openstack/tripleo-common
Code Issues Proposed changes
b62fc4d5c6
tripleo-common/playbooks/rotate-keys.yaml
Juan Antonio Osorio Robles 6b039f4bbb chown fernet keys to match container's keystone user and group 
We used to use the host's keystone user and group. This is wrong since
we need to use the container's keystone user and group, which differs
from the host. This fixes that.

Change-Id: I0a64843c94bb173bb9e418bfca26927c1e2a123f
Closes-Bug: #1726727
2017-10-24 09:10:29 +00:00

61 lines
1.8 KiB
YAML
Raw Blame History

---
- hosts: keystone
tasks:
- name: Check for containerized keystone fernet repository
stat:
path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
register: containerized_keystone_dir
- set_fact:
is_container: containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir
- name: Rotate fernet keys for keystone container
block:
- set_fact:
keystone_base: /var/lib/config-data/puppet-generated/keystone
- name: Remove previous fernet keys
shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
args:
warn: false
- name: Persist fernet keys to repository
copy:
dest: "{{ keystone_base }}{{ item.key }}"
content: "{{ item.value.content }}"
mode: 0600
with_dict: "{{ fernet_keys }}"
no_log: true
- name: Set permissions to match container's user
shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }}
with_dict: "{{ fernet_keys }}"
no_log: true
- name: Restart keystone container
shell: docker restart keystone
when: is_container
- name: Rotate fernet keys for keystone (no container)
block:
- name: Remove previous fernet keys
shell: rm -rf /etc/keystone/fernet-keys/*
args:
warn: false
- name: Persist fernet keys to repository
copy:
dest: "{{ item.key }}"
content: "{{ item.value.content }}"
mode: 0600
owner: keystone
group: keystone
with_dict: "{{ fernet_keys }}"
no_log: true
- name: Reload apache
service:
name: httpd
state: reloaded
when: not is_container
View Git Blame Copy Permalink