From 10d3ee9026dba0fbb3a42597d2ea6be6563f7259 Mon Sep 17 00:00:00 2001 From: Andy McCrae Date: Tue, 13 Sep 2016 12:12:57 +0100 Subject: [PATCH] Add check for swift_hash_path_ variables We should never change the swift_hash_path_prefix/suffix variables on a running cluster. This PR implements a check that will fail if the variable is different to what is already on disk. To ensure this is still possible this PR implements a "swift_force_change_hashes" variable which can be set to "True" in order to force change the swift_hash_path variables regardless of whether they are different or not. Change-Id: Idaedc125aede22c347668afd9e98ed1823eb142c --- defaults/main.yml | 4 ++ ...ft-force-hash-change-45b09eeb8b0368a6.yaml | 14 +++++ tasks/main.yml | 7 +++ tasks/swift_check_hashes.yml | 55 +++++++++++++++++++ 4 files changed, 80 insertions(+) create mode 100644 releasenotes/notes/swift-force-hash-change-45b09eeb8b0368a6.yaml create mode 100644 tasks/swift_check_hashes.yml diff --git a/defaults/main.yml b/defaults/main.yml index 600e0573..47ddf237 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -154,6 +154,10 @@ swift_account_disable_fallocate: "{{ swift_disable_fallocate }}" swift_container_disable_fallocate: "{{ swift_disable_fallocate }}" swift_object_disable_fallocate: "{{ swift_disable_fallocate }}" +# This variable will protect against changing swift_hash_path_* variables unintentionally. +# If you wish to change them intentionally set the swift_force_change_hashes variable to True. +swift_force_change_hashes: False + ## Swift ceilometer variables swift_reselleradmin_role: ResellerAdmin diff --git a/releasenotes/notes/swift-force-hash-change-45b09eeb8b0368a6.yaml b/releasenotes/notes/swift-force-hash-change-45b09eeb8b0368a6.yaml new file mode 100644 index 00000000..dd109cdf --- /dev/null +++ b/releasenotes/notes/swift-force-hash-change-45b09eeb8b0368a6.yaml @@ -0,0 +1,14 @@ +--- +features: + - The ``openstack-ansible-os_swift`` role will now prevent + deployers from changing the ``swift_hash_path_prefix`` and + ``swift_hash_path_suffix`` variables on clusters that already + have a value set in ``/etc/swift/swift.conf``. + You can set the new ``swift_force_change_hashes`` variable to + ``True`` to force the ``swift_hash_path_`` variables to be + changed. + We recommend setting this by running the os-swift.yml playbook + with ``-e swift_force_change_hashes=True``, to avoid changing + the ``swift_hash_path_`` variables unintentionally. + Use with caution, changing the ``swift_hash_path_`` values + causes end-user impact. diff --git a/tasks/main.yml b/tasks/main.yml index ad2ed2b1..3273674c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -37,6 +37,13 @@ tags: - always +# Check the swift_hash_path_* variables haven't changed +- include: swift_check_hashes.yml + when: + - not swift_force_change_hashes | bool + tags: + - swift-config + - include: swift_pre_install.yml when: - swift_do_setup | bool diff --git a/tasks/swift_check_hashes.yml b/tasks/swift_check_hashes.yml new file mode 100644 index 00000000..37a7afc2 --- /dev/null +++ b/tasks/swift_check_hashes.yml @@ -0,0 +1,55 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Test if swift.conf exists + stat: + path: "/etc/swift/swift.conf" + register: swift_conf + +- name: Get value of swift_hash_path_suffix from file + command: "awk '/swift_hash_path_suffix/{ print $3 }' /etc/swift/swift.conf" + register: swift_conf_hash_path_suffix + when: + - swift_conf.stat.exists | bool + +- name: Fail if swift_hash_path_suffix doesnt match file value + fail: + msg: > + "The swift_hash_path_suffix variable does not match what is in the file. + Check your swift_hash_path_suffix setting in your user_*.yml files in /etc/openstack_deploy + and compare to the current value in /etc/swift/swift.conf on the host. + If you are sure you want to change this variable you can force change your + swift_hash_path_* variables by setting 'swift_force_change_hashes: True'" + when: + - swift_conf.stat.exists | bool + - swift_hash_path_suffix != swift_conf_hash_path_suffix.stdout + +- name: Get value of swift_hash_path_prefix from file + command: "awk '/swift_hash_path_prefix/{ print $3 }' /etc/swift/swift.conf" + register: swift_conf_hash_path_prefix + when: + - swift_conf.stat.exists | bool + +- name: Fail if swift_hash_path_prefix doesnt match file value + fail: + msg: > + "The swift_hash_path_prefix variable does not match what is in the file. + Check your swift_hash_path_prefix setting in your user_*.yml files in /etc/openstack_deploy + and compare to the current value in /etc/swift/swift.conf on the host. + If you are sure you want to change this variable you can force change your + swift_hash_path_* variables by setting 'swift_force_change_hashes: True'" + when: + - swift_conf.stat.exists | bool + - swift_hash_path_prefix != swift_conf_hash_path_prefix.stdout