Without host mode the docker container id

is referenced in volume name.
hack that has apparently become nessecary
2018-12-14 15:58:11 +01:00 · 2018-11-27 14:33:29 +01:00 · 2018-11-27 13:52:47 +01:00 · 2018-11-22 13:51:42 +01:00 · 2018-11-22 13:35:03 +01:00 · 2018-10-25 10:24:33 +02:00
96 changed files with 2457 additions and 786 deletions
--- a/README.md
+++ b/README.md
@ -1,8 +1,42 @@
 # hpc-cloud
-This repository will contain playbooks to bring up openstack components inside docker containers.
+This repository contains playbooks to bring up openstack components inside docker containers.
 It makes use of ansible roles for the openstack components and the supporting infrastructure.
 The following roles are installed.
 ### Openstack components.
 * keystone
 * glance-controller
 * horizon
 * neutron-controller
 * nova-controller
 * nova-compute
 * cinder-controller
 * cinder-storage
 ### Auxilary components:
 * database (mariadb)
 * rabbitmq (cluster of three nodes)
 * memcached
 ## Getting started:
 ### Prerequisites:
 * A cluster of servers to install the components on.
  * The machines running nova-compute and neutron-controller need a separate interface for neutron to use.
 * ubuntu 16.04 with python installed (usually already present).
 * Access to the webhost12.service.rug.nl docker repository.
 ### Settings:
 Passwords need be added to `secrets.yml.topol` and it needs to be saved as `secrets.yml`.
 This can be done by running `./generate_secrets.py`.
 Optionally, one can encrypt the secrtets by running `ansible-vault encrypt secrets.yml`.
 ### Secrets:
 It makes use of ansible roles.
 The roles can be set in the inventory file (hosts)
 To bring up one role, for instance keystone, use:
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,2 +1,6 @@
 [defaults]
-hostfile = hosts
+inventory = merlin
 stdout_callback = debug
 vault_password_file = .vault_pass.txt
 forks = 20
 host_key_checking = false
--- a/cassandra.yml
+++ b/cassandra.yml
@ -3,5 +3,4 @@
 - hosts: cassandra
  become: True
  roles:
      - common
      - cassandra
--- a/ceph.xml
+++ b/ceph.xml
@ -0,0 +1,6 @@
 <secret ephemeral="no" private="no">
 <uuid>d0db6ba7-a0c9-4da6-b0bc-aa7846325333</uuid>
 <usage type="ceph">
 <name>client.volumes secret</name>
 </usage>
 </secret>
--- a/cinder-controller.yml
+++ b/cinder-controller.yml
@ -0,0 +1,11 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
  tags:
     - facts
 - hosts: cinder-controller
  become: True
  roles:
     - cinder-controller
--- a/cinder-storage.yml
+++ b/cinder-storage.yml
@ -0,0 +1,9 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: cinder-storage
  become: True
  roles:
     - cinder-storage
--- a/common.yml
+++ b/common.yml
@ -1,5 +1,12 @@
 ---
 - hosts: all
  become: True
  vars_prompt:
    - name: "docker_user"
      private: no
      prompt: "What is your p number?"
    - name: "docker_pass"
      prompt: "What is your password?"
      private: yes
  roles:
      - common
--- a/5
+++ b/5
@ -0,0 +1,5 @@
 openstack project create --domain default --description "GCC testproject" gcc
 openstack user create --domain default --password-prompt gcc-user
 openstack role add --project gcc --user gcc-user user
 openstack user create --domain default --password-prompt gcc-admin
 openstack role add --project gcc --user gcc-admin admin
--- a/database.yml
+++ b/database.yml
@ -1,5 +0,0 @@
 ---
 - hosts: database
  become: True
  roles:
     - mariadb
--- a/gcc-post-install.yml
+++ b/gcc-post-install.yml
@ -0,0 +1,35 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: keystone
  become: True
  vars_files:
    - settings.yml
  tasks:
    - name: copy public key
      copy:
        content: "{{ rsa_pub }}"
        dest: /srv/keystone/root/id_rsa.pub
    - name: post install configuration
      command: docker exec -i keystone.service bash -c "source /root/admin-openrc.sh && {{ item }}"
      with_items:
        - openstack network create --share --external --provider-physical-network provider --provider-network-type vlan --provider-segment 985 vlan985
        - >
            openstack subnet create --subnet-range 172.23.34.0/24 --gateway 172.23.34.1
            --network vlan985 --allocation-pool start=172.23.34.50,end=172.23.34.60
            --dns-nameserver 8.8.4.4 vlan985_subnet
        - openstack network create --share --external --provider-physical-network provider --provider-network-type vlan --provider-segment 16 vlan16
        - >
            openstack subnet create --subnet-range 195.169.22.0/23 --gateway 195.169.23.251
            --network vlan16 --allocation-pool start=195.169.22.237,end=195.169.22.237
            --dns-nameserver 8.8.4.4 vlan16_subnet
        - openstack flavor create --ram 4096 --disk 40 --vcpus 2  "Molgenis Dual"
        - openstack flavor create --ram 16384 --disk 40 --vcpus 4  "Molgenis Quad 16GB"
        - openstack flavor create --ram 8192 --disk 40 --vcpus 4  "Molgenis Quad 8GB"
        - openstack keypair create --public-key /root/id_rsa.pub adminkey
--- a/gcc-site.yml
+++ b/gcc-site.yml
@ -0,0 +1,14 @@
 ---
 - include: common.yml
 - include: rabbitmq.yml
 - include: memcached.yml
 - include: mariadb.yml
 - include: keystone.yml
 - include: glance-controller.yml
 - include: nova-controller.yml
 - include: neutron-controller.yml
 - include: cinder-controller.yml
 - include: cinder-storage.yml
 - include: nova-compute.yml
 - include: horizon.yml
 - include: gcc-post-install.yml
--- a/generate_secrets.py
+++ b/generate_secrets.py
@ -0,0 +1,35 @@
 #!/usr/bin/env python
 """
 Open the secrets.yml and replace all passwords.
 Original is backed up.
 """
 from os import path
 import random
 import string
 from subprocess import call
 from yaml import load, dump
 try:
    from yaml import CLoader as Loader, CDumper as Dumper
 except ImportError:
    from yaml import Loader, Dumper
 # length of generated passwords.
 pass_length = 20
 with open('secrets.yml.topol', 'r') as f:
    data = load(f, Loader=Loader)
 for key, value in data.iteritems():
    data[key] = ''.join(
        random.choice(string.ascii_letters + string.digits)
        for _ in range(pass_length))
 # Make numbered backups of the secrets file.
 if path.isfile('secrets.yml'):
    call(['cp', '--backup=numbered', 'secrets.yml', 'secrets.yml.bak'])
 with open('secrets.yml', 'w') as f:
    dump(data, f, Dumper=Dumper, default_flow_style=False)
--- a/glance-controller.yml
+++ b/glance-controller.yml
@ -0,0 +1,9 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: glance-controller
  become: True
  roles:
     - glance-controller
--- a/glance.yml
+++ b/glance.yml
@ -1,5 +0,0 @@
 ---
 - hosts: glance
  become: True
  roles:
     - glance
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -0,0 +1,10 @@
 ---
 keystone_external_fqdn: merlin.hpc.rug.nl
 use_ceph: true
 ceph_mon_initial_members:
 ceph_mon_host:
 ceph_public_network:
 ceph_osd_pool_default_size:
 ceph_compute_client_keyring:
 ceph_cinder_client_keyring:
 ceph_images_client_keyring:
--- a/group_vars/horizon.yml
+++ b/group_vars/horizon.yml
@ -0,0 +1,2 @@
 ---
 security_fail2ban_enabled: false
--- a/heat.yml
+++ b/heat.yml
@ -0,0 +1,9 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: heat
  become: True
  roles:
     - heat
--- a/heat_templates/example_cluster.yml
+++ b/heat_templates/example_cluster.yml
@ -0,0 +1,137 @@
 ---
 heat_template_version: 2015-04-30
 description: Simple Example template to deploy a virtual compute cluster.
 parameters:
  image_name:
    type: string
    label: Image Name
    description: Name of image to be used for compute instance
  public_net:
    type: string
    label: Public Net Name
    description: Public network used for router.
  ssh_key:
    type: string
    label: ssh key name.
    description: ssh public key name. (Must be uploaded to openstack first)
  compute_flavor:
    type: string
    label: Flavor for compute nodes,
    description: Flavor with which to start compute nodes.
  aux_flavor:
    type: string
    label: Flavor for auxiliary nodes.
    description: Flavor with which to start auxiliary nodes. (for now only the interface machine)
  cidr:
    type: string
    label: Cidr for internal subnet
    description: Cidr for the subnet of the internal user network.
  internal_net_name:
    type: string
    label: Name for the internal network
    description: Name for the internal network of this cluster.
  volume_size:
    type: string
    label: Size (GB)
    description: Size (GB) of the volume for each compute node
 resources:
  internal_net:
    type: OS::Neutron::Net
    properties:
      name: {get_param: internal_net_name}
  internal_subnet:
    type: OS::Neutron::Subnet
    properties:
      network_id: {get_resource: internal_net}
      cidr: {get_param: cidr}
      dns_nameservers: ["129.125.4.6", "129.125.36.10"]
      ip_version: 4
  internal_router:
    type: OS::Neutron::Router
    properties:
      external_gateway_info: {network: {get_param: public_net}}
  internal_interface:
    type: OS::Neutron::RouterInterface
    properties:
      router_id: {get_resource: internal_router}
      subnet: {get_resource: internal_subnet}
  public_port:
    type: OS::Neutron::Port
    properties:
      network_id: {get_resource: internal_net}
      fixed_ips:
        - subnet_id: {get_resource: internal_subnet}
      security_groups:
        - default
  floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network_id: {get_param: public_net}
      port_id: {get_resource: public_port}
  interface:  # User-interface for cluster-operation
    type: OS::Nova::Server
    properties:
      key_name: {get_param: ssh_key}
      image: {get_param: image_name}
      flavor: {get_param: aux_flavor}
      networks:
        - port: {get_resource: public_port}
  admin:  # Machine to run slurm and other admin tools on.
    type: OS::Nova::Server
    properties:
      key_name: {get_param: ssh_key}
      image: {get_param: image_name}
      flavor: {get_param: aux_flavor}
      networks:
        - network: {get_resource: internal_net}
  vcompute01-volume:
    type: OS::Cinder::Volume
    properties:
      size: {get_param: volume_size}
  vcompute01:
    type: OS::Nova::Server
    properties:
      key_name: adminkey
      image: {get_param: image_name}
      flavor: {get_param: compute_flavor}
      networks:
        - network: {get_resource: internal_net}
  vcompute_01_volume_attachment:
    type: OS::Cinder::VolumeAttachment
    properties:
      volume_id: {get_resource: vcompute01-volume}
      instance_uuid: {get_resource: vcompute01}
  vcompute02-volume:
    type: OS::Cinder::Volume
    properties:
      size: {get_param: volume_size}
  vcompute02:
    type: OS::Nova::Server
    properties:
      key_name: adminkey
      image: {get_param: image_name}
      flavor: {get_param: compute_flavor}
      networks:
        - network: {get_resource: internal_net}
  vcompute_02_volume_attachment:
    type: OS::Cinder::VolumeAttachment
    properties:
      volume_id: {get_resource: vcompute02-volume}
      instance_uuid: {get_resource: vcompute02}
--- a/horizon.yml
+++ b/horizon.yml
@ -0,0 +1,10 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: horizon
  become: True
  roles:
     - geerlingguy.security
     - horizon
--- a/51
+++ b/51
@ -1,21 +1,38 @@
 # A demo cluster of three nodes.
 [databases]
 ansible-test
 [keystone]
 ansible-test
 [dockerregistry]
 openstack01-node01
 [rabbitmq]
 ansible-test
 ansible-test-2
 ansible-test-3
 [cassandra]
 openstack01-node[01:03]
 [first_cassandra]
 openstack01-node01
 [next_cassandra]
 openstack01-node02
 openstack01-node03
-[first_cassandra:vars]
+
-run_options=""
+[keystone]
-[next_cassandra:vars]
+openstack01-node03
-run_options="-e CASSANDRA_SEEDS=172.23.41.1"
+
 [glance-controller]
 openstack01-node02
 [horizon]
 openstack01-node03
 [rabbitmq]
 openstack01-node01
 openstack01-node02
 openstack01-node03
 [memcached]
 openstack01-node03
 [neutron-controller]
 openstack01-node01 physical_interface_mappings=provider:ens192
 [nova-controller]
 openstack01-node03
 [cinder-controller]
 openstack01-node03
 [cinder-storage]
 openstack01-node01 storage_volume=/dev/loop0
 [nova-compute]
 openstack01-node04 physical_interface_mappings=provider:enp4s0f0
--- a/26
+++ b/26
@ -0,0 +1,26 @@
 [databases]
 openstack03.gcc.rug.nl
 [keystone]
 openstack03.gcc.rug.nl
 [glance-controller]
 openstack03.gcc.rug.nl
 [horizon]
 openstack03.gcc.rug.nl
 [rabbitmq]
 openstack03.gcc.rug.nl
 [memcached]
 openstack03.gcc.rug.nl
 [neutron-controller]
 openstack03.gcc.rug.nl
 [nova-controller]
 openstack03.gcc.rug.nl
 [nova-compute]
 openstack03.gcc.rug.nl
--- a/keystone.yml
+++ b/keystone.yml
@ -1,4 +1,8 @@
 ---
 - hosts: databases
  name: Dummy to gather facts
  tasks: []
 - hosts: keystone
  become: True
  roles:
--- a/mariadb.yml
+++ b/mariadb.yml
@ -3,5 +3,11 @@
 - hosts: databases
  become: True
  roles:
      - common
      - mariadb
  vars:
      hostname_node0: "{{ hostvars[groups['databases'][0]]['ansible_hostname'] }}"
      hostname_node1: "{{ hostvars[groups['databases'][1]]['ansible_hostname'] }}"
      hostname_node2: "{{ hostvars[groups['databases'][2]]['ansible_hostname'] }}"
      ip_node0: "{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
      ip_node1: "{{ hostvars[groups['databases'][1]]['listen_ip'] | default(hostvars[groups['databases'][1]]['ansible_default_ipv4']['address']) }}"
      ip_node2: "{{ hostvars[groups['databases'][2]]['listen_ip'] | default(hostvars[groups['databases'][2]]['ansible_default_ipv4']['address']) }}"
--- a/50
+++ b/50
@ -0,0 +1,50 @@
 [nova-compute]
 merlin-node001 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.1
 merlin-node002 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.2
 merlin-node003 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.3
 merlin-node004 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.4
 merlin-node005 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.5
 [databases]
 merlin-managementnode001
 merlin-managementnode002
 merlin-managementnode003
 [rabbitmq]
 merlin-managementnode001
 merlin-managementnode002
 merlin-managementnode003
 [horizon]
 merlin-managementnode001 horizon_external_fqdn=merlin.hpc.rug.nl
 [memcached]
 merlin-managementnode001
 [nova-controller]
 merlin-managementnode001
 [keystone]
 merlin-managementnode001
 [neutron-controller]
 merlin-managementnode001 physical_interface_mappings=provider:enp5s0f1 overlay_ip=172.23.43.101
 [heat]
 merlin-managementnode001
 [glance-controller]
 merlin-managementnode002
 [cinder-controller]
 merlin-managementnode003
 [cinder-storage]
 merlin-node001
 merlin-node002
 merlin-node003
 merlin-node004
 merlin-node005
 [stor]
 merlin-stor00[1:8]
--- a/50
+++ b/50
@ -0,0 +1,50 @@
 [nova-compute]
 merlin-node008 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.8
 merlin-node009 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.9
 merlin-node010 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.10
 merlin-node011 physical_interface_mappings=provider:enp129s0f1 overlay_ip=172.23.43.11
 merlin-node012 physical_interface_mappings=provider:enp129s0f1 overlay_ip=172.23.43.12
 merlin-node013 physical_interface_mappings=provider:enp129s0f1 overlay_ip=172.23.43.13
 [databases]
 merlin-node007
 merlin-node008
 merlin-node009
 [rabbitmq]
 merlin-node007
 merlin-node008
 merlin-node009
 [horizon]
 merlin-node007
 [memcached]
 merlin-node007
 [nova-controller]
 merlin-node007
 [keystone]
 merlin-node007
 [neutron-controller]
 merlin-node007 physical_interface_mappings=provider:enp130s0f0 overlay_ip=172.23.43.6
 [heat]
 merlin-node007
 [glance-controller]
 merlin-node008
 [cinder-controller]
 merlin-node009
 [cinder-storage]
 merlin-node008
 merlin-node009
 merlin-node010
 merlin-node011
 merlin-node012
 merlin-node013
--- a/37
+++ b/37
@ -0,0 +1,37 @@
 [nova-compute]
 merlin-managementnode002 physical_interface_mappings=provider:eno3
 merlin-managementnode003 physical_interface_mappings=provider:eno3
 merlin-node001 physical_interface_mappings=provider:eno3
 merlin-node003 physical_interface_mappings=provider:eno3
 merlin-node004 physical_interface_mappings=provider:eno3
 [databases]
 merlin-managementnode001
 merlin-managementnode002
 merlin-managementnode003
 [rabbitmq]
 merlin-managementnode001
 merlin-managementnode002
 merlin-managementnode003
 [horizon]
 merlin-managementnode001
 [memcached]
 merlin-managementnode001
 [nova-controller]
 merlin-managementnode001
 [keystone]
 merlin-managementnode001
 [neutron-controller]
 merlin-managementnode001 physical_interface_mappings=provider:eno3
 [heat]
 merlin-managementnode001
 [glance-controller]
 merlin-managementnode001
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1 @@
 ---
--- a/neutron-controller.yml
+++ b/neutron-controller.yml
@ -0,0 +1,9 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: neutron-controller
  become: True
  roles:
     - neutron-controller
--- a/nova-compute.yml
+++ b/nova-compute.yml
@ -0,0 +1,9 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: nova-compute
  become: True
  roles:
     - nova-compute
--- a/nova-controller.yml
+++ b/nova-controller.yml
@ -0,0 +1,9 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: nova-controller
  become: True
  roles:
     - nova-controller
--- a/nova-management.yml
+++ b/nova-management.yml
@ -1,5 +0,0 @@
 ---
 - hosts: nova-management
  become: True
  roles:
     - nova-management
--- a/nuke.yml
+++ b/nuke.yml
@ -0,0 +1,33 @@
 ---
 # This playbook will reset the instalation to facilitate a new installation.
 # All data is lost!
 - hosts: all
  become: true
  name: Cleanup tasks on all hosts.
  tasks:
    - name: Stop docker service
      shell: "systemctl stop docker"
    - name: Verify docker is stopped.
      systemd:
        name: docker
        state: stopped
    - name: Purge docker images.
      shell: "rm -rf /var/lib/docker/"
    - name: remove volumes
      shell: "rm -rf /srv"
    - name: remove network namespaces
      shell: "rm /var/run/netns/*"
      ignore_errors: true
    - name: Remove stale vxlan interfaces
      shell: "for interface in $(ip link | grep DOWN | grep -Po 'vxlan-\\d{1,2}'); do ip link del $interface ; done"
      ignore_errors: true
 - hosts: nova-compute
  gather_facts: false
  become: true
  tasks:
    - name: kill all vm's
      shell: "for machine in  $(virsh list --uuid ); do virsh destroy $machine ; done"
    - name: wipe all vm's
      shell: "for machine in  $(virsh list --uuid --all); do virsh undefine $machine ; done"
--- a/35
+++ b/35
@ -0,0 +1,35 @@
 [databases]
 openstack03
 [keystone]
 openstack03
 [glance-controller]
 openstack03
 [horizon]
 openstack03
 [rabbitmq]
 openstack03
 [memcached]
 openstack03
 [neutron-controller]
 openstack03 physical_interface_mappings=provider:enp4s0f0
 [nova-controller]
 openstack03
 [cinder-controller]
 openstack03
 [cinder-storage]
 openstack03 storage_volume=/dev/sdb1
 [nova-compute]
 openstack03 physical_interface_mappings=provider:enp4s0f0
 [all:vars]
 listen_ip=172.23.40.243
--- a/37
+++ b/37
@ -0,0 +1,37 @@
 # An all in one
 [databases]
 os-test
 [keystone]
 os-test
 [glance-controller]
 os-test
 [horizon]
 os-test
 [rabbitmq]
 os-test
 [memcached]
 os-test
 [neutron-controller]
 os-test physical_interface_mappings=provider:enp4s0f0
 [nova-controller]
 os-test
 [cinder-controller]
 os-test
 [cinder-storage]
 os-test storage_volume=/dev/sdb
 [nova-compute]
 os-test physical_interface_mappings=provider:enp4s0f0
 [all:vars]
 listen_ip=129.125.60.194
--- a/post-install.yml
+++ b/post-install.yml
@ -0,0 +1,37 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  tasks: []
 - hosts: keystone
  become: True
  vars_files:
    - settings.yml
  tasks:
    - name: copy public key
      copy:
        content: "{{ rsa_pub }}"
        dest: /srv/keystone/root/id_rsa.pub
    - name: post install configuration
      command: docker exec -i keystone.service bash -c "source /root/admin-openrc.sh && {{ item }}"
      with_items:
        - openstack network create --share --external --provider-physical-network provider --provider-network-type vlan --provider-segment 983 vlan983
        - >
            openstack subnet create --subnet-range 172.23.41.0/24 --gateway 172.23.41.101
            --network vlan983 --allocation-pool start=172.23.41.75,end=172.23.41.100
            --dns-nameserver 8.8.8.8 vlan983_subnet
        - openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
        - openstack keypair create --public-key /root/id_rsa.pub adminkey
        - openstack security group rule create --protocol icmp default
        - >
            openstack security group rule create default
            --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0
    - name: Install cirros image
      get_url:
        url: http://download.cirros-cloud.net/0.4.0/cirros-0.4.0-x86_64-disk.img
        dest: /tmp/cirros-0.4.0-x86_64-disk.img
        checksum: sha256:a8dd75ecffd4cdd96072d60c2237b448e0c8b2bc94d57f10fdbc8c481d9005b8
    - shell: >
          bash -c "source /srv/keystone/root/admin-openrc.sh &&
          openstack image create --disk-format qcow2 cirros
          < /tmp/cirros-0.4.0-x86_64-disk.img"
--- a/rabbitmq.yml
+++ b/rabbitmq.yml
@ -3,3 +3,5 @@
  become: True
  roles:
      - rabbitmq
  vars:
      hostname_node0: "{{ hostvars[groups['rabbitmq'][0]]['ansible_hostname'] }}"
--- a/roles/cassandra/tasks/main.yml
+++ b/roles/cassandra/tasks/main.yml
@ -1,6 +1,5 @@
 # Install a docker based cassandra cluster.
 ---
 - include: ../common/tasks/docker.yml
 - name: install service file.
  template:
    src: templates/cassandra.service
@ -8,9 +7,14 @@
    mode: 644
    owner: root
    group: root
 - name: install service file
  command: systemctl daemon-reload
 - name: make sure service is started
  systemd:
    name: cassandra.service
    state: started
 - name: start service at boot.
  command: systemctl reenable cassandra.service
--- a/roles/cassandra/templates/cassandra.service
+++ b/roles/cassandra/templates/cassandra.service
@ -13,7 +13,7 @@ ExecStart=/usr/bin/docker run --name %n -v /srv/lib/cassandra:/var/lib/cassandra
 -p 7000:7000 -p 7001:7001 -p 7199:7199 -p 9042:9042 -p 9160:9160 \
 -e CASSANDRA_BROADCAST_ADDRESS={{ansible_default_ipv4.address}} \
 -e CASSANDRA_START_RPC=True \
- {{run_options}} cassandra:3.10
+ cassandra:3.10
 [Install]
 WantedBy=multi-user.target
--- a/roles/cinder-controller/tasks/main.yml
+++ b/roles/cinder-controller/tasks/main.yml
@ -0,0 +1,73 @@
 # Build and install a docker image for cinder.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
  tags:
    - facts
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-cinder-controller-merlin:latest
    env_vars: >
        -e "MY_IP={{ listen_ip | default(ansible_default_ipv4.address) }}"
        -e "CINDER_HOST={{ listen_ip | default(hostvars[groups['cinder-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}"
        -e "CINDER_USER=cinder"
        -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MEMCACHED_HOST={{ listen_ip | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_HOST={{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
        -e "RABBIT_HOST={{ listen_ip | default(hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address']) }}"
        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
        -e "RABBIT_USER=openstack"
        -e "RBD_SECRET_UUID={{ secrets['CINDER_RBD_SECRET_UUID']}}"
  tags:
    - facts
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
  tags: pull
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
      - /srv/cinder-controller
      - /srv/cinder-controller/root
 - name: install service file.
  template:
    src: templates/cinder-controller.service
    dest: /etc/systemd/system/cinder-controller.service
    mode: 644
    owner: root
    group: root
  tags:
    - systemd
 - name: start service at boot.
  command: systemctl reenable cinder-controller.service
  tags:
    - systemd
 - command: systemctl daemon-reload
  tags:
    - systemd
 - name: Initialize database.
  command: >
             /usr/bin/docker run --rm
             {{ env_vars }}
             -v /srv/cinder-controller/root:/root \
             {{ docker_image }} /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: cinder-controller.service
    state: restarted
--- a/roles/cinder-controller/templates/cinder-controller.service
+++ b/roles/cinder-controller/templates/cinder-controller.service
@ -0,0 +1,18 @@
 [Unit]
 Description=Openstack Glance Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  {{ env_vars | replace('\n', '') }} \
  -v /srv/cinder-controller/root:/root \
  -p 8776:8776 \
  {{ docker_image }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/cinder-storage/files/ceph.client.volumes.keyring
+++ b/roles/cinder-storage/files/ceph.client.volumes.keyring
@ -0,0 +1,9 @@
 $ANSIBLE_VAULT;1.1;AES256
 39313161646365373665646331613930316437363735326262376531636166346138303139613138
 3361353633616136303365646165643339333130393031380a373934636436626336326436306666
 34316532333165346139633239313930326238333134633365666138326338386632373937343335
 3262383863653136300a393464646365623763663063303936646462313764633736613562633661
 62313961626165363761656363393538396461653936353932303137626435626161316239623338
 65656132353136656430613462663466616432643761303366396461653066616162366666356533
 39386261623861323861633739343237386266306264356436666430313531303238636235393665
 31396533306261393835
--- a/roles/cinder-storage/files/ceph.conf
+++ b/roles/cinder-storage/files/ceph.conf
@ -0,0 +1,14 @@
 [global]
 fsid = ef0b40a2-bc8c-4432-9cde-0ca7c82c8717
 mon_initial_members = merlin-managementnode002
 mon_host = 172.23.59.102
 auth_cluster_required = cephx
 auth_service_required = cephx
 auth_client_required = cephx
 # Your network address
 public network = 172.23.59.0/24
 osd pool default size = 2
 [client.volumes]
 keyring = /etc/ceph/ceph.client.volumes.keyring
--- a/roles/cinder-storage/files/uuid
+++ b/roles/cinder-storage/files/uuid
@ -0,0 +1 @@
 d0db6ba7-a0c9-4da6-b0bc-aa7846325333
--- a/roles/cinder-storage/tasks/main.yml
+++ b/roles/cinder-storage/tasks/main.yml
@ -0,0 +1,95 @@
 # Build and install a docker image for cinder.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
  tags: vars
 #- command: uuidgen
 #  register: uuid
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-cinder-storage-merlin:latest
    env_vars: >
        -e "MY_IP={{ listen_ip | default(ansible_default_ipv4.address) }}"
        -e "CINDER_HOST={{ listen_ip | default(hostvars[groups['cinder-storage'][0]]['ansible_default_ipv4']['address']) }}"
        -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}"
        -e "CINDER_USER=cinder"
        -e "GLANCE_HOST={{ listen_ip | default(hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_HOST={{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
        -e "RABBIT_HOST={{ listen_ip | default(hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address']) }}"
        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
        -e "RABBIT_USER=openstack"
        -e "USE_CEPH={{ use_ceph }}"
        -e "MON_INITIAL_MEMBERS={{ ceph_mon_initial_members }}"
        -e "MON_HOST={{ ceph_mon_host }}"
        -e "PUBLIC_NETWORK={{ ceph_public_network }}"
        -e "OSD_POOL_DEFAULT_SIZE={{ ceph_osd_pool_default_size }}"
        -e "RBD_SECRET_UUID={{ secrets['CINDER_RBD_SECRET_UUID']}}"
  tags: vars
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
  tags: pull
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
    - /srv/cinder-storage
    - /srv/cinder-storage/root
    - /srv/cinder-storage/etc/ceph
 - name: initial setup
  command: >
             /usr/bin/docker run --rm
             --privileged
             {{ env_vars }}
             -v /srv/cinder-storage/root:/root \
             {{ docker_image }} /etc/bootstrap.sh
  tags: bootstrap
 - name: copy ceph-client configurationfile
  copy:
    src: files/ceph.conf
    dest: /srv/cinder-storage/etc/ceph/ceph.conf
    mode: 0644
 - name: copy ceph-client-keyring
  copy:
    src: files/ceph.client.volumes.keyring
    dest: /srv/cinder-storage/etc/ceph/ceph.client.volumes.keyring
    mode: 0644
 - name: install service file.
  template:
    src: templates/cinder-storage.service
    dest: /etc/systemd/system/cinder-storage.service
    mode: 644
    owner: root
    group: root
  tags: systemd
 #- name: set ceph client keyring
 #  copy:
 #    content: "{{ceph_cinder_client_keyring}}"
 #    dest: /srv/cinder-storage/etc/ceph
 #  when: use_ceph
 - command: systemctl daemon-reload
  tags: systemd
 - name: start service at boot.
  command: systemctl reenable cinder-storage.service
 - name: make sure service is started
  systemd:
    name: cinder-storage.service
    state: restarted
--- a/roles/cinder-storage/templates/cinder-storage.service
+++ b/roles/cinder-storage/templates/cinder-storage.service
@ -0,0 +1,22 @@
 [Unit]
 Description=Openstack Cinder Storage container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  --privileged \
  {{ env_vars | replace('\n', '') }} \
  -v /srv/cinder-storage/root:/root \
  -v /etc/ceph:/etc/ceph \
  -p 8777:8776 \
  -p 3260:3260 \
  --network=host \
  {{ docker_image }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/common/tasks/docker.yml
+++ b/roles/common/tasks/docker.yml
@ -13,3 +13,8 @@
  with_items:
     - docker-engine
     - python-docker
 - name: make sure service is started
  systemd:
    name: docker.service
    state: started
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -5,18 +5,18 @@
 - name: Passwordless sudo for admins
  lineinfile: dest=/etc/sudoers line="%admin  ALL=(ALL:ALL) NOPASSWD:ALL"
- include: users.yml
+- import_tasks: users.yml
 - name: common | install packages
  apt: pkg={{ item }} state=latest update_cache=yes
  with_items:
-     - curl
+    - curl
-     - htop
+    - htop
-     - molly-guard
+    - molly-guard
-     - sudo
+    - sudo
-     - tree
+    - tree
-     - vim
+    - vim
-     - python-simplejson
+    - python-simplejson
 - name: sshd_config
  file:
@ -26,6 +26,13 @@
    owner: root
    group: root
-    #- name: Load secrets file
+- name: disable apparmor
-    #  include_vars:
+  apt: pkg=apparmor state=absent
-    #      file: secrets/password_list.yml
+
 - import_tasks: docker.yml
 - name: Log into DockerHub
  docker_login:
    registry: registry.webhosting.rug.nl
    username: "{{ docker_user }}"
    password: "{{ docker_pass }}"
--- a/roles/dockerregistry/tasks/main.yml
+++ b/roles/dockerregistry/tasks/main.yml
@ -1,6 +1,5 @@
 # Install a docker based mariadb.
 ---
 - include: ../common/tasks/docker.yml
 - name: install service file.
  template:
    src: files/dockerregistry.service
@ -8,13 +7,18 @@
    mode: 644
    owner: root
    group: root
 - name: install service file
  command: systemctl daemon-reload
 - name: make sure service is started
  systemd:
    name: dockerregistry.service
    state: started
 - name: start service at boot.
  command: systemctl reenable dockerregistry.service
 - name: Copy certificates and passwd file
  copy:
    src: "{{ item }}"
--- a/roles/glance-controller/files/ceph.client.images.keyring
+++ b/roles/glance-controller/files/ceph.client.images.keyring
@ -0,0 +1,2 @@
 [client.images]
 	key = AQDCpDNbJ3DqDBAAvUOUcxEoZNvQUfoaU5i8iQ==
--- a/roles/glance-controller/files/ceph.conf
+++ b/roles/glance-controller/files/ceph.conf
@ -0,0 +1,14 @@
 [global]
 fsid = ef0b40a2-bc8c-4432-9cde-0ca7c82c8717
 mon_initial_members = merlin-managementnode002
 mon_host = 172.23.59.102
 auth_cluster_required = cephx
 auth_service_required = cephx
 auth_client_required = cephx
 # Your network address
 public network = 172.23.59.0/24
 osd pool default size = 2
 [client.images]
 keyring = /etc/ceph/ceph.client.images.keyring
--- a/roles/glance-controller/tasks/main.yml
+++ b/roles/glance-controller/tasks/main.yml
@ -0,0 +1,87 @@
 # Build and install a docker image for glance.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-glance-merlin:latest
    env_vars: >
        -e "GLANCE_HOST={{ listen_ip | default(hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "GLANCE_PASSWORD={{ secrets['GLANCE_PASSWORD'] }}"
        -e "GLANCE_USER=glance"
        -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MEMCACHED_HOST={{ listen_ip | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_HOST={{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
        -e "RABBIT_HOST={{ listen_ip | default(hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address']) }}"
        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
        -e "RABBIT_USER=openstack"
        -e "USE_CEPH={{ use_ceph }}"
        -e "MON_INITIAL_MEMBERS={{ ceph_mon_initial_members }}"
        -e "MON_HOST={{ ceph_mon_host }}"
        -e "PUBLIC_NETWORK={{ ceph_public_network }}"
        -e "OSD_POOL_DEFAULT_SIZE={{ ceph_osd_pool_default_size }}"
 #- name: pull docker image
 #  docker_image:
 #    name: "{{ docker_image }}"
 #  tags: pull
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
      - /srv/glance
      - /srv/glance/root
      - /srv/glance/etc/ceph
 - name: copy ceph-client configurationfile
  copy:
    src: files/ceph.conf
    dest: /srv/glance/etc/ceph/ceph.conf
    mode: 0644
 - name: copy ceph-client-keyring
  copy:
    src: files/ceph.client.images.keyring
    dest: /srv/glance/etc/ceph/ceph.client.images.keyring
    mode: 0644
 #- name: set ceph client keyring
 #  copy:
 #    content: "{{ceph_images_client_keyring}}"
 #    dest: /srv/cinder-storage/etc/ceph/ceph.client.images.keyring
 #  when: use_ceph
 - name: install service file.
  template:
    src: templates/glance.service
    dest: /etc/systemd/system/glance.service
    mode: 644
    owner: root
    group: root
 - name: start service at boot.
  command: systemctl reenable glance.service
 - command: systemctl daemon-reload
 - name: Initialize database.
  command: >
             /usr/bin/docker run --rm
             {{ env_vars }}
             --add-host=keystone:{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }} \
             -v /srv/glance/root:/root \
             -v /var/lib/glance/images:/var/lib/glance/images \
             {{ docker_image }} /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: glance.service
    state: restarted
--- a/roles/glance-controller/templates/glance.service
+++ b/roles/glance-controller/templates/glance.service
@ -6,12 +6,14 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
-  --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
+  {{ env_vars | replace('\n', '') }} \
  -v /srv/glance/root:/root \
  -v /etc/ceph:/etc/ceph \
  -p 9292:9292 \
-  hpc/openstack-glance
+  {{ docker_image }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/glance/tasks/main.yml
+++ b/roles/glance/tasks/main.yml
@ -1,42 +0,0 @@
 # Build and install a docker image for glance.
 ---
 - include: ../common/tasks/docker.yml
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
      - /srv/glance
 ## Todo: remove this when we have a docker repo
 #- name: clone docker-glance repo
 #  git:
 #    accept_hostkey: True
 #    repo: ssh://git@git.webhosting.rug.nl:222/P256174/docker-glance.git
 #    dest: /srv/glance
 - name: build glance image
  docker_image:
    path: /srv/glance
    name: hpc/openstack-glance
 - name: install service file.
  template:
    src: templates/glance.service
    dest: /etc/systemd/system/glance.service
    mode: 644
    owner: root
    group: root
 - command: systemctl daemon-reload
 - name: Initialize database.
  command: docke run --rm hpc/openstack-glance /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: glance.service
    state: restarted
--- a/roles/heat/tasks/main.yml
+++ b/roles/heat/tasks/main.yml
@ -0,0 +1,62 @@
 # Build and install a docker image for heat.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-heat-merlin:latest
    env_vars: >
        -e "HEAT_HOST={{ listen_ip | default(hostvars[groups['heat'][0]]['ansible_default_ipv4']['address']) }}"
        -e "HEAT_PASSWORD={{ secrets['HEAT_PASSWORD'] }}"
        -e "HEAT_USER=heat"
        -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MEMCACHED_HOST={{ listen_ip | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_HOST={{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
        -e "RABBIT_HOST={{ listen_ip | default(hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address']) }}"
        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
        -e "RABBIT_USER=openstack"
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
  tags: pull
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
      - /srv/heat
      - /srv/heat/root
 - name: install service file.
  template:
    src: templates/heat.service
    dest: /etc/systemd/system/heat.service
    mode: 644
    owner: root
    group: root
 - name: start service at boot.
  command: systemctl reenable heat.service
 - command: systemctl daemon-reload
 - name: Initialize database.
  command: >
             /usr/bin/docker run --rm
             {{ env_vars }}
             --add-host=keystone:{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }} \
             -v /srv/heat/root:/root \
             {{ docker_image }} /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: heat.service
    state: restarted
--- a/roles/heat/templates/heat.service
+++ b/roles/heat/templates/heat.service
@ -0,0 +1,19 @@
 [Unit]
 Description=Openstack heat Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  {{ env_vars | replace('\n', '') }} \
  -v /srv/heat/root:/root \
  -p 8000:8000 \
  -p 8004:8004 \
  {{ docker_image }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/horizon/files/Dockerfile
+++ b/roles/horizon/files/Dockerfile
@ -1,19 +0,0 @@
 # Build keystone. It needs to be run with
 # --add-host=mariadb:<ip mariadb listens tp>
 # Wen starting with an initialized db,
 # run keystone-manage db_sync from this docker first:
 # $ docker run hpc/keystone --add-host=mariadb:<ip mariadb> "keystone-manage db_sync"
 FROM ubuntu:zesty
 RUN apt-get update
 RUN apt-get install --yes openstack-dashboard
 ADD local_settings.py /etc/openstack-dashboard/local_settings.py
 RUN chown -R www-data: /var/lib/openstack-dashboard/
 #RUN keystone-manage db_sync
 CMD apachectl -DFOREGROUND
--- a/roles/horizon/files/local_settings.py
+++ b/roles/horizon/files/local_settings.py
@ -1,503 +0,0 @@
 # -*- coding: utf-8 -*-
 import os
 from django.utils.translation import ugettext_lazy as _
 from horizon.utils import secret_key
 from openstack_dashboard.settings import HORIZON_CONFIG
 DEBUG = False
 WEBROOT = '/'
 LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
 SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
 CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211',
    },
 }
 # Send email to the console by default
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 # Configure these for your outgoing email host
 #EMAIL_HOST = 'smtp.my-company.com'
 #EMAIL_PORT = 25
 #EMAIL_HOST_USER = 'djangomail'
 #EMAIL_HOST_PASSWORD = 'top-secret!'
 OPENSTACK_HOST = "172.23.38.125"
 OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 # Disable SSL certificate checks (useful for self-signed certificates):
 #OPENSTACK_SSL_NO_VERIFY = True
 # The CA certificate to use to verify SSL connections
 #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.
 # If Keystone has been configured to use LDAP as the auth backend then set
 # can_edit_user to False and name to 'ldap'.
 #
 # TODO(tres): Remove these once Keystone has an API to identify auth backend.
 OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
 }
 # Setting this to True, will add a new "Retrieve Password" action on instance,
 # allowing Admin session password retrieval/decryption.
 #OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
 # Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to
 # determine the experience to enable.  Set them both to true to enable
 # both.
 #LAUNCH_INSTANCE_LEGACY_ENABLED = True
 #LAUNCH_INSTANCE_NG_ENABLED = False
 # The Xen Hypervisor has the ability to set the mount point for volumes
 # attached to instances (other Hypervisors currently do not). Setting
 # can_set_mount_point to True will add the option to set the mount point
 # from the UI.
 OPENSTACK_HYPERVISOR_FEATURES = {
    'can_set_mount_point': False,
    'can_set_password': False,
    'requires_keypair': False,
    'enable_quotas': True
 }
 # The OPENSTACK_CINDER_FEATURES settings can be used to enable optional
 # services provided by cinder that is not exposed by its extension API.
 OPENSTACK_CINDER_FEATURES = {
    'enable_backup': False,
 }
 # The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional
 # services provided by neutron. Options currently available are load
 # balancer service, security groups, quotas, VPN service.
 OPENSTACK_NEUTRON_NETWORK = {
    'enable_router': True,
    'enable_quotas': True,
    'enable_ipv6': True,
    'enable_distributed_router': False,
    'enable_ha_router': False,
    'enable_lb': True,
    'enable_firewall': True,
    'enable_vpn': True,
    'enable_fip_topology_check': True,
    # profile_support can be turned on if needed.
    'profile_support': None,
    #'profile_support': 'cisco',
    'supported_vnic_types': ['*'],
 }
 # The OPENSTACK_HEAT_STACK settings can be used to disable password
 # field required while launching the stack.
 OPENSTACK_HEAT_STACK = {
    'enable_user_pass': True,
 }
 #OPENSTACK_IMAGE_BACKEND = {
 #    'image_formats': [
 #        ('', _('Select format')),
 #        ('aki', _('AKI - Amazon Kernel Image')),
 #        ('ami', _('AMI - Amazon Machine Image')),
 #        ('ari', _('ARI - Amazon Ramdisk Image')),
 #        ('docker', _('Docker')),
 #        ('iso', _('ISO - Optical Disk Image')),
 #        ('ova', _('OVA - Open Virtual Appliance')),
 #        ('qcow2', _('QCOW2 - QEMU Emulator')),
 #        ('raw', _('Raw')),
 #        ('vdi', _('VDI - Virtual Disk Image')),
 #        ('vhd', _('VHD - Virtual Hard Disk')),
 #        ('vmdk', _('VMDK - Virtual Machine Disk')),
 #    ],
 #}
 # The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for
 # image custom property attributes that appear on image detail pages.
 IMAGE_CUSTOM_PROPERTY_TITLES = {
    "architecture": _("Architecture"),
    "kernel_id": _("Kernel ID"),
    "ramdisk_id": _("Ramdisk ID"),
    "image_state": _("Euca2ools state"),
    "project_id": _("Project ID"),
    "image_type": _("Image Type"),
 }
 # The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image
 # custom properties should not be displayed in the Image Custom Properties
 # table.
 IMAGE_RESERVED_CUSTOM_PROPERTIES = []
 # Set to 'legacy' or 'direct' to allow users to upload images to glance via
 # Horizon server. When enabled, a file form field will appear on the create
 # image form. If set to 'off', there will be no file form field on the create
 # image form. See documentation for deployment considerations.
 #HORIZON_IMAGES_UPLOAD_MODE = 'legacy'
 # Allow a location to be set when creating or updating Glance images.
 # If using Glance V2, this value should be False unless the Glance
 # configuration and policies allow setting locations.
 #IMAGES_ALLOW_LOCATION = False
 # OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
 # in the Keystone service catalog. Use this setting when Horizon is running
 # external to the OpenStack environment. The default is 'publicURL'.
 OPENSTACK_ENDPOINT_TYPE = "publicURL"
 # SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the
 # case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints
 # in the Keystone service catalog. Use this setting when Horizon is running
 # external to the OpenStack environment. The default is None. This
 # value should differ from OPENSTACK_ENDPOINT_TYPE if used.
 #SECONDARY_ENDPOINT_TYPE = None
 # The number of objects (Swift containers/objects or images) to display
 # on a single page before providing a paging element (a "more" link)
 # to paginate results.
 API_RESULT_LIMIT = 1000
 API_RESULT_PAGE_SIZE = 20
 # The size of chunk in bytes for downloading objects from Swift
 SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
 # The default number of lines displayed for instance console log.
 INSTANCE_LOG_LENGTH = 35
 # Specify a maximum number of items to display in a dropdown.
 DROPDOWN_MAX_ITEMS = 30
 # The timezone of the server. This should correspond with the timezone
 # of your entire OpenStack installation, and hopefully be in UTC.
 TIME_ZONE = "UTC"
 # When launching an instance, the menu of available flavors is
 # sorted by RAM usage, ascending. If you would like a different sort order,
 # you can provide another flavor attribute as sorting key. Alternatively, you
 # can provide a custom callback method to use for sorting. You can also provide
 # a flag for reverse sort. For more info, see
 # http://docs.python.org/2/library/functions.html#sorted
 #CREATE_INSTANCE_FLAVOR_SORT = {
 #    'key': 'name',
 #     # or
 #    'key': my_awesome_callback_method,
 #    'reverse': False,
 #}
 # Set this to True to display an 'Admin Password' field on the Change Password
 # form to verify that it is indeed the admin logged-in who wants to change
 # the password.
 #ENFORCE_PASSWORD_CHECK = False
 # Modules that provide /auth routes that can be used to handle different types
 # of user authentication. Add auth plugins that require extra route handling to
 # this list.
 #AUTHENTICATION_URLS = [
 #    'openstack_auth.urls',
 #]
 # The Horizon Policy Enforcement engine uses these values to load per service
 # policy rule files. The content of these files should match the files the
 # OpenStack services are using to determine role based access control in the
 # target installation.
 # Path to directory containing policy.json files
 #POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
 # Map of local copy of service policy files.
 # Please insure that your identity policy file matches the one being used on
 # your keystone servers. There is an alternate policy file that may be used
 # in the Keystone v3 multi-domain case, policy.v3cloudsample.json.
 # This file is not included in the Horizon repository by default but can be
 # found at
 # http://git.openstack.org/cgit/openstack/keystone/tree/etc/ \
 # policy.v3cloudsample.json
 # Having matching policy files on the Horizon and Keystone servers is essential
 # for normal operation. This holds true for all services and their policy files.
 #POLICY_FILES = {
 #    'identity': 'keystone_policy.json',
 #    'compute': 'nova_policy.json',
 #    'volume': 'cinder_policy.json',
 #    'image': 'glance_policy.json',
 #    'orchestration': 'heat_policy.json',
 #    'network': 'neutron_policy.json',
 #}
 # TODO: (david-lyle) remove when plugins support adding settings.
 # Note: Only used when trove-dashboard plugin is configured to be used by
 # Horizon.
 # Trove user and database extension support. By default support for
 # creating users and databases on database instances is turned on.
 # To disable these extensions set the permission here to something
 # unusable such as ["!"].
 #TROVE_ADD_USER_PERMS = []
 #TROVE_ADD_DATABASE_PERMS = []
 # Change this patch to the appropriate list of tuples containing
 # a key, label and static directory containing two files:
 # _variables.scss and _styles.scss
 #AVAILABLE_THEMES = [
 #    ('default', 'Default', 'themes/default'),
 #    ('material', 'Material', 'themes/material'),
 #]
 LOGGING = {
    'version': 1,
    # When set to True this will disable all logging except
    # for loggers specified in this configuration dictionary. Note that
    # if nothing is specified here and disable_existing_loggers is True,
    # django.db.backends will still log unless it is disabled explicitly.
    'disable_existing_loggers': False,
    'formatters': {
        'operation': {
            # The format of "%(message)s" is defined by
            # OPERATION_LOG_OPTIONS['format']
            'format': '%(asctime)s %(message)s'
        },
    },
    'handlers': {
        'null': {
            'level': 'DEBUG',
            'class': 'logging.NullHandler',
        },
        'console': {
            # Set the level to "DEBUG" for verbose output logging.
            'level': 'INFO',
            'class': 'logging.StreamHandler',
        },
        'operation': {
            'level': 'INFO',
            'class': 'logging.StreamHandler',
            'formatter': 'operation',
        },
    },
    'loggers': {
        # Logging from django.db.backends is VERY verbose, send to null
        # by default.
        'django.db.backends': {
            'handlers': ['null'],
            'propagate': False,
        },
        'requests': {
            'handlers': ['null'],
            'propagate': False,
        },
        'horizon': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'horizon.operation_log': {
            'handlers': ['operation'],
            'level': 'INFO',
            'propagate': False,
        },
        'openstack_dashboard': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'novaclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'cinderclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'keystoneclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'glanceclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'neutronclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'heatclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'swiftclient': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'openstack_auth': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'nose.plugins.manager': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'django': {
            'handlers': ['console'],
            'level': 'DEBUG',
            'propagate': False,
        },
        'iso8601': {
            'handlers': ['null'],
            'propagate': False,
        },
        'scss': {
            'handlers': ['null'],
            'propagate': False,
        },
    },
 }
 # 'direction' should not be specified for all_tcp/udp/icmp.
 # It is specified in the form.
 SECURITY_GROUP_RULES = {
    'all_tcp': {
        'name': _('All TCP'),
        'ip_protocol': 'tcp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_udp': {
        'name': _('All UDP'),
        'ip_protocol': 'udp',
        'from_port': '1',
        'to_port': '65535',
    },
    'all_icmp': {
        'name': _('All ICMP'),
        'ip_protocol': 'icmp',
        'from_port': '-1',
        'to_port': '-1',
    },
    'ssh': {
        'name': 'SSH',
        'ip_protocol': 'tcp',
        'from_port': '22',
        'to_port': '22',
    },
    'smtp': {
        'name': 'SMTP',
        'ip_protocol': 'tcp',
        'from_port': '25',
        'to_port': '25',
    },
    'dns': {
        'name': 'DNS',
        'ip_protocol': 'tcp',
        'from_port': '53',
        'to_port': '53',
    },
    'http': {
        'name': 'HTTP',
        'ip_protocol': 'tcp',
        'from_port': '80',
        'to_port': '80',
    },
    'pop3': {
        'name': 'POP3',
        'ip_protocol': 'tcp',
        'from_port': '110',
        'to_port': '110',
    },
    'imap': {
        'name': 'IMAP',
        'ip_protocol': 'tcp',
        'from_port': '143',
        'to_port': '143',
    },
    'ldap': {
        'name': 'LDAP',
        'ip_protocol': 'tcp',
        'from_port': '389',
        'to_port': '389',
    },
    'https': {
        'name': 'HTTPS',
        'ip_protocol': 'tcp',
        'from_port': '443',
        'to_port': '443',
    },
    'smtps': {
        'name': 'SMTPS',
        'ip_protocol': 'tcp',
        'from_port': '465',
        'to_port': '465',
    },
    'imaps': {
        'name': 'IMAPS',
        'ip_protocol': 'tcp',
        'from_port': '993',
        'to_port': '993',
    },
    'pop3s': {
        'name': 'POP3S',
        'ip_protocol': 'tcp',
        'from_port': '995',
        'to_port': '995',
    },
    'ms_sql': {
        'name': 'MS SQL',
        'ip_protocol': 'tcp',
        'from_port': '1433',
        'to_port': '1433',
    },
    'mysql': {
        'name': 'MYSQL',
        'ip_protocol': 'tcp',
        'from_port': '3306',
        'to_port': '3306',
    },
    'rdp': {
        'name': 'RDP',
        'ip_protocol': 'tcp',
        'from_port': '3389',
        'to_port': '3389',
    },
 }
 REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
                              'LAUNCH_INSTANCE_DEFAULTS',
                              'OPENSTACK_IMAGE_FORMATS',
                              'OPENSTACK_KEYSTONE_DEFAULT_DOMAIN']
 # The default theme if no cookie is present
 DEFAULT_THEME = 'ubuntu'
 # Default Ubuntu apache configuration uses /horizon as the application root.
 WEBROOT='/horizon/'
 # By default, validation of the HTTP Host header is disabled.  Production
 # installations should have this set accordingly.  For more information
 # see https://docs.djangoproject.com/en/dev/ref/settings/.
 ALLOWED_HOSTS = '*'
 # Compress all assets offline as part of packaging installation
 COMPRESS_OFFLINE = True
 ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
--- a/roles/horizon/tasks/main.yml
+++ b/roles/horizon/tasks/main.yml
@ -0,0 +1,44 @@
 # Run hpc/horizon
 ---
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-horizon-merlin:latest
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
    force: True
  tags: pull
 - name: Make persistent directories
  file:
    path: /srv/horizon/certs
    state: directory
    mode: 0750
 - name: install ssl files
  template:
    src: templates/certs/{{ item }}
    dest: /srv/horizon/certs/{{ item }}
    mode: 400
  with_items:
    - merlin.hpc.rug.nl.key
    - merlin.hpc.rug.nl.crt
    - DigiCertCA.crt
 - name: install service file.
  template:
    src: templates/horizon.service
    dest: /etc/systemd/system/horizon.service
    mode: 644
    owner: root
    group: root
 - command: systemctl daemon-reload
 - name: start service at boot.
  command: systemctl reenable horizon.service
 - name: make sure service is started
  systemd:
    name: horizon.service
    state: restarted
--- a/roles/horizon/templates/certs/DigiCertCA.crt
+++ b/roles/horizon/templates/certs/DigiCertCA.crt
@ -0,0 +1,29 @@
 -----BEGIN CERTIFICATE-----
 MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
 b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
 EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
 MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
 DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
 Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
 lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
 VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
 85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
 mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
 AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
 CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
 Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
 aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw
 Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
 MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
 SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
 dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS
 JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq
 hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd
 xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ
 WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC
 J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ
 +hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
 hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
 -----END CERTIFICATE-----
--- a/roles/horizon/templates/certs/merlin.hpc.rug.nl.crt
+++ b/roles/horizon/templates/certs/merlin.hpc.rug.nl.crt
@ -0,0 +1,125 @@
 $ANSIBLE_VAULT;1.1;AES256
 65356336313163323761363666626661373461653034313630353938616666323734663735343630
 3562356361313237623231366332343165613939393230310a613263373434396237633733613865
 38666637616264393237363366396232333664613732623332363136313163616432633366663537
 3135636261656133640a313661316538623765353063373134616663316237363536613761626637
 35316432633638303337343065623262643235356435633936356631383562363037656362316263
 33633136363933316334363965303138343462326536636162383838326138656133363034356561
 33623730626136373733376162663664303763613339343932613731653965313362623737373937
 33333966653538373664633763343239316537366332643135393033343235366564653765303738
 62633063636663343730323736643438323365383262656263326561663733666235623766313732
 39386366303366393339393935366238633966653738643637613266313231346632623535346139
 61343731643063646635623930626165623665343732383639353933313634313838336562303038
 31633532653361353765653836636162363761336338313535346537626432313562346430616232
 30613538326561326232623261623536363366353735323333653039306564616431323035366237
 33333661346437613466363236653463636234393730653765646463613535303439306463643764
 37306665353534393335366537643534383834633239646432373433613432663031363962633761
 33633765336164363165396634316163333739666264663864333632313462636338396339303138
 33333131343261643137373065636537366536336634633266373536633532363563666464306332
 39343136623063303061666564366135383339313866373666336364373663383266303364363437
 34383730393539376338383865373439386230393030633161646465366165343132373438306566
 34383965363366663435393032666366363739393739323335626438656632303266383661366433
 65376234383364313663663564333235303939363036303838393231303566343637346332376161
 30333331613738306338346539343762363562393966373963643964623331643036323935313165
 64626661363461656164626538313336306538666561646637616238643839336334633239393236
 63356139323433346335643031343930353937323333396332333735353861386265373633653532
 32313962616665343536663836326139316662653562373132633537386431356166643433366138
 37623534636264336437366462303266383836666333326333393831396466376132666265316533
 65663734653233666233373064326161643534353930393731313431643765383934353130613137
 66666663346536303363653562313139336333343133343938323030663432643161396538383966
 62646163396161373531663861333230393831333535343137343732393532336631393637383762
 66363632373938316536623161646339316236313966303737643632313839623730643364626266
 66643462663536356337653233353662363238346638396566363961643134613136353062633035
 37653833343032383937653530363331366632386261363661343131376539323335653439623830
 35316131663965353635643364396463346637346232313931326666316165653061346264663331
 63616265396463613666646438393133313865663338623436393466373134396230396561393431
 62353039633564393666373430663035313039633065323539373436323532363138333932633537
 65363338316663623934616130396661376163653636346630383531333263393265336461643363
 39366230613239313635366264303431663534666638663433323639613335376233313535666235
 36383566616532396630373763333566616232383538366163626463633530393165653032363433
 65343561323636616365656466623939383366366438646366393432303465353865623134383532
 35333435663831386130666238376531616362663134383366633736336337653763613135356138
 32336231333237656462383831663132316634313038373861356163663632336231383736316132
 37343430633432303462373664633761616635656462383935353731383431336265333734646166
 35376632383736383463353336383431613761626231356534313539666563633466313530666166
 39646462376236366466306139376238306236323337323463343733663439363631346135636564
 64666239613732326539313638633131333039623535366264383265616661663135343563333466
 34626632623932303630663161633437626532376463373135383131613663663432373233396163
 30666331366137316364376566616431366635613536623339616565623736323730336339653031
 38346335643132636231663837653639323230323238376466623034373763313531363930353335
 66356638666466303466653561626434383839626531333664633337333636333033666335383837
 35353837376130386532373961643962633361363831633632333133383738323436633836646537
 34323037313732386639383666326535383638333239363730383733363235623063626531326366
 33626366366231623638643836343339376361383562633933626332363432393265323335626436
 31613666633362643162616237383433633032366534303338313238626131353633396264333537
 61613166303639663366353539333832633263313333343662393533376437396438323135633865
 33383131363633343333646539386139306131623161633331393866393862383566333234386565
 37663334313039623763663361386531626131303262333063336437326633666438303334353035
 64376535666334623938343337663561636661386430313339633764323834323031303366666464
 31303237383333626433613534343337646134323364623763663062306439333464393366313262
 31386333663334373333393666383732333264383331376238653338333861383439353236303338
 37336466376538303234316663653262363162616439303065633263346139333439303732316632
 34646166313737393334303632326561373831646133376564323763633436323366326634613731
 63663033663338333833653766313938646239623038336430383739313034626663626261623531
 66363339656132643137303339633330653066643265303835356566303161393063383831613565
 35653165646165326531356634623532633964666132663339363334386465323565383732333130
 65613462363133616435633066356136353530383863613266353164616138363531313733636131
 64313166633236633835316239333730653437393064623735363234333663653362373136313361
 30623637393536653833373133346332363738343337633264376565653865633464363163366136
 31336561613333323036353937613764363237636463343461666266613435326239306238646666
 31393863346230663935363832633164663639383333343166373362383336366261656235393038
 63323632303166643837643539346465626435633935353230663262383135656230653934306335
 33333832323436663936613336393433666236363534646430666437646363303236363536666431
 65616332623561336461323632623664393031323637363263633334626232316638623565316632
 61376339323064366637353737396232313666316535333930663638656364396266353534363065
 38323664313435313035643866373535343937623331616136663232396635336463396432333363
 32343733613635313538366136393833623336653736353032366461636633393034303533353661
 31616631373238616566333662356137623139623964326130316235363137393338643930666364
 39306338616234326262373461336365653463636632336233303136363832616561633135323663
 39313839643730393730626139343338303631303066313433383438613730366434656161653936
 37313139626436666535356663396433333635343532303265306134316335613232313038333335
 34626136313933663463666334366466303939643334316261333161623239306632636561663463
 64636538643931623563666438333363303633316431323761643862613763626130383532346539
 31316565636363333331323630623337326133366263643638383339313330636162613666343432
 33666238663739333135363733363361356430643638336133343065366461373736376431373139
 61653231383735393838373731663932633139303362376164356635613130616362343835653536
 30376263376233303234343962663361333439623232636535366364396135356334633465363862
 66646564653061376632383235636330656236663563616166636339313738646166663235373330
 66646637376633616365373735326331313338353263613537386535343733346132663838336164
 31393863323266383563323263303233616533366434663332326530343264343364353839643363
 31643931663131633733666665623665663434666164346364366232313765333063613234393063
 64333333346431643837646139663937303437643830633131613864363663313633393932303538
 33303331613061663138373639396266343830646637306662653337323130313638303237306262
 61393238356633396361333866353838383630393038376133353133613732303061333137306662
 39306138393363626662353532386436333965656234366166383835393763633539346561636430
 65333231643266333732663366393164366234366131373636643034633361393935366236366237
 36616130666663353536336638346232616431333265393432303630663637656539323431633963
 39336564666135646261613361396339306332376131663639353431643564316136643336333466
 34653837316137656662303166623738616533376434316339653136376434623135363633333835
 39343366613265656537363332373862643662633264376432636434393464386666626365346466
 38326361343935363635373932396136363561363037333962303732303535356362383236653464
 37646563306235333863303935353431626133616330366566326531356331353137653165623062
 66636134393536656234323966363137613438306163366236623533373966333736633162623462
 62303463343963353535653462376561623230386563346631383161376434303464613231386165
 65376230396461336530366338356231363432356265376330623334363737383461626462326234
 62383436646236303966666537393231643835663462373435396666366264646335663136613336
 33656230393465663265316166313163313366653861643039383062313966303837396539363732
 36616230383931353632653330623138393939353434363130616533303463353439316131373465
 32373430623065386464643164316566383837373838383062346361623637386662643435303831
 62663430336235306166323761316262383536363939366663323638623765343537616430386635
 65306561646639336462636462646266663034336462663730653032386138316365346262323836
 64363033353937363530383462373133666262613937383536623333386239653935366661623435
 33613462383732636538396134393537343538366562643832333034366438333439353637346363
 33663861323331636538313632366134626137636635323930363363323466383165353166303930
 66386139376139346232373263363262313638666231336564313333343430343837656439636262
 33336438646134393863306631636131633138653037626638633165636136663865666434323665
 39363632636531323633313434333432316136353762653561383230336566316462336664353431
 39333132633533393362313761363339393963393361343161353633346232376666353734306663
 35366366396533643430643863663665646139636465316630393665383532393337616662656530
 36333032633430363165333238666133633264363266336636373736313332306333376637393465
 32343265383933613231623431323364653238343464393164623631663166313830616165323131
 65643661363265386562616232613863343964386130323635323434613639623666633962663432
 31323131363661336233346331376466323635323234643037383238613830626130386131353464
 30633736346633353237636536303436633036316131636530656161323666303131636665383730
 39653135663538656337623334376463323834363866313964386366383936316164663863323031
 33663738653232636665
--- a/roles/horizon/templates/certs/merlin.hpc.rug.nl.key
+++ b/roles/horizon/templates/certs/merlin.hpc.rug.nl.key
@ -0,0 +1,89 @@
 $ANSIBLE_VAULT;1.1;AES256
 65336461353934306534356638306230323835396365363737626131663464643138336135373463
 3435343336346162383039313638303035346162393064660a646166383538633138346535646337
 32616265393438613266363930623031303866316161656261663634616533323035313132313339
 3131636330373734640a366466323366386338626365626665343266666333383966306165353637
 35393461343066363037373234313733363939353235373730373862316133653233363531356638
 33366339303366356439363664393463323037323162623061336462376461333936386666633637
 33666339303738663535626265376561646338613136616539336431366234616562363063323637
 39386261663964353763376232356466333235646332353564323862376663626530393737356361
 63633930633066613239333432306362303432666466616263376234626137386338613537613266
 66656532346161313966346233633236313538656638323762653766613032366662633237633138
 66363137346633353938633933303636323763383231626261373162656363636233653664313539
 36646162643337306131383737313162313162326634663766326335306232356133306665306465
 66613163623631333831623835373036303263343061376435666231393035356662383163656361
 32313636636432393362633662366638313565346561363736363638643034656133636362653233
 61643734376232643361613562383938623530663463616365396533623334646232643434626439
 36623034393564386362613631333137336637353464333634393630326662623033353366616266
 35373963316563346530333439633463613035613031383437393238333862613161373438396336
 38383466333364353236323830323533613636373332383432626164386134643866373530326139
 37306230326363313264303530346338613234336164636665353530393864393163343635656234
 32653731653330313732306461353133393536376433373732383432326236303833303032373436
 63353233396663343937363434623634646261393731653633383830396461386633643434383161
 62353031613532646263633437666331316435386437626439616637663664376566386662306235
 62343239613632643266396365313134393137353962363035633165306261336436363361356134
 65313631363232306364366366353132663864623533323566313238383237663532663165373563
 34333063393365633264343464333862343135323166353233616130666630666436363138393230
 31303461393861366532373963373837316238323435313266653466663138386434303232356463
 64663330383337656435346237613831333865363463313538623037336437616638363337356461
 38623236323134393639643135303939336564313732393861356332653330396430373262333763
 63303961633463616365356663626430613133386466626562636639323762333731363934393561
 39383263393964643639353963653063656565613532303264643431316439613032373130623162
 64363230306231383064363433623734326666323461656438623662346232353934633439313931
 34653330386564333934366134646163356234306462643061343964386164663461633733666563
 33643133613365373032656262366231336639303232346434333061343661323932333130316536
 61366563636265386633333164303539333565613039666563626434623234616135346664633364
 37373937323635643461386262326135666165363163396236623338356233656161303962373566
 35326139646466333934363964366536343439323864613066383435383435333037356362313565
 38326562393339613636303133333164336265646333396333666339383031663464303361366530
 35313033363931386633373566643866323939343765313030383330313830366432353331626339
 37376638326534323932363832373435376265653863633536333032313331356666386164663739
 33356235393537326136623038316434393166373865353461396566356566653835623765393337
 39353434316639313135383337343165353932383331313463366634336663303565316362623130
 39656664306336306662323161616630393234653530383133396463383236303931633635663133
 30333034303835373436353164613536303334633432356230303538373530343262386563623166
 31643036653833386332633933306439303463633163376231393936353665303637326132396332
 66653537343162623363346637333762636366636633316464646264396461303463356232343030
 30323735303535386363333833313966633463616161376633376265643336313765653933616466
 63373938366565376631346431623237326564366539326132393535343736336562376633613164
 38656631623339373263663638386531326136383338346438396438643435353033616365353333
 30386233383539626363343838323261653864633366653362656636623639653661653165346530
 65383732383038616639636335633337393333626336313838653261663733343861386464626638
 66366139396239326634383738373638643634613061393338353638396438333438616164356438
 37346265636535333163383835316334353836666163633166383135326232373936663365363663
 32643161363037666433313239336362303264356164626538643561306463636462643230623466
 62363033303638393137333334626162636465306661376635653664353631353930653165303131
 30326461353032616130643035323461656636373337346131303533656434393830613534656130
 62613939306233356363663661323439353466633565653666366130383861636565313834636230
 36313735316566663530643564663862386461366635666238323365343237373132346137613766
 64373830393664626165633339336266656465373662646661643032386161633339626236313130
 30373165373531626465373961363539313564636133363336376631326464303139643563636439
 63653838313637346132323331363232373234396664306365373435616432636164363464353335
 65663463396333303063626265313964616136316436316239393062646334323163663738313937
 36326230386664643434366332326139633537343630633936346637353732663266313865363538
 31343331653937396230383333653438383536646438373162616263626263636230633566626139
 32333862353066323537343930393832353838623038326666386637306239616662313237323935
 36306233303237383632656164656163313363616264643630333935393066633166303938393062
 61376335623361656461373731653465386233633666323236333737323165373931366263643961
 34313837383933623765346333626537323561326130323262333465653236353133366265623261
 35373734616436373738306636346363613632383636313333626562643638326333333435623437
 34306235306637393737653339303535353030353139653138373631336335323331373231663265
 63383533323739666262353731306439653537386436363137336364623635656266363733333630
 37666463646332373539623761656438383166633538636330316362326137333230653930623965
 64633431616137376230353133613833646235343161633931626661386438323434623831383737
 35393933386365353162333035393832616531636333623331646366343536373138613035396138
 38313366343737626662613266386265666465353332336230353430663031376336303263613863
 38303431666435363939636235313761656436653562643662323535346237333236326331393830
 65323061323263326461616539343364653961616538333436343431373639316439396638396361
 65393032623333353533643565393362346236383934623432386339396439326139333966383164
 38626663323261643865613365636634383331306463633838336530666163356234633564613961
 66326632393533306337613962653437333938316263656365343135626365656461323964326433
 63343430663837613162353661363338396166323766313933393535623332323932373063633963
 61383336313230653833323134303738366365356131366532663961643065393563346364316561
 35616137663837643964376337383531313334616465363038343461373630623236316332386466
 37363132333937313364643561616562623864623666313035313864643362653138393066326431
 35666565383036386464323166353333386337336666363966396535333232663231643666316130
 31376262393832313366663938653637656339663733313364616438636236383762353231666436
 61313563643262343164323830663063663764326132663139366538646536643031316163666662
 63333432653839363865346263343339623561373036393633363937616237313737366334633035
 63393661656138323936
--- a/roles/horizon/templates/horizon.service
+++ b/roles/horizon/templates/horizon.service
@ -0,0 +1,21 @@
 [Unit]
 Description=Openstack Horizon Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  -e "MEMCACHED_SERVER={{ hostvars[groups['memcached'][0]]['listen_ip'] | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}" \
  -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}" \
  --volume=/srv/horizon/certs:/certs \
  --add-host=keystone:{{ hostvars[groups['keystone'][0]]['listen_ip'] | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }} \
  -p 80:80 \
  -p 443:443 \
  {{ docker_image }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/keystone/files/Dockerfile
+++ b/roles/keystone/files/Dockerfile
@ -1,29 +0,0 @@
 # Build keystone. It needs to be run with
 # --add-host=mariadb:<ip mariadb listens tp>
 # Wen starting with an initialized db,
 # run keystone-manage db_sync from this docker first:
 # $ docker run hpc/keystone --add-host=mariadb:<ip mariadb> "keystone-manage db_sync"
 FROM ubuntu:16.04
 RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
 RUN set -x \
    && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \
    && apt-get -y update \
    && apt-get -y install \
    && apt-get -y install keystone python-openstackclient \
    && apt-get -y clean
 # set admin token TODO: make this a secret
 # in volume of met env
 ADD keystone.conf /etc/keystone/keystone.conf
 RUN mkdir /etc/keystone/fernet-keys
 RUN chown keystone: /etc/keystone/fernet-keys
 COPY admin-openrc.sh root/admin-openrc.sh
 #RUN keystone-manage db_sync
 CMD apachectl -DFOREGROUND
--- a/roles/keystone/files/keystone.conf
+++ b/roles/keystone/files/keystone.conf
@ -1,12 +0,0 @@
 [DEFAULT]
 verbose = true
 [database]
 connection = mysql+pymysql://keystone:keystone@mariadb/keystone
 [token]
 provider = fernet
 [identity]
 default_domain_id = default
--- a/roles/keystone/scripts/initialize_db.sh
+++ b/roles/keystone/scripts/initialize_db.sh
@ -1,6 +1,6 @@
 #!/bin/bash
 # Start a mariadb container to use its mysql client to initialize the keystone database.
-docker run -i mariadb:10.1.22 mysql -uroot -pgeheim --host "$1" << EOF
+docker run --rm -i mariadb:10.2 mysql -uroot -p"$MYSQL_ROOT_PASSWORD" --host "$DB_HOST" << EOF
 CREATE DATABASE IF NOT EXISTS keystone;
 GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
 GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@ -1,30 +1,41 @@
 # Build and install a docker image for keystone.
 ---
- include: ../common/tasks/docker.yml
+- name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
- name: Make build and persistent directories
+- name: Make persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
-      - /srv/keystone
+    - /srv
-      - /srv/keystone/fernet-keys
+    - /srv/keystone
    - /srv/keystone/fernet-keys
    - /srv/keystone/root
    - /srv/keystone/certs
    - /srv/keystone/shibboleth
- name: install Dockerfile
+- name: install ssl files
  copy:
    src: files
    dest: /srv/keystone
 - name: keystone credentials file
  template:
-      src: templates/admin-openrc.sh
+    src: templates/certs/{{ item }}
-      dest: /srv/keystone
+    dest: /srv/keystone/certs/{{ item }}
    mode: 400
  with_items:
    - merlin.hpc.rug.nl.key
    - merlin.hpc.rug.nl.crt
    - DigiCertCA.crt
- name: build keystone image
+- set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin:latest
 - name: pull docker image
  docker_image:
-    path: /srv/keystone
+    name: "{{ docker_image }}"
-    name: hpc/keystone
+    force: True
  tags: pull
 - name: install service file.
  template:
@ -37,28 +48,83 @@
 - name: install service file
  command: systemctl daemon-reload
- name: make sure service is started
+- name: start service at boot.
-  systemd:
+  command: systemctl reenable keystone.service
    name: keystone.service
    state: restarted
 - name: Initialize db
-  script: scripts/initialize_db.sh {{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}
+  script: scripts/initialize_db.sh
  environment:
    MYSQL_ROOT_PASSWORD: "{{ secrets['MYSQL_ROOT_PASSWORD'] }}"
    DB_HOST: "{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
  register: result
  until: result is succeeded
  # sometimes the initial connect fails.
  # Retry until it succeeds.
  retries: 7
  delay: 3
  ignore_errors: yes
- name: keystone manage commands to setup db
+- name: keystone manage commands to setup db_sync
  command: >
             /usr/bin/docker run --rm
-             --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}
+             --add-host=mariadb:{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}
             -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
-             hpc/keystone keystone-manage {{ item }}
+             -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
             {{ docker_image }} keystone-manage {{ item }}
  with_items:
      - db_sync
      - fernet_setup --keystone-user keystone --keystone-group keystone
      - credential_setup --keystone-user keystone --keystone-group keystone
      - >
-          bootstrap --bootstrap-password geheim
+          bootstrap --bootstrap-password {{ secrets['OS_PASSWORD'] }}
-                    --bootstrap-admin-url http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:35357/v3/
+                    --bootstrap-admin-url https://{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:35357/v3/
-                    --bootstrap-internal-url http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:35357/v3/
+                    --bootstrap-internal-url https://{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:35357/v3/
-                    --bootstrap-public-url http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:5000/v3/
+                    --bootstrap-public-url https://{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:5000/v3/
                    --bootstrap-region-id RegionOne
  # sometimes the initial connect fails.
  # Retry until it succeeds.
  retries: 7
  delay: 3
  ignore_errors: yes
 - name: make sure service is started
  systemd:
    name: keystone.service
    state: restarted
 - name: Create a domain, projects users and roles
  command: >
             /usr/bin/docker run --rm
             --add-host=mariadb:{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}
             -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
             -v /srv/keystone/root:/root
             -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
             -e "OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3"
             -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
             {{ docker_image }} bash /etc/bootstrap.sh
  register: result
  retries: 7
  delay: 3
 - name: install openstack repo key host.
  command: apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
  tags: openstackclient
 - name: install openstack repo on host.
  apt_repository:
      repo: "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main"
      filename: ocata
  tags: openstackclient
 - name: install openstack client for management
  apt:
    name: python-openstackclient
    state: latest
    update_cache: yes
  tags: openstackclient
 - name: source admin-openrc.sh in root .bashrc
  lineinfile:
    path: /root/.bashrc
    line: 'source /srv/keystone/root/admin-openrc.sh'
--- a/roles/keystone/templates/admin-openrc.sh
+++ b/roles/keystone/templates/admin-openrc.sh
@ -1,5 +1,7 @@
 export OS_PROJECT_DOMAIN_NAME=Default
 export OS_USER_DOMAIN_NAME=Default
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
-export OS_PASSWORD=geheim
+export OS_PASSWORD={{ hostvars[groups['keystone'][0]]['OS_PASSWORD'] }}
 export OS_AUTH_URL=http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:35357/v3
 export OS_IDENTITY_API_VERSION=3
--- a/roles/keystone/templates/certs/DigiCertCA.crt
+++ b/roles/keystone/templates/certs/DigiCertCA.crt
@ -0,0 +1,29 @@
 -----BEGIN CERTIFICATE-----
 MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
 b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
 EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
 MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
 DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
 Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
 lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
 VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
 85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
 mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
 AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
 CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
 Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
 aUNlcnRBc3N1cmVkSURSb290Q0EuY3J0MIGBBgNVHR8EejB4MDqgOKA2hjRodHRw
 Oi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVkSURSb290Q0EuY3Js
 MDqgOKA2hjRodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vRGlnaUNlcnRBc3N1cmVk
 SURSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxo
 dHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMB0GA1UdDgQWBBRn/YggFCeYxwnS
 JRm76VERY3VQYjAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzANBgkq
 hkiG9w0BAQsFAAOCAQEAqSg1esR71tonHqyYzyc2TxEydHTmQN0dzfJodzWvs4xd
 xgS/FfQjZ4u5b5cE60adws3J0aSugS7JurHogNAcyTnBVnZZbJx946nw09E02DxJ
 WYsamM6/xvLYMDX/6W9doK867mZTrqqMaci+mqege9iCSzMTyAfzd9fzZM2eY/lC
 J1OuEDOJcjcV8b73HjWizsMt8tey5gvHacDlH198aZt+ziYaM0TDuncFO7pdP0GJ
 +hY77gRuW6xWS++McPJKe1e9GW6LNgdUJi2GCZQfXzer8CM/jyxflp5HcahE3qm5
 hS+1NGClXwmgmkMd1L8tRNaN2v11y18WoA5hwnA9Ng==
 -----END CERTIFICATE-----
--- a/roles/keystone/templates/certs/merlin.hpc.rug.nl.crt
+++ b/roles/keystone/templates/certs/merlin.hpc.rug.nl.crt
@ -0,0 +1,125 @@
 $ANSIBLE_VAULT;1.1;AES256
 65356336313163323761363666626661373461653034313630353938616666323734663735343630
 3562356361313237623231366332343165613939393230310a613263373434396237633733613865
 38666637616264393237363366396232333664613732623332363136313163616432633366663537
 3135636261656133640a313661316538623765353063373134616663316237363536613761626637
 35316432633638303337343065623262643235356435633936356631383562363037656362316263
 33633136363933316334363965303138343462326536636162383838326138656133363034356561
 33623730626136373733376162663664303763613339343932613731653965313362623737373937
 33333966653538373664633763343239316537366332643135393033343235366564653765303738
 62633063636663343730323736643438323365383262656263326561663733666235623766313732
 39386366303366393339393935366238633966653738643637613266313231346632623535346139
 61343731643063646635623930626165623665343732383639353933313634313838336562303038
 31633532653361353765653836636162363761336338313535346537626432313562346430616232
 30613538326561326232623261623536363366353735323333653039306564616431323035366237
 33333661346437613466363236653463636234393730653765646463613535303439306463643764
 37306665353534393335366537643534383834633239646432373433613432663031363962633761
 33633765336164363165396634316163333739666264663864333632313462636338396339303138
 33333131343261643137373065636537366536336634633266373536633532363563666464306332
 39343136623063303061666564366135383339313866373666336364373663383266303364363437
 34383730393539376338383865373439386230393030633161646465366165343132373438306566
 34383965363366663435393032666366363739393739323335626438656632303266383661366433
 65376234383364313663663564333235303939363036303838393231303566343637346332376161
 30333331613738306338346539343762363562393966373963643964623331643036323935313165
 64626661363461656164626538313336306538666561646637616238643839336334633239393236
 63356139323433346335643031343930353937323333396332333735353861386265373633653532
 32313962616665343536663836326139316662653562373132633537386431356166643433366138
 37623534636264336437366462303266383836666333326333393831396466376132666265316533
 65663734653233666233373064326161643534353930393731313431643765383934353130613137
 66666663346536303363653562313139336333343133343938323030663432643161396538383966
 62646163396161373531663861333230393831333535343137343732393532336631393637383762
 66363632373938316536623161646339316236313966303737643632313839623730643364626266
 66643462663536356337653233353662363238346638396566363961643134613136353062633035
 37653833343032383937653530363331366632386261363661343131376539323335653439623830
 35316131663965353635643364396463346637346232313931326666316165653061346264663331
 63616265396463613666646438393133313865663338623436393466373134396230396561393431
 62353039633564393666373430663035313039633065323539373436323532363138333932633537
 65363338316663623934616130396661376163653636346630383531333263393265336461643363
 39366230613239313635366264303431663534666638663433323639613335376233313535666235
 36383566616532396630373763333566616232383538366163626463633530393165653032363433
 65343561323636616365656466623939383366366438646366393432303465353865623134383532
 35333435663831386130666238376531616362663134383366633736336337653763613135356138
 32336231333237656462383831663132316634313038373861356163663632336231383736316132
 37343430633432303462373664633761616635656462383935353731383431336265333734646166
 35376632383736383463353336383431613761626231356534313539666563633466313530666166
 39646462376236366466306139376238306236323337323463343733663439363631346135636564
 64666239613732326539313638633131333039623535366264383265616661663135343563333466
 34626632623932303630663161633437626532376463373135383131613663663432373233396163
 30666331366137316364376566616431366635613536623339616565623736323730336339653031
 38346335643132636231663837653639323230323238376466623034373763313531363930353335
 66356638666466303466653561626434383839626531333664633337333636333033666335383837
 35353837376130386532373961643962633361363831633632333133383738323436633836646537
 34323037313732386639383666326535383638333239363730383733363235623063626531326366
 33626366366231623638643836343339376361383562633933626332363432393265323335626436
 31613666633362643162616237383433633032366534303338313238626131353633396264333537
 61613166303639663366353539333832633263313333343662393533376437396438323135633865
 33383131363633343333646539386139306131623161633331393866393862383566333234386565
 37663334313039623763663361386531626131303262333063336437326633666438303334353035
 64376535666334623938343337663561636661386430313339633764323834323031303366666464
 31303237383333626433613534343337646134323364623763663062306439333464393366313262
 31386333663334373333393666383732333264383331376238653338333861383439353236303338
 37336466376538303234316663653262363162616439303065633263346139333439303732316632
 34646166313737393334303632326561373831646133376564323763633436323366326634613731
 63663033663338333833653766313938646239623038336430383739313034626663626261623531
 66363339656132643137303339633330653066643265303835356566303161393063383831613565
 35653165646165326531356634623532633964666132663339363334386465323565383732333130
 65613462363133616435633066356136353530383863613266353164616138363531313733636131
 64313166633236633835316239333730653437393064623735363234333663653362373136313361
 30623637393536653833373133346332363738343337633264376565653865633464363163366136
 31336561613333323036353937613764363237636463343461666266613435326239306238646666
 31393863346230663935363832633164663639383333343166373362383336366261656235393038
 63323632303166643837643539346465626435633935353230663262383135656230653934306335
 33333832323436663936613336393433666236363534646430666437646363303236363536666431
 65616332623561336461323632623664393031323637363263633334626232316638623565316632
 61376339323064366637353737396232313666316535333930663638656364396266353534363065
 38323664313435313035643866373535343937623331616136663232396635336463396432333363
 32343733613635313538366136393833623336653736353032366461636633393034303533353661
 31616631373238616566333662356137623139623964326130316235363137393338643930666364
 39306338616234326262373461336365653463636632336233303136363832616561633135323663
 39313839643730393730626139343338303631303066313433383438613730366434656161653936
 37313139626436666535356663396433333635343532303265306134316335613232313038333335
 34626136313933663463666334366466303939643334316261333161623239306632636561663463
 64636538643931623563666438333363303633316431323761643862613763626130383532346539
 31316565636363333331323630623337326133366263643638383339313330636162613666343432
 33666238663739333135363733363361356430643638336133343065366461373736376431373139
 61653231383735393838373731663932633139303362376164356635613130616362343835653536
 30376263376233303234343962663361333439623232636535366364396135356334633465363862
 66646564653061376632383235636330656236663563616166636339313738646166663235373330
 66646637376633616365373735326331313338353263613537386535343733346132663838336164
 31393863323266383563323263303233616533366434663332326530343264343364353839643363
 31643931663131633733666665623665663434666164346364366232313765333063613234393063
 64333333346431643837646139663937303437643830633131613864363663313633393932303538
 33303331613061663138373639396266343830646637306662653337323130313638303237306262
 61393238356633396361333866353838383630393038376133353133613732303061333137306662
 39306138393363626662353532386436333965656234366166383835393763633539346561636430
 65333231643266333732663366393164366234366131373636643034633361393935366236366237
 36616130666663353536336638346232616431333265393432303630663637656539323431633963
 39336564666135646261613361396339306332376131663639353431643564316136643336333466
 34653837316137656662303166623738616533376434316339653136376434623135363633333835
 39343366613265656537363332373862643662633264376432636434393464386666626365346466
 38326361343935363635373932396136363561363037333962303732303535356362383236653464
 37646563306235333863303935353431626133616330366566326531356331353137653165623062
 66636134393536656234323966363137613438306163366236623533373966333736633162623462
 62303463343963353535653462376561623230386563346631383161376434303464613231386165
 65376230396461336530366338356231363432356265376330623334363737383461626462326234
 62383436646236303966666537393231643835663462373435396666366264646335663136613336
 33656230393465663265316166313163313366653861643039383062313966303837396539363732
 36616230383931353632653330623138393939353434363130616533303463353439316131373465
 32373430623065386464643164316566383837373838383062346361623637386662643435303831
 62663430336235306166323761316262383536363939366663323638623765343537616430386635
 65306561646639336462636462646266663034336462663730653032386138316365346262323836
 64363033353937363530383462373133666262613937383536623333386239653935366661623435
 33613462383732636538396134393537343538366562643832333034366438333439353637346363
 33663861323331636538313632366134626137636635323930363363323466383165353166303930
 66386139376139346232373263363262313638666231336564313333343430343837656439636262
 33336438646134393863306631636131633138653037626638633165636136663865666434323665
 39363632636531323633313434333432316136353762653561383230336566316462336664353431
 39333132633533393362313761363339393963393361343161353633346232376666353734306663
 35366366396533643430643863663665646139636465316630393665383532393337616662656530
 36333032633430363165333238666133633264363266336636373736313332306333376637393465
 32343265383933613231623431323364653238343464393164623631663166313830616165323131
 65643661363265386562616232613863343964386130323635323434613639623666633962663432
 31323131363661336233346331376466323635323234643037383238613830626130386131353464
 30633736346633353237636536303436633036316131636530656161323666303131636665383730
 39653135663538656337623334376463323834363866313964386366383936316164663863323031
 33663738653232636665
--- a/roles/keystone/templates/certs/merlin.hpc.rug.nl.key
+++ b/roles/keystone/templates/certs/merlin.hpc.rug.nl.key
@ -0,0 +1,89 @@
 $ANSIBLE_VAULT;1.1;AES256
 65336461353934306534356638306230323835396365363737626131663464643138336135373463
 3435343336346162383039313638303035346162393064660a646166383538633138346535646337
 32616265393438613266363930623031303866316161656261663634616533323035313132313339
 3131636330373734640a366466323366386338626365626665343266666333383966306165353637
 35393461343066363037373234313733363939353235373730373862316133653233363531356638
 33366339303366356439363664393463323037323162623061336462376461333936386666633637
 33666339303738663535626265376561646338613136616539336431366234616562363063323637
 39386261663964353763376232356466333235646332353564323862376663626530393737356361
 63633930633066613239333432306362303432666466616263376234626137386338613537613266
 66656532346161313966346233633236313538656638323762653766613032366662633237633138
 66363137346633353938633933303636323763383231626261373162656363636233653664313539
 36646162643337306131383737313162313162326634663766326335306232356133306665306465
 66613163623631333831623835373036303263343061376435666231393035356662383163656361
 32313636636432393362633662366638313565346561363736363638643034656133636362653233
 61643734376232643361613562383938623530663463616365396533623334646232643434626439
 36623034393564386362613631333137336637353464333634393630326662623033353366616266
 35373963316563346530333439633463613035613031383437393238333862613161373438396336
 38383466333364353236323830323533613636373332383432626164386134643866373530326139
 37306230326363313264303530346338613234336164636665353530393864393163343635656234
 32653731653330313732306461353133393536376433373732383432326236303833303032373436
 63353233396663343937363434623634646261393731653633383830396461386633643434383161
 62353031613532646263633437666331316435386437626439616637663664376566386662306235
 62343239613632643266396365313134393137353962363035633165306261336436363361356134
 65313631363232306364366366353132663864623533323566313238383237663532663165373563
 34333063393365633264343464333862343135323166353233616130666630666436363138393230
 31303461393861366532373963373837316238323435313266653466663138386434303232356463
 64663330383337656435346237613831333865363463313538623037336437616638363337356461
 38623236323134393639643135303939336564313732393861356332653330396430373262333763
 63303961633463616365356663626430613133386466626562636639323762333731363934393561
 39383263393964643639353963653063656565613532303264643431316439613032373130623162
 64363230306231383064363433623734326666323461656438623662346232353934633439313931
 34653330386564333934366134646163356234306462643061343964386164663461633733666563
 33643133613365373032656262366231336639303232346434333061343661323932333130316536
 61366563636265386633333164303539333565613039666563626434623234616135346664633364
 37373937323635643461386262326135666165363163396236623338356233656161303962373566
 35326139646466333934363964366536343439323864613066383435383435333037356362313565
 38326562393339613636303133333164336265646333396333666339383031663464303361366530
 35313033363931386633373566643866323939343765313030383330313830366432353331626339
 37376638326534323932363832373435376265653863633536333032313331356666386164663739
 33356235393537326136623038316434393166373865353461396566356566653835623765393337
 39353434316639313135383337343165353932383331313463366634336663303565316362623130
 39656664306336306662323161616630393234653530383133396463383236303931633635663133
 30333034303835373436353164613536303334633432356230303538373530343262386563623166
 31643036653833386332633933306439303463633163376231393936353665303637326132396332
 66653537343162623363346637333762636366636633316464646264396461303463356232343030
 30323735303535386363333833313966633463616161376633376265643336313765653933616466
 63373938366565376631346431623237326564366539326132393535343736336562376633613164
 38656631623339373263663638386531326136383338346438396438643435353033616365353333
 30386233383539626363343838323261653864633366653362656636623639653661653165346530
 65383732383038616639636335633337393333626336313838653261663733343861386464626638
 66366139396239326634383738373638643634613061393338353638396438333438616164356438
 37346265636535333163383835316334353836666163633166383135326232373936663365363663
 32643161363037666433313239336362303264356164626538643561306463636462643230623466
 62363033303638393137333334626162636465306661376635653664353631353930653165303131
 30326461353032616130643035323461656636373337346131303533656434393830613534656130
 62613939306233356363663661323439353466633565653666366130383861636565313834636230
 36313735316566663530643564663862386461366635666238323365343237373132346137613766
 64373830393664626165633339336266656465373662646661643032386161633339626236313130
 30373165373531626465373961363539313564636133363336376631326464303139643563636439
 63653838313637346132323331363232373234396664306365373435616432636164363464353335
 65663463396333303063626265313964616136316436316239393062646334323163663738313937
 36326230386664643434366332326139633537343630633936346637353732663266313865363538
 31343331653937396230383333653438383536646438373162616263626263636230633566626139
 32333862353066323537343930393832353838623038326666386637306239616662313237323935
 36306233303237383632656164656163313363616264643630333935393066633166303938393062
 61376335623361656461373731653465386233633666323236333737323165373931366263643961
 34313837383933623765346333626537323561326130323262333465653236353133366265623261
 35373734616436373738306636346363613632383636313333626562643638326333333435623437
 34306235306637393737653339303535353030353139653138373631336335323331373231663265
 63383533323739666262353731306439653537386436363137336364623635656266363733333630
 37666463646332373539623761656438383166633538636330316362326137333230653930623965
 64633431616137376230353133613833646235343161633931626661386438323434623831383737
 35393933386365353162333035393832616531636333623331646366343536373138613035396138
 38313366343737626662613266386265666465353332336230353430663031376336303263613863
 38303431666435363939636235313761656436653562643662323535346237333236326331393830
 65323061323263326461616539343364653961616538333436343431373639316439396638396361
 65393032623333353533643565393362346236383934623432386339396439326139333966383164
 38626663323261643865613365636634383331306463633838336530666163356234633564613961
 66326632393533306337613962653437333938316263656365343135626365656461323964326433
 63343430663837613162353661363338396166323766313933393535623332323932373063633963
 61383336313230653833323134303738366365356131366532663961643065393563346364316561
 35616137663837643964376337383531313334616465363038343461373630623236316332386466
 37363132333937313364643561616562623864623666313035313864643362653138393066326431
 35666565383036386464323166353333386337336666363966396535333232663231643666316130
 31376262393832313366663938653637656339663733313364616438636236383762353231666436
 61313563643262343164323830663063663764326132663139366538646536643031316163666662
 63333432653839363865346263343339623561373036393633363937616237313737366334633035
 63393661656138323936
--- a/roles/keystone/templates/keystone.service
+++ b/roles/keystone/templates/keystone.service
@ -6,13 +6,18 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
-  --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
+  --add-host=mariadb:{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }} \
  -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}" \
  -p 5000:5000 -p 35357:35357 \
  -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys \
-  hpc/keystone
+  -v /srv/keystone/root:/root \
  -v /srv/keystone/certs:/certs \
  -v /srv/keystone/shibboleth/sp-key.pem:/etc/shibboleth/sp-key.pem \
  -v /srv/keystone/shibboleth/sp-cert.pem:/etc/shibboleth/sp-cert.pem \
  {{ docker_image }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/mariadb/files/galera.cnf
+++ b/roles/mariadb/files/galera.cnf
@ -0,0 +1,20 @@
 [mysqld]
 binlog_format=ROW
 default-storage-engine=innodb
 innodb_autoinc_lock_mode=2
 bind-address=0.0.0.0
 # Galera Provider Configuration
 wsrep_on=ON
 wsrep_provider=/usr/lib/galera/libgalera_smm.so
 # Galera Cluster Configuration
 wsrep_cluster_name="test_cluster"
 wsrep_cluster_address="gcomm://{{ ip_node0 }},{{ ip_node1 }},{{ ip_node2 }}"
 # Galera Synchronization Configuration
 wsrep_sst_method=rsync
 # Galera Node Configuration
 wsrep_node_address="{{ listen_ip | default(ansible_default_ipv4.address) }}"
 wsrep_node_name="{{ ansible_nodename }}"
--- a/roles/mariadb/files/my.cnf
+++ b/roles/mariadb/files/my.cnf
@ -42,7 +42,7 @@ long_query_time = 10
 expire_logs_days        = 10
 max_binlog_size         = 100M
 default_storage_engine  = InnoDB
-innodb_buffer_pool_size = <t_CO>M
+innodb_buffer_pool_size = 128M
 innodb_log_buffer_size  = 8M
 innodb_file_per_table   = 1
 innodb_open_files       = 400
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@ -1,29 +1,77 @@
 # Install a docker based mariadb.
 ---
- include: ../common/tasks/docker.yml
+- name: include secrets
- name: install service file.
+  include_vars:
-  template:
+    file: ../../secrets.yml
-    src: files/mysql.service
+    name: secrets
    dest: /etc/systemd/system/mysql.service
    mode: 644
    owner: root
    group: root
 - name: make mariadb settings volume
  file:
-    path: /srv/mariadb/etc/mysql
+    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
      - /srv/mariadb/lib/mysql
      - /srv/mariadb/etc/mysql
      - /srv/mariadb/etc/mysql/conf.d
 - name: place settings file
  copy:
    src: files/my.cnf
-    dest: /srv/mariadb/etc/mysql
+    dest: /srv/mariadb/etc/mysql/conf.d/my.cnf
    mode: 660
- command: systemctl daemon-reload
+- name: Set galara.cnf on node if we have at least three nodes.
  template:
    src: files/galera.cnf
    dest: /srv/mariadb/etc/mysql/conf.d/galera.cnf
    mode: 660
  when: groups['databases'] | length >= 3
  # This mimics galera_new_cluster.sh
 - name: Initialize a new cluster.
  block:
    - set_fact:
        mariadb_args: "--wsrep-new-cluster"
    - template:
        src: templates/mysql.service
        dest: /etc/systemd/system/mysql.service
        mode: 644
        owner: root
        group: root
    - command: systemctl daemon-reload
    - systemd:
        name: mysql.service
        state: started
  when: groups['databases'] | length >= 3 and ansible_hostname == hostname_node0
 - name: install service file.
  block:
    - set_fact:
        mariadb_args: ""
    - template:
        src: templates/mysql.service
        dest: /etc/systemd/system/mysql.service
        mode: 644
        owner: root
        group: root
 - name: Give the master node some time to initialize the cluster.
  command: bash -c "sleep 60 && systemctl daemon-reload"
 - name: make sure service is started
  systemd:
    name: mysql.service
    state: started
 - name: start service at boot.
  command: systemctl reenable mysql.service
 - name: Give the cluster some time to initialize replication.
  command: bash -c "sleep 60 && systemctl daemon-reload"
  when: groups['databases'] | length >= 3
--- a/roles/mariadb/templates/mysql.service
+++ b/roles/mariadb/templates/mysql.service
@ -6,13 +6,14 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker kill %n || /bin/true
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStartPre=/usr/bin/docker pull mariadb:10.2
-ExecStart=/usr/bin/docker run  -p 3306:3306 --name %n \
+ExecStart=/usr/bin/docker run --name %n \
 --network host \
 -v /srv/mariadb/lib/mysql:/var/lib/mysql \
- -v /srv/mariadb/etc/mysql:/etc/mysql \
+ -v /srv/mariadb/etc/mysql/conf.d:/etc/mysql/conf.d \
- -e MYSQL_ROOT_PASSWORD=geheim mariadb:10.2
+ -e MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }} mariadb:10.2 {{ mariadb_args }}
 [Install]
 WantedBy=multi-user.target
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@ -1,6 +1,5 @@
 # Install a docker based mariadb.
 ---
 - include: ../common/tasks/docker.yml
 - name: install service file.
  template:
    src: files/memcached.service
@ -8,8 +7,13 @@
    mode: 644
    owner: root
    group: root
 - name: install service file
  command: systemctl daemon-reload
 - name: start service at boot.
  command: systemctl reenable memcached.service
 - name: make sure service is started
  systemd:
    name: memcached.service
--- a/roles/neutron-controller/tasks/main.yml
+++ b/roles/neutron-controller/tasks/main.yml
@ -0,0 +1,66 @@
 # Build and install a docker image for neutron-controller.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
 - set_fact:
    docker_image: "registry.webhosting.rug.nl/hpc/openstack-neutron-controller-merlin:latest"
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
    force: True
  tags: pull
 - set_fact:
    env_vars: >
        -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MEMCACHED_HOST={{ listen_ip | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}"
        -e "METADATA_SECRET={{ secrets['METADATA_SECRET'] }}"
        -e "MY_IP={{ listen_ip | default(hostvars[groups['neutron-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_HOST={{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
        -e "NEUTRON_PASSWORD={{ secrets['NEUTRON_PASSWORD'] }}"
        -e "NEUTRON_USER=neutron"
        -e "NOVA_USER=nova"
        -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}"
        -e "NOVA_CONTROLLER_HOST={{ listen_ip | default(hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "NOVA_PLACEMENT_PASSWORD={{ secrets['NOVA_PLACEMENT_PASSWORD'] }}"
        -e "NOVA_PLACEMENT_USER=placement"
        -e "OVERLAY_IP={{ overlay_ip }}"
        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
        -e "PHYSICAL_INTERFACE_MAPPINGS={{ physical_interface_mappings }}"
        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
        -e "RABBIT_USER=openstack"
  tags: env
 - name: install service file.
  template:
    src: templates/neutron-controller.service
    dest: /etc/systemd/system/neutron-controller.service
    mode: 644
    owner: root
    group: root
 - command: systemctl daemon-reload
 - name: start service at boot.
  command: systemctl reenable neutron-controller.service
 - name: Initialize neutron
  command: >
    /usr/bin/docker run --rm
    {{ env_vars }}
    --add-host=mariadb:{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}
    --add-host=keystone:{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}
    --network host
    {{ docker_image }}
    /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: neutron-controller.service
    state: restarted
--- a/roles/neutron-controller/templates/neutron-controller.service
+++ b/roles/neutron-controller/templates/neutron-controller.service
@ -0,0 +1,24 @@
 [Unit]
 Description=Openstack neutron-controller Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  {{ env_vars | replace('\n', '') }} \
  --add-host=nova-controller:{{ hostvars[groups['nova-controller'][0]]['listen_ip'] | default(hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address']) }} \
  --add-host=mariadb:{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }} \
  --add-host=keystone:{{ hostvars[groups['keystone'][0]]['listen_ip'] | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }} \
  --add-host={{ ansible_nodename }}:{{ ansible_default_ipv4.address }} \
  --privileged \
  --network host \
  -v /lib/modules:/lib/modules \
  -v /var/run/netns:/var/run/netns \
  {{ docker_image }} /etc/run.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/nova-compute/files/ceph.client.compute.keyring
+++ b/roles/nova-compute/files/ceph.client.compute.keyring
--- a/roles/nova-compute/files/ceph.conf
+++ b/roles/nova-compute/files/ceph.conf
@ -0,0 +1,14 @@
 [global]
 fsid = ef0b40a2-bc8c-4432-9cde-0ca7c82c8717
 mon_initial_members = merlin-managementnode002
 mon_host = 172.23.59.102
 auth_cluster_required = cephx
 auth_service_required = cephx
 auth_client_required = cephx
 # Your network address
 public network = 172.23.59.0/24
 osd pool default size = 2
 [client.compute]
 keyring = /etc/ceph/ceph.client.compute.keyring
--- a/roles/nova-compute/files/uuid
+++ b/roles/nova-compute/files/uuid
@ -0,0 +1 @@
 b5044271-1918-4070-822c-f19ed14d7494
--- a/roles/nova-compute/tasks/main.yml
+++ b/roles/nova-compute/tasks/main.yml
@ -0,0 +1,81 @@
 # Build and install a docker image for nova-controller.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
  tags: vars
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-nova-compute-merlin:latest
  tags: vars
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
    force: True
  tags: pull
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
    - /srv/nova-compute
    - /srv/nova-compute/etc/ceph
 - name: copy ceph-client configurationfile
  copy:
    src: files/ceph.conf
    dest: /srv/nova-compute/etc/ceph/ceph.conf
    mode: 0644
 - name: copy ceph-client-keyring
  copy:
    src: files/ceph.client.compute.keyring
    dest: /srv/nova-compute/etc/ceph/ceph.client.compute.keyring
    mode: 0644
 - name: install service file.
  template:
    src: templates/nova-compute.service
    dest: /etc/systemd/system/nova-compute.service
    mode: 644
    owner: root
    group: root
  tags: systemd
 #- name: set ceph client keyring
 #  copy:
 #    content: "{{ceph_compute_client_keyring}}"
 #    dest: /srv/nova-compute/etc/ceph
 #  when: use_ceph
 - command: systemctl daemon-reload
  tags: systemd
 - apt:
    name: "{{ item }}"
  with_items:
    - kvm
    - libvirt0
    - libvirt-bin
    - qemu
 - name: make sure service is started
  systemd:
    name: nova-compute.service
    state: restarted
 - name: start service at boot.
  command: systemctl reenable nova-compute.service
 - name: let nova controler discover new host
  shell: "sleep 10 && docker exec -i nova-controller.service nova-manage cell_v2 discover_hosts"
  delegate_to: "{{ hostvars[groups['nova-controller'][0]]['ansible_hostname'] }}"
  register: result
  until: result is succeeded
  retries: 7
  delay: 3
  ignore_errors: yes
--- a/roles/nova-compute/templates/nova-compute.service
+++ b/roles/nova-compute/templates/nova-compute.service
@ -0,0 +1,56 @@
 [Unit]
 Description=Openstack nova-compute Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
    -e "GLANCE_CONTROLLER_HOST={{ hostvars[groups['glance-controller'][0]]['listen_ip'] | default(hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "METADATA_SECRET={{ secrets['METADATA_SECRET'] }}" \
    -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['listen_ip'] | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "MY_IP={{ listen_ip | default(ansible_default_ipv4.address) }}" \
    -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}" \
    -e "NEUTRON_CONTROLLER_HOST={{ hostvars[groups['neutron-controller'][0]]['listen_ip'] | default(hostvars[groups['neutron-controller'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "NEUTRON_PASSWORD={{ secrets['NEUTRON_PASSWORD'] }}" \
    -e "NEUTRON_USER=neutron" \
    -e "NOVA_COMPUTE_USER=nova_compute" \
    -e "NOVA_CONTROLLER_HOST={{ hostvars[groups['nova-controller'][0]]['listen_ip'] | default(hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}" \
    -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}" \
    -e "NOVA_PLACEMENT_PASSWORD={{ secrets['NOVA_PLACEMENT_PASSWORD'] }}" \
    -e "NOVA_PLACEMENT_USER=placement" \
    -e "NOVA_USER=nova" \
    -e "OVERLAY_IP={{ overlay_ip }}" \
    -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}" \
    -e "PHYSICAL_INTERFACE_MAPPINGS={{ physical_interface_mappings }}" \
    -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['listen_ip'] | default(hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address']) }}" \
    -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}" \
    -e "RABBIT_USER=openstack" \
    -e "USE_CEPH={{ use_ceph }}" \
    -e "MON_INITIAL_MEMBERS={{ ceph_mon_initial_members }}" \
    -e "MON_HOST={{ ceph_mon_host }}" \
    -e "PUBLIC_NETWORK={{ ceph_public_network }}" \
    -e "OSD_POOL_DEFAULT_SIZE={{ ceph_osd_pool_default_size }}" \
    -e "RBD_SECRET_UUID={{ secrets['NOVA_RBD_SECRET_UUID'] }}" \
    --add-host=keystone:{{ hostvars[groups['keystone'][0]]['listen_ip'] | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }} \
    --add-host=mariadb:{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }} \
    --privileged \
    -v /dev:/dev \
    -v /var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock \
    -v /var/lib/nova/instances:/var/lib/nova/instances \
    -v /var/run/netns:/var/run/netns \
    -v /lib/modules:/lib/modules \
    -v /etc/machine-id:/etc/machine-id \
    -v /etc/ceph:/etc/ceph \
    -v /etc/hosts:/etc/hosts \
    --network host \
    {{ docker_image }} /etc/run.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/nova-controller/tasks/main.yml
+++ b/roles/nova-controller/tasks/main.yml
@ -0,0 +1,73 @@
 # Build and install a docker image for nova-controller.
 ---
 - name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
 - name: Make persistent directories
  file:
    path: "{ item }}"
    state: directory
    mode: 0777
  with_items:
    - /srv/nova-controller
    - /srv/nova-controller/root
 - set_fact:
    docker_image: registry.webhosting.rug.nl/hpc/openstack-nova-service-merlin:latest
    env_vars: >
        -e "GLANCE_CONTROLLER_HOST={{ listen_ip | default(hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
        -e "METADATA_SECRET={{ secrets['METADATA_SECRET'] }}"
        -e "MEMCACHED_HOST={{ listen_ip | default(hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MY_IP={{ listen_ip | default(ansible_default_ipv4.address) }}"
        -e "MYSQL_HOST={{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
        -e "NEUTRON_CONTROLLER_HOST={{ hostvars[groups['neutron-controller'][0]]['listen_ip'] | default(hostvars[groups['neutron-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "NEUTRON_PASSWORD={{ secrets['NEUTRON_PASSWORD'] }}"
        -e "NEUTRON_USER=neutron"
        -e "NOVA_CONTROLLER_HOST={{ listen_ip | default(hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address']) }}"
        -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}"
        -e "NOVA_PLACEMENT_PASSWORD={{ secrets['NOVA_PLACEMENT_PASSWORD'] }}"
        -e "NOVA_PLACEMENT_USER=placement"
        -e "NOVA_USER=nova"
        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
        -e "RABBIT_USER=openstack"
  tags: facts
 - name: pull docker image
  docker_image:
    name: "{{ docker_image }}"
    force: True
  tags: pull
 - name: install service file.
  template:
    src: templates/nova-controller.service
    dest: /etc/systemd/system/nova-controller.service
    mode: 644
    owner: root
    group: root
 - command: systemctl daemon-reload
 - name: start service at boot.
  command: systemctl reenable nova-controller.service
 - name: Initialize database.
  command: >
    /usr/bin/docker run --rm
    {{ env_vars }}
    --add-host=mariadb:{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}
    --add-host=keystone:{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}
    -v /srv/nova-controller/root:/root
    {{ docker_image }}
    /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: nova-controller.service
    state: restarted
--- a/roles/nova-controller/templates/nova-controller.service
+++ b/roles/nova-controller/templates/nova-controller.service
@ -0,0 +1,24 @@
 [Unit]
 Description=Openstack nova-controller Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  {{ env_vars | replace('\n', '') }} \
  --add-host=mariadb:{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }} \
  --add-host=keystone:{{ hostvars[groups['keystone'][0]]['listen_ip'] | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }} \
  --privileged \
  -v /srv/nova-controller/root:/root \
  -p 8774:8774 \
  -p 8775:8775 \
  -p 8778:8778 \
  -p 6080:6080 \
  {{ docker_image }} /etc/run.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/nova-management/tasks/main.yml
+++ b/roles/nova-management/tasks/main.yml
@ -1,48 +0,0 @@
 # Build and install a docker image for nova-controller.
 ---
 - include: ../common/tasks/docker.yml
 - name: Make build and persistent directories
  file:
    path: "{{ item }}"
    state: directory
    mode: 0777
  with_items:
      - /srv/nova-controller
 # Todo: remove this when we have a docker repo
 # Disabled because of https://github.com/ansible/ansible/issues/20653
 #- name: clone docker-glance repo
 #  git:
 #    accept_hostkey: True
 #    repo: ssh://git@git.webhosting.rug.nl:222/HPC/docker-nova-service
 #    dest: /srv/docker-nova-service
 - name: build nova-controller image
  docker_image:
    path: /srv/docker-nova-service
    name: hpc/novacontroller
 - name: install service file.
  template:
    src: templates/nova-controller.service
    dest: /etc/systemd/system/nova-controller.service
    mode: 644
    owner: root
    group: root
 - command: systemctl daemon-reload
 - name: Initialize database.
  command: >
    /usr/bin/docker run --rm
    --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}
    --add-host=controller:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}
    hpc/novacontroller
    /etc/bootstrap.sh
  tags: bootstrap
 - name: make sure service is started
  systemd:
    name: nova-controller.service
    state: restarted
--- a/roles/nova-management/templates/nova-controller.service
+++ b/roles/nova-management/templates/nova-controller.service
@ -1,19 +0,0 @@
 [Unit]
 Description=Openstack nova-controller Container
 After=docker.service
 Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
 ExecStartPre=-/usr/bin/docker stop %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
  --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
  --add-host=controller:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }} \
  -p 8774:8774 \
  -p 8778:8778 \
  hpc/novacontroller /etc/run.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/rabbitmq/files/rabbitmq.service
+++ b/roles/rabbitmq/files/rabbitmq.service
@ -2,20 +2,22 @@
 Description=rabbitmq Container
 After=docker.service
 Requires=docker.service
- 
+
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStartPre=/usr/bin/docker pull rabbitmq:latest
 ExecStart=/usr/bin/docker run \
-          --add-host ansible-test:172.23.38.125 --add-host ansible-test-2:172.23.38.127 --add-host ansible-test-3:172.23.38.128 \
+{% for host in groups['rabbitmq'] %}
          --add-host "{{ host }}:{{ hostvars[host]['listen_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}" \
 {% endfor %}
          -p 4369:4369 -p 25679:25679 -p 25672:25672 -p 5671-5672:5671-5672 -p 8080:15672 \
-          -e "RABBITMQ_DEFAULT_USER=user" -e "RABBITMQ_DEFAULT_PASS=password" \
+          -e "RABBITMQ_DEFAULT_USER=openstack" -e "RABBITMQ_DEFAULT_PASS={{ secrets['RABBIT_PASSWORD'] }}" \
-          -e "RABBITMQ_ERLANG_COOKIE=IHyW9HpfbXRL+pZkhGd8pA==" \
+          -e "RABBITMQ_ERLANG_COOKIE={{ secrets['RABBITMQ_ERLANG_COOKIE'] }}" \
          -e "RABBITMQ_NODENAME=rabbit_{{ ansible_nodename }}" \
-          --hostname "{{ansible_nodename}}" --name %n rabbitmq:3-management
+          --hostname "{{ ansible_nodename }}" --name %n rabbitmq:3-management
- 
+
 [Install]
 WantedBy=multi-user.target
--- a/roles/rabbitmq/tasks/main.yml
+++ b/roles/rabbitmq/tasks/main.yml
@ -1,6 +1,10 @@
 # Install a docker based rabbitMQ.
 ---
- include: ../common/tasks/docker.yml
+- name: include secrets
  include_vars:
    file: ../../secrets.yml
    name: secrets
 - name: install service file.
  template:
    src: files/rabbitmq.service
@ -8,9 +12,28 @@
    mode: 644
    owner: root
    group: root
 - name: install service file
  command: systemctl daemon-reload
 - name: start service at boot.
  command: systemctl reenable rabbitmq.service
 - name: make sure service is started
  systemd:
    name: rabbitmq.service
    state: started
 - name: wait for container to be started
  wait_for:
      port: 5672
      delay: 5
 - name: setup the cluster
  command: "docker exec -i rabbitmq.service {{ item }}"
  with_items:
      - rabbitmqctl stop_app
      - "rabbitmqctl join_cluster rabbit_{{ hostname_node0 }}@{{ hostname_node0 }}"
      - rabbitmqctl start_app
  when: ansible_nodename != hostname_node0
--- a/secrets.yml
+++ b/secrets.yml
@ -0,0 +1,42 @@
 $ANSIBLE_VAULT;1.1;AES256
 65633261656530663035316431306465633266376462653564613237663833333630663333643764
 6434623237626630356632313933323637316535636235330a323266636338326361343938343931
 63356362343538393030663864663363373633303231643233616563616537376239663337306464
 3164666366623639630a646633636134316561376137646632336139323265636366343938613062
 32663934633366623664636364396130333463366535333336303962633663666432623365356537
 65616339633433623761626537666131646365373334316237663839613264393564353230666134
 63386439323966343065666138636436643433363931373766363632653661363031303138646632
 61646437316265376539333661356239386533663533643864376263653237313533616263666563
 65306465313362396235393366363532353932383633623832393161323265373065326432656338
 34613761373230396332393239323733383937363339373438326434393030646231376531663963
 32623664303935623334326532383334343466613133623532363062396363626262396135626663
 35636636623833623165386137383664633561646630613930333061333466343831376332366266
 65353030383461623665653362613863646331633036616637643838666231653438636332376132
 30356433623662616430353265386632306564326633616538306632386465343636633538623263
 30366139366638613564333532333733383364323063376638613063346665663965356439636636
 32613035653134663733633731356530303338353030333532323762653864616230643931363032
 35653962373030663164383666316636616639666431656638653064303433613431636263333636
 65666138626563653538626164646265373766643131646162343366353835643031663866666137
 39363232616632323035643432626639323233333930646230613732386163383133383964623133
 33623663663130323737646133353139353833653138636338636336656562313639626162646531
 32353331333163373366616666356539306238653865616435633734393966333765313134616338
 34623337623739333439656638303363323534333165303861363334646137373037653665323961
 61623632373330323835653232353961663931326535356162656164616132623437636330653161
 65623861396665386331653734373334663532393731656430333933326264323133396463653239
 33383662303031356564666531613731663166613061383039393431643530656665306339326436
 65303063363163643362643163366365346230643936643231616530373763333536363838656130
 39326235373835326635306366653864316534663061323062376666666466363434363661623636
 31626332643839346138326336353665363838346535373335656466336665613265633461663134
 31323838336465366236353932646330333562363063616437633365353433303962346231663939
 31343133343336343431643564393839373139623365386330623665383264646163396438626539
 38343464343736363936636139653965303731353330653963383465633037633237383064396162
 33363864336235346663616230636633353361613138333236393866316165666162656565383739
 38653233346135373661613739393735343535623230653739316433376165663932366233643431
 39383261623065353932386632646134383136393664306465326637366639666433386162393237
 63663063656461653233643665306366653965393737376532356132623333383337333266316339
 33323934623734353639643330383066313632623166306337323932323933393536366361616564
 33303830333430663233336662353631663633303136346366376163353235303363326165306131
 62393166633232343065663062646435363563313961396132303737343263363363613137636236
 31316464613164353233366364306136663735343361333335353564666131396332643461303966
 65316339616166343232613632363030386432656339623363356661323163353563326238633863
 6431
--- a/secrets.yml.topol
+++ b/secrets.yml.topol
@ -0,0 +1,13 @@
 ---
 GLANCE_PASSWORD:
 METADATA_SECRET:
 MYSQL_ROOT_PASSWORD:
 NEUTRON_PASSWORD:
 NOVA_PASSWORD:
 NOVA_PLACEMENT_PASSWORD:
 OS_PASSWORD:   # Keystone admin password
 OS_DEMO_PASSWORD: # Keystone demo user password
 RABBIT_PASSWORD:
 RABBITMQ_ERLANG_COOKIE:
 CINDER_PASSWORD:
 HEAT_PASSWORD:
--- a/set_ceph_secrets.yml
+++ b/set_ceph_secrets.yml
@ -0,0 +1,17 @@
 ---
 - hosts: nova-compute
  become: true
  tasks:
    - copy:
        src: ceph.xml
        dest: /root/ceph.xml
        mode: 0644
    - name: include secrets
      include_vars:
        file: secrets.yml
        name: secrets
    - command: virsh secret-define --file /root/ceph.xml
    - command: >
          virsh secret-set-value --secret d0db6ba7-a0c9-4da6-b0bc-aa7846325333
          --base64 {{ secrets['ceph_client_volumes_key'] }}
--- a/settings.yml
+++ b/settings.yml
@ -0,0 +1,14 @@
 ---
 - allocation_pool:
    start: 172.23.128.50
    end: 172.23.128.249
 - dns_nameserver: 129.125.4.6
 - gateway: 172.23.128.250
 - subnet_range: 172.23.128.0/24
 - rsa_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDStPUPXkcu81onUm/le54JCu174yXJJDsthDr96Mv8irBVBWuy5FxnaASuDpmC4QE4s0UAIg1iq/SWrr8qdBQ4OVuYFiW0S7ZJvcoKr/40Wh+T5MeltGQfmkDp6kBsfaMSo6M4tF1c8i+XgOgxb4fxHYb8mFhseztRLx6McxJJJLB0nu+T12WQ01nl0XtwD+3EsZWfxRH0KA59VHZSe3Anc5z+Fm7WU+1Vzy6/pkiIhVReI1L6VVhZsIdSu3fQK6fHQcujtfuw6RKEpisZQqnxMUviWQ98yeQXHk6Nx840WCh3vvKveEAoC4Y/UEZa1TMe6PczfUaLjaidUkpulJsP egon@egon-pc
 - use_ceph: True
--- a/site.yml
+++ b/site.yml
@ -1,6 +1,15 @@
 ---
 - include: common.yml
 - include: database.yml
 - include: dockerregistry.yml
 - include: mariadb.yml
 - include: rabbitmq.yml
 - include: memcached.yml
 - include: mariadb.yml
 - include: keystone.yml
 - include: glance-controller.yml
 - include: nova-controller.yml
 - include: neutron-controller.yml
 - include: cinder-controller.yml
 - include: cinder-storage.yml
 - include: nova-compute.yml
 - include: horizon.yml
 - include: heat.yml
 - include: post-install.yml
--- a/48
+++ b/48
@ -0,0 +1,48 @@
 [databases]
 openstack-test05
 openstack-test06
 openstack-test07
 [keystone]
 openstack-test05
 [glance-controller]
 openstack-test05
 [horizon]
 openstack-test05
 [rabbitmq]
 openstack-test05
 openstack-test06
 openstack-test07
 [memcached]
 openstack-test05
 [neutron-controller]
 openstack-test05 physical_interface_mappings=provider:enp4s0f0
 [nova-controller]
 openstack-test05
 [cinder-controller]
 openstack-test05
 [heat]
 openstack-test05
 [cinder-storage]
 openstack-test05 storage_volume=/dev/openstack-test05-vg/cinder
 openstack-test06 storage_volume=/dev/openstack-test06-vg/cinder
 openstack-test07 storage_volume=/dev/openstack-test07-vg/cinder
 openstack-test08 storage_volume=/dev/openstack-test08-vg/cinder
 openstack-test09 storage_volume=/dev/openstack-test09-vg/cinder
 openstack-test10 storage_volume=/dev/openstack-test10-vg/cinder
 [nova-compute]
 openstack-test06 physical_interface_mappings=provider:enp4s0f0
 openstack-test07 physical_interface_mappings=provider:enp4s0f0
 openstack-test08 physical_interface_mappings=provider:enp4s0f0
 openstack-test09 physical_interface_mappings=provider:enp4s0f0
 openstack-test10 physical_interface_mappings=provider:enp4s0f0
--- a/ubuntucloudrepo.yml
+++ b/ubuntucloudrepo.yml
@ -0,0 +1,18 @@
 ---
 - hosts: all
  name: Dummy to gather facts
  become: true
  tasks:
      - name: install openstack repo key host.
        command: apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
        tags: openstackclient
      - name: install openstack repo on host.
        apt_repository:
            repo: "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main"
            filename: ocata
        tags: openstackclient
      - apt:
          update_cache: yes
Author	SHA1	Message	Date
Egon Rijpkema	471d22ba03	Without host mode the docker container id is referenced in volume name.	2018-12-14 15:58:11 +01:00
Egon Rijpkema	4911ae69a1	hack that has apparently become nessecary	2018-11-27 14:33:29 +01:00
Egon Rijpkema	584da4f141	make p number visible	2018-11-27 13:52:47 +01:00
Egon Rijpkema	82b408e3ee	fixed syntaxerror	2018-11-22 13:51:42 +01:00
Egon Rijpkema	9d6db2c26b	Login to docker repo is now needed.	2018-11-22 13:35:03 +01:00
Egon Rijpkema	8aff8d97e1	Fixed duplicate key name (That's not proper yaml)	2018-10-25 10:24:33 +02:00
Egon Rijpkema	5cbab0e12a	Heat also needs a separate docker. This is needed because it needs to connect to a https endpoint and another hostfile entry is needed.	2018-10-08 16:46:06 +02:00
Egon Rijpkema	1d56769405	Better security for machine that runs horizon.	2018-10-03 13:47:08 +02:00
Egon Rijpkema	efd914de40	Allow ping and ssh by default.	2018-09-26 15:33:28 +02:00
Egon Rijpkema	75c3a5da4e	Merge branch 'feature/federated-merlin' into merlin	2018-09-26 14:40:07 +02:00
Egon Rijpkema	87514a5705	Changes for federated login on merlin. Not yet working.... Add ssl keystone endpoints Add ssl keystone endpoints use fqdn for keystone everywhere. Iadded certs for horizon. Also increased yield of nuke.yml	2018-09-26 14:39:44 +02:00
Egon Rijpkema	89910a1dba	Fixed syntax error.	2018-09-20 13:45:02 +02:00
Egon Rijpkema	5758bbb7f7	We have a separate cinder-controller for merlin.	2018-09-17 13:45:13 +02:00
Egon Rijpkema	5ab3e6565e	Make systemd unit file install .. without running other tasks	2018-09-17 13:40:50 +02:00
Egon Rijpkema	11f660a51f	add rbd secret uuid cinder controller	2018-09-17 13:28:49 +02:00
Egon Rijpkema	aba7e1fd43	make rbd secrets a variable secret to be set here.	2018-09-13 16:12:26 +02:00
Egon Rijpkema	1b84feb5ed	\d needs to be escaped	2018-09-11 15:49:48 +02:00
Wim Nap	de998c6794	some changes	2018-09-11 10:50:06 +02:00
Egon Rijpkema	fa66218193	Removing old vxlan interfaces in nuke.	2018-08-09 13:52:04 +02:00
Egon Rijpkema	ca112f6977	Added floating ip for interface machine.	2018-07-31 15:11:36 +02:00
Egon Rijpkema	0796ce6311	Syntax fixes: launched a cluster..	2018-07-31 14:36:15 +02:00
Egon Rijpkema	5b3e950e70	See https://ask.openstack.org/en/question/110271/error-unicode-object-has-no-attribute-get-heat/	2018-07-31 13:44:25 +02:00
Egon Rijpkema	aca5d696ad	Made more things variable.	2018-07-31 13:36:31 +02:00
Egon Rijpkema	4885b488fd	Template for small cluster with its own network.	2018-07-30 15:03:58 +02:00
Egon Rijpkema	a66adc2524	Now it shoudl work... really...	2018-07-26 14:50:30 +02:00
Egon Rijpkema	c6b640febd	Double source	2018-07-26 13:26:54 +02:00
Egon Rijpkema	4614ef373c	Forgot hyphen	2018-07-26 13:26:10 +02:00
Egon Rijpkema	26670534a6	adding cirros image	2018-07-25 14:47:07 +02:00
Wim Nap	f5c3261b68	changed client.volumes.key string in secrets.yml	2018-07-25 14:17:58 +02:00
Wim Nap	ac271c2e4e	removed undefined from create virsh secrets	2018-07-25 11:51:11 +02:00
Wim Nap	7d1c3b7de7	changed subnet for provider-network	2018-07-25 10:39:46 +02:00
Egon Rijpkema	ca1dae370e	Added missing undefine	2018-07-23 15:20:16 +02:00
Egon Rijpkema	2bcbd452e6	Copy the required ceph.xml.	2018-07-23 13:38:04 +02:00
Egon Rijpkema	1f1679fef1	Crude playbook to set virsh ceph secrets.	2018-07-23 13:32:52 +02:00
Egon Rijpkema	624326aaef	Get rid of deprication warnings	2018-07-20 11:49:20 +02:00
Egon Rijpkema	4933956416	re-enabled post install	2018-07-20 11:02:10 +02:00
Egon Rijpkema	38936554bd	We actually need the merlin images It's needed for ceph, for instance Revert "Reverting to standard docker images" This reverts commit `3083a84b19`.	2018-07-20 10:07:15 +02:00
Egon Rijpkema	3083a84b19	Reverting to standard docker images	2018-07-19 16:35:07 +02:00
Egon Rijpkema	c49db46a4d	Create vlan985 subnet like in gearshift	2018-07-19 15:42:19 +02:00
Egon Rijpkema	b4d9eed775	This step sometimes fails inexplicably ..and succeeds on retry.	2018-07-19 15:06:12 +02:00
Egon Rijpkema	50d5c672d0	This makes a neutron net-list possible as well as a openstack network list.	2018-07-19 13:59:55 +02:00
Egon Rijpkema	e9c62529ad	Cleanup network namespaces (vxlans)	2018-07-19 13:19:25 +02:00
Egon Rijpkema	3369b5d9d9	added virsh destroy to nuke	2018-07-18 14:05:27 +02:00
Egon Rijpkema	0b92467965	Bind mounting /var/run/netns After reading: https://www.slideshare.net/clayton_oneill/dockerizing-the-hard-services-neutron-amp-nova	2018-07-16 16:38:34 +02:00
Wim Nap	8942c31edc	removed configuration ceph keyring	2018-07-16 14:17:13 +02:00
Wim Nap	4e2477bb94	changed inventory file, removed vlan-tag for physical interface	2018-07-13 15:01:40 +02:00
Egon Rijpkema	b692f83b61	Should be group_vars	2018-07-06 10:48:29 +02:00
Wim Nap	a6b1f53f90	some ceph changes	2018-07-06 09:56:05 +02:00
Wim Nap	239daeceee	changed keyring name for glance	2018-06-29 14:03:44 +02:00
Wim Nap	d013500aae	changes in ceph-configs	2018-06-29 14:03:44 +02:00
Egon Rijpkema	d447413dee	Grouovars for ceph setup	2018-06-29 13:41:58 +02:00
Egon Rijpkema	75f384c579	Added variables ceph for glance and cinder.	2018-06-20 16:39:18 +02:00
Egon Rijpkema	c0555cdcfa	Fixes for variable ceph use	2018-06-20 16:01:30 +02:00
Egon Rijpkema	7cc4e17189	Added variables for ceph and nova compute	2018-06-20 15:48:31 +02:00
Egon Rijpkema	06db21ef4c	added reference to secrets file	2018-06-20 13:44:55 +02:00
Egon Rijpkema	3f8e213bbc	Speed up	2018-06-12 15:01:07 +02:00
Egon Rijpkema	2c6f89a6c3	trew in update cache	2018-06-12 14:15:12 +02:00
Egon Rijpkema	594edf728f	Added storage nodes here, too might dissappear again and moved to ceph-ansible repo.	2018-06-04 16:21:03 +02:00
Egon Rijpkema	056f2bb9fd	Playbook to add the ubuntu cloud repoo on all hosts.	2018-06-04 16:06:23 +02:00
Egon Rijpkema	9af8291517	Removed app armor	2018-05-04 15:40:38 +02:00
Egon Rijpkema	2effda6f58	setting debug to true	2018-05-02 19:37:18 +02:00
Wim Nap	afa6dddb6b	added ceph-conf to systemd-unitfile nova-compute	2018-04-17 15:38:02 +02:00
Wim Nap	e188ea4915	added ceph.conf for nova-compute to systemd-unitfile	2018-04-17 11:13:44 +02:00
Wim Nap	693b20e3bf	small change in systemd-file glance-controller	2018-04-17 10:28:06 +02:00
Wim Nap	6a5b46ace7	added ceph.conf for glance-controller	2018-04-17 10:03:26 +02:00
Wim Nap	4d43334cb3	new ceph.conf for nova-compute and cinder-storage	2018-04-16 17:08:49 +02:00
Wim Nap	0c705f4c7a	changed file permissions ceph.conf	2018-04-16 11:16:37 +02:00
Wim Nap	5a375bc850	added ceph.conf for nova-compute	2018-04-16 10:48:27 +02:00
Wim Nap	c89cf9065f	adding backslash to cinder-storage systemd-unitfile	2018-04-16 10:34:15 +02:00
Wim Nap	62be5bd6b5	changed docker-image for cinder-storage to merlin	2018-04-16 09:59:41 +02:00
Wim Nap	28431dca51	removed lvm-references	2018-04-13 17:56:04 +02:00
Wim Nap	016405ffd7	removed lvm-references	2018-04-13 17:17:37 +02:00
Wim Nap	240a1f22f3	git push --set-upstream origin merlin	2018-04-13 16:19:17 +02:00
Egon Rijpkema	a150b58aaa	Added more nodes	2018-03-14 08:54:18 +01:00
Egon Rijpkema	cc18e247c4	Using half the cluster for linuxbridge.	2018-03-01 15:17:50 +01:00
Egon Rijpkema	7114509697	More sleep for cluster	2018-02-28 10:36:17 +01:00
Egon Rijpkema	6a6ebd0c60	current state merlin	2018-02-22 16:32:40 +01:00
Egon Rijpkema	7a41ca4187	iEnsure installation of same openstack client	2018-02-22 16:31:18 +01:00
Egon Rijpkema	469bcd769c	Added local_ip	2018-02-20 16:24:26 +01:00
Egon Rijpkema	598cbeec9d	hope retries will work this way.	2018-02-20 15:29:14 +01:00
Egon Rijpkema	20ce7bcfc3	set overlay ip	2018-02-20 15:28:54 +01:00
Egon Rijpkema	1bbf1e4270	added retry	2018-02-20 14:24:41 +01:00
Egon Rijpkema	84b901c8b3	make keystone install more resiliant...	2018-02-16 13:39:21 +01:00
Egon Rijpkema	e3f3d5d3b7	Fix syntax error.	2018-02-16 11:45:53 +01:00
Egon Rijpkema	68ac7a0a6d	Added some explanations.	2018-02-06 13:34:56 +01:00
Egon Rijpkema	8da96590ac	It's horizon not glance.	2018-02-05 16:29:12 +01:00
Egon Rijpkema	fea7aaaff6	using the proper test machines	2018-02-05 15:23:33 +01:00
Egon Rijpkema	fb2bdfe543	added missing secrets	2018-01-30 14:50:08 +01:00
Egon Rijpkema	3347fa7c25	switched to nuclear fusion	2018-01-30 14:49:39 +01:00
Egon Rijpkema	f776756205	fixed interface mappings	2018-01-30 14:48:52 +01:00
Egon Rijpkema	59233d8019	playbook to reset a cluster	2018-01-30 09:57:11 +01:00
Egon Rijpkema	35551f69c1	inventory for the merlin cluster	2018-01-30 09:56:45 +01:00
Egon Rijpkema	85dcae1baf	added heat password	2018-01-30 09:55:27 +01:00
Egon Rijpkema	99eba86794	removed depricated hosts key	2018-01-30 09:55:06 +01:00
Egon Rijpkema	646e02ca9c	Sanitized inventory examples	2018-01-19 09:24:28 +01:00
Egon Rijpkema	30567679a2	Fixes made while testing the playbooks. Updated url of docker registry. make a loop for more flexibility. Introducing listen_ip variable that overrides the default listen_ip. make a loop for more flexibility. Get a listen ip specifically for that host. see if components have listen_ip defined before using ansible_default_ipv4 Make service files look for listen_ip variable. implemented listen_ip variable here too map to different port to avoid clashes. Make PHYSICAL_INTERFACE_MAPPINGS variable... instead of just one provuider interface. it should contain something like: physnet2:eth1,physnet3:eth2 add openstack client on machine that is running keystone Added delay to check. enable all services are started at boot Inventory for gcc openstack03 all in one. added volume for glance images Added gcc all in one specific config. Prevent an error when there is no secrets.yml.. to back up removed reference to empty dir. added empty meta/main.yml And now with a list of roles ..and removed the list removed reference to empty dir. Added galera cluster support When at least three database nodes are installed, the playbook will install a galera cluster across them. The galera cnf can be the same template across... nodes. made environment file for the service. I am unable to reproduce systemctl set-environment to work as advertized. Reverted to updating init file by ansible. entrypoint.sh of the mariadb container seems unable to cope when a blank variable is passed by systemd. give the galera master node some time It seems to be nessecary to run in host mode.. for galera to work. I misunderstood pause. need sleep. Inventory for physical test cluster. Added CINDER_PASSWORD Make sure docker is started. If docker was already installed but not running it was not started. fixed refernce to neutron controller Added heat Added port for metadata service Passed metadata secret to be used in config. Listen ip should be the machine's ip... Added openstack client from repo. changed name of subnet added horizon Changed rabbitmq default user to openstack. This makes it no longer nesseccary to create a separate openstack user, which is lost on rabbitmq restart. Added sleep because hosts were usually.. not discovered. Removed unnessecary port mapping Making /dev/lvm available to container. fixed os-test inventory Make iscsi devices available (needed to attach cinder volumes to machines) command module no longer works with && add cinder to test setup	2018-01-19 09:17:50 +01:00
Egon Rijpkema	95ef38a3ba	Cinder needs memcached host	2017-08-29 15:44:22 +02:00
Egon Rijpkema	a3ee754ddb	Small expansion of readme	2017-08-29 14:06:34 +02:00
Egon Rijpkema	1cefcaac0d	Have secrets scriot generate from topology file.	2017-08-29 09:29:53 +02:00
Egon Rijpkema	29c0634bc1	Cinder storage role	2017-08-28 11:52:02 +02:00
Egon Rijpkema	0c28f889b3	script to generate secrets file	2017-08-28 11:51:35 +02:00
Egon Rijpkema	5571858b23	Added cinder block storage.	2017-08-28 11:50:57 +02:00
Egon Rijpkema	b148b04a0b	added post install settings	2017-08-28 11:50:27 +02:00
Egon Rijpkema	233a9debc7	Seems necessary for host networking.	2017-08-25 15:12:29 +02:00
Egon Rijpkema	1010930171	Seccond set of hosts to test deployment.	2017-08-24 16:27:14 +02:00
Egon Rijpkema	2c6a09d079	Added secrets.yml. it is encrypted with a default password...	2017-08-24 16:20:11 +02:00
Egon Rijpkema	7f58d25b58	Added a cinder controller node.	2017-08-21 11:36:43 +02:00
Egon Rijpkema	803451d490	Give neutron the nova credentials... it needs. And also force re downloading of all docker images.	2017-08-17 15:50:39 +02:00
Egon Rijpkema	d964c29c06	Let the new compute host be discovered.	2017-08-17 12:14:41 +02:00
Egon Rijpkema	e59d2c1c98	Merge branch 'feature/encrypted-paswords' into develop	2017-08-17 10:41:17 +02:00
Egon Rijpkema	7a6c9ac360	Made Roles use repo wide secrets file. Made keystone use repo wide secrets file. Made glance-controller use repo wide secrets file. kill and then remove image Made neutron-controller use repo wide secrets file. Made nova-controller use repo wide secrets file Made nova-compute use repo wide secrets file. Made rabbitmq use repo wide secrets file. Allow creation of admin-openrc.sh in docker. added provider_interfaces. added persistent root folder. make each dir explicitely added missing env vars. mapped kvm machine-id from host	2017-08-17 10:41:01 +02:00
Egon Rijpkema	f06a943916	small fixes mostly variable names	2017-08-10 11:17:24 +02:00
Egon Rijpkema	4db6499419	add robustness after testing site.yml	2017-08-02 15:22:10 +02:00
Egon Rijpkema	d907ec4969	now using ips in endpoint urls	2017-08-01 13:02:01 +02:00
Egon Rijpkema	0ac27dcc0d	Port mapping for glance controller.. was accidentially removed	2017-08-01 10:52:37 +02:00
Egon Rijpkema	8a3fbd557d	Tweaks to make install run idempotent	2017-08-01 10:19:54 +02:00
Egon Rijpkema	1a78f649e8	added docker repo	2017-07-31 13:21:03 +02:00
Egon Rijpkema	2b3e8cebae	added some services	2017-07-28 11:43:03 +02:00
Egon Rijpkema	e974eac443	Small fixes on teh neutron config.	2017-07-26 16:31:31 +02:00
Egon Rijpkema	8300652079	Moved env vars to a single variable.	2017-07-26 16:30:19 +02:00
Egon Rijpkema	741ba512bc	added neutron-controller	2017-07-26 09:59:59 +02:00
Egon Rijpkema	482333215a	Merge branch 'feature/keystone-to-docker-repo' into develop	2017-07-24 13:47:46 +02:00
Egon Rijpkema	b727857dae	Previously the keystone image was build here But we since switched to separate repo's for the dockerfiles. These are built with jenkins.	2017-07-24 13:47:31 +02:00
Egon Rijpkema	d42d1495e9	Added nova compute Also configured horizon to display hypervisors.	2017-07-14 10:02:55 +02:00
Egon Rijpkema	1b7fa48714	nova needs the --privileged flag to use iptables	2017-07-13 10:01:58 +02:00
Egon Rijpkema	91ace4d87d	add openstack rabbitmq user	2017-07-13 09:42:10 +02:00
Egon Rijpkema	70814e1a77	Made settings in glance and nova flexible.	2017-07-12 16:32:58 +02:00
Egon Rijpkema	dc8a75f6cb	fixed joining of cluster	2017-07-12 11:40:37 +02:00
Egon Rijpkema	588a32b450	prevent hanging upon service restart	2017-07-12 11:07:36 +02:00
Egon Rijpkema	056b383723	service would often hang	2017-07-12 10:24:46 +02:00
Egon Rijpkema	a25852b39e	Removed hardcoded ips for glance Also added domain, projects, users creation for keystone. This guide was followed: https://docs.openstack.org/ocata/install-guide-ubuntu/keystone-us	2017-07-12 10:19:45 +02:00
Egon Rijpkema	062fabd4b6	replaced hardcoded ips with env vars	2017-07-11 09:17:53 +02:00
Egon Rijpkema	f5d240a7f5	Added dummy task to gather facts. see https://serverfault.com/questions/638507/how-to-access-host-variable-of-a-different-host-with-ansible	2017-07-10 14:50:09 +02:00
Egon Rijpkema	86cd68e465	Removed inclusion of docker everywhere It is now included in the common role itself, which is applied to all.	2017-07-10 09:52:12 +02:00
Egon Rijpkema	ecbd592440	Trailing slash needed to prevent creation of subdir	2017-07-07 17:06:55 +02:00
Egon Rijpkema	19a9d1d75e	Made rabbitmq use host variables.	2017-07-07 16:14:38 +02:00
Egon Rijpkema	ef2360f814	Made rabbitmq hostnames variable	2017-07-07 14:40:20 +02:00
Egon Rijpkema	d9f6028848	Removed bogus char in my.cnf	2017-07-07 11:12:53 +02:00
Egon Rijpkema	cebd9b7a9c	Added installation of openstack horizon. The image needs to be available on the target host. It can be built from: ssh://git@git.webhosting.rug.nl:222/HPC/docker-horizon.git	2017-07-05 09:03:45 +02:00
Egon Rijpkema	9072279aa7	contaimer will be removed after use	2017-07-03 11:54:47 +02:00
		`@ -0,0 +1,2 @@`
							`[client.images]`
							`key = AQDCpDNbJ3DqDBAAvUOUcxEoZNvQUfoaU5i8iQ==`