Change task ordering to perform smooth upgrades

Currently we symlink /etc/neutron to empty directory at pre-stage,
and filling it with config only during post_install. This means,
that policies and rootwrap filters are not working properly until
playbook execution finish. Additionally, we replace sudoers file
with new path in it, which makes current operations impossible for
the service, since rootwrap can not gain sudo privileges.

With this change we move symlinking and rootwrap steps to handlers,
which means that we will do replace configs while service is stopped.

During post_install we place all of the configs inside the venv,
which is versioned at the moment.

This way we minimise downtime of the service while performing upgrades

Change-Id: I6d1686ab79647acfc086f21864bde14c8a1a1a49

handlers/main.yml

@@ -70,6 +70,30 @@
     - "Restart neutron services"
     - "venv changed"
 
+- name: Symlink neutron config directory
+  file:
+    # NOTE(cloudnull): The "src" path is relative. This ensures all files remain
+    #                  within the host/container confines when connecting to
+    #                  them using the connection plugin or the root filesystem.
+    src: "{{ neutron_conf_version_dir | regex_replace('^/', '../') }}"
+    dest: "{{ neutron_conf_dir }}"
+    state: link
+    force: true
+  when: neutron_install_method == 'source'
+  listen:
+    - "venv changed"
+
+- name: Drop sudoers file
+  template:
+    src: "sudoers.j2"
+    dest: "/etc/sudoers.d/{{ neutron_system_user_name }}_sudoers"
+    mode: "0440"
+    owner: "root"
+    group: "root"
+  listen:
+    - "Restart neutron services"
+    - "venv changed"
+
 - name: Perform a DB contract
   command: "{{ neutron_bin }}/neutron-db-manage upgrade --contract"
   become: yes

tasks/neutron_db_setup.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Perform a DB expand
-  command: "{{ neutron_bin }}/neutron-db-manage upgrade --expand"
+  command: "{{ neutron_bin }}/neutron-db-manage --config-file {{ neutron_conf_version_dir }}/neutron.conf upgrade --expand"
   become: yes
   become_user: "{{ neutron_system_user_name }}"
   when:
@@ -29,7 +29,7 @@
     value: "False"
 
 - name: Check for available offline migrations
-  command: "{{ neutron_bin }}/neutron-db-manage has_offline_migrations"
+  command: "{{ neutron_bin }}/neutron-db-manage --config-file {{ neutron_conf_version_dir }}/neutron.conf has_offline_migrations"
   environment:
     LANGUAGE: en_US.UTF-8
   become: yes

tasks/neutron_post_install.yml

@@ -21,11 +21,11 @@
     group: "{{ item.group|default(neutron_system_group_name) }}"
     mode: "{{ item.mode | default(omit) }}"
   with_items:
-    - path: "{{ neutron_conf_dir }}/plugins"
+    - path: "{{ neutron_conf_version_dir }}/plugins"
       mode: "0750"
-    - path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}"
+    - path: "{{ neutron_conf_version_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}"
       mode: "0750"
-    - path: "{{ neutron_conf_dir }}/rootwrap.d"
+    - path: "{{ neutron_conf_version_dir }}/rootwrap.d"
       owner: "root"
       group: "root"
 
@@ -34,7 +34,7 @@
 - name: Copy extra neutron rootwrap filters
   copy:
     src: "{{ item }}"
-    dest: "{{ neutron_conf_dir }}/rootwrap.d/"
+    dest: "{{ neutron_conf_version_dir }}/rootwrap.d/"
     owner: "root"
     group: "root"
   with_fileglob:
@@ -53,11 +53,11 @@
     config_type: "{{ item.config_type }}"
   with_items:
     - src: "neutron.conf.j2"
-      dest: "{{ neutron_conf_dir }}/neutron.conf"
+      dest: "{{ neutron_conf_version_dir }}/neutron.conf"
       config_overrides: "{{ neutron_neutron_conf_overrides }}"
       config_type: "ini"
     - src: "{{ neutron_plugins[neutron_plugin_type].plugin_ini }}.j2"
-      dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}"
+      dest: "{{ neutron_conf_version_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }}"
       config_overrides: "{{ neutron_plugins[neutron_plugin_type].plugin_conf_ini_overrides }}"
       config_type: "ini"
   notify:
@@ -66,7 +66,7 @@
 - name: Implement policy.yaml if there are overrides configured
   config_template:
     content: "{{ neutron_policy_overrides }}"
-    dest: "{{ neutron_conf_dir }}/policy.yaml"
+    dest: "{{ neutron_conf_version_dir }}/policy.yaml"
     owner: "root"
     group: "{{ neutron_system_group_name }}"
     mode: "0640"
@@ -88,7 +88,7 @@
 - name: Place api-paste.ini to the correct path in RedHat
   file:
     src: "/usr/share/neutron/api-paste.ini"
-    dest: "{{ neutron_conf_dir }}/api-paste.ini"
+    dest: "{{ neutron_conf_version_dir }}/api-paste.ini"
     owner: "root"
     group: "{{ neutron_system_group_name }}"
     mode: "0640"
@@ -141,7 +141,7 @@
 # NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
 - name: Set rootwrap.d permissions
   file:
-    path: "{{ neutron_conf_dir }}/rootwrap.d"
+    path: "{{ neutron_conf_version_dir }}/rootwrap.d"
     owner: "root"
     group: "root"
     mode: "0640"
@@ -150,7 +150,7 @@
 - name: Copy neutron ml2 plugin config
   config_template:
     src: "{{ ('plugin_conf_bare' not in neutron_plugins[item]) | ternary(neutron_plugins[item].plugin_ini ~ '.j2', omit) }}"
-    dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
+    dest: "{{ neutron_conf_version_dir }}/{{ neutron_plugins[item].plugin_ini }}"
     owner: "root"
     group: "{{ neutron_system_group_name }}"
     mode: "0640"
@@ -161,7 +161,7 @@
 - name: Generate neutron dnsmasq Config
   template:
     src: "dnsmasq-neutron.conf.j2"
-    dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
+    dest: "{{ neutron_conf_version_dir }}/dnsmasq-neutron.conf"
     owner: "root"
     group: "{{ neutron_system_group_name }}"
     mode: "0640"
@@ -189,7 +189,7 @@
 - name: Generate neutron bgpvpn networking configuration
   template:
     src: "networking_bgpvpn.conf.j2"
-    dest: "{{ neutron_conf_dir }}/networking_bgpvpn.conf"
+    dest: "{{ neutron_conf_version_dir }}/networking_bgpvpn.conf"
     owner: "root"
     group: "{{ neutron_system_group_name }}"
     mode: "0640"

tasks/neutron_pre_install.yml

@@ -53,29 +53,18 @@
 - name: Create neutron dir
   file:
     path: "{{ item.path | default(omit) }}"
-    src: "{{ item.src | default(omit) }}"
-    dest: "{{ item.dest | default(omit) }}"
     state: "{{ item.state | default('directory') }}"
     owner: "{{ item.owner | default(neutron_system_user_name) }}"
     group: "{{ item.group | default(neutron_system_group_name) }}"
     mode: "{{ item.mode | default(omit) }}"
-    force: "{{ item.force | default(omit) }}"
   when:
     - (item.condition | default(true)) | bool
   with_items:
     - path: "/openstack"
       owner: "root"
       group: "root"
-    - path: "{{ (neutron_install_method == 'distro') | ternary(neutron_conf_dir, (neutron_bin | dirname) + '/etc/neutron') }}"
+    - path: "{{ neutron_conf_version_dir }}"
       mode: "0755"
-    # NOTE(cloudnull): The "src" path is relative. This ensures all files remain
-    #                  within the host/container confines when connecting to
-    #                  them using the connection plugin or the root filesystem.
-    - dest: "{{ neutron_conf_dir }}"
-      src: "{{ neutron_bin | dirname | regex_replace('^/', '../') }}/etc/neutron"
-      state: link
-      force: true
-      condition: "{{ neutron_install_method == 'source' }}"
     - path: "/etc/sudoers.d"
       mode: "0750"
       owner: "root"
@@ -87,14 +76,6 @@
       mode: "0755"
     - path: "{{ neutron_system_home_folder }}/ha_confs"
 
-- name: Drop sudoers file
-  template:
-    src: "sudoers.j2"
-    dest: "/etc/sudoers.d/{{ neutron_system_user_name }}_sudoers"
-    mode: "0440"
-    owner: "root"
-    group: "root"
-
 - name: Add dependency repos for Neutron
   package:
     name: "{{ neutron_repos }}"

vars/main.yml

@@ -122,6 +122,7 @@ neutron_venv_packages: >-
 ###
 
 neutron_conf_dir: /etc/neutron
+neutron_conf_version_dir: "{{ (neutron_install_method == 'distro') | ternary(neutron_conf_dir, (neutron_bin | dirname) + '/etc/neutron') }}"
 neutron_lock_path: "/var/lock/neutron"
 neutron_system_user_name: neutron
 neutron_system_group_name: neutron
@@ -348,7 +349,7 @@ neutron_services:
     group: neutron_dhcp_agent
     service_name: neutron-dhcp-agent
     service_en: "{{ neutron_dhcp | bool }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: dhcp_agent.ini
     service_rootwrap: rootwrap.d/dhcp.filters
     execstarts: "{{ neutron_bin }}/neutron-dhcp-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini"
@@ -360,7 +361,7 @@ neutron_services:
     group: neutron_openvswitch_agent
     service_name: neutron-openvswitch-agent
     service_en: "{{ neutron_plugin_type in ['ml2.ovs', 'ml2.ovs.dvr'] }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: plugins/ml2/openvswitch_agent.ini
     service_rootwrap: rootwrap.d/openvswitch-plugin.filters
     execstarts: "{{ neutron_bin }}/neutron-openvswitch-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini"
@@ -372,7 +373,7 @@ neutron_services:
     group: neutron_linuxbridge_agent
     service_name: neutron-linuxbridge-agent
     service_en: "{{ neutron_plugin_type == 'ml2.lxb' }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: plugins/ml2/linuxbridge_agent.ini
     service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
     execstarts: "{{ neutron_bin }}/neutron-linuxbridge-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini"
@@ -384,7 +385,7 @@ neutron_services:
     group: neutron_metadata_agent
     service_name: neutron-metadata-agent
     service_en: "{{ neutron_metadata | bool }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: metadata_agent.ini
     execstarts: "{{ neutron_bin }}/neutron-metadata-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini"
     config_overrides: "{{ neutron_metadata_agent_ini_overrides }}"
@@ -395,7 +396,7 @@ neutron_services:
     group: neutron_metering_agent
     service_name: neutron-metering-agent
     service_en: "{{ neutron_metering | bool }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: metering_agent.ini
     execstarts: "{{ neutron_bin }}/neutron-metering-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini"
     config_overrides: "{{ neutron_metering_agent_ini_overrides }}"
@@ -407,7 +408,7 @@ neutron_services:
     group: neutron_l3_agent
     service_name: neutron-l3-agent
     service_en: "{{ neutron_l3 | bool }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: l3_agent.ini
     service_rootwrap: rootwrap.d/l3.filters
     environment:
@@ -421,7 +422,7 @@ neutron_services:
     group: neutron_bgp_dragent
     service_name: neutron-bgp-dragent
     service_en: "{{ neutron_bgp | bool }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: bgp_dragent.ini
     execstarts: "{{ neutron_bin }}/neutron-bgp-dragent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini"
     config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}"
@@ -436,7 +437,7 @@ neutron_services:
     group: neutron_l3_agent
     service_name: neutron-vpn-agent
     service_en: false
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: vpnaas_agent.ini
     service_rootwrap: rootwrap.d/vpnaas.filters
     execstarts: "{{ neutron_bin }}/neutron-vpn-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini"
@@ -480,7 +481,7 @@ neutron_services:
     group: neutron_sriov_nic_agent
     service_name: neutron-sriov-nic-agent
     service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: plugins/ml2/sriov_nic_agent.ini
     execstarts: "{{ neutron_bin }}/neutron-sriov-nic-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini"
     config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}"
@@ -499,7 +500,7 @@ neutron_services:
     systemd_group_name: root
     service_name: neutron-ovn-metadata-agent
     service_en: "{{ neutron_plugin_type == 'ml2.ovn' }}"
-    service_conf_path: "{{ neutron_conf_dir }}"
+    service_conf_path: "{{ neutron_conf_version_dir }}"
     service_conf: neutron_ovn_metadata_agent.ini
     service_rootwrap: rootwrap.d/ovn-plugin.filters
     execstarts: "{{ neutron_bin }}/neutron-ovn-metadata-agent --config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/neutron_ovn_metadata_agent.ini"
@@ -543,11 +544,11 @@ neutron_role_project_group: neutron_all
 
 neutron_core_files:
   - tmp_f: "/tmp/api-paste.ini.original"
-    target_f: "{{ neutron_conf_dir }}/api-paste.ini"
+    target_f: "{{ neutron_conf_version_dir }}/api-paste.ini"
     config_overrides: "{{ _neutron_api_paste_ini_overrides | combine(neutron_api_paste_ini_overrides, recursive=True) }}"
     config_type: "ini"
   - tmp_f: "/tmp/rootwrap.conf.original"
-    target_f: "{{ neutron_conf_dir }}/rootwrap.conf"
+    target_f: "{{ neutron_conf_version_dir }}/rootwrap.conf"
     config_overrides: "{{ _neutron_rootwrap_conf_overrides | combine(neutron_rootwrap_conf_overrides, recursive=True) }}"
     config_type: "ini"
     owner: "root"