Fixes playbook runtime issues with ldap
When using an LDAP backend the playbooks fail when "ensuring.*"
which is a keystone client action. The reason for the failure is
related to how ldap backend, and is triggered when the service
users are within the ldap and not SQL. To resolve the issue a boolean
conditional was created on the various OS_.* roles to skip specific
tasks when the service users have already been added into LDAP.
Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
Closes-Bug: #1518351
Closes-Bug: #1519174
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
(cherry picked from commit 2559ed4f13
)
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent
2f4df4cdf4
commit
b73c95d80a
|
@ -83,6 +83,10 @@ dhcp_domain: openstacklocal
|
|||
#openstack_service_internaluri_proto: http
|
||||
|
||||
|
||||
## LDAP enabled toggle
|
||||
service_ldap_backend_enabled: "{{ keystone_ldap is defined }}"
|
||||
|
||||
|
||||
## Ceilometer
|
||||
ceilometer_service_port: 8777
|
||||
ceilometer_service_proto: http
|
||||
|
@ -91,6 +95,7 @@ ceilometer_service_tenant_name: service
|
|||
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
|
||||
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
|
||||
ceilometer_service_region: "{{ service_region }}"
|
||||
ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## Nova
|
||||
|
@ -109,6 +114,7 @@ nova_keystone_auth_plugin: password
|
|||
nova_ceph_client: '{{ cinder_ceph_client }}'
|
||||
nova_ceph_client_uuid: '{{ cinder_ceph_client_uuid | default() }}'
|
||||
nova_dhcp_domain: "{{ dhcp_domain }}"
|
||||
nova_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## Neutron
|
||||
|
@ -123,6 +129,7 @@ neutron_service_adminuri: "{{ neutron_service_adminuri_proto }}://{{ internal_lb
|
|||
neutron_service_adminurl: "{{ neutron_service_adminuri }}"
|
||||
neutron_service_region: "{{ service_region }}"
|
||||
neutron_dhcp_domain: "{{ dhcp_domain }}"
|
||||
neutron_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## Glance
|
||||
|
@ -135,6 +142,7 @@ glance_service_project_domain_id: default
|
|||
glance_service_user_domain_id: default
|
||||
glance_service_adminurl: "{{ glance_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ glance_service_port }}"
|
||||
glance_service_region: "{{ service_region }}"
|
||||
glance_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
# Only specify this if you want to list the servers - by default LB host/port will be used
|
||||
#glance_api_servers: "{% for host in groups['glance_all'] %}{{ hostvars[host]['container_address'] }}:{{ glance_service_port }}{% if not loop.last %},{% endif %}{% endfor %}"
|
||||
|
||||
|
@ -168,6 +176,7 @@ keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars
|
|||
keystone_service_region: "{{ service_region }}"
|
||||
keystone_service_adminuri_insecure: false
|
||||
keystone_service_internaluri_insecure: false
|
||||
keystone_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## Horizon
|
||||
|
@ -177,6 +186,7 @@ horizon_enable_cinder_backup: "{% if cinder_service_backup_program_enabled is de
|
|||
|
||||
## Heat
|
||||
heat_service_region: "{{ service_region }}"
|
||||
heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## Cinder
|
||||
|
@ -198,6 +208,17 @@ cinder_ceph_client: cinder
|
|||
# cinder_backend_lvm_inuse: True if current host has an lvm backend
|
||||
cinder_backend_lvm_inuse: '{{ (cinder_backends|default("")|to_json).find("cinder.volume.drivers.lvm.LVMVolumeDriver") != -1 }}'
|
||||
cinder_service_region: "{{ service_region }}"
|
||||
cinder_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## Swift
|
||||
swift_system_user_name: swift
|
||||
swift_system_group_name: swift
|
||||
swift_system_shell: /bin/bash
|
||||
swift_system_comment: swift system user
|
||||
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
|
||||
swift_service_region: "{{ service_region }}"
|
||||
swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||
|
||||
|
||||
## OpenStack Openrc
|
||||
|
@ -216,13 +237,6 @@ tempest_pip_instructions: >
|
|||
--trusted-host pypi.python.org
|
||||
--trusted-host {{ openstack_upstream_domain }}
|
||||
|
||||
## Swift
|
||||
swift_system_user_name: swift
|
||||
swift_system_group_name: swift
|
||||
swift_system_shell: /bin/bash
|
||||
swift_system_comment: swift system user
|
||||
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
|
||||
swift_service_region: "{{ service_region }}"
|
||||
|
||||
## HAProxy
|
||||
haproxy_bind_on_non_local: "{% if groups.haproxy_hosts[1] is defined and internal_lb_vip_address != external_lb_vip_address %}True{% else %}False{% endif %}"
|
||||
|
|
|
@ -65,6 +65,8 @@ ceilometer_service_internalurl: "{{ ceilometer_service_internaluri }}"
|
|||
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
|
||||
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}"
|
||||
|
||||
|
||||
ceilometer_service_in_ldap: false
|
||||
## Ceilometer config
|
||||
|
||||
# Common apt packages
|
||||
|
|
|
@ -39,6 +39,7 @@
|
|||
role_name: "{{ role_name }}"
|
||||
password: "{{ ceilometer_service_password }}"
|
||||
register: add_service
|
||||
when: not ceilometer_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -55,6 +56,7 @@
|
|||
tenant_name: "{{ ceilometer_service_project_name }}"
|
||||
role_name: "{{ ceilometer_role_name }}"
|
||||
register: add_admin_role
|
||||
when: not ceilometer_service_in_ldap | bool
|
||||
until: add_admin_role|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -184,6 +184,8 @@ cinder_quota_backup_gigabytes: 1000
|
|||
# "volume:create": ""
|
||||
# "volume:delete": ""
|
||||
|
||||
cinder_service_in_ldap: false
|
||||
|
||||
# Common apt packages
|
||||
cinder_apt_packages:
|
||||
- dmeventd
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
password: "{{ service_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not cinder_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -62,6 +63,7 @@
|
|||
role_name: "{{ role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not cinder_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -140,6 +140,8 @@ glance_rbd_store_pool: images
|
|||
glance_rbd_store_user: '{{ glance_ceph_client }}'
|
||||
glance_rbd_store_chunk_size: 8
|
||||
|
||||
glance_service_in_ldap: false
|
||||
|
||||
# Common apt packages
|
||||
glance_apt_packages:
|
||||
- rpcbind
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
password: "{{ glance_service_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not glance_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -62,6 +63,7 @@
|
|||
role_name: "{{ glance_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not glance_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -124,6 +124,8 @@ heat_watch_port: 8003
|
|||
heat_watch_server_uri: "{{ heat_watch_proto }}://{{ external_lb_vip_address }}:{{ heat_watch_port }}"
|
||||
heat_watch_server_url: "{{ heat_watch_server_uri }}"
|
||||
|
||||
heat_service_in_ldap: false
|
||||
|
||||
## Plugin dirs
|
||||
heat_plugin_dirs:
|
||||
- /usr/lib/heat
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
password: "{{ service_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not heat_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -62,6 +63,7 @@
|
|||
role_name: "{{ role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not heat_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -306,6 +306,8 @@ keystone_recreate_keys: False
|
|||
# - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
|
||||
# id: upn
|
||||
|
||||
keystone_service_in_ldap: false
|
||||
|
||||
# Keystone Federation SP Packages
|
||||
keystone_sp_apt_packages:
|
||||
- libapache2-mod-shib2
|
||||
|
|
|
@ -87,6 +87,7 @@
|
|||
password: "{{ keystone_auth_admin_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not keystone_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -121,6 +122,7 @@
|
|||
role_name: "{{ keystone_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not keystone_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -137,6 +139,7 @@
|
|||
role_name: "{{ keystone_default_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_member_role
|
||||
when: not keystone_service_in_ldap | bool
|
||||
until: add_member_role|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -264,6 +264,8 @@ neutron_rpc_thread_pool_size: 64
|
|||
neutron_rpc_conn_pool_size: 30
|
||||
neutron_rpc_response_timeout: 60
|
||||
|
||||
neutron_service_in_ldap: false
|
||||
|
||||
## Policy vars
|
||||
# Provide a list of access controls to update the default policy.json with. These changes will be merged
|
||||
# with the access controls in the default policy.json. E.g.
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
password: "{{ service_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not neutron_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -62,6 +63,7 @@
|
|||
role_name: "{{ role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not neutron_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -296,6 +296,8 @@ nova_ceph_client_uuid: 517a4663-3927-44bc-9ea7-4a90e1cd4c66
|
|||
# "compute:create": ""
|
||||
# "compute:create:attach_network": ""
|
||||
|
||||
nova_service_in_ldap: false
|
||||
|
||||
## libvirtd config options
|
||||
nova_libvirtd_listen_tls: 1
|
||||
nova_libvirtd_listen_tcp: 0
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
password: "{{ service_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not nova_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -62,6 +63,7 @@
|
|||
role_name: "{{ role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not nova_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
|
@ -138,6 +138,8 @@ swift_proxy_server_program_config_options: /etc/swift/proxy-server/proxy-server.
|
|||
# of available VCPUS to compute the number of api workers to use.
|
||||
# swift_proxy_server_workers: 16
|
||||
|
||||
swift_service_in_ldap: false
|
||||
|
||||
swift_pip_packages:
|
||||
- ceilometermiddleware
|
||||
- dnspython
|
||||
|
|
|
@ -43,6 +43,7 @@
|
|||
password: "{{ swift_service_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not swift_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -62,6 +63,7 @@
|
|||
role_name: "{{ swift_service_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not swift_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
@ -96,6 +98,7 @@
|
|||
password: "{{ swift_dispersion_password }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
register: add_service
|
||||
when: not swift_service_in_ldap | bool
|
||||
until: add_service|success
|
||||
retries: 5
|
||||
delay: 10
|
||||
|
|
Loading…
Reference in New Issue