Diffstat (limited to 'deploy/adapters/ansible/roles/config-osa')
-rw-r--r--deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2104
-rw-r--r--deploy/adapters/ansible/roles/config-osa/tasks/fix_pip_version.yml25
-rw-r--r--deploy/adapters/ansible/roles/config-osa/tasks/fix_rescue.yml10
-rwxr-xr-xdeploy/adapters/ansible/roles/config-osa/tasks/main.yml31
-rw-r--r--deploy/adapters/ansible/roles/config-osa/templates/openstack_user_config.yml.j28
-rw-r--r--deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j22
6 files changed, 166 insertions, 14 deletions
diff --git a/deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2 b/deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2
new file mode 100644
index 00000000..1c2443e0
--- /dev/null
+++ b/deploy/adapters/ansible/roles/config-osa/files/chrony.conf.j2
@@ -0,0 +1,104 @@
+# {{ ansible_managed }}
+#
+# This the default chrony.conf file for the Debian chrony package. After
+# editing this file use the command 'invoke-rc.d chrony restart' to make
+# your changes take effect. John Hasler <jhasler@debian.org> 1998-2008
+
+# See www.pool.ntp.org for an explanation of these servers. Please
+# consider joining the project if possible. If you can't or don't want to
+# use these servers I suggest that you try your ISP's nameservers. We mark
+# the servers 'offline' so that chronyd won't try to connect when the link
+# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
+# commands to switch it on when a dialup link comes up and off when it goes
+# down. Code in /etc/init.d/chrony attempts to determine whether or not
+# the link is up at boot time and set the online status accordingly. If
+# you have an always-on connection such as cable omit the 'offline'
+# directive and chronyd will default to online.
+#
+# Note that if Chrony tries to go "online" and dns lookup of the servers
+# fails they will be discarded. Thus under some circumstances it is
+# better to use IP numbers than host names.
+
+{% for ntp_server in security_ntp_servers %}
+server {{ ntp_server }} maxpoll 10 minpoll 8
+{% endfor %}
+
+# Look here for the admin password needed for chronyc. The initial
+# password is generated by a random process at install time. You may
+# change it if you wish.
+
+keyfile /etc/chrony/chrony.keys
+
+# Set runtime command key. Note that if you change the key (not the
+# password) to anything other than 1 you will need to edit
+# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony
+# and /etc/cron.weekly/chrony as these scripts use it to get the password.
+
+commandkey 1
+
+# I moved the driftfile to /var/lib/chrony to comply with the Debian
+# filesystem standard.
+
+driftfile /var/lib/chrony/chrony.drift
+
+# Comment this line out to turn off logging.
+
+log tracking measurements statistics
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+
+maxupdateskew 100.0
+
+# Dump measurements when daemon exits.
+
+dumponexit
+
+# Specify directory for dumping measurements.
+
+dumpdir /var/lib/chrony
+
+# Let computer be a server when it is unsynchronised.
+
+local stratum 10
+
+# Allow computers on the unrouted nets to use the server.
+
+{% for subnet in security_allowed_ntp_subnets %}
+allow {{ subnet }}
+{% endfor %}
+
+# This directive forces `chronyd' to send a message to syslog if it
+# makes a system clock adjustment larger than a threshold value in seconds.
+
+logchange 0.5
+
+# This directive defines an email address to which mail should be sent
+# if chronyd applies a correction exceeding a particular threshold to the
+# system clock.
+
+# mailonchange root@localhost 0.5
+
+# This directive tells chrony to regulate the real-time clock and tells it
+# Where to store related data. It may not work on some newer motherboards
+# that use the HPET real-time clock. It requires enhanced real-time
+# support in the kernel. I've commented it out because with certain
+# combinations of motherboard and kernel it is reported to cause lockups.
+
+# rtcfile /var/lib/chrony/chrony.rtc
+
+# If the last line of this file reads 'rtconutc' chrony will assume that
+# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent
+# chrony will assume local time. The line (if any) was written by the
+# chrony postinst based on what it found in /etc/default/rcS. You may
+# change it if necessary.
+rtconutc
+
+{% if security_ntp_bind_local_interfaces_only | bool %}
+# Listen for NTP requests only on local interfaces.
+port 0
+bindcmdaddress 127.0.0.1
+{% if not security_disable_ipv6 | bool %}
+bindcmdaddress ::1
+{% endif %}
+{% endif %}
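Review bot: The comment above `rtconutc` says chrony reads it only as the last line of the file, but the new `{% if security_ntp_bind_local_interfaces_only | bool %}` block is appended after it, so the comment and the layout contradict each other; as far as I know chronyd does not require the directive to be last, so I'd reword the comment rather than move the block, e.g. `# rtconutc tells chrony the CMOS clock is on UTC; it may appear anywhere in this file.`. Since this template replaces the one shipped by ansible-hardening, it is worth a short header comment noting that `allow` entries come from `security_allowed_ntp_subnets` and that `local stratum 10` will serve time to those subnets even while this host is unsynchronised, so the list should stay limited to the deployment's management networks. Several directives kept from the Debian default (`commandkey`, `dumponexit`, `logchange`) are deprecated or removed in newer chrony releases, I believe in 4.x; if the target distro ships one of those the file should be checked against `chronyd -p`.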
diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/fix_pip_version.yml b/deploy/adapters/ansible/roles/config-osa/tasks/fix_pip_version.yml
new file mode 100644
index 00000000..61d263b4
--- /dev/null
+++ b/deploy/adapters/ansible/roles/config-osa/tasks/fix_pip_version.yml
@@ -0,0 +1,25 @@
+# #############################################################################
+# Copyright (c) 2017 HUAWEI TECHNOLOGIES CO.,LTD and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+# #############################################################################
+---
+- name: copy the repo_fix_andas.yml
+ template:
+ src: repo_fix_pandas.yml
+ dest: /etc/ansible/roles/repo_build/tasks/repo_fix_pandas.yml
+
+- name: fix the python-ldap version
+ lineinfile:
+ dest: /etc/ansible/roles/os_keystone/defaults/main.yml
+ regexp: '^ - python-ldap'
+ line: ' - python-ldap==2.5.2'
+
+- name: add pkgconfig in gnocchi requires pip packages
+ lineinfile:
+ dest: /etc/ansible/roles/repo_build/defaults/main.yml
+ insertafter: "repo_pip_packages:"
+ line: ' - pkgconfig'
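Review bot: The first task name has a typo, `copy the repo_fix_andas.yml`, which should read `copy the repo_fix_pandas.yml` to match the `src`/`dest` it operates on. The hard pin `python-ldap==2.5.2` is written into the os_keystone defaults with no explanation; add a comment such as `# pin: newer python-ldap releases broke the keystone build in this release, see tracking issue (fill in)` so the next maintainer knows when it can be dropped. The `pkgconfig` task uses `insertafter` without a `regexp`, so it relies on the literal `line` not already being present and inserts after the last match of `repo_pip_packages:`; that works for the intended single list but is fragile if that key appears more than once in the defaults file.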
diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/fix_rescue.yml b/deploy/adapters/ansible/roles/config-osa/tasks/fix_rescue.yml
index eea06b48..ff7d4250 100644
--- a/deploy/adapters/ansible/roles/config-osa/tasks/fix_rescue.yml
+++ b/deploy/adapters/ansible/roles/config-osa/tasks/fix_rescue.yml
@@ -41,3 +41,13 @@
dest: "/opt/openstack-ansible/playbooks/lxc-hosts-setup.yml"
regexp: "max_fail_percentage*"
state: absent
+
+- name: fix rescue problem for setup-openstack
+ blockinfile:
+ dest: "/opt/openstack-ansible/playbooks/setup-openstack.yml"
+ block: |
+ - hosts: localhost
+ user: root
+ tasks:
+ - name: Mark setup-openstack completed
+ shell: echo "Setup openstack completed!"
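Review bot: The appended play only needs to print a marker, so running a shell for it is unnecessary and shows as a change on every run; replacing the `shell` task with `debug: msg: "Setup openstack completed!"` gives the same output without spawning a process. The `blockinfile` call uses the default markers, which keeps the append idempotent, but it may be worth naming the block via `marker` so a later task can remove it cleanly. The enclosing task list starts above this hunk.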
diff --git a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
index 49e4e26d..f9eef749 100755
--- a/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
+++ b/deploy/adapters/ansible/roles/config-osa/tasks/main.yml
@@ -7,11 +7,24 @@
# http://www.apache.org/licenses/LICENSE-2.0
# #############################################################################
---
+- name: remove osa log directory if exist
+ file:
+ path: /var/log/osa/
+ state: absent
+
- name: create osa log directory
file:
path: /var/log/osa/
state: directory
+- name: remove osa user secrets if exist
+ shell: cp -rf /opt/openstack-ansible/etc/openstack_deploy/user_secrets.yml /etc/openstack_deploy/
+
+- name: generate the osa password
+ command: python pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml
+ args:
+ chdir: "/opt/openstack-ansible/scripts"
+
- name: disable kernel update in rt_kvm scenario
lineinfile:
dest: /etc/ansible/roles/openstack_hosts/vars/ubuntu-16.04.yml
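Review bot: The task named `remove osa user secrets if exist` actually copies the upstream `user_secrets.yml` over `/etc/openstack_deploy/` and the next task then regenerates every password in it, so each re-run of this role rotates all service credentials of an existing deployment, and the `cp -rf` leaves the file's mode to the umask rather than restricting it. I would use the `copy` module with `remote_src` so the task is idempotent and the secrets file gets an explicit `0600` mode, and guard the generation step so it only runs when the file was just (re)created; the same pattern applies to the unconditional `remove osa log directory if exist` task, which deletes earlier run logs on every invocation. The enclosing task list continues past the hunk.
```yaml
- name: install the upstream user_secrets.yml template if it does not exist yet
  copy:
    src: /opt/openstack-ansible/etc/openstack_deploy/user_secrets.yml
    dest: /etc/openstack_deploy/user_secrets.yml
    remote_src: yes
    force: no
    owner: root
    group: root
    mode: '0600'
  register: osa_user_secrets

- name: generate the osa password
  command: python pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml
  args:
    chdir: "/opt/openstack-ansible/scripts"
  # only on first creation, so re-runs do not rotate credentials of a live deployment
  when: osa_user_secrets is changed
# … unchanged: disable kernel update in rt_kvm scenario …
```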
@@ -88,6 +101,11 @@
delay: 10
when: hostvars[hostvars[inventory_hostname]['groups']['controller'][0]]['local_mirror'] == 'CentOS'
+- name: copy chrony.conf
+ copy:
+ src: chrony.conf.j2
+ dest: /etc/ansible/roles/ansible-hardening/templates/
+
- name: update the directory of chrony key
lineinfile:
dest: /etc/ansible/roles/ansible-hardening/templates/chrony.conf.j2
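Review bot: The `copy chrony.conf` task deliberately uses `copy` rather than `template`, because the file is itself a Jinja template that ansible-hardening renders later; that intent is not obvious and deserves a comment, e.g. `# copy, not template: the Jinja in chrony.conf.j2 must survive for ansible-hardening to render`. The following `update the directory of chrony key` lineinfile edits the file just copied, and the vendored copy already contains `keyfile /etc/chrony/chrony.keys`; I cannot see that task's regexp here, but if it rewrites the same directive the two tasks should be reconciled into the template so the role does not patch its own file. The target path ends in a directory, so a later rename of the source file would silently create a second template rather than replace the upstream one.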
@@ -314,11 +332,6 @@
when:
- "{{ hostvars[inventory_hostname]['groups']['controller'] | length < 2 }}"
-- name: copy the repo_fix_andas.yml
- template:
- src: repo_fix_pandas.yml
- dest: /etc/ansible/roles/repo_build/tasks/repo_fix_pandas.yml
-
# - name: change repore build
# lineinfile:
# dest: /etc/ansible/roles/repo_build/tasks/main.yml
@@ -327,10 +340,8 @@
- include: meters.yml
-- name: fix the python-ldap version
- lineinfile:
- dest: /etc/ansible/roles/os_keystone/defaults/main.yml
- regexp: '^ - python-ldap'
- line: ' - python-ldap==2.5.2'
+# upstream has fix this issue so somments it
+# maybe will use in the furture
+- include: fix_pip_version.yml
- include: fix_rescue.yml
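Review bot: The new comment `upstream has fix this issue so somments it / maybe will use in the furture` says the include is commented out, but `- include: fix_pip_version.yml` on the next line is active, so the comment contradicts the code and will mislead whoever reads this later. Either comment the include out as described or replace the comment with one that states the actual status, e.g. `# pip/python-ldap/pkgconfig workarounds; drop once confirmed fixed upstream`. The same hunk also fixes the spelling (`comments`, `future`) if the comment is kept.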
diff --git a/deploy/adapters/ansible/roles/config-osa/templates/openstack_user_config.yml.j2 b/deploy/adapters/ansible/roles/config-osa/templates/openstack_user_config.yml.j2
index be119fbe..a4f54b43 100644
--- a/deploy/adapters/ansible/roles/config-osa/templates/openstack_user_config.yml.j2
+++ b/deploy/adapters/ansible/roles/config-osa/templates/openstack_user_config.yml.j2
@@ -123,9 +123,11 @@ haproxy_hosts:
{% endfor %}
# rsyslog server
-#log_hosts:
- # log1:
- # ip: 10.1.0.53
+log_hosts:
+{% for host in groups.controller%}
+ {{host}}:
+ ip: {{ hostvars[host]['ansible_ssh_host'] }}
+{% endfor %}
###
### OpenStack
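Review bot: The new `log_hosts` entries render `ip: {{ hostvars[host]['ansible_ssh_host'] }}` unquoted, so an undefined or empty value yields a null `ip` that the OSA inventory will not reject at template time; quoting it, `ip: "{{ hostvars[host]['ansible_ssh_host'] }}"`, makes that a visible empty string instead. `ansible_ssh_host` has been a deprecated alias of `ansible_host` since Ansible 2.0, so `ansible_host` is the safer lookup if the inventory sets either, though I cannot see which one this deployment's inventory defines. The loop header `{% for host in groups.controller%}` is missing the space before `%}`, which the surrounding templates include.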
diff --git a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2 b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
index 5fa999a5..130b5ad1 100644
--- a/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
+++ b/deploy/adapters/ansible/roles/config-osa/templates/user_variables.yml.j2
@@ -65,4 +65,4 @@ neutron_provider_networks:
security_sshd_permit_root_login: yes
security_ntp_servers:
- - 45.79.111.114
+ - {{ ntp_server }}
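Review bot: The new list item `- {{ ntp_server }}` is unquoted, so if `ntp_server` is undefined or empty the rendered file contains a null entry and the chrony template then emits a `server  maxpoll 10 minpoll 8` line with no host; writing it as `- "{{ ntp_server }}"` at least keeps it a string, and a `default` filter or an assert earlier in the role would catch the missing variable. Replacing the previous fixed address with a single configurable server also means the deployment has one time source; if `ntp_server` can be a list it would be better to loop over it here so `security_ntp_servers` keeps more than one entry. The `security_sshd_permit_root_login: yes` context line is pre-existing and not part of this change.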