diff options
Diffstat (limited to 'deploy/adapters/ansible/roles/config-osa')
4 files changed, 282 insertions, 16 deletions
diff --git a/deploy/adapters/ansible/roles/config-osa/files/haproxy.yml b/deploy/adapters/ansible/roles/config-osa/files/haproxy.yml new file mode 100644 index 00000000..3085f6aa --- /dev/null +++ b/deploy/adapters/ansible/roles/config-osa/files/haproxy.yml @@ -0,0 +1,263 @@ +--- +haproxy_default_services: + - service: + haproxy_service_name: galera + haproxy_backend_nodes: "{{ [groups['galera_all'][0]] | default([]) }}" # list expected + haproxy_backup_nodes: "{{ groups['galera_all'][1:] | default([]) }}" + haproxy_bind: "{{ [internal_lb_vip_address] }}" + haproxy_port: 3306 + haproxy_balance_type: tcp + haproxy_timeout_client: 5000s + haproxy_timeout_server: 5000s + haproxy_backend_options: + - "mysql-check user {{ galera_monitoring_user }}" + haproxy_whitelist_networks: "{{ haproxy_galera_whitelist_networks }}" + - service: + haproxy_service_name: repo_git + haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}" + haproxy_bind: "{{ [internal_lb_vip_address] }}" + haproxy_port: 9418 + haproxy_balance_type: tcp + haproxy_backend_options: + - tcp-check + haproxy_whitelist_networks: "{{ haproxy_repo_git_whitelist_networks }}" + - service: + haproxy_service_name: repo_all + haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}" + haproxy_bind: "{{ [internal_lb_vip_address] }}" + haproxy_port: 8181 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: repo_cache + haproxy_backend_nodes: "{{ [groups['repo_all'][0]] | default([]) }}" # list expected + haproxy_backup_nodes: "{{ groups['repo_all'][1:] | default([]) }}" + haproxy_bind: "{{ [internal_lb_vip_address] }}" + haproxy_port: "{{ repo_pkg_cache_port }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /acng-report.html" + haproxy_whitelist_networks: "{{ haproxy_repo_cache_whitelist_networks }}" + - service: + haproxy_service_name: glance_api + haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 9292 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk /healthcheck" + - service: + haproxy_service_name: glance_registry + haproxy_backend_nodes: "{{ groups['glance_registry'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 9191 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk /healthcheck" + haproxy_whitelist_networks: "{{ haproxy_glance_registry_whitelist_networks }}" + - service: + haproxy_service_name: gnocchi + haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}" + haproxy_port: 8041 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk /healthcheck" + - service: + haproxy_service_name: heat_api_cfn + haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}" + haproxy_port: 8000 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: heat_api_cloudwatch + haproxy_backend_nodes: "{{ groups['heat_api_cloudwatch'] | default([]) }}" + haproxy_port: 8003 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: heat_api + haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}" + haproxy_port: 8004 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: keystone_service + haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}" + haproxy_port: 5000 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: "http" + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: keystone_admin + haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}" + haproxy_port: 35357 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: "http" + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_whitelist_networks: "{{ haproxy_keystone_admin_whitelist_networks }}" + - service: + haproxy_service_name: neutron_server + haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}" + haproxy_port: 9696 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk GET /" + - service: + haproxy_service_name: nova_api_metadata + haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}" + haproxy_port: 8775 + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_whitelist_networks: "{{ haproxy_nova_metadata_whitelist_networks }}" + - service: + haproxy_service_name: nova_api_os_compute + haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 8774 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: nova_api_placement + haproxy_backend_nodes: "{{ groups['nova_api_placement'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 8780 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_backend_httpcheck_options: + - "expect status 401" + - service: + haproxy_service_name: nova_console + haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: "{{ nova_console_port }}" + haproxy_balance_type: http + haproxy_timeout_client: 60m + haproxy_timeout_server: 60m + haproxy_balance_alg: source + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_backend_httpcheck_options: + - "expect status 404" + - service: + haproxy_service_name: cinder_api + haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 8776 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: horizon + haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_ssl_all_vips: true + haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}" + haproxy_backend_port: 80 + haproxy_redirect_http_port: 80 + haproxy_balance_type: http + haproxy_balance_alg: source + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: sahara_api + haproxy_backend_nodes: "{{ groups['sahara_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_alg: source + haproxy_port: 8386 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk /healthcheck" + - service: + haproxy_service_name: swift_proxy + haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_balance_alg: source + haproxy_port: 8080 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk /healthcheck" + - service: + haproxy_service_name: aodh_api + haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 8042 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_backend_httpcheck_options: + - "expect status 200" + - service: + haproxy_service_name: ironic_api + haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 6385 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk GET /" + - service: + haproxy_service_name: rabbitmq_mgmt + haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 15672 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_whitelist_networks: "{{ haproxy_rabbitmq_management_whitelist_networks }}" + - service: + haproxy_service_name: magnum + haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 9511 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk GET /" + - service: + haproxy_service_name: trove + haproxy_backend_nodes: "{{ groups['trove_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 8779 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + - service: + haproxy_service_name: barbican + haproxy_backend_nodes: "{{ groups['barbican_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 9311 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk GET /" + - service: + haproxy_service_name: designate_api + haproxy_backend_nodes: "{{ groups['designate_api'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 9001 + haproxy_balance_type: http + haproxy_backend_options: + - "forwardfor" + - "httpchk /versions" + - "httplog" + - service: + haproxy_service_name: octavia + haproxy_backend_nodes: "{{ groups['octavia_all'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 9876 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk GET /" + haproxy_whitelist_networks: "{{ haproxy_octavia_whitelist_networks }}" diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml index d96a83da..2f6186fc 100755 --- a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml +++ b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml @@ -34,6 +34,7 @@ register: checkresult ignore_errors: "true" +# yamllint disable rule:line-length - name: add mariadb local repository blockinfile: dest: /etc/openstack_deploy/user_variables.yml @@ -44,8 +45,8 @@ when: - checkresult.rc == 0 - offline_deployment is defined and offline_deployment == "Disable" + - hostvars[hostvars[inventory_hostname]['groups']['controller'][0]]['local_mirror'] == 'Ubuntu' -# yamllint disable rule:line-length - name: add mariadb local repository blockinfile: dest: /etc/openstack_deploy/user_variables.yml @@ -96,7 +97,7 @@ - name: remove repo_build_pip_no_binary lineinfile: - dest: /opt/openstack-ansible/playbooks/inventory/group_vars/repo_all.yml + dest: /opt/openstack-ansible/group_vars/repo_all.yml state: absent regexp: "{{ item }}" with_items: ['^repo_build_pip_no_binary:', '^ - libvirt-python'] @@ -139,10 +140,10 @@ when: offline_deployment is defined and offline_deployment == "Enable" # This is a bug in ocata, will be removed in the future -- name: limit the version of networking-sfc in os_tacker - shell: | - sed -i 's/networking-sfc$/networking-sfc=={{ networking_sfc_version }}/g' \ - /etc/ansible/roles/os_tacker/defaults/main.yml +# - name: limit the version of networking-sfc in os_tacker +# shell: | +# sed -i 's/networking-sfc$/networking-sfc=={{ networking_sfc_version }}/g' \ +# /etc/ansible/roles/os_tacker/defaults/main.yml - name: add rally and tempest to requirement.txt blockinfile: @@ -270,10 +271,10 @@ src: repo_fix_pandas.yml dest: /etc/ansible/roles/repo_build/tasks/repo_fix_pandas.yml -- name: change repore build - lineinfile: - dest: /etc/ansible/roles/repo_build/tasks/main.yml - insertafter: "^- include: repo_post_build.yml" - line: "- include: repo_fix_pandas.yml" +# - name: change repore build +# lineinfile: +# dest: /etc/ansible/roles/repo_build/tasks/main.yml +# insertafter: "^- include: repo_post_build.yml" +# line: "- include: repo_fix_pandas.yml" - include: meters.yml diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml b/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml index 163fc69d..8f06a884 100644 --- a/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml +++ b/deploy/adapters/ansible/roles/config-osa/tasks/meters.yml @@ -8,10 +8,10 @@ # ############################################################################# --- - name: modify the aodh haproxy config - replace: - dest: /opt/openstack-ansible/playbooks/vars/configs/haproxy_config.yml - regexp: '- "expect status 401"' - replace: '- "expect status 200"' + copy: + dest: /opt/openstack-ansible/group_vars/all/haproxy.yml + src: haproxy.yml + mode: 0664 - name: add OS_AUTH_TYPE in openrc lineinfile: diff --git a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 index ebd8ff09..a6e69683 100644 --- a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 +++ b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 @@ -38,7 +38,7 @@ nfs_file_gw: False %} openstack_host_specific_kernel_modules: - name: "openvswitch" - pattern: "CONFIG_OPENVSWITCH=" + pattern: "CONFIG_OPENVSWITCH" group: "network_hosts" neutron_plugin_type: ml2.ovs @@ -61,3 +61,5 @@ neutron_provider_networks: {% endfor %} network_mappings: "{{ ','.join(controller_mappings) }}" {% endif %} + +security_sshd_permit_root_login: no |