33 Commits

Author SHA1 Message Date
Ian Wienand
8a1f6d9764 Cleanup eavesdrop puppet references
Cleanup documentation, puppet references and the eavesdrop_opendev
group.

Change-Id: I67096d8eced0be54db9b1ee277b24602d8c20f00
2021-06-10 09:02:23 +10:00
Ian Wienand
19ea4603f4 puppet: don't run module install steps multiple times
It turns out you can't use "run_once" with the "free" strategy in
Ansible.  It actually warns you about this, if you're looking in the
right place.

The existing run-puppet role calls two things with "run_once:", both
delegated to localhost -- cloning the ansible-role-puppet repo (so we
can include_role: puppet) and installing the puppet modules (via
install-ansible-roles role), which are copied from bridge to the
remote side and run by ansible-role-puppet.

With remote_puppet_else.yaml we are running all the puppet hosts at
once with the "free" strategy.  This means that these two tasks, both
delegated to localhost (bridge) are actually running for every host.
install-ansible-roles does a git clone, and thus we often see one of
the clones bailing out with a git locking error, because the other
host is running simultaneously.
I8585a1af2dcc294c0e61fc45d9febb044e42151d tried to stop this with
"run_once:" -- but as noted because it's running under the "free"
strategy this is silently ignored.

To get around this, split out the two copying steps into a new role
"puppet-setup".  To maintain the namespace, the "run-puppet" module is
renamed to "puppet-run".  Before each call of (now) "puppet-run", make
sure we run "puppet-setup" just on localhost.

Remove the run_once and delegation on "install-ansible-roles"; because
this is now called from the playbook with localhost context.

Change-Id: I3b1cea5a25974f56ea9202e252af7b8420f4adc9
2020-09-03 09:23:05 +10:00
Monty Taylor
4b9d1a88bd Use zuul checkouts of ansible roles from other repos
We have two standalone roles, puppet and cloud-launcher, but we
currently install them with galaxy so depends-on patches don't
work. We also install them every time we run anything, even if
we don't need them for the playbook in question.

Add two roles, one to install a set of ansible roles needed by
the host in question, and the other to encapsulate the sequence
of running puppet, which now includes installing the puppet
role, installing puppet, disabling the puppet agent and then
running puppet.

As a followup, we'll do the same thing with the puppet modules,
so that we aren't cloning and rsyncing ALL of the puppet modules
all the time no matter what.

Change-Id: I69a2e99e869ee39a3da573af421b18ad93056d5b
2020-04-30 12:39:12 -05:00
Monty Taylor
9fd2135a46 Split eavesdrop into its own playbook
Extract eavesdrop into its own service playbook and
puppet manifest. While doing that, stop using jenkinsuser
on eavesdrop in favor of zuul-user.

Add the ability to override the keys for the zuul user.

Remove openstack_project::server, it doesn't do anything.

Containerize and ansiblize accessbot. The structure of
how we're doing it in puppet makes it hard to actually
run the puppet in the gate. Run the script in its own
playbook so that we can avoid running it in the gate.

Change-Id: I53cb63ffa4ae50575d4fa37b24323ad13ec1bac3
2020-04-23 14:34:28 -05:00
Monty Taylor
d5c68c5131 Split codesearch into its own playbook
Make a service playbook, manifest and jobs for codesearch.

Remove openstack_project::server - it doesn't do anything.

Change-Id: I44c140de4ae0b283940f8e23e8c47af983934471
2020-04-21 13:18:28 -05:00
Monty Taylor
544b75ad2f Run puppet on old nb0[1-3] in nodepool playbook
We still need to run puppet here until they're replaced, but
we're triggering service-nodepool on project-config nodepool
changes. So run the puppet.

Change-Id: Ib0bdaeee98e19921b8c4117c12f8a0c05e64af57
2020-04-03 16:15:11 -05:00
James E. Blair
8ad300927e Split the base playbook into services
This is a first step toward making smaller playbooks which can be
run by Zuul in CD.

Zuul should be able to handle missing projects now, so remove it
from the puppet_git playbook and into puppet.

Make the base playbook be merely the base roles.

Make service playbooks for each service.

Remove the run-docker job because it's covered by service jobs.

Stop testing that puppet is installed in testinfra. It's accidentally
working due to the selection of non-puppeted hosts only being on
bionic nodes and not installing puppet on bionic. Instead, we can now
rely on actually *running* puppet when it's important, such as in the
eavesdrop job. Also remove the installation of puppet on the nodes in
the base job, since it's only useful to test that a synthetic test
of installing puppet on nodes we don't use works.

Don't run remote_puppet_git on gitea for now - it's too slow. A
followup patch will rework gitea project creation to not take hours.

Change-Id: Ibb78341c2c6be28005cea73542e829d8f7cfab08
2019-05-19 07:31:00 -05:00
Clark Boylan
6e61cbff2e Stop ansipuppeting the old cgit farm
We have replaced the cgit farm with a gitea farm. Stop managing the cgit
farm. This removes testing for centos7 as these were our only centos7
nodes.

Depends-On: https://review.opendev.org/654549
Change-Id: Ia48ff10cb88d51f609e8b28de176c72f7a9ee24f
2019-04-22 15:50:08 +00:00
James E. Blair
2eee43e627 Name plays in playbooks
In run_all, we start a bunch of plays in sequence, but it's difficult
to tell what they're doing until you see the tasks.  Name the plays
themselves to produce a better narrative structure.

Change-Id: I0597eab2c06c6963601dec689714c38101a4d470
2018-09-07 10:51:56 -07:00
Clark Boylan
7df7bc2aad Use git-servers group in remote_puppet_else
We use the git-servers group in remote_puppet_git to positively select
the git nodes in that playbook but used !git0* glob to exclude these
nodes in remote_puppet_else. Use !git-servers in remote_puppet_else so
that the two groups used line up with each other.

Change-Id: I023f8262a86117b2dec1ff5b762082e09e601e74
2018-09-06 15:57:56 -07:00
Clark Boylan
54f250cafb Serialize puppet on afs servers properly
We were matching afs* as a glob to serialize puppet runs on afs servers.
This was fine until we added afs-client and afsadmin groups to our
inventory which matched afs*. These groups included many nodes including
our mirror nodes and zuul executors all of which were running puppet
serially which is slow.

Fix this by explicitly using the afs and afsdb groups instead of a glob.

Change-Id: If21bbc48b19806343617e18fb03416c642e00ed2
2018-09-06 15:54:52 -07:00
Monty Taylor
0625c289c8 Remove infracloud references
We don't run a cloud anymore and don't use these. With the cfg
management update effort, it's unlikely we'd use them in the form they
are in even if we did get more hardware and decide to run a cloud again.

Remove them for clarity.

Change-Id: I88f58fc7f2768ad60c5387eb775a340cac2c822a
2018-08-20 11:03:55 -05:00
Monty Taylor
92c9a7c869 Clean up puppet variables and playbooks
The puppet playbooks were some of the first we wrote, so they're
slightly wonky.

Remove '---' lines that are completely unnecessary.

Fix indentation.

Move some variables that are the same everywhere into
ansible variables.

Put puppet related variables into the puppet group_vars.

Stop running puppet on localhost in the git playbook.

Change-Id: I2d2a4acccd3523f1931ebec5977771d5a310a0c7
2018-08-17 09:41:12 -05:00
Monty Taylor
b8f4081c2e Use ansible group vars for futureparser flag
Now that we're running with ansible, we can set the futureparser variable
in the group_vars for the futureparser group and stop passing it as a
parameter explicitly.

Change-Id: I41fe283e96bb48a17f2acfe2ffd939223b5345e7
2018-08-16 14:02:50 -05:00
Monty Taylor
245609bc95 Remove bridge from disabled and add puppet group
Instead of just having bridge be disabled, make a puppet group that it's
not a part of and switch the remote_puppet_else playbook to use that.

Change-Id: Ifb96ce483fc5675d095723bda70242a425bdc619
2018-08-15 08:43:23 -05:00
Colleen Murphy
5dd32fc501 Simplify group_names variable
As noted in [1] the group_names variable is a top-level variable and
doesn't need to be accessed via the hostvars object.

[1] https://review.openstack.org/#/c/572861/1/playbooks/remote_puppet_adhoc.yaml

Change-Id: Ic895f177019b31da34cdf91a6dd62dc99a649754
2018-06-20 23:53:26 +02:00
Colleen Murphy
9ce4a353e6 Add support for turning on the future parser
If a host is a member of the 'futureparser' group, pass the
'futureparser' option to the puppet role, which will turn on parser =
future in puppet.conf when manage_config is true and when the node isn't
already using puppet 4. Nodes can be added one at a time by adding them
to modules/openstack_project/files/puppetmaster/groups.txt.

Depends-On: https://review.openstack.org/572856
Change-Id: I54e19ef6164658da8e0e5bff72a1964b88b81242
2018-06-06 20:23:43 +02:00
Paul Belanger
ce15361a28 Switch to hostgroup review for puppet_run_all playbooks
Because we changed out the hostname of review.o.o for review01.o.o our
current playbooks will be broken. To fix this moving forward, we can
just switch to the group 'review' which includes the review01.o.o
host.

Change-Id: I149eacbc759f95087f2b0a0e44fcf0b49cae7ad6
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-05-02 17:30:51 -04:00
Monty Taylor
082c5174b1 Turn off puppet reports
We have puppet configured to write reports when it runs. We used to
collect these and inject them into puppetdb. Since we don't do this
anymore, they're just a giant pile of files we never see.

Enable managing the puppet.conf file from ansible and then also turn off
the reports.

Change-Id: I55bef052bddc9b9ff5de76a4f0b2ec07f93f158c
2018-01-24 09:35:54 -06:00
Jeremy Stanley
a187f1665b Decommission zuulv3.openstack.org server
Now that zuulv3.openstack.org has been replaced by the larger
zuul01.openstack.org server, the former can be cleaned out of our
configuration in preparation for server deletion.

Change-Id: Icc1d545906e5615e2a205b98f364a084e1d22895
2018-01-20 00:57:04 +00:00
Jeremy Stanley
52b592b1d1 Use zuul-scheduler group instead of zuul* glob
Since Ansible host inventory globs match against both host names and
host groups, use the zuul-scheduler group when referring to
zuul01.openstack.org and similarly-named hosts so as to avoid
inadvertently matching all members of the "zuul" host group with
zuul* (which includes the executors and mergers). Continue to match
zuulv3.openstack.org separately for now as it's not in the
zuul-scheduler group (and soon to be deleted anyway).

Change-Id: I3127d121ea344e1eb37c700d37f873e34edbb86e
2018-01-19 22:51:56 +00:00
Jeremy Stanley
9cc99d4b47 Glob zuulv3 and zuul01 as zuul* in playbooks
To avoid the need for regular expression matching, switch to a
simple glob of zuul* covering zuulv3 and zuul01 servers. Now that
zuul-dev and zuulv3-dev are gone, this glob will only match the two
remaining hosts mentioned.

Change-Id: I2749ffa6c0e4d2ea6626d1ebde1d7b3ab49378bb
2018-01-16 23:40:48 +00:00
Jeremy Stanley
2d57c7cfd9 Add a zuul01.openstack.org
In preparation for replacing the zuulv3.openstack.org host with a
larger instance, set up the necessary support in
Puppet/Hiera/Ansible. While we're here, remove or replace old
references to the since-deleted zuul.openstack.org instance, and
where possible update documentation and configuration to refer to
the new zuul.openstack.org CNAME instead of the zuulv3.openstack.org
FQDN so as to smooth the future transition.

Change-Id: Ie51e133afb238dcfdbeff09747cbd2e53093ef84
2018-01-15 20:32:54 +00:00
Monty Taylor
e043e6e4bc Add zuul scheduler to the git/gerrit puppet sequence
We have a race condition on project creation otherwise.

Change-Id: Ia5741d69194ec6a3fcba6ca58552ce021c6aaa1f
2017-12-18 09:46:36 -06:00
Paul Belanger
a62b671ee7 Make strategy free default for all remote_puppet playbooks
Now that we've confirmed ansible-playbook works as expected, let's
enable the free strategy by default.

While playbooks with single hosts will not benefit from this, we add
it to be consistent with our playbooks.

Change-Id: Ia6abdfaf5c122f88ead2272c8700e2c1f33c5449
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-07-13 16:53:31 -04:00
Spencer Krum
6909ac2e59 Don't run infracloud puppet twice
Without this patch, we would run infracloud in its playbook, then again
in the 'everybody else' playbook.

Co-Authored-By: Colleen Murphy <colleen@gazlene.net>
Change-Id: I3de1de8f0f74e52a443c0b7a6ef6ae0a2cf7e801
2016-02-10 19:54:02 -08:00
Colleen Murphy
32f956f268 Add infracloud playbook
Add separate playbook for infracloud nodes to ensure they run in the
correct order - baremetal -> controller -> compute.

Baremetal is intentionally left out, it is not ready yet.

All 'disabled' flags on infracloud hosts are turned off. This patch
landing turns on management of the infracloud.

Co-Authored-By: Yolanda Robla <info@ysoft.biz>
Co-Authored-By: Spencer Krum <nibz@spencerkrum.com>
Change-Id: Ieeda072d45f7454d6412295c2c6a0cf7ce61d952
2016-02-08 18:03:02 -08:00
Monty Taylor
fdc24ccbb3 Add a missing colon
Change-Id: I0cc28d99e6e68fa82a9689fb9588c7680a39938c
2015-11-30 17:10:40 -06:00
Monty Taylor
7cee605a77 Add shade and openstack inventory to system
We're not ready to move from puppet inventory to openstack inventory
just yet, so don't actually swap the dynamic inventory plugin. But, add
it to the system so that running manual tests of all of the pieces is
possible.

Add the currently administratively disabled hosts to the disabled group
so that we can verify this works.

Change-Id: I73931332b2917b71a008f9213365f7594f69c41e
2015-11-28 15:59:10 -05:00
Spencer Krum
d7453b1d64 Don't manage hieradata on Puppetmaster
Puppet the puppetmaster first

Change-Id: I2ecd63c73de6f9eb915900418c5656eb5d6a2816
2015-11-28 12:48:33 -08:00
Isaac Beckman
ba06551181 Set gather_facts true in ansible playbooks
This is needed to support ansible built-in facts
used by puppet-ansible

Change-Id: Id8d14905e12c1d25c49322dd4c418b3f47c0d7c4
2015-11-23 16:40:55 +02:00
Monty Taylor
1e862a9ade Add some in-tree ansible group vars
As we're using these roles, we'll want to pass potentially different
values to different of our hosts over time. For instance, we may want to
set the jenkins servers to start using puppet apply before we get all
the hosts there. Since we run most of the hosts in a big matching
mechanism, the way we can pass different input values to each host.

Change-Id: I5698355df0c13cd11fe5987787e65ee85a384256
2015-10-30 02:33:27 +00:00
Monty Taylor
d039a62045 Move playbooks out of the puppet module
/etc/ansible/playbooks isn't actually a thing, it was just a convenient
place to put things. However, to enable puppet apply, we're going to
want a group_vars directory adjacent to the playbooks, so having them be
a subdirectory of the puppet module and installed by it is just extra
complexity. Also, if we run out of system-config, then it'll be easier
to work with things like what we do with puppet environments for testing
things.

Change-Id: I947521a73051a44036e7f4c45ce74a79637f5a8b
2015-10-30 11:31:05 +09:00