Perform an atomic policy file change

The policy.json file is currently read continually by the services and is not only read on service start. We therefore cannot template directly to the file read by the service (if the service is already running) because the new policies may not be valid until the service restarts. This is particularly important during a major upgrade. We therefore only put the policy file in place after the service restart. This patch also tidies up the handlers and some of the install tasks to simplify them and reduce the tasks/code a little. Change-Id: Ia9df064ff145bec862e2a2cc0fd180a9188c5238
2017-04-24 12:05:54 +01:00 · 2017-04-24 12:05:54 +01:00 · fb807f2a60
commit fb807f2a60
parent 4a4cdf792e
5 changed files with 54 additions and 36 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -14,16 +14,62 @@
 # limitations under the License.

 - name: Restart cinder services
-  systemd:
+  command: "/bin/true"
+  notify:
+    - Stop services
+    - Copy new policy file into place
+    - Start services
+
+- name: Stop services
+  service:
    name: "{{ item.value.service_name }}"
-    state: restarted
-    daemon_reload: yes
+    enabled: yes
+    state: stopped
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
  with_dict: "{{ cinder_services }}"
  when:
    - inventory_hostname in groups[item.value.group]
-    - "{{ item.value.condition | default(true) }}"
+    - "item.value.condition | default(true)"
+  register: _stop
+  until: _stop | success
+  retries: 5
+  delay: 2
+
+# Note (odyssey4me):
+# The policy.json file is currently read continually by the services
+# and is not only read on service start. We therefore cannot template
+# directly to the file read by the service because the new policies
+# may not be valid until the service restarts. This is particularly
+# important during a major upgrade. We therefore only put the policy
+# file in place after the service has been stopped.
+#
+- name: Copy new policy file into place
+  copy:
+    src: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
+    dest: "/etc/cinder/policy.json"
+    owner: "root"
+    group: "{{ cinder_system_group_name }}"
+    mode: "0640"
+    remote_src: yes
+
+- name: Start services
+  service:
+    name: "{{ item.value.service_name }}"
+    enabled: yes
+    state: "started"
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+  with_dict: "{{ cinder_services }}"
+  when:
+    - inventory_hostname in groups[item.value.group]
+    - "item.value.condition | default(true)"
+  register: _start
+  until: _start | success
+  retries: 5
+  delay: 2

 - name: Ensure tgt service restarted
  service:
    name: "{{ tgt_service_name }}"
+    enabled: yes
    state: restarted
+    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
--- a/tasks/cinder_init_common.yml
+++ b/tasks/cinder_init_common.yml
@ -1,30 +0,0 @@
---
-# Copyright 2016, Rackspace US, Inc.
-# Copyright 2016, IBM Corporation.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- include: cinder_init_systemd.yml
-  when:
-    - ansible_service_mgr == 'systemd'
-
- name: Load service
-  service:
-   name: "{{ item.value.service_name }}"
-   enabled: "yes"
-  with_dict: "{{ cinder_services }}"
-  when:
-    - inventory_hostname in groups[item.value.group]
-    - "{{ item.value.condition | default(true) }}"
-  notify:
-    - Restart cinder services
--- a/tasks/cinder_init_systemd.yml
+++ b/tasks/cinder_init_systemd.yml
@ -61,6 +61,8 @@
  when:
    - inventory_hostname in groups[item.value.group]
    - "{{ item.value.condition | default(true) }}"
+  notify:
+    - Restart cinder services

 - name: Place the systemd init script
  config_template:
--- a/tasks/cinder_post_install.yml
+++ b/tasks/cinder_post_install.yml
@ -36,7 +36,7 @@
      config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
      config_type: "ini"
    - src: "policy.json.j2"
-      dest: "/etc/cinder/policy.json"
+      dest: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
      config_overrides: "{{ cinder_policy_overrides }}"
      config_type: "json"
  notify:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -51,7 +51,7 @@
  tags:
    - cinder-config

- include: cinder_init_common.yml
+- include: "cinder_init_{{ ansible_service_mgr }}.yml"
  tags:
    - cinder-config