Commit Graph

848 Commits

Author SHA1 Message Date
Damian Dabrowski 56d69ce9e8 Fix resolved config on Debian
Currently, file /etc/systemd/resolved.conf.d/openstack-ansible.conf has
incorrect format and is being ignored:

```
systemd-resolved[740]:
/etc/systemd/resolved.conf.d/openstack-ansible.conf:2:
Missing '=', ignoring line.
```

Change-Id: I23529b0dd032cbb6ba59acc3d3b668c06847da08
2024-01-05 12:26:31 +01:00
Dmitriy Rabotyagov bd011b0eee Fix permissions for base directories
With fixing linters [1] I have accidentally set incorrect mode for base directories
to 0644 while it should be 0755.

[1] https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/888180

Closes-Bug: #2047593
Change-Id: Ied402f4f22ac333573c7144877da669251eccf8c
2024-01-04 15:31:46 +01:00
Zuul 3d6a3d812d Merge "Stop installing openssh and rsync to containers" 2023-10-13 09:51:09 +00:00
Dmitriy Rabotyagov d4d8114a11 Stop installing openssh and rsync to containers
With fixing keystone role there should be no need in explicitly
installing rsync and openssh everywhere.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/889934
Change-Id: I25729462fa6be7953e8ef0687ec4580509c21aaf
2023-10-12 08:01:57 +00:00
Jonathan Rosser d57f9a8f47 Remove lxc_cache_map variable
This has not had any practical use for several releases and mostly
carries copies of ansible facts. Remove the variable and use the
facts directly.

Change-Id: I1d2be9d07b38eaf2b737819c451a0d2339f723d0
2023-10-11 15:56:08 +00:00
Jonathan Rosser a22ec2150f Remove old tasks and vars from image download process
These are leftover from when the role downloaded prebuilt LXC
images, but are no longer used.

Change-Id: I3689e18cbd62804d7a959beb8f58f91920beecd1
2023-10-10 17:38:52 +01:00
Jonathan Rosser 655818e0a0 Remove old cleanup task
Change-Id: If065bbd51701591c5755278e86423ef46f01f893
2023-10-10 17:25:16 +01:00
Jonathan Rosser 39542e2c65 Switch to native systemd-resolved from resolv.conf
Rather than edit resolv.conf, use the recommended method of
operation for systemd-resolved and configure the dns server
through a resolved drop-in.

Change-Id: I1b08a45ccced87ecd200f3e7294165e922df39ff
2023-09-29 12:44:13 +00:00
Jonathan Rosser 03dc91fa85 Add ca-certificates into debian base image during debootstrap.
debootstrap uses http for its apt config so can function without
the certificates from ca-certificates being installed.

The debian bookworm cloud image defaults to using https for the
apt repo urls, so unless the ca-certificates package is present
no more apt operations can be done once the apt configuration is
synchronised from the host to the container image.

Installing ca-certificates during the initial debootstrap avoids
the issue of not being able to install ca-certificates due to failed
SSL verification.

Change-Id: Ia78429eaf4bd71a8f3509c4e484f7dd02574c6b1
2023-09-29 12:44:05 +00:00
Jonathan Rosser 2506f0080a Sync additional apt config from the host to the container base image
Debian bookworm needs the sources.list.d and mirrors directory
syncing to the container image to result in a working apt config.

Change-Id: I0c62340e7868948d9c55c96559ddafadf8cb7db1
2023-09-29 12:43:58 +00:00
Jonathan Rosser 22b6df4193 Ensure systemd-resolved is present in debian container images
It is not present by default in the rootfs built by
debootstrap for debian bookworm

Change-Id: Ie7200d5c01948c885c3dd4e8103c8f0a65e26108
2023-09-28 09:19:18 +00:00
Jonathan Rosser 42cfa88bb5 Fix linter error
Split long line

Change-Id: I2466a9959bc93da754e11d8b9c6fb5d90f64163f
2023-09-28 10:00:13 +01:00
Dmitriy Rabotyagov 2272de8f0c Fix linters issues
With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

This is a follow-up change to [1].

[1] https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/888180

Change-Id: I2564e3dcb2efad8f6a2ed21bec61668c1b6f6209
2023-08-22 13:24:46 +02:00
Dmitriy Rabotyagov 4686fac862 Add retries to LXC base build command
Sometimes there could be intermittent issues on some of the
mirrors that would be picked while building the base image.

In order to increase the chances of the image building, we add
retries to increase the chances of picking a properly synced mirror.

Change-Id: I5546ee71cce4f4b40fbd1d38d5d49586606bbbda
2023-07-20 07:27:33 +00:00
Dmitriy Rabotyagov a5589beb5f Fix linters issue and metadata
With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect the current state.

Change-Id: If6171be3d649f6e7dd26decf1460d45775bd5f9e
2023-07-20 07:27:08 +00:00
Dmitriy Rabotyagov a51291f87d Refactor LXC image expiration
Right now we write the output of `date -d @{{ timestamp }}` to
the expiry file, and then attempt to compare it with a timestamp.
However, the output of `date -d` is a datetime and not a timestamp,
so these 2 things cannot be properly compared. So the image cache
was valid forever.

Change-Id: I42f5b43f09d3c530813dd7fd334eafce7a5eaf39
2023-07-20 07:25:46 +00:00
Dmitriy Rabotyagov caebffe51e Cleanup old OS support
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/886517
Change-Id: I45c4126b30ddf1e552808667937692af1764c491
2023-06-21 12:14:06 +02:00
Zuul 6edd7f802b Merge "Allow to create OVS bridge for lxcbr0" 2023-01-13 17:36:25 +00:00
Jonathan Rosser e519c6b302 Remove "warn" parameter from command module
This is removed in ansible 2.14.

Change-Id: I38e2fdbbd6dab744199407504911caecdbfc140f
2023-01-10 08:38:49 +00:00
Dmitriy Rabotyagov db7c1e8a7c Allow to create OVS bridge for lxcbr0
This patch aims to handle creation of OVS bridge if
`lxc_net_bridge_type` is set to `openvswitch`. That will finalize path
when deployer prefers to have OVS as the only bridge provider and does not
use LXB for any bridges.

Change-Id: Idd7a6eecf718df7fd8b4ae008f7dc00e42e8c32c
2023-01-03 08:05:05 +00:00
Dmitriy Rabotyagov 97a3e26e01 Update tox.ini to work with 4.0
With the tox release of 4.0, some parameters were deprecated and are ignored now,
which causes tox failures. One of the most widespread issues we have is using
`whitelist_externals` instead of `allowlist_externals`

Change-Id: I4967f301398621ae6e7b47b22d9a4d52037f6a3b
2022-12-27 17:53:12 +01:00
Zuul 5a36b5cd26 Merge "Ensure tar is installed on LXC host" 2022-12-19 16:59:28 +00:00
OpenStack Release Bot 8975a4df06 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I80855ac314edcb193375976c86ac6001fac83ff3
2022-12-13 13:09:09 +00:00
Dmitriy Rabotyagov 30b97f57c9 Ensure tar is installed on LXC host
Tar is required for LXC to create base container using lxc-create. When
it's absent lxc-create exits with code 1 without any output on this
task [1]

[1] ef721dbf13/tasks/lxc_cache_create.yml (L71)

Change-Id: Ic54d160c7329aebb7769c407d3af7b0f66145bcc
2022-12-12 15:57:37 +01:00
Jonathan Rosser ca12ef136a Add git and libxml2 to container base image
These are needed universally in the service container images so
install them into the base image to save build time later.

Change-Id: Ia51329110ffa2c634799544ac6c7b7f2016369a5
2022-12-12 09:49:44 +00:00
Jonathan Rosser ef721dbf13 Use correct apt repo when ubuntu architecture is not x86_64
All other architectures are at ports.ubuntu.com.

Change-Id: I0f2d433bc11bd28541b48bf6b6644d83d4d19c4d
2022-11-30 14:02:35 +00:00
Dmitriy Rabotyagov 9385ec8011 Add option to disable lxc interface management
This change adds a new role default option which will allow operators
to omit the deployment of specific lxc bridge network config. This
change is being implemented because, as an operator, I have a host
setup specifically built for OpenStack which includes an interface
config covering the lxc deployment. Currently when running a deployment
the role will attempt to deploy a new interface file which at best
conflicts with the host setup and at worst fails to run due to the
interface being in a state unknown to OSA.

The new config option `lxc_net_managed` is default **true** keeping
the existing expectations, but when set to **false** the role will
no longer deploy an interface file or attempt to bring up the interface
using the distro tools.

Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Change-Id: Icdf4a1f5ff98dc1b86c6a87ea4e606b7c74e1aac
2022-11-29 17:27:05 +01:00
Dmitriy Rabotyagov 3d8e3690ba Replace ifupdown with native ip-link
We also leverage systemd-networkd for managing lxc-net and replace
the use of a custom service template for the lxc-dnsmasq service with our
systemd-service role. These changes are quite tightly tied together, so
it's quite hard to split them into different patchsets.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/861350
Change-Id: I5ac99e2b6c6e6ccd9da18ae68e1f8801f95f4f4e
2022-11-11 09:57:56 +01:00
Dmitriy Rabotyagov d1fe9f7bec Cleanup CentOS 8 Stream
Change-Id: I48120976c48a8edcfdec29e651928f55ff92155a
2022-11-02 12:46:47 +01:00
Dmitriy Rabotyagov 3d25c4f72b Cleanup unused templates
aria2c and systemd-proxy templates exist but they are not referenced
and used by playbooks nowadays. Thus, we can safely remove them

Change-Id: I5223138aa7e50c92531076fe7764f204bfec3e24
2022-10-14 13:24:35 +02:00
Dmitriy Rabotyagov a09612c1fb Use policy_rc_d attribute instead of copy
Since ansible 2.8 it's possible to provide policy_rc_d attribute to the
apt module in order to avoid service restart on installation/upgrade

Change-Id: I299605bb5735cd510a82490a710ef6fae98bfafa
2022-09-26 13:30:35 +02:00
Erik Berg 028d3e5303 Remove redundant vars line
This line snuck in with Icfa97babeb7034cab623aca883bb83d5a07f7233
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.

Change-Id: Ifa5d05a70988962e2bce8538204ddd3131ad6003
2022-09-15 10:15:43 +02:00
Jean-Philippe Evrard 0b35e65fd2 Define coherent safe default for package state
Instead of overriding this value everywhere, it's easier to
define it from the start to the value we want. In this case,
we want to define it to "present", while still being
overridable.

Change-Id: If9db9aec4b48d2118aae0f2ef611f0e044d63fb3
2022-08-09 14:28:39 +02:00
Dmitriy Rabotyagov f8594d335f Prevent lxc.service from being restarted on package update
As of today, each lxc-utils update would lead to restart of all
containers. At the same time this might be unwanted behaviour, as
if it's run without limit, all cluster members inside containers can
go down at the same time.

In order to prevent that, we place policy-rc.d file that will simply
quit with 101 code `action forbidden by policy` on service restart
attempt.

Change-Id: I9140b7ab9f9266fcf4fe800e4610497f2324df4e
2022-07-28 09:40:05 +00:00
Andrew Bonney 783076a508 Take account of lxc_apt_mirror in new debootstrap command
Without this change the mirror variable is ignored which can
cause issues on systems running behind a proxy.

Change-Id: I3e761c181c1bf3b736fff3bf9ac441e266bc4e2c
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/851233
2022-07-27 14:37:05 +00:00
Zuul 844ebcdab6 Merge "Switch sphinx language to en" 2022-05-30 16:11:29 +00:00
Dmitriy Rabotyagov 51228fad0a Switch sphinx language to en
With the sphinx release of 5.0.0, they changed the default for the language variable
to 'en' from None. With that, the current None value is not valid and should
not be used.

Change-Id: I5f7244ed81d9ab87e23654d881d976bc4faa2960
2022-05-30 16:01:17 +02:00
Jonathan Rosser 3b8d1459b9 Disable apt phased updates inside containers.
Inside a chroot, phased updates are disabled [1]. This means that
the container base image always gets the latest packages regardless
of what is happening with the phasing.

At runtime, the default in Ubuntu releases 21.04 and onward is to
obey the package phasing information. This means that packages
inside the OSA built container image can be newer than the installation
candidates once the container is running, leading to installation
errors. This is particularly sensitive with source packages such as
systemd where there is a very tight version coupling between
all components leading to only one valid installation candidate.

This patch creates apt config inside the container base image to
always install the latest package version regardless of phasing.

There does not seem to be any alternative, as phasing is always
disabled during the debootstrap.

[1] https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345

Change-Id: Ia558e3aa1447220016c53349cf9dac0b822d06f4
2022-05-30 12:39:45 +00:00
Zuul 5f47e6d310 Merge "Use integrated repo 'hosts' jobs to test different backing stores" 2022-05-30 10:28:43 +00:00
Jonathan Rosser 667321df9c Use integrated repo 'hosts' jobs to test different backing stores
This uses the main openstack-ansible repo for testing these different
backing store scenarios rather than openstack-ansible-tests. This is
more maintainable and ensures that we test using the same code as is
used for a real deployment.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/843027
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-repo_server/+/843418
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/843547
Change-Id: Ic62a8fd7290318ed7c76c22620ee0b6f09075a85
2022-05-26 21:29:46 +00:00
Jonathan Rosser fd23eeedfc Add centos-9 support
Remove installation of aria2 everywhere as we no longer download
lxc images but build them locally.

Change-Id: I5eba0b1f08cfe23998cf1116bb017e8a8ef0bb72
2022-05-19 17:23:09 -04:00
Dmitriy Rabotyagov 3928a0b914 Clean up NFV OpenvSwitch repo for container build
NFV repo is supposed to be installed using system packages, as it should
also contain nfvsigdist variable for yum.
So to avoid an issue with yum update at this step we drop the repo that was
copied from the host.

As an alternative approach, we can drop copying yum.repos.d altogether, but this
can lead to unexpected results.

Change-Id: Ia5041c7d855a9e988afc4c2a0d16fdeb6a9c357f
2022-05-17 12:53:20 +02:00
Zuul 4d4517f2af Merge "Replace systemd-mount template with role" 2022-04-29 20:56:48 +00:00
Zuul c679877aba Merge "Unify debian and ubuntu cache prep scripts" 2022-04-29 17:05:26 +00:00
Jonathan Rosser d72ed7e469 Unify debian and ubuntu cache prep scripts
These should be able to be common, with a dictionary added to select
the right libpython version to install based on the OS release.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-lxc_container_create/+/839167
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/838762
Change-Id: I2cb97a25237a0495ea8d9001d80d06b134b8e500
2022-04-27 08:35:00 +00:00
Zuul 01a8891afc Merge "systemd-resolved package is not available for redhat" 2022-04-26 13:11:31 +00:00
Jonathan Rosser 8626a26d9a Ensure systemd-udev is present in centos containers
This is needed to ensure that systemd-tmpfiles-setup service
is present, which is used to create /dev/fuse in centos containers
in other parts of the osa-gluster patch series.

Change-Id: I6a6401debad4937eb9f6a5be31c8cee42d7035cd
2022-04-19 11:07:20 +00:00
Jonathan Rosser e8e89c0b13 systemd-resolved package is not available for redhat
Change-Id: Ib6134264e1a1d3a19b343b3c503da1602b68bc00
2022-04-11 09:20:35 +00:00
Dmitriy Rabotyagov 337ddf8780 Replace systemd-mount template with role
To reduce role complexity we replace the separately maintained template
with systemd_mount role that is widely used across OSA.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/836945
Change-Id: I23632f9c145be334b1d19067352f8b82114a1209
2022-04-07 11:40:09 +00:00
OpenStack Proposal Bot 469a0e5fee Updated from OpenStack Ansible Tests
Change-Id: Iedefd4210a53320f0f5bed985bca3ccc4cb5c331
2022-03-29 17:17:24 +00:00