At the moment there's no handy way to perform CA installation or
update, as pki role is not tagged properly.
Applying tag to the role will allow to narrow down scope of the role
only to PKI installation if that is needed.
Related-Bug: #2098918
Change-Id: I904d0e03574ea91a4766aeb9ae21152113f47c6f
Since ansible-core 2.10 it is recommended to use modules via FQCN.
In order to align with the recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`
Change-Id: Ibf7bac98d8ca25801a2abd0f4b195d6a248e6589
In order to reduce divergence with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kinds of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: I96f2934f392affc01cdf3b85ad9198e21a6991be
Referring gpg key for UCA on the host results in absent GPG inside
containers once repos are copied from hosts to LXC on early step.
While we could copy /usr/share/keyrings, it's better to align and
distribute content of GPG rather than copying things around.
Change-Id: I43b6b73d6e9a1b3db484616f5295f64e4326bdc0
At the moment we fixup only x86_64 arch while there are way more arches
in the wild. So it's worth to have a mapping for architectures in place
rather than maintain quite complex replaces.
Closes-Bug: #2081764
Change-Id: I2b9e65a533789f92d6dd7b8059e21268e4a39ab7
This allows the gpg key to be installed without requiring external
connectivity which will be beneficial for offline installations.
Related-Bug: 2081775
Change-Id: If7581e8ce1cba9f02406e8ff2748a4470e46237a
Currently libselinux-python3 is a metadata package providing
python3-libselinux. So let's use current package name for installation
while it's available.
Change-Id: Ieaee988819bc88359c9356d4edbf93ed323ac5e2
Due to a CentOS Stream behaviour, which occasionally tries to enforce
selinux inside LXC containers and requires for libselinux python binding
to be present inside containers for modules to execute.
This mainly occurs for utility container, but we add for all containers
just to be on the safe side.
Closes-Bug: #2080765
Change-Id: I0d6bb175edae9a45d5cbc3bf8ad21ada98d2abc0
With modern setuptools presence of packaging module for python might
be essential for some tools to operate properly. In most cases the
package is being pre-shipped in the image, though it's still worth to
ensure its presence rather than rely on the specific image build.
This should also ensure that we have the module inside LXC as well.
Change-Id: Idb31e2644511e07d7bbb8064f8c749870b14397e
We're missing `=` in gitconfig template. That template is being used
only when `git` is missing from the image template, which is the reason
why it slipped attention.
Change-Id: I602cb8b603306241e601cffc2324cb618a1dc792
This is defaulted to '*' and will be undefined when a CI specific
override is subsequently merged to the openstack-ansible repository.
Change-Id: I1c1dc35d8d59db4ae2b6770a620d91548a8a3734
The package is included in Caracal UCA repo but requires newer
python3-pytest which is not present in UCA and causes a conflict [1].
Corresponding bug report was created towards UCA [2], but until then
it's worth to pin package back to be installed from universe rather than
UCA.
[1] https://paste.openstack.org/show/b9gCyKaVHjYMeupI5dLD/
[2] https://bugs.launchpad.net/cloud-archive/+bug/2064798
Change-Id: I47e796648a820927b79794110d07a9ce88d98cc2
In order to save quite some time during the role execution, we apply
run_once when defining /etc/hosts content.
While this is good for "static" content which is based on the inventory,
resolving openstack_host_custom_hosts_records once may lead to
unexpected behaviour. For instance, if host record depends on some specific
group or other variables defined in host/group variables.
In order to resolve it accordingly, we merge status and custom records together
in blockinfile, which allows to resolve record individually for each host
and not having penalty for most usecases.
Change-Id: I48274de908fc6dc4a2e22a789e8355c7ba263599
The variable `uca_apt_source_list_filename` is not defined anywhere
in openstack-ansible so this task is redundant.
Change-Id: I15cc331ad5ec11507860bf61b0c2b20fa8c0b2a0
Due to the bug in Ansible [1] it does not resolve requirement of /usr/bin/curl
properly, always trying to install `curl-minimal`, which would fail on systems with
already installed `curl`.
Since `curl` presence is essential for DNF, we should be able to skip installation
of curl to EL systems, as they are all shipped with it as of today.
[1] https://github.com/ansible/ansible/issues/82461
Closes-Bug: #2046172
Change-Id: I0f1bd3aa3dbce93c42fdb9399948c41edab2369d
After adding `localhost` to inventory explicitly [1] this caused an interesting
side-effect, where a record for `localhost` is being added to the managed block
in /etc/hosts file, which might override FQDN definition for the host.
This also makes healthcheck-hosts.yml fail the test, since expected record is not present.
[1] https://review.opendev.org/c/openstack/openstack-ansible/+/899523
Change-Id: If1840530a54aa9ae22eda1d3094f0c40ab66ddde
Once UCA and RDO have released their packages for 2023.2 we can update
the openstack_distrib_code_name
Change-Id: I4da504eb51ee7f5359902d1af432657982b8fc84
Debian 11 latest repository for osbpo is Zed, while for Debian 12 both
Antelope and Bobcat are available. We should use correct repos whenever
possible.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/894561
Change-Id: Iad6cc3839ad474982dcf88dddd57775cd5a628c7
At the moment we aim to make systemd-journald a universal destination
for log files across services. With that there is currently no way
of configuring journald using OSA. While this might be
neat for production deployments, it's very valuable to have for CI
as well.
Change-Id: I70a8c9266cb12811a58f5a183955dbec319e539f
There were couple of tasks designed for unsupported
operating systems like Debian 10 or CentOS 8 that were
left during previous cleanups.
Change-Id: I5f920c16a6f6053e64b8013b2a668eb3b1ed2f6a
This var is renamed _openstack_hosts_package list so that it
does not collide with a variable of the same name used in the
python_venv_build role.
Change-Id: Idedf39312df718a7d815eebb3642f75207348afb
Ubuntu 20.04 is not supported or tested in 2023.2, so we remove
focal-related variables from the role.
Change-Id: I52f772f519db6c4924443498bb3453f69cd997de
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that are enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metadata to reflect current state.
Change-Id: Ide0ca8cf60f3a92c98543465d53bc4720067b153
Rocky 9.2 was released today and ships a new centos-release-nfv which
points to builds of RDO Dependencies built against RHEL 9 buildroots
instead of CentOS Stream 9. As such, we no longer need to keep Rocky at
a lower version of ovs/ovn and can match other distributions (and
Stream) on 3.1.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/883377
Change-Id: I396a75119cdfd3762a59f6e5437234fcc661b7ae
RDO provides two sets of repositories with OpenStack packages, RDO Trunk
and RDO CloudSIG [1]. Currently, openstack_hosts role always uses Trunk
repos but in some cases, users may prefer to use CloudSIG.
This patch adds a variable openstack_hosts_rdo_repo_type which can take
values "trunk" or "cloudsig" to select the type of repos to be used.
[1] https://www.rdoproject.org/what/repos/
Change-Id: I95ee40ae1366e815507b62ba632935e664971f42
Once distro packages are released, we can update our release name. This
should also fix distro jobs.
Change-Id: I826b08e026211271e9b0e363d4512b383dcd61d2
As we've landed fix for CentOS to work properly with new OVS and
worked around the bug, we can now start using new OVS version for stream.
Exclude can be removed once issue will be sorted out for Rocky as well.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/878911
Change-Id: I864cb07231ebf5c820c2ce3721323bebdc337e13
OVS 3.1 was released by CentOS NFV SIG which is built against newer
rdma-core libraries leading to uninstallable openvswitch3.1 on
Rocky Linux due to missing libmlx5.so.1(MLX5_1.24).
While CentOS doesn't need this specific rollback, it will be easier to
fix gates this way.
Change-Id: I388c115d368c0c0638d1dd4f9f11f4448a13a6b1