From 005e5b61caa14682a61b6bd55ea9af50e88f1f15 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Mon, 30 Jul 2018 11:13:02 -0500 Subject: [PATCH] Convert role to use a common systemd service role This removes the systemd service templates and tasks from this role and leverages a common systemd service role instead. This change removes a lot of code duplication across all roles all without sacrificing features or functionality. The intention of this change is to ensure uniformity and reduce the maintenance burden on the community when sweeping changes are needed. The systemd journal would normally be populated with the standard out of a service however with the use of uwsgi this is not actually happening resulting in us only capturing the logs from the uwsgi process instead of the service itself. This change implements journal logging in the service config, which is part of OSLO logging. OSLO logging docs found here: Change-Id: Ic5b57a650bd9f5c385ed0a0a3efd1d530a2d7e81 
Signed-off-by: Kevin Carter --- defaults/main.yml | 18 +++++- handlers/main.yml | 14 +---- .../notes/journal-log-ccba504642b49612.yaml | 5 ++ tasks/barbican_init.yml | 25 -------- tasks/barbican_init_common.yml | 26 --------- tasks/barbican_init_systemd.yml | 50 ---------------- tasks/barbican_pre_install.yml | 21 ------- tasks/main.yml | 26 ++++++++- templates/barbican-httpd.conf.j2 | 58 ------------------- templates/barbican-ports.conf.j2 | 4 -- templates/barbican-systemd-init.j2 | 34 ----------- templates/barbican-systemd-tempfiles.j2 | 4 -- templates/barbican.conf.j2 | 7 +-- vars/debian.yml | 13 +++-- vars/main.yml | 31 ++++++++++ vars/redhat.yml | 2 + vars/suse.yml | 3 + 17 files changed, 93 insertions(+), 248 deletions(-) create mode 100644 releasenotes/notes/journal-log-ccba504642b49612.yaml delete mode 100644 tasks/barbican_init.yml delete mode 100644 tasks/barbican_init_common.yml delete mode 100644 tasks/barbican_init_systemd.yml delete mode 100644 templates/barbican-httpd.conf.j2 delete mode 100644 templates/barbican-ports.conf.j2 delete mode 100644 templates/barbican-systemd-init.j2 delete mode 100644 templates/barbican-systemd-tempfiles.j2 create mode 100644 vars/main.yml diff --git a/defaults/main.yml b/defaults/main.yml index 7360dc7..9e8b910 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,7 +38,6 @@ barbican_system_user_name: barbican barbican_system_user_comment: Barbican System User barbican_system_user_shell: /bin/false barbican_system_user_home: "/var/lib/{{ barbican_system_user_name }}" -barbican_log_directory: /var/log/barbican barbican_etc_directory: /etc/barbican barbican_vassals_directory: "{{ barbican_etc_directory }}/vassals" 
@@ -47,8 +46,19 @@ barbican_api_program_name: barbican-api barbican_keystone_listener_program_name: barbican-keystone-listener barbican_worker_program_name: barbican-worker barbican_retry_program_name: barbican-retry -barbican_uwsgi_program_name: uwsgi -barbican_uwsgi_options: "--master --die-on-term --emperor {{ barbican_vassals_directory }}" + +## Service Name-Group Mapping +barbican_services: + barbican: + group: barbican_all + service_name: barbican + init_config_overrides: "{{ barbican_init_config_overrides }}" + execstarts: >- + {{ barbican_uwsgi_bin }}/uwsgi + --master + --die-on-term + --emperor {{ barbican_vassals_directory }} + start_order: 1 ## Service Type and Data barbican_service_name: barbican @@ -74,6 +84,7 @@ barbican_service_publicurl: "{{ barbican_service_publicuri_proto }}://{{ externa barbican_service_internalurl: "{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}" barbican_service_adminurl: "{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}" +barbican_init_config_overrides: {} barbican_config_overrides: {} barbican_policy_overrides: {} barbican_paste_overrides: {} @@ -168,6 +179,7 @@ barbican_pip_packages: - osprofiler - PyMySQL - python-memcached + - systemd-python - uwsgi # This variable is used by the repo_build process to determine diff --git a/handlers/main.yml b/handlers/main.yml index 1048825..9110ad4 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
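Review bot: The new `init_config_overrides: "{{ barbican_init_config_overrides }}"` entry in `barbican_services` (its `{}` default is added in the `@@ -74,6 +84,7 @@` hunk) replaces the `barbican_uwsgi_init_overrides` variable that the removed `tasks/barbican_init_systemd.yml` passed to the unit template, and nothing visible in this patch carries the old name forward. A deployment that used `barbican_uwsgi_init_overrides` to restrict the unit would silently lose those settings after this change. I would either accept the old name for a cycle, `barbican_init_config_overrides: "{{ barbican_uwsgi_init_overrides | default({}) }}"`, or add a release note that lists the rename together with the removed `barbican_uwsgi_program_name`, `barbican_uwsgi_options` and `barbican_log_directory`.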
@@ -13,19 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Restart Apache - systemd: - name: "apache2" - state: "restarted" - daemon_reload: yes - register: apache_restart - until: apache_restart is success - retries: 5 - delay: 2 - - name: Restart barbican services systemd: - name: "{{ barbican_uwsgi_program_name }}" + name: "{{ item.service_name }}" state: "restarted" daemon_reload: yes - + with_items: "{{ filtered_barbican_services }}" diff --git a/releasenotes/notes/journal-log-ccba504642b49612.yaml b/releasenotes/notes/journal-log-ccba504642b49612.yaml new file mode 100644 index 0000000..08aa874 --- /dev/null +++ b/releasenotes/notes/journal-log-ccba504642b49612.yaml @@ -0,0 +1,5 @@ +--- +deprecations: + - The log path, ``/var/log/barbican`` is no longer used to capture service + logs. All logging for the barbican service will now be sent directly to the + systemd journal. diff --git a/tasks/barbican_init.yml b/tasks/barbican_init.yml deleted file mode 100644 index feb2efd..0000000 --- a/tasks/barbican_init.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# Copyright 2016, Ian Cordasco -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- include: barbican_init_common.yml - vars: - program_name: "{{ barbican_uwsgi_program_name }}" - program_bin: "{{ barbican_uwsgi_bin }}" - program_config_options: "{{ barbican_uwsgi_options }}" - service_name: "{{ barbican_service_name }}" - system_user: "{{ barbican_system_user_name }}" - system_group: "{{ barbican_system_group_name }}" - service_home: "{{ barbican_system_user_home }}" - log_directory: "{{ barbican_log_directory }}" diff --git a/tasks/barbican_init_common.yml b/tasks/barbican_init_common.yml deleted file mode 100644 index ca70ff3..0000000 --- a/tasks/barbican_init_common.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -# Copyright 2016, Comcast Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- include: barbican_init_systemd.yml - static: no - when: - - ansible_service_mgr == 'systemd' - -- name: Load service - service: - name: "{{ program_name }}" - enabled: "yes" - notify: - - Restart barbican services diff --git a/tasks/barbican_init_systemd.yml b/tasks/barbican_init_systemd.yml deleted file mode 100644 index 25974cf..0000000 --- a/tasks/barbican_init_systemd.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Create TEMP run dir - file: - path: "/var/run/{{ program_name }}" - state: directory - owner: "{{ system_user }}" - group: "{{ system_group }}" - mode: "02755" - -- name: Create TEMP lock dir - file: - path: "/var/lock/{{ program_name }}" - state: directory - owner: "{{ system_user }}" - group: "{{ system_group }}" - mode: "02755" - -- name: Create tempfile.d entry - template: - src: "barbican-systemd-tempfiles.j2" - dest: "/etc/tmpfiles.d/barbican.conf" - mode: "0644" - owner: "root" - group: "root" - -- name: Place the systemd init script - config_template: - src: "barbican-systemd-init.j2" - dest: "/etc/systemd/system/{{ program_name }}.service" - mode: "0644" - owner: "root" - group: "root" - config_overrides: "{{ barbican_uwsgi_init_overrides }}" - config_type: "ini" - notify: - - Restart barbican services diff --git a/tasks/barbican_pre_install.yml b/tasks/barbican_pre_install.yml index d1555e3..4b19386 100644 --- a/tasks/barbican_pre_install.yml +++ b/tasks/barbican_pre_install.yml 
@@ -40,24 +40,3 @@ - path: "/etc/barbican" - path: "/etc/barbican/vassals" - path: "{{ barbican_system_user_home }}" - -- name: Test for Barbican log directory or link - shell: | - if [ -h "{{ barbican_log_directory }}" ]; then - chown -h {{ barbican_system_user_name }}:{{ barbican_system_group_name }} {{ barbican_log_directory }} - chown -R {{ barbican_system_user_name }}:{{ barbican_system_group_name }} "$(readlink {{ barbican_log_directory }})" - else - exit 1 - fi - register: log_dir - failed_when: false - changed_when: log_dir.rc != 0 - -- name: Create Barbican log directory - file: - path: "{{ barbican_log_directory }}" - state: "directory" - owner: "{{ barbican_system_user_name }}" - group: "{{ barbican_system_group_name }}" - mode: "0750" - when: log_dir.rc != 0 diff --git a/tasks/main.yml b/tasks/main.yml index 5ad7a9c..45f96e9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -53,9 +53,33 @@ tags: - barbican-config -- include: barbican_init.yml +- name: Run the systemd service role + include_role: + name: systemd_service + private: true + vars: + systemd_user_name: "{{ barbican_system_user_name }}" + systemd_group_name: "{{ barbican_system_group_name }}" + systemd_service_restart_changed: false + systemd_tempd_prefix: openstack + systemd_slice_name: barbican + systemd_lock_path: /var/lock/barbican + systemd_CPUAccounting: true + systemd_BlockIOAccounting: true + systemd_MemoryAccounting: true + systemd_TasksAccounting: true + systemd_services: + - service_name: "{{ service_var.service_name }}" + enabled: true + execstarts: "{{ service_var.execstarts }}" + execreloads: "{{ service_var.execreloads | default([]) }}" + config_overrides: "{{ service_var.init_config_overrides }}" + with_items: "{{ filtered_barbican_services }}" + loop_control: + loop_var: service_var tags: - barbican-config + - systemd-service - include_tasks: mq_setup.yml when: 
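Review bot: Nothing in the `tasks/main.yml` hunk, or elsewhere in this patch, retires the unit that earlier releases installed. The removed tasks wrote `/etc/systemd/system/{{ program_name }}.service` with `program_name` defaulting to `uwsgi` and enabled it, while the new `systemd_services` entry creates a unit named `barbican`. On an upgraded host the old unit would presumably stay enabled next to the new one, both starting an emperor over `barbican_vassals_directory`, and the old `/etc/tmpfiles.d/barbican.conf` is left in place as well. Unless the `systemd_service` role already handles this (not visible here), I would add cleanup tasks ahead of the `include_role`, along the lines below, and mention the unit rename in the release note.

```yaml
# … unchanged: barbican-config tasks above …

# Default unit name used by earlier releases; adjust if
# barbican_uwsgi_program_name was overridden in the deployment.
- name: Check for the unit written by earlier releases
  stat:
    path: /etc/systemd/system/uwsgi.service
  register: _barbican_old_unit

- name: Stop and disable the earlier unit
  systemd:
    name: uwsgi
    state: stopped
    enabled: false
  when: _barbican_old_unit.stat.exists

- name: Remove the earlier unit and tmpfiles entry
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/systemd/system/uwsgi.service
    - /etc/tmpfiles.d/barbican.conf

- name: Run the systemd service role
  # … unchanged: include_role, vars, with_items, tags …
```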
diff --git a/templates/barbican-httpd.conf.j2 b/templates/barbican-httpd.conf.j2 deleted file mode 100644 index 49de436..0000000 --- a/templates/barbican-httpd.conf.j2 +++ /dev/null @@ -1,58 +0,0 @@ -# {{ ansible_managed }} - - - WSGIDaemonProcess barbican-service user={{ barbican_system_user_name }} group={{ barbican_system_group_name }} processes={{ barbican_wsgi_processes }} threads={{ barbican_wsgi_threads }} display-name=%{GROUP} - WSGIProcessGroup barbican-service - WSGIScriptAlias / /var/www/cgi-bin/barbican/main - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - - = 2.4> - ErrorLogFormat "%{cu}t %M" - - - LogLevel {{ barbican_apache_log_level }} - ErrorLog {{ barbican_log_directory }}/barbican-apache-error.log - CustomLog {{ barbican_log_directory }}/ssl_access.log combined - Options +FollowSymLinks - - {% if barbican_ssl | bool and barbican_service_internaluri_proto == "https" -%} - SSLEngine on - SSLCertificateFile {{ barbican_ssl_cert }} - SSLCertificateKeyFile {{ barbican_ssl_key }} - {% if barbican_user_ssl_ca_cert is defined -%} - SSLCACertificateFile {{ barbican_ssl_ca_cert }} - {% endif -%} - SSLCompression Off - SSLProtocol {{ barbican_ssl_protocol }} - SSLHonorCipherOrder On - SSLCipherSuite {{ barbican_ssl_cipher_suite }} - SSLOptions +StdEnvVars +ExportCertData - {% endif %} - - {% if barbican_sp is defined -%} - ShibURLScheme {{ barbican_service_publicuri_proto }} - - - SetHandler shib - - - - AuthType shibboleth - ShibRequestSetting requireSession 1 - ShibRequestSetting exportAssertion 1 - ShibRequireSession On - ShibExportAssertion On - Require valid-user - - - - ShibRequestSetting requireSession 1 - AuthType shibboleth - ShibExportAssertion Off - Require valid-user - - - WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/barbican/main/$1 - {% endif %} - diff --git a/templates/barbican-ports.conf.j2 b/templates/barbican-ports.conf.j2 deleted file mode 100644 index 35891dc..0000000 
--- a/templates/barbican-ports.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# {{ ansible_managed }} - -Listen {{ keystone_service_port }} -Listen {{ keystone_admin_port }} diff --git a/templates/barbican-systemd-init.j2 b/templates/barbican-systemd-init.j2 deleted file mode 100644 index 4d91845..0000000 --- a/templates/barbican-systemd-init.j2 +++ /dev/null @@ -1,34 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=barbican openstack service -After=syslog.target -After=network.target - -[Service] -Type=simple -User={{ system_user }} -Group={{ system_group }} - -{% if program_override is defined %} -ExecStart={{ program_override }} {{ program_config_options|default('') }} -{% else %} -ExecStart={{ program_bin }}/{{ program_name }} {{ program_config_options|default('') }} -{% endif %} - -# Give a reasonable amount of time for the server to start up/shut down -TimeoutSec=120 -Restart=on-failure -RestartSec=2 - -# This creates a specific slice which all services will operate from -# The accounting options give us the ability to see resource usage through -# the `systemd-cgtop` command. -Slice=barbican.slice -CPUAccounting=true -BlockIOAccounting=true -MemoryAccounting=false -TasksAccounting=true - -[Install] -WantedBy=multi-user.target diff --git a/templates/barbican-systemd-tempfiles.j2 b/templates/barbican-systemd-tempfiles.j2 deleted file mode 100644 index 3e73b16..0000000 --- a/templates/barbican-systemd-tempfiles.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# {{ ansible_managed }} - -D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }} -D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }} \ No newline at end of file diff --git a/templates/barbican.conf.j2 b/templates/barbican.conf.j2 index 212822a..ecbd587 100644 --- a/templates/barbican.conf.j2 +++ b/templates/barbican.conf.j2 
@@ -1,11 +1,12 @@ # {{ ansible_managed }} [DEFAULT] +use_journal = True # Disable stderr logging use_stderr = False # Show debugging output in logs (sets DEBUG log level output) debug = {{ debug }} - +use_json = {{ debug }} # Address to bind the API server bind_host = 0.0.0.0 @@ -17,10 +18,6 @@ bind_port = 9311 # communicate back with this service. host_href = {{ barbican_service_publicurl }} -# Log to this file. Make sure you do not set the same log -# file for both the API and registry servers! -#log_file = /var/log/barbican/api.log - # Backlog requests when creating socket backlog = 4096 diff --git a/vars/debian.yml b/vars/debian.yml index e204d57..09c686a 100644 --- a/vars/debian.yml +++ b/vars/debian.yml @@ -16,19 +16,22 @@ barbican_distro_packages: - git barbican_devel_distro_packages: - - python-dev - - libssl-dev - - libpq-dev + - build-essential + - gettext - git - libffi-dev - - gettext - - build-essential + - libpq-dev + - libssl-dev + - libsystemd-dev + - python-dev barbican_service_distro_packages: - barbican-api - barbican-keystone-listener - barbican-worker - python-pymysql # needed by /usr/bin/barbican-manage db upgrade. + - python-systemd + - python3-systemd - uwsgi - uwsgi-plugin-python diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..da55dce --- /dev/null +++ b/vars/main.yml 
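Review bot: `use_journal = True` at the top of `[DEFAULT]` in `templates/barbican.conf.j2` moves Barbican's logs out of the directory that the removed pre-install task created as `0750` for the service user, and neither this template nor the release note says who can read them afterwards. Journal entries are readable under journald's own access rules rather than that directory mode, so with `debug = {{ debug }}` templated into the same section it is worth confirming which local accounts can read the journal on these hosts. The new `use_json = {{ debug }}` line also has no comment and sits directly under the `debug` comment. I would add `# Emit JSON-formatted log records when debug is enabled` above it, or give it its own variable if the coupling to `debug` is not intended.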
@@ -0,0 +1,31 @@ +--- +# Copyright 2018, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# Compile a list of the services on a host based on whether +# the host is in the host group and the service is enabled. +# The service list is provided in the defined start order. +# +filtered_barbican_services: |- + {% set services = [] %} + {% for key, value in barbican_services.items() %} + {% if (value['group'] in group_names) and + (('condition' not in value) or + ('condition' in value and value['condition'])) %} + {% set _ = value.update({'service_key': key}) %} + {% set _ = services.append(value) %} + {% endif %} + {% endfor %} + {{ services | sort(attribute='start_order') }} diff --git a/vars/redhat.yml b/vars/redhat.yml index ada702b..628d243 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -24,12 +24,14 @@ barbican_devel_distro_packages: - openssl-devel - postgresql-libs - python-devel + - systemd-devel barbican_service_distro_packages: - openstack-barbican - openstack-barbican-api - openstack-barbican-keystone-listener - openstack-barbican-worker + - systemd-python - uwsgi - uwsgi-plugin-python diff --git a/vars/suse.yml b/vars/suse.yml index 9850509..cf033f8 100644 --- a/vars/suse.yml +++ b/vars/suse.yml @@ -21,6 +21,8 @@ barbican_devel_distro_packages: - libopenssl-devel - postgresql-devel - python-devel + - pkg-config + - systemd-devel barbican_service_distro_packages: - openstack-barbican 
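Review bot: The `condition` test in `filtered_barbican_services` (new `vars/main.yml`) accepts any truthy value, so a service entry whose `condition` arrives as the string `"False"`, for example from a templated override, is still included and gets a unit created and enabled. The two-branch check can be replaced by `{% if (value['group'] in group_names) and (value['condition'] | default(true) | bool) %}`, which also drops the redundant `'condition' in value` test. Separately, `sort(attribute='start_order')` and `value['group']` assume every entry defines those keys. A line in the comment above the variable stating that `group` and `start_order` are required would help anyone overriding `barbican_services`.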
@@ -28,6 +30,7 @@ barbican_service_distro_packages: - openstack-barbican-keystone-listener - openstack-barbican-retry - openstack-barbican-worker + - python-systemd - uwsgi - uwsgi-python