Convert role to use a common systemd service role

This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.

The systemd journal would normally be populated with the standard out of
a service however with the use of uwsgi this is not actually happening
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.

OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>

Change-Id: Ic5b57a650bd9f5c385ed0a0a3efd1d530a2d7e81
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -38,7 +38,6 @@ barbican_system_user_name: barbican
 barbican_system_user_comment: Barbican System User
 barbican_system_user_shell: /bin/false
 barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}"
-barbican_log_directory: /var/log/barbican
 barbican_etc_directory: /etc/barbican
 barbican_vassals_directory: "{{ barbican_etc_directory }}/vassals"
 
@@ -47,8 +46,19 @@ barbican_api_program_name: barbican-api
 barbican_keystone_listener_program_name: barbican-keystone-listener
 barbican_worker_program_name: barbican-worker
 barbican_retry_program_name: barbican-retry
-barbican_uwsgi_program_name: uwsgi
-barbican_uwsgi_options: "--master --die-on-term --emperor {{ barbican_vassals_directory }}"
+
+## Service Name-Group Mapping
+barbican_services:
+  barbican:
+    group: barbican_all
+    service_name: barbican
+    init_config_overrides: "{{ barbican_init_config_overrides }}"
+    execstarts: >-
+      {{ barbican_uwsgi_bin }}/uwsgi
+      --master
+      --die-on-term
+      --emperor {{ barbican_vassals_directory }}
+    start_order: 1
 
 ## Service Type and Data
 barbican_service_name: barbican
@@ -74,6 +84,7 @@ barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ externa
 barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
 barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}"
 
+barbican_init_config_overrides: {}
 barbican_config_overrides: {}
 barbican_policy_overrides: {}
 barbican_paste_overrides: {}
@@ -168,6 +179,7 @@ barbican_pip_packages:
   - osprofiler
   - PyMySQL
   - python-memcached
+  - systemd-python
   - uwsgi
 
 # This variable is used by the repo_build process to determine

handlers/main.yml

@@ -13,19 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Restart Apache
-  systemd:
-    name: "apache2"
-    state: "restarted"
-    daemon_reload: yes
-  register: apache_restart
-  until: apache_restart is success
-  retries: 5
-  delay: 2
-
 - name: Restart barbican services
   systemd:
-    name: "{{ barbican_uwsgi_program_name }}"
+    name: "{{ item.service_name }}"
     state: "restarted"
     daemon_reload: yes
-
+  with_items: "{{ filtered_barbican_services }}"

releasenotes/notes/journal-log-ccba504642b49612.yaml

@@ -0,0 +1,5 @@
+---
+deprecations:
+  - The log path, ``/var/log/barbican`` is no longer used to capture service
+    logs. All logging for the barbican service will now be sent directly to the
+    systemd journal.

tasks/barbican_init.yml

@@ -1,25 +0,0 @@
----
-# Copyright 2016, Ian Cordasco
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- include: barbican_init_common.yml
-  vars:
-    program_name: "{{ barbican_uwsgi_program_name }}"
-    program_bin: "{{ barbican_uwsgi_bin }}"
-    program_config_options: "{{ barbican_uwsgi_options }}"
-    service_name: "{{ barbican_service_name }}"
-    system_user: "{{ barbican_system_user_name }}"
-    system_group: "{{ barbican_system_group_name }}"
-    service_home: "{{ barbican_system_user_home }}"
-    log_directory: "{{ barbican_log_directory }}"

tasks/barbican_init_common.yml

@@ -1,26 +0,0 @@
----
-# Copyright 2016, Comcast Corporation.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- include: barbican_init_systemd.yml
-  static: no
-  when:
-    - ansible_service_mgr == 'systemd'
-
-- name: Load service
-  service:
-   name: "{{ program_name }}"
-   enabled: "yes"
-  notify:
-    - Restart barbican services

tasks/barbican_init_systemd.yml

@@ -1,50 +0,0 @@
----
-# Copyright 2016, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Create TEMP run dir
-  file:
-    path: "/var/run/{{ program_name }}"
-    state: directory
-    owner: "{{ system_user }}"
-    group: "{{ system_group }}"
-    mode: "02755"
-
-- name: Create TEMP lock dir
-  file:
-    path: "/var/lock/{{ program_name }}"
-    state: directory
-    owner: "{{ system_user }}"
-    group: "{{ system_group }}"
-    mode: "02755"
-
-- name: Create tempfile.d entry
-  template:
-    src: "barbican-systemd-tempfiles.j2"
-    dest: "/etc/tmpfiles.d/barbican.conf"
-    mode: "0644"
-    owner: "root"
-    group: "root"
-
-- name: Place the systemd init script
-  config_template:
-    src: "barbican-systemd-init.j2"
-    dest: "/etc/systemd/system/{{ program_name }}.service"
-    mode: "0644"
-    owner: "root"
-    group: "root"
-    config_overrides: "{{ barbican_uwsgi_init_overrides }}"
-    config_type: "ini"
-  notify:
-    - Restart barbican services

tasks/barbican_pre_install.yml

@@ -40,24 +40,3 @@
     - path: "/etc/barbican"
     - path: "/etc/barbican/vassals"
     - path: "{{ barbican_system_user_home }}"
-
-- name: Test for Barbican log directory or link
-  shell: |
-    if [ -h "{{ barbican_log_directory }}" ]; then
-      chown -h {{ barbican_system_user_name }}:{{ barbican_system_group_name }} {{ barbican_log_directory }}
-      chown -R {{ barbican_system_user_name }}:{{ barbican_system_group_name }} "$(readlink {{ barbican_log_directory }})"
-    else
-      exit 1
-    fi
-  register: log_dir
-  failed_when: false
-  changed_when: log_dir.rc != 0
-
-- name: Create Barbican log directory
-  file:
-    path: "{{ barbican_log_directory }}"
-    state: "directory"
-    owner: "{{ barbican_system_user_name }}"
-    group: "{{ barbican_system_group_name }}"
-    mode: "0750"
-  when: log_dir.rc != 0

tasks/main.yml

@@ -53,9 +53,33 @@
   tags:
     - barbican-config
 
-- include: barbican_init.yml
+- name: Run the systemd service role
+  include_role:
+    name: systemd_service
+    private: true
+  vars:
+    systemd_user_name: "{{ barbican_system_user_name }}"
+    systemd_group_name: "{{ barbican_system_group_name }}"
+    systemd_service_restart_changed: false
+    systemd_tempd_prefix: openstack
+    systemd_slice_name: barbican
+    systemd_lock_path: /var/lock/barbican
+    systemd_CPUAccounting: true
+    systemd_BlockIOAccounting: true
+    systemd_MemoryAccounting: true
+    systemd_TasksAccounting: true
+    systemd_services:
+      - service_name: "{{ service_var.service_name }}"
+        enabled: true
+        execstarts: "{{ service_var.execstarts }}"
+        execreloads: "{{ service_var.execreloads | default([]) }}"
+        config_overrides: "{{ service_var.init_config_overrides }}"
+  with_items: "{{ filtered_barbican_services }}"
+  loop_control:
+    loop_var: service_var
   tags:
     - barbican-config
+    - systemd-service
 
 - include_tasks: mq_setup.yml
   when:

templates/barbican-httpd.conf.j2

@@ -1,58 +0,0 @@
-# {{ ansible_managed }}
-
-<VirtualHost *:{{ barbican_service_port }}>
-    WSGIDaemonProcess     barbican-service user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP}
-    WSGIProcessGroup      barbican-service
-    WSGIScriptAlias       / /var/www/cgi-bin/barbican/main
-    WSGIApplicationGroup  %{GLOBAL}
-    WSGIPassAuthorization On
-
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-
-    LogLevel  {{ barbican_apache_log_level }}
-    ErrorLog  {{ barbican_log_directory }}/barbican-apache-error.log
-    CustomLog {{ barbican_log_directory }}/ssl_access.log combined
-    Options +FollowSymLinks
-
-    {% if barbican_ssl | bool and barbican_service_internaluri_proto == "https" -%}
-    SSLEngine on
-    SSLCertificateFile    {{ barbican_ssl_cert }}
-    SSLCertificateKeyFile {{ barbican_ssl_key }}
-    {% if barbican_user_ssl_ca_cert is defined -%}
-    SSLCACertificateFile  {{ barbican_ssl_ca_cert }}
-    {% endif -%}
-    SSLCompression Off
-    SSLProtocol {{ barbican_ssl_protocol }}
-    SSLHonorCipherOrder On
-    SSLCipherSuite {{ barbican_ssl_cipher_suite }}
-    SSLOptions +StdEnvVars +ExportCertData
-    {% endif %}
-
-    {% if barbican_sp is defined -%}
-    ShibURLScheme {{ barbican_service_publicuri_proto }}
-
-    <Location /Shibboleth.sso>
-        SetHandler shib
-    </Location>
-
-    <Location /v3/auth/OS-FEDERATION/websso/saml2>
-        AuthType shibboleth
-        ShibRequestSetting requireSession 1
-        ShibRequestSetting exportAssertion 1
-        ShibRequireSession On
-        ShibExportAssertion On
-        Require valid-user
-    </Location>
-
-    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
-        ShibRequestSetting requireSession 1
-        AuthType shibboleth
-        ShibExportAssertion Off
-        Require valid-user
-    </LocationMatch>
-
-    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/barbican/main/$1
-    {% endif %}
-</VirtualHost>

templates/barbican-ports.conf.j2

@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-Listen {{ keystone_service_port }}
-Listen {{ keystone_admin_port }}

templates/barbican-systemd-init.j2

@@ -1,34 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Description=barbican openstack service
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-User={{ system_user }}
-Group={{ system_group }}
-
-{% if program_override is defined %}
-ExecStart={{ program_override }} {{ program_config_options|default('') }}
-{% else %}
-ExecStart={{ program_bin }}/{{ program_name }} {{ program_config_options|default('') }}
-{% endif %}
-
-# Give a reasonable amount of time for the server to start up/shut down
-TimeoutSec=120
-Restart=on-failure
-RestartSec=2
-
-# This creates a specific slice which all services will operate from
-#  The accounting options give us the ability to see resource usage through
-#  the `systemd-cgtop` command.
-Slice=barbican.slice
-CPUAccounting=true
-BlockIOAccounting=true
-MemoryAccounting=false
-TasksAccounting=true
-
-[Install]
-WantedBy=multi-user.target

templates/barbican-systemd-tempfiles.j2

@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
-D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }}

templates/barbican.conf.j2

@@ -1,11 +1,12 @@
 # {{ ansible_managed }}
 
 [DEFAULT]
+use_journal = True
 # Disable stderr logging
 use_stderr = False
 # Show debugging output in logs (sets DEBUG log level output)
 debug = {{ debug }}
-
+use_json = {{ debug }}
 # Address to bind the API server
 bind_host = 0.0.0.0
 
@@ -17,10 +18,6 @@ bind_port = 9311
 #  communicate back with this service.
 host_href = {{ barbican_service_publicurl }}
 
-# Log to this file. Make sure you do not set the same log
-# file for both the API and registry servers!
-#log_file = /var/log/barbican/api.log
-
 # Backlog requests when creating socket
 backlog = 4096
 

vars/debian.yml

@@ -16,19 +16,22 @@ barbican_distro_packages:
   - git
 
 barbican_devel_distro_packages:
-  - python-dev
-  - libssl-dev
-  - libpq-dev
+  - build-essential
+  - gettext
   - git
   - libffi-dev
-  - gettext
-  - build-essential
+  - libpq-dev
+  - libssl-dev
+  - libsystemd-dev
+  - python-dev
 
 barbican_service_distro_packages:
   - barbican-api
   - barbican-keystone-listener
   - barbican-worker
   - python-pymysql # needed by /usr/bin/barbican-manage db upgrade.
+  - python-systemd
+  - python3-systemd
   - uwsgi
   - uwsgi-plugin-python
 

vars/main.yml

@@ -0,0 +1,31 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Compile a list of the services on a host based on whether
+# the host is in the host group and the service is enabled.
+# The service list is provided in the defined start order.
+#
+filtered_barbican_services: |-
+  {% set services = [] %}
+  {% for key, value in barbican_services.items() %}
+  {%   if (value['group'] in group_names) and
+          (('condition' not in value) or
+           ('condition' in value and value['condition'])) %}
+  {%     set _ = value.update({'service_key': key}) %}
+  {%     set _ = services.append(value) %}
+  {%   endif %}
+  {% endfor %}
+  {{ services | sort(attribute='start_order') }}

vars/redhat.yml

@@ -24,12 +24,14 @@ barbican_devel_distro_packages:
   - openssl-devel
   - postgresql-libs
   - python-devel
+  - systemd-devel
 
 barbican_service_distro_packages:
   - openstack-barbican
   - openstack-barbican-api
   - openstack-barbican-keystone-listener
   - openstack-barbican-worker
+  - systemd-python
   - uwsgi
   - uwsgi-plugin-python
 

vars/suse.yml

@@ -21,6 +21,8 @@ barbican_devel_distro_packages:
   - libopenssl-devel
   - postgresql-devel
   - python-devel
+  - pkg-config
+  - systemd-devel
 
 barbican_service_distro_packages:
   - openstack-barbican
@@ -28,6 +30,7 @@ barbican_service_distro_packages:
   - openstack-barbican-keystone-listener
   - openstack-barbican-retry
   - openstack-barbican-worker
+  - python-systemd
   - uwsgi
   - uwsgi-python