diff --git a/.gitreview b/.gitreview index e2d776a..2462699 100644 --- a/.gitreview +++ b/.gitreview @@ -2,4 +2,3 @@ host=review.openstack.org port=29418 project=openstack/ansible-role-qdrouterd.git -defaultbranch=master diff --git a/defaults/main.yml b/defaults/main.yml index 3ff7ecc..0f00f6a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -30,24 +30,25 @@ qdrouterd_log_file: "/var/log/qdrouterd/qdrouterd.log" qdrouterd_host_count: "{{ groups['qdrouterd_all'] | length}}" qdrouterd_mode: "{% if qdrouterd_host_count == '1' %}standalone{% else %}interior{% endif %}" qdrouterd_listener_addr: 0.0.0.0 -qdrouterd_listener_port: 31459 +qdrouterd_listener_port_ssl: 31459 +qdrouterd_listener_port_plain: 31460 qdrouterd_listener_auth_peer: "no" -qdrouterd_listener_sasl_mech: "ANONYMOUS" +qdrouterd_listener_sasl_mech: "ANONYMOUS PLAIN" qdrouterd_irl_addr: 0.0.0.0 -qdrouterd_irl_port: 31460 +qdrouterd_irl_port_ssl: 31461 +qdrouterd_irl_port_plain: 31462 qdrouterd_irl_auth_peer: "no" -qdrouterd_irl_sasl_mech: "ANONYMOUS" +qdrouterd_irl_sasl_mech: "ANONYMOUS PLAIN" qdrouterd_worker_threads: 4 qdrouterd_sasl_conf_path: "/etc/sasl2" qdrouterd_sasl_conf_file: "/etc/sasl2/qdrouterd.conf" qdrouterd_log_module: "DEFAULT" -qdrouterd_log_enable: "info+" +qdrouterd_log_enable: "trace+" # Qdrouterd SSL support -qdrouterd_require_ssl: "yes" -qdrouterd_ssl_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd.pem" -qdrouterd_ssl_key: "{{ qdrouterd_etc_conf_path }}/qdrouterd.key" -#qdrouterd_ssl_ca_cert: "{{ qdrouterd_etc_conf_path }}/qdrouterd-ca.pem" +qdrouterd_ssl_cert: "{{ qdrouterd_etc_conf_path }}/ssl/qdrouterd.pem" +qdrouterd_ssl_key: "{{ qdrouterd_etc_conf_path }}/ssl/qdrouterd.key" +#qdrouterd_ssl_ca_cert: "{{ qdrouterd_etc_conf_path }}/ssl/qdrouterd-ca.pem" # Set qdrouterd_ssl_sefl_signed_regen to true if you want to generate a new # SSL certificate for Qdrouterd when this playbook runs. You can also change diff --git a/meta/main.yml b/meta/main.yml index dd11f94..08c2bac 100644 
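Review bot: `qdrouterd_log_enable` moves from `"info+"` to `"trace+"` in the role defaults, which enables the most verbose router logging for every deployment that does not override it; trace output is high-volume and can carry per-connection protocol detail, including the SASL exchange on the listeners that now advertise PLAIN, into `/var/log/qdrouterd/qdrouterd.log`. Keep the shipped default at `qdrouterd_log_enable: "info+"` and raise it per deployment (or in tests/qdrouterd-overrides.yml) when debugging. Separately, with `qdrouterd_require_ssl` deleted there is no default left that lets a deployer switch the newly added `*_port_plain` endpoints off, so a TLS-only deployment has nothing to set in this file; a documented toggle for the plaintext listeners (name to be chosen) would restore that choice.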
--- a/meta/main.yml +++ b/meta/main.yml @@ -23,8 +23,8 @@ galaxy_info: - 7 - name: Ubuntu versions: - - trusty - xenial + - bionic categories: - messaging - cloud diff --git a/tasks/main.yml b/tasks/main.yml index 5c7042c..26849ea 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -24,10 +24,9 @@ tags: - always -- include: qdrouterd_pre_install.yml +- import_tasks: qdrouterd_pre_install.yml -- include: qdrouterd_install.yml - static: no +- import_tasks: qdrouterd_install.yml # Qdrouterd SSL/TLS listener configuration # @@ -39,18 +38,17 @@ # # playbooks/roles/qdrouterd/defaults/main.yml # -- include: qdrouterd_ssl_self_signed.yml - static: no +- include_tasks: qdrouterd_ssl_self_signed.yml when: > qdrouterd_user_ssl_cert is not defined or qdrouterd_user_ssl_key is not defined tags: - qdrouterd-config -- include: qdrouterd_ssl_user_provided.yml +- import_tasks: qdrouterd_ssl_user_provided.yml tags: - qdrouterd-config -- include: qdrouterd_post_install.yml - - +- import_tasks: qdrouterd_post_install.yml + tags: + - qdrouterd-config diff --git a/tasks/qdrouterd_install.yml b/tasks/qdrouterd_install.yml index 3011c30..2a9a44b 100644 --- a/tasks/qdrouterd_install.yml +++ b/tasks/qdrouterd_install.yml @@ -13,22 +13,18 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include: "qdrouterd_install_{{ ansible_pkg_mgr }}.yml" +- include_tasks: "qdrouterd_install_{{ ansible_pkg_mgr }}.yml" tags: - - qdrouterd-apt-packages - - qdrouterd-yum-packages - qdrouterd_server-install - name: Reload the systemd daemon systemd: daemon_reload: yes when: - - install_qdrouterd is changed + - install_qdrouterd is changed tags: - - qdrouterd-apt-packages - - qdrouterd-yum-packages - qdrouterd_server-install -- include: qdrouterd_started.yml +- import_tasks: qdrouterd_started.yml tags: - qdrouterd_server-config diff --git a/tasks/qdrouterd_install_apt.yml b/tasks/qdrouterd_install_apt.yml index 009dd23..57c3327 100644 
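Review bot: `include_tasks: qdrouterd_ssl_self_signed.yml` in the second tasks/main.yml hunk keeps `tags: - qdrouterd-config`, but on a dynamic include the tag applies to the include statement only and is not inherited by the tasks in the included file (the old `include` propagated it), so a run limited with `--tags qdrouterd-config` enters the include and then skips every untagged task inside it. Either make it `import_tasks: qdrouterd_ssl_self_signed.yml` like its siblings in this hunk — the `when:` is then applied to each imported task, which still works for the `is not defined` test used here — or tag the tasks inside qdrouterd_ssl_self_signed.yml (on Ansible 2.7+ an `apply:` block with the tag also works). The `include_tasks: "qdrouterd_install_{{ ansible_pkg_mgr }}.yml"` in the tasks/qdrouterd_install.yml hunk on this same line has the same gap; it has to stay dynamic because of the templated filename, so the tasks in the per-package-manager files need the `qdrouterd_server-install` tag themselves.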
--- a/tasks/qdrouterd_install_apt.yml +++ b/tasks/qdrouterd_install_apt.yml @@ -25,7 +25,7 @@ apt_repository: repo: "{{ qdrouterd_ppa_repo }}" update_cache: True - codename: xenial + codename: "{{ ansible_distribution_release }}" state: present tags: - qdrouterd-rep diff --git a/tasks/qdrouterd_post_install.yml b/tasks/qdrouterd_post_install.yml index cdda0f7..8fc6e36 100644 --- a/tasks/qdrouterd_post_install.yml +++ b/tasks/qdrouterd_post_install.yml @@ -26,13 +26,11 @@ tags: - qdrouterd-config -- name: Create the log directory +- name: Create the lib directory file: path: "/var/lib/qdrouterd/" state: "directory" - group: "qdrouterd" - owner: "qdrouterd" - recurse: true + mode: "0755" tags: - qdrouterd-config @@ -46,6 +44,5 @@ tags: - qdrouterd-config -- include: qdrouterd_restart.yml - static: no +- include_tasks: qdrouterd_restart.yml when: qdrouterd_config_changed is changed diff --git a/tasks/qdrouterd_restart.yml b/tasks/qdrouterd_restart.yml index a14733b..6b2224c 100644 --- a/tasks/qdrouterd_restart.yml +++ b/tasks/qdrouterd_restart.yml @@ -13,7 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include: qdrouterd_stopped.yml -- include: qdrouterd_started.yml - - +- import_tasks: qdrouterd_stopped.yml +- import_tasks: qdrouterd_started.yml diff --git a/tasks/qdrouterd_ssl_self_signed.yml b/tasks/qdrouterd_ssl_self_signed.yml index b9d1294..bd46a07 100644 --- a/tasks/qdrouterd_ssl_self_signed.yml +++ b/tasks/qdrouterd_ssl_self_signed.yml 
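Review bot: The "Create the lib directory" task in the first tasks/qdrouterd_post_install.yml hunk drops `owner`/`group` and creates `/var/lib/qdrouterd/` with `mode: "0755"`, so the directory is now owned by whatever user the play runs as (presumably root) and is world-traversable, while the functional test in this same change places the SASL password database at `/var/lib/qdrouterd/qdrouterd.sasldb`. If the router runs as the `qdrouterd` user (its run user is not visible in this diff), it may no longer be able to write there, and anything readable in that directory is exposed to every local account. Keep `owner: "qdrouterd"` and `group: "qdrouterd"` and tighten to `mode: "0750"` unless something outside the service needs to traverse it; dropping `recurse: true` is fine.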
@@ -15,11 +15,11 @@ # We create the self-signed SSL certificate and key only on the first # Qdrouterd container. -- include: qdrouterd_ssl_key_create.yml +- include_tasks: qdrouterd_ssl_key_create.yml when: inventory_hostname == groups[qdrouterd_host_group][0] -- include: qdrouterd_ssl_key_store.yml +- include_tasks: qdrouterd_ssl_key_store.yml when: inventory_hostname == groups[qdrouterd_host_group][0] -- include: qdrouterd_ssl_key_distribute.yml +- include_tasks: qdrouterd_ssl_key_distribute.yml when: inventory_hostname != groups[qdrouterd_host_group][0] diff --git a/templates/qdrouterd.conf.j2 b/templates/qdrouterd.conf.j2 index 590f6d9..76ab3c3 100644 --- a/templates/qdrouterd.conf.j2 +++ b/templates/qdrouterd.conf.j2 @@ -7,7 +7,6 @@ router { saslConfigName: {{ qdrouterd_service_name }} } -{% if qdrouterd_require_ssl == 'yes' %} sslProfile { name: {{ ansible_hostname }} {% if qdrouterd_ssl_ca_cert is defined %} @@ -16,15 +15,20 @@ sslProfile { certFile: {{ qdrouterd_ssl_cert }} keyFile: {{ qdrouterd_ssl_key }} } -{% endif %} listener { host: {{ qdrouterd_listener_addr }} - port: {{ qdrouterd_listener_port }} + port: {{ qdrouterd_listener_port_ssl }} role: normal -{% if qdrouterd_require_ssl == 'yes' %} sslProfile: {{ ansible_hostname }} -{% endif %} + authenticatePeer: {{ qdrouterd_listener_auth_peer }} + saslMechanisms: {{ qdrouterd_listener_sasl_mech }} +} + +listener { + host: {{ qdrouterd_listener_addr }} + port: {{ qdrouterd_listener_port_plain }} + role: normal authenticatePeer: {{ qdrouterd_listener_auth_peer }} saslMechanisms: {{ qdrouterd_listener_sasl_mech }} } 
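Review bot: The second `listener` block added in the `@@ -16,15 +15,20 @@` hunk serves `qdrouterd_listener_port_plain` with no `sslProfile` but the same `saslMechanisms: {{ qdrouterd_listener_sasl_mech }}`, which now defaults to `ANONYMOUS PLAIN`, so PLAIN credentials and all message traffic on that port cross the network unencrypted, bound to 0.0.0.0 by default. The TLS listener above it also leaves qdrouterd's `requireSsl` attribute unset, which defaults to false, so port 31459 accepts non-TLS clients as well; add `requireSsl: yes` there so the "ssl" port really is TLS-only. For the plaintext listener, do not offer PLAIN at all (a separate mechanism variable with just `ANONYMOUS`, or an explicit `requireEncryption: yes`) or restrict it to loopback, and consider gating the whole block behind a deployer toggle since the `qdrouterd_require_ssl` switch is removed. The inter-router listeners in the `@@ -32,11 +36,17 @@` hunk repeat the same pattern.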
@@ -32,11 +36,17 @@ listener { {% if qdrouterd_host_count > '1' %} listener { host: {{ qdrouterd_irl_addr }} - port: {{ qdrouterd_irl_port }} + port: {{ qdrouterd_irl_port_ssl }} role: inter-router -{% if qdrouterd_require_ssl == 'yes' %} sslProfile: {{ ansible_hostname }} -{% endif %} + authenticatePeer: {{ qdrouterd_irl_auth_peer }} + saslMechanisms: {{ qdrouterd_irl_sasl_mech }} +} + +listener { + host: {{ qdrouterd_irl_addr }} + port: {{ qdrouterd_irl_port_plain }} + role: inter-router authenticatePeer: {{ qdrouterd_irl_auth_peer }} saslMechanisms: {{ qdrouterd_irl_sasl_mech }} } @@ -47,7 +57,7 @@ listener { connector { host: {{ hostvars[router]['ansible_eth0']['ipv4']['address'] }} role: inter-router - port: {{ qdrouterd_irl_port }} + port: {{ qdrouterd_irl_port_plain }} } {% endif %} {% endfor %} diff --git a/tests/qdrouterd-overrides.yml b/tests/qdrouterd-overrides.yml index 38ece51..1d8bde8 100644 --- a/tests/qdrouterd-overrides.yml +++ b/tests/qdrouterd-overrides.yml @@ -16,6 +16,7 @@ qdrouterd_ssl_cert: /etc/qpid-dispatch/ssl/qdrouterd.pem qdrouterd_ssl_key: /etc/qpid-dispatch/ssl/qdrouterd.key qdrouterd_worker_threads: 2 -qdrouterd_require_ssl: no -qdrouterd_listener_port: 31459 -qdrouterd_irl_port: 31460 +qdrouterd_listener_port_ssl: 31459 +qdrouterd_listener_port_plain: 31460 +qdrouterd_irl_port_ssl: 31461 +qdrouterd_irl_port_plain: 31462 diff --git a/tests/test-qdrouterd-functional.yml b/tests/test-qdrouterd-functional.yml index d5f081d..aac8195 100644 --- a/tests/test-qdrouterd-functional.yml +++ b/tests/test-qdrouterd-functional.yml 
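Review bot: The `connector` in the `@@ -47,7 +57,7 @@` hunk now dials `qdrouterd_irl_port_plain`, so every inter-router link in the mesh is deliberately set up over the plaintext inter-router listener and the TLS listener on `qdrouterd_irl_port_ssl` is never used for mesh traffic; the connector block carries no `sslProfile`, which is presumably why the plain port was chosen. If encrypted mesh links are intended, the connector should use `port: {{ qdrouterd_irl_port_ssl }}` together with an `sslProfile:` whose profile has a `caCertFile` that trusts the peer's certificate (the role distributes one self-signed cert to all nodes, so the cert itself could serve as the trust anchor — confirm against the key-distribute tasks, which are outside this diff). Note also that with `qdrouterd_irl_auth_peer` defaulting to `"no"` and the listener on 0.0.0.0, the plain inter-router listener accepts unauthenticated router connections from any reachable host, so at minimum it should be restricted to the mesh's network.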
@@ -65,26 +65,59 @@ that: - "'workerThreads' in qdrouterd_config_contents" - - name: Get general statistics of qdrouterd + - name: Get general statistics of qdrouterd plain + command: "qdstat -g -b 0.0.0.0:31460" + register: qdrouterd_statistics_plain + changed_when: false + + - name: Print qdrouterd_statistics plain + debug: + var: qdrouterd_statistics_plain + + - name: Get qdrouterd node view using plain + command: "qdstat -nv -b 0.0.0.0:31460" + register: qdrouterd_nv_plain + changed_when: false + + - name: Print qdrouterd_nv using plain + debug: + var: qdrouterd_nv_plain + + - name: Get general statistics of qdrouterd using ssl command: "qdstat -g -b 0.0.0.0:31459" - register: qdrouterd_statistics + register: qdrouterd_statistics_ssl changed_when: false - - name: Print qdrouterd_statistics + - name: Print qdrouterd_statistics using ssl debug: - var: qdrouterd_statistics + var: qdrouterd_statistics_ssl - - name: Get qdrouterd node view + - name: Get qdrouterd node view using ssl command: "qdstat -nv -b 0.0.0.0:31459" - register: qdrouterd_nv + register: qdrouterd_nv_ssl changed_when: false - - name: Print qdrouterd_nv + - name: Print qdrouterd_nv using ssl debug: - var: qdrouterd_nv + var: qdrouterd_nv_ssl - name: Ensure SSL cert/key checksums are identical across the mesh assert: that: - hostvars['container1']['qdrouterd_ssl_cert_checksum'] == hostvars['container2']['qdrouterd_ssl_cert_checksum'] == hostvars['container3']['qdrouterd_ssl_cert_checksum'] - hostvars['container1']['qdrouterd_ssl_key_checksum'] == hostvars['container2']['qdrouterd_ssl_key_checksum'] == hostvars['container3']['qdrouterd_ssl_key_checksum'] + + - name: Create a sasl user + shell: "echo secret | saslpasswd2 -c -p -f /var/lib/qdrouterd/qdrouterd.sasldb -u QPID myguest" + args: + creates: /var/lib/qdrouterd/qdrouterd.sasldb + + - name: Get sasl user list + command: "sasldblistusers2 -f /var/lib/qdrouterd/qdrouterd.sasldb" + register: sasl_list + changed_when: false + + - name: Check for 
user in sasl list + assert: + that: + - "'myguest@QPID:' in sasl_list.stdout" diff --git a/tests/test.yml b/tests/test.yml index 273ff88..a295f2f 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -14,10 +14,10 @@ # limitations under the License. # Setup the host -- include: common/test-setup-host.yml +- import_playbook: common/test-setup-host.yml -# Install previous version qdrouterd server -- include: test-install-qdrouterd.yml +# Install Qdrouterd server +- import_playbook: test-install-qdrouterd.yml # Run functional tests -- include: test-qdrouterd-functional.yml +- import_playbook: test-qdrouterd-functional.yml diff --git a/vars/redhat.yml b/vars/redhat.yml index 96b4bf2..c643183 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -14,9 +14,11 @@ # limitations under the License. qdrouterd_distro_packages: + - openssl - python-qpid-proton - cyrus-sasl-lib - cyrus-sasl-plain + - cyrus-sasl-md5 - qpid-dispatch-router - qpid-dispatch-tools diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml index 615560d..5808e76 100644 --- a/zuul.d/project.yaml +++ b/zuul.d/project.yaml @@ -20,15 +20,15 @@ check: jobs: - openstack-ansible-linters - - openstack-ansible-functional-centos-7: - voting: false + - openstack-ansible-functional-centos-7 - openstack-ansible-functional-opensuse-423: voting: false - - openstack-ansible-functional-ubuntu-xenial: - voting: false + - openstack-ansible-functional-ubuntu-bionic experimental: jobs: - openstack-ansible-integrated-deploy-aio gate: jobs: - openstack-ansible-linters + - openstack-ansible-functional-centos-7 + - openstack-ansible-functional-ubuntu-bionic
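Review bot: The "using ssl" qdstat tasks connect to `0.0.0.0:31459` with no TLS options, so they do not demonstrate that the TLS listener works — they demonstrate that the port accepts a plaintext client, which, given qdrouterd's `requireSsl` default of false, is the very condition a hardened configuration should reject. To exercise TLS, point qdstat at an `amqps://` URL and pass `--ssl-trustfile` with the deployed certificate (`qdrouterd_ssl_cert` from tests/qdrouterd-overrides.yml), and expect the plaintext form of the same call to fail once `requireSsl: yes` is set on the listener. The new sasl-user steps create `myguest` in the sasldb but never authenticate through the router with it, so PLAIN authentication on either listener is also not under test; if your qdstat version supports `--sasl-username`/`--sasl-password`, a login check against the TLS port would cover it.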