Kevin Carter 676d574623
Run security hardening when leaping a deployment
The security hardening playbook was not being executed. This change adds
the security hardening playbook to the default re-deployment process. If
a deployer wishes to opt out of the default security hardening, they can
disable it using the `apply_security_hardening` option.

Change-Id: I69baa1d2cb209cf3686ca2da00e698ed5dbf92f9
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-10-25 10:47:48 -05:00


#!/usr/bin/env bash
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Shell Opts ----------------------------------------------------------------
# Abort on the first failing command and on any reference to an unset variable.
set -eu
## Main ----------------------------------------------------------------------
# Shared release/path variables and the helpers used below (link_release,
# notice, run_items) are not defined in this file; presumably they come from
# these two libraries — verify against lib/vars.sh and lib/functions.sh.
source lib/vars.sh
source lib/functions.sh
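### Set lock file to notate redeploy has started
# Notate that redeploy has started, if it fails midway, it can be
# resumed from the starting script without getting prompted to
# set the version again.
touch /etc/openstack_deploy/upgrade-leap/redeploy-started.complete
### Run the redeploy tasks
# Forget about the old neutron agent container in inventory.
# This is done to maximize uptime by leaving the old systems in
# place while the redeployment work is going on.
# The .complete marker makes this step idempotent across resumed runs.
# TODO(evrardjp): Move this to a playbook, this way it will follow the
# RUN_TASKS model
if [[ ! -f /etc/openstack_deploy/upgrade-leap/neutron-container-forget.complete ]]; then
  # SCRIPTS_PATH and MAIN_PATH are set only in the helper's environment;
  # they are not exported into the rest of this script.
  # The helper path is quoted so a UPGRADE_UTILS value containing
  # whitespace or glob characters is still invoked as a single command.
  SCRIPTS_PATH="/opt/leap42/openstack-ansible-${NEWTON_RELEASE}/scripts" \
  MAIN_PATH="/opt/leap42/openstack-ansible-${NEWTON_RELEASE}" \
  "${UPGRADE_UTILS}/neutron-container-forget.sh"
  touch /etc/openstack_deploy/upgrade-leap/neutron-container-forget.complete
fi
link_release "/opt/leap42/openstack-ansible-${NEWTON_RELEASE}"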
# Ordered list of playbooks (plus optional arguments) handed to run_items.
# Each entry is one string; run_items is expected to split it into the
# playbook name and its extra arguments — confirm in lib/functions.sh.
RUN_TASKS=()
# Pre-setup-hosts hook
if [[ -n ${PRE_SETUP_HOSTS_HOOK+x} ]]; then RUN_TASKS+=("$PRE_SETUP_HOSTS_HOOK"); fi
# Setup Hosts
RUN_TASKS+=("openstack-hosts-setup.yml -e redeploy_rerun=true")
# Security hardening is always queued during redeployment; there is no
# switch for it in this script, the opt-out is the apply_security_hardening
# playbook option.
RUN_TASKS+=("security-hardening.yml")
RUN_TASKS+=(
  # Ensure the same pip everywhere, even if requirement met or above
  "${UPGRADE_UTILS}/pip-unify.yml -e release_version=\"${NEWTON_RELEASE}\""
  "${UPGRADE_UTILS}/db-stop.yml"
  "${UPGRADE_UTILS}/ansible_fact_cleanup.yml"
  # Physical host cleanup
  "${UPGRADE_UTILS}/destroy-old-containers.yml"
  # Permissions for qemu save, because physical host cleanup
  "${UPGRADE_UTILS}/nova-libvirt-fix.yml"
  "lxc-hosts-setup.yml"
  "lxc-containers-create.yml"
)
# Post-setup-hosts hook
if [[ -n ${POST_SETUP_HOSTS_HOOK+x} ]]; then RUN_TASKS+=("$POST_SETUP_HOSTS_HOOK"); fi
# Pre-setup-infrastructure hook
if [[ -n ${PRE_SETUP_INFRASTRUCTURE_HOOK+x} ]]; then RUN_TASKS+=("$PRE_SETUP_INFRASTRUCTURE_HOOK"); fi
# Setup Infrastructure
RUN_TASKS+=(
  "unbound-install.yml"
  "repo-install.yml"
  "${UPGRADE_UTILS}/haproxy-cleanup.yml"
  "haproxy-install.yml"
  "memcached-install.yml"
  "galera-install.yml"
  "rabbitmq-install.yml"
  "etcd-install.yml"
  "utility-install.yml"
  "rsyslog-install.yml"
  # MariaDB sync for major maria upgrades and cluster schema sync
  "${UPGRADE_UTILS}/db-force-upgrade.yml"
)
# Post-setup-infrastructure hook
if [[ -n ${POST_SETUP_INFRASTRUCTURE_HOOK+x} ]]; then RUN_TASKS+=("$POST_SETUP_INFRASTRUCTURE_HOOK"); fi
# Pre-setup-openstack hook
if [[ -n ${PRE_SETUP_OPENSTACK_HOOK+x} ]]; then RUN_TASKS+=("$PRE_SETUP_OPENSTACK_HOOK"); fi
# Setup OpenStack
RUN_TASKS+=(
  "os-keystone-install.yml"
  "os-glance-install.yml"
  "os-cinder-install.yml"
  # The first run will install everything everywhere and restart the nova services
  "os-nova-install.yml"
  # This is being run before hand to ensure a speedy service upgrade to maintain running VMs.
  # this also works around an issue where very early versions of libvirt may not be fully
  # replaced on the first run.
  "os-nova-install.yml --limit nova_compute"
  "os-neutron-install.yml"
  "${UPGRADE_UTILS}/neutron-remove-old-containers.yml"
  "os-heat-install.yml"
  "os-horizon-install.yml"
  "os-ceilometer-install.yml"
  "os-aodh-install.yml"
)
# When gnocchi stores into swift, run gnocchi once (identity only) before
# swift is installed; the full gnocchi install still happens further down.
if grep -rni "^gnocchi_storage_driver" /etc/openstack_deploy/*.{yaml,yml} | grep -qw "swift"; then
  RUN_TASKS+=("os-gnocchi-install.yml -e gnocchi_identity_only=true")
fi
RUN_TASKS+=(
  "os-swift-install.yml"
  "os-gnocchi-install.yml"
  "os-ironic-install.yml"
  "os-magnum-install.yml"
  "os-sahara-install.yml"
  "${UPGRADE_UTILS}/post-redeploy-cleanup.yml"
)
# Post-setup-openstack hook
if [[ -n ${POST_SETUP_OPENSTACK_HOOK+x} ]]; then RUN_TASKS+=("$POST_SETUP_OPENSTACK_HOOK"); fi
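# Loads a shell script that can be used to modify
# the RUN_TASKS behavior.
# The file is sourced into this shell, so it runs with this script's
# privileges and can alter any variable or function defined so far;
# REDEPLOY_EXTRA_SCRIPT must therefore only point at a deployer-owned file.
if [[ -n ${REDEPLOY_EXTRA_SCRIPT:-} ]]; then
  notice "Running extra script before re-deploy"
  # Quoted so a path with whitespace or glob characters is sourced as one file.
  # shellcheck disable=SC1090 — path is only known at runtime
  source "${REDEPLOY_EXTRA_SCRIPT}"
fi
# Execute every queued playbook against the release folder.
run_items "${REDEPLOY_OA_FOLDER}"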
### Run the redeploy tasks