From f02127ab83d58bdf05f196da1aa7a8d1f2be2260 Mon Sep 17 00:00:00 2001 From: Jesse Pretorius Date: Tue, 19 Dec 2017 21:18:18 +0000 Subject: [PATCH] Update paste, policy and rootwrap configurations 2017-12-19 The locations of the previously included templates have been moved to the standard location used in all other roles. This helps to allow the sources-branch-updater script be able to automatically place the updated files processed from the upstream git repositories. As there is now a rootwrap filter file, the appropriate tasks to create the directory and to add the file have been implemented. A little clean-up of syntax of tasks near those modified have been included. Finally - to resolve the ansible-lint issue the use of systemctl has been removed. Change-Id: I9b64d5e99dc81a6f35d74c0366ee2bbe7d15d327
---
 files/rootwrap.d/tacker.filters | 10 +
 handlers/main.yml | 2 +
 tasks/tacker_init_systemd.yml | 6 +-
 tasks/tacker_post_install.yml | 20 +-
 tasks/tacker_pre_install.yml | 21 +-
 templates/{etc/tacker => }/api-paste.ini.j2 | 5 +-
 .../etc/tacker/tacker.conf.devstack_master | 311 -----------------
 templates/etc/tacker/tacker.conf.sample | 318 ------------------
 templates/{etc/tacker => }/policy.json.j2 | 0
 templates/{etc/tacker => }/rootwrap.conf.j2 | 2 +-
 templates/{etc/tacker => }/tacker.conf.j2 | 0
 11 files changed, 48 insertions(+), 647 deletions(-)
 create mode 100644 files/rootwrap.d/tacker.filters
 rename templates/{etc/tacker => }/api-paste.ini.j2 (80%)
 delete mode 100644 templates/etc/tacker/tacker.conf.devstack_master
 delete mode 100644 templates/etc/tacker/tacker.conf.sample
 rename templates/{etc/tacker => }/policy.json.j2 (100%)
 rename templates/{etc/tacker => }/rootwrap.conf.j2 (95%)
 rename templates/{etc/tacker => }/tacker.conf.j2 (100%)
diff --git a/files/rootwrap.d/tacker.filters b/files/rootwrap.d/tacker.filters
new file mode 100644
index 0000000..6c99f21
--- /dev/null
+++ b/files/rootwrap.d/tacker.filters
@@ -0,0 +1,10 @@
+# tacker-rootwrap command filters for nodes on which tacker is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
diff --git a/handlers/main.yml b/handlers/main.yml
index 33af4a5..a81d8e4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -18,8 +18,10 @@ - name: Restart tacker services service: name: "{{ item }}" + enabled: yes state: restarted pattern: "{{ item }}" + daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}" with_items: "{{ tacker_service_names }}" failed_when: false
diff --git a/tasks/tacker_init_systemd.yml b/tasks/tacker_init_systemd.yml
index c7b2abf..06abc30 100644
--- a/tasks/tacker_init_systemd.yml
+++ b/tasks/tacker_init_systemd.yml
@@ -38,6 +38,8 @@ mode: "0644" owner: "root" group: "root" + notify: + - Restart tacker services - name: Place the systemd init script template:
@@ -47,10 +49,6 @@ owner: "root" group: "root" register: systemd_init - -- name: Reload the systemd daemon - command: "systemctl daemon-reload" - when: systemd_init | changed notify: - Restart tacker services
diff --git a/tasks/tacker_post_install.yml b/tasks/tacker_post_install.yml
index 875db4a..ab8160a 100644
--- a/tasks/tacker_post_install.yml
+++ b/tasks/tacker_post_install.yml
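Review bot: The new file leaves `[Filters]` empty and its header only says the format "seems to be" something, so the first person to add an entry has nothing concrete to copy. Replace the two hedged comment lines with the oslo.rootwrap form, `# <name>: CommandFilter, <command>, <run-as user>` (other filter classes take their own argument lists), and state the intent of the empty section, e.g. `# No commands are permitted yet; rootwrap refuses anything without a matching filter`. If I recall oslo.rootwrap correctly that refusal is exactly what an empty section buys you, which is the right default, and the comment keeps someone from "fixing" it with a broad RegExpFilter. The root-only ownership the header asks for depends on the copy task elsewhere in this change (owner/group root, no mode), not on anything in this file.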
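Review bot: Now that the explicit `systemctl daemon-reload` task is gone, the daemon reload happens only inside this handler, and the pre-existing `failed_when: false` on it means a failed reload or restart after a unit-file change is silently ignored instead of failing the play; consider dropping `failed_when: false`, or narrowing it, so a genuinely failed restart surfaces. Separately, `enabled: yes` and the `'yes'` inside the `ternary` are YAML 1.1 truthy spellings that yamllint and ansible-lint flag; `enabled: true` and `ternary(true, omit)` say the same thing unambiguously. A short comment on the new line, `# daemon_reload is a systemd-module parameter; omit it for other service managers`, would explain why the ternary is there.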
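Review bot: `register: systemd_init` on the `Place the systemd init script` task is now dead, because its only consumer (`when: systemd_init | changed`) is removed in this hunk; drop the `register:` line so the next reader does not hunt for a user. The reload now depends entirely on the `Restart tacker services` handler being notified and running with `daemon_reload`, which is the intended behaviour, but a one-line comment on the notify, `# unit-file changes are picked up by the handler's daemon_reload`, would make that dependency explicit. The task this hunk modifies starts before the hunk.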
@@ -41,22 +41,32 @@ config_overrides: "{{ item.config_overrides }}" config_type: "{{ item.config_type }}" with_items: - - src: "etc/tacker/tacker.conf.j2" + - src: "tacker.conf.j2" dest: "{{ tacker_etc_dir }}/tacker.conf" config_overrides: "{{ tacker_tacker_conf_overrides }}" config_type: "ini" - - src: "etc/tacker/api-paste.ini.j2" + - src: "api-paste.ini.j2" dest: "{{ tacker_etc_dir }}/api-paste.ini" config_overrides: "{{ tacker_api_paste_ini_overrides }}" config_type: "ini" - - src: "etc/tacker/rootwrap.conf.j2" - dest: "{{ tacker_etc_dir}}/rootwrap.conf" + - src: "rootwrap.conf.j2" + dest: "{{ tacker_etc_dir }}/rootwrap.conf" config_overrides: "{{ tacker_rootwrap_overrides }}" config_type: "ini" - - src: "etc/tacker/policy.json.j2" + - src: "policy.json.j2" dest: "{{ tacker_etc_dir }}/policy.json" config_overrides: "{{ tacker_policy_overrides }}" config_type: "json" notify: - Restart tacker services +- name: Copy rootwrap filters + copy: + src: "{{ item }}" + dest: "{{ tacker_etc_dir }}/rootwrap.d/" + owner: "root" + group: "root" + with_fileglob: + - rootwrap.d/* + notify: + - Restart tacker services
diff --git a/tasks/tacker_pre_install.yml b/tasks/tacker_pre_install.yml
index 29f11dd..ea40a38 100644
--- a/tasks/tacker_pre_install.yml
+++ b/tasks/tacker_pre_install.yml
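Review bot: `Copy rootwrap filters` sets `owner`/`group` to root but no `mode`, so the installed filter files inherit the controller-side file mode or the remote umask rather than the root-only-writable permissions the filter file's own header asks for; add `mode: "0644"` to the task. These files deserve sudoers-fragment treatment, since they decide which commands `tacker-rootwrap` will run as root. The `notify` on the task is harmless, but as far as I recall oslo.rootwrap reads the filter directory on each invocation, so a service restart is not what makes a new filter take effect, and a comment saying so would avoid confusion. The config_template task at the top of the hunk begins outside it, so I cannot see what owner and mode `rootwrap.conf` itself is installed with.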
@@ -35,14 +35,21 @@ file: path: "{{ item.path }}" state: directory - owner: "{{ item.owner|default(tacker_system_user_name) }}" - group: "{{ item.group|default(tacker_system_group_name) }}" - mode: "{{ item.mode|default('0755') }}" + owner: "{{ item.owner | default(tacker_system_user_name) }}" + group: "{{ item.group | default(tacker_system_group_name) }}" + mode: "{{ item.mode | default('0755') }}" with_items: - - { path: "/openstack", mode: "0755", owner: "root", group: "root" } - - { path: "/etc/tacker" } - - { path: "/var/cache/tacker" } - - { path: "{{ tacker_system_user_home }}" } + - path: "/openstack" + mode: "0755" + owner: "root" + group: "root" + - path: "{{ tacker_etc_dir }}" + - path: "/var/cache/tacker" + - path: "{{ tacker_system_user_home }}" + - path: "{{ tacker_etc_dir }}/rootwrap.d" + owner: "root" + group: "root" + #- name: Create tacker venv dir #file:
diff --git a/templates/etc/tacker/api-paste.ini.j2 b/templates/api-paste.ini.j2
similarity index 80%
rename from templates/etc/tacker/api-paste.ini.j2
rename to templates/api-paste.ini.j2
index 1e44ef2..02f0dab 100644
--- a/templates/etc/tacker/api-paste.ini.j2
+++ b/templates/api-paste.ini.j2
@@ -6,7 +6,7 @@ use = egg:Paste#urlmap
 [composite:tackerapi_v1_0]
 use = call:tacker.auth:pipeline_factory
 noauth = request_id catch_errors extensions tackerapiapp_v1_0
-keystone = request_id catch_errors authtoken keystonecontext extensions tackerapiapp_v1_0
+keystone = request_id catch_errors alarm_receiver authtoken keystonecontext extensions tackerapiapp_v1_0
 
 [filter:request_id]
 paste.filter_factory = oslo_middleware:RequestId.factory
@@ -14,6 +14,9 @@ paste.filter_factory = oslo_middleware:RequestId.factory
 
 [filter:catch_errors]
 paste.filter_factory = oslo_middleware:CatchErrors.factory
 
+[filter:alarm_receiver]
+paste.filter_factory = tacker.alarm_receiver:AlarmReceiver.factory
+
 [filter:keystonecontext]
 paste.filter_factory = tacker.auth:TackerKeystoneContext.factory
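Review bot: `{{ tacker_etc_dir }}` is created with the default owner `tacker_system_user_name` and mode 0755 while the new `rootwrap.d` child is root-owned, but a root-owned child inside a directory writable by the service user is not protected: that user can rename `rootwrap.d` (and `rootwrap.conf`, which this change installs into the same directory) aside and drop replacements. If the sudoers entry for `tacker-rootwrap` (not in this diff) names `{{ tacker_etc_dir }}/rootwrap.conf`, that is a path from the service account to root, because rootwrap.conf decides `filters_path` and `exec_dirs`. Consider `owner: "root"`, `group: "{{ tacker_system_group_name }}"`, `mode: "0750"` for the etc dir, pre-creating user-owned any subdirectory the service must write to (the deleted sample shows `[vim_keys] openstack = /etc/tacker/vim/fernet_keys` as a default, so that one likely needs it); at minimum put a comment on the `rootwrap.d` entry that the parent directory's ownership, not the child's, is what protects it.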
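Review bot: `alarm_receiver` is inserted ahead of `authtoken` in the keystone pipeline, so it handles every request before Keystone authentication runs, and nothing in the template records why that ordering is required or what the middleware authenticates with. Judging by the deleted sample's `[alarm_auth]` section (`username`, `password`, `project_name`, `url`, with a placeholder password) the middleware appears to use a service credential from tacker.conf, and `tacker.conf.j2` is renamed unchanged in this commit, so confirm it actually sets `[alarm_auth]` with a real credential. Once confirmed, add above the pipeline line `# alarm_receiver runs before authtoken: it authenticates incoming alarm webhooks with the [alarm_auth] credentials from tacker.conf`.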
diff --git a/templates/etc/tacker/tacker.conf.devstack_master b/templates/etc/tacker/tacker.conf.devstack_master
deleted file mode 100644
index 4108810..0000000
--- a/templates/etc/tacker/tacker.conf.devstack_master
+++ /dev/null
@@ -1,311 +0,0 @@ -[DEFAULT] -nova_region_name = RegionOne -nova_api_insecure = False -nova_ca_certificates_file = -nova_admin_auth_url = http://10.18.133.120/identity_v2_admin -nova_admin_tenant_id = service -nova_admin_password = devstack -nova_admin_user_name = nova -nova_url = http://127.0.0.1:8774/v2 -auth_strategy = keystone -policy_file = /etc/tacker/policy.json -debug = True -logging_context_format_string = %(asctime)s.%(msecs)03d %(levelname)s %(name)s [%(request_id)s %(user_name)s %(project_name)s] %(instance)s%(message)s -use_syslog = False -state_path = /opt/stack/data/tacker -transport_url = rabbit://stackrabbit:devstack@10.18.133.120:5672/ - -# -# From tacker.common.config -# - -# The host IP to bind to (string value) -#bind_host = 0.0.0.0 - -# The port to bind to (integer value) -#bind_port = 9890 - -# The API paste config file to use (string value) -#api_paste_config = api-paste.ini - -# The path for API extensions (string value) -#api_extensions_path = - -# The service plugins Tacker will use (list value) -#service_plugins = nfvo,vnfm,commonservices - -# The policy file to use (string value) -#policy_file = policy.json - -# The type of authentication to use (string value) -#auth_strategy = keystone - -# Allow the usage of the bulk API (boolean value) -#allow_bulk = true - -# Allow the usage of the pagination (boolean value) -#allow_pagination = false - -# Allow the usage of the sorting (boolean value) -#allow_sorting = false - -# The maximum number of items returned in a single response, value was -# 'infinite' or negative integer means no limit (string value) -#pagination_max_limit = -1 - -# The hostname Tacker is running on (string value) -#host = stellarstack-1473375405-000 - -# URL for connection to nova (string value) -#nova_url = http://127.0.0.1:8774/v2 - -# Username for connecting to nova in admin context (string value) -#nova_admin_username = - -# Password for connection to nova in admin context (string value) -#nova_admin_password = - -# 
The uuid of the admin nova tenant (string value) -#nova_admin_tenant_id = - -# Authorization URL for connecting to nova in admin context (string value) -#nova_admin_auth_url = http://localhost:5000/v2.0 - -# CA file for novaclient to verify server certificates (string value) -#nova_ca_certificates_file = - -# If True, ignore any SSL validation issues (boolean value) -#nova_api_insecure = false - -# Name of nova region to use. Useful if keystone manages more than one region. -# (string value) -#nova_region_name = - -# Where to store Tacker state files. This directory must be writable by the -# agent. (string value) -#state_path = /var/lib/tacker - -# -# From tacker.service -# - -# Seconds between running periodic tasks (integer value) -#periodic_interval = 40 - -# Number of separate worker processes for service (integer value) -#api_workers = 0 - -# Range of seconds to randomly delay when starting the periodic task scheduler -# to reduce stampeding. (Disable by setting to 0) (integer value) -#periodic_fuzzy_delay = 5 - -# -# From tacker.wsgi -# - -# Number of backlog requests to configure the socket with (integer value) -#backlog = 4096 - -# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not -# supported on OS X. 
(integer value) -#tcp_keepidle = 600 - -# Number of seconds to keep retrying to listen (integer value) -#retry_until_window = 30 - -# Max header line to accommodate large tokens (integer value) -#max_header_line = 16384 - -# Enable SSL on the API server (boolean value) -#use_ssl = false - -# CA certificate file to use to verify connecting clients (string value) -#ssl_ca_file = - -# Certificate file to use when starting the server securely (string value) -#ssl_cert_file = - -# Private key file to use when starting the server securely (string value) -#ssl_key_file = - - -[monitor] - -# -# From tacker.vnfm.monitor -# - -# check interval for monitor (integer value) -#check_intvl = 10 - - -[monitor_http_ping] - -# -# From tacker.vnfm.monitor_drivers.http_ping.http_ping -# - -# number of times to retry (integer value) -#retry = 5 - -# number of seconds to wait for a response (integer value) -#timeout = 1 - -# HTTP port number to send request (integer value) -#port = 80 - - -[monitor_ping] - -# -# From tacker.vnfm.monitor_drivers.ping.ping -# - -# number of ICMP packets to send (string value) -#count = 1 - -# number of seconds to wait for a response (string value) -#timeout = 1 - -# number of seconds to wait between packets (string value) -#interval = 1 - - -[nfvo] - -# -# From tacker.nfvo.nfvo_plugin -# - -# VIM driver for launching VNFs (list value) -#vim_drivers = openstack - -# Interval to check for VIM health (integer value) -#monitor_interval = 30 - - -[nfvo_vim] -default_vim = VIM0 - -# -# From tacker.vnfm.vim_client -# - -# DEPRECATED: Default VIM for launching VNFs. This option is deprecated and -# will be removed in Ocata release. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. 
-#default_vim = - - -[openwrt] - -# -# From tacker.vnfm.mgmt_drivers.openwrt.openwrt -# - -# user name to login openwrt (string value) -#user = root - -# password to login openwrt (string value) -#password = - - -[tacker] - -# -# From tacker.vnfm.monitor -# - -# Monitor driver to communicate with Hosting VNF/logical service instance -# tacker plugin will use (list value) -#monitor_driver = ping,http_ping - -# -# From tacker.vnfm.plugin -# - -# MGMT driver to communicate with Hosting VNF/logical service instance tacker -# plugin will use (list value) -#mgmt_driver = noop,openwrt - -# Time interval to wait for VM to boot (integer value) -#boot_wait = 30 - -# Hosting vnf drivers tacker plugin will use (list value) -#infra_driver = nova,heat,noop,openstack - - -[tacker_heat] -stack_retry_wait = 5 -stack_retries = 60 -heat_uri = http://10.18.133.120:8004/v1 - -# -# From tacker.vnfm.infra_drivers.heat.heat -# - -# Number of attempts to retry for stack creation/deletion (integer value) -#stack_retries = 60 - -# Wait time (in seconds) between consecutive stack create/delete retries -# (integer value) -#stack_retry_wait = 5 - -# Flavor Extra Specs (dict value) -#flavor_extra_specs = - - -[vim_keys] - -# -# From tacker.nfvo.drivers.vim.openstack_driver -# - -# Dir.path to store fernet keys. 
(string value) -#openstack = /etc/tacker/vim/fernet_keys - - -[vim_monitor] - -# -# From tacker.nfvo.drivers.vim.openstack_driver -# - -# number of ICMP packets to send (string value) -#count = 1 - -# number of seconds to wait for a response (string value) -#timeout = 1 - -# number of seconds to wait between packets (string value) -#interval = 1 - -[database] -connection = mysql+pymysql://root:devstack@127.0.0.1/tacker?charset=utf8 - -[keystone_authtoken] -memcached_servers = 10.18.133.120:11211 -signing_dir = /var/cache/tacker -cafile = /opt/stack/data/ca-bundle.pem -auth_uri = http://10.18.133.120/identity -project_domain_name = Default -project_name = service -user_domain_name = Default -password = devstack -username = tacker -auth_url = http://10.18.133.120/identity_v2_admin -auth_type = password - -[tacker_nova] -region_name = RegionOne -project_domain_id = default -project_name = service -user_domain_id = default -password = devstack -username = nova -auth_url = http://10.18.133.120/identity_v2_admin -auth_plugin = password - -[agent] -root_helper = sudo /usr/local/bin/tacker-rootwrap /etc/tacker/rootwrap.conf diff --git a/templates/etc/tacker/tacker.conf.sample b/templates/etc/tacker/tacker.conf.sample deleted file mode 100644 index 48e356d..0000000 --- a/templates/etc/tacker/tacker.conf.sample +++ /dev/null 
@@ -1,318 +0,0 @@ -[DEFAULT] - -# -# From tacker.common.config -# - -# The host IP to bind to (string value) -#bind_host = 0.0.0.0 - -# The port to bind to (integer value) -#bind_port = 9890 - -# The API paste config file to use (string value) -#api_paste_config = api-paste.ini - -# The path for API extensions (string value) -#api_extensions_path = - -# The service plugins Tacker will use (list value) -#service_plugins = nfvo,vnfm - -# The policy file to use (string value) -#policy_file = policy.json - -# The type of authentication to use (string value) -#auth_strategy = keystone - -# Allow the usage of the bulk API (boolean value) -#allow_bulk = true - -# Allow the usage of the pagination (boolean value) -#allow_pagination = false - -# Allow the usage of the sorting (boolean value) -#allow_sorting = false - -# The maximum number of items returned in a single response, value was -# 'infinite' or negative integer means no limit (string value) -#pagination_max_limit = -1 - -# The hostname Tacker is running on (string value) -#host = aio1-tacker-container-c4f3e5cd - -# URL for connection to nova (string value) -#nova_url = http://127.0.0.1:8774/v2 - -# Username for connecting to nova in admin context (string value) -#nova_admin_username = - -# Password for connection to nova in admin context (string value) -#nova_admin_password = - -# The uuid of the admin nova tenant (string value) -#nova_admin_tenant_id = - -# Authorization URL for connecting to nova in admin context (string value) -#nova_admin_auth_url = http://localhost:5000/v2.0 - -# CA file for novaclient to verify server certificates (string value) -#nova_ca_certificates_file = - -# If True, ignore any SSL validation issues (boolean value) -#nova_api_insecure = false - -# Name of nova region to use. Useful if keystone manages more than one region. -# (string value) -#nova_region_name = - -# Where to store Tacker state files. This directory must be writable by the -# agent. 
(string value) -#state_path = /var/lib/tacker - -# -# From tacker.service -# - -# Seconds between running periodic tasks (integer value) -#periodic_interval = 40 - -# Number of separate worker processes for service (integer value) -#api_workers = 0 - -# Range of seconds to randomly delay when starting the periodic task scheduler -# to reduce stampeding. (Disable by setting to 0) (integer value) -#periodic_fuzzy_delay = 5 - -# -# From tacker.wsgi -# - -# Number of backlog requests to configure the socket with (integer value) -#backlog = 4096 - -# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not -# supported on OS X. (integer value) -#tcp_keepidle = 600 - -# Number of seconds to keep retrying to listen (integer value) -#retry_until_window = 30 - -# Max header line to accommodate large tokens (integer value) -#max_header_line = 16384 - -# Enable SSL on the API server (boolean value) -#use_ssl = false - -# CA certificate file to use to verify connecting clients (string value) -#ssl_ca_file = - -# Certificate file to use when starting the server securely (string value) -#ssl_cert_file = - -# Private key file to use when starting the server securely (string value) -#ssl_key_file = - - -[alarm_auth] - -# -# From tacker.alarm_receiver -# - -# User name for alarm monitoring (string value) -#username = tacker - -# password for alarm monitoring (string value) -#password = nomoresecret - -# project name for alarm monitoring (string value) -#project_name = service - -# url for alarm monitoring (string value) -#url = http://localhost:35357/v3 - - -[ceilometer] - -# -# From tacker.vnfm.monitor_drivers.ceilometer.ceilometer -# - -# Address which drivers use to trigger (string value) -#host = aio1-tacker-container-c4f3e5cd - -# port number which drivers use to trigger (port value) -# Minimum value: 0 -# Maximum value: 65535 -#port = 9890 - - -[monitor] - -# -# From tacker.vnfm.monitor -# - -# check interval for monitor (integer value) -#check_intvl = 10 - - 
-[monitor_http_ping] - -# -# From tacker.vnfm.monitor_drivers.http_ping.http_ping -# - -# number of times to retry (integer value) -#retry = 5 - -# number of seconds to wait for a response (integer value) -#timeout = 1 - -# HTTP port number to send request (integer value) -#port = 80 - - -[monitor_ping] - -# -# From tacker.vnfm.monitor_drivers.ping.ping -# - -# number of ICMP packets to send (string value) -#count = 1 - -# number of seconds to wait for a response (string value) -#timeout = 1 - -# number of seconds to wait between packets (string value) -#interval = 1 - - -[nfvo] - -# -# From tacker.nfvo.nfvo_plugin -# - -# VIM driver for launching VNFs (list value) -#vim_drivers = openstack - -# Interval to check for VIM health (integer value) -#monitor_interval = 30 - - -[nfvo_vim] - -# -# From tacker.vnfm.vim_client -# - -# DEPRECATED: Default VIM for launching VNFs. This option is deprecated and -# will be removed in Ocata release. (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. 
-#default_vim = - - -[openstack_vim] - -# -# From tacker.vnfm.infra_drivers.openstack.openstack -# - -# Number of attempts to retry for stack creation/deletion (integer value) -#stack_retries = 60 - -# Wait time (in seconds) between consecutive stack create/delete retries -# (integer value) -#stack_retry_wait = 5 - -# Flavor Extra Specs (dict value) -#flavor_extra_specs = - - -[openwrt] - -# -# From tacker.vnfm.mgmt_drivers.openwrt.openwrt -# - -# user name to login openwrt (string value) -#user = root - -# password to login openwrt (string value) -#password = - - -[tacker] - -# -# From tacker.vnfm.monitor -# - -# Monitor driver to communicate with Hosting VNF/logical service instance -# tacker plugin will use (list value) -#monitor_driver = ping,http_ping - -# Alarm monitoring driver to communicate with Hosting VNF/logical service -# instance tacker plugin will use (list value) -#alarm_monitor_driver = ceilometer - -# -# From tacker.vnfm.plugin -# - -# MGMT driver to communicate with Hosting VNF/logical service instance tacker -# plugin will use (list value) -#mgmt_driver = noop,openwrt - -# Time interval to wait for VM to boot (integer value) -#boot_wait = 30 - -# Hosting vnf drivers tacker plugin will use (list value) -#infra_driver = nova,heat,noop,openstack - - -[tacker_heat] - -# -# From tacker.vnfm.infra_drivers.heat.heat -# - -# Number of attempts to retry for stack creation/deletion (integer value) -#stack_retries = 60 - -# Wait time (in seconds) between consecutive stack create/delete retries -# (integer value) -#stack_retry_wait = 5 - -# Flavor Extra Specs (dict value) -#flavor_extra_specs = - - -[vim_keys] - -# -# From tacker.nfvo.drivers.vim.openstack_driver -# - -# Dir.path to store fernet keys. 
(string value) -#openstack = /etc/tacker/vim/fernet_keys - - -[vim_monitor] - -# -# From tacker.nfvo.drivers.vim.openstack_driver -# - -# number of ICMP packets to send (string value) -#count = 1 - -# number of seconds to wait for a response (string value) -#timeout = 1 - -# number of seconds to wait between packets (string value) -#interval = 1
diff --git a/templates/etc/tacker/policy.json.j2 b/templates/policy.json.j2
similarity index 100%
rename from templates/etc/tacker/policy.json.j2
rename to templates/policy.json.j2
diff --git a/templates/etc/tacker/rootwrap.conf.j2 b/templates/rootwrap.conf.j2
similarity index 95%
rename from templates/etc/tacker/rootwrap.conf.j2
rename to templates/rootwrap.conf.j2
index 9c51bd4..b363a00 100644
--- a/templates/etc/tacker/rootwrap.conf.j2
+++ b/templates/rootwrap.conf.j2
@@ -10,7 +10,7 @@ filters_path=/etc/tacker/rootwrap.d,/usr/share/tacker/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+exec_dirs={{ tacker_bin }},/sbin,/usr/sbin,/bin,/usr/bin
 
 # Enable logging to syslog
 # Default value is False
diff --git a/templates/etc/tacker/tacker.conf.j2 b/templates/tacker.conf.j2
similarity index 100%
rename from templates/etc/tacker/tacker.conf.j2
rename to templates/tacker.conf.j2
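Review bot: `{{ tacker_bin }}` is placed first in `exec_dirs`, directly under the comment `These directories MUST all be only writeable by root !`, yet nothing in this diff shows who owns that directory (the `Create tacker venv dir` task in tacker_pre_install.yml is commented out). If the venv bin directory is writable by the service user, any command name a filter allows can be shadowed there and rootwrap will run the user's binary as root, since as I understand oslo.rootwrap the exec_dirs are searched in order. Either confirm the venv is installed root-owned, or add a task that enforces it, and record the assumption in the template: `# {{ tacker_bin }} is searched first; it must be root-owned like the system directories that follow`.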