diff --git a/ansible/roles/magnum/tasks/register.yml b/ansible/roles/magnum/tasks/register.yml
index bf4e847868..042f0b9771 100644
--- a/ansible/roles/magnum/tasks/register.yml
+++ b/ansible/roles/magnum/tasks/register.yml
@@ -38,3 +38,55 @@
 retries: 10
 delay: 5
 run_once: True
+
+- name: Creating Magnum trustee domain
+ command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+ -m os_keystone_domain
+ -a "name=magnum
+ description='Owns users and projects created by magnum'
+ auth={{ '{{ openstack_magnum_auth }}' }}"
+ -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+ register: trustee_domain
+ changed_when: "{{ trustee_domain.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+ until: trustee_domain.stdout.split()[2] == 'SUCCESS'
+ retries: 10
+ delay: 5
+ run_once: True
+
+- name: Setting Magnum trustee domain value
+ set_fact:
+ magnum_trustee_domain_id: "{{ (trustee_domain.stdout.split('localhost | SUCCESS => ')[1]|from_json).id }}"
+
+- name: Creating Magnum trustee user
+ command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+ -m os_user
+ -a "name=magnum_trustee_domain_admin
+ domain=magnum
+ password={{ magnum_keystone_password }}
+ auth={{ '{{ openstack_magnum_auth }}' }}"
+ -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+ register: trustee_user
+ changed_when: "{{ trustee_user.stdout.find('localhost | SUCCESS => ') != -1 and (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+ until: trustee_user.stdout.split()[2] == 'SUCCESS'
+ retries: 10
+ delay: 5
+ run_once: True
+
+- name: Setting Magnum trustee user value
+ set_fact:
+ magnum_trustee_domain_admin_id: "{{ (trustee_user.stdout.split('localhost | SUCCESS => ')[1]|from_json).user.id }}"
+
+- name: Creating Magnum trustee user role
+ command: docker exec -t kolla_toolbox /usr/bin/ansible localhost
+ -m os_user_role
+ -a "domain={{ magnum_trustee_domain_id }}
+ user={{ magnum_trustee_domain_admin_id }}
+ role=admin
+ auth={{ '{{ openstack_magnum_auth }}' }}"
+ -e "{'openstack_magnum_auth':{{ openstack_magnum_auth }}}"
+ register: magnum_user_role_result
+ changed_when: "{{ magnum_user_role_result.stdout.find('localhost | SUCCESS => ') != -1 and (magnum_user_role_result.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed }}"
+ until: magnum_user_role_result.stdout.split()[2] == 'SUCCESS'
+ retries: 10
+ delay: 5
+ run_once: True
diff --git a/ansible/roles/magnum/tasks/start.yml b/ansible/roles/magnum/tasks/start.yml
index d283aee1d8..b43839484d 100644
--- a/ansible/roles/magnum/tasks/start.yml
+++ b/ansible/roles/magnum/tasks/start.yml
@@ -20,5 +20,6 @@
 volumes:
 - "{{ node_config_directory }}/magnum-conductor/:{{ container_config_directory }}/:ro"
 - "/etc/localtime:/etc/localtime:ro"
+ - "magnum:/var/lib/magnum/"
 - "kolla_logs:/var/log/kolla/"
 when: inventory_hostname in groups['magnum-conductor']
diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
index e7cf2ed9a0..86049e2b3c 100644
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -1,6 +1,6 @@ [DEFAULT] debug = {{ magnum_logging_debug }} - +state_path = /var/lib/magnum log_dir = /var/log/kolla/magnum transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
@@ -11,6 +11,9 @@ port = {{ magnum_api_port }} host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} {% endif %} +[oslo_policy] +policy_file = /etc/magnum/policy.json + [database] connection = mysql+pymysql://{{ magnum_database_user }}:{{ magnum_database_password }}@{{ magnum_database_address}}/{{ magnum_database_name }} max_retries = -1
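Review bot: The `Creating Magnum trustee user` task in the `register.yml` hunk puts `password={{ magnum_keystone_password }}` into the `docker exec` argument string, so the secret is visible in the process list of the host running the task for as long as the command runs, and it appears in Ansible's task output. Adding `no_log: True` to that task keeps the value out of Ansible's output and logs. Quoting the value the way `description='...'` is quoted in the first task (`password='{{ magnum_keystone_password }}'`) would stop a password containing a space from breaking the `key=value` parsing. The same variable is also written as `trustee_domain_admin_password` in the `[trust]` hunk of `magnum.conf.j2`, so the trustee domain admin and the Magnum service user share one secret; a dedicated password variable would let the two be rotated independently.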
@@ -18,18 +21,24 @@ max_retries = -1 [heat_client] region_name = {{ openstack_region_name }} -[keystone_authtoken] -auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} -auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} -auth_type = password -project_domain_id = default -user_domain_id = default -project_name = service -username = {{ magnum_keystone_user }} -password = {{ magnum_keystone_password }} +[cinder_client] +region_name = {{ openstack_region_name }} -[trustee] -auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} +[barbican_client] +region_name = {{ openstack_region_name }} + +[keystone_auth] +auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3 +user_domain_id = default +project_domain_id = default +project_name = service +password = {{ magnum_keystone_password }} +username = {{ magnum_keystone_user }} +auth_type = password + +[keystone_authtoken] +auth_version = v3 +auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}/v3 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} auth_type = password project_domain_id = default
@@ -42,6 +51,17 @@ memcache_security_strategy = ENCRYPT memcache_secret_key = {{ memcache_secret_key }} memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} +[trust] +trustee_domain_admin_password = {{ magnum_keystone_password }} +trustee_domain_admin_id = {{ magnum_trustee_domain_admin_id }} +trustee_domain_id = {{ magnum_trustee_domain_id}} [oslo_concurrency] lock_path = /var/lib/magnum/tmp + +[certificates] +{% if enable_barbican | bool %} +cert_manager_type = barbican +{% else %} +cert_manager_type = x509keypair +{% endif %}
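Review bot: The new `[trust]` section reads `magnum_trustee_domain_admin_id` and `magnum_trustee_domain_id`, which exist only as facts set by the `set_fact` tasks added to `tasks/register.yml`, so rendering this template in a run where those tasks are skipped would fail on an undefined variable; which plays render the file is not visible in this diff. A Jinja comment above the section, for example `{# trustee ids are facts set in tasks/register.yml; that file must run before this template is rendered #}`, would document the ordering requirement. In the `[certificates]` block, the non-Barbican branch selects `x509keypair`, which as I understand Magnum keeps cluster certificates and keys in its own database, so a short comment saying that the database then holds key material would help operators decide how to protect and back it up.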
diff --git a/docker/kolla-toolbox/Dockerfile.j2 b/docker/kolla-toolbox/Dockerfile.j2
index b05d1a5123..78b0a6cbde 100644
--- a/docker/kolla-toolbox/Dockerfile.j2
+++ b/docker/kolla-toolbox/Dockerfile.j2
@@ -57,7 +57,7 @@ RUN curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py \ MySQL-python \ os-client-config==1.16.0 \ pyudev \ - shade==1.4.0 + shade==1.5.0 RUN useradd -m --user-group ansible --groups kolla \ && mkdir -p /etc/ansible /usr/share/ansible \
diff --git a/docker/magnum/magnum-base/Dockerfile.j2 b/docker/magnum/magnum-base/Dockerfile.j2
index f9b7abc33c..32b597289d 100644
--- a/docker/magnum/magnum-base/Dockerfile.j2
+++ b/docker/magnum/magnum-base/Dockerfile.j2
@@ -21,9 +21,9 @@ ADD magnum-base-archive /magnum-base-source RUN ln -s magnum-base-source/* magnum \ && useradd --user-group magnum \ && /var/lib/kolla/venv/bin/pip --no-cache-dir install --upgrade -c requirements/upper-constraints.txt /magnum \ - && mkdir -p /etc/magnum /home/magnum \ + && mkdir -p /etc/magnum /home/magnum /var/lib/magnum \ && cp -r /magnum/etc/magnum/* /etc/magnum \ - && chown -R magnum: /etc/magnum /home/magnum + && chown -R magnum: /etc/magnum /home/magnum /var/lib/magnum {% endif %}