Merge "Move sysinv bootstrap from Puppet to Ansible"
This commit is contained in:
commit
a2c8b3db0b
|
@ -0,0 +1,125 @@
|
|||
#!/usr/bin/python
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
"""
|
||||
Creates the sysinv's user, grant it admin role and setup its services and endpoints.
|
||||
After the setup, the ignore_lockout_failure_attempts option is set up for both the
|
||||
sysinv and admin users.
|
||||
|
||||
It's necessary to perform the sysinv endpoint creation outside the
|
||||
openstack_config_endpoints.py script because all of the other endpoints are created
|
||||
in sysinv, requiring it to be configured priorly in order to provide access to the
|
||||
API.
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
from subprocess import Popen, PIPE
|
||||
|
||||
from sysinv.common import openstack_config_endpoints
|
||||
|
||||
from keystoneauth1 import loading, session
|
||||
from keystoneclient.v3 import client
|
||||
|
||||
|
||||
SYSINV_USER_TO_CREATE = [
|
||||
{
|
||||
"name": "sysinv",
|
||||
"password": "",
|
||||
"email": "sysinv@localhost",
|
||||
}
|
||||
]
|
||||
|
||||
SERVICES_TO_CREATE = [
|
||||
{
|
||||
"name": "sysinv",
|
||||
"description": "SysInvService",
|
||||
"type": "platform",
|
||||
}
|
||||
]
|
||||
|
||||
ENDPOINTS_TO_CREATE = [
|
||||
{
|
||||
"service": "sysinv",
|
||||
"region": "RegionOne",
|
||||
"endpoints": {
|
||||
"admin": "http://127.0.0.1:6385/v1/",
|
||||
"internal": "http://127.0.0.1:6385/v1/",
|
||||
"public": "http://127.0.0.1:6385/v1/"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
||||
IGNORE_LOCKOUT_FAILURE_ATTEMPTS_OPTION = {"ignore_lockout_failure_attempts": True}
|
||||
|
||||
|
||||
def _retrieve_environment_variables(username, password):
|
||||
with open(os.devnull, "w") as fnull:
|
||||
process = Popen(
|
||||
["bash", "-c", "source /etc/platform/openrc --no_credentials && env"],
|
||||
stdout=PIPE, stderr=fnull, universal_newlines=True
|
||||
)
|
||||
|
||||
env_vars = {}
|
||||
env_vars["username"] = username
|
||||
env_vars["password"] = password
|
||||
env_vars["user_domain_name"] = "Default"
|
||||
env_vars["project_domain_name"] = "Default"
|
||||
|
||||
for line in process.stdout:
|
||||
key, _, value = line.partition("=")
|
||||
if key == "OS_AUTH_URL":
|
||||
env_vars["auth_url"] = value.strip()
|
||||
elif key == "OS_REGION_NAME":
|
||||
env_vars["region_name"] = value.strip()
|
||||
elif key == "OS_PROJECT_NAME":
|
||||
env_vars["project_name"] = value.strip()
|
||||
elif key == "OS_USER_DOMAIN_NAME":
|
||||
env_vars["user_domain_name"] = value.strip()
|
||||
elif key == "OS_PROJECT_DOMAIN_NAME":
|
||||
env_vars["project_domain_name"] = value.strip()
|
||||
|
||||
process.communicate()
|
||||
|
||||
return env_vars
|
||||
|
||||
|
||||
def _generate_auth(env_vars):
|
||||
loader = loading.get_plugin_loader("password")
|
||||
|
||||
return loader.load_from_options(
|
||||
auth_url=env_vars["auth_url"], username=env_vars["username"],
|
||||
password=env_vars["password"], project_name=env_vars["project_name"],
|
||||
user_domain_name=env_vars["user_domain_name"],
|
||||
project_domain_name=env_vars["project_domain_name"]
|
||||
)
|
||||
|
||||
|
||||
def _create_keystone_client(env_vars):
|
||||
return client.Client(session=session.Session(auth=_generate_auth(env_vars)))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
username = sys.argv[1]
|
||||
password = sys.argv[2]
|
||||
SYSINV_USER_TO_CREATE[0]["password"] = sys.argv[3]
|
||||
admin_username = sys.argv[4]
|
||||
|
||||
env_vars = _retrieve_environment_variables(username, password)
|
||||
ENDPOINTS_TO_CREATE[0]["region"] = env_vars["region_name"]
|
||||
|
||||
keystone = _create_keystone_client(env_vars)
|
||||
|
||||
openstack_config_endpoints.create_users(keystone, SYSINV_USER_TO_CREATE)
|
||||
openstack_config_endpoints.grant_admin_role(
|
||||
keystone, SYSINV_USER_TO_CREATE, "services"
|
||||
)
|
||||
openstack_config_endpoints.create_services(keystone, SERVICES_TO_CREATE)
|
||||
openstack_config_endpoints.create_endpoints(keystone, ENDPOINTS_TO_CREATE)
|
||||
openstack_config_endpoints.set_users_options(
|
||||
keystone, ["sysinv", admin_username], IGNORE_LOCKOUT_FAILURE_ATTEMPTS_OPTION
|
||||
)
|
|
@ -320,10 +320,13 @@
|
|||
for details.
|
||||
when: bootstrap_manifest.rc != 0
|
||||
|
||||
- name: Configure Barbican bootstrap
|
||||
- name: Import barbican bootstrap tasks
|
||||
import_tasks: barbican_bootstrap.yml
|
||||
|
||||
- name: Import mtce bootstrap
|
||||
- name: Import sysinv bootstrap tasks
|
||||
import_tasks: sysinv_bootstrap.yml
|
||||
|
||||
- name: Import mtce bootstrap tasks
|
||||
import_tasks: mtce_bootstrap.yml
|
||||
|
||||
- block:
|
||||
|
@ -338,7 +341,7 @@
|
|||
become_user: postgres
|
||||
when: distributed_cloud_role == 'subcloud'
|
||||
|
||||
- name: Prepare FM Manager
|
||||
- name: Import fm bootstrap tasks
|
||||
import_tasks: fm_bootstrap.yml
|
||||
|
||||
- name: Remove runtime hieradata
|
||||
|
|
|
@ -0,0 +1,176 @@
|
|||
---
|
||||
#
|
||||
# Copyright (c) 2024 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# SUB-TASK DESCRIPTION:
|
||||
# These tasks create and configure sysinv.
|
||||
#
|
||||
# Steps:
|
||||
# - Store sysinv's variables and convert them to a dictionary
|
||||
# - Create the database connection string and setup the database and user
|
||||
# - Setup sysinv's openstack user, role, service and enpoint and set the
|
||||
# ignore_lockout_failure_attempts option to true for both sysinv and admin users
|
||||
# - Update the database's actor_id and user id to match the system controller's
|
||||
# when bootstrapping a subcloud
|
||||
# - Ensure sysinv-agent is running and enabled
|
||||
# - Configure sysinv's group, user and directory
|
||||
# - Generate sysinv.conf and api-paste.ini
|
||||
# - Check controller's software version
|
||||
# - Execute sysinv-dbsync
|
||||
# - Ensure sysinv-api, sysinv-conductor and sysinv-agent are running and enabled
|
||||
|
||||
- name: Retrieve sysinv's variables
|
||||
shell: >-
|
||||
grep -h "sysinv::" secure_static.yaml static.yaml &&
|
||||
grep -h "keystone::roles::admin::admin_tenant:" personality.yaml &&
|
||||
grep -h "platform::client::params::admin_username" static.yaml &&
|
||||
grep -h "platform::client::params::admin_password:" secure_static.yaml &&
|
||||
grep -h "platform::client::params::identity_auth_url" personality.yaml
|
||||
args:
|
||||
chdir: /tmp/puppet/hieradata
|
||||
register: sysinv_variables
|
||||
|
||||
- name: Convert sysinv variables to a dictionary
|
||||
set_fact:
|
||||
sysinv_var_dict: "{{ sysinv_variables.stdout | from_yaml }}"
|
||||
|
||||
- name: Create database connection string
|
||||
set_fact:
|
||||
database_connection: "{{ sysinv_var_dict['sysinv::database_connection'] |
|
||||
regex_replace('^postgresql:', 'postgresql+psycopg2:') }}"
|
||||
|
||||
- name: Ensure PostgreSQL database and user are created
|
||||
postgresql_db:
|
||||
name: sysinv
|
||||
state: present
|
||||
|
||||
- name: Set PostgreSQL user password
|
||||
postgresql_user:
|
||||
db: sysinv
|
||||
name: "{{ sysinv_var_dict['sysinv::db::postgresql::user'] }}"
|
||||
password: "{{ sysinv_var_dict['sysinv::db::postgresql::password'] }}"
|
||||
priv: ALL
|
||||
|
||||
- name: Create sysinv endpoints
|
||||
script: >
|
||||
create_sysinv_endpoints.py {{ OS_USERNAME }} {{ OS_PASSWORD }} {{ sysinv_password }} {{ admin_username }}
|
||||
vars:
|
||||
- OS_USERNAME: "{{ sysinv_var_dict['keystone::roles::admin::admin_tenant'] }}"
|
||||
- OS_PASSWORD: "{{ sysinv_var_dict['platform::client::params::admin_password'] }}"
|
||||
- sysinv_password: "{{ sysinv_var_dict['sysinv::api::keystone_password'] }}"
|
||||
- admin_username: "{{ sysinv_var_dict['platform::client::params::admin_username'] }}"
|
||||
|
||||
- block:
|
||||
- name: Retrieve dc_sysinv_user_id_dict
|
||||
command: grep -h "platform::sysinv::bootstrap::dc_sysinv_user_id" static.yaml
|
||||
args:
|
||||
chdir: /tmp/puppet/hieradata
|
||||
register: dc_sysinv_user_id_yaml
|
||||
|
||||
- name: Store dc_sysinv_user_id_dict
|
||||
set_fact:
|
||||
dc_sysinv_user_id_dict: "{{ dc_sysinv_user_id_yaml.stdout | from_yaml }}"
|
||||
|
||||
- name: Store dc_sysinv_user_id
|
||||
set_fact:
|
||||
dc_sysinv_user_id: "{{ dc_sysinv_user_id_dict['platform::sysinv::bootstrap::dc_sysinv_user_id'] }}"
|
||||
|
||||
- name: Update keystone sysinv assignment actor_id to match system controller
|
||||
command: >-
|
||||
psql -d keystone -c "update public.assignment set actor_id='{{ dc_sysinv_user_id }}'
|
||||
from public.local_user where public.assignment.actor_id=public.local_user.user_id and
|
||||
public.local_user.name='sysinv'"
|
||||
become_user: postgres
|
||||
|
||||
# The create_sysinv_endpoints.py as the last step, configures the
|
||||
# ignore_lockout_failure_attempts option for both the sysinv and admin users,
|
||||
# which creates entries in the public.user_option table.
|
||||
# Because its foreign key does not have the on update cascade configuration,
|
||||
# it's necessary to remove it, update the tables and recreate the constraint.
|
||||
- name: Update keystone sysinv user id to match system controller
|
||||
command: >-
|
||||
psql -d keystone
|
||||
-c "alter table public.user_option drop constraint user_option_user_id_fkey"
|
||||
-c "update public.user_option set user_id='{{ dc_sysinv_user_id }}' from
|
||||
public.local_user where public.local_user.user_id=public.user_option.user_id
|
||||
and public.local_user.name='sysinv'"
|
||||
-c "update public.user set id='{{ dc_sysinv_user_id }}'
|
||||
from public.local_user where public.user.id=public.local_user.user_id and
|
||||
public.local_user.name='sysinv'"
|
||||
-c "alter table public.user_option add constraint user_option_user_id_fkey
|
||||
foreign key (user_id) references public."user"(id) on delete cascade"
|
||||
become_user: postgres
|
||||
when: distributed_cloud_role == "subcloud"
|
||||
|
||||
- name: Configure sysinv group
|
||||
group:
|
||||
name: sysinv
|
||||
state: present
|
||||
gid: 168
|
||||
|
||||
- name: Configure sysinv user
|
||||
user:
|
||||
name: sysinv
|
||||
state: present
|
||||
comment: sysinv Daemons
|
||||
group: sysinv
|
||||
groups: nobody, sysinv, sys_protected
|
||||
home: /var/lib/sysinv
|
||||
shell: /sbin/nologin
|
||||
uid: 168
|
||||
|
||||
- name: Configure sysinv directory
|
||||
file:
|
||||
path: /etc/sysinv
|
||||
state: directory
|
||||
owner: sysinv
|
||||
group: sysinv
|
||||
mode: 0750
|
||||
|
||||
- name: Generate sysinv.conf
|
||||
template:
|
||||
src: sysinv/sysinv.conf.j2
|
||||
dest: /etc/sysinv/sysinv.conf
|
||||
owner: sysinv
|
||||
group: sysinv
|
||||
mode: 0600
|
||||
|
||||
- name: Generate api-paste.ini
|
||||
template:
|
||||
src: sysinv/api-paste.ini.j2
|
||||
dest: /etc/sysinv/api-paste.ini
|
||||
owner: sysinv
|
||||
group: sysinv
|
||||
mode: 0600
|
||||
|
||||
- name: Check if controllers software version mismatch
|
||||
command: echo $CONTROLLER_SW_VERSIONS_MISMATCH
|
||||
register: controller_sw_versions_mismatch
|
||||
|
||||
- name: Execute sysinv-dbsync
|
||||
command:
|
||||
cmd: sysinv-dbsync
|
||||
chdir: /usr/bin
|
||||
become: true
|
||||
become_user: sysinv
|
||||
when: controller_sw_versions_mismatch.stdout != 'true'
|
||||
|
||||
- name: Ensure sysinv-api service is running and enabled
|
||||
service:
|
||||
name: sysinv-api
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: Ensure sysinv-conductor service is running and enabled
|
||||
systemd:
|
||||
name: sysinv-conductor
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: Ensure sysinv-agent service is running and enabled
|
||||
service:
|
||||
name: sysinv-agent
|
||||
state: started
|
||||
enabled: yes
|
|
@ -9,4 +9,4 @@ acl_public_routes={{ acl_public_routes }}
|
|||
paste.filter_factory={{ authtoken_filter_factory }}
|
||||
|
||||
[app:api_v1]
|
||||
paste.app_factory={{ app_factory }}
|
||||
paste.app_factory={{ app_factory }}
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
[filter:authtoken]
|
||||
region_name=
|
||||
auth_url=http://localhost:5000
|
||||
auth_uri=http://localhost:5000
|
||||
project_name=services
|
||||
username=sysinv
|
||||
password={{ sysinv_var_dict['sysinv::api::keystone_password'] }}
|
||||
user_domain_name=Default
|
||||
project_domain_name=Default
|
|
@ -0,0 +1,86 @@
|
|||
[lldp]
|
||||
drivers=ldpd
|
||||
|
||||
[DEFAULT]
|
||||
control_exchange=openstack
|
||||
verbose=True
|
||||
debug=False
|
||||
api_paste_config=/etc/sysinv/api-paste.ini
|
||||
syslog_log_facility=local6
|
||||
sysinv_api_port=6385
|
||||
MTC_INV_LABEL=/v1/hosts/
|
||||
logging_context_format_string=sysinv %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
|
||||
logging_default_format_string=sysinv %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
|
||||
sysinv_api_bind_ip=::
|
||||
auth_strategy=keystone
|
||||
sysinv_api_pxeboot_ip=
|
||||
sysinv_api_workers=1
|
||||
|
||||
[database]
|
||||
connection={{ database_connection }}
|
||||
connection_recycle_time=60
|
||||
max_pool_size=1
|
||||
max_overflow=64
|
||||
|
||||
[journal]
|
||||
journal_max_size=51200
|
||||
journal_min_size=1024
|
||||
journal_default_size=1024
|
||||
|
||||
[keystone_authtoken]
|
||||
region_name=
|
||||
auth_url=http://localhost:5000
|
||||
auth_uri=http://localhost:5000
|
||||
auth_type=password
|
||||
project_name=services
|
||||
username=sysinv
|
||||
password={{ sysinv_var_dict['sysinv::keystone::auth::password'] }}
|
||||
user_domain_name=Default
|
||||
project_domain_name=Default
|
||||
interface=internal
|
||||
|
||||
[openstack_keystone_authtoken]
|
||||
region_name=
|
||||
neutron_region_name=
|
||||
cinder_region_name=
|
||||
nova_region_name=
|
||||
barbican_region_name=
|
||||
auth_url=http://localhost:5000
|
||||
auth_uri=http://localhost:5000
|
||||
auth_type=password
|
||||
project_name=admin
|
||||
username=admin
|
||||
user_domain_name=Default
|
||||
project_domain_name=Default
|
||||
keyring_service=CGCS
|
||||
|
||||
[fm]
|
||||
catalog_info=faultmanagement:fm:internalURL
|
||||
os_region_name=
|
||||
|
||||
[fernet_repo]
|
||||
key_repository=/opt/platform/keystone/fernet-keys
|
||||
|
||||
[conductor_periodic_task_intervals]
|
||||
default=60
|
||||
agent_update_request=60
|
||||
kubernetes_local_secrets=86400
|
||||
deferred_runtime_config=60
|
||||
controller_config_active_apply=60
|
||||
upgrade_status=180
|
||||
install_states=60
|
||||
kubernetes_labels=180
|
||||
image_conversion=60
|
||||
storage_backend_failure=400
|
||||
k8s_application=60
|
||||
device_image_update=300
|
||||
k8s_cluster_health=180
|
||||
|
||||
[agent_periodic_task_intervals]
|
||||
default=60
|
||||
inventory_audit=60
|
||||
lldp_audit=300
|
||||
|
||||
[app_framework]
|
||||
fluxcd_hr_reconcile_check_delay=60
|
||||
missing_auto_update=True
|
Loading…
Reference in New Issue