Merge "Cleanup files and templates using smart sources"
This commit is contained in:
Zuul
Gerrit Code Review
commit
adf9af4998
@ -1,13 +0,0 @@
|
||||
# nova-rootwrap command filters for api-metadata nodes
|
||||
# This is needed on nova-api hosts running with "metadata" in enabled_apis
|
||||
# or when running nova-api-metadata
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[Filters]
|
||||
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
|
||||
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
@ -1,158 +0,0 @@
|
||||
# nova-rootwrap command filters for compute nodes
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[Filters]
|
||||
|
||||
# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
|
||||
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
|
||||
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
||||
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
||||
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
||||
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
||||
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
||||
ip: CommandFilter, ip, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
|
||||
# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
|
||||
tunctl: CommandFilter, tunctl, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
||||
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
||||
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# nova/network/linux_net.py: 'ivs-ctl', ....
|
||||
ivs-ctl: CommandFilter, ivs-ctl, root
|
||||
|
||||
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
|
||||
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
|
||||
iscsiadm: CommandFilter, iscsiadm, root
|
||||
|
||||
# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
|
||||
# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
|
||||
aoe-revalidate: CommandFilter, aoe-revalidate, root
|
||||
aoe-discover: CommandFilter, aoe-discover, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
|
||||
pygrub: CommandFilter, pygrub, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
|
||||
fdisk: CommandFilter, fdisk, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
|
||||
# nova/virt/disk/api.py: e2fsck, -f, -p, image
|
||||
e2fsck: CommandFilter, e2fsck, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
|
||||
# nova/virt/disk/api.py: resize2fs, image
|
||||
resize2fs: CommandFilter, resize2fs, root
|
||||
|
||||
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
|
||||
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
||||
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
||||
arping: CommandFilter, arping, root
|
||||
|
||||
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
||||
dhcp_release: CommandFilter, dhcp_release, root
|
||||
|
||||
# nova/network/linux_net.py: 'kill', '-9', pid
|
||||
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
||||
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
||||
|
||||
# nova/network/linux_net.py: 'kill', pid
|
||||
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
||||
|
||||
# nova/network/linux_net.py: dnsmasq call
|
||||
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
||||
|
||||
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
||||
radvd: CommandFilter, radvd, root
|
||||
|
||||
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
||||
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
||||
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
||||
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
||||
brctl: CommandFilter, brctl, root
|
||||
|
||||
# nova/virt/libvirt/utils.py: 'mkswap'
|
||||
# nova/virt/xenapi/vm_utils.py: 'mkswap'
|
||||
mkswap: CommandFilter, mkswap, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py: 'mkfs'
|
||||
# nova/utils.py: 'mkfs', fs, path, label
|
||||
mkfs: CommandFilter, mkfs, root
|
||||
|
||||
# nova/virt/libvirt/utils.py: 'qemu-img'
|
||||
qemu-img: CommandFilter, qemu-img, root
|
||||
|
||||
# nova/virt/disk/api.py:
|
||||
mkfs.ext3: CommandFilter, mkfs.ext3, root
|
||||
mkfs.ext4: CommandFilter, mkfs.ext4, root
|
||||
mkfs.ntfs: CommandFilter, mkfs.ntfs, root
|
||||
|
||||
# os-brick needed commands
|
||||
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
|
||||
multipath: CommandFilter, multipath, root
|
||||
# multipathd show status
|
||||
multipathd: CommandFilter, multipathd, root
|
||||
systool: CommandFilter, systool, root
|
||||
vgc-cluster: CommandFilter, vgc-cluster, root
|
||||
# os_brick/initiator/connector.py
|
||||
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
|
||||
|
||||
# TODO(smcginnis) Temporary fix.
|
||||
# Need to pull in os-brick os-brick.filters file instead and clean
|
||||
# out stale brick values from this file.
|
||||
scsi_id: CommandFilter, /lib/udev/scsi_id, root
|
||||
# os_brick.privileged.default oslo.privsep context
|
||||
# This line ties the superuser privs with the config files, context name,
|
||||
# and (implicitly) the actual python code invoked.
|
||||
privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
|
||||
privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
|
||||
|
||||
# nova/virt/libvirt/storage/dmcrypt.py:
|
||||
cryptsetup: CommandFilter, cryptsetup, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py:
|
||||
xenstore-read: CommandFilter, xenstore-read, root
|
||||
|
||||
# nova/virt/libvirt/utils.py:
|
||||
rbd: CommandFilter, rbd, root
|
||||
|
||||
# nova/virt/libvirt/volume/volume.py: 'cp', '/dev/stdin', delete_control..
|
||||
cp: CommandFilter, cp, root
|
||||
|
||||
# nova/virt/xenapi/vm_utils.py:
|
||||
sync: CommandFilter, sync, root
|
||||
|
||||
# nova/virt/libvirt/volume/vzstorage.py
|
||||
pstorage-mount: CommandFilter, pstorage-mount, root
|
||||
@ -1,91 +0,0 @@
|
||||
# nova-rootwrap command filters for network nodes
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[Filters]
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
|
||||
# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
|
||||
# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
|
||||
# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
|
||||
# nova/network/linux_net.py: 'ip', 'route', 'add', ..
|
||||
# nova/network/linux_net.py: 'ip', 'route', 'del', .
|
||||
# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
|
||||
ip: CommandFilter, ip, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
|
||||
# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
|
||||
# nova/network/linux_net.py: 'ovs-vsctl', ....
|
||||
ovs-vsctl: CommandFilter, ovs-vsctl, root
|
||||
|
||||
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'ivs-ctl', ...
|
||||
# nova/virt/libvirt/vif.py: 'ivs-ctl', 'del-port', ...
|
||||
# nova/network/linux_net.py: 'ivs-ctl', ....
|
||||
ivs-ctl: CommandFilter, ivs-ctl, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'ifc_ctl', ...
|
||||
ifc_ctl: CommandFilter, /opt/pg/bin/ifc_ctl, root
|
||||
|
||||
# nova/network/linux_net.py: 'ebtables', '-D' ...
|
||||
# nova/network/linux_net.py: 'ebtables', '-I' ...
|
||||
ebtables: CommandFilter, ebtables, root
|
||||
ebtables_usr: CommandFilter, ebtables, root
|
||||
|
||||
# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
|
||||
# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
|
||||
# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
|
||||
arping: CommandFilter, arping, root
|
||||
|
||||
# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
|
||||
dhcp_release: CommandFilter, dhcp_release, root
|
||||
|
||||
# nova/network/linux_net.py: 'kill', '-9', pid
|
||||
# nova/network/linux_net.py: 'kill', '-HUP', pid
|
||||
kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
|
||||
|
||||
# nova/network/linux_net.py: 'kill', pid
|
||||
kill_radvd: KillFilter, root, /usr/sbin/radvd
|
||||
|
||||
# nova/network/linux_net.py: dnsmasq call
|
||||
dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
|
||||
|
||||
# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
|
||||
radvd: CommandFilter, radvd, root
|
||||
|
||||
# nova/network/linux_net.py: 'brctl', 'addbr', bridge
|
||||
# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
|
||||
# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
|
||||
# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
|
||||
brctl: CommandFilter, brctl, root
|
||||
|
||||
# nova/network/linux_net.py: 'sysctl', ....
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
|
||||
# nova/network/linux_net.py: 'conntrack'
|
||||
conntrack: CommandFilter, conntrack, root
|
||||
|
||||
# nova/network/linux_net.py: 'fp-vdev'
|
||||
fp-vdev: CommandFilter, fp-vdev, root
|
||||
@ -35,26 +35,6 @@
|
||||
- "Restart nova services"
|
||||
- "venv changed"
|
||||
|
||||
# Note (odyssey4me):
|
||||
# The policy.json file is currently read continually by the services
|
||||
# and is not only read on service start. We therefore cannot template
|
||||
# directly to the file read by the service because the new policies
|
||||
# may not be valid until the service restarts. This is particularly
|
||||
# important during a major upgrade. We therefore only put the policy
|
||||
# file in place after the service has been stopped.
|
||||
#
|
||||
- name: Copy new policy file into place
|
||||
copy:
|
||||
src: "/etc/nova/policy.json-{{ nova_venv_tag }}"
|
||||
dest: "/etc/nova/policy.json"
|
||||
owner: "root"
|
||||
group: "{{ nova_system_group_name }}"
|
||||
mode: "0640"
|
||||
remote_src: yes
|
||||
listen:
|
||||
- "Restart nova services"
|
||||
- "venv changed"
|
||||
|
||||
- name: Start services
|
||||
service:
|
||||
name: "{{ item.service_name }}"
|
||||
|
||||
@ -25,42 +25,19 @@
|
||||
- nova-config
|
||||
- nova-post-install
|
||||
|
||||
- name: Generate nova config
|
||||
config_template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "root"
|
||||
# NOTE(cloudnull): This task is required to copy rootwrap filters that we need
|
||||
# and nova does not provide by default.
|
||||
- name: Create aux nova dir
|
||||
file:
|
||||
path: "{{ item.path | default(omit) }}"
|
||||
state: "directory"
|
||||
owner: "{{ item.owner|default(nova_system_user_name) }}"
|
||||
group: "{{ item.group|default(nova_system_group_name) }}"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
mode: "{{ item.mode | default(omit) }}"
|
||||
with_items:
|
||||
- src: "nova.conf.j2"
|
||||
dest: "/etc/nova/nova.conf"
|
||||
config_overrides: "{{ nova_nova_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "rootwrap.conf.j2"
|
||||
dest: "/etc/nova/rootwrap.conf"
|
||||
config_overrides: "{{ nova_rootwrap_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "api-paste.ini.j2"
|
||||
dest: "/etc/nova/api-paste.ini"
|
||||
config_overrides: "{{ nova_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "vendor_data.json.j2"
|
||||
dest: "/etc/nova/vendor_data.json"
|
||||
config_overrides: "{{ nova_vendor_data_overrides }}"
|
||||
config_type: "json"
|
||||
- src: "policy.json.j2"
|
||||
dest: "/etc/nova/policy.json-{{ nova_venv_tag }}"
|
||||
config_overrides: "{{ nova_policy_overrides }}"
|
||||
config_type: "json"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart nova services
|
||||
tags:
|
||||
- nova-config
|
||||
- nova-post-install
|
||||
- path: "/etc/nova/rootwrap.d"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
|
||||
- name: Copy nova rootwrap filter config
|
||||
copy:
|
||||
@ -77,6 +54,78 @@
|
||||
- nova-config
|
||||
- nova-post-install
|
||||
|
||||
- name: Generate nova config
|
||||
config_template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "root"
|
||||
group: "{{ item.group|default(nova_system_group_name) }}"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items:
|
||||
- src: "nova.conf.j2"
|
||||
dest: "/etc/nova/nova.conf"
|
||||
config_overrides: "{{ nova_nova_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "vendor_data.json.j2"
|
||||
dest: "/etc/nova/vendor_data.json"
|
||||
config_overrides: "{{ nova_vendor_data_overrides }}"
|
||||
config_type: "json"
|
||||
notify:
|
||||
- Manage LB
|
||||
- Restart nova services
|
||||
tags:
|
||||
- nova-config
|
||||
- nova-post-install
|
||||
|
||||
- name: Implement policy.json if there are overrides configured
|
||||
copy:
|
||||
content: "{{ nova_policy_overrides | to_nice_json }}"
|
||||
dest: "/etc/nova/policy.json"
|
||||
when:
|
||||
- nova_policy_overrides != {}
|
||||
|
||||
# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
|
||||
# because we only want to copy the original files once. and we
|
||||
# don't want to need multiple tasks.
|
||||
- name: Preserve original configuration file(s)
|
||||
command: "cp {{ item.target_f }} {{ item.target_f }}.original"
|
||||
args:
|
||||
creates: "{{ item.target_f }}.original"
|
||||
with_items: "{{ nova_core_files }}"
|
||||
|
||||
- name: Fetch override files
|
||||
fetch:
|
||||
src: "{{ item.target_f }}"
|
||||
dest: "{{ item.tmp_f }}"
|
||||
flat: yes
|
||||
changed_when: false
|
||||
run_once: true
|
||||
with_items: "{{ nova_core_files }}"
|
||||
|
||||
- name: Copy common config
|
||||
config_template:
|
||||
src: "{{ item.tmp_f }}"
|
||||
dest: "{{ item.target_f }}"
|
||||
owner: "root"
|
||||
group: "{{ item.group | default(nova_system_group_name) }}"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items: "{{ nova_core_files }}"
|
||||
notify:
|
||||
- Restart nova services
|
||||
|
||||
- name: Cleanup fetched temp files
|
||||
file:
|
||||
path: "{{ item.tmp_f }}"
|
||||
state: absent
|
||||
changed_when: false
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
with_items: "{{ nova_core_files }}"
|
||||
|
||||
- name: Remove nova-compute config
|
||||
file:
|
||||
path: /etc/nova/nova-compute.conf
|
||||
|
||||
@ -61,28 +61,68 @@
|
||||
tags:
|
||||
- nova-dirs
|
||||
|
||||
# NOTE(cloudnull): During an upgrade the local directory may exist on a source
|
||||
# install. If the directory does exist it will need to be
|
||||
# removed. This is required on source installs because the
|
||||
# config directory is a link.
|
||||
- name: Source config block
|
||||
block:
|
||||
- name: Stat config directory
|
||||
stat:
|
||||
path: "/etc/nova"
|
||||
register: nova_conf_dir_stat
|
||||
|
||||
- name: Remove the config directory
|
||||
file:
|
||||
path: "/etc/nova"
|
||||
state: absent
|
||||
when:
|
||||
- nova_conf_dir_stat.stat.isdir is defined and
|
||||
nova_conf_dir_stat.stat.isdir
|
||||
when:
|
||||
- nova_install_method == 'source'
|
||||
|
||||
- name: Create nova dir
|
||||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
path: "{{ item.path | default(omit) }}"
|
||||
src: "{{ item.src | default(omit) }}"
|
||||
dest: "{{ item.dest | default(omit) }}"
|
||||
state: "{{ item.state | default('directory') }}"
|
||||
owner: "{{ item.owner|default(nova_system_user_name) }}"
|
||||
group: "{{ item.group|default(nova_system_group_name) }}"
|
||||
mode: "{{ item.mode|default('0755') }}"
|
||||
mode: "{{ item.mode | default('0755') }}"
|
||||
force: "{{ item.force | default(omit) }}"
|
||||
when:
|
||||
- "item.path not in nova_mount_points"
|
||||
- (item.condition | default(true)) | bool
|
||||
- item.path not in nova_mount_points
|
||||
with_items:
|
||||
- { path: "/openstack", owner: "root", group: "root" }
|
||||
- { path: "/etc/nova", mode: "0750" }
|
||||
- { path: "/etc/nova/rootwrap.d", owner: "root", group: "root" }
|
||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||
- { path: "/var/cache/nova" }
|
||||
- { path: "{{ nova_system_home_folder }}" }
|
||||
- { path: "{{ nova_system_home_folder }}/.ssh", mode: "0700" }
|
||||
- { path: "{{ nova_system_home_folder }}/cache/api" }
|
||||
- { path: "{{ nova_system_home_folder }}/instances" }
|
||||
- { path: "{{ nova_libvirt_save_path }}", mode: "0750" }
|
||||
- { path: "{{ nova_lock_path }}" }
|
||||
- { path: "/var/run/nova" }
|
||||
- path: "/openstack"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
- path: "{{ (nova_install_method == 'distro') | ternary('/etc/nova', (nova_bin | dirname) + '/etc/nova') }}"
|
||||
mode: "0755"
|
||||
# NOTE(cloudnull): The "src" path is relative. This ensures all files remain
|
||||
# within the host/container confines when connecting to
|
||||
# them using the connection plugin or the root filesystem.
|
||||
- dest: "/etc/nova"
|
||||
src: "{{ nova_bin | dirname | regex_replace('^/', '../') }}/etc/nova"
|
||||
state: link
|
||||
force: true
|
||||
condition: "{{ nova_install_method == 'source' }}"
|
||||
- path: "/etc/sudoers.d"
|
||||
mode: "0750"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
- path: "/var/cache/nova"
|
||||
- path: "{{ nova_system_home_folder }}"
|
||||
- path: "{{ nova_system_home_folder }}/.ssh"
|
||||
mode: "0700"
|
||||
- path: "{{ nova_system_home_folder }}/cache/api"
|
||||
- path: "{{ nova_system_home_folder }}/instances"
|
||||
- path: "{{ nova_libvirt_save_path }}"
|
||||
mode: "0750"
|
||||
- path: "{{ nova_lock_path }}"
|
||||
- path: "/var/run/nova"
|
||||
tags:
|
||||
- nova-dirs
|
||||
|
||||
|
||||
@ -1,84 +0,0 @@
|
||||
############
|
||||
# Metadata #
|
||||
############
|
||||
[composite:metadata]
|
||||
use = egg:Paste#urlmap
|
||||
/: meta
|
||||
|
||||
[pipeline:meta]
|
||||
pipeline = cors metaapp
|
||||
|
||||
[app:metaapp]
|
||||
paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
|
||||
|
||||
#############
|
||||
# OpenStack #
|
||||
#############
|
||||
|
||||
[composite:osapi_compute]
|
||||
use = call:nova.api.openstack.urlmap:urlmap_factory
|
||||
/: oscomputeversions
|
||||
# v21 is an exactly feature match for v2, except it has more stringent
|
||||
# input validation on the wsgi surface (prevents fuzzing early on the
|
||||
# API). It also provides new features via API microversions which are
|
||||
# opt into for clients. Unaware clients will receive the same frozen
|
||||
# v2 API feature set, but with some relaxed validation
|
||||
/v2: openstack_compute_api_v21_legacy_v2_compatible
|
||||
/v2.1: openstack_compute_api_v21
|
||||
|
||||
[composite:openstack_compute_api_v21]
|
||||
use = call:nova.api.auth:pipeline_factory_v21
|
||||
noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 osapi_compute_app_v21
|
||||
keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext osapi_compute_app_v21
|
||||
|
||||
[composite:openstack_compute_api_v21_legacy_v2_compatible]
|
||||
use = call:nova.api.auth:pipeline_factory_v21
|
||||
noauth2 = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler noauth2 legacy_v2_compatible osapi_compute_app_v21
|
||||
keystone = cors http_proxy_to_wsgi compute_req_id faultwrap request_log sizelimit osprofiler authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21
|
||||
|
||||
[filter:request_log]
|
||||
paste.filter_factory = nova.api.openstack.requestlog:RequestLog.factory
|
||||
|
||||
[filter:compute_req_id]
|
||||
paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
|
||||
|
||||
[filter:faultwrap]
|
||||
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
|
||||
|
||||
[filter:noauth2]
|
||||
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
|
||||
|
||||
[filter:osprofiler]
|
||||
paste.filter_factory = nova.profiler:WsgiMiddleware.factory
|
||||
|
||||
[filter:sizelimit]
|
||||
paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory
|
||||
|
||||
[filter:http_proxy_to_wsgi]
|
||||
paste.filter_factory = oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
|
||||
|
||||
[filter:legacy_v2_compatible]
|
||||
paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory
|
||||
|
||||
[app:osapi_compute_app_v21]
|
||||
paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory
|
||||
|
||||
[pipeline:oscomputeversions]
|
||||
pipeline = cors faultwrap request_log http_proxy_to_wsgi oscomputeversionapp
|
||||
|
||||
[app:oscomputeversionapp]
|
||||
paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
|
||||
|
||||
##########
|
||||
# Shared #
|
||||
##########
|
||||
|
||||
[filter:cors]
|
||||
paste.filter_factory = oslo_middleware.cors:filter_factory
|
||||
oslo_config_project = nova
|
||||
|
||||
[filter:keystonecontext]
|
||||
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
|
||||
|
||||
[filter:authtoken]
|
||||
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
||||
@ -1,2 +0,0 @@
|
||||
{
|
||||
}
|
||||
@ -1,27 +0,0 @@
|
||||
# Configuration for nova-rootwrap
|
||||
# This file should be owned by (and only-writeable by) the root user
|
||||
|
||||
[DEFAULT]
|
||||
# List of directories to load filter definitions from (separated by ',').
|
||||
# These directories MUST all be only writeable by root !
|
||||
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
|
||||
|
||||
# List of directories to search executables in, in case filters do not
|
||||
# explicitly specify a full path (separated by ',')
|
||||
# If not specified, defaults to system PATH environment variable.
|
||||
# These directories MUST all be only writeable by root !
|
||||
exec_dirs={{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin
|
||||
|
||||
# Enable logging to syslog
|
||||
# Default value is False
|
||||
use_syslog=False
|
||||
|
||||
# Which syslog facility to use.
|
||||
# Valid values include auth, authpriv, syslog, local0, local1...
|
||||
# Default value is 'syslog'
|
||||
syslog_log_facility=syslog
|
||||
|
||||
# Which messages to log.
|
||||
# INFO means log all usage
|
||||
# ERROR means only log unsuccessful attempts
|
||||
syslog_log_level=ERROR
|
||||
@ -38,3 +38,21 @@ nova_mount_points: |-
|
||||
{% set _ = mps.append(mp.local_path) %}
|
||||
{% endfor %}
|
||||
{{ mps }}
|
||||
|
||||
_nova_rootwrap_conf_overrides:
|
||||
DEFAULT:
|
||||
filters_path: "/etc/nova/rootwrap.d,/usr/share/nova/rootwrap"
|
||||
exec_dirs: "{{ nova_bin }},/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin"
|
||||
|
||||
nova_core_files:
|
||||
- tmp_f: "/tmp/api-paste.ini"
|
||||
target_f: "/etc/nova/api-paste.ini"
|
||||
config_overrides: "{{ nova_api_paste_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
- tmp_f: "/tmp/rootwrap.conf"
|
||||
target_f: "/etc/nova/rootwrap.conf"
|
||||
config_overrides: "{{ _nova_rootwrap_conf_overrides | combine(nova_rootwrap_conf_overrides, recursive=True) }}"
|
||||
config_type: "ini"
|
||||
owner: "root"
|
||||
group: "{{ nova_system_group_name }}"
|
||||
mode: "0640"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user