From 9b472d3d74105fe3b94c7799d7d30dbdf25f720c Mon Sep 17 00:00:00 2001 
From: git-harry Date: Thu, 26 Mar 2015 12:34:44 +0000 Subject: [PATCH] Update cinder services to kilo The project is moving to support kilo in master. This requires that the cinder galaxy role be updated to support installing the kilo release of cinder. This commit makes changes not added by the minimum viable kilo install patch - https://review.openstack.org/#/c/166986/ Changes: cinder.conf - [DEFAULT] backup_metadata_version is now configurable because the version has changed. The default is 2, in juno it was 1. - [DEFAULT] client_socket_timeout is now configurable because the value has changed. The default is 900, in juno it was 0. - [profiler] profiler_enabled is now configurable but disabled by default. Although this feature is part of juno the api-paste.ini file was not updated in os-a-d juno to make use of it. - [profiler] trace_sqlalchemy is now configurable but disabled by default. - [DEFAULT] rabbit_port -> [oslo_messaging_rabbit] rabbit_port - [DEFAULT] rabbit_userid -> [oslo_messaging_rabbit] rabbit_userid - [DEFAULT] rabbit_password -> [oslo_messaging_rabbit] rabbit_password - [DEFAULT] rabbit_hosts -> [oslo_messaging_rabbit] rabbit_hosts - [DEFAULT] lock_path -> [oslo_concurrency] lock_path - [DEFAULT] enable_v1_api is now configurable. The default is true. This has been added because the v1 API is deprecated and will be removed in liberty. - [DEFAULT] enable_v2_api is now configurable. The default is true. policy.json - Update policy.json from icehouse default to kilo default version. This adds/modifies a number of rules and also updates the format of the file to the current version. api-paste.ini - Add the osprofiler filter. This file is now deployed using a template so that the hmac_keys configuration option can be set using the var cinder_profiler_hmac_key. - replace deprecated middleware with oslo_middleware versions. rootwrap.conf Updates the file to match kilo default. volume.filters Updates the file to match the kilo default. 
The volume_driver var has been updated to use the new LVM driver class. The signing_dir, /var/cache/cinder, permissions changed from 0755 to 0700 for fix warning by keystonemiddleware. Implements: blueprint master-kilofication Change-Id: I91f2385969568b18635bc534a98138d3dd5c5af2 --- defaults/main.yml | 14 +- files/policy.json | 123 +++++++++++------- files/rootwrap.conf | 2 +- files/volume.filters | 30 +++++ tasks/cinder_post_install.yml | 6 +- tasks/cinder_pre_install.yml | 2 +- .../api-paste.ini.j2 | 21 +-- templates/cinder.conf.j2 | 24 +++- 8 files changed, 155 insertions(+), 67 deletions(-) rename files/api-paste.ini => templates/api-paste.ini.j2 (59%) diff --git a/defaults/main.yml b/defaults/main.yml index 438af092..bdb718a5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -41,6 +41,10 @@ cinder_system_home_folder: "/var/lib/{{ cinder_system_user_name }}" cinder_service_admin_tenant_name: "service" cinder_service_admin_username: "cinder" +## Cinder API's enabled +cinder_enable_v1_api: true +cinder_enable_v2_api: true + ## Cinder api service type and data cinder_service_name: cinder cinder_service_user_name: cinder @@ -89,6 +93,7 @@ cinder_service_backup_swift_object_size: 52428800 cinder_service_backup_swift_retry_attempts: 3 cinder_service_backup_swift_retry_backoff: 2 cinder_service_backup_compression_algorithm: zlib +cinder_service_backup_metadata_version: 2 cinder_service_volume_program_name: cinder-volume 
@@ -120,13 +125,20 @@ cinder_volume_clear_size: 0 cinder_volume_name_template: volume-%s +# osprofiler +cinder_profiler_enabled: false +# cinder_profiler_hmac_key is set in user_secrets.yml +cinder_profiler_trace_sqlalchemy: false + +cinder_client_socket_timeout: 900 + ## General configuration ## Set this in rpc_user_config.yml UNLESS you want all hosts to use the same ## Cinder backends. See the rpc_user_config example for more on how this is done. # cinder_backends: # lvm: # volume_group: cinder-volumes -# volume_driver: cinder.volume.drivers.lvm.LVMISCSIDriver +# volume_driver: cinder.volume.drivers.lvm.LVMVolumeDriver # volume_backend_name: LVM_iSCSI ## Define nfs information for cinder. When the cinder_nfs_client dictionary is defined, diff --git a/files/policy.json b/files/policy.json index 202efe1d..a552c012 100644 --- a/files/policy.json +++ b/files/policy.json 
@@ -1,59 +1,86 @@ { - "context_is_admin": [["role:admin"]], - "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]], - "default": [["rule:admin_or_owner"]], + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", - "admin_api": [["is_admin:True"]], + "admin_api": "is_admin:True", - "volume:create": [], - "volume:get_all": [], - "volume:get_volume_metadata": [], - "volume:get_volume_admin_metadata": [["rule:admin_api"]], - "volume:delete_volume_admin_metadata": [["rule:admin_api"]], - "volume:update_volume_admin_metadata": [["rule:admin_api"]], - "volume:get_snapshot": [], - "volume:get_all_snapshots": [], - "volume:extend": [], - "volume:update_readonly_flag": [], - "volume:retype": [], + "volume:create": "", + "volume:delete": "", + "volume:get": "", + "volume:get_all": "", + "volume:get_volume_metadata": "", + "volume:get_volume_admin_metadata": "rule:admin_api", + "volume:delete_volume_admin_metadata": "rule:admin_api", + "volume:update_volume_admin_metadata": "rule:admin_api", + "volume:get_snapshot": "", + "volume:get_all_snapshots": "", + "volume:extend": "", + "volume:update_readonly_flag": "", + "volume:retype": "", - "volume_extension:types_manage": [["rule:admin_api"]], - "volume_extension:types_extra_specs": [["rule:admin_api"]], - "volume_extension:volume_type_encryption": [["rule:admin_api"]], - "volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]], - "volume_extension:extended_snapshot_attributes": [], - "volume_extension:volume_image_metadata": [], + "volume_extension:types_manage": "rule:admin_api", + "volume_extension:types_extra_specs": "rule:admin_api", + "volume_extension:volume_type_access": "", + "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", + "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", + "volume_extension:volume_type_encryption": "rule:admin_api", + 
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner", + "volume_extension:extended_snapshot_attributes": "", + "volume_extension:volume_image_metadata": "", - "volume_extension:quotas:show": [], - "volume_extension:quotas:update": [["rule:admin_api"]], - "volume_extension:quota_classes": [], + "volume_extension:quotas:show": "", + "volume_extension:quotas:update": "rule:admin_api", + "volume_extension:quota_classes": "", - "volume_extension:volume_admin_actions:reset_status": [["rule:admin_api"]], - "volume_extension:snapshot_admin_actions:reset_status": [["rule:admin_api"]], - "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]], - "volume_extension:snapshot_admin_actions:force_delete": [["rule:admin_api"]], - "volume_extension:volume_admin_actions:migrate_volume": [["rule:admin_api"]], - "volume_extension:volume_admin_actions:migrate_volume_completion": [["rule:admin_api"]], + "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", + "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", + "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", + "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", + "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", + "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", - "volume_extension:volume_host_attribute": [["rule:admin_api"]], - "volume_extension:volume_tenant_attribute": [["rule:admin_or_owner"]], - "volume_extension:volume_mig_status_attribute": [["rule:admin_api"]], - "volume_extension:hosts": [["rule:admin_api"]], - "volume_extension:services": [["rule:admin_api"]], - "volume:services": [["rule:admin_api"]], + "volume_extension:volume_host_attribute": "rule:admin_api", + 
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner", + "volume_extension:volume_mig_status_attribute": "rule:admin_api", + "volume_extension:hosts": "rule:admin_api", + "volume_extension:services": "rule:admin_api", - "volume:create_transfer": [], - "volume:accept_transfer": [], - "volume:delete_transfer": [], - "volume:get_all_transfers": [], + "volume_extension:volume_manage": "rule:admin_api", + "volume_extension:volume_unmanage": "rule:admin_api", - "backup:create" : [], - "backup:delete": [], - "backup:get": [], - "backup:get_all": [], - "backup:restore": [], - "backup:backup-import": [["rule:admin_api"]], - "backup:backup-export": [["rule:admin_api"]], + "volume:services": "rule:admin_api", - "snapshot_extension:snapshot_actions:update_snapshot_status": [] + "volume:create_transfer": "", + "volume:accept_transfer": "", + "volume:delete_transfer": "", + "volume:get_all_transfers": "", + + "volume_extension:replication:promote": "rule:admin_api", + "volume_extension:replication:reenable": "rule:admin_api", + + "backup:create" : "", + "backup:delete": "", + "backup:get": "", + "backup:get_all": "", + "backup:restore": "", + "backup:backup-import": "rule:admin_api", + "backup:backup-export": "rule:admin_api", + + "snapshot_extension:snapshot_actions:update_snapshot_status": "", + + "consistencygroup:create" : "group:nobody", + "consistencygroup:delete": "group:nobody", + "consistencygroup:update": "group:nobody", + "consistencygroup:get": "group:nobody", + "consistencygroup:get_all": "group:nobody", + + "consistencygroup:create_cgsnapshot" : "group:nobody", + "consistencygroup:delete_cgsnapshot": "group:nobody", + "consistencygroup:get_cgsnapshot": "group:nobody", + "consistencygroup:get_all_cgsnapshots": "group:nobody", + + "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api" } diff --git a/files/rootwrap.conf b/files/rootwrap.conf index 001b90af..4d280eae 100644 --- a/files/rootwrap.conf +++ b/files/rootwrap.conf 
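Review bot: `"volume:get": ""` and `"volume:delete": ""` are new keys with an empty rule, and the old file had no entry for either, so both would previously have been evaluated against `default` (`rule:admin_or_owner`). An empty rule passes for any authenticated caller, which leaves the ownership check to whatever the API and database layers do outside this file; that is not visible here. Unless matching the upstream kilo sample exactly is a requirement, I would keep the policy layer explicit with `"volume:get": "rule:admin_or_owner",` and `"volume:delete": "rule:admin_or_owner",`. The `consistencygroup:*` rules set to `group:nobody` appear to switch that API off on purpose; since JSON cannot carry a comment, that intent deserves a line in the role documentation.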
@@ -10,7 +10,7 @@ filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap # explicitely specify a full path (separated by ',') # If not specified, defaults to system PATH environment variable. # These directories MUST all be only writeable by root ! -exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin +exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin # Enable logging to syslog # Default value is False diff --git a/files/volume.filters b/files/volume.filters index 2d23743f..36a037bb 100644 --- a/files/volume.filters +++ b/files/volume.filters @@ -5,8 +5,10 @@ # cinder/volume/iscsi.py: iscsi_helper '--op' ... ietadm: CommandFilter, ietadm, root tgtadm: CommandFilter, tgtadm, root +iscsictl: CommandFilter, iscsictl, root tgt-admin: CommandFilter, tgt-admin, root cinder-rtstool: CommandFilter, cinder-rtstool, root +scstadmin: CommandFilter, scstadmin, root # LVM related show commands pvs: EnvFilter, env, root, LC_ALL=C, pvs 
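Review bot: The new `exec_dirs` value adds `/usr/local/bin` and `/usr/local/sbin`, but nothing in this patch enforces the condition stated in the comment just above it, that every listed directory is writable only by root. On some distributions the `/usr/local` tree is group-writable, and filters in volume.filters that name a bare executable (`cp`, `mv`, `tee`) are looked up through these directories, so a writable entry weakens the rootwrap boundary. I would have the role assert ownership and mode before this file is deployed, for example by adding `- { path: "/usr/local/bin", mode: "0755", owner: "root", group: "root" }` and the matching `/usr/local/sbin` item to the directory list in tasks/cinder_pre_install.yml (assuming that task applies `item.mode`, which is outside the visible hunk). If the addition exists only for pip-installed helpers, a comment saying so next to `exec_dirs` would help the next reader.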
@@ -14,6 +16,25 @@ vgs: EnvFilter, env, root, LC_ALL=C, vgs lvs: EnvFilter, env, root, LC_ALL=C, lvs lvdisplay: EnvFilter, env, root, LC_ALL=C, lvdisplay +# LVM conf var +pvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, pvs +vgs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, vgs +lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs +lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay + +# cinder/volumes/drivers/srb.py: 'pvresize', '--setphysicalvolumesize', sizestr, pvname +pvresize: CommandFilter, pvresize, root + +# cinder/brick/local_dev/lvm.py: 'vgcreate', vg_name, pv_list +vgcreate: CommandFilter, vgcreate, root + +# cinder/volumes/drivers/srb.py: 'vgremove', '-f', vgname +vgremove: CommandFilter, vgremove, root + +# cinder/volumes/drivers/srb.py: 'vgchange', '-an', vgname +# cinder/volumes/drivers/srb.py: 'vgchange', '-ay', vgname +vgchange: CommandFilter, vgchange, root + # cinder/volume/driver.py: 'lvcreate', '-L', sizestr, '-n', volume_name,.. # cinder/volume/driver.py: 'lvcreate', '-L', ... lvcreate: CommandFilter, lvcreate, root @@ -28,6 +49,7 @@ lvremove: CommandFilter, lvremove, root lvrename: CommandFilter, lvrename, root # cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(lv_name)s' ... +# cinder/volume/driver.py: 'lvextend', '-L' '%(new_size)s', '%(thin_pool)s' ... lvextend: CommandFilter, lvextend, root # cinder/brick/local_dev/lvm.py: 'lvchange -a y -K ' @@ -93,12 +115,14 @@ ssc: CommandFilter, ssc, root ls: CommandFilter, ls, root tee: CommandFilter, tee, root multipath: CommandFilter, multipath, root +multipathd: CommandFilter, multipathd, root systool: CommandFilter, systool, root # cinder/volume/drivers/block_device.py blockdev: CommandFilter, blockdev, root # cinder/volume/drivers/ibm/gpfs.py +cp: CommandFilter, cp, root mv: CommandFilter, mv, root mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root mmclone: CommandFilter, /usr/lpp/mmfs/bin/mmclone, root 
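Review bot: `cp: CommandFilter, cp, root` in the `@@ -93,12 +115,14 @@` hunk lets the cinder service account run `cp` as root with any arguments, which makes the rootwrap boundary on this host no stronger than the cinder account itself. The comment above it ties the entry to the GPFS driver, so if this role never configures that backend the line can be left out of the deployed copy; otherwise a `RegExpFilter` or `PathFilter` constrained to the GPFS mount would keep the grant narrow. The same question applies to the other unrestricted additions in this file (`iscsictl`, `scstadmin`, `pvresize`, `vgcreate`, `vgremove`, `vgchange`, `multipathd`, and the `mm*` GPFS tools in the last hunk), each of which is only needed when the corresponding driver is in use.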
@@ -108,6 +132,12 @@ mmlsconfig: CommandFilter, /usr/lpp/mmfs/bin/mmlsconfig, root mmlsfs: CommandFilter, /usr/lpp/mmfs/bin/mmlsfs, root mmlspool: CommandFilter, /usr/lpp/mmfs/bin/mmlspool, root mkfs: CommandFilter, mkfs, root +mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root +mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root +mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root +mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root +mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root +mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root # cinder/volume/drivers/ibm/gpfs.py # cinder/volume/drivers/ibm/ibmnas.py diff --git a/tasks/cinder_post_install.yml b/tasks/cinder_post_install.yml index b67e5286..1c5dfe07 100644 --- a/tasks/cinder_post_install.yml +++ b/tasks/cinder_post_install.yml @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Generate cinder Config +- name: Generate cinder configs template: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -21,19 +21,19 @@ group: "{{ cinder_system_group_name }}" with_items: - { src: "cinder.conf.j2", dest: "/etc/cinder/cinder.conf" } + - { src: "api-paste.ini.j2", dest: "/etc/cinder/api-paste.ini" } notify: - Restart cinder services tags: - cinder-config -- name: Drop cinder Configs +- name: Drop cinder configs copy: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "{{ cinder_system_user_name }}" group: "{{ cinder_system_group_name }}" with_items: - - { src: "api-paste.ini", dest: "/etc/cinder/api-paste.ini" } - { src: "policy.json", dest: "/etc/cinder/policy.json" } - { src: "volume.filters", dest: "/etc/cinder/rootwrap.d/volume.filters" } - { src: "rootwrap.conf", dest: "/etc/cinder/rootwrap.conf" } diff --git a/tasks/cinder_pre_install.yml b/tasks/cinder_pre_install.yml index d4941189..b8d10833 100644 --- a/tasks/cinder_pre_install.yml 
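Review bot: api-paste.ini moves to the `template` task here and now carries `hmac_keys`, alongside cinder.conf with the RabbitMQ and database passwords, yet no `mode` is visible on that task in these hunks (one line of it falls between the two hunks), so both files would get default permissions. I would add `mode: "0640"` to the template task. Separately, the `copy` task below still hands `volume.filters` and `rootwrap.conf` to `cinder_system_user_name`; rootwrap only constrains the service if the service account cannot rewrite its own filters, so those two items should be owned by root and not writable by anyone else. The per-item `owner`/`group`/`mode` defaults already used in tasks/cinder_pre_install.yml would allow that without splitting the task.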
+++ b/tasks/cinder_pre_install.yml @@ -40,7 +40,7 @@ owner: "{{ item.owner|default(cinder_system_user_name) }}" group: "{{ item.group|default(cinder_system_group_name) }}" with_items: - - { path: "/var/cache/cinder" } + - { path: "/var/cache/cinder", mode: "0700" } - { path: "/etc/cinder" } - { path: "/etc/cinder/rootwrap.d" } - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } diff --git a/files/api-paste.ini b/templates/api-paste.ini.j2 similarity index 59% rename from files/api-paste.ini rename to templates/api-paste.ini.j2 index ff7f1197..0d79c813 100644 --- a/files/api-paste.ini +++ b/templates/api-paste.ini.j2 
@@ -10,27 +10,32 @@ use = call:cinder.api:root_app_factory [composite:openstack_volume_api_v1] use = call:cinder.api.middleware.auth:pipeline_factory -noauth = request_id faultwrap sizelimit noauth apiv1 -keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv1 -keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv1 +noauth = request_id faultwrap sizelimit osprofiler noauth apiv1 +keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 +keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1 [composite:openstack_volume_api_v2] use = call:cinder.api.middleware.auth:pipeline_factory -noauth = request_id faultwrap sizelimit noauth apiv2 -keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv2 -keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv2 +noauth = request_id faultwrap sizelimit osprofiler noauth apiv2 +keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 +keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2 [filter:request_id] -paste.filter_factory = cinder.openstack.common.middleware.request_id:RequestIdMiddleware.factory +paste.filter_factory = oslo_middleware.request_id:RequestId.factory [filter:faultwrap] paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = {{ cinder_profiler_hmac_key }} +enabled = yes + [filter:noauth] paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory [filter:sizelimit] -paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory +paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory [app:apiv1] paste.app_factory = cinder.api.v1.router:APIRouter.factory 
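Review bot: `[filter:osprofiler]` is written with `enabled = yes` hard-coded and is placed ahead of `authtoken` in the keystone pipelines, while `cinder_profiler_enabled` (default false) is rendered only into cinder.conf.j2. Whether the cinder.conf switch alone turns the middleware off depends on cinder and osprofiler code that is not part of this patch, so please confirm it and say so in a comment here. `hmac_keys = {{ cinder_profiler_hmac_key }}` also has no default and no guard: an unset variable would normally fail the render, and a weak or shared value is the only gate on trace headers that arrive before authentication. A comment such as `# hmac_keys must be a unique per-deployment secret from user_secrets.yml; anyone holding it can request traces` above that line would make the requirement explicit.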
diff --git a/templates/cinder.conf.j2 b/templates/cinder.conf.j2 index 71798604..51e8b183 100644 --- a/templates/cinder.conf.j2 +++ b/templates/cinder.conf.j2 @@ -11,11 +11,14 @@ my_ip = {{ cinder_storage_address }} osapi_volume_workers = {{ cinder_osapi_volume_workers | default(api_threads) }} -lock_path = /var/lock/cinder rootwrap_config = /etc/cinder/rootwrap.conf api_paste_config = /etc/cinder/api-paste.ini auth_strategy = keystone +## Cinder API's enabled +enable_v1_api = {{ cinder_enable_v1_api }} +enable_v2_api = {{ cinder_enable_v2_api }} + {% if inventory_hostname not in groups['cinder_volume'] %} {% if cinder_service_backup_program_enabled == true %} {% if cinder_service_backup_swift_url is defined and cinder_service_backup_swift_user is defined and cinder_service_backup_swift_key is defined %} @@ -30,16 +33,13 @@ backup_swift_object_size = {{ cinder_service_backup_swift_object_size }} backup_swift_retry_attempts = {{ cinder_service_backup_swift_retry_attempts }} backup_swift_retry_backoff = {{ cinder_service_backup_swift_retry_backoff }} backup_compression_algorithm = {{ cinder_service_backup_compression_algorithm }} +backup_metadata_version = {{ cinder_service_backup_metadata_version }} {% endif %} {% endif %} {% endif %} ## RabbitMQ rpc_backend = {{ cinder_rpc_backend }} -rabbit_port = {{ rabbitmq_port }} -rabbit_userid = {{ rabbitmq_userid }} -rabbit_password = {{ rabbitmq_password }} -rabbit_hosts = {{ rabbitmq_servers }} ## Nova nova_catalog_info = {{ cinder_nova_catalog_info }} @@ -65,6 +65,8 @@ iscsi_ip_address = $my_ip iscsi_num_targets = {{ cinder_iscsi_num_targets }} iscsi_port = {{ cinder_iscsi_port }} +client_socket_timeout = {{ cinder_client_socket_timeout }} + {% if cinder_default_volume_type is defined %} default_volume_type = {{ cinder_default_volume_type }} {% endif %} 
@@ -88,6 +90,18 @@ nfs_shares_config={{ cinder_nfs_client.nfs_shares_config }} [database] connection = mysql://{{ cinder_galera_user }}:{{ cinder_container_mysql_password }}@{{ galera_address }}/{{ cinder_galera_database }}?charset=utf8 +[oslo_messaging_rabbit] +rabbit_port = {{ rabbitmq_port }} +rabbit_userid = {{ rabbitmq_userid }} +rabbit_password = {{ rabbitmq_password }} +rabbit_hosts = {{ rabbitmq_servers }} + +[oslo_concurrency] +lock_path = /var/lock/cinder + +[profiler] +profiler_enabled = {{ cinder_profiler_enabled }} +trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }} [keystone_authtoken] signing_dir = /var/cache/cinder