Commit Graph

25 Commits

Author SHA1 Message Date
Emilien Macchi 2f3554cdcb Remove extraconfig/services directory
... and move the services into the deployment directory.

The extraconfig/services directory was initially created for
experimental services using an interface that was work in progress but
is now stable enough, so the services can live among the others for
simplification.

Change-Id: I2bd0b169ed18ea2fccfea4475402dd73076924c8
2019-07-18 14:44:14 -04:00
Steve Baker 5ceb3c5ec7 Make ceph-ansible working dir owned by tripleo-admin
The ceph-ansible tasks are now invoked with the tripleo-admin user,
which doesn't by default have write access to /var/lib/mistral, but it
does have sudo access.

This change makes /var/lib/mistral/overcloud/ceph-ansible be owned by
the tripleo-admin user so that subsequent tasks can write to that
directory.

Related-Bug: #1813832
Change-Id: I98bb38078be84cbda3e9a9e338af0d054dc53420
2019-02-12 09:13:15 +05:30
Martin André cb675a91a7 Fix openshift playbook import
I4aa8055fe800723b3e140f8232c9e41e769e11f3 wrongly replaced 'include'
with 'include_tasks' in openshift and kubernetes templates and broke
their deployment, resulting in an ansible error:

  ERROR! 'include_tasks' is not a valid attribute for a Play

Use import_playbook instead.

Change-Id: I0bb9bfabeb06dc9d602ad173ce2d12d1771b6b1f
Closes-Bug: #1812983
2019-01-23 11:42:20 +01:00
zhulingjie a6479d0b51 use include_tasks instead of include
Change-Id: I4aa8055fe800723b3e140f8232c9e41e769e11f3
2019-01-22 04:54:34 +00:00
Alex Schultz fb0e8f62fc Convert dynamic lookups to use colon notation
With the upgrade to puppet 5, we can no longer use dots in the hieradata
key lookups. This change updates the THT for firewall_rules,
haproxy_endpoints and haproxy_userlists to use the colon notation.

Change-Id: I6f67153e04aed191acb715fe8cfa976ee2e75878
Related-Bug: #1803024
2018-11-12 21:21:49 -07:00
Carlos Camacho 44ef2a3ec1 Change template names to rocky
The new master branch should point now to rocky.

So, HOT templates should specify that they might contain features
for rocky release [1]

Also, this submission updates the yaml validation to use only latest
heat_version alias. There are cases in which we will need to set
the version for specific templates i.e. mixed versions, so there
is added a variable to assign specific templates to specific heat_version
aliases, avoiding the introduction of errors by bulk replacing the
old version in new releases.

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#rocky
Change-Id: Ib17526d9cc453516d99d4659ee5fa51a5aa7fb4b
2018-05-09 08:28:42 +02:00
Martin André 4254e58174 Do not format output for kubespray or openshift deployments
The output comes from ansible and is already fully readable as it is.
Also, because the previous task didn't have the 'failed_when: false'
directive, it would never reach the 'print xxx outputs' task in case of
failure, while showing the output twice on success.

It is safe to just delete the task.

Change-Id: I56b44aec0a549e184f46344ea362f655ab80b3b0
2018-01-19 17:55:13 +01:00
marios dec003def8 Convert tags to when statements for Q major upgrade workflow
This converts "tags: stepN" to "when: step|int == N" for the direct
execution as an ansible playbook, with a loop variable 'step'.
The tasks all include the explicit cast |int.

This also adds a set_fact task for handling of the package removal
with the UpgradeRemovePackages parameter (no change to the interface)

The yaml-validate also now checks for duplicate 'when:' statements

Q upgrade spec @ Ibde21e6efae3a7d311bee526d63c5692c4e27b28
Related Blueprint: major-upgrade-workflow
[0]: 394a92f761/tripleo_common/utils/config.py (L141)
Change-Id: I6adc5619a28099f4e241351b63377f1e96933810
2018-01-08 13:57:47 +02:00
Carlos Camacho b13728cac3 Update templates alias to queens
There are still some templates with the wrong
alias name. This patch updates them with the
correct version.

Change-Id: I43549ac98f3736029d4aaad1ead745caf40f9299
2017-12-20 10:27:23 +01:00
Jiri Stransky ac6c11f7aa Make Kubespray install work without --private-key too
It seems the ansible_ssh_private_key_file variable is only defined
when --private-key parameter is passed to the main deployment Ansible
run. This is always true for deploying via tripleoclient and Mistral,
but may not be true when deploying via manual ansible-playbook
execution.

We now check whether the variable is defined before using it. If it's
not defined, user's default ssh key will be used for trying to connect
to the overcloud nodes.

Change-Id: Id04d3bab85713d644899694231dd4009a88385af
2017-12-05 18:15:29 +00:00
Jiri Stransky cb17631829 Don't fail Kubespray scenario if swap is enabled
We have swap enabled in CI, by default Kubespray refuses to run with
swap, and so does Kubelet. Make this behavior configurable and allow
swap in the Kubespray scenario env file. It should be fine to run with
swap for development/testing [1].

[1] https://github.com/kubernetes-incubator/kubespray/issues/1787#issuecomment-336159788

Depends-On: I7a02134970c1b1754d42c4e85ed0a2188a5ecdb6
Change-Id: I023824a31f1278b01c33ce81d4af81247dd5f672
2017-11-29 13:40:20 +01:00
Jiri Stransky 904cc3dd6d Pass private key file from parent Ansible to Kubespray
The private key file is not part of the inventory in our case, but
it's a global Ansible parameter. Make sure that we carry the same
--private-key parameter from parent Ansible run into Kubespray.

Change-Id: If6e341ee52f9d4944ee1855d3339e26b9a485dd0
2017-11-28 15:41:09 +01:00
Jiri Stransky 849a00b973 Stop creating kubectl binary on undercloud
Doing this was useful for playing with Kubespray, but it's suboptimal
for multiple reasons:

1. It gets generated into artifacts directory which we collect for CI
   logs. It has around 220 megabytes, which would be very bad for log
   collection space usage. Even if Kubespray made the location
   configurable, mistral user's external_deploy_tasks don't have
   rights to write it e.g. into /usr/local/bin, so usefulness of doing
   this at all is questionable.

2. Kubectl on the undercloud, it would ideally be preinstalled via
   RPMs rather than relying on the respective COE installers to
   produce one by fetching it from the overcloud.

Change-Id: Ia7faeb13537adfc3326302d26965439f5603c5a8
2017-11-28 14:40:37 +01:00
Jiri Stransky 2531c07dee Download Kubespray instead of git clone
We don't install git by default (at least in CI), so let's use a
tarball instead of git clone to get Kubespray sources.

Change-Id: I8321206b095effbc482779a10ff77fd18299bbdf
Depends-On: I2da025961c584cb1adc83943561b1d9faa3559b1
2017-11-28 13:21:14 +01:00
Zuul 35c5e7a122 Merge "Host access fixes for Kubespray playbook run" 2017-11-21 21:16:33 +00:00
Jiri Stransky 03e8766905 Host access fixes for Kubespray playbook run
We don't do host key checking for any of our current Ansible
executions (validations, ceph-ansible, ...) so let's not do it for
Kubespray either. Having it enabled caused Kubespray to stop and ask
for confirmation, and given that the outer Ansible action wasn't
interactive, it failed.

Also we are now setting the become flag only for overcloud machines,
rather than globally on the whole ansible-playbook run. Kubespray also
accesses localhost for some task, and we won't always run it as a user
who is allowed passwordless privilege escalation (e.g. mistral user
isn't).

Change-Id: Id49b97c2b5d37f6d215132a987a53aa742b4a60f
2017-11-21 11:21:23 +01:00
Michele Baldessari ed2b957a4f Fix all outputs|failed and outputs is defined
The ansible "failed_when" filter that uses a registered output
of a previous task piped to the '|failed' filter does not work
as expected. Given the following playbook:

  - name: return code
    shell: |
      echo "fail 2"
      exit 2
    failed_when: false
    log_when: false
    register: outputs
  - debug:
      msg: "rc: {{ outputs.rc }}"
  - debug: msg="Broken (does not fail as expected)"
    when: outputs is defined
    failed_when: outputs|failed
  - debug: msg="Working (fails as expected)"
    when: outputs is defined
    failed_when: outputs.rc != 0

We obtain the following output:

TASK [return code] ****
changed: [localhost]

TASK [debug] **********
ok: [localhost] => {
    "msg": "rc: 2"
}

TASK [debug] **********
ok: [localhost] => {
    "failed_when_result": false,
    "msg": "Broken (does not fail as expected)"
}

TASK [debug] **********
fatal: [localhost]: FAILED! => {
    "failed_when_result": true,
    "msg": "Working (fails as expected)"
}

This means that the 'outputs|failed' just does not work at all.
Let's move to a more explicit check on the rc code of the registered
variable.

We also need to fix all the "outputs is defined" checks, because
when a task is skipped the registered outputs variable *is* actually
defined as the following dictionary:
{'skip_reason': u'Conditional result was False', 'skipped': True, 'changed': False}

So we use "outputs.rc is defined" in order to make sure that the
previous task did indeed run.

Closes-Bug: #1733402

Change-Id: I6ef53dc3f9aede42f10c7f110d24722355481261
2017-11-21 08:06:41 +01:00
Zuul 38d0525a5e Merge "Clone kubespray to location accessible by the user" 2017-11-20 14:43:04 +00:00
Steven Hardy dc621da47f Add yml extension to kubespray inventory
Since the update to ansible 2.4 this seems required to select the appropriate
inventory plugin

Change-Id: I9499dac7b13284bccd05043eb59bbba67c24fa20
2017-11-14 15:42:27 +00:00
Jiri Stransky 2af0769199 Clone kubespray to location accessible by the user
When running overcloud deployment as Mistral user, we won't have
rights to alter the undercloud content (see change
I2980c584d2f4ee5c2de3720eecfc80cc43ee1fa6). If kubespray isn't found
in /usr/share/kubespray (expected RPM content location), we now clone
it elsewhere, to directory accessible by the user which runs the
overcloud deployment.

Change-Id: I9980b41668b3c838fa978e48441929d4351d101e
2017-11-08 14:20:59 +01:00
Jiri Stransky 38ab147d0b Enable in-cluster loadbalancing of kubernetes API
I originally disabled this because I couldn't successfully deploy the
API this way, but it was probably caused by garbled up node hostnames,
which was fixed in I1c0251be58535d59fe0ec157cb9acaba209e8732.

Change-Id: I0f51e971fad11568c2f9db13c0d1c54122c51f5d
2017-11-07 16:37:56 +01:00
Jiri Stransky a314d1b546 Allow installing multiple-node Kubernetes
By setting loadbalancer_apiserver_localhost to false we tell the
kubelets to register with 1st master rather than assuming there's an
API proxy running on each host.

Also Kubespray expects a specific format of inventory because it tries
to enforce that hostname matches the inventory name of the node. This
previously resulted in incorrect hostnames being set.

And we also open the necessary firewall ports to allow the cluster to
communicate.

Change-Id: I1c0251be58535d59fe0ec157cb9acaba209e8732
2017-11-02 11:31:42 +01:00
Jiri Stransky 48b1cfd61e Don't alter default docker configuration during kubernetes install
Previously we've overridden the MountFlags option to 'shared' for
Kubernetes installation. This is no longer needed when Kubespray
deploys kubelet non-containerized.

Change-Id: I20b0f4bd6d99941a0a1876e68420cffd35f3ccfe
2017-10-19 18:17:05 +02:00
Jiri Stransky 215515e788 Generate Kubespray artifacts on undercloud
Write kubectl binary and admin.conf file on undercloud.

Change-Id: I5dd6ad0f69a12c984b1c5b7c2735bc301f8cb763
2017-10-19 18:17:05 +02:00
Jiri Stransky d77327d6e2 Kubespray installation via config download mechanism
Add external_deploy_tasks for Kubespray installation. This makes
Kubespray installation work with the config download mechanism.

If the undercloud doesn't already contain /usr/share/kubespray
directory, it will be git-cloned. This is to bridge a gap before we
figure out where we get Kubespray RPM from.

Co-Authored-By: Flavio Percoco <flaper87@gmail.com>
Change-Id: I2573261bfd3d63aff1310b80fc454becc7504437
2017-10-19 18:08:01 +02:00