# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. --- # NOTE(TheJulia): There is significant commonality between this playbook # and the bifrost bootstrap process. - name: "If VENV is set in the environment, enable installation into venv" set_fact: enable_venv: true when: lookup('env', 'VENV') | length > 0 - name: "Get uwsgi install location" shell: echo $(dirname $(which uwsgi)) register: uwsgi_install_prefix environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" - name: "Get keystone-wsgi-admin location" shell: echo $(dirname $(which keystone-wsgi-admin)) register: keystone_install_prefix environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" # NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started # during bootstrapping. all other services are started in the Start phase. - name: "Start database service" service: name={{ mysql_service_name }} state=started - name: "Start rabbitmq-server" service: name=rabbitmq-server state=started # NOTE(cinerama): on some systems, rabbit may not be ready when we want to # make changes to users if we don't wait first - name: "Wait for rabbitmq" wait_for: port=5672 delay=5 - name: "Ensure guest user is removed from rabbitmq" rabbitmq_user: user: "guest" state: absent force: yes - name: "Create keystone user in RabbitMQ" rabbitmq_user: user: "{{ keystone.message_queue.username }}" password: "{{ keystone.message_queue.password }}" force: yes state: present configure_priv: ".*" write_priv: ".*" read_priv: ".*" no_log: true - name: "Set mysql_username if environment variable mysql_user is set" set_fact: mysql_username: "{{ lookup('env', 'mysql_user') }}" when: lookup('env', 'mysql_user') | length > 0 no_log: true - name: "Set mysql_password if environment variable mysql_pass is set" set_fact: mysql_password: "{{ lookup('env', 'mysql_pass') }}" when: lookup('env', 'mysql_pass') | length > 0 no_log: true - name: "MySQL - Creating DB" mysql_db: name: "{{ keystone.database.name }}" state: present encoding: utf8 login_user: "{{ mysql_username | default(None) }}" login_password: "{{ mysql_password | default(None) }}" register: test_created_keystone_db - name: "MySQL - Creating user for keystone" mysql_user: name: "{{ keystone.database.username }}" password: "{{ keystone.database.password }}" priv: "{{ keystone.database.name }}.*:ALL" state: present login_user: "{{ mysql_username | default(None) }}" login_password: "{{ mysql_password | default(None) }}" - name: "Create an keystone service group" group: name: "keystone" - name: "Create an keystone service user" user: name: "keystone" group: "keystone" - name: "Ensure /etc/keystone exists" file: name: "/etc/keystone" state: directory owner: "keystone" group: "keystone" mode: 0755 - name: "Write keystone configuration from template" template: src: keystone.conf.j2 dest: "/etc/keystone/keystone.conf" owner: "keystone" group: "keystone" mode: 0755 - name: "Copy policy.json to /etc/keystone" copy: src: "{{ keystone_git_folder }}/etc/policy.json" dest: "/etc/keystone/" owner: "keystone" group: "keystone" mode: 0644 - name: "Copy keystone-paste.ini to /etc/keystone" copy: src: "{{ keystone_git_folder }}/etc/keystone-paste.ini" dest: "/etc/keystone/" owner: "keystone" group: "keystone" mode: 0644 - name: "Apply/Update keystone DB Schema" command: keystone-manage db_sync environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" - name: "Setup Keystone Credentials" command: > keystone-manage credential_setup --keystone-user=keystone --keystone-group=keystone - name: "Bootstrap Keystone Database" command: > keystone-manage bootstrap --bootstrap-username="{{ keystone.bootstrap.username }}" --bootstrap-password="{{ keystone.bootstrap.password }}" --bootstrap-project-name="{{ keystone.bootstrap.project_name }}" --bootstrap-service-name="keystone" --bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}" --bootstrap-public-url="{{ keystone.bootstrap.public_url }}" --bootstrap-internal-url="{{ keystone.bootstrap.internal_url }}" --bootstrap-region-id="{{ keystone.bootstrap.region_name }}" environment: "{{ bifrost_venv_env if enable_venv else '{}' }}" when: > test_created_keystone_db.changed | bool == true and keystone.bootstrap.enabled | bool == true - name: "Reserve keystone admin port" sysctl: name: "net.ipv4.ip_local_reserved_ports" value: 35357 sysctl_set: yes state: present reload: yes - name: "Ensure /var/www/keystone exists" file: name: "/var/www/keystone" state: directory owner: "keystone" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Add keystone to web server group" user: name: "keystone" append: yes groups: "{{nginx_user}}" # TODO(TheJulia): Split webserver user/group. - name: "Make folder for keystone logs" file: name: "/var/log/nginx/keystone" state: directory owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Copy keystone-wsgi-public to /var/www/keystone/public" copy: src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-public" dest: /var/www/keystone/public owner: "keystone" group: "{{nginx_user}}" mode: 0754 - name: "Copy keystone-wsgi-admin to /var/www/keystone/admin" copy: src: "{{ keystone_install_prefix.stdout }}/keystone-wsgi-admin" dest: /var/www/keystone/admin owner: "keystone" group: "{{nginx_user}}" mode: 0754 - name: "Ensure /etc/uwsgi exists" file: name: "/etc/uwsgi" state: directory owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Ensure /run/uwsgi exists" file: name: "/run/uwsgi" state: directory owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0775 - name: "Place keystone public uwsgi config" template: src: keystone-public.ini.j2 dest: /etc/uwsgi/apps-available/keystone-public.ini owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Place keystone admin uwsgi config" template: src: keystone-admin.ini.j2 dest: /etc/uwsgi/apps-available/keystone-admin.ini owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Enable keystone-public in uwsgi" file: src: "/etc/uwsgi/apps-available/keystone-public.ini" dest: "/etc/uwsgi/apps-enabled/keystone-public.ini" state: link - name: "Enable keystone-admin in uwsgi" file: src: "/etc/uwsgi/apps-available/keystone-admin.ini" dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini" state: link - name: "Place nginx core configuration" # TODO(TheJulia): Refactor this out so we don't have anything related to # bifrost it's self in the main config file. template: src: nginx.conf.j2 dest: /etc/nginx/nginx.conf owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Place nginx configuration for keystone" # TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's # handling of co-existence needs to be cleaned up first. template: src: nginx_conf.d_bifrost-keystone.conf.j2 dest: /etc/nginx/conf.d/bifrost-keystone.conf owner: "{{ nginx_user }}" group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group. mode: 0755 - name: "Place uwsgi services" template: src: "{{ init_template }}" dest: "{{ init_dest_dir }}{{ item.service_name }}{{ init_ext }}" owner: "root" group: "root" with_items: - { service_path: "{{ uwsgi_install_prefix.stdout }}", service_name: 'uwsgi', username: "{{nginx_user}}", args: '--master --emperor /etc/uwsgi/apps-enabled'}