Commit Graph

22 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov eb9a0c6cea Drop Nginx webserver support
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With its
removal we simplify code and reduce maintaining efforts needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
2021-11-22 10:36:35 +00:00
Jonathan Rosser 0f2b8e16c9 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible
OS specific variables files are generalised where possible

Change-Id: I1624730385a7b54cf36a94d313cc298430129736
2021-03-10 12:16:38 +00:00
Jonathan Rosser 489c169874 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I8721b4fa97b41fb0c92f9eb99b61d31634e9aac6
2021-02-23 18:06:10 +00:00
Dmitriy Rabotyagov e377209297 Use absolute path for uwsgi_params include
Nginx config verification that is performed by ansible [1] is made
in tmp "on fly" which fails because of the relative import.

We also move task that replaces ports for nginx.conf to the end
so that config validation was accomplished after all configurations
are applied.

[1] https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/tasks/keystone_nginx.yml#L44

Change-Id: Ic52fc7dbdb0324ab8f4b71d25398f23a05df05d7
2021-02-16 11:55:57 +02:00
Dmitriy Rabotyagov dacf3e8666 Fix keystone nginx behaviour
When keystone and horizon are both deployed on metal, it's important that
after keystone run horizon won't get stopped.

Also this patch replaces the default listen on 80, in case it's set
in /etc/nginx/nginx.conf rather than as an include file (like in CentOS8) with
port 8008 which is not used by any OpenStack services [1] and is stated
as alternate http port [2]

[1] https://docs.openstack.org/install-guide/firewalls-default-ports.html
[2] https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=http-alt

Change-Id: I064c2a432b1b8de26d93dc26932874a106e2cf58
2020-10-06 07:06:48 +00:00
Guilherme Steinmüller 46f3456cf1 Remove nginx default conf
This patch makes sure Default.conf from nginx
is removed as it causes socket conflict when
we deploy it on metal. Also, we remove the
task created by Kevin for Q -> S deployments
as it is not required to S -> T upgrades.

Change-Id: Ic2e3bc66161217b2884001018a706dbe2187c498
2019-07-22 13:18:57 +00:00
Matthew Thode f4bf2620fb add gentoo support to keystone
need to drop our own nginx.conf, should probably be abstracted somewhere
other than keystone.

Change-Id: If2e8825d6d7a9a76853fd09fcba9148762d73c10
2019-02-26 09:04:07 -06:00
Kevin Carter 7fc3f62c73 Add tasks to remove legacy files
The change removes legacy files which conflict with new services being
deployed during a rolling upgrade. This change adds two tasks to remove
any legacy files should they be found and removes old cleanup handlers
that are no longer in service.

Change-Id: Ie593a80e0e6708c50f7809171fa47c7043a2e136
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2019-01-04 14:53:13 -06:00
Jesse Pretorius bbd70d5f9b Use a nginx conf.d file for the custom logging
To cater for the situation where there are no containers, or
nginx is shared in some way, it's better to add custom directives
for nginx.conf into a conf.d file. That way it's never overwritten.

To resolve the situation where repo_server overwrites the config
laid down by os_keystone, we implement the custom log in this way.

The task which verifies that the right config directories exist
is modified to ensure that both the sites and the conf.d directories
exist before this configuration is laid down. For CentOS/OpenSUSE
they are the same directory, but for Ubuntu they are different.

This patch also ensures that the previous implementation is removed,
otherwise an upgrade fails. This patch should be back portable to
ensure that zero-container deploys for Queens work properly.

Change-Id: I2ab0f591c1cdeae43a002d9c8cf9bbfdd69597f1
2018-04-20 15:09:56 +01:00
Kevin Carter fbf7ab1c4a Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.

In converting this role to use the common systemd_service role a
keystone_service dictionary was created in the defaults main.yml file.
This change follows the pattern of other services.

Change-Id: I65902f2483ef2f18ac2d229c5ebd9d090b6ae040
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-27 09:13:24 -05:00
Jesse Pretorius (odyssey4me) 30612195ab Revert "Convert role to use a common systemd init role"
Until all the roles are ready and have this new role in the
ansible-role-requirements, we should not be merging this. We
should also ensure that the integrated a-r-r includes this
role before merging this.

This reverts commit b42eef0dc4.

Change-Id: I8a944db87948ff783028240d3548016a52ab5af4
2018-03-13 11:54:18 +00:00
Kevin Carter b42eef0dc4 Convert role to use a common systemd init role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed.

In converting this role to use the common systemd_service role a
keystone_service dictionary was created in the defaults main.yml file.
This change follows the pattern of other services.

Change-Id: I70e1f6007d9f88f05ccdc737b210415274580a46
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-03-12 01:45:07 +00:00
Logan V 5e23c765b3 Add external LB management handler hook interface
Based on conversation on an ansible issue[1], I implemented
a LB orchestration role[2] similar to the POC here[3].

This will allow external loadbalancer management roles to hook
into a universal notify listener "Manage LB" to perform before/
after endpoint management actions when the service is being
restarted.

[1]: https://github.com/ansible/ansible/issues/27813
[2]: https://github.com/Logan2211/ansible-haproxy-endpoints
[3]: https://github.com/Logan2211/tmp-ansible-27813

Change-Id: Ide9efbc79e4fd2c761a3ee4f463f501181da1df2
2017-09-16 13:41:28 -05:00
Markos Chandras 8c1ebb02a9 Add support for the openSUSE Leap distributions
Add support for the openSUSE Leap distributions. Additionally,
for openSUSE, we need to load some extra apache2 modules which are
not there by default.

Change-Id: Iac555cefa0a7a6ecf344761d54644fd3fa2443f9
2017-07-04 16:30:04 +01:00
Jesse Pretorius aad8144bfb Implement serialisable rolling upgrade
The current rolling upgrade implementation
relies on the role to orchestrate the rolling
upgrade. When the role is executed using
playbook serialisation, the db sync contract
is executed before all hosts are upgraded,
potentially resulting in data corruption.

This patch returns the role to the simpler,
best practice model of expecting that the role
is applied to a single host and that the
playbook handles orchestration. This method
can be used with any form of serialisation.

Depends-On: Ie90cdcbf9e73082a2074c8832b7490d188e178af
Change-Id: I5650f16b9a115bd392012b743788057a94d09226
2017-06-19 19:32:45 +00:00
Jesse Pretorius 94293c86c2 Perform an atomic policy file change
The policy.json file is currently read continually by the
services and is not only read on service start. We therefore
cannot template directly to the file read by the service
(if the service is already running) because the new policies
may not be valid until the service restarts. This is
particularly important during a major upgrade. We therefore
only put the policy file in place after the service restart.

This patch also tidies up the handlers and some of the install
tasks to simplify them and reduce the tasks/code a little.

Change-Id: Ie913e5eb75f3601107b53bab7bda4a02ab1c1024
2017-04-04 10:49:52 +01:00
Andy McCrae 6a6e377853 Remove Trusty support from os_keystone role
Change-Id: I5ad6944b5e43aa46582acf313ac8793ab4d226f7
Implements: blueprint trusty-removal
2016-12-15 13:18:55 +00:00
Jimmy McCrory 04737f5dbd Implement zero downtime upgrades
This patch implements upgrading keystone with zero downtime as the
default installation process. Handlers have been modified to ensure that
the first keystone node is stopped, facilitates the database migrations,
and that it is started and available before restarting any other keystone
nodes. Migrations also now only occur when there is a change within the
installed keystone venv.

This process is documented at
http://docs.openstack.org/developer/keystone/upgrading.html#upgrading-without-downtime

A new test scenario has been added for testing basic upgradability
between releases.

Implements: blueprint upgrade-testing
Change-Id: I0d3cfcb80b64d005d60f4c8445f991855f844796
2016-11-17 08:10:57 -08:00
Marc Gariepy 94114142d6 Fix depreciation "Using bare variables"
add full variable syntax

Change-Id: Ic945ffb3c321a93db14776d5b1892d790c146ca4
2016-09-12 11:51:14 -04:00
Andy McCrae 15733bbd2f Fix nginx to work with RedHat/CentOS
The CentOS version of nginx uses a conf.d style directory for virtual
hosts instead of a sites-available/sites-enabled approach.

We can add a var to select where the configuration file is placed, and
only perform the link on Debian based systems.

Change-Id: I00b8af093e17a4450b642a1534b8ec647c9d2513
2016-09-01 10:30:22 +01:00
Steve Lewis db7248bdc1 Isolate mod_wsgi from Apache install
This allows deploys to elect to have Keystone run off of Apache
without implying the use of mod_wsgi, such as with uwsgi. A
following patch will introduce the Apache configuration needed to
link Apache to uwsgi so that existing Federation support can be
used.

Release notes summarizing all changes for this blueprint will follow
in the final patch in the series.

Change-Id: Idf9e48b0c93174648982cf27cf922d3801565c74
Related: blueprint keystone-uwsgi
2016-08-31 17:09:19 +00:00
Steve Lewis 4edb378b1e Install and configure Nginx
Apply configuration to add request time to the access log.
Creates virtual hosts for each Keystone service.
Enables SSL termination within Nginx.

The Uwsgi sockets are updated to match the Keystone developer docs
to improve consistency of experience for operators.

No Shibboleth integration is included.
Not introducing any additional Nginx restarts based on changes in
Federation configuration yet for this reason.

Change-Id: Iec42810be7ff6d05fa38deb23996e66e0c34da8e
Related: blueprint keystone-uwsgi
2016-08-29 17:03:07 -07:00