Commit Graph

49 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov c15dc767fd Add quorum queues support for service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure an upgrade path and the ability to switch back to HA queues,
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.

Change-Id: I9b9de6cdfac8ba3a89b874cd920df8d5b01e81f2
2023-10-25 09:45:55 +00:00
Dmitriy Rabotyagov 4382257d3f Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I9aaf6680c274453a16b6f9879cf488ae2050e71f
2023-07-14 20:07:26 +02:00
Damian Dabrowski 168e116a36 Add TLS support to tacker backends
By overriding the variable `tacker_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the tacker backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ib5dd3a2494bed81add670e331085294910d7f425
2023-04-29 18:44:02 +02:00
Dmitriy Rabotyagov 3aa5aefb1b Ensure service is restarted on unit file changes
At the moment we don't restart services if systemd unit file is changed.

We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.

Change-Id: I4ebae4853fc0bc2840d3ea79546f10a12051bea9
2023-04-11 12:50:24 +02:00
Dmitriy Rabotyagov a2800f0d28 Add deployment of tacker-scheduler
There's a long-standing bug from 2017 that tacker requires scheduler
service to run. However, there seemed to be no real interest in tacker among OSA
users. Nevertheless, it's better late than never to fix it.

Change-Id: I70264ef5ffd6ebb851e4d3c4c86c28ea222f7139
Closes-Bug: #1710874
2022-10-19 12:52:03 +02:00
Dmitriy Rabotyagov 0e27d6a3a1 Support service tokens
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I9fa323e544849f7c24ccd7b860160bb5756ada28
2022-06-15 17:42:11 +00:00
Damian Dabrowski 68bdc789cb Database connection pooling improvements
- Implemented new variable ``connection_recycle_time`` responsible for SQLAlchemy's connection recycling
- Set new default values for db pooling variables which are inherited from the global ones.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819424
Change-Id: I36f5315ad27904c817f4349151fca4181180e811
2021-12-03 11:41:49 +01:00
Dmitriy Rabotyagov a0cb1f7b7c Refactor galera_use_ssl behaviour
With PKI role in place in most cases you don't need to explicitly
provide path to the CA file because PKI role ensures that CA is trusted
by the system overall. In the meanwhile in PyMySQL [1] you must either
provide CA file or cert/key or enable verify.

Since current behaviour is to provide path to the custom CA we expect
certificate being trusted overall. Thus we enable cert verification when
galera_use_ssl is True.

[1] 78f0cf99e5/pymysql/connections.py (L267)

Change-Id: I42d544d80d8fef5be9a68e6ef7090f85d0daa88c
2021-09-21 17:23:03 +03:00
Jonathan Rosser e52a036f2c Add variables for rabbitmq ssl configuration
Change-Id: Ief236b1d9599e40ff47de5016c31ca12a2b3eb34
2021-05-17 12:11:04 +00:00
Jonathan Rosser 6c7e6847b7 Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I964783d5d992feff42021e5a3017d89326ea2e70
2021-03-16 08:22:12 +00:00
Jonathan Rosser 7482efafa2 Switch default virtualenv to python3
Change-Id: Ia418086218c12db73a33e1afbe0abb3ad1acae82
2021-03-10 09:05:22 +00:00
Jonathan Rosser eb449a9cff Move tacker pip packages from constraints to requirements
This is necessary to use the new pip resolver

Change-Id: I02342575151053c8bdd1a5b22514a82fef0613a2
2021-01-25 10:32:57 +00:00
Dmitriy Rabotyagov 74db1fd747 Use global service variables
Instead of overriding each service separately it might make
sense for deployers to define some higher level variable that
will be used first or fallback to default variable.

Change-Id: I1dd906a82e3963d2b4f0497570195885abab0530
2021-01-08 18:58:13 +02:00
Dmitriy Rabotyagov 2e04617116 Use the utility host for db setup tasks
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.

Change-Id: I065c079fb95f299f90b51e22e8aad42fc5dbb618
2020-08-20 19:41:57 +03:00
Dmitriy Rabotyagov 777be60987 Cleanup after repo_build and pip_install retirement
Change-Id: I7c4cd5227a76772ef391afa796c53bf5efd58326
2020-05-12 23:09:23 +03:00
Dmitriy Rabotyagov 292df1e012 Replace git.openstack.org with opendev.org
This patch replaces git.openstack.org with opendev.org as redirection
from old path was enabled.
Also we change upper constraints url due to [1]

[1] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006478.html

Change-Id: Id6fc2021367bda6650b419e7855c99b4e795720d
2019-11-14 18:57:00 +02:00
Andrew Gibb 3ce5a120ec Add global override for service bind address
Change-Id: Ic1c2d8a13137fb35aa409154c44e9cded3ff2be4
2019-09-19 13:43:57 +01:00
Jonathan Rosser 98e74e0f0d Allow venv python interpreter to be overridden
Change-Id: Ia73fc0cce59810cdb9e5479213a582c2e8674de2
2019-09-11 21:29:26 +01:00
Dmitriy Rabotyagov 47e2784138 Use systemd-journald instead of log files
This patch aims to migrate service from usage of regular syslog files
to journald. We also disable uwsgi logging, since it duplicates
requests that are logged by service itself.

Change-Id: Id68c80b52fe72bd209e96dba230b4f2cb12f900d
2019-07-18 09:02:45 +03:00
Dmitriy Rabotjagov 2a199a9621 Update role for new source build process
The variables tacker_developer_mode and tacker_venv_download
no longer carry any meaning. This review changes tacker to
do the equivalent of what developer_mode was all the time,
meaning that it always builds the venv and never requires
the repo server, but it will use a repo server when available.

As part of this, we move the source build out of its own file
because it's now a single task to include the venv build role.
This is just to make it easier to follow the code.

We also change include_tasks to import_tasks and include_role
to import_role so that the tags in the python_venv_build role
will work.

In addition, tacker init was replaced by the standard systemd_service
role. Due to this, a new variable tacker_init_config_overrides was added.
The program_override variable has no influence now.

In config notification_driver was deprecated in favor of driver from
oslo_messaging_notifications

Change-Id: Id5629cb631b23887383fa23f472052477edbc4eb
2019-03-28 17:33:58 +00:00
Jesse Pretorius f47ce32ee6 Enable overriding the service setup host python interpreter
In order to enable the service setup host python interpreter to
be changed easily, we make it a variable. This will be useful
when someone sets the service setup host to be the utility
container, because we'll be able to set this var by default.

Change-Id: Ia3b8ac0cc8ca895c39b20eac30763ad4873f78b1
2018-11-30 16:44:17 +00:00
Zuul 7fde8d74cb Merge "Update messaging notification configuration" 2018-11-10 10:28:20 +00:00
Panagiotis Karalis dc536599f8 Tacker uses OpenStack Barbican for secret keys
Use the OpenStack Barbican component instead of OpenStack Keystone
as secret key handler.
The reason behind is the way that Tacker handles the secret keys of
complex scenarios (specially the scenarios with HA) and how they are
stored or retrieved between different VMs or Blades.

Change-Id: I63d40c5239d2585e8bb7ac3b9338252c9e28c4c6
Signed-off-by: Panagiotis Karalis <pkaralis@intracom-telecom.com>
2018-10-05 10:37:51 +03:00
caoyuan 8ddb25da3f Clean up the remaining stuff for dashboard
The tacker horizon has been done in openstack-ansible-os_horizon[0],
the temporary tacker horizon dashboard setup should be removed.

[0]: https://review.openstack.org/#/c/603832/

Change-Id: Iccbb526773694b486534ffe16927237cb7c76371
Closes-Bug: #1796015
2018-10-04 14:36:25 +08:00
ZhijunWei 56dc20030b Update messaging notification configuration
This patch adds the conditional inclusion of the notification
section of the service configuration. This ensures that oslo.messaging
notifications use the correct transport for deployments that have
separate rpc and notify messaging backends. For example, if the
transport_url is not provided in the notification section of the
service configuration, the transport_url specified in the default
section will be used instead.

This patch conditionally selects the notifier driver. The noop
driver will be selected when notification publishing is disabled.
The messagingv2 driver is selected when notification publishing is
enabled.

Change-Id: I60e92e14c0893b80f4023b6b6681864fee5228e5
Closes-Bug: #1794320
2018-09-27 02:17:29 +00:00
ZhijunWei 88a678bbad Remove the unnecessary verbose defined
Change-Id: Ie188de9270e6666f2ca1e5c755f6db757375abb8
Closes-Bug: #1794320
2018-09-19 10:11:01 -04:00
Jesse Pretorius 4f1fe6ead3 Remove mysql-python
The mysql-python package is no longer maintained. We are using
pymysql instead, so this package does not need to be installed.

The tacker.conf file wasn't set to use pymysql, so we correct
that.

Change-Id: I7346071d52f2b12802af42236af69b362f2f9d9d
2018-09-15 13:04:02 -06:00
Jesse Pretorius 142dadbf29 Use a common python build/install role
In order to radically simplify how we prepare the service
venvs, we use a common role to do the wheel builds and the
venv preparation. This makes the process far simpler to
understand, because the role does its own building and
installing. It also reduces the code maintenance burden,
because instead of duplicating the build processes in the
repo_build role and the service role - we only have it all
done in a single place.

We also change the role venv tag var to use the integrated
build's common venv tag so that we can remove the role's
venv tag in group_vars in the integrated build. This reduces
memory consumption and also reduces the duplication.

This is by no means the final stop in the simplification
process, but it is a step forward. There will be work to follow
which:

1. Replaces 'developer mode' with an equivalent mechanism
   that uses the common role and is simpler to understand.
   We will also simplify the provisioning of pip install
   arguments when doing this.

Depends-On: https://review.openstack.org/598957
Change-Id: I8b213b0590891b7862aa304f01504295371ea167
Implements: blueprint python-build-install-simplification
Signed-off-by: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
2018-09-03 17:46:02 +01:00
Jesse Pretorius 59e61f1390 Move MQ vhost/user creation into role
There is no record for why we implement the MQ vhost/user creation
outside of the role in the playbook, when we could do it inside the
role.

Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.

In this patch we implement two new variables:
- tacker_oslomsg_rpc_setup_host
- tacker_oslomsg_notify_setup_host

These are used in the role to allow delegation of the MQ vhost/user
setup for each type to any host, but they default to using the first
member of the applicable oslomsg host group.

We also adjust some of the defaults to automatically inherit existing
vars set in group_vars from the integrated build so that we do not
need to do the wiring in the integrated build's group vars. We still
default them in the role too for independent role usage.

Finally, we remove the test mq setup tasks and clean up any unused
or unnecessary variables configured in tests.

Change-Id: I481b2358bf3b93fba3057b825fc9e0f626d616ba
2018-07-27 11:21:35 +00:00
Andy Smith 96e911f446 Update to use oslo.messaging service for RPC and Notify
This introduces oslo.messaging variables that define the RPC and
Notify transports for the OpenStack services. These parameters replace
the rabbitmq values and are used to generate the messaging
transport_url for the service.

This patch:
* Add oslo.messaging variables for RPC and Notify to defaults
* Add transport_url generation to conf
* Add oslo.messaging to tests inventory and update tests
* Install extra packages for optional drivers

Change-Id: I88fa6bd04ebad08211570d46ed464409b5896123
2018-07-26 09:08:53 +00:00
Jesse Pretorius e911fcf505 Execute service setup against a delegated host using Ansible built-in modules
In order to reduce the packages required to pip install on to the hosts,
we allow the service setup to be delegated to a specific host, defaulting
to the deploy host. We also switch as many tasks as possible to using the
built-in Ansible modules which make use of the shade library.

The 'virtualenv' package is now installed appropriately by the openstack_hosts
role, so there's no need to install it any more. The 'httplib2' package is a
legacy Ansible requirement for the get_url/get_uri module which is no longer
needed. The keystone client library is not required any more now that we're
using the upstream modules. As there are no required packages left, the task
to install them is also removed.

Change-Id: Ia6c57495b8d6090a0b98f17554288a310388c3e2
2018-07-14 14:25:03 +00:00
Jesse Pretorius c1d339219e Move database creation into role
There is no record for why we implement the database creation outside
of the role in the playbook, when we could do it inside the role.

Implementing it inside the role allows us to reduce the quantity of
group_vars duplicated from the role, and allows us to better document
the required variables in the role. The delegation can still be done
as it is done in the playbook too.

In this patch we implement a new variable called 'tacker_db_setup_host'
which is used in the role to allow delegation of the database setup
task to any host, but defaults to the first member of the galera_all
host group. We also document the variable 'tacker_galera_address' which
has been used for a long time, but never documented. A bunch of unused
variables have also been removed.

The extras folder is removed given that tacker's playbooks have been
merged into the integrated repository.

Change-Id: I7c300ca89657863d58f8dc1178f6c57400bcaa80
2018-06-28 16:56:47 +01:00
Kevin Carter 3a12e99512 Add packages required for osprofiler
The following packages are required in order to run osprofiler.
These packages will provide deployers the ability to profile
a service on demand should they choose to enable the profile
functionality.

Change-Id: Ib3ef07c8a9019245fa276c142246db2bb0249c41
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
2018-06-11 22:59:13 -05:00
Jesse Pretorius 50515b6995 Update installation mechanism
The following adjustments are made in order to modernise and
bring the role into line with the other mainline roles:

1. Simplify the constraints mechanism.

2. Add the developer mode constraints functionality.

3. Clean up developer mode logic to allow pip installs
   into an existing venv if the deployer chooses to do so.

4. Normalise the distro package install task to make it
   use the same name, to add retries and ensure that the
   cache updates appropriately.

5. Clean up some commented vars and tasks which were not
   used.

6. Simplify the use of checksums for the venv downloads
   to use modern Ansible functionality.

7. Add additional python venv prep for SuSE/CentOS.

8. Add the recording of the current venv tag deployed.

Change-Id: I9daa4352aa818db03f682eb0d1a65eefff9bb6f6
2018-02-15 15:16:59 +00:00
Manuel Buil 9fed11c01e Modify the etc directory in default/main
Following the example of other roles, we will use /etc/tacker as the conf.
directory instead of using the etc/ directory in the venv. Otherwise, the
permission handling gets a bit messy because the venv gets deleted and
recreated, so the creation of tacker directories should happen after that,
which will change the role structure a bit

Change-Id: Ie052dd7680218e31ed5a6e405db4167ee37471a8
2018-01-30 14:08:23 +00:00
Zuul 18779ed05f Merge "Replace virtualenv-tools by a script" 2018-01-16 12:58:50 +00:00
Jean-Philippe Evrard bf7e349e5d Replace virtualenv-tools by a script
virtualenv-tools has a bug which gets triggered in gates: it can't
change the shebang of a virtualenv python bin/ files if they
were generated with a virtualenv script whose shebang ends with
python2 instead of python.

Because we can't modify virtualenv-tools, we use shell scripts
instead.

Change-Id: I06b22225177c8c57995601d1ab39245965f66150
Partial-Bug: #1741634
2018-01-15 14:17:30 +00:00
Jimmy McCrory edc9c555b3 Add MySQL connection SSL support
When 'tacker_galera_use_ssl' is True, use an encrypted connection to
the database using either a self-signed or user-provided CA certificate.

A new non-voting test has been added to verify that the role remains
functional when enabling SSL features.

Change-Id: I9165a04de869197ac05e60be799f59a263e98a7b
Partial-Bug: 1667789
2017-12-14 11:42:20 -08:00
Andy McCrae f1e8533a91 Revert "Update roles & vars for stable/pike"
This was meant for stable/pike branch and has now been properly PR'd
against stable/pike:

https://review.openstack.org/#/c/499955/

This reverts commit cff34226fe.

Change-Id: Ia8e04bfa674ef3beb4910666b59568d6cd1b83e3
2017-09-01 11:17:31 +01:00
Andy McCrae cff34226fe Update roles & vars for stable/pike
Change-Id: I1483889e01b994a77e6d101cdf0f435fae457ae9
2017-08-30 15:58:21 +01:00
Jenkins 58855a0e63 Merge "Bug fix: Changed the tacker server tcp port" 2017-08-22 15:14:55 +00:00
Manuel Buil 410c01c6fb Bug fix: networking-sfc package missing in venv
If we want to use the tacker vnfo plugin to configure SFC, the networking-sfc
package must be installed in the venv. Otherwise, the neutron client is
missing required methods such as 'create_flow_classifier'

Change-Id: I4d1504deffbaec4e81091593acf0ac3dd5b43510
Signed-off-by: Manuel Buil <mbuil@suse.com>
2017-08-21 12:07:50 +02:00
Manuel Buil 61db3ab8ad Bug fix: Changed the tacker server tcp port
The official tacker port is 9890 and not 8888

Change-Id: I10a6a4ce176ffb351a4a8f1fd1e944396e84cefa
Signed-off-by: Manuel Buil <mbuil@suse.com>
2017-08-21 12:01:57 +02:00
Manuel Buil b873fcd409 Fill the tests directory
The tests directory is needed to pass the gates

Change-Id: I647d7487177a046120e5f7f43adf48e2aa821f8a
Signed-off-by: Manuel Buil <mbuil@suse.com>
2017-08-09 10:30:28 +02:00
Manuel Buil c1f38edcea ansible-linters fixes
https://review.openstack.org/#/c/485259/ is throwing linters problems related
to this role. I think all of them are fixed with this patch

Change-Id: If3924bb1b7823a9c70edf68d0127b9415885a2d9
2017-07-21 10:39:13 +02:00
root d7002e46e5 minor updates 2016-10-03 09:19:22 +00:00
root 4da3eabbf5 add python-tackerclient to utility container 2016-09-22 05:58:13 +00:00
root 75f0e428f6 add python-heatclient to tacker_pip_packages 2016-09-21 21:28:28 +00:00
root bb87b62ea4 first commit 2016-09-20 19:19:12 +00:00