Add configure tasks for iscsid role

This patch adds configure task which replaces the iscsid configuration in [1] with these modifications. - configure /etc/iscsi on the host directly, so it eliminates the use of /var/lib/config-data/ansible-generated - remove "sync from host" and "sync to host" operations which are no longer needed. - optimize the install task. [1] https://github.com/openstack/puppet-tripleo/blob/master/manifests /profile/base/iscsid.pp Co-Authored-By: Manoj Katari <mkatari@redhat.com> Change-Id: Idb57bb5179897ee7b4461f81372e6021b72be4d8
2023-02-13 19:58:09 -08:00 · 2023-02-13 19:58:09 -08:00 · 322415d3c4
parent 4dea939ba0
commit 322415d3c4
8 changed files with 100 additions and 40 deletions
--- a/tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml
@ -70,4 +70,3 @@ tripleo_container_standalone_volumes: "{{

 tripleo_debug: False
 tripleo_deploy_identifier: ''
-tripleo_iscsid_config_volume: /var/lib/config-data/ansible-generated/iscsid
--- a/tripleo_ansible/roles/tripleo_iscsid/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_iscsid/defaults/main.yml
@ -23,13 +23,15 @@ tripleo_iscsid_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_iscsid_hide_sensitive_logs: true

 tripleo_iscsid_image: "quay.io/tripleomastercentos9/openstack-iscsid:current-tripleo"
-tripleo_iscsid_config_dir: /var/lib/config-data/ansible-generated/iscsid
+tripleo_iscsid_config_image: "{{ tripleo_iscsid_image }}"
 tripleo_iscsid_volumes:
  - /var/lib/kolla/config_files/iscsid.json:/var/lib/kolla/config_files/config.json:ro
  - /dev:/dev
  - /run:/run
  - /sys:/sys
  - /lib/modules:/lib/modules:ro
-  - "{{ tripleo_iscsid_config_dir }}/etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro"
+  - /etc/iscsi:/etc/iscsi:z
  - /etc/target:/etc/target:z
  - /var/lib/iscsi:/var/lib/iscsi:z
+
+tripleo_iscsid_chap_algs: 'SHA3-256,SHA256,SHA1,MD5'
--- a/tripleo_ansible/roles/tripleo_iscsid/files/iscsid.yaml
+++ b/tripleo_ansible/roles/tripleo_iscsid/files/iscsid.yaml
@ -1,6 +1 @@
 command: /usr/sbin/iscsid -f
-config_files:
-  - source: "/var/lib/kolla/config_files/src-iscsid/"
-    dest: "/etc/iscsi/"
-    merge: true
-    preserve_properties: true
--- a/tripleo_ansible/roles/tripleo_iscsid/tasks/configure.yml
+++ b/tripleo_ansible/roles/tripleo_iscsid/tasks/configure.yml
@ -14,8 +14,45 @@
 # License for the specific language governing permissions and limitations
 # under the License.

- name: Ensure {{ tripleo_iscsid_config_dir }}/etc/iscsi  exists
-  file:
-    path: "{{ tripleo_iscsid_config_dir }}/etc/iscsi"
-    state: directory
-    recurse: true
+
+- name: Check if the iSCSI initiator name (IQN) has been reset
+  ansible.builtin.stat:
+    path: /etc/iscsi/.initiator_reset
+  register: initiator_reset_state
+
+# NOTE: Each overcloud node must have its own, unique iSCSI Qualified Name
+# (IQN) but it has to be reset once, and only once as all the services on the
+# node must use the same IQN. It is reset based on the existence of
+# .initiator_reset sentinel file.
+
+- name: Ensure the system has a unique IQN
+  when: initiator_reset_state.stat.exists == False
+  block:
+
+  - name: Generate a unique IQN
+    ansible.builtin.command: podman run -ti --rm --name iscsid_config {{ tripleo_iscsid_config_image }} /usr/sbin/iscsi-iname
+    register: iscsi_iname
+
+  - name: Save the new IQN
+    ansible.builtin.copy:
+      dest: /etc/iscsi/initiatorname.iscsi
+      content: "InitiatorName={{ iscsi_iname.stdout }}"
+
+  - name: Record the IQN has been reset
+    ansible.builtin.file:
+      path: /etc/iscsi/.initiator_reset
+      state: touch
+
+- name: Write CHAP algorithms
+  ansible.builtin.lineinfile:
+    path: "/etc/iscsi/iscsid.conf"
+    line: "node.session.auth.chap_algs = {{ tripleo_iscsid_chap_algs }}"
+    regexp: "^node.session.auth.chap_algs"
+    insertafter: "^#node.session.auth.chap.algs"
+  register: modify_stat
+
+- name: Record the iscsid container restart is required
+  when : modify_stat.changed
+  ansible.builtin.file:
+   path: /etc/iscsi/.iscsid_restart_required
+   state: touch
--- a/tripleo_ansible/roles/tripleo_iscsid/tasks/install.yml
+++ b/tripleo_ansible/roles/tripleo_iscsid/tasks/install.yml
@ -14,40 +14,48 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+- name: Create persistent directories
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    setype: "{{ item.setype }}"
+    state: directory
+  loop:
+    - { 'path': /etc/iscsi, 'setype': container_file_t }
+    - { 'path': /etc/target, 'setype': container_file_t }
+    - { 'path': /var/lib/iscsi, 'setype': container_file_t }

- name: create fcontext entry for iscsi
+- name: Create fcontext entry for iscsi
  community.general.sefcontext:
    target: "{{ item.path }}(/.*)?"
    setype: "{{ item.setype }}"
    state: present
-  with_items:
+  loop:
    - { 'path': /etc/iscsi, 'setype': container_file_t }
    - { 'path': /etc/target, 'setype': container_file_t }
    - { 'path': /var/lib/iscsi, 'setype': container_file_t }
-  when:
-    - tripleo_selinux_mode | default('enforcing') == 'enforcing'
- name: create persistent directories
-  file:
-    path: "{{ item.path }}"
-    state: directory
-    setype: "{{ item.setype }}"
-  with_items:
-    - { 'path': /etc/iscsi, 'setype': container_file_t }
-    - { 'path': /etc/target, 'setype': container_file_t }
-    - { 'path': /var/lib/iscsi, 'setype': container_file_t }
- name: stat /lib/systemd/system/iscsid.socket
-  stat: path=/lib/systemd/system/iscsid.socket
+
+- name: Stat /lib/systemd/system/iscsid.socket
+  ansible.builtin.stat:
+    path: /lib/systemd/system/iscsid.socket
  register: stat_iscsid_socket
+
 - name: Stop and disable iscsid.socket service
-  service: name=iscsid.socket state=stopped enabled=no
+  ansible.builtin.service:
+    name: iscsid.socket
+    state: stopped
+    enabled: no
  when: stat_iscsid_socket.stat.exists
+
 - name: Check if iscsi.service is enabled
-  command: systemctl is-enabled --quiet iscsi.service
+  ansible.builtin.command: systemctl is-enabled --quiet iscsi.service
  failed_when: false
  register: iscsi_service_enabled_result
+
 - name: Stop iscsi.service
-  service: name=iscsi.service state=stopped enabled=no
+  ansible.builtin.service:
+    name: iscsi.service
+    state: stopped
+    enabled: no
  when:
-    - not ansible_check_mode
    - iscsi_service_enabled_result is changed
    - iscsi_service_enabled_result.rc == 0
--- a/tripleo_ansible/roles/tripleo_iscsid/tasks/run.yml
+++ b/tripleo_ansible/roles/tripleo_iscsid/tasks/run.yml
@ -24,3 +24,29 @@
      iscsid: "{{ lookup('template', 'iscsid.yaml.j2') | from_yaml }}"
    tripleo_container_standalone_kolla_config_files:
      iscsid: "{{ lookup('file', 'files/iscsid.yaml') | from_yaml }}"
+  register: manage_iscsid_stat
+
+- name: Check if the iscsid container restart is required
+  ansible.builtin.stat:
+    path: /etc/iscsi/.iscsid_restart_required
+  register: iscsi_restart_stat
+
+# Existence of sentinel file (.iscsid_restart_required) on the host
+# indicates that restart of the iscisd container is needed to refresh
+# /etc/iscsid.conf
+# sentinel file will exist on an initial deployment, but the restart is
+# actually needed only if the service is already running, so we check if
+# the manage_iscsid_stat changed.
+
+- name: Restart iscsid container to refresh /etcd/iscsid.conf
+  when:
+    - not manage_iscsid_stat.changed|bool
+    - iscsi_restart_stat.stat.exists|bool
+  systemd:
+    name: tripleo_iscsid
+    state: restarted
+
+- name: Remove iscsid container restart sentinel file
+  ansible.builtin.file:
+    path: /etc/iscsi/.iscsid_restart_required
+    state: absent
--- a/tripleo_ansible/roles/tripleo_nova_compute/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_nova_compute/defaults/main.yml
@ -132,11 +132,11 @@ tripleo_nova_compute_volumes:
  - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
  - /var/lib/kolla/config_files/nova_compute.json:/var/lib/kolla/config_files/config.json:ro
  - "{{ tripleo_nova_compute_config_dir }}:/var/lib/kolla/config_files/src:ro"
-  - "{{ tripleo_iscsid_config_volume }}:/var/lib/kolla/config_files/src-iscsid:ro"
  - "{{ tripleo_nova_compute_ceph_config_path }}:/var/lib/kolla/config_files/src-ceph:ro"
  - /dev:/dev
  - /lib/modules:/lib/modules:ro
  - /run:/run
+  - /etc/iscsi:/etc/iscsi:z
  - /var/lib/iscsi:/var/lib/iscsi:z
  - /var/lib/libvirt:/var/lib/libvirt:shared
  - /sys/class/net:/sys/class/net
--- a/tripleo_ansible/roles/tripleo_nova_compute/templates/kolla_config/nova_compute.yaml.j2
+++ b/tripleo_ansible/roles/tripleo_nova_compute/templates/kolla_config/nova_compute.yaml.j2
@ -11,13 +11,6 @@ config_files:
    dest: "/"
    merge: true
    preserve_properties: true
-  # (TODO: slagle) This must be commented out until files exist at this path
-  # otherwise kolla-start fails. This can be enabled once the tripleo_iscsid
-  # role is actually generating configuration.
-  # - source: "/var/lib/kolla/config_files/src-iscsid/*"
-  #   dest: "/etc/iscsi/"
-  #   merge: true
-  #   preserve_properties: true
  - source: "/var/lib/kolla/config_files/src-ceph/"
    dest: "/etc/ceph/"
    merge: true