Currently, file /etc/systemd/resolved.conf.d/openstack-ansible.conf has
incorrect format and is being ignored:
```
systemd-resolved[740]:
/etc/systemd/resolved.conf.d/openstack-ansible.conf:2:
Missing '=', ignoring line.
```
Change-Id: I23529b0dd032cbb6ba59acc3d3b668c06847da08
This has not had any practical use for several releases and mostly
carries copies of ansible facts. Remove the variable and use the
facts directly.
Change-Id: I1d2be9d07b38eaf2b737819c451a0d2339f723d0
Rather than edit resolv.conf, use the recommended method of
operation for systemd-resolved and configure the dns server
through a resolved drop-in.
Change-Id: I1b08a45ccced87ecd200f3e7294165e922df39ff
debootstrap uses http for it's apt config so can function without
the certificates from ca-certificates being installed.
The debian bookworm cloud image defaults to using https for the
apt repo urls, so unless the ca-certificates package is present
no more apt operations can be done once the apt configuration is
synchronised from the host to the container image.
Installing ca-certificates during the initial debootstrap avoids
the issue of not being able to install ca-certificates due to failed
SSL verification.
Change-Id: Ia78429eaf4bd71a8f3509c4e484f7dd02574c6b1
Debian bookworm needs the sources.list.d and mirrors directory
syncing to the container image to result in a working apt config.
Change-Id: I0c62340e7868948d9c55c96559ddafadf8cb7db1
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
This is a follow-up change to [1].
[1] https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/888180
Change-Id: I2564e3dcb2efad8f6a2ed21bec61668c1b6f6209
Sometimes there could be intermittent issues on some of the
mirrors that would be picked while building the base image.
In order to increases chances of image to build, we add a retries
to increase chances to pick properly synced mirror.
Change-Id: I5546ee71cce4f4b40fbd1d38d5d49586606bbbda
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Change-Id: If6171be3d649f6e7dd26decf1460d45775bd5f9e
Right now we write output of `date -d @{{ timestamp }} to
the expiry file, and then attempt to comapre with timestamp.
However, output of `date -d` is datetime and not timestamp,
so these 2 things can not be properly compared. So image cache
was valid forever.
Change-Id: I42f5b43f09d3c530813dd7fd334eafce7a5eaf39
This patch aims to handle creation of OVS bridge if
`lxc_net_bridge_type` is set to `openvswitch`. That will finalize path
when deployer prefers to have OVS as the only bridge provider and do not
use LXB for any bridges.
Change-Id: Idd7a6eecf718df7fd8b4ae008f7dc00e42e8c32c
With tox release of 4.0, some parameters were deprecated and are ignored now
which causes tox failures. One of the most spread issues we have is using
`whitelist_externals` isntead of `allowlist_externals`
Change-Id: I4967f301398621ae6e7b47b22d9a4d52037f6a3b
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I80855ac314edcb193375976c86ac6001fac83ff3
Tar is required for LXC to create base container using lxc-create. When
it's absent lxc-create exits with code 1 without any output on this
task [1]
[1] ef721dbf13/tasks/lxc_cache_create.yml (L71)
Change-Id: Ic54d160c7329aebb7769c407d3af7b0f66145bcc
These are needed universally in the service container images so
install them into the base image to save build time later.
Change-Id: Ia51329110ffa2c634799544ac6c7b7f2016369a5
This change adds a new role default option which will allow operators
to omit the deployment of specific lxc bridge network config. This
change is being implemented because, as an operator, I have a host
setup specifically built for OpenStack which includes an interface
config covering the lxc deployment. Currently when running a deployment
the role will attempt to deploy a new interface file which at best
conflicts with the host setup and at worst fails to run due to the
interface being in a state unknown to OSA.
The new config option `lxc_net_managed` is default **true** keeping
the existing expectations, but when set to **false** the role will
no longer deploy an interface file or attempt to bring up the interface
using the distro tools.
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Icdf4a1f5ff98dc1b86c6a87ea4e606b7c74e1aac
We also leverage systemd-networkd for managing lxc-net and replace
using of custom service template for lxc-dnsmasq service with our
systemd-service role. These changes are quite tighten together, so
it's quite hard to split them in different patchsets.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/861350
Change-Id: I5ac99e2b6c6e6ccd9da18ae68e1f8801f95f4f4e
aria2c and systemd-proxy templates exists but they are not referenced
and used by playbooks nowadays. Thus, we can safely remove them
Change-Id: I5223138aa7e50c92531076fe7764f204bfec3e24
Since ansible 2.8 it's possible to provide policy_rc_d attribute to the
apt module in order to avoid service restart on installation/upgrade
Change-Id: I299605bb5735cd510a82490a710ef6fae98bfafa
This line snuck in with Icfa97babeb7034cab623aca883bb83d5a07f7233
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: Ifa5d05a70988962e2bce8538204ddd3131ad6003
Instead of overriding this value everywhere, it's easier to
define it from the start to the value we want. In this case,
we want to define it to "present", while still being
overridable.
Change-Id: If9db9aec4b48d2118aae0f2ef611f0e044d63fb3
As of today, each lxc-utils update would lead to restart of all
containers. At the same time this might be unwanted behaviour, as
if it's run without limit, all cluster members inside containers can
go down at the same time.
In order to prevent that, we place policy-rc.d file that will simply
quit with 101 code `action forbidden by policy` on service restart
attempt.
Change-Id: I9140b7ab9f9266fcf4fe800e4610497f2324df4e
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None valuable is not valid and should
not be used.
Change-Id: I5f7244ed81d9ab87e23654d881d976bc4faa2960
Inside a chroot, phased updates are disabled [1]. This means that
the container base image always gets the latest packages regardless
of what is happening with the phasing.
At runtime, the default in Ubuntu releases 21.04 and onward is to
obey the package phasing information. This means that packages
inside the OSA built container image can be newer than the installation
candidates once the container is running, leading to installation
errors. This is particularly sensitive with source packages such as
systemd where there is a very tight version coupling between
all components leading to only one valid installation candidate.
This patch creates apt config inside the container base image to
always install the latest package version regardless of phasing.
There does not seem to be any alternative, as phasing is always
disabled during the debootstrap.
[1] https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345
Change-Id: Ia558e3aa1447220016c53349cf9dac0b822d06f4
Remove installation of aria2 everywhere as we no longer download
lxc images but build them locally.
Change-Id: I5eba0b1f08cfe23998cf1116bb017e8a8ef0bb72
NFV repo is supposed to be installed using system packages, as it should
also contain nfvsigdist variable for yum.
So avoid issue with yum update at this step we drop the repo that was
copied from host.
As alternative approach, we can drop copying yum.repos.d at all, but this
can lead to an unexpected results.
Change-Id: Ia5041c7d855a9e988afc4c2a0d16fdeb6a9c357f
This is needed to ensure that systemd-tmpfiles-setup service
is present, which is used to create /dev/fuse in centos containers
in other parts of the osa-gluster patch series.
Change-Id: I6a6401debad4937eb9f6a5be31c8cee42d7035cd