In order to force the requests module inside venvs to trust system-trusted
certificate authorities, we need to define an environment variable
that provides the full path to the CA file. Otherwise the certifi-provided file
will be used, which can't be updated with new CAs once they're added
to the system trust store.
Change-Id: I79446813602ae094bb788d3c29654fb814ec19a8

There has been one confirmed denial-of-service against the opendev
git servers due to an openstack-ansible deployment failing to
correctly use cached wheels from the repo server and instead clone
and build the source code for each openstack service on each target
host.
Whilst we wait for further information to understand the root cause
of that DOS, it is possible to adjust the user-agent that git uses
on a per-domain basis.
A previous patch [1] creates a user-agent string very early during
the setup of a deployment host, or all-in-one environment, but not
any other nodes in a multinode environment. This patch addresses
creating /etc/gitconfig for all hosts in a multinode environment.
If git is not installed on a host (which would be the default state
for hosts other than the deploy host and repo server) a placeholder
/etc/gitconfig is written in case later in the deployment the
python_venv_build role installs git and clones openstack services
from source code to install into a venv without use of the repo
server container. The repo server should normally clone once for
each service deployed for the whole environment.
The user-agent, where possible, contains the git version string,
the openstack-ansible version string and the OSA 'component' to
aid understanding traffic patterns seen at the opendev.org git servers.
[1] https://review.opendev.org/c/openstack/openstack-ansible/+/786596
Change-Id: I4f82bb1a08d01f30c45444f52db357e47245fe31

This patch aims to simplify generation of hosts
file content as it's now generated purely with ansible.
As a result, upgrade jobs should be fixed afterwards.
Change-Id: I7961115f215153515ba3f3a00bbbeeb9fb4568f1

This patch removes a task which adds an entry to /etc/hosts for
the hostname / 127.0.1.1.
Some services, such as rabbitmq, require that the ip address they
are configured to listen on resolves to a hostname with the same
ip. Before this patch there were two /etc/hosts entries for the
hostname of each host, 127.0.1.1 and the mgmt network address.
This patch ensures that the /etc/hosts file is unambiguous and
always resolves the hostname to the mgmt network ip address.
Change-Id: I5c9bf4cd0a3a416447f6f1797df4657402a64382

Zypper uses the concept of "vendor stickiness" and will refuse to
upgrade packages that require a vendor change. This change introduces
a new override variable to instruct zypper to view a list of vendors
as equivalent.
Change-Id: Ib3412b02f1edf9aae03cd5478ac2310cce3f2e8a
Signed-off-by: Nicolas Bock <nicolas.bock@suse.com>

inventory_hostname is the ansible alias of the host. It may be
equal to the hostname in most cases, but can also be a short alias for
convenience.
ansible_hostname is the discovered hostname, i.e. the real hostname.
It makes more sense to use the real hostname to construct the fqdn
and use inventory_hostname as an alias.
Change-Id: If980f67da27035aa81b554ef59dedaf5a34357f4

In Ansible 2.5, the stat module moves calculating md5 checksums of files
to the 'checksum_algorithm' option and 'checksum' return value.
To retain compatibility with both current and new versions of Ansible,
use the default checksum algorithm, sha1, instead.
Change-Id: I6e606193f66a4f4c6c70eceee8eeaef05a099f26

A hosts line may contain tabs instead of spaces and the '\ .*' regexp
doesn't match in that case. As such, we can improve the regexp to simply
look for any character after matching the address word. This fixes the
following problem when an entry with a tab exists in the file:

    ~$ cat -Et /etc/hosts|head -n1
    127.0.0.1^Ilocalhost$

The entry is not updated by the script, leading to the following problem:

    fatal: [localhost]: FAILED! => {
        "assertion": "'127.0.1.1 localhost.openstack.local localhost' in hosts_content",
        "changed": false,
        "evaluated_to": false
    }
Change-Id: I23d22cbf4317a3c9228bcdb6b3e9e6c2238fcfb7

We currently have spread out package/host management to multiple
roles, sometimes repeating ourselves in the process (see
pip_install and openstack_hosts overlap)
That is against Ansible principles, and we should have one role
that configures the minimum (to run openstack), applying it to
all the nodes, maybe behaving slightly differently depending on
some parameters. Here that parameter is if the host is a container
or not. If the host is a container, all the physical host
configuration (kernel and sysctl) is skipped, the
rest of the configuration (packages/repos) still applies.
This needed a refactor to split the tasks into those two groups
while remaining efficient and avoiding multiple back and forth
of package installs/removal. For that last point, new default
variables were introduced, allowing overrides per host/group.
A node now member of a group x can now directly use this role
to setup all its necessary repos and keys.
Last, but not least, this override mechanism can now easily
trigger pip_install role, which can from now on, be removed
from every role. On top of that pip_install role can now
remove its repo management, and focus on installing pip on
hosts that don't have a proper version of pip installed.
Change-Id: Ibf145e561c80a12055bd4d5dca3914c4d495a748

Using lineinfile for writing kernel modules is tedious and usually
takes 10-12 seconds each time. This method takes about 1 second.
Change-Id: Ide4bfb87f375bc80f9dce2208717b6050004a942

Add support for SUSE based distributions. We also mark CentOS7 as
a supported distribution. Finally, we update the bindep.txt, run_tests.sh
and Vagrantfile files from the openstack-ansible-tests repository.
Change-Id: I9986dadbc690344bad68ca23a1cb30aec92cb7ef

Currently the entire environment file is replaced,
which may remove any existing configuration on the
hosts including any pre-existing proxy configurations
and anything else the deployer may have put there.
This method replaces it with an additive process which
respects pre-existing content, but still allows the
global_environment_variables variable changes to be
fully reflected in the resulting environment file.
Change-Id: Ida3897f2553491913a3183e67b6503bed5281d5e

The hostfile update script is currently being generated on the
deployment host and copied to all other hosts within an environment.
This is resulting in the 127.0.1.1 entry always containing the hostname
of the deployment host.
Instead, generate a temporary file for the script locally which
pre-populates all shared hosts entries and use that as a template for
assigning the 127.0.1.1 entry on each remote host.
Change-Id: Ia5e375772cab76c748cca058ae7d7944e7528020
Closes-Bug: #1657568

Downstream deployers may want not to deploy the
/etc/openstack-release file, or to customise the
contents.
This patch makes the file drop optional, but also
makes the contents more configurable.
Change-Id: I549a23f2f08dfb97ca8daa36f00437d927de30a5

When upgrading from a /etc/hosts file created before commit
ae02667b84 the old entries were not
removed on the first run. The hostname generation had to be run again to
remove them.
Reordering the if statement ensures that existing entries are changed
instead of adding new entries for the same IP address and that
duplicate entries are removed in all cases.
Change-Id: I2a21d13310b457e91a090541ae7f02f974413965

In order to be able to use become: yes to execute commands with ansible
the requiretty option needs to be disabled on centos.
Change-Id: Ifbba7153cf7d3d97daf86106c1f027787d76e865

template sysstat cron for centos
only install /etc/default/sysstat on ubuntu
/etc/default/sysstat only configures debian-sa1 which is not on centos
introduce 2 vars :
openstack_host_sysstat_file
openstack_host_cron_template
Change-Id: Ib4fde6e4b9d3ce23524a5b5a17dbf15065bbeb4c

The LVM configuration tasks/template are no longer needed in the
openstack_hosts role since they're already in the os_cinder role.
This patch removes the tasks and the lvm.conf template.
Partial-bug: 1615325
Change-Id: I09b2cd9a1eee9f8310783b7d6468963b21fee322

The change simply adds a more complete hostname within the
"/etc/hosts" file for all nodes within inventory which
ensures all hosts are reachable and have a proper host entry
for itself and all other hosts. Additionally the hostname
insert script has been made idempotent and tests have been
added to ensure functionality.
Partial-Bug: #1577245
Change-Id: Ib1e3b6f02758906e3ec7ab35737c1a58fcbca216
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

Include the space after the IP address in the match string to avoid
matching IP addresses which only differ in an additional digit at the end.
With the previous logic an entry for 10.1.1.1 would also delete entries
for 10.1.1.12 or 10.1.1.123.
Change-Id: I797ff261630f4115b3852138c19eb039303e27c6
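
The two hosts-file matching problems described in the commit messages on this page (an address matched as a bare prefix, so that 10.1.1.1 also hits 10.1.1.12, and a tab-separated entry missed by a pattern that expects a space), as an added shell example that is not the role's own script. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the openstack_hosts script. All names are hypothetical.

# Constructed sample: one tab-separated entry and three addresses that
# share the prefix 10.1.1.1.
make_sample() {
    printf '127.0.0.1\tlocalhost\n'  > "$1"
    printf '10.1.1.1 infra1\n'      >> "$1"
    printf '10.1.1.12 compute1\n'   >> "$1"
    printf '10.1.1.123 compute2\n'  >> "$1"
}

# Bare-prefix match: also counts 10.1.1.12 and 10.1.1.123.
count_prefix_match() { grep -c "^$2" "$1" || true; }

# Address plus a literal space: exact, but blind to tab-separated entries.
count_space_match() { grep -c "^$2 " "$1" || true; }

# Compare the whole first field; awk splits on spaces and tabs alike.
count_field_match() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# Replace every entry for IP with a single line, or append one if absent.
# Running it twice leaves the file unchanged (idempotent).
update_hosts_entry() {
    file=$1; ip=$2; shift 2
    tmp=$(mktemp) || return 1
    awk -v ip="$ip" -v line="$ip $*" '
        $1 == ip { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo on a temporary copy of the constructed sample.
demo=$(mktemp)
make_sample "$demo"
echo "prefix: $(count_prefix_match "$demo" 10.1.1.1)" \
     "space: $(count_space_match "$demo" 127.0.0.1)" \
     "field: $(count_field_match "$demo" 127.0.0.1)"
rm -f "$demo"
```
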
This change makes the host file prep and setup a lot faster
especially when deploying against very large clusters. The
change moves away from the lineinfile module and instead generates
a script with the same capabilities and then executes the script.
The generated script is stored locally on the remote host
at "/usr/local/bin/openstack-host-hostfile-setup.sh" and can be
executed at any time to fix and/or clean up host file problems.
Change-Id: Idca583deb403fce2b15a3dbc6255bb3bf92d9446
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

openstack_hosts role uses global_environment_variable for
creating its environment.j2. If the variable is not defined
the templating will fail.
This should fix it.
Change-Id: I891e99fd624589ee36d6ce4892c835fa5ece9671

The existing lineinfile implementation is buggy when changing and removing
entries from the global_environment_variables dict.
Change-Id: Ic9899b1a4a72e72d0bac26eb8f650681186332e1
Partial-Bug: #1573131

Sysstat won't enable unless the ENABLED switch has been set to true.
Passing openstack_host_sysstat_enabled as true inside jinja will end
up as a "True" value inside the /etc/default/sysstat rather than the
expected "true" value and sysstat won't start.
The added jinja filter lower will make sure that the boolean is always
stored in lower case.
Additionally openstack_host_systat_enabled was renamed to
openstack_host_sysstat_enabled to better reflect the dependency to sysstat
Change-Id: I6361433f990f96ca37dac7055062c17c2940bf70
Closes-Bug: #1530979

The change moves the role out from the main openstack-ansible
repository and into its own standalone repository.
Items within this change:
* The role has been updated to ensure it runs standalone.
* Tests added to the role within tox.
* Functional tests added to the role that can either be run
via the run_tests.sh script or using tox.
* dev requirements have been updated for testing use cases.
* Docs added to both the README.rst file as well as the docs
folder.
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>