An Ansible role for keystone. Specifically, the responsibilities of this role are to:
- Install a keystone
- Configure a keystone
- Support SQLite or MySQL engine
- Add user, project and role to keystone
- Ansible 2.4
Variable | Default | Comments (type) |
---|---|---|
openio_keystone_bind_interface |
"{{ ansible_default_ipv4.alias }}" |
Name of the NIC to use |
openio_keystone_bind_address |
"{{ hostvars[inventory_hostname]['ansible_' + openio_keystone_bind_interface]['ipv4']['address'] }}" |
IP address to use |
openio_keystone_bindir |
/usr/bin |
OpenStack's bin folde |
openio_keystone_bootstrap_all_nodes |
false |
Bootstrap the first endpoint on all nodes |
openio_keystone_cloudname |
openio |
The cloud name in the /etc/openstack/clouds.yaml |
openio_keystone_config_cache_backend |
dogpile.cache.memcached |
Cache in memcached |
openio_keystone_config_cache_debug_cache_backend |
"" |
No debug cache |
openio_keystone_config_cache_enabled |
true |
Cache in memcached |
openio_keystone_config_cache_memcache_dead_retry |
"" |
|
openio_keystone_config_cache_memcache_servers |
`` | IP :PORT for memcahed |
openio_keystone_config_default_admin_token |
"" |
|
openio_keystone_config_default_debug |
false |
|
openio_keystone_config_default_log_dir |
"/var/log/keystone" |
Logs folder |
openio_keystone_config_dir |
/etc/keystone |
Keystone's config folder |
openio_keystone_credentials_tokens_key_repository |
/etc/keystone/credential-keys/ |
Credential folder |
openio_keystone_database_connection |
sqlite:///{{ openio_keystone_database_sqlite_directory }}/{{ openio_keystone_database_sqlite_file }} |
Connection string |
openio_keystone_database_mysql_connection_address |
`` | Database's IP |
openio_keystone_database_mysql_connection_database |
keystone |
DB name |
openio_keystone_database_mysql_connection_password |
`` | Password for keystone user |
openio_keystone_database_mysql_connection_user |
keystone |
DB user |
openio_keystone_database_sqlite_directory |
/var/lib/keystone |
SQLite folder |
openio_keystone_database_sqlite_file |
keystone.db |
SQLite file |
openio_keystone_fernet_tokens_key_repository |
/etc/keystone/fernet-keys/ |
Fernet keys folder |
openio_keystone_gridinit_dir |
"/etc/gridinit.d/{{ openio_keystone_namespace }}" |
Path to copy the gridinit conf |
openio_keystone_gridinit_file_prefix |
"" |
Maybe set it to {{ openio_keystone_namespace }}- for old gridinit's style |
openio_keystone_namespace |
"OPENIO" |
Namespace |
openio_keystone_no_log |
true |
For sensible output |
openio_keystone_nodes_group |
openio_keystone |
Groupname in your inventory |
openio_keystone_openstack_distribution |
pike |
Release of OpenStack |
openio_keystone_projects |
`` | dict of projects to declare |
openio_keystone_repo_managed |
false |
Manage repository |
openio_keystone_serviceid |
"0" |
ID in gridinit |
openio_keystone_services |
`` | dict of services to declare |
openio_keystone_services_to_bootstrap |
`` | dict of services to bootstrap |
openio_keystone_system_group_name |
keystone |
Process group |
openio_keystone_system_user_name |
keystone |
Process user |
openio_keystone_tmp_keys_dir |
/tmp |
temporary folder |
openio_keystone_token_provider |
fernet |
|
openio_keystone_users |
`` | dict of services to declare |
openio_keystone_uwsgi_bind |
`` | dict of uwsgi endpoint |
openio_keystone_wsgi_admin_program_name |
keystone-wsgi-admin |
|
openio_keystone_wsgi_processes |
ansible_processor_vcpus * 2 |
ansible_processor_vcpus * 2 limited to openio_keystone_wsgi_processes_max |
openio_keystone_wsgi_processes_max |
16 |
Max of openio_keystone_wsgi_processes |
openio_keystone_wsgi_program_names |
`` | WSGI endpoint to run |
openio_keystone_wsgi_public_program_name |
keystone-wsgi-public |
|
openio_keystone_wsgi_threads |
1 |
|
openio_keystone_provision_only |
false |
Provision only without restarting / bootstrapping |
After a bootstrap, it s possible to declare users, services, and projects into keystone
Like this:
- USERS
openio_keystone_users:
- name: demo
password: DEMO_PASS
- name: swift
password: SWIFT_PASS
- SERVICES
openio_keystone_services:
- name: openio-swift
type: object-store
description: OpenIO SDS swift proxy
endpoint:
- interface: admin
url: "http://foo.com:6007"
- interface: internal
url: "http://foo.com:6007/v1/AUTH_%(tenant_id)s"
- interface: public
url: "http://foo.com:6007/v1/AUTH_%(tenant_id)s"
- PROJECTS
openio_keystone_projects:
- name: service
domain_id: default
roles:
- user: swift
role: admin
- name: demo
description: OpenIO demo project
domain_id: default
roles:
- user: demo
role: _member_
- user: demo
role: admin
- Epel for RedHat familly
- This role don't install a MariaDB server (in case of mysql engine). You have to install it
- hosts: my_keystones
gather_facts: true
become: true
roles:
- role: repository
- role: users
- role: gridinit
- role: memcached
openio_memcached_namespace: "{{ namespace }}"
openio_memcached_serviceid: "0"
openio_memcached_bind_address: "{{ ansible_default_ipv4.address }}"
#mysql
- role: mariadb
mariadb_bind_address: "{{ ansible_default_ipv4.address }}"
mariadb_root_password: "{{ keystone_mysql_rootuser_password }}"
mariadb_databases:
- name: keystone
mariadb_users:
- name: keystone
password: "{{ keystone_mysql_keystoneuser_password }}"
priv: 'keystone.*:ALL'
host: '%'
- name: keystone
password: "{{ keystone_mysql_keystoneuser_password }}"
priv: '*.*:SUPER'
append_privs: "yes"
host: '%'
- role: keystone
openio_keystone_bind_interface: "{{ ansible_default_ipv4.alias }}"
openio_keystone_namespace: "{{ namespace }}"
openio_keystone_nodes_group: "my_keystones"
openio_keystone_config_cache_memcache_servers: "127.0.01:6019"
openio_keystone_database_engine: mysql
#openio_keystone_database_mysql_connection_user: keystone
openio_keystone_database_mysql_connection_password: "{{ keystone_mysql_keystoneuser_password }}"
openio_keystone_database_mysql_connection_address: "{{ groups['db'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | first }}"
#openio_keystone_database_mysql_connection_database: keystone
openio_keystone_bind_interface: "{{ ansible_default_ipv4.alias }}"
#openio_keystone_config_cache_memcache_servers: "127.0.01:6019"
openio_keystone_services_to_bootstrap:
- name: keystone
user: admin
password: "{{ keystone_mysql_keystoneuser_password }}"
project: admin
role: admin
regionid: "us-east-1"
# eventually a VIP
adminurl: "http://{{ VIP.address }}:35357"
publicurl: "http://{{ VIP.address }}:5000"
internalurl: "http://{{ VIP.address }}:5000"
openio_keystone_services:
- name: openio-swift
type: object-store
description: OpenIO SDS swift proxy
endpoint:
# eventually a VIP
- interface: admin
url: "http://{{ VIP.address }}:6007/v1/AUTH_%(tenant_id)s"
- interface: internal
url: "http://{{ VIP.address }}:6007/v1/AUTH_%(tenant_id)s"
- interface: public
url: "http://{{ VIP.address }}:6007/v1/AUTH_%(tenant_id)s"
#shorter way with defaults and a local database
#- role: keystone
# openio_keystone_namespace: "{{ namespace }}"
# openio_keystone_bind_interface: eth0
# openio_keystone_database_engine: mysql
# openio_keystone_database_mysql_connection_user: keystone
# openio_keystone_database_mysql_connection_password: keystonepass
[my_keystones]
node1 ansible_host=192.168.1.173
If you encounter problems with the synchronize
tasks for the fernet tokens,
like the following example:
fatal: [mars2]: UNREACHABLE! => {"changed": false, "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /root/.ansible/tmp/ansible-tmp-1527081553.09-268394055831894 `\" && echo ansible-tmp-1527081553.09-268394055831894=\"` echo /root/.ansible/tmp/ansible-tmp-1527081553.09-268394055831894 `\" ), exited with result 1", "unreachable": true}
You can try to add the following line to your ansible.cfg
: remote_tmp=/tmp
For reference, see this bug report.
Issues, feature requests, ideas are appreciated and can be posted in the Issues section.
Pull requests are also very welcome. The best way to submit a PR is by first creating a fork of this Github project, then creating a topic branch for the suggested change and pushing that branch to your own fork. Github can then easily create a PR based on that branch.
GNU AFFERO GENERAL PUBLIC LICENSE, Version 3
- Cedric DELGEHIER (maintainer)
- Romain ACCIARI (maintainer)
- Pierre Mavro