Merge "Update ironic.conf for swift and keystone compat"

defaults/main.yml

@@ -17,7 +17,6 @@
 
 # Verbosity Options
 debug: False
-verbose: True
 
 # These variables are used in 'developer mode' in order to allow the role
 # to build an environment directly from a git source without the presence
@@ -73,19 +72,35 @@ ironic_service_project_name: "service"
 ironic_service_project_domain_id: default
 ironic_service_user_domain_id: default
 ironic_service_role_name: "admin"
-
 ironic_service_in_ldap: False
 
+# Ironic image store information
+ironic_swift_image_container: glance_images
+ironic_swift_api_version: v1
+# The ironic swift auth account and swift endpoints will be generated using the
+#  known swift data as provided by swift stat. If you wish to set either of these
+#  items to something else define these variables.
+# ironic_swift_auth_account: AUTH_1234567890
+# ironic_swift_endpoint: https://localhost:8080
 
 # Is this Ironic installation working standalone?
 # If you're wanting Ironic to work without being integrated to other OpenStack
 # services, set this to True, and update the dhcp configuration appropriately
 ironic_standalone: False
 
+# Enables or disables automated cleaning. Automated cleaning
+# is a configurable set of steps, such as erasing disk drives,
+# that are performed on the node to ensure it is in a baseline
+# state and ready to be deployed to.
+ironic_automated_clean: false
+
 # Database
 ironic_galera_user: ironic
 ironic_galera_database: ironic
 
+## Keystone authentication middleware
+ironic_keystone_auth_plugin: password
+
 # Integrated Openstack configuration
 ironic_openstack_driver_list: agent_ipmitool
 ironic_openstack_auth_strategy: keystone
@@ -102,6 +117,11 @@ ironic_standalone_dhcp_provider: none
 ironic_standalone_sync_power_state_interval: -1
 ironic_standalone_db_connection_string: "mysql+pymysql://{{ ironic_galera_user }}:{{ ironic_galera_password }}@{{ ironic_galera_address }}/ironic"
 
+# Ironic db tuning
+ironic_db_max_overflow: 10
+ironic_db_max_pool_size: 120
+ironic_db_pool_timeout: 30
+
 # Common configuration
 ironic_node_name: ironic
 
@@ -114,6 +134,8 @@ ironic_bin: "{{ ironic_venv_bin }}"
 
 ironic_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/ironic.tgz
 
+ironic_tftp_server_address: "{{ ansible_ssh_host }}"
+
 ironic_requires_pip_packages:
   - virtualenv
   - virtualenv-tools
@@ -124,6 +146,7 @@ ironic_pip_packages:
   - PyMySQL
   - ironic
   - python-ironicclient
+  - python-swiftclient
 
 ironic_api_apt_packages:
   - apache2
@@ -164,7 +187,6 @@ ironic_wsgi_processes: "{{ (_ironic_wsgi_processes | int > 1) | ternary(_ironic_
 ironic_glance_auth_strategy: "{{ ironic_openstack_auth_strategy }}"
 
 # Neutron
-# neutron_service_adminurl:
 ironic_neutron_auth_strategy: "{{ ironic_openstack_auth_strategy }}"
 
 ### Config Overrides

tasks/ironic_post_install.yml

@@ -21,7 +21,9 @@
     ironic_dhcp_provider: "{{ ironic_standalone_dhcp_provider }}"
     ironic_sync_power_state_interval: "{{ ironic_standalone_sync_power_state_interval }}"
     ironic_db_connection_string: "{{ ironic_standalone_db_connection_string }}"
-  when: ironic_standalone
+  when: ironic_standalone | bool
+  tags:
+    - always
 
 - name: Setup ironic for integrated Openstack usage
   set_fact:
@@ -31,7 +33,9 @@
     ironic_dhcp_provider: "{{ ironic_openstack_dhcp_provider }}"
     ironic_sync_power_state_interval: "{{ ironic_openstack_sync_power_state_interval }}"
     ironic_db_connection_string: "{{ ironic_openstack_db_connection_string }}"
-  when: not ironic_standalone
+  when: not ironic_standalone | bool
+  tags:
+    - always
 
 - name: Get ironic command path
   command: which ironic
@@ -49,6 +53,72 @@
   tags:
     - ironic-command-bin
 
+- name: Post swift tempURL secret key
+  shell: |
+    . ~/openrc
+    {{ ironic_bin }}/swift \
+        --os-username "service:{{ glance_service_user_name }}" \
+        --os-password {{ glance_service_password }} \
+        --os-auth-url {{ keystone_service_internalurl }} \
+        --os-identity-api-version {{ keystone_service_internalurl.split('/v')[-1] }} \
+        post -m temp-url-key:{{ ironic_swift_temp_url_secret_key }}
+  when:
+    - inventory_hostname == groups['ironic_all'][0]
+    - not ironic_standalone | bool
+  tags:
+    - ironic-swift-auth
+    - always
+
+- name: Get swift account
+  shell: |
+    . ~/openrc
+    {{ ironic_bin }}/swift \
+        --os-username "service:{{ glance_service_user_name }}" \
+        --os-password {{ glance_service_password }} \
+        --os-auth-url {{ keystone_service_internalurl }} \
+        --os-identity-api-version {{ keystone_service_internalurl.split('/v')[-1] }} \
+        stat -v | awk '/StorageURL\:/ {print $2}'
+  register: swift_storage_url
+  when:
+    - (ironic_swift_auth_account is undefined) or (ironic_swift_endpoint is undefined)
+    - not ironic_standalone | bool
+  tags:
+    - ironic-swift-auth
+    - always
+
+- name: Validate swift output
+  fail:
+    msg: |
+      No StorageURL output found using the `swift stat` command and either
+      the ``ironic_swift_auth_account`` or ``ironic_swift_auth_account``
+      variables are undefined. Ensure swift is functional and/or define
+      those variables.
+  when:
+    - (ironic_swift_auth_account is undefined) and (ironic_swift_endpoint is undefined)
+    - not ironic_standalone | bool
+    - not swift_storage_url.stdout
+  tags:
+    - ironic-swift-auth
+    - always
+
+- name: Set the swift auth facts
+  set_fact:
+    ironic_swift_auth_account: "{{ swift_storage_url.stdout.split('/v1/')[-1] }}"
+  when:
+    - ironic_swift_auth_account is undefined
+    - not ironic_standalone | bool
+  tags:
+    - always
+
+- name: Set the swift endpoint facts
+  set_fact:
+    ironic_swift_endpoint: "{{ swift_storage_url.stdout.split('/v1/')[0] }}"
+  when:
+    - ironic_swift_endpoint is undefined
+    - not ironic_standalone | bool
+  tags:
+    - always
+
 - name: Generate ironic config
   config_template:
     src: "{{ item.src }}"

tasks/ironic_pre_install.yml

@@ -66,6 +66,7 @@
     - { path: "{{ ironic_system_home_folder }}/.ssh", mode: "0700" }
     - { path: "{{ ironic_system_home_folder }}/images" }
     - { path: "{{ ironic_system_home_folder }}/master_images" }
+    - { path: "{{ ironic_system_home_folder }}/cache/api", mode: "0700" }
     - { path: "/var/lock/ironic" }
     - { path: "/var/run/ironic" }
     - { path: "/var/www/cgi-bin", owner: root, group: root }

tests/test-rest-api.yml

@@ -7,14 +7,26 @@
     # needed by the functional test playbook below
     - name: Install httplib2 so we can use the uri module
       pip:
-        name: httplib2
+        name: "{{ item }}"
+      with_items:
+        - httplib2
+        - python-openstackclient
+    - name: Get auth token
+      shell: >
+        . /root/openrc && openstack token issue --format yaml | awk '/^id\:/ {print $2}'
+      register: get_keystone_token
+    - name: set token
+      set_fact:
+        keystone_token: "{{ get_keystone_token.stdout }}"
     - name: Check the ironic-api
       uri:
         url: "{{ ironic_service_publicuri }}"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
     - name: list chassis
       uri:
         url: "{{ ironic_service_publicuri }}/v1/chassis"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
         return_content: yes
       register: chassis_list
@@ -22,6 +34,7 @@
       assert: that="chassis_list.json.chassis == []"
     - name: list drivers
       uri:
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         url: "{{ ironic_service_publicuri }}/v1/drivers"
         status_code: 200
         return_content: yes
@@ -31,6 +44,7 @@
     - name: list nodes
       uri:
         url: "{{ ironic_service_publicuri }}/v1/nodes"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
         return_content: yes
       register: node_list
@@ -42,6 +56,7 @@
         method: POST
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         body_format: json
         body: "{\"name\": \"restnode\", \"driver\": \"agent_ipmitool\", \"driver_info\": {\"ipmi_address\": \"1.2.3.4\"}}"
         status_code: 201
@@ -58,15 +73,17 @@
         method: POST
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         body_format: json
         body: " {\"node_uuid\": \"{{ node_response.json.uuid }}\", \"address\": \"00:00:00:00:00:01\"}"
         status_code: 201
         return_content: yes
     - name: list ports
       uri:
+        url: "{{ ironic_service_publicuri }}/v1/ports"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
-        url: "{{ ironic_service_publicuri }}/v1/ports"
         body: " {\"node\": \"{{ node_response.json.uuid }}\"}"
         body_format: json
         return_content: yes
@@ -82,15 +99,17 @@
         method: POST
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         body_format: json
         body: " {\"node_uuid\": \"{{ node_response.json.uuid }}\", \"address\": \"00:00:00:00:00:02\"}"
         status_code: 201
         return_content: yes
     - name: list ports again
       uri:
+        url: "{{ ironic_service_publicuri }}/v1/ports"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
-        url: "{{ ironic_service_publicuri }}/v1/ports"
         body: " {\"node\": \"{{ node_response.json.uuid }}\"}"
         body_format: json
         return_content: yes
@@ -104,6 +123,7 @@
         url: "{{ ironic_service_publicuri }}/v1/nodes/restnode/validate"
         method: GET
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 200
         return_content: yes
       register: validate_node
@@ -123,6 +143,7 @@
           - "validate_node.json.raid.result == true"
     - name: update a node
       uri:
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         url: "{{ ironic_service_publicuri }}/v1/nodes/restnode"
         body: " [{\"path\": \"/name\", \"value\": \"renamednode\", \"op\": \"replace\"}]"
         method: PATCH
@@ -139,6 +160,7 @@
         method: DELETE
         HEADER_Content-Type: "application/json"
         HEADER_X-OpenStack-Ironic-API-Version: "1.9"
+        HEADER_X-Auth-Token: "{{ keystone_token }}"
         status_code: 204
         return_content: yes
   vars_files:

tests/test-vars.yml

@@ -19,6 +19,7 @@ galera_root_user: root
 galera_root_password: "secrete"
 rabbitmq_servers: 10.100.100.101:5672
 rabbitmq_use_ssl: False
+rabbitmq_port: 5672
 memcached_servers: 127.0.0.1
 memcached_encryption_key: "secrete"
 keystone_venv_tag: "testing"
@@ -29,7 +30,7 @@ keystone_service_password: "secrete"
 keystone_galera_address: 10.100.100.101
 keystone_galera_database: keystone
 keystone_galera_user: keystone
-keystone_container_mysql_password: "SuperSecrete"
+keystone_container_mysql_password: "secrete"
 keystone_auth_admin_token: "SuperSecreteTestToken"
 keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
@@ -62,8 +63,20 @@ ironic_service_password: "secrete"
 ironic_galera_address: 10.100.100.101
 ironic_galera_database: ironic
 ironic_galera_user: ironic
-ironic_galera_password: "SuperSecrete"
+ironic_galera_password: "secrete"
 ironic_rabbitmq_password: "secrete"
 ironic_rabbitmq_userid: ironic
 ironic_rabbitmq_vhost: /ironic
 ironic_standalone: True
+ironic_swift_endpoint: "http://localhost:8080"
+ironic_swift_auth_account: "AUTH_1234567890"
+ironic_swift_temp_url_secret_key: secrete
+ironic_rabbitmq_userid: ironic
+ironic_rabbitmq_password: secrete
+ironic_rabbitmq_vhost: /ironic
+glance_api_servers: http://localhost:9292
+neutron_service_adminurl: http://localhost:9696
+neutron_service_region: RegionOne
+neutron_service_password: secrete
+neutron_service_project_name: ironic
+neutron_service_user_name: ironic