Merge "Cleanup files and templates using smart sources"

defaults/main.yml

@@ -279,8 +279,8 @@ cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("lvm")
 cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
 
 ## Policy vars
-# Provide a list of access controls to update the default policy.json with. These changes will be merged
-# with the access controls in the default policy.json. E.g.
+# Provide a list of access controls to merge with the default
+# access controls in the service code.
 #cinder_policy_overrides:
 #  "volume:create": ""
 #  "volume:delete": ""

handlers/main.yml

@@ -28,26 +28,6 @@
     - "Restart cinder services"
     - "venv changed"
 
-# Note (odyssey4me):
-# The policy.json file is currently read continually by the services
-# and is not only read on service start. We therefore cannot template
-# directly to the file read by the service because the new policies
-# may not be valid until the service restarts. This is particularly
-# important during a major upgrade. We therefore only put the policy
-# file in place after the service has been stopped.
-#
-- name: Copy new policy file into place
-  copy:
-    src: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
-    dest: "/etc/cinder/policy.json"
-    owner: "root"
-    group: "{{ cinder_system_group_name }}"
-    mode: "0640"
-    remote_src: yes
-  listen:
-    - "Restart cinder services"
-    - "venv changed"
-
 - name: Start services
   service:
     name: "{{ item.service_name }}"

tasks/cinder_install_source.yml

@@ -56,6 +56,12 @@
         option: "venv_tag"
         value: "{{ cinder_venv_tag }}"
 
+- name: Link in the os-brick rootwrap filters
+  file:
+    src: "{{ cinder_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
+    dest: /etc/cinder/rootwrap.d/os-brick.filters
+    state: link
+
 - name: Copy cinder rootwrap filters
   command: >-
     rsync --archive --itemize-changes --delete

tasks/cinder_post_install.yml

@@ -13,6 +13,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# NOTE(cloudnull): This task is required to copy rootwrap filters that we need
+#                  and cinder does not provide by default.
+- name: Create aux cinder dir
+  file:
+    path: "/etc/cinder/rootwrap.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+
+- name: Generate cinder config
+  config_template:
+    src: "cinder.conf.j2"
+    dest: "/etc/cinder/cinder.conf"
+    owner: "root"
+    group: "{{ cinder_system_group_name }}"
+    mode: "0640"
+    config_overrides: "{{ cinder_cinder_conf_overrides }}"
+    config_type: "ini"
+  notify:
+    - Manage LB
+    - Restart cinder services
+  tags:
+    - cinder-config
+    - cinder-post-install
+
+# TODO(cloudnull): Once "master" OSA is using a recent pull for
+#                  cinder this task and templte can be removed.
 - name: Copy cinder configs
   config_template:
     src: "{{ item.src }}"
@@ -23,29 +50,71 @@
     config_overrides: "{{ item.config_overrides }}"
     config_type: "{{ item.config_type }}"
   with_items:
-    - src: "cinder.conf.j2"
-      dest: "/etc/cinder/cinder.conf"
-      config_overrides: "{{ cinder_cinder_conf_overrides }}"
-      config_type: "ini"
-    - src: "api-paste.ini.j2"
-      dest: "/etc/cinder/api-paste.ini"
-      config_overrides: "{{ cinder_api_paste_ini_overrides }}"
-      config_type: "ini"
     - src: "resource_filters.json.j2"
       dest: "/etc/cinder/resource_filters.json"
       config_overrides: "{{ cinder_resource_filters_overrides }}"
       config_type: "json"
-    - src: "rootwrap.conf.j2"
-      dest: "/etc/cinder/rootwrap.conf"
-      config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
-      config_type: "ini"
-    - src: "policy.json.j2"
-      dest: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
-      config_overrides: "{{ cinder_policy_overrides }}"
-      config_type: "json"
   notify:
     - Manage LB
     - Restart cinder services
+  tags:
+    - cinder-config
+    - cinder-post-install
+
+- name: Implement policy.json if there are overrides configured
+  copy:
+    content: "{{ cinder_policy_overrides | to_nice_json }}"
+    dest: "/etc/cinder/policy.json"
+  when:
+    - cinder_policy_overrides != {}
+
+# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
+#                  because we only want to copy the original files once. and we
+#                  don't want to need multiple tasks.
+- name: Preserve original configuration file(s)
+  command: "cp {{ item.target_f }} {{ item.target_f }}.original"
+  args:
+    creates: "{{ item.target_f }}.original"
+  with_items: "{{ cinder_core_files }}"
+
+- name: Fetch override files
+  fetch:
+    src: "{{ item.target_f }}.original"
+    dest: "{{ item.tmp_f }}"
+    flat: yes
+  changed_when: false
+  with_items: "{{ cinder_core_files }}"
+  run_once: true
+
+- name: Copy common config
+  config_template:
+    src: "{{ item.tmp_f }}"
+    dest: "{{ item.target_f }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default(cinder_system_group_name) }}"
+    mode: "{{ item.mode | default('0640') }}"
+    config_overrides: "{{ item.config_overrides }}"
+    config_type: "{{ item.config_type }}"
+  with_items: "{{ cinder_core_files }}"
+  notify:
+    - Restart cinder services
+
+- name: Cleanup fetched temp files
+  file:
+    path: "{{ item.tmp_f }}"
+    state: absent
+  changed_when: false
+  delegate_to: localhost
+  with_items: "{{ cinder_core_files }}"
+
+# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
+- name: Set rootwrap.d permissions
+  file:
+    path: "/etc/cinder/rootwrap.d"
+    owner: "root"
+    group: "root"
+    mode: "0640"
+    recurse: true
 
 - name: Ensure cinder tgt include
   lineinfile:

tasks/cinder_pre_install.yml

@@ -31,17 +31,62 @@
     createhome: "yes"
     home: "{{ cinder_system_home_folder }}"
 
+# NOTE(cloudnull): During an upgrade the local directory may exist on a source
+#                  install. If the directory does exist it will need to be
+#                  removed. This is required on source installs because the
+#                  config directory is a link.
+- name: Source config block
+  block:
+    - name: Stat config directory
+      stat:
+        path: "/etc/cinder"
+      register: cinder_conf_dir_stat
+
+    - name: Remove the config directory
+      file:
+        path: "/etc/cinder"
+        state: absent
+      when:
+        - cinder_conf_dir_stat.stat.isdir is defined and
+          cinder_conf_dir_stat.stat.isdir
+  when:
+    - cinder_install_method == 'source'
+
 - name: Create cinder dir
   file:
-    path: "{{ item.path }}"
-    state: directory
-    owner: "{{ item.owner|default(cinder_system_user_name) }}"
-    group: "{{ item.group|default(cinder_system_group_name) }}"
-    mode: "{{ item.mode|default('0755') }}"
+    path: "{{ item.path | default(omit) }}"
+    src: "{{ item.src | default(omit) }}"
+    dest: "{{ item.dest | default(omit) }}"
+    state: "{{ item.state | default('directory') }}"
+    owner: "{{ item.owner | default(cinder_system_user_name) }}"
+    group: "{{ item.group | default(cinder_system_group_name) }}"
+    mode: "{{ item.mode | default(omit) }}"
+    force: "{{ item.force | default(omit) }}"
+  when:
+    - (item.condition | default(true)) | bool
   with_items:
-    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
-    - { path: "/var/cache/cinder", mode: "0700" }
-    - { path: "/etc/cinder", mode: "0750" }
-    - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
-    - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
-    - { path: "{{ cinder_system_home_folder }}" }
+    - path: "/openstack"
+      mode: "0755"
+      owner: "root"
+      group: "root"
+    - path: "/var/cache/cinder"
+      mode: "0700"
+    - path: "{{ (cinder_install_method == 'distro') | ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder') }}"
+      mode: "0755"
+    # NOTE(cloudnull): The "src" path is relative. This ensures all files remain
+    #                  within the host/container confines when connecting to
+    #                  them using the connection plugin or the root filesystem.
+    - dest: "/etc/cinder"
+      src: "{{ cinder_bin | dirname | regex_replace('^/', '../') }}/etc/cinder"
+      state: link
+      force: true
+      condition: "{{ cinder_install_method == 'source' }}"
+    - path: "/etc/cinder/rootwrap.d"
+      owner: "root"
+      group: "root"
+      mode: "0750"
+    - path: "/etc/sudoers.d"
+      mode: "0750"
+      owner: "root"
+      group: "root"
+    - path: "{{ cinder_system_home_folder }}"

templates/api-paste.ini.j2

@@ -1,65 +0,0 @@
-#############
-# OpenStack #
-#############
-
-[composite:osapi_volume]
-use = call:cinder.api:root_app_factory
-/: apiversions
-/v2: openstack_volume_api_v2
-/v3: openstack_volume_api_v3
-
-[composite:openstack_volume_api_v2]
-use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
-keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
-
-[composite:openstack_volume_api_v3]
-use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
-keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
-keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
-
-[filter:request_id]
-paste.filter_factory = oslo_middleware.request_id:RequestId.factory
-
-[filter:http_proxy_to_wsgi]
-paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
-
-[filter:cors]
-paste.filter_factory = oslo_middleware.cors:filter_factory
-oslo_config_project = cinder
-
-[filter:faultwrap]
-paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
-
-[filter:osprofiler]
-paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-
-[filter:noauth]
-paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
-
-[filter:sizelimit]
-paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
-
-[app:apiv2]
-paste.app_factory = cinder.api.v2.router:APIRouter.factory
-
-[app:apiv3]
-paste.app_factory = cinder.api.v3.router:APIRouter.factory
-
-[pipeline:apiversions]
-pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
-
-[app:osvolumeversionapp]
-paste.app_factory = cinder.api.versions:Versions.factory
-
-##########
-# Shared #
-##########
-
-[filter:keystonecontext]
-paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
-
-[filter:authtoken]
-paste.filter_factory = keystonemiddleware.auth_token:filter_factory

templates/policy.json.j2

@@ -1,14 +0,0 @@
-{
-
-    "consistencygroup:create" : "group:nobody",
-    "consistencygroup:delete": "group:nobody",
-    "consistencygroup:update": "group:nobody",
-    "consistencygroup:get": "group:nobody",
-    "consistencygroup:get_all": "group:nobody",
-
-    "consistencygroup:create_cgsnapshot" : "group:nobody",
-    "consistencygroup:delete_cgsnapshot": "group:nobody",
-    "consistencygroup:get_cgsnapshot": "group:nobody",
-    "consistencygroup:get_all_cgsnapshots": "group:nobody"
-
-}

templates/rootwrap.conf.j2

@@ -1,27 +0,0 @@
-# Configuration for cinder-rootwrap
-# This file should be owned by (and only-writeable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs={{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/usr/lpp/mmfs/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR

vars/main.yml

@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+_cinder_rootwrap_conf_overrides:
+  DEFAULT:
+    filters_path: "/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap"
+    exec_dirs: "{{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
+
 #
 # Compile a list of the services on a host based on whether
 # the host is in the host group and the service is enabled.
@@ -29,3 +34,23 @@ filtered_cinder_services: |-
   {%   endif %}
   {% endfor %}
   {{ services | sort(attribute='start_order') }}
+
+cinder_core_files:
+  - tmp_f: "/tmp/api-paste.ini"
+    target_f: "/etc/cinder/api-paste.ini"
+    config_overrides: "{{ cinder_api_paste_ini_overrides }}"
+    config_type: "ini"
+  - tmp_f: "/tmp/rootwrap.conf"
+    target_f: "/etc/cinder/rootwrap.conf"
+    config_overrides: "{{ _cinder_rootwrap_conf_overrides | combine(cinder_rootwrap_conf_overrides, recursive=True) }}"
+    config_type: "ini"
+    owner: "root"
+    group: "{{ cinder_system_group_name }}"
+    mode: "0640"
+  - tmp_f: "/tmp/resource_filters.json"
+    target_f: "/etc/cinder/resource_filters.json"
+    config_overrides: "{{ cinder_resource_filters_overrides }}"
+    config_type: "json"
+    owner: "root"
+    group: "{{ cinder_system_group_name }}"
+    mode: "0640"