Reduce dependencies on the dest nodes

Currently we require a slew of deps on each destination node, this
includes a gcc compiler and installing things via pip. We can remove
these dependencies by containerizing them and running and Ansible
inside the container itself. The container would then report back
facts about idempotency.

DocImpact
Closes-Bug: #1481495
Implements: blueprint containerize-dependencies
Change-Id: I3dfccbf9fafc06ffc36e78f3006fe5d3367891df

ansible/roles/bootstrap.yml

@@ -1,38 +1,45 @@
 ---
 - name: Creating database
-  mysql_db:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    login_host: "{{ database_address }}"
+    -m mysql_db
-    login_user: "{{ database_user }}"
+    -a "login_host='{{ database_address }}'
-    login_password: "{{ database_password }}"
+        login_user='{{ database_user }}'
-    name: "{{ service_database_name }}"
+        login_password='{{ database_password }}'
+        name='{{ service_database_name }}'"
   register: database
+  changed_when: "{{ database.stdout.find('localhost | SUCCESS => ') != -1 and (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  failed_when: database.stdout.split()[2] != 'SUCCESS'
   run_once: True
 
 - name: Creating database user and setting permissions
-  mysql_user:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    login_host: "{{ database_address }}"
+    -m mysql_user
-    login_user: "{{ database_user }}"
+    -a "login_host='{{ database_address }}'
-    login_password: "{{ database_password }}"
+        login_user='{{ database_user }}'
-    name: "{{ service_database_name }}"
+        login_password='{{ database_password }}'
-    password: "{{ service_database_password }}"
+        name='{{ service_database_name }}'
-    host: "%"
+        password='{{ service_database_password }}'
-    priv: "{{ service_database_name }}.*:ALL"
+        host='%'
-    append_privs: "yes"
+        priv='{{ service_database_name }}.*:ALL'
+        append_privs='yes'"
+  register: database_user
+  changed_when: "{{ database.stdout.find('localhost | SUCCESS => ') != -1 and (database_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  failed_when: database_user.stdout.split()[2] != 'SUCCESS'
   run_once: True
 
 - include: start.yml
   vars:
     run_once: True
-  when: database|changed
+  when: database.stdout.find('localhost | SUCCESS => ') != -1 and (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed
 
 # https://github.com/ansible/ansible-modules-core/pull/1031
 - name: Waiting for bootstrap container to exit
   command: docker wait "{{ container_name }}"
-  when: database|changed
+  when: database.stdout.find('localhost | SUCCESS => ') != -1 and (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed
 
 - name: Cleaning up boostrap container
   docker:
     name: "{{ container_name }}"
     image: "{{ container_image }}"
     state: "absent"
-  when: database|changed
+  when: database.stdout.find('localhost | SUCCESS => ') != -1 and (database.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed

ansible/roles/common/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+####################
+# Docker
+####################
+docker_ansible_registry: "{{ docker_registry ~ '/' if docker_registry else '' }}"
+docker_ansible_namespace: "{{ docker_namespace }}"
+kolla_ansible_base_distro: "{{ kolla_base_distro }}"
+kolla_ansible_install_type: "{{ kolla_install_type }}"
+kolla_ansible_container_name: "kolla-ansible"
+
+docker_ansible_image: "{{ docker_ansible_registry }}{{ docker_ansible_namespace }}/{{ kolla_ansible_base_distro }}-{{ kolla_ansible_install_type }}-{{ kolla_ansible_container_name }}"
+docker_ansible_tag: "{{ openstack_release }}"
+docker_ansible_image_full: "{{ docker_ansible_image }}:{{ docker_ansible_tag }}"

ansible/roles/common/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+- include: start.yml

ansible/roles/common/tasks/start.yml

@@ -0,0 +1,9 @@
+---
+- include: ../../start.yml
+  vars:
+    container_command: "/bin/sleep infinity"
+    container_environment:
+      ANSIBLE_NOCOLOR: "1"
+      ANSIBLE_LIBRARY: "/usr/share/ansible"
+    container_image: "{{ docker_ansible_image_full }}"
+    container_name: "kolla_ansible"

ansible/roles/glance/defaults/main.yml

@@ -44,3 +44,5 @@ glance_logging_verbose: "{{ openstack_logging_verbose }}"
 glance_logging_debug: "{{ openstack_logging_debug }}"
 
 glance_keystone_user: "glance"
+
+openstack_glance_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}"

ansible/roles/glance/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/glance/tasks/register.yml

@@ -1,23 +1,37 @@
 ---
 - name: Creating the Glance service and endpoint
-  kolla_keystone_service:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    service_name: "glance"
+    -m kolla_keystone_service
-    service_type: "image"
+    -a "service_name=glance
-    description: "Openstack Image"
+        service_type=image
-    endpoint_region: "{{ openstack_region_name }}"
+        description='Openstack Image'
-    admin_url: "http://{{ kolla_internal_address }}:{{ glance_api_port }}"
+        endpoint_region={{ openstack_region_name }}
-    internal_url: "http://{{ kolla_internal_address }}:{{ glance_api_port }}"
+        admin_url='http://{{ kolla_internal_address }}:{{ glance_api_port }}'
-    public_url: "http://{{ kolla_external_address }}:{{ glance_api_port }}"
+        internal_url='http://{{ kolla_internal_address }}:{{ glance_api_port }}'
-    auth: "{{ openstack_auth_v2 }}"
+        public_url='http://{{ kolla_external_address }}:{{ glance_api_port }}'
-    region_name: "{{ openstack_region_name }}"
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_glance_auth }}' }}"
+    -e "{'openstack_glance_auth':{{ openstack_glance_auth }}}"
+  register: glance_endpoint
+  changed_when: "{{ glance_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (glance_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: glance_endpoint.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
   run_once: True
 
 - name: Creating the Glance project, user, and role
-  kolla_keystone_user:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    project: "service"
+    -m kolla_keystone_user
-    user: "glance"
+    -a "project=service
-    password: "{{ glance_keystone_password }}"
+        user=glance
-    role: "admin"
+        password={{ glance_keystone_password }}
-    auth: "{{ openstack_auth_v2 }}"
+        role=admin
-    region_name: "{{ openstack_region_name }}"
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_glance_auth }}' }}"
+    -e "{'openstack_glance_auth':{{ openstack_glance_auth }}}"
+  register: glance_user
+  changed_when: "{{ glance_user.stdout.find('localhost | SUCCESS => ') != -1 and (glance_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: glance_user.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
   run_once: True

ansible/roles/haproxy/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/keystone/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/mariadb/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/mariadb/tasks/register.yml

@@ -1,15 +1,31 @@
 ---
+- include: ../../start.yml
+  vars:
+    container_environment:
+      KOLLA_BOOTSTRAP:
+      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+      DB_ROOT_PASSWORD: "{{ database_password }}"
+    container_image: "{{ docker_database_image_full }}"
+    container_name: "mariadb"
+    container_restart_policy: "no"
+    container_volumes:
+      - "{{ node_config_directory }}/mariadb/:/opt/kolla/mariadb/:ro"
+    container_volumes_from:
+      - "mariadb_data"
+  when: delegate_host == 'None' and inventory_hostname == groups['mariadb'][0]
+
 - name: Creating haproxy mysql user
-  mysql_user:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    login_host: "{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}"
+    -m mysql_user
-    login_user: "{{ database_user }}"
+    -a "login_host='{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}'
-    login_password: "{{ database_password }}"
+        login_user='{{ database_user }}'
-    name: "haproxy"
+        login_password='{{ database_password }}'
-    password: ""
+        name='haproxy'
-    host: "%"
+        password=''
-    priv: "*.*:USAGE"
+        host='%'"
-  register: status
+  register: haproxy_user
-  until: status|success
+  changed_when: "{{ (haproxy_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: haproxy_user.stdout.split()[2] == 'SUCCESS'
   retries: 10
   delay: 5
 

ansible/roles/neutron/defaults/main.yml

@@ -66,3 +66,5 @@ neutron_logging_debug: "{{ openstack_logging_debug }}"
 neutron_keystone_user: "neutron"
 
 neutron_bridge_name: "br-ex"
+
+openstack_neutron_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}"

ansible/roles/neutron/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/neutron/tasks/register.yml

@@ -1,23 +1,37 @@
 ---
 - name: Creating the Neutron service and endpoint
-  kolla_keystone_service:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    service_name: "neutron"
+    -m kolla_keystone_service
-    service_type: "network"
+    -a "service_name=neutron
-    description: "OpenStack Networking"
+        service_type=image
-    endpoint_region: "{{ openstack_region_name }}"
+        description='Openstack Networking'
-    admin_url: "http://{{ kolla_internal_address }}:{{ neutron_server_port }}"
+        endpoint_region={{ openstack_region_name }}
-    internal_url: "http://{{ kolla_internal_address }}:{{ neutron_server_port }}"
+        admin_url='http://{{ kolla_internal_address }}:{{ neutron_server_port }}'
-    public_url: "http://{{ kolla_external_address }}:{{ neutron_server_port }}"
+        internal_url='http://{{ kolla_internal_address }}:{{ neutron_server_port }}'
-    auth: "{{ openstack_auth_v2 }}"
+        public_url='http://{{ kolla_external_address }}:{{ neutron_server_port }}'
-    region_name: "{{ openstack_region_name }}"
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_neutron_auth }}' }}"
+    -e "{'openstack_neutron_auth':{{ openstack_neutron_auth }}}"
+  register: neutron_endpoint
+  changed_when: "{{ neutron_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (neutron_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: neutron_endpoint.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
   run_once: True
 
 - name: Creating the Neutron project, user, and role
-  kolla_keystone_user:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    project: "service"
+    -m kolla_keystone_user
-    user: "neutron"
+    -a "project=service
-    password: "{{ neutron_keystone_password }}"
+        user=neutron
-    role: "admin"
+        password={{ neutron_keystone_password }}
-    auth: "{{ openstack_auth_v2 }}"
+        role=admin
-    region_name: "{{ openstack_region_name }}"
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_neutron_auth }}' }}"
+    -e "{'openstack_neutron_auth':{{ openstack_neutron_auth }}}"
+  register: neutron_user
+  changed_when: "{{ neutron_user.stdout.find('localhost | SUCCESS => ') != -1 and (neutron_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: neutron_user.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
   run_once: True

ansible/roles/nova/defaults/main.yml

@@ -69,3 +69,5 @@ nova_logging_verbose: "{{ openstack_logging_verbose }}"
 nova_logging_debug: "{{ openstack_logging_debug }}"
 
 nova_keystone_user: "nova"
+
+openstack_nova_auth: "{'auth_url':'{{ openstack_auth_v2.auth_url }}','username':'{{ openstack_auth_v2.username }}','password':'{{ openstack_auth_v2.password }}','project_name':'{{ openstack_auth_v2.project_name }}'}"

ansible/roles/nova/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/nova/tasks/register.yml

@@ -1,23 +1,38 @@
 ---
 - name: Creating the Nova service and endpoint
-  kolla_keystone_service:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    service_name: "nova"
+    -m kolla_keystone_service
-    service_type: "compute"
+    -a "service_name=nova
-    description: "Openstack Compute"
+        service_type=compute
-    endpoint_region: "{{ openstack_region_name }}"
+        description='Openstack Compute'
-    admin_url: "http://{{ kolla_internal_address }}:{{ nova_api_port }}/v2/%(tenant_id)s"
+        endpoint_region={{ openstack_region_name }}
-    internal_url: "http://{{ kolla_internal_address }}:{{ nova_api_port }}/v2/%(tenant_id)s"
+        admin_url='http://{{ kolla_internal_address }}:{{ nova_api_port }}/v2/%(tenant_id)s'
-    public_url: "http://{{ kolla_external_address }}:{{ nova_api_port }}/v2/%(tenant_id)s"
+        internal_url='http://{{ kolla_internal_address }}:{{ nova_api_port }}/v2/%(tenant_id)s'
-    auth: "{{ openstack_auth_v2 }}"
+        public_url='http://{{ kolla_external_address }}:{{ nova_api_port }}/v2/%(tenant_id)s'
-    region_name: "{{ openstack_region_name }}"
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_nova_auth }}' }}"
+    -e "{'openstack_nova_auth':{{ openstack_nova_auth }}}"
+  register: nova_endpoint
+  changed_when: "{{ nova_endpoint.stdout.find('localhost | SUCCESS => ') != -1 and (nova_endpoint.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: nova_endpoint.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
   run_once: True
 
+
 - name: Creating the Nova project, user, and role
-  kolla_keystone_user:
+  command: docker exec -t kolla_ansible /usr/bin/ansible localhost
-    project: "service"
+    -m kolla_keystone_user
-    user: "nova"
+    -a "project=service
-    password: "{{ nova_keystone_password }}"
+        user=nova
-    role: "admin"
+        password={{ nova_keystone_password }}
-    auth: "{{ openstack_auth_v2 }}"
+        role=admin
-    region_name: "{{ openstack_region_name }}"
+        region_name={{ openstack_region_name }}
+        auth={{ '{{ openstack_nova_auth }}' }}"
+    -e "{'openstack_nova_auth':{{ openstack_nova_auth }}}"
+  register: nova_user
+  changed_when: "{{ nova_user.stdout.find('localhost | SUCCESS => ') != -1 and (nova_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+  until: nova_user.stdout.split()[2] == 'SUCCESS'
+  retries: 10
+  delay: 5
   run_once: True

ansible/roles/rabbitmq/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: common }

ansible/roles/start.yml

@@ -27,7 +27,7 @@
     restart_policy_retry: "{{ docker_restart_policy_retry }}"
     state: "reloaded"
     username: "{{ docker_registry_username }}"
-    volumes: "{{ container_volumes }}"
+    volumes: "{{ container_volumes | default([]) }}"
     volumes_from: "{{ container_volumes_from | default([]) }}"
   run_once: "{{ run_once | default('False') }}"
   when: not container_pid|default(False)
@@ -51,7 +51,7 @@
     restart_policy_retry: "{{ docker_restart_policy_retry }}"
     state: "reloaded"
     username: "{{ docker_registry_username }}"
-    volumes: "{{ container_volumes }}"
+    volumes: "{{ container_volumes | default([]) }}"
     volumes_from: "{{ container_volumes_from | default([]) }}"
   run_once: "{{ run_once | default('False') }}"
   when: container_pid|default(False)

docker/centos/binary/kolla-ansible/Dockerfile

@@ -0,0 +1,27 @@
+FROM %%KOLLA_NAMESPACE%%/%%KOLLA_PREFIX%%base:%%KOLLA_TAG%%
+MAINTAINER Kolla Project (https://launchpad.net/kolla)
+
+RUN yum -y install \
+        git \
+        gcc \
+        libffi-devel \
+        libxml2-devel \
+        libxslt-devel \
+        MySQL-python \
+        openssl-devel \
+        python-devel \
+        openssh-clients \
+    && yum clean all
+
+RUN pip install -U pip wheel \
+    && pip install python-openstackclient shade
+
+RUN git clone https://github.com/ansible/ansible.git \
+    && cd ansible \
+    && git submodule update --init --recursive \
+    && pip install .
+
+RUN mkdir -p /etc/ansible /usr/share/ansible \
+    && echo 'localhost ansible_connection=local' > /etc/ansible/hosts
+
+COPY kolla_keystone_service.py kolla_keystone_user.py /usr/share/ansible/

docker/centos/binary/kolla-ansible/build

@@ -0,0 +1 @@
+../../../../tools/build-docker-image

docs/minimal-environment-vars.md

@@ -329,6 +329,10 @@ In order for each service to function, there is a minimum set of required variab
     KEYSTONE_PUBLIC_SERVICE_HOST
     PUBLIC_IP
 
+# Kolla-ansible
+
+    None
+
 # Magnum-api
 
     ADMIN_TENANT_NAME

tox.ini

@@ -58,4 +58,4 @@ commands =
 
 [flake8]
 show-source = True
-exclude=.git,.tox,doc,ansible/library
+exclude=.git,.tox,doc,ansible/library,docker/centos/binary/kolla-ansible