OpenStack-Ansible role for Zookeeper deployment¶
This role installs a Zookeeper cluster that is part of OpenStack infratructure and used as a coordination service by multiple services through Tooz.
To clone or view the source code for this repository, visit the role repository for zookeeper.
To install role requirements, please run
ansible-galaxy install -r requirements.yml
Default variables¶
# Define zookepeer version and download URI
zookeeper_download_version: 3.9.3
zookeeper_download_version_checksum: >-
sha512:d44d870c1691662efbf1a8baf1859c901b820dc5ff163b36e81beb27b6fbf3cd31b5f1f075697edaaf6d3e7a4cb0cc92f924dcff64b294ef13d535589bdaf143
zookeeper_download_url: >-
https://archive.apache.org/dist/zookeeper/zookeeper-{{ zookeeper_download_version }}/apache-zookeeper-{{ zookeeper_download_version }}-bin.tar.gz
# Define zookeeper clustering option
zookeeper_cluster_members: "{{ groups['zookeeper_all'] }}"
# The first port is used by followers to connect to the leader
# The second one is used for leader election
zookeeper_cluster_peer_ports: 2888:3888
# This variable is used to define what fact which will be taken out of
# hostvars for each cluster member as it's address
zookeeper_cluster_address_hostvars_key: "ansible_host"
# Ports and TLS
zookeeper_client_port: 2181
zookeeper_secure_client_port: 2281
zookeeper_ssl_client_enable: True
zookeeper_ssl_quorum_enable: True
zookeeper_ssl_protocols:
- TLSv1.2
- TLSv1.3
# Storage location for SSL certificate authority
zookeeper_pki_dir: "{{ openstack_pki_dir | default('/etc/pki/zookeeper-ca') }}"
# Delegated host for operating the certificate authority
zookeeper_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# Create a certificate authority if one does not already exist
zookeeper_pki_create_ca: "{{ openstack_pki_authorities is not defined | bool }}"
zookeeper_pki_regen_ca: ''
zookeeper_pki_authorities:
- name: "ZookeeperRoot"
country: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
cn: "Zookeeper Root CA"
provider: selfsigned
basic_constraints: "CA:TRUE"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
- name: "ZookeeperIntermediate"
country: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
cn: "Zookeeper Intermediate CA"
provider: ownca
basic_constraints: "CA:TRUE,pathlen:0"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
signed_by: "ZookeeperRoot"
# Installation details for certificate authorities
zookeeper_pki_install_ca:
- name: "ZookeeperRoot"
condition: "{{ zookeeper_pki_create_ca }}"
# Zookeeper server certificate
zookeeper_pki_keys_path: "{{ zookeeper_pki_dir ~ '/certs/private/' }}"
zookeeper_pki_certs_path: "{{ zookeeper_pki_dir ~ '/certs/certs/' }}"
zookeeper_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ZookeeperIntermediate') }}"
zookeeper_pki_intermediate_cert_path: >-
{{ zookeeper_pki_dir ~ '/roots/' ~ zookeeper_pki_intermediate_cert_name ~ '/certs/' ~ zookeeper_pki_intermediate_cert_name ~ '.crt' }}
zookeeper_pki_regen_cert: ''
zookeeper_pki_certificates:
- name: "zookeeper_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ hostvars[inventory_hostname][zookeeper_cluster_address_hostvars_key] }}"
san: "{{ 'DNS:' ~ ansible_facts['fqdn'] ~ ',IP:' ~ ansible_host }}"
signed_by: "{{ zookeeper_pki_intermediate_cert_name }}"
condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
key_format: pkcs8
# Installation details for SSL certificates
zookeeper_pki_install_certificates:
- src: "{{ zookeeper_user_ssl_cert | default(zookeeper_pki_certs_path ~ 'zookeeper_' ~ ansible_facts['hostname'] ~ '.crt') }}"
dest: "{{ zookeeper_ssl_cert }}"
owner: "{{ zookeeper_system_user_name }}"
group: "{{ zookeeper_system_group_name }}"
mode: "0644"
condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
- src: "{{ zookeeper_user_ssl_key | default(zookeeper_pki_keys_path ~ 'zookeeper_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ zookeeper_ssl_key }}"
owner: "{{ zookeeper_system_user_name }}"
group: "{{ zookeeper_system_group_name }}"
mode: "0600"
condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
- src: "{{ zookeeper_user_ssl_ca_cert | default(zookeeper_pki_intermediate_cert_path) }}"
dest: "{{ zookeeper_ssl_ca_cert }}"
owner: "{{ zookeeper_system_user_name }}"
group: "{{ zookeeper_system_group_name }}"
mode: "0644"
condition: "{{ zookeeper_ssl_client_enable or zookeeper_ssl_quorum_enable }}"
zookeeper_ssl_cert: "{{ zookeeper_config_dir }}/certs/certs/zookeeper.crt"
zookeeper_ssl_key: "{{ zookeeper_config_dir }}/certs/private/zookeeper.key"
zookeeper_ssl_ca_cert: "{{ zookeeper_config_dir }}/certs/certs/zookeeper-ca.crt"
zookeeper_ssl_keystore_location: "{{ zookeeper_config_dir }}/certs/private/zookeeper.pem"
zookeeper_ssl_truststore_location: "{{ _zookeeper_ssl_truststore_location }}"
zookeeper_ssl_client_auth: want
zookeeper_ssl_quorum_client_auth: need
# Define operating system user/group names
zookeeper_system_user_name: zookeeper
zookeeper_system_group_name: zookeeper
zookeeper_system_comment: zookeeper system user
zookeeper_system_shell: /bin/false
zookeeper_system_user_home: /var/lib/zookeeper
zookeeper_file_zoo_conf_mode: "0644"
zookeeper_config_dir: "/etc/zookeeper"
zookeeper_data_dir: "{{ zookeeper_system_user_home }}"
zookeeper_data_log_dir: "{{ zookeeper_data_dir }}/log"
zookeeper_file_myid_dest: "{{ zookeeper_data_dir }}/myid"
# Set the package install state for distribution packages
zookeeper_package_requirements: "{{ _zookeeper_package_requirements }}"
zookeeper_package_state: "{{ package_state | default('latest') }}"
# autopurge configuration
# Amount of most recent snapshots and the corresponding transaction logs to keep
zookeeper_snap_retain_count: 3
# The time interval in hours for which the purge task has to be triggered
zookeeper_purge_interval: 1
# Service configuration
zookeeper_service:
name: zookeeper
execstarts: "/opt/zookeeper/bin/zkServer.sh --config {{ zookeeper_config_dir }} start-foreground"
execstops: "/opt/zookeeper/bin/zkServer.sh --config {{ zookeeper_config_dir }} stop"
zookeeper_init_config_overrides: {}
zookeeper_commands_whitelist:
- stat
- ruok
- isro
- envi
zookeeper_prometheus_enable: False
zookeeper_prometheus_port: 7000
Example playbook¶
---
- name: Install zookeeper cluster
hosts: zookeeper_all
become: yes
vars:
management_address: "{{ ansible_host }}"
roles:
- role: zookeeper
tags:
- zookeeper