
---
- name: Prepare storage on compute nodes
  hosts: openstack-compute
  user: root
  sudo: true
  gather_facts: true
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
  tasks:
    # Intentionally duplicated from the compute-node playbook so the Swift
    # store and the root key are in place even when that playbook has not
    # been applied yet.
    - name: Create logical volume for Swift
      lvol:
        vg: vg_server
        lv: swift_store
        size: 100g
    - name: Create FS on Swift storage
      filesystem:
        fstype: ext4
        dev: /dev/vg_server/swift_store
    # Same key pair the controller play below installs for root, so the
    # controller can reach every compute node as root.
    - name: SSH authorized key for root user
      authorized_key:
        user: root
        key: "{{ lookup('file', files + '/fedora-cloud/fed09-ssh-key.pub') }}"
- name: deploy Open Stack controler
  hosts: fed-cloud09.cloud.fedoraproject.org
  user: root
  sudo: true
  gather_facts: true
  vars:
    # Every tenant except admin.
    all_tenants:
      - cloudintern
      - cloudsig
      - copr
      - coprdev
      - infrastructure
      - persistent
      - pythonbots
      - qa
      - scratch
      - transient
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
    - /srv/web/infra/ansible/vars/fedora-cloud.yml
    # Presumably where DBPASSWORD, SWIFT_PASS, SAN_PW, ADMIN_TOKEN and
    # cloud_rootpw are defined; they never belong in this file.
    - /srv/private/ansible/files/openstack/passwords.yml
  roles:
    - base
    - rkhunter
    - nagios_client
    - fas_client
    - sudo
  handlers:
    - include: "{{ handlers }}/restart_services.yml"
  tasks:
# Shared setup shared by the cloud hosts; root_auth_users is scoped to the
# first include only.
- include: "{{ tasks }}/cloud_setup_basic.yml"
  vars:
    root_auth_users: msuchy
- include: "{{ tasks }}/motd.yml"
- include: "{{ tasks }}/2fa_client.yml"
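# The user module stores the value as the password hash; cloud_rootpw
# therefore has to be an already-hashed value -- TODO(review): confirm in the
# private vars. no_log keeps the hash out of the play output and log files.
- name: set root passwd
  user:
    name: root
    password: "{{ cloud_rootpw }}"
    state: present
  no_log: true
  tags:
    - rootpw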
- name: Set the hostname
  hostname:
    name: "{{ controller_hostname }}"
# Root's key pair: the private half comes from the private repo and is kept
# owner-only; the public half is also authorized for root on this host (and
# on the compute nodes by the play above).
- name: Deploy root private SSH key
  copy:
    src: "{{ private }}/files/openstack/fed-cloud09-root.key"
    dest: /root/.ssh/id_rsa
    mode: "600"
    owner: root
    group: root
- name: Deploy root public SSH key
  copy:
    src: "{{ files }}/fedora-cloud/fed09-ssh-key.pub"
    dest: /root/.ssh/id_rsa.pub
    mode: "600"
    owner: root
    group: root
- name: Authorize the root key on this host
  authorized_key:
    user: root
    key: "{{ lookup('file', files + '/fedora-cloud/fed09-ssh-key.pub') }}"
- name: install core pkgs
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - libselinux-python
    - ntp
    - wget
    - scsi-target-utils
    - lvm2
    - iptables-services
# Permissive mode keeps labelling and logs denials but enforces nothing, so
# the openstack-selinux policy installed later is advisory on this host.
- name: disable selinux
  selinux:
    policy: targeted
    state: permissive
- service:
    name: tgtd
    state: started
    enabled: true
# Best-effort rename of the pre-existing volume group; it fails (and is
# ignored) once the rename has happened or if vg_guests never existed.
- command: vgrename vg_guests cinder-volumes
  ignore_errors: true
- lvg:
    vg: cinder-volumes
    pvs: /dev/md127
    pesize: "32"
    vg_options: ""
- name: Create logical volume for Swift
  lvol:
    vg: vg_server
    lv: swift_store
    size: 100g
- name: Create FS on Swift storage
  filesystem:
    fstype: ext4
    dev: /dev/vg_server/swift_store
- template:
    src: "{{ files }}/fedora-cloud/hosts"
    dest: /etc/hosts
    owner: root
    mode: "0644"
# Marker touched right after the packstack run further down; the tasks that
# must only run on the first pass test this result.
- stat:
    path: /etc/packstack_sucessfully_finished
  register: packstack_sucessfully_finished
# http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-networking.html
# Static iptables via iptables-services; NetworkManager and firewalld are
# switched off so neither can rewrite the interface or firewall setup.
- service:
    name: NetworkManager
    state: stopped
    enabled: false
- service:
    name: network
    enabled: true
- service:
    name: firewalld
    state: stopped
    enabled: false
  ignore_errors: true
- service:
    name: iptables
    state: started
    enabled: true
# "-s 172.24.0.10/24" is a network match: iptables masks it to 172.24.0.0/24,
# so every host on that subnet reaches these ports, not only .10. Each rule is
# inserted ahead of the RELATED,ESTABLISHED rule; the task name only mentions
# rabbitmq but the list covers all the service ports.
- name: ensure iptables is configured to allow rabbitmq traffic (port 5672/tcp)
  lineinfile:
    dest: /etc/sysconfig/iptables
    state: present
    regexp: '^.*INPUT.*172\.24\.0\.10/24.*tcp.*{{ item }}.*ACCEPT'
    insertbefore: '^.*INPUT.*RELATED,ESTABLISHED.*ACCEPT'
    line: '-A INPUT -s 172.24.0.10/24 -p tcp -m multiport --dports {{ item }} -m comment --comment "added by fedora-infra ansible" -j ACCEPT'
    backup: true
  with_items:
    - "80,443"
    - "3260"
    - "3306"
    - "5671"
    - "5672"
    - "6000,6001,6002,873"
    - "8777"
    - "27017"
    - "5900:5999,16509"
    - "16509,49152:49215"
  notify: restart iptables
# http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-neutron-networking-controller-node.html
# First run only: take br-tun (presumably the OVS tunnel bridge) down before
# eth1/br-ex are reconfigured; it may not exist yet, hence ignore_errors.
- command: ifdown br-tun
  when: not packstack_sucessfully_finished.stat.exists
  ignore_errors: true
- lineinfile:
    dest: /etc/sysconfig/network-scripts/ifcfg-eth1
    regexp: '^ONBOOT='
    line: 'ONBOOT=yes'
  notify:
    - restart network
# only for first run
- lineinfile:
    dest: /etc/sysconfig/network-scripts/ifcfg-eth1
    regexp: '^NETMASK='
    line: 'NETMASK=255.255.255.0'
  when: not packstack_sucessfully_finished.stat.exists
  notify:
    - restart network
- lineinfile:
    dest: /etc/sysconfig/network-scripts/ifcfg-eth1
    regexp: '^IPADDR='
    line: "IPADDR={{controller_private_ip}}"
  when: not packstack_sucessfully_finished.stat.exists
  notify:
    - restart network
- lineinfile:
    dest: /etc/sysconfig/network-scripts/ifcfg-eth1
    regexp: 'BOOTPROTO='
    line: 'BOOTPROTO=none'
  notify:
    - restart network
- template:
    src: "{{files}}/fedora-cloud/ifcfg-br-ex"
    dest: /etc/sysconfig/network-scripts/ifcfg-br-ex
    owner: root
    mode: "0644"
  when: not packstack_sucessfully_finished.stat.exists
  notify:
    - restart network
- template:
    src: "{{files}}/fedora-cloud/ifcfg-eth0"
    dest: /etc/sysconfig/network-scripts/ifcfg-eth0
    owner: root
    mode: "0644"
  when: not packstack_sucessfully_finished.stat.exists
  notify:
    - restart network
- command: ifup eth1
  when: not packstack_sucessfully_finished.stat.exists
# Run the queued "restart network" now so addressing is live before the
# OpenStack packages are installed and configured.
- meta: flush_handlers
# http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-ntp.html
- service:
    name: ntpd
    state: started
    enabled: true
# http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-packages.html
- yum:
    name: "https://repos.fedorapeople.org/repos/openstack/openstack-icehouse/rdo-release-icehouse-4.noarch.rpm"
    state: present
# Several entries are bare package URLs (EPEL over plain http, an openvswitch
# build from a personal directory on people.redhat.com). Whether yum verifies
# a signature on a URL-installed rpm depends on the host's gpgcheck /
# localpkg_gpgcheck settings, which this play does not set.
- name: install basic openstack packages
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - "http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm"
    - openstack-utils
    - openstack-selinux
    - openstack-packstack
    - python-glanceclient
    - rabbitmq-server
    - ansible-openstack-modules
    - openstack-keystone
    - openstack-neutron
    - openstack-nova-common
    - haproxy
    - "http://people.redhat.com/~lkellogg/rpms/openvswitch-2.3.1-2.git20150113.el7.x86_64.rpm"
    - "https://repos.fedorapeople.org/repos/openstack/openstack-juno/epel-7/openstack-utils-2014.2-1.el7.centos.noarch.rpm"
# One certificate/key pair (fed-cloud09.pem/.key) is installed once per
# service, each copy owned by that service's user so the daemon can read its
# own key without the key being group- or world-readable.
- name: add ssl cert
  copy:
    src: "{{ private }}/files/openstack/fed-cloud09.pem"
    dest: /etc/pki/tls/certs/fed-cloud09.pem
    mode: "600"
    owner: rabbitmq
    group: root
- name: add ssl key
  copy:
    src: "{{ private }}/files/openstack/fed-cloud09.key"
    dest: /etc/pki/tls/private/fed-cloud09.key
    mode: "600"
    owner: rabbitmq
    group: root
- name: add cert to ca-bundle.crt so plain curl works
  copy:
    src: "{{ private }}/files/openstack/fed-cloud09.pem"
    dest: /etc/pki/ca-trust/source/anchors/
    mode: "600"
    owner: root
    group: root
  notify:
    - update ca-trust
- name: add ssl cert/key for {{ item.service }}
  copy:
    src: "{{ private }}/files/openstack/{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
    owner: "{{ item.service }}"
    group: root
  with_items:
    - { service: keystone, src: fed-cloud09.pem, dest: /etc/pki/tls/certs/fed-cloud09-keystone.pem, mode: "644" }
    - { service: keystone, src: fed-cloud09.key, dest: /etc/pki/tls/private/fed-cloud09-keystone.key, mode: "600" }
    - { service: neutron, src: fed-cloud09.pem, dest: /etc/pki/tls/certs/fed-cloud09-neutron.pem, mode: "600" }
    - { service: neutron, src: fed-cloud09.key, dest: /etc/pki/tls/private/fed-cloud09-neutron.key, mode: "600" }
    - { service: nova, src: fed-cloud09.pem, dest: /etc/pki/tls/certs/fed-cloud09-nova.pem, mode: "600" }
    - { service: nova, src: fed-cloud09.key, dest: /etc/pki/tls/private/fed-cloud09-nova.key, mode: "600" }
- file:
    state: directory
    path: /var/www/pub
    mode: "0755"
# Published over http for clients to fetch; presumably certificate only --
# verify the .pem carries no private key before relying on this.
- copy:
    src: "{{ private }}/files/openstack/fed-cloud09.pem"
    dest: /var/www/pub/
    mode: "644"
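# http://docs.openstack.org/trunk/install-guide/install/yum/content/basics-database-controller.html
- name: install mysql packages
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - mariadb-galera-server
    - MySQL-python
# Written before the first start; a later change here is not followed by a
# restart, so re-runs that alter these values need a manual restart.
- name: configure mysqld
  ini_file:
    dest: /etc/my.cnf
    section: mysqld
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { option: bind-address, value: "{{ controller_public_ip }}" }
    - { option: default-storage-engine, value: innodb }
    - { option: collation-server, value: utf8_general_ci }
    - { option: init-connect, value: "'SET NAMES utf8'" }
    - { option: character-set-server, value: utf8 }
- service:
    name: mariadb
    state: started
    enabled: true
# 'localhost' needs to be the last item for idempotency, see
# http://ansible.cc/docs/modules.html#mysql-user
# no_log on every task that carries DBPASSWORD keeps it out of the play
# output and logs (it also hides the per-item output of the loop below).
- name: update mysql root password for localhost before setting .my.cnf
  mysql_user:
    name: root
    host: localhost
    password: "{{ DBPASSWORD }}"
  no_log: true
# .my.cnf is what authenticates every following mysql_* task.
- name: copy .my.cnf file with root password credentials
  template:
    src: "{{ files }}/fedora-cloud/my.cnf"
    dest: /root/.my.cnf
    owner: root
    mode: "0600"
- name: update mysql root password for all root accounts
  mysql_user:
    name: root
    host: "{{ item }}"
    password: "{{ DBPASSWORD }}"
  with_items:
    - "{{ controller_public_ip }}"
    - "127.0.0.1"
    - "::1"
  no_log: true
- name: delete anonymous MySQL server user for $server_hostname
  mysql_user:
    user: ""
    host: "{{ controller_public_ip }}"
    state: absent
- name: delete anonymous MySQL server user for localhost
  mysql_user:
    user: ""
    state: absent
- name: remove the MySQL test database
  mysql_db:
    db: test
    state: absent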
# WORKAROUNDS - already reported to OpenStack team
# The lineinfile tasks below patch files that belong to RPM packages in place
# (backup=yes leaves a timestamped copy next to each); a package update will
# overwrite them, after which the play re-applies the edits.
# NOTE(review): the leading whitespace inside the line= values must match the
# indentation of the surrounding code in the target file -- confirm it
# survived copy/paste.
- lineinfile:
dest=/usr/lib/python2.7/site-packages/packstack/plugins/dashboard_500.py
regexp=" host_resources\.append\(*ssl_key, 'ssl_ps_server.key'\)*"
line=" host_resources.append((ssl_key, 'ssl_ps_server.key'))"
backup=yes
# Renames the env var key so the puppet rabbitmq module stops emitting
# RABBITMQ_NODE_PORT (the play also strips that line from rabbitmq-env.conf
# further down). The regexp matches the renamed key too, so re-runs are no-ops.
- lineinfile:
dest=/usr/share/openstack-puppet/modules/rabbitmq/manifests/config.pp
regexp="RABBITMQ_NODE_PORT"
line=" 'RABBITMQ_NODE_PORTTTTT' => $port,"
backup=yes
- action: yum state=present pkg=mongodb-server
# Edits the packaged unit under /usr/lib/systemd; a drop-in under
# /etc/systemd/system would survive package updates.
- ini_file: dest=/usr/lib/systemd/system/mongod.service section=Service option=PIDFile value=/var/run/mongodb/mongod.pid
- lineinfile:
dest=/usr/lib/python2.7/site-packages/packstack/puppet/templates/mongodb.pp
regexp="pidfilepath"
line=" pidfilepath => '/var/run/mongodb/mongod.pid'"
insertbefore="^}"
- meta: flush_handlers
# http://openstack.redhat.com/Quickstart
# The answer file holds the service passwords, hence owner-only mode.
- template:
    src: "{{ files }}/fedora-cloud/packstack-controller-answers.txt"
    dest: /root/
    owner: root
    mode: "0600"
# packstack runs once; the marker file skips it (and the first-run network
# tasks above) on every later run.
- command: packstack --answer-file=/root/packstack-controller-answers.txt
  when: not packstack_sucessfully_finished.stat.exists
- file:
    path: /etc/packstack_sucessfully_finished
    state: touch
# FIXME we should really reboot here
# nova needs a login shell and its own key pair for cold migrations between
# compute nodes; the private key is owner-only.
- name: Set shell to nova user to allow cold migrations
  user:
    name: nova
    shell: /bin/bash
- name: SSH authorized key for nova user
  authorized_key:
    user: nova
    key: "{{fed_cloud09_nova_public_key}}"
- name: SSH public key for nova user
  template:
    src: "{{ files }}/fedora-cloud/fed_cloud09_nova_public_key"
    dest: /var/lib/nova/.ssh/id_rsa.pub
    owner: nova
    group: nova
- name: Deploy private SSH key
  copy:
    src: "{{ private }}/files/openstack/fed-cloud09-nova.key"
    dest: /var/lib/nova/.ssh/id_rsa
    mode: "600"
    owner: nova
    group: nova
- copy:
    src: "{{files}}/fedora-cloud/nova-ssh-config"
    dest: /var/lib/nova/.ssh/config
    owner: nova
    group: nova
    mode: "640"
# http://docs.openstack.org/icehouse/install-guide/install/yum/content/basics-queue.html
# https://openstack.redhat.com/Securing_services#qpid
#### FIXME
# Drop the port override packstack's puppet module would have written (see
# the RABBITMQ_NODE_PORT workaround above).
- lineinfile:
    dest: /etc/rabbitmq/rabbitmq-env.conf
    regexp: '^RABBITMQ_NODE_PORT='
    state: absent
- service:
    name: rabbitmq-server
    state: started
# flip endpoints internalurl to internal IP
# Same three steps for every service: look up the service id, then its
# endpoint id, then -- if an endpoint exists whose URLs do not mention
# controller_hostname -- delete it and recreate it with https URLs on the
# controller. The trailing "|| true" hides any failure of that third step.
# None of these shell tasks carry changed_when, so each reports "changed" on
# every run. If a service lookup yields nothing, the following greps run
# without a pattern and fail, which "|| true" then hides: a missing service
# is skipped silently rather than reported. The endpoint-delete assumes
# exactly one endpoint per service (multi-line ENDPOINT_ID would break it).
# The trailing space in 'cinder ', 'nova ' and 'swift ' keeps the service
# grep from also matching cinderv2, nova_ec2/novav3 and swift_s3.
# ceilometer
- shell: source /root/keystonerc_admin && keystone service-list | grep ceilometer | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8777' --adminurl 'https://{{ controller_hostname }}:8777' --internalurl 'https://{{ controller_hostname }}:8777' ) || true
# cinder
- shell: source /root/keystonerc_admin && keystone service-list | grep 'cinder ' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8776/v1/%(tenant_id)s' --adminurl 'https://{{ controller_hostname }}:8776/v1/%(tenant_id)s' --internalurl 'https://{{ controller_hostname }}:8776/v1/%(tenant_id)s' ) || true
# cinderv2
- shell: source /root/keystonerc_admin && keystone service-list | grep 'cinderv2' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8776/v2/%(tenant_id)s' --adminurl 'https://{{ controller_hostname }}:8776/v2/%(tenant_id)s' --internalurl 'https://{{ controller_hostname }}:8776/v2/%(tenant_id)s' ) || true
# glance
- shell: source /root/keystonerc_admin && keystone service-list | grep 'glance' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:9292' --adminurl 'https://{{ controller_hostname }}:9292' --internalurl 'https://{{ controller_hostname }}:9292' ) || true
# neutron
- shell: source /root/keystonerc_admin && keystone service-list | grep 'neutron' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:9696/' --adminurl 'https://{{ controller_hostname }}:9696/' --internalurl 'https://{{ controller_hostname }}:9696/' ) || true
# nova
- shell: source /root/keystonerc_admin && keystone service-list | grep 'nova ' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8774/v2/%(tenant_id)s' --adminurl 'https://{{ controller_hostname }}:8774/v2/%(tenant_id)s' --internalurl 'https://{{ controller_hostname }}:8774/v2/%(tenant_id)s' ) || true
# nova_ec2
- shell: source /root/keystonerc_admin && keystone service-list | grep 'nova_ec2' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8773/services/Cloud' --adminurl 'https://{{ controller_hostname }}:8773/services/Admin' --internalurl 'https://{{ controller_hostname }}:8773/services/Cloud' ) || true
# novav3
- shell: source /root/keystonerc_admin && keystone service-list | grep 'novav3' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8774/v3' --adminurl 'https://{{ controller_hostname }}:8774/v3' --internalurl 'https://{{ controller_hostname }}:8774/v3' ) || true
# swift
- shell: source /root/keystonerc_admin && keystone service-list | grep 'swift ' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{controller_hostname}}:8080/v1/AUTH_%(tenant_id)s' --adminurl 'https://{{controller_hostname}}:8080' --internalurl 'https://{{controller_hostname}}:8080/v1/AUTH_%(tenant_id)s' ) || true
# swift_s3
- shell: source /root/keystonerc_admin && keystone service-list | grep 'swift_s3' | awk '{print $2}'
register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
register: ENDPOINT_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:8080' --adminurl 'https://{{ controller_hostname }}:8080' --internalurl 'https://{{ controller_hostname }}:8080' ) || true
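# keystone --- !!!!! we need to use ADMIN_TOKEN here - this MUST be last before we restart OS and set up haproxy
- shell: source /root/keystonerc_admin && keystone service-list | grep 'keystone' | awk '{print $2}'
  register: SERVICE_ID
- shell: source /root/keystonerc_admin && keystone endpoint-list | grep {{SERVICE_ID.stdout}} | awk '{print $2}'
  register: ENDPOINT_ID
# keystone serves TLS itself (enable=True below); the other services keep
# their own SSL off and sit behind haproxy instead.
- ini_file:
    dest: /etc/keystone/keystone.conf
    section: ssl
    option: certfile
    value: /etc/pki/tls/certs/fed-cloud09-keystone.pem
- ini_file:
    dest: /etc/keystone/keystone.conf
    section: ssl
    option: keyfile
    value: /etc/pki/tls/private/fed-cloud09-keystone.key
# The admin token is passed on the command line and sent over plain http to
# port 35357, so this is the one endpoint flip that must not be echoed:
# no_log keeps the token out of the play output and logs. TODO(review):
# confirm 35357 stays unreachable from outside the host while this runs.
- shell: source /root/keystonerc_admin && keystone endpoint-list |grep {{SERVICE_ID.stdout}} |grep -v {{ controller_hostname }} && (keystone endpoint-delete {{ENDPOINT_ID.stdout}} && keystone --os-token '{{ADMIN_TOKEN}}' --os-endpoint 'http://{{ controller_hostname }}:35357/v2.0' endpoint-create --region 'RegionOne' --service {{SERVICE_ID.stdout}} --publicurl 'https://{{ controller_hostname }}:5000/v2.0' --adminurl 'https://{{ controller_hostname }}:35357/v2.0' --internalurl 'https://{{ controller_hostname }}:5000/v2.0' ) || true
  no_log: true
- ini_file:
    dest: /etc/keystone/keystone.conf
    section: ssl
    option: enable
    value: "True"
# Point the admin rc file at the https endpoint and at the CA it is signed
# with so later keystone/cinder shell tasks keep working.
- lineinfile:
    dest: /root/keystonerc_admin
    regexp: '^export OS_AUTH_URL'
    line: "export OS_AUTH_URL=https://{{ controller_hostname }}:5000/v2.0/"
- lineinfile:
    dest: /root/keystonerc_admin
    line: "export OS_CACERT=/etc/pki/tls/certs/fed-cloud09-keystone.pem"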
# Setup sysconfig file for novncproxy
- copy:
    src: "{{ files }}/fedora-cloud/openstack-nova-novncproxy"
    dest: /etc/sysconfig/openstack-nova-novncproxy
    mode: "644"
    owner: root
    group: root
# nova: talk to keystone, neutron and glance over https, serve novnc from the
# controller, and listen on the alternate ports haproxy fronts (6774/6773).
# ssl_only stays False because TLS is terminated by haproxy, not by nova.
- name: configure nova
  ini_file:
    dest: /etc/nova/nova.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { section: DEFAULT, option: novncproxy_base_url, value: "https://{{ controller_hostname }}:6080/vnc_auto.html" }
    - { section: keystone_authtoken, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { section: keystone_authtoken, option: auth_protocol, value: https }
    - { section: keystone_authtoken, option: auth_host, value: "{{ controller_hostname }}" }
    - { section: keystone_authtoken, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { section: DEFAULT, option: neutron_admin_auth_url, value: "https://{{ controller_hostname }}:35357/v2.0" }
    - { section: DEFAULT, option: neutron_url, value: "https://{{ controller_hostname }}:9696" }
    - { section: DEFAULT, option: osapi_compute_listen_port, value: "6774" }
    - { section: DEFAULT, option: ec2_listen_port, value: "6773" }
    - { section: DEFAULT, option: glance_api_servers, value: "https://{{ controller_hostname }}:9292" }
    - { section: DEFAULT, option: cert, value: /etc/pki/tls/certs/fed-cloud09-nova.pem }
    - { section: DEFAULT, option: key, value: /etc/pki/tls/private/fed-cloud09-nova.key }
    - { section: DEFAULT, option: novncproxy_host, value: "{{ controller_hostname }}" }
    - { section: DEFAULT, option: ssl_only, value: "False" }
    - { section: DEFAULT, option: scheduler_default_filters, value: "RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,CoreFilter,DiskFilter" }
    - { section: DEFAULT, option: default_floating_pool, value: external }
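# glance-api: keystone over https, listen on 7292 behind haproxy, and store
# images in Swift as the services:swift user.
- name: configure glance-api
  ini_file:
    dest: /etc/glance/glance-api.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { section: keystone_authtoken, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { section: keystone_authtoken, option: auth_protocol, value: https }
    - { section: keystone_authtoken, option: auth_host, value: "{{ controller_hostname }}" }
    - { section: keystone_authtoken, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { section: DEFAULT, option: bind_port, value: "7292" }
    # configure Glance to use Swift as backend
    - { section: DEFAULT, option: default_store, value: swift }
    - { section: DEFAULT, option: stores, value: glance.store.swift.Store }
    - { section: DEFAULT, option: swift_store_auth_address, value: "https://{{ controller_hostname }}:5000/v2.0" }
    - { section: DEFAULT, option: swift_store_user, value: "services:swift" }
# Kept as its own task so no_log can hide the swift password without hiding
# the rest of the glance configuration.
- name: set the swift store password for glance
  ini_file:
    dest: /etc/glance/glance-api.conf
    section: DEFAULT
    option: swift_store_key
    value: "{{ SWIFT_PASS }}"
  no_log: true
- ini_file:
    dest: /etc/glance/glance-api.conf
    section: DEFAULT
    option: swift_store_create_container_on_put
    value: "True"
# Overwrites the live paste configs with the packaged ones on every run
# (rsync is a no-op when identical, but the shell task still reports changed).
- shell: rsync /usr/share/glance/glance-api-dist-paste.ini /etc/glance/glance-api-paste.ini
- shell: rsync /usr/share/glance/glance-registry-dist-paste.ini /etc/glance/glance-registry-paste.ini
- name: configure glance-registry, glance-cache and glance-scrubber
  ini_file:
    dest: "{{ item.dest }}"
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { dest: /etc/glance/glance-registry.conf, section: keystone_authtoken, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { dest: /etc/glance/glance-registry.conf, section: keystone_authtoken, option: auth_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/glance/glance-registry.conf, section: keystone_authtoken, option: auth_protocol, value: https }
    - { dest: /etc/glance/glance-registry.conf, section: keystone_authtoken, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { dest: /etc/glance/glance-cache.conf, section: DEFAULT, option: auth_url, value: "https://{{ controller_hostname }}:5000/v2.0" }
    - { dest: /etc/glance/glance-scrubber.conf, section: DEFAULT, option: auth_url, value: "https://{{ controller_hostname }}:5000/v2.0" }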
# cinder: keystone over https, Swift backups, and listen on 6776 behind haproxy.
- name: configure cinder
  ini_file:
    dest: /etc/cinder/cinder.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { section: keystone_authtoken, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { section: keystone_authtoken, option: auth_protocol, value: https }
    - { section: keystone_authtoken, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { section: DEFAULT, option: backup_swift_url, value: "https://{{ controller_hostname }}:8080/v1/AUTH_" }
    - { section: DEFAULT, option: osapi_volume_listen_port, value: "6776" }
# Both api-paste.conf and api-paste.ini are written; presumably only one of
# them is read by the installed cinder -- verify which and drop the other.
- name: configure the cinder authtoken paste filter
  ini_file:
    dest: "{{ item.dest }}"
    section: "filter:authtoken"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { dest: /etc/cinder/api-paste.conf, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { dest: /etc/cinder/api-paste.conf, option: auth_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/cinder/api-paste.conf, option: auth_protocol, value: https }
    - { dest: /etc/cinder/api-paste.conf, option: service_protocol, value: https }
    - { dest: /etc/cinder/api-paste.conf, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { dest: /etc/cinder/api-paste.ini, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { dest: /etc/cinder/api-paste.ini, option: auth_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/cinder/api-paste.ini, option: auth_protocol, value: https }
    - { dest: /etc/cinder/api-paste.ini, option: service_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/cinder/api-paste.ini, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
# neutron: keystone and nova over https; listen on 8696 with use_ssl off,
# since haproxy terminates TLS in front of it.
- name: configure neutron
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { section: keystone_authtoken, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { section: keystone_authtoken, option: auth_protocol, value: https }
    - { section: keystone_authtoken, option: auth_host, value: "{{ controller_hostname }}" }
    - { section: keystone_authtoken, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { section: DEFAULT, option: nova_url, value: "https://{{ controller_hostname }}:8774/v2" }
    - { section: DEFAULT, option: nova_admin_auth_url, value: "https://{{ controller_hostname }}:35357/v2.0" }
    - { section: DEFAULT, option: use_ssl, value: "False" }
    - { section: DEFAULT, option: ssl_cert_file, value: /etc/pki/tls/certs/fed-cloud09-neutron.pem }
    - { section: DEFAULT, option: ssl_key_file, value: /etc/pki/tls/private/fed-cloud09-neutron.key }
    - { section: DEFAULT, option: ssl_ca_file, value: /etc/pki/tls/certs/fed-cloud09-neutron.pem }
    - { section: DEFAULT, option: bind_port, value: "8696" }
# LBaaS and FWaaS drivers; the regexp replaces an existing line, otherwise
# the line is inserted right after the [service_providers] header.
- lineinfile:
    dest: /etc/neutron/neutron.conf
    regexp: '^service_provider = LOADBALANCER'
    line: 'service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default'
    insertafter: '\[service_providers]'
- lineinfile:
    dest: /etc/neutron/neutron.conf
    regexp: '^service_provider = FIREWALL'
    line: 'service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default'
    insertafter: '\[service_providers]'
- name: configure the neutron authtoken paste filter and metadata agent
  ini_file:
    dest: "{{ item.dest }}"
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { dest: /etc/neutron/api-paste.conf, section: "filter:authtoken", option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { dest: /etc/neutron/api-paste.conf, section: "filter:authtoken", option: auth_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/neutron/api-paste.conf, section: "filter:authtoken", option: auth_protocol, value: https }
    - { dest: /etc/neutron/api-paste.conf, section: "filter:authtoken", option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { dest: /etc/neutron/metadata_agent.ini, section: "filter:authtoken", option: auth_url, value: "https://{{ controller_hostname }}:35357/v2.0" }
    - { dest: /etc/neutron/metadata_agent.ini, section: DEFAULT, option: auth_url, value: "https://{{ controller_hostname }}:35357/v2.0" }
# swift proxy and ceilometer: keystone over https. The swift proxy binds to
# loopback on 7080 and ceilometer to 6777; haproxy is the reachable side.
- name: configure swift proxy and ceilometer
  ini_file:
    dest: "{{ item.dest }}"
    section: "{{ item.section }}"
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - { dest: /etc/swift/proxy-server.conf, section: "filter:authtoken", option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { dest: /etc/swift/proxy-server.conf, section: "filter:authtoken", option: auth_protocol, value: https }
    - { dest: /etc/swift/proxy-server.conf, section: "filter:authtoken", option: auth_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/swift/proxy-server.conf, section: "filter:authtoken", option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { dest: /etc/swift/proxy-server.conf, section: DEFAULT, option: bind_port, value: "7080" }
    - { dest: /etc/swift/proxy-server.conf, section: DEFAULT, option: bind_ip, value: "127.0.0.1" }
    - { dest: /etc/ceilometer/ceilometer.conf, section: keystone_authtoken, option: auth_uri, value: "https://{{ controller_hostname }}:5000" }
    - { dest: /etc/ceilometer/ceilometer.conf, section: keystone_authtoken, option: auth_protocol, value: https }
    - { dest: /etc/ceilometer/ceilometer.conf, section: keystone_authtoken, option: auth_host, value: "{{ controller_hostname }}" }
    - { dest: /etc/ceilometer/ceilometer.conf, section: keystone_authtoken, option: cafile, value: /etc/pki/tls/certs/fed-cloud09-keystone.pem }
    - { dest: /etc/ceilometer/ceilometer.conf, section: service_credentials, option: os_auth_url, value: "https://{{ controller_hostname }}:35357/v2.0" }
    - { dest: /etc/ceilometer/ceilometer.conf, section: api, option: port, value: "6777" }
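# enable TLS termination (stunnel-style) in front of neutron and the others
# The combined file contains the private key. umask 077 creates it owner-only
# from the start, so there is no window where the bundle is world-readable,
# and the file task keeps it at 0600 owned by haproxy (which reads it itself).
- name: build the combined cert+key bundle for haproxy
  shell: umask 077 && cat /etc/pki/tls/certs/fed-cloud09-keystone.pem /etc/pki/tls/private/fed-cloud09.key > /etc/haproxy/fed-cloud09.combined
- file:
    path: /etc/haproxy/fed-cloud09.combined
    owner: haproxy
    mode: "0600"
- copy:
    src: "{{ files }}/fedora-cloud/haproxy.cfg"
    dest: /etc/haproxy/haproxy.cfg
    mode: "644"
    owner: root
    group: root
# first OS have to free ports so haproxy can bind it, then we start OS on modified ports
# Note this stops and restarts every OpenStack service on every run of the play.
- shell: openstack-service stop
- service:
    name: haproxy
    state: started
    enabled: true
- shell: openstack-service start
- lineinfile:
    dest: /etc/openstack-dashboard/local_settings
    regexp: '^OPENSTACK_KEYSTONE_URL '
    line: "OPENSTACK_KEYSTONE_URL = 'https://{{controller_hostname}}:5000/v2.0'"
  notify:
    - restart httpd
- lineinfile:
    dest: /etc/openstack-dashboard/local_settings
    regexp: 'OPENSTACK_SSL_CACERT '
    line: "OPENSTACK_SSL_CACERT = '/etc/pki/tls/certs/fed-cloud09-keystone.pem'"
  notify:
    - restart httpd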
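# configure cinder with multi back-end
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Cloud_Administrator_Guide/section_manage-volumes.html
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: DEFAULT
    option: enabled_backends
    value: "equallogic-1,lvmdriver-1"
# LVM
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: lvmdriver-1
    option: volume_group
    value: cinder-volumes
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: lvmdriver-1
    option: volume_driver
    value: cinder.volume.drivers.lvm.LVMISCSIDriver
# The "lvm" volume type created further down must carry this exact name in
# its volume_backend_name extra spec for the scheduler to match it.
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: lvmdriver-1
    option: volume_backend_name
    value: LVM_iSCSI
# Dell EqualLogic - http://docs.openstack.org/trunk/config-reference/content/dell-equallogic-driver.html
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: volume_driver
    value: cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: san_ip
    value: "{{ IP_EQLX }}"
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: san_login
    value: "{{ SAN_UNAME }}"
# no_log keeps the SAN password out of the play output and logs.
- name: set password for equallogic-1
  ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: san_password
    value: "{{ SAN_PW }}"
  no_log: true
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: eqlx_group_name
    value: "{{ EQLX_GROUP }}"
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: eqlx_pool
    value: "{{ EQLX_POOL }}"
- ini_file:
    dest: /etc/cinder/cinder.conf
    section: equallogic-1
    option: volume_backend_name
    value: equallogic
# Restarted unconditionally on every run; notifying handlers from the
# ini_file tasks above would restart only when something changed.
- service:
    name: openstack-cinder-api
    state: restarted
- service:
    name: openstack-cinder-scheduler
    state: restarted
- service:
    name: openstack-cinder-volume
    state: restarted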
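# create storage types, one per backend. The type's volume_backend_name extra
# spec must match the backend's volume_backend_name in cinder.conf, otherwise
# the scheduler never finds a host for volumes of that type.
# note that existing keys can be retrieved using: cinder extra-specs-list
- name: Create the lvm volume type
  # idempotent the same way the keystone role task below is: only create when
  # the type is not listed yet, instead of ignoring every error of type-create
  shell: source /root/keystonerc_admin && cinder type-list | grep -q ' lvm ' || cinder type-create lvm
- name: Map the lvm volume type to the LVM_iSCSI backend
  # was "lvm", which matches no backend: cinder.conf names it LVM_iSCSI
  shell: source /root/keystonerc_admin && cinder type-key lvm set volume_backend_name=LVM_iSCSI
- name: Create the equallogic volume type
  shell: source /root/keystonerc_admin && cinder type-list | grep -q ' equallogic ' || cinder type-create equallogic
- name: Map the equallogic volume type to the equallogic backend
  shell: source /root/keystonerc_admin && cinder type-key equallogic set volume_backend_name=equallogic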
# http://docs.openstack.org/icehouse/install-guide/install/yum/content/glance-verify.html
# TODO(review): the cirros image is fetched over plain http and is not
# checksummed before being published to every tenant; pin it with get_url's
# sha256sum/checksum parameter once the expected hash is known.
- name: Create the local image cache directory
  file:
    path: /root/images
    state: directory
- name: Download the cirros test image
  get_url:
    url: http://cdn.download.cirros-cloud.net/0.3.2/cirros-0.3.2-x86_64-disk.img
    dest: /root/images/cirros-0.3.2-x86_64-disk.img
    mode: "0440"
- name: Add the cirros-0.3.2-x86_64 image
  glance_image:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: cirros-0.3.2-x86_64
    disk_format: qcow2
    is_public: "True"
    file: /root/images/cirros-0.3.2-x86_64-disk.img
# flavors beyond the nova defaults (presumably nova units: ram/swap in MB,
# disk in GB — confirm)
- name: create non-standard flavor
  nova_flavor:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: "{{item.name}}"
    ram: "{{item.ram}}"
    disk: "{{item.disk}}"
    vcpus: "{{item.vcpus}}"
    swap: "{{item.swap}}"
  with_items:
    - { name: m1.builder, vcpus: 2, ram: 5120, swap: 5120, disk: 50 }
    # same as m.* but with swap
    - { name: ms1.tiny, vcpus: 1, ram: 512, swap: 512, disk: 1 }
    - { name: ms1.small, vcpus: 1, ram: 2048, swap: 2048, disk: 20 }
    - { name: ms1.medium, vcpus: 2, ram: 4096, swap: 4096, disk: 40 }
    - { name: ms1.large, vcpus: 4, ram: 8192, swap: 4096, disk: 50 }
    - { name: ms1.xlarge, vcpus: 8, ram: 16384, swap: 16384, disk: 160 }
    # inspired by http://aws.amazon.com/ec2/instance-types/
    - { name: c4.large, vcpus: 2, ram: 3072, swap: 0, disk: 0 }
    - { name: c4.xlarge, vcpus: 4, ram: 7168, swap: 0, disk: 0 }
    - { name: c4.2xlarge, vcpus: 8, ram: 14336, swap: 0, disk: 0 }
    - { name: r3.large, vcpus: 2, ram: 16384, swap: 16384, disk: 32 }
- { name: r3.large, ram: 16384, disk: 32, vcpus: 2, swap: 16384 }
##### download common Images #####
# restricted images (RHEL) are handled two steps below
# glance fetches each copy_from URL itself; nothing here verifies the image
# contents, and the CentOS URLs are plain http.
- name: Add the images
  glance_image:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: "{{ item.name }}"
    disk_format: qcow2
    is_public: "True"
    copy_from: "{{ item.copy_from }}"
  with_items:
    - name: Fedora-x86_64-20-20131211.1
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/20/Images/x86_64/Fedora-x86_64-20-20131211.1-sda.qcow2
    - name: Fedora-x86_64-20-20140407
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/updates/20/Images/x86_64/Fedora-x86_64-20-20140407-sda.qcow2
    - name: Fedora-Cloud-Base-20141203-21.x86_64
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.qcow2
    - name: Fedora-Cloud-Base-20141203-21.i386
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/i386/Fedora-Cloud-Base-20141203-21.i386.qcow2
    - name: Fedora-Cloud-Atomic-22_Alpha-20150305.x86_64
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Alpha/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22_Alpha-20150305.x86_64.qcow2
    - name: Fedora-Cloud-Base-22_Alpha-20150305.x86_64
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Alpha/Cloud/x86_64/Images/Fedora-Cloud-Base-22_Alpha-20150305.x86_64.qcow2
    - name: Fedora-Cloud-Atomic-22_Beta-20150415.x86_64
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Beta/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22_Beta-20150415.x86_64.qcow2
    - name: Fedora-Cloud-Base-22_Beta-20150415.x86_64
      copy_from: https://dl.fedoraproject.org/pub/fedora/linux/releases/test/22_Beta/Cloud/x86_64/Images/Fedora-Cloud-Base-22_Beta-20150415.x86_64.qcow2
    - name: CentOS-7-x86_64-GenericCloud-1503
      copy_from: http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud-1503.qcow2
    - name: CentOS-6-x86_64-GenericCloud-20141129_01
      copy_from: http://cloud.centos.org/centos/6/images/CentOS-6-x86_64-GenericCloud-20141129_01.qcow2
# The RHEL images cannot be fetched anonymously, so they are only registered
# when someone has already placed the file under /root/images.
# RHEL6 can be downloaded from https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=16952
- name: Check whether the RHEL6 image is present locally
  stat:
    path: /root/images/rhel-guest-image-6.6-20141222.0.x86_64.qcow2
  register: rhel6_image
- name: Add the RHEL6 image
  glance_image:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: "rhel-guest-image-6.6-20141222.0.x86_64"
    disk_format: qcow2
    is_public: "True"
    file: "/root/images/rhel-guest-image-6.6-20141222.0.x86_64.qcow2"
  when: rhel6_image.stat.exists
# RHEL7 can be download from https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.0/x86_64/product-downloads
- name: Check whether the RHEL7 image is present locally
  stat:
    path: /root/images/rhel-guest-image-7.0-20140930.0.x86_64.qcow2
  register: rhel7_image
- name: Add the RHEL7 image
  glance_image:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: "rhel-guest-image-7.0-20140930.0.x86_64"
    disk_format: qcow2
    is_public: "True"
    file: "/root/images/rhel-guest-image-7.0-20140930.0.x86_64.qcow2"
  when: rhel7_image.stat.exists
##### PROJECTS ######
# every tenant except "admin"; the list must stay in sync with the all_tenants
# play variable used by the network and security-group tasks below
- name: Create tenants
  keystone_user:
    login_user: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    endpoint: "https://{{controller_hostname}}:35357/v2.0"
    tenant: "{{ item.name }}"
    tenant_description: "{{ item.desc }}"
    state: present
  with_items:
    - name: persistent
      desc: "persistent instances"
    - name: qa
      desc: "developmnet and test-day applications of QA"
    - name: transient
      desc: 'transient instances'
    - name: infrastructure
      desc: "one off instances for infrastructure folks to test or check something (proof-of-concept)"
    - name: cloudintern
      desc: 'project for the cloudintern under mattdm'
    - name: cloudsig
      desc: 'Fedora cloud sig folks.'
    - name: copr
      desc: 'Space for Copr builders'
    - name: coprdev
      desc: 'Development version of Copr'
    - name: pythonbots
      desc: 'project for python build bot users - twisted, etc'
    - name: scratch
      desc: 'scratch and short term instances'
##### USERS #####
# each user gets a primary tenant here; additional tenants are granted via
# roles further down. Passwords come from the private vars file.
- name: Create users
  keystone_user:
    login_user: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    endpoint: "https://{{controller_hostname}}:35357/v2.0"
    user: "{{ item.name }}"
    email: "{{ item.email }}"
    tenant: "{{ item.tenant }}"
    password: "{{ item.password }}"
    state: present
  # the loop items contain passwords; keep them out of the output
  no_log: True
  with_items:
    - name: anthomas
      email: 'anthomas@redhat.com'
      tenant: cloudintern
      password: "{{anthomas_password}}"
    - name: ausil
      email: 'dennis@ausil.us'
      tenant: infrastructure
      password: "{{ausil_password}}"
    - name: atomic
      email: 'walters@redhat.com'
      tenant: scratch
      password: "{{cockpit_password}}"
    - name: codeblock
      email: 'codeblock@elrod.me'
      tenant: infrastructure
      password: "{{codeblock_password}}"
    - name: copr
      email: 'admin@fedoraproject.org'
      tenant: copr
      password: "{{copr_password}}"
    - name: gholms
      email: 'gholms@fedoraproject.org'
      tenant: cloudintern
      password: "{{gholms_password}}"
    - name: jskladan
      email: 'jskladan@redhat.com'
      tenant: qa
      password: "{{jskladan_password}}"
    - name: kevin
      email: 'kevin@fedoraproject.org'
      tenant: infrastructure
      password: "{{kevin_password}}"
    - name: laxathom
      email: 'laxathom@fedoraproject.org'
      tenant: infrastructure
      password: "{{laxathom_password}}"
    - name: mattdm
      email: 'mattdm@fedoraproject.org'
      tenant: infrastructure
      password: "{{mattdm_password}}"
    - name: msuchy
      email: 'msuchy@redhat.com'
      tenant: copr
      password: "{{msuchy_password}}"
    - name: nb
      email: 'nb@fedoraproject.org'
      tenant: infrastructure
      password: "{{nb_password}}"
    - name: pingou
      email: 'pingou@pingoured.fr'
      tenant: infrastructure
      password: "{{pingou_password}}"
    - name: puiterwijk
      email: 'puiterwijk@fedoraproject.org'
      tenant: infrastructure
      password: "{{puiterwijk_password}}"
    - name: red
      email: 'red@fedoraproject.org'
      tenant: infrastructure
      password: "{{red_password}}"
    - name: samkottler
      email: 'samkottler@fedoraproject.org'
      tenant: infrastructure
      password: "{{samkottler_password}}"
    - name: tflink
      email: 'tflink@fedoraproject.org'
      tenant: qa
      password: "{{tflink_password}}"
    - name: twisted
      email: 'buildbot@twistedmatrix.com'
      tenant: pythonbots
      password: "{{twisted_password}}"
    - name: vgologuz
      email: 'vgologuz@redhat.com'
      tenant: copr
      password: "{{vgologuz_password}}"
    - name: roshi
      email: 'roshi@fedoraproject.org'
      tenant: qa
      password: "{{roshi_password}}"
    - name: maxamillion
      email: 'maxamillion@fedoraproject.org'
      tenant: infrastructure
      password: "{{maxamillion_password}}"
# Keypairs are per user, so each upload authenticates as that user. Most keys
# are pulled from FAS via the auth-keys-from-fas script (the FAS account name
# is the script argument and does not always equal the OpenStack user name).
# Note: with both ignore_errors and no_log set, a failed upload is neither
# fatal nor visible in the output.
- name: upload SSH keys for users
  nova_keypair:
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "{{ item.username }}"
    login_password: "{{ item.password }}"
    login_tenant_name: "{{item.tenant}}"
    name: "{{ item.name }}"
    public_key: "{{ item.public_key }}"
  ignore_errors: yes
  no_log: True
  with_items:
    - username: anthomas
      name: anthomas
      tenant: cloudintern
      password: "{{anthomas_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas anthomas') }}"
    - username: ausil
      name: ausil
      tenant: infrastructure
      password: "{{ausil_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas ausil') }}"
    - username: codeblock
      name: codeblock
      tenant: infrastructure
      password: "{{codeblock_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas codeblock') }}"
    - username: buildsys
      name: buildsys
      tenant: copr
      password: "{{copr_password}}"
      public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeTO0ddXuhDZYM9HyM0a47aeV2yIVWhTpddrQ7/RAIs99XyrsicQLABzmdMBfiZnP0FnHBF/e+2xEkT8hHJpX6bX81jjvs2bb8KP18Nh8vaXI3QospWrRygpu1tjzqZT0Llh4ZVFscum8TrMw4VWXclzdDw6x7csCBjSttqq8F3iTJtQ9XM9/5tCAAOzGBKJrsGKV1CNIrfUo5CSzY+IUVIr8XJ93IB2ZQVASK34T/49egmrWlNB32fqAbDMC+XNmobgn6gO33Yq5Ly7Dk4kqTUx2TEaqDkZfhsVu0YcwV81bmqsltRvpj6bIXrEoMeav7nbuqKcPLTxWEY/2icePF"
    - username: gholms
      name: gholms
      tenant: cloudintern
      password: "{{gholms_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas gholms') }}"
    - username: jskladan
      name: jskladan
      tenant: qa
      password: "{{jskladan_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas jskladan') }}"
    - username: kevin
      name: kevin
      tenant: infrastructure
      password: "{{kevin_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas kevin') }}"
    - username: maxamillion
      name: maxamillion
      tenant: infrastructure
      password: "{{maxamillion_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas maxamillion') }}"
    - username: laxathom
      name: laxathom
      tenant: infrastructure
      password: "{{laxathom_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas laxathom') }}"
    - username: mattdm
      name: mattdm
      tenant: infrastructure
      password: "{{mattdm_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas mattdm') }}"
    - username: msuchy
      name: msuchy
      tenant: copr
      password: "{{msuchy_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas msuchy') }}"
    - username: nb
      name: nb
      tenant: infrastructure
      password: "{{nb_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas nb') }}"
    - username: pingou
      name: pingou
      tenant: infrastructure
      password: "{{pingou_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas pingou') }}"
    - username: puiterwijk
      name: puiterwijk
      tenant: infrastructure
      password: "{{puiterwijk_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas puiterwijk') }}"
    - username: red
      name: red
      tenant: infrastructure
      password: "{{red_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas red') }}"
    - username: roshi
      name: roshi
      tenant: qa
      password: "{{roshi_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas roshi') }}"
    - username: samkottler
      name: samkottler
      tenant: infrastructure
      password: "{{samkottler_password}}"
      # FAS account name differs from the OpenStack user name
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas skottler') }}"
    - username: tflink
      name: tflink
      tenant: qa
      password: "{{tflink_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas tflink') }}"
    - username: atomic
      name: atomic
      tenant: scratch
      password: "{{cockpit_password}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas walters') }}"
    # - { name: twisted, tenant: pythonbots, password: "{{twisted_password}}", public_key: "" }
    # the last two are uploaded as the admin user
    - username: admin
      name: fedora-admin-20130801
      tenant: admin
      password: "{{ADMIN_PASS}}"
      public_key: "{{ lookup('file', files + '/fedora-cloud/fedora-admin-20130801.pub') }}"
    - username: admin
      name: asamalik
      tenant: scratch
      password: "{{ADMIN_PASS}}"
      public_key: "{{ lookup('pipe', '/srv/web/infra/ansible/scripts/auth-keys-from-fas asamalik') }}"
# one keystone role per tenant, named like the tenant; created only when
# role-list does not show it yet
- name: Create roles for additional tenants
  shell: >-
    source /root/keystonerc_admin &&
    keystone role-list |grep ' {{item}} ' ||
    keystone role-create --name {{ item }}
  with_items: all_tenants
# grant users access to tenants beyond their primary one by giving them the
# tenant's role. The trailing "|| true" means a failed user-role-add never
# fails the play, so a missing grant only shows up when someone notices.
- name: Assign users to secondary tentants
  shell: >-
    source /root/keystonerc_admin &&
    keystone user-role-list --user "{{item.user}}" --tenant "{{item.tenant}}" | grep ' {{item.tenant }} ' ||
    keystone user-role-add --user {{item.user}} --role {{item.tenant}} --tenant {{item.tenant}} || true
  #keystone_user:
  # endpoint="https://{{controller_hostname}}:35357/v2.0"
  # login_user="admin" login_password="{{ ADMIN_PASS }}"
  # role=coprdev user={{ item }} tenant=coprdev
  with_items:
    # admin: every tenant
    - { tenant: cloudintern, user: admin }
    - { tenant: cloudsig, user: admin }
    - { tenant: copr, user: admin }
    - { tenant: coprdev, user: admin }
    - { tenant: persistent, user: admin }
    - { tenant: pythonbots, user: admin }
    - { tenant: qa, user: admin }
    - { tenant: infrastructure, user: admin }
    - { tenant: scratch, user: admin }
    - { tenant: transient, user: admin }
    - { tenant: coprdev, user: copr }
    # kevin: every tenant except the primary one (infrastructure)
    - { tenant: cloudintern, user: kevin }
    - { tenant: cloudsig, user: kevin }
    - { tenant: copr, user: kevin }
    - { tenant: coprdev, user: kevin }
    - { tenant: persistent, user: kevin }
    - { tenant: pythonbots, user: kevin }
    - { tenant: qa, user: kevin }
    - { tenant: scratch, user: kevin }
    - { tenant: transient, user: kevin }
    # msuchy: every tenant except the primary one (copr)
    - { tenant: cloudintern, user: msuchy }
    - { tenant: cloudsig, user: msuchy }
    - { tenant: coprdev, user: msuchy }
    - { tenant: infrastructure, user: msuchy }
    - { tenant: persistent, user: msuchy }
    - { tenant: pythonbots, user: msuchy }
    - { tenant: qa, user: msuchy }
    - { tenant: scratch, user: msuchy }
    - { tenant: transient, user: msuchy }
    # puiterwijk: every tenant except the primary one (infrastructure)
    - { tenant: cloudintern, user: puiterwijk }
    - { tenant: cloudsig, user: puiterwijk }
    - { tenant: copr, user: puiterwijk }
    - { tenant: coprdev, user: puiterwijk }
    - { tenant: persistent, user: puiterwijk }
    - { tenant: pythonbots, user: puiterwijk }
    - { tenant: qa, user: puiterwijk }
    - { tenant: scratch, user: puiterwijk }
    - { tenant: transient, user: puiterwijk }
    - { tenant: coprdev, user: vgologuz }
##### NETWORK ####
# http://docs.openstack.org/havana/install-guide/install/apt/content/install-neutron.configure-networks.html
#
# external network is a class C: 209.132.184.0/24
# 209.132.184.1 to .25 - reserved for hardware.
# 209.132.184.26 to .30 - reserver for test cloud external ips
# 209.132.184.31 to .69 - icehouse cloud
# 209.132.184.70 to .89 - reserved for arm03 SOCs
# 209.132.184.90 to .251 - folsom cloud
#
# the provider (flat) network that floating IPs are taken from
- name: Create en external network
  neutron_network:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: external
    router_external: "True"
    provider_network_type: flat
    provider_physical_network: floatnet
  # registered, but nothing visible in this section uses it
  register: EXTERNAL_ID
# the floating range itself (cidr, pool and gateway come from the play vars);
# no DHCP on the external network
- name: Create an external subnet
  neutron_subnet:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    name: external-subnet
    network_name: external
    cidr: "{{ public_interface_cidr }}"
    allocation_pool_start: "{{ public_floating_start }}"
    allocation_pool_end: "{{ public_floating_end }}"
    gateway_ip: "{{ public_gateway_ip }}"
    enable_dhcp: "false"
  register: EXTERNAL_SUBNET_ID
# only on the initial run; packstack_sucessfully_finished is registered
# earlier in the playbook, outside this section
- name: Allocate the first floating IP on the external network
  shell: source /root/keystonerc_admin && nova floating-ip-create external
  when: not packstack_sucessfully_finished.stat.exists
# 172.16.0.1/16 -- 172.22.0.1/16 - free (can be split to /20)
# 172.23.0.1/16 - free (but used by old cloud)
# 172.24.0.1/24 - RESERVED it is used internally for OS
# 172.24.1.0/24 -- 172.24.255.0/24 - likely free (?)
# 172.25.0.1/20 - Cloudintern (172.25.0.1 - 172.25.15.254)
# 172.25.16.1/20 - infrastructure (172.25.16.1 - 172.25.31.254)
# 172.25.32.1/20 - persistent (172.25.32.1 - 172.25.47.254)
# 172.25.48.1/20 - transient (172.25.48.1 - 172.25.63.254)
# 172.25.64.1/20 - scratch (172.25.64.1 - 172.25.79.254)
# 172.25.80.1/20 - copr (172.25.80.1 - 172.25.95.254)
# 172.25.96.1/20 - cloudsig (172.25.96.1 - 172.25.111.254)
# 172.25.112.1/20 - qa (172.25.112.1 - 172.25.127.254)
# 172.25.128.1/20 - pythonbots (172.25.128.1 - 172.25.143.254)
# 172.25.144.1/20 - coprdev (172.25.144.1 - 172.25.159.254)
# 172.25.160.1/20 -- 172.25.240.1/20 - free
# 172.26.0.1/16 -- 172.31.0.1/16 - free (can be split to /20)
#
# Per tenant: a router "ext-to-<tenant>" with its gateway on the external
# network, a private network "<tenant>-net", one /20 subnet on it, and the
# router's interface on that subnet.
- name: Create a router for all tenants
  neutron_router:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    tenant_name: "{{ item }}"
    name: "ext-to-{{ item }}"
  with_items: all_tenants
- name: "Connect router's gateway to the external network"
  neutron_router_gateway:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    router_name: "ext-to-{{ item }}"
    network_name: "external"
  with_items: all_tenants
# only the copr networks are shared (visible to other tenants)
- name: Create a private network for all tenants
  neutron_network:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    tenant_name: "{{ item.name }}"
    name: "{{ item.name }}-net"
    shared: "{{ item.shared }}"
  with_items:
    - { shared: false, name: cloudintern }
    - { shared: false, name: cloudsig }
    - { shared: true, name: copr }
    - { shared: true, name: coprdev }
    - { shared: false, name: infrastructure }
    - { shared: false, name: persistent }
    - { shared: false, name: pythonbots }
    - { shared: false, name: qa }
    - { shared: false, name: scratch }
    - { shared: false, name: transient }
# one /20 per tenant, matching the allocation table above
- name: Create a subnet for all tenants
  neutron_subnet:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    tenant_name: "{{ item.name }}"
    network_name: "{{ item.name }}-net"
    name: "{{ item.name }}-subnet"
    cidr: "{{ item.cidr }}"
    gateway_ip: "{{ item.gateway }}"
    dns_nameservers: "66.35.62.163,140.211.169.201"
  with_items:
    - { gateway: '172.25.0.1', cidr: '172.25.0.1/20', name: cloudintern }
    - { gateway: '172.25.96.1', cidr: '172.25.96.1/20', name: cloudsig }
    - { gateway: '172.25.80.1', cidr: '172.25.80.1/20', name: copr }
    - { gateway: '172.25.144.1', cidr: '172.25.144.1/20', name: coprdev }
    - { gateway: '172.25.16.1', cidr: '172.25.16.1/20', name: infrastructure }
    - { gateway: '172.25.32.1', cidr: '172.25.32.1/20', name: persistent }
    - { gateway: '172.25.128.1', cidr: '172.25.128.1/20', name: pythonbots }
    - { gateway: '172.25.112.1', cidr: '172.25.112.1/20', name: qa }
    - { gateway: '172.25.64.1', cidr: '172.25.64.1/20', name: scratch }
    - { gateway: '172.25.48.1', cidr: '172.25.48.1/20', name: transient }
- name: "Connect router's interface to the TENANT-subnet"
  neutron_router_interface:
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    tenant_name: "{{ item }}"
    router_name: "ext-to-{{ item }}"
    subnet_name: "{{ item }}-subnet"
  with_items: all_tenants
#################
# Security Groups
################
# Security groups are created per tenant (hence the -{{item}} suffix); an
# instance only gets a rule when the group is attached to it.
# ssh (tcp/22) from any IPv4 address
- name: "Create 'ssh-anywhere' security group"
  neutron_sec_group:
    name: "ssh-anywhere-{{item}}"
    description: "allow ssh from anywhere"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "22"
        port_range_max: "22"
        remote_ip_prefix: "0.0.0.0/0"
  with_items: all_tenants
# NRPE (tcp/5666) and ping from a single monitoring host, persistent tenant only
- name: "Allow nagios checks"
  neutron_sec_group:
    name: "allow-nagios-{{item}}"
    description: "allow nagios checks"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "5666"
        port_range_max: "5666"
        remote_ip_prefix: "209.132.181.35/32"
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "icmp"
        remote_ip_prefix: "209.132.181.35/32"
  with_items:
    - persistent
# ssh from the persistent tenant's subnet into the copr tenants
- name: "Create 'ssh-from-persistent' security group"
  neutron_sec_group:
    name: "ssh-from-persistent-{{item}}"
    description: "allow ssh from persistent"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "22"
        port_range_max: "22"
        remote_ip_prefix: "172.25.32.1/20"
  with_items:
    - copr
    - coprdev
# ssh from within the tenant's own private network
- name: "Create 'ssh-internal' security group"
  neutron_sec_group:
    name: "ssh-internal-{{item.name}}"
    description: "allow ssh from {{item.name}}-network"
    tenant_name: "{{ item.name }}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "22"
        port_range_max: "22"
        remote_ip_prefix: "{{ item.prefix }}"
  with_items:
    - { prefix: "172.25.0.1/20", name: cloudintern }
    - { prefix: "172.25.96.1/20", name: cloudsig }
    - { prefix: "172.25.80.1/20", name: copr }
    # coprdev uses the copr prefix rather than its own subnet (172.25.144.1/20
    # above); copr-net is shared, so this may be intentional — confirm
    - { prefix: "172.25.80.1/20", name: coprdev }
    - { prefix: "172.25.16.1/20", name: infrastructure }
    - { prefix: "172.25.32.1/20", name: persistent }
    - { prefix: "172.25.128.1/20", name: pythonbots }
    - { prefix: "172.25.112.1/20", name: qa }
    - { prefix: "172.25.64.1/20", name: scratch }
    - { prefix: "172.25.48.1/20", name: transient }
# http (tcp/80) from any IPv4 address
- name: "Create 'web-80-anywhere' security group"
  neutron_sec_group:
    name: "web-80-anywhere-{{item}}"
    description: "allow web-80 from anywhere"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "80"
        port_range_max: "80"
        remote_ip_prefix: "0.0.0.0/0"
  with_items: all_tenants
# https (tcp/443) from any IPv4 address
- name: "Create 'web-443-anywhere' security group"
  neutron_sec_group:
    name: "web-443-anywhere-{{item}}"
    description: "allow web-443 from anywhere"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "443"
        port_range_max: "443"
        remote_ip_prefix: "0.0.0.0/0"
  with_items: all_tenants
# every TCP port from any IPv4 address, offered in every tenant. Attaching this
# group exposes the whole instance; the narrower groups above should be
# preferred where they suffice.
- name: "Create 'wide-open' security group"
  neutron_sec_group:
    name: "wide-open-{{item}}"
    description: "allow anything from anywhere"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "0"
        port_range_max: "65535"
        remote_ip_prefix: "0.0.0.0/0"
  with_items: all_tenants
# all ICMP from any IPv4 address
- name: "Create 'ALL ICMP' security group"
  neutron_sec_group:
    name: "all-icmp-{{item}}"
    description: "allow all ICMP traffic"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "icmp"
        remote_ip_prefix: "0.0.0.0/0"
  with_items: all_tenants
# tcp/5167 and tcp/80 from the persistent tenant's subnet, created in every
# tenant. Unlike its siblings the name carries no -{{item}} suffix, so the
# same name is reused across tenants.
- name: "Create 'keygen-persistent' security group"
  neutron_sec_group:
    name: "keygen-persistent"
    description: "rules for copr-keygen"
    tenant_name: "{{item}}"
    state: "present"
    auth_url: "https://{{controller_hostname}}:35357/v2.0"
    login_username: "admin"
    login_password: "{{ ADMIN_PASS }}"
    login_tenant_name: "admin"
    rules:
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "5167"
        port_range_max: "5167"
        remote_ip_prefix: "172.25.32.1/20"
      - direction: "ingress"
        ethertype: "IPv4"
        protocol: "tcp"
        port_range_min: "80"
        port_range_max: "80"
        remote_ip_prefix: "172.25.32.1/20"
  with_items: all_tenants
# Update quota for Copr
# SEE:
# nova quota-defaults
# nova quota-show --tenant $TENANT_ID
# default is 10 instances, 20 cores, 51200 RAM, 10 floating IPs
# Each lookup greps the tenant name (with a trailing space, so "copr " does
# not match "coprdev") out of the tenant table; the id is column 2.
- name: Look up the copr tenant id
  shell: source /root/keystonerc_admin && keystone tenant-list | grep 'copr ' | awk '{print $2}'
  register: TENANT_ID
- name: Raise the copr quota
  shell: >-
    source /root/keystonerc_admin &&
    nova quota-update --instances 40 --cores 80 --ram 300000 --floating-ips 10 --security-groups 20
    {{ TENANT_ID.stdout }}
- name: Look up the coprdev tenant id
  shell: source /root/keystonerc_admin && keystone tenant-list | grep 'coprdev ' | awk '{print $2}'
  register: TENANT_ID
- name: Raise the coprdev quota
  shell: >-
    source /root/keystonerc_admin &&
    nova quota-update --instances 40 --cores 80 --ram 300000 --floating-ips 10 --security-groups 20
    {{ TENANT_ID.stdout }}
- name: Look up the persistent tenant id
  shell: source /root/keystonerc_admin && keystone tenant-list | grep 'persistent ' | awk '{print $2}'
  register: TENANT_ID
- name: Raise the persistent quota
  shell: >-
    source /root/keystonerc_admin &&
    nova quota-update --instances 20 --cores 40 --ram 102200 --security-groups 20
    {{ TENANT_ID.stdout }}