Various changes to make convergence test work
- Ensure that rootwrap files are appropriately secured. - Implement sudoers to make rootwrap work. - Restructure tests to reduce duplication.
This commit is contained in:
Jesse Pretorius
parent
f59db83194
commit
a07a073cc1
|
|
@ -17,8 +17,8 @@
|
|||
config_template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "{{ designate_system_user_name }}"
|
||||
group: "{{ designate_system_group_name }}"
|
||||
owner: "{{ item.owner|default(designate_system_user_name) }}"
|
||||
group: "{{ item.group|default(designate_system_group_name) }}"
|
||||
mode: "0644"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
|
|
@ -48,12 +48,10 @@
|
|||
|
||||
- name: Copy designate rootwrap filter config
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
src: "rootwrap.d/bind9.filters"
|
||||
dest: "/etc/designate/rootwrap.d/bind9.filters"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
with_items:
|
||||
- { src: "rootwrap.d/bind9.filters", dest: "/etc/designate/rootwrap.d/bind9.filters" }
|
||||
notify: Restart designate services
|
||||
tags:
|
||||
- designate-config
|
||||
|
|
|
|||
|
|
@ -43,6 +43,8 @@
|
|||
with_items:
|
||||
- { path: "/etc/designate" }
|
||||
- { path: "/etc/designate/rootwrap.d" }
|
||||
- { path: "/etc/designate/rootwrap.d", owner: "root", group: "root" }
|
||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||
- { path: "{{ designate_system_user_home }}" }
|
||||
- { path: "{{ designate_system_user_home }}/.ssh", mode: "0700" }
|
||||
- { path: "/var/cache/designate", mode: "0700" }
|
||||
|
|
@ -89,6 +91,17 @@
|
|||
- designate-dirs
|
||||
- designate-logs
|
||||
|
||||
- name: Drop sudoers file
|
||||
template:
|
||||
src: "sudoers.j2"
|
||||
dest: "/etc/sudoers.d/{{ designate_system_user_name }}_sudoers"
|
||||
mode: "0440"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
tags:
|
||||
- sudoers
|
||||
- designate-sudoers
|
||||
|
||||
- include: designate_messaging_setup.yml
|
||||
when: >
|
||||
inventory_hostname == groups['designate_all'][0]
|
||||
when:
|
||||
- inventory_hostname == groups['designate_all'][0]
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
Defaults:{{ designate_system_user_name }} !requiretty
|
||||
Defaults:{{ designate_system_user_name }} secure_path="{{ designate_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
{{ designate_system_user_name }} ALL = (root) NOPASSWD: {{ designate_bin }}/{{ designate_service_name }}-rootwrap
|
||||
|
|
@ -1,35 +1,2 @@
|
|||
[all]
|
||||
localhost ansible_connection=local ansible_become=True
|
||||
|
||||
[rabbitmq_all:children]
|
||||
infra1
|
||||
|
||||
[galera_all:children]
|
||||
infra1
|
||||
|
||||
[designate_all:children]
|
||||
designate_api
|
||||
|
||||
[designate_api:children]
|
||||
openstack1
|
||||
|
||||
[designate_central:children]
|
||||
openstack1
|
||||
|
||||
[designate_mdns:children]
|
||||
openstack1
|
||||
|
||||
[designate_pool_manager:children]
|
||||
openstack1
|
||||
|
||||
[designate_sink:children]
|
||||
openstack1
|
||||
|
||||
[keystone_all:children]
|
||||
openstack1
|
||||
|
||||
[infra1]
|
||||
10.100.100.101
|
||||
|
||||
[openstack1]
|
||||
10.100.100.102
|
||||
|
|
|
|||
|
|
@ -0,0 +1,46 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Inventory is being pre-loaded using a post tasks instead of through a dynamic
|
||||
# inventory system. While this is not a usual method for deployment it's being
|
||||
# done for functional testing.
|
||||
|
||||
- name: Create container hosts
|
||||
add_host:
|
||||
groups: "{{ item.groups }}"
|
||||
hostname: "{{ item.name }}"
|
||||
inventory_hostname: "{{ item.name }}"
|
||||
ansible_ssh_host: "{{ item.address }}"
|
||||
ansible_become: true
|
||||
properties:
|
||||
service_name: "{{ item.service }}"
|
||||
container_networks:
|
||||
management_address:
|
||||
address: "{{ item.address }}"
|
||||
bridge: "lxcbr0"
|
||||
interface: "eth1"
|
||||
netmask: "255.255.252.0"
|
||||
type: "veth"
|
||||
physical_host: localhost
|
||||
container_name: "{{ item.name }}"
|
||||
with_items:
|
||||
- name: "infra1"
|
||||
service: "infra1"
|
||||
address: "10.100.100.101"
|
||||
groups: "all,all_containers,rabbitmq_all,galera_all,service_all"
|
||||
- name: "openstack1"
|
||||
service: "openstack1"
|
||||
address: "10.100.100.102"
|
||||
groups: "all,all_containers,keystone_all,designate_all,designate_api,designate_central,designate_pool_manager,designate_mdns,designate_sink"
|
||||
|
|
@ -13,44 +13,18 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Prepare the inventory
|
||||
hosts: localhost
|
||||
connection: local
|
||||
become: yes
|
||||
tasks:
|
||||
- include: test-include-inventory.yml
|
||||
|
||||
- name: Playbook for deploying designate
|
||||
hosts: designate_all
|
||||
user: root
|
||||
gather_facts: true
|
||||
roles:
|
||||
- role: "{{ rolename | basename }}"
|
||||
vars:
|
||||
debug: True
|
||||
external_lb_vip_address: 10.100.100.102
|
||||
internal_lb_vip_address: 10.100.100.102
|
||||
designate_galera_address: 10.100.100.101
|
||||
designate_container_mysql_password: "SuperSecrete"
|
||||
designate_pool_manager_galera_address: 10.100.100.101
|
||||
designate_pool_manager_container_mysql_password: "SuperSecrete"
|
||||
galera_client_drop_config_file: false
|
||||
galera_root_password: "secrete"
|
||||
designate_rabbitmq_password: "secrete"
|
||||
designate_rabbitmq_userid: designate
|
||||
designate_rabbitmq_vhost: /designate
|
||||
rabbitmq_servers: 10.100.100.101
|
||||
rabbitmq_use_ssl: False
|
||||
rabbitmq_port: 5672
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_service_adminuri_insecure: false
|
||||
keystone_service_internaluri_insecure: false
|
||||
keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
|
||||
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
|
||||
keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
|
||||
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
|
||||
designate_venv_tag: "testing"
|
||||
designate_developer_mode: true
|
||||
designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016
|
||||
designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
|
||||
designate_service_password: "secrete"
|
||||
designate_profiler_hmac_key: "secrete"
|
||||
openrc_os_auth_url: "{{ keystone_service_internalurl }}"
|
||||
openrc_os_password: "{{ keystone_auth_admin_password }}"
|
||||
openrc_os_domain_name: "Default"
|
||||
memcached_servers: 127.0.0.1
|
||||
memcached_encryption_key: "secrete"
|
||||
vars_files:
|
||||
- test-vars.yml
|
||||
|
|
|
|||
|
|
@ -13,6 +13,13 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Prepare the inventory
|
||||
hosts: localhost
|
||||
connection: local
|
||||
become: yes
|
||||
tasks:
|
||||
- include: test-include-inventory.yml
|
||||
|
||||
- name: Playbook for deploying infra services
|
||||
hosts: service_all
|
||||
user: root
|
||||
|
|
|
|||
|
|
@ -13,6 +13,13 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Prepare the inventory
|
||||
hosts: localhost
|
||||
connection: local
|
||||
become: yes
|
||||
tasks:
|
||||
- include: test-include-inventory.yml
|
||||
|
||||
- name: Playbook for deploying keystone
|
||||
hosts: keystone_all
|
||||
user: root
|
||||
|
|
@ -61,23 +68,5 @@
|
|||
when: inventory_hostname == groups['keystone_all'][0]
|
||||
roles:
|
||||
- role: os_keystone
|
||||
vars:
|
||||
external_lb_vip_address: 10.100.100.102
|
||||
internal_lb_vip_address: 10.100.100.102
|
||||
keystone_galera_address: 10.100.100.101
|
||||
keystone_galera_database: keystone
|
||||
keystone_venv_tag: "testing"
|
||||
keystone_developer_mode: true
|
||||
keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
|
||||
keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_service_password: "secrete"
|
||||
keystone_rabbitmq_password: "secrete"
|
||||
keystone_container_mysql_password: "SuperSecrete"
|
||||
keystone_rabbitmq_port: 5671
|
||||
keystone_rabbitmq_userid: keystone
|
||||
keystone_rabbitmq_vhost: /keystone
|
||||
keystone_rabbitmq_servers: 10.100.100.101
|
||||
keystone_rabbitmq_use_ssl: true
|
||||
galera_client_drop_config_file: false
|
||||
vars_files:
|
||||
- test-vars.yml
|
||||
|
|
|
|||
|
|
@ -13,6 +13,13 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Prepare the inventory
|
||||
hosts: localhost
|
||||
connection: local
|
||||
become: yes
|
||||
tasks:
|
||||
- include: test-include-inventory.yml
|
||||
|
||||
- name: Playbook for creating containers
|
||||
hosts: all_containers
|
||||
connection: local
|
||||
|
|
|
|||
|
|
@ -42,6 +42,7 @@
|
|||
name: "trusty.tgz"
|
||||
sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c"
|
||||
chroot_path: trusty/rootfs-amd64
|
||||
- role: "openstack_openrc"
|
||||
post_tasks:
|
||||
- name: Install pip packages
|
||||
pip:
|
||||
|
|
@ -53,4 +54,8 @@
|
|||
retries: 5
|
||||
delay: 2
|
||||
with_items:
|
||||
- lxc-python2
|
||||
- python-openstackclient
|
||||
- python-designateclient
|
||||
vars_files:
|
||||
- test-vars.yml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
debug: True
|
||||
external_lb_vip_address: 10.100.100.102
|
||||
internal_lb_vip_address: 10.100.100.102
|
||||
galera_client_drop_config_file: false
|
||||
galera_root_password: "secrete"
|
||||
rabbitmq_servers: 10.100.100.101
|
||||
rabbitmq_use_ssl: False
|
||||
rabbitmq_port: 5672
|
||||
memcached_servers: 127.0.0.1
|
||||
memcached_encryption_key: "secrete"
|
||||
keystone_venv_tag: "testing"
|
||||
keystone_developer_mode: true
|
||||
keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
|
||||
keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
|
||||
keystone_service_password: "secrete"
|
||||
keystone_galera_address: 10.100.100.101
|
||||
keystone_galera_database: keystone
|
||||
keystone_container_mysql_password: "SuperSecrete"
|
||||
keystone_auth_admin_token: "SuperSecreteTestToken"
|
||||
keystone_auth_admin_password: "SuperSecretePassword"
|
||||
keystone_service_adminuri_insecure: false
|
||||
keystone_service_internaluri_insecure: false
|
||||
keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
|
||||
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
|
||||
keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
|
||||
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
|
||||
keystone_rabbitmq_vhost: /keystone
|
||||
keystone_rabbitmq_userid: keystone
|
||||
keystone_rabbitmq_password: "secrete"
|
||||
keystone_rabbitmq_use_ssl: false
|
||||
keystone_rabbitmq_port: 5672
|
||||
keystone_rabbitmq_servers: 10.100.100.101
|
||||
openrc_os_auth_url: "{{ keystone_service_internalurl }}"
|
||||
openrc_os_password: "{{ keystone_auth_admin_password }}"
|
||||
openrc_os_domain_name: "Default"
|
||||
designate_venv_tag: "testing"
|
||||
designate_developer_mode: true
|
||||
designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016
|
||||
designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
|
||||
designate_service_password: "secrete"
|
||||
designate_galera_address: 10.100.100.101
|
||||
designate_container_mysql_password: "SuperSecrete"
|
||||
designate_pool_manager_galera_address: 10.100.100.101
|
||||
designate_pool_manager_container_mysql_password: "SuperSecrete"
|
||||
designate_rabbitmq_password: "secrete"
|
||||
designate_rabbitmq_userid: designate
|
||||
designate_rabbitmq_vhost: /designate
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
# vars file for os_designate/
|
||||
|
||||
Loading…
Reference in New Issue