diff --git a/defaults/main.yml b/defaults/main.yml
index 58c72b43..4167ddfd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,6 +20,9 @@ debug: False
# Options are 'present' and 'latest'
keystone_package_state: "latest"
+# Role standard API override this option in the OS variable files
+keystone_shibboleth_repo: {}
+
# These variables are used in 'developer mode' in order to allow the role
# to build an environment directly from a git source without the presence
# of an OpenStack-Ansible repo_server.
@@ -44,7 +47,7 @@ keystone_system_user_name: keystone
keystone_system_group_name: keystone
keystone_system_additional_groups:
- ssl_cert
-keystone_system_service_name: apache2
+
keystone_system_shell: /bin/bash
keystone_system_comment: keystone system user
keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}"
@@ -381,10 +384,6 @@ keystone_sp: {}
keystone_service_in_ldap: false
-# Keystone Federation SP Packages
-keystone_sp_apt_packages:
- - libapache2-mod-shib2
-
# Keystone notification settings
keystone_ceilometer_enabled: false
diff --git a/handlers/main.yml b/handlers/main.yml
index e1cf1fdf..e7acbb78 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,13 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-- name: Restart Apache
+- name: Restart service
service:
- name: "apache2"
- state: "restarted"
- pattern: "apache2"
- register: apache_restart
- until: apache_restart|success
+ name: "{{ keystone_system_service_name }}"
+ state: restarted
+ pattern: "{{ keystone_system_service_name }}"
+ register: _restart
+ until: _restart|success
retries: 5
delay: 2
when: keystone_apache_mod_wsgi_enabled | bool
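Review bot: `Restart service` is a very generic handler name; handler names are resolved play-wide, so another role in the same play that defines a handler with the same name would leave only one of them reachable. A role-scoped name such as `Restart keystone web server` keeps the apache2/httpd abstraction without that collision risk. The handler is still gated on `keystone_apache_mod_wsgi_enabled | bool`, so a comment like `# Restarts the web server fronting Keystone; the unit name comes from keystone_system_service_name in the OS vars file` would make its scope clear.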
diff --git a/manual-test.rc b/manual-test.rc
new file mode 100644
index 00000000..fa1cdf95
--- /dev/null
+++ b/manual-test.rc
@@ -0,0 +1,22 @@
+export VIRTUAL_ENV=$(pwd)
+export ANSIBLE_HOST_KEY_CHECKING=False
+export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r
+
+# TODO (odyssey4me) These are only here as they are non-standard folder
+# names for Ansible 1.9.x. We are using the standard folder names for
+# Ansible v2.x. We can remove this when we move to Ansible 2.x.
+export ANSIBLE_ACTION_PLUGINS=${HOME}/.ansible/plugins/action
+export ANSIBLE_CALLBACK_PLUGINS=${HOME}/.ansible/plugins/callback
+export ANSIBLE_FILTER_PLUGINS=${HOME}/.ansible/plugins/filter
+export ANSIBLE_LOOKUP_PLUGINS=${HOME}/.ansible/plugins/lookup
+
+# This is required as the default is the current path or a path specified
+# in ansible.cfg
+export ANSIBLE_LIBRARY=${HOME}/.ansible/plugins/library
+
+# This is required as the default is '/etc/ansible/roles' or a path
+# specified in ansible.cfg
+export ANSIBLE_ROLES_PATH=${HOME}/.ansible/roles:$(pwd)/..
+
+echo "Run manual functional tests by executing the following:"
+echo "# ./.tox/functional/bin/ansible-playbook -i tests/inventory tests/test.yml -e \"rolename=$(pwd)\""
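Review bot: `ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r` places the SSH multiplexing sockets under predictable names in a world-writable directory, and `ANSIBLE_HOST_KEY_CHECKING=False` turns off host key verification for every play run from a shell that sourced this file. Both are common for local functional tests, but nothing in the file says it is test-only. Add a header comment such as `# Test-only settings: do not source on a deployment host` and point the control path at a per-user directory, e.g. `export ANSIBLE_SSH_CONTROL_PATH=${HOME}/.ansible/cp/%%h-%%r`.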
diff --git a/meta/main.yml b/meta/main.yml
index 2535a0dd..cfe91b5d 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -24,6 +24,9 @@ galaxy_info:
versions:
- trusty
- xenial
+ - name: EL
+ versions:
+ - 7
categories:
- cloud
- python
diff --git a/releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml b/releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml
new file mode 100644
index 00000000..7a91a8cd
--- /dev/null
+++ b/releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - CentOS7/RHEL support has been added to the os_keystone
+ role.
+deprecations:
+ - The following variables have been deprecated.
+ `keystone_developer_apt_packages`, `keystone_sp_apt_packages`,
+ `keystone_idp_apt_packages`, and `keystone_apt_packages`. While
+ these options are still available when deploying on Ubuntu
+ 14.04, they will be removed during the Ocata cycle.
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml
index 413c8ea4..2d76e0d3 100644
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@@ -13,68 +13,89 @@
# See the License for the specific language governing permissions and
# limitations under the License.
+- name: Create apache nogroup group
+ group:
+ name: "nogroup"
+ system: "yes"
+
+- name: Create apache nogroup user
+ user:
+ name: "nogroup"
+ group: "nogroup"
+ system: "yes"
+ shell: "/bin/false"
+
- name: Drop apache2 config files
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "root"
group: "root"
- with_items:
- - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
+ with_items: "{{ keystone_apache_configs }}"
notify:
- - Restart Apache
+ - Restart service
- name: Disable default apache site
file:
- path: "/etc/apache2/sites-enabled/000-default.conf"
+ path: "{{ item }}"
state: "absent"
+ with_items: "{{ keystone_apache_default_sites }}"
notify:
- - Restart Apache
+ - Restart service
- name: Enabled keystone vhost
file:
- src: "/etc/apache2/sites-available/keystone-httpd.conf"
- dest: "/etc/apache2/sites-enabled/keystone-httpd.conf"
+ src: "{{ keystone_apache_site_available }}"
+ dest: "{{ keystone_apache_site_enabled }}"
state: "link"
+ when:
+ - keystone_apache_site_available is defined
+ - keystone_apache_site_enabled is defined
notify:
- - Restart Apache
+ - Restart service
- name: Ensure Apache ServerName
lineinfile:
- dest: "/etc/apache2/apache2.conf"
+ dest: "{{ keystone_apache_conf }}"
line: "ServerName {{ ansible_hostname }}"
notify:
- - Restart Apache
+ - Restart service
- name: Ensure Apache ServerTokens
lineinfile:
- dest: "/etc/apache2/conf-available/security.conf"
+ dest: "{{ keystone_apache_security_conf }}"
regexp: '^ServerTokens'
line: "ServerTokens {{ keystone_apache_servertokens }}"
notify:
- - Restart Apache
+ - Restart service
- name: Ensure Apache ServerSignature
lineinfile:
- dest: "/etc/apache2/conf-available/security.conf"
+ dest: "{{ keystone_apache_security_conf }}"
regexp: '^ServerSignature'
line: "ServerSignature {{ keystone_apache_serversignature }}"
notify:
- - Restart Apache
+ - Restart service
+## NOTE(cloudnull):
+## Module enable/disable process is only functional on Debian based systems.
- name: Enable/disable mod_ssl for apache2
apache2_module:
name: ssl
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
+ when:
+ - ansible_pkg_mgr == 'apt'
notify:
- - Restart Apache
+ - Restart service
+## NOTE(cloudnull):
+## Module enable/disable process is only functional on Debian based systems.
- name: Enable/disable mod_shib2 for apache2
apache2_module:
name: shib2
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
ignore_errors: yes
+ when:
+ - ansible_pkg_mgr == 'apt'
notify:
- - Restart Apache
+ - Restart service
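Review bot: 'Create apache nogroup user' creates a system account literally named `nogroup`, and both new tasks run on every platform with no `when`. A user of that name is unusual enough that it needs a comment naming the Apache/WSGI setting that depends on it. If the account is only needed where the group is missing (presumably EL), gate both tasks, e.g. `when: ansible_pkg_mgr == 'yum'`. 'Enabled keystone vhost' is now skipped silently when either `keystone_apache_site_available` or `keystone_apache_site_enabled` is undefined; a comment such as `# Skipped on conf.d-style layouts where no enable symlink is needed` would stop that being read as a bug.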
diff --git a/tasks/keystone_federation_sp_setup.yml b/tasks/keystone_federation_sp_setup.yml
index 62159266..f28ce0ac 100644
--- a/tasks/keystone_federation_sp_setup.yml
+++ b/tasks/keystone_federation_sp_setup.yml
@@ -32,7 +32,7 @@
creates: "/etc/shibboleth/sp-cert.pem"
when: inventory_hostname == groups['keystone_all'][0]
notify:
- - Restart Apache
+ - Restart service
- Restart Shibd
- name: Store Shibboleth SP key-pair
@@ -69,7 +69,7 @@
delay: 2
when: inventory_hostname != groups['keystone_all'][0]
notify:
- - Restart Apache
+ - Restart service
- Restart Shibd
- name: Set appropriate file ownership on the Shibboleth SP key-pair
@@ -82,5 +82,5 @@
- "/etc/shibboleth/sp-key.pem"
when: inventory_hostname != groups['keystone_all'][0]
notify:
- - Restart Apache
+ - Restart service
- Restart Shibd
diff --git a/tasks/keystone_idp_metadata.yml b/tasks/keystone_idp_metadata.yml
index 8d5f9690..974b180e 100644
--- a/tasks/keystone_idp_metadata.yml
+++ b/tasks/keystone_idp_metadata.yml
@@ -20,5 +20,5 @@
become_user: "{{ keystone_system_user_name }}"
when: keystone_idp != {}
notify:
- - Restart Apache
- - Restart Keystone APIs
\ No newline at end of file
+ - Restart Keystone APIs
+ - Restart service
diff --git a/tasks/keystone_idp_self_signed_create.yml b/tasks/keystone_idp_self_signed_create.yml
index 2168b8b7..22243a49 100644
--- a/tasks/keystone_idp_self_signed_create.yml
+++ b/tasks/keystone_idp_self_signed_create.yml
@@ -32,7 +32,8 @@
creates={{ keystone_idp.certfile }}
when: >
inventory_hostname == groups['keystone_all'][0]
- notify: Restart Apache
+ notify:
+ - Restart service
- name: Set appropriate file ownership on the IdP self-signed cert
file:
diff --git a/tasks/keystone_idp_self_signed_distribute.yml b/tasks/keystone_idp_self_signed_distribute.yml
index 77215407..c2f71226 100644
--- a/tasks/keystone_idp_self_signed_distribute.yml
+++ b/tasks/keystone_idp_self_signed_distribute.yml
@@ -29,7 +29,8 @@
until: memcache_keys|success
retries: 5
delay: 2
- notify: Restart Apache
+ notify:
+ - Restart service
- name: Set appropriate file ownership on the IdP self-signed cert
file:
diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml
index ca12053a..d7a45afe 100644
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@@ -17,6 +17,10 @@
when:
- ansible_pkg_mgr == 'apt'
+- include: keystone_install_yum.yml
+ when:
+ - ansible_pkg_mgr == 'yum'
+
- name: Create WSGI symlinks
file:
src: "{{ item.src }}"
@@ -132,8 +136,8 @@
- not keystone_developer_mode | bool
- keystone_get_venv | changed or keystone_venv_dir | changed
notify:
- - Restart Apache
- Restart Keystone APIs
+ - Restart service
- name: Install pip packages
pip:
@@ -149,8 +153,8 @@
when:
- keystone_get_venv | failed or keystone_developer_mode | bool
notify:
- - Restart Apache
- Restart Keystone APIs
+ - Restart service
- name: Update virtualenv path
command: >
diff --git a/tasks/keystone_install_apt.yml b/tasks/keystone_install_apt.yml
index 7dff1ca7..ed7175fc 100644
--- a/tasks/keystone_install_apt.yml
+++ b/tasks/keystone_install_apt.yml
@@ -30,7 +30,7 @@
until: install_packages|success
retries: 5
delay: 2
- with_items: "{{ keystone_apt_packages }}"
+ with_items: "{{ keystone_packages }}"
- name: Install Apache apt packages
apt:
@@ -40,7 +40,7 @@
until: install_packages|success
retries: 5
delay: 2
- with_items: "{{ keystone_apache_apt_packages }}"
+ with_items: "{{ keystone_apache_packages }}"
when: keystone_apache_mod_wsgi_enabled | bool
- name: Install IdP apt packages
@@ -51,7 +51,7 @@
until: install_packages|success
retries: 5
delay: 2
- with_items: "{{ keystone_idp_apt_packages }}"
+ with_items: "{{ keystone_idp_packages }}"
when:
- keystone_apache_mod_wsgi_enabled | bool
- keystone_idp != {}
@@ -64,7 +64,7 @@
until: install_packages|success
retries: 5
delay: 2
- with_items: "{{ keystone_sp_apt_packages }}"
+ with_items: "{{ keystone_sp_packages }}"
when:
- keystone_apache_mod_wsgi_enabled | bool
- keystone_sp != {}
@@ -77,6 +77,6 @@
until: install_packages|success
retries: 5
delay: 2
- with_items: "{{ keystone_developer_apt_packages }}"
+ with_items: "{{ keystone_developer_packages }}"
when:
- keystone_developer_mode | bool
diff --git a/tasks/keystone_install_yum.yml b/tasks/keystone_install_yum.yml
new file mode 100644
index 00000000..4b813551
--- /dev/null
+++ b/tasks/keystone_install_yum.yml
@@ -0,0 +1,114 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create keystone dir
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ owner: "{{ item.owner|default(keystone_system_user_name) }}"
+ group: "{{ item.group|default(keystone_system_group_name) }}"
+ mode: "{{ item.mode|default('0755') }}"
+ with_items:
+ - { path: "/etc/pki/tls/certs", owner: "root", group: "root" }
+ - { path: "/etc/pki/tls/private", owner: "root", group: "root" }
+ - { path: "/var/lock/keystone", mode: "2755" }
+ - { path: "/var/log/httpd", mode: "2755" }
+
+- name: Create system links
+ file:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ state: "link"
+ with_items:
+ - { src: "/etc/pki/tls/certs", dest: "/etc/ssl/certs" }
+ - { src: "/etc/pki/tls/private", dest: "/etc/ssl/private" }
+ - { src: "/var/log/httpd", dest: "/var/log/apache2" }
+
+- name: Install yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: keystone_packages
+
+- name: Install Apache yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: "{{ keystone_apache_packages }}"
+ when: keystone_apache_mod_wsgi_enabled | bool
+
+- name: Install IdP yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: keystone_idp_packages
+ when: keystone_idp is defined
+
+#TODO(cloudnull) Remove this task once we move to Ansible 2.1
+# where we can leverage the `yum_repository` module:
+# https://docs.ansible.com/ansible/yum_repository_module.html
+- name: Add shibboleth repo
+ copy:
+ content: |
+ [{{ item.name }}]
+ name={{ item.name }}
+ description={{ item.description }}
+ baseurl={{ item.baseurl }}
+ gpgkey={{ item.gpgkey }}
+ gpgcheck=1
+ enabled=1
+ dest: "/etc/yum.repos.d/{{ item.file }}.repo"
+ register: add_repos
+ until: add_repos|success
+ retries: 5
+ delay: 2
+ with_items:
+ - "{{ keystone_shibboleth_repo }}"
+ when: keystone_sp is defined
+
+- name: Install SP yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: keystone_sp_packages
+ when: keystone_sp is defined
+
+- name: Install developer mode yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: keystone_developer_packages
+ when:
+ - keystone_developer_mode | bool
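Review bot: The `when: keystone_sp is defined` guards on 'Add shibboleth repo' and 'Install SP yum packages' look always true, because the defaults/main.yml hunk header in this diff shows `keystone_sp: {}` as the role default; the apt task file decides the same thing with `keystone_sp != {}`. As written, every yum host would presumably get the third-party repo file and the shibboleth package whether or not federation is configured, so use `when: keystone_sp != {}` here and `when: keystone_idp != {}` on the IdP task. Separately, `with_items: keystone_packages` (likewise `keystone_idp_packages`, `keystone_sp_packages` and `keystone_developer_packages`) uses the bare-variable form while 'Install Apache yum packages' uses `"{{ keystone_apache_packages }}"`; the templated form should be used throughout. The repo file written by `copy` also sets no `owner` or `mode`.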
diff --git a/tasks/keystone_key_distribute.yml b/tasks/keystone_key_distribute.yml
index f56b647e..82c77499 100644
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@@ -17,5 +17,5 @@
authorized_key:
user: "{{ keystone_system_user_name }}"
key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}"
- with_items: "{{ groups['keystone_all'] }}"
when: hostvars[item]['keystone_pubkey'] is defined
+ with_items: "{{ groups['keystone_all'] }}"
diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml
index 39daf6c7..e65cde12 100644
--- a/tasks/keystone_ldap_setup.yml
+++ b/tasks/keystone_ldap_setup.yml
@@ -35,8 +35,8 @@
mode: "0644"
with_dict: "{{ keystone_ldap }}"
notify:
- - Restart Apache
- Restart Keystone APIs
+ - Restart service
# Bug 1547542 - Older versions of the keystone role would deploy a blank
# keystone.Default.conf and this will cause errors when adding LDAP-backed
@@ -47,5 +47,5 @@
state: absent
when: keystone_ldap.Default is not defined
notify:
- - Restart Apache
- Restart Keystone APIs
+ - Restart service
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
index ca0abcdf..1f19a4bd 100644
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@@ -36,8 +36,8 @@
config_overrides: "{{ keystone_policy_overrides }}"
config_type: "json"
notify:
- - Restart Apache
- Restart Keystone APIs
+ - Restart service
- name: Drop Keystone Configs
copy:
@@ -47,6 +47,6 @@
group: "{{ keystone_system_group_name }}"
mode: "0644"
notify:
- - Restart Apache
- Restart Keystone APIs
+ - Restart service
diff --git a/tasks/keystone_ssl_key_create.yml b/tasks/keystone_ssl_key_create.yml
index eaa8d2ad..d9eec8a8 100644
--- a/tasks/keystone_ssl_key_create.yml
+++ b/tasks/keystone_ssl_key_create.yml
@@ -28,7 +28,8 @@
-out {{ keystone_ssl_cert }}
-extensions v3_ca
creates={{ keystone_ssl_cert }}
- notify: Restart Apache
+ notify:
+ - Restart service
- name: Ensure keystone user owns the self-signed key and certificate
file:
@@ -39,4 +40,5 @@
with_items:
- "{{ keystone_ssl_key }}"
- "{{ keystone_ssl_cert }}"
- notify: Restart Apache
+ notify:
+ - Restart service
diff --git a/tasks/keystone_ssl_user_provided.yml b/tasks/keystone_ssl_user_provided.yml
index ccb569e4..3a197bc4 100644
--- a/tasks/keystone_ssl_user_provided.yml
+++ b/tasks/keystone_ssl_user_provided.yml
@@ -21,7 +21,8 @@
group: "root"
mode: "0644"
when: keystone_user_ssl_cert is defined
- notify: Restart Apache
+ notify:
+ - Restart service
- name: Drop user provided ssl key
copy:
@@ -31,7 +32,8 @@
group: "root"
mode: "0640"
when: keystone_user_ssl_key is defined
- notify: Restart Apache
+ notify:
+ - Restart service
- name: Drop user provided ssl CA cert
copy:
@@ -41,4 +43,5 @@
group: "root"
mode: "0644"
when: keystone_user_ssl_ca_cert is defined
- notify: Restart Apache
+ notify:
+ - Restart service
diff --git a/tasks/main.yml b/tasks/main.yml
index c1c405a1..e996a7f5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,6 +28,7 @@
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 39b43044..8c3449a1 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -56,6 +56,14 @@
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
{% endif %}
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride All
+ Order allow,deny
+ allow from all
+
+
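Review bot: The added block grants `Options Indexes FollowSymLinks MultiViews` and `AllowOverride All` on the Keystone vhost, which turns on auto-generated directory listings and lets any `.htaccess` file in that tree override server configuration; neither is needed to serve a WSGI script. The container tags around these directives are not visible on this page, so the exact path is unknown, and the same block is repeated in the second hunk (`@@ -88,4 +96,11 @@`), where the same point applies. Prefer `Options FollowSymLinks` and `AllowOverride None`. `Order allow,deny` / `allow from all` is the Apache 2.2 access syntax and relies on mod_access_compat under 2.4; if every supported target runs 2.4, `Require all granted` is the native form.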
@@ -88,4 +96,11 @@
SSLCipherSuite {{ keystone_ssl_cipher_suite }}
SSLOptions +StdEnvVars +ExportCertData
{% endif %}
+
+
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride All
+ Order allow,deny
+ allow from all
+
diff --git a/tests/test-install-keystone.yml b/tests/test-install-keystone.yml
index 760b18af..2f07a156 100644
--- a/tests/test-install-keystone.yml
+++ b/tests/test-install-keystone.yml
@@ -14,16 +14,14 @@
# limitations under the License.
- name: Playbook for deploying keystone
- hosts: keystone_all
+ hosts: "infra1"
user: root
gather_facts: true
- pre_tasks:
+ tasks:
- name: Ensure rabbitmq vhost
rabbitmq_vhost:
name: "{{ keystone_rabbitmq_vhost }}"
state: "present"
- delegate_to: "10.100.100.2"
- when: inventory_hostname == groups['keystone_all'][0]
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ keystone_rabbitmq_userid }}"
@@ -33,22 +31,18 @@
read_priv: ".*"
write_priv: ".*"
state: "present"
- delegate_to: "10.100.100.2"
- when: inventory_hostname == groups['keystone_all'][0]
- name: Create DB for service
mysql_db:
login_user: "root"
login_password: "secrete"
- login_host: "localhost"
+ login_host: "127.0.0.1"
name: "{{ keystone_galera_database }}"
state: "present"
- delegate_to: "10.100.100.2"
- when: inventory_hostname == groups['keystone_all'][0]
- name: Grant access to the DB for the service
mysql_user:
login_user: "root"
login_password: "secrete"
- login_host: "localhost"
+ login_host: "127.0.0.1"
name: "{{ keystone_galera_database }}"
password: "{{ keystone_container_mysql_password }}"
host: "{{ item }}"
@@ -57,8 +51,13 @@
with_items:
- "localhost"
- "%"
- delegate_to: "10.100.100.2"
- when: inventory_hostname == groups['keystone_all'][0]
+ vars_files:
+ - test-vars.yml
+
+- name: Playbook for deploying keystone
+ hosts: keystone_all
+ user: root
+ gather_facts: true
roles:
- role: "{{ rolename | basename }}"
tasks:
diff --git a/tests/test-prepare-containers.yml b/tests/test-prepare-containers.yml
index c0d539ea..2945549e 100644
--- a/tests/test-prepare-containers.yml
+++ b/tests/test-prepare-containers.yml
@@ -20,6 +20,7 @@
- role: "lxc_container_create"
lxc_container_release: trusty
lxc_container_backing_store: dir
+ debug: true
global_environment_variables:
PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
post_tasks:
diff --git a/tests/test-prepare-host.yml b/tests/test-prepare-host.yml
index f8926411..aa4a3e92 100644
--- a/tests/test-prepare-host.yml
+++ b/tests/test-prepare-host.yml
@@ -16,11 +16,11 @@
- name: Playbook for configuring LXC host
hosts: localhost
pre_tasks:
- # Make sure OS does not have a stale package cache.
- - name: Update apt cache
+ - name: Ensure apt cache is always refreshed
apt:
update_cache: yes
- when: ansible_os_family == 'Debian'
+ when:
+ - ansible_pkg_mgr == 'apt'
- name: Ensure root's new public ssh key is in authorized_keys
authorized_key:
user: root
@@ -32,11 +32,36 @@
stat:
path: /etc/nodepool/provider
register: nodepool
- - name: Set the files to copy into the container cache for OpenStack-CI instances
+ - name: Set the files to copy into the container cache for OpenStack-CI instances (rhel)
set_fact:
lxc_container_cache_files:
- { src: '/etc/pip.conf', dest: '/etc/pip.conf' }
- when: nodepool.stat.exists | bool
+ when:
+ - nodepool.stat.exists | bool
+ - ansible_pkg_mgr == 'yum'
+ - name: Set the files to copy into the container cache for OpenStack-CI instances (deb)
+ set_fact:
+ lxc_container_cache_files:
+ - { src: '/etc/pip.conf', dest: '/etc/pip.conf' }
+ - { src: '/etc/apt/apt.conf.d/99unauthenticated', dest: '/etc/apt/apt.conf.d/99unauthenticated' }
+ when:
+ - nodepool.stat.exists | bool
+ - ansible_pkg_mgr == 'apt'
+ - name: Determine the existing Ubuntu repo configuration
+ shell: 'awk "/^deb .*ubuntu\/? {{ ansible_distribution_release }} main/ {print \$2; exit}" /etc/apt/sources.list'
+ register: ubuntu_repo
+ changed_when: false
+ when: ansible_pkg_mgr == 'apt'
+ - name: Set apt repo facts based on discovered information
+ set_fact:
+ lxc_container_template_main_apt_repo: "{{ ubuntu_repo.stdout }}"
+ lxc_container_template_security_apt_rep: "{{ ubuntu_repo.stdout }}"
+ when: ansible_pkg_mgr == 'apt'
+ - name: install the epel repo rpm from a remote repo
+ yum:
+ name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
+ state: "present"
+ when: ansible_pkg_mgr == 'yum'
roles:
- role: "lxc_hosts"
lxc_net_address: 10.100.100.1
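Review bot: `lxc_container_template_security_apt_rep` in 'Set apt repo facts based on discovered information' looks like a typo for `lxc_container_template_security_apt_repo` (the sibling fact ends in `_repo`), in which case the fact is set under a name nothing reads and the security repo setting is left at whatever the consuming role defaults to. The '(deb)' cache-file list also copies `/etc/apt/apt.conf.d/99unauthenticated` into the container cache; judging by its name that file relaxes apt signature checking, so a comment like `# CI mirrors only; applies only when /etc/nodepool/provider exists` would make the scope explicit. The play continues outside the hunk.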
diff --git a/tests/test-vars.yml b/tests/test-vars.yml
index 382145ea..e339cee8 100644
--- a/tests/test-vars.yml
+++ b/tests/test-vars.yml
@@ -28,10 +28,10 @@ keystone_rabbitmq_password: "secrete"
keystone_rabbitmq_port: 5671
keystone_rabbitmq_servers: 10.100.100.2
keystone_rabbitmq_use_ssl: true
-keystone_ssl: true
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_requirements_git_install_branch: master
+keystone_ssl: true
keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
keystone_service_password: "secrete"
diff --git a/tox.ini b/tox.ini
index affd9e27..e9338e15 100644
--- a/tox.ini
+++ b/tox.ini
@@ -145,6 +145,11 @@ commands =
[testenv:functional]
+# Ignore_errors is set to true so that the logs are collected at the
+# end of the run. This will not produce a failse positive. Any
+# exception will be mark the run as "failed" and exit 1 after all of
+# the commands have been iterated through.
+ignore_errors = True
# NOTE(odyssey4me): this target does not use constraints because
# it doesn't work in OpenStack-CI yet. Once that's fixed, we can
# drop the install_command.
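Review bot: The new comment above `ignore_errors = True` has two slips that make it hard to read: "failse positive" should be `false positive`, and "will be mark the run" should be `will mark the run`. It would also help to state that the setting applies to every command in this testenv, so the log-collection commands added in the next hunk still run after a failed playbook.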
@@ -160,7 +165,8 @@ commands =
-e "rolename={toxinidir}" \
-e "install_test_packages=True" \
{toxinidir}/tests/test.yml -vvvv
-
+ bash -c 'mkdir -p {toxinidir}/logs'
+ bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true'
# NOTE(andymccr): this will test keystone with uwsgi & nginx
[testenv:func_uwsgi-nginx]
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
new file mode 100644
index 00000000..194981ad
--- /dev/null
+++ b/vars/redhat-7.yml
@@ -0,0 +1,67 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+keystone_shibboleth_repo:
+ state: "present"
+ name: "shibboleth"
+ description: "shibboleth Repo"
+ file: shibboleth
+ baseurl: "http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/"
+ gpgkey: "http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7//repodata/repomd.xml.key"
+
+keystone_packages:
+ - ca-certificates
+ - cronie
+ - cronie-anacron
+ - git
+ - libffi-devel
+ - libgsasl-devel
+ - libxml2-devel
+ - libxslt-devel
+ - mod_ssl
+ - mod_wsgi
+ - openldap
+ - openldap-devel
+ - openssl
+ - python-devel
+ - rsync
+
+keystone_apache_packages:
+ - httpd
+ - httpd-tools
+
+keystone_idp_packages:
+ - xmlsec1
+
+keystone_sp_packages:
+ - shibboleth
+
+keystone_developer_packages:
+ - '@Development Tools'
+
+keystone_apache_default_sites:
+ - "/etc/httpd/conf.d/userdir.conf"
+ - "/etc/httpd/conf.d/welcome.conf"
+ - "/etc/httpd/conf.d/ssl.conf"
+
+keystone_apache_conf: "/etc/httpd/conf/httpd.conf"
+keystone_apache_security_conf: "{{ keystone_apache_conf }}"
+
+keystone_apache_configs:
+ - { src: "keystone-ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf" }
+ - { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
+ - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
+
+keystone_system_service_name: httpd
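Review bot: `baseurl` and `gpgkey` in `keystone_shibboleth_repo` are plain `http://` URLs, so the signing key that `gpgcheck=1` relies on is itself fetched over an unauthenticated channel and the package signature check can be undermined in transit. Use `https://` for both, assuming the mirror serves it, and drop the doubled slash in `CentOS_7//repodata/repomd.xml.key`. `state: "present"` is not read by the 'Add shibboleth repo' task in tasks/keystone_install_yum.yml, which only templates `name`, `description`, `baseurl`, `gpgkey` and `file`; remove it or add a comment that it is reserved for the planned `yum_repository` switch.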
diff --git a/vars/ubuntu-14.04.yml b/vars/ubuntu-14.04.yml
index 7bf701b5..770ef033 100644
--- a/vars/ubuntu-14.04.yml
+++ b/vars/ubuntu-14.04.yml
@@ -14,7 +14,8 @@
# limitations under the License.
# Common apt packages
-keystone_apt_packages:
+# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
+_keystone_packages:
- debhelper
- dh-apparmor
- docutils-common
@@ -30,14 +31,43 @@ keystone_apt_packages:
- python-dev
- rsync
-keystone_idp_apt_packages:
- - ssl-cert
- - xmlsec1
+keystone_packages: '{{ _keystone_packages | deprecated(keystone_apt_packages, "keystone_apt_packages", "keystone_packages", "ocata", keystone_fatal_deprecations) }}'
-keystone_developer_apt_packages:
- - build-essential
-
-keystone_apache_apt_packages:
+keystone_apache_packages:
- apache2
- apache2-utils
- libapache2-mod-wsgi
+
+# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
+_keystone_idp_packages:
+ - ssl-cert
+ - xmlsec1
+
+keystone_idp_packages: '{{ _keystone_idp_packages | deprecated(keystone_idp_apt_packages, "keystone_idp_apt_packages", "keystone_idp_packages", "ocata", keystone_fatal_deprecations) }}'
+
+# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
+_keystone_sp_packages:
+ - libapache2-mod-shib2
+
+keystone_sp_packages: '{{ _keystone_sp_packages | deprecated(keystone_sp_apt_packages, "keystone_sp_apt_packages", "keystone_sp_packages", "ocata", keystone_fatal_deprecations) }}'
+
+# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
+_keystone_developer_packages:
+ - build-essential
+
+keystone_developer_packages: '{{ _keystone_developer_packages | deprecated(keystone_developer_apt_packages, "keystone_developer_apt_packages", "keystone_developer_packages", "ocata", keystone_fatal_deprecations) }}'
+
+keystone_apache_default_sites:
+ - "/etc/apache2/sites-enabled/000-default.conf"
+
+keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
+keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
+keystone_apache_conf: "/etc/apache2/apache2.conf"
+keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
+
+keystone_apache_configs:
+ - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
+ - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
+ - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
+
+keystone_system_service_name: apache2
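Review bot: `keystone_sp_packages` passes `keystone_sp_apt_packages` to the `deprecated` filter, but this same commit deletes that variable's default from defaults/main.yml, and no definition of `keystone_apt_packages`, `keystone_idp_apt_packages`, `keystone_developer_apt_packages` or `keystone_fatal_deprecations` is visible in the diff. Unless the filter tolerates an undefined first argument, templating these four variables may fail on 14.04 when the deployer has not set the old names; confirm that behaviour or give the old names an explicit empty default. The repeated comment ("deprecation filers") is also hard to parse; something like `# Deprecated name kept for compatibility; remove the filter and the underscore-prefixed list in Ocata.` reads better.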
diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml
index 77232e8c..9a4535bd 100644
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@@ -14,7 +14,7 @@
# limitations under the License.
# Common apt packages
-keystone_apt_packages:
+keystone_packages:
- debhelper
- dh-apparmor
- docutils-common
@@ -30,14 +30,30 @@ keystone_apt_packages:
- python-dev
- rsync
-keystone_idp_apt_packages:
- - ssl-cert
- - xmlsec1
-
-keystone_developer_apt_packages:
- - build-essential
-
-keystone_apache_apt_packages:
+keystone_apache_packages:
- apache2
- apache2-utils
- libapache2-mod-wsgi
+
+keystone_idp_packages:
+ - ssl-cert
+ - xmlsec1
+
+keystone_sp_packages:
+ - libapache2-mod-shib2
+
+keystone_developer_packages:
+ - build-essential
+
+keystone_apache_default_sites:
+ - "/etc/apache2/sites-enabled/000-default.conf"
+keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
+keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
+keystone_apache_conf: "/etc/apache2/apache2.conf"
+keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
+keystone_apache_configs:
+ - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
+ - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
+ - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
+
+keystone_system_service_name: apache2