Update cinder services to kilo

The project is moving to support kilo in master. This requires that the
cinder galaxy role be updated to support installing the kilo release of
cinder.

This commit makes changes not added by the minimum viable kilo install
patch - https://review.openstack.org/#/c/166986/

Changes:

cinder.conf
- [DEFAULT] backup_metadata_version is now configurable because the
version has changed. The default is 2, in juno it was 1.
- [DEFAULT] client_socket_timeout is now configurable because the value
has changed. The default is 900, in juno it was 0.
- [profiler] profiler_enabled is now configurable but disabled by
default. Although this feature is part of juno the api-paste.ini file
was not updated in os-a-d juno to make use of it.
- [profiler] trace_sqlalchemy is now configurable but disabled by
default.
- [DEFAULT] rabbit_port -> [oslo_messaging_rabbit] rabbit_port
- [DEFAULT] rabbit_userid -> [oslo_messaging_rabbit] rabbit_userid
- [DEFAULT] rabbit_password -> [oslo_messaging_rabbit] rabbit_password
- [DEFAULT] rabbit_hosts -> [oslo_messaging_rabbit] rabbit_hosts
- [DEFAULT] lock_path -> [oslo_concurrency] lock_path
- [DEFAULT] enable_v1_api is now configurable. The default is true.
This has been added because the v1 API is deprecated and will be
removed in liberty.
- [DEFAULT] enable_v2_api is now configurable. The default is true.

policy.json
- Update policy.json from icehouse default to kilo default version. This
adds/modifies a number of rules and also updates the format of the file
to the current version.

api-paste.ini
- Add the osprofiler filter. This file is now deployed using a template
so that the hmac_keys configuration option can be set using the var
cinder_profiler_hmac_key.
- replace deprecated middleware with oslo_middleware versions.

rootwrap.conf
Updates the file to match kilo default.

volume.filters
Updates the file to match the kilo default.

The volume_driver var has been updated to use the new LVM driver class.

The signing_dir, /var/cache/cinder, permissions changed from 0755 to
0700 for fix warning by keystonemiddleware.

Implements: blueprint master-kilofication
Change-Id: I91f2385969568b18635bc534a98138d3dd5c5af2

defaults/main.yml

@@ -41,6 +41,10 @@ cinder_system_home_folder: "/var/lib/{{ cinder_system_user_name }}"
 cinder_service_admin_tenant_name: "service"
 cinder_service_admin_username: "cinder"
 
+## Cinder API's enabled
+cinder_enable_v1_api: true
+cinder_enable_v2_api: true
+
 ## Cinder api service type and data
 cinder_service_name: cinder
 cinder_service_user_name: cinder
@@ -89,6 +93,7 @@ cinder_service_backup_swift_object_size: 52428800
 cinder_service_backup_swift_retry_attempts: 3
 cinder_service_backup_swift_retry_backoff: 2
 cinder_service_backup_compression_algorithm: zlib
+cinder_service_backup_metadata_version: 2
 
 cinder_service_volume_program_name: cinder-volume
 
@@ -120,13 +125,20 @@ cinder_volume_clear_size: 0
 
 cinder_volume_name_template: volume-%s
 
+# osprofiler
+cinder_profiler_enabled: false
+# cinder_profiler_hmac_key is set in user_secrets.yml
+cinder_profiler_trace_sqlalchemy: false
+
+cinder_client_socket_timeout: 900
+
 ## General configuration
 ## Set this in rpc_user_config.yml UNLESS you want all hosts to use the same
 ## Cinder backends.  See the rpc_user_config example for more on how this is done.
 # cinder_backends:
 #   lvm:
 #     volume_group: cinder-volumes
-#     volume_driver: cinder.volume.drivers.lvm.LVMISCSIDriver
+#     volume_driver: cinder.volume.drivers.lvm.LVMVolumeDriver
 #     volume_backend_name: LVM_iSCSI
 
 ## Define nfs information for cinder. When the cinder_nfs_client dictionary is defined,

files/policy.json

@@ -1,59 +1,86 @@
 {
-    "context_is_admin": [["role:admin"]],
-    "admin_or_owner":  [["is_admin:True"], ["project_id:%(project_id)s"]],
-    "default": [["rule:admin_or_owner"]],
+    "context_is_admin": "role:admin",
+    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
+    "default": "rule:admin_or_owner",
 
-    "admin_api": [["is_admin:True"]],
+    "admin_api": "is_admin:True",
 
-    "volume:create": [],
-    "volume:get_all": [],
-    "volume:get_volume_metadata": [],
-    "volume:get_volume_admin_metadata": [["rule:admin_api"]],
-    "volume:delete_volume_admin_metadata": [["rule:admin_api"]],
-    "volume:update_volume_admin_metadata": [["rule:admin_api"]],
-    "volume:get_snapshot": [],
-    "volume:get_all_snapshots": [],
-    "volume:extend": [],
-    "volume:update_readonly_flag": [],
-    "volume:retype": [],
+    "volume:create": "",
+    "volume:delete": "",
+    "volume:get": "",
+    "volume:get_all": "",
+    "volume:get_volume_metadata": "",
+    "volume:get_volume_admin_metadata": "rule:admin_api",
+    "volume:delete_volume_admin_metadata": "rule:admin_api",
+    "volume:update_volume_admin_metadata": "rule:admin_api",
+    "volume:get_snapshot": "",
+    "volume:get_all_snapshots": "",
+    "volume:extend": "",
+    "volume:update_readonly_flag": "",
+    "volume:retype": "",
 
-    "volume_extension:types_manage": [["rule:admin_api"]],
-    "volume_extension:types_extra_specs": [["rule:admin_api"]],
-    "volume_extension:volume_type_encryption": [["rule:admin_api"]],
-    "volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]],
-    "volume_extension:extended_snapshot_attributes": [],
-    "volume_extension:volume_image_metadata": [],
+    "volume_extension:types_manage": "rule:admin_api",
+    "volume_extension:types_extra_specs": "rule:admin_api",
+    "volume_extension:volume_type_access": "",
+    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
+    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
+    "volume_extension:volume_type_encryption": "rule:admin_api",
+    "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
+    "volume_extension:extended_snapshot_attributes": "",
+    "volume_extension:volume_image_metadata": "",
 
-    "volume_extension:quotas:show": [],
-    "volume_extension:quotas:update": [["rule:admin_api"]],
-    "volume_extension:quota_classes": [],
+    "volume_extension:quotas:show": "",
+    "volume_extension:quotas:update": "rule:admin_api",
+    "volume_extension:quota_classes": "",
 
-    "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]],
-    "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]],
-    "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
-    "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]],
-    "volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]],
-    "volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]],
+    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
+    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
+    "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
+    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
+    "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
+    "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
+    "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
+    "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
 
-    "volume_extension:volume_host_attribute": [["rule:admin_api"]],
-    "volume_extension:volume_tenant_attribute": [["rule:admin_or_owner"]],
-    "volume_extension:volume_mig_status_attribute": [["rule:admin_api"]],
-    "volume_extension:hosts": [["rule:admin_api"]],
-    "volume_extension:services": [["rule:admin_api"]],
-    "volume:services": [["rule:admin_api"]],
+    "volume_extension:volume_host_attribute": "rule:admin_api",
+    "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
+    "volume_extension:volume_mig_status_attribute": "rule:admin_api",
+    "volume_extension:hosts": "rule:admin_api",
+    "volume_extension:services": "rule:admin_api",
 
-    "volume:create_transfer": [],
-    "volume:accept_transfer": [],
-    "volume:delete_transfer": [],
-    "volume:get_all_transfers": [],
+    "volume_extension:volume_manage": "rule:admin_api",
+    "volume_extension:volume_unmanage": "rule:admin_api",
 
-    "backup:create" : [],
-    "backup:delete": [],
-    "backup:get": [],
-    "backup:get_all": [],
-    "backup:restore": [],
-    "backup:backup-import": [["rule:admin_api"]],
-    "backup:backup-export": [["rule:admin_api"]],
+    "volume:services": "rule:admin_api",
 
-    "snapshot_extension:snapshot_actions:update_snapshot_status": []
+    "volume:create_transfer": "",
+    "volume:accept_transfer": "",
+    "volume:delete_transfer": "",
+    "volume:get_all_transfers": "",
+
+    "volume_extension:replication:promote": "rule:admin_api",
+    "volume_extension:replication:reenable": "rule:admin_api",
+
+    "backup:create" : "",
+    "backup:delete": "",
+    "backup:get": "",
+    "backup:get_all": "",
+    "backup:restore": "",
+    "backup:backup-import": "rule:admin_api",
+    "backup:backup-export": "rule:admin_api",
+
+    "snapshot_extension:snapshot_actions:update_snapshot_status": "",
+
+    "consistencygroup:create" : "group:nobody",
+    "consistencygroup:delete": "group:nobody",
+    "consistencygroup:update": "group:nobody",
+    "consistencygroup:get": "group:nobody",
+    "consistencygroup:get_all": "group:nobody",
+
+    "consistencygroup:create_cgsnapshot" : "group:nobody",
+    "consistencygroup:delete_cgsnapshot": "group:nobody",
+    "consistencygroup:get_cgsnapshot": "group:nobody",
+    "consistencygroup:get_all_cgsnapshots": "group:nobody",
+
+    "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api"
 }

files/rootwrap.conf

@@ -10,7 +10,7 @@ filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
 
 # Enable logging to syslog
 # Default value is False

files/volume.filters

@@ -5,8 +5,10 @@
 # cinder/volume/iscsi.py: iscsi_helper '--op' ...
 ietadm: CommandFilter, ietadm, root
 tgtadm: CommandFilter, tgtadm, root
+iscsictl: CommandFilter, iscsictl, root
 tgt-admin: CommandFilter, tgt-admin, root
 cinder-rtstool: CommandFilter, cinder-rtstool, root
+scstadmin: CommandFilter, scstadmin, root
 
 # LVM related show commands
 pvs: EnvFilter, env, root, LC_ALL=C, pvs
@@ -14,6 +16,25 @@ vgs: EnvFilter, env, root, LC_ALL=C, vgs
 lvs: EnvFilter, env, root, LC_ALL=C, lvs
 lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay
 
+# LVM conf var
+pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs
+vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs
+lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
+lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay
+
+# cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname
+pvresize: CommandFilter, pvresize, root
+
+# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list
+vgcreate: CommandFilter, vgcreate, root
+
+# cinder/volumes/drivers/srb.py: 'vgremove', '-f', vgname
+vgremove: CommandFilter, vgremove, root
+
+# cinder/volumes/drivers/srb.py: 'vgchange', '-an', vgname
+# cinder/volumes/drivers/srb.py: 'vgchange', '-ay', vgname
+vgchange: CommandFilter, vgchange, root
+
 # cinder/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,..
 # cinder/volume/driver.py: 'lvcreate', '-L', ...
 lvcreate: CommandFilter, lvcreate, root
@@ -28,6 +49,7 @@ lvremove: CommandFilter, lvremove, root
 lvrename: CommandFilter, lvrename, root
 
 # cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ...
+# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ...
 lvextend: CommandFilter, lvextend, root
 
 # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K <lv>'
@@ -93,12 +115,14 @@ ssc: CommandFilter, ssc, root
 ls: CommandFilter, ls, root
 tee: CommandFilter, tee, root
 multipath: CommandFilter, multipath, root
+multipathd: CommandFilter, multipathd, root
 systool: CommandFilter, systool, root
 
 # cinder/volume/drivers/block_device.py
 blockdev: CommandFilter, blockdev, root
 
 # cinder/volume/drivers/ibm/gpfs.py
+cp: CommandFilter, cp, root
 mv: CommandFilter, mv, root
 mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
 mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root
@@ -108,6 +132,12 @@ mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root
 mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root
 mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root
 mkfs: CommandFilter, mkfs, root
+mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
 
 # cinder/volume/drivers/ibm/gpfs.py
 # cinder/volume/drivers/ibm/ibmnas.py

tasks/cinder_post_install.yml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Generate cinder Config
+- name: Generate cinder configs
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -21,19 +21,19 @@
     group: "{{ cinder_system_group_name }}"
   with_items:
     - { src: "cinder.conf.j2", dest: "/etc/cinder/cinder.conf" }
+    - { src: "api-paste.ini.j2", dest: "/etc/cinder/api-paste.ini" }
   notify:
     - Restart cinder services
   tags:
     - cinder-config
 
-- name: Drop cinder Configs
+- name: Drop cinder configs
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     owner: "{{ cinder_system_user_name }}"
     group: "{{ cinder_system_group_name }}"
   with_items:
-    - { src: "api-paste.ini", dest: "/etc/cinder/api-paste.ini" }
     - { src: "policy.json", dest: "/etc/cinder/policy.json" }
     - { src: "volume.filters", dest: "/etc/cinder/rootwrap.d/volume.filters" }
     - { src: "rootwrap.conf", dest: "/etc/cinder/rootwrap.conf" }

tasks/cinder_pre_install.yml

@@ -40,7 +40,7 @@
     owner: "{{ item.owner|default(cinder_system_user_name) }}"
     group: "{{ item.group|default(cinder_system_group_name) }}"
   with_items:
-    - { path: "/var/cache/cinder" }
+    - { path: "/var/cache/cinder", mode: "0700" }
     - { path: "/etc/cinder" }
     - { path: "/etc/cinder/rootwrap.d" }
     - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }

templates/api-paste.ini.j2

@@ -10,27 +10,32 @@ use = call:cinder.api:root_app_factory
 
 [composite:openstack_volume_api_v1]
 use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = request_id faultwrap sizelimit noauth apiv1
-keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv1
-keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv1
+noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
 
 [composite:openstack_volume_api_v2]
 use = call:cinder.api.middleware.auth:pipeline_factory
-noauth = request_id faultwrap sizelimit noauth apiv2
-keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv2
-keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv2
+noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
+keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
+keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
 
 [filter:request_id]
-paste.filter_factory = cinder.openstack.common.middleware.request_id:RequestIdMiddleware.factory
+paste.filter_factory = oslo_middleware.request_id:RequestId.factory
 
 [filter:faultwrap]
 paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
 
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = {{ cinder_profiler_hmac_key }}
+enabled = yes
+
 [filter:noauth]
 paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
 
 [filter:sizelimit]
-paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
+paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
 
 [app:apiv1]
 paste.app_factory = cinder.api.v1.router:APIRouter.factory

templates/cinder.conf.j2

@@ -11,11 +11,14 @@ my_ip = {{ cinder_storage_address }}
 
 osapi_volume_workers = {{ cinder_osapi_volume_workers | default(api_threads) }}
 
-lock_path = /var/lock/cinder
 rootwrap_config = /etc/cinder/rootwrap.conf
 api_paste_config = /etc/cinder/api-paste.ini
 auth_strategy = keystone
 
+## Cinder API's enabled
+enable_v1_api = {{ cinder_enable_v1_api }}
+enable_v2_api = {{ cinder_enable_v2_api }}
+
 {% if inventory_hostname not in groups['cinder_volume'] %}
 {% if cinder_service_backup_program_enabled == true %}
 {% if cinder_service_backup_swift_url is defined and cinder_service_backup_swift_user is defined and cinder_service_backup_swift_key is defined %}
@@ -30,16 +33,13 @@ backup_swift_object_size = {{ cinder_service_backup_swift_object_size }}
 backup_swift_retry_attempts = {{ cinder_service_backup_swift_retry_attempts }}
 backup_swift_retry_backoff = {{ cinder_service_backup_swift_retry_backoff }}
 backup_compression_algorithm = {{ cinder_service_backup_compression_algorithm }}
+backup_metadata_version = {{ cinder_service_backup_metadata_version }}
 {% endif %}
 {% endif %}
 {% endif %}
 
 ## RabbitMQ
 rpc_backend = {{ cinder_rpc_backend }}
-rabbit_port = {{ rabbitmq_port }}
-rabbit_userid = {{ rabbitmq_userid }}
-rabbit_password = {{ rabbitmq_password }}
-rabbit_hosts = {{ rabbitmq_servers }}
 
 ## Nova
 nova_catalog_info = {{ cinder_nova_catalog_info }}
@@ -65,6 +65,8 @@ iscsi_ip_address = $my_ip
 iscsi_num_targets = {{ cinder_iscsi_num_targets }}
 iscsi_port = {{ cinder_iscsi_port }}
 
+client_socket_timeout = {{ cinder_client_socket_timeout }}
+
 {% if cinder_default_volume_type is defined %}
 default_volume_type = {{ cinder_default_volume_type }}
 {% endif %}
@@ -88,6 +90,18 @@ nfs_shares_config={{ cinder_nfs_client.nfs_shares_config }}
 [database]
 connection = mysql://{{ cinder_galera_user }}:{{ cinder_container_mysql_password }}@{{ galera_address }}/{{ cinder_galera_database }}?charset=utf8
 
+[oslo_messaging_rabbit]
+rabbit_port = {{ rabbitmq_port }}
+rabbit_userid = {{ rabbitmq_userid }}
+rabbit_password = {{ rabbitmq_password }}
+rabbit_hosts = {{ rabbitmq_servers }}
+
+[oslo_concurrency]
+lock_path = /var/lock/cinder
+
+[profiler]
+profiler_enabled = {{ cinder_profiler_enabled }}
+trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }}
 
 [keystone_authtoken]
 signing_dir = /var/cache/cinder