Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`
Change-Id: Ib3dafb476992c0c75ae1b3cc84024463641a0775
In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: If512039bae99218e054a8841cb32c3903b616ed7
Configuration of RPC for ironic-inspector was a bit of a mixed
bag, with some config fixed at defaults which are only relevant
for HA queues. This conforms it to the way the majority of
variables are managed.
Note that this changes the default for
ironic_inspector_oslomsg_rpc_use_ssl, but this should be set via
oslomsg_rpc_use_ssl anyway.
This also removes various unused inspector notification defaults.
Change-Id: I7edc658f57de5ffc6d4aa158b02d26fa3ad71c9d
As noted in https://bugs.launchpad.net/ironic/+bug/2074090
the kernel and ramdisk images now need to be uploaded in raw
format due to fixes for underlying CVEs.
Change-Id: I2b74d9ab4d07a4d5b6045d353cf91db70c4e6cb1
The default nginx config file on centos/rocky includes a server
section listening on port 80 and [::]:80. There is no way to disable
this other than to adjust the configuration file.
This patch supplies a modified version of the centos nginx config
file which does not include a default server section.
A systemd drop in is installed to override the nginx service
ExecStart which starts the service using the modified configuration
file.
Change-Id: If7674a750e5316feb4d0fcff8cd0f4df7a67ffbb
With ansible-core 2.16 a breaking changes landed [1] to some filters
making their result returned in arbitrary order. With that, we were
relying on them to always return exactly same ordered lists.
With that we need to ensure that we still have determenistic behaviour
where this is important.
[1] https://github.com/ansible/ansible/issues/82554
Change-Id: Id2aaa7d32b6a0c25699e6e8031ae23480efdbad3
See https://review.opendev.org/c/openstack/ironic/+/907148
Ironic enables oslo policy RBAC changes from 2024.1 by default.
Once enabled, in theory system scoped tokens are required for
various actions, but in practice this doesn't necessarily work
when interacting with other services.
New Ironic variables provide the means to continue with a
relatively standard deployment without having to make
far-reaching policy changes.
Change-Id: I2cb53414cce3a899a0db5f74e56798de95c6c4b1
Due to the shortcoming of QManager implementation [1], in case of uWSGI
usage on metal hosts, the flow ends up with having the same
hostname/processname set, making services to fight over same file
under SHM.
In order to avoid this, we prepend the hostname with a service_name.
We can not change processname instead, since it will lead to the fight
between different processes of the same service.
[1] https://bugs.launchpad.net/oslo.messaging/+bug/2065922
Change-Id: I562e8d0a65b12aa8ce88caea2d7e955f78c3bf33
<service>-config tags are quite broad and have a long execution
time. Where you only need to modify a service's '.conf' file and
similar it is useful to have a quicker method to do so.
Change-Id: Ic1a896df1ba8d14aca9a12e0adf0d1822a5262d3
During last release cycle oslo.messaging has landed [1] series of extremely
useful changes that are designed to implement modern messaging
techniques for rabbitmq quorum queues.
Since these changes are breaking and require queues being re-created,
it makes total sense to align these with migration to quorum queues by default.
[1] https://review.opendev.org/q/topic:%22bug-2031497%22
Change-Id: Ia0d7ac84ced77511b82f28e409477e4d1589adb6
In order to be able to globally enable notification reporting for all services,
without an need to have ceilometer deployed or bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential usecase are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/914144
Change-Id: I9efc107116b149b75b2ed8b54335758e57d6dabc
In order to allow definition of policies per service, we need to add variables
to service roles, that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in case of metal deployments.
Change-Id: Ia7bb2a6ddd3ccdf887ca514ff6b03f41fb8af612
It appears this was missed in patch
Ib8d53b394937405c821687b1c46b2b19112267dd
This patch conforms the other pxe config to use the same
inspector callback URL
Change-Id: I5eee7d054bb4eda70acbaab9885c3985efb04002
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
it's behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I0f6ae74be36c0cb7a2270cfa1085c44e6dd4dc77
There is no obvious need to have an SSH keypairs for ironic user
I was not able to find any proof in the project installation guide that
such keypairs were ever needed. Thus, such functionality is removed.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/896017
Change-Id: I493d5f5aa0a915e7bc9fb7dbcd2673749c0b95d3
Keystone has stopped providing or reffering `_member_` role for a while,
thus role should not be refferenced anymore.
Moreover, with 2023.1 service policies have dropped `_member_`
which resulted in the role to be insufficient for basic operations.
Change-Id: I3ee97d4b7a3070211dbba3824f9d605da3b8bd01
Related-Bug: #2029486
OSA playbooks only call this role once for all Ironic containers
(API and inspector). As a result, the wheel builds only happen
once. If the first host (which is responsible for wheel builds)
is an API container, these vars would prevent Ironic inspector
requirements being accounted for, and as such no matching
constraints will be generated.
When the venv is deployed to the Ironic inspector container,
the lack of constraints can cause dependencies which are too new
to be installed, causing the service to fail.
Alternatively this role could be called twice by the playbook
for differing container/host roles, but as inspector is expected
to be merged into ironic at some point this feels equally valid.
Change-Id: I3952a4e5514824381410d87ed6d535f13ec40498
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I1ab9664505068c20924370790322caa67cc6e022
In LXC example, the BMAAS network is not routable to any other networks
nor to the internal VIP.
It means that Ironic Python Agent(IPA) is not able to communicate with
ironic API and ironic inspector over haproxy.
To solve that issue, `ironic_inspector_callback_url` and
`ironic_ironic_conf_overrides.service_catalog.endpoint_override` values
were overriden to instruct IPA to communicate with ironic api/inspector
backends directly on BMAAS network(instead of going via HAProxy on
management network).
It may cause a problem with certificate verification if these backends
are listening on https because most likely they are using self-signed
certificate.
As a workaround, `ipa-insecure=1` kernel parameter[1] is added to IPA
for both inspection and deployment.
[1] https://docs.openstack.org/ironic-python-agent/latest/install/index.html#ipa-and-tls
Change-Id: Idfb5a4e9bf4f39441fc99b5aa78500d6195e6da0
By overriding the variable `ironic_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the ironic backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: If97a857c36e9e3e7ad8a18926bb9cbf04189c7cb
At the moment we don't restart services if systemd unit file is changed.
We knowingly prevent systemd_service role handlers to execute
by providing `state: started` as otherwise service will be restarted twice.
With that now we ensure that role handlers will also listen for systemd
unit changes.
Change-Id: Ia9d1164e1e38201244a062be95f936b314c5c56b
Enabling this driver type ensures that the no-console, no-raid
and no-inspect interfaces are enabled so that they can be later
configured on a per-node basis if required.
These interfaces are useful to have enabled at the same time as
driver specific interfaces such as idrac or ilo in order so that
managment of specific functions can be disabled if required.
Change-Id: I2904ba005e3fa18faf8ccf04661e206501fa4aa3
This patch enables the native raid driver implementation for each
of the hardware types defined in `ironic_driver_types`. If necessary
this can be overridden in ironic.conf using config overrides.
Change-Id: I28b39b391d307e0a4aa71e13337f646d872925ec
idrac is the legacy name of the WSMAN interface. It has
been deprecated in favor of idrac-wsman and may be removed
in a future release of the idrac hardware type driver.
Change-Id: I2bf70374ac761c6ddeb8fc0b838470c036b70541
This patch adds the `console` field to the ironic_driver_types
variable and then enables a set of console drivers in the ironic
config through the `enabled_console_interfaces` option.
If `ipmitool-socat` is one of the enabled drivers, then the socat
distro package is installed to support that.
Defaults are added for socat bind address and port range to
use.
[1] https://opendev.org/openstack/ironic/src/branch/master/doc/source/admin/upgrade-to-hardware-types.rst
Change-Id: I36dd1a0ec69e5702143a1a26bd5901fc88706e84
