Commit Graph

21 Commits

Author SHA1 Message Date
Damian Dabrowski 96a262b26b Add TLS support to swift backends
By overriding the variable `swift_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the swift backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Idb7882775a90ada9bb9e1450168916c73bf8ae4b
2023-04-29 18:43:51 +02:00
Dmitriy Rabotyagov 78e75642e7 Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.

We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now  we ensure that role handlers will also listen for systemd
unit changes.

Change-Id: I78c9888f7f2b97bd901d9fcce636bc22b6411eb9
2023-04-11 12:47:24 +02:00
Dmitriy Rabotyagov d0fac1b559 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald.
By this we mean dropping rsyslog client installation. log_address is set
by default to /dev/log, which is served by journald.

Change-Id: I6dd0d77004394bb1ad674b53538b0679b056bb0f
2019-07-19 15:10:49 +03:00
Jesse Pretorius 7126647d7d Use a common python build/install role
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.

We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.

This is by no means the final stop in the simplification
process, but it is a step forward. The will be work to follow
which:

1. Replaces 'developer mode' with an equivalent mechanism
   that uses the common role and is simpler to understand.
   We will also simplify the provisioning of pip install
   arguments when doing this.
2. Simplifies the installation of optional pip packages.
   Right now it's more complicated than it needs to be due
   to us needing to keep the py_pkgs plugin working in the
   integrated build.
3. Deduplicates the distro package installs. Right now the
   role installs the distro packages twice - just before
   building the venv, and during the python_venv_build role
   execution.

Depends-On: https://review.openstack.org/598957
Change-Id: Iecb64d28afe3acfbae7060af55c1a891310e5ef4
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
2018-09-03 11:07:02 +00:00
Kevin Carter 8f1cb4dde5 Convert role to use a common systemd service role
This removes the systemd service templates and tasks from this role and
leverages a common systemd service role instead. This change removes a
lot of code duplication across all roles all without sacrificing features
or functionality. The intention of this change is to ensure uniformity and
reduce the maintenance burden on the community when sweeping changes are
needed. The exterior role is built to be OSA compatible and may be pulled
into tree should we deem it necessary.

Change-Id: Icb7ca523cb19c560de5c84b0d60a06305029192c
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-04-22 14:00:27 +00:00
Major Hayden e115fe9d6a Remove systemd conditionals
Change-Id: I9a81e660d57525be08d9cce44c00fa22c0a53226
2018-02-16 19:32:57 +00:00
Major Hayden 97f29d75c0
Remove sleep option from service handlers
The systemd module doesn't support the sleep option and this patch
removes it from the handlers.

Closes-Bug: 1735786
Change-Id: Ida1d83903dc4d3cd85029735a0882bf342d21dca
2017-12-01 10:27:43 -06:00
Andy McCrae d860153400 Use a list instead of a dict for filtered_services
Swift should mirror other roles and use a list instead of a dictionary
for it's filtered_services.

This patch makes that change.

Change-Id: Ie6bf282a36ed63d73996447a88c3c5f6056465a7
2017-07-31 17:24:34 +01:00
Jesse Pretorius 01c3728efc Optimise the execution of the role
This patch implements the use of dynamic includes,
the filtered service list and the elimination of
redundant tasks in order to optimise the role
execution.

Change-Id: Ia957bd80ec6a97a29b4b3a1c28bf37dfc9226ab1
2017-07-07 17:52:12 +01:00
Andy McCrae 06471b9977 Remove pattern reference in service restart
As part of the Trusty removal, the "pattern:" option for service
restarts can be removed. This prevents the following warning message
from appearing in the Ansible runs:

[WARNING]: Ignoring "pattern" as it is not used in "systemd"

Change-Id: I38e04f48360ef558fa7d99e90fb0e73a9cb887be
2016-12-12 11:01:03 +00:00
Andy McCrae 26bd8127b6 Remove Trusty support from os_swift role
As a part of removing Trusty from OpenStack-Ansible we shall aim to
remove this from all the roles.

Testing has already been removed for Trusty in the integrated build and
all individual repositories on master (Ocata), as such we can now go
ahead and remove the support within the roles.

Change-Id: I89ba35fd15703aba2a05d11d4550690704bdf272
Implements: blueprint trusty-removal
2016-12-08 11:50:58 +00:00
Andy McCrae 42acde5ee9 Add CentOS7 support for Swift
This PR Adds CentOS 7 support for Swift.
The following was required to get CentOS 7 to work:
* Add yum install path + packages
* Variablize rsync service name
* Gather network interface facts prior to setting storage/repl IPs
* Ensure /etc/defaults/rsync is only set for apt installations.
* Ensure the rsyslog service is started and enabled.

Change-Id: Ibaf8bc8d54b55820e8b527b52940c61c05c732d8
2016-11-14 17:03:02 +00:00
Logan V 7de60df8c3 Fix linting issues for ansible-lint 3.4.1
Preparing this role for the ansible-lint version bump

Change-Id: Ib78b5fd36dcd23d18fc13382359f5099405856d0
2016-11-02 13:03:19 +00:00
Andy McCrae 033aa502e5 Fix swift init scripts w/o dedicated replication
When not using dedicated replication systemd still puts init scripts
down, which take a long time to restart/start. upstart scripts get
around this by setting blank scripts.

Now that we are using a service dict we can do better by defining an
"service_en" flag and not setting up scripts when the service isn't
enabled.

Additionally, the systemd tempfiles and init files were not using the
appropriate "program_binary" variable at all, this has been fixed.

Change-Id: Iae569bfe38a440fb09e56658b3a934799a8821e8
2016-10-14 18:19:51 +01:00
Andy McCrae bf1ab1750a Use dictionary for service mappings
Change the 'swift_x_program_names' from a list to a dictionary
mapping of services, groups that install those services. This
brings the method into line with that used in the os_neutron role
in order to implement a more standardised method.

The init tasks have been updated to run once and loop through this
mapping rather than being included multiple times and re-run against
each host. This may potentially reduce role run times.

Currently the reload of upstart/systemd scripts may not happen if
only one script changes as the task uses a loop with only one result
register. This patch implements handlers to reload upstart/systemd
scripts to ensure that this happens when any one of the scripts
change.

The handler to reload the services now only tries to restart the
service if the host is in the group for the service according to the
service group mapping. This allows us to ensure that handler
failures are no longer ignored and that no execution time is wasted
trying to restart services which do not exist on the host.

Finally:
- Common variables shared by each service's template files have
  been updated to use the service namespaced variables.
- Unused handlers have been removed.
- Unused variables have been removed.

Change-Id: Id35de501acf6b3164221085f8f9e142234ea0d73
2016-10-13 13:30:58 +01:00
Travis Truman 5140edef3e Address Ansible bare variable usage
When executing the role with Ansible 2.1, the following
deprecation warning is issued in the output for some tasks.

[DEPRECATION WARNING]: Using bare variables is deprecated.

This patch addresses the tasks to fix the behaviour appropriately.

Also removed a single usage of with_items that contained one item
in favor of a simple non-looping task.

Change-Id: Ief1a53bb0804dfdbd742bfe919438d80428287da
2016-07-12 09:55:27 +01:00
git-harry 8a9605ba57 Fix rsync service restart in os_swift
The rsync service is currently restarted using two handlers, one to stop
the service and a second to start it. There is not a sufficient delay
between the two task and so the rsync pid has not been removed before
the attempt is made to start the service.

This commit replaces the two handlers with a single one that will do the
restart in one go.

Change-Id: I8ed4630da1add7205552b6ec731a143dbe45112b
Closes-bug: 1538649
2016-01-27 16:51:14 +00:00
Hugh Saunders 2f56558c6d Remove double register in swift handlers
Change-Id: Ifa224ae4b913c1765c9fd57216ea8cf2f34bde82
2015-09-04 11:30:21 +01:00
Steve Lewis e230b449b5 Ensure rsync restarts fully during swift setup
Existing rsync stop/start handlers were relying on the pattern
parameter to the Ansible service module which relies on the results
of ps to determine if the service is running. This is unnecessary
because the rsync service script is well-behaved and responds
appropriately to start stop and restart commands. Removal of the
pattern param ensures that the response from the service command is
used instead.

Root cause of the bug is that when Keystone was changed to share
fernet secrets via rsync over ssh tunnel, an rsync process was
introduced in AIOs, Swift stand-alones, and other deployment
configurations that contain Keystone containers on the storage hosts.

The resulting rsync processes within Keystone containers pollute the
results of ps commands on the host, fooling Ansible into thinking
that an rsync service is running on the standard port when it is not.

Secondly, the handler responsible for stopping rsync was not causing
the notice for "Ensure rsync service running" to trigger cleanly in
my testing, so the tasks were changed to trigger both notices in an
ordered list.

Change-Id: I5ed47f7c1974d6b22eeb2ff5816ee6fa30ee9309
Closes-Bug: 1481121
2015-09-03 05:45:50 +00:00
Andy McCrae c306a1308c Handler should only restart relevent swift services
* Adjust the handler to include a "restart" handler for each of account,
container, object and proxy service groups.
* Add a variable in defaults listing program names for each swift
service group.
* Remove the over-arching "all swift program_names" variable.
* Change the storage and proxy host tasks to call the appropriate
* handler.

Change-Id: I25adfa152fc7a3da83ca7c12d57977eec8b51d7b
Closes-Bug: #1427601
2015-03-04 09:53:08 +00:00
Kevin Carter 64b7659015 Convert existing roles into galaxy roles
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.

Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in-favor of a more
  simplistic approach. This change duplicates code within the roles but
  ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted follow upstream
  Openstack practices.
* Dynamically generated inventory is now more organized, this should assist
  anyone who may want or need to dive into the JSON blob that is created.
  In the inventory a properties field is used for items that customize containers
  within the inventory.
* The environment map has been modified to support additional host groups to
  enable the seperation of infrastructure pieces. While the old infra_hosts group
  will still work this change allows for groups to be divided up into seperate
  chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
  variables extracted into the separate file
  etc/openstack_deploy/user_secrets.yml in order to allow seperate
  security settings on that file.

Items Excised:
* All of the roles have had the LXC logic removed from within them which
  should allow roles to be consumed outside of the `os-ansible-deployment`
  reference architecture.

Note:
* the directory rpc_deployment still exists and is presently pointed at plays
  containing a deprecation warning instructing the user to move to the standard
  playbooks directory.
* While all of the rackspace specific components and variables have been removed
  and or were refactored the repository still relies on an upstream mirror of
  Openstack built python files and container images. This upstream mirror is hosted
  at rackspace at "http://rpc-repo.rackspace.com" though this is
  not locked to and or tied to rackspace specific installations. This repository
  contains all of the needed code to create and/or clone your own mirror.

DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
2015-02-18 10:56:25 +00:00