This commit conditionally allows the os_nova role to
install build and deploy within a venv. This is the new
default behavior of the role; however, the functionality
can be disabled.
Implements: blueprint enable-venv-support-within-the-roles
Change-Id: I13cf36058d08934a41b24ccf4f1700321ab00547
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
If a cloned repo contains local modifications, the clone task will
fail. This ensures any local modifications are discarded, ensuring a
successful clone.
Change-Id: Ic5799fe07e15739cc11acabba803e3be47606f94
Closes-Bug: #1506590
This patch includes the following updates based on the updated
source in Nova's Liberty release:
- api-paste.ini
- policy.json
- rootwrap.d/compute.filters
- rootwrap.d/network.filters
The Nova S3 and v3 APIs have been removed in Liberty, so all
related variables and configuration file entries have been
removed.
The Nova EC2 API is deprecated in Liberty. All related variables in
OpenStack-Ansible and configuration files have been removed as all
deployers are recommended to make use of the actively developed
replacement: https://github.com/stackforge/ec2-api
The Nova v2 and v1.1 APIs are enabled using the upstream default
compatibility layer. Neither of these versions will be registered in
the service catalog.
The default API version is set to v2.1. For new environments, no
other API versions are registered in the service catalog.
The following variables have been removed:
- S3 API
  - nova_s3_service_name
  - nova_s3_service_type
  - nova_s3_service_proto
  - nova_s3_service_publicuri_proto
  - nova_s3_service_adminuri_proto
  - nova_s3_service_internaluri_proto
  - nova_s3_service_port
  - nova_s3_service_description
  - nova_s3_service_publicuri
  - nova_s3_service_publicurl
  - nova_s3_service_adminuri
  - nova_s3_service_adminurl
  - nova_s3_service_internaluri
  - nova_s3_service_internalurl
  - nova_s3_program_name
  - nova_s3_deprecated_but_enabled
- EC2 API
  - nova_ec2_service_name
  - nova_ec2_service_type
  - nova_ec2_service_proto
  - nova_ec2_service_publicuri_proto
  - nova_ec2_service_adminuri_proto
  - nova_ec2_service_internaluri_proto
  - nova_ec2_service_port
  - nova_ec2_service_description
  - nova_ec2_service_publicuri
  - nova_ec2_service_publicurl
  - nova_ec2_service_adminuri
  - nova_ec2_service_adminurl
  - nova_ec2_service_internaluri
  - nova_ec2_service_internalurl
  - nova_ec2_program_name
  - nova_ec2_deprecated_but_enabled
- v3 API
  - nova_v3_service_name
  - nova_v3_service_type
  - nova_v3_service_proto
  - nova_v3_service_publicuri_proto
  - nova_v3_service_adminuri_proto
  - nova_v3_service_internaluri_proto
  - nova_v3_service_port
  - nova_v3_service_description
  - nova_v3_service_publicuri
  - nova_v3_service_publicurl
  - nova_v3_service_adminuri
  - nova_v3_service_adminurl
  - nova_v3_service_internaluri
  - nova_v3_service_internalurl
  - nova_v3_deprecated_but_enabled
- v2.1 API
  - nova_v21_service_name -> nova_service_name
  - nova_v21_service_type -> nova_service_type
  - nova_v21_service_proto -> nova_service_proto
  - nova_v21_service_publicuri_proto -> nova_service_publicuri_proto
  - nova_v21_service_adminuri_proto -> nova_service_adminuri_proto
  - nova_v21_service_internaluri_proto -> nova_service_internaluri_proto
  - nova_v21_service_port -> nova_service_port
  - nova_v21_service_description -> nova_service_description
  - nova_v21_service_publicuri -> nova_service_publicuri
  - nova_v21_service_publicurl -> nova_service_publicurl
  - nova_v21_service_adminuri -> nova_service_adminuri
  - nova_v21_service_adminurl -> nova_service_adminurl
  - nova_v21_service_internaluri -> nova_service_internaluri
  - nova_v21_service_internalurl -> nova_service_internalurl
  - nova_v21_enabled
DocImpact
UpgradeImpact
Implements: blueprint liberty-release
Change-Id: Ie5a42059c10e7fd0bfc4dba8d87dea3f32db968e
'ws://' is currently hardcoded within the spice_auto.html file included
in the packaged release of spice-html5, raising a security error when
accessing consoles over HTTPS.
Remove the existing apt package and install spice-html5 from source
instead since this issue has been corrected as of spice-html5-0.1.6.
Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
Partial-Bug: #1424797
This change adds in support for the novnc console type in Nova.
* The change adds in a few new variables to the defaults which allow
for the novnc console to be configured.
* A port entry was added to haproxy to support the console type.
* noVNC is being installed from source in the nova_console container.
The git repo has been added to the openstack_other.yml repo-package file
which allows for the repo to be cloned into the repo containers and then
distributed out where needed from within the environment.
Closes-Bug: 1428833
Change-Id: I221557aad77bf266b4e2fae23007ffa210aa1f75
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This patch adds the variable 'pip_install_options' which is passed to the pip
install module as extra arguments in order to allow the use of options like
'--force-reinstall' when executing playbooks.
eg: openstack-ansible -e pip_install_options="--force-reinstall" \
setup-openstack.yml
This is required due to constant upstream changes in dependencies which
result in python wheel version upgrades and downgrades between tagged
versions of openstack-ansible.
The intention is that this can be used whenever a deployer switches between
tags for both upgrades and downgrades.
DocImpact
Closes-Bug: #1489251
Closes-Bug: #1499451
Related-Bug: #1501114
Change-Id: I996185e009a4c4af4f23798619bdbd0d490360c9
The change modifies the nova template tasks such that it's now
using the config_template action plugin. This change will make it so that
config files can be dynamically updated, by a deployer, at run time,
without requiring the need to modify the in tree templates or defaults.
Partially implements: blueprint tunable-openstack-configuration
Change-Id: I9842ed3fcb2cc4aa379a582359b1ca5d0747f714
Presently all services use the single root virtual host within RabbitMQ
and while this is “OK” for small to mid sized deployments, it
would be better to divide services into logical resource groups within
RabbitMQ which will bring with it additional security. This change set
provides OSAD better compartmentalization of consumer services that use
RabbitMQ.
UpgradeImpact
DocImpact
Change-Id: I6f9d07522faf133f3c1c84a5b9046a55d5789e52
Implements: blueprint compartmentalize-rabbitmq
This PR replaces the copy_update module with a proper Ansible action
plugin. This change allows for dynamic updates to configuration files
that are ini, json, and yaml.
All of the policy files have been moved to the role templates directories
and the task syntax has been updated to facilitate the new action plugin.
An entry has been added to the ansible.cfg file to inform Ansible to look
into the new directory. In order for the action plugin to work as a
"module" a virtual module was added to the library directory.
Change-Id: I80331628b2c3d426a95c89d9c1b766e2e3f70e6d
Partially implements: blueprint tunable-openstack-configuration
This change removes the forced use of config drive to ensure that a user
can choose to use config drive as needed. This adds ability to
disable/enable config drive and allows libvirt to listen for connections
on tcp as needed for live migrations (prohibited otherwise by config drive).
The following new variables were added to os_nova role:
nova_force_config_drive
nova_libvirtd_listen_tls: 1
nova_libvirtd_listen_tcp: 0
nova_libvirtd_auth_tcp: sasl
Change-Id: I1de35a4b3611b8bc33a21930dae3fd38f9aaa151
Closes-Bug: #1468514
DocImpact
This patch ensures that the authorized_keys ansible module, as well as
the built in "generate_ssh_keys" flag for user creation, are used so that we can
avoid using shell out commands.
Additionally, this moves the key synchronisation to use ansible
variables instead of the memcache server.
Change-Id: Icd97ebd44f6065fc60fdce1b61e9dc2daa45faa0
Closes-Bug: #1477512
In order to enable and deploy federated Keystone, we need to use version
3 of the Keystone API and the v3 Keystone Client. This work begins that
transition by having a set of backwards compatible library commands.
Specifically, this commit updates the keystone library to use v3
Keystone Client and the usage of ensure_tenant in the os_keystone tasks
to use the v3 admin url.
In version 3 of Keystone's Endpoints (Catalog) API each endpoint only
has one URL and has separate interface types (public, internal, admin).
This change updates all uses of ensure_endpoint to structure the
endpoint data in a better way for the ensure_endpoint command in the
keystone module. As a result, some incidents where internalurl and
adminurl were swapped have been fixed.
Note:
In new deployments the endpoints will be created using the v3 API and
will therefore not be available via the v2 API. This will be a breaking
change to legacy CLI clients. The openstack CLI should be used instead.
DocImpact
Related-Bug: #1470635
Partially-implements: blueprint keystone-federation
Change-Id: I2cd4f505e850b4b113452abc25ee00d486b1637d
This patch introduces an insecure flag for the Keystone internal
and admin endpoints:
* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure
Both values default to false. If you have setup SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.
This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.
The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.
Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13
This change adds a specific update task to all tasks that call the
apt ansible module. This change was done to ensure that the cache
is updated as expected when instructed to do so. The reason that
the cache update is being removed from the grouping is because
there is an upstream bug that is affecting the process by which
the apt cache is updated when there is a package list to process
within the same task. The work around to make this function as
expected is to move the update into its own task without a package
list.
Upstream Ansible bug:
- https://github.com/ansible/ansible-modules-core/issues/1497
Change-Id: Ic06d89a76d772c12888b4bc4bbf147be58b0c150
Related-Bug: 1464771
To enable partitioning of DB traffic by-service, each service needs to
use a custom connection string. Defaulting the service address to a
common galera_address makes things continue to work by default.
While the galera_address could be overridden on a container or host
basis this requires repeating that behavior across each infra node in
the inventory. Providing service-specific connection address variables
simplifies the management somewhat for large deployments and may reduce
error rates.
The service install playbooks now default the service-specific variables
instead of galera_address to the internal lb vip from inventory to
maintain the ease-of-use currently available.
Any value for a service-specific variable set in user_variables.yml will
override the value in the playbook's vars to provide selective
customization as needed.
Change-Id: I4c98bf906a0c1cb11ddd41277a855dce22ff646a
Closes-Bug: 1462529
This patch adds handler flushing as the last task in each role to ensure
that there are log files present when the rsyslog client configuration
task is executed a little later in the playbook that consumes the role.
Closes-Bug: #1458822
Change-Id: I92a26b620aa7bc0fbe33175594d37da7d5aca7df
Adding support for dynamically updating the policy files for
nova, glance, neutron, cinder and heat. Uses the copy_update
plugin to detect any updates and applies the changes to the default
policy.json
Implements: blueprint dynamically-manage-policy.json
Change-Id: I573229d6f18a5fe32460b2373ab8b2c36ac722b4
In the kilo release the nova v2.1 API is tied to the v3 API, so v3 needs
to be enabled for v2.1 to be enabled as well. This change adds a setting
to control whether the v2.1 API should be enabled or disabled. If v2.1
is enabled then v3 will be enabled as well, but without registering it
with the keystone catalog.
Change-Id: I1e80189bbcbef1dd712cd6a527b5b59aa939e9e1
Closes-Bug: #1445524
Update keystone authentication middleware in nova to
support the v3 API in Kilo.
Partially implements: blueprint master-kilofication
Change-Id: I2f38ed9a5ad82d98596835a59f6852f1bd3d8ffc
* API Versions 1.1 and 3 have been deprecated from nova, plays
have been modified to completely remove v1.1 and make v3
optional via nova_v3_deprecated_but_enabled boolean.
* Addition of v2.1 api configuration.
* Elimination of the unused nova_api_ec2 container.
* nova_spice_console has been renamed to nova_console and
nova_spice_console_container has been renamed to
nova_console_container to facilitate different consoles in
the future.
* Spice has been made the default console.
* A standalone task and init scripts for nova_spice.
- Fixed some typos
- Modified HAProxy role to remove nova_api_ec2 and rename
nova_spice_console to nova_console
- Updated user_secrets.yml
- Unbroke things that I broke
Partially Implements Blueprint: master-kilofication
Change-Id: Ia87dfb1e8c0316103a30e2121f11996a9ca87c25
* Updated Keystone wsgi and paste files from upstream.
* Updated all clients in the openstack_client.yml file.
* Kilo services are tracking the head of master.
* Removed pinned middleware because they're pinned elsewhere.
* Added additional service references for neutron vpnaas, fwaas, and
lbaas which have now been moved into their own repos and no longer
exist within the core neutron repository.
* The neutron vpnaas, fwaas, and lbaas have been removed from the
basic plugins being loaded and a comment has been added to describe
how one might add them back in.
* Updated rootwrap filters for neutron dhcp and l3.
* Updated heat policy.json
* Added the `python-libguestfs` to the nova-compute installation
packages.
* Updates all services to point to the latest kilo tag
Services updated due to deprecated configs:
* Keystone
* Glance
* Nova
* Neutron (is still using the deprecated nova auth plugin)
* Heat
* Tempest
Items for future work post initial release:
* roles/os_neutron/files/post-up-checksum-rules:25:
TODO(cloudnull) remove this script once the bug is fixed.
* roles/rabbitmq_server/tasks/rabbitmq_cluster_join.yml:17:
TODO(someone): implement a more robust way of checking
Implements: blueprint minimal-kilo
Closes-Bug: 1428421
Closes-Bug: 1428431
Closes-Bug: 1428437
Closes-Bug: 1428445
Closes-Bug: 1428451
Closes-Bug: 1428469
Closes-Bug: 1428639
Change-Id: I28a305d9e40a9cf70148ef7d7b00d467a65ca076
The logic within the pre_tasks was too loose. The pre_tasks need
to have a bit more restrictive conditionals. Additionally, the
`lxc-device add` command which is being used always exits 0
even when the device add fails. While the task does not have
issues with running we should be making sure that our changes
are being recorded correctly.
Closes-Bug: 1434945
Change-Id: Icb1707db6bde6c0a26af6bca21a1f88dc3c315a8
We are currently not dropping the included config file, which is
preventing nova from being able to resize/migrate from one host to
another. This change simply drops the config file which we already
have under the os_nova role to the correct location.
Change-Id: I2d054f095bc76c821aa7b87f5f2890037260066a
Closes-Bug: #1429188
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
OpenStack practices.
* Dynamically generated inventory is now more organized; this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the separation of infrastructure pieces. While the old infra_hosts group
will still work, this change allows for groups to be divided up into separate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow separate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and/or were refactored, the repository still relies on an upstream mirror of
OpenStack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and/or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e