71d4c697cd
Since [1] nova-compute uses rbd python library instead of libvirt to cleanup volumes and get pool info - so it requires cinder keyring on filesystem. In external ceph case it is often that nova key does not exist (is simply a copied cinder key) and the rbd user is set to cinder - therefore the earlier mentioned operations will fail due to a missing keyring on the filesystem. [1]: https://review.opendev.org/#/c/668564/ Change-Id: Idef21dc5f7e9ff512bc8920630a3de61a1e69eee Backport: train Closes-Bug: #1859408
150 lines
4.5 KiB
YAML
150 lines
4.5 KiB
YAML
---
|
|
- name: Ensuring config directory exists
|
|
file:
|
|
path: "{{ node_config_directory }}/{{ item }}"
|
|
state: "directory"
|
|
mode: "0770"
|
|
become: true
|
|
with_items:
|
|
- "nova-libvirt/secrets"
|
|
when: inventory_hostname in groups[nova_cell_compute_group]
|
|
|
|
- name: Check nova keyring file
|
|
stat:
|
|
path: "{{ node_custom_config }}/nova/ceph.client.nova.keyring"
|
|
delegate_to: localhost
|
|
run_once: True
|
|
register: nova_cephx_keyring_file
|
|
failed_when: not nova_cephx_keyring_file.stat.exists
|
|
when:
|
|
- nova_backend == "rbd"
|
|
- external_ceph_cephx_enabled | bool
|
|
|
|
- name: Check cinder keyring file
|
|
stat:
|
|
path: "{{ node_custom_config }}/nova/ceph.client.cinder.keyring"
|
|
delegate_to: localhost
|
|
run_once: True
|
|
register: cinder_cephx_keyring_file
|
|
failed_when: not cinder_cephx_keyring_file.stat.exists
|
|
when:
|
|
- cinder_backend_ceph | bool
|
|
- external_ceph_cephx_enabled | bool
|
|
|
|
- name: Copy over ceph nova keyring file
|
|
copy:
|
|
src: "{{ nova_cephx_keyring_file.stat.path }}"
|
|
dest: "{{ node_config_directory }}/{{ item }}/"
|
|
mode: "0660"
|
|
become: true
|
|
with_items:
|
|
- nova-compute
|
|
- nova-libvirt
|
|
when:
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
- nova_backend == "rbd"
|
|
- external_ceph_cephx_enabled | bool
|
|
notify:
|
|
- Restart {{ item }} container
|
|
|
|
- name: Copy over ceph cinder keyring file
|
|
copy:
|
|
src: "{{ cinder_cephx_keyring_file.stat.path }}"
|
|
dest: "{{ node_config_directory }}/{{ item }}/"
|
|
mode: "0660"
|
|
become: true
|
|
with_items: # NOTE: nova-libvirt does not need it
|
|
- nova-compute
|
|
when:
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
- nova_backend == "rbd"
|
|
- external_ceph_cephx_enabled | bool
|
|
notify:
|
|
- Restart {{ item }} container
|
|
|
|
- name: Copy over ceph.conf
|
|
template:
|
|
src: "{{ node_custom_config }}/nova/ceph.conf"
|
|
dest: "{{ node_config_directory }}/{{ item }}/"
|
|
mode: "0660"
|
|
become: true
|
|
with_items:
|
|
- nova-compute
|
|
- nova-libvirt
|
|
when:
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
- nova_backend == "rbd"
|
|
notify:
|
|
- Restart {{ item }} container
|
|
|
|
- name: Pushing nova secret xml for libvirt
|
|
template:
|
|
src: "secret.xml.j2"
|
|
dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.xml"
|
|
mode: "0600"
|
|
become: true
|
|
when:
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
- item.enabled | bool
|
|
with_items:
|
|
- uuid: "{{ rbd_secret_uuid }}"
|
|
name: "client.nova secret"
|
|
enabled: "{{ nova_backend == 'rbd' }}"
|
|
- uuid: "{{ cinder_rbd_secret_uuid }}"
|
|
name: "client.cinder secret"
|
|
enabled: "{{ cinder_backend_ceph }}"
|
|
notify:
|
|
- Restart nova-libvirt container
|
|
|
|
- name: Extract nova key from file
|
|
set_fact:
|
|
nova_cephx_raw_key: "{{ lookup('file', nova_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
|
|
changed_when: false
|
|
run_once: True
|
|
when:
|
|
- nova_backend == "rbd"
|
|
- external_ceph_cephx_enabled | bool
|
|
|
|
- name: Extract cinder key from file
|
|
set_fact:
|
|
cinder_cephx_raw_key: "{{ lookup('file', cinder_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
|
|
changed_when: false
|
|
run_once: True
|
|
when:
|
|
- cinder_backend_ceph | bool
|
|
- external_ceph_cephx_enabled | bool
|
|
|
|
- name: Pushing secrets key for libvirt
|
|
copy:
|
|
content: "{{ item.result }}"
|
|
dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.base64"
|
|
mode: "0600"
|
|
become: true
|
|
when:
|
|
- inventory_hostname in groups[nova_cell_compute_group]
|
|
- item.enabled | bool
|
|
- external_ceph_cephx_enabled | bool
|
|
with_items:
|
|
# NOTE(yoctozepto): 'default' filter required due to eager evaluation of item content
|
|
# which will be undefined if the applicable condition is False
|
|
- uuid: "{{ rbd_secret_uuid }}"
|
|
result: "{{ nova_cephx_raw_key | default }}"
|
|
enabled: "{{ nova_backend == 'rbd' }}"
|
|
- uuid: "{{ cinder_rbd_secret_uuid }}"
|
|
result: "{{ cinder_cephx_raw_key | default }}"
|
|
enabled: "{{ cinder_backend_ceph }}"
|
|
notify:
|
|
- Restart nova-libvirt container
|
|
|
|
- name: Ensuring config directory has correct owner and permission
|
|
become: true
|
|
file:
|
|
path: "{{ node_config_directory }}/{{ item }}"
|
|
recurse: yes
|
|
owner: "{{ config_owner_user }}"
|
|
group: "{{ config_owner_group }}"
|
|
with_items:
|
|
- "nova-compute"
|
|
- "nova-libvirt/secrets"
|
|
when: inventory_hostname in groups[nova_cell_compute_group]
|