Cleanup files and templates using smart sources

The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. while the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: Ib3447cd5b0bcada4cdf82d9e4a9fe5160299f9c3
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
This commit is contained in:
Kevin Carter 2018-08-04 23:41:14 -05:00 committed by Kevin Carter
parent 6355e1e47d
commit f3f956e904
9 changed files with 174 additions and 155 deletions

View File

@ -279,8 +279,8 @@ cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("lvm")
cinder_backend_rbd_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.rbd.RBDDriver") != -1 }}'
## Policy vars
# Provide a list of access controls to update the default policy.json with. These changes will be merged
# with the access controls in the default policy.json. E.g.
# Provide a list of access controls to merge with the default
# access controls in the service code.
#cinder_policy_overrides:
# "volume:create": ""
# "volume:delete": ""

View File

@ -28,26 +28,6 @@
- "Restart cinder services"
- "venv changed"
# Note (odyssey4me):
# The policy.json file is currently read continually by the services
# and is not only read on service start. We therefore cannot template
# directly to the file read by the service because the new policies
# may not be valid until the service restarts. This is particularly
# important during a major upgrade. We therefore only put the policy
# file in place after the service has been stopped.
#
- name: Copy new policy file into place
copy:
src: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
dest: "/etc/cinder/policy.json"
owner: "root"
group: "{{ cinder_system_group_name }}"
mode: "0640"
remote_src: yes
listen:
- "Restart cinder services"
- "venv changed"
- name: Start services
service:
name: "{{ item.service_name }}"

View File

@ -56,6 +56,12 @@
option: "venv_tag"
value: "{{ cinder_venv_tag }}"
- name: Link in the os-brick rootwrap filters
file:
src: "{{ cinder_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
dest: /etc/cinder/rootwrap.d/os-brick.filters
state: link
- name: Copy cinder rootwrap filters
command: >-
rsync --archive --itemize-changes --delete

View File

@ -13,6 +13,33 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE(cloudnull): This task is required to copy rootwrap filters that we need
# and cinder does not provide by default.
- name: Create aux cinder dir
file:
path: "/etc/cinder/rootwrap.d"
state: "directory"
owner: "root"
group: "root"
- name: Generate cinder config
config_template:
src: "cinder.conf.j2"
dest: "/etc/cinder/cinder.conf"
owner: "root"
group: "{{ cinder_system_group_name }}"
mode: "0640"
config_overrides: "{{ cinder_cinder_conf_overrides }}"
config_type: "ini"
notify:
- Manage LB
- Restart cinder services
tags:
- cinder-config
- cinder-post-install
# TODO(cloudnull): Once "master" OSA is using a recent pull for
# cinder this task and templte can be removed.
- name: Copy cinder configs
config_template:
src: "{{ item.src }}"
@ -23,29 +50,71 @@
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items:
- src: "cinder.conf.j2"
dest: "/etc/cinder/cinder.conf"
config_overrides: "{{ cinder_cinder_conf_overrides }}"
config_type: "ini"
- src: "api-paste.ini.j2"
dest: "/etc/cinder/api-paste.ini"
config_overrides: "{{ cinder_api_paste_ini_overrides }}"
config_type: "ini"
- src: "resource_filters.json.j2"
dest: "/etc/cinder/resource_filters.json"
config_overrides: "{{ cinder_resource_filters_overrides }}"
config_type: "json"
- src: "rootwrap.conf.j2"
dest: "/etc/cinder/rootwrap.conf"
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
config_type: "ini"
- src: "policy.json.j2"
dest: "/etc/cinder/policy.json-{{ cinder_venv_tag }}"
config_overrides: "{{ cinder_policy_overrides }}"
config_type: "json"
notify:
- Manage LB
- Restart cinder services
tags:
- cinder-config
- cinder-post-install
- name: Implement policy.json if there are overrides configured
copy:
content: "{{ cinder_policy_overrides | to_nice_json }}"
dest: "/etc/cinder/policy.json"
when:
- cinder_policy_overrides != {}
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
# because we only want to copy the original files once. and we
# don't want to need multiple tasks.
- name: Preserve original configuration file(s)
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
args:
creates: "{{ item.target_f }}.original"
with_items: "{{ cinder_core_files }}"
- name: Fetch override files
fetch:
src: "{{ item.target_f }}.original"
dest: "{{ item.tmp_f }}"
flat: yes
changed_when: false
with_items: "{{ cinder_core_files }}"
run_once: true
- name: Copy common config
config_template:
src: "{{ item.tmp_f }}"
dest: "{{ item.target_f }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default(cinder_system_group_name) }}"
mode: "{{ item.mode | default('0640') }}"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items: "{{ cinder_core_files }}"
notify:
- Restart cinder services
- name: Cleanup fetched temp files
file:
path: "{{ item.tmp_f }}"
state: absent
changed_when: false
delegate_to: localhost
with_items: "{{ cinder_core_files }}"
# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
- name: Set rootwrap.d permissions
file:
path: "/etc/cinder/rootwrap.d"
owner: "root"
group: "root"
mode: "0640"
recurse: true
- name: Ensure cinder tgt include
lineinfile:

View File

@ -31,17 +31,62 @@
createhome: "yes"
home: "{{ cinder_system_home_folder }}"
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
# install. If the directory does exist it will need to be
# removed. This is required on source installs because the
# config directory is a link.
- name: Source config block
block:
- name: Stat config directory
stat:
path: "/etc/cinder"
register: cinder_conf_dir_stat
- name: Remove the config directory
file:
path: "/etc/cinder"
state: absent
when:
- cinder_conf_dir_stat.stat.isdir is defined and
cinder_conf_dir_stat.stat.isdir
when:
- cinder_install_method == 'source'
- name: Create cinder dir
file:
path: "{{ item.path }}"
state: directory
owner: "{{ item.owner|default(cinder_system_user_name) }}"
group: "{{ item.group|default(cinder_system_group_name) }}"
mode: "{{ item.mode|default('0755') }}"
path: "{{ item.path | default(omit) }}"
src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
state: "{{ item.state | default('directory') }}"
owner: "{{ item.owner | default(cinder_system_user_name) }}"
group: "{{ item.group | default(cinder_system_group_name) }}"
mode: "{{ item.mode | default(omit) }}"
force: "{{ item.force | default(omit) }}"
when:
- (item.condition | default(true)) | bool
with_items:
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
- { path: "/var/cache/cinder", mode: "0700" }
- { path: "/etc/cinder", mode: "0750" }
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
- { path: "{{ cinder_system_home_folder }}" }
- path: "/openstack"
mode: "0755"
owner: "root"
group: "root"
- path: "/var/cache/cinder"
mode: "0700"
- path: "{{ (cinder_install_method == 'distro') | ternary('/etc/cinder', (cinder_bin | dirname) + '/etc/cinder') }}"
mode: "0755"
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
# within the host/container confines when connecting to
# them using the connection plugin or the root filesystem.
- dest: "/etc/cinder"
src: "{{ cinder_bin | dirname | regex_replace('^/', '../') }}/etc/cinder"
state: link
force: true
condition: "{{ cinder_install_method == 'source' }}"
- path: "/etc/cinder/rootwrap.d"
owner: "root"
group: "root"
mode: "0750"
- path: "/etc/sudoers.d"
mode: "0750"
owner: "root"
group: "root"
- path: "{{ cinder_system_home_folder }}"

View File

@ -1,65 +0,0 @@
#############
# OpenStack #
#############
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
/v2: openstack_volume_api_v2
/v3: openstack_volume_api_v3
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv2
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
[composite:openstack_volume_api_v3]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler noauth apiv3
keystone = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
keystone_nolimit = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv3
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
[filter:http_proxy_to_wsgi]
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
[filter:cors]
paste.filter_factory = oslo_middleware.cors:filter_factory
oslo_config_project = cinder
[filter:faultwrap]
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
[filter:noauth]
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
[filter:sizelimit]
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
[app:apiv2]
paste.app_factory = cinder.api.v2.router:APIRouter.factory
[app:apiv3]
paste.app_factory = cinder.api.v3.router:APIRouter.factory
[pipeline:apiversions]
pipeline = cors http_proxy_to_wsgi faultwrap osvolumeversionapp
[app:osvolumeversionapp]
paste.app_factory = cinder.api.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory

View File

@ -1,14 +0,0 @@
{
"consistencygroup:create" : "group:nobody",
"consistencygroup:delete": "group:nobody",
"consistencygroup:update": "group:nobody",
"consistencygroup:get": "group:nobody",
"consistencygroup:get_all": "group:nobody",
"consistencygroup:create_cgsnapshot" : "group:nobody",
"consistencygroup:delete_cgsnapshot": "group:nobody",
"consistencygroup:get_cgsnapshot": "group:nobody",
"consistencygroup:get_all_cgsnapshots": "group:nobody"
}

View File

@ -1,27 +0,0 @@
# Configuration for cinder-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs={{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/usr/lpp/mmfs/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR

View File

@ -13,6 +13,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
_cinder_rootwrap_conf_overrides:
DEFAULT:
filters_path: "/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap"
exec_dirs: "{{ cinder_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
#
# Compile a list of the services on a host based on whether
# the host is in the host group and the service is enabled.
@ -29,3 +34,23 @@ filtered_cinder_services: |-
{% endif %}
{% endfor %}
{{ services | sort(attribute='start_order') }}
cinder_core_files:
- tmp_f: "/tmp/api-paste.ini"
target_f: "/etc/cinder/api-paste.ini"
config_overrides: "{{ cinder_api_paste_ini_overrides }}"
config_type: "ini"
- tmp_f: "/tmp/rootwrap.conf"
target_f: "/etc/cinder/rootwrap.conf"
config_overrides: "{{ _cinder_rootwrap_conf_overrides | combine(cinder_rootwrap_conf_overrides, recursive=True) }}"
config_type: "ini"
owner: "root"
group: "{{ cinder_system_group_name }}"
mode: "0640"
- tmp_f: "/tmp/resource_filters.json"
target_f: "/etc/cinder/resource_filters.json"
config_overrides: "{{ cinder_resource_filters_overrides }}"
config_type: "json"
owner: "root"
group: "{{ cinder_system_group_name }}"
mode: "0640"