Update paste, policy and rootwrap configurations 2017-12-19

The previously included templates have been moved to the standard
location used in all other roles. This allows the sources-branch-updater
script to automatically place the updated files processed from the
upstream git repositories.

As there is now a rootwrap filter file, the appropriate tasks
to create the directory and to add the file have been
implemented. A little clean-up of syntax of tasks near those
modified have been included.

Finally - to resolve the ansible-lint issue the use of
systemctl has been removed.

Change-Id: I9b64d5e99dc81a6f35d74c0366ee2bbe7d15d327
Jesse Pretorius 2017-12-19 21:18:18 +00:00 committed by Jesse Pretorius (odyssey4me)
parent edc9c555b3
commit f02127ab83
11 changed files with 48 additions and 647 deletions


@ -0,0 +1,10 @@
# tacker-rootwrap command filters for nodes on which tacker is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
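Review bot: The header comment `# format seems to be` leaves the syntax of this file as a guess, yet it is the allow-list that decides what tacker-rootwrap may run as root (the deleted tacker.conf shows it being invoked via `sudo ... tacker-rootwrap`), so the format should be stated definitively. Suggest replacing the last two comment lines with `# One entry per line: name: CommandFilter, /full/path/to/command, run-as-user` and a pointer to the oslo.rootwrap filter documentation. The `[Filters]` section is shipped empty, which means no command is permitted at all; that is a safe default but worth saying in the file, e.g. `# No filters are needed yet; add entries only for commands tacker must run as root`.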


@ -18,8 +18,10 @@
- name: Restart tacker services - name: Restart tacker services
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes
state: restarted state: restarted
pattern: "{{ item }}" pattern: "{{ item }}"
daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
with_items: "{{ tacker_service_names }}" with_items: "{{ tacker_service_names }}"
failed_when: false failed_when: false
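Review bot: `failed_when: false` on this handler now also masks failures of the newly added `enabled: yes` and `daemon_reload`, so a unit that cannot be enabled or restarted after a config change still leaves the play green. If the intent is only to tolerate a unit that does not exist yet on the first run (I cannot tell from the hunk), that should be said in a comment above the line, e.g. `# tolerate units that are not installed yet; a real restart failure is still visible in the log`, and ideally narrowed to that case rather than swallowing every error. The `ternary('yes', omit)` form is fine, though `enabled: yes` next to `failed_when: false` mixes boolean spellings with the rest of the task file.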


@ -38,6 +38,8 @@
mode: "0644" mode: "0644"
owner: "root" owner: "root"
group: "root" group: "root"
notify:
- Restart tacker services
- name: Place the systemd init script - name: Place the systemd init script
template: template:
@ -47,10 +49,6 @@
owner: "root" owner: "root"
group: "root" group: "root"
register: systemd_init register: systemd_init
- name: Reload the systemd daemon
command: "systemctl daemon-reload"
when: systemd_init | changed
notify: notify:
- Restart tacker services - Restart tacker services
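Review bot: `register: systemd_init` on the init-script task looks orphaned now that the `Reload the systemd daemon` task that consumed it (`when: systemd_init | changed`) has been removed in this hunk; unless another task outside the hunk reads it, drop the `register:` line. The reload is presumably now covered by the `daemon_reload` added to the restart handler, which only fires via `notify`, so a changed unit file in a run that never reaches its handlers keeps the stale unit loaded until the next run; a one-line comment on the task noting that daemon-reload is handler-driven would record that. The task's head is outside the hunk.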


@ -41,22 +41,32 @@
config_overrides: "{{ item.config_overrides }}" config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}" config_type: "{{ item.config_type }}"
with_items: with_items:
- src: "etc/tacker/tacker.conf.j2" - src: "tacker.conf.j2"
dest: "{{ tacker_etc_dir }}/tacker.conf" dest: "{{ tacker_etc_dir }}/tacker.conf"
config_overrides: "{{ tacker_tacker_conf_overrides }}" config_overrides: "{{ tacker_tacker_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "etc/tacker/api-paste.ini.j2" - src: "api-paste.ini.j2"
dest: "{{ tacker_etc_dir }}/api-paste.ini" dest: "{{ tacker_etc_dir }}/api-paste.ini"
config_overrides: "{{ tacker_api_paste_ini_overrides }}" config_overrides: "{{ tacker_api_paste_ini_overrides }}"
config_type: "ini" config_type: "ini"
- src: "etc/tacker/rootwrap.conf.j2" - src: "rootwrap.conf.j2"
dest: "{{ tacker_etc_dir}}/rootwrap.conf" dest: "{{ tacker_etc_dir }}/rootwrap.conf"
config_overrides: "{{ tacker_rootwrap_overrides }}" config_overrides: "{{ tacker_rootwrap_overrides }}"
config_type: "ini" config_type: "ini"
- src: "etc/tacker/policy.json.j2" - src: "policy.json.j2"
dest: "{{ tacker_etc_dir }}/policy.json" dest: "{{ tacker_etc_dir }}/policy.json"
config_overrides: "{{ tacker_policy_overrides }}" config_overrides: "{{ tacker_policy_overrides }}"
config_type: "json" config_type: "json"
notify: notify:
- Restart tacker services - Restart tacker services
- name: Copy rootwrap filters
copy:
src: "{{ item }}"
dest: "{{ tacker_etc_dir }}/rootwrap.d/"
owner: "root"
group: "root"
with_fileglob:
- rootwrap.d/*
notify:
- Restart tacker services
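Review bot: The new `Copy rootwrap filters` task sets `owner`/`group` to root but no `mode`, so the permissions of the filter files fall back to whatever the copy module defaults to on the target; since these files define what tacker-rootwrap may execute as root, pin them with `mode: "0644"` the way the config_template task above does. The rootwrap.conf comment elsewhere in this commit already requires the directories involved to be writable only by root, so the file mode should be just as explicit. The rest of the task (root ownership, `with_fileglob` over the role's `rootwrap.d/`) reads fine.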


@ -35,14 +35,21 @@
file: file:
path: "{{ item.path }}" path: "{{ item.path }}"
state: directory state: directory
owner: "{{ item.owner|default(tacker_system_user_name) }}" owner: "{{ item.owner | default(tacker_system_user_name) }}"
group: "{{ item.group|default(tacker_system_group_name) }}" group: "{{ item.group | default(tacker_system_group_name) }}"
mode: "{{ item.mode|default('0755') }}" mode: "{{ item.mode | default('0755') }}"
with_items: with_items:
- { path: "/openstack", mode: "0755", owner: "root", group: "root" } - path: "/openstack"
- { path: "/etc/tacker" } mode: "0755"
- { path: "/var/cache/tacker" } owner: "root"
- { path: "{{ tacker_system_user_home }}" } group: "root"
- path: "{{ tacker_etc_dir }}"
- path: "/var/cache/tacker"
- path: "{{ tacker_system_user_home }}"
- path: "{{ tacker_etc_dir }}/rootwrap.d"
owner: "root"
group: "root"
#- name: Create tacker venv dir #- name: Create tacker venv dir
#file: #file:
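Review bot: The `- path: "{{ tacker_etc_dir }}"` item is created with the default owner `tacker_system_user_name`, while the new `rootwrap.d` entry beneath it is root-owned; the rootwrap trust model expects the directory that holds `rootwrap.conf` and `rootwrap.d` not to be writable by the service account, so consider `owner: "root"` / `group: "root"` on that item as well, with the service user needing only read and execute on it. The deleted tacker.conf shows `vim_keys` defaulting to `/etc/tacker/vim/fernet_keys`, so the service may need to write a subdirectory; a root-owned parent plus a tacker-owned `vim` entry in this list would keep both. If the current ownership is deliberate, a comment on the item explaining why would stop the next reader from tightening it blindly. The task's head is outside the hunk.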


@ -6,7 +6,7 @@ use = egg:Paste#urlmap
[composite:tackerapi_v1_0] [composite:tackerapi_v1_0]
use = call:tacker.auth:pipeline_factory use = call:tacker.auth:pipeline_factory
noauth = request_id catch_errors extensions tackerapiapp_v1_0 noauth = request_id catch_errors extensions tackerapiapp_v1_0
keystone = request_id catch_errors authtoken keystonecontext extensions tackerapiapp_v1_0 keystone = request_id catch_errors alarm_receiver authtoken keystonecontext extensions tackerapiapp_v1_0
[filter:request_id] [filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory paste.filter_factory = oslo_middleware:RequestId.factory
@ -14,6 +14,9 @@ paste.filter_factory = oslo_middleware:RequestId.factory
[filter:catch_errors] [filter:catch_errors]
paste.filter_factory = oslo_middleware:CatchErrors.factory paste.filter_factory = oslo_middleware:CatchErrors.factory
[filter:alarm_receiver]
paste.filter_factory = tacker.alarm_receiver:AlarmReceiver.factory
[filter:keystonecontext] [filter:keystonecontext]
paste.filter_factory = tacker.auth:TackerKeystoneContext.factory paste.filter_factory = tacker.auth:TackerKeystoneContext.factory
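Review bot: `alarm_receiver` is inserted ahead of `authtoken` in the keystone pipeline, so it handles requests before Keystone token validation has run; the deleted tacker.conf shows the receiver has its own `[alarm_auth]` credentials ("From tacker.alarm_receiver"), which is presumably why it must come first, but nothing in the template says so. Add a comment above the `[composite:tackerapi_v1_0]` pipeline, e.g. `# alarm_receiver must precede authtoken: alarm callbacks are checked against [alarm_auth], not a Keystone token`, so the ordering is not "corrected" later. The `noauth` pipeline does not get the filter; if that is intentional, the same comment can say so.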


@ -1,311 +0,0 @@
[DEFAULT]
nova_region_name = RegionOne
nova_api_insecure = False
nova_ca_certificates_file =
nova_admin_auth_url = http://10.18.133.120/identity_v2_admin
nova_admin_tenant_id = service
nova_admin_password = devstack
nova_admin_user_name = nova
nova_url = http://127.0.0.1:8774/v2
auth_strategy = keystone
policy_file = /etc/tacker/policy.json
debug = True
logging_context_format_string = %(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s %(user_name)s %(project_name)s] %(instance)s%(message)s
use_syslog = False
state_path = /opt/stack/data/tacker
transport_url = rabbit://stackrabbit:devstack@10.18.133.120:5672/
#
# From tacker.common.config
#
# The host IP to bind to (string value)
#bind_host = 0.0.0.0
# The port to bind to (integer value)
#bind_port = 9890
# The API paste config file to use (string value)
#api_paste_config = api-paste.ini
# The path for API extensions (string value)
#api_extensions_path =
# The service plugins Tacker will use (list value)
#service_plugins = nfvo,vnfm,commonservices
# The policy file to use (string value)
#policy_file = policy.json
# The type of authentication to use (string value)
#auth_strategy = keystone
# Allow the usage of the bulk API (boolean value)
#allow_bulk = true
# Allow the usage of the pagination (boolean value)
#allow_pagination = false
# Allow the usage of the sorting (boolean value)
#allow_sorting = false
# The maximum number of items returned in a single response, value was
# 'infinite' or negative integer means no limit (string value)
#pagination_max_limit = -1
# The hostname Tacker is running on (string value)
#host = stellarstack-1473375405-000
# URL for connection to nova (string value)
#nova_url = http://127.0.0.1:8774/v2
# Username for connecting to nova in admin context (string value)
#nova_admin_username = <None>
# Password for connection to nova in admin context (string value)
#nova_admin_password = <None>
# The uuid of the admin nova tenant (string value)
#nova_admin_tenant_id = <None>
# Authorization URL for connecting to nova in admin context (string value)
#nova_admin_auth_url = http://localhost:5000/v2.0
# CA file for novaclient to verify server certificates (string value)
#nova_ca_certificates_file = <None>
# If True, ignore any SSL validation issues (boolean value)
#nova_api_insecure = false
# Name of nova region to use. Useful if keystone manages more than one region.
# (string value)
#nova_region_name = <None>
# Where to store Tacker state files. This directory must be writable by the
# agent. (string value)
#state_path = /var/lib/tacker
#
# From tacker.service
#
# Seconds between running periodic tasks (integer value)
#periodic_interval = 40
# Number of separate worker processes for service (integer value)
#api_workers = 0
# Range of seconds to randomly delay when starting the periodic task scheduler
# to reduce stampeding. (Disable by setting to 0) (integer value)
#periodic_fuzzy_delay = 5
#
# From tacker.wsgi
#
# Number of backlog requests to configure the socket with (integer value)
#backlog = 4096
# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not
# supported on OS X. (integer value)
#tcp_keepidle = 600
# Number of seconds to keep retrying to listen (integer value)
#retry_until_window = 30
# Max header line to accommodate large tokens (integer value)
#max_header_line = 16384
# Enable SSL on the API server (boolean value)
#use_ssl = false
# CA certificate file to use to verify connecting clients (string value)
#ssl_ca_file = <None>
# Certificate file to use when starting the server securely (string value)
#ssl_cert_file = <None>
# Private key file to use when starting the server securely (string value)
#ssl_key_file = <None>
[monitor]
#
# From tacker.vnfm.monitor
#
# check interval for monitor (integer value)
#check_intvl = 10
[monitor_http_ping]
#
# From tacker.vnfm.monitor_drivers.http_ping.http_ping
#
# number of times to retry (integer value)
#retry = 5
# number of seconds to wait for a response (integer value)
#timeout = 1
# HTTP port number to send request (integer value)
#port = 80
[monitor_ping]
#
# From tacker.vnfm.monitor_drivers.ping.ping
#
# number of ICMP packets to send (string value)
#count = 1
# number of seconds to wait for a response (string value)
#timeout = 1
# number of seconds to wait between packets (string value)
#interval = 1
[nfvo]
#
# From tacker.nfvo.nfvo_plugin
#
# VIM driver for launching VNFs (list value)
#vim_drivers = openstack
# Interval to check for VIM health (integer value)
#monitor_interval = 30
[nfvo_vim]
default_vim = VIM0
#
# From tacker.vnfm.vim_client
#
# DEPRECATED: Default VIM for launching VNFs. This option is deprecated and
# will be removed in Ocata release. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#default_vim = <None>
[openwrt]
#
# From tacker.vnfm.mgmt_drivers.openwrt.openwrt
#
# user name to login openwrt (string value)
#user = root
# password to login openwrt (string value)
#password =
[tacker]
#
# From tacker.vnfm.monitor
#
# Monitor driver to communicate with Hosting VNF/logical service instance
# tacker plugin will use (list value)
#monitor_driver = ping,http_ping
#
# From tacker.vnfm.plugin
#
# MGMT driver to communicate with Hosting VNF/logical service instance tacker
# plugin will use (list value)
#mgmt_driver = noop,openwrt
# Time interval to wait for VM to boot (integer value)
#boot_wait = 30
# Hosting vnf drivers tacker plugin will use (list value)
#infra_driver = nova,heat,noop,openstack
[tacker_heat]
stack_retry_wait = 5
stack_retries = 60
heat_uri = http://10.18.133.120:8004/v1
#
# From tacker.vnfm.infra_drivers.heat.heat
#
# Number of attempts to retry for stack creation/deletion (integer value)
#stack_retries = 60
# Wait time (in seconds) between consecutive stack create/delete retries
# (integer value)
#stack_retry_wait = 5
# Flavor Extra Specs (dict value)
#flavor_extra_specs =
[vim_keys]
#
# From tacker.nfvo.drivers.vim.openstack_driver
#
# Dir.path to store fernet keys. (string value)
#openstack = /etc/tacker/vim/fernet_keys
[vim_monitor]
#
# From tacker.nfvo.drivers.vim.openstack_driver
#
# number of ICMP packets to send (string value)
#count = 1
# number of seconds to wait for a response (string value)
#timeout = 1
# number of seconds to wait between packets (string value)
#interval = 1
[database]
connection = mysql+pymysql://root:devstack@127.0.0.1/tacker?charset=utf8
[keystone_authtoken]
memcached_servers = 10.18.133.120:11211
signing_dir = /var/cache/tacker
cafile = /opt/stack/data/ca-bundle.pem
auth_uri = http://10.18.133.120/identity
project_domain_name = Default
project_name = service
user_domain_name = Default
password = devstack
username = tacker
auth_url = http://10.18.133.120/identity_v2_admin
auth_type = password
[tacker_nova]
region_name = RegionOne
project_domain_id = default
project_name = service
user_domain_id = default
password = devstack
username = nova
auth_url = http://10.18.133.120/identity_v2_admin
auth_plugin = password
[agent]
root_helper = sudo /usr/local/bin/tacker-rootwrap /etc/tacker/rootwrap.conf


@ -1,318 +0,0 @@
[DEFAULT]
#
# From tacker.common.config
#
# The host IP to bind to (string value)
#bind_host = 0.0.0.0
# The port to bind to (integer value)
#bind_port = 9890
# The API paste config file to use (string value)
#api_paste_config = api-paste.ini
# The path for API extensions (string value)
#api_extensions_path =
# The service plugins Tacker will use (list value)
#service_plugins = nfvo,vnfm
# The policy file to use (string value)
#policy_file = policy.json
# The type of authentication to use (string value)
#auth_strategy = keystone
# Allow the usage of the bulk API (boolean value)
#allow_bulk = true
# Allow the usage of the pagination (boolean value)
#allow_pagination = false
# Allow the usage of the sorting (boolean value)
#allow_sorting = false
# The maximum number of items returned in a single response, value was
# 'infinite' or negative integer means no limit (string value)
#pagination_max_limit = -1
# The hostname Tacker is running on (string value)
#host = aio1-tacker-container-c4f3e5cd
# URL for connection to nova (string value)
#nova_url = http://127.0.0.1:8774/v2
# Username for connecting to nova in admin context (string value)
#nova_admin_username = <None>
# Password for connection to nova in admin context (string value)
#nova_admin_password = <None>
# The uuid of the admin nova tenant (string value)
#nova_admin_tenant_id = <None>
# Authorization URL for connecting to nova in admin context (string value)
#nova_admin_auth_url = http://localhost:5000/v2.0
# CA file for novaclient to verify server certificates (string value)
#nova_ca_certificates_file = <None>
# If True, ignore any SSL validation issues (boolean value)
#nova_api_insecure = false
# Name of nova region to use. Useful if keystone manages more than one region.
# (string value)
#nova_region_name = <None>
# Where to store Tacker state files. This directory must be writable by the
# agent. (string value)
#state_path = /var/lib/tacker
#
# From tacker.service
#
# Seconds between running periodic tasks (integer value)
#periodic_interval = 40
# Number of separate worker processes for service (integer value)
#api_workers = 0
# Range of seconds to randomly delay when starting the periodic task scheduler
# to reduce stampeding. (Disable by setting to 0) (integer value)
#periodic_fuzzy_delay = 5
#
# From tacker.wsgi
#
# Number of backlog requests to configure the socket with (integer value)
#backlog = 4096
# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not
# supported on OS X. (integer value)
#tcp_keepidle = 600
# Number of seconds to keep retrying to listen (integer value)
#retry_until_window = 30
# Max header line to accommodate large tokens (integer value)
#max_header_line = 16384
# Enable SSL on the API server (boolean value)
#use_ssl = false
# CA certificate file to use to verify connecting clients (string value)
#ssl_ca_file = <None>
# Certificate file to use when starting the server securely (string value)
#ssl_cert_file = <None>
# Private key file to use when starting the server securely (string value)
#ssl_key_file = <None>
[alarm_auth]
#
# From tacker.alarm_receiver
#
# User name for alarm monitoring (string value)
#username = tacker
# password for alarm monitoring (string value)
#password = nomoresecret
# project name for alarm monitoring (string value)
#project_name = service
# url for alarm monitoring (string value)
#url = http://localhost:35357/v3
[ceilometer]
#
# From tacker.vnfm.monitor_drivers.ceilometer.ceilometer
#
# Address which drivers use to trigger (string value)
#host = aio1-tacker-container-c4f3e5cd
# port number which drivers use to trigger (port value)
# Minimum value: 0
# Maximum value: 65535
#port = 9890
[monitor]
#
# From tacker.vnfm.monitor
#
# check interval for monitor (integer value)
#check_intvl = 10
[monitor_http_ping]
#
# From tacker.vnfm.monitor_drivers.http_ping.http_ping
#
# number of times to retry (integer value)
#retry = 5
# number of seconds to wait for a response (integer value)
#timeout = 1
# HTTP port number to send request (integer value)
#port = 80
[monitor_ping]
#
# From tacker.vnfm.monitor_drivers.ping.ping
#
# number of ICMP packets to send (string value)
#count = 1
# number of seconds to wait for a response (string value)
#timeout = 1
# number of seconds to wait between packets (string value)
#interval = 1
[nfvo]
#
# From tacker.nfvo.nfvo_plugin
#
# VIM driver for launching VNFs (list value)
#vim_drivers = openstack
# Interval to check for VIM health (integer value)
#monitor_interval = 30
[nfvo_vim]
#
# From tacker.vnfm.vim_client
#
# DEPRECATED: Default VIM for launching VNFs. This option is deprecated and
# will be removed in Ocata release. (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
#default_vim = <None>
[openstack_vim]
#
# From tacker.vnfm.infra_drivers.openstack.openstack
#
# Number of attempts to retry for stack creation/deletion (integer value)
#stack_retries = 60
# Wait time (in seconds) between consecutive stack create/delete retries
# (integer value)
#stack_retry_wait = 5
# Flavor Extra Specs (dict value)
#flavor_extra_specs =
[openwrt]
#
# From tacker.vnfm.mgmt_drivers.openwrt.openwrt
#
# user name to login openwrt (string value)
#user = root
# password to login openwrt (string value)
#password =
[tacker]
#
# From tacker.vnfm.monitor
#
# Monitor driver to communicate with Hosting VNF/logical service instance
# tacker plugin will use (list value)
#monitor_driver = ping,http_ping
# Alarm monitoring driver to communicate with Hosting VNF/logical service
# instance tacker plugin will use (list value)
#alarm_monitor_driver = ceilometer
#
# From tacker.vnfm.plugin
#
# MGMT driver to communicate with Hosting VNF/logical service instance tacker
# plugin will use (list value)
#mgmt_driver = noop,openwrt
# Time interval to wait for VM to boot (integer value)
#boot_wait = 30
# Hosting vnf drivers tacker plugin will use (list value)
#infra_driver = nova,heat,noop,openstack
[tacker_heat]
#
# From tacker.vnfm.infra_drivers.heat.heat
#
# Number of attempts to retry for stack creation/deletion (integer value)
#stack_retries = 60
# Wait time (in seconds) between consecutive stack create/delete retries
# (integer value)
#stack_retry_wait = 5
# Flavor Extra Specs (dict value)
#flavor_extra_specs =
[vim_keys]
#
# From tacker.nfvo.drivers.vim.openstack_driver
#
# Dir.path to store fernet keys. (string value)
#openstack = /etc/tacker/vim/fernet_keys
[vim_monitor]
#
# From tacker.nfvo.drivers.vim.openstack_driver
#
# number of ICMP packets to send (string value)
#count = 1
# number of seconds to wait for a response (string value)
#timeout = 1
# number of seconds to wait between packets (string value)
#interval = 1


@ -10,7 +10,7 @@ filters_path=/etc/tacker/rootwrap.d,/usr/share/tacker/rootwrap
# explicitely specify a full path (separated by ',') # explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable. # If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root ! # These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin exec_dirs={{ tacker_bin }},/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog # Enable logging to syslog
# Default value is False # Default value is False
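Review bot: `{{ tacker_bin }}` is now the first entry in `exec_dirs`, so it is searched before `/sbin` and the other system directories for any command a filter names without a full path, and the comment three lines above says every entry MUST be writable only by root; nothing in this hunk shows who owns `tacker_bin`. If it is the role's install prefix and is created as the service user (I cannot tell from here), either make the install tasks set root ownership or require full paths in the filter file. A comment above the line, `# {{ tacker_bin }} is searched first and must stay root-owned`, would record the invariant next to the value.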