivers:
             ip = sliver.get_public_ip()
             if not ip:
-                ip = socket.gethostbyname(sliver.node.name)
+                try:
+                    ip = socket.gethostbyname(sliver.node.name)
+                except:
+                    self.set_status(sliver, service, "watcher.watcher", "dns resolution failure")
+                    continue
+
+            if not ip:
+                self.set_status(sliver, service, "watcher.watcher", "no IP address")
+                continue
 
             port = 8015
             if ("redir" in sliver.slice.name):

diff --git a/xos/observers/vcpe/observer_ansible_test.py b/xos/observers/vcpe/observer_ansible_test.py
new file mode 100644
index 0000000..1b4358d
--- /dev/null
+++ b/xos/observers/vcpe/observer_ansible_test.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+import os
+import sys
+
+sys.path.append("../..")
+import observer.ansible
+
+print sys.argv
+
+private_key="""-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAtJiuarud5S4Y2quDeWyaS0UCQGQtfuSzzNhplFwujYnJGL65

+e14REtv+UuHGymyr/SfkTrBd8vH5NI2UZ/4sZW13ieI/1d97OeVe2+ct0Y4BaFEI

+3Hja6DIpsY3Q2cBQsWUwcQzbMIF9jIq8SzwR1zk8UtZi09fNxqjCchRPlBvbiLKX

+g0/yirN237WbaKzK++8EPy3nuv83216MXHFFSjuxfICe/RhjaqMzVp7isSbv1suU

+geyvNNzU71c/K13gTggdcIXeRQBiJYio2Sn3h2nsV6AFqFH4fjERxWG55Q4e3jeE

+tWM/Dw+hqYKg/25UcmM862a6sUmuDCmM5S3VEQIDAQABAoIBACH88iZoNOki6c6N

+pOq/Q7KSxD+2GtHc3PHacNRZHPHKUqxziJjtNS1lddHHaBBEr4GvdkpQ6v2ECLCZ

+TKrdrSFRnsO2bukjbB+TSWz9byQXI7CsP4yuuhQlDK+7zuiMRyN7tcgw8TeJx0Uh

+/xnxrjHhNbcpXeQcoz+WFzI9HFT1MEGmMS4Lyp/zLB/pmfY9h7V9d+EeRZDi78jq

+Vir6MI6iCTa0T02dvHUFOg+wXLb0nb8V1xKDL+6cAJla7LzwoG8lTnvp5DSYCojI

+5JrILYafeO8RbBV2GWmaE5mkHgeBkFZ+qZQ7K0MjR30Yh6tajB7P3+F/Max8FUgW

+xLHr8AECgYEA2+o0ge3HtZcepEFBKKYnLTwoEpPCfLElWZHzUJYDz259s4JLsfak

+tROANFEdsJUjpmWG52MCL+bgKFFOedDkt4p1jgcIneaHk0jvoU11wG7W3jZZVy1q

+WjQNH5vDU+hg5tm/CREwm7lbUxR9Xuj9K63CNAAGp8KO7h2tOH8woIECgYEA0jrb

+LUg30RxO3+vrq9dUYohrDRisk5zKXuRLfxRA+E+ruvZ7CctG2OpM+658/qZM/w95

+7pOj6zz3//w7tAvH9erY+JOISnzaYKx04sYC1MfbFiFkq5j0gpuYm/MULDYNvFqr

+NU2Buj4dW+ZB+SeficsQOqm5QeNxh1kgiDCs7JECgYEAjSLGCAzeesA9vhTTCI95

+3SIaZbHGw9e8rLtqeHGOiHXU3nvksJYmJsAZK3pTn5xXgNbvuVhlcvCtM7LatntG

+DjUiNMB22z+0CuZoRBE+XP3FkF84/yX6d2Goenyw4wzkA8QDQoJxu789yRgBTgQh

+VwLw/AZ4PvoyWMdbAENApgECgYEAvFikosYP09XTyIPaKaOKY5iqqBoSC1GucSOB

+jAG+T3k5dxB6nQS0nYQUomvqak7drqnT6O33Lrr5ySrW5nCjnmvgJZwvv+Rp1bDM

+K5uRT8caPpJ+Wcp4TUdPi3BVA2MOHVDyEJg3AH/D1+DL/IgGQ/JcwOHsKt61iLhO

+EBXj5zECgYEAk+HuwksUPkSxg/AiJGbapGDK6XGymEUzo2duWlnofRqGcZ3NT3bB

+/kDI1KxQdlpODXSi4/BuTpbQiFOrzcEq5e5ytoMxlCHh3Fl3Jxl+JlgO21vAUvP6

+4SET7Q/6LxmfBlCVRg0dXDwcfJLgbnWxyvprIcz4e0FSFVZTBs/6tFk=

+-----END RSA PRIVATE KEY-----
+"""
+
+observer.ansible.run_template_ssh("test.yaml",
+                                  {"sliver_name": "onlab_test405-378",
+                                   "instance_id": "instance-0000004d",
+                                   "hostname": "node67.washington.vicci.org",
+                                   "private_key": private_key})
+

diff --git a/xos/observers/vcpe/run.sh b/xos/observers/vcpe/run.sh
new file mode 100644
index 0000000..c582842
--- /dev/null
+++ b/xos/observers/vcpe/run.sh

@@ -0,0 +1,6 @@
+if [[ ! -e ./vcpe-observer.py ]]; then
+    ln -s ../../xos-observer.py vcpe-observer.py
+fi
+
+export XOS_DIR=/opt/xos
+python vcpe-observer.py  -C $XOS_DIR/observers/vcpe/vcpe_observer_config

diff --git a/xos/observers/vcpe/start.sh b/xos/observers/vcpe/start.sh
new file mode 100644
index 0000000..96cb6e4
--- /dev/null
+++ b/xos/observers/vcpe/start.sh

@@ -0,0 +1,6 @@
+if [[ ! -e ./vcpe-observer.py ]]; then
+    ln -s ../../xos-observer.py vcpe-observer.py
+fi
+
+export XOS_DIR=/opt/xos
+nohup python vcpe-observer.py  -C $XOS_DIR/observers/vcpe/vcpe_observer_config > /dev/null 2>&1 &

diff --git a/xos/observers/vcpe/steps/ansible_test/inventory.txt b/xos/observers/vcpe/steps/ansible_test/inventory.txt
new file mode 100644
index 0000000..d5ff47e
--- /dev/null
+++ b/xos/observers/vcpe/steps/ansible_test/inventory.txt

@@ -0,0 +1,7 @@
+[onlab_hpc-355]
+node67.washington.vicci.org instance_id=instance-00000045 sliver_name=onlab_hpc-355
+
+[onlab_test405-372]
+node67.washington.vicci.org instance_id=instance-0000004c sliver_name=onlab_test405-372
+
+

diff --git a/xos/observers/vcpe/steps/ansible_test/test.sh b/xos/observers/vcpe/steps/ansible_test/test.sh
new file mode 100755
index 0000000..157ba9c
--- /dev/null
+++ b/xos/observers/vcpe/steps/ansible_test/test.sh

@@ -0,0 +1,2 @@
+#! /bin/bash
+ansible-playbook --private-key /home/smbaker/.ssh/id_rsa -i ./inventory.txt test.yaml

diff --git a/xos/observers/vcpe/steps/ansible_test/test.yaml b/xos/observers/vcpe/steps/ansible_test/test.yaml
new file mode 100644
index 0000000..6a29d56
--- /dev/null
+++ b/xos/observers/vcpe/steps/ansible_test/test.yaml

@@ -0,0 +1,12 @@
+---
+- hosts: onlab_test405-372
+  connection: xos
+  user: ubuntu
+  vars:
+     foo: 25
+#  instance_name: instance-00000045
+#  slice_name: onlab_hpc-355
+
+  tasks:
+    - name: foobar
+      shell: echo foo > /tmp/foobar

diff --git a/xos/observers/vcpe/steps/ansible_test/xos.py b/xos/observers/vcpe/steps/ansible_test/xos.py
new file mode 100755
index 0000000..3ef72ab
--- /dev/null
+++ b/xos/observers/vcpe/steps/ansible_test/xos.py

@@ -0,0 +1,444 @@
+# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import re
+import subprocess
+import shlex
+import pipes
+import random
+import select
+import fcntl
+import hmac
+import pwd
+import gettext
+import pty
+from hashlib import sha1
+import ansible.constants as C
+from ansible.callbacks import vvv
+from ansible import errors
+from ansible import utils
+
+class Connection(object):
+    ''' ssh based connections '''
+
+    def __init__(self, runner, host, port, user, password, private_key_file, *args, **kwargs):
+        self.runner = runner
+        self.host = host
+        self.ipv6 = ':' in self.host
+        self.port = port
+        self.user = str(user)
+        self.password = password
+        self.private_key_file = private_key_file
+        self.HASHED_KEY_MAGIC = "|1|"
+        self.has_pipelining = True
+        #self.instance_id = "instance-00000045" # C.get_config(C.p, "xos", "instance_id", "INSTANCE_ID", None)
+        #self.sliver_name = "onlab_hpc-355" # C.get_config(C.p, "xos", "sliver_name", "SLIVER_NAME", None)
+
+        inject={}
+        inject= utils.combine_vars(inject, self.runner.inventory.get_variables(self.host))
+
+        self.instance_id = inject["instance_id"]
+        self.sliver_name = inject["sliver_name"]
+
+        fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX)
+        self.cp_dir = utils.prepare_writeable_dir('$HOME/.ansible/cp',mode=0700)
+        fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN)
+
+    def connect(self):
+        ''' connect to the remote host '''
+
+        vvv("ESTABLISH CONNECTION FOR USER: %s" % self.user, host=self.host)
+
+        self.common_args = []
+        extra_args = C.ANSIBLE_SSH_ARGS
+        if extra_args is not None:
+            # make sure there is no empty string added as this can produce weird errors
+            self.common_args += [x.strip() for x in shlex.split(extra_args) if x.strip()]
+        else:
+            self.common_args += ["-o", "ControlMaster=auto",
+                                 "-o", "ControlPersist=60s",
+                                 "-o", "ControlPath=%s" % (C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=self.cp_dir))]
+
+        self.common_args += ["-o", "ProxyCommand ssh -q -i %s %s@%s" % (self.private_key_file, self.instance_id, self.host)]
+
+        cp_in_use = False
+        cp_path_set = False
+        for arg in self.common_args:
+            if "ControlPersist" in arg:
+                cp_in_use = True
+            if "ControlPath" in arg:
+                cp_path_set = True
+
+        if cp_in_use and not cp_path_set:
+            self.common_args += ["-o", "ControlPath=%s" % (C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=self.cp_dir))]
+
+        if not C.HOST_KEY_CHECKING:
+            self.common_args += ["-o", "StrictHostKeyChecking=no"]
+
+        if self.port is not None:
+            self.common_args += ["-o", "Port=%d" % (self.port)]
+        if self.private_key_file is not None:
+            self.common_args += ["-o", "IdentityFile=\"%s\"" % os.path.expanduser(self.private_key_file)]
+        elif self.runner.private_key_file is not None:
+            self.common_args += ["-o", "IdentityFile=\"%s\"" % os.path.expanduser(self.runner.private_key_file)]
+        if self.password:
+            self.common_args += ["-o", "GSSAPIAuthentication=no",
+                                 "-o", "PubkeyAuthentication=no"]
+        else:
+            self.common_args += ["-o", "KbdInteractiveAuthentication=no",
+                                 "-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
+                                 "-o", "PasswordAuthentication=no"]
+        if self.user != pwd.getpwuid(os.geteuid())[0]:
+            self.common_args += ["-o", "User="+self.user]
+        self.common_args += ["-o", "ConnectTimeout=%d" % self.runner.timeout]
+
+        return self
+
+    def _run(self, cmd, indata):
+        if indata:
+            # do not use pseudo-pty
+            p = subprocess.Popen(cmd, stdin=subprocess.PIPE,
+                                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+            stdin = p.stdin
+        else:
+            # try to use upseudo-pty
+            try:
+                # Make sure stdin is a proper (pseudo) pty to avoid: tcgetattr errors
+                master, slave = pty.openpty()
+                p = subprocess.Popen(cmd, stdin=slave,
+                                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+                stdin = os.fdopen(master, 'w', 0)
+                os.close(slave)
+            except:
+                p = subprocess.Popen(cmd, stdin=subprocess.PIPE,
+                                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+                stdin = p.stdin
+
+        return (p, stdin)
+
+    def _password_cmd(self):
+        if self.password:
+            try:
+                p = subprocess.Popen(["sshpass"], stdin=subprocess.PIPE,
+                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+                p.communicate()
+            except OSError:
+                raise errors.AnsibleError("to use the 'ssh' connection type with passwords, you must install the sshpass program")
+            (self.rfd, self.wfd) = os.pipe()
+            return ["sshpass", "-d%d" % self.rfd]
+        return []
+
+    def _send_password(self):
+        if self.password:
+            os.close(self.rfd)
+            os.write(self.wfd, "%s\n" % self.password)
+            os.close(self.wfd)
+
+    def _communicate(self, p, stdin, indata, su=False, sudoable=False, prompt=None):
+        fcntl.fcntl(p.stdout, fcntl.F_SETFL, fcntl.fcntl(p.stdout, fcntl.F_GETFL) & ~os.O_NONBLOCK)
+        fcntl.fcntl(p.stderr, fcntl.F_SETFL, fcntl.fcntl(p.stderr, fcntl.F_GETFL) & ~os.O_NONBLOCK)
+        # We can't use p.communicate here because the ControlMaster may have stdout open as well
+        stdout = ''
+        stderr = ''
+        rpipes = [p.stdout, p.stderr]
+        if indata:
+            try:
+                stdin.write(indata)
+                stdin.close()
+            except:
+                raise errors.AnsibleError('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh')
+        # Read stdout/stderr from process
+        while True:
+            rfd, wfd, efd = select.select(rpipes, [], rpipes, 1)
+
+            # fail early if the sudo/su password is wrong
+            if self.runner.sudo and sudoable:
+                if self.runner.sudo_pass:
+                    incorrect_password = gettext.dgettext(
+                        "sudo", "Sorry, try again.")
+                    if stdout.endswith("%s\r\n%s" % (incorrect_password,
+                                                     prompt)):
+                        raise errors.AnsibleError('Incorrect sudo password')
+
+                if stdout.endswith(prompt):
+                    raise errors.AnsibleError('Missing sudo password')
+
+            if self.runner.su and su and self.runner.su_pass:
+                incorrect_password = gettext.dgettext(
+                    "su", "Sorry")
+                if stdout.endswith("%s\r\n%s" % (incorrect_password, prompt)):
+                    raise errors.AnsibleError('Incorrect su password')
+
+            if p.stdout in rfd:
+                dat = os.read(p.stdout.fileno(), 9000)
+                stdout += dat
+                if dat == '':
+                    rpipes.remove(p.stdout)
+            if p.stderr in rfd:
+                dat = os.read(p.stderr.fileno(), 9000)
+                stderr += dat
+                if dat == '':
+                    rpipes.remove(p.stderr)
+            # only break out if no pipes are left to read or
+            # the pipes are completely read and
+            # the process is terminated
+            if (not rpipes or not rfd) and p.poll() is not None:
+                break
+            # No pipes are left to read but process is not yet terminated
+            # Only then it is safe to wait for the process to be finished
+            # NOTE: Actually p.poll() is always None here if rpipes is empty
+            elif not rpipes and p.poll() == None:
+                p.wait()
+                # The process is terminated. Since no pipes to read from are
+                # left, there is no need to call select() again.
+                break
+        # close stdin after process is terminated and stdout/stderr are read
+        # completely (see also issue #848)
+        stdin.close()
+        return (p.returncode, stdout, stderr)
+
+    def not_in_host_file(self, host):
+        if 'USER' in os.environ:
+            user_host_file = os.path.expandvars("~${USER}/.ssh/known_hosts")
+        else:
+            user_host_file = "~/.ssh/known_hosts"
+        user_host_file = os.path.expanduser(user_host_file)
+        
+        host_file_list = []
+        host_file_list.append(user_host_file)
+        host_file_list.append("/etc/ssh/ssh_known_hosts")
+        host_file_list.append("/etc/ssh/ssh_known_hosts2")
+        
+        hfiles_not_found = 0
+        for hf in host_file_list:
+            if not os.path.exists(hf):
+                hfiles_not_found += 1
+                continue
+            try:
+                host_fh = open(hf)
+            except IOError, e:
+                hfiles_not_found += 1
+                continue
+            else:
+                data = host_fh.read()
+                host_fh.close()
+                
+            for line in data.split("\n"):
+                if line is None or " " not in line:
+                    continue
+                tokens = line.split()
+                if tokens[0].find(self.HASHED_KEY_MAGIC) == 0:
+                    # this is a hashed known host entry
+                    try:
+                        (kn_salt,kn_host) = tokens[0][len(self.HASHED_KEY_MAGIC):].split("|",2)
+                        hash = hmac.new(kn_salt.decode('base64'), digestmod=sha1)
+                        hash.update(host)
+                        if hash.digest() == kn_host.decode('base64'):
+                            return False
+                    except:
+                        # invalid hashed host key, skip it
+                        continue
+                else:
+                    # standard host file entry
+                    if host in tokens[0]:
+                        return False
+
+        if (hfiles_not_found == len(host_file_list)):
+            vvv("EXEC previous known host file not found for %s" % host)
+        return True
+
+    def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable='/bin/sh', in_data=None, su_user=None, su=False):
+        ''' run a command on the remote host '''
+
+        ssh_cmd = self._password_cmd()
+        ssh_cmd += ["ssh", "-C"]
+        if not in_data:
+            # we can only use tty when we are not pipelining the modules. piping data into /usr/bin/python
+            # inside a tty automatically invokes the python interactive-mode but the modules are not
+            # compatible with the interactive-mode ("unexpected indent" mainly because of empty lines)
+            ssh_cmd += ["-tt"]
+        if utils.VERBOSITY > 3:
+            ssh_cmd += ["-vvv"]
+        else:
+            ssh_cmd += ["-q"]
+        ssh_cmd += self.common_args
+
+        if self.ipv6:
+            ssh_cmd += ['-6']
+        #ssh_cmd += [self.host]
+        ssh_cmd += [self.sliver_name]
+
+        if su and su_user:
+            sudocmd, prompt, success_key = utils.make_su_cmd(su_user, executable, cmd)
+            prompt_re = re.compile(prompt)
+            ssh_cmd.append(sudocmd)
+        elif not self.runner.sudo or not sudoable:
+            prompt = None
+            if executable:
+                ssh_cmd.append(executable + ' -c ' + pipes.quote(cmd))
+            else:
+                ssh_cmd.append(cmd)
+        else:
+            sudocmd, prompt, success_key = utils.make_sudo_cmd(sudo_user, executable, cmd)
+            ssh_cmd.append(sudocmd)
+
+        vvv("EXEC %s" % ssh_cmd, host=self.host)
+
+        not_in_host_file = self.not_in_host_file(self.host)
+
+        if C.HOST_KEY_CHECKING and not_in_host_file:
+            # lock around the initial SSH connectivity so the user prompt about whether to add 
+            # the host to known hosts is not intermingled with multiprocess output.
+            fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX)
+            fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_EX)
+
+        # create process
+        (p, stdin) = self._run(ssh_cmd, in_data)
+
+        self._send_password()
+
+        if (self.runner.sudo and sudoable and self.runner.sudo_pass) or \
+                (self.runner.su and su and self.runner.su_pass):
+            # several cases are handled for sudo privileges with password
+            # * NOPASSWD (tty & no-tty): detect success_key on stdout
+            # * without NOPASSWD:
+            #   * detect prompt on stdout (tty)
+            #   * detect prompt on stderr (no-tty)
+            fcntl.fcntl(p.stdout, fcntl.F_SETFL,
+                        fcntl.fcntl(p.stdout, fcntl.F_GETFL) | os.O_NONBLOCK)
+            fcntl.fcntl(p.stderr, fcntl.F_SETFL,
+                        fcntl.fcntl(p.stderr, fcntl.F_GETFL) | os.O_NONBLOCK)
+            sudo_output = ''
+            sudo_errput = ''
+
+            while True:
+                if success_key in sudo_output or \
+                    (self.runner.sudo_pass and sudo_output.endswith(prompt)) or \
+                    (self.runner.su_pass and prompt_re.match(sudo_output)):
+                    break
+
+                rfd, wfd, efd = select.select([p.stdout, p.stderr], [],
+                                              [p.stdout], self.runner.timeout)
+                if p.stderr in rfd:
+                    chunk = p.stderr.read()
+                    if not chunk:
+                        raise errors.AnsibleError('ssh connection closed waiting for sudo or su password prompt')
+                    sudo_errput += chunk
+                    incorrect_password = gettext.dgettext(
+                        "sudo", "Sorry, try again.")
+                    if sudo_errput.strip().endswith("%s%s" % (prompt, incorrect_password)):
+                        raise errors.AnsibleError('Incorrect sudo password')
+                    elif sudo_errput.endswith(prompt):
+                        stdin.write(self.runner.sudo_pass + '\n')
+
+                if p.stdout in rfd:
+                    chunk = p.stdout.read()
+                    if not chunk:
+                        raise errors.AnsibleError('ssh connection closed waiting for sudo or su password prompt')
+                    sudo_output += chunk
+
+                if not rfd:
+                    # timeout. wrap up process communication
+                    stdout = p.communicate()
+                    raise errors.AnsibleError('ssh connection error waiting for sudo or su password prompt')
+
+            if success_key not in sudo_output:
+                if sudoable:
+                    stdin.write(self.runner.sudo_pass + '\n')
+                elif su:
+                    stdin.write(self.runner.su_pass + '\n')
+
+        (returncode, stdout, stderr) = self._communicate(p, stdin, in_data, su=su, sudoable=sudoable, prompt=prompt)
+
+        if C.HOST_KEY_CHECKING and not_in_host_file:
+            # lock around the initial SSH connectivity so the user prompt about whether to add 
+            # the host to known hosts is not intermingled with multiprocess output.
+            fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_UN)
+            fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN)
+        controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or \
+                              'unknown configuration option: ControlPersist' in stderr
+
+        if C.HOST_KEY_CHECKING:
+            if ssh_cmd[0] == "sshpass" and p.returncode == 6:
+                raise errors.AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host\'s fingerprint to your known_hosts file to manage this host.')
+
+        if p.returncode != 0 and controlpersisterror:
+            raise errors.AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again')
+        if p.returncode == 255 and (in_data or self.runner.module_name == 'raw'):
+            raise errors.AnsibleError('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh')
+
+        return (p.returncode, '', stdout, stderr)
+
+    def put_file(self, in_path, out_path):
+        ''' transfer a file from local to remote '''
+        vvv("PUT %s TO %s" % (in_path, out_path), host=self.host)
+        if not os.path.exists(in_path):
+            raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
+        cmd = self._password_cmd()
+
+        host = self.host
+        if self.ipv6:
+            host = '[%s]' % host
+
+        if C.DEFAULT_SCP_IF_SSH:
+            cmd += ["scp"] + self.common_args
+            cmd += [in_path,host + ":" + pipes.quote(out_path)]
+            indata = None
+        else:
+            cmd += ["sftp"] + self.common_args + [host]
+            indata = "put %s %s\n" % (pipes.quote(in_path), pipes.quote(out_path))
+
+        (p, stdin) = self._run(cmd, indata)
+
+        self._send_password()
+
+        (returncode, stdout, stderr) = self._communicate(p, stdin, indata)
+
+        if returncode != 0:
+            raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr))
+
+    def fetch_file(self, in_path, out_path):
+        ''' fetch a file from remote to local '''
+        vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host)
+        cmd = self._password_cmd()
+
+        host = self.host
+        if self.ipv6:
+            host = '[%s]' % host
+
+        if C.DEFAULT_SCP_IF_SSH:
+            cmd += ["scp"] + self.common_args
+            cmd += [host + ":" + in_path, out_path]
+            indata = None
+        else:
+            cmd += ["sftp"] + self.common_args + [host]
+            indata = "get %s %s\n" % (in_path, out_path)
+
+        p = subprocess.Popen(cmd, stdin=subprocess.PIPE,
+                             stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+        self._send_password()
+        stdout, stderr = p.communicate(indata)
+
+        if p.returncode != 0:
+            raise errors.AnsibleError("failed to transfer file from %s:\n%s\n%s" % (in_path, stdout, stderr))
+
+    def close(self):
+        ''' not applicable since we're executing openssh binaries '''
+        pass
+

diff --git a/xos/observers/vcpe/steps/sync_vcpetenant.py b/xos/observers/vcpe/steps/sync_vcpetenant.py
new file mode 100644
index 0000000..cc1d520
--- /dev/null
+++ b/xos/observers/vcpe/steps/sync_vcpetenant.py

@@ -0,0 +1,111 @@
+import os
+import socket
+import sys
+import base64
+from django.db.models import F, Q
+from xos.config import Config
+from observer.syncstep import SyncStep
+from observer.ansible import run_template_ssh
+from core.models import Service
+from cord.models import VCPEService, VCPETenant, VOLTTenant
+from hpc.models import HpcService, CDNPrefix
+from util.logger import Logger, logging
+
+# hpclibrary will be in steps/..
+parentdir = os.path.join(os.path.dirname(__file__),"..")
+sys.path.insert(0,parentdir)
+
+logger = Logger(level=logging.INFO)
+
+class SyncVCPETenant(SyncStep):
+    provides=[VCPETenant]
+    observes=VCPETenant
+    requested_interval=0
+    template_name = "sync_vcpetenant.yaml"
+    service_key_name = "/opt/xos/observers/vcpe/vcpe_private_key"
+
+    def __init__(self, **args):
+        SyncStep.__init__(self, **args)
+
+    def defer_sync(self, o, reason):
+        o.backend_register="{}"
+        o.backend_status = "2 - " + reason
+        o.save(update_fields=['enacted','backend_status','backend_register'])
+        logger.info("defer object %s due to %s" % (str(o), reason))
+
+    def fetch_pending(self, deleted):
+        if (not deleted):
+            objs = VCPETenant.get_tenant_objects().filter(Q(enacted__lt=F('updated')) | Q(enacted=None),Q(lazy_blocked=False))
+        else:
+            objs = VCPETenant.get_deleted_tenant_objects()
+
+        return objs
+
+    def get_extra_attributes(self, o):
+        # This is a place to include extra attributes that aren't part of the
+        # object itself. In our case, it's handy to know the VLAN IDs when
+        # configuring the VCPE.
+
+        dnsdemux_ip = "none"
+        for service in HpcService.objects.all():
+            for slice in service.slices.all():
+                if "dnsdemux" in slice.name:
+                    for sliver in slice.slivers.all():
+                        if dnsdemux_ip=="none":
+                            try:
+                                dnsdemux_ip = socket.gethostbyname(sliver.node.name)
+                            except:
+                                pass
+
+        volts = [x for x in VOLTTenant.get_tenant_objects() if x.vcpe.id==o.id]
+        vlan_ids = [x.vlan_id for x in volts]
+        return {"vlan_ids": vlan_ids,
+                "dnsdemux_ip": dnsdemux_ip}
+
+    def get_sliver(self, o):
+        # We need to know what slivers is associated with the object.
+        # For vCPE this is easy, as VCPETenant has a sliver field.
+
+        return o.sliver
+
+    def sync_record(self, o):
+        logger.info("sync'ing VCPETenant %s" % str(o))
+
+        sliver = self.get_sliver(o)
+        if not sliver:
+            self.defer_sync(o, "waiting on sliver")
+            return
+
+        service = o.sliver.slice.service
+        if not service:
+            # Ansible uses the service's keypair in order to SSH into the
+            # instance. It would be bad if the slice had no service.
+
+            raise Exception("Slice %s is not associated with a service" % sliver.slice.name)
+
+        if not os.path.exists(self.service_key_name):
+            raise Exception("Service key %s does not exist" % self.service_key_name)
+
+        service_key = file(self.service_key_name).read()
+
+        fields = { "sliver_name": sliver.name,
+                   "hostname": sliver.node.name,
+                   "instance_id": sliver.instance_id,
+                   "private_key": service_key,
+                 }
+
+        if hasattr(o, "sync_attributes"):
+            for attribute_name in o.sync_attributes:
+                 fields[attribute_name] = getattr(o, attribute_name)
+
+        fields.update(self.get_extra_attributes(o))
+
+        print fields
+
+        run_template_ssh(self.template_name, fields)
+
+        o.save()
+
+    def delete_record(self, m):
+        pass
+

diff --git a/xos/observers/vcpe/steps/sync_vcpetenant.yaml b/xos/observers/vcpe/steps/sync_vcpetenant.yaml
new file mode 100644
index 0000000..d45b38a
--- /dev/null
+++ b/xos/observers/vcpe/steps/sync_vcpetenant.yaml

@@ -0,0 +1,31 @@
+---
+- hosts: {{ sliver_name }}
+  connection: ssh
+  user: ubuntu
+  sudo: yes
+  vars:
+      cdn_enable: {{ cdn_enable }}
+      dnsdemux_ip: {{ dnsdemux_ip }}
+      firewall_enable: {{ firewall_enable }}
+      url_filter_enable: {{ url_filter_enable }}
+      vlan_ids:
+        {% for vlan_id in vlan_ids %}
+        - {{ vlan_id }}
+        {% endfor %}
+      firewall_rules:
+        {% for firewall_rule in firewall_rules.split("\n") %}
+        - {{ firewall_rule }}
+        {% endfor %}
+
+  tasks:
+    - name: make sure /etc/dnsmasq.d exists
+      file: path=/etc/dnsmasq.d state=directory owner=root group=root
+   
+    - name: configure dnsmasq servers
+      template: src=/opt/xos/observers/vcpe/templates/dnsmasq_servers.j2 dest=/etc/dnsmasq.d/servers.conf owner=root group=root
+
+    - name: setup networking
+      template: src=/opt/xos/observers/vcpe/templates/vlan_sample.j2 dest=/etc/vlan_sample owner=root group=root
+
+    - name: setup firewall
+      template: src=/opt/xos/observers/vcpe/templates/firewall_sample.j2 dest=/etc/firewall_sample owner=root group=root

diff --git a/xos/observers/vcpe/steps/test.yaml b/xos/observers/vcpe/steps/test.yaml
new file mode 100644
index 0000000..dbda94d
--- /dev/null
+++ b/xos/observers/vcpe/steps/test.yaml

@@ -0,0 +1,7 @@
+---
+- hosts: {{ sliver_name }}
+  connection: ssh
+  user: ubuntu
+  tasks:
+    - name: foobar
+      shell: echo foo > /tmp/foobar

diff --git a/xos/observers/vcpe/stop.sh b/xos/observers/vcpe/stop.sh
new file mode 100644
index 0000000..e90e16c
--- /dev/null
+++ b/xos/observers/vcpe/stop.sh

@@ -0,0 +1 @@
+pkill -9 -f vcpe-observer.py

diff --git a/xos/observers/vcpe/templates/dnsmasq_servers.j2 b/xos/observers/vcpe/templates/dnsmasq_servers.j2
new file mode 100644
index 0000000..ac97035
--- /dev/null
+++ b/xos/observers/vcpe/templates/dnsmasq_servers.j2

@@ -0,0 +1,15 @@
+# This file autogenerated by vCPE observer
+# It contains a list of DNS servers for dnsmasq to use.
+
+{% if cdn_enable %}
+# CDN 
+server=/foo.com/{{ dnsdemux_ip }}
+{% endif %}
+
+{% if url_filter_enable %}
+# placeholder; figure out what to really use...
+server=dns.xerocole.com
+{% else %}
+# use google's DNS service
+server=8.8.8.8
+{% endif %}

diff --git a/xos/observers/vcpe/templates/firewall_sample.j2 b/xos/observers/vcpe/templates/firewall_sample.j2
new file mode 100644
index 0000000..ce85e68
--- /dev/null
+++ b/xos/observers/vcpe/templates/firewall_sample.j2

@@ -0,0 +1,5 @@
+firewall_enable = {{ firewall_enable }}
+
+{% for firewall_rule in firewall_rules %}
+{{ firewall_rule }}
+{% endfor %}

diff --git a/xos/observers/vcpe/templates/vlan_sample.j2 b/xos/observers/vcpe/templates/vlan_sample.j2
new file mode 100644
index 0000000..a26c840
--- /dev/null
+++ b/xos/observers/vcpe/templates/vlan_sample.j2

@@ -0,0 +1,5 @@
+# below is a list of all vlan_ids associated with this vcpe
+
+{% for vlan_id in vlan_ids %}
+{{ vlan_id }}
+{% endfor %}

diff --git a/xos/observers/vcpe/vcpe_observer_config b/xos/observers/vcpe/vcpe_observer_config
new file mode 100644
index 0000000..c6500ae
--- /dev/null
+++ b/xos/observers/vcpe/vcpe_observer_config

@@ -0,0 +1,37 @@
+
+[plc]
+name=plc
+deployment=VICCI
+
+[db]
+name=xos
+user=postgres
+password=password
+host=localhost
+port=5432
+
+[api]
+host=128.112.171.237
+port=8000
+ssl_key=None
+ssl_cert=None
+ca_ssl_cert=None
+ratelimit_enabled=0
+omf_enabled=0
+mail_support_address=support@localhost
+nova_enabled=True
+
+[observer]
+name=vcpe
+dependency_graph=/opt/xos/observers/vcpe/model-deps
+steps_dir=/opt/xos/observers/vcpe/steps
+sys_dir=/opt/xos/observer/vcpe/sys
+deleters_dir=/opt/xos/observers/vcpe/deleters
+log_file=console
+#/var/log/hpc.log
+driver=None
+pretend=False
+
+[feefie]
+client_id='vicci_dev_central'
+user_id='pl'

diff --git a/xos/openstack_observer/ansible.py b/xos/openstack_observer/ansible.py
index 4466cb3..cf6106a 100644
--- a/xos/openstack_observer/ansible.py
+++ b/xos/openstack_observer/ansible.py

@@ -7,6 +7,8 @@
 import string
 import random
 import re
+import traceback
+import subprocess
 from xos.config import Config, XOS_DIR
 
 try:
@@ -47,7 +49,7 @@
 def shellquote(s):
     return "'" + s.replace("'", "'\\''") + "'"
 
-def run_template(name, opts,path='', expected_num=None):
+def run_template(name, opts,path='', expected_num=None, ansible_config=None, ansible_hosts=None, run_ansible_script=None):
     template = os_template_env.get_template(name)
     buffer = template.render(opts)
 
@@ -64,25 +66,35 @@
     f.write(buffer)
     f.flush()
 
-    
+    # This is messy -- there's no way to specify ansible config file from
+    # the command line, but we can specify it using the environment.
+    env = os.environ.copy()
+    if ansible_config:
+       env["ANSIBLE_CONFIG"] = ansible_config
+    if ansible_hosts:
+       env["ANSIBLE_HOSTS"] = ansible_hosts
+
     if (not Config().observer_pretend):
-        run = os.popen(XOS_DIR + '/observer/run_ansible %s'%shellquote(fqp))
+        if not run_ansible_script:
+            run_ansible_script = os.path.join(XOS_DIR, "observer/run_ansible")
+
+        #run = os.popen(XOS_DIR + '/observer/run_ansible %s'%shellquote(fqp), env=env)
+        run = subprocess.Popen("%s %s" % (run_ansible_script, shellquote(fqp)), shell=True, stdout=subprocess.PIPE, env=env).stdout
         msg = run.read()
         status = run.close()
 
         
     else:
         msg = open(fqp+'.out').read()
-        
+
     try:
         ok_results = parse_output(msg)
-        if (len(ok_results) != expected_num):
-            raise ValueError('Unexpected num')
+        if (expected_num is not None) and (len(ok_results) != expected_num):
+            raise ValueError('Unexpected num %s!=%d' % (str(expected_num), len(ok_results)) )
     except ValueError,e:
-        all_fatal = re.findall(r'^msg: (.*)',msg,re.MULTILINE)
+        all_fatal = [e.message] + re.findall(r'^msg: (.*)',msg,re.MULTILINE)
         all_fatal2 = re.findall(r'^ERROR: (.*)',msg,re.MULTILINE)
 
-
         all_fatal.extend(all_fatal2)
         try:
             error = ' // '.join(all_fatal)
@@ -92,6 +104,44 @@
 
     return ok_results
 
+def run_template_ssh(name, opts, path='', expected_num=None):
+    instance_id = opts["instance_id"]
+    sliver_name = opts["sliver_name"]
+    hostname = opts["hostname"]
+    private_key = opts["private_key"]
+
+    (private_key_handle, private_key_pathname) = tempfile.mkstemp()
+    (config_handle, config_pathname) = tempfile.mkstemp()
+    (hosts_handle, hosts_pathname) = tempfile.mkstemp()
+
+    try:
+        proxy_command = "ProxyCommand ssh -q -i %s %s@%s" % (private_key_pathname, instance_id, hostname)
+
+        os.write(private_key_handle, private_key)
+        os.close(private_key_handle)
+
+        os.write(config_handle, "[ssh_connection]\n")
+        os.write(config_handle, 'ssh_args = -o "%s"\n' % proxy_command)
+        os.write(config_handle, 'scp_if_ssh = True\n')
+        os.close(config_handle)
+
+        os.write(hosts_handle, "[%s]\n" % sliver_name)
+        os.write(hosts_handle, "%s ansible_ssh_private_key_file=%s\n" % (hostname, private_key_pathname))
+        os.close(hosts_handle)
+
+        print "ANSIBLE_CONFIG=%s" % config_pathname
+        print "ANSIBLE_HOSTS=%s" % hosts_pathname
+
+        return run_template(name, opts, path, expected_num, ansible_config = config_pathname, ansible_hosts = hosts_pathname, run_ansible_script="/opt/xos/observer/run_ansible_verbose")
+
+    finally:
+        #os.remove(private_key_pathname)
+        #os.remove(config_pathname)
+        #os.remove(hosts_pathname)
+        pass
+
+
+
 def main():
     run_template('ansible/sync_user_deployments.yaml',{ "endpoint" : "http://172.31.38.128:5000/v2.0/",
              "name" : "Sapan Bhatia",

diff --git a/xos/openstack_observer/backend.py b/xos/openstack_observer/backend.py
index 48dae2e..23ec352 100644
--- a/xos/openstack_observer/backend.py
+++ b/xos/openstack_observer/backend.py

@@ -1,3 +1,5 @@
+import os
+import sys
 import threading
 import time
 from observer.event_loop import XOSObserver
@@ -22,6 +24,7 @@
             model_policy_thread = threading.Thread(target=run_policy)
             model_policy_thread.start()
         else:
+            model_policy_thread = None
             print "Skipping model policies thread for service observer."
 
 
@@ -29,3 +32,16 @@
         #event_manager = EventListener(wake_up=observer.wake_up)
         #event_manager_thread = threading.Thread(target=event_manager.run)
         #event_manager_thread.start()
+
+        print "entering keyboard wait loop"
+        while True:
+            try:
+                time.sleep(1000)
+            except KeyboardInterrupt:
+                print "exiting due to keyboard interrupt"
+                # TODO: See about setting the threads as daemons
+                observer_thread._Thread__stop()
+                if model_policy_thread:
+                    model_policy_thread._Threat__stop()
+                sys.exit(1)
+

diff --git a/xos/openstack_observer/steps/sync_slivers.py b/xos/openstack_observer/steps/sync_slivers.py
index de17791..9ee7cfa 100644
--- a/xos/openstack_observer/steps/sync_slivers.py
+++ b/xos/openstack_observer/steps/sync_slivers.py

@@ -47,6 +47,9 @@
         if sliver.slice.creator.public_key:
             pubkeys.add(sliver.slice.creator.public_key)
 
+        if sliver.slice.service and sliver.slice.service.public_key:
+            pubkeys.add(sliver.slice.service.public_key)
+
         nics = []
         networks = [ns.network for ns in NetworkSlice.objects.filter(slice=sliver.slice)]
         controller_networks = ControllerNetwork.objects.filter(network__in=networks,
@@ -54,8 +57,10 @@
 
         for controller_network in controller_networks:
             if controller_network.network.template.visibility == 'private' and \
-               controller_network.network.template.translation == 'none' and controller_network.net_id:
-                nics.append(controller_network.net_id)
+               controller_network.network.template.translation == 'none':
+                   if not controller_network.net_id:
+                        raise Exception("Private Network %s has no id; Try again later" % controller_network.network.name)
+                   nics.append(controller_network.net_id)
 
         # now include network template
         network_templates = [network.template.shared_network_name for network in networks \
@@ -73,16 +78,20 @@
                 if net['name']=='public':
                     nics.append(net['id'])
 
-        # look up image id
-        if (not sliver.image.id):
+        image_id = None
+        controller_images = sliver.image.controllerimages.filter(controller=sliver.node.site_deployment.controller)
+        if controller_images:
+            image_id = controller_images[0].glance_image_id
+            logger.info("using image_id from ControllerImage object: " + str(image_id))
+
+        if image_id is None:
             controller_driver = self.driver.admin_driver(controller=sliver.node.site_deployment.controller)
             image_id = None
             images = controller_driver.shell.glanceclient.images.list()
             for image in images:
                 if image.name == sliver.image.name or not image_id:
                     image_id = image.id
-        else:
-            image_id = sliver.image.id
+                    logger.info("using image_id from glance: " + str(image_id))
 
         try:
             legacy = Config().observer_legacy
commit	d972c8dd8073804b93a8bbab68704edd0b6a0baa	[log] [tgz]
author	Tony Mack <tmack@cs.princeton.edu>	Wed May 06 12:32:21 2015 -0400
committer	Tony Mack <tmack@cs.princeton.edu>	Wed May 06 12:32:21 2015 -0400
tree	285e29115eb65c48dc485cb82a8219cb63cd5161
parent	9d2ea09d8290948fd212a315a33b11841852705f [diff]
parent	91dd0751b9e0384ccd14f2c1711e85ff19e91145 [diff]