Cleanup files and templates using smart sources

The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. while the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: I3e7283bf778a9d686f3ae500b289c1fb43b42b92
Signed-off-by: cloudnull <kevin@cloudnull.com>

defaults/main.yml

@@ -55,7 +55,7 @@ glance_bin: "{{ _glance_bin }}"
 #  This is used for role access to the db migrations.
 #  Example:
 #  glance_etc_dir: "/usr/local/etc/glance"
-glance_etc_dir: "{{ _glance_etc }}/glance"
+glance_etc_dir: "/etc/glance"
 
 # venv_download, even when true, will use the fallback method of building the
 # venv from scratch if the venv download fails.
@@ -313,6 +313,5 @@ glance_glance_registry_conf_overrides: {}
 glance_glance_scrubber_conf_overrides: {}
 glance_glance_scheme_json_overrides: {}
 glance_glance_swift_store_conf_overrides: {}
-glance_glance_rootwrap_conf_overrides: {}
 glance_policy_overrides: {}
 glance_api_uwsgi_ini_overrides: {}

handlers/main.yml

@@ -82,26 +82,6 @@
     - "Restart glance services"
     - "venv changed"
 
-# Note (odyssey4me):
-# The policy.json file is currently read continually by the services
-# and is not only read on service start. We therefore cannot template
-# directly to the file read by the service because the new policies
-# may not be valid until the service restarts. This is particularly
-# important during a major upgrade. We therefore only put the policy
-# file in place after the service has been stopped.
-#
-- name: Copy new policy file into place
-  copy:
-    src: "/etc/glance/policy.json-{{ glance_venv_tag }}"
-    dest: "/etc/glance/policy.json"
-    owner: "root"
-    group: "{{ glance_system_group_name }}"
-    mode: "0640"
-    remote_src: yes
-  listen:
-    - "Restart glance services"
-    - "venv changed"
-
 - name: Start services
   service:
     name: "{{ item.service_name }}"

tasks/glance_install.yml

@@ -52,22 +52,58 @@
     mode: "0755"
   with_items: "{{ glance_nfs_client }}"
 
+# NOTE(cloudnull): During an upgrade the local directory may exist on a source
+#                  install. If the directory does exist it will need to be
+#                  removed. This is required on source installs because the
+#                  config directory is a link.
+- name: Source config block
+  block:
+    - name: Stat config directory
+      stat:
+        path: "{{ glance_etc_dir }}"
+      register: glance_conf_dir_stat
+
+    - name: Remove the config directory
+      file:
+        path: "{{ glance_etc_dir }}"
+        state: absent
+      when:
+        - glance_conf_dir_stat.stat.isdir is defined and
+          glance_conf_dir_stat.stat.isdir
+  when:
+    - glance_install_method == 'source'
+
 - name: Create glance directories
   file:
-    path: "{{ item.path | realpath }}"
-    state: directory
+    path: "{{ item.path | default(omit) }}"
+    src: "{{ item.src | default(omit) }}"
+    dest: "{{ item.dest | default(omit) }}"
+    state: "{{ item.state | default('directory') }}"
     owner: "{{ item.owner|default(glance_system_user_name) }}"
     group: "{{ item.group|default(glance_system_group_name) }}"
     mode: "{{ item.mode | default(omit) }}"
+    force: "{{ item.force | default(omit) }}"
   when:
-    - "item.path not in glance_mount_points"
+    - (item.condition | default(true)) | bool
+    - (item.dest | default(item.path)) not in glance_mount_points
   with_items:
     - path: "/openstack"
       mode: "0755"
       owner: "root"
       group: "root"
-    - path: "/etc/glance"
-      mode: "0750"
+    - path: "{{ (glance_install_method == 'distro') | ternary(glance_etc_dir, (glance_bin | dirname) + glance_etc_dir) }}"
+      mode: "0755"
+    # NOTE(cloudnull): The "src" path is relative. This ensures all files remain
+    #                  within the host/container confines when connecting to
+    #                  them using the connection plugin or the root filesystem.
+    - dest: "{{ glance_etc_dir }}"
+      src: "{{ glance_bin | dirname | regex_replace('^/', '../') }}/etc/glance"
+      state: link
+      force: true
+      condition: "{{ glance_install_method == 'source' }}"
+    - path: "{{ glance_etc_dir }}/rootwrap.d"
+      owner: "root"
+      group: "root"
     - path: "/var/cache/glance"
     - path: "{{ glance_system_user_home }}"
     - path: "{{ glance_system_user_home }}/cache"

tasks/glance_install_source.yml

@@ -51,3 +51,9 @@
       - section: "glance"
         option: "venv_tag"
         value: "{{ glance_venv_tag }}"
+
+- name: Link in the os-brick rootwrap filters
+  file:
+    src: "{{ glance_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
+    dest: "{{ glance_etc_dir }}/rootwrap.d/os-brick.filters"
+    state: link

tasks/glance_post_install.yml

@@ -24,60 +24,88 @@
     config_type: "{{ item.config_type }}"
   when: item.condition | default(True)
   with_items:
-    - src: "glance-api-paste.ini.j2"
-      dest: "/etc/glance/glance-api-paste.ini"
-      config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
-      config_type: "ini"
     - src: "glance-api.conf.j2"
-      dest: "/etc/glance/glance-api.conf"
+      dest: "{{ glance_etc_dir }}/glance-api.conf"
       config_overrides: "{{ glance_glance_api_conf_overrides }}"
       config_type: "ini"
     - src: "glance-cache.conf.j2"
-      dest: "/etc/glance/glance-cache.conf"
+      dest: "{{ glance_etc_dir }}/glance-cache.conf"
       config_overrides: "{{ glance_glance_cache_conf_overrides }}"
       config_type: "ini"
     - src: "glance-manage.conf.j2"
-      dest: "/etc/glance/glance-manage.conf"
+      dest: "{{ glance_etc_dir }}/glance-manage.conf"
       config_overrides: "{{ glance_glance_manage_conf_overrides }}"
       config_type: "ini"
-    - src: "glance-registry-paste.ini.j2"
-      dest: "/etc/glance/glance-registry-paste.ini"
-      config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
-      config_type: "ini"
-      condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
     - src: "glance-registry.conf.j2"
-      dest: "/etc/glance/glance-registry.conf"
+      dest: "{{ glance_etc_dir }}/glance-registry.conf"
       config_overrides: "{{ glance_glance_registry_conf_overrides }}"
       config_type: "ini"
       condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
     - src: "glance-scrubber.conf.j2"
-      dest: "/etc/glance/glance-scrubber.conf"
+      dest: "{{ glance_etc_dir }}/glance-scrubber.conf"
       config_overrides: "{{ glance_glance_scrubber_conf_overrides }}"
       config_type: "ini"
     - src: "glance-swift-store.conf.j2"
-      dest: "/etc/glance/glance-swift-store.conf"
+      dest: "{{ glance_etc_dir }}/glance-swift-store.conf"
       config_overrides: "{{ glance_glance_swift_store_conf_overrides }}"
       config_type: "ini"
-    - src: "policy.json.j2"
-      dest: "/etc/glance/policy.json-{{ glance_venv_tag }}"
-      config_overrides: "{{ glance_policy_overrides }}"
-      config_type: "json"
-    - src: "schema.json.j2"
-      dest: "/etc/glance/schema.json"
+    - src: "schema-image.json.j2"
+      dest: "{{ glance_etc_dir }}/schema-image.json"
       config_overrides: "{{ glance_glance_scheme_json_overrides }}"
       config_type: "json"
-    - src: "schema.json.j2"
-      dest: "/etc/glance/schema-image.json"
-      config_overrides: "{{ glance_glance_scheme_json_overrides }}"
-      config_type: "json"
-    - src: "rootwrap.conf.j2"
-      dest: "/etc/glance/rootwrap.conf"
-      config_overrides: "{{ glance_glance_rootwrap_conf_overrides }}"
-      config_type: "ini"
   notify:
     - Manage LB
     - Restart glance services
 
+# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
+#                  because we only want to copy the original files once. and we
+#                  don't want to need multiple tasks.
+- name: Preserve original configuration file(s)
+  command: "cp {{ item.target_f }} {{ item.target_f }}.original"
+  args:
+    creates: "{{ item.target_f }}.original"
+  with_items: "{{ glance_core_files }}"
+
+- name: Fetch override files
+  fetch:
+    src: "{{ item.target_f }}"
+    dest: "{{ item.tmp_f }}"
+    flat: yes
+  changed_when: false
+  run_once: true
+  with_items: "{{ glance_core_files }}"
+
+- name: Copy common config
+  config_template:
+    src: "{{ item.tmp_f }}"
+    dest: "{{ item.target_f_override | default(item.target_f) }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default(glance_system_group_name) }}"
+    mode: "{{ item.mode | default('0640') }}"
+    config_overrides: "{{ item.config_overrides }}"
+    config_type: "{{ item.config_type }}"
+  with_items: "{{ glance_core_files }}"
+  notify:
+    - Restart glance services
+
+- name: Cleanup fetched temp files
+  file:
+    path: "{{ item.tmp_f }}"
+    state: absent
+  changed_when: false
+  delegate_to: localhost
+  run_once: true
+  with_items: "{{ glance_core_files }}"
+
+# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
+- name: Set rootwrap.d permissions
+  file:
+    path: "{{ glance_etc_dir }}/rootwrap.d"
+    owner: "root"
+    group: "root"
+    mode: "0640"
+    recurse: true
+
 - name: Run the systemd mount role
   include_role:
     name: systemd_mount

templates/glance-api-paste.ini.j2

@@ -1,86 +0,0 @@
-# Use this pipeline for no auth or image caching - DEFAULT
-[pipeline:glance-api]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
-
-# Use this pipeline for image caching and no auth
-[pipeline:glance-api-caching]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
-
-# Use this pipeline for caching w/ management interface but no auth
-[pipeline:glance-api-cachemanagement]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
-
-# Use this pipeline for keystone auth
-[pipeline:glance-api-keystone]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context  rootapp
-
-# Use this pipeline for keystone auth with image caching
-[pipeline:glance-api-keystone+caching]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
-
-# Use this pipeline for keystone auth with caching and cache management
-[pipeline:glance-api-keystone+cachemanagement]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
-
-# Use this pipeline for authZ only. This means that the registry will treat a
-# user as authenticated without making requests to keystone to reauthenticate
-# the user.
-[pipeline:glance-api-trusted-auth]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
-
-# Use this pipeline for authZ only. This means that the registry will treat a
-# user as authenticated without making requests to keystone to reauthenticate
-# the user and uses cache management
-[pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
-
-[composite:rootapp]
-paste.composite_factory = glance.api:root_app_factory
-/: apiversions
-/v2: apiv2app
-
-[app:apiversions]
-paste.app_factory = glance.api.versions:create_resource
-
-[app:apiv2app]
-paste.app_factory = glance.api.v2.router:API.factory
-
-[filter:healthcheck]
-paste.filter_factory = oslo_middleware:Healthcheck.factory
-backends = disable_by_file
-disable_by_file_path = /etc/glance/healthcheck_disable
-
-[filter:versionnegotiation]
-paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
-
-[filter:cache]
-paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
-
-[filter:cachemanage]
-paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
-
-[filter:context]
-paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
-
-[filter:unauthenticated-context]
-paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
-
-[filter:authtoken]
-paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-delay_auth_decision = true
-
-[filter:gzip]
-paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
-
-[filter:osprofiler]
-paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
-enabled = yes  #DEPRECATED
-
-[filter:cors]
-paste.filter_factory =  oslo_middleware.cors:filter_factory
-oslo_config_project = glance
-oslo_config_program = glance-api
-
-[filter:http_proxy_to_wsgi]
-paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory

templates/glance-api.conf.j2

@@ -88,7 +88,7 @@ filesystem_store_datadir = {{ glance_system_user_home }}/images/
 {% endif %}
 
 {% if 'swift' in glance_available_stores %}
-swift_store_config_file = /etc/glance/glance-swift-store.conf
+swift_store_config_file = {{ glance_etc_dir }}/glance-swift-store.conf
 default_swift_reference = swift1
 swift_store_auth_insecure = {{ glance_swift_store_auth_insecure | bool }}
 swift_store_region = {{ glance_swift_store_region }}

templates/glance-registry-paste.ini.j2

@@ -1,35 +0,0 @@
-# Use this pipeline for no auth - DEFAULT
-[pipeline:glance-registry]
-pipeline = healthcheck osprofiler unauthenticated-context registryapp
-
-# Use this pipeline for keystone auth
-[pipeline:glance-registry-keystone]
-pipeline = healthcheck osprofiler authtoken context registryapp
-
-# Use this pipeline for authZ only. This means that the registry will treat a
-# user as authenticated without making requests to keystone to reauthenticate
-# the user.
-[pipeline:glance-registry-trusted-auth]
-pipeline = healthcheck osprofiler context registryapp
-
-[app:registryapp]
-paste.app_factory = glance.registry.api:API.factory
-
-[filter:healthcheck]
-paste.filter_factory = oslo_middleware:Healthcheck.factory
-backends = disable_by_file
-disable_by_file_path = /etc/glance/healthcheck_disable
-
-[filter:context]
-paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
-
-[filter:unauthenticated-context]
-paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
-
-[filter:authtoken]
-paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-
-[filter:osprofiler]
-paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }}  #DEPRECATED
-enabled = yes  #DEPRECATED

templates/policy.json.j2

@@ -1,63 +0,0 @@
-{
-    "context_is_admin":  "role:admin",
-    "default": "role:admin",
-
-    "add_image": "",
-    "delete_image": "",
-    "get_image": "",
-    "get_images": "",
-    "modify_image": "",
-    "publicize_image": "role:admin",
-    "communitize_image": "",
-    "copy_from": "",
-
-    "download_image": "",
-    "upload_image": "",
-
-    "delete_image_location": "",
-    "get_image_location": "",
-    "set_image_location": "",
-
-    "add_member": "",
-    "delete_member": "",
-    "get_member": "",
-    "get_members": "",
-    "modify_member": "",
-
-    "manage_image_cache": "role:admin",
-
-    "get_task": "",
-    "get_tasks": "",
-    "add_task": "",
-    "modify_task": "",
-    "tasks_api_access": "role:admin",
-
-    "deactivate": "",
-    "reactivate": "",
-
-    "get_metadef_namespace": "",
-    "get_metadef_namespaces":"",
-    "modify_metadef_namespace":"",
-    "add_metadef_namespace":"",
-
-    "get_metadef_object":"",
-    "get_metadef_objects":"",
-    "modify_metadef_object":"",
-    "add_metadef_object":"",
-
-    "list_metadef_resource_types":"",
-    "get_metadef_resource_type":"",
-    "add_metadef_resource_type_association":"",
-
-    "get_metadef_property":"",
-    "get_metadef_properties":"",
-    "modify_metadef_property":"",
-    "add_metadef_property":"",
-
-    "get_metadef_tag":"",
-    "get_metadef_tags":"",
-    "modify_metadef_tag":"",
-    "add_metadef_tag":"",
-    "add_metadef_tags":""
-
-}

templates/rootwrap.conf.j2

@@ -1,27 +0,0 @@
-# Configuration for glance-rootwrap
-# This file should be owned by (and only-writable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs={{ glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR

templates/schema-image.json.j2

@@ -11,14 +11,14 @@
     },
     "instance_uuid": {
         "type": "string",
-        "description": "ID of instance used to create this image."
+        "description": "Metadata which can be used to record which instance this image is associated with. (Informational only, does not create an instance snapshot.)"
     },
     "architecture": {
-        "description": "Operating system architecture as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html",
+        "description": "Operating system architecture as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
         "type": "string"
     },
     "os_distro": {
-        "description": "Common name of operating system distribution as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html",
+        "description": "Common name of operating system distribution as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
         "type": "string"
     },
     "os_version": {

vars/distro_install.yml

@@ -21,4 +21,3 @@ glance_package_list: |-
   {{ packages }}
 
 _glance_bin: "/usr/bin"
-_glance_etc: "/etc"

vars/main.yml

@@ -39,3 +39,18 @@ glance_mount_points: |-
   {%   set _ = mps.append(mp.local_path) %}
   {% endfor %}
   {{ mps }}
+
+glance_core_files:
+  - tmp_f: "/tmp/policy.json"
+    target_f: "{{ glance_etc_dir }}/policy.json"
+    config_overrides: "{{ glance_policy_overrides }}"
+    config_type: "json"
+    condition: true
+  - tmp_f: "/tmp/glance-registry-paste.ini"
+    target_f: "{{ glance_etc_dir }}/glance-registry-paste.ini"
+    config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
+    config_type: "ini"
+  - tmp_f: "/tmp/glance-api-paste.ini"
+    target_f: "{{ glance_etc_dir }}/glance-api-paste.ini"
+    config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
+    config_type: "ini"

vars/redhat-7.yml

@@ -34,3 +34,20 @@ glance_oslomsg_amqp1_distro_packages:
   - cyrus-sasl-md5
 
 glance_uwsgi_bin: '/usr/sbin'
+
+glance_core_files:
+  - tmp_f: "/tmp/policy.json"
+    target_f: "{{ glance_etc_dir }}/policy.json"
+    config_overrides: "{{ glance_policy_overrides }}"
+    config_type: "json"
+    condition: true
+  - tmp_f: "/tmp/glance-registry-dist-paste.ini"
+    target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-registry-paste.ini'), '/usr/share/glance/glance-registry-dist-paste.ini') }}"
+    target_f_override: "{{ glance_etc_dir }}/glance-registry-paste.ini"
+    config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
+    config_type: "ini"
+  - tmp_f: "/tmp/glance-api-dist-paste.ini"
+    target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-api-paste.ini'), '/usr/share/glance/glance-api-dist-paste.ini') }}"
+    target_f_override: "{{ glance_etc_dir }}/glance-api-paste.ini"
+    config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
+    config_type: "ini"

vars/source_install.yml

@@ -21,5 +21,4 @@ glance_package_list: |-
   {{ packages }}
 
 _glance_bin: "/openstack/venvs/glance-{{ glance_venv_tag }}/bin"
-_glance_etc: "{{ _glance_bin | dirname + '/etc' }}"
 glance_uwsgi_bin: "{{ _glance_bin }}"