Implement keystone venv support

This commit conditionally allows the os_keystone role to install build and deploy within a venv. This is the new default behavior of the role however the functionality can be disabled. Change-Id: Ie9e51926c96125a543e05eaa1912684fb01fecda Implements: blueprint enable-venv-support-within-the-roles Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
openstack · Oct 14, 2015 · 423d0cf · 423d0cf
1 parent c411af7
commit 423d0cf
Show file tree

Hide file tree

Showing 11 changed files with 126 additions and 20 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,12 +13,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Defines that the role will be deployed on a host machine
-is_metal: true
-
 ## Verbosity Options
 debug: False
 verbose: True
+
+# Name of the virtual env to deploy into
+keystone_venv_tag: untagged
+keystone_venv_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
+
+# Set this to enable or disable installing in a venv
+keystone_venv_enabled: true
+
+# The bin path defaults to the venv path however if installation in a
+#  venv is disabled the bin path will be dynamically set based on the
+#  system path used when the installing.
+keystone_bin: "{{ keystone_venv_bin }}"
+
 keystone_fatal_deprecations: False
 
 ## System info
@@ -334,6 +344,11 @@ keystone_idp_apt_packages:
   - ssl-cert
   - xmlsec1
 
+# Keystone packages that must be installed before anything else
+keystone_requires_pip_packages:
+  - virtualenv
+  - python-keystoneclient # Keystoneclient needed to OSA keystone lib
+
 # Common pip packages
 keystone_pip_packages:
   - keystone

diff --git a/tasks/keystone_db_setup.yml b/tasks/keystone_db_setup.yml
@@ -40,10 +40,11 @@
     - keystone-db-setup
 
 - name: Perform a Keystone DB sync
-  command: keystone-manage db_sync
+  command: "{{ keystone_bin }}/keystone-manage db_sync"
   sudo: yes
   sudo_user: "{{ keystone_system_user_name }}"
   tags:
     - keystone-db-setup
     - keystone-db-sync
     - keystone-setup
+    - keystone-command-bin
diff --git a/tasks/keystone_fernet_keys_create.yml b/tasks/keystone_fernet_keys_create.yml
@@ -22,21 +22,25 @@
 
 - name: Create fernet keys for Keystone
   command: >
-    keystone-manage fernet_setup --keystone-user "{{ keystone_system_user_name }}"
-                                 --keystone-group "{{ keystone_system_group_name }}"
+    {{ keystone_bin }}/keystone-manage fernet_setup
+                                       --keystone-user "{{ keystone_system_user_name }}"
+                                       --keystone-group "{{ keystone_system_group_name }}"
   sudo: yes
   sudo_user: "{{ keystone_system_user_name }}"
   when: not _fernet_keys.stat.exists
   tags:
     - keystone-setup
     - keystone-fernet
+    - keystone-command-bin
 
 - name: Rotate fernet keys for Keystone
   command: >
-    keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}"
-                                  --keystone-group "{{ keystone_system_group_name }}"
+    {{ keystone_bin }}/keystone-manage fernet_rotate
+                                       --keystone-user "{{ keystone_system_user_name }}"
+                                       --keystone-group "{{ keystone_system_group_name }}"
   sudo: yes
   sudo_user: "{{ keystone_system_user_name }}"
   when: _fernet_keys.stat.exists
   tags:
     - keystone-fernet
+    - keystone-command-bin
diff --git a/tasks/keystone_idp_metadata.yml b/tasks/keystone_idp_metadata.yml
@@ -14,7 +14,8 @@
 # limitations under the License.
 
 - name: Generate IdP metadata
-  shell: "keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}"
+  shell: |
+    {{ keystone_bin }}/keystone-manage saml_idp_metadata > {{ keystone_idp.idp_metadata_path }}
   sudo: yes
   sudo_user: "{{ keystone_system_user_name }}"
   when: keystone_idp is defined

diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml
@@ -34,6 +34,7 @@
   delay: 2
   with_items: keystone_apt_packages
   tags:
+    - keystone-install
     - keystone-apt-packages
 
 - name: Install IdP apt packages
@@ -47,6 +48,7 @@
   with_items: keystone_idp_apt_packages
   when: keystone_idp is defined
   tags:
+    - keystone-install
     - keystone-apt-packages
 
 - name: Install SP apt packages
@@ -60,9 +62,43 @@
   with_items: keystone_sp_apt_packages
   when: keystone_sp is defined
   tags:
+    - keystone-install
     - keystone-apt-packages
 
-- name: Install pip packages
+- name: Install requires pip packages
+  pip:
+    name: "{{ item }}"
+    state: present
+    extra_args: "{{ pip_install_options|default('') }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items:
+    - "{{ keystone_requires_pip_packages }}"
+  tags:
+    - keystone-install
+    - keystone-pip-packages
+
+- name: Install pip packages (venv)
+  pip:
+    name: "{{ item }}"
+    state: present
+    virtualenv: "{{ keystone_venv_bin | dirname }}"
+    virtualenv_site_packages: "no"
+    extra_args: "{{ pip_install_options|default('') }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items:
+    - "{{ keystone_pip_packages }}"
+  when: keystone_venv_enabled | bool
+  tags:
+    - keystone-install
+    - keystone-pip-packages
+
+- name: Install pip packages (no venv)
   pip:
     name: "{{ item }}"
     state: present
@@ -73,5 +109,7 @@
   delay: 2
   with_items:
     - "{{ keystone_pip_packages }}"
+  when: not keystone_venv_enabled | bool
   tags:
+    - keystone-install
     - keystone-pip-packages
diff --git a/tasks/keystone_post_install.yml b/tasks/keystone_post_install.yml
@@ -53,9 +53,38 @@
     mode: "{{ item.mode|default('0644') }}"
   with_items:
     - { src: "sso_callback_template.html", dest: "/etc/keystone/sso_callback_template.html" }
-    - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
-    - { src: "keystone-wsgi.py", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
   notify:
     - Restart Apache
   tags:
     - keystone-config
+
+- name: Drop Keystone WSGI Configs
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "{{ item.mode|default('0644') }}"
+  with_items:
+    - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/admin", mode: "0755" }
+    - { src: "keystone-wsgi.py.j2", dest: "/var/www/cgi-bin/keystone/main", mode: "0755" }
+  notify:
+    - Restart Apache
+  tags:
+    - keystone-config
+
+- name: Get keystone command path
+  command: which keystone
+  register: keystone_command_path
+  when:
+    - not keystone_venv_enabled | bool
+  tags:
+    - keystone-command-bin
+
+- name: Set keystone command path
+  set_fact:
+    keystone_bin: "{{ keystone_command_path.stdout | dirname }}"
+  when:
+    - not keystone_venv_enabled | bool
+  tags:
+    - keystone-command-bin
diff --git a/tasks/keystone_pre_install.yml b/tasks/keystone_pre_install.yml
@@ -67,6 +67,7 @@
     group: "{{ item.group|default(keystone_system_group_name) }}"
     mode: "{{ item.mode|default(0755) }}"
   with_items:
+    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
     - { path: "/etc/keystone" }
     - { path: "{{ keystone_ldap_domain_config_dir }}" }
     - { path: "/etc/keystone/ssl" }
@@ -78,6 +79,17 @@
   tags:
     - keystone-dirs
 
+- name: Create keystone venv dir
+  file:
+    path: "{{ item.path }}"
+    state: directory
+  with_items:
+    - { path: "/openstack/venvs" }
+    - { path: "{{ keystone_venv_bin }}" }
+  when: keystone_venv_enabled | bool
+  tags:
+    - keystone-dirs
+
 - name: Test for log directory or link
   shell: |
     if [ -h "/var/log/keystone"  ]; then

diff --git a/tasks/keystone_token_cleanup.yml b/tasks/keystone_token_cleanup.yml
@@ -17,9 +17,7 @@
   cron:
     name: "Clear out stale keystone tokens"
     minute: 0
-    job: "/usr/local/bin/keystone-manage token_flush"
+    job: "{{ keystone_bin }}/keystone-manage token_flush"
     user: "{{ keystone_system_user_name }}"
-  when: >
-    'sql' in keystone_token_driver
   tags:
     - keystone-config
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -15,6 +15,7 @@
 
 - include: keystone_pre_install.yml
 - include: keystone_install.yml
+- include: keystone_post_install.yml
 
 - include: keystone_key_setup.yml
   tags:
@@ -27,8 +28,6 @@
   when: >
     'fernet' in keystone_token_provider
 
-- include: keystone_post_install.yml
-
 - include: keystone_federation_sp_setup.yml
   when: >
     keystone_sp is defined
@@ -37,9 +36,12 @@
   when: >
     inventory_hostname == groups['keystone_all'][0]
 
+- include: keystone_token_cleanup.yml
+  when: >
+    'sql' in keystone_token_driver
+
 - include: keystone_ssl.yml
 - include: keystone_apache.yml
-- include: keystone_token_cleanup.yml
 
 - include: keystone_service_setup.yml
   when: >

diff --git a/templates/keystone-fernet-rotate.sh.j2 b/templates/keystone-fernet-rotate.sh.j2
@@ -23,8 +23,9 @@
 
 function autorotate {
     # Rotate the keys
-    keystone-manage fernet_rotate --keystone-user "{{ keystone_system_user_name }}" \
-                                  --keystone-group "{{ keystone_system_group_name }}"
+    {{ keystone_bin }}/keystone-manage fernet_rotate \
+                                       --keystone-user "{{ keystone_system_user_name }}" \
+                                       --keystone-group "{{ keystone_system_group_name }}"
     {% for host in groups['keystone_all'] %}
 
     {% if inventory_hostname != host %}

diff --git a/files/keystone-wsgi.py → templates/keystone-wsgi.py.j2 b/files/keystone-wsgi.py → templates/keystone-wsgi.py.j2
@@ -14,6 +14,11 @@
 
 import os
 
+{% if keystone_venv_enabled | bool %}
+activate_this = os.path.expanduser("{{ keystone_venv_bin }}/activate_this.py")
+execfile(activate_this, dict(__file__=activate_this))
+{% endif %}
+
 from keystone.server import wsgi as wsgi_server