From 0de819e92afdb67bd6babf1502c5e463d8c4ed57 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Mon, 23 May 2016 23:08:24 -0500 Subject: [PATCH] Implement CentOS 7 support in os_keystone This change implements CentOS 7 support within the os_keystone role. Depends-on: I333fb1887339e8dc9ebf10ff137dda3cff629dc0 Change-Id: Ib339cd0657f7008fa48bf74f8d6ddd4b8add2ea1 Signed-off-by: Kevin Carter --- defaults/main.yml | 9 +- handlers/main.yml | 12 +- manual-test.rc | 22 ++++ meta/main.yml | 3 + ...tone-centos7-support-0a5d97f81ac42e44.yaml | 10 ++ tasks/keystone_apache.yml | 57 ++++++--- tasks/keystone_federation_sp_setup.yml | 6 +- tasks/keystone_idp_metadata.yml | 4 +- tasks/keystone_idp_self_signed_create.yml | 3 +- tasks/keystone_idp_self_signed_distribute.yml | 3 +- tasks/keystone_install.yml | 8 +- tasks/keystone_install_apt.yml | 10 +- tasks/keystone_install_yum.yml | 114 ++++++++++++++++++ tasks/keystone_key_distribute.yml | 2 +- tasks/keystone_ldap_setup.yml | 4 +- tasks/keystone_post_install.yml | 4 +- tasks/keystone_ssl_key_create.yml | 6 +- tasks/keystone_ssl_user_provided.yml | 9 +- tasks/main.yml | 1 + templates/keystone-httpd.conf.j2 | 15 +++ tests/test-install-keystone.yml | 23 ++-- tests/test-prepare-containers.yml | 1 + tests/test-prepare-host.yml | 35 +++++- tests/test-vars.yml | 2 +- tox.ini | 8 +- vars/redhat-7.yml | 67 ++++++++++ vars/ubuntu-14.04.yml | 46 +++++-- vars/ubuntu-16.04.yml | 34 ++++-- 28 files changed, 429 insertions(+), 89 deletions(-) create mode 100644 manual-test.rc create mode 100644 releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml create mode 100644 tasks/keystone_install_yum.yml create mode 100644 vars/redhat-7.yml diff --git a/defaults/main.yml b/defaults/main.yml index 58c72b43..4167ddfd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -20,6 +20,9 @@ debug: False # Options are 'present' and 'latest' keystone_package_state: "latest" +# Role standard API override this option in the OS variable files +keystone_shibboleth_repo: {} + # These variables are used in 'developer mode' in order to allow the role # to build an environment directly from a git source without the presence # of an OpenStack-Ansible repo_server. @@ -44,7 +47,7 @@ keystone_system_user_name: keystone keystone_system_group_name: keystone keystone_system_additional_groups: - ssl_cert -keystone_system_service_name: apache2 + keystone_system_shell: /bin/bash keystone_system_comment: keystone system user keystone_system_user_home: "/var/lib/{{ keystone_system_user_name }}" @@ -381,10 +384,6 @@ keystone_sp: {} keystone_service_in_ldap: false -# Keystone Federation SP Packages -keystone_sp_apt_packages: - - libapache2-mod-shib2 - # Keystone notification settings keystone_ceilometer_enabled: false diff --git a/handlers/main.yml b/handlers/main.yml index e1cf1fdf..e7acbb78 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,13 +13,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Restart Apache +- name: Restart service service: - name: "apache2" - state: "restarted" - pattern: "apache2" - register: apache_restart - until: apache_restart|success + name: "{{ keystone_system_service_name }}" + state: restarted + pattern: "{{ keystone_system_service_name }}" + register: _restart + until: _restart|success retries: 5 delay: 2 when: keystone_apache_mod_wsgi_enabled | bool diff --git a/manual-test.rc b/manual-test.rc new file mode 100644 index 00000000..fa1cdf95 --- /dev/null +++ b/manual-test.rc 
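Review bot: The comment above the new `keystone_shibboleth_repo: {}` default does not tell a deployer what the dict must contain; the `Add shibboleth repo` task in keystone_install_yum.yml reads `name`, `description`, `file`, `baseurl` and `gpgkey` from it, and only vars/redhat-7.yml supplies them. I would replace the comment with `# Yum repository that provides the Shibboleth SP packages; the per-distribution` / `# vars file sets it (keys: name, description, file, baseurl, gpgkey).` so the defaults file documents the contract. As written, `Role standard API override this option in the OS variable files` is hard to parse and does not say which keys are expected.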
@@ -0,0 +1,22 @@ +export VIRTUAL_ENV=$(pwd) +export ANSIBLE_HOST_KEY_CHECKING=False +export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r + +# TODO (odyssey4me) These are only here as they are non-standard folder +# names for Ansible 1.9.x. We are using the standard folder names for +# Ansible v2.x. We can remove this when we move to Ansible 2.x. +export ANSIBLE_ACTION_PLUGINS=${HOME}/.ansible/plugins/action +export ANSIBLE_CALLBACK_PLUGINS=${HOME}/.ansible/plugins/callback +export ANSIBLE_FILTER_PLUGINS=${HOME}/.ansible/plugins/filter +export ANSIBLE_LOOKUP_PLUGINS=${HOME}/.ansible/plugins/lookup + +# This is required as the default is the current path or a path specified +# in ansible.cfg +export ANSIBLE_LIBRARY=${HOME}/.ansible/plugins/library + +# This is required as the default is '/etc/ansible/roles' or a path +# specified in ansible.cfg +export ANSIBLE_ROLES_PATH=${HOME}/.ansible/roles:$(pwd)/.. + +echo "Run manual functional tests by executing the following:" +echo "# ./.tox/functional/bin/ansible-playbook -i tests/inventory tests/test.yml -e \"rolename=$(pwd)\"" diff --git a/meta/main.yml b/meta/main.yml index 2535a0dd..cfe91b5d 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -24,6 +24,9 @@ galaxy_info: versions: - trusty - xenial + - name: EL + versions: + - 7 categories: - cloud - python diff --git a/releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml b/releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml new file mode 100644 index 00000000..7a91a8cd --- /dev/null +++ b/releasenotes/notes/os_keystone-centos7-support-0a5d97f81ac42e44.yaml 
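Review bot: `export ANSIBLE_HOST_KEY_CHECKING=False` turns off SSH host-key verification for every play run with this file sourced, and nothing in the file says it is meant only for the LXC test containers that tests/test-prepare-containers.yml creates; a comment such as `# Host-key checking is off because the test containers are rebuilt on every run; do not source this against real hosts.` makes the scope explicit. `export ANSIBLE_SSH_CONTROL_PATH=/tmp/%%h-%%r` also moves the control sockets from Ansible's per-user default directory into a world-writable `/tmp` under a predictable name, so if the override is needed (presumably for socket path length) it deserves a one-line comment saying why.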
@@ -0,0 +1,10 @@
+---
+features:
+ - CentOS7/RHEL support has been added to the os_keystone
+ role.
+deprecations:
+ - The following variables have been deprecated.
+ `keystone_developer_apt_packages`, `keystone_sp_apt_packages`,
+ `keystone_idp_apt_packages`, and `keystone_apt_packages`. While
+ these options are still available when deploying on Ubuntu
+ 14.04, they will be removed during the Ocata cycle.
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml
index 413c8ea4..2d76e0d3 100644
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@@ -13,68 +13,89 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Create apache nogroup group + group: + name: "nogroup" + system: "yes" + +- name: Create apache nogroup user + user: + name: "nogroup" + group: "nogroup" + system: "yes" + shell: "/bin/false" + - name: Drop apache2 config files template: src: "{{ item.src }}" dest: "{{ item.dest }}" owner: "root" group: "root" - with_items: - - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" } - - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" } - - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" } + with_items: "{{ keystone_apache_configs }}" notify: - - Restart Apache + - Restart service - name: Disable default apache site file: - path: "/etc/apache2/sites-enabled/000-default.conf" + path: "{{ item }}" state: "absent" + with_items: "{{ keystone_apache_default_sites }}" notify: - - Restart Apache + - Restart service - name: Enabled keystone vhost file: - src: "/etc/apache2/sites-available/keystone-httpd.conf" - dest: "/etc/apache2/sites-enabled/keystone-httpd.conf" + src: "{{ keystone_apache_site_available }}" + dest: "{{ keystone_apache_site_enabled }}" state: "link" + when: + - keystone_apache_site_available is defined + - keystone_apache_site_enabled is defined notify: - - Restart Apache + - Restart service - name: Ensure Apache ServerName lineinfile: - dest: "/etc/apache2/apache2.conf" + dest: "{{ keystone_apache_conf }}" line: "ServerName {{ ansible_hostname }}" notify: - - Restart Apache + - Restart service - name: Ensure Apache ServerTokens lineinfile: - dest: "/etc/apache2/conf-available/security.conf" + dest: "{{ keystone_apache_security_conf }}" regexp: '^ServerTokens' line: "ServerTokens {{ keystone_apache_servertokens }}" notify: - - Restart Apache + - Restart service - name: Ensure Apache ServerSignature 
lineinfile: - dest: "/etc/apache2/conf-available/security.conf" + dest: "{{ keystone_apache_security_conf }}" regexp: '^ServerSignature' line: "ServerSignature {{ keystone_apache_serversignature }}" notify: - - Restart Apache + - Restart service +## NOTE(cloudnull): +## Module enable/disable process is only functional on Debian based systems. - name: Enable/disable mod_ssl for apache2 apache2_module: name: ssl state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" + when: + - ansible_pkg_mgr == 'apt' notify: - - Restart Apache + - Restart service +## NOTE(cloudnull): +## Module enable/disable process is only functional on Debian based systems. - name: Enable/disable mod_shib2 for apache2 apache2_module: name: shib2 state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}" ignore_errors: yes + when: + - ansible_pkg_mgr == 'apt' notify: - - Restart Apache + - Restart service diff --git a/tasks/keystone_federation_sp_setup.yml b/tasks/keystone_federation_sp_setup.yml index 62159266..f28ce0ac 100644 --- a/tasks/keystone_federation_sp_setup.yml +++ b/tasks/keystone_federation_sp_setup.yml @@ -32,7 +32,7 @@ creates: "/etc/shibboleth/sp-cert.pem" when: inventory_hostname == groups['keystone_all'][0] notify: - - Restart Apache + - Restart service - Restart Shibd - name: Store Shibboleth SP key-pair @@ -69,7 +69,7 @@ delay: 2 when: inventory_hostname != groups['keystone_all'][0] notify: - - Restart Apache + - Restart service - Restart Shibd - name: Set appropriate file ownership on the Shibboleth SP key-pair @@ -82,5 +82,5 @@ - "/etc/shibboleth/sp-key.pem" when: inventory_hostname != groups['keystone_all'][0] notify: - - Restart Apache + - Restart service - Restart Shibd diff --git a/tasks/keystone_idp_metadata.yml b/tasks/keystone_idp_metadata.yml index 8d5f9690..974b180e 100644 --- a/tasks/keystone_idp_metadata.yml +++ b/tasks/keystone_idp_metadata.yml 
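Review bot: The two new `Create apache nogroup group` / `Create apache nogroup user` tasks at the top of the hunk run on every platform with no `when`, while the other distro-specific tasks in the same file (`Enable/disable mod_ssl`, `Enable/disable mod_shib2`) are gated on `ansible_pkg_mgr`; on Debian/Ubuntu `nogroup` already exists as a group, and the reason a user of that name is now required (presumably a `nogroup` reference in the httpd template for CentOS) is not stated anywhere. I would add a NOTE above the tasks naming what consumes the account and, if it is only needed on yum-based hosts, gate both with `when: ansible_pkg_mgr == 'yum'`. `system: "yes"` in both tasks is a quoted string where the boolean `system: true` is meant.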
@@ -20,5 +20,5 @@ become_user: "{{ keystone_system_user_name }}" when: keystone_idp != {} notify: - - Restart Apache - - Restart Keystone APIs \ No newline at end of file + - Restart Keystone APIs + - Restart service diff --git a/tasks/keystone_idp_self_signed_create.yml b/tasks/keystone_idp_self_signed_create.yml index 2168b8b7..22243a49 100644 --- a/tasks/keystone_idp_self_signed_create.yml +++ b/tasks/keystone_idp_self_signed_create.yml @@ -32,7 +32,8 @@ creates={{ keystone_idp.certfile }} when: > inventory_hostname == groups['keystone_all'][0] - notify: Restart Apache + notify: + - Restart service - name: Set appropriate file ownership on the IdP self-signed cert file: diff --git a/tasks/keystone_idp_self_signed_distribute.yml b/tasks/keystone_idp_self_signed_distribute.yml index 77215407..c2f71226 100644 --- a/tasks/keystone_idp_self_signed_distribute.yml +++ b/tasks/keystone_idp_self_signed_distribute.yml @@ -29,7 +29,8 @@ until: memcache_keys|success retries: 5 delay: 2 - notify: Restart Apache + notify: + - Restart service - name: Set appropriate file ownership on the IdP self-signed cert file: diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml index ca12053a..d7a45afe 100644 --- a/tasks/keystone_install.yml +++ b/tasks/keystone_install.yml @@ -17,6 +17,10 @@ when: - ansible_pkg_mgr == 'apt' +- include: keystone_install_yum.yml + when: + - ansible_pkg_mgr == 'yum' + - name: Create WSGI symlinks file: src: "{{ item.src }}" @@ -132,8 +136,8 @@ - not keystone_developer_mode | bool - keystone_get_venv | changed or keystone_venv_dir | changed notify: - - Restart Apache - Restart Keystone APIs + - Restart service - name: Install pip packages pip: @@ -149,8 +153,8 @@ when: - keystone_get_venv | failed or keystone_developer_mode | bool notify: - - Restart Apache - Restart Keystone APIs + - Restart service - name: Update virtualenv path command: 
> diff --git a/tasks/keystone_install_apt.yml b/tasks/keystone_install_apt.yml index 7dff1ca7..ed7175fc 100644 --- a/tasks/keystone_install_apt.yml +++ b/tasks/keystone_install_apt.yml @@ -30,7 +30,7 @@ until: install_packages|success retries: 5 delay: 2 - with_items: "{{ keystone_apt_packages }}" + with_items: "{{ keystone_packages }}" - name: Install Apache apt packages apt: @@ -40,7 +40,7 @@ until: install_packages|success retries: 5 delay: 2 - with_items: "{{ keystone_apache_apt_packages }}" + with_items: "{{ keystone_apache_packages }}" when: keystone_apache_mod_wsgi_enabled | bool - name: Install IdP apt packages @@ -51,7 +51,7 @@ until: install_packages|success retries: 5 delay: 2 - with_items: "{{ keystone_idp_apt_packages }}" + with_items: "{{ keystone_idp_packages }}" when: - keystone_apache_mod_wsgi_enabled | bool - keystone_idp != {} @@ -64,7 +64,7 @@ until: install_packages|success retries: 5 delay: 2 - with_items: "{{ keystone_sp_apt_packages }}" + with_items: "{{ keystone_sp_packages }}" when: - keystone_apache_mod_wsgi_enabled | bool - keystone_sp != {} @@ -77,6 +77,6 @@ until: install_packages|success retries: 5 delay: 2 - with_items: "{{ keystone_developer_apt_packages }}" + with_items: "{{ keystone_developer_packages }}" when: - keystone_developer_mode | bool diff --git a/tasks/keystone_install_yum.yml b/tasks/keystone_install_yum.yml new file mode 100644 index 00000000..4b813551 --- /dev/null +++ b/tasks/keystone_install_yum.yml 
@@ -0,0 +1,114 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create keystone dir
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ owner: "{{ item.owner|default(keystone_system_user_name) }}"
+ group: "{{ item.group|default(keystone_system_group_name) }}"
+ mode: "{{ item.mode|default('0755') }}"
+ with_items:
+ - { path: "/etc/pki/tls/certs", owner: "root", group: "root" }
+ - { path: "/etc/pki/tls/private", owner: "root", group: "root" }
+ - { path: "/var/lock/keystone", mode: "2755" }
+ - { path: "/var/log/httpd", mode: "2755" }
+
+- name: Create system links
+ file:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ state: "link"
+ with_items:
+ - { src: "/etc/pki/tls/certs", dest: "/etc/ssl/certs" }
+ - { src: "/etc/pki/tls/private", dest: "/etc/ssl/private" }
+ - { src: "/var/log/httpd", dest: "/var/log/apache2" }
+
+- name: Install yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: keystone_packages
+
+- name: Install Apache yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ keystone_package_state }}"
+ register: install_packages
+ until: install_packages|success
+ retries: 5
+ delay: 2
+ with_items: "{{ keystone_apache_packages }}"
+ when: keystone_apache_mod_wsgi_enabled | bool
+
+- name: Install IdP yum packages
+ yum:
+ pkg: "{{ item }}"
+ state: "{{ 
keystone_package_state }}" + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: keystone_idp_packages + when: keystone_idp is defined + +#TODO(cloudnull) Remove this task once we move to Ansible 2.1 +# where we can leverage the `yum_repository` module: +# https://docs.ansible.com/ansible/yum_repository_module.html +- name: Add shibboleth repo + copy: + content: | + [{{ item.name }}] + name={{ item.name }} + description={{ item.description }} + baseurl={{ item.baseurl }} + gpgkey={{ item.gpgkey }} + gpgcheck=1 + enabled=1 + dest: "/etc/yum.repos.d/{{ item.file }}.repo" + register: add_repos + until: add_repos|success + retries: 5 + delay: 2 + with_items: + - "{{ keystone_shibboleth_repo }}" + when: keystone_sp is defined + +- name: Install SP yum packages + yum: + pkg: "{{ item }}" + state: "{{ keystone_package_state }}" + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: keystone_sp_packages + when: keystone_sp is defined + +- name: Install developer mode yum packages + yum: + pkg: "{{ item }}" + state: "{{ keystone_package_state }}" + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: keystone_developer_packages + when: + - keystone_developer_mode | bool diff --git a/tasks/keystone_key_distribute.yml b/tasks/keystone_key_distribute.yml index f56b647e..82c77499 100644 --- a/tasks/keystone_key_distribute.yml +++ b/tasks/keystone_key_distribute.yml @@ -17,5 +17,5 @@ authorized_key: user: "{{ keystone_system_user_name }}" key: "{{ hostvars[item]['keystone_pubkey'] | b64decode }}" - with_items: "{{ groups['keystone_all'] }}" when: hostvars[item]['keystone_pubkey'] is defined + with_items: "{{ groups['keystone_all'] }}" diff --git a/tasks/keystone_ldap_setup.yml b/tasks/keystone_ldap_setup.yml index 39daf6c7..e65cde12 100644 --- a/tasks/keystone_ldap_setup.yml +++ b/tasks/keystone_ldap_setup.yml 
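Review bot: `when: keystone_sp is defined` on `Add shibboleth repo` and `Install SP yum packages`, and `when: keystone_idp is defined` on `Install IdP yum packages`, are always true: defaults/main.yml defines `keystone_sp: {}` (visible in the first hunk of this patch) and, judging by the apt include's `keystone_idp != {}` test, `keystone_idp` likewise, so every CentOS host gets the third-party Shibboleth repository written and its packages installed even when federation is not configured. The conditions should be `when: keystone_sp != {}` and `when: keystone_idp != {}` to match keystone_install_apt.yml. `with_items: keystone_packages`, `with_items: keystone_idp_packages`, `with_items: keystone_sp_packages` and `with_items: keystone_developer_packages` are bare variable names while the Apache task uses `with_items: "{{ keystone_apache_packages }}"`; bare names in `with_items` are deprecated in Ansible 2 and the templated form should be used throughout. `/var/log/httpd` is also created keystone-owned with mode `2755`, which makes the Apache log directory (request logs included) world-readable and traversable; unless something needs global read access, `mode: "0750"` or leaving it root-owned is the safer choice.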
@@ -35,8 +35,8 @@ mode: "0644" with_dict: "{{ keystone_ldap }}" notify: - - Restart Apache - Restart Keystone APIs + - Restart service # Bug 1547542 - Older versions of the keystone role would deploy a blank # keystone.Default.conf and this will cause errors when adding LDAP-backed @@ -47,5 +47,5 @@ state: absent when: keystone_ldap.Default is not defined notify: - - Restart Apache - Restart Keystone APIs + - Restart service diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml index ca0abcdf..1f19a4bd 100644 --- a/tasks/keystone_post_install.yml +++ b/tasks/keystone_post_install.yml @@ -36,8 +36,8 @@ config_overrides: "{{ keystone_policy_overrides }}" config_type: "json" notify: - - Restart Apache - Restart Keystone APIs + - Restart service - name: Drop Keystone Configs copy: @@ -47,6 +47,6 @@ group: "{{ keystone_system_group_name }}" mode: "0644" notify: - - Restart Apache - Restart Keystone APIs + - Restart service diff --git a/tasks/keystone_ssl_key_create.yml b/tasks/keystone_ssl_key_create.yml index eaa8d2ad..d9eec8a8 100644 --- a/tasks/keystone_ssl_key_create.yml +++ b/tasks/keystone_ssl_key_create.yml @@ -28,7 +28,8 @@ -out {{ keystone_ssl_cert }} -extensions v3_ca creates={{ keystone_ssl_cert }} - notify: Restart Apache + notify: + - Restart service - name: Ensure keystone user owns the self-signed key and certificate file: @@ -39,4 +40,5 @@ with_items: - "{{ keystone_ssl_key }}" - "{{ keystone_ssl_cert }}" - notify: Restart Apache + notify: + - Restart service diff --git a/tasks/keystone_ssl_user_provided.yml b/tasks/keystone_ssl_user_provided.yml index ccb569e4..3a197bc4 100644 --- a/tasks/keystone_ssl_user_provided.yml +++ b/tasks/keystone_ssl_user_provided.yml @@ -21,7 +21,8 @@ group: "root" mode: "0644" when: keystone_user_ssl_cert is defined - notify: Restart Apache + notify: + - Restart service - name: Drop user provided ssl key copy: 
@@ -31,7 +32,8 @@ group: "root" mode: "0640" when: keystone_user_ssl_key is defined - notify: Restart Apache + notify: + - Restart service - name: Drop user provided ssl CA cert copy: @@ -41,4 +43,5 @@ group: "root" mode: "0644" when: keystone_user_ssl_ca_cert is defined - notify: Restart Apache + notify: + - Restart service diff --git a/tasks/main.yml b/tasks/main.yml index c1c405a1..e996a7f5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,6 +28,7 @@ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" - "{{ ansible_os_family | lower }}.yml" tags: - always diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2 index 39b43044..8c3449a1 100644 --- a/templates/keystone-httpd.conf.j2 +++ b/templates/keystone-httpd.conf.j2 @@ -56,6 +56,14 @@ WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1 {% endif %} + + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + + @@ -88,4 +96,11 @@ SSLCipherSuite {{ keystone_ssl_cipher_suite }} SSLOptions +StdEnvVars +ExportCertData {% endif %} + + + Options Indexes FollowSymLinks MultiViews + AllowOverride All + Order allow,deny + allow from all + diff --git a/tests/test-install-keystone.yml b/tests/test-install-keystone.yml index 760b18af..2f07a156 100644 --- a/tests/test-install-keystone.yml +++ b/tests/test-install-keystone.yml 
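Review bot: The new `{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml` entry resolves to the same `redhat-7.yml` as the existing `{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml` entry three lines above it on CentOS 7, and with a first-found lookup the earlier entry wins, so the new line can only matter on hosts whose facts lack `ansible_distribution_major_version`. If that is the intent, a comment such as `# Fallback for fact sets that lack ansible_distribution_major_version` would stop the next reader from taking the near-duplicate for a typo. The enclosing task starts outside this hunk, so I cannot confirm whether a `skip` option changes the lookup behaviour.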
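Review bot: Both new `<Directory>` blocks (their opening tags are not rendered in this view) grant `Options Indexes FollowSymLinks MultiViews` and `AllowOverride All` to what the neighbouring `WSGIScriptAliasMatch ... /var/www/cgi-bin/keystone/main/$1` line suggests is the keystone WSGI script tree; `Indexes` enables directory listings of that tree, `FollowSymLinks` and `MultiViews` are not needed to run a WSGI script, and `AllowOverride All` lets any `.htaccess` file placed under it rewrite server configuration. A script directory only needs access granted, so I would replace the option lines with `Options None`, `AllowOverride None` and `Require all granted`. `Order allow,deny` / `allow from all` is the Apache 2.2 access syntax and on the 2.4 httpd these targets ship it works only through mod_access_compat, whereas `Require all granted` is the native directive.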
@@ -14,16 +14,14 @@ # limitations under the License. - name: Playbook for deploying keystone - hosts: keystone_all + hosts: "infra1" user: root gather_facts: true - pre_tasks: + tasks: - name: Ensure rabbitmq vhost rabbitmq_vhost: name: "{{ keystone_rabbitmq_vhost }}" state: "present" - delegate_to: "10.100.100.2" - when: inventory_hostname == groups['keystone_all'][0] - name: Ensure rabbitmq user rabbitmq_user: user: "{{ keystone_rabbitmq_userid }}" @@ -33,22 +31,18 @@ read_priv: ".*" write_priv: ".*" state: "present" - delegate_to: "10.100.100.2" - when: inventory_hostname == groups['keystone_all'][0] - name: Create DB for service mysql_db: login_user: "root" login_password: "secrete" - login_host: "localhost" + login_host: "127.0.0.1" name: "{{ keystone_galera_database }}" state: "present" - delegate_to: "10.100.100.2" - when: inventory_hostname == groups['keystone_all'][0] - name: Grant access to the DB for the service mysql_user: login_user: "root" login_password: "secrete" - login_host: "localhost" + login_host: "127.0.0.1" name: "{{ keystone_galera_database }}" password: "{{ keystone_container_mysql_password }}" host: "{{ item }}" @@ -57,8 +51,13 @@ with_items: - "localhost" - "%" - delegate_to: "10.100.100.2" - when: inventory_hostname == groups['keystone_all'][0] + vars_files: + - test-vars.yml + +- name: Playbook for deploying keystone + hosts: keystone_all + user: root + gather_facts: true roles: - role: "{{ rolename | basename }}" tasks: diff --git a/tests/test-prepare-containers.yml b/tests/test-prepare-containers.yml index c0d539ea..2945549e 100644 --- a/tests/test-prepare-containers.yml +++ b/tests/test-prepare-containers.yml @@ -20,6 +20,7 @@ - role: "lxc_container_create" lxc_container_release: trusty lxc_container_backing_store: dir + debug: true global_environment_variables: PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" post_tasks: 
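Review bot: The first play keeps the name `Playbook for deploying keystone`, which is also the name of the new second play that actually applies the role, so the two are indistinguishable in run output and `--list-tasks`; naming the first for what it does, e.g. `- name: Playbook for preparing keystone dependencies`, avoids that. The added `vars_files:` / `- test-vars.yml` sits after the task list of the first play; Ansible accepts play keywords in any order, but placing it next to `hosts`, `user` and `gather_facts` at the top of the play is the conventional layout and makes it visible where the variables come from.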
diff --git a/tests/test-prepare-host.yml b/tests/test-prepare-host.yml index f8926411..aa4a3e92 100644 --- a/tests/test-prepare-host.yml +++ b/tests/test-prepare-host.yml @@ -16,11 +16,11 @@ - name: Playbook for configuring LXC host hosts: localhost pre_tasks: - # Make sure OS does not have a stale package cache. - - name: Update apt cache + - name: Ensure apt cache is always refreshed apt: update_cache: yes - when: ansible_os_family == 'Debian' + when: + - ansible_pkg_mgr == 'apt' - name: Ensure root's new public ssh key is in authorized_keys authorized_key: user: root 
@@ -32,11 +32,36 @@ stat: path: /etc/nodepool/provider register: nodepool - - name: Set the files to copy into the container cache for OpenStack-CI instances + - name: Set the files to copy into the container cache for OpenStack-CI instances (rhel) set_fact: lxc_container_cache_files: - { src: '/etc/pip.conf', dest: '/etc/pip.conf' } - when: nodepool.stat.exists | bool + when: + - nodepool.stat.exists | bool + - ansible_pkg_mgr == 'yum' + - name: Set the files to copy into the container cache for OpenStack-CI instances (deb) + set_fact: + lxc_container_cache_files: + - { src: '/etc/pip.conf', dest: '/etc/pip.conf' } + - { src: '/etc/apt/apt.conf.d/99unauthenticated', dest: '/etc/apt/apt.conf.d/99unauthenticated' } + when: + - nodepool.stat.exists | bool + - ansible_pkg_mgr == 'apt' + - name: Determine the existing Ubuntu repo configuration + shell: 'awk "/^deb .*ubuntu\/? {{ ansible_distribution_release }} main/ {print \$2; exit}" /etc/apt/sources.list' + register: ubuntu_repo + changed_when: false + when: ansible_pkg_mgr == 'apt' + - name: Set apt repo facts based on discovered information + set_fact: + lxc_container_template_main_apt_repo: "{{ ubuntu_repo.stdout }}" + lxc_container_template_security_apt_rep: "{{ ubuntu_repo.stdout }}" + when: ansible_pkg_mgr == 'apt' + - name: install the epel repo rpm from a remote repo + yum: + name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm" + state: "present" + when: ansible_pkg_mgr == 'yum' roles: - role: "lxc_hosts" lxc_net_address: 10.100.100.1 diff --git a/tests/test-vars.yml b/tests/test-vars.yml index 382145ea..e339cee8 100644 --- a/tests/test-vars.yml +++ b/tests/test-vars.yml 
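Review bot: `install the epel repo rpm from a remote repo` hands `yum` a bare URL to `epel-release-latest-7.noarch.rpm`; a package installed directly from a URL is not covered by any repository's `gpgcheck`, so the EPEL release package, and the signing key it drops into `/etc/pki/rpm-gpg`, is accepted on the strength of the TLS connection alone. On CentOS 7 the `epel-release` package is carried by the distribution's own `extras` repository and verified with the already-trusted CentOS key, so `name: "epel-release"` would do the same job with signature verification; if the URL form has to stay for RHEL hosts, a comment should say so. The `/etc/apt/apt.conf.d/99unauthenticated` fragment copied into the container cache in the deb branch is not explained either; its name suggests it relaxes apt signature checking, so a comment stating where it comes from and why the CI containers need it would help.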
@@ -28,10 +28,10 @@ keystone_rabbitmq_password: "secrete" keystone_rabbitmq_port: 5671 keystone_rabbitmq_servers: 10.100.100.2 keystone_rabbitmq_use_ssl: true -keystone_ssl: true keystone_rabbitmq_userid: keystone keystone_rabbitmq_vhost: /keystone keystone_requirements_git_install_branch: master +keystone_ssl: true keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357" keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3" keystone_service_password: "secrete" diff --git a/tox.ini b/tox.ini index affd9e27..e9338e15 100644 --- a/tox.ini +++ b/tox.ini @@ -145,6 +145,11 @@ commands = [testenv:functional] +# Ignore_errors is set to true so that the logs are collected at the +# end of the run. This will not produce a failse positive. Any +# exception will be mark the run as "failed" and exit 1 after all of +# the commands have been iterated through. +ignore_errors = True # NOTE(odyssey4me): this target does not use constraints because # it doesn't work in OpenStack-CI yet. Once that's fixed, we can # drop the install_command. @@ -160,7 +165,8 @@ commands = -e "rolename={toxinidir}" \ -e "install_test_packages=True" \ {toxinidir}/tests/test.yml -vvvv - + bash -c 'mkdir -p {toxinidir}/logs' + bash -c 'rsync -av --ignore-errors /var/log/ /openstack/log/ {toxinidir}/logs/ || true' # NOTE(andymccr): this will test keystone with uwsgi & nginx [testenv:func_uwsgi-nginx] diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml new file mode 100644 index 00000000..194981ad --- /dev/null +++ b/vars/redhat-7.yml 
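Review bot: The comment added above `ignore_errors = True` has two typos and a garbled clause: `failse positive` should read `false positive`, and `Any exception will be mark the run as "failed"` should read `Any failing command will still mark the run as "failed"`. It would also help to state directly that the flag exists so the two new `bash -c` log-collection commands at the end of the `commands` list run even when the playbook fails; a reader who only sees `ignore_errors = True` would otherwise take it for a way to hide failures.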
@@ -0,0 +1,67 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+keystone_shibboleth_repo:
+ state: "present"
+ name: "shibboleth"
+ description: "shibboleth Repo"
+ file: shibboleth
+ baseurl: "http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7/"
+ gpgkey: "http://download.opensuse.org/repositories/security:/shibboleth/CentOS_7//repodata/repomd.xml.key"
+
+keystone_packages:
+ - ca-certificates
+ - cronie
+ - cronie-anacron
+ - git
+ - libffi-devel
+ - libgsasl-devel
+ - libxml2-devel
+ - libxslt-devel
+ - mod_ssl
+ - mod_wsgi
+ - openldap
+ - openldap-devel
+ - openssl
+ - python-devel
+ - rsync
+
+keystone_apache_packages:
+ - httpd
+ - httpd-tools
+
+keystone_idp_packages:
+ - xmlsec1
+
+keystone_sp_packages:
+ - shibboleth
+
+keystone_developer_packages:
+ - '@Development Tools'
+
+keystone_apache_default_sites:
+ - "/etc/httpd/conf.d/userdir.conf"
+ - "/etc/httpd/conf.d/welcome.conf"
+ - "/etc/httpd/conf.d/ssl.conf"
+
+keystone_apache_conf: "/etc/httpd/conf/httpd.conf"
+keystone_apache_security_conf: "{{ keystone_apache_conf }}"
+
+keystone_apache_configs:
+ - { src: "keystone-ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf" }
+ - { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
+ - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
+
+keystone_system_service_name: httpd
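Review bot: `keystone_shibboleth_repo` sets `baseurl` and `gpgkey` to plain `http://` URLs while the repo file written by keystone_install_yum.yml hard-codes `gpgcheck=1`; when the signing key itself is fetched over unauthenticated HTTP, anyone who can substitute the key on the path can substitute the packages too, so the gpgcheck adds little. I would change both to `https://` (the OBS download server should serve the same paths over TLS) or ship the key with the role and point `gpgkey` at a `file://` path. The `state: "present"` key in this dict is never read by the `Add shibboleth repo` task, which writes the file unconditionally, so it is either dead data or a sign the task was meant to honour it. The `gpgkey` URL also carries a doubled slash (`CentOS_7//repodata`) that works but reads like a typo.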
diff --git a/vars/ubuntu-14.04.yml b/vars/ubuntu-14.04.yml index 7bf701b5..770ef033 100644 --- a/vars/ubuntu-14.04.yml +++ b/vars/ubuntu-14.04.yml @@ -14,7 +14,8 @@ # limitations under the License. # Common apt packages -keystone_apt_packages: +# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names. +_keystone_packages: - debhelper - dh-apparmor - docutils-common 
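Review bot: The comment `# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.` has a typo (`filers` should be `filters`) and is repeated verbatim four times across this hunk and the next; stating it once at the top of the file, e.g. `# NOTE: the *_apt_packages names are deprecated. Each keystone_*_packages value below passes the old` / `# variable through the deprecated filter; drop the _keystone_* shims in the Ocata cycle.`, keeps the file readable. Every `deprecated(...)` call in the next hunk also passes `keystone_fatal_deprecations` as its last argument; that variable is not defined anywhere in this patch, so unless defaults/main.yml already carries it (not visible here) every package list in this file fails to render on trusty.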
@@ -30,14 +31,43 @@ keystone_apt_packages: - python-dev - rsync -keystone_idp_apt_packages: - - ssl-cert - - xmlsec1 +keystone_packages: '{{ _keystone_packages | deprecated(keystone_apt_packages, "keystone_apt_packages", "keystone_packages", "ocata", keystone_fatal_deprecations) }}' -keystone_developer_apt_packages: - - build-essential - -keystone_apache_apt_packages: +keystone_apache_packages: - apache2 - apache2-utils - libapache2-mod-wsgi + +# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names. +_keystone_idp_packages: + - ssl-cert + - xmlsec1 + +keystone_idp_packages: '{{ _keystone_idp_packages | deprecated(keystone_idp_apt_packages, "keystone_idp_apt_packages", "keystone_idp_packages", "ocata", keystone_fatal_deprecations) }}' + +# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names. +_keystone_sp_packages: + - libapache2-mod-shib2 + +keystone_sp_packages: '{{ _keystone_sp_packages | deprecated(keystone_sp_apt_packages, "keystone_sp_apt_packages", "keystone_sp_packages", "ocata", keystone_fatal_deprecations) }}' + +# The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names. 
+_keystone_developer_packages: + - build-essential + +keystone_developer_packages: '{{ _keystone_developer_packages | deprecated(keystone_developer_apt_packages, "keystone_developer_apt_packages", "keystone_developer_packages", "ocata", keystone_fatal_deprecations) }}' + +keystone_apache_default_sites: + - "/etc/apache2/sites-enabled/000-default.conf" + +keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf" +keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf" +keystone_apache_conf: "/etc/apache2/apache2.conf" +keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf" + +keystone_apache_configs: + - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" } + - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" } + - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" } + +keystone_system_service_name: apache2 diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml index 77232e8c..9a4535bd 100644 --- a/vars/ubuntu-16.04.yml +++ b/vars/ubuntu-16.04.yml @@ -14,7 +14,7 @@ # limitations under the License. # Common apt packages -keystone_apt_packages: +keystone_packages: - debhelper - dh-apparmor - docutils-common 
@@ -30,14 +30,30 @@ keystone_apt_packages: - python-dev - rsync -keystone_idp_apt_packages: - - ssl-cert - - xmlsec1 - -keystone_developer_apt_packages: - - build-essential - -keystone_apache_apt_packages: +keystone_apache_packages: - apache2 - apache2-utils - libapache2-mod-wsgi + +keystone_idp_packages: + - ssl-cert + - xmlsec1 + +keystone_sp_packages: + - libapache2-mod-shib2 + +keystone_developer_packages: + - build-essential + +keystone_apache_default_sites: + - "/etc/apache2/sites-enabled/000-default.conf" +keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf" +keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf" +keystone_apache_conf: "/etc/apache2/apache2.conf" +keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf" +keystone_apache_configs: + - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" } + - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" } + - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" } + +keystone_system_service_name: apache2
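Review bot: In the block starting at `keystone_apache_default_sites:` the single-item list runs straight into `keystone_apache_site_available:` and the keys after it with no separating blank line, while the same stanza in vars/ubuntu-14.04.yml leaves a blank line between each setting group; matching that layout keeps the two files diffable against each other. A heading such as `# Apache paths and config templates for this distribution` above `keystone_apache_default_sites:` would also mirror the `# Common apt packages` comment at the top of the file.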