stackhpc / ansible-role-os-projects Goto Github PK

Ansible role to register OpenStack projects, users and related resources

License: Apache License 2.0

Jinja 100.00%

ansible-role-os-projects's Introduction

NOTE:

This repository is no longer maintained - role has been moved to Ansible collection now ➡️ https://github.com/stackhpc/ansible-collection-openstack

OpenStack Projects

This role can be used to register projects, users and related resources in OpenStack using the os_* modules.

Requirements

Ansible >=2.9
The OpenStack keystone API should be accessible from the target host.

Role Variables

os_projects_venv is a path to a directory in which to create a virtualenv.

os_projects_auth_type is an authentication type compatible with the auth_type argument of os_* Ansible modules.

os_projects_auth is a dict containing authentication information compatible with the auth argument of os_* Ansible modules.

os_projects_cacert is an optional path to a CA certificate bundle.

os_projects_cloud is an optional name of a cloud in clouds.yaml.

os_projects_interface is the endpoint URL type to fetch from the service catalog. Maybe be one of public, admin, or internal.

os_projects_domains is a list of OpenStack domains to create. Each item should be a dict containing the following items:

name: The name of the domain.
description: Optional description for the domain.

os_projects is a list of projects to register. Each item should be a dict containing the following items:

name: The name of the project.
description: A description of the project.
parent: Optional name or ID of a parent project.
project_domain: The domain in which to register the project.
user_domain: The domain in which to register users.
users: Optional list of users to register. Each user should be a dict containing the following items:
- name: The name of the user.
- description: User name/description (optional)
- email: User email address (optional)
- password: The user's password.
- roles: Optional list of roles to assign to the user in the project.
- domain_roles: Optional list of roles to assign to the user in the user domain.
- openrc_file: Path to an environment file to create.
keypairs: Optional list of SSH key pairs to register with Nova. Each key pair should be a dict containing the following items:
- name: The name of the keypair.
- public_key: The SSH public key contents. Optional.
- public_key_file: Path to the SSH public key on the control host.
quotas: Optional dict mapping quota names to their values.

os_projects_upper_constraints is a path to an upper constraints file which is passed through to the role dependencies.

Dependencies

This role depends on the stackhpc.os_openstacksdk and stackhpc.os-openstackclient roles, plus openstack.cloud collection.

Example Playbook

The following playbook registers an OpenStack project, users and related resources.

---
- name: Ensure OpenStack projects are registered
  hosts: keystone
  roles:
    - role: stackhpc.os-projects
      os_projects_venv: "~/os-projects-venv"
      os_projects_upper_constraints: "https://opendev.org/openstack/requirements/raw/branch/stable/stein/upper-constraints.txt"
      os_projects_auth_type: "password"
      os_projects_auth:
        project_name: <keystone project>
        username: <keystone user>
        password: <keystone password>
        auth_url: <keystone auth URL>
      os_projects:
        - name: project1
          description: An example project
          project_domain: default
          user_domain: default
          users:
            - name: user1
              password: correcthorsebatterystaple
              roles:
                - admin
              openrc_file: /home/user/user1.openrc
          keypairs:
            - name: keypair1
              public_key_file: /path/to/key
          quotas:
            ram: -1

Author Information

Mark Goddard ([email protected])

ansible-role-os-projects's People

Contributors

Stargazers

Watchers

Forkers

verneglobal g-research xiaoruiguo rse-cambridge mtint

ansible-role-os-projects's Issues

Deprecation warnings

[DEPRECATION WARNING]: The 'os_user_facts' module has been renamed to 
'os_user_info', and the renamed one no longer returns ansible_facts. This 
feature will be removed in version 2.13. Deprecation warnings can be disabled 
by setting deprecation_warnings=False in ansible.cfg.

[DEPRECATION WARNING]: 'include' for playbook includes. You should use 
'import_playbook' instead. This feature will be removed in version 2.12. 
Deprecation warnings can be disabled by setting deprecation_warnings=False in 
ansible.cfg.

Problems with virtualenv escape and Ansible 2.2.1

I'm seeing issues when using Ansible-2.2.1 in the virtualenv.
I have Jinja2 2.9.6 inside the virtualenv, which implements the equalto test.
Outside the virtualenv, the system has Jinja2 2.7.2, which does not implement the equalto test.

What I see is the os_user task in users.yml fails with this output:

fatal: [localhost]: FAILED! => { "failed": true, "msg": "The conditional check '{{ openstack_users |\n selectattr('name', 'equalto', item.name) |\n selectattr('enabled') |\n list |\n length == 0 }}\n' failed. The error was: no test named 'equalto'\n\nThe error appears to have been in '/home/stack/p3-config/ansible/roles/stackhpc.os-projects/tasks/users.yml': line 26, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Ensure project users exist\n ^ here\n" }

It appears that the version of Jinja2 being picked up is from the system environment rather than the virtualenv we created.

Something curious is that there is no installation of shade in the system environment, upon which I believe os_user depends. So shade appears to be found in the virtualenv while Jinja2 is not.

This works as expected if the virtualenv is updated to use Ansible 2.3.1.

Add support for deleting users

Refactor `os_*` modules to openstack.cloud collection

Reasons including:

[DEPRECATION WARNING]: openstack.cloud.os_user_info has been deprecated. os_ prefixed module names are deprecated, use openstack.cloud.identity_user_info. This feature will be removed from openstack.cloud in a release after 2021-12-12.

Add support for domains

Add support for creating domains, managing user roles on domains.
I did some work on this here: https://github.com/VerneGlobal/ansible-role-os-projects
But I couldn't get it to work correctly.

Fails on CentOS 7 due to OSC being incompatible with Python 2

When the latest python-openstackclient is installed, we get the following on CentOS 7:

ImportError: No module named queue

Fails on CentOS 8 when /usr/bin/python doesn't exist

CentOS 8 ships without a /usr/bin/python binary, only /usr/bin/python3 is available. It causes the following issues when setting quotas:

"module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "/bin/sh: /usr/bin/python: No such file or directory\r\n", "msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error", "rc": 127

We don't actually need to use this code with recent versions of Ansible since we can use os_quota instead.

Invalid os_quota parameters

"msg": "Unsupported parameters for (os_quota) module: gigabytes_lvm Supported parameters include: api_timeout, auth, auth_type, availability_zone, backup_gigabytes, backups, ca_cert, client_cert, client_key, cloud, cores, fixed_ips, floating_ips, floatingip, gigabytes, gigabytes_types, injected_file_size, injected_files, injected_path_size, instances, interface, key_pairs, loadbalancer, name, network, per_volume_gigabytes, pool, port, project, properties, ram, rbac_policy, region_name, router, security_group, security_group_rule, server_group_members, server_groups, snapshots, snapshots_types, state, subnet, subnetpool, timeout, validate_certs, volumes, volumes_types, wait"}

gigabytes_lvm snapshots_lvm and volumes_lvm are not valid os_quota module parameters despite documentation saying so ([1] [2] [3]).

The correct documentation is here: https://docs.ansible.com/ansible/latest/collections/openstack/cloud/quota_module.html#parameters

openstack_users is undefined

ansible version: 3.2.0
python version: 3.6
os: centos 8

I'm seeing:

TASK [stackhpc.os-projects : Ensure project users exist] ********************************************************************************************************************
task path: /src/ansible/roles/stackhpc.os-projects/tasks/users.yml:25
fatal: [localhost]: FAILED! => {
    "msg": "The conditional check 'openstack_users | selectattr('name', 'equalto', item.name) | selectattr('enabled') | list | length == 0\n' failed. The error was: error while evaluating conditional (openstack_users | selectattr('name', 'equalto', item.name) | selectattr('enabled') | list | length == 0\n): 'openstack_users' is undefined\n\nThe error appears to be in '/src/ansible/roles/stackhpc.os-projects/tasks/users.yml': line 25, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Ensure project users exist\n  ^ here\n"
}

I see the earlier task: Check whether users exist, is retrieving this list, but it isn't available as a fact:

ok: [localhost] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "api_timeout": null,
            "auth": {
                "application_credential_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "application_credential_secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "auth_url": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "auth_type": "v3applicationcredential",
            "availability_zone": null,
            "ca_cert": null,
            "client_cert": null,
            "client_key": null,
            "domain": "default",
            "filters": null,
            "interface": "public",
            "name": null,
            "region_name": null,
            "timeout": 180,
            "validate_certs": false,
            "wait": true
        }
    },
    "openstack_users": [
        {
            "default_project_id": null,
....