Cleanup files and templates using smart sources

The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. while the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: I3e7283bf778a9d686f3ae500b289c1fb43b42b92
Signed-off-by: cloudnull <kevin@cloudnull.com>
This commit is contained in:
Kevin Carter 2018-08-05 01:13:21 -05:00 committed by cloudnull
parent 2edb1b1a4d
commit 9748e6b154
No known key found for this signature in database
GPG Key ID: 9443251A787B9FB3
15 changed files with 168 additions and 300 deletions

View File

@ -55,7 +55,7 @@ glance_bin: "{{ _glance_bin }}"
# This is used for role access to the db migrations. # This is used for role access to the db migrations.
# Example: # Example:
# glance_etc_dir: "/usr/local/etc/glance" # glance_etc_dir: "/usr/local/etc/glance"
glance_etc_dir: "{{ _glance_etc }}/glance" glance_etc_dir: "/etc/glance"
# venv_download, even when true, will use the fallback method of building the # venv_download, even when true, will use the fallback method of building the
# venv from scratch if the venv download fails. # venv from scratch if the venv download fails.
@ -313,6 +313,5 @@ glance_glance_registry_conf_overrides: {}
glance_glance_scrubber_conf_overrides: {} glance_glance_scrubber_conf_overrides: {}
glance_glance_scheme_json_overrides: {} glance_glance_scheme_json_overrides: {}
glance_glance_swift_store_conf_overrides: {} glance_glance_swift_store_conf_overrides: {}
glance_glance_rootwrap_conf_overrides: {}
glance_policy_overrides: {} glance_policy_overrides: {}
glance_api_uwsgi_ini_overrides: {} glance_api_uwsgi_ini_overrides: {}

View File

@ -82,26 +82,6 @@
- "Restart glance services" - "Restart glance services"
- "venv changed" - "venv changed"
# Note (odyssey4me):
# The policy.json file is currently read continually by the services
# and is not only read on service start. We therefore cannot template
# directly to the file read by the service because the new policies
# may not be valid until the service restarts. This is particularly
# important during a major upgrade. We therefore only put the policy
# file in place after the service has been stopped.
#
- name: Copy new policy file into place
copy:
src: "/etc/glance/policy.json-{{ glance_venv_tag }}"
dest: "/etc/glance/policy.json"
owner: "root"
group: "{{ glance_system_group_name }}"
mode: "0640"
remote_src: yes
listen:
- "Restart glance services"
- "venv changed"
- name: Start services - name: Start services
service: service:
name: "{{ item.service_name }}" name: "{{ item.service_name }}"

View File

@ -52,22 +52,58 @@
mode: "0755" mode: "0755"
with_items: "{{ glance_nfs_client }}" with_items: "{{ glance_nfs_client }}"
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
# install. If the directory does exist it will need to be
# removed. This is required on source installs because the
# config directory is a link.
- name: Source config block
block:
- name: Stat config directory
stat:
path: "{{ glance_etc_dir }}"
register: glance_conf_dir_stat
- name: Remove the config directory
file:
path: "{{ glance_etc_dir }}"
state: absent
when:
- glance_conf_dir_stat.stat.isdir is defined and
glance_conf_dir_stat.stat.isdir
when:
- glance_install_method == 'source'
- name: Create glance directories - name: Create glance directories
file: file:
path: "{{ item.path | realpath }}" path: "{{ item.path | default(omit) }}"
state: directory src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
state: "{{ item.state | default('directory') }}"
owner: "{{ item.owner|default(glance_system_user_name) }}" owner: "{{ item.owner|default(glance_system_user_name) }}"
group: "{{ item.group|default(glance_system_group_name) }}" group: "{{ item.group|default(glance_system_group_name) }}"
mode: "{{ item.mode | default(omit) }}" mode: "{{ item.mode | default(omit) }}"
force: "{{ item.force | default(omit) }}"
when: when:
- "item.path not in glance_mount_points" - (item.condition | default(true)) | bool
- (item.dest | default(item.path)) not in glance_mount_points
with_items: with_items:
- path: "/openstack" - path: "/openstack"
mode: "0755" mode: "0755"
owner: "root" owner: "root"
group: "root" group: "root"
- path: "/etc/glance" - path: "{{ (glance_install_method == 'distro') | ternary(glance_etc_dir, (glance_bin | dirname) + glance_etc_dir) }}"
mode: "0750" mode: "0755"
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
# within the host/container confines when connecting to
# them using the connection plugin or the root filesystem.
- dest: "{{ glance_etc_dir }}"
src: "{{ glance_bin | dirname | regex_replace('^/', '../') }}/etc/glance"
state: link
force: true
condition: "{{ glance_install_method == 'source' }}"
- path: "{{ glance_etc_dir }}/rootwrap.d"
owner: "root"
group: "root"
- path: "/var/cache/glance" - path: "/var/cache/glance"
- path: "{{ glance_system_user_home }}" - path: "{{ glance_system_user_home }}"
- path: "{{ glance_system_user_home }}/cache" - path: "{{ glance_system_user_home }}/cache"

View File

@ -51,3 +51,9 @@
- section: "glance" - section: "glance"
option: "venv_tag" option: "venv_tag"
value: "{{ glance_venv_tag }}" value: "{{ glance_venv_tag }}"
- name: Link in the os-brick rootwrap filters
file:
src: "{{ glance_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
dest: "{{ glance_etc_dir }}/rootwrap.d/os-brick.filters"
state: link

View File

@ -24,60 +24,88 @@
config_type: "{{ item.config_type }}" config_type: "{{ item.config_type }}"
when: item.condition | default(True) when: item.condition | default(True)
with_items: with_items:
- src: "glance-api-paste.ini.j2"
dest: "/etc/glance/glance-api-paste.ini"
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
config_type: "ini"
- src: "glance-api.conf.j2" - src: "glance-api.conf.j2"
dest: "/etc/glance/glance-api.conf" dest: "{{ glance_etc_dir }}/glance-api.conf"
config_overrides: "{{ glance_glance_api_conf_overrides }}" config_overrides: "{{ glance_glance_api_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-cache.conf.j2" - src: "glance-cache.conf.j2"
dest: "/etc/glance/glance-cache.conf" dest: "{{ glance_etc_dir }}/glance-cache.conf"
config_overrides: "{{ glance_glance_cache_conf_overrides }}" config_overrides: "{{ glance_glance_cache_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-manage.conf.j2" - src: "glance-manage.conf.j2"
dest: "/etc/glance/glance-manage.conf" dest: "{{ glance_etc_dir }}/glance-manage.conf"
config_overrides: "{{ glance_glance_manage_conf_overrides }}" config_overrides: "{{ glance_glance_manage_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-registry-paste.ini.j2"
dest: "/etc/glance/glance-registry-paste.ini"
config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
config_type: "ini"
condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
- src: "glance-registry.conf.j2" - src: "glance-registry.conf.j2"
dest: "/etc/glance/glance-registry.conf" dest: "{{ glance_etc_dir }}/glance-registry.conf"
config_overrides: "{{ glance_glance_registry_conf_overrides }}" config_overrides: "{{ glance_glance_registry_conf_overrides }}"
config_type: "ini" config_type: "ini"
condition: "{{ glance_services['glance-registry']['condition'] | bool }}" condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
- src: "glance-scrubber.conf.j2" - src: "glance-scrubber.conf.j2"
dest: "/etc/glance/glance-scrubber.conf" dest: "{{ glance_etc_dir }}/glance-scrubber.conf"
config_overrides: "{{ glance_glance_scrubber_conf_overrides }}" config_overrides: "{{ glance_glance_scrubber_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "glance-swift-store.conf.j2" - src: "glance-swift-store.conf.j2"
dest: "/etc/glance/glance-swift-store.conf" dest: "{{ glance_etc_dir }}/glance-swift-store.conf"
config_overrides: "{{ glance_glance_swift_store_conf_overrides }}" config_overrides: "{{ glance_glance_swift_store_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "policy.json.j2" - src: "schema-image.json.j2"
dest: "/etc/glance/policy.json-{{ glance_venv_tag }}" dest: "{{ glance_etc_dir }}/schema-image.json"
config_overrides: "{{ glance_policy_overrides }}"
config_type: "json"
- src: "schema.json.j2"
dest: "/etc/glance/schema.json"
config_overrides: "{{ glance_glance_scheme_json_overrides }}" config_overrides: "{{ glance_glance_scheme_json_overrides }}"
config_type: "json" config_type: "json"
- src: "schema.json.j2"
dest: "/etc/glance/schema-image.json"
config_overrides: "{{ glance_glance_scheme_json_overrides }}"
config_type: "json"
- src: "rootwrap.conf.j2"
dest: "/etc/glance/rootwrap.conf"
config_overrides: "{{ glance_glance_rootwrap_conf_overrides }}"
config_type: "ini"
notify: notify:
- Manage LB - Manage LB
- Restart glance services - Restart glance services
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
# because we only want to copy the original files once. and we
# don't want to need multiple tasks.
- name: Preserve original configuration file(s)
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
args:
creates: "{{ item.target_f }}.original"
with_items: "{{ glance_core_files }}"
- name: Fetch override files
fetch:
src: "{{ item.target_f }}"
dest: "{{ item.tmp_f }}"
flat: yes
changed_when: false
run_once: true
with_items: "{{ glance_core_files }}"
- name: Copy common config
config_template:
src: "{{ item.tmp_f }}"
dest: "{{ item.target_f_override | default(item.target_f) }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default(glance_system_group_name) }}"
mode: "{{ item.mode | default('0640') }}"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items: "{{ glance_core_files }}"
notify:
- Restart glance services
- name: Cleanup fetched temp files
file:
path: "{{ item.tmp_f }}"
state: absent
changed_when: false
delegate_to: localhost
run_once: true
with_items: "{{ glance_core_files }}"
# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
- name: Set rootwrap.d permissions
file:
path: "{{ glance_etc_dir }}/rootwrap.d"
owner: "root"
group: "root"
mode: "0640"
recurse: true
- name: Run the systemd mount role - name: Run the systemd mount role
include_role: include_role:
name: systemd_mount name: systemd_mount

View File

@ -1,86 +0,0 @@
# Use this pipeline for no auth or image caching - DEFAULT
[pipeline:glance-api]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
# Use this pipeline for image caching and no auth
[pipeline:glance-api-caching]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
# Use this pipeline for caching w/ management interface but no auth
[pipeline:glance-api-cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
# Use this pipeline for keystone auth
[pipeline:glance-api-keystone]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
# Use this pipeline for keystone auth with image caching
[pipeline:glance-api-keystone+caching]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
# Use this pipeline for keystone auth with caching and cache management
[pipeline:glance-api-keystone+cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-api-trusted-auth]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user and uses cache management
[pipeline:glance-api-trusted-auth+cachemanagement]
pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
[composite:rootapp]
paste.composite_factory = glance.api:root_app_factory
/: apiversions
/v2: apiv2app
[app:apiversions]
paste.app_factory = glance.api.versions:create_resource
[app:apiv2app]
paste.app_factory = glance.api.v2.router:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
[filter:cache]
paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
[filter:cachemanage]
paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = true
[filter:gzip]
paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED
enabled = yes #DEPRECATED
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = glance
oslo_config_program = glance-api
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory

View File

@ -88,7 +88,7 @@ filesystem_store_datadir = {{ glance_system_user_home }}/images/
{% endif %} {% endif %}
{% if 'swift' in glance_available_stores %} {% if 'swift' in glance_available_stores %}
swift_store_config_file = /etc/glance/glance-swift-store.conf swift_store_config_file = {{ glance_etc_dir }}/glance-swift-store.conf
default_swift_reference = swift1 default_swift_reference = swift1
swift_store_auth_insecure = {{ glance_swift_store_auth_insecure | bool }} swift_store_auth_insecure = {{ glance_swift_store_auth_insecure | bool }}
swift_store_region = {{ glance_swift_store_region }} swift_store_region = {{ glance_swift_store_region }}

View File

@ -1,35 +0,0 @@
# Use this pipeline for no auth - DEFAULT
[pipeline:glance-registry]
pipeline = healthcheck osprofiler unauthenticated-context registryapp
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = healthcheck osprofiler authtoken context registryapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-registry-trusted-auth]
pipeline = healthcheck osprofiler context registryapp
[app:registryapp]
paste.app_factory = glance.registry.api:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED
enabled = yes #DEPRECATED

View File

@ -1,63 +0,0 @@
{
"context_is_admin": "role:admin",
"default": "role:admin",
"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"communitize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": "",
"tasks_api_access": "role:admin",
"deactivate": "",
"reactivate": "",
"get_metadef_namespace": "",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"",
"add_metadef_namespace":"",
"get_metadef_object":"",
"get_metadef_objects":"",
"modify_metadef_object":"",
"add_metadef_object":"",
"list_metadef_resource_types":"",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"",
"get_metadef_property":"",
"get_metadef_properties":"",
"modify_metadef_property":"",
"add_metadef_property":"",
"get_metadef_tag":"",
"get_metadef_tags":"",
"modify_metadef_tag":"",
"add_metadef_tag":"",
"add_metadef_tags":""
}

View File

@ -1,27 +0,0 @@
# Configuration for glance-rootwrap
# This file should be owned by (and only-writable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs={{ glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR

View File

@ -11,14 +11,14 @@
}, },
"instance_uuid": { "instance_uuid": {
"type": "string", "type": "string",
"description": "ID of instance used to create this image." "description": "Metadata which can be used to record which instance this image is associated with. (Informational only, does not create an instance snapshot.)"
}, },
"architecture": { "architecture": {
"description": "Operating system architecture as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html", "description": "Operating system architecture as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
"type": "string" "type": "string"
}, },
"os_distro": { "os_distro": {
"description": "Common name of operating system distribution as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html", "description": "Common name of operating system distribution as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
"type": "string" "type": "string"
}, },
"os_version": { "os_version": {

View File

@ -21,4 +21,3 @@ glance_package_list: |-
{{ packages }} {{ packages }}
_glance_bin: "/usr/bin" _glance_bin: "/usr/bin"
_glance_etc: "/etc"

View File

@ -39,3 +39,18 @@ glance_mount_points: |-
{% set _ = mps.append(mp.local_path) %} {% set _ = mps.append(mp.local_path) %}
{% endfor %} {% endfor %}
{{ mps }} {{ mps }}
glance_core_files:
- tmp_f: "/tmp/policy.json"
target_f: "{{ glance_etc_dir }}/policy.json"
config_overrides: "{{ glance_policy_overrides }}"
config_type: "json"
condition: true
- tmp_f: "/tmp/glance-registry-paste.ini"
target_f: "{{ glance_etc_dir }}/glance-registry-paste.ini"
config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
config_type: "ini"
- tmp_f: "/tmp/glance-api-paste.ini"
target_f: "{{ glance_etc_dir }}/glance-api-paste.ini"
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
config_type: "ini"

View File

@ -34,3 +34,20 @@ glance_oslomsg_amqp1_distro_packages:
- cyrus-sasl-md5 - cyrus-sasl-md5
glance_uwsgi_bin: '/usr/sbin' glance_uwsgi_bin: '/usr/sbin'
glance_core_files:
- tmp_f: "/tmp/policy.json"
target_f: "{{ glance_etc_dir }}/policy.json"
config_overrides: "{{ glance_policy_overrides }}"
config_type: "json"
condition: true
- tmp_f: "/tmp/glance-registry-dist-paste.ini"
target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-registry-paste.ini'), '/usr/share/glance/glance-registry-dist-paste.ini') }}"
target_f_override: "{{ glance_etc_dir }}/glance-registry-paste.ini"
config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
config_type: "ini"
- tmp_f: "/tmp/glance-api-dist-paste.ini"
target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-api-paste.ini'), '/usr/share/glance/glance-api-dist-paste.ini') }}"
target_f_override: "{{ glance_etc_dir }}/glance-api-paste.ini"
config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
config_type: "ini"

View File

@ -21,5 +21,4 @@ glance_package_list: |-
{{ packages }} {{ packages }}
_glance_bin: "/openstack/venvs/glance-{{ glance_venv_tag }}/bin" _glance_bin: "/openstack/venvs/glance-{{ glance_venv_tag }}/bin"
_glance_etc: "{{ _glance_bin | dirname + '/etc' }}"
glance_uwsgi_bin: "{{ _glance_bin }}" glance_uwsgi_bin: "{{ _glance_bin }}"