kayobe/ansible/overcloud-provision.yml
Mark Goddard 32a82ea039 Support authentication in Bifrost
* Switch from python-ironic-inspector-client to openstacksdk in
  ironic-inspector-rules. This allows us to use clouds.yaml to provide
  credentials.
* Enable authentication in Bifrost. Passwords are auto-generated by
  Bifrost, and stored files in /root/.config/bifrost/. This change
  depends on a Kolla Ansible patch that ensures that these credentials
  are persisted between recreations of the bifrost container.
* Copy clouds.yaml and (if present) a CA certificate from the Bifrost
  container to the seed host, under the Kayobe Ansible user (stack).
  This allows us to use the credentials to register introspection rules.
* This patch is needed by a Kolla Ansible patch that enables TLS in
  Bifrost, since we need the CA certificate on the host to register
  introspection rules when TLS is enabled.

Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/851837
Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/851838

Story: 2010206
Task: 45930

Change-Id: I757f1bb72afb01a4f1689bed292f5b71b9048fa0
2022-08-25 11:56:03 +02:00

218 lines
8.1 KiB
YAML

---
# Use bifrost to provision the overcloud nodes with a base OS.
- name: Ensure the overcloud nodes are provisioned
hosts: overcloud
tags:
- provision
vars:
wait_manageable_timeout: 60
wait_available_timeout: 60
# Set to False to avoid waiting for the nodes to become active.
wait_active: True
wait_active_timeout: 600
wait_active_interval: 10
# Set to False to avoid waiting for the nodes to be accessible via
# SSH.
wait_ssh: True
wait_ssh_timeout: 600
# List of states from which we can get to active.
provisionable_states:
- enroll
- manageable
- available
- active
# List of valid states while a node is being provisioned.
deploying_states:
# The API is asynchronous, so allow the initial state.
- available
- deploying
- wait call-back
# List of hosts to limit Bifrost deploy-dynamic.yaml playbook to.
bifrost_limit: ['localhost']
# Retries to use when using Ironic API and hitting node locked errors.
ironic_retries: 6
ironic_retry_interval: 5
seed_host: "{{ groups['seed'][0] }}"
gather_facts: no
tasks:
- name: Check the ironic node's initial provision state
command: >
docker exec bifrost_deploy
bash -c '
export OS_CLOUD=bifrost &&
export OS_BAREMETAL_API_VERSION=1.34 &&
export BIFROST_INVENTORY_SOURCE=ironic &&
ansible baremetal
--connection local
--inventory /etc/bifrost/inventory/
-e @/etc/bifrost/bifrost.yml
-e @/etc/bifrost/dib.yml
--limit {{ inventory_hostname }}
-m command
-a "baremetal node show {% raw %}{{ inventory_hostname }}{% endraw %} -f value -c provision_state"'
register: show_result
changed_when: False
delegate_to: "{{ seed_host }}"
vars:
# NOTE: Without this, the seed's ansible_host variable will not be
# respected when using delegate_to.
ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
- name: Set a fact containing the ironic node's initial provision state
set_fact:
initial_provision_state: "{{ show_result.stdout_lines[1] }}"
- name: Fail if the ironic node is in an unexpected provision state
fail:
msg: >
Ironic node for {{ inventory_hostname }} is in an unexpected
initial provision state: {{ initial_provision_state }}. Expected
states are: {{ provisionable_states | join(',') }}.
when: initial_provision_state not in provisionable_states
- name: Ensure the ironic node is manageable
command: >
docker exec bifrost_deploy
bash -c '
export OS_CLOUD=bifrost &&
export BIFROST_INVENTORY_SOURCE=ironic &&
ansible baremetal -vvvv
--connection local
--inventory /etc/bifrost/inventory/
-e @/etc/bifrost/bifrost.yml
-e @/etc/bifrost/dib.yml
--limit {{ inventory_hostname }}
-m command
-a "baremetal node manage --wait {{ wait_manageable_timeout }} {% raw %}{{ inventory_hostname }}{% endraw %}"'
register: manage_result
until: manage_result is successful or 'is locked by host' in manage_result.stdout
retries: "{{ ironic_retries }}"
delay: "{{ ironic_retry_interval }}"
when: initial_provision_state == 'enroll'
delegate_to: "{{ seed_host }}"
vars:
# NOTE: Without this, the seed's ansible_host variable will not be
# respected when using delegate_to.
ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
- name: Ensure the ironic node is available
command: >
docker exec bifrost_deploy
bash -c '
export OS_CLOUD=bifrost &&
export BIFROST_INVENTORY_SOURCE=ironic &&
ansible baremetal -vvvv
--connection local
--inventory /etc/bifrost/inventory/
-e @/etc/bifrost/bifrost.yml
-e @/etc/bifrost/dib.yml
--limit {{ inventory_hostname }}
-m command
-a "baremetal node provide --wait {{ wait_available_timeout }} {% raw %}{{ inventory_hostname }}{% endraw %}"'
register: provide_result
until: >-
provide_result is successful or
'is locked by host' in provide_result.stdout or
'while it is in state "available"' in provide_result.stdout
failed_when:
- provide_result is not successful
# If fast-track deployment is enabled, it's possible that ironic will
# move the node to available, even though the initial state was
# manageable.
- "'while it is in state \"available\"' not in provide_result.stdout"
retries: "{{ ironic_retries }}"
delay: "{{ ironic_retry_interval }}"
when: initial_provision_state in ['enroll', 'manageable']
delegate_to: "{{ seed_host }}"
vars:
# NOTE: Without this, the seed's ansible_host variable will not be
# respected when using delegate_to.
ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
- name: Set a fact containing the bifrost host list
set_fact:
bifrost_limit: "{{ bifrost_limit + [item] }}"
with_items: "{{ play_hosts }}"
when: hostvars[item].initial_provision_state != 'active'
run_once: True
- name: Ensure the ironic nodes are provisioned
command: >
docker exec bifrost_deploy
bash -c '
export OS_CLOUD=bifrost &&
export BIFROST_INVENTORY_SOURCE=ironic &&
ansible-playbook -vvvv
/bifrost/playbooks/deploy-dynamic.yaml
--inventory /etc/bifrost/inventory/
-e @/etc/bifrost/bifrost.yml
-e @/etc/bifrost/dib.yml
--limit {{ bifrost_limit | join(':') }}'
when: bifrost_limit
delegate_to: "{{ seed_host }}"
vars:
# NOTE: Without this, the seed's ansible_host variable will not be
# respected when using delegate_to.
ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
# We execute this only once, allowing the Bifrost Ansible to handle
# multiple nodes.
run_once: True
- name: Wait for the ironic node to become active
command: >
docker exec bifrost_deploy
bash -c '
export OS_CLOUD=bifrost &&
export OS_BAREMETAL_API_VERSION=1.34 &&
export BIFROST_INVENTORY_SOURCE=ironic &&
ansible baremetal
--connection local
--inventory /etc/bifrost/inventory/
-e @/etc/bifrost/bifrost.yml
-e @/etc/bifrost/dib.yml
--limit {{ inventory_hostname }}
-m command
-a "baremetal node show {% raw %}{{ inventory_hostname }}{% endraw %} -f value -c provision_state"'
register: show_result
# Wait until the node is no longer in one of the deploying states.
until: not show_result.stdout_lines[1:] | intersect(deploying_states)
retries: "{{ wait_active_timeout // wait_active_interval }}"
delay: "{{ wait_active_interval }}"
when:
- wait_active | bool
- initial_provision_state != 'active'
changed_when: False
delegate_to: "{{ seed_host }}"
vars:
# NOTE: Without this, the seed's ansible_host variable will not be
# respected when using delegate_to.
ansible_host: "{{ hostvars[seed_host].ansible_host | default(seed_host) }}"
- name: Set a fact containing the final provision state
set_fact:
final_provision_state: "{{ show_result.stdout_lines[1] }}"
when:
- wait_active | bool
- initial_provision_state != 'active'
- name: Fail if any of the nodes are not available
fail:
msg: >
Ironic node for {{ inventory_hostname }} is in an unexpected
provision state after provisioning. Ironic provision state:
{{ final_provision_state }}. Expected: active.
when:
- wait_active | bool
- initial_provision_state != 'active'
- final_provision_state != 'active'
- name: Wait for SSH access to the nodes
local_action:
module: wait_for
host: "{{ ansible_host }}"
port: 22
state: started
timeout: "{{ wait_ssh_timeout }}"
when: wait_ssh | bool