 676d574623
			
		
	
	676d574623
	
	
	
		
			
The security hardening playbook was not being executed. This change adds the security hardening playbook to the default re-deployment process. If a deployer wishes to opt out of the default security hardening, they can disable it using the `apply_security_hardening` option. Change-Id: I69baa1d2cb209cf3686ca2da00e698ed5dbf92f9 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
		
			
				
	
	
		
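#!/usr/bin/env bash
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Queue the Newton re-deployment playbooks (hosts, infrastructure, OpenStack
# services) into RUN_TASKS and hand the list to run_items.  Progress markers
# under /etc/openstack_deploy/upgrade-leap/ make the script resumable.
#
# Required environment (expected from lib/vars.sh or the caller):
#   NEWTON_RELEASE, UPGRADE_UTILS, REDEPLOY_OA_FOLDER
# Optional hooks, each a playbook spec appended to RUN_TASKS when set:
#   PRE_SETUP_HOSTS_HOOK, POST_SETUP_HOSTS_HOOK,
#   PRE_SETUP_INFRASTRUCTURE_HOOK, POST_SETUP_INFRASTRUCTURE_HOOK,
#   PRE_SETUP_OPENSTACK_HOOK, POST_SETUP_OPENSTACK_HOOK
# Optional: REDEPLOY_EXTRA_SCRIPT, a shell file sourced before run_items.

## Shell Opts ----------------------------------------------------------------
# -e: stop at the first failing command; -u: unset variables are errors.
# pipefail is intentionally not enabled: the gnocchi check below is a
# `grep | grep -q` pipeline, and an early exit of the consumer can leave the
# producer with SIGPIPE, which pipefail would turn into a false negative.
set -e -u

## Main ----------------------------------------------------------------------
# Both libraries are resolved relative to the current working directory, so
# this script must be started from the directory that contains lib/.
# link_release, notice and run_items are presumably provided by
# lib/functions.sh, the *_RELEASE / UPGRADE_UTILS variables by lib/vars.sh.
source lib/vars.sh
source lib/functions.sh

### Set lock file to notate redeploy has started
# Notate that redeploy has started, if it fails midway, it can be
# resumed from the starting script without getting prompted to
# set the version again.
touch /etc/openstack_deploy/upgrade-leap/redeploy-started.complete

### Run the redeploy tasks
# Forget about the old neutron agent container in inventory.
#  This is done to maximize uptime by leaving the old systems in
#  place while the redeployment work is going on.
# TODO(evrardjp): Move this to a playbook, this way it will follow the
# RUN_TASKS model

# The helper is run with SCRIPTS_PATH/MAIN_PATH exported only for that
# command; its path is quoted so an UPGRADE_UTILS value containing spaces
# or glob characters cannot be split into several words.
if [[ ! -f /etc/openstack_deploy/upgrade-leap/neutron-container-forget.complete ]]; then
  SCRIPTS_PATH="/opt/leap42/openstack-ansible-${NEWTON_RELEASE}/scripts" \
    MAIN_PATH="/opt/leap42/openstack-ansible-${NEWTON_RELEASE}" \
      "${UPGRADE_UTILS}/neutron-container-forget.sh"
  # Marker written only after the helper succeeded (set -e aborts otherwise).
  touch /etc/openstack_deploy/upgrade-leap/neutron-container-forget.complete
fi

link_release "/opt/leap42/openstack-ansible-${NEWTON_RELEASE}"
# Ordered list of "playbook [extra args]" entries consumed by run_items.
RUN_TASKS=()

# Pre-setup-hosts hook
if [[ -n ${PRE_SETUP_HOSTS_HOOK+x} ]]; then
  RUN_TASKS+=("$PRE_SETUP_HOSTS_HOOK")
fi

# Setup Hosts
RUN_TASKS+=("openstack-hosts-setup.yml -e redeploy_rerun=true")

# Run the security-hardening playbook in redeployment.
# It is always queued here; opting out is left to the deployer's
# apply_security_hardening setting, which is expected to be honoured by the
# playbook itself rather than by this script.
RUN_TASKS+=("security-hardening.yml")

# Ensure the same pip everywhere, even if requirement met or above
RUN_TASKS+=("${UPGRADE_UTILS}/pip-unify.yml -e release_version=\"${NEWTON_RELEASE}\"")

RUN_TASKS+=("${UPGRADE_UTILS}/db-stop.yml")
RUN_TASKS+=("${UPGRADE_UTILS}/ansible_fact_cleanup.yml")
# Physical host cleanup
RUN_TASKS+=("${UPGRADE_UTILS}/destroy-old-containers.yml")
# Permissions for qemu save, because physical host cleanup
RUN_TASKS+=("${UPGRADE_UTILS}/nova-libvirt-fix.yml")

RUN_TASKS+=("lxc-hosts-setup.yml")
RUN_TASKS+=("lxc-containers-create.yml")

# Post-setup-hosts hook
if [[ -n ${POST_SETUP_HOSTS_HOOK+x} ]]; then
  RUN_TASKS+=("$POST_SETUP_HOSTS_HOOK")
fi

# Pre-setup-infrastructure hook
if [[ -n ${PRE_SETUP_INFRASTRUCTURE_HOOK+x} ]]; then
  RUN_TASKS+=("$PRE_SETUP_INFRASTRUCTURE_HOOK")
fi

# Setup Infrastructure
RUN_TASKS+=("unbound-install.yml")
RUN_TASKS+=("repo-install.yml")
RUN_TASKS+=("${UPGRADE_UTILS}/haproxy-cleanup.yml")
RUN_TASKS+=("haproxy-install.yml")
RUN_TASKS+=("memcached-install.yml")
RUN_TASKS+=("galera-install.yml")
RUN_TASKS+=("rabbitmq-install.yml")
RUN_TASKS+=("etcd-install.yml")
RUN_TASKS+=("utility-install.yml")
RUN_TASKS+=("rsyslog-install.yml")

# MariaDB sync for major maria upgrades and cluster schema sync
RUN_TASKS+=("${UPGRADE_UTILS}/db-force-upgrade.yml")

# Post-setup-infrastructure hook
if [[ -n ${POST_SETUP_INFRASTRUCTURE_HOOK+x} ]]; then
  RUN_TASKS+=("$POST_SETUP_INFRASTRUCTURE_HOOK")
fi

# Pre-setup-openstack hook
if [[ -n ${PRE_SETUP_OPENSTACK_HOOK+x} ]]; then
  RUN_TASKS+=("$PRE_SETUP_OPENSTACK_HOOK")
fi

# Setup OpenStack

RUN_TASKS+=("os-keystone-install.yml")
RUN_TASKS+=("os-glance-install.yml")
RUN_TASKS+=("os-cinder-install.yml")

# The first run will install everything everywhere and restart the nova services
RUN_TASKS+=("os-nova-install.yml")

# This is being run before hand to ensure a speedy service upgrade to maintain running VMs.
#  this also works around an issue where very early versions of libvirt may not be fully
#  replaced on the first run.
RUN_TASKS+=("os-nova-install.yml --limit nova_compute")

RUN_TASKS+=("os-neutron-install.yml")
RUN_TASKS+=("${UPGRADE_UTILS}/neutron-remove-old-containers.yml")

RUN_TASKS+=("os-heat-install.yml")
RUN_TASKS+=("os-horizon-install.yml")
RUN_TASKS+=("os-ceilometer-install.yml")
RUN_TASKS+=("os-aodh-install.yml")

# When gnocchi is configured to store in swift, register its identity
# resources first; the full gnocchi install runs after swift below.
# The glob is intentionally unquoted so both extensions expand.
if grep -rni "^gnocchi_storage_driver" /etc/openstack_deploy/*.{yaml,yml} | grep -qw "swift"; then
  RUN_TASKS+=("os-gnocchi-install.yml -e gnocchi_identity_only=true")
fi

RUN_TASKS+=("os-swift-install.yml")
RUN_TASKS+=("os-gnocchi-install.yml")
RUN_TASKS+=("os-ironic-install.yml")
RUN_TASKS+=("os-magnum-install.yml")
RUN_TASKS+=("os-sahara-install.yml")

RUN_TASKS+=("${UPGRADE_UTILS}/post-redeploy-cleanup.yml")

# Post-setup-openstack hook
if [[ -n ${POST_SETUP_OPENSTACK_HOOK+x} ]]; then
  RUN_TASKS+=("$POST_SETUP_OPENSTACK_HOOK")
fi

# Loads a shell script that can be used to modify
# the RUN_TASKS behavior.
# The file is sourced into this shell, so it runs with this script's
# privileges and may rewrite any variable, RUN_TASKS included; it should
# only ever point at a file the deployer controls.  The path is quoted so
# it is treated as a single file name.
if [[ ${REDEPLOY_EXTRA_SCRIPT:-} ]]; then
    notice "Running extra script before re-deploy"
    source "${REDEPLOY_EXTRA_SCRIPT}"
fi
run_items "${REDEPLOY_OA_FOLDER}"
### Run the redeploy tasks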