Commit Graph

389 Commits

Author SHA1 Message Date
Andrew Bonney 2bb6cdf481 Don't load systemd parent service for object cache
We use the systemd_service role to load a drop-in for all
services which fall under the 'ceph-immutable-object-store'
banner, but this isn't a service in its own right.

Attempting to load the service on Ubuntu Jammy results in
an error, so we prevent loading it, and leave enabling of the
individual service up to an existing later task.

Change-Id: If9c46d22f42bc3765b217b0fbc736331bf337557
2024-02-12 13:51:03 +00:00
Dmitriy Rabotyagov 721e96f145 Align extra conf files mode
When placing ceph_extra_confs files to their destination, they're being
assigned mode 0644 with root:root ownership. However, when we're overriding
some sections in config files, we also accidentally change mode of these
files to 0640 which makes issues while reading them by clients and
makes role not idempotent.

This issue was introduced by this commit [1]

[1] https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/888216

Change-Id: I5fe0fff9616e0829b83f61bd1b062cfd978543d6
2024-01-18 09:55:37 +01:00
Dmitriy Rabotyagov 6bb5f7dcdb Add backwards compatibility of ceph_components format
With [1] we have broken compatibility of potentially provided extra components
config without any notice.

In order to handle this now we fix backwards compatibility along with
adding a deprecation note on the format of ``client``.

[1] https://review.opendev.org/c/openstack/openstack-ansible-ceph_client/+/882827

Closes-Bug: #2047783
Change-Id: I89b67f0f0545d799194d8486a6bb25227279af84
2024-01-02 15:59:34 +00:00
Zuul 43c9071f4f Merge "Allow to distribute custom key with the role" 2023-10-10 11:34:38 +00:00
Andrew Bonney 5351a2a96d Add AppArmor configuration for ceph read/write caching
When Ceph read/write caching uses paths which aren't already
covered by the libvirt/qemu apparmor rules then additional
configuration is required to ensure VMs don't fail to boot.

Change-Id: I2dff4bf54191b763e25625aa7a10bceaa1f6e595
2023-10-09 12:54:20 +01:00
Dmitriy Rabotyagov eb27ca0874 Allow to distribute custom key with the role
Right now we have quite strong assumption that `nova_ceph_client` should be
present among clients to fetch. At the same time, in case the role is
included outside of the OSA context, ceph_client_filtered_clients might
not contain all users we expect to see.

With that we alter the logic to fetch nova key not only when role is launched
against compute host, but also when the client is present in the list.

Change-Id: I7810881a01b9d2f3d98a6c3ad590b9ea63358011
2023-10-02 15:10:43 +02:00
Dmitriy Rabotyagov d086041842 Define constraints file for docs and renos
Right now we are not using any constraints for docs and releasenotes builds.
This has resulted in docs job failures once Sphinx 7.2.0 has been released.

The patch will ensure that constraints are used and we should not face
similar issue again.

TOX_CONSTRAINTS_FILE is updated by Release bot once new branch is created,
so it should always track relevant constraints.

Some extra syntax-related changes can apply, since patch is being passed
through ConfigParser, that does not preserve comments and align indenting.


Change-Id: Ic3ca23b672414d1944069b274d709e3a3d94de43
2023-08-17 16:32:00 +02:00
Dmitriy Rabotyagov 05e3c0f183 Apply tags to included tasks
In order to be able to use tags to run systemd_service role solely,
they must be applied properly when role is included.

Change-Id: Ic382ddfc0e79e3b9dfdeeaabdf131466127756f2
2023-07-13 13:02:41 +00:00
Dmitriy Rabotyagov 94a58e398b Fix linters and metadata
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect current state.

Change-Id: Idb2dd6cd4bbf815e4b32c9bfbe9a66f33e1c4b97
2023-07-13 11:44:20 +00:00
Zuul 22a63c5918 Merge "Fix retrievement keyrings from files" 2023-06-20 12:31:03 +00:00
Dmitriy Rabotyagov d9c1289b7a Fix retrievement keyrings from files
With [1] usage of custom owner/group has been introduced. It
converted client to be a list of mappings but it was missed in 1 place.

[1] fdd2aaa00b
Closes-Bug: #2024339

Change-Id: Icfc16ca25f0b6b45a0de0bcdf4eac71ab302a120
2023-06-19 14:43:20 +02:00
Jonathan Rosser e819854b0f Fix permissions for ceph cache directories
These directories need very specific permissions to match up with the user
and group membership.

Change-Id: I711b32a5951357b726c4b4b64e534bcd72e6c4f4
2023-06-19 13:08:38 +01:00
Jonathan Rosser e99aab1d69 Add releasenote for ceph immutable object cache and persistent write log cache
Change-Id: I13a8ab2848ab118f290e80398a3e80878b72e93f
2023-05-18 12:26:46 +01:00
Jonathan Rosser 496cc94cc7 Add config and documentation for ceph persistent write log cache
Change-Id: I7024e52c4750d4fd7b205cc2376d73bde7b4c11b
2023-05-18 12:26:18 +01:00
Jonathan Rosser 17ccbffded Add immutable object cache documentation
Change-Id: I82e9c8d38eb3cfa3e1c3d0b46d12bd831ada043f
2023-05-18 10:20:45 +00:00
Jonathan Rosser 9ee3bb24f6 Add ceph client and configuration for immutable object cache
See [1] for details of this ceph component. Optionally deployed
on nova-compute nodes to accelerate access to read-only data
for volumes created from snapshots.

[1] https://docs.ceph.com/en/latest/rbd/rbd-persistent-read-only-cache/

Change-Id: I34f2f403d03cc95f593f21c717609b9858b8d989
2023-05-18 10:20:12 +00:00
Jonathan Rosser f7cd0b0eda Allow ceph clients to be enabled or disabled
Some clients, like the immutable object cache need
to be optional.

Change-Id: I5e78521a8530ef58bba5d17e96213391747e29bb
2023-05-15 08:28:23 +00:00
Jonathan Rosser fdd2aaa00b Allow ceph client keyring files to have custom owner/group/mode
This is required for a future patch enabling the ceph
immutable object cache.

Change-Id: Ifd78224acf389200a79aea25461b499a7c0da5d1
2023-05-10 14:32:59 +01:00
Jonathan Rosser 3502645d5a Remove conditional code for ubuntu version earlier than 20.x
This has not been supported for a while in openstack-ansible so
tidy up the old code.

Change-Id: If3e0d8205a33b00a07bea530d9d7317e83f5b0d6
2023-05-10 14:32:59 +01:00
Zuul 420e837631 Merge "Improve regexp for fetching nova secret from files" 2023-04-13 16:22:08 +00:00
Zuul 8e8e86c2eb Merge "Remove functional tests" 2023-04-07 14:53:16 +00:00
Zuul 9b3bccccf2 Merge "Unify EPEL gpg key and repo provisioning" 2023-04-04 13:50:14 +00:00
Zuul d68f5d45a7 Merge "Add EPEL GPG key for RHEL 9" 2023-04-01 22:39:32 +00:00
Jonathan Rosser f4b5bb65ec Remove functional tests
These jobs are run, but there is no actual test code executed other
than setting up the test environment then exiting success straight
away.

Change-Id: I1c3a3ef2584c65b9b4e7ee4c869d76c612c476d5
2023-03-31 20:10:28 +01:00
Dmitriy Rabotyagov 7a70556e15 Unify EPEL gpg key and repo provisioning
At the moment we do install EPEL repo in multiple other roles, like
lxc_hosts or systemd_mount. We're trying to be consistent in ways
of adding them, while ceph_client was slightly different, by carrying on
GPG keys in-repo instead of fetching them from `centos_epel_key` url.

With this patch we unify approach with other roles and reducing
maintenance costs of the repo when adding new distributions

Change-Id: I407256dc6eee3365c4f8c191a1f50717f0b35fa8
Related-Bug: #2013276
2023-03-30 21:16:28 +02:00
Dmitriy Rabotyagov f2a40ab1cd Add thrift to includepkgs from EPEL
Latest ceph releases also require thrift package to be installed,
which is provided by EPEL. We add the package of allowed ones
to come from EPEL.

Change-Id: Id2cd34bf88efbda9ba37710d1052a6f54249b5bf
Closes-Bug: #2013276
2023-03-30 21:05:41 +02:00
Dmitriy Rabotyagov 5215b796c0 Add EPEL GPG key for RHEL 9
We've missed adding a GPG key that's required for installing
packages for RHEL9 distros from EPEL.

Change-Id: I2bef98a695517c038cb9f0dcd09caa16611520b7
Closes-Bug: #2013276
2023-03-30 21:02:17 +02:00
Dmitriy Rabotyagov f69d7e922e Improve regexp for fetching nova secret from files
At the moment regexp we have does require keyring to contain only
key option. If that is full ceph authx file that does also contain
caps, regexp will grab them as well, which will result in a play failure

This patch does improve regexp to grab only key regardless of all other
content that can be present in the file.

Change-Id: I176fbcd4901dfacd4b608fac4d4fbd256d263b2a
2023-02-28 12:57:19 +00:00
Zuul 13d48e96d4 Merge "Define libvirt secrets from keyring files in ceph_extra_confs" 2023-01-11 16:15:15 +00:00
Zuul 40b576c7a0 Merge "Use correct index of previous task results" 2023-01-04 15:22:39 +00:00
Dmitriy Rabotyagov b1dff02847 Update tox.ini to work with 4.0
With tox release of 4.0, some parameters were deprecated and are ignored now
which causes tox failures. One of the most spread issues we have is using
`whitelist_externals` instead of `allowlist_externals`


Change-Id: If194947d7929dd251113a0384a3bda3e5fde8915
2022-12-27 17:53:11 +01:00
Marcus Klein e7ebbeb5da Define libvirt secrets from keyring files in ceph_extra_confs
Previously this required always access to the mon_host of the Ceph
cluster to fetch the key for volume access. Now this key can be defined
through Ceph keyring files.

Change-Id: Ib2c755d38038b14ca3803de1bb9cbcec122eaa83
2022-12-16 13:25:49 +01:00
Marcus Klein 4054d737dd Use correct index of previous task results
Change-Id: I450515395a510e40debfcdeb04fd98169a7a835e
2022-12-16 11:24:48 +01:00
OpenStack Release Bot 6acf029ad6 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I534f5bdb19a1e1f75eeeeefbe01c8ec3bcdbe38f
2022-12-13 13:07:19 +00:00
Marcus Klein 6bdf19df35 Ensure role not fail when secret_uuid is not part of ceph_extra_confs
Most tasks already check whether secret_uuid is defined but cleanup
tasks do not do this and fail.

Change-Id: I31471907cafde83d73c8fa23bca377955523ec71
2022-12-08 11:12:34 +01:00
Erik Berg edbd5268d3 Remove redundant vars line
This line snuck in with I0a8fda2e71e80624edbe271139675a71196b23ef
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.

Change-Id: Icf9258e9f7c37e7ae34f6924fae432f15487b260
2022-09-15 09:10:22 +02:00
Dmitriy Rabotyagov b555c1b8c5 Do not delegate facts when fetching keyrings
At the moment if multiple clusters are used, like for AZ deployments
when cinder should connect to different ceph clusters, if
ceph_keyrings_dir defined per group_var or host_var, ceph_client_keys
will get defined multiple times each time overriding previous value,
as facts are delegated to the localhost. In order to avoid such
behaviour we define ceph_client_keys for host that delegates job
instead. This way value won't be overwritten and host_vars will be
respected.

Change-Id: I5109322a4ee805f9c0b53142a0e98d3f0aa2d3a5
2022-08-10 10:53:13 +02:00
Dmitriy Rabotyagov b3e7560e80 Provide opportunity to define cluster_name
In some cases, like AZ scenarios, deployments may interact with
several clusters at a time, while they will be distinguished by
the cluster_name. However, ceph_client role now assumes that
cluster name is `ceph` without any way to override such assumption.

Change-Id: I9dcad1e1c63294f4f59a1755507904808acb785e
2022-08-10 07:07:16 +02:00
Dmitriy Rabotyagov d9844a4e94 Switch sphinx language to en
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that current None value is not valid and should
not be used.


Change-Id: Iacff492513352324cc94535c756b220d4753541d
2022-05-30 16:01:13 +02:00
Zuul 47df3381e2 Merge "Allow service to be absent" 2022-05-23 11:13:37 +00:00
Zuul e094ff467b Merge "Drop default nova client_uuid" 2022-05-23 11:13:35 +00:00
Zuul 935af2b324 Merge "Drop duplicated group creation tasks" 2022-05-23 10:58:16 +00:00
Dmitriy Rabotyagov 6fbe1ab3c0 Use global package_state
We missed updating ceph_client_package_state to use package_state
for default value, as other roles do.
So we're fixing it not to update ceph client packages every time, which
can lead to interesting consequences depending on the destination.

Change-Id: I0d6014649307bb6556cdc189cf8d749e1ec9b20a
2022-05-18 20:45:30 +02:00
Dmitriy Rabotyagov 04714473a8 Drop duplicated group creation tasks
Exact same tasks are defined in tasks/ceph_auth.yml and should cover
needs.
So we can simply avoid running same set of tasks.

Change-Id: I30593660dc6ebab46e20b680b321e3c97315bff4
2022-05-18 13:59:02 +02:00
Dmitriy Rabotyagov f918ba48db Allow service to be absent
Currently we assume that there must be a service that needs to be
restarted. At same time it's not always the case, for example when
ceph_client role is used to prepare host for cephfs mount.

Change-Id: I6a5cf134a0117e6d8c12a339713ca425a31b907b
2022-05-18 13:47:43 +02:00
Dmitriy Rabotyagov e271e3e9b9 Drop default nova client_uuid
We have an override in user_secrets and we should not have default uuid.

Change-Id: I62846bc8df7558f9407e6c1b06a7a96e91e8e177
2022-05-18 13:20:05 +02:00
OpenStack Proposal Bot 030e273950 Updated from OpenStack Ansible Tests
Change-Id: I003800a1548aee4a03b8d8adaf6e91cf514f7006
2022-03-31 20:15:29 +00:00
Marc Gariepy d8fc0388af Cleanup setup.py config
Change-Id: I6a304677ec2d84be6298cdce952517eec8e6fcb0
2022-03-31 10:36:22 -04:00
Zuul e0141577da Merge "Simplify selection of the python interpreter." 2022-02-03 19:28:39 +00:00
Jonathan Rosser 1c427078c2 Simplify selection of the python interpreter.
We only support python3 so remove the logic supporting python2

Change-Id: I2bfbd657bf7ed5b042c3640586d8ae80c5b85136
2022-02-02 04:41:28 -05:00