As part of the effort to implement Ansible code linting in CI
(using ansible-lint) - we need to implement recommendations from
ansible-lint output [1].
One of them is to stop using local_action in favor of delegate_to -
to increase readability and and match the style of typical ansible
tasks.
[1]: https://review.opendev.org/694779/
Partially implements: blueprint ansible-lint
Change-Id: I46c259ddad5a6aaf9c7301e6c44cd8a1d5c457d3
Sometimes as cloud admins, we want to only update code that is running
in a cloud. But we dont need to do anything else. Make an action in
kolla-ansible that allows us to do that.
Change-Id: I904f595c69f7276e71692696471e32fd1f88e6e8
Implements: blueprint deploy-containers-action
Use upstream Ansible modules for registration of services, endpoints,
users, projects, roles, and role grants.
Change-Id: I7c9138d422cc91c177fd8992347176bb54156b5a
This commit adds the functionality for an operator to specify
their own trusted CA certificate file for interacting with the
Keystone API.
Implements: blueprint support-trusted-ca-certificate-file
Change-Id: I84f9897cc8e107658701fb309ec318c0f805883b
Docker has no restart policy named 'never'. It has 'no'.
This has bitten us already (see [1]) and might bite us again whenever
we want to change the restart policy to 'no'.
This patch makes our docker integration honor all valid restart policies
and only valid restart policies.
All relevant docker restart policy usages are patched as well.
I added some FIXMEs around which are relevant to kolla-ansible docker
integration. They are not fixed in here to not alter behavior.
[1] https://review.opendev.org/667363
Change-Id: I1c9764fb9bbda08a71186091aced67433ad4e3d6
Signed-off-by: Radosław Piliszek <radoslaw.piliszek@gmail.com>
A common class of problems goes like this:
* kolla-ansible deploy
* Hit a problem, often in ansible/roles/*/tasks/bootstrap.yml
* Re-run kolla-ansible deploy
* Service fails to start
This happens because the DB is created during the first run, but for some
reason we fail before performing the DB sync. This means that on the second run
we don't include ansible/roles/*/tasks/bootstrap_service.yml because the DB
already exists, and therefore still don't perform the DB sync. However this
time, the command may complete without apparent error.
We should be less careful about when we perform the DB sync, and do it whenever
it is necessary. There is an argument for not doing the sync during a
'reconfigure' command, although we will not change that here.
This change only always performs the DB sync during 'deploy' and
'reconfigure' commands.
Change-Id: I82d30f3fcf325a3fdff3c59f19a1f88055b566cc
Closes-Bug: #1823766
Closes-Bug: #1797814
Currently, we have a lot of logic for checking if a handler should run,
depending on whether config files have changed and whether the
container configuration has changed. As rm_work pointed out during
the recent haproxy refactor, these conditionals are typically
unnecessary - we can rely on Ansible's handler notification system
to only trigger handlers when they need to run. This removes a lot
of error prone code.
This patch removes conditional handler logic for all services. It is
important to ensure that we no longer trigger handlers when unnecessary,
because without these checks in place it will trigger a restart of the
containers.
Implements: blueprint simplify-handlers
Change-Id: I4f1aa03e9a9faaf8aecd556dfeafdb834042e4cd
Many tasks that use Docker have become specified already, but
not all. This change ensures all tasks that use the following
modules have become:
* kolla_docker
* kolla_ceph_keyring
* kolla_toolbox
* kolla_container_facts
It also adds become for 'command' tasks that use docker CLI.
Change-Id: I4a5ebcedaccb9261dbc958ec67e8077d7980e496
When ansible goes in to a loop, by default it prints all the keys for
the item it is looping over. Some roles, when setting up the databases,
iterate over an object that includes the database password.
Override the loop label to hide everything but the database name.
Change-Id: I336a81a5ecd824ace7d40e9a35942a1c853554cd
With Docker CE, the daemon sets the default policy of the iptables
FORWARD chain to DROP. This causes problems for provisioning bare metal
servers when ironic inspector is used with the 'iptables' PXE filter.
It's not entirely clear why these two things interact in this way,
but switching to the 'dnsmasq' filter works around the issue, and is
probably a good move anyway because it is more efficient.
We have added a migration task here to flush and remove the ironic-inspector
iptables chain since inspector does not do this itself currently.
Change-Id: Iceed5a096819203eb2b92466d39575d3adf8e218
Closes-Bug: #1823044
Several config file permissions are incorrect on the host. In general,
files should be 0660, and directories and executables 0770.
Change-Id: Id276ac1864f280554e98b937f2845bb424d521de
Closes-Bug: #1821579
When adding the rolling upgrade support, some upgrade procedures were
modified to pull images explicitly. This is done inconsistently between
services, and is a change in behaviour from Rocky and earlier releases.
This change removes all image pulling from upgrade tasks.
Change-Id: Id0fed17714235e1daed60b83b1f30620f097eb97
This allows ironic service endpoints to use custom hostnames, and adds the
following variables:
* ironic_internal_fqdn
* ironic_external_fqdn
* ironic_inspector_internal_fqdn
* ironic_inspector_external_fqdn
These default to the old values of kolla_internal_fqdn or
kolla_external_fqdn.
This also adds ironic_api_listen_port and ironic_inspector_listen_port
options, which default to ironic_api_port and ironic_inspector_port for
backward compatibility.
These options allow the user to differentiate between the port the
service listens on, and the port the service is reachable on. This is
useful for external load balancers which live on the same host as the
service itself.
Change-Id: I45b175e85866b4cfecad8451b202a5a27f888a84
Implements: blueprint service-hostnames
With this change, an operator may be able to stop a
service container without stopping all services in a host.
This change is the starting point to start
fast-forward upgrades support.
In next changes new flags will be introducced to disable
stop dataplane services during upgrades.
Change-Id: Ifde7a39d7d8596ef0d7405ecf1ac1d49a459d9ef
Implements: blueprint support-stop-containers
Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.
Available are two new templates:
* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend
For now the default will be the single listen block, for ease of
transition.
Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b
Now kolla dev mode only support clone master branch from git,
add version tag to support clone dedicated branch.
Change-Id: I88de238e5dc7461ba0662a3ecea9a2d80fd0db60
This commit is to apply resource-constraints to a few more OpenStack services.
Commit to apply constraints to the last set of services will be made in
the upcoming commit.
Depends-on: Icafa54baca24d2de64238222a5677b9d8b90e2aa
Change-Id: I39004f54281f97d53dfa4b1dbcf248650ad6f186
Add become to all tasks that use the module "kolla_docker"
Change-Id: I4309c4011687b88ec31d739fd8f834fe2326ff10
Partial-Implements: blueprint ansible-specific-task-become
When enable_ironic_ipxe is set in /etc/kolla/globals.yml,
the following happens:
- a new docker container, ironic_ipxe, is created. This contains
an apache webserver used to serve up the boot images
- ironic is configured to use ipxe
Change-Id: I08fca1864a00afb768494406c49e968920c83ae7
Implements: blueprint ironic-ipxe
In change I78cb60168aaa40bb6439198283546b7faf33917c, action was changed
to kolla_action, and serial to kolla_serial, to avoid Ansible warnings
due to use of reserved keywords. In that change, some keywords were
missed, and some changes that were merged since then have not switched
to the new variables. This change fixes all current instances of those
issues.
Change-Id: I357dffdfcb2b405e280a962d366ee65eebf0a8d1
Implements: blueprint migrate-to-ansible-2-2-0
- rename action and serial to kolla_ansible and kolla_serial
- use become instead of "sudo <command>" in shell
- Remove quota for failed_when and changed_when in rabbitmq tasks
Change-Id: I78cb60168aaa40bb6439198283546b7faf33917c
Implements: blueprint migrate-to-ansible-2-2-0
When attempting to inspect a node with ironic, it seems at times
ironic_dnsmasq fails to process dhcp bootp requests, giving the
following error repeating:
dnsmasq-dhcp: DHCPDISCOVER(eth0) 52:54:00:ff:15:55
dnsmasq-dhcp: DHCPOFFER(eth0) 192.169.5.100 52:54:00:ff:15:55
dnsmasq-dhcp: ARP-cache injection failed: Operation not permitted
Adding NET_ADMIN fixes this.
Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Closes-Bug: #1762805
Change-Id: I39acb81801710f849336380d3fde01c70cd8d8ce
- remove uesless module_extra_vars, this is a historical issue. In the
past, we use 'docker exec kolla_toolbox ansible xxx' to run module on
target node, so complex data have to pass through extra_vars. Now we
are using kolla_toolbox module, no need to use extra_vars anymore.
- Remove some useless until.
Change-Id: I72ed28001202917f9a82a1c3ea33cd6319911ec8
When deploy ironic, the ironic_dnsmasq keep restaring if
ironic_dnsmasq_dhcp_range is missing, so it necessary to add a
prechecks to ensure it be set.
Change-Id: I0c1d91f62f4e5dad2d9a45a2a7bb51b5121dbfda
This change allows the following use cases:
1. Using an already-configured MariaDB / MySQL server / Cluster
2. Using already-created DB users, without requiring root DB access.
Update: added external mariadb precheck
Change-Id: I78b0d178306d7c5293b0bf53e445f19f18b4b824
Implements: blueprint external-mariadb-support.
Closes-Bug: #1603121
Fixes a bug where the Baremetal Introspection service's public endpoint
registered in the Identity service referenced the internal API endpoint.
Also updates keystone endpoints for the Baremetal and Baremetal
Introspection services during reconfigure and upgrade operations.
Previously this was only done during deploy.
Change-Id: I32d475f288bb4a3834c13cc86f0c53b5437c3d25
Closes-Bug: #1738418
Support pxe uefi mode following guide
https://docs.openstack.org/ironic/latest/install/configure-pxe.html
In the meantime, ironic-agent kernel and initramfs does not have to
be provided as precondition under /etc/kolla/config in such mode.
Add condition check as well.
Change-Id: Ieefcf5f9fe839eab63f3fe4a1c5cf845f4fd4eb5
Signed-off-by: Zhangfei Gao <zhangfei.gao@linaro.org>
flat network type is not mandatory. There are two cases,
1. ironic with flat network: we can use neutron vlan network to
provision baremetal nodes, as long as the interface of the baremetal
nodes are configured to use the same vlan.
2. ironic with neutron network: all provision and cleaning_network can
be vlan type and no flat is needed at all.
So we should remove the task.
Change-Id: I176ded6d2a8b14e350f665f63bc37eb488d32679
Closes-Bug: #1725170
When deploying with tls enabled in public
endpoints, ansible modules fails due SSL certificates
are self-signed.
This change adds a new variable to allow customization
on which endpoints ansible should connect.
Defaults to admin because admin auth parameters defaults
to admin endpoint.
Change-Id: Ic3ed58cf9c9579cae08a11bbfe6fce983b5a9cbc
Closes-Bug: #1720995
Actually Openstack services configuration can be overriden using many
files:
- /etc/kolla/config/<< service name >>/<< config file >>
- /etc/kolla/config/<< service name >>/<<host>>/<< config file >>
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf
Only per-service configuration is actually documented here:
https://github.com/openstack/kolla-ansible/blob/master/doc/advanced-configuration.rst#L164
Allowing to globally modify service configuration can be perform too,
but it can be done in 3 different manners, all not documented:
- /etc/kolla/config/global.conf
- /etc/kolla/config/database.conf
- /etc/kolla/config/messaging.conf
database.conf and messaging.conf seems redundant with global.conf.
In order to simplify codebase it seems logical to remove them.
Documentation has been added for overriding configuration globally and
release note has been added too.
Closes-Bug: #1682479
Change-Id: I5d922dfc0d938173bad34ac64e490b78db1b7e31
Before this change ironic prechecks failed with the error:
'tenant_network_types' is undefined
This problem appears to have been introduced in:
296ddbeb035c6f582b316f066fe2ddffece07aca
Closes-Bug: #1714946
Change-Id: I609ae20c4558370a0a8c4c316cd47cbd1d086331
The Ironic templates and roles assume Keystone is enabled and they don't
make use of the `enable_keystone var. This patch changes the behavior so
that `noauth` is used as auth method for Ironic if keystone is not
enabled, the Ironic endpoint is not registered if keystone is not
enabled and the keystone section is not created in the config file.
Change-Id: I813de42d10ac264eec81076cb107b58af09ff686
Ironic inspector should honour the Ansible inventory group
ironic-inspector. Ironic inspector may not be required at all. If
Ironic inspector is required then it should only run on a single
node, and this should be reflected by the inventory.
This change makes a number of Ironic inspector-related tasks dependent
upon the host's membership of the ironic-inspector group. Also, we
couple the ironic-dnsmasq container with the ironic-inspector group
rather than ironic-conductor, as the service is for inspector rather
than Ironic.
Change-Id: Ifd90753b0fe1a55c11b7723c28e1d14ab3d32737
Closes-Bug: #1665257
kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.
[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible
Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config
