diff options
Diffstat (limited to 'deploy/adapters/ansible/roles/keystone')
11 files changed, 325 insertions, 104 deletions
diff --git a/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml b/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml index e7e9297e..ea211470 100644 --- a/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml +++ b/deploy/adapters/ansible/roles/keystone/tasks/keystone_config.yml @@ -7,55 +7,90 @@ # http://www.apache.org/licenses/LICENSE-2.0 ############################################################################## --- +- include_vars: "{{ ansible_os_family }}.yml" + - name: keystone-manage db-sync - #keystone_manage: action=dbsync shell: su -s /bin/sh -c 'keystone-manage db_sync' keystone +- name: Check if fernet keys already exist + stat: + path: "/etc/keystone/fernet-keys/0" + register: fernet_keys_0 + +- name: Create fernet keys for Keystone + command: + keystone-manage fernet_setup + --keystone-user keystone + --keystone-group keystone + when: not fernet_keys_0.stat.exists + notify: + - restart keystone services + +- name: Rotate fernet keys for Keystone + command: + keystone-manage fernet_rotate + --keystone-user keystone + --keystone-group keystone + when: fernet_keys_0.stat.exists + notify: + - restart keystone services + +- name: Distribute the fernet key repository + shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \ + -avz \ + --delete \ + /etc/keystone/fernet-keys \ + root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/ + with_items: groups['controller'][1:] + notify: + - restart keystone services + +- name: Check if credential keys already exist + stat: + path: "/etc/keystone/credential-keys/0" + register: credential_keys_0 + +- name: Create credential keys for Keystone + command: + keystone-manage credential_setup + --keystone-user keystone + --keystone-group keystone + when: not credential_keys_0.stat.exists + notify: + - restart keystone services + +- name: Rotate credential keys for Keystone + command: + keystone-manage credential_rotate + --keystone-user keystone + --keystone-group keystone + when: credential_keys_0.stat.exists + notify: + - restart keystone services + +- name: Distribute the credential key repository + shell: rsync -e 'ssh -o StrictHostKeyChecking=no' \ + -avz \ + --delete \ + /etc/keystone/credential-keys \ + root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/ + with_items: groups['controller'][1:] + notify: + - restart keystone services + +- name: Bootstrap the Identity service + shell: + keystone-manage bootstrap \ + --bootstrap-password {{ ADMIN_PASS }} \ + --bootstrap-admin-url http://{{ internal_ip }}:35357/v3/ \ + --bootstrap-internal-url http://{{ internal_ip }}:35357/v3/ \ + --bootstrap-public-url http://{{ internal_ip }}:5000/v3/ + --bootstrap-region-id RegionOne \ + notify: + - restart keystone services + +- meta: flush_handlers + - name: wait for keystone ready - wait_for: port=35357 delay=3 timeout=10 host={{ internal_ip }} - -- name: cron job to purge expired tokens hourly - cron: - name: 'purge expired tokens' - special_time: hourly - job: '/usr/bin/keystone-manage token_flush > /var/log/keystone/keystone-tokenflush.log 2>&1' - -- name: add tenants - keystone_user: - token: "{{ ADMIN_TOKEN }}" - endpoint: "http://{{ internal_ip }}:35357/v2.0" - tenant: "{{ item.tenant }}" - tenant_description: "{{ item.tenant_description }}" - with_items: "{{ os_users }}" - -- name: add users - keystone_user: - token: "{{ ADMIN_TOKEN }}" - endpoint: "http://{{ internal_ip }}:35357/v2.0" - user: "{{ item.user }}" - tenant: "{{ item.tenant }}" - password: "{{ item.password }}" - email: "{{ item.email }}" - with_items: "{{ os_users }}" - -- name: grant roles - keystone_user: - token: "{{ ADMIN_TOKEN }}" - endpoint: "http://{{ internal_ip }}:35357/v2.0" - user: "{{ item.user }}" - role: "{{ item.role }}" - tenant: "{{ item.tenant }}" - with_items: "{{ os_users }}" - -- name: add endpoints - keystone_service: - token: "{{ ADMIN_TOKEN }}" - endpoint: "http://{{ internal_ip }}:35357/v2.0" - name: "{{ item.name }}" - type: "{{ item.type }}" - region: "{{ item.region}}" - description: "{{ item.description }}" - publicurl: "{{ item.publicurl }}" - internalurl: "{{ item.internalurl }}" - adminurl: "{{ item.adminurl }}" - with_items: "{{ os_services }}" + wait_for: port=35357 delay=15 timeout=60 host={{ internal_ip }} + diff --git a/deploy/adapters/ansible/roles/keystone/tasks/keystone_create.yml b/deploy/adapters/ansible/roles/keystone/tasks/keystone_create.yml new file mode 100644 index 00000000..53077776 --- /dev/null +++ b/deploy/adapters/ansible/roles/keystone/tasks/keystone_create.yml @@ -0,0 +1,93 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- name: set keystone endpoint + shell: + . /opt/admin-openrc.sh; + openstack endpoint set \ + --interface public \ + --url {{ item.publicurl }} \ + $(openstack endpoint list | grep keystone | grep public | awk '{print $2}'); + openstack endpoint set \ + --interface internal \ + --url {{ item.internalurl }} \ + $(openstack endpoint list | grep keystone | grep internal | awk '{print $2}'); + openstack endpoint set \ + --interface admin \ + --url {{ item.adminurl }} \ + $(openstack endpoint list | grep keystone | grep admin | awk '{print $2}'); + with_items: "{{ os_services[0:1] }}" + +- name: add service + shell: + . /opt/admin-openrc.sh; + openstack service create \ + --name "{{ item.name }}" + --description "{{ item.description }}" \ + {{ item.type }} + with_items: "{{ os_services[1:] }}" + +- name: add project + shell: + . /opt/admin-openrc.sh; + openstack project create --description "Service Project" service; + openstack project create --domain default --description "Demo Project" demo; + +- name: set admin user + shell: + . /opt/admin-openrc.sh; + openstack user set \ + --email "{{ item.email }}" \ + --project "{{ item.tenant }}" \ + --description "{{ item.tenant_description }}" \ + --password "{{ item.password }}" \ + {{ item.user }} + with_items: "{{ os_users }}" + when: item["user"] == "admin" + +- name: add user + shell: + . /opt/admin-openrc.sh; + openstack user create \ + --email "{{ item.email }}" \ + --project "{{ item.tenant }}" \ + --description "{{ item.tenant_description }}" \ + --password "{{ item.password }}" \ + {{ item.user }} + with_items: "{{ os_users[1:] }}" + +- name: add roles + shell: + . /opt/admin-openrc.sh; + openstack role create {{ item.role }} + with_items: "{{ os_users }}" + when: item["user"] == "demo" + +- name: grant roles + shell: + . /opt/admin-openrc.sh; + openstack role add \ + --project "{{ item.tenant }}" \ + --user "{{ item.user }}" \ + {{ item.role }} + with_items: "{{ os_users }}" + +- name: add endpoints + shell: + . /opt/admin-openrc.sh; + openstack endpoint create \ + --region {{ item.region }} \ + {{ item.name }} public {{ item.publicurl }}; + openstack endpoint create \ + --region {{ item.region }} \ + {{ item.name }} internal {{ item.internalurl }}; + openstack endpoint create \ + --region {{ item.region }} \ + {{ item.name }} admin {{ item.adminurl }}; + with_items: "{{ os_services[1:] }}" diff --git a/deploy/adapters/ansible/roles/keystone/tasks/keystone_install.yml b/deploy/adapters/ansible/roles/keystone/tasks/keystone_install.yml index ea6926f4..757349c5 100644 --- a/deploy/adapters/ansible/roles/keystone/tasks/keystone_install.yml +++ b/deploy/adapters/ansible/roles/keystone/tasks/keystone_install.yml @@ -26,6 +26,16 @@ state=absent when: ansible_os_family == "Debian" +- name: disable boot auto start + file: + path={{ item }} + state=absent + with_items: + - /etc/init.d/keystone + - /etc/init/keystone.conf + - /lib/systemd/system/keystone.service + when: ansible_os_family == "Debian" + - name: generate keystone service list lineinfile: dest=/opt/service create=yes line='{{ item }}' with_items: services | union(services_noarch) @@ -56,7 +66,7 @@ - name: update apache2 configs template: src: wsgi-keystone.conf.j2 - dest: '{{ apache_config_dir }}/sites-available/wsgi-keystone.conf' + dest: '{{ apache_config_dir }}/sites-available/keystone.conf' when: ansible_os_family == 'Debian' notify: - restart keystone services @@ -64,15 +74,15 @@ - name: update apache2 configs template: src: wsgi-keystone.conf.j2 - dest: '{{ apache_config_dir }}/wsgi-keystone.conf' + dest: '{{ apache_config_dir }}/keystone.conf' when: ansible_os_family == 'RedHat' notify: - restart keystone services - name: enable keystone server file: - src: "{{ apache_config_dir }}/sites-available/wsgi-keystone.conf" - dest: "{{ apache_config_dir }}/sites-enabled/wsgi-keystone.conf" + src: "{{ apache_config_dir }}/sites-available/keystone.conf" + dest: "{{ apache_config_dir }}/sites-enabled/keystone.conf" state: "link" when: ansible_os_family == 'Debian' notify: @@ -82,7 +92,7 @@ template: src={{ item }} dest=/opt/{{ item }} with_items: - admin-openrc.sh + - admin-openrc-v2.sh - demo-openrc.sh - - admin-openrc-v3.sh - meta: flush_handlers diff --git a/deploy/adapters/ansible/roles/keystone/tasks/main.yml b/deploy/adapters/ansible/roles/keystone/tasks/main.yml index 21939fa7..ad619d40 100644 --- a/deploy/adapters/ansible/roles/keystone/tasks/main.yml +++ b/deploy/adapters/ansible/roles/keystone/tasks/main.yml @@ -20,4 +20,11 @@ - keystone_config - keystone +- include: keystone_create.yml + when: inventory_hostname == groups['controller'][0] + tags: + - config + - keystone_create + - keystone + - meta: flush_handlers diff --git a/deploy/adapters/ansible/roles/keystone/templates/admin-openrc-v2.sh b/deploy/adapters/ansible/roles/keystone/templates/admin-openrc-v2.sh new file mode 100644 index 00000000..6ba620ff --- /dev/null +++ b/deploy/adapters/ansible/roles/keystone/templates/admin-openrc-v2.sh @@ -0,0 +1,15 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +# Verify the Identity Service installation +export OS_PASSWORD={{ ADMIN_PASS }} +export OS_TENANT_NAME=admin +export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v2.0 +export OS_USERNAME=admin +export OS_VOLUME_API_VERSION=2 + diff --git a/deploy/adapters/ansible/roles/keystone/templates/admin-openrc.sh b/deploy/adapters/ansible/roles/keystone/templates/admin-openrc.sh index 6ba620ff..94d5850f 100644 --- a/deploy/adapters/ansible/roles/keystone/templates/admin-openrc.sh +++ b/deploy/adapters/ansible/roles/keystone/templates/admin-openrc.sh @@ -7,9 +7,12 @@ # http://www.apache.org/licenses/LICENSE-2.0 ############################################################################## # Verify the Identity Service installation -export OS_PASSWORD={{ ADMIN_PASS }} +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default export OS_TENANT_NAME=admin -export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v2.0 +export OS_PROJECT_NAME=admin export OS_USERNAME=admin -export OS_VOLUME_API_VERSION=2 - +export OS_PASSWORD={{ ADMIN_PASS }} +export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v3 +export OS_IDENTITY_API_VERSION=3 +export OS_IMAGE_API_VERSION=2 diff --git a/deploy/adapters/ansible/roles/keystone/templates/demo-openrc.sh b/deploy/adapters/ansible/roles/keystone/templates/demo-openrc.sh index 5807e868..920f42ed 100644 --- a/deploy/adapters/ansible/roles/keystone/templates/demo-openrc.sh +++ b/deploy/adapters/ansible/roles/keystone/templates/demo-openrc.sh @@ -6,8 +6,12 @@ # which accompanies this distribution, and is available at # http://www.apache.org/licenses/LICENSE-2.0 ############################################################################## +export OS_PROJECT_DOMAIN_NAME=default +export OS_USER_DOMAIN_NAME=default +export OS_TENANT_NAME=demo +export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD={{ DEMO_PASS }} -export OS_TENANT_NAME=demo -export OS_AUTH_URL=http://{{ internal_vip.ip }}:35357/v2.0 - +export OS_AUTH_URL=http://{{ internal_vip.ip }}:5000/v3 +export OS_IDENTITY_API_VERSION=3 +export OS_IMAGE_API_VERSION=2 diff --git a/deploy/adapters/ansible/roles/keystone/templates/keystone.conf b/deploy/adapters/ansible/roles/keystone/templates/keystone.conf index 649fc32c..919be344 100644 --- a/deploy/adapters/ansible/roles/keystone/templates/keystone.conf +++ b/deploy/adapters/ansible/roles/keystone/templates/keystone.conf @@ -7,51 +7,52 @@ {% set memcached_servers = memcached_servers|join(',') %} {% set rabbitmq_servers = rabbitmq_servers|join(',') %} [DEFAULT] -admin_token={{ ADMIN_TOKEN }} debug={{ DEBUG }} log_dir = /var/log/keystone [cache] -backend=keystone.cache.memcache_pool -memcache_servers={{ memcached_servers}} +backend = keystone.cache.memcache_pool +memcache_servers = {{ memcached_servers}} enabled=true [revoke] -driver=sql -expiration_buffer=3600 -caching=true +driver = sql +expiration_buffer = 3600 +caching = true [database] connection = mysql://keystone:{{ KEYSTONE_DBPASS }}@{{ db_host }}/keystone?charset=utf8 -idle_timeout=30 -min_pool_size=5 -max_pool_size=120 -pool_timeout=30 +idle_timeout = 30 +min_pool_size = 5 +max_pool_size = 120 +pool_timeout = 30 +[fernet_tokens] +key_repository = /etc/keystone/fernet-keys/ [identity] -default_domain_id=default -driver=sql +default_domain_id = default +driver = sql [assignment] -driver=sql +driver = sql [resource] -driver=sql -caching=true -cache_time=3600 - +driver = sql +caching = true +cache_time = 3600 + [token] -enforce_token_bind=permissive -expiration=43200 -provider=uuid -driver=sql -caching=true -cache_time=3600 +enforce_token_bind = permissive +expiration = 43200 +provider = fernet +driver = sql +caching = true +cache_time = 3600 [eventlet_server] -public_bind_host= {{ identity_host }} -admin_bind_host= {{ identity_host }} +public_bind_host = {{ identity_host }} +admin_bind_host = {{ identity_host }} [oslo_messaging_rabbit] rabbit_userid = {{ RABBIT_USER }} diff --git a/deploy/adapters/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/deploy/adapters/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 index 64d864af..55c89839 100644 --- a/deploy/adapters/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 +++ b/deploy/adapters/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 @@ -1,6 +1,10 @@ - {% set work_threads = (ansible_processor_vcpus + 1) // 2 %} +{% set work_threads = (ansible_processor_vcpus + 1) // 2 %} +{% if work_threads > 10 %} +{% set work_threads = 10 %} +{% endif %} + <VirtualHost {{ internal_ip }}:5000> - WSGIDaemonProcess keystone-public processes={{ work_threads }} threads={{ work_threads }} user=keystone group=keystone display-name=%{GROUP} + WSGIDaemonProcess keystone-public processes=4 threads={{ work_threads }} user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} @@ -23,7 +27,7 @@ </VirtualHost> <VirtualHost {{ internal_ip }}:35357> - WSGIDaemonProcess keystone-admin processes={{ work_threads }} threads={{ work_threads }} user=keystone group=keystone display-name=%{GROUP} + WSGIDaemonProcess keystone-admin processes=4 threads={{ work_threads }} user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} diff --git a/deploy/adapters/ansible/roles/keystone/vars/Debian.yml b/deploy/adapters/ansible/roles/keystone/vars/Debian.yml index b8d8e7c2..89bfbe0a 100644 --- a/deploy/adapters/ansible/roles/keystone/vars/Debian.yml +++ b/deploy/adapters/ansible/roles/keystone/vars/Debian.yml @@ -11,8 +11,11 @@ cron_path: "/var/spool/cron/crontabs" packages: - - keystone + - apache2 + - libapache2-mod-wsgi + - python-keystone - python-openstackclient + - keystone services: - apache2 diff --git a/deploy/adapters/ansible/roles/keystone/vars/main.yml b/deploy/adapters/ansible/roles/keystone/vars/main.yml index 655cd98d..ecaf7b51 100644 --- a/deploy/adapters/ansible/roles/keystone/vars/main.yml +++ b/deploy/adapters/ansible/roles/keystone/vars/main.yml @@ -9,6 +9,7 @@ --- packages_noarch: - python-keystoneclient + - python3-keystoneclient services_noarch: [] os_services: @@ -16,9 +17,9 @@ os_services: type: identity region: RegionOne description: "OpenStack Identity" - publicurl: "http://{{ public_vip.ip }}:5000/v2.0" - internalurl: "http://{{ internal_vip.ip }}:5000/v2.0" - adminurl: "http://{{ internal_vip.ip }}:35357/v2.0" + publicurl: "http://{{ public_vip.ip }}:5000/v3" + internalurl: "http://{{ internal_vip.ip }}:5000/v3" + adminurl: "http://{{ internal_vip.ip }}:35357/v3" - name: glance type: image @@ -32,9 +33,9 @@ os_services: type: compute region: RegionOne description: "OpenStack Compute" - publicurl: "http://{{ public_vip.ip }}:8774/v2/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" - name: neutron type: network @@ -52,29 +53,37 @@ os_services: internalurl: "http://{{ internal_vip.ip }}:8777" adminurl: "http://{{ internal_vip.ip }}:8777" + - name: aodh + type: alarming + region: RegionOne + description: "OpenStack Telemetry" + publicurl: "http://{{ public_vip.ip }}:8042" + internalurl: "http://{{ internal_vip.ip }}:8042" + adminurl: "http://{{ internal_vip.ip }}:8042" + - name: cinder type: volume region: RegionOne description: "OpenStack Block Storage" - publicurl: "http://{{ public_vip.ip }}:8776/v1/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8776/v1/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s" - name: cinderv2 type: volumev2 region: RegionOne description: "OpenStack Block Storage v2" - publicurl: "http://{{ public_vip.ip }}:8776/v2/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8776/v2/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s" - name: heat type: orchestration region: RegionOne description: "OpenStack Orchestration" - publicurl: "http://{{ public_vip.ip }}:8004/v1/%(tenant_id)s" - internalurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s" - adminurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s" + publicurl: "http://{{ public_vip.ip }}:8004/v1/%\\(tenant_id\\)s" + internalurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s" + adminurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s" - name: heat-cfn type: cloudformation @@ -84,6 +93,22 @@ os_services: internalurl: "http://{{ internal_vip.ip }}:8000/v1" adminurl: "http://{{ internal_vip.ip }}:8000/v1" + - name: congress + type: policy + region: RegionOne + description: "OpenStack Policy Service" + publicurl: "http://{{ public_vip.ip }}:1789" + internalurl: "http://{{ internal_vip.ip }}:1789" + adminurl: "http://{{ internal_vip.ip }}:1789" + +# - name: swift +# type: object-store +# region: RegionOne +# description: "OpenStack Object Storage" +# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" +# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" +# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" + os_users: - user: admin password: "{{ ADMIN_PASS }}" @@ -134,6 +159,13 @@ os_users: tenant: service tenant_description: "Service Tenant" + - user: aodh + password: "{{ AODH_PASS }}" + email: aodh@admin.com + role: admin + tenant: service + tenant_description: "Service Tenant" + - user: heat password: "{{ HEAT_PASS }}" email: heat@admin.com @@ -141,9 +173,23 @@ os_users: tenant: service tenant_description: "Service Tenant" + - user: congress + password: "{{ CONGRESS_PASS }}" + email: congress@admin.com + role: admin + tenant: service + tenant_description: "Service Tenant" + - user: demo password: "{{ DEMO_PASS }}" email: heat@demo.com role: heat_stack_user tenant: demo tenant_description: "Demo Tenant" + +# - user: swift +# password: "{{ CINDER_PASS }}" +# email: swift@admin.com +# role: admin +# tenant: service +# tenant_description: "Service Tenant" |