Remove ansible_become from (Keystone and Worker)adjustment playbooks
+ Remove ansible_become, which caused individual tasks to run with sudo that did not actually need it. This makes maintaining the playbooks easier, as we know which tasks need sudo instead of every task getting sudo. + Check whether variables are set (token_provider, ceilometer_backend, etc.) with "pre_tasks" inside the playbook. + Set "become" as the second option of a task, for simplicity in determining whether the task uses root privileges. Change-Id: I890148878d41bb86aa428ecc884c44205f7c3bd3
This commit is contained in:
parent
f14ed22fab
commit
30d277c145
@ -9,5 +9,9 @@
|
|||
|
||||
- hosts: controller
|
||||
remote_user: heat-admin
|
||||
pre_tasks:
|
||||
- name: Check for variable (ceilometer_backend)
|
||||
fail: msg="ceilometer_backend not defined"
|
||||
when: ceilometer_backend is undefined
|
||||
roles:
|
||||
- ceilometer-backend
|
||||
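Review bot: The new pre_task only checks that `ceilometer_backend` is defined, not that it holds one of the two values the role actually switches between (its header comment elsewhere in this commit names database and gnocchi), so a typo such as `gnochi` passes the check and presumably just leaves the backend untouched without any error. An `assert` covers both cases with a clearer message: `- assert: { that: "ceilometer_backend in ['database', 'gnocchi']", msg: "ceilometer_backend must be 'database' or 'gnocchi'" }`. While here, prefer block YAML for module args (`fail:` / `msg:`) over the `fail: msg="..."` key=value form, matching the `ini_file` tasks in the rest of the change.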
|
|
|
@ -9,7 +9,9 @@
|
|||
|
||||
- hosts: controller
|
||||
remote_user: heat-admin
|
||||
vars:
|
||||
ansible_become: true
|
||||
pre_tasks:
|
||||
- name: Check for variable (token_provider)
|
||||
fail: msg="token_provider not defined"
|
||||
when: token_provider is undefined
|
||||
roles:
|
||||
- keystone-token
|
||||
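Review bot: `token_provider` is only checked for being defined, yet the role later writes it verbatim into keystone.conf as `keystone.token.providers.{{ token_provider }}.Provider` and keys its fernet-only tasks on it, so any unexpected value lands in the token provider setting with no error and none of the provider-specific setup running. Replace the `fail`/`when` pair with an allow-list check, e.g. `- assert: { that: "token_provider in allowed_token_providers", msg: "unsupported token_provider" }` with `allowed_token_providers` listing the providers the role supports (at least `fernet`, which is the one it special-cases). Dropping the play-level `ansible_become` is safe here as far as the diff shows, since every task in the role now carries `become: true`.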
|
|
|
@ -1,10 +1,13 @@
|
|||
---
|
||||
#
|
||||
# Playbook to change number of workers for nova,cinder and keystone services
|
||||
# Playbook to change number of workers for nova, neutron, cinder and keystone services
|
||||
#
|
||||
# Change Workers Example:
|
||||
# ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12"
|
||||
#
|
||||
# Change Workers Example and change Keystone Threads (If deployed in httpd)
|
||||
# ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12 threads=1"
|
||||
#
|
||||
# Change Workers and Keystone Deployment Example:
|
||||
# ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12 keystone_deployment=httpd"
|
||||
#
|
||||
|
@ -13,11 +16,23 @@
|
|||
remote_user: heat-admin
|
||||
gather_facts: false
|
||||
vars:
|
||||
ansible_become: true
|
||||
workers: 24
|
||||
threads: 6
|
||||
default_threads: 6
|
||||
pre_tasks:
|
||||
- name: Check for variable (workers)
|
||||
fail: msg="workers not defined"
|
||||
when: workers is undefined
|
||||
- name: Check for variable (threads)
|
||||
debug: msg="threads (Keystone only) not set, using default ({{default_threads}})"
|
||||
when: threads is undefined
|
||||
- name: Set default threads variable for Keystone
|
||||
set_fact:
|
||||
threads: "{{default_threads}}"
|
||||
when: threads is undefined
|
||||
- name: Determine if keystone_deployment is set
|
||||
debug: msg="keystone_deployment is not set therefore not changing keystone deployment"
|
||||
when: keystone_deployment is undefined
|
||||
roles:
|
||||
- nova-workers
|
||||
- neutron-workers
|
||||
- keystone-workers
|
||||
- cinder-workers
|
||||
- keystone-workers
|
||||
- nova-workers
|
||||
- neutron-workers
|
||||
- cinder-workers
|
||||
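Review bot: `workers` and `threads` arrive from `-e` as strings and are only checked for being defined, but the worker roles write them verbatim into service configs, so `-e workers=abc` passes the pre_task and leaves every API service with an invalid worker count once the restart handlers fire. Tighten the check to `- assert: { that: ["workers is defined", "workers | int > 0"], msg: "workers must be a positive integer" }` and apply the same `| int > 0` assertion to `threads` after the `set_fact`. The play-level `workers: 24` / `threads: 6` defaults appear to be removed in this hunk, which makes `workers` mandatory; the header examples reflect that, but the failure message could say so explicitly.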
|
|
|
@ -4,10 +4,6 @@
|
|||
# * Change backend between database and gnocchi
|
||||
#
|
||||
|
||||
- name: Check for variable
|
||||
fail: msg="ceilometer_backend not defined"
|
||||
when: ceilometer_backend is undefined
|
||||
|
||||
- name: Get current backend(s)
|
||||
become: true
|
||||
command: crudini --get /etc/ceilometer/ceilometer.conf DEFAULT meter_dispatchers
|
||||
|
@ -33,6 +29,6 @@
|
|||
- pacemaker cleanup gnocchi
|
||||
|
||||
- name: Configure for gnocchi
|
||||
when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0])
|
||||
become: true
|
||||
when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0])
|
||||
shell: gnocchi-upgrade --create-legacy-resource-types
|
||||
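Review bot: The retained condition `when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0])` is still broken on the new side: after templating, the first operand is the string literal `"'<value>' == 'gnocchi'"`, which is always truthy, so `gnocchi-upgrade --create-legacy-resource-types` runs on the first controller for every backend value. This commit fixes the identical pattern in the keystone-token role by dropping the double quotes but leaves it here; the idiomatic fix is to stop templating inside `when` entirely: `when: ceilometer_backend == 'gnocchi' and inventory_hostname == groups['controller'][0]`. The invocation contains no shell syntax, so `command:` should replace `shell:` as well.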
|
|
|
@ -4,23 +4,27 @@
|
|||
#
|
||||
|
||||
- name: unmanage cinder services
|
||||
become: true
|
||||
command: pcs resource unmanage {{ item }}
|
||||
with_items:
|
||||
- openstack-cinder-api
|
||||
ignore_errors: true
|
||||
|
||||
- name: restart cinder services
|
||||
become: true
|
||||
service: name={{ item }} state=restarted
|
||||
with_items:
|
||||
- openstack-cinder-api
|
||||
|
||||
- name: manage cinder services
|
||||
become: true
|
||||
command: pcs resource manage {{ item }}
|
||||
with_items:
|
||||
- openstack-cinder-api
|
||||
ignore_errors: true
|
||||
|
||||
- name: cleanup cinder services
|
||||
become: true
|
||||
command: pcs resource cleanup {{ item }}
|
||||
with_items:
|
||||
- openstack-cinder-api
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
#
|
||||
|
||||
- name: Configure cinder.conf
|
||||
become: true
|
||||
ini_file:
|
||||
dest: /etc/cinder/cinder.conf
|
||||
mode: 0640
|
||||
|
|
|
@ -4,24 +4,31 @@
|
|||
#
|
||||
|
||||
- name: pacemaker default unmanaged
|
||||
become: true
|
||||
command: pcs property set is-managed-default=false
|
||||
|
||||
- name: stop keystone service
|
||||
become: true
|
||||
service: name=openstack-keystone state=stopped
|
||||
when: "'httpd' in '{{ keystone_deployment }}'"
|
||||
|
||||
- name: restart httpd service
|
||||
become: true
|
||||
service: name=httpd state=restarted
|
||||
when: "'httpd' in '{{ keystone_deployment }}'"
|
||||
|
||||
- name: restart keystone service
|
||||
become: true
|
||||
service: name=openstack-keystone state=restarted
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
|
||||
- name: pacemaker default managed
|
||||
become: true
|
||||
command: pcs property set is-managed-default=true
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
|
||||
- name: pacemaker cleanup keystone
|
||||
become: true
|
||||
command: pcs resource cleanup openstack-keystone
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
ignore_errors: true
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
#
|
||||
|
||||
- name: Check Keystone Token Provider
|
||||
become: true
|
||||
command: crudini --get /etc/keystone/keystone.conf token provider
|
||||
register: keystone_token_provider
|
||||
changed_when: false
|
||||
|
@ -45,6 +46,7 @@
|
|||
#
|
||||
|
||||
- name: Change token provider
|
||||
become: true
|
||||
command: crudini --set /etc/keystone/keystone.conf token provider "keystone.token.providers.{{ token_provider }}.Provider"
|
||||
when: "'{{ current_token_provider }}' != '{{ token_provider }}'"
|
||||
notify:
|
||||
|
@ -60,6 +62,7 @@
|
|||
#
|
||||
|
||||
- name: Create fernet keys directory
|
||||
become: true
|
||||
file:
|
||||
path=/etc/keystone/fernet-keys
|
||||
state=directory
|
||||
|
@ -69,10 +72,12 @@
|
|||
when: "'{{ token_provider }}' == 'fernet'"
|
||||
|
||||
- name: Setup fernet keys
|
||||
become: true
|
||||
command: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
|
||||
when: ("'{{ token_provider }}' == 'fernet'") and (inventory_hostname == groups['controller'][0])
|
||||
when: ('{{ token_provider }}' == 'fernet') and (inventory_hostname == groups['controller'][0])
|
||||
|
||||
- name: Get fernet keys
|
||||
become: true
|
||||
fetch: src=/etc/keystone/fernet-keys/{{ item }} dest=roles/keystone-token/files/{{ item }} flat=yes
|
||||
with_items:
|
||||
- 0
|
||||
|
@ -81,26 +86,31 @@
|
|||
changed_when: false
|
||||
|
||||
- name: Copy fernet keys
|
||||
become: true
|
||||
copy: src={{ item }} dest=/etc/keystone/fernet-keys/{{ item }}
|
||||
with_items:
|
||||
- "0"
|
||||
- "1"
|
||||
when: ("'{{ token_provider }}' == 'fernet'") and (inventory_hostname != groups['controller'][0])
|
||||
when: ('{{ token_provider }}' == 'fernet') and (inventory_hostname != groups['controller'][0])
|
||||
|
||||
- name: Copy keystone type enforcement file
|
||||
become: true
|
||||
copy:
|
||||
src: my-keystone.te
|
||||
dest: /root/my-keystone.te
|
||||
when: "'{{ token_provider }}' == 'fernet'"
|
||||
|
||||
- name: Create keystone.mod file
|
||||
become: true
|
||||
command: checkmodule -M -m -o /root/my-keystone.mod /root/my-keystone.te
|
||||
when: "'{{ token_provider }}' == 'fernet'"
|
||||
|
||||
- name: Create keystone.pp file
|
||||
become: true
|
||||
command: semodule_package -o /root/my-keystone.pp -m /root/my-keystone.mod
|
||||
when: "'{{ token_provider }}' == 'fernet'"
|
||||
|
||||
- name: Install keystone selinux policy
|
||||
become: true
|
||||
shell: semodule -i /root/my-keystone.pp
|
||||
when: "'{{ token_provider }}' == 'fernet'"
|
||||
|
|
|
@ -14,12 +14,28 @@
|
|||
|
||||
import os
|
||||
|
||||
from oslo_log import log
|
||||
from oslo_log import versionutils
|
||||
|
||||
from keystone.i18n import _LW
|
||||
from keystone.server import wsgi as wsgi_server
|
||||
|
||||
|
||||
name = os.path.basename(__file__)
|
||||
LOG = log.getLogger(__name__)
|
||||
|
||||
|
||||
def deprecation_warning():
|
||||
versionutils.report_deprecated_feature(
|
||||
LOG,
|
||||
_LW('httpd/keystone.py is deprecated as of Mitaka'
|
||||
' in favor of keystone-wsgi-admin and keystone-wsgi-public'
|
||||
' and may be removed in O.')
|
||||
)
|
||||
|
||||
# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
|
||||
# The following is a reference to Python Paste Deploy documentation
|
||||
# http://pythonpaste.org/deploy/
|
||||
application = wsgi_server.initialize_application(name)
|
||||
application = wsgi_server.initialize_application(
|
||||
name,
|
||||
post_log_configured_function=deprecation_warning)
|
||||
|
|
|
@ -4,31 +4,39 @@
|
|||
#
|
||||
|
||||
- name: pacemaker unmanaged default
|
||||
become: true
|
||||
command: pcs property set is-managed-default=false
|
||||
ignore_errors: true
|
||||
|
||||
- name: stop keystone eventlet
|
||||
become: true
|
||||
service: name=openstack-keystone state=stopped
|
||||
when: "'httpd' in '{{ keystone_deployment }}'"
|
||||
ignore_errors: true
|
||||
|
||||
- name: restart httpd
|
||||
become: true
|
||||
service: name=httpd state=restarted
|
||||
|
||||
- name: restart keystone
|
||||
become: true
|
||||
service: name=openstack-keystone state=restarted
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
|
||||
- name: pacemaker managed default
|
||||
become: true
|
||||
command: pcs property set is-managed-default=true
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
# OSP8 and below uncomment, so only pcs managed when keystone in eventlet
|
||||
# when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
ignore_errors: true
|
||||
|
||||
- name: cleanup keystone
|
||||
become: true
|
||||
command: pcs resource cleanup openstack-keystone
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
ignore_errors: true
|
||||
|
||||
- name: cleanup httpd
|
||||
become: true
|
||||
command: pcs resource cleanup httpd
|
||||
ignore_errors: true
|
||||
|
|
|
@ -21,11 +21,13 @@
|
|||
when: keystone_deployment is undefined
|
||||
|
||||
- name: Get keystone admin ip address
|
||||
become: true
|
||||
command: crudini --get /etc/keystone/keystone.conf DEFAULT admin_bind_host
|
||||
register: admin_ip_addr
|
||||
changed_when: false
|
||||
|
||||
- name: Get keystone public ip address
|
||||
become: true
|
||||
command: crudini --get /etc/keystone/keystone.conf DEFAULT public_bind_host
|
||||
register: public_ip_addr
|
||||
changed_when: false
|
||||
|
@ -35,13 +37,14 @@
|
|||
#
|
||||
|
||||
- name: Configure eventlet workers
|
||||
become: true
|
||||
ini_file:
|
||||
dest: /etc/keystone/keystone.conf
|
||||
mode: 0640
|
||||
section: "{{ item.section }}"
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value }}"
|
||||
backup: yes
|
||||
backup: true
|
||||
with_items:
|
||||
- { section: DEFAULT, option: public_workers, value: "{{ workers }}" }
|
||||
- { section: DEFAULT, option: admin_workers, value: "{{ workers }}" }
|
||||
|
@ -56,6 +59,7 @@
|
|||
- cleanup keystone
|
||||
|
||||
- name: Unconfigure keystone in httpd if eventlet
|
||||
become: true
|
||||
file:
|
||||
path: /etc/httpd/conf.d/10-keystone_wsgi_{{ item }}.conf
|
||||
state: absent
|
||||
|
@ -68,6 +72,7 @@
|
|||
- cleanup httpd
|
||||
|
||||
- name: Create keystone in httpd wsgi directory
|
||||
become: true
|
||||
file:
|
||||
path: /var/www/cgi-bin/keystone
|
||||
state: directory
|
||||
|
@ -76,24 +81,29 @@
|
|||
when: "'httpd' in '{{ keystone_deployment }}'"
|
||||
|
||||
- name: Copy keystone in httpd files over
|
||||
become: true
|
||||
copy:
|
||||
src: keystone_httpd
|
||||
dest: /var/www/cgi-bin/keystone/{{ item }}
|
||||
owner: keystone
|
||||
group: keystone
|
||||
mode: 0744
|
||||
backup: true
|
||||
with_items:
|
||||
- admin
|
||||
- main
|
||||
when: "'httpd' in '{{ keystone_deployment }}'"
|
||||
ignore_errors: true
|
||||
|
||||
- name: Configure httpd processes/threads
|
||||
become: true
|
||||
template:
|
||||
src=keystone_wsgi.conf.j2
|
||||
dest=/etc/httpd/conf.d/10-keystone_wsgi_{{ item.interface }}.conf
|
||||
owner=root
|
||||
group=root
|
||||
mode=0644
|
||||
src: keystone_wsgi.conf.j2
|
||||
dest: /etc/httpd/conf.d/10-keystone_wsgi_{{ item.interface }}.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
backup: true
|
||||
with_items:
|
||||
- ip_address: "{{ admin_ip_addr.stdout }}"
|
||||
interface: "admin"
|
||||
|
@ -111,17 +121,33 @@
|
|||
- stop keystone eventlet
|
||||
- restart httpd
|
||||
|
||||
- name: Configure/Unconfigure httpd ports.conf for keystone
|
||||
template:
|
||||
src=keystone_ports.conf.j2
|
||||
dest=/etc/httpd/conf/ports.conf
|
||||
owner=root
|
||||
group=root
|
||||
mode=0644
|
||||
- name: Configure/Unconfigure httpd ports.conf for keystone (httpd)
|
||||
become: true
|
||||
lineinfile:
|
||||
dest: /etc/httpd/conf/ports.conf
|
||||
line: "Listen {{item}}"
|
||||
backup: true
|
||||
with_items:
|
||||
- admin_ip_address: "{{ admin_ip_addr.stdout }}"
|
||||
public_ip_address: "{{ public_ip_addr.stdout }}"
|
||||
deployment: "{{ keystone_deployment }}"
|
||||
- "{{ public_ip_addr.stdout }}:5000"
|
||||
- "{{ admin_ip_addr.stdout }}:35357"
|
||||
when: "'httpd' in '{{ keystone_deployment }}'"
|
||||
notify:
|
||||
- pacemaker unmanaged default
|
||||
- stop keystone eventlet
|
||||
- restart keystone
|
||||
- pacemaker managed default
|
||||
- cleanup keystone
|
||||
|
||||
- name: Configure/Unconfigure httpd ports.conf for keystone (eventlet)
|
||||
become: true
|
||||
lineinfile:
|
||||
dest: /etc/httpd/conf/ports.conf
|
||||
line: "Listen {{item}}"
|
||||
state: absent
|
||||
with_items:
|
||||
- "{{ public_ip_addr.stdout }}:5000"
|
||||
- "{{ admin_ip_addr.stdout }}:35357"
|
||||
when: "'eventlet' in '{{ keystone_deployment }}'"
|
||||
notify:
|
||||
- pacemaker unmanaged default
|
||||
- stop keystone eventlet
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
<VirtualHost {{ item.ip_address }}:{{ item.port }}>
|
||||
ServerName keystone_wsgi_{{ item.interface }}
|
||||
ServerName {{inventory_hostname}}
|
||||
|
||||
## Vhost docroot
|
||||
DocumentRoot "/var/www/cgi-bin/keystone"
|
||||
|
@ -14,10 +14,11 @@
|
|||
|
||||
## Logging
|
||||
ErrorLog "/var/log/httpd/keystone_wsgi_{{ item.interface }}_error.log"
|
||||
LogLevel info
|
||||
ServerSignature Off
|
||||
CustomLog "/var/log/httpd/keystone_wsgi_{{ item.interface }}_access.log" combined
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIDaemonProcess keystone_{{ item.interface }} display-name=keystone-{{ item.interface }} group=keystone processes={{ item.processes }} threads={{ item.threads }} user=keystone
|
||||
WSGIProcessGroup keystone_{{ item.interface }}
|
||||
WSGIScriptAlias / "/var/www/cgi-bin/keystone/{{ item.interface }}"
|
||||
</VirtualHost>
|
||||
WSGIPassAuthorization On
|
||||
</VirtualHost>
|
||||
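Review bot: `WSGIPassAuthorization On` is the security-relevant addition in this template and deserves a comment, because removing it later would silently break any client that authenticates via the `Authorization` header: mod_wsgi does not pass that header to the application unless this directive is on. Proposed comment directly above it: `# Pass the Authorization header through to keystone; mod_wsgi withholds it by default.` Note also that `ServerSignature Off` only affects server-generated pages; `ServerTokens Prod` is server-scoped and would need to live in the main httpd config rather than this vhost.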
|
|
|
@ -4,6 +4,7 @@
|
|||
#
|
||||
|
||||
- name: unmanage neutron services
|
||||
become: true
|
||||
command: pcs resource unmanage {{ item }}
|
||||
with_items:
|
||||
- neutron-server
|
||||
|
@ -11,12 +12,14 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: restart neutron services
|
||||
become: true
|
||||
service: name={{ item }} state=restarted
|
||||
with_items:
|
||||
- neutron-server
|
||||
- neutron-metadata-agent
|
||||
|
||||
- name: manage neutron services
|
||||
become: true
|
||||
command: pcs resource manage {{ item }}
|
||||
with_items:
|
||||
- neutron-server
|
||||
|
@ -24,6 +27,7 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: cleanup neutron services
|
||||
become: true
|
||||
command: pcs resource cleanup {{ item }}
|
||||
with_items:
|
||||
- neutron-server
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
#
|
||||
|
||||
- name: Configure neutron.conf
|
||||
become: true
|
||||
ini_file:
|
||||
dest: /etc/neutron/neutron.conf
|
||||
mode: 0640
|
||||
|
@ -22,6 +23,7 @@
|
|||
- cleanup neutron services
|
||||
|
||||
- name: Configure metadata_agent.ini
|
||||
become: true
|
||||
ini_file:
|
||||
dest: /etc/neutron/metadata_agent.ini
|
||||
mode: 0640
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
#
|
||||
|
||||
- name: unmanage nova services
|
||||
become: true
|
||||
command: pcs resource unmanage {{ item }}
|
||||
with_items:
|
||||
- openstack-nova-api
|
||||
|
@ -12,6 +13,7 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: restart nova services
|
||||
become: true
|
||||
service: name={{ item }} state=restarted
|
||||
with_items:
|
||||
- openstack-nova-api
|
||||
|
@ -19,6 +21,7 @@
|
|||
- openstack-nova-conductor
|
||||
|
||||
- name: manage nova services
|
||||
become: true
|
||||
command: pcs resource manage {{ item }}
|
||||
with_items:
|
||||
- openstack-nova-api
|
||||
|
@ -27,6 +30,7 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: cleanup nova services
|
||||
become: true
|
||||
command: pcs resource cleanup {{ item }}
|
||||
with_items:
|
||||
- openstack-nova-api
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
#
|
||||
|
||||
- name: Ensure nova.conf is properly configured
|
||||
become: true
|
||||
ini_file:
|
||||
dest: /etc/nova/nova.conf
|
||||
mode: 0640
|
||||
|
|