Update to apache2 ~> 8.0 cookbook

This brings us up to date with the latest apache2 cookbook which included a major refactor in 6.0.0 removing all of the definitions and recipe with proper resources. Instead of using the apache2_default_site resource, directly use a template and then enable the config file using the apache2_site resource. This gives us the most flexibility. Other changes: - Remove selinux for depends as it's not being referenced anywhere in the cookbook - Included more ChefSpec tests for api recipe - Update WSGI template - Include additional cookbooks in Berksfile required for CI Depends-On: https://review.opendev.org/702772 Depends-On: https://review.opendev.org/701824 Change-Id: I289091f54750dd5068e98fd4f4853880f4b72c6c
2020-01-09 16:44:48 -08:00 · 2020-01-09 16:44:48 -08:00 · 873b58d13b
parent b81d56bdc7
commit 873b58d13b
10 changed files with 227 additions and 94 deletions
--- a/14
+++ b/14
@ -1,6 +1,18 @@
 source 'https://supermarket.chef.io'
-%w(client -image -identity -common).each do |cookbook|
+solver :ruby, :required
 %w(
  client
  -common
  -dns
  -identity
  -image
  -integration-test
  -network
  -ops-database
  -ops-messaging
 ).each do |cookbook|
  if Dir.exist?("../cookbook-openstack#{cookbook}")
    cookbook "openstack#{cookbook}", path: "../cookbook-openstack#{cookbook}"
  else
--- a/README.rst
+++ b/README.rst
@ -36,13 +36,12 @@ Cookbooks
 The following cookbooks are dependencies:
- 'apache2', '5.0.1'
+- 'apache2', '~> 8.0'
 - 'lvm'
 - 'openstackclient'
 - 'openstack-common', '>= 18.0.0'
 - 'openstack-identity', '>= 18.0.0'
 - 'openstack-image', '>= 18.0.0'
 - 'selinux'
 Attributes
 ==========
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -87,7 +87,7 @@ when 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
  default['openstack']['block-storage']['volume']['iscsi_helper'] = 'lioadm'
  default['openstack']['block-storage']['platform'] = {
    'cinder_common_packages' => ['openstack-cinder'],
-    'cinder_api_packages' => ['openstack-cinder'],
+    'cinder_api_packages' => ['openstack-cinder', 'mod_wsgi'],
    'cinder_api_service' => 'openstack-cinder-api',
    'cinder_volume_packages' => ['qemu-img-ev'],
    'cinder_volume_service' => 'openstack-cinder-volume',
--- a/metadata.rb
+++ b/metadata.rb
@ -17,14 +17,12 @@ recipe 'volume', 'Installs the cinder-volume service'
  supports os
 end
 depends 'apache2', '~> 8.0'
 depends 'lvm'
 depends 'openstackclient'
 depends 'openstack-common', '>= 18.0.0'
 depends 'openstack-identity', '>= 18.0.0'
 depends 'openstack-image', '>= 18.0.0'
 depends 'openstackclient'
 depends 'apache2', '5.0.1'
 depends 'lvm'
 depends 'selinux'
 issues_url 'https://launchpad.net/openstack-chef'
 source_url 'https://opendev.org/openstack/cookbook-openstack-block-storage'
--- a/recipes/api.rb
+++ b/recipes/api.rb
@ -23,6 +23,7 @@
 # Make Openstack object available in Chef::Recipe
 class ::Chef::Recipe
  include ::Openstack
  include Apache2::Cookbook::Helpers
 end
 include_recipe 'openstack-block-storage::cinder-common'
@ -68,43 +69,42 @@ if node['openstack']['block-storage']['policyfile_url']
  end
 end
 # Finds and appends the listen port to the apache2_install[openstack]
 # resource which is defined in openstack-identity::server-apache.
 apache_resource = find_resource(:apache2_install, 'openstack')
 if apache_resource
  apache_resource.listen = [apache_resource.listen, "#{bind_service['host']}:#{bind_service['port']}"].flatten
 else
  apache2_install 'openstack' do
    listen "#{bind_service['host']}:#{bind_service['port']}"
  end
 end
 apache2_module 'wsgi'
 apache2_module 'ssl' if node['openstack']['block-storage']['ssl']['enabled']
 # remove the cinder-wsgi.conf automatically generated from package
-apache_config 'cinder-wsgi' do
+apache2_conf 'cinder-wsgi' do
-  enable false
+  action :disable
 end
-web_app 'cinder-api' do
+template "#{apache_dir}/sites-available/cinder-api.conf" do
-  template 'wsgi-template.conf.erb'
+  extend Apache2::Cookbook::Helpers
-  daemon_process 'cinder-wsgi'
+  source 'wsgi-template.conf.erb'
-  server_host bind_service['host']
+  variables(
-  server_port bind_service['port']
+    daemon_process: 'cinder-wsgi',
-  server_entry '/usr/bin/cinder-wsgi'
+    server_host: bind_service['host'],
-  log_dir node['apache']['log_dir']
+    server_port: bind_service['port'],
-  run_dir node['apache']['run_dir']
+    server_entry: '/usr/bin/cinder-wsgi',
-  user node['openstack']['block-storage']['user']
+    log_dir: default_log_dir,
-  group node['openstack']['block-storage']['group']
+    run_dir: lock_dir,
-  use_ssl node['openstack']['block-storage']['ssl']['enabled']
+    user: node['openstack']['block-storage']['user'],
-  cert_file node['openstack']['block-storage']['ssl']['certfile']
+    group: node['openstack']['block-storage']['group']
-  chain_file node['openstack']['block-storage']['ssl']['chainfile']
+  )
-  key_file node['openstack']['block-storage']['ssl']['keyfile']
+  notifies :restart, 'service[apache2]'
  ca_certs_path node['openstack']['block-storage']['ssl']['ca_certs_path']
  cert_required node['openstack']['block-storage']['ssl']['cert_required']
  protocol node['openstack']['block-storage']['ssl']['protocol']
  ciphers node['openstack']['block-storage']['ssl']['ciphers']
 end
-# Hack until Apache cookbook has lwrp's for proper use of notify restart
+apache2_site 'cinder-api' do
 # apache2 after keystone if completely configured. Whenever a cinder
 # config is updated, have it notify the resource which clears the lock
 # so the service can be restarted.
 # TODO(ramereth): This should be removed once this cookbook is updated
 # to use the newer apache2 cookbook which uses proper resources.
 edit_resource(:template, "#{node['apache']['dir']}/sites-available/cinder-api.conf") do
  notifies :run, 'execute[Clear cinder-api apache restart]', :immediately
 end
 execute 'cinder-api apache restart' do
  command "touch #{Chef::Config[:file_cache_path]}/cinder-api-apache-restarted"
  creates "#{Chef::Config[:file_cache_path]}/cinder-api-apache-restarted"
  notifies :restart, 'service[apache2]', :immediately
 end
--- a/recipes/cinder-common.rb
+++ b/recipes/cinder-common.rb
@ -83,8 +83,13 @@ end
 # merge all config options and secrets to be used in the cinder.conf.erb
 cinder_conf_options = merge_config_options 'block-storage'
-execute 'Clear cinder-api apache restart' do
+# service['apache2'] is defined in the apache2_default_install resource
-  command "rm -f #{Chef::Config[:file_cache_path]}/cinder-api-apache-restarted"
+# but other resources are currently unable to reference it.  To work
 # around this issue, define the following helper in your cookbook:
 service 'apache2' do
  extend Apache2::Cookbook::Helpers
  service_name lazy { apache_platform_service_name }
  supports restart: true, status: true, reload: true
  action :nothing
 end
@ -97,7 +102,7 @@ template '/etc/cinder/cinder.conf' do
  variables(
    service_config: cinder_conf_options
  )
-  notifies :run, 'execute[Clear cinder-api apache restart]', :immediately
+  notifies :restart, 'service[apache2]'
 end
 # delete all secrets saved in the attribute
--- a/spec/api-redhat_spec.rb
+++ b/spec/api-redhat_spec.rb
@ -12,8 +12,13 @@ describe 'openstack-block-storage::api' do
    include_context 'block-storage-stubs'
    it do
      expect(chef_run).to_not create_file('/etc/apache2/conf-available/cinder-wsgi.conf')
    end
    it 'upgrades cinder api package' do
      expect(chef_run).to upgrade_package 'openstack-cinder'
      expect(chef_run).to upgrade_package 'mod_wsgi'
    end
    it 'upgrades mysql python package' do
--- a/spec/api_spec.rb
+++ b/spec/api_spec.rb
@ -12,34 +12,15 @@ describe 'openstack-block-storage::api' do
    include_context 'block-storage-stubs'
    include_examples 'common-logging'
-    include_examples 'creates_cinder_conf', 'execute[Clear cinder-api apache restart]', 'cinder', 'cinder', 'run'
+    include_examples 'creates_cinder_conf', 'service[apache2]', 'cinder', 'cinder', 'restart'
    it do
-      expect(chef_run).to nothing_execute('Clear cinder-api apache restart')
+      expect(chef_run).to create_file('/etc/apache2/conf-available/cinder-wsgi.conf').with(
-        .with(
+        owner: 'root',
-          command: 'rm -f /var/chef/cache/cinder-api-apache-restarted'
+        group: 'www-data',
-        )
+        mode: '0640',
-    end
+        content: '# Chef openstack-block-storage: file to block config from package'
-
+      )
    %w(
      /etc/cinder/cinder.conf
      /etc/apache2/sites-available/cinder-api.conf
    ).each do |f|
      it "#{f} notifies execute[Clear cinder-api apache restart]" do
        expect(chef_run.template(f)).to notify('execute[Clear cinder-api apache restart]').to(:run).immediately
      end
    end
    it do
      expect(chef_run).to run_execute('cinder-api apache restart')
        .with(
          command: 'touch /var/chef/cache/cinder-api-apache-restarted',
          creates: '/var/chef/cache/cinder-api-apache-restarted'
        )
    end
    it do
      expect(chef_run.execute('cinder-api apache restart')).to notify('service[apache2]').to(:restart).immediately
    end
    it 'upgrades cinder api packages' do
@ -56,6 +37,116 @@ describe 'openstack-block-storage::api' do
      expect(chef_run).to run_execute('cinder-manage db sync').with(user: 'cinder', group: 'cinder')
    end
    describe 'apache wsgi' do
      let(:file) { '/etc/apache2/sites-available/cinder-api.conf' }
      it do
        expect(chef_run).to create_template(file).with(
          source: 'wsgi-template.conf.erb',
          variables: {
            daemon_process: 'cinder-wsgi',
            group: 'cinder',
            log_dir: '/var/log/apache2',
            run_dir: '/var/lock/apache2',
            server_entry: '/usr/bin/cinder-wsgi',
            server_host: '127.0.0.1',
            server_port: '8776',
            user: 'cinder',
          }
        )
      end
      it 'configures cinder-api.conf' do
        [
          /VirtualHost 127.0.0.1:8776/,
          /WSGIDaemonProcess cinder-wsgi processes=2 threads=10 user=cinder group=cinder display-name=%{GROUP}/,
          /WSGIProcessGroup cinder-wsgi/,
          %r{WSGIScriptAlias / /usr/bin/cinder-wsgi},
          %r{ErrorLog /var/log/apache2/cinder-wsgi_error.log},
          %r{CustomLog /var/log/apache2/cinder-wsgi_access.log combined},
          %r{WSGISocketPrefix /var/lock/apache2},
        ].each do |line|
          expect(chef_run).to render_file(file).with_content(line)
        end
        expect(chef_run).to_not render_file(file).with_content(/SSLEngine On/)
      end
      it do
        expect(chef_run.template(file)).to notify('service[apache2]').to(:restart)
      end
      it do
        expect(chef_run).to install_apache2_install('openstack').with(listen: '127.0.0.1:8776')
      end
      it do
        expect(chef_run).to enable_apache2_module('wsgi')
      end
      it do
        expect(chef_run).to_not enable_apache2_module('ssl')
      end
      it do
        expect(chef_run).to disable_apache2_conf('cinder-wsgi')
      end
      it do
        expect(chef_run).to enable_apache2_site('cinder-api')
      end
      it do
        expect(chef_run.apache2_site('cinder-api')).to notify('service[apache2]').to(:restart).immediately
      end
      context 'Enable SSL' do
        cached(:chef_run) do
          node.override['openstack']['block-storage']['ssl']['enabled'] = true
          node.override['openstack']['block-storage']['ssl']['certfile'] = 'certfile'
          node.override['openstack']['block-storage']['ssl']['keyfile'] = 'keyfile'
          node.override['openstack']['block-storage']['ssl']['ca_certs_path'] = 'ca_certs_path'
          node.override['openstack']['block-storage']['ssl']['protocol'] = 'protocol'
          runner.converge(described_recipe)
        end
        it do
          expect(chef_run).to enable_apache2_module('ssl')
        end
        it 'configures cinder-api.conf' do
          [
            /SSLEngine On/,
            /SSLCertificateFile certfile/,
            /SSLCertificateKeyFile keyfile/,
            /SSLCACertificatePath ca_certs_path/,
            /SSLProtocol protocol/,
          ].each do |line|
            expect(chef_run).to render_file(file).with_content(line)
          end
          [
            /SSLCertificateChainFile/,
            /SSLCipherSuite/,
            /SSLVerifyClient/,
          ].each do |line|
            expect(chef_run).to_not render_file(file).with_content(line)
          end
        end
        context 'Enable chainfile, ciphers & cert_required' do
          cached(:chef_run) do
            node.override['openstack']['block-storage']['ssl']['enabled'] = true
            node.override['openstack']['block-storage']['ssl']['chainfile'] = 'chainfile'
            node.override['openstack']['block-storage']['ssl']['ciphers'] = 'ciphers'
            node.override['openstack']['block-storage']['ssl']['cert_required'] = true
            runner.converge(described_recipe)
          end
          it 'configures cinder-api.conf' do
            [
              /SSLCertificateChainFile chainfile/,
              /SSLCipherSuite ciphers/,
              /SSLVerifyClient require/,
            ].each do |line|
              expect(chef_run).to render_file(file).with_content(line)
            end
          end
        end
      end
    end
    describe 'policy file' do
      it 'does not manage policy file unless specified' do
        expect(chef_run).not_to create_remote_file('/etc/cinder/policy.json')
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -56,6 +56,35 @@ shared_context 'block-storage-stubs' do
    stub_command('/usr/sbin/httpd -t').and_return(true)
    stub_command('/usr/sbin/apache2 -t').and_return(true)
    allow(Chef::Application).to receive(:fatal!)
    # identity stubs
    allow_any_instance_of(Chef::Recipe).to receive(:secret)
      .with('secrets', 'credential_key0')
      .and_return('thisiscredentialkey0')
    allow_any_instance_of(Chef::Recipe).to receive(:secret)
      .with('secrets', 'credential_key1')
      .and_return('thisiscredentialkey1')
    allow_any_instance_of(Chef::Recipe).to receive(:secret)
      .with('secrets', 'fernet_key0')
      .and_return('thisisfernetkey0')
    allow_any_instance_of(Chef::Recipe).to receive(:secret)
      .with('secrets', 'fernet_key1')
      .and_return('thisisfernetkey1')
    allow_any_instance_of(Chef::Recipe).to receive(:search_for)
      .with('os-identity').and_return(
        [{
          'openstack' => {
            'identity' => {
              'admin_tenant_name' => 'admin',
              'admin_user' => 'admin',
            },
          },
        }]
      )
    allow_any_instance_of(Chef::Recipe).to receive(:memcached_servers)
      .and_return([])
    allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url)
      .with('identity')
      .and_return('rabbit://openstack:mypass@127.0.0.1:5672')
  end
 end
--- a/templates/default/wsgi-template.conf.erb
+++ b/templates/default/wsgi-template.conf.erb
@ -1,11 +1,9 @@
 <%= node["openstack"]["block-storage"]["custom_template_banner"] %>
-Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>
+<VirtualHost <%= @server_host %>:<%= @server_port %>>
-
+  WSGIDaemonProcess <%= @daemon_process %> processes=2 threads=10 user=<%= @user %> group=<%= @group %> display-name=%{GROUP}
-<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
+  WSGIProcessGroup <%= @daemon_process %>
-  WSGIDaemonProcess <%= @params[:daemon_process] %> processes=2 threads=10 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
+  WSGIScriptAlias / <%= @server_entry %>
  WSGIProcessGroup <%= @params[:daemon_process] %>
  WSGIScriptAlias / <%= @params[:server_entry] %>
  WSGIApplicationGroup %{GLOBAL}
  WSGIPassAuthorization On
@ -14,29 +12,25 @@ Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>
  </Directory>
  ErrorLogFormat "%{cu}t %M"
-  ErrorLog <%= @params[:log_dir] %>/<%= @params[:daemon_process] %>_error.log
+  ErrorLog <%= @log_dir %>/<%= @daemon_process %>_error.log
-  CustomLog <%= @params[:log_dir] %>/<%= @params[:daemon_process] %>_access.log combined
+  CustomLog <%= @log_dir %>/<%= @daemon_process %>_access.log combined
-<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
+<% if node['openstack']['block-storage']['ssl']['enabled'] -%>
  LogLevel debug
 <% end -%>
 <% if @params[:use_ssl] -%>
  SSLEngine On
-  SSLCertificateFile <%= @params[:cert_file] %>
+  SSLCertificateFile <%= node['openstack']['block-storage']['ssl']['certfile'] %>
-  SSLCertificateKeyFile <%= @params[:key_file] %>
+  SSLCertificateKeyFile <%= node['openstack']['block-storage']['ssl']['keyfile'] %>
-  SSLCACertificatePath <%= @params[:ca_certs_path] %>
+  SSLCACertificatePath <%= node['openstack']['block-storage']['ssl']['ca_certs_path'] %>
-<%   if @params[:chain_file] %>
+<%   unless node['openstack']['block-storage']['ssl']['chainfile'].empty? %>
-  SSLCertificateChainFile <%= @params[:chain_file] %>
+  SSLCertificateChainFile <%= node['openstack']['block-storage']['ssl']['chainfile'] %>
 <%   end -%>
-  SSLProtocol <%= @params[:protocol] %>
+  SSLProtocol <%= node['openstack']['block-storage']['ssl']['protocol'] %>
-<%   if @params[:ciphers] -%>
+<%   unless node['openstack']['block-storage']['ssl']['ciphers'].empty? -%>
-  SSLCipherSuite <%= @params[:ciphers] %>
+  SSLCipherSuite <%= node['openstack']['block-storage']['ssl']['ciphers'] %>
 <%   end -%>
-<%   if @params[:cert_required] -%>
+<%   if node['openstack']['block-storage']['ssl']['cert_required'] -%>
  SSLVerifyClient require
 <%   end -%>
 <% end -%>
 </VirtualHost>
-WSGISocketPrefix <%= @params[:run_dir] -%>
+WSGISocketPrefix <%= @run_dir -%>