openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
Files
c0b5e8c90a159e9930651da9d217176080b5ff82
openstack-ansible-os_keystone/handlers/main.yml
Jesse Pretorius 94293c86c2 Perform an atomic policy file change 
The policy.json file is currently read continually by the
services and is not only read on service start. We therefore
cannot template directly to the file read by the service
(if the service is already running) because the new policies
may not be valid until the service restarts. This is
particularly important during a major upgrade. We therefore
only put the policy file in place after the service restart.

This patch also tidies up the handlers and some of the install
tasks to simplify them and reduce the tasks/code a little.

Change-Id: Ie913e5eb75f3601107b53bab7bda4a02ab1c1024
2017-04-04 10:49:52 +01:00

178 lines
4.6 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Restart web server on first node
debug:
msg: "Restarting web server on first node"
changed_when: true
notify:
- Restart web server
- Wait for web server to complete starting
when:
- inventory_hostname == groups['keystone_all'][0]
tags:
- keystone-config
- name: Restart web server on other nodes
debug:
msg: "Restarting web server on other nodes"
changed_when: true
notify:
- Restart web server
- Wait for web server to complete starting
when:
- inventory_hostname != groups['keystone_all'][0]
tags:
- keystone-config
- name: Restart web server
service:
name: "{{ (keystone_apache_enabled | bool) | ternary(keystone_system_service_name, 'nginx') }}"
enabled: yes
state: restarted
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _restart
until: _restart | success
retries: 5
delay: 2
tags:
- keystone-config
- name: Wait for web server to complete starting
wait_for:
port: "{{ item }}"
timeout: 25
delay: 10
with_items:
- "{{ keystone_service_port }}"
- "{{ keystone_admin_port }}"
register: _wait_check
until: _wait_check | success
retries: 5
tags:
- keystone-config
- name: Restart uWSGI on first node
debug:
msg: "Restart uWSGI on first node"
changed_when: true
when:
- inventory_hostname == groups['keystone_all'][0]
notify:
- Stop uWSGI
- Copy new policy file into place
- Start uWSGI
- Wait for uWSGI socket to be ready
tags:
- keystone-config
- name: Restart uWSGI on other nodes
debug:
msg: "Restart uWSGI on other nodes"
changed_when: true
when:
- inventory_hostname != groups['keystone_all'][0]
notify:
- Stop uWSGI
- Copy new policy file into place
- Start uWSGI
- Wait for uWSGI socket to be ready
tags:
- keystone-config
- name: Stop uWSGI
service:
name: "{{ item }}"
state: "stopped"
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _stop
until: _stop | success
retries: 5
delay: 2
with_items: "{{ keystone_wsgi_program_names }}"
when:
- not keystone_mod_wsgi_enabled | bool
tags:
- keystone-config
# Note (odyssey4me):
# The policy.json file is currently read continually by the services
# and is not only read on service start. We therefore cannot template
# directly to the file read by the service because the new policies
# may not be valid until the service restarts. This is particularly
# important during a major upgrade. We therefore only put the policy
# file in place after the service has been stopped.
#
- name: Copy new policy file into place
copy:
src: "/etc/keystone/policy.json-{{ keystone_venv_tag }}"
dest: "/etc/keystone/policy.json"
remote_src: yes
tags:
- keystone-config
- name: Start uWSGI
service:
name: "{{ item }}"
enabled: yes
state: "started"
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _start
until: _start | success
retries: 5
delay: 2
with_items: "{{ keystone_wsgi_program_names }}"
when:
- not keystone_mod_wsgi_enabled | bool
tags:
- keystone-config
- name: Wait for uWSGI socket to be ready
wait_for:
port: "{{ item }}"
timeout: 25
delay: 10
with_items:
- "{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}"
- "{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
when:
- not keystone_mod_wsgi_enabled | bool
register: _wait_check
until: _wait_check | success
retries: 5
tags:
- keystone-config
- name: Restart Shibd
service:
name: "shibd"
enabled: yes
state: "restarted"
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
register: _restart
until: _restart | success
retries: 5
delay: 2
tags:
- keystone-config
- name: Perform a Keystone DB sync contract
command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
become: yes
become_user: "{{ keystone_system_user_name }}"
tags:
- keystone-config
View Git Blame Copy Permalink