openstack
/
bifrost
Code Issues Proposed changes
bifrost/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml

329 lines
11 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
# NOTE(TheJulia): There is significant commonality between this playbook
# and the bifrost bootstrap process.
- name: "If VENV is set in the environment, enable installation into venv"
set_fact:
enable_venv: true
uwsgi_venv: "{{ bifrost_venv_env.get('VIRTUAL_ENV', '') }}"
when: lookup('env', 'VENV') | length > 0
- name: "Get uwsgi install location"
shell: echo $(dirname $(which uwsgi))
register: uwsgi_install_prefix
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
- name: "Get keystone-wsgi-admin location"
shell: echo $(dirname $(which keystone-wsgi-admin))
register: keystone_install_prefix
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
# NOTE(sean-k-mooney) only the RabbitMQ server and MySQL db are started
# during bootstrapping. all other services are started in the Start phase.
- name: "Start database service"
service: name={{ mysql_service_name }} state=started enabled=yes
- name: "Start rabbitmq-server"
service: name=rabbitmq-server state=started enabled=yes
# NOTE(cinerama): on some systems, rabbit may not be ready when we want to
# make changes to users if we don't wait first
- name: "Wait for rabbitmq"
wait_for: port="{{ keystone.message_queue.port | default('5672') }}" delay=5
- name: "Ensure guest user is removed from rabbitmq"
rabbitmq_user:
user: "guest"
state: absent
force: yes
- name: "Create keystone user in RabbitMQ"
rabbitmq_user:
user: "{{ keystone.message_queue.username }}"
password: "{{ keystone.message_queue.password }}"
force: yes
state: present
configure_priv: ".*"
write_priv: ".*"
read_priv: ".*"
no_log: true
- name: "Set mysql_username if environment variable mysql_user is set"
set_fact:
mysql_username: "{{ lookup('env', 'mysql_user') }}"
when: lookup('env', 'mysql_user') | length > 0
no_log: true
- name: "Set mysql_password if environment variable mysql_pass is set"
set_fact:
mysql_password: "{{ lookup('env', 'mysql_pass') }}"
when: lookup('env', 'mysql_pass') | length > 0
no_log: true
- name: "MySQL - Creating DB"
mysql_db:
name: "{{ keystone.database.name }}"
state: present
encoding: utf8
login_user: "{{ mysql_username | default(None) }}"
login_password: "{{ mysql_password | default(None) }}"
register: test_created_keystone_db
when: keystone.database.host == 'localhost'
- name: "MySQL - Creating user for keystone"
mysql_user:
name: "{{ keystone.database.username }}"
password: "{{ keystone.database.password }}"
priv: "{{ keystone.database.name }}.*:ALL"
state: present
login_user: "{{ mysql_username | default(None) }}"
login_password: "{{ mysql_password | default(None) }}"
when: keystone.database.host == 'localhost'
- name: "Create an keystone service group"
group:
name: "keystone"
- name: "Create an keystone service user"
user:
name: "keystone"
group: "keystone"
- name: "Ensure /etc/keystone exists"
file:
name: "/etc/keystone"
state: directory
owner: "keystone"
group: "keystone"
mode: 0755
- name: "Retrieve Keystone major version"
command: keystone-manage --version
register: keystone_version_str
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
- name: "Set Keystone major version"
set_fact:
keystone_version: "{{ keystone_version_str.stderr.split('.')[0] }}"
- name: "Set Keystone provider to uuid"
set_fact:
keystone_provider: "uuid"
when: keystone_version | int < 13
- name: "Set Keystone provider to fernet"
set_fact:
keystone_provider: "fernet"
when: keystone_version | int >= 13
- name: "Write keystone configuration from template"
template:
src: keystone.conf.j2
dest: "/etc/keystone/keystone.conf"
owner: "keystone"
group: "keystone"
mode: 0755
- name: "Copy keystone-paste.ini to /etc/keystone"
copy:
src: "{{ keystone_git_folder }}/etc/keystone-paste.ini"
dest: "/etc/keystone/"
remote_src: true
owner: "keystone"
group: "keystone"
mode: 0644
- name: "Apply/Update keystone DB Schema"
command: keystone-manage db_sync
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
- name: "Setup Fernet key repositories"
command: >
keystone-manage fernet_setup
--keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}"
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
when: keystone_version | int >= 13
- name: "Setup Keystone Credentials"
command: >
keystone-manage credential_setup
--keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}"
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
- name: "Setting external Keystone public URL"
set_fact:
keystone_public_url: "{{ keystone.bootstrap.public_url | replace('127.0.0.1', public_ip | default(hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'])) }}"
when: use_public_urls | default(false) | bool
- name: "Bootstrap Keystone Database"
command: >
keystone-manage bootstrap
--bootstrap-username="{{ keystone.bootstrap.username }}"
--bootstrap-password="{{ keystone.bootstrap.password }}"
--bootstrap-project-name="{{ keystone.bootstrap.project_name }}"
--bootstrap-service-name="keystone"
--bootstrap-admin-url="{{ keystone.bootstrap.admin_url }}"
--bootstrap-public-url="{{ keystone_public_url | default(keystone.bootstrap.public_url) }}"
--bootstrap-internal-url="{{ keystone.bootstrap.internal_url }}"
--bootstrap-region-id="{{ keystone.bootstrap.region_name }}"
environment: "{{ bifrost_venv_env if enable_venv else {} }}"
when: >
test_created_keystone_db.changed | bool == true and
keystone.bootstrap.enabled | bool == true and
keystone.database.host == 'localhost'
- name: "Reserve keystone admin port"
sysctl:
name: "net.ipv4.ip_local_reserved_ports"
value: 35357
sysctl_set: yes
state: present
reload: yes
- name: "Ensure /var/www/keystone exists"
file:
name: "/var/www/keystone"
state: directory
owner: "keystone"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Add keystone to web server group"
user:
name: "keystone"
append: yes
groups: "{{nginx_user}}" # TODO(TheJulia): Split webserver user/group.
- name: "Make folder for keystone logs"
file:
name: "/var/log/nginx/keystone"
state: directory
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
# Note(ashestakov): "copy" module in ansible doesn't support recursive
# copying on remote host. "cp" command used instead.
- name: "Copy keystone-wsgi-public to /var/www/keystone/public"
command: cp -r "{{ keystone_install_prefix.stdout }}/keystone-wsgi-public" /var/www/keystone/public
- name: "Ensure owner and mode of keystone-wsgi-public"
file:
path: /var/www/keystone/public
owner: "keystone"
group: "{{nginx_user}}"
mode: 0754
# Note(ashestakov): "copy" module in ansible doesn't support recursive
# copying on remote host. "cp" command used instead.
- name: "Copy keystone-wsgi-admin to /var/www/keystone/admin"
command: cp -r "{{ keystone_install_prefix.stdout }}/keystone-wsgi-admin" /var/www/keystone/admin
- name: "Ensure owner and mode of keystone-wsgi-admin"
file:
path: /var/www/keystone/admin
owner: "keystone"
group: "{{nginx_user}}"
mode: 0754
- name: "Ensure /etc/uwsgi exists"
file:
name: "/etc/uwsgi"
state: directory
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Ensure /etc/uwsgi/apps-available exists"
file:
name: "/etc/uwsgi/apps-available"
state: directory
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Ensure /etc/uwsgi/apps-enabled exists"
file:
name: "/etc/uwsgi/apps-enabled"
state: directory
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Place keystone public uwsgi config"
template:
src: keystone-public.ini.j2
dest: /etc/uwsgi/apps-available/keystone-public.ini
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Place keystone admin uwsgi config"
template:
src: keystone-admin.ini.j2
dest: /etc/uwsgi/apps-available/keystone-admin.ini
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Enable keystone-public in uwsgi"
file:
src: "/etc/uwsgi/apps-available/keystone-public.ini"
dest: "/etc/uwsgi/apps-enabled/keystone-public.ini"
state: link
- name: "Enable keystone-admin in uwsgi"
file:
src: "/etc/uwsgi/apps-available/keystone-admin.ini"
dest: "/etc/uwsgi/apps-enabled/keystone-admin.ini"
state: link
- name: "Place nginx core configuration"
# TODO(TheJulia): Refactor this out so we don't have anything related to
# bifrost it's self in the main config file.
template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Place nginx configuration for keystone"
# TODO(TheJulia): Refactor this so we use sites-enabled, but bifrost's
# handling of co-existence needs to be cleaned up first.
template:
src: nginx_conf.d_bifrost-keystone.conf.j2
dest: /etc/nginx/conf.d/bifrost-keystone.conf
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0755
- name: "Place uwsgi services"
template:
src: "{{ init_template }}"
dest: "{{ init_dest_dir }}{{ item.service_name }}{{ init_ext }}"
owner: "root"
group: "root"
with_items:
- { service_path: "{{ uwsgi_install_prefix.stdout | default('') }}",
service_name: 'uwsgi',
username: "{{ nginx_user }}",
exec_start_pre: "/usr/bin/install -m 755 -o {{ nginx_user }} -g {{ nginx_user }} -d /run/uwsgi",
args: '--master --emperor /etc/uwsgi/apps-enabled'} # TODO(TheJulia): Split webserver user/group.
# NOTE(ashestakov) https://github.com/ansible/ansible-modules-core/issues/3764
- name: "Remove uwsgi sysvinit init script"
command: update-rc.d -f uwsgi remove
ignore_errors: yes
View Git Blame Copy Permalink