31 Commits

Author SHA1 Message Date
James Gibson 736d36b79d Add TLS support to glance backends
By overriding the variable `glance_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the glance backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: I5a0302c2fcc73a869de5633b2332a3b53c99590e
2023-04-29 18:36:46 +02:00
Dmitriy Rabotyagov f7c7e4864e Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.

We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.

Change-Id: I5a52c0de14ee3a6215edb64dbc3bd48512d57e2e
Closes-Bug: #2009029
2023-04-07 08:27:38 +00:00
Dmitriy Rabotyagov 613e645a20 Remove mention of haproxy-endpoints role
Role was never migrated to usage of haproxy-endpoints role
and included task was used instead the whole time.
With that to reduce complexity and to have unified approach, all mention
of the role and handler are removed from the code.

Change-Id: I01225e479e22f3867e811055c8e5e87f644bf46e
2022-06-14 18:02:05 +00:00
Jonathan Rosser cab9cb90f5 Remove legacy policy.json cleanup handler
Change-Id: Icbf12fb0c09ef2e0a856e7339fa43aaf3557715a
2022-02-02 04:11:25 -05:00
Dmitriy Rabotyagov 6ed40be146 [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to replace policy.json with
policy.yaml and remove deprecated policy.json.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I03a29bab6663d1d0ee6130707ea5865ebbd916d5
2021-05-05 19:13:33 +00:00
Jonathan Rosser ae6c72997c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I03b51e2cf342b8b1434503f2bd0f4b30dcd5258e
2021-02-23 18:05:14 +00:00
Dmitriy Rabotyagov ed736fd783 Cleanup glance-registry service
Glance-registry service has been removed in V cycle with [1]

We do all necessary cleanup to fully remove service deployment.

[1] https://review.opendev.org/738671/

Change-Id: I0b2e2e39040fd0daef04724f94a39f2d11e4d105
2020-07-07 07:30:17 +03:00
Kevin Carter 9748e6b154 Cleanup files and templates using smart sources
The files and templates we carry are almost always in a state of
maintenance. The upstream services are maintaining these files and
there's really no reason we need to carry duplicate copies of them. This
change removes all of the files we expect to get from the upstream
service. While the focus of this change is to remove configuration file
maintenance burdens it also allows the role to execute faster.

  * Source installs have the configuration files within the venv at
    "<<VENV_PATH>>/etc/<<SERVICE_NAME>>". The role will now link the
    default configuration path to this directory. When the service is
    upgraded the link will move to the new venv path.
  * Distro installs package all of the required configuration files.

To maintain our current capabilities to override configuration the
role will fetch files from the disk whenever an override is provided and
then push the fetched file back to the target using `config_template`.

Change-Id: I3e7283bf778a9d686f3ae500b289c1fb43b42b92
Signed-off-by: cloudnull <kevin@cloudnull.com>
2019-02-18 09:06:26 -06:00
Jesse Pretorius e98b2d6116 Use a common python build/install role
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.

We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.

This is by no means the final stop in the simplification
process, but it is a step forward. There will be work to follow
which:

1. Replaces 'developer mode' with an equivalent mechanism
   that uses the common role and is simpler to understand.
   We will also simplify the provisioning of pip install
   arguments when doing this.
2. Simplifies the installation of optional pip packages.
   Right now it's more complicated than it needs to be due
   to us needing to keep the py_pkgs plugin working in the
   integrated build.
3. Deduplicates the distro package installs. Right now the
   role installs the distro packages twice - just before
   building the venv, and during the python_venv_build role
   execution.

Depends-On: https://review.openstack.org/598957
Change-Id: I18cc964196dbbf5019bc116c41861cb39e466e14
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
2018-09-03 11:11:57 +00:00
Kevin Carter 659e3278d0 Convert role to use a common systemd mount role
The systemd unit files are being converted to use common roles to reduce
code sprawl throughout the playbooks. This change allows us to use a
common systemd_mount role as an include which will give us a consistent
experience when deploying services and setting up their resources on
OS's that use systemd.

Closes-Bug: #1774037
Change-Id: I11d083788cd388dab0695878193ab18af1b5038b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-07-30 18:39:12 +00:00
zhulingjie 5b44a334fc Remove the unnecessary space
Change-Id: Ic219247ccc57bc174c3e2eae0eb00d234be6b739
2018-07-11 23:19:16 -04:00
Jean-Philippe Evrard fb2802d2e4 Fix usage of "|" for tests
With the more recent versions of ansible, we should now use
"is" instead of the "|" sign for the tests.

This should fix it.

Change-Id: I6749670146cc64cb39b67efb26a9226208828ae7
2018-07-12 16:44:20 +02:00
Jesse Pretorius (odyssey4me) 49ed28890e Revert "Use a common python build/install role for source-base deployment"
This is causing some trouble with the integrated build. For now,
while we work out the role's build/storage delegation, let's revert
this.

This reverts commit 975675b659, except
for the a-r-r entry which is left in place as it will be needed later.

Change-Id: I111baaf1e3d70c036508cccc31887e0f328a67ce
2018-03-29 13:25:42 +01:00
Jesse Pretorius 975675b659 Use a common python build/install role for source-base deployment
Instead of copying a common set of code between all the roles,
switch to using a common role which checks whether a deploy host
already has the appropriate venv package. If it does not, build
it on the fly and pull it to the deploy host.

Implementing this does away with the requirement to do builds
on the repo container. Once this has been implemented into all
roles then the repo_build role will be retired.

Depends-On: https://review.openstack.org/556840
Change-Id: I57e87406bee5c7d10aa824f18d3142f8f3ac6ab4
2018-03-27 13:37:10 +01:00
Kevin Carter 477d44cab9 Update glance NFS for systemd
Systemd has the ability to manage mounts and ensure functionality
/ resource management. Using a systemd mount has the benefit of not
requiring writes to the legacy fstab file which can impact OS
functionality especially when deploying on baremetal. This change
moves the glance NFS mount to a systemd unit file allowing systemd
to manage it independently with no potentially breaking impact to
the underlying operating system.

Changes:
 - This PR corrects a long standing issue when using Glance+NFS where
   initial deployment would work but if the playbooks were run again
   it would fail due to the glance images location being an NFS mount
   point with a potentially different UID/GID. To correct this we stat
   the directory and if it does NOT exist it is created.
 - Following the nova pattern options have been provided to set the UID
   and GID of the glance user.
 - To ensure our NFS backend solution works with the installation of
   glance a test has been added to deploy glance using an NFS backend.
 - An upgrade task has been added to this commit to clean up legacy
   mounts. This task should be removed in R.

Change-Id: I716c9fe35391629532e67e212d45ea27a5422d1b
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2017-12-12 17:49:55 -06:00
Zuul 976a9921fd Merge "Disable glance-registry and the v1 API by default"
2017-11-21 11:15:15 +00:00
Jesse Pretorius 4fa9872510 Disable glance-registry and the v1 API by default
When using the glance v2 API the glance-registry service is
optional, and the intention is to remove the glance-registry
service in the S cycle.

The glance v1 API is scheduled to be removed in Queens.
This patch therefore disables the v1 API by default to give
us as much time as possible to identify the impact of that
and to get the issues resolved before it is removed from
the code-base.

The patch also cleans up the glance-registry init files
to handle the transition in an existing environment.

Tests are added to validate that enabling the v1 API still
works, and enabling the v2 registry still works.

Change-Id: I4c27aa0ca5b649e4fa76cfd0f326d80f50074db1
2017-11-20 12:48:55 +00:00
Logan V 5842a24cd3 Add external LB management handler hook interface
Based on conversation on an ansible issue[1], I implemented
a LB orchestration role[2] similar to the POC here[3].

This will allow external loadbalancer management roles to hook
into a universal notify listener "Manage LB" to perform before/
after endpoint management actions when the service is being
restarted.

[1]: https://github.com/ansible/ansible/issues/27813
[2]: https://github.com/Logan2211/ansible-haproxy-endpoints
[3]: https://github.com/Logan2211/tmp-ansible-27813

Change-Id: I7d2f47e94826526e9a5a99d32575f691fb6b30fd
2017-11-03 02:55:24 +00:00
Jesse Pretorius af9142ec9b Use listen instead of chained notifiers
From Ansible 2.2 onwards, listen can be used for
handlers instead of chaining notifiers. The
handlers are then executed in the sequence
present in the handler file.

Change-Id: Ia185ab830005f311f37d4eb7dfab1ae116419e3b
2017-06-30 13:39:03 +01:00
Jesse Pretorius 545e362b05 Ensure that services restart in a particular order
Currently when multiple services share a host, the
restart order is random. This is due to an unordered
dict being used to facilitate the mapping of services
to their groups, names and other options.

This patch implements changes to the role to ensure
that services on the same host are restarted in the
correct order when the software/config changes.

Change-Id: I52fc66f861ce98cc8299c84edcfd5f18d74306b3
2017-06-30 13:27:56 +01:00
Jenkins 12ba6009f9 Merge "Ensure that policy file has correct group/mode"
2017-05-25 00:00:07 +00:00
Jesse Pretorius aa4910a1cc Use command instead of debug for handlers
Due to the debug message plugin the handler restart
messages show at the end of the playbook execution
which is a little confusing. Using debug also
requires setting changed_when to true which is a
little extra bit of code which we do not have to
carry.

Instead we use the command module which is simple,
works and less wordy.

Change-Id: I7096ca81dd6e1126926c95f3c2b7437d0c9d452f
2017-05-24 11:29:52 +01:00
Jesse Pretorius 4d6e4d857c Ensure that policy file has correct group/mode
When the policy file is copied from the templated
file to the active file, it loses its group/mode
settings. This patch ensures that they are properly
replicated during the copy.

Change-Id: I39f3c80244f9565d290f420eadeb28e8b77d2d33
2017-05-23 23:31:45 +01:00
Jesse Pretorius cadb6bda61 Perform an atomic policy file change
The policy.json file is currently read continually by the
services and is not only read on service start. We therefore
cannot template directly to the file read by the service
(if the service is already running) because the new policies
may not be valid until the service restarts. This is
particularly important during a major upgrade. We therefore
only put the policy file in place after the service restart.

This patch also tidies up the handlers and some of the install
tasks to simplify them and reduce the tasks/code a little.

Change-Id: I81de53d8ddc4b462b878b412e53a6de219b71f86
2017-04-21 15:49:01 +01:00
Cuong Nguyen 441a4918b8 Use systemd module instead of shell
Using ansible systemd module to daemon reload and service reload is the solution for the future.

Change-Id: Ie532a7892e12c9d869883d49e5d0e2fabcc05f65
2017-01-23 17:14:46 +07:00
Andy McCrae 42838c971c Remove Trusty support from os_glance role
Change-Id: If44365b0c00588a40802afe12f937b0c5ae797f8
Implements: blueprint trusty-removal
2016-12-15 13:17:08 +00:00
Logan V e718101366 Fix linting issues for ansible-lint 3.4.1
Preparing this role for the ansible-lint version bump

Change-Id: If3a68d50f07711b4dff101dda1c5c997e46e71d2
2016-11-02 11:57:22 +00:00
Jesse Pretorius 3e522f6ef9 Use dictionary for service group mappings
Change the 'glance_service_names' from a list to a dictionary mapping
of services, groups that install those services. This brings the
method into line with that used in the os_neutron role in order to
implement a more standardised method.

The init tasks have been updated to run once and loop through this
mapping rather than being included multiple times and re-run against
each host. This may potentially reduce role run times.

Currently the reload of upstart/systemd scripts may not happen if
only one script changes as the task uses a loop with only one result
register. This patch implements handlers to reload upstart/systemd
scripts to ensure that this happens when any one of the scripts
change.

The handler to reload the services now only tries to restart the
service if the host is in the group for the service according to the
service group mapping. This allows us to ensure that handler
failures are no longer ignored and that no execution time is wasted
trying to restart services which do not exist on the host.

Finally:
- Common variables shared by each service's template files have
  been updated to use the service namespaced variables.
- Unused handlers have been removed.
- Unused variables have been removed.

Change-Id: Ia74bbcac35c27928f7e96056b9449932253b75de
2016-10-12 15:42:20 +01:00
Travis Truman 696414750b Ansible 2.x - Address deprecation warning of bare variables
Ansible 2.2 will not allow "bare" variable references
in with_* loops. See https://docs.ansible.com/ansible/porting_guide_2.0.html#deprecated
for details.

Change-Id: I7475fbbfcf04ba528ea8718117b8d6afdd6f4971
2016-04-22 09:13:41 -04:00
Andy McCrae ac85a73b39 Fix glance_nfs_client setting
glance_nfs_client adds 2 fstab entries, with the handler entry being
incorrectly ordered (src and name are the wrong way around).

This patch removes the redundant handler and moves the existing fstab
task to use the "mount" module which will add the entry to fstab and
ensure the filesystems are mounted.

Additionally this fixes a documentation bug where an incorrect variable
is referenced (glance_nfs_mounts).

Change-Id: I6e0f964d4279800d31119f380a239e2c4ae61cb5
Fixes-Bug: #1477081
2015-07-23 00:28:19 +00:00
Kevin Carter fc2e3a54b6 Convert existing roles into galaxy roles
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.

Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
  simplistic approach. This change duplicates code within the roles but
  ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
  Openstack practices.
* Dynamically generated inventory is now more organized, this should assist
  anyone who may want or need to dive into the JSON blob that is created.
  In the inventory a properties field is used for items that customize containers
  within the inventory.
* The environment map has been modified to support additional host groups to
  enable the separation of infrastructure pieces. While the old infra_hosts group
  will still work this change allows for groups to be divided up into separate
  chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
  variables extracted into the separate file
  etc/openstack_deploy/user_secrets.yml in order to allow separate
  security settings on that file.

Items Excised:
* All of the roles have had the LXC logic removed from within them which
  should allow roles to be consumed outside of the `os-ansible-deployment`
  reference architecture.

Note:
* the directory rpc_deployment still exists and is presently pointed at plays
  containing a deprecation warning instructing the user to move to the standard
  playbooks directory.
* While all of the rackspace specific components and variables have been removed
  and or were refactored the repository still relies on an upstream mirror of
  Openstack built python files and container images. This upstream mirror is hosted
  at rackspace at "http://rpc-repo.rackspace.com" though this is
  not locked to and or tied to rackspace specific installations. This repository
  contains all of the needed code to create and/or clone your own mirror.

DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
2015-02-18 10:56:25 +00:00