The default value of `Restart` for any service whose type is not `oneshot` is
`on-failure`. While this suits most use cases, it leads to unexpected
consequences for cinder-purge-deleted.service.
In case there are historical inconsistencies in the database which
make it impossible to flush deleted volumes from the database
(i.e. due to prior manual intervention), cinder-manage exits with code 1,
which triggers systemd to restart the service and attempt the cleanup again.
The troublesome part is the transactional behaviour of the script. Each
run locks records inside a transaction that fails and is rolled back, in
a loop with a 2-second delay. This not only puts unnecessary load on the
database itself, but also causes deadlocks during volume operations,
which are not retried and fail with a 500 return code in cinder-api.
Changing `Restart` to `on-abnormal` will leave the service in a failed
state, and systemd won't attempt to restart it.
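The resulting unit behaviour can be sketched as the following drop-in override (the unit name comes from this change; the rest of the unit is managed by the systemd_service role):

```ini
# /etc/systemd/system/cinder-purge-deleted.service.d/override.conf (sketch)
[Service]
# Restart only on signals, timeouts and watchdog failures,
# not on a clean-but-non-zero exit such as cinder-manage exiting with 1.
Restart=on-abnormal
```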
Change-Id: Ib091cc11a16fcd31ef351d9ec21d070d25829791
With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with the linter rules, we are applying changes to the role.
With that we also update the metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I671cc35a055b35fb249ad3054c45ec65f2b54ab4
We're adding a service that is responsible for executing the DB purge.
The service will be deployed by default, but left
stopped/disabled. This way we allow deployers to enable or disable the
feature by changing the value of cinder_purge_deleted.
Otherwise, once the variable is set to true, setting it back to false
would not stop the DB trimming, and the timer would need to be
stopped manually.
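A minimal sketch of how a deployer would toggle the feature (the variable name comes from this change; the file location is the usual OpenStack-Ansible override file):

```yaml
# /etc/openstack_deploy/user_variables.yml (sketch)
# Enable the periodic purge of soft-deleted records from the cinder DB:
cinder_purge_deleted: true
```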
Change-Id: Ic5ae8c778bff2858fcb31c85d4b910805e452c3f
By overriding the variable `cinder_backend_ssl: True`, HTTPS will
be enabled, disabling HTTP support on the cinder backend API.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
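A sketch of the deployer-facing override, assuming the usual OpenStack-Ansible user_variables.yml location:

```yaml
# /etc/openstack_deploy/user_variables.yml (sketch)
# Serve the cinder backend API over HTTPS only; the required TLS
# certificates are generated via ansible-role-pki when this is enabled.
cinder_backend_ssl: True
```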
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ib682499e900071db38cc2fd7c30822d0c33dba38
Online migrations are supposed to be executed once services are
upgraded and restarted after the upgrade. They can then be run at any
point before the next upgrade, according to the doc [1].
So we move them to a separate file that is executed after all services
are upgraded and handlers are flushed. The tasks are delegated to API
hosts, and we clean up facts for them as well.
[1] https://docs.openstack.org/cinder/latest/admin/upgrades.html#database-upgrades
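A sketch of the delegated task (the task wording and the `cinder_bin` path are illustrative; the command itself is the documented cinder upgrade step):

```yaml
# Sketch: run online data migrations once, delegated to an API host.
- name: Perform online data migrations
  command: "{{ cinder_bin }}/cinder-manage db online_data_migrations"
  become: true
  become_user: cinder
  run_once: true
  delegate_to: "{{ groups['cinder_api'][0] }}"
  changed_when: false
```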
Change-Id: Ic3ecdddd7dcc2dd617c8606278590c8e59230fdf
At the moment we don't restart services if the systemd unit file is changed.
We knowingly prevent the systemd_service role handlers from executing
by providing `state: started`, as otherwise the service would be restarted twice.
With that, we now ensure that the role handlers will also listen for systemd
unit changes.
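The pattern can be sketched as follows (task, handler and file names are illustrative, not the role's exact ones):

```yaml
# tasks/main.yml (sketch): notify a topic instead of restarting in-place
- name: Place systemd unit file
  template:
    src: cinder-volume.service.j2
    dest: /etc/systemd/system/cinder-volume.service
  notify: systemd service changed

# handlers/main.yml (sketch): the restart handler listens for that topic
- name: Restart cinder services
  service:
    name: cinder-volume
    state: restarted
    daemon_reload: true
  listen: systemd service changed
```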
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879671
Change-Id: I8140add1a4e4fdacee89bd29bd2e3c87eff0953a
We used rsync to synchronize filters from rootwrap.d. However, with
smart-source that is not needed anymore, since /etc/cinder is simply
a symlink to the source directory of rsync. We still need os-brick
rootwrap linkage though.
Change-Id: Ib1571c5be67155b584c412da8336de49bc80d948
As the cinder code changes, we can potentially break some backends.
In order to detect this in time, we are adding ceph and nfs scenarios.
We also fix the lvm backend for use on Red Hat.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/859339
Change-Id: Ifceb2b816199339ec7725bd95cc890595eed95d9
This line was introduced by I21f84809c44ac4be0165fadfb8da67bbcbc9b05c
for centos-7 support, and should already be covered by the
distribution_major_version line above.
Change-Id: I5d5f84b84de35763024709212e0673607127e264
The role was never migrated to use the haproxy-endpoints role,
and the included task was used instead the whole time.
With that, to reduce complexity and to have a unified approach, all mentions
of the role and its handler are removed from the code.
Change-Id: I0c055393ccb1c8d61affc2c1bb6d01f0c329afe9
Implement support for service tokens. For that we convert
role_name to a list, along with renaming the corresponding variable.
Additionally, service_type is now defined for keystone_authtoken, which
makes it possible to validate tokens with restricted access rules.
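The resulting cinder.conf section can be sketched as follows (option names come from keystonemiddleware; the exact values the role renders may differ):

```ini
# cinder.conf (sketch)
[keystone_authtoken]
# Lets the middleware validate tokens scoped by access rules:
service_type = block-storage
# Roles accepted on the service token (a list in the role variable):
service_token_roles = service
service_token_roles_required = True
```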
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I1d0156a2ad829aa730419e1d9dfa1cd49026a6be
Related-Bug: #1948456
Always fetch config files, as this is treated as a safe operation.
On top of that, handle the case when there's no local config specified.
Change-Id: I5f5f36da96672679d6801c2a52c58d86657ca612
According to our playbook, the role runs against API hosts last, after the
scheduler, volume and backup services are already set up.
This makes a difference only when cinder-scheduler and cinder-api are
deployed to different targets.
Change-Id: I18f68b5cb9dd60d9cf72850e840d0459e1245b76
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
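A sketch of the pattern, with the candidate filenames as an assumption for illustration:

```yaml
# Sketch: restrict variable lookup to this role's own vars/ directory,
# so a parent role's higher-priority vars file can never be picked up.
- name: Gather variables for each operating system
  include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      files:
        - "{{ ansible_facts['distribution'] | lower }}.yml"
        - "{{ ansible_facts['os_family'] | lower }}.yml"
      paths:
        - "{{ role_path }}/vars"
```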
Change-Id: I5c50529b5e73bac6094c203d49a32497c7a388c3
Since we still use ceph-ansible, which has its own implementation of
the config_template module, it's worth using the mentioned module as a
collection explicitly.
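In practice that means calling the module by its fully qualified collection name, e.g. (a sketch with illustrative src/dest paths, assuming the collection is published as openstack.config_template):

```yaml
# Sketch: disambiguate from ceph-ansible's bundled copy via the FQCN.
- name: Render cinder.conf
  openstack.config_template.config_template:
    src: cinder.conf.j2
    dest: /etc/cinder/cinder.conf
    config_type: ini
```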
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/819814
Change-Id: Id31fde6375ab5ebf90e1f13b11f80d43773e4c54
Backend creation should happen on the last host in the group, instead
of the first one, since we put the LB backend in MAINT state during
deployment while the other containers are not ready yet. Thus we should
be creating backends at the very end of the deployment, when all
containers are set up.
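The host selection can be sketched as follows (the group name and task file are assumptions for illustration):

```yaml
# Sketch: run backend creation only on the last host of the group.
- name: Create cinder backends
  include_tasks: cinder_backends.yml
  when: inventory_hostname == groups['cinder_api'][-1]
```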
Change-Id: I3d5811e059d1b5cb3e87fe7657872e41105c832e
Closes-Bug: #1920964
All references to Gentoo, SUSE, Debian stretch and CentOS 7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS-specific variable files are generalised where possible.
Change-Id: I796d9de164a8b79eff8a615442dd46e7de2353e7
Without tags, the policy override task requires a lot of time just to
change the policy.json file. The cinder-config tag wasn't included either,
so it was added to this task as well. On my system the new tag takes 10
times less time than cinder-config, so an additional tag is reasonable.
Change-Id: I343dc39f2276e313b4142e6cd494f195e4514ce1
Instead of overriding each service separately, it might make
sense for deployers to define some higher-level variable that
will be used first, or fall back to the default variable.
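The precedence pattern can be sketched as follows (all variable names here are hypothetical):

```yaml
# Sketch: per-service defaults that fall back to one umbrella variable.
# `cinder_service_defaults` is the hypothetical higher-level variable.
cinder_api_init_overrides: "{{ cinder_service_defaults | default(_cinder_api_init_defaults) }}"
cinder_volume_init_overrides: "{{ cinder_service_defaults | default(_cinder_volume_init_defaults) }}"
```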
Change-Id: If14b89d4c795ba7e129af6a2f4b4bcbc10208986
The ceph_client role checks the length of the `openstack_service_venv_bin`
variable to determine whether library symlinking into the venv should occur.
So for the distro path this should be an empty string, as no symlinking
should be done.
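That is, for distro installs the override boils down to:

```yaml
# Sketch: distro packages need no venv symlinking, so leave this empty.
openstack_service_venv_bin: ""
```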
Change-Id: Ie5073c1b178109b4daa95be7bec50f9648260eb2
When we were migrating the service to uWSGI, we clean forgot to
trigger a uWSGI restart on service config change.
Change-Id: Ie1f386f21b955dcc1d2450efa9391c56d05d5695
We use the same condition, which defines what host some "service"
tasks should run against, several times. It's hard to keep it consistent
across the role, and Ansible spends additional resources evaluating
it each time. So it's simpler and better for maintenance to set
a boolean variable which tells all tasks that are meant to run
against only a single host whether they should run now or not.
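The idea can be sketched as follows (the fact name and group name are hypothetical):

```yaml
# Sketch: evaluate the single-host condition once, then reuse it.
- name: Record whether this host runs the single-host "service" tasks
  set_fact:
    _cinder_is_first_play_host: "{{ inventory_hostname == groups['cinder_api'][0] }}"

- name: Example single-host task
  debug:
    msg: "Running DB sync here"
  when: _cinder_is_first_play_host | bool
```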
Change-Id: Ibdb078d39b3189c844aed14aa1ae74cb2ce97600