Use fixed templates for glance configuration

This change moves away from the template generation to using fixed template files. This allows us to conditionally write blocks of configurations, which I have done for the swift_store options. This work is largely ripped from @cloudnull's cdc branch. Note that there are a few minor configuration changes introduced here by (from @cloudnull's branch), such as worker count in glance-api.conf.
2014-09-09 13:37:08 +01:00 · 2014-09-09 13:37:08 +01:00 · d60f55f0d6
commit d60f55f0d6
parent cfe01cb2a6
10 changed files with 268 additions and 276 deletions
--- a/rpc_deployment/playbooks/openstack/glance-api.yml
+++ b/rpc_deployment/playbooks/openstack/glance-api.yml
@ -41,7 +41,6 @@
    - init_script
    - glance_cache_crons
  vars_files:
    - vars/config_vars/glance_config.yml
    - vars/openstack_service_vars/glance_api.yml
  handlers:
    - include: handlers/services.yml
@ -54,7 +53,6 @@
    - init_script
    - glance_cache_crons
  vars_files:
    - vars/config_vars/glance_config.yml
    - vars/openstack_service_vars/glance_api.yml
  handlers:
    - include: handlers/services.yml
--- a/rpc_deployment/playbooks/openstack/glance-registry.yml
+++ b/rpc_deployment/playbooks/openstack/glance-registry.yml
@ -26,7 +26,6 @@
    - galera_client_cnf
    - init_script
  vars_files:
    - vars/config_vars/glance_config.yml
    - vars/openstack_service_vars/glance_registry.yml
  handlers:
    - include: handlers/services.yml
--- a/rpc_deployment/roles/glance_common/tasks/glance_config.yml
+++ b/rpc_deployment/roles/glance_common/tasks/glance_config.yml
@ -13,29 +13,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
- name: Drop Glance Config
+- name: Drop Glance Config(s)
-  template: >
+  template:
-    src={{ item }}
+    src: "{{ item }}"
-    dest=/etc/glance/{{ item }}
+    dest: "/etc/glance/{{ item }}"
-    owner={{ system_user }}
+    owner: "{{ system_user }}"
-    group={{ system_group }}
+    group: "{{ system_group }}"
  with_items:
    - glance-api-paste.ini
    - glance-api.conf
    - glance-cache.conf
    - glance-registry-paste.ini
    - glance-registry.conf
    - glance-scrubber.conf
    - policy.json
      - schema.json
    - schema-image.json
-  notify: Restart os service
+    - schema.json
 - name: Generate Glance Config
  template: >
    src=template_gen
    dest=/etc/glance/{{ item.file }}
    owner={{ system_user }}
    group={{ system_group }}
  with_items:
      - { file: glance-registry-paste.ini, var: "{{ glance_registry_paste_ini }}" }
      - { file: glance-api-paste.ini, var: "{{ glance_api_paste_ini }}" }
      - { file: glance-registry.conf, var: "{{ glance_registry_conf }}" }
      - { file: glance-api.conf, var: "{{ glance_api_conf }}" }
      - { file: glance-cache.conf, var: "{{ glance_cache_conf }}" }
      - { file: glance-scrubber.conf, var: "{{ glance_scrubber_conf }}" }
  notify: Restart os service
--- a/rpc_deployment/roles/glance_common/templates/glance-api-paste.ini
+++ b/rpc_deployment/roles/glance_common/templates/glance-api-paste.ini
@ -0,0 +1,72 @@
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
 pipeline = versionnegotiation unauthenticated-context rootapp
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
 pipeline = versionnegotiation unauthenticated-context cache rootapp
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
 pipeline = versionnegotiation unauthenticated-context cache cachemanage rootapp
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
 pipeline = versionnegotiation authtoken context rootapp
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
 pipeline = versionnegotiation authtoken context cache rootapp
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
 pipeline = versionnegotiation authtoken context cache cachemanage rootapp
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
 pipeline = versionnegotiation context rootapp
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
 pipeline = versionnegotiation context cache cachemanage rootapp
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
 /: apiversions
 /v1: apiv1app
 /v2: apiv2app
 [app:apiversions]
 paste.app_factory = glance.api.versions:create_resource
 [app:apiv1app]
 paste.app_factory = glance.api.v1.router:API.factory
 [app:apiv2app]
 paste.app_factory = glance.api.v2.router:API.factory
 [filter:versionnegotiation]
 paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
 [filter:cache]
 paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
 [filter:cachemanage]
 paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
 [filter:context]
 paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
 [filter:unauthenticated-context]
 paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 delay_auth_decision = true
 [filter:gzip]
 paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
--- a/rpc_deployment/roles/glance_common/templates/glance-api.conf
+++ b/rpc_deployment/roles/glance_common/templates/glance-api.conf
@ -0,0 +1,75 @@
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 log_file = /var/log/glance/glance-api.log
 use_syslog = False
 sql_connection = mysql://{{ container_mysql_user }}:{{ container_mysql_password }}@{{ mysql_address }}/{{ container_database }}?charset=utf8
 default_store = {{ default_store }}
 known_stores = glance.store.filesystem.Store,
               glance.store.http.Store,
               glance.store.cinder.Store,
               glance.store.swift.Store
 bind_host = 0.0.0.0
 bind_port = 9292
 backlog = 4096
 workers = 4
 registry_host = {{ registry_host }}
 registry_port = 9191
 registry_client_protocol = http
 cinder_catalog_info = volume:cinder:internalURL
 ##### RPC MESSAGING OPTIONS #####
 notification_driver = messaging
 rpc_backend = {{ rpc_backend }}
 rabbit_hosts = {{ rabbit_hosts }}
 rabbit_port = {{ rabbit_port }}
 rabbit_use_ssl = {{ rabbit_use_ssl }}
 rabbit_userid = {{ rabbit_userid }}
 rabbit_password = {{ rabbit_password }}
 rabbit_virtual_host = {{ rabbit_virtual_host }}
 rabbit_notification_exchange = glance
 rabbit_notification_topic = notifications
 rabbit_durable_queues = False
 {% if default_store == "swift" %}
 ##### STORE OPTIONS #####
 swift_store_auth_version = 2
 swift_store_auth_address = {{ swift_store_auth_address }}
 swift_store_user = {{ swift_store_user }}
 swift_store_key = {{ swift_store_key }}
 swift_store_region = {{ swift_store_region }}
 swift_store_container = {{ swift_store_container }}
 swift_store_create_container_on_put = True
 swift_store_large_object_size = 5120
 swift_store_large_object_chunk_size = 200
 swift_store_retry_get_count = 5
 swift_store_endpoint_type = {{ glance_swift_store_endpoint_type }}
 {% endif %}
 filesystem_store_datadir = /var/lib/glance/images/
 delayed_delete = False
 scrub_time = 43200
 scrubber_datadir = /var/lib/glance/scrubber/
 image_cache_dir = /var/lib/glance/cache/
 [keystone_authtoken]
 signing_dir = /var/lib/glance/cache/api
 identity_uri = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
 auth_uri = {{ auth_identity_uri }}
 admin_tenant_name = {{ service_admin_tenant_name }}
 admin_user = {{ service_admin_username }}
 admin_password = {{ service_admin_password }}
 memcached_servers = {{ internal_vip_address }}:{{ memcached_port }}
 token_cache_time = 300
 revocation_cache_time = 60
 # if your memcached server is shared, use these settings to avoid cache poisoning
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcached_secret_key }}
 # if your keystone deployment uses PKI, and you value security over performance:
 check_revocations_for_cached = {{ hostvars[groups['keystone_all'][0]]['keystone_use_pki'] }}
 [paste_deploy]
 flavor = {{ flavor }}
--- a/rpc_deployment/roles/glance_common/templates/glance-cache.conf
+++ b/rpc_deployment/roles/glance_common/templates/glance-cache.conf
@ -0,0 +1,14 @@
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 admin_password = {{ glance_service_password }}
 admin_user = glance
 admin_tenant_name = service
 use_syslog = False
 image_cache_dir = /var/lib/glance/cache/
 image_cache_stall_time = 86400
 image_cache_max_size = 10737418240
 registry_host = {{ registry_host }}
 registry_port = 9191
 auth_url = {{ auth_admin_uri }}
 filesystem_store_datadir = /var/lib/glance/images/
--- a/rpc_deployment/roles/glance_common/templates/glance-registry-paste.ini
+++ b/rpc_deployment/roles/glance_common/templates/glance-registry-paste.ini
@ -0,0 +1,25 @@
 # Use this pipeline for no auth - DEFAULT
 [pipeline:glance-registry]
 pipeline = unauthenticated-context registryapp
 # Use this pipeline for keystone auth
 [pipeline:glance-registry-keystone]
 pipeline = authtoken context registryapp
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-registry-trusted-auth]
 pipeline = context registryapp
 [app:registryapp]
 paste.app_factory = glance.registry.api:API.factory
 [filter:context]
 paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
 [filter:unauthenticated-context]
 paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
--- a/rpc_deployment/roles/glance_common/templates/glance-registry.conf
+++ b/rpc_deployment/roles/glance_common/templates/glance-registry.conf
@ -0,0 +1,33 @@
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 log_file = /var/log/glance/glance-registry.log
 use_syslog = False
 sql_connection = mysql://{{ container_mysql_user }}:{{ container_mysql_password }}@{{ mysql_address }}/{{ container_database }}?charset=utf8
 bind_host = 0.0.0.0
 bind_port = 9191
 backlog = 4096
 api_limit_max = 1000
 limit_param_default = 25
 [keystone_authtoken]
 signing_dir = /var/lib/glance/cache/registry/
 identity_uri = {{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}
 auth_uri = {{ auth_identity_uri }}
 admin_tenant_name = {{ service_admin_tenant_name }}
 admin_user = {{ service_admin_username }}
 admin_password = {{ service_admin_password }}
 memcached_servers = {{ internal_vip_address }}:{{ memcached_port }}
 token_cache_time = 300
 revocation_cache_time = 60
 # if your memcached server is shared, use these settings to avoid cache poisoning
 memcache_security_strategy = ENCRYPT
 memcache_secret_key = {{ memcached_secret_key }}
 # if your keystone deployment uses PKI, and you value security over performance:
 check_revocations_for_cached = {{ hostvars[groups['keystone_all'][0]]['keystone_use_pki'] }}
 [paste_deploy]
 flavor = keystone
--- a/rpc_deployment/roles/glance_common/templates/glance-scrubber.conf
+++ b/rpc_deployment/roles/glance_common/templates/glance-scrubber.conf
@ -0,0 +1,34 @@
 [DEFAULT]
 verbose = {{ verbose }}
 debug = {{ debug }}
 # Log to this file. Make sure you do not set the same log file for both the API
 # and registry servers!
 #
 # If `log_file` is omitted and `use_syslog` is false, then log messages are
 # sent to stdout as a fallback.
 log_file = /var/log/glance/scrubber.log
 # Send logs to syslog (/dev/log) instead of to file specified by `log_file`
 #use_syslog: False
 # Should we run our own loop or rely on cron/scheduler to run us
 daemon = False
 # Loop time between checking for new items to schedule for delete
 wakeup_time = 300
 # Directory that the scrubber will use to remind itself of what to delete
 # Make sure this is also set in glance-api.conf
 scrubber_datadir = /var/lib/glance/scrubber
 # Only one server in your deployment should be designated the cleanup host
 cleanup_scrubber = False
 # pending_delete items older than this time are candidates for cleanup
 cleanup_scrubber_time = 86400
 # Address to find the registry server for cleanups
 registry_host = 0.0.0.0
 # Port the registry server is listening on
 registry_port = 9191
--- a/rpc_deployment/vars/config_vars/glance_config.yml
+++ b/rpc_deployment/vars/config_vars/glance_config.yml
@ -1,249 +0,0 @@
 # Copyright 2014, Rackspace US, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 glance_api_conf:
  DEFAULT:
    verbose: "{{ verbose }}"
    debug: "{{ debug }}"
    log_file: /var/log/glance/glance-api.log
    use_syslog: False
    sql_connection: "mysql://{{ container_mysql_user }}:{{ container_mysql_password }}@{{ mysql_address }}/{{ container_database }}?charset=utf8"
    default_store: "{{ default_store }}"
    bind_host: 0.0.0.0
    bind_port: 9292
    backlog: 4096
    workers: 1
    registry_host: "{{ registry_host }}"
    registry_port: 9191
    registry_client_protocol: http
    cinder_catalog_info: "volume:cinder:internalURL"
    ##### RPC MESSAGING OPTIONS #####
    notification_driver: messaging
    rpc_backend: "{{ rpc_backend }}"
    rabbit_hosts: "{{ rabbit_hosts }}"
    rabbit_port: "{{ rabbit_port }}"
    rabbit_use_ssl: "{{ rabbit_use_ssl }}"
    rabbit_userid: "{{ rabbit_userid }}"
    rabbit_password: "{{ rabbit_password }}"
    rabbit_virtual_host: "{{ rabbit_virtual_host }}"
    rabbit_notification_exchange: glance
    rabbit_notification_topic: notifications
    rabbit_durable_queues: False
    ##### STORE OPTIONS #####
    swift_store_auth_version: 2
    swift_store_auth_address: "{{ swift_store_auth_address }}"
    swift_store_user: "{{ swift_store_user }}"
    swift_store_key: "{{ swift_store_key }}"
    swift_store_region: "{{ swift_store_region }}"
    swift_store_container: "{{ swift_store_container }}"
    swift_store_create_container_on_put: True
    swift_store_large_object_size: 5120
    swift_store_large_object_chunk_size: 200
    swift_store_retry_get_count: 5
    swift_store_endpoint_type: "{{ glance_swift_store_endpoint_type }}"
    filesystem_store_datadir: /var/lib/glance/images/
    delayed_delete: False
    scrub_time: 43200
    scrubber_datadir: /var/lib/glance/scrubber/
    image_cache_dir: /var/lib/glance/cache/
  keystone_authtoken:
    signing_dir: /var/lib/glance/cache/api
    identity_uri: "{{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}"
    auth_uri: "{{ auth_identity_uri }}"
    admin_tenant_name: "{{ service_admin_tenant_name }}"
    admin_user: "{{ service_admin_username }}"
    admin_password: "{{ service_admin_password }}"
    memcached_servers: "{{ internal_vip_address }}:{{ memcached_port }}"
    token_cache_time: 300
    revocation_cache_time: 60
    # if your memcached server is shared, use these settings to avoid cache poisoning
    memcache_security_strategy: ENCRYPT
    memcache_secret_key: "{{ memcached_secret_key }}"
    # if your keystone deployment uses PKI, and you value security over performance:
    check_revocations_for_cached: "{{ hostvars[groups['keystone_all'][0]]['keystone_use_pki'] }}"
  paste_deploy:
    flavor: "{{ flavor }}"
 glance_cache_conf:
  DEFAULT:
    verbose: "{{ verbose }}"
    debug: "{{ debug }}"
    admin_password: "{{ glance_service_password }}"
    admin_user: glance
    admin_tenant_name: service
    use_syslog: False
    image_cache_dir: /var/lib/glance/cache/
    image_cache_stall_time: 86400
    image_cache_max_size: 10737418240
    registry_host: "{{ registry_host }}"
    registry_port: 9191
    auth_url: "{{ auth_admin_uri }}"
    filesystem_store_datadir: /var/lib/glance/images/
 glance_registry_conf:
  DEFAULT:
    verbose: "{{ verbose }}"
    debug: "{{ debug }}"
    log_file: /var/log/glance/glance-registry.log
    use_syslog: False
    sql_connection: "mysql://{{ container_mysql_user }}:{{ container_mysql_password }}@{{ mysql_address }}/{{ container_database }}?charset=utf8"
    bind_host: 0.0.0.0
    bind_port: 9191
    backlog: 4096
    api_limit_max: 1000
    limit_param_default: 25
  keystone_authtoken:
    signing_dir: /var/lib/glance/cache/registry/
    identity_uri: "{{ auth_protocol }}://{{ auth_host }}:{{ auth_port }}"
    auth_uri: "{{ auth_identity_uri }}"
    admin_tenant_name: "{{ service_admin_tenant_name }}"
    admin_user: "{{ service_admin_username }}"
    admin_password: "{{ service_admin_password }}"
    memcached_servers: "{{ internal_vip_address }}:{{ memcached_port }}"
    token_cache_time: 300
    revocation_cache_time: 60
    # if your memcached server is shared, use these settings to avoid cache poisoning
    memcache_security_strategy: ENCRYPT
    memcache_secret_key: "{{ memcached_secret_key }}"
    # if your keystone deployment uses PKI, and you value security over performance:
    check_revocations_for_cached: "{{ hostvars[groups['keystone_all'][0]]['keystone_use_pki'] }}"
  paste_deploy:
    flavor: keystone
 glance_scrubber_conf:
  DEFAULT:
    verbose: "{{ verbose }}"
    debug: "{{ debug }}"
    # Log to this file. Make sure you do not set the same log file for both the API
    # and registry servers!
    #
    # If `log_file` is omitted and `use_syslog` is false, then log messages are
    # sent to stdout as a fallback.
    log_file: /var/log/glance/scrubber.log
    # Send logs to syslog (/dev/log) instead of to file specified by `log_file`
    #use_syslog: False
    # Should we run our own loop or rely on cron/scheduler to run us
    daemon: False
    # Loop time between checking for new items to schedule for delete
    wakeup_time: 300
    # Directory that the scrubber will use to remind itself of what to delete
    # Make sure this is also set in glance-api.conf
    scrubber_datadir: /var/lib/glance/scrubber
    # Only one server in your deployment should be designated the cleanup host
    cleanup_scrubber: False
    # pending_delete items older than this time are candidates for cleanup
    cleanup_scrubber_time: 86400
    # Address to find the registry server for cleanups
    registry_host: 0.0.0.0
    # Port the registry server is listening on
    registry_port: 9191
 glance_api_paste_ini:
  # Use this pipeline for no auth or image caching - DEFAULT
  pipeline:glance-api:
    pipeline: "versionnegotiation unauthenticated-context rootapp"
  # Use this pipeline for image caching and no auth
  pipeline:glance-api-caching:
    pipeline: "versionnegotiation unauthenticated-context cache rootapp"
  # Use this pipeline for caching w/ management interface but no auth
  pipeline:glance-api-cachemanagement:
    pipeline: "versionnegotiation unauthenticated-context cache cachemanage rootapp"
  # Use this pipeline for keystone auth
  pipeline:glance-api-keystone:
    pipeline: "versionnegotiation authtoken context rootapp"
  # Use this pipeline for keystone auth with image caching
  pipeline:glance-api-keystone+caching:
    pipeline: "versionnegotiation authtoken context cache rootapp"
  # Use this pipeline for keystone auth with caching and cache management
  pipeline:glance-api-keystone+cachemanagement:
    pipeline: "versionnegotiation authtoken context cache cachemanage rootapp"
  # Use this pipeline for authZ only. This means that the registry will treat a
  # user as authenticated without making requests to keystone to reauthenticate
  # the user.
  pipeline:glance-api-trusted-auth:
    pipeline: "versionnegotiation context rootapp"
  # Use this pipeline for authZ only. This means that the registry will treat a
  # user as authenticated without making requests to keystone to reauthenticate
  # the user and uses cache management
  pipeline:glance-api-trusted-auth+cachemanagement:
    pipeline: "versionnegotiation context cache cachemanage rootapp"
  composite:rootapp:
    paste.composite_factory: "glance.api:root_app_factory"
    /: "apiversions"
    /v1: "apiv1app"
    /v2: "apiv2app"
  app:apiversions:
    paste.app_factory: "glance.api.versions:create_resource"
  app:apiv1app:
    paste.app_factory: "glance.api.v1.router:API.factory"
  app:apiv2app:
    paste.app_factory: "glance.api.v2.router:API.factory"
  filter:versionnegotiation:
    paste.filter_factory: "glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory"
  filter:cache:
    paste.filter_factory: "glance.api.middleware.cache:CacheFilter.factory"
  filter:cachemanage:
    paste.filter_factory: "glance.api.middleware.cache_manage:CacheManageFilter.factory"
  filter:context:
    paste.filter_factory: "glance.api.middleware.context:ContextMiddleware.factory"
  filter:unauthenticated-context:
    paste.filter_factory: "glance.api.middleware.context:UnauthenticatedContextMiddleware.factory"
  filter:authtoken:
    paste.filter_factory: "keystonemiddleware.auth_token:filter_factory"
    delay_auth_decision: true
  filter:gzip:
    paste.filter_factory: "glance.api.middleware.gzip:GzipMiddleware.factory"
 glance_registry_paste_ini:
  pipeline:glance-registry:
    pipeline: "unauthenticated-context registryapp"
  pipeline:glance-registry-keystone:
    pipeline: "authtoken context registryapp"
  pipeline:glance-registry-trusted-auth:
    pipeline: "context registryapp"
  app:registryapp:
    paste.app_factory: "glance.registry.api:API.factory"
  filter:context:
    paste.filter_factory: "glance.api.middleware.context:ContextMiddleware.factory"
  filter:unauthenticated-context:
    paste.filter_factory: "glance.api.middleware.context:UnauthenticatedContextMiddleware.factory"
  filter:authtoken:
    paste.filter_factory: "keystonemiddleware.auth_token:filter_factory"