diff --git a/defaults/main.yml b/defaults/main.yml index 7360dc7..9e8b910 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,7 +38,6 @@ barbican_system_user_name: barbican barbican_system_user_comment: Barbican System User barbican_system_user_shell: /bin/false barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}" -barbican_log_directory: /var/log/barbican barbican_etc_directory: /etc/barbican barbican_vassals_directory: "{{ barbican_etc_directory }}/vassals" @@ -47,8 +46,19 @@ barbican_api_program_name: barbican-api barbican_keystone_listener_program_name: barbican-keystone-listener barbican_worker_program_name: barbican-worker barbican_retry_program_name: barbican-retry -barbican_uwsgi_program_name: uwsgi -barbican_uwsgi_options: "--master --die-on-term --emperor {{ barbican_vassals_directory }}" + +## Service Name-Group Mapping +barbican_services: + barbican: + group: barbican_all + service_name: barbican + init_config_overrides: "{{ barbican_init_config_overrides }}" + execstarts: >- + {{ barbican_uwsgi_bin }}/uwsgi + --master + --die-on-term + --emperor {{ barbican_vassals_directory }} + start_order: 1 ## Service Type and Data barbican_service_name: barbican @@ -74,6 +84,7 @@ barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ externa barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}" barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}" +barbican_init_config_overrides: {} barbican_config_overrides: {} barbican_policy_overrides: {} barbican_paste_overrides: {} @@ -168,6 +179,7 @@ barbican_pip_packages: - osprofiler - PyMySQL - python-memcached + - systemd-python - uwsgi # This variable is used by the repo_build process to determine diff --git a/handlers/main.yml b/handlers/main.yml index 1048825..9110ad4 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
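Review bot: Removing `barbican_uwsgi_program_name` and `barbican_uwsgi_options` in the second defaults hunk silently discards any value a deployer set under those names. The same applies to `barbican_uwsgi_init_overrides`, read by the deleted tasks/barbican_init_systemd.yml and replaced by `barbican_init_config_overrides` in the third hunk. For a secret-management service this matters if the old override carried unit hardening or resource limits, because the new unit would be rendered without them and nothing would fail. The release note in this commit covers only the log path, so I would add an upgrade note naming the removed variables. Alternatively keep a fallback such as `barbican_init_config_overrides: "{{ barbican_uwsgi_init_overrides | default({}) }}"`.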
@@ -13,19 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Restart Apache - systemd: - name: "apache2" - state: "restarted" - daemon_reload: yes - register: apache_restart - until: apache_restart is success - retries: 5 - delay: 2 - - name: Restart barbican services systemd: - name: "{{ barbican_uwsgi_program_name }}" + name: "{{ item.service_name }}" state: "restarted" daemon_reload: yes - + with_items: "{{ filtered_barbican_services }}" diff --git a/releasenotes/notes/journal-log-ccba504642b49612.yaml b/releasenotes/notes/journal-log-ccba504642b49612.yaml new file mode 100644 index 0000000..08aa874 --- /dev/null +++ b/releasenotes/notes/journal-log-ccba504642b49612.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The log path, ``/var/log/barbican`` is no longer used to capture service + logs. All logging for the barbican service will now be sent directly to the + systemd journal. diff --git a/tasks/barbican_init.yml b/tasks/barbican_init.yml deleted file mode 100644 index feb2efd..0000000 --- a/tasks/barbican_init.yml +++ /dev/null 
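Review bot: With the `Restart Apache` handler deleted in this hunk, any task that still carries `notify: Restart Apache` will abort the play, because Ansible by default treats a notification with no matching handler as an error. The commit deletes templates/barbican-httpd.conf.j2, but the tasks that notified the handler are not visible here, so a search for remaining notifiers is worth doing before merge. As a style point, the looped handler now repeats `daemon_reload: yes` for every item; writing it as `daemon_reload: true` avoids the YAML 1.1 truthy form.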
@@ -1,25 +0,0 @@ ---- -# Copyright 2016, Ian Cordasco -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- include: barbican_init_common.yml - vars: - program_name: "{{ barbican_uwsgi_program_name }}" - program_bin: "{{ barbican_uwsgi_bin }}" - program_config_options: "{{ barbican_uwsgi_options }}" - service_name: "{{ barbican_service_name }}" - system_user: "{{ barbican_system_user_name }}" - system_group: "{{ barbican_system_group_name }}" - service_home: "{{ barbican_system_user_home }}" - log_directory: "{{ barbican_log_directory }}" diff --git a/tasks/barbican_init_common.yml b/tasks/barbican_init_common.yml deleted file mode 100644 index ca70ff3..0000000 --- a/tasks/barbican_init_common.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -# Copyright 2016, Comcast Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- include: barbican_init_systemd.yml - static: no - when: - - ansible_service_mgr == 'systemd' - -- name: Load service - service: - name: "{{ program_name }}" - enabled: "yes" - notify: - - Restart barbican services diff --git a/tasks/barbican_init_systemd.yml b/tasks/barbican_init_systemd.yml deleted file mode 100644 index 25974cf..0000000 --- a/tasks/barbican_init_systemd.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Create TEMP run dir - file: - path: "/var/run/{{ program_name }}" - state: directory - owner: "{{ system_user }}" - group: "{{ system_group }}" - mode: "02755" - -- name: Create TEMP lock dir - file: - path: "/var/lock/{{ program_name }}" - state: directory - owner: "{{ system_user }}" - group: "{{ system_group }}" - mode: "02755" - -- name: Create tempfile.d entry - template: - src: "barbican-systemd-tempfiles.j2" - dest: "/etc/tmpfiles.d/barbican.conf" - mode: "0644" - owner: "root" - group: "root" - -- name: Place the systemd init script - config_template: - src: "barbican-systemd-init.j2" - dest: "/etc/systemd/system/{{ program_name }}.service" - mode: "0644" - owner: "root" - group: "root" - config_overrides: "{{ barbican_uwsgi_init_overrides }}" - config_type: "ini" - notify: - - Restart barbican services diff --git a/tasks/barbican_pre_install.yml b/tasks/barbican_pre_install.yml index d1555e3..4b19386 100644 --- a/tasks/barbican_pre_install.yml +++ b/tasks/barbican_pre_install.yml 
@@ -40,24 +40,3 @@ - path: "/etc/barbican" - path: "/etc/barbican/vassals" - path: "{{ barbican_system_user_home }}" - -- name: Test for Barbican log directory or link - shell: | - if [ -h "{{ barbican_log_directory }}" ]; then - chown -h {{ barbican_system_user_name }}:{{ barbican_system_group_name }} {{ barbican_log_directory }} - chown -R {{ barbican_system_user_name }}:{{ barbican_system_group_name }} "$(readlink {{ barbican_log_directory }})" - else - exit 1 - fi - register: log_dir - failed_when: false - changed_when: log_dir.rc != 0 - -- name: Create Barbican log directory - file: - path: "{{ barbican_log_directory }}" - state: "directory" - owner: "{{ barbican_system_user_name }}" - group: "{{ barbican_system_group_name }}" - mode: "0750" - when: log_dir.rc != 0 diff --git a/tasks/main.yml b/tasks/main.yml index 5ad7a9c..45f96e9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,9 +53,33 @@ tags: - barbican-config -- include: barbican_init.yml +- name: Run the systemd service role + include_role: + name: systemd_service + private: true + vars: + systemd_user_name: "{{ barbican_system_user_name }}" + systemd_group_name: "{{ barbican_system_group_name }}" + systemd_service_restart_changed: false + systemd_tempd_prefix: openstack + systemd_slice_name: barbican + systemd_lock_path: /var/lock/barbican + systemd_CPUAccounting: true + systemd_BlockIOAccounting: true + systemd_MemoryAccounting: true + systemd_TasksAccounting: true + systemd_services: + - service_name: "{{ service_var.service_name }}" + enabled: true + execstarts: "{{ service_var.execstarts }}" + execreloads: "{{ service_var.execreloads | default([]) }}" + config_overrides: "{{ service_var.init_config_overrides }}" + with_items: "{{ filtered_barbican_services }}" + loop_control: + loop_var: service_var tags: - barbican-config + - systemd-service - include_tasks: mq_setup.yml when: 
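Review bot: In the tasks/main.yml hunk, `config_overrides: "{{ service_var.init_config_overrides }}"` has no fallback, while `execreloads` on the line above uses `| default([])`. A deployer who overrides `barbican_services` with an entry that omits `init_config_overrides` will presumably hit an undefined-variable failure; I would write `config_overrides: "{{ service_var.init_config_overrides | default({}) }}"`. Separately, `systemd_service_restart_changed: false` appears (from its name) to stop the included role from restarting the service when the unit changes, and nothing in this hunk notifies `Restart barbican services`. Please confirm a changed unit file still leads to a restart, otherwise new overrides, including any hardening directives, stay inactive until someone restarts the service by hand.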
diff --git a/templates/barbican-httpd.conf.j2 b/templates/barbican-httpd.conf.j2 deleted file mode 100644 index 49de436..0000000 --- a/templates/barbican-httpd.conf.j2 +++ /dev/null @@ -1,58 +0,0 @@ -# {{ ansible_managed }} - - - WSGIDaemonProcess barbican-service user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP} - WSGIProcessGroup barbican-service - WSGIScriptAlias / /var/www/cgi-bin/barbican/main - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - - = 2.4> - ErrorLogFormat "%{cu}t %M" - - - LogLevel {{ barbican_apache_log_level }} - ErrorLog {{ barbican_log_directory }}/barbican-apache-error.log - CustomLog {{ barbican_log_directory }}/ssl_access.log combined - Options +FollowSymLinks - - {% if barbican_ssl | bool and barbican_service_internaluri_proto == "https" -%} - SSLEngine on - SSLCertificateFile {{ barbican_ssl_cert }} - SSLCertificateKeyFile {{ barbican_ssl_key }} - {% if barbican_user_ssl_ca_cert is defined -%} - SSLCACertificateFile {{ barbican_ssl_ca_cert }} - {% endif -%} - SSLCompression Off - SSLProtocol {{ barbican_ssl_protocol }} - SSLHonorCipherOrder On - SSLCipherSuite {{ barbican_ssl_cipher_suite }} - SSLOptions +StdEnvVars +ExportCertData - {% endif %} - - {% if barbican_sp is defined -%} - ShibURLScheme {{ barbican_service_publicuri_proto }} - - - SetHandler shib - - - - AuthType shibboleth - ShibRequestSetting requireSession 1 - ShibRequestSetting exportAssertion 1 - ShibRequireSession On - ShibExportAssertion On - Require valid-user - - - - ShibRequestSetting requireSession 1 - AuthType shibboleth - ShibExportAssertion Off - Require valid-user - - - WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/barbican/main/$1 - {% endif %} - diff --git a/templates/barbican-ports.conf.j2 b/templates/barbican-ports.conf.j2 deleted file mode 100644 index 35891dc..0000000 
--- a/templates/barbican-ports.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# {{ ansible_managed }} - -Listen {{ keystone_service_port }} -Listen {{ keystone_admin_port }} diff --git a/templates/barbican-systemd-init.j2 b/templates/barbican-systemd-init.j2 deleted file mode 100644 index 4d91845..0000000 --- a/templates/barbican-systemd-init.j2 +++ /dev/null @@ -1,34 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=barbican openstack service -After=syslog.target -After=network.target - -[Service] -Type=simple -User={{ system_user }} -Group={{ system_group }} - -{% if program_override is defined %} -ExecStart={{ program_override }} {{ program_config_options|default('') }} -{% else %} -ExecStart={{ program_bin }}/{{ program_name }} {{ program_config_options|default('') }} -{% endif %} - -# Give a reasonable amount of time for the server to start up/shut down -TimeoutSec=120 -Restart=on-failure -RestartSec=2 - -# This creates a specific slice which all services will operate from -# The accounting options give us the ability to see resource usage through -# the `systemd-cgtop` command. -Slice=barbican.slice -CPUAccounting=true -BlockIOAccounting=true -MemoryAccounting=false -TasksAccounting=true - -[Install] -WantedBy=multi-user.target diff --git a/templates/barbican-systemd-tempfiles.j2 b/templates/barbican-systemd-tempfiles.j2 deleted file mode 100644 index 3e73b16..0000000 --- a/templates/barbican-systemd-tempfiles.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# {{ ansible_managed }} - -D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }} -D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }} \ No newline at end of file diff --git a/templates/barbican.conf.j2 b/templates/barbican.conf.j2 index 212822a..ecbd587 100644 --- a/templates/barbican.conf.j2 +++ b/templates/barbican.conf.j2 
@@ -1,11 +1,12 @@ # {{ ansible_managed }} [DEFAULT] +use_journal = True # Disable stderr logging use_stderr = False # Show debugging output in logs (sets DEBUG log level output) debug = {{ debug }} - +use_json = {{ debug }} # Address to bind the API server bind_host = 0.0.0.0 @@ -17,10 +18,6 @@ bind_port = 9311 # communicate back with this service. host_href = {{ barbican_service_publicurl }} -# Log to this file. Make sure you do not set the same log -# file for both the API and registry servers! -#log_file = /var/log/barbican/api.log - # Backlog requests when creating socket backlog = 4096 diff --git a/vars/debian.yml b/vars/debian.yml index e204d57..09c686a 100644 --- a/vars/debian.yml +++ b/vars/debian.yml @@ -16,19 +16,22 @@ barbican_distro_packages: - git barbican_devel_distro_packages: - - python-dev - - libssl-dev - - libpq-dev + - build-essential + - gettext - git - libffi-dev - - gettext - - build-essential + - libpq-dev + - libssl-dev + - libsystemd-dev + - python-dev barbican_service_distro_packages: - barbican-api - barbican-keystone-listener - barbican-worker - python-pymysql # needed by /usr/bin/barbican-manage db upgrade. + - python-systemd + - python3-systemd - uwsgi - uwsgi-plugin-python diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..da55dce --- /dev/null +++ b/vars/main.yml 
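Review bot: In the first barbican.conf.j2 hunk, `use_journal = True` and `use_json = {{ debug }}` are added without comments, and `use_json` now sits directly under the "Show debugging output" comment with the separating blank line removed. I would add `# Send service logs to the systemd journal` above the first and `# Emit JSON-formatted log records when debug is enabled` above the second, and restore the blank line before `# Address to bind the API server`. The access model for these logs also changes: the removed task created the log directory with mode `0750` owned by the barbican user, whereas journal entries are readable by whoever can read the system journal on the host. With `debug = {{ debug }}` able to raise verbosity on a key-management service, the release note should say so, so operators can review journal read access and retention.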
@@ -0,0 +1,31 @@ +--- +# Copyright 2018, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# Compile a list of the services on a host based on whether +# the host is in the host group and the service is enabled. +# The service list is provided in the defined start order. +# +filtered_barbican_services: |- + {% set services = [] %} + {% for key, value in barbican_services.items() %} + {% if (value['group'] in group_names) and + (('condition' not in value) or + ('condition' in value and value['condition'])) %} + {% set _ = value.update({'service_key': key}) %} + {% set _ = services.append(value) %} + {% endif %} + {% endfor %} + {{ services | sort(attribute='start_order') }} diff --git a/vars/redhat.yml b/vars/redhat.yml index ada702b..628d243 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -24,12 +24,14 @@ barbican_devel_distro_packages: - openssl-devel - postgresql-libs - python-devel + - systemd-devel barbican_service_distro_packages: - openstack-barbican - openstack-barbican-api - openstack-barbican-keystone-listener - openstack-barbican-worker + - systemd-python - uwsgi - uwsgi-plugin-python diff --git a/vars/suse.yml b/vars/suse.yml index 9850509..cf033f8 100644 --- a/vars/suse.yml +++ b/vars/suse.yml @@ -21,6 +21,8 @@ barbican_devel_distro_packages: - libopenssl-devel - postgresql-devel - python-devel + - pkg-config + - systemd-devel barbican_service_distro_packages: - openstack-barbican 
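Review bot: In the vars/main.yml hunk, the filter tests `value['condition']` by plain truthiness, so a condition that reaches the template as a non-empty string such as `"False"` would keep the service enabled. Whether that can happen depends on how deployers define the key, which this diff does not show. The test is also longer than needed; `('condition' not in value) or (value['condition'] | bool)` is equivalent for real booleans and handles the string case. The final `sort(attribute='start_order')` requires every entry to define `start_order`, so I would extend the header comment with `# Every entry in barbican_services must define group, service_name and start_order.`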
@@ -28,6 +30,7 @@ barbican_service_distro_packages: - openstack-barbican-keystone-listener - openstack-barbican-retry - openstack-barbican-worker + - python-systemd - uwsgi - uwsgi-python