{"id":409,"sha1":"045105513db75f0b3bc22a66ee0e853b20d7c8cf","playbook":{"id":4,"items":{"plays":104,"tasks":1377,"results":1365,"hosts":2,"files":504,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":8,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:39:52.478534Z","ended":"2025-12-08T14:14:54.510371Z","duration":"00:35:02.031837","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.3","server_version":"1.7.4","status":"failed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2016, Ian Cordasco\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## Verbosity Options\ndebug: false\n\n# Set the host which will execute the shade modules\n# for the service setup. The host must already have\n# clouds.yaml properly configured.\nbarbican_service_setup_host: \"{{ openstack_service_setup_host | default('localhost') }}\"\nbarbican_service_setup_host_python_interpreter: >-\n {{\n openstack_service_setup_host_python_interpreter | default(\n (barbican_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n }}\n\n# Set the package install state for distribution packages\n# Options are 'present' and 'latest'\nbarbican_package_state: \"{{ package_state | default('latest') }}\"\n\n# Set installation method.\nbarbican_install_method: \"{{ service_install_method | default('source') }}\"\nbarbican_venv_python_executable: \"{{ openstack_venv_python_executable | default('python3') }}\"\n\n# Toggle keystone authentication for barbican\nbarbican_keystone_auth: \"{{ (groups['keystone_all'] is defined) and (groups['keystone_all'] | length > 0) }}\"\n\n## System info\nbarbican_system_group_name: barbican\nbarbican_system_user_name: barbican\nbarbican_system_user_comment: Barbican System User\nbarbican_system_user_shell: /bin/false\nbarbican_system_user_home: \"/var/lib/{{ barbican_system_user_name }}\"\nbarbican_etc_directory: /etc/barbican\n\n# Barbican services info\nbarbican_keystone_listener_enable: false\nbarbican_worker_enable: false\nbarbican_retry_enable: false\n\n# Variable defines barbican store backends configuration. It supports multibackend scenario\n# in case list length > 1. Then additional key global_default should be present, otherwise\n# first element would be set as global default. For multibackend one backend should be set\n# as global_default: True\nbarbican_backends_config:\n software:\n secret_store_plugin: store_crypto\n crypto_plugin: simple_crypto\n\n# Variable defines barbican crypto configuration.\nbarbican_plugins_config:\n simple_crypto_plugin:\n kek: \"{{ barbican_simple_crypto_key | b64encode }}\"\n\n## Service Name-Group Mapping\nbarbican_services:\n barbican-api:\n group: barbican_all\n service_name: barbican-api\n init_config_overrides: \"{{ barbican_init_config_overrides }}\"\n uwsgi_bind_address: \"{{ barbican_service_host }}\"\n uwsgi_port: \"{{ barbican_service_port }}\"\n uwsgi_overrides: \"{{ barbican_uwsgi_init_overrides }}\"\n wsgi_app: true\n wsgi: \"barbican.wsgi.api:application\"\n start_order: 1\n uwsgi_tls: \"{{ barbican_backend_ssl | ternary(barbican_uwsgi_tls, {}) }}\"\n barbican-worker:\n group: barbican_all\n service_name: barbican-worker\n init_config_overrides: \"{{ barbican_init_config_overrides }}\"\n execstarts: \"{{ barbican_bin }}/barbican-worker\"\n condition: \"{{ barbican_worker_enable | bool }}\"\n start_order: 2\n barbican-keystone-listener:\n group: barbican_all\n service_name: barbican-keystone-listener\n init_config_overrides: \"{{ barbican_init_config_overrides }}\"\n execstarts: \"{{ barbican_bin }}/barbican-keystone-listener\"\n condition: \"{{ barbican_keystone_listener_enable | bool }}\"\n start_order: 3\n barbican-retry:\n group: barbican_all\n service_name: barbican-retry\n init_config_overrides: \"{{ barbican_init_config_overrides }}\"\n execstarts: \"{{ barbican_bin }}/barbican-retry\"\n condition: \"{{ barbican_retry_enable | bool }}\"\n start_order: 4\n\n# With `barbican_user_libraries` you can deploy libraries, needed for barbican\n# to interact with third party services like HSM\n# barbican_user_libraries:\n# - src: /etc/openstack_deploy/barbican/libdpod.plugin\n# dest: /opt/barbican/libs/libCryptoki2.so\n# owner: root\n# group: \"{{ barbican_system_group_name }}\"\n# - src: /etc/openstack_deploy/barbican/Chrystoki.conf\n# dest: /opt/barbican/Chrystoki.conf\n# link: /etc/Chrystoki.conf\n\nbarbican_user_libraries: []\n\n## Service Type and Data\nbarbican_service_name: barbican\nbarbican_service_user_name: barbican\nbarbican_service_type: key-manager\nbarbican_service_description: \"OpenStack Key and Secrets Management (Barbican)\"\nbarbican_default_role_names:\n - \"key-manager:service-admin\"\n - creator\n - observer\n - audit\nbarbican_service_role_names:\n - admin\n - creator\n - service\nbarbican_service_token_roles:\n - service\nbarbican_service_token_roles_required: \"{{ openstack_service_token_roles_required | default(True) }}\"\nbarbican_service_region: \"{{ service_region | default('RegionOne') }}\"\nbarbican_service_host: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\nbarbican_service_port: 9311\nbarbican_service_proto: http\nbarbican_service_publicuri_proto: \"{{ openstack_service_publicuri_proto | default(barbican_service_proto) }}\"\nbarbican_service_adminuri_proto: \"{{ openstack_service_adminuri_proto | default(barbican_service_proto) }}\"\nbarbican_service_internaluri_proto: \"{{ openstack_service_internaluri_proto | default(barbican_service_proto) }}\"\nbarbican_service_publicurl: \"{{ barbican_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ barbican_service_port }}\"\nbarbican_service_internalurl: \"{{ barbican_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}\"\nbarbican_service_adminurl: \"{{ barbican_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ barbican_service_port }}\"\n\nbarbican_service_in_ldap: \"{{ service_ldap_backend_enabled | default(False) }}\"\n\nbarbican_init_config_overrides: {}\nbarbican_config_overrides: {}\nbarbican_policy_overrides: {}\nbarbican_paste_overrides: {}\nbarbican_api_audit_map_overrides: {}\nbarbican_vassals_api_overrides: {}\n\n## The git source/branch\nbarbican_git_repo: \"https://opendev.org/openstack/barbican\"\nbarbican_git_install_branch: master\nbarbican_upper_constraints_url: >-\n {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}\nbarbican_git_constraints:\n - \"--constraint {{ barbican_upper_constraints_url }}\"\n\nbarbican_pip_install_args: \"{{ pip_install_options | default('') }}\"\n\n# Name of the virtual env to deploy into\nbarbican_venv_tag: \"{{ venv_tag | default('untagged') }}\"\nbarbican_bin: \"{{ _barbican_bin }}\"\n\n# Database vars\nbarbican_db_setup_host: \"{{ openstack_db_setup_host | default('localhost') }}\"\nbarbican_db_setup_python_interpreter: >-\n {{\n openstack_db_setup_python_interpreter | default(\n (barbican_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n }}\nbarbican_galera_address: \"{{ galera_address | default('127.0.0.1') }}\"\nbarbican_galera_database: barbican\nbarbican_galera_user: barbican\nbarbican_galera_use_ssl: \"{{ galera_use_ssl | default(False) }}\"\nbarbican_galera_ssl_ca_cert: \"{{ galera_ssl_ca_cert | default('') }}\"\nbarbican_galera_port: \"{{ galera_port | default('3306') }}\"\n# NOTE: barbican does not support pool_timeout so it is not set for this role\nbarbican_db_max_overflow: \"{{ openstack_db_max_overflow | default('50') }}\"\nbarbican_db_max_pool_size: \"{{ openstack_db_max_pool_size | default('5') }}\"\nbarbican_db_pool_timeout: \"{{ openstack_db_pool_timeout | default('30') }}\"\nbarbican_db_connection_recycle_time: \"{{ openstack_db_connection_recycle_time | default('600') }}\"\n\n## Oslo Messaging\nbarbican_ceilometer_enabled: \"{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}\"\n\n# RPC\nbarbican_oslomsg_rpc_host_group: \"{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}\"\nbarbican_oslomsg_rpc_setup_host: \"{{ (barbican_oslomsg_rpc_host_group in groups) | ternary(groups[barbican_oslomsg_rpc_host_group][0], 'localhost') }}\"\nbarbican_oslomsg_rpc_transport: \"{{ oslomsg_rpc_transport | default('rabbit') }}\"\nbarbican_oslomsg_rpc_servers: \"{{ oslomsg_rpc_servers | default('127.0.0.1') }}\"\nbarbican_oslomsg_rpc_port: \"{{ oslomsg_rpc_port | default('5672') }}\"\nbarbican_oslomsg_rpc_use_ssl: \"{{ oslomsg_rpc_use_ssl | default(False) }}\"\nbarbican_oslomsg_rpc_userid: barbican\nbarbican_oslomsg_rpc_policies: []\n# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues\n# are not used - vhost name will be prefixed with leading `/`.\nbarbican_oslomsg_rpc_vhost:\n - name: /barbican\n state: \"{{ barbican_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}\"\n - name: barbican\n state: \"{{ barbican_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}\"\nbarbican_oslomsg_rpc_ssl_version: \"{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}\"\nbarbican_oslomsg_rpc_ssl_ca_file: \"{{ oslomsg_rpc_ssl_ca_file | default('') }}\"\n\n# Notify\nbarbican_oslomsg_notify_configure: \"{{ oslomsg_notify_configure | default(barbican_ceilometer_enabled) }}\"\nbarbican_oslomsg_notify_host_group: \"{{ oslomsg_notify_host_group | default('rabbitmq_all') }}\"\nbarbican_oslomsg_notify_setup_host: \"{{ (barbican_oslomsg_notify_host_group in groups) | ternary(groups[barbican_oslomsg_notify_host_group][0], 'localhost') }}\"\nbarbican_oslomsg_notify_transport: \"{{ oslomsg_notify_transport | default('rabbit') }}\"\nbarbican_oslomsg_notify_servers: \"{{ oslomsg_notify_servers | default('127.0.0.1') }}\"\nbarbican_oslomsg_notify_port: \"{{ oslomsg_notify_port | default('5672') }}\"\nbarbican_oslomsg_notify_use_ssl: \"{{ oslomsg_notify_use_ssl | default(False) }}\"\nbarbican_oslomsg_notify_userid: \"{{ barbican_oslomsg_rpc_userid }}\"\nbarbican_oslomsg_notify_password: \"{{ barbican_oslomsg_rpc_password }}\"\nbarbican_oslomsg_notify_vhost: \"{{ barbican_oslomsg_rpc_vhost }}\"\nbarbican_oslomsg_notify_ssl_version: \"{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}\"\nbarbican_oslomsg_notify_ssl_ca_file: \"{{ oslomsg_notify_ssl_ca_file | default('') }}\"\nbarbican_oslomsg_notify_policies: []\n\n## RabbitMQ integration\nbarbican_oslomsg_rabbit_quorum_queues: \"{{ oslomsg_rabbit_quorum_queues | default(True) }}\"\nbarbican_oslomsg_rabbit_stream_fanout: \"{{ oslomsg_rabbit_stream_fanout | default(barbican_oslomsg_rabbit_quorum_queues) }}\"\nbarbican_oslomsg_rabbit_transient_quorum_queues: \"{{ oslomsg_rabbit_transient_quorum_queues | default(barbican_oslomsg_rabbit_stream_fanout) }}\"\nbarbican_oslomsg_rabbit_qos_prefetch_count: \"{{ oslomsg_rabbit_qos_prefetch_count | default(barbican_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}\"\nbarbican_oslomsg_rabbit_queue_manager: \"{{ oslomsg_rabbit_queue_manager | default(barbican_oslomsg_rabbit_quorum_queues) }}\"\nbarbican_oslomsg_rabbit_quorum_delivery_limit: \"{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}\"\nbarbican_oslomsg_rabbit_quorum_max_memory_bytes: \"{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}\"\n\n# Keystone AuthToken/Middleware\nbarbican_keystone_auth_plugin: password\nbarbican_service_project_domain_id: default\nbarbican_service_user_domain_id: default\nbarbican_service_project_name: service\n\n# uwsgi configuration vars\nbarbican_wsgi_processes_max: 16\nbarbican_wsgi_processes: >-\n {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, barbican_wsgi_processes_max] | min }}\nbarbican_wsgi_threads: 1\nbarbican_uwsgi_tls:\n crt: \"{{ barbican_ssl_cert }}\"\n key: \"{{ barbican_ssl_key }}\"\n\n# Memcached override\nbarbican_memcached_servers: \"{{ memcached_servers }}\"\n\n# packages required to run the barbican service\nbarbican_pip_packages:\n - \"git+{{ barbican_git_repo }}@{{ barbican_git_install_branch }}#egg=barbican\"\n - osprofiler\n - PyMySQL\n - pymemcache\n - python-memcached\n - systemd-python\n\nbarbican_user_pip_packages: []\n\nbarbican_uwsgi_init_overrides: {}\n\n###\n### Backend TLS\n###\n\n# Define if communication between haproxy and service backends should be\n# encrypted with TLS.\nbarbican_backend_ssl: \"{{ openstack_service_backend_ssl | default(False) }}\"\n\n# Storage location for SSL certificate authority\nbarbican_pki_dir: \"{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}\"\n\n# Delegated host for operating the certificate authority\nbarbican_pki_setup_host: \"{{ openstack_pki_setup_host | default('localhost') }}\"\n\n# barbican server certificate\nbarbican_pki_keys_path: \"{{ barbican_pki_dir ~ '/certs/private/' }}\"\nbarbican_pki_certs_path: \"{{ barbican_pki_dir ~ '/certs/certs/' }}\"\nbarbican_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}\"\nbarbican_pki_regen_cert: \"\"\nbarbican_pki_san: \"{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}\"\nbarbican_pki_certificates:\n - name: \"barbican_{{ ansible_facts['hostname'] }}\"\n provider: ownca\n cn: \"{{ ansible_facts['hostname'] }}\"\n san: \"{{ barbican_pki_san }}\"\n signed_by: \"{{ barbican_pki_intermediate_cert_name }}\"\n\n# barbican destination files for SSL certificates\nbarbican_ssl_cert: /etc/barbican/barbican.pem\nbarbican_ssl_key: /etc/barbican/barbican.key\n\n# Installation details for SSL certificates\nbarbican_pki_install_certificates:\n - src: \"{{ barbican_user_ssl_cert | default(barbican_pki_certs_path ~ 'barbican_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n dest: \"{{ barbican_ssl_cert }}\"\n owner: \"{{ barbican_system_user_name }}\"\n group: \"{{ barbican_system_user_name }}\"\n mode: \"0644\"\n - src: \"{{ barbican_user_ssl_key | default(barbican_pki_keys_path ~ 'barbican_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n dest: \"{{ barbican_ssl_key }}\"\n owner: \"{{ barbican_system_user_name }}\"\n group: \"{{ barbican_system_user_name }}\"\n mode: \"0600\"\n\n# Define user-provided SSL certificates\n# barbican_user_ssl_cert: \n# barbican_user_ssl_key: \n","created":"2025-12-08T13:39:54.930491Z","updated":"2025-12-08T13:39:54.930522Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_barbican/defaults/main.yml"}