diff --git a/files/rootwrap.d/api-metadata.filters b/files/rootwrap.d/api-metadata.filters deleted file mode 100644 index 1aa6f83e..00000000 --- a/files/rootwrap.d/api-metadata.filters +++ /dev/null @@ -1,13 +0,0 @@ -# nova-rootwrap command filters for api-metadata nodes -# This is needed on nova-api hosts running with "metadata" in enabled_apis -# or when running nova-api-metadata -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... -iptables-save: CommandFilter, iptables-save, root -ip6tables-save: CommandFilter, ip6tables-save, root - -# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-restore: CommandFilter, ip6tables-restore, root diff --git a/files/rootwrap.d/compute.filters b/files/rootwrap.d/compute.filters deleted file mode 100644 index 0ef8c901..00000000 --- a/files/rootwrap.d/compute.filters +++ /dev/null 
@@ -1,158 +0,0 @@ -# nova-rootwrap command filters for compute nodes -# This file should be owned by (and only-writeable by) the root user - -[Filters] - -# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path -# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device -blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* - -# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev -# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. -# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. -# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. -# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) -# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] -# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge -# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. -# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. -# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' -# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' -# nova/network/linux_net.py: 'ip', 'route', 'add', .. -# nova/network/linux_net.py: 'ip', 'route', 'del', . 
-# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev -ip: CommandFilter, ip, root - -# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev -# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev -tunctl: CommandFilter, tunctl, root - -# nova/virt/libvirt/vif.py: 'ovs-vsctl', ... -# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... -# nova/network/linux_net.py: 'ovs-vsctl', .... -ovs-vsctl: CommandFilter, ovs-vsctl, root - -# nova/network/linux_net.py: 'ivs-ctl', .... -ivs-ctl: CommandFilter, ivs-ctl, root - -# nova/network/linux_net.py: 'ovs-ofctl', .... -ovs-ofctl: CommandFilter, ovs-ofctl, root - -# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ... -iscsiadm: CommandFilter, iscsiadm, root - -# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev -# nova/virt/libvirt/volume/aoe.py: 'aoe-discover' -aoe-revalidate: CommandFilter, aoe-revalidate, root -aoe-discover: CommandFilter, aoe-discover, root - -# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path -pygrub: CommandFilter, pygrub, root - -# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s -fdisk: CommandFilter, fdisk, root - -# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path -# nova/virt/disk/api.py: e2fsck, -f, -p, image -e2fsck: CommandFilter, e2fsck, root - -# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path -# nova/virt/disk/api.py: resize2fs, image -resize2fs: CommandFilter, resize2fs, root - -# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... -iptables-save: CommandFilter, iptables-save, root -ip6tables-save: CommandFilter, ip6tables-save, root - -# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... -# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. 
-arping: CommandFilter, arping, root - -# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address -dhcp_release: CommandFilter, dhcp_release, root - -# nova/network/linux_net.py: 'kill', '-9', pid -# nova/network/linux_net.py: 'kill', '-HUP', pid -kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP - -# nova/network/linux_net.py: 'kill', pid -kill_radvd: KillFilter, root, /usr/sbin/radvd - -# nova/network/linux_net.py: dnsmasq call -dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq - -# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. -radvd: CommandFilter, radvd, root - -# nova/network/linux_net.py: 'brctl', 'addbr', bridge -# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 -# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' -# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface -brctl: CommandFilter, brctl, root - -# nova/virt/libvirt/utils.py: 'mkswap' -# nova/virt/xenapi/vm_utils.py: 'mkswap' -mkswap: CommandFilter, mkswap, root - -# nova/virt/xenapi/vm_utils.py: 'mkfs' -# nova/utils.py: 'mkfs', fs, path, label -mkfs: CommandFilter, mkfs, root - -# nova/virt/libvirt/utils.py: 'qemu-img' -qemu-img: CommandFilter, qemu-img, root - -# nova/virt/disk/api.py: -mkfs.ext3: CommandFilter, mkfs.ext3, root -mkfs.ext4: CommandFilter, mkfs.ext4, root -mkfs.ntfs: CommandFilter, mkfs.ntfs, root - -# os-brick needed commands -read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi -multipath: CommandFilter, multipath, root -# multipathd show status -multipathd: CommandFilter, multipathd, root -systool: CommandFilter, systool, root -vgc-cluster: CommandFilter, vgc-cluster, root -# os_brick/initiator/connector.py -drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid - -# TODO(smcginnis) Temporary fix. -# Need to pull in os-brick os-brick.filters file instead and clean -# out stale brick values from this file. 
-scsi_id: CommandFilter, /lib/udev/scsi_id, root -# os_brick.privileged.default oslo.privsep context -# This line ties the superuser privs with the config files, context name, -# and (implicitly) the actual python code invoked. -privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* - -privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.* - -# nova/virt/libvirt/storage/dmcrypt.py: -cryptsetup: CommandFilter, cryptsetup, root - -# nova/virt/xenapi/vm_utils.py: -xenstore-read: CommandFilter, xenstore-read, root - -# nova/virt/libvirt/utils.py: -rbd: CommandFilter, rbd, root - -# nova/virt/libvirt/volume/volume.py: 'cp', '/dev/stdin', delete_control.. -cp: CommandFilter, cp, root - -# nova/virt/xenapi/vm_utils.py: -sync: CommandFilter, sync, root - -# nova/virt/libvirt/volume/vzstorage.py -pstorage-mount: CommandFilter, pstorage-mount, root diff --git a/files/rootwrap.d/network.filters b/files/rootwrap.d/network.filters deleted file mode 100644 index 52b7130e..00000000 --- a/files/rootwrap.d/network.filters +++ /dev/null 
@@ -1,91 +0,0 @@ -# nova-rootwrap command filters for network nodes -# This file should be owned by (and only-writeable by) the root user - -[Filters] -# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' -# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev -# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i.. -# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'.. -# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',.. -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',.. -# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev) -# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1] -# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge -# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', .. -# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',.. -# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ... -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,.. -# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up' -# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up' -# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, .. -# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up' -# nova/network/linux_net.py: 'ip', 'route', 'add', .. -# nova/network/linux_net.py: 'ip', 'route', 'del', . -# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev -ip: CommandFilter, ip, root - -# nova/virt/libvirt/vif.py: 'ovs-vsctl', ... -# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ... -# nova/network/linux_net.py: 'ovs-vsctl', .... -ovs-vsctl: CommandFilter, ovs-vsctl, root - -# nova/network/linux_net.py: 'ovs-ofctl', .... 
-ovs-ofctl: CommandFilter, ovs-ofctl, root - -# nova/virt/libvirt/vif.py: 'ivs-ctl', ... -# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ... -# nova/network/linux_net.py: 'ivs-ctl', .... -ivs-ctl: CommandFilter, ivs-ctl, root - -# nova/virt/libvirt/vif.py: 'ifc_ctl', ... -ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root - -# nova/network/linux_net.py: 'ebtables', '-D' ... -# nova/network/linux_net.py: 'ebtables', '-I' ... -ebtables: CommandFilter, ebtables, root -ebtables_usr: CommandFilter, ebtables, root - -# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ... -iptables-save: CommandFilter, iptables-save, root -ip6tables-save: CommandFilter, ip6tables-save, root - -# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,) -iptables-restore: CommandFilter, iptables-restore, root -ip6tables-restore: CommandFilter, ip6tables-restore, root - -# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ... -# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],.. -arping: CommandFilter, arping, root - -# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address -dhcp_release: CommandFilter, dhcp_release, root - -# nova/network/linux_net.py: 'kill', '-9', pid -# nova/network/linux_net.py: 'kill', '-HUP', pid -kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP - -# nova/network/linux_net.py: 'kill', pid -kill_radvd: KillFilter, root, /usr/sbin/radvd - -# nova/network/linux_net.py: dnsmasq call -dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq - -# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'.. -radvd: CommandFilter, radvd, root - -# nova/network/linux_net.py: 'brctl', 'addbr', bridge -# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0 -# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off' -# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface -brctl: CommandFilter, brctl, root - -# nova/network/linux_net.py: 'sysctl', .... 
-sysctl: CommandFilter, sysctl, root - -# nova/network/linux_net.py: 'conntrack' -conntrack: CommandFilter, conntrack, root - -# nova/network/linux_net.py: 'fp-vdev' -fp-vdev: CommandFilter, fp-vdev, root diff --git a/handlers/main.yml b/handlers/main.yml index 0bd288f3..5107c76c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -35,26 +35,6 @@ - "Restart nova services" - "venv changed" -# Note (odyssey4me): -# The policy.json file is currently read continually by the services -# and is not only read on service start. We therefore cannot template -# directly to the file read by the service because the new policies -# may not be valid until the service restarts. This is particularly -# important during a major upgrade. We therefore only put the policy -# file in place after the service has been stopped. -# -- name: Copy new policy file into place - copy: - src: "/etc/nova/policy.json-{{ nova_venv_tag }}" - dest: "/etc/nova/policy.json" - owner: "root" - group: "{{ nova_system_group_name }}" - mode: "0640" - remote_src: yes - listen: - - "Restart nova services" - - "venv changed" - - name: Start services service: name: "{{ item.service_name }}" diff --git a/tasks/nova_post_install.yml b/tasks/nova_post_install.yml index 9225fecb..530d3483 100644 --- a/tasks/nova_post_install.yml +++ b/tasks/nova_post_install.yml 
@@ -25,42 +25,19 @@ - nova-config - nova-post-install -- name: Generate nova config - config_template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "root" +# NOTE(cloudnull): This task is required to copy rootwrap filters that we need +# and nova does not provide by default. +- name: Create aux nova dir + file: + path: "{{ item.path | default(omit) }}" + state: "directory" + owner: "{{ item.owner|default(nova_system_user_name) }}" group: "{{ item.group|default(nova_system_group_name) }}" - mode: "0640" - config_overrides: "{{ item.config_overrides }}" - config_type: "{{ item.config_type }}" + mode: "{{ item.mode | default(omit) }}" with_items: - - src: "nova.conf.j2" - dest: "/etc/nova/nova.conf" - config_overrides: "{{ nova_nova_conf_overrides }}" - config_type: "ini" - - src: "rootwrap.conf.j2" - dest: "/etc/nova/rootwrap.conf" - config_overrides: "{{ nova_rootwrap_conf_overrides }}" - config_type: "ini" - - src: "api-paste.ini.j2" - dest: "/etc/nova/api-paste.ini" - config_overrides: "{{ nova_api_paste_ini_overrides }}" - config_type: "ini" - - src: "vendor_data.json.j2" - dest: "/etc/nova/vendor_data.json" - config_overrides: "{{ nova_vendor_data_overrides }}" - config_type: "json" - - src: "policy.json.j2" - dest: "/etc/nova/policy.json-{{ nova_venv_tag }}" - config_overrides: "{{ nova_policy_overrides }}" - config_type: "json" - notify: - - Manage LB - - Restart nova services - tags: - - nova-config - - nova-post-install + - path: "/etc/nova/rootwrap.d" + owner: "root" + group: "root" - name: Copy nova rootwrap filter config copy: 
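Review bot: The new "Create aux nova dir" task leaves the mode of `/etc/nova/rootwrap.d` unmanaged, because its only item sets owner and group and `mode` falls back to `default(omit)`. The entry this replaces in tasks/nova_pre_install.yml received `0755` from that task's default, and rootwrap only works as a privilege boundary while its filter directories are writable by root alone, so an existing directory with looser permissions would be left untouched. Add `mode: "0755"` to the item. The NOTE above the task says it copies filters, while the task only creates the directory; `# Create the root-owned directory that holds the extra rootwrap filters.` would describe it accurately. The "Copy nova rootwrap filter config" task that follows continues outside the hunk.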
@@ -77,6 +54,78 @@ - nova-config - nova-post-install +- name: Generate nova config + config_template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "root" + group: "{{ item.group|default(nova_system_group_name) }}" + mode: "0640" + config_overrides: "{{ item.config_overrides }}" + config_type: "{{ item.config_type }}" + with_items: + - src: "nova.conf.j2" + dest: "/etc/nova/nova.conf" + config_overrides: "{{ nova_nova_conf_overrides }}" + config_type: "ini" + - src: "vendor_data.json.j2" + dest: "/etc/nova/vendor_data.json" + config_overrides: "{{ nova_vendor_data_overrides }}" + config_type: "json" + notify: + - Manage LB + - Restart nova services + tags: + - nova-config + - nova-post-install + +- name: Implement policy.json if there are overrides configured + copy: + content: "{{ nova_policy_overrides | to_nice_json }}" + dest: "/etc/nova/policy.json" + when: + - nova_policy_overrides != {} + +# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source +# because we only want to copy the original files once. and we +# don't want to need multiple tasks. 
+- name: Preserve original configuration file(s) + command: "cp {{ item.target_f }} {{ item.target_f }}.original" + args: + creates: "{{ item.target_f }}.original" + with_items: "{{ nova_core_files }}" + +- name: Fetch override files + fetch: + src: "{{ item.target_f }}" + dest: "{{ item.tmp_f }}" + flat: yes + changed_when: false + run_once: true + with_items: "{{ nova_core_files }}" + +- name: Copy common config + config_template: + src: "{{ item.tmp_f }}" + dest: "{{ item.target_f }}" + owner: "root" + group: "{{ item.group | default(nova_system_group_name) }}" + mode: "0640" + config_overrides: "{{ item.config_overrides }}" + config_type: "{{ item.config_type }}" + with_items: "{{ nova_core_files }}" + notify: + - Restart nova services + +- name: Cleanup fetched temp files + file: + path: "{{ item.tmp_f }}" + state: absent + changed_when: false + delegate_to: localhost + run_once: true + with_items: "{{ nova_core_files }}" + - name: Remove nova-compute config file: path: /etc/nova/nova-compute.conf diff --git a/tasks/nova_pre_install.yml b/tasks/nova_pre_install.yml index 1c540cab..26311ed2 100644 --- a/tasks/nova_pre_install.yml +++ b/tasks/nova_pre_install.yml 
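Review bot: "Fetch override files" stages `api-paste.ini` and `rootwrap.conf` at fixed names under `/tmp` on the deploy host (the `tmp_f` values added in vars/main.yml), and "Copy common config" then renders those files onto every host as root-owned configuration. On a shared deploy host another local user can pre-create or swap those paths, and two concurrent runs overwrite each other; a per-run private directory from the `tempfile` module avoids both. The fetch also reads `target_f` rather than the `.original` copy that the previous task preserves, so a second run appears to start from the already-rendered file and overrides that were since removed would stay in place. Separately, the `policy.json` copy task sets no ownership or mode where the removed handler used root, the nova group and 0640; add `owner: "root"`, `group: "{{ nova_system_group_name }}"` and `mode: "0640"`.

```yaml
- name: Create a private staging directory on the deploy host
  tempfile:
    state: directory
    prefix: "nova-core-files-"
  register: nova_core_files_stage
  delegate_to: localhost
  run_once: true

- name: Fetch override files
  fetch:
    src: "{{ item.target_f }}.original"
    dest: "{{ nova_core_files_stage.path }}/{{ item.target_f | basename }}"
    flat: yes
  # … unchanged: changed_when, run_once, with_items …

- name: Copy common config
  config_template:
    src: "{{ nova_core_files_stage.path }}/{{ item.target_f | basename }}"
    # … unchanged: dest, owner, group, mode, overrides, with_items, notify …

# … "Cleanup fetched temp files" then removes nova_core_files_stage.path once …
```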
@@ -61,28 +61,68 @@ tags: - nova-dirs +# NOTE(cloudnull): During an upgrade the local directory may exist on a source +# install. If the directory does exist it will need to be +# removed. This is required on source installs because the +# config directory is a link. +- name: Source config block + block: + - name: Stat config directory + stat: + path: "/etc/nova" + register: nova_conf_dir_stat + + - name: Remove the config directory + file: + path: "/etc/nova" + state: absent + when: + - nova_conf_dir_stat.stat.isdir is defined and + nova_conf_dir_stat.stat.isdir + when: + - nova_install_method == 'source' + - name: Create nova dir file: - path: "{{ item.path }}" - state: directory + path: "{{ item.path | default(omit) }}" + src: "{{ item.src | default(omit) }}" + dest: "{{ item.dest | default(omit) }}" + state: "{{ item.state | default('directory') }}" owner: "{{ item.owner|default(nova_system_user_name) }}" group: "{{ item.group|default(nova_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + mode: "{{ item.mode | default('0755') }}" + force: "{{ item.force | default(omit) }}" when: - - "item.path not in nova_mount_points" + - (item.condition | default(true)) | bool + - item.path not in nova_mount_points with_items: - - { path: "/openstack", owner: "root", group: "root" } - - { path: "/etc/nova", mode: "0750" } - - { path: "/etc/nova/rootwrap.d", owner: "root", group: "root" } - - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - - { path: "/var/cache/nova" } - - { path: "{{ nova_system_home_folder }}" } - - { path: "{{ nova_system_home_folder }}/.ssh", mode: "0700" } - - { path: "{{ nova_system_home_folder }}/cache/api" } - - { path: "{{ nova_system_home_folder }}/instances" } - - { path: "{{ nova_libvirt_save_path }}", mode: "0750" } - - { path: "{{ nova_lock_path }}" } - - { path: "/var/run/nova" } + - path: "/openstack" + owner: "root" + group: "root" + - path: "{{ (nova_install_method == 'distro') | ternary('/etc/nova', 
(nova_bin | dirname) + '/etc/nova') }}" + mode: "0755" + # NOTE(cloudnull): The "src" path is relative. This ensures all files remain + # within the host/container confines when connecting to + # them using the connection plugin or the root filesystem. + - dest: "/etc/nova" + src: "{{ nova_bin | dirname | regex_replace('^/', '../') }}/etc/nova" + state: link + force: true + condition: "{{ nova_install_method == 'source' }}" + - path: "/etc/sudoers.d" + mode: "0750" + owner: "root" + group: "root" + - path: "/var/cache/nova" + - path: "{{ nova_system_home_folder }}" + - path: "{{ nova_system_home_folder }}/.ssh" + mode: "0700" + - path: "{{ nova_system_home_folder }}/cache/api" + - path: "{{ nova_system_home_folder }}/instances" + - path: "{{ nova_libvirt_save_path }}" + mode: "0750" + - path: "{{ nova_lock_path }}" + - path: "/var/run/nova" tags: - nova-dirs diff --git a/templates/api-paste.ini.j2 b/templates/api-paste.ini.j2 deleted file mode 100644 index 8bde418b..00000000 --- a/templates/api-paste.ini.j2 +++ /dev/null 
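Review bot: The nova configuration directory is now created with `mode: "0755"` where the removed entry used `{ path: "/etc/nova", mode: "0750" }`, so any file in it that is not explicitly restricted becomes readable by every local user; keep `mode: "0750"` unless the wider mode is needed. The new link item has `dest` and `src` but no `path`, while the task's second condition is `item.path not in nova_mount_points`. On a source install that expression references an undefined key and is likely to fail; `(item.path | default(item.dest)) not in nova_mount_points` would cover both item shapes. "Remove the config directory" also deletes an existing `/etc/nova` outright, so a comment there stating that local edits are discarded on upgrade would help operators.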
@@ -1,84 +0,0 @@ -############ -# Metadata # -############ -[composite:metadata] -use = egg:Paste#urlmap -/: meta - -[pipeline:meta] -pipeline = cors metaapp - -[app:metaapp] -paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory - -############# -# OpenStack # -############# - -[composite:osapi_compute] -use = call:nova.api.openstack.urlmap:urlmap_factory -/: oscomputeversions -# v21 is an exactly feature match for v2, except it has more stringent -# input validation on the wsgi surface (prevents fuzzing early on the -# API). It also provides new features via API microversions which are -# opt into for clients. Unaware clients will receive the same frozen -# v2 API feature set, but with some relaxed validation -/v2: openstack_compute_api_v21_legacy_v2_compatible -/v2.1: openstack_compute_api_v21 - -[composite:openstack_compute_api_v21] -use = call:nova.api.auth:pipeline_factory_v21 -noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21 -keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21 - -[composite:openstack_compute_api_v21_legacy_v2_compatible] -use = call:nova.api.auth:pipeline_factory_v21 -noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21 -keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21 - -[filter:request_log] -paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory - -[filter:compute_req_id] -paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory - -[filter:faultwrap] -paste.filter_factory = nova.api.openstack:FaultWrapper.factory - -[filter:noauth2] -paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory - 
-[filter:osprofiler] -paste.filter_factory = nova.profiler:WsgiMiddleware.factory - -[filter:sizelimit] -paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory - -[filter:http_proxy_to_wsgi] -paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory - -[filter:legacy_v2_compatible] -paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory - -[app:osapi_compute_app_v21] -paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory - -[pipeline:oscomputeversions] -pipeline = cors faultwrap request_log http_proxy_to_wsgi oscomputeversionapp - -[app:oscomputeversionapp] -paste.app_factory = nova.api.openstack.compute.versions:Versions.factory - -########## -# Shared # -########## - -[filter:cors] -paste.filter_factory = oslo_middleware.cors:filter_factory -oslo_config_project = nova - -[filter:keystonecontext] -paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory - -[filter:authtoken] -paste.filter_factory = keystonemiddleware.auth_token:filter_factory diff --git a/templates/policy.json.j2 b/templates/policy.json.j2 deleted file mode 100644 index 2c63c085..00000000 --- a/templates/policy.json.j2 +++ /dev/null @@ -1,2 +0,0 @@ -{ -} diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2 deleted file mode 100644 index 37a3d95c..00000000 --- a/templates/rootwrap.conf.j2 +++ /dev/null 
@@ -1,27 +0,0 @@ -# Configuration for nova-rootwrap -# This file should be owned by (and only-writeable by) the root user - -[DEFAULT] -# List of directories to load filter definitions from (separated by ','). -# These directories MUST all be only writeable by root ! -filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap - -# List of directories to search executables in, in case filters do not -# explicitly specify a full path (separated by ',') -# If not specified, defaults to system PATH environment variable. -# These directories MUST all be only writeable by root ! -exec_dirs={{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin - -# Enable logging to syslog -# Default value is False -use_syslog=False - -# Which syslog facility to use. -# Valid values include auth, authpriv, syslog, local0, local1... -# Default value is 'syslog' -syslog_log_facility=syslog - -# Which messages to log. -# INFO means log all usage -# ERROR means only log unsuccessful attempts -syslog_log_level=ERROR diff --git a/vars/main.yml b/vars/main.yml index 22ef2784..568ed9ba 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -38,3 +38,21 @@ nova_mount_points: |- {% set _ = mps.append(mp.local_path) %} {% endfor %} {{ mps }} + +_nova_rootwrap_conf_overrides: + DEFAULT: + filters_path: "/etc/nova/rootwrap.d,/usr/share/nova/rootwrap" + exec_dirs: "{{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin" + +nova_core_files: + - tmp_f: "/tmp/api-paste.ini" + target_f: "/etc/nova/api-paste.ini" + config_overrides: "{{ nova_api_paste_ini_overrides }}" + config_type: "ini" + - tmp_f: "/tmp/rootwrap.conf" + target_f: "/etc/nova/rootwrap.conf" + config_overrides: "{{ _nova_rootwrap_conf_overrides | combine(nova_rootwrap_conf_overrides, recursive=True) }}" + config_type: "ini" + owner: "root" + group: "{{ nova_system_group_name }}" + mode: "0640"
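Review bot: The `owner: "root"` and `mode: "0640"` keys on the `/etc/nova/rootwrap.conf` entry of `nova_core_files` are never read, because "Copy common config" in tasks/nova_post_install.yml hard-codes `owner: "root"` and `mode: "0640"` and only consults `item.group`. Someone changing the mode here would see no effect, which is an unwelcome surprise for a file that controls what nova may run as root. Either drop the two keys or have the task use `{{ item.owner | default('root') }}` and `{{ item.mode | default('0640') }}`. A comment above `_nova_rootwrap_conf_overrides` such as `# Role defaults for rootwrap.conf; nova_rootwrap_conf_overrides is merged on top and can replace them.` would also record that `filters_path` and `exec_dirs` remain operator-overridable.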