ansible-collection-kolla/roles/baremetal/tasks/post-install.yml

---
- import_role:
    name: openstack.kolla.kolla_user
  when: create_kolla_user | bool

- name: Ensure virtualenv has correct ownership
  file:
    path: "{{ virtualenv }}"
    recurse: True
    state: directory
    owner: "{{ kolla_user }}"
    group: "{{ kolla_group }}"
  become: True
  when:
    - create_kolla_user | bool
    - virtualenv is not none

- name: Ensure node_config_directory directory exists
  file:
    path: "{{ node_config_directory }}"
    state: directory
    owner: "{{ kolla_user if create_kolla_user | bool else omit }}"
    group: "{{ kolla_group if create_kolla_user | bool else omit }}"
    mode: 0755
  become: True

- name: Ensure docker config directory exists
  file:
    path: /etc/docker
    state: directory
  become: True

- name: Merge Zun docker config
  set_fact:
    docker_config: "{{ docker_config | combine(docker_zun_config) }}"
  when:
    - docker_configure_for_zun | bool
    - "'zun-compute' in group_names"

- name: Warn about deprecations
  debug:
    msg: >
      docker_custom_option is deprecated in favor of docker_custom_config
  when: docker_custom_option | length > 0

- name: Setup docker insecure registries
  vars:
    registries: ["{{ docker_registry }}"]
  set_fact:
    docker_config: "{{ docker_config | combine({'insecure-registries': registries}) }}"
  when: docker_registry_insecure | bool

- name: Setup docker storage driver
  set_fact:
    docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
  when: docker_storage_driver | length > 0

- name: Setup docker runtime directory
  set_fact:
    docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
  when: docker_runtime_directory | length > 0

- name: Warn about docker default iptables
  debug:
    msg: >-
      Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
      release. If you have any non-Kolla containers that need this functionality, you should
      plan a migration for this change, or set docker_disable_default_iptables_rules to false.
  when: not docker_disable_default_iptables_rules | bool

- name: Disable docker default iptables rules
  set_fact:
    docker_config: "{{ docker_config | combine({'iptables': false}) }}"
  when: docker_disable_default_iptables_rules | bool

- name: Warn about docker default networking
  debug:
    msg: >-
      Docker default network on docker0 will be disabled by default from the
      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
      this functionality, you should plan a migration for this change, or set
      docker_disable_default_network to false.
  when: not docker_disable_default_network | bool

- name: Disable docker default network on docker0
  set_fact:
    docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
  when: docker_disable_default_network | bool

- name: Warn about docker ip_forward
  debug:
    msg: >-
      Docker ip_forward will be disabled by default from the
      Wallaby 12.0.0 release. If you have any non-Kolla containers that need
      this functionality, you should plan a migration for this change, or set
      docker_disable_ip_forward to false.
  when: not docker_disable_ip_forward | bool

- name: Disable docker ip_forward
  set_fact:
    docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
  when: docker_disable_ip_forward | bool

- name: Merge custom docker config
  set_fact:
    docker_config: "{{ docker_config | combine(docker_custom_config) }}"

- name: Write docker config
  become: True
  copy:
    content: "{{ docker_config | to_nice_json }}"
    dest: /etc/docker/daemon.json
    mode: 0644
  register: docker_configured

- name: Remove old docker options file
  become: True
  file:
    path: /etc/systemd/system/docker.service.d/kolla.conf
    state: absent
  when:
    - not docker_custom_option
    - not docker_configure_for_zun | bool or 'zun-compute' not in group_names
    - not docker_http_proxy
    - not docker_https_proxy
    - not docker_no_proxy

- name: Ensure docker service directory exists
  become: True
  file:
    path: /etc/systemd/system/docker.service.d
    state: directory
    recurse: yes
  when: >
    docker_custom_option | length > 0 or
    (docker_configure_for_zun | bool and 'zun-compute' in group_names) or
    docker_http_proxy | length > 0 or
    docker_https_proxy | length > 0 or
    docker_no_proxy | length > 0

- name: Configure docker service
  become: True
  template:
    src: docker_systemd_service.j2
    dest: /etc/systemd/system/docker.service.d/kolla.conf
  when: >
    docker_custom_option | length > 0 or
    (docker_configure_for_zun | bool and 'zun-compute' in group_names) or
    docker_http_proxy | length > 0 or
    docker_https_proxy | length > 0 or
    docker_no_proxy | length > 0

- name: Reload docker service file
  become: True
  systemd:
    name: docker
    daemon_reload: yes
  register: docker_reloaded

- name: Get stat of libvirtd apparmor profile
  stat:
    path: /etc/apparmor.d/usr.sbin.libvirtd
  register: apparmor_libvirtd_profile
  when: ansible_facts.distribution == "Ubuntu"

- name: Get stat of libvirtd apparmor disable profile
  stat:
    path: /etc/apparmor.d/disable/usr.sbin.libvirtd
  register: apparmor_libvirtd_disable_profile
  when: ansible_facts.distribution == "Ubuntu"

- name: Remove apparmor profile for libvirt
  shell: |
    apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
    ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
  args:
    executable: /bin/bash
  become: True
  when:
    - ansible_facts.distribution == "Ubuntu"
    - apparmor_libvirtd_profile.stat.exists
    - not apparmor_libvirtd_disable_profile.stat.exists

- name: Start docker
  systemd:
    name: docker
    state: started
    masked: no
  become: True

- name: Restart docker
  systemd:
    name: docker
    state: restarted
    masked: no
  become: True
  when: docker_configured.changed or docker_reloaded.changed

- name: Enable docker
  systemd:
    name: docker
    enabled: yes
    masked: no
  become: True

- name: Change state of selinux
  selinux:
    policy: targeted
    state: "{{ selinux_state }}"
  become: true
  when:
    - change_selinux | bool
    - ansible_facts.os_family == "RedHat"

- name: Set https proxy for git
  git_config:
    name: https.proxy
    scope: global
    value: "{{ git_https_proxy }}"
  when: git_https_proxy | length > 0

- name: Set http proxy for git
  git_config:
    name: http.proxy
    scope: global
    value: "{{ git_http_proxy }}"
  when: git_http_proxy | length > 0