diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2
index bd9709e7b..1ecd22ff6 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/nginx.conf.j2
@@ -47,4 +47,5 @@ http {
 alias {{ http_boot_folder }}/;
 }
 }
+ include /etc/nginx/conf.d/bifrost*.conf;
 }
diff --git a/playbooks/roles/bifrost-keystone-install/README.md b/playbooks/roles/bifrost-keystone-install/README.md
new file mode 100644
index 000000000..a0626e2d1
--- /dev/null
+++ b/playbooks/roles/bifrost-keystone-install/README.md
@@ -0,0 +1,119 @@ +bifrost-keystone-install +======================== + +This role installs keystone for a bifrost/stand-alone ironic deployment +with all required substrate to allow for keystone configuration, +including MySQL, RabbitMQ, dnsmasq, and nginx. + +Requirements +------------ + +This role requires: + +- Ansible 2.1 + +Role Variables +-------------- + +Due to the required configuration steps, the configuration must be +fairly explicit. The defaults should work for a user without any +issues, however it is highly recommended that the parameters are +reviewed and modified prior to deployment. + +The main settings are in a nested data structure under the name +``keystone``. In order to logically separate the settings in order +to provide the greatest flexibility for change, under ``keystone`` +exists three subsections. ``bootstrap``, ``message_queue``, and +``database``. + +The ``keystone.bootstrap`` settings provide the information to access +keystone as it provides the main administrative credentials. +If keystone is being installed, then these credentials will be used +to bootstrap keystone the keystone installation. +Along with those settings we provide the ability to define the initial +``region_name``, as well as ``admin_url``, ``public_url``, and +``internal_url`` endpoints URLs for keystone. + +If the intent is to utilize a pre-existing keystone service that has +already undergone bootstrapping, set the ``keystone.bootstrap.enabled`` +setting to false, in order to prevent bifrost from attempting to +bootstrap a new keystone. The ``keystone.bootstrap`` settings are +expected to be available by the ``bifrost-ironic-install`` role, +which has the same datastructure available in it's defaults/main.yml +file. These settings are used by the ``birost-ironic-install`` role +in order to create users, roles, and endpoints for Ironic's operation. 
+ +Under the ``message_queue`` and ``database`` structures, variables +are used to define the connection URLs to the message queue, +and database. + +Below is the full data structure. + + keystone: + debug: true + bootstrap: + enabled: true + username: admin + password: ChangeThisPa55w0rd + project_name: admin + admin_url: "http://127.0.0.1:35357/v2.0/" + public_url: "http://127.0.0.1:5000/v2.0/" + internal_url: "http://127.0.0.1:5000/v2.0/" + region_name: "RegionOne" + message_queue: + username: keystone + password: ChangeThisPa55w0rd + host: 127.0.0.1 + database: + name: keystone + username: keystone + password: ChangeThisPa55w0rd + host: 127.0.0.1 + +Notes +----- + +None + +Dependencies +------------ + +The ansible module, os_keystone_session, is required by this module. + +The env-setup.sh script should collect this file and place it in the +proper location prior to executing this role. + +Example Playbook +---------------- + +# NOTE: The bifrost-keystone-install playbook +# should be run before the ironic install playbook +# to enable the same variables to be utilized. +- hosts: localhost + connection: local + name: "Install ironic locally" + become: yes + gather_facts: yes + roles: + - role: bifrost-keystone-install + - role: bifrost-ironic-install + +License +------- + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +Author Information +------------------ + +Ironic Developers 
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/dummy-defaults.yml b/playbooks/roles/bifrost-keystone-install/defaults/dummy-defaults.yml new file mode 100644 index 000000000..c1a20659d --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/dummy-defaults.yml @@ -0,0 +1,3 @@ +--- +# NOTE(cinerama) This file is intentionally left blank - do not +# add variables here. diff --git a/playbooks/roles/bifrost-keystone-install/defaults/main.yml b/playbooks/roles/bifrost-keystone-install/defaults/main.yml new file mode 100644 index 000000000..78435c7bf --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml 
@@ -0,0 +1,57 @@ +--- +keystone_source_install: true +# *_git_url can be overridden by local clones for offline installs +keystone_git_url: https://git.openstack.org/openstack/keystone +keystone_git_folder: /opt/stack/keystone + +# set to true to skip installing ironic dependencies +skip_package_install: False +# set to true to skip generation of configs, ironic db and rabbitmq configuration +skip_bootstrap: False +# set to true to skip starting ironic services and dependencies +skip_start: False + +# Parameters for connecting to mysql for database manipulation. +mysql_username: "root" +mysql_password: "" + +# Support for CORS configuration +# By default CORS support is disabled. +enable_cors: false +# Origin to accept for CORS requests +cors_allowed_origin: "http://localhost:8000" +# bifrost utilizes noauth mode by default and as such +# the setting should be set to false. This setting should +# not need to be modified by the user. +enable_cors_credential_support: false + +# Settings related to installing bifrost in a virtual environment +enable_venv: false +bifrost_venv_dir: "{{ lookup('env', 'VENV') | default('/opt/stack/bifrost') }}" +bifrost_venv_env: + VIRTUAL_ENV: "{{ bifrost_venv_dir }}" + PATH: "{{ bifrost_venv_dir }}/bin:{{ ansible_env.PATH }}" # include regular path via lookup env + pydoc: "python -m pydoc" + + +keystone: + debug: true + bootstrap: + enabled: true + username: admin + password: ChangeThisPa55w0rd + project_name: admin + admin_url: "http://127.0.0.1:35357/v3/" + public_url: "http://127.0.0.1:5000/v3/" + internal_url: "http://127.0.0.1:5000/v3/" + region_name: "RegionOne" + message_queue: + username: keystone + password: ChangeThisPa55w0rd + host: 127.0.0.1 + database: + name: keystone + username: keystone + password: ChangeThisPa55w0rd + host: 127.0.0.1 + 
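Review bot: The `keystone:` block ships the literal `ChangeThisPa55w0rd` as the bootstrap admin, RabbitMQ and MySQL password, and nothing in the role refuses to run while it is unchanged, so a deployment that skips the README's advice ends up with a well-known keystone admin credential. An early guard in bootstrap.yml such as `- fail: msg="set keystone.bootstrap.password before deploying"` with `when: keystone.bootstrap.password == 'ChangeThisPa55w0rd'` (and the same for the message_queue and database passwords) turns that into a hard stop. The `/v3/` endpoint URLs here also differ from the `/v2.0/` URLs the new README.md shows for the same structure, so one of the two is stale. Separately, `skip_package_install: False`, `skip_bootstrap: False` and `skip_start: False` should be lowercase `false` to match `enable_cors: false` in the same file.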
diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml new file mode 100644 index 000000000..a53386af7 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_family.yml @@ -0,0 +1,21 @@ +--- +init_template: upstart_template.j2 +init_dest_dir: /etc/init/ +init_ext: .conf +nginx_user: www-data +mysql_service_name: mysql +required_packages: + - mysql-server + - rabbitmq-server + - python-dev + - python-mysqldb + - python-configparser + - libffi-dev + - libxslt1-dev + - libssl-dev + - libxml2-dev + - nginx + - uwsgi + - uwsgi-core + # - python-django-uwsgi - This may not be needed + - uwsgi-plugin-python diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_jessie.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_jessie.yml new file mode 100644 index 000000000..aa172dcda --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Debian_jessie.yml @@ -0,0 +1,20 @@ +--- +init_template: systemd_template.j2 +init_dest_dir: /usr/lib/systemd/system/ +init_ext: .service +nginx_user: www-data +mysql_service_name: mysql +required_packages: + - mysql-server + - rabbitmq-server + - python-dev + - python-mysqldb + - python-configparser + - libffi-dev + - libxslt1-dev + - libssl-dev + - libxml2-dev + - nginx + - uwsgi + - uwsgi-core + - uwsgi-plugin-python diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Fedora_22.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Fedora_22.yml new file mode 100644 index 000000000..a263349ec --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Fedora_22.yml 
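Review bot: `init_dest_dir: /usr/lib/systemd/system/` in required_defaults_Debian_jessie.yml (and in required_defaults_RedHat_family.yml) points the generated uwsgi unit at the vendor unit directory, while the three Ubuntu files use `/lib/systemd/system/`; units written by a deployment role belong in `/etc/systemd/system/`, which is the same path on every systemd distribution and cannot collide with a packaged unit. Using `init_dest_dir: /etc/systemd/system/` in all five systemd-based files would also leave the distro files differing only where they must. The jessie and Debian_family package lists are otherwise identical apart from the commented `# - python-django-uwsgi` entry, which is better dropped than carried as a comment inside a list.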
@@ -0,0 +1,5 @@ +--- +# NOTE(cinerama): On Fedora 22, ansible 1.9, ansible_pkg_mgr +# defaults to yum, which may not be installed. This can be safely +# removed when we start using an ansible release which prefers dnf. +ansible_pkg_mgr: "dnf" diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml new file mode 100644 index 000000000..3d1021b40 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_RedHat_family.yml @@ -0,0 +1,25 @@ +--- +init_template: systemd_template.j2 +init_dest_dir: /usr/lib/systemd/system/ +init_ext: .service +syslinux_tftp_dir: /var/lib/tftpboot +ipxe_dir: /usr/share/ipxe/ +ipxe_full_binary: ipxe.lkrn +sgabios_dir: /usr/share/sgabios/ +nginx_user: nginx +virt_group: libvirt +mysql_service_name: mariadb +tftp_service_name: tftp +required_packages: + - mariadb-server + - rabbitmq-server + - python-devel + - MySQL-python + - python-iniparse + - libffi-devel + - libxslt-devel + - openssl-devel + - libxml2-devel + - nginx + - uwsgi + - uwsgi-plugin-python diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.04.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.04.yml new file mode 100644 index 000000000..ff67dda1c --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.04.yml @@ -0,0 +1,4 @@ +--- +init_template: systemd_template.j2 +init_dest_dir: /lib/systemd/system/ +init_ext: .service diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.10.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.10.yml new file mode 100644 index 000000000..ff67dda1c --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_15.10.yml 
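Review bot: required_defaults_RedHat_family.yml carries `syslinux_tftp_dir`, `ipxe_dir`, `ipxe_full_binary`, `sgabios_dir`, `virt_group` and `tftp_service_name`, none of which any task or template in this role reads; they look copied from the ironic role's file of the same name. Because main.yml loads this file with `include_vars`, which ranks above role defaults, these values will presumably also override whatever bifrost-ironic-install defaults for the same names on RedHat hosts — harmless while the two copies agree, a silent override once they diverge. Trimming the file to the keys this role uses (`init_template`, `init_dest_dir`, `init_ext`, `nginx_user`, `mysql_service_name`, `required_packages`) removes that coupling.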
@@ -0,0 +1,4 @@ +--- +init_template: systemd_template.j2 +init_dest_dir: /lib/systemd/system/ +init_ext: .service diff --git a/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_16.04.yml b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_16.04.yml new file mode 100644 index 000000000..ff67dda1c --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/defaults/required_defaults_Ubuntu_16.04.yml @@ -0,0 +1,4 @@ +--- +init_template: systemd_template.j2 +init_dest_dir: /lib/systemd/system/ +init_ext: .service diff --git a/playbooks/roles/bifrost-keystone-install/meta/main.yml b/playbooks/roles/bifrost-keystone-install/meta/main.yml new file mode 100644 index 000000000..29b3dc45a --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Ironic Developers + description: Install keystone for Bifrost + company: OpenStack + license: Apache + min_ansible_version: 2.1 + platforms: + - name: Ubuntu + versions: + - xenial + categories: + - cloud + - cloud:openstack +dependencies: [] diff --git a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml new file mode 100644 index 000000000..748ffa9c8 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml 
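Review bot: `platforms:` in meta/main.yml lists only Ubuntu xenial, yet the same commit adds required_defaults files for Debian jessie, Fedora 22, the RedHat family and Ubuntu 15.04/15.10, so either the metadata understates what the role supports or those extra defaults are untested; the two should agree. If the extra platforms are intended, list them under `platforms:`; if not, say so in the README's Requirements section. `min_ansible_version: 2.1` parses as a float today and will misread once a two-digit minor appears, so `min_ansible_version: "2.1"` is the safer spelling.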
@@ -0,0 +1,274 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +# NOTE(TheJulia): There is significant commonality between this playbook +# and the bifrost bootstrap process. +- name: "If VENV is set in the environment, enable installation into venv" + set_fact: + enable_venv: true + when: lookup('env', 'VENV') | length > 0 + +- name: "Get uwsgi install location" + shell: echo $(dirname $(which uwsgi)) + register: uwsgi_install_prefix + environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" + +- name: "Get keystone-wsgi-admin location" + shell: echo $(dirname $(which keystone-wsgi-admin)) + register: keystone_install_prefix + environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" + +# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started +# during bootstrapping. all other services are started in the Start phase. 
+- name: "Start database service" + service: name={{ mysql_service_name }} state=started + +- name: "Start rabbitmq-server" + service: name=rabbitmq-server state=started + +# NOTE(cinerama): on some systems, rabbit may not be ready when we want to +# make changes to users if we don't wait first +- name: "Wait for rabbitmq" + wait_for: port=5672 delay=5 + +- name: "Ensure guest user is removed from rabbitmq" + rabbitmq_user: + user: "guest" + state: absent + force: yes + +- name: "Create keystone user in RabbitMQ" + rabbitmq_user: + user: "{{ keystone.message_queue.username }}" + password: "{{ keystone.message_queue.password }}" + force: yes + state: present + configure_priv: ".*" + write_priv: ".*" + read_priv: ".*" + no_log: true + +- name: "Set mysql_username if environment variable mysql_user is set" + set_fact: + mysql_username: "{{ lookup('env', 'mysql_user') }}" + when: lookup('env', 'mysql_user') | length > 0 + no_log: true + +- name: "Set mysql_password if environment variable mysql_pass is set" + set_fact: + mysql_password: "{{ lookup('env', 'mysql_pass') }}" + when: lookup('env', 'mysql_pass') | length > 0 + no_log: true + +- name: "MySQL - Creating DB" + mysql_db: + name: "{{ keystone.database.name }}" + state: present + encoding: utf8 + login_user: "{{ mysql_username | default(None) }}" + login_password: "{{ mysql_password | default(None) }}" + register: test_created_keystone_db + +- name: "MySQL - Creating user for keystone" + mysql_user: + name: "{{ keystone.database.username }}" + password: "{{ keystone.database.password }}" + priv: "{{ keystone.database.name }}.*:ALL" + state: present + login_user: "{{ mysql_username | default(None) }}" + login_password: "{{ mysql_password | default(None) }}" + +- name: "Create an keystone service group" + group: + name: "keystone" + +- name: "Create an keystone service user" + user: + name: "keystone" + group: "keystone" + +- name: "Ensure /etc/keystone exists" + file: + name: "/etc/keystone" + state: directory + 
owner: "keystone" + group: "keystone" + mode: 0755 + +- name: "Write keystone configuration from template" + template: + src: keystone.conf.j2 + dest: "/etc/keystone/keystone.conf" + owner: "keystone" + group: "keystone" + mode: 0755 + +- name: "Copy policy.json to /etc/keystone" + copy: + src: "{{ keystone_git_folder }}/etc/policy.json" + dest: "/etc/keystone/" + owner: "keystone" + group: "keystone" + mode: 0644 + +- name: "Copy keystone-paste.ini to /etc/keystone" + copy: + src: "{{ keystone_git_folder }}/etc/keystone-paste.ini" + dest: "/etc/keystone/" + owner: "keystone" + group: "keystone" + mode: 0644 + +- name: "Apply/Update keystone DB Schema" + command: keystone-manage db_sync + environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" + +- name: "Setup Keystone Credentials" + command: > + keystone-manage credential_setup + --keystone-user=keystone --keystone-group=keystone + +- name: "Bootstrap Keystone Database" + command: > + keystone-manage bootstrap + --bootstrap-username="{{ keystone.bootstrap.username }}" + --bootstrap-password="{{ keystone.bootstrap.password }}" + --bootstrap-project-name="{{ keystone.bootstrap.project_name }}" + --bootstrap-service-name="keystone" + --bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}" + --bootstrap-public-url="{{ keystone.bootstrap.public_url }}" + --bootstrap-internal-url="{{ keystone.bootstrap.internal_url }}" + --bootstrap-region-id="{{ keystone.bootstrap.region_name }}" + environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" + when: > + test_created_keystone_db.changed | bool == true and + keystone.bootstrap.enabled | bool == true + +- name: "Reserve keystone admin port" + sysctl: + name: "net.ipv4.ip_local_reserved_ports" + value: 35357 + sysctl_set: yes + state: present + reload: yes + +- name: "Ensure /var/www/keystone exists" + file: + name: "/var/www/keystone" + state: directory + owner: "keystone" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. 
+ mode: 0755 + +- name: "Add keystone to web server group" + user: + name: "keystone" + append: yes + groups: "{{nginx_user}}" # TODO(TheJulia): Split webserver user/group. + +- name: "Make folder for keystone logs" + file: + name: "/var/log/nginx/keystone" + state: directory + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. + mode: 0755 + +- name: "Copy keystone-wsgi-public to /var/www/keystone/public" + copy: + src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-public" + dest: /var/www/keystone/public + owner: "keystone" + group: "{{nginx_user}}" + mode: 0754 + +- name: "Copy keystone-wsgi-admin to /var/www/keystone/admin" + copy: + src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-admin" + dest: /var/www/keystone/admin + owner: "keystone" + group: "{{nginx_user}}" + mode: 0754 + +- name: "Ensure /etc/uwsgi exists" + file: + name: "/etc/uwsgi" + state: directory + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. + mode: 0755 + +- name: "Ensure /run/uwsgi exists" + file: + name: "/run/uwsgi" + state: directory + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. + mode: 0775 + +- name: "Place keystone public uwsgi config" + template: + src: keystone-public.ini.j2 + dest: /etc/uwsgi/apps-available/keystone-public.ini + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. + mode: 0755 + +- name: "Place keystone admin uwsgi config" + template: + src: keystone-admin.ini.j2 + dest: /etc/uwsgi/apps-available/keystone-admin.ini + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. 
+ mode: 0755 + +- name: "Enable keystone-public in uwsgi" + file: + src: "/etc/uwsgi/apps-available/keystone-public.ini" + dest: "/etc/uwsgi/apps-enabled/keystone-public.ini" + state: link + +- name: "Enable keystone-admin in uwsgi" + file: + src: "/etc/uwsgi/apps-available/keystone-admin.ini" + dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini" + state: link + +- name: "Place nginx core configuration" + # TODO(TheJulia): Refactor this out so we don't have anything related to + # bifrost it's self in the main config file. + template: + src: nginx.conf.j2 + dest: /etc/nginx/nginx.conf + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. + mode: 0755 + +- name: "Place nginx configuration for keystone" + # TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's + # handling of co-existence needs to be cleaned up first. + template: + src: nginx_conf.d_bifrost-keystone.conf.j2 + dest: /etc/nginx/conf.d/bifrost-keystone.conf + owner: "{{ nginx_user }}" + group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. + mode: 0755 + +- name: "Place uwsgi services" + template: + src: "{{ init_template }}" + dest: "{{ init_dest_dir }}{{ item.service_name }}{{ init_ext }}" + owner: "root" + group: "root" + with_items: + - { service_path: "{{ uwsgi_install_prefix.stdout }}", service_name: 'uwsgi', username: "{{nginx_user}}", args: '--master --emperor /etc/uwsgi/apps-enabled'} diff --git a/playbooks/roles/bifrost-keystone-install/tasks/install.yml b/playbooks/roles/bifrost-keystone-install/tasks/install.yml new file mode 100644 index 000000000..b3455ad0c --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/tasks/install.yml 
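Review bot: The "Write keystone configuration from template" task installs /etc/keystone/keystone.conf with `mode: 0755`, but keystone.conf.j2 renders the RabbitMQ and MySQL passwords into `transport_url` and `connection`, so every local account can read them; `mode: "0640"` with the existing keystone owner and group is enough for uwsgi, and the nginx.conf and uwsgi ini templates further down do not need the execute bit either. The "Bootstrap Keystone Database" task puts `--bootstrap-password=` on a `command:` line with no `no_log: true`, unlike the rabbitmq_user task above, so the admin password lands in task output on failure or under -v and is visible in the process list while it runs; add `no_log: true`, and consider passing it via the `OS_BOOTSTRAP_PASSWORD` environment variable keystone-manage also accepts. The "Setup Keystone Credentials" task is the only keystone-manage call without `environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"`, so with enable_venv it runs whatever `keystone-manage` is on the system PATH, or fails if there is none.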
@@ -0,0 +1,47 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Install packages" + action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + with_items: required_packages + +- name: "If VENV is set in the environment, enable installation into venv" + set_fact: + enable_venv: true + when: lookup('env', 'VENV') | length > 0 + +# NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer +# and it should already be created by the Ansible setup, we will leave this +# here for the time being. +- name: "Ensure /opt/stack is present" + file: name=/opt/stack state=directory owner=root group=root + when: skip_install is not defined + +# NOTE(TheJulia): Part of Bifrost's install does this as well, but +# duplicating here as we are installing a separate service with this. +# We may wish to refactor this at a later point in time. +- name: "Install configparser in venv if using" + include: pip_install.yml package=configparser virtualenv=bifrost_venv_dir + when: skip_install is not defined and (enable_venv | bool == true) + +- name: "Install pymysql in venv if using" + include: pip_install.yml package=pymysql virtualenv=bifrost_venv_dir + when: skip_install is not defined and (enable_venv | bool == true) + +- name: "Install keystone using pip" + include: pip_install.yml + package=keystone + state=latest + sourcedir={{ keystone_git_folder }} + source_install={{ keystone_source_install | bool }} + when: skip_install is not defined 
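Review bot: `with_items: required_packages` on the "Install packages" task is a bare variable name, which Ansible 2.x only still accepts with a deprecation warning; write `with_items: "{{ required_packages }}"`. The configparser and pymysql includes pass `virtualenv=bifrost_venv_dir`, a literal string that pip_install.yml never reads (it uses `bifrost_venv_dir` directly), so that parameter is dead. The `when: skip_install is not defined` guards test a variable no defaults file in this commit sets, while main.yml gates this include on `skip_package_install`; one name should be used throughout.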
diff --git a/playbooks/roles/bifrost-keystone-install/tasks/main.yml b/playbooks/roles/bifrost-keystone-install/tasks/main.yml new file mode 100644 index 000000000..0cc12c838 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/tasks/main.yml 
@@ -0,0 +1,46 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +# NOTE(cinerama) dummy-defaults.yml is an empty defaults file. We use it +# here to ensure that with_first_found won't fail should we not have +# defaults for a particular distribution, version, etc. +- name: Include OS family-specific defaults + include_vars: "{{ item }}" + with_first_found: + - "../defaults/required_defaults_{{ ansible_os_family }}_family.yml" + - "../defaults/dummy-defaults.yml" + +- name: Include OS distribution-specific defaults + include_vars: "{{ item }}" + with_first_found: + - "../defaults/required_defaults_{{ ansible_distribution }}.yml" + - "../defaults/dummy-defaults.yml" + +- name: Include OS version-specific defaults + include_vars: "{{ item }}" + with_first_found: + - "../defaults/required_defaults_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" + - "../defaults/required_defaults_{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml" + - "../defaults/dummy-defaults.yml" + +- name: "Install Keystone" + include: install.yml + when: enable_keystone is defined and enable_keystone |bool == True and skip_package_install | bool != True + +- name: "Bootstrap Keystone" + include: bootstrap.yml + when: enable_keystone is defined and enable_keystone |bool == True and skip_bootstrap | bool != True + +- name: "Start Keystone services" + include: start.yml + when: enable_keystone is defined and enable_keystone |bool == True and skip_start | bool != 
True diff --git a/playbooks/roles/bifrost-keystone-install/tasks/pip_install.yml b/playbooks/roles/bifrost-keystone-install/tasks/pip_install.yml new file mode 100644 index 000000000..f16221159 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/tasks/pip_install.yml @@ -0,0 +1,27 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Install {{ package }} package from pip" + pip: + name: "{{ package }}" + state: "{{ state | default(omit) }}" + version: "{{ version | default(omit) }}" + virtualenv: "{{ bifrost_venv_dir if enable_venv else omit }}" + when: source_install is not defined or source_install == false +# NOTE (cinerama): We should be able to use the pip module here and +# possibly merge these two tasks when +# https://github.com/ansible/ansible-modules-core/pull/2600 lands. +- name: "Install from {{ sourcedir }} using pip" + command: pip install --upgrade --force-reinstall {{ sourcedir }} + when: source_install is defined and (source_install | bool == true) + environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" diff --git a/playbooks/roles/bifrost-keystone-install/tasks/start.yml b/playbooks/roles/bifrost-keystone-install/tasks/start.yml new file mode 100644 index 000000000..cddcca11a --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/tasks/start.yml 
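Review bot: All three includes in tasks/main.yml are gated on `enable_keystone is defined and enable_keystone |bool == True`, but `enable_keystone` is neither set in defaults/main.yml nor mentioned in the README, so the role is a silent no-op until a caller discovers the variable by reading this file. Add `enable_keystone: false` to defaults/main.yml, document it under Role Variables, and the conditions can then read `when: enable_keystone | bool and not (skip_package_install | bool)` (likewise for the bootstrap and start includes). The `|bool == True` / `| bool != True` comparisons also mix spacing and Python-style `True` on one line; `| bool` and `not (... | bool)` is the usual Ansible spelling.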
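Review bot: The first task's `when: source_install is not defined or source_install == false` compares against the boolean false, but `source_install` arrives from install.yml as an include parameter (`source_install={{ keystone_source_install | bool }}`), which presumably reaches this file as the string "True"/"False"; a string never equals `false`, so with source installs disabled neither this task nor the second (`source_install | bool == true`) runs and keystone is not installed at all. Apply the filter on both paths: `when: source_install is not defined or not (source_install | bool)`. The `virtualenv: "{{ bifrost_venv_dir if enable_venv else omit }}"` line is the only place the venv is selected, which is why the `virtualenv=` include parameter in install.yml has no effect.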
@@ -0,0 +1,32 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +- name: "Reload systemd configuration" + command: systemctl daemon-reload + when: init_template == 'systemd_template.j2' + +- name: "Ensure required services are started" + service: name={{ item }} state=started + with_items: + - nginx + - uwsgi + +# In the event that this server was already running, +# we need to HUP the service to help ensure that it +# has the latest configuration. We do this because we +# cannot trust what service returns as each init system +# behaves differently. +- name: "Send services a reload signal" + service: name={{ item }} state=reloaded + with_items: + - nginx diff --git a/playbooks/roles/bifrost-keystone-install/templates/keystone-admin.ini.j2 b/playbooks/roles/bifrost-keystone-install/templates/keystone-admin.ini.j2 new file mode 100644 index 000000000..9cfa7aaca --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/templates/keystone-admin.ini.j2 @@ -0,0 +1,18 @@ +{{ ansible_managed }} +[uwsgi] +master = true +processes = 2 +threads = 2 +plugin = python +no-orphans = true +chmod-socket = 660 + +socket = /run/uwsgi/keystone-admin.socket +pidfile = /run/uwsgi/keystone-admin.pid + +name = keystone +uid = keystone +gid = {{ nginx_user }} + +chdir = /var/www/keystone/ +wsgi-file = /var/www/keystone/admin 
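Review bot: The "Ensure required services are started" task starts nginx and uwsgi but never enables them, so after a reboot keystone is down even though the systemd template carries an `[Install]` section; `service: name={{ item }} state=started enabled=yes` fixes that. The reload loop only lists nginx, so a uwsgi emperor that was already running keeps serving the previous vassal configuration — the comment above explains the HUP and then leaves uwsgi out. `systemctl daemon-reload` keys off `init_template == 'systemd_template.j2'`, which holds for the files added here but fails silently if a future defaults file names its systemd template differently.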
diff --git a/playbooks/roles/bifrost-keystone-install/templates/keystone-public.ini.j2 b/playbooks/roles/bifrost-keystone-install/templates/keystone-public.ini.j2 new file mode 100644 index 000000000..33e5db1a6 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/templates/keystone-public.ini.j2 @@ -0,0 +1,18 @@ +{{ ansible_managed }} +[uwsgi] +master = true +processes = 2 +threads = 2 +plugin = python +no-orphans = true +chmod-socket = 660 + +socket = /run/uwsgi/keystone-public.socket +pidfile = /run/uwsgi/keystone-public.pid + +name = keystone +uid = keystone +gid = {{ nginx_user }} + +chdir = /var/www/keystone/ +wsgi-file = /var/www/keystone/public diff --git a/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2 new file mode 100644 index 000000000..55fe65293 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/templates/keystone.conf.j2 @@ -0,0 +1,23 @@ +{{ ansible_managed }} +[DEFAULT] + +debug = {{ keystone.debug | bool }} +transport_url = amqp://{{ keystone.message_queue.username }}:{{ keystone.message_queue.password }}@{{ keystone.message_queue.host }}:{{ keystone.message_queue.port | default('5672') }}/ + +[auth] + +methods = password,token + +{% if enable_cors | bool == true %} +[cors] +allowed_origin = {{ cors_allowed_origin | default('allowed_origin=http://localhost:8000') }} +allow_credentials = {{ enable_cors_credential_support | default('true') }} +{% endif %} + +[database] + +connection = mysql+pymysql://{{ keystone.database.username }}:{{ keystone.database.password }}@{{ keystone.database.host }}/{{ keystone.database.name }}?charset=utf8 +use_db_reconnect = true + +[security_compliance] +lockout_failure_attempts = 3 diff --git a/playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2 new file mode 100644 index 000000000..0054713ff --- /dev/null 
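Review bot: In the `[cors]` section, `default('allowed_origin=http://localhost:8000')` would render `allowed_origin = allowed_origin=http://localhost:8000` if `cors_allowed_origin` were ever unset — the key name is repeated inside the default — and `allow_credentials` falls back to `'true'` where defaults/main.yml documents the intended default as false; make both match the role defaults, `default('http://localhost:8000')` and `default('false')`. `debug = {{ keystone.debug | bool }}` combined with `debug: true` in defaults turns on debug logging for a service whose config already carries two passwords; defaulting `keystone.debug` to false is the safer choice. `lockout_failure_attempts = 3` with no `lockout_duration` presumably applies keystone's default lockout period to the bootstrap admin as well, which deserves a comment since three failed logins against that one account block all administration until it expires.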
+++ b/playbooks/roles/bifrost-keystone-install/templates/nginx.conf.j2 @@ -0,0 +1,52 @@ +{{ ansible_managed }} +user {{ nginx_user }}; +worker_processes 2; +pid /run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + server { + listen {{ file_url_port }}; + server_name {{ ansible_hostname }}; + root {{ http_boot_folder }}; + location {{ http_boot_folder }}/ { + alias {{ http_boot_folder }}/; + } + } + include /etc/nginx/conf.d/bifrost*.conf; +} diff --git a/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 new file mode 100644 index 000000000..a048b3484 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2 @@ -0,0 +1,21 @@ +{{ ansible_managed }} +server { + listen 5000; + access_log /var/log/nginx/keystone/access.log; + error_log /var/log/nginx/keystone/error.log; + location / { + uwsgi_pass unix:///run/uwsgi/keystone-public.socket; + include uwsgi_params; + uwsgi_param SCRIPT_NAME ''; + } +} +server { + listen 35357; + access_log /var/log/nginx/keystone/access.log; + error_log /var/log/nginx/keystone/error.log; + location / { + uwsgi_pass unix:///run/uwsgi/keystone-admin.socket; + include uwsgi_params; + uwsgi_param SCRIPT_NAME ''; + } +} 
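Review bot: This template's `server` block references `file_url_port` and `http_boot_folder`, which nothing in bifrost-keystone-install defines; the role only renders when bifrost-ironic-install is in the same play to supply them, and otherwise the template task in bootstrap.yml fails on an undefined variable. Either drop the ironic file-serving block from this copy (keystone's own server blocks arrive through the `include /etc/nginx/conf.d/bifrost*.conf;` line) or guard it with `{% if http_boot_folder is defined %}`. While here, `# server_tokens off;` is commented out in both copies of this file; enabling it hides the nginx version from error pages and headers at no cost.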
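Review bot: Both `listen 5000;` and `listen 35357;` bind every interface over plain HTTP, while the defaults advertise the endpoints as `http://127.0.0.1:…`, so the admin API on 35357 becomes reachable from any network the host sits on even though nothing in this change expects remote clients. `listen 127.0.0.1:35357;` (and the same for 5000 unless remote access is intended) matches the advertised URLs; if remote access is the goal, the bind address and a TLS front-end should be variables rather than fixed here. The two server blocks differ only in port and socket name, so a `{% for %}` over a two-entry list would keep them from drifting apart.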
diff --git a/playbooks/roles/bifrost-keystone-install/templates/systemd_template.j2 b/playbooks/roles/bifrost-keystone-install/templates/systemd_template.j2 new file mode 100644 index 000000000..1b5a384f3 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/templates/systemd_template.j2 @@ -0,0 +1,10 @@ +[Unit] +Description={{ item.service_name }} service + +[Service] +ExecStart={{ item.service_path }}/{{ item.service_name }} {{ item.args }} +User={{ item.username }} + +[Install] +WantedBy=multi-user.target +Alias={{ item.service_name }}{{ init_ext }} diff --git a/playbooks/roles/bifrost-keystone-install/templates/upstart_template.j2 b/playbooks/roles/bifrost-keystone-install/templates/upstart_template.j2 new file mode 100644 index 000000000..7c2d93825 --- /dev/null +++ b/playbooks/roles/bifrost-keystone-install/templates/upstart_template.j2 @@ -0,0 +1,10 @@ +start on runlevel [2345] +stop on runlevel [016] +pre-start script + mkdir -p /var/run/{{ item.username }} + chown -R {{ item.username }}:{{ item.username }} /var/run/{{ item.username }} +end script +respawn +respawn limit 2 10 + +exec start-stop-daemon --start -c {{ item.username }} --exec {{ item.service_path }}/{{ item.service_name }} -- {{ item.args }} diff --git a/releasenotes/notes/keystone-installation-3b812d9f673c7bbe.yaml b/releasenotes/notes/keystone-installation-3b812d9f673c7bbe.yaml new file mode 100644 index 000000000..ae282ad85 --- /dev/null +++ b/releasenotes/notes/keystone-installation-3b812d9f673c7bbe.yaml @@ -0,0 +1,5 @@ +--- +features: + - An ansible role enabling the installation of keystone has + been added in preparation for the addition of keystone + support to bifrost. diff --git a/scripts/env-setup.sh b/scripts/env-setup.sh index 07a319b4a..e2c62eba0 100755 --- a/scripts/env-setup.sh +++ b/scripts/env-setup.sh 
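Review bot: The unit runs uwsgi as `User={{ item.username }}`, which bootstrap.yml fills with `{{nginx_user}}`, yet the vassal ini files ask for `uid = keystone`; uwsgi can only switch uid when it starts as root, so presumably the vassals either fail to start or keep running as the web-server user, and the keystone/nginx separation the ini files describe never happens. Either run the emperor as root so the ini `uid`/`gid` take effect, or run it as `keystone` and drop those lines. `/run/uwsgi` is created once by a file task in bootstrap.yml, but `/run` is normally tmpfs, so after a reboot the socket directory is gone; `RuntimeDirectory=uwsgi` in `[Service]` recreates it on every start — and note the upstart template's `mkdir -p /var/run/{{ item.username }}` creates a different directory from the one the ini files use. `Alias={{ item.service_name }}{{ init_ext }}` aliases the unit to its own name and can be dropped.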
@@ -198,6 +198,10 @@ check_get_module `pwd`/lib/ansible/modules/core/cloud/openstack/os_ironic_node.p check_get_module `pwd`/lib/ansible/modules/extras/cloud/openstack/os_ironic_inspect.py \ https://raw.githubusercontent.com/juliakreger/ansible-modules-extras/feature/os-ironic-inspect/cloud/openstack/os_ironic_inspect.py +# os_keystone_service is targeted for Ansible 2.2 +check_get_module `pwd`/lib/ansible/modules/extras/cloud/openstack/os_keystone_service.py \ + https://raw.githubusercontent.com/ansible/ansible-modules-extras/devel/cloud/openstack/os_keystone_service.py + if [ -n "${VENV-}" ]; then sudo -H -E ${PIP} install --upgrade ${ANSIBLE_INSTALL_ROOT}/ansible echo
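Review bot: The new `check_get_module` line fetches os_keystone_service.py from the `devel` branch of ansible-modules-extras, a moving ref, so whatever that branch holds at install time is executed as an Ansible module on the deployment host with no pin and no checksum — the os_ironic_inspect line above has the same shape, so this extends an existing pattern rather than introducing it. Pinning the URL to a commit SHA in place of `devel` and, if `check_get_module` supports it, recording an expected checksum would make the download reproducible and tamper-evident. The comment `# os_keystone_service is targeted for Ansible 2.2` would be more useful if it also said the line can go once the role requires 2.2. The README's Dependencies section calls this module `os_keystone_session`; the file fetched here is `os_keystone_service`, so one of the two names is wrong.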