From 2559ed4f13cd242c9f02cd023a7242db56650b0d Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Mon, 23 Nov 2015 14:35:16 -0600
Subject: [PATCH] Fixes playbook runtime issues with ldap

When using an LDAP backend the plabooks fail when "ensuring.*" which is a keystone client action. The reason for the failure is related to how ldap backend, and is triggered when the service users are within the ldap and not SQL. To resolve the issue a boolean conditional was created on the various OS_.* roles to skip specific tasks when the service users have already been added into LDAP.

Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
Closes-Bug: #1518351
Closes-Bug: #1519174
Signed-off-by: Kevin Carter
---
 playbooks/inventory/group_vars/hosts.yml | 29 ++++++++++++++-----
 playbooks/roles/os_aodh/defaults/main.yml | 2 ++
 .../roles/os_aodh/tasks/aodh_service_add.yml | 2 ++
 .../roles/os_ceilometer/defaults/main.yml | 2 ++
 .../tasks/ceilometer_service_add.yml | 2 ++
 playbooks/roles/os_cinder/defaults/main.yml | 2 ++
 .../os_cinder/tasks/cinder_service_add.yml | 2 ++
 playbooks/roles/os_glance/defaults/main.yml | 2 ++
 .../os_glance/tasks/glance_service_setup.yml | 2 ++
 playbooks/roles/os_heat/defaults/main.yml | 2 ++
 .../roles/os_heat/tasks/heat_service_add.yml | 2 ++
 playbooks/roles/os_keystone/defaults/main.yml | 2 ++
 .../tasks/keystone_service_setup.yml | 3 ++
 playbooks/roles/os_neutron/defaults/main.yml | 2 ++
 .../os_neutron/tasks/neutron_service_add.yml | 2 ++
 playbooks/roles/os_nova/defaults/main.yml | 2 ++
 .../roles/os_nova/tasks/nova_service_add.yml | 2 ++
 playbooks/roles/os_swift/defaults/main.yml | 2 ++
 .../os_swift/tasks/swift_service_setup.yml | 3 ++
 19 files changed, 60 insertions(+), 7 deletions(-)

diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml
index 9310492a5c..b664cfb012 100644
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@@ -83,6 +83,10 @@ dhcp_domain: openstacklocal
 #openstack_service_adminuri_proto: http
 #openstack_service_internaluri_proto: http
 
+## LDAP enabled toggle
+service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
+
+
 ## Aodh
 # DB info
 aodh_database_name: aodh
@@ -91,6 +95,7 @@ aodh_db_type: mongodb
 aodh_db_ip: localhost
 aodh_db_port: 27017
 aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}"
+aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Ceilometer
@@ -103,6 +108,7 @@ ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
 ceilometer_service_region: "{{ service_region }}"
 ceilometer_rabbitmq_userid: ceilometer
 ceilometer_rabbitmq_vhost: /ceilometer
+ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Nova
@@ -121,6 +127,7 @@ nova_keystone_auth_plugin: password
 nova_ceph_client: '{{ cinder_ceph_client }}'
 nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
 nova_dhcp_domain: "{{ dhcp_domain }}"
+nova_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Neutron
@@ -135,6 +142,7 @@ neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb
 neutron_service_adminurl: "{{ neutron_service_adminuri }}"
 neutron_service_region: "{{ service_region }}"
 neutron_dhcp_domain: "{{ dhcp_domain }}"
+neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Glance
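Review bot: `service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"` turns the mere presence of a `keystone_ldap` variable into "every service user already exists in LDAP", and every `*_service_in_ldap` in this file (@@ -91, -103, -121, -135 and the later hosts.yml hunks) inherits it. A deployment whose `keystone_ldap` only configures an end-user domain, or a read-only identity backend with service accounts still in SQL, would then skip service-user and role-grant creation in every role, and the services would fail authentication at runtime instead of failing at deploy time. I'd document the assumption and the override path right at the toggle: `## Assumes ALL service users (and their admin role grants) are pre-provisioned in LDAP whenever keystone_ldap is defined; set this, or an individual *_service_in_ldap, to false when service accounts remain in SQL.` Note also that the templated value may be the string "True"/"False" rather than a boolean in this Ansible vintage, so the `| bool` in the consuming `when:` clauses is load-bearing and worth a comment.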
@@ -147,6 +155,7 @@ glance_service_project_domain_id: default
 glance_service_user_domain_id: default
 glance_service_adminurl: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
 glance_service_region: "{{ service_region }}"
+glance_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 # Only specify this if you want to list the servers - by default LB host/port will be used
 #glance_api_servers: "{% for host in groups['glance_all'] %}{{ hostvars[host]['container_address'] }}:{{ glance_service_port }}{% if not loop.last %},{% endif %}{% endfor %}"
@@ -177,6 +186,7 @@ keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
 
 keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}"
 keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
+keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Horizon
@@ -187,6 +197,7 @@ horizon_enable_neutron_lbaas: "{% if neutron_plugin_base is defined and 'neutron
 
 ## Heat
 heat_service_region: "{{ service_region }}"
+heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## Cinder
@@ -208,6 +219,17 @@ cinder_ceph_client: cinder
 # cinder_backend_lvm_inuse: True if current host has an lvm backend
 cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
 cinder_service_region: "{{ service_region }}"
+cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}"
+
+
+## Swift
+swift_system_user_name: swift
+swift_system_group_name: swift
+swift_system_shell: /bin/bash
+swift_system_comment: swift system user
+swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
+swift_service_region: "{{ service_region }}"
+swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 
 
 ## OpenStack Openrc
@@ -226,13 +248,6 @@ tempest_pip_instructions: >
 --trusted-host pypi.python.org
 --trusted-host {{ openstack_repo_url | netloc_no_port }}
 
-## Swift
-swift_system_user_name: swift
-swift_system_group_name: swift
-swift_system_shell: /bin/bash
-swift_system_comment: swift system user
-swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
-swift_service_region: "{{ service_region }}"
 
 ## HAProxy
 haproxy_bind_on_non_local: "{% if groups.haproxy_hosts[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}"
diff --git a/playbooks/roles/os_aodh/defaults/main.yml b/playbooks/roles/os_aodh/defaults/main.yml
index c2f6284ca1..d21295e768 100644
--- a/playbooks/roles/os_aodh/defaults/main.yml
+++ b/playbooks/roles/os_aodh/defaults/main.yml
@@ -80,6 +80,8 @@ aodh_service_internalurl: "{{ aodh_service_internaluri }}"
 aodh_service_adminuri: "{{ aodh_service_proto }}://{{ internal_lb_vip_address }}:{{ aodh_service_port }}"
 aodh_service_adminurl: "{{ aodh_service_adminuri }}"
 
+aodh_service_in_ldap: false
+
 # Common apt packages
 aodh_apt_packages:
 - rpcbind
diff --git a/playbooks/roles/os_aodh/tasks/aodh_service_add.yml b/playbooks/roles/os_aodh/tasks/aodh_service_add.yml
index 31761a4c98..7e24205d6e 100644
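Review bot: The `## Swift` block is moved wholesale between hunks @@ -208 and @@ -226, from below the tempest settings to below Cinder; only `swift_service_in_ldap` is new, the other six keys are byte-identical and account for all seven deletions in the diffstat. The relocation is unrelated to the LDAP fix and makes the change harder to review and to bisect later; I'd leave the block where it was and add only `swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"` under `swift_service_region`. If the move is deliberate, one sentence in the commit message saying why would be enough.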
--- a/playbooks/roles/os_aodh/tasks/aodh_service_add.yml
+++ b/playbooks/roles/os_aodh/tasks/aodh_service_add.yml
@@ -39,6 +39,7 @@
 role_name: "{{ role_name }}"
 password: "{{ aodh_service_password }}"
 register: add_service
+ when: not aodh_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -55,6 +56,7 @@
 tenant_name: "{{ aodh_service_project_name }}"
 role_name: "{{ aodh_role_name }}"
 register: add_admin_role
+ when: not aodh_service_in_ldap | bool
 until: add_admin_role|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_ceilometer/defaults/main.yml b/playbooks/roles/os_ceilometer/defaults/main.yml
index 239c26b2a1..232ba9d305 100644
--- a/playbooks/roles/os_ceilometer/defaults/main.yml
+++ b/playbooks/roles/os_ceilometer/defaults/main.yml
@@ -80,6 +80,8 @@ ceilometer_service_internalurl: "{{ ceilometer_service_internaluri }}"
 ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
 ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}"
 
+
+ceilometer_service_in_ldap: false
 ## Ceilometer config
 # If the following variables are unset in user_variables, the value set will be half the number of available VCPUs
 # ceilometer_api_workers: 1
diff --git a/playbooks/roles/os_ceilometer/tasks/ceilometer_service_add.yml b/playbooks/roles/os_ceilometer/tasks/ceilometer_service_add.yml
index 6b97bfc6b9..74ce7bbf3a 100644
--- a/playbooks/roles/os_ceilometer/tasks/ceilometer_service_add.yml
+++ b/playbooks/roles/os_ceilometer/tasks/ceilometer_service_add.yml
@@ -39,6 +39,7 @@
 role_name: "{{ role_name }}"
 password: "{{ ceilometer_service_password }}"
 register: add_service
+ when: not ceilometer_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
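Review bot: The `when: not aodh_service_in_ldap | bool` added to the `add_admin_role` task at @@ -55 skips the role grant as well as the user creation at @@ -39; the task's name and module are above the hunk, but `tenant_name` plus `role_name` reads as a user-role assignment. Role assignments are stored by keystone's assignment backend, which commonly stays SQL even when identity is LDAP, so an LDAP-hosted service user can still need this grant, and skipping it leaves the account without its admin role until someone grants it by hand. Unless the reported failures came from this task itself, I'd keep the grant unconditional or gate it on its own variable that defaults to the same toggle, e.g. a comment on the task `# role grants live in the assignment backend; only skip when that backend is LDAP too`. The same question applies to the ceilometer @@ -55 hunk and to the `role_name:` hunks in the cinder, glance, heat, neutron, nova, swift and keystone (@@ -121, @@ -137) task files.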
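Review bot: In the os_ceilometer defaults hunk (@@ -80) the blank line is added above `ceilometer_service_in_ldap: false` rather than below it, so the new key ends up directly against the `## Ceilometer config` header with two blank lines above it. Every other role's defaults hunk in this patch (aodh, cinder, glance, heat, keystone, neutron, nova, swift) puts the blank after the new key. I'd swap the two added lines so the block reads `ceilometer_service_in_ldap: false`, blank line, `## Ceilometer config`.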
@@ -55,6 +56,7 @@
 tenant_name: "{{ ceilometer_service_project_name }}"
 role_name: "{{ ceilometer_role_name }}"
 register: add_admin_role
+ when: not ceilometer_service_in_ldap | bool
 until: add_admin_role|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_cinder/defaults/main.yml b/playbooks/roles/os_cinder/defaults/main.yml
index b686284d7f..dbb5acc1e6 100644
--- a/playbooks/roles/os_cinder/defaults/main.yml
+++ b/playbooks/roles/os_cinder/defaults/main.yml
@@ -210,6 +210,8 @@ cinder_quota_backup_gigabytes: 1000
 cinder_glance_host: 127.0.0.1
 cinder_glance_service_port: 9292
 
+cinder_service_in_ldap: false
+
 # Common apt packages
 cinder_apt_packages:
 - dmeventd
diff --git a/playbooks/roles/os_cinder/tasks/cinder_service_add.yml b/playbooks/roles/os_cinder/tasks/cinder_service_add.yml
index a538c4a316..a5375ebee6 100644
--- a/playbooks/roles/os_cinder/tasks/cinder_service_add.yml
+++ b/playbooks/roles/os_cinder/tasks/cinder_service_add.yml
@@ -43,6 +43,7 @@
 password: "{{ service_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not cinder_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -62,6 +63,7 @@
 role_name: "{{ role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not cinder_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_glance/defaults/main.yml b/playbooks/roles/os_glance/defaults/main.yml
index ceffaacc57..659d1f165a 100644
--- a/playbooks/roles/os_glance/defaults/main.yml
+++ b/playbooks/roles/os_glance/defaults/main.yml
@@ -165,6 +165,8 @@ glance_rbd_store_pool: images
 glance_rbd_store_user: '{{ glance_ceph_client }}'
 glance_rbd_store_chunk_size: 8
 
+glance_service_in_ldap: false
+
 # Common apt packages
 glance_apt_packages:
 - rpcbind
diff --git a/playbooks/roles/os_glance/tasks/glance_service_setup.yml b/playbooks/roles/os_glance/tasks/glance_service_setup.yml
index a154d8af9c..e061d72101 100644
--- a/playbooks/roles/os_glance/tasks/glance_service_setup.yml
+++ b/playbooks/roles/os_glance/tasks/glance_service_setup.yml
@@ -43,6 +43,7 @@
 password: "{{ glance_service_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not glance_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -62,6 +63,7 @@
 role_name: "{{ glance_role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not glance_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_heat/defaults/main.yml b/playbooks/roles/os_heat/defaults/main.yml
index 6c60098af1..f5be695f48 100644
--- a/playbooks/roles/os_heat/defaults/main.yml
+++ b/playbooks/roles/os_heat/defaults/main.yml
@@ -150,6 +150,8 @@ heat_watch_server_url: "{{ heat_watch_server_uri }}"
 # heat_engine_workers: 4
 # heat_api_workers: 4
 
+heat_service_in_ldap: false
+
 ## Plugin dirs
 heat_plugin_dirs:
 - /usr/lib/heat
diff --git a/playbooks/roles/os_heat/tasks/heat_service_add.yml b/playbooks/roles/os_heat/tasks/heat_service_add.yml
index 3eb6692e9f..dfe1266ce9 100644
--- a/playbooks/roles/os_heat/tasks/heat_service_add.yml
+++ b/playbooks/roles/os_heat/tasks/heat_service_add.yml
@@ -43,6 +43,7 @@
 password: "{{ service_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not heat_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -62,6 +63,7 @@
 role_name: "{{ role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not heat_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_keystone/defaults/main.yml b/playbooks/roles/os_keystone/defaults/main.yml
index ef1f8904df..204b9ae90a 100644
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@@ -322,6 +322,8 @@ keystone_recreate_keys: False
 # - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
 # id: upn
 
+keystone_service_in_ldap: false
+
 # Keystone Federation SP Packages
 keystone_sp_apt_packages:
 - libapache2-mod-shib2
diff --git a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
index d4faa89ad5..c7e19f6d10 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
@@ -87,6 +87,7 @@
 password: "{{ keystone_auth_admin_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not keystone_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -121,6 +122,7 @@
 role_name: "{{ keystone_role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not keystone_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -137,6 +139,7 @@
 role_name: "{{ keystone_default_role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_member_role
+ when: not keystone_service_in_ldap | bool
 until: add_member_role|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_neutron/defaults/main.yml b/playbooks/roles/os_neutron/defaults/main.yml
index 1f6f8a607e..e0dc1498ac 100644
--- a/playbooks/roles/os_neutron/defaults/main.yml
+++ b/playbooks/roles/os_neutron/defaults/main.yml
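Review bot: The task gated at @@ -87 in keystone_service_setup.yml authenticates with `keystone_auth_admin_password`, which suggests it ensures the keystone admin user rather than a service user; if so, `keystone_service_in_ldap` is doing double duty, deciding as well whether the admin account is expected to pre-exist in LDAP, and nothing in the defaults says so. The task's name and module are above the hunk, so this may be a misreading; if it is right, I'd document it on the default, `# when true, the admin user, its role grants and the default member role (keystone_service_setup.yml) are all assumed to exist already`, and consider a separate toggle for the admin account, since an admin that was never created leaves the deployer locked out rather than a single service degraded. Separately, in the defaults hunk (@@ -322) the new key is placed between the commented federation attribute map and `# Keystone Federation SP Packages`; putting it beside the other service/auth settings would be less surprising to the next reader.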
@@ -288,6 +288,8 @@ neutron_rpc_conn_pool_size: 30
 neutron_rpc_response_timeout: 60
 neutron_rpc_workers: 1
 
+neutron_service_in_ldap: false
+
 ## Policy vars
 # Provide a list of access controls to update the default policy.json with. These changes will be merged
 # with the access controls in the default policy.json. E.g.
diff --git a/playbooks/roles/os_neutron/tasks/neutron_service_add.yml b/playbooks/roles/os_neutron/tasks/neutron_service_add.yml
index 7430c2fd11..1173774481 100644
--- a/playbooks/roles/os_neutron/tasks/neutron_service_add.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_service_add.yml
@@ -43,6 +43,7 @@
 password: "{{ service_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not neutron_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -62,6 +63,7 @@
 role_name: "{{ role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not neutron_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_nova/defaults/main.yml b/playbooks/roles/os_nova/defaults/main.yml
index 44313d8193..2bce931e67 100644
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@@ -235,6 +235,8 @@ nova_ceph_client_uuid: 517a4663-3927-44bc-9ea7-4a90e1cd4c66
 # "compute:create": ""
 # "compute:create:attach_network": ""
 
+nova_service_in_ldap: false
+
 ## libvirtd config options
 nova_libvirtd_listen_tls: 1
 nova_libvirtd_listen_tcp: 0
diff --git a/playbooks/roles/os_nova/tasks/nova_service_add.yml b/playbooks/roles/os_nova/tasks/nova_service_add.yml
index 13478fdcfb..60603fcffc 100644
--- a/playbooks/roles/os_nova/tasks/nova_service_add.yml
+++ b/playbooks/roles/os_nova/tasks/nova_service_add.yml
@@ -43,6 +43,7 @@
 password: "{{ service_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not nova_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -62,6 +63,7 @@
 role_name: "{{ role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not nova_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
diff --git a/playbooks/roles/os_swift/defaults/main.yml b/playbooks/roles/os_swift/defaults/main.yml
index 04795ea389..8b386ec16f 100644
--- a/playbooks/roles/os_swift/defaults/main.yml
+++ b/playbooks/roles/os_swift/defaults/main.yml
@@ -159,6 +159,8 @@ swift_proxy_server_program_config_options: /etc/swift/proxy-server/proxy-server.
 swift_storage_address: 127.0.0.1
 swift_replication_address: 127.0.0.1
 
+swift_service_in_ldap: false
+
 # Basic swift configuration for the cluster
 swift: {}
 
diff --git a/playbooks/roles/os_swift/tasks/swift_service_setup.yml b/playbooks/roles/os_swift/tasks/swift_service_setup.yml
index 829447ea7c..7024ed6781 100644
--- a/playbooks/roles/os_swift/tasks/swift_service_setup.yml
+++ b/playbooks/roles/os_swift/tasks/swift_service_setup.yml
@@ -43,6 +43,7 @@
 password: "{{ swift_service_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not swift_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -62,6 +63,7 @@
 role_name: "{{ swift_service_role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not swift_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
@@ -96,6 +98,7 @@
 password: "{{ swift_dispersion_password }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
+ when: not swift_service_in_ldap | bool
 until: add_service|success
 retries: 5
 delay: 10
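Review bot: The third gate in swift_service_setup.yml (@@ -96) applies `swift_service_in_ldap` to the task that uses `swift_dispersion_password`, i.e. the dispersion user, which is not a service account in the sense of the commit message; with `keystone_ldap` defined that account will silently never be created and dispersion checks will fail to authenticate. The task's name sits above the hunk, so this assumes the hunk is the dispersion-user creation. If dispersion users are expected to be pre-provisioned in LDAP too, say so where the default is declared, `# also covers the dispersion user created in swift_service_setup.yml`; otherwise give that one task its own condition.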