--- # Copyright 2014, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # The openstack_openrc role gets executed on a designated service # host which will handle all service/user/domain/project/role # management for the roles. It is executed here as this is the # first role which will use it and the implementation of the # clouds.yaml file is useless until keystone is in place. - name: Implement openrc/clouds.yaml on the designated service host hosts: "{{ openstack_service_setup_host | default('localhost') }}" gather_facts: no become: yes tags: - openrc roles: - role: "openstack_openrc" - name: Prepare MQ/DB services hosts: keystone_all gather_facts: no user: root environment: "{{ deployment_environment_variables | default({}) }}" tags: - keystone tasks: - name: Configure oslo messaging rpc vhost/user include: common-tasks/oslomsg-rpc-vhost-user.yml static: no vars: rpc_user: "{{ keystone_oslomsg_rpc_userid }}" rpc_password: "{{ keystone_oslomsg_rpc_password }}" rpc_vhost: "{{ keystone_oslomsg_rpc_vhost }}" when: - groups[keystone_oslomsg_rpc_host_group] | length > 0 run_once: yes - name: Configure oslo messaging notify vhost/user include: common-tasks/oslomsg-notify-vhost-user.yml static: no vars: notify_user: "{{ keystone_oslomsg_notify_userid }}" notify_password: "{{ keystone_oslomsg_notify_password }}" notify_vhost: "{{ keystone_oslomsg_notify_vhost }}" when: - "keystone_ceilometer_enabled | bool" - groups[keystone_oslomsg_notify_host_group] | length > 0 run_once: yes - name: Installation and setup of Keystone hosts: keystone_all serial: "{{ keystone_serial | default(['1', '100%']) }}" gather_facts: "{{ osa_gather_facts | default(True) }}" user: root environment: "{{ deployment_environment_variables | default({}) }}" tags: - keystone pre_tasks: # In order to ensure that any container, software or # config file changes which causes a container/service # restart do not cause an unexpected outage, we drain # the load balancer back end for this container. - include: common-tasks/haproxy-endpoint-manage.yml vars: haproxy_backend: "{{ item }}" haproxy_state: disabled when: "groups['keystone_all'] | length > 1" with_items: - "keystone_service-back" - "keystone_admin-back" - name: Configure container include: "common-tasks/os-{{ container_tech | default('lxc') }}-container-setup.yml" vars: extra_container_config_no_restart: - "lxc.start.order=19" - name: Configure log directories (on metal) include: common-tasks/os-log-dir-setup.yml vars: log_dirs: - src: "/openstack/log/{{ inventory_hostname }}-keystone" dest: "/var/log/keystone" - include: common-tasks/unbound-clients.yml static: no when: - hostvars['localhost']['resolvconf_enabled'] | bool # todo(cloudnull): this task is being run only if/when keystone is installed on a physical host. # This is not being run within a container because it is an unsupported action due to this # issue: (https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1279041) # This issue was resolved however we'll need to eval it in the next LTS release. # Related OSA Bug: https://launchpad.net/bugs/1426371 - name: Add keystone reserved port to physical host sysctl: name: "{{ item.key }}" value: "{{ item.value }}" sysctl_set: "{{ item.set|default('yes') }}" state: "{{ item.state|default('present') }}" reload: "{{ item.reload|default('yes') }}" with_items: - { key: "net.ipv4.ip_local_reserved_ports", value: "{{ keystone_admin_port }}"} when: is_metal | bool roles: - role: "os_keystone" - role: "system_crontab_coordination" tags: - crontab post_tasks: - include_tasks: "common-tasks/rsyslog-client.yml" vars: rsyslog_client_log_rotate_file: keystone_log_rotate rsyslog_client_log_dir: "/var/log/keystone" rsyslog_client_config_name: "99-keystone-rsyslog-client.conf" # Now that container changes are done, we can set # the load balancer back end for this container # to available again. - include: common-tasks/haproxy-endpoint-manage.yml vars: haproxy_backend: "{{ item }}" haproxy_state: enabled when: "groups['keystone_all'] | length > 1" with_items: - "keystone_service-back" - "keystone_admin-back" # These facts are set against the deployment host to ensure that # they are fast to access. This is done in preference to setting # them against each target as the hostvars extraction will take # a long time if executed against a large inventory. - name: Finalise data migrations if required hosts: keystone_all gather_facts: no user: root environment: "{{ deployment_environment_variables | default({}) }}" tags: - keystone tasks: - name: refresh local facts setup: filter: ansible_local gather_subset: "!all" # This variable contains the values of the local fact set for the keystone # venv tag for all hosts in the 'keystone_all' host group. - name: Gather software version list set_fact: keystone_all_software_versions: "{{ (groups['keystone_all'] | map('extract', hostvars, ['ansible_local', 'openstack_ansible', 'keystone', 'venv_tag'])) | list }}" delegate_to: localhost run_once: yes # This variable outputs a boolean value which is True when # keystone_all_software_versions contains a list of defined # values. If they are not defined, it means that not all # hosts have their software deployed yet. - name: Set software deployed fact set_fact: keystone_all_software_deployed: "{{ (keystone_all_software_versions | select('defined')) | list == keystone_all_software_versions }}" delegate_to: localhost run_once: yes # This variable outputs a boolean when all the values in # keystone_all_software_versions are the same and the software # has been deployed to all hosts in the group. - name: Set software updated fact set_fact: keystone_all_software_updated: "{{ ((keystone_all_software_versions | unique) | length == 1) and (keystone_all_software_deployed | bool) }}" delegate_to: localhost run_once: yes - name: Perform a Keystone DB sync contract command: "{{ keystone_bin }}/keystone-manage db_sync --contract" become: yes become_user: "{{ keystone_system_user_name }}" when: - "keystone_all_software_updated | bool" - "ansible_local['openstack_ansible']['keystone']['need_db_contract'] | bool" register: dbsync_contract run_once: yes - name: Disable the need for any further db sync ini_file: dest: "/etc/ansible/facts.d/openstack_ansible.fact" section: keystone option: "need_db_contract" value: False when: - "dbsync_contract | succeeded"