From 30d277c1455aa6df40aa93c821de8f4132245b65 Mon Sep 17 00:00:00 2001 From: Alex Krzos Date: Wed, 13 Jul 2016 11:01:56 -0400 Subject: [PATCH] Remove ansible_become from (Keystone and Worker) adjustment playbooks + Removing ansible_become stops individual tasks that did not actually need sudo from running with it. This makes maintaining the playbooks easier, as we know which tasks need sudo instead of every task getting sudo + Check if variables are set (token_provider, ceilometer_backend, etc) with "pre_tasks" tasks inside playbook + Set "become" as second option for simplicity in determining if task uses root privileges Change-Id: I890148878d41bb86aa428ecc884c44205f7c3bd3 --- ansible/browbeat/adjustment-ceilometer.yml | 4 ++ .../browbeat/adjustment-keystone-token.yml | 6 +- ansible/browbeat/adjustment-workers.yml | 31 +++++++--- .../roles/ceilometer-backend/tasks/main.yml | 6 +- .../roles/cinder-workers/handlers/main.yml | 4 ++ .../roles/cinder-workers/tasks/main.yml | 1 + .../roles/keystone-token/handlers/main.yml | 9 ++- .../roles/keystone-token/tasks/main.yml | 14 ++++- .../keystone-workers/files/keystone_httpd | 18 +++++- .../roles/keystone-workers/handlers/main.yml | 10 +++- .../roles/keystone-workers/tasks/main.yml | 58 ++++++++++++++----- .../templates/keystone_wsgi.conf.j2 | 7 ++- .../roles/neutron-workers/handlers/main.yml | 4 ++ .../roles/neutron-workers/tasks/main.yml | 2 + .../roles/nova-workers/handlers/main.yml | 4 ++ .../roles/nova-workers/tasks/main.yml | 1 + 16 files changed, 140 insertions(+), 39 deletions(-) diff --git a/ansible/browbeat/adjustment-ceilometer.yml b/ansible/browbeat/adjustment-ceilometer.yml index 906e88b57..44a2baabb 100644 --- a/ansible/browbeat/adjustment-ceilometer.yml +++ b/ansible/browbeat/adjustment-ceilometer.yml 
@@ -9,5 +9,9 @@ - hosts: controller remote_user: heat-admin + pre_tasks: + - name: Check for variable (ceilometer_backend) + fail: msg="ceilometer_backend not defined" + when: ceilometer_backend is undefined roles: - ceilometer-backend diff --git a/ansible/browbeat/adjustment-keystone-token.yml b/ansible/browbeat/adjustment-keystone-token.yml index 51f41374d..b2f7364ca 100644 --- a/ansible/browbeat/adjustment-keystone-token.yml +++ b/ansible/browbeat/adjustment-keystone-token.yml @@ -9,7 +9,9 @@ - hosts: controller remote_user: heat-admin - vars: - ansible_become: true + pre_tasks: + - name: Check for variable (token_provider) + fail: msg="token_provider not defined" + when: token_provider is undefined roles: - keystone-token diff --git a/ansible/browbeat/adjustment-workers.yml b/ansible/browbeat/adjustment-workers.yml index f68fe4714..7dd0557b8 100644 --- a/ansible/browbeat/adjustment-workers.yml +++ b/ansible/browbeat/adjustment-workers.yml @@ -1,10 +1,13 @@ --- # -# Playbook to change number of workers for nova,cinder and keystone services +# Playbook to change number of workers for nova, neutron, cinder and keystone services # # Change Workers Example: # ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12" # +# Change Workers Example and change Keystone Threads (If deployed in httpd) +# ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12 threads=1" +# # Change Workers and Keystone Deployment Example: # ansible-playbook -i hosts browbeat/adjustment-workers.yml -e "workers=12 keystone_deployment=httpd" # 
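Review bot: The new pre_task only checks that `ceilometer_backend` is defined, yet the role's tasks branch on its exact value ('gnocchi', with 'database' as the other backend named in the role's header comment), so a misspelled value passed with `-e` clears the guard and, as far as the visible role tasks show, simply skips the gnocchi branch without configuring anything. Tighten it to an allow-list: `when: ceilometer_backend is undefined or ceilometer_backend not in ['database', 'gnocchi']`, with the message adjusted to say which values are accepted. The same definedness-only pattern is used for `token_provider` in adjustment-keystone-token.yml in this patch.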
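Review bot: The pre_tasks guard covers `token_provider` but not `keystone_deployment`, which the keystone-token handlers in this same patch interpolate in their `when` clauses (`'httpd' in '{{ keystone_deployment }}'`); unless a role default supplies it, the first notified handler fails on an undefined variable after the token provider has already been rewritten. Add a second guard next to the new one: `- name: Check for variable (keystone_deployment)`, `fail: msg="keystone_deployment not defined"`, `when: keystone_deployment is undefined`. Since `token_provider` is also spliced into a privileged `crudini --set` command line by the role, restricting it to the providers the role actually handles would be a cheaper check here than a confusing failure later.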
@@ -13,11 +16,23 @@ remote_user: heat-admin gather_facts: false vars: - ansible_become: true - workers: 24 - threads: 6 + default_threads: 6 + pre_tasks: + - name: Check for variable (workers) + fail: msg="workers not defined" + when: workers is undefined + - name: Check for variable (threads) + debug: msg="threads (Keystone only) not set, using default ({{default_threads}})" + when: threads is undefined + - name: Set default threads variable for Keystone + set_fact: + threads: "{{default_threads}}" + when: threads is undefined + - name: Determine if keystone_deployment is set + debug: msg="keystone_deployment is not set therefore not changing keystone deployment" + when: keystone_deployment is undefined roles: - - nova-workers - - neutron-workers - - keystone-workers - - cinder-workers + - keystone-workers + - nova-workers + - neutron-workers + - cinder-workers diff --git a/ansible/browbeat/roles/ceilometer-backend/tasks/main.yml b/ansible/browbeat/roles/ceilometer-backend/tasks/main.yml index 2e142ff6f..eb9687cf0 100644 --- a/ansible/browbeat/roles/ceilometer-backend/tasks/main.yml +++ b/ansible/browbeat/roles/ceilometer-backend/tasks/main.yml @@ -4,10 +4,6 @@ # * Change backend between database and gnocchi # -- name: Check for variable - fail: msg="ceilometer_backend not defined" - when: ceilometer_backend is undefined - - name: Get current backend(s) become: true command: crudini --get /etc/ceilometer/ceilometer.conf DEFAULT meter_dispatchers @@ -33,6 +29,6 @@ - pacemaker cleanup gnocchi - name: Configure for gnocchi - when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0]) become: true + when: ("'{{ ceilometer_backend }}' == 'gnocchi'") and (inventory_hostname == groups['controller'][0]) shell: gnocchi-upgrade --create-legacy-resource-types diff --git a/ansible/browbeat/roles/cinder-workers/handlers/main.yml b/ansible/browbeat/roles/cinder-workers/handlers/main.yml index 557956799..0888b5bd0 100644 
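Review bot: The `workers` guard only tests definedness; the value is then written unvalidated into the nova, neutron, cinder and keystone configs as a worker count, so `-e workers=abc` or `workers=0` passes the check and is caught, if at all, only when the services restart. Extend the condition to `when: workers is undefined or (workers | int) < 1` with a message such as `workers must be a positive integer`, and apply the same test to `threads` after the default has been set. The reordering of the roles list (keystone-workers now first) is not mentioned in the commit message; a one-line comment above `roles:` stating why keystone must run before the others would help the next reader.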
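Review bot: The re-placed `when:` on `Configure for gnocchi` still wraps its first operand in double quotes, `("'{{ ceilometer_backend }}' == 'gnocchi'")`, so after templating Jinja sees a non-empty string literal rather than a comparison and, as far as I can tell, treats it as true — `gnocchi-upgrade` would then run on the first controller for any backend value, while this patch fixes exactly that quoting in roles/keystone-token/tasks/main.yml. Rather than only dropping the outer quotes, write it without templating delimiters: `when: ceilometer_backend == 'gnocchi' and inventory_hostname == groups['controller'][0]`. The `{{ }}`-inside-`when` form also appears in the keystone-token and keystone-workers handlers and tasks in this patch, and the same rewrite applies there.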
--- a/ansible/browbeat/roles/cinder-workers/handlers/main.yml +++ b/ansible/browbeat/roles/cinder-workers/handlers/main.yml @@ -4,23 +4,27 @@ # - name: unmanage cinder services + become: true command: pcs resource unmanage {{ item }} with_items: - openstack-cinder-api ignore_errors: true - name: restart cinder services + become: true service: name={{ item }} state=restarted with_items: - openstack-cinder-api - name: manage cinder services + become: true command: pcs resource manage {{ item }} with_items: - openstack-cinder-api ignore_errors: true - name: cleanup cinder services + become: true command: pcs resource cleanup {{ item }} with_items: - openstack-cinder-api diff --git a/ansible/browbeat/roles/cinder-workers/tasks/main.yml b/ansible/browbeat/roles/cinder-workers/tasks/main.yml index 80a89e54c..1dea8ca2b 100644 --- a/ansible/browbeat/roles/cinder-workers/tasks/main.yml +++ b/ansible/browbeat/roles/cinder-workers/tasks/main.yml @@ -5,6 +5,7 @@ # - name: Configure cinder.conf + become: true ini_file: dest: /etc/cinder/cinder.conf mode: 0640 diff --git a/ansible/browbeat/roles/keystone-token/handlers/main.yml b/ansible/browbeat/roles/keystone-token/handlers/main.yml index 2f7ded1db..d5bc37b5a 100644 --- a/ansible/browbeat/roles/keystone-token/handlers/main.yml +++ b/ansible/browbeat/roles/keystone-token/handlers/main.yml 
@@ -4,24 +4,31 @@ # - name: pacemaker default unmanaged + become: true command: pcs property set is-managed-default=false - name: stop keystone service + become: true service: name=openstack-keystone state=stopped when: "'httpd' in '{{ keystone_deployment }}'" - name: restart httpd service + become: true service: name=httpd state=restarted when: "'httpd' in '{{ keystone_deployment }}'" - name: restart keystone service + become: true service: name=openstack-keystone state=restarted when: "'eventlet' in '{{ keystone_deployment }}'" - name: pacemaker default managed + become: true command: pcs property set is-managed-default=true when: "'eventlet' in '{{ keystone_deployment }}'" - name: pacemaker cleanup keystone + become: true command: pcs resource cleanup openstack-keystone - when: "'eventlet' in '{{ keystone_deployment }}'" \ No newline at end of file + when: "'eventlet' in '{{ keystone_deployment }}'" + ignore_errors: true diff --git a/ansible/browbeat/roles/keystone-token/tasks/main.yml b/ansible/browbeat/roles/keystone-token/tasks/main.yml index d515030ae..c8d750061 100644 --- a/ansible/browbeat/roles/keystone-token/tasks/main.yml +++ b/ansible/browbeat/roles/keystone-token/tasks/main.yml @@ -23,6 +23,7 @@ # - name: Check Keystone Token Provider + become: true command: crudini --get /etc/keystone/keystone.conf token provider register: keystone_token_provider changed_when: false @@ -45,6 +46,7 @@ # - name: Change token provider + become: true command: crudini --set /etc/keystone/keystone.conf token provider "keystone.token.providers.{{ token_provider }}.Provider" when: "'{{ current_token_provider }}' != '{{ token_provider }}'" notify: @@ -60,6 +62,7 @@ # - name: Create fernet keys directory + become: true file: path=/etc/keystone/fernet-keys state=directory 
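Review bot: `pacemaker default unmanaged` runs unconditionally while `pacemaker default managed` is still gated on `'eventlet' in keystone_deployment`, so on an httpd deployment a token-provider change leaves the cluster with `is-managed-default=false` after the play ends; the keystone-workers handlers in this same patch comment out that condition (with a note about OSP8 and below) for the same pair of commands. Either remove the `when:` on `pacemaker default managed` here too, or gate `pacemaker default unmanaged` on the same condition so both sides always match. Adding `ignore_errors: true` to `pacemaker cleanup keystone` is reasonable for a cleanup step, but it should not be extended to the re-manage handler, where a silent failure has the same cluster-wide effect.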
@@ -69,10 +72,12 @@ when: "'{{ token_provider }}' == 'fernet'" - name: Setup fernet keys + become: true command: keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone - when: ("'{{ token_provider }}' == 'fernet'") and (inventory_hostname == groups['controller'][0]) + when: ('{{ token_provider }}' == 'fernet') and (inventory_hostname == groups['controller'][0]) - name: Get fernet keys + become: true fetch: src=/etc/keystone/fernet-keys/{{ item }} dest=roles/keystone-token/files/{{ item }} flat=yes with_items: - 0 @@ -81,26 +86,31 @@ changed_when: false - name: Copy fernet keys + become: true copy: src={{ item }} dest=/etc/keystone/fernet-keys/{{ item }} with_items: - "0" - "1" - when: ("'{{ token_provider }}' == 'fernet'") and (inventory_hostname != groups['controller'][0]) + when: ('{{ token_provider }}' == 'fernet') and (inventory_hostname != groups['controller'][0]) - name: Copy keystone type enforcement file + become: true copy: src: my-keystone.te dest: /root/my-keystone.te when: "'{{ token_provider }}' == 'fernet'" - name: Create keystone.mod file + become: true command: checkmodule -M -m -o /root/my-keystone.mod /root/my-keystone.te when: "'{{ token_provider }}' == 'fernet'" - name: Create keystone.pp file + become: true command: semodule_package -o /root/my-keystone.pp -m /root/my-keystone.mod when: "'{{ token_provider }}' == 'fernet'" - name: Install keystone selinux policy + become: true shell: semodule -i /root/my-keystone.pp when: "'{{ token_provider }}' == 'fernet'" diff --git a/ansible/browbeat/roles/keystone-workers/files/keystone_httpd b/ansible/browbeat/roles/keystone-workers/files/keystone_httpd index 0c7018ff6..05683a91d 100644 --- a/ansible/browbeat/roles/keystone-workers/files/keystone_httpd +++ b/ansible/browbeat/roles/keystone-workers/files/keystone_httpd 
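Review bot: `Copy fernet keys` gains `become: true` but still sets no owner, group or mode, so the key files are created as root with whatever the default umask allows; add `owner=keystone group=keystone mode=0600` to the `copy:` line so the signing keys stay readable only by the keystone service. The preceding `Get fernet keys` task (previous hunk) fetches the same keys into `roles/keystone-token/files/` on the control host, i.e. inside the repository checkout, and nothing visible in the role removes them afterwards; fetching to a temporary directory and deleting it at the end of the role, or at minimum a `.gitignore` entry, would keep key material out of version control. `Install keystone selinux policy` uses `shell:` for a single argv with no shell features; `command:` does the same with less surface.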
@@ -14,12 +14,28 @@ import os +from oslo_log import log +from oslo_log import versionutils + +from keystone.i18n import _LW from keystone.server import wsgi as wsgi_server name = os.path.basename(__file__) +LOG = log.getLogger(__name__) + + +def deprecation_warning(): + versionutils.report_deprecated_feature( + LOG, + _LW('httpd/keystone.py is deprecated as of Mitaka' + ' in favor of keystone-wsgi-admin and keystone-wsgi-public' + ' and may be removed in O.') + ) # NOTE(ldbragst): 'application' is required in this context by WSGI spec. # The following is a reference to Python Paste Deploy documentation # http://pythonpaste.org/deploy/ -application = wsgi_server.initialize_application(name) +application = wsgi_server.initialize_application( + name, + post_log_configured_function=deprecation_warning) diff --git a/ansible/browbeat/roles/keystone-workers/handlers/main.yml b/ansible/browbeat/roles/keystone-workers/handlers/main.yml index 3667ccdad..b6a0fda0e 100644 --- a/ansible/browbeat/roles/keystone-workers/handlers/main.yml +++ b/ansible/browbeat/roles/keystone-workers/handlers/main.yml 
@@ -4,31 +4,39 @@ # - name: pacemaker unmanaged default + become: true command: pcs property set is-managed-default=false ignore_errors: true - name: stop keystone eventlet + become: true service: name=openstack-keystone state=stopped when: "'httpd' in '{{ keystone_deployment }}'" ignore_errors: true - name: restart httpd + become: true service: name=httpd state=restarted - name: restart keystone + become: true service: name=openstack-keystone state=restarted when: "'eventlet' in '{{ keystone_deployment }}'" - name: pacemaker managed default + become: true command: pcs property set is-managed-default=true - when: "'eventlet' in '{{ keystone_deployment }}'" + # OSP8 and below uncomment, so only pcs managed when keystone in eventlet + # when: "'eventlet' in '{{ keystone_deployment }}'" ignore_errors: true - name: cleanup keystone + become: true command: pcs resource cleanup openstack-keystone when: "'eventlet' in '{{ keystone_deployment }}'" ignore_errors: true - name: cleanup httpd + become: true command: pcs resource cleanup httpd ignore_errors: true diff --git a/ansible/browbeat/roles/keystone-workers/tasks/main.yml b/ansible/browbeat/roles/keystone-workers/tasks/main.yml index d0bc2c059..63b64f42f 100644 --- a/ansible/browbeat/roles/keystone-workers/tasks/main.yml +++ b/ansible/browbeat/roles/keystone-workers/tasks/main.yml @@ -21,11 +21,13 @@ when: keystone_deployment is undefined - name: Get keystone admin ip address + become: true command: crudini --get /etc/keystone/keystone.conf DEFAULT admin_bind_host register: admin_ip_addr changed_when: false - name: Get keystone public ip address + become: true command: crudini --get /etc/keystone/keystone.conf DEFAULT public_bind_host register: public_ip_addr changed_when: false 
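Review bot: Commenting out the `when:` on `pacemaker managed default` with a `# OSP8 and below uncomment` note turns a deployment difference into a manual source edit, and since `pacemaker unmanaged default` has no condition either way, whichever branch is wrong leaves `is-managed-default=false` cluster-wide, with `ignore_errors: true` hiding a failed restore. Drive it from a boolean instead, e.g. `when: "not (pcs_manage_eventlet_only | default(false)) or 'eventlet' in keystone_deployment"` (variable name is a placeholder to be chosen), and drop `ignore_errors` from the re-manage handler so a failure to restore management is visible in the play output. The handler names here (`pacemaker unmanaged default`, `pacemaker managed default`) differ from the keystone-token role's (`pacemaker default unmanaged`, `pacemaker default managed`) for identical commands; aligning them would make the notify lists easier to audit.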
@@ -35,13 +37,14 @@ # - name: Configure eventlet workers + become: true ini_file: dest: /etc/keystone/keystone.conf mode: 0640 section: "{{ item.section }}" option: "{{ item.option }}" value: "{{ item.value }}" - backup: yes + backup: true with_items: - { section: DEFAULT, option: public_workers, value: "{{ workers }}" } - { section: DEFAULT, option: admin_workers, value: "{{ workers }}" } @@ -56,6 +59,7 @@ - cleanup keystone - name: Unconfigure keystone in httpd if eventlet + become: true file: path: /etc/httpd/conf.d/10-keystone_wsgi_{{ item }}.conf state: absent @@ -68,6 +72,7 @@ - cleanup httpd - name: Create keystone in httpd wsgi directory + become: true file: path: /var/www/cgi-bin/keystone state: directory @@ -76,24 +81,29 @@ when: "'httpd' in '{{ keystone_deployment }}'" - name: Copy keystone in httpd files over + become: true copy: src: keystone_httpd dest: /var/www/cgi-bin/keystone/{{ item }} owner: keystone group: keystone mode: 0744 + backup: true with_items: - admin - main when: "'httpd' in '{{ keystone_deployment }}'" + ignore_errors: true - name: Configure httpd processes/threads + become: true template: - src=keystone_wsgi.conf.j2 - dest=/etc/httpd/conf.d/10-keystone_wsgi_{{ item.interface }}.conf - owner=root - group=root - mode=0644 + src: keystone_wsgi.conf.j2 + dest: /etc/httpd/conf.d/10-keystone_wsgi_{{ item.interface }}.conf + owner: root + group: root + mode: 0644 + backup: true with_items: - ip_address: "{{ admin_ip_addr.stdout }}" interface: "admin" 
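Review bot: `ignore_errors: true` added to `Copy keystone in httpd files over` means a failed copy of the WSGI entry scripts (wrong path, SELinux denial, full disk) no longer stops the play; the template, ports.conf and restart steps then run against a missing or stale `/var/www/cgi-bin/keystone/{admin,main}`, which is harder to diagnose than the original failure. Unless there is a known benign failure mode, remove it or replace it with a `failed_when:` naming the specific condition, and say in a comment why the task may fail. The copied `keystone_httpd` script now calls `initialize_application(name, post_log_configured_function=...)`, which appears together with the Mitaka deprecation text; if this role is also meant to run against OSP8 as the handlers comment suggests, confirm that keyword exists there, since the error would only surface when httpd starts.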
@@ -111,17 +121,33 @@ - stop keystone eventlet - restart httpd -- name: Configure/Unconfigure httpd ports.conf for keystone - template: - src=keystone_ports.conf.j2 - dest=/etc/httpd/conf/ports.conf - owner=root - group=root - mode=0644 +- name: Configure/Unconfigure httpd ports.conf for keystone (httpd) + become: true + lineinfile: + dest: /etc/httpd/conf/ports.conf + line: "Listen {{item}}" + backup: true with_items: - - admin_ip_address: "{{ admin_ip_addr.stdout }}" - public_ip_address: "{{ public_ip_addr.stdout }}" - deployment: "{{ keystone_deployment }}" + - "{{ public_ip_addr.stdout }}:5000" + - "{{ admin_ip_addr.stdout }}:35357" + when: "'httpd' in '{{ keystone_deployment }}'" + notify: + - pacemaker unmanaged default + - stop keystone eventlet + - restart keystone + - pacemaker managed default + - cleanup keystone + +- name: Configure/Unconfigure httpd ports.conf for keystone (eventlet) + become: true + lineinfile: + dest: /etc/httpd/conf/ports.conf + line: "Listen {{item}}" + state: absent + with_items: + - "{{ public_ip_addr.stdout }}:5000" + - "{{ admin_ip_addr.stdout }}:35357" + when: "'eventlet' in '{{ keystone_deployment }}'" notify: - pacemaker unmanaged default - stop keystone eventlet diff --git a/ansible/browbeat/roles/keystone-workers/templates/keystone_wsgi.conf.j2 b/ansible/browbeat/roles/keystone-workers/templates/keystone_wsgi.conf.j2 index f7267457c..c01a9a8e1 100644 --- a/ansible/browbeat/roles/keystone-workers/templates/keystone_wsgi.conf.j2 +++ b/ansible/browbeat/roles/keystone-workers/templates/keystone_wsgi.conf.j2 @@ -1,5 +1,5 @@ - ServerName keystone_wsgi_{{ item.interface }} + ServerName {{inventory_hostname}} ## Vhost docroot DocumentRoot "/var/www/cgi-bin/keystone" 
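Review bot: The httpd variant of `Configure/Unconfigure httpd ports.conf for keystone` notifies `restart keystone`, `pacemaker managed default` and `cleanup keystone` but not `restart httpd`, so a run in which only ports.conf changes (vhost templates already in place) adds `Listen` lines that httpd never picks up until something else restarts it. Add `- restart httpd` to that notify list; the `restart keystone` entry is harmless because its handler is gated on eventlet, but it is misleading for the httpd case. Both tasks build the `Listen` value from `admin_ip_addr.stdout` / `public_ip_addr.stdout`; if either `crudini --get` returns an empty string the result is `Listen :5000`, so a `fail` guard on empty stdout right after those `register` tasks (first hunk of this file) would catch it before httpd refuses to start.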
@@ -14,10 +14,11 @@ ## Logging ErrorLog "/var/log/httpd/keystone_wsgi_{{ item.interface }}_error.log" - LogLevel info ServerSignature Off CustomLog "/var/log/httpd/keystone_wsgi_{{ item.interface }}_access.log" combined + WSGIApplicationGroup %{GLOBAL} WSGIDaemonProcess keystone_{{ item.interface }} display-name=keystone-{{ item.interface }} group=keystone processes={{ item.processes }} threads={{ item.threads }} user=keystone WSGIProcessGroup keystone_{{ item.interface }} WSGIScriptAlias / "/var/www/cgi-bin/keystone/{{ item.interface }}" - \ No newline at end of file + WSGIPassAuthorization On + diff --git a/ansible/browbeat/roles/neutron-workers/handlers/main.yml b/ansible/browbeat/roles/neutron-workers/handlers/main.yml index 24354005b..c8ba618d0 100644 --- a/ansible/browbeat/roles/neutron-workers/handlers/main.yml +++ b/ansible/browbeat/roles/neutron-workers/handlers/main.yml @@ -4,6 +4,7 @@ # - name: unmanage neutron services + become: true command: pcs resource unmanage {{ item }} with_items: - neutron-server @@ -11,12 +12,14 @@ ignore_errors: true - name: restart neutron services + become: true service: name={{ item }} state=restarted with_items: - neutron-server - neutron-metadata-agent - name: manage neutron services + become: true command: pcs resource manage {{ item }} with_items: - neutron-server @@ -24,6 +27,7 @@ ignore_errors: true - name: cleanup neutron services + become: true command: pcs resource cleanup {{ item }} with_items: - neutron-server diff --git a/ansible/browbeat/roles/neutron-workers/tasks/main.yml b/ansible/browbeat/roles/neutron-workers/tasks/main.yml index 4e9a60c9b..4efc5ac50 100644 --- a/ansible/browbeat/roles/neutron-workers/tasks/main.yml +++ b/ansible/browbeat/roles/neutron-workers/tasks/main.yml @@ -5,6 +5,7 @@ # - name: Configure neutron.conf + become: true ini_file: dest: /etc/neutron/neutron.conf mode: 0640 
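Review bot: Dropping `LogLevel info` from the keystone vhost reverts it to httpd's global default, which reduces the per-vhost detail available when reviewing authentication traffic for this service; if that is intentional, state it in the commit message, otherwise keep the line. The new `WSGIPassAuthorization On` and `WSGIApplicationGroup %{GLOBAL}` are scoped to this vhost only, which is the right place for them, but a short `#` comment above each saying why keystone needs them would save the next maintainer from removing them.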
@@ -22,6 +23,7 @@ - cleanup neutron services - name: Configure metadata_agent.ini + become: true ini_file: dest: /etc/neutron/metadata_agent.ini mode: 0640 diff --git a/ansible/browbeat/roles/nova-workers/handlers/main.yml b/ansible/browbeat/roles/nova-workers/handlers/main.yml index 3cec085cb..308edbb1f 100644 --- a/ansible/browbeat/roles/nova-workers/handlers/main.yml +++ b/ansible/browbeat/roles/nova-workers/handlers/main.yml @@ -4,6 +4,7 @@ # - name: unmanage nova services + become: true command: pcs resource unmanage {{ item }} with_items: - openstack-nova-api @@ -12,6 +13,7 @@ ignore_errors: true - name: restart nova services + become: true service: name={{ item }} state=restarted with_items: - openstack-nova-api @@ -19,6 +21,7 @@ - openstack-nova-conductor - name: manage nova services + become: true command: pcs resource manage {{ item }} with_items: - openstack-nova-api @@ -27,6 +30,7 @@ ignore_errors: true - name: cleanup nova services + become: true command: pcs resource cleanup {{ item }} with_items: - openstack-nova-api diff --git a/ansible/browbeat/roles/nova-workers/tasks/main.yml b/ansible/browbeat/roles/nova-workers/tasks/main.yml index 77e969461..67fa81f66 100644 --- a/ansible/browbeat/roles/nova-workers/tasks/main.yml +++ b/ansible/browbeat/roles/nova-workers/tasks/main.yml @@ -5,6 +5,7 @@ # - name: Ensure nova.conf is properly configured + become: true ini_file: dest: /etc/nova/nova.conf mode: 0640