Remove ansible_become from (Keystone and Worker)adjustment playbooks

+ Removing ansible_become from causing individual tasks to run with
  sudo that did not actually need it.  This make maintaining the
  playbooks easier as we know what tasks need sudo vs every task gets
  sudo
+ Check if variables are set (token_provider, ceilometer_backend, etc)
  with "pre_tasks" tasks inside playbook
+ Set "become" as second options for simplicty in determining if task
  uses root privileges

Change-Id: I890148878d41bb86aa428ecc884c44205f7c3bd3

ansible/browbeat/adjustment-ceilometer.yml

@@ -9,5 +9,9 @@
 
 - hosts: controller
   remote_user: heat-admin
+  pre_tasks:
+    - name: Check for variable (ceilometer_backend)
+      fail: msg="ceilometer_backend not defined"
+      when: ceilometer_backend is undefined
   roles:
     - ceilometer-backend

ansible/browbeat/adjustment-keystone-token.yml

@@ -9,7 +9,9 @@
 
 - hosts: controller
   remote_user: heat-admin
-  vars:
-    ansible_become: true
+  pre_tasks:
+    - name: Check for variable (token_provider)
+      fail: msg="token_provider not defined"
+      when: token_provider is undefined
   roles:
     - keystone-token

ansible/browbeat/adjustment-workers.yml

@@ -1,10 +1,13 @@
 ---
 #
-# Playbook to change number of workers for nova,cinder and keystone services
+# Playbook to change number of workers for nova, neutron, cinder and keystone services
 #
 # Change Workers Example:
 # ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12"
 #
+# Change Workers Example and change Keystone Threads (If deployed in httpd)
+# ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12 threads=1"
+#
 # Change Workers and Keystone Deployment Example:
 # ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12 keystone_deployment=httpd"
 #
@@ -13,11 +16,23 @@
   remote_user: heat-admin
   gather_facts: false
   vars:
-    ansible_become: true
-    workers: 24
-    threads: 6
+    default_threads: 6
+  pre_tasks:
+    - name: Check for variable (workers)
+      fail: msg="workers not defined"
+      when: workers is undefined
+    - name: Check for variable (threads)
+      debug: msg="threads (Keystone only) not set, using default ({{default_threads}})"
+      when: threads is undefined
+    - name: Set default threads variable for Keystone
+      set_fact:
+        threads: "{{default_threads}}"
+      when: threads is undefined
+    - name: Determine if keystone_deployment is set
+      debug: msg="keystone_deployment is not set therefore not changing keystone deployment"
+      when: keystone_deployment is undefined
   roles:
-  - nova-workers
-  - neutron-workers
-  - keystone-workers
-  - cinder-workers
+    - keystone-workers
+    - nova-workers
+    - neutron-workers
+    - cinder-workers

ansible/browbeat/roles/ceilometer-backend/tasks/main.yml

@@ -4,10 +4,6 @@
 # * Change backend between database and gnocchi
 #
 
-- name: Check for variable
-  fail: msg="ceilometer_backend not defined"
-  when: ceilometer_backend is undefined
-
 - name:  Get current backend(s)
   become: true
   command: crudini --get /etc/ceilometer/ceilometer.conf DEFAULT meter_dispatchers
@@ -33,6 +29,6 @@
     - pacemaker cleanup gnocchi
 
 - name: Configure for gnocchi
-  when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0])
   become: true
+  when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0])
   shell:  gnocchi-upgrade --create-legacy-resource-types

ansible/browbeat/roles/cinder-workers/handlers/main.yml

@@ -4,23 +4,27 @@
 #
 
 - name: unmanage cinder services
+  become: true
   command: pcs resource unmanage {{ item }}
   with_items:
     - openstack-cinder-api
   ignore_errors: true
 
 - name: restart cinder services
+  become: true
   service: name={{ item }} state=restarted
   with_items:
     - openstack-cinder-api
 
 - name: manage cinder services
+  become: true
   command: pcs resource manage {{ item }}
   with_items:
     - openstack-cinder-api
   ignore_errors: true
 
 - name: cleanup cinder services
+  become: true
   command: pcs resource cleanup {{ item }}
   with_items:
     - openstack-cinder-api

ansible/browbeat/roles/cinder-workers/tasks/main.yml

@@ -5,6 +5,7 @@
 #
 
 - name: Configure cinder.conf
+  become: true
   ini_file:
     dest: /etc/cinder/cinder.conf
     mode: 0640

ansible/browbeat/roles/keystone-token/handlers/main.yml

@@ -4,24 +4,31 @@
 #
 
 - name: pacemaker default unmanaged
+  become: true
   command: pcs property set is-managed-default=false
 
 - name: stop keystone service
+  become: true
   service: name=openstack-keystone state=stopped
   when: "'httpd' in '{{ keystone_deployment }}'"
 
 - name: restart httpd service
+  become: true
   service: name=httpd state=restarted
   when: "'httpd' in '{{ keystone_deployment }}'"
 
 - name: restart keystone service
+  become: true
   service: name=openstack-keystone state=restarted
   when: "'eventlet' in '{{ keystone_deployment }}'"
 
 - name: pacemaker default managed
+  become: true
   command: pcs property set is-managed-default=true
   when: "'eventlet' in '{{ keystone_deployment }}'"
 
 - name: pacemaker cleanup keystone
+  become: true
   command: pcs resource cleanup openstack-keystone
-  when: "'eventlet' in '{{ keystone_deployment }}'"
+  when: "'eventlet' in '{{ keystone_deployment }}'"
+  ignore_errors: true

ansible/browbeat/roles/keystone-token/tasks/main.yml

@@ -23,6 +23,7 @@
 #
 
 - name: Check Keystone Token Provider
+  become: true
   command: crudini --get /etc/keystone/keystone.conf token provider
   register: keystone_token_provider
   changed_when: false
@@ -45,6 +46,7 @@
 #
 
 - name: Change token provider
+  become: true
   command: crudini --set /etc/keystone/keystone.conf token provider "keystone.token.providers.{{ token_provider }}.Provider"
   when: "'{{ current_token_provider }}' != '{{ token_provider }}'"
   notify:
@@ -60,6 +62,7 @@
 #
 
 - name: Create fernet keys directory
+  become: true
   file:
     path=/etc/keystone/fernet-keys
     state=directory
@@ -69,10 +72,12 @@
   when: "'{{ token_provider }}' == 'fernet'"
 
 - name: Setup fernet keys
+  become: true
   command: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
-  when: ("'{{ token_provider }}' == 'fernet'") and (inventory_hostname == groups['controller'][0])
+  when: ('{{ token_provider }}' == 'fernet') and (inventory_hostname == groups['controller'][0])
 
 - name: Get fernet keys
+  become: true
   fetch: src=/etc/keystone/fernet-keys/{{ item }} dest=roles/keystone-token/files/{{ item }} flat=yes
   with_items:
     - 0
@@ -81,26 +86,31 @@
   changed_when: false
 
 - name: Copy fernet keys
+  become: true
   copy: src={{ item }} dest=/etc/keystone/fernet-keys/{{ item }}
   with_items:
     - "0"
     - "1"
-  when: ("'{{ token_provider }}' == 'fernet'") and (inventory_hostname != groups['controller'][0])
+  when: ('{{ token_provider }}' == 'fernet') and (inventory_hostname != groups['controller'][0])
 
 - name: Copy keystone type enforcement file
+  become: true
   copy:
     src: my-keystone.te
     dest: /root/my-keystone.te
   when: "'{{ token_provider }}' == 'fernet'"
 
 - name: Create keystone.mod file
+  become: true
   command: checkmodule -M -m -o /root/my-keystone.mod /root/my-keystone.te
   when: "'{{ token_provider }}' == 'fernet'"
 
 - name: Create keystone.pp file
+  become: true
   command: semodule_package -o /root/my-keystone.pp -m /root/my-keystone.mod
   when: "'{{ token_provider }}' == 'fernet'"
 
 - name: Install keystone selinux policy
+  become: true
   shell: semodule -i /root/my-keystone.pp
   when: "'{{ token_provider }}' == 'fernet'"

ansible/browbeat/roles/keystone-workers/files/keystone_httpd

@@ -14,12 +14,28 @@
 
 import os
 
+from oslo_log import log
+from oslo_log import versionutils
+
+from keystone.i18n import _LW
 from keystone.server import wsgi as wsgi_server
 
 
 name = os.path.basename(__file__)
+LOG = log.getLogger(__name__)
+
+
+def deprecation_warning():
+    versionutils.report_deprecated_feature(
+        LOG,
+        _LW('httpd/keystone.py is deprecated as of Mitaka'
+            ' in favor of keystone-wsgi-admin and keystone-wsgi-public'
+            ' and may be removed in O.')
+    )
 
 # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
 # The following is a reference to Python Paste Deploy documentation
 # http://pythonpaste.org/deploy/
-application = wsgi_server.initialize_application(name)
+application = wsgi_server.initialize_application(
+    name,
+    post_log_configured_function=deprecation_warning)

ansible/browbeat/roles/keystone-workers/handlers/main.yml

@@ -4,31 +4,39 @@
 #
 
 - name: pacemaker unmanaged default
+  become: true
   command: pcs property set is-managed-default=false
   ignore_errors: true
 
 - name: stop keystone eventlet
+  become: true
   service: name=openstack-keystone state=stopped
   when: "'httpd' in '{{ keystone_deployment }}'"
   ignore_errors: true
 
 - name: restart httpd
+  become: true
   service: name=httpd state=restarted
 
 - name: restart keystone
+  become: true
   service: name=openstack-keystone state=restarted
   when: "'eventlet' in '{{ keystone_deployment }}'"
 
 - name: pacemaker managed default
+  become: true
   command: pcs property set is-managed-default=true
-  when: "'eventlet' in '{{ keystone_deployment }}'"
+  # OSP8 and below uncomment, so only pcs managed when keystone in eventlet
+  # when: "'eventlet' in '{{ keystone_deployment }}'"
   ignore_errors: true
 
 - name: cleanup keystone
+  become: true
   command: pcs resource cleanup openstack-keystone
   when: "'eventlet' in '{{ keystone_deployment }}'"
   ignore_errors: true
 
 - name: cleanup httpd
+  become: true
   command: pcs resource cleanup httpd
   ignore_errors: true

ansible/browbeat/roles/keystone-workers/tasks/main.yml

@@ -21,11 +21,13 @@
   when: keystone_deployment is undefined
 
 - name: Get keystone admin ip address
+  become: true
   command: crudini --get /etc/keystone/keystone.conf DEFAULT admin_bind_host
   register: admin_ip_addr
   changed_when: false
 
 - name: Get keystone public ip address
+  become: true
   command: crudini --get /etc/keystone/keystone.conf DEFAULT public_bind_host
   register: public_ip_addr
   changed_when: false
@@ -35,13 +37,14 @@
 #
 
 - name: Configure eventlet workers
+  become: true
   ini_file:
     dest: /etc/keystone/keystone.conf
     mode: 0640
     section: "{{ item.section }}"
     option: "{{ item.option }}"
     value: "{{ item.value }}"
-    backup: yes
+    backup: true
   with_items:
     - { section: DEFAULT, option: public_workers, value: "{{ workers }}" }
     - { section: DEFAULT, option: admin_workers, value: "{{ workers }}" }
@@ -56,6 +59,7 @@
     - cleanup keystone
 
 - name: Unconfigure keystone in httpd if eventlet
+  become: true
   file:
     path: /etc/httpd/conf.d/10-keystone_wsgi_{{ item }}.conf
     state: absent
@@ -68,6 +72,7 @@
     - cleanup httpd
 
 - name: Create keystone in httpd wsgi directory
+  become: true
   file:
     path: /var/www/cgi-bin/keystone
     state: directory
@@ -76,24 +81,29 @@
   when: "'httpd' in '{{ keystone_deployment }}'"
 
 - name: Copy keystone in httpd files over
+  become: true
   copy:
     src: keystone_httpd
     dest: /var/www/cgi-bin/keystone/{{ item }}
     owner: keystone
     group: keystone
     mode: 0744
+    backup: true
   with_items:
     - admin
     - main
   when: "'httpd' in '{{ keystone_deployment }}'"
+  ignore_errors: true
 
 - name: Configure httpd processes/threads
+  become: true
   template:
-    src=keystone_wsgi.conf.j2
-    dest=/etc/httpd/conf.d/10-keystone_wsgi_{{ item.interface }}.conf
-    owner=root
-    group=root
-    mode=0644
+    src: keystone_wsgi.conf.j2
+    dest: /etc/httpd/conf.d/10-keystone_wsgi_{{ item.interface }}.conf
+    owner: root
+    group: root
+    mode: 0644
+    backup: true
   with_items:
     - ip_address: "{{ admin_ip_addr.stdout }}"
       interface: "admin"
@@ -111,17 +121,33 @@
     - stop keystone eventlet
     - restart httpd
 
-- name: Configure/Unconfigure httpd ports.conf for keystone
-  template:
-    src=keystone_ports.conf.j2
-    dest=/etc/httpd/conf/ports.conf
-    owner=root
-    group=root
-    mode=0644
+- name: Configure/Unconfigure httpd ports.conf for keystone (httpd)
+  become: true
+  lineinfile:
+    dest: /etc/httpd/conf/ports.conf
+    line: "Listen {{item}}"
+    backup: true
   with_items:
-    - admin_ip_address: "{{ admin_ip_addr.stdout }}"
-      public_ip_address: "{{ public_ip_addr.stdout }}"
-      deployment: "{{ keystone_deployment }}"
+    - "{{ public_ip_addr.stdout }}:5000"
+    - "{{ admin_ip_addr.stdout }}:35357"
+  when: "'httpd' in '{{ keystone_deployment }}'"
+  notify:
+    - pacemaker unmanaged default
+    - stop keystone eventlet
+    - restart keystone
+    - pacemaker managed default
+    - cleanup keystone
+
+- name: Configure/Unconfigure httpd ports.conf for keystone (eventlet)
+  become: true
+  lineinfile:
+    dest: /etc/httpd/conf/ports.conf
+    line: "Listen {{item}}"
+    state: absent
+  with_items:
+    - "{{ public_ip_addr.stdout }}:5000"
+    - "{{ admin_ip_addr.stdout }}:35357"
+  when: "'eventlet' in '{{ keystone_deployment }}'"
   notify:
     - pacemaker unmanaged default
     - stop keystone eventlet

ansible/browbeat/roles/keystone-workers/templates/keystone_wsgi.conf.j2

@@ -1,5 +1,5 @@
 <VirtualHost {{ item.ip_address }}:{{ item.port }}>
-  ServerName  keystone_wsgi_{{ item.interface }}
+  ServerName  {{inventory_hostname}}
 
   ## Vhost docroot
   DocumentRoot "/var/www/cgi-bin/keystone"
@@ -14,10 +14,11 @@
 
   ## Logging
   ErrorLog "/var/log/httpd/keystone_wsgi_{{ item.interface }}_error.log"
-  LogLevel info
   ServerSignature Off
   CustomLog "/var/log/httpd/keystone_wsgi_{{ item.interface }}_access.log" combined
+  WSGIApplicationGroup %{GLOBAL}
   WSGIDaemonProcess keystone_{{ item.interface }} display-name=keystone-{{ item.interface }} group=keystone processes={{ item.processes }} threads={{ item.threads }} user=keystone
   WSGIProcessGroup keystone_{{ item.interface }}
   WSGIScriptAlias / "/var/www/cgi-bin/keystone/{{ item.interface }}"
-</VirtualHost>
+  WSGIPassAuthorization On
+</VirtualHost>

ansible/browbeat/roles/neutron-workers/handlers/main.yml

@@ -4,6 +4,7 @@
 #
 
 - name: unmanage neutron services
+  become: true
   command: pcs resource unmanage {{ item }}
   with_items:
     - neutron-server
@@ -11,12 +12,14 @@
   ignore_errors: true
 
 - name: restart neutron services
+  become: true
   service: name={{ item }} state=restarted
   with_items:
     - neutron-server
     - neutron-metadata-agent
 
 - name: manage neutron services
+  become: true
   command: pcs resource manage {{ item }}
   with_items:
     - neutron-server
@@ -24,6 +27,7 @@
   ignore_errors: true
 
 - name: cleanup neutron services
+  become: true
   command: pcs resource cleanup {{ item }}
   with_items:
     - neutron-server

ansible/browbeat/roles/neutron-workers/tasks/main.yml

@@ -5,6 +5,7 @@
 #
 
 - name: Configure neutron.conf
+  become: true
   ini_file:
     dest: /etc/neutron/neutron.conf
     mode: 0640
@@ -22,6 +23,7 @@
     - cleanup neutron services
 
 - name: Configure metadata_agent.ini
+  become: true
   ini_file:
     dest: /etc/neutron/metadata_agent.ini
     mode: 0640

ansible/browbeat/roles/nova-workers/handlers/main.yml

@@ -4,6 +4,7 @@
 #
 
 - name: unmanage nova services
+  become: true
   command: pcs resource unmanage {{ item }}
   with_items:
     - openstack-nova-api
@@ -12,6 +13,7 @@
   ignore_errors: true
 
 - name: restart nova services
+  become: true
   service: name={{ item }} state=restarted
   with_items:
     - openstack-nova-api
@@ -19,6 +21,7 @@
     - openstack-nova-conductor
 
 - name: manage nova services
+  become: true
   command: pcs resource manage {{ item }}
   with_items:
     - openstack-nova-api
@@ -27,6 +30,7 @@
   ignore_errors: true
 
 - name: cleanup nova services
+  become: true
   command: pcs resource cleanup {{ item }}
   with_items:
     - openstack-nova-api

ansible/browbeat/roles/nova-workers/tasks/main.yml

@@ -5,6 +5,7 @@
 #
 
 - name: Ensure nova.conf is properly configured
+  become: true
   ini_file:
     dest: /etc/nova/nova.conf
     mode: 0640