diff --git a/tasks/designate_post_install.yml b/tasks/designate_post_install.yml index 2258b45..2731c04 100644 --- a/tasks/designate_post_install.yml +++ b/tasks/designate_post_install.yml @@ -17,8 +17,8 @@ config_template: src: "{{ item.src }}" dest: "{{ item.dest }}" - owner: "{{ designate_system_user_name }}" - group: "{{ designate_system_group_name }}" + owner: "{{ item.owner|default(designate_system_user_name) }}" + group: "{{ item.group|default(designate_system_group_name) }}" mode: "0644" config_overrides: "{{ item.config_overrides }}" config_type: "{{ item.config_type }}" @@ -48,12 +48,10 @@ - name: Copy designate rootwrap filter config copy: - src: "{{ item.src }}" - dest: "{{ item.dest }}" + src: "rootwrap.d/bind9.filters" + dest: "/etc/designate/rootwrap.d/bind9.filters" owner: "root" group: "root" - with_items: - - { src: "rootwrap.d/bind9.filters", dest: "/etc/designate/rootwrap.d/bind9.filters" } notify: Restart designate services tags: - designate-config diff --git a/tasks/designate_pre_install.yml b/tasks/designate_pre_install.yml index b06c2b4..e784d09 100644 --- a/tasks/designate_pre_install.yml +++ b/tasks/designate_pre_install.yml @@ -43,6 +43,8 @@ with_items: - { path: "/etc/designate" } - { path: "/etc/designate/rootwrap.d" } + - { path: "/etc/designate/rootwrap.d", owner: "root", group: "root" } + - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - { path: "{{ designate_system_user_home }}" } - { path: "{{ designate_system_user_home }}/.ssh", mode: "0700" } - { path: "/var/cache/designate", mode: "0700" } 
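Review bot: The rewritten `Copy designate rootwrap filter config` task in tasks/designate_post_install.yml sets `owner` and `group` to root but no `mode`, so the permissions of `/etc/designate/rootwrap.d/bind9.filters` depend on the umask of the run. This file defines what rootwrap will execute as root, so state the mode explicitly, e.g. `mode: "0644"`, as the `config_template` task in the first hunk already does.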
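Review bot: In the `with_items` list of tasks/designate_pre_install.yml the old `- { path: "/etc/designate/rootwrap.d" }` entry is left in place above the new root-owned one, so the loop processes the same directory twice. The task body is outside this hunk, but if it falls back to the service user when an item has no `owner`, each run first hands the directory to that user and then back to root, which reports a change on every run and leaves a window where the filter directory is not root-owned. Drop the older entry and keep only `- { path: "/etc/designate/rootwrap.d", owner: "root", group: "root" }`. It is also worth confirming that the parent `/etc/designate` cannot be rewritten by the service user, since a root-owned child inside a user-owned parent can still be replaced.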
@@ -89,6 +91,17 @@ - designate-dirs - designate-logs +- name: Drop sudoers file + template: + src: "sudoers.j2" + dest: "/etc/sudoers.d/{{ designate_system_user_name }}_sudoers" + mode: "0440" + owner: "root" + group: "root" + tags: + - sudoers + - designate-sudoers + - include: designate_messaging_setup.yml - when: > - inventory_hostname == groups['designate_all'][0] + when: + - inventory_hostname == groups['designate_all'][0] diff --git a/templates/sudoers.j2 b/templates/sudoers.j2 new file mode 100644 index 0000000..5c4a5f4 --- /dev/null +++ b/templates/sudoers.j2 @@ -0,0 +1,6 @@ +# {{ ansible_managed }} + +Defaults:{{ designate_system_user_name }} !requiretty +Defaults:{{ designate_system_user_name }} secure_path="{{ designate_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +{{ designate_system_user_name }} ALL = (root) NOPASSWD: {{ designate_bin }}/{{ designate_service_name }}-rootwrap diff --git a/tests/inventory b/tests/inventory index c117b78..6c0833a 100644 --- a/tests/inventory +++ b/tests/inventory @@ -1,35 +1,2 @@ [all] localhost ansible_connection=local ansible_become=True - -[rabbitmq_all:children] -infra1 - -[galera_all:children] -infra1 - -[designate_all:children] -designate_api - -[designate_api:children] -openstack1 - -[designate_central:children] -openstack1 - -[designate_mdns:children] -openstack1 - -[designate_pool_manager:children] -openstack1 - -[designate_sink:children] -openstack1 - -[keystone_all:children] -openstack1 - -[infra1] -10.100.100.101 - -[openstack1] -10.100.100.102 diff --git a/tests/test-include-inventory.yml b/tests/test-include-inventory.yml new file mode 100644 index 0000000..2fc4746 --- /dev/null +++ b/tests/test-include-inventory.yml 
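Review bot: The added `Drop sudoers file` task installs the rendered template straight into `/etc/sudoers.d` with no syntax check, so a bad render (an undefined or empty `designate_bin`, say) leaves a file that sudo rejects and can break privilege escalation on the host. Add `validate: "visudo -cf %s"` to the `template` arguments so the file is only moved into place when it parses. Note also that sudo skips files in that directory whose names contain a `.`, so a `designate_system_user_name` with a dot in it would silently disable the rule written to `{{ designate_system_user_name }}_sudoers`.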
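Review bot: The NOPASSWD rule on the last line of templates/sudoers.j2 names only the rootwrap binary, and a sudoers command with no argument list matches any arguments, so the service user decides which rootwrap config, and therefore which filter directory, is honoured as root. Pin the config path in the rule, `{{ designate_system_user_name }} ALL = (root) NOPASSWD: {{ designate_bin }}/{{ designate_service_name }}-rootwrap <rootwrap.conf path> *`, using the path the role deploys (it is not visible in this diff). `secure_path` also lists `{{ designate_bin }}` first, which is only safe if that directory and its parents are not writable by the service user; confirm that for the venv install.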
@@ -0,0 +1,46 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Inventory is being pre-loaded using a post tasks instead of through a dynamic
+# inventory system. While this is not a usual method for deployment it's being
+# done for functional testing.
+
+- name: Create container hosts
+ add_host:
+ groups: "{{ item.groups }}"
+ hostname: "{{ item.name }}"
+ inventory_hostname: "{{ item.name }}"
+ ansible_ssh_host: "{{ item.address }}"
+ ansible_become: true
+ properties:
+ service_name: "{{ item.service }}"
+ container_networks:
+ management_address:
+ address: "{{ item.address }}"
+ bridge: "lxcbr0"
+ interface: "eth1"
+ netmask: "255.255.252.0"
+ type: "veth"
+ physical_host: localhost
+ container_name: "{{ item.name }}"
+ with_items:
+ - name: "infra1"
+ service: "infra1"
+ address: "10.100.100.101"
+ groups: "all,all_containers,rabbitmq_all,galera_all,service_all"
+ - name: "openstack1"
+ service: "openstack1"
+ address: "10.100.100.102"
+ groups: "all,all_containers,keystone_all,designate_all,designate_api,designate_central,designate_pool_manager,designate_mdns,designate_sink"
diff --git a/tests/test-install-designate.yml b/tests/test-install-designate.yml
index 74341d5..002f269 100644
--- a/tests/test-install-designate.yml
+++ b/tests/test-install-designate.yml
@@ -13,44 +13,18 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Prepare the inventory + hosts: localhost + connection: local + become: yes + tasks: + - include: test-include-inventory.yml + - name: Playbook for deploying designate hosts: designate_all user: root gather_facts: true roles: - role: "{{ rolename | basename }}" - vars: - debug: True - external_lb_vip_address: 10.100.100.102 - internal_lb_vip_address: 10.100.100.102 - designate_galera_address: 10.100.100.101 - designate_container_mysql_password: "SuperSecrete" - designate_pool_manager_galera_address: 10.100.100.101 - designate_pool_manager_container_mysql_password: "SuperSecrete" - galera_client_drop_config_file: false - galera_root_password: "secrete" - designate_rabbitmq_password: "secrete" - designate_rabbitmq_userid: designate - designate_rabbitmq_vhost: /designate - rabbitmq_servers: 10.100.100.101 - rabbitmq_use_ssl: False - rabbitmq_port: 5672 - keystone_auth_admin_token: "SuperSecreteTestToken" - keystone_auth_admin_password: "SuperSecretePassword" - keystone_service_adminuri_insecure: false - keystone_service_internaluri_insecure: false - keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000" - keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3" - keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357" - keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3" - designate_venv_tag: "testing" - designate_developer_mode: true - designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016 - designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016 - designate_service_password: "secrete" - designate_profiler_hmac_key: "secrete" - openrc_os_auth_url: "{{ keystone_service_internalurl }}" - openrc_os_password: "{{ keystone_auth_admin_password }}" - openrc_os_domain_name: 
"Default" - memcached_servers: 127.0.0.1 - memcached_encryption_key: "secrete" + vars_files: + - test-vars.yml diff --git a/tests/test-install-infra.yml b/tests/test-install-infra.yml index d8e0235..a7e2cf7 100644 --- a/tests/test-install-infra.yml +++ b/tests/test-install-infra.yml @@ -13,6 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Prepare the inventory + hosts: localhost + connection: local + become: yes + tasks: + - include: test-include-inventory.yml + - name: Playbook for deploying infra services hosts: service_all user: root diff --git a/tests/test-install-keystone.yml b/tests/test-install-keystone.yml index af718e4..6b717e1 100644 --- a/tests/test-install-keystone.yml +++ b/tests/test-install-keystone.yml @@ -13,6 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Prepare the inventory + hosts: localhost + connection: local + become: yes + tasks: + - include: test-include-inventory.yml + - name: Playbook for deploying keystone hosts: keystone_all user: root 
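Review bot: The new `Prepare the inventory` play in tests/test-install-designate.yml runs on localhost with `become: yes`, but its only task is the included `add_host` list, which changes the in-memory inventory and needs no privilege escalation. Drop `become` from this play, or at least write it as `become: true` to match `ansible_become: true` in tests/test-include-inventory.yml. The same play is added verbatim to tests/test-install-infra.yml, tests/test-install-keystone.yml and tests/test-prepare-containers.yml, so the same edit applies there.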
@@ -61,23 +68,5 @@ when: inventory_hostname == groups['keystone_all'][0] roles: - role: os_keystone - vars: - external_lb_vip_address: 10.100.100.102 - internal_lb_vip_address: 10.100.100.102 - keystone_galera_address: 10.100.100.101 - keystone_galera_database: keystone - keystone_venv_tag: "testing" - keystone_developer_mode: true - keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016 - keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016 - keystone_auth_admin_token: "SuperSecreteTestToken" - keystone_auth_admin_password: "SuperSecretePassword" - keystone_service_password: "secrete" - keystone_rabbitmq_password: "secrete" - keystone_container_mysql_password: "SuperSecrete" - keystone_rabbitmq_port: 5671 - keystone_rabbitmq_userid: keystone - keystone_rabbitmq_vhost: /keystone - keystone_rabbitmq_servers: 10.100.100.101 - keystone_rabbitmq_use_ssl: true - galera_client_drop_config_file: false + vars_files: + - test-vars.yml diff --git a/tests/test-prepare-containers.yml b/tests/test-prepare-containers.yml index 932d681..7aac7a3 100644 --- a/tests/test-prepare-containers.yml +++ b/tests/test-prepare-containers.yml @@ -13,6 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Prepare the inventory + hosts: localhost + connection: local + become: yes + tasks: + - include: test-include-inventory.yml + - name: Playbook for creating containers hosts: all_containers connection: local diff --git a/tests/test-prepare-host.yml b/tests/test-prepare-host.yml index e55fe16..6943797 100644 --- a/tests/test-prepare-host.yml +++ b/tests/test-prepare-host.yml @@ -42,6 +42,7 @@ name: "trusty.tgz" sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c" chroot_path: trusty/rootfs-amd64 + - role: "openstack_openrc" post_tasks: - name: Install pip packages pip: 
@@ -53,4 +54,8 @@ retries: 5 delay: 2 with_items: + - lxc-python2 - python-openstackclient + - python-designateclient + vars_files: + - test-vars.yml diff --git a/tests/test-vars.yml b/tests/test-vars.yml new file mode 100644 index 0000000..de1a2d2 --- /dev/null +++ b/tests/test-vars.yml 
@@ -0,0 +1,62 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+debug: True
+external_lb_vip_address: 10.100.100.102
+internal_lb_vip_address: 10.100.100.102
+galera_client_drop_config_file: false
+galera_root_password: "secrete"
+rabbitmq_servers: 10.100.100.101
+rabbitmq_use_ssl: False
+rabbitmq_port: 5672
+memcached_servers: 127.0.0.1
+memcached_encryption_key: "secrete"
+keystone_venv_tag: "testing"
+keystone_developer_mode: true
+keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
+keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
+keystone_service_password: "secrete"
+keystone_galera_address: 10.100.100.101
+keystone_galera_database: keystone
+keystone_container_mysql_password: "SuperSecrete"
+keystone_auth_admin_token: "SuperSecreteTestToken"
+keystone_auth_admin_password: "SuperSecretePassword"
+keystone_service_adminuri_insecure: false
+keystone_service_internaluri_insecure: false
+keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
+keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
+keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
+keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
+keystone_rabbitmq_vhost: /keystone
+keystone_rabbitmq_userid: keystone
+keystone_rabbitmq_password: "secrete"
+keystone_rabbitmq_use_ssl: false
+keystone_rabbitmq_port: 5672
+keystone_rabbitmq_servers: 10.100.100.101
+openrc_os_auth_url: "{{ keystone_service_internalurl }}"
+openrc_os_password: "{{ keystone_auth_admin_password }}"
+openrc_os_domain_name: "Default"
+designate_venv_tag: "testing"
+designate_developer_mode: true
+designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016
+designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
+designate_service_password: "secrete"
+designate_galera_address: 10.100.100.101
+designate_container_mysql_password: "SuperSecrete"
+designate_pool_manager_galera_address: 10.100.100.101
+designate_pool_manager_container_mysql_password: "SuperSecrete"
+designate_rabbitmq_password: "secrete"
+designate_rabbitmq_userid: designate
+designate_rabbitmq_vhost: /designate
diff --git a/vars/main.yml b/vars/main.yml
deleted file mode 100644
index 55aa69d..0000000
--- a/vars/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# vars file for os_designate/
-
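Review bot: In tests/test-vars.yml, `keystone_rabbitmq_use_ssl: false` and `keystone_rabbitmq_port: 5672` do not match the values this commit removes from tests/test-install-keystone.yml (`true` and `5671`), so moving the vars into one file also stops the keystone functional test from using the TLS listener. If the downgrade is deliberate, add a comment saying why; otherwise carry the old values over as `keystone_rabbitmq_use_ssl: true` and `keystone_rabbitmq_port: 5671`. The booleans in this file are also written in mixed case (`True` and `False` next to `true` and `false`); lowercase throughout avoids differences between YAML parsers.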