From 8593f2378b4955ea117813b6db8374a09746565c Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Wed, 3 Jun 2020 11:30:48 +0200
Subject: [PATCH] Install uWSGI from PyPI to repair CentOS 8 support

CentOS 8 does not have uWSGI, not even in EPEL: https://bugzilla.redhat.com/show_bug.cgi?id=1757157 Since it's installable from PyPI, let's do it instead. Also update SELinux to enable uWSGI+nginx to operate.
Change-Id: I44d0582e221e24404f427b261bf6d366f5c32775
---
 .../required_defaults_Debian_family.yml | 4 ---
 .../required_defaults_RedHat_family.yml | 4 +--
 .../required_defaults_Suse_family.yml | 3 +--
 .../defaults/required_defaults_Ubuntu.yml | 4 ---
 .../files/keystone_policy.te | 11 ++++++++
 .../tasks/bootstrap.yml | 27 +++++++++++++++++++
 .../tasks/install.yml | 8 ++++++
 .../centos-keystone-acad21e70153067d.yaml | 4 +++
 zuul.d/bifrost-jobs.yaml | 7 +++++
 zuul.d/project.yaml | 2 ++
 10 files changed, 62 insertions(+), 12 deletions(-)
 create mode 100644 playbooks/roles/bifrost-keystone-install/files/keystone_policy.te
 create mode 100644 releasenotes/notes/centos-keystone-acad21e70153067d.yaml

diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml
index a18886934..ead98a4ee 100644
--- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml
@@ -14,7 +14,3 @@ required_packages:
 - libssl-dev
 - libxml2-dev
 - nginx
- - uwsgi
- - uwsgi-core
- # - python-django-uwsgi - This may not be needed
- - uwsgi-plugin-python
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml
index b223f6eb3..341cfa7c7 100644
--- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml
@@ -15,10 +15,10 @@ required_packages:
 - python3-devel
 - python3-PyMySQL
 - python3-iniparse
+ - python3-libselinux
+ - python3-policycoreutils
 - libffi-devel
 - libxslt-devel
 - openssl-devel
 - libxml2-devel
 - nginx
- - uwsgi
- - uwsgi-plugin-python3
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml
index 93b44eacf..98240713a 100644
--- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml
@@ -6,6 +6,7 @@ mysql_service_name: mysql
 required_packages:
 - python-selinux
 - mariadb
+ - policycoreutils-python
 - python-devel
 - python-MySQL-python
 - python-iniparse
@@ -14,5 +15,3 @@ required_packages:
 - libopenssl-devel
 - libxml2-devel
 - nginx
- - uwsgi
- - uwsgi-python
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu.yml
index 2f199ddaa..6f2902139 100644
--- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu.yml
@@ -13,7 +13,3 @@ required_packages:
 - libssl-dev
 - libxml2-dev
 - nginx
- - uwsgi
- - uwsgi-core
- # - python-django-uwsgi - This may not be needed
- - uwsgi-plugin-python3
diff --git a/playbooks/roles/bifrost-keystone-install/files/keystone_policy.te b/playbooks/roles/bifrost-keystone-install/files/keystone_policy.te
new file mode 100644
index 000000000..b7e8b745c
--- /dev/null
+++ b/playbooks/roles/bifrost-keystone-install/files/keystone_policy.te
@@ -0,0 +1,11 @@
+module keystone_policy 1.0;
+
+require {
+ type var_run_t;
+ type httpd_t;
+ class sock_file write;
+}
+
+#============= httpd_t ==============
+
+allow httpd_t var_run_t:sock_file write;
diff --git a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
index b69370b52..b64a32737 100644
--- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
@@ -284,3 +284,30 @@
 - name: "Remove uwsgi sysvinit init script"
 command: update-rc.d -f uwsgi remove
 ignore_errors: yes
+
+- block:
+ - name: "Explicitly allow keystone port (TCP) on selinux"
+ seport:
+ ports: "5000"
+ proto: tcp
+ setype: http_port_t
+ state: present
+
+ - name: Copy keystone policy file to temporary directory
+ copy:
+ src: keystone_policy.te
+ dest: /tmp/keystone_policy.te
+
+ - name: Check keystone policy module
+ command: checkmodule -M -m -o /tmp/keystone_policy.mod /tmp/keystone_policy.te
+
+ - name: Package keystone policy module
+ command: semodule_package -m /tmp/keystone_policy.mod -o /tmp/keystone_policy.pp
+
+ - name: Include keystone policy module
+ command: semodule -i /tmp/keystone_policy.pp
+
+ - name: Enable keystone policy module
+ command: semodule -e keystone_policy
+ when: (ansible_os_family == 'RedHat' or ansible_os_family == 'Suse') and
+ ansible_selinux.status == 'enabled' and ansible_selinux.mode == "enforcing"
diff --git a/playbooks/roles/bifrost-keystone-install/tasks/install.yml b/playbooks/roles/bifrost-keystone-install/tasks/install.yml
index e4bc29b7d..c5be50602 100644
--- a/playbooks/roles/bifrost-keystone-install/tasks/install.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/install.yml
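Review bot: The rule `allow httpd_t var_run_t:sock_file write;` in keystone_policy.te lets every process in the httpd_t domain write to any socket file that carries the generic var_run_t label, which is wider than the single uWSGI socket nginx has to reach. A narrower option is to give the Keystone uWSGI socket directory its own label (for instance an fcontext rule assigning `httpd_var_run_t`, then `restorecon`), so the allow rule either becomes unnecessary or can name that type instead of var_run_t. If the generic rule stays, a comment above it such as `# nginx (httpd_t) must write to the Keystone uWSGI unix socket, which is labelled var_run_t` would record why the exception exists and what it is meant to cover.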
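Review bot: The policy source, the `.mod` and the `.pp` are built under fixed names directly in `/tmp` and then loaded with `semodule -i` as root, so the build shares a world-writable directory with every local account and the artefacts are never removed. Building in a private directory from the `tempfile` module and deleting it at the end avoids writing through files or links that already exist under those names. The four `command` tasks also rerun and report "changed" on every play; a `changed_when` or a guard on `semodule -l` output would make the block idempotent. Separately, the `when:` matches only enforcing mode, so a host that is permissive at install time never receives the module and would break if switched to enforcing later; `ansible_selinux.status == 'enabled'` alone looks like the safer condition.

```yaml
  - name: Create a private build directory for the policy module
    tempfile:
      state: directory
      suffix: keystone_policy
    register: keystone_policy_build

  - name: Copy keystone policy file to the build directory
    copy:
      src: keystone_policy.te
      dest: "{{ keystone_policy_build.path }}/keystone_policy.te"

  - name: Check keystone policy module
    command: >
      checkmodule -M -m
      -o {{ keystone_policy_build.path }}/keystone_policy.mod
      {{ keystone_policy_build.path }}/keystone_policy.te

  # … unchanged apart from the path prefix: semodule_package, semodule -i, semodule -e …

  - name: Remove the policy build directory
    file:
      path: "{{ keystone_policy_build.path }}"
      state: absent
```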
@@ -45,6 +45,14 @@
 - skip_install is not defined
 - enable_venv | bool == true
 
+- name: "Install uWSGI in venv if using"
+ include: pip_install.yml
+ package=uWSGI
+ virtualenv=bifrost_venv_dir
+ when:
+ - skip_install is not defined
+ - enable_venv | bool == true
+
 - name: "Install python-openstackclient in venv if using"
 include: pip_install.yml
 package=python-openstackclient
diff --git a/releasenotes/notes/centos-keystone-acad21e70153067d.yaml b/releasenotes/notes/centos-keystone-acad21e70153067d.yaml
new file mode 100644
index 000000000..0cc9804bb
--- /dev/null
+++ b/releasenotes/notes/centos-keystone-acad21e70153067d.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Fixes installing Keystone under CentOS 8.
diff --git a/zuul.d/bifrost-jobs.yaml b/zuul.d/bifrost-jobs.yaml
index 83b5ccb44..6258770bb 100644
--- a/zuul.d/bifrost-jobs.yaml
+++ b/zuul.d/bifrost-jobs.yaml
@@ -109,6 +109,13 @@
 parent: bifrost-integration-tinyipa
 nodeset: centos-8
 
+- job:
+ name: bifrost-integration-tinyipa-keystone-centos-8
+ parent: bifrost-integration-tinyipa
+ nodeset: centos-8
+ vars:
+ enable_keystone: true
+
 - job:
 name: bifrost-integration-tinyipa-debian-buster
 parent: bifrost-integration-tinyipa
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 80e6f976a..6a1a69d12 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -10,6 +10,7 @@
 - bifrost-integration-tinyipa-ubuntu-bionic
 - bifrost-integration-tinyipa-centos-8
 - bifrost-integration-tinyipa-keystone-ubuntu-bionic
+ - bifrost-integration-tinyipa-keystone-centos-8
 # Non-voting jobs
 - bifrost-integration-tinyipa-opensuse-15:
 voting: false
@@ -36,3 +37,4 @@
 - bifrost-integration-tinyipa-ubuntu-bionic
 - bifrost-integration-tinyipa-centos-8
 - bifrost-integration-tinyipa-keystone-ubuntu-bionic
+ - bifrost-integration-tinyipa-keystone-centos-8
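Review bot: uWSGI is installed only by the new venv-only task in install.yml (`enable_venv | bool == true`), while the same commit removes the `uwsgi` distro packages from all four `required_defaults_*` files, so a run without the venv appears to end up with no uWSGI at all unless a task outside this hunk covers that path. The install is also unpinned: `package=uWSGI` takes whatever version PyPI serves and compiles it on the target, replacing a distro-signed package, so a version bound or constraints file (if `pip_install.yml` does not already apply one) would keep the build reproducible and reviewable. `virtualenv=bifrost_venv_dir` passes a bare name rather than `{{ bifrost_venv_dir }}`; that may be what `pip_install.yml` expects, but it should be checked against the neighbouring tasks, whose parameters are cut off by the hunk.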