We're wanting to more properly set permissions on the ansible puppet
role manifest dir. This ends up setting mode 0755 with ownership of
root:root on the dir. As a result sudo is necessary to move these
contents later.
Change-Id: I6b6aa79e8e8b63f4665679ab183a8551f0dd521e
We create a virtualenv to install ansible in which then runs puppet for
us in our puppet apply jobs. This is pulling in setuptools 50 which then
fails due to the problems setuptools 50 has with older pythons. Address
this by pinning back to setuptools <50.
Change-Id: I02ea466319f7cd90f73972bf5a99876d14823ac1
Make inventory/service for service-specific things, including the
groups.yaml group definitions, and inventory/base for hostvars
related to the base system, including the list of hosts.
Move the exisitng host_vars into inventory/service, since most of
them are likely service-specific. Move group_vars/all.yaml into
base/group_vars as almost all of it is related to base things,
with the execption of the gerrit public key.
A followup patch will move host-specific values into equivilent
files in inventory/base.
This should let us override hostvars in gate jobs. It should also
allow us to do better file matchers - and to be able to organize
our playbooks move if we want to.
Depends-On: https://review.opendev.org/731583
Change-Id: Iddf57b5be47c2e9de16b83a1bc83bee25db995cf
We have one global variable that is used in two places.
By removing it, we can more easily split site.pp into
per-service manifest files, and ultimately we should be
deriving this from groups['elasticsearch'] anyway.
Change-Id: I1d794b269847da85778f71e816359953af9b31e0
We are copying system-config in parallel to a bunch of targets
and we're also creating and deleting applytest files. Instead,
do the apply test files outside of the dir that's going to
get synced in the puppet role.
While we're at it, copy don't link the openstack_project
module into /etc/puppet/modules, just to be sure.
Change-Id: I4bcd8ebd6da8395e77d673ac76f4c41568d810ec
We use project-config for gerrit, gitea and nodepool config. That's
cool, because can clone that from zuul too and make sure that each
prod run we're doing runs with the contents of the patch in question.
Introduce a flag file that can be touched in /home/zuulcd that will
block zuul from running prod playbooks. By default, if the file is
there, zuul will wait for an hour before giving up.
Rename zuulcd to zuul
To better align prod and test, name the zuul user zuul.
Change-Id: I83c38c9c430218059579f3763e02d6b9f40c7b89
We had the clouds split from back when we used the openstack
dynamic inventory plugin. We don't use that anymore, so we don't
need these to be split. Any other usage we have directly references
a cloud.
Change-Id: I5d95bf910fb8e2cbca64f92c6ad4acd3aaeed1a3
As part of OpenDev rename, a lot of links were changed.
A couple of URLs point to old locations, update them.
This list was done while grepping for "openstack-infra" and fixing
locations that are wrong.
Change-Id: I313d76284bb549f1b2c636ce17fa662c233c0af9
With the move from OpenStack governance to our own OpenDev team, we
should also move to use the #opendev IRC channel in preference to
the #openstack-infra channel which will remain in use for OpenStack
specific discussions.
Update the references in our docs accordingly.
Change-Id: I448704f5d2664fd233a69a2ad12578ca24d9878a
This will give us a nice link to the goaccess reports on the zuul
dashboard build pages.
Move ansible-lint config into config file
As of 4.2.0 we can configure ansible-lint with a config file. It's
also apparently now smart enough to only find ansible yaml. Let's
see how that goes.
Add a fake zuul_return module
This should let us fake out ansible-lint without having to install
all of zuul.
Change-Id: Ib233eb577a8ca2aabfe3a49b2cd823dd4a00bd82
A few things have changed and we need to fix them in one go.
Use mirror for installing docker for buildset-registry
While, we need to make this more systemic, that's hanging off of the
mirror rework. For now, since we know all of these jobs are debian
based, just set the mirror location.
Replace use of zuul cloner with git clones
You can never be a prophet in your own hometown. This is now broken
because of the git cache rework, so just replace it.
Update libjemalloc library
python:slim is based on buster now, which has libjemalloc2 not
libjemalloc1.
Remove gerrit repo remote for submodules
A recent change to the base jobs to use prepare-workspace-git
broke the gerrit image builds by actually having the origin
remote by /dev/null as intended. This breaks submodules because
for a few of them where we don't have matching stable branches
the submodule relative path behavior is actually exactly what
we want.
Since we don't care about the remote otherwise, remove the
origin remote before doing the submodule update --init so that
the submodule will clone the refs from the zuul prepared repo.
Change-Id: Ieb5b6bc8711fe971ed3445c7c267306ac4616464
This causes newlines to appear in the config file which causes the
server to fail to start which is the opposite of what this is
supposed to do.
Change-Id: I2ff7e8835878652b3a7cdc2f633d263b37aaa7e9
This script helps restart the AFS servers, which is useful when
updating parameters. It can also enable audit logging.
It can also stop and start the servers, although it's unlikely we'd
want all the servers offline at the same time so stopping has a
warning included.
Documentation is updated to refer to the helper script
Change-Id: Idcb3e43a3f6e614cdb787d4334e692a98bffdd15
We ended up running into a problem with nodepool built control plane
images (has to do with boot from volume not allowing us to delete images
that are in use by a nova instance). We have decided to clean this up
and go back to not doing this until we can do it more properly.
Note this isn't a revert because having a group for access to control
plane clouds does seem like a good idea in general and I believe there
have been changes we'd have to resolve in the clouds.yaml files anyway.
Depends-On: https://review.opendev.org/#/c/665012/
Change-Id: I5e72928ec2dec37afa9c8567eff30eb6e9c04f1d
This tool scans gerrit changes for comments from zuul over the last 30
days to build out success rates for check and gate pipelines. This only
looks at changes that have merged to avoid those that never can merge
because they only fail or are expected to fail.
This tool emits information like:
Changes: 4475
Check Failures: 5317.0
Check Successes: 9173.0
Check Rate of failure: 0.3669427191166322
Gate Failures: 687.0
Gate Successes: 4450.0
Gate Rate of failure: 0.13373564337161767
Total Failures: 6004.0
Total Successes: 13623.0
Total Rate of failure: 0.3059051306873185
Change-Id: I759ba670c6b81f4425ce618c412db9cbd0e51401
Git repo moves based on cgit aliases from project-config, the
OpenStack TC guidance recorded in
http://lists.openstack.org/pipermail/openstack-discuss/2019-April/004920.html
and the ethercalc used to collect input from other users of the
system. Also the results of an extensive bikeshedding session at
http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2019-04-11.log.html#t2019-04-11T14:54:09
which concluded that anything left homeless goes in a namespace
called "x" since that's short, a basic alphabetic character and
provides no particular connotation.
The opendev-migrate script, when run, provides a shareable rendering
on stdout and also writes a repos.yaml file for input into the
rename_repos playbook.
The opendev-patching script, when run, uses the repos.yaml file and
iterates over a tree of Git repositories updating their Zuul
configuration, playbooks and roles as well as .gitreview files both
for the project renames and the opendev hostname changes. It also
creates a rename commit in project-config so that manage-projects
will be in sync with the results of the rename_repos playbook.
Change-Id: Ifa9fa6896110e8a33f32dcda6325bd58846935e2
Task: #30570
Co-Authored-By: James E. Blair <jeblair@redhat.com>
We ignore E006 which is line lenght longer than 79 characters. We don't
actually care about that. Fix E042 in run_all.sh this represents a
potential real issue in bash as it will hide errors.
This makes the bashate output much cleaner which should make it easier
for people to understand why it fails when it fails in check.
Change-Id: I2249b76e33003b57a1d2ab5fcdb17eda4e5cd7ad
In order to have nodepool build images and upload them to control
plane clouds, add them to the clouds.yaml on the nodepool-builder
hosts. Keep them out of the launcher configs by splitting the config
templates. So that we can keep our copies of things to a minimum,
create a group called "control-plane-clouds" and put bridge and nb0*
in it.
There are clouds mentions in here that we no longer use, a followup
patch will clean those up.
NOTE: Requires shifting the clouds config dict from
host_vars/bridge.openstack.org.yaml to group_vars/control-plane-clouds.yaml
in the secrets on bridge.
Needed-By: https://review.opendev.org/640044
Change-Id: Id1161bca8f23129202599dba299c288a6aa29212
Now that the tools/owners.py script is a module in the
openstack_election package within the openstack/election repository,
we can stop providing a copy here.
Change-Id: I39efbad539790687646c1d76159894e9e997ff72
Depends-On: I180ef0e5ec880b46f0427c1c952b640a780b5732
There are many references to review.openstack.org, and while the
redirect should work, we can also go ahead and fix them.
Change-Id: I28f398796a6392a3dffea1d25cfe2ae3a36a3589
There's a bunch in here. This is mostly big-ticket things and test
fixes. Also, change the README to rst - because why is it markdown?
Depends-On: https://review.opendev.org/654005
Change-Id: I21e5017011e1111b4d7a9e4bf0ea6b10f5dd8c1b
Setting Puppet-Version: !X (where X would usually be 3) marks a hosts
as not wanting to run the apply tests for that puppet version. This
is helpful for puppet4 hosts that wish to bring in new modules that
are not puppet3 compatible.
Change-Id: I081d15a53bd85152e7729c4c1da094dfee6d7073
This script requires GITHUB_USERNAME and the GITHUB_PASSWORD env
variables to be set and lets users with sufficient privileges initiate
a transfer from a GitHub organization to another by specifying two
arguments, for example:
./github-org-transfer.py oldorg/repo neworg/repo
Change-Id: I2383d256958c028efe81b235ff8641d131bbb3a7
This is a mechanically generated change to replace openstack.org
git:// URLs with https:// equivalents.
This is in aid of a planned future move of the git hosting
infrastructure to a self-hosted instance of gitea (https://gitea.io),
which does not support the git wire protocol at this stage.
This update should result in no functional change.
For more information see the thread at
http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003825.html
Change-Id: I6c126f7e724249741403a87733f546c1642f7f25
The k8s-on-openstack project produces an opinionated kubernetes
that is correctly set up to be integrated with OpenStack. All of the
patches we've submitted to update it for our environment have been
landed upstream, so just consume it directly.
It's possible we might want to take a more hands-on forky approach in
the future, but for now it seems fairly stable.
Change-Id: I4ff605b6a947ab9b9f3d0a73852dde74c705979f
We moved from dynamic to static inventory. When creating a new host with
launch-node, a script isn't really needed, the inventory is yaml, the
new host can just be added. However, generating a new inventory by
hitting the APIs of all of our clouds might be useful, so add a utility
script to help in case such a thing is needed.
Change-Id: Iae1be8e9cfe19533005e9f0395d1ef7a6427bc83
There appears to be a race running the ansible synchronize (rsync under
the hood) top copy puppet modules for multiple puppet applies at the
same time on CentOS7. Running this in parallel appears safe on Ubuntu
and does save quite a bit of job runtime.
Workaround this by running the apply test serially on CentOS only.
Change-Id: Icd0836db215c0b417989d38994a378a705bbc62b
This is designed to run on bridge.o.o and give us an overview of the
last few ansible cron runs so we can see if there are issues.
Change-Id: I1b23cac74272af891d0b29963dc943bd54128664
This manages the clouds.yaml files in ansible so that we can get them
updated automatically on bridge.openstack.org (which does not puppet).
Co-Authored-By: James E. Blair <jeblair@redhat.com>
Depends-On: https://review.openstack.org/598378
Change-Id: I2071f2593f57024bc985e18eaf1ffbf6f3d38140
With the dependent change, zuul-sphinx will raise a warning when the
autoroles matcher finds a role without a README.rst. Since we
error-on-warnings this will stop the docs build. Thus we don't need
this explicit linters check.
Change-Id: I02eefce2448152505bacba3b2a12021515b4a31a
Depends-On: https://review.openstack.org/596014
These role docs aren't exactly War and Peace, but I think longer term
as we fiddle about making things generic or not and moving them
around, we'll be better off having kept ourselves to writing
*something*.
Add terse README.rst files for all existing roles, and add simple
linter check to ensure new roles get them too.
Change-Id: Ibc836310fb8a45e12c2e31f112d92509ac350413
