f8a150cc76
We currently have spread out package/host management to multiple roles, sometimes repeating ourselves in the process (see pip_install and openstack_hosts overlap) That is against Ansible principles, and we should have one role that configures the minimum (to run openstack), applying it to all the nodes, maybe behaving slightly differently depending on some parameters. Here that parameter is if the host is a container or not. If the host is a container, all the physical host configuration (kernel and sysctl) is be skipped, the rest of the configuration (packages/repos) still applies. This needed a refactor to split the tasks into those two group while remaining efficient and avoid multiple back and forth of package installs/removal. For that last point, new defaults variables were introduced, allowing overrides per host/group. A node now member of a group x can now directly use this role to setup all its necessary repos and keys. Last, but not least, this override mechanism can now easily trigger pip_install role, which can from now on, be removed from every role. On top of that pip_install role can now remove its repo management, and focus on installing pip on hosts that don't have a proper version of pip installed. Change-Id: Ibf145e561c80a12055bd4d5dca3914c4d495a748
108 lines
3.6 KiB
YAML
108 lines
3.6 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Disable requiretty for root sudo on centos
|
|
template:
|
|
dest: /etc/sudoers.d/openstack-ansible
|
|
owner: root
|
|
group: root
|
|
mode: "0440"
|
|
src: sudoers.j2
|
|
|
|
# yum configuration tasks that apply on all nodes.
|
|
- name: Remove the blacklisted packages
|
|
package:
|
|
name: "{{ openstack_hosts_package_list | selectattr('state','equalto','absent') | map(attribute='name') | list }}"
|
|
state: absent
|
|
|
|
# Copy all factored-in GPG keys.
|
|
# KeyID 764429E6 from https://raw.githubusercontent.com/rdo-infra/centos-release-openstack/ocata-rdo/RPM-GPG-KEY-CentOS-SIG-Cloud
|
|
# KeyID 61E8806C from keyserver for rdo-qemu-ev
|
|
- name: If a keyfile is provided, copy the gpg keyfile to the key location
|
|
copy:
|
|
src: "{{ item.keyfile }}"
|
|
dest: "{{ item.key }}"
|
|
mode: '0644'
|
|
with_items: "{{ openstack_hosts_package_repos_keys | selectattr('keyfile','defined') | list }}"
|
|
|
|
- name: Ensure GPG keys have the correct SELinux contexts applied
|
|
command: restorecon -Rv /etc/pki/rpm-gpg/
|
|
# TODO(evrardjp): Be more idempotent
|
|
changed_when: false
|
|
|
|
# Handle gpg keys manually
|
|
- name: Install gpg keys
|
|
rpm_key:
|
|
key: "{{ key.key }}"
|
|
validate_certs: "{{ key.validate_certs | default(omit) }}"
|
|
state: "{{ key.state | default('present') }}"
|
|
with_items: "{{ openstack_hosts_package_repos_keys }}"
|
|
loop_control:
|
|
loop_var: key
|
|
register: _add_yum_keys
|
|
until: _add_yum_keys | success
|
|
retries: 5
|
|
delay: 2
|
|
|
|
- name: Add requirement packages (repositories gpg keys packages, toolkits...)
|
|
package:
|
|
name: "{{ openstack_hosts_package_list | rejectattr('state','equalto','absent') | map(attribute='name') | list }}"
|
|
state: "{{ openstack_hosts_package_state }}"
|
|
|
|
- name: Check for existing yum repositories
|
|
shell: "yum-config-manager | grep 'repo:'"
|
|
register: existing_yum_repos
|
|
|
|
- name: Add yum repositories if they do not exist
|
|
yum_repository:
|
|
name: "{{ repo.name }}"
|
|
description: "{{ repo.description | default(omit) }}"
|
|
baseurl: "{{ repo.baseurl | default(omit) }}"
|
|
gpgkey: "{{ repo.gpgkey | default(omit) }}"
|
|
gpgcheck: "{{ repo.gpgcheck | default(omit) }}"
|
|
enabled: "{{ repo.enabled | default('yes') }}"
|
|
with_items: "{{ openstack_hosts_package_repos }}"
|
|
loop_control:
|
|
loop_var: repo
|
|
when:
|
|
- repo.name not in existing_yum_repos.stdout
|
|
register: _adding_repo
|
|
until: _adding_repo | success
|
|
retries: 5
|
|
delay: 2
|
|
|
|
- name: Update yum repositories if they already exist
|
|
command: >
|
|
yum-config-manager
|
|
--enable {{ item.name }}
|
|
{% for key in item.keys() if key != 'file' %}
|
|
--setopt="{{ item.name }}.{{ key }}={{ item[key] }}"
|
|
{% endfor %}
|
|
# TODO(evrardjp): Be more idempotent
|
|
changed_when: false
|
|
with_items: "{{ openstack_hosts_package_repos }}"
|
|
when:
|
|
- item.name in existing_yum_repos.stdout
|
|
|
|
- name: Update repo priorities
|
|
command: >
|
|
yum-config-manager
|
|
{% for repo_priority in openstack_hosts_package_repos_priorities %}
|
|
--enable {{ repo_priority['name'] }} \
|
|
--setopt="{{ repo_priority['name'] }}.priority={{ repo_priority['priority'] }}"
|
|
{% endfor %}
|
|
# TODO(evrardjp): Be more idempotent
|
|
changed_when: false
|