Commit Graph

584 Commits

Author SHA1 Message Date
Zuul 255f773294 Merge "Do not log contents of installed keypairs by default" 2024-02-27 23:07:33 +00:00
Zuul 0c3185ed1a Merge "Add override for gluster host used for bootstrap operations" 2024-02-21 14:12:32 +00:00
Andrew Bonney 01869973c7 Add override for gluster host used for bootstrap operations
This change permits overriding of the host used to bootstrap the
cluster. This is necessary when the cluster already exists and
a new (or upgraded) host needs to join an existing cluster. This
only works when actions are performed from an existing cluster
member.

This patch additionally resolves an issue where the volume
creation step can fail if the bootstrap host's peer names don't
exactly match those being passed to it (such as when they end with
.openstack.local). A restart of the service fixes this by reading
the correct hostnames back from the peer files.

Change-Id: I7127cb86e81abc982290681d24b8a6554a46f58b
2024-02-14 10:03:55 +00:00
Zuul e42f22d3f5 Merge "Add role to do common setup tasks for lxc containers" 2024-02-13 15:08:53 +00:00
Zuul 8dff9b4851 Merge "Add role for provisioning default variables for install methods" 2024-02-13 11:29:26 +00:00
Jonathan Rosser a0471a3436 Do not log contents of installed keypairs by default
This could put private key contents into the ansible log which is
undesirable.

Change-Id: Ic8e548b14e9fac26cf3b5a918479fdf8e0b24c6c
2024-02-12 16:40:02 +00:00
Dmitriy Rabotyagov f6b1057b65 Add role for provisioning default variables for install methods
Change-Id: I33dba6ecf99d281531739ea55f1352932cbda68a
2024-02-06 18:26:03 +01:00
Dmitriy Rabotyagov e78b1fa8b8 Add openstack_resources role skeleton
This adds new role that aims to provide a handy structure to manage
openstack resources, like flavors, networks, aggregates, etc. It's aimed
to be re-used not only inside OSA by creating common resources,
but also by operators to automate their routine.

Change-Id: I81a9cd612931b84468343948b315db193acd8923
2024-01-25 22:02:41 +00:00
Gaudenz Steinlin cccf4c03f1 Ensure consistent ordering of network_mappings
The provider_networks module returned the network_mappings in a random
order changing with every invocation. This returns the entries sorted
and adds a test to ensure the ordering is consistent between
invocations.

Change-Id: Iaec4534ebd8ff80cf7c7e3a1c8f187dd3990e4bc
2023-12-21 14:12:15 +01:00
Dmitriy Rabotyagov d186d9b921 Fix building release notes for the project
Change-Id: I73893a14e1c18e17e0ba55bd78bc7ea044b25cf0
2023-12-07 18:48:27 +01:00
Dmitriy Rabotyagov dcec963fc7 Add no_log to setup_roles include
During include we're iterating over users, which also exposes user
actual password to stdout and logs.

Change-Id: Icef8c89a1c0daf01cfc1abd53322333ba2f06d92
2023-11-23 12:53:08 +01:00
Zuul af13ea01cd Merge "Set the default domain for the role_assignment" 2023-11-13 10:53:36 +00:00
Jonathan Rosser deaf58fd59 Add role to do common setup tasks for lxc containers
This is the same code as in common/tasks/os-lxc-container-setup.yml
but can now be called using a FQCN from code in openstack ansible or
any other collection.

Change-Id: I5beb9609366e82fabaec65f98731c501d659d3e7
2023-11-09 14:11:36 +00:00
Jonathan Rosser a62ff6732c Add common haproxy playbook from openstack-ansible repo
This was previously common-playbooks/haproxy-service-config.yml
in the openstack-ansible repo which was like that before collections
existed.

Moving this playbook into a collection allows it to be called
by FQCN from any other collection which might be useful when
extending openstack-ansible.

Change-Id: I41e18cbb83bd157cac371ebf311a279991218a83
2023-11-08 16:02:15 +00:00
Dmitriy Rabotyagov 8ecfce0082 Set the default domain for the role_assignment
From time to time it might happen in deployments, that some project
will create a service user in their domains. When this happens and
domain is not supplied for the role_assignment module fails with
multiple users with the same name exist.

However, domain param is used not only for lookups but also for
scoped assignments [1]. When project is not supplied, domain scope
will be assigned. And when domain is not defined, then system scope
will be applied. But since all projects (except keystone) have reverted
their system_scope efforts, we can safely set default for the domain
to workaround potential issues with lookups.

[1] https://docs.ansible.com/ansible/latest/collections/openstack/cloud/role_assignment_module.html#parameter-domain

Change-Id: Ia406d101632806d18495380d8911468ea14bc502
2023-11-07 16:03:55 +01:00
Zuul f685bc25b7 Merge "Remove retries decorator from ssh plugin" 2023-10-30 16:24:46 +00:00
Zuul 1740eb31ef Merge "Retrieve container name and physical host via get_options" 2023-10-26 16:47:24 +00:00
Zuul 5b30cb70ec Merge "Remove extra container check" 2023-10-26 16:47:23 +00:00
Zuul 9af8c3b21e Merge "Cosmetic tidy up of pid lookup function" 2023-10-26 16:47:21 +00:00
Zuul f96cc254ee Merge "Remove nspawn container support" 2023-10-26 14:27:41 +00:00
Jonathan Rosser 93fd7c2c22 Remove retries decorator from ssh plugin
The decorator is used when calling exec_command, which in turn calls
exec_command from the original SSH plugin, which calls _run
that has its own retry logic.

This patch removes the retry logic from the openstack-ansible
connection plugin and relies on what is present in the original
SSH connection plugin.

Change-Id: I28cd7a8321665d52d123ae14336346d14df82a36
2023-10-26 13:28:20 +01:00
Zuul 8ff478c8b4 Merge "Calculate if target is a container only once" 2023-10-26 12:06:23 +00:00
Jonathan Rosser faf4b76ea5 Retrieve container name and physical host via get_options
This was done in the constructor and also via get_options,
this patch simplifies the constructor and relies on get_options
to populate these variables.

Change-Id: I3f5896d4f4a6286ad8d587a745f24a4f6dd226f0
2023-10-24 13:18:38 +00:00
Jonathan Rosser 362f98ca93 Remove extra container check
This code is only ever called from functions which have already
checked if the target is a container, so the check is duplicate.

Change-Id: If63269719881c04804d6d17f6134cc67ab0bb9a7
2023-10-24 13:25:25 +01:00
Jonathan Rosser 4615ef2930 Cosmetic tidy up of pid lookup function
The code flow can be made more obvious in this function

Change-Id: Ie65d7af764485cfa78e7a322817f984a7ee2762c
2023-10-24 13:23:40 +01:00
Jonathan Rosser ea46200a4f Remove nspawn container support
The code can be simplified by removing nspawn support that is
no longer used in openstack-ansible.

Change-Id: I88daf27351968d3e66a837fa09ffeac6ed853e8c
2023-10-24 13:22:17 +01:00
Jonathan Rosser 9197a768ca Calculate if target is a container only once
The code calls the container check method many times which
generates a lot of log messages, so instead set a flag to indicate a
container and then use the value of the flag.

Change-Id: Ie6297359fd9c8129faf08b9842d297ade99dcade
2023-10-24 13:20:11 +01:00
Jonathan Rosser 1338ed71c4 Simplify addition of keystone users to roles
CI is failing on octavia and telemetry with error like this
https://paste.opendev.org/show/bLIL6EZRZYxoBb7p6qdo/

This patch removes the duplicate code path when the user role
is a string or list and ensures that the role(s) are always
a list when including the setup_roles tasks.

Change-Id: I5ffe04b5f3a199cf2b6cdf5161f12fc1f62cb435
2023-10-19 18:48:06 +00:00
Dmitriy Rabotyagov aa277377ac Generate SSH certificates for delegation test
Last test, that tries to delegate to a host that is not part of inventory
requires an SSH access to such host.
Since with latest changes to lxc_hosts repo [1] we do not install
SSH server nor provision SSH keys to containers by default.

As additional profit we now have a functional test of the ssh_keypairs
role.

[1] https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/889945

Change-Id: Ia6b0f4406d0c2244327c2eb9fdee9a53462557c5
2023-10-19 18:47:48 +00:00
likui e15d20f003 Replace base64.encodestring with base64.encodebytes
base64.encodestring has been deprecated since 3.1 and removed
in Python 3.9. Replace it with base64.encodebytes from Python 3.1 [1].

[1] https://docs.python.org/3.9/library/base64.html?highlight=deprecated#base64.encodebytes

Change-Id: I159bf1db5e74c5c5e604d4f11660c2a0be916ae0
2023-09-19 11:16:21 +08:00
Zuul 9f13a58e2b Merge "Allow to manage more than one vhost with mq_setup" 2023-08-18 15:30:10 +00:00
Dmitriy Rabotyagov 5c37d1be03 Define default value for _service_adminuri_insecure
Only "Add keystone domain" task does not have a default value for
_service_adminuri_insecure, while in all other places across
the role this is True by default. To align behaviour of tasks, we set
_service_adminuri_insecure to True by default.

Change-Id: I6b7dff5c4277f8745844966645c5eeeea4b7e467
2023-08-15 16:45:34 +02:00
Zuul 0f444233c2 Merge "Allow to define cloud name for service_setup" 2023-07-25 11:14:33 +00:00
Zuul 3866450540 Merge "Do not use notify inside handlers" 2023-07-24 20:49:57 +00:00
Zuul 9e3ba5b619 Merge "Installing systemd-udev with NVR" 2023-07-24 20:49:55 +00:00
Dmitriy Rabotyagov 1e46752752 Allow to define cloud name for service_setup
At the moment there is no way to override cloud name for service_setup
which might be useful for usage of the role outside of the OSA setup.

This introduces the `service_cloud_name` variable for this purpose.

Change-Id: I0790e4a29cb9378dac126149554f936d80fe707c
2023-07-21 10:17:41 +00:00
Dmitriy Rabotyagov 267ea035d2 Do not use notify inside handlers
Since latest ansible handlers are not triggered inside the same
handlers flush, which means that triggering mysql restart
the way we did does not work anymore. So instead of
notifying inside handlers, we add listen key to tasks
that are triggered by these newly produced notifications.

This could be due to the bug [1], but ansible-core version that has
backport included still shows inconsistent behaviour

[1] https://github.com/ansible/ansible/issues/80880

Change-Id: I33a590e329cd455c9357d569867247f723d8a64a
2023-07-18 13:30:33 +02:00
Dmitriy Rabotyagov 2638ff34e7 Installing systemd-udev with NVR
Due to the bug [1] in CentOS packaging, systemd-udev is substituted with
systemd-boot-unsigned. So you need to use NVR to properly
install systemd-udev until the bug is fixed.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2183279

Change-Id: I3129b75af1127c62a0bd1cee39586730c5f6589c
2023-07-18 10:16:29 +02:00
Dmitriy Rabotyagov 90b1687038 Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I626739e80fd28e95bb6cf350ab310f1814d61604
2023-07-17 14:44:20 +02:00
Dmitriy Rabotyagov f35126af68 Skip updating service password by default
At the moment we always do attempt to reset passwords for the
keystone services, which in some cases leads to race conditions in
services. Thus, running a role is not idempotent which we fix by
introducing a `service_update_password` variable. So whenever password
needs to be reset/updated, the variable should be supplied for that.

Change-Id: I11b1046ea91cef7de0b2f6433baabbb144e07700
Closes-Bug: #2023370
2023-06-20 13:57:02 +02:00
Dmitriy Rabotyagov ed5b610177 Allow to manage more than one vhost with mq_setup
This change enables us to supply list of vhosts that needs to be
created or deleted, rather than support only single vhost creation

We also reduce code duplication by leveraging task includes.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/880031
Change-Id: I76548f45a20db29c1bfd5db332b490b670d973a4
2023-06-01 13:47:37 +00:00
Dmitriy Rabotyagov a4357fbb9a Workaround failures when project is unset
In cases, when we want to have only domain scope, we set project to
an empty string or null.

Needed-By: https://review.opendev.org/c/openstack/openstack-ansible-os_heat/+/879963
Change-Id: Iac723a4e748dc1a0c3769934e4ec73019e308aea
2023-04-11 08:32:08 +00:00
Dmitriy Rabotyagov 71ac235fa3 Revert "Ensure systemd-udev is installed for gluster"
This reverts commit 54cf778a8b.

Reason for revert: This patch ideally should not be needed at all, since originally task was failing already after "Install gluster repo packages" task, but this task was not installing systemd-udev for some reason, while installing glusterfs-server.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879069
Change-Id: I5bd6250a3961ea056f73886484e9ac67a7090aff
2023-03-30 17:50:13 +00:00
Neil Hanlon 54cf778a8b Ensure systemd-udev is installed for gluster
We're relying on udev to exist for glusterfs since we're
applying overrides for it as well as attempting to restart.

While systemd-udev seems not being pre-installed in all CentOS
containers anymore, so we should ensure it's installed
before trying to adjust its unit file.

Change-Id: I7d952b371bdfa41c17eaa4248b8249ca772258bc
2023-03-29 17:51:24 +00:00
Damian Dabrowski a4628e6369 Do not use openstack.osa.linear strategy plugin
Custom linear plugin was added long time ago.
Nowadays it causes issues with loop conditionals.
It's not really needed these times. Everything works fine without it.
I also didn't notice any performance degradation after disabling it on
my AIO.

Closes-Bug: #2007849
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/874482
Change-Id: I607ea3f06dc3cd5d68dcffb291a958664a41baf1
2023-02-22 22:41:58 +01:00
Dmitriy Rabotyagov 1dbc2985d3 Use cryptography backend for openssh_keypair
With default "auto" backend, opensshbin is first pick, which fails
to read a key in case of insecure permissions. This makes task fail
in case private key in topic has mode different from 0600, even if
different mode specified for the module itself [1].

Along with switching backend we are also adding mode key to be supported

[1] https://github.com/ansible-collections/community.crypto/issues/564
Change-Id: I9444ef832136783bde1eff5425e4cd369f905a5c
2023-01-18 20:26:57 +01:00
Zuul 145fd7a1e6 Merge "Fix no_log variable templating in db_setup role." 2023-01-18 10:15:05 +00:00
Zuul b56c614e27 Merge "Add variable to control no_log in service_setup role" 2023-01-18 10:15:03 +00:00
Zuul 4382648006 Merge "Add variable to control no_log in mq_setup role" 2023-01-18 10:08:52 +00:00
Jonathan Rosser b16038ea23 Fix no_log variable templating in db_setup role.
This was missing "{{ }}" and does not work without.

Change-Id: Ide631f9d26fab6ed7fc7f94cad07cdceedb81b90
2023-01-17 16:52:58 +00:00