openstack/kolla-ansible
Code Issues Proposed changes
kolla-ansible/ansible/roles/baremetal/tasks/post-install.yml
Mark Goddard 5c39810de2 Apply Zun configuration for Docker based on inventory 
If docker_configure_for_zun is set to true, then Zun-specific
configuration for Docker is applied to all nodes. It should only be
applied based on the relevant inventory groups. In some cases this can
cause Docker to fail to start. See
https://storyboard.openstack.org/#!/story/2008544 for details.

This change applies the configuration based on the zun-compute and
zun-cni-daemon groups. It also modifies the expression to not assume
that these groups exist in the inventory.

Change-Id: I0141abf0dd83e3a567ea6dcca945f86db129becf
Closes-Bug: #1914378
Story: 2008544
Task: 41645
Co-Authored-By: Buddhika Sanjeewa <bsanjeewa@kln.ac.lk>
2021-04-21 10:42:55 +00:00

296 lines
7.6 KiB
YAML
Raw Blame History

---
- name: Create kolla user
user:
name: "{{ kolla_user }}"
state: present
group: "{{ kolla_group }}"
groups: "sudo"
append: true
become: True
when: create_kolla_user | bool
- name: Add public key to kolla user authorized keys
authorized_key:
user: "{{ kolla_user }}"
key: "{{ kolla_ssh_key.public_key }}"
become: True
when: create_kolla_user | bool
- name: Grant kolla user passwordless sudo
lineinfile:
dest: /etc/sudoers.d/kolla-ansible-users
state: present
create: yes
mode: '0640'
regexp: '^{{ kolla_user }}'
line: '{{ kolla_user }} ALL=(ALL) NOPASSWD: ALL'
become: True
when: create_kolla_user_sudoers | bool
- name: Ensure virtualenv has correct ownership
file:
path: "{{ virtualenv }}"
recurse: True
state: directory
owner: "{{ kolla_user }}"
group: "{{ kolla_group }}"
become: True
when: virtualenv is not none
- name: Ensure node_config_directory directory exists for user kolla
file:
path: "{{ node_config_directory }}"
state: directory
owner: "{{ kolla_user }}"
group: "{{ kolla_group }}"
mode: 0755
become: True
when: create_kolla_user | bool
- name: Ensure node_config_directory directory exists
file:
path: "{{ node_config_directory }}"
state: directory
mode: 0755
become: True
when: not create_kolla_user | bool
- name: Ensure docker config directory exists
file:
path: /etc/docker
state: directory
become: True
- name: Merge Zun docker config
set_fact:
docker_config: "{{ docker_config | combine(docker_zun_config) }}"
when:
- docker_configure_for_zun | bool
- "'zun-compute' in group_names"
- name: Warn about deprecations
debug:
msg: >
docker_custom_option is deprecated in favor of docker_custom_config
when: docker_custom_option | length > 0
- name: Setup docker insecure registries
vars:
registries: ["{{ docker_registry }}"]
set_fact:
docker_config: "{{ docker_config | combine({'insecure-registries': registries}) }}"
when: docker_registry_insecure | bool
- name: Setup docker storage driver
set_fact:
docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
when: docker_storage_driver | length > 0
- name: Setup docker runtime directory
set_fact:
docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
when: docker_runtime_directory | length > 0
- name: Warn about docker default iptables
debug:
msg: >-
Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
release. If you have any non-Kolla containers that need this functionality, you should
plan a migration for this change, or set docker_disable_default_iptables_rules to false.
when: not docker_disable_default_iptables_rules | bool
- name: Disable docker default iptables rules
set_fact:
docker_config: "{{ docker_config | combine({'iptables': false}) }}"
when: docker_disable_default_iptables_rules | bool
- name: Warn about docker default networking
debug:
msg: >-
Docker default network on docker0 will be disabled by default from the
Wallaby 12.0.0 release. If you have any non-Kolla containers that need
this functionality, you should plan a migration for this change, or set
docker_disable_default_network to false.
when: not docker_disable_default_network | bool
- name: Disable docker default network on docker0
set_fact:
docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
when: docker_disable_default_network | bool
- name: Merge custom docker config
set_fact:
docker_config: "{{ docker_config | combine(docker_custom_config) }}"
- name: Write docker config
become: True
copy:
content: "{{ docker_config | to_nice_json }}"
dest: /etc/docker/daemon.json
mode: 0644
register: docker_configured
- name: Remove old docker options file
become: True
file:
path: /etc/systemd/system/docker.service.d/kolla.conf
state: absent
when:
- not docker_custom_option
- not docker_configure_for_zun | bool or 'zun-compute' not in group_names
- not docker_http_proxy
- not docker_https_proxy
- not docker_no_proxy
- name: Ensure docker service directory exists
become: True
file:
path: /etc/systemd/system/docker.service.d
state: directory
recurse: yes
when: >
docker_custom_option | length > 0 or
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
docker_http_proxy | length > 0 or
docker_https_proxy | length > 0 or
docker_no_proxy | length > 0
- name: Configure docker service
become: True
template:
src: docker_systemd_service.j2
dest: /etc/systemd/system/docker.service.d/kolla.conf
when: >
docker_custom_option | length > 0 or
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
docker_http_proxy | length > 0 or
docker_https_proxy | length > 0 or
docker_no_proxy | length > 0
- name: Reload docker service file
become: True
systemd:
name: docker
daemon_reload: yes
register: docker_reloaded
- name: Get stat of libvirtd apparmor profile
stat:
path: /etc/apparmor.d/usr.sbin.libvirtd
register: apparmor_libvirtd_profile
when: ansible_distribution == "Ubuntu"
- name: Get stat of libvirtd apparmor disable profile
stat:
path: /etc/apparmor.d/disable/usr.sbin.libvirtd
register: apparmor_libvirtd_disable_profile
when: ansible_distribution == "Ubuntu"
- name: Remove apparmor profile for libvirt
command: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
become: True
when:
- ansible_distribution == "Ubuntu"
- apparmor_libvirtd_profile.stat.exists
- not apparmor_libvirtd_disable_profile.stat.exists
- name: Get stat of chronyd apparmor profile
stat:
path: /etc/apparmor.d/usr.sbin.chronyd
register: apparmor_chronyd_profile
when:
- ansible_os_family == "Debian"
- enable_chrony | bool
- name: Remove apparmor profile for chrony
command: apparmor_parser -R /etc/apparmor.d/usr.sbin.chronyd
become: True
when:
- ansible_os_family == "Debian"
- enable_chrony | bool
- apparmor_chronyd_profile.stat.exists
- name: Create docker group
group:
name: docker
become: True
- name: Add kolla user to docker group
user:
name: "{{ kolla_user }}"
append: yes
groups: docker
become: True
when: create_kolla_user | bool
- name: Start docker
service:
name: docker
state: started
become: True
- name: Restart docker
service:
name: docker
state: restarted
become: True
when: docker_configured.changed or docker_reloaded.changed
- name: Enable docker
service:
name: docker
enabled: yes
become: True
- name: Stop time service
service:
name: ntp
state: stopped
become: True
when:
- ansible_os_family == "Debian"
- enable_host_ntp | bool
- name: Stop time service
service:
name: ntpd
state: stopped
become: True
when:
- ansible_os_family == "RedHat"
- enable_host_ntp | bool
- name: Synchronizing time one-time
command: ntpd -gq
become: True
when: enable_host_ntp | bool
- name: Start time sync service
service:
name: ntp
state: started
enabled: yes
become: True
when:
- ansible_os_family == "Debian"
- enable_host_ntp | bool
- name: Start time sync service
service:
name: ntpd
state: started
enabled: yes
become: True
when:
- ansible_os_family == "RedHat"
- enable_host_ntp | bool
- name: Change state of selinux
selinux:
policy: targeted
state: "{{ selinux_state }}"
become: true
when:
- change_selinux | bool
- ansible_os_family == "RedHat"
View Git Blame Copy Permalink