This patch adds the variable 'pip_install_options' which is passed to the pip
install module as extra arguments in order to allow the use of options like
'--force-reinstall' when executing playbooks.
e.g.: openstack-ansible -e pip_install_options="--force-reinstall" \
setup-openstack.yml
This is required due to constant upstream changes in dependencies which
result in python wheel version upgrades and downgrades between tagged
versions of openstack-ansible.
The intention is that this can be used whenever a deployer switches between
tags for both upgrades and downgrades.
DocImpact
Closes-Bug: #1489251
Closes-Bug: #1499451
Related-Bug: #1501114
Change-Id: I996185e009a4c4af4f23798619bdbd0d490360c9
In Keystone v3, the _member_ role is not implicitly created on first
use like it is in v2.
This patch adds variables to define the default role name for users:
- keystone_default_role_name:
this is the default role name from Keystone's point of view
- horizon_default_role_name:
this is the default user role from Horizon's point of view
Both Keystone's and Horizon's tasks ensure that the role they're using
is registered in the Keystone database.
To maintain backwards compatibility the default value for both
variables is '_member_'.
DocImpact
Closes-bug: 1474916
Change-Id: Ie01e1771c0b435815dfe55fc0ba9a6d803ebe958
In order to make it more difficult to know which
httpd server is running, here is a change to
reduce the ServerTokens OS to ServerTokens Prod
and the ServerSignature On to ServerSignature Off.
This removes ServerName and version report
on page footer and reduces the detail of the httpd
server running in the headers to "Apache".
These options can be overwritten by a user variable.
Change-Id: I1aaffaa3b6b7d6574aefac65b6027e62240a702b
Closes-Bug: #1484256
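The following Python is an added illustration of the check a deployer would run to confirm the hardening described in this commit; it is not the project's own Apache template or a task from openstack-ansible. It audits httpd configuration text for the two directives (falling back to Apache's built-in defaults when a directive is absent) and flags a Server: response header that still reveals a version or OS. The sample configuration strings are constructed here, and the conf file path named in the comment is an assumption.

```python
import re

# Constructed samples of the two settings the commit contrasts. Assumption:
# on Ubuntu these directives live in /etc/apache2/conf-available/security.conf.
WEAK_CONF = """\
# stock Ubuntu values: header and footer disclose version and OS
ServerTokens OS
ServerSignature On
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
"""

# Apache's own defaults when a directive appears in no conf file at all.
APACHE_DEFAULTS = {"servertokens": "Full", "serversignature": "Off"}

_DIRECTIVE = re.compile(r"^(ServerTokens|ServerSignature)\s+(\S+)", re.IGNORECASE)


def audit_httpd_conf(conf_text):
    """Return a list of findings for directives that leak httpd details.

    As in Apache, the last occurrence of a directive wins, and an absent
    directive is evaluated at the built-in default.
    """
    seen = dict(APACHE_DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        m = _DIRECTIVE.match(line)
        if m:
            seen[m.group(1).lower()] = m.group(2)

    findings = []
    tokens = seen["servertokens"]
    if tokens.lower() != "prod":
        findings.append(
            f"ServerTokens {tokens}: Server header reveals more than 'Apache'"
        )
    signature = seen["serversignature"]
    if signature.lower() != "off":
        findings.append(
            f"ServerSignature {signature}: error pages carry a server/version footer"
        )
    return findings


def server_header_leaks_version(server_header):
    """True if a Server: response header reveals version or OS details.

    With ServerTokens Prod the header is exactly 'Apache'. A '/<digit>'
    version suffix or a parenthesised OS/module list means it leaks.
    """
    return bool(re.search(r"/\d|\(", server_header.strip()))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_httpd_conf(conf) or "OK")
    # Constructed header values as they would appear in a curl -I response.
    for hdr in ("Apache/2.4.7 (Ubuntu)", "Apache"):
        print(repr(hdr), "leaks" if server_header_leaks_version(hdr) else "clean")
```

After deploying the hardened settings, `curl -sI https://<horizon-vip>/ | grep -i '^server:'` should show only `Server: Apache`; feeding that value to `server_header_leaks_version` gives the same verdict the audit function gives for the configuration.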
This patch revises the SSL certificate management and
distribution with something that is more consistent with how
it's done everywhere else in the project. It also repairs the
current user provided certificate distribution which was broken.
* The server key/certificate (and optionally a CA cert) are
distributed to all horizon containers.
* Two new variables have been implemented for a user-provided
server key and certificate:
- horizon_user_ssl_cert: <path to cert on deployment host>
- horizon_user_ssl_key: <path to key on deployment host>
If either of these is not defined, then the missing cert/key
will be self generated on the first Horizon container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- horizon_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'horizon_ssl_self_signed_subject' has
been implemented to allow the user to override the self-signed
certificate properties, such as the CN and subjectAltName.
Upgrade notes:
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The variable 'horizon_self_signed' (which defaulted to true)
has been removed. The decision of whether to generate a
self-signed certificate is now made based on whether a
user-provided key/cert pair has been provided.
* The 'horizon_self_signed_regen' variable has been renamed
to 'horizon_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key
DocImpact
UpgradeImpact
Closes-Bug: #1475578
Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
A random minute in the 21st hour UTC, daily, was chosen arbitrarily.
That it is run on a single arbitrary host from the set was done to
prevent unnecessary work being done until Bug #1424705 provides us with
a cleaner solution.
Adjusted to run once per day just to be sure that the operation doesn't
lock the table for a meaningful duration.
Making this configurable or tunable does not seem
to be necessary at this time.
Change-Id: I87164926a4d6a65d3c9f733d625a2d4af91c2597
Closes-Bug: #1466126
This change adds a specific update task to all tasks that call the
apt ansible module. This change was done to ensure that the cache
is updated as expected when instructed to do so. The reason that
the cache update is being removed from the grouping is because
there is an upstream bug that is affecting the process by which
the apt cache is updated when there is a package list to process
within the same task. The workaround to make this function as
expected is to move the update into its own task without a package
list.
Upstream Ansible bug:
- https://github.com/ansible/ansible-modules-core/issues/1497
Change-Id: Ic06d89a76d772c12888b4bc4bbf147be58b0c150
Related-Bug: 1464771
SHA-1 certificates are being deprecated and browsers are starting to
issue warnings about their use. We should begin generating SHA-2
certificates for Horizon.
Closes-bug: 1461983
Change-Id: I7f1933680e2859e007f6b8be262852b164f90b33
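The two certificate changes above (the Horizon key/cert distribution and the move to SHA-2 signatures) leave a deployer wanting a quick way to confirm what actually landed in /etc/ssl/certs/horizon.pem. The Python below is an added example and not part of openstack-ansible: it walks the outer DER structure of an X.509 certificate just far enough to read the signatureAlgorithm OID, using only the standard library, and reports whether the certificate is SHA-1 signed. The OID table is a short, assumed list, and `fake_certificate` builds a constructed, certificate-shaped blob (not a real, verifiable certificate) so the check can be exercised offline.

```python
import ssl  # used only to convert a real PEM file to DER


# Signature-algorithm OIDs this checker recognises (assumed, deliberately
# short table; unknown OIDs are returned in dotted form).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_algorithm(der_cert):
    """Name (or dotted OID) of the algorithm a DER certificate is signed with.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = read_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)             # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def signed_with_sha1(der_cert):
    """True when the certificate signature uses SHA-1 (now warned on by browsers)."""
    return "SHA1" in signature_algorithm(der_cert).upper()


def check_pem_file(path):
    """Wrapper for an on-disk PEM file, e.g. /etc/ssl/certs/horizon.pem."""
    with open(path) as fh:
        return signed_with_sha1(ssl.PEM_cert_to_DER_cert(fh.read()))


# --- constructed sample input; NOT a real certificate -----------------------
def tlv(tag, value):
    """Minimal DER encoder, used only to build the sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_certificate(sig_oid):
    """Certificate-shaped DER blob with a placeholder body and the given signature OID."""
    tbs = tlv(0x30, tlv(0x02, b"\x02"))                                 # placeholder tbsCertificate
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))    # OID + NULL parameters
    sig = tlv(0x03, b"\x00" * 9)                                        # placeholder BIT STRING
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = fake_certificate(oid)
        print(signature_algorithm(cert), "SHA-1!" if signed_with_sha1(cert) else "ok")
```

Run `check_pem_file("/etc/ssl/certs/horizon.pem")` on a Horizon container after the playbook completes; a `True` result means the self-signed certificate was generated with the old digest and `horizon_ssl_self_signed_regen` should be set so it is regenerated.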
To enable partitioning of DB traffic by-service, each service needs to
use a custom connection string. Defaulting the service address to a
common galera_address makes things continue to work by default.
While the galera_address could be overridden on a container or host
basis this requires repeating that behavior across each infra node in
the inventory. Providing service-specific connection address variables
simplifies the management somewhat for large deployments and may reduce
error rates.
The service install playbooks now default the service-specific variables
instead of galera_address to the internal lb vip from inventory to
maintain the ease-of-use currently available.
Any value for a service-specific variable set in user_variables.yml will
override the value in the playbook's vars to provide selective
customization as needed.
Change-Id: I4c98bf906a0c1cb11ddd41277a855dce22ff646a
Closes-Bug: 1462529
This change ensures that apache2 is restarted after the horizon
configuration is changed.
Closes-Bug: #1441110
Change-Id: I7713995b1fa91e42b27a28856cdf21814c037b6f
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in-favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
Openstack practices.
* Dynamically generated inventory is now more organized, this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the separation of infrastructure pieces. While the old infra_hosts group
will still work this change allows for groups to be divided up into separate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow separate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and/or were refactored the repository still relies on an upstream mirror of
Openstack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and/or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e