summaryrefslogtreecommitdiffstats
path: root/deploy/adapters/ansible/roles/config-osa
diff options
context:
space:
mode:
Diffstat (limited to 'deploy/adapters/ansible/roles/config-osa')
-rw-r--r--deploy/adapters/ansible/roles/config-osa/files/haproxy.yml263
-rwxr-xr-xdeploy/adapters/ansible/roles/config-osa/tasks/main.yml23
-rw-r--r--deploy/adapters/ansible/roles/config-osa/tasks/meters.yml8
-rw-r--r--deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j24
4 files changed, 282 insertions, 16 deletions
diff --git a/deploy/adapters/ansible/roles/config-osa/files/haproxy.yml b/deploy/adapters/ansible/roles/config-osa/files/haproxy.yml
new file mode 100644
index 00000000..3085f6aa
--- /dev/null
+++ b/deploy/adapters/ansible/roles/config-osa/files/haproxy.yml
@@ -0,0 +1,263 @@
+---
+haproxy_default_services:
+ - service:
+ haproxy_service_name: galera
+ haproxy_backend_nodes: "{{ [groups['galera_all'][0]] | default([]) }}" # list expected
+ haproxy_backup_nodes: "{{ groups['galera_all'][1:] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 3306
+ haproxy_balance_type: tcp
+ haproxy_timeout_client: 5000s
+ haproxy_timeout_server: 5000s
+ haproxy_backend_options:
+ - "mysql-check user {{ galera_monitoring_user }}"
+ haproxy_whitelist_networks: "{{ haproxy_galera_whitelist_networks }}"
+ - service:
+ haproxy_service_name: repo_git
+ haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 9418
+ haproxy_balance_type: tcp
+ haproxy_backend_options:
+ - tcp-check
+ haproxy_whitelist_networks: "{{ haproxy_repo_git_whitelist_networks }}"
+ - service:
+ haproxy_service_name: repo_all
+ haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: 8181
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: repo_cache
+ haproxy_backend_nodes: "{{ [groups['repo_all'][0]] | default([]) }}" # list expected
+ haproxy_backup_nodes: "{{ groups['repo_all'][1:] | default([]) }}"
+ haproxy_bind: "{{ [internal_lb_vip_address] }}"
+ haproxy_port: "{{ repo_pkg_cache_port }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /acng-report.html"
+ haproxy_whitelist_networks: "{{ haproxy_repo_cache_whitelist_networks }}"
+ - service:
+ haproxy_service_name: glance_api
+ haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 9292
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk /healthcheck"
+ - service:
+ haproxy_service_name: glance_registry
+ haproxy_backend_nodes: "{{ groups['glance_registry'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 9191
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk /healthcheck"
+ haproxy_whitelist_networks: "{{ haproxy_glance_registry_whitelist_networks }}"
+ - service:
+ haproxy_service_name: gnocchi
+ haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
+ haproxy_port: 8041
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk /healthcheck"
+ - service:
+ haproxy_service_name: heat_api_cfn
+ haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
+ haproxy_port: 8000
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: heat_api_cloudwatch
+ haproxy_backend_nodes: "{{ groups['heat_api_cloudwatch'] | default([]) }}"
+ haproxy_port: 8003
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: heat_api
+ haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
+ haproxy_port: 8004
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: keystone_service
+ haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
+ haproxy_port: 5000
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: "http"
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: keystone_admin
+ haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
+ haproxy_port: 35357
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: "http"
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ haproxy_whitelist_networks: "{{ haproxy_keystone_admin_whitelist_networks }}"
+ - service:
+ haproxy_service_name: neutron_server
+ haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
+ haproxy_port: 9696
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /"
+ - service:
+ haproxy_service_name: nova_api_metadata
+ haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
+ haproxy_port: 8775
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ haproxy_whitelist_networks: "{{ haproxy_nova_metadata_whitelist_networks }}"
+ - service:
+ haproxy_service_name: nova_api_os_compute
+ haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 8774
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: nova_api_placement
+ haproxy_backend_nodes: "{{ groups['nova_api_placement'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 8780
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ haproxy_backend_httpcheck_options:
+ - "expect status 401"
+ - service:
+ haproxy_service_name: nova_console
+ haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: "{{ nova_console_port }}"
+ haproxy_balance_type: http
+ haproxy_timeout_client: 60m
+ haproxy_timeout_server: 60m
+ haproxy_balance_alg: source
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ haproxy_backend_httpcheck_options:
+ - "expect status 404"
+ - service:
+ haproxy_service_name: cinder_api
+ haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 8776
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: horizon
+ haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_ssl_all_vips: true
+ haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"
+ haproxy_backend_port: 80
+ haproxy_redirect_http_port: 80
+ haproxy_balance_type: http
+ haproxy_balance_alg: source
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: sahara_api
+ haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_alg: source
+ haproxy_port: 8386
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk /healthcheck"
+ - service:
+ haproxy_service_name: swift_proxy
+ haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_balance_alg: source
+ haproxy_port: 8080
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk /healthcheck"
+ - service:
+ haproxy_service_name: aodh_api
+ haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 8042
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ haproxy_backend_httpcheck_options:
+ - "expect status 200"
+ - service:
+ haproxy_service_name: ironic_api
+ haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 6385
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /"
+ - service:
+ haproxy_service_name: rabbitmq_mgmt
+ haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 15672
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ haproxy_whitelist_networks: "{{ haproxy_rabbitmq_management_whitelist_networks }}"
+ - service:
+ haproxy_service_name: magnum
+ haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 9511
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /"
+ - service:
+ haproxy_service_name: trove
+ haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 8779
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk HEAD /"
+ - service:
+ haproxy_service_name: barbican
+ haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 9311
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /"
+ - service:
+ haproxy_service_name: designate_api
+ haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 9001
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "forwardfor"
+ - "httpchk /versions"
+ - "httplog"
+ - service:
+ haproxy_service_name: octavia
+ haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}"
+ haproxy_ssl: "{{ haproxy_ssl }}"
+ haproxy_port: 9876
+ haproxy_balance_type: http
+ haproxy_backend_options:
+ - "httpchk GET /"
+ haproxy_whitelist_networks: "{{ haproxy_octavia_whitelist_networks }}"
diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
index d96a83da..2f6186fc 100755
--- a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
@@ -34,6 +34,7 @@
register: checkresult
ignore_errors: "true"
+# yamllint disable rule:line-length
- name: add mariadb local repository
blockinfile:
dest: /etc/openstack_deploy/user_variables.yml
@@ -44,8 +45,8 @@
when:
- checkresult.rc == 0
- offline_deployment is defined and offline_deployment == "Disable"
+ - hostvars[hostvars[inventory_hostname]['groups']['controller'][0]]['local_mirror'] == 'Ubuntu'
-# yamllint disable rule:line-length
- name: add mariadb local repository
blockinfile:
dest: /etc/openstack_deploy/user_variables.yml
@@ -96,7 +97,7 @@
- name: remove repo_build_pip_no_binary
lineinfile:
- dest: /opt/openstack-ansible/playbooks/inventory/group_vars/repo_all.yml
+ dest: /opt/openstack-ansible/group_vars/repo_all.yml
state: absent
regexp: "{{ item }}"
with_items: ['^repo_build_pip_no_binary:', '^ - libvirt-python']
@@ -139,10 +140,10 @@
when: offline_deployment is defined and offline_deployment == "Enable"
# This is a bug in ocata, will be removed in the future
-- name: limit the version of networking-sfc in os_tacker
- shell: |
- sed -i 's/networking-sfc$/networking-sfc=={{ networking_sfc_version }}/g' \
- /etc/ansible/roles/os_tacker/defaults/main.yml
+# - name: limit the version of networking-sfc in os_tacker
+# shell: |
+# sed -i 's/networking-sfc$/networking-sfc=={{ networking_sfc_version }}/g' \
+# /etc/ansible/roles/os_tacker/defaults/main.yml
- name: add rally and tempest to requirement.txt
blockinfile:
@@ -270,10 +271,10 @@
src: repo_fix_pandas.yml
dest: /etc/ansible/roles/repo_build/tasks/repo_fix_pandas.yml
-- name: change repore build
- lineinfile:
- dest: /etc/ansible/roles/repo_build/tasks/main.yml
- insertafter: "^- include: repo_post_build.yml"
- line: "- include: repo_fix_pandas.yml"
+# - name: change repore build
+# lineinfile:
+# dest: /etc/ansible/roles/repo_build/tasks/main.yml
+# insertafter: "^- include: repo_post_build.yml"
+# line: "- include: repo_fix_pandas.yml"
- include: meters.yml
diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml b/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml
index 163fc69d..8f06a884 100644
--- a/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml
+++ b/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml
@@ -8,10 +8,10 @@
# #############################################################################
---
- name: modify the aodh haproxy config
- replace:
- dest: /opt/openstack-ansible/playbooks/vars/configs/haproxy_config.yml
- regexp: '- "expect status 401"'
- replace: '- "expect status 200"'
+ copy:
+ dest: /opt/openstack-ansible/group_vars/all/haproxy.yml
+ src: haproxy.yml
+ mode: 0664
- name: add OS_AUTH_TYPE in openrc
lineinfile:
diff --git a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
index ebd8ff09..a6e69683 100644
--- a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
+++ b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
@@ -38,7 +38,7 @@ nfs_file_gw: False
%}
openstack_host_specific_kernel_modules:
- name: "openvswitch"
- pattern: "CONFIG_OPENVSWITCH="
+ pattern: "CONFIG_OPENVSWITCH"
group: "network_hosts"
neutron_plugin_type: ml2.ovs
@@ -61,3 +61,5 @@ neutron_provider_networks:
{% endfor %}
network_mappings: "{{ ','.join(controller_mappings) }}"
{% endif %}
+
+security_sshd_permit_root_login: no