openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
Files
04737f5dbd1568fb21bc21588f618716d9899411
openstack-ansible-os_keystone/tasks/keystone_apache.yml
Jimmy McCrory 04737f5dbd Implement zero downtime upgrades 
This patch implements upgrading keystone with zero downtime as the
default installation process. Handlers have been modified to ensure that
the first keystone node is stopped, facilitates the database migrations,
and that it is started and available before restarting any other keystone
nodes. Migrations also now only occur when there is a change within the
installed keystone venv.

This process is documented at
http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime

A new test scenario has been added for testing basic upgradability
between releases.

Implements: blueprint upgrade-testing
Change-Id: I0d3cfcb80b64d005d60f4c8445f991855f844796
2016-11-17 08:10:57 -08:00

129 lines
4.1 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create apache nogroup group
group:
name: "nogroup"
system: "yes"
- name: Create apache nogroup user
user:
name: "nogroup"
group: "nogroup"
system: "yes"
shell: "/bin/false"
## Workaround for https://github.com/ansible/ansible-modules-core/issues/5328
## TODO: Replace using apache2_module when fixed in Ansible release
## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian based systems.
- name: Enable/disable apache2 modules
command: "{{ (item.state == 'present') | ternary('a2enmod','a2dismod') }} {{ item.name }}"
register: horizon_apache2_module
changed_when:
- horizon_apache2_module.stdout.find('{{ item.name }} already') == -1
- horizon_apache2_module.stderr.find('{{ item.name }} does not exist') == -1
failed_when: false
with_items:
- "{{ { 'name': 'ssl', 'state': (keystone_ssl | bool) | ternary('present', 'absent') } }}"
- "{{ { 'name': 'shib2', 'state': ( keystone_sp != {} ) | ternary('present', 'absent') } }}"
- "{{ { 'name': 'proxy_http', 'state': (keystone_mod_wsgi_enabled | bool) | ternary('absent', 'present') } }}"
when:
- ansible_pkg_mgr == 'apt'
notify:
- Restart service on first node
- Restart service on other nodes
## NOTE(andymccr):
## We need to enable a module for httpd on RedHat/CentOS using LoadModule inside conf files
- name: Enable/disable proxy_uwsgi_module
lineinfile:
dest: '/etc/httpd/conf.modules.d/00-proxy.conf'
line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so'
state: "{{ (keystone_mod_wsgi_enabled | bool) | ternary('absent', 'present') }}"
when:
- ansible_pkg_mgr == 'yum'
notify:
- Restart service on first node
- Restart service on other nodes
- name: Drop apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
with_items: "{{ keystone_apache_configs }}"
notify:
- Restart service on first node
- Restart service on other nodes
- name: Disable default apache site
file:
path: "{{ item }}"
state: "absent"
with_items: "{{ keystone_apache_default_sites }}"
notify:
- Restart service on first node
- Restart service on other nodes
- name: Enabled keystone vhost
file:
src: "{{ keystone_apache_site_available }}"
dest: "{{ keystone_apache_site_enabled }}"
state: "link"
when:
- keystone_apache_site_available is defined
- keystone_apache_site_enabled is defined
notify:
- Restart service on first node
- Restart service on other nodes
- name: Ensure Apache ServerName
lineinfile:
dest: "{{ keystone_apache_conf }}"
line: "ServerName {{ ansible_hostname }}"
notify:
- Restart service on first node
- Restart service on other nodes
- name: Ensure Apache ServerTokens
lineinfile:
dest: "{{ keystone_apache_security_conf }}"
regexp: '^ServerTokens'
line: "ServerTokens {{ keystone_apache_servertokens }}"
notify:
- Restart service on first node
- Restart service on other nodes
- name: Ensure Apache ServerSignature
lineinfile:
dest: "{{ keystone_apache_security_conf }}"
regexp: '^ServerSignature'
line: "ServerSignature {{ keystone_apache_serversignature }}"
notify:
- Restart service on first node
- Restart service on other nodes
## NOTE(mgariepy):
## We need to enable httpd on CentOS if not it won't start when the container is restarted.
- name: Load service
service:
name: "{{ keystone_system_service_name }}"
enabled: "yes"
notify:
- Restart service on first node
- Restart service on other nodes
View Git Blame Copy Permalink