Source template files from git or deploy host

Instead of sourcing the paste/policy files from the role, the deploy host will first be checked, then the git source. The current mechanism uses a lookup, causing the fetch of the default templates to happen via curl from the deployment node. This causes problems if the deployment node does not have access to the repo server web service, which may be the case in high security environments. This patch changes the mechanism to only use the lookup module for the file content that is on the deployment node, then falls back to using the uri module to fetch the default content. This ensures that the deployment node does not have to reach into the environment for the content. The pattern applied is the same as that used in the combination of the following two reference patches: - https://review.openstack.org/446235 - https://review.openstack.org/463390 The rootwrap.conf template is re-added because it cannot be used verbatim from the upstream repository. It requires the addition of the service venv bin in the exec_dirs. A mechanism to implement this dynamically will be figured out in a later review along with an implementation which will fetch the rootwrap files directly from the git source too. Conflicts: defaults/main.yml tasks/ceilometer_post_install.yml Change-Id: I248910a544f611b590bc93449aea98434802cae3 (cherry picked from commit 9e96b65126)
2017-05-11 14:04:26 +01:00 · 2017-05-11 14:04:26 +01:00 · b4fa7cfc85
parent 9641155f61
commit b4fa7cfc85
5 changed files with 155 additions and 54 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -27,7 +27,6 @@ ceilometer_developer_mode: false
 ## The git source/branch
 ceilometer_git_repo: https://git.openstack.org/openstack/ceilometer
 ceilometer_git_install_branch: stable/ocata
-ceilometer_git_config_lookup_location: https://git.openstack.org/cgit/openstack/ceilometer/plain/

 ## The packages to build from source (used in developer mode)
 ceilometer_developer_constraints:
@ -194,18 +193,47 @@ ceilometer_required_secrets:
 # by the py_pkgs lookup.
 ceilometer_role_project_group: ceilometer_all

-## Tunable overrides
-ceilometer_policy_overrides: {}
-ceilometer_rootwrap_conf_overrides: {}
-ceilometer_ceilometer_conf_overrides: {}
+#: Tunable file-based overrides
+# The contents of these files, if they exist, are read from the
+# specified path on the deployment host, interpreted by the
+# template engine and copied to the target host. If they do
+# not exist then the default files will be sourced from the
+# service git repository.
+ceilometer_api_paste_default_file_path: "/etc/openstack_deploy/ceilometer/api_paste.ini"
+ceilometer_event_definitions_default_file_path: "/etc/openstack_deploy/ceilometer/event_definitions.yaml"
+ceilometer_event_pipeline_default_file_path: "/etc/openstack_deploy/ceilometer/event_pipeline.yaml"
+ceilometer_gnocchi_resources_default_file_path: "/etc/openstack_deploy/ceilometer/gnocchi_resources.yaml"
+ceilometer_loadbalancer_v2_meter_definitions_default_file_path: "/etc/openstack_deploy/ceilometer/loadbalancer_v2_meter_definitions.yaml"
+ceilometer_osprofiler_event_definitions_default_file_path: "/etc/openstack_deploy/ceilometer/osprofiler_event_definitions.yaml"
+ceilometer_policy_default_file_path: "/etc/openstack_deploy/ceilometer/policy.json"
+ceilometer_polling_default_file_path: "/etc/openstack_deploy/ceilometer/polling.yaml"
+
+# If the above-mentioned files do not exist, then these
+# paths will be used to find the files from the git config
+# lookup location.
+ceilometer_git_config_lookup_location: https://git.openstack.org/cgit/openstack/ceilometer/plain
+ceilometer_api_paste_git_file_path: "etc/ceilometer/api_paste.ini?h={{ ceilometer_git_install_branch }}"
+ceilometer_event_definitions_git_file_path: "etc/ceilometer/event_definitions.yaml?h={{ ceilometer_git_install_branch }}"
+ceilometer_event_pipeline_git_file_path: "etc/ceilometer/event_pipeline.yaml?h={{ ceilometer_git_install_branch }}"
+ceilometer_gnocchi_resources_git_file_path: "ceilometer/dispatcher/data/gnocchi_resources.yaml?h={{ ceilometer_git_install_branch }}"
+ceilometer_loadbalancer_v2_meter_definitions_git_file_path: "etc/ceilometer/examples/loadbalancer_v2_meter_definitions.yaml?h={{ ceilometer_git_install_branch }}"
+ceilometer_osprofiler_event_definitions_git_file_path: "etc/ceilometer/examples/osprofiler_event_definitions.yaml?h={{ ceilometer_git_install_branch }}"
+ceilometer_policy_git_file_path: "etc/ceilometer/policy.json?h={{ ceilometer_git_install_branch }}"
+ceilometer_polling_git_file_path: "etc/ceilometer/polling.yaml?h={{ ceilometer_git_install_branch }}"
+
+## Tunable var-based overrides
+# The contents of these are templated over the default files.
 ceilometer_api_paste_ini_overrides: {}
+ceilometer_ceilometer_conf_overrides: {}
 ceilometer_event_definitions_yaml_overrides: {}
 ceilometer_event_pipeline_yaml_overrides: {}
-ceilometer_pipeline_yaml_overrides: {}
 # The incorrectly spelled "ceilometer_gnocci_resources_yaml_overrides" is deprecated and
 # will be removed in Pike.
 ceilometer_gnocci_resources_yaml_overrides: {}
 ceilometer_gnocchi_resources_yaml_overrides: "{{ ceilometer_gnocci_resources_yaml_overrides }}"
-ceilometer_osprofiler_event_definitions_yaml_overrides: {}
 ceilometer_loadbalancer_v2_meter_definitions_yaml_overrides: {}
+ceilometer_osprofiler_event_definitions_yaml_overrides: {}
+ceilometer_pipeline_yaml_overrides: {}
+ceilometer_policy_overrides: {}
 ceilometer_polling_yaml_overrides: {}
+ceilometer_rootwrap_conf_overrides: {}
--- a/releasenotes/notes/deploy-node-config-files-1b272a3ec7ed71b8.yaml
+++ b/releasenotes/notes/deploy-node-config-files-1b272a3ec7ed71b8.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - The ``os_ceilometer`` role now includes a facility where you
+    can place your own templates in ``/etc/openstack_deploy/ceilometer``
+    (by default) and it will be deployed to the target host after being
+    interpreted by the template engine. If no file is found there, the
+    fallback of the git sourced template is used.
--- a/tasks/ceilometer_post_install.yml
+++ b/tasks/ceilometer_post_install.yml
@ -13,13 +13,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Copy ceilometer config
+- name: Retrieve default configuration files
+  uri:
+    url: "{{ item }}"
+    return_content: yes
+  with_items:
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_api_paste_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_event_definitions_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_event_pipeline_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_gnocchi_resources_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_loadbalancer_v2_meter_definitions_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_osprofiler_event_definitions_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_policy_git_file_path }}"
+    - "{{ ceilometer_git_config_lookup_location }}/{{ ceilometer_polling_git_file_path }}"
+  register: _git_file_fetch
+
+- name: Copy ceilometer configuration files
  config_template:
-    src: "{{ item.src }}"
+    content: "{{ item.content | default(omit) }}"
+    src: "{{ item.src  | default(omit) }}"
    dest: "{{ item.dest }}"
-    owner: "{{ item.owner|default(ceilometer_system_user_name) }}"
-    group: "{{ item.group|default(ceilometer_system_group_name) }}"
-    mode: "0644"
+    owner: "{{ item.owner | default(ceilometer_system_user_name) }}"
+    group: "{{ item.group | default(ceilometer_system_group_name) }}"
+    mode: "{{ item.mode | default('0644') }}"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
    list_extend: "{{ item.list_extend | default(omit) }}"
@ -33,67 +49,48 @@
      config_overrides: "{{ ceilometer_pipeline_yaml_overrides }}"
      config_type: "yaml"
      list_extend: false
-  notify:
-    - Restart ceilometer services
-    - Restart web server
-
- name: Retrieve and config_template upstream files
-  config_template:
-    content: "{{ lookup('pipe', 'curl ' ~ ceilometer_git_config_lookup_location ~ item.path | default('etc/ceilometer/') ~ item.name + '?h=' ~ ceilometer_git_install_branch) | string }}"
-    dest: "{{ item.dest }}"
-    owner: "{{ item.owner | default(ceilometer_system_user_name ) }}"
-    group: "{{ item.group | default(ceilometer_system_group_name) }}"
-    config_overrides: "{{ item.config_overrides }}"
-    config_type: "{{ item.config_type }}"
-    list_extend: "{{ item.list_extend | default(omit) }}"
-  with_items:
-    - name: "gnocchi_resources.yaml"
-      dest: "/etc/ceilometer/gnocchi_resources.yaml"
-      config_overrides: "{{ ceilometer_gnocchi_resources_yaml_overrides }}"
-      config_type: "yaml"
-      list_extend: false
-      path: "ceilometer/dispatcher/data/"
-    - name: "rootwrap.conf"
+    - src: "rootwrap.conf.j2"
      dest: "/etc/ceilometer/rootwrap.conf"
      owner: "root"
      group: "root"
      config_overrides: "{{ ceilometer_rootwrap_conf_overrides }}"
      config_type: "ini"
-    - name: "api_paste.ini"
-      dest: "/etc/ceilometer/api_paste.ini"
+    - dest: "/etc/ceilometer/api_paste.ini"
      config_overrides: "{{ ceilometer_api_paste_ini_overrides }}"
      config_type: "ini"
-    - name: "event_pipeline.yaml"
-      dest: "/etc/ceilometer/event_pipeline.yaml"
-      config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}"
-      config_type: "yaml"
-      list_extend: false
-    - name: "event_definitions.yaml"
-      dest: "/etc/ceilometer/event_definitions.yaml"
+      content: "{{ ceilometer_api_paste_user_content | default(ceilometer_api_paste_default_content, true) }}"
+    - dest: "/etc/ceilometer/event_definitions.yaml"
      config_overrides: "{{ ceilometer_event_definitions_yaml_overrides }}"
      config_type: "yaml"
-      list_extend: false
-    - name: "osprofiler_event_definitions.yaml"
-      dest: "/etc/ceilometer/osprofiler_event_definitions.yaml"
-      config_overrides: "{{ ceilometer_osprofiler_event_definitions_yaml_overrides }}"
+      content: "{{ ceilometer_event_definitions_user_content | default(ceilometer_event_definitions_default_content, true) }}"
+    - dest: "/etc/ceilometer/event_pipeline.yaml"
+      config_overrides: "{{ ceilometer_event_pipeline_yaml_overrides }}"
+      config_type: "yaml"
+      content: "{{ ceilometer_event_pipeline_user_content | default(ceilometer_event_pipeline_default_content, true) }}"
+    - dest: "/etc/ceilometer/gnocchi_resources.yaml"
+      config_overrides: "{{ ceilometer_gnocchi_resources_yaml_overrides }}"
      config_type: "yaml"
      list_extend: false
-      path: "etc/ceilometer/examples/"
-    - name: "loadbalancer_v2_meter_definitions.yaml"
-      dest: "/etc/ceilometer/loadbalancer_v2_meter_definitions.yaml"
+      content: "{{ ceilometer_gnocchi_resources_user_content | default(ceilometer_gnocchi_resources_default_content, true) }}"
+    - dest: "/etc/ceilometer/loadbalancer_v2_meter_definitions.yaml"
      config_overrides: "{{ ceilometer_loadbalancer_v2_meter_definitions_yaml_overrides }}"
      config_type: "yaml"
      list_extend: false
-      path: "etc/ceilometer/examples/"
-    - name: "policy.json"
-      dest: "/etc/ceilometer/policy.json-{{ ceilometer_venv_tag }}"
+      content: "{{ ceilometer_loadbalancer_v2_meter_definitions_user_content | default(ceilometer_loadbalancer_v2_meter_definitions_default_content, true) }}"
+    - dest: "/etc/ceilometer/osprofiler_event_definitions.yaml"
+      config_overrides: "{{ ceilometer_osprofiler_event_definitions_yaml_overrides }}"
+      config_type: "yaml"
+      list_extend: false
+      content: "{{ ceilometer_osprofiler_event_definitions_user_content | default(ceilometer_osprofiler_event_definitions_default_content, true) }}"
+    - dest: "/etc/ceilometer/policy.json-{{ ceilometer_venv_tag }}"
      config_overrides: "{{ ceilometer_policy_overrides }}"
      config_type: "json"
-    - name: "polling.yaml"
-      dest: "/etc/ceilometer/polling.yaml"
+      content: "{{ ceilometer_policy_user_content | default(ceilometer_policy_default_content, true) }}"
+    - dest: "/etc/ceilometer/polling.yaml"
      config_overrides: "{{ ceilometer_polling_yaml_overrides }}"
      config_type: "yaml"
      list_extend: false
+      content: "{{ ceilometer_polling_user_content | default(ceilometer_polling_default_content, true) }}"
  notify:
    - Restart ceilometer services
    - Restart web server
--- a/templates/rootwrap.conf.j2
+++ b/templates/rootwrap.conf.j2
@ -0,0 +1,27 @@
+# Configuration for ceilometer-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ ceilometer_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1,42 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# These vars find a file on the deployment node, if it exists - otherwise the result is empty.
+ceilometer_api_paste_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_api_paste_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_event_definitions_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_event_definitions_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_event_pipeline_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_event_pipeline_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_gnocchi_resources_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_gnocchi_resources_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_loadbalancer_v2_meter_definitions_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_loadbalancer_v2_meter_definitions_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_osprofiler_event_definitions_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_osprofiler_event_definitions_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_policy_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_policy_default_file_path ~ ' 2>/dev/null || true') }}"
+ceilometer_polling_user_content: "{{ lookup('pipe', 'cat ' ~ ceilometer_polling_default_file_path ~ ' 2>/dev/null || true') }}"
+
+# These vars find the appropriate result content from the with_items loop
+ceilometer_api_paste_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_api_paste_git_file_path) | map(attribute='content') | first }}
+ceilometer_event_definitions_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_event_definitions_git_file_path) | map(attribute='content') | first }}
+ceilometer_event_pipeline_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_event_pipeline_git_file_path) | map(attribute='content') | first }}
+ceilometer_gnocchi_resources_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_gnocchi_resources_git_file_path) | map(attribute='content') | first }}
+ceilometer_loadbalancer_v2_meter_definitions_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_loadbalancer_v2_meter_definitions_git_file_path) | map(attribute='content') | first }}
+ceilometer_osprofiler_event_definitions_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_osprofiler_event_definitions_git_file_path) | map(attribute='content') | first }}
+ceilometer_policy_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_policy_git_file_path) | map(attribute='content') | first }}
+ceilometer_polling_default_content: |
+  {{ _git_file_fetch.results | selectattr('item', 'equalto', ceilometer_git_config_lookup_location ~ '/' ~ ceilometer_polling_git_file_path) | map(attribute='content') | first }}