Various changes to make convergence test work

- Ensure that rootwrap files are appropriately secured.
 - Implement sudoers to make rootwrap work.
 - Restructure tests to reduce duplication.
This commit is contained in:
Jesse Pretorius
2016年03月11日 19:26:22 +00:00
parent f59db83194
commit a07a073cc1


@@ -17,8 +17,8 @@
config_template:
src:"{{ item.src }}"
dest:"{{ item.dest }}"
owner:"{{ designate_system_user_name }}"
group:"{{ designate_system_group_name }}"
owner:"{{ item.owner|default(designate_system_user_name) }}"
group:"{{ item.group|default(designate_system_group_name) }}"
mode:"0644"
config_overrides:"{{ item.config_overrides }}"
config_type:"{{ item.config_type }}"
@@ -48,12 +48,10 @@
- name:Copy designate rootwrap filter config
copy:
src:"{{ item.src }}"
dest:"{{ item.dest }}"
src:"rootwrap.d/bind9.filters"
dest:"/etc/designate/rootwrap.d/bind9.filters"
owner:"root"
group:"root"
with_items:
- {src:"rootwrap.d/bind9.filters", dest:"/etc/designate/rootwrap.d/bind9.filters"}
notify:Restart designate services
tags:
- designate-config
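Review bot: The `Copy designate rootwrap filter config` task now fixes `owner`/`group` to root but sets no `mode`, so the filter file ends up with whatever permissions the existing file or the copy module's default give it; because `bind9.filters` defines which commands rootwrap will run as root, it should be explicitly non-writable by the service user. Add `mode: "0644"` after `group: "root"`, consistent with the `mode: "0644"` the config_template task in the first hunk already uses. The config_template task of the first hunk begins above the hunk.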


@@ -43,6 +43,8 @@
with_items:
- {path:"/etc/designate"}
- {path:"/etc/designate/rootwrap.d"}
- {path:"/etc/designate/rootwrap.d", owner:"root", group:"root"}
- {path:"/etc/sudoers.d", mode:"0750", owner:"root", group:"root"}
- {path:"{{ designate_system_user_home }}"}
- {path:"{{ designate_system_user_home }}/.ssh", mode:"0700"}
- {path:"/var/cache/designate", mode:"0700"}
@@ -89,6 +91,17 @@
- designate-dirs
- designate-logs
- name:Drop sudoers file
template:
src:"sudoers.j2"
dest:"/etc/sudoers.d/{{ designate_system_user_name }}_sudoers"
mode:"0440"
owner:"root"
group:"root"
tags:
- sudoers
- designate-sudoers
- include:designate_messaging_setup.yml
when:>
inventory_hostname == groups['designate_all'][0]
when:
- inventory_hostname == groups['designate_all'][0]
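Review bot: The new `Drop sudoers file` task installs the rendered template straight into /etc/sudoers.d without validation, so a render that yields an invalid fragment (for example an empty `designate_system_user_name`) leaves sudo with a parse error on the host. Add `validate: "/usr/sbin/visudo -cf %s"` to the `template:` block so the file is only installed once visudo accepts it. The `mode: "0440"` with root ownership is the right setting for a sudoers fragment; the directory entry in the first hunk sets `/etc/sudoers.d` to `"0750"`, which is stricter than some distributions ship, so confirm that tightening an existing system directory is intended. The task that owns the first hunk's `with_items` list starts above the hunk.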

6
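--- /dev/null
+++ b/templates/sudoers.j2
+# {{ ansible_managed }}
+Defaults:{{ designate_system_user_name }} !requiretty
+Defaults:{{ designate_system_user_name }} secure_path="{{ designate_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+{{ designate_system_user_name }} ALL = (root) NOPASSWD: {{ designate_bin }}/{{ designate_service_name }}-rootwrap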
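Review bot: The rule on the last line grants NOPASSWD root for `{{ designate_bin }}/{{ designate_service_name }}-rootwrap` with no argument restriction, so any rootwrap configuration file can be handed to it; the usual pattern pins the config argument, e.g. `{{ designate_system_user_name }} ALL = (root) NOPASSWD: {{ designate_bin }}/{{ designate_service_name }}-rootwrap <path-to-rootwrap.conf> *` (placeholder: the rootwrap.conf path this role installs is not shown on this page). Because sudo does not check who owns the target, this rule is only as strong as the ownership of the rootwrap entry point and of the venv under `designate_bin`; they need to be root-owned and not writable by `designate_system_user_name`, which this page does not show, so it should be confirmed in the role's install tasks. Placing `{{ designate_bin }}` first in root's `secure_path` likewise means anything rootwrap resolves by bare name is looked up in the venv before the system directories, so the same ownership requirement applies to everything in that directory.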


@@ -1,35 +1,2 @@
[all]
localhost ansible_connection=local ansible_become=True
[rabbitmq_all:children]
infra1
[galera_all:children]
infra1
[designate_all:children]
designate_api
[designate_api:children]
openstack1
[designate_central:children]
openstack1
[designate_mdns:children]
openstack1
[designate_pool_manager:children]
openstack1
[designate_sink:children]
openstack1
[keystone_all:children]
openstack1
[infra1]
10.100.100.101
[openstack1]
10.100.100.102


@@ -0,0 +1,46 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Inventory is being pre-loaded using a post tasks instead of through a dynamic
# inventory system. While this is not a usual method for deployment it's being
# done for functional testing.
- name:Create container hosts
add_host:
groups:"{{ item.groups }}"
hostname:"{{ item.name }}"
inventory_hostname:"{{ item.name }}"
ansible_ssh_host:"{{ item.address }}"
ansible_become:true
properties:
service_name:"{{ item.service }}"
container_networks:
management_address:
address:"{{ item.address }}"
bridge:"lxcbr0"
interface:"eth1"
netmask:"255.255.252.0"
type:"veth"
physical_host:localhost
container_name:"{{ item.name }}"
with_items:
- name:"infra1"
service:"infra1"
address:"10.100.100.101"
groups:"all,all_containers,rabbitmq_all,galera_all,service_all"
- name:"openstack1"
service:"openstack1"
address:"10.100.100.102"
groups:"all,all_containers,keystone_all,designate_all,designate_api,designate_central,designate_pool_manager,designate_mdns,designate_sink"
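Review bot: The container addresses `10.100.100.101` and `10.100.100.102` are hard-coded in this `with_items` list and again as `designate_galera_address`, `rabbitmq_servers`, `keystone_galera_address` and the `*_lb_vip_address` values in the new tests/test-vars.yml, so the two new files can drift apart. Since the commit's aim is to reduce duplication in the tests, consider defining each address once (for instance in test-vars.yml) and referencing it here. `ansible_ssh_host` is the pre-2.0 spelling of `ansible_host`; keep it if the tests still run on Ansible 1.9, which this page does not show, otherwise prefer `ansible_host`.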


@@ -13,44 +13,18 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name:Prepare the inventory
hosts:localhost
connection:local
become:yes
tasks:
- include:test-include-inventory.yml
- name:Playbook for deploying designate
hosts:designate_all
user:root
gather_facts:true
roles:
- role:"{{ rolename | basename }}"
vars:
debug:True
external_lb_vip_address:10.100.100.102
internal_lb_vip_address:10.100.100.102
designate_galera_address:10.100.100.101
designate_container_mysql_password:"SuperSecrete"
designate_pool_manager_galera_address:10.100.100.101
designate_pool_manager_container_mysql_password:"SuperSecrete"
galera_client_drop_config_file:false
galera_root_password:"secrete"
designate_rabbitmq_password:"secrete"
designate_rabbitmq_userid:designate
designate_rabbitmq_vhost:/designate
rabbitmq_servers:10.100.100.101
rabbitmq_use_ssl:False
rabbitmq_port:5672
keystone_auth_admin_token:"SuperSecreteTestToken"
keystone_auth_admin_password:"SuperSecretePassword"
keystone_service_adminuri_insecure:false
keystone_service_internaluri_insecure:false
keystone_service_internaluri:"http://{{ internal_lb_vip_address }}:5000"
keystone_service_internalurl:"{{ keystone_service_internaluri }}/v3"
keystone_service_adminuri:"http://{{ internal_lb_vip_address }}:35357"
keystone_service_adminurl:"{{ keystone_service_adminuri }}/v3"
designate_venv_tag:"testing"
designate_developer_mode:true
designate_git_install_branch:4df88d7b28a05cb3556573ce4f1c7c66abf944bb# HEAD of "master" as of 17.01.2016
designate_requirements_git_install_branch:332278d456e06870150835564342570ec9d5f5a0# HEAD of "master" as of 17.01.2016
designate_service_password:"secrete"
designate_profiler_hmac_key:"secrete"
openrc_os_auth_url:"{{ keystone_service_internalurl }}"
openrc_os_password:"{{ keystone_auth_admin_password }}"
openrc_os_domain_name:"Default"
memcached_servers:127.0.0.1
memcached_encryption_key:"secrete"
vars_files:
- test-vars.yml
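Review bot: The new `Prepare the inventory` play sets `become: yes`, but the only task it runs is the include of test-include-inventory.yml, which on this page consists of a single `add_host` task — a local inventory manipulation that needs no root — so the escalation is unnecessary and the `become:` line can be dropped. If it is kept, write it as `become: true` to match the `gather_facts: true` and `ansible_become: true` used elsewhere in the change rather than the YAML 1.1 `yes` form. The same `become: yes` appears in the equivalent new plays of the infra, keystone and container test playbooks further down.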


@@ -13,6 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name:Prepare the inventory
hosts:localhost
connection:local
become:yes
tasks:
- include:test-include-inventory.yml
- name:Playbook for deploying infra services
hosts:service_all
user:root


@@ -13,6 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name:Prepare the inventory
hosts:localhost
connection:local
become:yes
tasks:
- include:test-include-inventory.yml
- name:Playbook for deploying keystone
hosts:keystone_all
user:root
@@ -61,23 +68,5 @@
when:inventory_hostname == groups['keystone_all'][0]
roles:
- role:os_keystone
vars:
external_lb_vip_address:10.100.100.102
internal_lb_vip_address:10.100.100.102
keystone_galera_address:10.100.100.101
keystone_galera_database:keystone
keystone_venv_tag:"testing"
keystone_developer_mode:true
keystone_git_install_branch:a55128044f763f5cfe2fdc57c738eaca97636448# HEAD of "master" as of 17.01.2016
keystone_requirements_git_install_branch:332278d456e06870150835564342570ec9d5f5a0# HEAD of "master" as of 17.01.2016
keystone_auth_admin_token:"SuperSecreteTestToken"
keystone_auth_admin_password:"SuperSecretePassword"
keystone_service_password:"secrete"
keystone_rabbitmq_password:"secrete"
keystone_container_mysql_password:"SuperSecrete"
keystone_rabbitmq_port:5671
keystone_rabbitmq_userid:keystone
keystone_rabbitmq_vhost:/keystone
keystone_rabbitmq_servers:10.100.100.101
keystone_rabbitmq_use_ssl:true
galera_client_drop_config_file:false
vars_files:
- test-vars.yml


@@ -13,6 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name:Prepare the inventory
hosts:localhost
connection:local
become:yes
tasks:
- include:test-include-inventory.yml
- name:Playbook for creating containers
hosts:all_containers
connection:local


@@ -42,6 +42,7 @@
name:"trusty.tgz"
sha256sum:"56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c"
chroot_path:trusty/rootfs-amd64
- role:"openstack_openrc"
post_tasks:
- name:Install pip packages
pip:
@@ -53,4 +54,8 @@
retries:5
delay:2
with_items:
- lxc-python2
- python-openstackclient
- python-designateclient
vars_files:
- test-vars.yml
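Review bot: The `Install pip packages` task pulls `python-openstackclient` and `python-designateclient` from PyPI with no version pin or constraints file, so the client versions on the test host depend on whatever is current at run time and results are not reproducible between runs. Unless constraints are applied elsewhere in the role (not visible here), pin the versions or point pip at the project's constraints file through the module's `extra_args`. The `roles:` list that the first hunk extends starts above the hunk.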

62
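--- /dev/null
+++ b/tests/test-vars.yml
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+debug: True
+external_lb_vip_address: 10.100.100.102
+internal_lb_vip_address: 10.100.100.102
+galera_client_drop_config_file: false
+galera_root_password: "secrete"
+rabbitmq_servers: 10.100.100.101
+rabbitmq_use_ssl: False
+rabbitmq_port: 5672
+memcached_servers: 127.0.0.1
+memcached_encryption_key: "secrete"
+keystone_venv_tag: "testing"
+keystone_developer_mode: true
+keystone_git_install_branch: a55128044f763f5cfe2fdc57c738eaca97636448 # HEAD of "master" as of 17.01.2016
+keystone_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
+keystone_service_password: "secrete"
+keystone_galera_address: 10.100.100.101
+keystone_galera_database: keystone
+keystone_container_mysql_password: "SuperSecrete"
+keystone_auth_admin_token: "SuperSecreteTestToken"
+keystone_auth_admin_password: "SuperSecretePassword"
+keystone_service_adminuri_insecure: false
+keystone_service_internaluri_insecure: false
+keystone_service_internaluri: "http://{{ internal_lb_vip_address }}:5000"
+keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
+keystone_service_adminuri: "http://{{ internal_lb_vip_address }}:35357"
+keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
+keystone_rabbitmq_vhost: /keystone
+keystone_rabbitmq_userid: keystone
+keystone_rabbitmq_password: "secrete"
+keystone_rabbitmq_use_ssl: false
+keystone_rabbitmq_port: 5672
+keystone_rabbitmq_servers: 10.100.100.101
+openrc_os_auth_url: "{{ keystone_service_internalurl }}"
+openrc_os_password: "{{ keystone_auth_admin_password }}"
+openrc_os_domain_name: "Default"
+designate_venv_tag: "testing"
+designate_developer_mode: true
+designate_git_install_branch: 4df88d7b28a05cb3556573ce4f1c7c66abf944bb # HEAD of "master" as of 17.01.2016
+designate_requirements_git_install_branch: 332278d456e06870150835564342570ec9d5f5a0 # HEAD of "master" as of 17.01.2016
+designate_service_password: "secrete"
+designate_galera_address: 10.100.100.101
+designate_container_mysql_password: "SuperSecrete"
+designate_pool_manager_galera_address: 10.100.100.101
+designate_pool_manager_container_mysql_password: "SuperSecrete"
+designate_rabbitmq_password: "secrete"
+designate_rabbitmq_userid: designate
+designate_rabbitmq_vhost: /designate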
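Review bot: `keystone_rabbitmq_use_ssl: false` and `keystone_rabbitmq_port: 5672` differ from the values the keystone test playbook carried before this change (`keystone_rabbitmq_use_ssl: true`, `keystone_rabbitmq_port: 5671`), so the consolidation silently stops exercising keystone's TLS connection to RabbitMQ. If aligning keystone with the plaintext `rabbitmq_port: 5672` used for designate is intended, the commit message should say so; otherwise restore the previous two values here. Separately, `debug: True` and `rabbitmq_use_ssl: False` use capitalised YAML 1.1 booleans while the rest of the file uses `true`/`false`; write `debug: true` and `rabbitmq_use_ssl: false`.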


@@ -1,3 +0,0 @@
---
# vars file for os_designate/