Move Nginx code to a new role bifrost-nginx-install

There is currently a lot of duplication between nginx setup for keystone
(identity API) and ironic (httpboot directory). This change moves the
common code to a new role and makes the httpboot configuration a
separate nginx configuration file.

Change-Id: Ic5239aba764f632c48a422812fde7010ffb1a339

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -229,9 +229,6 @@ inspector_manage_firewall: false
 #inspector_log_dir:
 inspector_ramdisk_logs_local_path: /var/log/ironic-inspector/ramdisk
 
-# Set nginx_log_dir to use a non-default log directory for nginx.
-nginx_log_dir: /var/log/nginx
-
 inspector_store_ramdisk_logs: true
 # Note: inspector_port_addition has three valid values: all, active, pxe
 inspector_port_addition: "pxe"

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Debian_family.yml

@@ -3,7 +3,6 @@ init_dest_dir: /lib/systemd/system/
 ipxe_dir: /usr/lib/ipxe/
 ipxe_full_binary: ipxe.pxe
 ironic_rootwrap_dir: /usr/local/bin/
-nginx_user: www-data
 mysql_service_name: mysql
 tftp_service_name: tftpd-hpa
 efi_distro: debian
@@ -22,7 +21,6 @@ required_packages:
   - parted
   - ipmitool
   - psmisc
-  - nginx
   - wget
   - genisoimage
   - kpartx

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Fedora.yml

@@ -3,7 +3,6 @@ init_dest_dir: /usr/lib/systemd/system/
 ipxe_dir: /usr/share/ipxe/
 ipxe_full_binary: ipxe.lkrn
 ironic_rootwrap_dir: /usr/bin/
-nginx_user: nginx
 mysql_service_name: mariadb
 tftp_service_name: tftp
 efi_distro: fedora
@@ -22,7 +21,6 @@ required_packages:
   - libxml2-devel
   - libxslt-devel
   - mariadb-server
-  - nginx
   - openssl-devel
   - parted
   - policycoreutils-python-utils

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_RedHat_family.yml

@@ -4,7 +4,6 @@ ipxe_dir: /usr/share/ipxe/
 ipxe_full_binary: ipxe.lkrn
 ipxe_efi_binary: ipxe-x86_64.efi
 ironic_rootwrap_dir: /usr/bin/
-nginx_user: nginx
 mysql_service_name: mariadb
 tftp_service_name: tftp
 shim_efi_binary: /boot/efi/EFI/BOOT/BOOTX64.EFI
@@ -22,7 +21,6 @@ required_packages:
   - parted
   - ipmitool
   - psmisc
-  - nginx
   - wget
   - genisoimage
   - kpartx

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Suse_family.yml

@@ -4,7 +4,6 @@ ipxe_dir: /usr/share/ipxe
 ipxe_full_binary: ipxe.lkrn
 ipxe_efi_binary: ipxe-x86_64.efi
 ironic_rootwrap_dir: /usr/bin/
-nginx_user: nginx
 mysql_service_name: mysql
 tftp_service_name: tftp
 # FIXME(dtantsur): this may be incorrect, but I cannot figure out the correct
@@ -27,7 +26,6 @@ required_packages:
   - parted
   - ipmitool
   - psmisc
-  - nginx
   - wget
   - mkisofs
   - kpartx

playbooks/roles/bifrost-ironic-install/defaults/required_defaults_Ubuntu.yml

@@ -17,7 +17,6 @@ required_packages:
   - iptables
   - bsdmainutils
   - psmisc
-  - nginx
   - wget
   - genisoimage
   - kpartx

playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml

@@ -219,18 +219,6 @@
   register: ironic_install_prefix
   environment: "{{ bifrost_venv_env }}"
 
-- name: "Set permissions for /var/lib/ironic for the ironic user"
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: 0750
-    owner: "ironic"
-    group: "{{ nginx_user }}"
-  loop:
-    - "/var/lib/ironic"
-    - "/var/lib/ironic/master_images"
-    - "/var/lib/ironic/images"
-
 - name: "Place ironic services"
   template:
     src: systemd_template.j2
@@ -343,8 +331,6 @@
     - include_dhcp_server | bool
     - test_libvirt_dnsmasq.stat.exists
     - testing | bool
-- name: "Deploy nginx configuration file for serving HTTP requests"
-  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
 - name: "Download Ironic Python Agent kernel & image"
   include: download_ipa_image.yml
   when:
@@ -371,6 +357,31 @@
         mode: 0644
   when: use_cirros | bool
 
+- name: "Bootstrap Nginx"
+  import_role:
+    name: bifrost-nginx-install
+    tasks_from: bootstrap
+
+- name: "Place nginx configuration for ironic"
+  template:
+    src: nginx_conf.d_bifrost-httpboot.conf.j2
+    dest: /etc/nginx/conf.d/bifrost-httpboot.conf
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}"
+    mode: 0755
+
+- name: "Set permissions for /var/lib/ironic for the ironic user"
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "ironic"
+    group: "{{ nginx_user }}"
+  loop:
+    - "/var/lib/ironic"
+    - "/var/lib/ironic/master_images"
+    - "/var/lib/ironic/images"
+
 - name: >
     "Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned
      and TCP/6385 for IPA callback"

playbooks/roles/bifrost-ironic-install/tasks/install.yml

@@ -22,6 +22,11 @@
     name: "{{ required_packages }}"
     state: present
 
+- name: "Install Nginx"
+  import_role:
+    name: bifrost-nginx-install
+    tasks_from: install
+
 # NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
 # and it should already be created by the Ansible setup, we will leave this
 # here for the time being.

playbooks/roles/bifrost-ironic-install/tasks/start.yml

@@ -42,9 +42,6 @@
 - name: "Start ironic-api"
   service: name=ironic-api state=restarted
 
-- name: "Ensure nginx is running with current config"
-  service: name=nginx state=restarted enabled=yes
-
 - name: "Start ironic-prometheus-exporter"
   include: prometheus_exporter_start.yml
   when: enable_prometheus_exporter | bool and not skip_start | bool
@@ -60,9 +57,11 @@
     - dnsmasq
   when: include_dhcp_server | bool
 
-- name: "Send nginx a reload signal"
-  service: name=nginx state=reloaded
-
 - name: "Send dnsmasq a force-reload signal"
   service: name=dnsmasq state=restarted
   when: include_dhcp_server | bool
+
+- name: "Start nginx"
+  import_role:
+    name: bifrost-nginx-install
+    tasks_from: start

playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-httpboot.conf.j2

@@ -0,0 +1,8 @@
+server {
+        listen {{ file_url_port }};
+        server_name {{ ansible_hostname }};
+        root {{ http_boot_folder }};
+        location {{ http_boot_folder }}/ {
+                alias {{ http_boot_folder }}/;
+        }
+}

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml

@@ -1,6 +1,5 @@
 ---
 init_dest_dir: /lib/systemd/system/
-nginx_user: www-data
 mysql_service_name: mysql
 required_packages:
   - mariadb-server
@@ -11,4 +10,3 @@ required_packages:
   - libxslt1-dev
   - libssl-dev
   - libxml2-dev
-  - nginx

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml

@@ -1,6 +1,5 @@
 ---
 init_dest_dir: /usr/lib/systemd/system/
-nginx_user: nginx
 virt_group: libvirt
 mysql_service_name: mariadb
 required_packages:
@@ -14,4 +13,3 @@ required_packages:
   - libxslt-devel
   - openssl-devel
   - libxml2-devel
-  - nginx

playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Suse_family.yml

@@ -12,4 +12,3 @@ required_packages:
   - libxslt-devel
   - libopenssl-devel
   - libxml2-devel
-  - nginx

playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml

@@ -88,6 +88,11 @@
     login_password: "{{ mysql_password | default(None) }}"
   when: keystone.database.host == 'localhost'
 
+- name: "Bootstrap Nginx"
+  import_role:
+    name: bifrost-nginx-install
+    tasks_from: bootstrap
+
 - name: "Generate TLS parameters"
   include_role:
     name: bifrost-tls
@@ -271,16 +276,6 @@
     dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini"
     state: link
 
-- name: "Place nginx core configuration"
-  # TODO(TheJulia): Refactor this out so we don't have anything related to
-  # bifrost it's self in the main config file.
-  template:
-    src: nginx.conf.j2
-    dest: /etc/nginx/nginx.conf
-    owner: "{{ nginx_user }}"
-    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
-    mode: 0755
-
 - name: "Place nginx configuration for keystone"
   # TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's
   # handling of co-existence needs to be cleaned up first.

playbooks/roles/bifrost-keystone-install/tasks/install.yml

@@ -16,6 +16,11 @@
     name: "{{ required_packages }}"
     state: present
 
+- name: "Install Nginx"
+  import_role:
+    name: bifrost-nginx-install
+    tasks_from: install
+
 # NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
 # and it should already be created by the Ansible setup, we will leave this
 # here for the time being.

playbooks/roles/bifrost-keystone-install/tasks/start.yml

@@ -15,8 +15,10 @@
   systemd:
     daemon_reload: yes
 
-- name: "Ensure services are running with current config"
+- name: "Start Nginx"
-  service: name={{ item }} state=restarted enabled=yes
+  import_role:
-  loop:
+    name: bifrost-nginx-install
-    - nginx
+    tasks_from: start
-    - uwsgi
+
+- name: "Ensure uwsgi is running with current config"
+  service: name=uwsgi state=restarted enabled=yes

playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2

@@ -1,52 +0,0 @@
-# {{ ansible_managed }}
-user {{ nginx_user }};
-worker_processes 2;
-pid /run/nginx.pid;
-
-events {
-	worker_connections 768;
-	# multi_accept on;
-}
-
-http {
-
-	##
-	# Basic Settings
-	##
-
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-	# server_tokens off;
-
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-
-	server {
-		listen {{ file_url_port }};
-		server_name {{ ansible_hostname }};
-		root {{ http_boot_folder }};
-		location {{ http_boot_folder }}/ {
-			alias {{ http_boot_folder }}/;
-		}
-	}
-        include /etc/nginx/conf.d/bifrost*.conf;
-}

playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2

@@ -7,8 +7,8 @@ server {
 {% else %}
     listen 5000;
 {% endif %}
-    access_log /var/log/nginx/keystone/access.log;
+    access_log {{ nginx_log_dir }}/keystone/access.log;
-    error_log /var/log/nginx/keystone/error.log;
+    error_log {{ nginx_log_dir }}/keystone/error.log;
     location / {
         uwsgi_pass unix:///run/uwsgi/keystone-public.socket;
         include uwsgi_params;
@@ -23,8 +23,8 @@ server {
 {% else %}
     listen 35357;
 {% endif %}
-    access_log /var/log/nginx/keystone/access.log;
+    access_log {{ nginx_log_dir }}/keystone/access.log;
-    error_log /var/log/nginx/keystone/error.log;
+    error_log {{ nginx_log_dir }}/keystone/error.log;
     location / {
         uwsgi_pass unix:///run/uwsgi/keystone-admin.socket;
         include uwsgi_params;

playbooks/roles/bifrost-nginx-install/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+# If testing is true, then the environment is setup for using libvirt
+# virtual machines for the hardware instead of real hardware.
+testing: false
+
+# set to true to skip installation completely
+skip_install: False
+# set to true to skip installing dependencies
+skip_package_install: False
+# set to true to skip generation of configs and database configuration
+skip_bootstrap: False
+# set to true to skip starting services
+skip_start: False
+
+nginx_user: "{{ 'www-data' if ansible_os_family == 'Debian' else 'nginx' }}"
+# Set nginx_log_dir to use a non-default log directory for nginx.
+nginx_log_dir: /var/log/nginx

playbooks/roles/bifrost-nginx-install/tasks/bootstrap.yml

@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Deploy nginx configuration file for serving HTTP requests"
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf

playbooks/roles/bifrost-nginx-install/tasks/install.yml

@@ -0,0 +1,22 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Update Package Cache"
+  apt:
+    update_cache: yes
+  when: ansible_os_family == 'Debian'
+
+- name: "Install Nginx"
+  package:
+    name: nginx
+    state: present

playbooks/roles/bifrost-nginx-install/tasks/main.yml

@@ -0,0 +1,24 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Install Nginx"
+  include: install.yml
+  when: not skip_package_install | bool
+
+- name: "Bootstrap Nginx"
+  include: bootstrap.yml
+  when: not skip_bootstrap | bool
+
+- name: "Start Nginx"
+  include: start.yml
+  when: not skip_start | bool

playbooks/roles/bifrost-nginx-install/tasks/start.yml

@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Ensure nginx is running with current config"
+  service:
+    name: nginx
+    state: restarted
+    enabled: yes

playbooks/roles/bifrost-nginx-install/templates/nginx.conf.j2

@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 user {{ nginx_user }};
 worker_processes 2;
 pid /run/nginx.pid;
@@ -38,14 +39,5 @@ http {
 	##
 
 	gzip on;
-
-	server {
-		listen {{ file_url_port }};
-		server_name {{ ansible_hostname }};
-		root {{ http_boot_folder }};
-		location {{ http_boot_folder }}/ {
-			alias {{ http_boot_folder }}/;
-		}
-	}
         include /etc/nginx/conf.d/bifrost*.conf;
 }

releasenotes/notes/bifrost-nginx-install-8a824b4be58201c7.yaml

@@ -0,0 +1,5 @@
+---
+other:
+  - |
+    Moves the generic code for managing Nginx into a new role
+    ``bifrost-nginx-install``.