Commit Graph

213 Commits

Author SHA1 Message Date
Matt Crees c04b6ddf1b Support saving baremetal compute inspection data
Add the command ``kayobe baremetal introspection data save`` to save the
hardware introspection data gathered by ``kayobe baremetal compute
inspect``. This mirrors the functionality of ``kayobe overcloud
introspection data save``, but for use with the baremetal compute
Ironic, rather than Bifrost.

Change-Id: I654f7d6e923c442a8aa08f536cc2b82c5e5b69d1
2024-03-14 14:03:42 +00:00
Zuul 684a440bae Merge "Make hooks environment-aware" 2024-03-01 14:28:02 +00:00
Zuul f2b658ecb6 Merge "Generate KA config before ``kolla ansible run``" 2024-02-16 19:36:21 +00:00
Pierre Riteau 4337e78eea Add missing space in help output
Change-Id: I6834aa6a19a73efe807402fa767b9ceaf1170a20
2024-02-13 19:26:54 +00:00
Matt Crees bc98c494ae Generate KA config before ``kolla ansible run``
Supports calling custom Kolla Ansible commands directly after a
``kayobe control host bootstrap``.

Change-Id: I19f188cc002f8578618003e90c0a4a154b806e49
2024-02-02 13:25:58 +00:00
Mark Goddard 0055d384a6 Make hooks environment-aware
Previously it was only possible to define custom playbook hooks in the
base configuration, and not in environments. This could be limiting in
cases where different environments require different hooks.

With this change it is now possible to define hooks both in the base
configuration and in environments.

Change-Id: Ic003c18402177318ac1aa4c2d851263893bd4e9f
2023-12-21 14:45:30 +00:00
Zuul 63f9aa4ef1 Merge "Generate local Kolla Ansible config in check mode" 2023-11-08 18:26:14 +00:00
Michal Nasiadka 672d6fa24a bifrost: Populate bifrost host vars on deprovision
Closes-Bug: #2038889
Change-Id: I4609494d009c6e1f97d833a9a11529d107b3216f
2023-10-17 09:29:31 +02:00
Mark Goddard 2c0f705e7a Generate local Kolla Ansible config in check mode
If running a command in check mode such as

    kayobe overcloud service deploy --check

Kayobe does not generate the local configuration for Kolla Ansible. This
can lead to an inaccurate result when comparing with the remote
configuration, if there are changes in kayobe-config.

For example:

* Run kayobe overcloud service deploy
* Change a file in etc/kayobe/kolla
* Run kayobe overcloud service deploy --check --diff

We would expect that the changed file results in a diff against the
remote config. However there is no diff displayed.

This change fixes the issue by always generating the local Kolla Ansible
config, even in check mode.

Change-Id: Ic1dd075076ea186b0928bba1a235605c0cd2ec71
Story: 2010526
Task: 47132
2023-04-19 17:01:09 +01:00
Mark Goddard c9f8d80ba6 Stop using kolla-ansible bootstrap-servers
The 'kayobe * host configure' commands no longer use the 'kolla-ansible
bootstrap-servers' command, and associated 'baremetal' role in Kolla
Ansible. The functionality provided by the 'baremetal' role has been
extracted into the openstack.kolla Ansible collection, and split
into separate roles. This allows Kayobe to use it directly, and only the
necessary parts.

This change improves failure handling in these Kayobe commands, and aims
to reduce confusion over which '--limit' and '--tags' arguments to
provide. This ensures that if a host fails during a host configuration
command, other hosts are able to continue to completion. Previously, if
any host failed during the Kayobe playbooks, the 'kolla-ansible
bootstrap-servers' command would not run. This is useful at scale, where
host failures occur more frequently.

This change has implications for configuration of Kayobe, since some
variables that were previously in Kolla Ansible are now in Kayobe.

Several parts of the baremetal role have been split out and used here:

* apparmor-libvirt: disable AppArmor rules for libvirt on Ubuntu.
* docker: Docker installation & configuration. The docker role in
  openstack.kolla combines functionality from kolla-ansible and kayobe.
* etc-hosts: it proved difficult to generalise this, so we have
  almost duplicated the code from kolla-ansible here. Requires delegated
  fact gathering for the case when --limit is used.
* firewall: support to disable UFW, for feature parity.
* kolla-packages: miscellaneous package installs & removals.

The addition of the stack user to the docker group has been moved to the
user bootstrapping playbook, and the docker SDK installation has been
moved to the virtualenv setup playbook.

Depends-On: https://review.opendev.org/c/openstack/ansible-collection-kolla/+/829587

Story: 2009854
Task: 44505

Change-Id: I61a61ca59652b13687c2247d5881012b51f666a7
2023-03-30 13:52:54 +00:00
Matt Crees 4af5fd172b Add command to run config validation
Adds the command ``kayobe overcloud service configuration validate`` to
run the ``oslo-config-validator`` on all hosts via Kolla-Ansible. The
output directory of the results is specified with the flag
``--output-dir``.

Change-Id: I5d5d16eeabe69e8659e33722165928df096b3559
2023-01-10 16:08:25 +00:00
Pierre Riteau f6660bbff8 Remove support for Monasca and its dependencies
This follows removal of support from Kolla Ansible. This also removes
support for configuring Grafana with overcloud post configure.

Change-Id: I8102fafb00db178f1ae6801d37c43a39033cbfe6
2022-12-13 14:32:33 +01:00
Alex-Welsh ce74a98b1d Add --add-known-hosts to control host bootstrap
Provide the option to add hosts to the SSH known hosts file when running
control host bootstrap.

Story: 2001670
Task: 6716
Change-Id: I512a343f875ee95194ab4fa98872e349f5a6dc7b
2022-11-09 11:26:15 +00:00
Zuul 64a76166b0 Merge "Fix comment in OvercloudPostConfigure" 2022-10-13 21:38:11 +00:00
Zuul 1120958133 Merge "Update comments for host configure commands" 2022-10-13 21:38:09 +00:00
Pierre Riteau 642486d821 Fix comment in OvercloudPostConfigure
Change-Id: I56a25a82ad696122a37ffb1a347d72f0722b5757
2022-10-07 16:07:20 +02:00
Pierre Riteau cd46e1524c Update comments for host configure commands
Change-Id: I249ec3e3417db31d1f0d880ac9b101f88cac2fe5
2022-10-07 16:03:55 +02:00
Alex-Welsh d7069283fd added option to skip hooks
Adds the argument --skip-hooks/-sh which will stop the execution of
hooked Ansible playbooks. Either a pattern can be specified to match
against or hook execution can be stopped altogether with "all".

Story: 2009241
Task: 43390

Change-Id: I4f2176aa056fec62e31d07140e3d05779480a93d
2022-10-04 14:40:31 +01:00
Mark Goddard d490367634 Fix IP allocation limit in overcloud inventory discover
After generating an inventory file in 'kayobe overcloud inventory
discover', the IP allocation playbook runs to allocate IP addresses for
the new hosts. Currently this runs without a limit, meaning it targets
all hosts. This change fixes it to use a limit of overcloud.

TrivialFix

Change-Id: Ic3a98fb9e741a2dea792b2e6cf6a6ff802d099a2
2022-08-26 14:19:14 +00:00
Mark Goddard 32a82ea039 Support authentication in Bifrost
* Switch from python-ironic-inspector-client to openstacksdk in
  ironic-inspector-rules. This allows us to use clouds.yaml to provide
  credentials.
* Enable authentication in Bifrost. Passwords are auto-generated by
  Bifrost, and stored in files in /root/.config/bifrost/. This change
  depends on a Kolla Ansible patch that ensures that these credentials
  are persisted between recreations of the bifrost container.
* Copy clouds.yaml and (if present) a CA certificate from the Bifrost
  container to the seed host, under the Kayobe Ansible user (stack).
  This allows us to use the credentials to register introspection rules.
* This patch is needed by a Kolla Ansible patch that enables TLS in
  Bifrost, since we need the CA certificate on the host to register
  introspection rules when TLS is enabled.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838

Story: 2010206
Task: 45930

Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0
2022-08-25 11:56:03 +02:00
Michal Nasiadka caa7cc54ee selinux: default to permissive
The disable-selinux role has been renamed to selinux and now supports
setting desired state.

Previously Kayobe was defaulting to disabling and rebooted the host - to
avoid audit logs filling up. This change allows operators to define
desired SELinux state and defaults to permissive - to adhere to those
site policies that require SELinux to be at least in permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1
2022-06-17 09:24:27 +02:00
Mark Goddard c4b74f4801 libvirt: deploy libvirt on the host
In some cases it may be desirable to run libvirt daemon on the host. For
example, when mixing host and container OS distributions.

This change makes it possible to disable the nova_libvirt container, by
setting kolla_enable_nova_libvirt_container to false.

The stackhpc.libvirt-host role is used in order to install and configure
a libvirt daemon on compute hosts when
kolla_enable_nova_libvirt_container is false.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/825357
Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/829225
Depends-On: https://github.com/stackhpc/ansible-role-libvirt-host/pull/51

Story: 2009858
Task: 44495

Change-Id: I73fef63fb886a9d543d2f4231fb009523495edb3
2022-03-24 13:44:48 +00:00
Mark Goddard cb48f7e5d2 Refactor host configure commands to use a single playbook
Ansible failure handling is different when executing multiple top-level
playbooks (CLI arguments) vs. multiple plays within a top-level
playbook. If any hosts have failed or are unreachable at the end of a
top-level playbook, then ansible-playbook exits non-zero.

In contrast, execution will continue at the end of a mid-playbook play
if there are hosts that have not failed or become unreachable. This is
documented in [1].

Currently, Kayobe executes multiple top-level playbooks, most notably in
the host configure commands where there is a long list of them. This has
implications when working at scale, where failures are more common. If a
host fails at any point, then execution of the command will stop at the
end of the current playbook. This means that the command must be run
again for all hosts. Additionally, if any hosts are unreachable, then
the command is unable to progress at all without removing them from the
inventory.

This change refactors the host configure and host upgrade commands to
use a single top-level playbook.

[1] https://github.com/markgoddard/ansible-experiments/tree/master/14-error-handling

Story: 2009854
Task: 44482

Change-Id: Ia63d66097b10b6ddda30ad693636143f8b1a85e0
2022-02-22 09:22:09 +00:00
Zuul 07094b8ccd Merge "Drop kolla-host.yml playbook" 2022-02-04 18:51:28 +00:00
Mark Goddard b273af0e89 Drop kolla-host.yml playbook
This playbook is no longer necessary following the removal of the iSCSI
deploy driver from Ironic.

Change-Id: I9e99c04173acb7adb0d0e367b6db388b86baf5f2
2022-01-18 17:03:28 +00:00
Mark Goddard b73e8250a0 Remove chrony cleanup from overcloud host configure
The chrony container removal was performed in the Xena cycle, so we no
longer require this in the 'overcloud host configure' command.

Change-Id: Ic6909bba42b07a5f3528e7507cb3b25199a72b43
2022-01-11 14:27:09 +00:00
Zuul 74d50525e6 Merge "Allow enable SNAT service on the seed hypervisor" 2022-01-07 12:45:44 +00:00
Zuul 30efba2b0a Merge "Generate kolla config when running database commands" 2022-01-06 17:02:12 +00:00
Zuul 4028a56fac Merge "Add support for configuring proxy settings" 2022-01-04 17:22:48 +00:00
Kayobe deployment user 4321471a13 Generate kolla config when running database commands
Change-Id: Ief9adfcff28d269fc80a073cdde536e8e803ca37
Story: 2009648
Task: 43807
2022-01-04 15:58:14 +00:00
Maksim Malchuk e10b52c588 Allow enable SNAT service on the seed hypervisor
Adds an ability to enable SNAT service on the seed hypervisor.

Depends-On: Ie42ab7a0dc9dd1ed1925b3a17134b3770ae8ba98
Change-Id: I0a2ff5caa01d54b1532d30d501b55ef23a6deff8
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
2021-12-10 07:47:30 +03:00
Pierre Riteau c35f112a14 Build overcloud host image directly with DIB
As a first step towards supporting multiple overcloud disk images, this
change introduces a new command to build a disk image directly with DIB:
`kayobe overcloud host image build`.

It also disables building a root disk image during Bifrost bootstrap if
overcloud_dib_build_host_images is set to true.

Change-Id: I93d242889e225b4e60254f6b9cc5eeb457294ac8
Story: 2002098
Task: 41693
2021-11-26 09:28:00 +01:00
Mark Goddard 49218b34db Remove stale config dump from seed hypervisor host configure
The config dump was removed from host configure commands in
I85670be7242bc436f73c689f027670b0938ba031, but somehow the seed
hypervisor was missed.

Change-Id: I4ae457a784423dcce96e51b4bb21219831acc854
2021-10-20 08:31:35 +02:00
Pierre Riteau e48960ecf2 Add support for configuring proxy settings
Change-Id: Ic5130a7512d4a26354bd292b0ab51ab4a9279f0a
2021-10-19 10:58:19 +02:00
Pierre Riteau e58a12534b Add missing apt playbook for infrastructure VMs
Change-Id: Id518acd289bc144dc01db819abaebbc8a1cde924
2021-10-14 20:21:32 +02:00
Michał Nasiadka 769c2efb97 Add support for configuring tuned profile
This is only supported on CentOS for now due to limitations of the
Ansible role used to configure tuned.

Change-Id: Ie07c5f467975f8da2f720e70c94cea6285981d72
Co-Authored-By: Pierre Riteau <pierre@stackhpc.com>
Story: 2007853
Task: 40155
2021-10-06 17:49:24 +02:00
Mark Goddard 4b31079fae firewalld: support infra VMs
Follow up to Id60e25e129e323f3c07e702bb81a11efc530fb3e, adds support for
firewalld configuration on Infra VMs.

Change-Id: Idd1ab982d4bca1cbdb0c4c6041cf3b6c17eae6cb
2021-10-06 14:30:58 +02:00
Zuul f11c73ff03 Merge "Support configuration of firewalld" 2021-10-05 17:25:06 +00:00
Will Szumski c583922c27 Add support for infrastructure VMs
This change allows you to define additional VMs to deploy
on the seed-hypervisor.

Co-authored-by: Piotr Parczewski <piotr@stackhpc.com>
Co-authored-by: Will Szumski <will@stackhpc.com>
Co-authored-by: Mark Goddard <mark@stackhpc.com>
Story: 2008741
Task: 42095
Change-Id: I8055fc5eb0a9edadcb35767303c659922f2d07ca
2021-10-04 12:40:54 +01:00
Mark Goddard 7d15aa16f2 Support configuration of firewalld
Adds support for configuring firewalld for CentOS hosts managed by
Kayobe.

* create zones
* set default zone
* set zone for interfaces
* define rules

Change-Id: Id60e25e129e323f3c07e702bb81a11efc530fb3e
Story: 2008991
Task: 42644
2021-10-04 10:36:13 +01:00
Zuul 00f422c785 Merge "Add support for apt proxy setting" 2021-09-30 14:44:33 +00:00
Zuul 4e14f9e9c5 Merge "Support Ansible collections" 2021-09-29 18:19:44 +00:00
Mark Goddard 2648f48746 Make setup module arguments configurable
Ansible facts can have a large impact on the performance of the Ansible
control host. This patch introduces some control over which facts are
gathered (kayobe_ansible_setup_gather_subset) and which facts are stored
(kayobe_ansible_setup_filter). By default we do not change the default
values of these arguments to the setup module. The flexibility of these
arguments is limited, but they do provide enough for a large performance
improvement in a typical moderate to large OpenStack cloud.

In particular, the large complex dict fact for each interface has a
large effect, and on an OpenStack controller or hypervisor there may be
many virtual interfaces. We can use the kayobe_ansible_setup_filter
variable to help:

    kayobe_ansible_setup_filter: 'ansible_[!qt]*'

This causes Ansible to collect but not store facts matching that
pattern, which includes the virtual interface facts. Currently we are
not referencing other facts matching the pattern within Kayobe.
Note that including the 'ansible_' prefix causes meta facts module_setup
and gather_subset to be filtered, but this seems to be the only way to
get a good match on the interface facts. To work around this, we use
ansible_facts rather than module_setup to detect whether facts exist in
the cache.

The exact improvement will vary, but has been reported to be as large as
18x on systems with many virtual interfaces.

This change also introduces a new command to gather facts for Kayobe &
Kolla Ansible on demand, 'kayobe overcloud facts gather'. This can be
used to populate a fact cache.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/794610
Story: 2007993
Task: 42586

Change-Id: I5ce3c734433e1682ee942867505468c57440e689
2021-09-27 09:31:09 +00:00
Mark Goddard 5535832c10 Support Ansible collections
This change adds support for installing Ansible collections via
requirements.yml in Kayobe or Kayobe config.

Story: 2008391
Task: 41315

Change-Id: I764ff019a18266b593add7ab80ee095d7d07a869
2021-09-27 09:10:50 +00:00
Skylar Kelty f24b3176eb Add support for apt proxy setting
Add support for configuring apt's proxy setting on Ubuntu hosts.

Change-Id: Iea1daff70fca5cf49f4e7f44af71a900678bb5c9
Story: 2009035
Task: 42782
2021-09-21 10:39:38 +02:00
Zuul 814a377471 Merge "Add kayobe overcloud service prechecks command" 2021-06-09 11:23:19 +00:00
Mark Goddard dc53d29eaa chrony: cleanup during overcloud host upgrade
The Kolla Ansible chrony container is disabled by default in the Wallaby
release. A new kolla-ansible chrony-cleanup command can be used to clean
up the container.

This change extends the 'kayobe overcloud host upgrade' command to cover
cleaning up the chrony container (if disabled) and deploying a host
chrony daemon.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/792119

Change-Id: I275102ec6b5bab6982577b52fd29654c874446ce
2021-05-24 10:55:38 +01:00
Mark Goddard b398e28dc5 Add kayobe overcloud service prechecks command
Runs 'kolla-ansible prechecks' without deploying services.

Change-Id: I3806b707593fc6ac9d7125e1b12d716ad40a2808
Story: 2008912
Task: 42503
2021-05-21 11:26:49 +01:00
Will Szumski 085cf7d175 Adds support for configuring chrony
Some hosts in the kayobe inventory might not be in the kolla-ansible
inventory so it makes sense for kayobe to manage NTP.

Change-Id: Iacb579a46b0e9769a4c404a858d17968f74dd7e0
Depends-On: https://review.opendev.org/c/openstack/kayobe-config-dev/+/786040
Story: 2007872
Task: 40240
2021-05-07 18:27:50 +02:00
Zuul f6433120ae Merge "Add --nocache option to container image build" 2021-04-08 17:57:18 +00:00