There is no obvious need to have SSH keypairs for the ironic user.
I was not able to find any proof in the project installation guide that
such keypairs were ever needed. Thus, such functionality is removed.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I493d5f5aa0a915e7bc9fb7dbcd2673749c0b95d3
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I1ab9664505068c20924370790322caa67cc6e022
By overriding the variable `ironic_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the ironic backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: If97a857c36e9e3e7ad8a18926bb9cbf04189c7cb
Some of these files are already statically defined in the role vars,
but cannot be extended. The new variable ironic_tftp_extra_content
allows either local files (path:) or files from a web server (url:)
to be copied into the tftp server root.
A feature like this is needed to copy EFI firmware to the tftp root
for ironic node CPU architectures that are different to the
ironic control plane nodes. The EFI firmware is sometimes not
available from the system package manager for architectures
different to the host CPU.
Change-Id: Ie30c009d0704b87c2298088935a7f2ec0d55c6fb
This directory is used by ironic to write logs collected from
ironic-python-agent on nodes being deployed to the disk of the
controller. Without the directory errors occur and it is not possible
to read the log from the agent.
"Failed to store the logs from the node <uuid> deployment due a
file-system related error. Error: [Errno 13] Permission denied:
'/var/log/ironic'"
Change-Id: I25a03e35f29ad7a835dfd72447fa7d20c50fd85c
The directory for the tftp server is defined consistently between ironic
and inspector, but not for the http directory.
This patch makes the definition of the http directory work the same
way as the tftp one.
Change-Id: I8d893faa31e5858c4923cb12ef453ec9397db5df
It might be needed to supply a list of extra deploy images as
well as the defaults, possibly to cover architectures in
addition to x86.
Change-Id: I2ecf21c44bac75b0e2cbf3bd786821ff0b7bf31a
The deploy image is required in two places in an ironic deployment,
first as images uploaded to glance for the ironic service, and second
as files on a web server for the ironic-inspector service.
Previously this role only placed the deploy images on the ironic
inspector web server, but this patch provides the functionality to
also upload the images to glance.
The variables for ironic deploy image source locations are
consolidated so that only one set is required to run the tasks
for both ironic and ironic-inspector, and several overrides are
available allowing the source to be overridden to a local mirror
easily.
Finally - the name of the files placed on the inspector web server
and into glance represent the upstream name of the image files rather
than generic names which lose versioning and release information.
Change-Id: I1aed9d97a4ddbfb70d2375f5204c55374d1067c9
In an LXC deployment, nginx runs in both the ironic-api and
ironic-inspector containers. The api container can use ipxe to
boot the deployment and user images when `ironic_ipxe_enabled`
is true. The inspector container can use ipxe to independently
serve the deploy images during inspection.
On a metal deployment these nginx instances are co-located on the
same host and share the same config files and directory structure
so no additional config is needed for inspector's nginx instance.
In an LXC deployment the api and inspector containers need their
own individual nginx configuration to be written. This patch adds
that configuration for inspector.
A future patch could refactor the code so that only one set of
tasks is needed to deploy the nginx config to both inspector
and api.
Change-Id: Ida20e6835c6ca1c941fa76eadecf3d49e8b1239f
Swift requires CA path to be set either with OS_CACERT env var or with
similar flag passed to command.
Change-Id: I40e4a0ae0e702fdc9bfbb18dcc6ef1ea3f84926f
This line snuck in with I097989555a5bd3c84a8cbe992ee64f1a3dd956c9
probably to bring it in line with other OSA roles, but should already
be covered by the distribution_major_version line above.
Change-Id: Ib4a369bb27e5e0fce47ddb955dab951e6871319a
Currently the ironic role uses ansible_host as the IP to bind these
services to, which means that in an LXC deployment it is not
possible to provision ironic hosts on the bmaas network as
the services are instead bound to the mgmt network.
The code worked previously as it is most likely developed on metal
and the CI job does not actually enrol/provision a node so the
test coverage is very small.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/852174
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/854231
Change-Id: Id544d395f42f4c36a17e9c20a35aeb56a5e3bf03
There is a choice of dnsmasq or isc-dhcpd from the role defaults,
only install the config file for the one that is in use.
Change-Id: I2ab5709789582c5de4b703e78c8ddd9672fc5ca8
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.
This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.
Change-Id: I097989555a5bd3c84a8cbe992ee64f1a3dd956c9
This patchset aims to correct some design limitations with the current
ironic-inspector deploy process.
- a new ironic-inspector-dnsmasq service has been created to split
inspector-specific dnsmasq configuration out of the base dnsmasq
config files
- PXE/iPXE and UEFI support for ironic-inspector boot
- (todo) documentation improvements and diagrams
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823426
Change-Id: Ib5cbb28f97dd7421bfecb815def89305f3b1da33
This patchset adds support for deploying instances using UEFI baremetal
nodes. UEFI may replace Legacy BIOS mode in future Ironic releases. Tested
with Ubuntu Focal 20.04 LTS.
Change-Id: I0fa6234ec7321e1d69901175baeab4ddb08afc50
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to replace policy.json with
policy.yaml and remove deprecated policy.json.
config_template has been chosen instead of the copy, since it can
properly handle content that has been looked up.
We make a separate task not to restart service when it's not needed.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I701473f4d99e0be06dea494eee4f08212bb7d853
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variables files are generalised where possible.
Change-Id: Ia73e88947f52a74d9c03a17a7b1201a6346b5ac3
We use the same condition, which defines against what host some "service"
tasks should run against, several times. It's hard to keep it the same
across the role and ansible spends additional resources to evaluate
it each time, so it's simpler and better for the maintenance to set
a boolean variable which will say for all tasks, that we want to run
only against a single host, if they should run or not now.
Depends-On: https://review.opendev.org/758953
Change-Id: Iab3194322e133282fcb71830f2b94e1279106ebd
This patchset adds support for iPXE, which can speed up baremetal
provisioning considerably due to the use of HTTP versus TFTP.
Change-Id: I8b49ae37a0380cd7a2191f050a52c85cc373026b
When we were migrating service to uwsgi usage, we clean forgot to
trigger uwsgi restart on service config change.
Depends-On: https://review.opendev.org/758953
Change-Id: Iaf42be11b69bd2630c3f2e929ccff8b9ad9f0639
Move it to the service setup host (defaults to utility[0]) instead
of the galera[0] host, and use galera_address (defaults to internal VIP)
as the endpoint instead of a local connection on the db host.
Change-Id: I87d61c619920a945c7a0b0887e3902f39f2b1b3c
1. There was an issue with pip packages not being installed when
inspector_hosts is not defined.
2. The db_setup task failed when inspector_hosts is not defined because of
the condition.
Change-Id: I0ccd782ffd54322896559e5a6218ff532f3cae03
This commit enables and configures the Ironic Inspector. This feature
allows for baremetal nodes to be introspected. This provides useful
information about an Ironic host. Such information includes hardware
and MAC addresses.
Depends-On: https://review.opendev.org/680553
Change-Id: I2ee09d9cc20f9b8e4430c55129cd8bac9435299d
Move service to use uWSGI role instead of internal task for uwsgi
deployment. This aims to ease the maintenance of uWSGI and speed up
metal deployments as the same uwsgi environment will be used
across all services.
Change-Id: Ie79a7ba7d62504e9e81edbb386f8e52ce0a03074