Cleanup files and templates using smart sources
The files and templates we carry are almost always in a state of maintenance. The upstream services are maintaining these files and there's really no reason we need to carry duplicate copies of them. This change removes all of the files we expect to get from the upstream service. while the focus of this change is to remove configuration file maintenance burdens it also allows the role to execute faster. * Source installs have the configuration files within the venv at "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the default configuration path to this directory. When the service is upgraded the link will move to the new venv path. * Distro installs package all of the required configuration files. To maintain our current capabilities to override configuration the role will fetch files from the disk whenever an override is provided and then push the fetched file back to the target using `config_template`. Change-Id: Ib3447cd5b0bcada4cdf82d9e4a9fe5160299f9c3 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com> Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This commit is contained in:
parent
6355e1e47d
commit
f3f956e904
@ -279,8 +279,8 @@ cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("lvm")
|
||||
cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
|
||||
|
||||
## Policy vars
|
||||
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
||||
# with the access controls in the default policy.json. E.g.
|
||||
# Provide a list of access controls to merge with the default
|
||||
# access controls in the service code.
|
||||
#cinder_policy_overrides:
|
||||
# "volume:create": ""
|
||||
# "volume:delete": ""
|
||||
|
@ -28,26 +28,6 @@
|
||||
- "Restart cinder services"
|
||||
- "venv changed"
|
||||
|
||||
# Note (odyssey4me):
|
||||
# The policy.json file is currently read continually by the services
|
||||
# and is not only read on service start. We therefore cannot template
|
||||
# directly to the file read by the service because the new policies
|
||||
# may not be valid until the service restarts. This is particularly
|
||||
# important during a major upgrade. We therefore only put the policy
|
||||
# file in place after the service has been stopped.
|
||||
#
|
||||
- name: Copy new policy file into place
|
||||
copy:
|
||||
src: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
|
||||
dest: "/etc/cinder/policy.json"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
remote_src: yes
|
||||
listen:
|
||||
- "Restart cinder services"
|
||||
- "venv changed"
|
||||
|
||||
- name: Start services
|
||||
service:
|
||||
name: "{{ item.service_name }}"
|
||||
|
@ -56,6 +56,12 @@
|
||||
option: "venv_tag"
|
||||
value: "{{ cinder_venv_tag }}"
|
||||
|
||||
- name: Link in the os-brick rootwrap filters
|
||||
file:
|
||||
src: "{{ cinder_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
|
||||
dest: /etc/cinder/rootwrap.d/os-brick.filters
|
||||
state: link
|
||||
|
||||
- name: Copy cinder rootwrap filters
|
||||
command: >-
|
||||
rsync --archive --itemize-changes --delete
|
||||
|
@ -13,6 +13,33 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# NOTE(cloudnull): This task is required to copy rootwrap filters that we need
|
||||
# and cinder does not provide by default.
|
||||
- name: Create aux cinder dir
|
||||
file:
|
||||
path: "/etc/cinder/rootwrap.d"
|
||||
state: "directory"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
|
||||
- name: Generate cinder config
|
||||
config_template:
|
||||
src: "cinder.conf.j2"
|
||||
dest: "/etc/cinder/cinder.conf"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ cinder_cinder_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart cinder services
|
||||
tags:
|
||||
- cinder-config
|
||||
- cinder-post-install
|
||||
|
||||
# TODO(cloudnull): Once "master" OSA is using a recent pull for
|
||||
# cinder this task and templte can be removed.
|
||||
- name: Copy cinder configs
|
||||
config_template:
|
||||
src: "{{ item.src }}"
|
||||
@ -23,29 +50,71 @@
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items:
|
||||
- src: "cinder.conf.j2"
|
||||
dest: "/etc/cinder/cinder.conf"
|
||||
config_overrides: "{{ cinder_cinder_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "api-paste.ini.j2"
|
||||
dest: "/etc/cinder/api-paste.ini"
|
||||
config_overrides: "{{ cinder_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "resource_filters.json.j2"
|
||||
dest: "/etc/cinder/resource_filters.json"
|
||||
config_overrides: "{{ cinder_resource_filters_overrides }}"
|
||||
config_type: "json"
|
||||
- src: "rootwrap.conf.j2"
|
||||
dest: "/etc/cinder/rootwrap.conf"
|
||||
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "policy.json.j2"
|
||||
dest: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
|
||||
config_overrides: "{{ cinder_policy_overrides }}"
|
||||
config_type: "json"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart cinder services
|
||||
tags:
|
||||
- cinder-config
|
||||
- cinder-post-install
|
||||
|
||||
- name: Implement policy.json if there are overrides configured
|
||||
copy:
|
||||
content: "{{ cinder_policy_overrides | to_nice_json }}"
|
||||
dest: "/etc/cinder/policy.json"
|
||||
when:
|
||||
- cinder_policy_overrides != {}
|
||||
|
||||
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
|
||||
# because we only want to copy the original files once. and we
|
||||
# don't want to need multiple tasks.
|
||||
- name: Preserve original configuration file(s)
|
||||
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
|
||||
args:
|
||||
creates: "{{ item.target_f }}.original"
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
|
||||
- name: Fetch override files
|
||||
fetch:
|
||||
src: "{{ item.target_f }}.original"
|
||||
dest: "{{ item.tmp_f }}"
|
||||
flat: yes
|
||||
changed_when: false
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
run_once: true
|
||||
|
||||
- name: Copy common config
|
||||
config_template:
|
||||
src: "{{ item.tmp_f }}"
|
||||
dest: "{{ item.target_f }}"
|
||||
owner: "{{ item.owner | default('root') }}"
|
||||
group: "{{ item.group | default(cinder_system_group_name) }}"
|
||||
mode: "{{ item.mode | default('0640') }}"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
notify:
|
||||
- Restart cinder services
|
||||
|
||||
- name: Cleanup fetched temp files
|
||||
file:
|
||||
path: "{{ item.tmp_f }}"
|
||||
state: absent
|
||||
changed_when: false
|
||||
delegate_to: localhost
|
||||
with_items: "{{ cinder_core_files }}"
|
||||
|
||||
# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
|
||||
- name: Set rootwrap.d permissions
|
||||
file:
|
||||
path: "/etc/cinder/rootwrap.d"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0640"
|
||||
recurse: true
|
||||
|
||||
- name: Ensure cinder tgt include
|
||||
lineinfile:
|
||||
|
@ -31,17 +31,62 @@
|
||||
createhome: "yes"
|
||||
home: "{{ cinder_system_home_folder }}"
|
||||
|
||||
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
|
||||
# install. If the directory does exist it will need to be
|
||||
# removed. This is required on source installs because the
|
||||
# config directory is a link.
|
||||
- name: Source config block
|
||||
block:
|
||||
- name: Stat config directory
|
||||
stat:
|
||||
path: "/etc/cinder"
|
||||
register: cinder_conf_dir_stat
|
||||
|
||||
- name: Remove the config directory
|
||||
file:
|
||||
path: "/etc/cinder"
|
||||
state: absent
|
||||
when:
|
||||
- cinder_conf_dir_stat.stat.isdir is defined and
|
||||
cinder_conf_dir_stat.stat.isdir
|
||||
when:
|
||||
- cinder_install_method == 'source'
|
||||
|
||||
- name: Create cinder dir
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
path: "{{ item.path | default(omit) }}"
|
||||
src: "{{ item.src | default(omit) }}"
|
||||
dest: "{{ item.dest | default(omit) }}"
|
||||
state: "{{ item.state | default('directory') }}"
|
||||
owner: "{{ item.owner | default(cinder_system_user_name) }}"
|
||||
group: "{{ item.group | default(cinder_system_group_name) }}"
|
||||
mode: "{{ item.mode|default('0755') }}"
|
||||
mode: "{{ item.mode | default(omit) }}"
|
||||
force: "{{ item.force | default(omit) }}"
|
||||
when:
|
||||
- (item.condition | default(true)) | bool
|
||||
with_items:
|
||||
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
|
||||
- { path: "/var/cache/cinder", mode: "0700" }
|
||||
- { path: "/etc/cinder", mode: "0750" }
|
||||
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
|
||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||
- { path: "{{ cinder_system_home_folder }}" }
|
||||
- path: "/openstack"
|
||||
mode: "0755"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
- path: "/var/cache/cinder"
|
||||
mode: "0700"
|
||||
- path: "{{ (cinder_install_method == 'distro') | ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder') }}"
|
||||
mode: "0755"
|
||||
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
|
||||
# within the host/container confines when connecting to
|
||||
# them using the connection plugin or the root filesystem.
|
||||
- dest: "/etc/cinder"
|
||||
src: "{{ cinder_bin | dirname | regex_replace('^/', '../') }}/etc/cinder"
|
||||
state: link
|
||||
force: true
|
||||
condition: "{{ cinder_install_method == 'source' }}"
|
||||
- path: "/etc/cinder/rootwrap.d"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0750"
|
||||
- path: "/etc/sudoers.d"
|
||||
mode: "0750"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
- path: "{{ cinder_system_home_folder }}"
|
||||
|
@ -1,65 +0,0 @@
|
||||
#############
|
||||
# OpenStack #
|
||||
#############
|
||||
|
||||
[composite:osapi_volume]
|
||||
use = call:cinder.api:root_app_factory
|
||||
/: apiversions
|
||||
/v2: openstack_volume_api_v2
|
||||
/v3: openstack_volume_api_v3
|
||||
|
||||
[composite:openstack_volume_api_v2]
|
||||
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
|
||||
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
|
||||
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
|
||||
|
||||
[composite:openstack_volume_api_v3]
|
||||
use = call:cinder.api.middleware.auth:pipeline_factory
|
||||
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
|
||||
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
|
||||
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
|
||||
|
||||
[filter:request_id]
|
||||
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
|
||||
|
||||
[filter:http_proxy_to_wsgi]
|
||||
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
||||
|
||||
[filter:cors]
|
||||
paste.filter_factory = oslo_middleware.cors:filter_factory
|
||||
oslo_config_project = cinder
|
||||
|
||||
[filter:faultwrap]
|
||||
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
|
||||
|
||||
[filter:osprofiler]
|
||||
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
|
||||
|
||||
[filter:noauth]
|
||||
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
|
||||
|
||||
[app:apiv2]
|
||||
paste.app_factory = cinder.api.v2.router:APIRouter.factory
|
||||
|
||||
[app:apiv3]
|
||||
paste.app_factory = cinder.api.v3.router:APIRouter.factory
|
||||
|
||||
[pipeline:apiversions]
|
||||
pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
|
||||
|
||||
[app:osvolumeversionapp]
|
||||
paste.app_factory = cinder.api.versions:Versions.factory
|
||||
|
||||
##########
|
||||
# Shared #
|
||||
##########
|
||||
|
||||
[filter:keystonecontext]
|
||||
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
|
||||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
@ -1,14 +0,0 @@
|
||||
{
|
||||
|
||||
"consistencygroup:create" : "group:nobody",
|
||||
"consistencygroup:delete": "group:nobody",
|
||||
"consistencygroup:update": "group:nobody",
|
||||
"consistencygroup:get": "group:nobody",
|
||||
"consistencygroup:get_all": "group:nobody",
|
||||
|
||||
"consistencygroup:create_cgsnapshot" : "group:nobody",
|
||||
"consistencygroup:delete_cgsnapshot": "group:nobody",
|
||||
"consistencygroup:get_cgsnapshot": "group:nobody",
|
||||
"consistencygroup:get_all_cgsnapshots": "group:nobody"
|
||||
|
||||
}
|
@ -1,27 +0,0 @@
|
||||
# Configuration for cinder-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitely specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs={{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/usr/lpp/mmfs/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
@ -13,6 +13,11 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
_cinder_rootwrap_conf_overrides:
|
||||
DEFAULT:
|
||||
filters_path: "/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap"
|
||||
exec_dirs: "{{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
|
||||
|
||||
#
|
||||
# Compile a list of the services on a host based on whether
|
||||
# the host is in the host group and the service is enabled.
|
||||
@ -29,3 +34,23 @@ filtered_cinder_services: |-
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{{ services | sort(attribute='start_order') }}
|
||||
|
||||
cinder_core_files:
|
||||
- tmp_f: "/tmp/api-paste.ini"
|
||||
target_f: "/etc/cinder/api-paste.ini"
|
||||
config_overrides: "{{ cinder_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- tmp_f: "/tmp/rootwrap.conf"
|
||||
target_f: "/etc/cinder/rootwrap.conf"
|
||||
config_overrides: "{{ _cinder_rootwrap_conf_overrides | combine(cinder_rootwrap_conf_overrides, recursive=True) }}"
|
||||
config_type: "ini"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
- tmp_f: "/tmp/resource_filters.json"
|
||||
target_f: "/etc/cinder/resource_filters.json"
|
||||
config_overrides: "{{ cinder_resource_filters_overrides }}"
|
||||
config_type: "json"
|
||||
owner: "root"
|
||||
group: "{{ cinder_system_group_name }}"
|
||||
mode: "0640"
|
||||
|
Loading…
Reference in New Issue
Block a user