Merge "Cleanup files and templates using smart sources"
commit
b047ad2109
|
@ -279,8 +279,8 @@ cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("lvm")
|
|||
cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
|
||||
|
||||
## Policy vars
|
||||
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
||||
# with the access controls in the default policy.json. E.g.
|
||||
# Provide a list of access controls to merge with the default
|
||||
# access controls in the service code.
|
||||
#cinder_policy_overrides:
|
||||
# "volume:create": ""
|
||||
# "volume:delete": ""
|
||||
|
|
|
@ -28,26 +28,6 @@
|
|||
- "Restart cinder services"
|
||||
- "venv changed"
|
||||
|
||||
# Note (odyssey4me):
|
||||
# The policy.json file is currently read continually by the services
|
||||
# and is not only read on service start. We therefore cannot template
|
||||
# directly to the file read by the service because the new policies
|
||||
# may not be valid until the service restarts. This is particularly
|
||||
# important during a major upgrade. We therefore only put the policy
|
||||
# file in place after the service has been stopped.
|
||||
#
|
||||
- name: Copy new policy file into place
|
||||
copy:
|
||||
src: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
|
||||
dest: "/etc/cinder/policy.json"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
remote_src: yes
|
||||
listen:
|
||||
- "Restart cinder services"
|
||||
- "venv changed"
|
||||
|
||||
- name: Start services
|
||||
service:
|
||||
name: "{{ item.service_name }}"
|
||||
|
|
|
@ -56,6 +56,12 @@
|
|||
option: "venv_tag"
|
||||
value: "{{ cinder_venv_tag }}"
|
||||
|
||||
- name: Link in the os-brick rootwrap filters
|
||||
file:
|
||||
src: "{{ cinder_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
|
||||
dest: /etc/cinder/rootwrap.d/os-brick.filters
|
||||
state: link
|
||||
|
||||
- name: Copy cinder rootwrap filters
|
||||
command: >-
|
||||
rsync --archive --itemize-changes --delete
|
||||
|
|
|
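Review bot: The new `Link in the os-brick rootwrap filters` task makes `/etc/cinder/rootwrap.d/os-brick.filters` a symlink into the tree under `{{ cinder_bin | dirname }}`, so the filter file that decides which commands rootwrap may run is only as protected as that tree, and nothing in this hunk checks who can write there. If that tree is not root-owned (not visible here), I would copy the file into place with `owner: "root"`, `group: "root"` and `mode: "0640"` rather than link it. The `Copy cinder rootwrap filters` command that follows continues outside the hunk; if its rsync destination is `/etc/cinder/rootwrap.d`, `--delete` may remove the link this task has just created, which is worth confirming.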
@ -13,6 +13,33 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# NOTE(cloudnull): This task is required to copy rootwrap filters that we need
|
||||
# and cinder does not provide by default.
|
||||
- name: Create aux cinder dir
|
||||
file:
|
||||
path: "/etc/cinder/rootwrap.d"
|
||||
state: "directory"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
|
||||
- name: Generate cinder config
|
||||
config_template:
|
||||
src: "cinder.conf.j2"
|
||||
dest: "/etc/cinder/cinder.conf"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ cinder_cinder_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart cinder services
|
||||
tags:
|
||||
- cinder-config
|
||||
- cinder-post-install
|
||||
|
||||
# TODO(cloudnull): Once "master" OSA is using a recent pull for
|
||||
# cinder this task and templte can be removed.
|
||||
- name: Copy cinder configs
|
||||
config_template:
|
||||
src: "{{ item.src }}"
|
||||
|
@ -23,29 +50,71 @@
|
|||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items:
|
||||
- src: "cinder.conf.j2"
|
||||
dest: "/etc/cinder/cinder.conf"
|
||||
config_overrides: "{{ cinder_cinder_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "api-paste.ini.j2"
|
||||
dest: "/etc/cinder/api-paste.ini"
|
||||
config_overrides: "{{ cinder_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "resource_filters.json.j2"
|
||||
dest: "/etc/cinder/resource_filters.json"
|
||||
config_overrides: "{{ cinder_resource_filters_overrides }}"
|
||||
config_type: "json"
|
||||
- src: "rootwrap.conf.j2"
|
||||
dest: "/etc/cinder/rootwrap.conf"
|
||||
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "policy.json.j2"
|
||||
dest: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
|
||||
config_overrides: "{{ cinder_policy_overrides }}"
|
||||
config_type: "json"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart cinder services
|
||||
tags:
|
||||
- cinder-config
|
||||
- cinder-post-install
|
||||
|
||||
- name: Implement policy.json if there are overrides configured
|
||||
copy:
|
||||
content: "{{ cinder_policy_overrides | to_nice_json }}"
|
||||
dest: "/etc/cinder/policy.json"
|
||||
when:
|
||||
- cinder_policy_overrides != {}
|
||||
|
||||
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
|
||||
# because we only want to copy the original files once. and we
|
||||
# don't want to need multiple tasks.
|
||||
- name: Preserve original configuration file(s)
|
||||
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
|
||||
args:
|
||||
creates: "{{ item.target_f }}.original"
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
|
||||
- name: Fetch override files
|
||||
fetch:
|
||||
src: "{{ item.target_f }}.original"
|
||||
dest: "{{ item.tmp_f }}"
|
||||
flat: yes
|
||||
changed_when: false
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
run_once: true
|
||||
|
||||
- name: Copy common config
|
||||
config_template:
|
||||
src: "{{ item.tmp_f }}"
|
||||
dest: "{{ item.target_f }}"
|
||||
owner: "{{ item.owner | default('root') }}"
|
||||
group: "{{ item.group | default(cinder_system_group_name) }}"
|
||||
mode: "{{ item.mode | default('0640') }}"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
notify:
|
||||
- Restart cinder services
|
||||
|
||||
- name: Cleanup fetched temp files
|
||||
file:
|
||||
path: "{{ item.tmp_f }}"
|
||||
state: absent
|
||||
changed_when: false
|
||||
delegate_to: localhost
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
|
||||
# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
|
||||
- name: Set rootwrap.d permissions
|
||||
file:
|
||||
path: "/etc/cinder/rootwrap.d"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0640"
|
||||
recurse: true
|
||||
|
||||
- name: Ensure cinder tgt include
|
||||
lineinfile:
|
||||
|
|
|
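Review bot: The `Implement policy.json if there are overrides configured` task writes `/etc/cinder/policy.json` with no `owner`, `group` or `mode`, so the file gets whatever the connecting user's umask yields, while the handler this commit removes set root, the cinder group and 0640; I would add `owner: "root"`, `group: "{{ cinder_system_group_name }}"` and `mode: "0640"`. The task also has no `notify` and writes the live file while services may be running, which the removed handler's note described as unsafe because policy.json is re-read continually; please confirm that concern no longer applies. In the same section, `Set rootwrap.d permissions` applies `mode: "0640"` with `recurse: true`, which also lands on the directory itself and clears its search bit, while the directory task elsewhere in this commit sets 0750; a symbolic mode such as `mode: "u=rwX,g=rX,o="` keeps the directory traversable and the files non-executable.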
@ -31,17 +31,62 @@
|
|||
createhome: "yes"
|
||||
home: "{{ cinder_system_home_folder }}"
|
||||
|
||||
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
|
||||
# install. If the directory does exist it will need to be
|
||||
# removed. This is required on source installs because the
|
||||
# config directory is a link.
|
||||
- name: Source config block
|
||||
block:
|
||||
- name: Stat config directory
|
||||
stat:
|
||||
path: "/etc/cinder"
|
||||
register: cinder_conf_dir_stat
|
||||
|
||||
- name: Remove the config directory
|
||||
file:
|
||||
path: "/etc/cinder"
|
||||
state: absent
|
||||
when:
|
||||
- cinder_conf_dir_stat.stat.isdir is defined and
|
||||
cinder_conf_dir_stat.stat.isdir
|
||||
when:
|
||||
- cinder_install_method == 'source'
|
||||
|
||||
- name: Create cinder dir
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
owner: "{{ item.owner|default(cinder_system_user_name) }}"
|
||||
group: "{{ item.group|default(cinder_system_group_name) }}"
|
||||
mode: "{{ item.mode|default('0755') }}"
|
||||
path: "{{ item.path | default(omit) }}"
|
||||
src: "{{ item.src | default(omit) }}"
|
||||
dest: "{{ item.dest | default(omit) }}"
|
||||
state: "{{ item.state | default('directory') }}"
|
||||
owner: "{{ item.owner | default(cinder_system_user_name) }}"
|
||||
group: "{{ item.group | default(cinder_system_group_name) }}"
|
||||
mode: "{{ item.mode | default(omit) }}"
|
||||
force: "{{ item.force | default(omit) }}"
|
||||
when:
|
||||
- (item.condition | default(true)) | bool
|
||||
with_items:
|
||||
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
|
||||
- { path: "/var/cache/cinder", mode: "0700" }
|
||||
- { path: "/etc/cinder", mode: "0750" }
|
||||
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
|
||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||
- { path: "{{ cinder_system_home_folder }}" }
|
||||
- path: "/openstack"
|
||||
mode: "0755"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
- path: "/var/cache/cinder"
|
||||
mode: "0700"
|
||||
- path: "{{ (cinder_install_method == 'distro') | ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder') }}"
|
||||
mode: "0755"
|
||||
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
|
||||
# within the host/container confines when connecting to
|
||||
# them using the connection plugin or the root filesystem.
|
||||
- dest: "/etc/cinder"
|
||||
src: "{{ cinder_bin | dirname | regex_replace('^/', '../') }}/etc/cinder"
|
||||
state: link
|
||||
force: true
|
||||
condition: "{{ cinder_install_method == 'source' }}"
|
||||
- path: "/etc/cinder/rootwrap.d"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0750"
|
||||
- path: "/etc/sudoers.d"
|
||||
mode: "0750"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
- path: "{{ cinder_system_home_folder }}"
|
||||
|
|
|
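Review bot: The new config-directory item (the `ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder')` path) sets `mode: "0755"` and no owner, so it falls back to the task default `cinder_system_user_name`: the service account owns, and can therefore rename or replace entries in, the directory that holds `rootwrap.conf`, and the directory is world-readable where the old `/etc/cinder` item used 0750. Because rootwrap.conf names the directories that filter definitions are loaded from, I would give this item `owner: "root"` and `mode: "0750"` unless the service is known to need write access there. How rootwrap is invoked (the sudoers rule) is not visible in this section, so the impact is inferred rather than shown.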
@ -1,65 +0,0 @@
|
|||
#############
|
||||
# OpenStack #
|
||||
#############
|
||||
|
||||
[composite:osapi_volume]
|
||||
use = call:cinder.api:root_app_factory
|
||||
/: apiversions
|
||||
/v2: openstack_volume_api_v2
|
||||
/v3: openstack_volume_api_v3
|
||||
|
||||
[composite:openstack_volume_api_v2]
|
||||
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
|
||||
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
|
||||
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
|
||||
|
||||
[composite:openstack_volume_api_v3]
|
||||
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
|
||||
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
|
||||
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
|
||||
|
||||
[filter:request_id]
|
||||
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
|
||||
|
||||
[filter:http_proxy_to_wsgi]
|
||||
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
||||
|
||||
[filter:cors]
|
||||
paste.filter_factory = oslo_middleware.cors:filter_factory
|
||||
oslo_config_project = cinder
|
||||
|
||||
[filter:faultwrap]
|
||||
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
|
||||
|
||||
[filter:osprofiler]
|
||||
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
|
||||
|
||||
[filter:noauth]
|
||||
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
|
||||
|
||||
[app:apiv2]
|
||||
paste.app_factory = cinder.api.v2.router:APIRouter.factory
|
||||
|
||||
[app:apiv3]
|
||||
paste.app_factory = cinder.api.v3.router:APIRouter.factory
|
||||
|
||||
[pipeline:apiversions]
|
||||
pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
|
||||
|
||||
[app:osvolumeversionapp]
|
||||
paste.app_factory = cinder.api.versions:Versions.factory
|
||||
|
||||
##########
|
||||
# Shared #
|
||||
##########
|
||||
|
||||
[filter:keystonecontext]
|
||||
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
|
||||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
|
@ -1,14 +0,0 @@
|
|||
{
|
||||
|
||||
"consistencygroup:create" : "group:nobody",
|
||||
"consistencygroup:delete": "group:nobody",
|
||||
"consistencygroup:update": "group:nobody",
|
||||
"consistencygroup:get": "group:nobody",
|
||||
"consistencygroup:get_all": "group:nobody",
|
||||
|
||||
"consistencygroup:create_cgsnapshot" : "group:nobody",
|
||||
"consistencygroup:delete_cgsnapshot": "group:nobody",
|
||||
"consistencygroup:get_cgsnapshot": "group:nobody",
|
||||
"consistencygroup:get_all_cgsnapshots": "group:nobody"
|
||||
|
||||
}
|
|
@ -1,27 +0,0 @@
|
|||
# Configuration for cinder-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs={{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/usr/lpp/mmfs/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
|
@ -13,6 +13,11 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
_cinder_rootwrap_conf_overrides:
|
||||
DEFAULT:
|
||||
filters_path: "/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap"
|
||||
exec_dirs: "{{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
|
||||
|
||||
#
|
||||
# Compile a list of the services on a host based on whether
|
||||
# the host is in the host group and the service is enabled.
|
||||
|
@ -29,3 +34,23 @@ filtered_cinder_services: |-
|
|||
{% endif %}
|
||||
{% endfor %}
|
||||
{{ services | sort(attribute='start_order') }}
|
||||
|
||||
cinder_core_files:
|
||||
- tmp_f: "/tmp/api-paste.ini"
|
||||
target_f: "/etc/cinder/api-paste.ini"
|
||||
config_overrides: "{{ cinder_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- tmp_f: "/tmp/rootwrap.conf"
|
||||
target_f: "/etc/cinder/rootwrap.conf"
|
||||
config_overrides: "{{ _cinder_rootwrap_conf_overrides | combine(cinder_rootwrap_conf_overrides, recursive=True) }}"
|
||||
config_type: "ini"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
- tmp_f: "/tmp/resource_filters.json"
|
||||
target_f: "/etc/cinder/resource_filters.json"
|
||||
config_overrides: "{{ cinder_resource_filters_overrides }}"
|
||||
config_type: "json"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
|
|
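Review bot: The `tmp_f` entries in `cinder_core_files` are fixed, predictable names under `/tmp`, which is a weak staging location for files that become `/etc/cinder/rootwrap.conf` and `/etc/cinder/api-paste.ini`. The tasks elsewhere in this commit fetch into these paths and then use them as the `config_template` source, on the deployment host as far as the `delegate_to: localhost` cleanup suggests, so another local user or a concurrent run could pre-create or change a file between the fetch and the template step. I would stage them in a per-run directory created with mode 0700, e.g. `tmp_f: "{{ cinder_staging_dir }}/rootwrap.conf"`, where `cinder_staging_dir` is a name proposed here for a directory registered by an earlier task, not an existing variable. The `api-paste.ini` entry also omits `owner`, `group` and `mode`; it relies on the defaults in the consuming task, which would be clearer stated here as on the other two entries.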