Commit Graph

41 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov ea5e1adf63 Add quorum support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

Change-Id: Ia51971c077cef647c3d4e07d6cbc14b7bac70788
2023-09-28 14:25:08 +00:00
Dmitriy Rabotyagov 029ea741f7 Use proper galera port in configuration
While <service>_galera_port is defined and used for db_setup
role, it's not in fact used in a connection string for oslo.db.

Change-Id: I707dd7ccaa112cc11c3ee32c3fc8029352c8649a
2023-08-07 07:02:48 +00:00
Dmitriy Rabotyagov 18b6ba3b5a Add /healthcheck to main
With [1] we've updated barbican api paste file and added healthcheck
bit. However, it was missed to add /healthcheck to main, so it was not
working at the end.

[1] 78a1984517

Change-Id: I7d61d990b973bea538c7ca2ae059f8bea1bb2039
2022-12-13 11:33:05 +01:00
Dmitriy Rabotyagov 78a1984517 Update barbican api paste
We've used quite an old version of the api-paste file for Barbican that
did not support microversion or healthcheck.

Change-Id: I612315a459e891725850743e0af20e7934319577
2022-11-14 16:42:47 +01:00
Dmitriy Rabotyagov cb6c38ab92 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables validation of tokens with restricted access rules.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I6a5e16a4fc2a81dedc4bc459f13ac7781292f5a8
2022-06-15 17:40:02 +02:00
Damian Dabrowski 3e642f2f72 Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: Ic58f085c8b1250b1db831fa8c74215abd2519704
2021-12-03 11:39:55 +01:00
Dmitriy Rabotyagov 13042f76c3 Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: Ia55488a9fcc6b2824276bf824197ae8ea7af0177
2021-09-17 17:00:33 +03:00
Jonathan Rosser 55595fa93e Add variables for rabbitmq ssl configuration
Change-Id: I69b5d844e5fd20bc8078910f27999f4ece66f47f
2021-05-17 07:55:24 +00:00
Dmitriy Rabotyagov 89201715a4 Fix crypto_plugin definition
Change-Id: I4cabd8a9a89a24c3a3a64efcbc8758bb32bbb752
2021-02-11 12:49:52 +00:00
Dmitriy Rabotyagov 50c983e034 Allow multibackend support for Barbican
This patch introduces 2 new variables that are designed to help deployer
with barbican configuration. They are designed to support multibackend
configuration of the barbican while default behavior should not change.

Change-Id: I3369c4254f3b48f12ed9731f18d980044e6d0b43
2020-11-14 07:29:30 +00:00
Dmitriy Rabotyagov 76b72c0975 Clean up barbican.conf
Drop out default or misconfigured variables from barbican.conf to
make config file readable.
This should not affect existing deployments since plugin config has to be
overridden anyway.

Depends-On: https://review.opendev.org/759082
Change-Id: I2a0756b851c9e862b2312b47d37b723386d6915c
2020-11-13 20:34:55 +00:00
Guilherme Steinmüller 564c3e8935 Refactor memcached_servers
This patch aims to add a prefix for memcached_server
on each role to give the ability for deployers to
override the location of memcached cluster. I.e. users
want to create a single memcached cluster with k8s
for each service.

We also add pymemcache based on [1]

[1] https://review.opendev.org/711429

Change-Id: Ibd5decc06f205f5e1de9dbc0d7e9cde5e9435c4e
2020-03-16 13:27:35 +00:00
Dmitriy Rabotyagov 51c0311478 Start using uWSGI role
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speedup
metal deployments as the same uwsgi environment will be used
across all services.

Change-Id: I8492d52d8155e1bd75f99deb4fd19d445a831816
2019-09-04 16:39:05 +03:00
Jimmy McCrory 2c85a1f624 Fix distro installs on Ubuntu
Beginning in the Stein release, Ubuntu distro packages are now using
Python3. This requires additionally installing and using the uwsgi
python3 plugin.

Install the 'python3-barbican' package instead of 'barbican-api'.
barbican-api installs apache which conflicts with the OSA provided
service config.

The 'barbican-keystone-listener' and 'barbican-worker' packages have
been removed. They provide service configs for each of those services,
but neither are implemented in the role yet and, if they are at some
point, service configs would be provided by the role.

Change-Id: I96cce9426946c3c888bb46900906317e134dd23d
2019-06-06 08:43:51 -07:00
Frank Zhang e741ee9ec4 Only implement policy.json if an override is configured
With Ia64eac1eb4e30457b323c6ab99d26d3d40c28060 merged there
is no longer a default policy.json file in the venv, so we
need to change how we implement the file, and should only do
so if there is a config override configured for it.

Depends-On: https://review.openstack.org/628979
Change-Id: I87da4f747965e549d9c64d1dccd24613efa648da
2019-01-10 10:03:47 +00:00
Kevin Carter 005e5b61ca Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.

The systemd journal would normally be populated with the standard out of
a service however with the use of uwsgi this is not actually happening
resulting in us only capturing the logs from the uwsgi process instead
of the service itself. This change implements journal logging in the
service config, which is part of OSLO logging.

OSLO logging docs found here: <https://docs.openstack.org/oslo.log/3.28.1/journal.html>

Change-Id: Ic5b57a650bd9f5c385ed0a0a3efd1d530a2d7e81
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-31 14:43:44 -05:00
Andrew Smith 206f411451 Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service. The association of the messaging
backend server to the oslo.messaging services will then be transparent
to the barbican service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Add transport_url generation to conf
* Add oslo.messaging to tests inventory
* Update tests
* Update examples
* Add release note

Change-Id: I0657c88799e06987c6df90edd55fda859faf6035
2018-07-26 09:37:01 +00:00
Markos Chandras c9135f8b34 Add support for using distribution packages for OpenStack services
Distributions provide packages for the OpenStack services so we add
support for using these instead of the pip ones.

Change-Id: I1c2b4ad14fb40ce3958ed197115ccf45468544c6
Implements: blueprint openstack-distribution-packages
2018-05-15 11:42:58 +01:00
ZhongShengping aaf16e349f Deprecate auth_uri option
Option auth_uri from group keystone_authtoken is deprecated[1].
Use option www_authenticate_uri from group keystone_authtoken.

[1] https://review.openstack.org/#/c/508522/

Change-Id: Ie4d52a2981bda8c65033a114174cfe39233e4972
Implements: blueprint deprecate-auth-uri-option
2018-04-03 14:17:06 +08:00
Mohammed Naser 4b0da513d0 Allow ability to configure number of processes and threads
Users can configure the number of worker threads however when it's
not specified the calculated number of workers can get too large on
hosts with a large number of CPUs.

This also adds the setting of threads and processes to the UWSGI
configuration.

Change-Id: I003ab426488966cce46bd6fd297c79ada13c9668
Closes-Bug: #1745631
2018-01-28 17:44:43 +00:00
Jimmy McCrory 5141c18209 Add MySQL connection SSL support
When 'barbican_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Partial-Bug: 1667789

Change-Id: I10c578f32c54138cac87ad42adc0ab38d62da9a6
Depends-On: I95cc994df5118fce7ce588fc0bff979bc283a6f3
2017-12-13 16:04:27 -08:00
Jesse Pretorius c091e28c5c Reduce init restart/kill times
The systemd unit 'TimeoutSec' value which controls the time
between sending a SIGTERM signal and a SIGKILL signal when
stopping or restarting the service has been reduced from 300
seconds to 120 seconds. This provides 2 minutes for long-lived
sessions to drain while preventing new ones from starting
before a restart or a stop.

The 'RestartSec' value which controls the time between the
service stop and start when restarting has been reduced from
150 seconds to 2 seconds to make the restart happen faster.

These values can be adjusted by using the *_init_config_overrides
variables which use the config_template task to change template
defaults.

Change-Id: Ib20bb6b939837b660a8d57ae1c8cdb6dcdf286a1
2017-04-26 13:03:59 +00:00
Kevin Carter bb3f39cb2f Ensure the components are isolated from the system
This creates a specific slice which all OpenStack services will operate
from. By creating an independent slice these components will be governed
away from the system slice allowing us to better optimise resource
consumption.

See the following for more information on slices:

* https://www.freedesktop.org/software/systemd/man/systemd.slice.html

See the following for more information on resource controls:

* https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html

Tools like ``systemd-cgtop`` and ``systemd-cgls`` will now give us
insight into specific processes, process groups, and resource consumption
in ways that we've not had access to before. To enable some of this reporting
the accounting options have been added to the [Service] section of the unit
file.

Change-Id: I469845201a4ebd756e70dd2ed5e462f0f6e4dcf9
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-03-28 23:55:46 -05:00
ZhongShengping 3c69c5182f Remove pki support
Change-Id: I5d05d59279dcff46a0763d4f24703b0350d318e0
Implements: blueprint remove-pki
2016-12-29 10:26:11 +08:00
Andy McCrae 01a37b78b5 Remove Trusty support from os_barbican role
Change-Id: I06c3e77609d73d1788f9e961c25e8684aa84fbb7
Implements: blueprint trusty-removal
2016-12-15 13:15:41 +00:00
Jesse Pretorius 7a648d5d12 Update paste, policy and rootwrap configurations 2016-11-04
Change-Id: I46e4981b393b92ad712ddd63118d18b7c0bcce7f
2016-11-04 13:14:34 +00:00
Jimmy McCrory 8ef4a8644e Use public endpoint as service reference URL
To avoid errors with API calls from clients to barbican, update the
host_href setting within barbican.conf to the publicURL of the barbican
service instead of localhost.

A notify has also been added to restart barbican services when
configuration files are changed.

Change-Id: I7460ad294d9b645170f9cce52d2e846ab04b46fa
2016-11-01 09:20:37 -07:00
Jimmy McCrory c5f93b19bf Update paste, policy and rootwrap configurations 2016-10-13
Barbican's default API pipeline is noauth, a variable to
toggle between noauth and keystone, 'barbican__keystone_auth' has been
added. keystone_authtoken information has been moved to a better home
in barbican.conf.

python-memcached has also been added to the pip package list since it's
a requirement when using keystone authentication with token caching.

Change-Id: I5e731d63f442edf970845f2b821b98ce57176e48
2016-10-13 19:21:20 -07:00
Travis Truman 92e6f25e58 Adding support for the `debug` var to enable verbose logging
Change-Id: Ie7f15293ed8a1434427d7af3a668b381a2ae439d
2016-08-12 13:54:27 -05:00
Kevin Carter 01da3d42f1 Disable stderr logging
OSLO logging currently defaults the 'use_stderr' option to True
which results in duplicate logs in service daemon logs for both
upstart and systemd. To correct this issue the use_stderr
option has been set to false.

Change-Id: I22a5a53420f074b64d290e7d19c29343d8556b97
Closes-Bug: 1588051
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2016-08-04 17:41:38 +00:00
Travis Truman 82b2173701 Implement Ubuntu 16.04 support with SystemD
This change updates the barbican role to support Ubuntu 14.04 with
upstart init and 16.04 with systemd init.

Change-Id: I6d1221481c6ad97b265eece2b23c3ab83ef49248
Implements: blueprint support-ubuntu-1604
2016-07-14 10:35:59 -04:00
Travis Truman d4f029bf31 Only install to virtual environment
The role had no previous support for installation in a virtualenv

Change-Id: I176f811e5ec7e0705037f53997f28bdbed40f0d9
Implements: blueprint only-install-venvs
2016-07-14 08:06:31 -04:00
Travis Truman e0121f8833 Verbose option has been deprecated from oslo.log
See http://lists.openstack.org/pipermail/openstack-dev/2016-May/095166.html
for additional details.

Change-Id: Ib72e77525ee9b031b4e11c07ead3bca3c5cd1a9a
2016-05-17 11:07:07 -04:00
Jimmy McCrory e957326fc3 Add functional testing
A test playbook has been created to validate basic functionality of
barbican.

The api-paste template has been updated to use keystone auth_token by
default.

Change-Id: Ib542f5a0112b504e70d8bab6b49e9c6f5367f9e7
2016-05-08 00:02:37 -07:00
Jimmy McCrory 37d90c5dd9 Enable functional convergence testing
This change adds variables and tasks for enabling developer mode to
allow for installing barbican without a repo server, moves the tasks
creating the barbican rabbit virtual host and mysql database from the
role to a playbook, and adds functional convergence test playbooks to
deploy rabbitmq, galera, keystone, and barbican.

The barbican.conf template has been updated to make use of the deployed
rabbit and galera servers and all other templated configuration files
have been updated from the current head of master.

Change-Id: I2716fbe6a5dbad2a3b7ce6e406098e463cf7d943
2016-04-12 11:27:15 -07:00
Ian Cordasco 71ea242401 Update logging parameter 2016-03-07 16:45:43 -06:00
Ian Cordasco 0353b3a038 Updates for a successful deployment 2016-03-07 13:45:33 -06:00
Ian Cordasco 142348d91e Add upstart template 2016-03-02 13:53:30 -06:00
Ian Cordasco c0450a6ca7 Remove copy-pasta from Keystone role 2016-03-02 11:48:14 -06:00
Ian Cordasco 7107ff7878 Add forgotten templates 2016-03-02 11:28:02 -06:00
Ian Cordasco 755e8eed8c Add first attempt at a barbican role 2016-02-29 16:34:08 -06:00