Add variable nova_cell_force_update to enable deployers to ensure that
role execution will also update cell mappings whenever that is needed.
For instance, it could be password rotation or intention to update MySQL
address.
Change-Id: I5b99d58a5c4d27a363306361544c5d80759483fd
In case ceph is not being used as a backend for nova, the qemu.conf
file is not distributed, thus some settings, like nova_qemu_vnc_tls, do
not have any effect.
Closes-Bug: #2003749
Change-Id: I4bc68567cda57d73d030d9a5017cc411f7ee7732
In use cases where only cinder is using ceph we currently do not
execute ceph_client role, which makes nodes fail to spawn instances
from RBD volumes.
A sample use case is where Glance might be using Swift and it might be desired to use
local storage for Nova ephemeral drives, but cinder is spawning volumes
on Ceph.
Currently this can be worked around by setting `nova_rbd_inuse: True` but
at the same time `nova_libvirt_images_rbd_pool: ''`, though this is
counter-intuitive and this patch aims to improve this.
Change-Id: I412d1e9ccb51f0cd33a98333bfa1a01510867fbe
This is a follow-up change to [1]. Depending on operating system and
environment configuration, default libvirt network may not exist.
Right now, `Check for libvirt default network` task throws an error in
this case causing nova playbook to fail.
This change fixes that by instructing ansible to not throw an error
if `virsh net-list` fails with "Network not found: no network with
matching name" because it is acceptable to not have this network.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899768
Change-Id: If692bc94f421bc84ad9e6d43f548b68196a9e751
Currently, autostart for libvirt default network is disabled only when
this network is active during nova playbook execution.
It's an incorrect behavior because in some cases this network may not be
active from the beginning.
Autostart should be always disabled to ensure that this network will not
be unexpectedly marked as active in the future (during package upgrade,
host reboot etc.).
Closes-Bug: #2042369
Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8
For quite some time, we have related usage of the --by-service flag for
the nova-manage cell_v2 discover_hosts command to the used nova_virt_type.
However, we run db_post_setup tasks only once, delegating them to the
conductor host. With the latest changes to the logic, when this task is
included from the playbook level it makes even less sense, since
definition of nova_virt_type for conductor is weird and wrong.
Instead, we attempt to detect if ironic is in use by checking hostvars
of all compute nodes for that. It will include host_vars, group_vars,
all sorts of extra variables, etc.
Thus, ironic hosts should be better discovered now with nova-manage
command.
Related-Bug: #2034583
Change-Id: I3deea859a4017ff96919290ba50cb375c0f960ea
We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.
Change-Id: Ie3cbeb4bd41d3137f2332f28dbc72c8028fb5b3a
With transition to ssh-certificates for nova authorization, we no longer
need to generate and have SSH certificates for the nova user.
Change-Id: Iff105bafc177271cb59fb0662d4c139f56e64325
Due to some bugs delegation of tasks from compute to conductor hosts
does not work in real life. Due to that task import was moved to
the playbook level using role import in combination with tasks_from.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/897570
Change-Id: I777b1c90f57c805bc0a8593b5a5c7e63e43c4cd8
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
its behaviour.
In order to ensure an upgrade path and the ability to switch back to HA queues
we change vhost names by removing the leading `/`, as enabling quorum
requires removing the exchange, which is a tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I792595dac8b651debcd364cd245145721575a516
When Nova is deployed with a mix of x86 and arm systems
(for example), it may be necessary to deploy both 'novnc' and
'serialconsole' proxy services on the same host in order to
service the mixed compute estate.
This patch introduces a list which defines the required proxy
console types.
Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6
With the update of ansible-lint to version >=6.0.0 a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect the current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I730ae569f199fc8542a5a61beb149f459465d7e2
Running nova playbook with tag limit may lead to an error:
The conditional check 'nova_virt_type != 'ironic'' failed. The error
was: error while evaluating conditional (nova_virt_type != 'ironic'):
'nova_virt_type' is undefined\n\nThe error appears to be in
'/etc/ansible/roles/os_nova/tasks/main.yml': line 289, column 3, but
may be elsewhere in the file depending on the exact syntax problem.
It can be easily fixed by applying always tag to tasks from
nova_virt_detect.yml
Change-Id: I56aee80180804b8a3e3316cffc6fa8115513b8f1
We're adding 2 services that are responsible for executing db purge and
archive_deleted_rows. Services will be deployed by default, but left
stopped/disabled. This way we allow deployers to enable/disable
feature by changing value of nova_archive/purge_deleted.
Otherwise, when variables are set to true once, setting them to false won't
lead to stopping of DB trimming and that would need to be done manually.
Change-Id: I9f110f663fae71f5f3c01c6d09e6d1302d517466
By overriding the variable `nova_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the nova backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
`nova_pki_console_certificates` are used to encrypt:
- traffic between console proxy and compute hosts
`nova_pki_certificates` are used to encrypt:
- traffic between haproxy and its backends (including console proxy)
It would be complex to use nova_pki_console_certificates to encrypt
traffic between haproxy and console proxy because they don't have valid
key_usage for that and changing key_usage would require to manually set
`pki_regen_cert` for existing environments.
Certs securing traffic between haproxy and console proxy are provided in
execstarts because otherwise they would have to be defined in nova.conf
that may be shared with nova-api (which stands behind uwsgi and should
not use TLS).
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ibff3bf0b5eedc87c221bbb1b5976b12972fda608
When import is used, ansible loads the imported role or tasks, which
results in plenty of skipped tasks which also consume time. With
includes ansible does not try to load the play, so time is not wasted on
skipping things.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/880344
Change-Id: I47c6623e166254802ed0b479b2353c5f2ceb5cfa
At the moment, we do deploy openrc file on conductors and delegate
task to them. At the moment there is no good reason to do so,
since we're actively utilizing service_setup_host for all interactions
with API. With that we also replace `openstack` commands with native
compute_service_info module that provides all information we need.
Change-Id: I016ba4c5dd211c5165a74a6011da7bb384c7a82a
According to nova rolling upgrade process [1], online_data_migrations
should run once all the services are running the latest version of the
code and were restarted. With that, we should move online migrations
after handlers being flushed, when all services are restarted.
At the same time, nova-status upgrade check must run before services
are restarted to the new version, as service restart might lead to
service breakage if upgrade check fails [2]. It makes no sense to
run upgrade check when upgrade is fully finished.
[1] https://docs.openstack.org/nova/latest/admin/upgrades.html#rolling-upgrade-process
[2] https://docs.openstack.org/nova/latest/cli/nova-status.html#upgrade
Change-Id: Ic681f73a09bb0ac280c227f85c6e79b31fd3429a
Calico driver support has been removed from OpenStack-Ansible
starting in Antelope release [1]. We clean up nova role to drop calico
support from it as well.
[1] https://review.opendev.org/c/openstack/openstack-ansible/+/866119
Change-Id: Ie9c118b8bab265e5bf06b6ec05731cd673ee4d95
RDO packages for nova do depend on python3-openvswitch,
which makes it required to install OVS on computes regardless
of everything else.
We also clean out pre-rhel9 variable files as they're not needed anymore.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/872896
Change-Id: I3e31254b7dd1c0ff3cb46153cefce6f6cadd52aa
When Galera SSL is enabled, use SSL encrypted database connections with
nova-manage commands where a connection string is provided.
Change-Id: I7019b966b475c09a4e3218461941c1112ae28028
Resource providers can be configured using the API or CLI, or they
can also be configured on a per-compute node basis using config
files stored in /etc/nova/provider_config.
This patch adds support for a user defined list of provider config
files to be created on the compute nodes. This can be specified in
user_variables or perhaps more usefully in group_vars/host_vars.
A typical use case would be describing the resources made available
as a result of GPU or other hardware installed in a compute node.
Change-Id: I13d70a1030b1173b1bc051f00323e6fb0781872b
This line was introduced by I3046953f3e27157914dbe1fefd78c7eb2ddddcf6
to bring it in line with other OSA roles, but should already be
covered by the distribution_major_version line above.
Change-Id: I21b3972553acf38af205e17aa2d48ed19332bcb0
Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.
Additionally service_type is now defined for keystone_authtoken, which
enables validating tokens with restricted access rules.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: I04b22722b32b6dc8b1dc95e18c3fe96ad17e51ac
Keystone role was never migrated to usage of haproxy-endpoints role
and included task was used instead the whole time.
With that to reduce complexity and to have unified approach, all mention
of the role and handler are removed from the code.
Change-Id: I3693ee3a9a756161324e3a79464f9650fb7a9f1a
Centos-9 no longer ships this file so skip adjusting it [1]. The
file should not exist on Centos-9 systems where OSA is used.
If this file is created by a deployer it will potentially
interfere with the operation of libvirt and other configuration
made by openstack-ansible.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2042529
Change-Id: Ieeba7fb803e151a9e6d0adac3d1512aef3785e9a
Currently we're passing a non-existent variable into PKI role
when defining whether to regen certificates or not.
This change fixes behaviour.
Change-Id: Ib1c8f820ccfe00923fcbc7aec2457a94629673fe
This uses ssh signed certificates so there is no longer the need
to distribute the nova public key from each compute host to all
other compute hosts.
The legacy scripts and authorized key files are removed as a
migration step.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292
Change-Id: I3456bdf7bed66a2675b8a410d4cf6b2174598a22
When nova doesn't use rbd images (i.e. local storage) it still might be a good
idea to use direct connection to rbd to get images rather than
connect through HTTP.
Change-Id: I4f2d7cf54e07376c7a25d45093f5d83be5422234
libvirtd.socket monitors libvirtd.service and triggers a service restart
when it spots that the service is down.
However, in order to enable tcp and tls sockets, we need libvirt
to be stopped.
Currently a race condition can happen, when we stop libvirt, but it's
started by the socket before we enable the tls one.
To overcome this we stop the socket along with the service.
Change-Id: Iacc093311036fb8d6559a0e32252579303a639ba
Since all supported distros have libvirt version >= 5.7 there's
no reason to ensure that it is true.
So we remove the corresponding code and simplify logic.
Change-Id: I281829214df8affec7774a45a3ca0405a866b5c0