diff --git a/defaults/main.yml b/defaults/main.yml
index 632dd07c..46690864 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -55,7 +55,7 @@ glance_bin: "{{ _glance_bin }}"
 # This is used for role access to the db migrations.
 # Example:
 # glance_etc_dir: "/usr/local/etc/glance"
-glance_etc_dir: "{{ _glance_etc }}/glance"
+glance_etc_dir: "/etc/glance"
 # venv_download, even when true, will use the fallback method of building the
 # venv from scratch if the venv download fails.
@@ -313,6 +313,5 @@ glance_glance_registry_conf_overrides: {}
 glance_glance_scrubber_conf_overrides: {}
 glance_glance_scheme_json_overrides: {}
 glance_glance_swift_store_conf_overrides: {}
-glance_glance_rootwrap_conf_overrides: {}
 glance_policy_overrides: {}
 glance_api_uwsgi_ini_overrides: {}
diff --git a/handlers/main.yml b/handlers/main.yml
index bf891d5a..f3ae2d12 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -82,26 +82,6 @@
 - "Restart glance services"
 - "venv changed"
-# Note (odyssey4me):
-# The policy.json file is currently read continually by the services
-# and is not only read on service start. We therefore cannot template
-# directly to the file read by the service because the new policies
-# may not be valid until the service restarts. This is particularly
-# important during a major upgrade. We therefore only put the policy
-# file in place after the service has been stopped.
-#
-- name: Copy new policy file into place
- copy:
- src: "/etc/glance/policy.json-{{ glance_venv_tag }}"
- dest: "/etc/glance/policy.json"
- owner: "root"
- group: "{{ glance_system_group_name }}"
- mode: "0640"
- remote_src: yes
- listen:
- - "Restart glance services"
- - "venv changed"
-
 - name: Start services
 service:
 name: "{{ item.service_name }}"
diff --git a/tasks/glance_install.yml b/tasks/glance_install.yml
index c018d367..849a6e23 100644
--- a/tasks/glance_install.yml
+++ b/tasks/glance_install.yml
@@ -52,22 +52,58 @@
 mode: "0755"
 with_items: "{{ glance_nfs_client }}"
+# NOTE(cloudnull): During an upgrade the local directory may exist on a source
+# install. If the directory does exist it will need to be
+# removed. This is required on source installs because the
+# config directory is a link.
+- name: Source config block
+ block:
+ - name: Stat config directory
+ stat:
+ path: "{{ glance_etc_dir }}"
+ register: glance_conf_dir_stat
+
+ - name: Remove the config directory
+ file:
+ path: "{{ glance_etc_dir }}"
+ state: absent
+ when:
+ - glance_conf_dir_stat.stat.isdir is defined and
+ glance_conf_dir_stat.stat.isdir
+ when:
+ - glance_install_method == 'source'
+
 - name: Create glance directories
 file:
- path: "{{ item.path | realpath }}"
- state: directory
- owner: "{{ item.owner | default(glance_system_user_name) }}"
- group: "{{ item.group | default(glance_system_group_name) }}"
+ path: "{{ item.path | default(omit) }}"
+ src: "{{ item.src | default(omit) }}"
+ dest: "{{ item.dest | default(omit) }}"
+ state: "{{ item.state | default('directory') }}"
+ owner: "{{ item.owner|default(glance_system_user_name) }}"
+ group: "{{ item.group|default(glance_system_group_name) }}"
 mode: "{{ item.mode | default(omit) }}"
+ force: "{{ item.force | default(omit) }}"
 when:
- - "item.path not in glance_mount_points"
+ - (item.condition | default(true)) | bool
+ - (item.dest | default(item.path)) not in glance_mount_points
 with_items:
 - path: "/openstack"
 mode: "0755"
 owner: "root"
 group: "root"
- - path: "/etc/glance"
- mode: "0750"
+ - path: "{{ (glance_install_method == 'distro') | ternary(glance_etc_dir, (glance_bin | dirname) + glance_etc_dir) }}"
+ mode: "0755"
+ # NOTE(cloudnull): The "src" path is relative. This ensures all files remain
+ # within the host/container confines when connecting to
+ # them using the connection plugin or the root filesystem.
+ - dest: "{{ glance_etc_dir }}"
+ src: "{{ glance_bin | dirname | regex_replace('^/', '../') }}/etc/glance"
+ state: link
+ force: true
+ condition: "{{ glance_install_method == 'source' }}"
+ - path: "{{ glance_etc_dir }}/rootwrap.d"
+ owner: "root"
+ group: "root"
 - path: "/var/cache/glance"
 - path: "{{ glance_system_user_home }}"
 - path: "{{ glance_system_user_home }}/cache"
diff --git a/tasks/glance_install_source.yml b/tasks/glance_install_source.yml
index 6ee1da22..aee6571c 100644
--- a/tasks/glance_install_source.yml
+++ b/tasks/glance_install_source.yml
@@ -50,3 +50,9 @@
 - section: "glance"
 option: "venv_tag"
 value: "{{ glance_venv_tag }}"
+
+- name: Link in the os-brick rootwrap filters
+ file:
+ src: "{{ glance_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
+ dest: "{{ glance_etc_dir }}/rootwrap.d/os-brick.filters"
+ state: link
diff --git a/tasks/glance_post_install.yml b/tasks/glance_post_install.yml
index 62a83347..91c0cd5c 100644
--- a/tasks/glance_post_install.yml
+++ b/tasks/glance_post_install.yml
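Review bot: The new config-directory entry in `with_items` is created with `mode: "0755"` where the `/etc/glance` entry it replaces had `"0750"`, so the directory that holds glance-api.conf and the swift store credentials becomes world-traversable; the files are written 0640 elsewhere in this change, but nothing here says why the directory itself has to be loosened, and `mode: "0750"` keeps the previous posture while still letting the service group in. The "Remove the config directory" task deletes a real `{{ glance_etc_dir }}` with `state: absent` on source installs, which discards whatever an operator kept there (a hand-edited policy.json, certificates, local overrides) before anything is re-templated; moving it aside under a tagged name, or at least stating in the NOTE that the contents are lost, would be safer. The guard only works because `stat` does not follow links by default, so an existing symlink reports `isdir` false and is left for the link entry below — worth a comment such as `# stat does not follow links: an existing symlink is kept and re-pointed by the link entry below`. The `with_items` list may continue past the end of the hunk.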
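Review bot: The `os-brick.filters` file linked into `{{ glance_etc_dir }}/rootwrap.d` lives under the venv tree, and the ownership of that tree is not visible here; if the venv is writable by the glance service user, or is simply rewritten by the next pip install, then a rootwrap filter definition — the list of commands rootwrap will run as root — is controlled by the unprivileged account, which is the boundary rootwrap depends on (the rootwrap.conf template deleted in this commit carried the warning that filter directories "MUST all be only writeable by root"). The later recursive chown of rootwrap.d to root:root only reaches the link target if the `file` module follows the link, and even then the target's parent directory still decides who may replace the file. Copying the filter into rootwrap.d as a root-owned regular file keeps the trusted copy inside the root-owned directory regardless of venv ownership.
```yaml
- name: Copy in the os-brick rootwrap filters
  copy:
    src: "{{ glance_bin | dirname }}/etc/os-brick/rootwrap.d/os-brick.filters"
    dest: "{{ glance_etc_dir }}/rootwrap.d/os-brick.filters"
    remote_src: true
    owner: "root"
    group: "root"
    mode: "0640"
```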
@@ -24,60 +24,88 @@
 config_type: "{{ item.config_type }}"
 when: item.condition | default(True)
 with_items:
- - src: "glance-api-paste.ini.j2"
- dest: "/etc/glance/glance-api-paste.ini"
- config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
- config_type: "ini"
 - src: "glance-api.conf.j2"
- dest: "/etc/glance/glance-api.conf"
+ dest: "{{ glance_etc_dir }}/glance-api.conf"
 config_overrides: "{{ glance_glance_api_conf_overrides }}"
 config_type: "ini"
 - src: "glance-cache.conf.j2"
- dest: "/etc/glance/glance-cache.conf"
+ dest: "{{ glance_etc_dir }}/glance-cache.conf"
 config_overrides: "{{ glance_glance_cache_conf_overrides }}"
 config_type: "ini"
 - src: "glance-manage.conf.j2"
- dest: "/etc/glance/glance-manage.conf"
+ dest: "{{ glance_etc_dir }}/glance-manage.conf"
 config_overrides: "{{ glance_glance_manage_conf_overrides }}"
 config_type: "ini"
- - src: "glance-registry-paste.ini.j2"
- dest: "/etc/glance/glance-registry-paste.ini"
- config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
- config_type: "ini"
- condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
 - src: "glance-registry.conf.j2"
- dest: "/etc/glance/glance-registry.conf"
+ dest: "{{ glance_etc_dir }}/glance-registry.conf"
 config_overrides: "{{ glance_glance_registry_conf_overrides }}"
 config_type: "ini"
 condition: "{{ glance_services['glance-registry']['condition'] | bool }}"
 - src: "glance-scrubber.conf.j2"
- dest: "/etc/glance/glance-scrubber.conf"
+ dest: "{{ glance_etc_dir }}/glance-scrubber.conf"
 config_overrides: "{{ glance_glance_scrubber_conf_overrides }}"
 config_type: "ini"
 - src: "glance-swift-store.conf.j2"
- dest: "/etc/glance/glance-swift-store.conf"
+ dest: "{{ glance_etc_dir }}/glance-swift-store.conf"
 config_overrides: "{{ glance_glance_swift_store_conf_overrides }}"
 config_type: "ini"
- - src: "policy.json.j2"
- dest: "/etc/glance/policy.json-{{ glance_venv_tag }}"
- config_overrides: "{{ glance_policy_overrides }}"
- config_type: "json"
- - src: "schema.json.j2"
- dest: "/etc/glance/schema.json"
+ - src: "schema-image.json.j2"
+ dest: "{{ glance_etc_dir }}/schema-image.json"
 config_overrides: "{{ glance_glance_scheme_json_overrides }}"
 config_type: "json"
- - src: "schema.json.j2"
- dest: "/etc/glance/schema-image.json"
- config_overrides: "{{ glance_glance_scheme_json_overrides }}"
- config_type: "json"
- - src: "rootwrap.conf.j2"
- dest: "/etc/glance/rootwrap.conf"
- config_overrides: "{{ glance_glance_rootwrap_conf_overrides }}"
- config_type: "ini"
 notify:
 - Manage LB
 - Restart glance services
+# NOTE(cloudnull): This is using "cp" instead of copy with a remote_source
+# because we only want to copy the original files once. and we
+# don't want to need multiple tasks.
+- name: Preserve original configuration file(s)
+ command: "cp {{ item.target_f }} {{ item.target_f }}.original"
+ args:
+ creates: "{{ item.target_f }}.original"
+ with_items: "{{ glance_core_files }}"
+
+- name: Fetch override files
+ fetch:
+ src: "{{ item.target_f }}"
+ dest: "{{ item.tmp_f }}"
+ flat: yes
+ changed_when: false
+ run_once: true
+ with_items: "{{ glance_core_files }}"
+
+- name: Copy common config
+ config_template:
+ src: "{{ item.tmp_f }}"
+ dest: "{{ item.target_f_override | default(item.target_f) }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ item.group | default(glance_system_group_name) }}"
+ mode: "{{ item.mode | default('0640') }}"
+ config_overrides: "{{ item.config_overrides }}"
+ config_type: "{{ item.config_type }}"
+ with_items: "{{ glance_core_files }}"
+ notify:
+ - Restart glance services
+
+- name: Cleanup fetched temp files
+ file:
+ path: "{{ item.tmp_f }}"
+ state: absent
+ changed_when: false
+ delegate_to: localhost
+ run_once: true
+ with_items: "{{ glance_core_files }}"
+
+# NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
+- name: Set rootwrap.d permissions
+ file:
+ path: "{{ glance_etc_dir }}/rootwrap.d"
+ owner: "root"
+ group: "root"
+ mode: "0640"
+ recurse: true
+
 - name: Run the systemd mount role
 include_role:
 name: systemd_mount
diff --git a/templates/glance-api-paste.ini.j2 b/templates/glance-api-paste.ini.j2
deleted file mode 100644
index d2f10722..00000000
--- a/templates/glance-api-paste.ini.j2
+++ /dev/null
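Review bot: "Copy common config" now writes `policy.json` directly to its live path (the policy entry's `target_f` is `{{ glance_etc_dir }}/policy.json`) and only then notifies a restart, whereas the handler this commit deletes staged the file as `policy.json-<venv_tag>` and swapped it in after the services had stopped, on the grounds that glance re-reads policy.json while running and a new policy may not be valid for the old code during a major upgrade; if that concern no longer applies, the reasoning belongs in a comment on this task, otherwise the staging step should be kept. "Fetch override files" uses `run_once: true`, so the packaged policy and paste files of a single host are templated onto every host; that is fine when all hosts carry the same package, but in a rolling upgrade the first host's defaults land on hosts still on the old version — a comment such as `# run_once: the first host's packaged defaults are the base for every host` would make the assumption visible. In "Set rootwrap.d permissions" the recursive `mode: "0640"` is also applied to the `rootwrap.d` directory itself; root does not need the execute bit, but it is unusual enough to deserve a one-line note. The task file continues past the hunk.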
@@ -1,86 +0,0 @@
-# Use this pipeline for no auth or image caching - DEFAULT
-[pipeline:glance-api]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context rootapp
-
-# Use this pipeline for image caching and no auth
-[pipeline:glance-api-caching]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache rootapp
-
-# Use this pipeline for caching w/ management interface but no auth
-[pipeline:glance-api-cachemanagement]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
-
-# Use this pipeline for keystone auth
-[pipeline:glance-api-keystone]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
-
-# Use this pipeline for keystone auth with image caching
-[pipeline:glance-api-keystone+caching]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
-
-# Use this pipeline for keystone auth with caching and cache management
-[pipeline:glance-api-keystone+cachemanagement]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
-
-# Use this pipeline for authZ only. This means that the registry will treat a
-# user as authenticated without making requests to keystone to reauthenticate
-# the user.
-[pipeline:glance-api-trusted-auth]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
-
-# Use this pipeline for authZ only. This means that the registry will treat a
-# user as authenticated without making requests to keystone to reauthenticate
-# the user and uses cache management
-[pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context cache cachemanage rootapp
-
-[composite:rootapp]
-paste.composite_factory = glance.api:root_app_factory
-/: apiversions
-/v2: apiv2app
-
-[app:apiversions]
-paste.app_factory = glance.api.versions:create_resource
-
-[app:apiv2app]
-paste.app_factory = glance.api.v2.router:API.factory
-
-[filter:healthcheck]
-paste.filter_factory = oslo_middleware:Healthcheck.factory
-backends = disable_by_file
-disable_by_file_path = /etc/glance/healthcheck_disable
-
-[filter:versionnegotiation]
-paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
-
-[filter:cache]
-paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
-
-[filter:cachemanage]
-paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
-
-[filter:context]
-paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
-
-[filter:unauthenticated-context]
-paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
-
-[filter:authtoken]
-paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-delay_auth_decision = true
-
-[filter:gzip]
-paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
-
-[filter:osprofiler]
-paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED
-enabled = yes #DEPRECATED
-
-[filter:cors]
-paste.filter_factory = oslo_middleware.cors:filter_factory
-oslo_config_project = glance
-oslo_config_program = glance-api
-
-[filter:http_proxy_to_wsgi]
-paste.filter_factory = oslo_middleware:HTTPProxyToWSGI.factory
diff --git a/templates/glance-api.conf.j2 b/templates/glance-api.conf.j2
index 463e0228..283d1887 100644
--- a/templates/glance-api.conf.j2
+++ b/templates/glance-api.conf.j2
@@ -88,7 +88,7 @@ filesystem_store_datadir = {{ glance_system_user_home }}/images/
 {% endif %}
 {% if 'swift' in glance_available_stores %}
-swift_store_config_file = /etc/glance/glance-swift-store.conf
+swift_store_config_file = {{ glance_etc_dir }}/glance-swift-store.conf
 default_swift_reference = swift1
 swift_store_auth_insecure = {{ glance_swift_store_auth_insecure | bool }}
 swift_store_region = {{ glance_swift_store_region }}
diff --git a/templates/glance-registry-paste.ini.j2 b/templates/glance-registry-paste.ini.j2
deleted file mode 100644
index 496529a3..00000000
--- a/templates/glance-registry-paste.ini.j2
+++ /dev/null
@@ -1,35 +0,0 @@
-# Use this pipeline for no auth - DEFAULT
-[pipeline:glance-registry]
-pipeline = healthcheck osprofiler unauthenticated-context registryapp
-
-# Use this pipeline for keystone auth
-[pipeline:glance-registry-keystone]
-pipeline = healthcheck osprofiler authtoken context registryapp
-
-# Use this pipeline for authZ only. This means that the registry will treat a
-# user as authenticated without making requests to keystone to reauthenticate
-# the user.
-[pipeline:glance-registry-trusted-auth]
-pipeline = healthcheck osprofiler context registryapp
-
-[app:registryapp]
-paste.app_factory = glance.registry.api:API.factory
-
-[filter:healthcheck]
-paste.filter_factory = oslo_middleware:Healthcheck.factory
-backends = disable_by_file
-disable_by_file_path = /etc/glance/healthcheck_disable
-
-[filter:context]
-paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
-
-[filter:unauthenticated-context]
-paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
-
-[filter:authtoken]
-paste.filter_factory = keystonemiddleware.auth_token:filter_factory
-
-[filter:osprofiler]
-paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
-hmac_keys = {{ glance_profiler_hmac_key }} #DEPRECATED
-enabled = yes #DEPRECATED
diff --git a/templates/policy.json.j2 b/templates/policy.json.j2
deleted file mode 100644
index 5b1f6be7..00000000
--- a/templates/policy.json.j2
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "communitize_image": "",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "",
- "get_tasks": "",
- "add_task": "",
- "modify_task": "",
- "tasks_api_access": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2
deleted file mode 100644
index 290338eb..00000000
--- a/templates/rootwrap.conf.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-# Configuration for glance-rootwrap
-# This file should be owned by (and only-writable by) the root user
-
-[DEFAULT]
-# List of directories to load filter definitions from (separated by ',').
-# These directories MUST all be only writeable by root !
-filters_path=/etc/glance/rootwrap.d,/usr/share/glance/rootwrap
-
-# List of directories to search executables in, in case filters do not
-# explicitely specify a full path (separated by ',')
-# If not specified, defaults to system PATH environment variable.
-# These directories MUST all be only writeable by root !
-exec_dirs={{ glance_bin }},/sbin,/usr/sbin,/bin,/usr/bin
-
-# Enable logging to syslog
-# Default value is False
-use_syslog=False
-
-# Which syslog facility to use.
-# Valid values include auth, authpriv, syslog, local0, local1...
-# Default value is 'syslog'
-syslog_log_facility=syslog
-
-# Which messages to log.
-# INFO means log all usage
-# ERROR means only log unsuccessful attempts
-syslog_log_level=ERROR
diff --git a/templates/schema.json.j2 b/templates/schema-image.json.j2
similarity index 72%
rename from templates/schema.json.j2
rename to templates/schema-image.json.j2
index d9f433bd..26ea3982 100644
--- a/templates/schema.json.j2
+++ b/templates/schema-image.json.j2
@@ -1,28 +1,28 @@
-{
- "kernel_id": {
- "type": ["null", "string"],
- "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
- "description": "ID of image stored in Glance that should be used as the kernel when booting an AMI-style image."
- },
- "ramdisk_id": {
- "type": ["null", "string"],
- "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
- "description": "ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image."
- },
- "instance_uuid": {
- "type": "string",
- "description": "ID of instance used to create this image."
- },
- "architecture": {
- "description": "Operating system architecture as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html",
- "type": "string"
- },
- "os_distro": {
- "description": "Common name of operating system distribution as specified in http://docs.openstack.org/trunk/openstack-compute/admin/content/adding-images.html",
- "type": "string"
- },
- "os_version": {
- "description": "Operating system version as specified by the distributor",
- "type": "string"
- }
-}
+{
+ "kernel_id": {
+ "type": ["null", "string"],
+ "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
+ "description": "ID of image stored in Glance that should be used as the kernel when booting an AMI-style image."
+ },
+ "ramdisk_id": {
+ "type": ["null", "string"],
+ "pattern": "^([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}$",
+ "description": "ID of image stored in Glance that should be used as the ramdisk when booting an AMI-style image."
+ },
+ "instance_uuid": {
+ "type": "string",
+ "description": "Metadata which can be used to record which instance this image is associated with. (Informational only, does not create an instance snapshot.)"
+ },
+ "architecture": {
+ "description": "Operating system architecture as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
+ "type": "string"
+ },
+ "os_distro": {
+ "description": "Common name of operating system distribution as specified in https://docs.openstack.org/python-glanceclient/latest/cli/property-keys.html",
+ "type": "string"
+ },
+ "os_version": {
+ "description": "Operating system version as specified by the distributor",
+ "type": "string"
+ }
+}
diff --git a/vars/distro_install.yml b/vars/distro_install.yml
index 40512433..d27f5654 100644
--- a/vars/distro_install.yml
+++ b/vars/distro_install.yml
@@ -21,4 +21,3 @@ glance_package_list: |-
 {{ packages }}
 _glance_bin: "/usr/bin"
-_glance_etc: "/etc"
diff --git a/vars/main.yml b/vars/main.yml
index 8bf3c9d0..ec1689c2 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -39,3 +39,18 @@ glance_mount_points: |-
 {% set _ = mps.append(mp.local_path) %}
 {% endfor %}
 {{ mps }}
+
+glance_core_files:
+ - tmp_f: "/tmp/policy.json"
+ target_f: "{{ glance_etc_dir }}/policy.json"
+ config_overrides: "{{ glance_policy_overrides }}"
+ config_type: "json"
+ condition: true
+ - tmp_f: "/tmp/glance-registry-paste.ini"
+ target_f: "{{ glance_etc_dir }}/glance-registry-paste.ini"
+ config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
+ config_type: "ini"
+ - tmp_f: "/tmp/glance-api-paste.ini"
+ target_f: "{{ glance_etc_dir }}/glance-api-paste.ini"
+ config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
+ config_type: "ini"
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 1b9ecb26..a12a27ee 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
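Review bot: Every `tm_f`-style staging path is a fixed name in the controller's shared `/tmp` (`/tmp/policy.json`, `/tmp/glance-api-paste.ini`, ...), which the fetch task in this change writes from the remote host and `config_template` then reads back as the source of the live policy file; on a multi-user deploy host another local account can pre-create or symlink those names, and two role runs in parallel (separate environments, or two plays) clobber each other's staged file before it is templated out. A per-run location avoids both, e.g. `tmp_f: "{{ lookup('env', 'HOME') }}/.ansible/tmp/glance-{{ glance_venv_tag }}/policy.json"`, or a directory created with the `tempfile` module delegated to localhost and removed by the cleanup task. `condition: true` on the policy entry is not read by any of the tasks that loop over `glance_core_files` in this change, and the registry paste entry no longer carries the `glance_services['glance-registry']['condition']` gate the old templating item had, so the registry paste file is written even when the registry service is disabled.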
@@ -34,3 +34,20 @@ glance_oslomsg_amqp1_distro_packages:
 - cyrus-sasl-md5
 glance_uwsgi_bin: '/usr/sbin'
+
+glance_core_files:
+ - tmp_f: "/tmp/policy.json"
+ target_f: "{{ glance_etc_dir }}/policy.json"
+ config_overrides: "{{ glance_policy_overrides }}"
+ config_type: "json"
+ condition: true
+ - tmp_f: "/tmp/glance-registry-dist-paste.ini"
+ target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-registry-paste.ini'), '/usr/share/glance/glance-registry-dist-paste.ini') }}"
+ target_f_override: "{{ glance_etc_dir }}/glance-registry-paste.ini"
+ config_overrides: "{{ glance_glance_registry_paste_ini_overrides }}"
+ config_type: "ini"
+ - tmp_f: "/tmp/glance-api-dist-paste.ini"
+ target_f: "{{ (glance_install_method == 'source') | ternary((glance_etc_dir ~ '/glance-api-paste.ini'), '/usr/share/glance/glance-api-dist-paste.ini') }}"
+ target_f_override: "{{ glance_etc_dir }}/glance-api-paste.ini"
+ config_overrides: "{{ glance_glance_api_paste_ini_overrides }}"
+ config_type: "ini"
diff --git a/vars/source_install.yml b/vars/source_install.yml
index 9695c677..3aa73c3b 100644
--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@@ -21,5 +21,4 @@ glance_package_list: |-
 {{ packages }}
 _glance_bin: "/openstack/venvs/glance-{{ glance_venv_tag }}/bin"
-_glance_etc: "{{ _glance_bin | dirname + '/etc' }}"
 glance_uwsgi_bin: "{{ _glance_bin }}"
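Review bot: `glance_core_files` is now defined both here and in vars/main.yml (also in this change), and which list wins depends on the order in which the role includes these files, which is not visible here; a short comment on this definition saying it deliberately replaces the generic list for RHEL 7 would stop the next reader treating it as a stray duplicate. On distro installs the two paste entries point `target_f` at the packaged `/usr/share/glance/*-dist-paste.ini`, so the "Preserve original" task from this change will write a `.original` sibling into that package-owned directory while the templated result goes to `target_f_override` in the config directory; if that is intended it deserves a note, e.g. `# distro: the packaged dist-paste file is the base; the rendered copy is written to target_f_override`. The `tmp_f` names share the same fixed `/tmp` location as the generic list and carry the same collision concern.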