From 7cee605a77a8d55dd91e4ffadcb956bcda60a879 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Wed, 25 Nov 2015 11:31:23 -0500
Subject: [PATCH] Add shade and openstack inventory to system

We're not ready to move from puppet inventory to openstack inventory just yet, so don't actually swap the dynamic inventory plugin. But, add it to the system so that running manual tests of all of the pieces is possible. Add the currently administratively disabled hosts to the disabled group so that we can verify this works.

Change-Id: I73931332b2917b71a008f9213365f7594f69c41e
---
 doc/source/puppet.rst | 17 +-----
 doc/source/sysadmin.rst | 27 ++++++++--
 .../files/puppetmaster/static-inventory | 11 ++++
 .../manifests/puppetmaster.pp | 54 ++++++++++++-------
 .../puppetmaster/ansible-clouds.yaml.erb | 3 ++
 playbooks/remote_puppet_afs.yaml | 2 +-
 playbooks/remote_puppet_else.yaml | 2 +-
 playbooks/remote_puppet_git.yaml | 6 +--
 playbooks/update_puppet.yaml | 2 +-
 9 files changed, 77 insertions(+), 47 deletions(-)
 create mode 100644 modules/openstack_project/files/puppetmaster/static-inventory
diff --git a/doc/source/puppet.rst b/doc/source/puppet.rst
index 7b832d96d0..3835f5c1b6 100644
--- a/doc/source/puppet.rst
+++ b/doc/source/puppet.rst
@@ -142,22 +142,7 @@ Disabling Puppet on Nodes
 -------------------------
 In the case of needing to disable the running of puppet on a node, it's a
-simple matter of disabling the agent:
-
-.. code-block:: bash
-
- sudo puppet agent --disable
-
-This will prevent any subsequent runs of the agent, including ones triggered
-globally by the run_all script. If, as an admin, you need to run puppet on
-a node where it has been disabled, you need to specify an alternate disable
-lock file which will allow your local run of puppet without allowing the
-globally orchestrated runs to occur:
-
-.. code-block:: bash
-
- sudo puppet agent --test --agent_disabled_lockfile=/tmp/alt-lock-file
-
+simple matter of adding an entry to the ansible inventory "disabled" group.
 Important Notes
 ---------------
diff --git a/doc/source/sysadmin.rst b/doc/source/sysadmin.rst
index dbdca011c4..d88ab9a273 100644
--- a/doc/source/sysadmin.rst
+++ b/doc/source/sysadmin.rst
@@ -285,14 +285,31 @@ Disable/Enable Puppet You should normally not make manual changes to servers, but instead, make changes through puppet. However, under some circumstances, you may need to temporarily make a manual change to a puppet-managed -resource on a server. In that case, run the following command on that -server to disable puppet:: +resource on a server. - sudo puppet agent --disable +In the case of needing to disable the running of puppet on a node, it's a +simple matter of adding an entry to the ansible inventory "disabled" group. +There are two inventory files available for this, `/etc/ansible/hosts/static` +and `/etc/ansible/hosts/emergency`. `/etc/ansible/hosts/static` is intended +to be managed via git from the system-config repo in +`modules/openstack_project/files/puppetmaster/static-inventory`. +`/etc/ansible/hosts/emergency` is a file that should normally be empty, but +the contents are not managed by puppet. It's purpose is to allow for disabling +puppet at times when landing a change to the puppet repo would be either +unreasonable or impossible. -When you are ready for puppet to run again, use:: +There are two sections in each file, `disabled` and `disabled:children`. Due +to te multi-cloud nature of the ansible inventory, a hostname cannot be counted +on to be unique, so each cloud instance is listed in the inventory by its +UUID with a group created for its hostname. If you want to disable a cloud +instance by name, you need to put its name in `disabled:children`. If you want +to refer to a single instance by UUID, or if there are statically defined +hosts that need to be disabled, you should put those in `disabled`. - sudo puppet agent --enable +Disabling puppet via ansible inventory does not disable puppet from being +run directly on the host, it merely prevents the puppetmaster from causing +puppet to be run. 
If you choose to run puppet manually on a host, take care
+to ensure that it has not been disabled at the puppetmaster level first.
 .. _cinder:
diff --git a/modules/openstack_project/files/puppetmaster/static-inventory b/modules/openstack_project/files/puppetmaster/static-inventory
new file mode 100644
index 0000000000..0734230670
--- /dev/null
+++ b/modules/openstack_project/files/puppetmaster/static-inventory
@@ -0,0 +1,11 @@
+[disabled]
+ci-backup-rs-ord.openstack.org
+jenkins-dev.openstack.org
+hound.openstack.org
+pypi.bhs1.openstack.org
+pypi.region-b.geo-1.openstack.org
+pypi.sjc1.openstack.org
+review-dev.openstack.org
+subunit-worker01.openstack.org
+
+[disabled:children]
diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp
index f84d09af68..e31b1fe5d7 100644
--- a/modules/openstack_project/manifests/puppetmaster.pp
+++ b/modules/openstack_project/manifests/puppetmaster.pp
@@ -11,7 +11,9 @@ class openstack_project::puppetmaster (
 include logrotate
 include openstack_project::params
- include ansible
+ class { '::ansible':
+ ansible_hostfile => '/etc/ansible/hosts',
+ }
 file { '/etc/ansible/hostfile':
 ensure => present,
@@ -119,19 +121,19 @@ class openstack_project::puppetmaster (
 }
 # For launch/launch-node.py.
- package { ['python-cinderclient', 'python-novaclient']:
+ package { 'shade':
 ensure => latest,
 provider => pip,
- require => [Package['python-lxml'], Package['libxslt1-dev']],
 }
 package { 'python-paramiko':
 ensure => present,
 }
+ # No longer needed with latest client libs
 package { 'python-lxml':
- ensure => present,
+ ensure => absent,
 }
 package { 'libxslt1-dev':
- ensure => present,
+ ensure => absent,
 }
 # Enable puppetdb
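Review bot: `package { 'shade': ensure => latest, provider => pip }` pulls whatever release PyPI serves on each puppet run onto the puppetmaster, the host that pushes configuration to every other server, so an unreviewed or compromised release arrives without any change landing in this repo. Pin it to a reviewed version, e.g. `ensure => '<reviewed-version>',` (placeholder), and treat upgrades as explicit changes; the `vcsrepo { '/opt/ansible': ensure => latest, revision => 'stable-2.0' }` resource in the later `@@ -170,25` hunk has the same problem, since it follows a moving branch instead of a tag or commit. Separately, switching `python-lxml` and `libxslt1-dev` to `ensure => absent` removes them from the host; whether anything else there still depends on them is not visible here, so the comment `# No longer needed with latest client libs` could say which consumer was checked. The class body starts and ends outside this hunk.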
@@ -170,25 +172,37 @@ class openstack_project::puppetmaster (
 require => Cron['restartjenkinsmasters'],
 }
-# Playbooks
-#
- file { '/etc/ansible/playbooks':
- ensure => absent,
+ vcsrepo { '/opt/ansible':
+ ensure => latest,
+ provider => git,
+ revision => 'stable-2.0',
+ source => 'https://github.com/ansible/ansible',
 }
- file { '/etc/ansible/remote_puppet.yaml':
- ensure => absent,
+ file { '/etc/ansible/hosts':
+ ensure => directory,
 }
- file { '/etc/ansible/remote_puppet_afs.yaml':
- ensure => absent,
+
+ file { '/etc/ansible/hosts/puppet':
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ subscribe => Class['::ansible'],
+ source => '/usr/local/bin/puppet.py',
+ replace => true,
 }
- file { '/etc/ansible/remote_puppet_else.yaml':
- ensure => absent,
+
+ file { '/etc/ansible/hosts/static':
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///modules/openstack_project/puppetmaster/static-inventory',
 }
- file { '/etc/ansible/remote_puppet_git.yaml':
- ensure => absent,
- }
- file { '/etc/ansible/clean_workspaces.yaml':
- ensure => absent,
+
+ file { '/etc/ansible/hosts/emergency':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
 }
 }
diff --git a/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb b/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
index 26ad8dfa17..4fd3cf1cca 100644
--- a/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
+++ b/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
@@ -1,3 +1,6 @@
+cache:
+ expiration_time: 86400
+ path: /var/cache/ansible-inventory.json
 clouds:
 openstackci2-hpcloud:
 profile: hp
diff --git a/playbooks/remote_puppet_afs.yaml b/playbooks/remote_puppet_afs.yaml
index 51f5cf3a2f..2438d424eb 100644
--- a/playbooks/remote_puppet_afs.yaml
+++ b/playbooks/remote_puppet_afs.yaml
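Review bot: `file { '/etc/ansible/hosts': ensure => directory, }` declares no owner, group or mode, although this directory is what `::ansible` is pointed at as its inventory and it holds an executable inventory script (`hosts/puppet`, mode 0755); anything executable placed there is presumably run by whoever invokes ansible. State the permissions explicitly: `owner => 'root', group => 'root', mode => '0755',`. `hosts/puppet` is copied from the local path `/usr/local/bin/puppet.py` and has no `ensure => file`; the ownership of that source file is not shown in this hunk and is worth confirming. A short comment on `hosts/emergency` saying that puppet manages only its presence and permissions, not its content, would match what sysadmin.rst describes.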
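Review bot: `expiration_time: 86400` keeps the cached cloud inventory for a day, so a server that was deleted or rebuilt can apparently stay in the inventory under its old address for up to 24 hours while the playbooks that push puppet configuration still target it. If that window is intended, a comment above `cache:` should say so and name `/var/cache/ansible-inventory.json` as the file to remove to force a refresh. Nothing in this diff sets the owner or mode of that cache file, so it is worth confirming it ends up writable by root only.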
@@ -1,5 +1,5 @@
 ---
-- hosts: "afs*"
+- hosts: "afs*:!disabled"
 gather_facts: true
 roles:
 - role: puppet
diff --git a/playbooks/remote_puppet_else.yaml b/playbooks/remote_puppet_else.yaml
index ecbaa6e646..b14fb058fa 100644
--- a/playbooks/remote_puppet_else.yaml
+++ b/playbooks/remote_puppet_else.yaml
@@ -1,4 +1,4 @@
-- hosts: '!review.openstack.org:!git0*:!afs*:!puppetmaster*'
+- hosts: '!review.openstack.org:!git0*:!afs*:!puppetmaster*!disabled'
 gather_facts: true
 roles:
 - role: puppet
diff --git a/playbooks/remote_puppet_git.yaml b/playbooks/remote_puppet_git.yaml
index e0c6db57ef..0a539ee2d0 100644
--- a/playbooks/remote_puppet_git.yaml
+++ b/playbooks/remote_puppet_git.yaml
@@ -1,5 +1,5 @@
 ---
-- hosts: localhost
+- hosts: "localhost:!disabled"
 gather_facts: true
 connection: local
 tasks:
@@ -10,14 +10,14 @@
 roles:
 - role: puppet
 copy_hieradata: False
-- hosts: git0*
+- hosts: "git0*:!disabled"
 gather_facts: true
 max_fail_percentage: 1
 roles:
 - role: puppet
 facts:
 project_config_ref: "{{ hostvars.localhost.gitinfo.after }}"
-- hosts: review.openstack.org
+- hosts: "review.openstack.org:!disabled"
 gather_facts: true
 roles:
 - role: puppet
diff --git a/playbooks/update_puppet.yaml b/playbooks/update_puppet.yaml
index 0ee99410e2..d74a64b28b 100644
--- a/playbooks/update_puppet.yaml
+++ b/playbooks/update_puppet.yaml
@@ -1,5 +1,5 @@
 ---
-- hosts: '!puppetmaster.openstack.org'
+- hosts: '!puppetmaster.openstack.org:!disabled'
 gather_facts: false
 tasks:
 - synchronize:
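Review bot: The new host pattern in `remote_puppet_else.yaml` is missing the `:` separator before `!disabled`: `'!review.openstack.org:!git0*:!afs*:!puppetmaster*!disabled'` ends in the single term `!puppetmaster*!disabled`, which likely matches no host. That would drop both the puppetmaster exclusion and the new disabled-group exclusion, so this play would run puppet on the puppetmaster and on administratively disabled hosts. The line should read `- hosts: '!review.openstack.org:!git0*:!afs*:!puppetmaster*:!disabled'`. The other playbook hunks on this page (`remote_puppet_afs.yaml`, `remote_puppet_git.yaml`, `update_puppet.yaml`) do have the separator.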