Add keystone installation playbook
In order to support use of keystone, bifrost needs to be able to install keystone in a minimalistic fashion alongside ironic. This commit adds the role and the required changes for that configuration to be bootstrapped. Change-Id: Icb1c5dfded5574d901444bbca72e5d74a336093f
@ -47,4 +47,5 @@ http {
|
||||
alias {{ http_boot_folder }}/;
|
||||
}
|
||||
}
|
||||
include /etc/nginx/conf.d/bifrost*.conf;
|
||||
}
|
||||
|
119
playbooks/roles/bifrost-keystone-install/README.md
Normal file
119
playbooks/roles/bifrost-keystone-install/README.md
Normal file
@ -0,0 +1,119 @@
|
||||
bifrost-keystone-install
|
||||
========================
|
||||
|
||||
This role installs keystone for a bifrost/stand-alone ironic deployment
|
||||
with all required substrate to allow for keystone configuration,
|
||||
including MySQL, RabbitMQ, dnsmasq, and nginx.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
This role requires:
|
||||
|
||||
- Ansible 2.1
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
Due to the required configuration steps, the configuration must be
|
||||
fairly explicit. The defaults should work for a user without any
|
||||
issues, however it is highly recommended that the parameters are
|
||||
reviewed and modified prior to deployment.
|
||||
|
||||
The main settings are in a nested data structure under the name
|
||||
``keystone``. In order to logically separate the settings in order
|
||||
to provide the greatest flexibility for change, under ``keystone``
|
||||
exists three subsections. ``bootstrap``, ``message_queue``, and
|
||||
``database``.
|
||||
|
||||
The ``keystone.bootstrap`` settings provide the information to access
|
||||
keystone as it provides the main administrative credentials.
|
||||
If keystone is being installed, then these credentials will be used
|
||||
to bootstrap keystone the keystone installation.
|
||||
Along with those settings we provide the ability to define the initial
|
||||
``region_name``, as well as ``admin_url``, ``public_url``, and
|
||||
``internal_url`` endpoints URLs for keystone.
|
||||
|
||||
If the intent is to utilize a pre-existing keystone service that has
|
||||
already undergone bootstrapping, set the ``keystone.bootstrap.enabled``
|
||||
setting to false, in order to prevent bifrost from attempting to
|
||||
bootstrap a new keystone. The ``keystone.bootstrap`` settings are
|
||||
expected to be available by the ``bifrost-ironic-install`` role,
|
||||
which has the same datastructure available in it's defaults/main.yml
|
||||
file. These settings are used by the ``birost-ironic-install`` role
|
||||
in order to create users, roles, and endpoints for Ironic's operation.
|
||||
|
||||
Under the ``message_queue`` and ``database`` structures, variables
|
||||
are used to define the connection URLs to the message queue,
|
||||
and database.
|
||||
|
||||
Below is the full data structure.
|
||||
|
||||
keystone:
|
||||
debug: true
|
||||
bootstrap:
|
||||
enabled: true
|
||||
username: admin
|
||||
password: ChangeThisPa55w0rd
|
||||
project_name: admin
|
||||
admin_url: "http://127.0.0.1:35357/v2.0/"
|
||||
public_url: "http://127.0.0.1:5000/v2.0/"
|
||||
internal_url: "http://127.0.0.1:5000/v2.0/"
|
||||
region_name: "RegionOne"
|
||||
message_queue:
|
||||
username: keystone
|
||||
password: ChangeThisPa55w0rd
|
||||
host: 127.0.0.1
|
||||
database:
|
||||
name: keystone
|
||||
username: keystone
|
||||
password: ChangeThisPa55w0rd
|
||||
host: 127.0.0.1
|
||||
|
||||
Notes
|
||||
-----
|
||||
|
||||
None
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
The ansible module, os_keystone_session, is required by this module.
|
||||
|
||||
The env-setup.sh script should collect this file and place it in the
|
||||
proper location prior to executing this role.
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
# NOTE: The bifrost-keystone-install playbook
|
||||
# should be run before the ironic install playbook
|
||||
# to enable the same variables to be utilized.
|
||||
- hosts: localhost
|
||||
connection: local
|
||||
name: "Install ironic locally"
|
||||
become: yes
|
||||
gather_facts: yes
|
||||
roles:
|
||||
- role: bifrost-keystone-install
|
||||
- role: bifrost-ironic-install
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
Ironic Developers
|
@ -0,0 +1,3 @@
|
||||
---
|
||||
# NOTE(cinerama) This file is intentionally left blank - do not
|
||||
# add variables here.
|
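--- a/playbooks/roles/bifrost-keystone-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
@@ -0,0 +1,57 @@
+---
+keystone_source_install: true
+# *_git_url can be overridden by local clones for offline installs
+keystone_git_url: https://git.openstack.org/openstack/keystone
+keystone_git_folder: /opt/stack/keystone
+
+# set to true to skip installing ironic dependencies
+skip_package_install: False
+# set to true to skip generation of configs, ironic db and rabbitmq configuration
+skip_bootstrap: False
+# set to true to skip starting ironic services and dependencies
+skip_start: False
+
+# Parameters for connecting to mysql for database manipulation.
+mysql_username: "root"
+mysql_password: ""
+
+# Support for CORS configuration
+# By default CORS support is disabled.
+enable_cors: false
+# Origin to accept for CORS requests
+cors_allowed_origin: "http://localhost:8000"
+# bifrost utilizes noauth mode by default and as such
+# the setting should be set to false. This setting should
+# not need to be modified by the user.
+enable_cors_credential_support: false
+
+# Settings related to installing bifrost in a virtual environment
+enable_venv: false
+bifrost_venv_dir: "{{ lookup('env', 'VENV') | default('/opt/stack/bifrost') }}"
+bifrost_venv_env:
+  VIRTUAL_ENV: "{{ bifrost_venv_dir }}"
+  PATH: "{{ bifrost_venv_dir }}/bin:{{ ansible_env.PATH }}" # include regular path via lookup env
+  pydoc: "python -m pydoc"
+
+
+keystone:
+  debug: true
+  bootstrap:
+    enabled: true
+    username: admin
+    password: ChangeThisPa55w0rd
+    project_name: admin
+    admin_url: "http://127.0.0.1:35357/v3/"
+    public_url: "http://127.0.0.1:5000/v3/"
+    internal_url: "http://127.0.0.1:5000/v3/"
+    region_name: "RegionOne"
+  message_queue:
+    username: keystone
+    password: ChangeThisPa55w0rd
+    host: 127.0.0.1
+  database:
+    name: keystone
+    username: keystone
+    password: ChangeThisPa55w0rd
+    host: 127.0.0.1
+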
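Review bot: The three `ChangeThisPa55w0rd` placeholders and the empty `mysql_password` are live defaults, and nothing in the role refuses to bootstrap keystone with them, so a run that skips the README's "review and modify" step ends with an admin account and a DB/MQ user whose passwords are public in this repository. A guard task at the top of bootstrap.yml along the lines of `- fail: msg="keystone.bootstrap.password must be changed from the default"` with `when: keystone.bootstrap.password == 'ChangeThisPa55w0rd'` (and the same for the database and message_queue passwords) turns that into an early, explicit failure instead of a silently weak deployment. `keystone.debug: true` as the shipped default belongs on the same review list, since it makes the service log request detail; `false` is the safer default. Note also that the URLs here use `/v3/` while the README's copy of this same structure shows `/v2.0/`, so one of the two should be corrected.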
@ -0,0 +1,21 @@
|
||||
---
|
||||
init_template: upstart_template.j2
|
||||
init_dest_dir: /etc/init/
|
||||
init_ext: .conf
|
||||
nginx_user: www-data
|
||||
mysql_service_name: mysql
|
||||
required_packages:
|
||||
- mysql-server
|
||||
- rabbitmq-server
|
||||
- python-dev
|
||||
- python-mysqldb
|
||||
- python-configparser
|
||||
- libffi-dev
|
||||
- libxslt1-dev
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- nginx
|
||||
- uwsgi
|
||||
- uwsgi-core
|
||||
# - python-django-uwsgi - This may not be needed
|
||||
- uwsgi-plugin-python
|
@ -0,0 +1,20 @@
|
||||
---
|
||||
init_template: systemd_template.j2
|
||||
init_dest_dir: /usr/lib/systemd/system/
|
||||
init_ext: .service
|
||||
nginx_user: www-data
|
||||
mysql_service_name: mysql
|
||||
required_packages:
|
||||
- mysql-server
|
||||
- rabbitmq-server
|
||||
- python-dev
|
||||
- python-mysqldb
|
||||
- python-configparser
|
||||
- libffi-dev
|
||||
- libxslt1-dev
|
||||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- nginx
|
||||
- uwsgi
|
||||
- uwsgi-core
|
||||
- uwsgi-plugin-python
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
# NOTE(cinerama): On Fedora 22, ansible 1.9, ansible_pkg_mgr
|
||||
# defaults to yum, which may not be installed. This can be safely
|
||||
# removed when we start using an ansible release which prefers dnf.
|
||||
ansible_pkg_mgr: "dnf"
|
@ -0,0 +1,25 @@
|
||||
---
|
||||
init_template: systemd_template.j2
|
||||
init_dest_dir: /usr/lib/systemd/system/
|
||||
init_ext: .service
|
||||
syslinux_tftp_dir: /var/lib/tftpboot
|
||||
ipxe_dir: /usr/share/ipxe/
|
||||
ipxe_full_binary: ipxe.lkrn
|
||||
sgabios_dir: /usr/share/sgabios/
|
||||
nginx_user: nginx
|
||||
virt_group: libvirt
|
||||
mysql_service_name: mariadb
|
||||
tftp_service_name: tftp
|
||||
required_packages:
|
||||
- mariadb-server
|
||||
- rabbitmq-server
|
||||
- python-devel
|
||||
- MySQL-python
|
||||
- python-iniparse
|
||||
- libffi-devel
|
||||
- libxslt-devel
|
||||
- openssl-devel
|
||||
- libxml2-devel
|
||||
- nginx
|
||||
- uwsgi
|
||||
- uwsgi-plugin-python
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
init_template: systemd_template.j2
|
||||
init_dest_dir: /lib/systemd/system/
|
||||
init_ext: .service
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
init_template: systemd_template.j2
|
||||
init_dest_dir: /lib/systemd/system/
|
||||
init_ext: .service
|
@ -0,0 +1,4 @@
|
||||
---
|
||||
init_template: systemd_template.j2
|
||||
init_dest_dir: /lib/systemd/system/
|
||||
init_ext: .service
|
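--- a/playbooks/roles/bifrost-keystone-install/meta/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Ironic Developers
+  description: Install keystone for Bifrost
+  company: OpenStack
+  license: Apache
+  min_ansible_version: 2.1
+  platforms:
+    - name: Ubuntu
+      versions:
+        - xenial
+  categories:
+    - cloud
+    - cloud:openstack
+dependencies: []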
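--- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
@@ -0,0 +1,274 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# NOTE(TheJulia): There is significant commonality between this playbook
+# and the bifrost bootstrap process.
+- name: "If VENV is set in the environment, enable installation into venv"
+  set_fact:
+    enable_venv: true
+  when: lookup('env', 'VENV') | length > 0
+
+- name: "Get uwsgi install location"
+  shell: echo $(dirname $(which uwsgi))
+  register: uwsgi_install_prefix
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+
+- name: "Get keystone-wsgi-admin location"
+  shell: echo $(dirname $(which keystone-wsgi-admin))
+  register: keystone_install_prefix
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+
+# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
+# during bootstrapping. all other services are started in the Start phase.
+- name: "Start database service"
+  service: name={{ mysql_service_name }} state=started
+
+- name: "Start rabbitmq-server"
+  service: name=rabbitmq-server state=started
+
+# NOTE(cinerama): on some systems, rabbit may not be ready when we want to
+# make changes to users if we don't wait first
+- name: "Wait for rabbitmq"
+  wait_for: port=5672 delay=5
+
+- name: "Ensure guest user is removed from rabbitmq"
+  rabbitmq_user:
+    user: "guest"
+    state: absent
+    force: yes
+
+- name: "Create keystone user in RabbitMQ"
+  rabbitmq_user:
+    user: "{{ keystone.message_queue.username }}"
+    password: "{{ keystone.message_queue.password }}"
+    force: yes
+    state: present
+    configure_priv: ".*"
+    write_priv: ".*"
+    read_priv: ".*"
+  no_log: true
+
+- name: "Set mysql_username if environment variable mysql_user is set"
+  set_fact:
+    mysql_username: "{{ lookup('env', 'mysql_user') }}"
+  when: lookup('env', 'mysql_user') | length > 0
+  no_log: true
+
+- name: "Set mysql_password if environment variable mysql_pass is set"
+  set_fact:
+    mysql_password: "{{ lookup('env', 'mysql_pass') }}"
+  when: lookup('env', 'mysql_pass') | length > 0
+  no_log: true
+
+- name: "MySQL - Creating DB"
+  mysql_db:
+    name: "{{ keystone.database.name }}"
+    state: present
+    encoding: utf8
+    login_user: "{{ mysql_username | default(None) }}"
+    login_password: "{{ mysql_password | default(None) }}"
+  register: test_created_keystone_db
+
+- name: "MySQL - Creating user for keystone"
+  mysql_user:
+    name: "{{ keystone.database.username }}"
+    password: "{{ keystone.database.password }}"
+    priv: "{{ keystone.database.name }}.*:ALL"
+    state: present
+    login_user: "{{ mysql_username | default(None) }}"
+    login_password: "{{ mysql_password | default(None) }}"
+
+- name: "Create an keystone service group"
+  group:
+    name: "keystone"
+
+- name: "Create an keystone service user"
+  user:
+    name: "keystone"
+    group: "keystone"
+
+- name: "Ensure /etc/keystone exists"
+  file:
+    name: "/etc/keystone"
+    state: directory
+    owner: "keystone"
+    group: "keystone"
+    mode: 0755
+
+- name: "Write keystone configuration from template"
+  template:
+    src: keystone.conf.j2
+    dest: "/etc/keystone/keystone.conf"
+    owner: "keystone"
+    group: "keystone"
+    mode: 0755
+
+- name: "Copy policy.json to /etc/keystone"
+  copy:
+    src: "{{ keystone_git_folder }}/etc/policy.json"
+    dest: "/etc/keystone/"
+    owner: "keystone"
+    group: "keystone"
+    mode: 0644
+
+- name: "Copy keystone-paste.ini to /etc/keystone"
+  copy:
+    src: "{{ keystone_git_folder }}/etc/keystone-paste.ini"
+    dest: "/etc/keystone/"
+    owner: "keystone"
+    group: "keystone"
+    mode: 0644
+
+- name: "Apply/Update keystone DB Schema"
+  command: keystone-manage db_sync
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+
+- name: "Setup Keystone Credentials"
+  command: >
+    keystone-manage credential_setup
+    --keystone-user=keystone --keystone-group=keystone
+
+- name: "Bootstrap Keystone Database"
+  command: >
+    keystone-manage bootstrap
+    --bootstrap-username="{{ keystone.bootstrap.username }}"
+    --bootstrap-password="{{ keystone.bootstrap.password }}"
+    --bootstrap-project-name="{{ keystone.bootstrap.project_name }}"
+    --bootstrap-service-name="keystone"
+    --bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}"
+    --bootstrap-public-url="{{ keystone.bootstrap.public_url }}"
+    --bootstrap-internal-url="{{ keystone.bootstrap.internal_url }}"
+    --bootstrap-region-id="{{ keystone.bootstrap.region_name }}"
+  environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
+  when: >
+    test_created_keystone_db.changed | bool == true and
+    keystone.bootstrap.enabled | bool == true
+
+- name: "Reserve keystone admin port"
+  sysctl:
+    name: "net.ipv4.ip_local_reserved_ports"
+    value: 35357
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: "Ensure /var/www/keystone exists"
+  file:
+    name: "/var/www/keystone"
+    state: directory
+    owner: "keystone"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Add keystone to web server group"
+  user:
+    name: "keystone"
+    append: yes
+    groups: "{{nginx_user}}" # TODO(TheJulia): Split webserver user/group.
+
+- name: "Make folder for keystone logs"
+  file:
+    name: "/var/log/nginx/keystone"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Copy keystone-wsgi-public to /var/www/keystone/public"
+  copy:
+    src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-public"
+    dest: /var/www/keystone/public
+    owner: "keystone"
+    group: "{{nginx_user}}"
+    mode: 0754
+
+- name: "Copy keystone-wsgi-admin to /var/www/keystone/admin"
+  copy:
+    src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-admin"
+    dest: /var/www/keystone/admin
+    owner: "keystone"
+    group: "{{nginx_user}}"
+    mode: 0754
+
+- name: "Ensure /etc/uwsgi exists"
+  file:
+    name: "/etc/uwsgi"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Ensure /run/uwsgi exists"
+  file:
+    name: "/run/uwsgi"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0775
+
+- name: "Place keystone public uwsgi config"
+  template:
+    src: keystone-public.ini.j2
+    dest: /etc/uwsgi/apps-available/keystone-public.ini
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Place keystone admin uwsgi config"
+  template:
+    src: keystone-admin.ini.j2
+    dest: /etc/uwsgi/apps-available/keystone-admin.ini
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Enable keystone-public in uwsgi"
+  file:
+    src: "/etc/uwsgi/apps-available/keystone-public.ini"
+    dest: "/etc/uwsgi/apps-enabled/keystone-public.ini"
+    state: link
+
+- name: "Enable keystone-admin in uwsgi"
+  file:
+    src: "/etc/uwsgi/apps-available/keystone-admin.ini"
+    dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini"
+    state: link
+
+- name: "Place nginx core configuration"
+  # TODO(TheJulia): Refactor this out so we don't have anything related to
+  # bifrost it's self in the main config file.
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Place nginx configuration for keystone"
+  # TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's
+  # handling of co-existence needs to be cleaned up first.
+  template:
+    src: nginx_conf.d_bifrost-keystone.conf.j2
+    dest: /etc/nginx/conf.d/bifrost-keystone.conf
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0755
+
+- name: "Place uwsgi services"
+  template:
+    src: "{{ init_template }}"
+    dest: "{{ init_dest_dir }}{{ item.service_name }}{{ init_ext }}"
+    owner: "root"
+    group: "root"
+  with_items:
+    - { service_path: "{{ uwsgi_install_prefix.stdout }}", service_name: 'uwsgi', username: "{{nginx_user}}", args: '--master --emperor /etc/uwsgi/apps-enabled'}
+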
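Review bot: The "Write keystone configuration from template" task installs /etc/keystone/keystone.conf with `mode: 0755`, but that template embeds the database and message-queue passwords in `connection` and `transport_url`, so every local account can read them; `mode: "0640"` with the existing keystone:keystone ownership is what the file needs. The "Bootstrap Keystone Database" task passes `--bootstrap-password` on a `command` line without `no_log: true`, so the admin password appears in verbose Ansible output and in the process list while the command runs; the RabbitMQ user task already sets `no_log: true` and this one should too. The nginx.conf, conf.d/bifrost-keystone.conf and /etc/uwsgi/apps-available/*.ini files are written owned by `{{ nginx_user }}` with `mode: 0755`, which lets a compromised nginx worker (running as that user) rewrite configuration that the root nginx master re-reads on reload; `owner: root`, `group: root`, `mode: "0644"` is the usual arrangement for daemon configuration. Also, "Setup Keystone Credentials" is the only `keystone-manage` invocation without the `environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"` line, so in a venv install it runs whatever `keystone-manage` happens to be on the system PATH.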
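--- a/playbooks/roles/bifrost-keystone-install/tasks/install.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/install.yml
@@ -0,0 +1,47 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Install packages"
+  action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+  with_items: required_packages
+
+- name: "If VENV is set in the environment, enable installation into venv"
+  set_fact:
+    enable_venv: true
+  when: lookup('env', 'VENV') | length > 0
+
+# NOTE(TheJulia) While we don't necessarilly require /opt/stack any longer
+# and it should already be created by the Ansible setup, we will leave this
+# here for the time being.
+- name: "Ensure /opt/stack is present"
+  file: name=/opt/stack state=directory owner=root group=root
+  when: skip_install is not defined
+
+# NOTE(TheJulia): Part of Bifrost's install does this as well, but
+# duplicating here as we are installing a separate service with this.
+# We may wish to refactor this at a later point in time.
+- name: "Install configparser in venv if using"
+  include: pip_install.yml package=configparser virtualenv=bifrost_venv_dir
+  when: skip_install is not defined and (enable_venv | bool == true)
+
+- name: "Install pymysql in venv if using"
+  include: pip_install.yml package=pymysql virtualenv=bifrost_venv_dir
+  when: skip_install is not defined and (enable_venv | bool == true)
+
+- name: "Install keystone using pip"
+  include: pip_install.yml
+    package=keystone
+    state=latest
+    sourcedir={{ keystone_git_folder }}
+    source_install={{ keystone_source_install | bool }}
+  when: skip_install is not defined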
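Review bot: `skip_install` in the three `when: skip_install is not defined` conditions is never set by this role (defaults/main.yml defines `skip_package_install`, and tasks/main.yml already gates the whole include on it), so these conditions are either dead or depend on a variable leaking in from another role; either drop them or switch to `when: skip_package_install | bool != true` for consistency. `with_items: required_packages` is a bare variable reference, which Ansible 2.x accepts only with a deprecation warning; `with_items: "{{ required_packages }}"` is the supported form. On the supply-chain side, `state=latest` for the non-source path installs whatever keystone release PyPI serves at run time, and the source path installs from an unpinned clone of `keystone_git_url`; the README should tell operators to pin a release or commit so deployments are reproducible and auditable.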
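--- a/playbooks/roles/bifrost-keystone-install/tasks/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/main.yml
@@ -0,0 +1,46 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# NOTE(cinerama) dummy-defaults.yml is an empty defaults file. We use it
+# here to ensure that with_first_found won't fail should we not have
+# defaults for a particular distribution, version, etc.
+- name: Include OS family-specific defaults
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "../defaults/required_defaults_{{ ansible_os_family }}_family.yml"
+    - "../defaults/dummy-defaults.yml"
+
+- name: Include OS distribution-specific defaults
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "../defaults/required_defaults_{{ ansible_distribution }}.yml"
+    - "../defaults/dummy-defaults.yml"
+
+- name: Include OS version-specific defaults
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "../defaults/required_defaults_{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+    - "../defaults/required_defaults_{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml"
+    - "../defaults/dummy-defaults.yml"
+
+- name: "Install Keystone"
+  include: install.yml
+  when: enable_keystone is defined and enable_keystone |bool == True and skip_package_install | bool != True
+
+- name: "Bootstrap Keystone"
+  include: bootstrap.yml
+  when: enable_keystone is defined and enable_keystone |bool == True and skip_bootstrap | bool != True
+
+- name: "Start Keystone services"
+  include: start.yml
+  when: enable_keystone is defined and enable_keystone |bool == True and skip_start | bool != True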
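Review bot: The role is a no-op unless `enable_keystone` is set, yet that variable is declared neither in defaults/main.yml nor in the README's variable list, so an operator following the README's example playbook gets no keystone and no error. Adding `enable_keystone: false` to defaults/main.yml with a one-line comment, and naming it in the README, makes the gate discoverable; the `enable_keystone is defined and` half of each condition can then go. The three conditions would also read more plainly as `when: enable_keystone | bool and not (skip_package_install | bool)` and so on, instead of comparing against `True`.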
@ -0,0 +1,27 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
---
|
||||
- name: "Install {{ package }} package from pip"
|
||||
pip:
|
||||
name: "{{ package }}"
|
||||
state: "{{ state | default(omit) }}"
|
||||
version: "{{ version | default(omit) }}"
|
||||
virtualenv: "{{ bifrost_venv_dir if enable_venv else omit }}"
|
||||
when: source_install is not defined or source_install == false
|
||||
# NOTE (cinerama): We should be able to use the pip module here and
|
||||
# possibly merge these two tasks when
|
||||
# https://github.com/ansible/ansible-modules-core/pull/2600 lands.
|
||||
- name: "Install from {{ sourcedir }} using pip"
|
||||
command: pip install --upgrade --force-reinstall {{ sourcedir }}
|
||||
when: source_install is defined and (source_install | bool == true)
|
||||
environment: "{{ bifrost_venv_env if enable_venv else '{}' }}"
|
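--- a/playbooks/roles/bifrost-keystone-install/tasks/start.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/start.yml
@@ -0,0 +1,32 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+- name: "Reload systemd configuration"
+  command: systemctl daemon-reload
+  when: init_template == 'systemd_template.j2'
+
+- name: "Ensure required services are started"
+  service: name={{ item }} state=started
+  with_items:
+    - nginx
+    - uwsgi
+
+# In the event that this server was already running,
+# we need to HUP the service to help ensure that it
+# has the latest configuration. We do this because we
+# cannot trust what service returns as each init system
+# behaves differently.
+- name: "Send services a reload signal"
+  service: name={{ item }} state=reloaded
+  with_items:
+    - nginx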
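Review bot: "Ensure required services are started" starts nginx and uwsgi but never enables them, and nothing else in this change enables the uwsgi unit that bootstrap.yml writes, so keystone does not come back after a host reboot; `service: name={{ item }} state=started enabled=yes` covers both init systems. The reload task only signals nginx, so a changed /etc/keystone/keystone.conf is not picked up by already-running uwsgi vassals (the emperor watches the vassal .ini files, not keystone's own config, as far as I can tell); adding `- uwsgi` to that `with_items` list makes re-runs of the role actually apply configuration changes.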
@ -0,0 +1,18 @@
|
||||
{{ ansible_managed }}
|
||||
[uwsgi]
|
||||
master = true
|
||||
processes = 2
|
||||
threads = 2
|
||||
plugin = python
|
||||
no-orphans = true
|
||||
chmod-socket = 660
|
||||
|
||||
socket = /run/uwsgi/keystone-admin.socket
|
||||
pidfile = /run/uwsgi/keystone-admin.pid
|
||||
|
||||
name = keystone
|
||||
uid = keystone
|
||||
gid = {{ nginx_user }}
|
||||
|
||||
chdir = /var/www/keystone/
|
||||
wsgi-file = /var/www/keystone/admin
|
@ -0,0 +1,18 @@
|
||||
{{ ansible_managed }}
|
||||
[uwsgi]
|
||||
master = true
|
||||
processes = 2
|
||||
threads = 2
|
||||
plugin = python
|
||||
no-orphans = true
|
||||
chmod-socket = 660
|
||||
|
||||
socket = /run/uwsgi/keystone-public.socket
|
||||
pidfile = /run/uwsgi/keystone-public.pid
|
||||
|
||||
name = keystone
|
||||
uid = keystone
|
||||
gid = {{ nginx_user }}
|
||||
|
||||
chdir = /var/www/keystone/
|
||||
wsgi-file = /var/www/keystone/public
|
@ -0,0 +1,23 @@
|
||||
{{ ansible_managed }}
|
||||
[DEFAULT]
|
||||
|
||||
debug = {{ keystone.debug | bool }}
|
||||
transport_url = amqp://{{ keystone.message_queue.username }}:{{ keystone.message_queue.password }}@{{ keystone.message_queue.host }}:{{ keystone.message_queue.port | default('5672') }}/
|
||||
|
||||
[auth]
|
||||
|
||||
methods = password,token
|
||||
|
||||
{% if enable_cors | bool == true %}
|
||||
[cors]
|
||||
allowed_origin = {{ cors_allowed_origin | default('allowed_origin=http://localhost:8000') }}
|
||||
allow_credentials = {{ enable_cors_credential_support | default('true') }}
|
||||
{% endif %}
|
||||
|
||||
[database]
|
||||
|
||||
connection = mysql+pymysql://{{ keystone.database.username }}:{{ keystone.database.password }}@{{ keystone.database.host }}/{{ keystone.database.name }}?charset=utf8
|
||||
use_db_reconnect = true
|
||||
|
||||
[security_compliance]
|
||||
lockout_failure_attempts = 3
|
@ -0,0 +1,52 @@
|
||||
{{ ansible_managed }}
|
||||
user {{ nginx_user }};
|
||||
worker_processes 2;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
|
||||
server {
|
||||
listen {{ file_url_port }};
|
||||
server_name {{ ansible_hostname }};
|
||||
root {{ http_boot_folder }};
|
||||
location {{ http_boot_folder }}/ {
|
||||
alias {{ http_boot_folder }}/;
|
||||
}
|
||||
}
|
||||
include /etc/nginx/conf.d/bifrost*.conf;
|
||||
}
|
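Review bot: `# server_tokens off;` is left commented out, so nginx advertises its version on every response and error page for the keystone ports and the boot-file server alike; enabling it costs nothing. The template also references `file_url_port` and `http_boot_folder`, which this role's defaults do not define, so when bifrost-keystone-install runs before bifrost-ironic-install as the README recommends, rendering depends on the ironic role's defaults already being in scope — worth a comment or a `| default(...)` guard, since the failure mode is a template error mid-bootstrap. This file appears to duplicate the ironic role's nginx.conf.j2 (the other hunk on this page adds the same `include /etc/nginx/conf.d/bifrost*.conf;` line there), and that role then overwrites /etc/nginx/nginx.conf; a shared template would keep the two from drifting.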
@ -0,0 +1,21 @@
|
||||
{{ ansible_managed }}
|
||||
server {
|
||||
listen 5000;
|
||||
access_log /var/log/nginx/keystone/access.log;
|
||||
error_log /var/log/nginx/keystone/error.log;
|
||||
location / {
|
||||
uwsgi_pass unix:///run/uwsgi/keystone-public.socket;
|
||||
include uwsgi_params;
|
||||
uwsgi_param SCRIPT_NAME '';
|
||||
}
|
||||
}
|
||||
server {
|
||||
listen 35357;
|
||||
access_log /var/log/nginx/keystone/access.log;
|
||||
error_log /var/log/nginx/keystone/error.log;
|
||||
location / {
|
||||
uwsgi_pass unix:///run/uwsgi/keystone-admin.socket;
|
||||
include uwsgi_params;
|
||||
uwsgi_param SCRIPT_NAME '';
|
||||
}
|
||||
}
|
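Review bot: `listen 5000;` and `listen 35357;` bind every interface, while the endpoint URLs in the role defaults point at 127.0.0.1, so the identity service — including the admin API that was just bootstrapped with a well-known default password — is reachable from the network over plain HTTP. Binding explicitly (`listen 127.0.0.1:5000;` and `listen 127.0.0.1:35357;`, or a bind-address variable operators can widen on purpose) and stating in the README that this template configures no TLS closes the gap between what the defaults advertise and what is actually exposed.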
@ -0,0 +1,10 @@
|
||||
[Unit]
|
||||
Description={{ item.service_name }} service
|
||||
|
||||
[Service]
|
||||
ExecStart={{ item.service_path }}/{{ item.service_name }} {{ item.args }}
|
||||
User={{ item.username }}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias={{ item.service_name }}{{ init_ext }}
|
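Review bot: `User={{ item.username }}` runs the uwsgi emperor as the web-server user (bootstrap.yml passes `nginx_user` as `username`), while both vassal ini templates ask for `uid = keystone`; uwsgi can only switch uid/gid when it starts as root, so as far as I can tell either the vassals run as the web user and the keystone/nginx separation the rest of the role sets up is nominal, or they fail to start — worth confirming on a xenial host. If per-vassal privilege drop is the intent, start the emperor as root (dropping `User=`) so the `uid`/`gid` lines take effect; otherwise remove those lines from the ini templates so the configuration says what actually happens. `Alias={{ item.service_name }}{{ init_ext }}` just names the unit itself and is redundant, and there is no `Restart=` directive, so a crashed emperor stays down until the next playbook run.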
@ -0,0 +1,10 @@
|
||||
start on runlevel [2345]
|
||||
stop on runlevel [016]
|
||||
pre-start script
|
||||
mkdir -p /var/run/{{ item.username }}
|
||||
chown -R {{ item.username }}:{{ item.username }} /var/run/{{ item.username }}
|
||||
end script
|
||||
respawn
|
||||
respawn limit 2 10
|
||||
|
||||
exec start-stop-daemon --start -c {{ item.username }} --exec {{ item.service_path }}/{{ item.service_name }} -- {{ item.args }}
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- An ansible role enabling the installation of keystone has
|
||||
been added in preparation for the addition of keystone
|
||||
support to bifrost.
|
@ -198,6 +198,10 @@ check_get_module `pwd`/lib/ansible/modules/core/cloud/openstack/os_ironic_node.p
|
||||
check_get_module `pwd`/lib/ansible/modules/extras/cloud/openstack/os_ironic_inspect.py \
|
||||
https://raw.githubusercontent.com/juliakreger/ansible-modules-extras/feature/os-ironic-inspect/cloud/openstack/os_ironic_inspect.py
|
||||
|
||||
# os_keystone_service is targeted for Ansible 2.2
|
||||
check_get_module `pwd`/lib/ansible/modules/extras/cloud/openstack/os_keystone_service.py \
|
||||
https://raw.githubusercontent.com/ansible/ansible-modules-extras/devel/cloud/openstack/os_keystone_service.py
|
||||
|
||||
if [ -n "${VENV-}" ]; then
|
||||
sudo -H -E ${PIP} install --upgrade ${ANSIBLE_INSTALL_ROOT}/ansible
|
||||
echo
|
||||
|
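Review bot: `check_get_module` fetches os_keystone_service.py from the `devel` branch of ansible-modules-extras via a raw.githubusercontent.com URL, so what ends up executing with the operator's privileges is whatever that branch holds at run time, with no pin and no checksum. Pinning the URL to a commit SHA (`https://raw.githubusercontent.com/ansible/ansible-modules-extras/<sha>/cloud/openstack/os_keystone_service.py`) and recording the expected sha256 next to it would make the dependency reproducible and auditable. The README's Dependencies section names `os_keystone_session` as the required module, which does not match the `os_keystone_service` fetched here; one of the two looks like a typo.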