openstack/openstack-ansible-os_keystone
Code Issues Proposed changes
beebf1196e
openstack-ansible-os_keystone/tasks/keystone_pre_install.yml
Jonathan Rosser 8e1f7f4ad8 Fix loss of fernet and credential keys during Rocky to Stein upgrade 
This applies only to source based installations.

The introduction of smart-sources in [1] created a code path
which deletes the /etc/keystone directory before symlinking it
into the keystone venv and creating the necessary config files.

Unfortunatley this has the side effect of also deleting any fernet
and credential keys which pre-existed in the case of an upgrade from
Rocky. The original keys were deleted simulataneously across the whole
keystone_all group in a way which is makes them unrecoverable in
the absence of a backup taken by the operator.

This change simplifies the smart-sources code to always keep the
keystone config files and fernet keys in the host /etc/keystone.
This ensures that the lifecycle of the fernet keys is not coupled
to the lifecycle of the keystone venvs.

In addition, a task is added to rescue any keys which have been
created in the keystone venv by installations from the Stein
release-candidate.

[1] https://review.opendev.org/#/c/588960/

Closes-Bug: 1833414
Change-Id: Ide611fd3d88e352367220f05dbcf4186ac20319f
2019-06-20 15:46:28 +00:00

151 lines
5.0 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: create the system group
group:
name: "{{ keystone_system_group_name }}"
state: "present"
system: "yes"
delegate_to: "{{ item }}"
with_items: "{{ ansible_play_hosts }}"
when: "inventory_hostname == ansible_play_hosts[0]"
- name: create additional groups
group:
name: "{{ item[1] }}"
state: "present"
system: "yes"
delegate_to: "{{ item[0] }}"
with_nested:
- "{{ ansible_play_hosts }}"
- "{{ keystone_system_additional_groups }}"
when: "inventory_hostname == ansible_play_hosts[0]"
- name: Remove old key file(s) if found
file:
path: "{{ item[1] }}"
state: "absent"
with_nested:
- "{{ ansible_play_hosts }}"
- - "{{ keystone_system_user_home }}/.ssh/authorized_keys"
- "{{ keystone_system_user_home }}/.ssh/id_rsa"
- "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
when:
- keystone_recreate_keys | bool
- "inventory_hostname == ansible_play_hosts[0]"
delegate_to: "{{ item[0] }}"
- name: Create the keystone system user
user:
name: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}"
groups: "{{ keystone_system_additional_groups | join(',') }}"
comment: "{{ keystone_system_comment }}"
shell: "{{ keystone_system_shell }}"
system: "yes"
createhome: "yes"
home: "{{ keystone_system_user_home }}"
delegate_to: "{{ item }}"
with_items: "{{ ansible_play_hosts }}"
when: "inventory_hostname == ansible_play_hosts[0]"
# NOTE(jrosser) this block is to undo symlinking of /etc/keystone into
# the keystone venv introduced in change-id I93cb6463ca1eb93ab7f4e7a3970a7de829efaf66.
# The smart-sources behaviour of deleting the /etc/keystone directory caused the total
# loss of all fernet keys and credential keys during an R->S upgrade using the Stein
# release candidate.
# Remove this code in the Train release.
- name: Source config block
block:
- name: Stat config directory
stat:
path: "/etc/keystone"
register: keystone_conf_dir_stat
with_items:
- "{{ ansible_play_hosts }}"
delegate_to: "{{ item }}"
run_once: yes
- name: Remove the config directory symlink, if it exists
file:
path: "/etc/keystone"
state: absent
with_items:
- "{{ keystone_conf_dir_stat.results }}"
delegate_to: "{{ item.item }}"
when:
- item.stat.islnk is defined and
item.stat.islnk
run_once: yes
when:
- keystone_install_method == 'source'
# The fernet key repository is needed on all hosts even if only running against
# one host, so the delegation preps the directories on all hosts at once.
- name: Create keystone dir
file:
path: "{{ item[1].path | default(omit) }}"
src: "{{ item[1].src | default(omit) }}"
dest: "{{ item[1].dest | default(omit) }}"
state: "{{ item[1].state | default('directory') }}"
owner: "{{ item[1].owner|default(keystone_system_user_name) }}"
group: "{{ item[1].group|default(keystone_system_group_name) }}"
mode: "{{ item[1].mode | default(omit) }}"
force: "{{ item[1].force | default(omit) }}"
with_nested:
- "{{ ansible_play_hosts }}"
- - path: "/openstack"
mode: "0755"
owner: "root"
group: "root"
- dest: "/etc/keystone"
mode: "0755"
- path: "{{ keystone_credential_key_repository }}"
mode: "0750"
- path: "{{ keystone_ldap_domain_config_dir }}"
mode: "0750"
- path: "/etc/keystone/ssl"
- path: "{{ keystone_fernet_tokens_key_repository }}"
mode: "2750"
- path: "{{ keystone_system_user_home }}"
- path: "/var/www/cgi-bin"
owner: root
group: root
- path: "/var/www/cgi-bin/keystone"
- path: "/etc/ansible/facts.d"
owner: root
group: root
delegate_to: "{{ item[0] }}"
when: "inventory_hostname == ansible_play_hosts[0]"
# NOTE (jrosser) This recovers Stein release candidate deployments into a
# state where the fernet and credential keys will not be lost on subsequent upgrades.
# Remove in Train release
- name: Rescue fernet keys previously symlinked into the ansible venv
command: >
cp -rp {{ item.stat.lnk_target | regex_replace('^../', '/') }} /etc/keystone
with_items:
- "{{ keystone_conf_dir_stat.results }}"
delegate_to: "{{ item.item }}"
when:
- keystone_install_method == 'source'
- item.stat.islnk is defined and
item.stat.islnk
run_once: yes
tags:
- skip_ansible_lint
View Git Blame Copy Permalink