Cinder needs memcached host

it is encrypted with a default password...

README.md

@@ -1,8 +1,42 @@
 # hpc-cloud
 
-This repository will contain playbooks to bring up openstack components inside docker containers.
+This repository contains playbooks to bring up openstack components inside docker containers.
+It makes use of ansible roles for the openstack components and the supporting infrastructure.
+The following roles are installed.
+
+### Openstack components.
+
+* keystone
+* glance-controller
+* horizon
+* neutron-controller
+* nova-controller
+* nova-compute
+* cinder-controller
+* cinder-storage
+
+### Auxilary components:
+
+* database (mariadb)
+* rabbitmq (cluster of three nodes)
+* memcached
+
+## Getting started:
+
+### Prerequisites:
+* A cluster of servers to install the components on.
+  * The machines running nova-compute and neutron-controller need a separate interface for neutron to use.
+* ubuntu 16.04 with python installed (usually already present).
+* Access to the webhost12.service.rug.nl docker repository.
+
+### Settings:
+Passwords need be added to `secrets.yml.topol` and it needs to be saved as `secrets.yml`.
+This can be done by running `./generate_secrets.py`.
+Optionally, one can encrypt the secrtets by running `ansible-vault encrypt secrets.yml`.
+
+
+### Secrets:
 
-It makes use of ansible roles.
 The roles can be set in the inventory file (hosts)
 
 To bring up one role, for instance keystone, use:

cinder-controller.yml

@@ -0,0 +1,9 @@
+---
+- hosts: all
+  name: Dummy to gather facts
+  tasks: []
+
+- hosts: cinder-controller
+  become: True
+  roles:
+     - cinder-controller

cinder-storage.yml

@@ -0,0 +1,9 @@
+---
+- hosts: all
+  name: Dummy to gather facts
+  tasks: []
+
+- hosts: cinder-storage
+  become: True
+  roles:
+     - cinder-storage

generate_secrets.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+Open the secrets.yml and replace all passwords.
+Original is backed up.
+"""
+
+import random
+import string
+from subprocess import call
+from yaml import load, dump
+
+try:
+    from yaml import CLoader as Loader, CDumper as Dumper
+except ImportError:
+    from yaml import Loader, Dumper
+
+# length of generated passwords.
+pass_length = 20
+
+with open('secrets.yml.topol', 'r') as f:
+    data = load(f, Loader=Loader)
+
+for key, value in data.iteritems():
+    data[key] = ''.join(
+        random.choice(string.ascii_letters + string.digits)
+        for _ in range(pass_length))
+
+# Make numbered backups of the secrets file.
+call(['cp', '--backup=numbered', 'secrets.yml', 'secrets.yml.bak'])
+
+with open('secrets.yml', 'w') as f:
+    dump(data, f, Dumper=Dumper, default_flow_style=False)

hosts

@@ -34,10 +34,16 @@ openstack01-node03
 #run_options="-e CASSANDRA_SEEDS=172.23.41.1"
 
 [neutron-controller]
-openstack01-node01
+openstack01-node01 provider_interface_name=ens192
 
 [nova-controller]
 openstack01-node03
 
+[cinder-controller]
+openstack01-node03
+
+[cinder-storage]
+openstack01-node01 storage_volume=/dev/loop0
+
 [nova-compute]
-openstack01-node04
+openstack01-node04 provider_interface_name=dummy0

post-install.yml

@@ -0,0 +1,26 @@
+---
+- hosts: all
+  name: Dummy to gather facts
+  tasks: []
+
+- hosts: keystone
+  become: True
+  vars_files:
+    - settings.yml
+  tasks:
+    - name: copy public key
+      copy:
+        content: "{{ rsa_pub }}"
+        dest: /srv/keystone/root/id_rsa.pub
+    - name: post install configuration
+      command: docker exec -i keystone.service bash -c "source /root/admin-openrc.sh && {{ item }}"
+      with_items:
+        - openstack network create  --share --external  --provider-physical-network provider  --provider-network-type flat provider
+        - >
+            openstack subnet create --network provider
+            --allocation-pool start={{ allocation_pool['start'] }},end={{ allocation_pool['end'] }}
+            --dns-nameserver {{ dns_nameserver }} --gateway {{ gateway }} --subnet-range {{ subnet_range }} provider
+        - openstack flavor create --id 0 --vcpus 1 --ram 64 --disk 1 m1.nano
+        - openstack keypair create --public-key /root/id_rsa.pub adminkey
+
+

roles/cinder-controller/tasks/main.yml

@@ -0,0 +1,59 @@
+# Build and install a docker image for cinder.
+---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
+- set_fact:
+    docker_image: webhost12.service.rug.nl/hpc/openstack-cinder-controller:latest
+    env_vars: >
+        -e "MY_IP={{ ansible_default_ipv4.address }}"
+        -e "CINDER_HOST={{ hostvars[groups['cinder-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}"
+        -e "CINDER_USER=cinder"
+        -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
+        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
+        -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
+        -e "RABBIT_USER=openstack"
+
+- name: pull docker image
+  docker_image:
+    name: "{{ docker_image }}"
+  tags: pull
+
+- name: Make build and persistent directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0777
+  with_items:
+      - /srv/cinder-controller
+      - /srv/cinder-controller/root
+
+- name: install service file.
+  template:
+    src: templates/cinder-controller.service
+    dest: /etc/systemd/system/cinder-controller.service
+    mode: 644
+    owner: root
+    group: root
+
+- command: systemctl daemon-reload
+
+- name: Initialize database.
+  command: >
+             /usr/bin/docker run --rm
+             {{ env_vars }}
+             -v /srv/cinder-controller/root:/root \
+             {{ docker_image }} /etc/bootstrap.sh
+  tags: bootstrap
+
+- name: make sure service is started
+  systemd:
+    name: cinder-controller.service
+    state: restarted

roles/cinder-controller/templates/cinder-controller.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Openstack Glance Container
+After=docker.service
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --name %n \
+  {{ env_vars | replace('\n', '') }} \
+  -v /srv/cinder-controller/root:/root \
+  -p 8776:8776 \
+  {{ docker_image }}
+
+[Install]
+WantedBy=multi-user.target

roles/cinder-storage/tasks/main.yml

@@ -0,0 +1,61 @@
+# Build and install a docker image for cinder.
+---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
+- set_fact:
+    docker_image: webhost12.service.rug.nl/hpc/openstack-cinder-storage:latest
+    env_vars: >
+        -e "MY_IP={{ ansible_default_ipv4.address }}"
+        -e "CINDER_HOST={{ hostvars[groups['cinder-storage'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "CINDER_PASSWORD={{ secrets['CINDER_PASSWORD'] }}"
+        -e "CINDER_USER=cinder"
+        -e "GLANCE_HOST={{ hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
+        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
+        -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
+        -e "RABBIT_USER=openstack"
+
+- name: pull docker image
+  docker_image:
+    name: "{{ docker_image }}"
+  tags: pull
+
+- name: Make build and persistent directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0777
+  with_items:
+      - /srv/cinder-storage
+      - /srv/cinder-storage/root
+
+- name: initial setup
+  command: >
+             /usr/bin/docker run --rm
+             --privileged
+             {{ env_vars }}
+             -v /srv/cinder-storage/root:/root \
+             -v "{{ storage_volume }}":/dev/cinder_storage_volume \
+             {{ docker_image }} /etc/bootstrap.sh
+  tags: bootstrap
+
+- name: install service file.
+  template:
+    src: templates/cinder-storage.service
+    dest: /etc/systemd/system/cinder-storage.service
+    mode: 644
+    owner: root
+    group: root
+
+- command: systemctl daemon-reload
+
+- name: make sure service is started
+  systemd:
+    name: cinder-storage.service
+    state: restarted

roles/cinder-storage/templates/cinder-storage.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Openstack Glance Container
+After=docker.service
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --name %n \
+  --privileged \
+  {{ env_vars | replace('\n', '') }} \
+  -v /srv/cinder-storage/root:/root \
+  -v "{{ storage_volume }}":/dev/cinder_storage_volume \
+  -p 8776:8776 \
+  {{ docker_image }}
+
+[Install]
+WantedBy=multi-user.target

roles/glance-controller/tasks/main.yml

@@ -1,18 +1,24 @@
 # Build and install a docker image for glance.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
 - set_fact:
     docker_image: webhost12.service.rug.nl/hpc/openstack-glance:latest
     env_vars: >
-        -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "GLANCE_HOST={{ hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "GLANCE_PASSWORD={{ secrets['GLANCE_PASSWORD'] }}"
+        -e "GLANCE_USER=glance"
+        -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
         -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}"
         -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "MYSQL_ROOT_PASSWORD=geheim"
+        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
-        -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
-        -e "GLANCE_HOST={{ hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "GLANCE_USER=glance"
+        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
-        -e "GLANCE_PASSWORD=geheim"
         -e "RABBIT_USER=openstack"
-        -e "RABBIT_PASSWORD=geheim"
 
 - name: pull docker image
   docker_image:
@@ -26,6 +32,7 @@
     mode: 0777
   with_items:
       - /srv/glance
+      - /srv/glance/root
 
 - name: install service file.
   template:
@@ -42,6 +49,7 @@
              /usr/bin/docker run --rm
              {{ env_vars }}
              --add-host=keystone:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }} \
+             -v /srv/glance/root:/root \
              {{ docker_image }} /etc/bootstrap.sh
   tags: bootstrap
 

roles/glance-controller/templates/glance.service

@@ -6,9 +6,11 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker rm -f %n
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
   {{ env_vars | replace('\n', '') }} \
+  -v /srv/glance/root:/root \
   -p 9292:9292 \
   {{ docker_image }}
 

roles/horizon/tasks/main.yml

@@ -6,6 +6,7 @@
 - name: pull docker image
   docker_image:
     name: "{{ docker_image }}"
+    force: True
   tags: pull
 
 - name: install service file.

roles/horizon/templates/horizon.service

@@ -6,7 +6,8 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker rm -f %n
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
   -e "MEMCACHED_SERVER={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}" \
   -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" \

roles/keystone/files/Dockerfile

@@ -1,31 +0,0 @@
-# Build keystone. It needs to be run with
-# --add-host=mariadb:<ip mariadb listens tp>
-# Wen starting with an initialized db,
-# run keystone-manage db_sync from this docker first:
-# $ docker run hpc/keystone --add-host=mariadb:<ip mariadb> "keystone-manage db_sync"
-
-FROM ubuntu:16.04
-
-RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5EDB1B62EC4926EA
-
-RUN set -x \
-    && echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu xenial-updates/ocata main" > /etc/apt/sources.list.d/ocata.list \
-    && apt-get -y update \
-    && apt-get -y install \
-    && apt-get -y install keystone python-openstackclient \
-    && apt-get -y clean
-
-# set admin token TODO: make this a secret
-# in volume of met env
-COPY keystone.conf /etc/keystone/keystone.conf
-
-RUN mkdir /etc/keystone/fernet-keys
-
-RUN chown keystone: /etc/keystone/fernet-keys
-
-COPY admin-openrc.sh root/admin-openrc.sh
-
-COPY bootstrap.sh /etc/bootstrap.sh
-
-#RUN keystone-manage db_sync
-CMD apachectl -DFOREGROUND

roles/keystone/files/bootstrap.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-
-source /root/admin-openrc.sh
-
-openstack project create --domain default \
-      --description "Service Project" service
-
-openstack project create --domain default \
-  --description "Demo Project" demo
-
-openstack user create --domain default \
-  --password geheim demo
-
-openstack role create user
-
-openstack role add --project demo --user demo user

roles/keystone/files/keystone.conf

@@ -1,12 +0,0 @@
-[DEFAULT]
-
-verbose = true
-
-[database]
-connection = mysql+pymysql://keystone:keystone@mariadb/keystone
-
-[token]
-provider = fernet
-
-[identity]
-default_domain_id = default

roles/keystone/scripts/initialize_db.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Start a mariadb container to use its mysql client to initialize the keystone database.
-docker run --rm -i mariadb:10.2 mysql -uroot -pgeheim --host "$1" << EOF
+docker run --rm -i mariadb:10.2 mysql -uroot -p"$MYSQL_ROOT_PASSWORD" --host "$DB_HOST" << EOF
 CREATE DATABASE IF NOT EXISTS keystone;
 GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
 GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

roles/keystone/tasks/main.yml

@@ -1,10 +1,20 @@
 # Build and install a docker image for keystone.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
 - name: Make persistent directories
   file:
-    path: /srv/keystone/fernet-keys
+    path: "{{ item }}"
     state: directory
     mode: 0777
+  with_items:
+    - /srv
+    - /srv/keystone
+    - /srv/keystone/fernet-keys
+    - /srv/keystone/root
 
 - set_fact:
     docker_image: webhost12.service.rug.nl/hpc/openstack-keystone:latest
@@ -12,6 +22,7 @@
 - name: pull docker image
   docker_image:
     name: "{{ docker_image }}"
+    force: True
   tags: pull
 
 - name: install service file.
@@ -26,7 +37,10 @@
   command: systemctl daemon-reload
 
 - name: Initialize db
-  script: scripts/initialize_db.sh {{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}
+  script: scripts/initialize_db.sh
+  environment:
+    MYSQL_ROOT_PASSWORD: "{{ secrets['MYSQL_ROOT_PASSWORD'] }}"
+    DB_HOST: "{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
   register: result
   until: result|succeeded
   # sometimes the initial connect fails.
@@ -47,7 +61,7 @@
       - fernet_setup --keystone-user keystone --keystone-group keystone
       - credential_setup --keystone-user keystone --keystone-group keystone
       - >
-          bootstrap --bootstrap-password geheim
+          bootstrap --bootstrap-password {{ secrets['OS_PASSWORD'] }}
                     --bootstrap-admin-url http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:35357/v3/
                     --bootstrap-internal-url http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:35357/v3/
                     --bootstrap-public-url http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:5000/v3/
@@ -63,5 +77,8 @@
              /usr/bin/docker run --rm
              --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}
              -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
+             -v /srv/keystone/root:/root
              -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
+             -e "OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3"
+             -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
              {{ docker_image }} bash /etc/bootstrap.sh

roles/keystone/templates/admin-openrc.sh

@@ -1,5 +1,5 @@
 export OS_TENANT_NAME=admin
 export OS_USERNAME=admin
-export OS_PASSWORD=geheim
+export OS_PASSWORD={{ hostvars[groups['keystone'][0]]['OS_PASSWORD'] }}
 export OS_AUTH_URL=http://{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}:35357/v3
 export OS_IDENTITY_API_VERSION=3

roles/keystone/templates/keystone.service

@@ -6,12 +6,14 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker rm -f %n
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
   --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
   -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" \
   -p 5000:5000 -p 35357:35357 \
   -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys \
+  -v /srv/keystone/root:/root \
   {{ docker_image }}
 
 [Install]

roles/mariadb/tasks/main.yml

@@ -1,8 +1,13 @@
 # Install a docker based mariadb.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
 - name: install service file.
   template:
-    src: files/mysql.service
+    src: templates/mysql.service
     dest: /etc/systemd/system/mysql.service
     mode: 644
     owner: root

roles/mariadb/templates/mysql.service

@@ -6,13 +6,13 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker kill %n || /bin/true
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStartPre=/usr/bin/docker pull mariadb:10.2
 ExecStart=/usr/bin/docker run  -p 3306:3306 --name %n \
  -v /srv/mariadb/lib/mysql:/var/lib/mysql \
  -v /srv/mariadb/etc/mysql:/etc/mysql \
- -e MYSQL_ROOT_PASSWORD=geheim mariadb:10.2
+ -e MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }} mariadb:10.2
 
 [Install]
 WantedBy=multi-user.target

roles/neutron-controller/tasks/main.yml

@@ -1,28 +1,37 @@
 # Build and install a docker image for neutron-controller.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
 - set_fact:
     docker_image: "webhost12.service.rug.nl/hpc/openstack-neutron-controller:latest"
 
 - name: pull docker image
   docker_image:
     name: "{{ docker_image }}"
+    force: True
   tags: pull
 
 - set_fact:
     env_vars: >
         -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "METADATA_SECRET=geheim"
+        -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "METADATA_SECRET={{ secrets['METADATA_SECRET'] }}"
         -e "MY_IP={{ hostvars[groups['neutron-controller'][0]]['ansible_default_ipv4']['address'] }}"
         -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "MYSQL_ROOT_PASSWORD=geheim"
+        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
-        -e "NEUTRON_PASSWORD=geheim"
+        -e "NEUTRON_PASSWORD={{ secrets['NEUTRON_PASSWORD'] }}"
         -e "NEUTRON_USER=neutron"
-        -e "NOVA_CONTROLLER_HOST={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "NOVA_PASSWORD=geheim"
         -e "NOVA_USER=nova"
-        -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}"
+        -e "NOVA_CONTROLLER_HOST={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "NOVA_PLACEMENT_PASSWORD={{ secrets['NOVA_PLACEMENT_PASSWORD'] }}"
+        -e "NOVA_PLACEMENT_USER=placement"
+        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
         -e "PROVIDER_INTERFACE_NAME={{ provider_interface_name }}"
-        -e "RABBIT_PASSWORD=geheim"
+        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
         -e "RABBIT_USER=openstack"
   tags: env
 

roles/neutron-controller/templates/neutron-controller.service

@@ -6,12 +6,14 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker rm -f %n
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
   {{ env_vars | replace('\n', '') }} \
   --add-host=nova-controller:{{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }} \
   --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
   --add-host=keystone:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }} \
+  --add-host={{ ansible_nodename }}:{{ ansible_default_ipv4.address }} \
   --privileged \
   --network host \
   -v /lib/modules:/lib/modules \

roles/nova-compute/tasks/main.yml

@@ -1,5 +1,10 @@
 # Build and install a docker image for nova-controller.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
 - set_fact:
     docker_image: webhost12.service.rug.nl/hpc/openstack-nova-compute:latest
   tags: facts
@@ -7,6 +12,7 @@
 - name: pull docker image
   docker_image:
     name: "{{ docker_image }}"
+    force: True
   tags: pull
 
 - name: install service file.
@@ -31,3 +37,7 @@
   systemd:
     name: nova-compute.service
     state: restarted
+
+- name: let nova controler discover new host
+  command: docker exec -i nova-controller.service nova-manage cell_v2 discover_hosts
+  delegate_to: "{{ hostvars[groups['nova-controller'][0]]['ansible_hostname'] }}"

roles/nova-compute/templates/nova-compute.service

@@ -6,33 +6,37 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker rm -f %n
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
-    -e "MY_IP={{ hostvars[groups['nova-compute'][0]]['ansible_default_ipv4']['address'] }}" \
+    -e "GLANCE_CONTROLLER_HOST={{ hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address'] }}" \
-    -e "NOVA_USER=nova" \
-    -e "NOVA_COMPUTE_USER=nova_compute" \
-    -e "NOVA_PASSWORD=geheim" \
-    -e "NOVA_PLACEMENT_USER=placement" \
-    -e "NOVA_PLACEMENT_PASSWORD=geheim" \
-    -e "RABBIT_USER=openstack" \
-    -e "RABBIT_PASSWORD=geheim" \
-    -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" \
     -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}" \
     -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}" \
+    -e "MY_IP={{ hostvars[groups['nova-compute'][0]]['ansible_default_ipv4']['address'] }}" \
     -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}" \
-    -e "MYSQL_ROOT_PASSWORD=geheim" \
+    -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}" \
     -e "NEUTRON_CONTROLLER_HOST={{ hostvars[groups['neutron-controller'][0]]['ansible_default_ipv4']['address'] }}" \
-    -e "NEUTRON_PASSWORD=geheim" \
+    -e "NEUTRON_PASSWORD={{ secrets['NEUTRON_PASSWORD'] }}" \
     -e "NEUTRON_USER=neutron" \
+    -e "NOVA_COMPUTE_USER=nova_compute" \
     -e "NOVA_CONTROLLER_HOST={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}" \
+    -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}" \
+    -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}" \
+    -e "NOVA_PLACEMENT_PASSWORD={{ secrets['NOVA_PLACEMENT_PASSWORD'] }}" \
+    -e "NOVA_PLACEMENT_USER=placement" \
+    -e "NOVA_USER=nova" \
+    -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}" \
     -e "PROVIDER_INTERFACE_NAME={{ provider_interface_name }}" \
-    -e "GLANCE_CONTROLLER_HOST={{ hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address'] }}" \
+    -e "RABBIT_HOST={{ hostvars[groups['rabbitmq'][0]]['ansible_default_ipv4']['address'] }}" \
+    -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}" \
+    -e "RABBIT_USER=openstack" \
     --add-host=keystone:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }} \
     --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
     --privileged \
     -v /var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock \
     -v /var/lib/nova/instances:/var/lib/nova/instances \
     -v /lib/modules:/lib/modules \
+    -v /etc/machine-id:/etc/machine-id \
     --network host \
     {{ docker_image }} /etc/run.sh
 

roles/nova-controller/tasks/main.yml

@@ -1,30 +1,45 @@
 # Build and install a docker image for nova-controller.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
+- name: Make persistent directories
+  file:
+    path: "{ item }}"
+    state: directory
+    mode: 0777
+  with_items:
+    - /srv/nova-controller
+    - /srv/nova-controller/root
+
 - set_fact:
     docker_image: webhost12.service.rug.nl/hpc/openstack-nova-service:latest
     env_vars: >
-        -e "MY_IP={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "NOVA_USER=nova"
-        -e "NOVA_PASSWORD=geheim"
-        -e "NOVA_PLACEMENT_USER=placement"
-        -e "NOVA_PLACEMENT_PASSWORD=geheim"
-        -e "RABBIT_USER=openstack"
-        -e "RABBIT_PASSWORD=geheim"
-        -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "NEUTRON_CONTROLLER_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "MYSQL_ROOT_PASSWORD=geheim"
-        -e "NOVA_CONTROLLER_HOST={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}"
         -e "GLANCE_CONTROLLER_HOST={{ hostvars[groups['glance-controller'][0]]['ansible_default_ipv4']['address'] }}"
-        -e "NEUTRON_PASSWORD=geheim"
+        -e "KEYSTONE_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MEMCACHED_HOST={{ hostvars[groups['memcached'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MY_IP={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MYSQL_HOST={{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "MYSQL_ROOT_PASSWORD={{ secrets['MYSQL_ROOT_PASSWORD'] }}"
+        -e "NEUTRON_CONTROLLER_HOST={{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "NEUTRON_PASSWORD={{ secrets['NEUTRON_PASSWORD'] }}"
         -e "NEUTRON_USER=neutron"
-        -e "METADATA_SECRET=geheim"
+        -e "NOVA_CONTROLLER_HOST={{ hostvars[groups['nova-controller'][0]]['ansible_default_ipv4']['address'] }}"
+        -e "NOVA_PASSWORD={{ secrets['NOVA_PASSWORD'] }}"
+        -e "NOVA_PLACEMENT_PASSWORD={{ secrets['NOVA_PLACEMENT_PASSWORD'] }}"
+        -e "NOVA_PLACEMENT_USER=placement"
+        -e "NOVA_USER=nova"
+        -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
+        -e "RABBIT_PASSWORD={{ secrets['RABBIT_PASSWORD'] }}"
+        -e "RABBIT_USER=openstack"
   tags: facts
 
 - name: pull docker image
   docker_image:
     name: "{{ docker_image }}"
+    force: True
   tags: pull
 
 - name: install service file.
@@ -43,6 +58,7 @@
     {{ env_vars }}
     --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}
     --add-host=keystone:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }}
+    -v /srv/nova-controller/root:/root
     {{ docker_image }}
     /etc/bootstrap.sh
   tags: bootstrap

roles/nova-controller/templates/nova-controller.service

@@ -6,14 +6,17 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker rm -f %n
+ExecStartPre=-/usr/bin/docker kill %n
+ExecStartPre=-/usr/bin/docker rm %n
 ExecStart=/usr/bin/docker run --name %n \
   {{ env_vars | replace('\n', '') }} \
   --add-host=mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }} \
   --add-host=keystone:{{ hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address'] }} \
   --privileged \
+  -v /srv/nova-controller/root:/root \
   -p 8774:8774 \
   -p 8778:8778 \
+  -p 6080:6080 \
   {{ docker_image }} /etc/run.sh
 
 [Install]

roles/rabbitmq/files/rabbitmq.service

@@ -6,7 +6,7 @@ Requires=docker.service
 [Service]
 TimeoutStartSec=0
 Restart=always
-ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStartPre=/usr/bin/docker pull rabbitmq:latest
 ExecStart=/usr/bin/docker run \
@@ -14,8 +14,8 @@ ExecStart=/usr/bin/docker run \
           --add-host "{{ hostvars[groups['rabbitmq'][1]]['ansible_hostname'] }}:{{ hostvars[groups['rabbitmq'][1]]['ansible_default_ipv4']['address'] }}" \
           --add-host "{{ hostvars[groups['rabbitmq'][2]]['ansible_hostname'] }}:{{ hostvars[groups['rabbitmq'][2]]['ansible_default_ipv4']['address'] }}" \
           -p 4369:4369 -p 25679:25679 -p 25672:25672 -p 5671-5672:5671-5672 -p 8080:15672 \
-          -e "RABBITMQ_DEFAULT_USER=user" -e "RABBITMQ_DEFAULT_PASS=password" \
+          -e "RABBITMQ_DEFAULT_USER=user" -e "RABBITMQ_DEFAULT_PASS={{ secrets['RABBIT_PASSWORD'] }}" \
-          -e "RABBITMQ_ERLANG_COOKIE=IHyW9HpfbXRL+pZkhGd8pA==" \
+          -e "RABBITMQ_ERLANG_COOKIE={{ secrets['RABBITMQ_ERLANG_COOKIE'] }}" \
           -e "RABBITMQ_NODENAME=rabbit_{{ ansible_nodename }}" \
           --hostname "{{ ansible_nodename }}" --name %n rabbitmq:3-management
 

roles/rabbitmq/tasks/main.yml

@@ -1,5 +1,13 @@
 # Install a docker based rabbitMQ.
 ---
+- name: include secrets
+  include_vars:
+    file: ../../secrets.yml
+    name: secrets
+
+- include_vars:
+    dir: 'vars'
+
 - name: install service file.
   template:
     src: files/rabbitmq.service
@@ -18,7 +26,7 @@
 
 - name: wait for container to be started
   wait_for:
-      port: 15671
+      port: 5672
 
 - name: setup the cluster
   command: "docker exec -i rabbitmq.service {{ item }}"
@@ -31,7 +39,7 @@
 - name: create openstack user
   command: "docker exec -i rabbitmq.service {{ item }}"
   with_items:
-      - rabbitmqctl add_user openstack geheim
+      - rabbitmqctl add_user openstack "{{ secrets['RABBIT_PASSWORD'] }}"
       - rabbitmqctl set_permissions openstack ".*" ".*" ".*"
   when: ansible_nodename == hostname_node0
   register: command_result

secrets.yml

@@ -0,0 +1,30 @@
+$ANSIBLE_VAULT;1.1;AES256
+62633134346438356462333363626164393762356139653666323461333037393536373631653565
+6631306631333538353534663738313062636232633339610a303161323131373739393735666463
+65353135626430353737373239623361306137326334333761626235353463393465383830666666
+6138616530346563310a306263316331346263356139383435316239346230313266636363313564
+36633130393062373936363765636361343939313639326237633337353665666338633338343837
+34613534333063303537323738396436333964613362636664366264313334663365336132623464
+64656131373261376466356638636338643135393139386534626132323262393064626666323462
+64323664373262356632393465653932303939313338656665336639613966626234636666373163
+35633231666338643863623737396435626364333365656536613130666435323837323136663339
+61363936336434656530313538643463663737613831646265313731363734356635356438353062
+34323063346265393737343834343065616139656234666230323131366138396265393737666236
+39353766643239323339623534393962666432656331323462656439306365613539366230643133
+36316138303361313134336431343137343433383430616137376563383233303432383664333930
+61613531313638303531643232343066376565663032326533313461363839383664366338356439
+37363233666663653736376538386536653262653633323065363830623032363063393635653762
+32636365656362323362303962306538336234626533323830656230386432666461343063663832
+62373133343933353563653762333836333862376232353339313662363865616439623635393839
+37346433346264633036343761613230396434366132653261643137386466326235613030306235
+34333065623232303939623233373762393939653639333734336336303762326662386530356563
+65303165623564303635356337353662363433626466653939323438633938386166386262623435
+64376431396631623034386434393431616631363663393835343035313639663538643565616330
+65353365303131326335646164333231306564383936396139643935646331393235326666336230
+38326165663865343966356335326438303133663239656235313935626332323332376665343132
+62336139643262333938303537313533623535333736643163373137343035393034613939663061
+36323063643734343865333138356434643266663436653435353132386330636238343637653434
+65616361333263336332643262623034343439383737366663373166643433653466313237613930
+32373162646461323266353662326134343839613264313339306430366165633838663831666565
+65333337623962313561306333616232393334353934316565666331336561633934623339353138
+62656339386530333036383831613762353234643461656436623033613930353531

secrets.yml.topol

@@ -0,0 +1,11 @@
+---
+GLANCE_PASSWORD:
+METADATA_SECRET:
+MYSQL_ROOT_PASSWORD:
+NEUTRON_PASSWORD:
+NOVA_PASSWORD:
+NOVA_PLACEMENT_PASSWORD:
+OS_PASSWORD:   # Keystone admin password
+OS_DEMO_PASSWORD: # Keystone demo user password
+RABBIT_PASSWORD:
+RABBITMQ_ERLANG_COOKIE:

settings.yml

@@ -0,0 +1,12 @@
+---
+- allocation_pool:
+    start: 172.23.128.50
+    end: 172.23.128.249
+
+- dns_nameserver: 129.125.4.6
+
+- gateway: 172.23.128.250
+
+- subnet_range: 172.23.128.0/24
+
+- rsa_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDStPUPXkcu81onUm/le54JCu174yXJJDsthDr96Mv8irBVBWuy5FxnaASuDpmC4QE4s0UAIg1iq/SWrr8qdBQ4OVuYFiW0S7ZJvcoKr/40Wh+T5MeltGQfmkDp6kBsfaMSo6M4tF1c8i+XgOgxb4fxHYb8mFhseztRLx6McxJJJLB0nu+T12WQ01nl0XtwD+3EsZWfxRH0KA59VHZSe3Anc5z+Fm7WU+1Vzy6/pkiIhVReI1L6VVhZsIdSu3fQK6fHQcujtfuw6RKEpisZQqnxMUviWQ98yeQXHk6Nx840WCh3vvKveEAoC4Y/UEZa1TMe6PczfUaLjaidUkpulJsP egon@egon-pc

site.yml

@@ -9,3 +9,4 @@
 - include: neutron-controller.yml
 - include: nova-compute.yml
 - include: horizon.yml
+- include: post-install.yml

test_hosts

@@ -0,0 +1,28 @@
+[databases]
+ansible-test-2
+
+[keystone]
+ansible-test-3
+
+[glance-controller]
+ansible-test-2
+
+[horizon]
+ansible-test-3
+
+[rabbitmq]
+ansible-test
+ansible-test-2
+ansible-test-3
+
+[memcached]
+ansible-test-3
+
+[neutron-controller]
+ansible-test provider_interface_name=ens10
+
+[nova-controller]
+ansible-test
+
+[nova-compute]
+ansible-test-2 provider_interface_name=ens10