Commit Graph

1373 Commits

Author SHA1 Message Date
Jimmy McCrory 501cf14342 Ensure nova_device_spec is templated as JSON string
When the nova_device_spec variable is provided as either a string or a
mapping, ensure that it's templated as a JSON string.

Also handle either strings or mappings within nova_device_spec if it's
provided as a list.

Closes-Bug: 2057961
Change-Id: I7041a19547af580408ff704578cb8f12d37da1ae
2024-03-14 12:09:56 -07:00
Zuul bfa8e12fcc Merge "Fix nova device_spec to support multiple values" 2024-02-13 14:37:15 +00:00
Dmitriy Rabotyagov b78e8a68ea Evaluate my_ip address once
Instead of evaluating the same condition of my_ip in multiple places across
the role, this patch suggests doing this once in vars and using the
resulting variable afterwards.

This not only reduces the amount of evaluations made throughout the role runtime,
but also solves possible corner cases where some syntax may go off.

Closes-Bug: #2052884
Change-Id: I454b53713ecacf844ac14f77b6d1e1adc1322c0e
2024-02-11 17:36:15 +01:00
Dmitriy Rabotyagov 9843c47e81 Always distribute qemu config file
In case ceph is not being used as the backend for nova, the qemu.conf
file is not distributed, thus some settings, like nova_qemu_vnc_tls, do
not have any effect.

Closes-Bug: #2003749
Change-Id: I4bc68567cda57d73d030d9a5017cc411f7ee7732
2024-02-06 16:59:15 +01:00
Andrew Bonney c7a976c584 Fix nova device_spec to support multiple values
It appears there was a change to remove the list option when
moving from pci_passthrough_whitelist. Instead device_spec
can be specified multiple times in the file.

This patch aims to resolve this whilst maintaining backwards
compatibility.

Change-Id: I12b38e45d7b41fbf4786d3320e511eb9127fe216
2024-02-06 09:17:58 +00:00
Dmitriy Rabotyagov 5300fcea9d Run ceph_client when cinder uses Ceph
In use cases where only cinder is using ceph we currently do not
execute the ceph_client role, which makes nodes fail to spawn instances
from RBD volumes.

A sample use case is where Glance might be using Swift and it might be desired to use
local storage for Nova ephemeral drives, but cinder spawns volumes
on Ceph.

Currently this can be worked around by setting `nova_rbd_inuse: True` but
at the same time `nova_libvirt_images_rbd_pool: ''`, though this is
counter-intuitive and this patch aims to improve this.

Change-Id: I412d1e9ccb51f0cd33a98333bfa1a01510867fbe
2024-01-16 17:29:25 +00:00
Dmitriy Rabotyagov 5a533aae23 Improve Blazar integration with Nova
As of today we do not have any means of Blazar integration with Nova,
while we do provide roles for Blazar installation for a while now. This
patch aims to bring in more native integration and remove necessity
of overrides for such deployment.

Related-Bug: #2048048
Co-Authored-By: Alexey Rusetsky <fenuks@fenuks.ru>
Change-Id: Ica50a5504de1b1604f72123751cbb3f45c85ab46
2024-01-05 05:27:42 +00:00
Zuul 20e83153bb Merge "Drop until-complete flag for db purge" 2023-11-10 16:38:12 +00:00
Damian Dabrowski ab72a180e6 Avoid failures when default libvirt network does not exist
This is a follow-up change to [1]. Depending on the operating system and
environment configuration, the default libvirt network may not exist.
Right now, the `Check for libvirt default network` task throws an error in
this case, causing the nova playbook to fail.

This change fixes that by instructing ansible to not throw an error
if `virsh net-list` fails with "Network not found: no network with
matching name" because it is acceptable to not have this network.

[1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899768

Change-Id: If692bc94f421bc84ad9e6d43f548b68196a9e751
2023-11-06 19:43:03 +01:00
Damian Dabrowski feb15af75b Always disable libvirt default network
Currently, autostart for libvirt default network is disabled only when
this network is active during nova playbook execution.
It's an incorrect behavior because in some cases this network may not be
active from the beginning.
Autostart should always be disabled to ensure that this network will not
be unexpectedly marked as active in the future (during package upgrade,
host reboot etc.).

Closes-Bug: #2042369
Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8
2023-11-01 10:09:31 +01:00
Zuul f372c88a09 Merge "Add nova_libvirt_live_migration_inbound_addr to compute SAN" 2023-10-26 09:58:24 +00:00
Zuul 5b7678c503 Merge "Cleanup upgrade to ssh_keypairs step" 2023-10-26 09:54:31 +00:00
Dmitriy Rabotyagov 51ce1d4923 Drop until-complete flag for db purge
Flag --until-complete is not valid for the nova-manage db purge command,
it is working only for archive_deleted_rows [1]. Supposedly it was a
copy/paste mistake to keep the flag in place.

[1] https://docs.openstack.org/nova/latest/cli/nova-manage.html#db-archive-deleted-rows

Change-Id: I7be8c41bd52b955d83c4452e67ef323abe00969e
2023-10-24 09:08:45 +02:00
Stuart Grace 7f431ebcda Use internal endpoint for barbican API
Nova defaults to using public endpoint for Barbican API which would
require internet access from the compute node so change this to
use the internal API endpoint.

Change-Id: Iaa14a9bf80d2e02197e74d67e812afc518fe1b65
2023-10-20 13:25:52 +01:00
Dmitriy Rabotyagov 4aa65eb606 Fix logic of discovering hosts by service
For quite some time, we have related usage of the --by-service flag for the
nova-manage cell_v2 discover_hosts command to the used nova_virt_type.
However, we run db_post_setup tasks only once, delegating to the
conductor host. With the latest changes to the logic, when this task is
included from the playbook level it makes even less sense, since
the definition of nova_virt_type for the conductor is weird and wrong.

Instead, we attempt to detect if ironic is in use by checking hostvars
of all compute nodes for that. It will include host_vars, group_vars,
all sort of extra variables, etc.

Thus, ironic hosts should be better discovered now with nova-manage
command.

Related-Bug: #2034583
Change-Id: I3deea859a4017ff96919290ba50cb375c0f960ea
2023-10-19 08:47:36 +00:00
Dmitriy Rabotyagov 738ac83cf5 Cleanup upgrade to ssh_keypairs step
We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.

Change-Id: Ie3cbeb4bd41d3137f2332f28dbc72c8028fb5b3a
2023-10-19 10:44:36 +02:00
Dmitriy Rabotyagov 155323fe68 Add nova_libvirt_live_migration_inbound_addr to compute SAN
Some deployments might want to perform live migrations over dedicated
networks, like a fast storage network, while keeping management over the default
mgmt network.

The current default behaviour will prevent such a use case, since
nova_libvirt_live_migration_inbound_addr is not added to the certificate
generated for libvirtd, and thus live migration will fail.

Also, to enable users to override the default behaviour more nicely and reduce
code duplication, a new variable ``nova_pki_compute_san`` was introduced,
that handles the SAN definition for compute nodes.

Change-Id: I22cc1a20190f0573b0350369a6cea5310ab0f0a7
2023-10-18 21:03:11 +02:00
Zuul 32867052d7 Merge "Run nova_db_post_setup from playbook directly" 2023-10-16 22:45:48 +00:00
Dmitriy Rabotyagov b266f9cda4 Stop generating ssh keypair for nova user
With transition to ssh-certificates for nova authorization, we no longer
need to generate and have SSH certificates for the nova user.

Change-Id: Iff105bafc177271cb59fb0662d4c139f56e64325
2023-10-13 21:13:19 +02:00
Dmitriy Rabotyagov e4ffb047c0 Run nova_db_post_setup from playbook directly
Due to some bugs delegation of tasks from compute to conductor hosts
does not work in real life. Due to that task import was moved to
the playbook level using role import in combination with tasks_from.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/897570
Change-Id: I777b1c90f57c805bc0a8593b5a5c7e63e43c4cd8
2023-10-09 10:24:32 +00:00
Dmitriy Rabotyagov 6fd5535e57 Add barbican_service_user section
Defining barbican_service_user is required for successful attachment
of encrypted volumes to VMs. Without it being in place nova-compute
fails with not being able to get a service_token.

Change-Id: I8ae3e263185b1cd8036a4fde12d9c950f2ce8b98
2023-10-09 08:25:25 +00:00
Dmitriy Rabotyagov d82a9d424e Fix example playbook linters
Change-Id: I0d44b87c2ac31827eeb72c1db3d48e0ca571633a
2023-10-09 10:24:48 +02:00
Zuul e57d076633 Merge "Do not install qemu package on debian derived OS" 2023-09-20 15:15:09 +00:00
Dmitriy Rabotyagov 08ccb5108a Split lines to not exceed 160-character limit
Change-Id: Ia5afdded2df7ec80b36072dec3c7fbbce5600647
2023-09-18 16:19:04 +02:00
Jonathan Rosser 76bbf0ff65 Do not install qemu package on debian derived OS
This is a dummy package with almost no content and no dependencies.
It does not exist on debian 12.

Change-Id: Ibb330238e728af257d46812e64a58fc71a424a1f
2023-09-12 16:34:44 +01:00
Marc Gariepy 9d2924fa80 Config has changed for pci passthrough.
Updating the config for pci devices since the old config is deprecated.
https://docs.openstack.org/nova/latest/configuration/config.html#pci.device_spec

Change-Id: Id2da29464359b4845c7d05e3bec53759341f4bad
2023-09-05 14:28:40 -04:00
Zuul 6873b7d8a1 Merge "Add quorum queues support for the service" 2023-09-04 08:03:03 +00:00
Zuul bf6aaf7ab0 Merge "Enable multiple console proxies where requried in deployments" 2023-08-30 09:49:31 +00:00
Dmitriy Rabotyagov da9793f18e Add quorum queues support for the service
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.

In order to ensure an upgrade path and the ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I792595dac8b651debcd364cd245145721575a516
2023-08-28 08:17:52 +00:00
James Denton a2fb474086 Allow Glance region to be set via variable
The region_name var is missing from the [glance] block in
the nova.conf template, and while a conf override can be used,
all other service blocks have region_name defined and overridable
with service_region.

Change-Id: I28ac078f9ebe24c8799638e93d0967003d0c0605
2023-08-15 10:47:10 -05:00
Zuul 2928f95e1a Merge "Fix linters and metadata" 2023-08-14 11:19:50 +00:00
Andrew Bonney d0877c6fd3 Enable multiple console proxies where required in deployments
When Nova is deployed with a mix of x86 and arm systems
(for example), it may be necessary to deploy both 'novnc' and
'serialconsole' proxy services on the same host in order to
service the mixed compute estate.

This patch introduces a list which defines the required proxy
console types.

Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6
2023-08-07 08:19:06 +01:00
Dmitriy Rabotyagov 9b9bc21121 Fix linters and metadata
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect the current state.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I730ae569f199fc8542a5a61beb149f459465d7e2
2023-07-17 16:17:30 +02:00
Damian Dabrowski 7000bc3f3f Deprecate nova_ram_weight_multiplier
A long time ago a variable `nova_ram_weight_multiplier` was implemented
and its default value was set to 5.0.
There are 2 issues with this:
1. The default value in nova is 1.0 [1] so our value is much bigger than
nova's default without having a strong reason for that.
2. OSA does not provide similar variables for other multipliers like
`cpu_weight_multiplier`.

Because there are a couple of different multipliers and more of them
can be implemented in the future (for ex.
`hypervisor_version_weight_multiplier` was implemented in 2023.2) it
would be hard for the OSA project to maintain variables for all of them.
It is better to deprecate `nova_ram_weight_multiplier` and let users
define multipliers with `nova_nova_conf_overrides` if necessary.

[1] https://docs.openstack.org/nova/2023.1/configuration/config.html#filter_scheduler.ram_weight_multiplier

Change-Id: I4f82840e94312d38696e3ddd05ef494821233f4d
2023-07-11 21:35:41 +02:00
Damian Dabrowski c90a5c2b92 Apply always tag to nova_virt_detect.yml
Running the nova playbook with a tag limit may lead to an error:

The conditional check 'nova_virt_type != 'ironic'' failed. The error
was: error while evaluating conditional (nova_virt_type != 'ironic'):
'nova_virt_type' is undefined\n\nThe error appears to be in
'/etc/ansible/roles/os_nova/tasks/main.yml': line 289, column 3, but
may be elsewhere in the file depending on the exact syntax problem.

It can be easily fixed by applying the always tag to tasks from
nova_virt_detect.yml

Change-Id: I56aee80180804b8a3e3316cffc6fa8115513b8f1
2023-06-06 07:35:36 +02:00
Dmitriy Rabotyagov 47007578b1 Install libvirt-daemon for RHEL systems
CentOS has upgraded their libvirt to version 9.3, where libvirt-daemon
is not installed as a dependency anymore. So we need to explicitly
install this package to restore functionality.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2209936

Change-Id: Ic6f2606b5a478c7a891c25bd131ad351a19699bc
2023-05-25 21:01:26 +00:00
Dmitriy Rabotyagov 00d59dcd41 Add auth credentials for service_user
Having auth credentials in service_user is required to interact with
other services. Otherwise nova won't be properly authenticated,
for example during volume detach request.

Change-Id: Ifd607d3acfb18ee4d1de0b8dc39350419cae9c22
2023-05-22 15:51:53 +02:00
Zuul 4b20549673 Merge "Define service_user for nova services" 2023-05-20 10:16:27 +00:00
Dmitriy Rabotyagov 9c23b0c359 Define service_user for nova services
In order to cover OSSA-2023-003, a requirement to define service_user
section for all nova services has been added by nova.

Change-Id: I81cd6431fec94f56b0ebd66c94e90c9623ba0e38
2023-05-19 11:48:46 +00:00
Zuul 34e86d2851 Merge "Add way to periodically trim Nova DB" 2023-05-18 21:33:56 +00:00
Zuul 6314e46fe9 Merge "Ensure ipxe-qemu is always installed" 2023-05-18 18:32:12 +00:00
Dmitriy Rabotyagov efe64725e1 Add way to periodically trim Nova DB
We're adding 2 services that are responsible for executing db purge and
archive_deleted_rows. Services will be deployed by default, but left
stopped/disabled. This way we allow deployers to enable/disable the
feature by changing the value of nova_archive/purge_deleted.

Otherwise, when variables are set to true once, setting them to false won't
lead to stopping of DB trimming and that would need to be done manually.

Change-Id: I9f110f663fae71f5f3c01c6d09e6d1302d517466
2023-05-18 08:11:02 +00:00
Zuul 2925c1c29c Merge "Delegate compute wait tasks to service_setup_host" 2023-05-09 12:14:08 +00:00
Zuul 5a839b7af3 Merge "Use include instead of import for conditional tasks" 2023-05-04 23:12:02 +00:00
Jonathan Rosser 15fde4287d Ensure ipxe-qemu is always installed
This is required by qemu-system-x86 but only recommended by
qemu-system-arm. Without the file /usr/lib/ipxe/efi-virtio.rom
from ipxe-qemu it is not possible to boot a VM on arm
hosts.

This patch ensures that ipxe-qemu is always installed.

Change-Id: I27fd98a1568bda8bea3d88c3f18b44a080982d0e
2023-05-04 10:08:12 +01:00
Zuul dd00e710d7 Merge "Add TLS support to nova API backends" 2023-05-03 14:57:07 +00:00
Damian Dabrowski e02e56fc93 Add TLS support to nova API backends
By overriding the variable `nova_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the nova backend api.

The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.

`nova_pki_console_certificates` are used to encrypt:
- traffic between console proxy and compute hosts

`nova_pki_certificates` are used to encrypt:
- traffic between haproxy and its backends (including console proxy)

It would be complex to use nova_pki_console_certificates to encrypt
traffic between haproxy and console proxy because they don't have a valid
key_usage for that and changing key_usage would require manually setting
`pki_regen_cert` for existing environments.

Certs securing traffic between haproxy and console proxy are provided in
execstarts because otherwise they would have to be defined in nova.conf,
which may be shared with nova-api (which stands behind uwsgi and should
not use TLS).

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ibff3bf0b5eedc87c221bbb1b5976b12972fda608
2023-04-29 18:49:39 +02:00
Dmitriy Rabotyagov 5d310c69fd Use include instead of import for conditional tasks
When import is used ansible loads the imported role or tasks, which
results in plenty of skipped tasks which also consume time. With
includes ansible does not try to load the play, so time is not wasted on
skipping things.

Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/880344
Change-Id: I47c6623e166254802ed0b479b2353c5f2ceb5cfa
2023-04-24 17:52:29 +00:00
Dmitriy Rabotyagov ef4ca0c2b4 Delegate compute wait tasks to service_setup_host
At the moment, we do deploy openrc file on conductors and delegate
task to them. At the moment there is no good reason to do so,
since we're actively utilizing service_setup_host for all interactions
with API. With that we also replace `openstack` commands with native
compute_service_info module that provides all information we need.

Change-Id: I016ba4c5dd211c5165a74a6011da7bb384c7a82a
2023-04-24 17:51:06 +00:00
Dmitriy Rabotyagov cb62372a31 Move online_data_migrations to post-setup
According to nova rolling upgrade process [1], online_data_migrations
should run once all the services are running the latest version of the
code and were restarted. With that, we should move online migrations
after handlers being flushed, when all services are restarted.

At the same time, nova-status upgrade check must run before services
are restarted to the new version, as service restart might lead to
service breakage if upgrade check fails [2]. It makes no sense to
run upgrade check when upgrade is fully finished.

[1] https://docs.openstack.org/nova/latest/admin/upgrades.html#rolling-upgrade-process
[2] https://docs.openstack.org/nova/latest/cli/nova-status.html#upgrade

Change-Id: Ic681f73a09bb0ac280c227f85c6e79b31fd3429a
2023-04-12 18:21:52 +02:00