Implement keystone venv support

This commit conditionally allows the os_keystone role to install build and deploy within a venv. This is the new default behavior of the role however the functionality can be disabled. Change-Id: Ie9e51926c96125a543e05eaa1912684fb01fecda Implements: blueprint enable-venv-support-within-the-roles Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2015-09-30 11:30:44 -05:00 · 2015-09-30 11:30:44 -05:00 · 423d0cfa7d
commit 423d0cfa7d
parent c411af7b80
11 changed files with 126 additions and 20 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -13,12 +13,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-# Defines that the role will be deployed on a host machine
-is_metal: true
-
 ## Verbosity Options
 debug: False
 verbose: True
+
+# Name of the virtual env to deploy into
+keystone_venv_tag: untagged
+keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
+
+# Set this to enable or disable installing in a venv
+keystone_venv_enabled: true
+
+# The bin path defaults to the venv path however if installation in a
+#  venv is disabled the bin path will be dynamically set based on the
+#  system path used when the installing.
+keystone_bin: "{{ keystone_venv_bin }}"
+
 keystone_fatal_deprecations: False

 ## System info
@ -334,6 +344,11 @@ keystone_idp_apt_packages:
  - ssl-cert
  - xmlsec1

+# Keystone packages that must be installed before anything else
+keystone_requires_pip_packages:
+  - virtualenv
+  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
+
 # Common pip packages
 keystone_pip_packages:
  - keystone
--- a/tasks/keystone_db_setup.yml
+++ b/tasks/keystone_db_setup.yml
@ -40,10 +40,11 @@
    - keystone-db-setup

 - name: Perform a Keystone DB sync
-  command: keystone-manage db_sync
+  command: "{{ keystone_bin }}/keystone-manage db_sync"
  sudo: yes
  sudo_user: "{{ keystone_system_user_name }}"
  tags:
    - keystone-db-setup
    - keystone-db-sync
    - keystone-setup
+    - keystone-command-bin
--- a/tasks/keystone_fernet_keys_create.yml
+++ b/tasks/keystone_fernet_keys_create.yml
@ -22,21 +22,25 @@

 - name: Create fernet keys for Keystone
  command: >
-    keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
-                                 --keystone-group "{{ keystone_system_group_name }}"
+    {{ keystone_bin }}/keystone-manage fernet_setup
+                                       --keystone-user "{{ keystone_system_user_name }}"
+                                       --keystone-group "{{ keystone_system_group_name }}"
  sudo: yes
  sudo_user: "{{ keystone_system_user_name }}"
  when: not _fernet_keys.stat.exists
  tags:
    - keystone-setup
    - keystone-fernet
+    - keystone-command-bin

 - name: Rotate fernet keys for Keystone
  command: >
-    keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
-                                  --keystone-group "{{ keystone_system_group_name }}"
+    {{ keystone_bin }}/keystone-manage fernet_rotate
+                                       --keystone-user "{{ keystone_system_user_name }}"
+                                       --keystone-group "{{ keystone_system_group_name }}"
  sudo: yes
  sudo_user: "{{ keystone_system_user_name }}"
  when: _fernet_keys.stat.exists
  tags:
    - keystone-fernet
+    - keystone-command-bin
--- a/tasks/keystone_idp_metadata.yml
+++ b/tasks/keystone_idp_metadata.yml
@ -14,7 +14,8 @@
 # limitations under the License.

 - name: Generate IdP metadata
-  shell: "keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}"
+  shell: |
+    {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
  sudo: yes
  sudo_user: "{{ keystone_system_user_name }}"
  when: keystone_idp is defined
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@ -34,6 +34,7 @@
  delay: 2
  with_items: keystone_apt_packages
  tags:
+    - keystone-install
    - keystone-apt-packages

 - name: Install IdP apt packages
@ -47,6 +48,7 @@
  with_items: keystone_idp_apt_packages
  when: keystone_idp is defined
  tags:
+    - keystone-install
    - keystone-apt-packages

 - name: Install SP apt packages
@ -60,9 +62,43 @@
  with_items: keystone_sp_apt_packages
  when: keystone_sp is defined
  tags:
+    - keystone-install
    - keystone-apt-packages

- name: Install pip packages
+- name: Install requires pip packages
+  pip:
+    name: "{{ item }}"
+    state: present
+    extra_args: "{{ pip_install_options|default('') }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items:
+    - "{{ keystone_requires_pip_packages }}"
+  tags:
+    - keystone-install
+    - keystone-pip-packages
+
+- name: Install pip packages (venv)
+  pip:
+    name: "{{ item }}"
+    state: present
+    virtualenv: "{{ keystone_venv_bin | dirname }}"
+    virtualenv_site_packages: "no"
+    extra_args: "{{ pip_install_options|default('') }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items:
+    - "{{ keystone_pip_packages }}"
+  when: keystone_venv_enabled | bool
+  tags:
+    - keystone-install
+    - keystone-pip-packages
+
+- name: Install pip packages (no venv)
  pip:
    name: "{{ item }}"
    state: present
@ -73,5 +109,7 @@
  delay: 2
  with_items:
    - "{{ keystone_pip_packages }}"
+  when: not keystone_venv_enabled | bool
  tags:
+    - keystone-install
    - keystone-pip-packages
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@ -53,9 +53,38 @@
    mode: "{{ item.mode|default('0644') }}"
  with_items:
    - { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" }
-    - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
-    - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
  notify:
    - Restart Apache
  tags:
    - keystone-config
+
+- name: Drop Keystone WSGI Configs
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "{{ item.mode|default('0644') }}"
+  with_items:
+    - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
+    - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-config
+
+- name: Get keystone command path
+  command: which keystone
+  register: keystone_command_path
+  when:
+    - not keystone_venv_enabled | bool
+  tags:
+    - keystone-command-bin
+
+- name: Set keystone command path
+  set_fact:
+    keystone_bin: "{{ keystone_command_path.stdout | dirname }}"
+  when:
+    - not keystone_venv_enabled | bool
+  tags:
+    - keystone-command-bin
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@ -67,6 +67,7 @@
    group: "{{ item.group|default(keystone_system_group_name) }}"
    mode: "{{ item.mode|default(0755) }}"
  with_items:
+    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
    - { path: "/etc/keystone" }
    - { path: "{{ keystone_ldap_domain_config_dir }}" }
    - { path: "/etc/keystone/ssl" }
@ -78,6 +79,17 @@
  tags:
    - keystone-dirs

+- name: Create keystone venv dir
+  file:
+    path: "{{ item.path }}"
+    state: directory
+  with_items:
+    - { path: "/openstack/venvs" }
+    - { path: "{{ keystone_venv_bin }}" }
+  when: keystone_venv_enabled | bool
+  tags:
+    - keystone-dirs
+
 - name: Test for log directory or link
  shell: |
    if [ -h "/var/log/keystone"  ]; then
--- a/tasks/keystone_token_cleanup.yml
+++ b/tasks/keystone_token_cleanup.yml
@ -17,9 +17,7 @@
  cron:
    name: "Clear out stale keystone tokens"
    minute: 0
-    job: "/usr/local/bin/keystone-manage token_flush"
+    job: "{{ keystone_bin }}/keystone-manage token_flush"
    user: "{{ keystone_system_user_name }}"
-  when: >
-    'sql' in keystone_token_driver
  tags:
    - keystone-config
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -15,6 +15,7 @@

 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+- include: keystone_post_install.yml

 - include: keystone_key_setup.yml
  tags:
@ -27,8 +28,6 @@
  when: >
    'fernet' in keystone_token_provider

- include: keystone_post_install.yml
-
 - include: keystone_federation_sp_setup.yml
  when: >
    keystone_sp is defined
@ -37,9 +36,12 @@
  when: >
    inventory_hostname == groups['keystone_all'][0]

+- include: keystone_token_cleanup.yml
+  when: >
+    'sql' in keystone_token_driver
+
 - include: keystone_ssl.yml
 - include: keystone_apache.yml
- include: keystone_token_cleanup.yml

 - include: keystone_service_setup.yml
  when: >
--- a/templates/keystone-fernet-rotate.sh.j2
+++ b/templates/keystone-fernet-rotate.sh.j2
@ -23,8 +23,9 @@

 function autorotate {
    # Rotate the keys
-    keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" \
-                                  --keystone-group "{{ keystone_system_group_name }}"
+    {{ keystone_bin }}/keystone-manage fernet_rotate \
+                                       --keystone-user "{{ keystone_system_user_name }}" \
+                                       --keystone-group "{{ keystone_system_group_name }}"
    {% for host in groups['keystone_all'] %}

    {% if inventory_hostname != host %}
--- a/templates/keystone-wsgi.py.j2
+++ b/templates/keystone-wsgi.py.j2
@ -14,6 +14,11 @@

 import os

+{% if keystone_venv_enabled | bool %}
+activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
+execfile(activate_this, dict(__file__=activate_this))
+{% endif %}
+
 from keystone.server import wsgi as wsgi_server