├── roles
├── ipaclient
│ ├── templates
│ │ ├── main.yml
│ │ ├── resolv.conf.j2
│ │ └── ifcfg-eth0.j2
│ └── tasks
│ │ └── main.yml
├── openstack-inventory
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── provision
│ ├── libvirt
│ │ ├── vars
│ │ │ └── main.yml
│ │ ├── templates
│ │ │ ├── macvtap.xml
│ │ │ ├── macvtap.xml.j2
│ │ │ ├── ifcfg-eth2.j2
│ │ │ └── ifcfg-eth1.j2
│ │ ├── defaults
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ └── main.yml
│ ├── openstack
│ │ ├── vars
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── main.yml
│ │ │ ├── teardown_network.yml
│ │ │ ├── oce.yml
│ │ │ ├── ssh.yml
│ │ │ ├── teardown.yml
│ │ │ └── create.yml
│ │ ├── defaults
│ │ │ └── main.yml
│ │ └── templates
│ │ │ └── inventory.ini.j2
│ └── azure
│ │ ├── tasks
│ │ ├── cfme.yml
│ │ └── main.yml
│ │ └── vars
│ │ └── main.yml
├── tripleo
│ ├── files
│ │ ├── sudoers
│ │ ├── registry_config.yml
│ │ ├── container_prep.sh
│ │ └── undercloud.conf
│ ├── defaults
│ │ └── main.yml
│ ├── templates
│ │ └── ipmi.json.j2
│ └── tasks
│ │ └── main.yml
├── common
│ ├── vars
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ ├── rngd.service
│ │ ├── lslebodn-sssd-1-13-epel-7.repo
│ │ ├── rhel-server.repo
│ │ ├── public_keys
│ │ │ ├── lappy.pub
│ │ │ ├── nkinder.pub
│ │ │ ├── ayoung.pub
│ │ │ └── work.pub
│ │ └── jdennis-keycloak-httpd-client-install.repo
│ └── tasks
│ │ └── main.yaml
├── nova-ipa
│ ├── defaults
│ │ └── main.yml
│ ├── templates
│ │ ├── ifcfg-eth0
│ │ ├── ifcfg-br-ex
│ │ └── ipaclient.conf
│ ├── files
│ │ ├── setup-iptables.sh
│ │ ├── wait_for_ping.sh
│ │ ├── cloud-config.json
│ │ ├── wait_for_active_vm.sh
│ │ └── setup-ipa-client.sh
│ ├── vars
│ │ └── main.yml
│ └── handlers
│ │ └── main.yml
├── packstack
│ ├── files
│ │ ├── gssapi.conf
│ │ ├── 55-lookup_identity.conf
│ │ ├── test
│ │ ├── RH7-RHOS-7.0.repo
│ │ ├── RH7-RHOS-8.0.repo
│ │ └── mapping_ipsilon_saml2.json
│ ├── templates
│ │ ├── server.cnf
│ │ ├── keystone-ssl.conf.j2
│ │ ├── kerb-accrc.j2
│ │ ├── demorc.j2
│ │ ├── adminrc.j2
│ │ ├── keystone-federation.conf.j2
│ │ ├── qpidd.acl.j2
│ │ ├── qpidd.conf.j2
│ │ ├── fed-accrc.j2
│ │ ├── 10-keystone_wsgi_main.conf.j2
│ │ ├── 10-keystone_wsgi_admin.conf.j2
│ │ ├── metadata-config.py.j2
│ │ ├── mapping_sssd.json.j2
│ │ ├── keystone-federation-ipsilon.conf.j2
│ │ ├── haproxy.cfg
│ │ ├── answers.txt.j2
│ │ └── answers.txt.autoregister-neutron
│ ├── tasks
│ │ ├── horizon.yml
│ │ ├── packstack.yml
│ │ ├── infopipe.yml
│ │ ├── keystone-sssd.yml
│ │ ├── ipa-pre-packstack.yml
│ │ ├── main.yml
│ │ ├── ipa-post-packstack.yml
│ │ ├── haproxy-fixups.yml
│ │ ├── serviceauth.yml
│ │ ├── keystone.yml
│ │ ├── haproxy.yml
│ │ └── keystone-environment.yml
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── vars
│ │ └── main.yml
│ └── library
│ │ └── ipauser
├── ipaserver
│ ├── files
│ │ └── ipa.repo
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ └── library
│ │ └── resolver
├── ipsilonserver
│ ├── files
│ │ ├── ipsilon_ecp
│ │ └── ipsilon-idp-ecp.conf
│ ├── handlers
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── cfmeconf
│ ├── templates
│ │ └── resolv.conf.j2
│ └── tasks
│ │ └── main.yml
├── satelliteserver
│ ├── handlers
│ │ └── main.yml
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── satellite.repo
│ ├── tasks
│ │ ├── main.yml
│ │ ├── setup.yml
│ │ └── install.yml
│ └── templates
│ │ └── ipsilon.conf.j2
├── cfme
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ ├── main.yml
│ │ ├── teardown.yml
│ │ └── create.yml
├── mariadb-kerberos
│ ├── files
│ │ ├── maria-galera.repo
│ │ ├── rharwood-galera-maria.repo
│ │ └── rharwood-mariadb-epel-7.repo
│ └── tasks
│ │ ├── maria-prep.yml
│ │ ├── mysql.yml
│ │ └── mariadb-kerberos.yml
├── websso
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ └── websso-proxy.conf
│ ├── templates
│ │ └── websso.service.j2
│ ├── vars
│ │ └── main.yml
│ ├── library
│ │ └── ipaservice
│ └── tasks
│ │ └── main.yml
├── barbican
│ ├── files
│ │ └── barbican.repo
│ └── tasks
│ │ ├── test-encrypted-volumes.yml
│ │ └── main.yml
├── teardown
│ ├── libvirt
│ │ ├── defaults
│ │ │ └── main.yml
│ │ └── tasks
│ │ │ └── main.yml
│ └── openstack
│ │ ├── defaults
│ │ └── main.yml
│ │ └── tasks
│ │ └── main.yml
├── unsubscribe
│ └── tasks
│ │ └── main.yml
├── rhsso
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ └── rhsso-proxy.conf
│ ├── templates
│ │ └── rhsso.service.j2
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── keycloak
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ └── keycloak-proxy.conf
│ ├── templates
│ │ ├── keycloak.service.j2
│ │ └── freeipa-realm.json
│ ├── vars
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── openstack-clean
│ └── tasks
│ │ ├── main.yml~
│ │ └── main.yml
├── bastion
│ └── tasks
│ │ └── main.yml
├── keyfed
│ ├── handlers
│ │ └── main.yml
│ ├── files
│ │ ├── 11-keystone_wsgi_main.conf
│ │ ├── 11-keystone_wsgi_admin.conf
│ │ ├── mapping_ipsilon_saml2.json
│ │ └── 12-keystone-federation.conf
│ ├── vars
│ │ └── main.yml
│ └── templates
│ │ └── metadata-config.py.j2
├── proton
│ └── files
│ │ └── kgiusti-t-demo.repo
├── staticnetwork
│ ├── templates
│ │ └── static-ifcfg-eth0
│ └── tasks
│ │ └── main.yml
├── rhsso-saml-idp
│ ├── files
│ │ ├── jdennis-keycloak-httpd-client-install.repo
│ │ └── mapping_rhsso_saml2.json
│ └── vars
│ │ └── main.yml
├── keycloak-saml-idp
│ ├── files
│ │ ├── jdennis-keycloak-httpd-client-install.repo
│ │ └── mapping_keycloak_saml2.json
│ └── vars
│ │ └── main.yml
├── update
│ └── tasks
│ │ └── main.yml
├── netteardown
│ └── tasks
│ │ └── main.yml
├── rhv
│ ├── tasks
│ │ └── main.yml
│ └── templates
│ │ └── answers.txt.j2
├── firewalld
│ └── tasks
│ │ └── main.yml
├── jbosseap
│ └── tasks
│ │ └── main.yml
├── subscribe
│ └── tasks
│ │ └── main.yml
├── ipsilon-saml-idp
│ └── tasks
│ │ └── keystone-ipsilon.yml
└── oce-master
│ └── tasks
│ └── main.yml
├── .gitignore
├── playbooks
├── azure.yml
├── openstack-net-teardown.yml
├── openstack-teardown.yml
├── teardown-cfme.yml
├── unsubscribe.yml
├── rhv.yml
├── teardown-libvirt.yml
├── subscribe.yml
├── openstack-provision.yml
├── teardown_networks.yml
├── update.yml
├── tripleo.yml
├── os_test.yml
├── provision-libvirt.yml
├── jbosseap.yml
├── create-cfme.yml
├── satellite.yml
├── ipsilon.yml
├── bastion.yml
├── common.yml
├── websso.yml
├── rhsso-saml-idp.yml
├── keycloak-saml-idp.yml
├── baseline.yml
├── keyfed.yml
├── rhsso.yml
├── group_vars
│ └── all.yml
├── ipa.yml
├── keycloak.yml
├── tower.yml
├── oce.yml
├── openstack-clean.yml
├── localvirt.yml
├── packstack.yml
├── testcred.yml
├── downstream.yml
├── site.yml
└── R.yaml
├── ansible.cfg
├── library
├── ipaservice
└── ipsilonprovider
└── README.rst
/roles/ipaclient/templates/main.yml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/roles/openstack-inventory/vars/main.yml:
--------------------------------------------------------------------------------
---
# No role-scoped vars are defined in this file.
--------------------------------------------------------------------------------
/roles/provision/libvirt/vars/main.yml:
--------------------------------------------------------------------------------
---
# No role-scoped vars are defined in this file.
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Editor backup files. NOTE(review): roles/openstack-clean/tasks/main.yml~ is
# already tracked in this repository, so this pattern does not remove it.
*~
# OpenStack client config, which typically holds cloud credentials. This
# pattern matches one directory level only (e.g. playbooks/clouds.yaml).
*/clouds.yaml
# Ansible retry files
*/*.retry
--------------------------------------------------------------------------------
/roles/tripleo/files/sudoers:
--------------------------------------------------------------------------------
# Grants the "stack" user unrestricted, passwordless root via sudo. This is the
# broadest possible grant; presumably required by the TripleO undercloud install
# (undercloud.conf sits beside this file) — confirm, and narrow it to the
# commands actually needed if the host outlives the install.
stack ALL=(root) NOPASSWD:ALL
--------------------------------------------------------------------------------
/roles/common/vars/main.yml:
--------------------------------------------------------------------------------
---
# Checkout location for dotfiles; the leading "~" is left for the consuming
# module or shell to expand.
dotfiles_dir: "~/dotfiles"
--------------------------------------------------------------------------------
/roles/nova-ipa/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Placeholder default for the IPA Directory Manager password. Override it per
# deployment (e.g. from an Ansible Vault); never deploy with this value.
ipa_dm_password: password
--------------------------------------------------------------------------------
/playbooks/azure.yml:
--------------------------------------------------------------------------------
---
# Runs the provision/azure role from the control host.
- hosts: localhost
  roles:
    - provision/azure
--------------------------------------------------------------------------------
/playbooks/openstack-net-teardown.yml:
--------------------------------------------------------------------------------
---
# Runs the netteardown role from the control host.
- hosts: localhost
  roles:
    - netteardown
--------------------------------------------------------------------------------
/roles/packstack/files/gssapi.conf:
--------------------------------------------------------------------------------
# Loads mod_auth_gssapi (Kerberos/GSSAPI HTTP authentication) into httpd.
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
--------------------------------------------------------------------------------
/roles/ipaserver/files/ipa.repo:
--------------------------------------------------------------------------------
[ipa]
name=hacked ipa
# Local, file-based repository (the ipaserver "createrepo file" handler runs
# createrepo /iparepo).
baseurl=file:///iparepo
# Signature checking is off: anything dropped into /iparepo is installable
# unverified. Tolerable only because the repo is local and self-built.
gpgcheck=0
--------------------------------------------------------------------------------
/playbooks/openstack-teardown.yml:
--------------------------------------------------------------------------------
---
# Runs the teardown/openstack role from the control host.
- hosts: localhost
  roles:
    - teardown/openstack
--------------------------------------------------------------------------------
/roles/ipsilonserver/files/ipsilon_ecp:
--------------------------------------------------------------------------------
# PAM service "ipsilon_ecp", referenced by AuthPAMService in
# ipsilon-idp-ecp.conf: authentication and account checks go solely to SSSD.
auth required pam_sss.so
account required pam_sss.so
--------------------------------------------------------------------------------
/roles/packstack/files/55-lookup_identity.conf:
--------------------------------------------------------------------------------
# Loads mod_lookup_identity, which exports identity attributes looked up via
# SSSD into the request environment.
LoadModule lookup_identity_module modules/mod_lookup_identity.so
--------------------------------------------------------------------------------
/playbooks/teardown-cfme.yml:
--------------------------------------------------------------------------------
---
# Runs the cfme role in teardown mode from the control host.
- hosts: localhost
  vars:
    teardown: true
  roles:
    - cfme
--------------------------------------------------------------------------------
/playbooks/unsubscribe.yml:
--------------------------------------------------------------------------------
---
# Runs the unsubscribe role (subscription removal) on every inventory host.
- hosts: all
  become: true
  become_user: root
  roles:
    - unsubscribe
--------------------------------------------------------------------------------
/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
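---
# Handlers for the common role.
- name: restart network
  # become replaces the deprecated "sudo: yes" keyword
  become: true
  service:
    name: network
    state: restarted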
--------------------------------------------------------------------------------
/roles/ipsilonserver/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers for the ipsilonserver role.
- name: restart httpd
  service:
    name: httpd
    enabled: true
    state: restarted
--------------------------------------------------------------------------------
/roles/cfmeconf/templates/resolv.conf.j2:
--------------------------------------------------------------------------------
## handled by ansible
## Search domain and the single resolver both come from the template vars
## (ipa_domain, nameserver). No fallback nameserver is configured.
search {{ ipa_domain }}

nameserver {{ nameserver }}
--------------------------------------------------------------------------------
/roles/ipaclient/templates/resolv.conf.j2:
--------------------------------------------------------------------------------
## handled by ansible
## Identical to roles/cfmeconf/templates/resolv.conf.j2. Search domain and the
## single resolver come from the template vars (ipa_domain, nameserver);
## no fallback nameserver is configured.
search {{ ipa_domain }}

nameserver {{ nameserver }}
--------------------------------------------------------------------------------
/roles/ipaserver/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Placeholder credentials: override per deployment (e.g. from an Ansible
# Vault); never deploy with these values.
ipa_admin_password: password
ipa_dm_password: password

# Kerberos realm for the deployment.
ipa_realm: FEDTEST.ORG
--------------------------------------------------------------------------------
/roles/satelliteserver/handlers/main.yml:
--------------------------------------------------------------------------------
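---
# Handlers for the satelliteserver role.
- name: restart httpd
  # become replaces the deprecated "sudo: yes" keyword
  become: true
  service:
    name: httpd
    state: restarted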
--------------------------------------------------------------------------------
/playbooks/rhv.yml:
--------------------------------------------------------------------------------
---
# Subscribes the "zubat" host and then applies the rhv role.
- hosts: zubat
  remote_user: ayoung
  become: true
  become_user: root
  roles:
    - subscribe
    - rhv
--------------------------------------------------------------------------------
/roles/cfme/vars/main.yml:
--------------------------------------------------------------------------------
---
# Local state directory for this tool, under the invoking user's $HOME.
config_dir: "{{ lookup('env', 'HOME') }}/rippowam"
# Per-cluster directory beneath it; clustername must be supplied by the caller.
cluster_dir: "{{ config_dir }}/deployments/{{ clustername }}"
--------------------------------------------------------------------------------
/roles/packstack/templates/server.cnf:
--------------------------------------------------------------------------------
[server]
# MariaDB GSSAPI authentication: the server keytab and the principal it
# authenticates as. The keytab should be readable by the mysql service user only.
kerberos_keytab_path=/var/lib/mysql/mysql.keytab
kerberos_principal_name={{ mysql_principal }}
--------------------------------------------------------------------------------
/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
pipelining=True
# Disables SSH host-key verification for every connection: a host whose key
# changed, or one impersonating a target, is accepted silently. Convenient for
# freshly provisioned cloud VMs, but it removes SSH's only MITM check; prefer
# seeding known_hosts for long-lived hosts.
host_key_checking=False
roles_path = roles
# Module search path; the second entry is a sibling checkout resolved
# relative to the working directory.
library = /usr/share/ansible:../ansible-getcert
--------------------------------------------------------------------------------
/playbooks/teardown-libvirt.yml:
--------------------------------------------------------------------------------
---
# Runs the teardown/libvirt role on the hypervisor host(s).
- hosts: hypervisor
  remote_user: cloud-user
  become: true
  roles:
    - teardown/libvirt
--------------------------------------------------------------------------------
/roles/cfme/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point for the cfme role: the "teardown" variable selects which task
# file runs; exactly one of the two includes is executed.
- include_tasks: create.yml
  when: not teardown

- include_tasks: teardown.yml
  when: teardown
--------------------------------------------------------------------------------
/playbooks/subscribe.yml:
--------------------------------------------------------------------------------
---
# Runs the subscribe role on every inventory host.
- hosts: all
  remote_user: "{{ cloud_user }}"
  become: true
  become_user: root
  roles:
    - subscribe
--------------------------------------------------------------------------------
/playbooks/openstack-provision.yml:
--------------------------------------------------------------------------------
---
# Creates an OpenStack cluster: provision/openstack with both teardown flags
# off takes the create.yml path.
- hosts: localhost
  vars:
    teardown: false
    teardown_network: false
  roles:
    - provision/openstack
--------------------------------------------------------------------------------
/playbooks/teardown_networks.yml:
--------------------------------------------------------------------------------
---
# Tears down an OpenStack cluster and its networks: provision/openstack with
# both flags set runs teardown.yml and teardown_network.yml.
- hosts: localhost
  vars:
    teardown: true
    teardown_network: true
  roles:
    - provision/openstack
--------------------------------------------------------------------------------
/playbooks/update.yml:
--------------------------------------------------------------------------------
---
# Runs the subscribe role and then the update role on every inventory host.
- hosts: all
  remote_user: "{{ cloud_user }}"
  become: true
  become_user: root
  roles:
    - subscribe
    - update
--------------------------------------------------------------------------------
/roles/packstack/templates/keystone-ssl.conf.j2:
--------------------------------------------------------------------------------
# TLS for the Keystone vhost. Server cert and key come from the ssl_cert and
# ssl_key vars; SSLCACertificateFile names the IPA CA as the trust anchor for
# client certificates (only relevant where SSLVerifyClient is enabled).
SSLEngine on
SSLCertificateFile {{ ssl_cert }}
SSLCertificateKeyFile {{ ssl_key }}
SSLCACertificateFile /etc/ipa/ca.crt
--------------------------------------------------------------------------------
/playbooks/tripleo.yml:
--------------------------------------------------------------------------------
---
# Applies the tripleo role on the director host.
- hosts: director
  remote_user: cloud-user
  become: true
  vars:
    teardown: false
    teardown_network: false
  roles:
    - tripleo
--------------------------------------------------------------------------------
/roles/nova-ipa/templates/ifcfg-eth0:
--------------------------------------------------------------------------------
# eth0 is configured as an Open vSwitch port attached to the br-ex bridge,
# not as a plain Ethernet device.
DEVICE=eth0
# Pinned to the NIC's real MAC, taken from gathered facts.
HWADDR={{ ansible_eth0.macaddress }}
TYPE=OVSPort
DEVICETYPE=ovs
OVS_BRIDGE=br-ex
ONBOOT=yes
# NetworkManager must not manage OVS-attached interfaces.
NM_CONTROLLED=no
--------------------------------------------------------------------------------
/roles/mariadb-kerberos/files/maria-galera.repo:
--------------------------------------------------------------------------------
# NOTE(review): this repo id is also declared in rharwood-galera-maria.repo;
# two files defining the same id will collide if both are installed.
[rharwood-mariadb]
name=GSSAPI Mariadb with galera
# Personal (fedorapeople) build, served over TLS.
baseurl=https://admiyo.fedorapeople.org/maria-galera/
enabled=1
# Unsigned packages installed unverified; TLS protects transport only,
# not package provenance.
gpgcheck=0
--------------------------------------------------------------------------------
/roles/nova-ipa/files/setup-iptables.sh:
--------------------------------------------------------------------------------
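#!/bin/sh
# Turns the host into a NAT gateway: masquerade traffic leaving eth0, accept
# all forwarded traffic, then persist the ruleset.
# -e/-u so a failed iptables call does not still overwrite the persisted rules.
set -eu
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Accepts every forwarded packet in both directions; narrow it to the internal
# interface/subnet if this host is reachable from untrusted networks.
iptables -I FORWARD 1 -j ACCEPT
iptables-save > /etc/sysconfig/iptables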
--------------------------------------------------------------------------------
/playbooks/os_test.yml:
--------------------------------------------------------------------------------
---
# Smoke test for the local OpenStack client configuration: loads the
# configured clouds and prints them.
- hosts: localhost
  tasks:
    - name: Get list of clouds from OpenStack client config
      os_client_config:
    - debug: var=openstack.clouds
--------------------------------------------------------------------------------
/roles/provision/libvirt/templates/macvtap.xml:
--------------------------------------------------------------------------------
1 |
2 | macvtap-net
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/roles/websso/handlers/main.yml:
--------------------------------------------------------------------------------
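---
# Handlers for the websso role.
- name: reload systemd
  # become replaces the deprecated "sudo: yes" keyword
  become: true
  command: systemctl daemon-reload

- name: restart websso
  # NOTE(review): the unit restarted here is rh-sso7, not a "websso" unit —
  # confirm this matches what websso.service.j2 installs.
  service:
    name: rh-sso7
    enabled: true
    state: restarted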
--------------------------------------------------------------------------------
/roles/mariadb-kerberos/files/rharwood-galera-maria.repo:
--------------------------------------------------------------------------------
# NOTE(review): same repo id as maria-galera.repo; installing both files
# makes the definitions collide.
[rharwood-mariadb]
name=GSSAPI Mariadb with galera
# Internal host, plain HTTP.
baseurl=http://file.bos.redhat.com/rharwood/maria-galera
enabled=1
# Unsigned packages over cleartext HTTP: nothing verifies either transport or
# provenance, so anything on the path can substitute packages.
gpgcheck=0
--------------------------------------------------------------------------------
/roles/barbican/files/barbican.repo:
--------------------------------------------------------------------------------
[barbican]
name=barbican
# Personal COPR build, pinned to Fedora 22.
baseurl=https://copr-be.cloud.fedoraproject.org/results/vakwetu/barbican/fedora-22-$basearch/
# Unsigned packages installed unverified from a third-party build system;
# TLS protects transport only, not package provenance.
gpgcheck=0
enabled=1
enabled_metadata=1
--------------------------------------------------------------------------------
/roles/packstack/tasks/horizon.yml:
--------------------------------------------------------------------------------
---
# Horizon configuration for the packstack role.
- name: Install local settings file
  # NOTE(review): local_settings.j2 is not present under
  # roles/packstack/templates in this checkout — confirm where it comes from.
  template:
    src: local_settings.j2
    dest: /etc/openstack-dashboard/local_settings
  notify:
    - restart httpd
--------------------------------------------------------------------------------
/roles/provision/openstack/vars/main.yml:
--------------------------------------------------------------------------------
---
# Cluster identifier of the form "<username>.<cloudname>".
clustername: "{{ username }}.{{ cloudname }}"
# Local state directory for this tool, under the invoking user's $HOME.
config_dir: "{{ lookup('env', 'HOME') }}/rippowam"
# Per-cluster directory beneath it.
cluster_dir: "{{ config_dir }}/deployments/{{ clustername }}"
--------------------------------------------------------------------------------
/roles/teardown/libvirt/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Hypervisor hosts consumed by the teardown/libvirt tasks.
cluster_hosts:
  - name: passimian

# Host/NIC pairs whose macvtap networks the tasks remove.
macvtap_networks:
  - cluster_host: passimian
    device: em1
  - cluster_host: passimian
    device: em2
--------------------------------------------------------------------------------
/roles/ipaserver/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers for the ipaserver role.

# Regenerates repodata for the local file:// repo that files/ipa.repo points at.
- name: createrepo file
  command: createrepo /iparepo

- name: restart firewalld
  service:
    name: firewalld
    enabled: true
    state: restarted
--------------------------------------------------------------------------------
/playbooks/provision-libvirt.yml:
--------------------------------------------------------------------------------
---
# Applies the provision/libvirt role on the hypervisor host(s) in create mode.
- hosts: hypervisor
  remote_user: cloud-user
  become: true
  vars:
    teardown: false
    teardown_network: false
  roles:
    - provision/libvirt
--------------------------------------------------------------------------------
/roles/ipaclient/templates/ifcfg-eth0.j2:
--------------------------------------------------------------------------------
# Managed by Ansible (ipaclient role): DHCP on eth0 with the IPA nameserver
# pinned as the first resolver.
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
USERCTL="yes"
# DHCP-supplied DNS servers are still accepted alongside DNS1 — presumably
# intended; confirm.
PEERDNS="yes"
IPV6INIT="no"
PERSISTENT_DHCLIENT="1"
DNS1="{{ nameserver }}"
--------------------------------------------------------------------------------
/roles/provision/libvirt/templates/macvtap.xml.j2:
--------------------------------------------------------------------------------
1 |
2 | macvtap-{{ item.cluster_host }}-{{ item.device }}
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/roles/provision/openstack/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point for the provision/openstack role. "teardown" selects create vs
# teardown; "teardown_network" additionally removes the networks (both flags
# may be set, see playbooks/teardown_networks.yml).
- include_tasks: create.yml
  when: not teardown

- include_tasks: teardown.yml
  when: teardown

- include_tasks: teardown_network.yml
  when: teardown_network
--------------------------------------------------------------------------------
/roles/common/files/rngd.service:
--------------------------------------------------------------------------------
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon

[Service]
# -r /dev/urandom feeds the kernel's own urandom output back in as if it were
# a hardware source. This raises the entropy-available counter (unblocking
# consumers on VMs) without adding real entropy and is widely warned against;
# prefer virtio-rng / /dev/hwrng on guests where available.
ExecStart=/sbin/rngd -f -r /dev/urandom
# Presumably rngd's "no usable entropy source" exit code; treated as success.
SuccessExitStatus=66

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/ipsilonserver/files/ipsilon-idp-ecp.conf:
--------------------------------------------------------------------------------
# Protection for the Ipsilon IdP's ECP endpoint: HTTP Basic credentials are
# checked through PAM service "ipsilon_ecp" (files/ipsilon_ecp, which
# delegates to SSSD). Basic auth sends the password on every request, so this
# must only ever be served over TLS.
AuthType Basic
AuthName "Ipsilon ECP"
AuthBasicProvider PAM
AuthPAMService ipsilon_ecp
Require valid-user
--------------------------------------------------------------------------------
/roles/unsubscribe/tasks/main.yml:
--------------------------------------------------------------------------------
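---
- name: Unsubscribe
  redhat_subscription:
    state: absent
    username: "{{ redhat_user }}"
    password: "{{ redhat_password }}"
    pool_ids: "{{ redhat_pool_id }}"
  # The module args carry the portal password; no_log keeps them out of task
  # results and logs.
  no_log: true
  # Best-effort: a host that is already unregistered must not fail the play.
  ignore_errors: true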
--------------------------------------------------------------------------------
/playbooks/jbosseap.yml:
--------------------------------------------------------------------------------
---
# Runs the subscribe role and then the jbosseap role.
- hosts: all
  # eventually this will be scoped only to eap hosts
  # hosts: eap
  remote_user: "{{ cloud_user }}"
  become: true
  become_user: root
  roles:
    - subscribe
    - jbosseap
--------------------------------------------------------------------------------
/roles/rhsso/handlers/main.yml:
--------------------------------------------------------------------------------
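---
# Handlers for the rhsso role.

# Pulls in the packstack handlers so tasks in this role can notify them
# (packstack's own tasks notify e.g. "restart httpd").
# NOTE(review): "include" is deprecated in newer Ansible; check that the
# replacement is supported in handlers on the targeted version before switching.
- include: ../../packstack/handlers/main.yml

- name: reload systemd
  # become replaces the deprecated "sudo: yes" keyword
  become: true
  command: systemctl daemon-reload

- name: restart rhsso
  service:
    name: rhsso
    enabled: true
    state: restarted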
--------------------------------------------------------------------------------
/roles/packstack/files/test:
--------------------------------------------------------------------------------
import pprint
import webob
import webob.dec


@webob.dec.wsgify
def application(req: webob.Request) -> webob.Response:
    """Debug WSGI endpoint: echoes the full request environ back to the client.

    The environ includes server-side values (for example whatever the httpd
    auth/identity modules export into the request environment), so this must
    never be reachable outside a test setup.

    Note: the body is pprint output, not JSON, despite the content_type.
    """
    return webob.Response(pprint.pformat(req.environ),
                          content_type='application/json')
--------------------------------------------------------------------------------
/playbooks/create-cfme.yml:
--------------------------------------------------------------------------------
---
# Commented-out localhost variant:
# - hosts: localhost
#   vars:
#     teardown: false
#   roles:
#     - cfme

# Subscribes the cfme host and applies the cfmeconf role.
- hosts: cfme
  remote_user: ayoung
  become: true
  become_user: root
  roles:
    - subscribe
    - cfmeconf
--------------------------------------------------------------------------------
/playbooks/satellite.yml:
--------------------------------------------------------------------------------
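---
# To be run after the site.yml file. Sets up a satellite server
- hosts: satellite
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - satellite
  roles:
    - subscribe
    - satelliteserver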
--------------------------------------------------------------------------------
/roles/keycloak/handlers/main.yml:
--------------------------------------------------------------------------------
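---
# Handlers for the keycloak role.

# Pulls in the packstack handlers so tasks in this role can notify them
# (packstack's own tasks notify e.g. "restart httpd").
# NOTE(review): "include" is deprecated in newer Ansible; check that the
# replacement is supported in handlers on the targeted version before switching.
- include: ../../packstack/handlers/main.yml

- name: reload systemd
  # become replaces the deprecated "sudo: yes" keyword
  become: true
  command: systemctl daemon-reload

- name: restart keycloak
  service:
    name: keycloak
    enabled: true
    state: restarted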
--------------------------------------------------------------------------------
/roles/openstack-clean/tasks/main.yml~:
--------------------------------------------------------------------------------
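---
# Editor backup of roles/openstack-clean/tasks/main.yml; not referenced by the
# role and kept only because it is already tracked.
- name: kinit
  tags:
    - cleanup
  # Obtain an admin ticket if none is cached. The password is passed to kinit
  # on stdin; "quote" keeps shell metacharacters in it from being interpreted,
  # and the redirect form is POSIX (the original "&>" is bash-only).
  shell: klist >/dev/null 2>&1 || echo {{ ipa_admin_password | quote }} | kinit admin@{{ ipa_realm }}
  # The command line embeds the admin password; keep it out of task output and logs.
  no_log: true
  changed_when: false

# TODO: the file originally ended with a dangling "name: remove host entry for
# openstack" line (invalid YAML); the task body was never written.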
--------------------------------------------------------------------------------
/playbooks/ipsilon.yml:
--------------------------------------------------------------------------------
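---
# Applies the common and ipsilonserver roles on the IPA host.
- hosts: ipa
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - common
    - ipsilonserver
  vars:
    hostname: "{{ ansible_fqdn }}"
    # Maps the inventory-level name onto the variable the roles read.
    ipa_admin_password: "{{ ipa_admin_user_password }}"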
--------------------------------------------------------------------------------
/playbooks/bastion.yml:
--------------------------------------------------------------------------------
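---
# First play runs no tasks; it only performs fact gathering on the bastion.
- hosts: bastion
  remote_user: "{{ cloud_user }}"
  # NOTE(review): "all" is a reserved tag name in Ansible — confirm this is intended.
  tags: all
  tasks: []

- hosts: bastion
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags: ipaclient
  roles:
    # - subscribe
    # - ipaclient
    - bastion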
--------------------------------------------------------------------------------
/playbooks/common.yml:
--------------------------------------------------------------------------------
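---
# Applies the common role to every inventory host.
- hosts: all
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - openstack
  roles:
    - common
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    # Maps the inventory-level name onto the variable the roles read.
    ipa_admin_password: "{{ ipa_admin_user_password }}"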
--------------------------------------------------------------------------------
/playbooks/websso.yml:
--------------------------------------------------------------------------------
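---
# Subscribes the sso host, enrolls it as an IPA client, then applies websso.
- hosts: sso
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - subscribe
    - ipaclient
    - websso
  vars:
    hostname: "{{ ansible_fqdn }}"
    # Maps the inventory-level name onto the variable the roles read.
    ipa_admin_password: "{{ ipa_admin_user_password }}"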
--------------------------------------------------------------------------------
/roles/packstack/templates/kerb-accrc.j2:
--------------------------------------------------------------------------------
# openstack client environment for federated Kerberos login (source into a shell).
# No password is stored here: v3fedkerb authenticates with the caller's
# Kerberos ticket through the "sssd" identity provider / kerberos protocol.
export OS_AUTH_TYPE=v3fedkerb
# NOTE(review): this endpoint is openstack.<ipa_domain>, while demorc.j2 uses
# the hostname variable — confirm both resolve to the same Keystone.
export OS_AUTH_URL=https://openstack.{{ ipa_domain }}:5000/v3
export OS_IDENTITY_PROVIDER=sssd
export OS_PROTOCOL=kerberos
export OS_PROJECT_NAME=demo
export OS_PROJECT_DOMAIN_ID=default
export OS_IDENTITY_API_VERSION=3
--------------------------------------------------------------------------------
/roles/rhsso/files/rhsso-proxy.conf:
--------------------------------------------------------------------------------
# matches for RH-SSO IdP
#
# mod_nss TLS settings plus an AJP reverse proxy to the local RH-SSO instance
# on 8109. Content is identical to keycloak-proxy.conf apart from this header.
# NSSVerifyClient optional requests but does not require a client certificate;
# +ExportCertData exports certificate data into request environment variables.
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient optional
# NOTE(review): ProxyPassMatch normally takes a regex before the URL; the
# bare-URL form presumably relies on an enclosing container directive.
ProxyPassMatch ajp://localhost:8109
ProxyPassReverse ajp://localhost:8109
--------------------------------------------------------------------------------
/roles/websso/files/websso-proxy.conf:
--------------------------------------------------------------------------------
# matches for Websso IdP
#
# mod_ssl TLS settings (the rhsso/keycloak variants use mod_nss) plus an AJP
# reverse proxy to the local instance on 8009. SSLVerifyClient optional
# requests but does not require a client certificate; +ExportCertData
# exports certificate data into request environment variables.
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
# NOTE(review): ProxyPassMatch normally takes a regex before the URL; the
# bare-URL form presumably relies on an enclosing container directive.
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
--------------------------------------------------------------------------------
/roles/keycloak/files/keycloak-proxy.conf:
--------------------------------------------------------------------------------
# matches for Keycloak IdP
#
# mod_nss TLS settings plus an AJP reverse proxy to the local Keycloak instance
# on 8109. Content is identical to rhsso-proxy.conf apart from this header.
# NSSVerifyClient optional requests but does not require a client certificate;
# +ExportCertData exports certificate data into request environment variables.
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient optional
# NOTE(review): ProxyPassMatch normally takes a regex before the URL; the
# bare-URL form presumably relies on an enclosing container directive.
ProxyPassMatch ajp://localhost:8109
ProxyPassReverse ajp://localhost:8109
--------------------------------------------------------------------------------
/playbooks/rhsso-saml-idp.yml:
--------------------------------------------------------------------------------
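---
# Applies the rhsso-saml-idp role on the openstack host(s).
- hosts: openstack
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - rhsso-idp
  roles:
    - rhsso-saml-idp
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    # Maps the inventory-level name onto the variable the roles read.
    ipa_admin_password: "{{ ipa_admin_user_password }}"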
--------------------------------------------------------------------------------
/roles/bastion/tasks/main.yml:
--------------------------------------------------------------------------------
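---
# Tasks for the bastion role: enable the OpenShift repo and install the
# openshift-ansible packages.
- name: enable only OpenShift Repos
  tags:
    - oce-master
  # No shell features are used, so command suffices and avoids a shell parse.
  command: subscription-manager repos --enable="rhel-7-server-ose-3.7-rpms"
  # NOTE(review): the name says "only", but nothing here disables other repos — confirm intent.

- name: install openshift-ansible packages
  # One transaction with a package list instead of looping yum per package.
  yum:
    name:
      - openshift-ansible
      - openshift-ansible-playbooks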
--------------------------------------------------------------------------------
/playbooks/keycloak-saml-idp.yml:
--------------------------------------------------------------------------------
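---
# Applies the keycloak-saml-idp role on the openstack host(s).
- hosts: openstack
  # become replaces the deprecated "sudo: yes" play keyword
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - keycloak-idp
  roles:
    - keycloak-saml-idp
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    # Maps the inventory-level name onto the variable the roles read.
    ipa_admin_password: "{{ ipa_admin_user_password }}"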
--------------------------------------------------------------------------------
/roles/tripleo/files/registry_config.yml:
--------------------------------------------------------------------------------
# this becomes /etc/docker-distribution/registry/config.yml
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
http:
  # Plain-HTTP listener; no tls or auth section is configured in this file, so
  # anything that can reach 10.127.0.1:8787 can push and pull unauthenticated.
  # Assumes the address is on an isolated provisioning network — confirm.
  addr: 10.127.0.1:8787
--------------------------------------------------------------------------------
/roles/nova-ipa/files/wait_for_ping.sh:
--------------------------------------------------------------------------------
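#!/bin/sh
# Usage: wait_for_ping.sh HOST SECONDS
# Pings HOST once per second for up to SECONDS seconds. Exits 0 as soon as a
# reply arrives, 1 if the host never answered or the arguments are missing
# (the original silently exited 0 when SECONDS was negative or empty).
if [ -z "$1" ] || [ -z "$2" ] ; then
    echo "$LINENO usage: $0 HOST SECONDS" >&2
    exit 1
fi
host=$1
ii=$2
while [ "$ii" -gt 0 ] ; do
    # -q quiet, -W1 one-second reply timeout, -c1 a single packet, -n no DNS lookup
    if ping -q -W1 -c1 -n "$host" ; then
        exit 0
    fi
    ii=$((ii - 1))
    sleep 1
done
echo "$LINENO server $host did not respond after $2 seconds"
exit 1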
--------------------------------------------------------------------------------
/roles/packstack/templates/demorc.j2:
--------------------------------------------------------------------------------
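# Rendered by the packstack role; source it to use the CLI as the demo user.
export OS_AUTH_TYPE=v3password
export OS_AUTH_URL=https://{{ hostname }}:5000/v3
export OS_USERNAME=demo
# Single-quoted so shell metacharacters in the password are taken literally
# (a password containing a single quote would still need escaping).
export OS_PASSWORD='{{ keystone_demo_password }}'
export OS_PROJECT_NAME=demo
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_IDENTITY_API_VERSION=3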
--------------------------------------------------------------------------------
/roles/satelliteserver/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the satelliteserver role; override per inventory as needed.

# Apache TLS material; the three paths below derive from this directory.
ssl_certs_dir: /etc/httpd/conf
ssl_cert: "{{ ssl_certs_dir }}/server.crt"
ssl_key: "{{ ssl_certs_dir }}/server.key"
ssl_req: "{{ ssl_certs_dir }}/server.req"

# SAML2 configuration directory under httpd.
saml_conf_dir: /etc/httpd/saml2

# NOTE(review): presumably the Satellite organization, lifecycle
# environment and product names — confirm against the role's tasks.
organization: rippowam
dev_lifecycle: Dev
product: rippowam
--------------------------------------------------------------------------------
/playbooks/baseline.yml:
--------------------------------------------------------------------------------
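---
# Baseline OpenStack host: RHOS repos plus a packstack install.
- hosts: baseline
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - baseline
  roles:
    # - common
    - rhos
    - packstack
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    # Jinja spacing normalised to match the other playbooks in this repo.
    ipa_admin_password: "{{ ipa_admin_user_password }}"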
--------------------------------------------------------------------------------
/playbooks/keyfed.yml:
--------------------------------------------------------------------------------
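---
# Enrol the overcloud controller in IPA, then apply the keyfed role.
- hosts: overcloud-controller-0
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - openstack
  roles:
    - ipaclient
    - keyfed
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    # Jinja spacing normalised to match the other playbooks in this repo.
    ipa_admin_password: "{{ ipa_admin_user_password }}"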
--------------------------------------------------------------------------------
/roles/nova-ipa/files/cloud-config.json:
--------------------------------------------------------------------------------
1 | {"cloud-init": "#cloud-config\nsystem_info:\n default_user:\n name: cloud-user\n plain_text_passwd: password\n lock_passwd: False\npackages:\n - python-simplejson\n - ipa-client\n - ipa-admintools\n - openldap-clients\nruncmd:\n - sh -x /tmp/setup-ipa-client.sh > /var/log/setup-ipa-client.sh.log 2>&1"}
2 |
--------------------------------------------------------------------------------
/roles/packstack/templates/adminrc.j2:
--------------------------------------------------------------------------------
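# Rendered by the packstack role; source it to use the CLI as admin.
export OS_AUTH_TYPE=v3password
export OS_AUTH_URL=https://{{ hostname }}:5000/v3
export OS_USERNAME=admin
# Single-quoted so shell metacharacters in the password are taken literally
# (a password containing a single quote would still need escaping).
export OS_PASSWORD='{{ keystone_admin_password }}'
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_IDENTITY_API_VERSION=3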
--------------------------------------------------------------------------------
/roles/nova-ipa/templates/ifcfg-br-ex:
--------------------------------------------------------------------------------
# Rendered by the nova-ipa role: the OVS external bridge takes eth0's MAC
# and IPv4 address from Ansible facts so the host keeps its address
# (presumably eth0 is enslaved to br-ex elsewhere in the role).
DEVICE=br-ex
DEVICETYPE=ovs
TYPE=OVSBridge
MACADDR={{ ansible_eth0.macaddress }}
BOOTPROTO=static
IPADDR={{ ansible_eth0.ipv4.address }}
# NOTE(review): /24 is hard-coded while the address comes from facts —
# confirm it matches ansible_eth0.ipv4.netmask.
NETMASK=255.255.255.0
GATEWAY={{ network_gw_ip.stdout }}
DNS1={{ nameserver }}
DNS2={{ ipa_forwarder }}
ONBOOT=yes
NM_CONTROLLED=no
--------------------------------------------------------------------------------
/playbooks/rhsso.yml:
--------------------------------------------------------------------------------
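---
# First play has no tasks: presumably only there to gather facts for "ipa"
# under any --tags selection (NOTE(review): confirm that intent).
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

- hosts: ipa
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - rhsso
  vars:
    hostname: "{{ ansible_fqdn }}"
    ipa_admin_password: "{{ ipa_admin_user_password }}"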
--------------------------------------------------------------------------------
/roles/keyfed/handlers/main.yml:
--------------------------------------------------------------------------------
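---
# Handlers for the keyfed role. Module args are written as YAML mappings
# rather than "key=value" strings.

- name: restart httpd
  # become replaces the deprecated "sudo: yes" task keyword; the other
  # handlers rely on the play-level escalation.
  become: true
  service:
    name: httpd
    state: restarted

- name: restart sssd
  service:
    name: sssd
    state: restarted

- name: restart firewalld
  service:
    name: firewalld
    state: restarted

- name: restart haproxy
  service:
    name: haproxy
    state: restarted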
--------------------------------------------------------------------------------
/roles/proton/files/kgiusti-t-demo.repo:
--------------------------------------------------------------------------------
# Copr repo for the proton role. Served over HTTPS with signature
# verification on (gpgcheck=1, key fetched from the same Copr project).
[kgiusti-t-demo]
name=Copr repo for some AMQP/Openstack messaging builds
baseurl=https://copr-be.cloud.fedoraproject.org/results/kgiusti/t-demo/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/kgiusti/t-demo/pubkey.gpg
enabled=1
enabled_metadata=1
--------------------------------------------------------------------------------
/roles/common/files/lslebodn-sssd-1-13-epel-7.repo:
--------------------------------------------------------------------------------
# Copr repo for the common role (sssd 1.13 builds). Served over HTTPS with
# signature verification on (gpgcheck=1, key from the same Copr project).
[lslebodn-sssd-1-13]
name=Copr repo for sssd-1-13 owned by lslebodn
baseurl=https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-13/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-13/pubkey.gpg
enabled=1
enabled_metadata=1
--------------------------------------------------------------------------------
/roles/mariadb-kerberos/files/rharwood-mariadb-epel-7.repo:
--------------------------------------------------------------------------------
# Copr repo for the mariadb-kerberos role. Served over HTTPS with signature
# verification on (gpgcheck=1, key from the same Copr project).
[rharwood-mariadb]
name=Copr repo for mariadb owned by rharwood
baseurl=https://copr-be.cloud.fedoraproject.org/results/rharwood/mariadb/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/rharwood/mariadb/pubkey.gpg
enabled=1
enabled_metadata=1
--------------------------------------------------------------------------------
/roles/keyfed/files/11-keystone_wsgi_main.conf:
--------------------------------------------------------------------------------
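# Keystone "main" (public) endpoint under mod_wsgi, served at /identity/main.
# Runs as the keystone user in a single process with a single thread.
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess keystone_main_11 display-name=keystone-main group=keystone processes=1 threads=1 user=keystone
WSGIProcessGroup keystone_main_11
WSGIScriptAlias /identity/main "/var/www/cgi-bin/keystone/main"
# (a second, identical WSGIProcessGroup line was removed — it was redundant)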
--------------------------------------------------------------------------------
/roles/common/files/rhel-server.repo:
--------------------------------------------------------------------------------
# Internal RHEL 7.2 mirror used by the common role.
# Both sections fetch over plain http with gpgcheck=0: neither transport
# nor package signatures are verified, so trust rests entirely on the
# network path to download.devel.redhat.com.
[rhel-server]
name=RHEL 7.2 Server
baseurl=http://download.devel.redhat.com/released/RHEL-7/7.2/Server/$basearch/os/
gpgcheck=0
enabled=1

[rhel-server-optional]
name=RHEL 7.2 Server Optional
baseurl=http://download.devel.redhat.com/released/RHEL-7/7.2/Server-optional/$basearch/os/
gpgcheck=0
enabled=0
--------------------------------------------------------------------------------
/roles/keyfed/files/11-keystone_wsgi_admin.conf:
--------------------------------------------------------------------------------
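# Keystone "admin" endpoint under mod_wsgi, served at /identity/admin.
# Runs as the keystone user in a single process with a single thread.
WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess keystone_admin_11 display-name=keystone-admin group=keystone processes=1 threads=1 user=keystone
WSGIProcessGroup keystone_admin_11
WSGIScriptAlias /identity/admin "/var/www/cgi-bin/keystone/admin"
# (a second, identical WSGIProcessGroup line was removed — it was redundant)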
--------------------------------------------------------------------------------
/playbooks/group_vars/all.yml:
--------------------------------------------------------------------------------
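---
# Names shared by every playbook. Everything derives from the local $USER
# and the cloud name so several people can share one cloud account.
username: "{{ lookup('env','USER') }}"
# Jinja spacing normalised ("{{username }}" -> "{{ username }}"); the
# rendered value is unchanged.
clustername: "{{ username }}.{{ cloudname }}"
ipa_domain: "{{ clustername }}"
ipa_realm: "{{ clustername|upper }}"
ssh_config_path: "{{ ansible_env.HOME }}/.ssh/config"
netname: "{{ username }}-private-net"
securitygroupname: "{{ username }}-rdu-all-open"
sshkeyname: "{{ username }}-pubkey"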
--------------------------------------------------------------------------------
/roles/openstack-clean/tasks/main.yml:
--------------------------------------------------------------------------------
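---
# Remove the "openstack" host entry (and its DNS records) from IPA.
# All three tasks carry the "cleanup" tag; originally only kinit had it,
# so "--tags cleanup" obtained a ticket and then did nothing with it.

- name: kinit
  tags:
    - cleanup
  shell: klist &>/dev/null || echo {{ ipa_admin_password }} | kinit admin@{{ ipa_realm }}
  args:
    # "&>" is bash syntax; make the interpreter explicit instead of relying
    # on /bin/sh being bash (it is on RHEL, so this is a no-op there).
    executable: /bin/bash
  # The admin password is part of the command line: keep it out of the
  # Ansible log/output.
  no_log: true
  changed_when: false

- name: remove host entry for openstack
  tags:
    - cleanup
  command: ipa host-del --updatedns openstack.{{ ipa_domain }}

- name: kdestroy
  tags:
    - cleanup
  command: kdestroy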
--------------------------------------------------------------------------------
/playbooks/ipa.yml:
--------------------------------------------------------------------------------
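---
# First play has no tasks: presumably only there to gather facts for "ipa"
# under any --tags selection (NOTE(review): confirm that intent).
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

- hosts: ipa
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - subscribe
    - update
    - ipaserver
  vars:
    # NOTE(review): hard-coded FQDN, while the inventory role expects the
    # IPA server to be "idm.{{ ipa_domain }}" — confirm these agree.
    ipa_fqdn: "idm.awx.devstack"
    ipa_admin_password: "{{ ipa_admin_user_password }}"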
--------------------------------------------------------------------------------
/playbooks/keycloak.yml:
--------------------------------------------------------------------------------
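---
# First play has no tasks: presumably only there to gather facts for "ipa"
# under any --tags selection (NOTE(review): confirm that intent).
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

- hosts: ipa
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    # - common
    # - ipaclient
    - keycloak
  vars:
    hostname: "{{ ansible_fqdn }}"
    ipa_admin_password: "{{ ipa_admin_user_password }}"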
--------------------------------------------------------------------------------
/roles/staticnetwork/templates/static-ifcfg-eth0:
--------------------------------------------------------------------------------
# Rendered by the staticnetwork role: pins eth0 to the address it currently
# holds (taken from Ansible facts) so it survives without DHCP.
DEVICE="eth0"
BOOTPROTO="static"
DHCPCLASS=
HWADDR={{ ansible_eth0.macaddress }}
IPADDR={{ ansible_eth0.ipv4.address }}
# NOTE(review): /24 is hard-coded while the address comes from facts —
# confirm it matches ansible_eth0.ipv4.netmask.
NETMASK=255.255.255.0
GATEWAY={{ network_gw_ip.stdout }}
ONBOOT=yes
NM_CONTROLLED=no
TYPE="Ethernet"
USERCTL="yes"
PEERDNS="yes"
DNS1={{ nameserver }}
DNS2={{ ipa_forwarder }}
IPV6INIT="no"
--------------------------------------------------------------------------------
/playbooks/tower.yml:
--------------------------------------------------------------------------------
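---
# Build the dynamic inventory locally, then enrol and configure the
# Tower host.
- hosts: localhost
  vars:
    teardown: false
  roles:
    - openstack-inventory

- hosts: tower
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - subscribe
    - ipaclient
    - tower
  vars:
    hostname: "{{ ansible_fqdn }}"
    ipa_admin_password: "{{ ipa_admin_user_password }}"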
--------------------------------------------------------------------------------
/roles/common/files/public_keys/lappy.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCswZCcLL05Ft0or5iv+mLEYzcq7GIaXGLed3ZXmLwQRU9WCWKxh0+LOwCwnxXt3MiRhUCgGO1/waA8osraiTcv7wHKEjfCPYjkyGpHBXcyPPch7azRwRchR2sUC54Nd2svQj1buVZU/rnvftuden02RxqBx/x1I7wrxwXY4DPO5Qru7h20nhFThaFJqghQH4N7Cx5zmFBfB+1aNlIJRlxsN38TAOjotixT8jaA45u8vGDknmBKRrPpVC7roycCxQins20axYsXJ91IKnCtmnkKjT48LTfLEO5Vrl/uOOsrrQ2xHH64g3/af+RDLnD1iHyWpZZK3N5SCPe38cVjAHCT jamie-black-lappy
2 |
--------------------------------------------------------------------------------
/roles/openstack-inventory/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Build the in-memory "ipaclients" group from the servers in the named cloud.

- os_server_facts:
    cloud: "{{ cloudname }}"
  register: openstack_servers

- name: add IPA clients
  add_host:
    groups:
      - ipaclients
    name: "{{ item.name }}"
  # NOTE(review): this iterates the *registered* module result rather than
  # the openstack_servers fact the module sets — confirm the loop really
  # sees a list of server dicts with a .name key.
  with_items: "{{ openstack_servers }}"
  # Skip the IPA server itself, which this repo names idm.<ipa_domain>.
  when: item.name != "idm.{{ ipa_domain }}"

- debug:
    var: item
  with_items: "{{ groups.ipaclients }}"
/playbooks/oce.yml:
--------------------------------------------------------------------------------
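---
# First play has no tasks: presumably only there to gather facts for the
# masters under any --tags selection (NOTE(review): confirm that intent).
- hosts: masters
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

# Enrol every OpenShift node (masters, nodes, bastion) in IPA.
- hosts: masters, nodes, bastion
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags: ipaclient
  roles:
    - subscribe
    - ipaclient

- hosts: masters
  become: true
  remote_user: "{{ cloud_user }}"
  tags: oce
  roles:
    - oce-master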
--------------------------------------------------------------------------------
/playbooks/openstack-clean.yml:
--------------------------------------------------------------------------------
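---
# First play has no tasks: presumably only there to gather facts for "ipa"
# under any --tags selection (NOTE(review): confirm that intent).
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

# Run the openstack-clean role on the IPA server to drop the openstack host.
- hosts: ipa
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - openstack-clean
  vars:
    hostname: "{{ ansible_fqdn }}"
    ipa_admin_password: "{{ ipa_admin_user_password }}"
    ipa_dns_forwarder: "{{ ipa_forwarder }}"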
--------------------------------------------------------------------------------
/roles/common/files/public_keys/nkinder.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsx2U9ek+3xqYGbylxZa3CuuaetgOcs1pA01ABumHAQjDFClB2hM+hXw764QCdKXYuQyvqO3IuujB/63JU0l1lW13z1E04slQA6QT0dbQPTA+WO9L3Jc9Dkjs5QqG1hjPVO2ki3HgyXoYcw91wF///Nuv1ZJzHS+AEO4li/zrCXodj3m33NkYuXoD+lM+c+r2y+p9Bhim0q0jW/lE50D8sl6MU7EDWpPLkRhQjhAwr5iHTqxtTCYw0si77Tb1vXxaN2LjDQIKMu2YJeHqZcF3OCt8PpYz+gpn85VFrG4K5qWJvpKMTpYFDYHfuJIoAiKlXlnsi+POJ9eOL8Thz1qAkQ== nkinder@redhat.com
2 |
--------------------------------------------------------------------------------
/roles/nova-ipa/files/wait_for_active_vm.sh:
--------------------------------------------------------------------------------
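#!/bin/sh
# Usage: wait_for_active_vm.sh SERVER SECONDS
# Poll "openstack server show SERVER" once a second until the instance is
# ACTIVE (exit 0) or ERROR (exit 1); exit 1 after SECONDS without either.
server=$1
ii=$2
while [ "$ii" -gt 0 ] ; do
    # One CLI call per iteration (the original ran "server show" twice).
    status=`openstack server show "$server"`
    if echo "$status" | grep ACTIVE ; then
        exit 0
    fi
    if echo "$status" | grep ERROR ; then
        echo could not create server
        echo "$status"
        exit 1
    fi
    ii=`expr $ii - 1`
    # The original loop never slept, so SECONDS was really "attempts" and
    # the CLI was hammered back-to-back; sleeping makes the message truthful.
    sleep 1
done
echo timedout waiting "$2" seconds for server "$server"
exit 1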
--------------------------------------------------------------------------------
/roles/common/files/public_keys/ayoung.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0OUPe+UxaIXwwyjD15YiooQM3KoIbLD7/T+o4Ji8Q+bX6BMxNvtgF04Z1lFu7X4U5Rtro8pegxV2weH7jNs5vGvyOgKnNsEY6aeZI1K/e7OPoDDARr2CQ4addxZNtpmlQQ6snvEoypKuzsQDO//wzKGdd7GXD8HiHPkfNjkjYmbUFGuntZibY2vUQOsbCi8D9J8RgycNe0DTjVkDKvJcSJsNiPVOoefX7ZnLclXGgYFMZCAsIPhVWjGgQ7rIB7fEgDTvEiFfNW4JRF4Q6WuYDGiFQ/G3v2XKRghk54xPPJZljM1SyZo8VL1Dn29dfj1dwH4oSTbOLisQM0LJ/EgzT ayoung@ayoung.boston.devel.redhat.com
2 |
3 |
--------------------------------------------------------------------------------
/roles/common/files/jdennis-keycloak-httpd-client-install.repo:
--------------------------------------------------------------------------------
# Copr repo for keycloak-httpd-client-install (common role copy). Served over
# HTTPS with signature verification on; the two per-role copies of this file
# in rhsso-saml-idp and keycloak-saml-idp set gpgcheck=0 instead.
[jdennis-keycloak-httpd-client-install]
name=Copr repo for keycloak-httpd-client-install owned by jdennis
baseurl=https://copr-be.cloud.fedoraproject.org/results/jdennis/keycloak-httpd-client-install/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/jdennis/keycloak-httpd-client-install/pubkey.gpg
enabled=1
enabled_metadata=1
--------------------------------------------------------------------------------
/roles/rhsso-saml-idp/files/jdennis-keycloak-httpd-client-install.repo:
--------------------------------------------------------------------------------
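# Copr repo for keycloak-httpd-client-install (rhsso-saml-idp role copy).
# gpgcheck turned on: a gpgkey is already configured and the identical file
# under roles/common verifies signatures, so gpgcheck=0 here just skipped it.
[jdennis-keycloak-httpd-client-install]
name=Copr repo for keycloak-httpd-client-install owned by jdennis
baseurl=https://copr-be.cloud.fedoraproject.org/results/jdennis/keycloak-httpd-client-install/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/jdennis/keycloak-httpd-client-install/pubkey.gpg
enabled=1
enabled_metadata=1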
--------------------------------------------------------------------------------
/roles/keycloak-saml-idp/files/jdennis-keycloak-httpd-client-install.repo:
--------------------------------------------------------------------------------
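# Copr repo for keycloak-httpd-client-install (keycloak-saml-idp role copy).
# gpgcheck turned on: a gpgkey is already configured and the identical file
# under roles/common verifies signatures, so gpgcheck=0 here just skipped it.
[jdennis-keycloak-httpd-client-install]
name=Copr repo for keycloak-httpd-client-install owned by jdennis
baseurl=https://copr-be.cloud.fedoraproject.org/results/jdennis/keycloak-httpd-client-install/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/jdennis/keycloak-httpd-client-install/pubkey.gpg
enabled=1
enabled_metadata=1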
--------------------------------------------------------------------------------
/roles/provision/openstack/tasks/teardown_network.yml:
--------------------------------------------------------------------------------
---
# Tear down the per-user network in dependency order: router, then subnet,
# then the network itself. Same three steps as roles/netteardown.

- os_router:
    name: "{{ netname }}_router"
    cloud: "{{ cloudname }}"
    state: absent

- os_subnet:
    name: "{{ netname }}_subnet"
    network_name: "{{ netname }}_network"
    cloud: "{{ cloudname }}"
    state: absent

- os_network:
    name: "{{ netname }}_network"
    external: false
    cloud: "{{ cloudname }}"
    state: absent
--------------------------------------------------------------------------------
/playbooks/localvirt.yml:
--------------------------------------------------------------------------------
---
# Create a local "tower" VM under libvirt from a downloaded RHEL KVM image.
- name: Create Local RHEL VMs
  hosts: localhost
  vars:
    baseimage: rhel-server-7.5-update-1-x86_64-kvm.qcow2
  tasks:
    # The downloaded image is copied straight in as the VM's disk.
    - name: Ensure we have an image file
      copy:
        dest: /var/lib/libvirt/images/tower.qcow2
        src: "{{ ansible_env.HOME }}/Downloads/{{ baseimage }}"

    - name: start vm
      virt:
        uri: qemu:///system
        name: tower
        state: running
--------------------------------------------------------------------------------
/roles/packstack/templates/keystone-federation.conf.j2:
--------------------------------------------------------------------------------
# Apache snippet for the packstack Keystone: Kerberos (GSSAPI) login with
# SSSD-backed attribute lookup. Intended to be placed inside a Location
# block elsewhere (NOTE(review): no enclosing block is in this template).
AuthType GSSAPI
AuthName GSSAPI-SSO
GssapiCredStore keytab:/etc/httpd/conf/openstack.keytab
# Refuse GSSAPI auth over plain HTTP.
GssapiSSLonly On
Require valid-user
# Populate REMOTE_USER_EMAIL / REMOTE_USER_GROUPS from the identity lookup.
LookupUserAttr mail REMOTE_USER_EMAIL
LookupUserGroups REMOTE_USER_GROUPS ;

SetEnv IDP_ID SSSD
--------------------------------------------------------------------------------
/roles/provision/libvirt/templates/ifcfg-eth2.j2:
--------------------------------------------------------------------------------
# Rendered by the libvirt provisioning role. Static address on the
# 10.127.0.0/24 side, not brought up at boot (ONBOOT=no).
# NOTE(review): IPADDR is hard-coded to 10.127.0.2 here while the sibling
# ifcfg-eth1.j2 uses {{ static_ip_address }} — every host rendering this
# gets the same address; confirm that is intended.
# NOTE(review): UUID is a fixed value in a template, so every rendered host
# shares it; NetworkManager expects it to be unique per connection.
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=10.127.0.2
PREFIX=24
GATEWAY=10.127.0.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth2
DEVICE=eth2
ONBOOT=no
ZONE=public
DNS1=10.127.0.7
PEERDNS=no
UUID=c621d43c-8b8b-41f2-b1b5-2744680026f1
--------------------------------------------------------------------------------
/roles/provision/libvirt/templates/ifcfg-eth1.j2:
--------------------------------------------------------------------------------
# Rendered by the libvirt provisioning role. Static address from
# static_ip_address on the 10.127.0.0/24 side, brought up at boot.
# NOTE(review): UUID is a fixed value in a template, so every rendered host
# shares it; NetworkManager expects it to be unique per connection.
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR={{ static_ip_address }}
PREFIX=24
GATEWAY=10.127.0.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth1
DEVICE=eth1
ONBOOT=yes
ZONE=public
DNS1=10.127.0.7
PEERDNS=no
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
--------------------------------------------------------------------------------
/roles/websso/templates/websso.service.j2:
--------------------------------------------------------------------------------
# systemd unit for the websso JBoss instance; near-identical to the rhsso
# and keycloak units, differing in user, paths and the port offset.
[Unit]
Description=Jboss Application Server
After=network.target

[Service]
Type=idle
# 1 GiB initial / 20 GiB max heap. -XX:MaxPermSize has no effect on JDK 8+
# (PermGen was removed) and only produces a startup warning there.
Environment=JBOSS_HOME={{ rhsso_dir }} JBOSS_LOG_DIR={{ websso_log_dir }} "JAVA_OPTS=-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
User=websso
Group=websso
# HA profile; no socket port offset here, unlike the rhsso/keycloak units.
ExecStart={{ rhsso_dir }}/bin/standalone.sh -Djava.net.preferIPv4Stack=true -c standalone-ha.xml
TimeoutStartSec=600
TimeoutStopSec=600

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/rhsso/templates/rhsso.service.j2:
--------------------------------------------------------------------------------
# systemd unit for the RH-SSO JBoss instance; near-identical to the websso
# and keycloak units, differing in user, paths and the port offset.
[Unit]
Description=Jboss Application Server
After=network.target

[Service]
Type=idle
# 1 GiB initial / 20 GiB max heap. -XX:MaxPermSize has no effect on JDK 8+
# (PermGen was removed) and only produces a startup warning there.
Environment=JBOSS_HOME={{ rhsso_jboss_home }} JBOSS_LOG_DIR={{ rhsso_log_dir }} "JAVA_OPTS=-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
User=rhsso
Group=rhsso
# Port offset 100 shifts every socket binding (e.g. 8080 -> 8180).
ExecStart={{ rhsso_jboss_home }}/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -c standalone-ha.xml
TimeoutStartSec=600
TimeoutStopSec=600

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/tripleo/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the tripleo role (local libvirt undercloud bring-up).
host_name: passimian
cluster_domain: home.younglogic.net

# Base image copied from the local Downloads directory into libvirt's pool.
# NOTE(review): the /home/ayoung paths are one developer's machine; they
# should be overridden (or derived from ansible_env.HOME) by other users.
source_image_file: rhel-server-7.5-x86_64-kvm.qcow2
source_image_dir: /home/ayoung/Downloads
target_image_dir: /var/lib/libvirt/images

# SSH public key copied from the workstation, staged on the hypervisor,
# and installed as cloud-user's authorized_keys on the guest.
source_keystore_dir: /home/ayoung/.ssh
source_pubkey_file: id_rsa.pub
hypervisor_keystore_dir: /tmp
target_keystore_dir: /home/cloud-user/.ssh
target_pubkey_file: authorized_keys

# Provisioning NIC and the guest's fixed address on 10.127.0.0/24.
ethernet_device: em1
static_ip_address: 10.127.0.3
--------------------------------------------------------------------------------
/roles/update/tasks/main.yml:
--------------------------------------------------------------------------------
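---
# Bring every package up to date and reboot if anything changed.

- name: upgrade all packages
  yum:
    name: '*'
    state: latest
  register: rpms_updates

# Fire-and-forget reboot: async with poll 0 so the task returns before
# the SSH connection drops.
- name: Reboot immediately if there was a change.
  shell: "sleep 5 && reboot"
  async: 1
  poll: 0
  when: rpms_updates.changed

# The original condition tested "sshd_contents.changed", a variable nothing
# in this file registers, so this wait would fail as undefined (or never
# wait); it must follow the same condition as the reboot task.
- name: Wait for the reboot to complete if there was a change.
  wait_for_connection:
    connect_timeout: 20
    sleep: 5
    delay: 5
    timeout: 300
  when: rpms_updates.changed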
--------------------------------------------------------------------------------
/roles/packstack/templates/qpidd.acl.j2:
--------------------------------------------------------------------------------
# qpidd ACL rendered by the packstack role: each OpenStack service's Kerberos
# principal on this host, plus the realm admin, gets full access; everything
# else is denied by the final rule.
acl allow barbican/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow cinder/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow glance/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow keystone/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow neutron/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow nova/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow qpidd/{{ ansible_fqdn }}@{{ ipa_realm }} all all
acl allow admin@{{ ipa_realm }} all all
acl deny all all
--------------------------------------------------------------------------------
/roles/keycloak/templates/keycloak.service.j2:
--------------------------------------------------------------------------------
# systemd unit for the Keycloak JBoss instance; near-identical to the rhsso
# and websso units, differing in user, paths and the port offset.
[Unit]
Description=Jboss Application Server
After=network.target

[Service]
Type=idle
# 1 GiB initial / 20 GiB max heap. -XX:MaxPermSize has no effect on JDK 8+
# (PermGen was removed) and only produces a startup warning there.
Environment=JBOSS_HOME={{ keycloak_jboss_home }} JBOSS_LOG_DIR={{ keycloak_log_dir }} "JAVA_OPTS=-Xms1024m -Xmx20480m -XX:MaxPermSize=768m"
User=keycloak
Group=keycloak
# Port offset 100 shifts every socket binding (e.g. 8080 -> 8180).
ExecStart={{ keycloak_jboss_home }}/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -c standalone-ha.xml
TimeoutStartSec=600
TimeoutStopSec=600

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/roles/tripleo/templates/ipmi.json.j2:
--------------------------------------------------------------------------------
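[
  {
    "description": "Set default IPMI credentials",
    "conditions": [
      {"op": "eq", "field": "data://auto_discovered", "value": true}
    ],
    "actions": [
      {"action": "set-attribute", "path": "driver_info/ipmi_username",
       "value": "root"},
      {"action": "set-attribute", "path": "driver_info/ipmi_password",
       "value": "{{ password }}"}
    ]
  }
]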
--------------------------------------------------------------------------------
/roles/keyfed/vars/main.yml:
--------------------------------------------------------------------------------
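---
# Role-private vars for keyfed.

openstack_api_versions:
  # The original wrote \"identity\": 3, which YAML reads as the literal key
  # '\"identity\"' (backslashes are not escapes in a plain scalar).
  # NOTE(review): assumed unintended — confirm the consumer expects "identity".
  identity: 3

# Environment for the OpenStack CLI against the overcloud. Values are quoted
# so they reach the process as the exact strings shown (a bare True/1.1/3
# would be typed by YAML first and then stringified).
os_env:
  OS_NO_CACHE: "True"
  OS_CLOUDNAME: overcloud
  OS_AUTH_URL: http://10.45.2.8/identity/main
  NOVA_VERSION: "1.1"
  COMPUTE_API_VERSION: "1.1"
  OS_USERNAME: admin
  # The admin password used to be committed here in clear text. Supply it
  # out of band (ansible-vault, --extra-vars, an encrypted group_vars file);
  # the old value should be treated as exposed and rotated.
  OS_PASSWORD: "{{ keyfed_os_password }}"
  PYTHONWARNINGS: "ignore:Certificate has no, ignore:A true SSLContext object is not available"
  OS_PROJECT_NAME: admin
  OS_PROJECT_DOMAIN_ID: default
  OS_USER_DOMAIN_ID: default
  OS_IDENTITY_API_VERSION: "3"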
--------------------------------------------------------------------------------
/roles/tripleo/files/container_prep.sh:
--------------------------------------------------------------------------------
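# Pull the RHOSP 13 container images and push them to the local registry,
# then upload the generated image list. Run on the undercloud as "stack".
export REGISTRY_IP=10.127.0.3

# The push destination previously read $REGSITRY_IP (typo), which expanded
# to nothing and produced a destination of ":8787".
sudo openstack overcloud container image prepare \
    --namespace=registry.access.redhat.com/rhosp13 \
    --push-destination="${REGISTRY_IP}:8787" \
    --prefix=openstack- \
    --tag-from-label {version}-{release} \
    --output-env-file=/home/stack/templates/overcloud_images.yaml \
    --output-images-file /home/stack/local_registry_images.yaml

sudo openstack overcloud container image upload \
    --config-file /home/stack/local_registry_images.yaml \
    --verbose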
--------------------------------------------------------------------------------
/playbooks/packstack.yml:
--------------------------------------------------------------------------------
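---
# First play has no tasks: presumably only there to gather facts for "ipa"
# under any --tags selection (NOTE(review): confirm that intent).
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

# Full packstack deployment; the staticnetwork and nova-ipa roles only run
# when ipa_nova_join is defined.
- hosts: openstack
  # become replaces the deprecated "sudo: yes" play keyword.
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - openstack
  roles:
    - common
    - { role: staticnetwork, when: ipa_nova_join is defined }
    - ipaclient
    - packstack
    - { role: nova-ipa, when: ipa_nova_join is defined }
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    # Jinja spacing normalised to match the other playbooks in this repo.
    ipa_admin_password: "{{ ipa_admin_user_password }}"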
--------------------------------------------------------------------------------
/roles/satelliteserver/files/satellite.repo:
--------------------------------------------------------------------------------
# Internal Satellite 6.0.4 / RHSCL 2.0 mirrors for the satelliteserver role.
# All three sections fetch over plain http with gpgcheck=0: neither transport
# nor package signatures are verified, so trust rests entirely on the network
# path to download.devel.redhat.com.
[satellite]
name=Satellite
baseurl=http://download.devel.redhat.com/released/RHEL-7-Satellite/6.0.4/Satellite/$basearch/os/
enabled=1
gpgcheck=0

[scl]
name=RHSCL
baseurl=http://download.devel.redhat.com/released/RHSCL/2.0/RHEL-7/Server/$basearch/os/
enabled=1
gpgcheck=0

# Nightly compose rather than a released tree, unlike the other two.
[rhel-satellite-server-optional]
name=RHEL Satellite 7.2 Server Optional
baseurl=http://download.devel.redhat.com/nightly/latest-RHEL-7/compose/Server-optional/$basearch/os/
gpgcheck=0
enabled=1
--------------------------------------------------------------------------------
/roles/provision/openstack/tasks/oce.yml:
--------------------------------------------------------------------------------
---
# One 40 GB volume per entry in cluster_volumes, attached as /dev/vdb on
# the matching server.

- name: create openshift var volume
  os_volume:
    display_name: "{{ item.volume_name }}"
    size: 40
    cloud: "{{ cloudname }}"
  with_items: "{{ cluster_volumes }}"
  # With a loop, the registered variable holds one result per item.
  register: openshift_var_volume

- name: attach var volume to OCE Master
  os_server_volume:
    server: "{{ item.server_name }}.{{ clustername }}"
    volume: "{{ item.volume_name }}"
    device: /dev/vdb
    cloud: "{{ cloudname }}"
    state: present
  with_items: "{{ cluster_volumes }}"
--------------------------------------------------------------------------------
/roles/nova-ipa/files/setup-ipa-client.sh:
--------------------------------------------------------------------------------
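#!/bin/sh
# Runs from cloud-init on a fresh guest: fetch the one-time enrolment
# password from Nova metadata (meta.ipaotp) and join the host to IPA.

# get OTP — the metadata service may not be answering yet, so retry for
# up to 60 seconds.
ii=60
while [ $ii -gt 0 ] ; do
    otp=`curl -s http://169.254.169.254/openstack/latest/meta_data.json | python -c 'import json; import sys; obj = json.load(sys.stdin); print "%s\n" % obj["meta"]["ipaotp"]'`
    if [ -n "$otp" ] ; then
        break
    fi
    sleep 1
    ii=`expr $ii - 1`
done

if [ -z "$otp" ] ; then
    echo Error: could not get IPA OTP after 60 seconds - exiting
    exit 1
fi

# run ipa-client-install unattended (-U) with the OTP as the enrolment
# password; quoted so an OTP with shell metacharacters is passed intact.
ipa-client-install -U -w "$otp"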
--------------------------------------------------------------------------------
/roles/packstack/tasks/packstack.yml:
--------------------------------------------------------------------------------
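---
# Install packstack, render the answer file and run it once the answers
# change. Module args are YAML mappings rather than "key=value" strings.

- name: Install packstack
  yum:
    name: openstack-packstack
    state: present
    update_cache: true

- name: Copy answer file
  template:
    src: answers.txt.j2
    dest: /answers.txt
  register: answers

- name: Run packstack
  command: "packstack --answer-file /answers.txt"
  when: answers.changed
  # Kept from the original: a packstack failure does not stop the play.
  # NOTE(review): this hides real deployment errors — consider a
  # failed_when on the output instead.
  ignore_errors: true

# Later templates in this role bind TLS themselves; drop the stock listener.
- name: remove ssl from ports
  lineinfile:
    dest: /etc/httpd/conf/ports.conf
    state: absent
    line: "Listen 443"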
--------------------------------------------------------------------------------
/roles/packstack/files/RH7-RHOS-7.0.repo:
--------------------------------------------------------------------------------
# Internal RHOS 7.0 (RHEL 7) release-engineering tree for the packstack role.
# All sections fetch over plain http with gpgcheck=0: neither transport nor
# package signatures are verified.
[RH7-RHOS-7.0]
name=RH7-RHOS-7.0
baseurl=http://download.devel.redhat.com/rel-eng/OpenStack/7.0-RHEL-7/latest/RH7-RHOS-7.0/$basearch/os
gpgcheck=0
enabled=1

[RH7-RHOS-7.0-debug]
name=RH7-RHOS-7.0 Debuginfo
baseurl=http://download.devel.redhat.com/rel-eng/OpenStack/7.0-RHEL-7/latest/RH7-RHOS-7.0/$basearch/debuginfo
gpgcheck=0
enabled=0

[RH7-RHOS-7.0-sources]
name=RH7-RHOS-7.0 Sources
baseurl=http://download.devel.redhat.com/rel-eng/OpenStack/7.0-RHEL-7/latest/RH7-RHOS-7.0/source
gpgcheck=0
enabled=0
--------------------------------------------------------------------------------
/roles/packstack/files/RH7-RHOS-8.0.repo:
--------------------------------------------------------------------------------
# Internal RHOS 8.0 (RHEL 7) tree, pinned to the 2016-04-11.1 compose rather
# than "latest" as the 7.0 file does. All sections fetch over plain http with
# gpgcheck=0: neither transport nor package signatures are verified.
[RH7-RHOS-8.0]
name=RH7-RHOS-8.0
baseurl=http://download.devel.redhat.com/rel-eng/OpenStack/8.0-RHEL-7/2016-04-11.1/RH7-RHOS-8.0/$basearch/os
gpgcheck=0
enabled=1

[RH7-RHOS-8.0-debug]
name=RH7-RHOS-8.0 Debuginfo
baseurl=http://download.devel.redhat.com/rel-eng/OpenStack/8.0-RHEL-7/2016-04-11.1/RH7-RHOS-8.0/$basearch/debuginfo
gpgcheck=0
enabled=0

[RH7-RHOS-8.0-sources]
name=RH7-RHOS-8.0 Sources
baseurl=http://download.devel.redhat.com/rel-eng/OpenStack/8.0-RHEL-7/2016-04-11.1/RH7-RHOS-8.0/source
gpgcheck=0
enabled=0
--------------------------------------------------------------------------------
/roles/netteardown/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Tear down the per-user network (router, subnet, network — same steps as
# provision/openstack/tasks/teardown_network.yml) and then its security group.

- os_router:
    name: "{{ netname }}_router"
    cloud: "{{ cloudname }}"
    state: absent

- os_subnet:
    name: "{{ netname }}_subnet"
    network_name: "{{ netname }}_network"
    cloud: "{{ cloudname }}"
    state: absent

- os_network:
    name: "{{ netname }}_network"
    external: false
    cloud: "{{ cloudname }}"
    state: absent

- os_security_group:
    name: "{{ securitygroupname }}"
    # Carried over from the create side; not meaningful for state=absent.
    description: security group for foo servers
    cloud: "{{ cloudname }}"
    state: absent
--------------------------------------------------------------------------------
/roles/rhsso-saml-idp/vars/main.yml:
--------------------------------------------------------------------------------
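---
# Variables for the RH-SSO SAML identity-provider wiring on the openstack host.

# Fixed: the key was written as \"identity\" (literal backslashes inside a
# plain scalar), which YAML keeps verbatim — presumably an escaping slip from
# a JSON snippet; confirm that whatever reads openstack_api_versions expects
# the key "identity".
openstack_api_versions:
  "identity": 3

# RH-SSO master-realm admin credentials (password reused from the IPA admin).
# NOTE(review): "admim" differs from the "admin" in roles/rhsso/vars/main.yml
# — looks like a typo, left as written; confirm which value the role uses.
rhsso_master_admin_username: admim
rhsso_master_admin_password: "{{ ipa_admin_user_password }}"

# Environment for `openstack` CLI tasks. Every value is a quoted string so
# the exported text is exactly what is written here (True/1.1/3 would be
# parsed as bool/float/int and depend on Ansible's str() coercion).
# The duplicated OS_USERNAME key is removed (both copies said "admin").
os_env:
  OS_AUTH_TYPE: v3password
  OS_AUTH_URL: "https://openstack.{{ ipa_domain }}:5000/v3"
  OS_USERNAME: admin
  OS_PROJECT_NAME: admin
  # NOTE(review): hard-coded admin password (matches keystone_admin_password
  # in roles/packstack/defaults/main.yml); move both to a vaulted variable.
  OS_PASSWORD: password
  OS_USER_DOMAIN_ID: default
  OS_PROJECT_DOMAIN_ID: default
  OS_IDENTITY_API_VERSION: "3"
  OS_NO_CACHE: "True"
  OS_CLOUDNAME: overcloud
  NOVA_VERSION: "1.1"
  COMPUTE_API_VERSION: "1.1"
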
--------------------------------------------------------------------------------
/roles/keycloak-saml-idp/vars/main.yml:
--------------------------------------------------------------------------------
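---
# Variables for the Keycloak SAML identity-provider wiring on the openstack host.

# Fixed: the key was written as \"identity\" (literal backslashes inside a
# plain scalar), which YAML keeps verbatim — presumably an escaping slip from
# a JSON snippet; confirm that whatever reads openstack_api_versions expects
# the key "identity".
openstack_api_versions:
  "identity": 3

# Keycloak master-realm admin credentials (password reused from the IPA admin).
# NOTE(review): "admim" differs from the "admin" in roles/keycloak/vars/main.yml
# — looks like a typo, left as written; confirm which value the role uses.
keycloak_master_admin_username: admim
keycloak_master_admin_password: "{{ ipa_admin_user_password }}"

# Environment for `openstack` CLI tasks. Every value is a quoted string so
# the exported text is exactly what is written here (True/1.1/3 would be
# parsed as bool/float/int and depend on Ansible's str() coercion).
# The duplicated OS_USERNAME key is removed (both copies said "admin").
os_env:
  OS_AUTH_TYPE: v3password
  OS_AUTH_URL: "https://openstack.{{ ipa_domain }}:5000/v3"
  OS_USERNAME: admin
  OS_PROJECT_NAME: admin
  # NOTE(review): hard-coded admin password (matches keystone_admin_password
  # in roles/packstack/defaults/main.yml); move both to a vaulted variable.
  OS_PASSWORD: password
  OS_USER_DOMAIN_ID: default
  OS_PROJECT_DOMAIN_ID: default
  OS_IDENTITY_API_VERSION: "3"
  OS_NO_CACHE: "True"
  OS_CLOUDNAME: overcloud
  NOVA_VERSION: "1.1"
  COMPUTE_API_VERSION: "1.1"
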
--------------------------------------------------------------------------------
/roles/packstack/tasks/infopipe.yml:
--------------------------------------------------------------------------------
---
# Enables the SSSD InfoPipe (ifp) D-Bus responder so that local processes
# running as the listed UIDs can query user attributes.

- name: install sssd dbus
  yum: name=sssd-dbus state=installed

# Rewrites the whole [sssd] services list; any responder added locally that
# is not in this string would be dropped.
- name: Infopipe for SSSD
  ini_file: dest=/etc/sssd/sssd.conf
            section=sssd
            option=services
            value="nss, sudo, pam, ssh, ifp"
  notify:
    - restart sssd

# [ifp] section: which UIDs may talk to the responder and which extra
# attributes it exposes. NOTE(review): "+ui" looks truncated (possibly
# "+uid") — confirm against the attribute the consumer actually needs.
- name: Infopipe users
  ini_file: dest=/etc/sssd/sssd.conf
            section=ifp
            option={{ item.key }}
            value={{ item.value }}
  with_dict:
    allowed_uids: "apache,root"
    user_attributes: "+givenname,+sn,+ui"
  notify:
    - restart sssd

--------------------------------------------------------------------------------
/roles/packstack/templates/qpidd.conf.j2:
--------------------------------------------------------------------------------
# Configuration file for qpidd. Entries are of the form:
# name=value
#
# (Note: no spaces on either side of '='). Using default settings:
# "qpidd --help" or "man qpidd" for more details.
port=5672
max-connections=65530
worker-threads=17
connection-backlog=10
# Authentication is required for every connection; the realm is rendered
# from the IPA Kerberos realm.
auth=yes
realm={{ ipa_realm }}
data-dir=/var/lib/qpidd

# Presumably the Kerberos service name the broker authenticates as (amqp/...).
sasl-service-name=amqp

queue-patterns=exclusive
queue-patterns=unicast
topic-patterns=broadcast

# NOTE(review): the log is written to world-writable /tmp rather than a
# dedicated log directory; together with the trace-level Security/Protocol
# logging below this looks like a debugging setup — confirm it is not meant
# for a long-lived broker.
log-to-file=/tmp/qpidd.log

# Trace logging for the security (SASL) and protocol layers, info and above
# for everything else.
log-enable=trace+:Protocol
log-enable=trace+:Security
log-enable=info+

--------------------------------------------------------------------------------
/roles/packstack/templates/fed-accrc.j2:
--------------------------------------------------------------------------------
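# Shell environment for federated (SAML via Ipsilon) access to Keystone.
# Source this file; it prompts for IPA credentials only when OS_USERNAME /
# OS_PASSWORD are not already set in the environment.
export OS_AUTH_TYPE=v3unscopedsaml
export OS_AUTH_URL=https://openstack.{{ ipa_domain }}:5000/v3
export OS_IDENTITY_PROVIDER=ipsilon
export OS_IDENTITY_PROVIDER_URL=https://ipa.{{ ipa_domain }}/idp/saml2/SSO/SOAP
export OS_PROTOCOL=saml2
export OS_PROJECT_NAME=demo
export OS_PROJECT_DOMAIN_ID=default
export OS_IDENTITY_API_VERSION=3

# ${VAR:-} keeps the test valid when the sourcing shell runs with `set -u`
# (an unset variable would otherwise abort the prompt); printf replaces the
# non-portable `echo -n`.
if [ -z "${OS_USERNAME:-}" ]; then
    printf '%s' "IPA Username: "
    read -r OS_USERNAME
    export OS_USERNAME
fi

# -s suppresses terminal echo so the password is not shown or left in the
# scrollback; the trailing echo restores the newline the silent read ate.
if [ -z "${OS_PASSWORD:-}" ]; then
    printf '%s' "IPA Password: "
    read -sr OS_PASSWORD
    export OS_PASSWORD
    echo
fi
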
--------------------------------------------------------------------------------
/roles/packstack/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the packstack role. NOTE(review): every secret below is a
# predictable placeholder (the service's own name, "password", "ADMIN"); these
# are role defaults and should be overridden from a vaulted vars file on any
# host that is not a throw-away lab box.
cinder_password: cinder
cinder_db_password: cinder

glance_password: glance
glance_db_password: glance

# Presumably the Keystone bootstrap admin token; "ADMIN" is the sample value.
admin_token: ADMIN
keystone_db_password: keystone

nova_password: nova
nova_db_password: nova

neutron_password: neutron
neutron_db_password: neutron

keystone_admin_password: password
keystone_demo_password: password

# TLS material for the httpd vhosts.
ssl_certs_dir: /etc/httpd/conf
ssl_cert: "{{ ssl_certs_dir }}/server.crt"
ssl_key: "{{ ssl_certs_dir }}/server.key"

# Presumably the combined cert+key PEM that haproxy reads.
haproxy_certs: /etc/haproxy/cert.pem

# Kerberos keytab used by httpd.
keytab: /etc/httpd/conf/openstack.keytab

packstack_dir: /packstack

--------------------------------------------------------------------------------
/roles/nova-ipa/templates/ipaclient.conf:
--------------------------------------------------------------------------------
[DEFAULT]

# Kerberos credentials nova uses to call the IPA JSON-RPC API.
# NOTE(review): the keytab should be readable only by the nova service user.
keytab = /etc/nova/ipauser.keytab
service_name = HTTP@ipa.{{ ipa_domain }}
url = https://ipa.{{ ipa_domain }}/ipa/json
# IPA CA used to verify the IPA server certificate; keep it pinned here
# rather than falling back to the system trust bundle.
cacert = /etc/ipa/ca.crt
connect_retries = 1
json_rpc_version = 2.147
# Files pushed into new instances; the first entry appears to be
# "<local path> <target path in guest>", the rest keep their local path.
inject_files = /etc/nova/setup-ipa-client.sh /tmp/setup-ipa-client.sh
inject_files = /etc/ipa/ca.crt
inject_files = /etc/yum.repos.d/rhel-server.repo
#inject_files = /etc/yum.repos.d/rhel-server-optional.repo
# inject_files = /etc/yum.repos.d/rhel7.repo
# inject_files = /etc/yum.repos.d/rhel7_optional.repo
# inject_files = /etc/yum.repos.d/rhel7_debuginfo.repo
# inject_files = /etc/yum.repos.d/rhel7_optional_debug.repo

--------------------------------------------------------------------------------
/playbooks/testcred.yml:
--------------------------------------------------------------------------------
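---
# Sanity-check playbook for OpenStack client credentials: loads the clouds
# file named by $OS_CLIENT_CONFIG_FILE (if it exists) and lists the servers
# visible through cloud "{{ cloudname }}".
- hosts: localhost
  gather_facts: false
  vars:
    config_file: "{{ lookup('env', 'OS_CLIENT_CONFIG_FILE') }}"
  tasks:
    - debug: msg="{{ config_file }}"
    - stat: path="{{ config_file }}"
      register: st
    # Only load the file when the env var points at a regular file; an
    # unset variable yields "" and include_vars would fail on it.
    - include_vars: "{{ config_file }}"
      when: st.stat.exists and st.stat.isreg

    # NOTE(review): this prints the full clouds mapping, passwords included,
    # into the Ansible output/log — fine for an interactive check, keep it
    # out of CI logs.
    - name: "Print out clouds variable"
      debug: msg="{{ clouds|default('No clouds found') }}"

    # Fixed: the task name referred to nova_instance_state, which this
    # playbook never sets or uses; the task only gathers server facts.
    - name: "Gather server facts for cloud {{ cloudname }}"
      local_action:
        module: os_server_facts
        cloud: "{{ cloudname }}"

    - name: list server facts
      debug: msg="{{ openstack_servers }}"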
--------------------------------------------------------------------------------
/roles/provision/libvirt/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for provisioning guests on a libvirt hypervisor. Override from the
# inventory or group vars; the values below describe a single-host lab.

# Hypervisor hosts that carry guests.
cluster_hosts:
  - name: passimian

# One macvtap network per (host, physical device) pair.
macvtap_networks:
  - cluster_host: passimian
    device: em1
  - cluster_host: passimian
    device: em2

cluster_domain: home.younglogic.net

# Guest base image and where the libvirt image pool keeps its copies.
source_image_file: rhel-server-7.5-x86_64-kvm.qcow2
source_image_dir: /home/ayoung/Downloads
target_image_dir: /var/lib/libvirt/images

# SSH public key plumbing. The names suggest the key is read from
# source_keystore_dir, staged on the hypervisor in hypervisor_keystore_dir and
# written into the guest user's authorized_keys — confirm in the tasks file.
# NOTE(review): the staging directory is /tmp, which every local user on the
# hypervisor can write to; presumably a lab shortcut.
source_keystore_dir: /home/ayoung/.ssh
source_pubkey_file: id_rsa.pub
hypervisor_keystore_dir: /tmp
target_keystore_dir: /home/cloud-user/.ssh
target_pubkey_file: authorized_keys

# Physical NICs on the hypervisor and the guest's fixed address.
ethernet_device_1: em1
ethernet_device_2: em2
static_ip_address: 10.127.0.3

--------------------------------------------------------------------------------
/roles/mariadb-kerberos/tasks/maria-prep.yml:
--------------------------------------------------------------------------------
---
# Installs the GSSAPI-enabled MariaDB Galera packages from a custom repo.

# NOTE(review): the .repo file is copied as-is; whether it enables gpgcheck
# cannot be seen from here — check it before trusting the packages it serves.
- name: install GSSAPI enabled Maria repo
  copy: src={{ item }}
        dest=/etc/yum.repos.d/{{ item }}
  with_items:
    - rharwood-galera-maria.repo


# /etc/my.cnf was owned by mariadb-libs before
# but now is owned by mariadb-config.
# Upgrading them separately avoids a collision and
# failure.
- name: preinstall Kerberized maridb libs
  yum: name={{ item }} state=latest
  with_items:
    - mariadb-libs

- name: preinstall Kerberized maridb
  yum: name={{ item }} state=latest
  with_items:
    - mariadb-galera-server
    - mariadb-config
    - mariadb
    - mariadb-errmsg
    - mariadb-common

--------------------------------------------------------------------------------
/roles/rhsso/vars/main.yml:
--------------------------------------------------------------------------------
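---
# Variables for installing RH-SSO 7.0 from an internal candidate build.
rhsso_version: 7.0.0
rhsso_dir: /var/lib/rhsso
rhsso_archive: rh-sso-{{ rhsso_version }}.CR2.zip
# NOTE(review): plain-http download and no checksum is recorded here, so
# anything on the network path could substitute the archive — pin a checksum
# in the download task if the fetch does not verify one already.
rhsso_url: http://download.lab.bos.redhat.com/devel/candidates/jboss/sso/JBSSO-{{ rhsso_version }}.CR2/{{ rhsso_archive }}
rhsso_jboss_home: "{{ rhsso_dir }}/rh-sso-7.0"
rhsso_log_dir: "{{ rhsso_jboss_home }}/standalone/log"
rhsso_config_dir: "{{ rhsso_jboss_home }}/standalone/configuration"

# Ports the server binds; rhsso_port_offset is presumably the JBoss
# socket-binding offset — confirm against the standalone config template.
rhsso_port_offset: 100
rhsso_http_port: 8180
rhsso_https_port: 8443
rhsso_ajp_port: 8009
rhsso_http_management_port: 9990
rhsso_https_management_port: 9993

# Master-realm admin, defined once (the username key was duplicated before;
# both copies said "admin").
rhsso_master_admin_username: admin
rhsso_master_admin_password: "{{ ipa_admin_user_password }}"
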
--------------------------------------------------------------------------------
/playbooks/downstream.yml:
--------------------------------------------------------------------------------
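---
# Downstream (RH-SSO) variant of site.yml: IPA server plus RH-SSO on the ipa
# host, packstack plus the RH-SSO SAML IdP wiring on the openstack host.

# No tasks; presumably present only for fact gathering / a connectivity check.
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

# Replaced the deprecated `sudo: yes` with `become: true` (same effect; the
# form playbooks/R.yaml in this repo already uses).
- hosts: ipa
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - common
    - ipaserver
    - rhsso
  vars:
    hostname: "{{ ansible_fqdn }}"
    ipa_admin_password: "{{ ipa_admin_user_password }}"


- hosts: openstack
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - openstack
  roles:
    - common
    - ipaclient
    - packstack
    - rhsso-saml-idp
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    ipa_admin_password: "{{ipa_admin_user_password }}"
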
--------------------------------------------------------------------------------
/playbooks/site.yml:
--------------------------------------------------------------------------------
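---
# Main site playbook: IPA server plus Keycloak on the ipa host, packstack
# plus the Keycloak SAML IdP wiring on the openstack host.

# No tasks; presumably present only for fact gathering / a connectivity check.
- hosts: ipa
  remote_user: "{{ cloud_user }}"
  tags: all
  tasks: []

# Replaced the deprecated `sudo: yes` with `become: true` (same effect; the
# form playbooks/R.yaml in this repo already uses).
- hosts: ipa
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - ipa
  roles:
    - common
    - ipaserver
    - keycloak
  vars:
    hostname: "{{ ansible_fqdn }}"
    ipa_admin_password: "{{ ipa_admin_user_password }}"


- hosts: openstack
  become: true
  remote_user: "{{ cloud_user }}"
  tags:
    - openstack
  roles:
    - common
    - ipaclient
    - packstack
    - keycloak-saml-idp
  vars:
    hostname: "{{ ansible_fqdn }}"
    dns_search: "{{ ipa_domain }}"
    ipa_admin_password: "{{ipa_admin_user_password }}"
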
--------------------------------------------------------------------------------
/roles/rhsso-saml-idp/files/mapping_rhsso_saml2.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "local": [
4 | {
5 | "user": {
6 | "name": "{0}",
7 | "domain": {"name": "Default"}
8 | }
9 | }
10 | ],
11 | "remote": [
12 | {
13 | "type": "MELLON_NAME_ID"
14 | }
15 | ]
16 | },
17 | {
18 | "local": [
19 | {
20 | "groups": "demo",
21 | "domain": {
22 | "name": "Default"
23 | }
24 | }
25 | ],
26 | "remote": [
27 | {
28 | "type": "MELLON_NAME_ID"
29 | }
30 | ]
31 | }
32 | ]
33 |
--------------------------------------------------------------------------------
/roles/keycloak-saml-idp/files/mapping_keycloak_saml2.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "local": [
4 | {
5 | "user": {
6 | "name": "{0}",
7 | "domain": {"name": "Default"}
8 | }
9 | }
10 | ],
11 | "remote": [
12 | {
13 | "type": "MELLON_NAME_ID"
14 | }
15 | ]
16 | },
17 | {
18 | "local": [
19 | {
20 | "groups": "demo",
21 | "domain": {
22 | "name": "Default"
23 | }
24 | }
25 | ],
26 | "remote": [
27 | {
28 | "type": "MELLON_NAME_ID"
29 | }
30 | ]
31 | }
32 | ]
33 |
--------------------------------------------------------------------------------
/roles/common/files/public_keys/work.pub:
--------------------------------------------------------------------------------
1 | ssh-rsa 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 New RSA key generated on Wed Aug 20 20:03:13 MDT 2008
2 |
--------------------------------------------------------------------------------
/roles/rhv/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs the RHV 4.1 Manager (rhevm) on a subscribed RHEL 7 host and runs
# engine-setup from a templated answer file.

# Disable every repo, then enable only the RHV manager channels.
- shell: "{{ item }}"
  with_items:
    - subscription-manager repos --disable='*'
    - >
      subscription-manager repos
      --enable="rhel-7-server-rpms"
      --enable="rhel-7-server-supplementary-rpms"
      --enable="rhel-7-server-rhv-4.1-manager-rpms"
      --enable="rhel-7-server-rhv-4-manager-tools-rpms"
      --enable="jb-eap-7-for-rhel-7-server-rpms"

- name: upgrade all packages
  yum:
    name: '*'
    state: latest


- name: install rhevm package
  yum:
    name: rhevm
    state: latest

# NOTE(review): no mode is set, so the answer file gets the default
# (typically 0644) at /; if the template carries the engine admin password,
# add mode: "0600" here.
- name: copy answer file
  template:
    src: answers.txt.j2
    dest: /answers.txt

# Not guarded by creates/changed_when, so engine-setup re-runs on every play.
- name: engine-setup
  command: engine-setup --config=/answers.txt
--------------------------------------------------------------------------------
/roles/keycloak/vars/main.yml:
--------------------------------------------------------------------------------
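---
# Variables for installing upstream Keycloak from the JBoss download site.
keycloak_version: 1.9.4.Final
keycloak_dir: /var/lib/keycloak
keycloak_archive: keycloak-{{ keycloak_version }}.tar.gz
# NOTE(review): plain-http download and no checksum is recorded here, so
# anything on the network path could substitute the archive — pin a checksum
# in the download task if the fetch does not verify one already.
keycloak_url: http://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{keycloak_archive }}
keycloak_jboss_home: "{{ keycloak_dir }}/keycloak-{{ keycloak_version }}"
keycloak_log_dir: "{{ keycloak_jboss_home }}/standalone/log"
keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration"

# Ports the server binds; keycloak_port_offset is presumably the JBoss
# socket-binding offset — confirm against the standalone config template.
keycloak_port_offset: 100
keycloak_http_port: 8180
keycloak_https_port: 8443
keycloak_ajp_port: 8009
keycloak_http_management_port: 9990
keycloak_https_management_port: 9993

# Master-realm admin, defined once (the username key was duplicated before;
# both copies said "admin").
keycloak_master_admin_username: admin
keycloak_master_admin_password: "{{ ipa_admin_user_password }}"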
--------------------------------------------------------------------------------
/roles/keyfed/files/mapping_ipsilon_saml2.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "local": [
4 | {
5 | "user": {
6 | "name": "{0}",
7 | "domain": {"name": "Default"}
8 | }
9 | }
10 | ],
11 | "remote": [
12 | {
13 | "type": "MELLON_NAME_ID"
14 | }
15 | ]
16 | },
17 |
18 | {
19 | "local": [
20 | {
21 | "groups": "{0}",
22 | "domain": {
23 | "name": "Default"
24 | }
25 | }
26 | ],
27 | "remote": [
28 | {
29 | "type": "MELLON_groups",
30 | "whitelist": ["ipausers", "admins"]
31 | }
32 | ]
33 | }
34 | ]
35 |
--------------------------------------------------------------------------------
/roles/packstack/files/mapping_ipsilon_saml2.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "local": [
4 | {
5 | "user": {
6 | "name": "{0}",
7 | "domain": {"name": "Default"}
8 | }
9 | }
10 | ],
11 | "remote": [
12 | {
13 | "type": "MELLON_NAME_ID"
14 | }
15 | ]
16 | },
17 |
18 | {
19 | "local": [
20 | {
21 | "groups": "{0}",
22 | "domain": {
23 | "name": "Default"
24 | }
25 | }
26 | ],
27 | "remote": [
28 | {
29 | "type": "MELLON_groups",
30 | "whitelist": ["ipausers", "admins"]
31 | }
32 | ]
33 | }
34 | ]
35 |
--------------------------------------------------------------------------------
/roles/firewalld/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Replaces iptables with firewalld and opens the OpenStack API/service ports.

- name: Uninstall iptables
  yum: name=iptables state=absent

- name: Install firewalld
  yum: name=firewalld
       state=installed

- name: start firewalld
  service: name=firewalld
           state=started
           enabled=yes

- name: Open Firewall for services
  firewalld: service={{ item }} permanent=true state=enabled immediate=true
  with_items:
    - http
    - https

# Ports opened by number. NOTE(review): by OpenStack convention 35357
# (keystone admin), 9191 (glance registry), 5672 (AMQP) and 8775 (nova
# metadata) are backend/admin endpoints — presumably exposed on purpose for a
# single-box lab; confirm before reusing this role on a multi-host deployment.
- name: Open Firewall for ports
  firewalld: port={{ item }} permanent=true state=enabled immediate=true
  with_items:
    - 5000/tcp
    - 35357/tcp
    - 8773/tcp
    - 8774/tcp
    - 8775/tcp
    - 3333/tcp
    - 6080/tcp
    - 8776/tcp
    - 9191/tcp
    - 9292/tcp
    - 5672/tcp

--------------------------------------------------------------------------------
/roles/websso/vars/main.yml:
--------------------------------------------------------------------------------
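---
# Variables for the RH-SSO 7 (rh-sso7 software collection) web-SSO host.
rhsso_dir: /opt/rh/rh-sso7/root/usr/share/keycloak

# Master-realm admin, defined once (the username key was duplicated before;
# both copies said "admin").
websso_master_admin_username: admin
websso_master_admin_password: "{{ ipa_admin_user_password }}"

websso_http_port: 80
websso_https_port: 443
websso_http_management_port: 9990
websso_https_management_port: 9993

# NOTE(review): the management ports (9990/9993) are opened together with the
# service ports, so the JBoss management interface is reachable from wherever
# the firewall allows — confirm that is intended.
websso_firewall_ports:
  - "{{ websso_http_port }}"
  - "{{ websso_https_port }}"
  - "{{ websso_http_management_port }}"
  - "{{ websso_https_management_port }}"

ssl_cert: /etc/pki/tls/certs/rhsso-cert.pem
ssl_key: /etc/pki/tls/private/rhsso-key.pem
# Fixed: the value was sso@"{{ ipa_realm | lower }}", a plain scalar whose
# double quotes are kept literally, so it rendered as sso@"<realm>". The
# quotes now wrap the whole scalar. Confirm the consumer expects sso@<realm>.
remote_hostname: "sso@{{ ipa_realm | lower }}"
websso_pkcs12: /etc/pki/tls/rhsso.p12
websso_keystore: /etc/opt/rh/rh-sso7/keycloak/standalone/keycloak.jks
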
--------------------------------------------------------------------------------
/roles/cfme/tasks/teardown.yml:
--------------------------------------------------------------------------------
---
# Removes the CFME appliance "cfme.{{ clustername }}": its ssh_config
# entries, the server itself, and its two volumes.

- os_server_facts:
    cloud: "{{ cloudname }}"
    server: "cfme.{{ clustername }}"
  register: cfme_server

# Strip the Hostname line(s) for the appliance's address (presumably added by
# the provision role). The Host line below is matched verbatim, including the
# literal double quotes it was written with.
- lineinfile:
    path: "{{ ssh_config_path }}"
    line: " Hostname {{ item.interface_ip }}"
    state: absent
  with_items: "{{ cfme_server.ansible_facts.openstack_servers }}"

- lineinfile:
    path: "{{ ssh_config_path }}"
    line: Host "cfme.{{ clustername }}"
    state: absent

- os_server:
    cloud: "{{ cloudname }}"
    state: absent
    name: "cfme.{{ clustername }}"

- os_volume:
    cloud: "{{ cloudname }}"
    display_name: cfme_volume
    state: absent

- os_volume:
    cloud: "{{ cloudname }}"
    display_name: cfme_db_volume
    state: absent

--------------------------------------------------------------------------------
/roles/provision/openstack/tasks/ssh.yml:
--------------------------------------------------------------------------------
---
# Builds a user ssh_config with one Host/Hostname pair per provisioned server
# (osservers is registered elsewhere, presumably by the create tasks) and
# clears stale known_hosts entries for them.

- file:
    path: "{{ ssh_config_path }}"
    state: touch

# NOTE(review): the ControlPath master socket lives in world-writable /tmp
# under a predictable name; a per-user directory (e.g. under ~/.ssh, with %C)
# is the usual choice — lab setting, confirm before reuse.
- lineinfile:
    insertbefore: "BOF"
    path: "{{ ssh_config_path }}"
    line: "{{ item }}"
  with_items:
    - "ControlMaster auto"
    - "ControlPath /tmp/ssh_mux_%h_%p_%rA"

- lineinfile:
    path: "{{ ssh_config_path }}"
    line: Host "{{ item.server.name }}"
  with_items: "{{ osservers.results }}"

# insertafter is a regex on the bare server name; a name that is a prefix of
# another server's name would match that server's Host line too.
- lineinfile:
    path: "{{ ssh_config_path }}"
    line: " Hostname {{ item.server.interface_ip }}"
    insertafter: '{{ item.server.name }}'
  with_items: "{{ osservers.results }}"

# Drop old known_hosts entries so re-provisioned servers (new host keys) do
# not trip the host-key check. NOTE(review): the next connection then trusts
# whatever key answers (trust-on-first-use).
- command: ssh-keygen -R {{ item.server.interface_ip }}
  with_items: "{{ osservers.results }}"

- command: ssh-keygen -R {{ item.server.name }}
  with_items: "{{ osservers.results }}"

--------------------------------------------------------------------------------
/roles/jbosseap/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs JBoss EAP 7 from the RHSM channel and starts the standalone service.

- name: Enable a RHSM repository
  rhsm_repository:
    name: jb-eap-7-for-rhel-7-server-rpms
    state: present
  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'


# Raw yum group install; warn: false silences the "use the yum module" hint.
- name: install EAP packages
  tags:
    - eap
  command: yum -y groupinstall jboss-eap7
  args:
    warn: false

# Firewall opening is currently disabled; the ports would come from the
# eap_*_port variables.
#- name: Open Firewall for services
#  tags:
#    - eap
#  firewalld: port={{ item }}/tcp
#             permanent=true
#             state=enabled
#             immediate=yes
#  with_items:
#    - "{{ eap_http_port }}"
#    - "{{ eap_https_port }}"
#    - "{{ eap_http_management_port }}"
#    - "{{ eap_https_management_port }}"

- name: JBoss systemd service enable and start
  tags:
    - eap
  service: name=eap7-standalone
           enabled=yes
           state=started



--------------------------------------------------------------------------------
/roles/packstack/templates/10-keystone_wsgi_main.conf.j2:
--------------------------------------------------------------------------------

ServerName {{ hostname }}

## Vhost docroot
DocumentRoot "/var/www/cgi-bin/keystone"

## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
## NOTE(review): the enclosing <VirtualHost> and the <Directory> block that
## should wrap the three directives below do not appear in this listing —
## presumably dropped when the file was rendered; verify against the file on
## disk before copying this text.

## Indexes allows directory listings of the docroot and MultiViews enables
## content negotiation; neither is needed for a WSGIScriptAlias-only vhost.
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted


## Logging
ErrorLog "/var/log/httpd/keystone_wsgi_main_error.log"
## Keeps the httpd version string out of server-generated pages.
ServerSignature Off
CustomLog "/var/log/httpd/keystone_wsgi_main_access.log" combined

## TLS and federation settings live in separate files (presumably rendered by
## this role's other templates).
Include "/etc/httpd/conf/keystone-ssl.conf"
Include "/etc/httpd/conf/keystone-federation.conf"

## Keystone's "main" (public) pipeline, in its own daemon process group.
WSGIDaemonProcess keystone_main display-name=keystone-main group=keystone processes=1 threads=2 user=keystone
WSGIProcessGroup keystone_main
WSGIScriptAlias / "/var/www/cgi-bin/keystone/main"


--------------------------------------------------------------------------------
/roles/ipsilonserver/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs and configures the Ipsilon SAML IdP backed by IPA.

- name: Install Ipsilon Packages
  yum: name=ipsilon,ipsilon-saml2,ipsilon-authgssapi,ipsilon-tools-ipa,ipsilon-infosssd
       state=present

# `creates` makes the installer run once; GSSAPI and form login are both
# enabled, with "admin" as the IdP admin user.
- name: Install ipsilon server
  command: ipsilon-server-install --ipa=yes --gssapi=yes --form=yes --info-sssd=yes --admin-user=admin
  args:
    creates: /etc/ipsilon/idp/idp.conf
  notify: restart httpd

# Presumably the host runs mod_nss instead of mod_ssl: rewrite the directive
# the installer emitted and remove mod_ssl's own config file.
- name: Use NSS rather than SSL
  replace: regexp=SSLRequireSSL
           replace=NSSRequireSSL
           dest=/etc/httpd/conf.d/ipsilon-idp.conf
  notify: restart httpd

- name: Remove SSL conf file
  file: path=/etc/httpd/conf.d/ssl.conf
        state=absent
  notify: restart httpd

# ECP support: a PAM service and an extra httpd config. NOTE(review): the
# copied files are not visible here — the PAM file decides which credentials
# ECP accepts, so review it together with this task.
- name: Add ECP PAM file
  copy: src=ipsilon_ecp
        dest=/etc/pam.d/ipsilon_ecp

- name: Add ECP HTTPd conf file
  copy: src=ipsilon-idp-ecp.conf
        dest=/etc/httpd/conf.d/ipsilon-idp-ecp.conf
  notify: restart httpd

--------------------------------------------------------------------------------
/roles/satelliteserver/tasks/main.yml:
--------------------------------------------------------------------------------
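---
# Installs Red Hat Satellite 6.4 on a subscribed RHEL 7 host.

- name: Disable all RHSM repositories
  rhsm_repository:
    name: '*'
    state: disabled

- name: Enable Satellite repositories
  rhsm_repository:
    name: "{{ item }}"
    state: enabled
  with_items:
    - rhel-7-server-rpms
    - rhel-server-rhscl-7-rpms
    - rhel-7-server-satellite-6.4-rpms
    - rhel-7-server-satellite-maintenance-6-rpms
    - rhel-7-server-ansible-2.6-rpms

- name: upgrade all packages
  yum:
    name: '*'
    state: latest

# Renamed: this task installs the satellite package; it is not a second
# full upgrade (the old name duplicated the task above).
- name: install satellite package
  yum:
    name: satellite
    state: latest

# Fixed: the command was a multi-line plain scalar containing "\" line
# continuations; YAML folds it into one string with literal backslashes, which
# the command module (no shell) hands to satellite-installer as stray
# arguments. A folded block scalar (>) yields one clean command line.
# The admin password comes from satellite_admin_password, defaulting to the
# previous hard-coded value; no_log keeps it out of the Ansible output (drop
# no_log temporarily when debugging a failed install).
- name: install and configure
  command: >
    satellite-installer --scenario satellite
    --foreman-admin-username admin
    --foreman-admin-password {{ satellite_admin_password | default('redhat') }}
    --foreman-proxy-puppetca true
    --foreman-proxy-tftp true
    --enable-foreman-plugin-discovery
  no_log: true



#- include: setup.yml
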
--------------------------------------------------------------------------------
/playbooks/R.yaml:
--------------------------------------------------------------------------------
---
# Prepares the "R" hosts: subscribe and update, then the build toolchain,
# EPEL and R itself.
- hosts: R
  become: yes
  become_user: root
  remote_user: "{{ cloud_user }}"
  roles:
    - subscribe
    - update

- hosts: R
  #eventually this will be scoped only to eap hosts
  #hosts: eap
  become: yes
  become_user: root
  remote_user: "{{ cloud_user }}"
  tasks:
    # Raw yum for a package group.
    - command: yum -y groupinstall 'Development Tools'
    - name: Enable a RHSM repository
      rhsm_repository:
        name: rhel-7-server-optional-rpms
        state: present
      when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'

    # EPEL release RPM installed straight from the URL. NOTE(review): the
    # package signature is only checked if a matching key is already imported;
    # confirm the EPEL key is trusted on these hosts before relying on this.
    - yum:
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
        state: present

    - yum:
        name: "{{ packages }}"
      vars:
        packages:
          - libcurl-devel
          - openssl-devel
          - libxml2-devel
          - R



--------------------------------------------------------------------------------
/roles/staticnetwork/tasks/main.yml:
--------------------------------------------------------------------------------
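---
# Switches the guest from NetworkManager to a static ifcfg-eth0 and, when run
# as part of the nova IPA join, waits for it to come back on port 22.

# Fallback console password for cloud-user so the box stays reachable if the
# static config breaks networking. The hash is now parameterised
# (cloud_user_password_hash), defaulting to the previous hard-coded value.
# NOTE(review): that hash is committed to the repository, so treat its
# cleartext as known — override cloud_user_password_hash from a vaulted variable.
- name: set password for cloud-user in case network is b0rked
  user:
    name: cloud-user
    password: "{{ cloud_user_password_hash | default('$6$ndP/VMmA8.yDNiQI$cee4x3Qe1O5foUWdgwukRuy.Wetc9vop9o43C.PPKZS1liuFMr6Ezm.vtW8O9ruuKfJXionr7.oQ0UEeNwKdO.') }}"

- name: Get network gateway IP address
  shell: ip route show | awk '/^default/ {print $3; exit}'
  register: network_gw_ip
  changed_when: false

- name: disable NetworkManager
  service: name=NetworkManager state=stopped enabled=no

- name: set up static networking
  template: src=static-ifcfg-eth0 dest=/etc/sysconfig/network-scripts/ifcfg-eth0
  notify:
    - restart network

# NOTE(review): a `when` on meta: flush_handlers is not honoured by every
# Ansible release — confirm the handlers really stay queued when
# ipa_nova_join is undefined.
- name: Restart networking if necessary
  meta: flush_handlers
  when: ipa_nova_join is defined

# The module string carries its key=value args (the original spread them over
# folded continuation lines, which YAML joins into this same string).
- name: Wait for server to restart
  local_action:
    module: wait_for host=openstack.{{ ipa_domain }} port=22 delay=1 timeout=300
  when: ipa_nova_join is defined
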
--------------------------------------------------------------------------------
/roles/packstack/templates/10-keystone_wsgi_admin.conf.j2:
--------------------------------------------------------------------------------

ServerName {{ hostname }}

## Vhost docroot
DocumentRoot "/var/www/cgi-bin/keystone"

## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone
## NOTE(review): the enclosing <VirtualHost> and the <Directory> block that
## should wrap the three directives below do not appear in this listing —
## presumably dropped when the file was rendered; verify against the file on
## disk before copying this text.

## Indexes allows directory listings of the docroot and MultiViews enables
## content negotiation; neither is needed for a WSGIScriptAlias-only vhost.
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted


## Logging
ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log"
## Keeps the httpd version string out of server-generated pages.
ServerSignature Off
CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" combined

## TLS and federation settings live in separate files (presumably rendered by
## this role's other templates).
Include "/etc/httpd/conf/keystone-ssl.conf"
Include "/etc/httpd/conf/keystone-federation.conf"

## Keystone's "admin" pipeline, in its own daemon process group.
WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=1 threads=2 user=keystone
WSGIProcessGroup keystone_admin
WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"


--------------------------------------------------------------------------------
/roles/provision/openstack/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the OpenStack provisioning role. cluster_hosts and
# cluster_volumes are empty here and are expected to be set per cluster
# (see the commented examples below).
username: ayoung

cloud_user: cloud-user
ipa_forwarder: 192.168.52.3
# NOTE(review): 8.8.8.7 is not one of the public Google resolvers
# (8.8.8.8 / 8.8.4.4) and nameserver1/3 repeat the same address — looks like
# a typo; left as written, confirm.
lab_nameserver1: 8.8.8.8
lab_nameserver2: 8.8.8.7
lab_nameserver3: 8.8.8.8
public_network_name: Public
image_name: rhel-guest-image-7.4-0


cluster_hosts: []


# - {name: idm, flavor: m1.medium}
# - {name: sso, flavor: m1.medium}
# - {name: master0, flavor: m1.medium} #this needs to be xlarge IAW OSC docs
# - {name: master1, flavor: m1.medium}
# - {name: master2, flavor: m1.medium}
# - {name: node0, flavor: m1.medium}
# - {name: node1, flavor: m1.medium}
# - {name: node2, flavor: m1.medium}
# - {name: bastion, flavor: m1.small}


cluster_volumes: []

# - {server_name: master0, volume_name: master0_var_volume, size: 30}
# - {server_name: master1, volume_name: master1_var_volume, size: 30}
# - {server_name: master2, volume_name: master2_var_volume, size: 30}



--------------------------------------------------------------------------------
/roles/teardown/openstack/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for the OpenStack teardown role. This file is a copy of
# roles/provision/openstack/defaults/main.yml — keep the two in sync so a
# teardown sees the same cluster definition the provision did.
username: ayoung

cloud_user: cloud-user
ipa_forwarder: 192.168.52.3
# NOTE(review): 8.8.8.7 is not one of the public Google resolvers
# (8.8.8.8 / 8.8.4.4) and nameserver1/3 repeat the same address — looks like
# a typo; left as written, confirm.
lab_nameserver1: 8.8.8.8
lab_nameserver2: 8.8.8.7
lab_nameserver3: 8.8.8.8
public_network_name: Public
image_name: rhel-guest-image-7.4-0


cluster_hosts: []


# - {name: idm, flavor: m1.medium}
# - {name: sso, flavor: m1.medium}
# - {name: master0, flavor: m1.medium} #this needs to be xlarge IAW OSC docs
# - {name: master1, flavor: m1.medium}
# - {name: master2, flavor: m1.medium}
# - {name: node0, flavor: m1.medium}
# - {name: node1, flavor: m1.medium}
# - {name: node2, flavor: m1.medium}
# - {name: bastion, flavor: m1.small}


cluster_volumes: []

# - {server_name: master0, volume_name: master0_var_volume, size: 30}
# - {server_name: master1, volume_name: master1_var_volume, size: 30}
# - {server_name: master2, volume_name: master2_var_volume, size: 30}



--------------------------------------------------------------------------------
/roles/packstack/tasks/keystone-sssd.yml:
--------------------------------------------------------------------------------
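---
# Registers SSSD/Kerberos as a Keystone federated identity provider using the
# mapping rendered from mapping_sssd.json.j2.

- name: copy rules file
  template: src=mapping_sssd.json.j2
            dest=/mapping_sssd.json

# Fixed: `environment: os_env` was a bare variable name (deprecated form);
# it is now the explicit Jinja expression, which every Ansible release
# evaluates the same way. os_env carries the admin credentials, so it must
# not be echoed into task output.
# The when clauses test the quoted ids in CSV output registered elsewhere
# (os_idps, os_mappings are not set in this file), so each create runs once.
- name: SSSD identity provider
  command: openstack identity provider create --remote-id SSSD sssd
  environment: "{{ os_env }}"
  when: '"\"sssd\"" not in os_idps.stdout_lines'

- name: create SSSD mapping
  command: openstack mapping create --rules /mapping_sssd.json kerberos_mapping
  environment: "{{ os_env }}"
  when: ' "\"kerberos_mapping\"" not in os_mappings.stdout_lines'

- name: list protocols SSSD
  command: openstack federation protocol list --identity-provider sssd -c id -f csv
  environment: "{{ os_env }}"
  register: os_sssd_protocols
  changed_when: false

- name: federation SSSD protocol create
  command: >
    openstack federation protocol create
    --identity-provider sssd
    --mapping kerberos_mapping
    kerberos
  environment: "{{ os_env }}"
  when: ' "\"kerberos\"" not in os_sssd_protocols.stdout_lines'
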
--------------------------------------------------------------------------------
/roles/subscribe/tasks/main.yml:
--------------------------------------------------------------------------------
# Keeps SSH sessions alive on RHEL 7, subscribes the host to RHSM and turns
# off the HTB repository.

- lineinfile:
    path: /etc/ssh/sshd_config
    state: present
    line: "{{ item }}"
  with_items:
    - "ClientAliveInterval 120"
    - "ClientAliveCountMax 720"
  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
  register: sshd_contents

- debug:
    msg: " sshd_contents {{ sshd_contents }} "

- name: Restart service sshd, if there was a change to the sshd config file
  service:
    name: sshd
    state: restarted
  when: sshd_contents.changed


# NOTE(review): ignore_errors hides a failed subscription, so the repo and
# package tasks that follow would fail later with less obvious errors. Keep
# redhat_password in a vault; it is passed to the module, not printed.
- name: Subscribe
  redhat_subscription:
    state: present
    username: "{{ redhat_user }}"
    password: "{{ redhat_password }}"
    pool_ids: "{{ redhat_pool_id }}"
  ignore_errors: yes


# NOTE(review): rhsm_repository takes present/enabled/absent/disabled, with
# absent presumably meaning disabled — confirm on the installed Ansible version.
- name: Disable htb repository
  rhsm_repository:
    name: rhel-7-server-htb-rpms
    state: absent
  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'


--------------------------------------------------------------------------------
/roles/teardown/libvirt/tasks/main.yml:
--------------------------------------------------------------------------------
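---
# Tear down the libvirt cluster: stop and undefine every VM, delete its
# disk image, then remove the macvtap networks. The VM operations use the
# unprivileged session URI (qemu:///session).

- name: stop vm
  virt:
    name: "{{ item.name }}"
    uri: qemu:///session
    state: destroyed
  with_items: "{{ cluster_hosts }}"
  # A VM that is already stopped or missing must not abort the teardown.
  ignore_errors: true

- name: delete vm
  virt:
    name: "{{ item.name }}"
    command: undefine
    uri: qemu:///session
  with_items: "{{ cluster_hosts }}"
  ignore_errors: true

- name: remove VM backing store
  file:
    path: "{{ target_image_dir }}/{{ item.name }}.qcow2"
    state: absent
  with_items: "{{ cluster_hosts }}"

# NOTE(review): no uri is given for virt_net, so it talks to the default
# libvirt connection rather than the qemu:///session used for the VMs —
# confirm which connection the macvtap networks were defined on.
- name: destroy macvtap networks
  virt_net:
    command: destroy
    name: "macvtap-{{ item.cluster_host }}-{{ item.device }}"
  with_items: "{{ macvtap_networks }}"
  ignore_errors: true

- name: undefine macvtap networks
  virt_net:
    command: undefine
    name: "macvtap-{{ item.cluster_host }}-{{ item.device }}"
  with_items: "{{ macvtap_networks }}"
  ignore_errors: true
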
--------------------------------------------------------------------------------
/roles/teardown/openstack/tasks/main.yml:
--------------------------------------------------------------------------------
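---
# Delete the OpenStack cluster: the CFME appliance and its two volumes
# first, then every cluster host and the volumes listed in cluster_volumes.
# Servers are removed before their volumes because Cinder refuses to delete
# a volume that is still attached.

- name: look up cluster servers
  os_server_facts:
    cloud: "{{ cloudname }}"
    server: "{{ item.name }}.{{ clustername }}"
  with_items: "{{ cluster_hosts }}"
  register: os_servers

- debug:
    var: os_servers

# Registered but not read in this file; kept because other task files may
# rely on cfme_server.
- name: look up CFME server
  os_server_facts:
    cloud: "{{ cloudname }}"
    server: "cfme.{{ clustername }}"
  register: cfme_server

- name: delete CFME server
  os_server:
    cloud: "{{ cloudname }}"
    state: absent
    name: "cfme.{{ clustername }}"

- name: delete CFME volume
  os_volume:
    cloud: "{{ cloudname }}"
    display_name: cfme_volume
    state: absent

- name: delete CFME database volume
  os_volume:
    cloud: "{{ cloudname }}"
    display_name: cfme_db_volume
    state: absent

- name: delete cluster servers
  os_server:
    cloud: "{{ cloudname }}"
    state: absent
    name: "{{ item.name }}.{{ clustername }}"
  with_items: "{{ cluster_hosts }}"

- name: delete cluster volumes
  os_volume:
    cloud: "{{ cloudname }}"
    display_name: "{{ item.volume_name }}"
    state: absent
  with_items: "{{ cluster_volumes }}"
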
--------------------------------------------------------------------------------
/roles/nova-ipa/vars/main.yml:
--------------------------------------------------------------------------------
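---
# Variables for the nova-ipa role: openstack CLI credentials (v3 and v2.0),
# the Keystone auth_token settings for services, the MariaDB principal and
# the HAProxy front-end ports.

openstack_api_versions:
  # NOTE(review): the key is literally `\"identity\"` (backslashes and
  # quotes included); plain `identity` was presumably intended — confirm
  # how consumers look this key up before changing it.
  '\"identity\"': 3

# Admin credentials exported into the environment of the openstack CLI
# tasks. The password is a hard-coded default kept in cleartext in this
# file; override it from a vaulted variable rather than editing it here.
# Numeric values are quoted because they are exported as environment
# variable strings.
os_env:
  OS_AUTH_TYPE: v3password
  OS_AUTH_URL: "https://{{ ansible_fqdn }}:5000/v3"
  OS_USERNAME: admin
  OS_PASSWORD: password
  OS_PROJECT_NAME: admin
  OS_USER_DOMAIN_ID: default
  OS_PROJECT_DOMAIN_ID: default
  OS_IDENTITY_API_VERSION: "3"

# The same credentials against the v2.0 identity API.
os_env_v2:
  OS_AUTH_URL: "https://{{ ansible_fqdn }}:5000/v2.0"
  OS_USERNAME: admin
  OS_PASSWORD: password
  OS_PROJECT_NAME: admin
  OS_IDENTITY_API_VERSION: "2"
  OS_TENANT_NAME: admin

# Service-side auth_token settings: services authenticate with Kerberos
# through the sssd identity provider / kerberos protocol instead of a
# password.
service_authtoken:
  auth_uri: "https://{{ hostname }}:5000"
  auth_plugin: v3fedkerb
  auth_url: "https://{{ hostname }}:5000/v3"
  identity_provider: sssd
  protocol: kerberos
  project_name: services
  project_domain_id: default

mysql_principal: "MySQL/{{ ansible_fqdn }}@{{ ipa_realm }}"

# HAProxy listener ports placed in front of the API services.
glance_api_haproxy_port: 9293
cinder_api_haproxy_port: 8777
neutron_api_haproxy_port: 9697
nova_api_haproxy_port: 8778
nova_ec2_haproxy_port: 8779
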
--------------------------------------------------------------------------------
/roles/ipsilon-saml-idp/tasks/keystone-ipsilon.yml:
--------------------------------------------------------------------------------
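---
# Register Ipsilon as a SAML2 federated identity provider in Keystone and
# attach the ipsilon_mapping rules to it. os_env, os_idps and os_mappings
# are expected to be defined/registered earlier in the play (not in this
# file); the `-f csv` listings quote every id, hence the escaped quotes in
# the membership tests.
- name: copy rules file
  copy:
    src: mapping_ipsilon_saml2.json
    dest: /mapping_ipsilon_saml2.json

# The remote-id is matched against the issuer of incoming assertions —
# presumably the IdP's entityID; verify against the IdP metadata.
- name: Ipsilon identity provider
  command: >
    openstack identity provider create
    --remote-id https://ipa.{{ ipa_domain }}/idp/saml2/metadata
    ipsilon
  environment: "{{ os_env }}"
  when: '"\"ipsilon\"" not in os_idps.stdout_lines'

# Presence-only idempotence: an existing mapping is never updated, so a
# changed mapping_ipsilon_saml2.json is not pushed to Keystone.
- name: create Ipsilon mapping
  command: openstack mapping create --rules /mapping_ipsilon_saml2.json ipsilon_mapping
  environment: "{{ os_env }}"
  when: ' "\"ipsilon_mapping\"" not in os_mappings.stdout_lines'

- name: list protocols Ipsilon
  command: openstack federation protocol list --identity-provider ipsilon -c id -f csv
  environment: "{{ os_env }}"
  register: os_ipsilon_protocols
  # Read-only query; never report it as a change.
  changed_when: false

- name: federation protocol create
  command: >
    openstack federation protocol create
    --identity-provider ipsilon
    --mapping ipsilon_mapping
    saml2
  environment: "{{ os_env }}"
  when: ' "\"saml2\"" not in os_ipsilon_protocols.stdout_lines'
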
--------------------------------------------------------------------------------
/roles/packstack/tasks/ipa-pre-packstack.yml:
--------------------------------------------------------------------------------
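---
# Pre-packstack IPA integration for the controller: an HTTP/<hostname>
# service principal, a certmonger-tracked TLS certificate for httpd and a
# keytab readable only by apache. Runs under an admin ticket obtained with
# ipa_admin_password and discarded at the end.

- name: Install httpd for conf directories
  yum:
    name: httpd
    state: installed

- name: Start certmonger
  service:
    name: certmonger
    enabled: true
    state: started

# Obtain an admin ticket only when none is cached (klist -s is silent and
# exits non-zero without a valid ticket). The password is fed on stdin
# instead of being placed in the command line, so it appears neither in the
# process table nor in the task's logged arguments; no_log additionally
# keeps it out of the play output.
- name: kinit
  shell: klist -s || kinit admin@{{ ipa_realm }}
  args:
    stdin: "{{ ipa_admin_password }}"
  changed_when: false
  no_log: true

# ipaservice is the repository's own module (library/ipaservice).
- name: Add HTTP/openstack service
  ipaservice:
    principal: "HTTP/{{ hostname }}@{{ ipa_realm }}"

# certmonger requests (-w: wait for issuance) and tracks a certificate for
# hostname (-D) bound to the HTTP/<hostname> principal (-K). `creates`
# makes the task a no-op once the certificate file exists.
- name: Get HTTP certificate
  command: >
    ipa-getcert request -w
    -f {{ ssl_cert }}
    -k {{ ssl_key }}
    -D "{{ hostname }}"
    -K HTTP/{{ hostname }}
  args:
    creates: "{{ ssl_cert }}"
  notify:
    - restart httpd

# ipa-getkeytab issues a fresh key each time it runs, invalidating any other
# copy of the keytab; `creates` prevents re-keying on reruns.
- name: Get Keytab
  command: >
    ipa-getkeytab
    -s ipa.{{ ipa_domain }}
    -k {{ keytab }}
    -p HTTP/{{ hostname }}@{{ ipa_realm }}
  args:
    creates: "{{ keytab }}"

# The keytab is a credential: owner-only access for the httpd user.
- name: Set Keytab permissions
  file:
    path: "{{ keytab }}"
    owner: apache
    group: apache
    mode: "0600"

- name: kdestroy
  command: kdestroy
  changed_when: false
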
--------------------------------------------------------------------------------
/roles/cfmeconf/tasks/main.yml:
--------------------------------------------------------------------------------
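---
# CloudForms (CFME) appliance configuration: IPA client packages and DNS,
# then database/region initialisation through appliance_console_cli.

- name: Install IPA Client packages
  tags:
    - ipaclient
  yum:
    name: ipa-client,ipa-admintools,python-memcached
    state: present

# Appends the DNS1 line if the exact line is absent; an existing DNS1= with
# a different value is not replaced (no regexp given).
- name: Set nameserver
  tags:
    - ipaclient
  lineinfile:
    path: /etc/sysconfig/network-scripts/ifcfg-eth0
    line: "DNS1={{ nameserver }}"

- name: Setup resolv.conf
  tags:
    - ipaclient
  template:
    src: resolv.conf.j2
    dest: /etc/resolv.conf

# Disabled (when: false) — kept as documentation of the intended IPA
# enrolment command. `creates` belongs under args for the shell module; as
# a bare task key it is presumably rejected by recent Ansible releases.
# no_log because the command carries ipa_server_password.
- name: ipa-client
  shell: >
    /opt/rh/cfme-gemset/bin/appliance_console_cli --host cfme.{{ ipa_domain }} --ipaserver idm.{{ ipa_domain }} --iparealm {{ ipa_realm }} --ipaprincipal admin --ipapassword {{ ipa_server_password }}
  args:
    creates: /etc/ipa/default.conf
  no_log: true
  when: false

# The admin password is on the command line (visible in the process table
# while it runs); no_log keeps it out of the play output. Reruns are
# skipped once database.yml exists.
- name: configure primary database and region
  shell: >
    /opt/rh/cfme-gemset/bin/appliance_console_cli --internal --username admin --password {{ ipa_server_password }} --region 1 --dbdisk /dev/sdc
  args:
    creates: /var/www/miq/vmdb/config/database.yml
  no_log: true

- name: start evmserverd
  service:
    name: evmserverd
    state: started
    enabled: true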
--------------------------------------------------------------------------------
/roles/tripleo/files/undercloud.conf:
--------------------------------------------------------------------------------
[DEFAULT]
# TripleO undercloud configuration. The undercloud is the gateway
# (local_ip) of the 10.127.0.0/24 provisioning network on eth2, and the
# same host name serves the public and admin endpoints.
undercloud_hostname = passimian.home.younglogic.net
local_interface = eth2
local_mtu = 1500
local_ip = 10.127.0.1/24
undercloud_public_host = passimian.home.younglogic.net
undercloud_admin_host = passimian.home.younglogic.net
# No pre-issued service certificate; one is generated by the local CA
# (certificate_generation_ca = local).
undercloud_service_certificate =
generate_service_certificate = True
scheduler_max_attempts = 10
certificate_generation_ca = local
# Unknown nodes that boot into inspection are enrolled automatically with
# the ipmi driver.
enable_node_discovery = True
discovery_default_driver = ipmi






# Deprecated names for compatibility with older releases
# These duplicate the [ctlplane-subnet] values below; keep both in sync.
discovery_iprange = 10.127.0.128,10.127.0.139
undercloud_public_vip = passimian.home.younglogic.net
undercloud_admin_vip = passimian.home.younglogic.net
network_cidr = 10.127.0.2/24
dhcp_start = 10.127.0.64
dhcp_end = 10.127.0.75
inspection_iprange = 10.127.0.128,10.127.0.139
network_gateway = 10.127.0.1
masquerade_network = 10.127.0.2/24
# End of deprecated names

[ctlplane-subnet]
# Provisioning subnet: DHCP pool .64-.75, inspection pool .128-.139,
# masqueraded behind the undercloud.
cidr = 10.127.0.2/24
gateway = 10.127.0.1
dhcp_start = 10.127.0.64
dhcp_end = 10.127.0.75
inspection_iprange = 10.127.0.128,10.127.0.139
masquerade = true



--------------------------------------------------------------------------------
/roles/keyfed/templates/metadata-config.py.j2:
--------------------------------------------------------------------------------
from saml2.entity_category.edugain import COC
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_PAOS
from saml2.saml import NAME_FORMAT_BASIC
from saml2.saml import NAMEID_FORMAT_UNSPECIFIED1

# pysaml2 service-provider configuration for Keystone's ECP (PAOS)
# endpoint. ipa_domain is filled in when Ansible renders the template;
# presumably the rendered file is consumed by pysaml2's metadata tooling —
# verify against the task that uses it.
BASE = 'https://openstack.{{ ipa_domain }}:5000'
PATH = '/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth'
# The Keystone federation auth URL doubles as the SAML entityID.
URL = BASE + PATH


CONFIG = {
    "entityid": URL,
    # 'entity_category': [COC],
    "description": "ECP Authentication to OpenStack",
    "service": {
        "sp": {
            # The SP signs both its AuthnRequests and its LogoutRequests.
            "authn_requests_signed": True,
            "logout_requests_signed": True,
            "name_id_format": NAMEID_FORMAT_UNSPECIFIED1,
            "endpoints": {
                # Only the ECP/PAOS assertion consumer is exposed; single
                # logout stays disabled (BINDING_HTTP_REDIRECT is imported
                # for it but unused).
                "assertion_consumer_service": [
                    ("%s/paosResponse" % URL, BINDING_PAOS)
                ],
                # "single_logout_service": [
                # ("%s/logout" % URL, BINDING_HTTP_REDIRECT)
                # ],
            }
        },
    },
    # Relative paths — resolved relative to wherever the config is loaded
    # from; verify the deployment places the files alongside it.
    "key_file": "metadata.key",
    "cert_file": "metadata.cert",
    "metadata": {"local": ["idp-metadata.xml"]},
}

--------------------------------------------------------------------------------
/roles/packstack/templates/metadata-config.py.j2:
--------------------------------------------------------------------------------
from saml2.entity_category.edugain import COC
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_PAOS
from saml2.saml import NAME_FORMAT_BASIC
from saml2.saml import NAMEID_FORMAT_UNSPECIFIED1

# pysaml2 service-provider configuration for Keystone's ECP (PAOS)
# endpoint. ipa_domain is filled in when Ansible renders the template;
# presumably the rendered file is consumed by pysaml2's metadata tooling —
# verify against the task that uses it. This is a byte-for-byte copy of
# the keyfed role's template of the same name.
BASE = 'https://openstack.{{ ipa_domain }}:5000'
PATH = '/v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth'
# The Keystone federation auth URL doubles as the SAML entityID.
URL = BASE + PATH


CONFIG = {
    "entityid": URL,
    # 'entity_category': [COC],
    "description": "ECP Authentication to OpenStack",
    "service": {
        "sp": {
            # The SP signs both its AuthnRequests and its LogoutRequests.
            "authn_requests_signed": True,
            "logout_requests_signed": True,
            "name_id_format": NAMEID_FORMAT_UNSPECIFIED1,
            "endpoints": {
                # Only the ECP/PAOS assertion consumer is exposed; single
                # logout stays disabled (BINDING_HTTP_REDIRECT is imported
                # for it but unused).
                "assertion_consumer_service": [
                    ("%s/paosResponse" % URL, BINDING_PAOS)
                ],
                # "single_logout_service": [
                # ("%s/logout" % URL, BINDING_HTTP_REDIRECT)
                # ],
            }
        },
    },
    # Relative paths — resolved relative to wherever the config is loaded
    # from; verify the deployment places the files alongside it.
    "key_file": "metadata.key",
    "cert_file": "metadata.cert",
    "metadata": {"local": ["idp-metadata.xml"]},
}

--------------------------------------------------------------------------------
/roles/oce-master/tasks/main.yml:
--------------------------------------------------------------------------------
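---
# OpenShift (OCE) master prerequisites on RHEL 7: restrict yum to the
# OpenShift repositories, install tooling, pin docker and prepare
# devicemapper storage on /dev/vdb.

- name: disable all repos
  tags:
    - oce-master
  shell: subscription-manager repos --disable='*'

# Written as a folded block scalar. In the previous plain multi-line form
# the trailing backslashes were part of the command string (YAML already
# folds the lines; a backslash is not a continuation in a plain scalar),
# so the shell saw stray `\` tokens between the --enable arguments.
- name: enable only OpenShift Repos
  tags:
    - oce-master
  shell: >-
    subscription-manager repos
    --enable="rhel-7-server-rpms"
    --enable="rhel-7-server-extras-rpms"
    --enable="rhel-7-server-ose-3.7-rpms"
    --enable="rhel-7-fast-datapath-rpms"

- name: install the prereqs
  yum:
    name: "{{ item }}"
  with_items:
    - wget
    - git
    - net-tools
    - bind-utils
    - iptables-services
    - bridge-utils
    - bash-completion
    - kexec-tools
    - sos
    - psacct

- name: upgrade all packages
  yum:
    name: '*'
    state: latest

- name: install the atomic package
  yum:
    name: atomic-openshift-utils

# Pinned docker build — presumably the one matching the OSE 3.7
# repository enabled above; verify before bumping.
- name: install the right docker version
  yum:
    name: docker-1.12.6

# Each line is appended if missing; a pre-existing different value for the
# same key is not replaced (no regexp given).
- name: configure docker storage
  lineinfile:
    path: /etc/sysconfig/docker-storage-setup
    line: "{{ item }}"
  with_items:
    - STORAGE_DRIVER=devicemapper
    - DEVS=vdb
    - VG=docker-vg
    - AUTO_EXTEND_POOL=true

# Not idempotent: reported as changed and re-run on every play.
- name: run docker-storage-setup
  command: docker-storage-setup
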
--------------------------------------------------------------------------------
/roles/satelliteserver/templates/ipsilon.conf.j2:
--------------------------------------------------------------------------------
LoadModule auth_mellon_module modules/mod_auth_mellon.so


# NOTE(review): the three directive groups below read as the bodies of
# container sections (<Location> or similar) whose opening and closing
# tags are not present in this listing; the protected paths cannot be
# recovered from here — confirm against the role's template source.
# SP key, certificate and metadata plus the IdP metadata come from
# saml_conf_dir; the Mellon endpoints are served under /saml2.
MellonEnable "info"
MellonSPPrivateKeyFile {{ saml_conf_dir }}/certificate.key
MellonSPCertFile {{ saml_conf_dir }}/certificate.pem
MellonSPMetadataFile {{ saml_conf_dir }}/metadata.xml
MellonIdPMetadataFile {{ saml_conf_dir }}/idp-metadata.xml
MellonEndpointPath /saml2
MellonIdP "IDP"
# Multi-valued attributes are numbered from 1 and a count variable is set;
# the attributes below are exported without the MELLON_ prefix under the
# REMOTE_USER_* names.
MellonEnvVarsIndexStart 1
MellonEnvVarsSetCount On
MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" givenname
MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" surname
MellonSetEnvNoPrefix "REMOTE_USER_GROUP" groups



# Protected section: TLS required and a SAML login enforced. 401 and 500
# are mapped to the same message; the 500 mapping is the documented
# workaround below.
SSLRequireSSL
AuthType "Mellon"
MellonEnable "auth"
ErrorDocument 401 'SAML authentication did not pass.'
# The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087
ErrorDocument 500 'SAML authentication did not pass.'



# Second protected section with the same requirements.
SSLRequireSSL
AuthType "Mellon"
MellonEnable "auth"


--------------------------------------------------------------------------------
/roles/ipaclient/tasks/main.yml:
--------------------------------------------------------------------------------
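---
# Enrol a host as an IPA client: update packages, point DNS at the IPA
# server via resolv.conf and ifcfg-eth0, then run ipa-client-install.

- name: upgrade all packages
  yum:
    name: '*'
    state: latest

- name: Install IPA Client packages
  tags:
    - ipaclient
  yum:
    name: ipa-client,ipa-admintools,python-memcached
    state: present

- name: Setup resolv.conf
  tags:
    - ipaclient
  template:
    src: resolv.conf.j2
    dest: /etc/resolv.conf

# network_eth0 is registered for the (disabled) restart below.
- name: Setup network
  tags:
    - ipaclient
  register: network_eth0
  template:
    src: ifcfg-eth0.j2
    dest: /etc/sysconfig/network-scripts/ifcfg-eth0

# Restarting network is super unreliable when done over ansible, it tends to
# hang or fail. In the case of network manager you can:
# nmcli con load /etc/sysconfig/network-scripts/ifcfg-eth0
# but NM isn't used in the packstack case. As our problem is currently only DNS
# we can skip the restart, add the static DNS to ifcfg and resolv, eventually
# NM or something else will overwrite resolv but it won't matter.
# - name: restart network
#   service: name=network
#            state=restarted
#   when: network_eth0.changed
#

# Unattended (-U) enrolment with the admin principal; --force-join
# re-enrols a host that already exists in IPA. The admin password is on
# the command line, so no_log keeps it out of the play output (it is still
# visible in the process table while the command runs). `creates` skips
# the task once the CA certificate has been installed.
- name: Register IPA Client
  tags:
    - ipaclient
  command: >
    ipa-client-install -U
    --principal admin@{{ ipa_realm }}
    --password {{ ipa_admin_password }}
    --domain {{ ipa_domain }}
    --force --force-ntpd --force-join
  args:
    creates: /etc/ipa/ca.crt
  no_log: true
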
--------------------------------------------------------------------------------
/roles/nova-ipa/handlers/main.yml:
--------------------------------------------------------------------------------
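---
# Service restart handlers for the nova-ipa role. The legacy `sudo:` task
# keyword is replaced by `become: true` (sudo is the default become
# method); sssd and firewalld are restarted as the connecting user, as
# before.

- name: restart nova-api
  become: true
  service:
    name: openstack-nova-api
    state: restarted

- name: restart nova-compute
  become: true
  service:
    name: openstack-nova-compute
    state: restarted

- name: restart glance-api
  become: true
  service:
    name: openstack-glance-api
    state: restarted

- name: restart glance-registry
  become: true
  service:
    name: openstack-glance-registry
    state: restarted

- name: restart cinder-api
  become: true
  service:
    name: openstack-cinder-api
    state: restarted

# The neutron API is served by neutron-server.
- name: restart neutron-api
  become: true
  service:
    name: neutron-server
    state: restarted

- name: restart httpd
  become: true
  service:
    name: httpd
    state: restarted

- name: restart sssd
  service:
    name: sssd
    state: restarted

- name: restart firewalld
  service:
    name: firewalld
    state: restarted

- name: restart neutron-dhcp-agent
  become: true
  service:
    name: neutron-dhcp-agent
    state: restarted

- name: restart neutron-metadata-agent
  become: true
  service:
    name: neutron-metadata-agent
    state: restarted

- name: restart neutron-l3-agent
  become: true
  service:
    name: neutron-l3-agent
    state: restarted

- name: restart neutron-openvswitch-agent
  become: true
  service:
    name: neutron-openvswitch-agent
    state: restarted

- name: restart network
  become: true
  service:
    name: network
    state: restarted
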
--------------------------------------------------------------------------------
/roles/provision/openstack/templates/inventory.ini.j2:
--------------------------------------------------------------------------------
{# Ansible inventory rendered from the registered os_server_facts results
   (osservers). [all] lists every server; the other groups select servers
   by name prefix. #}
[all]
{% for item in osservers.results %}
{{ item.server.name }}
{% endfor %}


[ipa]
{% for item in osservers.results %}
{% if item.server.name.startswith('idm') %}
{{ item.server.name }}
{% endif %}
{% endfor %}

[sso]
{% for item in osservers.results %}
{% if item.server.name.startswith('sso') %}
{{ item.server.name }}
{% endif %}
{% endfor %}

[bastion]
{% for item in osservers.results %}
{% if item.server.name.startswith('bastion') %}
{{ item.server.name }}
{% endif %}
{% endfor %}



[masters]
{% for item in osservers.results %}
{% if item.server.name.startswith('master') %}
{{ item.server.name }}
{% endif %}
{% endfor %}

[nodes]
{% for item in osservers.results %}
{% if item.server.name.startswith('node') %}
{{ item.server.name }}
{% endif %}
{% endfor %}




{# NOTE(review): ipa_server_password and ipa_admin_user_password are written
   in cleartext into the generated inventory; treat the rendered file as a
   secret, or move these into a vaulted group_vars file. #}
[all:vars]
ipa_server_password={{ ipa_server_password }}
ipa_domain={{ clustername }}
deployment_dir={{ cluster_dir }}
ipa_realm={{ clustername|upper }}
cloud_user=cloud-user
ipa_admin_user_password={{ ipa_admin_password }}
ipa_forwarder={{ ipa_forwarder }}
lab_nameserver1={{ lab_nameserver1 }}
lab_nameserver2={{ lab_nameserver2 }}
lab_nameserver3={{ lab_nameserver3 }}
{# The idm server's private address becomes the cluster nameserver; with
   more than one idm host the last one in osservers wins. #}
{% for item in osservers.results %}
{% if item.server.name.startswith('idm') %}
nameserver={{ item.server.private_v4 }}
{% endif %}
{% endfor %}

--------------------------------------------------------------------------------
/roles/mariadb-kerberos/tasks/mysql.yml:
--------------------------------------------------------------------------------
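---
# Kerberize MariaDB: a MySQL/<fqdn> service principal with its keytab owned
# by mysql, my.cnf settings from my_cnf and the server.cnf template. Every
# task carries the mariadb tag.

- name: upgrade to kerberized mariadb
  tags:
    - mariadb
  yum:
    name: mariadb-galera-server
    state: latest

# Obtain an admin ticket only when none is cached (klist -s is silent and
# exits non-zero without a valid ticket). The password is fed on stdin
# instead of being placed in the command line, so it appears neither in the
# process table nor in the task's logged arguments; no_log additionally
# keeps it out of the play output.
- name: kinit
  tags:
    - mariadb
  shell: klist -s || kinit admin@{{ ipa_realm }}
  args:
    stdin: "{{ ipa_admin_password }}"
  changed_when: false
  no_log: true

# ipaservice is the repository's own module (library/ipaservice).
- name: MySQL service
  tags:
    - mariadb
  ipaservice:
    principal: "{{ mysql_principal }}"

# ipa-getkeytab issues a fresh key each time it runs, invalidating any other
# copy of the keytab; `creates` prevents re-keying on reruns.
- name: Get Keytab
  tags:
    - mariadb
  command: >
    ipa-getkeytab
    -s ipa.{{ ipa_domain }}
    -k /var/lib/mysql/mysql.keytab
    -p "{{ mysql_principal }}"
  args:
    creates: /var/lib/mysql/mysql.keytab
  notify:
    - restart mariadb

- name: kdestroy
  tags:
    - mariadb
  command: kdestroy
  changed_when: false

# The keytab is a credential: owner-only access for the mysql user.
- name: set keytab permissions
  tags:
    - mariadb
  file:
    owner: mysql
    group: mysql
    mode: "0600"
    path: /var/lib/mysql/mysql.keytab
  notify:
    - restart mariadb

- name: reset my.cnf
  tags:
    - mariadb
  ini_file:
    dest: /etc/my.cnf
    section: mysqld
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ my_cnf }}"

# ignore_errors presumably covers mysql_upgrade failing on an already
# current or not-yet-running server — verify why it was added.
- name: upgrade database
  tags:
    - mariadb
  command: mysql_upgrade
  ignore_errors: true

- name: install server.cnf
  tags:
    - mariadb
  template:
    src: server.cnf
    dest: /etc/my.cnf.d/server.cnf
  notify:
    - restart mariadb
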
--------------------------------------------------------------------------------
/roles/packstack/templates/mapping_sssd.json.j2:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "local": [
4 | {
5 | "user": {
6 | "name": "{0}",
7 | "domain": {"name": "Default"}
8 | }
9 | }
10 | ],
11 | "remote": [
12 | {
13 | "type": "REMOTE_USER"
14 | }
15 | ]
16 | },
17 |
18 | {
19 | "local": [
20 | {
21 | "groups": "{0}",
22 | "domain": {
23 | "name": "Default"
24 | }
25 | }
26 | ],
27 | "remote": [
28 | {
29 | "type": "REMOTE_USER_GROUPS",
30 | "whitelist": ["ipausers", "admins"]
31 | }
32 | ]
33 | },
34 |
35 | {
36 | "local": [
37 | {
38 | "group": {
39 | "name": "services",
40 | "domain": {
41 | "name": "Default"
42 | }
43 | }
44 | }
45 | ],
46 | "remote": [
47 | {
48 | "type": "GSS_NAME",
49 | "any_one_of": [
50 | "glance/openstack.{{ ipa_domain }}@{{ ipa_realm }}",
51 | "cinder/openstack.{{ ipa_domain }}@{{ ipa_realm }}",
52 | "nova/openstack.{{ ipa_domain }}@{{ ipa_realm }}",
53 | "barbican/openstack.{{ ipa_domain }}@{{ ipa_realm }}",
54 | "neutron/openstack.{{ ipa_domain }}@{{ ipa_realm }}"
55 | ]
56 | }
57 | ]
58 | }
59 | ]
60 |
--------------------------------------------------------------------------------
/roles/packstack/tasks/main.yml:
--------------------------------------------------------------------------------
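---
# Controller deployment driver for the packstack role: enable the OpenStack
# repositories (RHOS on RHEL, RDO on CentOS), update the host, run the
# per-component task files, then drop the openrc files on the host and in
# deployment_dir.

# Installs an RPM fetched over plain HTTP; rpm verifies the signature only
# when the signing key is already imported and just warns otherwise.
# packstackrepo is registered here and by the next two tasks but never read.
- name: Install rhos-release
  register: packstackrepo
  command: rpm -ivh http://rhos-release.virt.bos.redhat.com/repos/rhos-release/rhos-release-latest.noarch.rpm
  # Fails on reruns (package already installed); the failure is ignored.
  ignore_errors: true
  when: ansible_distribution == "RedHat"

- name: Install repos
  register: packstackrepo
  command: rhos-release 8
  ignore_errors: true
  when: ansible_distribution == "RedHat"

- name: Install rho-release
  register: packstackrepo
  command: yum install -y https://repos.fedorapeople.org/repos/openstack/rdo-release.rpm
  ignore_errors: true
  when: ansible_distribution == "CentOS"

- name: upgrade all packages
  yum:
    name: '*'
    state: latest

# Static includes, executed in this order. `include` is deprecated in
# current Ansible; import_tasks is the equivalent when upgrading.
- include: ipa-pre-packstack.yml
- include: packstack.yml
- include: serviceauth.yml
- include: haproxy.yml
- include: haproxy-fixups.yml
- include: infopipe.yml
- include: keystone.yml
- include: horizon.yml
- include: ipa-post-packstack.yml
# - include: firewall.yml
- meta: flush_handlers
- include: keystone-environment.yml
- include: keystone-sssd.yml
#- include: test-encrypted-volumes.yml

# The rc files carry credentials; they are rendered as the connecting
# (non-root) user into its home directory.
- name: install accrc files
  become: false
  template:
    src: "{{ item }}.j2"
    dest: "~/{{ item }}"
  with_items:
    - adminrc
    - demorc
    - kerb-accrc
    - fed-accrc

# Same files rendered on the control host under deployment_dir.
- name: get local copies of rc files
  become: false
  local_action: template src={{ item }}.j2 dest={{ deployment_dir }}/{{ item }}
  with_items:
    - adminrc
    - demorc
    - kerb-accrc
    - fed-accrc
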
--------------------------------------------------------------------------------
/roles/provision/openstack/tasks/teardown.yml:
--------------------------------------------------------------------------------
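---
# Tear down the OpenStack cluster and scrub the matching entries from the
# local ssh config (ssh_config_path): Hostname lines first, then the Host
# stanza headers, then the servers and finally their volumes (Cinder will
# not delete a volume that is still attached).

- name: look up cluster servers
  os_server_facts:
    cloud: "{{ cloudname }}"
    server: "{{ item.name }}.{{ clustername }}"
  with_items: "{{ cluster_hosts }}"
  register: os_servers

- debug:
    var: os_servers

# A server that no longer exists has no openstack_servers entry, so the
# lookup of .0.interface_ip can fail; hence ignore_errors.
- name: remove cluster host addresses from ssh config
  lineinfile:
    path: "{{ ssh_config_path }}"
    line: " Hostname {{ item.ansible_facts.openstack_servers.0.interface_ip }}"
    state: absent
  with_items: "{{ os_servers.results }}"
  ignore_errors: true

- name: look up CFME server
  os_server_facts:
    cloud: "{{ cloudname }}"
    server: "cfme.{{ clustername }}"
  register: cfme_server

- name: remove CFME address from ssh config
  lineinfile:
    path: "{{ ssh_config_path }}"
    line: " Hostname {{ item.interface_ip }}"
    state: absent
  with_items: "{{ cfme_server.ansible_facts.openstack_servers }}"

- name: remove CFME host stanza from ssh config
  lineinfile:
    path: "{{ ssh_config_path }}"
    line: 'Host "cfme.{{ clustername }}"'
    state: absent

# cluster_hosts entries are mappings (item.name is used above), so the
# stanza line must be built from item.name; a bare {{ item }} renders the
# whole mapping and never matches a line in the file.
- name: remove cluster host stanzas from ssh config
  lineinfile:
    path: "{{ ssh_config_path }}"
    line: 'Host "{{ item.name }}.{{ clustername }}"'
    state: absent
  with_items: "{{ cluster_hosts }}"

- name: delete CFME server
  os_server:
    cloud: "{{ cloudname }}"
    state: absent
    name: "cfme.{{ clustername }}"

- name: delete CFME volume
  os_volume:
    cloud: "{{ cloudname }}"
    display_name: cfme_volume
    state: absent

- name: delete CFME database volume
  os_volume:
    cloud: "{{ cloudname }}"
    display_name: cfme_db_volume
    state: absent

- name: delete cluster servers
  os_server:
    cloud: "{{ cloudname }}"
    state: absent
    name: "{{ item.name }}.{{ clustername }}"
  with_items: "{{ cluster_hosts }}"

- name: delete cluster volumes
  os_volume:
    cloud: "{{ cloudname }}"
    display_name: "{{ item.volume_name }}"
    state: absent
  with_items: "{{ cluster_volumes }}"
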
--------------------------------------------------------------------------------
/roles/keyfed/files/12-keystone-federation.conf:
--------------------------------------------------------------------------------
# mod_auth_mellon configuration for Keystone's SAML2 (Ipsilon) federation
# endpoints.
# NOTE(review): the two directive groups below read as the bodies of
# container sections (<Location> or similar) whose tags are missing from
# this listing; the MellonEndpointPath values suggest the WebSSO and ECP
# auth locations — confirm against the original file.

# WebSSO (browser) flow; SP key/metadata under /etc/httpd/saml2/websso.
MellonEnable "auth"
MellonSPPrivateKeyFile "/etc/httpd/saml2/websso/certificate.key"
MellonSPCertFile "/etc/httpd/saml2/websso/certificate.pem"
MellonSPMetadataFile "/etc/httpd/saml2/websso/metadata.xml"
MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonEndpointPath /v3/auth/OS-FEDERATION/websso/saml2
MellonVariable "saml-sesion-cookie"
# Comment out the next two lines if you want to allow logins on bare HTTP
# NOTE(review): both lines are already commented out here, so this block
# neither flags the session cookie Secure nor requires TLS; if httpd also
# listens on plain HTTP the cookie can travel in clear. Re-enable both
# for production.
#MellonsecureCookie On
#SSLRequireSSL
# REMOTE_USER is taken from the assertion's NameID.
MellonUser "NAME_ID"
MellonIdP "IDP"
# Sessions expire after one hour.
MellonSessionLength 3600
# MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
# MellonPostDirectory "/var/lib/ipsilon/post_cache"
# MellonPostReplay On
MellonMergeEnvVars On



# ECP flow; SP key/metadata under /etc/httpd/saml2/ecp. Same settings as
# the WebSSO block above, including the disabled Secure cookie / TLS lines.
MellonEnable "auth"
MellonSPPrivateKeyFile "/etc/httpd/saml2/ecp/metadata.key"
MellonSPCertFile "/etc/httpd/saml2/ecp/metadata.cert"
MellonSPMetadataFile "/etc/httpd/saml2/ecp/metadata.xml"
MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth
MellonVariable "saml-sesion-cookie"
# Comment out the next two lines if you want to allow logins on bare HTTP
#MellonsecureCookie On
#SSLRequireSSL
MellonUser "NAME_ID"
MellonIdP "IDP"
MellonSessionLength 3600
# MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
# MellonPostDirectory "/var/lib/ipsilon/post_cache"
# MellonPostReplay On
MellonMergeEnvVars On


--------------------------------------------------------------------------------
/roles/packstack/tasks/ipa-post-packstack.yml:
--------------------------------------------------------------------------------
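---
# Post-packstack IPA integration: a local system user, a Kerberos service
# principal and a client keytab for each OpenStack service, plus the
# Barbican KRA agent certificate.

- name: install ipa-python
  yum:
    name: ipa-python
    state: installed

# The registered results carry each user's uid and name, which the
# principal/keytab tasks below iterate over.
- name: Add local service user
  user:
    createhome: false
    name: "{{ item }}"
    home: "/var/lib/{{ item }}"
  with_items:
    - keystone  # used for mysql keytabs rather than token validation
    - nova
    - glance
    - cinder
    - neutron
    - barbican
  register: packstack_users

# Obtain an admin ticket only when none is cached (klist -s is silent and
# exits non-zero without a valid ticket). The password is fed on stdin
# instead of being placed in the command line, so it appears neither in the
# process table nor in the task's logged arguments; no_log additionally
# keeps it out of the play output.
- name: kinit
  shell: klist -s || kinit admin@{{ ipa_realm }}
  args:
    stdin: "{{ ipa_admin_password }}"
  changed_when: false
  no_log: true

# Bare variable names in with_items are no longer accepted by Ansible;
# the templated form is used throughout. ipaservice is the repository's
# own module (library/ipaservice).
- name: Add service principals
  ipaservice:
    principal: "{{ item.name }}/{{ hostname }}@{{ ipa_realm }}"
  with_items: "{{ packstack_users.results }}"

# /var/kerberos/krb5/user/<uid>/client.keytab is the per-user client
# keytab location the Kerberos libraries look up by default.
- name: Add service keytab directories
  file:
    state: directory
    path: "/var/kerberos/krb5/user/{{ item.uid }}"
    mode: "0700"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
  with_items: "{{ packstack_users.results }}"

# ipa-getkeytab issues a fresh key each time it runs, invalidating any other
# copy of the keytab; `creates` prevents re-keying on reruns.
- name: Get service user keytabs
  command: >
    ipa-getkeytab
    -s ipa.{{ ipa_domain }}
    -k /var/kerberos/krb5/user/{{ item.uid }}/client.keytab
    -p {{ item.name }}/{{ hostname }}@{{ ipa_realm }}
  args:
    creates: /var/kerberos/krb5/user/{{ item.uid }}/client.keytab
  with_items: "{{ packstack_users.results }}"
  notify:
    - restart cinder-api
    - restart glance-api
    - restart nova-api
    - restart neutron-api
    - restart httpd

# A keytab needs no execute bit: owner read/write only (0600 instead of
# the previous 0700), matching the other keytab tasks in this repository.
- name: Change service user keytab ownership
  file:
    path: "/var/kerberos/krb5/user/{{ item.uid }}/client.keytab"
    mode: "0600"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
  with_items: "{{ packstack_users.results }}"

# NOTE(review): no owner/mode is set, so the copied agent PEM keeps root
# ownership and the default umask — confirm the barbican user can read it
# and that it is not world-readable.
- name: copy kra agent pem file
  copy:
    dest: /etc/barbican
    src: "{{ inventory_dir }}/kra-agent.pem"

- name: kdestroy
  command: kdestroy
  changed_when: false
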
--------------------------------------------------------------------------------
/roles/provision/azure/tasks/cfme.yml:
--------------------------------------------------------------------------------
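---
# Azure provisioning for the cluster hosts and the CloudForms appliance.

- name: Create storage account
  azure_rm_storageaccount:
    resource_group: "{{ az_resources }}"
    name: "{{ az_storage }}"
    account_type: Standard_LRS

# NOTE(review): this CLI call is not idempotent and its registered result
# (osservers) is overwritten by the azure_rm_virtualmachine task below,
# which creates VMs with the same names — confirm both are meant to run.
- name: create vm
  command: az vm create -n {{ item.name }} -g {{ az_resources }} --image RHEL
  with_items: "{{ cluster_hosts }}"
  register: osservers

# admin_password is passed as a module argument; no_log keeps it out of the
# play output (the registered result is still available to later tasks).
- name: Create virtual machine
  azure_rm_virtualmachine:
    resource_group: "{{ az_resources }}"
    name: "{{ item.name }}"
    vm_size: Standard_D1
    managed_disk_type: "Standard_LRS"
    admin_username: "{{ az_username }}"
    admin_password: "{{ az_password }}"
    ssh_public_keys: "{{ ayoung_publickey }}"
    network_interfaces: "{{ item.name }}.nic"
    image:
      offer: RHEL
      publisher: RedHat
      sku: '7.3'
      urn: 'RedHat:RHEL:7.3:latest'
      version: '7.3.2017090723'
  with_items: "{{ cluster_hosts }}"
  register: osservers
  no_log: true

# Built from a pre-existing custom image in the CFME-NE resource group.
- name: Create CFME virtual machine
  azure_rm_virtualmachine:
    resource_group: "{{ az_resources }}"
    name: CloudForms
    vm_size: Standard_D1
    admin_username: "{{ az_username }}"
    admin_password: "{{ az_password }}"
    network_interfaces: "{{ az_nic }}"
    image:
      name: cfme-azure-5.9.0.22-1
      resource_group: CFME-NE
  no_log: true
  when: true

- name: create additional volumes
  azure_rm_managed_disk:
    name: "{{ item.volume_name }}"
    location: eastus
    resource_group: "{{ az_resources }}"
    disk_size_gb: 40
    managed_by: "{{ item.server_name }}"
  register: cluster_volumes_attached
  with_items: "{{ cluster_volumes }}"

- name: create additional CFME volumes
  azure_rm_managed_disk:
    name: CloudForms_var_volume
    location: eastus
    resource_group: "{{ az_resources }}"
    disk_size_gb: 40
    managed_by: CloudForms
  when: true
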
--------------------------------------------------------------------------------
/library/ipaservice:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 |
3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may
4 | # not use this file except in compliance with the License. You may obtain
5 | # a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 | # License for the specific language governing permissions and limitations
13 | # under the License.
14 |
15 | DOCUMENTATION = '''
16 | ---
17 | module: ipaservice
18 | short_description: Add services to FreeIPA
19 | author: Jamie Lennox
20 | notes:
21 | - No attempt is made to handle authentication in this module. This means that
22 | you will probably want to ensure a valid kerberos ticket before running.
23 | - This module does not create the hosts as part of the service enrollment.
24 | That will need to be done seperately.
25 | requirements:
26 | - ipalib
27 | - six
28 | '''
29 |
30 |
31 | import six
32 | from ipalib import api, errors
33 |
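api.bootstrap(context='cli')
api.finalize()
# The RPC connection is opened at import time, before the AnsibleModule below
# exists, so a failure here (no Kerberos ticket, unreachable server) surfaces
# as a traceback rather than a fail_json() result.  Authentication is taken
# from the caller's credential cache; nothing is passed via module arguments.
api.Backend.rpcclient.connect()


from ansible.module_utils.basic import * # noqa

module = AnsibleModule(
    argument_spec=dict(
        principal=dict(required=True),
        # Maps to `ipa service-add --force`, which skips the check that the
        # service's host has a DNS A/AAAA record.  Defaults to the previous
        # always-forced behaviour; pass force=false to keep the DNS check.
        force=dict(type='bool', default=True),
    )
)


def main():
    """Ensure a Kerberos service principal exists in FreeIPA.

    Looks the principal up with ``service_find``; when nothing matches it is
    created with ``service_add``.  Exits the Ansible module with
    ``changed=False`` when the service already exists and ``changed=True``
    after creating it.  ``errors.PublicError`` raised by ipalib propagates
    to the caller, which reports it through ``fail_json``.
    """
    def _param(p):
        # ipalib expects text, not bytes, for RPC arguments.
        v = module.params[p]

        if isinstance(v, six.binary_type):
            v = v.decode('utf-8')

        return v

    principal = _param('principal')
    force = module.params.get('force', True)

    resp = api.Command['service_find'](krbprincipalname=principal)

    if resp['result']:
        module.exit_json(changed=False)
    else:
        api.Command['service_add'](principal, force=force)
        module.exit_json(changed=True)


if __name__ == '__main__':
    try:
        main()
    except errors.PublicError as e:
        # Surface the server-side error text to the playbook.
        module.fail_json(msg=e.msg)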
73 |
--------------------------------------------------------------------------------
/roles/websso/library/ipaservice:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 |
3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may
4 | # not use this file except in compliance with the License. You may obtain
5 | # a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 | # License for the specific language governing permissions and limitations
13 | # under the License.
14 |
15 | DOCUMENTATION = '''
16 | ---
17 | module: ipaservice
18 | short_description: Add services to FreeIPA
19 | author: Jamie Lennox
20 | notes:
21 | - No attempt is made to handle authentication in this module. This means that
22 | you will probably want to ensure a valid kerberos ticket before running.
23 | - This module does not create the hosts as part of the service enrollment.
24 | That will need to be done seperately.
25 | requirements:
26 | - ipalib
27 | - six
28 | '''
29 |
30 |
31 | import six
32 | from ipalib import api, errors
33 |
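api.bootstrap(context='cli')
api.finalize()
# The RPC connection is opened at import time, before the AnsibleModule below
# exists, so a failure here (no Kerberos ticket, unreachable server) surfaces
# as a traceback rather than a fail_json() result.  Authentication is taken
# from the caller's credential cache; nothing is passed via module arguments.
api.Backend.rpcclient.connect()


from ansible.module_utils.basic import * # noqa

module = AnsibleModule(
    argument_spec=dict(
        principal=dict(required=True),
        # Maps to `ipa service-add --force`, which skips the check that the
        # service's host has a DNS A/AAAA record.  Defaults to the previous
        # always-forced behaviour; pass force=false to keep the DNS check.
        force=dict(type='bool', default=True),
    )
)


def main():
    """Ensure a Kerberos service principal exists in FreeIPA.

    Looks the principal up with ``service_find``; when nothing matches it is
    created with ``service_add``.  Exits the Ansible module with
    ``changed=False`` when the service already exists and ``changed=True``
    after creating it.  ``errors.PublicError`` raised by ipalib propagates
    to the caller, which reports it through ``fail_json``.
    """
    def _param(p):
        # ipalib expects text, not bytes, for RPC arguments.
        v = module.params[p]

        if isinstance(v, six.binary_type):
            v = v.decode('utf-8')

        return v

    principal = _param('principal')
    force = module.params.get('force', True)

    resp = api.Command['service_find'](krbprincipalname=principal)

    if resp['result']:
        module.exit_json(changed=False)
    else:
        api.Command['service_add'](principal, force=force)
        module.exit_json(changed=True)


if __name__ == '__main__':
    try:
        main()
    except errors.PublicError as e:
        # Surface the server-side error text to the playbook.
        module.fail_json(msg=e.msg)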
73 |
--------------------------------------------------------------------------------
/roles/cfme/tasks/create.yml:
--------------------------------------------------------------------------------
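---
# Boot a CloudForms appliance from the cfme-46-ga image on the cluster
# network, attach a database volume, record it in the local ssh config and
# add it to the in-memory inventory group "cfme".

- name: create CFME volume
  os_volume:
    cloud: "{{ cloudname }}"
    image: cfme-46-ga
    size: 80
    display_name: cfme_volume
    api_timeout: 120
  register: cfme_volume

- os_networks_facts:
    cloud: "{{ cloudname }}"
    name: "{{ netname }}_network"
  register: osnetwork

- debug:
    var: osnetwork

- name: create CFME server
  os_server:
    cloud: "{{ cloudname }}"
    state: present
    name: "cfme.{{ clustername }}"
    key_name: "{{ sshkeyname }}"
    timeout: 200
    flavor: 2
    boot_volume: "{{ cfme_volume.volume.id }}"
    security_groups:
      - "{{ securitygroupname }}"
    meta:
      hostname: "cfme.{{ clustername }}"
      fqdn: "cfme.{{ clustername }}"
    nics:
      - net-id: "{{ osnetwork.ansible_facts.openstack_networks.0.id }}"
        net-name: "{{ netname }}_network"
  register: cfme_server

- name: create CFME database volume
  os_volume:
    cloud: "{{ cloudname }}"
    size: 80
    display_name: cfme_db_volume
  register: cfme_db_volume

# Attach by ID rather than display name: volume names are not unique in
# Cinder, so a name lookup could pick a leftover volume of the same name.
- name: attach db volume to CFME
  os_server_volume:
    cloud: "{{ cloudname }}"
    state: present
    server: "cfme.{{ clustername }}"
    volume: "{{ cfme_db_volume.volume.id }}"
    device: /dev/vdb

- lineinfile:
    path: "{{ ssh_config_path }}"
    line: Host "cfme.{{ clustername }}"

- lineinfile:
    path: "{{ ssh_config_path }}"
    line: "  Hostname {{ cfme_server.server.interface_ip }}"
    insertafter: "cfme.{{ clustername }}"

# Drop known_hosts entries left by a previous instance with the same name or
# address.  This is trust-on-first-use: the next connection accepts whatever
# host key the new server presents, so verify it out of band (e.g. from the
# instance console log) before using this host for anything sensitive.
- command: ssh-keygen -R {{ cfme_server.server.interface_ip }}
- command: ssh-keygen -R cfme.{{ clustername }}

- name: add to inventory
  add_host:
    groups:
      - cfme
    name: "{{ cfme_server.server.interface_ip }}"

# 'hosts:' is a play keyword and is rejected on a task, and without a target
# the wait would probe the controller itself; delegate to the new server.
- name: Wait up to 180 seconds for the CFME server to become reachable/usable
  wait_for_connection:
    timeout: 180
  delegate_to: "{{ cfme_server.server.interface_ip }}"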
78 |
79 |
80 |
--------------------------------------------------------------------------------
/roles/common/tasks/main.yaml:
--------------------------------------------------------------------------------
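---
# Baseline applied to every host: resolver, SELinux, repos, package updates,
# entropy daemon, NetworkManager, deploy-user SSH keys, sudo and hostname.

# NOTE(review): NetworkManager is started further down and may rewrite
# /etc/resolv.conf; confirm this entry survives (the ipaclient role ships its
# own resolv.conf template).
- name: initialize nameservers
  lineinfile:
    dest: /etc/resolv.conf
    line: "nameserver {{ ipa_forwarder }}"
    insertafter: '^search'

# NOTE(review): this switches SELinux off entirely (takes effect on reboot).
# 'permissive' keeps the policy loaded and logs denials, which is usually
# enough to debug a lab deployment while leaving a way back to enforcing.
- name: disable selinux
  tags:
    - common
  selinux:
    state: disabled

- name: Install repos
  tags:
    - common
  copy:
    src: "{{ item }}"
    dest: "/etc/yum.repos.d/{{ item }}"
  with_items:
    - rhel-server.repo
  when: ansible_distribution == "RedHat" and ansible_distribution_major_version == "7"

- name: upgrade all packages
  tags:
    - common
  yum:
    name: '*'
    state: latest

- name: Install packages
  tags:
    - common
  yum:
    name:
      - rng-tools
      - NetworkManager

# Replace the packaged unit with the role's copy (files/rngd.service).
- name: patch rngd
  tags:
    - common
  copy:
    src: rngd.service
    dest: /etc/systemd/system/rngd.service
  register: rngd

- name: reload systemd units
  tags:
    - common
  command: systemctl daemon-reload
  when: rngd.changed

- name: Start the rngd service
  tags:
    - common
  service:
    name: rngd
    enabled: true
    state: started

- name: Start Network manager
  tags:
    - common
  service:
    name: NetworkManager
    state: started
    enabled: true
  when: ipa_nova_join is undefined

- name: Add second ethernet interface
  tags:
    - common
  command: nmcli connection add type ethernet ifname eth1 con-name ethernet-eth1
  when: (ipa_nova_join is undefined) and (not ansible_eth1.ipv4 is defined)

# Every key listed here gets passwordless access as the deploy user on all
# hosts.  Override common_authorized_key_files per deployment instead of
# adding personal keys to the role; the default keeps the previous behaviour.
- name: Set up authorized_keys for the deploy user
  tags:
    - common
  authorized_key:
    user: "{{ ansible_user_id }}"
    key: "{{ item }}"
  with_file: "{{ common_authorized_key_files | default(['public_keys/work.pub']) }}"

# Ansible runs sudo without a TTY, which 'Defaults requiretty' forbids.
# 'validate' runs visudo on the candidate file first so a bad edit can
# never replace /etc/sudoers and lock everyone out of sudo.
- name: tty-less sudo
  tags:
    - common
  become: true
  lineinfile:
    dest: /etc/sudoers
    state: absent
    regexp: '^Defaults(\s+)requiretty(\s*)$'
    validate: 'visudo -cf %s'

- name: Set server hostname
  tags:
    - common
  become: true
  hostname:
    name: "{{ hostname }}"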
84 |
--------------------------------------------------------------------------------
/roles/provision/openstack/tasks/create.yml:
--------------------------------------------------------------------------------
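---
# Create the cluster's private network, subnet, router, security group and
# the servers listed in cluster_hosts.

- name: int_network
  os_network:
    cloud: "{{ cloudname }}"
    state: present
    name: "{{ netname }}_network"
    external: false
  register: osnetwork

- os_subnet:
    cloud: "{{ cloudname }}"
    state: present
    network_name: "{{ netname }}_network"
    name: "{{ netname }}_subnet"
    cidr: 192.168.24.0/23
    dns_nameservers:
      - "{{ lab_nameserver1 }}"
      - "{{ lab_nameserver2 }}"

- os_router:
    cloud: "{{ cloudname }}"
    state: present
    name: "{{ netname }}_router"
    interfaces: "{{ netname }}_subnet"
    network: "{{ public_network_name }}"

- os_security_group:
    cloud: "{{ cloudname }}"
    state: present
    name: "{{ securitygroupname }}"
    description: security group for foo servers

# Every TCP and UDP port is opened to securitygroup_remote_cidr, which
# defaults to the previous 0.0.0.0/0 — i.e. anyone who can reach the
# router's external network.  Set it to the operator network or the subnet's
# own CIDR anywhere other than a throwaway lab.
- os_security_group_rule:
    cloud: "{{ cloudname }}"
    security_group: "{{ securitygroupname }}"
    protocol: "{{ item }}"
    port_range_min: 1
    port_range_max: 65535
    remote_ip_prefix: "{{ securitygroup_remote_cidr | default('0.0.0.0/0') }}"
  with_items:
    - tcp
    - udp

- debug:
    msg: "Keyname is {{ sshkeyname }}"

- name: create servers
  os_server:
    cloud: "{{ cloudname }}"
    state: present
    name: "{{ item.name }}.{{ clustername }}"
    image: "{{ image_name }}"
    key_name: "{{ sshkeyname }}"
    timeout: 200
    flavor: "{{ item.flavor }}"
    security_groups:
      - "{{ securitygroupname }}"
    nics:
      - net-id: "{{ osnetwork.network.id }}"
        net-name: "{{ netname }}_network"
    meta:
      hostname: "{{ item.name }}.{{ clustername }}"
      fqdn: "{{ item.name }}.{{ clustername }}"
    userdata: |
      #cloud-config
      hostname: "{{ item.name }}.{{ clustername }}"
      fqdn: "{{ item.name }}.{{ clustername }}"
      write_files:
        - path: /etc/sudoers.d/999-ansible-requiretty
          # Quoted so cloud-init reads this as octal 0440.  An unquoted 440
          # is taken as a decimal mode (0670), and sudo refuses to load a
          # group-writable sudoers.d file, so the requiretty override never
          # took effect.
          permissions: '0440'
          content: |
            Defaults:{{ netname }} !requiretty
      # NOTE(review): the per-user Defaults line uses netname as the login
      # account name; confirm that is the intended deploy user.
  with_items: "{{ cluster_hosts }}"
  register: osservers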
76 |
77 |
--------------------------------------------------------------------------------
/roles/provision/azure/vars/main.yml:
--------------------------------------------------------------------------------
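---
# Azure provisioning variables for the CFME demo.  Anything personal or
# secret should come from inventory or Ansible Vault, not from this file.
az_username: ayoung
az_location: eastus
az_resources: ayoung_resources
az_storage: ayoung1storage
az_subnet: subnet001ay
az_sec_group: secgroup001
az_nic: aynic01
az_network: testvn001
# VM admin password.  A literal value used to be committed on this line;
# treat it as compromised and rotate it.  Supply the replacement through the
# AZ_ADMIN_PASSWORD environment variable (or an Ansible Vault variable) so it
# never lands in version control again.
az_password: "{{ lookup('env', 'AZ_ADMIN_PASSWORD') }}"
az_av_set: ayoung_av_set

# 'flavor' is an OpenStack flavor name; the Azure tasks use a fixed vm_size
# and do not read it.
cluster_hosts:
  - name: idm
    flavor: m1.medium
  - name: tower
    flavor: m1.medium

#  - {name: sso, flavor: m1.medium}
#  - {name: master0, flavor: m1.medium} #this needs to be xlarge IAW OSC docs
#  - {name: master1, flavor: m1.medium}
#  - {name: master2, flavor: m1.medium}
#  - {name: node0, flavor: m1.medium}
#  - {name: node1, flavor: m1.medium}
#  - {name: node2, flavor: m1.medium}


cluster_volumes: []
#  - {server_name: idm, volume_name: idm_dirsrv_volume, size: 30}
#  - {server_name: master0, volume_name: master0_tmp_volume, size: 30}
#  - {server_name: master1, volume_name: master1_tmp_volume, size: 30}
#  - {server_name: master2, volume_name: master2_tmp_volume, size: 30}
#  - {server_name: master0, volume_name: master0_local_volume, size: 30}
#  - {server_name: master1, volume_name: master1_local_volume, size: 30}
#  - {server_name: master2, volume_name: master2_local_volume, size: 30}
#  - {server_name: master0, volume_name: master0_docker_volume, size: 30}
#  - {server_name: master1, volume_name: master1_docker_volume, size: 30}
#  - {server_name: master2, volume_name: master2_docker_volume, size: 30}
#  - {server_name: node0, volume_name: node0_tmp_volume, size: 30}
#  - {server_name: node1, volume_name: node1_tmp_volume, size: 30}
#  - {server_name: node2, volume_name: node2_tmp_volume, size: 30}


# SSH public key installed on the cluster VMs for az_username (the path is
# the authorized_keys file inside the VM).  A public key is safe to commit;
# the matching private key must never be.
ayoung_publickey:
  - path: "/home/{{ az_username }}/.ssh/authorized_keys"
    key_data: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0OUPe+UxaIXwwyjD15YiooQM3KoIbLD7/T+o4Ji8Q+bX6BMxNvtgF04Z1lFu7X4U5Rtro8pegxV2weH7jNs5vGvyOgKnNsEY6aeZI1K/e7OPoDDARr2CQ4addxZNtpmlQQ6snvEoypKuzsQDO//wzKGdd7GXD8HiHPkfNjkjYmbUFGuntZibY2vUQOsbCi8D9J8RgycNe0DTjVkDKvJcSJsNiPVOoefX7ZnLclXGgYFMZCAsIPhVWjGgQ7rIB7fEgDTvEiFfNW4JRF4Q6WuYDGiFQ/G3v2XKRghk54xPPJZljM1SyZo8VL1Dn29dfj1dwH4oSTbOLisQM0LJ/EgzT ayoung@ayoung.boston.devel.redhat.com"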
--------------------------------------------------------------------------------
/roles/packstack/templates/keystone-federation-ipsilon.conf.j2:
--------------------------------------------------------------------------------
1 |
# Keystone federation fragment for the packstack role: one GSSAPI/Kerberos
# stanza (identities from SSSD) and two mod_auth_mellon SAML2 stanzas against
# the Ipsilon IdP — one for browser WebSSO, one for ECP clients.
#
# NOTE(review): mod_auth_mellon stanzas are normally scoped to a Location
# block per endpoint, and no such wrapper is visible in this template.  If the
# rendered config really carries both stanzas unscoped, the second overrides
# the first (same cookie name, different key pair and endpoint path) —
# confirm the enclosing blocks exist.
AuthType GSSAPI
AuthName GSSAPI-SSO
# The keytab authenticates this service to the KDC; it must be readable by
# the httpd user only.
GssapiCredStore keytab:/etc/httpd/conf/openstack.keytab
# Only negotiate GSSAPI over TLS, so tickets never travel in the clear.
GssapiSSLonly On
Require valid-user
# mod_lookup_identity: populate REMOTE_USER_EMAIL / REMOTE_USER_GROUPS from
# SSSD; the trailing ';' is the separator placed between group names.
LookupUserAttr mail REMOTE_USER_EMAIL
LookupUserGroups REMOTE_USER_GROUPS ;

SetEnv IDP_ID SSSD



# --- Browser WebSSO via SAML2 (Ipsilon) ---
MellonEnable "auth"
# SP signing key pair and metadata.  The private key file should be owned by
# root and readable by the httpd user only.
MellonSPPrivateKeyFile "/etc/httpd/saml2/websso/certificate.key"
MellonSPCertFile "/etc/httpd/saml2/websso/certificate.pem"
MellonSPMetadataFile "/etc/httpd/saml2/websso/metadata.xml"
# IdP metadata (carries the IdP signing certificate assertions are checked
# against); shared by both stanzas.
MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonEndpointPath /v3/auth/OS-FEDERATION/websso/saml2
# Session cookie name.  The "sesion" spelling is part of the deployed cookie
# name and is left as is.
MellonVariable "saml-sesion-cookie"
# Comment out the next two lines if you want to allow logins on bare HTTP
MellonsecureCookie On
SSLRequireSSL
# REMOTE_USER is taken from the SAML NameID.
MellonUser "NAME_ID"
MellonIdP "IDP"
# Session lifetime in seconds (one hour) before re-authentication at the IdP.
MellonSessionLength 3600
# MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
# MellonPostDirectory "/var/lib/ipsilon/post_cache"
# MellonPostReplay On
MellonMergeEnvVars On



# --- ECP (non-browser) SAML2 clients via Ipsilon; separate SP key pair ---
MellonEnable "auth"
MellonSPPrivateKeyFile "/etc/httpd/saml2/ecp/metadata.key"
MellonSPCertFile "/etc/httpd/saml2/ecp/metadata.cert"
MellonSPMetadataFile "/etc/httpd/saml2/ecp/metadata.xml"
MellonIdPMetadataFile "/etc/httpd/saml2/idp-metadata.xml"
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/ipsilon/protocols/saml2/auth
MellonVariable "saml-sesion-cookie"
# Comment out the next two lines if you want to allow logins on bare HTTP
MellonsecureCookie On
SSLRequireSSL
MellonUser "NAME_ID"
MellonIdP "IDP"
MellonSessionLength 3600
# MellonNoCookieErrorPage "https://idp.example.com/no-cookie-error.html"
# MellonPostDirectory "/var/lib/ipsilon/post_cache"
# MellonPostReplay On
MellonMergeEnvVars On
51 |
52 |
--------------------------------------------------------------------------------
/roles/packstack/handlers/main.yml:
--------------------------------------------------------------------------------
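---
# Service restart handlers for the packstack role.  A handler runs once at
# the end of the play regardless of how many tasks notified it.
- name: restart nova-api
  become: true
  service:
    name: openstack-nova-api
    state: restarted

- name: restart nova-compute
  become: true
  service:
    name: openstack-nova-compute
    state: restarted

- name: restart nova-cert
  become: true
  service:
    name: openstack-nova-cert
    state: restarted

- name: restart nova-conductor
  become: true
  service:
    name: openstack-nova-conductor
    state: restarted

- name: restart nova-consoleauth
  become: true
  service:
    name: openstack-nova-consoleauth
    state: restarted

- name: restart nova-novncproxy
  become: true
  service:
    name: openstack-nova-novncproxy
    state: restarted

- name: restart nova-scheduler
  become: true
  service:
    name: openstack-nova-scheduler
    state: restarted

- name: restart glance-api
  become: true
  service:
    name: openstack-glance-api
    state: restarted

- name: restart glance-registry
  become: true
  service:
    name: openstack-glance-registry
    state: restarted

- name: restart cinder-api
  become: true
  service:
    name: openstack-cinder-api
    state: restarted

- name: restart cinder-scheduler
  become: true
  service:
    name: openstack-cinder-scheduler
    state: restarted

# Previously restarted openstack-cinder-scheduler a second time by mistake,
# so cinder-volume never picked up the configuration changes (Kerberos DB
# grant, glance URL) that notify this handler.
- name: restart cinder-volume
  become: true
  service:
    name: openstack-cinder-volume
    state: restarted

- name: restart neutron-api
  become: true
  service:
    name: neutron-server
    state: restarted

- name: restart neutron-dhcp
  become: true
  service:
    name: neutron-dhcp-agent
    state: restarted

- name: restart neutron-l3
  become: true
  service:
    name: neutron-l3-agent
    state: restarted

- name: restart neutron-metadata
  become: true
  service:
    name: neutron-metadata-agent
    state: restarted

- name: restart neutron-openvswitch
  become: true
  service:
    name: neutron-openvswitch-agent
    state: restarted

- name: restart httpd
  become: true
  service:
    name: httpd
    state: restarted

- name: restart sssd
  become: true
  service:
    name: sssd
    state: restarted

- name: restart firewalld
  become: true
  service:
    name: firewalld
    state: restarted

- name: restart mariadb
  become: true
  service:
    name: mariadb
    state: restarted

- name: restart haproxy
  become: true
  service:
    name: haproxy
    state: restarted

- name: restart qpidd
  become: true
  service:
    name: qpidd
    state: restarted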
88 |
89 |
--------------------------------------------------------------------------------
/roles/packstack/templates/haproxy.cfg:
--------------------------------------------------------------------------------
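# TLS-terminating reverse proxy in front of the OpenStack API services.  Each
# public port is bound with the host certificate and forwarded to the
# loopback-only port the real service was moved to (see packstack vars).
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket.  It is local-only; 'mode 600' keeps other
    # local users from driving the management interface through it.
    stats socket /var/lib/haproxy/stats mode 600

    # TLS policy inherited by every 'bind ... ssl' below: SSLv3 and TLS 1.0/1.1
    # are refused, and the cipher list is limited to forward-secret AES suites
    # with RC4/3DES/NULL/MD5 excluded.  Set once here rather than per frontend.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:DHE+AES:!aNULL:!eNULL:!MD5:!RC4:!3DES

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    timeout connect         10s
    timeout client          10s
    timeout server          10s
    # NOTE(review): exceeds the global maxconn of 4000, which is the
    # process-wide cap; the effective per-frontend limit is the smaller one.
    maxconn                 10000
    balance                 roundrobin
    # Pass the original client address to the services in X-Forwarded-For.
    option                  forwardfor


backend glance-api
    server glance-01 127.0.0.1:{{ glance_api_haproxy_port }} check inter 10s

frontend glance-api
    bind 0.0.0.0:9292 ssl crt {{ haproxy_certs }}
    default_backend glance-api

backend cinder-api
    server cinder-01 127.0.0.1:{{ cinder_api_haproxy_port }} check inter 10s

frontend cinder-api
    bind 0.0.0.0:8776 ssl crt {{ haproxy_certs }}
    default_backend cinder-api

backend neutron-api
    server neutron-01 127.0.0.1:{{ neutron_api_haproxy_port }} check inter 10s

frontend neutron-api
    bind 0.0.0.0:9696 ssl crt {{ haproxy_certs }}
    default_backend neutron-api

backend nova-api
    server nova-01 127.0.0.1:{{ nova_api_haproxy_port }} check inter 10s

frontend nova-api
    bind 0.0.0.0:8774 ssl crt {{ haproxy_certs }}
    default_backend nova-api

backend nova-ec2
    server nova-ec2-01 127.0.0.1:{{ nova_ec2_haproxy_port }} check inter 10s

frontend nova-ec2
    bind 0.0.0.0:8773 ssl crt {{ haproxy_certs }}
    default_backend nova-ec2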
75 |
--------------------------------------------------------------------------------
/roles/ipaserver/tasks/main.yml:
--------------------------------------------------------------------------------
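---
# Install a FreeIPA server with integrated DNS on this host, open the
# firewall for its services and copy the client bootstrap files (krb5.conf
# and the CA certificate) back to the inventory directory.

- name: get hostname to resolve via /etc/hosts file
  lineinfile:
    path: /etc/hosts
    line: "{{ ansible_default_ipv4.address }} {{ ipa_fqdn }}"
    state: present

- name: install ipa packages
  tags:
    - ipaserver
  yum:
    name:
      - ipa-server-dns
      - ipa-server
      - firewalld
    state: present

# next two tasks are a workaround for
# https://bugzilla.redhat.com/show_bug.cgi?id=1519206
- name: create symlink to keep dbus happy
  file:
    src: /usr/libexec/dbus-1
    dest: /lib64/dbus-1
    state: link

- name: restart dbus service
  systemd:
    state: restarted
    name: dbus

- name: Get default DNS
  resolver:
  register: dns_forwarder
  changed_when: false

# The Directory Manager and admin passwords are passed as command-line
# options, so they are briefly visible in the process table on the target.
# no_log keeps them out of the Ansible output and logs at least; rotate
# ipa_dm_password / ipa_admin_password after the install if that exposure
# matters.  'creates' makes the task a no-op on an already-installed server.
- name: install ipa
  tags:
    - ipaserver
  command: >
    ipa-server-install -U
    --realm {{ ipa_realm }}
    --domain {{ ipa_realm | lower }}
    --ds-password {{ ipa_dm_password }}
    --admin-password {{ ipa_admin_password }}
    --setup-dns
    --ip-address {{ ansible_default_ipv4.address }}
    --forwarder {{ dns_forwarder.nameservers[0] }}
  args:
    creates: /etc/ipa/ca.crt
  no_log: true

- name: enable firewalld
  tags:
    - ipaserver
  service:
    enabled: true
    state: started
    name: firewalld

# Services every IPA client needs to reach.
- name: Open Firewall for services
  tags:
    - ipaserver
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  with_items:
    - http
    - https
    - ldap
    - ldaps
    - dns
    - kerberos
    - kpasswd
    - ntp

# Dogtag/PKI ports.  NOTE(review): ordinary clients talk to the CA through
# http/https above; these extra ports serve the CA subsystems themselves and
# replica traffic, so consider limiting them to replica hosts (rich rule or
# a separate zone) instead of opening them to every source.
- name: Open Firewall for ports
  tags:
    - ipaserver
  firewalld:
    port: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  with_items:
    - 9180/tcp
    - 9443-9446/tcp
    - 9701/tcp
    - 7389/tcp
    - 8443/tcp

# Neither file holds secrets: krb5.conf is realm configuration and ca.crt is
# the public CA certificate clients use to trust the server.
- name: Fetch krb5config
  fetch:
    src: /etc/krb5.conf
    dest: "{{ inventory_dir }}/krb5.conf"
    flat: true

- name: Fetch cacert
  fetch:
    src: /etc/ipa/ca.crt
    dest: "{{ inventory_dir }}/ca.crt"
    flat: true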
102 |
103 |
--------------------------------------------------------------------------------
/roles/packstack/tasks/haproxy-fixups.yml:
--------------------------------------------------------------------------------
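# This is essentially a hit list of bad openstack decisions that should be fixed
---
# Point the service-to-service URLs packstack left on plain HTTP at the
# TLS-terminating haproxy frontends (haproxy.cfg) on the same host.
- name: remove old cinder to glance link
  ini_file:
    dest: /etc/cinder/cinder.conf
    section: DEFAULT
    option: glance_host
    state: absent
  notify:
    - restart cinder-api  # i'm not sure this is required
    - restart cinder-volume

- name: add cinder to glance link
  ini_file:
    dest: /etc/cinder/cinder.conf
    section: DEFAULT
    option: glance_api_servers
    state: present
    value: "https://{{ hostname }}:9292"
  notify:
    - restart cinder-api  # i'm not sure this is required
    - restart cinder-volume

# NOTE(review): haproxy.cfg has no frontend on 6080, so this URL only works
# if nova-novncproxy terminates TLS itself; confirm before relying on it.
- name: Fix nova novnc host
  ini_file:
    dest: /etc/nova/nova.conf
    section: DEFAULT
    option: novncproxy_base_url
    value: "https://{{ hostname }}:6080/vnc_auto.html"
  notify:
    - restart nova-api
    - restart nova-novncproxy
    - restart nova-scheduler

- name: Fix nova neutron url
  ini_file:
    dest: /etc/nova/nova.conf
    section: neutron
    option: url
    value: "https://{{ hostname }}:9696"
  notify:
    - restart nova-api
    - restart nova-novncproxy
    - restart nova-scheduler

- name: Fix nova glance url
  ini_file:
    dest: /etc/nova/nova.conf
    section: glance
    option: api_servers
    value: "https://{{ hostname }}:9292"
  notify:
    - restart nova-api
    - restart nova-novncproxy
    - restart nova-scheduler

- name: Fix neutron nova url
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: DEFAULT
    option: nova_url
    value: "https://{{ hostname }}:8774/v2"
  notify:
    - restart neutron-api

- name: Fix neutron metadata auth
  ini_file:
    dest: /etc/neutron/metadata_agent.ini
    section: DEFAULT
    option: auth_url
    value: "https://{{ hostname }}:5000/v2.0"
  notify:
    - restart neutron-metadata

# The metadata agent proxies instance requests to nova's metadata API; send
# that leg over TLS as well.
- name: Fix neutron metadata nova url
  ini_file:
    dest: /etc/neutron/metadata_agent.ini
    section: DEFAULT
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    nova_metadata_ip: "{{ hostname }}"
    nova_metadata_protocol: https
  notify:
    - restart neutron-metadata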
78 |
--------------------------------------------------------------------------------
/roles/mariadb-kerberos/tasks/mariadb-kerberos.yml:
--------------------------------------------------------------------------------
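---
# Move the OpenStack service database accounts from the password logins
# packstack created to Kerberos: each account is dropped and recreated so
# that only the service's own host principal can use it.

# Relies on root connecting without a password (local socket); the same
# trust this host already places in its root account.
- name: get mysql grants
  tags:
    - mariadb
  command: mysql -u root --execute="select User from mysql.user where plugin='kerberos';"
  register: kerberos_users
  changed_when: false

# Existence is tested against stdout_lines (one account per line) rather than
# a substring of stdout, so an unrelated account whose name merely contains
# 'nova' or 'cinder' can no longer satisfy the check and skip the grant.
# DROP USER fails when the account does not exist, so a partial earlier run
# has to be repaired by hand.
- name: add keystone kerberos grant
  tags:
    - mariadb
  command: >
    mysql -u root
    --execute="DROP USER keystone_admin; CREATE USER keystone_admin IDENTIFIED VIA kerberos AS 'keystone/{{ hostname }}@{{ ipa_realm }}'; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone_admin';"
  when: "'keystone_admin' not in kerberos_users.stdout_lines"
  notify:
    - restart httpd

- name: add glance kerberos grant
  tags:
    - mariadb
  command: >
    mysql -u root
    --execute="DROP USER glance; CREATE USER glance IDENTIFIED VIA kerberos AS 'glance/{{ hostname }}@{{ ipa_realm }}'; GRANT ALL PRIVILEGES ON glance.* TO 'glance';"
  when: "'glance' not in kerberos_users.stdout_lines"
  notify:
    - restart glance-api
    - restart glance-registry

- name: add cinder kerberos grant
  tags:
    - mariadb
  command: >
    mysql -u root
    --execute="DROP USER cinder; CREATE USER cinder IDENTIFIED VIA kerberos AS 'cinder/{{ hostname }}@{{ ipa_realm }}'; GRANT ALL PRIVILEGES ON cinder.* TO 'cinder';"
  when: "'cinder' not in kerberos_users.stdout_lines"
  notify:
    - restart cinder-api
    - restart cinder-scheduler
    - restart cinder-volume

- name: add nova kerberos grant
  tags:
    - mariadb
  command: >
    mysql -u root
    --execute="DROP USER nova; CREATE USER nova IDENTIFIED VIA kerberos AS 'nova/{{ hostname }}@{{ ipa_realm }}'; GRANT ALL PRIVILEGES ON nova.* TO 'nova';"
  when: "'nova' not in kerberos_users.stdout_lines"
  notify:
    - restart nova-compute
    - restart nova-cert
    - restart nova-conductor
    - restart nova-consoleauth
    - restart nova-novncproxy
    - restart nova-scheduler

- name: add neutron kerberos grant
  tags:
    - mariadb
  command: >
    mysql -u root
    --execute="DROP USER neutron; CREATE USER neutron IDENTIFIED VIA kerberos AS 'neutron/{{ hostname }}@{{ ipa_realm }}'; GRANT ALL PRIVILEGES ON neutron.* TO 'neutron';"
  when: "'neutron' not in kerberos_users.stdout_lines"
  notify:
    - restart neutron-api
    - restart neutron-dhcp
    - restart neutron-l3
    - restart neutron-metadata
    - restart neutron-openvswitch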
69 |
--------------------------------------------------------------------------------
/roles/packstack/vars/main.yml:
--------------------------------------------------------------------------------
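---
# NOTE(review): the key is the literal text \"identity\" (backslashes and
# quotes included), presumably so a template can paste it into JSON; confirm
# the consumer expects that rather than a plain 'identity' key.
openstack_api_versions:
  \"identity\": 3

# Admin credentials for the openstack CLI tasks.  The password defaults to
# the packstack demo value so existing deployments keep working; override
# openstack_admin_password from inventory or Ansible Vault on any deployment
# reachable beyond the lab.
os_env:
  OS_AUTH_TYPE: v3password
  OS_AUTH_URL: "https://{{ ansible_fqdn }}:5000/v3"
  OS_USERNAME: admin
  OS_PASSWORD: "{{ openstack_admin_password | default('password') }}"
  OS_PROJECT_NAME: admin
  OS_USER_DOMAIN_ID: default
  OS_PROJECT_DOMAIN_ID: default
  OS_IDENTITY_API_VERSION: 3

# Same credentials with the v2 identity API selected (e.g. for the cinder CLI).
os_env_v2:
  OS_AUTH_TYPE: v3password
  OS_AUTH_URL: "https://{{ ansible_fqdn }}:5000/v3"
  OS_USERNAME: admin
  OS_PASSWORD: "{{ openstack_admin_password | default('password') }}"
  OS_PROJECT_NAME: admin
  OS_USER_DOMAIN_ID: default
  OS_PROJECT_DOMAIN_ID: default
  OS_IDENTITY_API_VERSION: 2
  OS_TENANT_NAME: admin

# keystonemiddleware auth settings shared by the services: each service
# authenticates to Keystone with its Kerberos principal through the 'sssd'
# identity provider, so no service password is configured here.
service_authtoken:
  auth_uri: "https://{{ hostname }}:5000"
  auth_plugin: v3fedkerb
  auth_url: "https://{{ hostname }}:5000/v3"
  identity_provider: sssd
  protocol: kerberos
  project_name: services
  project_domain_id: default

mysql_principal: "MySQL/{{ ansible_fqdn }}@{{ ipa_realm }}"

# Loopback ports the real API services are moved to; haproxy terminates TLS
# on the public ports and forwards to these.
glance_api_haproxy_port: 9293
cinder_api_haproxy_port: 8777
neutron_api_haproxy_port: 9697
nova_api_haproxy_port: 8778
nova_ec2_haproxy_port: 8779


#Messaging options

# NOTE(review): if these land in [oslo_messaging_amqp], allow_insecure_clients
# lets peers connect over plain TCP as well as SSL, which undercuts the GSSAPI
# SASL mechanism selected below; confirm it is still wanted.
oslo_messaging_ampq:
  allow_insecure_clients: True
  broadcast_prefix: broadcast
  group_request_prefix: unicast
  idle_timeout: 0
  server_request_prefix: exclusive
  trace: False
  sasl_mechanisms: GSSAPI

# Set of options to remove: these are
# setup by packstack in the default section of the
# services config files
default_messaging_options:
  - qpid_hostname
  - qpid_username
  - qpid_password
  - qpid_heartbeat
  - qpid_protocol
  - qpid_tcp_nodelay
  - qpid_port
  - rpc_backend

rabbit_messaging_options:
  - rabbit_host
  - rabbit_port
  - rabbit_hosts
  - rabbit_use_ssl
  - rabbit_userid
  - rabbit_password
  - rabbit_virtual_host
  - rabbit_ha_queues
  - heartbeat_timeout_threshold
  - heartbeat_rate


# NOTE(review): 'queue-patterns' appears twice.  A YAML mapping cannot hold
# duplicate keys, so only the last value (exclusive) survives and 'unicast'
# is silently dropped.  Emitting both needs a list-valued structure and a
# matching change in whatever template consumes this.
ampq_conf_options:
  topic-patterns: broadcast
  queue-patterns: unicast
  queue-patterns: exclusive

amqp_transport_url: "amqp://{{ ansible_fqdn }}"

my_cnf:
  datadir: /var/lib/mysql
  socket: /var/lib/mysql/mysql.sock
  log-error: /var/log/mariadb/mariadb.log
  pid-file: /var/run/mariadb/mariadb.pid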
95 |
--------------------------------------------------------------------------------
/roles/barbican/tasks/test-encrypted-volumes.yml:
--------------------------------------------------------------------------------
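---
# Enable the Barbican key manager in nova and cinder, then create a LUKS
# volume type with an encryption spec and one encrypted test volume.
- name: enable barbican key manager in nova
  ini_file:
    dest: /etc/nova/nova.conf
    section: keymgr
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    api_class: "nova.keymgr.barbican.BarbicanKeyManager"
    encryption_auth_url: "https://{{ hostname }}:5000/v3"
  notify:
    - restart nova-api

- name: enable barbican key manager in cinder
  ini_file:
    dest: /etc/cinder/cinder.conf
    section: keymgr
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    api_class: "cinder.keymgr.barbican.BarbicanKeyManager"
    encryption_auth_url: "https://{{ hostname }}:5000/v3"
  notify:
    - restart cinder-api

# 'environment' needs the dictionary itself: a bare variable name is not
# expanded (Ansible 2 rejects it with "environment must be a dictionary"),
# so the CLI tasks would never see the OS_* credentials.
- name: list volume types
  command: openstack volume type list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_volume_type_list
  changed_when: false

- name: list volumes
  command: openstack volume list -c "Display Name" -f csv
  environment: "{{ os_env }}"
  register: os_volume_list
  changed_when: false

- name: list encrypted volume types
  shell: cinder encryption-type-list |awk '{print $4}'
  environment: "{{ os_env_v2 }}"
  register: os_encrypted_volume_type_list
  changed_when: false

# The csv output quotes names, hence the escaped quotes in the checks below.
- name: create volume type LUKS
  command: openstack volume type create LUKS
  environment: "{{ os_env }}"
  when: '"\"LUKS\"" not in os_volume_type_list.stdout_lines'

# AES-256 in XTS mode (key_size is the combined 512-bit XTS key) with
# front-end (compute node) encryption, so data leaves the hypervisor
# already encrypted.
- name: create volume encryption type for LUKS
  command: >
    cinder encryption-type-create
    --cipher aes-xts-plain64
    --key_size 512 --control_location front-end
    LUKS
    nova.volume.encryptors.luks.LuksEncryptor
  environment: "{{ os_env_v2 }}"
  when: '"nova.volume.encryptors.luks.LuksEncryptor" not in os_encrypted_volume_type_list.stdout_lines'

- name: create encrypted volume
  command: >
    openstack volume create
    --size 1
    --type LUKS
    encrypted_volume
  environment: "{{ os_env }}"
  when: '"\"encrypted_volume\"" not in os_volume_list.stdout_lines'

#- name: create new server
#  command: >
#    openstack server create
#    --flavor 1
#    --image os_image_id
#    --nic "net-id={{ os_net_id }}"
#    vm-test
#  environment: "{{ os_env }}"

#- name: attach encrypted volume to server
#  command: >
#    openstack server add volume --device /dev/vdc testvm encrypted_volume
#  environment: "{{ os_env }}"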
78 |
--------------------------------------------------------------------------------
/roles/keycloak/templates/freeipa-realm.json:
--------------------------------------------------------------------------------
1 | {
2 | "id": "freeipa",
3 | "realm": "freeipa",
4 | "enabled": true,
5 | "sslRequired": "none",
6 | "registrationAllowed": false,
7 | "resetPasswordAllowed": false,
8 | "passwordCredentialGrantAllowed": false,
9 | "privateKey": "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",
10 | "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
11 | "requiredCredentials": [ "kerberos", "password" ],
12 | "userFederationProviders" : [
13 | {
14 | "displayName" : "freeipa-ldap",
15 | "providerName" : "ldap",
16 | "priority" : 1,
17 | "config" : {
18 | "userDnSuffix" : "cn=users,cn=accounts,{{ ipa_base_dn }}",
19 | "bindDn" : "cn=Directory Manager",
20 | "userObjectClasses" : "person",
21 | "baseDn" : "{{ ipa_base_dn }}",
22 | "vendor" : "rhds",
23 | "kerberosRealm" : "{{ ipa_realm }}",
24 | "syncRegistrations" : "false",
25 | "userAccountControlsAfterPasswordUpdate" : "true",
26 | "debug" : "true",
27 | "connectionPooling" : "true",
28 | "serverPrincipal" : "HTTP/${{ host }}@{{ ipa_realm }}",
29 | "usernameLDAPAttribute" : "uid",
30 | "allowKerberosAuthentication" : "true",
31 | "useKerberosForPasswordAuthentication" : "false",
32 | "keyTab" : "/etc/httpd/conf/ipa.keytab",
33 | "bindCredential" : "{{ ipa_server_password }}",
34 | "connectionUrl" : "ldap://{{ ansible_fqdn }}:389",
35 | "batchSizeForSync" : "1000",
36 | "editMode" : "WRITABLE",
37 | "pagination" : "true"
38 | }
39 | }
40 | ]
41 | }
42 |
43 |
--------------------------------------------------------------------------------
/roles/tripleo/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
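- name: Subscribe
  redhat_subscription:
    state: present
    username: "{{ redhat_user }}"
    password: "{{ redhat_password }}"
    pool_ids: "{{ redhat_pool_id }}"
  # A failed subscription must stop the play: every task below depends on
  # the RHSM repositories it unlocks. ('false', not 'no': yamllint truthy.)
  ignore_errors: false


- name: Disable all RHSM repositories
  rhsm_repository:
    name: '*'
    state: disabled

- name: Enable OpenStack repositories
  # rhsm_repository takes a list directly; one module call instead of a
  # with_items loop, same end state.
  rhsm_repository:
    name:
      - rhel-7-server-rpms
      - rhel-7-server-extras-rpms
      - rhel-7-server-rh-common-rpms
      - rhel-ha-for-rhel-7-server-rpms
      - rhel-7-server-openstack-13-rpms
    state: enabled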
27 |
28 |
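- name: upgrade all packages
  # NOTE(review): 'latest' on '*' installs whatever the enabled repos serve
  # at run time, so two runs are not guaranteed to give the same package
  # set. Pin versions if the undercloud must be reproducible.
  yum:
    name: '*'
    state: latest


- name: install openstack packages
  # The package module accepts a list; one transaction instead of a loop.
  package:
    name:
      - python-tripleoclient
      # - ceph-ansible
      - screen
      - python-novajoin
    state: present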
44 |
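- name: Add the 'stack' user
  user:
    name: stack
    comment: stack installer


- name: Set authorized key taken from file
  # The lookup reads the public key on the controller. The path is now a
  # variable; the former hard-coded personal path stays as the default so
  # existing inventories render the same key.
  authorized_key:
    user: stack
    state: present
    key: "{{ lookup('file', stack_authorized_key_file | default('/home/ayoung/.ssh/id_rsa.pub')) }}"

- name: setup passwordless sudo for stack
  copy:
    src: sudoers
    dest: /etc/sudoers.d/stack
    owner: root
    group: root
    mode: "0440"
    # Syntax-check the fragment before installing it: a malformed file in
    # /etc/sudoers.d breaks sudo for every user on the host.
    validate: /usr/sbin/visudo -cf %s

- name: undercloud.conf
  copy:
    src: undercloud.conf
    dest: /home/stack
    owner: stack
    group: stack
    # undercloud.conf may carry deployment passwords; make it owner-only
    # instead of the umask-derived default.
    mode: "0600"

- name: stack directories
  file:
    path: /home/stack/{{ item }}
    state: directory
    owner: stack
    group: stack

  with_items:
    - images
    - templates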
82 |
83 |
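- name: hostname
  hostname:
    name: "{{ host_name }}.{{ cluster_domain }}"

- name: add hostname entry into /etc/hosts
  lineinfile:
    path: /etc/hosts
    # Replace an existing entry for this FQDN rather than appending a second
    # one when static_ip_address changes between runs.
    regexp: '\s{{ host_name }}\.{{ cluster_domain }}(\s|$)'
    line: "{{ static_ip_address }} {{ host_name }}.{{ cluster_domain }} {{ host_name }}"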
92 |
93 |
94 |
95 |
96 |
97 |
# In /etc/sysconfig/docker make sure INSECURE_REGISTRY reads:
# INSECURE_REGISTRY="--insecure-registry 10.127.0.1:8787 --insecure-registry passimian.home.younglogic.net:8787 --insecure-registry 10.127.0.3:8787"
# Each --insecure-registry entry makes docker accept plain HTTP or an
# unverified TLS certificate from that registry, so pulls from it are not
# authenticated. Keep the list to the local undercloud registry and remove
# it once the registry serves a certificate the hosts trust.
100 |
# systemctl restart docker
102 |
103 |
104 |
105 | # 48 sudo openstack overcloud container image upload --config-file /home/stack/local_registry_images.yaml --verbose
106 |
--------------------------------------------------------------------------------
/roles/packstack/templates/answers.txt.j2:
--------------------------------------------------------------------------------
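[general]

# NOTE(review): this is the fallback for every packstack password that is
# not set explicitly below. It is templated so a vaulted variable can
# override it; the default keeps existing renders identical but is only
# acceptable on an isolated lab host.
CONFIG_DEFAULT_PASSWORD={{ packstack_default_password | default('password') }}
CONFIG_MARIADB_INSTALL=y
CONFIG_GLANCE_INSTALL=y
CONFIG_MANILA_INSTALL=n
CONFIG_NOVA_INSTALL=y
CONFIG_NEUTRON_INSTALL=y
CONFIG_HORIZON_INSTALL=y
CONFIG_SWIFT_INSTALL=n
CONFIG_CEILOMETER_INSTALL=n
CONFIG_HEAT_INSTALL=n
CONFIG_SAHARA_INSTALL=n
CONFIG_TROVE_INSTALL=n
CONFIG_IRONIC_INSTALL=n
CONFIG_CLIENT_INSTALL=n
CONFIG_NAGIOS_INSTALL=n
CONFIG_DEBUG_MODE=n
CONFIG_USE_EPEL=n

# Certificates come from the FreeIPA CA instead of packstack self-signing.
CONFIG_SSL_CACERT_SELFSIGN=n
CONFIG_SSL_CACERT_FILE=/etc/ipa/ca.crt
CONFIG_SSL_KEY_FILE={{ ssl_key }}


# NOTE(review): the admin token is a shared secret that bypasses keystone
# authentication entirely. packstack needs it to bootstrap; disable the
# admin_token_auth filter in keystone's paste pipeline once the install
# has finished.
CONFIG_KEYSTONE_ADMIN_TOKEN={{ admin_token }}

CONFIG_KEYSTONE_SERVICE_NAME=httpd
CONFIG_KEYSTONE_IDENTITY_BACKEND=sql
CONFIG_KEYSTONE_DB_PW={{ keystone_db_password }}
CONFIG_KEYSTONE_ADMIN_PW={{ keystone_admin_password }}
CONFIG_KEYSTONE_DEMO_PW={{ keystone_demo_password }}

CONFIG_CINDER_BACKEND=lvm
CONFIG_CINDER_VOLUMES_CREATE=y
CONFIG_CINDER_VOLUMES_SIZE=20G
CONFIG_CINDER_DB_PW={{ cinder_db_password }}
CONFIG_CINDER_KS_PW={{ cinder_password }}

CONFIG_GLANCE_KS_PW={{ glance_password }}

CONFIG_NOVA_SCHED_CPU_ALLOC_RATIO=16.0
CONFIG_NOVA_SCHED_RAM_ALLOC_RATIO=1.5
CONFIG_NOVA_COMPUTE_MANAGER=nova.compute.manager.ComputeManager
CONFIG_NOVA_NETWORK_NUMBER=1
CONFIG_NOVA_NETWORK_SIZE=255
CONFIG_NOVA_NETWORK_VLAN_START=100
CONFIG_NOVA_NETWORK_AUTOASSIGNFLOATINGIP=n
CONFIG_NOVA_KS_PW={{ nova_password }}
CONFIG_NOVA_DB_PW={{ nova_db_password }}

CONFIG_NEUTRON_KS_PW={{ neutron_password }}
CONFIG_NEUTRON_DB_PW={{ neutron_db_password }}

CONFIG_HORIZON_SSL=y
CONFIG_HORIZON_SSL_CACERT=/etc/ipa/ca.crt
CONFIG_HORIZON_SSL_KEY={{ ssl_key }}
CONFIG_HORIZON_SSL_CERT={{ ssl_cert }}

CONFIG_VNC_SSL_CERT={{ ssl_cert }}
CONFIG_VNC_SSL_KEY={{ ssl_key }}

CONFIG_PROVISION_TEMPEST=n
CONFIG_PROVISION_DEMO=n

# Demo provisioning is off above, so the plain-http image URL is not
# fetched. If it is ever enabled, verify the image checksum: HTTP gives no
# integrity guarantee for what ends up in glance.
CONFIG_PROVISION_IMAGE_NAME=cirros
CONFIG_PROVISION_IMAGE_URL=http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-disk.img
CONFIG_PROVISION_IMAGE_FORMAT=qcow2
CONFIG_PROVISION_IMAGE_SSH_USER=cirros

CONFIG_NOVA_COMPUTE_PRIVIF={{ ansible_default_ipv4.interface }}
CONFIG_NOVA_NETWORK_PRIVIF={{ ansible_default_ipv4.interface }}
CONFIG_NOVA_NETWORK_PUBIF={{ ansible_default_ipv4.interface }}
CONFIG_NOVA_NETWORK_FIXEDRANGE=192.168.32.0/22



# NOTE(review): the message bus is neither encrypted nor authenticated:
# anything that can reach CONFIG_AMQP_HOST can publish RPC calls to every
# service. Tolerable only on a single all-in-one host; set
# CONFIG_AMQP_ENABLE_SSL=y and CONFIG_AMQP_ENABLE_AUTH=y before the broker
# is reachable from a shared network.
CONFIG_AMQP_BACKEND=rabbitmq
CONFIG_AMQP_HOST={{ ansible_default_ipv4.address }}
CONFIG_AMQP_ENABLE_SSL=n
CONFIG_AMQP_ENABLE_AUTH=n
# Presumably unused while SSL/auth are off; templated so they stop being
# literal 'password' the moment either is switched on.
CONFIG_AMQP_NSS_CERTDB_PW={{ amqp_nss_certdb_password | default('password') }}
CONFIG_AMQP_AUTH_USER=amqp_user
CONFIG_AMQP_AUTH_PASSWORD={{ amqp_auth_password | default('password') }}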
85 |
86 |
87 |
--------------------------------------------------------------------------------
/roles/packstack/templates/answers.txt.autoregister-neutron:
--------------------------------------------------------------------------------
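[general]

# NOTE(review): this is the fallback for every packstack password that is
# not set explicitly below. It is templated so a vaulted variable can
# override it; the default keeps existing renders identical but is only
# acceptable on an isolated lab host.
CONFIG_DEFAULT_PASSWORD={{ packstack_default_password | default('password') }}
CONFIG_MARIADB_INSTALL=y
CONFIG_GLANCE_INSTALL=y
CONFIG_MANILA_INSTALL=n
CONFIG_NOVA_INSTALL=y
CONFIG_NEUTRON_INSTALL=y
CONFIG_HORIZON_INSTALL=y
CONFIG_SWIFT_INSTALL=n
CONFIG_CEILOMETER_INSTALL=n
CONFIG_HEAT_INSTALL=n
CONFIG_SAHARA_INSTALL=n
CONFIG_TROVE_INSTALL=n
CONFIG_IRONIC_INSTALL=n
CONFIG_CLIENT_INSTALL=n
CONFIG_NAGIOS_INSTALL=n
CONFIG_DEBUG_MODE=n
CONFIG_USE_EPEL=n

# Certificates come from the FreeIPA CA instead of packstack self-signing.
CONFIG_SSL_CACERT_SELFSIGN=n
CONFIG_SSL_CACERT_FILE=/etc/ipa/ca.crt
CONFIG_SSL_KEY_FILE={{ ssl_key }}


# NOTE(review): the admin token is a shared secret that bypasses keystone
# authentication entirely. packstack needs it to bootstrap; disable the
# admin_token_auth filter in keystone's paste pipeline once the install
# has finished.
CONFIG_KEYSTONE_ADMIN_TOKEN={{ admin_token }}

CONFIG_KEYSTONE_SERVICE_NAME=httpd
CONFIG_KEYSTONE_IDENTITY_BACKEND=sql
CONFIG_KEYSTONE_DB_PW={{ keystone_db_password }}
CONFIG_KEYSTONE_ADMIN_PW={{ keystone_admin_password }}
CONFIG_KEYSTONE_DEMO_PW={{ keystone_demo_password }}

CONFIG_CINDER_BACKEND=lvm
CONFIG_CINDER_VOLUMES_CREATE=y
CONFIG_CINDER_VOLUMES_SIZE=20G
CONFIG_CINDER_DB_PW={{ cinder_db_password }}
CONFIG_CINDER_KS_PW={{ cinder_password }}

CONFIG_GLANCE_KS_PW={{ glance_password }}

CONFIG_NOVA_SCHED_CPU_ALLOC_RATIO=16.0
CONFIG_NOVA_SCHED_RAM_ALLOC_RATIO=1.5
CONFIG_NOVA_COMPUTE_MANAGER=nova.compute.manager.ComputeManager
CONFIG_NOVA_NETWORK_NUMBER=1
CONFIG_NOVA_NETWORK_SIZE=255
CONFIG_NOVA_NETWORK_VLAN_START=100
CONFIG_NOVA_NETWORK_AUTOASSIGNFLOATINGIP=n
CONFIG_NOVA_KS_PW={{ nova_password }}
CONFIG_NOVA_DB_PW={{ nova_db_password }}

CONFIG_NEUTRON_KS_PW={{ neutron_password }}
CONFIG_NEUTRON_DB_PW={{ neutron_db_password }}

CONFIG_HORIZON_SSL=y
CONFIG_HORIZON_SSL_CACERT=/etc/ipa/ca.crt
CONFIG_HORIZON_SSL_KEY={{ ssl_key }}
CONFIG_HORIZON_SSL_CERT={{ ssl_cert }}

CONFIG_VNC_SSL_CERT={{ ssl_cert }}
CONFIG_VNC_SSL_KEY={{ ssl_key }}

CONFIG_PROVISION_TEMPEST=n
CONFIG_PROVISION_DEMO=n

# Demo provisioning is off above, so the plain-http image URL is not
# fetched. If it is ever enabled, verify the image checksum: HTTP gives no
# integrity guarantee for what ends up in glance.
CONFIG_PROVISION_IMAGE_NAME=cirros
CONFIG_PROVISION_IMAGE_URL=http://download.cirros-cloud.net/0.3.3/cirros-0.3.3-x86_64-disk.img
CONFIG_PROVISION_IMAGE_FORMAT=qcow2
CONFIG_PROVISION_IMAGE_SSH_USER=cirros

CONFIG_NOVA_COMPUTE_PRIVIF={{ ansible_default_ipv4.interface }}
CONFIG_NOVA_NETWORK_PRIVIF={{ ansible_default_ipv4.interface }}
CONFIG_NOVA_NETWORK_PUBIF={{ ansible_default_ipv4.interface }}
CONFIG_NOVA_NETWORK_FIXEDRANGE=192.168.32.0/22



# NOTE(review): the message bus is neither encrypted nor authenticated:
# anything that can reach CONFIG_AMQP_HOST can publish RPC calls to every
# service. Tolerable only on a single all-in-one host; set
# CONFIG_AMQP_ENABLE_SSL=y and CONFIG_AMQP_ENABLE_AUTH=y before the broker
# is reachable from a shared network.
CONFIG_AMQP_BACKEND=qpid
# Unlike answers.txt.j2 this variant hard-wires eth0 rather than the
# default-route interface; the render fails on hosts without an eth0.
CONFIG_AMQP_HOST={{ ansible_eth0.ipv4.address }}
CONFIG_AMQP_ENABLE_SSL=n
CONFIG_AMQP_ENABLE_AUTH=n
# Presumably unused while SSL/auth are off; templated so they stop being
# literal 'password' the moment either is switched on.
CONFIG_AMQP_NSS_CERTDB_PW={{ amqp_nss_certdb_password | default('password') }}
CONFIG_AMQP_AUTH_USER=amqp_user
CONFIG_AMQP_AUTH_PASSWORD={{ amqp_auth_password | default('password') }}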
85 |
86 |
87 |
--------------------------------------------------------------------------------
/roles/provision/azure/tasks/main.yml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
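- name: login
  # The service-principal secret is passed on the command line. no_log keeps
  # it out of the play output and log files; it is still briefly visible in
  # the controller's process list while 'az' runs.
  command: az login --service-principal --username {{ name }} --password {{ password }} --tenant {{ tenant }}
  no_log: true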
6 |
7 |
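- name: create resource group
  # Folded scalars (>-) join the continuation lines with single spaces. The
  # trailing backslashes used before are literal characters inside a YAML
  # plain scalar, not line continuations, and can reach 'az' as stray
  # arguments.
  command: >-
    az group create
    --name {{ az_resources }}
    --location {{ az_location }}


- name: Create virtual network
  command: >-
    az network vnet create
    --resource-group {{ az_resources }}
    --name "{{ az_network }}"
    --address-prefix 192.168.0.0/16
    --subnet-name "{{ az_subnet }}"
    --subnet-prefix 192.168.1.0/24


- name: Create a public IP address
  # The DNS label suffix is now a variable; the former personal suffix stays
  # as the default so existing deployments render the same label.
  command: >-
    az network public-ip create
    --resource-group {{ az_resources }}
    --name "{{ item.name }}.publicip"
    --dns-name {{ item.name }}{{ az_dns_suffix | default('ayoung') }}
  with_items: "{{ cluster_hosts }}"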
28 |
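- name: Create a network security group
  command: >-
    az network nsg create
    --resource-group {{ az_resources }}
    --name "{{ az_sec_group }}"

- name: Allow SSH traffic
  # NOTE(review): no source filter is given, so the rule presumably takes
  # az's default of any source -- every VM attached to this NSG has port 22
  # open to the Internet. Add --source-address-prefixes with the operator
  # networks before using this outside a lab.
  command: >-
    az network nsg rule create
    --resource-group {{ az_resources }}
    --nsg-name "{{ az_sec_group }}"
    --name "{{ az_sec_group }}SSH"
    --protocol tcp
    --priority 1000
    --destination-port-range 22
    --access allow

- name: Allow HTTP traffic
  command: >-
    az network nsg rule create
    --resource-group {{ az_resources }}
    --nsg-name "{{ az_sec_group }}"
    --name "{{ az_sec_group }}HTTP"
    --protocol tcp
    --priority 1001
    --destination-port-range 80
    --access allow

- name: Allow HTTPS traffic
  command: >-
    az network nsg rule create
    --resource-group {{ az_resources }}
    --nsg-name "{{ az_sec_group }}"
    --name "{{ az_sec_group }}HTTPS"
    --protocol tcp
    --priority 1002
    --destination-port-range 443
    --access allow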
63 |
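- name: Create a Virtual NIC
  command: >-
    az network nic create
    --resource-group {{ az_resources }}
    --name "{{ item.name }}.nic"
    --vnet-name "{{ az_network }}"
    --subnet "{{ az_subnet }}"
    --public-ip-address "{{ item.name }}.publicip"
    --network-security-group "{{ az_sec_group }}"
  with_items: "{{ cluster_hosts }}"

- name: Create an availability set
  command: >-
    az vm availability-set create
    --resource-group {{ az_resources }}
    --name {{ az_av_set }}

- name: create vm
  # Key-based login only: no --admin-password is passed, so cloud-user is
  # created with the supplied SSH public key.
  command: >-
    az vm create
    -n {{ item.name }}
    -g {{ az_resources }}
    --image RHEL
    --availability-set {{ az_av_set }}
    --nics "{{ item.name }}.nic"
    --admin-username cloud-user
    --ssh-key-value "{{ pubkey }}"
  with_items: "{{ cluster_hosts }}"
  register: osservers



- name: logout
  # Clears the CLI's cached credentials on the controller. Only reached when
  # every task above succeeded; wrap the role in block/always if the session
  # must be dropped on failure too.
  command: az logout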
--------------------------------------------------------------------------------
/roles/packstack/tasks/serviceauth.yml:
--------------------------------------------------------------------------------
1 | ---
2 | #- name: python-keystoneclient-kerberos
3 | # yum: name=python-keystoneclient-kerberos
4 | # state=installed
5 |
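- name: nova v3 authentication
  # 'service_authtoken' is expected to carry the service user's password;
  # no_log keeps the per-item values out of the play output and logs.
  # Block-style module args instead of key=value so values with spaces or
  # '=' are passed intact.
  ini_file:
    dest: /etc/nova/nova.conf
    section: keystone_authtoken
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart nova-api

- name: nova v3 authentication for cinder
  # Same credentials, written to the [cinder] client section of nova.conf.
  ini_file:
    dest: /etc/nova/nova.conf
    section: cinder
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart nova-api

- name: glance-api v3 authentication
  ini_file:
    dest: /etc/glance/glance-api.conf
    section: keystone_authtoken
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart glance-api

- name: glance-registry v3 authentication
  ini_file:
    dest: /etc/glance/glance-registry.conf
    section: keystone_authtoken
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart glance-registry

- name: cinder v3 authentication
  ini_file:
    dest: /etc/cinder/cinder.conf
    section: keystone_authtoken
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart cinder-api

- name: neutron v3 authentication
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: keystone_authtoken
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart neutron-api

- name: neutron v3 authentication for nova
  # Credentials neutron uses to call back into nova ([nova] section).
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: nova
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart neutron-api

- name: neutron v3 authentication continued
  ini_file:
    dest: /etc/neutron/neutron.conf
    section: DEFAULT
    option: nova_admin_auth_url
    value: "https://{{ hostname }}:5000/v3"
  notify:
    - restart neutron-api

- name: nova/neutron v3 authentication
  # Credentials nova uses to call neutron ([neutron] section of nova.conf).
  ini_file:
    dest: /etc/nova/nova.conf
    section: neutron
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict: "{{ service_authtoken }}"
  no_log: true
  notify:
    - restart nova-compute

- name: remove nova v2 overrides
  # No 'option' is given, so ini_file removes the whole [keystone_authtoken]
  # section from the packaged defaults file.
  ini_file:
    dest: /usr/share/nova/nova-dist.conf
    section: keystone_authtoken
    state: absent
  notify:
    - restart nova-api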
94 |
--------------------------------------------------------------------------------
/roles/rhv/templates/answers.txt.j2:
--------------------------------------------------------------------------------
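# action=setup
# Rendered by Ansible; values are otopi "type:value" pairs.
# NOTE(review): the engine admin password and the FQDN were literals in
# this template. They are now templated with the old values as defaults so
# existing renders are unchanged, but set rhv_admin_password from a vaulted
# variable rather than relying on the fallback.
[environment:default]
OVESETUP_DIALOG/confirmSettings=bool:True
OVESETUP_CONFIG/applicationMode=str:both
OVESETUP_CONFIG/remoteEngineSetupStyle=none:None
OVESETUP_CONFIG/sanWipeAfterDelete=bool:False
OVESETUP_CONFIG/storageIsLocal=bool:False
OVESETUP_CONFIG/firewallManager=str:firewalld
OVESETUP_CONFIG/remoteEngineHostRootPassword=none:None
OVESETUP_CONFIG/firewallChangesReview=none:None
OVESETUP_CONFIG/updateFirewall=bool:True
OVESETUP_CONFIG/remoteEngineHostSshPort=none:None
OVESETUP_CONFIG/fqdn=str:{{ rhv_engine_fqdn | default('zubat.younglogic.net') }}
OVESETUP_CONFIG/storageType=none:None
OSETUP_RPMDISTRO/requireRollback=none:None
OSETUP_RPMDISTRO/enableUpgrade=none:None
OVESETUP_PROVISIONING/postgresProvisioningEnabled=bool:True
OVESETUP_APACHE/configureRootRedirection=bool:True
OVESETUP_APACHE/configureSsl=bool:True
# Unencrypted DB connections are acceptable only because the database is
# provisioned on localhost (host=str:localhost below).
OVESETUP_DB/secured=bool:False
OVESETUP_DB/fixDbConfiguration=none:None
OVESETUP_DB/user=str:engine
OVESETUP_DB/dumper=str:pg_custom
OVESETUP_DB/database=str:engine
OVESETUP_DB/fixDbViolations=none:None
OVESETUP_DB/engineVacuumFull=none:None
OVESETUP_DB/host=str:localhost
OVESETUP_DB/port=int:5432
OVESETUP_DB/filter=none:None
OVESETUP_DB/restoreJobs=int:2
OVESETUP_DB/securedHostValidation=bool:False
OVESETUP_ENGINE_CORE/enable=bool:True
OVESETUP_CORE/engineStop=none:None
OVESETUP_SYSTEM/memCheckEnabled=bool:True
OVESETUP_SYSTEM/nfsConfigEnabled=bool:False
OVESETUP_PKI/organization=str:younglogic.net
OVESETUP_PKI/renew=none:None
OVESETUP_CONFIG/isoDomainName=none:None
OVESETUP_CONFIG/engineHeapMax=str:3967M
OVESETUP_CONFIG/ignoreVdsgroupInNotifier=none:None
OVESETUP_CONFIG/adminPassword=str:{{ rhv_admin_password | default('FreeIPA4All') }}
OVESETUP_CONFIG/isoDomainACL=none:None
OVESETUP_CONFIG/isoDomainMountPoint=none:None
OVESETUP_ENGINE_CONFIG/fqdn=str:{{ rhv_engine_fqdn | default('zubat.younglogic.net') }}
OVESETUP_CONFIG/engineDbBackupDir=str:/var/lib/ovirt-engine/backups
OVESETUP_CONFIG/engineHeapMin=str:3967M
OVESETUP_DWH_CORE/enable=bool:True
OVESETUP_DWH_CONFIG/scale=str:1
OVESETUP_DWH_CONFIG/dwhDbBackupDir=str:/var/lib/ovirt-engine-dwh/backups
OVESETUP_DWH_DB/secured=bool:False
OVESETUP_DWH_DB/restoreBackupLate=bool:True
OVESETUP_DWH_DB/disconnectExistingDwh=none:None
OVESETUP_DWH_DB/host=str:localhost
OVESETUP_DWH_DB/user=str:ovirt_engine_history
OVESETUP_DWH_DB/dumper=str:pg_custom
OVESETUP_DWH_DB/database=str:ovirt_engine_history
OVESETUP_DWH_DB/performBackup=none:None
OVESETUP_DWH_DB/port=int:5432
OVESETUP_DWH_DB/filter=none:None
OVESETUP_DWH_DB/restoreJobs=int:2
OVESETUP_DWH_DB/securedHostValidation=bool:False
OVESETUP_DWH_PROVISIONING/postgresProvisioningEnabled=bool:True
OVESETUP_CONFIG/imageioProxyConfig=bool:True
OVESETUP_RHEVM_DIALOG/confirmUpgrade=bool:True
OVESETUP_VMCONSOLE_PROXY_CONFIG/vmconsoleProxyConfig=bool:True
OVESETUP_CONFIG/websocketProxyConfig=bool:True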
67 |
--------------------------------------------------------------------------------
/roles/packstack/tasks/keystone.yml:
--------------------------------------------------------------------------------
1 | ---
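- name: add test file to federation
  # NOTE(review): this installs a CGI script named 'test' into keystone's
  # cgi-bin on the keystone host; remove it once the federation setup has
  # been verified so it is not left reachable in production.
  copy:
    src: test
    dest: /var/www/cgi-bin/keystone/test
  notify:
    - restart httpd

- name: Apache modules for SSSD
  tags:
    - ipsilon
  yum:
    name:
      - mod_auth_gssapi
      - mod_lookup_identity
      - mod_auth_mellon
      - ipsilon-client
    state: present

- name: Fix mod_lookup_identity conf file
  copy:
    src: 55-lookup_identity.conf
    dest: /etc/httpd/conf.modules.d/55-lookup_identity.conf

- name: enable apache identity modules
  tags:
    - ipsilon
  file:
    state: link
    src: /etc/httpd/conf.modules.d/{{ item }}.conf
    dest: /etc/httpd/conf.d/{{ item }}.conf
  with_items:
    # - 10-auth_mellon
    # - 10-auth_gssapi
    - 55-lookup_identity
  notify:
    - restart httpd

- name: Apache common config files
  tags:
    - ipsilon
  template:
    src: "{{ item }}.j2"
    dest: /etc/httpd/conf/{{ item }}
  with_items:
    - keystone-federation.conf
    - keystone-ssl.conf
  notify:
    - restart httpd

- name: Keystone main conf
  tags:
    - ipsilon
  template:
    src: "{{ item }}.j2"
    dest: /etc/httpd/conf.d/{{ item }}
  with_items:
    - 10-keystone_wsgi_main.conf
    - 10-keystone_wsgi_admin.conf
  notify:
    - restart httpd


- name: Kerberos as Login mechanism
  # The 'external' method lets keystone accept the REMOTE_USER that Apache
  # sets, so it is only as trustworthy as the auth modules configured in
  # front of keystone here (gssapi / mellon / lookup_identity).
  ini_file:
    dest: /etc/keystone/keystone.conf
    section: auth
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    methods: external,password,token,saml2,kerberos
    kerberos: keystone.auth.plugins.mapped.Mapped
    saml2: keystone.auth.plugins.mapped.Mapped
  notify:
    - restart httpd

- name: Federation settings (trusted dashboard and IdP attribute)
  # trusted_dashboard is the only origin keystone will post SSO tokens to;
  # keep it pinned to this host's https dashboard URL.
  ini_file:
    dest: /etc/keystone/keystone.conf
    section: federation
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    trusted_dashboard: "https://{{ ansible_fqdn }}/dashboard/auth/websso/"
    sso_callback_template: /etc/keystone/sso_callback_template.html
    remote_id_attribute: MELLON_IDP
  notify:
    - restart httpd

- name: Kerberos IdP attribute
  ini_file:
    dest: /etc/keystone/keystone.conf
    section: kerberos
    option: remote_id_attribute
    value: IDP_ID
  notify:
    - restart httpd

- name: update keystone endpoints - public
  # Rewrites catalog entries in place; the 'like http://%' pattern suggests
  # they were registered as plain http by the installer. Uses the host-local
  # root socket login (no password on the command line); 'hostname' is
  # operator-supplied, not user input.
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:5000/v2.0\" where url like \"http://%:5000/v2.0\";"
  register: keystonesqlpublic
  # -vv makes mysql print the affected-row count that drives changed_when.
  changed_when: '"0 rows affected" not in keystonesqlpublic.stdout'

- name: update keystone endpoints - admin
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:35357/v2.0\" where url like \"http://%:35357/v2.0\";"
  register: keystonesqladmin
  changed_when: '"0 rows affected" not in keystonesqladmin.stdout'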
95 |
--------------------------------------------------------------------------------
/roles/ipaserver/library/resolver:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 |
4 | # (c) 2013, Jan-Piet Mens
5 | #
6 | # This file is part of Ansible
7 | #
8 | # Ansible is free software: you can redistribute it and/or modify
9 | # it under the terms of the GNU General Public License as published by
10 | # the Free Software Foundation, either version 3 of the License, or
11 | # (at your option) any later version.
12 | #
13 | # Ansible is distributed in the hope that it will be useful,
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 | # GNU General Public License for more details.
17 | #
18 | # You should have received a copy of the GNU General Public License
19 | # along with Ansible. If not, see .
20 | #
21 | #
22 |
23 | import sys
24 | try:
25 | import json
26 | except ImportError:
27 | import simplejson as json
28 | import re
29 |
30 | DOCUMENTATION = '''
31 | ---
32 | module: resolver
33 | short_description: Get information from the system's resolver
34 | description:
35 | - Obtains nameserver addresses from C(/etc/resolv.conf)
36 | version_added: "1.3"
37 | options:
38 | resolvconf:
39 | description:
40 | - the file (in C(/etc/resolv.conf)-format) to parse
41 | required: false
42 | default: /etc/resolv.conf
43 | aliases: []
44 | author: Jan-Piet Mens
45 | '''
46 |
47 | EXAMPLES='''
48 | # Get nameserver entries from /etc/resolv.conf and print first one
49 | - resolver:
50 | register: res
51 | - debug: msg={{ res.nameservers[0] }}
52 | '''
53 |
54 | # ===========================================
55 | # Support methods
56 |
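def get_nameservers(module, resolvconf=None):
    """Parse a resolv.conf-format file for ``nameserver`` and ``search`` lines.

    :param module: the calling AnsibleModule; not used here, kept so the
        signature stays compatible with existing callers.
    :param resolvconf: path of the file to parse; ``None`` means
        ``/etc/resolv.conf``.
    :returns: ``dict(nameservers=[...], searchlist=[...] or None)`` -- the
        nameserver addresses in file order, and the words of the last
        ``search`` line (``None`` when the file has no ``search`` line).
    :raises IOError: when the file cannot be opened (propagates to the
        caller, as before).
    """
    nameservers = []
    searchlist = None

    if resolvconf is None:
        resolvconf = '/etc/resolv.conf'

    # 'with' closes the file on every exit path; the original left the
    # handle open if anything raised mid-loop. The bare 'except: pass'
    # wrappers around re.search were dropped: they could only hide bugs.
    with open(resolvconf) as fh:
        for line in fh:
            search_match = re.search(r"^search\s+(.+)", line)
            if search_match is not None:
                # A later 'search' line overrides an earlier one, as before.
                searchlist = search_match.group(1).split()

            ns_match = re.search(r"^nameserver\s+([^\s]+)", line)
            if ns_match is not None:
                nameservers.append(ns_match.group(1))

    return dict(nameservers=nameservers, searchlist=searchlist)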
83 |
84 | # ==============================================================
85 | # main
86 |
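def main():
    """Ansible entry point: parse the optional ``resolvconf`` argument and
    return the nameservers/searchlist as module results.

    Results go through ``exit_json`` so the output is well-formed module
    JSON; ``changed`` is false because this module only reads a file. The
    old ``print json.dumps(...)`` statement was Python-2-only syntax.
    """
    module = AnsibleModule(
        argument_spec=dict(
            resolvconf=dict(required=False),
        ),
        # Read-only, so it is safe to run under --check.
        supports_check_mode=True,
    )

    resolvconf = module.params['resolvconf']

    try:
        data = get_nameservers(module, resolvconf=resolvconf)
    except (IOError, OSError) as e:
        # Report an unreadable file as a module failure rather than letting
        # the traceback escape as unparseable module output.
        module.fail_json(msg="Failed to read %s: %s" % (resolvconf or '/etc/resolv.conf', e))

    # Mission complete
    module.exit_json(changed=False, **data)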
101 |
102 |
103 | # this is magic, see lib/ansible/module_common.py
104 | #<>
105 |
106 | main()
107 |
--------------------------------------------------------------------------------
/library/ipsilonprovider:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 |
3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may
4 | # not use this file except in compliance with the License. You may obtain
5 | # a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 | # License for the specific language governing permissions and limitations
13 | # under the License.
14 |
15 | DOCUMENTATION = '''
16 | ---
17 | module: ipsilonprovider
18 | short_description: Register a service provider with ipsilon
19 | author: Jamie Lennox
20 | notes:
21 | - there is no rest API to either delete or modify an existing service
22 | provider so if a provider of the same name exists it is presumed to be ok.
23 | requirements:
24 | - requests
25 | '''
26 |
27 | import requests
28 | from six.moves.urllib.parse import urlencode
29 |
30 | from ansible.module_utils.basic import * # noqa
31 |
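# Arguments are parsed at import time so 'module' is available to main()
# and to the __main__ guard below.
module = AnsibleModule(
    argument_spec=dict(
        username=dict(required=True),
        # no_log keeps the IdP admin password out of the task result and the
        # Ansible log, where module arguments are otherwise echoed back.
        password=dict(required=True, no_log=True),
        name=dict(required=True),
        # Path on the target host of the SAML2 SP metadata XML to register.
        metadata=dict(required=True),
        # Base URL of the Ipsilon IdP; should be https, the login form posts
        # the credentials in the request body.
        url=dict(required=True),
        # Landing URL recorded for the SP ('splink' in the REST call).
        link=dict(required=True),
    )
)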
42 |
43 |
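def main():
    """Register a SAML2 service provider with an Ipsilon IdP.

    Reads the SP metadata file, logs in through Ipsilon's form login, and
    checks whether a provider of the given name already exists. An existing
    provider is reported as unchanged (the REST API offers no update or
    delete, see the module notes); otherwise the metadata is POSTed to
    create it.
    """
    # Bound every request so a stalled IdP fails the task instead of hanging
    # the play indefinitely (requests has no default timeout).
    timeout = 30
    session = requests.Session()

    try:
        with open(module.params['metadata'], 'r') as f:
            metadata = f.read()
    except IOError as e:
        module.fail_json(msg='Failed to read the metadata file: %s' % e)

    url = module.params['url'].rstrip('/')
    auth_data = {'login_name': module.params['username'],
                 'login_password': module.params['password']}

    # Credentials travel in the POST body, so 'url' must be https. requests
    # verifies the server certificate by default; do not add verify=False.
    resp = session.post('%s/login/form' % url, data=auth_data, timeout=timeout)

    if not resp.ok:
        module.fail_json(msg='Failed to authenticate with ipsilon server')

    sp_url = '%s/rest/providers/saml2/SPS/%s' % (url, module.params['name'])

    resp = session.get(sp_url, headers={'Accept': 'application/json'},
                       timeout=timeout)

    if resp.ok:
        # I can check the data but i can't change it so i may as well not
        module.exit_json(changed=False)

    # try:
    #     existing_metadata = resp.json().get('result', [])[0]['metadata']
    # except (KeyError, IndexError):
    #     module.fail_json(msg='Unexpected existing metadata format')

    # if existing_metadata == metadata:
    #     module.exit_json(changed=False)

    # The Referer header is sent deliberately: Ipsilon appears to require it
    # on REST writes (presumably as a CSRF check) -- keep it.
    sp_headers = {'Content-type': 'application/x-www-form-urlencoded',
                  'Referer': sp_url}
    sp_data = {'metadata': metadata,
               'splink': module.params['link']}

    resp = session.post(sp_url, headers=sp_headers, data=urlencode(sp_data),
                        timeout=timeout)

    if resp.ok:
        module.exit_json(changed=True)
    else:
        module.fail_json(msg="Couldn't create new sp: %s" % resp.text)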
89 |
90 |
# Run as an Ansible module; argument parsing already happened at import
# time (see 'module' above), so main() only does the HTTP work.
if __name__ == '__main__':
    main()
93 |
--------------------------------------------------------------------------------
/roles/packstack/library/ipauser:
--------------------------------------------------------------------------------
1 | #!/bin/env python
2 |
3 | # Licensed under the Apache License, Version 2.0 (the "License"); you may
4 | # not use this file except in compliance with the License. You may obtain
5 | # a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12 | # License for the specific language governing permissions and limitations
13 | # under the License.
14 |
15 | DOCUMENTATION = '''
16 | ---
17 | module: ipauser
18 | short_description: Add and modify a user in FreeIPA.
19 | author: Jamie Lennox
20 | notes:
21 | - No attempt is made to handle authentication in this module. This means that
22 | you will probably want to ensure a valid kerberos ticket before running.
23 | requirements:
24 | - ipalib
25 | - six
26 | '''
27 |
28 | import six
29 | from ipalib import api, errors
30 |
# Connect to IPA at import time, before the module arguments are parsed.
# No credentials are passed here: the connection presumably relies on the
# caller's existing Kerberos ticket, as the module notes above say.
api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()

# A list of the RPC methods in some sort of autogenerated format is available:
# https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt

# We convert the RPC parameter names to the cli "pretty" names in the same way
# that the CLI does based on the cli= param in the above API.txt doc
RPC_TO_CLI = {
    u'givenname': u'first',
    u'sn': u'last',
}

# Inverse map: module parameter name -> IPA attribute name.
CLI_TO_RPC = {v: k for k, v in six.iteritems(RPC_TO_CLI)}
46 |
47 |
48 | from ansible.module_utils.basic import * # noqa
49 |
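module = AnsibleModule(
    argument_spec=dict(
        uid=dict(required=True),
        first=dict(),
        last=dict(),
        # no_log keeps the initial password out of the task result and the
        # Ansible log, where module arguments are otherwise echoed back.
        password=dict(no_log=True),
    ),
    # main() already branches on module.check_mode; without this flag
    # Ansible skips the module entirely under --check and those branches
    # never run.
    supports_check_mode=True,
)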
58 |
59 |
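def main():
    """Create user ``uid`` if absent, otherwise update first/last as needed.

    Reads ``module.params`` (uid, first, last, password) and always exits via
    ``module.exit_json`` with ``changed`` set.  ``password`` is only sent on
    creation: IPA does not return the current password, so re-applying it on
    every run could not be made idempotent and an existing user's password is
    therefore left untouched.
    """
    def _param(p):
        # Normalise bytes (Python 2 str) to text so values compare equal to
        # what ipalib hands back.
        v = module.params[p]
        if isinstance(v, six.binary_type):
            v = v.decode('utf-8')
        return v

    uid = _param('uid')

    # Translate the cli-style names (first/last) to RPC attribute names
    # (givenname/sn), dropping anything unset or empty.
    rpc_params = {}
    for cli_name, rpc_name in CLI_TO_RPC.items():
        value = _param(cli_name)
        if value:
            rpc_params[rpc_name] = value

    resp = api.Command['user_find'](uid=uid, all=True)

    # Only treat the user as existing if an entry with exactly this uid came
    # back.  user_find is expected to match uid exactly, but guarding here
    # means a broader match can never cause user_mod to run against somebody
    # else's account.
    existing = None
    for entry in resp['result']:
        if uid in entry.get('uid', ()):
            existing = entry
            break

    if existing is not None:
        # IPA returns attribute values as sequences; compare against the first
        # value so unchanged attributes do not trigger a user_mod.
        update_params = {k: v
                         for k, v in rpc_params.items()
                         if v != existing.get(k, (None,))[0]}

        if not update_params:
            module.exit_json(changed=False)

        if not module.check_mode:
            api.Command['user_mod'](uid, **update_params)

        module.exit_json(changed=True)

    # New user: the password (if any) is only ever set here, on creation.
    if module.params['password']:
        rpc_params['userpassword'] = _param('password')

    if not module.check_mode:
        api.Command['user_add'](uid, **rpc_params)

    module.exit_json(changed=True)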
97 |
98 |
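if __name__ == '__main__':
    try:
        main()
    except errors.PublicError as e:
        # ipalib's public errors carry a user-facing message; report that as
        # the failure reason.
        module.fail_json(msg=e.msg)
    except Exception as e:  # noqa
        # Anything else (connection problems, unexpected response shapes)
        # would otherwise print a traceback, which Ansible cannot parse as a
        # module result.  SystemExit from exit_json is not an Exception and
        # is not caught here.
        module.fail_json(msg=str(e))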
104 |
--------------------------------------------------------------------------------
/roles/websso/tasks/main.yml:
--------------------------------------------------------------------------------
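---
# Install Red Hat SSO 7 on RHEL 7 behind an Apache reverse proxy, with the
# HTTPS certificate issued by the FreeIPA CA.
#
# Secrets (ipa_admin_password, websso_master_admin_password) end up on
# command lines below; every task that carries one is marked no_log so the
# value is not echoed in Ansible output or logs.
# NOTE(review): the README inventory example defines ipa_admin_user_password,
# not ipa_admin_password -- confirm ipa_admin_password is defined for this
# play.

- name: enable rh-sso repository
  command: subscription-manager repos --enable=rh-sso-7.2-for-rhel-7-server-rpms

- name: enable jboss-eap repository
  command: subscription-manager repos --enable=jb-eap-7.1-for-rhel-7-server-rpms

- name: install websso prereqs
  tags:
    - websso
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - java-1.8.0-openjdk.x86_64
    - firewalld
    - ipa-admintools
    - openldap-clients
    - openssl
    - httpd
    - mod_ssl

- name: upgrade all packages
  yum:
    name: '*'
    state: latest

- name: install websso yum group
  tags:
    - websso
  yum:
    name: "@rh-sso7"
    state: present

- name: create symlink to keep dbus happy
  file:
    src: /usr/libexec/dbus-1
    dest: /lib64/dbus-1
    state: link

- name: restart dbus service
  systemd:
    state: restarted
    name: dbus

# Obtain an admin TGT only when the credential cache has no usable ticket.
# "klist -s" is silent and exits non-zero when the cache is missing or
# expired, which a plain "klist" does not guarantee.  The password is piped
# via echo (shell-quoted with the quote filter); no_log keeps it out of the
# Ansible output, and the admin ticket remains in root's cache for the rest
# of the play.
- name: kinit
  shell: klist -s >/dev/null 2>&1 || echo {{ ipa_admin_password | quote }} | kinit admin@{{ ipa_realm }}
  changed_when: false
  no_log: true

- name: Add service principals
  ipaservice:
    principal: "HTTP/sso.{{ ipa_realm | lower }}@{{ ipa_realm }}"

# Request the HTTPS certificate from the IPA CA through certmonger; the
# private key is generated and stays on this host.
- name: HTTPS certificate OpenSSL
  getcert:
    key_file: /etc/pki/tls/private/localhost.key
    certificate_file: /etc/pki/tls/certs/localhost.crt
    kerberos_principal: "HTTP/sso.{{ ipa_realm | lower }}@{{ ipa_realm }}"
    bits: 2048
    ca: IPA

# TODO change group on these to match apache
#   key_file: /etc/pki/tls/private/localhost.key
#   certificate_file: /etc/pki/tls/certs/localhost.crt

# HTTPD as reverse proxy
- name: set up apache proxy
  tags:
    - keycloak
  copy:
    src: websso-proxy.conf
    dest: /etc/httpd/conf.d/websso-proxy.conf
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"

- name: enable standalone-ha.xml
  lineinfile:
    path: /opt/rh/rh-sso7/service-environment
    line: WILDFLY_SERVER_CONFIG=standalone-ha.xml

- name: rh_sso systemd services
  tags:
    - websso
  service:
    name: "{{ item }}"
    enabled: true
    state: started
  with_items:
    - httpd
    - rh-sso7

# The master admin password is passed as a command-line argument (briefly
# visible in the process list); no_log at least keeps it out of the output.
# "already added" on stderr means the user exists and is not a failure.
- name: create websso master admin user
  tags:
    - websso
  command: >
    {{ rhsso_dir }}/bin/add-user-keycloak.sh
    -r master
    -u {{ websso_master_admin_username }}
    -p {{ websso_master_admin_password }}
  register: add_user_result
  failed_when: not (add_user_result.rc == 0 or "already added" in add_user_result.stderr)
  changed_when: add_user_result.rc == 0
  no_log: true
  notify: restart websso

- name: enable firewalld
  tags:
    - websso
  service:
    name: firewalld
    enabled: true
    state: started

- name: Open Firewall for services
  tags:
    - websso
  firewalld:
    port: "{{ item }}/tcp"
    permanent: true
    state: enabled
    immediate: true
  with_items: "{{ websso_firewall_ports }}"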
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
1 | ==========
2 | Rippowam
3 | ==========
4 |
5 | Rippowam is an ansible playbook for setting up flavors of OpenStack on top of
6 | RPM based Operating systems. The current focus is on the RHEL-OSP12 release
7 | and RHEL 7.3 Base Operating system.
8 |
9 |
10 | Rippowam creates an inventory file used to populate the initial variables and
11 | host entries to run Rippowam. An Example of the inventory file is at the
12 | bottom of this document. Ossipee uses $USER as the default name for
13 | the deployment, and many things make use of the name, such as the
14 | hostname and Kerberos Realm. You will see the strings yourname and
15 | YOURNAME in this document that are generated from the name.
16 |
17 | Running
18 | =======
19 |
Because Rippowam needs OpenStack credentials to provision the systems, keep
the clouds.yaml file (and the vault file passed below with
``-e @$HOME/vault.yml``) local to your workstation rather than in the
repository.
22 |
23 |
24 |
25 | To run Rippowam to provision:
26 | cd $YOURPATH/rippowam
27 |
28 | ansible-playbook playbooks/provision.yml
29 | ansible-playbook -e @$HOME/vault.yml playbooks/provision.yml
30 |
31 |
32 | ansible-playbook -i ~/rippowam/deployments/yourname/inventory.ini ~/devel/rippowam/site.yml
33 |
34 |
35 | ansible-playbook -i ~/rippowam/deployments/ayoung.rdusalab/inventory.ini -e @/home/ayoung/vault.yml --start-at-task "realm in standalone.xml" playbooks/websso.yml
36 |
37 |
38 | Once the playbook completes, you should have a working IPA server and
39 | OpenStack deployment.
40 |
41 | Hostnames
42 | =========
43 |
It is easiest to work with the machines via hostnames. Add entries to
/etc/hosts for the publicly accessible IP addresses of the two
hosts, matching the ``[ipa]`` and ``[openstack]`` groups of the inventory, such as:
47 |
    10.16.18.245 ipa.yourname.test
    10.16.19.101 openstack.yourname.test
50 |
51 | You should have ssh access to the hosts using an SSH keypair.
52 |
53 | Kerberos
54 | ========
55 |
56 | To enable Kerberos, scp the krb5.conf file from the ipa server:
57 |
58 | scp ipa.yourname.test:/etc/krb5.conf /home/yourname/.ossipee/inventory/yourname.krb5.conf
59 | export KRB5_CONFIG=/home/yourname/.ossipee/inventory/yourname.krb5.conf
60 | kinit admin@YOURNAME.TEST
61 |
62 | The password comes from the inventory file.
63 |
64 | You should be able to ssh to the ipa server with
65 |
66 | ssh -K ipa.yourname.test
67 |
68 | To test the ipa web UI browse to
69 |
70 | https://ipa.yourname.test
71 |
72 |
73 |
74 |
Sample inventory file
=====================

The ``FreeIPA4All`` values below are placeholders: replace them, and keep the
real passwords in the vault file passed with ``-e @$HOME/vault.yml`` rather
than in an inventory file that is checked in.

78 | [openstack]
79 | 10.16.19.101
80 |
81 | [openstack:vars]
82 | ipa_server_password=FreeIPA4All
83 | ipa_domain=yourname.test
84 | ipa_realm=YOURNAME.TEST
85 | cloud_user=cloud-user
86 | ipa_admin_user_password=FreeIPA4All
87 | ipa_forwarder=192.168.52.3
88 | nameserver=192.168.52.4
89 |
90 | [ipa]
91 | 10.16.18.245
92 |
93 | [ipa:vars]
94 | ipa_server_password=FreeIPA4All
95 | ipa_domain=yourname.test
96 | ipa_realm=YOURNAME.TEST
97 | cloud_user=cloud-user
98 | ipa_admin_user_password=FreeIPA4All
99 | ipa_forwarder=192.168.52.3
100 | nameserver=192.168.52.4
101 |
102 | [ipa_clients]
103 | 10.16.19.101
    [ipa_clients:vars]
105 | ipa_server_password=FreeIPA4All
106 | ipa_domain=yourname.test
107 | ipa_realm=YOURNAME.TEST
108 | cloud_user=cloud-user
109 | ipa_admin_user_password=FreeIPA4All
110 | ipa_forwarder=192.168.52.3
111 |
--------------------------------------------------------------------------------
/roles/satelliteserver/tasks/setup.yml:
--------------------------------------------------------------------------------
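---
# Populate the Satellite server (organization, lifecycle environment,
# product, repositories) through hammer.
#
# Authentication: install.yml in this role sets the Foreman admin password
# with --foreman-admin-password={{ ipa_admin_user_password }}, so hammer
# must authenticate with that same variable.  (This file previously used
# ipa_server_password, which only worked while the two happened to be
# equal.)  The password is on every hammer command line, so each hammer
# task is no_log: it would otherwise appear in the registered result's
# "cmd" field and in -v output.

- name: find organizations
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    organization list
    --search {{ organization }}
  changed_when: false
  register: find_org
  no_log: true

# Show only the command output; the full registered result includes the
# command line and therefore the password.
- name: show organizations
  tags:
    - test
  debug:
    var: find_org.stdout_lines

- name: create organization
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    organization create
    --name {{ organization }}
    --label {{ organization }}
    --description "Default Rippowam Organization"
  when: organization not in find_org.stdout
  no_log: true

- name: find environment lifecycle
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    lifecycle-environment list
    --organization {{ organization }}
  changed_when: false
  register: find_env
  no_log: true

- name: create environment lifecycle
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    lifecycle-environment create
    --name {{ dev_lifecycle }}
    --organization {{ organization }}
    --description "Development Environment"
    --prior Library
  when: dev_lifecycle not in find_env.stdout
  no_log: true

- name: find product
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    product list
    --organization {{ organization }}
    --search {{ product }}
  changed_when: false
  register: find_prod
  no_log: true

- name: create product
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    product create
    --name {{ product }}
    --label {{ product }}
    --organization {{ organization }}
    --description "Rippowam Product"
  when: product not in find_prod.stdout
  no_log: true

- name: find repositories
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    repository list
    --organization {{ organization }}
    --product {{ product }}
  changed_when: false
  register: find_repo
  no_log: true

# Both repositories are published over plain HTTP and synced from plain-HTTP
# / unpinned upstream URLs; nothing here verifies package signatures.  That
# is acceptable for a lab, but clients of this Satellite trust whatever
# those upstreams serve.
- name: create nightly repository
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    repository create
    --organization {{ organization }}
    --product {{ product }}
    --name rhel-nightly
    --content-type yum
    --publish-via-http true
    --url http://download.devel.redhat.com/composes/nightly/latest-RHEL-7/compose/Server/x86_64/os/
  when: '"rhel-nightly" not in find_repo.stdout'
  no_log: true

- name: create rippowam repository
  tags:
    - test
  command: >
    hammer
    -u admin
    -p {{ ipa_admin_user_password }}
    repository create
    --organization {{ organization }}
    --product {{ product }}
    --name rippowam-updates
    --content-type yum
    --publish-via-http true
    --url https://copr-be.cloud.fedoraproject.org/results/jamielennox/rippowam-updates/epel-7-$basearch/
  when: '"rippowam-updates" not in find_repo.stdout'
  no_log: true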
--------------------------------------------------------------------------------
/roles/satelliteserver/tasks/install.yml:
--------------------------------------------------------------------------------
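---
# Install Satellite (katello/foreman) with IPA-backed authentication, an
# IPA-issued HTTPS certificate, and SAML login through Ipsilon.
#
# Secrets are passed on command lines / stdin in several places; those
# tasks are no_log so the values do not land in Ansible output or logs.
# NOTE(review): the kinit task uses ipa_admin_password while the later
# foreman/katello/ipsilon tasks use ipa_admin_user_password -- confirm both
# are defined, or unify them.

- name: Install repos
  tags:
    - common
  copy:
    src: "{{ item }}"
    dest: "/etc/yum.repos.d/{{ item }}"
  with_items:
    - satellite.repo

- name: Install deps
  yum:
    name: httpd,ipsilon-client
    state: installed

- name: Start certmonger
  service:
    name: certmonger
    enabled: true
    state: started

# The admin TGT is only needed for the service-principal and certificate
# tasks.  They run in a block whose always: section destroys the ticket
# even when one of them fails, so the admin credential never lingers in
# root's credential cache.
- block:
    # "klist -s" exits non-zero when the cache is missing or expired; the
    # password is shell-quoted and piped to kinit, and no_log hides it.
    - name: kinit
      shell: klist -s >/dev/null 2>&1 || echo {{ ipa_admin_password | quote }} | kinit admin@{{ ipa_realm }}
      changed_when: false
      no_log: true

    - name: Add HTTP/satellite service
      ipaservice:
        principal: "HTTP/{{ hostname }}@{{ ipa_realm }}"

    - name: Get HTTP certificate
      command: >
        ipa-getcert request -w
        -f {{ ssl_cert }}
        -k {{ ssl_key }}
        -D "{{ hostname }}"
        -K HTTP/{{ hostname }}
      args:
        creates: "{{ ssl_cert }}"
      notify:
        - restart httpd
  always:
    - name: kdestroy
      command: kdestroy
      changed_when: false

- name: create empty certificate request
  copy:
    content: ""
    dest: "{{ ssl_req }}"
    force: false

- name: Install katello rpms
  yum:
    name: katello,foreman-proxy
    state: installed

# foreman-prepare-realm reads the IPA admin password from stdin and writes
# the realm-capsule keytab (creates: makes this a one-shot).
- name: setup foreman smart proxy
  shell: echo {{ ipa_admin_user_password | quote }} | foreman-prepare-realm admin realm-capsule
  args:
    chdir: /etc/foreman-proxy
    creates: /etc/foreman-proxy/freeipa.keytab
  no_log: true

# The Foreman admin password is a command-line option here, so the task is
# no_log; on failure consult the installer's own log on the host rather
# than the (hidden) task output.  Note there is no creates: guard, so the
# installer is re-run on every play.
- name: Install katello
  command: >
    katello-installer
    --foreman-ipa-authentication
    --foreman-ssl
    --certs-server-key={{ ssl_key }}
    --certs-server-cert={{ ssl_cert }}
    --certs-server-cert-req={{ ssl_req }}
    --certs-server-ca-cert=/etc/ipa/ca.crt
    --foreman-admin-password={{ ipa_admin_user_password }}
    --capsule-realm=true
    --capsule-realm-keytab=/etc/foreman-proxy/freeipa.keytab
    --capsule-realm-principal=realm-capsule@{{ ipa_realm }}
    --capsule-realm-provider=freeipa
    --verbose
    --no-colors
  no_log: true
  notify:
    - restart httpd

# --foreman-server-ssl-ca=/etc/ipa/ca.crt
# --foreman-server-ssl-cert={{ ssl_cert }}
# --foreman-server-ssl-key={{ ssl_key }}

# Kerberos / lookup_identity auth is replaced by the SAML config installed
# below.
- name: remove katello auth
  file:
    state: absent
    name: "/etc/httpd/conf.d/05-foreman-ssl.d/{{ item }}"
  with_items:
    - auth_kerb.conf
    - lookup_identity.conf
  notify:
    - restart httpd

- name: SAML2 config dirs
  file:
    state: directory
    path: "{{ saml_conf_dir }}"
    owner: apache
    mode: "0750"

# The admin password is supplied both on stdin (--admin-password -) and via
# IPSILON_ADMIN_PASSWORD; which one the installed ipsilon-client-install
# honours is not visible here, so both are kept.  no_log covers the echo.
- name: Install Ipsilon
  shell: >
    echo {{ ipa_admin_user_password | quote }} | ipsilon-client-install
    --saml
    --saml-base /
    --saml-sp /saml2
    --saml-sp-name satellite
    --saml-idp-url https://ipa.{{ ipa_domain }}/idp
    --saml-no-httpd
    --admin-user admin
    --admin-password -
  args:
    creates: "{{ saml_conf_dir }}/metadata.xml"
    chdir: "{{ saml_conf_dir }}"
  environment:
    IPSILON_ADMIN_PASSWORD: "{{ ipa_admin_user_password }}"
  no_log: true

# get_url validates the IdP's TLS certificate by default; this relies on
# the IPA CA being in the system trust store on this host.
- name: Download IDP metadata
  get_url:
    url: "https://ipa.{{ ipa_domain }}/idp/saml2/metadata"
    dest: "{{ saml_conf_dir }}/idp-metadata.xml"
  notify:
    - restart httpd

- name: SAML auth config
  template:
    src: ipsilon.conf.j2
    dest: /etc/httpd/conf.d/05-foreman-ssl.d/ipsilon.conf
  notify:
    - restart httpd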
--------------------------------------------------------------------------------
/roles/packstack/tasks/haproxy.yml:
--------------------------------------------------------------------------------
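---
# Put haproxy in front of the OpenStack API services: each service is
# rebound to 127.0.0.1 on an internal port, haproxy terminates TLS on the
# public port, and keystone's endpoint catalog is rewritten to https.
#
# The endpoint updates below write to keystone's MySQL table directly
# (as the local root DB user) instead of going through the keystone API.
# {{ hostname }} is interpolated unquoted into the SQL; it is operator
# supplied, but a hostname containing a quote would break the statement.
# "openstack endpoint set --url" would be the API-level alternative.

- name: install haproxy
  yum:
    name: haproxy
    state: installed

- name: setup glance haproxy
  ini_file:
    section: DEFAULT
    dest: /etc/glance/glance-api.conf
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    bind_host: 127.0.0.1
    bind_port: "{{ glance_api_haproxy_port }}"
  notify:
    - restart glance-api

- name: update glance endpoints
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:9292\" where url like \"http://%:9292\";"
  register: glancemysqlendpoint
  changed_when: '"0 rows affected" not in glancemysqlendpoint.stdout'

- name: setup cinder haproxy
  ini_file:
    section: DEFAULT
    dest: /etc/cinder/cinder.conf
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    osapi_volume_listen: 127.0.0.1
    osapi_volume_listen_port: "{{ cinder_api_haproxy_port }}"
  notify:
    - restart cinder-api

- name: update cinder endpoints
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:8776/v1/%(tenant_id)s\" where url like \"http://%:8776/%\";"
  register: cindermysqlendpoint
  changed_when: '"0 rows affected" not in cindermysqlendpoint.stdout'

- name: setup neutron haproxy
  ini_file:
    section: DEFAULT
    dest: /etc/neutron/neutron.conf
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    bind_host: 127.0.0.1
    bind_port: "{{ neutron_api_haproxy_port }}"
  notify:
    - restart neutron-api

- name: update neutron endpoints
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:9696\" where url like \"http://%:9696\";"
  register: neutronmysqlendpoint
  changed_when: '"0 rows affected" not in neutronmysqlendpoint.stdout'

- name: setup nova haproxy
  ini_file:
    section: DEFAULT
    dest: /etc/nova/nova.conf
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    osapi_compute_listen: 127.0.0.1
    osapi_compute_listen_port: "{{ nova_api_haproxy_port }}"
    ec2_listen: 127.0.0.1
    ec2_listen_port: "{{ nova_ec2_haproxy_port }}"
  notify:
    - restart nova-api

- name: update nova endpoints
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:8774/v2/%(tenant_id)s\" where url like \"http://%:8774/v2/%\";"
  register: novamysqlendpoint
  changed_when: '"0 rows affected" not in novamysqlendpoint.stdout'

- name: update ec2 endpoints
  command: mysql -vv -u root keystone -e "update endpoint set url=\"https://{{ hostname }}:8773/services/Admin\" where url like \"http://%:8773/%\";"
  register: ec2mysqlendpoint
  changed_when: '"0 rows affected" not in ec2mysqlendpoint.stdout'

# Restart the rebound services before haproxy takes over the public ports.
- meta: flush_handlers

# haproxy needs certificate and private key in a single PEM.  Create it
# under umask 077 so the file is never world-readable, not even for the
# moment before the permissions task below runs (the default umask would
# have created it 0644, exposing the private key).
- name: copy certs for haproxy
  shell: (umask 077 && cat {{ ssl_cert }} {{ ssl_key }} > {{ haproxy_certs }})
  args:
    creates: "{{ haproxy_certs }}"
  notify:
    - restart haproxy

- name: haproxy cert permissions
  file:
    name: "{{ haproxy_certs }}"
    mode: "0600"
    owner: haproxy
  notify:
    - restart haproxy

- name: install config file
  template:
    src: haproxy.cfg
    dest: /etc/haproxy/haproxy.cfg
  notify:
    - restart haproxy

- name: start haproxy
  service:
    name: haproxy
    state: started
    enabled: true

- meta: flush_handlers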
--------------------------------------------------------------------------------
/roles/packstack/tasks/keystone-environment.yml:
--------------------------------------------------------------------------------
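---
# Seed keystone with the projects, groups, roles and role assignments the
# rest of the deployment expects.
#
# Each "list" task runs first and registers CSV output (one quoted name per
# line); the create tasks test for the quoted name in stdout_lines to stay
# idempotent.  os_env is the OS_* credential environment defined elsewhere.
# NOTE(review): os_users / os_services / os_endpoints registered here are
# consumed by other roles (barbican uses os_services and os_endpoints
# without registering them) -- keep these names stable.

- name: list users
  command: openstack user list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_users
  changed_when: false

- name: list groups
  command: openstack group list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_groups
  changed_when: false

- name: list roles
  command: openstack role list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_roles
  changed_when: false

- name: list services
  command: openstack service list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_services
  changed_when: false

- name: list projects
  command: openstack project list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_projects
  changed_when: false

- name: list endpoints
  command: openstack endpoint list -c "Service Name" -c "Interface" -f csv
  environment: "{{ os_env }}"
  register: os_endpoints
  changed_when: false

- name: demo project
  command: openstack project create demo
  environment: "{{ os_env }}"
  when: '"\"demo\"" not in os_projects.stdout_lines'

- name: services project
  command: openstack project create services
  environment: "{{ os_env }}"
  when: '"\"services\"" not in os_projects.stdout_lines'

# The demo password is on the command line; no_log keeps it out of the
# Ansible output.
- name: demo user
  command: openstack user create demo --password "{{ keystone_demo_password }}"
  environment: "{{ os_env }}"
  no_log: true
  when: '"\"demo\"" not in os_users.stdout_lines'

- name: admins group
  command: openstack group create admins
  environment: "{{ os_env }}"
  when: '"\"admins\"" not in os_groups.stdout_lines'

- name: ipausers group
  command: openstack group create ipausers
  environment: "{{ os_env }}"
  when: '"\"ipausers\"" not in os_groups.stdout_lines'

- name: services group
  command: openstack group create services
  environment: "{{ os_env }}"
  when: '"\"services\"" not in os_groups.stdout_lines'

- name: demo group
  command: openstack group create demo
  environment: "{{ os_env }}"
  when: '"\"demo\"" not in os_groups.stdout_lines'

- name: create Member role
  command: openstack role create Member
  environment: "{{ os_env }}"
  when: '"\"Member\"" not in os_roles.stdout_lines'

# The guard previously tested for "Member" (copy/paste), so the service
# role was skipped whenever Member already existed and re-created (failing)
# otherwise.
- name: create service role
  command: openstack role create service
  environment: "{{ os_env }}"
  when: '"\"service\"" not in os_roles.stdout_lines'

- name: add creator role
  command: openstack role create creator
  environment: "{{ os_env }}"
  when: '"\"creator\"" not in os_roles.stdout_lines'

- name: add observer role
  command: openstack role create observer
  environment: "{{ os_env }}"
  when: '"\"observer\"" not in os_roles.stdout_lines'

- name: add audit role
  command: openstack role create audit
  environment: "{{ os_env }}"
  when: '"\"audit\"" not in os_roles.stdout_lines'

# Role assignments are applied unconditionally on every run; "role add"
# is treated as idempotent by the client.
- name: Member role on demo project
  command: openstack role add --project demo --group ipausers Member
  environment: "{{ os_env }}"

- name: service role on services project
  command: openstack role add --project services --group services service
  environment: "{{ os_env }}"

# Every member of the services group gets admin on the services project.
- name: admin role for services group on services project
  command: openstack role add --project services --group services admin
  environment: "{{ os_env }}"

- name: list idps
  command: openstack identity provider list -c ID -f csv
  environment: "{{ os_env }}"
  register: os_idps
  changed_when: false

- name: list mappings
  command: openstack mapping list -c ID -f csv
  environment: "{{ os_env }}"
  register: os_mappings
  changed_when: false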
--------------------------------------------------------------------------------
/roles/barbican/tasks/main.yml:
--------------------------------------------------------------------------------
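---
# Install Barbican backed by the IPA/Dogtag KRA and register it in keystone.
#
# Depends on os_env plus os_users, os_services and os_endpoints from the
# packstack keystone-environment tasks (os_services / os_endpoints are not
# registered in this file).

- name: install barbican repo
  copy:
    src: barbican.repo
    dest: /etc/yum.repos.d/barbican.repo

- name: install barbican packages
  yum:
    name: "{{ item }}"
    state: installed
  with_items:
    - openstack-barbican
    - openstack-barbican-api

- name: install barbican client package
  yum:
    name: "{{ item }}"
    state: installed
  with_items:
    - python-barbicanclient

# /var/lib/barbican holds barbican's database.  It was previously created
# mode 0757 (world-writable), which let any local user replace the secret
# store.  Give it to the barbican user instead.  This assumes
# openstack-barbican-api runs as the barbican user, as the /etc/barbican
# ownership below already assumes -- confirm if the API is served another
# way.
- name: set barbican database directory ownership
  file:
    path: /var/lib/barbican
    state: directory
    owner: barbican
    group: barbican
    mode: "0750"

- name: set ownership of /etc/barbican
  file:
    path: /etc/barbican
    state: directory
    owner: barbican
    group: barbican

- name: install pki-base for Dogtag client libraries
  yum:
    name: pki-base
    state: installed

# pem_path is the KRA agent credential barbican uses to talk to Dogtag;
# nothing in this file places or protects that file.
- name: configure dogtag_plugin in barbican-api.conf
  ini_file:
    dest: /etc/barbican/barbican-api.conf
    section: dogtag_plugin
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    dogtag_host: "ipa.{{ ipa_domain }}"
    dogtag_port: "8443"
    pem_path: "/etc/barbican/kra-agent.pem"

- name: enable dogtag secret store in barbican-api.conf
  ini_file:
    dest: /etc/barbican/barbican-api.conf
    section: secretstore
    option: enabled_secretstore_plugins
    value: dogtag_crypto

- name: enable dogtag secret cert plugin in barbican-api.conf
  ini_file:
    dest: /etc/barbican/barbican-api.conf
    section: certificate
    option: enabled_certificate_plugins
    value: dogtag

- name: configure barbican-api-paste pipeline to use keystone
  ini_file:
    dest: /etc/barbican/barbican-api-paste.ini
    section: pipeline:barbican_api
    option: pipeline
    value: keystone_authtoken context apiapp

- name: configure barbican-api-paste keystone_authtoken
  ini_file:
    dest: /etc/barbican/barbican-api-paste.ini
    section: filter:keystone_authtoken
    option: "{{ item.key }}"
    value: "{{ item.value }}"
  with_dict:
    identity_uri: "https://{{ hostname }}:35357"
    admin_tenant_name: "services"

- name: restart barbican server
  service:
    name: openstack-barbican-api
    state: restarted

- name: list users
  command: openstack user list -c Name -f csv
  environment: "{{ os_env }}"
  register: os_users
  changed_when: false

# The service user's password used to be the literal "orange".  It is now
# taken from barbican_service_password, defaulting to the old value so
# existing deployments keep working; set the variable (in the vault) to get
# rid of the hard-coded credential.  no_log keeps it out of the output.
- name: create barbican service user
  command: >
    openstack user create
    --password={{ barbican_service_password | default('orange') }}
    --email=barbican@example.com barbican
  environment: "{{ os_env }}"
  no_log: true
  when: '"\"barbican\"" not in os_users.stdout_lines'

# - name: create services project
#   command: openstack project create --name=service --description="Tenant for Openstack services"
#   environment: os_env
#   when: '"\"services\"" not in os_projects.stdout_lines'

- name: add admin role for barbican service user
  command: openstack role add --user=barbican --project=services admin
  environment: "{{ os_env }}"

- name: add barbican service
  command: >
    openstack service create
    --name=barbican
    --description="Barbican Key Management Service"
    key-manager
  environment: "{{ os_env }}"
  when: '"\"barbican\"" not in os_services.stdout_lines'

# Unlike the other APIs (fronted by haproxy over https), barbican is
# registered over plain http on 9311: secrets transit in the clear between
# clients and this host.
- name: add barbican public endpoint
  command: >
    openstack endpoint create
    --region RegionOne
    barbican public http://{{ hostname }}:9311
  environment: "{{ os_env }}"
  when: '"\"barbican\",\"public\"" not in os_endpoints.stdout_lines'

- name: add barbican internal endpoint
  command: >
    openstack endpoint create
    --region RegionOne
    barbican internal http://{{ hostname }}:9311
  environment: "{{ os_env }}"
  when: '"\"barbican\",\"internal\"" not in os_endpoints.stdout_lines'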
--------------------------------------------------------------------------------
/roles/keycloak/tasks/main.yml:
--------------------------------------------------------------------------------
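---
# Install upstream Keycloak from a tarball, run it as a systemd service
# under the keycloak user, and front it with Apache.
#
# Fixes relative to the previous version: several tasks were tagged
# "keyclock" (typo) or "ipaserver" (copy/paste) and were silently skipped
# by "--tags keycloak"; file modes are now quoted octal strings; the
# tarball can be checksum-pinned; the admin password is no_log.

- stat:
    path: "{{ keycloak_jboss_home }}"
  tags:
    - keycloak
  register: keycloak_installation

- name: install keycloak prerequisites
  tags:
    - keycloak
  yum:
    name: "{{ item }}"
    state: present
  with_items:
    - java-1.8.0-openjdk.x86_64
    - firewalld

- name: create keycloak user
  tags:
    - keycloak
  user:
    name: keycloak

- name: keycloak target directory
  tags:
    - keycloak
  file:
    dest: "{{ keycloak_dir }}"
    mode: "0755"
    owner: root
    group: root
    state: directory

# Supply-chain: set keycloak_checksum (e.g. "sha256:<hex>") to pin the
# download; when it is unset the tarball is fetched unverified as before.
- name: get Keycloak distribution tarball
  tags:
    - keycloak
  get_url:
    url: "{{ keycloak_url }}"
    dest: "{{ keycloak_dir }}"
    checksum: "{{ keycloak_checksum | default(omit) }}"
  when: not keycloak_installation.stat.exists

- name: unpack keycloak
  tags:
    - keycloak
  unarchive:
    src: "{{ keycloak_dir }}/{{ keycloak_archive }}"
    dest: "{{ keycloak_dir }}"
    copy: false
  when: not keycloak_installation.stat.exists

- name: keycloak log directory
  tags:
    - keycloak
  file:
    dest: "{{ keycloak_log_dir }}"
    mode: "0755"
    owner: keycloak
    group: keycloak
    state: directory

- name: keycloak data directory
  tags:
    - keycloak
  file:
    dest: "{{ keycloak_jboss_home }}/standalone/data"
    mode: "0755"
    owner: keycloak
    group: keycloak
    state: directory

- name: keycloak tmp directory
  tags:
    - keycloak
  file:
    dest: "{{ keycloak_jboss_home }}/standalone/tmp"
    mode: "0755"
    owner: keycloak
    group: keycloak
    state: directory

# Hand the configuration tree (standalone.xml, server json, keystores) to
# the service user.  Group/other read is dropped; this assumes
# keycloak.service.j2 runs the server as the keycloak user created above
# and that nothing else needs to read these files -- confirm before
# relying on it.
- name: make keycloak configuration directory readable by the service user
  tags:
    - keycloak
  file:
    dest: "{{ keycloak_jboss_home }}/standalone/configuration"
    mode: "0750"
    owner: keycloak
    group: keycloak
    state: directory
    recurse: true

- name: keycloak systemd setup
  tags:
    - keycloak
  template:
    owner: root
    group: root
    mode: "0644"
    src: keycloak.service.j2
    dest: /etc/systemd/system/keycloak.service
  notify:
    - reload systemd

- name: enable firewalld
  tags:
    - keycloak
  service:
    name: firewalld
    enabled: true
    state: started

# NOTE(review): this also opens the WildFly management ports
# (keycloak_http(s)_management_port) to the network; the management
# interface normally only needs to be reachable locally.  Consider dropping
# them from this list if nothing remote uses them.
- name: Open Firewall for services
  tags:
    - keycloak
  firewalld:
    port: "{{ item }}/tcp"
    permanent: true
    state: enabled
    immediate: true
  with_items:
    - "{{ keycloak_http_port }}"
    - "{{ keycloak_https_port }}"
    - "{{ keycloak_http_management_port }}"
    - "{{ keycloak_https_management_port }}"

- name: keycloak systemd service enable and start
  tags:
    - keycloak
  service:
    name: keycloak
    enabled: true
    state: started

- name: set up apache proxy
  tags:
    - keycloak
  copy:
    src: keycloak-proxy.conf
    dest: /etc/httpd/conf.d/keycloak-proxy.conf
    owner: root
    group: root
    mode: "u=rw,g=r,o=r"
  notify: restart httpd

# The master admin password is passed on the command line (briefly visible
# in the process list); no_log keeps it out of the Ansible output.
# "already added" on stderr means the user exists and is not a failure.
- name: create keycloak master admin user
  tags:
    - keycloak
  command: >
    {{ keycloak_jboss_home }}/bin/add-user-keycloak.sh
    -r master
    -u {{ keycloak_master_admin_username }}
    -p {{ keycloak_master_admin_password }}
  register: add_user_result
  failed_when: not (add_user_result.rc == 0 or "already added" in add_user_result.stderr)
  changed_when: add_user_result.rc == 0
  no_log: true
  notify: restart keycloak

- name: TODO restart with a notify on previous task
  tags:
    - keycloak
  service:
    name: httpd
    enabled: true
    state: started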
--------------------------------------------------------------------------------
/roles/rhsso/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - stat: path={{ rhsso_jboss_home }}
3 | tags:
4 | - rhsso
5 | register: rhsso_installation
6 |
7 | - name: install rhsso prerequisites
8 | tags:
9 | - rhsso
10 | yum: name={{ item }} state=present
11 | with_items:
12 | - java-1.8.0-openjdk.x86_64
13 | - firewalld
14 | - unzip
15 |
16 | - name: create rhsso user
17 | tags:
18 | - rhsso
19 | user: name=rhsso
20 |
21 | - name: rhsso target directory
22 | tags:
23 | - rhsso
24 | file: dest={{ rhsso_dir }}
25 | mode=755
26 | owner=root
27 | group=root
28 | state=directory
29 |
30 |
31 | - name: get Rhsso distribution Archive
32 | tags:
33 | - rhsso
34 | get_url: url={{ rhsso_url }}
35 | dest={{ rhsso_dir }}
36 |
37 | # has trouble due to a path with spaces in it. Ignore unzip failure
38 | - name: unpack rhsso
39 | tags:
40 | - rhsso
41 | unarchive: src={{ rhsso_dir }}/{{rhsso_archive}}
42 | dest={{ rhsso_dir }}
43 | copy=no
44 | ignore_errors: yes
45 |
46 | - name: rhsso log directory
47 | tags:
48 | - rhsso
49 | file: dest={{ rhsso_log_dir }}
50 | mode=755
51 | owner=rhsso
52 | group=rhsso
53 | state=directory
54 |
55 | - name: rhsso data directory
56 | tags:
57 | - rhsso
58 | file: dest={{ rhsso_jboss_home }}/standalone/data
59 | mode=755
60 | owner=rhsso
61 | group=rhsso
62 | state=directory
63 |
64 |
65 | - name: rhsso tmp directory
66 | tags:
67 | - rhsso
68 | file: dest={{ rhsso_jboss_home }}/standalone/tmp
69 | mode=755
70 | owner=rhsso
71 | group=rhsso
72 | state=directory
73 |
74 | - name: make rhsso configuration directory readable
75 | tags:
76 | - rhsso
77 | file: dest={{ rhsso_jboss_home }}/standalone/configuration
78 | mode=755
79 | owner=rhsso
80 | group=rhsso
81 | state=directory
82 | recurse=yes
83 |
84 | - name: rhsso systemd setup
85 | tags:
86 | - rhsso
87 | template:
88 | owner=root group=root mode=0644
89 | src=rhsso.service.j2
90 | dest=/etc/systemd/system/rhsso.service
91 | notify:
92 | - reload systemd
93 |
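# firewalld must be running before the firewalld module below can add rules.
# The task carried only the `ipaserver` tag, so a run limited to `--tags rhsso`
# skipped it and the port-opening task could fail on a host where firewalld was
# not yet up. The rhsso tag is added; ipaserver is kept for existing callers.
- name: enable firewalld
  service:
    name: firewalld
    enabled: true
    state: started
  tags:
    - ipaserver
    - rhsso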
100 |
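# Open the HTTP/HTTPS listeners to the network.
- name: Open Firewall for services
  firewalld:
    port: "{{ item }}/tcp"
    permanent: true
    immediate: true
    state: enabled
  with_items:
    - "{{ rhsso_http_port }}"
    - "{{ rhsso_https_port }}"
  tags:
    - rhsso

# The JBoss management ports used to be opened unconditionally together with
# the service ports, exposing the management console and CLI to every network
# the host is reachable from. They are now opened only when the deployer asks
# for remote management explicitly; tools run on the host itself (such as
# add-user-keycloak.sh below) do not go through the firewall.
- name: Open Firewall for management ports
  firewalld:
    port: "{{ item }}/tcp"
    permanent: true
    immediate: true
    state: enabled
  with_items:
    - "{{ rhsso_http_management_port }}"
    - "{{ rhsso_https_management_port }}"
  when: rhsso_expose_management_ports | default(false) | bool
  tags:
    - rhsso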
113 |
# Bring the service up and make it survive reboots.
- name: rhsso systemd service enable and start
  service:
    name: rhsso
    state: started
    enabled: true
  tags:
    - rhsso
120 |
121 |
# Reverse-proxy configuration that fronts RH-SSO with Apache; httpd picks it
# up on the notified restart. 0644 is the same as the u=rw,g=r,o=r it had.
- name: set up apache proxy
  copy:
    src: rhsso-proxy.conf
    dest: /etc/httpd/conf.d/rhsso-proxy.conf
    owner: root
    group: root
    mode: "0644"
  notify: restart httpd
  tags:
    - rhsso
129 |
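# Bootstrap the admin account of the master realm. The password is passed to
# add-user-keycloak.sh as a command-line argument, so it is visible in the
# process list for the duration of the call; what this task can control is
# that it is not also written to Ansible's output and logs, hence no_log.
# The script exits non-zero with "already added" on reruns, which is not a
# failure. To debug a real failure, temporarily set no_log to false - it also
# hides the captured stderr.
- name: create rhsso master admin user
  command: >
    {{ rhsso_jboss_home }}/bin/add-user-keycloak.sh
    -r master
    -u {{ rhsso_master_admin_username }}
    -p {{ rhsso_master_admin_password }}
  register: add_user_result
  failed_when: not (add_user_result.rc == 0 or "already added" in add_user_result.stderr)
  changed_when: add_user_result.rc == 0
  no_log: true
  notify: restart rhsso
  tags:
    - rhsso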
142 |
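# The two tasks that were here restarted rhsso and httpd unconditionally on
# every run (their names carried a TODO to that effect), which made the play
# non-idempotent and dropped live sessions on each apply. Earlier tasks already
# notify `restart rhsso` (admin user creation) and `restart httpd` (proxy
# config); flushing handlers here runs those restarts exactly when something
# changed. The enabled/started state the old tasks also set is kept below.
- name: restart rhsso and httpd if an earlier task changed their input
  meta: flush_handlers
  tags:
    - rhsso

- name: ensure rhsso and httpd are enabled and running
  service:
    name: "{{ item }}"
    enabled: true
    state: started
  with_items:
    - rhsso
    - httpd
  tags:
    - rhsso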
157 |
--------------------------------------------------------------------------------
/roles/provision/libvirt/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
# Tooling used later in this role: the virt-resize/virt-customize commands
# below (libguestfs-tools-c) and, presumably, the SELinux bindings Ansible's
# file modules need on an SELinux-enabled hypervisor.
- name: install libguestfs-tools-c
  package:
    name: "{{ item }}"
    state: present
  with_items:
    - libguestfs-tools-c
    - libselinux-python
9 |
# Stage the pristine base image on the hypervisor; the per-VM disks are cloned
# from it further down instead of modifying it. Writable by qemu only.
- name: push base vm image to hypervisor
  copy:
    src: "{{ source_image_dir }}/{{ source_image_file }}"
    dest: "{{ target_image_dir }}/{{ source_image_file }}"
    owner: qemu
    group: qemu
    mode: "0644"

# Public key material for the guests; world-readable is fine for a public key.
- name: push pubkey to hypervisor
  copy:
    src: "{{ source_keystore_dir }}/{{ source_pubkey_file }}"
    dest: "{{ hypervisor_keystore_dir }}/{{ target_pubkey_file }}"
    owner: qemu
    group: qemu
    mode: "0644"
25 |
# Render the guest network-script files for eth1 and eth2 next to the pubkey
# so virt-customize can copy them into each image.
- name: render guest ifcfg files
  template:
    src: "ifcfg-eth{{ item }}.j2"
    dest: "{{ hypervisor_keystore_dir }}/ifcfg-eth{{ item }}"
  with_items:
    - 1
    - 2
32 |
# One disk per cluster host, cloned on the hypervisor from the staged base
# image. force: false leaves an existing disk alone so a rerun does not wipe a
# VM that has since been customised or booted.
- name: create vm backing store from base vm image
  copy:
    remote_src: true
    src: "{{ target_image_dir }}/{{ source_image_file }}"
    dest: "{{ target_image_dir }}/{{ item.name }}.qcow2"
    force: false
  with_items: "{{ cluster_hosts }}"
39 |
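# Grow each cloned disk to its working size. The 30G that was hard-coded here
# is now the default of vm_disk_size, so an inventory can size the VMs without
# editing the role. Only growing is supported: qemu-img refuses to shrink a
# qcow2 without --shrink, so do not set it below the base image's size.
- name: Ensure the backing store is large enough
  command: qemu-img resize "{{ target_image_dir }}/{{ item.name }}.qcow2" {{ vm_disk_size | default('30G') }}
  with_items: "{{ cluster_hosts }}"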
43 |
# Expand the root partition into the space added above. virt-resize reads the
# base image and writes the enlarged clone.
# NOTE(review): this runs on every play and rewrites the clone from the base
# image, which presumably undoes the force: false protection of the copy task
# on reruns - verify before relying on reruns to preserve guest state.
- name: Grow the partition
  command: >-
    virt-resize --expand /dev/sda1
    {{ target_image_dir }}/{{ source_image_file }}
    {{ target_image_dir }}/{{ item.name }}.qcow2
  with_items: "{{ cluster_hosts }}"
47 |
48 |
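# Customise each clone: create cloud-user, inject its SSH key, set the
# hostname, drop in the rendered ifcfg files and relabel for SELinux.
# Two things changed from the original command line:
#  * the root password was a literal ("FreeIPA4All") committed to the repo and
#    shown in the process list on every run. It is now set only when
#    vm_root_password is defined (keep it in a vault); otherwise root stays as
#    the base image has it and access is through cloud-user's key.
#  * the authorized_keys file is the one this role pushed to the hypervisor
#    (push pubkey task) rather than an unmanaged /tmp/authorized_keys, which
#    any local user on the hypervisor could pre-create before injection.
# no_log keeps the password out of Ansible's own output; it is still an
# argument of the process (virt-customize's `--root-password file:` form
# would avoid that at the cost of managing a credentials file).
- name: add cloud-user and keys
  command: >-
    virt-customize -a {{ target_image_dir }}/{{ item.name }}.qcow2
    --run-command 'id -u cloud-user &>/dev/null || /usr/sbin/useradd -u 1000 cloud-user'
    --ssh-inject cloud-user:file:{{ hypervisor_keystore_dir }}/{{ target_pubkey_file }}
    --hostname {{ item.name }}.{{ cluster_domain }}
    --copy-in {{ hypervisor_keystore_dir }}/ifcfg-eth1:/etc/sysconfig/network-scripts
    --copy-in {{ hypervisor_keystore_dir }}/ifcfg-eth2:/etc/sysconfig/network-scripts
    --selinux-relabel
    {% if vm_root_password is defined %}--root-password password:{{ vm_root_password }}{% endif %}
  no_log: true
  with_items: "{{ cluster_hosts }}"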
52 |
53 |
# Register each guest with the user-session libvirt instance from the rendered
# domain XML; it is not started yet.
- name: define vm
  virt:
    command: define
    name: "{{ item.name }}"
    uri: qemu:///session
    xml: "{{ lookup('template', 'vm.xml.j2') }}"
  with_items: "{{ cluster_hosts }}"
61 |
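# macvtap networks, one per (host, device) pair: define, mark autostart, then
# activate, as three separate virt_net calls.
# NOTE(review): these tasks use virt_net's default connection (documented as
# qemu:///system) while the guests are defined on qemu:///session; if that is
# not intentional, add `uri: qemu:///session` to all three.
- name: define macvtap networks
  virt_net:
    command: define
    name: "macvtap-{{ item.cluster_host }}-{{ item.device }}"
    xml: '{{ lookup("template", "macvtap.xml.j2") }}'
  with_items: "{{ macvtap_networks }}"

# Was a second task named "define macvtap networks"; renamed so the two steps
# can be told apart in play output.
- name: autostart macvtap networks
  virt_net:
    name: "macvtap-{{ item.cluster_host }}-{{ item.device }}"
    autostart: true
  with_items: "{{ macvtap_networks }}"

- name: start macvtap networks
  virt_net:
    name: "macvtap-{{ item.cluster_host }}-{{ item.device }}"
    state: active
    autostart: true
    xml: '{{ lookup("template", "macvtap.xml.j2") }}'
  with_items: "{{ macvtap_networks }}"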
83 |
84 |
# Boot every defined guest on the session instance.
- name: run vm
  virt:
    name: "{{ item.name }}"
    state: running
    uri: qemu:///session
  with_items: "{{ cluster_hosts }}"
91 |
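# Attach each macvtap network to its guest, live and in the persistent config.
# The command was a multi-line plain scalar with trailing backslashes; YAML
# folds the lines itself and keeps the backslashes, so shlex handed virsh
# stray arguments beginning with an escaped space. A folded block scalar
# (`>-`) produces the single line that was intended.
# The guest name also used a hard-coded domain (home.younglogic.net) where the
# rest of this role derives it from cluster_domain; the two are presumably
# equal in the deployment this was written for - confirm that cluster_domain
# matches the <name> that vm.xml.j2 gives the domain.
- name: add macvtap interfaces
  command: >-
    virsh --connect qemu:///session attach-interface
    --domain {{ item.cluster_host }}.{{ cluster_domain }}
    --type network
    --source macvtap-{{ item.cluster_host }}-{{ item.device }}
    --model virtio --config --live
  with_items: "{{ macvtap_networks }}"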
99 |
100 |
101 |
# The guests get new host keys on every (re)provision, so drop the controller's
# stale known_hosts entries for each name and address they are reached by.
# Runs on the controller as the invoking user (become: false) so that user's
# ~/.ssh/known_hosts is the one edited.
# NOTE(review): after -R the next connection trusts whatever key the guest
# presents (trust on first use); pinning the key from the console or the
# hypervisor (e.g. via ssh-keyscan once the VM is up) would close that window.
# Only one static_ip_address is cleared, not one per cluster host.
- name: reset ssh keys for hostname
  command: ssh-keygen -R {{ item.name }}
  delegate_to: localhost
  become: false
  with_items: "{{ cluster_hosts }}"

- name: reset ssh keys for FQDN
  command: ssh-keygen -R {{ item.name }}.{{ cluster_domain }}
  delegate_to: localhost
  become: false
  with_items: "{{ cluster_hosts }}"

- name: reset ssh keys for ip address
  command: ssh-keygen -R {{ static_ip_address }}
  delegate_to: localhost
  become: false
119 |
--------------------------------------------------------------------------------