upgrades: deploy mod_ssl when upgrading apache

1) When Apache is upgraded, install mod_ssl rpm.
   See https://bugs.launchpad.net/tripleo/+bug/1682448
   to understand why we need mod_ssl.

2) All services that run Apache for API will use the snippet from
   Apache service to deploy mod_ssl, so we don't duplicate the code
   in all services. It's using the same mechanism as ovs upgrade to
   compile upgrade_tasks between both services.

Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
This commit is contained in:
Emilien Macchi 2017-04-26 15:56:41 -04:00
parent 933dd62de3
commit a6041608ca
10 changed files with 150 additions and 95 deletions

View File

@ -93,6 +93,12 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: Stop aodh_api service (running under httpd)
tags: step1
service: name=httpd state=stopped
yaql:
expression: $.data.apache_upgrade + $.data.aodh_api_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
aodh_api_upgrade:
- name: Stop aodh_api service (running under httpd)
tags: step1
service: name=httpd state=stopped

View File

@ -112,3 +112,6 @@ outputs:
shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
when: httpd_enabled.rc == 0
tags: step0,validation
- name: Ensure mod_ssl package is installed
tags: step3
yum: name=mod_ssl state=latest

View File

@ -153,16 +153,22 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: Check if barbican_api is deployed
command: systemctl is-enabled openstack-barbican-api
tags: common
ignore_errors: True
register: barbican_api_enabled
- name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
when: barbican_api_enabled.rc == 0
tags: step0,validation
- name: Install openstack-barbican-api package if it was disabled
tags: step3
yum: name=openstack-barbican-api state=latest
when: barbican_api_enabled.rc != 0
yaql:
expression: $.data.apache_upgrade + $.data.barbican_api_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
barbican_api_upgrade:
- name: Check if barbican_api is deployed
command: systemctl is-enabled openstack-barbican-api
tags: common
ignore_errors: True
register: barbican_api_enabled
- name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running"
shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b'
when: barbican_api_enabled.rc == 0
tags: step0,validation
- name: Install openstack-barbican-api package if it was disabled
tags: step3
yum: name=openstack-barbican-api state=latest
when: barbican_api_enabled.rc != 0

View File

@ -100,6 +100,12 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: Stop ceilometer_api service (running under httpd)
tags: step1
service: name=httpd state=stopped
yaql:
expression: $.data.apache_upgrade + $.data.ceilometer_api_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
ceilometer_api_upgrade:
- name: Stop ceilometer_api service (running under httpd)
tags: step1
service: name=httpd state=stopped

View File

@ -159,25 +159,31 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: Check if cinder_api is deployed
command: systemctl is-enabled openstack-cinder-api
tags: common
ignore_errors: True
register: cinder_api_enabled
- name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running"
shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b'
when: cinder_api_enabled.rc == 0
tags: step0,validation
- name: check for cinder running under apache (post upgrade)
tags: step1
shell: "httpd -t -D DUMP_VHOSTS | grep -q cinder"
register: cinder_apache
ignore_errors: true
- name: Stop cinder_api service (running under httpd)
tags: step1
service: name=httpd state=stopped
when: cinder_apache.rc == 0
- name: Stop and disable cinder_api service (pre-upgrade not under httpd)
tags: step1
when: cinder_api_enabled.rc == 0
service: name=openstack-cinder-api state=stopped enabled=no
yaql:
expression: $.data.apache_upgrade + $.data.cinder_api_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
cinder_api_upgrade:
- name: Check if cinder_api is deployed
command: systemctl is-enabled openstack-cinder-api
tags: common
ignore_errors: True
register: cinder_api_enabled
- name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running"
shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b'
when: cinder_api_enabled.rc == 0
tags: step0,validation
- name: check for cinder running under apache (post upgrade)
tags: step1
shell: "httpd -t -D DUMP_VHOSTS | grep -q cinder"
register: cinder_apache
ignore_errors: true
- name: Stop cinder_api service (running under httpd)
tags: step1
service: name=httpd state=stopped
when: cinder_apache.rc == 0
- name: Stop and disable cinder_api service (pre-upgrade not under httpd)
tags: step1
when: cinder_api_enabled.rc == 0
service: name=openstack-cinder-api state=stopped enabled=no

View File

@ -133,6 +133,12 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: Stop gnocchi_api service (running under httpd)
tags: step1
service: name=httpd state=stopped
yaql:
expression: $.data.apache_upgrade + $.data.gnocchi_api_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
gnocchi_api_upgrade:
- name: Stop gnocchi_api service (running under httpd)
tags: step1
service: name=httpd state=stopped

View File

@ -339,10 +339,15 @@ outputs:
horizon::keystone_multidomain_support: true
horizon::keystone_default_domain: 'Default'
- {}
# Ansible tasks to handle upgrade
upgrade_tasks:
- name: Stop keystone service (running under httpd)
tags: step1
service: name=httpd state=stopped
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
yaql:
expression: $.data.apache_upgrade + $.data.keystone_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
keystone_upgrade:
- name: Stop keystone service (running under httpd)
tags: step1
service: name=httpd state=stopped

View File

@ -92,21 +92,27 @@ outputs:
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
tags: common
ignore_errors: True
register: httpd_enabled
- name: "PreUpgrade step0,validation: Check if httpd is running"
shell: >
/usr/bin/systemctl show 'httpd' --property ActiveState |
grep '\bactive\b'
when: httpd_enabled.rc == 0
tags: step0,validation
- name: Stop panko-api service (running under httpd)
tags: step1
service: name=httpd state=stopped
when: httpd_enabled.rc == 0
- name: Install openstack-panko-api package if it was not installed
tags: step3
yum: name=openstack-panko-api state=latest
yaql:
expression: $.data.apache_upgrade + $.data.panko_api_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
panko_api_upgrade:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
tags: common
ignore_errors: True
register: httpd_enabled
- name: "PreUpgrade step0,validation: Check if httpd is running"
shell: >
/usr/bin/systemctl show 'httpd' --property ActiveState |
grep '\bactive\b'
when: httpd_enabled.rc == 0
tags: step0,validation
- name: Stop panko-api service (running under httpd)
tags: step1
service: name=httpd state=stopped
when: httpd_enabled.rc == 0
- name: Install openstack-panko-api package if it was not installed
tags: step3
yum: name=openstack-panko-api state=latest

View File

@ -0,0 +1,5 @@
---
upgrade:
- When a service is deployed in WSGI with Apache, make sure mode_ssl
package is deployed during the upgrade process, it's now required
by default so Apache can start properly.

View File

@ -105,31 +105,37 @@ outputs:
step_config: |
include ::tripleo::profile::base::zaqar
upgrade_tasks:
- name: Check if zaqar is deployed
command: systemctl is-enabled openstack-zaqar
tags: common
ignore_errors: True
register: zaqar_enabled
- name: "PreUpgrade step0,validation: Check if openstack-zaqar is running"
shell: >
/usr/bin/systemctl show 'openstack-zaqar' --property ActiveState |
grep '\bactive\b'
when: zaqar_enabled.rc == 0
tags: step0,validation
- name: Check for zaqar running under apache (post upgrade)
tags: step1
shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi"
register: zaqar_apache
ignore_errors: true
- name: Stop zaqar service (running under httpd)
tags: step1
service: name=httpd state=stopped
when: zaqar_apache.rc == 0
- name: Stop and disable zaqar service (pre-upgrade not under httpd)
tags: step1
when: zaqar_enabled.rc == 0
service: name=openstack-zaqar state=stopped enabled=no
- name: Install openstack-zaqar package if it was disabled
tags: step3
yum: name=openstack-zaqar state=latest
when: zaqar_enabled.rc != 0
yaql:
expression: $.data.apache_upgrade + $.data.zaqar_upgrade
data:
apache_upgrade:
get_attr: [ApacheServiceBase, role_data, upgrade_tasks]
zaqar_upgrade:
- name: Check if zaqar is deployed
command: systemctl is-enabled openstack-zaqar
tags: common
ignore_errors: True
register: zaqar_enabled
- name: "PreUpgrade step0,validation: Check if openstack-zaqar is running"
shell: >
/usr/bin/systemctl show 'openstack-zaqar' --property ActiveState |
grep '\bactive\b'
when: zaqar_enabled.rc == 0
tags: step0,validation
- name: Check for zaqar running under apache (post upgrade)
tags: step1
shell: "httpd -t -D DUMP_VHOSTS | grep -q zaqar_wsgi"
register: zaqar_apache
ignore_errors: true
- name: Stop zaqar service (running under httpd)
tags: step1
service: name=httpd state=stopped
when: zaqar_apache.rc == 0
- name: Stop and disable zaqar service (pre-upgrade not under httpd)
tags: step1
when: zaqar_enabled.rc == 0
service: name=openstack-zaqar state=stopped enabled=no
- name: Install openstack-zaqar package if it was disabled
tags: step3
yum: name=openstack-zaqar state=latest
when: zaqar_enabled.rc != 0