From bea0057eac89983bba576a0f4a2dad44bf04fade Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 11 Jun 2019 15:16:49 +0000
Subject: [PATCH] fed-cloud09: remove playbook.

It hasn't run in a long time, if it did it might mess up the fragile openstack, and glance_image is no longer available.

Signed-off-by: Kevin Fenzi
---
 master.yml | 1 -
 .../fed-cloud09.cloud.fedoraproject.org.yml | 1311 -----------------
 2 files changed, 1312 deletions(-)
 delete mode 100644 playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml

diff --git a/master.yml b/master.yml
index cde5bc70b5..117c80e91e 100644
--- a/master.yml
+++ b/master.yml
@@ -133,7 +133,6 @@
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/data-analysis01.phx2.fedoraproject.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/developer.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fas2-dev.fedorainfracloud.org.yml
-#- import_playbook: /srv/web/infra/ansible/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fedora-bootstrap.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/fedimg-dev.fedorainfracloud.org.yml
 - import_playbook: /srv/web/infra/ansible/playbooks/hosts/glittergallery-dev.fedorainfracloud.org.yml
diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
deleted file mode 100644
index 501d150599..0000000000
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ /dev/null
@@ -1,1311 +0,0 @@ ---- -- name: Prepare storage on compute nodes - hosts: openstack_compute - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - # This is in fact duplicate from compute nodes, just be sure in case we did not run - # compute nodes playbook yet. - - name: Create logical volume for Swift - lvol: vg=vg_server lv=swift_store size=100g shrink=no - - name: Create FS on Swift storage - filesystem: fstype=ext4 dev=/dev/vg_server/swift_store - - name: SSH authorized key for root user - authorized_key: user=root key="{{ lookup('file', files + '/fedora-cloud/fed09-ssh-key.pub') }}" - -- name: deploy Open Stack controler - hosts: fed-cloud09.cloud.fedoraproject.org - gather_facts: True - - vars: - # this is actually without admin tenant - all_tenants: ['cloudintern', 'cloudsig', 'copr', 'coprdev', 'infrastructure', - 'persistent', 'pythonbots', 'qa', 'scratch', 'transient', 'openshift', 'maintainertest', 'aos-ci-cd'] - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml - - roles: - - base - - rkhunter - - nagios_client - - fas_client - - sudo - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" - - tasks: - - import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml" - vars: - root_auth_users: msuchy - - import_tasks: "{{ tasks_path }}/motd.yml" - - import_tasks: "{{ tasks_path }}/2fa_client.yml" - - - name: set root passwd - user: name=root password={{ cloud_rootpw }} state=present - tags: - - rootpw - - name: Set the hostname - hostname: name={{ controller_hostname }} - - - name: Deploy root private SSH key - copy: src={{ private }}/files/openstack/fed-cloud09-root.key dest=/root/.ssh/id_rsa mode=600 owner=root group=root - - name: 
Deploy root public SSH key - copy: src={{ files }}/fedora-cloud/fed09-ssh-key.pub dest=/root/.ssh/id_rsa.pub mode=600 owner=root group=root - - authorized_key: user=root key="{{ lookup('file', files + '/fedora-cloud/fed09-ssh-key.pub') }}" - - - name: install core pkgs - package: state=present pkg={{ item }} - with_items: - - libselinux-python - - ntp - - wget - - scsi-target-utils - - lvm2 - - iptables-services - - - name: disable selinux - selinux: policy=targeted state=permissive - - - service: name=tgtd state=started enabled=yes - - - name: Create logical volume for Swift - lvol: vg=vg_server lv=swift_store size=100g shrink=no - - name: Create FS on Swift storage - filesystem: fstype=ext4 dev=/dev/vg_server/swift_store - - - template: src={{ files }}/fedora-cloud/hosts dest=/etc/hosts owner=root mode=0644 - - - stat: path=/etc/packstack_sucessfully_finished - register: packstack_sucessfully_finished - - # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-networking.html - - service: name=NetworkManager state=stopped enabled=no - - service: name=network enabled=yes - - service: name=firewalld state=stopped enabled=no - ignore_errors: yes - - service: name=iptables state=started enabled=yes - - - name: ensure iptables is configured to allow rabbitmq traffic (port 5672/tcp) - lineinfile: - dest=/etc/sysconfig/iptables - state=present - regexp="^.*INPUT.*172\.24\.0\.10/24.*tcp.*{{ item }}.*ACCEPT" - insertbefore="^.*INPUT.*RELATED,ESTABLISHED.*ACCEPT" - line="-A INPUT -s 172.24.0.10/24 -p tcp -m multiport --dports {{ item }} -m comment --comment \"added by fedora-infra ansible\" -j ACCEPT" - backup=yes - with_items: - - 80,443 - - 3260 - - 3306 - - 5671 - - 5672 - - 6000,6001,6002,873 - - 8777 - - 27017 - - 5900:5999,16509 - - 16509,49152:49215 - notify: restart iptables - - # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-neutron-networking-controller-node.html - - command: ifdown br-tun - when: 
packstack_sucessfully_finished.stat.exists == False - ignore_errors: yes - - lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-eth1 regexp="^ONBOOT=" line="ONBOOT=yes" - notify: - - restart network - # only for first run - - lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-eth1 regexp="^NETMASK=" line="NETMASK=255.255.255.0" - when: packstack_sucessfully_finished.stat.exists == False - notify: - - restart network - - lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-eth1 regexp="^IPADDR=" line="IPADDR={{controller_private_ip}}" - when: packstack_sucessfully_finished.stat.exists == False - notify: - - restart network - - lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-eth1 regexp="BOOTPROTO=" line="BOOTPROTO=none" - notify: - - restart network - - template: src={{files}}/fedora-cloud/ifcfg-br-ex dest=/etc/sysconfig/network-scripts/ifcfg-br-ex owner=root mode=0644 - when: packstack_sucessfully_finished.stat.exists == False - notify: - - restart network - - template: src={{files}}/fedora-cloud/ifcfg-eth0 dest=/etc/sysconfig/network-scripts/ifcfg-eth0 owner=root mode=0644 - when: packstack_sucessfully_finished.stat.exists == False - notify: - - restart network - - command: ifup eth1 - when: packstack_sucessfully_finished.stat.exists == False - - meta: flush_handlers - - # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-ntp.html - - service: name=ntpd state=started enabled=yes - - # this two step can be done in one, but Ansible will then always show the action as changed - #- name: make sure epel-release is installed - # get_url: url=http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm dest=/root/ - #- package: state=present name=/root/epel-release-latest-7.noarch.rpm - - #- name: make sure latest openvswitch is installed - # get_url: url=http://people.redhat.com/~lkellogg/rpms/openvswitch-2.3.1-2.git20150113.el7.x86_64.rpm dest=/root/ - #- package: state=present 
name=/root/openvswitch-2.3.1-2.git20150113.el7.x86_64.rpm - - #- name: make sure latest openstack-utils is installed - # get_url: url=https://repos.fedorapeople.org/repos/openstack/openstack-juno/epel-7/openstack-utils-2014.2-1.el7.centos.noarch.rpm dest=/root/ - #- package: state=present name=/root/openstack-utils-2014.2-1.el7.centos.noarch.rpm - - - name: install basic openstack packages - package: state=present name={{ item }} - with_items: - - openstack-utils - - openstack-selinux - - openstack-packstack - - python-glanceclient - - rabbitmq-server - - ansible-openstack-modules - - openstack-keystone - - openstack-neutron - - openstack-nova-common - - haproxy - - - name: install etckeeper - package: state=present name=etckeeper - - name: init etckeeper - shell: cd /etc && etckeeper init - - - - name: add ssl cert files - copy: src={{ private }}/files/openstack/fedorainfracloud.org.{{item}} dest=/etc/pki/tls/certs/fedorainfracloud.org.{{item}} mode=0644 owner=root group=root - with_items: - - pem - - digicert.pem - - name: add ssl key file - copy: src={{ private }}/files/openstack/fedorainfracloud.org.key dest=/etc/pki/tls/private/fedorainfracloud.org.key mode=0600 owner=root group=root - changed_when: False - - - name: allow services key access - acl: name=/etc/pki/tls/private/fedorainfracloud.org.key entity={{item}} etype=user permissions="r" state=present - with_items: - - keystone - - neutron - - nova - - rabbitmq - - cinder - - ceilometer - - swift - - - file: state=directory path=/var/www/pub mode=0755 - - copy: src={{ private }}/files/openstack/fedorainfracloud.org.pem dest=/var/www/pub/ mode=644 - - # http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-database-controller.html - - name: install mysql packages - package: state=present pkg={{ item }} - with_items: - - mariadb-galera-server - - MySQL-python - - ini_file: dest=/etc/my.cnf section="mysqld" option="bind-address" value="{{ controller_public_ip }}" - - ini_file: 
dest=/etc/my.cnf section="mysqld" option="default-storage-engine" value="innodb" - - ini_file: dest=/etc/my.cnf section="mysqld" option="collation-server" value="utf8_general_ci" - - ini_file: dest=/etc/my.cnf section="mysqld" option="init-connect" value="'SET NAMES utf8'" - - ini_file: dest=/etc/my.cnf section="mysqld" option="character-set-server" value="utf8" - - service: name=mariadb state=started enabled=yes - # 'localhost' needs to be the last item for idempotency, see - # http://ansible.cc/docs/modules.html#mysql-user - - name: update mysql root password for localhost before setting .my.cnf - mysql_user: name=root host=localhost password={{ DBPASSWORD }} - - name: copy .my.cnf file with root password credentials - template: src={{ files }}/fedora-cloud/my.cnf dest=/root/.my.cnf owner=root mode=0600 - - name: update mysql root password for all root accounts - mysql_user: name=root host={{ item }} password={{ DBPASSWORD }} - with_items: - - "{{ controller_public_ip }}" - - 127.0.0.1 - - ::1 - - name: copy .my.cnf file with root password credentials - template: src={{ files }}/fedora-cloud/my.cnf dest=/root/.my.cnf owner=root mode=0600 - - name: delete anonymous MySQL server user for $server_hostname - mysql_user: user="" host="{{ controller_public_ip }}" state="absent" - - name: delete anonymous MySQL server user for localhost - mysql_user: user="" state="absent" - - name: remove the MySQL test database - mysql_db: db=test state=absent - - # WORKAROUNDS - already reported to OpenStack team - - lineinfile: - dest=/usr/lib/python2.7/site-packages/packstack/plugins/dashboard_500.py - regexp=" host_resources\.append\(*ssl_key, 'ssl_ps_server.key'\)*" - line=" host_resources.append((ssl_key, 'ssl_ps_server.key'))" - backup=yes - - lineinfile: - dest=/usr/share/openstack-puppet/modules/rabbitmq/manifests/config.pp - regexp="RABBITMQ_NODE_PORT" - line=" 'RABBITMQ_NODE_PORTTTTT' => $port," - backup=yes - - package: state=present pkg=mongodb-server - - ini_file: 
dest=/usr/lib/systemd/system/mongod.service section=Service option=PIDFile value=/var/run/mongodb/mongod.pid - - lineinfile: - dest=/usr/lib/python2.7/site-packages/packstack/puppet/templates/mongodb.pp - regexp="pidfilepath" - line=" pidfilepath => '/var/run/mongodb/mongod.pid'" - insertbefore="^}" - - meta: flush_handlers - # http://openstack.redhat.com/Quickstart - - template: src={{ files }}/fedora-cloud/packstack-controller-answers.txt dest=/root/ owner=root mode=0600 - - command: packstack --answer-file=/root/packstack-controller-answers.txt - when: packstack_sucessfully_finished.stat.exists == False - - file: path=/etc/packstack_sucessfully_finished state=touch - when: packstack_sucessfully_finished.stat.exists == False - # FIXME we should really reboot here - - - name: Set shell to nova user to allow cold migrations - user: name=nova shell=/bin/bash - - name: SSH authorized key for nova user - authorized_key: user=nova key="{{fed_cloud09_nova_public_key}}" - - name: SSH public key for nova user - template: src={{ files }}/fedora-cloud/fed_cloud09_nova_public_key dest=/var/lib/nova/.ssh/id_rsa.pub owner=nova group=nova - - name: Deploy private SSH key - copy: src={{ private }}/files/openstack/fed-cloud09-nova.key dest=/var/lib/nova/.ssh/id_rsa mode=600 owner=nova group=nova - - copy: src={{files}}/fedora-cloud/nova-ssh-config dest=/var/lib/nova/.ssh/config owner=nova group=nova mode=640 - - # http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-queue.html - # https://openstack.redhat.com/Securing_services#qpid - #### FIXME - - lineinfile: dest=/etc/rabbitmq/rabbitmq-env.conf regexp="^RABBITMQ_NODE_PORT=" state="absent" - - service: name=rabbitmq-server state=started - - # flip endpoints internalurl to internal IP - # ceilometer - - shell: source /root/keystonerc_admin && keystone service-list | grep ceilometer | awk '{print $2}' - register: SERVICE_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && 
keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - register: ENDPOINT_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8777' --adminurl 'https://{{ controller_publicname }}:8777' --internalurl 'https://{{ controller_publicname }}:8777' ) || true - # cinder - - shell: source /root/keystonerc_admin && keystone service-list | grep 'cinder ' | awk '{print $2}' - register: SERVICE_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - register: ENDPOINT_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8776/v1/%(tenant_id)s' --adminurl 'https://{{ controller_publicname }}:8776/v1/%(tenant_id)s' --internalurl 'https://{{ controller_publicname }}:8776/v1/%(tenant_id)s' ) || true - # cinderv2 - - shell: source /root/keystonerc_admin && keystone service-list | grep 'cinderv2' | awk '{print $2}' - register: SERVICE_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - register: ENDPOINT_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 
'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8776/v2/%(tenant_id)s' --adminurl 'https://{{ controller_publicname }}:8776/v2/%(tenant_id)s' --internalurl 'https://{{ controller_publicname }}:8776/v2/%(tenant_id)s' ) || true - # glance - - shell: source /root/keystonerc_admin && keystone service-list | grep 'glance' | awk '{print $2}' - register: SERVICE_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - register: ENDPOINT_ID - check_mode: no - changed_when: false - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:9292' --adminurl 'https://{{ controller_publicname }}:9292' --internalurl 'https://{{ controller_publicname }}:9292' ) || true - # neutron - - shell: source /root/keystonerc_admin && keystone service-list | grep 'neutron' | awk '{print $2}' - check_mode: no - changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:9696/' --adminurl 'https://{{ controller_publicname }}:9696/' --internalurl 'https://{{ controller_publicname }}:9696/' ) || true - # nova - - shell: source /root/keystonerc_admin && keystone service-list | grep 'nova ' | awk '{print $2}' - check_mode: no - 
changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8774/v2/%(tenant_id)s' --adminurl 'https://{{ controller_publicname }}:8774/v2/%(tenant_id)s' --internalurl 'https://{{ controller_publicname }}:8774/v2/%(tenant_id)s' ) || true - # nova_ec2 - - shell: source /root/keystonerc_admin && keystone service-list | grep 'nova_ec2' | awk '{print $2}' - check_mode: no - changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8773/services/Cloud' --adminurl 'https://{{ controller_publicname }}:8773/services/Admin' --internalurl 'https://{{ controller_publicname }}:8773/services/Cloud' ) || true - # novav3 - - shell: source /root/keystonerc_admin && keystone service-list | grep 'novav3' | awk '{print $2}' - check_mode: no - changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep 
{{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8774/v3' --adminurl 'https://{{ controller_publicname }}:8774/v3' --internalurl 'https://{{ controller_publicname }}:8774/v3' ) || true - # swift - - shell: source /root/keystonerc_admin && keystone service-list | grep 'swift ' | awk '{print $2}' - check_mode: no - changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{controller_publicname}}:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://{{controller_publicname}}:8080' --internalurl 'https://{{controller_publicname}}:8080/v1/AUTH_%(tenant_id)s' ) || true - # swift_s3 - - shell: source /root/keystonerc_admin && keystone service-list | grep 'swift_s3' | awk '{print $2}' - check_mode: no - changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:8080' --adminurl 'https://{{ controller_publicname }}:8080' --internalurl 'https://{{ controller_publicname }}:8080' ) || 
true - # keystone --- !!!!! we need to use ADMIN_TOKEN here - this MUST be last before we restart OS and set up haproxy - - shell: source /root/keystonerc_admin && keystone service-list | grep 'keystone' | awk '{print $2}' - check_mode: no - changed_when: false - register: SERVICE_ID - - shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}' - check_mode: no - changed_when: false - register: ENDPOINT_ID - - ini_file: dest=/etc/keystone/keystone.conf section=ssl option=certfile value=/etc/haproxy/fedorainfracloud.org.combined - - ini_file: dest=/etc/keystone/keystone.conf section=ssl option=keyfile value=/etc/pki/tls/private/fedorainfracloud.org.key - - ini_file: dest=/etc/keystone/keystone.conf section=ssl option=ca_certs value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_publicname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone --os-token '{{ADMIN_TOKEN}}' --os-endpoint 'http://{{ controller_publicname }}:35357/v2.0' endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_publicname }}:5000/v2.0' --adminurl 'https://{{ controller_publicname }}:35357/v2.0' --internalurl 'https://{{ controller_publicname }}:5000/v2.0' ) || true - - ini_file: dest=/etc/keystone/keystone.conf section=ssl option=enable value=True - - lineinfile: dest=/root/keystonerc_admin regexp="^export OS_AUTH_URL" line="export OS_AUTH_URL=https://{{ controller_publicname }}:5000/v2.0/" - - # Setup sysconfig file for novncproxy - - copy: src={{ files }}/fedora-cloud/openstack-nova-novncproxy dest=/etc/sysconfig/openstack-nova-novncproxy mode=644 owner=root group=root - - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=novncproxy_base_url value=https://{{ controller_publicname }}:6080/vnc_auto.html - - # set SSL for services - - ini_file: 
dest=/etc/nova/nova.conf section=keystone_authtoken option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/nova/nova.conf section=keystone_authtoken option=auth_protocol value=https - - ini_file: dest=/etc/nova/nova.conf section=keystone_authtoken option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/nova/nova.conf section=keystone_authtoken option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=neutron_admin_auth_url value=https://{{ controller_publicname }}:35357/v2.0 - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=neutron_url value=https://{{ controller_publicname }}:9696 - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=osapi_compute_listen_port value=6774 - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=ec2_listen_port value=6773 - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=glance_api_servers value=https://{{ controller_publicname }}:9292 - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=cert value=/etc/pki/tls/certs/fedorainfracloud.org.pem - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=key value=/etc/pki/tls/private/fedorainfracloud.org.key - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=ca value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=novncproxy_host value={{ controller_publicname }} - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=ssl_only value=False - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=scheduler_default_filters value=RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,CoreFilter,DiskFilter - - ini_file: dest=/etc/nova/nova.conf section=DEFAULT option=default_floating_pool value=external - - - ini_file: dest=/etc/glance/glance-api.conf section=keystone_authtoken 
option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/glance/glance-api.conf section=keystone_authtoken option=auth_protocol value=https - - ini_file: dest=/etc/glance/glance-api.conf section=keystone_authtoken option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/glance/glance-api.conf section=keystone_authtoken option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=bind_port value=7292 - # configure Glance to use Swift as backend - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=default_store value=swift - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=stores value=glance.store.swift.Store - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=swift_store_auth_address value=https://{{ controller_publicname }}:5000/v2.0 - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=swift_store_user value="services:swift" - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=swift_store_key value="{{ SWIFT_PASS }}" - - ini_file: dest=/etc/glance/glance-api.conf section=DEFAULT option=swift_store_create_container_on_put value="True" - - shell: rsync /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api-paste.ini - - shell: rsync /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance-registry-paste.ini - - - ini_file: dest=/etc/glance/glance-registry.conf section=keystone_authtoken option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/glance/glance-registry.conf section=keystone_authtoken option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/glance/glance-registry.conf section=keystone_authtoken option=auth_protocol value=https - - ini_file: dest=/etc/glance/glance-registry.conf section=keystone_authtoken option=cafile 
value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - - ini_file: dest=/etc/glance/glance-cache.conf section=DEFAULT option=auth_url value=https://{{ controller_publicname }}:5000/v2.0 - - - ini_file: dest=/etc/glance/glance-scrubber.conf section=DEFAULT option=auth_url value=https://{{ controller_publicname }}:5000/v2.0 - - - ini_file: dest=/etc/cinder/cinder.conf section=keystone_authtoken option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/cinder/cinder.conf section=keystone_authtoken option=auth_protocol value=https - - ini_file: dest=/etc/cinder/cinder.conf section=keystone_authtoken option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/cinder/cinder.conf section=DEFAULT option=backup_swift_url value=https://{{ controller_publicname }}:8080/v1/AUTH_ - - ini_file: dest=/etc/cinder/cinder.conf section=DEFAULT option=osapi_volume_listen_port value=6776 - - ini_file: dest=/etc/cinder/api-paste.conf section="filter:authtoken" option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/cinder/api-paste.conf section="filter:authtoken" option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/cinder/api-paste.conf section="filter:authtoken" option=auth_protocol value=https - - ini_file: dest=/etc/cinder/api-paste.conf section="filter:authtoken" option=service_protocol value=https - - ini_file: dest=/etc/cinder/api-paste.conf section="filter:authtoken" option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/cinder/api-paste.ini section="filter:authtoken" option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/cinder/api-paste.ini section="filter:authtoken" option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/cinder/api-paste.ini section="filter:authtoken" option=auth_protocol value=https - - ini_file: dest=/etc/cinder/api-paste.ini 
section="filter:authtoken" option=service_host value={{ controller_publicname }} - - ini_file: dest=/etc/cinder/api-paste.ini section="filter:authtoken" option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - - ini_file: dest=/etc/neutron/neutron.conf section=keystone_authtoken option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/neutron/neutron.conf section=keystone_authtoken option=auth_protocol value=https - - ini_file: dest=/etc/neutron/neutron.conf section=keystone_authtoken option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/neutron/neutron.conf section=keystone_authtoken option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=nova_url value=https://{{ controller_publicname }}:8774/v2 - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=nova_admin_auth_url value=https://{{ controller_publicname }}:35357/v2.0 - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=use_ssl value=False - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=ssl_cert_file value=/etc/pki/tls/certs/fedorainfracloud.org.pem - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=ssl_key_file value=/etc/pki/tls/private/fedorainfracloud.org.key - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=ssl_ca_file value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/neutron/neutron.conf section=DEFAULT option=bind_port value=8696 - - lineinfile: dest=/etc/neutron/neutron.conf regexp="^service_provider = LOADBALANCER" line="service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default" insertafter="\[service_providers]" - - lineinfile: dest=/etc/neutron/neutron.conf regexp="^service_provider = FIREWALL" line="service_provider = 
FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default" insertafter="\[service_providers]" - - - ini_file: dest=/etc/neutron/api-paste.conf section="filter:authtoken" option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/neutron/api-paste.conf section="filter:authtoken" option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/neutron/api-paste.conf section="filter:authtoken" option=auth_protocol value=https - - ini_file: dest=/etc/neutron/api-paste.conf section="filter:authtoken" option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - - ini_file: dest=/etc/neutron/metadata_agent.ini section="filter:authtoken" option=auth_url value=https://{{ controller_publicname }}:35357/v2.0 - - ini_file: dest=/etc/neutron/metadata_agent.ini section=DEFAULT option=auth_url value=https://{{ controller_publicname }}:35357/v2.0 - - - ini_file: dest=/etc/swift/proxy-server.conf section="filter:authtoken" option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/swift/proxy-server.conf section="filter:authtoken" option=auth_protocol value=https - - ini_file: dest=/etc/swift/proxy-server.conf section="filter:authtoken" option=auth_host value={{ controller_publicname }} - - ini_file: dest=/etc/swift/proxy-server.conf section="filter:authtoken" option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/swift/proxy-server.conf section=DEFAULT option=bind_port value=7080 - - ini_file: dest=/etc/swift/proxy-server.conf section=DEFAULT option=bind_ip value=127.0.0.1 - - - ini_file: dest=/etc/ceilometer/ceilometer.conf section=keystone_authtoken option=auth_uri value=https://{{ controller_publicname }}:5000 - - ini_file: dest=/etc/ceilometer/ceilometer.conf section=keystone_authtoken option=auth_protocol value=https - - ini_file: dest=/etc/ceilometer/ceilometer.conf section=keystone_authtoken option=auth_host 
value={{ controller_publicname }} - - ini_file: dest=/etc/ceilometer/ceilometer.conf section=keystone_authtoken option=cafile value=/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem - - ini_file: dest=/etc/ceilometer/ceilometer.conf section=service_credentials option=os_auth_url value=https://{{ controller_publicname }}:35357/v2.0 - - ini_file: dest=/etc/ceilometer/ceilometer.conf section=api option=port value=6777 - - # enable stunell to neutron - - shell: cat /etc/pki/tls/certs/fedorainfracloud.org.pem /etc/pki/tls/certs/fedorainfracloud.org.digicert.pem /etc/pki/tls/private/fedorainfracloud.org.key > /etc/haproxy/fedorainfracloud.org.combined - - file: path=/etc/haproxy/fedorainfracloud.org.combined owner=haproxy mode=644 - - copy: src={{ files }}/fedora-cloud/haproxy.cfg dest=/etc/haproxy/haproxy.cfg mode=644 owner=root group=root - # first OS have to free ports so haproxy can bind it, then we start OS on modified ports - #- shell: openstack-service stop - #- service: name=haproxy state=started enabled=yes - #- shell: openstack-service start - - - lineinfile: dest=/etc/openstack-dashboard/local_settings regexp="^OPENSTACK_KEYSTONE_URL " line="OPENSTACK_KEYSTONE_URL = 'https://{{controller_publicname}}:5000/v2.0'" - notify: - - reload httpd - - lineinfile: dest=/etc/openstack-dashboard/local_settings regexp="OPENSTACK_SSL_CACERT " line="OPENSTACK_SSL_CACERT = '/etc/pki/tls/certs/fedorainfracloud.org.digicert.pem'" - notify: - - reload httpd - - # configure cider with multi back-end - # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/section_manage-volumes.html - - ini_file: dest=/etc/cinder/cinder.conf section=DEFAULT option="enabled_backends" value="equallogic-1,lvmdriver-1" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - # LVM - - ini_file: dest=/etc/cinder/cinder.conf section="lvmdriver-1" option="volume_group" value="cinder-volumes" - 
notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="lvmdriver-1" option="volume_driver" value="cinder.volume.drivers.lvm.LVMISCSIDriver" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="lvmdriver-1" option="volume_backend_name" value="LVM_iSCSI" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - # Dell EqualLogic - http://docs.openstack.org/trunk/config-reference/content/dell-equallogic-driver.html - - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="volume_driver" value="cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="san_ip" value="{{ IP_EQLX }}" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="san_login" value="{{ SAN_UNAME }}" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - name: set password for equallogic-1 - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="san_password" value="{{ SAN_PW }}" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="eqlx_group_name" value="{{ EQLX_GROUP }}" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="eqlx_pool" value="{{ EQLX_POOL }}" - notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - ini_file: dest=/etc/cinder/cinder.conf section="equallogic-1" option="volume_backend_name" value="equallogic" - 
notify: - - restart cinder api - - restart cinder scheduler - - restart cinder volume - - # flush handlers_path here in case cinder changes and we need to restart it. - - meta: flush_handlers - - # create storage types - # note that existing keys can be retrieved using: cinder extra-specs-list - - shell: source /root/keystonerc_admin && cinder type-create lvm - ignore_errors: yes - - shell: source /root/keystonerc_admin && cinder type-key lvm set volume_backend_name=lvm - - shell: source /root/keystonerc_admin && cinder type-create equallogic - ignore_errors: yes - - shell: source /root/keystonerc_admin && cinder type-key equallogic set volume_backend_name=equallogic - - # http://docs.openstack.org/icehouse/install-guide/install/yum/content/glance-verify.html - - file: path=/root/images state=directory - - get_url: url=http://cdn.download.cirros-cloud.net/0.3.2/cirros-0.3.2-x86_64-disk.img dest=/root/images/cirros-0.3.2-x86_64-disk.img mode=0440 - - - name: Add the cirros-0.3.2-x86_64 image - glance_image: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name=cirros-0.3.2-x86_64 - disk_format=qcow2 - is_public=True - file=/root/images/cirros-0.3.2-x86_64-disk.img - - - name: create non-standard flavor - nova_flavor: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name="{{item.name}}" ram="{{item.ram}}" root="{{item.disk}}" vcpus="{{item.vcpus}}" swap="{{item.swap}}" - ephemeral=0 - with_items: - - { name: m1.builder, ram: 5120, disk: 50, vcpus: 2, swap: 5120 } - - { name: ms2.builder, ram: 5120, disk: 20, vcpus: 2, swap: 100000 } - - { name: m2.prepare_builder, ram: 5000, disk: 16, vcpus: 2, swap: 0 } - # same as m.* but with swap - - { name: ms1.tiny, ram: 512, disk: 1, vcpus: 1, swap: 512 } - - { name: ms1.small, ram: 2048, disk: 20, vcpus: 1, swap: 2048 } - - { name: 
ms1.medium, ram: 4096, disk: 40, vcpus: 2, swap: 4096 } - - { name: ms1.medium.bigswap, ram: 4096, disk: 40, vcpus: 2, swap: 40000 } - - { name: ms1.large, ram: 8192, disk: 50, vcpus: 4, swap: 4096 } - - { name: ms1.xlarge, ram: 16384, disk: 160, vcpus: 8, swap: 16384 } - # inspired by http://aws.amazon.com/ec2/instance-types/ - - { name: c4.large, ram: 3072, disk: 0, vcpus: 2, swap: 0 } - - { name: c4.xlarge, ram: 7168, disk: 0, vcpus: 4, swap: 0 } - - { name: c4.2xlarge, ram: 14336, disk: 0, vcpus: 8, swap: 0 } - - { name: r3.large, ram: 16384, disk: 32, vcpus: 2, swap: 16384 } - - - ##### download common Images ##### - # restricted images (RHEL) are handled two steps below - - name: Add the images - glance_image: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name="{{ item.name }}" - disk_format=qcow2 - is_public=True - copy_from="{{ item.copy_from }}" - with_items: - - name: Fedora-x86_64-20-20131211.1 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Images/x86_64/Fedora-x86_64-20-20131211.1-sda.qcow2 - - name: Fedora-x86_64-20-20140407 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/updates/20/Images/x86_64/Fedora-x86_64-20-20140407-sda.qcow2 - - name: Fedora-Cloud-Base-20141203-21.x86_64 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.qcow2 - - name: Fedora-Cloud-Base-20141203-21.i386 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2 - - name: Fedora-Cloud-Atomic-22_Alpha-20150305.x86_64 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Alpha/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22_Alpha-20150305.x86_64.qcow2 - - name: Fedora-Cloud-Base-22_Alpha-20150305.x86_64 - copy_from: 
https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Alpha/Cloud/x86_64/Images/Fedora-Cloud-Base-22_Alpha-20150305.x86_64.qcow2 - - name: Fedora-Cloud-Atomic-22_Beta-20150415.x86_64 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Beta/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22_Beta-20150415.x86_64.qcow2 - - name: Fedora-Cloud-Base-22_Beta-20150415.x86_64 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Beta/Cloud/x86_64/Images/Fedora-Cloud-Base-22_Beta-20150415.x86_64.qcow2 - - name: Fedora-Cloud-Atomic-22-20150521.x86_64 - copy_from: http://dl.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2 - - name: Fedora-Cloud-Base-22-20150521.x86_64 - copy_from: http://dl.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Base-22-20150521.x86_64.qcow2 - - name: Fedora-Cloud-Base-23-20151030.x86_64 - copy_from: http://dl.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.qcow2 - - name: CentOS-7-x86_64-GenericCloud-1503 - copy_from: http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud-1503.qcow2 - - name: CentOS-6-x86_64-GenericCloud-20141129_01 - copy_from: http://cloud.centos.org/centos/6/images/CentOS-6-x86_64-GenericCloud-20141129_01.qcow2 - - name: Fedora-Cloud-Base-24_Alpha-7.x86_64.qcow2 - copy_from: http://dl.fedoraproject.org/pub/fedora/linux/releases/test/24_Alpha/CloudImages/x86_64/images/Fedora-Cloud-Base-24_Alpha-7.x86_64.qcow2 - - name: Fedora-Cloud-Base-24-1.2.x86_64.qcow2 - copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/24/CloudImages/x86_64/images/Fedora-Cloud-Base-24-1.2.x86_64.qcow2 - - name: Fedora-Cloud-Base-27-1.6.x86_64 - copy_from: https://download.fedoraproject.org/pub/fedora/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-27-1.6.x86_64.qcow2 - - name: Fedora-Cloud-Base-27-1.6.ppc64le - copy_from: 
https://download.fedoraproject.org/pub/fedora-secondary/releases/27/CloudImages/ppc64le/images/Fedora-Cloud-Base-27-1.6.ppc64le.qcow2 - # RHEL6 can be downloaded from https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=16952 - - stat: path=/root/images/rhel-guest-image-6.6-20141222.0.x86_64.qcow2 - register: rhel6_image - - name: Add the RHEL6 image - glance_image: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name="rhel-guest-image-6.6-20141222.0.x86_64" - disk_format=qcow2 - is_public=True - file="/root/images/rhel-guest-image-6.6-20141222.0.x86_64.qcow2" - when: rhel6_image.stat.exists == True - - # RHEL7 can be download from https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.0/x86_64/product-downloads - - stat: path=/root/images/rhel-guest-image-7.0-20140930.0.x86_64.qcow2 - register: rhel7_image - - name: Add the RHEL7 image - glance_image: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name="rhel-guest-image-7.0-20140930.0.x86_64" - disk_format=qcow2 - is_public=True - file="/root/images/rhel-guest-image-7.0-20140930.0.x86_64.qcow2" - when: rhel7_image.stat.exists == True - - - ##### PROJECTS ###### - - name: Create tenants - keystone_user: - login_user="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - endpoint="https://{{controller_publicname}}:35357/v2.0" - tenant="{{ item.name }}" - tenant_description="{{ item.desc }}" - state=present - with_items: - - { name: persistent, desc: "persistent instances" } - - { name: qa, desc: "developmnet and test-day applications of QA" } - - { name: transient, desc: 'transient instances' } - - { name: infrastructure, desc: "one off instances for infrastructure folks to test or check something (proof-of-concept)" } - - { name: cloudintern, desc: 'project for the cloudintern under 
mattdm' } - - { name: cloudsig, desc: 'Fedora cloud sig folks.' } - - { name: copr, desc: 'Space for Copr builders' } - - { name: coprdev, desc: 'Development version of Copr' } - - { name: pythonbots, desc: 'project for python build bot users - twisted, etc' } - - { name: scratch, desc: 'scratch and short term instances' } - - { name: openshift, desc: 'Tenant for openshift deployment' } - - { name: maintainertest, desc: 'Tenant for maintainer test machines' } - - { name: aos-ci-cd, desc: 'Tenant for aos-ci-cd' } - - - ##### USERS ##### - - name: Create users - keystone_user: - login_user="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - endpoint="https://{{controller_publicname}}:35357/v2.0" - user="{{ item.name }}" - email="{{ item.email }}" - tenant="{{ item.tenant }}" - password="{{ item.password }}" - state=present - no_log: True - with_items: - - { name: anthomas, email: 'anthomas@redhat.com', tenant: cloudintern, password: "{{anthomas_password}}" } - - { name: ausil, email: 'dennis@ausil.us', tenant: infrastructure, password: "{{ausil_password}}" } - - { name: atomic, email: 'walters@redhat.com', tenant: scratch, password: "{{cockpit_password}}" } - - { name: codeblock, email: 'codeblock@elrod.me', tenant: infrastructure, password: "{{codeblock_password}}" } - - { name: copr, email: 'admin@fedoraproject.org', tenant: copr, password: "{{copr_password}}" } - - { name: gholms, email: 'gholms@fedoraproject.org', tenant: cloudintern, password: "{{gholms_password}}" } - - { name: jskladan, email: 'jskladan@redhat.com', tenant: qa, password: "{{jskladan_password}}" } - - { name: kevin, email: 'kevin@fedoraproject.org', tenant: infrastructure, password: "{{kevin_password}}" } - - { name: laxathom, email: 'laxathom@fedoraproject.org', tenant: infrastructure, password: "{{laxathom_password}}" } - - { name: mattdm, email: 'mattdm@fedoraproject.org', tenant: infrastructure, password: "{{mattdm_password}}" } - - { name: msuchy, email: 
'msuchy@redhat.com', tenant: copr, password: "{{msuchy_password}}" } - - { name: nb, email: 'nb@fedoraproject.org', tenant: infrastructure, password: "{{nb_password}}" } - - { name: pingou, email: 'pingou@pingoured.fr', tenant: infrastructure, password: "{{pingou_password}}" } - - { name: puiterwijk, email: 'puiterwijk@fedoraproject.org', tenant: infrastructure, password: "{{puiterwijk_password}}" } - - { name: stefw, email: 'stefw@fedoraproject.org', tenant: scratch, password: "{{stefw_password}}" } - - { name: mizdebsk, email: 'mizdebsk@fedoraproject.org', tenant: infrastructure, password: "{{mizdebsk_password}}" } - - { name: kushal, email: 'kushal@fedoraproject.org', tenant: infrastructure, password: "{{kushal_password}}" } - - { name: red, email: 'red@fedoraproject.org', tenant: infrastructure, password: "{{red_password}}" } - - { name: samkottler, email: 'samkottler@fedoraproject.org', tenant: infrastructure, password: "{{samkottler_password}}" } - - { name: tflink, email: 'tflink@fedoraproject.org', tenant: qa, password: "{{tflink_password}}" } - - { name: twisted, email: 'buildbot@twistedmatrix.com', tenant: pythonbots, password: "{{twisted_password}}" } - - { name: roshi, email: 'roshi@fedoraproject.org', tenant: qa, password: "{{roshi_password}}" } - - { name: maxamillion, email: 'maxamillion@fedoraproject.org', tenant: infrastructure, password: "{{maxamillion_password}}" } - - { name: jkadlcik, email: 'jkadlcik@redhat.com', tenant: copr, password: "{{clime_password}}" } - - { name: misc, email: 'misc@redhat.com', tenant: openshift, password: "{{misc_password}}" } - - { name: bowlofeggs, email: 'bowlofeggs@fedoraproject.org', tenant: transient, password: "{{bowlofeggs_password}}" } - - { name: alivigni, email: 'alivigni@redhat.com', tenant: aos-ci-cd, password: "{{alivigni_password}}" } - - { name: jbieren, email: 'jbieren@redhat.com', tenant: aos-ci-cd, password: "{{jbieren_password}}" } - - { name: bpeck, email: 'bpeck@redhat.com', tenant: aos-ci-cd, 
password: "{{bpeck_password}}" } - - { name: srallaba, email: 'srallaba@redhat.com', tenant: aos-ci-cd, password: "{{srallaba_password}}" } - - { name: jburke, email: 'jburke@redhat.com', tenant: aos-ci-cd, password: "{{jburke_password}}" } - - { name: praiskup, email: 'praiskup@fedoraproject.org', tenant: copr, password: "{{praiskup_password}}" } - tags: - - openstack_users - - - name: upload SSH keys for users - nova_keypair: - auth_url="https://{{controller_publicname}}:35357/v2.0" - login_username="{{ item.username }}" - login_password="{{ item.password }}" login_tenant_name="{{item.tenant}}" name="{{ item.name }}" - public_key="{{ item.public_key }}" - ignore_errors: yes - no_log: True - with_items: - - { username: anthomas, name: anthomas, tenant: cloudintern, password: "{{anthomas_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas anthomas') }}" } - - { username: ausil, name: ausil, tenant: infrastructure, password: "{{ausil_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas ausil') }}" } - - { username: codeblock, name: codeblock, tenant: infrastructure, password: "{{codeblock_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas codeblock') }}" } - - { username: buildsys, name: buildsys, tenant: copr, password: "{{copr_password}}", public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeTO0ddXuhDZYM9HyM0a47aeV2yIVWhTpddrQ7/RAIs99XyrsicQLABzmdMBfiZnP0FnHBF/e+2xEkT8hHJpX6bX81jjvs2bb8KP18Nh8vaXI3QospWrRygpu1tjzqZT0Llh4ZVFscum8TrMw4VWXclzdDw6x7csCBjSttqq8F3iTJtQ9XM9/5tCAAOzGBKJrsGKV1CNIrfUo5CSzY+IUVIr8XJ93IB2ZQVASK34T/49egmrWlNB32fqAbDMC+XNmobgn6gO33Yq5Ly7Dk4kqTUx2TEaqDkZfhsVu0YcwV81bmqsltRvpj6bIXrEoMeav7nbuqKcPLTxWEY/2icePF" } - - { username: gholms, name: gholms, tenant: cloudintern, password: "{{gholms_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas gholms') }}" } - - { username: 
jskladan, name: jskladan, tenant: qa, password: "{{jskladan_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas jskladan') }}" } - - { username: kevin, name: kevin, tenant: infrastructure, password: "{{kevin_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas kevin') }}" } - - { username: maxamillion, name: maxamillion, tenant: infrastructure, password: "{{maxamillion_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas maxamillion') }}" } - - { username: laxathom, name: laxathom, tenant: infrastructure, password: "{{laxathom_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas laxathom') }}" } - - { username: mattdm, name: mattdm, tenant: infrastructure, password: "{{mattdm_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas mattdm') }}" } - - { username: msuchy, name: msuchy, tenant: copr, password: "{{msuchy_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas msuchy') }}" } - - { username: nb, name: nb, tenant: infrastructure, password: "{{nb_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas nb') }}" } - - { username: pingou, name: pingou, tenant: infrastructure, password: "{{pingou_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas pingou') }}" } - - { username: puiterwijk, name: puiterwijk, tenant: infrastructure, password: "{{puiterwijk_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas puiterwijk') }}" } - - { username: stefw, name: stefw, tenant: scratch, password: "{{stefw_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas stefw') }}" } - - { username: mizdebsk, name: mizdebsk, tenant: infrastructure, password: 
"{{mizdebsk_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas mizdebsk') }}" } - - { username: kushal, name: kushal, tenant: infrastructure, password: "{{kushal_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas kushal') }}" } - - { username: red, name: red, tenant: infrastructure, password: "{{red_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas red') }}" } - - { username: roshi, name: roshi, tenant: qa, password: "{{roshi_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas roshi') }}" } - - { username: samkottler, name: samkottler, tenant: infrastructure, password: "{{samkottler_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas skottler') }}" } - - { username: tflink, name: tflink, tenant: qa, password: "{{tflink_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas tflink') }}" } - - { username: atomic, name: atomic, tenant: scratch, password: "{{cockpit_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas walters') }}" } -# - { name: twisted, tenant: pythonbots, password: "{{twisted_password}}", public_key: "" } - - { username: admin, name: fedora-admin-20130801, tenant: admin, password: "{{ADMIN_PASS}}", public_key: "{{ lookup('file', files + '/fedora-cloud/fedora-admin-20130801.pub') }}" } - - { username: asamalik, name: asamalik, tenant: scratch, password: "{{asamalik_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas asamalik') }}" } - - { username: jkadlcik, name: jkadlcik, tenant: copr, password: "{{clime_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas jkadlcik') }}" } - - { username: misc, name: misc, tenant: openshift, password: "{{misc_password}}", public_key: 
"{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas misc') }}" } - - { username: alivigni, name: alivigni, tenant: aos-ci-cd, password: "{{alivigni_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas alivigni') }}" } - - { username: jbieren, name: jbieren, tenant: aos-ci-cd, password: "{{jbieren_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas jbieren') }}" } - - { username: bpeck, name: bpeck, tenant: aos-ci-cd, password: "{{bpeck_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas bpeck') }}" } - - { username: srallaba, name: srallaba, tenant: aos-ci-cd, password: "{{srallaba_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas srallaba') }}" } - - { username: jburke, name: jburke, tenant: aos-ci-cd, password: "{{jburke_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas jburke') }}" } - - { username: praiskup, name: praiskup, tenant: infrastructure, password: "{{praiskup_password}}", public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas praiskup') }}" } - tags: - - openstack_users - - - name: Create roles for additional tenants - shell: source /root/keystonerc_admin && keystone role-list |grep ' {{item}} ' || keystone role-create --name {{ item }} - with_items: "{{all_tenants}}" - - name: Assign users to secondary tentants - shell: source /root/keystonerc_admin && keystone user-role-list --user "{{item.user}}" --tenant "{{item.tenant}}" | grep ' {{item.tenant }} ' || keystone user-role-add --user {{item.user}} --role {{item.tenant}} --tenant {{item.tenant}} || true - #keystone_user: - # endpoint="https://{{controller_publicname}}:35357/v2.0" - # login_user="admin" login_password="{{ ADMIN_PASS }}" - # role=coprdev user={{ item }} tenant=coprdev - with_items: - - { user: admin, tenant: cloudintern } - - { 
user: admin, tenant: cloudsig } - - { user: admin, tenant: copr } - - { user: admin, tenant: coprdev } - - { user: admin, tenant: persistent } - - { user: admin, tenant: pythonbots } - - { user: admin, tenant: qa } - - { user: admin, tenant: infrastructure } - - { user: admin, tenant: scratch } - - { user: admin, tenant: transient } - - { user: admin, tenant: maintainertest } - - { user: admin, tenant: aos-ci-cd } - - { user: copr, tenant: coprdev } - - { user: kevin, tenant: cloudintern } - - { user: kevin, tenant: cloudsig } - - { user: kevin, tenant: copr } - - { user: kevin, tenant: coprdev } - - { user: kevin, tenant: persistent } - - { user: kevin, tenant: pythonbots } - - { user: kevin, tenant: qa } - - { user: kevin, tenant: scratch } - - { user: kevin, tenant: transient } - - { user: kevin, tenant: maintainertest } - - { user: kevin, tenant: aos-ci-cd } - - { user: msuchy, tenant: cloudintern } - - { user: msuchy, tenant: cloudsig } - - { user: msuchy, tenant: coprdev } - - { user: msuchy, tenant: infrastructure } - - { user: msuchy, tenant: persistent } - - { user: msuchy, tenant: pythonbots } - - { user: msuchy, tenant: qa } - - { user: msuchy, tenant: scratch } - - { user: msuchy, tenant: transient } - - { user: pingou, tenant: persistent } - - { user: puiterwijk, tenant: cloudintern } - - { user: puiterwijk, tenant: cloudsig } - - { user: puiterwijk, tenant: copr } - - { user: puiterwijk, tenant: coprdev } - - { user: puiterwijk, tenant: persistent } - - { user: puiterwijk, tenant: pythonbots } - - { user: puiterwijk, tenant: qa } - - { user: puiterwijk, tenant: scratch } - - { user: puiterwijk, tenant: transient } - - { user: puiterwijk, tenant: maintainertest } - - { user: puiterwijk, tenant: aos-ci-cd } - - { user: mizdebsk, tenant: aos-ci-cd } - - { user: mizdebsk, tenant: cloudintern } - - { user: mizdebsk, tenant: cloudsig } - - { user: mizdebsk, tenant: copr } - - { user: mizdebsk, tenant: coprdev } - - { user: mizdebsk, tenant: infrastructure } 
- - { user: mizdebsk, tenant: maintainertest } - - { user: mizdebsk, tenant: openshift } - - { user: mizdebsk, tenant: persistent } - - { user: mizdebsk, tenant: pythonbots } - - { user: mizdebsk, tenant: qa } - - { user: mizdebsk, tenant: scratch } - - { user: mizdebsk, tenant: transient } - - { user: clime, tenant: coprdev } - - { user: clime, tenant: persistent } - - { user: jkadlcik, tenant: coprdev } - - { user: praiskup, tenant: copr } - - { user: praiskup, tenant: coprdev } - - { user: praiskup, tenant: persistent } - tags: - - openstack_users - - ##### NETWORK #### - # http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.configure-networks.html - # - # external network is a class C: 209.132.184.0/24 - # 209.132.184.1 to .25 - reserved for hardware. - # 209.132.184.26 to .30 - reserver for test cloud external ips - # 209.132.184.31 to .69 - icehouse cloud - # 209.132.184.70 to .89 - reserved for arm03 SOCs - # 209.132.184.90 to .251 - folsom cloud - # - - name: Create en external network - neutron_network: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name=external - router_external=True - provider_network_type=flat - provider_physical_network=floatnet - register: EXTERNAL_ID - - name: Create an external subnet - neutron_subnet: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - name=external-subnet - network_name=external - cidr="{{ public_interface_cidr }}" - allocation_pool_start="{{ public_floating_start }}" - allocation_pool_end="{{ public_floating_end }}" - gateway_ip="{{ public_gateway_ip }}" - enable_dhcp=false - register: EXTERNAL_SUBNET_ID - #- shell: source /root/keystonerc_admin && nova floating-ip-create external - # when: packstack_sucessfully_finished.stat.exists == False - - # 172.16.0.1/16 -- 172.22.0.1/16 - free (can be 
split to /20) - # 172.23.0.1/16 - free (but used by old cloud) - # 172.24.0.1/24 - RESERVED it is used internally for OS - # 172.24.1.0/24 -- 172.24.255.0/24 - likely free (?) - # 172.25.0.1/20 - Cloudintern (172.25.0.1 - 172.25.15.254) - # 172.25.16.1/20 - infrastructure (172.25.16.1 - 172.25.31.254) - # 172.25.32.1/20 - persistent (172.25.32.1 - 172.25.47.254) - # 172.25.48.1/20 - transient (172.25.48.1 - 172.25.63.254) - # 172.25.64.1/20 - scratch (172.25.64.1 - 172.25.79.254) - # 172.25.80.1/20 - copr (172.25.80.1 - 172.25.95.254) - # 172.25.96.1/20 - cloudsig (172.25.96.1 - 172.25.111.254) - # 172.25.112.1/20 - qa (172.25.112.1 - 172.25.127.254) - # 172.25.128.1/20 - pythonbots (172.25.128.1 - 172.25.143.254) - # 172.25.144.1/20 - coprdev (172.25.144.1 - 172.25.159.254) - # 172.25.160.1/20 -- 172.25.240.1/20 - free - # 172.26.0.1/16 -- 172.31.0.1/16 - free (can be split to /20) - - - name: Create a router for all tenants - neutron_router: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - tenant_name="{{ item }}" - name="ext-to-{{ item }}" - with_items: "{{all_tenants}}" - - name: "Connect router's gateway to the external network" - neutron_router_gateway: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - router_name="ext-to-{{ item }}" - network_name="external" - with_items: "{{all_tenants}}" - - name: Create a private network for all tenants - neutron_network: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - tenant_name="{{ item.name }}" - name="{{ item.name }}-net" - shared="{{ item.shared }}" - with_items: - - { name: cloudintern, shared: false } - - { name: cloudsig, shared: false } - - { name: copr, shared: true } - - { name: coprdev, shared: true } - - { name: 
infrastructure, shared: false } - - { name: persistent, shared: false } - - { name: pythonbots, shared: false } - - { name: qa, shared: false } - - { name: scratch, shared: false } - - { name: transient, shared: false } - - { name: openshift, shared: false } - - { name: maintainertest, shared: false } - - { name: aos-ci-cd, shared: false } - - name: Create a subnet for all tenants - neutron_subnet: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - tenant_name="{{ item.name }}" - network_name="{{ item.name }}-net" - name="{{ item.name }}-subnet" - cidr="{{ item.cidr }}" - gateway_ip="{{ item.gateway }}" - dns_nameservers="66.35.62.163,140.211.169.201" - with_items: - - { name: cloudintern, cidr: '172.25.0.1/20', gateway: '172.25.0.1' } - - { name: cloudsig, cidr: '172.25.96.1/20', gateway: '172.25.96.1' } - - { name: copr, cidr: '172.25.80.1/20', gateway: '172.25.80.1' } - - { name: coprdev, cidr: '172.25.144.1/20', gateway: '172.25.144.1' } - - { name: infrastructure, cidr: '172.25.16.1/20', gateway: '172.25.16.1' } - - { name: persistent, cidr: '172.25.32.1/20', gateway: '172.25.32.1' } - - { name: pythonbots, cidr: '172.25.128.1/20', gateway: '172.25.128.1' } - - { name: qa, cidr: '172.25.112.1/20', gateway: '172.25.112.1' } - - { name: scratch, cidr: '172.25.64.1/20', gateway: '172.25.64.1' } - - { name: transient, cidr: '172.25.48.1/20', gateway: '172.25.48.1' } - - { name: openshift, cidr: '172.25.160.1/20', gateway: '172.25.160.1' } - - { name: maintainertest, cidr: '172.25.176.1/20', gateway: '172.25.176.1' } - - { name: aos-ci-cd, cidr: '172.25.180.1/20', gateway: '172.25.180.1' } - - name: "Connect router's interface to the TENANT-subnet" - neutron_router_interface: - login_username="admin" login_password="{{ ADMIN_PASS }}" login_tenant_name="admin" - auth_url="https://{{controller_publicname}}:35357/v2.0" - tenant_name="{{ item }}" - router_name="ext-to-{{ item 
}}" - subnet_name="{{ item }}-subnet" - with_items: "{{all_tenants}}" - - ################# - # Security Groups - ################ - - name: "Create 'ssh-anywhere' security group" - neutron_sec_group: - login_username: "admin" - login_password: "{{ ADMIN_PASS }}" - login_tenant_name: "admin" - auth_url: "https://{{controller_publicname}}:35357/v2.0" - state: "present" - name: 'ssh-anywhere-{{item}}' - description: "allow ssh from anywhere" - tenant_name: "{{item}}" - rules: - - direction: "ingress" - port_range_min: "22" - port_range_max: "22" - ethertype: "IPv4" - protocol: "tcp" - remote_ip_prefix: "0.0.0.0/0" - with_items: "{{all_tenants}}" - - - name: "Allow nagios checks" - neutron_sec_group: - login_username: "admin" - login_password: "{{ ADMIN_PASS }}" - login_tenant_name: "admin" - auth_url: "https://{{controller_publicname}}:35357/v2.0" - state: "present" - name: 'allow-nagios-{{item}}' - description: "allow nagios checks" - tenant_name: "{{item}}" - rules: - - direction: "ingress" - port_range_min: "5666" - port_range_max: "5666" - ethertype: "IPv4" - protocol: "tcp" - remote_ip_prefix: "209.132.181.35/32" - - direction: "ingress" - ethertype: "IPv4" - protocol: "icmp" - remote_ip_prefix: "209.132.181.35/32" - with_items: - - persistent - - - name: "Create 'ssh-from-persistent' security group" - neutron_sec_group: - login_username: "admin" - login_password: "{{ ADMIN_PASS }}" - login_tenant_name: "admin" - auth_url: "https://{{controller_publicname}}:35357/v2.0" - state: "present" - name: 'ssh-from-persistent-{{item}}' - description: "allow ssh from persistent" - tenant_name: "{{item}}" - rules: - - direction: "ingress" - port_range_min: "22" - port_range_max: "22" - ethertype: "IPv4" - protocol: "tcp" - remote_ip_prefix: "172.25.32.1/20" - with_items: - - copr - - coprdev - - - - name: "Create 'ssh-internal' security group" - neutron_sec_group: - login_username: "admin" - login_password: "{{ ADMIN_PASS }}" - login_tenant_name: "admin" - auth_url: 
"https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'ssh-internal-{{item.name}}'
- description: "allow ssh from {{item.name}}-network"
- tenant_name: "{{ item.name }}"
- rules:
- - direction: "ingress"
- port_range_min: "22"
- port_range_max: "22"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "{{ item.prefix }}"
- with_items:
- - { name: cloudintern, prefix: '172.25.0.1/20' }
- - { name: cloudsig, prefix: '172.25.96.1/20' }
- - { name: copr, prefix: '172.25.80.1/20' }
- - { name: coprdev, prefix: '172.25.80.1/20' }
- - { name: infrastructure, prefix: "172.25.16.1/20" }
- - { name: persistent, prefix: "172.25.32.1/20" }
- - { name: pythonbots, prefix: '172.25.128.1/20' }
- - { name: qa, prefix: "172.25.112.1/20" }
- - { name: scratch, prefix: '172.25.64.1/20' }
- - { name: transient, prefix: '172.25.48.1/20' }
- - { name: openshift, prefix: '172.25.160.1/20' }
- - { name: maintainertest, prefix: '172.25.180.1/20' }
- - { name: aos-ci-cd, prefix: '172.25.200.1/20' }
-
- - name: "Create 'web-80-anywhere' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'web-80-anywhere-{{item}}'
- description: "allow web-80 from anywhere"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- port_range_min: "80"
- port_range_max: "80"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "0.0.0.0/0"
- with_items: "{{all_tenants}}"
-
- - name: "Create 'web-443-anywhere' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'web-443-anywhere-{{item}}'
- description: "allow web-443 from anywhere"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- port_range_min: "443"
- port_range_max: "443"
- ethertype: "IPv4" 
- protocol: "tcp"
- remote_ip_prefix: "0.0.0.0/0"
- with_items: "{{all_tenants}}"
-
- - name: "Create 'oci-registry-5000-anywhere' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'oci-registry-5000-anywhere-{{item}}'
- description: "allow oci-registry-5000 from anywhere"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- port_range_min: "5000"
- port_range_max: "5000"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "0.0.0.0/0"
- with_items: "{{all_tenants}}"
-
- - name: "Create 'wide-open' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'wide-open-{{item}}'
- description: "allow anything from anywhere"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- port_range_min: "0"
- port_range_max: "65535"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "0.0.0.0/0"
- - direction: "ingress"
- port_range_min: "0"
- port_range_max: "65535"
- ethertype: "IPv4"
- protocol: "udp"
- remote_ip_prefix: "0.0.0.0/0"
- with_items: "{{all_tenants}}"
-
- - name: "Create 'ALL ICMP' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'all-icmp-{{item}}'
- description: "allow all ICMP traffic"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- ethertype: "IPv4"
- protocol: "icmp"
- remote_ip_prefix: "0.0.0.0/0"
- with_items: "{{all_tenants}}"
-
- - name: "Create 'keygen-persistent' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: 
"https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'keygen-persistent'
- description: "rules for copr-keygen"
- tenant_name: "persistent"
- rules:
- - direction: "ingress"
- port_range_min: "5167"
- port_range_max: "5167"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "172.25.32.1/20"
- - direction: "ingress"
- port_range_min: "80"
- port_range_max: "80"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "172.25.32.1/20"
-
- - name: "Create 'pg-5432-anywhere' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'pg-5432-anywhere-{{item}}'
- description: "allow postgresql-5432 from anywhere"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- port_range_min: "5432"
- port_range_max: "5432"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "0.0.0.0/0"
- with_items: "{{all_tenants}}"
-
- - name: "Create 'fedmsg-relay-persistent' security group"
- neutron_sec_group:
- login_username: "admin"
- login_password: "{{ ADMIN_PASS }}"
- login_tenant_name: "admin"
- auth_url: "https://{{controller_publicname}}:35357/v2.0"
- state: "present"
- name: 'fedmsg-relay-persistent'
- description: "allow incoming 2003 and 4001 from internal network"
- tenant_name: "{{item}}"
- rules:
- - direction: "ingress"
- port_range_min: "2003"
- port_range_max: "2003"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "172.25.80.1/16"
- - direction: "ingress"
- port_range_min: "4001"
- port_range_max: "4001"
- ethertype: "IPv4"
- protocol: "tcp"
- remote_ip_prefix: "172.25.80.1/16"
- with_items: "{{all_tenants}}"
-
- # Update quota for Copr
- # SEE:
- # nova quota-defaults
- # nova quota-show --tenant $TENANT_ID
- # default is 10 instances, 20 cores, 51200 RAM, 10 floating IPs
- - shell: source /root/keystonerc_admin && keystone tenant-list | grep 'copr ' | awk '{print 
$2}'
- register: TENANT_ID
- check_mode: no
- changed_when: false
- - shell: source /root/keystonerc_admin && nova quota-update --instances 50 --cores 100 --ram 350000 --floating-ips 10 --security-groups 20 {{ TENANT_ID.stdout }}
-
- - shell: source /root/keystonerc_admin && keystone tenant-list | grep 'coprdev ' | awk '{print $2}'
- check_mode: no
- changed_when: false
- register: TENANT_ID
- - shell: source /root/keystonerc_admin && nova quota-update --instances 40 --cores 80 --ram 300000 --floating-ips 10 --security-groups 20 {{ TENANT_ID.stdout }}
-
-#
-# Note that we set manually the amount of volumes for this tenant to 20 in the web interface.
-# nova quota-update cannot do so.
-#
- - shell: source /root/keystonerc_admin && keystone tenant-list | grep 'persistent ' | awk '{print $2}'
- check_mode: no
- changed_when: false
- register: TENANT_ID
- - shell: source /root/keystonerc_admin && nova quota-update --instances 60 --cores 175 --ram 288300 --security-groups 20 {{ TENANT_ID.stdout }}
-
-# Transient quota
- - shell: source /root/keystonerc_admin && keystone tenant-list | grep 'transient ' | awk '{print $2}'
- check_mode: no
- changed_when: false
- register: TENANT_ID
- - shell: source /root/keystonerc_admin && nova quota-update --instances 30 --cores 70 --ram 153600 --security-groups 20 {{ TENANT_ID.stdout }}
-