From 57638854532690b61c4abc6d735c17f31950b7e6 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Wed, 28 Apr 2021 17:48:43 +0300 Subject: [PATCH] Change task ordering to perform smooth upgrades Currently we symlink /etc/neutron to empty directory at pre-stage, and filling it with config only during post_install. This means, that policies and rootwrap filters are not working properly until playbook execution finish. Additionally, we replace sudoers file with new path in it, which makes current operations impossible for the service, since rootwrap can not gain sudo privileges. With this change we move symlinking and rootwrap steps to handlers, which means that we will do replace configs while service is stopped. During post_install we place all of the configs inside the venv, which is versioned at the moment. This way we minimise downtime of the service while performing upgrades Change-Id: I6d1686ab79647acfc086f21864bde14c8a1a1a49 --- handlers/main.yml | 24 ++++++++++++++++++++++++ tasks/neutron_db_setup.yml | 4 ++-- tasks/neutron_post_install.yml | 24 ++++++++++++------------ tasks/neutron_pre_install.yml | 21 +-------------------- vars/main.yml | 25 +++++++++++++------------ 5 files changed, 52 insertions(+), 46 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 23d0e4c6..dee33c89 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -70,6 +70,30 @@ - "Restart neutron services" - "venv changed" +- name: Symlink neutron config directory + file: + # NOTE(cloudnull): The "src" path is relative. This ensures all files remain + # within the host/container confines when connecting to + # them using the connection plugin or the root filesystem. + src: "{{ neutron_conf_version_dir | regex_replace('^/', '../') }}" + dest: "{{ neutron_conf_dir }}" + state: link + force: true + when: neutron_install_method == 'source' + listen: + - "venv changed" + +- name: Drop sudoers file + template: + src: "sudoers.j2" + dest: "/etc/sudoers.d/{{ neutron_system_user_name }}_sudoers" + mode: "0440" + owner: "root" + group: "root" + listen: + - "Restart neutron services" + - "venv changed" + - name: Perform a DB contract command: "{{ neutron_bin }}/neutron-db-manage upgrade --contract" become: yes diff --git a/tasks/neutron_db_setup.yml b/tasks/neutron_db_setup.yml index 2ca65cc4..a36937e2 100644 --- a/tasks/neutron_db_setup.yml +++ b/tasks/neutron_db_setup.yml @@ -14,7 +14,7 @@ # limitations under the License. - name: Perform a DB expand - command: "{{ neutron_bin }}/neutron-db-manage upgrade --expand" + command: "{{ neutron_bin }}/neutron-db-manage --config-file {{ neutron_conf_version_dir }}/neutron.conf upgrade --expand" become: yes become_user: "{{ neutron_system_user_name }}" when: @@ -29,7 +29,7 @@ value: "False" - name: Check for available offline migrations - command: "{{ neutron_bin }}/neutron-db-manage has_offline_migrations" + command: "{{ neutron_bin }}/neutron-db-manage --config-file {{ neutron_conf_version_dir }}/neutron.conf has_offline_migrations" environment: LANGUAGE: en_US.UTF-8 become: yes diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml index ac7976d7..5cdf131d 100644 --- a/tasks/neutron_post_install.yml +++ b/tasks/neutron_post_install.yml 
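Review bot: The `Drop sudoers file` handler writes the rendered `sudoers.j2` straight into `/etc/sudoers.d/` with no syntax check, and as a handler it now listens on `Restart neutron services` and `venv changed`, the same topics this commit uses to swap configs while the service is down. A drop-in that fails to parse can make sudo reject its configuration for every account on the host, not just the neutron user, and rootwrap would then be unable to elevate. Adding `validate: "/usr/sbin/visudo -cf %s"` to the `template:` arguments keeps the previous file in place when the rendered one is invalid. The template body is not part of this diff, so whether deployer overrides can change its content cannot be judged from here.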
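Review bot: The `Perform a DB contract` handler in handlers/main.yml still runs `neutron-db-manage upgrade --contract` with no `--config-file`, while `Perform a DB expand` and `Check for available offline migrations` in these two hunks now name `{{ neutron_conf_version_dir }}/neutron.conf` explicitly. The two routes only agree if `neutron_conf_dir` already points at the versioned directory when contract runs, and the new symlink handler listens on `venv changed` alone; the contract handler's own `listen` and `when` lines lie outside the visible hunk. Either pass the same `--config-file {{ neutron_conf_version_dir }}/neutron.conf` to the contract command, or add a comment on that handler such as `# relies on "Symlink neutron config directory" having run first`.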
@@ -21,11 +21,11 @@ group: "{{ item.group|default(neutron_system_group_name) }}" mode: "{{ item.mode | default(omit) }}" with_items: - - path: "{{ neutron_conf_dir }}/plugins" + - path: "{{ neutron_conf_version_dir }}/plugins" mode: "0750" - - path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" + - path: "{{ neutron_conf_version_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" mode: "0750" - - path: "{{ neutron_conf_dir }}/rootwrap.d" + - path: "{{ neutron_conf_version_dir }}/rootwrap.d" owner: "root" group: "root" @@ -34,7 +34,7 @@ - name: Copy extra neutron rootwrap filters copy: src: "{{ item }}" - dest: "{{ neutron_conf_dir }}/rootwrap.d/" + dest: "{{ neutron_conf_version_dir }}/rootwrap.d/" owner: "root" group: "root" with_fileglob: @@ -53,11 +53,11 @@ config_type: "{{ item.config_type }}" with_items: - src: "neutron.conf.j2" - dest: "{{ neutron_conf_dir }}/neutron.conf" + dest: "{{ neutron_conf_version_dir }}/neutron.conf" config_overrides: "{{ neutron_neutron_conf_overrides }}" config_type: "ini" - src: "{{ neutron_plugins[neutron_plugin_type].plugin_ini }}.j2" - dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}" + dest: "{{ neutron_conf_version_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}" config_overrides: "{{ neutron_plugins[neutron_plugin_type].plugin_conf_ini_overrides }}" config_type: "ini" notify: @@ -66,7 +66,7 @@ - name: Implement policy.yaml if there are overrides configured config_template: content: "{{ neutron_policy_overrides }}" - dest: "{{ neutron_conf_dir }}/policy.yaml" + dest: "{{ neutron_conf_version_dir }}/policy.yaml" owner: "root" group: "{{ neutron_system_group_name }}" mode: "0640" 
@@ -88,7 +88,7 @@ - name: Place api-paste.ini to the correct path in RedHat file: src: "/usr/share/neutron/api-paste.ini" - dest: "{{ neutron_conf_dir }}/api-paste.ini" + dest: "{{ neutron_conf_version_dir }}/api-paste.ini" owner: "root" group: "{{ neutron_system_group_name }}" mode: "0640" @@ -141,7 +141,7 @@ # NOTE(cloudnull): This will ensure strong permissions on all rootwrap files. - name: Set rootwrap.d permissions file: - path: "{{ neutron_conf_dir }}/rootwrap.d" + path: "{{ neutron_conf_version_dir }}/rootwrap.d" owner: "root" group: "root" mode: "0640" @@ -150,7 +150,7 @@ - name: Copy neutron ml2 plugin config config_template: src: "{{ ('plugin_conf_bare' not in neutron_plugins[item]) | ternary(neutron_plugins[item].plugin_ini ~ '.j2', omit) }}" - dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}" + dest: "{{ neutron_conf_version_dir }}/{{ neutron_plugins[item].plugin_ini }}" owner: "root" group: "{{ neutron_system_group_name }}" mode: "0640" @@ -161,7 +161,7 @@ - name: Generate neutron dnsmasq Config template: src: "dnsmasq-neutron.conf.j2" - dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf" + dest: "{{ neutron_conf_version_dir }}/dnsmasq-neutron.conf" owner: "root" group: "{{ neutron_system_group_name }}" mode: "0640" @@ -189,7 +189,7 @@ - name: Generate neutron bgpvpn networking configuration template: src: "networking_bgpvpn.conf.j2" - dest: "{{ neutron_conf_dir }}/networking_bgpvpn.conf" + dest: "{{ neutron_conf_version_dir }}/networking_bgpvpn.conf" owner: "root" group: "{{ neutron_system_group_name }}" mode: "0640" diff --git a/tasks/neutron_pre_install.yml b/tasks/neutron_pre_install.yml index a15d71a8..1766b8c1 100644 --- a/tasks/neutron_pre_install.yml +++ b/tasks/neutron_pre_install.yml 
@@ -53,29 +53,18 @@ - name: Create neutron dir file: path: "{{ item.path | default(omit) }}" - src: "{{ item.src | default(omit) }}" - dest: "{{ item.dest | default(omit) }}" state: "{{ item.state | default('directory') }}" owner: "{{ item.owner | default(neutron_system_user_name) }}" group: "{{ item.group | default(neutron_system_group_name) }}" mode: "{{ item.mode | default(omit) }}" - force: "{{ item.force | default(omit) }}" when: - (item.condition | default(true)) | bool with_items: - path: "/openstack" owner: "root" group: "root" - - path: "{{ (neutron_install_method == 'distro') | ternary(neutron_conf_dir, (neutron_bin | dirname) + '/etc/neutron') }}" + - path: "{{ neutron_conf_version_dir }}" mode: "0755" - # NOTE(cloudnull): The "src" path is relative. This ensures all files remain - # within the host/container confines when connecting to - # them using the connection plugin or the root filesystem. - - dest: "{{ neutron_conf_dir }}" - src: "{{ neutron_bin | dirname | regex_replace('^/', '../') }}/etc/neutron" - state: link - force: true - condition: "{{ neutron_install_method == 'source' }}" - path: "/etc/sudoers.d" mode: "0750" owner: "root" @@ -87,14 +76,6 @@ mode: "0755" - path: "{{ neutron_system_home_folder }}/ha_confs" -- name: Drop sudoers file - template: - src: "sudoers.j2" - dest: "/etc/sudoers.d/{{ neutron_system_user_name }}_sudoers" - mode: "0440" - owner: "root" - group: "root" - - name: Add dependency repos for Neutron package: name: "{{ neutron_repos }}" diff --git a/vars/main.yml b/vars/main.yml index a94de306..66f4aaf8 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -122,6 +122,7 @@ neutron_venv_packages: >- ### neutron_conf_dir: /etc/neutron +neutron_conf_version_dir: "{{ (neutron_install_method == 'distro') | ternary(neutron_conf_dir, (neutron_bin | dirname) + '/etc/neutron') }}" neutron_lock_path: "/var/lock/neutron" neutron_system_user_name: neutron neutron_system_group_name: neutron 
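Review bot: The item `- path: "{{ neutron_conf_version_dir }}"` sets only `mode: "0755"`, so it takes the task default `owner: "{{ item.owner | default(neutron_system_user_name) }}"`, and the directory that will hold `rootwrap.conf` and `rootwrap.d` is owned by the service account. The files themselves are written root-owned by neutron_post_install.yml and `neutron_core_files`, but the owner of a parent directory can still rename or replace entries in it, which weakens the root-only guarantee rootwrap expects for its config and filter paths. Consider adding `owner: "root"` and `group: "root"` to this item, after confirming nothing in the role needs the neutron user to write there; the configs shown elsewhere in this diff are already group-readable at `0640`. The same default applied to the old expression before this commit, what `sudoers.j2` permits is not visible here, and the `with_items` list continues past the end of the hunk.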
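Review bot: `neutron_conf_version_dir` is introduced in vars/main.yml without a comment, although the whole change depends on how it differs from `neutron_conf_dir`. I would add a comment above it, for example `# Real directory configs are written to (inside the venv for source installs); neutron_conf_dir is the symlink services read through.` That also explains the `neutron_services` hunks further down, where `service_conf_path` moves to the versioned directory while every `execstarts` line keeps `--config-file {{ neutron_conf_dir }}/...`. Without such a comment, a later edit could easily "fix" the apparent mismatch and reintroduce the upgrade gap described in the commit message.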
@@ -348,7 +349,7 @@ neutron_services: group: neutron_dhcp_agent service_name: neutron-dhcp-agent service_en: "{{ neutron_dhcp | bool }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: dhcp_agent.ini service_rootwrap: rootwrap.d/dhcp.filters execstarts: "{{ neutron_bin }}/neutron-dhcp-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini" @@ -360,7 +361,7 @@ neutron_services: group: neutron_openvswitch_agent service_name: neutron-openvswitch-agent service_en: "{{ neutron_plugin_type in ['ml2.ovs', 'ml2.ovs.dvr'] }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: plugins/ml2/openvswitch_agent.ini service_rootwrap: rootwrap.d/openvswitch-plugin.filters execstarts: "{{ neutron_bin }}/neutron-openvswitch-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini" @@ -372,7 +373,7 @@ neutron_services: group: neutron_linuxbridge_agent service_name: neutron-linuxbridge-agent service_en: "{{ neutron_plugin_type == 'ml2.lxb' }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: plugins/ml2/linuxbridge_agent.ini service_rootwrap: rootwrap.d/linuxbridge-plugin.filters execstarts: "{{ neutron_bin }}/neutron-linuxbridge-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini" 
@@ -384,7 +385,7 @@ neutron_services: group: neutron_metadata_agent service_name: neutron-metadata-agent service_en: "{{ neutron_metadata | bool }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: metadata_agent.ini execstarts: "{{ neutron_bin }}/neutron-metadata-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini" config_overrides: "{{ neutron_metadata_agent_ini_overrides }}" @@ -395,7 +396,7 @@ neutron_services: group: neutron_metering_agent service_name: neutron-metering-agent service_en: "{{ neutron_metering | bool }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: metering_agent.ini execstarts: "{{ neutron_bin }}/neutron-metering-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini" config_overrides: "{{ neutron_metering_agent_ini_overrides }}" @@ -407,7 +408,7 @@ neutron_services: group: neutron_l3_agent service_name: neutron-l3-agent service_en: "{{ neutron_l3 | bool }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: l3_agent.ini service_rootwrap: rootwrap.d/l3.filters environment: @@ -421,7 +422,7 @@ neutron_services: group: neutron_bgp_dragent service_name: neutron-bgp-dragent service_en: "{{ neutron_bgp | bool }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: bgp_dragent.ini execstarts: "{{ neutron_bin }}/neutron-bgp-dragent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini" config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}" 
@@ -436,7 +437,7 @@ neutron_services: group: neutron_l3_agent service_name: neutron-vpn-agent service_en: false - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: vpnaas_agent.ini service_rootwrap: rootwrap.d/vpnaas.filters execstarts: "{{ neutron_bin }}/neutron-vpn-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini" @@ -480,7 +481,7 @@ neutron_services: group: neutron_sriov_nic_agent service_name: neutron-sriov-nic-agent service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: plugins/ml2/sriov_nic_agent.ini execstarts: "{{ neutron_bin }}/neutron-sriov-nic-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini" config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}" @@ -499,7 +500,7 @@ neutron_services: systemd_group_name: root service_name: neutron-ovn-metadata-agent service_en: "{{ neutron_plugin_type == 'ml2.ovn' }}" - service_conf_path: "{{ neutron_conf_dir }}" + service_conf_path: "{{ neutron_conf_version_dir }}" service_conf: neutron_ovn_metadata_agent.ini service_rootwrap: rootwrap.d/ovn-plugin.filters execstarts: "{{ neutron_bin }}/neutron-ovn-metadata-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/neutron_ovn_metadata_agent.ini" 
@@ -543,11 +544,11 @@ neutron_role_project_group: neutron_all neutron_core_files: - tmp_f: "/tmp/api-paste.ini.original" - target_f: "{{ neutron_conf_dir }}/api-paste.ini" + target_f: "{{ neutron_conf_version_dir }}/api-paste.ini" config_overrides: "{{ _neutron_api_paste_ini_overrides | combine(neutron_api_paste_ini_overrides, recursive=True) }}" config_type: "ini" - tmp_f: "/tmp/rootwrap.conf.original" - target_f: "{{ neutron_conf_dir }}/rootwrap.conf" + target_f: "{{ neutron_conf_version_dir }}/rootwrap.conf" config_overrides: "{{ _neutron_rootwrap_conf_overrides | combine(neutron_rootwrap_conf_overrides, recursive=True) }}" config_type: "ini" owner: "root"
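Review bot: Both `neutron_core_files` entries stage their originals under fixed names in `/tmp` (`/tmp/api-paste.ini.original` and `/tmp/rootwrap.conf.original`), and the second feeds the root-owned `rootwrap.conf` that this hunk now writes into `{{ neutron_conf_version_dir }}`. A predictable file name in a world-writable directory is a weak starting point for content that ends up steering a root helper, since another local account on that host could create the path first. How `tmp_f` is populated, and on which host, is outside this hunk, so this may already be handled. If it is not, a per-run directory from the `tempfile` module with mode `0700` would remove the shared path. The `tmp_f` lines are unchanged context and were not introduced by this commit.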