Fixes playbook runtime issues with ldap

When using an LDAP backend the playbooks fail on the "ensuring.*"
tasks, which are keystone client actions. The failure is related to
how the LDAP backend works, and is triggered when the service
users are within LDAP and not SQL. To resolve the issue a boolean
conditional was created on the various OS_.* roles to skip specific
tasks when the service users have already been added into LDAP.

Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
Closes-Bug: #1518351
Closes-Bug: #1519174
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2015-11-23 14:35:16 -06:00 committed by Major Hayden
parent e142145b0e
commit 2559ed4f13
19 changed files with 60 additions and 7 deletions


@ -83,6 +83,10 @@ dhcp_domain: openstacklocal
#openstack_service_adminuri_proto: http
#openstack_service_internaluri_proto: http
## LDAP enabled toggle
service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
## Aodh
# DB info
aodh_database_name: aodh
@ -91,6 +95,7 @@ aodh_db_type: mongodb
aodh_db_ip: localhost
aodh_db_port: 27017
aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}"
aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Ceilometer
@ -103,6 +108,7 @@ ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
ceilometer_service_region: "{{ service_region }}"
ceilometer_rabbitmq_userid: ceilometer
ceilometer_rabbitmq_vhost: /ceilometer
ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Nova
@ -121,6 +127,7 @@ nova_keystone_auth_plugin: password
nova_ceph_client: '{{ cinder_ceph_client }}'
nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
nova_dhcp_domain: "{{ dhcp_domain }}"
nova_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Neutron
@ -135,6 +142,7 @@ neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb
neutron_service_adminurl: "{{ neutron_service_adminuri }}"
neutron_service_region: "{{ service_region }}"
neutron_dhcp_domain: "{{ dhcp_domain }}"
neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Glance
@ -147,6 +155,7 @@ glance_service_project_domain_id: default
glance_service_user_domain_id: default
glance_service_adminurl: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
glance_service_region: "{{ service_region }}"
glance_service_in_ldap: "{{ service_ldap_backend_enabled }}"
# Only specify this if you want to list the servers - by default LB host/port will be used
#glance_api_servers: "{% for host in groups['glance_all'] %}{{ hostvars[host]['container_address'] }}:{{ glance_service_port }}{% if not loop.last %},{% endif %}{% endfor %}"
@ -177,6 +186,7 @@ keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}"
keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Horizon
@ -187,6 +197,7 @@ horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and 'neutron
## Heat
heat_service_region: "{{ service_region }}"
heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Cinder
@ -208,6 +219,17 @@ cinder_ceph_client: cinder
# cinder_backend_lvm_inuse: True if current host has an lvm backend
cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
cinder_service_region: "{{ service_region }}"
cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Swift
swift_system_user_name: swift
swift_system_group_name: swift
swift_system_shell: /bin/bash
swift_system_comment: swift system user
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
swift_service_region: "{{ service_region }}"
swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## OpenStack Openrc
@ -226,13 +248,6 @@ tempest_pip_instructions: >
--trusted-host pypi.python.org
--trusted-host {{ openstack_repo_url | netloc_no_port }}
## Swift
swift_system_user_name: swift
swift_system_group_name: swift
swift_system_shell: /bin/bash
swift_system_comment: swift system user
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
swift_service_region: "{{ service_region }}"
## HAProxy
haproxy_bind_on_non_local: "{% if groups.haproxy_hosts[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}"
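Review bot: `service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"` in the first hunk turns on every `*_service_in_ldap` flag as soon as any LDAP configuration exists, which is a broader condition than the one the commit describes (service users actually living in LDAP rather than SQL). A deployment that defines `keystone_ldap` for a non-default domain while keeping the service accounts in SQL would then skip all service user and role creation and only discover it when the services fail to authenticate. A comment above the toggle should state the assumption and the override, e.g. `## Assumes the service users and their role assignments already exist in LDAP whenever keystone_ldap is defined; set <service>_service_in_ldap: false per service to keep SQL-managed accounts.` The rendered value is the string "True"/"False" rather than a boolean, so every consumer must keep the `| bool` filter that the task files in this commit use.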


@ -80,6 +80,8 @@ aodh_service_internalurl: "{{ aodh_service_internaluri }}"
aodh_service_adminuri: "{{ aodh_service_proto }}://{{ internal_lb_vip_address }}:{{ aodh_service_port }}"
aodh_service_adminurl: "{{ aodh_service_adminuri }}"
aodh_service_in_ldap: false
# Common apt packages
aodh_apt_packages:
- rpcbind
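Review bot: `aodh_service_in_ldap: false` is added without a comment, while the surrounding defaults (e.g. `# Common apt packages`) are documented, so a reader of the role cannot tell what the flag skips or when to set it. A line such as `# Set to true when the aodh service user and its role assignments are managed in LDAP; the keystone user/role creation tasks are then skipped.` above it would do. The same undocumented default is added in the ceilometer, cinder, glance, heat, keystone, neutron, nova and swift defaults files in this commit.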


@ -39,6 +39,7 @@
role_name: "{{ role_name }}"
password: "{{ aodh_service_password }}"
register: add_service
when: not aodh_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -55,6 +56,7 @@
tenant_name: "{{ aodh_service_project_name }}"
role_name: "{{ aodh_role_name }}"
register: add_admin_role
when: not aodh_service_in_ldap | bool
until: add_admin_role|success
retries: 5
delay: 10
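Review bot: When `aodh_service_in_ldap` is true both hunks skip silently, so nothing in the role confirms that the service user and its role assignment actually exist, and a missing or mis-named LDAP account surfaces only later as an authentication failure in the service. A read-only lookup task guarded by `when: aodh_service_in_ldap | bool` that fails with a clear message would keep the LDAP path from being a blind skip. The second hunk also skips the role assignment; with an LDAP identity backend that still keeps assignments in SQL the grant could presumably still be performed, so it is worth confirming whether that task fails in the LDAP case or only the user creation does. The enclosing tasks start outside the hunks. The same pattern is repeated in the ceilometer, cinder, glance, heat, keystone, neutron, nova and swift task files.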


@ -80,6 +80,8 @@ ceilometer_service_internalurl: "{{ ceilometer_service_internaluri }}"
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}"
ceilometer_service_in_ldap: false
## Ceilometer config
# If the following variables are unset in user_variables, the value set will be half the number of available VCPUs
# ceilometer_api_workers: 1


@ -39,6 +39,7 @@
role_name: "{{ role_name }}"
password: "{{ ceilometer_service_password }}"
register: add_service
when: not ceilometer_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -55,6 +56,7 @@
tenant_name: "{{ ceilometer_service_project_name }}"
role_name: "{{ ceilometer_role_name }}"
register: add_admin_role
when: not ceilometer_service_in_ldap | bool
until: add_admin_role|success
retries: 5
delay: 10


@ -210,6 +210,8 @@ cinder_quota_backup_gigabytes: 1000
cinder_glance_host: 127.0.0.1
cinder_glance_service_port: 9292
cinder_service_in_ldap: false
# Common apt packages
cinder_apt_packages:
- dmeventd


@ -43,6 +43,7 @@
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not cinder_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -62,6 +63,7 @@
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not cinder_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10


@ -165,6 +165,8 @@ glance_rbd_store_pool: images
glance_rbd_store_user: '{{ glance_ceph_client }}'
glance_rbd_store_chunk_size: 8
glance_service_in_ldap: false
# Common apt packages
glance_apt_packages:
- rpcbind


@ -43,6 +43,7 @@
password: "{{ glance_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not glance_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -62,6 +63,7 @@
role_name: "{{ glance_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not glance_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10


@ -150,6 +150,8 @@ heat_watch_server_url: "{{ heat_watch_server_uri }}"
# heat_engine_workers: 4
# heat_api_workers: 4
heat_service_in_ldap: false
## Plugin dirs
heat_plugin_dirs:
- /usr/lib/heat


@ -43,6 +43,7 @@
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not heat_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -62,6 +63,7 @@
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not heat_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10


@ -322,6 +322,8 @@ keystone_recreate_keys: False
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
# id: upn
keystone_service_in_ldap: false
# Keystone Federation SP Packages
keystone_sp_apt_packages:
- libapache2-mod-shib2


@ -87,6 +87,7 @@
password: "{{ keystone_auth_admin_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not keystone_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -121,6 +122,7 @@
role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not keystone_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -137,6 +139,7 @@
role_name: "{{ keystone_default_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_member_role
when: not keystone_service_in_ldap | bool
until: add_member_role|success
retries: 5
delay: 10


@ -288,6 +288,8 @@ neutron_rpc_conn_pool_size: 30
neutron_rpc_response_timeout: 60
neutron_rpc_workers: 1
neutron_service_in_ldap: false
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.


@ -43,6 +43,7 @@
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not neutron_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -62,6 +63,7 @@
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not neutron_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10


@ -235,6 +235,8 @@ nova_ceph_client_uuid: 517a4663-3927-44bc-9ea7-4a90e1cd4c66
# "compute:create": ""
# "compute:create:attach_network": ""
nova_service_in_ldap: false
## libvirtd config options
nova_libvirtd_listen_tls: 1
nova_libvirtd_listen_tcp: 0


@ -43,6 +43,7 @@
password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not nova_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -62,6 +63,7 @@
role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not nova_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10


@ -159,6 +159,8 @@ swift_proxy_server_program_config_options: /etc/swift/proxy-server/proxy-server.
swift_storage_address: 127.0.0.1
swift_replication_address: 127.0.0.1
swift_service_in_ldap: false
# Basic swift configuration for the cluster
swift: {}


@ -43,6 +43,7 @@
password: "{{ swift_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not swift_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -62,6 +63,7 @@
role_name: "{{ swift_service_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not swift_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10
@ -96,6 +98,7 @@
password: "{{ swift_dispersion_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service
when: not swift_service_in_ldap | bool
until: add_service|success
retries: 5
delay: 10