Merge "Cleanup files and templates using smart sources"

Zuul 2019-02-25 22:49:10 +00:00 committed by Gerrit Code Review
commit 77148fb080
15 changed files with 168 additions and 300 deletions


@ -55,7 +55,7 @@ glance_bin: "{{ _glance_bin }}"
# This is used for role access to the db migrations. # This is used for role access to the db migrations.
# Example: # Example:
# glance_etc_dir: "/usr/local/etc/glance" # glance_etc_dir: "/usr/local/etc/glance"
glance_etc_dir: "{{ _glance_etc }}/glance" glance_etc_dir: "/etc/glance"
# venv_download, even when true, will use the fallback method of building the # venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails. # venv from scratch if the venv download fails.
@ -313,6 +313,5 @@ glance_glance_registry_conf_overrides: {}
glance_glance_scrubber_conf_overrides: {} glance_glance_scrubber_conf_overrides: {}
glance_glance_scheme_json_overrides: {} glance_glance_scheme_json_overrides: {}
glance_glance_swift_store_conf_overrides: {} glance_glance_swift_store_conf_overrides: {}
glance_glance_rootwrap_conf_overrides: {}
glance_policy_overrides: {} glance_policy_overrides: {}
glance_api_uwsgi_ini_overrides: {} glance_api_uwsgi_ini_overrides: {}


@ -82,26 +82,6 @@
- "Restart glance services" - "Restart glance services"
- "venv changed" - "venv changed"
# Note (odyssey4me):
# The policy.json file is currently read continually by the services
# and is not only read on service start. We therefore cannot template
# directly to the file read by the service because the new policies
# may not be valid until the service restarts. This is particularly
# important during a major upgrade. We therefore only put the policy
# file in place after the service has been stopped.
#
- name: Copy new policy file into place
copy:
src: "/etc/glance/policy.json-{{ glance_venv_tag }}"
dest: "/etc/glance/policy.json"
owner: "root"
group: "{{ glance_system_group_name }}"
mode: "0640"
remote_src: yes
listen:
- "Restart glance services"
- "venv changed"
- name: Start services - name: Start services
service: service:
name: "{{ item.service_name }}" name: "{{ item.service_name }}"


@ -52,22 +52,58 @@
mode: "0755" mode: "0755"
with_items: "{{ glance_nfs_client }}" with_items: "{{ glance_nfs_client }}"
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
# install. If the directory does exist it will need to be
# removed. This is required on source installs because the
# config directory is a link.
- name: Source config block
block:
- name: Stat config directory
stat:
path: "{{ glance_etc_dir }}"
register: glance_conf_dir_stat
- name: Remove the config directory
file:
path: "{{ glance_etc_dir }}"
state: absent
when:
- glance_conf_dir_stat.stat.isdir is defined and
glance_conf_dir_stat.stat.isdir
when:
- glance_install_method == 'source'
- name: Create glance directories - name: Create glance directories
file: file:
path: "{{ item.path | realpath }}" path: "{{ item.path | default(omit) }}"
state: directory src: "{{ item.src | default(omit) }}"
owner: "{{ item.owner | default(glance_system_user_name) }}" dest: "{{ item.dest | default(omit) }}"
group: "{{ item.group | default(glance_system_group_name) }}" state: "{{ item.state | default('directory') }}"
owner: "{{ item.owner|default(glance_system_user_name) }}"
group: "{{ item.group|default(glance_system_group_name) }}"
mode: "{{ item.mode | default(omit) }}" mode: "{{ item.mode | default(omit) }}"
force: "{{ item.force | default(omit) }}"
when: when:
- "item.path not in glance_mount_points" - (item.condition | default(true)) | bool
- (item.dest | default(item.path)) not in glance_mount_points
with_items: with_items:
- path: "/openstack" - path: "/openstack"
mode: "0755" mode: "0755"
owner: "root" owner: "root"
group: "root" group: "root"
- path: "/etc/glance" - path: "{{ (glance_install_method == 'distro') | ternary(glance_etc_dir, (glance_bin | dirname) + glance_etc_dir) }}"
mode: "0750" mode: "0755"
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
# within the host/container confines when connecting to
# them using the connection plugin or the root filesystem.
- dest: "{{ glance_etc_dir }}"
src: "{{ glance_bin | dirname | regex_replace('^/', '../') }}/etc/glance"
state: link
force: true
condition: "{{ glance_install_method == 'source' }}"
- path: "{{ glance_etc_dir }}/rootwrap.d"
owner: "root"
group: "root"
- path: "/var/cache/glance" - path: "/var/cache/glance"
- path: "{{ glance_system_user_home }}" - path: "{{ glance_system_user_home }}"
- path: "{{ glance_system_user_home }}/cache" - path: "{{ glance_system_user_home }}/cache"
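Review bot: The real config directory entry in `with_items` now appears to carry `mode: "0755"` where the old `/etc/glance` entry had `"0750"`, which makes the directory listable and traversable by every local account; unless something requires that, keep `mode: "0750"` on the new entry. The link `src` built with `regex_replace('^/', '../')` only resolves correctly when `glance_etc_dir` sits exactly one level below `/`, so an override such as the `/usr/local/etc/glance` example in the defaults would leave `../openstack/...` pointing under `/usr/local`; a comment stating that assumption, or deriving the number of `../` segments from `glance_etc_dir`, would avoid a dangling link. `Remove the config directory` also deletes an existing `glance_etc_dir` wholesale on source installs, so any operator-placed files in it are lost without a backup.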


@ -50,3 +50,9 @@
- section: "glance" - section: "glance"
option: "venv_tag" option: "venv_tag"
value: "{{ glance_venv_tag }}" value: "{{ glance_venv_tag }}"
- name: Link in the os-brick rootwrap filters
file:
src: "{{ glance_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
dest: "{{ glance_etc_dir }}/rootwrap.d/os-brick.filters"
state: link
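Review bot: The `os-brick.filters` link points into the venv tree (`{{ glance_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters`), so the filters loaded from `rootwrap.d` are only as trustworthy as the ownership and mode of that venv file, which this task does not check. The rootwrap template removed in this commit states that filter directories must be writable by root only, and the same expectation should hold for a link target. Consider a comment such as `# Link target must stay root-owned and not group/world-writable; rootwrap trusts every filter in rootwrap.d`, or a `stat` plus `assert` on the target before linking. Whether the recursive permission task elsewhere in this commit reaches through the link is not visible from this hunk.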


@ -24,60 +24,88 @@
config_type: "{{ item.config_type }}" config_type: "{{ item.config_type }}"
when: item.condition | default(True) when: item.condition | default(True)
with_items: with_items:
- src: "glance-api-paste.ini.j2"
dest: "/etc/glance/glance-api-paste.ini"
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
config_type: "ini"
- src: "glance-api.conf.j2" - src: "glance-api.conf.j2"
dest: "/etc/glance/glance-api.conf" dest: "{{ glance_etc_dir }}/glance-api.conf"
config_overrides: "{{ glance_glance_api_conf_overrides }}" config_overrides: "{{ glance_glance_api_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-cache.conf.j2" - src: "glance-cache.conf.j2"
dest: "/etc/glance/glance-cache.conf" dest: "{{ glance_etc_dir }}/glance-cache.conf"
config_overrides: "{{ glance_glance_cache_conf_overrides }}" config_overrides: "{{ glance_glance_cache_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-manage.conf.j2" - src: "glance-manage.conf.j2"
dest: "/etc/glance/glance-manage.conf" dest: "{{ glance_etc_dir }}/glance-manage.conf"
config_overrides: "{{ glance_glance_manage_conf_overrides }}" config_overrides: "{{ glance_glance_manage_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-registry-paste.ini.j2"
dest: "/etc/glance/glance-registry-paste.ini"
config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
config_type: "ini"
condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
- src: "glance-registry.conf.j2" - src: "glance-registry.conf.j2"
dest: "/etc/glance/glance-registry.conf" dest: "{{ glance_etc_dir }}/glance-registry.conf"
config_overrides: "{{ glance_glance_registry_conf_overrides }}" config_overrides: "{{ glance_glance_registry_conf_overrides }}"
config_type: "ini" config_type: "ini"
condition: "{{ glance_services['glance-registry']['condition'] | bool }}" condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
- src: "glance-scrubber.conf.j2" - src: "glance-scrubber.conf.j2"
dest: "/etc/glance/glance-scrubber.conf" dest: "{{ glance_etc_dir }}/glance-scrubber.conf"
config_overrides: "{{ glance_glance_scrubber_conf_overrides }}" config_overrides: "{{ glance_glance_scrubber_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-swift-store.conf.j2" - src: "glance-swift-store.conf.j2"
dest: "/etc/glance/glance-swift-store.conf" dest: "{{ glance_etc_dir }}/glance-swift-store.conf"
config_overrides: "{{ glance_glance_swift_store_conf_overrides }}" config_overrides: "{{ glance_glance_swift_store_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "policy.json.j2" - src: "schema-image.json.j2"
dest: "/etc/glance/policy.json-{{ glance_venv_tag }}" dest: "{{ glance_etc_dir }}/schema-image.json"
config_overrides: "{{ glance_policy_overrides }}"
config_type: "json"
- src: "schema.json.j2"
dest: "/etc/glance/schema.json"
config_overrides: "{{ glance_glance_scheme_json_overrides }}" config_overrides: "{{ glance_glance_scheme_json_overrides }}"
config_type: "json" config_type: "json"
- src: "schema.json.j2"
dest: "/etc/glance/schema-image.json"
config_overrides: "{{ glance_glance_scheme_json_overrides }}"
config_type: "json"
- src: "rootwrap.conf.j2"
dest: "/etc/glance/rootwrap.conf"
config_overrides: "{{ glance_glance_rootwrap_conf_overrides }}"
config_type: "ini"
notify: notify:
- Manage LB - Manage LB
- Restart glance services - Restart glance services
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
# because we only want to copy the original files once. and we
# don't want to need multiple tasks.
- name: Preserve original configuration file(s)
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
args:
creates: "{{ item.target_f }}.original"
with_items: "{{ glance_core_files }}"
- name: Fetch override files
fetch:
src: "{{ item.target_f }}"
dest: "{{ item.tmp_f }}"
flat: yes
changed_when: false
run_once: true
with_items: "{{ glance_core_files }}"
- name: Copy common config
config_template:
src: "{{ item.tmp_f }}"
dest: "{{ item.target_f_override | default(item.target_f) }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default(glance_system_group_name) }}"
mode: "{{ item.mode | default('0640') }}"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items: "{{ glance_core_files }}"
notify:
- Restart glance services
- name: Cleanup fetched temp files
file:
path: "{{ item.tmp_f }}"
state: absent
changed_when: false
delegate_to: localhost
run_once: true
with_items: "{{ glance_core_files }}"
# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
- name: Set rootwrap.d permissions
file:
path: "{{ glance_etc_dir }}/rootwrap.d"
owner: "root"
group: "root"
mode: "0640"
recurse: true
- name: Run the systemd mount role - name: Run the systemd mount role
include_role: include_role:
name: systemd_mount name: systemd_mount
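Review bot: `Copy common config` now renders `policy.json` straight to `{{ glance_etc_dir }}/policy.json` (via `glance_core_files`), while the handler removed in this commit existed because the services re-read the policy file continuously and a new policy may not be valid until they restart. If that still holds, running services can pick up the new policy before the restart, which matters most during a major upgrade; either keep staging to a versioned file that is moved into place after the stop, or add a comment explaining why in-place rendering is now safe. On source installs `target_f` is both the fetch source and the destination, so after the first run the already-overridden file presumably becomes the base and a removed override is never reverted; `src: "{{ item.target_f }}.original"` in `Fetch override files` would keep the base pristine. `Set rootwrap.d permissions` applies `mode: "0640"` with `recurse: true`, which also strips the search bit from the directory itself; `mode: "u=rwX,g=rX,o="` yields 0640 files and 0750 directories.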


@ -1,86 +0,0 @@
# Use this pipeline for no auth or image caching - DEFAULT
[pipeline:glance-api]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
# Use this pipeline for image caching and no auth
[pipeline:glance-api-caching]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
# Use this pipeline for caching w/ management interface but no auth
[pipeline:glance-api-cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
# Use this pipeline for keystone auth
[pipeline:glance-api-keystone]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
# Use this pipeline for keystone auth with image caching
[pipeline:glance-api-keystone+caching]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
# Use this pipeline for keystone auth with caching and cache management
[pipeline:glance-api-keystone+cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-api-trusted-auth]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user and uses cache management
[pipeline:glance-api-trusted-auth+cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
[composite:rootapp]
paste.composite_factory = glance.api:root_app_factory
/: apiversions
/v2: apiv2app
[app:apiversions]
paste.app_factory = glance.api.versions:create_resource
[app:apiv2app]
paste.app_factory = glance.api.v2.router:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
[filter:cache]
paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
[filter:cachemanage]
paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = true
[filter:gzip]
paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED
enabled = yes #DEPRECATED
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = glance
oslo_config_program = glance-api
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory


@ -88,7 +88,7 @@ filesystem_store_datadir = {{ glance_system_user_home }}/images/
{% endif %} {% endif %}
{% if 'swift' in glance_available_stores %} {% if 'swift' in glance_available_stores %}
swift_store_config_file = /etc/glance/glance-swift-store.conf swift_store_config_file = {{ glance_etc_dir }}/glance-swift-store.conf
default_swift_reference = swift1 default_swift_reference = swift1
swift_store_auth_insecure = {{ glance_swift_store_auth_insecure | bool }} swift_store_auth_insecure = {{ glance_swift_store_auth_insecure | bool }}
swift_store_region = {{ glance_swift_store_region }} swift_store_region = {{ glance_swift_store_region }}


@ -1,35 +0,0 @@
# Use this pipeline for no auth - DEFAULT
[pipeline:glance-registry]
pipeline = healthcheck osprofiler unauthenticated-context registryapp
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = healthcheck osprofiler authtoken context registryapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-registry-trusted-auth]
pipeline = healthcheck osprofiler context registryapp
[app:registryapp]
paste.app_factory = glance.registry.api:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED
enabled = yes #DEPRECATED


@ -1,63 +0,0 @@
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}


@ -1,27 +0,0 @@
# Configuration for glance-rootwrap
# This file should be owned by (and only-writable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs={{ glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR


@ -1,28 +1,28 @@
{ {
"kernel_id": { "kernel_id": {
"type": ["null", "string"], "type": ["null", "string"],
"pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$", "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
"description": "ID of image stored in Glance that should be used as the kernel when booting an AMI-style image." "description": "ID of image stored in Glance that should be used as the kernel when booting an AMI-style image."
}, },
"ramdisk_id": { "ramdisk_id": {
"type": ["null", "string"], "type": ["null", "string"],
"pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$", "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
"description": "ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image." "description": "ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image."
}, },
"instance_uuid": { "instance_uuid": {
"type": "string", "type": "string",
"description": "ID of instance used to create this image." "description": "Metadata which can be used to record which instance this image is associated with. (Informational only, does not create an instance snapshot.)"
}, },
"architecture": { "architecture": {
"description": "Operating system architecture as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html", "description": "Operating system architecture as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
"type": "string" "type": "string"
}, },
"os_distro": { "os_distro": {
"description": "Common name of operating system distribution as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html", "description": "Common name of operating system distribution as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
"type": "string" "type": "string"
}, },
"os_version": { "os_version": {
"description": "Operating system version as specified by the distributor", "description": "Operating system version as specified by the distributor",
"type": "string" "type": "string"
} }
} }


@ -21,4 +21,3 @@ glance_package_list: |-
{{ packages }} {{ packages }}
_glance_bin: "/usr/bin" _glance_bin: "/usr/bin"
_glance_etc: "/etc"


@ -39,3 +39,18 @@ glance_mount_points: |-
{% set _ = mps.append(mp.local_path) %} {% set _ = mps.append(mp.local_path) %}
{% endfor %} {% endfor %}
{{ mps }} {{ mps }}
glance_core_files:
- tmp_f: "/tmp/policy.json"
target_f: "{{ glance_etc_dir }}/policy.json"
config_overrides: "{{ glance_policy_overrides }}"
config_type: "json"
condition: true
- tmp_f: "/tmp/glance-registry-paste.ini"
target_f: "{{ glance_etc_dir }}/glance-registry-paste.ini"
config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
config_type: "ini"
- tmp_f: "/tmp/glance-api-paste.ini"
target_f: "{{ glance_etc_dir }}/glance-api-paste.ini"
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
config_type: "ini"
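Review bot: Every `tmp_f` in `glance_core_files` is a fixed name directly under `/tmp` (`/tmp/policy.json`, `/tmp/glance-api-paste.ini`, ...), and the `fetch` task writes to that path on the deploy host. A predictable file in a world-writable directory can be pre-created or replaced by another local account between the fetch and the `config_template` read, and two concurrent runs would overwrite each other's copy; the second `glance_core_files` definition (the one with `target_f_override`) has the same pattern. Consider a per-run private directory, for example one created with the `tempfile` module (`state: directory`), and build `tmp_f` beneath it. The `condition: true` key on the policy entry is not consulted by any of the tasks that loop over this list in the visible hunks, so it should either be wired into a `when:` or dropped.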


@ -34,3 +34,20 @@ glance_oslomsg_amqp1_distro_packages:
- cyrus-sasl-md5 - cyrus-sasl-md5
glance_uwsgi_bin: '/usr/sbin' glance_uwsgi_bin: '/usr/sbin'
glance_core_files:
- tmp_f: "/tmp/policy.json"
target_f: "{{ glance_etc_dir }}/policy.json"
config_overrides: "{{ glance_policy_overrides }}"
config_type: "json"
condition: true
- tmp_f: "/tmp/glance-registry-dist-paste.ini"
target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-registry-paste.ini'), '/usr/share/glance/glance-registry-dist-paste.ini') }}"
target_f_override: "{{ glance_etc_dir }}/glance-registry-paste.ini"
config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
config_type: "ini"
- tmp_f: "/tmp/glance-api-dist-paste.ini"
target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-api-paste.ini'), '/usr/share/glance/glance-api-dist-paste.ini') }}"
target_f_override: "{{ glance_etc_dir }}/glance-api-paste.ini"
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
config_type: "ini"


@ -21,5 +21,4 @@ glance_package_list: |-
{{ packages }} {{ packages }}
_glance_bin: "/openstack/venvs/glance-{{ glance_venv_tag }}/bin" _glance_bin: "/openstack/venvs/glance-{{ glance_venv_tag }}/bin"
_glance_etc: "{{ _glance_bin | dirname + '/etc' }}"
glance_uwsgi_bin: "{{ _glance_bin }}" glance_uwsgi_bin: "{{ _glance_bin }}"