Diffstat (limited to 'deploy/adapters/ansible/openstack_mitaka')
16 files changed, 1065 insertions, 1 deletions
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf
new file mode 100755
index 00000000..22a64a66
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.conf
@@ -0,0 +1,37 @@
+description "OpenStack Congress Server"
+author "Thomas Goirand <zigo@debian.org>"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+chdir /var/run
+
+respawn
+respawn limit 20 5
+limit nofile 65535 65535
+
+pre-start script
+ for i in lock run log lib ; do
+ mkdir -p /var/$i/congress
+ chown root /var/$i/congress
+ done
+end script
+
+script
+ [ -x "/usr/local/bin/congress-server" ] || exit 0
+ DAEMON_ARGS=""
+ CONFIG_FILE="/etc/congress/congress.conf"
+ USE_SYSLOG=""
+ USE_LOGFILE=""
+ NO_OPENSTACK_CONFIG_FILE_DAEMON_ARG=""
+ [ -r /etc/default/openstack ] && . /etc/default/openstack
+ [ -r /etc/default/$UPSTART_JOB ] && . /etc/default/$UPSTART_JOB
+ [ "x$USE_SYSLOG" = "xyes" ] && DAEMON_ARGS="$DAEMON_ARGS --use-syslog"
+ [ "x$USE_LOGFILE" != "xno" ] && DAEMON_ARGS="$DAEMON_ARGS --log-file=/var/log/congress/congress.log"
+ [ -z "$NO_OPENSTACK_CONFIG_FILE_DAEMON_ARG" ] && DAEMON_ARGS="$DAEMON_ARGS --config-file=$CONFIG_FILE"
+
+ exec start-stop-daemon --start --chdir /var/lib/congress \
+ --chuid root:root --make-pidfile --pidfile /var/run/congress/congress.pid \
+ --exec /usr/local/bin/congress-server -- ${DAEMON_ARGS}
+end script
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service
new file mode 100755
index 00000000..23db7b0e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/files/congress.service
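Review bot: The job runs the API daemon as root: `--chuid root:root` on the start-stop-daemon line and `chown root /var/$i/congress` in the pre-start script, and the systemd unit added in the same commit (files/congress.service, `User=root` / `Group=root`) does the same. A network-reachable API service should run under an unprivileged account, as the distribution packages of the other OpenStack services do; create a `congress` system user in the install tasks and use `--chuid congress:congress` and `chown congress /var/$i/congress` here, with `User=congress` / `Group=congress` in the unit. A short comment above the two `. /etc/default/...` lines, `# optional site overrides for DAEMON_ARGS`, would make the sourcing step self-explanatory.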
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenStack Congress server
+After=
+
+[Service]
+User=root
+Group=root
+Type=simple
+WorkingDirectory=/var/lib/congress
+PermissionsStartOnly=true
+ExecStartPre=/bin/mkdir -p /var/lock/congress /var/log/congress /var/lib/congress
+ExecStartPre=/usr/bin/touch /var/log/congress/congress.log
+ExecStart=/usr/bin/congress-server --config-file /etc/congress/congress.conf
+Restart=on-failure
+LimitNOFILE=65535
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml
new file mode 100755
index 00000000..cf535a11
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/handlers/main.yml
@@ -0,0 +1,12 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: restart congress services
+ service: name={{ item }} state=restarted enabled=yes
+ with_items: services | union(services_noarch)
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml
new file mode 100755
index 00000000..c5d7cce7
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_debian.yml
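Review bot: The `restart congress services` handler iterates `services | union(services_noarch)`, but the role's vars files added in this commit (vars/Debian.yml and vars/RedHat.yml) define the list under the key `service`, not `services`, so the handler fails with an undefined variable the first time it is notified. Rename the key in both vars files to `services:` (or change the handler to `with_items: service | union(services_noarch)`). Note also that no task in the role notifies this handler; the config tasks start the daemon with `shell: service congress start`, so as committed the handler is dead code.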
@@ -0,0 +1,31 @@
+##############################################################################
+## Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+##
+## All rights reserved. This program and the accompanying materials
+## are made available under the terms of the Apache License, Version 2.0
+## which accompanies this distribution, and is available at
+## http://www.apache.org/licenses/LICENSE-2.0
+###############################################################################
+---
+- name: upgrade openstackclient
+ pip: name=python-openstackclient state=latest
+
+- name: create congress service
+ copy: src=congress.conf dest=/etc/init
+
+- name: create congress service work dir
+ file: path=/var/lib/congress state=directory
+
+- name: link the congress service
+ file:
+ src: /etc/init/congress.conf
+ dest: /etc/init.d/congress
+ state: link
+
+- name: congress db sync
+ shell: /usr/local/bin/congress-db-manage --config-file /etc/congress/congress.conf upgrade head
+ when: inventory_hostname == haproxy_hosts.keys()[0]
+
+- name: start congress service
+ shell: service congress start
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml
new file mode 100755
index 00000000..e922c508
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_config_redhat.yml
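Review bot: `shell: service congress start` at the end of the file, and the identical line in tasks/congress_config_redhat.yml, bypasses Ansible's `service` module and the role's `restart congress services` handler, so the task reports `changed` on every run and never enables the job at boot. Replace it with `service: name=congress state=started enabled=yes`, which also makes the play idempotent. The `link the congress service` task points `/etc/init.d/congress` at the upstart job file itself; on Ubuntu the sysvinit compatibility link for an upstart job conventionally targets `/lib/init/upstart-job` rather than the `.conf`, so this symlink is probably not what makes `service congress start` work and leaves a non-executable file in `/etc/init.d` — worth confirming on a target host before keeping it.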
@@ -0,0 +1,31 @@
+##############################################################################
+## Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+##
+## All rights reserved. This program and the accompanying materials
+## are made available under the terms of the Apache License, Version 2.0
+## which accompanies this distribution, and is available at
+## http://www.apache.org/licenses/LICENSE-2.0
+###############################################################################
+---
+- name: upgrade openstackclient
+ pip: name=python-openstackclient state=latest
+
+- name: create congress service
+ copy: src=congress.service dest=/lib/systemd/system/
+
+- name: create congress service work dir
+ file: path=/var/lib/congress state=directory
+
+- name: link the congress service
+ file:
+ src: /lib/systemd/system/congress.service
+ dest: /etc/systemd/system/multi-user.target.wants/congress.service
+ state: link
+
+- name: congress db sync
+ shell: /usr/bin/congress-db-manage --config-file /etc/congress/congress.conf upgrade head
+ when: inventory_hostname == haproxy_hosts.keys()[0]
+
+- name: start congress service
+ shell: service congress start
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml
new file mode 100755
index 00000000..1883509b
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_db.yml
@@ -0,0 +1,28 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- name: create congress db
+ mysql_db:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: "{{ item.db }}"
+ state: present
+ with_items: "{{ credentials }}"
+
+- name: create congress db user
+ mysql_user:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: "{{ item[0].user }}"
+ password: "{{ item[0].password }}"
+ priv: "*.*:ALL,GRANT"
+ host: "{{ item[1] }}"
+ state: present
+ with_nested:
+ - "{{ credentials }}"
+ - ['%', 'localhost']
+
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml
new file mode 100755
index 00000000..65daff3e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/congress_install.yml
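Review bot: The `create congress db user` task grants `priv: "*.*:ALL,GRANT"` to the congress database account for both `%` and `localhost`, i.e. server-wide privileges with GRANT OPTION for an account whose password is written into a config file on every controller. The service only needs its own schema, so scope the grant to the database named in the same `credentials` item: `priv: "{{ item[0].db }}.*:ALL"`. With that change a leaked congress.conf or a compromised congress host no longer yields access to the other OpenStack databases on the shared MySQL server.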
@@ -0,0 +1,25 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install congress packages
+ pip: name={{ item }} state=present
+ with_items: packages
+
+- name: create congress etc directory
+ file: path=/etc/congress state=directory
+
+- name: update congress conf
+ template: src={{ item }} dest=/etc/congress/{{ item }}
+ backup=yes
+ with_items:
+ - congress.conf
+ - api-paste.ini
+ - policy.json
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml
new file mode 100755
index 00000000..2cbd619c
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/tasks/main.yml
@@ -0,0 +1,20 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+- include: congress_install.yml
+
+- include: congress_db.yml
+ when:
+ - inventory_hostname == haproxy_hosts.keys()[0]
+
+- include: congress_config_debian.yml
+ when: ansible_os_family == "Debian"
+
+- include: congress_config_redhat.yml
+ when: ansible_os_family == "RedHat"
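Review bot: The `update congress conf` task renders templates/congress.conf, which carries `CONGRESS_DBPASS`, `CONGRESS_PASS` and `RABBIT_PASS`, into /etc/congress without `owner`, `group` or `mode`, so the file takes the default umask (typically 0644, world-readable) and `backup=yes` leaves timestamped copies with the same permissions. Add an explicit mode and an owner matching the account the daemon runs as, e.g. `template: src={{ item }} dest=/etc/congress/{{ item }} mode=0640 backup=yes`. The `install congress packages` task also pulls `congress`, `python-congressclient` and `python-cloudfoundryclient` from PyPI with no version pin or constraints file (and the congress_config_*.yml tasks upgrade python-openstackclient with `state=latest`), so each run may install whatever is newest; pinning the Mitaka-era versions would make the deployment reproducible.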
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini
new file mode 100755
index 00000000..39be570b
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/api-paste.ini
@@ -0,0 +1,34 @@
+[composite:congress]
+use = egg:Paste#urlmap
+/: congressversions
+/v1: congress_api_v1
+
+[pipeline:congressversions]
+pipeline = cors catch_errors congressversionapp
+
+[app:congressversionapp]
+paste.app_factory = congress.api.versions:Versions.factory
+
+[composite:congress_api_v1]
+use = call:congress.auth:pipeline_factory
+keystone = cors request_id catch_errors authtoken keystonecontext congress_api
+noauth = cors request_id catch_errors congress_api
+
+[app:congress_api]
+paste.app_factory = congress.service:congress_app_factory
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:catch_errors]
+paste.filter_factory = oslo_middleware:CatchErrors.factory
+
+[filter:keystonecontext]
+paste.filter_factory = congress.auth:CongressKeystoneContext.factory
+
+[filter:authtoken]
+paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = congress
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf
new file mode 100755
index 00000000..0305b418
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/congress.conf
@@ -0,0 +1,510 @@
+{% set memcached_servers = [] %}
+{% set rabbitmq_servers = [] %}
+{% for host in haproxy_hosts.values() %}
+{% set _ = memcached_servers.append('%s:11211'% host) %}
+{% set _ = rabbitmq_servers.append('%s:5672'% host) %}
+{% endfor %}
+{% set memcached_servers = memcached_servers|join(',') %}
+{% set rabbitmq_servers = rabbitmq_servers|join(',') %}
+[DEFAULT]
+
+#
+# From congress
+#
+# The host IP to bind to (string tmq_serversvalue)
+bind_host = {{ internal_ip }}
+
+# The port to bind to (port value)
+# Minimum value: 0
+# Maximum value: 65535
+bind_port = 1789
+
+# Thread pool size for eventlet. (integer value)
+#max_simultaneous_requests = 1024
+
+# Set this to true to enable TCP_KEEALIVE socket option on connections received
+# by the API server. (boolean value)
+#tcp_keepalive = false
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
+# applies if tcp_keepalive is true. Not supported on OS X. (integer value)
+#tcp_keepidle = 600
+
+# The path to the latest policy dump (string value)
+policy_path = /etc/congress/policy.json
+
+# The file containing datasource configuration (string value)
+#datasource_file = <None>
+
+# The absolute path to the congress repo (string value)
+#root_path = <None>
+
+# The number of worker processes to serve the congress API application.
+# (integer value)
+#api_workers = 1
+
+# The API paste config file to use (string value)
+#api_paste_config = api-paste.ini
+
+# The type of authentication to use (string value)
+auth_strategy = keystone
+
+# List of driver class paths to import. 
(list value)
+drivers = congress.datasources.neutronv2_driver.NeutronV2Driver,congress.datasources.glancev2_driver.GlanceV2Driver,congress.datasources.nova_driver.NovaDriver,congress.datasources.keystone_driver.KeystoneDriver,congress.datasources.ceilometer_driver.CeilometerDriver,congress.datasources.cinder_driver.CinderDriver,congress.datasources.swift_driver.SwiftDriver,congress.datasources.plexxi_driver.PlexxiDriver,congress.datasources.vCenter_driver.VCenterDriver,congress.datasources.cloudfoundryv2_driver.CloudFoundryV2Driver,congress.datasources.murano_driver.MuranoDriver,congress.datasources.ironic_driver.IronicDriver
+
+
+# The number of seconds to wait between synchronizing datasource config from
+# the database (integer value)
+#datasource_sync_period = 0
+
+# Sets the flag to False if you don't want the congress to execute actions.
+# (boolean value)
+#enable_execute_action = true
+
+# The flag to use congress new distributed architecture.Don't set it to True in
+# L release since the new architecture is under implementation. (boolean value)
+#distributed_architecture = false
+
+# Explicitly specify the temporary working directory (string value)
+#tempdir = <None>
+
+# Make exception message format errors fatal (boolean value)
+#fatal_exception_format_errors = false
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+debug = True
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. 
Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append = <None>
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+log_file = congress.log
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+log_dir = /var/log/congress
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used. This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# set. (boolean value)
+#use_stderr = true
+
+# Format string to use for log messages with context. 
(string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages when context is undefined. (string
+# value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Additional data to append to log message when logging level for the message
+# is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
+
+# Defines the format string for %(user_identity)s that is used in
+# logging_context_format_string. (string value)
+#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
+
+# List of package logging levels in logger=LEVEL pairs. This option is ignored
+# if log_config_append is set. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+# Enables or disables fatal status of deprecations. 
(boolean value)
+#fatal_deprecations = false
+
+
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request.
+# (list value)
+#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain received in the
+# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
+# slash. Example: https://horizon.example.com (list value)
+#allowed_origin = <None>
+
+# Indicate that the actual request can include user credentials (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
+# Headers. (list value)
+#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list value)
+#allow_methods = GET,PUT,POST,DELETE,PATCH
+
+# Indicate which header field names may be used during the actual request. 
+# (list value)
+#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id
+
+
+[database]
+
+#
+# From oslo.db
+#
+
+# DEPRECATED: The file name to use with SQLite. (string value)
+# Deprecated group/name - [DEFAULT]/sqlite_db
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Should use config option connection or slave_connection to connect
+# the database.
+#sqlite_db = oslo.sqlite
+
+# If True, SQLite uses synchronous mode. (boolean value)
+# Deprecated group/name - [DEFAULT]/sqlite_synchronous
+#sqlite_synchronous = true
+
+# The back end to use for the database. (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend = sqlalchemy
+
+# The SQLAlchemy connection string to use to connect to the database. (string
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+connection = mysql+pymysql://congress:{{ CONGRESS_DBPASS }}@{{ db_host }}/congress
+
+# The SQLAlchemy connection string to use to connect to the slave database.
+# (string value)
+#slave_connection = <None>
+
+# The SQL mode to be used for MySQL sessions. This option, including the
+# default, overrides any server-set SQL mode. To use whatever SQL mode is set
+# by the server configuration, set this to no value. Example: mysql_sql_mode=
+# (string value)
+#mysql_sql_mode = TRADITIONAL
+
+# Timeout before idle SQL connections are reaped. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout = 3600
+
+# Minimum number of SQL connections to keep open in a pool. 
(integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool. Setting a value of
+# 0 indicates no limit. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size = 5
+
+# Maximum number of database connection retries during startup. Set to -1 to
+# specify an infinite retry count. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a SQL connection. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with SQLAlchemy. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow = 50
+
+# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
+# value)
+# Minimum value: 0
+# Maximum value: 100
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add Python stack traces to SQL as comment strings. (boolean value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = false
+
+# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout = <None>
+
+# Enable the experimental use of database reconnect on connection lost.
+# (boolean value)
+#use_db_reconnect = false
+
+# Seconds between retries of a database transaction. (integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. 
(boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+
+[keystone_authtoken]
+
+#
+# From keystonemiddleware.auth_token
+#
+
+# Complete "public" Identity API endpoint. This endpoint should not be an
+# "admin" endpoint, as it should be accessible by all end users.
+# Unauthenticated clients are redirected to this endpoint to authenticate.
+# Although this endpoint should ideally be unversioned, client support in the
+# wild varies. If you're using a versioned v2 endpoint here, then this should
+# *not* be the same endpoint the service user utilizes for validating tokens,
+# because normal end users may not be able to reach that endpoint. (string
+# value)
+auth_uri = http://{{ internal_vip.ip }}:5000
+auth_url = http://{{ internal_vip.ip }}:35357
+memcached_servers = {{ memcached_servers }}
+project_name = service
+password = {{ CONGRESS_PASS }}
+username = congress
+auth_type = password
+# API version of the admin Identity API endpoint. (string value)
+
+# Do not handle authorization requests within the middleware, but delegate the
+# authorization decision to downstream WSGI components. (boolean value)
+#delay_auth_decision = false
+
+# Request timeout value for communicating with Identity API server. (integer
+# value)
+#http_connect_timeout = <None>
+
+# How many times are we trying to reconnect when communicating with Identity
+# API Server. (integer value)
+#http_request_max_retries = 3
+
+# Request environment key where the Swift cache object is stored. When
+# auth_token middleware is deployed with a Swift cache, use this option to have
+# the middleware share a caching backend with swift. 
Otherwise, use the
+# ``memcached_servers`` option instead. (string value)
+#cache = <None>
+
+# Required if identity server requires client certificate (string value)
+#certfile = <None>
+
+# Required if identity server requires client certificate (string value)
+#keyfile = <None>
+
+# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
+# Defaults to system CAs. (string value)
+#cafile = <None>
+
+# Verify HTTPS connections. (boolean value)
+#insecure = false
+
+# The region in which the identity server can be found. (string value)
+#region_name = <None>
+
+# Directory used to cache files related to PKI tokens. (string value)
+#signing_dir = <None>
+
+# Optionally specify a list of memcached server(s) to use for caching. If left
+# undefined, tokens will instead be cached in-process. (list value)
+# Deprecated group/name - [keystone_authtoken]/memcache_servers
+#memcached_servers = <None>
+
+# In order to prevent excessive effort spent validating tokens, the middleware
+# caches previously-seen tokens for a configurable duration (in seconds). Set
+# to -1 to disable caching completely. (integer value)
+#token_cache_time = 300
+
+# Determines the frequency at which the list of revoked tokens is retrieved
+# from the Identity service (in seconds). A high number of revocation events
+# combined with a low cache duration may significantly reduce performance. Only
+# valid for PKI tokens. (integer value)
+#revocation_cache_time = 10
+
+# (Optional) If defined, indicate whether token data should be authenticated or
+# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
+# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
+# cache. If the value is not one of these options or empty, auth_token will
+# raise an exception on initialization. 
(string value)
+# Allowed values: None, MAC, ENCRYPT
+#memcache_security_strategy = None
+
+# (Optional, mandatory if memcache_security_strategy is defined) This string is
+# used for key derivation. (string value)
+#memcache_secret_key = <None>
+
+# (Optional) Number of seconds memcached server is considered dead before it is
+# tried again. (integer value)
+#memcache_pool_dead_retry = 300
+
+# (Optional) Maximum total number of open connections to every memcached
+# server. (integer value)
+#memcache_pool_maxsize = 10
+
+# (Optional) Socket timeout in seconds for communicating with a memcached
+# server. (integer value)
+#memcache_pool_socket_timeout = 3
+
+# (Optional) Number of seconds a connection to memcached is held unused in the
+# pool before it is closed. (integer value)
+#memcache_pool_unused_timeout = 60
+
+# (Optional) Number of seconds that an operation will wait to get a memcached
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout = 10
+
+# (Optional) Use the advanced (eventlet safe) memcached client pool. The
+# advanced pool will only work under python 2.x. (boolean value)
+#memcache_use_advanced_pool = false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog = true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it
+# if not. "strict" like "permissive" but if the bind type is unknown the token
+# will be rejected. "required" any form of token binding is needed to be
+# allowed. Finally the name of a binding method that must be present in tokens. 
+# (string value)
+#enforce_token_bind = permissive
+
+# If true, the revocation list will be checked for cached tokens. This requires
+# that PKI tokens are configured on the identity server. (boolean value)
+#check_revocations_for_cached = false
+
+# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
+# or multiple. The algorithms are those supported by Python standard
+# hashlib.new(). The hashes will be tried in the order given, so put the
+# preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance. (list value)
+#hash_algorithms = md5
+
+# Authentication type to load (string value)
+# Deprecated group/name - [keystone_authtoken]/auth_plugin
+#auth_type = <None>
+
+# Config Section from which to load plugin specific options (string value)
+#auth_section = <None>
+
+
+[oslo_policy]
+
+#
+# From oslo.policy
+#
+
+# The JSON file that defines policies. (string value)
+# Deprecated group/name - [DEFAULT]/policy_file
+#policy_file = policy.json
+
+# Default rule. Enforced when a requested rule is not found. (string value)
+# Deprecated group/name - [DEFAULT]/policy_default_rule
+#policy_default_rule = default
+
+# Directories where policy configuration files are stored. They can be relative
+# to any directory in the search path defined by the config_dir option, or
+# absolute paths. The file defined by policy_file must exist for these
+# directories to be searched. Missing or empty directories are ignored. (multi
+# valued)
+# Deprecated group/name - [DEFAULT]/policy_dirs
+#policy_dirs = policy.d
+
+[oslo_messaging_rabbit]
+rabbit_userid = {{ RABBIT_USER }}
+rabbit_password = {{ RABBIT_PASS }}
+rabbit_hosts = {{ rabbitmq_servers }}
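Review bot: `debug = True` under [DEFAULT] ships DEBUG-level logging in a production template; at that level oslo.log and the keystonemiddleware/requests loggers can write request bodies and token-bearing headers into /var/log/congress/congress.log, which this same file configures via `log_file`/`log_dir`. Set `debug = False` so verbose logging is an explicit, temporary opt-in. The [keystone_authtoken] block sets `auth_type = password` against an unversioned `auth_url` but gives no `user_domain_name`/`project_domain_name`; if version discovery selects Identity v3 the password plugin cannot authenticate without them, so please confirm against the other Mitaka roles in this tree. The comment `# The host IP to bind to (string tmq_serversvalue)` is garbled and should read `(string value)`, and the stray `# API version of the admin Identity API endpoint. (string value)` line after `auth_type` describes no option and should be dropped.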
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json
new file mode 100755
index 00000000..4476051d
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/templates/policy.json
@@ -0,0 +1,6 @@
+{
+ "context_is_admin": "role:admin",
+ "admin_only": "rule:context_is_admin",
+ "regular_user": "",
+ "default": "rule:admin_only"
+}
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml
new file mode 100755
index 00000000..1cc4645e
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/Debian.yml
@@ -0,0 +1,21 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+packages:
+ - congress
+ - python-congressclient
+ - python-cloudfoundryclient
+
+service:
+ - congress
+
+credentials:
+ - user: congress
+ db: congress
+ password: "{{ CONGRESS_DBPASS }}"
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml
new file mode 100755
index 00000000..15916e69
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/RedHat.yml
@@ -0,0 +1,21 @@
+##############################################################################
+## Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+##
+## All rights reserved. This program and the accompanying materials
+## are made available under the terms of the Apache License, Version 2.0
+## which accompanies this distribution, and is available at
+## http://www.apache.org/licenses/LICENSE-2.0
+###############################################################################
+---
+packages:
+ - congress
+ - python-congressclient
+ - python-cloudfoundryclient
+
+service:
+ - congress
+
+credentials:
+ - user: congress
+ db: congress
+ password: "{{ CONGRESS_DBPASS }}"
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml
new file mode 100755
index 00000000..f6fef749
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/congress/vars/main.yml
@@ -0,0 +1,12 @@
+##############################################################################
+# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+packages_noarch: []
+
+services_noarch: []
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg b/deploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg
new file mode 100755
index 00000000..5fbcc9d9
--- /dev/null
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/ha/templates/haproxy.cfg
@@ -0,0 +1,227 @@
+
+global
+ #chroot /var/run/haproxy
+ daemon
+ user haproxy
+ group haproxy
+ maxconn 4000
+ pidfile /var/run/haproxy/haproxy.pid
+ #log 127.0.0.1 local0
+ tune.bufsize 1000000
+ stats socket /var/run/haproxy.sock
+ stats timeout 2m
+
+defaults
+ log global
+ maxconn 8000
+ option redispatch
+ option dontlognull
+ option splice-auto
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 50s
+ timeout server 50s
+ timeout check 10s
+ retries 3
+
+listen proxy-mysql
+ bind {{ internal_vip.ip }}:3306
+ option tcpka
+ option tcplog
+ balance source
+{% for host, ip in haproxy_hosts.items() %}
+{% if loop.index == 1 %}
+ server {{ host }} {{ ip }}:3306 weight 1 check inter 2000 rise 2 fall 5
+{% else %}
+ server {{ host }} {{ ip }}:3306 weight 1 check inter 2000 rise 2 fall 5 backup
+{% endif %}
+{% endfor %}
+
+listen proxy-rabbit
+ bind {{ internal_vip.ip }}:5672
+ bind {{ public_vip.ip }}:5672
+
+ option tcpka
+ option tcplog
+ timeout client 3h
+ timeout server 3h
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:5672 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-glance_registry_cluster
+ bind {{ internal_vip.ip }}:9191
+ bind {{ public_vip.ip }}:9191
+ option tcpka
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:9191 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-glance_api_cluster
+ bind {{ internal_vip.ip }}:9292
+ bind {{ public_vip.ip }}:9292
+ option tcpka
+ option tcplog
+ option httpchk
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:9292 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova-novncproxy
+ bind {{ internal_vip.ip }}:6080
+ bind {{ public_vip.ip }}:6080
+ option tcpka
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:6080 weight 1 check 
inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-network
+ bind {{ internal_vip.ip }}:9696
+ bind {{ public_vip.ip }}:9696
+ option tcpka
+ option tcplog
+ balance source
+ option httpchk
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:9696 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-volume
+ bind {{ internal_vip.ip }}:8776
+ bind {{ public_vip.ip }}:8776
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8776 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-keystone_admin_cluster
+ bind {{ internal_vip.ip }}:35357
+ bind {{ public_vip.ip }}:35357
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:35357 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-keystone_public_internal_cluster
+ bind {{ internal_vip.ip }}:5000
+ bind {{ public_vip.ip }}:5000
+ option tcpka
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:5000 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova_compute_api_cluster
+ bind {{ internal_vip.ip }}:8774
+ bind {{ public_vip.ip }}:8774
+ mode tcp
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8774 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-nova_metadata_api_cluster
+ bind {{ internal_vip.ip }}:8775
+ bind {{ public_vip.ip }}:8775
+ option tcpka
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8775 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-cinder_api_cluster
+ bind {{ internal_vip.ip }}:8776
+ bind {{ public_vip.ip }}:8776
+ mode tcp
+ option httpchk
+ option tcplog
+ balance source
+{% for host,ip in 
haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8776 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+#listen proxy-swift-proxy
+# bind {{ internal_vip.ip }}:8080
+# bind {{ public_vip.ip }}:8080
+# balance source
+# option tcpka
+# option tcplog
+#{% for host,ip in haproxy_hosts.items() %}
+# server {{ host }} {{ ip }}:8080 weight 1 check inter 2000 rise 2 fall 5
+#{% endfor %}
+
+listen proxy-ceilometer_api_cluster
+ bind {{ internal_vip.ip }}:8777
+ bind {{ public_vip.ip }}:8777
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8777 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-aodh_api_cluster
+ bind {{ internal_vip.ip }}:8042
+ bind {{ public_vip.ip }}:8042
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:8042 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-congress_api_cluster
+ bind {{ internal_vip.ip }}:1789
+ bind {{ public_vip.ip }}:1789
+ mode tcp
+ option tcp-check
+ option tcplog
+ balance source
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:1789 weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen proxy-dashboarad
+ bind {{ public_vip.ip }}:80
+ mode http
+ balance source
+ capture cookie vgnvisitor= len 32
+ cookie SERVERID insert indirect nocache
+ option forwardfor
+ option httpchk
+ option httpclose
+ rspidel ^Set-cookie:\ IP=
+{% for host,ip in haproxy_hosts.items() %}
+ server {{ host }} {{ ip }}:80 cookie {{ host }} weight 1 check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen stats
+ mode http
+ bind 0.0.0.0:9999
+ stats enable
+ stats refresh 30s
+ stats uri /
+ stats realm Global\ statistics
+ stats auth admin:admin
+
+
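Review bot: The `listen stats` block at the end binds `0.0.0.0:9999` with a hard-coded `stats auth admin:admin`, so the backend host names, addresses and health state of every OpenStack API are readable from any interface with a default credential. Bind it to the internal VIP and take the credential from the deploy secrets, e.g. `bind {{ internal_vip.ip }}:9999` and `stats auth {{ HAPROXY_STATS_USER }}:{{ HAPROXY_STATS_PASS }}` (variable names are suggestions to be added to the secrets vars). Separately, `proxy-volume` and `proxy-cinder_api_cluster` both bind the two VIPs on 8776 with different options; depending on the haproxy version this either aborts startup on the duplicate bind or silently splits traffic between two proxies, so one block should go. `proxy-rabbit` also binds `{{ public_vip.ip }}:5672`, which exposes the message bus on the public VIP for no visible reason, and `#log 127.0.0.1 local0` is commented out while `defaults` sets `log global`, so none of the `option tcplog` lines produce a record.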
diff --git a/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml b/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml
index b049ee0b..baaf89e1 100644..100755
--- a/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml
+++ b/deploy/adapters/ansible/openstack_mitaka/roles/keystone/vars/main.yml
@@ -92,6 +92,22 @@ os_services:
 internalurl: "http://{{ internal_vip.ip }}:8000/v1"
 adminurl: "http://{{ internal_vip.ip }}:8000/v1"
+ - name: congress
+ type: policy
+ region: RegionOne
+ description: "OpenStack Policy Service"
+ publicurl: "http://{{ public_vip.ip }}:1789"
+ internalurl: "http://{{ internal_vip.ip }}:1789"
+ adminurl: "http://{{ internal_vip.ip }}:1789"
+
+# - name: swift
+# type: object-store
+# region: RegionOne
+# description: "OpenStack Object Storage"
+# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s"
+
 os_users:
 - user: admin
 password: "{{ ADMIN_PASS }}"
@@ -156,9 +172,23 @@ os_users:
 tenant: service
 tenant_description: "Service Tenant"
+ - user: congress
+ password: "{{ CONGRESS_PASS }}"
+ email: congress@admin.com
+ role: admin
+ tenant: service
+ tenant_description: "Service Tenant"
+
 - user: demo
- password: "{{ DEMO_PASS }}"
+ password: ""
 email: heat@demo.com
 role: heat_stack_user
 tenant: demo
 tenant_description: "Demo Tenant"
+
+# - user: swift
+# password: "{{ CINDER_PASS }}"
+# email: swift@admin.com
+# role: admin
+# tenant: service
+# tenant_description: "Service Tenant" |
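Review bot: The second hunk replaces the demo user's `password: "{{ DEMO_PASS }}"` with the literal empty string `""`, which creates a Keystone account with no password (or fails the user task, depending on Keystone's password policy) and is unrelated to adding Congress; restore `password: "{{ DEMO_PASS }}"`. The commented-out swift user carries `password: "{{ CINDER_PASS }}"`, so if it is ever uncommented the object-store service account would share Cinder's secret; either point it at a swift-specific variable or drop the dead block instead of committing it. The file's mode also changes from 100644 to 100755 in this commit, which a vars file does not need.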