511ba9f6a2
When kolla_copy_ca_into_containers is set to "yes", the Certificate Authority in /etc/kolla/certificates will be copied into service containers to enable trust for that CA. This is especially useful when the CA is self signed, and would not be trusted by default. Partially-Implements: blueprint custom-cacerts Change-Id: I4368f8994147580460ebe7533850cf63a419d0b4
231 lines
7.0 KiB
YAML
231 lines
7.0 KiB
YAML
---
|
|
- name: Setting sysctl values
|
|
become: true
|
|
sysctl: name={{ item.name }} value={{ item.value }} sysctl_set=yes
|
|
with_items:
|
|
- { name: "net.bridge.bridge-nf-call-iptables", value: 1}
|
|
- { name: "net.bridge.bridge-nf-call-ip6tables", value: 1}
|
|
- { name: "net.ipv4.conf.all.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
|
|
- { name: "net.ipv4.conf.default.rp_filter", value: "{{ nova_compute_host_rp_filter_mode }}"}
|
|
when:
|
|
- set_sysctl | bool
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
|
|
- name: Ensuring config directories exist
|
|
become: true
|
|
file:
|
|
path: "{{ node_config_directory }}/{{ item.key }}"
|
|
state: "directory"
|
|
owner: "{{ config_owner_user }}"
|
|
group: "{{ config_owner_group }}"
|
|
mode: "0770"
|
|
when:
|
|
- inventory_hostname in groups[item.value.group]
|
|
- item.value.enabled | bool
|
|
with_dict: "{{ nova_cell_services }}"
|
|
|
|
- name: Copying over extra CA certificates
|
|
become: true
|
|
copy:
|
|
src: "{{ node_config }}/certificates/ca/"
|
|
dest: "{{ node_config_directory }}/{{ item.key }}/ca-certificates"
|
|
mode: "0644"
|
|
when:
|
|
- item.value.enabled | bool
|
|
- inventory_hostname in groups[item.value.group]
|
|
- kolla_copy_ca_into_containers | bool
|
|
with_dict: "{{ nova_cell_services }}"
|
|
|
|
- include_tasks: ceph.yml
|
|
when:
|
|
- enable_ceph | bool and nova_backend == "rbd"
|
|
- inventory_hostname in groups[nova_cell_conductor_group] or
|
|
inventory_hostname in groups[nova_cell_compute_group]
|
|
|
|
- include_tasks: external_ceph.yml
|
|
when:
|
|
- not enable_ceph | bool and (nova_backend == "rbd" or cinder_backend_ceph | bool)
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
|
|
- name: Check if policies shall be overwritten
|
|
stat:
|
|
path: "{{ item }}"
|
|
delegate_to: localhost
|
|
run_once: True
|
|
register: nova_policy
|
|
with_first_found:
|
|
- files: "{{ supported_policy_format_list }}"
|
|
paths:
|
|
- "{{ node_custom_config }}/nova/"
|
|
skip: true
|
|
|
|
- name: Set nova policy file
|
|
set_fact:
|
|
nova_policy_file: "{{ nova_policy.results.0.stat.path | basename }}"
|
|
nova_policy_file_path: "{{ nova_policy.results.0.stat.path }}"
|
|
when:
|
|
- nova_policy.results
|
|
|
|
- name: Copying over config.json files for services
|
|
become: true
|
|
template:
|
|
src: "{{ item.key }}.json.j2"
|
|
dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
|
|
mode: "0660"
|
|
when:
|
|
- inventory_hostname in groups[item.value.group]
|
|
- item.value.enabled | bool
|
|
with_dict: "{{ nova_cell_services }}"
|
|
notify:
|
|
- "Restart {{ item.key }} container"
|
|
|
|
- name: Set XenAPI facts
|
|
set_fact:
|
|
xenapi_facts: "{{ lookup('file', xenapi_facts_root + '/' + inventory_hostname + '/' + xenapi_facts_file) | from_json }}"
|
|
when:
|
|
- nova_compute_virt_type == 'xenapi'
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
|
|
- name: Copying over nova.conf
|
|
become: true
|
|
vars:
|
|
service_name: "{{ item.key }}"
|
|
merge_configs:
|
|
sources:
|
|
- "{{ role_path }}/templates/nova.conf.j2"
|
|
- "{{ node_custom_config }}/global.conf"
|
|
- "{{ node_custom_config }}/nova.conf"
|
|
- "{{ node_custom_config }}/nova/{{ item.key }}.conf"
|
|
- "{{ node_custom_config }}/nova/{{ inventory_hostname }}/nova.conf"
|
|
dest: "{{ node_config_directory }}/{{ item.key }}/nova.conf"
|
|
mode: "0660"
|
|
when:
|
|
- inventory_hostname in groups[item.value.group]
|
|
- item.value.enabled | bool
|
|
- item.key in nova_cell_services_require_nova_conf
|
|
with_dict: "{{ nova_cell_services }}"
|
|
notify:
|
|
- "Restart {{ item.key }} container"
|
|
|
|
- name: Copying over libvirt configuration
|
|
become: true
|
|
vars:
|
|
service: "{{ nova_cell_services['nova-libvirt'] }}"
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ node_config_directory }}/nova-libvirt/{{ item.dest }}"
|
|
mode: "0660"
|
|
when:
|
|
- inventory_hostname in groups[service.group]
|
|
- service.enabled | bool
|
|
with_items:
|
|
- { src: "qemu.conf.j2", dest: "qemu.conf" }
|
|
- { src: "libvirtd.conf.j2", dest: "libvirtd.conf" }
|
|
notify:
|
|
- Restart nova-libvirt container
|
|
|
|
- name: Copying over libvirt TLS keys (nova-libvirt)
|
|
include_tasks: "config-libvirt-tls.yml"
|
|
vars:
|
|
service: "{{ nova_cell_services['nova-libvirt'] }}"
|
|
service_name: nova-libvirt
|
|
file: "{{ item }}"
|
|
when:
|
|
- inventory_hostname in groups[service.group]
|
|
- service.enabled | bool
|
|
- libvirt_tls | bool
|
|
- libvirt_tls_manage_certs | bool
|
|
with_items:
|
|
- cacert.pem
|
|
- servercert.pem
|
|
- serverkey.pem
|
|
- clientcert.pem
|
|
- clientkey.pem
|
|
|
|
- name: Copying over libvirt TLS keys (nova-compute)
|
|
include_tasks: "config-libvirt-tls.yml"
|
|
vars:
|
|
service: "{{ nova_cell_services['nova-compute'] }}"
|
|
service_name: nova-compute
|
|
file: "{{ item }}"
|
|
when:
|
|
- inventory_hostname in groups[service.group]
|
|
- service.enabled | bool
|
|
- libvirt_tls | bool
|
|
- libvirt_tls_manage_certs | bool
|
|
with_items:
|
|
- cacert.pem
|
|
- clientcert.pem
|
|
- clientkey.pem
|
|
|
|
- name: Copying files for nova-ssh
|
|
become: true
|
|
vars:
|
|
service: "{{ nova_cell_services['nova-ssh'] }}"
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ node_config_directory }}/nova-ssh/{{ item.dest }}"
|
|
mode: "0660"
|
|
when:
|
|
- inventory_hostname in groups[service.group]
|
|
- service.enabled | bool
|
|
with_items:
|
|
- { src: "sshd_config.j2", dest: "sshd_config" }
|
|
- { src: "id_rsa", dest: "id_rsa" }
|
|
- { src: "id_rsa.pub", dest: "id_rsa.pub" }
|
|
- { src: "ssh_config.j2", dest: "ssh_config" }
|
|
notify:
|
|
- Restart nova-ssh container
|
|
|
|
- name: Copying VMware vCenter CA file
|
|
vars:
|
|
service: "{{ nova_cell_services['nova-compute'] }}"
|
|
copy:
|
|
src: "{{ node_custom_config }}/vmware_ca"
|
|
dest: "{{ node_config_directory }}/nova-compute/vmware_ca"
|
|
mode: "0660"
|
|
when:
|
|
- nova_compute_virt_type == "vmware"
|
|
- not vmware_vcenter_insecure | bool
|
|
- inventory_hostname in groups[service.group]
|
|
- service.enabled | bool
|
|
notify:
|
|
- Restart nova-compute container
|
|
|
|
- name: Copying 'release' file for nova_compute
|
|
vars:
|
|
service: "{{ nova_cell_services['nova-compute'] }}"
|
|
copy:
|
|
src: "{{ item }}"
|
|
dest: "{{ node_config_directory }}/nova-compute/release"
|
|
mode: "0660"
|
|
with_first_found:
|
|
- files:
|
|
- "{{ node_custom_config }}/nova_compute/{{ inventory_hostname }}/release"
|
|
- "{{ node_custom_config }}/nova_compute/release"
|
|
- "{{ node_custom_config }}/nova/release"
|
|
skip: true
|
|
when:
|
|
- inventory_hostname in groups[service.group]
|
|
- service.enabled | bool
|
|
notify:
|
|
- Restart nova-compute container
|
|
|
|
- name: Copying over existing policy file
|
|
become: true
|
|
template:
|
|
src: "{{ nova_policy_file_path }}"
|
|
dest: "{{ node_config_directory }}/{{ item.key }}/{{ nova_policy_file }}"
|
|
mode: "0660"
|
|
when:
|
|
- inventory_hostname in groups[item.value.group]
|
|
- item.value.enabled | bool
|
|
- nova_policy_file is defined
|
|
- item.key in nova_cell_services_require_policy_json
|
|
with_dict: "{{ nova_cell_services }}"
|
|
notify:
|
|
- "Restart {{ item.key }} container"
|
|
|
|
- include_tasks: check-containers.yml
|
|
when: kolla_action != "config"
|