diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 2c82cb967..abd6a7c66 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -229,9 +229,6 @@ inspector_manage_firewall: false #inspector_log_dir: inspector_ramdisk_logs_local_path: /var/log/ironic-inspector/ramdisk -# Set nginx_log_dir to use a non-default log directory for nginx. -nginx_log_dir: /var/log/nginx - inspector_store_ramdisk_logs: true # Note: inspector_port_addition has three valid values: all, active, pxe inspector_port_addition: "pxe" diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml index 3a1b20589..e1f067d2f 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml @@ -3,7 +3,6 @@ init_dest_dir: /lib/systemd/system/ ipxe_dir: /usr/lib/ipxe/ ipxe_full_binary: ipxe.pxe ironic_rootwrap_dir: /usr/local/bin/ -nginx_user: www-data mysql_service_name: mysql tftp_service_name: tftpd-hpa efi_distro: debian @@ -22,7 +21,6 @@ required_packages: - parted - ipmitool - psmisc - - nginx - wget - genisoimage - kpartx diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml index 9e79856da..d790c1b74 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml 
@@ -3,7 +3,6 @@ init_dest_dir: /usr/lib/systemd/system/ ipxe_dir: /usr/share/ipxe/ ipxe_full_binary: ipxe.lkrn ironic_rootwrap_dir: /usr/bin/ -nginx_user: nginx mysql_service_name: mariadb tftp_service_name: tftp efi_distro: fedora @@ -22,7 +21,6 @@ required_packages: - libxml2-devel - libxslt-devel - mariadb-server - - nginx - openssl-devel - parted - policycoreutils-python-utils diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml index e003126e4..539719423 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml @@ -4,7 +4,6 @@ ipxe_dir: /usr/share/ipxe/ ipxe_full_binary: ipxe.lkrn ipxe_efi_binary: ipxe-x86_64.efi ironic_rootwrap_dir: /usr/bin/ -nginx_user: nginx mysql_service_name: mariadb tftp_service_name: tftp shim_efi_binary: /boot/efi/EFI/BOOT/BOOTX64.EFI @@ -22,7 +21,6 @@ required_packages: - parted - ipmitool - psmisc - - nginx - wget - genisoimage - kpartx diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml index 8108266fb..e0523f533 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml @@ -4,7 +4,6 @@ ipxe_dir: /usr/share/ipxe ipxe_full_binary: ipxe.lkrn ipxe_efi_binary: ipxe-x86_64.efi ironic_rootwrap_dir: /usr/bin/ -nginx_user: nginx mysql_service_name: mysql tftp_service_name: tftp # FIXME(dtantsur): this may be incorrect, but I cannot figure out the correct @@ -27,7 +26,6 @@ required_packages: - parted - ipmitool - psmisc - - nginx - wget - mkisofs - kpartx 
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml index 380d60f04..7fcbcd467 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml @@ -17,7 +17,6 @@ required_packages: - iptables - bsdmainutils - psmisc - - nginx - wget - genisoimage - kpartx diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml index 74ad8d476..76157022c 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml @@ -219,18 +219,6 @@ register: ironic_install_prefix environment: "{{ bifrost_venv_env }}" -- name: "Set permissions for /var/lib/ironic for the ironic user" - file: - path: "{{ item }}" - state: directory - mode: 0750 - owner: "ironic" - group: "{{ nginx_user }}" - loop: - - "/var/lib/ironic" - - "/var/lib/ironic/master_images" - - "/var/lib/ironic/images" - - name: "Place ironic services" template: src: systemd_template.j2 @@ -343,8 +331,6 @@ - include_dhcp_server | bool - test_libvirt_dnsmasq.stat.exists - testing | bool -- name: "Deploy nginx configuration file for serving HTTP requests" - template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf - name: "Download Ironic Python Agent kernel & image" include: download_ipa_image.yml when: 
@@ -371,6 +357,31 @@ mode: 0644 when: use_cirros | bool +- name: "Bootstrap Nginx" + import_role: + name: bifrost-nginx-install + tasks_from: bootstrap + +- name: "Place nginx configuration for ironic" + template: + src: nginx_conf.d_bifrost-httpboot.conf.j2 + dest: /etc/nginx/conf.d/bifrost-httpboot.conf + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" + mode: 0755 + +- name: "Set permissions for /var/lib/ironic for the ironic user" + file: + path: "{{ item }}" + state: directory + mode: 0750 + owner: "ironic" + group: "{{ nginx_user }}" + loop: + - "/var/lib/ironic" + - "/var/lib/ironic/master_images" + - "/var/lib/ironic/images" + - name: > "Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned and TCP/6385 for IPA callback" diff --git a/playbooks/roles/bifrost-ironic-install/tasks/install.yml b/playbooks/roles/bifrost-ironic-install/tasks/install.yml index c66b29ccc..6eaf3dceb 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/install.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/install.yml @@ -22,6 +22,11 @@ name: "{{ required_packages }}" state: present +- name: "Install Nginx" + import_role: + name: bifrost-nginx-install + tasks_from: install + # NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer # and it should already be created by the Ansible setup, we will leave this # here for the time being. diff --git a/playbooks/roles/bifrost-ironic-install/tasks/start.yml b/playbooks/roles/bifrost-ironic-install/tasks/start.yml index 402af51ca..e29ec376f 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/start.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/start.yml 
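Review bot: The new "Place nginx configuration for ironic" task installs `/etc/nginx/conf.d/bifrost-httpboot.conf` owned by `{{ nginx_user }}` with `mode: 0755`, so the account named in nginx.conf's `user` directive can rewrite a file that nginx parses again on the next restart, and a plain configuration file carries execute bits. I would use `owner: root`, `group: root` and `mode: "0644"`. Quoting the mode keeps it a string instead of relying on the YAML parser's octal handling. The same unquoted form, `mode: 0750`, appears in the "Set permissions for /var/lib/ironic" task that this hunk moves below it.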
@@ -42,9 +42,6 @@ - name: "Start ironic-api" service: name=ironic-api state=restarted -- name: "Ensure nginx is running with current config" - service: name=nginx state=restarted enabled=yes - - name: "Start ironic-prometheus-exporter" include: prometheus_exporter_start.yml when: enable_prometheus_exporter | bool and not skip_start | bool @@ -60,9 +57,11 @@ - dnsmasq when: include_dhcp_server | bool -- name: "Send nginx a reload signal" - service: name=nginx state=reloaded - - name: "Send dnsmasq a force-reload signal" service: name=dnsmasq state=restarted when: include_dhcp_server | bool + +- name: "Start nginx" + import_role: + name: bifrost-nginx-install + tasks_from: start diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 new file mode 100644 index 000000000..e88749289 --- /dev/null +++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2 @@ -0,0 +1,8 @@ +server { + listen {{ file_url_port }}; + server_name {{ ansible_hostname }}; + root {{ http_boot_folder }}; + location {{ http_boot_folder }}/ { + alias {{ http_boot_folder }}/; + } +} diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml index 7751a4114..d3472155a 100644 --- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml @@ -1,6 +1,5 @@ --- init_dest_dir: /lib/systemd/system/ -nginx_user: www-data mysql_service_name: mysql required_packages: - mariadb-server @@ -11,4 +10,3 @@ required_packages: - libxslt1-dev - libssl-dev - libxml2-dev - - nginx 
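Review bot: The new `nginx_conf.d_bifrost-httpboot.conf.j2` template has no header comment, although this commit adds `# {{ ansible_managed }}` to the shared nginx.conf.j2. I would start this file with the same line so an operator who finds it in conf.d knows it is generated. The server block sets no `allow`/`deny` rules and no authentication, so everything under `{{ http_boot_folder }}` is readable by any host that can reach `{{ file_url_port }}`. A one-line comment saying the directory must hold only material that is safe to serve unauthenticated would make that explicit. The block is moved unchanged from the old nginx.conf.j2, so this is a documentation request, not a behaviour change.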
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml index f36529b03..746186444 100644 --- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml @@ -1,6 +1,5 @@ --- init_dest_dir: /usr/lib/systemd/system/ -nginx_user: nginx virt_group: libvirt mysql_service_name: mariadb required_packages: @@ -14,4 +13,3 @@ required_packages: - libxslt-devel - openssl-devel - libxml2-devel - - nginx diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml index 06f7bc787..d3373088c 100644 --- a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml @@ -12,4 +12,3 @@ required_packages: - libxslt-devel - libopenssl-devel - libxml2-devel - - nginx diff --git a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml index 4f9d6ca61..6d905f2fd 100644 --- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml +++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml @@ -88,6 +88,11 @@ login_password: "{{ mysql_password | default(None) }}" when: keystone.database.host == 'localhost' +- name: "Bootstrap Nginx" + import_role: + name: bifrost-nginx-install + tasks_from: bootstrap + - name: "Generate TLS parameters" include_role: name: bifrost-tls 
@@ -271,16 +276,6 @@ dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini" state: link -- name: "Place nginx core configuration" - # TODO(TheJulia): Refactor this out so we don't have anything related to - # bifrost it's self in the main config file. - template: - src: nginx.conf.j2 - dest: /etc/nginx/nginx.conf - owner: "{{ nginx_user }}" - group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. - mode: 0755 - - name: "Place nginx configuration for keystone" # TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's # handling of co-existence needs to be cleaned up first. diff --git a/playbooks/roles/bifrost-keystone-install/tasks/install.yml b/playbooks/roles/bifrost-keystone-install/tasks/install.yml index 988e8693a..5f0be0c2f 100644 --- a/playbooks/roles/bifrost-keystone-install/tasks/install.yml +++ b/playbooks/roles/bifrost-keystone-install/tasks/install.yml @@ -16,6 +16,11 @@ name: "{{ required_packages }}" state: present +- name: "Install Nginx" + import_role: + name: bifrost-nginx-install + tasks_from: install + # NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer # and it should already be created by the Ansible setup, we will leave this # here for the time being. diff --git a/playbooks/roles/bifrost-keystone-install/tasks/start.yml b/playbooks/roles/bifrost-keystone-install/tasks/start.yml index 76de57189..0cc20e584 100644 --- a/playbooks/roles/bifrost-keystone-install/tasks/start.yml +++ b/playbooks/roles/bifrost-keystone-install/tasks/start.yml @@ -15,8 +15,10 @@ systemd: daemon_reload: yes -- name: "Ensure services are running with current config" - service: name={{ item }} state=restarted enabled=yes - loop: - - nginx - - uwsgi +- name: "Start Nginx" + import_role: + name: bifrost-nginx-install + tasks_from: start + +- name: "Ensure uwsgi is running with current config" + service: name=uwsgi state=restarted enabled=yes 
diff --git a/playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2 deleted file mode 100644 index d80f6fa69..000000000 --- a/playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2 +++ /dev/null @@ -1,52 +0,0 @@ -# {{ ansible_managed }} -user {{ nginx_user }}; -worker_processes 2; -pid /run/nginx.pid; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - - server { - listen {{ file_url_port }}; - server_name {{ ansible_hostname }}; - root {{ http_boot_folder }}; - location {{ http_boot_folder }}/ { - alias {{ http_boot_folder }}/; - } - } - include /etc/nginx/conf.d/bifrost*.conf; -} diff --git a/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 index d736131f6..808a8dd51 100644 --- a/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 +++ b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 @@ -7,8 +7,8 @@ server { {% else %} listen 5000; {% endif %} - access_log /var/log/nginx/keystone/access.log; - error_log /var/log/nginx/keystone/error.log; + access_log {{ nginx_log_dir }}/keystone/access.log; + error_log {{ nginx_log_dir }}/keystone/error.log; location / { uwsgi_pass unix:///run/uwsgi/keystone-public.socket; include uwsgi_params; 
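Review bot: `{{ nginx_log_dir }}` is used in this server block, and again in the second server block in the next hunk, but the commit removes its definition from the bifrost-ironic-install defaults and defines it only in the bifrost-nginx-install defaults. The keystone template therefore depends on the `import_role` calls exposing that role's defaults to the keystone role. The task that creates the `keystone` log subdirectory is not part of this diff. If it still uses a literal `/var/log/nginx/keystone`, overriding `nginx_log_dir` would point nginx at a directory that does not exist and the restart would fail. It is worth confirming that task uses `path: "{{ nginx_log_dir }}/keystone"`.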
@@ -23,8 +23,8 @@ server { {% else %} listen 35357; {% endif %} - access_log /var/log/nginx/keystone/access.log; - error_log /var/log/nginx/keystone/error.log; + access_log {{ nginx_log_dir }}/keystone/access.log; + error_log {{ nginx_log_dir }}/keystone/error.log; location / { uwsgi_pass unix:///run/uwsgi/keystone-admin.socket; include uwsgi_params; diff --git a/playbooks/roles/bifrost-nginx-install/defaults/main.yml b/playbooks/roles/bifrost-nginx-install/defaults/main.yml new file mode 100644 index 000000000..287e22b7e --- /dev/null +++ b/playbooks/roles/bifrost-nginx-install/defaults/main.yml @@ -0,0 +1,17 @@ +--- +# If testing is true, then the environment is setup for using libvirt +# virtual machines for the hardware instead of real hardware. +testing: false + +# set to true to skip installation completely +skip_install: False +# set to true to skip installing dependencies +skip_package_install: False +# set to true to skip generation of configs and database configuration +skip_bootstrap: False +# set to true to skip starting services +skip_start: False + +nginx_user: "{{ 'www-data' if ansible_os_family == 'Debian' else 'nginx' }}" +# Set nginx_log_dir to use a non-default log directory for nginx. +nginx_log_dir: /var/log/nginx diff --git a/playbooks/roles/bifrost-nginx-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-nginx-install/tasks/bootstrap.yml new file mode 100644 index 000000000..59e5b96a4 --- /dev/null +++ b/playbooks/roles/bifrost-nginx-install/tasks/bootstrap.yml 
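Review bot: `testing` and `skip_install` are declared in the new bifrost-nginx-install defaults, but the role's tasks/main.yml added in this commit reads only `skip_package_install`, `skip_bootstrap` and `skip_start`. Unless something outside this diff uses them, they can be dropped, or `skip_install` should actually gate the role. The booleans mix `false` and `False`; writing `skip_install: false` and so on keeps the file consistent and passes the yamllint truthy check. `nginx_user` is now derived from `ansible_os_family`, which needs gathered facts, so a comment above it such as `# Requires gathered facts (ansible_os_family).` would help anyone running the role with fact gathering disabled.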
@@ -0,0 +1,17 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Deploy nginx configuration file for serving HTTP requests" + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf diff --git a/playbooks/roles/bifrost-nginx-install/tasks/install.yml b/playbooks/roles/bifrost-nginx-install/tasks/install.yml new file mode 100644 index 000000000..b07e94752 --- /dev/null +++ b/playbooks/roles/bifrost-nginx-install/tasks/install.yml @@ -0,0 +1,22 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Update Package Cache" + apt: + update_cache: yes + when: ansible_os_family == 'Debian' + +- name: "Install Nginx" + package: + name: nginx + state: present diff --git a/playbooks/roles/bifrost-nginx-install/tasks/main.yml b/playbooks/roles/bifrost-nginx-install/tasks/main.yml new file mode 100644 index 000000000..b8f80096c --- /dev/null +++ b/playbooks/roles/bifrost-nginx-install/tasks/main.yml 
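Review bot: The "Deploy nginx configuration file for serving HTTP requests" task in the new tasks/bootstrap.yml writes `/etc/nginx/nginx.conf` without `owner`, `group` or `mode`. On a fresh file the result depends on the umask, and on an existing file the previous ownership and mode are kept. The keystone task this replaces set them explicitly, to `{{ nginx_user }}` and `0755`. I would pin them as `owner: root`, `group: root` and `mode: "0644"`, so the worker account cannot edit the main configuration and the file is not executable.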
@@ -0,0 +1,24 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Install Nginx" + include: install.yml + when: not skip_package_install | bool + +- name: "Bootstrap Nginx" + include: bootstrap.yml + when: not skip_bootstrap | bool + +- name: "Start Nginx" + include: start.yml + when: not skip_start | bool diff --git a/playbooks/roles/bifrost-nginx-install/tasks/start.yml b/playbooks/roles/bifrost-nginx-install/tasks/start.yml new file mode 100644 index 000000000..895a8ac65 --- /dev/null +++ b/playbooks/roles/bifrost-nginx-install/tasks/start.yml @@ -0,0 +1,18 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Ensure nginx is running with current config" + service: + name: nginx + state: restarted + enabled: yes 
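Review bot: The `when: not skip_... | bool` guards in tasks/main.yml are bypassed by every caller visible in this commit, because bifrost-ironic-install and bifrost-keystone-install use `import_role` with `tasks_from: install`, `bootstrap` or `start` and never go through this file. Whether the nginx steps are skipped then depends on conditions in the calling roles, which are outside this diff. A comment at the top of the file, for example `# Only used when the role runs directly; tasks_from callers must apply their own skip_* conditions.`, would make that contract visible.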
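Review bot: The restart in tasks/start.yml runs without checking the configuration first. nginx.conf now pulls in `conf.d/bifrost*.conf` snippets written by separate roles, so one malformed snippet stops the server for both the keystone endpoints and the boot file server. A preceding task named `"Validate nginx configuration"` with `command: nginx -t` and `changed_when: false` would fail the play before the service is touched. `enabled: yes` would also be clearer as `enabled: true`.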
diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2 b/playbooks/roles/bifrost-nginx-install/templates/nginx.conf.j2 similarity index 76% rename from playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2 rename to playbooks/roles/bifrost-nginx-install/templates/nginx.conf.j2 index 4dbae51f2..5a80b2832 100644 --- a/playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2 +++ b/playbooks/roles/bifrost-nginx-install/templates/nginx.conf.j2 @@ -1,3 +1,4 @@ +# {{ ansible_managed }} user {{ nginx_user }}; worker_processes 2; pid /run/nginx.pid; @@ -38,14 +39,5 @@ http { ## gzip on; - - server { - listen {{ file_url_port }}; - server_name {{ ansible_hostname }}; - root {{ http_boot_folder }}; - location {{ http_boot_folder }}/ { - alias {{ http_boot_folder }}/; - } - } include /etc/nginx/conf.d/bifrost*.conf; } diff --git a/releasenotes/notes/bifrost-nginx-install-8a824b4be58201c7.yaml b/releasenotes/notes/bifrost-nginx-install-8a824b4be58201c7.yaml new file mode 100644 index 000000000..dfbd6f9f6 --- /dev/null +++ b/releasenotes/notes/bifrost-nginx-install-8a824b4be58201c7.yaml @@ -0,0 +1,5 @@ +--- +other: + - | + Moves the generic code for managing Nginx into a new role + ``bifrost-nginx-install``.