
Rearranged the playbook to use Ansible roles:

http://docs.ansible.com/ansible/playbooks_roles.html

also made keystone run
feature/cinder-volume-encryption
erijpkema 5 years ago
parent
commit
90b25a6d6c
  1. 9
      README.md
  2. 2
      ansible.cfg
  3. 20
      docker-keystone/Dockerfile
  4. 6
      hosts
  5. 13
      main.yml
  6. 20
      mariadb.yml
  7. 88
      roles/common/files/sshd_config
  8. 7
      roles/common/tasks/docker.yml
  9. 28
      roles/common/tasks/main.yml
  10. 21
      roles/common/tasks/users.yml
  11. 38
      roles/keystone/files/Dockerfile
  12. 14
      roles/keystone/files/keystone.service
  13. 35
      roles/keystone/tasks/main.yml
  14. 0
      roles/mariadb/files/mysql.service
  15. 16
      roles/mariadb/tasks/main.yml

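--- a/README.md
+++ b/README.md
@@ -0,0 +1,9 @@
+#hpc-cloud
+This repository will contain playbooks to bring up openstack components inside docker containers.
+It makes use of [/home/egon/projects/hpc-cloud/roles/common/tasks/users.yml](ansible roles).
+The roles can be set in the inventory file (hosts)
+Cirrently,Tue 25 Apr 2017 02:45:20 PM CEST, only mariadb and keystone are implemented. They can be brought up with
+$ ansible-playbook main.yml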

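--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+hostfile = hosts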
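Review bot: `hostfile = hosts` uses the legacy name of the inventory setting; Ansible has treated `hostfile` as a deprecated alias of `inventory` for some time and newer releases drop it, at which point this file silently falls back to the default `/etc/ansible/hosts` instead of the `hosts` file committed here. Write `inventory = hosts` instead, which is accepted by every release this playbook could plausibly target.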

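--- a/docker-keystone/Dockerfile
+++ b/docker-keystone/Dockerfile
@@ -1,20 +0,0 @@
-FROM python:2.7
-RUN git clone https://git.openstack.org/openstack/keystone.git
-WORKDIR /keystone
-RUN pip install MySQL-python==1.2.5 \
-uWSGI==2.0.15 \
-requests==2.12
-CMD tail -f /dev/null
-RUN pip install .
-RUN mkdir /etc/keystone
-RUN cp -R etc/* /etc/keystone/
-RUN sed "s|database]|database]\nconnection = mysql://keystone:keystone@mariadb/keystone|g" /etc/keystone/keystone.conf.sample > /etc/keystone/keystone.conf
-RUN sed -i 's/#admin_token = ADMIN/admin_token = SuperSecreteKeystoneToken/g' /etc/keystone/keystone.conf
-RUN mkdir /etc/keystone/fernet-keys
-RUN keystone-manage db_sync
-RUN keystone-manage fernet_setup --keystone-user root --keystone-group root
-CMD uwsgi --http 127.0.0.1:35357 --wsgi-file /usr/local/bin/keystone-wsgi-admin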

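--- a/hosts
+++ b/hosts
@@ -0,0 +1,6 @@
+[databases]
+ansible-test
+[keystone]
+ansible-test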

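--- a/main.yml
+++ b/main.yml
@@ -0,0 +1,13 @@
+---
+# Run all plays as root.
+- hosts: databases
+become: True
+roles:
+- common
+- mariadb
+- hosts: keystone
+become: True
+roles:
+- common
+- keystone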
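Review bot: `become: True` on both plays should be the canonical lowercase boolean `become: true`; Ansible accepts the capitalised form, but yamllint's truthy rule and the YAML 1.2 core schema only recognise `true`/`false`, and this commit's task files already mix `yes` (`update_cache: yes`) with `True`. Because the `hosts` inventory lists `ansible-test` under both groups, the `common` role is applied twice to that host — harmless, but worth a comment such as `# common is applied once per play; it is idempotent`.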

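--- a/mariadb.yml
+++ b/mariadb.yml
@@ -1,20 +0,0 @@
-# Install a docker based mariadb.
----
-- name: Install a mariadb server with databases in a persistent volume
-hosts: all # Should be specified of course
-become: True
-tasks:
-- include: tasks/docker.yml
-- name: install service file.
-template:
-src: files/mysql.service
-dest: /etc/systemd/system/mysql.service
-mode: 644
-owner: root
-group: root
-- name: install service file
-command: systemctl daemon-reload
-- name: make sure service is started
-systemd:
-name: mysql.service
-state: started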

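--- a/roles/common/files/sshd_config
+++ b/roles/common/files/sshd_config
@@ -0,0 +1,88 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes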
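Review bot: `PasswordAuthentication` is left commented out (sshd defaults it to yes) while `UsePAM yes` is set, so password logins remain enabled for the `egon` and `wim` accounts that the common role also puts in the `NOPASSWD:ALL` admin group; both users receive authorized keys in `users.yml`, so set `PasswordAuthentication no` explicitly and the hosts become key-only. `PermitRootLogin prohibit-password` is the right choice given that Ansible escalates with `become` from a key-holding user. The protocol-1 leftovers (`KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`) and the DSA `HostKey` line are ignored or merely warned about on recent OpenSSH releases and can be dropped, as can `X11Forwarding yes` on a headless container host. The inline comment about PAM bypassing "PermitRootLogin without-password" is the stock Debian text and is worth keeping, since it is exactly why `PasswordAuthentication` must be disabled explicitly here.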

7
tasks/docker.yml → roles/common/tasks/docker.yml

@ -8,5 +8,8 @@ @@ -8,5 +8,8 @@
repo: deb https://apt.dockerproject.org/repo ubuntu-xenial main
update_cache: yes
- apt:
name: docker-engine
- name: install docker
apt: pkg={{ item }} state=latest
with_items:
- docker-engine
- python-docker
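Review bot: `apt: pkg={{ item }} state=latest` upgrades `docker-engine` on every play, and an engine upgrade restarts dockerd and with it the mariadb and keystone containers the other roles run as systemd units; pin a version with `state=present` (for example `name: "docker-engine=17.03.*"`) so a routine run cannot take the services down. The `deb https://apt.dockerproject.org/repo ubuntu-xenial main` context line points at the legacy Docker repository, which has since been retired in favour of download.docker.com, so a comment marking it as needing migration would help. The new task also uses the `key=value` argument string while the rest of the roles use YAML mappings; `apt:` with `name:`/`state:` sub-keys would match them. The apt key and repository tasks that open this file lie before the hunk.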

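--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,28 @@
+- group:
+name: admin
+state: present
+- name: Passwordless sudo for admins
+lineinfile: dest=/etc/sudoers line="%admin ALL=(ALL:ALL) NOPASSWD:ALL"
+- include: users.yml
+- name: common | install packages
+apt: pkg={{ item }} state=latest update_cache=yes
+with_items:
+- curl
+- htop
+- molly-guard
+- sudo
+- tree
+- vim
+- python-simplejson
+- name: sshd_config
+file:
+src: files/sshd_config
+dest: /etc/ssh/sshd_config
+mode: 0644
+owner: root
+group: root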
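Review bot: The `sshd_config` task uses the `file` module with `src:`/`dest:`, but `file` only honours `src` for `state: link`/`hard`; as written it just sets owner and mode on whatever `/etc/ssh/sshd_config` already exists on the host and never installs the role's file, so none of the settings in `roles/common/files/sshd_config` reach the target. It should be `copy:` (as the keystone role already does for its Dockerfile), with `validate: '/usr/sbin/sshd -t -f %s'` and a `notify` to a handler that restarts sshd, otherwise a broken or unapplied config can lock you out of a host you only reach over SSH. The `lineinfile` edit of `/etc/sudoers` likewise needs `validate: '/usr/sbin/visudo -cf %s'` — a malformed line there disables sudo for everyone, which matters on hosts where Ansible relies on `become`. The `NOPASSWD:ALL` grant to the whole `admin` group deserves a comment stating that it is deliberate, e.g. `# admin members are root-equivalent; see users.yml for who that is`.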

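--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -0,0 +1,21 @@
+---
+# Tasks to set users
+- user:
+group: admin
+name: "{{ item }}"
+with_items:
+- egon
+- wim
+- name: wim key
+authorized_key:
+user: wim
+key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPcJbucOFOFrPZwM1DKOvscYpDGYXKsgeh3/6skmZn/IhLWYHY6oanm4ifmY3kU0oNXpKgHR43x3JdkIRKmrEpYULspwdlj/ZKPYxFWhVaSTjJvmSJEgy7ET1xk+eVoKV1xRWm/BugWpbseFAOcI9ZwfH++S8JhfX6GgCIy06RUpM8EcFAWb/GO699ZnQ67qMxNdSWYHtK1zu+9svWgEzPk4zc2TihJsc7DxcfQCNfQ4vKH1Im3+QfG5bRtdyVl9yjbE+o4EWhPEWsTBgBosJfbqfywsuzibhTgyybR0Zzm4JN6Wh5wVazvNutAB291dIJt22XEx5tCyOAjLPybLy3 wim@wim-HP-Compaq-Elite-8300-MT'
+state: present
+- name: egon_key
+authorized_key:
+user: egon
+key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUBdTEHUj6MxvfEU7KcI+UPAvqJ9jGJ7hHm3e7XFTb9 egon@egon-pc'
+state: present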
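Review bot: The `user` task has no `name:`, and it and the two `authorized_key` tasks hard-wire personal accounts and key literals into a role called `common`; move them to a role variable (for example `admin_users`, a list of `{name, key}` items) and loop over it so the role can be reused and a key rotated without editing task code. Since these accounts are placed in the `admin` group that `main.yml` grants `NOPASSWD:ALL`, this key list is effectively the root-access list for every host, which the header comment should say: `# Members of admin get passwordless sudo; keep this list minimal.` Public keys are not secrets, so committing them is fine, but without `exclusive: yes` a key removed from this file stays authorised on already-provisioned hosts.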

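--- a/roles/keystone/files/Dockerfile
+++ b/roles/keystone/files/Dockerfile
@@ -0,0 +1,38 @@
+# Build keystone. It needs to be run with
+# --add-host=mariadb:<ip mariadb listens tp>
+# Wen starting with an initialized db,
+# run keystone-manage db_sync from this docker first:
+# $ docker run hpc/keystone --add-host=mariadb:<ip mariadb> "keystone-manage db_sync"
+FROM python:2.7
+# Clone the offical keystone repo and checkout ocata.
+RUN git clone https://git.openstack.org/openstack/keystone.git -b stable/ocata
+# all furter commands are done from /keystone directory.
+WORKDIR /keystone
+# Install python dependencies
+RUN pip install MySQL-python==1.2.5 \
+uWSGI==2.0.15 \
+requests==2.12
+# Install keystone.
+RUN pip install .
+#Install keystone settings files
+RUN mkdir /etc/keystone
+RUN cp -R etc/* /etc/keystone/
+# configure keystone to connect to mariadb host.
+RUN sed "s|database]|database]\nconnection = mysql://keystone:keystone@mariadb/keystone|g" /etc/keystone/keystone.conf.sample > /etc/keystone/keystone.conf
+# set admin token TODO: make this a secret
+RUN sed -i 's/#admin_token = ADMIN/admin_token = SuperSecreteKeystoneToken/g' /etc/keystone/keystone.conf
+RUN mkdir /etc/keystone/fernet-keys
+#RUN keystone-manage db_sync
+CMD keystone-manage fernet_setup --keystone-user root --keystone-group root && \
+uwsgi --http 127.0.0.1:35357 --wsgi-file /usr/local/bin/keystone-wsgi-admin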
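Review bot: Both `sed` lines bake credentials into image layers — the DSN `mysql://keystone:keystone@mariadb/keystone` and `admin_token = SuperSecreteKeystoneToken` — so anyone who can pull or `docker history` the `hpc/keystone` image, or read `/srv/keystone` on the build host, holds the Keystone bootstrap token and the DB password; the `TODO: make this a secret` only covers the token. Generate `keystone.conf` at container start from environment variables (or bind-mount it from the host) rather than at build time, and since Ocata ships `keystone-manage bootstrap`, `admin_token` can be left unset altogether. The `CMD` also runs `keystone-manage fernet_setup` into the image's empty `/etc/keystone/fernet-keys` every time a container is created, and the unit file removes and recreates the container on each start, so every restart mints a new key set and invalidates all issued tokens; make the key directory a volume that is initialised once, and note that `--keystone-user root --keystone-group root` means the service runs as root inside the container. Pinning `git clone` to a commit or tag rather than the moving `stable/ocata` branch would make the build reproducible. `uwsgi --http 127.0.0.1:35357` binds loopback inside the container and is reachable only from the same network namespace; presumably intentional for now, but worth a comment.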

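--- a/roles/keystone/files/keystone.service
+++ b/roles/keystone/files/keystone.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Openstack Keystone Container
+After=docker.service
+Requires=docker.service
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --name %n --add-host="mariadb:172.29.236.13" hpc/keystone
+[Install]
+WantedBy=multi-user.target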
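Review bot: `--add-host="mariadb:172.29.236.13"` hard-codes the database address in a unit that the keystone role installs with `template` yet contains no Jinja expression; replace it with a role variable, e.g. `--add-host="mariadb:{{ mariadb_host }}"`, so the address lives in inventory rather than in a unit file. The container is started without `-p`/`--publish`, which is consistent with uwsgi binding `127.0.0.1` inside the image, but it means port 35357 is unreachable from the host or other containers until both are changed together. A comment such as `# mariadb_host must resolve to the host running mysql.service` would make that coupling explicit.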

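--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@@ -0,0 +1,35 @@
+# Build and install a docker image for keystone.
+---
+- include: ../common/tasks/docker.yml
+- name: Make docker build dir
+file:
+path: /srv/keystone
+state: directory
+mode: 0755
+- name: install Dockerfile
+copy:
+src: files/Dockerfile
+dest: /srv/keystone
+- name: build keystone image
+docker_image:
+path: /srv/keystone
+name: hpc/keystone
+- name: install service file.
+template:
+src: files/keystone.service
+dest: /etc/systemd/system/keystone.service
+mode: 644
+owner: root
+group: root
+- name: install service file
+command: systemctl daemon-reload
+- name: make sure service is started
+systemd:
+name: keystone.service
+state: started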
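Review bot: `mode: 644` on the service-file task is parsed by YAML as the decimal integer 644, which Ansible applies as octal 01204 (sticky bit, owner write-only, no group access) rather than 0644; write it as `mode: "0644"` — the build-dir task above already uses the leading-zero form. `command: systemctl daemon-reload` is not idempotent and reports changed on every play; use `systemd: daemon_reload: yes` or a handler notified by the template task. `docker_image` with `path:` only builds when the image is absent, so later edits to the Dockerfile are silently ignored unless `force: yes` is added, and `include: ../common/tasks/docker.yml` reaches across roles even though `main.yml` already applies `common` before `keystone`; a `dependencies` entry in `meta/main.yml` expresses that without the relative path.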

0
files/mysql.service → roles/mariadb/files/mysql.service

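--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -0,0 +1,16 @@
+# Install a docker based mariadb.
+---
+- include: ../common/tasks/docker.yml
+- name: install service file.
+template:
+src: files/mysql.service
+dest: /etc/systemd/system/mysql.service
+mode: 644
+owner: root
+group: root
+- name: install service file
+command: systemctl daemon-reload
+- name: make sure service is started
+systemd:
+name: mysql.service
+state: started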
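Review bot: Same `mode: 644` pitfall as in the keystone role — the unquoted value is the decimal integer 644 and `/etc/systemd/system/mysql.service` ends up with mode 01204 instead of 0644; quote it as `mode: "0644"`. `command: systemctl daemon-reload` should become `systemd: daemon_reload: yes` or a handler so the play stays idempotent. `mysql.service` itself is only moved in this commit with no content diff, so the database credentials and volume layout it configures cannot be reviewed here; a comment pointing at where the `keystone` DB user expected by the keystone image is created would help the next reader.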