Not updating the gerrit git links thing, because that needs to
be a wider patch that updates the link syntax too.
Change-Id: I98013ba79e707540879e0cf2849a35c52f3371e8
We have a bunch of this handled now in ansible, so remove the old stuff.
Remove puppetmaster group management files. It's confusing for there to
be two files. Remove the old one.
Remove mqtt config. This isn't really a thing currently, and we're
eyeing running things from zuul anyway, so no need to port to ansible.
Change-Id: I8b64d21eadcc4a08bd5e5440fc5f756ae5bcd46b
Instead of just having bridge be disabled, make a puppet group that it's
not a part of and switch the remote_puppet_else playbook to use that.
Change-Id: Ifb96ce483fc5675d095723bda70242a425bdc619
The puppet 4 tests are passing for etherpad_lite so let's try it out for
real.
Depends-on: https://review.openstack.org/590023
Change-Id: Ia91bd3950c9f48505a3024a16300091cf42d7f69
We want to launch a new bastion host to run ansible on. Because we're
working on the transition to ansible, it seems like being able to do
that without needing puppet would be nice. This gets user management,
base repo setup and whatnot installed. It doesn't remove them from the
existing puppet, nor does it change the way we're calling anything that
currently exists.
Add bridge.openstack.org to the disabled group so that we don't try to
run puppet on it.
Change-Id: I3165423753009c639d9d2e2ed7d9adbe70360932
Although a few issues have been uncovered for askbot on Xenial or in
testing scenarios with SSL parameters, those shouldn't affect the
production trusty nodes, so flip the switch for ask-staging.
Change-Id: I5603fae2ea7bb67d233939323fa38816cd5aa016
This patch adds groups.o.o to the futureparser ansible group to have
ansible set parser = future in its puppet.conf.
Change-Id: I5a59f5855c42372cd16682ea7cb859c0ed38fa1d
This patch adds groups-dev to the futureparser ansible group to have
ansible set parser = future in its puppet.conf.
Change-Id: Ide789a7f5751714adb913ebc50e965f21f09bc48
Depends-On: https://review.openstack.org/584341
This change will configure puppet.conf with parser = future to turn on
the future parser with puppet 3 on review-dev.openstack.org without
upgrading puppet.
Change-Id: I36833385b94ba37823abe59936ccc11a98f36f52
Change I76b1099bf0cf3bfead17f96e456cdce87d0e8a49 altered the name of
the inventory script, so reflect that in the corresponding
subprocess call in launch-node.py and a comment in the
expand-groups.sh script.
Change-Id: I4c2c762716813b5d59dcc1b623f5988c8aa7d490
Infracloud is sadly deceased. The upside is we can delete a lot of code
we don't need anymore. This patch removes infracloud nodes from
site.pp so that the puppet-apply test no longer bothers to validate
them, removes the infracloud modules from modules.env so that we don't
bother to install those modules in puppet-apply and puppet functional
tests, and removes the infracloud-specific data from the public hiera.
Additionally stop the puppetmaster from trying to run the infracloud
ansible playbook and finally remove the chocolate region from nodepool's
clouds.yaml (vanilla was already done).
This patch leaves the run_infracloud.sh script and the
infracloud-specific ansible playbooks as well as the infracloud
manifests in the openstack_project puppet module. It's possible those
tools could come in handy in the future if we ever have another
infracloud, and leaving those tools in place doesn't add confusion about
which hosts are actually active nor does it leave cruft that gets
unnecessarily tested.
Change-Id: Ic760cc55f8e17fa7f39f2dd0433f5560aa8e2d65
Rather than creating per fqdn hiera entries for secrets, move to use a
group. This avoids the need to duplicate data.
Change-Id: I2208343b5281f70fc0850c0fe4e85038a53ed189
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Rather than creating per fqdn hiera entries for secrets, move to use a
group. This avoids the need to duplicate data.
Change-Id: I748314f52aeb6d288a1b133b3c20402c236dfb45
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Add the zuul-scheduler ansible group for hosts in the inventory
matching zuul[0-9]+.openstack.org.
Change-Id: I5d54d623dcbb12dd2645481a1ee74c2c5512a814
As explained in the comment, with the generated-groups file in the
inventory, as we regenerate the groups we end up finding old entries
that have actually disappeared and keep putting them back in.
Change-Id: I86463ecf516c38bb08d3d45e706a0da61a33efdf
We don't need a clean workspaces playbook, nor do we need to do anything
with that during renames. We don't need to reference machines that don't
exist in ansible groups. The launcher ssh config is not used by
anything.
Change-Id: Id3e9cddb06b6e47b6f07d9a39086f3b054b46bde
This runs bind as a hidden master nameserver so we can do all the
keysigning there, and then use nsd (or bind) as public authoritative
slaves.
Change-Id: Ifb2ad109103051fa13c4af1c7be1ca0ae98bb1a1
Now that we are using a numeric group, we need to add it to groups.txt
and update our private hieradata to use groups too.
Change-Id: I732d3698b3dfb591c2d6fa71f53e7a27f6143950
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
We no longer need our proposal or signing nodes. These are now managed
directly in zuulv3 jobs (via nodepool).
Also noticed wheel mirror group was never deleted, so removing that
too.
Change-Id: Ibca89052b8d27093e17a33cb738fd3855538dca1
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Migrate backups to new backup01.ord.rax.ci.openstack.org
We decided to start fresh backups on the new server, so this is ready
to go. I have performed an initial backup on each server so it has
accepted the host key of the new server and been tested (I also fixed
up review-dev.o.o, which was rebuilt but keys not updated ... todo:
add this to puppet, but since it changes so infrequently not high
priority).
Change-Id: I0872f9fcf4a334d32f632b3cb04801deefab4fd1
It needs to be in the nodepool group so that it will get updated hiera
information so that its clouds.yaml file can be correct.
Change-Id: Icd06ba6d67c6c6a6a78dbb3a22ec5c744fde47ee
We want to start encrypting our gearman traffic for zuulv3, as such
we'll need to bring online a CA service. The idea here is we create a
new CA for each interconnecting service we want SSL certs for.
As an example /etc/zuul-ca will be used to generate SSL certs for our
gearman service.
Change-Id: I8c341559292c78d5428fe16837f28494a76e65db
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Co-Authored-By: Jeremy Stanley <fungi@yuggoth.org>
This is needed to copy private hieradata files to our zuul-executor
servers.
Change-Id: I85fe6a8c85ebed5662010571d3a0f9e46cd918c8
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
According to https://github.com/ansible/ansible/issues/22505 the raw
results returned should be sanitized with the
CallbackBase._dump_results() method to ensure sensitive strings such
as those flagged by no_log are elided.
Change-Id: Iaebba820ffcb8628cf1e2373546e51ffc02deed6
The topic names need to be consistent between event types to ensure
people can properly use wildcards to filter the messages on just the
things they care about. However playbook and task were inconsistent in
topics between different methods in the callback plugin. This
commit fixes that by making sure we always use 'playbook' and 'task',
not 'playbooks' or 'tasks'.
Change-Id: I3e6240560ad562e8f41f7e314ef7a4b0b1178e32
This commit fixes a missing cast for the playbook uuid so we can use it
in the topic. Without this we get a type error and nothing works.
Change-Id: Ib3a814bc93d9685d9b735a462c6ed56ad4370cfb
This commit adds the mqtt ansible callback plugin to the puppetmaster
config so that whenever we run ansible we'll emit events to the
firehose for that.
Change-Id: Id5f10705687c5bb9854d386efd7fed486172f745
This was missed as part of the earlier translate upgrade change. With
switch to digitized host names we also want to group those hosts
together in hiera and ansible. Make that change here.
Change-Id: I6d25b35efbf0b43bd63a8ff9e217b68663575c75
Add X.509 certificates, certificate chains and private keys for
https://developer.openstack.org/ and https://docs.openstack.org/
separately using SNI (as the list grows we can consider condensing
these into a single cert using ServerAltNames later).
Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec
This is a simple first deployment of an ethercalc service. It does not
come with authenticated redis or redis backups. It will however have
working ssl.
Change-Id: I8c434a6bff42bce75e67fb37665d213f3cc018c8
Depends-On: Id10247211d9643e81bb1b6e8fb67377ba6de873a
Backup from production was successfully restored, so we can restore
the services, reenable puppet run now.
Change-Id: I4f0a7452072aa24215b01d54e98ccc0712e53ad5
We also need to make sure the group info is reflected in the ansible
groups.txt file. This new group matches the old and new servers. Can
change the * to + once the old server is gone.
Change-Id: I8da12d800e472c5bbd8245277269c4cf4774da14