Merge "Execute service setup against a delegated host using Ansible built-in modules"

defaults/main.yml

@@ -26,6 +26,11 @@ nova_ceilometer_enabled: False
 ## Verbosity Options
 debug: False
 
+# Set the host which will execute the shade modules
+# for the service setup. The host must already have
+# clouds.yaml properly configured.
+nova_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
+
 # Set the package install state for distribution and pip packages
 # Options are 'present' and 'latest'
 nova_package_state: "latest"
@@ -528,10 +533,6 @@ nova_services:
 nova_novnc_pip_packages:
   - websockify
 
-# nova packages that must be installed before anything else
-nova_requires_pip_packages:
-  - virtualenv
-
 nova_compute_ironic_pip_packages:
   - python-ironicclient
 
@@ -545,6 +546,7 @@ nova_pip_packages:
   - python-keystoneclient
   - python-memcached
   - python-novaclient
+  - python-openstackclient
   - uWSGI
 
 nova_compute_lxd_pip_packages:

handlers/main.yml

@@ -64,17 +64,6 @@
   delay: 2
   listen: "Restart nova services"
 
-- name: Wait for the nova-compute service to initialize
-  command: "openstack --os-cloud default compute service list --service nova-compute --format value --column Host"
-  register: _compute_host_list
-  retries: 10
-  delay: 5
-  until: "ansible_nodename in _compute_host_list.stdout_lines"
-  when:
-    - "nova_services['nova-compute']['group'] in group_names"
-    - "nova_discover_hosts_in_cells_interval | int < 1"
-  listen: "Restart nova services"
-
 - meta: noop
   listen: Manage LB
   when: false

meta/main.yml

@@ -40,4 +40,3 @@ galaxy_info:
 dependencies:
   - apt_package_pinning
   - galera_client
-  - openstack_openrc

releasenotes/notes/nova-service-setup-host-f62d2eaede77d23c.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    The service setup in keystone for nova will now be executed
+    through delegation to the ``nova_service_setup_host`` which,
+    by default, is ``localhost`` (the deploy host). Deployers can
+    opt to rather change this to the utility container by implementing
+    the following override in ``user_variables.yml``.
+
+    .. code-block:: yaml
+
+      nova_service_setup_host: "{{ groups['utility_all'][0] }}"
+
+deprecations:
+  - |
+    The variable ``nova_requires_pip_packages`` is no longer required
+    and has therefore been removed.

tasks/main.yml

@@ -179,6 +179,20 @@
 - name: Flush handlers
   meta: flush_handlers
 
+# We delegate this back to the conductor because that is
+# where we want to isolate the clouds.yaml configuration,
+# rather than have it implemented on all compute nodes.
+- import_tasks: nova_compute_wait.yml
+  delegate_to: "{{ first_conductor }}"
+  when:
+    - "nova_services['nova-compute']['group'] in group_names"
+    - "nova_discover_hosts_in_cells_interval | int < 1"
+  vars:
+    first_conductor: "{{ groups[nova_services['nova-conductor']['group']][0] }}"
+    compute_host_to_wait_for: "{{ ansible_nodename }}"
+  tags:
+    - nova-config
+
 # We have to delegate this back to the conductor
 # because the compute hosts do not have access to
 # the database connection string and therefore

tasks/nova_compute_wait.yml

@@ -0,0 +1,30 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Implement openrc/clouds.yaml
+  include_role:
+    name: "openstack_openrc"
+
+- name: Set the delegated task facts
+  set_fact:
+    _wait_nova_bin: "{{ hostvars[first_conductor]['nova_bin'] | default(nova_bin) }}"
+
+- name: Wait for the nova-compute service to initialize
+  command: "{{ _wait_nova_bin }}/openstack --os-cloud default compute service list --service nova-compute --format value --column Host"
+  changed_when: false
+  register: _compute_host_list
+  retries: 10
+  delay: 5
+  until: "compute_host_to_wait_for in _compute_host_list.stdout_lines"

tasks/nova_install_source.yml

@@ -25,21 +25,6 @@
   tags:
     - nova-pip-packages
 
-- name: Install required pip packages
-  pip:
-    name: "{{ nova_requires_pip_packages }}"
-    state: "{{ nova_pip_package_state }}"
-    extra_args: >-
-      {{ nova_developer_mode | ternary(pip_install_developer_constraints | default('--constraint /opt/developer-pip-constraints.txt'), '') }}
-      {{ (pip_install_upper_constraints is defined) | ternary('--constraint ' + pip_install_upper_constraints | default(''),'') }}
-      {{ pip_install_options | default('') }}
-  register: install_packages
-  until: install_packages is success
-  retries: 5
-  delay: 2
-  tags:
-    - nova-pip-packages
-
 - name: Retrieve checksum for venv download
   uri:
     url: "{{ nova_venv_download_url | replace('tgz', 'checksum') }}"

tasks/nova_service_setup.yml

@@ -13,194 +13,120 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Create a service
-- name: Ensure nova service
-  keystone:
-    command: "ensure_service"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    service_name: "{{ nova_service_name }}"
-    service_type: "{{ nova_service_type }}"
-    description: "{{ nova_service_description }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 2
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-    - nova-setup
+# We set the python interpreter to the ansible runtime venv if
+# the delegation is to localhost so that we get access to the
+# appropriate python libraries in that venv. If the delegation
+# is to another host, we assume that it is accessible by the
+# system python instead.
+- name: Setup the service
+  delegate_to: "{{ nova_service_setup_host }}"
+  vars:
+    ansible_python_interpreter: >-
+      {{ (nova_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_python['executable']) }}
+  block:
+    - name: Add services to the keystone service catalog
+      os_keystone_service:
+        cloud: default
+        state: present
+        name: "{{ item.name }}"
+        service_type: "{{ item.service_type }}"
+        description: "{{ item.description }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - name: "{{ nova_service_name }}"
+          service_type: "{{ nova_service_type }}"
+          description: "{{ nova_service_description }}"
+        - name: "{{ nova_placement_service_name }}"
+          service_type: "{{ nova_placement_service_type }}"
+          description: "{{ nova_placement_service_description }}"
 
-# Create an admin user
-- name: Ensure nova user
-  keystone:
-    command: "ensure_user"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ nova_service_user_name }}"
-    tenant_name: "{{ nova_service_project_name }}"
-    password: "{{ nova_service_password }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when:
-    - not nova_service_in_ldap | bool
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-    - nova-setup
+    - name: Add service users
+      os_user:
+        cloud: default
+        state: present
+        name: "{{ item.name }}"
+        password: "{{ item.password }}"
+        domain: default
+        default_project: "{{ item.default_project }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: "{{ item.condition }}"
+      until: add_service is success
+      retries: 5
+      delay: 10
+      no_log: True
+      with_items:
+        - name: "{{ nova_service_user_name }}"
+          password: "{{ nova_service_password }}"
+          default_project: "{{ nova_service_project_name }}"
+          condition: "{{ not nova_service_in_ldap | bool }}"
+        - name: "{{ nova_placement_service_username }}"
+          password: "{{ nova_placement_service_password }}"
+          default_project: "{{ nova_placement_service_project_name }}"
+          condition: "{{ not nova_service_in_ldap | bool }}"
+      loop_control:
+        label: "{{ item.name }}"
 
-# Add a role to the user
-- name: Ensure nova user to admin role
-  keystone:
-    command: "ensure_user_role"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ nova_service_user_name }}"
-    tenant_name: "{{ nova_service_project_name }}"
-    role_name: "{{ nova_service_role_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when:
-    - not nova_service_in_ldap | bool
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-    - nova-setup
+    - name: Add service users to admin roles
+      os_user_role:
+        cloud: default
+        state: present
+        user: "{{ item.user }}"
+        role: "{{ item.role }}"
+        project: "{{ item.project }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: "{{ item.condition }}"
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - user: "{{ nova_service_user_name }}"
+          role: "{{ nova_service_role_name }}"
+          project: "{{ nova_service_project_name }}"
+          condition: "{{ not nova_service_in_ldap | bool }}"
+        - user: "{{ nova_placement_service_username }}"
+          role: "{{ nova_placement_service_role_name }}"
+          project: "{{ nova_placement_service_project_name }}"
+          condition: "{{ not nova_placement_service_in_ldap | bool }}"
 
-# Create an endpoint
-- name: Ensure nova endpoint
-  keystone:
-    command: "ensure_endpoint"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    region_name: "{{ nova_service_region }}"
-    service_name: "{{ nova_service_name }}"
-    service_type: "{{ nova_service_type }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-    endpoint_list:
-      - url: "{{ nova_service_publicurl }}"
-        interface: "public"
-      - url: "{{ nova_service_internalurl }}"
-        interface: "internal"
-      - url: "{{ nova_service_adminurl }}"
-        interface: "admin"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-    - nova-setup
-
-# Create a service
-- name: Ensure nova placement service
-  keystone:
-    command: "ensure_service"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    service_name: "{{ nova_placement_service_name }}"
-    service_type: "{{ nova_placement_service_type }}"
-    description: "{{ nova_placement_service_description }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 2
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-
-# Create an admin user
-- name: Ensure nova placement user
-  keystone:
-    command: "ensure_user"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ nova_placement_service_username }}"
-    tenant_name: "{{ nova_placement_service_project_name }}"
-    password: "{{ nova_placement_service_password }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when: not nova_placement_service_in_ldap | bool
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-
-# Add a role to the user
-- name: Ensure nova user to admin role
-  keystone:
-    command: "ensure_user_role"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ nova_placement_service_username }}"
-    tenant_name: "{{ nova_placement_service_project_name }}"
-    role_name: "{{ nova_placement_service_role_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  when: not nova_placement_service_in_ldap | bool
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
-
-# Create an endpoint
-- name: Ensure nova endpoint
-  keystone:
-    command: "ensure_endpoint"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    region_name: "{{ nova_placement_service_region }}"
-    service_name: "{{ nova_placement_service_name }}"
-    service_type: "{{ nova_placement_service_type }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-    endpoint_list:
-      - url: "{{ nova_placement_service_publicurl }}"
-        interface: "public"
-      - url: "{{ nova_placement_service_internalurl }}"
-        interface: "internal"
-      - url: "{{ nova_placement_service_adminurl }}"
-        interface: "admin"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-  tags:
-    - nova-api-setup
-    - nova-service-add
+    - name: Add endpoints to keystone endpoint catalog
+      os_keystone_endpoint:
+        cloud: default
+        state: present
+        service: "{{ item.service }}"
+        endpoint_interface: "{{ item.interface }}"
+        url: "{{ item.url }}"
+        region: "{{ nova_service_region }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - service: "{{ nova_service_name }}"
+          interface: "public"
+          url: "{{ nova_service_publicurl }}"
+        - service: "{{ nova_service_name }}"
+          interface: "internal"
+          url: "{{ nova_service_internalurl }}"
+        - service: "{{ nova_service_name }}"
+          interface: "admin"
+          url: "{{ nova_service_adminurl }}"
+        - service: "{{ nova_placement_service_name }}"
+          interface: "public"
+          url: "{{ nova_placement_service_publicurl }}"
+        - service: "{{ nova_placement_service_name }}"
+          interface: "internal"
+          url: "{{ nova_placement_service_internalurl }}"
+        - service: "{{ nova_placement_service_name }}"
+          interface: "admin"
+          url: "{{ nova_placement_service_adminurl }}"