Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and leverages a common systemd service role instead. This change removes a lot of code duplication across all roles without sacrificing features or functionality. The intention of this change is to ensure uniformity and reduce the maintenance burden on the community when sweeping changes are needed. The systemd journal would normally be populated with the standard output of a service; however, with the use of uwsgi this does not happen, so we only capture the logs from the uwsgi process instead of the service itself. This change implements journal logging in the service config, which is part of OSLO logging. OSLO logging docs can be found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html> Change-Id: Ic5b57a650bd9f5c385ed0a0a3efd1d530a2d7e81 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
parent
6cdb8fad56
commit
005e5b61ca
|
@ -38,7 +38,6 @@ barbican_system_user_name: barbican
|
|||
barbican_system_user_comment: Barbican System User
|
||||
barbican_system_user_shell: /bin/false
|
||||
barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
|
||||
barbican_log_directory: /var/log/barbican
|
||||
barbican_etc_directory: /etc/barbican
|
||||
barbican_vassals_directory: "{{ barbican_etc_directory }}/vassals"
|
||||
|
||||
|
@ -47,8 +46,19 @@ barbican_api_program_name: barbican-api
|
|||
barbican_keystone_listener_program_name: barbican-keystone-listener
|
||||
barbican_worker_program_name: barbican-worker
|
||||
barbican_retry_program_name: barbican-retry
|
||||
barbican_uwsgi_program_name: uwsgi
|
||||
barbican_uwsgi_options: "--master --die-on-term --emperor {{ barbican_vassals_directory }}"
|
||||
|
||||
## Service Name-Group Mapping
|
||||
barbican_services:
|
||||
barbican:
|
||||
group: barbican_all
|
||||
service_name: barbican
|
||||
init_config_overrides: "{{ barbican_init_config_overrides }}"
|
||||
execstarts: >-
|
||||
{{ barbican_uwsgi_bin }}/uwsgi
|
||||
--master
|
||||
--die-on-term
|
||||
--emperor {{ barbican_vassals_directory }}
|
||||
start_order: 1
|
||||
|
||||
## Service Type and Data
|
||||
barbican_service_name: barbican
|
||||
|
@ -74,6 +84,7 @@ barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ externa
|
|||
barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
|
||||
barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
|
||||
|
||||
barbican_init_config_overrides: {}
|
||||
barbican_config_overrides: {}
|
||||
barbican_policy_overrides: {}
|
||||
barbican_paste_overrides: {}
|
||||
|
@ -168,6 +179,7 @@ barbican_pip_packages:
|
|||
- osprofiler
|
||||
- PyMySQL
|
||||
- python-memcached
|
||||
- systemd-python
|
||||
- uwsgi
|
||||
|
||||
# This variable is used by the repo_build process to determine
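Review bot: `init_config_overrides` in the new `barbican_services` entry reads `barbican_init_config_overrides`, while the task this commit deletes passed `barbican_uwsgi_init_overrides` to the unit template, so a deployer still setting the old name would have their unit overrides dropped without any error. That matters most where an override carried a hardening or resource-limit directive for the unit. Whether the old variable was a documented knob is not visible in this diff; if it was, either chain it for a cycle with `barbican_init_config_overrides: "{{ barbican_uwsgi_init_overrides | default({}) }}"` or list the rename in the release note, which currently covers only the log path.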
|
||||
|
|
|
@ -13,19 +13,9 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Restart Apache
|
||||
systemd:
|
||||
name: "apache2"
|
||||
state: "restarted"
|
||||
daemon_reload: yes
|
||||
register: apache_restart
|
||||
until: apache_restart is success
|
||||
retries: 5
|
||||
delay: 2
|
||||
|
||||
- name: Restart barbican services
|
||||
systemd:
|
||||
name: "{{ barbican_uwsgi_program_name }}"
|
||||
name: "{{ item.service_name }}"
|
||||
state: "restarted"
|
||||
daemon_reload: yes
|
||||
|
||||
with_items: "{{ filtered_barbican_services }}"
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
deprecations:
|
||||
- The log path, ``/var/log/barbican`` is no longer used to capture service
|
||||
logs. All logging for the barbican service will now be sent directly to the
|
||||
systemd journal.
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
# Copyright 2016, Ian Cordasco
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include: barbican_init_common.yml
|
||||
vars:
|
||||
program_name: "{{ barbican_uwsgi_program_name }}"
|
||||
program_bin: "{{ barbican_uwsgi_bin }}"
|
||||
program_config_options: "{{ barbican_uwsgi_options }}"
|
||||
service_name: "{{ barbican_service_name }}"
|
||||
system_user: "{{ barbican_system_user_name }}"
|
||||
system_group: "{{ barbican_system_group_name }}"
|
||||
service_home: "{{ barbican_system_user_home }}"
|
||||
log_directory: "{{ barbican_log_directory }}"
|
|
@ -1,26 +0,0 @@
|
|||
---
|
||||
# Copyright 2016, Comcast Corporation.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include: barbican_init_systemd.yml
|
||||
static: no
|
||||
when:
|
||||
- ansible_service_mgr == 'systemd'
|
||||
|
||||
- name: Load service
|
||||
service:
|
||||
name: "{{ program_name }}"
|
||||
enabled: "yes"
|
||||
notify:
|
||||
- Restart barbican services
|
|
@ -1,50 +0,0 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create TEMP run dir
|
||||
file:
|
||||
path: "/var/run/{{ program_name }}"
|
||||
state: directory
|
||||
owner: "{{ system_user }}"
|
||||
group: "{{ system_group }}"
|
||||
mode: "02755"
|
||||
|
||||
- name: Create TEMP lock dir
|
||||
file:
|
||||
path: "/var/lock/{{ program_name }}"
|
||||
state: directory
|
||||
owner: "{{ system_user }}"
|
||||
group: "{{ system_group }}"
|
||||
mode: "02755"
|
||||
|
||||
- name: Create tempfile.d entry
|
||||
template:
|
||||
src: "barbican-systemd-tempfiles.j2"
|
||||
dest: "/etc/tmpfiles.d/barbican.conf"
|
||||
mode: "0644"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
|
||||
- name: Place the systemd init script
|
||||
config_template:
|
||||
src: "barbican-systemd-init.j2"
|
||||
dest: "/etc/systemd/system/{{ program_name }}.service"
|
||||
mode: "0644"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
config_overrides: "{{ barbican_uwsgi_init_overrides }}"
|
||||
config_type: "ini"
|
||||
notify:
|
||||
- Restart barbican services
|
|
@ -40,24 +40,3 @@
|
|||
- path: "/etc/barbican"
|
||||
- path: "/etc/barbican/vassals"
|
||||
- path: "{{ barbican_system_user_home }}"
|
||||
|
||||
- name: Test for Barbican log directory or link
|
||||
shell: |
|
||||
if [ -h "{{ barbican_log_directory }}" ]; then
|
||||
chown -h {{ barbican_system_user_name }}:{{ barbican_system_group_name }} {{ barbican_log_directory }}
|
||||
chown -R {{ barbican_system_user_name }}:{{ barbican_system_group_name }} "$(readlink {{ barbican_log_directory }})"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
register: log_dir
|
||||
failed_when: false
|
||||
changed_when: log_dir.rc != 0
|
||||
|
||||
- name: Create Barbican log directory
|
||||
file:
|
||||
path: "{{ barbican_log_directory }}"
|
||||
state: "directory"
|
||||
owner: "{{ barbican_system_user_name }}"
|
||||
group: "{{ barbican_system_group_name }}"
|
||||
mode: "0750"
|
||||
when: log_dir.rc != 0
|
||||
|
|
|
@ -53,9 +53,33 @@
|
|||
tags:
|
||||
- barbican-config
|
||||
|
||||
- include: barbican_init.yml
|
||||
- name: Run the systemd service role
|
||||
include_role:
|
||||
name: systemd_service
|
||||
private: true
|
||||
vars:
|
||||
systemd_user_name: "{{ barbican_system_user_name }}"
|
||||
systemd_group_name: "{{ barbican_system_group_name }}"
|
||||
systemd_service_restart_changed: false
|
||||
systemd_tempd_prefix: openstack
|
||||
systemd_slice_name: barbican
|
||||
systemd_lock_path: /var/lock/barbican
|
||||
systemd_CPUAccounting: true
|
||||
systemd_BlockIOAccounting: true
|
||||
systemd_MemoryAccounting: true
|
||||
systemd_TasksAccounting: true
|
||||
systemd_services:
|
||||
- service_name: "{{ service_var.service_name }}"
|
||||
enabled: true
|
||||
execstarts: "{{ service_var.execstarts }}"
|
||||
execreloads: "{{ service_var.execreloads | default([]) }}"
|
||||
config_overrides: "{{ service_var.init_config_overrides }}"
|
||||
with_items: "{{ filtered_barbican_services }}"
|
||||
loop_control:
|
||||
loop_var: service_var
|
||||
tags:
|
||||
- barbican-config
|
||||
- systemd-service
|
||||
|
||||
- include_tasks: mq_setup.yml
|
||||
when:
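Review bot: `systemd_MemoryAccounting: true` reverses the `MemoryAccounting=false` set by the unit template this commit deletes, and neither the commit message nor the release note mentions the flip; if it is intended, a one-line comment above it would say so, otherwise pass `false` to keep the previous behaviour. Separately, `config_overrides` reads `service_var.init_config_overrides` with no fallback while `execreloads` on the line above uses `| default([])`, so a deployer-supplied `barbican_services` entry without that key would fail on an undefined attribute; `config_overrides: "{{ service_var.init_config_overrides | default({}) }}"` would match. The +/- column is missing from this page, so which lines are new is inferred from the hunk counts.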
|
||||
|
|
|
@ -1,58 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
<VirtualHost *:{{ barbican_service_port }}>
|
||||
WSGIDaemonProcess barbican-service user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP}
|
||||
WSGIProcessGroup barbican-service
|
||||
WSGIScriptAlias / /var/www/cgi-bin/barbican/main
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
|
||||
<IfVersion >= 2.4>
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
</IfVersion>
|
||||
|
||||
LogLevel {{ barbican_apache_log_level }}
|
||||
ErrorLog {{ barbican_log_directory }}/barbican-apache-error.log
|
||||
CustomLog {{ barbican_log_directory }}/ssl_access.log combined
|
||||
Options +FollowSymLinks
|
||||
|
||||
{% if barbican_ssl | bool and barbican_service_internaluri_proto == "https" -%}
|
||||
SSLEngine on
|
||||
SSLCertificateFile {{ barbican_ssl_cert }}
|
||||
SSLCertificateKeyFile {{ barbican_ssl_key }}
|
||||
{% if barbican_user_ssl_ca_cert is defined -%}
|
||||
SSLCACertificateFile {{ barbican_ssl_ca_cert }}
|
||||
{% endif -%}
|
||||
SSLCompression Off
|
||||
SSLProtocol {{ barbican_ssl_protocol }}
|
||||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite {{ barbican_ssl_cipher_suite }}
|
||||
SSLOptions +StdEnvVars +ExportCertData
|
||||
{% endif %}
|
||||
|
||||
{% if barbican_sp is defined -%}
|
||||
ShibURLScheme {{ barbican_service_publicuri_proto }}
|
||||
|
||||
<Location /Shibboleth.sso>
|
||||
SetHandler shib
|
||||
</Location>
|
||||
|
||||
<Location /v3/auth/OS-FEDERATION/websso/saml2>
|
||||
AuthType shibboleth
|
||||
ShibRequestSetting requireSession 1
|
||||
ShibRequestSetting exportAssertion 1
|
||||
ShibRequireSession On
|
||||
ShibExportAssertion On
|
||||
Require valid-user
|
||||
</Location>
|
||||
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
|
||||
ShibRequestSetting requireSession 1
|
||||
AuthType shibboleth
|
||||
ShibExportAssertion Off
|
||||
Require valid-user
|
||||
</LocationMatch>
|
||||
|
||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/barbican/main/$1
|
||||
{% endif %}
|
||||
</VirtualHost>
|
|
@ -1,4 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
Listen {{ keystone_service_port }}
|
||||
Listen {{ keystone_admin_port }}
|
|
@ -1,34 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Unit]
|
||||
Description=barbican openstack service
|
||||
After=syslog.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User={{ system_user }}
|
||||
Group={{ system_group }}
|
||||
|
||||
{% if program_override is defined %}
|
||||
ExecStart={{ program_override }} {{ program_config_options|default('') }}
|
||||
{% else %}
|
||||
ExecStart={{ program_bin }}/{{ program_name }} {{ program_config_options|default('') }}
|
||||
{% endif %}
|
||||
|
||||
# Give a reasonable amount of time for the server to start up/shut down
|
||||
TimeoutSec=120
|
||||
Restart=on-failure
|
||||
RestartSec=2
|
||||
|
||||
# This creates a specific slice which all services will operate from
|
||||
# The accounting options give us the ability to see resource usage through
|
||||
# the `systemd-cgtop` command.
|
||||
Slice=barbican.slice
|
||||
CPUAccounting=true
|
||||
BlockIOAccounting=true
|
||||
MemoryAccounting=false
|
||||
TasksAccounting=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,4 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
|
||||
D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
|
|
@ -1,11 +1,12 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[DEFAULT]
|
||||
use_journal = True
|
||||
# Disable stderr logging
|
||||
use_stderr = False
|
||||
# Show debugging output in logs (sets DEBUG log level output)
|
||||
debug = {{ debug }}
|
||||
|
||||
use_json = {{ debug }}
|
||||
# Address to bind the API server
|
||||
bind_host = 0.0.0.0
|
||||
|
||||
|
@ -17,10 +18,6 @@ bind_port = 9311
|
|||
# communicate back with this service.
|
||||
host_href = {{ barbican_service_publicurl }}
|
||||
|
||||
# Log to this file. Make sure you do not set the same log
|
||||
# file for both the API and registry servers!
|
||||
#log_file = /var/log/barbican/api.log
|
||||
|
||||
# Backlog requests when creating socket
|
||||
backlog = 4096
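Review bot: With `use_journal = True` the service's logs leave the barbican-owned directory that the deleted task created with mode `0750` and go to the system journal, where read access and retention are decided by journald on the host, not by this role. For a key manager that can be run with `debug = {{ debug }}` enabled, that is worth stating where the operator will see it, for example `# Logs go to the systemd journal; read access and retention are governed by journald, not by this role.` above `use_journal`. Also, `use_json = {{ debug }}` ties the record format to the debug switch, so any parser or alert built on these records sees a different shape when debug is toggled; a dedicated variable would keep the two independent. What barbican emits at debug level is not visible here, and which lines of the hunk are new is inferred because the page lost the +/- column.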
|
||||
|
||||
|
|
|
@ -16,19 +16,22 @@ barbican_distro_packages:
|
|||
- git
|
||||
|
||||
barbican_devel_distro_packages:
|
||||
- python-dev
|
||||
- libssl-dev
|
||||
- libpq-dev
|
||||
- build-essential
|
||||
- gettext
|
||||
- git
|
||||
- libffi-dev
|
||||
- gettext
|
||||
- build-essential
|
||||
- libpq-dev
|
||||
- libssl-dev
|
||||
- libsystemd-dev
|
||||
- python-dev
|
||||
|
||||
barbican_service_distro_packages:
|
||||
- barbican-api
|
||||
- barbican-keystone-listener
|
||||
- barbican-worker
|
||||
- python-pymysql # needed by /usr/bin/barbican-manage db upgrade.
|
||||
- python-systemd
|
||||
- python3-systemd
|
||||
- uwsgi
|
||||
- uwsgi-plugin-python
|
||||
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
#
|
||||
# Compile a list of the services on a host based on whether
|
||||
# the host is in the host group and the service is enabled.
|
||||
# The service list is provided in the defined start order.
|
||||
#
|
||||
filtered_barbican_services: |-
|
||||
{% set services = [] %}
|
||||
{% for key, value in barbican_services.items() %}
|
||||
{% if (value['group'] in group_names) and
|
||||
(('condition' not in value) or
|
||||
('condition' in value and value['condition'])) %}
|
||||
{% set _ = value.update({'service_key': key}) %}
|
||||
{% set _ = services.append(value) %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{{ services | sort(attribute='start_order') }}
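Review bot: The header comment on `filtered_barbican_services` does not say which keys an entry must carry, yet the template indexes `value['group']` directly and ends with `sort(attribute='start_order')`, so an entry missing either key fails at render time instead of being skipped. I would extend the comment with `# Each barbican_services entry must define 'group' and 'start_order'; 'condition' is optional and an absent condition means enabled.` It is also worth a short comment that `value.update({'service_key': key})` writes into the entries of `barbican_services` themselves, since a reader would not expect a lookup variable to modify its input.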
|
|
@ -24,12 +24,14 @@ barbican_devel_distro_packages:
|
|||
- openssl-devel
|
||||
- postgresql-libs
|
||||
- python-devel
|
||||
- systemd-devel
|
||||
|
||||
barbican_service_distro_packages:
|
||||
- openstack-barbican
|
||||
- openstack-barbican-api
|
||||
- openstack-barbican-keystone-listener
|
||||
- openstack-barbican-worker
|
||||
- systemd-python
|
||||
- uwsgi
|
||||
- uwsgi-plugin-python
|
||||
|
||||
|
|
|
@ -21,6 +21,8 @@ barbican_devel_distro_packages:
|
|||
- libopenssl-devel
|
||||
- postgresql-devel
|
||||
- python-devel
|
||||
- pkg-config
|
||||
- systemd-devel
|
||||
|
||||
barbican_service_distro_packages:
|
||||
- openstack-barbican
|
||||
|
@ -28,6 +30,7 @@ barbican_service_distro_packages:
|
|||
- openstack-barbican-keystone-listener
|
||||
- openstack-barbican-retry
|
||||
- openstack-barbican-worker
|
||||
- python-systemd
|
||||
- uwsgi
|
||||
- uwsgi-python
|
||||
|
||||
|
|