7451f55080
Kolla ansible now provides the ability to change the SELinux mode, and does so by default. The default mode is 'permissive', whereas kayobe sets it to 'disabled' in the disable-selinux role. This results in a flip-flop effect as the two fight, and, worse, kayobe will reboot the system to apply the change on subsequent runs of 'kayobe <seed|controller> host configure'. This change configures the selinux mode for kolla ansible to be 'disabled' to avoid this issue. TrivialFix Change-Id: I53e1d431ecd5ddb602f41b197ac482c3ed89d1d9
---
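# Play 1: derive the Kolla Ansible API interface name on each overcloud host
# from kayobe's network configuration, then fail early if it is unset.
- name: Set interfaces for overcloud hosts
  hosts: overcloud
  tags:
    - config
    - kolla-ansible
  # No facts are gathered: the interface name below comes from the
  # net_interface filter over kayobe's network variables, not from the host.
  gather_facts: false
  tasks:
    - name: Set API interface
      set_fact:
        # NOTE(review): hyphens are replaced with underscores in the interface
        # name; presumably Kolla Ansible uses the name where '-' is not valid.
        kolla_api_interface: "{{ internal_net_name | net_interface | replace('-', '_') }}"
      when: internal_net_name in network_interfaces

    # Each entry in with_items is checked only when 'required' is true; an
    # undefined or empty value aborts the play for this host.
    - name: Validate overcloud host Kolla Ansible network configuration
      fail:
        msg: >
          The Kolla Ansible variable {{ item.var_name }}
          ({{ item.description }}) is invalid. Value:
          "{{ hostvars[inventory_hostname][item.var_name] | default('<undefined>') }}".
      when:
        - item.required | bool
        - hostvars[inventory_hostname][item.var_name] is not defined or not hostvars[inventory_hostname][item.var_name]
      with_items:
        - var_name: "kolla_api_interface"
          description: "API network interface name"
          required: true
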
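# Play 2: compute the Kolla Ansible variables on the control host (localhost),
# validate them, and then run the kolla-ansible role with the results.
- name: Ensure Kolla Ansible is configured
  hosts: localhost
  tags:
    - kolla-ansible
  vars:
    # We need to reference configuration for the controller and seed nodes.
    # We pick the first host from each group for this. It is possible that at
    # this point these groups have no hosts in, and we should handle that case
    # gracefully.
    # NOTE: Per-host configuration is not currently supported.
    # These vars are templated lazily, so an empty group only fails when the
    # var is actually used; every block below that uses one is guarded by a
    # 'groups[...] | length > 0' condition.
    controller_host: "{{ groups['controllers'][0] }}"
    network_host: "{{ groups['network'][0] }}"
    seed_host: "{{ groups['seed'][0] }}"
  pre_tasks:
    # Configuration of extra user-provided Kolla globals.
    - block:
        - name: Check whether a Kolla extra globals configuration file exists
          stat:
            path: "{{ kayobe_config_path ~ '/kolla/globals.yml' }}"
            # Only existence is needed; skip hashing and MIME detection.
            get_checksum: false
            # NOTE(review): get_md5 is deprecated in newer Ansible releases in
            # favour of checksum_algorithm; keeping it false is harmless here.
            get_md5: false
            mime: false
          register: globals_stat

        # The file is rendered as a Jinja template before being parsed as
        # YAML, so Jinja expressions in globals.yml are evaluated on the
        # control host.
        - name: Read the Kolla extra globals configuration file
          set_fact:
            kolla_extra_globals: "{{ lookup('template', kayobe_config_path ~ '/kolla/globals.yml') | from_yaml }}"
          when: globals_stat.stat.exists
      tags:
        - config

    # Configuration and validation of controller networking.
    - block:
        - name: Set facts containing the controller network interfaces
          set_fact:
            kolla_network_interface: "{{ internal_net_name | net_interface(controller_host) | replace('-', '_') }}"
            kolla_storage_interface: "{{ storage_net_name | net_interface(controller_host) | replace('-', '_') }}"
            kolla_cluster_interface: "{{ storage_mgmt_net_name | net_interface(controller_host) | replace('-', '_') }}"
            kolla_provision_interface: "{{ provision_wl_net_name | net_interface(controller_host) | replace('-', '_') }}"
            kolla_inspector_dnsmasq_interface: "{{ provision_wl_net_name | net_interface(controller_host) | replace('-', '_') }}"
            kolla_dns_interface: "{{ public_net_name | net_interface(controller_host) | replace('-', '_') }}"

        # The provisioning/introspection interfaces are only required when
        # Ironic is enabled; 'required' is templated from kolla_enable_ironic.
        - name: Validate controller Kolla Ansible network configuration
          fail:
            msg: >
              The Kolla Ansible variable {{ item.var_name }}
              ({{ item.description }}) is invalid. Value:
              "{{ hostvars[inventory_hostname][item.var_name] | default('<undefined>') }}".
          when:
            - item.required | bool
            - hostvars[inventory_hostname][item.var_name] is not defined or not hostvars[inventory_hostname][item.var_name]
          with_items:
            - var_name: "kolla_provision_interface"
              description: "Bare metal provisioning network interface name"
              required: "{{ kolla_enable_ironic }}"
            - var_name: "kolla_inspector_dnsmasq_interface"
              description: "Bare metal introspection network interface name"
              required: "{{ kolla_enable_ironic }}"
      when: groups['controllers'] | length > 0
      tags:
        - config
        - config-validation

    # Configuration and validation of network host networking.
    - block:
        # With HAProxy enabled the API endpoints are the network VIPs; the
        # FQDN falls back to the VIP address when no FQDN is configured.
        - name: Set facts containing the VIP addresses and FQDNs
          set_fact:
            kolla_internal_vip_address: "{{ internal_net_name | net_vip_address }}"
            kolla_internal_fqdn: "{{ internal_net_name | net_fqdn or internal_net_name | net_vip_address }}"
            kolla_external_vip_address: "{{ public_net_name | net_vip_address }}"
            kolla_external_fqdn: "{{ public_net_name | net_fqdn or public_net_name | net_vip_address }}"
          when: kolla_enable_haproxy | bool

        # Without HAProxy there is no VIP: the first network host's own
        # addresses are used for both the "VIP" and the FQDN.
        - name: Set facts containing the VIP addresses and FQDNs
          set_fact:
            kolla_internal_vip_address: "{{ internal_net_name | net_ip(network_host) }}"
            kolla_internal_fqdn: "{{ internal_net_name | net_ip(network_host) }}"
            kolla_external_vip_address: "{{ public_net_name | net_ip(network_host) }}"
            kolla_external_fqdn: "{{ public_net_name | net_ip(network_host) }}"
          when: not kolla_enable_haproxy | bool

        - name: Set facts containing the network host interfaces
          set_fact:
            kolla_external_vip_interface: "{{ public_net_name | net_interface(network_host) | replace('-', '_') }}"

        - name: Initialise facts containing the network host interfaces
          set_fact:
            # Initialise the following lists.
            kolla_neutron_bridge_names: []
            kolla_neutron_external_interfaces: []
            kolla_neutron_bridge_interfaces: []

        # When these networks are VLANs, we need to use the underlying tagged
        # bridge interface rather than the untagged interface. We therefore
        # strip the .<vlan> suffix of the interface name. We use a union here
        # as a single tagged interface may be shared between these networks.
        # '!nomatch!' is a sentinel that cannot occur in an interface name, so
        # the replace is a no-op for networks without a VLAN.
        - name: Set a fact containing the bridges to be patched to the Neutron OVS bridges
          set_fact:
            kolla_neutron_bridge_interfaces: >
              {{ kolla_neutron_bridge_interfaces |
              union([item | net_interface(network_host) | replace('.' ~ item | net_vlan(network_host) | default('!nomatch!'), '')]) |
              list }}
          with_items: "{{ [provision_wl_net_name] + external_net_names }}"
          when: item in hostvars[network_host].network_interfaces

        # One OVS bridge name and one patch interface name per bridge
        # interface, built from the configured prefix/suffix variables.
        - name: Set facts containing the Neutron bridge and interface names
          set_fact:
            kolla_neutron_bridge_names: >
              {{ kolla_neutron_bridge_names +
              [item ~ network_bridge_suffix_ovs] }}
            kolla_neutron_external_interfaces: >
              {{ kolla_neutron_external_interfaces +
              [network_patch_prefix ~ item ~ network_patch_suffix_ovs] }}
          with_items: "{{ kolla_neutron_bridge_interfaces }}"

        - name: Validate network host Kolla Ansible network configuration
          fail:
            msg: >
              The Kolla Ansible variable {{ item.var_name }}
              ({{ item.description }}) is invalid. Value:
              "{{ hostvars[inventory_hostname][item.var_name] | default('<undefined>') }}".
          when:
            - item.required | bool
            - hostvars[inventory_hostname][item.var_name] is not defined or not hostvars[inventory_hostname][item.var_name]
          with_items:
            - var_name: "kolla_internal_vip_address"
              description: "Internal API VIP address"
              required: true
            - var_name: "kolla_internal_fqdn"
              description: "Internal API Fully Qualified Domain Name (FQDN)"
              required: true
            - var_name: "kolla_external_vip_address"
              description: "external API VIP address"
              required: true
            - var_name: "kolla_external_fqdn"
              description: "External API Fully Qualified Domain Name (FQDN)"
              required: true
            - var_name: "kolla_external_vip_interface"
              description: "External network interface name"
              required: true
            - var_name: "kolla_neutron_bridge_names"
              description: "List of Neutron bridge names"
              required: true
            - var_name: "kolla_neutron_external_interfaces"
              description: "List of Neutron interface names"
              required: true

        # The task above checks that each list exists; this one checks every
        # element of each list, iterating the 'value' subelement of each entry.
        - name: Validate network host Kolla Ansible Neutron bridge and interface configuration
          fail:
            msg: >
              The Kolla Ansible variable {{ item.0.var_name }}
              ({{ item.0.description }}) is invalid. Value:
              "{{ item.1 | default('<undefined>') }}".
          when:
            - item.0.required | bool
            - item.1 is not defined or not item.1
          with_subelements:
            - - var_name: "kolla_neutron_bridge_names"
                value: "{{ kolla_neutron_bridge_names }}"
                description: "List of Neutron bridge names"
                required: true
              - var_name: "kolla_neutron_external_interfaces"
                value: "{{ kolla_neutron_external_interfaces }}"
                description: "List of Neutron interface names"
                required: true
            - value
      when: groups['network'] | length > 0
      tags:
        - config
        - config-validation

    # Configuration and validation of seed networking.
    - block:
        - name: Set facts containing the seed network interfaces
          set_fact:
            kolla_bifrost_network_interface: "{{ provision_oc_net_name | net_interface(seed_host) | replace('-', '_') }}"

        - name: Validate seed Kolla Ansible network configuration
          fail:
            msg: >
              The Kolla Ansible variable {{ item.var_name }}
              ({{ item.description }}) is invalid. Value:
              "{{ hostvars[inventory_hostname][item.var_name] | default('<undefined>') }}".
          when:
            - item.required | bool
            - hostvars[inventory_hostname][item.var_name] is not defined or not hostvars[inventory_hostname][item.var_name]
          with_items:
            - var_name: "kolla_bifrost_network_interface"
              description: "Bifrost network interface name"
              required: true
      when: groups['seed'] | length > 0
      tags:
        - config
        - config-validation

  roles:
    - role: kolla-ansible
      kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
      kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
      # NOTE: This differs from the default SELinux mode in kolla ansible,
      # which is permissive. The justification for using this mode is twofold:
      # 1. it avoids filling up the audit log
      # 2. it avoids an issue seen when using diskimage-builder in the bifrost
      # container.
      # We could look at making the SELinux mode configurable in future.
      #
      # Security trade-off: 'disabled' removes SELinux mandatory access
      # control from these hosts entirely, and unlike 'permissive' it also
      # stops logging policy denials, so there is no audit trail from which a
      # working policy could later be derived. It does keep Kolla Ansible in
      # agreement with kayobe's disable-selinux role, avoiding the mode
      # flip-flop and the reboot kayobe performs to apply a mode change.
      kolla_selinux_state: disabled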