openstack/openstack-ansible
Code Issues Proposed changes

Ensure that permissions are permissible enough for the rsyslog container

Browse Source 
The rsyslog container is unable to read the log files produced by the
other containers due to permissions issues and inconsistant user:group
ownership and user:group presence between containers.

The simplest way of dealing with this is to ensure that the log
directory allows read and traversal rights for all users.

This patch ensures that the log directory is always created by the
container_common role for containers.

This patch also add the processing of swift logs to logstash. The
template was always there, but had no task which deployed it.

Change-Id: I6ec12b2f2302e0cffc2a36096d38cb85e4b3ab04
Closes-Bug: #1407633
Related-Bug: #1403890
This commit is contained in:
Jesse Pretorius 2015-01-02 16:52:13 +00:00
parent d163a58951
commit f932317df8
19 changed files with 41 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rpc_deployment/inventory/group_vars/cinder_all.yml
View File

@ -69,7 +69,7 @@ service_names:
- cinder-volume - cinder-volume
container_directories: container_directories:
- { name: /var/log/cinder } - { name: /var/log/cinder, mode: 755 }
- { name: /var/lib/cinder } - { name: /var/lib/cinder }
- { name: /var/lib/cinder/volumes } - { name: /var/lib/cinder/volumes }
- { name: /etc/cinder } - { name: /etc/cinder }

4
rpc_deployment/inventory/group_vars/elasticsearch.yml
View File

@ -21,3 +21,7 @@ verbose: True
container_lvm_fstype: ext4 container_lvm_fstype: ext4
container_lvm_fssize: 5GB container_lvm_fssize: 5GB
# Directories to create
container_directories:
- { name: /var/log/elasticsearch, mode: 755 }

4
rpc_deployment/inventory/group_vars/galera.yml
View File

@ -33,3 +33,7 @@ service_pip_dependencies:
- MySQL-python - MySQL-python
- python-memcached - python-memcached
- pycrypto - pycrypto
# Directories to create
container_directories:
- { name: '/var/log/mysql', mode: 755 }

2
rpc_deployment/inventory/group_vars/glance_all.yml
View File

@ -71,7 +71,7 @@ service_names:
flavor: "keystone+cachemanagement" flavor: "keystone+cachemanagement"
container_directories: container_directories:
- { name: /var/log/glance } - { name: /var/log/glance, mode: 755 }
- { name: /var/lib/glance } - { name: /var/lib/glance }
- { name: /var/lib/glance/cache } - { name: /var/lib/glance/cache }
- { name: /var/lib/glance/cache/api } - { name: /var/lib/glance/cache/api }

2
rpc_deployment/inventory/group_vars/heat_all.yml
View File

@ -69,4 +69,4 @@ container_directories:
- { name: /etc/heat/templates } - { name: /etc/heat/templates }
- { name: /var/cache/heat } - { name: /var/cache/heat }
- { name: /var/lib/heat } - { name: /var/lib/heat }
- { name: /var/log/heat } - { name: /var/log/heat, mode: 755 }

1
rpc_deployment/inventory/group_vars/horizon.yml
View File

@ -49,6 +49,7 @@ horizon_help_url: http://docs.rackspace.com/rpc/api/v9/rpc-faq-v9/content/rpc-co
install_lib_dir: /usr/local/lib/python2.7/dist-packages install_lib_dir: /usr/local/lib/python2.7/dist-packages
container_directories: container_directories:
- { name: /var/log/horizon, mode: 755 }
- { name: /etc/horizon } - { name: /etc/horizon }
- { name: /var/lib/horizon } - { name: /var/lib/horizon }
- { name: /usr/local/lib/python2.7/dist-packages/static } - { name: /usr/local/lib/python2.7/dist-packages/static }

2
rpc_deployment/inventory/group_vars/keystone_all.yml
View File

@ -66,5 +66,5 @@ container_directories:
- { name: /etc/keystone } - { name: /etc/keystone }
- { name: /etc/keystone/ssl } - { name: /etc/keystone/ssl }
- { name: /var/lib/keystone } - { name: /var/lib/keystone }
- { name: /var/log/keystone } - { name: /var/log/keystone, mode: 755 }
- { name: /var/www/cgi-bin/keystone, mode: 755 } - { name: /var/www/cgi-bin/keystone, mode: 755 }

4
rpc_deployment/inventory/group_vars/kibana.yml
View File

@ -29,3 +29,7 @@ kibana_fqdn: "{{ external_vip_address }}"
kibana_server_name: "{{ container_name }}" kibana_server_name: "{{ container_name }}"
kibana_self_signed: true kibana_self_signed: true
kibana_ssl_port: 8443 kibana_ssl_port: 8443
# Directories to create
container_directories:
- { name: /var/log/kibana, mode: 755 }

4
rpc_deployment/inventory/group_vars/logstash.yml
View File

@ -28,3 +28,7 @@ container_lvm_fssize: 5GB
# Change this with caution, anything other than 1 will currently # Change this with caution, anything other than 1 will currently
# break multiline filtering # break multiline filtering
logstash_workers: 1 logstash_workers: 1
# Directories to create
container_directories:
- { name: /var/log/logstash, mode: 755 }

4
rpc_deployment/inventory/group_vars/memcached.yml
View File

@ -18,3 +18,7 @@ service_name: memcached
# only used when the lxc vg is present on the target # only used when the lxc vg is present on the target
container_lvm_fstype: ext4 container_lvm_fstype: ext4
container_lvm_fssize: 5GB container_lvm_fssize: 5GB
# Directories to create
container_directories:
- { name: '/var/log/memcached', mode: 755 }

2
rpc_deployment/inventory/group_vars/neutron_all.yml
View File

@ -84,5 +84,5 @@ container_directories:
- { name: /var/lib/neutron, mode: 755 } - { name: /var/lib/neutron, mode: 755 }
- { name: /var/lib/neutron/ha_confs } - { name: /var/lib/neutron/ha_confs }
- { name: /var/lock/neutron } - { name: /var/lock/neutron }
- { name: /var/log/neutron } - { name: /var/log/neutron, mode: 755 }
- { name: /var/run/neutron } - { name: /var/run/neutron }

2
rpc_deployment/inventory/group_vars/nova_all.yml
View File

@ -87,7 +87,7 @@ nova_scheduler_max_attempts: 5
nova_scheduler_weight_classes: nova.scheduler.weights.all_weighers nova_scheduler_weight_classes: nova.scheduler.weights.all_weighers
container_directories: container_directories:
- { name: /var/log/nova, skip_group: nova_compute } - { name: /var/log/nova, mode: 755, skip_group: nova_compute }
- { name: /var/lib/nova, mode: 755 } - { name: /var/lib/nova, mode: 755 }
- { name: /var/lib/nova/instances, mode: 755 } - { name: /var/lib/nova/instances, mode: 755 }
- { name: /var/lib/nova/cache } - { name: /var/lib/nova/cache }

3
rpc_deployment/inventory/group_vars/rabbit.yml
View File

@ -24,3 +24,6 @@ enable_management_plugin: true
rabbit_cluster_name: rpc rabbit_cluster_name: rpc
# Directories to create
container_directories:
- { name: '/var/log/rabbitmq', mode: 755 }

6
rpc_deployment/playbooks/infrastructure/galera-post-config.yml
View File

@ -17,9 +17,3 @@
user: root user: root
roles: roles:
- galera_setup - galera_setup
- hosts: galera
user: root
roles:
- galera_post_config

1
rpc_deployment/roles/container_common/tasks/container_user_create.yml
View File

@ -25,6 +25,7 @@
name: "{{ system_user }}" name: "{{ system_user }}"
shell: "/bin/false" shell: "/bin/false"
group: "{{ system_group }}" group: "{{ system_group }}"
groups: adm
home: "/var/lib/{{ system_user }}" home: "/var/lib/{{ system_user }}"
system: "yes" system: "yes"
createhome: "yes" createhome: "yes"

25
rpc_deployment/roles/galera_post_config/tasks/main.yml
View File

@ -1,25 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure permissions on Log dir make it readable by syslog
file:
path: "{{ item.path }}"
state: "directory"
group: "{{ item.owner }}"
owner: "{{ item.owner }}"
mode: "0755"
recurse: "true"
with_items:
- { path: '/var/log/mysql/', owner: 'mysql' }

1
rpc_deployment/roles/logstash/tasks/main.yml
View File

@ -28,6 +28,7 @@
- 05-cinder.conf - 05-cinder.conf
- 06-nova.conf - 06-nova.conf
- 07-sqlalchemy.conf - 07-sqlalchemy.conf
- 08-swift.conf
- 09-apache.conf - 09-apache.conf
- 10-mysql.conf - 10-mysql.conf
- 11-neutron.conf - 11-neutron.conf

2
rpc_deployment/roles/swift_common/tasks/log_setup.yml
View File

@ -18,7 +18,7 @@
path: "{{ item }}" path: "{{ item }}"
state: "directory" state: "directory"
owner: "syslog" owner: "syslog"
group: "syslog" group: "adm"
with_items: with_items:
- /var/log/swift - /var/log/swift
- /openstack/log/{{ inventory_hostname }} - /openstack/log/{{ inventory_hostname }}

8
rpc_deployment/roles/swift_common/templates/swift-rsyslog.conf.j2
View File

@ -5,6 +5,11 @@
#$template HourlyProxyLog,"/openstack/log/{{ inventory_hostname }}/hourly/%$YEAR%%$MONTH%%$DAY%%$HOUR%" #$template HourlyProxyLog,"/openstack/log/{{ inventory_hostname }}/hourly/%$YEAR%%$MONTH%%$DAY%%$HOUR%"
#local1.*;local1.!notice ?HourlyProxyLog #local1.*;local1.!notice ?HourlyProxyLog
# Even if rsyslog is a member of the adm group, rsyslogd cannot read the
# account/container/object logs. To work around this we need to ensure that
# the logs are readable by all users.
$FileCreateMode 0644
local1.*;local1.!notice /var/log/swift/proxy.log local1.*;local1.!notice /var/log/swift/proxy.log
local1.notice /var/log/swift/proxy-error.log local1.notice /var/log/swift/proxy-error.log
local1.* ~ local1.* ~
@ -20,3 +25,6 @@ local3.* ~
local4.*;local4.!notice /openstack/log/{{ inventory_hostname }}/object.log local4.*;local4.!notice /openstack/log/{{ inventory_hostname }}/object.log
local4.notice /openstack/log/{{ inventory_hostname }}/object-error.log local4.notice /openstack/log/{{ inventory_hostname }}/object-error.log
local4.* ~ local4.* ~
# Set the file create mode back to the default
$FileCreateMode 0640